From postconf-devel at de.postfix.org Sat Mar 3 23:00:02 2012
From: postconf-devel at de.postfix.org (postconf-devel at de.postfix.org)
Date: Sat, 3 Mar 2012 23:00:02 +0100
Subject: [postconf-devel] [postconf.5.html] UPDATE
Message-ID: <20120303220002.46B933DA45@de.postfix.org>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From postconf-devel at de.postfix.org Mon Mar 5 04:00:02 2012
From: postconf-devel at de.postfix.org (postconf-devel at de.postfix.org)
Date: Mon, 5 Mar 2012 04:00:02 +0100
Subject: [postconf-devel] [postconf.5.html] UPDATE
Message-ID: <20120305030002.444BC3D548@de.postfix.org>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From postconf-devel at de.postfix.org Tue Mar 6 00:00:03 2012
From: postconf-devel at de.postfix.org (postconf-devel at de.postfix.org)
Date: Tue, 6 Mar 2012 00:00:03 +0100
Subject: [postconf-devel] [postconf.5.html] UPDATE
Message-ID: <20120305230003.4045A3DD22@de.postfix.org>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From postconf-devel at de.postfix.org Sun Mar 18 19:00:03 2012
From: postconf-devel at de.postfix.org (postconf-devel at de.postfix.org)
Date: Sun, 18 Mar 2012 19:00:03 +0100
Subject: [postconf-devel] [postconf.5.html] UPDATE
Message-ID: <20120318180003.59C873DA5D@de.postfix.org>

An embedded and charset-unspecified text was scrubbed...
Name: not available
URL:

From werner at detter.biz Sun Mar 18 19:06:24 2012
From: werner at detter.biz (Werner Detter)
Date: Sun, 18 Mar 2012 19:06:24 +0100
Subject: [postconf-devel] [postconf.5.html] UPDATE
In-Reply-To: <20120318180003.59C873DA5D@de.postfix.org>
References: <20120318180003.59C873DA5D@de.postfix.org>
Message-ID: <4F662420.1090209@detter.biz>

Hi,

don't you want to disable my script here, now that the project is practically dead?
:)

Regards,
Werner

On 18.03.12 19:00, postconf-devel at de.postfix.org wrote:
> -- generated message --
>
> postconf.5.html has been updated:
>
> *** /tmp/postconf.5.html.orig 2012-03-05 11:40:00.000000000 +0100 > --- /tmp/postconf.5.html 2012-03-18 19:00:02.000000000 +0100 > *************** > *** 87,109 **** > > -

access_map_defer_code > - (default: 450)
> - > -

> - The numerical Postfix SMTP server response code for > - an access(5) map "defer" action, including "defer_if_permit" > - or "defer_if_reject". Prior to Postfix 2.6, the response > - is hard-coded as "450". > -

> - > -

> - Do not change this unless you have a complete understanding of RFC 2821. > -

> - > -

> - This feature is available in Postfix 2.6 and later. > -

> - > - > -
> - >
access_map_reject_code > --- 87,88 ---- > *************** > *** 112,115 **** >

> ! The numerical Postfix SMTP server response code for > ! an access(5) map "reject" action. >

> --- 91,94 ---- >

> ! The numerical Postfix SMTP server response code when a client > ! is rejected by an access(5) map restriction. >

> *************** > *** 123,146 **** > > -
address_verify_cache_cleanup_interval > - (default: 12h)
> - > -

The amount of time between verify(8) address verification > - database cleanup runs. This feature requires that the database > - supports the "delete" and "sequence" operators. Specify a zero > - interval to disable database cleanup.

> - > -

After each database cleanup run, the verify(8) daemon logs the > - number of entries that were retained and dropped. A cleanup run is > - logged as "partial" when the daemon terminates early after "postfix > - reload", "postfix stop", or no requests for $max_idle > - seconds.

> - > -

Time units: s (seconds), m (minutes), h (hours), d (days), w > - (weeks).

> - > -

This feature is available in Postfix 2.7.

> - > - > -
> - >
address_verify_default_transport > --- 102,103 ---- > *************** > *** 176,181 **** >
address_verify_map > ! (default: see "postconf -d" output)
> >

> ! Lookup table for persistent address verification status > storage. The table is maintained by the verify(8) service, and > --- 133,138 ---- >

address_verify_map > ! (default: empty)
> >

> ! Optional lookup table for persistent address verification status > storage. The table is maintained by the verify(8) service, and > *************** > *** 185,190 **** >

> ! The lookup table is persistent by default (Postfix 2.7 and later). > ! Specify an empty table name to keep the information in volatile > ! memory which is lost after "postfix reload" or "postfix > ! stop". This is the default with Postfix version 2.6 and earlier. >

> --- 142,145 ---- >

> ! By default, the information is kept in volatile memory, and is lost > ! after "postfix reload" or "postfix stop". >

> *************** > *** 194,204 **** > database becomes corrupted, the world comes to an end. To recover > ! delete (NOT: truncate) the file and do "postfix reload". >

> > !

Postfix daemon processes do not use root privileges when opening > ! this file (Postfix 2.5 and later). The file must therefore be > ! stored under a Postfix-owned directory such as the data_directory. > ! As a migration aid, an attempt to open the file under a non-Postfix > ! directory is redirected to the Postfix-owned data_directory, and a > ! warning is logged.

> > --- 149,158 ---- > database becomes corrupted, the world comes to an end. To recover > ! delete the file and do "postfix reload". >

> > !

As of version 2.5, Postfix no longer uses root privileges when > ! opening this file. The file should now be stored under the Postfix-owned > ! data_directory. As a migration aid, an attempt to open the file > ! under a non-Postfix directory is redirected to the Postfix-owned > ! data_directory, and a warning is logged.

> > *************** > *** 276,278 **** >
address_verify_poll_count > ! (default: normal: 3, overload: 1)
> > --- 230,232 ---- >
address_verify_poll_count > ! (default: 3)
> > *************** > *** 283,289 **** > > !

By default, the Postfix SMTP server polls the verify(8) service > ! up to three times under non-overload conditions, and only once when > ! under overload. With Postfix version 2.5 and earlier, the SMTP > ! server always polls the verify(8) service up to three times by > ! default.

> > --- 237,241 ---- > > !

> ! The default poll count is 3. > !

> > *************** > *** 291,293 **** > Specify 1 to implement a crude form of greylisting, that is, always > ! defer the first delivery request for a new address. >

> --- 243,245 ---- > Specify 1 to implement a crude form of greylisting, that is, always > ! defer the first delivery request for a never seen before address. >

> *************** > *** 295,297 **** >

> ! Examples: >

> --- 247,249 ---- >

> ! Example: >

> *************** > *** 299,303 **** >
> - # Postfix ≤ 2.6 default
> - address_verify_poll_count = 3
> - # Poor man's greylisting
>   address_verify_poll_count = 1
> --- 251,252 ----
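Review bot: this hunk deletes the `# Poor man's greylisting` comment and the `# Postfix ≤ 2.6 default` / `address_verify_poll_count = 3` example, leaving a bare `address_verify_poll_count = 1` under an "Example:" heading with nothing that says what it does. Taken together with the earlier hunk in the same section, which changes the documented default from "normal: 3, overload: 1" to "3" and drops the paragraph explaining that the SMTP server polls verify(8) only once under overload (the orig text dates the always-three-times behaviour to Postfix 2.5 and earlier), the new side reads like the pre-2.6 text rather than an update. Keep the comment lines, or confirm which Postfix release this page is meant to document before publishing.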
> ***************
> *** 435,447 ****
>   
> - 
address_verify_sender_dependent_default_transport_maps > - (default: $sender_dependent_default_transport_maps)
> - > -

Overrides the sender_dependent_default_transport_maps parameter > - setting for address verification probes.

> - > -

This feature is available in Postfix 2.7 and later.

> - > - > -
> - >
address_verify_sender_dependent_relayhost_maps > --- 384,385 ---- > *************** > *** 461,489 **** > > -
address_verify_sender_ttl > - (default: 0s)
> - > -

The time between changes in the time-dependent portion of address > - verification probe sender addresses. The time-dependent portion is > - appended to the localpart of the address specified with the > - address_verify_sender parameter. This feature is ignored when the > - probe sender addresses is the null sender, i.e. the address_verify_sender > - value is empty or <>.

> - > -

Historically, the probe sender address was fixed. This has > - caused such addresses to end up on spammer mailing lists, and has > - resulted in wasted network and processing resources.

> - > -

To enable time-dependent probe sender addresses, specify a > - non-zero time value (an integral value plus an optional one-letter > - suffix that specifies the time unit). Specify a value of at least > - several hours, to avoid problems with senders that use greylisting. > - Avoid nice TTL values, to make the result less predictable. Time > - units are: s (seconds), m (minutes), h (hours), d (days), w (weeks). > -

> - > -

This feature is available in Postfix 2.9 and later.

> - > - > -
> - >
address_verify_service_name > --- 399,400 ---- > *************** > *** 695,697 **** >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > --- 606,608 ---- >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > *************** > *** 749,762 **** > > -
always_add_missing_headers > - (default: no)
> - > -

Always add (Resent-) From:, To:, Date: or Message-ID: headers > - when not present. Postfix 2.6 and later add these headers only > - when clients match the local_header_rewrite_clients parameter > - setting. Earlier Postfix versions always add these headers; this > - may break DKIM signatures that cover non-existent headers.

> - > - > -
> - >
always_bcc > --- 660,661 ---- > *************** > *** 776,779 **** > To avoid mailer loops, automatic BCC recipients are not generated > ! after Postfix forwards mail internally, or after Postfix generates > ! mail itself.

> > --- 675,678 ---- > To avoid mailer loops, automatic BCC recipients are not generated > ! for mail that Postfix forwards internally, nor for mail that Postfix > ! generates itself.

> > *************** > *** 859,861 **** >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > --- 758,760 ---- >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > *************** > *** 896,898 **** >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > --- 795,797 ---- >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > *************** > *** 906,908 **** > How long the postkick(1) command waits for a request to enter the > ! Postfix daemon process input buffer before giving up. >

> --- 805,807 ---- > How long the postkick(1) command waits for a request to enter the > ! server's input buffer before giving up. >

> *************** > *** 922,924 **** >
authorized_flush_users > ! (default: static:anyone)
> > --- 821,823 ---- >
authorized_flush_users > ! (default: static:anyone)
> > *************** > *** 956,958 **** >
authorized_mailq_users > ! (default: static:anyone)
> > --- 855,857 ---- >
authorized_mailq_users > ! (default: static:anyone)
> > *************** > *** 990,992 **** >
authorized_submit_users > ! (default: static:anyone)
> > --- 889,891 ---- >
authorized_submit_users > ! (default: static:anyone)
> > *************** > *** 1021,1023 **** >
> ! authorized_submit_users = !www, static:all
>   
> --- 920,922 ---- >
> ! authorized_submit_users = !www, static:all
>   
> *************** > *** 1034,1036 **** > > !

What remote SMTP clients are allowed to specify the XVERP command. > This command requests that mail be delivered one recipient at a > --- 933,935 ---- > > !

What SMTP clients are allowed to specify the XVERP command. > This command requests that mail be delivered one recipient at a > *************** > *** 1246,1252 **** >

The maximal amount of original message text that is sent in a > ! non-delivery notification. Specify a byte count. A message is > ! returned as either message/rfc822 (the complete original) or as > ! text/rfc822-headers (the headers only). With Postfix version 2.4 > ! and earlier, a message is always returned as message/rfc822 and is > ! truncated when it exceeds the size limit. >

> --- 1145,1151 ---- >

The maximal amount of original message text that is sent in a > ! non-delivery notification. Specify a byte count. With Postfix 2.4 > ! and later, a message is returned as either message/rfc822 (the > ! complete original) or as text/rfc822-headers (the headers only). > ! With earlier Postfix versions, a message is always returned as > ! message/rfc822 and is truncated when it exceeds the size limit. >

> *************** > *** 1293,1295 **** >

> ! Enable inter-operability with remote SMTP clients that implement an obsolete > version of the AUTH command (RFC 4954). Examples of such clients > --- 1192,1194 ---- >

> ! Enable inter-operability with SMTP clients that implement an obsolete > version of the AUTH command (RFC 4954). Examples of such clients > *************** > *** 1360,1362 **** >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > --- 1259,1261 ---- >

To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

> > *************** > *** 1537,1540 **** > > -

This feature is available in Postfix 2.2 and later.

> - > > --- 1436,1437 ---- > *************** > *** 1568,1593 **** > > !

After the message is queued, send the entire message to the > ! specified transport:destination. The transport name > ! specifies the first field of a mail delivery agent definition in > ! master.cf; the syntax of the next-hop destination is described > ! in the manual page of the corresponding delivery agent. More > ! information about external content filters is in the Postfix > ! FILTER_README file.

> ! > !

Notes:

> ! > !
    > ! > !
  • This setting has lower precedence than a FILTER action > ! that is specified in an access(5), header_checks(5) or body_checks(5) > ! table.

    > ! > !
  • The meaning of an empty next-hop filter destination > ! is version dependent. Postfix 2.7 and later will use the recipient > ! domain; earlier versions will use $myhostname. Specify > ! "default_filter_nexthop = $myhostname" for compatibility with Postfix > ! 2.6 or earlier, or specify a content_filter value with an explicit > ! next-hop destination.

    > > !
> > --- 1465,1477 ---- > > !

> ! The name of a mail delivery transport that filters mail after > ! it is queued. > !

> > !

> ! This parameter uses the same syntax as the right-hand side of a > ! Postfix transport(5) table. This setting has a lower precedence > ! than a content filter that is specified with an access(5) table or > ! in a header_checks(5) or body_checks(5) table. > !

> > *************** > *** 1622,1656 **** > > -
daemon_table_open_error_is_fatal > - (default: no)
> - > -

How a Postfix daemon process handles errors while opening lookup > - tables: gradual degradation or immediate termination.

> - > -
> - > -
no (default)

Gradual degradation: a > - daemon process logs a message of type "error" and continues execution > - with reduced functionality. Features that do not depend on the > - unavailable table will work normally, while features that depend > - on the table will result in a type "warning" message.
When > - the notify_classes parameter value contains the "data" class, the > - Postfix SMTP server and client will report transcripts of sessions > - with an error because a table is unavailable.

> - > -
yes (historical behavior)

Immediate > - termination: a daemon process logs a type "fatal" message and > - terminates immediately. This option reduces the number of possible > - code paths through Postfix, and may therefore be slightly more > - secure than the default.

> - > -
> - > -

For the sake of sanity, the number of type "error" messages is > - limited to 13 over the lifetime of a daemon process.

> - > -

This feature is available in Postfix 2.9 and later.

> - > - > -
> - >
daemon_timeout > --- 1506,1507 ---- > *************** > *** 1711,1713 **** > debug_peer_list = 127.0.0.1 > ! debug_peer_list = example.com >
> --- 1562,1564 ---- > debug_peer_list = 127.0.0.1 > ! debug_peer_list = some.domain > > *************** > *** 1960,1962 **** > > !

Use transport_destination_concurrency_negative_feedback > to specify a transport-specific override, where transport > --- 1811,1813 ---- > > !

Use transport_destination_concurrency_negative_feedback > to specify a transport-specific override, where transport > *************** > *** 2033,2036 **** >

NOTE: the delay is enforced by the queue manager. The delay > ! timer state does not survive "postfix reload" or "postfix > ! stop". >

> --- 1884,1886 ---- >

NOTE: the delay is enforced by the queue manager. The delay > ! timer state does not survive "postfix reload" or "postfix stop". >

> *************** > *** 2042,2048 **** > > -

NOTE: with a non-zero _destination_rate_delay, specify a > - transport_destination_concurrency_failed_cohort_limit of 10 > - or more to prevent Postfix from deferring all mail for the same > - destination after only one connection or handshake error.

> - >

This feature is available in Postfix 2.5 and later.

> --- 1892,1893 ---- > *************** > *** 2093,2109 **** > > -
default_filter_nexthop > - (default: empty)
> - > -

When a content_filter or FILTER request specifies no explicit > - next-hop destination, use $default_filter_nexthop instead; when > - that value is empty, use the domain in the recipient address. > - Specify "default_filter_nexthop = $myhostname" for compatibility > - with Postfix version 2.6 and earlier, or specify an explicit next-hop > - destination with each content_filter value or FILTER action.

> - > -

This feature is available in Postfix 2.7 and later.

> - > - > -
> - >
default_minimum_delivery_slots > --- 1938,1939 ---- > *************** > *** 2156,2158 **** >

> ! The default Postfix SMTP server response template for a request that is > rejected by an RBL-based restriction. This template can be overruled > --- 1986,1988 ---- >

> ! The default SMTP server response template for a request that is > rejected by an RBL-based restriction. This template can be overruled > *************** > *** 2346,2356 **** > $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, > ! or $relay_domains. This information can be overruled with the > ! sender_dependent_default_transport_maps parameter and with the > ! transport(5) table.

> ! > !

> ! In order of decreasing precedence, the nexthop destination is taken > ! from $sender_dependent_default_transport_maps, $default_transport, > $sender_dependent_relayhost_maps, $relayhost, or from the recipient > ! domain. >

> --- 2176,2182 ---- > $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, > ! or $relay_domains. In order of decreasing precedence, the nexthop > ! destination is taken from $default_transport, > $sender_dependent_relayhost_maps, $relayhost, or from the recipient > ! domain. This information can be overruled with the transport(5) > ! table. >

> *************** > *** 2360,2363 **** > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop destination is optional; its syntax is documented > ! in the manual page of the corresponding delivery agent. >

> --- 2186,2189 ---- > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop part is optional. For more details see the > ! transport(5) manual page. >

> *************** > *** 2462,2464 **** > > !
  • c = time in connection setup, including DNS, EHLO and STARTTLS > > --- 2288,2290 ---- > > !
  • c = time in connection setup, including DNS, EHLO and TLS > > *************** > *** 2651,2673 **** > > -
    dnsblog_reply_delay > - (default: 0s)
    > - > -

    A debugging aid to artifically delay DNS responses.

    > - > -

    This feature is available in Postfix 2.8.

    > - > - > -
    > - > -
    dnsblog_service_name > - (default: dnsblog)
    > - > -

    The name of the dnsblog(8) service entry in master.cf. This > - service performs DNS white/blacklist lookups.

    > - > -

    This feature is available in Postfix 2.8 and later.

    > - > - > -
    > - >
    dont_remove > --- 2477,2478 ---- > *************** > *** 2704,2716 **** > > -
    empty_address_default_transport_maps_lookup_key > - (default: <>)
    > - > -

    The sender_dependent_default_transport_maps search string that > - will be used instead of the null sender address.

    > - > -

    This feature is available in Postfix 2.7 and later.

    > - > - > -
    > - >
    empty_address_recipient > --- 2509,2510 ---- > *************** > *** 2752,2839 **** > > -
    enable_long_queue_ids > - (default: no)
    > - > -

    Enable long, non-repeating, queue IDs (queue file names). The > - benefit of non-repeating names is simpler logfile analysis and > - easier queue migration (there is no need to run "postsuper" to > - change queue file names that don't match their message file inode > - number).

    > - > -

    Note: see below for how to prepare long queue file names > - for migration to Postfix ≤ 2.8.

    > - > -

    Changing the parameter value to "yes" has the following effects: > -

    > - > -
      > - > -
    • Existing queue file names are not affected.

      > - > -
    • New queue files are created with names such as 3Pt2mN2VXxznjll. > - These are encoded in a 52-character alphabet that contains digits > - (0-9), upper-case letters (B-Z) and lower-case letters (b-z). For > - safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet. > - The name format is: 6 or more characters for the time in seconds, > - 4 characters for the time in microseconds, the 'z'; the remainder > - is the file inode number encoded in the first 51 characters of the > - 52-character alphabet.

      > - > -
    • New messages have a Message-ID header with > - queueID@myhostname.

      > - > -
    • The mailq (postqueue -p) output has a wider Queue ID column. > - The number of whitespace-separated fields is not changed.

      > - > -

    • The hash_queue_depth algorithm uses the first characters > - of the queue file creation time in microseconds, after conversion > - into hexadecimal representation. This produces the same queue hashing > - behavior as if the queue file name was created with "enable_long_queue_ids > - = no".

      > - > -
    > - > -

    Changing the parameter value to "no" has the following effects: > -

    > - > -
      > - > -
    • Existing long queue file names are renamed to the short > - form (while running "postfix reload" or "postsuper").

      > - > -
    • New queue files are created with names such as C3CD21F3E90 > - from a hexadecimal alphabet that contains digits (0-9) and upper-case > - letters (A-F). The name format is: 5 characters for the time in > - microseconds; the remainder is the file inode number.

      > - > -
    • New messages have a Message-ID header with > - YYYYMMDDHHMMSS.queueid@myhostname, where > - YYYYMMDDHHMMSS are the year, month, day, hour, minute and > - second. > - > -

    • The mailq (postqueue -p) output has the same format as > - with Postfix ≤ 2.8.

      > - > -

    • The hash_queue_depth algorithm uses the first characters > - of the queue file name, with the hexadecimal representation of the > - file creation time in microseconds.

      > - > -
    > - > -

    Before migration to Postfix ≤ 2.8, the following commands > - are required to convert long queue file names into short names:

    > - > -
    > - # postfix stop
    > - # postconf enable_long_queue_ids=no
    > - # postsuper
    > - 
    > - > -

    Repeat the postsuper command until it reports no more queue file > - name changes.

    > - > -

    This feature is available in Postfix 2.9 and later.

    > - > - > -
    > - >
    enable_original_recipient > --- 2546,2547 ---- > *************** > *** 3254,3267 **** > The number of subdirectory levels for queue directories listed with > ! the hash_queue_names parameter. Queue hashing is implemented by > ! creating one or more levels of directories with one-character names. > ! Originally, these directory names were equal to the first characters > ! of the queue file name, with the hexadecimal representation of the > ! file creation time in microseconds.

    > ! > !

    With long queue file names, queue hashing produces the same > ! results as with short names. The file creation time in microseconds > ! is converted into hexadecimal form before the result is used for > ! queue hashing. The base 16 encoding gives finer control over the > ! number of subdirectories than is possible with the base 52 encoding > ! of long queue file names.

    > > --- 2962,2965 ---- > The number of subdirectory levels for queue directories listed with > ! the hash_queue_names parameter. > !

    > > *************** > *** 3460,3462 **** >

    > ! With the default 100 Postfix SMTP server process limit, "in_flow_delay > = 1s" limits the mail inflow to 100 messages per second above the > --- 3158,3160 ---- >

    > ! With the default 100 SMTP server process limit, "in_flow_delay > = 1s" limits the mail inflow to 100 messages per second above the > *************** > *** 3497,3500 **** > "inside" and "outside" interfaces, this can prevent each instance from > ! being able to reach remote SMTP servers on the "other side" of the > ! firewall. Setting > smtp_bind_address to 0.0.0.0 avoids the potential problem for > --- 3195,3197 ---- > "inside" and "outside" interfaces, this can prevent each instance from > ! being able to reach servers on the "other side" of the firewall. Setting > smtp_bind_address to 0.0.0.0 avoids the potential problem for > *************** > *** 3536,3538 **** >

    inet_protocols > ! (default: all)
    > > --- 3233,3235 ---- >
    inet_protocols > ! (default: ipv4)
    > > *************** > *** 3544,3552 **** > > -

    With Postfix 2.8 and earlier the default is "ipv4". For backwards > - compatibility with these releases, the Postfix 2.9 and later upgrade > - procedure appends an explicit "inet_protocols = ipv4" setting to > - main.cf when no explicit setting is present. This compatibility > - workaround will be phased out as IPv6 deployment becomes more common. > -

    > - >

    This feature is available in Postfix 2.2 and later.

    > --- 3241,3242 ---- > *************** > *** 3564,3566 **** >

    When IPv4 support is enabled via the inet_protocols parameter, > ! Postfix will look up DNS type A records, and will convert > IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original > --- 3254,3256 ---- >

    When IPv4 support is enabled via the inet_protocols parameter, > ! Postfix will to DNS type A record lookups, and will convert > IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original > *************** > *** 3581,3584 **** >

    > ! inet_protocols = ipv4
    > ! inet_protocols = all (DEFAULT)
    >   inet_protocols = ipv6
    > --- 3271,3274 ----
    >   
    > ! inet_protocols = ipv4 (DEFAULT)
    > ! inet_protocols = all
    >   inet_protocols = ipv6
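Review bot: the `(DEFAULT)` marker moves from `inet_protocols = all` to `inet_protocols = ipv4` here, and the hunk two sections earlier flips the documented default the same way while deleting the paragraph that explains it (Postfix 2.8 and earlier defaulted to ipv4; the 2.9 and later upgrade procedure appends an explicit `inet_protocols = ipv4` to main.cf when no setting is present). If this page is meant to track current Postfix, that is a regression to the pre-2.9 text; if it is meant to document an older release, the deleted paragraph is still the only place a reader learns why the upgrade wrote that line into their main.cf. Verify the default with `postconf -d inet_protocols` on the target release rather than taking either side of the diff on trust.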
    > ***************
    > *** 3659,3663 ****
    >   The time after which a client closes an idle internal communication
    > ! channel.  The purpose is to allow Postfix daemon processes to
    > ! terminate voluntarily after they become idle. This is used, for
    > ! example, by the Postfix address resolving and rewriting clients.
    >   

    > --- 3349,3353 ---- > The time after which a client closes an idle internal communication > ! channel. The purpose is to allow servers to terminate voluntarily > ! after they become idle. This is used, for example, by the address > ! resolving and rewriting clients. >

    > *************** > *** 3697,3702 **** > The time after which a client closes an active internal communication > ! channel. The purpose is to allow Postfix daemon processes to > ! terminate voluntarily > after reaching their client limit. This is used, for example, by > ! the Postfix address resolving and rewriting clients. >

    > --- 3387,3391 ---- > The time after which a client closes an active internal communication > ! channel. The purpose is to allow servers to terminate voluntarily > after reaching their client limit. This is used, for example, by > ! the address resolving and rewriting clients. >

    > *************** > *** 3724,3749 **** > > -
    lmtp_address_preference > - (default: ipv6)
    > - > -

    The LMTP-specific version of the smtp_address_preference > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.8 and later.

    > - > - > -
    > - > -
    lmtp_assume_final > - (default: no)
    > - > -

    When a remote LMTP server announces no DSN support, assume that > - the > - server performs final delivery, and send "delivered" delivery status > - notifications instead of "relayed". The default setting is backwards > - compatible to avoid the infinetisimal possibility of breaking > - existing LMTP-based content filters.

    > - > - > -
    > - >
    lmtp_bind_address > --- 3413,3414 ---- > *************** > *** 3770,3782 **** > > -
    lmtp_body_checks > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_body_checks configuration > - parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.5 and later.

    > - > - > -
    > - >
    lmtp_cache_connection > --- 3435,3436 ---- > *************** > *** 3790,3800 **** > > -

    This parameter is available in Postfix version 2.2 and earlier. > - With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand, > - lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit. > -

    > - >

    > The effectiveness of cached connections will be determined by the > ! number of remote LMTP servers in use, and the concurrency limit specified > ! for the Postfix LMTP client. Cached connections are closed under any of > the following conditions: > --- 3444,3449 ---- > >

    > The effectiveness of cached connections will be determined by the > ! number of LMTP servers in use, and the concurrency limit specified > ! for the LMTP client. Cached connections are closed under any of > the following conditions: > *************** > *** 3804,3806 **** > > !

  • The Postfix LMTP client idle time limit is reached. This limit is > specified with the Postfix max_idle configuration parameter. > --- 3453,3455 ---- > > !
  • The LMTP client idle time limit is reached. This limit is > specified with the Postfix max_idle configuration parameter. > *************** > *** 3814,3816 **** > > !
  • Upon the onset of another delivery request, the remote LMTP server > associated with the current session does not respond to the RSET > --- 3463,3465 ---- > > !
  • Upon the onset of another delivery request, the LMTP server > associated with the current session does not respond to the RSET > *************** > *** 3821,3823 **** >

    > ! Most of these limitations have been with the Postfix > a connection cache that is shared among multiple LMTP client > --- 3470,3472 ---- >

    > ! Most of these limitations will be removed after Postfix implements > a connection cache that is shared among multiple LMTP client > *************** > *** 3843,3845 **** > > !

    The Postfix LMTP client time limit for completing a TCP connection, or > zero (use the operating system built-in time limit). When no > --- 3492,3494 ---- > > !

    The LMTP client time limit for completing a TCP connection, or > zero (use the operating system built-in time limit). When no > *************** > *** 3912,3917 **** > > !

    The Postfix LMTP client time limit for sending the LMTP ".", > ! and for receiving the remote LMTP server response. When no response > ! is received within the deadline, a warning is logged that the mail > ! may be delivered multiple times.

    > > --- 3561,3566 ---- > > !

    The LMTP client time limit for sending the LMTP ".", and for > ! receiving the server response. When no response is received within > ! the deadline, a warning is logged that the mail may be delivered > ! multiple times.

    > > *************** > *** 3929,3933 **** >

    > ! The Postfix LMTP client time limit for sending the LMTP DATA command, > ! and > ! for receiving the remote LMTP server response. >

    > --- 3578,3581 ---- >

    > ! The LMTP client time limit for sending the LMTP DATA command, and > ! for receiving the server response. >

    > *************** > *** 3946,3949 **** >

    > ! The Postfix LMTP client time limit for sending the LMTP message > ! content. > When the connection stalls for more than $lmtp_data_xfer_timeout > --- 3594,3596 ---- >

    > ! The LMTP client time limit for sending the LMTP message content. > When the connection stalls for more than $lmtp_data_xfer_timeout > *************** > *** 4002,4005 **** > case insensitive lists of LHLO keywords (pipelining, starttls, > ! auth, etc.) that the Postfix LMTP client will ignore in the LHLO > ! response > from a remote LMTP server. See lmtp_discard_lhlo_keywords for > --- 3649,3651 ---- > case insensitive lists of LHLO keywords (pipelining, starttls, > ! auth, etc.) that the LMTP client will ignore in the LHLO response > from a remote LMTP server. See lmtp_discard_lhlo_keywords for > *************** > *** 4017,4020 **** >

    A case insensitive list of LHLO keywords (pipelining, starttls, > ! auth, etc.) that the Postfix LMTP client will ignore in the LHLO > ! response > from a remote LMTP server.

    > --- 3663,3665 ---- >

    A case insensitive list of LHLO keywords (pipelining, starttls, > ! auth, etc.) that the LMTP client will ignore in the LHLO response > from a remote LMTP server.

    > *************** > *** 4038,4050 **** > > -
    lmtp_dns_resolver_options > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_dns_resolver_options > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.8 and later.

    > - > - > -
    > - >
    lmtp_enforce_tls > --- 3683,3684 ---- > *************** > *** 4071,4083 **** > > -
    lmtp_header_checks > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_header_checks configuration > - parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.5 and later.

    > - > - > -
    > - >
    lmtp_host_lookup > --- 3705,3706 ---- > *************** > *** 4114,4116 **** > /etc/postfix/master.cf: > ! mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com >
  • > --- 3737,3739 ---- > /etc/postfix/master.cf: > ! mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com >
    > *************** > *** 4128,4131 **** > > !

    The Postfix LMTP client time limit for sending the LHLO command, > ! and for receiving the initial remote LMTP server response.

    > > --- 3751,3754 ---- > > !

    The LMTP client time limit for sending the LHLO command, and > ! for receiving the initial server response.

    > > *************** > *** 4152,4155 **** >

    > ! The Postfix LMTP client time limit for sending the MAIL FROM command, > ! and for receiving the remote LMTP server response. >

    > --- 3775,3778 ---- >

    > ! The LMTP client time limit for sending the MAIL FROM command, and > ! for receiving the server response. >

    > *************** > *** 4164,4176 **** > > -
    lmtp_mime_header_checks > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_mime_header_checks > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.5 and later.

    > - > - > -
    > - >
    lmtp_mx_address_limit > --- 3787,3788 ---- > *************** > *** 4197,4220 **** > > -
    lmtp_nested_header_checks > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_nested_header_checks > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.5 and later.

    > - > - > -
    > - > -
    lmtp_per_record_deadline > - (default: no)
    > - > -

    The LMTP-specific version of the smtp_per_record_deadline > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.9 and later.

    > - > - > -
    > - >
    lmtp_pix_workaround_delay_time > --- 3809,3810 ---- > *************** > *** 4267,4270 **** >

    > ! The Postfix LMTP client time limit for sending the QUIT command, > ! and for receiving the remote LMTP server response. >

    > --- 3857,3860 ---- >

    > ! The LMTP client time limit for sending the QUIT command, and for > ! receiving the server response. >

    > *************** > *** 4305,4308 **** >

    > ! The Postfix LMTP client time limit for sending the RCPT TO command, > ! and for receiving the remote LMTP server response. >

    > --- 3895,3898 ---- >

    > ! The LMTP client time limit for sending the RCPT TO command, and > ! for receiving the server response. >

    > *************** > *** 4317,4329 **** > > -
    lmtp_reply_filter > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_reply_filter > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.7 and later.

    > - > - > -
    > - >
    lmtp_rset_timeout > --- 3907,3908 ---- > *************** > *** 4331,4335 **** > > !

    The Postfix LMTP client time limit for sending the RSET command, > ! and for receiving the remote LMTP server response. The LMTP client > ! sends RSET in > order to finish a recipient address probe, or to verify that a > --- 3910,3913 ---- > > !

    The LMTP client time limit for sending the RSET command, and > ! for receiving the server response. The LMTP client sends RSET in > order to finish a recipient address probe, or to verify that a > *************** > *** 4403,4405 **** >

    > ! Optional Postfix LMTP client lookup tables with one username:password entry > per host or domain. If a remote host or domain has no username:password > --- 3981,3983 ---- >

    > ! Optional LMTP client lookup tables with one username:password entry > per host or domain. If a remote host or domain has no username:password > *************** > *** 4503,4515 **** > > -

    lmtp_send_dummy_mail_auth > - (default: no)
    > - > -

    The LMTP-specific version of the smtp_send_dummy_mail_auth > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.9 and later.

    > - > - > -
    > - >
    lmtp_send_xforward_command > --- 4081,4082 ---- > *************** > *** 4518,4520 **** >

    > ! Send an XFORWARD command to the remote LMTP server when the LMTP LHLO > server response announces XFORWARD support. This allows an lmtp(8) > --- 4085,4087 ---- >

    > ! Send an XFORWARD command to the LMTP server when the LMTP LHLO > server response announces XFORWARD support. This allows an lmtp(8) > *************** > *** 4609,4621 **** > > -

    lmtp_tls_block_early_mail_reply > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_tls_block_early_mail_reply > - configuration parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.7 and later.

    > - > - > -
    > - >
    lmtp_tls_cert_file > --- 4176,4177 ---- > *************** > *** 4631,4643 **** > > -
    lmtp_tls_ciphers > - (default: export)
    > - > -

    The LMTP-specific version of the smtp_tls_ciphers configuration > - parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - >
    lmtp_tls_dcert_file > --- 4187,4188 ---- > *************** > *** 4664,4673 **** > > !
    lmtp_tls_eccert_file > ! (default: empty)
    > > !

    The LMTP-specific version of the smtp_tls_eccert_file configuration > ! parameter. See there for details.

    > > !

    This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

    > > --- 4209,4217 ---- > > !
    lmtp_tls_enforce_peername > ! (default: yes)
    > > !

    The LMTP-specific version of the smtp_tls_enforce_peername > ! configuration parameter. See there for details.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 4676,4707 **** > > !
    lmtp_tls_eckey_file > (default: empty)
    > > !

    The LMTP-specific version of the smtp_tls_eckey_file configuration > ! parameter. See there for details.

    > > !

    This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

    > ! > ! > !
    > ! > !
    lmtp_tls_enforce_peername > ! (default: yes)
    > ! > !

    The LMTP-specific version of the smtp_tls_enforce_peername > ! configuration parameter. See there for details.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    lmtp_tls_exclude_ciphers > ! (default: empty)
    > ! > !

    The LMTP-specific version of the smtp_tls_exclude_ciphers > ! configuration parameter. See there for details.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > > --- 4220,4228 ---- > > !
    lmtp_tls_exclude_ciphers > (default: empty)
    > > !

    The LMTP-specific version of the smtp_tls_exclude_ciphers > ! configuration parameter. See there for details.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 4820,4832 **** > > -
    lmtp_tls_protocols > - (default: empty)
    > - > -

    The LMTP-specific version of the smtp_tls_protocols configuration > - parameter. See there for details.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - >
    lmtp_tls_scert_verifydepth > --- 4341,4342 ---- > *************** > *** 4912,4915 **** >

    > ! The Postfix LMTP client time limit for sending the XFORWARD command, > ! and for receiving the remote LMTP server response. >

    > --- 4422,4425 ---- >

    > ! The LMTP client time limit for sending the XFORWARD command, and > ! for receiving the server response. >

    > *************** > *** 4939,4943 **** > By default, non-Postfix commands are executed directly; commands > ! are given to given to the default shell (typically, /bin/sh) only > ! when they contain shell meta characters or shell built-in commands. > !

    > > --- 4449,4452 ---- > By default, non-Postfix commands are executed directly; commands > ! are given to given to /bin/sh only when they contain shell meta > ! characters or shell built-in commands.

    > > *************** > *** 4957,4959 **** > local_command_shell = /some/where/smrsh -c > - local_command_shell = /bin/bash -c > > --- 4466,4467 ---- > *************** > *** 5038,5041 **** >
    Append the domain name in $myorigin or $mydomain when the > ! remote SMTP client TLS certificate fingerprint or public key fingerprint > ! (Postfix 2.9 and later) is listed in $relay_clientcerts. > The fingerprint digest algorithm is configurable via the > --- 4546,4548 ---- >
    Append the domain name in $myorigin or $mydomain when the > ! client TLS certificate fingerprint is listed in $relay_clientcerts. > The fingerprint digest algorithm is configurable via the > *************** > *** 5047,5049 **** >
    Append the domain name in $myorigin or $mydomain when the > ! remote SMTP client TLS certificate is successfully verified, regardless of > whether it is listed on the server, and regardless of the certifying > --- 4554,4556 ---- >
    Append the domain name in $myorigin or $mydomain when the > ! client TLS certificate is successfully verified, regardless of > whether it is listed on the server, and regardless of the certifying > *************** > *** 5070,5072 **** >
    > ! local_header_rewrite_clients = static:all
    >   
    > --- 4577,4579 ---- >
    > ! local_header_rewrite_clients = static:all
    >   
    > *************** > *** 5178,5181 **** > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop destination is optional; its syntax is documented > ! in the manual page of the corresponding delivery agent. >

    > --- 4685,4688 ---- > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop part is optional. For more details see the > ! transport(5) manual page. >

    > *************** > *** 5626,5629 **** > client request is blocked by the reject_rbl_client, reject_rhsbl_client, > ! reject_rhsbl_reverse_client, reject_rhsbl_sender or > ! reject_rhsbl_recipient restriction. >

    > --- 5133,5135 ---- > client request is blocked by the reject_rbl_client, reject_rhsbl_client, > ! reject_rhsbl_sender or reject_rhsbl_recipient restriction. >

    > *************** > *** 5715,5717 **** >

    To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

    > > --- 5221,5223 ---- >

    To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

    > > *************** > *** 5763,5797 **** > > -
    master_service_disable > - (default: empty)
    > - > -

    Selectively disable master(8) listener ports by service type > - or by service name and type. Specify a list of service types > - ("inet", "unix", "fifo", or "pass") or "name.type" tuples, where > - "name" is the first field of a master.cf entry and "type" is a > - service type. As with other Postfix matchlists, a search stops at > - the first match. Specify "!pattern" to exclude a service from the > - list. By default, all master(8) listener ports are enabled.

    > - > -

    Note: this feature does not support "/file/name" or "type:table" > - patterns, nor does it support wildcards such as "*" or "all". This > - is intentional.

    > - > -

    Examples:

    > - > -
    > - # Turn on all master(8) listener ports (the default).
    > - master_service_disable =
    > - # Turn off only the main SMTP listener port.
    > - master_service_disable = smtp.inet
    > - # Turn off all TCP/IP listener ports.
    > - master_service_disable = inet
    > - # Turn off all TCP/IP listener ports except "foo".
    > - master_service_disable = !foo.inet, inet
    > - 
    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - >
    max_idle > --- 5269,5270 ---- > *************** > *** 5874,5882 **** > > -

    Note 1: this feature does not recognize text that requires MIME > - decoding. It inspects raw message content, just like header_checks > - and body_checks.

    > - > -

    Note 2: this feature is disabled with "receive_override_options > - = no_header_body_checks".

    > - >

    Example:

    > --- 5347,5348 ---- > *************** > *** 5915,5923 **** > > -

    Note 1: this feature does not recognize text that requires MIME > - decoding. It inspects raw message content, just like header_checks > - and body_checks.

    > - > -

    Note 2: this feature is disabled with "receive_override_options > - = no_header_body_checks".

    > - >

    Example:

    > --- 5381,5382 ---- > *************** > *** 5951,5953 **** >
    milter_connect_macros > ! (default: see "postconf -d" output)
    > > --- 5410,5412 ---- >
    milter_connect_macros > ! (default: see postconf -n output)
    > > *************** > *** 5997,5999 **** >
    milter_data_macros > ! (default: see "postconf -d" output)
    > > --- 5456,5458 ---- >
    milter_data_macros > ! (default: see postconf -n output)
    > > *************** > *** 6025,6029 **** > > -
    quarantine
    Like "accept", but freeze the message in > - the "hold" queue. Available with Postfix 2.6 and later.
    > - > > --- 5484,5485 ---- > *************** > *** 6036,6038 **** >
    milter_end_of_data_macros > ! (default: see "postconf -d" output)
    > > --- 5492,5494 ---- >
    milter_end_of_data_macros > ! (default: see postconf -n output)
    > > *************** > *** 6048,6050 **** >
    milter_end_of_header_macros > ! (default: see "postconf -d" output)
    > > --- 5504,5506 ---- >
    milter_end_of_header_macros > ! (default: see postconf -n output)
    > > *************** > *** 6059,6094 **** > > -
    milter_header_checks > - (default: empty)
    > - > -

    Optional lookup tables for content inspection of message headers > - that are produced by Milter applications. See the header_checks(5) > - manual page available actions. Currently, PREPEND is not implemented. > -

    > - > -

    The following example sends all mail that is marked as SPAM to > - a spam handling machine. Note that matches are case-insensitive > - by default.

    > - > -
    > - /etc/postfix/main.cf:
    > -     milter_header_checks = pcre:/etc/postfix/milter_header_checks
    > - 
    > - > -
    > - /etc/postfix/milter_header_checks:
    > -     /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
    > - 
    > - > -

    The milter_header_checks mechanism could also be used for > - whitelisting. For example it could be used to skip heavy content > - inspection for DKIM-signed mail from known friendly domains.

    > - > -

    This feature is available in Postfix 2.7, and as an optional > - patch for Postfix 2.6.

    > - > - > -
    > - >
    milter_helo_macros > ! (default: see "postconf -d" output)
    > > --- 5515,5518 ---- > >
    milter_helo_macros > ! (default: see postconf -n output)
    > > *************** > *** 6129,6131 **** >
    milter_mail_macros > ! (default: see "postconf -d" output)
    > > --- 5553,5555 ---- >
    milter_mail_macros > ! (default: see postconf -n output)
    > > *************** > *** 6141,6147 **** >
    milter_protocol > ! (default: 6)
    > >

    The mail filter protocol version and optional protocol extensions > ! for communication with a Milter application; prior to Postfix 2.6 > ! the default protocol is 2. Postfix > sends this version number during the initial protocol handshake. > --- 5565,5570 ---- >

    milter_protocol > ! (default: 2)
    > >

    The mail filter protocol version and optional protocol extensions > ! for communication with a Milter (mail filter) application. Postfix > sends this version number during the initial protocol handshake. > *************** > *** 6155,6158 **** >

    2
    Use Sendmail 8 mail filter protocol version 2 (default > ! with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. > ! 2.5).
    > > --- 5578,5580 ---- >
    2
    Use Sendmail 8 mail filter protocol version 2 (default > ! as of Sendmail version 8.11).
    > > *************** > *** 6163,6165 **** >
    6
    Use Sendmail 8 mail filter protocol version 6 (default > ! with Sendmail version 8.14 and Postfix version 2.6).
    > > --- 5585,5587 ---- >
    6
    Use Sendmail 8 mail filter protocol version 6 (default > ! as of Sendmail version 8.14).
    > > *************** > *** 6182,6184 **** >
    milter_rcpt_macros > ! (default: see "postconf -d" output)
    > > --- 5604,5606 ---- >
    milter_rcpt_macros > ! (default: see postconf -n output)
    > > *************** > *** 6194,6196 **** >
    milter_unknown_command_macros > ! (default: see "postconf -d" output)
    > > --- 5616,5618 ---- >
    milter_unknown_command_macros > ! (default: see postconf -n output)
    > > *************** > *** 6275,6361 **** > > -
    multi_instance_directories > - (default: empty)
    > - > -

    An optional list of non-default Postfix configuration directories; > - these directories belong to additional Postfix instances that share > - the Postfix executable files and documentation with the default > - Postfix instance, and that are started, stopped, etc., together > - with the default Postfix instance. Specify a list of pathnames > - separated by comma or whitespace.

    > - > -

    When $multi_instance_directories is empty, the postfix(1) command > - runs in single-instance mode and operates on a single Postfix > - instance only. Otherwise, the postfix(1) command runs in multi-instance > - mode and invokes the multi-instance manager specified with the > - multi_instance_wrapper parameter. The multi-instance manager in > - turn executes postfix(1) commands for the default instance and for > - all Postfix instances in $multi_instance_directories.

    > - > -

    Currently, this parameter setting is ignored except for the > - default main.cf file.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - > -
    multi_instance_enable > - (default: no)
    > - > -

    Allow this Postfix instance to be started, stopped, etc., by a > - multi-instance manager. By default, new instances are created in > - a safe state that prevents them from being started inadvertently. > - This parameter is reserved for the multi-instance manager.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - > -
    multi_instance_group > - (default: empty)
    > - > -

    The optional instance group name of this Postfix instance. A > - group identifies closely-related Postfix instances that the > - multi-instance manager can start, stop, etc., as a unit. This > - parameter is reserved for the multi-instance manager.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - > -
    multi_instance_name > - (default: empty)
    > - > -

    The optional instance name of this Postfix instance. This name > - becomes also the default value for the syslog_name parameter.

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - > -
    multi_instance_wrapper > - (default: empty)
    > - > -

    The pathname of a multi-instance manager command that the > - postfix(1) command invokes when the multi_instance_directories > - parameter value is non-empty. The pathname may be followed by > - initial command arguments separated by whitespace; shell > - metacharacters such as quotes are not supported in this context. > -

    > - > -

    The postfix(1) command invokes the manager command with the > - postfix(1) non-option command arguments on the manager command line, > - and with all installation configuration parameters exported into > - the manager command process environment. The manager command in > - turn invokes the postfix(1) command for individual Postfix instances > - as "postfix -c config_directory command".

    > - > -

    This feature is available in Postfix 2.6 and later.

    > - > - > -
    > - >
    multi_recipient_bounce_reject_code > --- 5697,5698 ---- > *************** > *** 6449,6452 **** > The internet domain name of this mail system. The default is to > ! use $myhostname minus the first component, or "localdomain" (Postfix > ! 2.3 and later). $mydomain is used as > a default value for many other configuration parameters. > --- 5786,5788 ---- > The internet domain name of this mail system. The default is to > ! use $myhostname minus the first component. $mydomain is used as > a default value for many other configuration parameters. > *************** > *** 6470,6475 **** > The internet hostname of this mail system. The default is to use > ! the fully-qualified domain name (FQDN) from gethostname(), or to > ! use the non-FQDN result from gethostname() and append ".$mydomain". > ! $myhostname is used as a default value for many other configuration > ! parameters.

    > > --- 5806,5810 ---- > The internet hostname of this mail system. The default is to use > ! the fully-qualified domain name from gethostname(). $myhostname is > ! used as a default value for many other configuration parameters. > !

    > > *************** > *** 6480,6482 **** >
    > ! myhostname = host.example.com
    >   
    > --- 5815,5817 ---- >
    > ! myhostname = host.domain.tld
    >   
    > *************** > *** 6490,6492 **** >

    > ! The list of "trusted" remote SMTP clients that have more privileges than > "strangers". > --- 5825,5827 ---- >

    > ! The list of "trusted" SMTP clients that have more privileges than > "strangers". > *************** > *** 6559,6561 **** >

  • Specify "mynetworks_style = subnet" when Postfix > ! should "trust" remote SMTP clients in the same IP subnetworks as the local > machine. On Linux, this works correctly only with interfaces > --- 5894,5896 ---- >

  • Specify "mynetworks_style = subnet" when Postfix > ! should "trust" SMTP clients in the same IP subnetworks as the local > machine. On Linux, this works correctly only with interfaces > *************** > *** 6564,6566 **** >

  • Specify "mynetworks_style = class" when Postfix should > ! "trust" remote SMTP clients in the same IP class A/B/C networks as the > local machine. Don't do this with a dialup site - it would cause > --- 5899,5901 ---- >

  • Specify "mynetworks_style = class" when Postfix should > ! "trust" SMTP clients in the same IP class A/B/C networks as the > local machine. Don't do this with a dialup site - it would cause > *************** > *** 6645,6648 **** > via the Postfix qmqpd(8) server, and old mail that is re-injected > ! into the queue with "postsuper -r". Specify space or comma as > ! separator. See the MILTER_README document for details.

    > > --- 5980,5983 ---- > via the Postfix qmqpd(8) server, and old mail that is re-injected > ! into the queue with "postsuper -r". See the MILTER_README document > ! for details.

    > > *************** > *** 6688,6697 **** > > -
    data
    > - > -
    Send the postmaster a transcript of the SMTP session with an > - error because a critical data file was unavailable. The notification > - is sent to the address specified with the error_notice_recipient > - configuration parameter (default: postmaster).
    This feature > - is available in Postfix 2.9 and later.
    > - >
    delay
    > --- 6023,6024 ---- > *************** > *** 6778,6781 **** > only domains whose primary MX hosts match the listed networks. > ! The parameter value syntax is the same as with the mynetworks > ! parameter; note, however, that the default value is empty.

    > > --- 6105,6107 ---- > only domains whose primary MX hosts match the listed networks. > !

    > > *************** > *** 6812,6834 **** > > !
    postmulti_control_commands > ! (default: reload flush)
    > ! > !

    The postfix(1) commands that the postmulti(1) instance manager > ! treats as "control" commands, that operate on running instances. For > ! these commands, disabled instances are skipped.

    > ! > !

    This feature is available in Postfix 2.6 and later.

    > > > !
    > > !
    postmulti_start_commands > ! (default: start)
    > > !

    The postfix(1) commands that the postmulti(1) instance manager treats > ! as "start" commands. For these commands, disabled instances are "checked" > ! rather than "started", and failure to "start" a member instance of an > ! instance group will abort the start-up of later instances.

    > > !

    This feature is available in Postfix 2.6 and later.

    > > --- 6138,6165 ---- > > !
    prepend_delivered_header > ! (default: command, file, forward)
    > > +

    The message delivery contexts where the Postfix local(8) delivery > + agent prepends a Delivered-To: message header with the address > + that the mail was delivered to. This information is used for mail > + delivery loop detection.

    > > !

    > ! By default, the Postfix local delivery agent prepends a Delivered-To: > ! header when forwarding mail and when delivering to file (mailbox) > ! and command. Turning off the Delivered-To: header when forwarding > ! mail is not recommended. > !

    > > !

    > ! Specify zero or more of forward, file, or command. > !

    > > !

    > ! Example: > !

    > > !
    > ! prepend_delivered_header = forward
    > ! 
    > > *************** > *** 6837,6846 **** > > !
    postmulti_stop_commands > ! (default: see "postconf -d" output)
    > ! > !

    The postfix(1) commands that the postmulti(1) instance manager treats > ! as "stop" commands. For these commands, disabled instances are skipped, > ! and enabled instances are processed in reverse order.

    > > !

    This feature is available in Postfix 2.6 and later.

    > > --- 6168,6175 ---- > > !
    process_id > ! (read-only)
    > > !

    > ! The process ID of a Postfix command or daemon process. > !

    > > *************** > *** 6849,6945 **** > > !
    postscreen_access_list > ! (default: permit_mynetworks)
    > > !

    Permanent white/blacklist for remote SMTP client IP addresses. > ! postscreen(8) searches this list immediately after a remote SMTP > ! client connects. Specify a comma- or whitespace-separated list of > ! commands (in upper or lower case) or lookup tables. The search stops > ! upon the first command that fires for the client IP address.

    > > -
    > > !
    permit_mynetworks
    Whitelist the client and > ! terminate the search if the client IP address matches $mynetworks. > ! Do not subject the client to any before/after 220 greeting tests. > ! Pass the connection immediately to a Postfix SMTP server process. > !
    > > !
    type:table
    Query the specified lookup > ! table. Each table lookup result is an access list, except that > ! access lists inside a table cannot specify type:table entries.
    > ! To discourage the use of hash, btree, etc. tables, there is no > ! support for substring matching like smtpd(8). Use CIDR tables > ! instead.
    > ! > !
    permit
    Whitelist the client and terminate > ! the search. Do not subject the client to any before/after 220 > ! greeting tests. Pass the connection immediately to a Postfix SMTP > ! server process.
    > ! > !
    reject
    Blacklist the client and terminate > ! the search. Subject the client to the action configured with the > ! postscreen_blacklist_action configuration parameter.
    > ! > !
    dunno
    All postscreen(8) access lists > ! implicitly have this command at the end.
    When dunno > ! is executed inside a lookup table, return from the lookup table and > ! evaluate the next command.
    When dunno is executed > ! outside a lookup table, terminate the search, and subject the client > ! to the configured before/after 220 greeting tests.
    > > !
    > > -

    Example:

    > > !
    > ! /etc/postfix/main.cf:
    > !     postscreen_access_list = permit_mynetworks,
    > ! 		cidr:/etc/postfix/postscreen_access.cidr
    > !     postscreen_blacklist_action = enforce
    > ! 
    > > !
    > ! /etc/postfix/postscreen_access.cidr:
    > !     # Rules are evaluated in the order as specified.
    > !     # Blacklist 192.168.* except 192.168.0.1.
    > !     192.168.0.1         dunno
    > !     192.168.0.0/16      reject
    > ! 
    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_bare_newline_action > ! (default: ignore)
    > > !

    The action that postscreen(8) takes when a remote SMTP client sends > ! a bare newline character, that is, a newline not preceded by carriage > ! return. Specify one of the following:

    > > !
    > > -
    ignore
    > > !
    Ignore the failure of this test. Allow other tests to complete. > ! Do not repeat this test before some the result from some > ! other test expires. > ! This option is useful for testing and collecting statistics > ! without blocking mail permanently.
    > > !
    enforce
    > > !
    Allow other tests to complete. Reject attempts to deliver mail > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > ! Repeat this test the next time the client connects.
    > > !
    drop
    > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects.
    > > !
    > > !

    This feature is available in Postfix 2.8.

    > > --- 6178,6265 ---- > > !
    process_id_directory > ! (default: pid)
    > > !

    > ! The location of Postfix PID files relative to $queue_directory. > ! This is a read-only parameter. > !

    > > > !
    > > !
    process_name > ! (read-only)
    > > !

    > ! The process name of a Postfix command or daemon process. > !

    > > > !
    > > !
    propagate_unmatched_extensions > ! (default: canonical, virtual)
    > > !

    > ! What address lookup tables copy an address extension from the lookup > ! key to the lookup result. > !

    > > +

    > + For example, with a virtual(5) mapping of "joe at example.com => > + joe.user at example.net", the address "joe+foo at example.com" > + would rewrite to "joe.user+foo at example.net". > +

    > > !

    > ! Specify zero or more of canonical, virtual, alias, > ! forward, include or generic. These cause > ! address extension > ! propagation with canonical(5), virtual(5), and aliases(5) maps, > ! with local(8) .forward and :include: file lookups, and with smtp(8) > ! generic maps, respectively.

    > > !

    > ! Note: enabling this feature for types other than canonical > ! and virtual is likely to cause problems when mail is forwarded > ! to other sites, especially with mail that is sent to a mailing list > ! exploder address. > !

    > > !

    > ! Examples: > !

    > > !
    > ! propagate_unmatched_extensions = canonical, virtual, alias,
    > !         forward, include
    > ! propagate_unmatched_extensions = canonical, virtual
    > ! 
    > > > !
    > > !
    proxy_interfaces > ! (default: empty)
    > > !

    > ! The network interface addresses that this mail system receives mail > ! on by way of a proxy or network address translation unit. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > !

    You must specify your "outside" proxy/NAT addresses when your > ! system is a backup MX host for other domains, otherwise mail delivery > ! loops will happen when the primary MX host is down.

    > > !

    > ! Example: > !

    > > !
    > ! proxy_interfaces = 1.2.3.4
    > ! 
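Review bot: the "!" lines in this hunk replace the postscreen_access_list and postscreen_bare_newline_action text on the old side with process_id_directory through proxy_interfaces on the new side (6178,6265), entries that sit far apart alphabetically, so the hunk records a shift in where the two files line up rather than an edit to either entry and should not be read as a content change; the generator should be checked for why the postscreen_* block is being paired with the pr* block. Two smaller points on the text itself: the old-side "ignore" paragraph for postscreen_bare_newline_action carries a duplicated word ("Do not repeat this test before some the result from some other test expires"), and on the new side the first propagate_unmatched_extensions example enables alias, forward and include directly after the note that enabling those types is likely to cause problems with forwarded mail; mark that line as the non-default setting or put the "canonical, virtual" line first so it is not copied as the recommended value.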
    > > *************** > *** 6948,6959 **** > > !
    postscreen_bare_newline_enable > ! (default: no)
    > > !

    Enable "bare newline" SMTP protocol tests in the postscreen(8) > ! server. These tests are expensive: a remote SMTP client must > ! disconnect after > ! it passes the test, before it can talk to a real Postfix SMTP server. >

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6268,6281 ---- > > !
    proxy_read_maps > ! (default: see "postconf -d" output)
    > > !

    > ! The lookup tables that the proxymap(8) server is allowed to > ! access for the read-only service. > ! Table references that don't begin with proxy: are ignored. >

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > *************** > *** 6962,6978 **** > > !
    postscreen_bare_newline_ttl > ! (default: 30d)
    > ! > !

    The amount of time that postscreen(8) will use the result from > ! a successful "bare newline" SMTP protocol test. During this > ! time, the client IP address is excluded from this test. The default > ! is long because a remote SMTP client must disconnect after it passes > ! the test, > ! before it can talk to a real Postfix SMTP server.

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6284,6296 ---- > > !
    proxy_write_maps > ! (default: see "postconf -d" output)
    > > !

    The lookup tables that the proxymap(8) server is allowed to > ! access for the read-write service. Postfix-owned local database > ! files should be stored under the Postfix-owned data_directory. > ! Table references that don't begin with proxy: are ignored.

    > > !

    > ! This feature is available in Postfix 2.5 and later. > !

    > > *************** > *** 6981,7012 **** > > !
    postscreen_blacklist_action > ! (default: ignore)
    > > !

    The action that postscreen(8) takes when a remote SMTP client is > ! permanently blacklisted with the postscreen_access_list parameter. > ! Specify one of the following:

    > > !
    > ! > !
    ignore (default)
    > ! > !
    Ignore this result. Allow other tests to complete. Repeat > ! this test the next time the client connects. > ! This option is useful for testing and collecting statistics > ! without blocking mail.
    > > !
    enforce
    > > -
    Allow other tests to complete. Reject attempts to deliver mail > - with a 550 SMTP reply, and log the helo/sender/recipient information. > - Repeat this test the next time the client connects.
    > > !
    drop
    > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects.
    > > !
    > > !

    This feature is available in Postfix 2.8.

    > > --- 6299,6332 ---- > > !
    qmgr_clog_warn_time > ! (default: 300s)
    > > !

    > ! The minimal delay between warnings that a specific destination is > ! clogging up the Postfix active queue. Specify 0 to disable. > !

    > > !

    > ! This feature is enabled with the helpful_warnings parameter. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > !
    qmgr_fudge_factor > ! (default: 100)
    > > !

    > ! Obsolete feature: the percentage of delivery resources that a busy > ! mail system will use up for delivery of a large mailing list > ! message. > !

    > > !

    > ! This feature exists only in the oqmgr(8) old queue manager. The > ! current queue manager solves the problem in a better way. > !

    > > *************** > *** 7015,7035 **** > > !
    postscreen_cache_cleanup_interval > ! (default: 12h)
    > ! > !

    The amount of time between postscreen(8) cache cleanup runs. > ! Cache cleanup increases the load on the cache database and should > ! therefore not be run frequently. This feature requires that the > ! cache database supports the "delete" and "sequence" operators. > ! Specify a zero interval to disable cache cleanup.

    > ! > !

    After each cache cleanup run, the postscreen(8) daemon logs the > ! number of entries that were retained and dropped. A cleanup run is > ! logged as "partial" when the daemon terminates early after "postfix > ! reload", "postfix stop", or no requests for $max_idle > ! seconds.

    > ! > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > ! (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6335,6342 ---- > > !
    qmgr_message_active_limit > ! (default: 20000)
    > > !

    > ! The maximal number of messages in the active queue. > !

    > > *************** > *** 7038,7084 **** > > !
    postscreen_cache_map > ! (default: btree:$data_directory/postscreen_cache)
    > > !

    Persistent storage for the postscreen(8) server decisions.

    > > -

    To share a postscreen(8) cache between multiple postscreen(8) > - instances, use "postscreen_cache_map = proxy:btree:/path/to/file". > - This requires Postfix version 2.9 or later; earlier proxymap(8) > - implementations don't support cache cleanup. For an alternative > - approach see the memcache_table(5) manpage.

    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > -
    postscreen_cache_retention_time > - (default: 7d)
    > > !

    The amount of time that postscreen(8) will cache an expired > ! temporary whitelist entry before it is removed. This prevents clients > ! from being logged as "NEW" just because their cache entry expired > ! an hour ago. It also prevents the cache from filling up with clients > ! that passed some deep protocol test once and never came back.

    > > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > ! (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_client_connection_count_limit > ! (default: $smtpd_client_connection_count_limit)
    > > !

    How many simultaneous connections any remote SMTP client is > ! allowed to have > ! with the postscreen(8) daemon. By default, this limit is the same > ! as with the Postfix SMTP server. Note that the triage process can > ! take several seconds, with the time spent in postscreen_greet_wait > ! delay, and with the time spent talking to the postscreen(8) built-in > ! dummy SMTP protocol engine.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6345,6404 ---- > > !
    qmgr_message_recipient_limit > ! (default: 20000)
    > > !

    The maximal number of recipients held in memory by the Postfix > ! queue manager, and the maximal size of the size of the short-term, > ! in-memory "dead" destination status cache.

    > > > !
    > > +
    qmgr_message_recipient_minimum > + (default: 10)
    > > !

    > ! The minimal number of in-memory recipients for any message. This > ! takes priority over any other in-memory recipient limits (i.e., > ! the global qmgr_message_recipient_limit and the per transport > ! _recipient_limit) if necessary. The minimum value allowed for this > ! parameter is 1. > !

    > > > !
    > > !
    qmqpd_authorized_clients > ! (default: empty)
    > > !

    > ! What clients are allowed to connect to the QMQP server port. > !

    > > +

    > + By default, no client is allowed to use the service. This is > + because the QMQP server will relay mail to any destination. > +

    > > !

    > ! Specify a list of client patterns. A list pattern specifies a host > ! name, a domain name, an internet address, or a network/mask pattern, > ! where the mask specifies the number of bits in the network part. > ! When a pattern specifies a file name, its contents are substituted > ! for the file name; when a pattern is a "type:table" table specification, > ! table lookup is used instead.

    > > !

    > ! Patterns are separated by whitespace and/or commas. In order to > ! reverse the result, precede a pattern with an > ! exclamation point (!). The form "!/file/name" is supported only > ! in Postfix version 2.4 and later. > !

    > > !

    > ! Example: > !

    > > !
    > ! qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
    > ! 
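Review bot: on the new side, the qmgr_message_recipient_limit sentence has duplicated words ("the maximal size of the size of the short-term, in-memory "dead" destination status cache") and should read "the maximal size of the short-term ...". Also on the new side, qmqpd_authorized_clients states that the QMQP server relays mail to any destination and that no client is allowed by default, yet the example "!192.168.0.1, 192.168.0.0/24" authorizes an entire /24 minus one host without comment; one sentence saying the list should name only the hosts that need to inject mail, since every listed client gets unrestricted relaying, would keep readers from copying the example literally.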
    > > *************** > *** 7087,7098 **** > > !
    postscreen_command_count_limit > ! (default: 20)
    > > !

    The limit on the total number of commands per SMTP session for > ! postscreen(8)'s built-in SMTP protocol engine. This SMTP engine > ! defers or rejects all attempts to deliver mail, therefore there is > ! no need to enforce separate limits on the number of junk commands > ! and error commands.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6407,6416 ---- > > !
    qmqpd_client_port_logging > ! (default: no)
    > > !

    Enable logging of the remote QMQP client port in addition to > ! the hostname and IP address. The logging format is "host[address]:port". > !

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 7101,7109 **** > > !
    postscreen_command_filter > ! (default: $smtpd_command_filter)
    > > !

    A mechanism to transform commands from remote SMTP clients. > ! See smtpd_command_filter for further details.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 6419,6433 ---- > > !
    qmqpd_error_delay > ! (default: 1s)
    > > !

    > ! How long the QMQP server will pause before sending a negative reply > ! to the client. The purpose is to slow down confused or malicious > ! clients. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > *************** > *** 7112,7120 **** > > !
    postscreen_command_time_limit > ! (default: ${stress?10}${stress:300}s)
    > > !

    The time limit to read an entire command line with postscreen(8)'s > ! built-in SMTP protocol engine.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6436,6450 ---- > > !
    qmqpd_timeout > ! (default: 300s)
    > > !

    > ! The time limit for sending or receiving information over the network. > ! If a read or write operation blocks for more than $qmqpd_timeout > ! seconds the QMQP server gives up and disconnects. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > *************** > *** 7123,7131 **** > > !
    postscreen_disable_vrfy_command > ! (default: $disable_vrfy_command)
    > ! > !

    Disable the SMTP VRFY command in the postscreen(8) daemon. See > ! disable_vrfy_command for details.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6453,6461 ---- > > !
    queue_directory > ! (default: see "postconf -d" output)
    > > !

    > ! The location of the Postfix top-level queue directory. This is the > ! root directory of Postfix daemon processes that run chrooted. > !

    > > *************** > *** 7134,7145 **** > > !
    postscreen_discard_ehlo_keyword_address_maps > ! (default: $smtpd_discard_ehlo_keyword_address_maps)
    > > !

    Lookup tables, indexed by the remote SMTP client address, with > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > ! etc.) that the postscreen(8) server will not send in the EHLO response > ! to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. > ! The table is not searched by hostname for robustness reasons.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 6464,6477 ---- > > !
    queue_file_attribute_count_limit > ! (default: 100)
    > > !

    > ! The maximal number of (name=value) attributes that may be stored > ! in a Postfix queue file. The limit is enforced by the cleanup(8) > ! server. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > *************** > *** 7148,7193 **** > > !
    postscreen_discard_ehlo_keywords > ! (default: $smtpd_discard_ehlo_keywords)
    > ! > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > ! auth, etc.) that the postscreen(8) server will not send in the EHLO > ! response to a remote SMTP client. See smtpd_discard_ehlo_keywords > ! for details.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > > !
    > > -
    postscreen_dnsbl_action > - (default: ignore)
    > > !

    The action that postscreen(8) takes when a remote SMTP client's combined > ! DNSBL score is equal to or greater than a threshold (as defined > ! with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold > ! parameters). Specify one of the following:

    > > !
    > > !
    ignore (default)
    > > !
    Ignore the failure of this test. Allow other tests to complete. > ! Repeat this test the next time the client connects. > ! This option is useful for testing and collecting statistics > ! without blocking mail.
    > > !
    enforce
    > > -
    Allow other tests to complete. Reject attempts to deliver mail > - with a 550 SMTP reply, and log the helo/sender/recipient information. > - Repeat this test the next time the client connects.
    > > !
    drop
    > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects.
    > > !
    > > !

    This feature is available in Postfix 2.8.

    > > --- 6480,6535 ---- > > !
    queue_minfree > ! (default: 0)
    > > !

    > ! The minimal amount of free space in bytes in the queue file system > ! that is needed to receive mail. This is currently used by the SMTP > ! server to decide if it will accept any mail at all. > !

    > > +

    > + By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands > + when the amount of free space is less than 1.5*$message_size_limit. > + To specify a higher minimum free space limit, specify a queue_minfree > + value that is at least 1.5*$message_size_limit. > +

    > > !

    > ! With Postfix versions 2.0 and earlier, a queue_minfree value of > ! zero means there is no minimum required amount of free space. > !

    > > > !
    > > !
    queue_run_delay > ! (default: 300s)
    > > !

    > ! The time between deferred queue scans by the queue manager; > ! prior to Postfix 2.4 the default value was 1000s. > !

    > > !

    This parameter should be set less than or equal to > ! $minimal_backoff_time. See also $maximal_backoff_time.

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > > !
    > > !
    queue_service_name > ! (default: qmgr)
    > > !

    > ! The name of the qmgr(8) service. This service manages the Postfix > ! queue and schedules delivery requests. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > *************** > *** 7196,7224 **** > > !
    postscreen_dnsbl_reply_map > (default: empty)
    > > !

    A mapping from actual DNSBL domain name which includes a secret > ! password, to the DNSBL domain name that postscreen will reply with > ! when it rejects mail. When no mapping is found, the actual DNSBL > ! domain will be used.

    > > !

    For maximal stability it is best to use a file that is read > ! into memory such as pcre:, regexp: or texthash: (texthash: is similar > ! to hash:, except a) there is no need to run postmap(1) before the > ! file can be used, and b) texthash: does not detect changes after > ! the file is read).

    > > -

    Example:

    > > !
    > ! /etc/postfix/main.cf:
    > !     postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
    > ! 
    > > !
    > ! /etc/postfix/dnsbl_reply:
    > !    secret.zen.spamhaus.org	zen.spamhaus.org
    > ! 
    > > !

    This feature is available in Postfix 2.8.

    > > --- 6538,6564 ---- > > !
    rbl_reply_maps > (default: empty)
    > > !

    > ! Optional lookup tables with RBL response templates. The tables are > ! indexed by the RBL domain name. By default, Postfix uses the default > ! template as specified with the default_rbl_reply configuration > ! parameter. See there for a discussion of the syntax of RBL reply > ! templates. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > !
    readme_directory > ! (default: see "postconf -d" output)
    > > !

    > ! The location of Postfix README files that describe how to build, > ! configure or operate a specific Postfix subsystem or feature. > !

    > > *************** > *** 7227,7286 **** > > !
    postscreen_dnsbl_sites > (default: empty)
    > > !

    Optional list of DNS white/blacklist domains, filters and weight > ! factors. When the list is non-empty, the dnsblog(8) daemon will > ! query these domains with the IP addresses of remote SMTP clients, > ! and postscreen(8) will update an SMTP client's DNSBL score with > ! each non-error reply.

    > > !

    Caution: when postscreen rejects mail, it replies with the DNSBL > ! domain name. Use the postscreen_dnsbl_reply_map feature to hide > ! "password" information in DNSBL domain names.

    > > !

    When a client's score is equal to or greater than the threshold > ! specified with postscreen_dnsbl_threshold, postscreen(8) can drop > ! the connection with the remote SMTP client.

    > > !

    Specify a list of domain=filter*weight entries, separated by > ! comma or whitespace.

    > > !
      > > !
    • When no "=filter" is specified, postscreen(8) will use any > ! non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL > ! replies that match the filter. The filter has the form d.d.d.d, > ! where each d is a number, or a pattern inside [] that contains one > ! or more ";"-separated numbers or number..number ranges.

      > ! > !
    • When no "*weight" is specified, postscreen(8) increments > ! the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be > ! an integral number, and postscreen(8) adds the specified weight to > ! the remote SMTP client's DNSBL score. Specify a negative number for > ! whitelisting.

      > > !
    • When one postscreen_dnsbl_sites entry produces multiple > ! DNSBL responses, postscreen(8) applies the weight at most once. > !

      > > !
    > > !

    Examples:

    > > !

    To use example.com as a high-confidence blocklist, and to > ! block mail with example.net and example.org only when both agree: > !

    > > !
    > ! postscreen_dnsbl_threshold = 2
    > ! postscreen_dnsbl_sites = example.com*2, example.net, example.org
    > ! 
    > > !

    To filter only DNSBL replies containing 127.0.0.4:

    > >
    > ! postscreen_dnsbl_sites = example.com=127.0.0.4
    >   
    > > !

    This feature is available in Postfix 2.8.

    > > --- 6567,6628 ---- > > !
    receive_override_options > (default: empty)
    > > !

    Enable or disable recipient validation, built-in content > ! filtering, or address mapping. Typically, these are specified in > ! master.cf as command-line arguments for the smtpd(8), qmqpd(8) or > ! pickup(8) daemons.

    > ! > !

    Specify zero or more of the following options. The options > ! override main.cf settings and are either implemented by smtpd(8), > ! qmqpd(8), or pickup(8) themselves, or they are forwarded to the > ! cleanup server.

    > ! > !
    > > !
    no_unknown_recipient_checks
    > > !
    Do not try to reject unknown recipients (SMTP server only). > ! This is typically specified AFTER an external content filter. > !
    > > !
    no_address_mappings
    > > !
    Disable canonical address mapping, virtual alias map expansion, > ! address masquerading, and automatic BCC (blind carbon-copy) > ! recipients. This is typically specified BEFORE an external content > ! filter.
    > > !
    no_header_body_checks
    > > !
    Disable header/body_checks. This is typically specified AFTER > ! an external content filter.
    > > !
    no_milters
    > > !
    Disable Milter (mail filter) applications. This is typically > ! specified AFTER an external content filter.
    > > !
    > > !

    > ! Note: when the "BEFORE content filter" receive_override_options > ! setting is specified in the main.cf file, specify the "AFTER content > ! filter" receive_override_options setting in master.cf (and vice > ! versa). > !

    > > !

    > ! Examples: > !

    > >
    > ! receive_override_options =
    > !     no_unknown_recipient_checks, no_header_body_checks
    > ! receive_override_options = no_address_mappings
    >   
    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > *************** > *** 7289,7341 **** > > !
    postscreen_dnsbl_threshold > ! (default: 1)
    > ! > !

    The inclusive lower bound for blocking a remote SMTP client, based on > ! its combined DNSBL score as defined with the postscreen_dnsbl_sites > ! parameter.

    > ! > !

    This feature is available in Postfix 2.8.

    > ! > > !
    > > !
    postscreen_dnsbl_ttl > ! (default: 1h)
    > > !

    The amount of time that postscreen(8) will use the result from > ! a successful DNS blocklist test. During this time, the client IP address > ! is excluded from this test. The default is relatively short, because a > ! good client can immediately talk to a real Postfix SMTP server. >

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_enforce_tls > ! (default: $smtpd_enforce_tls)
    > > !

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, and > ! require that clients use TLS encryption. See smtpd_postscreen_enforce_tls > ! for details.

    > > !

    This feature is available in Postfix 2.8 and later. > ! Preferably, use postscreen_tls_security_level instead.

    > > > !
    > > !
    postscreen_expansion_filter > ! (default: see "postconf -d" output)
    > > !

    List of characters that are permitted in postscreen_reject_footer > ! attribute expansions. See smtpd_expansion_filter for further > ! details.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 6631,6690 ---- > > !
    recipient_bcc_maps > ! (default: empty)
    > > !

    > ! Optional BCC (blind carbon-copy) address lookup tables, indexed by > ! recipient address. The BCC address (multiple results are not > ! supported) is added when mail enters from outside of Postfix. > !

    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > !

    > ! The table search order is as follows: >

    > > !
      > > !
    • Look up the "user+extension at domain.tld" address including the > ! optional address extension. > > +
    • Look up the "user at domain.tld" address without the optional > + address extension. > > !
    • Look up the "user+extension" address local part when the > ! recipient domain equals $myorigin, $mydestination, $inet_interfaces > ! or $proxy_interfaces. > > !
    • Look up the "user" address local part when the recipient domain > ! equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > !
    • Look up the "@domain.tld" part. > > !
    > > +

    > + Specify the types and names of databases to use. After change, > + run "postmap /etc/postfix/recipient_bcc". > +

    > > !

    > ! Note: if mail to the BCC address bounces it will be returned to > ! the sender. > !

    > > !

    Note: automatic BCC recipients are produced only for new mail. > ! To avoid mailer loops, automatic BCC recipients are not generated > ! for mail that Postfix forwards internally, nor for mail that Postfix > ! generates itself.

    > > !

    > ! Example: > !

    > > !
    > ! recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
    > ! 
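Review bot: on the new side, recipient_bcc_maps says "After change, run "postmap /etc/postfix/recipient_bcc"", which applies to the hash: example at the end of the entry and not to every table type the preceding sentence allows ("Specify the types and names of databases to use"); tie the postmap instruction to the hash: example. The note "if mail to the BCC address bounces it will be returned to the sender" is also worth extending: a bounce that reaches the sender reveals that a copy was being made, so the BCC address should be one that does not bounce.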
    > > *************** > *** 7344,7354 **** > > !
    postscreen_forbidden_commands > ! (default: $smtpd_forbidden_commands)
    > > !

    List of commands that the postscreen(8) server considers in > ! violation of the SMTP protocol. See smtpd_forbidden_commands for > ! syntax, and postscreen_non_smtp_command_action for possible actions. >

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6693,6706 ---- > > !
    recipient_canonical_classes > ! (default: envelope_recipient, header_recipient)
    > ! > !

    What addresses are subject to recipient_canonical_maps address > ! mapping. By default, recipient_canonical_maps address mapping is > ! applied to envelope recipient addresses, and to header recipient > ! addresses.

    > > !

    Specify one or more of: envelope_recipient, header_recipient >

    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 7357,7391 **** > > !
    postscreen_greet_action > ! (default: ignore)
    > ! > !

    The action that postscreen(8) takes when a remote SMTP client speaks > ! before its turn within the time specified with the postscreen_greet_wait > ! parameter. Specify one of the following:

    > > !
    > > !
    ignore (default)
    > > !
    Ignore the failure of this test. Allow other tests to complete. > ! Repeat this test the next time the client connects. > ! This option is useful for testing and collecting statistics > ! without blocking mail.
    > > !
    enforce
    > > -
    Allow other tests to complete. Reject attempts to deliver mail > - with a 550 SMTP reply, and log the helo/sender/recipient information. > - Repeat this test the next time the client connects.
    > > !
    drop
    > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects.
    > > !
    > > !

    In either case, postscreen(8) will not whitelist the remote SMTP client > ! IP address.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6709,6752 ---- > > !
    recipient_canonical_maps > ! (default: empty)
    > > !

    > ! Optional address mapping lookup tables for envelope and header > ! recipient addresses. > ! The table format and lookups are documented in canonical(5). > !

    > > !

    > ! Note: $recipient_canonical_maps is processed before $canonical_maps. > !

    > > !

    > ! Example: > !

    > > !
    > ! recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    > ! 
    > > > !
    > > !
    recipient_delimiter > ! (default: empty)
    > > !

    > ! The separator between user names and address extensions (user+foo). > ! See canonical(5), local(8), relocated(5) and virtual(5) for the > ! effects this has on aliases, canonical, virtual, relocated and > ! on .forward file lookups. Basically, the software tries user+foo > ! and .forward+foo before trying user and .forward. > !

    > > !

    > ! Example: > !

    > > !
    > ! recipient_delimiter = +
    > ! 
    > > *************** > *** 7394,7406 **** > > !
    postscreen_greet_banner > ! (default: $smtpd_banner)
    > > !

    The text in the optional "220-text..." server > ! response that > ! postscreen(8) sends ahead of the real Postfix SMTP server's "220 > ! text..." response, in an attempt to confuse bad SMTP clients so > ! that they speak before their turn (pre-greet). Specify an empty > ! value to disable this feature.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6755,6767 ---- > > !
    reject_code > ! (default: 554)
    > > !

    > ! The numerical Postfix SMTP server response code when a remote SMTP > ! client request is rejected by the "reject" restriction. > !

    > > !

    > ! Do not change this unless you have a complete understanding of RFC 2821. > !

    > > *************** > *** 7409,7442 **** > > !
    postscreen_greet_ttl > ! (default: 1d)
    > ! > !

    The amount of time that postscreen(8) will use the result from > ! a successful PREGREET test. During this time, the client IP address > ! is excluded from this test. The default is relatively short, because > ! a good client can immediately talk to a real Postfix SMTP server.

    > ! > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > ! > !

    This feature is available in Postfix 2.8.

    > ! > > !
    > > !
    postscreen_greet_wait > ! (default: ${stress?2}${stress:6}s)
    > > !

    The amount of time that postscreen(8) will wait for an SMTP > ! client to send a command before its turn, and for DNS blocklist > ! lookup results to arrive (default: up to 2 seconds under stress, > ! up to 6 seconds otherwise).

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit).

    > > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > ! (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6770,6797 ---- > > !
    relay_clientcerts > ! (default: empty)
    > > !

    List of tables with remote SMTP client-certificate fingerprints > ! for which the Postfix SMTP server will allow access with the > ! permit_tls_clientcerts feature. > ! The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5).

    > > !

    Postfix lookup tables are in the form of (key, value) pairs. > ! Since we only need the key, the value can be chosen freely, e.g. > ! the name of the user or host: > ! D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    > > !

    Example:

    > > !
    > ! relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    > ! 
    > > !

    For more fine-grained control, use check_ccert_access to select > ! an appropriate access(5) policy for each client. > ! See RESTRICTION_CLASS_README.

    > > !

    This feature is available with Postfix version 2.2.

    > > *************** > *** 7445,7453 **** > > !
    postscreen_helo_required > ! (default: $smtpd_helo_required)
    > > !

    Require that a remote SMTP client sends HELO or EHLO before > ! commencing a MAIL transaction.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6800,6810 ---- > > !
    relay_destination_concurrency_limit > ! (default: $default_destination_concurrency_limit)
    > > !

    The maximal number of parallel deliveries to the same destination > ! via the relay message delivery transport. This limit is enforced > ! by the queue manager. The message delivery transport name is the > ! first field in the entry in the master.cf file.

    > > !

    This feature is available in Postfix 2.0 and later.

    > > *************** > *** 7456,7502 **** > > !
    postscreen_non_smtp_command_action > ! (default: drop)
    > ! > !

    The action that postscreen(8) takes when a remote SMTP client sends > ! non-SMTP commands as specified with the postscreen_forbidden_commands > ! parameter. Specify one of the following:

    > > !
    > > !
    ignore
    > > !
    Ignore the failure of this test. Allow other tests to complete. > ! Do not repeat this test before some the result from some > ! other test expires. > ! This option is useful for testing and collecting statistics > ! without blocking mail permanently.
    > ! > !
    enforce
    > ! > !
    Allow other tests to complete. Reject attempts to deliver mail > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > ! Repeat this test the next time the client connects.
    > ! > !
    drop
    > ! > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects. This action is the > ! same as with the Postfix SMTP server's smtpd_forbidden_commands > ! feature.
    > > -
    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_non_smtp_command_enable > ! (default: no)
    > > !

    Enable "non-SMTP command" tests in the postscreen(8) server. These > ! tests are expensive: a client must disconnect after it passes the > ! test, before it can talk to a real Postfix SMTP server.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6813,6859 ---- > > !
    relay_destination_recipient_limit > ! (default: $default_destination_recipient_limit)
    > > !

    The maximal number of recipients per message for the relay > ! message delivery transport. This limit is enforced by the queue > ! manager. The message delivery transport name is the first field in > ! the entry in the master.cf file.

    > > !

    Setting this parameter to a value of 1 changes the meaning of > ! relay_destination_concurrency_limit from concurrency per domain > ! into concurrency per recipient.

    > > !

    This feature is available in Postfix 2.0 and later.

    > > > !
    > > +
    relay_domains > + (default: $mydestination)
    > > !

    What destination domains (and subdomains thereof) this system > ! will relay mail to. Subdomain matching is controlled with the > ! parent_domain_matches_subdomains parameter. For details about how > ! the relay_domains value is used, see the description of the > ! permit_auth_destination and reject_unauth_destination SMTP recipient > ! restrictions.

    > > !

    Domains that match $relay_domains are delivered with the > ! $relay_transport mail delivery transport. The SMTP server validates > ! recipient addresses with $relay_recipient_maps and rejects non-existent > ! recipients. See also the relay domains address class in the > ! ADDRESS_CLASS_README file.

    > > !

    Note: Postfix will not automatically forward mail for domains > ! that list this system as their primary or backup MX host. See the > ! permit_mx_backup restriction in the postconf(5) manual page.

    > > !

    Specify a list of host or domain names, "/file/name" patterns > ! or "type:table" lookup tables, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. A > ! "/file/name" pattern is replaced by its contents; a "type:table" > ! lookup table is matched when a (parent) domain appears as lookup > ! key. Specify "!pattern" to exclude a domain from the list. The form > ! "!/file/name" is supported only in Postfix version 2.4 and later. > !

    > > *************** > *** 7505,7520 **** > > !
    postscreen_non_smtp_command_ttl > ! (default: 30d)
    > ! > !

    The amount of time that postscreen(8) will use the result from > ! a successful "non_smtp_command" SMTP protocol test. During this > ! time, the client IP address is excluded from this test. The default > ! is long because a client must disconnect after it passes the test, > ! before it can talk to a real Postfix SMTP server.

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6862,6875 ---- > > !
    relay_domains_reject_code > ! (default: 554)
    > > !

    > ! The numerical Postfix SMTP server response code when a client > ! request is rejected by the reject_unauth_destination recipient > ! restriction. > !

    > > !

    > ! Do not change this unless you have a complete understanding of RFC 2821. > !

    > > *************** > *** 7523,7569 **** > > !
    postscreen_pipelining_action > ! (default: enforce)
    > ! > !

    The action that postscreen(8) takes when a remote SMTP client > ! sends > ! multiple commands instead of sending one command and waiting for > ! the server to respond. Specify one of the following:

    > ! > !
    > > !
    ignore
    > > !
    Ignore the failure of this test. Allow other tests to complete. > ! Do not repeat this test before some the result from some > ! other test expires. > ! This option is useful for testing and collecting statistics > ! without blocking mail permanently.
    > > !
    enforce
    > > !
    Allow other tests to complete. Reject attempts to deliver mail > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > ! Repeat this test the next time the client connects.
    > > !
    drop
    > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > ! this test the next time the client connects.
    > > -
    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_pipelining_enable > ! (default: no)
    > > !

    Enable "pipelining" SMTP protocol tests in the postscreen(8) > ! server. These tests are expensive: a good client must disconnect > ! after it passes the test, before it can talk to a real Postfix SMTP > ! server.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6878,6944 ---- > > !
    relay_recipient_maps > ! (default: empty)
    > > !

    Optional lookup tables with all valid addresses in the domains > ! that match $relay_domains. Specify @domain as a wild-card for > ! domains that have no valid recipient list, and become a source of > ! backscatter mail: Postfix accepts spam for non-existent recipients > ! and then floods innocent people with undeliverable mail. Technically, > ! tables > ! listed with $relay_recipient_maps are used as lists: Postfix needs > ! to know only if a lookup string is found or not, but it does not > ! use the result from table lookup.

    > > !

    > ! If this parameter is non-empty, then the Postfix SMTP server will reject > ! mail to unknown relay users. This feature is off by default. > !

    > > !

    > ! See also the relay domains address class in the ADDRESS_CLASS_README > ! file. > !

    > > !

    > ! Example: > !

    > > !
    > ! relay_recipient_maps = hash:/etc/postfix/relay_recipients
    > ! 
    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > +
    relay_transport > + (default: relay)
    > > !

    > ! The default mail delivery transport and next-hop destination for > ! remote delivery to domains listed with $relay_domains. In order of > ! decreasing precedence, the nexthop destination is taken from > ! $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or > ! from the recipient domain. This information can be overruled with > ! the transport(5) table. > !

    > > !

    > ! Specify a string of the form transport:nexthop, where transport > ! is the name of a mail delivery transport defined in master.cf. > ! The :nexthop part is optional. For more details see the > ! transport(5) manual page. > !

    > > !

    > ! See also the relay domains address class in the ADDRESS_CLASS_README > ! file. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > *************** > *** 7572,7614 **** > > !
    postscreen_pipelining_ttl > ! (default: 30d)
    > > !

    The amount of time that postscreen(8) will use the result from > ! a successful "pipelining" SMTP protocol test. During this time, the > ! client IP address is excluded from this test. The default is > ! long because a good client must disconnect after it passes the test, > ! before it can talk to a real Postfix SMTP server.

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_post_queue_limit > ! (default: $default_process_limit)
    > > -

    The number of clients that can be waiting for service from a > - real Postfix SMTP server process. When this queue is full, all > - clients will > - receive a 421 reponse.

    > > !

    This feature is available in Postfix 2.8.

    > > > !
    > > !
    postscreen_pre_queue_limit > ! (default: $default_process_limit)
    > > !

    The number of non-whitelisted clients that can be waiting for > ! a decision whether they will receive service from a real Postfix > ! SMTP server > ! process. When this queue is full, all non-whitelisted clients will > ! receive a 421 reponse.

    > > !

    This feature is available in Postfix 2.8.

    > > --- 6947,7012 ---- > > !
    relayhost > ! (default: empty)
    > > !

    > ! The next-hop destination of non-local mail; overrides non-local > ! domains in recipient addresses. This information is overruled with > ! relay_transport, default_transport, sender_dependent_relayhost_maps > ! and with the transport(5) table. > !

    > > !

    > ! On an intranet, specify the organizational domain name. If your > ! internal DNS uses no MX records, specify the name of the intranet > ! gateway host instead. > !

    > > !

    > ! In the case of SMTP, specify a domain name, hostname, hostname:port, > ! [hostname]:port, [hostaddress] or [hostaddress]:port. The form > ! [hostname] turns off MX lookups. > !

    > > +

    > + If you're connected via UUCP, see the UUCP_README file for useful > + information. > +

    > > !

    > ! Examples: > !

    > > !
    > ! relayhost = $mydomain
    > ! relayhost = [gateway.my.domain]
    > ! relayhost = uucphost
    > ! relayhost = [an.ip.add.ress]
    > ! 
    > > > !
    > > +
    relocated_maps > + (default: empty)
    > > !

    > ! Optional lookup tables with new contact information for users or > ! domains that no longer exist. The table format and lookups are > ! documented in relocated(5). > !

    > > !

    > ! If you use this feature, run "postmap /etc/postfix/relocated" to > ! build the necessary DBM or DB file after change, then "postfix > ! reload" to make the changes visible. > !

    > > !

    > ! Examples: > !

    > > !
    > ! relocated_maps = dbm:/etc/postfix/relocated
    > ! relocated_maps = hash:/etc/postfix/relocated
    > ! 
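Review bot: "421 reponse" is misspelled in both the postscreen_post_queue_limit and postscreen_pre_queue_limit entries on the old side of this hunk; it should be "421 response" in both places.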
    > > *************** > *** 7617,7639 **** > > !
    postscreen_reject_footer > ! (default: $smtpd_reject_footer)
    > ! > !

    Optional information that is appended after a 4XX or 5XX > ! postscreen(8) server > ! response. See smtpd_reject_footer for further details.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > > !
    > > !
    postscreen_tls_security_level > ! (default: $smtpd_tls_security_level)
    > > !

    The SMTP TLS security level for the postscreen(8) server; when > ! a non-empty value is specified, this overrides the obsolete parameters > ! postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level > ! for details.

    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 7015,7045 ---- > > !
    remote_header_rewrite_domain > ! (default: empty)
    > > !

    Don't rewrite message headers from remote clients at all when > ! this parameter is empty; otherwise, rewrite message headers and > ! append the specified domain name to incomplete addresses. The > ! local_header_rewrite_clients parameter controls what clients Postfix > ! considers local.

    > > +

    Examples:

    > > !

    The safe setting: append "domain.invalid" to incomplete header > ! addresses from remote SMTP clients, so that those addresses cannot > ! be confused with local addresses.

    > > !
    > !
    > ! remote_header_rewrite_domain = domain.invalid
    > ! 
    > !
    > > !

    The default, purist, setting: don't rewrite headers from remote > ! clients at all.

    > > !
    > !
    > ! remote_header_rewrite_domain =
    > ! 
    > !
    > > *************** > *** 7642,7651 **** > > !
    postscreen_use_tls > ! (default: $smtpd_use_tls)
    > ! > !

    Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > ! but do not require that clients use TLS encryption.

    > > !

    This feature is available in Postfix 2.8 and later. > ! Preferably, use postscreen_tls_security_level instead.

    > > --- 7048,7058 ---- > > !
    require_home_directory > ! (default: no)
    > > !

    > ! Whether or not a local(8) recipient's home directory must exist > ! before mail delivery is attempted. By default this test is disabled. > ! It can be useful for environments that import home directories to > ! the mail server (NOT RECOMMENDED). > !

    > > *************** > *** 7654,7671 **** > > !
    postscreen_watchdog_timeout > ! (default: 10s)
    > > !

    How much time a postscreen(8) process may take to respond to > ! a remote SMTP client command or to perform a cache operation before it > ! is terminated by a built-in watchdog timer. This is a safety > ! mechanism that prevents postscreen(8) from becoming non-responsive > ! due to a bug in Postfix itself or in system software. To avoid > ! false alarms and unnecessary cache corruption this limit cannot be > ! set under 10s.

    > > !

    Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > !

    This feature is available in Postfix 2.8.

    > > --- 7061,7079 ---- > > !
    resolve_dequoted_address > ! (default: yes)
    > > !

    Resolve a recipient address safely instead of correctly, by > ! looking inside quotes.

    > > !

    By default, the Postfix address resolver does not quote the > ! address localpart as per RFC 822, so that additional @ or % or ! > ! operators remain visible. This behavior is safe but it is also > ! technically incorrect.

    > > !

    If you specify "resolve_dequoted_address = no", then > ! the Postfix > ! resolver will not know about additional @ etc. operators in the > ! address localpart. This opens opportunities for obscure mail relay > ! attacks with user at domain@domain addresses when Postfix provides > ! backup MX service for Sendmail systems.

    > > *************** > *** 7674,7724 **** > > !
    postscreen_whitelist_interfaces > ! (default: static:all)
    > > !

    A list of local postscreen(8) server IP addresses where a > ! non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary > ! whitelist status. This status is required before the client can > ! talk to a Postfix SMTP server process. By default, a client can > ! obtain postscreen(8)'s whitelist status on any local postscreen(8) > ! server IP address.

    > > !

    When postscreen(8) listens on both primary and backup MX > ! addresses, the postscreen_whitelist_interfaces parameter can be > ! configured to give the temporary whitelist status only when a client > ! connects to a primary MX address. Once a client is whitelisted it > ! can talk to a Postfix SMTP server on any address. Thus, clients > ! that connect only to backup MX addresses will never become whitelisted, > ! and will never be allowed to talk to a Postfix SMTP server process. > !

    > > !

    Example:

    > > -
    > - /etc/postfix/main.cf:
    > -     # Don't whitelist connections to the backup IP address.
    > -     postscreen_whitelist_interfaces = !168.100.189.8, static:all
    > - 
    > > !

    This feature is available in Postfix 2.9 and later.

    > > > !
    > > !
    prepend_delivered_header > ! (default: command, file, forward)
    > > -

    The message delivery contexts where the Postfix local(8) delivery > - agent prepends a Delivered-To: message header with the address > - that the mail was delivered to. This information is used for mail > - delivery loop detection.

    > > !

    > ! By default, the Postfix local delivery agent prepends a Delivered-To: > ! header when forwarding mail and when delivering to file (mailbox) > ! and command. Turning off the Delivered-To: header when forwarding > ! mail is not recommended. > !

    > >

    > ! Specify zero or more of forward, file, or command. >

    > --- 7082,7119 ---- > > !
    resolve_null_domain > ! (default: no)
    > > !

    Resolve an address that ends in the "@" null domain as if the > ! local hostname were specified, instead of rejecting the address as > ! invalid.

    > > !

    This feature is available in Postfix 2.1 and later. > ! Earlier versions always resolve the null domain as the local > ! hostname.

    > > !

    The Postfix SMTP server uses this feature to reject mail from > ! or to addresses that end in the "@" null domain, and from addresses > ! that rewrite into a form that ends in the "@" null domain.

    > > > !
    > > +
    resolve_numeric_domain > + (default: no)
    > > !

    Resolve "user at ipaddress" as "user@[ipaddress]", instead of > ! rejecting the address as invalid.

    > > !

    This feature is available in Postfix 2.3 and later. > > > !

    > ! > !
    rewrite_service_name > ! (default: rewrite)
    > >

    > ! The name of the address rewriting service. This service rewrites > ! addresses to standard form and resolves them to a (delivery method, > ! next-hop host, recipient) triple. >

    > *************** > *** 7726,7734 **** >

    > ! Example: >

    > > -
    > - prepend_delivered_header = forward
    > - 
    > - > > --- 7121,7125 ---- >

    > ! This feature is available in Postfix 2.0 and later. >

    > > > *************** > *** 7736,7742 **** > > !
    process_id > ! (read-only)
    > >

    > ! The process ID of a Postfix command or daemon process. >

    > --- 7127,7133 ---- > > !
    sample_directory > ! (default: /etc/postfix)
    > >

    > ! The name of the directory with example Postfix configuration files. >

    > *************** > *** 7746,7755 **** > > !
    process_id_directory > ! (default: pid)
    > > !

    > ! The location of Postfix PID files relative to $queue_directory. > ! This is a read-only parameter. >

    > > > --- 7137,7153 ---- > > !
    send_cyrus_sasl_authzid > ! (default: no)
    > > !

    When authenticating to a remote SMTP or LMTP server with the > ! default setting "no", send no SASL authoriZation ID (authzid); send > ! only the SASL authentiCation ID (authcid) plus the authcid's password. >

    > > +

    The non-default setting "yes" enables the behavior of older > + Postfix versions. These always send a SASL authzid that is equal > + to the SASL authcid, but this causes inter-operability problems > + with some SMTP servers.

    > + > +

    This feature is available in Postfix 2.4.4 and later.

    > + > > *************** > *** 7757,7763 **** > > !
    process_name > ! (read-only)
    > >

    > ! The process name of a Postfix command or daemon process. >

    > --- 7155,7162 ---- > > !
    sender_based_routing > ! (default: no)
    > >

    > ! This parameter should not be used. It was replaced by sender_dependent_relayhost_maps > ! in Postfix version 2.3. >

    > *************** > *** 7767,7774 **** > > !
    propagate_unmatched_extensions > ! (default: canonical, virtual)
    > >

    > ! What address lookup tables copy an address extension from the lookup > ! key to the lookup result. >

    > --- 7166,7176 ---- > > !
    sender_bcc_maps > ! (default: empty)
    > ! > !

    Optional BCC (blind carbon-copy) address lookup tables, indexed > ! by sender address. The BCC address (multiple results are not > ! supported) is added when mail enters from outside of Postfix.

    > >

    > ! This feature is available in Postfix 2.1 and later. >

    > *************** > *** 7776,7816 **** >

    > ! For example, with a virtual(5) mapping of "joe at example.com => > ! joe.user at example.net", the address "joe+foo at example.com" > ! would rewrite to "joe.user+foo at example.net". >

    > > !

    > ! Specify zero or more of canonical, virtual, alias, > ! forward, include or generic. These cause > ! address extension > ! propagation with canonical(5), virtual(5), and aliases(5) maps, > ! with local(8) .forward and :include: file lookups, and with smtp(8) > ! generic maps, respectively.

    > > !

    > ! Note: enabling this feature for types other than canonical > ! and virtual is likely to cause problems when mail is forwarded > ! to other sites, especially with mail that is sent to a mailing list > ! exploder address. > !

    > > !

    > ! Examples: > !

    > > !
    > ! propagate_unmatched_extensions = canonical, virtual, alias,
    > !         forward, include
    > ! propagate_unmatched_extensions = canonical, virtual
    > ! 
    > > > !
    > > !
    proxy_interfaces > ! (default: empty)
    > >

    > ! The network interface addresses that this mail system receives mail > ! on by way of a proxy or network address translation unit. >

    > --- 7178,7204 ---- >

    > ! The table search order is as follows: >

    > > !
      > > !
    • Look up the "user+extension at domain.tld" address including the > ! optional address extension. > > !
    • Look up the "user at domain.tld" address without the optional > ! address extension. > > !
    • Look up the "user+extension" address local part when the > ! sender domain equals $myorigin, $mydestination, $inet_interfaces > ! or $proxy_interfaces. > > +
    • Look up the "user" address local part when the sender domain > + equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > !
    • Look up the "@domain.tld" part. > > !
    > >

    > ! Specify the types and names of databases to use. After change, > ! run "postmap /etc/postfix/sender_bcc". >

    > *************** > *** 7818,7825 **** >

    > ! This feature is available in Postfix 2.0 and later. >

    > > !

    You must specify your "outside" proxy/NAT addresses when your > ! system is a backup MX host for other domains, otherwise mail delivery > ! loops will happen when the primary MX host is down.

    > > --- 7206,7215 ---- >

    > ! Note: if mail to the BCC address bounces it will be returned to > ! the sender. >

    > > !

    Note: automatic BCC recipients are produced only for new mail. > ! To avoid mailer loops, automatic BCC recipients are not generated > ! for mail that Postfix forwards internally, nor for mail that Postfix > ! generates itself.

    > > *************** > *** 7830,7832 **** >
    > ! proxy_interfaces = 1.2.3.4
    >   
    > --- 7220,7222 ---- >
    > ! sender_bcc_maps = hash:/etc/postfix/sender_bcc
    >   
    > *************** > *** 7836,7875 **** > > !
    proxy_read_maps > ! (default: see "postconf -d" output)
    > > !

    > ! The lookup tables that the proxymap(8) server is allowed to > ! access for the read-only service. > ! Table references that don't begin with proxy: are ignored. >

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > -
    > > !
    proxy_write_maps > ! (default: see "postconf -d" output)
    > > !

    The lookup tables that the proxymap(8) server is allowed to > ! access for the read-write service. Postfix-owned local database > ! files should be stored under the Postfix-owned data_directory. > ! Table references that don't begin with proxy: are ignored.

    > >

    > ! This feature is available in Postfix 2.5 and later. >

    > > > !
    > > !
    proxymap_service_name > ! (default: proxymap)
    > > !

    The name of the proxymap read-only table lookup service. This > ! service is normally implemented by the proxymap(8) daemon.

    > ! > !

    This feature is available in Postfix 2.6 and later.

    > > --- 7226,7268 ---- > > !
    sender_canonical_classes > ! (default: envelope_sender, header_sender)
    > > !

    What addresses are subject to sender_canonical_maps address > ! mapping. By default, sender_canonical_maps address mapping is > ! applied to envelope sender addresses, and to header sender addresses. >

    > > !

    Specify one or more of: envelope_sender, header_sender

    > > +

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    sender_canonical_maps > ! (default: empty)
    > >

    > ! Optional address mapping lookup tables for envelope and header > ! sender addresses. > ! The table format and lookups are documented in canonical(5). >

    > > +

    > + Example: you want to rewrite the SENDER address "user at ugly.domain" > + to "user at pretty.domain", while still being able to send mail to > + the RECIPIENT address "user at ugly.domain". > +

    > > !

    > ! Note: $sender_canonical_maps is processed before $canonical_maps. > !

    > > !

    > ! Example: > !

    > > !
    > ! sender_canonical_maps = hash:/etc/postfix/sender_canonical
    > ! 
    > > *************** > *** 7878,7905 **** > > !
    proxywrite_service_name > ! (default: proxywrite)
    > ! > !

    The name of the proxywrite read-write table lookup service. > ! This service is normally implemented by the proxymap(8) daemon. > !

    > ! > !

    This feature is available in Postfix 2.6 and later.

    > ! > > !
    > > !
    qmgr_clog_warn_time > ! (default: 300s)
    > >

    > ! The minimal delay between warnings that a specific destination is > ! clogging up the Postfix active queue. Specify 0 to disable. >

    > > !

    > ! This feature is enabled with the helpful_warnings parameter. > !

    > >

    > ! This feature is available in Postfix 2.0 and later. >

    > --- 7271,7297 ---- > > !
    sender_dependent_relayhost_maps > ! (default: empty)
    > > !

    A sender-dependent override for the global relayhost parameter > ! setting. The tables are searched by the envelope sender address and > ! @domain. This information is overruled with relay_transport, > ! default_transport and with the transport(5) table.

    > > !

    For safety reasons, this feature does not allow $number > ! substitutions in regular expression maps.

    > >

    > ! This feature is available in Postfix 2.3 and later. >

    > > ! > !
    > ! > !
    sendmail_path > ! (default: see "postconf -d" output)
    > >

    > ! A Sendmail compatibility feature that specifies the location of > ! the Postfix sendmail(1) command. This command can be used to > ! submit mail into the Postfix queue. >

    > *************** > *** 7909,7915 **** > > !
    qmgr_daemon_timeout > ! (default: 1000s)
    > > !

    How much time a Postfix queue manager process may take to handle > ! a request before it is terminated by a built-in watchdog timer. >

    > --- 7301,7308 ---- > > !
    service_throttle_time > ! (default: 60s)
    > > !

    > ! How long the Postfix master(8) waits before forking a server that > ! appears to be malfunctioning. >

    > *************** > *** 7921,7924 **** > > -

    This feature is available in Postfix 2.8 and later.

    > - > > --- 7314,7315 ---- > *************** > *** 7926,7939 **** > > !
    qmgr_fudge_factor > ! (default: 100)
    > ! > !

    > ! Obsolete feature: the percentage of delivery resources that a busy > ! mail system will use up for delivery of a large mailing list > ! message. > !

    > >

    > ! This feature exists only in the oqmgr(8) old queue manager. The > ! current queue manager solves the problem in a better way. >

    > --- 7317,7326 ---- > > !
    setgid_group > ! (default: postdrop)
    > >

    > ! The group ownership of set-gid Postfix commands and of group-writable > ! Postfix directories. When this parameter value is changed you need > ! to re-run "postfix set-permissions" (with Postfix version 2.0 and > ! earlier: "/etc/postfix/post-install set-permissions". >

    > *************** > *** 7943,7967 **** > > !
    qmgr_ipc_timeout > ! (default: 60s)
    > ! > !

    The time limit for the queue manager to send or receive information > ! over an internal communication channel. The purpose is to break > ! out of deadlock situations. If the time limit is exceeded the > ! software either retries or aborts the operation.

    > >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > > -

    This feature is available in Postfix 2.8 and later.

    > - > - > -
    > - > -
    qmgr_message_active_limit > - (default: 20000)
    > - >

    > ! The maximal number of messages in the active queue. >

    > --- 7330,7342 ---- > > !
    show_user_unknown_table_name > ! (default: yes)
    > >

    > ! Display the name of the recipient table in the "User unknown" > ! responses. The extra detail makes trouble shooting easier but also > ! reveals information that is nobody elses business. >

    > >

    > ! This feature is available in Postfix 2.0 and later. >

    > *************** > *** 7971,7991 **** > > !
    qmgr_message_recipient_limit > ! (default: 20000)
    > ! > !

    The maximal number of recipients held in memory by the Postfix > ! queue manager, and the maximal size of the size of the short-term, > ! in-memory "dead" destination status cache.

    > ! > ! > !
    > > !
    qmgr_message_recipient_minimum > ! (default: 10)
    > >

    > ! The minimal number of in-memory recipients for any message. This > ! takes priority over any other in-memory recipient limits (i.e., > ! the global qmgr_message_recipient_limit and the per transport > ! _recipient_limit) if necessary. The minimum value allowed for this > ! parameter is 1. >

    > --- 7346,7357 ---- > > !
    showq_service_name > ! (default: showq)
    > > !

    > ! The name of the showq(8) service. This service produces mail queue > ! status reports. > !

    > >

    > ! This feature is available in Postfix 2.0 and later. >

    > *************** > *** 7995,8002 **** > > !
    qmqpd_authorized_clients > ! (default: empty)
    > >

    > ! What remote QMQP clients are allowed to connect to the Postfix QMQP > ! server port. >

    > --- 7361,7367 ---- > > !
    smtp_always_send_ehlo > ! (default: yes)
    > >

    > ! Always send EHLO at the start of an SMTP session. >

    > *************** > *** 8004,8022 **** >

    > ! By default, no client is allowed to use the service. This is > ! because the QMQP server will relay mail to any destination. >

    > > !

    > ! Specify a list of client patterns. A list pattern specifies a host > ! name, a domain name, an internet address, or a network/mask pattern, > ! where the mask specifies the number of bits in the network part. > ! When a pattern specifies a file name, its contents are substituted > ! for the file name; when a pattern is a "type:table" table specification, > ! table lookup is used instead.

    > >

    > ! Patterns are separated by whitespace and/or commas. In order to > ! reverse the result, precede a pattern with an > ! exclamation point (!). The form "!/file/name" is supported only > ! in Postfix version 2.4 and later. >

    > --- 7369,7384 ---- >

    > ! With "smtp_always_send_ehlo = no", Postfix sends EHLO only when > ! the word "ESMTP" appears in the server greeting banner (example: > ! 220 spike.porcupine.org ESMTP Postfix). >

    > > ! > !
    > ! > !
    smtp_bind_address > ! (default: empty)
    > >

    > ! An optional numerical network address that the Postfix SMTP client > ! should bind to when making an IPv4 connection. >
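Review bot: the smtp_always_send_ehlo text in this hunk ("With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the word "ESMTP" appears in the server greeting banner") should state the consequence of falling back to HELO: server extensions are advertised only in the EHLO response, so against a server whose banner lacks "ESMTP" the client cannot negotiate the EHLO keywords this same document lists later (pipelining, starttls, auth), i.e. no STARTTLS and no SASL AUTH for that session. A one-sentence caution next to the example banner would make the trade-off of "no" visible to the administrator.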

    > *************** > *** 8024,8043 **** >

    > ! Example: >

    > >
    > ! qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
    >   
    > > > !
    > ! > !
    qmqpd_client_port_logging > ! (default: no)
    > ! > !

    Enable logging of the remote QMQP client port in addition to > ! the hostname and IP address. The logging format is "host[address]:port". > !

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > > --- 7386,7407 ---- >

    > ! This can be specified in the main.cf file for all SMTP clients, or > ! it can be specified in the master.cf file for a specific client, > ! for example: >

    > > +
    >
    > ! /etc/postfix/master.cf:
    > !     smtp ... smtp -o smtp_bind_address=11.22.33.44
    >   
    > +
    > > +

    Note 1: when inet_interfaces specifies no more than one IPv4 > + address, and that address is a non-loopback address, it is > + automatically used as the smtp_bind_address. This supports virtual > + IP hosting, but can be a problem on multi-homed firewalls. See the > + inet_interfaces documentation for more detail.

    > > !

    Note 2: address information may be enclosed inside [], > ! but this form is not required here.
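Review bot: the master.cf example in this hunk ("smtp ... smtp -o smtp_bind_address=11.22.33.44") uses an address that is not reserved for documentation; suggest one from the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24) so a copied example can never bind to, or be mistaken for, an address that belongs to someone else.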

    > > *************** > *** 8046,8088 **** > > !
    qmqpd_error_delay > ! (default: 1s)
    > ! > !

    > ! How long the Postfix QMQP server will pause before sending a negative > ! reply to the remote QMQP client. The purpose is to slow down confused > ! or malicious clients. > !

    > >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > > ! > !
    > ! > !
    qmqpd_timeout > ! (default: 300s)
    > ! > !

    > ! The time limit for sending or receiving information over the network. > ! If a read or write operation blocks for more than $qmqpd_timeout > ! seconds the Postfix QMQP server gives up and disconnects. > !

    > >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > > > !
    > ! > !
    queue_directory > ! (default: see "postconf -d" output)
    > > !

    > ! The location of the Postfix top-level queue directory. This is the > ! root directory of Postfix daemon processes that run chrooted. > !

    > > --- 7410,7442 ---- > > !
    smtp_bind_address6 > ! (default: empty)
    > >

    > ! An optional numerical network address that the Postfix SMTP client > ! should bind to when making an IPv6 connection. >

    > > !

    This feature is available in Postfix 2.2 and later.

    > >

    > ! This can be specified in the main.cf file for all SMTP clients, or > ! it can be specified in the master.cf file for a specific client, > ! for example: >

    > > +
    > +
    > + /etc/postfix/master.cf:
    > +     smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
    > + 
    > +
    > > !

    Note 1: when inet_interfaces specifies no more than one IPv6 > ! address, and that address is a non-loopback address, it is > ! automatically used as the smtp_bind_address6. This supports virtual > ! IP hosting, but can be a problem on multi-homed firewalls. See the > ! inet_interfaces documentation for more detail.

    > > !

    Note 2: address information may be enclosed inside [], > ! but this form is not recommended here.
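Review bot: two documentation points in the smtp_bind_address6 text of this hunk. The example "smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8" should use the RFC 3849 documentation prefix 2001:db8::/32 for the same reason the IPv4 example should use an RFC 5737 range. And "Note 2: address information may be enclosed inside [], but this form is not recommended here" disagrees with the otherwise identical smtp_bind_address note in the preceding hunk, which says "this form is not required here"; the two entries should use the same wording, since the [] form is either merely optional or actively discouraged, not both.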

    > > *************** > *** 8091,8104 **** > > !
    queue_file_attribute_count_limit > ! (default: 100)
    > > !

    > ! The maximal number of (name=value) attributes that may be stored > ! in a Postfix queue file. The limit is enforced by the cleanup(8) > ! server. >

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > --- 7445,7455 ---- > > !
    smtp_body_checks > ! (default: empty)
    > > !

    Restricted body_checks(5) tables for the Postfix SMTP client. > ! These tables are searched while mail is being delivered. Actions > ! that change the delivery time or destination are not available. >

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 8107,8129 **** > > !
    queue_minfree > ! (default: 0)
    > ! > !

    > ! The minimal amount of free space in bytes in the queue file system > ! that is needed to receive mail. This is currently used by the > ! Postfix SMTP server to decide if it will accept any mail at all. > !

    > > !

    > ! By default, the Postfix SMTP server rejects MAIL FROM commands when > ! the amount of free space is less than 1.5*$message_size_limit > ! (Postfix version 2.1 and later). > ! To specify a higher minimum free space limit, specify a queue_minfree > ! value that is at least 1.5*$message_size_limit. > !

    > > !

    > ! With Postfix versions 2.0 and earlier, a queue_minfree value of > ! zero means there is no minimum required amount of free space. > !

    > > --- 7458,7471 ---- > > !
    smtp_cname_overrides_servername > ! (default: version dependent)
    > > !

    Allow DNS CNAME records to override the servername that the > ! Postfix SMTP client uses for logging, SASL password lookup, TLS > ! policy decisions, or TLS certificate verification. The value "no" > ! hardens Postfix smtp_tls_per_site hostname-based policies against > ! false hostname information in DNS CNAME records, and makes SASL > ! password file lookups more predictable. This is the default setting > ! as of Postfix 2.3.

    > > !

    This feature is available in Postfix 2.2.9 and later.
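Review bot: the smtp_cname_overrides_servername header in this hunk says "(default: version dependent)" while the body already states that "no" is the default as of Postfix 2.3 (implying "yes" for the 2.2.9 releases in which the parameter first appeared). Suggest putting the per-version default in the header itself; for a setting whose "no" value is what hardens smtp_tls_per_site policy against false CNAME data, an administrator on an older release should not have to infer from the prose that they are running with the weaker default.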

    > > *************** > *** 8132,8143 **** > > !
    queue_run_delay > ! (default: 300s)
    > >

    > ! The time between deferred queue scans by the queue manager; > ! prior to Postfix 2.4 the default value was 1000s. >

    > > !

    This parameter should be set less than or equal to > ! $minimal_backoff_time. See also $maximal_backoff_time.

    > > --- 7474,7490 ---- > > !
    smtp_connect_timeout > ! (default: 30s)
    > >

    > ! The SMTP client time limit for completing a TCP connection, or > ! zero (use the operating system built-in time limit). >

    > > !

    > ! When no connection can be made within the deadline, the Postfix > ! SMTP client > ! tries the next address on the mail exchanger list. Specify 0 to > ! disable the time limit (i.e. use whatever timeout is implemented by > ! the operating system). > !

    > > *************** > *** 8151,8181 **** > > !
    queue_service_name > ! (default: qmgr)
    > > !

    > ! The name of the qmgr(8) service. This service manages the Postfix > ! queue and schedules delivery requests. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > !
    rbl_reply_maps > ! (default: empty)
    > > !

    > ! Optional lookup tables with RBL response templates. The tables are > ! indexed by the RBL domain name. By default, Postfix uses the default > ! template as specified with the default_rbl_reply configuration > ! parameter. See there for a discussion of the syntax of RBL reply > ! templates. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > --- 7498,7535 ---- > > !
    smtp_connection_cache_destinations > ! (default: empty)
    > > !

    Permanently enable SMTP connection caching for the specified > ! destinations. With SMTP connection caching, a connection is not > ! closed immediately after completion of a mail transaction. Instead, > ! the connection is kept open for up to $smtp_connection_cache_time_limit > ! seconds. This allows connections to be reused for other deliveries, > ! and can improve mail delivery performance.

    > > !

    Specify a comma or white space separated list of destinations > ! or pseudo-destinations:

    > > +
      > > !
    • if mail is sent without a relay host: a domain name (the > ! right-hand side of an email address, without the [] around a numeric > ! IP address), > > !
    • if mail is sent via a relay host: a relay host name (without > ! [] or non-default TCP port), as specified in main.cf or in the > ! transport map, > > !
    • if mail is sent via a UNIX-domain socket: a pathname (without > ! the unix: prefix), > > !
    • a /file/name with domain names and/or relay host names as > ! defined above, > ! > !
    • a "type:table" with domain names and/or relay host names on > ! the left-hand side. The right-hand side result from "type:table" > ! lookups is ignored. > ! > !
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 8184,8192 **** > > !
    readme_directory > ! (default: see "postconf -d" output)
    > > !

    > ! The location of Postfix README files that describe how to build, > ! configure or operate a specific Postfix subsystem or feature. > !

    > > --- 7538,7551 ---- > > !
    smtp_connection_cache_on_demand > ! (default: yes)
    > > !

    Temporarily enable SMTP connection caching while a destination > ! has a high volume of mail in the active queue. With SMTP connection > ! caching, a connection is not closed immediately after completion > ! of a mail transaction. Instead, the connection is kept open for > ! up to $smtp_connection_cache_time_limit seconds. This allows > ! connections to be reused for other deliveries, and can improve mail > ! delivery performance.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 8195,8256 **** > > !
    receive_override_options > ! (default: empty)
    > > !

    Enable or disable recipient validation, built-in content > ! filtering, or address mapping. Typically, these are specified in > ! master.cf as command-line arguments for the smtpd(8), qmqpd(8) or > ! pickup(8) daemons.

    > > !

    Specify zero or more of the following options. The options > ! override main.cf settings and are either implemented by smtpd(8), > ! qmqpd(8), or pickup(8) themselves, or they are forwarded to the > ! cleanup server.

    > > -
    > > !
    no_unknown_recipient_checks
    > > !
    Do not try to reject unknown recipients (SMTP server only). > ! This is typically specified AFTER an external content filter. > !
    > > !
    no_address_mappings
    > > !
    Disable canonical address mapping, virtual alias map expansion, > ! address masquerading, and automatic BCC (blind carbon-copy) > ! recipients. This is typically specified BEFORE an external content > ! filter.
    > > -
    no_header_body_checks
    > > !
    Disable header/body_checks. This is typically specified AFTER > ! an external content filter.
    > > !
    no_milters
    > > !
    Disable Milter (mail filter) applications. This is typically > ! specified AFTER an external content filter.
    > > !
    > > !

    > ! Note: when the "BEFORE content filter" receive_override_options > ! setting is specified in the main.cf file, specify the "AFTER content > ! filter" receive_override_options setting in master.cf (and vice > ! versa). > !

    > > !

    > ! Examples: > !

    > > !
    > ! receive_override_options =
    > !     no_unknown_recipient_checks, no_header_body_checks
    > ! receive_override_options = no_address_mappings
    > ! 
    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > --- 7554,7629 ---- > > !
    smtp_connection_cache_reuse_limit > ! (default: 10)
    > > !

    When SMTP connection caching is enabled, the number of times that > ! an SMTP session may be reused before it is closed. > !

    > > !

    This feature is available in Postfix 2.2. In Postfix 2.3 it is > ! replaced by $smtp_connection_reuse_time_limit.

    > > > !
    > > !
    smtp_connection_cache_time_limit > ! (default: 2s)
    > > !

    When SMTP connection caching is enabled, the amount of time that > ! an unused SMTP client socket is kept open before it is closed. Do > ! not specify larger values without permission from the remote sites. > !

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    smtp_connection_reuse_time_limit > ! (default: 300s)
    > > !

    The amount of time during which Postfix will use an SMTP > ! connection repeatedly. The timer starts when the connection is > ! initiated (i.e. it includes the connect, greeting and helo latency, > ! in addition to the latencies of subsequent mail delivery transactions). > !

    > > !

    This feature addresses a performance stability problem with > ! remote SMTP servers. This problem is not specific to Postfix: it > ! can happen when any MTA sends large amounts of SMTP email to a site > ! that has multiple MX hosts.

    > > !

    The problem starts when one of a set of MX hosts becomes slower > ! than the rest. Even though SMTP clients connect to fast and slow > ! MX hosts with equal probability, the slow MX host ends up with more > ! simultaneous inbound connections than the faster MX hosts, because > ! the slow MX host needs more time to serve each client request.

    > > !

    The slow MX host becomes a connection attractor. If one MX > ! host becomes N times slower than the rest, it dominates mail delivery > ! latency unless there are more than N fast MX hosts to counter the > ! effect. And if the number of MX hosts is smaller than N, the mail > ! delivery latency becomes effectively that of the slowest MX host > ! divided by the total number of MX hosts.

    > > !

    The solution uses connection caching in a way that differs from > ! Postfix version 2.2. By limiting the amount of time during which a connection > ! can be used repeatedly (instead of limiting the number of deliveries > ! over that connection), Postfix not only restores fairness in the > ! distribution of simultaneous connections across a set of MX hosts, > ! it also favors deliveries over connections that perform well, which > ! is exactly what we want.

    > > !

    The default reuse time limit, 300s, is comparable to the various > ! smtp transaction timeouts which are fair estimates of maximum excess > ! latency for a slow delivery. Note that hosts may accept thousands > ! of messages over a single connection within the default connection > ! reuse time limit. This number is much larger than the default Postfix > ! version 2.2 limit of 10 messages per cached connection. It may prove necessary > ! to lower the limit to avoid interoperability issues with MTAs that > ! exhibit bugs when many messages are delivered via a single connection. > ! A lower reuse time limit risks losing the benefit of connection > ! reuse when the average connection and mail delivery latency exceeds > ! the reuse time limit.

    > ! > !

    This feature is available in Postfix 2.3 and later.
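Review bot: the smtp_connection_cache_reuse_limit entry in this hunk presents "(default: 10)" and a normal description, and only its last sentence reveals that "In Postfix 2.3 it is replaced by $smtp_connection_reuse_time_limit". Suggest saying that the parameter is obsolete in the first paragraph, in the style this document uses elsewhere ("With Postfix 2.3 and later use ... instead"), so readers do not tune a setting that no longer has an effect on their release.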

    > > *************** > *** 8259,8267 **** > > !
    recipient_bcc_maps > ! (default: empty)
    > >

    > ! Optional BCC (blind carbon-copy) address lookup tables, indexed by > ! recipient address. The BCC address (multiple results are not > ! supported) is added when mail enters from outside of Postfix. >

    > --- 7632,7639 ---- > > !
    smtp_data_done_timeout > ! (default: 600s)
    > >

    > ! The SMTP client time limit for sending the SMTP ".", and for receiving > ! the server response. >

    > *************** > *** 8269,8271 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > --- 7641,7644 ---- >

    > ! When no response is received within the deadline, a warning is > ! logged that the mail may be delivered multiple times. >

    > *************** > *** 8273,8319 **** >

    > ! The table search order is as follows: >

    > > -
      > - > -
    • Look up the "user+extension at domain.tld" address including the > - optional address extension. > - > -
    • Look up the "user at domain.tld" address without the optional > - address extension. > - > -
    • Look up the "user+extension" address local part when the > - recipient domain equals $myorigin, $mydestination, $inet_interfaces > - or $proxy_interfaces. > - > -
    • Look up the "user" address local part when the recipient domain > - equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > - > -
    • Look up the "@domain.tld" part. > > !
    > > !

    > ! Specify the types and names of databases to use. After change, > ! run "postmap /etc/postfix/recipient_bcc". > !

    > >

    > ! Note: if mail to the BCC address bounces it will be returned to > ! the sender. >

    > > -

    Note: automatic BCC recipients are produced only for new mail. > - To avoid mailer loops, automatic BCC recipients are not generated > - after Postfix forwards mail internally, or after Postfix generates > - mail itself.

    > - >

    > ! Example: >

    > > -
    > - recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
    > - 
    > - > > --- 7646,7667 ---- >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > > > !
    > > !
    smtp_data_init_timeout > ! (default: 120s)
    > >

    > ! The SMTP client time limit for sending the SMTP DATA command, and for > ! receiving the server response. >

    > >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >
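Review bot: the recipient_bcc_maps note in this hunk, "if mail to the BCC address bounces it will be returned to the sender", should spell out the consequence: the bounce discloses the otherwise hidden blind-carbon-copy address to the original sender, which defeats the purpose of a blind copy. Separately, "After change, run "postmap /etc/postfix/recipient_bcc"" presumes the hash: table and file name of the example further down; the general instruction is to rebuild indexed tables with postmap, and the path should be tied to the example explicitly.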

    > > > *************** > *** 8321,8334 **** > > !
    recipient_canonical_classes > ! (default: envelope_recipient, header_recipient)
    > ! > !

    What addresses are subject to recipient_canonical_maps address > ! mapping. By default, recipient_canonical_maps address mapping is > ! applied to envelope recipient addresses, and to header recipient > ! addresses.

    > > !

    Specify one or more of: envelope_recipient, header_recipient >

    > > !

    This feature is available in Postfix 2.2 and later.

    > > --- 7669,7683 ---- > > !
    smtp_data_xfer_timeout > ! (default: 180s)
    > > !

    > ! The SMTP client time limit for sending the SMTP message content. > ! When the connection makes no progress for more than $smtp_data_xfer_timeout > ! seconds the Postfix SMTP client terminates the transfer. >

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > *************** > *** 8337,8345 **** > > !
    recipient_canonical_maps > ! (default: empty)
    > >

    > ! Optional address mapping lookup tables for envelope and header > ! recipient addresses. > ! The table format and lookups are documented in canonical(5). >

    > --- 7686,7692 ---- > > !
    smtp_defer_if_no_mx_address_found > ! (default: no)
    > >

    > ! Defer mail delivery when no MX record resolves to an IP address. >

    > *************** > *** 8347,8349 **** >

    > ! Note: $recipient_canonical_maps is processed before $canonical_maps. >

    > --- 7694,7698 ---- >

    > ! The default (no) is to return the mail as undeliverable. With older > ! Postfix versions the default was to keep trying to deliver the mail > ! until someone fixed the MX record or until the mail was too old. >

    > *************** > *** 8351,8358 **** >

    > ! Example: >

    > > !
    > ! recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    > ! 
    > > --- 7700,7708 ---- >

    > ! Note: Postfix always ignores MX records with equal or worse preference > ! than the local MTA itself. >

    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > *************** > *** 8361,8380 **** > > !
    recipient_delimiter > ! (default: empty)
    > ! > !

    > ! The separator between user names and address extensions (user+foo). > ! See canonical(5), local(8), relocated(5) and virtual(5) for the > ! effects this has on aliases, canonical, virtual, relocated and > ! on .forward file lookups. Basically, the software tries user+foo > ! and .forward+foo before trying user and .forward. > !

    > ! > !

    > ! Example: > !

    > > !
    > ! recipient_delimiter = +
    > ! 
    > > --- 7711,7719 ---- > > !
    smtp_destination_concurrency_limit > ! (default: $default_destination_concurrency_limit)
    > > !

    The maximal number of parallel deliveries to the same destination > ! via the smtp message delivery transport. This limit is enforced by > ! the queue manager. The message delivery transport name is the first > ! field in the entry in the master.cf file.

    > > *************** > *** 8383,8395 **** > > !
    reject_code > ! (default: 554)
    > > !

    > ! The numerical Postfix SMTP server response code when a remote SMTP > ! client request is rejected by the "reject" restriction. > !

    > > !

    > ! Do not change this unless you have a complete understanding of RFC 2821. > !

    > > --- 7722,7734 ---- > > !
    smtp_destination_recipient_limit > ! (default: $default_destination_recipient_limit)
    > > !

    The maximal number of recipients per message for the smtp > ! message delivery transport. This limit is enforced by the queue > ! manager. The message delivery transport name is the first field in > ! the entry in the master.cf file.

    > > !

    Setting this parameter to a value of 1 changes the meaning of > ! smtp_destination_concurrency_limit from concurrency per domain > ! into concurrency per recipient.
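Review bot: the reject_code text in this hunk, "Do not change this unless you have a complete understanding of RFC 2821", points at a document that RFC 5321 obsoleted in October 2008; this diff is from 2012, so the reference should be updated to RFC 5321. The same sentence appears under relay_domains_reject_code later in this patch.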

    > > *************** > *** 8398,8414 **** > > !
    reject_tempfail_action > ! (default: defer_if_permit)
    > > !

    The Postfix SMTP server's action when a reject-type restriction > ! fails due to a temporary error condition. Specify "defer" to defer > ! the remote SMTP client request immediately. With the default > ! "defer_if_permit" action, the Postfix SMTP server continues to look > ! for opportunities to reject mail, and defers the client request > ! only if it would otherwise be accepted.

    > ! > !

    For finer control, see: unverified_recipient_tempfail_action, > ! unverified_sender_tempfail_action, unknown_address_tempfail_action, > ! and unknown_helo_hostname_tempfail_action.

    > > !

    This feature is available in Postfix 2.6 and later.

    > > --- 7737,7749 ---- > > !
    smtp_discard_ehlo_keyword_address_maps > ! (default: empty)
    > > !

    Lookup tables, indexed by the remote SMTP server address, with > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > ! etc.) that the Postfix SMTP client will ignore in the EHLO response from a > ! remote SMTP server. See smtp_discard_ehlo_keywords for details. The > ! table is not indexed by hostname for consistency with > ! smtpd_discard_ehlo_keyword_address_maps.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 8417,8444 **** > > !
    relay_clientcerts > (default: empty)
    > > !

    List of tables with remote SMTP client-certificate fingerprints or > ! public key fingerprints (Postfix 2.9 and later) for which the Postfix > ! SMTP server will allow access with the permit_tls_clientcerts > ! feature. The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5).

    > > !

    Postfix lookup tables are in the form of (key, value) pairs. > ! Since we only need the key, the value can be chosen freely, e.g. > ! the name of the user or host: > ! D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    > > !

    Example:

    > > !
    > ! relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    > ! 
    > > !

    For more fine-grained control, use check_ccert_access to select > ! an appropriate access(5) policy for each client. > ! See RESTRICTION_CLASS_README.

    > > !

    This feature is available with Postfix version 2.2.

    > > --- 7752,7773 ---- > > !
    smtp_discard_ehlo_keywords > (default: empty)
    > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > ! auth, etc.) that the Postfix SMTP client will ignore in the EHLO > ! response from a remote SMTP server.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > !

    Notes:

    > > !
      > > !
    • Specify the silent-discard pseudo keyword to prevent > ! this action from being logged.

      > > !
    • Use the smtp_discard_ehlo_keyword_address_maps feature to > ! discard EHLO keywords selectively.

      > ! > !
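Review bot: the smtp_discard_ehlo_keywords notes in this hunk present "silent-discard" only as a way "to prevent this action from being logged", but when the discarded keyword is one of the security-relevant ones the entry itself names (starttls, auth), the log line is the only record that the client deliberately gave up TLS or authentication for a destination; the notes should caution that silent-discard removes that evidence. On the relay_clientcerts side of the same hunk, the text observes that the fingerprint digest was "hard-coded as md5 prior to Postfix version 2.5" and leaves it there; since md5 is no longer collision resistant, the entry should recommend setting smtpd_tls_fingerprint_digest to sha256 on releases that make it configurable.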
    > > *************** > *** 8447,8457 **** > > !
    relay_destination_concurrency_limit > ! (default: $default_destination_concurrency_limit)
    > > !

    The maximal number of parallel deliveries to the same destination > ! via the relay message delivery transport. This limit is enforced > ! by the queue manager. The message delivery transport name is the > ! first field in the entry in the master.cf file.

    > > !

    This feature is available in Postfix 2.0 and later.

    > > --- 7776,7800 ---- > > !
    smtp_enforce_tls > ! (default: no)
    > > !

    Enforcement mode: require that remote SMTP servers use TLS > ! encryption, and never send mail in the clear. This also requires > ! that the remote SMTP server hostname matches the information in > ! the remote server certificate, and that the remote SMTP server > ! certificate was issued by a CA that is trusted by the Postfix SMTP > ! client. If the certificate doesn't verify or the hostname doesn't > ! match, delivery is deferred and mail stays in the queue.

    > > !

    The server hostname is matched against all names provided as > ! dNSNames in the SubjectAlternativeName. If no dNSNames are specified, > ! the CommonName is checked. The behavior may be changed with the > ! smtp_tls_enforce_peername option.

    > ! > !

    This option is useful only if you are definitely sure that you > ! will only connect to servers that support RFC 2487 _and_ that > ! provide valid server certificates. Typical use is for clients that > ! send all their email to a dedicated mailhub.

    > ! > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.
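Review bot: the smtp_enforce_tls entry in this hunk should lead with what it now says last, "With Postfix 2.3 and later use smtp_tls_security_level instead", since the five preceding paragraphs describe enforcement semantics that most readers should be configuring through smtp_tls_security_level. Also, "servers that support RFC 2487" should cite RFC 3207, which obsoleted RFC 2487 as the SMTP STARTTLS specification in 2002.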

    > > *************** > *** 8460,8506 **** > > !
    relay_destination_recipient_limit > ! (default: $default_destination_recipient_limit)
    > > !

    The maximal number of recipients per message for the relay > ! message delivery transport. This limit is enforced by the queue > ! manager. The message delivery transport name is the first field in > ! the entry in the master.cf file.

    > > !

    Setting this parameter to a value of 1 changes the meaning of > ! relay_destination_concurrency_limit from concurrency per domain > ! into concurrency per recipient.

    > > !

    This feature is available in Postfix 2.0 and later.

    > > > -
    > > !
    relay_domains > ! (default: $mydestination)
    > > !

    What destination domains (and subdomains thereof) this system > ! will relay mail to. Subdomain matching is controlled with the > ! parent_domain_matches_subdomains parameter. For details about how > ! the relay_domains value is used, see the description of the > ! permit_auth_destination and reject_unauth_destination SMTP recipient > ! restrictions.

    > > !

    Domains that match $relay_domains are delivered with the > ! $relay_transport mail delivery transport. The SMTP server validates > ! recipient addresses with $relay_recipient_maps and rejects non-existent > ! recipients. See also the relay domains address class in the > ! ADDRESS_CLASS_README file.

    > > !

    Note: Postfix will not automatically forward mail for domains > ! that list this system as their primary or backup MX host. See the > ! permit_mx_backup restriction in the postconf(5) manual page.

    > > !

    Specify a list of host or domain names, "/file/name" patterns > ! or "type:table" lookup tables, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. A > ! "/file/name" pattern is replaced by its contents; a "type:table" > ! lookup table is matched when a (parent) domain appears as lookup > ! key. Specify "!pattern" to exclude a domain from the list. The form > ! "!/file/name" is supported only in Postfix version 2.4 and later. > !

    > > --- 7803,7845 ---- > > !
    smtp_fallback_relay > ! (default: $fallback_relay)
    > > !

    > ! Optional list of relay hosts for SMTP destinations that can't be > ! found or that are unreachable. With Postfix 2.2 and earlier this > ! parameter is called fallback_relay.

    > > !

    > ! By default, mail is returned to the sender when a destination is > ! not found, and delivery is deferred when a destination is unreachable. > !

    > > !

    The fallback relays must be SMTP destinations. Specify a domain, > ! host, host:port, [host]:port, [address] or [address]:port; the form > ! [host] turns off MX lookups. If you specify multiple SMTP > ! destinations, Postfix will try them in the specified order.

    > > +

    To prevent mailer loops between MX hosts and fall-back hosts, > + Postfix version 2.2 and later will not use the fallback relays for > + destinations that it is MX host for (assuming DNS lookup is turned on). > +

    > > > !
    > > !
    smtp_generic_maps > ! (default: empty)
    > > !

    Optional lookup tables that perform address rewriting in the > ! SMTP client, typically to transform a locally valid address into > ! a globally valid address when sending mail across the Internet. > ! This is needed when the local machine does not have its own Internet > ! domain name, but uses something like localdomain.local > ! instead.

    > > !

    The table format and lookups are documented in generic(5); > ! examples are shown in the ADDRESS_REWRITING_README and > ! STANDARD_CONFIGURATION_README documents.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 8509,8522 **** > > !
    relay_domains_reject_code > ! (default: 554)
    > > !

    > ! The numerical Postfix SMTP server response code when a client > ! request is rejected by the reject_unauth_destination recipient > ! restriction. >

    > > !

    > ! Do not change this unless you have a complete understanding of RFC 2821. > !

    > > --- 7848,7858 ---- > > !
    smtp_header_checks > ! (default: empty)
    > > !

    Restricted header_checks(5) tables for the Postfix SMTP client. > ! These tables are searched while mail is being delivered. Actions > ! that change the delivery time or destination are not available. >

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 8525,8542 **** > > !
    relay_recipient_maps > ! (default: empty)
    > ! > !

    Optional lookup tables with all valid addresses in the domains > ! that match $relay_domains. Specify @domain as a wild-card for > ! domains that have no valid recipient list, and become a source of > ! backscatter mail: Postfix accepts spam for non-existent recipients > ! and then floods innocent people with undeliverable mail. Technically, > ! tables > ! listed with $relay_recipient_maps are used as lists: Postfix needs > ! to know only if a lookup string is found or not, but it does not > ! use the result from table lookup.

    > >

    > ! If this parameter is non-empty, then the Postfix SMTP server will reject > ! mail to unknown relay users. This feature is off by default. >

    > --- 7861,7867 ---- > > !
    smtp_helo_name > ! (default: $myhostname)
    > >

    > ! The hostname to send in the SMTP EHLO or HELO command. >
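Review bot: the relay_recipient_maps sentence in this hunk reads as an instruction rather than a warning: "Specify @domain as a wild-card for domains that have no valid recipient list, and become a source of backscatter mail: Postfix accepts spam for non-existent recipients and then floods innocent people with undeliverable mail." Suggest splitting it so the consequence is unmistakably a caution, e.g. "Specify @domain as a wild-card for domains that have no valid recipient list. Note that this makes the system a source of backscatter mail: Postfix accepts spam for non-existent recipients and then floods innocent people with undeliverable mail."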

    > *************** > *** 8544,8547 **** >

    > ! See also the relay domains address class in the ADDRESS_CLASS_README > ! file. >

    > --- 7869,7872 ---- >

    > ! The default value is the machine hostname. Specify a hostname or > ! [ip.add.re.ss]. >

    > *************** > *** 8549,8556 **** >

    > ! Example: >

    > >
    > ! relay_recipient_maps = hash:/etc/postfix/relay_recipients
    >   
    > > --- 7874,7886 ---- >

    > ! This information can be specified in the main.cf file for all SMTP > ! clients, or it can be specified in the master.cf file for a specific > ! client, for example: >

    > > +
    >
    > ! /etc/postfix/master.cf:
    > !     mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    >   
    > +
    > > *************** > *** 8563,8586 **** > > !
    relay_transport > ! (default: relay)
    > ! > !

    > ! The default mail delivery transport and next-hop destination for > ! remote delivery to domains listed with $relay_domains. In order of > ! decreasing precedence, the nexthop destination is taken from > ! $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or > ! from the recipient domain. This information can be overruled with > ! the transport(5) table. > !

    > ! > !

    > ! Specify a string of the form transport:nexthop, where transport > ! is the name of a mail delivery transport defined in master.cf. > ! The :nexthop destination is optional; its syntax is documented > ! in the manual page of the corresponding delivery agent. > !

    > >

    > ! See also the relay domains address class in the ADDRESS_CLASS_README > ! file. >

    > --- 7893,7900 ---- > > !
    smtp_helo_timeout > ! (default: 300s)
    > >

    > ! The SMTP client time limit for sending the HELO or EHLO command, > ! and for receiving the initial server response. >

    > *************** > *** 8588,8590 **** >

    > ! This feature is available in Postfix 2.0 and later. >

    > --- 7902,7905 ---- >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > *************** > *** 8594,8604 **** > > !
    relayhost > ! (default: empty)
    > >

    > ! The next-hop destination of non-local mail; overrides non-local > ! domains in recipient addresses. This information is overruled with > ! relay_transport, sender_dependent_default_transport_maps, > ! default_transport, sender_dependent_relayhost_maps > ! and with the transport(5) table. >

    > --- 7909,7916 ---- > > !
    smtp_host_lookup > ! (default: dns)
    > >

    > ! What mechanisms when the Postfix SMTP client uses to look up a host's IP > ! address. This parameter is ignored when DNS lookups are disabled. >

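Review bot: typo on the new side of this hunk: "What mechanisms when the Postfix SMTP client uses to look up a host's IP address" has a stray "when" and should read "What mechanisms the Postfix SMTP client uses to look up a host's IP address". The next sentence, "This parameter is ignored when DNS lookups are disabled", would also be easier to act on if it named the parameter that disables DNS lookups (disable_dns_lookups).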
    > *************** > *** 8606,8650 **** >

    > ! On an intranet, specify the organizational domain name. If your > ! internal DNS uses no MX records, specify the name of the intranet > ! gateway host instead. >

    > > !

    > ! In the case of SMTP, specify a domain name, hostname, hostname:port, > ! [hostname]:port, [hostaddress] or [hostaddress]:port. The form > ! [hostname] turns off MX lookups. > !

    > > !

    > ! If you're connected via UUCP, see the UUCP_README file for useful > ! information. > !

    > > !

    > ! Examples: > !

    > > !
    > ! relayhost = $mydomain
    > ! relayhost = [gateway.example.com]
    > ! relayhost = uucphost
    > ! relayhost = [an.ip.add.ress]
    > ! 
    > > > !
    > > !
    relocated_maps > ! (default: empty)
    > >

    > ! Optional lookup tables with new contact information for users or > ! domains that no longer exist. The table format and lookups are > ! documented in relocated(5). >

    > >

    > ! If you use this feature, run "postmap /etc/postfix/relocated" to > ! build the necessary DBM or DB file after change, then "postfix > ! reload" to make the changes visible. >

    > --- 7918,7954 ---- >

    > ! Specify one of the following: >

    > > !
    > > !
    dns
    > > !
    Hosts can be found in the DNS (preferred).
    > > !
    native
    > ! > !
    Use the native naming service only (nsswitch.conf, or equivalent > ! mechanism).
    > > +
    dns, native
    > > !
    Use the native service for hosts not found in the DNS.
    > > !
    > >

    > ! This feature is available in Postfix 2.1 and later. >

    > > + > +
    > + > +
    smtp_line_length_limit > + (default: 990)
    > + >

    > ! The maximal length of message header and body lines that Postfix > ! will send via SMTP. Longer lines are broken by inserting > ! "<CR><LF><SPACE>". This minimizes the damage to > ! MIME formatted mail. >

    > *************** > *** 8652,8661 **** >

    > ! Examples: >

    > > -
    > - relocated_maps = dbm:/etc/postfix/relocated
    > - relocated_maps = hash:/etc/postfix/relocated
    > - 
    > - > > --- 7956,7961 ---- >

    > ! By default, the line length is limited to 990 characters, because > ! some server implementations cannot receive mail with long lines. >

    > > > *************** > *** 8663,8693 **** > > !
    remote_header_rewrite_domain > ! (default: empty)
    > > !

    Don't rewrite message headers from remote clients at all when > ! this parameter is empty; otherwise, rewrite message headers and > ! append the specified domain name to incomplete addresses. The > ! local_header_rewrite_clients parameter controls what clients Postfix > ! considers local.

    > > !

    Examples:

    > > -

    The safe setting: append "domain.invalid" to incomplete header > - addresses from remote SMTP clients, so that those addresses cannot > - be confused with local addresses.

    > > !
    > !
    > ! remote_header_rewrite_domain = domain.invalid
    > ! 
    > !
    > > !

    The default, purist, setting: don't rewrite headers from remote > ! clients at all.

    > > !
    > !
    > ! remote_header_rewrite_domain =
    > ! 
    > !
    > > --- 7963,7989 ---- > > !
    smtp_mail_timeout > ! (default: 300s)
    > > !

    > ! The SMTP client time limit for sending the MAIL FROM command, and > ! for receiving the server response. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > > !
    > > !
    smtp_mime_header_checks > ! (default: empty)
    > > !

    Restricted mime_header_checks(5) tables for the Postfix SMTP > ! client. These tables are searched while mail is being delivered. > ! Actions that change the delivery time or destination are not > ! available.

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 8696,8759 **** > > !
    require_home_directory > ! (default: no)
    > >

    > ! Require that a local(8) recipient's home directory exists > ! before mail delivery is attempted. By default this test is disabled. > ! It can be useful for environments that import home directories to > ! the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED). >

    > > > -
    > > !
    reset_owner_alias > ! (default: no)
    > > !

    Reset the local(8) delivery agent's idea of the owner-alias > ! attribute, when delivering mail to a child alias that does not have > ! its own owner alias.

    > > !

    This feature is available in Postfix 2.8 and later. With older > ! Postfix releases, the behavior is as if this parameter is set to > ! "yes".

    > > !

    As documented in aliases(5), when an alias name has a > ! companion alias named owner-name, delivery errors will be > ! reported to the owner alias instead of the sender. This configuration > ! is recommended for mailing lists.

    > ! > !

    A less known property of the owner alias is that it also forces > ! the local(8) delivery agent to write local and remote addresses > ! from alias expansion to a new queue file, instead of attempting to > ! deliver mail to local addresses as soon as they come out of alias > ! expansion.

    > ! > !

    Writing local addresses from alias expansion to a new queue > ! file allows for robust handling of temporary delivery errors: errors > ! with one local member have no effect on deliveries to other members > ! of the list. On the other hand, delivery to local addresses as > ! soon as they come out of alias expansion is fragile: a temporary > ! error with one local address from alias expansion will cause the > ! entire alias to be expanded repeatedly until the error goes away, > ! or until the message expires in the queue. In that case, a problem > ! with one list member results in multiple message deliveries to other > ! list members.

    > ! > !

    The default behavior of Postfix 2.8 and later is to keep the > ! owner-alias attribute of the parent alias, when delivering mail to > ! a child alias that does not have its own owner alias. Then, local > ! addresses from that child alias will be written to a new queue file, > ! and a temporary error with one local address will not affect delivery > ! to other mailing list members.

    > ! > !

    Unfortunately, older Postfix releases reset the owner-alias > ! attribute when delivering mail to a child alias that does not have > ! its own owner alias. The local(8) delivery agent then attempts to > ! deliver local addresses as soon as they come out of child alias > ! expansion. If delivery to any address from child alias expansion > ! fails with a temporary error condition, the entire mailing list may > ! be expanded repeatedly until the mail expires in the queue, resulting > ! in multiple deliveries of the same message to mailing list members. > !

    > > --- 7992,8019 ---- > > !
    smtp_mx_address_limit > ! (default: 5)
    > >

    > ! The maximal number of MX (mail exchanger) IP addresses that can > ! result from mail exchanger lookups, or zero (no limit). Prior to > ! Postfix version 2.3, this limit was disabled by default. >

    > > +

    > + This feature is available in Postfix 2.1 and later. > +

    > > > !
    > > !
    smtp_mx_session_limit > ! (default: 2)
    > > !

    The maximal number of SMTP sessions per delivery request before > ! giving up or delivering to a fall-back relay host, or zero (no > ! limit). This restriction ignores sessions that fail to complete the > ! SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to > ! complete the EHLO and TLS handshake (Postfix version 2.3 and later).

    > > !

    This feature is available in Postfix 2.1 and later.

    > > *************** > *** 8762,8780 **** > > !
    resolve_dequoted_address > ! (default: yes)
    > ! > !

    Resolve a recipient address safely instead of correctly, by > ! looking inside quotes.

    > > !

    By default, the Postfix address resolver does not quote the > ! address localpart as per RFC 822, so that additional @ or % or ! > ! operators remain visible. This behavior is safe but it is also > ! technically incorrect.

    > > !

    If you specify "resolve_dequoted_address = no", then > ! the Postfix > ! resolver will not know about additional @ etc. operators in the > ! address localpart. This opens opportunities for obscure mail relay > ! attacks with user at domain@domain addresses when Postfix provides > ! backup MX service for Sendmail systems.

    > > --- 8022,8032 ---- > > !
    smtp_nested_header_checks > ! (default: empty)
    > > !

    Restricted nested_header_checks(5) tables for the Postfix SMTP > ! client. These tables are searched while mail is being delivered. > ! Actions that change the delivery time or destination are not > ! available.

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 8783,8798 **** > > !
    resolve_null_domain > (default: no)
    > > !

    Resolve an address that ends in the "@" null domain as if the > ! local hostname were specified, instead of rejecting the address as > ! invalid.

    > > -

    This feature is available in Postfix 2.1 and later. > - Earlier versions always resolve the null domain as the local > - hostname.

    > > !

    The Postfix SMTP server uses this feature to reject mail from > ! or to addresses that end in the "@" null domain, and from addresses > ! that rewrite into a form that ends in the "@" null domain.

    > > --- 8035,8058 ---- > > !
    smtp_never_send_ehlo > (default: no)
    > > !

    Never send EHLO at the start of an SMTP session. See also the > ! smtp_always_send_ehlo parameter.

    > > > !
    > ! > !
    smtp_pix_workaround_delay_time > ! (default: 10s)
    > ! > !

    > ! How long the Postfix SMTP client pauses before sending > ! ".<CR><LF>" in order to work around the PIX firewall > ! "<CR><LF>.<CR><LF>" bug. > !

    > ! > !

    > ! Choosing a too short time makes this workaround ineffective when > ! sending large messages over slow network connections. > !

    > > *************** > *** 8801,8809 **** > > !
    resolve_numeric_domain > ! (default: no)
    > > !

    Resolve "user at ipaddress" as "user@[ipaddress]", instead of > ! rejecting the address as invalid.

    > > !

    This feature is available in Postfix 2.3 and later. > > --- 8061,8071 ---- > > !

    smtp_pix_workaround_maps > ! (default: empty)
    > > !

    Lookup tables, indexed by the remote SMTP server address, with > ! per-destination workarounds for CISCO PIX firewall bugs. The table > ! is not indexed by hostname for consistency with > ! smtp_discard_ehlo_keyword_address_maps.

    > > !

    This feature is available in Postfix 2.4 and later.

    > > *************** > *** 8812,8820 **** > > !
    rewrite_service_name > ! (default: rewrite)
    > >

    > ! The name of the address rewriting service. This service rewrites > ! addresses to standard form and resolves them to a (delivery method, > ! next-hop host, recipient) triple. >

    > --- 8074,8087 ---- > > !
    smtp_pix_workaround_threshold_time > ! (default: 500s)
    > ! > !

    How long a message must be queued before the Postfix SMTP client > ! turns on the PIX firewall "<CR><LF>.<CR><LF>" > ! bug workaround for delivery through firewalls with "smtp fixup" > ! mode turned on.

    > >

    > ! By default, the workaround is turned off for mail that is queued > ! for less than 500 seconds. In other words, the workaround is normally > ! turned off for the first delivery attempt. >

    > *************** > *** 8822,8824 **** >

    > ! This feature is available in Postfix 2.0 and later. >

    > --- 8089,8093 ---- >

    > ! Specify 0 to enable the PIX firewall > ! "<CR><LF>.<CR><LF>" bug workaround upon the > ! first delivery attempt. >

    > *************** > *** 8828,8855 **** > > !
    sample_directory > ! (default: /etc/postfix)
    > ! > !

    > ! The name of the directory with example Postfix configuration files. > ! Starting with Postfix 2.1, these files have been replaced with the > ! postconf(5) manual page. > !

    > > > !
    > > !
    send_cyrus_sasl_authzid > ! (default: no)
    > > !

    When authenticating to a remote SMTP or LMTP server with the > ! default setting "no", send no SASL authoriZation ID (authzid); send > ! only the SASL authentiCation ID (authcid) plus the authcid's password. > !

    > > !

    The non-default setting "yes" enables the behavior of older > ! Postfix versions. These always send a SASL authzid that is equal > ! to the SASL authcid, but this causes inter-operability problems > ! with some SMTP servers.

    > > !

    This feature is available in Postfix 2.4.4 and later.

    > > --- 8097,8122 ---- > > !
    smtp_pix_workarounds > ! (default: disable_esmtp, delay_dotcrlf)
    > > +

    A list that specifies zero or more workarounds for CISCO PIX > + firewall bugs. These workarounds are implemented by the Postfix > + SMTP client. Workaround names are separated by comma or space, and > + are case insensitive. This parameter setting can be overruled with > + per-destination smtp_pix_workaround_maps settings.

    > > !
    > > !
    delay_dotcrlf
    Insert a delay before sending > ! ".<CR><LF>" after the end of the message content. The > ! delay is subject to the smtp_pix_workaround_delay_time and > ! smtp_pix_workaround_threshold_time parameter settings.
    > > !
    disable_esmtp
    Disable all extended SMTP commands: > ! send HELO instead of EHLO.
    > > !
    > > !

    This feature is available in Postfix 2.4 and later. The default > ! settings are backwards compatible with earlier Postfix versions. > !

    > > *************** > *** 8858,8865 **** > > !
    sender_based_routing > ! (default: no)
    > >

    > ! This parameter should not be used. It was replaced by sender_dependent_relayhost_maps > ! in Postfix version 2.3. >

    > --- 8125,8137 ---- > > !
    smtp_quit_timeout > ! (default: 300s)
    > >

    > ! The SMTP client time limit for sending the QUIT command, and for > ! receiving the server response. > !

    > ! > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > *************** > *** 8869,8879 **** > > !
    sender_bcc_maps > ! (default: empty)
    > ! > !

    Optional BCC (blind carbon-copy) address lookup tables, indexed > ! by sender address. The BCC address (multiple results are not > ! supported) is added when mail enters from outside of Postfix.

    > >

    > ! This feature is available in Postfix 2.1 and later. >

    > --- 8141,8149 ---- > > !
    smtp_quote_rfc821_envelope > ! (default: yes)
    > >

    > ! Quote addresses in SMTP MAIL FROM and RCPT TO commands as required > ! by RFC 2821. This includes putting quotes around an address localpart > ! that ends in ".". >

    > *************** > *** 8881,8926 **** >

    > ! The table search order is as follows: >

    > > !
      > > !
    • Look up the "user+extension at domain.tld" address including the > ! optional address extension. > ! > !
    • Look up the "user at domain.tld" address without the optional > ! address extension. > > !
    • Look up the "user+extension" address local part when the > ! sender domain equals $myorigin, $mydestination, $inet_interfaces > ! or $proxy_interfaces. > > -
    • Look up the "user" address local part when the sender domain > - equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > !
    • Look up the "@domain.tld" part. > > !
    > >

    > ! Specify the types and names of databases to use. After change, > ! run "postmap /etc/postfix/sender_bcc". >

    > > -

    > - Note: if mail to the BCC address bounces it will be returned to > - the sender. > -

    > > !

    Note: automatic BCC recipients are produced only for new mail. > ! To avoid mailer loops, automatic BCC recipients are not generated > ! after Postfix forwards mail internally, or after Postfix generates > ! mail itself.

    > >

    > ! Example: >

    > > !
    > ! sender_bcc_maps = hash:/etc/postfix/sender_bcc
    > ! 
    > > --- 8151,8198 ---- >

    > ! The default is to comply with RFC 2821. If you have to send mail to > ! a broken SMTP server, configure a special SMTP client in master.cf: >

    > > !
    > !
    > ! /etc/postfix/master.cf:
    > !     broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
    > ! 
    > !
    > > !

    > ! and route mail for the destination in question to the "broken-smtp" > ! message delivery with a transport(5) table. > !

    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > > !
    > > !
    smtp_randomize_addresses > ! (default: yes)
    > >

    > ! Randomize the order of equal-preference MX host addresses. This > ! is a performance feature of the Postfix SMTP client. >

    > > > !
    > ! > !
    smtp_rcpt_timeout > ! (default: 300s)
    > >

    > ! The SMTP client time limit for sending the SMTP RCPT TO command, and > ! for receiving the server response. >

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

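Review bot: style point in the new-side master.cf example: "broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no" elides the master.cf fields with spaced dots, while the smtp_helo_name example earlier in this diff uses "mysmtp ... smtp -o smtp_helo_name=foo.bar.com"; pick one elision style for the whole page. The phrase "route mail for the destination in question to the "broken-smtp" message delivery with a transport(5) table" also drops a word; "message delivery transport" matches the wording used elsewhere ("the name of a mail delivery transport defined in master.cf").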
    > > *************** > *** 8929,8941 **** > > !
    sender_canonical_classes > ! (default: envelope_sender, header_sender)
    > ! > !

    What addresses are subject to sender_canonical_maps address > ! mapping. By default, sender_canonical_maps address mapping is > ! applied to envelope sender addresses, and to header sender addresses. > !

    > > !

    Specify one or more of: envelope_sender, header_sender

    > > !

    This feature is available in Postfix 2.2 and later.

    > > --- 8201,8211 ---- > > !
    smtp_rset_timeout > ! (default: 20s)
    > > !

    The SMTP client time limit for sending the RSET command, and > ! for receiving the server response. The SMTP client sends RSET in > ! order to finish a recipient address probe, or to verify that a > ! cached session is still usable.

    > > !

    This feature is available in Postfix 2.1 and later.

    > > *************** > *** 8944,8972 **** > > !
    sender_canonical_maps > (default: empty)
    > > !

    > ! Optional address mapping lookup tables for envelope and header > ! sender addresses. > ! The table format and lookups are documented in canonical(5). > !

    > > !

    > ! Example: you want to rewrite the SENDER address "user at ugly.domain" > ! to "user at pretty.domain", while still being able to send mail to > ! the RECIPIENT address "user at ugly.domain". >

    > > !

    > ! Note: $sender_canonical_maps is processed before $canonical_maps. > !

    > > !

    > ! Example: >

    > >
    > ! sender_canonical_maps = hash:/etc/postfix/sender_canonical
    >   
    > > > --- 8214,8253 ---- > > !
    smtp_sasl_auth_cache_name > (default: empty)
    > > !

    An optional table to prevent repeated SASL authentication > ! failures with the same remote SMTP server hostname, username and > ! password. Each table (key, value) pair contains a server name, a > ! username and password, and the full server response. This information > ! is stored when a remote SMTP server rejects an authentication attempt > ! with a 535 reply code. As long as the smtp_sasl_password_maps > ! information does no change, and as long as the smtp_sasl_auth_cache_name > ! information does not expire (see smtp_sasl_auth_cache_time) the > ! Postfix SMTP client avoids SASL authentication attempts with the > ! same server, username and password, and instead bounces or defers > ! mail as controlled with the smtp_sasl_auth_soft_bounce configuration > ! parameter.

    > > !

    Use a per-destination delivery concurrency of 1 (for example, > ! "smtp_destination_concurrency_limit = 1", > ! "relay_destination_concurrency_limit = 1", etc.), otherwise multiple > ! delivery agents may experience a login failure at the same time. >

    > > !

    The table must be accessed via the proxywrite service, i.e. the > ! map name must start with "proxy:". The table should be stored under > ! the directory specified with the data_directory parameter.

    > > !

    This feature uses cryptographic hashing to protect plain-text > ! passwords, and requires that Postfix is compiled with TLS support. >

    > > +

    Example:

    > + >
    > ! smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
    >   
    > > +

    This feature is available in Postfix 2.5 and later.

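Review bot: typo in the new-side smtp_sasl_auth_cache_name text: "As long as the smtp_sasl_password_maps information does no change" should be "does not change". The sentence "This feature uses cryptographic hashing to protect plain-text passwords" also leaves a gap a reader of a credential cache entry will notice: the entry says each (key, value) pair holds a server name, a username and password, and the full server response, but not which of those fields is stored hashed, so it can be read as storing the password in clear. Spell out what is hashed so an administrator can judge what an exposure of the cache file under data_directory would reveal.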
    > + > > *************** > *** 8974,8994 **** > > !
    sender_dependent_default_transport_maps > ! (default: empty)
    > ! > !

    A sender-dependent override for the global default_transport > ! parameter setting. The tables are searched by the envelope sender > ! address and @domain. A lookup result of DUNNO terminates the search > ! without overriding the global default_transport parameter setting. > ! This information is overruled with the transport(5) table.

    > ! > !

    Note: this overrides default_transport, not transport_maps, and > ! therefore the expected syntax is that of default_transport, not the > ! syntax of transport_maps. Specifically, this does not support the > ! transport_maps syntax for null transport, null nexthop, or null > ! email addresses.

    > > !

    For safety reasons, this feature does not allow $number > ! substitutions in regular expression maps.

    > > !

    This feature is available in Postfix 2.7 and later.

    > > --- 8255,8263 ---- > > !
    smtp_sasl_auth_cache_time > ! (default: 90d)
    > > !

    The maximal age of an smtp_sasl_auth_cache_name entry before it > ! is removed.

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 8997,9016 **** > > !
    sender_dependent_relayhost_maps > ! (default: empty)
    > ! > !

    A sender-dependent override for the global relayhost parameter > ! setting. The tables are searched by the envelope sender address and > ! @domain. A lookup result of DUNNO terminates the search without > ! overriding the global relayhost parameter setting (Postfix 2.6 and > ! later). This information is overruled with relay_transport, > ! sender_dependent_default_transport_maps, default_transport and with > ! the transport(5) table.

    > > !

    For safety reasons, this feature does not allow $number > ! substitutions in regular expression maps.

    > >

    > ! This feature is available in Postfix 2.3 and later. >

    > > > --- 8266,8283 ---- > > !
    smtp_sasl_auth_enable > ! (default: no)
    > > !

    > ! Enable SASL authentication in the Postfix SMTP client. By default, > ! the Postfix SMTP client uses no authentication. > !

    > >

    > ! Example: >

    > > +
    > + smtp_sasl_auth_enable = yes
    > + 
    > + > > *************** > *** 9018,9044 **** > > !
    sendmail_fix_line_endings > ! (default: always)
    > ! > !

    Controls how the Postfix sendmail command converts email message > ! line endings from <CR><LF> into UNIX format (<LF>). > !

    > > !
    > > !
    always
    Always convert message lines ending > ! in <CR><LF>. This setting is the default with Postfix > ! 2.9 and later.
    > ! > !
    strict
    Convert message lines ending in > ! <CR><LF> only if the first input line ends in > ! <CR><LF>. This setting is backwards-compatible with > ! Postfix 2.8 and earlier.
    > > !
    never
    Never convert message lines ending in > ! <CR><LF>. This setting exists for completeness only. > !
    > > !
    > > !

    This feature is available in Postfix 2.9 and later.

    > > --- 8285,8307 ---- > > !
    smtp_sasl_auth_soft_bounce > ! (default: yes)
    > > !

    When a remote SMTP server rejects a SASL authentication request > ! with a 535 reply code, defer mail delivery instead of returning > ! mail as undeliverable. The latter behavior was hard-coded prior to > ! Postfix version 2.5.

    > > !

    Note: the setting "yes" overrides the global soft_bounce > ! parameter, but the setting "no" does not.

    > > !

    Example:

    > > !
    > ! # Default as of Postfix 2.5
    > ! smtp_sasl_auth_soft_bounce = yes
    > ! # The old hard-coded default
    > ! smtp_sasl_auth_soft_bounce = no
    > ! 
    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 9047,9057 **** > > !
    sendmail_path > ! (default: see "postconf -d" output)
    > >

    > ! A Sendmail compatibility feature that specifies the location of > ! the Postfix sendmail(1) command. This command can be used to > ! submit mail into the Postfix queue. >

    > > > --- 8310,8340 ---- > > !
    smtp_sasl_mechanism_filter > ! (default: empty)
    > >

    > ! If non-empty, a Postfix SMTP client filter for the remote SMTP > ! server's list of offered SASL mechanisms. Different client and > ! server implementations may support different mechanism lists. By > ! default, the Postfix SMTP client will use the intersection of the > ! two. smtp_sasl_mechanism_filter further restricts what server > ! mechanisms the client will take into consideration.

    > ! > !

    Specify mechanism names, "/file/name" patterns or "type:table" > ! lookup tables. The right-hand side result from "type:table" lookups > ! is ignored. Specify "!pattern" to exclude a mechanism name from the > ! list. The form "!/file/name" is supported only in Postfix version > ! 2.4 and later.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > !

    > ! Examples: >

    > > +
    > + smtp_sasl_mechanism_filter = plain, login
    > + smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    > + smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
    > + 
    > + > > *************** > *** 9059,9066 **** > > !
    service_throttle_time > ! (default: 60s)
    > >

    > ! How long the Postfix master(8) waits before forking a server that > ! appears to be malfunctioning. >

    > --- 8342,8352 ---- > > !
    smtp_sasl_password_maps > ! (default: empty)
    > >

    > ! Optional SMTP client lookup tables with one username:password entry > ! per remote hostname or domain, or sender address when sender-dependent > ! authentication is enabled. If no username:password entry is found, > ! then the Postfix SMTP client will not > ! attempt to authenticate to the remote host. >

    > *************** > *** 9068,9071 **** >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > --- 8354,8357 ---- >

    > ! The Postfix SMTP client opens the lookup table before going to > ! chroot jail, so you can leave the password file in /etc/postfix. >

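Review bot: the new-side smtp_sasl_password_maps text tells readers they "can leave the password file in /etc/postfix" because the client opens it before entering the chroot jail, but says nothing about protecting a file that holds one username:password entry per remote host. Suggest adding, next to the usual "postmap" instruction used elsewhere on this page, that both the source file and the generated database must be readable by root only (a "chmod 600" note), since the entries are plaintext credentials for remote servers.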
    > *************** > *** 9075,9085 **** > > !
    setgid_group > ! (default: postdrop)
    > > !

    > ! The group ownership of set-gid Postfix commands and of group-writable > ! Postfix directories. When this parameter value is changed you need > ! to re-run "postfix set-permissions" (with Postfix version 2.0 and > ! earlier: "/etc/postfix/post-install set-permissions". > !

    > > --- 8361,8372 ---- > > !
    smtp_sasl_path > ! (default: empty)
    > > !

    Implementation-specific information that the Postfix SMTP client > ! passes through to > ! the SASL plug-in implementation that is selected with > ! smtp_sasl_type. Typically this specifies the name of a > ! configuration file or rendezvous point.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 9088,9147 **** > > !
    show_user_unknown_table_name > ! (default: yes)
    > > !

    > ! Display the name of the recipient table in the "User unknown" > ! responses. The extra detail makes trouble shooting easier but also > ! reveals information that is nobody elses business. > !

    > >

    > ! This feature is available in Postfix 2.0 and later. >

    > > > !
    > ! > !
    showq_service_name > ! (default: showq)
    > > !

    > ! The name of the showq(8) service. This service produces mail queue > ! status reports. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > !
    smtp_address_preference > ! (default: any)
    > > !

    The address type ("ipv6", "ipv4" or "any") that the Postfix > ! SMTP client will try first, when a destination has IPv6 and IPv4 > ! addresses with equal MX preference. This feature has no effect > ! unless the inet_protocols setting enables both IPv4 and IPv6. > ! With Postfix 2.8 the default is "ipv6".

    > > !

    This feature is available in Postfix 2.8 and later.

    > > > !
    > > !
    smtp_always_send_ehlo > ! (default: yes)
    > >

    > ! Always send EHLO at the start of an SMTP session. >

    > > !

    > ! With "smtp_always_send_ehlo = no", the Postfix SMTP client sends > ! EHLO only when > ! the word "ESMTP" appears in the server greeting banner (example: > ! 220 spike.porcupine.org ESMTP Postfix). > !

    > > --- 8375,8424 ---- > > !
    smtp_sasl_security_options > ! (default: noplaintext, noanonymous)
    > > !

    Postfix SMTP client SASL security options; as of Postfix 2.3 > ! the list of available > ! features depends on the SASL client implementation that is selected > ! with smtp_sasl_type.

    > ! > !

    The following security features are defined for the cyrus > ! client SASL implementation:

    > >

    > ! Specify zero or more of the following: >

    > > +
    > > !
    noplaintext
    > > !
    Disallow methods that use plaintext passwords.
    > > !
    noactive
    > > +
    Disallow methods subject to active (non-dictionary) attack. > +
    > > !
    nodictionary
    > > !
    Disallow methods subject to passive (dictionary) attack.
    > > !
    noanonymous
    > > !
    Disallow methods that allow anonymous authentication.
    > > +
    mutual_auth
    > > !
    Only allow methods that provide mutual authentication (not > ! available with SASL version 1).
    > > !
    > >

    > ! Example: >

    > > !
    > ! smtp_sasl_security_options = noplaintext
    > ! 
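Review bot: the two sides of this hunk document different parameters, so the `!` markers do not record an edit to either text: the old side covers showq_service_name, smtp_address_preference and smtp_always_send_ehlo, while the new side (--- 8375,8424 ----) covers smtp_sasl_security_options, which points to a reordering of postconf.5.html rather than a content change. On the new text itself, the example `smtp_sasl_security_options = noplaintext` silently narrows the documented default `noplaintext, noanonymous`, because an explicit value replaces the default list rather than adding to it; suggest either keeping noanonymous in the example or stating that the example as written permits anonymous mechanisms.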
    > > *************** > *** 9150,9180 **** > > !
    smtp_bind_address > ! (default: empty)
    > ! > !

    > ! An optional numerical network address that the Postfix SMTP client > ! should bind to when making an IPv4 connection. > !

    > ! > !

    > ! This can be specified in the main.cf file for all SMTP clients, or > ! it can be specified in the master.cf file for a specific client, > ! for example: > !

    > ! > !
    > !
    > ! /etc/postfix/master.cf:
    > !     smtp ... smtp -o smtp_bind_address=11.22.33.44
    > ! 
    > !
    > > !

    Note 1: when inet_interfaces specifies no more than one IPv4 > ! address, and that address is a non-loopback address, it is > ! automatically used as the smtp_bind_address. This supports virtual > ! IP hosting, but can be a problem on multi-homed firewalls. See the > ! inet_interfaces documentation for more detail.

    > > !

    Note 2: address information may be enclosed inside [], > ! but this form is not required here.

    > > --- 8427,8435 ---- > > !
    smtp_sasl_tls_security_options > ! (default: $smtp_sasl_security_options)
    > > !

    The SASL authentication security options that the Postfix SMTP > ! client uses for TLS encrypted SMTP sessions.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9183,9215 **** > > !
    smtp_bind_address6 > ! (default: empty)
    > > !

    > ! An optional numerical network address that the Postfix SMTP client > ! should bind to when making an IPv6 connection. > !

    > > -

    This feature is available in Postfix 2.2 and later.

    > > !

    > ! This can be specified in the main.cf file for all SMTP clients, or > ! it can be specified in the master.cf file for a specific client, > ! for example: > !

    > > !
    > !
    > ! /etc/postfix/master.cf:
    > !     smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
    > ! 
    > !
    > > !

    Note 1: when inet_interfaces specifies no more than one IPv6 > ! address, and that address is a non-loopback address, it is > ! automatically used as the smtp_bind_address6. This supports virtual > ! IP hosting, but can be a problem on multi-homed firewalls. See the > ! inet_interfaces documentation for more detail.

    > > !

    Note 2: address information may be enclosed inside [], > ! but this form is not recommended here.

    > > --- 8438,8458 ---- > > !
    smtp_sasl_tls_verified_security_options > ! (default: $smtp_sasl_tls_security_options)
    > > !

    The SASL authentication security options that the Postfix SMTP > ! client uses for TLS encrypted SMTP sessions with a verified server > ! certificate. This feature is under construction as of Postfix version > ! 2.3.

    > > > !
    > > !
    smtp_sasl_type > ! (default: cyrus)
    > > !

    The SASL plug-in type that the Postfix SMTP client should use > ! for authentication. The available types are listed with the > ! "postconf -A" command.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 9218,9228 **** > > !
    smtp_body_checks > ! (default: empty)
    > > !

    Restricted body_checks(5) tables for the Postfix SMTP client. > ! These tables are searched while mail is being delivered. Actions > ! that change the delivery time or destination are not available. >

    > > !

    This feature is available in Postfix 2.5 and later.

    > > --- 8461,8481 ---- > > !
    smtp_send_xforward_command > ! (default: no)
    > > !

    > ! Send the non-standard XFORWARD command when the Postfix SMTP server > ! EHLO response announces XFORWARD support. >

    > > !

    > ! This allows an "smtp" delivery agent, used for injecting mail into > ! a content filter, to forward the name, address, protocol and HELO > ! name of the original client to the content filter and downstream > ! queuing SMTP server. This can produce more useful logging than > ! localhost[127.0.0.1] etc. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > *************** > *** 9231,9244 **** > > !
    smtp_cname_overrides_servername > ! (default: version dependent)
    > > !

    Allow DNS CNAME records to override the servername that the > ! Postfix SMTP client uses for logging, SASL password lookup, TLS > ! policy decisions, or TLS certificate verification. The value "no" > ! hardens Postfix smtp_tls_per_site hostname-based policies against > ! false hostname information in DNS CNAME records, and makes SASL > ! password file lookups more predictable. This is the default setting > ! as of Postfix 2.3.

    > > !

    This feature is available in Postfix 2.2.9 and later.

    > > --- 8484,8497 ---- > > !
    smtp_sender_dependent_authentication > ! (default: no)
    > > !

    > ! Enable sender-dependent authentication in the Postfix SMTP client; this is > ! available only with SASL authentication, and disables SMTP connection > ! caching to ensure that mail from different senders will use the > ! appropriate credentials.

    > > !

    > ! This feature is available in Postfix 2.3 and later. > !

    > > *************** > *** 9247,9254 **** > > !
    smtp_connect_timeout > ! (default: 30s)
    > >

    > ! The Postfix SMTP client time limit for completing a TCP connection, or > ! zero (use the operating system built-in time limit). >

    > --- 8500,8507 ---- > > !
    smtp_skip_4xx_greeting > ! (default: yes)
    > >

    > ! Skip SMTP servers that greet with a 4XX status code (go away, try > ! again later). >

    > *************** > *** 9256,9268 **** >

    > ! When no connection can be made within the deadline, the Postfix > ! SMTP client > ! tries the next address on the mail exchanger list. Specify 0 to > ! disable the time limit (i.e. use whatever timeout is implemented by > ! the operating system). >

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > --- 8509,8518 ---- >

    > ! By default, Postfix moves on the next mail exchanger. Specify > ! "smtp_skip_4xx_greeting = no" if Postfix should defer delivery > ! immediately. >

    > > !

    This feature is available in Postfix 2.0 and earlier. > ! Later Postfix versions always skip SMTP servers that greet with a > ! 4XX status code.

    > > *************** > *** 9271,9308 **** > > !
    smtp_connection_cache_destinations > ! (default: empty)
    > > !

    Permanently enable SMTP connection caching for the specified > ! destinations. With SMTP connection caching, a connection is not > ! closed immediately after completion of a mail transaction. Instead, > ! the connection is kept open for up to $smtp_connection_cache_time_limit > ! seconds. This allows connections to be reused for other deliveries, > ! and can improve mail delivery performance.

    > > !

    Specify a comma or white space separated list of destinations > ! or pseudo-destinations:

    > > -
      > > !
    • if mail is sent without a relay host: a domain name (the > ! right-hand side of an email address, without the [] around a numeric > ! IP address), > > !
    • if mail is sent via a relay host: a relay host name (without > ! [] or non-default TCP port), as specified in main.cf or in the > ! transport map, > > !
    • if mail is sent via a UNIX-domain socket: a pathname (without > ! the unix: prefix), > > -
    • a /file/name with domain names and/or relay host names as > - defined above, > > !
    • a "type:table" with domain names and/or relay host names on > ! the left-hand side. The right-hand side result from "type:table" > ! lookups is ignored. > > !
    > > !

    This feature is available in Postfix 2.2 and later.

    > > --- 8521,8555 ---- > > !
    smtp_skip_5xx_greeting > ! (default: yes)
    > > !

    > ! Skip SMTP servers that greet with a 5XX status code (go away, do > ! not try again later). > !

    > > !

    By default, the Postfix SMTP client moves on the next mail > ! exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should > ! bounce the mail immediately. The default setting is incorrect, but > ! it is what a lot of people expect to happen.

    > > > !
    > > !
    smtp_skip_quit_response > ! (default: yes)
    > > !

    > ! Do not wait for the response to the SMTP QUIT command. > !

    > > > !
    > > !
    smtp_starttls_timeout > ! (default: 300s)
    > > !

    Time limit for Postfix SMTP client write and read operations > ! during TLS startup and shutdown handshake procedures.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9311,9350 **** > > !
    smtp_connection_cache_on_demand > ! (default: yes)
    > > !

    Temporarily enable SMTP connection caching while a destination > ! has a high volume of mail in the active queue. With SMTP connection > ! caching, a connection is not closed immediately after completion > ! of a mail transaction. Instead, the connection is kept open for > ! up to $smtp_connection_cache_time_limit seconds. This allows > ! connections to be reused for other deliveries, and can improve mail > ! delivery performance.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > -
    smtp_connection_cache_reuse_limit > - (default: 10)
    > > !

    When SMTP connection caching is enabled, the number of times that > ! an SMTP session may be reused before it is closed. > !

    > > !

    This feature is available in Postfix 2.2. In Postfix 2.3 it is > ! replaced by $smtp_connection_reuse_time_limit.

    > > > !
    > > !
    smtp_connection_cache_time_limit > ! (default: 2s)
    > > !

    When SMTP connection caching is enabled, the amount of time that > ! an unused SMTP client socket is kept open before it is closed. Do > ! not specify larger values without permission from the remote sites. > !

    > > !

    This feature is available in Postfix 2.2 and later.

    > > --- 8558,8597 ---- > > !
    smtp_tls_CAfile > ! (default: empty)
    > > !

    The file with the certificate of the certification authority > ! (CA) that issued the Postfix SMTP client certificate. This is > ! needed only when the CA certificate is not already present in the > ! client certificate file.

    > > !

    Example:

    > > +
    > + smtp_tls_CAfile = /etc/postfix/CAcert.pem
    > + 
    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    smtp_tls_CApath > ! (default: empty)
    > > +

    Directory with PEM format certificate authority certificates > + that the Postfix SMTP client uses to verify a remote SMTP server > + certificate. Don't forget to create the necessary "hash" links > + with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". > +

    > > !

    To use this option in chroot mode, this directory (or a copy) > ! must be inside the chroot jail.

    > > !

    Example:

    > > !
    > ! smtp_tls_CApath = /etc/postfix/certs
    > ! 
    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9353,9423 **** > > !
    smtp_connection_reuse_time_limit > ! (default: 300s)
    > > !

    The amount of time during which Postfix will use an SMTP > ! connection repeatedly. The timer starts when the connection is > ! initiated (i.e. it includes the connect, greeting and helo latency, > ! in addition to the latencies of subsequent mail delivery transactions). > !

    > > !

    This feature addresses a performance stability problem with > ! remote SMTP servers. This problem is not specific to Postfix: it > ! can happen when any MTA sends large amounts of SMTP email to a site > ! that has multiple MX hosts.

    > > !

    The problem starts when one of a set of MX hosts becomes slower > ! than the rest. Even though SMTP clients connect to fast and slow > ! MX hosts with equal probability, the slow MX host ends up with more > ! simultaneous inbound connections than the faster MX hosts, because > ! the slow MX host needs more time to serve each client request.

    > ! > !

    The slow MX host becomes a connection attractor. If one MX > ! host becomes N times slower than the rest, it dominates mail delivery > ! latency unless there are more than N fast MX hosts to counter the > ! effect. And if the number of MX hosts is smaller than N, the mail > ! delivery latency becomes effectively that of the slowest MX host > ! divided by the total number of MX hosts.

    > ! > !

    The solution uses connection caching in a way that differs from > ! Postfix version 2.2. By limiting the amount of time during which a connection > ! can be used repeatedly (instead of limiting the number of deliveries > ! over that connection), Postfix not only restores fairness in the > ! distribution of simultaneous connections across a set of MX hosts, > ! it also favors deliveries over connections that perform well, which > ! is exactly what we want.

    > > !

    The default reuse time limit, 300s, is comparable to the various > ! smtp transaction timeouts which are fair estimates of maximum excess > ! latency for a slow delivery. Note that hosts may accept thousands > ! of messages over a single connection within the default connection > ! reuse time limit. This number is much larger than the default Postfix > ! version 2.2 limit of 10 messages per cached connection. It may prove necessary > ! to lower the limit to avoid interoperability issues with MTAs that > ! exhibit bugs when many messages are delivered via a single connection. > ! A lower reuse time limit risks losing the benefit of connection > ! reuse when the average connection and mail delivery latency exceeds > ! the reuse time limit.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > > !
    > > !
    smtp_data_done_timeout > ! (default: 600s)
    > > !

    > ! The Postfix SMTP client time limit for sending the SMTP ".", and > ! for receiving the remote SMTP server response. > !

    > > !

    > ! When no response is received within the deadline, a warning is > ! logged that the mail may be delivered multiple times. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > --- 8600,8651 ---- > > !
    smtp_tls_cert_file > ! (default: empty)
    > > !

    File with the Postfix SMTP client RSA certificate in PEM format. > ! This file may also contain the Postfix SMTP client private RSA key, > ! and these may be the same as the Postfix SMTP server RSA certificate and key > ! file.

    > > !

    Do not configure client certificates unless you must present > ! client TLS certificates to one or more servers. Client certificates are > ! not usually needed, and can cause problems in configurations that work > ! well without them. The recommended setting is to let the defaults stand:

    > > !
    > !
    > ! smtp_tls_cert_file =
    > ! smtp_tls_dcert_file =
    > ! smtp_tls_key_file =
    > ! smtp_tls_dkey_file =
    > ! 
    > !
    > > !

    The best way to use the default settings is to comment out the above > ! parameters in main.cf if present.

    > > !

    In order to verify certificates, the CA certificate (in case > ! of a certificate chain, all CA certificates) must be available. > ! You should add these certificates to the client certificate, the > ! client certificate first, then the issuing CA(s).

    > > +

    Example: the certificate for "client.dom.ain" was issued by > + "intermediate CA" which itself has a certificate of "root CA". > + Create the client.pem file with "cat client_cert.pem intermediate_CA.pem > + root_CA.pem > client.pem".

    > > !

    If you also want to verify remote SMTP server certificates issued by > ! these CAs, you can also add the CA certificates to the smtp_tls_CAfile, > ! in which case it is not necessary to have them in the smtp_tls_cert_file > ! or smtp_tls_dcert_file.

    > > !

    A certificate supplied here must be usable as an SSL client certificate > ! and hence pass the "openssl verify -purpose sslclient ..." test.

    > > !

    Example:

    > > !
    > ! smtp_tls_cert_file = /etc/postfix/client.pem
    > ! 
    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9426,9456 **** > > !
    smtp_data_init_timeout > ! (default: 120s)
    > ! > !

    > ! The Postfix SMTP client time limit for sending the SMTP DATA command, > ! and for receiving the remote SMTP server response. > !

    > ! > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > ! > ! > !
    > > !
    smtp_data_xfer_timeout > ! (default: 180s)
    > > !

    > ! The Postfix SMTP client time limit for sending the SMTP message content. > ! When the connection makes no progress for more than $smtp_data_xfer_timeout > ! seconds the Postfix SMTP client terminates the transfer. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > --- 8654,8671 ---- > > !
    smtp_tls_cipherlist > ! (default: empty)
    > > !

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS > ! cipher list. As this feature applies to all TLS security levels, it is easy > ! to create inter-operability problems by choosing a non-default cipher > ! list. Do not use a non-default TLS cipher list on hosts that deliver email > ! to the public Internet: you will be unable to send email to servers that > ! only support the ciphers you exclude. Using a restricted cipher list > ! may be more appropriate for an internal MTA, where one can exert some > ! control over the TLS software and settings of the peer servers.

    > > !

    Note: do not use "" quotes around the parameter value.

    > > !

    This feature is available in Postfix version 2.2. It is not used with > ! Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

    > > *************** > *** 9459,9482 **** > > !
    smtp_defer_if_no_mx_address_found > ! (default: no)
    > > !

    > ! Defer mail delivery when no MX record resolves to an IP address. > !

    > > !

    > ! The default (no) is to return the mail as undeliverable. With older > ! Postfix versions the default was to keep trying to deliver the mail > ! until someone fixed the MX record or until the mail was too old. >

    > > !

    > ! Note: the Postfix SMTP client always ignores MX records with equal > ! or worse preference > ! than the local MTA itself. > !

    > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > --- 8674,8691 ---- > > !
    smtp_tls_dcert_file > ! (default: empty)
    > > !

    File with the Postfix SMTP client DSA certificate in PEM format. > ! This file may also contain the Postfix SMTP client private DSA key.

    > > !

    See the discussion under smtp_tls_cert_file for more details. >

    > > !

    Example:

    > > !
    > ! smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9485,9523 **** > > !
    smtp_destination_concurrency_limit > ! (default: $default_destination_concurrency_limit)
    > ! > !

    The maximal number of parallel deliveries to the same destination > ! via the smtp message delivery transport. This limit is enforced by > ! the queue manager. The message delivery transport name is the first > ! field in the entry in the master.cf file.

    > > > !
    > > !
    smtp_destination_recipient_limit > ! (default: $default_destination_recipient_limit)
    > > -

    The maximal number of recipients per message for the smtp > - message delivery transport. This limit is enforced by the queue > - manager. The message delivery transport name is the first field in > - the entry in the master.cf file.

    > > !

    Setting this parameter to a value of 1 changes the meaning of > ! smtp_destination_concurrency_limit from concurrency per domain > ! into concurrency per recipient.

    > > > !
    > > !
    smtp_discard_ehlo_keyword_address_maps > ! (default: empty)
    > > !

    Lookup tables, indexed by the remote SMTP server address, with > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > ! etc.) that the Postfix SMTP client will ignore in the EHLO response from a > ! remote SMTP server. See smtp_discard_ehlo_keywords for details. The > ! table is not indexed by hostname for consistency with > ! smtpd_discard_ehlo_keyword_address_maps.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > --- 8694,8730 ---- > > !
    smtp_tls_dkey_file > ! (default: $smtp_tls_dcert_file)
    > > +

    File with the Postfix SMTP client DSA private key in PEM format. > + This file may be combined with the Postfix SMTP client DSA certificate > + file specified with $smtp_tls_dcert_file.

    > > !

    The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted, but file permissions should grant read/write > ! access only to the system superuser account ("root").

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > +
    smtp_tls_enforce_peername > + (default: yes)
    > > !

    With mandatory TLS encryption, require that the remote SMTP > ! server hostname matches the information in the remote SMTP server > ! certificate. As of RFC 2487 the requirements for hostname checking > ! for MTA clients are not specified.

    > > !

    This option can be set to "no" to disable strict peer name > ! checking. This setting has no effect on sessions that are controlled > ! via the smtp_tls_per_site table.

    > > !

    Disabling the hostname verification can make sense in closed > ! environment where special CAs are created. If not used carefully, > ! this option opens the danger of a "man-in-the-middle" attack (the > ! CommonName of this attacker will be logged).

    > > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > *************** > *** 9526,9547 **** > > !
    smtp_discard_ehlo_keywords > (default: empty)
    > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > ! auth, etc.) that the Postfix SMTP client will ignore in the EHLO > ! response from a remote SMTP server.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > !

    Notes:

    > > !
      > > !
    • Specify the silent-discard pseudo keyword to prevent > ! this action from being logged.

      > > !
    • Use the smtp_discard_ehlo_keyword_address_maps feature to > ! discard EHLO keywords selectively.

      > > !
    > > --- 8733,8764 ---- > > !
    smtp_tls_exclude_ciphers > (default: empty)
    > > !

    List of ciphers or cipher types to exclude from the Postfix > ! SMTP client cipher > ! list at all TLS security levels. This is not an OpenSSL cipherlist, it is > ! a simple list separated by whitespace and/or commas. The elements are a > ! single cipher, or one or more "+" separated cipher properties, in which > ! case only ciphers matching all the properties are excluded.

    > > !

    Examples (some of these will cause problems):

    > > !
    > !
    > ! smtp_tls_exclude_ciphers = aNULL
    > ! smtp_tls_exclude_ciphers = MD5, DES
    > ! smtp_tls_exclude_ciphers = DES+MD5
    > ! smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    > ! smtp_tls_exclude_ciphers = kEDH+aRSA
    > ! 
    > !
    > > !

    The first setting, disables anonymous ciphers. The next setting > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > ! encryption algorithm. The next setting disables ciphers that use MD5 and > ! DES together. The next setting disables the two ciphers "AES256-SHA" > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > ! key exchange with RSA authentication.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 9550,9576 **** > > !
    smtp_dns_resolver_options > (default: empty)
    > > !

    DNS Resolver options for the Postfix SMTP client. Specify zero > ! or more of the following options, separated by comma or whitespace. > ! Option names are case-sensitive. Some options refer to domain names > ! that are specified in the file /etc/resolv.conf or equivalent.

    > > !
    > > !
    res_defnames
    > > !
    Append the current domain name to single-component names (those > ! that do not contain a "." character). This can produce incorrect > ! results, and is the hard-coded behavior prior to Postfix 2.8.
    > > !
    res_dnsrch
    > > !
    Search for host names in the current domain and in parent > ! domains. This can produce incorrect results and is therefore not > ! recommended.
    > > !
    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 8767,8825 ---- > > !
    smtp_tls_fingerprint_cert_match > (default: empty)
    > > !

    List of acceptable remote SMTP server certificate fingerprints > ! for the "fingerprint" TLS security level (smtp_tls_security_level = > ! fingerprint). At this security level, certificate authorities are > ! not used, and certificate expiration times are ignored. Instead, > ! server certificates are verified directly via their "fingerprint". The > ! fingerprint is a message digest of the server certificate. The digest > ! algorithm is selected via the smtp_tls_fingerprint_digest > ! parameter.

    > > !

    When an smtp_tls_policy_maps table entry specifies the > ! "fingerprint" security level, any "match" attributes in that entry specify > ! the list of valid fingerprints for the corresponding destination. Multiple > ! fingerprints can be combined with a "|" delimiter in a single match > ! attribute, or multiple match attributes can be employed.

    > > !

    Example: Certificate fingerprint verification with internal mailhub. > ! Two matching fingerprints are listed. The relayhost may be multiple > ! physical hosts behind a load-balancer, each with its own private/public > ! key and self-signed certificate. Alternatively, a single relayhost may > ! be in the process of switching from one set of private/public keys to > ! another, and both keys are trusted just prior to the transition.

    > > !
    > !
    > ! relayhost = [mailhub.example.com]
    > ! smtp_tls_security_level = fingerprint
    > ! smtp_tls_fingerprint_digest = md5
    > ! smtp_tls_fingerprint_cert_match =
    > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 
    > !
    > > !

    Example: Certificate fingerprint verification with selected destinations. > ! As in the example above, we show two matching fingerprints:

    > > !
    > !
    > ! /etc/postfix/main.cf:
    > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > !     smtp_tls_fingerprint_digest = md5
    > ! 
    > !
    > > !
    > !
    > ! /etc/postfix/tls_policy:
    > !     example.com	fingerprint
    > !         match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !         match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 
    > !
    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 9579,9661 **** > > !
    smtp_enforce_tls > ! (default: no)
    > ! > !

    Enforcement mode: require that remote SMTP servers use TLS > ! encryption, and never send mail in the clear. This also requires > ! that the remote SMTP server hostname matches the information in > ! the remote server certificate, and that the remote SMTP server > ! certificate was issued by a CA that is trusted by the Postfix SMTP > ! client. If the certificate doesn't verify or the hostname doesn't > ! match, delivery is deferred and mail stays in the queue.

    > ! > !

    The server hostname is matched against all names provided as > ! dNSNames in the SubjectAlternativeName. If no dNSNames are specified, > ! the CommonName is checked. The behavior may be changed with the > ! smtp_tls_enforce_peername option.

    > ! > !

    This option is useful only if you are definitely sure that you > ! will only connect to servers that support RFC 2487 _and_ that > ! provide valid server certificates. Typical use is for clients that > ! send all their email to a dedicated mailhub.

    > ! > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > ! > ! > !
    > > !
    smtp_fallback_relay > ! (default: $fallback_relay)
    > > !

    > ! Optional list of relay hosts for SMTP destinations that can't be > ! found or that are unreachable. With Postfix 2.2 and earlier this > ! parameter is called fallback_relay.

    > > !

    > ! By default, mail is returned to the sender when a destination is > ! not found, and delivery is deferred when a destination is unreachable. >

    > > !

    The fallback relays must be SMTP destinations. Specify a domain, > ! host, host:port, [host]:port, [address] or [address]:port; the form > ! [host] turns off MX lookups. If you specify multiple SMTP > ! destinations, Postfix will try them in the specified order.

    > > !

    To prevent mailer loops between MX hosts and fall-back hosts, > ! Postfix version 2.2 and later will not use the fallback relays for > ! destinations that it is MX host for (assuming DNS lookup is turned on). >

    > > > !
    > > !
    smtp_generic_maps > ! (default: empty)
    > > -

    Optional lookup tables that perform address rewriting in the > - Postfix SMTP client, typically to transform a locally valid address into > - a globally valid address when sending mail across the Internet. > - This is needed when the local machine does not have its own Internet > - domain name, but uses something like localdomain.local > - instead.

    > > !

    The table format and lookups are documented in generic(5); > ! examples are shown in the ADDRESS_REWRITING_README and > ! STANDARD_CONFIGURATION_README documents.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    smtp_header_checks > ! (default: empty)
    > > !

    Restricted header_checks(5) tables for the Postfix SMTP client. > ! These tables are searched while mail is being delivered. Actions > ! that change the delivery time or destination are not available. > !

    > > !

    This feature is available in Postfix 2.5 and later.

    > > --- 8828,8898 ---- > > !
    smtp_tls_fingerprint_digest > ! (default: md5)
    > > !

    The message digest algorithm used to construct remote SMTP server > ! certificate fingerprints. At the "fingerprint" TLS security level > ! (smtp_tls_security_level = fingerprint), the server certificate is > ! verified by directly matching its fingerprint. The fingerprint > ! is the message digest of the server certificate using the selected > ! algorithm. With a digest algorithm resistant to "second pre-image" > ! attacks, it is not feasible to create a new public key and a matching > ! certificate that has the same fingerprint.

    > > !

    The default algorithm is md5; this is consistent with > ! the backwards compatible setting of the digest used to verify client > ! certificates in the SMTP server.

    > > !

    The best practice algorithm is now sha1. Recent advances in hash > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > ! However, as long as there are no known "second pre-image" attacks > ! against md5, its use in this context can still be considered safe. >

    > > !

    While additional digest algorithms are often available with OpenSSL's > ! libcrypto, only those used by libssl in SSL cipher suites are available to > ! Postfix. For now this means just md5 or sha1.

    > > !

    To find the fingerprint of a specific certificate file, with a > ! specific digest algorithm, run: >

    > > +
    > +
    > + $ openssl x509 -noout -fingerprint -digest -in certfile.pem
    > + 
    > +
    > + > +

    The text to the right of "=" sign is the desired fingerprint. > + For example:

    > > !
    > !
    > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    > ! 
    > !
    > > !

    This feature is available in Postfix 2.5 and later.

    > > > !
    > > !
    smtp_tls_key_file > ! (default: $smtp_tls_cert_file)
    > > +

    File with the Postfix SMTP client RSA private key in PEM format. > + This file may be combined with the Postfix SMTP client RSA certificate > + file specified with $smtp_tls_cert_file.

    > > !

    The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted, but file permissions should grant read/write > ! access only to the system superuser account ("root").

    > > !

    Example:

    > > !
    > ! smtp_tls_key_file = $smtp_tls_cert_file
    > ! 
    > > !

    This feature is available in Postfix 2.2 and later.
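Review bot: In the new smtp_tls_fingerprint_digest text the default stays md5 while the worked example computes a SHA1 fingerprint ("$ openssl x509 -noout -fingerprint -sha1 -in cert.pem"); a client left at the documented default compares md5 fingerprints, so the "SHA1 Fingerprint=D4:6A:..." value shown will never match unless the reader also sets "smtp_tls_fingerprint_digest = sha1". Suggest pairing the example with that main.cf line and stating plainly that the digest used to produce a policy fingerprint must be the one this parameter selects. In the generic command "openssl x509 -noout -fingerprint -digest -in certfile.pem" the word "-digest" stands for the algorithm option ("-md5" or "-sha1", as the concrete example shows); with the markup lost in this rendering it reads like a literal option, so write it as a visible placeholder or give both concrete forms.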

    > > *************** > *** 9664,9709 **** > > !
    smtp_helo_name > ! (default: $myhostname)
    > > !

    > ! The hostname to send in the SMTP EHLO or HELO command. > !

    > > !

    > ! The default value is the machine hostname. Specify a hostname or > ! [ip.add.re.ss]. > !

    > > !

    > ! This information can be specified in the main.cf file for all SMTP > ! clients, or it can be specified in the master.cf file for a specific > ! client, for example: > !

    > > !
    > !
    > ! /etc/postfix/master.cf:
    > !     mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    > ! 
    > !
    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > > !
    > > !
    smtp_helo_timeout > ! (default: 300s)
    > > !

    > ! The Postfix SMTP client time limit for sending the HELO or EHLO command, > ! and for receiving the initial remote SMTP server response. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > --- 8901,8929 ---- > > !
    smtp_tls_loglevel > ! (default: 0)
    > > !

    Enable additional Postfix SMTP client logging of TLS activity. > ! Each logging level also includes the information that is logged at > ! a lower logging level.

    > > !
    > > !
    0 Disable logging of TLS activity.
    > > !
    1 Log TLS handshake and certificate information.
    > > !
    2 Log levels during TLS negotiation.
    > > +
    3 Log hexadecimal and ASCII dump of TLS negotiation > + process.
    > > !
    4 Log hexadecimal and ASCII dump of complete > ! transmission after STARTTLS.
    > > !
    > > !

    Use "smtp_tls_loglevel = 3" only in case of problems. Use of > ! loglevel 4 is strongly discouraged.

    > > !

    This feature is available in Postfix 2.2 and later.
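Review bot: The level 4 entry ("Log hexadecimal and ASCII dump of complete transmission after STARTTLS") is marked "strongly discouraged" without saying why; the reason is that the dump is the plaintext of the encrypted session, so message content that TLS was meant to protect ends up in the mail log, readable by anyone with log access and retained for as long as logs are kept. Suggest stating that consequence next to the warning, and pointing out that level 1 (handshake and certificate information) is normally enough to diagnose certificate and policy problems, since each level includes everything logged at the lower levels.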

    > > *************** > *** 9712,9740 **** > > !
    smtp_host_lookup > ! (default: dns)
    > > !

    > ! What mechanisms the Postfix SMTP client uses to look up a host's IP > ! address. This parameter is ignored when DNS lookups are disabled > ! (see: disable_dns_lookups). > !

    > > !

    > ! Specify one of the following: > !

    > >
    > > !
    dns
    > ! > !
    Hosts can be found in the DNS (preferred).
    > ! > !
    native
    > > !
    Use the native naming service only (nsswitch.conf, or equivalent > ! mechanism).
    > > !
    dns, native
    > > !
    Use the native service for hosts not found in the DNS.
    > > --- 8932,9001 ---- > > !
    smtp_tls_mandatory_ciphers > ! (default: medium)
    > > !

    The minimum TLS cipher grade that the Postfix SMTP client will > ! use with > ! mandatory TLS encryption. The default value "medium" is suitable > ! for most destinations with which you may want to enforce TLS, and > ! is beyond the reach of today's crypt-analytic methods. See > ! smtp_tls_policy_maps for information on how to configure ciphers > ! on a per-destination basis.

    > > !

    The following cipher grades are supported:

    > >
    > +
    export
    > +
    Enable the mainstream "EXPORT" grade or better OpenSSL > + ciphers. This is always used for opportunistic encryption. It is > + not recommended for mandatory encryption unless you must enforce TLS > + with "crippled" peers. The underlying cipherlist is specified via the > + tls_export_cipherlist configuration parameter, which you are strongly > + encouraged to not change. The default value of tls_export_cipherlist > + includes anonymous ciphers, but these are automatically filtered out if > + the client is configured to verify server certificates. If you must > + exclude anonymous ciphers also at the "encrypt" security level, set > + "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > !
    low
    > !
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. This > ! setting is only appropriate for internal mail servers. The underlying > ! cipherlist is specified via the tls_low_cipherlist configuration > ! parameter, which you are strongly encouraged to not change. The default > ! value of tls_low_cipherlist includes anonymous ciphers, but these are > ! automatically filtered out if the client is configured to verify server > ! certificates. If you must exclude anonymous ciphers also at the "encrypt" > ! security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > !
    medium
    > !
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. > ! The underlying cipherlist is specified via the tls_medium_cipherlist > ! configuration parameter, which you are strongly encouraged to not change. > ! The default value of tls_medium_cipherlist includes anonymous ciphers, > ! but these are automatically filtered out if the client is configured to > ! verify server certificates. If you must exclude anonymous ciphers also > ! at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers > ! = aNULL".
    > > !
    high
    > !
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. This > ! setting is appropriate when all mandatory TLS destinations support > ! some of "HIGH" grade ciphers, this is not uncommon. The underlying > ! cipherlist is specified via the tls_high_cipherlist configuration > ! parameter, which you are strongly encouraged to not change. The default > ! value of tls_high_cipherlist includes anonymous ciphers, but these are > ! automatically filtered out if the client is configured to verify server > ! certificates. If you must exclude anonymous ciphers also at the "encrypt" > ! security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > !
    null
    > !
    Enable only the "NULL" OpenSSL ciphers, these provide authentication > ! without encryption. This setting is only appropriate in the rare case > ! that all servers are prepared to use NULL ciphers (not normally enabled > ! in TLS servers). A plausible use-case is an LMTP server listening on a > ! UNIX-domain socket that is configured to support "NULL" ciphers. The > ! underlying cipherlist is specified via the tls_null_cipherlist > ! configuration parameter, which you are strongly encouraged to not > ! change. The default value of tls_null_cipherlist excludes anonymous > ! ciphers (OpenSSL 0.9.8 has NULL ciphers that offer data integrity without > ! encryption or authentication).
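Review bot: The sentence about anonymous ciphers ("The default value of tls_..._cipherlist includes anonymous ciphers, but these are automatically filtered out if the client is configured to verify server certificates. If you must exclude anonymous ciphers also at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL"") is repeated nearly verbatim under export, low, medium and high, and it is the one security-relevant statement in the list: at the "encrypt" level the client does not verify the server certificate, so unless aNULL is excluded a mandatory-TLS session can be negotiated with a suite that authenticates nobody. Suggest stating it once, before the list, as the rule for every grade except null, and leaving each grade entry to name its cipherlist parameter; that also makes the one entry that differs (null, whose default already excludes anonymous ciphers) stand out.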
    > > *************** > *** 9742,9746 **** > > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > > --- 9003,9005 ---- > > !

    This feature is available in Postfix 2.3 and later.
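Review bot: The old side of this hunk ("*** 9742,9746 ****", "Postfix 2.1 and later") is the version line of smtp_host_lookup and the new side ("--- 9003,9005 ----", "Postfix 2.3 and later") is the version line of smtp_tls_mandatory_ciphers; the same pattern holds for the surrounding hunks, where the removed text and the added text describe different parameters. The diff is therefore recording that the parameter entries moved, not what changed in any of them, and it cannot be reviewed as a documentation change. Suggest having the update script match entries by their parameter heading and diff each entry against its namesake, or at least use a diff that detects moved blocks, so that an edit to one parameter's text is visible as such.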

    > > *************** > *** 9749,9767 **** > > !
    smtp_line_length_limit > ! (default: 998)
    > > !

    > ! The maximal length of message header and body lines that Postfix > ! will send via SMTP. This limit does not include the <CR><LF> > ! at the end of each line. Longer lines are broken by inserting > ! "<CR><LF><SPACE>", to minimize the damage to MIME > ! formatted mail. > !

    > > !

    > ! The Postfix limit of 998 characters not including <CR><LF> > ! is consistent with the SMTP limit of 1000 characters including > ! <CR><LF>. The Postfix limit was 990 with Postfix 2.8 > ! and earlier. > !

    > > --- 9008,9018 ---- > > !
    smtp_tls_mandatory_exclude_ciphers > ! (default: empty)
    > > !

    Additional list of ciphers or cipher types to exclude from the > ! SMTP client cipher list at mandatory TLS security levels. This list > ! works in addition to the exclusions listed with smtp_tls_exclude_ciphers > ! (see there for syntax details).

    > > !

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 9770,9796 **** > > !
    smtp_mail_timeout > ! (default: 300s)
    > > !

    > ! The Postfix SMTP client time limit for sending the MAIL FROM command, > ! and for receiving the remote SMTP server response. > !

    > > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > > > !
    > > !
    smtp_mime_header_checks > ! (default: empty)
    > > !

    Restricted mime_header_checks(5) tables for the Postfix SMTP > ! client. These tables are searched while mail is being delivered. > ! Actions that change the delivery time or destination are not > ! available.

    > > !

    This feature is available in Postfix 2.5 and later.

    > > --- 9021,9056 ---- > > !
    smtp_tls_mandatory_protocols > ! (default: SSLv3, TLSv1)
    > > !

    List of SSL/TLS protocols that the Postfix SMTP client will use with > ! mandatory TLS encryption. In main.cf the values are separated by > ! whitespace, commas or colons. In the policy table "protocols" attribute > ! (see smtp_tls_policy_maps) the only valid separator is colon. An > ! empty value means allow all protocols. The valid protocol names, (see > ! SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

    > > !

    With Postfix ≥ 2.5 the parameter syntax is expanded to support > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > ! "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > ! SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > ! the protocols to include, rather than protocols to exclude, is still > ! supported; use the form you find more intuitive.

    > > +

    Since SSL version 2 has known protocol weaknesses and is now > + deprecated, the default setting excludes "SSLv2". This means that by > + default, SSL version 2 will not be used at the "encrypt" security level > + and higher.

    > > !

    See the documentation of the smtp_tls_policy_maps parameter and > ! TLS_README for more information about security levels.

    > > !

    Example:

    > > !
    > ! smtp_tls_mandatory_protocols = TLSv1
    > ! # Alternative form with Postfix ≥ 2.5:
    > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > ! 
    > > !

    This feature is available in Postfix 2.3 and later.
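Review bot: The example labels "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3" an "Alternative form" of "smtp_tls_mandatory_protocols = TLSv1", but the two are equivalent only while the valid names are exactly the three listed above ("SSLv2", "SSLv3" and "TLSv1"); the exclusion form admits any protocol version added later, the inclusion form pins the client to TLSv1 and will refuse newer versions. Since the text says "use the form you find more intuitive", say how each form behaves when the protocol list grows, so the reader chooses deliberately. The default is also stated twice in different forms ("SSLv3, TLSv1" in the heading, "the default setting excludes "SSLv2"" in the Postfix ≥ 2.5 paragraph); give it once, in one form, to avoid the impression that they differ.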

    > > *************** > *** 9799,9828 **** > > !
    smtp_mx_address_limit > ! (default: 5)
    > ! > !

    > ! The maximal number of MX (mail exchanger) IP addresses that can > ! result from Postfix SMTP client mail exchanger lookups, or zero (no > ! limit). Prior to > ! Postfix version 2.3, this limit was disabled by default. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > > !
    > > !
    smtp_mx_session_limit > ! (default: 2)
    > > !

    The maximal number of SMTP sessions per delivery request before > ! the Postfix SMTP client > ! gives up or delivers to a fall-back relay host, or zero (no > ! limit). This restriction ignores sessions that fail to complete the > ! SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to > ! complete the EHLO and TLS handshake (Postfix version 2.3 and later).

    > > !

    This feature is available in Postfix 2.1 and later.

    > > --- 9059,9073 ---- > > !
    smtp_tls_note_starttls_offer > ! (default: no)
    > > !

    Log the hostname of a remote SMTP server that offers STARTTLS, > ! when TLS is not already enabled for that server.

    > > !

    The logfile record looks like:

    > > !
    > ! postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
    > ! 
    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 9831,9890 **** > > !
    smtp_nested_header_checks > (default: empty)
    > > !

    Restricted nested_header_checks(5) tables for the Postfix SMTP > ! client. These tables are searched while mail is being delivered. > ! Actions that change the delivery time or destination are not > ! available.

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
    > ! > !
    smtp_never_send_ehlo > ! (default: no)
    > > !

    Never send EHLO at the start of an SMTP session. See also the > ! smtp_always_send_ehlo parameter.

    > > > !
    > > !
    smtp_per_record_deadline > ! (default: no)
    > > !

    Change the behavior of the smtp_*_timeout time limits, from a > ! time limit per read or write system call, to a time limit to send > ! or receive a complete record (an SMTP command line, SMTP response > ! line, SMTP message content line, or TLS protocol message). This > ! limits the impact from hostile peers that trickle data one byte at > ! a time.

    > ! > !

    Note: when per-record deadlines are enabled, a short timeout > ! may cause problems with TLS over very slow network connections. > ! The reasons are that a TLS protocol message can be up to 16 kbytes > ! long (with TLSv1), and that an entire TLS protocol message must be > ! sent or received within the per-record deadline.

    > > !

    This feature is available in Postfix 2.9 and later. With older > ! Postfix releases, the behavior is as if this parameter is set to > ! "no".

    > > > !
    > > !
    smtp_pix_workaround_delay_time > ! (default: 10s)
    > > !

    > ! How long the Postfix SMTP client pauses before sending > ! ".<CR><LF>" in order to work around the PIX firewall > ! "<CR><LF>.<CR><LF>" bug. > !

    > > !

    > ! Choosing a too short time makes this workaround ineffective when > ! sending large messages over slow network connections. > !

    > > --- 9076,9151 ---- > > !
    smtp_tls_per_site > (default: empty)
    > > !

    Optional lookup tables with the Postfix SMTP client TLS usage > ! policy by next-hop destination and by remote SMTP server hostname. > ! When both lookups succeed, the more specific per-site policy (NONE, > ! MUST, etc) overrides the less specific one (MAY), and the more secure > ! per-site policy (MUST, etc) overrides the less secure one (NONE). > ! With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged: > ! use smtp_tls_policy_maps instead.

    > > !

    Use of the bare hostname as the per-site table lookup key is > ! discouraged. Always use the full destination nexthop (enclosed in > ! [] with a possible ":port" suffix). A recipient domain or MX-enabled > ! transport next-hop with no port suffix may look like a bare hostname, > ! but is still a suitable destination.

    > > +

    Specify a next-hop destination or server hostname on the left-hand > + side; no wildcards are allowed. The next-hop destination is either > + the recipient domain, or the destination specified with a transport(5) > + table, the relayhost parameter, or the relay_transport parameter. > + On the right hand side specify one of the following keywords:

    > > !
    > > !
    NONE
    Don't use TLS at all. This overrides a less > ! specific MAY lookup result from the alternate host or next-hop > ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, > ! and smtp_tls_enforce_peername settings.
    > > !
    MAY
    Try to use TLS if the server announces support, > ! otherwise use the unencrypted connection. This has less precedence > ! than a more specific result (including NONE) from the alternate > ! host or next-hop lookup key, and has less precedence than the more > ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername > ! = yes".
    > > !
    MUST_NOPEERMATCH
    Require TLS encryption, but do not > ! require that the remote SMTP server hostname matches the information > ! in the remote SMTP server certificate, or that the server certificate > ! was issued by a trusted CA. This overrides a less secure NONE > ! or a less specific MAY lookup result from the alternate host > ! or next-hop lookup key, and overrides the global smtp_use_tls, > ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
    > > +
    MUST
    Require TLS encryption, require that the remote > + SMTP server hostname matches the information in the remote SMTP > + server certificate, and require that the remote SMTP server certificate > + was issued by a trusted CA. This overrides a less secure NONE > + and MUST_NOPEERMATCH or a less specific MAY lookup > + result from the alternate host or next-hop lookup key, and overrides > + the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername > + settings.
    > > !
    > > !

    The above keywords correspond to the "none", "may", "encrypt" and > ! "verify" security levels for the new smtp_tls_security_level parameter > ! introduced in Postfix 2.3. Starting with Postfix 2.3, and independently > ! of how the policy is specified, the smtp_tls_mandatory_ciphers and > ! smtp_tls_mandatory_protocols parameters only apply when TLS encryption > ! is mandatory. Connections for which encryption is optional enable > ! all "export" grade and better ciphers.

    > > !

    As long as no secure DNS lookup mechanism is available, false > ! hostnames in MX or CNAME responses can change the server hostname > ! that Postfix uses for TLS policy lookup and server certificate > ! verification. Even with a perfect match between the server hostname and > ! the server certificate, there is no guarantee that Postfix is connected > ! to the right server. See TLS_README (Closing a DNS loophole with obsolete > ! per-site TLS policies) for a possible work-around.

    > > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_policy_maps instead.
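Review bot: The deprecation notice ("With Postfix 2.3 and later use smtp_tls_policy_maps instead") arrives only in the last line, after a full keyword reference that a reader may stop at; move it into the first paragraph next to "strongly discouraged", so nobody configures the obsolete table by following the keyword list. The DNS paragraph ("false hostnames in MX or CNAME responses can change the server hostname that Postfix uses for TLS policy lookup and server certificate verification") is the substantive security caveat here: a per-site entry keyed by server hostname is only as trustworthy as the unauthenticated DNS answer that produced that hostname, whereas the next-hop destination is what the administrator configured (recipient domain, transport(5) entry, relayhost or relay_transport). Suggest linking that paragraph explicitly to the earlier advice "Use of the bare hostname as the per-site table lookup key is discouraged", instead of leaving the reader to connect them across four paragraphs.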

    > > *************** > *** 9893,9938 **** > > !
    smtp_pix_workaround_maps > (default: empty)
    > > !

    Lookup tables, indexed by the remote SMTP server address, with > ! per-destination workarounds for CISCO PIX firewall bugs. The table > ! is not indexed by hostname for consistency with > ! smtp_discard_ehlo_keyword_address_maps.

    > ! > !

    This feature is available in Postfix 2.4 and later.

    > ! > ! > !
    > ! > !
    smtp_pix_workaround_threshold_time > ! (default: 500s)
    > ! > !

    How long a message must be queued before the Postfix SMTP client > ! turns on the PIX firewall "<CR><LF>.<CR><LF>" > ! bug workaround for delivery through firewalls with "smtp fixup" > ! mode turned on.

    > ! > !

    > ! By default, the workaround is turned off for mail that is queued > ! for less than 500 seconds. In other words, the workaround is normally > ! turned off for the first delivery attempt. > !

    > ! > !

    > ! Specify 0 to enable the PIX firewall > ! "<CR><LF>.<CR><LF>" bug workaround upon the > ! first delivery attempt. >

    > > > !
    > > !
    smtp_pix_workarounds > ! (default: disable_esmtp, delay_dotcrlf)
    > > !

    A list that specifies zero or more workarounds for CISCO PIX > ! firewall bugs. These workarounds are implemented by the Postfix > ! SMTP client. Workaround names are separated by comma or space, and > ! are case insensitive. This parameter setting can be overruled with > ! per-destination smtp_pix_workaround_maps settings.

    > > --- 9154,9188 ---- > > !
    smtp_tls_policy_maps > (default: empty)
    > > !

    Optional lookup tables with the Postfix SMTP client TLS security > ! policy by next-hop destination; when a non-empty value is specified, > ! this overrides the obsolete smtp_tls_per_site parameter. See > ! TLS_README for a more detailed discussion of TLS security levels. >

    > > +

    The TLS policy table is indexed by the full next-hop destination, > + which is either the recipient domain, or the verbatim next-hop > + specified in the transport table, $local_transport, $virtual_transport, > + $relay_transport or $default_transport. This includes any enclosing > + square brackets and any non-default destination server port suffix. The > + LMTP socket type prefix (inet: or unix:) is not included in the lookup > + key.

    > > !

    Only the next-hop domain, or $myhostname with LMTP over UNIX-domain > ! sockets, is used as the nexthop name for certificate verification. The > ! port and any enclosing square brackets are used in the table lookup key, > ! but are not used for server name verification.

    > > !

    When the lookup key is a domain name without enclosing square brackets > ! or any :port suffix (typically the recipient domain), and the full > ! domain is not found in the table, just as with the transport(5) table, > ! the parent domain starting with a leading "." is matched recursively. This > ! allows one to specify a security policy for a recipient domain and all > ! its sub-domains.

    > > !

    The lookup result is a security level, followed by an optional list > ! of whitespace and/or comma separated name=value attributes that override > ! related main.cf settings. The TLS security levels in order of increasing > ! security are:
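Review bot: Missing documentation: the reader has to assemble the key/verification rules from three separate paragraphs (the key includes "any enclosing square brackets and any non-default destination server port suffix"; parent-domain matching applies only to keys "without enclosing square brackets or any :port suffix"; verification uses "only the next-hop domain"), and the consequence that a ".parent-domain" entry can never match a bracketed or port-suffixed next-hop is left implicit. Suggest one worked table with three keys, a bare recipient domain, a leading-dot parent entry, and a bracketed host with a port suffix, showing for each the exact lookup key and the name used for certificate verification, placed right before the security-level list that this paragraph introduces.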

    > > *************** > *** 9940,12458 **** > > !
    delay_dotcrlf
    Insert a delay before sending > ! ".<CR><LF>" after the end of the message content. The > ! delay is subject to the smtp_pix_workaround_delay_time and > ! smtp_pix_workaround_threshold_time parameter settings.
    > ! > !
    disable_esmtp
    Disable all extended SMTP commands: > ! send HELO instead of EHLO.
    > > !
    > > !

    This feature is available in Postfix 2.4 and later. The default > ! settings are backwards compatible with earlier Postfix versions. > !

    > > > !
    > > !
    smtp_quit_timeout > ! (default: 300s)
    > > !

    > ! The Postfix SMTP client time limit for sending the QUIT command, > ! and for receiving the remote SMTP server response. > !

    > >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > > ! > !
    > ! > !
    smtp_quote_rfc821_envelope > ! (default: yes)
    > ! > !

    > ! Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands > ! as required > ! by RFC 2821. This includes putting quotes around an address localpart > ! that ends in ".". > !

    > ! > !

    > ! The default is to comply with RFC 2821. If you have to send mail to > ! a broken SMTP server, configure a special SMTP client in master.cf: > !

    > ! > !
    > !
    > ! /etc/postfix/master.cf:
    > !     broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
    > ! 
    > !
    > ! > !

    > ! and route mail for the destination in question to the "broken-smtp" > ! message delivery with a transport(5) table. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > ! > !
    > ! > !
    smtp_randomize_addresses > ! (default: yes)
    > ! > !

    > ! Randomize the order of equal-preference MX host addresses. This > ! is a performance feature of the Postfix SMTP client. > !

    > ! > ! > !
    > ! > !
    smtp_rcpt_timeout > ! (default: 300s)
    > ! > !

    > ! The Postfix SMTP client time limit for sending the SMTP RCPT TO > ! command, and for receiving the remote SMTP server response. > !

    > ! > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > ! > ! > !
    > ! > !
    smtp_reply_filter > ! (default: empty)
    > ! > !

    A mechanism to transform replies from remote SMTP servers one > ! line at a time. This is a last-resort tool to work around server > ! replies that break inter-operability with the Postfix SMTP client. > ! Other uses involve fault injection to test Postfix's handling of > ! invalid responses.

    > ! > !

    Notes:

    > ! > !
      > ! > !
    • In the case of a multi-line reply, the Postfix SMTP client > ! uses the final reply line's numerical SMTP reply code and enhanced > ! status code.

      > ! > !
    • The numerical SMTP reply code (XYZ) takes precedence over > ! the enhanced status code (X.Y.Z). When the enhanced status code > ! initial digit differs from the SMTP reply code initial digit, or > ! when no enhanced status code is present, the Postfix SMTP client > ! uses a generic enhanced status code (X.0.0) instead.

      > ! > !
    > ! > !

    Specify the name of a "type:table" lookup table. The search > ! string is a single SMTP reply line as received from the remote SMTP > ! server, except that the trailing <CR><LF> are removed. > ! When the lookup succeeds, the result replaces the single SMTP reply > ! line.

    > ! > !

    Examples:

    > ! > !
    > ! /etc/postfix/main.cf:
    > !     smtp_reply_filter = pcre:/etc/postfix/reply_filter
    > ! 
    > ! > !
    > ! /etc/postfix/reply_filter:
    > !     # Transform garbage into "250-filler..." so that it looks like
    > !     # one line from a multi-line reply. It does not matter what we
    > !     # substitute here as long it has the right syntax.  The Postfix
    > !     # SMTP client will use the final line's numerical SMTP reply
    > !     # code and enhanced status code.
    > !     !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
    > ! 
    > ! > !

    This feature is available in Postfix 2.7.

    > ! > ! > !
    > ! > !
    smtp_rset_timeout > ! (default: 20s)
    > ! > !

    The Postfix SMTP client time limit for sending the RSET command, > ! and for receiving the remote SMTP server response. The SMTP client > ! sends RSET in > ! order to finish a recipient address probe, or to verify that a > ! cached session is still usable.

    > ! > !

    This feature is available in Postfix 2.1 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_auth_cache_name > ! (default: empty)
    > ! > !

    An optional table to prevent repeated SASL authentication > ! failures with the same remote SMTP server hostname, username and > ! password. Each table (key, value) pair contains a server name, a > ! username and password, and the full server response. This information > ! is stored when a remote SMTP server rejects an authentication attempt > ! with a 535 reply code. As long as the smtp_sasl_password_maps > ! information does no change, and as long as the smtp_sasl_auth_cache_name > ! information does not expire (see smtp_sasl_auth_cache_time) the > ! Postfix SMTP client avoids SASL authentication attempts with the > ! same server, username and password, and instead bounces or defers > ! mail as controlled with the smtp_sasl_auth_soft_bounce configuration > ! parameter.

    > ! > !

    Use a per-destination delivery concurrency of 1 (for example, > ! "smtp_destination_concurrency_limit = 1", > ! "relay_destination_concurrency_limit = 1", etc.), otherwise multiple > ! delivery agents may experience a login failure at the same time. > !

    > ! > !

    The table must be accessed via the proxywrite service, i.e. the > ! map name must start with "proxy:". The table should be stored under > ! the directory specified with the data_directory parameter.

    > ! > !

    This feature uses cryptographic hashing to protect plain-text > ! passwords, and requires that Postfix is compiled with TLS support. > !

    > ! > !

    Example:

    > ! > !
    > ! smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
    > ! 
    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_auth_cache_time > ! (default: 90d)
    > ! > !

    The maximal age of an smtp_sasl_auth_cache_name entry before it > ! is removed.

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_auth_enable > ! (default: no)
    > ! > !

    > ! Enable SASL authentication in the Postfix SMTP client. By default, > ! the Postfix SMTP client uses no authentication. > !

    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtp_sasl_auth_enable = yes
    > ! 
    > ! > ! > !
    > ! > !
    smtp_sasl_auth_soft_bounce > ! (default: yes)
    > ! > !

    When a remote SMTP server rejects a SASL authentication request > ! with a 535 reply code, defer mail delivery instead of returning > ! mail as undeliverable. The latter behavior was hard-coded prior to > ! Postfix version 2.5.

    > ! > !

    Note: the setting "yes" overrides the global soft_bounce > ! parameter, but the setting "no" does not.

    > ! > !

    Example:

    > ! > !
    > ! # Default as of Postfix 2.5
    > ! smtp_sasl_auth_soft_bounce = yes
    > ! # The old hard-coded default
    > ! smtp_sasl_auth_soft_bounce = no
    > ! 
    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_mechanism_filter > ! (default: empty)
    > ! > !

    > ! If non-empty, a Postfix SMTP client filter for the remote SMTP > ! server's list of offered SASL mechanisms. Different client and > ! server implementations may support different mechanism lists; by > ! default, the Postfix SMTP client will use the intersection of the > ! two. smtp_sasl_mechanism_filter specifies an optional third mechanism > ! list to intersect with.

    > ! > !

    Specify mechanism names, "/file/name" patterns or "type:table" > ! lookup tables. The right-hand side result from "type:table" lookups > ! is ignored. Specify "!pattern" to exclude a mechanism name from the > ! list. The form "!/file/name" is supported only in Postfix version > ! 2.4 and later.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > !

    > ! Examples: > !

    > ! > !
    > ! smtp_sasl_mechanism_filter = plain, login
    > ! smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    > ! smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
    > ! 
    > ! > ! > !
    > ! > !
    smtp_sasl_password_maps > ! (default: empty)
    > ! > !

    > ! Optional Postfix SMTP client lookup tables with one username:password > ! entry > ! per remote hostname or domain, or sender address when sender-dependent > ! authentication is enabled. If no username:password entry is found, > ! then the Postfix SMTP client will not > ! attempt to authenticate to the remote host. > !

    > ! > !

    > ! The Postfix SMTP client opens the lookup table before going to > ! chroot jail, so you can leave the password file in /etc/postfix. > !

    > ! > ! > !
    > ! > !
    smtp_sasl_path > ! (default: empty)
    > ! > !

    Implementation-specific information that the Postfix SMTP client > ! passes through to > ! the SASL plug-in implementation that is selected with > ! smtp_sasl_type. Typically this specifies the name of a > ! configuration file or rendezvous point.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_security_options > ! (default: noplaintext, noanonymous)
    > ! > !

    Postfix SMTP client SASL security options; as of Postfix 2.3 > ! the list of available > ! features depends on the SASL client implementation that is selected > ! with smtp_sasl_type.

    > ! > !

    The following security features are defined for the cyrus > ! client SASL implementation:

    > ! > !

    > ! Specify zero or more of the following: > !

    > ! > !
    > ! > !
    noplaintext
    > ! > !
    Disallow methods that use plaintext passwords.
    > ! > !
    noactive
    > ! > !
    Disallow methods subject to active (non-dictionary) attack. > !
    > ! > !
    nodictionary
    > ! > !
    Disallow methods subject to passive (dictionary) attack.
    > ! > !
    noanonymous
    > ! > !
    Disallow methods that allow anonymous authentication.
    > ! > !
    mutual_auth
    > ! > !
    Only allow methods that provide mutual authentication (not > ! available with SASL version 1).
    > ! > !
    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtp_sasl_security_options = noplaintext
    > ! 
    > ! > ! > !
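Review bot: The Example "smtp_sasl_security_options = noplaintext" is less restrictive than the documented default "noplaintext, noanonymous": it drops noanonymous and so re-enables anonymous mechanisms, but nothing in the entry says that is intended. Either show the default-preserving form "smtp_sasl_security_options = noplaintext, noanonymous" or say what the example is meant to change. A cross-reference to smtp_sasl_tls_verified_security_options would also help, since that is the page's own mechanism for relaxing noplaintext only on a verified TLS session rather than globally.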
    > ! > !
    smtp_sasl_tls_security_options > ! (default: $smtp_sasl_security_options)
    > ! > !

    The SASL authentication security options that the Postfix SMTP > ! client uses for TLS encrypted SMTP sessions.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_sasl_tls_verified_security_options > ! (default: $smtp_sasl_tls_security_options)
    > ! > !

    The SASL authentication security options that the Postfix SMTP > ! client uses for TLS encrypted SMTP sessions with a verified server > ! certificate.

    > ! > !

    When mail is sent to the public MX host for the recipient's > ! domain, server certificates are by default optional, and delivery > ! proceeds even if certificate verification fails. For delivery via > ! a submission service that requires SASL authentication, it may be > ! appropriate to send plaintext passwords only when the connection > ! to the server is strongly encrypted and the server identity > ! is verified.

    > ! > !

    The smtp_sasl_tls_verified_security_options parameter makes it > ! possible to only enable plaintext mechanisms when a secure connection > ! to the server is available. Submission servers subject to this > ! policy must either have verifiable certificates or offer suitable > ! non-plaintext SASL mechanisms.

    > ! > !

    This feature is available in Postfix 2.6 and later.

    > ! > ! > !
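Review bot: The entry explains the intent (plaintext mechanisms only on a strongly encrypted connection to a verified server) but, unlike the neighbouring entries, gives no settings that implement it. With the defaults quoted in this diff (smtp_sasl_tls_security_options defaults to $smtp_sasl_security_options, and this parameter defaults to that), the minimal configuration is to leave the first two at "noplaintext, noanonymous" and add "smtp_sasl_tls_verified_security_options = noanonymous"; add that as an Example. The entry should also state which TLS security levels count as a "verified server certificate" (the smtp_tls_per_site text below maps MUST to the "verify" level of smtp_tls_security_level), otherwise a reader running at a lower level will not understand why plaintext mechanisms stay disabled.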
    > ! > !
    smtp_sasl_type > ! (default: cyrus)
    > ! > !

    The SASL plug-in type that the Postfix SMTP client should use > ! for authentication. The available types are listed with the > ! "postconf -A" command.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_send_dummy_mail_auth > ! (default: no)
    > ! > !

    Whether or not to append the "AUTH=<>" option to the MAIL > ! FROM command in SASL-authenticated SMTP sessions. The default is > ! not to send this, to avoid problems with broken remote SMTP servers. > ! Before Postfix 2.9 the behavior is as if "smtp_send_dummy_mail_auth > ! = yes". > ! > !

    This feature is available in Postfix 2.9 and later.

    > ! > ! > !
    > ! > !
    smtp_send_xforward_command > ! (default: no)
    > ! > !

    > ! Send the non-standard XFORWARD command when the Postfix SMTP server > ! EHLO response announces XFORWARD support. > !

    > ! > !

    > ! This allows a Postfix SMTP delivery agent, used for injecting mail > ! into > ! a content filter, to forward the name, address, protocol and HELO > ! name of the original client to the content filter and downstream > ! queuing SMTP server. This can produce more useful logging than > ! localhost[127.0.0.1] etc. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > ! > !
    > ! > !
    smtp_sender_dependent_authentication > ! (default: no)
    > ! > !

    > ! Enable sender-dependent authentication in the Postfix SMTP client; this is > ! available only with SASL authentication, and disables SMTP connection > ! caching to ensure that mail from different senders will use the > ! appropriate credentials.

    > ! > !

    > ! This feature is available in Postfix 2.3 and later. > !

    > ! > ! > !
    > ! > !
    smtp_skip_4xx_greeting > ! (default: yes)
    > ! > !

    > ! Skip SMTP servers that greet with a 4XX status code (go away, try > ! again later). > !

    > ! > !

    > ! By default, the Postfix SMTP client moves on the next mail exchanger. > ! Specify > ! "smtp_skip_4xx_greeting = no" if Postfix should defer delivery > ! immediately. > !

    > ! > !

    This feature is available in Postfix 2.0 and earlier. > ! Later Postfix versions always skip remote SMTP servers that greet > ! with a > ! 4XX status code.

    > ! > ! > !
    > ! > !
    smtp_skip_5xx_greeting > ! (default: yes)
    > ! > !

    > ! Skip remote SMTP servers that greet with a 5XX status code (go away, > ! do > ! not try again later). > !

    > ! > !

    By default, the Postfix SMTP client moves on the next mail > ! exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should > ! bounce the mail immediately. The default setting is incorrect, but > ! it is what a lot of people expect to happen.

    > ! > ! > !
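Review bot: Typo in both the smtp_skip_4xx_greeting and smtp_skip_5xx_greeting text: "the Postfix SMTP client moves on the next mail exchanger" should read "moves on to the next mail exchanger". In the 5xx entry, "The default setting is incorrect, but it is what a lot of people expect to happen" would be clearer if it said why: the entry's own gloss of 5XX is "go away, do not try again later", so the strictly correct action is the immediate bounce that "smtp_skip_5xx_greeting = no" selects, and the default instead tries the next MX for a message the server has permanently refused.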
    > ! > !
    smtp_skip_quit_response > ! (default: yes)
    > ! > !

    > ! Do not wait for the response to the SMTP QUIT command. > !

    > ! > ! > !
    > ! > !
    smtp_starttls_timeout > ! (default: 300s)
    > ! > !

    Time limit for Postfix SMTP client write and read operations > ! during TLS startup and shutdown handshake procedures.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_CAfile > ! (default: empty)
    > ! > !

    A file containing CA certificates of root CAs trusted to sign > ! either remote SMTP server certificates or intermediate CA certificates. > ! These are loaded into memory before the smtp(8) client enters the > ! chroot jail. If the number of trusted roots is large, consider using > ! smtp_tls_CApath instead, but note that the latter directory must be > ! present in the chroot jail if the smtp(8) client is chrooted. This > ! file may also be used to augment the client certificate trust chain, > ! but it is best to include all the required certificates directly in > ! $smtp_tls_cert_file.

    > ! > !

    Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use > ! ONLY the system-supplied default certificate authority certificates. > !

    > ! > !

    Specify "tls_append_default_CA = no" to prevent Postfix from > ! appending the system-supplied default CAs and trusting third-party > ! certificates.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_CAfile = /etc/postfix/CAcert.pem
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
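Review bot: The Example "smtp_tls_CAfile = /etc/postfix/CAcert.pem" does not on its own restrict trust to that CA: the sentence "Specify "tls_append_default_CA = no" to prevent Postfix from appending the system-supplied default CAs" implies that appending is the default, so with the example alone a server certificate chaining to any system-supplied root is still accepted. State the default value of tls_append_default_CA in this entry and pair the example with "tls_append_default_CA = no" for the private-CA case; the same applies to the smtp_tls_CApath example "smtp_tls_CApath = /etc/postfix/certs" below. Also, "appending the system-supplied default CAs and trusting third-party certificates" reads as two separate things being prevented; "and thereby trusting" says what is meant.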
    > ! > !
    smtp_tls_CApath > ! (default: empty)
    > ! > !

    Directory with PEM format certificate authority certificates > ! that the Postfix SMTP client uses to verify a remote SMTP server > ! certificate. Don't forget to create the necessary "hash" links > ! with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". > !

    > ! > !

    To use this option in chroot mode, this directory (or a copy) > ! must be inside the chroot jail.

    > ! > !

    Specify "smtp_tls_CApath = /path/to/system_CA_directory" to > ! use ONLY the system-supplied default certificate authority certificates. > !

    > ! > !

    Specify "tls_append_default_CA = no" to prevent Postfix from > ! appending the system-supplied default CAs and trusting third-party > ! certificates.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_CApath = /etc/postfix/certs
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_block_early_mail_reply > ! (default: no)
    > ! > !

    Try to detect a mail hijacking attack based on a TLS protocol > ! vulnerability (CVE-2009-3555), where an attacker prepends malicious > ! HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. > ! The attack would succeed with non-Postfix SMTP servers that reply > ! to the malicious HELO, MAIL, RCPT, DATA commands after negotiating > ! the Postfix SMTP client TLS session.

    > ! > !

    This feature is available in Postfix 2.7.

    > ! > ! > !
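Review bot: The entry says the client will "Try to detect" the early-reply attack but not what it does on detection (defer the delivery, abort the session, log only), which is exactly what an operator deciding whether to enable it needs to know; add a sentence. Also "This feature is available in Postfix 2.7." breaks the "2.x and later" convention used by every other entry in this diff; if it is 2.7 and later, say so.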
    > ! > !
    smtp_tls_cert_file > ! (default: empty)
    > ! > !

    File with the Postfix SMTP client RSA certificate in PEM format. > ! This file may also contain the Postfix SMTP client private RSA key, > ! and these may be the same as the Postfix SMTP server RSA certificate and key > ! file.

    > ! > !

    Do not configure client certificates unless you must present > ! client TLS certificates to one or more servers. Client certificates are > ! not usually needed, and can cause problems in configurations that work > ! well without them. The recommended setting is to let the defaults stand:

    > ! > !
    > !
    > ! smtp_tls_cert_file =
    > ! smtp_tls_key_file =
    > ! smtp_tls_dcert_file =
    > ! smtp_tls_dkey_file =
    > ! smtp_tls_eccert_file =
    > ! smtp_tls_eckey_file =
    > ! 
    > !
    > ! > !

    The best way to use the default settings is to comment out the above > ! parameters in main.cf if present.

    > ! > !

    To enable remote SMTP servers to verify the Postfix SMTP client > ! certificate, the issuing CA certificates must be made available to the > ! server. You should include the required certificates in the client > ! certificate file, the client certificate first, then the issuing > ! CA(s) (bottom-up order).

    > ! > !

    Example: the certificate for "client.example.com" was issued by > ! "intermediate CA" which itself has a certificate issued by "root CA". > ! Create the client.pem file with "cat client_cert.pem intermediate_CA.pem > ! root_CA.pem > client.pem".

    > ! > !

    If you also want to verify remote SMTP server certificates issued by > ! these CAs, you can add the CA certificates to the smtp_tls_CAfile, in > ! which case it is not necessary to have them in the smtp_tls_cert_file, > ! smtp_tls_dcert_file or smtp_tls_eccert_file.

    > ! > !

    A certificate supplied here must be usable as an SSL client certificate > ! and hence pass the "openssl verify -purpose sslclient ..." test.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_cert_file = /etc/postfix/client.pem
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
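Review bot: The recipe "cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem" produces a file with no private key, yet smtp_tls_key_file defaults to $smtp_tls_cert_file and that entry's own Example is "smtp_tls_key_file = $smtp_tls_cert_file"; a reader who follows both ends up with a certificate and no usable key. Either include the key in the concatenation or add a separate "smtp_tls_key_file = ..." line next to the Example, and note that if the key does go into client.pem the root-only permission rule stated under smtp_tls_key_file then applies to client.pem as a whole. Also, appending root_CA.pem is redundant with the paragraph above, which asks only for "the client certificate first, then the issuing CA(s)": a server that trusts the root already has it, and sending it only adds bytes to the handshake.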
    > ! > !
    smtp_tls_cipherlist > ! (default: empty)
    > ! > !

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS > ! cipher list. As this feature applies to all TLS security levels, it is easy > ! to create inter-operability problems by choosing a non-default cipher > ! list. Do not use a non-default TLS cipher list on hosts that deliver email > ! to the public Internet: you will be unable to send email to servers that > ! only support the ciphers you exclude. Using a restricted cipher list > ! may be more appropriate for an internal MTA, where one can exert some > ! control over the TLS software and settings of the peer servers.

    > ! > !

    Note: do not use "" quotes around the parameter value.

    > ! > !

    This feature is available in Postfix version 2.2. It is not used with > ! Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

    > ! > ! > !
    > ! > !
    smtp_tls_ciphers > ! (default: export)
    > ! > !

    The minimum TLS cipher grade that the Postfix SMTP client > ! will use with opportunistic TLS encryption. Cipher types listed in > ! smtp_tls_exclude_ciphers are excluded from the base definition of > ! the selected cipher grade. The default value "export" ensures maximum > ! inter-operability. Because encryption is optional, stronger controls > ! are not appropriate, and this setting SHOULD NOT be changed unless the > ! change is essential.

    > ! > !

    When TLS is mandatory the cipher grade is chosen via the > ! smtp_tls_mandatory_ciphers configuration parameter, see there for syntax > ! details. See smtp_tls_policy_maps for information on how to configure > ! ciphers on a per-destination basis.

    > ! > !

    Example:

    > !
    > ! smtp_tls_ciphers = export
    > ! 
    > ! > !

    This feature is available in Postfix 2.6 and later. With earlier Postfix > ! releases only the smtp_tls_mandatory_ciphers parameter is implemented, > ! and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

    > ! > ! > !
    > ! > !
    smtp_tls_dcert_file > ! (default: empty)
    > ! > !

    File with the Postfix SMTP client DSA certificate in PEM format. > ! This file may also contain the Postfix SMTP client private DSA key.

    > ! > !

    See the discussion under smtp_tls_cert_file for more details. > !

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_dkey_file > ! (default: $smtp_tls_dcert_file)
    > ! > !

    File with the Postfix SMTP client DSA private key in PEM format. > ! This file may be combined with the Postfix SMTP client DSA certificate > ! file specified with $smtp_tls_dcert_file.

    > ! > !

    The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_eccert_file > ! (default: empty)
    > ! > !

    File with the Postfix SMTP client ECDSA certificate in PEM format. > ! This file may also contain the Postfix SMTP client ECDSA private key.

    > ! > !

    See the discussion under smtp_tls_cert_file for more details. > !

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
    > ! 
    > ! > !

    This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

    > ! > ! > !
    > ! > !
    smtp_tls_eckey_file > ! (default: $smtp_tls_eccert_file)
    > ! > !

    File with the Postfix SMTP client ECDSA private key in PEM format. > ! This file may be combined with the Postfix SMTP client ECDSA > ! certificate file specified with $smtp_tls_eccert_file.

    > ! > !

    The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

    > ! > !

    This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

    > ! > ! > !
    > ! > !
    smtp_tls_enforce_peername > ! (default: yes)
    > ! > !

    With mandatory TLS encryption, require that the remote SMTP > ! server hostname matches the information in the remote SMTP server > ! certificate. As of RFC 2487 the requirements for hostname checking > ! for MTA clients are not specified.

    > ! > !

    This option can be set to "no" to disable strict peer name > ! checking. This setting has no effect on sessions that are controlled > ! via the smtp_tls_per_site table.

    > ! > !

    Disabling the hostname verification can make sense in closed > ! environment where special CAs are created. If not used carefully, > ! this option opens the danger of a "man-in-the-middle" attack (the > ! CommonName of this attacker will be logged).

    > ! > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > ! > ! > !
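Review bot: "can make sense in closed environment where special CAs are created" needs "in a closed environment", and the security consequence should be stated exactly rather than as a vague "danger": with peer name checking disabled, any certificate issued by a CA in smtp_tls_CAfile or smtp_tls_CApath is accepted for any destination, so the "closed environment" qualification only holds if that CA issues certificates to nobody but the intended servers. The parenthetical "(the CommonName of this attacker will be logged)" should not read as a mitigation; it only helps after the fact.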
    > ! > !
    smtp_tls_exclude_ciphers > ! (default: empty)
    > ! > !

    List of ciphers or cipher types to exclude from the Postfix > ! SMTP client cipher > ! list at all TLS security levels. This is not an OpenSSL cipherlist, it is > ! a simple list separated by whitespace and/or commas. The elements are a > ! single cipher, or one or more "+" separated cipher properties, in which > ! case only ciphers matching all the properties are excluded.

    > ! > !

    Examples (some of these will cause problems):

    > ! > !
    > !
    > ! smtp_tls_exclude_ciphers = aNULL
    > ! smtp_tls_exclude_ciphers = MD5, DES
    > ! smtp_tls_exclude_ciphers = DES+MD5
    > ! smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    > ! smtp_tls_exclude_ciphers = kEDH+aRSA
    > ! 
    > !
    > ! > !

    The first setting, disables anonymous ciphers. The next setting > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > ! encryption algorithm. The next setting disables ciphers that use MD5 and > ! DES together. The next setting disables the two ciphers "AES256-SHA" > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > ! key exchange with RSA authentication.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
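Review bot: "Examples (some of these will cause problems)" should say which ones and why; as written the reader cannot tell whether "aNULL" (which the smtp_tls_mandatory_ciphers text below says is normally unnecessary because anonymous ciphers are filtered out automatically when certificates are verified) or "kEDH+aRSA" is the one to avoid. Also a stray comma in "The first setting, disables anonymous ciphers."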
    > ! > !
    smtp_tls_fingerprint_cert_match > ! (default: empty)
    > ! > !

    List of acceptable remote SMTP server certificate fingerprints for > ! the "fingerprint" TLS security level (smtp_tls_security_level = > ! fingerprint). At this security level, certificate authorities are not > ! used, and certificate expiration times are ignored. Instead, server > ! certificates are verified directly via their certificate fingerprint > ! or public key fingerprint (Postfix 2.9 and later). The fingerprint > ! is a message digest of the server certificate (or public key). The > ! digest algorithm is selected via the smtp_tls_fingerprint_digest > ! parameter.

    > ! > !

    When an smtp_tls_policy_maps table entry specifies the > ! "fingerprint" security level, any "match" attributes in that entry specify > ! the list of valid fingerprints for the corresponding destination. Multiple > ! fingerprints can be combined with a "|" delimiter in a single match > ! attribute, or multiple match attributes can be employed.

    > ! > !

    Example: Certificate fingerprint verification with internal mailhub. > ! Two matching fingerprints are listed. The relayhost may be multiple > ! physical hosts behind a load-balancer, each with its own private/public > ! key and self-signed certificate. Alternatively, a single relayhost may > ! be in the process of switching from one set of private/public keys to > ! another, and both keys are trusted just prior to the transition.

    > ! > !
    > !
    > ! relayhost = [mailhub.example.com]
    > ! smtp_tls_security_level = fingerprint
    > ! smtp_tls_fingerprint_digest = md5
    > ! smtp_tls_fingerprint_cert_match =
    > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 
    > !
    > ! > !

    Example: Certificate fingerprint verification with selected destinations. > ! As in the example above, we show two matching fingerprints:

    > ! > !
    > !
    > ! /etc/postfix/main.cf:
    > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > !     smtp_tls_fingerprint_digest = md5
    > ! 
    > !
    > ! > !
    > !
    > ! /etc/postfix/tls_policy:
    > !     example.com	fingerprint
    > !         match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !         match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 
    > !
    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
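Review bot: Both Examples set "smtp_tls_fingerprint_digest = md5" while the very next entry says "The best practice algorithm is now sha1"; examples should show the recommended setting, i.e. "smtp_tls_fingerprint_digest = sha1" with 20-byte fingerprints in place of the 16-byte md5 values shown. One more sentence is worth adding here: because "certificate expiration times are ignored" at this level, the match list is the only thing that ever retires a key, so the two-fingerprint transition shown must be followed by removing the old fingerprint once the switch is complete, or the retired key stays trusted indefinitely.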
    > ! > !
    smtp_tls_fingerprint_digest > ! (default: md5)
    > ! > !

    The message digest algorithm used to construct remote SMTP server > ! certificate fingerprints. At the "fingerprint" TLS security level > ! (smtp_tls_security_level = fingerprint), the server certificate is > ! verified by directly matching its certificate fingerprint or its public > ! key fingerprint (Postfix 2.9 and later). The fingerprint is the > ! message digest of the server certificate (or its public key) > ! using the selected > ! algorithm. With a digest algorithm resistant to "second pre-image" > ! attacks, it is not feasible to create a new public key and a matching > ! certificate (or public/private key-pair) that has the same fingerprint.

    > ! > !

    The default algorithm is md5; this is consistent with > ! the backwards compatible setting of the digest used to verify client > ! certificates in the SMTP server.

    > ! > !

    The best practice algorithm is now sha1. Recent advances in hash > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > ! However, as long as there are no known "second pre-image" attacks > ! against md5, its use in this context can still be considered safe. > !

    > ! > !

    While additional digest algorithms are often available with OpenSSL's > ! libcrypto, only those used by libssl in SSL cipher suites are available to > ! Postfix. For now this means just md5 or sha1.

    > ! > !

    To find the fingerprint of a specific certificate file, with a > ! specific digest algorithm, run: > !

    > ! > !
    > !
    > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
    > ! 
    > !
    > ! > !

    The text to the right of "=" sign is the desired fingerprint. > ! For example:

    > ! > !
    > !
    > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    > ! 
    > !
    > ! > !

    Public key fingerprints are more difficult to extract, however, > ! the SHA-1 public key fingerprint is often present as the value of the > ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix > ! SMTP server and client log the peer certificate fingerprint and public > ! key fingerprint when TLS loglevel is 1 or higher.

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
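Review bot: The entry recommends sha1 ("The best practice algorithm is now sha1") but keeps md5 as the default and justifies that only by the absence of known second pre-image attacks; say plainly that new deployments should set sha1 and that md5 remains the default only for consistency with the SMTP server side mentioned in the same entry. On the public-key paragraph, "the SHA-1 public key fingerprint is often present as the value of the "Subject Key Identifier" extension" should be qualified: the reader cannot tell from this text whether the SKI is computed over the same bytes Postfix digests, so point them at the public key fingerprint the client logs at smtp_tls_loglevel 1 (mentioned in the same paragraph) as the authoritative source. Also, if "-digest" in "openssl x509 -noout -fingerprint -digest -in certfile.pem" is a placeholder, mark it as one; the worked example below uses "-sha1".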
    > ! > !
    smtp_tls_key_file > ! (default: $smtp_tls_cert_file)
    > ! > !

    File with the Postfix SMTP client RSA private key in PEM format. > ! This file may be combined with the Postfix SMTP client RSA certificate > ! file specified with $smtp_tls_cert_file.

    > ! > !

    The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_key_file = $smtp_tls_cert_file
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_loglevel > ! (default: 0)
    > ! > !

    Enable additional Postfix SMTP client logging of TLS activity. > ! Each logging level also includes the information that is logged at > ! a lower logging level.

    > ! > !
    > ! > !
    0 Log only a summary message on TLS handshake completion > ! — no logging of remote SMTP server certificate trust-chain > ! verification errors if server certificate verification is not required. > ! With Postfix 2.8 and earlier, disable logging of TLS activity.
    > ! > !
    1 Also log remote SMTP server trust-chain verification > ! errors and peer certificate summary information. With Postfix 2.8 > ! and earlier, log TLS handshake and certificate information.
    > ! > !
    2 Also log levels during TLS negotiation.
    > ! > !
    3 Also log hexadecimal and ASCII dump of TLS negotiation > ! process.
    > ! > !
    4 Also log hexadecimal and ASCII dump of complete > ! transmission after STARTTLS.
    > ! > !
    > ! > !

    Do not use "smtp_tls_loglevel = 2" or higher except in case of > ! problems. Use of loglevel 4 is strongly discouraged.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
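Review bot: "Use of loglevel 4 is strongly discouraged" should say why: level 4 writes a "hexadecimal and ASCII dump of complete transmission after STARTTLS" to the mail log, which is the decrypted message content and, on SASL-authenticated sessions, the credentials exchanged (the smtp_sasl_security_options entry above is about mechanisms that "use plaintext passwords"). Those then persist in the log with whatever permissions and retention the log has, which is the real reason to keep it off outside a short debugging session.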
    > ! > !
    smtp_tls_mandatory_ciphers > ! (default: medium)
    > ! > !

    The minimum TLS cipher grade that the Postfix SMTP client will > ! use with > ! mandatory TLS encryption. The default value "medium" is suitable > ! for most destinations with which you may want to enforce TLS, and > ! is beyond the reach of today's cryptanalytic methods. See > ! smtp_tls_policy_maps for information on how to configure ciphers > ! on a per-destination basis.

    > ! > !

    The following cipher grades are supported:

    > ! > !
    > !
    export
    > !
    Enable "EXPORT" grade or better OpenSSL > ! ciphers. This is the default for opportunistic encryption. It is > ! not recommended for mandatory encryption unless you must enforce TLS > ! with "crippled" peers. The underlying cipherlist is specified via the > ! tls_export_cipherlist configuration parameter, which you are strongly > ! encouraged to not change.
    > ! > !
    low
    > !
    Enable "LOW" grade or better OpenSSL ciphers. This > ! setting is only appropriate for internal mail servers. The underlying > ! cipherlist is specified via the tls_low_cipherlist configuration > ! parameter, which you are strongly encouraged to not change.
    > ! > !
    medium
    > !
    Enable "MEDIUM" grade or better OpenSSL ciphers. > ! The underlying cipherlist is specified via the tls_medium_cipherlist > ! configuration parameter, which you are strongly encouraged to not change. > !
    > ! > !
    high
    > !
    Enable only "HIGH" grade OpenSSL ciphers. This setting may > ! be appropriate when all mandatory TLS destinations (e.g. when all > ! mail is routed to a suitably capable relayhost) support at least one > ! "HIGH" grade cipher. The underlying cipherlist is specified via the > ! tls_high_cipherlist configuration parameter, which you are strongly > ! encouraged to not change.
    > ! > !
    null
    > !
    Enable only the "NULL" OpenSSL ciphers, these provide authentication > ! without encryption. This setting is only appropriate in the rare case > ! that all servers are prepared to use NULL ciphers (not normally enabled > ! in TLS servers). A plausible use-case is an LMTP server listening on a > ! UNIX-domain socket that is configured to support "NULL" ciphers. The > ! underlying cipherlist is specified via the tls_null_cipherlist > ! configuration parameter, which you are strongly encouraged to not > ! change.
    > ! > !
    > ! > !

    The underlying cipherlists for grades other than "null" include > ! anonymous ciphers, but these are automatically filtered out if the > ! Postfix SMTP client is configured to verify server certificates. > ! You are very unlikely to need to take any steps to exclude anonymous > ! ciphers, they are excluded automatically as necessary. If you must > ! exclude anonymous ciphers at the "may" or "encrypt" security levels, > ! when the Postfix SMTP client does not need or use peer certificates, set > ! "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only when > ! TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_mandatory_exclude_ciphers > ! (default: empty)
    > ! > !

    Additional list of ciphers or cipher types to exclude from the > ! Postfix SMTP client cipher list at mandatory TLS security levels. This list > ! works in addition to the exclusions listed with smtp_tls_exclude_ciphers > ! (see there for syntax details).

    > ! > !

    Starting with Postfix 2.6, the mandatory cipher exclusions can be > ! specified on a per-destination basis via the TLS policy "exclude" > ! attribute. See smtp_tls_policy_maps for notes and examples.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_mandatory_protocols > ! (default: SSLv3, TLSv1)
    > ! > !

    List of SSL/TLS protocols that the Postfix SMTP client will use with > ! mandatory TLS encryption. In main.cf the values are separated by > ! whitespace, commas or colons. In the policy table "protocols" attribute > ! (see smtp_tls_policy_maps) the only valid separator is colon. An > ! empty value means allow all protocols. The valid protocol names, (see > ! SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

    > ! > !

    With Postfix ≥ 2.5 the parameter syntax is expanded to support > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > ! "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > ! SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > ! the protocols to include, rather than protocols to exclude, is still > ! supported; use the form you find more intuitive.

    > ! > !

    Since SSL version 2 has known protocol weaknesses and is now > ! deprecated, the default setting excludes "SSLv2". This means that by > ! default, SSL version 2 will not be used at the "encrypt" security level > ! and higher.

    > ! > !

    See the documentation of the smtp_tls_policy_maps parameter and > ! TLS_README for more information about security levels.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_mandatory_protocols = TLSv1
    > ! # Alternative form with Postfix ≥ 2.5:
    > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > ! 
    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
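Review bot: The two lines in the Example are not equivalent, although "# Alternative form with Postfix ≥ 2.5" suggests they are: "smtp_tls_mandatory_protocols = TLSv1" allows only TLSv1, while "!SSLv2, !SSLv3" allows any protocol other than those two (the entry itself says "An empty value means allow all protocols", so the exclusion form is allow-all minus the named exclusions). Say which behaviour the reader is meant to pick: the inclusion form pins the client to one version and is the more interop-sensitive choice, the exclusion form follows whatever the TLS library offers.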
    > ! > !
    smtp_tls_note_starttls_offer > ! (default: no)
    > ! > !

    Log the hostname of a remote SMTP server that offers STARTTLS, > ! when TLS is not already enabled for that server.

    > ! > !

    The logfile record looks like:

    > ! > !
    > ! postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_per_site > ! (default: empty)
    > ! > !

    Optional lookup tables with the Postfix SMTP client TLS usage > ! policy by next-hop destination and by remote SMTP server hostname. > ! When both lookups succeed, the more specific per-site policy (NONE, > ! MUST, etc) overrides the less specific one (MAY), and the more secure > ! per-site policy (MUST, etc) overrides the less secure one (NONE). > ! With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged: > ! use smtp_tls_policy_maps instead.

    > ! > !

    Use of the bare hostname as the per-site table lookup key is > ! discouraged. Always use the full destination nexthop (enclosed in > ! [] with a possible ":port" suffix). A recipient domain or MX-enabled > ! transport next-hop with no port suffix may look like a bare hostname, > ! but is still a suitable destination.

    > ! > !

    Specify a next-hop destination or server hostname on the left-hand > ! side; no wildcards are allowed. The next-hop destination is either > ! the recipient domain, or the destination specified with a transport(5) > ! table, the relayhost parameter, or the relay_transport parameter. > ! On the right hand side specify one of the following keywords:

    > ! > !
    > ! > !
    NONE
    Don't use TLS at all. This overrides a less > ! specific MAY lookup result from the alternate host or next-hop > ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, > ! and smtp_tls_enforce_peername settings.
    > ! > !
    MAY
    Try to use TLS if the server announces support, > ! otherwise use the unencrypted connection. This has less precedence > ! than a more specific result (including NONE) from the alternate > ! host or next-hop lookup key, and has less precedence than the more > ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername > ! = yes".
    > ! > !
    MUST_NOPEERMATCH
    Require TLS encryption, but do not > ! require that the remote SMTP server hostname matches the information > ! in the remote SMTP server certificate, or that the server certificate > ! was issued by a trusted CA. This overrides a less secure NONE > ! or a less specific MAY lookup result from the alternate host > ! or next-hop lookup key, and overrides the global smtp_use_tls, > ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
    > ! > !
    MUST
    Require TLS encryption, require that the remote > ! SMTP server hostname matches the information in the remote SMTP > ! server certificate, and require that the remote SMTP server certificate > ! was issued by a trusted CA. This overrides a less secure NONE > ! and MUST_NOPEERMATCH or a less specific MAY lookup > ! result from the alternate host or next-hop lookup key, and overrides > ! the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername > ! settings.
    > ! > !
    > ! > !

    The above keywords correspond to the "none", "may", "encrypt" and > ! "verify" security levels for the new smtp_tls_security_level parameter > ! introduced in Postfix 2.3. Starting with Postfix 2.3, and independently > ! of how the policy is specified, the smtp_tls_mandatory_ciphers and > ! smtp_tls_mandatory_protocols parameters apply when TLS encryption > ! is mandatory. Connections for which encryption is optional typically > ! enable all "export" grade and better ciphers (see smtp_tls_ciphers > ! and smtp_tls_protocols).

    > ! > !

    As long as no secure DNS lookup mechanism is available, false > ! hostnames in MX or CNAME responses can change the server hostname > ! that Postfix uses for TLS policy lookup and server certificate > ! verification. Even with a perfect match between the server hostname and > ! the server certificate, there is no guarantee that Postfix is connected > ! to the right server. See TLS_README (Closing a DNS loophole with obsolete > ! per-site TLS policies) for a possible work-around.

    > ! > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_policy_maps instead.

    > ! > ! > !
    > ! > !
    smtp_tls_policy_maps > ! (default: empty)
    > ! > !

    Optional lookup tables with the Postfix SMTP client TLS security > ! policy by next-hop destination; when a non-empty value is specified, > ! this overrides the obsolete smtp_tls_per_site parameter. See > ! TLS_README for a more detailed discussion of TLS security levels. > !

    > ! > !

    The TLS policy table is indexed by the full next-hop destination, > ! which is either the recipient domain, or the verbatim next-hop > ! specified in the transport table, $local_transport, $virtual_transport, > ! $relay_transport or $default_transport. This includes any enclosing > ! square brackets and any non-default destination server port suffix. The > ! LMTP socket type prefix (inet: or unix:) is not included in the lookup > ! key.

    > ! > !

    Only the next-hop domain, or $myhostname with LMTP over UNIX-domain > ! sockets, is used as the nexthop name for certificate verification. The > ! port and any enclosing square brackets are used in the table lookup key, > ! but are not used for server name verification.

    > ! > !

    When the lookup key is a domain name without enclosing square brackets > ! or any :port suffix (typically the recipient domain), and the full > ! domain is not found in the table, just as with the transport(5) table, > ! the parent domain starting with a leading "." is matched recursively. This > ! allows one to specify a security policy for a recipient domain and all > ! its sub-domains.

    > ! > !

    The lookup result is a security level, followed by an optional list > ! of whitespace and/or comma separated name=value attributes that override > ! related main.cf settings. The TLS security levels in order of increasing > ! security are:

    > ! > !
    > ! > !
    none
    > !
    No TLS. No additional attributes are supported at this level.
    > ! > !
    may
    > !
    Opportunistic TLS. Since sending in the clear is acceptable, > ! demanding stronger than default TLS security merely reduces > ! inter-operability. The optional "ciphers", "exclude" and "protocols" > ! attributes (available for opportunistic TLS with Postfix ≥ 2.6) > ! override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and > ! "smtp_tls_protocols" configuration parameters. When opportunistic TLS > ! handshakes fail, Postfix retries the connection with TLS disabled. > ! This allows mail delivery to sites with non-interoperable TLS > ! implementations.
    > ! > !
    encrypt
    Mandatory TLS encryption. At this level > ! and higher, the optional "protocols" attribute overrides the main.cf > ! smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute > ! overrides the main.cf smtp_tls_mandatory_ciphers parameter, and the > ! optional "exclude" attribute (Postfix ≥ 2.6) overrides the main.cf > ! smtp_tls_mandatory_exclude_ciphers parameter. In the policy table, > ! multiple protocols or excluded ciphers must be separated by colons, > ! as attribute values may not contain whitespace or commas.
    > ! > !
    fingerprint
    Certificate fingerprint > ! verification. Available with Postfix 2.5 and later. At this security > ! level, there are no trusted certificate authorities. The certificate > ! trust chain, expiration date, ... are not checked. Instead, > ! the optional match attribute, or else the main.cf > ! smtp_tls_fingerprint_cert_match parameter, lists the certificate > ! fingerprints or the public key fingerprint (Postfix 2.9 and later) > ! of the valid server certificate. The digest > ! algorithm used to calculate the fingerprint is selected by the > ! smtp_tls_fingerprint_digest parameter. Multiple fingerprints can > ! be combined with a "|" delimiter in a single match attribute, or multiple > ! match attributes can be employed. The ":" character is not used as a > ! delimiter as it occurs between each pair of fingerprint (hexadecimal) > ! digits.
    > ! > !
    verify
    Mandatory TLS verification. At this security > ! level, DNS MX lookups are trusted to be secure enough, and the name > ! verified in the server certificate is usually obtained indirectly via > ! unauthenticated DNS MX lookups. The optional "match" attribute overrides > ! the main.cf smtp_tls_verify_cert_match parameter. In the policy table, > ! multiple match patterns and strategies must be separated by colons. > ! In practice explicit control over matching is more common with the > ! "secure" policy, described below.
    > ! > !
    secure
    Secure-channel TLS. At this security level, DNS > ! MX lookups, though potentially used to determine the candidate next-hop > ! gateway IP addresses, are not trusted to be secure enough for TLS > ! peername verification. Instead, the default name verified in the server > ! certificate is obtained directly from the next-hop, or is explicitly > ! specified via the optional match attribute which overrides the > ! main.cf smtp_tls_secure_cert_match parameter. In the policy table, > ! multiple match patterns and strategies must be separated by colons. > ! The match attribute is most useful when multiple domains are supported by > ! common server, the policy entries for additional domains specify matching > ! rules for the primary domain certificate. While transport table overrides > ! routing the secondary domains to the primary nexthop also allow secure > ! verification, they risk delivery to the wrong destination when domains > ! change hands or are re-assigned to new gateways. With the "match" > ! attribute approach, routing is not perturbed, and mail is deferred if > ! verification of a new MX host fails.
    > ! > !
    > ! > !

    > ! Example: > !

    > ! > !
    > ! /etc/postfix/main.cf:
    > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > !     # Postfix 2.5 and later
    > !     smtp_tls_fingerprint_digest = md5
    > ! 
    > ! > !
    > ! /etc/postfix/tls_policy:
    > !     example.edu                 none
    > !     example.mil                 may
    > !     example.gov                 encrypt protocols=TLSv1
    > !     example.com                 verify ciphers=high
    > !     example.net                 secure
    > !     .example.net                secure match=.example.net:example.net
    > !     [mail.example.org]:587      secure match=nexthop
    > !     # Postfix 2.5 and later
    > !     [thumb.example.org]          fingerprint
    > !     	match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 	match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > ! 
    > ! > !

    Note: The hostname strategy if listed in a non-default > ! setting of smtp_tls_secure_cert_match or in the match attribute > ! in the policy table can render the secure level vulnerable to > ! DNS forgery. Do not use the hostname strategy for secure-channel > ! configurations in environments where DNS security is not assured.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_protocols > ! (default: !SSLv2)
    > ! > !

    List of TLS protocols that the Postfix SMTP client will exclude or > ! include with opportunistic TLS encryption. Starting with Postfix 2.6, > ! the Postfix SMTP client will by default not use the obsolete SSLv2 > ! protocol.

    > ! > !

    In main.cf the values are separated by whitespace, commas or > ! colons. In the policy table (see smtp_tls_policy_maps) the only valid > ! separator is colon. An empty value means allow all protocols. The valid > ! protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" > ! and "TLSv1".

    > ! > !

    To include a protocol list its name, to exclude it, prefix the name > ! with a "!" character. To exclude SSLv2 even for opportunistic TLS set > ! "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set > ! "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to > ! include, is supported, but not recommended. OpenSSL provides no mechanisms > ! for excluding protocols not known at compile-time. If Postfix is linked > ! against an OpenSSL library that supports additional protocol versions, > ! they cannot be excluded using either syntax.

    > ! > !

    Example:

    > !
    > ! # TLSv1 only!
    > ! smtp_tls_protocols = !SSLv2, !SSLv3
    > ! 
    > ! > !

    This feature is available in Postfix 2.6 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_scert_verifydepth > ! (default: 9)
    > ! > !

    The verification depth for remote SMTP server certificates. A depth > ! of 1 is sufficient if the issuing CA is listed in a local CA file.

    > ! > !

    The default verification depth is 9 (the OpenSSL default) for > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > ! the default value was 5, but the limit was not actually enforced. If > ! you have set this to a lower non-default value, certificates with longer > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > ! CAs are common, deeper chains are more rare and any number between 5 > ! and 9 should suffice in practice. You can choose a lower number if, > ! for example, you trust certificates directly signed by an issuing CA > ! but not any CAs it delegates to.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_secure_cert_match > ! (default: nexthop, dot-nexthop)
    > ! > !

    How the Postfix SMTP client verifies the server certificate > ! peername for the > ! "secure" TLS security level. In a "secure" TLS policy table > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > ! overrides this main.cf setting.

    > ! > !

    This parameter specifies one or more patterns or strategies separated > ! by commas, whitespace or colons. In the policy table the only valid > ! separator is the colon character.

    > ! > !

    For a description of the pattern and strategy syntax see the > ! smtp_tls_verify_cert_match parameter. The "hostname" strategy should > ! be avoided in this context, as in the absence of a secure global DNS, using > ! the results of MX lookups in certificate verification is not immune to active > ! (man-in-the-middle) attacks on DNS.

    > ! > !

    > ! Sample main.cf setting: > !

    > ! > !
    > !
    > ! smtp_tls_secure_cert_match = nexthop
    > ! 
    > !
    > ! > !

    > ! Sample policy table override: > !

    > ! > !
    > !
    > ! example.net     secure match=example.com:.example.com
    > ! .example.net    secure match=example.com:.example.com
    > ! 
    > !
    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_security_level > ! (default: empty)
    > ! > !

    The default SMTP TLS security level for the Postfix SMTP client; > ! when a non-empty value is specified, this overrides the obsolete > ! parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. > !

    > ! > !

    Specify one of the following security levels:

    > ! > !
    > ! > !
    none
    TLS will not be used unless enabled for specific > ! destinations via smtp_tls_policy_maps.
    > ! > !
    may
    > !
    Opportunistic TLS. Use TLS if this is supported by the remote > ! SMTP server, otherwise use plaintext. Since > ! sending in the clear is acceptable, demanding stronger than default TLS > ! security merely reduces inter-operability. > ! The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6) > ! configuration parameters provide control over the protocols and > ! cipher grade used with opportunistic TLS. With earlier releases the > ! opportunistic TLS cipher grade is always "export" and no protocols > ! are disabled. > ! When TLS handshakes fail, the connection is retried with TLS disabled. > ! This allows mail delivery to sites with non-interoperable TLS > ! implementations.
    > ! > !
    encrypt
    Mandatory TLS encryption. Since a minimum > ! level of security is intended, it is reasonable to be specific about > ! sufficiently secure protocol versions and ciphers. At this security level > ! and higher, the main.cf parameters smtp_tls_mandatory_protocols and > ! smtp_tls_mandatory_ciphers specify the TLS protocols and minimum > ! cipher grade which the administrator considers secure enough for > ! mandatory encrypted sessions. This security level is not an appropriate > ! default for systems delivering mail to the Internet.
    > ! > !
    fingerprint
    Certificate fingerprint > ! verification. Available with Postfix 2.5 and later. At this security > ! level, there are no trusted certificate authorities. The certificate > ! trust chain, expiration date, ... are not checked. Instead, the > ! smtp_tls_fingerprint_cert_match parameter lists the certificate > ! fingerprint or public key fingerprint (Postfix 2.9 and later) of > ! the valid server certificate. The digest > ! algorithm used to calculate the fingerprint is selected by the > ! smtp_tls_fingerprint_digest parameter.
    > ! > !
    verify
    Mandatory TLS verification. At this security > ! level, DNS MX lookups are trusted to be secure enough, and the name > ! verified in the server certificate is usually obtained indirectly > ! via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match > ! parameter controls how the server name is verified. In practice explicit > ! control over matching is more common at the "secure" level, described > ! below. This security level is not an appropriate default for systems > ! delivering mail to the Internet.
    > ! > !
    secure
    Secure-channel TLS. At this security level, > ! DNS MX lookups, though potentially used to determine the candidate > ! next-hop gateway IP addresses, are not trusted to be secure enough > ! for TLS peername verification. Instead, the default name verified in > ! the server certificate is obtained from the next-hop domain as specified > ! in the smtp_tls_secure_cert_match configuration parameter. The default > ! matching rule is that a server certificate matches when its name is equal > ! to or is a sub-domain of the nexthop domain. This security level is not > ! an appropriate default for systems delivering mail to the Internet.
    > ! > !
    > ! > !

    > ! Examples: > !

    > ! > !
    > ! # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    > ! smtp_tls_security_level = none
    > ! 
    > ! > !
    > ! # Opportunistic TLS.
    > ! smtp_tls_security_level = may
    > ! # Postfix ≥ 2.6:
    > ! # Do not tweak opportunistic ciphers or protocol unless it is essential
    > ! # to do so (if a security vulnerability is found in the SSL library that
    > ! # can be mitigated by disabling a particular protocol or raising the
    > ! # cipher grade from "export" to "low" or "medium").
    > ! smtp_tls_ciphers = export
    > ! smtp_tls_protocols = !SSLv2
    > ! 
    > ! > !
    > ! # Mandatory (high-grade) TLS encryption.
    > ! smtp_tls_security_level = encrypt
    > ! smtp_tls_mandatory_ciphers = high
    > ! 
    > ! > !
    > ! # Mandatory TLS verification of hostname or nexthop domain.
    > ! smtp_tls_security_level = verify
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > ! 
    > ! > !
    > ! # Secure channel TLS with exact nexthop name match.
    > ! smtp_tls_security_level = secure
    > ! smtp_tls_mandatory_protocols = TLSv1
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_secure_cert_match = nexthop
    > ! 
    > ! > !
    > ! # Certificate fingerprint verification (Postfix ≥ 2.5).
    > ! # The CA-less "fingerprint" security level only scales to a limited
    > ! # number of destinations. As a global default rather than a per-site
    > ! # setting, this is practical when mail for all recipients is sent
    > ! # to a central mail hub.
    > ! relayhost = [mailhub.example.com]
    > ! smtp_tls_security_level = fingerprint
    > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_fingerprint_cert_match =
    > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 
    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_session_cache_database > ! (default: empty)
    > ! > !

    Name of the file containing the optional Postfix SMTP client > ! TLS session cache. Specify a database type that supports enumeration, > ! such as btree or sdbm; there is no need to support > ! concurrent access. The file is created if it does not exist. The smtp(8) > ! daemon does not use this parameter directly, rather the cache is > ! implemented indirectly in the tlsmgr(8) daemon. This means that > ! per-smtp-instance master.cf overrides of this parameter are not effective. > ! Note, that each of the cache databases supported by tlsmgr(8) daemon: > ! $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to > ! be stored separately. It is not at this time possible to store multiple > ! caches in a single database.

    > ! > !

    Note: dbm databases are not suitable. TLS > ! session objects are too large.

    > ! > !

    As of version 2.5, Postfix no longer uses root privileges when > ! opening this file. The file should now be stored under the Postfix-owned > ! data_directory. As a migration aid, an attempt to open the file > ! under a non-Postfix directory is redirected to the Postfix-owned > ! data_directory, and a warning is logged.

    > ! > !

    Example:

    > ! > !
    > ! smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    > ! 
    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_session_cache_timeout > ! (default: 3600s)
    > ! > !

    The expiration time of Postfix SMTP client TLS session cache > ! information. A cache cleanup is performed periodically > ! every $smtp_tls_session_cache_timeout seconds. As with > ! $smtp_tls_session_cache_database, this parameter is implemented in the > ! tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides > ! are not possible.

    > ! > !

    This feature is available in Postfix 2.2 and later.

    > ! > ! > !
    > ! > !
    smtp_tls_verify_cert_match > ! (default: hostname)
    > ! > !

    How the Postfix SMTP client verifies the server certificate > ! peername for the > ! "verify" TLS security level. In a "verify" TLS policy table > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > ! overrides this main.cf setting.

    > ! > !

    This parameter specifies one or more patterns or strategies separated > ! by commas, whitespace or colons. In the policy table the only valid > ! separator is the colon character.

    > ! > !

    Patterns specify domain names, or domain name suffixes:

    > ! > !
    > ! > !
    example.com
    Match the example.com domain, > ! i.e. one of the names the server certificate must be example.com, > ! upper and lower case distinctions are ignored.
    > ! > !
    .example.com
    > !
    Match subdomains of the example.com domain, i.e. match > ! a name in the server certificate that consists of a non-zero number of > ! labels followed by a .example.com suffix. Case distinctions are > ! ignored.
    > ! > !
    > ! > !

    Strategies specify a transformation from the next-hop domain > ! to the expected name in the server certificate:

    > ! > !
    > ! > !
    nexthop
    > !
    Match against the next-hop domain, which is either the recipient > ! domain, or the transport next-hop configured for the domain stripped of > ! any optional socket type prefix, enclosing square brackets and trailing > ! port. When MX lookups are not suppressed, this is the original nexthop > ! domain prior to the MX lookup, not the result of the MX lookup. For > ! LMTP delivery via UNIX-domain sockets, the verified next-hop name is > ! $myhostname. This strategy is suitable for use with the "secure" > ! policy. Case is ignored.
    > ! > !
    dot-nexthop
    > !
    As above, but match server certificate names that are subdomains > ! of the next-hop domain. Case is ignored.
    > ! > !
    hostname
    Match against the hostname of the server, often > ! obtained via an unauthenticated DNS MX lookup. For LMTP delivery via > ! UNIX-domain sockets, the verified name is $myhostname. This matches > ! the verification strategy of the "MUST" keyword in the obsolete > ! smtp_tls_per_site table, and is suitable for use with the "verify" > ! security level. When the next-hop name is enclosed in square brackets > ! to suppress MX lookups, the "hostname" strategy is the same as the > ! "nexthop" strategy. Case is ignored.
    > ! > !
    > ! > !

    > ! Sample main.cf setting: > !

    > ! > !
    > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > ! 
    > ! > !

    > ! Sample policy table override: > !

    > ! > !
    > ! example.com     verify  match=hostname:nexthop
    > ! .example.com    verify  match=example.com:.example.com:hostname
    > ! 
    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtp_use_tls > ! (default: no)
    > ! > !

    Opportunistic mode: use TLS when a remote SMTP server announces > ! STARTTLS support, otherwise send the mail in the clear. Beware: > ! some SMTP servers offer STARTTLS even if it is not configured. With > ! Postfix < 2.3, if the TLS handshake fails, and no other server is > ! available, delivery is deferred and mail stays in the queue. If this > ! is a concern for you, use the smtp_tls_per_site feature instead.

    > ! > !

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > ! > ! > !
    > ! > !
    smtp_xforward_timeout > ! (default: 300s)
    > ! > !

    > ! The Postfix SMTP client time limit for sending the XFORWARD command, > ! and for receiving the remote SMTP server response. > !

    > ! > !

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > ! > !
    > ! > !
    smtpd_authorized_verp_clients > ! (default: $authorized_verp_clients)
    > ! > !

    What remote SMTP clients are allowed to specify the XVERP command. > ! This command requests that mail be delivered one recipient at a > ! time with a per recipient return address.

    > ! > !

    By default, no clients are allowed to specify XVERP.

    > ! > !

    This parameter was renamed with Postfix version 2.1. The default value > ! is backwards compatible with Postfix version 2.0.

    > ! > !

    Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also specify hostnames or > ! .domain names (the initial dot causes the domain to match any name > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > ! pattern is replaced by its contents; a "type:table" lookup table > ! is matched when a table entry matches a lookup string (the lookup > ! result is ignored). Continue long lines by starting the next line > ! with whitespace. Specify "!pattern" to exclude an address or network > ! block from the list. The form "!/file/name" is supported only in > ! Postfix version 2.4 and later.

    > ! > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_authorized_verp_clients value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

    > ! > ! > !
    > ! > !
    smtpd_authorized_xclient_hosts > ! (default: empty)
    > ! > !

    > ! What remote SMTP clients are allowed to use the XCLIENT feature. This > ! command overrides remote SMTP client information that is used for access > ! control. Typical use is for SMTP-based content filters, fetchmail-like > ! programs, or SMTP server access rule testing. See the XCLIENT_README > ! document for details. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > !

    > ! By default, no clients are allowed to specify XCLIENT. > !

    > ! > !

    > ! Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also specify hostnames or > ! .domain names (the initial dot causes the domain to match any name > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > ! pattern is replaced by its contents; a "type:table" lookup table > ! is matched when a table entry matches a lookup string (the lookup > ! result is ignored). Continue long lines by starting the next line > ! with whitespace. Specify "!pattern" to exclude an address or network > ! block from the list. The form "!/file/name" is supported only in > ! Postfix version 2.4 and later.

    > ! > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_authorized_xclient_hosts value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

    > ! > ! > !
    > ! > !
    smtpd_authorized_xforward_hosts > ! (default: empty)
    > ! > !

    > ! What remote SMTP clients are allowed to use the XFORWARD feature. This > ! command forwards information that is used to improve logging after > ! SMTP-based content filters. See the XFORWARD_README document for > ! details. > !

    > ! > !

    > ! This feature is available in Postfix 2.1 and later. > !

    > ! > !

    > ! By default, no clients are allowed to specify XFORWARD. > !

    > ! > !

    > ! Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also specify hostnames or > ! .domain names (the initial dot causes the domain to match any name > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > ! pattern is replaced by its contents; a "type:table" lookup table > ! is matched when a table entry matches a lookup string (the lookup > ! result is ignored). Continue long lines by starting the next line > ! with whitespace. Specify "!pattern" to exclude an address or network > ! block from the list. The form "!/file/name" is supported only in > ! Postfix version 2.4 and later.

    > ! > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_authorized_xforward_hosts value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

    > ! > ! > !
    > ! > !
    smtpd_banner > ! (default: $myhostname ESMTP $mail_name)
    > ! > !

    > ! The text that follows the 220 status code in the SMTP greeting > ! banner. Some people like to see the mail version advertised. By > ! default, Postfix shows no version. > !

    > ! > !

    > ! You MUST specify $myhostname at the start of the text. This is > ! required by the SMTP protocol. > !

    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    > ! 
    > ! > ! > !
    > ! > !
    smtpd_client_connection_count_limit > ! (default: 50)
    > ! > !

    > ! How many simultaneous connections any client is allowed to > ! make to this service. By default, the limit is set to half > ! the default process limit value. > !

    > ! > !

    > ! To disable this feature, specify a limit of 0. > !

    > ! > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > ! > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > ! > ! > !
    > ! > !
    smtpd_client_connection_rate_limit > ! (default: 0)
    > ! > !

    > ! The maximal number of connection attempts any client is allowed to > ! make to this service per time unit. The time unit is specified > ! with the anvil_rate_time_unit configuration parameter. > !

    > ! > !

    > ! By default, a client can make as many connections per time unit as > ! Postfix can accept. > !

    > ! > !

    > ! To disable this feature, specify a limit of 0. > !

    > ! > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > ! > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtpd_client_connection_rate_limit = 1000
    > ! 
    > ! > ! > !
    > ! > !
    smtpd_client_event_limit_exceptions > ! (default: $mynetworks)
    > ! > !

    > ! Clients that are excluded from smtpd_client_*_count/rate_limit > ! restrictions. See the mynetworks parameter > ! description for the parameter value syntax. > !

    > ! > !

    > ! By default, clients in trusted networks are excluded. Specify a > ! list of network blocks, hostnames or .domain names (the initial > ! dot causes the domain to match any name below it). > !

    > ! > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_client_event_limit_exceptions value, and > ! in files specified with "/file/name". IP version 6 addresses > ! contain the ":" character, and would otherwise be confused with a > ! "type:table" pattern.

    > ! > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > ! > ! > !
    > ! > !
    smtpd_client_message_rate_limit > ! (default: 0)
    > ! > !

    > ! The maximal number of message delivery requests that any client is > ! allowed to make to this service per time unit, regardless of whether > ! or not Postfix actually accepts those messages. The time unit is > ! specified with the anvil_rate_time_unit configuration parameter. > !

    > ! > !

    > ! By default, a client can send as many message delivery requests > ! per time unit as Postfix can accept. > !

    > ! > !

    > ! To disable this feature, specify a limit of 0. > !

    > ! > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > ! > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtpd_client_message_rate_limit = 1000
    > ! 
    > ! > ! > !
    > ! > !
    smtpd_client_new_tls_session_rate_limit > ! (default: 0)
    > ! > !

    > ! The maximal number of new (i.e., uncached) TLS sessions that a > ! remote SMTP client is allowed to negotiate with this service per > ! time unit. The time unit is specified with the anvil_rate_time_unit > ! configuration parameter. > !

    > ! > !

    > ! By default, a remote SMTP client can negotiate as many new TLS > ! sessions per time unit as Postfix can accept. > !

    > ! > !

    > ! To disable this feature, specify a limit of 0. Otherwise, specify > ! a limit that is at least the per-client concurrent session limit, > ! or else legitimate client sessions may be rejected. > !

    > ! > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > ! > !

    > ! This feature is available in Postfix 2.3 and later. > !

    > ! > !

    > ! Example: > !

    > ! > !
    > ! smtpd_client_new_tls_session_rate_limit = 100
    > ! 
    > ! > ! > !
    > ! > !
    smtpd_client_port_logging > ! (default: no)
    > ! > !

    Enable logging of the remote SMTP client port in addition to > ! the hostname and IP address. The logging format is "host[address]:port". > !

    > ! > !

    This feature is available in Postfix 2.5 and later.

    > ! > ! > !
    > ! > !
    smtpd_client_recipient_rate_limit > ! (default: 0)
    > ! > !

    > ! The maximal number of recipient addresses that any client is allowed > ! to send to this service per time unit, regardless of whether or not > ! Postfix actually accepts those recipients. The time unit is specified > ! with the anvil_rate_time_unit configuration parameter. > !

    > ! > !

    > ! By default, a client can send as many recipient addresses per time > ! unit as Postfix can accept. > !

    > ! > !

    > ! To disable this feature, specify a limit of 0. > !

    > ! > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > ! > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > ! > !

    > ! Example: > !

    > >
    > ! smtpd_client_recipient_rate_limit = 1000
    > ! 
    > ! > ! > !
    > ! > !
    smtpd_client_restrictions > ! (default: empty)
    > ! > !

    > ! Optional Postfix SMTP server access restrictions in the context of > ! a remote SMTP client connection request. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. > !

    > ! > !

    > ! The default is to allow all connection requests. > !

    > ! > !

    > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. > !

    > ! > !

    > ! The following restrictions are specific to client hostname or > ! client network address information. > !

    > ! > !
    > ! > !
    check_ccert_access type:table
    > ! > !
    Use the remote SMTP client certificate fingerprint or the public key > ! fingerprint (Postfix 2.9 and later) as lookup key for the specified > ! access(5) database; with Postfix version 2.2, also require that the > ! remote SMTP client certificate is verified successfully. > ! The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5). This feature is available with Postfix version > ! 2.2 and later.
    > ! > !
    check_client_access type:table
    > ! > !
    Search the specified access database for the client hostname, > ! parent domains, client IP address, or networks obtained by stripping > ! least significant octets. See the access(5) manual page for details.
    > ! > !
    check_client_mx_access type:table
    > ! > !
    Search the specified access(5) database for the MX hosts for the > ! client hostname, and execute the corresponding action. Note: a result > ! of "OK" is not allowed for safety reasons. Instead, use DUNNO in order > ! to exclude specific hosts from blacklists. This feature is available > ! in Postfix 2.7 and later.
    > ! > !
    check_client_ns_access type:table
    > ! > !
    Search the specified access(5) database for the DNS servers for > ! the client hostname, and execute the corresponding action. Note: a > ! result of "OK" is not allowed for safety reasons. Instead, use DUNNO > ! in order to exclude specific hosts from blacklists. This feature is > ! available in Postfix 2.7 and later.
    > ! > !
    check_reverse_client_hostname_access type:table
    > ! > !
    Search the specified access database for the unverified reverse > ! client hostname, parent domains, client IP address, or networks > ! obtained by stripping least significant octets. See the access(5) > ! manual page for details. Note: a result of "OK" is not allowed for > ! safety reasons. Instead, use DUNNO in order to exclude specific > ! hosts from blacklists. This feature is available in Postfix 2.6 > ! and later.
    > ! > !
    check_reverse_client_hostname_mx_access type:table
    > ! > !
    Search the specified access(5) database for the MX hosts for the > ! unverified reverse client hostname, and execute the corresponding > ! action. Note: a result of "OK" is not allowed for safety reasons. > ! Instead, use DUNNO in order to exclude specific hosts from blacklists. > ! This feature is available in Postfix 2.7 and later.
    > ! > !
    check_reverse_client_hostname_ns_access type:table
    > ! > !
    Search the specified access(5) database for the DNS servers for > ! the unverified reverse client hostname, and execute the corresponding > ! action. Note: a result of "OK" is not allowed for safety reasons. > ! Instead, use DUNNO in order to exclude specific hosts from blacklists. > ! This feature is available in Postfix 2.7 and later.
    > ! > !
    permit_inet_interfaces
    > ! > !
    Permit the request when the client IP address matches > ! $inet_interfaces.
    > ! > !
    permit_mynetworks
    > ! > !
    Permit the request when the client IP address matches any > ! network or network address listed in $mynetworks.
    > ! > !
    permit_sasl_authenticated
    > ! > !
    Permit the request when the client is successfully > ! authenticated via the RFC 4954 (AUTH) protocol.
    > ! > !
    permit_tls_all_clientcerts
    > ! > !
    Permit the request when the remote SMTP client certificate is > ! verified successfully. This option must be used only if a special > ! CA issues the certificates and only this CA is listed as trusted > ! CA. Otherwise, clients with a third-party certificate would also > ! be allowed to relay. Specify "tls_append_default_CA = no" when the > ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, > ! to prevent Postfix from appending the system-supplied default CAs. > ! This feature is available with Postfix version 2.2.
    > ! > !
    permit_tls_clientcerts
    > ! > !
    Permit the request when the remote SMTP client certificate > ! fingerprint or public key fingerprint (Postfix 2.9 and later) is > ! listed in $relay_clientcerts. > ! The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5). This feature is available with Postfix version > ! 2.2.
    > ! > !
    reject_rbl_client rbl_domain=d.d.d.d
    > ! > !
    Reject the request when the reversed client network address is > ! listed with the A record "d.d.d.d" under rbl_domain > ! (Postfix version 2.1 and later only). Each "d" is a number, > ! or a pattern inside "[]" that contains one or more ";"-separated > ! numbers or number..number ranges (Postfix version 2.8 and later). > ! If no "=d.d.d.d" is specified, reject the request when the > ! reversed client network address is listed with any A record under > ! rbl_domain.
    > ! The maps_rbl_reject_code parameter specifies the response code for > ! rejected requests (default: 554), the default_rbl_reply parameter > ! specifies the default server reply, and the rbl_reply_maps parameter > ! specifies tables with server replies indexed by rbl_domain. > ! This feature is available in Postfix 2.0 and later.
    > ! > !
    permit_dnswl_client dnswl_domain=d.d.d.d
    > ! > !
    Accept the request when the reversed client network address is > ! listed with the A record "d.d.d.d" under dnswl_domain. > ! Each "d" is a number, or a pattern inside "[]" that contains > ! one or more ";"-separated numbers or number..number ranges. > ! If no "=d.d.d.d" is specified, accept the request when the > ! reversed client network address is listed with any A record under > ! dnswl_domain.
    For safety, permit_dnswl_client is silently > ! ignored when it would override reject_unauth_destination. The > ! result is DEFER_IF_REJECT when whitelist lookup fails. This feature > ! is available in Postfix 2.8 and later.
    > ! > !
    reject_rhsbl_client rbl_domain=d.d.d.d
    > ! > !
    Reject the request when the client hostname is listed with the > ! A record "d.d.d.d" under rbl_domain (Postfix version > ! 2.1 and later only). Each "d" is a number, or a pattern > ! inside "[]" that contains one or more ";"-separated numbers or > ! number..number ranges (Postfix version 2.8 and later). If no > ! "=d.d.d.d" is specified, reject the request when the client > ! hostname is listed with > ! any A record under rbl_domain. See the reject_rbl_client > ! description above for additional RBL related configuration parameters. > ! This feature is available in Postfix 2.0 and later; with Postfix > ! version 2.8 and later, reject_rhsbl_reverse_client will usually > ! produce better results.
    > ! > !
    permit_rhswl_client rhswl_domain=d.d.d.d
    > ! > !
    Accept the request when the client hostname is listed with the > ! A record "d.d.d.d" under rhswl_domain. Each "d" > ! is a number, or a pattern inside "[]" that contains one or more > ! ";"-separated numbers or number..number ranges. If no > ! "=d.d.d.d" is specified, accept the request when the client > ! hostname is listed with any A record under rhswl_domain. > !
    Caution: client name whitelisting is fragile, since the client > ! name lookup can fail due to temporary outages. Client name > ! whitelisting should be used only to reduce false positives in e.g. > ! DNS-based blocklists, and not for making access rule exceptions. > !
    For safety, permit_rhswl_client is silently ignored when it > ! would override reject_unauth_destination. The result is DEFER_IF_REJECT > ! when whitelist lookup fails. This feature is available in Postfix > ! 2.8 and later.
    > ! > !
    reject_rhsbl_reverse_client rbl_domain=d.d.d.d
    > ! > !
    Reject the request when the unverified reverse client hostname > ! is listed with the A record "d.d.d.d" under rbl_domain. > ! Each "d" is a number, or a pattern inside "[]" that contains > ! one or more ";"-separated numbers or number..number ranges. > ! If no "=d.d.d.d" is specified, reject the request when the > ! unverified reverse client hostname is listed with any A record under > ! rbl_domain. See the reject_rbl_client description above for > ! additional RBL related configuration parameters. This feature is > ! available in Postfix 2.8 and later.
    > ! > !
    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    > ! > !
    Reject the request when 1) the client IP address->name mapping > ! fails, 2) the name->address mapping fails, or 3) the name->address > ! mapping does not match the client IP address.
    This is a > ! stronger restriction than the reject_unknown_reverse_client_hostname > ! feature, which triggers only under condition 1) above.
    The > ! unknown_client_reject_code parameter specifies the response code > ! for rejected requests (default: 450). The reply is always 450 in > ! case the address->name or name->address lookup failed due to > ! a temporary problem.
    > ! > !
    reject_unknown_reverse_client_hostname
    > ! > !
    Reject the request when the client IP address has no address->name > ! mapping.
    This is a weaker restriction than the > ! reject_unknown_client_hostname feature, which requires not only > ! that the address->name and name->address mappings exist, but > ! also that the two mappings reproduce the client IP address.
    > ! The unknown_client_reject_code parameter specifies the response > ! code for rejected requests (default: 450). The reply is always 450 > ! in case the address->name lookup failed due to a temporary > ! problem.
    This feature is available in Postfix 2.3 and > ! later.
    > ! > !
    > ! > !

    > ! In addition, you can use any of the following > ! generic restrictions. These restrictions are applicable in > ! any SMTP command context. > !

    > ! > !
    > ! > !
    check_policy_service servername
    > ! > !
    Query the specified policy server. See the SMTPD_POLICY_README > ! document for details. This feature is available in Postfix 2.1 > ! and later.
    > ! > !
    defer
    > ! > !
    Defer the request. The client is told to try again later. This > ! restriction is useful at the end of a restriction list, to make > ! the default policy explicit.
    The defer_code parameter specifies > ! the SMTP server reply code (default: 450).
    > ! > !
    defer_if_permit
    > ! > !
    Defer the request if some later restriction would result in an > ! explicit or implicit PERMIT action. This is useful when a blacklisting > ! feature fails due to a temporary problem. This feature is available > ! in Postfix version 2.1 and later.
    > ! > !
    defer_if_reject
    > ! > !
    Defer the request if some later restriction would result in a > ! REJECT action. This is useful when a whitelisting feature fails > ! due to a temporary problem. This feature is available in Postfix > ! version 2.1 and later.
    > ! > !
    permit
    > ! > !
    Permit the request. This restriction is useful at the end of > ! a restriction list, to make the default policy explicit.
    > ! > !
    reject_multi_recipient_bounce
    > ! > !
    Reject the request when the envelope sender is the null address, > ! and the message has multiple envelope recipients. This usage has > ! rare but legitimate applications: under certain conditions, > ! multi-recipient mail that was posted with the DSN option NOTIFY=NEVER > ! may be forwarded with the null sender address. > !
    Note: this restriction can only work reliably > ! when used in smtpd_data_restrictions or > ! smtpd_end_of_data_restrictions, because the total number of > ! recipients is not known at an earlier stage of the SMTP conversation. > ! Use at the RCPT stage will only reject the second etc. recipient. > !
    > ! The multi_recipient_bounce_reject_code parameter specifies the > ! response code for rejected requests (default: 550). This feature > ! is available in Postfix 2.1 and later.
    > > !
    reject_plaintext_session
    > > !
    Reject the request when the connection is not encrypted. This > ! restriction should not be used before the client has had a chance > ! to negotiate encryption with the AUTH or STARTTLS commands. > !
    > ! The plaintext_reject_code parameter specifies the response > ! code for rejected requests (default: 450). This feature is available > ! in Postfix 2.3 and later.
    > > -
    reject_unauth_pipelining
    > > !
    Reject the request when the client sends SMTP commands ahead > ! of time where it is not allowed, or when the client sends SMTP > ! commands ahead of time without knowing that Postfix actually supports > ! ESMTP command pipelining. This stops mail from bulk mail software > ! that improperly uses ESMTP command pipelining in order to speed up > ! deliveries. > !
    With Postfix 2.6 and later, the SMTP server sets a per-session > ! flag whenever it detects illegal pipelining, including pipelined > ! EHLO or HELO commands. The reject_unauth_pipelining feature simply > ! tests whether the flag was set at any point in time during the > ! session. > !
    With older Postfix versions, reject_unauth_pipelining checks > ! the current status of the input read queue, and its usage is not > ! recommended in contexts other than smtpd_data_restrictions.
    > > !
    reject
    > > !
    Reject the request. This restriction is useful at the end of > ! a restriction list, to make the default policy explicit. The > ! reject_code configuration parameter specifies the response code for > ! rejected requests (default: 554).
    > > !
    sleep seconds
    > > !
    Pause for the specified number of seconds and proceed with > ! the next restriction in the list, if any. This may stop zombie > ! mail when used as: > !
    > ! /etc/postfix/main.cf:
    > !     smtpd_client_restrictions =
    > !         sleep 1, reject_unauth_pipelining
    > !     smtpd_delay_reject = no
    > ! 
    > ! This feature is available in Postfix 2.3.
    > > -
    warn_if_reject
    > > !
    A safety net for testing. When "warn_if_reject" is placed > ! before a reject-type restriction, access table query, or > ! check_policy_service query, this logs a "reject_warning" message > ! instead of rejecting a request (when a reject-type restriction fails > ! due to a temporary error, this logs a "reject_warning" message for > ! any implicit "defer_if_permit" actions that would normally prevent > ! mail from being accepted by some later access restriction). This > ! feature has no effect on defer_if_reject restrictions.
    > > !
    > > !

    > ! Other restrictions that are valid in this context: > !

    > > ! > >

    > ! Example: >

    > >
    > ! smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
    >   
    > > --- 9190,9352 ---- > > !
    none
    > !
    No TLS. No additional attributes are supported at this level.
    > > !
    may
    > !
    Opportunistic TLS. No additional attributes are supported at this > ! level. Since sending in the clear is acceptable, demanding stronger > ! than default TLS security parameters merely reduces inter-operability. > ! Postfix 2.3 and later ignore the smtp_tls_mandatory_ciphers and > ! smtp_tls_mandatory_protocols parameters at this security level; all > ! protocols are allowed and "export" grade or better ciphers are used. > ! When TLS handshakes fail, the connection is retried with TLS disabled. > ! This allows mail delivery to sites with non-interoperable TLS > ! implementations.
    > > !
    encrypt
    Mandatory TLS encryption. At this level > ! and higher the optional "ciphers" attribute overrides the main.cf > ! smtp_tls_mandatory_ciphers parameter and the optional "protocols" > ! keyword overrides the main.cf smtp_tls_mandatory_protocols parameter. > ! In the policy table, multiple protocols must be separated by colons, > ! as attribute values may not contain whitespace or commas.
    > > +
    fingerprint
    Certificate fingerprint > + verification. Available with Postfix 2.5 and later. At this security > + level, there are no trusted certificate authorities. The certificate > + trust chain, expiration date, ... are not checked. Instead, > + the optional match attribute, or else the main.cf > + smtp_tls_fingerprint_cert_match parameter, lists the > + valid "fingerprints" of the server certificate. The digest > + algorithm used to calculate the fingerprint is selected by the > + smtp_tls_fingerprint_digest parameter. Multiple fingerprints can > + be combined with a "|" delimiter in a single match attribute, or multiple > + match attributes can be employed. The ":" character is not used as a > + delimiter as it occurs between each pair of fingerprint (hexadecimal) > + digits.
    > > !
    verify
    Mandatory TLS verification. At this security > ! level, DNS MX lookups are trusted to be secure enough, and the name > ! verified in the server certificate is usually obtained indirectly via > ! unauthenticated DNS MX lookups. The optional "match" attribute overrides > ! the main.cf smtp_tls_verify_cert_match parameter. In the policy table, > ! multiple match patterns and strategies must be separated by colons. > ! In practice explicit control over matching is more common with the > ! "secure" policy, described below.
    > > !
    secure
    Secure-channel TLS. At this security level, DNS > ! MX lookups, though potentially used to determine the candidate next-hop > ! gateway IP addresses, are not trusted to be secure enough for TLS > ! peername verification. Instead, the default name verified in the server > ! certificate is obtained directly from the next-hop, or is explicitly > ! specified via the optional match attribute which overrides the > ! main.cf smtp_tls_secure_cert_match parameter. In the policy table, > ! multiple match patterns and strategies must be separated by colons. > ! The match attribute is most useful when multiple domains are supported by > ! common server, the policy entries for additional domains specify matching > ! rules for the primary domain certificate. While transport table overrides > ! routing the secondary domains to the primary nexthop also allow secure > ! verification, they risk delivery to the wrong destination when domains > ! change hands or are re-assigned to new gateways. With the "match" > ! attribute approach, routing is not perturbed, and mail is deferred if > ! verification of a new MX host fails.
    > > !
    > >

    > ! Example: >

    > > !
    > ! /etc/postfix/main.cf:
    > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > !     # Postfix 2.5 and later
    > !     smtp_tls_fingerprint_digest = md5
    > ! 
    > >
    > ! /etc/postfix/tls_policy:
    > !     example.edu                 none
    > !     example.mil                 may
    > !     example.gov                 encrypt protocols=TLSv1
    > !     example.com                 verify ciphers=high
    > !     example.net                 secure
    > !     .example.net                secure match=.example.net:example.net
    > !     [mail.example.org]:587      secure match=nexthop
    > !     # Postfix 2.5 and later
    > !     [thumb.example.org]          fingerprint
    > !     	match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > ! 	match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > ! 
    > > !

    Note: The hostname strategy if listed in a non-default > ! setting of smtp_tls_secure_cert_match or in the match attribute > ! in the policy table can render the secure level vulnerable to > ! DNS forgery. Do not use the hostname strategy for secure-channel > ! configurations in environments where DNS security is not assured.

    > > !

    This feature is available in Postfix 2.3 and later.

    > > > !
    > > !
    smtp_tls_scert_verifydepth > ! (default: 9)
    > > !

    The verification depth for remote SMTP server certificates. A depth > ! of 1 is sufficient if the issuing CA is listed in a local CA file.

    > > !

    The default verification depth is 9 (the OpenSSL default) for > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > ! the default value was 5, but the limit was not actually enforced. If > ! you have set this to a lower non-default value, certificates with longer > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > ! CAs are common, deeper chains are more rare and any number between 5 > ! and 9 should suffice in practice. You can choose a lower number if, > ! for example, you trust certificates directly signed by an issuing CA > ! but not any CAs it delegates to.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    smtp_tls_secure_cert_match > ! (default: nexthop, dot-nexthop)
    > > !

    The server certificate peername verification method for the > ! "secure" TLS security level. In a "secure" TLS policy table > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > ! overrides this main.cf setting.

    > > !

    This parameter specifies one or more patterns or strategies separated > ! by commas, whitespace or colons. In the policy table the only valid > ! separator is the colon character.

    > > !

    For a description of the pattern and strategy syntax see the > ! smtp_tls_verify_cert_match parameter. The "hostname" strategy should > ! be avoided in this context, as in the absence of a secure global DNS, using > ! the results of MX lookups in certificate verification is not immune to active > ! (man-in-the-middle) attacks on DNS.

    > > !

    > ! Sample main.cf setting: > !

    > ! > !
    > !
    > ! smtp_tls_secure_cert_match = nexthop
    > ! 
    > !
    > >

    > ! Sample policy table override: >

    > > +
    >
    > ! example.net     secure match=example.com:.example.com
    > ! .example.net    secure match=example.com:.example.com
    >   
    > +
    > + > +

    This feature is available in Postfix 2.3 and later.

    > > *************** > *** 12461,12502 **** > > !
    smtpd_command_filter > (default: empty)
    > > !

    A mechanism to transform commands from remote SMTP clients. > ! This is a last-resort tool to work around client commands that break > ! inter-operability with the Postfix SMTP server. Other uses involve > ! fault injection to test Postfix's handling of invalid commands. >

    > > !

    Specify the name of a "type:table" lookup table. The search > ! string is the SMTP command as received from the remote SMTP client, > ! except that initial whitespace and the trailing <CR><LF> > ! are removed. The result value is executed by the Postfix SMTP > ! server.

    > > !

    There is no need to use smtpd_command_filter for the following > ! cases:

    > > !
      > > !
    • Use "resolve_numeric_domain = yes" to accept > ! "user at ipaddress".

      > > !
    • Postfix already accepts the correct form > ! "user@[ipaddress]". Use virtual_alias_maps or canonical_maps > ! to translate these into domain names if necessary.

      > ! > !
    • Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User > ! Name <user at example.com>>". Postfix will ignore the "User > ! Name" part and deliver to the <user at example.com> address. > !

      > > !
    > > !

    Examples of problems that can be solved with the smtpd_command_filter > ! feature:

    > >
    > ! /etc/postfix/main.cf:
    > !     smtpd_command_filter = pcre:/etc/postfix/command_filter
    >   
    > --- 9355,9428 ---- > > !
    smtp_tls_security_level > (default: empty)
    > > !

    The default SMTP TLS security level for the Postfix SMTP client; > ! when a non-empty value is specified, this overrides the obsolete > ! parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. >

    > > !

    Specify one of the following security levels:

    > ! > !
    > > !
    none
    TLS will not be used unless enabled for specific > ! destinations via smtp_tls_policy_maps.
    > > !
    may
    > !
    Opportunistic TLS. TLS will be used if supported by the server. Since > ! sending in the clear is acceptable, demanding stronger than default TLS > ! security parameters merely reduces inter-operability. Postfix 2.3 and > ! later ignore the smtp_tls_mandatory_ciphers and > ! smtp_tls_mandatory_protocols parameters at this security level; all > ! protocols are allowed and "export" grade or better ciphers are used. > ! When TLS handshakes fail, the connection is retried with TLS disabled. > ! This allows mail delivery to sites with non-interoperable TLS > ! implementations.
    > > !
    encrypt
    Mandatory TLS encryption. Since a minimum > ! level of security is intended, it reasonable to be specific about > ! sufficiently secure protocol versions and ciphers. At this security level > ! and higher, the main.cf parameters smtp_tls_mandatory_protocols and > ! smtp_tls_mandatory_ciphers specify the TLS protocols and minimum > ! cipher grade which the administrator considers secure enough for > ! mandatory encrypted sessions. This security level is not an appropriate > ! default for systems delivering mail to the Internet.
    > > !
    fingerprint
    Certificate fingerprint > ! verification. Available with Postfix 2.5 and later. At this security > ! level, there are no trusted certificate authorities. The certificate > ! trust chain, expiration date, ... are not checked. Instead, > ! the smtp_tls_fingerprint_cert_match parameter lists > ! the valid "fingerprints" of the server certificate. The digest > ! algorithm used to calculate the fingerprint is selected by the > ! smtp_tls_fingerprint_digest parameter.
    > > !
    verify
    Mandatory TLS verification. At this security > ! level, DNS MX lookups are trusted to be secure enough, and the name > ! verified in the server certificate is usually obtained indirectly > ! via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match > ! parameter controls how the server name is verified. In practice explicit > ! control over matching is more common at the "secure" level, described > ! below. This security level is not an appropriate default for systems > ! delivering mail to the Internet.
    > ! > !
    secure
    Secure-channel TLS. At this security level, > ! DNS MX lookups, though potentially used to determine the candidate > ! next-hop gateway IP addresses, are not trusted to be secure enough > ! for TLS peername verification. Instead, the default name verified in > ! the server certificate is obtained from the next-hop domain as specified > ! in the smtp_tls_secure_cert_match configuration parameter. The default > ! matching rule is that a server certificate matches when its name is equal > ! to or is a sub-domain of the nexthop domain. This security level is not > ! an appropriate default for systems delivering mail to the Internet.
    > ! > !
    > > !

    > ! Examples: > !

    > >
    > ! # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    > ! smtp_tls_security_level = none
    >   
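Review bot: typo in the "encrypt" entry on the new side: "it reasonable to be specific about sufficiently secure protocol versions and ciphers" is missing "is". The "may" paragraph here is also a verbatim copy of the one under smtp_tls_policy_maps in the previous hunk; if both copies are kept, they need to be edited together, or the smtp_tls_security_level entry should just refer to the other.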
    > *************** > *** 12504,12508 **** >
    > ! /etc/postfix/command_filter:
    > !     # Work around clients that send malformed HELO commands.
    > !     /^HELO\s*$/ HELO domain.invalid
    >   
    > --- 9430,9433 ---- >
    > ! # Opportunistic TLS.
    > ! smtp_tls_security_level = may
    >   
    > *************** > *** 12510,12513 **** >
    > !     # Work around clients that send empty lines.
    > !     /^\s*$/     NOOP
    >   
    > --- 9435,9439 ---- >
    > ! # Mandatory (high-grade) TLS encryption.
    > ! smtp_tls_security_level = encrypt
    > ! smtp_tls_mandatory_ciphers = high
    >   
    > *************** > *** 12515,12519 **** >
    > !     # Work around clients that send RCPT TO:<'user at domain'>.
    > !     # WARNING: do not lose the parameters that follow the address.
    > !     /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/     RCPT TO:<$1>$2
    >   
    > --- 9441,9446 ---- >
    > ! # Mandatory TLS verification of hostname or nexthop domain.
    > ! smtp_tls_security_level = verify
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    >   
    > *************** > *** 12521,12525 **** >
    > !     # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    > !     # See VERP_README for more information on how to use Postfix VERP.
    > !     /^(MAIL FROM:<listname at example\.com>.*)/   $1 XVERP
    >   
    > --- 9448,9454 ---- >
    > ! # Secure channel TLS with exact nexthop name match.
    > ! smtp_tls_security_level = secure
    > ! smtp_tls_mandatory_protocols = TLSv1
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_secure_cert_match = nexthop
    >   
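Review bot: the secure-channel example sets "smtp_tls_mandatory_protocols = TLSv1", which names exactly one protocol version and so excludes anything newer. The fingerprint example in the next hunk uses the exclusion form "!SSLv2, !SSLv3", which sets a floor rather than a single version; this example, and the "encrypt protocols=TLSv1" policy-table line in the first hunk, should use the same form, otherwise the configuration meant to be the strictest is also the one that forbids newer TLS versions.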
    > *************** > *** 12527,12535 **** >
    > !     # Bounce-never mail sink. Use notify_classes=bounce,resource,software
    > !     # to send bounced mail to the postmaster (with message body removed).
    > !     /^(RCPT\s+TO:.*?)\bNOTIFY=\S+\b(.*)/ $1 NOTIFY=NEVER $2
    > !     /^(RCPT\s+TO:.*)/                    $1 NOTIFY=NEVER
    >   
    > > !

    This feature is available in Postfix 2.7.

    > > --- 9456,9472 ---- >
    > ! # Certificate fingerprint verification (Postfix ≥ 2.5).
    > ! # The CA-less "fingerprint" security level only scales to a limited
    > ! # number of destinations. As a global default rather than a per-site
    > ! # setting, this is practical when mail for all recipients is sent
    > ! # to a central mail hub.
    > ! relayhost = [mailhub.example.com]
    > ! smtp_tls_security_level = fingerprint
    > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > ! smtp_tls_mandatory_ciphers = high
    > ! smtp_tls_fingerprint_cert_match =
    > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    >   
    > > !

    This feature is available in Postfix 2.3 and later.
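Review bot: the fingerprint example lists two 16-byte digests under `smtp_tls_fingerprint_cert_match` but never says which digest algorithm produced them, so a reader cannot tell how to compute a matching value for their own hub; suggest the comment name the digest or point at the smtp_tls_fingerprint_digest parameter that selects it. The comment also says "(Postfix ≥ 2.5)" while the closing sentence says "available in Postfix 2.3 and later"; make clear which of the two claims applies to the fingerprint level and which to the parameter as a whole.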

    > > *************** > *** 12538,12609 **** > > !
    smtpd_data_restrictions > (default: empty)
    > > !

    > ! Optional access restrictions that the Postfix SMTP server applies > ! in the context of the SMTP DATA command. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. > !

    > ! > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > ! > !

    > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. > !

    > ! > !

    > ! The following restrictions are valid in this context: > !

    > ! > ! > > !

    > ! Examples: > !

    > >
    > ! smtpd_data_restrictions = reject_unauth_pipelining
    > ! smtpd_data_restrictions = reject_multi_recipient_bounce
    >   
    > > ! > !
    > ! > !
    smtpd_delay_open_until_valid_rcpt > ! (default: yes)
    > ! > !

    Postpone the start of an SMTP mail transaction until a valid > ! RCPT TO command is received. Specify "no" to create a mail transaction > ! as soon as the Postfix SMTP server receives a valid MAIL FROM > ! command.

    > ! > !

    With sites that reject lots of mail, the default setting reduces > ! the use of > ! disk, CPU and memory resources. The downside is that rejected > ! recipients are logged with NOQUEUE instead of a mail transaction > ! ID. This complicates the logfile analysis of multi-recipient mail. > !

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > > --- 9475,9508 ---- > > !
    smtp_tls_session_cache_database > (default: empty)
    > > !

    Name of the file containing the optional Postfix SMTP client > ! TLS session cache. Specify a database type that supports enumeration, > ! such as btree or sdbm; there is no need to support > ! concurrent access. The file is created if it does not exist. The smtp(8) > ! daemon does not use this parameter directly, rather the cache is > ! implemented indirectly in the tlsmgr(8) daemon. This means that > ! per-smtp-instance master.cf overrides of this parameter are not effective. > ! Note, that each of the cache databases supported by tlsmgr(8) daemon: > ! $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to > ! be stored separately. It is not at this time possible to store multiple > ! caches in a single database.

    > > !

    Note: dbm databases are not suitable. TLS > ! session objects are too large.

    > > !

    As of version 2.5, Postfix no longer uses root privileges when > ! opening this file. The file should now be stored under the Postfix-owned > ! data_directory. As a migration aid, an attempt to open the file > ! under a non-Postfix directory is redirected to the Postfix-owned > ! data_directory, and a warning is logged.

    > > !

    Example:

    > >
    > ! smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    >   
    > > !

    This feature is available in Postfix 2.2 and later.
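Review bot: the example `smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache` hardcodes a path, while the paragraph just above it says the file should be stored under the Postfix-owned data_directory and that any other location is redirected there with a warning; suggest `btree:$data_directory/smtp_scache` so the example follows the rule it documents. The same paragraph could also repeat, next to the example, that the smtpd, smtp and lmtp caches each need their own file, since the earlier sentence saying so is easy to miss when copying the example.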

    > > *************** > *** 12612,12635 **** > > !
    smtpd_delay_reject > ! (default: yes)
    > ! > !

    > ! Wait until the RCPT TO command before evaluating > ! $smtpd_client_restrictions, $smtpd_helo_restrictions and > ! $smtpd_sender_restrictions, or wait until the ETRN command before > ! evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. > !

    > > !

    > ! This feature is turned on by default because some clients apparently > ! mis-behave when the Postfix SMTP server rejects commands before > ! RCPT TO. > !

    > > !

    > ! The default setting has one major benefit: it allows Postfix to log > ! recipient address information when rejecting a client name/address > ! or sender address, so that it is possible to find out whose mail > ! is being rejected. > !

    > > --- 9511,9523 ---- > > !
    smtp_tls_session_cache_timeout > ! (default: 3600s)
    > > !

    The expiration time of Postfix SMTP client TLS session cache > ! information. A cache cleanup is performed periodically > ! every $smtp_tls_session_cache_timeout seconds. As with > ! $smtp_tls_session_cache_database, this parameter is implemented in the > ! tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides > ! are not possible.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > *************** > *** 12638,12691 **** > > !
    smtpd_discard_ehlo_keyword_address_maps > ! (default: empty)
    > > !

    Lookup tables, indexed by the remote SMTP client address, with > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > ! etc.) that the Postfix SMTP server will not send in the EHLO response > ! to a > ! remote SMTP client. See smtpd_discard_ehlo_keywords for details. > ! The table is not searched by hostname for robustness reasons.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > > !
    > > !
    smtpd_discard_ehlo_keywords > ! (default: empty)
    > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > ! auth, etc.) that the Postfix SMTP server will not send in the EHLO > ! response > ! to a remote SMTP client.

    > > !

    This feature is available in Postfix 2.2 and later.

    > > !

    Notes:

    > > !
      > > !
    • Specify the silent-discard pseudo keyword to prevent > ! this action from being logged.

      > > !
    • Use the smtpd_discard_ehlo_keyword_address_maps feature > ! to discard EHLO keywords selectively.

      > > !
    > > > !
    > > !
    smtpd_end_of_data_restrictions > ! (default: empty)
    > > !

    Optional access restrictions that the Postfix SMTP server > ! applies in the context of the SMTP END-OF-DATA command. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. >

    > > !

    This feature is available in Postfix 2.2 and later.

    > > !

    See smtpd_data_restrictions for details and limitations.

    > > --- 9526,9603 ---- > > !
    smtp_tls_verify_cert_match > ! (default: hostname)
    > > !

    The server certificate peername verification method for the > ! "verify" TLS security level. In a "verify" TLS policy table > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > ! overrides this main.cf setting.

    > > !

    This parameter specifies one or more patterns or strategies separated > ! by commas, whitespace or colons. In the policy table the only valid > ! separator is the colon character.

    > > +

    Patterns specify domain names, or domain name suffixes:

    > > !
    > > !
    example.com
    Match the example.com domain, > ! i.e. one of the names the server certificate must be example.com, > ! upper and lower case distinctions are ignored.
    > > !
    .example.com
    > !
    Match subdomains of the example.com domain, i.e. match > ! a name in the server certificate that consists of a non-zero number of > ! labels followed by a .example.com suffix. Case distinctions are > ! ignored.
    > > !
    > > !

    Strategies specify a transformation from the next-hop domain > ! to the expected name in the server certificate:

    > > !
    > > !
    nexthop
    > !
    Match against the next-hop domain, which is either the recipient > ! domain, or the transport next-hop configured for the domain stripped of > ! any optional socket type prefix, enclosing square brackets and trailing > ! port. When MX lookups are not suppressed, this is the original nexthop > ! domain prior to the MX lookup, not the result of the MX lookup. For > ! LMTP delivery via UNIX-domain sockets, the verified next-hop name is > ! $myhostname. This strategy is suitable for use with the "secure" > ! policy. Case is ignored.
    > > !
    dot-nexthop
    > !
    As above, but match server certificate names that are subdomains > ! of the next-hop domain. Case is ignored.
    > > !
    hostname
    Match against the hostname of the server, often > ! obtained via an unauthenticated DNS MX lookup. For LMTP delivery via > ! UNIX-domain sockets, the verified name is $myhostname. This matches > ! the verification strategy of the "MUST" keyword in the obsolete > ! smtp_tls_per_site table, and is suitable for use with the "verify" > ! security level. When the next-hop name is enclosed in square brackets > ! to suppress MX lookups, the "hostname" strategy is the same as the > ! "nexthop" strategy. Case is ignored.
    > > +
    > > !

    > ! Sample main.cf setting: > !

    > > !
    > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > ! 
    > > !

    > ! Sample policy table override: >

    > > !
    > ! example.com     verify  match=hostname:nexthop
    > ! .example.com    verify  match=example.com:.example.com:hostname
    > ! 
    > > !

    This feature is available in Postfix 2.3 and later.
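Review bot: the `example.com` pattern description is missing a word: "i.e. one of the names the server certificate must be example.com" should read "i.e. one of the names in the server certificate must be example.com". Separately, the "hostname" strategy text says the name is "often obtained via an unauthenticated DNS MX lookup" and is "suitable for use with the 'verify' security level"; it would help readers to state plainly that "verify" with "hostname" therefore extends trust to that MX lookup, which is the reason the "secure" level is paired with the "nexthop" strategy two entries above.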

    > > *************** > *** 12694,12727 **** > > !
    smtpd_enforce_tls > (default: no)
    > > !

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, > ! and require that clients use TLS encryption. According to RFC 2487 > ! this MUST NOT be applied in case of a publicly-referenced SMTP > ! server. This option is therefore off by default.

    > ! > !

    Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

    > ! > !

    Note 2: when invoked via "sendmail -bs", Postfix will never offer > ! STARTTLS due to insufficient privileges to access the server private > ! key. This is intended behavior.

    > >

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

    > ! > ! > !
    > ! > !
    smtpd_error_sleep_time > ! (default: 1s)
    > ! > !

    With Postfix version 2.1 and later: the SMTP server response delay after > ! a client has made more than $smtpd_soft_error_limit errors, and > ! fewer than $smtpd_hard_error_limit errors, without delivering mail. > !

    > ! > !

    With Postfix version 2.0 and earlier: the SMTP server delay before > ! sending a reject (4xx or 5xx) response, when the client has made > ! fewer than $smtpd_soft_error_limit errors without delivering > ! mail.

    > > --- 9606,9619 ---- > > !
    smtp_use_tls > (default: no)
    > > !

    Opportunistic mode: use TLS when a remote SMTP server announces > ! STARTTLS support, otherwise send the mail in the clear. Beware: > ! some SMTP servers offer STARTTLS even if it is not configured. With > ! Postfix < 2.3, if the TLS handshake fails, and no other server is > ! available, delivery is deferred and mail stays in the queue. If this > ! is a concern for you, use the smtp_tls_per_site feature instead.

    > >

    This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > *************** > *** 12730,12745 **** > > !
    smtpd_etrn_restrictions > ! (default: empty)
    > ! > !

    > ! Optional SMTP server access restrictions in the context of a client > ! ETRN request. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. > !

    > >

    > ! The Postfix ETRN implementation accepts only destinations that are > ! eligible for the Postfix "fast flush" service. See the ETRN_README > ! file for details. >

    > --- 9622,9629 ---- > > !
    smtp_xforward_timeout > ! (default: 300s)
    > >

    > ! The SMTP client time limit for sending the XFORWARD command, and > ! for receiving the server response. >

    > *************** > *** 12747,12752 **** >

    > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. >

    > --- 9631,9634 ---- >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > *************** > *** 12754,12790 **** >

    > ! The following restrictions are specific to the domain name information > ! received with the ETRN command. >

    > > -
    > - > -
    check_etrn_access type:table
    > - > -
    Search the specified access database for the ETRN domain name > - or its parent domains. See the access(5) manual page for details. > -
    > - > -
    > > !

    > ! Other restrictions that are valid in this context: > !

    > > ! > > !

    > ! Example: > !

    > > !
    > ! smtpd_etrn_restrictions = permit_mynetworks, reject
    > ! 
    > > --- 9636,9672 ---- >

    > ! This feature is available in Postfix 2.1 and later. >

    > > > !
    > > !
    smtpd_authorized_verp_clients > ! (default: $authorized_verp_clients)
    > > !

    What SMTP clients are allowed to specify the XVERP command. > ! This command requests that mail be delivered one recipient at a > ! time with a per recipient return address.

    > > !

    By default, no clients are allowed to specify XVERP.

    > > !

    This parameter was renamed with Postfix version 2.1. The default value > ! is backwards compatible with Postfix version 2.0.

    > > !

    Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also specify hostnames or > ! .domain names (the initial dot causes the domain to match any name > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > ! pattern is replaced by its contents; a "type:table" lookup table > ! is matched when a table entry matches a lookup string (the lookup > ! result is ignored). Continue long lines by starting the next line > ! with whitespace. Specify "!pattern" to exclude an address or network > ! block from the list. The form "!/file/name" is supported only in > ! Postfix version 2.4 and later.

    > > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_authorized_verp_clients value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.
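Review bot: the smtpd_authorized_verp_clients text says "By default, no clients are allowed to specify XVERP", but the default shown is `$authorized_verp_clients`, so the statement only holds while that parameter is itself left empty; suggest saying so, or the two lines read as a contradiction.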

    > > *************** > *** 12793,12801 **** > > !
    smtpd_expansion_filter > ! (default: see "postconf -d" output)
    > >

    > ! What characters are allowed in $name expansions of RBL reply > ! templates. Characters not in the allowed set are replaced by "_". > ! Use C like escapes to specify special characters such as whitespace. >

    > --- 9675,9685 ---- > > !
    smtpd_authorized_xclient_hosts > ! (default: empty)
    > >

    > ! What SMTP clients are allowed to use the XCLIENT feature. This > ! command overrides SMTP client information that is used for access > ! control. Typical use is for SMTP-based content filters, fetchmail-like > ! programs, or SMTP server access rule testing. See the XCLIENT_README > ! document for details. >
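Review bot: the smtpd_authorized_xclient_hosts description says the command "overrides SMTP client information that is used for access control" but does not spell out the consequence: a host on this list can present whatever client name and address it likes to the access restrictions, so the list should be limited to the content filters and test hosts the paragraph names. Suggest one sentence to that effect beside "By default, no clients are allowed to specify XCLIENT."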

    > *************** > *** 12803,12805 **** >

    > ! This parameter is not subjected to $parameter expansion. >

    > --- 9687,9689 ---- >

    > ! This feature is available in Postfix 2.1 and later. >

    > *************** > *** 12807,12811 **** >

    > ! This feature is available in Postfix 2.0 and later. >

    > > > --- 9691,9714 ---- >

    > ! By default, no clients are allowed to specify XCLIENT. >

    > > +

    > + Specify a list of network/netmask patterns, separated by commas > + and/or whitespace. The mask specifies the number of bits in the > + network part of a host address. You can also specify hostnames or > + .domain names (the initial dot causes the domain to match any name > + below it), "/file/name" or "type:table" patterns. A "/file/name" > + pattern is replaced by its contents; a "type:table" lookup table > + is matched when a table entry matches a lookup string (the lookup > + result is ignored). Continue long lines by starting the next line > + with whitespace. Specify "!pattern" to exclude an address or network > + block from the list. The form "!/file/name" is supported only in > + Postfix version 2.4 and later.

    > + > +

    Note: IP version 6 address information must be specified inside > + [] in the smtpd_authorized_xclient_hosts value, and in > + files specified with "/file/name". IP version 6 addresses contain > + the ":" character, and would otherwise be confused with a "type:table" > + pattern.

    > + > > *************** > *** 12813,12823 **** > > !
    smtpd_forbidden_commands > ! (default: CONNECT, GET, POST)
    > >

    > ! List of commands that cause the Postfix SMTP server to immediately > ! terminate the session with a 221 code. This can be used to disconnect > ! clients that obviously attempt to abuse the system. In addition to the > ! commands listed in this parameter, commands that follow the "Label:" > ! format of message headers will also cause a disconnect. >

    > --- 9716,9725 ---- > > !
    smtpd_authorized_xforward_hosts > ! (default: empty)
    > >

    > ! What SMTP clients are allowed to use the XFORWARD feature. This > ! command forwards information that is used to improve logging after > ! SMTP-based content filters. See the XFORWARD_README document for > ! details. >

    > *************** > *** 12825,12843 **** >

    > ! This feature is available in Postfix 2.2 and later. >

    > > ! > !
    > ! > !
    smtpd_hard_error_limit > ! (default: normal: 20, overload: 1)
    > >

    > ! The maximal number of errors a remote SMTP client is allowed to > ! make without delivering mail. The Postfix SMTP server disconnects > ! when the limit is exceeded. Normally the default limit is 20, but > ! it changes under overload to just 1. With Postfix 2.5 and earlier, > ! the SMTP server always allows up to 20 errors by default. > > !

    > > --- 9727,9753 ---- >

    > ! This feature is available in Postfix 2.1 and later. >

    > > !

    > ! By default, no clients are allowed to specify XFORWARD. > !

    > >

    > ! Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also specify hostnames or > ! .domain names (the initial dot causes the domain to match any name > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > ! pattern is replaced by its contents; a "type:table" lookup table > ! is matched when a table entry matches a lookup string (the lookup > ! result is ignored). Continue long lines by starting the next line > ! with whitespace. Specify "!pattern" to exclude an address or network > ! block from the list. The form "!/file/name" is supported only in > ! Postfix version 2.4 and later.

    > > !

    Note: IP version 6 address information must be specified inside > ! [] in the smtpd_authorized_xforward_hosts value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

    > > *************** > *** 12846,12854 **** > > !
    smtpd_helo_required > ! (default: no)
    > >

    > ! Require that a remote SMTP client introduces itself with the HELO > ! or EHLO command before sending the MAIL command or other commands > ! that require EHLO negotiation. >

    > --- 9756,9769 ---- > > !
    smtpd_banner > ! (default: $myhostname ESMTP $mail_name)
    > ! > !

    > ! The text that follows the 220 status code in the SMTP greeting > ! banner. Some people like to see the mail version advertised. By > ! default, Postfix shows no version. > !

    > >

    > ! You MUST specify $myhostname at the start of the text. This is > ! required by the SMTP protocol. >

    > *************** > *** 12860,12862 **** >
    > ! smtpd_helo_required = yes
    >   
    > --- 9775,9777 ---- >
    > ! smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    >   
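Review bot: the example `smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)` adds the version string that the description in the previous hunk says Postfix deliberately omits by default; since the banner is the 220 greeting sent to every connecting client, suggest the example either keep the default text or carry a comment noting that it discloses the Postfix version to anyone who connects.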
    > *************** > *** 12866,12875 **** > > !
    smtpd_helo_restrictions > ! (default: empty)
    > >

    > ! Optional restrictions that the Postfix SMTP server applies in the > ! context of the SMTP HELO command. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. >

    > --- 9781,9789 ---- > > !
    smtpd_client_connection_count_limit > ! (default: 50)
    > >

    > ! How many simultaneous connections any client is allowed to > ! make to this service. By default, the limit is set to half > ! the default process limit value. >

    > *************** > *** 12877,12884 **** >

    > ! The default is to permit everything. > !

    > ! > !

    Note: specify "smtpd_helo_required = yes" to fully enforce this > ! restriction (without "smtpd_helo_required = yes", a client can > ! simply skip smtpd_helo_restrictions by not sending HELO or EHLO). >

    > --- 9791,9793 ---- >

    > ! To disable this feature, specify a limit of 0. >

    > *************** > *** 12886,12891 **** >

    > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. >

    > --- 9795,9798 ---- >

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. >

    > *************** > *** 12893,13086 **** >

    > ! The following restrictions are specific to the hostname information > ! received with the HELO or EHLO command. >

    > > -
    > - > -
    check_helo_access type:table
    > - > -
    Search the specified access(5) database for the HELO or EHLO > - hostname or parent domains, and execute the corresponding action. > - Note: specify "smtpd_helo_required = yes" to fully enforce this > - restriction (without "smtpd_helo_required = yes", a client can > - simply skip check_helo_access by not sending HELO or EHLO).
    > - > -
    check_helo_mx_access type:table
    > - > -
    Search the specified access(5) database for the MX hosts for > - the HELO or EHLO hostname, and execute the corresponding action. > - Note 1: a result of "OK" is not allowed for safety reasons. Instead, > - use DUNNO in order to exclude specific hosts from blacklists. Note > - 2: specify "smtpd_helo_required = yes" to fully enforce this > - restriction (without "smtpd_helo_required = yes", a client can > - simply skip check_helo_mx_access by not sending HELO or EHLO). This > - feature is available in Postfix 2.1 and later. > -
    > - > -
    check_helo_ns_access type:table
    > - > -
    Search the specified access(5) database for the DNS servers > - for the HELO or EHLO hostname, and execute the corresponding action. > - Note 1: a result of "OK" is not allowed for safety reasons. Instead, > - use DUNNO in order to exclude specific hosts from blacklists. Note > - 2: specify "smtpd_helo_required = yes" to fully enforce this > - restriction (without "smtpd_helo_required = yes", a client can > - simply skip check_helo_ns_access by not sending HELO or EHLO). This > - feature is available in Postfix 2.1 and later. > -
    > - > -
    reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
    > - > -
    Reject the request when the HELO or EHLO hostname syntax is > - invalid. Note: specify "smtpd_helo_required = yes" to fully enforce > - this restriction (without "smtpd_helo_required = yes", a client can simply > - skip reject_invalid_helo_hostname by not sending HELO or EHLO). > -
    The invalid_hostname_reject_code specifies the response code > - for rejected requests (default: 501).
    > - > -
    reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
    > - > -
    Reject the request when the HELO or EHLO hostname is not in > - fully-qualified domain form, as required by the RFC. Note: specify > - "smtpd_helo_required = yes" to fully enforce this restriction > - (without "smtpd_helo_required = yes", a client can simply skip > - reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
    > - The non_fqdn_reject_code parameter specifies the response code for > - rejected requests (default: 504).
    > - > -
    reject_rhsbl_helo rbl_domain=d.d.d.d
    > - > -
    Reject the request when the HELO or EHLO hostname hostname is > - listed with the A record "d.d.d.d" under rbl_domain > - (Postfix version 2.1 and later only). Each "d" is a number, > - or a pattern inside "[]" that contains one or more ";"-separated > - numbers or number..number ranges (Postfix version 2.8 and later). > - If no "=d.d.d.d" is > - specified, reject the request when the HELO or EHLO hostname is > - listed with any A record under rbl_domain. See the > - reject_rbl_client description for additional RBL related configuration > - parameters. Note: specify "smtpd_helo_required = yes" to fully > - enforce this restriction (without "smtpd_helo_required = yes", a > - client can simply skip reject_rhsbl_helo by not sending HELO or > - EHLO). This feature is available in Postfix 2.0 > - and later.
    > - > -
    reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
    > > !
    Reject the request when the HELO or EHLO hostname has no DNS A > ! or MX record.
    The unknown_hostname_reject_code parameter > ! specifies the numerical response code for rejected requests (default: > ! 450).
    The unknown_helo_hostname_tempfail_action parameter > ! specifies the action after a temporary DNS error (default: > ! defer_if_permit). Note: specify "smtpd_helo_required = yes" to fully > ! enforce this restriction (without "smtpd_helo_required = yes", a > ! client can simply skip reject_unknown_helo_hostname by not sending > ! HELO or EHLO).
    > > !
    > >

    > ! Other restrictions that are valid in this context: >

    > > - > - >

    > ! Examples: >

    > > -
    > - smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
    > - smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
    > - 
    > - > - > -
    > - > -
    smtpd_history_flush_threshold > - (default: 100)
    > - >

    > ! The maximal number of lines in the Postfix SMTP server command history > ! before it is flushed upon receipt of EHLO, RSET, or end of DATA. >

    > > - > -
    > - > -
    smtpd_junk_command_limit > - (default: normal: 100, overload: 1)
    > - >

    > ! The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote > ! SMTP client can send before the Postfix SMTP server starts to > ! increment the error counter with each junk command. The junk > ! command count is reset after mail is delivered. See also the > ! smtpd_error_sleep_time and smtpd_soft_error_limit configuration > ! parameters. Normally the default limit is 100, but it changes under > ! overload to just 1. With Postfix 2.5 and earlier, the SMTP server > ! always allows up to 100 junk commands by default.

    > ! > ! > !
    > ! > !
    smtpd_log_access_permit_actions > ! (default: empty)
    > ! > !

    Enable logging of the named "permit" actions in SMTP server > ! access lists. This does not affect conditional actions such as > ! "defer_if_permit".

    > ! > !

    Specify a list of "permit" action names, "/file/name" or > ! "type:table" patterns, separated by commas and/or whitespace. The > ! list is matched left to right, and the search stops on the first > ! match. A "/file/name" pattern is replaced by its contents; a > ! "type:table" lookup table is matched when a name matches a lookup > ! key (the lookup result is ignored). Continue long lines by starting > ! the next line with whitespace. Specify "!pattern" to exclude a name > ! from the list.

    > > !

    Examples:

    > > !
    > ! /etc/postfix/main.cf:
    > !     # Log all "permit" actions.
    > !     smtpd_log_access_permit_actions = static:all
    > ! 
    > >
    > ! /etc/postfix/main.cf:
    > !     # Log "permit_dnswl_client" only.
    > !     smtpd_log_access_permit_actions = permit_dnswl_client
    >   
    > > -

    This feature is available in Postfix 2.10 and later.

    > - > - > -
    > - > -
    smtpd_milters > - (default: empty)
    > - > -

    A list of Milter (mail filter) applications for new mail that > - arrives via the Postfix smtpd(8) server. Specify space or comma as > - separator. See the MILTER_README document for details.

    > - > -

    This feature is available in Postfix 2.3 and later.

    > - > > --- 9800,9842 ---- >

    > ! This feature is available in Postfix 2.2 and later. >

    > > > !
    > > !
    smtpd_client_connection_rate_limit > ! (default: 0)
    > >

    > ! The maximal number of connection attempts any client is allowed to > ! make to this service per time unit. The time unit is specified > ! with the anvil_rate_time_unit configuration parameter. >

    > >

    > ! By default, a client can make as many connections per time unit as > ! Postfix can accept. >

    > >

    > ! To disable this feature, specify a limit of 0. >

    > >

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > > !

    > ! Example: > !

    > >
    > ! smtpd_client_connection_rate_limit = 1000
    >   
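Review bot: the example `smtpd_client_connection_rate_limit = 1000` gives a count without the period it applies to; the description says the time unit comes from anvil_rate_time_unit, so suggest showing that parameter next to the example or naming its value in the sentence. In the same hunk, "By default, a client can make as many connections per time unit as Postfix can accept" and "To disable this feature, specify a limit of 0" sit two paragraphs apart while the stated default is 0; placing them together would make clear that the default means the limit is off.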
    > > > *************** > *** 13088,13145 **** > > !
    smtpd_noop_commands > ! (default: empty)
    > >

    > ! List of commands that the Postfix SMTP server replies to with "250 > ! Ok", without doing any syntax checks and without changing state. > ! This list overrides any commands built into the Postfix SMTP server. >

    > > - > -
    > - > -
    smtpd_null_access_lookup_key > - (default: <>)
    > - >

    > ! The lookup key to be used in SMTP access(5) tables instead of the > ! null sender address. >

    > > > !
    > ! > !
    smtpd_peername_lookup > ! (default: yes)
    > ! > !

    Attempt to look up the remote SMTP client hostname, and verify that > ! the name matches the client IP address. A client name is set to > ! "unknown" when it cannot be looked up or verified, or when name > ! lookup is disabled. Turning off name lookup reduces delays due to > ! DNS lookup and increases the maximal inbound delivery rate.

    > ! > !

    This feature is available in Postfix 2.3 and later.

    > ! > ! > !
    > ! > !
    smtpd_per_record_deadline > ! (default: normal: no, overload: yes)
    > ! > !

    Change the behavior of the smtpd_timeout time limit, from a > ! time limit per read or write system call, to a time limit to send > ! or receive a complete record (an SMTP command line, SMTP response > ! line, SMTP message content line, or TLS protocol message). This > ! limits the impact from hostile peers that trickle data one byte at > ! a time.

    > ! > !

    Note: when per-record deadlines are enabled, a short timeout > ! may cause problems with TLS over very slow network connections. > ! The reasons are that a TLS protocol message can be up to 16 kbytes > ! long (with TLSv1), and that an entire TLS protocol message must be > ! sent or received within the per-record deadline.

    > ! > !

    This feature is available in Postfix 2.9 and later. With older > ! Postfix releases, the behavior is as if this parameter is set to > ! "no".

    > > --- 9844,9869 ---- > > !
    smtpd_client_event_limit_exceptions > ! (default: $mynetworks)
    > >

    > ! Clients that are excluded from connection count, connection rate, > ! or SMTP request rate restrictions. See the mynetworks parameter > ! description for the parameter value syntax. >

    > >

    > ! By default, clients in trusted networks are excluded. Specify a > ! list of network blocks, hostnames or .domain names (the initial > ! dot causes the domain to match any name below it). >

    > > +

    Note: IP version 6 address information must be specified inside > + [] in the smtpd_client_event_limit_exceptions value, and > + in files specified with "/file/name". IP version 6 addresses > + contain the ":" character, and would otherwise be confused with a > + "type:table" pattern.

    > > !

    > ! This feature is available in Postfix 2.2 and later. > !

    > > *************** > *** 13148,13155 **** > > !
    smtpd_policy_service_max_idle > ! (default: 300s)
    > >

    > ! The time after which an idle SMTPD policy service connection is > ! closed. >

    > --- 9872,9881 ---- > > !
    smtpd_client_message_rate_limit > ! (default: 0)
    > >

    > ! The maximal number of message delivery requests that any client is > ! allowed to make to this service per time unit, regardless of whether > ! or not Postfix actually accepts those messages. The time unit is > ! specified with the anvil_rate_time_unit configuration parameter. >

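Review bot: this hunk (old lines 13148-13155, new lines 9872-9881) pairs the smtpd_policy_service_max_idle entry with the smtpd_client_message_rate_limit entry, two parameters that are far apart alphabetically in postconf(5), so the `!` lines do not describe an edit to either description. The same offset shows in the preceding hunk, where old line 13088 (smtpd_noop_commands) is matched against new line 9844 (smtpd_client_event_limit_exceptions): the old and new files are displaced by roughly 3,250 lines at this point. Before reading any of these hunks as real documentation changes, check whether the regenerated postconf.5.html lost a large block ahead of this section, and have the update script diff the files so that a missing block is reported as one deletion rather than as line-by-line `!` replacements of unrelated entries.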
    > *************** > *** 13157,13170 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > > > !
    > ! > !
    smtpd_policy_service_max_ttl > ! (default: 1000s)
    > >

    > ! The time after which an active SMTPD policy service connection is > ! closed. >

    > --- 9883,9899 ---- >

    > ! By default, a client can send as many message delivery requests > ! per time unit as Postfix can accept. >

    > > +

    > + To disable this feature, specify a limit of 0. > +

    > > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > >

    > ! This feature is available in Postfix 2.2 and later. >

    > *************** > *** 13172,13176 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > > > --- 9901,9909 ---- >

    > ! Example: >

    > > +
    > + smtpd_client_message_rate_limit = 1000
    > + 
    > + > > *************** > *** 13178,13185 **** > > !
    smtpd_policy_service_timeout > ! (default: 100s)
    > >

    > ! The time limit for connecting to, writing to or receiving from a > ! delegated SMTPD policy server. >

    > --- 9911,9920 ---- > > !
    smtpd_client_new_tls_session_rate_limit > ! (default: 0)
    > >

    > ! The maximal number of new (i.e., uncached) TLS sessions that a > ! remote SMTP client is allowed to negotiate with this service per > ! time unit. The time unit is specified with the anvil_rate_time_unit > ! configuration parameter. >

    > *************** > *** 13187,13200 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > > > !
    > ! > !
    smtpd_proxy_ehlo > ! (default: $myhostname)
    > >

    > ! How the Postfix SMTP server announces itself to the proxy filter. > ! By default, the Postfix hostname is used. >

    > --- 9922,9940 ---- >

    > ! By default, a remote SMTP client can negotiate as many new TLS > ! sessions per time unit as Postfix can accept. >

    > > +

    > + To disable this feature, specify a limit of 0. Otherwise, specify > + a limit that is at least the per-client concurrent session limit, > + or else legitimate client sessions may be rejected. > +

    > > !

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. > !

    > >

    > ! This feature is available in Postfix 2.3 and later. >

    > *************** > *** 13202,13206 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > > > --- 9942,9950 ---- >

    > ! Example: >

    > > +
    > + smtpd_client_new_tls_session_rate_limit = 100
    > + 
    > + > > *************** > *** 13208,13228 **** > > !
    smtpd_proxy_filter > ! (default: empty)
    > > !

    The hostname and TCP port of the mail filtering proxy server. > ! The proxy receives all mail from the Postfix SMTP server, and is > ! supposed to give the result to another Postfix SMTP server process. >

    > > !

    Specify "host:port" or "inet:host:port" for a TCP endpoint, or > ! "unix:pathname" for a UNIX-domain endpoint. The host can be specified > ! as an IP address or as a symbolic name; no MX lookups are done. > ! When no "host" or "host:" are specified, the local machine is > ! assumed. Pathname interpretation is relative to the Postfix queue > ! directory.

    > ! > !

    This feature is available in Postfix 2.1 and later.

    > ! > !

    The "inet:" and "unix:" prefixes are available in Postfix 2.3 > ! and later.

    > > --- 9952,9961 ---- > > !
    smtpd_client_port_logging > ! (default: no)
    > > !

    Enable logging of the remote SMTP client port in addition to > ! the hostname and IP address. The logging format is "host[address]:port". >

    > > !

    This feature is available in Postfix 2.5 and later.

    > > *************** > *** 13231,13273 **** > > !
    smtpd_proxy_options > ! (default: empty)
    > >

    > ! List of options that control how the Postfix SMTP server > ! communicates with a before-queue content filter. Specify zero or > ! more of the following, separated by comma or whitespace.

    > ! > !
    > ! > !
    speed_adjust
    > ! > !

    Do not connect to a before-queue content filter until an entire > ! message has been received. This reduces the number of simultaneous > ! before-queue content filter processes.

    > ! > !

    NOTE 1: A filter must not selectively reject recipients > ! of a multi-recipient message. Rejecting all recipients is OK, as > ! is accepting all recipients.

    > ! > !

    NOTE 2: This feature increases the minimum amount of free queue > ! space by $message_size_limit. The extra space is needed to save the > ! message to a temporary file.

    > ! > !
    > >

    > ! This feature is available in Postfix 2.7 and later. >

    > > - > -
    > - > -
    smtpd_proxy_timeout > - (default: 100s)
    > - >

    > ! The time limit for connecting to a proxy filter and for sending or > ! receiving information. When a connection fails the client gets a > ! generic error message while more detailed information is logged to > ! the maillog file. >

    > --- 9964,9982 ---- > > !
    smtpd_client_recipient_rate_limit > ! (default: 0)
    > >

    > ! The maximal number of recipient addresses that any client is allowed > ! to send to this service per time unit, regardless of whether or not > ! Postfix actually accepts those recipients. The time unit is specified > ! with the anvil_rate_time_unit configuration parameter. > !

    > >

    > ! By default, a client can make as many recipient addresses per time > ! unit as Postfix can accept. >

    > >

    > ! To disable this feature, specify a limit of 0. >

    > *************** > *** 13275,13278 **** >

    > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). >

    > --- 9984,9987 ---- >

    > ! WARNING: The purpose of this feature is to limit abuse. It must > ! not be used to regulate legitimate mail traffic. >

    > *************** > *** 13280,13305 **** >

    > ! This feature is available in Postfix 2.1 and later. >

    > > - > -
    > - > -
    smtpd_recipient_limit > - (default: 1000)
    > - >

    > ! The maximal number of recipients that the Postfix SMTP server > ! accepts per message delivery request. >

    > > ! > !
    > ! > !
    smtpd_recipient_overshoot_limit > ! (default: 1000)
    > ! > !

    The number of recipients that a remote SMTP client can send in > ! excess of the limit specified with $smtpd_recipient_limit, before > ! the Postfix SMTP server increments the per-session error count > ! for each excess recipient.

    > > --- 9989,10000 ---- >

    > ! This feature is available in Postfix 2.2 and later. >

    > >

    > ! Example: >

    > > !
    > ! smtpd_client_recipient_rate_limit = 1000
    > ! 
    > > *************** > *** 13308,13349 **** > > !
    smtpd_recipient_restrictions > ! (default: permit_mynetworks, reject_unauth_destination)
    > ! > !

    > ! The access restrictions that the Postfix SMTP server applies in > ! the context of the RCPT TO command. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. > !

    > >

    > ! By default, the Postfix SMTP server accepts: >

    > > - > - >

    > ! IMPORTANT: If you change this parameter setting, you must specify > ! at least one of the following restrictions. Otherwise Postfix will > ! refuse to receive mail: >

    > > -
    > -
    > - reject, defer, defer_if_permit, reject_unauth_destination
    > - 
    > -
    > - >

    > --- 10003,10016 ---- > > !

    smtpd_client_restrictions > ! (default: empty)
    > >

    > ! Optional SMTP server access restrictions in the context of a client > ! SMTP connection request. >

    > >

    > ! The default is to allow all connection requests. >

    > >

    > *************** > *** 13356,13359 **** >

    > ! The following restrictions are specific to the recipient address > ! that is received with the RCPT TO command. >

    > --- 10023,10026 ---- >

    > ! The following restrictions are specific to client hostname or > ! client network address information. >

    > *************** > *** 13362,13503 **** > > !
    check_recipient_access type:table
    > > !
    Search the specified access(5) database for the resolved RCPT > ! TO address, domain, parent domains, or localpart@, and execute the > ! corresponding action.
    > > !
    check_recipient_mx_access type:table
    > > !
    Search the specified access(5) database for the MX hosts for > ! the RCPT TO domain, and execute the corresponding action. Note: > ! a result of "OK" is not allowed for safety reasons. Instead, use > ! DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
    > > !
    check_recipient_ns_access type:table
    > > !
    Search the specified access(5) database for the DNS servers > ! for the RCPT TO domain, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
    > > !
    permit_auth_destination
    > > !
    Permit the request when one of the following is true: > > !
    > > !
    permit_mx_backup
    > > !
    Permit the request when the local mail system is backup MX for > ! the RCPT TO domain, or when the domain is an authorized destination > ! (see permit_auth_destination for definition). > > !
      > > !
    • Safety: permit_mx_backup does not accept addresses that have > ! sender-specified routing information (example: user at elsewhere@domain). > > !
    • Safety: permit_mx_backup can be vulnerable to mis-use when > ! access is not restricted with permit_mx_backup_networks. > > !
    • Safety: as of Postfix version 2.3, permit_mx_backup no longer > ! accepts the address when the local mail system is primary MX for > ! the recipient domain. Exception: permit_mx_backup accepts the address > ! when it specifies an authorized destination (see permit_auth_destination > ! for definition). > > !
    • Limitation: mail may be rejected in case of a temporary DNS > ! lookup problem with Postfix prior to version 2.0. > > !
    > > !
    reject_non_fqdn_recipient
    > > !
    Reject the request when the RCPT TO address is not in > ! fully-qualified domain form, as required by the RFC.
    The > ! non_fqdn_reject_code parameter specifies the response code for > ! rejected requests (default: 504).
    > > !
    reject_rhsbl_recipient rbl_domain=d.d.d.d
    > > !
    Reject the request when the RCPT TO domain is listed with the > ! A record "d.d.d.d" under rbl_domain (Postfix version > ! 2.1 and later only). Each "d" is a number, or a pattern > ! inside "[]" that contains one or more ";"-separated numbers or > ! number..number ranges (Postfix version 2.8 and later). If no > ! "=d.d.d.d" is specified, reject > ! the request when the RCPT TO domain is listed with > ! any A record under rbl_domain.
    The maps_rbl_reject_code > ! parameter specifies the response code for rejected requests (default: > ! 554); the default_rbl_reply parameter specifies the default server > ! reply; and the rbl_reply_maps parameter specifies tables with server > ! replies indexed by rbl_domain. This feature is available > ! in Postfix version 2.0 and later.
    > > !
    reject_unauth_destination
    > > !
    Reject the request unless one of the following is true: > > ! The relay_domains_reject_code parameter specifies the response > ! code for rejected requests (default: 554).
    > > !
    reject_unknown_recipient_domain
    > > !
    Reject the request when Postfix is not final destination for > ! the recipient domain, and the RCPT TO domain has 1) no DNS A or MX > ! record or 2) a malformed MX record such as a record with > ! a zero-length MX hostname (Postfix version 2.3 and later).
    The > ! unknown_address_reject_code parameter specifies the numerical > ! response code for rejected requests (default: 450). The response > ! is always 450 in case of a temporary DNS error.
    The > ! unknown_address_tempfail_action parameter specifies the action > ! after a temporary DNS error (default: defer_if_permit).
    > > !
    reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
    > > !
    Reject the request when the RCPT TO address is not listed in > ! the list of valid recipients for its domain class. See the > ! smtpd_reject_unlisted_recipient parameter description for details. > ! This feature is available in Postfix 2.1 and later.
    > > !
    reject_unverified_recipient
    > > !
    Reject the request when mail to the RCPT TO address is known > ! to bounce, or when the recipient address destination is not reachable. > ! Address verification information is managed by the verify(8) server; > ! see the ADDRESS_VERIFICATION_README file for details.
    The > ! unverified_recipient_reject_code parameter specifies the numerical > ! response code when an address is known to bounce (default: 450, > ! change into 550 when you are confident that it is safe to do so). > !
    The unverified_recipient_defer_code parameter specifies the > ! numerical response code when an address probe failed due to a > ! temporary problem (default: 450).
    The > ! unverified_recipient_tempfail_action parameter specifies the action > ! after addres probe failure due to a temporary problem (default: > ! defer_if_permit).
    This feature is available in Postfix 2.1 > ! and later.
    > > --- 10029,10245 ---- > > !
    check_ccert_access type:table
    > > !
    Use the client certificate fingerprint as lookup key for the > ! specified access(5) database; with Postfix version 2.2, also require that > ! the SMTP client certificate is verified successfully. > ! The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5). This feature is available with Postfix version > ! 2.2 and later.
    > > !
    check_client_access type:table
    > > !
    Search the specified access database for the client hostname, > ! parent domains, client IP address, or networks obtained by stripping > ! least significant octets. See the access(5) manual page for details.
    > > !
    check_reverse_client_hostname_access type:table
    > > !
    Search the specified access database for the unverified reverse > ! client hostname, parent domains, client IP address, or networks > ! obtained by stripping least significant octets. See the access(5) > ! manual page for details. Note: a result of "OK" is not allowed for > ! safety reasons. Instead, use DUNNO in order to exclude specific > ! hosts from blacklists. This feature is available in Postfix 2.6 > ! and later.
    > > !
    permit_inet_interfaces
    > > !
    Permit the request when the client IP address matches > ! $inet_interfaces.
    > > !
    permit_mynetworks
    > > !
    Permit the request when the client IP address matches any > ! network or network address listed in $mynetworks.
    > > !
    permit_sasl_authenticated
    > ! > !
    Permit the request when the client is successfully > ! authenticated via the RFC 4954 (AUTH) protocol.
    > ! > !
    permit_tls_all_clientcerts
    > ! > !
    Permit the request when the remote SMTP client certificate is > ! verified successfully. This option must be used only if a special > ! CA issues the certificates and only this CA is listed as trusted > ! CA, otherwise all clients with a recognized certificate would be > ! allowed to relay. This feature is available with Postfix version 2.2.
    > ! > !
    permit_tls_clientcerts
    > ! > !
    Permit the request when the remote SMTP client certificate > ! fingerprint is listed in $relay_clientcerts. > ! The fingerprint digest algorithm is configurable via the > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > ! Postfix version 2.5). This feature is available with Postfix version > ! 2.2.
    > ! > !
    reject_rbl_client rbl_domain=d.d.d.d
    > ! > !
    Reject the request when the reversed client network address is > ! listed with the A record "d.d.d.d" under rbl_domain > ! (Postfix version 2.1 and later only). If no "=d.d.d.d" is > ! specified, reject the request when the reversed client network > ! address is listed with any A record under rbl_domain.
    > ! The maps_rbl_reject_code parameter specifies the response code for > ! rejected requests (default: 554), the default_rbl_reply parameter > ! specifies the default server reply, and the rbl_reply_maps parameter > ! specifies tables with server replies indexed by rbl_domain. > ! This feature is available in Postfix 2.0 and later.
    > ! > !
    reject_rhsbl_client rbl_domain=d.d.d.d
    > ! > !
    Reject the request when the client hostname is listed with the > ! A record "d.d.d.d" under rbl_domain (Postfix version > ! 2.1 and later only). If no "=d.d.d.d" is specified, reject > ! the request when the client hostname is listed with > ! any A record under rbl_domain. See the reject_rbl_client > ! description above for additional RBL related configuration parameters. > ! This feature is available in Postfix 2.0 and later.
    > ! > !
    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    > ! > !
    Reject the request when 1) the client IP address->name mapping > ! fails, 2) the name->address mapping fails, or 3) the name->address > ! mapping does not match the client IP address.
    This is a > ! stronger restriction than the reject_unknown_reverse_client_hostname > ! feature, which triggers only under condition 1) above.
    The > ! unknown_client_reject_code parameter specifies the response code > ! for rejected requests (default: 450). The reply is always 450 in > ! case the address->name or name->address lookup failed due to > ! a temporary problem.
    > > !
    reject_unknown_reverse_client_hostname
    > > !
    Reject the request when the client IP address has no address->name > ! mapping.
    This is a weaker restriction than the > ! reject_unknown_client_hostname feature, which requires not only > ! that the address->name and name->address mappings exist, but > ! also that the two mappings reproduce the client IP address.
    > ! The unknown_client_reject_code parameter specifies the response > ! code for rejected requests (default: 450). The reply is always 450 > ! in case the address->name lookup failed due to a temporary > ! problem.
    This feature is available in Postfix 2.3 and > ! later.
    > > ! > > !

    > ! In addition, you can use any of the following > ! generic restrictions. These restrictions are applicable in > ! any SMTP command context. > !

    > > !
    > > !
    check_policy_service servername
    > > !
    Query the specified policy server. See the SMTPD_POLICY_README > ! document for details. This feature is available in Postfix 2.1 > ! and later.
    > > !
    defer
    > > !
    Defer the request. The client is told to try again later. This > ! restriction is useful at the end of a restriction list, to make > ! the default policy explicit.
    The defer_code parameter specifies > ! the SMTP server reply code (default: 450).
    > > !
    defer_if_permit
    > > !
    Defer the request if some later restriction would result in an > ! explicit or implicit PERMIT action. This is useful when a blacklisting > ! feature fails due to a temporary problem. This feature is available > ! in Postfix version 2.1 and later.
    > > !
    defer_if_reject
    > > !
    Defer the request if some later restriction would result in a > ! REJECT action. This is useful when a whitelisting feature fails > ! due to a temporary problem. This feature is available in Postfix > ! version 2.1 and later.
    > > !
    permit
    > > !
    Permit the request. This restriction is useful at the end of > ! a restriction list, to make the default policy explicit.
    > > !
    reject_multi_recipient_bounce
    > > !
    Reject the request when the envelope sender is the null address, > ! and the message has multiple envelope recipients. This usage has > ! rare but legitimate applications: under certain conditions, > ! multi-recipient mail that was posted with the DSN option NOTIFY=NEVER > ! may be forwarded with the null sender address. > !
    Note: this restriction can only work reliably > ! when used in smtpd_data_restrictions or > ! smtpd_end_of_data_restrictions, because the total number of > ! recipients is not known at an earlier stage of the SMTP conversation. > ! Use at the RCPT stage will only reject the second etc. recipient. > !
    > ! The multi_recipient_bounce_reject_code parameter specifies the > ! response code for rejected requests (default: 550). This feature > ! is available in Postfix 2.1 and later.
    > > !
    reject_plaintext_session
    > > !
    Reject the request when the connection is not encrypted. This > ! restriction should not be used before the client has had a chance > ! to negotiate encryption with the AUTH or STARTTLS commands. > !
    > ! The plaintext_reject_code parameter specifies the response > ! code for rejected requests (default: 450). This feature is available > ! in Postfix 2.3 and later.
    > > !
    reject_unauth_pipelining
    > > !
    Reject the request when the client sends SMTP commands ahead > ! of time where it is not allowed, or when the client sends SMTP > ! commands ahead of time without knowing that Postfix actually supports > ! ESMTP command pipelining. This stops mail from bulk mail software > ! that improperly uses ESMTP command pipelining in order to speed up > ! deliveries.
    Note: reject_unauth_pipelining is not useful > ! outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO > ! instead of HELO) and 2) with "smtpd_delay_reject = yes" (the > ! default). The use of reject_unauth_pipelining in the other > ! restriction contexts is therefore not recommended.
    > > !
    reject
    > > !
    Reject the request. This restriction is useful at the end of > ! a restriction list, to make the default policy explicit. The > ! reject_code configuration parameter specifies the response code to > ! rejected requests (default: 554).
    > > !
    sleep seconds
    > > !
    Pause for the specified number of seconds and proceed with > ! the next restriction in the list, if any. This may stop zombie > ! mail when used as: > !
    > ! /etc/postfix/main.cf:
    > !     smtpd_client_restrictions =
    > !         sleep 1, reject_unauth_pipelining
    > !     smtpd_delay_reject = no
    > ! 
    > ! This feature is available in Postfix 2.3.
    > ! > !
    warn_if_reject
    > ! > !
    Change the meaning of the next restriction, so that it logs > ! a warning instead of rejecting a request (look for logfile records > ! that contain "reject_warning"). This is useful for testing new > ! restrictions in a "live" environment without risking unnecessary > ! loss of mail.
    > > *************** > *** 13511,13518 **** > > !
  • Generic restrictions that can be used > ! in any SMTP command context, described under smtpd_client_restrictions. > ! > !
  • SMTP command specific restrictions described under > ! smtpd_client_restrictions, smtpd_helo_restrictions and > ! smtpd_sender_restrictions. > > --- 10253,10261 ---- > > !
  • SMTP command specific restrictions that are described under > ! the smtpd_helo_restrictions, smtpd_sender_restrictions or > ! smtpd_recipient_restrictions parameters. When helo, sender or > ! recipient restrictions are listed under smtpd_client_restrictions, > ! they have effect only with "smtpd_delay_reject = yes", so that > ! $smtpd_client_restrictions is evaluated at the time of the RCPT TO > ! command. > > *************** > *** 13525,13527 **** >
    > ! smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    >   
    > --- 10268,10270 ---- >
    > ! smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
    >   
    > *************** > *** 13531,13608 **** > > !
    smtpd_reject_footer > (default: empty)
    > > !

    Optional information that is appended after each Postfix SMTP > ! server > ! 4XX or 5XX response.

    > > !

    Example:

    > > !
    > ! /etc/postfix/main.cf:
    > !     smtpd_reject_footer = For assistance, call 800-555-0101.
    > !      Please provide the following information in your problem report:
    > !      time ($localtime), client ($client_address) and server
    > !      ($server_name).
    > ! 
    > > !

    Server response:

    > > !
    > !     550-5.5.1 <user at example> Recipient address rejected: User unknown
    > !     550 5.5.1 For assistance, call 800-555-0101. Please provide the
    > !     following information in your problem report: time (Jan 4 15:42:00),
    > !     client (192.168.1.248) and server (mail1.example.com).
    > ! 
    > > !

    Note: the above text is meant to make it easier to find the > ! Postfix logfile records for a failed SMTP session. The text itself > ! is not logged to the Postfix SMTP server's maillog file.

    > > !

    Be sure to keep the text as short as possible. Long text may > ! be truncated before it is logged to the remote SMTP client's maillog > ! file, or before it is returned to the sender in a delivery status > ! notification.

    > > !

    This feature supports a limited number of $name attributes in > ! the footer text. These are replaced by their current value for the > ! SMTP session:

    > > !
    > > !
    client_address
    The Client IP address that > ! is logged in the maillog file.
    > > -
    client_port
    The client TCP port that is > - logged in the maillog file.
    > > !
    localtime
    The server local time (Mmm dd > ! hh:mm:ss) that is logged in the maillog file.
    > > !
    server_name
    The server's myhostname value. > ! This attribute is made available for sites with multiple MTAs > ! (perhaps behind a load-balancer), where the server name can help > ! the server support team to quickly find the right log files.
    > > !
    > > !

    Notes:

    > > !
      > > -
    • NOT SUPPORTED are other attributes such as sender, recipient, > - or main.cf parameters.

      > > !
    • For safety reasons, text that does not match > ! $smtpd_expansion_filter is censored.

      > > !
    > > !

    This feature supports the two-character sequence \n as a request > ! for a line break in the footer text. Postfix automatically inserts > ! after each line break the three-digit SMTP reply code (and optional > ! enhanced status code) from the original Postfix reject message. >

    > > !

    This feature is available in Postfix 2.8 and later.

    > > --- 10274,10362 ---- > > !
    smtpd_data_restrictions > (default: empty)
    > > !

    > ! Optional access restrictions that the Postfix SMTP server applies > ! in the context of the SMTP DATA command. > !

    > > !

    > ! This feature is available in Postfix 2.0 and later. > !

    > > !

    > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. > !

    > > !

    > ! The following restrictions are valid in this context: > !

    > > ! > > !

    > ! Examples: > !

    > > !
    > ! smtpd_data_restrictions = reject_unauth_pipelining
    > ! smtpd_data_restrictions = reject_multi_recipient_bounce
    > ! 
    > > > !
    > > !
    smtpd_delay_open_until_valid_rcpt > ! (default: yes)
    > > !

    Postpone the start of an SMTP mail transaction until a valid > ! RCPT TO command is received. Specify "no" to create a mail transaction > ! as soon as the SMTP server receives a valid MAIL FROM command.

    > > !

    With sites that reject lots of mail, the default setting reduces > ! the use of > ! disk, CPU and memory resources. The downside is that rejected > ! recipients are logged with NOQUEUE instead of a mail transaction > ! ID. This complicates the logfile analysis of multi-recipient mail. > !

    > > !

    This feature is available in Postfix 2.3 and later.

    > > > !
    > > !
    smtpd_delay_reject > ! (default: yes)
    > > !

    > ! Wait until the RCPT TO command before evaluating > ! $smtpd_client_restrictions, $smtpd_helo_restrictions and > ! $smtpd_sender_restrictions, or wait until the ETRN command before > ! evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. > !

    > ! > !

    > ! This feature is turned on by default because some clients apparently > ! mis-behave when the Postfix SMTP server rejects commands before > ! RCPT TO. >

    > > !

    > ! The default setting has one major benefit: it allows Postfix to log > ! recipient address information when rejecting a client name/address > ! or sender address, so that it is possible to find out whose mail > ! is being rejected. > !

    > > *************** > *** 13611,13641 **** > > !
    smtpd_reject_unlisted_recipient > ! (default: yes)
    > > !

    > ! Request that the Postfix SMTP server rejects mail for unknown > ! recipient addresses, even when no explicit reject_unlisted_recipient > ! access restriction is specified. This prevents the Postfix queue > ! from filling up with undeliverable MAILER-DAEMON messages. > !

    > > !

    An address is always considered "known" when it matches a > ! virtual(5) alias or a canonical(5) mapping. > > !

      > > !
    • The recipient domain matches $mydestination, $inet_interfaces > ! or $proxy_interfaces, but the recipient is not listed in > ! $local_recipient_maps, and $local_recipient_maps is not null. > > !
    • The recipient domain matches $virtual_alias_domains but the > ! recipient is not listed in $virtual_alias_maps. > > !
    • The recipient domain matches $virtual_mailbox_domains but the > ! recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps > ! is not null. > > !
    • The recipient domain matches $relay_domains but the recipient > ! is not listed in $relay_recipient_maps, and $relay_recipient_maps > ! is not null. > > --- 10365,10398 ---- > > !
      smtpd_discard_ehlo_keyword_address_maps > ! (default: empty)
      > > !

      Lookup tables, indexed by the remote SMTP client address, with > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > ! etc.) that the SMTP server will not send in the EHLO response to a > ! remote SMTP client. See smtpd_discard_ehlo_keywords for details. > ! The table is not searched by hostname for robustness reasons.

      > ! > !

      This feature is available in Postfix 2.2 and later.

      > ! > ! > !
      > > !
      smtpd_discard_ehlo_keywords > ! (default: empty)
      > ! > !

      A case insensitive list of EHLO keywords (pipelining, starttls, > ! auth, etc.) that the SMTP server will not send in the EHLO response > ! to a remote SMTP client.

      > > !

      This feature is available in Postfix 2.2 and later.

      > > !

      Notes:

      > > !
        > > !
      • Specify the silent-discard pseudo keyword to prevent > ! this action from being logged.

        > > !
      • Use the smtpd_discard_ehlo_keyword_address_maps feature > ! to discard EHLO keywords selectively.

        > > *************** > *** 13643,13648 **** > > -

        > - This feature is available in Postfix 2.1 and later. > -

        > - > > --- 10400,10401 ---- > *************** > *** 13650,13684 **** > > !
        smtpd_reject_unlisted_sender > ! (default: no)
        > > !

        Request that the Postfix SMTP server rejects mail from unknown > ! sender addresses, even when no explicit reject_unlisted_sender > ! access restriction is specified. This can slow down an explosion > ! of forged mail from worms or viruses.

        > > !

        An address is always considered "known" when it matches a > ! virtual(5) alias or a canonical(5) mapping. > > !

        > > !

        > ! This feature is available in Postfix 2.1 and later. > !

        > > --- 10403,10434 ---- > > !
        smtpd_end_of_data_restrictions > ! (default: empty)
        > > !

        Optional access restrictions that the Postfix SMTP server > ! applies in the context of the SMTP END-OF-DATA command.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > !

        See smtpd_data_restrictions for syntax details.

        > > > !
        > > !
        smtpd_enforce_tls > ! (default: no)
        > > !

        Mandatory TLS: announce STARTTLS support to SMTP clients, > ! and require that clients use TLS encryption. According to RFC 2487 > ! this MUST NOT be applied in case of a publicly-referenced SMTP > ! server. This option is off by default and should be used only on > ! dedicated servers.

        > > !

        Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

        > > !

        Note 2: when invoked via "sendmail -bs", Postfix will never offer > ! STARTTLS due to insufficient privileges to access the server private > ! key. This is intended behavior.

        > ! > !

        This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

        > > *************** > *** 13687,13701 **** > > !
        smtpd_restriction_classes > ! (default: empty)
        > > !

        > ! User-defined aliases for groups of access restrictions. The aliases > ! can be specified in smtpd_recipient_restrictions etc., and on the > ! right-hand side of a Postfix access(5) table. >

        > > !

        > ! One major application is for implementing per-recipient UCE control. > ! See the RESTRICTION_CLASS_README document for other examples. > !

        > > --- 10437,10450 ---- > > !
        smtpd_error_sleep_time > ! (default: 1s)
        > > !

        With Postfix version 2.1 and later: the SMTP server response delay after > ! a client has made more than $smtpd_soft_error_limit errors, and > ! fewer than $smtpd_hard_error_limit errors, without delivering mail. >

        > > !

        With Postfix version 2.0 and earlier: the SMTP server delay before > ! sending a reject (4xx or 5xx) response, when the client has made > ! fewer than $smtpd_soft_error_limit errors without delivering > ! mail.

        > > *************** > *** 13704,13714 **** > > !
        smtpd_sasl_application_name > ! (default: smtpd)
        > >

        > ! The application name that the Postfix SMTP server uses for SASL > ! server initialization. This > ! controls the name of the SASL configuration file. The default value > ! is smtpd, corresponding to a SASL configuration file named > ! smtpd.conf. >

        > --- 10453,10460 ---- > > !
        smtpd_etrn_restrictions > ! (default: empty)
        > >

        > ! Optional SMTP server access restrictions in the context of a client > ! ETRN request. >

        > *************** > *** 13716,13730 **** >

        > ! This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 > ! it was renamed to smtpd_sasl_path. >

        > > - > -
        > - > -
        smtpd_sasl_auth_enable > - (default: no)
        > - >

        > ! Enable SASL authentication in the Postfix SMTP server. By default, > ! the Postfix SMTP server does not use authentication. >

        > --- 10462,10473 ---- >

        > ! The Postfix ETRN implementation accepts only destinations that are > ! eligible for the Postfix "fast flush" service. See the ETRN_README > ! file for details. >

        > >

        > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. >

        > *************** > *** 13732,13768 **** >

        > ! If a remote SMTP client is authenticated, the permit_sasl_authenticated > ! access restriction can be used to permit relay access, like this: >

        > > !
        > !
        > ! smtpd_recipient_restrictions =
        > !     permit_mynetworks, permit_sasl_authenticated, ...
        > ! 
        > !
        > > !

        To reject all SMTP connections from unauthenticated clients, > ! specify "smtpd_delay_reject = yes" (which is the default) and use: > !

        > > !
        > !
        > ! smtpd_client_restrictions = permit_sasl_authenticated, reject
        > ! 
        > !
        > >

        > ! See the SASL_README file for SASL configuration and operation details. >

        > > > !
        > > !
        smtpd_sasl_authenticated_header > ! (default: no)
        > > !

        Report the SASL authenticated user name in the smtpd(8) Received > ! message header.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > --- 10475,10511 ---- >

        > ! The following restrictions are specific to the domain name information > ! received with the ETRN command. >

        > > !
        > > !
        check_etrn_access type:table
        > > !
        Search the specified access database for the ETRN domain name > ! or its parent domains. See the access(5) manual page for details. > !
        > ! > !
        > >

        > ! Other restrictions that are valid in this context: >

        > > + > > !

        > ! Example: > !

        > ! > !
        > ! smtpd_etrn_restrictions = permit_mynetworks, reject
        > ! 
        > > *************** > *** 13771,13778 **** > > !
        smtpd_sasl_exceptions_networks > ! (default: empty)
        > >

        > ! What remote SMTP clients the Postfix SMTP server will not offer > ! AUTH support to. >

        > --- 10514,10522 ---- > > !
        smtpd_expansion_filter > ! (default: see "postconf -d" output)
        > >

        > ! What characters are allowed in $name expansions of RBL reply > ! templates. Characters not in the allowed set are replaced by "_". > ! Use C like escapes to specify special characters such as whitespace. >

        > *************** > *** 13780,13785 **** >

        > ! Some clients (Netscape 4 at least) have a bug that causes them to > ! require a login and password whenever AUTH is offered, whether it's > ! necessary or not. To work around this, specify, for example, > ! $mynetworks to prevent Postfix from offering AUTH to local clients. >

        > --- 10524,10526 ---- >

        > ! This parameter is not subjected to $parameter expansion. >

        > *************** > *** 13787,13815 **** >

        > ! Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also "/file/name" or > ! "type:table" patterns. A "/file/name" pattern is replaced by its > ! contents; a "type:table" lookup table is matched when a table entry > ! matches a lookup string (the lookup result is ignored). Continue > ! long lines by starting the next line with whitespace. Specify > ! "!pattern" to exclude an address or network block from the list. > ! The form "!/file/name" is supported only in Postfix version 2.4 and > ! later.

        > > !

        Note: IP version 6 address information must be specified inside > ! [] in the smtpd_sasl_exceptions_networks value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

        > >

        > ! Example: >

        > > -
        > - smtpd_sasl_exceptions_networks = $mynetworks
        > - 
        > - >

        > ! This feature is available in Postfix 2.1 and later. >

        > --- 10528,10548 ---- >

        > ! This feature is available in Postfix 2.0 and later. > !

        > > ! > !
        > ! > !
        smtpd_forbidden_commands > ! (default: CONNECT, GET, POST)
        > >

        > ! List of commands that causes the Postfix SMTP server to immediately > ! terminate the session with a 221 code. This can be used to disconnect > ! clients that obviously attempt to abuse the system. In addition to the > ! commands listed in this parameter, commands that follow the "Label:" > ! format of message headers will also cause a disconnect. >

        > >

        > ! This feature is available in Postfix 2.2 and later. >
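Review bot: the `!` lines on the `*** 13787,13815 ****` side are the smtpd_sasl_exceptions_networks description (the network/netmask list syntax and the note that IPv6 addresses must be written inside `[]`), while the `--- 10528,10548 ----` side is smtpd_forbidden_commands, so this hunk records a line offset of roughly 3,260 lines between two differently ordered files, not a change to either description. Regenerate the comparison per parameter section (split both files at each parameter heading and diff matching names) so the notification shows real wording changes; as it stands, a reader could take the `!` markers to mean the IPv6 bracket note or the "!/file/name is supported only in Postfix version 2.4 and later" caveat was dropped, which the visible lines do not support.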

        > *************** > *** 13819,13830 **** > > !
        smtpd_sasl_local_domain > ! (default: empty)
        > >

        > ! The name of the Postfix SMTP server's local SASL authentication > ! realm. >

        > >

        > ! By default, the local authentication realm name is the null string. >

        > --- 10552,10571 ---- > > !
        smtpd_hard_error_limit > ! (default: 20)
        > >

        > ! The maximal number of errors a remote SMTP client is allowed to > ! make without delivering mail. The Postfix SMTP server disconnects > ! when the limit is exceeded. >

        > > + > +
        > + > +
        smtpd_helo_required > + (default: no)
        > + >

        > ! Require that a remote SMTP client introduces itself at the beginning > ! of an SMTP session with the HELO or EHLO command. >
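Review bot: the smtpd_hard_error_limit text on the `--- 10552,10571 ----` side says the server disconnects "when the limit is exceeded" but gives no pointer to what feeds the counter; the parameters that do (smtpd_soft_error_limit, smtpd_error_sleep_time, smtpd_junk_command_limit, smtpd_recipient_overshoot_limit) all appear elsewhere in this same patch, so a "See also" sentence listing them would help a reader tuning limits against abusive clients. The old-side `!` lines here (smtpd_sasl_local_domain) are an unrelated parameter, so only the new-side text is worth reading in this hunk.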

        > *************** > *** 13832,13834 **** >

        > ! Examples: >

        > --- 10573,10575 ---- >

        > ! Example: >

        > *************** > *** 13836,13839 **** >
        > ! smtpd_sasl_local_domain = $mydomain
        > ! smtpd_sasl_local_domain = $myhostname
        >   
        > --- 10577,10579 ---- >
        > ! smtpd_helo_required = yes
        >   
        > *************** > *** 13843,13874 **** > > !
        smtpd_sasl_path > ! (default: smtpd)
        > ! > !

        Implementation-specific information that the Postfix SMTP server > ! passes through to > ! the SASL plug-in implementation that is selected with > ! smtpd_sasl_type. Typically this specifies the name of a > ! configuration file or rendezvous point.

        > ! > !

        This feature is available in Postfix 2.3 and later. In earlier > ! releases it was called smtpd_sasl_application_name.

        > ! > ! > !
        > ! > !
        smtpd_sasl_security_options > ! (default: noanonymous)
        > > !

        Postfix SMTP server SASL security options; as of Postfix 2.3 > ! the list of available > ! features depends on the SASL server implementation that is selected > ! with smtpd_sasl_type.

        > > !

        The following security features are defined for the cyrus > ! server SASL implementation:

        > >

        > ! Restrict what authentication mechanisms the Postfix SMTP server > ! will offer to the client. The list of available authentication > ! mechanisms is system dependent. >

        > --- 10583,10601 ---- > > !
        smtpd_helo_restrictions > ! (default: empty)
        > > !

        > ! Optional restrictions that the Postfix SMTP server applies in the > ! context of the SMTP HELO command. > !

        > > !

        > ! The default is to permit everything. > !

        > >

        > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. >

        > *************** > *** 13876,13878 **** >

        > ! Specify zero or more of the following: >

        > --- 10603,10606 ---- >

        > ! The following restrictions are specific to the hostname information > ! received with the HELO or EHLO command. >

        > *************** > *** 13881,13907 **** > > !
        noplaintext
        > > !
        Disallow methods that use plaintext passwords.
        > > !
        noactive
        > > !
        Disallow methods subject to active (non-dictionary) attack.
        > > !
        nodictionary
        > > !
        Disallow methods subject to passive (dictionary) attack.
        > > !
        noanonymous
        > > !
        Disallow methods that allow anonymous authentication.
        > > !
        forward_secrecy
        > > !
        Only allow methods that support forward secrecy (Dovecot only). >
        > > !
        mutual_auth
        > > !
        Only allow methods that provide mutual authentication (not available > ! with Cyrus SASL version 1).
        > > --- 10609,10661 ---- > > !
        check_helo_access type:table
        > > !
        Search the specified access(5) database for the HELO or EHLO > ! hostname or parent domains, and execute the corresponding action. > !
        > > !
        check_helo_mx_access type:table
        > > !
        Search the specified access(5) database for the MX hosts for > ! the HELO or EHLO hostname, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > !
        check_helo_ns_access type:table
        > > !
        Search the specified access(5) database for the DNS servers > ! for the HELO or EHLO hostname, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > !
        reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
        > > !
        Reject the request when the HELO or EHLO hostname syntax is > ! invalid.
        The invalid_hostname_reject_code specifies the response > ! code to rejected requests (default: 501).
        > > !
        reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
        > > !
        Reject the request when the HELO or EHLO hostname is not in > ! fully-qualified domain form, as required by the RFC.
        The > ! non_fqdn_reject_code parameter specifies the response code to > ! rejected requests (default: 504).
        > ! > !
        reject_rhsbl_helo rbl_domain=d.d.d.d
        > ! > !
        Reject the request when the HELO or EHLO hostname hostname is > ! listed with the A record "d.d.d.d" under rbl_domain > ! (Postfix version 2.1 and later only). If no "=d.d.d.d" is > ! specified, reject the request when the HELO or EHLO hostname is > ! listed with any A record under rbl_domain. See the > ! reject_rbl_client description for additional RBL related configuration > ! parameters. This feature is available in Postfix 2.0 and later. >
        > > !
        reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
        > > !
        Reject the request when the HELO or EHLO hostname has no DNS A > ! or MX record.
        The unknown_hostname_reject_code specifies the > ! response code to rejected requests (default: 450).
        > > *************** > *** 13910,13926 **** >

        > ! By default, the Postfix SMTP server accepts plaintext passwords but > ! not anonymous logins. >

        > > !

        > ! Warning: it appears that clients try authentication methods in the > ! order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) > ! which means that if you disable plaintext passwords, clients will > ! log in anonymously, even when they should be able to use CRAM-MD5. > ! So, if you disable plaintext logins, disable anonymous logins too. > ! Postfix treats anonymous login as no authentication. > !

        > >

        > ! Example: >

        > --- 10664,10687 ---- >

        > ! Other restrictions that are valid in this context: >

        > > ! > >

        > ! Examples: >
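Review bot: the `!` lines on the `*** 13910,13926 ****` side remove the one operationally important warning in the SASL section ("if you disable plaintext logins, disable anonymous logins too. Postfix treats anonymous login as no authentication"), and what replaces them on the `--- 10664,10687 ----` side is HELO restriction text, so the two files are simply misaligned at this point. Before this notification is trusted, check that the warning still exists in the new file under smtpd_sasl_security_options; it is the text that explains why noanonymous must stay in the option list when noplaintext is added, which matters to anyone hardening AUTH.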

        > *************** > *** 13928,13930 **** >
        > ! smtpd_sasl_security_options = noanonymous, noplaintext
        >   
        > --- 10689,10692 ---- >
        > ! smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
        > ! smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
        >   
        > *************** > *** 13934,13942 **** > > !
        smtpd_sasl_tls_security_options > ! (default: $smtpd_sasl_security_options)
        > > !

        The SASL authentication security options that the Postfix SMTP > ! server uses for TLS encrypted SMTP sessions.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 10696,10719 ---- > > !
        smtpd_history_flush_threshold > ! (default: 100)
        > > !

        > ! The maximal number of lines in the Postfix SMTP server command history > ! before it is flushed upon receipt of EHLO, RSET, or end of DATA. > !

        > > ! > !
        > ! > !
        smtpd_junk_command_limit > ! (default: 100)
        > ! > !

        > ! The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote > ! SMTP client can send before the Postfix SMTP server starts to > ! increment the error counter with each junk command. The junk > ! command count is reset after mail is delivered. See also the > ! smtpd_error_sleep_time and smtpd_soft_error_limit configuration > ! parameters. > !

        > > *************** > *** 13945,13952 **** > > !
        smtpd_sasl_type > ! (default: cyrus)
        > > !

        The SASL plug-in type that the Postfix SMTP server should use > ! for authentication. The available types are listed with the > ! "postconf -a" command.

        > > --- 10722,10729 ---- > > !
        smtpd_milters > ! (default: empty)
        > > !

        A list of Milter (mail filter) applications for new mail that > ! arrives via the Postfix smtpd(8) server. See the MILTER_README > ! document for details.

        > > *************** > *** 13957,13959 **** > > !
        smtpd_sender_login_maps > (default: empty)
        > --- 10734,10736 ---- > > !
        smtpd_noop_commands > (default: empty)
        > *************** > *** 13961,13993 **** >

        > ! Optional lookup table with the SASL login names that own sender > ! (MAIL FROM) addresses. >

        > >

        > ! Specify zero or more "type:table" lookup tables. With lookups from > ! indexed files such as DB or DBM, or from networked tables such as > ! NIS, LDAP or SQL, the following search operations are done with a > ! sender address of user at domain:

        > > -
        > > !
        1) user at domain
        > > !
        This table lookup is always done and has the highest precedence.
        > > !
        2) user
        > > !
        This table lookup is done only when the domain part of the > ! sender address matches $myorigin, $mydestination, $inet_interfaces > ! or $proxy_interfaces.
        > > -
        3) @domain
        > > !
        This table lookup is done last and has the lowest precedence.
        > > !
        > >

        > ! In all cases the result of table lookup must be either "not found" > ! or a list of SASL login names separated by comma and/or whitespace. >

        > --- 10738,10782 ---- >

        > ! List of commands that the Postfix SMTP server replies to with "250 > ! Ok", without doing any syntax checks and without changing state. > ! This list overrides any commands built into the Postfix SMTP server. >

        > > + > +
        > + > +
        smtpd_null_access_lookup_key > + (default: <>)
        > + >

        > ! The lookup key to be used in SMTP access(5) tables instead of the > ! null sender address. > !

        > > > !
        > > !
        smtpd_peername_lookup > ! (default: yes)
        > > !

        Attempt to look up the remote SMTP client hostname, and verify that > ! the name matches the client IP address. A client name is set to > ! "unknown" when it cannot be looked up or verified, or when name > ! lookup is disabled. Turning off name lookup reduces delays due to > ! DNS lookup and increases the maximal inbound delivery rate.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        smtpd_policy_service_max_idle > ! (default: 300s)
        > >

        > ! The time after which an idle SMTPD policy service connection is > ! closed. > !

        > ! > !

        > ! This feature is available in Postfix 2.1 and later. >
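Review bot: the `*** 13961,13993 ****` side that disappears in this hunk is the lookup-order description for smtpd_sender_login_maps (1) user at domain, always; 2) user, only when the domain matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces; 3) @domain, lowest precedence), while the `--- 10738,10782 ----` side holds smtpd_noop_commands through smtpd_policy_service_max_idle; these are unrelated parameters, so treat the `!` and `-` markers as an alignment artifact rather than a removal. If the precedence text really were gone, reject_sender_login_mismatch (documented later in this same patch) would lose the only statement of how an address owner is determined, so confirm that section survives in the new file before acting on this diff.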

        > *************** > *** 13997,14006 **** > > !
        smtpd_sender_restrictions > ! (default: empty)
        > >

        > ! Optional restrictions that the Postfix SMTP server applies in the > ! context of the MAIL FROM command. > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > ! restriction lists" for a discussion of evaluation context and time. >

        > --- 10786,10793 ---- > > !
        smtpd_policy_service_max_ttl > ! (default: 1000s)
        > >

        > ! The time after which an active SMTPD policy service connection is > ! closed. >

        > *************** > *** 14008,14017 **** >

        > ! The default is to permit everything. >

        > >

        > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. >

        > --- 10795,10808 ---- >

        > ! This feature is available in Postfix 2.1 and later. >

        > > + > +
        > + > +
        smtpd_policy_service_timeout > + (default: 100s)
        > + >

        > ! The time limit for connecting to, writing to or receiving from a > ! delegated SMTPD policy server. >

        > *************** > *** 14019,14130 **** >

        > ! The following restrictions are specific to the sender address > ! received with the MAIL FROM command. >

        > > -
        > > !
        check_sender_access type:table
        > > !
        Search the specified access(5) database for the MAIL FROM > ! address, domain, parent domains, or localpart@, and execute the > ! corresponding action.
        > > !
        check_sender_mx_access type:table
        > > !
        Search the specified access(5) database for the MX hosts for > ! the MAIL FROM address, and execute the corresponding action. Note: > ! a result of "OK" is not allowed for safety reasons. Instead, use > ! DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > -
        check_sender_ns_access type:table
        > > !
        Search the specified access(5) database for the DNS servers > ! for the MAIL FROM address, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > !
        reject_authenticated_sender_login_mismatch
        > > !
        Enforces the reject_sender_login_mismatch restriction for > ! authenticated clients only. This feature is available in > ! Postfix version 2.1 and later.
        > > !
        reject_non_fqdn_sender
        > > !
        Reject the request when the MAIL FROM address is not in > ! fully-qualified domain form, as required by the RFC.
        The > ! non_fqdn_reject_code parameter specifies the response code for > ! rejected requests (default: 504).
        > > !
        reject_rhsbl_sender rbl_domain=d.d.d.d
        > > !
        Reject the request when the MAIL FROM domain is listed with > ! the A record "d.d.d.d" under rbl_domain (Postfix > ! version 2.1 and later only). Each "d" is a number, or a > ! pattern inside "[]" that contains one or more ";"-separated numbers > ! or number..number ranges (Postfix version 2.8 and later). If no > ! "=d.d.d.d" is specified, > ! reject the request when the MAIL FROM domain is > ! listed with any A record under rbl_domain.
        The > ! maps_rbl_reject_code parameter specifies the response code for > ! rejected requests (default: 554); the default_rbl_reply parameter > ! specifies the default server reply; and the rbl_reply_maps parameter > ! specifies tables with server replies indexed by rbl_domain. > ! This feature is available in Postfix 2.0 and later.
        > > -
        reject_sender_login_mismatch
        > > !
        Reject the request when $smtpd_sender_login_maps specifies an > ! owner for the MAIL FROM address, but the client is not (SASL) logged > ! in as that MAIL FROM address owner; or when the client is (SASL) > ! logged in, but the client login name doesn't own the MAIL FROM > ! address according to $smtpd_sender_login_maps.
        > > !
        reject_unauthenticated_sender_login_mismatch
        > > !
        Enforces the reject_sender_login_mismatch restriction for > ! unauthenticated clients only. This feature is available in > ! Postfix version 2.1 and later.
        > > -
        reject_unknown_sender_domain
        > > !
        Reject the request when Postfix is not final destination for > ! the sender address, and the MAIL FROM domain has 1) no DNS A or MX > ! record, or 2) a malformed MX record such as a record with > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > ! unknown_address_reject_code parameter specifies the numerical > ! response code for rejected requests (default: 450). The response > ! is always 450 in case of a temporary DNS error.
        The > ! unknown_address_tempfail_action parameter specifies the action > ! after a temporary DNS error (default: defer_if_permit).
        > > !
        reject_unlisted_sender
        > > !
        Reject the request when the MAIL FROM address is not listed in > ! the list of valid recipients for its domain class. See the > ! smtpd_reject_unlisted_sender parameter description for details. > ! This feature is available in Postfix 2.1 and later.
        > > -
        reject_unverified_sender
        > > !
        Reject the request when mail to the MAIL FROM address is known to > ! bounce, or when the sender address destination is not reachable. > ! Address verification information is managed by the verify(8) server; > ! see the ADDRESS_VERIFICATION_README file for details.
        The > ! unverified_sender_reject_code parameter specifies the numerical > ! response code when an address is known to bounce (default: 450, > ! change into 550 when you are confident that it is safe to do so). > !
        The unverified_sender_defer_code specifies the numerical response > ! code when an address address probe failed due to a temporary problem > ! (default: 450).
        The unverified_sender_tempfail_action parameter > ! specifies the action after address probe failure due to a temporary > ! problem (default: defer_if_permit).
        This feature is available > ! in Postfix 2.1 and later.
        > > !
        > >

        > ! Other restrictions that are valid in this context: >

        > --- 10810,10909 ---- >

        > ! This feature is available in Postfix 2.1 and later. >

        > > > !
        > > !
        smtpd_proxy_ehlo > ! (default: $myhostname)
        > > !

        > ! How the Postfix SMTP server announces itself to the proxy filter. > ! By default, the Postfix hostname is used. > !

        > > !

        > ! This feature is available in Postfix 2.1 and later. > !

        > > > !
        > > !
        smtpd_proxy_filter > ! (default: empty)
        > > !

        The hostname and TCP port of the mail filtering proxy server. > ! The proxy receives all mail from the Postfix SMTP server, and is > ! supposed to give the result to another Postfix SMTP server process. > !

        > > !

        Specify "host:port" or "inet:host:port" for a TCP endpoint, or > ! "unix:pathname" for a UNIX-domain endpoint. The host can be specified > ! as an IP address or as a symbolic name; no MX lookups are done. > ! When no "host" or "host:" are specified, the local machine is > ! assumed. Pathname interpretation is relative to the Postfix queue > ! directory.

        > > !

        This feature is available in Postfix 2.1 and later.

        > ! > !

        The "inet:" and "unix:" prefixes are available in Postfix 2.3 > ! and later.

        > ! > ! > !
        > ! > !
        smtpd_proxy_timeout > ! (default: 100s)
        > ! > !

        > ! The time limit for connecting to a proxy filter and for sending or > ! receiving information. When a connection fails the client gets a > ! generic error message while more detailed information is logged to > ! the maillog file. > !

        > > !

        > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

        > > !

        > ! This feature is available in Postfix 2.1 and later. > !

        > > > !
        > > !
        smtpd_recipient_limit > ! (default: 1000)
        > > !

        > ! The maximal number of recipients that the Postfix SMTP server > ! accepts per message delivery request. > !

        > > > !
        > > !
        smtpd_recipient_overshoot_limit > ! (default: 1000)
        > > !

        The number of recipients that a remote SMTP client can send in > ! excess of the limit specified with $smtpd_recipient_limit, before > ! the Postfix SMTP server increments the per-session error count > ! for each excess recipient.

        > > > !
        > > !
        smtpd_recipient_restrictions > ! (default: permit_mynetworks, reject_unauth_destination)
        > >

        > ! The access restrictions that the Postfix SMTP server applies in > ! the context of the RCPT TO command. > !

        > ! > !

        > ! By default, the Postfix SMTP server accepts: >

        > *************** > *** 14133,14145 **** > > !
      • Generic restrictions that can be used > ! in any SMTP command context, described under smtpd_client_restrictions. > > !
      • SMTP command specific restrictions described under > ! smtpd_client_restrictions and smtpd_helo_restrictions. > > !
      • SMTP command specific restrictions described under > ! smtpd_recipient_restrictions. When recipient restrictions are listed > ! under smtpd_sender_restrictions, they have effect only with > ! "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is > ! evaluated at the time of the RCPT TO command. > > --- 10912,10922 ---- > > !
      • Mail from clients whose IP address matches $mynetworks, or: > > !
      • Mail to remote destinations that match $relay_domains, except > ! for addresses that contain sender-specified routing > ! (user at elsewhere@domain), or: > > !
      • Mail to local destinations that match $inet_interfaces > ! or $proxy_interfaces, $mydestination, $virtual_alias_domains, or > ! $virtual_mailbox_domains. > > *************** > *** 14148,14354 **** >

        > ! Examples: >

        > >
        > ! smtpd_sender_restrictions = reject_unknown_sender_domain
        > ! smtpd_sender_restrictions = reject_unknown_sender_domain,
        > !     check_sender_access hash:/etc/postfix/access
        >   
        > > ! > !
      • > ! > !
        smtpd_service_name > ! (default: smtpd)
        > ! > !

        The internal service that postscreen(8) hands off allowed > ! connections to. In a future version there may be different > ! classes of SMTP service.

        > ! > !

        This feature is available in Postfix 2.8.

        > ! > ! > !
        > ! > !
        smtpd_soft_error_limit > ! (default: 10)
        > >

        > ! The number of errors a remote SMTP client is allowed to make without > ! delivering mail before the Postfix SMTP server slows down all its > ! responses. >

        > > !
          > > !
        • With Postfix version 2.1 and later, the Postfix SMTP server > ! delays all responses by $smtpd_error_sleep_time seconds.

          > > !
        • With Postfix versions 2.0 and earlier, the Postfix SMTP > ! server delays all responses by (number of errors) seconds.

          > > !
        > > > !
        > > !
        smtpd_starttls_timeout > ! (default: see "postconf -d" output)
        > > !

        The time limit for Postfix SMTP server write and read operations > ! during TLS startup and shutdown handshake procedures. The current > ! default value is stress-dependent. Before Postfix version 2.8, it > ! was fixed at 300s.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_timeout > ! (default: normal: 300s, overload: 10s)
        > > !

        > ! The time limit for sending a Postfix SMTP server response and for > ! receiving a remote SMTP client request. Normally the default limit > ! is 300s, but it changes under overload to just 10s. With Postfix > ! 2.5 and earlier, the SMTP server always uses a time limit of 300s > ! by default. > !

        > > !

        > ! Note: if you set SMTP time limits to very large values you may have > ! to update the global ipc_timeout parameter. > !

        > > !

        > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

        > > > !
        > > !
        smtpd_tls_CAfile > ! (default: empty)
        > > !

        A file containing (PEM format) CA certificates of root CAs trusted > ! to sign either remote SMTP client certificates or intermediate CA > ! certificates. These are loaded into memory before the smtpd(8) server > ! enters the chroot jail. If the number of trusted roots is large, consider > ! using smtpd_tls_CApath instead, but note that the latter directory must > ! be present in the chroot jail if the smtpd(8) server is chrooted. This > ! file may also be used to augment the server certificate trust chain, > ! but it is best to include all the required certificates directly in the > ! server certificate file.

        > ! > !

        Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY > ! the system-supplied default certificate authority certificates. > !

        > ! > !

        Specify "tls_append_default_CA = no" to prevent Postfix from > ! appending the system-supplied default CAs and trusting third-party > ! certificates.

        > ! > !

        By default (see smtpd_tls_ask_ccert), client certificates are not > ! requested, and smtpd_tls_CAfile should remain empty. If you do make use > ! of client certificates, the distinguished names (DNs) of the certificate > ! authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client > ! in the client certificate request message. MUAs with multiple client > ! certificates may use the list of preferred certificate authorities > ! to select the correct client certificate. You may want to put your > ! "preferred" CA or CAs in this file, and install other trusted CAs in > ! $smtpd_tls_CApath.

        > > !

        Example:

        > > !
        > ! smtpd_tls_CAfile = /etc/postfix/CAcert.pem
        > ! 
        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_CApath > ! (default: empty)
        > > !

        A directory containing (PEM format) CA certificates of root CAs > ! trusted to sign either remote SMTP client certificates or intermediate CA > ! certificates. Do not forget to create the necessary "hash" links with, > ! for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use > ! smtpd_tls_CApath in chroot mode, this directory (or a copy) must be > ! inside the chroot jail.

        > ! > !

        Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to > ! use ONLY the system-supplied default certificate authority certificates. > !

        > ! > !

        Specify "tls_append_default_CA = no" to prevent Postfix from > ! appending the system-supplied default CAs and trusting third-party > ! certificates.

        > ! > !

        By default (see smtpd_tls_ask_ccert), client certificates are > ! not requested, and smtpd_tls_CApath should remain empty. In contrast > ! to smtpd_tls_CAfile, DNs of certificate authorities installed > ! in $smtpd_tls_CApath are not included in the client certificate > ! request message. MUAs with multiple client certificates may use the > ! list of preferred certificate authorities to select the correct > ! client certificate. You may want to put your "preferred" CA or > ! CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in > ! $smtpd_tls_CApath.

        > > !

        Example:

        > > !
        > ! smtpd_tls_CApath = /etc/postfix/certs
        > ! 
        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_always_issue_session_ids > ! (default: yes)
        > > !

        Force the Postfix SMTP server to issue a TLS session id, even > ! when TLS session caching is turned off (smtpd_tls_session_cache_database > ! is empty). This behavior is compatible with Postfix < 2.3.

        > > !

        With Postfix 2.3 and later the Postfix SMTP server can disable > ! session id generation when TLS session caching is turned off. This > ! keeps remote SMTP clients from caching sessions that almost certainly cannot > ! be re-used.

        > > !

        By default, the Postfix SMTP server always generates TLS session > ! ids. This works around a known defect in mail client applications > ! such as MS Outlook, and may also prevent interoperability issues > ! with other MTAs.

        > > !

        Example:

        > > !
        > ! smtpd_tls_always_issue_session_ids = no
        > ! 
        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        smtpd_tls_ask_ccert > ! (default: no)
        > > !

        Ask a remote SMTP client for a client certificate. This > ! information is needed for certificate based mail relaying with, > ! for example, the permit_tls_clientcerts feature.

        > > !

        Some clients such as Netscape will either complain if no > ! certificate is available (for the list of CAs in $smtpd_tls_CAfile) > ! or will offer multiple client certificates to choose from. This > ! may be annoying, so this option is "off" by default.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 10925,11107 ---- >

        > ! IMPORTANT: If you change this parameter setting, you must specify > ! at least one of the following restrictions. Otherwise Postfix will > ! refuse to receive mail: >

        > > +
        >
        > ! reject, defer, defer_if_permit, reject_unauth_destination
        >   
        > +
        > > !

        > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. > !

        > >

        > ! The following restrictions are specific to the recipient address > ! that is received with the RCPT TO command. >

        > > !
        > > !
        check_recipient_access type:table
        > > !
        Search the specified access(5) database for the resolved RCPT > ! TO address, domain, parent domains, or localpart@, and execute the > ! corresponding action.
        > > !
        check_recipient_mx_access type:table
        > ! > !
        Search the specified access(5) database for the MX hosts for > ! the RCPT TO domain, and execute the corresponding action. Note: > ! a result of "OK" is not allowed for safety reasons. Instead, use > ! DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > +
        check_recipient_ns_access type:table
        > > !
        Search the specified access(5) database for the DNS servers > ! for the RCPT TO domain, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > !
        permit_auth_destination
        > > !
        Permit the request when one of the following is true: > > !
        > > !
        permit_mx_backup
        > > !
        Permit the request when the local mail system is backup MX for > ! the RCPT TO domain, or when the domain is an authorized destination > ! (see permit_auth_destination for definition). > > !
          > > +
        • Safety: permit_mx_backup does not accept addresses that have > + sender-specified routing information (example: user at elsewhere@domain). > > !
        • Safety: permit_mx_backup can be vulnerable to mis-use when > ! access is not restricted with permit_mx_backup_networks. > > !
        • Safety: as of Postfix version 2.3, permit_mx_backup no longer > ! accepts the address when the local mail system is primary MX for > ! the recipient domain. Exception: permit_mx_backup accepts the address > ! when it specifies an authorized destination (see permit_auth_destination > ! for definition). > > !
        • Limitation: mail may be rejected in case of a temporary DNS > ! lookup problem with Postfix prior to version 2.0. > > !
        > > !
        reject_non_fqdn_recipient
        > > !
        Reject the request when the RCPT TO address is not in > ! fully-qualified domain form, as required by the RFC.
        The > ! non_fqdn_reject_code parameter specifies the response code to > ! rejected requests (default: 504).
        > > +
        reject_rhsbl_recipient rbl_domain=d.d.d.d
        > > !
        Reject the request when the RCPT TO domain is listed with the > ! A record "d.d.d.d" under rbl_domain (Postfix version > ! 2.1 and later only). If no "=d.d.d.d" is specified, reject > ! the request when the RCPT TO domain is listed with > ! any A record under rbl_domain.
        The maps_rbl_reject_code > ! parameter specifies the response code for rejected requests (default: > ! 554); the default_rbl_reply parameter specifies the default server > ! reply; and the rbl_reply_maps parameter specifies tables with server > ! replies indexed by rbl_domain. This feature is available > ! in Postfix version 2.0 and later.
        > > !
        reject_unauth_destination
        > > !
        Reject the request unless one of the following is true: > > ! The relay_domains_reject_code parameter specifies the response > + code for rejected requests (default: 554).
        > > !
        reject_unknown_recipient_domain
        > > !
        Reject the request when Postfix is not final destination for > ! the recipient domain, and the RCPT TO domain has no DNS A or MX > ! record, or when it has a malformed MX record such as a record with > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > ! unknown_address_reject_code parameter specifies the response code > ! for rejected requests (default: 450). The response is always 450 > ! in case of a temporary DNS error.
        > > !
        reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
        > > !
        Reject the request when the RCPT TO address is not listed in > ! the list of valid recipients for its domain class. See the > ! smtpd_reject_unlisted_recipient parameter description for details. > ! This feature is available in Postfix 2.1 and later.
        > > !
        reject_unverified_recipient
        > > !
        Reject the request when mail to the RCPT TO address is known > ! to bounce, or when the recipient address destination is not reachable. > ! Address verification information is managed by the verify(8) server; > ! see the ADDRESS_VERIFICATION_README file for details.
        The > ! unverified_recipient_reject_code parameter specifies the response > ! when an address is known to bounce (default: 450, change into 550 > ! when you are confident that it is safe to do so). The > ! unverified_recipient_defer_code parameter specifies the response > ! when an address probe failed due to a temporary problem (default: > ! 450). This feature is available in Postfix 2.1 and later.
        > > !
        > > !

        > ! Other restrictions that are valid in this context: > !

        > > + > > !

        > ! Example: > !

        > > !
        > ! smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
        > ! 
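Review bot: the condition lists are missing for permit_auth_destination ("Permit the request when one of the following is true:" is followed by nothing) and for reject_unauth_destination ("Reject the request unless one of the following is true:" runs straight into the relay_domains_reject_code sentence), and "Other restrictions that are valid in this context:" is likewise followed by nothing. Since the IMPORTANT paragraph in this same hunk makes reject_unauth_destination (or reject, defer, defer_if_permit) mandatory in smtpd_recipient_restrictions to keep Postfix from relaying for anyone, the conditions that define an authorized destination must survive in the rendered text; the "By default, the Postfix SMTP server accepts:" bullets earlier in this diff ($mynetworks, $relay_domains without sender-specified routing, the local destination classes) are the same conditions and could simply be referenced. Separately, the permit_mx_backup safety bullet shows the source-routed example as "user at elsewhere@domain", and the $relay_domains bullet of the previous hunk shows the same form: the list archiver has rewritten the first "@" as " at " (it does the same to the From addresses), so the double-@ form the bullet is warning about is no longer visible; confirm the source HTML still reads user@elsewhere@domain.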
        > > *************** > *** 14357,14388 **** > > !
        smtpd_tls_auth_only > ! (default: no)
        > > !

        When TLS encryption is optional in the Postfix SMTP server, do > ! not announce or accept SASL authentication over unencrypted > ! connections.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_ccert_verifydepth > ! (default: 9)
        > > !

        The verification depth for remote SMTP client certificates. A > ! depth of 1 is sufficient if the issuing CA is listed in a local CA > ! file.

        > > !

        The default verification depth is 9 (the OpenSSL default) for > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > ! the default value was 5, but the limit was not actually enforced. If > ! you have set this to a lower non-default value, certificates with longer > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > ! CAs are common, deeper chains are more rare and any number between 5 > ! and 9 should suffice in practice. You can choose a lower number if, > ! for example, you trust certificates directly signed by an issuing CA > ! but not any CAs it delegates to.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11110,11143 ---- > > !
        smtpd_reject_unlisted_recipient > ! (default: yes)
        > > !

        > ! Request that the Postfix SMTP server rejects mail for unknown > ! recipient addresses, even when no explicit reject_unlisted_recipient > ! access restriction is specified. This prevents the Postfix queue > ! from filling up with undeliverable MAILER-DAEMON messages. > !

        > > ! > > !

        > ! This feature is available in Postfix 2.1 and later. > !
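Review bot: the smtpd_tls_auth_only entry states the effect of the setting (no SASL AUTH announced or accepted over unencrypted connections when TLS is optional) but not why the default "no" matters: with smtpd_sasl_auth_enable = yes and the default smtpd_sasl_security_options = noanonymous (both later in this diff), plaintext mechanisms remain allowed, so on an optional-TLS server the password itself can cross the wire in the clear unless this parameter is set to yes or noplaintext is added to the SASL options. Suggest the entry cross-reference smtpd_sasl_security_options and say which of the two settings addresses which case. In the smtpd_tls_ccert_verifydepth entry, "If you have set this to a lower non-default value, certificates with longer trust chains may now fail to verify" follows "the limit was not actually enforced" without connecting them; state the causal link plainly (a low value that was previously ignored now takes effect).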

        > > *************** > *** 14391,14446 **** > > !
        smtpd_tls_cert_file > ! (default: empty)
        > ! > !

        File with the Postfix SMTP server RSA certificate in PEM format. > ! This file may also contain the Postfix SMTP server private RSA key.

        > ! > !

        Public Internet MX hosts without certificates signed by a "reputable" > ! CA must generate, and be prepared to present to most clients, a > ! self-signed or private-CA signed certificate. The client will not be > ! able to authenticate the server, but unless it is running Postfix 2.3 or > ! similar software, it will still insist on a server certificate.

        > ! > !

        For servers that are not public Internet MX hosts, Postfix > ! 2.3 supports configurations with no certificates. This entails the > ! use of just the anonymous TLS ciphers, which are not supported by > ! typical SMTP clients. Since such clients will not, as a rule, fall > ! back to plain text after a TLS handshake failure, the server will > ! be unable to receive email from TLS enabled clients. To avoid > ! accidental configurations with no certificates, Postfix 2.3 enables > ! certificate-less operation only when the administrator explicitly > ! sets "smtpd_tls_cert_file = none". This ensures that new Postfix > ! configurations will not accidentally run with no certificates.

        > > !

        Both RSA and DSA certificates are supported. When both types > ! are present, the cipher used determines which certificate will be > ! presented to the client. For Netscape and OpenSSL clients without > ! special cipher choices the RSA certificate is preferred.

        > > !

        To enable a remote SMTP client to verify the Postfix SMTP server > ! certificate, the issuing CA certificates must be made available to the > ! client. You should include the required certificates in the server > ! certificate file, the server certificate first, then the issuing > ! CA(s) (bottom-up order).

        > > !

        Example: the certificate for "server.example.com" was issued by > ! "intermediate CA" which itself has a certificate of "root CA". > ! Create the server.pem file with "cat server_cert.pem intermediate_CA.pem > ! root_CA.pem > server.pem".

        > > !

        If you also want to verify client certificates issued by these > ! CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which > ! case it is not necessary to have them in the smtpd_tls_cert_file or > ! smtpd_tls_dcert_file.

        > > !

        A certificate supplied here must be usable as an SSL server certificate > ! and hence pass the "openssl verify -purpose sslserver ..." test.

        > > !

        Example:

        > > !
        > ! smtpd_tls_cert_file = /etc/postfix/server.pem
        > ! 
        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11146,11177 ---- > > !
        smtpd_reject_unlisted_sender > ! (default: no)
        > > !

        Request that the Postfix SMTP server rejects mail from unknown > ! sender addresses, even when no explicit reject_unlisted_sender > ! access restriction is specified. This can slow down an explosion > ! of forged mail from worms or viruses.

        > > ! > > !

        > ! This feature is available in Postfix 2.1 and later. > !
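Review bot: smtpd_tls_cert_file says the file "may also contain the Postfix SMTP server private RSA key", but the handling requirements for the key (stored unencrypted, read-only for root, no access for anyone else) appear only under smtpd_tls_dkey_file later in this diff; when the key is combined into the certificate file, that file inherits the same requirements, so this sentence should say so or point at the key-file entry, otherwise a reader may leave a combined server.pem world-readable because it "contains the certificate". The "openssl verify -purpose sslserver ..." check near the end of the entry is the useful acceptance test for the chain built with the cat command; consider moving it next to that example so the two are read together.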

        > > *************** > *** 14449,14467 **** > > !
        smtpd_tls_cipherlist > (default: empty)
        > > !

        Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS > ! cipher list. It is easy to create inter-operability problems by choosing > ! a non-default cipher list. Do not use a non-default TLS cipherlist for > ! MX hosts on the public Internet. Clients that begin the TLS handshake, > ! but are unable to agree on a common cipher, may not be able to send any > ! email to the SMTP server. Using a restricted cipher list may be more > ! appropriate for a dedicated MSA or an internal mailhub, where one can > ! exert some control over the TLS software and settings of the connecting > ! clients.

        > ! > !

        Note: do not use "" quotes around the parameter value.

        > > !

        This feature is available with Postfix version 2.2. It is not used with > ! Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

        > > --- 11180,11194 ---- > > !
        smtpd_restriction_classes > (default: empty)
        > > !

        > ! User-defined aliases for groups of access restrictions. The aliases > ! can be specified in smtpd_recipient_restrictions etc., and on the > ! right-hand side of a Postfix access(5) table. > !

        > > !

        > ! One major application is for implementing per-recipient UCE control. > ! See the RESTRICTION_CLASS_README document for other examples. > !
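Review bot: the obsolete smtpd_tls_cipherlist entry points Postfix 2.3 and later users only at smtpd_tls_mandatory_ciphers, but the smtpd_tls_ciphers entry in this same diff says that from Postfix 2.6 the opportunistic-TLS grade is governed by smtpd_tls_ciphers, with smtpd_tls_exclude_ciphers applying at all security levels; the replacement pointer should name all three, otherwise an administrator migrating an old cipher list will assume the mandatory-TLS parameter also controls opportunistic sessions. The interoperability warning here ("Clients that begin the TLS handshake, but are unable to agree on a common cipher, may not be able to send any email") is the same rationale given under smtpd_tls_ciphers; keep the wording identical in both places so they do not drift.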

        > > *************** > *** 14470,14494 **** > > !
        smtpd_tls_ciphers > ! (default: export)
        > ! > !

        The minimum TLS cipher grade that the Postfix SMTP server > ! will use with opportunistic TLS encryption. Cipher types listed in > ! smtpd_tls_exclude_ciphers are excluded from the base definition of > ! the selected cipher grade. The default value "export" ensures maximum > ! inter-operability. Because encryption is optional, stronger controls > ! are not appropriate, and this setting SHOULD NOT be changed unless the > ! change is essential.

        > ! > !

        When TLS is mandatory the cipher grade is chosen via the > ! smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax > ! details.

        > > !

        Example:

        > !
        > ! smtpd_tls_ciphers = export
        > ! 
        > > !

        This feature is available in Postfix 2.6 and later. With earlier Postfix > ! releases only the smtpd_tls_mandatory_ciphers parameter is implemented, > ! and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

        > > --- 11197,11213 ---- > > !
        smtpd_sasl_application_name > ! (default: smtpd)
        > > !

        > ! The application name that the Postfix SMTP server uses for SASL > ! server initialization. This > ! controls the name of the SASL configuration file. The default value > ! is smtpd, corresponding to a SASL configuration file named > ! smtpd.conf. > !

        > > !

        > ! This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 > ! it was renamed to smtpd_sasl_path. > !
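Review bot: the smtpd_tls_ciphers entry says the "export" default "SHOULD NOT be changed" because "encryption is optional", but it never states the failure mode that justifies the rule; the smtpd_tls_cert_file entry earlier in this diff supplies it ("such clients will not, as a rule, fall back to plain text after a TLS handshake failure"), i.e. a cipher mismatch on an opportunistic-TLS MX loses the mail rather than downgrading it. Add that sentence here and say that smtpd_tls_exclude_ciphers (already mentioned in the entry) is the intended way to remove specific ciphers without raising the grade. For smtpd_sasl_application_name, note that the smtpd_sasl_path entry in this diff has the same default (smtpd) and the same meaning, so the two entries should cross-reference each other rather than only mentioning the rename.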

        > > *************** > *** 14497,14514 **** > > !
        smtpd_tls_dcert_file > ! (default: empty)
        > > !

        File with the Postfix SMTP server DSA certificate in PEM format. > ! This file may also contain the Postfix SMTP server private DSA key.

        > > !

        See the discussion under smtpd_tls_cert_file for more details. >

        > > !

        Example:

        > >
        > ! smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
        >   
        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11216,11250 ---- > > !
        smtpd_sasl_auth_enable > ! (default: no)
        > > !

        > ! Enable SASL authentication in the Postfix SMTP server. By default, > ! the Postfix SMTP server does not use authentication. > !

        > > !

        > ! If a remote SMTP client is authenticated, the permit_sasl_authenticated > ! access restriction can be used to permit relay access, like this: >

        > > !
        > !
        > ! smtpd_recipient_restrictions =
        > !     permit_mynetworks, permit_sasl_authenticated, ...
        > ! 
        > !
        > ! > !

        To reject all SMTP connections from unauthenticated clients, > ! specify "smtpd_delay_reject = yes" (which is the default) and use: > !

        > > +
        >
        > ! smtpd_client_restrictions = permit_sasl_authenticated, reject
        >   
        > +
        > > !

        > ! See the SASL_README file for SASL configuration and operation details. > !
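Review bot: "To reject all SMTP connections from unauthenticated clients" overstates what "smtpd_client_restrictions = permit_sasl_authenticated, reject" does. The sentence itself requires smtpd_delay_reject = yes, which (as the earlier hunk on smtpd_sender_restrictions explains for sender restrictions) defers evaluation to the RCPT TO command, precisely so the client has had the opportunity to issue AUTH first; the connection is therefore accepted and it is the mail that is rejected. Reword to "to reject mail from unauthenticated clients" and say explicitly why smtpd_delay_reject is required. Also cross-reference smtpd_tls_auth_only from the permit_sasl_authenticated example, since the example as written will accept AUTH over an unencrypted session when TLS is optional and smtpd_tls_auth_only keeps its default of no.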

        > > *************** > *** 14517,14546 **** > > !
        smtpd_tls_dh1024_param_file > (default: empty)
        > > !

        File with DH parameters that the Postfix SMTP server should > ! use with EDH ciphers.

        > > !

        Instead of using the exact same parameter sets as distributed > ! with other TLS packages, it is more secure to generate your own > ! set of parameters with something like the following command:

        > > !
        > !
        > ! openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
        > ! 
        > !
        > > !

        Your actual source for entropy may differ. Some systems have > ! /dev/random; on other system you may consider using the "Entropy > ! Gathering Daemon EGD", available at http://egd.sourceforge.net/ >

        > > -

        Example:

        > - >
        > ! smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        >   
        > > !

        This feature is available with Postfix version 2.2.

        > > --- 11253,11309 ---- > > !
        smtpd_sasl_authenticated_header > ! (default: no)
        > ! > !

        Report the SASL authenticated user name in the smtpd(8) Received > ! message header.

        > ! > !

        This feature is available in Postfix 2.3 and later.

        > ! > ! > !
        > ! > !
        smtpd_sasl_exceptions_networks > (default: empty)
        > > !

        > ! What remote SMTP clients the Postfix SMTP server will not offer > ! AUTH support to. > !

        > > !

        > ! Some clients (Netscape 4 at least) have a bug that causes them to > ! require a login and password whenever AUTH is offered, whether it's > ! necessary or not. To work around this, specify, for example, > ! $mynetworks to prevent Postfix from offering AUTH to local clients. > !

        > > !

        > ! Specify a list of network/netmask patterns, separated by commas > ! and/or whitespace. The mask specifies the number of bits in the > ! network part of a host address. You can also "/file/name" or > ! "type:table" patterns. A "/file/name" pattern is replaced by its > ! contents; a "type:table" lookup table is matched when a table entry > ! matches a lookup string (the lookup result is ignored). Continue > ! long lines by starting the next line with whitespace. Specify > ! "!pattern" to exclude an address or network block from the list. > ! The form "!/file/name" is supported only in Postfix version 2.4 and > ! later.

        > ! > !

        Note: IP version 6 address information must be specified inside > ! [] in the smtpd_sasl_exceptions_networks value, and in > ! files specified with "/file/name". IP version 6 addresses contain > ! the ":" character, and would otherwise be confused with a "type:table" > ! pattern.

        > > !

        > ! Example: >

        > >
        > ! smtpd_sasl_exceptions_networks = $mynetworks
        >   
        > > !

        > ! This feature is available in Postfix 2.1 and later. > !
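Review bot: the smtpd_sasl_authenticated_header entry should state the trade-off of enabling it: the SASL login name is written into the Received: message header, so it becomes visible to every recipient of the message and to anything that inspects headers along the way; that is information about the server's authenticated users which the default "no" keeps private, and the entry gives no hint of it. In the smtpd_tls_dh1024_param_file entry, "on other system you may consider" should read "on other systems", and the EGD reference would be clearer as a conditional ("if your system lacks /dev/random, ..."), since as written it is not obvious that the daemon is only an alternative entropy source.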

        > > *************** > *** 14549,14567 **** > > !
        smtpd_tls_dh512_param_file > (default: empty)
        > > !

        File with DH parameters that the Postfix SMTP server should > ! use with EDH ciphers.

        > > !

        See also the discussion under the smtpd_tls_dh1024_param_file > ! configuration parameter.

        > > !

        Example:

        > >
        > ! smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
        >   
        > > -

        This feature is available with Postfix version 2.2.

        > - > > --- 11312,11334 ---- > > !
        smtpd_sasl_local_domain > (default: empty)
        > > !

        > ! The name of the Postfix SMTP server's local SASL authentication > ! realm. > !

        > > !

        > ! By default, the local authentication realm name is the null string. > !

        > > !

        > ! Examples: > !

        > >
        > ! smtpd_sasl_local_domain = $mydomain
        > ! smtpd_sasl_local_domain = $myhostname
        >   
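Review bot: smtpd_tls_dh512_param_file only says "See also the discussion under the smtpd_tls_dh1024_param_file configuration parameter", yet the only concrete instruction in that discussion is the 1024-bit generation command ("openssl gendh -out /etc/postfix/dh_1024.pem -2 1024"); give the 512-bit equivalent explicitly, using the /etc/postfix/dh_512.pem path of this entry's example, and say which cipher grade actually causes the 512-bit file to be used, since neither entry says when the 512-bit parameters are consulted instead of the 1024-bit ones. Also, "This feature is available with Postfix version 2.2" should read "2.2 and later" like the surrounding entries unless the parameter really was dropped after 2.2.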
        > > > *************** > *** 14569,14583 **** > > !
        smtpd_tls_dkey_file > ! (default: $smtpd_tls_dcert_file)
        > ! > !

        File with the Postfix SMTP server DSA private key in PEM format. > ! This file may be combined with the Postfix SMTP server DSA certificate > ! file specified with $smtpd_tls_dcert_file.

        > > !

        The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11336,11348 ---- > > !
        smtpd_sasl_path > ! (default: smtpd)
        > > !

        Implementation-specific information that the Postfix SMTP server > ! passes through to > ! the SASL plug-in implementation that is selected with > ! smtpd_sasl_type. Typically this specifies the name of a > ! configuration file or rendezvous point.

        > > !

        This feature is available in Postfix 2.3 and later. In earlier > ! releases it was called smtpd_sasl_application_name.
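Review bot: smtpd_tls_dkey_file requires the key to be unencrypted and readable only by root, which makes file permissions the sole protection for it, but the entry does not say when smtpd(8) reads the file; the smtpd_tls_CAfile entry in this diff states that CA certificates "are loaded into memory before the smtpd(8) server enters the chroot jail", and the key entry should make the equivalent statement (or the contrary) so that an administrator following both instructions (root-only key, chrooted smtpd) can tell whether the key will be readable. In smtpd_sasl_path, "Implementation-specific information that the Postfix SMTP server passes through to the SASL plug-in implementation" loses the concrete detail that the smtpd_sasl_application_name entry it replaces gave (the value names the SASL configuration file, smtpd.conf by default); restate that for the cyrus implementation so the rename does not make the parameter vaguer.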

        > > *************** > *** 14586,14650 **** > > !
        smtpd_tls_eccert_file > ! (default: empty)
        > ! > !

        File with the Postfix SMTP server ECDSA certificate in PEM format. > ! This file may also contain the Postfix SMTP server private ECDSA key.

        > ! > !

        See the discussion under smtpd_tls_cert_file for more details.

        > ! > !

        Example:

        > > !
        > ! smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
        > ! 
        > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > !
        > > !
        smtpd_tls_eckey_file > ! (default: $smtpd_tls_eccert_file)
        > > !

        File with the Postfix SMTP server ECDSA private key in PEM format. > ! This file may be combined with the Postfix SMTP server ECDSA certificate > ! file specified with $smtpd_tls_eccert_file.

        > > !

        The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

        > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > !
        > > !
        smtpd_tls_eecdh_grade > ! (default: see "postconf -d" output)
        > > !

        The Postfix SMTP server security grade for ephemeral elliptic-curve > ! Diffie-Hellman (EECDH) key exchange.

        > > !

        The available choices are:

        > > !
        > > !
        none
        Don't use EECDH. Ciphers based on EECDH key > ! exchange will be disabled. This is the default in Postfix versions > ! 2.6 and 2.7.
        > ! > !
        strong
        Use EECDH with approximately 128 > ! bits of security at a reasonable computational cost. This is the > ! current best-practice trade-off between security and computational > ! efficiency. This is the default in Postfix version 2.8 and later. >
        > > !
        ultra
        Use EECDH with approximately 192 bits of > ! security at computational cost that is approximately twice as high > ! as 128 bit strength ECC. Barring significant progress in attacks on > ! elliptic curve crypto-systems, the "strong" curve is sufficient for most > ! users.
        > > --- 11351,11400 ---- > > !
        smtpd_sasl_security_options > ! (default: noanonymous)
        > > !

        Postfix SMTP server SASL security options; as of Postfix 2.3 > ! the list of available > ! features depends on the SASL server implementation that is selected > ! with smtpd_sasl_type.

        > > !

        The following security features are defined for the cyrus > ! server SASL implementation:

        > > +

        > + Restrict what authentication mechanisms the Postfix SMTP server > + will offer to the client. The list of available authentication > + mechanisms is system dependent. > +

        > > !

        > ! Specify zero or more of the following: > !

        > > !
        > > !
        noplaintext
        > > !
        Disallow methods that use plaintext passwords.
        > > !
        noactive
        > > +
        Disallow methods subject to active (non-dictionary) attack.
        > > !
        nodictionary
        > > !
        Disallow methods subject to passive (dictionary) attack.
        > > !
        noanonymous
        > > !
        Disallow methods that allow anonymous authentication.
        > > !
        forward_secrecy
        > > !
        Only allow methods that support forward secrecy (Dovecot only). >
        > > !
        mutual_auth
        > ! > !
        Only allow methods that provide mutual authentication (not available > ! with Cyrus SASL version 1).
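Review bot: the smtpd_sasl_security_options text on the new side opens with "The following security features are defined for the cyrus server SASL implementation" but the list it introduces contains forward_secrecy marked "(Dovecot only)" and mutual_auth marked "not available with Cyrus SASL version 1", so the lead-in contradicts its own items; reword it to say that the options below apply to whichever backend is selected with smtpd_sasl_type, and keep the per-item notes on which backend honours each one. The EECDH grade text on the old side is consistent on its own terms ("strong" at about 128 bits, "ultra" at about 192 bits for roughly twice the cost) and needs no change.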
        > > *************** > *** 14652,14690 **** > > !

        This feature is available in Postfix 2.6 and later, when it is > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > !
        > > !
        smtpd_tls_exclude_ciphers > ! (default: empty)
        > > -

        List of ciphers or cipher types to exclude from the SMTP server > - cipher list at all TLS security levels. Excluding valid ciphers > - can create interoperability problems. DO NOT exclude ciphers unless it > - is essential to do so. This is not an OpenSSL cipherlist; it is a simple > - list separated by whitespace and/or commas. The elements are a single > - cipher, or one or more "+" separated cipher properties, in which case > - only ciphers matching all the properties are excluded.

        > > !

        Examples (some of these will cause problems):

        > > !
        > !
        > ! smtpd_tls_exclude_ciphers = aNULL
        > ! smtpd_tls_exclude_ciphers = MD5, DES
        > ! smtpd_tls_exclude_ciphers = DES+MD5
        > ! smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
        > ! smtpd_tls_exclude_ciphers = kEDH+aRSA
        > ! 
        > !
        > > !

        The first setting disables anonymous ciphers. The next setting > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > ! encryption algorithm. The next setting disables ciphers that use MD5 and > ! DES together. The next setting disables the two ciphers "AES256-SHA" > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > ! key exchange with RSA authentication.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > --- 11402,11435 ---- > > !

        > ! By default, the Postfix SMTP server accepts plaintext passwords but > ! not anonymous logins. > !

        > > +

        > + Warning: it appears that clients try authentication methods in the > + order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) > + which means that if you disable plaintext passwords, clients will > + log in anonymously, even when they should be able to use CRAM-MD5. > + So, if you disable plaintext logins, disable anonymous logins too. > + Postfix treats anonymous login as no authentication. > +

        > > !

        > ! Example: > !

        > > !
        > ! smtpd_sasl_security_options = noanonymous, noplaintext
        > ! 
        > > > !
        > > !
        smtpd_sasl_tls_security_options > ! (default: $smtpd_sasl_security_options)
        > > !

        The SASL authentication security options that the Postfix SMTP > ! server uses for TLS encrypted SMTP sessions.

        > > !

        This feature is available in Postfix 2.2 and later.
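Review bot: the new-side entries for smtpd_sasl_security_options and smtpd_sasl_tls_security_options explain that the TLS variant defaults to $smtpd_sasl_security_options, but never show the split configuration that the warning about plaintext mechanisms is building up to; next to "smtpd_sasl_security_options = noanonymous, noplaintext" add "smtpd_sasl_tls_security_options = noanonymous", so that PLAIN and LOGIN are offered only inside a TLS session while anonymous login stays disabled on both paths. Without that second line the example as shown disables plaintext mechanisms everywhere, which is rarely what an operator running SASL on port 25 wants.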

        > > *************** > *** 14693,14775 **** > > !
        smtpd_tls_fingerprint_digest > ! (default: md5)
        > > !

        The message digest algorithm to construct remote SMTP > ! client-certificate > ! fingerprints or public key fingerprints (Postfix 2.9 and later) > ! for check_ccert_access and permit_tls_clientcerts. The > ! default algorithm is md5, for backwards compatibility with Postfix > ! releases prior to 2.5.

        > > !

        Advances in hash > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > ! However, as long as there are no known "second pre-image" attacks > ! against md5, its use in this context can still be considered safe. > !

        > > -

        While additional digest algorithms are often available with OpenSSL's > - libcrypto, only those used by libssl in SSL cipher suites are available to > - Postfix.

        > > !

        To find the fingerprint of a specific certificate file, with a > ! specific digest algorithm, run:

        > > !
        > !
        > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
        > ! 
        > !
        > > !

        The text to the right of "=" sign is the desired fingerprint. > ! For example:

        > > !
        > !
        > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
        > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
        > ! 
        > !
        > > !

        Public key fingerprints are more difficult to extract, however, > ! the SHA-1 public key fingerprint is often present as the value of the > ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix > ! SMTP server and client log the peer certificate fingerprint and public > ! key fingerprint when TLS loglevel is 1 or higher.

        > > !

        Example: client-certificate access table, with sha1 fingerprints:

        > > !
        > !
        > ! /etc/postfix/main.cf:
        > !     smtpd_tls_fingerprint_digest = sha1
        > !     smtpd_client_restrictions =
        > !         check_ccert_access hash:/etc/postfix/access,
        > !         reject
        > ! 
        > !
        > ! /etc/postfix/access:
        > !     # Action folded to next line...
        > !     AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
        > !         OK
        > !     85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
        > !         permit_auth_destination
        > ! 
        > !
        > > !

        This feature is available in Postfix 2.5 and later.

        > > > !
        > > !
        smtpd_tls_key_file > ! (default: $smtpd_tls_cert_file)
        > > !

        File with the Postfix SMTP server RSA private key in PEM format. > ! This file may be combined with the Postfix SMTP server RSA certificate > ! file specified with $smtpd_tls_cert_file.

        > > !

        The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted. File permissions should grant read-only > ! access to the system superuser account ("root"), and no access > ! to anyone else.

        > > --- 11438,11487 ---- > > !
        smtpd_sasl_type > ! (default: cyrus)
        > > !

        The SASL plug-in type that the Postfix SMTP server should use > ! for authentication. The available types are listed with the > ! "postconf -a" command.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        smtpd_sender_login_maps > ! (default: empty)
        > > !

        > ! Optional lookup table with the SASL login names that own sender > ! (MAIL FROM) addresses. > !

        > > !

        > ! Specify zero or more "type:table" lookup tables. With lookups from > ! indexed files such as DB or DBM, or from networked tables such as > ! NIS, LDAP or SQL, the following search operations are done with a > ! sender address of user at domain:

        > > !
        > > !
        1) user at domain
        > > !
        This table lookup is always done and has the highest precedence.
        > > !
        2) user
        > > +
        This table lookup is done only when the domain part of the > + sender address matches $myorigin, $mydestination, $inet_interfaces > + or $proxy_interfaces.
        > > !
        3) @domain
        > > !
        This table lookup is done last and has the lowest precedence.
        > > !
        > > !

        > ! In all cases the result of table lookup must be either "not found" > ! or a list of SASL login names separated by comma and/or whitespace. > !
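Review bot: the old-side smtpd_tls_fingerprint_digest entry keeps md5 as the default "for backwards compatibility with Postfix releases prior to 2.5" while its own access-table example switches to sha1; the entry should recommend setting smtpd_tls_fingerprint_digest = sha1 explicitly on any new deployment instead of resting on the absence of second-preimage attacks against md5, and it should mark "-digest" in "openssl x509 -noout -fingerprint -digest -in certfile.pem" as a placeholder for an algorithm name such as "-sha1", which is what the worked example underneath actually uses. Separately, in the new-side smtpd_sender_login_maps entry the lookup keys read "user at domain" because the list archive rewrote "@" as " at "; the three keys are user@domain, user and @domain, as the third item still shows.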

        > > *************** > *** 14778,14936 **** > > !
        smtpd_tls_loglevel > ! (default: 0)
        > > !

        Enable additional Postfix SMTP server logging of TLS activity. > ! Each logging level also includes the information that is logged at > ! a lower logging level.

        > > !
        > > !
        0 Log only a summary message on TLS handshake completion > ! — no logging of remote SMTP client certificate trust-chain verification > ! errors > ! if client certificate verification is not required. With Postfix 2.8 > ! and earlier, disable logging of TLS activity.
        > ! > !
        1 Also log trust-chain verification errors and peer > ! certificate name and issuer. With Postfix 2.8 and earlier, log TLS > ! handshake and certificate information.
        > > !
        2 Also log levels during TLS negotiation.
        > > !
        3 Also log hexadecimal and ASCII dump of TLS negotiation > ! process.
        > > !
        4 Also log hexadecimal and ASCII dump of complete > ! transmission after STARTTLS.
        > > !
        > > !

        Do not use "smtpd_tls_loglevel = 2" or higher except in case > ! of problems. Use of loglevel 4 is strongly discouraged.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_mandatory_ciphers > ! (default: medium)
        > > !

        The minimum TLS cipher grade that the Postfix SMTP server will > ! use with mandatory TLS encryption. The default grade ("medium") is > ! sufficiently strong that any benefit from globally restricting TLS > ! sessions to a more stringent grade is likely negligible, especially > ! given the fact that many implementations still do not offer any stronger > ! ("high" grade) ciphers, while those that do, will always use "high" > ! grade ciphers. So insisting on "high" grade ciphers is generally > ! counter-productive. Allowing "export" or "low" ciphers is typically > ! not a good idea, as systems limited to just these are limited to > ! obsolete browsers. No known SMTP clients fail to support at least > ! one "medium" or "high" grade cipher.

        > > !

        The following cipher grades are supported:

        > > !
        > !
        export
        > !
        Enable "EXPORT" grade or stronger OpenSSL ciphers. > ! This is the most appropriate setting for public MX hosts, and is always > ! used with opportunistic TLS encryption. The underlying cipherlist > ! is specified via the tls_export_cipherlist configuration parameter, > ! which you are strongly encouraged to not change.
        > > !
        low
        > !
        Enable "LOW" grade or stronger OpenSSL ciphers. The > ! underlying cipherlist is specified via the tls_low_cipherlist > ! configuration parameter, which you are strongly encouraged to > ! not change.
        > > !
        medium
        > !
        Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit > ! or longer symmetric bulk-encryption keys. This is the default minimum > ! strength for mandatory TLS encryption. The underlying cipherlist is > ! specified via the tls_medium_cipherlist configuration parameter, which > ! you are strongly encouraged to not change.
        > > !
        high
        > !
        Enable only "HIGH" grade OpenSSL ciphers. The > ! underlying cipherlist is specified via the tls_high_cipherlist > ! configuration parameter, which you are strongly encouraged to > ! not change.
        > > !
        null
        > !
        Enable only the "NULL" OpenSSL ciphers, these provide authentication > ! without encryption. This setting is only appropriate in the rare > ! case that all clients are prepared to use NULL ciphers (not normally > ! enabled in TLS clients). The underlying cipherlist is specified via the > ! tls_null_cipherlist configuration parameter, which you are strongly > ! encouraged to not change.
        > > !
        > > !

        Cipher types listed in > ! smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are > ! excluded from the base definition of the selected cipher grade. See > ! smtpd_tls_ciphers for cipher controls that apply to opportunistic > ! TLS.

        > > !

        The underlying cipherlists for grades other than "null" include > ! anonymous ciphers, but these are automatically filtered out if the > ! server is configured to ask for remote SMTP client certificates. You are very > ! unlikely to need to take any steps to exclude anonymous ciphers, they > ! are excluded automatically as required. If you must exclude anonymous > ! ciphers even when Postfix does not need or use peer certificates, set > ! "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only > ! when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = aNULL".

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        smtpd_tls_mandatory_exclude_ciphers > ! (default: empty)
        > > !

        Additional list of ciphers or cipher types to exclude from the > ! Postfix SMTP server cipher list at mandatory TLS security levels. > ! This list > ! works in addition to the exclusions listed with smtpd_tls_exclude_ciphers > ! (see there for syntax details).

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        smtpd_tls_mandatory_protocols > ! (default: SSLv3, TLSv1)
        > > !

        The SSL/TLS protocols accepted by the Postfix SMTP server with > ! mandatory TLS encryption. If the list is empty, the server supports all > ! available SSL/TLS protocol versions. A non-empty value is a list > ! of protocol > ! names separated by whitespace, commas or colons. The supported protocol > ! names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

        > > !

        With Postfix ≥ 2.5 the parameter syntax is expanded to support > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > ! "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > ! SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > ! the protocols to include, rather than protocols to exclude, is still > ! supported, use the form you find more intuitive.

        > > !

        Since SSL version 2 has known protocol weaknesses and is now > ! deprecated, the default setting excludes "SSLv2". This means that > ! by default, SSL version 2 will not be used at the "encrypt" security > ! level.

        > > !

        Example:

        > >
        > ! smtpd_tls_mandatory_protocols = TLSv1
        > ! # Alternative form with Postfix ≥ 2.5:
        > ! smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        >   
        > > -

        This feature is available in Postfix 2.3 and later.

        > - > > --- 11490,11641 ---- > > !
        smtpd_sender_restrictions > ! (default: empty)
        > > !

        > ! Optional restrictions that the Postfix SMTP server applies in the > ! context of the MAIL FROM command. > !

        > > !

        > ! The default is to permit everything. > !

        > > !

        > ! Specify a list of restrictions, separated by commas and/or whitespace. > ! Continue long lines by starting the next line with whitespace. > ! Restrictions are applied in the order as specified; the first > ! restriction that matches wins. > !

        > > !

        > ! The following restrictions are specific to the sender address > ! received with the MAIL FROM command. > !

        > > !
        > > !
        check_sender_access type:table
        > > !
        Search the specified access(5) database for the MAIL FROM > ! address, domain, parent domains, or localpart@, and execute the > ! corresponding action.
        > > !
        check_sender_mx_access type:table
        > > !
        Search the specified access(5) database for the MX hosts for > ! the MAIL FROM address, and execute the corresponding action. Note: > ! a result of "OK" is not allowed for safety reasons. Instead, use > ! DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > +
        check_sender_ns_access type:table
        > > !
        Search the specified access(5) database for the DNS servers > ! for the MAIL FROM address, and execute the corresponding action. > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > ! use DUNNO in order to exclude specific hosts from blacklists. This > ! feature is available in Postfix 2.1 and later.
        > > !
        reject_authenticated_sender_login_mismatch
        > > !
        Enforces the reject_sender_login_mismatch restriction for > ! authenticated clients only. This feature is available in > ! Postfix version 2.1 and later.
        > > !
        reject_non_fqdn_sender
        > > !
        Reject the request when the MAIL FROM address is not in > ! fully-qualified domain form, as required by the RFC.
        The > ! non_fqdn_reject_code parameter specifies the response code to > ! rejected requests (default: 504).
        > > !
        reject_rhsbl_sender rbl_domain=d.d.d.d
        > > !
        Reject the request when the MAIL FROM domain is listed with > ! the A record "d.d.d.d" under rbl_domain (Postfix > ! version 2.1 and later only). If no "=d.d.d.d" is specified, > ! reject the request when the MAIL FROM domain is > ! listed with any A record under rbl_domain.
        The > ! maps_rbl_reject_code parameter specifies the response code for > ! rejected requests (default: 554); the default_rbl_reply parameter > ! specifies the default server reply; and the rbl_reply_maps parameter > ! specifies tables with server replies indexed by rbl_domain. > ! This feature is available in Postfix 2.0 and later.
        > > !
        reject_sender_login_mismatch
        > > !
        Reject the request when $smtpd_sender_login_maps specifies an > ! owner for the MAIL FROM address, but the client is not (SASL) logged > ! in as that MAIL FROM address owner; or when the client is (SASL) > ! logged in, but the client login name doesn't own the MAIL FROM > ! address according to $smtpd_sender_login_maps.
        > > !
        reject_unauthenticated_sender_login_mismatch
        > > !
        Enforces the reject_sender_login_mismatch restriction for > ! unauthenticated clients only. This feature is available in > ! Postfix version 2.1 and later.
        > > !
        reject_unknown_sender_domain
        > > !
        Reject the request when Postfix is not final destination for > ! the sender address, and the MAIL FROM address has no DNS A or MX > ! record, or when it has a malformed MX record such as a record with > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > ! unknown_address_reject_code parameter specifies the response code > ! for rejected requests (default: 450). The response is always 450 > ! in case of a temporary DNS error.
        > > +
        reject_unlisted_sender
        > > !
        Reject the request when the MAIL FROM address is not listed in > ! the list of valid recipients for its domain class. See the > ! smtpd_reject_unlisted_sender parameter description for details. > ! This feature is available in Postfix 2.1 and later.
        > > !
        reject_unverified_sender
        > > !
        Reject the request when mail to the MAIL FROM address is known to > ! bounce, or when the sender address destination is not reachable. > ! Address verification information is managed by the verify(8) server; > ! see the ADDRESS_VERIFICATION_README file for details.
        The > ! unverified_sender_reject_code parameter specifies the response when > ! an address is known to bounce (default: 450, change into 550 when > ! you are confident that it is safe to do so). The > ! unverified_sender_defer_code specifies the response when an address > ! address probe failed due to a temporary problem (default: 450). > ! This feature is available in Postfix 2.1 and later.
        > > !
        > > +

        > + Other restrictions that are valid in this context: > +

        > > ! > > !

        > ! Examples: > !

        > >
        > ! smtpd_sender_restrictions = reject_unknown_sender_domain
        > ! smtpd_sender_restrictions = reject_unknown_sender_domain,
        > !     check_sender_access hash:/etc/postfix/access
        >   
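Review bot: in the new-side smtpd_sender_restrictions entry, the reject_unverified_sender paragraph reads "when an address address probe failed", a duplicated word, and the sentence "Other restrictions that are valid in this context:" ends in a colon with nothing following it in the hunk, so the cross-reference list was either lost in generation or needs restoring; both should be fixed before this text ships. On the old side, the smtpd_tls_mandatory_protocols default is shown as "SSLv3, TLSv1" while the prose says the default "excludes SSLv2"; those describe the same policy in include and exclude form, but giving one form for the default and the other in the explanation invites confusion, so pick one and use it in both places.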
        > > > *************** > *** 14938,14983 **** > > !
        smtpd_tls_protocols > ! (default: empty)
        > ! > !

        List of TLS protocols that the Postfix SMTP server will exclude > ! or include with opportunistic TLS encryption. This parameter SHOULD be > ! left at its default empty value, allowing all protocols to be used with > ! opportunistic TLS.

        > ! > !

        In main.cf the values are separated by whitespace, commas or > ! colons. An empty value means allow all protocols. The valid protocol > ! names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and > ! "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute > ! values are separated by a colon.

        > ! > !

        To include a protocol list its name, to exclude it, prefix the name > ! with a "!" character. To exclude SSLv2 even for opportunistic TLS set > ! "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set > ! "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to > ! include, is supported, but not recommended. OpenSSL provides no mechanisms > ! for excluding protocols not known at compile-time. If Postfix is linked > ! against an OpenSSL library that supports additional protocol versions, > ! they cannot be excluded using either syntax.

        > ! > !

        Example:

        > !
        > ! smtpd_tls_protocols = !SSLv2
        > ! 
        > ! > !

        This feature is available in Postfix 2.6 and later.

        > > > !
        > > !
        smtpd_tls_received_header > ! (default: no)
        > > !

        Request that the Postfix SMTP server produces Received: message > ! headers that include information about the protocol and cipher used, > ! as well as the remote SMTP client CommonName and client certificate issuer > ! CommonName. This is disabled by default, as the information may > ! be modified in transit through other mail servers. Only information > ! that was recorded by the final destination can be trusted.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11643,11662 ---- > > !
        smtpd_soft_error_limit > ! (default: 10)
        > > +

        > + The number of errors a remote SMTP client is allowed to make without > + delivering mail before the Postfix SMTP server slows down all its > + responses. > +

        > > !
          > > !
        • With Postfix version 2.1 and later, the Postfix SMTP server > ! delays all responses by $smtpd_error_sleep_time seconds.

          > > !
        • With Postfix versions 2.0 and earlier, the Postfix SMTP > ! server delays all responses by (number of errors) seconds.

          > > !
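Review bot: the old-side smtpd_tls_protocols entry is a server-side parameter, yet it contains "In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon", which is text carried over from the SMTP client's smtp_tls_protocols entry; smtp_tls_policy_maps has no bearing on smtpd(8) and the sentence should be dropped here. The same entry's statement that protocol versions unknown at compile time "cannot be excluded using either syntax" is the caveat that matters and belongs next to the "smtpd_tls_protocols = !SSLv2" example, so that an operator who reads only the example does not take the exclude list to be exhaustive.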
        > > *************** > *** 14986,14996 **** > > !
        smtpd_tls_req_ccert > ! (default: no)
        > ! > !

        With mandatory TLS encryption, require a trusted remote SMTP client > ! certificate in order to allow TLS connections to proceed. This > ! option implies "smtpd_tls_ask_ccert = yes".

        > > !

        When TLS encryption is optional, this setting is ignored with > ! a warning written to the mail log.

        > > --- 11665,11671 ---- > > !
        smtpd_starttls_timeout > ! (default: 300s)
        > > !

        The time limit for Postfix SMTP server write and read operations > ! during TLS startup and shutdown handshake procedures.
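Review bot: the new-side smtpd_starttls_timeout entry gives a default of 300s but, unlike the smtpd_timeout entry later in this diff, omits the "Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks)" line, so it never states whether a bare number is read as seconds; add the same units sentence for consistency. On the old side, smtpd_tls_req_ccert says it "implies smtpd_tls_ask_ccert = yes" and is ignored with a warning when TLS is optional; it would help to spell out that "trusted" means the client chain verifies against smtpd_tls_CAfile or smtpd_tls_CApath within smtpd_tls_ccert_verifydepth, since all three parameters are defined in this same document.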

        > > *************** > *** 15001,15043 **** > > !
        smtpd_tls_security_level > ! (default: empty)
        > ! > !

        The SMTP TLS security level for the Postfix SMTP server; when > ! a non-empty value is specified, this overrides the obsolete parameters > ! smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with > ! "smtpd_tls_wrappermode = yes".

        > > !

        Specify one of the following security levels:

        > > !
        > > !
        none
        TLS will not be used.
        > > -
        may
        Opportunistic TLS: announce STARTTLS support > - to remote SMTP clients, but do not require that clients use TLS encryption. > -
        > > !
        encrypt
        Mandatory TLS encryption: announce > ! STARTTLS support to remote SMTP clients, and require that clients use TLS > ! encryption. According to RFC 2487 this MUST NOT be applied in case > ! of a publicly-referenced SMTP server. Instead, this option should > ! be used only on dedicated servers.
        > > !
        > > !

        Note 1: the "fingerprint", "verify" and "secure" levels are not > ! supported here. > ! The Postfix SMTP server logs a warning and uses "encrypt" instead. > ! To verify remote SMTP client certificates, see TLS_README for a discussion > ! of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts > ! features.

        > > !

        Note 2: The parameter setting "smtpd_tls_security_level = > ! encrypt" implies "smtpd_tls_auth_only = yes".

        > > !

        Note 3: when invoked via "sendmail -bs", Postfix will never > ! offer STARTTLS due to insufficient privileges to access the server > ! private key. This is intended behavior.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > --- 11676,11715 ---- > > !
        smtpd_timeout > ! (default: 300s)
        > > !

        > ! The time limit for sending a Postfix SMTP server response and for > ! receiving a remote SMTP client request. > !

        > > !

        > ! Note: if you set SMTP time limits to very large values you may have > ! to update the global ipc_timeout parameter. > !

        > > !

        > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

        > > > !
        > > !
        smtpd_tls_CAfile > ! (default: empty)
        > > !

        The file with the certificate of the certification authority > ! (CA) that issued the Postfix SMTP server certificate. This is > ! needed only when the CA certificate is not already present in the > ! server certificate file. This file may also contain the CA > ! certificates of other trusted CAs. You must use this file for the > ! list of trusted CAs if you want to use chroot-mode.

        > > !

        Example:

        > > !
        > ! smtpd_tls_CAfile = /etc/postfix/CAcert.pem
        > ! 
        > > !

        This feature is available in Postfix 2.2 and later.
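Review bot: the old-side smtpd_tls_security_level "encrypt" item cites RFC 2487 for the rule that mandatory TLS MUST NOT be applied to a publicly-referenced SMTP server; RFC 2487 was obsoleted by RFC 3207, which carries the same requirement, so the reference should be updated. In the new-side smtpd_tls_CAfile entry, "You must use this file for the list of trusted CAs if you want to use chroot-mode" would be clearer with the reason attached: the file is opened before the server enters the chroot jail, whereas a smtpd_tls_CApath directory is searched at handshake time from inside it, which is why the CApath entry says the directory or a copy must be inside the jail.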

        > > *************** > *** 15046,15072 **** > > !
        smtpd_tls_session_cache_database > (default: empty)
        > > !

        Name of the file containing the optional Postfix SMTP server > ! TLS session cache. Specify a database type that supports enumeration, > ! such as btree or sdbm; there is no need to support > ! concurrent access. The file is created if it does not exist. The smtpd(8) > ! daemon does not use this parameter directly, rather the cache is > ! implemented indirectly in the tlsmgr(8) daemon. This means that > ! per-smtpd-instance master.cf overrides of this parameter are not > ! effective. Note, that each of the cache databases supported by tlsmgr(8) > ! daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be > ! stored separately. It is not at this time possible to store multiple > ! caches in a single database.

        > ! > !

        Note: dbm databases are not suitable. TLS > ! session objects are too large.

        > ! > !

        As of version 2.5, Postfix no longer uses root privileges when > ! opening this file. The file should now be stored under the Postfix-owned > ! data_directory. As a migration aid, an attempt to open the file > ! under a non-Postfix directory is redirected to the Postfix-owned > ! data_directory, and a warning is logged.

        > ! >

        Example:

        > --- 11718,11734 ---- > > !
        smtpd_tls_CApath > (default: empty)
        > > !

        Directory with PEM format certificate authority certificates > ! that the Postfix SMTP server offers to remote SMTP clients for the > ! purpose of client certificate verification. Do not forget to create > ! the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash > ! /etc/postfix/certs".

        > ! > !

        To use this option in chroot mode, this directory (or a copy) > ! must be inside the chroot jail. Please note that in this case the > ! CA certificates are not offered to the client, so that e.g. Netscape > ! clients might not offer certificates issued by them. Use of this > ! feature is therefore not recommended.

        > ! >

        Example:
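Review bot: the new-side smtpd_tls_CApath entry describes the directory as CA certificates the server "offers to remote SMTP clients", but the property it leaves implicit is the one that matters for security: every CA placed there becomes a trust anchor for client certificate verification, so any certificate those CAs issue will verify as trusted and satisfy smtpd_tls_req_ccert; say so, and note that the c_rehash step has to be repeated whenever a certificate is added or removed, since the hash links are what OpenSSL actually looks up. On the old side, the session-cache paragraph already explains why per-smtpd master.cf overrides have no effect (the cache is implemented in tlsmgr(8)) and needs nothing further.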

        > *************** > *** 15074,15076 **** >
        > ! smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
        >   
        > --- 11736,11738 ---- >
        > ! smtpd_tls_CApath = /etc/postfix/certs
        >   
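Review bot: the old-side example "smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache" should say that /var/lib/postfix stands for $data_directory, since the preceding paragraph states that from 2.5 on the cache must live under the Postfix-owned data_directory and that other locations are redirected with a warning; writing the example as "btree:${data_directory}/smtpd_scache" would avoid baking in a distribution-specific path.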
        > *************** > *** 15082,15110 **** > > !
        smtpd_tls_session_cache_timeout > ! (default: 3600s)
        > ! > !

        The expiration time of Postfix SMTP server TLS session cache > ! information. A cache cleanup is performed periodically > ! every $smtpd_tls_session_cache_timeout seconds. As with > ! $smtpd_tls_session_cache_database, this parameter is implemented in the > ! tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides > ! are not possible.

        > ! > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_wrappermode > ! (default: no)
        > > !

        Run the Postfix SMTP server in the non-standard "wrapper" mode, > ! instead of using the STARTTLS command.

        > > !

        If you want to support this service, enable a special port in > ! master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP > ! server's command line. Port 465 (smtps) was once chosen for this > ! purpose.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 11744,11769 ---- > > !
        smtpd_tls_always_issue_session_ids > ! (default: yes)
        > > +

        Force the Postfix SMTP server to issue a TLS session id, even > + when TLS session caching is turned off (smtpd_tls_session_cache_database > + is empty). This behavior is compatible with Postfix < 2.3.

        > > !

        With Postfix 2.3 and later the Postfix SMTP server can disable > ! session id generation when TLS session caching is turned off. This > ! keeps clients from caching sessions that almost certainly cannot > ! be re-used.

        > > !

        By default, the Postfix SMTP server always generates TLS session > ! ids. This works around a known defect in mail client applications > ! such as MS Outlook, and may also prevent interoperability issues > ! with other MTAs.

        > > !

        Example:

        > > !
        > ! smtpd_tls_always_issue_session_ids = no
        > ! 
        > > !

        This feature is available in Postfix 2.3 and later.
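Review bot: the old-side smtpd_tls_wrappermode entry tells the reader to add a master.cf port with "-o smtpd_tls_wrappermode=yes" but not that smtpd_tls_security_level is ignored in that mode (the smtpd_tls_security_level entry earlier in this diff states this), so it should cross-reference that entry and say plainly that TLS is unconditionally required on the wrapper port; "Port 465 (smtps) was once chosen for this purpose" is accurate for the time, but an example master.cf service line would serve the reader better than the history. The new-side smtpd_tls_always_issue_session_ids entry is fine as written.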

        > > *************** > *** 15113,15126 **** > > !
        smtpd_use_tls > (default: no)
        > > !

        Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > ! but do not require that clients use TLS encryption.

        > > !

        Note: when invoked via "sendmail -bs", Postfix will never offer > ! STARTTLS due to insufficient privileges to access the server private > ! key. This is intended behavior.

        > > !

        This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

        > > --- 11772,11786 ---- > > !
        smtpd_tls_ask_ccert > (default: no)
        > > !

        Ask a remote SMTP client for a client certificate. This > ! information is needed for certificate based mail relaying with, > ! for example, the permit_tls_clientcerts feature.

        > > !

        Some clients such as Netscape will either complain if no > ! certificate is available (for the list of CAs in $smtpd_tls_CAfile) > ! or will offer multiple client certificates to choose from. This > ! may be annoying, so this option is "off" by default.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 15129,15148 **** > > !
        soft_bounce > (default: no)
        > > !

        > ! Safety net to keep mail queued that would otherwise be returned to > ! the sender. This parameter disables locally-generated bounces, > ! and prevents the Postfix SMTP server from rejecting mail permanently, > ! by changing 5xx reply codes into 4xx. However, soft_bounce is no > ! cure for address rewriting mistakes or mail routing mistakes. > !

        > ! > !

        > ! Example: > !

        > > !
        > ! soft_bounce = yes
        > ! 
        > > --- 11789,11798 ---- > > !
        smtpd_tls_auth_only > (default: no)
        > > !

        When TLS encryption is optional in the Postfix SMTP server, do > ! not announce or accept SASL authentication over unencrypted > ! connections.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 15151,15164 **** > > !
        stale_lock_time > ! (default: 500s)
        > > !

        > ! The time after which a stale exclusive mailbox lockfile is removed. > ! This is used for delivery to file or mailbox. > !

        > > !

        > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

        > > --- 11801,11820 ---- > > !
        smtpd_tls_ccert_verifydepth > ! (default: 9)
        > > !

        The verification depth for remote SMTP client certificates. A > ! depth of 1 is sufficient if the issuing CA is listed in a local CA > ! file.

        > > !

        The default verification depth is 9 (the OpenSSL default) for > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > ! the default value was 5, but the limit was not actually enforced. If > ! you have set this to a lower non-default value, certificates with longer > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > ! CAs are common, deeper chains are more rare and any number between 5 > ! and 9 should suffice in practice. You can choose a lower number if, > ! for example, you trust certificates directly signed by an issuing CA > ! but not any CAs it delegates to.

        > ! > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 15167,15194 **** > > !
        stress > (default: empty)
        > > !

        This feature is documented in the STRESS_README document.

        > > !

        This feature is available in Postfix 2.5 and later.

        > > > !
        > > !
        strict_7bit_headers > ! (default: no)
        > > !

        > ! Reject mail with 8-bit text in message headers. This blocks mail > ! from poorly written applications. > !

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it is likely to reject legitimate email. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > --- 11823,11877 ---- > > !
        smtpd_tls_cert_file > (default: empty)
        > > !

        File with the Postfix SMTP server RSA certificate in PEM format. > ! This file may also contain the Postfix SMTP server private RSA key.

        > > !

        Public Internet MX hosts without certificates signed by a "reputable" > ! CA must generate, and be prepared to present to most clients, a > ! self-signed or private-CA signed certificate. The client will not be > ! able to authenticate the server, but unless it is running Postfix 2.3 or > ! similar software, it will still insist on a server certificate.

        > > +

        For servers that are not public Internet MX hosts, Postfix > + 2.3 supports configurations with no certificates. This entails the > + use of just the anonymous TLS ciphers, which are not supported by > + typical SMTP clients. Since such clients will not, as a rule, fall > + back to plain text after a TLS handshake failure, the server will > + be unable to receive email from TLS enabled clients. To avoid > + accidental configurations with no certificates, Postfix 2.3 enables > + certificate-less operation only when the administrator explicitly > + sets "smtpd_tls_cert_file = none". This ensures that new Postfix > + configurations will not accidentally run with no certificates.

        > > !

        Both RSA and DSA certificates are supported. When both types > ! are present, the cipher used determines which certificate will be > ! presented to the client. For Netscape and OpenSSL clients without > ! special cipher choices the RSA certificate is preferred.

        > > !

        In order to verify a certificate, the CA certificate (in case > ! of a certificate chain, all CA certificates) must be available. > ! You should add these certificates to the server certificate, the > ! server certificate first, then the issuing CA(s).

        > > !

        Example: the certificate for "server.dom.ain" was issued by > ! "intermediate CA" which itself has a certificate of "root CA". > ! Create the server.pem file with "cat server_cert.pem intermediate_CA.pem > ! root_CA.pem > server.pem".

        > > !

        If you also want to verify client certificates issued by these > ! CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which > ! case it is not necessary to have them in the smtpd_tls_cert_file or > ! smtpd_tls_dcert_file.

        > > !

        A certificate supplied here must be usable as an SSL server certificate > ! and hence pass the "openssl verify -purpose sslserver ..." test.

        > ! > !

        Example:

        > ! > !
        > ! smtpd_tls_cert_file = /etc/postfix/server.pem
        > ! 
        > ! > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 15197,15213 **** > > !
        strict_8bitmime > ! (default: no)
        > > !

        > ! Enable both strict_7bit_headers and strict_8bitmime_body. > !

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it is likely to reject legitimate email. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > --- 11880,11898 ---- > > !
        smtpd_tls_cipherlist > ! (default: empty)
        > > !

        Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS > ! cipher list. It is easy to create inter-operability problems by choosing > ! a non-default cipher list. Do not use a non-default TLS cipherlist for > ! MX hosts on the public Internet. Clients that begin the TLS handshake, > ! but are unable to agree on a common cipher, may not be able to send any > ! email to the SMTP server. Using a restricted cipher list may be more > ! appropriate for a dedicated MSA or an internal mailhub, where one can > ! exert some control over the TLS software and settings of the connecting > ! clients.

        > > !

        Note: do not use "" quotes around the parameter value.

        > > !

        This feature is available with Postfix version 2.2. It is not used with > ! Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

        > > *************** > *** 15216,15301 **** > > !
        strict_8bitmime_body > ! (default: no)
        > ! > !

        > ! Reject 8-bit message body text without 8-bit MIME content encoding > ! information. This blocks mail from poorly written applications. > !

        > > !

        > ! Unfortunately, this also rejects majordomo approval requests when > ! the included request contains valid 8-bit MIME mail, and it rejects > ! bounces from mailers that do not MIME encapsulate 8-bit content > ! (for example, bounces from qmail or from old versions of Postfix). > !

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it is likely to reject legitimate email. >

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > > !
        > > -
        strict_mailbox_ownership > - (default: yes)
        > > !

        Defer delivery when a mailbox file is not owned by its recipient. > ! The default setting is not backwards compatible.

        > > !

        This feature is available in Postfix 2.5.3 and later.

        > > > !
        > > !
        strict_mime_encoding_domain > ! (default: no)
        > > !

        > ! Reject mail with invalid Content-Transfer-Encoding: information > ! for the message/* or multipart/* MIME content types. This blocks > ! mail from poorly written software. >

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it will reject mail after a single violation. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > > -
        > > !
        strict_rfc821_envelopes > ! (default: no)
        > > !

        > ! Require that addresses received in SMTP MAIL FROM and RCPT TO > ! commands are enclosed with <>, and that those addresses do > ! not contain RFC 822 style comments or phrases. This stops mail > ! from poorly written software. > !

        > > !

        > ! By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL > ! FROM and RCPT TO addresses. > !

        > > > !
        > > !
        sun_mailtool_compatibility > ! (default: no)
        > > !

        > ! Obsolete SUN mailtool compatibility feature. Instead, use > ! "mailbox_delivery_lock = dotlock". > !

        > > --- 11901,11970 ---- > > !
        smtpd_tls_dcert_file > ! (default: empty)
        > > !

        File with the Postfix SMTP server DSA certificate in PEM format. > ! This file may also contain the Postfix SMTP server private DSA key.

        > > !

        See the discussion under smtpd_tls_cert_file for more details. >

        > > !

        Example:

        > > +
        > + smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
        > + 
        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_dh1024_param_file > ! (default: empty)
        > > +

        File with DH parameters that the Postfix SMTP server should > + use with EDH ciphers.

        > > !

        Instead of using the exact same parameter sets as distributed > ! with other TLS packages, it is more secure to generate your own > ! set of parameters with something like the following command:

        > > !
        > !
        > ! openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
        > ! 
        > !
        > > !

        Your actual source for entropy may differ. Some systems have > ! /dev/random; on other system you may consider using the "Entropy > ! Gathering Daemon EGD", available at http://egd.sourceforge.net/ >

        > > !

        Example:

        > > !
        > ! smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        > ! 
        > > +

        This feature is available with Postfix version 2.2.

        > > > !
        > > !
        smtpd_tls_dh512_param_file > ! (default: empty)
        > > !

        File with DH parameters that the Postfix SMTP server should > ! use with EDH ciphers.

        > > +

        See also the discussion under the smtpd_tls_dh1024_param_file > + configuration parameter.

        > > !

        Example:

        > > !
        > ! smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
        > ! 
        > > !

        This feature is available with Postfix version 2.2.

        > > *************** > *** 15304,15358 **** > > !
        swap_bangpath > ! (default: yes)
        > ! > !

        > ! Enable the rewriting of "site!user" into "user at site". This is > ! necessary if your machine is connected to UUCP networks. It is > ! enabled by default. > !

        > > !

        Note: with Postfix version 2.2, message header address rewriting > ! happens only when one of the following conditions is true:

        > > ! > > !

        To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

        > > !

        > ! Example: > !

        > >
        > ! swap_bangpath = no
        >   
        > > > !
        > ! > !
        syslog_facility > ! (default: mail)
        > ! > !

        > ! The syslog facility of Postfix logging. Specify a facility as > ! defined in syslog.conf(5). The default facility is "mail". > !

        > ! > !

        > ! Warning: a non-default syslog_facility setting takes effect only > ! after a Postfix process has completed initialization. Errors during > ! process initialization will be logged with the default facility. > ! Examples are errors while parsing the command line arguments, and > ! errors while accessing the Postfix main.cf configuration file. > !

        > > --- 11973,12021 ---- > > !
        smtpd_tls_dkey_file > ! (default: $smtpd_tls_dcert_file)
        > > !

        File with the Postfix SMTP server DSA private key in PEM format. > ! This file may be combined with the Postfix SMTP server DSA certificate > ! file specified with $smtpd_tls_dcert_file.

        > > !

        The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted, but file permissions should grant read/write > ! access only to the system superuser account ("root").

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_exclude_ciphers > ! (default: empty)
        > > !

        List of ciphers or cipher types to exclude from the SMTP server > ! cipher list at all TLS security levels. Excluding valid ciphers > ! can create interoperability problems. DO NOT exclude ciphers unless it > ! is essential to do so. This is not an OpenSSL cipherlist; it is a simple > ! list separated by whitespace and/or commas. The elements are a single > ! cipher, or one or more "+" separated cipher properties, in which case > ! only ciphers matching all the properties are excluded.

        > > !

        Examples (some of these will cause problems):

        > > +
        >
        > ! smtpd_tls_exclude_ciphers = aNULL
        > ! smtpd_tls_exclude_ciphers = MD5, DES
        > ! smtpd_tls_exclude_ciphers = DES+MD5
        > ! smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
        > ! smtpd_tls_exclude_ciphers = kEDH+aRSA
        >   
        > +
        > > +

        The first setting disables anonymous ciphers. The next setting > + disables ciphers that use the MD5 digest algorithm or the (single) DES > + encryption algorithm. The next setting disables ciphers that use MD5 and > + DES together. The next setting disables the two ciphers "AES256-SHA" > + and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > + key exchange with RSA authentication.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > *************** > *** 15361,15391 **** > > !
        syslog_name > ! (default: see "postconf -d" output)
        > > !

        > ! The mail system name that is prepended to the process name in syslog > ! records, so that "smtpd" becomes, for example, "postfix/smtpd". >

        > > !

        > ! Warning: a non-default syslog_name setting takes effect only after > ! a Postfix process has completed initialization. Errors during > ! process initialization will be logged with the default name. Examples > ! are errors while parsing the command line arguments, and errors > ! while accessing the Postfix main.cf configuration file. >

        > > > !
        > ! > !
        tcp_windowsize > ! (default: 0)
        > ! > !

        An optional workaround for routers that break TCP window scaling. > ! Specify a value > 0 and < 65536 to enable this feature. With > ! Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented > ! by the Postfix master(8) daemon.

        > ! > !

        To change this parameter without stopping Postfix, you need to > ! first terminate all Postfix TCP servers:

        > > --- 12024,12046 ---- > > !
        smtpd_tls_fingerprint_digest > ! (default: md5)
        > > !

        The message digest algorithm used to construct client-certificate > ! fingerprints for check_ccert_access and > ! permit_tls_clientcerts. The default algorithm is md5, > ! for backwards compatibility with Postfix releases prior to 2.5. >

        > > !

        The best practice algorithm is now sha1. Recent advances in hash > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > ! However, as long as there are no known "second pre-image" attacks > ! against md5, its use in this context can still be considered safe. >

        > > +

        While additional digest algorithms are often available with OpenSSL's > + libcrypto, only those used by libssl in SSL cipher suites are available to > + Postfix. For now this means just md5 or sha1.

        > > !

        To find the fingerprint of a specific certificate file, with a > ! specific digest algorithm, run:

        > > *************** > *** 15393,15396 **** >
        > ! # postconf -e master_service_disable=inet
        > ! # postfix reload
        >   
        > --- 12048,12050 ---- >
        > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
        >   
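Review bot: in the replacement command "$ openssl x509 -noout -fingerprint -digest -in certfile.pem", "-digest" reads as a literal option once the page is rendered as plain text, but it is a placeholder for the algorithm switch (the later example in this update uses "-sha1"). Write it as a visible placeholder such as "-<digest>", or show both the "-md5" and "-sha1" forms, so the line is not pasted verbatim and rejected by openssl.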
        > *************** > *** 15398,15402 **** > > !

        This immediately terminates all processes that accept network > ! connections. Next, you enable Postfix TCP servers with the updated > ! tcp_windowsize setting:

        > > --- 12052,12055 ---- > > !

        The text to the right of "=" sign is the desired fingerprint. > ! For example:

        > > *************** > *** 15404,15407 **** >
        > ! # postconf -e tcp_windowsize=65535 master_service_disable=
        > ! # postfix reload
        >   
        > --- 12057,12060 ---- >
        > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
        > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
        >   
        > *************** > *** 15409,15432 **** > > !

        If you skip these steps with a running Postfix system, then the > ! tcp_windowsize change will work only for Postfix TCP clients (smtp(8), > ! lmtp(8)).

        > ! > !

        This feature is available in Postfix 2.6 and later.

        > ! > ! > !
        > > !
        tls_append_default_CA > ! (default: no)
        > > !

        Append the system-supplied default certificate authority > ! certificates to the ones specified with *_tls_CApath or *_tls_CAfile. > ! The default is "no"; this prevents Postfix from trusting third-party > ! certificates and giving them relay permission with > ! permit_tls_all_clientcerts.

        > ! > !

        This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, > ! 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for > ! backwards compatibility, to avoid breaking certificate verification > ! with sites that don't use permit_tls_all_clientcerts.

        > > --- 12062,12084 ---- > > !

        Example: client-certificate access table, with sha1 fingerprints:

        > > !
        > !
        > ! /etc/postfix/main.cf:
        > !     smtpd_tls_fingerprint_digest = sha1
        > !     smtpd_client_restrictions =
        > !         check_ccert_access hash:/etc/postfix/access,
        > !         reject
        > ! 
        > !
        > ! /etc/postfix/access:
        > !     # Action folded to next line...
        > !     AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
        > !         OK
        > !     85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
        > !         permit_auth_destination
        > ! 
        > !
        > > !

        This feature is available in Postfix 2.5 and later.

        > > *************** > *** 15435,15446 **** > > !
        tls_daemon_random_bytes > ! (default: 32)
        > > !

        The number of pseudo-random bytes that an smtp(8) or smtpd(8) > ! process requests from the tlsmgr(8) server in order to seed its > ! internal pseudo random number generator (PRNG). The default of 32 > ! bytes (equivalent to 256 bits) is sufficient to generate a 128bit > ! (or 168bit) session key.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 12087,12098 ---- > > !
        smtpd_tls_key_file > ! (default: $smtpd_tls_cert_file)
        > > !

        File with the Postfix SMTP server RSA private key in PEM format. > ! This file may be combined with the Postfix SMTP server RSA certificate > ! file specified with $smtpd_tls_cert_file.

        > > !

        The private key must be accessible without a pass-phrase, i.e. it > ! must not be encrypted, but file permissions should grant read/write > ! access only to the system superuser account ("root").

        > > *************** > *** 15449,15557 **** > > !
        tls_disable_workarounds > ! (default: see "postconf -d" output)
        > ! > !

        List or bit-mask of OpenSSL bug work-arounds to disable.

        > ! > !

        The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS > ! implementations. Applications, such as Postfix, that want to maximize > ! interoperability ask the OpenSSL library to enable the full set of > ! recommended work-arounds.

        > ! > !

        From time to time, it is discovered that a work-around creates a > ! security issue, and should no longer be used. If upgrading OpenSSL > ! to a fixed version is not an option or an upgrade is not available > ! in a timely manner, or in closed environments where no buggy clients > ! or servers exist, it may be appropriate to disable some or all of the > ! OpenSSL interoperability work-arounds. This parameter specifies which > ! bug work-arounds to disable.

        > ! > !

        If the value of the parameter is a hexadecimal long integer starting > ! with "0x", the bug work-arounds corresponding to the bits specified in > ! its value are removed from the SSL_OP_ALL work-around bit-mask > ! (see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more > ! bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying > ! 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should > ! also be sufficient on 64-bit systems, until OpenSSL abandons support > ! for 32-bit systems and starts using the high 32 bits of a 64-bit > ! bug-workaround mask.

        > ! > !

        Otherwise, the parameter is a white-space or comma separated list > ! of specific named bug work-arounds chosen from the list below. It > ! is possible that your OpenSSL version includes new bug work-arounds > ! added after your Postfix source code was last updated, in that case > ! you can only disable one of these via the hexadecimal syntax above.

        > ! > !
        > > !
        MICROSOFT_SESS_ID_BUG
        See SSL_CTX_set_options(3)
        > > !
        NETSCAPE_CHALLENGE_BUG
        See SSL_CTX_set_options(3)
        > > !
        LEGACY_SERVER_CONNECT
        See SSL_CTX_set_options(3)
        > > !
        NETSCAPE_REUSE_CIPHER_CHANGE_BUG
        also aliased > ! as CVE-2010-4180. Postfix 2.8 disables this work-around by > ! default with OpenSSL versions that may predate the fix. Fixed in > ! OpenSSL 0.9.8q and OpenSSL 1.0.0c.
        > > !
        SSLREF2_REUSE_CERT_TYPE_BUG
        See > ! SSL_CTX_set_options(3)
        > > !
        MICROSOFT_BIG_SSLV3_BUFFER
        See > ! SSL_CTX_set_options(3)
        > > !
        MSIE_SSLV2_RSA_PADDING
        also aliased as > ! CVE-2005-2969. Postfix 2.8 disables this work-around by > ! default with OpenSSL versions that may predate the fix. Fixed in > ! OpenSSL 0.9.7h and OpenSSL 0.9.8a.
        > > !
        SSLEAY_080_CLIENT_DH_BUG
        See > ! SSL_CTX_set_options(3)
        > > !
        TLS_D5_BUG
        See SSL_CTX_set_options(3)
        > > !
        TLS_BLOCK_PADDING_BUG
        See SSL_CTX_set_options(3)
        > > -
        TLS_ROLLBACK_BUG
        See SSL_CTX_set_options(3). > - This is disabled in OpenSSL 0.9.7 and later. Nobody should still > - be using 0.9.6!
        > > !
        DONT_INSERT_EMPTY_FRAGMENTS
        See > ! SSL_CTX_set_options(3)
        > > !
        CRYPTOPRO_TLSEXT_BUG
        New with GOST support in > ! OpenSSL 1.0.0.
        > > !
        > > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > !
        tls_eecdh_strong_curve > ! (default: prime256v1)
        > > !

        The elliptic curve used by the Postfix SMTP server for sensibly > ! strong > ! ephemeral ECDH key exchange. This curve is used by the Postfix SMTP > ! server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly > ! strong" means approximately 128-bit security based on best known > ! attacks. The selected curve must be implemented by OpenSSL (as > ! reported by ecparam(1) with the "-list_curves" option) and be one > ! of the curves listed in Section 5.1.1 of RFC 4492. You should not > ! generally change this setting.

        > > !

        This default curve is specified in NSA "Suite B" Cryptography > ! (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for > ! information classified as SECRET.

        > > !

        Note: elliptic curve names are poorly standardized; different > ! standards groups are assigning different names to the same underlying > ! curves. The curve with the X9.62 name "prime256v1" is also known > ! under the SECG name "secp256r1", but OpenSSL does not recognize the > ! latter name.

        > > !

        This feature is available in Postfix 2.6 and later, when it is > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > --- 12101,12210 ---- > > !
        smtpd_tls_loglevel > ! (default: 0)
        > > !

        Enable additional Postfix SMTP server logging of TLS activity. > ! Each logging level also includes the information that is logged at > ! a lower logging level.

        > > !
        > > !
        0 Disable logging of TLS activity.
        > > !
        1 Log TLS handshake and certificate information.
        > > !
        2 Log levels during TLS negotiation.
        > > !
        3 Log hexadecimal and ASCII dump of TLS negotiation > ! process.
        > > !
        4 Also log hexadecimal and ASCII dump of complete > ! transmission after STARTTLS.
        > > !
        > > !

        Use "smtpd_tls_loglevel = 3" only in case of problems. Use of > ! loglevel 4 is strongly discouraged.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_mandatory_ciphers > ! (default: medium)
        > > !

        The minimum TLS cipher grade that the Postfix SMTP server will > ! use with mandatory > ! TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers > ! or smtpd_tls_exclude_ciphers are excluded from the base definition > ! of the selected cipher grade. With opportunistic TLS encryption, > ! the "export" grade is used unconditionally with exclusions specified > ! only via smtpd_tls_exclude_ciphers.

        > > !

        The following cipher grades are supported:

        > > +
        > +
        export
        > +
        Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. > + This is the most appropriate setting for public MX hosts, and is always > + used with opportunistic TLS encryption. The underlying cipherlist > + is specified via the tls_export_cipherlist configuration parameter, > + which you are strongly encouraged to not change. The default value > + of tls_export_cipherlist includes anonymous ciphers, but these are > + automatically filtered out if the server is configured to ask for > + client certificates. If you must always exclude anonymous ciphers, > + set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers > + only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = > + aNULL".
        > > !
        low
        > !
        Enable the mainstream "LOW" grade or better OpenSSL ciphers. The > ! underlying cipherlist is specified via the tls_low_cipherlist > ! configuration parameter, which you are strongly encouraged to > ! not change. The default value of tls_low_cipherlist includes > ! anonymous ciphers, but these are automatically filtered out if the > ! server is configured to ask for client certificates. If you must > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > !
        medium
        > !
        Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These > ! are essentially the 128-bit or stronger ciphers. This is the default > ! minimum strength for mandatory TLS encryption. MSAs that enforce > ! TLS and have clients that do not support any "MEDIUM" or "HIGH" > ! grade ciphers, may need to configure a weaker ("low" or "export") > ! minimum cipher grade. The underlying cipherlist is specified via the > ! tls_medium_cipherlist configuration parameter, which you are strongly > ! encouraged to not change. The default value of tls_medium_cipherlist > ! includes anonymous ciphers, but these are automatically filtered out if > ! the server is configured to ask for client certificates. If you must > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > !
        high
        > !
        Enable only the mainstream "HIGH" grade OpenSSL ciphers. The > ! underlying cipherlist is specified via the tls_high_cipherlist > ! configuration parameter, which you are strongly encouraged to > ! not change. The default value of tls_high_cipherlist includes > ! anonymous ciphers, but these are automatically filtered out if the > ! server is configured to ask for client certificates. If you must > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > !
        null
        > !
        Enable only the "NULL" OpenSSL ciphers, these provide authentication > ! without encryption. This setting is only appropriate in the rare > ! case that all clients are prepared to use NULL ciphers (not normally > ! enabled in TLS clients). The underlying cipherlist is specified via the > ! tls_null_cipherlist configuration parameter, which you are strongly > ! encouraged to not change. The default value of tls_null_cipherlist > ! excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer > ! data integrity without encryption or authentication).
        > > !
        > > !

        This feature is available in Postfix 2.3 and later.

        > > *************** > *** 15560,15581 **** > > !
        tls_eecdh_ultra_curve > ! (default: secp384r1)
        > ! > !

        The elliptic curve used by the Postfix SMTP server for maximally > ! strong > ! ephemeral ECDH key exchange. This curve is used by the Postfix SMTP > ! server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally > ! strong" means approximately 192-bit security based on best known attacks. > ! This additional strength comes at a significant computational cost, most > ! users should instead set "smtpd_tls_eecdh_grade = strong". The selected > ! curve must be implemented by OpenSSL (as reported by ecparam(1) with the > ! "-list_curves" option) and be one of the curves listed in Section 5.1.1 > ! of RFC 4492. You should not generally change this setting.

        > > !

        This default "ultra" curve is specified in NSA "Suite B" Cryptography > ! (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information > ! classified as TOP SECRET.

        > > !

        This feature is available in Postfix 2.6 and later, when it is > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > --- 12213,12223 ---- > > !
        smtpd_tls_mandatory_exclude_ciphers > ! (default: empty)
        > > !

        Additional list of ciphers or cipher types to exclude from the > ! SMTP server cipher list at mandatory TLS security levels. This list > ! works in addition to the exclusions listed with smtpd_tls_exclude_ciphers > ! (see there for syntax details).

        > > !

        This feature is available in Postfix 2.3 and later.
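Review bot: in the hunk for old lines 15560-15581 against new lines 12213-12223, the two sides describe unrelated parameters (tls_eecdh_ultra_curve on the old side, smtpd_tls_mandatory_exclude_ciphers on the new side), and the new file is roughly 3300 lines shorter at the same point, so this is not an in-place edit of one entry but the regenerated page losing the tls_eecdh_ultra_curve entry (documented on the old side as "available in Postfix 2.6 and later") altogether. Before this update is published, check which postconf.5.html the generator picked up: a diff whose hunks consistently pair unrelated sections points to a different, older source document rather than a documentation change, and the same pattern repeats in every hunk that follows.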

        > > *************** > *** 15584,15615 **** > > !
        tls_export_cipherlist > ! (default: ALL:+RC4:@STRENGTH)
        > ! > !

        The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This > ! defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > ! the cipherlist for the opportunistic ("may") TLS client security > ! level and is the default cipherlist for the SMTP server. You are > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > ! later the cipherlist may start with an "aNULL:" prefix, which restores > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > ! list when they are enabled. This prefix is not needed with previous > ! OpenSSL releases.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        tls_high_cipherlist > ! (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "HIGH" grade ciphers. This defines > ! the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > ! later the cipherlist may start with an "aNULL:" prefix, which restores > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > ! list when they are enabled. This prefix is not needed with previous > ! OpenSSL releases.

        > > --- 12226,12256 ---- > > !
        smtpd_tls_mandatory_protocols > ! (default: SSLv3, TLSv1)
        > > !

        The SSL/TLS protocols accepted by the Postfix SMTP server with > ! mandatory TLS encryption. If the list is empty, the server supports all > ! available SSL/TLS protocol versions. A non-empty value is a list > ! of protocol > ! names separated by whitespace, commas or colons. The supported protocol > ! names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

        > > +

        With Postfix ≥ 2.5 the parameter syntax is expanded to support > + protocol exclusions. One can now explicitly exclude SSLv2 by setting > + "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > + SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > + the protocols to include, rather than protocols to exclude, is still > + supported, use the form you find more intuitive.

        > > !

        Since SSL version 2 has known protocol weaknesses and is now > ! deprecated, the default setting excludes "SSLv2". This means that > ! by default, SSL version 2 will not be used at the "encrypt" security > ! level.

        > > !

        Example:

        > > !
        > ! smtpd_tls_mandatory_protocols = TLSv1
        > ! # Alternative form with Postfix ≥ 2.5:
        > ! smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        > ! 
        > > *************** > *** 15620,15634 **** > > !
        tls_low_cipherlist > ! (default: ALL:!EXPORT:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines > ! the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > ! later the cipherlist may start with an "aNULL:" prefix, which restores > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > ! list when they are enabled. This prefix is not needed with previous > ! OpenSSL releases.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > --- 12261,12273 ---- > > !
        smtpd_tls_received_header > ! (default: no)
        > > !

        Request that the Postfix SMTP server produces Received: message > ! headers that include information about the protocol and cipher used, > ! as well as the client CommonName and client certificate issuer > ! CommonName. This is disabled by default, as the information may > ! be modified in transit through other mail servers. Only information > ! that was recorded by the final destination can be trusted.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 15637,15707 **** > > !
        tls_medium_cipherlist > ! (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This > ! defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > ! the default cipherlist for mandatory TLS encryption in the TLS > ! client (with anonymous ciphers disabled when verifying server > ! certificates). You are strongly encouraged to not change this > ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an > ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the > ! aNULL ciphers to the top of the list when they are enabled. This prefix > ! is not needed with previous OpenSSL releases.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > -
        > > !
        tls_null_cipherlist > ! (default: eNULL:!aNULL)
        > > !

        The OpenSSL cipherlist for "NULL" grade ciphers that provide > ! authentication without encryption. This defines the meaning of the "null" > ! setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and > ! lmtp_tls_mandatory_ciphers. You are strongly encouraged to not > ! change this setting.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > > !
        > > !
        tls_preempt_cipherlist > ! (default: no)
        > > !

        With SSLv3 and later, use the Postfix SMTP server's cipher > ! preference order instead of the remote client's cipher preference > ! order.

        > ! > !

        By default, the OpenSSL server selects the client's most preferred > ! cipher that the server supports. With SSLv3 and later, the server may > ! choose its own most preferred cipher that is supported (offered) by > ! the client. Setting "tls_preempt_cipherlist = yes" enables server cipher > ! preferences.

        > ! > !

        While server cipher selection may in some cases lead to a more secure > ! or performant cipher choice, there is some risk of interoperability > ! issues. In the past, some SSL clients have listed lower priority ciphers > ! that they did not implement correctly. If the server chooses a cipher > ! that the client prefers less, it may select a cipher whose client > ! implementation is flawed.

        > > !

        This feature is available in Postfix 2.8 and later, in combination > ! with OpenSSL 0.9.7 and later.

        > > > !
        > > !
        tls_random_bytes > ! (default: 32)
        > > !

        The number of bytes that tlsmgr(8) reads from $tls_random_source > ! when (re)seeding the in-memory pseudo random number generator (PRNG) > ! pool. The default of 32 bytes (256 bits) is good enough for 128bit > ! symmetric keys. If using EGD or a device file, a maximum of 255 > ! bytes is read.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > --- 12276,12333 ---- > > !
        smtpd_tls_req_ccert > ! (default: no)
        > > !

        With mandatory TLS encryption, require a trusted remote SMTP client > ! certificate in order to allow TLS connections to proceed. This > ! option implies "smtpd_tls_ask_ccert = yes".

        > > !

        When TLS encryption is optional, this setting is ignored with > ! a warning written to the mail log.

        > > +

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        smtpd_tls_security_level > ! (default: empty)
        > > !

        The SMTP TLS security level for the Postfix SMTP server; when > ! a non-empty value is specified, this overrides the obsolete parameters > ! smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with > ! "smtpd_tls_wrappermode = yes".

        > > +

        Specify one of the following security levels:

        > > !
        > > !
        none
        TLS will not be used.
        > > !
        may
        Opportunistic TLS: announce STARTTLS support > ! to SMTP clients, but do not require that clients use TLS encryption. > !
        > > !
        encrypt
        Mandatory TLS encryption: announce > ! STARTTLS support to SMTP clients, and require that clients use TLS > ! encryption. According to RFC 2487 this MUST NOT be applied in case > ! of a publicly-referenced SMTP server. Instead, this option should > ! be used only on dedicated servers.
        > > +
        > > !

        Note 1: the "fingerprint", "verify" and "secure" levels are not > ! supported here. > ! The Postfix SMTP server logs a warning and uses "encrypt" instead. > ! To verify SMTP client certificates, see TLS_README for a discussion > ! of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts > ! features.

        > > !

        Note 2: The parameter setting "smtpd_tls_security_level = > ! encrypt" implies "smtpd_tls_auth_only = yes".

        > > !

        Note 3: when invoked via "sendmail -bs", Postfix will never > ! offer STARTTLS due to insufficient privileges to access the server > ! private key. This is intended behavior.

        > > !

        This feature is available in Postfix 2.3 and later.
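Review bot: in the old side of the hunk for lines 15637-15707, the tls_null_cipherlist entry refers to "smtpd_mandatory_tls_ciphers", which does not match the parameter name "smtpd_tls_mandatory_ciphers" used by the neighbouring tls_medium_cipherlist and tls_preempt_cipherlist entries in the same hunk; it is a stale typo. Since the new side re-introduces tls_null_cipherlist at line 12741 at the end of this patch, the regenerated entry should be checked for the same misspelling rather than assuming the removal fixed it.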

        > > *************** > *** 15710,15736 **** > > !
        tls_random_exchange_name > ! (default: see "postconf -d" output)
        > ! > !

        Name of the pseudo random number generator (PRNG) state file > ! that is maintained by tlsmgr(8). The file is created when it does > ! not exist, and its length is fixed at 1024 bytes.

        > ! > !

        As of version 2.5, Postfix no longer uses root privileges when > ! opening this file, and the default file location was changed from > ! ${config_directory}/prng_exch to ${data_directory}/prng_exch. As > ! a migration aid, an attempt to open the file under a non-Postfix > ! directory is redirected to the Postfix-owned data_directory, and a > ! warning is logged.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > > !
        > > !
        tls_random_prng_update_period > ! (default: 3600s)
        > > !

        The time between attempts by tlsmgr(8) to save the state of > ! the pseudo random number generator (PRNG) to the file specified > ! with $tls_random_exchange_name.

        > > --- 12336,12367 ---- > > !
        smtpd_tls_session_cache_database > ! (default: empty)
        > > !

        Name of the file containing the optional Postfix SMTP server > ! TLS session cache. Specify a database type that supports enumeration, > ! such as btree or sdbm; there is no need to support > ! concurrent access. The file is created if it does not exist. The smtpd(8) > ! daemon does not use this parameter directly, rather the cache is > ! implemented indirectly in the tlsmgr(8) daemon. This means that > ! per-smtpd-instance master.cf overrides of this parameter are not > ! effective. Note, that each of the cache databases supported by tlsmgr(8) > ! daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be > ! stored separately. It is not at this time possible to store multiple > ! caches in a single database.

        > > +

        Note: dbm databases are not suitable. TLS > + session objects are too large.

        > > !

        As of version 2.5, Postfix no longer uses root privileges when > ! opening this file. The file should now be stored under the Postfix-owned > ! data_directory. As a migration aid, an attempt to open the file > ! under a non-Postfix directory is redirected to the Postfix-owned > ! data_directory, and a warning is logged.

        > > !

        Example:

        > > !
        > ! smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
        > ! 
        > > *************** > *** 15741,15749 **** > > !
        tls_random_reseed_period > (default: 3600s)
        > > !

        The maximal time between attempts by tlsmgr(8) to re-seed the > ! in-memory pseudo random number generator (PRNG) pool from external > ! sources. The actual time between re-seeding attempts is calculated > ! using the PRNG, and is between 0 and the time specified.

        > > --- 12372,12382 ---- > > !
        smtpd_tls_session_cache_timeout > (default: 3600s)
        > > !

        The expiration time of Postfix SMTP server TLS session cache > ! information. A cache cleanup is performed periodically > ! every $smtpd_tls_session_cache_timeout seconds. As with > ! $smtpd_tls_session_cache_database, this parameter is implemented in the > ! tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides > ! are not possible.

        > > *************** > *** 15754,15767 **** > > !
        tls_random_source > ! (default: see "postconf -d" output)
        > > !

        The external entropy source for the in-memory tlsmgr(8) pseudo > ! random number generator (PRNG) pool. Be sure to specify a non-blocking > ! source. If this source is not a regular file, the entropy source > ! type must be prepended: egd:/path/to/egd_socket for a source with > ! EGD compatible socket interface, or dev:/path/to/device for a > ! device file.

        > > !

        Note: on OpenBSD systems specify /dev/arandom when /dev/urandom > ! gives timeout errors.

        > > --- 12387,12398 ---- > > !
        smtpd_tls_wrappermode > ! (default: no)
        > > !

        Run the Postfix SMTP server in the non-standard "wrapper" mode, > ! instead of using the STARTTLS command.

        > > !

        If you want to support this service, enable a special port in > ! master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP > ! server's command line. Port 465 (smtps) was once chosen for this > ! purpose.

        > > *************** > *** 15772,15781 **** > > !
        tlsproxy_enforce_tls > ! (default: $smtpd_enforce_tls)
        > > !

        Mandatory TLS: announce STARTTLS support to remote SMTP clients, and > ! require that clients use TLS encryption. See smtpd_enforce_tls for > ! further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12403,12416 ---- > > !
        smtpd_use_tls > ! (default: no)
        > ! > !

        Opportunistic TLS: announce STARTTLS support to SMTP clients, > ! but do not require that clients use TLS encryption.

        > > !

        Note: when invoked via "sendmail -bs", Postfix will never offer > ! STARTTLS due to insufficient privileges to access the server private > ! key. This is intended behavior.

        > > !

        This feature is available in Postfix 2.2 and later. With > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

        > > *************** > *** 15784,15792 **** > > !
        tlsproxy_service_name > ! (default: tlsproxy)
        > > !

        The name of the tlsproxy(8) service entry in master.cf. This > ! service performs plaintext <=> TLS ciphertext conversion.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12419,12438 ---- > > !
        soft_bounce > ! (default: no)
        > ! > !

        > ! Safety net to keep mail queued that would otherwise be returned to > ! the sender. This parameter disables locally-generated bounces, > ! and prevents the Postfix SMTP server from rejecting mail permanently, > ! by changing 5xx reply codes into 4xx. However, soft_bounce is no > ! cure for address rewriting mistakes or mail routing mistakes. > !

        > > !

        > ! Example: > !

        > > !
        > ! soft_bounce = yes
        > ! 
        > > *************** > *** 15795,15804 **** > > !
        tlsproxy_tls_CAfile > ! (default: $smtpd_tls_CAfile)
        > > !

        A file containing (PEM format) CA certificates of root CAs > ! trusted to sign either remote SMTP client certificates or intermediate > ! CA certificates. See smtpd_tls_CAfile for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12441,12454 ---- > > !
        stale_lock_time > ! (default: 500s)
        > > !

        > ! The time after which a stale exclusive mailbox lockfile is removed. > ! This is used for delivery to file or mailbox. > !

        > > !

        > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > ! The default time unit is s (seconds). > !

        > > *************** > *** 15807,15816 **** > > !
        tlsproxy_tls_CApath > ! (default: $smtpd_tls_CApath)
        > > !

        A directory containing (PEM format) CA certificates of root CAs > ! trusted to sign either remote SMTP client certificates or intermediate > ! CA certificates. See smtpd_tls_CApath for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12457,12464 ---- > > !
        stress > ! (default: empty)
        > > !

        This feature is documented in the STRESS_README document.

        > > !

        This feature is available in Postfix 2.5 and later.

        > > *************** > *** 15819,15863 **** > > !
        tlsproxy_tls_always_issue_session_ids > ! (default: $smtpd_tls_always_issue_session_ids)
        > ! > !

        Force the Postfix tlsproxy(8) server to issue a TLS session id, > ! even when TLS session caching is turned off. See > ! smtpd_tls_always_issue_session_ids for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > -
        tlsproxy_tls_ask_ccert > - (default: $smtpd_tls_ask_ccert)
        > > !

        Ask a remote SMTP client for a client certificate. See > ! smtpd_tls_ask_ccert for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > !
        tlsproxy_tls_ccert_verifydepth > ! (default: $smtpd_tls_ccert_verifydepth)
        > > -

        The verification depth for remote SMTP client certificates. A > - depth of 1 is sufficient if the issuing CA is listed in a local CA > - file. See smtpd_tls_ccert_verifydepth for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > !
        tlsproxy_tls_cert_file > ! (default: $smtpd_tls_cert_file)
        > > !

        File with the Postfix tlsproxy(8) server RSA certificate in PEM > ! format. This file may also contain the Postfix tlsproxy(8) server > ! private RSA key. See smtpd_tls_cert_file for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12467,12530 ---- > > !
        strict_7bit_headers > ! (default: no)
        > > !

        > ! Reject mail with 8-bit text in message headers. This blocks mail > ! from poorly written applications. > !

        > > +

        > + This feature should not be enabled on a general purpose mail server, > + because it is likely to reject legitimate email. > +

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > > !
        > > !
        strict_8bitmime > ! (default: no)
        > > +

        > + Enable both strict_7bit_headers and strict_8bitmime_body. > +

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it is likely to reject legitimate email. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > > !
        > > +
        strict_8bitmime_body > + (default: no)
        > > !

        > ! Reject 8-bit message body text without 8-bit MIME content encoding > ! information. This blocks mail from poorly written applications. > !

        > > !

        > ! Unfortunately, this also rejects majordomo approval requests when > ! the included request contains valid 8-bit MIME mail, and it rejects > ! bounces from mailers that do not MIME encapsulate 8-bit content > ! (for example, bounces from qmail or from old versions of Postfix). > !

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it is likely to reject legitimate email. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > *************** > *** 15866,15875 **** > > !
        tlsproxy_tls_ciphers > ! (default: $smtpd_tls_ciphers)
        > > !

        The minimum TLS cipher grade that the Postfix tlsproxy(8) server > ! will use with opportunistic TLS encryption. See smtpd_tls_ciphers > ! for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12533,12541 ---- > > !
        strict_mailbox_ownership > ! (default: yes)
        > > !

        Defer delivery when a mailbox file is not owned by its recipient. > ! The default setting is not backwards compatible.

        > > !

        This feature is available in Postfix 2.5.3 and later.

        > > *************** > *** 15878,15900 **** > > !
        tlsproxy_tls_dcert_file > ! (default: $smtpd_tls_dcert_file)
        > > !

        File with the Postfix tlsproxy(8) server DSA certificate in PEM > ! format. This file may also contain the Postfix tlsproxy(8) server > ! private DSA key. See smtpd_tls_dcert_file for further details. >

        > > !

        This feature is available in Postfix 2.8 and later.

        > ! > ! > !
        > ! > !
        tlsproxy_tls_dh1024_param_file > ! (default: $smtpd_tls_dh1024_param_file)
        > ! > !

        File with DH parameters that the Postfix tlsproxy(8) server > ! should use with EDH ciphers. See smtpd_tls_dh1024_param_file for > ! further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12544,12562 ---- > > !
        strict_mime_encoding_domain > ! (default: no)
        > > !

        > ! Reject mail with invalid Content-Transfer-Encoding: information > ! for the message/* or multipart/* MIME content types. This blocks > ! mail from poorly written software. >

        > > !

        > ! This feature should not be enabled on a general purpose mail server, > ! because it will reject mail after a single violation. > !

        > > !

        > ! This feature is available in Postfix 2.0 and later. > !

        > > *************** > *** 15903,15912 **** > > !
        tlsproxy_tls_dh512_param_file > ! (default: $smtpd_tls_dh512_param_file)
        > > !

        File with DH parameters that the Postfix tlsproxy(8) server > ! should use with EDH ciphers. See smtpd_tls_dh512_param_file for > ! further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12565,12580 ---- > > !
        strict_rfc821_envelopes > ! (default: no)
        > > !

        > ! Require that addresses received in SMTP MAIL FROM and RCPT TO > ! commands are enclosed with <>, and that those addresses do > ! not contain RFC 822 style comments or phrases. This stops mail > ! from poorly written software. > !

        > > !

        > ! By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL > ! FROM and RCPT TO addresses. > !

        > > *************** > *** 15915,15925 **** > > !
        tlsproxy_tls_dkey_file > ! (default: $smtpd_tls_dkey_file)
        > ! > !

        File with the Postfix tlsproxy(8) server DSA private key in PEM > ! format. This file may be combined with the Postfix tlsproxy(8) > ! server DSA certificate file specified with $smtpd_tls_dcert_file. > ! See smtpd_tls_dkey_file for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12583,12591 ---- > > !
        sun_mailtool_compatibility > ! (default: no)
        > > !

        > ! Obsolete SUN mailtool compatibility feature. Instead, use > ! "mailbox_delivery_lock = dotlock". > !

        > > *************** > *** 15928,15963 **** > > !
        tlsproxy_tls_eccert_file > ! (default: $smtpd_tls_eccert_file)
        > ! > !

        File with the Postfix tlsproxy(8) server ECDSA certificate in > ! PEM format. This file may also contain the Postfix tlsproxy(8) > ! server private ECDSA key. See smtpd_tls_eccert_file for further > ! details.

        > ! > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > !
        tlsproxy_tls_eckey_file > ! (default: $smtpd_tls_eckey_file)
        > > !

        File with the Postfix tlsproxy(8) server ECDSA private key in > ! PEM format. This file may be combined with the Postfix tlsproxy(8) > ! server ECDSA certificate file specified with $smtpd_tls_eccert_file. > ! See smtpd_tls_eckey_file for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > > !
        > > !
        tlsproxy_tls_eecdh_grade > ! (default: $smtpd_tls_eecdh_grade)
        > > !

        The Postfix tlsproxy(8) server security grade for ephemeral > ! elliptic-curve Diffie-Hellman (EECDH) key exchange. See > ! smtpd_tls_eecdh_grade for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12594,12629 ---- > > !
        swap_bangpath > ! (default: yes)
        > > +

        > + Enable the rewriting of "site!user" into "user at site". This is > + necessary if your machine is connected to UUCP networks. It is > + enabled by default. > +

        > > !

        Note: with Postfix version 2.2, message header address rewriting > ! happens only when one of the following conditions is true:

        > > ! > > !

        To get the behavior before Postfix version 2.2, specify > ! "local_header_rewrite_clients = static:all".

        > > !

        > ! Example: > !

        > > !
        > ! swap_bangpath = no
        > ! 
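Review bot: on the new side of the hunk for lines 12594-12629, the swap_bangpath entry says header address rewriting "happens only when one of the following conditions is true:" and is then followed only by an empty quoted line ("> > ! > > !") before "To get the behavior before Postfix version 2.2", so the list of conditions has been lost, most likely a stripped list element. As published, this text points readers at conditions that never appear; the generator's HTML-to-text step needs to preserve list items here, or the local_header_rewrite_clients conditions have to be restated inline.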
        > > *************** > *** 15966,15975 **** > > !
        tlsproxy_tls_exclude_ciphers > ! (default: $smtpd_tls_exclude_ciphers)
        > > !

        List of ciphers or cipher types to exclude from the tlsproxy(8) > ! server cipher list at all TLS security levels. See > ! smtpd_tls_exclude_ciphers for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12632,12648 ---- > > !
        syslog_facility > ! (default: mail)
        > > !

        > ! The syslog facility of Postfix logging. Specify a facility as > ! defined in syslog.conf(5). The default facility is "mail". > !

        > > !

        > ! Warning: a non-default syslog_facility setting takes effect only > ! after a Postfix process has completed initialization. Errors during > ! process initialization will be logged with the default facility. > ! Examples are errors while parsing the command line arguments, and > ! errors while accessing the Postfix main.cf configuration file. > !

        > > *************** > *** 15978,15988 **** > > !
        tlsproxy_tls_fingerprint_digest > ! (default: $smtpd_tls_fingerprint_digest)
        > > !

        The message digest algorithm to construct remote SMTP > ! client-certificate > ! fingerprints. See smtpd_tls_fingerprint_digest for further details. >

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12651,12667 ---- > > !
        syslog_name > ! (default: postfix)
        > > !

        > ! The mail system name that is prepended to the process name in syslog > ! records, so that "smtpd" becomes, for example, "postfix/smtpd". >

        > > !

        > ! Warning: a non-default syslog_name setting takes effect only after > ! a Postfix process has completed initialization. Errors during > ! process initialization will be logged with the default name. Examples > ! are errors while parsing the command line arguments, and errors > ! while accessing the Postfix main.cf configuration file. > !

        > > *************** > *** 15991,16001 **** > > !
        tlsproxy_tls_key_file > ! (default: $smtpd_tls_key_file)
        > > !

        File with the Postfix tlsproxy(8) server RSA private key in PEM > ! format. This file may be combined with the Postfix tlsproxy(8) > ! server RSA certificate file specified with $smtpd_tls_cert_file. > ! See smtpd_tls_key_file for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12670,12681 ---- > > !
        tls_daemon_random_bytes > ! (default: 32)
        > > !

        The number of pseudo-random bytes that an smtp(8) or smtpd(8) > ! process requests from the tlsmgr(8) server in order to seed its > ! internal pseudo random number generator (PRNG). The default of 32 > ! bytes (equivalent to 256 bits) is sufficient to generate a 128bit > ! (or 168bit) session key.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16004,16014 **** > > !
        tlsproxy_tls_loglevel > ! (default: $smtpd_tls_loglevel)
        > > !

        Enable additional Postfix tlsproxy(8) server logging of TLS > ! activity. Each logging level also includes the information that > ! is logged at a lower logging level. See smtpd_tls_loglevel for > ! further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12684,12696 ---- > > !
        tls_export_cipherlist > ! (default: ALL:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This > ! defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > ! the cipherlist for the opportunistic ("may") TLS client security > ! level and is the default cipherlist for the SMTP server. You are > ! strongly encouraged to not change this setting.

        > > !

        This feature is available in Postfix 2.3 and later.
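Review bot: the new side's tls_export_cipherlist entry (lines 12684-12696) is the same parameter the old side dropped at lines 15584-15615 earlier in this patch, but it lacks that version's sentence about the optional "aNULL:" prefix that restores the OpenSSL 0.9.8 ordering of anonymous ciphers with OpenSSL 1.0.0 and later; the following hunks show the same loss for tls_high_cipherlist, tls_low_cipherlist and tls_medium_cipherlist. The entries are therefore not being moved but replaced by a less complete earlier text, which confirms the regenerated page is an older version and this update should not be pushed as-is.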

        > > *************** > *** 16017,16026 **** > > !
        tlsproxy_tls_mandatory_ciphers > ! (default: $smtpd_tls_mandatory_ciphers)
        > > !

        The minimum TLS cipher grade that the Postfix tlsproxy(8) server > ! will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers > ! for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12699,12709 ---- > > !
        tls_high_cipherlist > ! (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "HIGH" grade ciphers. This defines > ! the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > ! strongly encouraged to not change this setting.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > *************** > *** 16029,16038 **** > > !
        tlsproxy_tls_mandatory_exclude_ciphers > ! (default: $smtpd_tls_mandatory_exclude_ciphers)
        > > !

        Additional list of ciphers or cipher types to exclude from the > ! tlsproxy(8) server cipher list at mandatory TLS security levels. > ! See smtpd_tls_mandatory_exclude_ciphers for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12712,12722 ---- > > !
        tls_low_cipherlist > ! (default: ALL:!EXPORT:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines > ! the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > ! strongly encouraged to not change this setting.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > *************** > *** 16041,16051 **** > > !
        tlsproxy_tls_mandatory_protocols > ! (default: $smtpd_tls_mandatory_protocols)
        > > !

        The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server > ! with mandatory TLS encryption. If the list is empty, the server > ! supports all available SSL/TLS protocol versions. See > ! smtpd_tls_mandatory_protocols for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12725,12738 ---- > > !
        tls_medium_cipherlist > ! (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
        > > !

        The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This > ! defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > ! the default cipherlist for mandatory TLS encryption in the TLS > ! client (with anonymous ciphers disabled when verifying server > ! certificates). You are strongly encouraged to not change this > ! setting.

        > > !

        This feature is available in Postfix 2.3 and later.

        > > *************** > *** 16054,16063 **** > > !
        tlsproxy_tls_protocols > ! (default: $smtpd_tls_protocols)
        > > !

        List of TLS protocols that the Postfix tlsproxy(8) server will > ! exclude or include with opportunistic TLS encryption. See > ! smtpd_tls_protocols for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12741,12752 ---- > > !
        tls_null_cipherlist > ! (default: eNULL:!aNULL)
        > > !

        The OpenSSL cipherlist for "NULL" grade ciphers that provide > ! authentication without encryption. This defines the meaning of the "null" > ! setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and > ! lmtp_tls_mandatory_ciphers. You are strongly encouraged to not > ! change this setting.

        > > !

        This feature is available in Postfix 2.3 and later.

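Review bot: the --- side of this hunk (12741,12752) writes the parameter name as smtpd_mandatory_tls_ciphers in the tls_null_cipherlist text, while the sibling entries in the hunks above (tls_high_cipherlist, tls_low_cipherlist, tls_medium_cipherlist) all write smtpd_tls_mandatory_ciphers. The misspelled name should be corrected so the cross-reference resolves to the right parameter.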
        > > *************** > *** 16066,16075 **** > > !
        tlsproxy_tls_req_ccert > ! (default: $smtpd_tls_req_ccert)
        > > !

        With mandatory TLS encryption, require a trusted remote SMTP > ! client certificate in order to allow TLS connections to proceed. > ! See smtpd_tls_req_ccert for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12755,12766 ---- > > !
        tls_random_bytes > ! (default: 32)
        > > !

        The number of bytes that tlsmgr(8) reads from $tls_random_source > ! when (re)seeding the in-memory pseudo random number generator (PRNG) > ! pool. The default of 32 bytes (256 bits) is good enough for 128bit > ! symmetric keys. If using EGD or a device file, a maximum of 255 > ! bytes is read.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16078,16088 **** > > !
        tlsproxy_tls_security_level > ! (default: $smtpd_tls_security_level)
        > > !

        The SMTP TLS security level for the Postfix tlsproxy(8) server; > ! when a non-empty value is specified, this overrides the obsolete > ! parameters smtpd_use_tls and smtpd_enforce_tls. See > ! smtpd_tls_security_level for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12769,12785 ---- > > !
        tls_random_exchange_name > ! (default: see "postconf -d" output)
        > ! > !

        Name of the pseudo random number generator (PRNG) state file > ! that is maintained by tlsmgr(8). The file is created when it does > ! not exist, and its length is fixed at 1024 bytes.

        > > !

        As of version 2.5, Postfix no longer uses root privileges when > ! opening this file, and the default file location was changed from > ! ${config_directory}/prng_exch to ${data_directory}/prng_exch. As > ! a migration aid, an attempt to open the file under a non-Postfix > ! directory is redirected to the Postfix-owned data_directory, and a > ! warning is logged.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16091,16101 **** > > !
        tlsproxy_tls_session_cache_timeout > ! (default: $smtpd_tls_session_cache_timeout)
        > > !

        The expiration time of Postfix tlsproxy(8) server TLS session > ! cache information. A cache cleanup is performed periodically every > ! $smtpd_tls_session_cache_timeout seconds. See > ! smtpd_tls_session_cache_timeout for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12788,12797 ---- > > !
        tls_random_prng_update_period > ! (default: 3600s)
        > > !

        The time between attempts by tlsmgr(8) to save the state of > ! the pseudo random number generator (PRNG) to the file specified > ! with $tls_random_exchange_name.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16104,16113 **** > > !
        tlsproxy_use_tls > ! (default: $smtpd_use_tls)
        > > !

        Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > ! but do not require that clients use TLS encryption. See smtpd_use_tls > ! for further details.

        > > !

        This feature is available in Postfix 2.8 and later.

        > > --- 12800,12810 ---- > > !
        tls_random_reseed_period > ! (default: 3600s)
        > > !

        The maximal time between attempts by tlsmgr(8) to re-seed the > ! in-memory pseudo random number generator (PRNG) pool from external > ! sources. The actual time between re-seeding attempts is calculated > ! using the PRNG, and is between 0 and the time specified.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16116,16132 **** > > !
        tlsproxy_watchdog_timeout > ! (default: 10s)
        > > !

        How much time a tlsproxy(8) process may take to process local > ! or remote I/O before it is terminated by a built-in watchdog timer. > ! This is a safety mechanism that prevents tlsproxy(8) from becoming > ! non-responsive due to a bug in Postfix itself or in system software. > ! To avoid false alarms and unnecessary cache corruption this limit > ! cannot be set under 10s.

        > > !

        Specify a non-zero time value (an integral value plus an optional > ! one-letter suffix that specifies the time unit). Time units: s > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

        > > !

        This feature is available in Postfix 2.8.

        > > --- 12813,12828 ---- > > !
        tls_random_source > ! (default: see "postconf -d" output)
        > > !

        The external entropy source for the in-memory tlsmgr(8) pseudo > ! random number generator (PRNG) pool. Be sure to specify a non-blocking > ! source. If this source is not a regular file, the entropy source > ! type must be prepended: egd:/path/to/egd_socket for a source with > ! EGD compatible socket interface, or dev:/path/to/device for a > ! device file.

        > > !

        Note: on OpenBSD systems specify /dev/arandom when /dev/urandom > ! gives timeout errors.

        > > !

        This feature is available in Postfix 2.2 and later.

        > > *************** > *** 16159,16166 **** > > -

        Note: transport_delivery_slot_cost parameters will not > - show up in "postconf" command output before Postfix version 2.9. > - This limitation applies to many parameters whose name is a combination > - of a master.cf service name and a built-in suffix (in this case: > - "_delivery_slot_cost").

        > - > > --- 12855,12856 ---- > *************** > *** 16175,16182 **** > > -

        Note: transport_delivery_slot_discount parameters will > - not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_delivery_slot_discount").

        > - > > --- 12865,12866 ---- > *************** > *** 16191,16198 **** > > -

        Note: transport_delivery_slot_loan parameters will not > - show up in "postconf" command output before Postfix version 2.9. > - This limitation applies to many parameters whose name is a combination > - of a master.cf service name and a built-in suffix (in this case: > - "_delivery_slot_loan").

        > - > > --- 12875,12876 ---- > *************** > *** 16208,16216 **** > > -

        Note: some transport_destination_concurrency_failed_cohort_limit > - parameters will not show up in "postconf" command output before > - Postfix version 2.9. This limitation applies to many parameters > - whose name is a combination of a master.cf service name and a > - built-in suffix (in this case: > - "_destination_concurrency_failed_cohort_limit").

        > - >

        This feature is available in Postfix 2.5 and later.

        > --- 12886,12887 ---- > *************** > *** 16228,16236 **** > > -

        Note: some transport_destination_concurrency_limit > - parameters will not show up in "postconf" command output before > - Postfix version 2.9. This limitation applies to many parameters > - whose name is a combination of a master.cf service name and a > - built-in suffix (in this case: "_destination_concurrency_limit"). > -

        > - > > --- 12899,12900 ---- > *************** > *** 16246,16254 **** > > -

        Note: some transport_destination_concurrency_negative_feedback > - parameters will not show up in "postconf" command output before > - Postfix version 2.9. This limitation applies to many parameters > - whose name is a combination of a master.cf service name and a > - built-in suffix (in this case: > - "_destination_concurrency_negative_feedback").

        > - >

        This feature is available in Postfix 2.5 and later.

        > --- 12910,12911 ---- > *************** > *** 16266,16274 **** > > -

        Note: some transport_destination_concurrency_positive_feedback > - parameters will not show up in "postconf" command output before > - Postfix version 2.9. This limitation applies to many parameters > - whose name is a combination of a master.cf service name and a > - built-in suffix (in this case: > - "_destination_concurrency_positive_feedback").

        > - >

        This feature is available in Postfix 2.5 and later.

        > --- 12923,12924 ---- > *************** > *** 16285,16292 **** > > -

        Note: some transport_destination_rate_delay parameters > - will not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_destination_rate_delay").

        > - >

        This feature is available in Postfix 2.5 and later.

        > --- 12935,12936 ---- > *************** > *** 16304,16311 **** > > -

        Note: some transport_destination_recipient_limit parameters > - will not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_destination_recipient_limit").

        > - > > --- 12948,12949 ---- > *************** > *** 16320,16327 **** > > -

        Note: transport_extra_recipient_limit parameters will > - not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_extra_recipient_limit").

        > - > > --- 12958,12959 ---- > *************** > *** 16336,16344 **** > > -

        Note: some transport_initial_destination_concurrency > - parameters will not show up in "postconf" command output before > - Postfix version 2.9. This limitation applies to many parameters > - whose name is a combination of a master.cf service name and a > - built-in suffix (in this case: "_initial_destination_concurrency"). > -

        > - >

        This feature is available in Postfix 2.5 and later.

        > --- 12968,12969 ---- > *************** > *** 16384,16391 **** > > -

        Note: transport_minimum_delivery_slots parameters will > - not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_minimum_delivery_slots").

        > - > > --- 13009,13010 ---- > *************** > *** 16400,16407 **** > > -

        Note: some transport_recipient_limit parameters will not > - show up in "postconf" command output before Postfix version 2.9. > - This limitation applies to many parameters whose name is a combination > - of a master.cf service name and a built-in suffix (in this case: > - "_recipient_limit").

        > - > > --- 13019,13020 ---- > *************** > *** 16416,16423 **** > > -

        Note: transport_recipient_refill_delay parameters will > - not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_recipient_refill_delay").

        > - >

        This feature is available in Postfix 2.4 and later.

        > --- 13029,13030 ---- > *************** > *** 16434,16441 **** > > -

        Note: transport_recipient_refill_limit parameters will > - not show up in "postconf" command output before Postfix version > - 2.9. This limitation applies to many parameters whose name is a > - combination of a master.cf service name and a built-in suffix (in > - this case: "_recipient_refill_limit").

        > - >

        This feature is available in Postfix 2.4 and later.

        > --- 13041,13042 ---- > *************** > *** 16468,16475 **** > > -

        Note: transport_time_limit parameters will not show up > - in "postconf" command output before Postfix version 2.9. This > - limitation applies to many parameters whose name is a combination > - of a master.cf service name and a built-in suffix (in this case: > - "_time_limit").

        > - > > --- 13069,13070 ---- > *************** > *** 16496,16498 **** >
        undisclosed_recipients_header > ! (default: see "postconf -d" output)
        > > --- 13091,13093 ---- >
        undisclosed_recipients_header > ! (default: To: undisclosed-recipients:;)
        > > *************** > *** 16500,16512 **** > Message header that the Postfix cleanup(8) server inserts when a > ! message contains no To: or Cc: message header. With Postfix 2.8 > ! and later, the default value is empty. With Postfix 2.4-2.7, > ! specify an empty value to disable this feature.

        > ! > !

        Example:

        > ! > !
        > ! # Default value before Postfix 2.8.
        > ! # Note: the ":" and ";" are both required.
        > ! undisclosed_recipients_header = To: undisclosed-recipients:;
        > ! 
        > > --- 13095,13098 ---- > Message header that the Postfix cleanup(8) server inserts when a > ! message contains no To: or Cc: message header. With Postfix 2.4 > ! and later, specify an empty value to disable this feature.
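Review bot: the --- side of this hunk (13091,13098) changes the undisclosed_recipients_header default from "see "postconf -d" output" to "To: undisclosed-recipients:;" and drops the sentence "With Postfix 2.8 and later, the default value is empty" together with the example labelled "Default value before Postfix 2.8". The *** side describes that header as the default only before 2.8, so the new text documents the behaviour of an older release as current; this hunk should be rejected rather than published.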

        > > *************** > *** 16532,16549 **** > > -
        unknown_address_tempfail_action > - (default: $reject_tempfail_action)
        > - > -

        The Postfix SMTP server's action when reject_unknown_sender_domain > - or reject_unknown_recipient_domain fail due to a temporary error > - condition. Specify "defer" to defer the remote SMTP client request > - immediately. With the default "defer_if_permit" action, the Postfix > - SMTP server continues to look for opportunities to reject mail, and > - defers the client request only if it would otherwise be accepted. > -

        > - > -

        This feature is available in Postfix 2.6 and later.

        > - > - > -
        > - >
        unknown_client_reject_code > --- 13118,13119 ---- > *************** > *** 16565,16581 **** > > -
        unknown_helo_hostname_tempfail_action > - (default: $reject_tempfail_action)
        > - > -

        The Postfix SMTP server's action when reject_unknown_helo_hostname > - fails due to an temporary error condition. Specify "defer" to defer > - the remote SMTP client request immediately. With the default > - "defer_if_permit" action, the Postfix SMTP server continues to look > - for opportunities to reject mail, and defers the client request > - only if it would otherwise be accepted.

        > - > -

        This feature is available in Postfix 2.6 and later.

        > - > - > -
        > - >
        unknown_hostname_reject_code > --- 13135,13136 ---- > *************** > *** 16648,16650 **** >

        > ! The Postfix SMTP server reply code when a recipient address matches > $virtual_alias_domains, and $virtual_alias_maps specifies a list > --- 13203,13205 ---- >

        > ! The SMTP server reply code when a recipient address matches > $virtual_alias_domains, and $virtual_alias_maps specifies a list > *************** > *** 16664,16666 **** >

        > ! The Postfix SMTP server reply code when a recipient address matches > $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list > --- 13219,13221 ---- >

        > ! The SMTP server reply code when a recipient address matches > $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list > *************** > *** 16727,16753 **** > > !

        The Postfix SMTP server's reply when rejecting mail with > ! reject_unverified_recipient. Do not include the numeric SMTP reply > ! code or the enhanced status code. By default, the response includes > ! actual address verification details. > ! > !

        Example:

        > ! > !
        > ! unverified_recipient_reject_reason = Recipient address lookup failed
        > ! 
        > ! > !

        This feature is available in Postfix 2.6 and later.

        > ! > ! > !
        > ! > !
        unverified_recipient_tempfail_action > ! (default: $reject_tempfail_action)
        > ! > !

        The Postfix SMTP server's action when reject_unverified_recipient > ! fails due to a temporary error condition. Specify "defer" to defer > ! the remote SMTP client request immediately. With the default > ! "defer_if_permit" action, the Postfix SMTP server continues to look > ! for opportunities to reject mail, and defers the client request > ! only if it would otherwise be accepted.

        > > --- 13282,13286 ---- > > !

        When rejecting mail with reject_unverified_recipient, reply > ! with this text as the reason, instead of actual address verification > ! details. > > *************** > *** 16809,16835 **** > > !

        The Postfix SMTP server's reply when rejecting mail with > ! reject_unverified_sender. Do not include the numeric SMTP reply > ! code or the enhanced status code. By default, the response includes > ! actual address verification details. > ! > !

        Example:

        > ! > !
        > ! unverified_sender_reject_reason = Sender address lookup failed
        > ! 
        > ! > !

        This feature is available in Postfix 2.6 and later.

        > ! > ! > !
        > ! > !
        unverified_sender_tempfail_action > ! (default: $reject_tempfail_action)
        > ! > !

        The Postfix SMTP server's action when reject_unverified_sender > ! fails due to a temporary error condition. Specify "defer" to defer > ! the remote SMTP client request immediately. With the default > ! "defer_if_permit" action, the Postfix SMTP server continues to look > ! for opportunities to reject mail, and defers the client request > ! only if it would otherwise be accepted.

        > > --- 13342,13346 ---- > > !

        When rejecting mail with reject_unverified_sender, reply with > ! this text as the reason, instead of actual address verification > ! details. > > *************** > *** 17079,17082 **** >

        > ! The maximal size in bytes of an individual virtual(8) mailbox or > ! maildir file, or zero (no limit).

        > > --- 13590,13594 ---- >

        > ! The maximal size in bytes of an individual mailbox or maildir file, > ! or zero (no limit). > !

        > > *************** > *** 17196,17199 **** > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop destination is optional; its syntax is documented > ! in the manual page of the corresponding delivery agent. >

        > --- 13708,13711 ---- > is the name of a mail delivery transport defined in master.cf. > ! The :nexthop part is optional. For more details see the > ! transport(5) manual page. >

> > _______________________________________________ > postconf-devel mailing list > postconf-devel at de.postfix.org > http://de.postfix.org/cgi-bin/mailman/listinfo/postconf-devel
-- Werner Detter IT-Consulting, IT-Services Lilienstraße 4 Mobil: +49 151 19640507 81669 München Web: http://www.werner-detter.de Bashian Roulette? [ $(($RANDOM%10)) -eq 0 ] && rm -rf /
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 258 bytes Desc: OpenPGP digital signature URL:
From p at state-of-mind.de Sun Mar 18 19:32:33 2012 From: p at state-of-mind.de (Patrick Ben Koetter) Date: Sun, 18 Mar 2012 19:32:33 +0100 Subject: [postconf-devel] [postconf.5.html] UPDATE In-Reply-To: <4F662420.1090209@detter.biz> References: <20120318180003.59C873DA5D@de.postfix.org> <4F662420.1090209@detter.biz> Message-ID: <20120318183229.GB2224@state-of-mind.de>
* Werner Detter : > Hi, > > don't you want to deactivate my script here, now that the project is practically dead? :)
ACK
> > Regards, > Werner > > > > > On 18.03.12 19:00, postconf-devel at de.postfix.org wrote: > > -- generated message -- > > > > postconf.5.html has been updated: > > > > *** /tmp/postconf.5.html.orig 2012-03-05 11:40:00.000000000 +0100 > > --- /tmp/postconf.5.html 2012-03-18 19:00:02.000000000 +0100 > > *************** > > *** 87,109 **** > > > > -

        access_map_defer_code > > - (default: 450)
        > > - > > -

        > > - The numerical Postfix SMTP server response code for > > - an access(5) map "defer" action, including "defer_if_permit" > > - or "defer_if_reject". Prior to Postfix 2.6, the response > > - is hard-coded as "450". > > -

        > > - > > -

        > > - Do not change this unless you have a complete understanding of RFC 2821. > > -

        > > - > > -

        > > - This feature is available in Postfix 2.6 and later. > > -

        > > - > > - > > -
        > > - > >
        access_map_reject_code > > --- 87,88 ---- > > *************** > > *** 112,115 **** > >

        > > ! The numerical Postfix SMTP server response code for > > ! an access(5) map "reject" action. > >

        > > --- 91,94 ---- > >

        > > ! The numerical Postfix SMTP server response code when a client > > ! is rejected by an access(5) map restriction. > >

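Review bot: taken with the preceding hunk (87,109), which deletes the entire access_map_defer_code entry (default 450, "available in Postfix 2.6 and later", with its warning not to change the code without a complete understanding of RFC 2821), the --- side of this hunk (91,94) rewords access_map_reject_code as the code "when a client is rejected by an access(5) map restriction". The *** wording, "for an access(5) map "reject" action", is the precise one: once the defer_code entry is gone, nothing documents that "defer" and "defer_if_permit" actions use a separate code, and the looser wording invites reading reject_code as covering them too. Keep the *** wording and restore the defer_code entry.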
        > > *************** > > *** 123,146 **** > > > > -
        address_verify_cache_cleanup_interval > > - (default: 12h)
        > > - > > -

        The amount of time between verify(8) address verification > > - database cleanup runs. This feature requires that the database > > - supports the "delete" and "sequence" operators. Specify a zero > > - interval to disable database cleanup.

        > > - > > -

        After each database cleanup run, the verify(8) daemon logs the > > - number of entries that were retained and dropped. A cleanup run is > > - logged as "partial" when the daemon terminates early after "postfix > > - reload", "postfix stop", or no requests for $max_idle > > - seconds.

        > > - > > -

        Time units: s (seconds), m (minutes), h (hours), d (days), w > > - (weeks).

        > > - > > -

        This feature is available in Postfix 2.7.

        > > - > > - > > -
        > > - > >
        address_verify_default_transport > > --- 102,103 ---- > > *************** > > *** 176,181 **** > >
        address_verify_map > > ! (default: see "postconf -d" output)
        > > > >

        > > ! Lookup table for persistent address verification status > > storage. The table is maintained by the verify(8) service, and > > --- 133,138 ---- > >

        address_verify_map > > ! (default: empty)
        > > > >

        > > ! Optional lookup table for persistent address verification status > > storage. The table is maintained by the verify(8) service, and > > *************** > > *** 185,190 **** > >

        > > ! The lookup table is persistent by default (Postfix 2.7 and later). > > ! Specify an empty table name to keep the information in volatile > > ! memory which is lost after "postfix reload" or "postfix > > ! stop". This is the default with Postfix version 2.6 and earlier. > >

        > > --- 142,145 ---- > >

        > > ! By default, the information is kept in volatile memory, and is lost > > ! after "postfix reload" or "postfix stop". > >

        > > *************** > > *** 194,204 **** > > database becomes corrupted, the world comes to an end. To recover > > ! delete (NOT: truncate) the file and do "postfix reload". > >

        > > > > !

        Postfix daemon processes do not use root privileges when opening > > ! this file (Postfix 2.5 and later). The file must therefore be > > ! stored under a Postfix-owned directory such as the data_directory. > > ! As a migration aid, an attempt to open the file under a non-Postfix > > ! directory is redirected to the Postfix-owned data_directory, and a > > ! warning is logged.

        > > > > --- 149,158 ---- > > database becomes corrupted, the world comes to an end. To recover > > ! delete the file and do "postfix reload". > >

        > > > > !

        As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file. The file should now be stored under the Postfix-owned > > ! data_directory. As a migration aid, an attempt to open the file > > ! under a non-Postfix directory is redirected to the Postfix-owned > > ! data_directory, and a warning is logged.

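Review bot: the --- side of this region (*** 176,181 through *** 194,204) loses two caveats an operator needs. In hunk 194,204 the recovery instruction "delete (NOT: truncate) the file" becomes "delete the file", dropping the warning that truncating the corrupted address verification database is not a valid recovery step; and in hunk 185,190 "The lookup table is persistent by default (Postfix 2.7 and later)" is replaced by "By default, the information is kept in volatile memory", which the *** side attributes only to Postfix 2.6 and earlier. Keep the *** text; the --- side documents older behaviour as current.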
        > > > > *************** > > *** 276,278 **** > >
        address_verify_poll_count > > ! (default: normal: 3, overload: 1)
        > > > > --- 230,232 ---- > >
        address_verify_poll_count > > ! (default: 3)
        > > > > *************** > > *** 283,289 **** > > > > !

        By default, the Postfix SMTP server polls the verify(8) service > > ! up to three times under non-overload conditions, and only once when > > ! under overload. With Postfix version 2.5 and earlier, the SMTP > > ! server always polls the verify(8) service up to three times by > > ! default.

        > > > > --- 237,241 ---- > > > > !

        > > ! The default poll count is 3. > > !

        > > > > *************** > > *** 291,293 **** > > Specify 1 to implement a crude form of greylisting, that is, always > > ! defer the first delivery request for a new address. > >

        > > --- 243,245 ---- > > Specify 1 to implement a crude form of greylisting, that is, always > > ! defer the first delivery request for a never seen before address. > >

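Review bot: the --- side of this region (230,249) removes the overload behaviour of address_verify_poll_count: the default goes from "normal: 3, overload: 1" to "3", and the explanation that the SMTP server polls verify(8) "only once when under overload" is reduced to "The default poll count is 3." The *** side says the always-three-polls behaviour is that of Postfix 2.5 and earlier, so the new text is the older description and should not replace it.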
        > > *************** > > *** 295,297 **** > >

        > > ! Examples: > >

        > > --- 247,249 ---- > >

        > > ! Example: > >

        > > *************** > > *** 299,303 **** > >
        > > - # Postfix ≤ 2.6 default
        > > - address_verify_poll_count = 3
        > > - # Poor man's greylisting
        > >   address_verify_poll_count = 1
        > > --- 251,252 ----
        > > ***************
        > > *** 435,447 ****
        > >   
        > > - 
        address_verify_sender_dependent_default_transport_maps > > - (default: $sender_dependent_default_transport_maps)
        > > - > > -

        Overrides the sender_dependent_default_transport_maps parameter > > - setting for address verification probes.

        > > - > > -

        This feature is available in Postfix 2.7 and later.

        > > - > > - > > -
        > > - > >
        address_verify_sender_dependent_relayhost_maps > > --- 384,385 ---- > > *************** > > *** 461,489 **** > > > > -
        address_verify_sender_ttl > > - (default: 0s)
        > > - > > -

        The time between changes in the time-dependent portion of address > > - verification probe sender addresses. The time-dependent portion is > > - appended to the localpart of the address specified with the > > - address_verify_sender parameter. This feature is ignored when the > > - probe sender addresses is the null sender, i.e. the address_verify_sender > > - value is empty or <>.

        > > - > > -

        Historically, the probe sender address was fixed. This has > > - caused such addresses to end up on spammer mailing lists, and has > > - resulted in wasted network and processing resources.

        > > - > > -

        To enable time-dependent probe sender addresses, specify a > > - non-zero time value (an integral value plus an optional one-letter > > - suffix that specifies the time unit). Specify a value of at least > > - several hours, to avoid problems with senders that use greylisting. > > - Avoid nice TTL values, to make the result less predictable. Time > > - units are: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > -

        > > - > > -

        This feature is available in Postfix 2.9 and later.

        > > - > > - > > -
        > > - > >
        address_verify_service_name > > --- 399,400 ---- > > *************** > > *** 695,697 **** > >
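Review bot: the hunk at *** 461,489 **** above deletes the whole address_verify_sender_ttl entry (default 0s, "available in Postfix 2.9 and later"), including its security rationale: that a fixed probe sender address "has caused such addresses to end up on spammer mailing lists", and the guidance to pick a TTL of at least several hours (for senders that use greylisting) and to avoid "nice" TTL values so the rotation is less predictable. Dropping a documented 2.9 parameter from a file presented as an update is a regression; restore the entry.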

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > --- 606,608 ---- > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > *************** > > *** 749,762 **** > > > > -
        always_add_missing_headers > > - (default: no)
        > > - > > -

        Always add (Resent-) From:, To:, Date: or Message-ID: headers > > - when not present. Postfix 2.6 and later add these headers only > > - when clients match the local_header_rewrite_clients parameter > > - setting. Earlier Postfix versions always add these headers; this > > - may break DKIM signatures that cover non-existent headers.

        > > - > > - > > -
        > > - > >
        always_bcc > > --- 660,661 ---- > > *************** > > *** 776,779 **** > > To avoid mailer loops, automatic BCC recipients are not generated > > ! after Postfix forwards mail internally, or after Postfix generates > > ! mail itself.
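Review bot: the hunk at *** 749,762 **** above deletes the always_add_missing_headers entry and with it the note that Postfix versions before 2.6 "always add these headers; this may break DKIM signatures that cover non-existent headers." That sentence is what tells an operator why header insertion matters for DKIM verification on the receiving side; restore the entry rather than dropping it.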

        > > > > --- 675,678 ---- > > To avoid mailer loops, automatic BCC recipients are not generated > > ! for mail that Postfix forwards internally, nor for mail that Postfix > > ! generates itself.

        > > > > *************** > > *** 859,861 **** > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > --- 758,760 ---- > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > *************** > > *** 896,898 **** > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > --- 795,797 ---- > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > *************** > > *** 906,908 **** > > How long the postkick(1) command waits for a request to enter the > > ! Postfix daemon process input buffer before giving up. > >

        > > --- 805,807 ---- > > How long the postkick(1) command waits for a request to enter the > > ! server's input buffer before giving up. > >

        > > *************** > > *** 922,924 **** > >
        authorized_flush_users > > ! (default: static:anyone)
        > > > > --- 821,823 ---- > >
        authorized_flush_users > > ! (default: static:anyone)
        > > > > *************** > > *** 956,958 **** > >
        authorized_mailq_users > > ! (default: static:anyone)
        > > > > --- 855,857 ---- > >
        authorized_mailq_users > > ! (default: static:anyone)
        > > > > *************** > > *** 990,992 **** > >
        authorized_submit_users > > ! (default: static:anyone)
        > > > > --- 889,891 ---- > >
        authorized_submit_users > > ! (default: static:anyone)
        > > > > *************** > > *** 1021,1023 **** > >
        > > ! authorized_submit_users = !www, static:all
        > >   
        > > --- 920,922 ---- > >
        > > ! authorized_submit_users = !www, static:all
        > >   
        > > *************** > > *** 1034,1036 **** > > > > !

        What remote SMTP clients are allowed to specify the XVERP command. > > This command requests that mail be delivered one recipient at a > > --- 933,935 ---- > > > > !

        What SMTP clients are allowed to specify the XVERP command. > > This command requests that mail be delivered one recipient at a > > *************** > > *** 1246,1252 **** > >

        The maximal amount of original message text that is sent in a > > ! non-delivery notification. Specify a byte count. A message is > > ! returned as either message/rfc822 (the complete original) or as > > ! text/rfc822-headers (the headers only). With Postfix version 2.4 > > ! and earlier, a message is always returned as message/rfc822 and is > > ! truncated when it exceeds the size limit. > >

        > > --- 1145,1151 ---- > >

        The maximal amount of original message text that is sent in a > > ! non-delivery notification. Specify a byte count. With Postfix 2.4 > > ! and later, a message is returned as either message/rfc822 (the > > ! complete original) or as text/rfc822-headers (the headers only). > > ! With earlier Postfix versions, a message is always returned as > > ! message/rfc822 and is truncated when it exceeds the size limit. > >

        > > *************** > > *** 1293,1295 **** > >

        > > ! Enable inter-operability with remote SMTP clients that implement an obsolete > > version of the AUTH command (RFC 4954). Examples of such clients > > --- 1192,1194 ---- > >

        > > ! Enable inter-operability with SMTP clients that implement an obsolete > > version of the AUTH command (RFC 4954). Examples of such clients > > *************** > > *** 1360,1362 **** > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > --- 1259,1261 ---- > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > *************** > > *** 1537,1540 **** > > > > -

        This feature is available in Postfix 2.2 and later.

        > > - > > > > --- 1436,1437 ---- > > *************** > > *** 1568,1593 **** > > > > !

        After the message is queued, send the entire message to the > > ! specified transport:destination. The transport name > > ! specifies the first field of a mail delivery agent definition in > > ! master.cf; the syntax of the next-hop destination is described > > ! in the manual page of the corresponding delivery agent. More > > ! information about external content filters is in the Postfix > > ! FILTER_README file.

        > > ! > > !

        Notes:

        > > ! > > !
          > > ! > > !
        • This setting has lower precedence than a FILTER action > > ! that is specified in an access(5), header_checks(5) or body_checks(5) > > ! table.

          > > ! > > !
        • The meaning of an empty next-hop filter destination > > ! is version dependent. Postfix 2.7 and later will use the recipient > > ! domain; earlier versions will use $myhostname. Specify > > ! "default_filter_nexthop = $myhostname" for compatibility with Postfix > > ! 2.6 or earlier, or specify a content_filter value with an explicit > > ! next-hop destination.

          > > > > !
        > > > > --- 1465,1477 ---- > > > > !

        > > ! The name of a mail delivery transport that filters mail after > > ! it is queued. > > !

        > > > > !

        > > ! This parameter uses the same syntax as the right-hand side of a > > ! Postfix transport(5) table. This setting has a lower precedence > > ! than a content filter that is specified with an access(5) table or > > ! in a header_checks(5) or body_checks(5) table. > > !

        > > > > *************** > > *** 1622,1656 **** > > > > -
        daemon_table_open_error_is_fatal > > - (default: no)
        > > - > > -

        How a Postfix daemon process handles errors while opening lookup > > - tables: gradual degradation or immediate termination.

        > > - > > -
        > > - > > -
        no (default)

        Gradual degradation: a > > - daemon process logs a message of type "error" and continues execution > > - with reduced functionality. Features that do not depend on the > > - unavailable table will work normally, while features that depend > > - on the table will result in a type "warning" message.
        When > > - the notify_classes parameter value contains the "data" class, the > > - Postfix SMTP server and client will report transcripts of sessions > > - with an error because a table is unavailable.

        > > - > > -
        yes (historical behavior)

        Immediate > > - termination: a daemon process logs a type "fatal" message and > > - terminates immediately. This option reduces the number of possible > > - code paths through Postfix, and may therefore be slightly more > > - secure than the default.

        > > - > > -
        > > - > > -

        For the sake of sanity, the number of type "error" messages is > > - limited to 13 over the lifetime of a daemon process.

        > > - > > -

        This feature is available in Postfix 2.9 and later.

        > > - > > - > > -
        > > - > >
        daemon_timeout > > --- 1506,1507 ---- > > *************** > > *** 1711,1713 **** > > debug_peer_list = 127.0.0.1 > > ! debug_peer_list = example.com > >
        > > --- 1562,1564 ---- > > debug_peer_list = 127.0.0.1 > > ! debug_peer_list = some.domain > > > > *************** > > *** 1960,1962 **** > > > > !

        Use transport_destination_concurrency_negative_feedback > > to specify a transport-specific override, where transport > > --- 1811,1813 ---- > > > > !

        Use transport_destination_concurrency_negative_feedback > > to specify a transport-specific override, where transport > > *************** > > *** 2033,2036 **** > >

        NOTE: the delay is enforced by the queue manager. The delay > > ! timer state does not survive "postfix reload" or "postfix > > ! stop". > >

        > > --- 1884,1886 ---- > >

        NOTE: the delay is enforced by the queue manager. The delay > > ! timer state does not survive "postfix reload" or "postfix stop". > >

        > > *************** > > *** 2042,2048 **** > > > > -

        NOTE: with a non-zero _destination_rate_delay, specify a > > - transport_destination_concurrency_failed_cohort_limit of 10 > > - or more to prevent Postfix from deferring all mail for the same > > - destination after only one connection or handshake error.

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 1892,1893 ---- > > *************** > > *** 2093,2109 **** > > > > -
        default_filter_nexthop > > - (default: empty)
        > > - > > -

        When a content_filter or FILTER request specifies no explicit > > - next-hop destination, use $default_filter_nexthop instead; when > > - that value is empty, use the domain in the recipient address. > > - Specify "default_filter_nexthop = $myhostname" for compatibility > > - with Postfix version 2.6 and earlier, or specify an explicit next-hop > > - destination with each content_filter value or FILTER action.

        > > - > > -

        This feature is available in Postfix 2.7 and later.

        > > - > > - > > -
        > > - > >
        default_minimum_delivery_slots > > --- 1938,1939 ---- > > *************** > > *** 2156,2158 **** > >

        > > ! The default Postfix SMTP server response template for a request that is > > rejected by an RBL-based restriction. This template can be overruled > > --- 1986,1988 ---- > >

        > > ! The default SMTP server response template for a request that is > > rejected by an RBL-based restriction. This template can be overruled > > *************** > > *** 2346,2356 **** > > $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, > > ! or $relay_domains. This information can be overruled with the > > ! sender_dependent_default_transport_maps parameter and with the > > ! transport(5) table.

        > > ! > > !

        > > ! In order of decreasing precedence, the nexthop destination is taken > > ! from $sender_dependent_default_transport_maps, $default_transport, > > $sender_dependent_relayhost_maps, $relayhost, or from the recipient > > ! domain. > >

        > > --- 2176,2182 ---- > > $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, > > ! or $relay_domains. In order of decreasing precedence, the nexthop > > ! destination is taken from $default_transport, > > $sender_dependent_relayhost_maps, $relayhost, or from the recipient > > ! domain. This information can be overruled with the transport(5) > > ! table. > >

        > > *************** > > *** 2360,2363 **** > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop destination is optional; its syntax is documented > > ! in the manual page of the corresponding delivery agent. > >

        > > --- 2186,2189 ---- > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop part is optional. For more details see the > > ! transport(5) manual page. > >

        > > *************** > > *** 2462,2464 **** > > > > !
      • c = time in connection setup, including DNS, EHLO and STARTTLS > > > > --- 2288,2290 ---- > > > > !
      • c = time in connection setup, including DNS, EHLO and TLS > > > > *************** > > *** 2651,2673 **** > > > > -
        dnsblog_reply_delay > > - (default: 0s)
        > > - > > -

        A debugging aid to artifically delay DNS responses.

        > > - > > -

        This feature is available in Postfix 2.8.

        > > - > > - > > -
        > > - > > -
        dnsblog_service_name > > - (default: dnsblog)
        > > - > > -

        The name of the dnsblog(8) service entry in master.cf. This > > - service performs DNS white/blacklist lookups.

        > > - > > -

        This feature is available in Postfix 2.8 and later.

        > > - > > - > > -
        > > - > >
        dont_remove > > --- 2477,2478 ---- > > *************** > > *** 2704,2716 **** > > > > -
        empty_address_default_transport_maps_lookup_key > > - (default: <>)
        > > - > > -

        The sender_dependent_default_transport_maps search string that > > - will be used instead of the null sender address.

        > > - > > -

        This feature is available in Postfix 2.7 and later.

        > > - > > - > > -
        > > - > >
        empty_address_recipient > > --- 2509,2510 ---- > > *************** > > *** 2752,2839 **** > > > > -
        enable_long_queue_ids > > - (default: no)
        > > - > > -

        Enable long, non-repeating, queue IDs (queue file names). The > > - benefit of non-repeating names is simpler logfile analysis and > > - easier queue migration (there is no need to run "postsuper" to > > - change queue file names that don't match their message file inode > > - number).

        > > - > > -

        Note: see below for how to prepare long queue file names > > - for migration to Postfix ≤ 2.8.

        > > - > > -

        Changing the parameter value to "yes" has the following effects: > > -

        > > - > > -
          > > - > > -
        • Existing queue file names are not affected.

          > > - > > -
        • New queue files are created with names such as 3Pt2mN2VXxznjll. > > - These are encoded in a 52-character alphabet that contains digits > > - (0-9), upper-case letters (B-Z) and lower-case letters (b-z). For > > - safety reasons the vowels (AEIOUaeiou) are excluded from the alphabet. > > - The name format is: 6 or more characters for the time in seconds, > > - 4 characters for the time in microseconds, the 'z'; the remainder > > - is the file inode number encoded in the first 51 characters of the > > - 52-character alphabet.

          > > - > > -
        • New messages have a Message-ID header with > > - queueID@myhostname.

          > > - > > -
        • The mailq (postqueue -p) output has a wider Queue ID column. > > - The number of whitespace-separated fields is not changed.

          > > - > > -

        • The hash_queue_depth algorithm uses the first characters > > - of the queue file creation time in microseconds, after conversion > > - into hexadecimal representation. This produces the same queue hashing > > - behavior as if the queue file name was created with "enable_long_queue_ids > > - = no".

          > > - > > -
        > > - > > -

        Changing the parameter value to "no" has the following effects: > > -

        > > - > > -
          > > - > > -
        • Existing long queue file names are renamed to the short > > - form (while running "postfix reload" or "postsuper").

          > > - > > -
        • New queue files are created with names such as C3CD21F3E90 > > - from a hexadecimal alphabet that contains digits (0-9) and upper-case > > - letters (A-F). The name format is: 5 characters for the time in > > - microseconds; the remainder is the file inode number.

          > > - > > -
        • New messages have a Message-ID header with > > - YYYYMMDDHHMMSS.queueid@myhostname, where > > - YYYYMMDDHHMMSS are the year, month, day, hour, minute and > > - second. > > - > > -

        • The mailq (postqueue -p) output has the same format as > > - with Postfix ≤ 2.8.

          > > - > > -

        • The hash_queue_depth algorithm uses the first characters > > - of the queue file name, with the hexadecimal representation of the > > - file creation time in microseconds.

          > > - > > -
        > > - > > -

        Before migration to Postfix ≤ 2.8, the following commands > > - are required to convert long queue file names into short names:

        > > - > > -
        > > - # postfix stop
        > > - # postconf enable_long_queue_ids=no
        > > - # postsuper
        > > - 
        > > - > > -

        Repeat the postsuper command until it reports no more queue file > > - name changes.

        > > - > > -

        This feature is available in Postfix 2.9 and later.

        > > - > > - > > -
        > > - > >
        enable_original_recipient > > --- 2546,2547 ---- > > *************** > > *** 3254,3267 **** > > The number of subdirectory levels for queue directories listed with > > ! the hash_queue_names parameter. Queue hashing is implemented by > > ! creating one or more levels of directories with one-character names. > > ! Originally, these directory names were equal to the first characters > > ! of the queue file name, with the hexadecimal representation of the > > ! file creation time in microseconds.

        > > ! > > !

        With long queue file names, queue hashing produces the same > > ! results as with short names. The file creation time in microseconds > > ! is converted into hexadecimal form before the result is used for > > ! queue hashing. The base 16 encoding gives finer control over the > > ! number of subdirectories than is possible with the base 52 encoding > > ! of long queue file names.

        > > > > --- 2962,2965 ---- > > The number of subdirectory levels for queue directories listed with > > ! the hash_queue_names parameter. > > !

        > > > > *************** > > *** 3460,3462 **** > >

        > > ! With the default 100 Postfix SMTP server process limit, "in_flow_delay > > = 1s" limits the mail inflow to 100 messages per second above the > > --- 3158,3160 ---- > >

        > > ! With the default 100 SMTP server process limit, "in_flow_delay > > = 1s" limits the mail inflow to 100 messages per second above the > > *************** > > *** 3497,3500 **** > > "inside" and "outside" interfaces, this can prevent each instance from > > ! being able to reach remote SMTP servers on the "other side" of the > > ! firewall. Setting > > smtp_bind_address to 0.0.0.0 avoids the potential problem for > > --- 3195,3197 ---- > > "inside" and "outside" interfaces, this can prevent each instance from > > ! being able to reach servers on the "other side" of the firewall. Setting > > smtp_bind_address to 0.0.0.0 avoids the potential problem for > > *************** > > *** 3536,3538 **** > >

        inet_protocols > > ! (default: all)
        > > > > --- 3233,3235 ---- > >
        inet_protocols > > ! (default: ipv4)
        > > > > *************** > > *** 3544,3552 **** > > > > -

        With Postfix 2.8 and earlier the default is "ipv4". For backwards > > - compatibility with these releases, the Postfix 2.9 and later upgrade > > - procedure appends an explicit "inet_protocols = ipv4" setting to > > - main.cf when no explicit setting is present. This compatibility > > - workaround will be phased out as IPv6 deployment becomes more common. > > -

        > > - > >

        This feature is available in Postfix 2.2 and later.

        > > --- 3241,3242 ---- > > *************** > > *** 3564,3566 **** > >

        When IPv4 support is enabled via the inet_protocols parameter, > > ! Postfix will look up DNS type A records, and will convert > > IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original > > --- 3254,3256 ---- > >

        When IPv4 support is enabled via the inet_protocols parameter, > > ! Postfix will to DNS type A record lookups, and will convert > > IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original > > *************** > > *** 3581,3584 **** > >

        > > ! inet_protocols = ipv4
        > > ! inet_protocols = all (DEFAULT)
        > >   inet_protocols = ipv6
        > > --- 3271,3274 ----
        > >   
        > > ! inet_protocols = ipv4 (DEFAULT)
        > > ! inet_protocols = all
        > >   inet_protocols = ipv6
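Review bot: the new side of this hunk, together with the 3536,3538 hunk above, flips the documented `inet_protocols` default from `all` back to `ipv4`, and the 3544,3552 hunk drops the paragraph explaining that the Postfix 2.9 upgrade procedure appends an explicit "inet_protocols = ipv4" to main.cf when none is present. That paragraph is what tells an administrator why a 2.9 upgrade behaves like 2.8; if the generated page is meant to track the current postconf(5), confirm which upstream file the generator fetched before publishing this change.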
        > > ***************
        > > *** 3659,3663 ****
        > >   The time after which a client closes an idle internal communication
        > > ! channel.  The purpose is to allow Postfix daemon processes to
        > > ! terminate voluntarily after they become idle. This is used, for
        > > ! example, by the Postfix address resolving and rewriting clients.
        > >   

        > > --- 3349,3353 ---- > > The time after which a client closes an idle internal communication > > ! channel. The purpose is to allow servers to terminate voluntarily > > ! after they become idle. This is used, for example, by the address > > ! resolving and rewriting clients. > >

        > > *************** > > *** 3697,3702 **** > > The time after which a client closes an active internal communication > > ! channel. The purpose is to allow Postfix daemon processes to > > ! terminate voluntarily > > after reaching their client limit. This is used, for example, by > > ! the Postfix address resolving and rewriting clients. > >

        > > --- 3387,3391 ---- > > The time after which a client closes an active internal communication > > ! channel. The purpose is to allow servers to terminate voluntarily > > after reaching their client limit. This is used, for example, by > > ! the address resolving and rewriting clients. > >

        > > *************** > > *** 3724,3749 **** > > > > -
        lmtp_address_preference > > - (default: ipv6)
        > > - > > -

        The LMTP-specific version of the smtp_address_preference > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.8 and later.

        > > - > > - > > -
        > > - > > -
        lmtp_assume_final > > - (default: no)
        > > - > > -

        When a remote LMTP server announces no DSN support, assume that > > - the > > - server performs final delivery, and send "delivered" delivery status > > - notifications instead of "relayed". The default setting is backwards > > - compatible to avoid the infinetisimal possibility of breaking > > - existing LMTP-based content filters.

        > > - > > - > > -
        > > - > >
        lmtp_bind_address > > --- 3413,3414 ---- > > *************** > > *** 3770,3782 **** > > > > -
        lmtp_body_checks > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_body_checks configuration > > - parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.5 and later.

        > > - > > - > > -
        > > - > >
        lmtp_cache_connection > > --- 3435,3436 ---- > > *************** > > *** 3790,3800 **** > > > > -

        This parameter is available in Postfix version 2.2 and earlier. > > - With Postfix version 2.3 and later, see lmtp_connection_cache_on_demand, > > - lmtp_connection_cache_destinations, or lmtp_connection_reuse_time_limit. > > -

        > > - > >

        > > The effectiveness of cached connections will be determined by the > > ! number of remote LMTP servers in use, and the concurrency limit specified > > ! for the Postfix LMTP client. Cached connections are closed under any of > > the following conditions: > > --- 3444,3449 ---- > > > >

        > > The effectiveness of cached connections will be determined by the > > ! number of LMTP servers in use, and the concurrency limit specified > > ! for the LMTP client. Cached connections are closed under any of > > the following conditions: > > *************** > > *** 3804,3806 **** > > > > !

      • The Postfix LMTP client idle time limit is reached. This limit is > > specified with the Postfix max_idle configuration parameter. > > --- 3453,3455 ---- > > > > !
      • The LMTP client idle time limit is reached. This limit is > > specified with the Postfix max_idle configuration parameter. > > *************** > > *** 3814,3816 **** > > > > !
      • Upon the onset of another delivery request, the remote LMTP server > > associated with the current session does not respond to the RSET > > --- 3463,3465 ---- > > > > !
      • Upon the onset of another delivery request, the LMTP server > > associated with the current session does not respond to the RSET > > *************** > > *** 3821,3823 **** > >

        > > ! Most of these limitations have been with the Postfix > > a connection cache that is shared among multiple LMTP client > > --- 3470,3472 ---- > >

        > > ! Most of these limitations will be removed after Postfix implements > > a connection cache that is shared among multiple LMTP client > > *************** > > *** 3843,3845 **** > > > > !

        The Postfix LMTP client time limit for completing a TCP connection, or > > zero (use the operating system built-in time limit). When no > > --- 3492,3494 ---- > > > > !

        The LMTP client time limit for completing a TCP connection, or > > zero (use the operating system built-in time limit). When no > > *************** > > *** 3912,3917 **** > > > > !

        The Postfix LMTP client time limit for sending the LMTP ".", > > ! and for receiving the remote LMTP server response. When no response > > ! is received within the deadline, a warning is logged that the mail > > ! may be delivered multiple times.

        > > > > --- 3561,3566 ---- > > > > !

        The LMTP client time limit for sending the LMTP ".", and for > > ! receiving the server response. When no response is received within > > ! the deadline, a warning is logged that the mail may be delivered > > ! multiple times.

        > > > > *************** > > *** 3929,3933 **** > >

        > > ! The Postfix LMTP client time limit for sending the LMTP DATA command, > > ! and > > ! for receiving the remote LMTP server response. > >

        > > --- 3578,3581 ---- > >

        > > ! The LMTP client time limit for sending the LMTP DATA command, and > > ! for receiving the server response. > >

        > > *************** > > *** 3946,3949 **** > >

        > > ! The Postfix LMTP client time limit for sending the LMTP message > > ! content. > > When the connection stalls for more than $lmtp_data_xfer_timeout > > --- 3594,3596 ---- > >

        > > ! The LMTP client time limit for sending the LMTP message content. > > When the connection stalls for more than $lmtp_data_xfer_timeout > > *************** > > *** 4002,4005 **** > > case insensitive lists of LHLO keywords (pipelining, starttls, > > ! auth, etc.) that the Postfix LMTP client will ignore in the LHLO > > ! response > > from a remote LMTP server. See lmtp_discard_lhlo_keywords for > > --- 3649,3651 ---- > > case insensitive lists of LHLO keywords (pipelining, starttls, > > ! auth, etc.) that the LMTP client will ignore in the LHLO response > > from a remote LMTP server. See lmtp_discard_lhlo_keywords for > > *************** > > *** 4017,4020 **** > >

        A case insensitive list of LHLO keywords (pipelining, starttls, > > ! auth, etc.) that the Postfix LMTP client will ignore in the LHLO > > ! response > > from a remote LMTP server.

        > > --- 3663,3665 ---- > >

        A case insensitive list of LHLO keywords (pipelining, starttls, > > ! auth, etc.) that the LMTP client will ignore in the LHLO response > > from a remote LMTP server.

        > > *************** > > *** 4038,4050 **** > > > > -
        lmtp_dns_resolver_options > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_dns_resolver_options > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.8 and later.

        > > - > > - > > -
        > > - > >
        lmtp_enforce_tls > > --- 3683,3684 ---- > > *************** > > *** 4071,4083 **** > > > > -
        lmtp_header_checks > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_header_checks configuration > > - parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.5 and later.

        > > - > > - > > -
        > > - > >
        lmtp_host_lookup > > --- 3705,3706 ---- > > *************** > > *** 4114,4116 **** > > /etc/postfix/master.cf: > > ! mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com > >
      • > > --- 3737,3739 ---- > > /etc/postfix/master.cf: > > ! mylmtp ... lmtp -o lmtp_lhlo_name=foo.bar.com > >
        > > *************** > > *** 4128,4131 **** > > > > !

        The Postfix LMTP client time limit for sending the LHLO command, > > ! and for receiving the initial remote LMTP server response.

        > > > > --- 3751,3754 ---- > > > > !

        The LMTP client time limit for sending the LHLO command, and > > ! for receiving the initial server response.

        > > > > *************** > > *** 4152,4155 **** > >

        > > ! The Postfix LMTP client time limit for sending the MAIL FROM command, > > ! and for receiving the remote LMTP server response. > >

        > > --- 3775,3778 ---- > >

        > > ! The LMTP client time limit for sending the MAIL FROM command, and > > ! for receiving the server response. > >

        > > *************** > > *** 4164,4176 **** > > > > -
        lmtp_mime_header_checks > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_mime_header_checks > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.5 and later.

        > > - > > - > > -
        > > - > >
        lmtp_mx_address_limit > > --- 3787,3788 ---- > > *************** > > *** 4197,4220 **** > > > > -
        lmtp_nested_header_checks > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_nested_header_checks > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.5 and later.

        > > - > > - > > -
        > > - > > -
        lmtp_per_record_deadline > > - (default: no)
        > > - > > -

        The LMTP-specific version of the smtp_per_record_deadline > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.9 and later.

        > > - > > - > > -
        > > - > >
        lmtp_pix_workaround_delay_time > > --- 3809,3810 ---- > > *************** > > *** 4267,4270 **** > >

        > > ! The Postfix LMTP client time limit for sending the QUIT command, > > ! and for receiving the remote LMTP server response. > >

        > > --- 3857,3860 ---- > >

        > > ! The LMTP client time limit for sending the QUIT command, and for > > ! receiving the server response. > >

        > > *************** > > *** 4305,4308 **** > >

        > > ! The Postfix LMTP client time limit for sending the RCPT TO command, > > ! and for receiving the remote LMTP server response. > >

        > > --- 3895,3898 ---- > >

        > > ! The LMTP client time limit for sending the RCPT TO command, and > > ! for receiving the server response. > >

        > > *************** > > *** 4317,4329 **** > > > > -
        lmtp_reply_filter > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_reply_filter > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.7 and later.

        > > - > > - > > -
        > > - > >
        lmtp_rset_timeout > > --- 3907,3908 ---- > > *************** > > *** 4331,4335 **** > > > > !

        The Postfix LMTP client time limit for sending the RSET command, > > ! and for receiving the remote LMTP server response. The LMTP client > > ! sends RSET in > > order to finish a recipient address probe, or to verify that a > > --- 3910,3913 ---- > > > > !

        The LMTP client time limit for sending the RSET command, and > > ! for receiving the server response. The LMTP client sends RSET in > > order to finish a recipient address probe, or to verify that a > > *************** > > *** 4403,4405 **** > >

        > > ! Optional Postfix LMTP client lookup tables with one username:password entry > > per host or domain. If a remote host or domain has no username:password > > --- 3981,3983 ---- > >

        > > ! Optional LMTP client lookup tables with one username:password entry > > per host or domain. If a remote host or domain has no username:password > > *************** > > *** 4503,4515 **** > > > > -

        lmtp_send_dummy_mail_auth > > - (default: no)
        > > - > > -

        The LMTP-specific version of the smtp_send_dummy_mail_auth > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.9 and later.

        > > - > > - > > -
        > > - > >
        lmtp_send_xforward_command > > --- 4081,4082 ---- > > *************** > > *** 4518,4520 **** > >

        > > ! Send an XFORWARD command to the remote LMTP server when the LMTP LHLO > > server response announces XFORWARD support. This allows an lmtp(8) > > --- 4085,4087 ---- > >

        > > ! Send an XFORWARD command to the LMTP server when the LMTP LHLO > > server response announces XFORWARD support. This allows an lmtp(8) > > *************** > > *** 4609,4621 **** > > > > -

        lmtp_tls_block_early_mail_reply > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_tls_block_early_mail_reply > > - configuration parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.7 and later.

        > > - > > - > > -
        > > - > >
        lmtp_tls_cert_file > > --- 4176,4177 ---- > > *************** > > *** 4631,4643 **** > > > > -
        lmtp_tls_ciphers > > - (default: export)
        > > - > > -

        The LMTP-specific version of the smtp_tls_ciphers configuration > > - parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.6 and later.

        > > - > > - > > -
        > > - > >
        lmtp_tls_dcert_file > > --- 4187,4188 ---- > > *************** > > *** 4664,4673 **** > > > > !
        lmtp_tls_eccert_file > > ! (default: empty)
        > > > > !

        The LMTP-specific version of the smtp_tls_eccert_file configuration > > ! parameter. See there for details.

        > > > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > --- 4209,4217 ---- > > > > !
        lmtp_tls_enforce_peername > > ! (default: yes)
        > > > > !

        The LMTP-specific version of the smtp_tls_enforce_peername > > ! configuration parameter. See there for details.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 4676,4707 **** > > > > !
        lmtp_tls_eckey_file > > (default: empty)
        > > > > !

        The LMTP-specific version of the smtp_tls_eckey_file configuration > > ! parameter. See there for details.

        > > > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > ! > > ! > > !
        > > ! > > !
        lmtp_tls_enforce_peername > > ! (default: yes)
        > > ! > > !

        The LMTP-specific version of the smtp_tls_enforce_peername > > ! configuration parameter. See there for details.

        > > ! > > !

        This feature is available in Postfix 2.3 and later.

        > > ! > > ! > > !
        > > ! > > !
        lmtp_tls_exclude_ciphers > > ! (default: empty)
        > > ! > > !

        The LMTP-specific version of the smtp_tls_exclude_ciphers > > ! configuration parameter. See there for details.

        > > ! > > !

        This feature is available in Postfix 2.3 and later.

        > > > > --- 4220,4228 ---- > > > > !
        lmtp_tls_exclude_ciphers > > (default: empty)
        > > > > !

        The LMTP-specific version of the smtp_tls_exclude_ciphers > > ! configuration parameter. See there for details.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 4820,4832 **** > > > > -
        lmtp_tls_protocols > > - (default: empty)
        > > - > > -

        The LMTP-specific version of the smtp_tls_protocols configuration > > - parameter. See there for details.

        > > - > > -

        This feature is available in Postfix 2.6 and later.

        > > - > > - > > -
        > > - > >
        lmtp_tls_scert_verifydepth > > --- 4341,4342 ---- > > *************** > > *** 4912,4915 **** > >

        > > ! The Postfix LMTP client time limit for sending the XFORWARD command, > > ! and for receiving the remote LMTP server response. > >

        > > --- 4422,4425 ---- > >

        > > ! The LMTP client time limit for sending the XFORWARD command, and > > ! for receiving the server response. > >
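Review bot: the direction of this hunk (`*** 4912,4915 ****`) and of every hunk above it is backwards for an "update": the `---` side is the older text. Here it drops the "Postfix" and "remote LMTP server" qualifiers, and the preceding hunks delete lmtp_send_dummy_mail_auth ("available in Postfix 2.9 and later"), lmtp_tls_block_early_mail_reply (2.7), lmtp_tls_ciphers, lmtp_tls_eccert_file, lmtp_tls_eckey_file and lmtp_tls_protocols (2.6), while re-adding lmtp_tls_enforce_peername and lmtp_tls_exclude_ciphers at a different position. Either /tmp/postconf.5.html.orig and /tmp/postconf.5.html were handed to diff in the wrong order, or the fetched file is a stale copy from an older release; check the fetch URL and the file dates before publishing this as the current page. If the stale copy really is what gets installed, the page loses the parameters an operator needs to restrict the LMTP client's TLS protocols and ciphers.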

        > > *************** > > *** 4939,4943 **** > > By default, non-Postfix commands are executed directly; commands > > ! are given to given to the default shell (typically, /bin/sh) only > > ! when they contain shell meta characters or shell built-in commands. > > !

        > > > > --- 4449,4452 ---- > > By default, non-Postfix commands are executed directly; commands > > ! are given to given to /bin/sh only when they contain shell meta > > ! characters or shell built-in commands.
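Review bot: the duplicated words "given to given to" are present on both sides of `*** 4939,4943 ****`, so the new text carries the typo over while rewriting the rest of the sentence; since the line is being touched anyway, make it "commands are given to /bin/sh only when they contain shell meta characters or shell built-in commands".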

        > > > > *************** > > *** 4957,4959 **** > > local_command_shell = /some/where/smrsh -c > > - local_command_shell = /bin/bash -c > > > > --- 4466,4467 ---- > > *************** > > *** 5038,5041 **** > >
        Append the domain name in $myorigin or $mydomain when the > > ! remote SMTP client TLS certificate fingerprint or public key fingerprint > > ! (Postfix 2.9 and later) is listed in $relay_clientcerts. > > The fingerprint digest algorithm is configurable via the > > --- 4546,4548 ---- > >
        Append the domain name in $myorigin or $mydomain when the > > ! client TLS certificate fingerprint is listed in $relay_clientcerts. > > The fingerprint digest algorithm is configurable via the > > *************** > > *** 5047,5049 **** > >
        Append the domain name in $myorigin or $mydomain when the > > ! remote SMTP client TLS certificate is successfully verified, regardless of > > whether it is listed on the server, and regardless of the certifying > > --- 4554,4556 ---- > >
        Append the domain name in $myorigin or $mydomain when the > > ! client TLS certificate is successfully verified, regardless of > > whether it is listed on the server, and regardless of the certifying > > *************** > > *** 5070,5072 **** > >
        > > ! local_header_rewrite_clients = static:all
        > >   
        > > --- 4577,4579 ---- > >
        > > ! local_header_rewrite_clients = static:all
        > >   
        > > *************** > > *** 5178,5181 **** > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop destination is optional; its syntax is documented > > ! in the manual page of the corresponding delivery agent. > >

        > > --- 4685,4688 ---- > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop part is optional. For more details see the > > ! transport(5) manual page. > >

        > > *************** > > *** 5626,5629 **** > > client request is blocked by the reject_rbl_client, reject_rhsbl_client, > > ! reject_rhsbl_reverse_client, reject_rhsbl_sender or > > ! reject_rhsbl_recipient restriction. > >

        > > --- 5133,5135 ---- > > client request is blocked by the reject_rbl_client, reject_rhsbl_client, > > ! reject_rhsbl_sender or reject_rhsbl_recipient restriction. > >
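Review bot: `*** 5626,5629 ****` removes reject_rhsbl_reverse_client from the list of restrictions whose rejections are governed by this reply setting, leaving reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender and reject_rhsbl_recipient. Nothing in the hunk says why; if the reverse-client restriction exists in the Postfix release this page targets, a reader would wrongly conclude that its rejections use some other reply code. Keep the five-item list unless the target release predates that restriction, which would again point to the stale-copy problem noted above.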

        > > *************** > > *** 5715,5717 **** > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > --- 5221,5223 ---- > >

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".
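Review bot: once the HTML markup is stripped, the `!` lines on both sides of `*** 5715,5717 ****` read identically ("local_header_rewrite_clients = static:all"), and the same holds for `*** 5070,5072 ****` above. These are markup-only changes (a different anchor or code wrapper) that this generated message cannot show, so they are noise for the reader. Running the diff on the rendered text, or filtering out hunks whose text is unchanged, would keep these notifications to substantive edits.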

        > > > > *************** > > *** 5763,5797 **** > > > > -
        master_service_disable > > - (default: empty)
        > > - > > -

        Selectively disable master(8) listener ports by service type > > - or by service name and type. Specify a list of service types > > - ("inet", "unix", "fifo", or "pass") or "name.type" tuples, where > > - "name" is the first field of a master.cf entry and "type" is a > > - service type. As with other Postfix matchlists, a search stops at > > - the first match. Specify "!pattern" to exclude a service from the > > - list. By default, all master(8) listener ports are enabled.

        > > - > > -

        Note: this feature does not support "/file/name" or "type:table" > > - patterns, nor does it support wildcards such as "*" or "all". This > > - is intentional.

        > > - > > -

        Examples:

        > > - > > -
        > > - # Turn on all master(8) listener ports (the default).
        > > - master_service_disable =
        > > - # Turn off only the main SMTP listener port.
        > > - master_service_disable = smtp.inet
        > > - # Turn off all TCP/IP listener ports.
        > > - master_service_disable = inet
        > > - # Turn off all TCP/IP listener ports except "foo".
        > > - master_service_disable = !foo.inet, inet
        > > - 
        > > - > > -

        This feature is available in Postfix 2.6 and later.

        > > - > > - > > -
        > > - > >
        max_idle > > --- 5269,5270 ---- > > *************** > > *** 5874,5882 **** > > > > -

        Note 1: this feature does not recognize text that requires MIME > > - decoding. It inspects raw message content, just like header_checks > > - and body_checks.

        > > - > > -

        Note 2: this feature is disabled with "receive_override_options > > - = no_header_body_checks".

        > > - > >

        Example:

        > > --- 5347,5348 ---- > > *************** > > *** 5915,5923 **** > > > > -

        Note 1: this feature does not recognize text that requires MIME > > - decoding. It inspects raw message content, just like header_checks > > - and body_checks.

        > > - > > -

        Note 2: this feature is disabled with "receive_override_options > > - = no_header_body_checks".

        > > - > >

        Example:

        > > --- 5381,5382 ---- > > *************** > > *** 5951,5953 **** > >
        milter_connect_macros > > ! (default: see "postconf -d" output)
        > > > > --- 5410,5412 ---- > >
        milter_connect_macros > > ! (default: see postconf -n output)
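Review bot: "(default: see postconf -n output)" on the new side of `*** 5951,5953 ****` points the reader at the wrong command. postconf -n prints only the settings that differ from the built-in defaults, so on an installation that has not set milter_connect_macros it prints nothing about it; postconf -d, the `***` side, prints the default that this sentence refers to. The same -d to -n substitution is made below for milter_data_macros, milter_end_of_data_macros, milter_end_of_header_macros, milter_helo_macros, milter_mail_macros, milter_rcpt_macros and milter_unknown_command_macros; all of them should stay "postconf -d".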
        > > > > *************** > > *** 5997,5999 **** > >
        milter_data_macros > > ! (default: see "postconf -d" output)
        > > > > --- 5456,5458 ---- > >
        milter_data_macros > > ! (default: see postconf -n output)
        > > > > *************** > > *** 6025,6029 **** > > > > -
        quarantine
        Like "accept", but freeze the message in > > - the "hold" queue. Available with Postfix 2.6 and later.
        > > - > >
  • > > --- 5484,5485 ---- > > *************** > > *** 6036,6038 **** > >
    milter_end_of_data_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5492,5494 ---- > >
    milter_end_of_data_macros > > ! (default: see postconf -n output)
    > > > > *************** > > *** 6048,6050 **** > >
    milter_end_of_header_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5504,5506 ---- > >
    milter_end_of_header_macros > > ! (default: see postconf -n output)
    > > > > *************** > > *** 6059,6094 **** > > > > -
    milter_header_checks > > - (default: empty)
    > > - > > -

    Optional lookup tables for content inspection of message headers > > - that are produced by Milter applications. See the header_checks(5) > > - manual page available actions. Currently, PREPEND is not implemented. > > -

    > > - > > -

    The following example sends all mail that is marked as SPAM to > > - a spam handling machine. Note that matches are case-insensitive > > - by default.

    > > - > > -
    > > - /etc/postfix/main.cf:
    > > -     milter_header_checks = pcre:/etc/postfix/milter_header_checks
    > > - 
    > > - > > -
    > > - /etc/postfix/milter_header_checks:
    > > -     /^X-SPAM-FLAG:\s+YES/ FILTER mysmtp:sanitizer.example.com:25
    > > - 
    > > - > > -

    The milter_header_checks mechanism could also be used for > > - whitelisting. For example it could be used to skip heavy content > > - inspection for DKIM-signed mail from known friendly domains.

    > > - > > -

    This feature is available in Postfix 2.7, and as an optional > > - patch for Postfix 2.6.

    > > - > > - > > -
    > > - > >
    milter_helo_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5515,5518 ---- > > > >
    milter_helo_macros > > ! (default: see postconf -n output)
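Review bot: `*** 6059,6094 ****` bundles two unrelated edits: it deletes the whole milter_header_checks section (the pcre example that routes X-SPAM-FLAG: YES mail to a FILTER transport, the note that PREPEND is not implemented, and the suggestion to use it for whitelisting DKIM-signed mail) and it changes the milter_helo_macros default text from postconf -d to postconf -n. The deleted section is the only documented hook for inspecting headers that a Milter adds, and it states that it is "available in Postfix 2.7"; if this page documents 2.7 or later it should stay. If it is kept, also supply the missing word in the `***` text: "See the header_checks(5) manual page for available actions."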
    > > > > *************** > > *** 6129,6131 **** > >
    milter_mail_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5553,5555 ---- > >
    milter_mail_macros > > ! (default: see postconf -n output)
    > > > > *************** > > *** 6141,6147 **** > >
    milter_protocol > > ! (default: 6)
    > > > >

    The mail filter protocol version and optional protocol extensions > > ! for communication with a Milter application; prior to Postfix 2.6 > > ! the default protocol is 2. Postfix > > sends this version number during the initial protocol handshake. > > --- 5565,5570 ---- > >

    milter_protocol > > ! (default: 2)
    > > > >

    The mail filter protocol version and optional protocol extensions > > ! for communication with a Milter (mail filter) application. Postfix > > sends this version number during the initial protocol handshake. > > *************** > > *** 6155,6158 **** > >

    2
    Use Sendmail 8 mail filter protocol version 2 (default > > ! with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 .. > > ! 2.5).
    > > > > --- 5578,5580 ---- > >
    2
    Use Sendmail 8 mail filter protocol version 2 (default > > ! as of Sendmail version 8.11).
    > > > > *************** > > *** 6163,6165 **** > >
    6
    Use Sendmail 8 mail filter protocol version 6 (default > > ! with Sendmail version 8.14 and Postfix version 2.6).
    > > > > --- 5585,5587 ---- > >
    6
    Use Sendmail 8 mail filter protocol version 6 (default > > ! as of Sendmail version 8.14).
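Review bot: the default in `*** 6141,6147 ****` changes from 6 to 2 and drops the sentence "prior to Postfix 2.6 the default protocol is 2", and the two list hunks after it (`*** 6155,6158 ****`, `*** 6163,6165 ****`) delete the Postfix version mapping ("Postfix version 2.3 .. 2.5" for protocol 2, "Postfix version 2.6" for protocol 6), keeping only the Sendmail release numbers. That mapping is what lets an operator work out which default their installation has; with the new text an operator on 2.6 or later reads "(default: 2)", which the `***` side says is wrong for that release. Keep the version mapping and the 6 default unless the page is meant to document a release before 2.6.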
    > > > > *************** > > *** 6182,6184 **** > >
    milter_rcpt_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5604,5606 ---- > >
    milter_rcpt_macros > > ! (default: see postconf -n output)
    > > > > *************** > > *** 6194,6196 **** > >
    milter_unknown_command_macros > > ! (default: see "postconf -d" output)
    > > > > --- 5616,5618 ---- > >
    milter_unknown_command_macros > > ! (default: see postconf -n output)
    > > > > *************** > > *** 6275,6361 **** > > > > -
    multi_instance_directories > > - (default: empty)
    > > - > > -

    An optional list of non-default Postfix configuration directories; > > - these directories belong to additional Postfix instances that share > > - the Postfix executable files and documentation with the default > > - Postfix instance, and that are started, stopped, etc., together > > - with the default Postfix instance. Specify a list of pathnames > > - separated by comma or whitespace.

    > > - > > -

    When $multi_instance_directories is empty, the postfix(1) command > > - runs in single-instance mode and operates on a single Postfix > > - instance only. Otherwise, the postfix(1) command runs in multi-instance > > - mode and invokes the multi-instance manager specified with the > > - multi_instance_wrapper parameter. The multi-instance manager in > > - turn executes postfix(1) commands for the default instance and for > > - all Postfix instances in $multi_instance_directories.

    > > - > > -

    Currently, this parameter setting is ignored except for the > > - default main.cf file.

    > > - > > -

    This feature is available in Postfix 2.6 and later.

    > > - > > - > > -
    > > - > > -
    multi_instance_enable > > - (default: no)
    > > - > > -

    Allow this Postfix instance to be started, stopped, etc., by a > > - multi-instance manager. By default, new instances are created in > > - a safe state that prevents them from being started inadvertently. > > - This parameter is reserved for the multi-instance manager.

    > > - > > -

    This feature is available in Postfix 2.6 and later.

    > > - > > - > > -
    > > - > > -
    multi_instance_group > > - (default: empty)
    > > - > > -

    The optional instance group name of this Postfix instance. A > > - group identifies closely-related Postfix instances that the > > - multi-instance manager can start, stop, etc., as a unit. This > > - parameter is reserved for the multi-instance manager.

    > > - > > -

    This feature is available in Postfix 2.6 and later.

    > > - > > - > > -
    > > - > > -
    multi_instance_name > > - (default: empty)
    > > - > > -

    The optional instance name of this Postfix instance. This name > > - becomes also the default value for the syslog_name parameter.

    > > - > > -

    This feature is available in Postfix 2.6 and later.

    > > - > > - > > -
    > > - > > -
    multi_instance_wrapper > > - (default: empty)
    > > - > > -

    The pathname of a multi-instance manager command that the > > - postfix(1) command invokes when the multi_instance_directories > > - parameter value is non-empty. The pathname may be followed by > > - initial command arguments separated by whitespace; shell > > - metacharacters such as quotes are not supported in this context. > > -

    > > - > > -

    The postfix(1) command invokes the manager command with the > > - postfix(1) non-option command arguments on the manager command line, > > - and with all installation configuration parameters exported into > > - the manager command process environment. The manager command in > > - turn invokes the postfix(1) command for individual Postfix instances > > - as "postfix -c config_directory command".

    > > - > > -

    This feature is available in Postfix 2.6 and later.

    > > - > > - > > -
    > > - > >
    multi_recipient_bounce_reject_code > > --- 5697,5698 ---- > > *************** > > *** 6449,6452 **** > > The internet domain name of this mail system. The default is to > > ! use $myhostname minus the first component, or "localdomain" (Postfix > > ! 2.3 and later). $mydomain is used as > > a default value for many other configuration parameters. > > --- 5786,5788 ---- > > The internet domain name of this mail system. The default is to > > ! use $myhostname minus the first component. $mydomain is used as > > a default value for many other configuration parameters. > > *************** > > *** 6470,6475 **** > > The internet hostname of this mail system. The default is to use > > ! the fully-qualified domain name (FQDN) from gethostname(), or to > > ! use the non-FQDN result from gethostname() and append ".$mydomain". > > ! $myhostname is used as a default value for many other configuration > > ! parameters.

    > > > > --- 5806,5810 ---- > > The internet hostname of this mail system. The default is to use > > ! the fully-qualified domain name from gethostname(). $myhostname is > > ! used as a default value for many other configuration parameters. > > !
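Review bot: `*** 6449,6452 ****` drops the "localdomain" fallback for $mydomain ("Postfix 2.3 and later") and `*** 6470,6475 ****` drops the rule that a non-FQDN result from gethostname() gets ".$mydomain" appended. Both sentences describe what happens when the host name is not fully qualified, which is exactly the case where the derived values surprise operators, and both sides agree that $myhostname and $mydomain seed the defaults of many other parameters. Unless the target release really lacks this behaviour, keep both sentences.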

    > > > > *************** > > *** 6480,6482 **** > >
    > > ! myhostname = host.example.com
    > >   
    > > --- 5815,5817 ---- > >
    > > ! myhostname = host.domain.tld
    > >   
    > > *************** > > *** 6490,6492 **** > >

    > > ! The list of "trusted" remote SMTP clients that have more privileges than > > "strangers". > > --- 5825,5827 ---- > >

    > > ! The list of "trusted" SMTP clients that have more privileges than > > "strangers". > > *************** > > *** 6559,6561 **** > >

  • Specify "mynetworks_style = subnet" when Postfix > > ! should "trust" remote SMTP clients in the same IP subnetworks as the local > > machine. On Linux, this works correctly only with interfaces > > --- 5894,5896 ---- > >

  • Specify "mynetworks_style = subnet" when Postfix > > ! should "trust" SMTP clients in the same IP subnetworks as the local > > machine. On Linux, this works correctly only with interfaces > > *************** > > *** 6564,6566 **** > >

  • Specify "mynetworks_style = class" when Postfix should > > ! "trust" remote SMTP clients in the same IP class A/B/C networks as the > > local machine. Don't do this with a dialup site - it would cause > > --- 5899,5901 ---- > >

  • Specify "mynetworks_style = class" when Postfix should > > ! "trust" SMTP clients in the same IP class A/B/C networks as the > > local machine. Don't do this with a dialup site - it would cause > > *************** > > *** 6645,6648 **** > > via the Postfix qmqpd(8) server, and old mail that is re-injected > > ! into the queue with "postsuper -r". Specify space or comma as > > ! separator. See the MILTER_README document for details.

    > > > > --- 5980,5983 ---- > > via the Postfix qmqpd(8) server, and old mail that is re-injected > > ! into the queue with "postsuper -r". See the MILTER_README document > > ! for details.

    > > > > *************** > > *** 6688,6697 **** > > > > -
    data
    > > - > > -
    Send the postmaster a transcript of the SMTP session with an > > - error because a critical data file was unavailable. The notification > > - is sent to the address specified with the error_notice_recipient > > - configuration parameter (default: postmaster).
    This feature > > - is available in Postfix 2.9 and later.
    > > - > >
    delay
    > > --- 6023,6024 ---- > > *************** > > *** 6778,6781 **** > > only domains whose primary MX hosts match the listed networks. > > ! The parameter value syntax is the same as with the mynetworks > > ! parameter; note, however, that the default value is empty.

    > > > > --- 6105,6107 ---- > > only domains whose primary MX hosts match the listed networks. > > !
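Review bot: `*** 6778,6781 ****` removes the only statement of this parameter's value syntax ("the same as with the mynetworks parameter") and of its default ("empty"), leaving a paragraph that says which domains are matched (those whose primary MX hosts are in the listed networks) but not how to write the network list or what happens when it is left unset. For a setting that decides which domains this server will accept backup-MX mail for, the reader needs both facts; keep the sentence.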

    > > > > *************** > > *** 6812,6834 **** > > > > !
    postmulti_control_commands > > ! (default: reload flush)
    > > ! > > !

    The postfix(1) commands that the postmulti(1) instance manager > > ! treats as "control" commands, that operate on running instances. For > > ! these commands, disabled instances are skipped.

    > > ! > > !

    This feature is available in Postfix 2.6 and later.

    > > > > > > !
    > > > > !
    postmulti_start_commands > > ! (default: start)
    > > > > !

    The postfix(1) commands that the postmulti(1) instance manager treats > > ! as "start" commands. For these commands, disabled instances are "checked" > > ! rather than "started", and failure to "start" a member instance of an > > ! instance group will abort the start-up of later instances.

    > > > > !

    This feature is available in Postfix 2.6 and later.

    > > > > --- 6138,6165 ---- > > > > !
    prepend_delivered_header > > ! (default: command, file, forward)
    > > > > +

    The message delivery contexts where the Postfix local(8) delivery > > + agent prepends a Delivered-To: message header with the address > > + that the mail was delivered to. This information is used for mail > > + delivery loop detection.

    > > > > !

    > > ! By default, the Postfix local delivery agent prepends a Delivered-To: > > ! header when forwarding mail and when delivering to file (mailbox) > > ! and command. Turning off the Delivered-To: header when forwarding > > ! mail is not recommended. > > !

    > > > > !

    > > ! Specify zero or more of forward, file, or command. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! prepend_delivered_header = forward
    > > ! 
    > > > > *************** > > *** 6837,6846 **** > > > > !
    postmulti_stop_commands > > ! (default: see "postconf -d" output)
    > > ! > > !

    The postfix(1) commands that the postmulti(1) instance manager treats > > ! as "stop" commands. For these commands, disabled instances are skipped, > > ! and enabled instances are processed in reverse order.

    > > > > !

    This feature is available in Postfix 2.6 and later.

    > > > > --- 6168,6175 ---- > > > > !
    process_id > > ! (read-only)
    > > > > !

    > > ! The process ID of a Postfix command or daemon process. > > !

    > > > > *************** > > *** 6849,6945 **** > > > > !
    postscreen_access_list > > ! (default: permit_mynetworks)
    > > > > !

    Permanent white/blacklist for remote SMTP client IP addresses. > > ! postscreen(8) searches this list immediately after a remote SMTP > > ! client connects. Specify a comma- or whitespace-separated list of > > ! commands (in upper or lower case) or lookup tables. The search stops > > ! upon the first command that fires for the client IP address.

    > > > > -
    > > > > !
    permit_mynetworks
    Whitelist the client and > > ! terminate the search if the client IP address matches $mynetworks. > > ! Do not subject the client to any before/after 220 greeting tests. > > ! Pass the connection immediately to a Postfix SMTP server process. > > !
    > > > > !
    type:table
    Query the specified lookup > > ! table. Each table lookup result is an access list, except that > > ! access lists inside a table cannot specify type:table entries.
    > > ! To discourage the use of hash, btree, etc. tables, there is no > > ! support for substring matching like smtpd(8). Use CIDR tables > > ! instead.
    > > ! > > !
    permit
    Whitelist the client and terminate > > ! the search. Do not subject the client to any before/after 220 > > ! greeting tests. Pass the connection immediately to a Postfix SMTP > > ! server process.
    > > ! > > !
    reject
    Blacklist the client and terminate > > ! the search. Subject the client to the action configured with the > > ! postscreen_blacklist_action configuration parameter.
    > > ! > > !
    dunno
    All postscreen(8) access lists > > ! implicitly have this command at the end.
    When dunno > > ! is executed inside a lookup table, return from the lookup table and > > ! evaluate the next command.
    When dunno is executed > > ! outside a lookup table, terminate the search, and subject the client > > ! to the configured before/after 220 greeting tests.
    > > > > !
    > > > > -

    Example:

    > > > > !
    > > ! /etc/postfix/main.cf:
    > > !     postscreen_access_list = permit_mynetworks,
    > > ! 		cidr:/etc/postfix/postscreen_access.cidr
    > > !     postscreen_blacklist_action = enforce
    > > ! 
    > > > > !
    > > ! /etc/postfix/postscreen_access.cidr:
    > > !     # Rules are evaluated in the order as specified.
    > > !     # Blacklist 192.168.* except 192.168.0.1.
    > > !     192.168.0.1         dunno
    > > !     192.168.0.0/16      reject
    > > ! 
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_bare_newline_action > > ! (default: ignore)
    > > > > !

    The action that postscreen(8) takes when a remote SMTP client sends > > ! a bare newline character, that is, a newline not preceded by carriage > > ! return. Specify one of the following:

    > > > > !
    > > > > -
    ignore
    > > > > !
    Ignore the failure of this test. Allow other tests to complete. > > ! Do not repeat this test before some the result from some > > ! other test expires. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail permanently.
    > > > > !
    enforce
    > > > > !
    Allow other tests to complete. Reject attempts to deliver mail > > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > > ! Repeat this test the next time the client connects.
    > > > > !
    drop
    > > > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6178,6265 ---- > > > > !
    process_id_directory > > ! (default: pid)
    > > > > !

    > > ! The location of Postfix PID files relative to $queue_directory. > > ! This is a read-only parameter. > > !

    > > > > > > !
    > > > > !
    process_name > > ! (read-only)
    > > > > !

    > > ! The process name of a Postfix command or daemon process. > > !

    > > > > > > !
    > > > > !
    propagate_unmatched_extensions > > ! (default: canonical, virtual)
    > > > > !

    > > ! What address lookup tables copy an address extension from the lookup > > ! key to the lookup result. > > !

    > > > > +

    > > + For example, with a virtual(5) mapping of "joe at example.com => > > + joe.user at example.net", the address "joe+foo at example.com" > > + would rewrite to "joe.user+foo at example.net". > > +

    > > > > !

    > > ! Specify zero or more of canonical, virtual, alias, > > ! forward, include or generic. These cause > > ! address extension > > ! propagation with canonical(5), virtual(5), and aliases(5) maps, > > ! with local(8) .forward and :include: file lookups, and with smtp(8) > > ! generic maps, respectively.

    > > > > !

    > > ! Note: enabling this feature for types other than canonical > > ! and virtual is likely to cause problems when mail is forwarded > > ! to other sites, especially with mail that is sent to a mailing list > > ! exploder address. > > !

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! propagate_unmatched_extensions = canonical, virtual, alias,
    > > !         forward, include
    > > ! propagate_unmatched_extensions = canonical, virtual
    > > ! 
    > > > > > > !
    > > > > !
    proxy_interfaces > > ! (default: empty)
    > > > > !

    > > ! The network interface addresses that this mail system receives mail > > ! on by way of a proxy or network address translation unit. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > !

    You must specify your "outside" proxy/NAT addresses when your > > ! system is a backup MX host for other domains, otherwise mail delivery > > ! loops will happen when the primary MX host is down.

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! proxy_interfaces = 1.2.3.4
    > > ! 
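Review bot: `*** 6849,6945 ****` deletes the postscreen_access_list and postscreen_bare_newline_action sections (the permit_mynetworks / type:table / permit / reject / dunno command list, the CIDR example and the ignore / enforce / drop actions) and replaces them with process_id_directory through proxy_interfaces; both removed sections end with "This feature is available in Postfix 2.8." Three things to carry over if the removal is reverted: the `***` 'ignore' text has a duplicated word ("Do not repeat this test before some the result from some other test expires"); the CIDR example's "Blacklist 192.168.* except 192.168.0.1" depends on the "Rules are evaluated in the order as specified" comment, so the 192.168.0.1 dunno entry must stay above the 192.168.0.0/16 reject entry; and on the new side "joe at example.com" and "joe.user at example.net" in propagate_unmatched_extensions are this list archive's rewriting of "@", not the page's text, so the installed HTML should still read joe@example.com.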
    > > > > *************** > > *** 6948,6959 **** > > > > !
    postscreen_bare_newline_enable > > ! (default: no)
    > > > > !

    Enable "bare newline" SMTP protocol tests in the postscreen(8) > > ! server. These tests are expensive: a remote SMTP client must > > ! disconnect after > > ! it passes the test, before it can talk to a real Postfix SMTP server. > >

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6268,6281 ---- > > > > !
    proxy_read_maps > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The lookup tables that the proxymap(8) server is allowed to > > ! access for the read-only service. > > ! Table references that don't begin with proxy: are ignored. > >

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > *************** > > *** 6962,6978 **** > > > > !
    postscreen_bare_newline_ttl > > ! (default: 30d)
    > > ! > > !

    The amount of time that postscreen(8) will use the result from > > ! a successful "bare newline" SMTP protocol test. During this > > ! time, the client IP address is excluded from this test. The default > > ! is long because a remote SMTP client must disconnect after it passes > > ! the test, > > ! before it can talk to a real Postfix SMTP server.

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6284,6296 ---- > > > > !
    proxy_write_maps > > ! (default: see "postconf -d" output)
    > > > > !

    The lookup tables that the proxymap(8) server is allowed to > > ! access for the read-write service. Postfix-owned local database > > ! files should be stored under the Postfix-owned data_directory. > > ! Table references that don't begin with proxy: are ignored.

    > > > > !

    > > ! This feature is available in Postfix 2.5 and later. > > !

    > > > > *************** > > *** 6981,7012 **** > > > > !
    postscreen_blacklist_action > > ! (default: ignore)
    > > > > !

    The action that postscreen(8) takes when a remote SMTP client is > > ! permanently blacklisted with the postscreen_access_list parameter. > > ! Specify one of the following:

    > > > > !
    > > ! > > !
    ignore (default)
    > > ! > > !
    Ignore this result. Allow other tests to complete. Repeat > > ! this test the next time the client connects. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail.
    > > > > !
    enforce
    > > > > -
    Allow other tests to complete. Reject attempts to deliver mail > > - with a 550 SMTP reply, and log the helo/sender/recipient information. > > - Repeat this test the next time the client connects.
    > > > > !
    drop
    > > > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6299,6332 ---- > > > > !
    qmgr_clog_warn_time > > ! (default: 300s)
    > > > > !

    > > ! The minimal delay between warnings that a specific destination is > > ! clogging up the Postfix active queue. Specify 0 to disable. > > !

    > > > > !

    > > ! This feature is enabled with the helpful_warnings parameter. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > !
    qmgr_fudge_factor > > ! (default: 100)
    > > > > !

    > > ! Obsolete feature: the percentage of delivery resources that a busy > > ! mail system will use up for delivery of a large mailing list > > ! message. > > !

    > > > > !

    > > ! This feature exists only in the oqmgr(8) old queue manager. The > > ! current queue manager solves the problem in a better way. > > !

    > > > > *************** > > *** 7015,7035 **** > > > > !
    postscreen_cache_cleanup_interval > > ! (default: 12h)
    > > ! > > !

    The amount of time between postscreen(8) cache cleanup runs. > > ! Cache cleanup increases the load on the cache database and should > > ! therefore not be run frequently. This feature requires that the > > ! cache database supports the "delete" and "sequence" operators. > > ! Specify a zero interval to disable cache cleanup.

    > > ! > > !

    After each cache cleanup run, the postscreen(8) daemon logs the > > ! number of entries that were retained and dropped. A cleanup run is > > ! logged as "partial" when the daemon terminates early after "postfix > > ! reload", "postfix stop", or no requests for $max_idle > > ! seconds.

    > > ! > > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > > ! (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6335,6342 ---- > > > > !
    qmgr_message_active_limit > > ! (default: 20000)
    > > > > !

    > > ! The maximal number of messages in the active queue. > > !

    > > > > *************** > > *** 7038,7084 **** > > > > !
    postscreen_cache_map > > ! (default: btree:$data_directory/postscreen_cache)
    > > > > !

    Persistent storage for the postscreen(8) server decisions.

    > > > > -

    To share a postscreen(8) cache between multiple postscreen(8) > > - instances, use "postscreen_cache_map = proxy:btree:/path/to/file". > > - This requires Postfix version 2.9 or later; earlier proxymap(8) > > - implementations don't support cache cleanup. For an alternative > > - approach see the memcache_table(5) manpage.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > -
    postscreen_cache_retention_time > > - (default: 7d)
    > > > > !

    The amount of time that postscreen(8) will cache an expired > > ! temporary whitelist entry before it is removed. This prevents clients > > ! from being logged as "NEW" just because their cache entry expired > > ! an hour ago. It also prevents the cache from filling up with clients > > ! that passed some deep protocol test once and never came back.

    > > > > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > > ! (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_client_connection_count_limit > > ! (default: $smtpd_client_connection_count_limit)
    > > > > !

    How many simultaneous connections any remote SMTP client is > > ! allowed to have > > ! with the postscreen(8) daemon. By default, this limit is the same > > ! as with the Postfix SMTP server. Note that the triage process can > > ! take several seconds, with the time spent in postscreen_greet_wait > > ! delay, and with the time spent talking to the postscreen(8) built-in > > ! dummy SMTP protocol engine.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6345,6404 ---- > > > > !
    qmgr_message_recipient_limit > > ! (default: 20000)
    > > > > !

    The maximal number of recipients held in memory by the Postfix > > ! queue manager, and the maximal size of the size of the short-term, > > ! in-memory "dead" destination status cache.

    > > > > > > !
    > > > > +
    qmgr_message_recipient_minimum > > + (default: 10)
    > > > > !

    > > ! The minimal number of in-memory recipients for any message. This > > ! takes priority over any other in-memory recipient limits (i.e., > > ! the global qmgr_message_recipient_limit and the per transport > > ! _recipient_limit) if necessary. The minimum value allowed for this > > ! parameter is 1. > > !

    > > > > > > !
    > > > > !
    qmqpd_authorized_clients > > ! (default: empty)
    > > > > !

    > > ! What clients are allowed to connect to the QMQP server port. > > !

    > > > > +

    > > + By default, no client is allowed to use the service. This is > > + because the QMQP server will relay mail to any destination. > > +

    > > > > !

    > > ! Specify a list of client patterns. A list pattern specifies a host > > ! name, a domain name, an internet address, or a network/mask pattern, > > ! where the mask specifies the number of bits in the network part. > > ! When a pattern specifies a file name, its contents are substituted > > ! for the file name; when a pattern is a "type:table" table specification, > > ! table lookup is used instead.

    > > > > !

    > > ! Patterns are separated by whitespace and/or commas. In order to > > ! reverse the result, precede a pattern with an > > ! exclamation point (!). The form "!/file/name" is supported only > > ! in Postfix version 2.4 and later. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
    > > ! 
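Review bot: typo on the new side, in qmgr_message_recipient_limit: "the maximal size of the size of the short-term, in-memory "dead" destination status cache" repeats "of the size"; drop one. In the qmqpd_authorized_clients example "qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24" the exclusion only works because it is listed before the network: Postfix client lists stop at the first pattern that matches, so the text should say that patterns are tried in the order given and the first match decides, otherwise a reader who writes the network first gets no exclusion at all.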
    > > > > *************** > > *** 7087,7098 **** > > > > !
    postscreen_command_count_limit > > ! (default: 20)
    > > > > !

    The limit on the total number of commands per SMTP session for > > ! postscreen(8)'s built-in SMTP protocol engine. This SMTP engine > > ! defers or rejects all attempts to deliver mail, therefore there is > > ! no need to enforce separate limits on the number of junk commands > > ! and error commands.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6407,6416 ---- > > > > !
    qmqpd_client_port_logging > > ! (default: no)
    > > > > !

    Enable logging of the remote QMQP client port in addition to > > ! the hostname and IP address. The logging format is "host[address]:port". > > !

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 7101,7109 **** > > > > !
    postscreen_command_filter > > ! (default: $smtpd_command_filter)
    > > > > !

    A mechanism to transform commands from remote SMTP clients. > > ! See smtpd_command_filter for further details.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 6419,6433 ---- > > > > !
    qmqpd_error_delay > > ! (default: 1s)
    > > > > !

    > > ! How long the QMQP server will pause before sending a negative reply > > ! to the client. The purpose is to slow down confused or malicious > > ! clients. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > *************** > > *** 7112,7120 **** > > > > !
    postscreen_command_time_limit > > ! (default: ${stress?10}${stress:300}s)
    > > > > !

    The time limit to read an entire command line with postscreen(8)'s > > ! built-in SMTP protocol engine.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6436,6450 ---- > > > > !
    qmqpd_timeout > > ! (default: 300s)
    > > > > !

    > > ! The time limit for sending or receiving information over the network. > > ! If a read or write operation blocks for more than $qmqpd_timeout > > ! seconds the QMQP server gives up and disconnects. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > *************** > > *** 7123,7131 **** > > > > !
    postscreen_disable_vrfy_command > > ! (default: $disable_vrfy_command)
    > > ! > > !

    Disable the SMTP VRFY command in the postscreen(8) daemon. See > > ! disable_vrfy_command for details.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6453,6461 ---- > > > > !
    queue_directory > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The location of the Postfix top-level queue directory. This is the > > ! root directory of Postfix daemon processes that run chrooted. > > !

    > > > > *************** > > *** 7134,7145 **** > > > > !
    postscreen_discard_ehlo_keyword_address_maps > > ! (default: $smtpd_discard_ehlo_keyword_address_maps)
    > > > > !

    Lookup tables, indexed by the remote SMTP client address, with > > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > > ! etc.) that the postscreen(8) server will not send in the EHLO response > > ! to a remote SMTP client. See smtpd_discard_ehlo_keywords for details. > > ! The table is not searched by hostname for robustness reasons.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 6464,6477 ---- > > > > !
    queue_file_attribute_count_limit > > ! (default: 100)
    > > > > !

    > > ! The maximal number of (name=value) attributes that may be stored > > ! in a Postfix queue file. The limit is enforced by the cleanup(8) > > ! server. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > *************** > > *** 7148,7193 **** > > > > !
    postscreen_discard_ehlo_keywords > > ! (default: $smtpd_discard_ehlo_keywords)
    > > ! > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > > ! auth, etc.) that the postscreen(8) server will not send in the EHLO > > ! response to a remote SMTP client. See smtpd_discard_ehlo_keywords > > ! for details.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > > > !
    > > > > -
    postscreen_dnsbl_action > > - (default: ignore)
    > > > > !

    The action that postscreen(8) takes when a remote SMTP client's combined > > ! DNSBL score is equal to or greater than a threshold (as defined > > ! with the postscreen_dnsbl_sites and postscreen_dnsbl_threshold > > ! parameters). Specify one of the following:

    > > > > !
    > > > > !
    ignore (default)
    > > > > !
    Ignore the failure of this test. Allow other tests to complete. > > ! Repeat this test the next time the client connects. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail.
    > > > > !
    enforce
    > > > > -
    Allow other tests to complete. Reject attempts to deliver mail > > - with a 550 SMTP reply, and log the helo/sender/recipient information. > > - Repeat this test the next time the client connects.
    > > > > !
    drop
    > > > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6480,6535 ---- > > > > !
    queue_minfree > > ! (default: 0)
    > > > > !

    > > ! The minimal amount of free space in bytes in the queue file system > > ! that is needed to receive mail. This is currently used by the SMTP > > ! server to decide if it will accept any mail at all. > > !

    > > > > +

    > > + By default, the Postfix version 2.1 SMTP server rejects MAIL FROM commands > > + when the amount of free space is less than 1.5*$message_size_limit. > > + To specify a higher minimum free space limit, specify a queue_minfree > > + value that is at least 1.5*$message_size_limit. > > +

    > > > > !

    > > ! With Postfix versions 2.0 and earlier, a queue_minfree value of > > ! zero means there is no minimum required amount of free space. > > !

    > > > > > > !
    > > > > !
    queue_run_delay > > ! (default: 300s)
    > > > > !

    > > ! The time between deferred queue scans by the queue manager; > > ! prior to Postfix 2.4 the default value was 1000s. > > !

    > > > > !

    This parameter should be set less than or equal to > > ! $minimal_backoff_time. See also $maximal_backoff_time.

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > > > !
    > > > > !
    queue_service_name > > ! (default: qmgr)
    > > > > !

    > > ! The name of the qmgr(8) service. This service manages the Postfix > > ! queue and schedules delivery requests. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !
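Review bot: the queue_minfree text leaves a gap: it says the default check rejects MAIL FROM below 1.5*$message_size_limit and that a higher minimum needs a value "at least 1.5*$message_size_limit", but never says what a non-zero value below that does. Read together with the default check, such a value changes nothing, and the paragraph should say so, ideally as a note that for Postfix 2.1 and later the effective minimum is the larger of queue_minfree and 1.5*$message_size_limit (the following paragraph already covers 2.0 and earlier).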

    > > > > *************** > > *** 7196,7224 **** > > > > !
    postscreen_dnsbl_reply_map > > (default: empty)
    > > > > !

    A mapping from actual DNSBL domain name which includes a secret > > ! password, to the DNSBL domain name that postscreen will reply with > > ! when it rejects mail. When no mapping is found, the actual DNSBL > > ! domain will be used.

    > > > > !

    For maximal stability it is best to use a file that is read > > ! into memory such as pcre:, regexp: or texthash: (texthash: is similar > > ! to hash:, except a) there is no need to run postmap(1) before the > > ! file can be used, and b) texthash: does not detect changes after > > ! the file is read).

    > > > > -

    Example:

    > > > > !
    > > ! /etc/postfix/main.cf:
    > > !     postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
    > > ! 
    > > > > !
    > > ! /etc/postfix/dnsbl_reply:
    > > !    secret.zen.spamhaus.org	zen.spamhaus.org
    > > ! 
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6538,6564 ---- > > > > !
    rbl_reply_maps > > (default: empty)
    > > > > !

    > > ! Optional lookup tables with RBL response templates. The tables are > > ! indexed by the RBL domain name. By default, Postfix uses the default > > ! template as specified with the default_rbl_reply configuration > > ! parameter. See there for a discussion of the syntax of RBL reply > > ! templates. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > !
    readme_directory > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The location of Postfix README files that describe how to build, > > ! configure or operate a specific Postfix subsystem or feature. > > !
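Review bot: the postscreen_dnsbl_reply_map paragraph recommends texthash: and states that "texthash: does not detect changes after the file is read", but does not draw the operational consequence for the example that maps secret.zen.spamhaus.org to zen.spamhaus.org: an edit to /etc/postfix/dnsbl_reply (a rotated secret, a newly added DNSBL) is not seen by a running postscreen(8) until it is restarted, e.g. by "postfix reload", and because "When no mapping is found, the actual DNSBL domain will be used", a mapping that is missing at reject time sends the secret domain to the client in the SMTP reply. One sentence telling the reader to reload after editing the file would close that hole.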

    > > > > *************** > > *** 7227,7286 **** > > > > !
    postscreen_dnsbl_sites > > (default: empty)
    > > > > !

    Optional list of DNS white/blacklist domains, filters and weight > > ! factors. When the list is non-empty, the dnsblog(8) daemon will > > ! query these domains with the IP addresses of remote SMTP clients, > > ! and postscreen(8) will update an SMTP client's DNSBL score with > > ! each non-error reply.

    > > > > !

    Caution: when postscreen rejects mail, it replies with the DNSBL > > ! domain name. Use the postscreen_dnsbl_reply_map feature to hide > > ! "password" information in DNSBL domain names.

    > > > > !

    When a client's score is equal to or greater than the threshold > > ! specified with postscreen_dnsbl_threshold, postscreen(8) can drop > > ! the connection with the remote SMTP client.

    > > > > !

    Specify a list of domain=filter*weight entries, separated by > > ! comma or whitespace.

    > > > > !
      > > > > !
    • When no "=filter" is specified, postscreen(8) will use any > > ! non-error DNSBL reply. Otherwise, postscreen(8) uses only DNSBL > > ! replies that match the filter. The filter has the form d.d.d.d, > > ! where each d is a number, or a pattern inside [] that contains one > > ! or more ";"-separated numbers or number..number ranges.

      > > ! > > !
    • When no "*weight" is specified, postscreen(8) increments > > ! the remote SMTP client's DNSBL score by 1. Otherwise, the weight must be > > ! an integral number, and postscreen(8) adds the specified weight to > > ! the remote SMTP client's DNSBL score. Specify a negative number for > > ! whitelisting.

      > > > > !
    • When one postscreen_dnsbl_sites entry produces multiple > > ! DNSBL responses, postscreen(8) applies the weight at most once. > > !

      > > > > !
    > > > > !

    Examples:

    > > > > !

    To use example.com as a high-confidence blocklist, and to > > ! block mail with example.net and example.org only when both agree: > > !

    > > > > !
    > > ! postscreen_dnsbl_threshold = 2
    > > ! postscreen_dnsbl_sites = example.com*2, example.net, example.org
    > > ! 
    > > > > !

    To filter only DNSBL replies containing 127.0.0.4:

    > > > >
    > > ! postscreen_dnsbl_sites = example.com=127.0.0.4
    > >   
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6567,6628 ---- > > > > !
    receive_override_options > > (default: empty)
    > > > > !

    Enable or disable recipient validation, built-in content > > ! filtering, or address mapping. Typically, these are specified in > > ! master.cf as command-line arguments for the smtpd(8), qmqpd(8) or > > ! pickup(8) daemons.

    > > ! > > !

    Specify zero or more of the following options. The options > > ! override main.cf settings and are either implemented by smtpd(8), > > ! qmqpd(8), or pickup(8) themselves, or they are forwarded to the > > ! cleanup server.

    > > ! > > !
    > > > > !
    no_unknown_recipient_checks
    > > > > !
    Do not try to reject unknown recipients (SMTP server only). > > ! This is typically specified AFTER an external content filter. > > !
    > > > > !
    no_address_mappings
    > > > > !
    Disable canonical address mapping, virtual alias map expansion, > > ! address masquerading, and automatic BCC (blind carbon-copy) > > ! recipients. This is typically specified BEFORE an external content > > ! filter.
    > > > > !
    no_header_body_checks
    > > > > !
    Disable header/body_checks. This is typically specified AFTER > > ! an external content filter.
    > > > > !
    no_milters
    > > > > !
    Disable Milter (mail filter) applications. This is typically > > ! specified AFTER an external content filter.
    > > > > !
    > > > > !

    > > ! Note: when the "BEFORE content filter" receive_override_options > > ! setting is specified in the main.cf file, specify the "AFTER content > > ! filter" receive_override_options setting in master.cf (and vice > > ! versa). > > !

    > > > > !

    > > ! Examples: > > !

    > > > >
    > > ! receive_override_options =
    > > !     no_unknown_recipient_checks, no_header_body_checks
    > > ! receive_override_options = no_address_mappings
    > >   
    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !
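Review bot: the receive_override_options examples "receive_override_options = no_unknown_recipient_checks, no_header_body_checks" and "receive_override_options = no_address_mappings" are shown as two bare main.cf-style lines with no indication of which is the AFTER-filter and which the BEFORE-filter setting, although the preceding note makes that split the whole point (one in main.cf, the other in master.cf); label each line with its placement, and since the first paragraph says these are typically given as command-line arguments to smtpd(8) in master.cf, show one of them in that form. In the postscreen_dnsbl_sites part, the filter grammar describes a "[]" form with ";"-separated numbers and number..number ranges, but the only filter example is "example.com=127.0.0.4"; one example of the bracket form would save readers guessing the syntax.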

    > > > > *************** > > *** 7289,7341 **** > > > > !
    postscreen_dnsbl_threshold > > ! (default: 1)
    > > ! > > !

    The inclusive lower bound for blocking a remote SMTP client, based on > > ! its combined DNSBL score as defined with the postscreen_dnsbl_sites > > ! parameter.

    > > ! > > !

    This feature is available in Postfix 2.8.

    > > ! > > > > !
    > > > > !
    postscreen_dnsbl_ttl > > ! (default: 1h)
    > > > > !

    The amount of time that postscreen(8) will use the result from > > ! a successful DNS blocklist test. During this time, the client IP address > > ! is excluded from this test. The default is relatively short, because a > > ! good client can immediately talk to a real Postfix SMTP server. > >

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_enforce_tls > > ! (default: $smtpd_enforce_tls)
    > > > > !

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, and > > ! require that clients use TLS encryption. See smtpd_postscreen_enforce_tls > > ! for details.

    > > > > !

    This feature is available in Postfix 2.8 and later. > > ! Preferably, use postscreen_tls_security_level instead.

    > > > > > > !
    > > > > !
    postscreen_expansion_filter > > ! (default: see "postconf -d" output)
    > > > > !

    List of characters that are permitted in postscreen_reject_footer > > ! attribute expansions. See smtpd_expansion_filter for further > > ! details.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 6631,6690 ---- > > > > !
    recipient_bcc_maps > > ! (default: empty)
    > > > > !

    > > ! Optional BCC (blind carbon-copy) address lookup tables, indexed by > > ! recipient address. The BCC address (multiple results are not > > ! supported) is added when mail enters from outside of Postfix. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > !

    > > ! The table search order is as follows: > >

    > > > > !
      > > > > !
    • Look up the "user+extension at domain.tld" address including the > > ! optional address extension. > > > > +
    • Look up the "user at domain.tld" address without the optional > > + address extension. > > > > !
    • Look up the "user+extension" address local part when the > > ! recipient domain equals $myorigin, $mydestination, $inet_interfaces > > ! or $proxy_interfaces. > > > > !
    • Look up the "user" address local part when the recipient domain > > ! equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > > > !
    • Look up the "@domain.tld" part. > > > > !
    > > > > +

    > > + Specify the types and names of databases to use. After change, > > + run "postmap /etc/postfix/recipient_bcc". > > +

    > > > > !

    > > ! Note: if mail to the BCC address bounces it will be returned to > > ! the sender. > > !

    > > > > !

    Note: automatic BCC recipients are produced only for new mail. > > ! To avoid mailer loops, automatic BCC recipients are not generated > > ! for mail that Postfix forwards internally, nor for mail that Postfix > > ! generates itself.

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
    > > ! 
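Review bot: broken cross-reference on the old side: postscreen_enforce_tls says "See smtpd_postscreen_enforce_tls for details", but no parameter of that name appears anywhere in this patch; the parameter's default is $smtpd_enforce_tls, so the reference should read smtpd_enforce_tls. On the new side, the recipient_bcc_maps search order reads "user+extension at domain.tld" and "user at domain.tld", which is the list archive's rewriting of "@" as " at "; the last bullet still shows "@domain.tld" intact, so the source evidently has user+extension@domain.tld, and the " at " form must not be copied from the archive.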
    > > > > *************** > > *** 7344,7354 **** > > > > !
    postscreen_forbidden_commands > > ! (default: $smtpd_forbidden_commands)
    > > > > !

    List of commands that the postscreen(8) server considers in > > ! violation of the SMTP protocol. See smtpd_forbidden_commands for > > ! syntax, and postscreen_non_smtp_command_action for possible actions. > >

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6693,6706 ---- > > > > !
    recipient_canonical_classes > > ! (default: envelope_recipient, header_recipient)
    > > ! > > !

    What addresses are subject to recipient_canonical_maps address > > ! mapping. By default, recipient_canonical_maps address mapping is > > ! applied to envelope recipient addresses, and to header recipient > > ! addresses.

    > > > > !

    Specify one or more of: envelope_recipient, header_recipient > >

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 7357,7391 **** > > > > !
    postscreen_greet_action > > ! (default: ignore)
    > > ! > > !

    The action that postscreen(8) takes when a remote SMTP client speaks > > ! before its turn within the time specified with the postscreen_greet_wait > > ! parameter. Specify one of the following:

    > > > > !
    > > > > !
    ignore (default)
    > > > > !
    Ignore the failure of this test. Allow other tests to complete. > > ! Repeat this test the next time the client connects. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail.
    > > > > !
    enforce
    > > > > -
    Allow other tests to complete. Reject attempts to deliver mail > > - with a 550 SMTP reply, and log the helo/sender/recipient information. > > - Repeat this test the next time the client connects.
    > > > > !
    drop
    > > > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects.
    > > > > !
    > > > > !

    In either case, postscreen(8) will not whitelist the remote SMTP client > > ! IP address.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6709,6752 ---- > > > > !
    recipient_canonical_maps > > ! (default: empty)
    > > > > !

    > > ! Optional address mapping lookup tables for envelope and header > > ! recipient addresses. > > ! The table format and lookups are documented in canonical(5). > > !

    > > > > !

    > > ! Note: $recipient_canonical_maps is processed before $canonical_maps. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    > > ! 
    > > > > > > !
    > > > > !
    recipient_delimiter > > ! (default: empty)
    > > > > !

    > > ! The separator between user names and address extensions (user+foo). > > ! See canonical(5), local(8), relocated(5) and virtual(5) for the > > ! effects this has on aliases, canonical, virtual, relocated and > > ! on .forward file lookups. Basically, the software tries user+foo > > ! and .forward+foo before trying user and .forward. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! recipient_delimiter = +
    > > ! 
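Review bot: "In either case, postscreen(8) will not whitelist the remote SMTP client IP address" follows a list of three actions (ignore, enforce, drop), so "either" is ambiguous; say which actions it covers. The "ignore" item says the test is repeated the next time the client connects, which only makes sense if the address is not whitelisted after a failed pregreet test, so the sentence presumably applies to all three; state that plainly, e.g. "Regardless of the action, ...".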
    > > > > *************** > > *** 7394,7406 **** > > > > !
    postscreen_greet_banner > > ! (default: $smtpd_banner)
    > > > > !

    The text in the optional "220-text..." server > > ! response that > > ! postscreen(8) sends ahead of the real Postfix SMTP server's "220 > > ! text..." response, in an attempt to confuse bad SMTP clients so > > ! that they speak before their turn (pre-greet). Specify an empty > > ! value to disable this feature.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6755,6767 ---- > > > > !
    reject_code > > ! (default: 554)
    > > > > !

    > > ! The numerical Postfix SMTP server response code when a remote SMTP > > ! client request is rejected by the "reject" restriction. > > !

    > > > > !

    > > ! Do not change this unless you have a complete understanding of RFC 2821. > > !

    > > > > *************** > > *** 7409,7442 **** > > > > !
    postscreen_greet_ttl > > ! (default: 1d)
    > > ! > > !

    The amount of time that postscreen(8) will use the result from > > ! a successful PREGREET test. During this time, the client IP address > > ! is excluded from this test. The default is relatively short, because > > ! a good client can immediately talk to a real Postfix SMTP server.

    > > ! > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > ! > > !

    This feature is available in Postfix 2.8.

    > > ! > > > > !
    > > > > !
    postscreen_greet_wait > > ! (default: ${stress?2}${stress:6}s)
    > > > > !

    The amount of time that postscreen(8) will wait for an SMTP > > ! client to send a command before its turn, and for DNS blocklist > > ! lookup results to arrive (default: up to 2 seconds under stress, > > ! up to 6 seconds otherwise).

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit).

    > > > > !

    Time units: s (seconds), m (minutes), h (hours), d (days), w > > ! (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6770,6797 ---- > > > > !
    relay_clientcerts > > ! (default: empty)
    > > > > !

    List of tables with remote SMTP client-certificate fingerprints > > ! for which the Postfix SMTP server will allow access with the > > ! permit_tls_clientcerts feature. > > ! The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5).

    > > > > !

    Postfix lookup tables are in the form of (key, value) pairs. > > ! Since we only need the key, the value can be chosen freely, e.g. > > ! the name of the user or host: > > ! D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    > > > > !

    Example:

    > > > > !
    > > ! relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    > > ! 
    > > > > !

    For more fine-grained control, use check_ccert_access to select > > ! an appropriate access(5) policy for each client. > > ! See RESTRICTION_CLASS_README.

    > > > > !

    This feature is available with Postfix version 2.2.
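Review bot: the relay_clientcerts example key "D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home" is a 16-byte fingerprint, i.e. the md5 length that the same paragraph says was hard-coded before Postfix 2.5, while it also says the digest is now chosen by smtpd_tls_fingerprint_digest. The text should state that table keys must be fingerprints in the configured digest (a 16-byte key can never match once sha1 or sha256 is configured, and a silently non-matching table means permit_tls_clientcerts never fires), and an entry that grants relay access deserves a non-md5 example. Minor: "This feature is available with Postfix version 2.2." differs from the "... 2.x and later" wording used for every other entry in this patch.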

    > > > > *************** > > *** 7445,7453 **** > > > > !
    postscreen_helo_required > > ! (default: $smtpd_helo_required)
    > > > > !

    Require that a remote SMTP client sends HELO or EHLO before > > ! commencing a MAIL transaction.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6800,6810 ---- > > > > !
    relay_destination_concurrency_limit > > ! (default: $default_destination_concurrency_limit)
    > > > > !

    The maximal number of parallel deliveries to the same destination > > ! via the relay message delivery transport. This limit is enforced > > ! by the queue manager. The message delivery transport name is the > > ! first field in the entry in the master.cf file.

    > > > > !

    This feature is available in Postfix 2.0 and later.

    > > > > *************** > > *** 7456,7502 **** > > > > !
    postscreen_non_smtp_command_action > > ! (default: drop)
    > > ! > > !

    The action that postscreen(8) takes when a remote SMTP client sends > > ! non-SMTP commands as specified with the postscreen_forbidden_commands > > ! parameter. Specify one of the following:

    > > > > !
    > > > > !
    ignore
    > > > > !
    Ignore the failure of this test. Allow other tests to complete. > > ! Do not repeat this test before some the result from some > > ! other test expires. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail permanently.
    > > ! > > !
    enforce
    > > ! > > !
    Allow other tests to complete. Reject attempts to deliver mail > > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > > ! Repeat this test the next time the client connects.
    > > ! > > !
    drop
    > > ! > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects. This action is the > > ! same as with the Postfix SMTP server's smtpd_forbidden_commands > > ! feature.
    > > > > -
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_non_smtp_command_enable > > ! (default: no)
    > > > > !

    Enable "non-SMTP command" tests in the postscreen(8) server. These > > ! tests are expensive: a client must disconnect after it passes the > > ! test, before it can talk to a real Postfix SMTP server.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6813,6859 ---- > > > > !
    relay_destination_recipient_limit > > ! (default: $default_destination_recipient_limit)
    > > > > !

    The maximal number of recipients per message for the relay > > ! message delivery transport. This limit is enforced by the queue > > ! manager. The message delivery transport name is the first field in > > ! the entry in the master.cf file.

    > > > > !

    Setting this parameter to a value of 1 changes the meaning of > > ! relay_destination_concurrency_limit from concurrency per domain > > ! into concurrency per recipient.

    > > > > !

    This feature is available in Postfix 2.0 and later.

    > > > > > > !
    > > > > +
    relay_domains > > + (default: $mydestination)
    > > > > !

    What destination domains (and subdomains thereof) this system > > ! will relay mail to. Subdomain matching is controlled with the > > ! parent_domain_matches_subdomains parameter. For details about how > > ! the relay_domains value is used, see the description of the > > ! permit_auth_destination and reject_unauth_destination SMTP recipient > > ! restrictions.

    > > > > !

    Domains that match $relay_domains are delivered with the > > ! $relay_transport mail delivery transport. The SMTP server validates > > ! recipient addresses with $relay_recipient_maps and rejects non-existent > > ! recipients. See also the relay domains address class in the > > ! ADDRESS_CLASS_README file.

    > > > > !

    Note: Postfix will not automatically forward mail for domains > > ! that list this system as their primary or backup MX host. See the > > ! permit_mx_backup restriction in the postconf(5) manual page.

    > > > > !

    Specify a list of host or domain names, "/file/name" patterns > > ! or "type:table" lookup tables, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. A > > ! "/file/name" pattern is replaced by its contents; a "type:table" > > ! lookup table is matched when a (parent) domain appears as lookup > > ! key. Specify "!pattern" to exclude a domain from the list. The form > > ! "!/file/name" is supported only in Postfix version 2.4 and later. > > !
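Review bot: this hunk pairs unrelated entries, so its `!` lines do not record an edit to either of them: the old side is the postscreen_non_smtp_command_action ignore/enforce/drop text and postscreen_non_smtp_command_enable, while the new side at `--- 6813,6859 ----` is relay_destination_recipient_limit and relay_domains. Both sides are in alphabetical parameter order, so the context diff has simply matched text that shifted by several hundred lines, and whether the postscreen_* entries moved or were dropped from the regenerated page cannot be verified from this output. Suggest regenerating the report as a unified diff with enough context (or a minimal-match diff) so the reader sees the real insertion or removal, and, if the old-side text survives elsewhere in the new file, also fixing the duplicated word in `Do not repeat this test before some the result from some other test expires`.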

    > > > > *************** > > *** 7505,7520 **** > > > > !
    postscreen_non_smtp_command_ttl > > ! (default: 30d)
    > > ! > > !

    The amount of time that postscreen(8) will use the result from > > ! a successful "non_smtp_command" SMTP protocol test. During this > > ! time, the client IP address is excluded from this test. The default > > ! is long because a client must disconnect after it passes the test, > > ! before it can talk to a real Postfix SMTP server.

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6862,6875 ---- > > > > !
    relay_domains_reject_code > > ! (default: 554)
    > > > > !

    > > ! The numerical Postfix SMTP server response code when a client > > ! request is rejected by the reject_unauth_destination recipient > > ! restriction. > > !

    > > > > !

    > > ! Do not change this unless you have a complete understanding of RFC 2821. > > !

    > > > > *************** > > *** 7523,7569 **** > > > > !
    postscreen_pipelining_action > > ! (default: enforce)
    > > ! > > !

    The action that postscreen(8) takes when a remote SMTP client > > ! sends > > ! multiple commands instead of sending one command and waiting for > > ! the server to respond. Specify one of the following:

    > > ! > > !
    > > > > !
    ignore
    > > > > !
    Ignore the failure of this test. Allow other tests to complete. > > ! Do not repeat this test before some the result from some > > ! other test expires. > > ! This option is useful for testing and collecting statistics > > ! without blocking mail permanently.
    > > > > !
    enforce
    > > > > !
    Allow other tests to complete. Reject attempts to deliver mail > > ! with a 550 SMTP reply, and log the helo/sender/recipient information. > > ! Repeat this test the next time the client connects.
    > > > > !
    drop
    > > > > !
    Drop the connection immediately with a 521 SMTP reply. Repeat > > ! this test the next time the client connects.
    > > > > -
    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_pipelining_enable > > ! (default: no)
    > > > > !

    Enable "pipelining" SMTP protocol tests in the postscreen(8) > > ! server. These tests are expensive: a good client must disconnect > > ! after it passes the test, before it can talk to a real Postfix SMTP > > ! server.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6878,6944 ---- > > > > !
    relay_recipient_maps > > ! (default: empty)
    > > > > !

    Optional lookup tables with all valid addresses in the domains > > ! that match $relay_domains. Specify @domain as a wild-card for > > ! domains that have no valid recipient list, and become a source of > > ! backscatter mail: Postfix accepts spam for non-existent recipients > > ! and then floods innocent people with undeliverable mail. Technically, > > ! tables > > ! listed with $relay_recipient_maps are used as lists: Postfix needs > > ! to know only if a lookup string is found or not, but it does not > > ! use the result from table lookup.

    > > > > !

    > > ! If this parameter is non-empty, then the Postfix SMTP server will reject > > ! mail to unknown relay users. This feature is off by default. > > !

    > > > > !

    > > ! See also the relay domains address class in the ADDRESS_CLASS_README > > ! file. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! relay_recipient_maps = hash:/etc/postfix/relay_recipients
    > > ! 
    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > +
    relay_transport > > + (default: relay)
    > > > > !

    > > ! The default mail delivery transport and next-hop destination for > > ! remote delivery to domains listed with $relay_domains. In order of > > ! decreasing precedence, the nexthop destination is taken from > > ! $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or > > ! from the recipient domain. This information can be overruled with > > ! the transport(5) table. > > !

    > > > > !

    > > ! Specify a string of the form transport:nexthop, where transport > > ! is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop part is optional. For more details see the > > ! transport(5) manual page. > > !

    > > > > !

    > > ! See also the relay domains address class in the ADDRESS_CLASS_README > > ! file. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !
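Review bot: the relay_recipient_maps paragraph on the new side is ambiguous about what `@domain` does. `Specify @domain as a wild-card for domains that have no valid recipient list, and become a source of backscatter mail` reads as if the wildcard were the recommended way to handle such domains, while the rest of the sentence describes the cost (Postfix accepts spam for non-existent recipients and then floods innocent people with undeliverable mail). Suggest splitting it: first state that `@domain` accepts every recipient in that domain, then give the backscatter consequence as a separate warning, so that an operator reading quickly does not take the wildcard as the default choice when a real recipient list can be obtained.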

    > > > > *************** > > *** 7572,7614 **** > > > > !
    postscreen_pipelining_ttl > > ! (default: 30d)
    > > > > !

    The amount of time that postscreen(8) will use the result from > > ! a successful "pipelining" SMTP protocol test. During this time, the > > ! client IP address is excluded from this test. The default is > > ! long because a good client must disconnect after it passes the test, > > ! before it can talk to a real Postfix SMTP server.

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_post_queue_limit > > ! (default: $default_process_limit)
    > > > > -

    The number of clients that can be waiting for service from a > > - real Postfix SMTP server process. When this queue is full, all > > - clients will > > - receive a 421 reponse.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > > > !
    > > > > !
    postscreen_pre_queue_limit > > ! (default: $default_process_limit)
    > > > > !

    The number of non-whitelisted clients that can be waiting for > > ! a decision whether they will receive service from a real Postfix > > ! SMTP server > > ! process. When this queue is full, all non-whitelisted clients will > > ! receive a 421 reponse.

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 6947,7012 ---- > > > > !
    relayhost > > ! (default: empty)
    > > > > !

    > > ! The next-hop destination of non-local mail; overrides non-local > > ! domains in recipient addresses. This information is overruled with > > ! relay_transport, default_transport, sender_dependent_relayhost_maps > > ! and with the transport(5) table. > > !

    > > > > !

    > > ! On an intranet, specify the organizational domain name. If your > > ! internal DNS uses no MX records, specify the name of the intranet > > ! gateway host instead. > > !

    > > > > !

    > > ! In the case of SMTP, specify a domain name, hostname, hostname:port, > > ! [hostname]:port, [hostaddress] or [hostaddress]:port. The form > > ! [hostname] turns off MX lookups. > > !

    > > > > +

    > > + If you're connected via UUCP, see the UUCP_README file for useful > > + information. > > +

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! relayhost = $mydomain
    > > ! relayhost = [gateway.my.domain]
    > > ! relayhost = uucphost
    > > ! relayhost = [an.ip.add.ress]
    > > ! 
    > > > > > > !
    > > > > +
    relocated_maps > > + (default: empty)
    > > > > !

    > > ! Optional lookup tables with new contact information for users or > > ! domains that no longer exist. The table format and lookups are > > ! documented in relocated(5). > > !

    > > > > !

    > > ! If you use this feature, run "postmap /etc/postfix/relocated" to > > ! build the necessary DBM or DB file after change, then "postfix > > ! reload" to make the changes visible. > > !

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! relocated_maps = dbm:/etc/postfix/relocated
    > > ! relocated_maps = hash:/etc/postfix/relocated
    > > ! 
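Review bot: `reponse` is misspelled in both `receive a 421 reponse` lines of the postscreen_post_queue_limit and postscreen_pre_queue_limit paragraphs on the old side of this hunk. The hunk shows those entries only because of the line shift against relayhost and relocated_maps, so check the regenerated page and correct the word to `response` wherever the two postscreen entries now appear.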
    > > > > *************** > > *** 7617,7639 **** > > > > !
    postscreen_reject_footer > > ! (default: $smtpd_reject_footer)
    > > ! > > !

    Optional information that is appended after a 4XX or 5XX > > ! postscreen(8) server > > ! response. See smtpd_reject_footer for further details.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > > > !
    > > > > !
    postscreen_tls_security_level > > ! (default: $smtpd_tls_security_level)
    > > > > !

    The SMTP TLS security level for the postscreen(8) server; when > > ! a non-empty value is specified, this overrides the obsolete parameters > > ! postscreen_use_tls and postscreen_enforce_tls. See smtpd_tls_security_level > > ! for details.

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 7015,7045 ---- > > > > !
    remote_header_rewrite_domain > > ! (default: empty)
    > > > > !

    Don't rewrite message headers from remote clients at all when > > ! this parameter is empty; otherwise, rewrite message headers and > > ! append the specified domain name to incomplete addresses. The > > ! local_header_rewrite_clients parameter controls what clients Postfix > > ! considers local.

    > > > > +

    Examples:

    > > > > !

    The safe setting: append "domain.invalid" to incomplete header > > ! addresses from remote SMTP clients, so that those addresses cannot > > ! be confused with local addresses.

    > > > > !
    > > !
    > > ! remote_header_rewrite_domain = domain.invalid
    > > ! 
    > > !
    > > > > !

    The default, purist, setting: don't rewrite headers from remote > > ! clients at all.

    > > > > !
    > > !
    > > ! remote_header_rewrite_domain =
    > > ! 
    > > !
    > > > > *************** > > *** 7642,7651 **** > > > > !
    postscreen_use_tls > > ! (default: $smtpd_use_tls)
    > > ! > > !

    Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > > ! but do not require that clients use TLS encryption.

    > > > > !

    This feature is available in Postfix 2.8 and later. > > ! Preferably, use postscreen_tls_security_level instead.

    > > > > --- 7048,7058 ---- > > > > !
    require_home_directory > > ! (default: no)
    > > > > !

    > > ! Whether or not a local(8) recipient's home directory must exist > > ! before mail delivery is attempted. By default this test is disabled. > > ! It can be useful for environments that import home directories to > > ! the mail server (NOT RECOMMENDED). > > !

    > > > > *************** > > *** 7654,7671 **** > > > > !
    postscreen_watchdog_timeout > > ! (default: 10s)
    > > > > !

    How much time a postscreen(8) process may take to respond to > > ! a remote SMTP client command or to perform a cache operation before it > > ! is terminated by a built-in watchdog timer. This is a safety > > ! mechanism that prevents postscreen(8) from becoming non-responsive > > ! due to a bug in Postfix itself or in system software. To avoid > > ! false alarms and unnecessary cache corruption this limit cannot be > > ! set under 10s.

    > > > > !

    Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

    > > > > !

    This feature is available in Postfix 2.8.

    > > > > --- 7061,7079 ---- > > > > !
    resolve_dequoted_address > > ! (default: yes)
    > > > > !

    Resolve a recipient address safely instead of correctly, by > > ! looking inside quotes.

    > > > > !

    By default, the Postfix address resolver does not quote the > > ! address localpart as per RFC 822, so that additional @ or % or ! > > ! operators remain visible. This behavior is safe but it is also > > ! technically incorrect.

    > > > > !

    If you specify "resolve_dequoted_address = no", then > > ! the Postfix > > ! resolver will not know about additional @ etc. operators in the > > ! address localpart. This opens opportunities for obscure mail relay > > ! attacks with user at domain@domain addresses when Postfix provides > > ! backup MX service for Sendmail systems.

    > > > > *************** > > *** 7674,7724 **** > > > > !
    postscreen_whitelist_interfaces > > ! (default: static:all)
    > > > > !

    A list of local postscreen(8) server IP addresses where a > > ! non-whitelisted remote SMTP client can obtain postscreen(8)'s temporary > > ! whitelist status. This status is required before the client can > > ! talk to a Postfix SMTP server process. By default, a client can > > ! obtain postscreen(8)'s whitelist status on any local postscreen(8) > > ! server IP address.

    > > > > !

    When postscreen(8) listens on both primary and backup MX > > ! addresses, the postscreen_whitelist_interfaces parameter can be > > ! configured to give the temporary whitelist status only when a client > > ! connects to a primary MX address. Once a client is whitelisted it > > ! can talk to a Postfix SMTP server on any address. Thus, clients > > ! that connect only to backup MX addresses will never become whitelisted, > > ! and will never be allowed to talk to a Postfix SMTP server process. > > !

    > > > > !

    Example:

    > > > > -
    > > - /etc/postfix/main.cf:
    > > -     # Don't whitelist connections to the backup IP address.
    > > -     postscreen_whitelist_interfaces = !168.100.189.8, static:all
    > > - 
    > > > > !

    This feature is available in Postfix 2.9 and later.

    > > > > > > !
    > > > > !
    prepend_delivered_header > > ! (default: command, file, forward)
    > > > > -

    The message delivery contexts where the Postfix local(8) delivery > > - agent prepends a Delivered-To: message header with the address > > - that the mail was delivered to. This information is used for mail > > - delivery loop detection.

    > > > > !

    > > ! By default, the Postfix local delivery agent prepends a Delivered-To: > > ! header when forwarding mail and when delivering to file (mailbox) > > ! and command. Turning off the Delivered-To: header when forwarding > > ! mail is not recommended. > > !

    > > > >

    > > ! Specify zero or more of forward, file, or command. > >

    > > --- 7082,7119 ---- > > > > !
    resolve_null_domain > > ! (default: no)
    > > > > !

    Resolve an address that ends in the "@" null domain as if the > > ! local hostname were specified, instead of rejecting the address as > > ! invalid.

    > > > > !

    This feature is available in Postfix 2.1 and later. > > ! Earlier versions always resolve the null domain as the local > > ! hostname.

    > > > > !

    The Postfix SMTP server uses this feature to reject mail from > > ! or to addresses that end in the "@" null domain, and from addresses > > ! that rewrite into a form that ends in the "@" null domain.

    > > > > > > !
    > > > > +
    resolve_numeric_domain > > + (default: no)
    > > > > !

    Resolve "user at ipaddress" as "user@[ipaddress]", instead of > > ! rejecting the address as invalid.

    > > > > !

    This feature is available in Postfix 2.3 and later. > > > > > > !

    > > ! > > !
    rewrite_service_name > > ! (default: rewrite)
    > > > >

    > > ! The name of the address rewriting service. This service rewrites > > ! addresses to standard form and resolves them to a (delivery method, > > ! next-hop host, recipient) triple. > >

    > > *************** > > *** 7726,7734 **** > >

    > > ! Example: > >

    > > > > -
    > > - prepend_delivered_header = forward
    > > - 
    > > - > > > > --- 7121,7125 ---- > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > > > > > *************** > > *** 7736,7742 **** > > > > !
    process_id > > ! (read-only)
    > > > >

    > > ! The process ID of a Postfix command or daemon process. > >

    > > --- 7127,7133 ---- > > > > !
    sample_directory > > ! (default: /etc/postfix)
    > > > >

    > > ! The name of the directory with example Postfix configuration files. > >

    > > *************** > > *** 7746,7755 **** > > > > !
    process_id_directory > > ! (default: pid)
    > > > > !

    > > ! The location of Postfix PID files relative to $queue_directory. > > ! This is a read-only parameter. > >

    > > > > > > --- 7137,7153 ---- > > > > !
    send_cyrus_sasl_authzid > > ! (default: no)
    > > > > !

    When authenticating to a remote SMTP or LMTP server with the > > ! default setting "no", send no SASL authoriZation ID (authzid); send > > ! only the SASL authentiCation ID (authcid) plus the authcid's password. > >

    > > > > +

    The non-default setting "yes" enables the behavior of older > > + Postfix versions. These always send a SASL authzid that is equal > > + to the SASL authcid, but this causes inter-operability problems > > + with some SMTP servers.

    > > + > > +

    This feature is available in Postfix 2.4.4 and later.

    > > + > > > > *************** > > *** 7757,7763 **** > > > > !
    process_name > > ! (read-only)
    > > > >

    > > ! The process name of a Postfix command or daemon process. > >

    > > --- 7155,7162 ---- > > > > !
    sender_based_routing > > ! (default: no)
    > > > >

    > > ! This parameter should not be used. It was replaced by sender_dependent_relayhost_maps > > ! in Postfix version 2.3. > >

    > > *************** > > *** 7767,7774 **** > > > > !
    propagate_unmatched_extensions > > ! (default: canonical, virtual)
    > > > >

    > > ! What address lookup tables copy an address extension from the lookup > > ! key to the lookup result. > >

    > > --- 7166,7176 ---- > > > > !
    sender_bcc_maps > > ! (default: empty)
    > > ! > > !

    Optional BCC (blind carbon-copy) address lookup tables, indexed > > ! by sender address. The BCC address (multiple results are not > > ! supported) is added when mail enters from outside of Postfix.

    > > > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > *************** > > *** 7776,7816 **** > >

    > > ! For example, with a virtual(5) mapping of "joe at example.com => > > ! joe.user at example.net", the address "joe+foo at example.com" > > ! would rewrite to "joe.user+foo at example.net". > >

    > > > > !

    > > ! Specify zero or more of canonical, virtual, alias, > > ! forward, include or generic. These cause > > ! address extension > > ! propagation with canonical(5), virtual(5), and aliases(5) maps, > > ! with local(8) .forward and :include: file lookups, and with smtp(8) > > ! generic maps, respectively.

    > > > > !

    > > ! Note: enabling this feature for types other than canonical > > ! and virtual is likely to cause problems when mail is forwarded > > ! to other sites, especially with mail that is sent to a mailing list > > ! exploder address. > > !

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! propagate_unmatched_extensions = canonical, virtual, alias,
    > > !         forward, include
    > > ! propagate_unmatched_extensions = canonical, virtual
    > > ! 
    > > > > > > !
    > > > > !
    proxy_interfaces > > ! (default: empty)
    > > > >

    > > ! The network interface addresses that this mail system receives mail > > ! on by way of a proxy or network address translation unit. > >

    > > --- 7178,7204 ---- > >

    > > ! The table search order is as follows: > >

    > > > > !
      > > > > !
    • Look up the "user+extension at domain.tld" address including the > > ! optional address extension. > > > > !
    • Look up the "user at domain.tld" address without the optional > > ! address extension. > > > > !
    • Look up the "user+extension" address local part when the > > ! sender domain equals $myorigin, $mydestination, $inet_interfaces > > ! or $proxy_interfaces. > > > > +
    • Look up the "user" address local part when the sender domain > > + equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > > > !
    • Look up the "@domain.tld" part. > > > > !
    > > > >

    > > ! Specify the types and names of databases to use. After change, > > ! run "postmap /etc/postfix/sender_bcc". > >
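Review bot: the list archive's address obfuscation has rewritten the documentation examples in this hunk, so `joe at example.com => joe.user at example.net` on the old side and the lookup keys `user+extension at domain.tld` and `user at domain.tld` in the new-side search-order list no longer show the `@` form that sender_bcc_maps keys actually use. This is not a change in postconf.5.html, but it makes the search order unreadable in the archive; suggest sending these generated reports with address munging disabled.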

    > > *************** > > *** 7818,7825 **** > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > > > !

    You must specify your "outside" proxy/NAT addresses when your > > ! system is a backup MX host for other domains, otherwise mail delivery > > ! loops will happen when the primary MX host is down.

    > > > > --- 7206,7215 ---- > >

    > > ! Note: if mail to the BCC address bounces it will be returned to > > ! the sender. > >

    > > > > !

    Note: automatic BCC recipients are produced only for new mail. > > ! To avoid mailer loops, automatic BCC recipients are not generated > > ! for mail that Postfix forwards internally, nor for mail that Postfix > > ! generates itself.

    > > > > *************** > > *** 7830,7832 **** > >
    > > ! proxy_interfaces = 1.2.3.4
    > >   
    > > --- 7220,7222 ---- > >
    > > ! sender_bcc_maps = hash:/etc/postfix/sender_bcc
    > >   
    > > *************** > > *** 7836,7875 **** > > > > !
    proxy_read_maps > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The lookup tables that the proxymap(8) server is allowed to > > ! access for the read-only service. > > ! Table references that don't begin with proxy: are ignored. > >

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > -
    > > > > !
    proxy_write_maps > > ! (default: see "postconf -d" output)
    > > > > !

    The lookup tables that the proxymap(8) server is allowed to > > ! access for the read-write service. Postfix-owned local database > > ! files should be stored under the Postfix-owned data_directory. > > ! Table references that don't begin with proxy: are ignored.

    > > > >

    > > ! This feature is available in Postfix 2.5 and later. > >

    > > > > > > !
    > > > > !
    proxymap_service_name > > ! (default: proxymap)
    > > > > !

    The name of the proxymap read-only table lookup service. This > > ! service is normally implemented by the proxymap(8) daemon.

    > > ! > > !

    This feature is available in Postfix 2.6 and later.

    > > > > --- 7226,7268 ---- > > > > !
    sender_canonical_classes > > ! (default: envelope_sender, header_sender)
    > > > > !

    What addresses are subject to sender_canonical_maps address > > ! mapping. By default, sender_canonical_maps address mapping is > > ! applied to envelope sender addresses, and to header sender addresses. > >

    > > > > !

    Specify one or more of: envelope_sender, header_sender

    > > > > +

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    sender_canonical_maps > > ! (default: empty)
    > > > >

    > > ! Optional address mapping lookup tables for envelope and header > > ! sender addresses. > > ! The table format and lookups are documented in canonical(5). > >

    > > > > +

    > > + Example: you want to rewrite the SENDER address "user at ugly.domain" > > + to "user at pretty.domain", while still being able to send mail to > > + the RECIPIENT address "user at ugly.domain". > > +

    > > > > !

    > > ! Note: $sender_canonical_maps is processed before $canonical_maps. > > !

    > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! sender_canonical_maps = hash:/etc/postfix/sender_canonical
    > > ! 
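Review bot: the sender_canonical_maps entry on the new side has two `Example:` paragraphs. The first (`you want to rewrite the SENDER address "user at ugly.domain" to "user at pretty.domain", while still being able to send mail to the RECIPIENT address`) describes a use case but shows no table entry for it, and the second `Example:` introduces only `sender_canonical_maps = hash:/etc/postfix/sender_canonical`. Suggest merging them: keep the use case as motivation, show the main.cf line, and say that the per-address rewrite itself goes into the canonical(5)-format table the preceding paragraph refers to.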
    > > > > *************** > > *** 7878,7905 **** > > > > !
    proxywrite_service_name > > ! (default: proxywrite)
    > > ! > > !

    The name of the proxywrite read-write table lookup service. > > ! This service is normally implemented by the proxymap(8) daemon. > > !

    > > ! > > !

    This feature is available in Postfix 2.6 and later.

    > > ! > > > > !
    > > > > !
    qmgr_clog_warn_time > > ! (default: 300s)
    > > > >

    > > ! The minimal delay between warnings that a specific destination is > > ! clogging up the Postfix active queue. Specify 0 to disable. > >

    > > > > !

    > > ! This feature is enabled with the helpful_warnings parameter. > > !

    > > > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > --- 7271,7297 ---- > > > > !
    sender_dependent_relayhost_maps > > ! (default: empty)
    > > > > !

    A sender-dependent override for the global relayhost parameter > > ! setting. The tables are searched by the envelope sender address and > > ! @domain. This information is overruled with relay_transport, > > ! default_transport and with the transport(5) table.

    > > > > !

    For safety reasons, this feature does not allow $number > > ! substitutions in regular expression maps.

    > > > >

    > > ! This feature is available in Postfix 2.3 and later. > >

    > > > > ! > > !
    > > ! > > !
    sendmail_path > > ! (default: see "postconf -d" output)
    > > > >

    > > ! A Sendmail compatibility feature that specifies the location of > > ! the Postfix sendmail(1) command. This command can be used to > > ! submit mail into the Postfix queue. > >

    > > *************** > > *** 7909,7915 **** > > > > !
    qmgr_daemon_timeout > > ! (default: 1000s)
    > > > > !

    How much time a Postfix queue manager process may take to handle > > ! a request before it is terminated by a built-in watchdog timer. > >

    > > --- 7301,7308 ---- > > > > !
    service_throttle_time > > ! (default: 60s)
    > > > > !

    > > ! How long the Postfix master(8) waits before forking a server that > > ! appears to be malfunctioning. > >

    > > *************** > > *** 7921,7924 **** > > > > -

    This feature is available in Postfix 2.8 and later.

    > > - > > > > --- 7314,7315 ---- > > *************** > > *** 7926,7939 **** > > > > !
    qmgr_fudge_factor > > ! (default: 100)
    > > ! > > !

    > > ! Obsolete feature: the percentage of delivery resources that a busy > > ! mail system will use up for delivery of a large mailing list > > ! message. > > !

    > > > >

    > > ! This feature exists only in the oqmgr(8) old queue manager. The > > ! current queue manager solves the problem in a better way. > >

    > > --- 7317,7326 ---- > > > > !
    setgid_group > > ! (default: postdrop)
    > > > >

    > > ! The group ownership of set-gid Postfix commands and of group-writable > > ! Postfix directories. When this parameter value is changed you need > > ! to re-run "postfix set-permissions" (with Postfix version 2.0 and > > ! earlier: "/etc/postfix/post-install set-permissions". > >
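Review bot: unbalanced parenthesis in the setgid_group text on the new side: `(with Postfix version 2.0 and earlier: "/etc/postfix/post-install set-permissions".` opens a parenthesis that is never closed; suggest `(with Postfix version 2.0 and earlier: "/etc/postfix/post-install set-permissions").`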

    > > *************** > > *** 7943,7967 **** > > > > !
    qmgr_ipc_timeout > > ! (default: 60s)
    > > ! > > !

    The time limit for the queue manager to send or receive information > > ! over an internal communication channel. The purpose is to break > > ! out of deadlock situations. If the time limit is exceeded the > > ! software either retries or aborts the operation.

    > > > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > > > -

    This feature is available in Postfix 2.8 and later.

    > > - > > - > > -
    > > - > > -
    qmgr_message_active_limit > > - (default: 20000)
    > > - > >

    > > ! The maximal number of messages in the active queue. > >

    > > --- 7330,7342 ---- > > > > !
    show_user_unknown_table_name > > ! (default: yes)
    > > > >

    > > ! Display the name of the recipient table in the "User unknown" > > ! responses. The extra detail makes trouble shooting easier but also > > ! reveals information that is nobody elses business. > >

    > > > >

    > > ! This feature is available in Postfix 2.0 and later. > >
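Review bot: `nobody elses business` in the show_user_unknown_table_name paragraph on the new side needs an apostrophe (`nobody else's business`). The sentence is the right place for the trade-off it states, since the default `yes` discloses the recipient table name to any SMTP client that triggers a "User unknown" reply; consider stating explicitly that sites which want to withhold that detail set the parameter to `no`.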

    > > *************** > > *** 7971,7991 **** > > > > !
    qmgr_message_recipient_limit > > ! (default: 20000)
    > > ! > > !

    The maximal number of recipients held in memory by the Postfix > > ! queue manager, and the maximal size of the size of the short-term, > > ! in-memory "dead" destination status cache.

    > > ! > > ! > > !
    > > > > !
    qmgr_message_recipient_minimum > > ! (default: 10)
    > > > >

    > > ! The minimal number of in-memory recipients for any message. This > > ! takes priority over any other in-memory recipient limits (i.e., > > ! the global qmgr_message_recipient_limit and the per transport > > ! _recipient_limit) if necessary. The minimum value allowed for this > > ! parameter is 1. > >

    > > --- 7346,7357 ---- > > > > !
    showq_service_name > > ! (default: showq)
    > > > > !

    > > ! The name of the showq(8) service. This service produces mail queue > > ! status reports. > > !

    > > > >

    > > ! This feature is available in Postfix 2.0 and later. > >
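Review bot: duplicated words in the qmgr_message_recipient_limit paragraph on the old side: `the maximal size of the size of the short-term, in-memory "dead" destination status cache` should read `the maximal size of the short-term, in-memory "dead" destination status cache`. This hunk shows the entry only because of the line shift against showq_service_name, so the fix belongs wherever the entry now sits in the regenerated page.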

    > > *************** > > *** 7995,8002 **** > > > > !
    qmqpd_authorized_clients > > ! (default: empty)
    > > > >

    > > ! What remote QMQP clients are allowed to connect to the Postfix QMQP > > ! server port. > >

    > > --- 7361,7367 ---- > > > > !
    smtp_always_send_ehlo > > ! (default: yes)
    > > > >

    > > ! Always send EHLO at the start of an SMTP session. > >

    > > *************** > > *** 8004,8022 **** > >

    > > ! By default, no client is allowed to use the service. This is > > ! because the QMQP server will relay mail to any destination. > >

    > > > > !

    > > ! Specify a list of client patterns. A list pattern specifies a host > > ! name, a domain name, an internet address, or a network/mask pattern, > > ! where the mask specifies the number of bits in the network part. > > ! When a pattern specifies a file name, its contents are substituted > > ! for the file name; when a pattern is a "type:table" table specification, > > ! table lookup is used instead.

    > > > >

    > > ! Patterns are separated by whitespace and/or commas. In order to > > ! reverse the result, precede a pattern with an > > ! exclamation point (!). The form "!/file/name" is supported only > > ! in Postfix version 2.4 and later. > >

    > > --- 7369,7384 ---- > >

    > > ! With "smtp_always_send_ehlo = no", Postfix sends EHLO only when > > ! the word "ESMTP" appears in the server greeting banner (example: > > ! 220 spike.porcupine.org ESMTP Postfix). > >

    > > > > ! > > !
    > > ! > > !
    smtp_bind_address > > ! (default: empty)
    > > > >

    > > ! An optional numerical network address that the Postfix SMTP client > > ! should bind to when making an IPv4 connection. > >

    > > *************** > > *** 8024,8043 **** > >

    > > ! Example: > >

    > > > >
    > > ! qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
    > >   
    > > > > > > !
    > > ! > > !
    qmqpd_client_port_logging > > ! (default: no)
    > > ! > > !

    Enable logging of the remote QMQP client port in addition to > > ! the hostname and IP address. The logging format is "host[address]:port". > > !

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > > > --- 7386,7407 ---- > >

    > > ! This can be specified in the main.cf file for all SMTP clients, or > > ! it can be specified in the master.cf file for a specific client, > > ! for example: > >

    > > > > +
    > >
    > > ! /etc/postfix/master.cf:
    > > !     smtp ... smtp -o smtp_bind_address=11.22.33.44
    > >   
    > > +
    > > > > +

    Note 1: when inet_interfaces specifies no more than one IPv4 > > + address, and that address is a non-loopback address, it is > > + automatically used as the smtp_bind_address. This supports virtual > > + IP hosting, but can be a problem on multi-homed firewalls. See the > > + inet_interfaces documentation for more detail.

    > > > > !

    Note 2: address information may be enclosed inside [], > > ! but this form is not required here.
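Review bot: the master.cf example on the new side, "smtp ... smtp -o smtp_bind_address=11.22.33.44", uses a globally routable address as a placeholder; documentation examples should be taken from the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) so that nobody copies another network's address into a live configuration. Note 1 is the operationally important part of this entry (the automatic bind from a single-address inet_interfaces is what surprises people on multi-homed firewalls) and it sits after the example where it is easy to skip; suggest placing it before the example.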

    > > > > *************** > > *** 8046,8088 **** > > > > !
    qmqpd_error_delay > > ! (default: 1s)
    > > ! > > !

    > > ! How long the Postfix QMQP server will pause before sending a negative > > ! reply to the remote QMQP client. The purpose is to slow down confused > > ! or malicious clients. > > !

    > > > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > > > ! > > !
    > > ! > > !
    qmqpd_timeout > > ! (default: 300s)
    > > ! > > !

    > > ! The time limit for sending or receiving information over the network. > > ! If a read or write operation blocks for more than $qmqpd_timeout > > ! seconds the Postfix QMQP server gives up and disconnects. > > !

    > > > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > > > > > !
    > > ! > > !
    queue_directory > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The location of the Postfix top-level queue directory. This is the > > ! root directory of Postfix daemon processes that run chrooted. > > !

    > > > > --- 7410,7442 ---- > > > > !
    smtp_bind_address6 > > ! (default: empty)
    > > > >

    > > ! An optional numerical network address that the Postfix SMTP client > > ! should bind to when making an IPv6 connection. > >

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > >

    > > ! This can be specified in the main.cf file for all SMTP clients, or > > ! it can be specified in the master.cf file for a specific client, > > ! for example: > >

    > > > > +
    > > +
    > > + /etc/postfix/master.cf:
    > > +     smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
    > > + 
    > > +
    > > > > !

    Note 1: when inet_interfaces specifies no more than one IPv6 > > ! address, and that address is a non-loopback address, it is > > ! automatically used as the smtp_bind_address6. This supports virtual > > ! IP hosting, but can be a problem on multi-homed firewalls. See the > > ! inet_interfaces documentation for more detail.

    > > > > !

    Note 2: address information may be enclosed inside [], > > ! but this form is not recommended here.
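Review bot: Note 2 here says the [] form "is not recommended here", while the otherwise parallel Note 2 under smtp_bind_address in the previous hunk says it "is not required here"; the two entries are twins, so one wording is a slip and the stronger one ("not recommended") should be used in both. The example address 1:2:3:4:5:6:7:8 has the same problem as the IPv4 example: it looks like a live address, and the RFC 3849 documentation prefix 2001:db8::/32 exists for exactly this purpose.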

    > > > > *************** > > *** 8091,8104 **** > > > > !
    queue_file_attribute_count_limit > > ! (default: 100)
    > > > > !

    > > ! The maximal number of (name=value) attributes that may be stored > > ! in a Postfix queue file. The limit is enforced by the cleanup(8) > > ! server. > >

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > --- 7445,7455 ---- > > > > !
    smtp_body_checks > > ! (default: empty)
    > > > > !

    Restricted body_checks(5) tables for the Postfix SMTP client. > > ! These tables are searched while mail is being delivered. Actions > > ! that change the delivery time or destination are not available. > >

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 8107,8129 **** > > > > !
    queue_minfree > > ! (default: 0)
    > > ! > > !

    > > ! The minimal amount of free space in bytes in the queue file system > > ! that is needed to receive mail. This is currently used by the > > ! Postfix SMTP server to decide if it will accept any mail at all. > > !

    > > > > !

    > > ! By default, the Postfix SMTP server rejects MAIL FROM commands when > > ! the amount of free space is less than 1.5*$message_size_limit > > ! (Postfix version 2.1 and later). > > ! To specify a higher minimum free space limit, specify a queue_minfree > > ! value that is at least 1.5*$message_size_limit. > > !

    > > > > !

    > > ! With Postfix versions 2.0 and earlier, a queue_minfree value of > > ! zero means there is no minimum required amount of free space. > > !

    > > > > --- 7458,7471 ---- > > > > !
    smtp_cname_overrides_servername > > ! (default: version dependent)
    > > > > !

    Allow DNS CNAME records to override the servername that the > > ! Postfix SMTP client uses for logging, SASL password lookup, TLS > > ! policy decisions, or TLS certificate verification. The value "no" > > ! hardens Postfix smtp_tls_per_site hostname-based policies against > > ! false hostname information in DNS CNAME records, and makes SASL > > ! password file lookups more predictable. This is the default setting > > ! as of Postfix 2.3.

    > > > > !

    This feature is available in Postfix 2.2.9 and later.
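Review bot: the header "(default: version dependent)" for smtp_cname_overrides_servername hides the value that matters for hardening; the body says "no" is the default as of 2.3, which implies "yes" for 2.2.9 through 2.2.x, so the header should spell out both values instead of sending the reader to "postconf -d". Because "no" is the setting that protects smtp_tls_per_site hostname policies and SASL password lookups from false hostname information in CNAME records, the entry should also tell operators on the older default, or with a main.cf that pins "yes", to set "no" explicitly.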

    > > > > *************** > > *** 8132,8143 **** > > > > !
    queue_run_delay > > ! (default: 300s)
    > > > >

    > > ! The time between deferred queue scans by the queue manager; > > ! prior to Postfix 2.4 the default value was 1000s. > >

    > > > > !

    This parameter should be set less than or equal to > > ! $minimal_backoff_time. See also $maximal_backoff_time.

    > > > > --- 7474,7490 ---- > > > > !
    smtp_connect_timeout > > ! (default: 30s)
    > > > >

    > > ! The SMTP client time limit for completing a TCP connection, or > > ! zero (use the operating system built-in time limit). > >

    > > > > !

    > > ! When no connection can be made within the deadline, the Postfix > > ! SMTP client > > ! tries the next address on the mail exchanger list. Specify 0 to > > ! disable the time limit (i.e. use whatever timeout is implemented by > > ! the operating system). > > !

    > > > > *************** > > *** 8151,8181 **** > > > > !
    queue_service_name > > ! (default: qmgr)
    > > > > !

    > > ! The name of the qmgr(8) service. This service manages the Postfix > > ! queue and schedules delivery requests. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > !
    rbl_reply_maps > > ! (default: empty)
    > > > > !

    > > ! Optional lookup tables with RBL response templates. The tables are > > ! indexed by the RBL domain name. By default, Postfix uses the default > > ! template as specified with the default_rbl_reply configuration > > ! parameter. See there for a discussion of the syntax of RBL reply > > ! templates. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > --- 7498,7535 ---- > > > > !
    smtp_connection_cache_destinations > > ! (default: empty)
    > > > > !

    Permanently enable SMTP connection caching for the specified > > ! destinations. With SMTP connection caching, a connection is not > > ! closed immediately after completion of a mail transaction. Instead, > > ! the connection is kept open for up to $smtp_connection_cache_time_limit > > ! seconds. This allows connections to be reused for other deliveries, > > ! and can improve mail delivery performance.

    > > > > !

    Specify a comma or white space separated list of destinations > > ! or pseudo-destinations:

    > > > > +
      > > > > !
    • if mail is sent without a relay host: a domain name (the > > ! right-hand side of an email address, without the [] around a numeric > > ! IP address), > > > > !
    • if mail is sent via a relay host: a relay host name (without > > ! [] or non-default TCP port), as specified in main.cf or in the > > ! transport map, > > > > !
    • if mail is sent via a UNIX-domain socket: a pathname (without > > ! the unix: prefix), > > > > !
    • a /file/name with domain names and/or relay host names as > > ! defined above, > > ! > > !
    • a "type:table" with domain names and/or relay host names on > > ! the left-hand side. The right-hand side result from "type:table" > > ! lookups is ignored. > > ! > > !
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 8184,8192 **** > > > > !
    readme_directory > > ! (default: see "postconf -d" output)
    > > > > !

    > > ! The location of Postfix README files that describe how to build, > > ! configure or operate a specific Postfix subsystem or feature. > > !

    > > > > --- 7538,7551 ---- > > > > !
    smtp_connection_cache_on_demand > > ! (default: yes)
    > > > > !

    Temporarily enable SMTP connection caching while a destination > > ! has a high volume of mail in the active queue. With SMTP connection > > ! caching, a connection is not closed immediately after completion > > ! of a mail transaction. Instead, the connection is kept open for > > ! up to $smtp_connection_cache_time_limit seconds. This allows > > ! connections to be reused for other deliveries, and can improve mail > > ! delivery performance.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 8195,8256 **** > > > > !
    receive_override_options > > ! (default: empty)
    > > > > !

    Enable or disable recipient validation, built-in content > > ! filtering, or address mapping. Typically, these are specified in > > ! master.cf as command-line arguments for the smtpd(8), qmqpd(8) or > > ! pickup(8) daemons.

    > > > > !

    Specify zero or more of the following options. The options > > ! override main.cf settings and are either implemented by smtpd(8), > > ! qmqpd(8), or pickup(8) themselves, or they are forwarded to the > > ! cleanup server.

    > > > > -
    > > > > !
    no_unknown_recipient_checks
    > > > > !
    Do not try to reject unknown recipients (SMTP server only). > > ! This is typically specified AFTER an external content filter. > > !
    > > > > !
    no_address_mappings
    > > > > !
    Disable canonical address mapping, virtual alias map expansion, > > ! address masquerading, and automatic BCC (blind carbon-copy) > > ! recipients. This is typically specified BEFORE an external content > > ! filter.
    > > > > -
    no_header_body_checks
    > > > > !
    Disable header/body_checks. This is typically specified AFTER > > ! an external content filter.
    > > > > !
    no_milters
    > > > > !
    Disable Milter (mail filter) applications. This is typically > > ! specified AFTER an external content filter.
    > > > > !
    > > > > !

    > > ! Note: when the "BEFORE content filter" receive_override_options > > ! setting is specified in the main.cf file, specify the "AFTER content > > ! filter" receive_override_options setting in master.cf (and vice > > ! versa). > > !

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! receive_override_options =
    > > !     no_unknown_recipient_checks, no_header_body_checks
    > > ! receive_override_options = no_address_mappings
    > > ! 
    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > --- 7554,7629 ---- > > > > !
    smtp_connection_cache_reuse_limit > > ! (default: 10)
    > > > > !

    When SMTP connection caching is enabled, the number of times that > > ! an SMTP session may be reused before it is closed. > > !

    > > > > !

    This feature is available in Postfix 2.2. In Postfix 2.3 it is > > ! replaced by $smtp_connection_reuse_time_limit.

    > > > > > > !
    > > > > !
    smtp_connection_cache_time_limit > > ! (default: 2s)
    > > > > !

    When SMTP connection caching is enabled, the amount of time that > > ! an unused SMTP client socket is kept open before it is closed. Do > > ! not specify larger values without permission from the remote sites. > > !

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    smtp_connection_reuse_time_limit > > ! (default: 300s)
    > > > > !

    The amount of time during which Postfix will use an SMTP > > ! connection repeatedly. The timer starts when the connection is > > ! initiated (i.e. it includes the connect, greeting and helo latency, > > ! in addition to the latencies of subsequent mail delivery transactions). > > !

    > > > > !

    This feature addresses a performance stability problem with > > ! remote SMTP servers. This problem is not specific to Postfix: it > > ! can happen when any MTA sends large amounts of SMTP email to a site > > ! that has multiple MX hosts.

    > > > > !

    The problem starts when one of a set of MX hosts becomes slower > > ! than the rest. Even though SMTP clients connect to fast and slow > > ! MX hosts with equal probability, the slow MX host ends up with more > > ! simultaneous inbound connections than the faster MX hosts, because > > ! the slow MX host needs more time to serve each client request.

    > > > > !

    The slow MX host becomes a connection attractor. If one MX > > ! host becomes N times slower than the rest, it dominates mail delivery > > ! latency unless there are more than N fast MX hosts to counter the > > ! effect. And if the number of MX hosts is smaller than N, the mail > > ! delivery latency becomes effectively that of the slowest MX host > > ! divided by the total number of MX hosts.

    > > > > !

    The solution uses connection caching in a way that differs from > > ! Postfix version 2.2. By limiting the amount of time during which a connection > > ! can be used repeatedly (instead of limiting the number of deliveries > > ! over that connection), Postfix not only restores fairness in the > > ! distribution of simultaneous connections across a set of MX hosts, > > ! it also favors deliveries over connections that perform well, which > > ! is exactly what we want.

    > > > > !

    The default reuse time limit, 300s, is comparable to the various > > ! smtp transaction timeouts which are fair estimates of maximum excess > > ! latency for a slow delivery. Note that hosts may accept thousands > > ! of messages over a single connection within the default connection > > ! reuse time limit. This number is much larger than the default Postfix > > ! version 2.2 limit of 10 messages per cached connection. It may prove necessary > > ! to lower the limit to avoid interoperability issues with MTAs that > > ! exhibit bugs when many messages are delivered via a single connection. > > ! A lower reuse time limit risks losing the benefit of connection > > ! reuse when the average connection and mail delivery latency exceeds > > ! the reuse time limit.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.
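Review bot: the receive_override_options example on the old side lists "receive_override_options = no_unknown_recipient_checks, no_header_body_checks" and "receive_override_options = no_address_mappings" back to back, but the Note directly above says the BEFORE-filter and AFTER-filter settings must live in different files (main.cf versus a master.cf -o override); the example should label each line with its file, otherwise a reader pastes both into main.cf and the later assignment overrides the first. On the new side, smtp_connection_cache_reuse_limit still carries "(default: 10)" although its text says it was replaced by smtp_connection_reuse_time_limit in 2.3; the header should mark it as a 2.2-only parameter.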

    > > > > *************** > > *** 8259,8267 **** > > > > !
    recipient_bcc_maps > > ! (default: empty)
    > > > >

    > > ! Optional BCC (blind carbon-copy) address lookup tables, indexed by > > ! recipient address. The BCC address (multiple results are not > > ! supported) is added when mail enters from outside of Postfix. > >

    > > --- 7632,7639 ---- > > > > !
    smtp_data_done_timeout > > ! (default: 600s)
    > > > >

    > > ! The SMTP client time limit for sending the SMTP ".", and for receiving > > ! the server response. > >

    > > *************** > > *** 8269,8271 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > --- 7641,7644 ---- > >

    > > ! When no response is received within the deadline, a warning is > > ! logged that the mail may be delivered multiple times. > >

    > > *************** > > *** 8273,8319 **** > >

    > > ! The table search order is as follows: > >

    > > > > -
      > > - > > -
    • Look up the "user+extension at domain.tld" address including the > > - optional address extension. > > - > > -
    • Look up the "user at domain.tld" address without the optional > > - address extension. > > - > > -
    • Look up the "user+extension" address local part when the > > - recipient domain equals $myorigin, $mydestination, $inet_interfaces > > - or $proxy_interfaces. > > - > > -
    • Look up the "user" address local part when the recipient domain > > - equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > - > > -
    • Look up the "@domain.tld" part. > > > > !
    > > > > !

    > > ! Specify the types and names of databases to use. After change, > > ! run "postmap /etc/postfix/recipient_bcc". > > !

    > > > >

    > > ! Note: if mail to the BCC address bounces it will be returned to > > ! the sender. > >

    > > > > -

    Note: automatic BCC recipients are produced only for new mail. > > - To avoid mailer loops, automatic BCC recipients are not generated > > - after Postfix forwards mail internally, or after Postfix generates > > - mail itself.

    > > - > >

    > > ! Example: > >

    > > > > -
    > > - recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
    > > - 
    > > - > > > > --- 7646,7667 ---- > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > > > > > !
    > > > > !
    smtp_data_init_timeout > > ! (default: 120s)
    > > > >

    > > ! The SMTP client time limit for sending the SMTP DATA command, and for > > ! receiving the server response. > >

    > > > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >
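Review bot: the sentence "Note: if mail to the BCC address bounces it will be returned to the sender" under recipient_bcc_maps on the old side understates the consequence: the bounce reveals the automatic BCC recipient to the original sender, which defeats a copy that was meant to be invisible (a compliance archive, for instance). Suggest saying that plainly, and merging it with the following Note about BCC recipients being generated only for new mail so that both caveats are read together.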

    > > > > > > *************** > > *** 8321,8334 **** > > > > !
    recipient_canonical_classes > > ! (default: envelope_recipient, header_recipient)
    > > ! > > !

    What addresses are subject to recipient_canonical_maps address > > ! mapping. By default, recipient_canonical_maps address mapping is > > ! applied to envelope recipient addresses, and to header recipient > > ! addresses.

    > > > > !

    Specify one or more of: envelope_recipient, header_recipient > >

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > --- 7669,7683 ---- > > > > !
    smtp_data_xfer_timeout > > ! (default: 180s)
    > > > > !

    > > ! The SMTP client time limit for sending the SMTP message content. > > ! When the connection makes no progress for more than $smtp_data_xfer_timeout > > ! seconds the Postfix SMTP client terminates the transfer. > >

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > *************** > > *** 8337,8345 **** > > > > !
    recipient_canonical_maps > > ! (default: empty)
    > > > >

    > > ! Optional address mapping lookup tables for envelope and header > > ! recipient addresses. > > ! The table format and lookups are documented in canonical(5). > >

    > > --- 7686,7692 ---- > > > > !
    smtp_defer_if_no_mx_address_found > > ! (default: no)
    > > > >

    > > ! Defer mail delivery when no MX record resolves to an IP address. > >

    > > *************** > > *** 8347,8349 **** > >

    > > ! Note: $recipient_canonical_maps is processed before $canonical_maps. > >

    > > --- 7694,7698 ---- > >

    > > ! The default (no) is to return the mail as undeliverable. With older > > ! Postfix versions the default was to keep trying to deliver the mail > > ! until someone fixed the MX record or until the mail was too old. > >

    > > *************** > > *** 8351,8358 **** > >

    > > ! Example: > >

    > > > > !
    > > ! recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
    > > ! 
    > > > > --- 7700,7708 ---- > >

    > > ! Note: Postfix always ignores MX records with equal or worse preference > > ! than the local MTA itself. > >

    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > *************** > > *** 8361,8380 **** > > > > !
    recipient_delimiter > > ! (default: empty)
    > > ! > > !

    > > ! The separator between user names and address extensions (user+foo). > > ! See canonical(5), local(8), relocated(5) and virtual(5) for the > > ! effects this has on aliases, canonical, virtual, relocated and > > ! on .forward file lookups. Basically, the software tries user+foo > > ! and .forward+foo before trying user and .forward. > > !

    > > ! > > !

    > > ! Example: > > !

    > > > > !
    > > ! recipient_delimiter = +
    > > ! 
    > > > > --- 7711,7719 ---- > > > > !
    smtp_destination_concurrency_limit > > ! (default: $default_destination_concurrency_limit)
    > > > > !

    The maximal number of parallel deliveries to the same destination > > ! via the smtp message delivery transport. This limit is enforced by > > ! the queue manager. The message delivery transport name is the first > > ! field in the entry in the master.cf file.

    > > > > *************** > > *** 8383,8395 **** > > > > !
    reject_code > > ! (default: 554)
    > > > > !

    > > ! The numerical Postfix SMTP server response code when a remote SMTP > > ! client request is rejected by the "reject" restriction. > > !

    > > > > !

    > > ! Do not change this unless you have a complete understanding of RFC 2821. > > !

    > > > > --- 7722,7734 ---- > > > > !
    smtp_destination_recipient_limit > > ! (default: $default_destination_recipient_limit)
    > > > > !

    The maximal number of recipients per message for the smtp > > ! message delivery transport. This limit is enforced by the queue > > ! manager. The message delivery transport name is the first field in > > ! the entry in the master.cf file.

    > > > > !

    Setting this parameter to a value of 1 changes the meaning of > > ! smtp_destination_concurrency_limit from concurrency per domain > > ! into concurrency per recipient.
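Review bot: "Do not change this unless you have a complete understanding of RFC 2821" under reject_code on the old side cites an obsolete document; RFC 5321 replaced RFC 2821 in 2008, and the same sentence recurs under relay_domains_reject_code in a later hunk. Suggest updating both references and keeping the warning, since a reply of the wrong class (a 4xx in place of 554) makes remote clients keep retrying mail that will never be accepted.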

    > > > > *************** > > *** 8398,8414 **** > > > > !
    reject_tempfail_action > > ! (default: defer_if_permit)
    > > > > !

    The Postfix SMTP server's action when a reject-type restriction > > ! fails due to a temporary error condition. Specify "defer" to defer > > ! the remote SMTP client request immediately. With the default > > ! "defer_if_permit" action, the Postfix SMTP server continues to look > > ! for opportunities to reject mail, and defers the client request > > ! only if it would otherwise be accepted.

    > > ! > > !

    For finer control, see: unverified_recipient_tempfail_action, > > ! unverified_sender_tempfail_action, unknown_address_tempfail_action, > > ! and unknown_helo_hostname_tempfail_action.

    > > > > !

    This feature is available in Postfix 2.6 and later.

    > > > > --- 7737,7749 ---- > > > > !
    smtp_discard_ehlo_keyword_address_maps > > ! (default: empty)
    > > > > !

    Lookup tables, indexed by the remote SMTP server address, with > > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > > ! etc.) that the Postfix SMTP client will ignore in the EHLO response from a > > ! remote SMTP server. See smtp_discard_ehlo_keywords for details. The > > ! table is not indexed by hostname for consistency with > > ! smtpd_discard_ehlo_keyword_address_maps.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 8417,8444 **** > > > > !
    relay_clientcerts > > (default: empty)
    > > > > !

    List of tables with remote SMTP client-certificate fingerprints or > > ! public key fingerprints (Postfix 2.9 and later) for which the Postfix > > ! SMTP server will allow access with the permit_tls_clientcerts > > ! feature. The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5).

    > > > > !

    Postfix lookup tables are in the form of (key, value) pairs. > > ! Since we only need the key, the value can be chosen freely, e.g. > > ! the name of the user or host: > > ! D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home

    > > > > !

    Example:

    > > > > !
    > > ! relay_clientcerts = hash:/etc/postfix/relay_clientcerts
    > > ! 
    > > > > !

    For more fine-grained control, use check_ccert_access to select > > ! an appropriate access(5) policy for each client. > > ! See RESTRICTION_CLASS_README.

    > > > > !

    This feature is available with Postfix version 2.2.

    > > > > --- 7752,7773 ---- > > > > !
    smtp_discard_ehlo_keywords > > (default: empty)
    > > > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > > ! auth, etc.) that the Postfix SMTP client will ignore in the EHLO > > ! response from a remote SMTP server.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > !

    Notes:

    > > > > !
      > > > > !
    • Specify the silent-discard pseudo keyword to prevent > > ! this action from being logged.

      > > > > !
    • Use the smtp_discard_ehlo_keyword_address_maps feature to > > ! discard EHLO keywords selectively.

      > > ! > > !
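Review bot: the relay_clientcerts example "D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home" is a 16-byte fingerprint, i.e. MD5 length, which matches the pre-2.5 hard-coded digest but not what a reader on 2.5 or later sees once smtpd_tls_fingerprint_digest is set to a current algorithm; the example should show the length produced by the configured digest, and the entry should tell readers to set smtpd_tls_fingerprint_digest to a current digest, because the fingerprint is the only thing permit_tls_clientcerts checks. Minor: "This feature is available with Postfix version 2.2." departs from the "2.2 and later" wording used everywhere else in the file.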
    > > > > *************** > > *** 8447,8457 **** > > > > !
    relay_destination_concurrency_limit > > ! (default: $default_destination_concurrency_limit)
    > > > > !

    The maximal number of parallel deliveries to the same destination > > ! via the relay message delivery transport. This limit is enforced > > ! by the queue manager. The message delivery transport name is the > > ! first field in the entry in the master.cf file.

    > > > > !

    This feature is available in Postfix 2.0 and later.

    > > > > --- 7776,7800 ---- > > > > !
    smtp_enforce_tls > > ! (default: no)
    > > > > !

    Enforcement mode: require that remote SMTP servers use TLS > > ! encryption, and never send mail in the clear. This also requires > > ! that the remote SMTP server hostname matches the information in > > ! the remote server certificate, and that the remote SMTP server > > ! certificate was issued by a CA that is trusted by the Postfix SMTP > > ! client. If the certificate doesn't verify or the hostname doesn't > > ! match, delivery is deferred and mail stays in the queue.

    > > > > !

    The server hostname is matched against all names provided as > > ! dNSNames in the SubjectAlternativeName. If no dNSNames are specified, > > ! the CommonName is checked. The behavior may be changed with the > > ! smtp_tls_enforce_peername option.

    > > ! > > !

    This option is useful only if you are definitely sure that you > > ! will only connect to servers that support RFC 2487 _and_ that > > ! provide valid server certificates. Typical use is for clients that > > ! send all their email to a dedicated mailhub.

    > > ! > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.
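Review bot: smtp_enforce_tls on the new side is flagged as superseded only in its last sentence ("With Postfix 2.3 and later use smtp_tls_security_level instead"); that belongs at the top, next to "(default: no)", so that readers of a 2.3+ manual do not configure the legacy knob. The reference to "servers that support RFC 2487" is also stale: RFC 3207 obsoleted RFC 2487 as the STARTTLS specification. The matching paragraph (dNSNames first, CommonName only when no dNSNames are present) is the useful part of the entry and reads fine.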

    > > > > *************** > > *** 8460,8506 **** > > > > !
    relay_destination_recipient_limit > > ! (default: $default_destination_recipient_limit)
    > > > > !

    The maximal number of recipients per message for the relay > > ! message delivery transport. This limit is enforced by the queue > > ! manager. The message delivery transport name is the first field in > > ! the entry in the master.cf file.

    > > > > !

    Setting this parameter to a value of 1 changes the meaning of > > ! relay_destination_concurrency_limit from concurrency per domain > > ! into concurrency per recipient.

    > > > > !

    This feature is available in Postfix 2.0 and later.

    > > > > > > -
    > > > > !
    relay_domains > > ! (default: $mydestination)
    > > > > !

    What destination domains (and subdomains thereof) this system > > ! will relay mail to. Subdomain matching is controlled with the > > ! parent_domain_matches_subdomains parameter. For details about how > > ! the relay_domains value is used, see the description of the > > ! permit_auth_destination and reject_unauth_destination SMTP recipient > > ! restrictions.

    > > > > !

    Domains that match $relay_domains are delivered with the > > ! $relay_transport mail delivery transport. The SMTP server validates > > ! recipient addresses with $relay_recipient_maps and rejects non-existent > > ! recipients. See also the relay domains address class in the > > ! ADDRESS_CLASS_README file.

    > > > > !

    Note: Postfix will not automatically forward mail for domains > > ! that list this system as their primary or backup MX host. See the > > ! permit_mx_backup restriction in the postconf(5) manual page.

    > > > > !

    Specify a list of host or domain names, "/file/name" patterns > > ! or "type:table" lookup tables, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. A > > ! "/file/name" pattern is replaced by its contents; a "type:table" > > ! lookup table is matched when a (parent) domain appears as lookup > > ! key. Specify "!pattern" to exclude a domain from the list. The form > > ! "!/file/name" is supported only in Postfix version 2.4 and later. > > !

    > > > > --- 7803,7845 ---- > > > > !
    smtp_fallback_relay > > ! (default: $fallback_relay)
    > > > > !

    > > ! Optional list of relay hosts for SMTP destinations that can't be > > ! found or that are unreachable. With Postfix 2.2 and earlier this > > ! parameter is called fallback_relay.

    > > > > !

    > > ! By default, mail is returned to the sender when a destination is > > ! not found, and delivery is deferred when a destination is unreachable. > > !

    > > > > !

    The fallback relays must be SMTP destinations. Specify a domain, > > ! host, host:port, [host]:port, [address] or [address]:port; the form > > ! [host] turns off MX lookups. If you specify multiple SMTP > > ! destinations, Postfix will try them in the specified order.

    > > > > +

    To prevent mailer loops between MX hosts and fall-back hosts, > > + Postfix version 2.2 and later will not use the fallback relays for > > + destinations that it is MX host for (assuming DNS lookup is turned on). > > +

    > > > > > > !
    > > > > !
    smtp_generic_maps > > ! (default: empty)
    > > > > !

    Optional lookup tables that perform address rewriting in the > > ! SMTP client, typically to transform a locally valid address into > > ! a globally valid address when sending mail across the Internet. > > ! This is needed when the local machine does not have its own Internet > > ! domain name, but uses something like localdomain.local > > ! instead.

    > > > > !

    The table format and lookups are documented in generic(5); > > ! examples are shown in the ADDRESS_REWRITING_README and > > ! STANDARD_CONFIGURATION_README documents.

    > > > > !

    This feature is available in Postfix 2.2 and later.
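Review bot: the added paragraph under smtp_fallback_relay ("Postfix version 2.2 and later will not use the fallback relays for destinations that it is MX host for (assuming DNS lookup is turned on)") leaves the condition vague; name the parameter that turns DNS lookups off (disable_dns_lookups, a main.cf parameter) so the reader knows which setting would re-enable the loop. On the old side, relay_domains "(default: $mydestination)" together with "The SMTP server validates recipient addresses with $relay_recipient_maps and rejects non-existent recipients" can mislead, because the relay_recipient_maps entry in a later hunk says that check is off unless the table is configured; this entry should say the validation happens only when relay_recipient_maps is set.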

    > > > > *************** > > *** 8509,8522 **** > > > > !
    relay_domains_reject_code > > ! (default: 554)
    > > > > !

    > > ! The numerical Postfix SMTP server response code when a client > > ! request is rejected by the reject_unauth_destination recipient > > ! restriction. > >

    > > > > !

    > > ! Do not change this unless you have a complete understanding of RFC 2821. > > !

    > > > > --- 7848,7858 ---- > > > > !
    smtp_header_checks > > ! (default: empty)
    > > > > !

    Restricted header_checks(5) tables for the Postfix SMTP client. > > ! These tables are searched while mail is being delivered. Actions > > ! that change the delivery time or destination are not available. > >

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 8525,8542 **** > > > > !
    relay_recipient_maps > > ! (default: empty)
    > > ! > > !

    Optional lookup tables with all valid addresses in the domains > > ! that match $relay_domains. Specify @domain as a wild-card for > > ! domains that have no valid recipient list, and become a source of > > ! backscatter mail: Postfix accepts spam for non-existent recipients > > ! and then floods innocent people with undeliverable mail. Technically, > > ! tables > > ! listed with $relay_recipient_maps are used as lists: Postfix needs > > ! to know only if a lookup string is found or not, but it does not > > ! use the result from table lookup.

    > > > >

    > > ! If this parameter is non-empty, then the Postfix SMTP server will reject > > ! mail to unknown relay users. This feature is off by default. > >

    > > --- 7861,7867 ---- > > > > !
    smtp_helo_name > > ! (default: $myhostname)
    > > > >

    > > ! The hostname to send in the SMTP EHLO or HELO command. > >

    > > *************** > > *** 8544,8547 **** > >

    > > ! See also the relay domains address class in the ADDRESS_CLASS_README > > ! file. > >

    > > --- 7869,7872 ---- > >

    > > ! The default value is the machine hostname. Specify a hostname or > > ! [ip.add.re.ss]. > >

    > > *************** > > *** 8549,8556 **** > >

    > > ! Example: > >

    > > > >
    > > ! relay_recipient_maps = hash:/etc/postfix/relay_recipients
    > >   
    > > > > --- 7874,7886 ---- > >

    > > ! This information can be specified in the main.cf file for all SMTP > > ! clients, or it can be specified in the master.cf file for a specific > > ! client, for example: > >

    > > > > +
    > >
    > > ! /etc/postfix/master.cf:
    > > !     mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    > >   
    > > +
    > > > > *************** > > *** 8563,8586 **** > > > > !
    relay_transport > > ! (default: relay)
    > > ! > > !

    > > ! The default mail delivery transport and next-hop destination for > > ! remote delivery to domains listed with $relay_domains. In order of > > ! decreasing precedence, the nexthop destination is taken from > > ! $relay_transport, $sender_dependent_relayhost_maps, $relayhost, or > > ! from the recipient domain. This information can be overruled with > > ! the transport(5) table. > > !

    > > ! > > !

    > > ! Specify a string of the form transport:nexthop, where transport > > ! is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop destination is optional; its syntax is documented > > ! in the manual page of the corresponding delivery agent. > > !

    > > > >

    > > ! See also the relay domains address class in the ADDRESS_CLASS_README > > ! file. > >

    > > --- 7893,7900 ---- > > > > !
    smtp_helo_timeout > > ! (default: 300s)
    > > > >

    > > ! The SMTP client time limit for sending the HELO or EHLO command, > > ! and for receiving the initial server response. > >

    > > *************** > > *** 8588,8590 **** > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > --- 7902,7905 ---- > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > *************** > > *** 8594,8604 **** > > > > !
    relayhost > > ! (default: empty)
    > > > >

    > > ! The next-hop destination of non-local mail; overrides non-local > > ! domains in recipient addresses. This information is overruled with > > ! relay_transport, sender_dependent_default_transport_maps, > > ! default_transport, sender_dependent_relayhost_maps > > ! and with the transport(5) table. > >

    > > --- 7909,7916 ---- > > > > !
    smtp_host_lookup > > ! (default: dns)
    > > > >

    > > ! What mechanisms when the Postfix SMTP client uses to look up a host's IP > > ! address. This parameter is ignored when DNS lookups are disabled. > >
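Review bot: grammar in the smtp_host_lookup description on the new side of this hunk: "What mechanisms when the Postfix SMTP client uses to look up a host's IP address" has a stray "when"; suggest "What mechanisms the Postfix SMTP client uses to look up a host's IP address." The following sentence ("This parameter is ignored when DNS lookups are disabled") reads fine as is.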

    > > *************** > > *** 8606,8650 **** > >

    > > ! On an intranet, specify the organizational domain name. If your > > ! internal DNS uses no MX records, specify the name of the intranet > > ! gateway host instead. > >

    > > > > !

    > > ! In the case of SMTP, specify a domain name, hostname, hostname:port, > > ! [hostname]:port, [hostaddress] or [hostaddress]:port. The form > > ! [hostname] turns off MX lookups. > > !

    > > > > !

    > > ! If you're connected via UUCP, see the UUCP_README file for useful > > ! information. > > !

    > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! relayhost = $mydomain
    > > ! relayhost = [gateway.example.com]
    > > ! relayhost = uucphost
    > > ! relayhost = [an.ip.add.ress]
    > > ! 
    > > > > > > !
    > > > > !
    relocated_maps > > ! (default: empty)
    > > > >

    > > ! Optional lookup tables with new contact information for users or > > ! domains that no longer exist. The table format and lookups are > > ! documented in relocated(5). > >

    > > > >

    > > ! If you use this feature, run "postmap /etc/postfix/relocated" to > > ! build the necessary DBM or DB file after change, then "postfix > > ! reload" to make the changes visible. > >

    > > --- 7918,7954 ---- > >

    > > ! Specify one of the following: > >

    > > > > !
    > > > > !
    dns
    > > > > !
    Hosts can be found in the DNS (preferred).
    > > > > !
    native
    > > ! > > !
    Use the native naming service only (nsswitch.conf, or equivalent > > ! mechanism).
    > > > > +
    dns, native
    > > > > !
    Use the native service for hosts not found in the DNS.
    > > > > !
    > > > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > + > > +
    > > + > > +
    smtp_line_length_limit > > + (default: 990)
    > > + > >

    > > ! The maximal length of message header and body lines that Postfix > > ! will send via SMTP. Longer lines are broken by inserting > > ! "<CR><LF><SPACE>". This minimizes the damage to > > ! MIME formatted mail. > >

    > > *************** > > *** 8652,8661 **** > >

    > > ! Examples: > >

    > > > > -
    > > - relocated_maps = dbm:/etc/postfix/relocated
    > > - relocated_maps = hash:/etc/postfix/relocated
    > > - 
    > > - > > > > --- 7956,7961 ---- > >

    > > ! By default, the line length is limited to 990 characters, because > > ! some server implementations cannot receive mail with long lines. > >

    > > > > > > *************** > > *** 8663,8693 **** > > > > !
    remote_header_rewrite_domain > > ! (default: empty)
    > > > > !

    Don't rewrite message headers from remote clients at all when > > ! this parameter is empty; otherwise, rewrite message headers and > > ! append the specified domain name to incomplete addresses. The > > ! local_header_rewrite_clients parameter controls what clients Postfix > > ! considers local.

    > > > > !

    Examples:

    > > > > -

    The safe setting: append "domain.invalid" to incomplete header > > - addresses from remote SMTP clients, so that those addresses cannot > > - be confused with local addresses.

    > > > > !
    > > !
    > > ! remote_header_rewrite_domain = domain.invalid
    > > ! 
    > > !
    > > > > !

    The default, purist, setting: don't rewrite headers from remote > > ! clients at all.

    > > > > !
    > > !
    > > ! remote_header_rewrite_domain =
    > > ! 
    > > !
    > > > > --- 7963,7989 ---- > > > > !
    smtp_mail_timeout > > ! (default: 300s)
    > > > > !

    > > ! The SMTP client time limit for sending the MAIL FROM command, and > > ! for receiving the server response. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > > > !
    > > > > !
    smtp_mime_header_checks > > ! (default: empty)
    > > > > !

    Restricted mime_header_checks(5) tables for the Postfix SMTP > > ! client. These tables are searched while mail is being delivered. > > ! Actions that change the delivery time or destination are not > > ! available.

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 8696,8759 **** > > > > !
    require_home_directory > > ! (default: no)
    > > > >

    > > ! Require that a local(8) recipient's home directory exists > > ! before mail delivery is attempted. By default this test is disabled. > > ! It can be useful for environments that import home directories to > > ! the mail server (IMPORTING HOME DIRECTORIES IS NOT RECOMMENDED). > >

    > > > > > > -
    > > > > !
    reset_owner_alias > > ! (default: no)
    > > > > !

    Reset the local(8) delivery agent's idea of the owner-alias > > ! attribute, when delivering mail to a child alias that does not have > > ! its own owner alias.

    > > > > !

    This feature is available in Postfix 2.8 and later. With older > > ! Postfix releases, the behavior is as if this parameter is set to > > ! "yes".

    > > > > !

    As documented in aliases(5), when an alias name has a > > ! companion alias named owner-name, delivery errors will be > > ! reported to the owner alias instead of the sender. This configuration > > ! is recommended for mailing lists.

    > > ! > > !

    A less known property of the owner alias is that it also forces > > ! the local(8) delivery agent to write local and remote addresses > > ! from alias expansion to a new queue file, instead of attempting to > > ! deliver mail to local addresses as soon as they come out of alias > > ! expansion.

    > > ! > > !

    Writing local addresses from alias expansion to a new queue > > ! file allows for robust handling of temporary delivery errors: errors > > ! with one local member have no effect on deliveries to other members > > ! of the list. On the other hand, delivery to local addresses as > > ! soon as they come out of alias expansion is fragile: a temporary > > ! error with one local address from alias expansion will cause the > > ! entire alias to be expanded repeatedly until the error goes away, > > ! or until the message expires in the queue. In that case, a problem > > ! with one list member results in multiple message deliveries to other > > ! list members.

    > > ! > > !

    The default behavior of Postfix 2.8 and later is to keep the > > ! owner-alias attribute of the parent alias, when delivering mail to > > ! a child alias that does not have its own owner alias. Then, local > > ! addresses from that child alias will be written to a new queue file, > > ! and a temporary error with one local address will not affect delivery > > ! to other mailing list members.

    > > ! > > !

    Unfortunately, older Postfix releases reset the owner-alias > > ! attribute when delivering mail to a child alias that does not have > > ! its own owner alias. The local(8) delivery agent then attempts to > > ! deliver local addresses as soon as they come out of child alias > > ! expansion. If delivery to any address from child alias expansion > > ! fails with a temporary error condition, the entire mailing list may > > ! be expanded repeatedly until the mail expires in the queue, resulting > > ! in multiple deliveries of the same message to mailing list members. > > !

    > > > > --- 7992,8019 ---- > > > > !
    smtp_mx_address_limit > > ! (default: 5)
    > > > >

    > > ! The maximal number of MX (mail exchanger) IP addresses that can > > ! result from mail exchanger lookups, or zero (no limit). Prior to > > ! Postfix version 2.3, this limit was disabled by default. > >

    > > > > +

    > > + This feature is available in Postfix 2.1 and later. > > +

    > > > > > > !
    > > > > !
    smtp_mx_session_limit > > ! (default: 2)
    > > > > !

    The maximal number of SMTP sessions per delivery request before > > ! giving up or delivering to a fall-back relay host, or zero (no > > ! limit). This restriction ignores sessions that fail to complete the > > ! SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to > > ! complete the EHLO and TLS handshake (Postfix version 2.3 and later).

    > > > > !

    This feature is available in Postfix 2.1 and later.

    > > > > *************** > > *** 8762,8780 **** > > > > !
    resolve_dequoted_address > > ! (default: yes)
    > > ! > > !

    Resolve a recipient address safely instead of correctly, by > > ! looking inside quotes.

    > > > > !

    By default, the Postfix address resolver does not quote the > > ! address localpart as per RFC 822, so that additional @ or % or ! > > ! operators remain visible. This behavior is safe but it is also > > ! technically incorrect.

    > > > > !

    If you specify "resolve_dequoted_address = no", then > > ! the Postfix > > ! resolver will not know about additional @ etc. operators in the > > ! address localpart. This opens opportunities for obscure mail relay > > ! attacks with user at domain@domain addresses when Postfix provides > > ! backup MX service for Sendmail systems.

    > > > > --- 8022,8032 ---- > > > > !
    smtp_nested_header_checks > > ! (default: empty)
    > > > > !

    Restricted nested_header_checks(5) tables for the Postfix SMTP > > ! client. These tables are searched while mail is being delivered. > > ! Actions that change the delivery time or destination are not > > ! available.

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 8783,8798 **** > > > > !
    resolve_null_domain > > (default: no)
    > > > > !

    Resolve an address that ends in the "@" null domain as if the > > ! local hostname were specified, instead of rejecting the address as > > ! invalid.

    > > > > -

    This feature is available in Postfix 2.1 and later. > > - Earlier versions always resolve the null domain as the local > > - hostname.

    > > > > !

    The Postfix SMTP server uses this feature to reject mail from > > ! or to addresses that end in the "@" null domain, and from addresses > > ! that rewrite into a form that ends in the "@" null domain.

    > > > > --- 8035,8058 ---- > > > > !
    smtp_never_send_ehlo > > (default: no)
    > > > > !

    Never send EHLO at the start of an SMTP session. See also the > > ! smtp_always_send_ehlo parameter.

    > > > > > > !
    > > ! > > !
    smtp_pix_workaround_delay_time > > ! (default: 10s)
    > > ! > > !

    > > ! How long the Postfix SMTP client pauses before sending > > ! ".<CR><LF>" in order to work around the PIX firewall > > ! "<CR><LF>.<CR><LF>" bug. > > !

    > > ! > > !

    > > ! Choosing a too short time makes this workaround ineffective when > > ! sending large messages over slow network connections. > > !

    > > > > *************** > > *** 8801,8809 **** > > > > !
    resolve_numeric_domain > > ! (default: no)
    > > > > !

    Resolve "user at ipaddress" as "user@[ipaddress]", instead of > > ! rejecting the address as invalid.

    > > > > !

    This feature is available in Postfix 2.3 and later. > > > > --- 8061,8071 ---- > > > > !

    smtp_pix_workaround_maps > > ! (default: empty)
    > > > > !

    Lookup tables, indexed by the remote SMTP server address, with > > ! per-destination workarounds for CISCO PIX firewall bugs. The table > > ! is not indexed by hostname for consistency with > > ! smtp_discard_ehlo_keyword_address_maps.

    > > > > !

    This feature is available in Postfix 2.4 and later.

    > > > > *************** > > *** 8812,8820 **** > > > > !
    rewrite_service_name > > ! (default: rewrite)
    > > > >

    > > ! The name of the address rewriting service. This service rewrites > > ! addresses to standard form and resolves them to a (delivery method, > > ! next-hop host, recipient) triple. > >

    > > --- 8074,8087 ---- > > > > !
    smtp_pix_workaround_threshold_time > > ! (default: 500s)
    > > ! > > !

    How long a message must be queued before the Postfix SMTP client > > ! turns on the PIX firewall "<CR><LF>.<CR><LF>" > > ! bug workaround for delivery through firewalls with "smtp fixup" > > ! mode turned on.

    > > > >

    > > ! By default, the workaround is turned off for mail that is queued > > ! for less than 500 seconds. In other words, the workaround is normally > > ! turned off for the first delivery attempt. > >

    > > *************** > > *** 8822,8824 **** > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > --- 8089,8093 ---- > >

    > > ! Specify 0 to enable the PIX firewall > > ! "<CR><LF>.<CR><LF>" bug workaround upon the > > ! first delivery attempt. > >

    > > *************** > > *** 8828,8855 **** > > > > !
    sample_directory > > ! (default: /etc/postfix)
    > > ! > > !

    > > ! The name of the directory with example Postfix configuration files. > > ! Starting with Postfix 2.1, these files have been replaced with the > > ! postconf(5) manual page. > > !

    > > > > > > !
    > > > > !
    send_cyrus_sasl_authzid > > ! (default: no)
    > > > > !

    When authenticating to a remote SMTP or LMTP server with the > > ! default setting "no", send no SASL authoriZation ID (authzid); send > > ! only the SASL authentiCation ID (authcid) plus the authcid's password. > > !

    > > > > !

    The non-default setting "yes" enables the behavior of older > > ! Postfix versions. These always send a SASL authzid that is equal > > ! to the SASL authcid, but this causes inter-operability problems > > ! with some SMTP servers.

    > > > > !

    This feature is available in Postfix 2.4.4 and later.

    > > > > --- 8097,8122 ---- > > > > !
    smtp_pix_workarounds > > ! (default: disable_esmtp, delay_dotcrlf)
    > > > > +

    A list that specifies zero or more workarounds for CISCO PIX > > + firewall bugs. These workarounds are implemented by the Postfix > > + SMTP client. Workaround names are separated by comma or space, and > > + are case insensitive. This parameter setting can be overruled with > > + per-destination smtp_pix_workaround_maps settings.

    > > > > !
    > > > > !
    delay_dotcrlf
    Insert a delay before sending > > ! ".<CR><LF>" after the end of the message content. The > > ! delay is subject to the smtp_pix_workaround_delay_time and > > ! smtp_pix_workaround_threshold_time parameter settings.
    > > > > !
    disable_esmtp
    Disable all extended SMTP commands: > > ! send HELO instead of EHLO.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.4 and later. The default > > ! settings are backwards compatible with earlier Postfix versions. > > !

    > > > > *************** > > *** 8858,8865 **** > > > > !
    sender_based_routing > > ! (default: no)
    > > > >

    > > ! This parameter should not be used. It was replaced by sender_dependent_relayhost_maps > > ! in Postfix version 2.3. > >

    > > --- 8125,8137 ---- > > > > !
    smtp_quit_timeout > > ! (default: 300s)
    > > > >

    > > ! The SMTP client time limit for sending the QUIT command, and for > > ! receiving the server response. > > !

    > > ! > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > *************** > > *** 8869,8879 **** > > > > !
    sender_bcc_maps > > ! (default: empty)
    > > ! > > !

    Optional BCC (blind carbon-copy) address lookup tables, indexed > > ! by sender address. The BCC address (multiple results are not > > ! supported) is added when mail enters from outside of Postfix.

    > > > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > --- 8141,8149 ---- > > > > !
    smtp_quote_rfc821_envelope > > ! (default: yes)
    > > > >

    > > ! Quote addresses in SMTP MAIL FROM and RCPT TO commands as required > > ! by RFC 2821. This includes putting quotes around an address localpart > > ! that ends in ".". > >

    > > *************** > > *** 8881,8926 **** > >

    > > ! The table search order is as follows: > >

    > > > > !
      > > > > !
    • Look up the "user+extension at domain.tld" address including the > > ! optional address extension. > > ! > > !
    • Look up the "user at domain.tld" address without the optional > > ! address extension. > > > > !
    • Look up the "user+extension" address local part when the > > ! sender domain equals $myorigin, $mydestination, $inet_interfaces > > ! or $proxy_interfaces. > > > > -
    • Look up the "user" address local part when the sender domain > > - equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces. > > > > !
    • Look up the "@domain.tld" part. > > > > !
    > > > >

    > > ! Specify the types and names of databases to use. After change, > > ! run "postmap /etc/postfix/sender_bcc". > >

    > > > > -

    > > - Note: if mail to the BCC address bounces it will be returned to > > - the sender. > > -

    > > > > !

    Note: automatic BCC recipients are produced only for new mail. > > ! To avoid mailer loops, automatic BCC recipients are not generated > > ! after Postfix forwards mail internally, or after Postfix generates > > ! mail itself.

    > > > >

    > > ! Example: > >

    > > > > !
    > > ! sender_bcc_maps = hash:/etc/postfix/sender_bcc
    > > ! 
    > > > > --- 8151,8198 ---- > >

    > > ! The default is to comply with RFC 2821. If you have to send mail to > > ! a broken SMTP server, configure a special SMTP client in master.cf: > >

    > > > > !
    > > !
    > > ! /etc/postfix/master.cf:
    > > !     broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
    > > ! 
    > > !
    > > > > !

    > > ! and route mail for the destination in question to the "broken-smtp" > > ! message delivery with a transport(5) table. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > > > !
    > > > > !
    smtp_randomize_addresses > > ! (default: yes)
    > > > >

    > > ! Randomize the order of equal-preference MX host addresses. This > > ! is a performance feature of the Postfix SMTP client. > >

    > > > > > > !
    > > ! > > !
    smtp_rcpt_timeout > > ! (default: 300s)
    > > > >

    > > ! The SMTP client time limit for sending the SMTP RCPT TO command, and > > ! for receiving the server response. > >

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > *************** > > *** 8929,8941 **** > > > > !
    sender_canonical_classes > > ! (default: envelope_sender, header_sender)
    > > ! > > !

    What addresses are subject to sender_canonical_maps address > > ! mapping. By default, sender_canonical_maps address mapping is > > ! applied to envelope sender addresses, and to header sender addresses. > > !

    > > > > !

    Specify one or more of: envelope_sender, header_sender

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > --- 8201,8211 ---- > > > > !
    smtp_rset_timeout > > ! (default: 20s)
    > > > > !

    The SMTP client time limit for sending the RSET command, and > > ! for receiving the server response. The SMTP client sends RSET in > > ! order to finish a recipient address probe, or to verify that a > > ! cached session is still usable.

    > > > > !

    This feature is available in Postfix 2.1 and later.

    > > > > *************** > > *** 8944,8972 **** > > > > !
    sender_canonical_maps > > (default: empty)
    > > > > !

    > > ! Optional address mapping lookup tables for envelope and header > > ! sender addresses. > > ! The table format and lookups are documented in canonical(5). > > !

    > > > > !

    > > ! Example: you want to rewrite the SENDER address "user at ugly.domain" > > ! to "user at pretty.domain", while still being able to send mail to > > ! the RECIPIENT address "user at ugly.domain". > >

    > > > > !

    > > ! Note: $sender_canonical_maps is processed before $canonical_maps. > > !

    > > > > !

    > > ! Example: > >

    > > > >
    > > ! sender_canonical_maps = hash:/etc/postfix/sender_canonical
    > >   
    > > > > > > --- 8214,8253 ---- > > > > !
    smtp_sasl_auth_cache_name > > (default: empty)
    > > > > !

    An optional table to prevent repeated SASL authentication > > ! failures with the same remote SMTP server hostname, username and > > ! password. Each table (key, value) pair contains a server name, a > > ! username and password, and the full server response. This information > > ! is stored when a remote SMTP server rejects an authentication attempt > > ! with a 535 reply code. As long as the smtp_sasl_password_maps > > ! information does no change, and as long as the smtp_sasl_auth_cache_name > > ! information does not expire (see smtp_sasl_auth_cache_time) the > > ! Postfix SMTP client avoids SASL authentication attempts with the > > ! same server, username and password, and instead bounces or defers > > ! mail as controlled with the smtp_sasl_auth_soft_bounce configuration > > ! parameter.

    > > > > !

    Use a per-destination delivery concurrency of 1 (for example, > > ! "smtp_destination_concurrency_limit = 1", > > ! "relay_destination_concurrency_limit = 1", etc.), otherwise multiple > > ! delivery agents may experience a login failure at the same time. > >

    > > > > !

    The table must be accessed via the proxywrite service, i.e. the > > ! map name must start with "proxy:". The table should be stored under > > ! the directory specified with the data_directory parameter.

    > > > > !

    This feature uses cryptographic hashing to protect plain-text > > ! passwords, and requires that Postfix is compiled with TLS support. > >

    > > > > +

    Example:

    > > + > >
    > > ! smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
    > >   
    > > > > +

    This feature is available in Postfix 2.5 and later.
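Review bot: typo in the smtp_sasl_auth_cache_name paragraph of this hunk: "As long as the smtp_sasl_password_maps information does no change" should read "does not change". The rest of the paragraph (cache keyed on server name, username and password, populated on a 535 reply, expiry governed by smtp_sasl_auth_cache_time) is consistent with the parameters it names.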

    > > + > > > > *************** > > *** 8974,8994 **** > > > > !
    sender_dependent_default_transport_maps > > ! (default: empty)
    > > ! > > !

    A sender-dependent override for the global default_transport > > ! parameter setting. The tables are searched by the envelope sender > > ! address and @domain. A lookup result of DUNNO terminates the search > > ! without overriding the global default_transport parameter setting. > > ! This information is overruled with the transport(5) table.

    > > ! > > !

    Note: this overrides default_transport, not transport_maps, and > > ! therefore the expected syntax is that of default_transport, not the > > ! syntax of transport_maps. Specifically, this does not support the > > ! transport_maps syntax for null transport, null nexthop, or null > > ! email addresses.

    > > > > !

    For safety reasons, this feature does not allow $number > > ! substitutions in regular expression maps.

    > > > > !

    This feature is available in Postfix 2.7 and later.

    > > > > --- 8255,8263 ---- > > > > !
    smtp_sasl_auth_cache_time > > ! (default: 90d)
    > > > > !

    The maximal age of an smtp_sasl_auth_cache_name entry before it > > ! is removed.

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 8997,9016 **** > > > > !
    sender_dependent_relayhost_maps > > ! (default: empty)
    > > ! > > !

    A sender-dependent override for the global relayhost parameter > > ! setting. The tables are searched by the envelope sender address and > > ! @domain. A lookup result of DUNNO terminates the search without > > ! overriding the global relayhost parameter setting (Postfix 2.6 and > > ! later). This information is overruled with relay_transport, > > ! sender_dependent_default_transport_maps, default_transport and with > > ! the transport(5) table.

    > > > > !

    For safety reasons, this feature does not allow $number > > ! substitutions in regular expression maps.

    > > > >

    > > ! This feature is available in Postfix 2.3 and later. > >

    > > > > > > --- 8266,8283 ---- > > > > !
    smtp_sasl_auth_enable > > ! (default: no)
    > > > > !

    > > ! Enable SASL authentication in the Postfix SMTP client. By default, > > ! the Postfix SMTP client uses no authentication. > > !

    > > > >

    > > ! Example: > >

    > > > > +
    > > + smtp_sasl_auth_enable = yes
    > > + 
    > > + > > > > *************** > > *** 9018,9044 **** > > > > !
    sendmail_fix_line_endings > > ! (default: always)
    > > ! > > !

    Controls how the Postfix sendmail command converts email message > > ! line endings from <CR><LF> into UNIX format (<LF>). > > !

    > > > > !
    > > > > !
    always
    Always convert message lines ending > > ! in <CR><LF>. This setting is the default with Postfix > > ! 2.9 and later.
    > > ! > > !
    strict
    Convert message lines ending in > > ! <CR><LF> only if the first input line ends in > > ! <CR><LF>. This setting is backwards-compatible with > > ! Postfix 2.8 and earlier.
    > > > > !
    never
    Never convert message lines ending in > > ! <CR><LF>. This setting exists for completeness only. > > !
    > > > > !
    > > > > !

    This feature is available in Postfix 2.9 and later.

    > > > > --- 8285,8307 ---- > > > > !
    smtp_sasl_auth_soft_bounce > > ! (default: yes)
    > > > > !

    When a remote SMTP server rejects a SASL authentication request > > ! with a 535 reply code, defer mail delivery instead of returning > > ! mail as undeliverable. The latter behavior was hard-coded prior to > > ! Postfix version 2.5.

    > > > > !

    Note: the setting "yes" overrides the global soft_bounce > > ! parameter, but the setting "no" does not.

    > > > > !

    Example:

    > > > > !
    > > ! # Default as of Postfix 2.5
    > > ! smtp_sasl_auth_soft_bounce = yes
    > > ! # The old hard-coded default
    > > ! smtp_sasl_auth_soft_bounce = no
    > > ! 
    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 9047,9057 **** > > > > !
    sendmail_path > > ! (default: see "postconf -d" output)
    > > > >

    > > ! A Sendmail compatibility feature that specifies the location of > > ! the Postfix sendmail(1) command. This command can be used to > > ! submit mail into the Postfix queue. > >

    > > > > > > --- 8310,8340 ---- > > > > !
    smtp_sasl_mechanism_filter > > ! (default: empty)
    > > > >

    > > ! If non-empty, a Postfix SMTP client filter for the remote SMTP > > ! server's list of offered SASL mechanisms. Different client and > > ! server implementations may support different mechanism lists. By > > ! default, the Postfix SMTP client will use the intersection of the > > ! two. smtp_sasl_mechanism_filter further restricts what server > > ! mechanisms the client will take into consideration.

    > > ! > > !

    Specify mechanism names, "/file/name" patterns or "type:table" > > ! lookup tables. The right-hand side result from "type:table" lookups > > ! is ignored. Specify "!pattern" to exclude a mechanism name from the > > ! list. The form "!/file/name" is supported only in Postfix version > > ! 2.4 and later.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > !

    > > ! Examples: > >

    > > > > +
    > > + smtp_sasl_mechanism_filter = plain, login
    > > + smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    > > + smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
    > > + 
    > > + > > > > *************** > > *** 9059,9066 **** > > > > !
    service_throttle_time > > ! (default: 60s)
    > > > >

    > > ! How long the Postfix master(8) waits before forking a server that > > ! appears to be malfunctioning. > >

    > > --- 8342,8352 ---- > > > > !
    smtp_sasl_password_maps > > ! (default: empty)
    > > > >

    > > ! Optional SMTP client lookup tables with one username:password entry > > ! per remote hostname or domain, or sender address when sender-dependent > > ! authentication is enabled. If no username:password entry is found, > > ! then the Postfix SMTP client will not > > ! attempt to authenticate to the remote host. > >

    > > *************** > > *** 9068,9071 **** > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > --- 8354,8357 ---- > >

    > > ! The Postfix SMTP client opens the lookup table before going to > > ! chroot jail, so you can leave the password file in /etc/postfix. > >
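Review bot: the chroot note for smtp_sasl_password_maps says the password file can stay in /etc/postfix but says nothing about its ownership or mode, although the file holds plaintext credentials. Suggest stating that the source file and any compiled table built from it should be readable only by root, in the same way the smtp_tls_dkey_file entry later in this patch says "file permissions should grant read/write access only to the system superuser account ("root")".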

    > > *************** > > *** 9075,9085 **** > > > > !
    setgid_group > > ! (default: postdrop)
    > > > > !

    > > ! The group ownership of set-gid Postfix commands and of group-writable > > ! Postfix directories. When this parameter value is changed you need > > ! to re-run "postfix set-permissions" (with Postfix version 2.0 and > > ! earlier: "/etc/postfix/post-install set-permissions". > > !

    > > > > --- 8361,8372 ---- > > > > !
    smtp_sasl_path > > ! (default: empty)
    > > > > !

    Implementation-specific information that the Postfix SMTP client > > ! passes through to > > ! the SASL plug-in implementation that is selected with > > ! smtp_sasl_type. Typically this specifies the name of a > > ! configuration file or rendezvous point.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > > > *************** > > *** 9088,9147 **** > > > > !
    show_user_unknown_table_name > > ! (default: yes)
    > > > > !

    > > ! Display the name of the recipient table in the "User unknown" > > ! responses. The extra detail makes trouble shooting easier but also > > ! reveals information that is nobody elses business. > > !

    > > > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > > > > > !
    > > ! > > !
    showq_service_name > > ! (default: showq)
    > > > > !

    > > ! The name of the showq(8) service. This service produces mail queue > > ! status reports. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > !
    smtp_address_preference > > ! (default: any)
    > > > > !

    The address type ("ipv6", "ipv4" or "any") that the Postfix > > ! SMTP client will try first, when a destination has IPv6 and IPv4 > > ! addresses with equal MX preference. This feature has no effect > > ! unless the inet_protocols setting enables both IPv4 and IPv6. > > ! With Postfix 2.8 the default is "ipv6".

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > > > !
    > > > > !
    smtp_always_send_ehlo > > ! (default: yes)
    > > > >

    > > ! Always send EHLO at the start of an SMTP session. > >

    > > > > !

    > > ! With "smtp_always_send_ehlo = no", the Postfix SMTP client sends > > ! EHLO only when > > ! the word "ESMTP" appears in the server greeting banner (example: > > ! 220 spike.porcupine.org ESMTP Postfix). > > !

    > > > > --- 8375,8424 ---- > > > > !
    smtp_sasl_security_options > > ! (default: noplaintext, noanonymous)
    > > > > !

    Postfix SMTP client SASL security options; as of Postfix 2.3 > > ! the list of available > > ! features depends on the SASL client implementation that is selected > > ! with smtp_sasl_type.

    > > ! > > !

    The following security features are defined for the cyrus > > ! client SASL implementation:

    > > > >

    > > ! Specify zero or more of the following: > >

    > > > > +
    > > > > !
    noplaintext
    > > > > !
    Disallow methods that use plaintext passwords.
    > > > > !
    noactive
    > > > > +
    Disallow methods subject to active (non-dictionary) attack. > > +
    > > > > !
    nodictionary
    > > > > !
    Disallow methods subject to passive (dictionary) attack.
    > > > > !
    noanonymous
    > > > > !
    Disallow methods that allow anonymous authentication.
    > > > > +
    mutual_auth
    > > > > !
    Only allow methods that provide mutual authentication (not > > ! available with SASL version 1).
    > > > > !
    > > > >

    > > ! Example: > >

    > > > > !
    > > ! smtp_sasl_security_options = noplaintext
    > > ! 
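Review bot: the single example `smtp_sasl_security_options = noplaintext` drops `noanonymous` from the documented default "noplaintext, noanonymous", so a reader who copies it permits anonymous mechanisms without being told. Either restore the default in the example or add a sentence saying that the example deliberately allows anonymous authentication. A smaller point in the same table: mutual_auth says "(not available with SASL version 1)" while the other entries give no version information, so it is unclear whether they apply to both.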
    > > > > *************** > > *** 9150,9180 **** > > > > !
    smtp_bind_address > > ! (default: empty)
    > > ! > > !

    > > ! An optional numerical network address that the Postfix SMTP client > > ! should bind to when making an IPv4 connection. > > !

    > > ! > > !

    > > ! This can be specified in the main.cf file for all SMTP clients, or > > ! it can be specified in the master.cf file for a specific client, > > ! for example: > > !

    > > ! > > !
    > > !
    > > ! /etc/postfix/master.cf:
    > > !     smtp ... smtp -o smtp_bind_address=11.22.33.44
    > > ! 
    > > !
    > > > > !

    Note 1: when inet_interfaces specifies no more than one IPv4 > > ! address, and that address is a non-loopback address, it is > > ! automatically used as the smtp_bind_address. This supports virtual > > ! IP hosting, but can be a problem on multi-homed firewalls. See the > > ! inet_interfaces documentation for more detail.

    > > > > !

    Note 2: address information may be enclosed inside [], > > ! but this form is not required here.

    > > > > --- 8427,8435 ---- > > > > !
    smtp_sasl_tls_security_options > > ! (default: $smtp_sasl_security_options)
    > > > > !

    The SASL authentication security options that the Postfix SMTP > > ! client uses for TLS encrypted SMTP sessions.

    > > > > !

    This feature is available in Postfix 2.2 and later.
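Review bot: the smtp_sasl_tls_security_options entry does not say why a separate setting for TLS sessions exists. Because it defaults to $smtp_sasl_security_options, which in turn defaults to "noplaintext, noanonymous", mechanisms that use plaintext passwords (the "plain, login" names used in the smtp_sasl_mechanism_filter example) stay disabled even inside an encrypted session unless this parameter is set; suggest one sentence saying that, for example, "noanonymous" alone here allows plaintext mechanisms only once TLS is active, while the non-TLS default keeps them blocked.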

    > > > > *************** > > *** 9183,9215 **** > > > > !
    smtp_bind_address6 > > ! (default: empty)
    > > > > !

    > > ! An optional numerical network address that the Postfix SMTP client > > ! should bind to when making an IPv6 connection. > > !

    > > > > -

    This feature is available in Postfix 2.2 and later.

    > > > > !

    > > ! This can be specified in the main.cf file for all SMTP clients, or > > ! it can be specified in the master.cf file for a specific client, > > ! for example: > > !

    > > > > !
    > > !
    > > ! /etc/postfix/master.cf:
    > > !     smtp ... smtp -o smtp_bind_address6=1:2:3:4:5:6:7:8
    > > ! 
    > > !
    > > > > !

    Note 1: when inet_interfaces specifies no more than one IPv6 > > ! address, and that address is a non-loopback address, it is > > ! automatically used as the smtp_bind_address6. This supports virtual > > ! IP hosting, but can be a problem on multi-homed firewalls. See the > > ! inet_interfaces documentation for more detail.

    > > > > !

    Note 2: address information may be enclosed inside [], > > ! but this form is not recommended here.

    > > > > --- 8438,8458 ---- > > > > !
    smtp_sasl_tls_verified_security_options > > ! (default: $smtp_sasl_tls_security_options)
    > > > > !

    The SASL authentication security options that the Postfix SMTP > > ! client uses for TLS encrypted SMTP sessions with a verified server > > ! certificate. This feature is under construction as of Postfix version > > ! 2.3.

    > > > > > > !
    > > > > !
    smtp_sasl_type > > ! (default: cyrus)
    > > > > !

    The SASL plug-in type that the Postfix SMTP client should use > > ! for authentication. The available types are listed with the > > ! "postconf -A" command.

    > > > > !

    This feature is available in Postfix 2.3 and later.
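Review bot: smtp_sasl_tls_verified_security_options is described as "under construction as of Postfix version 2.3" but, unlike every neighbouring entry, carries no "This feature is available in Postfix ... and later" line, so a reader cannot tell which versions honour the parameter at all; suggest adding the availability line. In the smtp_sasl_type entry, "postconf -A" could be written as a postconf(1) reference like the other command references in this document.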

    > > > > *************** > > *** 9218,9228 **** > > > > !
    smtp_body_checks > > ! (default: empty)
    > > > > !

    Restricted body_checks(5) tables for the Postfix SMTP client. > > ! These tables are searched while mail is being delivered. Actions > > ! that change the delivery time or destination are not available. > >

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > --- 8461,8481 ---- > > > > !
    smtp_send_xforward_command > > ! (default: no)
    > > > > !

    > > ! Send the non-standard XFORWARD command when the Postfix SMTP server > > ! EHLO response announces XFORWARD support. > >

    > > > > !

    > > ! This allows an "smtp" delivery agent, used for injecting mail into > > ! a content filter, to forward the name, address, protocol and HELO > > ! name of the original client to the content filter and downstream > > ! queuing SMTP server. This can produce more useful logging than > > ! localhost[127.0.0.1] etc. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !
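Review bot: the smtp_send_xforward_command text explains what is forwarded (name, address, protocol and HELO name of the original client) but not that the content filter and the downstream queuing server record those attributes exactly as this client supplies them. Suggest a sentence after "This can produce more useful logging than localhost[127.0.0.1] etc." saying the parameter should only be enabled toward a filter or server that is configured to trust this "smtp" delivery agent, since the forwarded attributes are not verifiable by the receiver.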

    > > > > *************** > > *** 9231,9244 **** > > > > !
    smtp_cname_overrides_servername > > ! (default: version dependent)
    > > > > !

    Allow DNS CNAME records to override the servername that the > > ! Postfix SMTP client uses for logging, SASL password lookup, TLS > > ! policy decisions, or TLS certificate verification. The value "no" > > ! hardens Postfix smtp_tls_per_site hostname-based policies against > > ! false hostname information in DNS CNAME records, and makes SASL > > ! password file lookups more predictable. This is the default setting > > ! as of Postfix 2.3.

    > > > > !

    This feature is available in Postfix 2.2.9 and later.

    > > > > --- 8484,8497 ---- > > > > !
    smtp_sender_dependent_authentication > > ! (default: no)
    > > > > !

    > > ! Enable sender-dependent authentication in the Postfix SMTP client; this is > > ! available only with SASL authentication, and disables SMTP connection > > ! caching to ensure that mail from different senders will use the > > ! appropriate credentials.

    > > > > !

    > > ! This feature is available in Postfix 2.3 and later. > > !

    > > > > *************** > > *** 9247,9254 **** > > > > !
    smtp_connect_timeout > > ! (default: 30s)
    > > > >

    > > ! The Postfix SMTP client time limit for completing a TCP connection, or > > ! zero (use the operating system built-in time limit). > >

    > > --- 8500,8507 ---- > > > > !
    smtp_skip_4xx_greeting > > ! (default: yes)
    > > > >

    > > ! Skip SMTP servers that greet with a 4XX status code (go away, try > > ! again later). > >

    > > *************** > > *** 9256,9268 **** > >

    > > ! When no connection can be made within the deadline, the Postfix > > ! SMTP client > > ! tries the next address on the mail exchanger list. Specify 0 to > > ! disable the time limit (i.e. use whatever timeout is implemented by > > ! the operating system). > >

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > --- 8509,8518 ---- > >

    > > ! By default, Postfix moves on the next mail exchanger. Specify > > ! "smtp_skip_4xx_greeting = no" if Postfix should defer delivery > > ! immediately. > >

    > > > > !

    This feature is available in Postfix 2.0 and earlier. > > ! Later Postfix versions always skip SMTP servers that greet with a > > ! 4XX status code.
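Review bot: the smtp_skip_4xx_greeting entry contradicts itself: the header gives "(default: yes)" and the body tells the reader to specify "smtp_skip_4xx_greeting = no", while the final paragraph says the parameter exists only in Postfix 2.0 and earlier and that later versions always skip 4XX greetings. Suggest opening the entry with an "Obsolete" marker, as the smtp_tls_cipherlist entry in this same patch does ("Obsolete Postfix < 2.3 control"), so the availability note is not the last thing a reader sees.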

    > > > > *************** > > *** 9271,9308 **** > > > > !
    smtp_connection_cache_destinations > > ! (default: empty)
    > > > > !

    Permanently enable SMTP connection caching for the specified > > ! destinations. With SMTP connection caching, a connection is not > > ! closed immediately after completion of a mail transaction. Instead, > > ! the connection is kept open for up to $smtp_connection_cache_time_limit > > ! seconds. This allows connections to be reused for other deliveries, > > ! and can improve mail delivery performance.

    > > > > !

    Specify a comma or white space separated list of destinations > > ! or pseudo-destinations:

    > > > > -
      > > > > !
    • if mail is sent without a relay host: a domain name (the > > ! right-hand side of an email address, without the [] around a numeric > > ! IP address), > > > > !
    • if mail is sent via a relay host: a relay host name (without > > ! [] or non-default TCP port), as specified in main.cf or in the > > ! transport map, > > > > !
    • if mail is sent via a UNIX-domain socket: a pathname (without > > ! the unix: prefix), > > > > -
    • a /file/name with domain names and/or relay host names as > > - defined above, > > > > !
    • a "type:table" with domain names and/or relay host names on > > ! the left-hand side. The right-hand side result from "type:table" > > ! lookups is ignored. > > > > !
    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > --- 8521,8555 ---- > > > > !
    smtp_skip_5xx_greeting > > ! (default: yes)
    > > > > !

    > > ! Skip SMTP servers that greet with a 5XX status code (go away, do > > ! not try again later). > > !

    > > > > !

    By default, the Postfix SMTP client moves on the next mail > > ! exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should > > ! bounce the mail immediately. The default setting is incorrect, but > > ! it is what a lot of people expect to happen.

    > > > > > > !
    > > > > !
    smtp_skip_quit_response > > ! (default: yes)
    > > > > !

    > > ! Do not wait for the response to the SMTP QUIT command. > > !

    > > > > > > !
    > > > > !
    smtp_starttls_timeout > > ! (default: 300s)
    > > > > !

    Time limit for Postfix SMTP client write and read operations > > ! during TLS startup and shutdown handshake procedures.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.
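Review bot: the smtp_skip_5xx_greeting text says "The default setting is incorrect, but it is what a lot of people expect to happen" without saying what the consequence of the default is. Suggest stating it plainly: with the default, a permanent 5XX greeting is not turned into a bounce; the client moves on to the next mail exchanger and the message is retried rather than returned, so a server's deliberate refusal only surfaces after the queue lifetime. For smtp_starttls_timeout, consider adding the "Time units: s (seconds), m (minutes), ..." sentence that the other timeout entries in this patch carry.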

    > > > > *************** > > *** 9311,9350 **** > > > > !
    smtp_connection_cache_on_demand > > ! (default: yes)
    > > > > !

    Temporarily enable SMTP connection caching while a destination > > ! has a high volume of mail in the active queue. With SMTP connection > > ! caching, a connection is not closed immediately after completion > > ! of a mail transaction. Instead, the connection is kept open for > > ! up to $smtp_connection_cache_time_limit seconds. This allows > > ! connections to be reused for other deliveries, and can improve mail > > ! delivery performance.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > -
    smtp_connection_cache_reuse_limit > > - (default: 10)
    > > > > !

    When SMTP connection caching is enabled, the number of times that > > ! an SMTP session may be reused before it is closed. > > !

    > > > > !

    This feature is available in Postfix 2.2. In Postfix 2.3 it is > > ! replaced by $smtp_connection_reuse_time_limit.

    > > > > > > !
    > > > > !
    smtp_connection_cache_time_limit > > ! (default: 2s)
    > > > > !

    When SMTP connection caching is enabled, the amount of time that > > ! an unused SMTP client socket is kept open before it is closed. Do > > ! not specify larger values without permission from the remote sites. > > !

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > --- 8558,8597 ---- > > > > !
    smtp_tls_CAfile > > ! (default: empty)
    > > > > !

    The file with the certificate of the certification authority > > ! (CA) that issued the Postfix SMTP client certificate. This is > > ! needed only when the CA certificate is not already present in the > > ! client certificate file.

    > > > > !

    Example:

    > > > > +
    > > + smtp_tls_CAfile = /etc/postfix/CAcert.pem
    > > + 
    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    smtp_tls_CApath > > ! (default: empty)
    > > > > +

    Directory with PEM format certificate authority certificates > > + that the Postfix SMTP client uses to verify a remote SMTP server > > + certificate. Don't forget to create the necessary "hash" links > > + with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". > > +

    > > > > !

    To use this option in chroot mode, this directory (or a copy) > > ! must be inside the chroot jail.

    > > > > !

    Example:

    > > > > !
    > > ! smtp_tls_CApath = /etc/postfix/certs
    > > ! 
    > > > > !

    This feature is available in Postfix 2.2 and later.
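Review bot: the smtp_tls_CAfile description covers only the CA "that issued the Postfix SMTP client certificate", but the smtp_tls_cert_file text later in this patch says that CA certificates added to smtp_tls_CAfile are used to verify remote SMTP server certificates. Suggest saying so in the CAfile entry as well, next to smtp_tls_CApath, so readers do not conclude the file is irrelevant when no client certificate is configured. In the CApath chroot note, it is worth repeating that the "hash" links created with c_rehash must also exist in the copy inside the jail.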

    > > > > *************** > > *** 9353,9423 **** > > > > !
    smtp_connection_reuse_time_limit > > ! (default: 300s)
    > > > > !

    The amount of time during which Postfix will use an SMTP > > ! connection repeatedly. The timer starts when the connection is > > ! initiated (i.e. it includes the connect, greeting and helo latency, > > ! in addition to the latencies of subsequent mail delivery transactions). > > !

    > > > > !

    This feature addresses a performance stability problem with > > ! remote SMTP servers. This problem is not specific to Postfix: it > > ! can happen when any MTA sends large amounts of SMTP email to a site > > ! that has multiple MX hosts.

    > > > > !

    The problem starts when one of a set of MX hosts becomes slower > > ! than the rest. Even though SMTP clients connect to fast and slow > > ! MX hosts with equal probability, the slow MX host ends up with more > > ! simultaneous inbound connections than the faster MX hosts, because > > ! the slow MX host needs more time to serve each client request.

    > > ! > > !

    The slow MX host becomes a connection attractor. If one MX > > ! host becomes N times slower than the rest, it dominates mail delivery > > ! latency unless there are more than N fast MX hosts to counter the > > ! effect. And if the number of MX hosts is smaller than N, the mail > > ! delivery latency becomes effectively that of the slowest MX host > > ! divided by the total number of MX hosts.

    > > ! > > !

    The solution uses connection caching in a way that differs from > > ! Postfix version 2.2. By limiting the amount of time during which a connection > > ! can be used repeatedly (instead of limiting the number of deliveries > > ! over that connection), Postfix not only restores fairness in the > > ! distribution of simultaneous connections across a set of MX hosts, > > ! it also favors deliveries over connections that perform well, which > > ! is exactly what we want.

    > > > > !

    The default reuse time limit, 300s, is comparable to the various > > ! smtp transaction timeouts which are fair estimates of maximum excess > > ! latency for a slow delivery. Note that hosts may accept thousands > > ! of messages over a single connection within the default connection > > ! reuse time limit. This number is much larger than the default Postfix > > ! version 2.2 limit of 10 messages per cached connection. It may prove necessary > > ! to lower the limit to avoid interoperability issues with MTAs that > > ! exhibit bugs when many messages are delivered via a single connection. > > ! A lower reuse time limit risks losing the benefit of connection > > ! reuse when the average connection and mail delivery latency exceeds > > ! the reuse time limit.

    > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > > > !
    > > > > !
    smtp_data_done_timeout > > ! (default: 600s)
    > > > > !

    > > ! The Postfix SMTP client time limit for sending the SMTP ".", and > > ! for receiving the remote SMTP server response. > > !

    > > > > !

    > > ! When no response is received within the deadline, a warning is > > ! logged that the mail may be delivered multiple times. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > --- 8600,8651 ---- > > > > !
    smtp_tls_cert_file > > ! (default: empty)
    > > > > !

    File with the Postfix SMTP client RSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP client private RSA key, > > ! and these may be the same as the Postfix SMTP server RSA certificate and key > > ! file.

    > > > > !

    Do not configure client certificates unless you must present > > ! client TLS certificates to one or more servers. Client certificates are > > ! not usually needed, and can cause problems in configurations that work > > ! well without them. The recommended setting is to let the defaults stand:

    > > > > !
    > > !
    > > ! smtp_tls_cert_file =
    > > ! smtp_tls_dcert_file =
    > > ! smtp_tls_key_file =
    > > ! smtp_tls_dkey_file =
    > > ! 
    > > !
    > > > > !

    The best way to use the default settings is to comment out the above > > ! parameters in main.cf if present.

    > > > > !

    In order to verify certificates, the CA certificate (in case > > ! of a certificate chain, all CA certificates) must be available. > > ! You should add these certificates to the client certificate, the > > ! client certificate first, then the issuing CA(s).

    > > > > +

    Example: the certificate for "client.dom.ain" was issued by > > + "intermediate CA" which itself has a certificate of "root CA". > > + Create the client.pem file with "cat client_cert.pem intermediate_CA.pem > > + root_CA.pem > client.pem".

    > > > > !

    If you also want to verify remote SMTP server certificates issued by > > ! these CAs, you can also add the CA certificates to the smtp_tls_CAfile, > > ! in which case it is not necessary to have them in the smtp_tls_cert_file > > ! or smtp_tls_dcert_file.

    > > > > !

    A certificate supplied here must be usable as an SSL client certificate > > ! and hence pass the "openssl verify -purpose sslclient ..." test.

    > > > > !

    Example:

    > > > > !
    > > ! smtp_tls_cert_file = /etc/postfix/client.pem
    > > ! 
    > > > > !

    This feature is available in Postfix 2.2 and later.
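Review bot: the smtp_tls_cert_file text says the file "may also contain the Postfix SMTP client private RSA key", but the protection requirement for private keys (unencrypted, and readable/writable only by root) appears only in the smtp_tls_dkey_file entry. A combined certificate+key file needs the same protection, so suggest a cross-reference here; the "cat client_cert.pem intermediate_CA.pem root_CA.pem > client.pem" example should then note that the resulting client.pem must be root-only readable when the key is included.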

    > > > > *************** > > *** 9426,9456 **** > > > > !
    smtp_data_init_timeout > > ! (default: 120s)
    > > ! > > !

    > > ! The Postfix SMTP client time limit for sending the SMTP DATA command, > > ! and for receiving the remote SMTP server response. > > !

    > > ! > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > ! > > ! > > !
    > > > > !
    smtp_data_xfer_timeout > > ! (default: 180s)
    > > > > !

    > > ! The Postfix SMTP client time limit for sending the SMTP message content. > > ! When the connection makes no progress for more than $smtp_data_xfer_timeout > > ! seconds the Postfix SMTP client terminates the transfer. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > --- 8654,8671 ---- > > > > !
    smtp_tls_cipherlist > > ! (default: empty)
    > > > > !

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS > > ! cipher list. As this feature applies to all TLS security levels, it is easy > > ! to create inter-operability problems by choosing a non-default cipher > > ! list. Do not use a non-default TLS cipher list on hosts that deliver email > > ! to the public Internet: you will be unable to send email to servers that > > ! only support the ciphers you exclude. Using a restricted cipher list > > ! may be more appropriate for an internal MTA, where one can exert some > > ! control over the TLS software and settings of the peer servers.

    > > > > !

    Note: do not use "" quotes around the parameter value.

    > > > > !

    This feature is available in Postfix version 2.2. It is not used with > > ! Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

    > > > > *************** > > *** 9459,9482 **** > > > > !
    smtp_defer_if_no_mx_address_found > > ! (default: no)
    > > > > !

    > > ! Defer mail delivery when no MX record resolves to an IP address. > > !

    > > > > !

    > > ! The default (no) is to return the mail as undeliverable. With older > > ! Postfix versions the default was to keep trying to deliver the mail > > ! until someone fixed the MX record or until the mail was too old. > >

    > > > > !

    > > ! Note: the Postfix SMTP client always ignores MX records with equal > > ! or worse preference > > ! than the local MTA itself. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > --- 8674,8691 ---- > > > > !
    smtp_tls_dcert_file > > ! (default: empty)
    > > > > !

    File with the Postfix SMTP client DSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP client private DSA key.

    > > > > !

    See the discussion under smtp_tls_cert_file for more details. > >

    > > > > !

    Example:

    > > > > !
    > > ! smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 9485,9523 **** > > > > !
    smtp_destination_concurrency_limit > > ! (default: $default_destination_concurrency_limit)
    > > ! > > !

    The maximal number of parallel deliveries to the same destination > > ! via the smtp message delivery transport. This limit is enforced by > > ! the queue manager. The message delivery transport name is the first > > ! field in the entry in the master.cf file.

    > > > > > > !
    > > > > !
    smtp_destination_recipient_limit > > ! (default: $default_destination_recipient_limit)
    > > > > -

    The maximal number of recipients per message for the smtp > > - message delivery transport. This limit is enforced by the queue > > - manager. The message delivery transport name is the first field in > > - the entry in the master.cf file.

    > > > > !

    Setting this parameter to a value of 1 changes the meaning of > > ! smtp_destination_concurrency_limit from concurrency per domain > > ! into concurrency per recipient.

    > > > > > > !
    > > > > !
    smtp_discard_ehlo_keyword_address_maps > > ! (default: empty)
    > > > > !

    Lookup tables, indexed by the remote SMTP server address, with > > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > > ! etc.) that the Postfix SMTP client will ignore in the EHLO response from a > > ! remote SMTP server. See smtp_discard_ehlo_keywords for details. The > > ! table is not indexed by hostname for consistency with > > ! smtpd_discard_ehlo_keyword_address_maps.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > --- 8694,8730 ---- > > > > !
    smtp_tls_dkey_file > > ! (default: $smtp_tls_dcert_file)
    > > > > +

    File with the Postfix SMTP client DSA private key in PEM format. > > + This file may be combined with the Postfix SMTP client DSA certificate > > + file specified with $smtp_tls_dcert_file.

    > > > > !

    The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted, but file permissions should grant read/write > > ! access only to the system superuser account ("root").

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > +
    smtp_tls_enforce_peername > > + (default: yes)
    > > > > !

    With mandatory TLS encryption, require that the remote SMTP > > ! server hostname matches the information in the remote SMTP server > > ! certificate. As of RFC 2487 the requirements for hostname checking > > ! for MTA clients are not specified.

    > > > > !

    This option can be set to "no" to disable strict peer name > > ! checking. This setting has no effect on sessions that are controlled > > ! via the smtp_tls_per_site table.

    > > > > !

    Disabling the hostname verification can make sense in closed > > ! environment where special CAs are created. If not used carefully, > > ! this option opens the danger of a "man-in-the-middle" attack (the > > ! CommonName of this attacker will be logged).

    > > > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.
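Review bot: the smtp_tls_enforce_peername paragraph "Disabling the hostname verification can make sense in closed environment where special CAs are created" should say what "no" actually gives up: with peer name checking off, any certificate issued by a trusted CA is accepted for any destination, which is the "man-in-the-middle" danger the following sentence mentions, and a private CA does not remove that risk by itself once it has issued more than one certificate. Suggest rewording to that effect; "in closed environment" should also read "in a closed environment".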

    > > > > *************** > > *** 9526,9547 **** > > > > !
    smtp_discard_ehlo_keywords > > (default: empty)
    > > > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > > ! auth, etc.) that the Postfix SMTP client will ignore in the EHLO > > ! response from a remote SMTP server.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > !

    Notes:

    > > > > !
      > > > > !
    • Specify the silent-discard pseudo keyword to prevent > > ! this action from being logged.

      > > > > !
    • Use the smtp_discard_ehlo_keyword_address_maps feature to > > ! discard EHLO keywords selectively.

      > > > > !
    > > > > --- 8733,8764 ---- > > > > !
    smtp_tls_exclude_ciphers > > (default: empty)
    > > > > !

    List of ciphers or cipher types to exclude from the Postfix > > ! SMTP client cipher > > ! list at all TLS security levels. This is not an OpenSSL cipherlist, it is > > ! a simple list separated by whitespace and/or commas. The elements are a > > ! single cipher, or one or more "+" separated cipher properties, in which > > ! case only ciphers matching all the properties are excluded.

    > > > > !

    Examples (some of these will cause problems):

    > > > > !
    > > !
    > > ! smtp_tls_exclude_ciphers = aNULL
    > > ! smtp_tls_exclude_ciphers = MD5, DES
    > > ! smtp_tls_exclude_ciphers = DES+MD5
    > > ! smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    > > ! smtp_tls_exclude_ciphers = kEDH+aRSA
    > > ! 
    > > !
    > > > > !

    The first setting, disables anonymous ciphers. The next setting > > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > > ! encryption algorithm. The next setting disables ciphers that use MD5 and > > ! DES together. The next setting disables the two ciphers "AES256-SHA" > > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > > ! key exchange with RSA authentication.

    > > > > !

    This feature is available in Postfix 2.3 and later.
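Review bot: "Examples (some of these will cause problems)" does not say which ones. Suggest identifying them in the explanatory paragraph, since the text itself states that exclusions apply "at all TLS security levels": excluding specific named ciphers ("AES256-SHA, DES-CBC3-MD5") or a whole key-exchange/authentication class ("kEDH+aRSA") is what can leave the client unable to agree on a cipher with a server that offers only those. The explanatory paragraph also has a stray comma in "The first setting, disables anonymous ciphers".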

    > > > > *************** > > *** 9550,9576 **** > > > > !
    smtp_dns_resolver_options > > (default: empty)
    > > > > !

    DNS Resolver options for the Postfix SMTP client. Specify zero > > ! or more of the following options, separated by comma or whitespace. > > ! Option names are case-sensitive. Some options refer to domain names > > ! that are specified in the file /etc/resolv.conf or equivalent.

    > > > > !
    > > > > !
    res_defnames
    > > > > !
    Append the current domain name to single-component names (those > > ! that do not contain a "." character). This can produce incorrect > > ! results, and is the hard-coded behavior prior to Postfix 2.8.
    > > > > !
    res_dnsrch
    > > > > !
    Search for host names in the current domain and in parent > > ! domains. This can produce incorrect results and is therefore not > > ! recommended.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 8767,8825 ---- > > > > !
    smtp_tls_fingerprint_cert_match > > (default: empty)
    > > > > !

    List of acceptable remote SMTP server certificate fingerprints > > ! for the "fingerprint" TLS security level (smtp_tls_security_level = > > ! fingerprint). At this security level, certificate authorities are > > ! not used, and certificate expiration times are ignored. Instead, > > ! server certificates are verified directly via their "fingerprint". The > > ! fingerprint is a message digest of the server certificate. The digest > > ! algorithm is selected via the smtp_tls_fingerprint_digest > > ! parameter.

    > > > > !

    When an smtp_tls_policy_maps table entry specifies the > > ! "fingerprint" security level, any "match" attributes in that entry specify > > ! the list of valid fingerprints for the corresponding destination. Multiple > > ! fingerprints can be combined with a "|" delimiter in a single match > > ! attribute, or multiple match attributes can be employed.

    > > > > !

    Example: Certificate fingerprint verification with internal mailhub. > > ! Two matching fingerprints are listed. The relayhost may be multiple > > ! physical hosts behind a load-balancer, each with its own private/public > > ! key and self-signed certificate. Alternatively, a single relayhost may > > ! be in the process of switching from one set of private/public keys to > > ! another, and both keys are trusted just prior to the transition.

    > > > > !
    > > !
    > > ! relayhost = [mailhub.example.com]
    > > ! smtp_tls_security_level = fingerprint
    > > ! smtp_tls_fingerprint_digest = md5
    > > ! smtp_tls_fingerprint_cert_match =
    > > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 
    > > !
    > > > > !

    Example: Certificate fingerprint verification with selected destinations. > > ! As in the example above, we show two matching fingerprints:

    > > > > !
    > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > > !     smtp_tls_fingerprint_digest = md5
    > > ! 
    > > !
    > > > > !
    > > !
    > > ! /etc/postfix/tls_policy:
    > > !     example.com	fingerprint
    > > !         match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !         match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 
    > > !
    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 9579,9661 **** > > > > !
    smtp_enforce_tls > > ! (default: no)
    > > ! > > !

    Enforcement mode: require that remote SMTP servers use TLS > > ! encryption, and never send mail in the clear. This also requires > > ! that the remote SMTP server hostname matches the information in > > ! the remote server certificate, and that the remote SMTP server > > ! certificate was issued by a CA that is trusted by the Postfix SMTP > > ! client. If the certificate doesn't verify or the hostname doesn't > > ! match, delivery is deferred and mail stays in the queue.

    > > ! > > !

    The server hostname is matched against all names provided as > > ! dNSNames in the SubjectAlternativeName. If no dNSNames are specified, > > ! the CommonName is checked. The behavior may be changed with the > > ! smtp_tls_enforce_peername option.

    > > ! > > !

    This option is useful only if you are definitely sure that you > > ! will only connect to servers that support RFC 2487 _and_ that > > ! provide valid server certificates. Typical use is for clients that > > ! send all their email to a dedicated mailhub.

    > > ! > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > ! > > ! > > !
    > > > > !
    smtp_fallback_relay > > ! (default: $fallback_relay)
    > > > > !

    > > ! Optional list of relay hosts for SMTP destinations that can't be > > ! found or that are unreachable. With Postfix 2.2 and earlier this > > ! parameter is called fallback_relay.

    > > > > !

    > > ! By default, mail is returned to the sender when a destination is > > ! not found, and delivery is deferred when a destination is unreachable. > >

    > > > > !

    The fallback relays must be SMTP destinations. Specify a domain, > > ! host, host:port, [host]:port, [address] or [address]:port; the form > > ! [host] turns off MX lookups. If you specify multiple SMTP > > ! destinations, Postfix will try them in the specified order.

    > > > > !

    To prevent mailer loops between MX hosts and fall-back hosts, > > ! Postfix version 2.2 and later will not use the fallback relays for > > ! destinations that it is MX host for (assuming DNS lookup is turned on). > >

    > > > > > > !
    > > > > !
    smtp_generic_maps > > ! (default: empty)
    > > > > -

    Optional lookup tables that perform address rewriting in the > > - Postfix SMTP client, typically to transform a locally valid address into > > - a globally valid address when sending mail across the Internet. > > - This is needed when the local machine does not have its own Internet > > - domain name, but uses something like localdomain.local > > - instead.

    > > > > !

    The table format and lookups are documented in generic(5); > > ! examples are shown in the ADDRESS_REWRITING_README and > > ! STANDARD_CONFIGURATION_README documents.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    smtp_header_checks > > ! (default: empty)
    > > > > !

    Restricted header_checks(5) tables for the Postfix SMTP client. > > ! These tables are searched while mail is being delivered. Actions > > ! that change the delivery time or destination are not available. > > !

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > --- 8828,8898 ---- > > > > !
    smtp_tls_fingerprint_digest > > ! (default: md5)
    > > > > !

    The message digest algorithm used to construct remote SMTP server > > ! certificate fingerprints. At the "fingerprint" TLS security level > > ! (smtp_tls_security_level = fingerprint), the server certificate is > > ! verified by directly matching its fingerprint. The fingerprint > > ! is the message digest of the server certificate using the selected > > ! algorithm. With a digest algorithm resistant to "second pre-image" > > ! attacks, it is not feasible to create a new public key and a matching > > ! certificate that has the same fingerprint.

    > > > > !

    The default algorithm is md5; this is consistent with > > ! the backwards compatible setting of the digest used to verify client > > ! certificates in the SMTP server.

    > > > > !

    The best practice algorithm is now sha1. Recent advances in hash > > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > > ! However, as long as there are no known "second pre-image" attacks > > ! against md5, its use in this context can still be considered safe. > >

    > > > > !

    While additional digest algorithms are often available with OpenSSL's > > ! libcrypto, only those used by libssl in SSL cipher suites are available to > > ! Postfix. For now this means just md5 or sha1.

    > > > > !

    To find the fingerprint of a specific certificate file, with a > > ! specific digest algorithm, run: > >

    > > > > +
    > > +
    > > + $ openssl x509 -noout -fingerprint -digest -in certfile.pem
    > > + 
    > > +
    > > + > > +

    The text to the right of "=" sign is the desired fingerprint. > > + For example:

    > > > > !
    > > !
    > > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    > > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    > > ! 
    > > !
    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > > > !
    > > > > !
    smtp_tls_key_file > > ! (default: $smtp_tls_cert_file)
    > > > > +

    File with the Postfix SMTP client RSA private key in PEM format. > > + This file may be combined with the Postfix SMTP client RSA certificate > > + file specified with $smtp_tls_cert_file.

    > > > > !

    The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted, but file permissions should grant read/write > > ! access only to the system superuser account ("root").

    > > > > !

    Example:

    > > > > !
    > > ! smtp_tls_key_file = $smtp_tls_cert_file
    > > ! 
    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 9664,9709 **** > > > > !
    smtp_helo_name > > ! (default: $myhostname)
    > > > > !

    > > ! The hostname to send in the SMTP EHLO or HELO command. > > !

    > > > > !

    > > ! The default value is the machine hostname. Specify a hostname or > > ! [ip.add.re.ss]. > > !

    > > > > !

    > > ! This information can be specified in the main.cf file for all SMTP > > ! clients, or it can be specified in the master.cf file for a specific > > ! client, for example: > > !

    > > > > !
    > > !
    > > ! /etc/postfix/master.cf:
    > > !     mysmtp ... smtp -o smtp_helo_name=foo.bar.com
    > > ! 
    > > !
    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > > > !
    > > > > !
    smtp_helo_timeout > > ! (default: 300s)
    > > > > !

    > > ! The Postfix SMTP client time limit for sending the HELO or EHLO command, > > ! and for receiving the initial remote SMTP server response. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > --- 8901,8929 ---- > > > > !
    smtp_tls_loglevel > > ! (default: 0)
    > > > > !

    Enable additional Postfix SMTP client logging of TLS activity. > > ! Each logging level also includes the information that is logged at > > ! a lower logging level.

    > > > > !
    > > > > !
    0 Disable logging of TLS activity.
    > > > > !
    1 Log TLS handshake and certificate information.
    > > > > !
    2 Log levels during TLS negotiation.
    > > > > +
    3 Log hexadecimal and ASCII dump of TLS negotiation > > + process.
    > > > > !
    4 Log hexadecimal and ASCII dump of complete > > ! transmission after STARTTLS.
    > > > > !
    > > > > !

    Use "smtp_tls_loglevel = 3" only in case of problems. Use of > > ! loglevel 4 is strongly discouraged.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 9712,9740 **** > > > > !
    smtp_host_lookup > > ! (default: dns)
    > > > > !

    > > ! What mechanisms the Postfix SMTP client uses to look up a host's IP > > ! address. This parameter is ignored when DNS lookups are disabled > > ! (see: disable_dns_lookups). > > !

    > > > > !

    > > ! Specify one of the following: > > !

    > > > >
    > > > > !
    dns
    > > ! > > !
    Hosts can be found in the DNS (preferred).
    > > ! > > !
    native
    > > > > !
    Use the native naming service only (nsswitch.conf, or equivalent > > ! mechanism).
    > > > > !
    dns, native
    > > > > !
    Use the native service for hosts not found in the DNS.
    > > > > --- 8932,9001 ---- > > > > !
    smtp_tls_mandatory_ciphers > > ! (default: medium)
    > > > > !

    The minimum TLS cipher grade that the Postfix SMTP client will > > ! use with > > ! mandatory TLS encryption. The default value "medium" is suitable > > ! for most destinations with which you may want to enforce TLS, and > > ! is beyond the reach of today's crypt-analytic methods. See > > ! smtp_tls_policy_maps for information on how to configure ciphers > > ! on a per-destination basis.

    > > > > !

    The following cipher grades are supported:

    > > > >
    > > +
    export
    > > +
    Enable the mainstream "EXPORT" grade or better OpenSSL > > + ciphers. This is always used for opportunistic encryption. It is > > + not recommended for mandatory encryption unless you must enforce TLS > > + with "crippled" peers. The underlying cipherlist is specified via the > > + tls_export_cipherlist configuration parameter, which you are strongly > > + encouraged to not change. The default value of tls_export_cipherlist > > + includes anonymous ciphers, but these are automatically filtered out if > > + the client is configured to verify server certificates. If you must > > + exclude anonymous ciphers also at the "encrypt" security level, set > > + "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > > > !
    low
    > > !
    Enable the mainstream "LOW" grade or better OpenSSL ciphers. This > > ! setting is only appropriate for internal mail servers. The underlying > > ! cipherlist is specified via the tls_low_cipherlist configuration > > ! parameter, which you are strongly encouraged to not change. The default > > ! value of tls_low_cipherlist includes anonymous ciphers, but these are > > ! automatically filtered out if the client is configured to verify server > > ! certificates. If you must exclude anonymous ciphers also at the "encrypt" > > ! security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > > > !
    medium
    > > !
    Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. > > ! The underlying cipherlist is specified via the tls_medium_cipherlist > > ! configuration parameter, which you are strongly encouraged to not change. > > ! The default value of tls_medium_cipherlist includes anonymous ciphers, > > ! but these are automatically filtered out if the client is configured to > > ! verify server certificates. If you must exclude anonymous ciphers also > > ! at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers > > ! = aNULL".
    > > > > !
    high
    > > !
    Enable only the mainstream "HIGH" grade OpenSSL ciphers. This > > ! setting is appropriate when all mandatory TLS destinations support > > ! some of "HIGH" grade ciphers, this is not uncommon. The underlying > > ! cipherlist is specified via the tls_high_cipherlist configuration > > ! parameter, which you are strongly encouraged to not change. The default > > ! value of tls_high_cipherlist includes anonymous ciphers, but these are > > ! automatically filtered out if the client is configured to verify server > > ! certificates. If you must exclude anonymous ciphers also at the "encrypt" > > ! security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".
    > > > > !
    null
    > > !
    Enable only the "NULL" OpenSSL ciphers, these provide authentication > > ! without encryption. This setting is only appropriate in the rare case > > ! that all servers are prepared to use NULL ciphers (not normally enabled > > ! in TLS servers). A plausible use-case is an LMTP server listening on a > > ! UNIX-domain socket that is configured to support "NULL" ciphers. The > > ! underlying cipherlist is specified via the tls_null_cipherlist > > ! configuration parameter, which you are strongly encouraged to not > > ! change. The default value of tls_null_cipherlist excludes anonymous > > ! ciphers (OpenSSL 0.9.8 has NULL ciphers that offer data integrity without > > ! encryption or authentication).
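Review bot: the aNULL sentence ("The default value of tls_*_cipherlist includes anonymous ciphers, but these are automatically filtered out if the client is configured to verify server certificates. If you must exclude anonymous ciphers also at the "encrypt" security level, set "smtp_tls_mandatory_exclude_ciphers = aNULL".") is repeated verbatim under export, low, medium and high in the new-side smtp_tls_mandatory_ciphers list; state it once above the list and keep only the grade-specific sentences in each entry. While consolidating, spell out the consequence that the repetition currently buries: at the "encrypt" level anonymous Diffie-Hellman suites are accepted by default, so mandatory TLS there is encryption with no server authentication and is defeated by an active man-in-the-middle, which is the reason an operator would set the aNULL exclusion. The "high" entry also has a comma splice ("support some of "HIGH" grade ciphers, this is not uncommon").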
    > > > > *************** > > *** 9742,9746 **** > > > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > > > --- 9003,9005 ---- > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > *************** > > *** 9749,9767 **** > > > > !
    smtp_line_length_limit > > ! (default: 998)
    > > > > !

    > > ! The maximal length of message header and body lines that Postfix > > ! will send via SMTP. This limit does not include the <CR><LF> > > ! at the end of each line. Longer lines are broken by inserting > > ! "<CR><LF><SPACE>", to minimize the damage to MIME > > ! formatted mail. > > !

    > > > > !

    > > ! The Postfix limit of 998 characters not including <CR><LF> > > ! is consistent with the SMTP limit of 1000 characters including > > ! <CR><LF>. The Postfix limit was 990 with Postfix 2.8 > > ! and earlier. > > !

    > > > > --- 9008,9018 ---- > > > > !
    smtp_tls_mandatory_exclude_ciphers > > ! (default: empty)
    > > > > !

    Additional list of ciphers or cipher types to exclude from the > > ! SMTP client cipher list at mandatory TLS security levels. This list > > ! works in addition to the exclusions listed with smtp_tls_exclude_ciphers > > ! (see there for syntax details).

    > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > *************** > > *** 9770,9796 **** > > > > !
    smtp_mail_timeout > > ! (default: 300s)
    > > > > !

    > > ! The Postfix SMTP client time limit for sending the MAIL FROM command, > > ! and for receiving the remote SMTP server response. > > !

    > > > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > > > > > !
    > > > > !
    smtp_mime_header_checks > > ! (default: empty)
    > > > > !

    Restricted mime_header_checks(5) tables for the Postfix SMTP > > ! client. These tables are searched while mail is being delivered. > > ! Actions that change the delivery time or destination are not > > ! available.

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > --- 9021,9056 ---- > > > > !
    smtp_tls_mandatory_protocols > > ! (default: SSLv3, TLSv1)
    > > > > !

    List of SSL/TLS protocols that the Postfix SMTP client will use with > > ! mandatory TLS encryption. In main.cf the values are separated by > > ! whitespace, commas or colons. In the policy table "protocols" attribute > > ! (see smtp_tls_policy_maps) the only valid separator is colon. An > > ! empty value means allow all protocols. The valid protocol names, (see > > ! SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

    > > > > !

    With Postfix ≥ 2.5 the parameter syntax is expanded to support > > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > > ! "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > > ! SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > > ! the protocols to include, rather than protocols to exclude, is still > > ! supported; use the form you find more intuitive.

    > > > > +

    Since SSL version 2 has known protocol weaknesses and is now > > + deprecated, the default setting excludes "SSLv2". This means that by > > + default, SSL version 2 will not be used at the "encrypt" security level > > + and higher.

    > > > > !

    See the documentation of the smtp_tls_policy_maps parameter and > > ! TLS_README for more information about security levels.

    > > > > !

    Example:

    > > > > !
    > > ! smtp_tls_mandatory_protocols = TLSv1
    > > ! # Alternative form with Postfix ≥ 2.5:
    > > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > > ! 
    > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > *************** > > *** 9799,9828 **** > > > > !
    smtp_mx_address_limit > > ! (default: 5)
    > > ! > > !

    > > ! The maximal number of MX (mail exchanger) IP addresses that can > > ! result from Postfix SMTP client mail exchanger lookups, or zero (no > > ! limit). Prior to > > ! Postfix version 2.3, this limit was disabled by default. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > > > !
    > > > > !
    smtp_mx_session_limit > > ! (default: 2)
    > > > > !

    The maximal number of SMTP sessions per delivery request before > > ! the Postfix SMTP client > > ! gives up or delivers to a fall-back relay host, or zero (no > > ! limit). This restriction ignores sessions that fail to complete the > > ! SMTP initial handshake (Postfix version 2.2 and earlier) or that fail to > > ! complete the EHLO and TLS handshake (Postfix version 2.3 and later).

    > > > > !

    This feature is available in Postfix 2.1 and later.

    > > > > --- 9059,9073 ---- > > > > !
    smtp_tls_note_starttls_offer > > ! (default: no)
    > > > > !

    Log the hostname of a remote SMTP server that offers STARTTLS, > > ! when TLS is not already enabled for that server.

    > > > > !

    The logfile record looks like:

    > > > > !
    > > ! postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
    > > ! 
    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 9831,9890 **** > > > > !
    smtp_nested_header_checks > > (default: empty)
    > > > > !

    Restricted nested_header_checks(5) tables for the Postfix SMTP > > ! client. These tables are searched while mail is being delivered. > > ! Actions that change the delivery time or destination are not > > ! available.

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_never_send_ehlo > > ! (default: no)
    > > > > !

    Never send EHLO at the start of an SMTP session. See also the > > ! smtp_always_send_ehlo parameter.

    > > > > > > !
    > > > > !
    smtp_per_record_deadline > > ! (default: no)
    > > > > !

    Change the behavior of the smtp_*_timeout time limits, from a > > ! time limit per read or write system call, to a time limit to send > > ! or receive a complete record (an SMTP command line, SMTP response > > ! line, SMTP message content line, or TLS protocol message). This > > ! limits the impact from hostile peers that trickle data one byte at > > ! a time.

    > > ! > > !

    Note: when per-record deadlines are enabled, a short timeout > > ! may cause problems with TLS over very slow network connections. > > ! The reasons are that a TLS protocol message can be up to 16 kbytes > > ! long (with TLSv1), and that an entire TLS protocol message must be > > ! sent or received within the per-record deadline.

    > > > > !

    This feature is available in Postfix 2.9 and later. With older > > ! Postfix releases, the behavior is as if this parameter is set to > > ! "no".

    > > > > > > !
    > > > > !
    smtp_pix_workaround_delay_time > > ! (default: 10s)
    > > > > !

    > > ! How long the Postfix SMTP client pauses before sending > > ! ".<CR><LF>" in order to work around the PIX firewall > > ! "<CR><LF>.<CR><LF>" bug. > > !

    > > > > !

    > > ! Choosing a too short time makes this workaround ineffective when > > ! sending large messages over slow network connections. > > !

    > > > > --- 9076,9151 ---- > > > > !
    smtp_tls_per_site > > (default: empty)
    > > > > !

    Optional lookup tables with the Postfix SMTP client TLS usage > > ! policy by next-hop destination and by remote SMTP server hostname. > > ! When both lookups succeed, the more specific per-site policy (NONE, > > ! MUST, etc) overrides the less specific one (MAY), and the more secure > > ! per-site policy (MUST, etc) overrides the less secure one (NONE). > > ! With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged: > > ! use smtp_tls_policy_maps instead.

    > > > > !

    Use of the bare hostname as the per-site table lookup key is > > ! discouraged. Always use the full destination nexthop (enclosed in > > ! [] with a possible ":port" suffix). A recipient domain or MX-enabled > > ! transport next-hop with no port suffix may look like a bare hostname, > > ! but is still a suitable destination.

    > > > > +

    Specify a next-hop destination or server hostname on the left-hand > > + side; no wildcards are allowed. The next-hop destination is either > > + the recipient domain, or the destination specified with a transport(5) > > + table, the relayhost parameter, or the relay_transport parameter. > > + On the right hand side specify one of the following keywords:

    > > > > !
    > > > > !
    NONE
    Don't use TLS at all. This overrides a less > > ! specific MAY lookup result from the alternate host or next-hop > > ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, > > ! and smtp_tls_enforce_peername settings.
    > > > > !
    MAY
    Try to use TLS if the server announces support, > > ! otherwise use the unencrypted connection. This has less precedence > > ! than a more specific result (including NONE) from the alternate > > ! host or next-hop lookup key, and has less precedence than the more > > ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername > > ! = yes".
    > > > > !
    MUST_NOPEERMATCH
    Require TLS encryption, but do not > > ! require that the remote SMTP server hostname matches the information > > ! in the remote SMTP server certificate, or that the server certificate > > ! was issued by a trusted CA. This overrides a less secure NONE > > ! or a less specific MAY lookup result from the alternate host > > ! or next-hop lookup key, and overrides the global smtp_use_tls, > > ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
    > > > > +
    MUST
    Require TLS encryption, require that the remote > > + SMTP server hostname matches the information in the remote SMTP > > + server certificate, and require that the remote SMTP server certificate > > + was issued by a trusted CA. This overrides a less secure NONE > > + and MUST_NOPEERMATCH or a less specific MAY lookup > > + result from the alternate host or next-hop lookup key, and overrides > > + the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername > > + settings.
    > > > > !
    > > > > !

    The above keywords correspond to the "none", "may", "encrypt" and > > ! "verify" security levels for the new smtp_tls_security_level parameter > > ! introduced in Postfix 2.3. Starting with Postfix 2.3, and independently > > ! of how the policy is specified, the smtp_tls_mandatory_ciphers and > > ! smtp_tls_mandatory_protocols parameters only apply when TLS encryption > > ! is mandatory. Connections for which encryption is optional enable > > ! all "export" grade and better ciphers.

    > > > > !

    As long as no secure DNS lookup mechanism is available, false > > ! hostnames in MX or CNAME responses can change the server hostname > > ! that Postfix uses for TLS policy lookup and server certificate > > ! verification. Even with a perfect match between the server hostname and > > ! the server certificate, there is no guarantee that Postfix is connected > > ! to the right server. See TLS_README (Closing a DNS loophole with obsolete > > ! per-site TLS policies) for a possible work-around.

    > > > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_policy_maps instead.

    > > > > *************** > > *** 9893,9938 **** > > > > !
    smtp_pix_workaround_maps > > (default: empty)
    > > > > !

    Lookup tables, indexed by the remote SMTP server address, with > > ! per-destination workarounds for CISCO PIX firewall bugs. The table > > ! is not indexed by hostname for consistency with > > ! smtp_discard_ehlo_keyword_address_maps.

    > > ! > > !

    This feature is available in Postfix 2.4 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_pix_workaround_threshold_time > > ! (default: 500s)
    > > ! > > !

    How long a message must be queued before the Postfix SMTP client > > ! turns on the PIX firewall "<CR><LF>.<CR><LF>" > > ! bug workaround for delivery through firewalls with "smtp fixup" > > ! mode turned on.

    > > ! > > !

    > > ! By default, the workaround is turned off for mail that is queued > > ! for less than 500 seconds. In other words, the workaround is normally > > ! turned off for the first delivery attempt. > > !

    > > ! > > !

    > > ! Specify 0 to enable the PIX firewall > > ! "<CR><LF>.<CR><LF>" bug workaround upon the > > ! first delivery attempt. > >

    > > > > > > !
    > > > > !
    smtp_pix_workarounds > > ! (default: disable_esmtp, delay_dotcrlf)
    > > > > !

    A list that specifies zero or more workarounds for CISCO PIX > > ! firewall bugs. These workarounds are implemented by the Postfix > > ! SMTP client. Workaround names are separated by comma or space, and > > ! are case insensitive. This parameter setting can be overruled with > > ! per-destination smtp_pix_workaround_maps settings.

    > > > > --- 9154,9188 ---- > > > > !
    smtp_tls_policy_maps > > (default: empty)
    > > > > !

    Optional lookup tables with the Postfix SMTP client TLS security > > ! policy by next-hop destination; when a non-empty value is specified, > > ! this overrides the obsolete smtp_tls_per_site parameter. See > > ! TLS_README for a more detailed discussion of TLS security levels. > >

    > > > > +

    The TLS policy table is indexed by the full next-hop destination, > > + which is either the recipient domain, or the verbatim next-hop > > + specified in the transport table, $local_transport, $virtual_transport, > > + $relay_transport or $default_transport. This includes any enclosing > > + square brackets and any non-default destination server port suffix. The > > + LMTP socket type prefix (inet: or unix:) is not included in the lookup > > + key.

    > > > > !

    Only the next-hop domain, or $myhostname with LMTP over UNIX-domain > > ! sockets, is used as the nexthop name for certificate verification. The > > ! port and any enclosing square brackets are used in the table lookup key, > > ! but are not used for server name verification.

    > > > > !

    When the lookup key is a domain name without enclosing square brackets > > ! or any :port suffix (typically the recipient domain), and the full > > ! domain is not found in the table, just as with the transport(5) table, > > ! the parent domain starting with a leading "." is matched recursively. This > > ! allows one to specify a security policy for a recipient domain and all > > ! its sub-domains.

    > > > > !

    The lookup result is a security level, followed by an optional list > > ! of whitespace and/or comma separated name=value attributes that override > > ! related main.cf settings. The TLS security levels in order of increasing > > ! security are:

    > > > > *************** > > *** 9940,12458 **** > > > > !
    delay_dotcrlf
    Insert a delay before sending > > ! ".<CR><LF>" after the end of the message content. The > > ! delay is subject to the smtp_pix_workaround_delay_time and > > ! smtp_pix_workaround_threshold_time parameter settings.
    > > ! > > !
    disable_esmtp
    Disable all extended SMTP commands: > > ! send HELO instead of EHLO.
    > > > > !
    > > > > !

    This feature is available in Postfix 2.4 and later. The default > > ! settings are backwards compatible with earlier Postfix versions. > > !

    > > > > > > !
    > > > > !
    smtp_quit_timeout > > ! (default: 300s)
    > > > > !

    > > ! The Postfix SMTP client time limit for sending the QUIT command, > > ! and for receiving the remote SMTP server response. > > !

    > > > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > > > ! > > !
    > > ! > > !
    smtp_quote_rfc821_envelope > > ! (default: yes)
    > > ! > > !

    > > ! Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands > > ! as required > > ! by RFC 2821. This includes putting quotes around an address localpart > > ! that ends in ".". > > !

    > > ! > > !

    > > ! The default is to comply with RFC 2821. If you have to send mail to > > ! a broken SMTP server, configure a special SMTP client in master.cf: > > !

    > > ! > > !
    > > !
    > > ! /etc/postfix/master.cf:
    > > !     broken-smtp . . . smtp -o smtp_quote_rfc821_envelope=no
    > > ! 
    > > !
    > > ! > > !

    > > ! and route mail for the destination in question to the "broken-smtp" > > ! message delivery with a transport(5) table. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_randomize_addresses > > ! (default: yes)
    > > ! > > !

    > > ! Randomize the order of equal-preference MX host addresses. This > > ! is a performance feature of the Postfix SMTP client. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_rcpt_timeout > > ! (default: 300s)
    > > ! > > !

    > > ! The Postfix SMTP client time limit for sending the SMTP RCPT TO > > ! command, and for receiving the remote SMTP server response. > > !

    > > ! > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_reply_filter > > ! (default: empty)
    > > ! > > !

    A mechanism to transform replies from remote SMTP servers one > > ! line at a time. This is a last-resort tool to work around server > > ! replies that break inter-operability with the Postfix SMTP client. > > ! Other uses involve fault injection to test Postfix's handling of > > ! invalid responses.

    > > ! > > !

    Notes:

    > > ! > > !
      > > ! > > !
    • In the case of a multi-line reply, the Postfix SMTP client > > ! uses the final reply line's numerical SMTP reply code and enhanced > > ! status code.

      > > ! > > !
    • The numerical SMTP reply code (XYZ) takes precedence over > > ! the enhanced status code (X.Y.Z). When the enhanced status code > > ! initial digit differs from the SMTP reply code initial digit, or > > ! when no enhanced status code is present, the Postfix SMTP client > > ! uses a generic enhanced status code (X.0.0) instead.

      > > ! > > !
    > > ! > > !

    Specify the name of a "type:table" lookup table. The search > > ! string is a single SMTP reply line as received from the remote SMTP > > ! server, except that the trailing <CR><LF> are removed. > > ! When the lookup succeeds, the result replaces the single SMTP reply > > ! line.

    > > ! > > !

    Examples:

    > > ! > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtp_reply_filter = pcre:/etc/postfix/reply_filter
    > > ! 
    > > ! > > !
    > > ! /etc/postfix/reply_filter:
    > > !     # Transform garbage into "250-filler..." so that it looks like
    > > !     # one line from a multi-line reply. It does not matter what we
    > > !     # substitute here as long it has the right syntax.  The Postfix
    > > !     # SMTP client will use the final line's numerical SMTP reply
    > > !     # code and enhanced status code.
    > > !     !/^([2-5][0-9][0-9]($|[- ]))/ 250-filler for garbage
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.7.

    > > ! > > ! > > !
    > > ! > > !
    smtp_rset_timeout > > ! (default: 20s)
    > > ! > > !

    The Postfix SMTP client time limit for sending the RSET command, > > ! and for receiving the remote SMTP server response. The SMTP client > > ! sends RSET in > > ! order to finish a recipient address probe, or to verify that a > > ! cached session is still usable.

    > > ! > > !

    This feature is available in Postfix 2.1 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_auth_cache_name > > ! (default: empty)
    > > ! > > !

    An optional table to prevent repeated SASL authentication > > ! failures with the same remote SMTP server hostname, username and > > ! password. Each table (key, value) pair contains a server name, a > > ! username and password, and the full server response. This information > > ! is stored when a remote SMTP server rejects an authentication attempt > > ! with a 535 reply code. As long as the smtp_sasl_password_maps > > ! information does no change, and as long as the smtp_sasl_auth_cache_name > > ! information does not expire (see smtp_sasl_auth_cache_time) the > > ! Postfix SMTP client avoids SASL authentication attempts with the > > ! same server, username and password, and instead bounces or defers > > ! mail as controlled with the smtp_sasl_auth_soft_bounce configuration > > ! parameter.

    > > ! > > !

    Use a per-destination delivery concurrency of 1 (for example, > > ! "smtp_destination_concurrency_limit = 1", > > ! "relay_destination_concurrency_limit = 1", etc.), otherwise multiple > > ! delivery agents may experience a login failure at the same time. > > !

    > > ! > > !

    The table must be accessed via the proxywrite service, i.e. the > > ! map name must start with "proxy:". The table should be stored under > > ! the directory specified with the data_directory parameter.

    > > ! > > !

    This feature uses cryptographic hashing to protect plain-text > > ! passwords, and requires that Postfix is compiled with TLS support. > > !

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
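Review bot: typo in the smtp_sasl_auth_cache_name description above: "as long as the smtp_sasl_password_maps information does no change" should read "does not change".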
    > > ! > > !
    smtp_sasl_auth_cache_time > > ! (default: 90d)
    > > ! > > !

    The maximal age of an smtp_sasl_auth_cache_name entry before it > > ! is removed.

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_auth_enable > > ! (default: no)
    > > ! > > !

    > > ! Enable SASL authentication in the Postfix SMTP client. By default, > > ! the Postfix SMTP client uses no authentication. > > !

    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtp_sasl_auth_enable = yes
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_auth_soft_bounce > > ! (default: yes)
    > > ! > > !

    When a remote SMTP server rejects a SASL authentication request > > ! with a 535 reply code, defer mail delivery instead of returning > > ! mail as undeliverable. The latter behavior was hard-coded prior to > > ! Postfix version 2.5.

    > > ! > > !

    Note: the setting "yes" overrides the global soft_bounce > > ! parameter, but the setting "no" does not.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! # Default as of Postfix 2.5
    > > ! smtp_sasl_auth_soft_bounce = yes
    > > ! # The old hard-coded default
    > > ! smtp_sasl_auth_soft_bounce = no
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_mechanism_filter > > ! (default: empty)
    > > ! > > !

    > > ! If non-empty, a Postfix SMTP client filter for the remote SMTP > > ! server's list of offered SASL mechanisms. Different client and > > ! server implementations may support different mechanism lists; by > > ! default, the Postfix SMTP client will use the intersection of the > > ! two. smtp_sasl_mechanism_filter specifies an optional third mechanism > > ! list to intersect with.

    > > ! > > !

    Specify mechanism names, "/file/name" patterns or "type:table" > > ! lookup tables. The right-hand side result from "type:table" lookups > > ! is ignored. Specify "!pattern" to exclude a mechanism name from the > > ! list. The form "!/file/name" is supported only in Postfix version > > ! 2.4 and later.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > !

    > > ! Examples: > > !

    > > ! > > !
    > > ! smtp_sasl_mechanism_filter = plain, login
    > > ! smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
    > > ! smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_password_maps > > ! (default: empty)
    > > ! > > !

    > > ! Optional Postfix SMTP client lookup tables with one username:password > > ! entry > > ! per remote hostname or domain, or sender address when sender-dependent > > ! authentication is enabled. If no username:password entry is found, > > ! then the Postfix SMTP client will not > > ! attempt to authenticate to the remote host. > > !

    > > ! > > !

    > > ! The Postfix SMTP client opens the lookup table before going to > > ! chroot jail, so you can leave the password file in /etc/postfix. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_path > > ! (default: empty)
    > > ! > > !

    Implementation-specific information that the Postfix SMTP client > > ! passes through to > > ! the SASL plug-in implementation that is selected with > > ! smtp_sasl_type. Typically this specifies the name of a > > ! configuration file or rendezvous point.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_security_options > > ! (default: noplaintext, noanonymous)
    > > ! > > !

    Postfix SMTP client SASL security options; as of Postfix 2.3 > > ! the list of available > > ! features depends on the SASL client implementation that is selected > > ! with smtp_sasl_type.

    > > ! > > !

    The following security features are defined for the cyrus > > ! client SASL implementation:

    > > ! > > !

    > > ! Specify zero or more of the following: > > !

    > > ! > > !
    > > ! > > !
    noplaintext
    > > ! > > !
    Disallow methods that use plaintext passwords.
    > > ! > > !
    noactive
    > > ! > > !
    Disallow methods subject to active (non-dictionary) attack. > > !
    > > ! > > !
    nodictionary
    > > ! > > !
    Disallow methods subject to passive (dictionary) attack.
    > > ! > > !
    noanonymous
    > > ! > > !
    Disallow methods that allow anonymous authentication.
    > > ! > > !
    mutual_auth
    > > ! > > !
    Only allow methods that provide mutual authentication (not > > ! available with SASL version 1).
    > > ! > > !
    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtp_sasl_security_options = noplaintext
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_tls_security_options > > ! (default: $smtp_sasl_security_options)
    > > ! > > !

    The SASL authentication security options that the Postfix SMTP > > ! client uses for TLS encrypted SMTP sessions.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_tls_verified_security_options > > ! (default: $smtp_sasl_tls_security_options)
    > > ! > > !

    The SASL authentication security options that the Postfix SMTP > > ! client uses for TLS encrypted SMTP sessions with a verified server > > ! certificate.

    > > ! > > !

    When mail is sent to the public MX host for the recipient's > > ! domain, server certificates are by default optional, and delivery > > ! proceeds even if certificate verification fails. For delivery via > > ! a submission service that requires SASL authentication, it may be > > ! appropriate to send plaintext passwords only when the connection > > ! to the server is strongly encrypted and the server identity > > ! is verified.

    > > ! > > !

    The smtp_sasl_tls_verified_security_options parameter makes it > > ! possible to only enable plaintext mechanisms when a secure connection > > ! to the server is available. Submission servers subject to this > > ! policy must either have verifiable certificates or offer suitable > > ! non-plaintext SASL mechanisms.

    > > ! > > !

    This feature is available in Postfix 2.6 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_sasl_type > > ! (default: cyrus)
    > > ! > > !

    The SASL plug-in type that the Postfix SMTP client should use > > ! for authentication. The available types are listed with the > > ! "postconf -A" command.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_send_dummy_mail_auth > > ! (default: no)
    > > ! > > !

    Whether or not to append the "AUTH=<>" option to the MAIL > > ! FROM command in SASL-authenticated SMTP sessions. The default is > > ! not to send this, to avoid problems with broken remote SMTP servers. > > ! Before Postfix 2.9 the behavior is as if "smtp_send_dummy_mail_auth > > ! = yes". > > ! > > !

    This feature is available in Postfix 2.9 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_send_xforward_command > > ! (default: no)
    > > ! > > !

    > > ! Send the non-standard XFORWARD command when the Postfix SMTP server > > ! EHLO response announces XFORWARD support. > > !

    > > ! > > !

    > > ! This allows a Postfix SMTP delivery agent, used for injecting mail > > ! into > > ! a content filter, to forward the name, address, protocol and HELO > > ! name of the original client to the content filter and downstream > > ! queuing SMTP server. This can produce more useful logging than > > ! localhost[127.0.0.1] etc. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_sender_dependent_authentication > > ! (default: no)
    > > ! > > !

    > > ! Enable sender-dependent authentication in the Postfix SMTP client; this is > > ! available only with SASL authentication, and disables SMTP connection > > ! caching to ensure that mail from different senders will use the > > ! appropriate credentials.

    > > ! > > !

    > > ! This feature is available in Postfix 2.3 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_skip_4xx_greeting > > ! (default: yes)
    > > ! > > !

    > > ! Skip SMTP servers that greet with a 4XX status code (go away, try > > ! again later). > > !

    > > ! > > !

    > > ! By default, the Postfix SMTP client moves on the next mail exchanger. > > ! Specify > > ! "smtp_skip_4xx_greeting = no" if Postfix should defer delivery > > ! immediately. > > !

    > > ! > > !

    This feature is available in Postfix 2.0 and earlier. > > ! Later Postfix versions always skip remote SMTP servers that greet > > ! with a > > ! 4XX status code.

    > > ! > > ! > > !
    > > ! > > !
    smtp_skip_5xx_greeting > > ! (default: yes)
    > > ! > > !

    > > ! Skip remote SMTP servers that greet with a 5XX status code (go away, > > ! do > > ! not try again later). > > !

    > > ! > > !

    By default, the Postfix SMTP client moves on the next mail > > ! exchanger. Specify "smtp_skip_5xx_greeting = no" if Postfix should > > ! bounce the mail immediately. The default setting is incorrect, but > > ! it is what a lot of people expect to happen.

    > > ! > > ! > > !
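Review bot: both the smtp_skip_4xx_greeting and the smtp_skip_5xx_greeting text say the client "moves on the next mail exchanger"; a "to" is missing in both places ("moves on to the next mail exchanger").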
    > > ! > > !
    smtp_skip_quit_response > > ! (default: yes)
    > > ! > > !

    > > ! Do not wait for the response to the SMTP QUIT command. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtp_starttls_timeout > > ! (default: 300s)
    > > ! > > !

    Time limit for Postfix SMTP client write and read operations > > ! during TLS startup and shutdown handshake procedures.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_CAfile > > ! (default: empty)
    > > ! > > !

    A file containing CA certificates of root CAs trusted to sign > > ! either remote SMTP server certificates or intermediate CA certificates. > > ! These are loaded into memory before the smtp(8) client enters the > > ! chroot jail. If the number of trusted roots is large, consider using > > ! smtp_tls_CApath instead, but note that the latter directory must be > > ! present in the chroot jail if the smtp(8) client is chrooted. This > > ! file may also be used to augment the client certificate trust chain, > > ! but it is best to include all the required certificates directly in > > ! $smtp_tls_cert_file.

    > > ! > > !

    Specify "smtp_tls_CAfile = /path/to/system_CA_file" to use > > ! ONLY the system-supplied default certificate authority certificates. > > !

    > > ! > > !

    Specify "tls_append_default_CA = no" to prevent Postfix from > > ! appending the system-supplied default CAs and trusting third-party > > ! certificates.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_CAfile = /etc/postfix/CAcert.pem
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_CApath > > ! (default: empty)
    > > ! > > !

    Directory with PEM format certificate authority certificates > > ! that the Postfix SMTP client uses to verify a remote SMTP server > > ! certificate. Don't forget to create the necessary "hash" links > > ! with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". > > !

    > > ! > > !

    To use this option in chroot mode, this directory (or a copy) > > ! must be inside the chroot jail.

    > > ! > > !

    Specify "smtp_tls_CApath = /path/to/system_CA_directory" to > > ! use ONLY the system-supplied default certificate authority certificates. > > !

    > > ! > > !

    Specify "tls_append_default_CA = no" to prevent Postfix from > > ! appending the system-supplied default CAs and trusting third-party > > ! certificates.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_CApath = /etc/postfix/certs
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_block_early_mail_reply > > ! (default: no)
    > > ! > > !

    Try to detect a mail hijacking attack based on a TLS protocol > > ! vulnerability (CVE-2009-3555), where an attacker prepends malicious > > ! HELO, MAIL, RCPT, DATA commands to a Postfix SMTP client TLS session. > > ! The attack would succeed with non-Postfix SMTP servers that reply > > ! to the malicious HELO, MAIL, RCPT, DATA commands after negotiating > > ! the Postfix SMTP client TLS session.

    > > ! > > !

    This feature is available in Postfix 2.7.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_cert_file > > ! (default: empty)
    > > ! > > !

    File with the Postfix SMTP client RSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP client private RSA key, > > ! and these may be the same as the Postfix SMTP server RSA certificate and key > > ! file.

    > > ! > > !

    Do not configure client certificates unless you must present > > ! client TLS certificates to one or more servers. Client certificates are > > ! not usually needed, and can cause problems in configurations that work > > ! well without them. The recommended setting is to let the defaults stand:

    > > ! > > !
    > > !
    > > ! smtp_tls_cert_file =
    > > ! smtp_tls_key_file =
    > > ! smtp_tls_dcert_file =
    > > ! smtp_tls_dkey_file =
    > > ! smtp_tls_eccert_file =
    > > ! smtp_tls_eckey_file =
    > > ! 
    > > !
    > > ! > > !

    The best way to use the default settings is to comment out the above > > ! parameters in main.cf if present.

    > > ! > > !

    To enable remote SMTP servers to verify the Postfix SMTP client > > ! certificate, the issuing CA certificates must be made available to the > > ! server. You should include the required certificates in the client > > ! certificate file, the client certificate first, then the issuing > > ! CA(s) (bottom-up order).

    > > ! > > !

    Example: the certificate for "client.example.com" was issued by > > ! "intermediate CA" which itself has a certificate issued by "root CA". > > ! Create the client.pem file with "cat client_cert.pem intermediate_CA.pem > > ! root_CA.pem > client.pem".

    > > ! > > !

    If you also want to verify remote SMTP server certificates issued by > > ! these CAs, you can add the CA certificates to the smtp_tls_CAfile, in > > ! which case it is not necessary to have them in the smtp_tls_cert_file, > > ! smtp_tls_dcert_file or smtp_tls_eccert_file.

    > > ! > > !

    A certificate supplied here must be usable as an SSL client certificate > > ! and hence pass the "openssl verify -purpose sslclient ..." test.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_cert_file = /etc/postfix/client.pem
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_cipherlist > > ! (default: empty)
    > > ! > > !

    Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS > > ! cipher list. As this feature applies to all TLS security levels, it is easy > > ! to create inter-operability problems by choosing a non-default cipher > > ! list. Do not use a non-default TLS cipher list on hosts that deliver email > > ! to the public Internet: you will be unable to send email to servers that > > ! only support the ciphers you exclude. Using a restricted cipher list > > ! may be more appropriate for an internal MTA, where one can exert some > > ! control over the TLS software and settings of the peer servers.

    > > ! > > !

    Note: do not use "" quotes around the parameter value.

    > > ! > > !

    This feature is available in Postfix version 2.2. It is not used with > > ! Postfix 2.3 and later; use smtp_tls_mandatory_ciphers instead.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_ciphers > > ! (default: export)
    > > ! > > !

    The minimum TLS cipher grade that the Postfix SMTP client > > ! will use with opportunistic TLS encryption. Cipher types listed in > > ! smtp_tls_exclude_ciphers are excluded from the base definition of > > ! the selected cipher grade. The default value "export" ensures maximum > > ! inter-operability. Because encryption is optional, stronger controls > > ! are not appropriate, and this setting SHOULD NOT be changed unless the > > ! change is essential.

    > > ! > > !

    When TLS is mandatory the cipher grade is chosen via the > > ! smtp_tls_mandatory_ciphers configuration parameter, see there for syntax > > ! details. See smtp_tls_policy_maps for information on how to configure > > ! ciphers on a per-destination basis.

    > > ! > > !

    Example:

    > > !
    > > ! smtp_tls_ciphers = export
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.6 and later. With earlier Postfix > > ! releases only the smtp_tls_mandatory_ciphers parameter is implemented, > > ! and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_dcert_file > > ! (default: empty)
    > > ! > > !

    File with the Postfix SMTP client DSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP client private DSA key.

    > > ! > > !

    See the discussion under smtp_tls_cert_file for more details. > > !

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_dkey_file > > ! (default: $smtp_tls_dcert_file)
    > > ! > > !

    File with the Postfix SMTP client DSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP client DSA certificate > > ! file specified with $smtp_tls_dcert_file.

    > > ! > > !

    The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_eccert_file > > ! (default: empty)
    > > ! > > !

    File with the Postfix SMTP client ECDSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP client ECDSA private key.

    > > ! > > !

    See the discussion under smtp_tls_cert_file for more details. > > !

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_eccert_file = /etc/postfix/ecdsa-ccert.pem
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_eckey_file > > ! (default: $smtp_tls_eccert_file)
    > > ! > > !

    File with the Postfix SMTP client ECDSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP client ECDSA > > ! certificate file specified with $smtp_tls_eccert_file.

    > > ! > > !

    The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

    > > ! > > !

    This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_enforce_peername > > ! (default: yes)
    > > ! > > !

    With mandatory TLS encryption, require that the remote SMTP > > ! server hostname matches the information in the remote SMTP server > > ! certificate. As of RFC 2487 the requirements for hostname checking > > ! for MTA clients are not specified.

    > > ! > > !

    This option can be set to "no" to disable strict peer name > > ! checking. This setting has no effect on sessions that are controlled > > ! via the smtp_tls_per_site table.

    > > ! > > !

    Disabling the hostname verification can make sense in closed > > ! environment where special CAs are created. If not used carefully, > > ! this option opens the danger of a "man-in-the-middle" attack (the > > ! CommonName of this attacker will be logged).

    > > ! > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > ! > > ! > > !
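Review bot: grammar in the smtp_tls_enforce_peername text: "can make sense in closed environment where special CAs are created" needs an article ("in a closed environment"). Given the man-in-the-middle warning in the same paragraph, the closing pointer to smtp_tls_security_level for Postfix 2.3 and later is the important sentence and should stay as is.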
    > > ! > > !
    smtp_tls_exclude_ciphers > > ! (default: empty)
    > > ! > > !

    List of ciphers or cipher types to exclude from the Postfix > > ! SMTP client cipher > > ! list at all TLS security levels. This is not an OpenSSL cipherlist, it is > > ! a simple list separated by whitespace and/or commas. The elements are a > > ! single cipher, or one or more "+" separated cipher properties, in which > > ! case only ciphers matching all the properties are excluded.

    > > ! > > !

    Examples (some of these will cause problems):

    > > ! > > !
    > > !
    > > ! smtp_tls_exclude_ciphers = aNULL
    > > ! smtp_tls_exclude_ciphers = MD5, DES
    > > ! smtp_tls_exclude_ciphers = DES+MD5
    > > ! smtp_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
    > > ! smtp_tls_exclude_ciphers = kEDH+aRSA
    > > ! 
    > > !
    > > ! > > !

    The first setting, disables anonymous ciphers. The next setting > > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > > ! encryption algorithm. The next setting disables ciphers that use MD5 and > > ! DES together. The next setting disables the two ciphers "AES256-SHA" > > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > > ! key exchange with RSA authentication.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
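Review bot: stray comma in the smtp_tls_exclude_ciphers explanation: "The first setting, disables anonymous ciphers" should be "The first setting disables anonymous ciphers".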
    > > ! > > !
    smtp_tls_fingerprint_cert_match > > ! (default: empty)
    > > ! > > !

    List of acceptable remote SMTP server certificate fingerprints for > > ! the "fingerprint" TLS security level (smtp_tls_security_level = > > ! fingerprint). At this security level, certificate authorities are not > > ! used, and certificate expiration times are ignored. Instead, server > > ! certificates are verified directly via their certificate fingerprint > > ! or public key fingerprint (Postfix 2.9 and later). The fingerprint > > ! is a message digest of the server certificate (or public key). The > > ! digest algorithm is selected via the smtp_tls_fingerprint_digest > > ! parameter.

    > > ! > > !

    When an smtp_tls_policy_maps table entry specifies the > > ! "fingerprint" security level, any "match" attributes in that entry specify > > ! the list of valid fingerprints for the corresponding destination. Multiple > > ! fingerprints can be combined with a "|" delimiter in a single match > > ! attribute, or multiple match attributes can be employed.

    > > ! > > !

    Example: Certificate fingerprint verification with internal mailhub. > > ! Two matching fingerprints are listed. The relayhost may be multiple > > ! physical hosts behind a load-balancer, each with its own private/public > > ! key and self-signed certificate. Alternatively, a single relayhost may > > ! be in the process of switching from one set of private/public keys to > > ! another, and both keys are trusted just prior to the transition.

    > > ! > > !
    > > !
    > > ! relayhost = [mailhub.example.com]
    > > ! smtp_tls_security_level = fingerprint
    > > ! smtp_tls_fingerprint_digest = md5
    > > ! smtp_tls_fingerprint_cert_match =
    > > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 
    > > !
    > > ! > > !

    Example: Certificate fingerprint verification with selected destinations. > > ! As in the example above, we show two matching fingerprints:

    > > ! > > !
    > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > > !     smtp_tls_fingerprint_digest = md5
    > > ! 
    > > !
    > > ! > > !
    > > !
    > > ! /etc/postfix/tls_policy:
    > > !     example.com	fingerprint
    > > !         match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !         match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 
    > > !
    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_fingerprint_digest > > ! (default: md5)
    > > ! > > !

    The message digest algorithm used to construct remote SMTP server > > ! certificate fingerprints. At the "fingerprint" TLS security level > > ! (smtp_tls_security_level = fingerprint), the server certificate is > > ! verified by directly matching its certificate fingerprint or its public > > ! key fingerprint (Postfix 2.9 and later). The fingerprint is the > > ! message digest of the server certificate (or its public key) > > ! using the selected > > ! algorithm. With a digest algorithm resistant to "second pre-image" > > ! attacks, it is not feasible to create a new public key and a matching > > ! certificate (or public/private key-pair) that has the same fingerprint.

    > > ! > > !

    The default algorithm is md5; this is consistent with > > ! the backwards compatible setting of the digest used to verify client > > ! certificates in the SMTP server.

    > > ! > > !

    The best practice algorithm is now sha1. Recent advances in hash > > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > > ! However, as long as there are no known "second pre-image" attacks > > ! against md5, its use in this context can still be considered safe. > > !

    > > ! > > !

    While additional digest algorithms are often available with OpenSSL's > > ! libcrypto, only those used by libssl in SSL cipher suites are available to > > ! Postfix. For now this means just md5 or sha1.

    > > ! > > !

    To find the fingerprint of a specific certificate file, with a > > ! specific digest algorithm, run: > > !

    > > ! > > !
    > > !
    > > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
    > > ! 
    > > !
    > > ! > > !

    The text to the right of "=" sign is the desired fingerprint. > > ! For example:

    > > ! > > !
    > > !
    > > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
    > > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
    > > ! 
    > > !
    > > ! > > !

    Public key fingerprints are more difficult to extract, however, > > ! the SHA-1 public key fingerprint is often present as the value of the > > ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix > > ! SMTP server and client log the peer certificate fingerprint and public > > ! key fingerprint when TLS loglevel is 1 or higher.

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
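Review bot: in the smtp_tls_fingerprint_digest section, the command "openssl x509 -noout -fingerprint -digest -in certfile.pem" reads as if "-digest" were a literal option once the HTML italics are lost in this diff; consider writing it as "-<digest>" or adding "where digest is md5 or sha1" beside it, matching the "-sha1" example that follows. Also, the two smtp_tls_fingerprint_cert_match examples set "smtp_tls_fingerprint_digest = md5" while this section states that "The best practice algorithm is now sha1"; the examples would be more consistent with the recommendation if they used sha1 fingerprints.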
    > > ! > > !
    smtp_tls_key_file > > ! (default: $smtp_tls_cert_file)
    > > ! > > !

    File with the Postfix SMTP client RSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP client RSA certificate > > ! file specified with $smtp_tls_cert_file.

    > > ! > > !

    The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_key_file = $smtp_tls_cert_file
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_loglevel > > ! (default: 0)
    > > ! > > !

    Enable additional Postfix SMTP client logging of TLS activity. > > ! Each logging level also includes the information that is logged at > > ! a lower logging level.

    > > ! > > !
    > > ! > > !
    0 Log only a summary message on TLS handshake completion > > ! — no logging of remote SMTP server certificate trust-chain > > ! verification errors if server certificate verification is not required. > > ! With Postfix 2.8 and earlier, disable logging of TLS activity.
    > > ! > > !
    1 Also log remote SMTP server trust-chain verification > > ! errors and peer certificate summary information. With Postfix 2.8 > > ! and earlier, log TLS handshake and certificate information.
    > > ! > > !
    2 Also log levels during TLS negotiation.
    > > ! > > !
    3 Also log hexadecimal and ASCII dump of TLS negotiation > > ! process.
    > > ! > > !
    4 Also log hexadecimal and ASCII dump of complete > > ! transmission after STARTTLS.
    > > ! > > !
    > > ! > > !

    Do not use "smtp_tls_loglevel = 2" or higher except in case of > > ! problems. Use of loglevel 4 is strongly discouraged.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
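Review bot: in the smtp_tls_loglevel table, the level-4 entry ("Also log hexadecimal and ASCII dump of complete transmission after STARTTLS") and the closing sentence ("Use of loglevel 4 is strongly discouraged") never say why, and that is the point a reader needs: at level 4 the decrypted session is written to the mail log, so message headers and bodies, and anything else the client sends after STARTTLS such as SASL credentials for a relayhost, end up in a file that typically has broader read access and longer retention than the mail queue itself. Suggest adding one sentence to the level-4 entry stating that it records traffic content in the log, that levels 3 and 4 should be enabled only temporarily while debugging a specific peer and reverted afterwards, and that the resulting log entries must be treated as sensitive.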
    > > ! > > !
    smtp_tls_mandatory_ciphers > > ! (default: medium)
    > > ! > > !

    The minimum TLS cipher grade that the Postfix SMTP client will > > ! use with > > ! mandatory TLS encryption. The default value "medium" is suitable > > ! for most destinations with which you may want to enforce TLS, and > > ! is beyond the reach of today's cryptanalytic methods. See > > ! smtp_tls_policy_maps for information on how to configure ciphers > > ! on a per-destination basis.

    > > ! > > !

    The following cipher grades are supported:

    > > ! > > !
    > > !
    export
    > > !
    Enable "EXPORT" grade or better OpenSSL > > ! ciphers. This is the default for opportunistic encryption. It is > > ! not recommended for mandatory encryption unless you must enforce TLS > > ! with "crippled" peers. The underlying cipherlist is specified via the > > ! tls_export_cipherlist configuration parameter, which you are strongly > > ! encouraged to not change.
    > > ! > > !
    low
    > > !
    Enable "LOW" grade or better OpenSSL ciphers. This > > ! setting is only appropriate for internal mail servers. The underlying > > ! cipherlist is specified via the tls_low_cipherlist configuration > > ! parameter, which you are strongly encouraged to not change.
    > > ! > > !
    medium
    > > !
    Enable "MEDIUM" grade or better OpenSSL ciphers. > > ! The underlying cipherlist is specified via the tls_medium_cipherlist > > ! configuration parameter, which you are strongly encouraged to not change. > > !
    > > ! > > !
    high
    > > !
    Enable only "HIGH" grade OpenSSL ciphers. This setting may > > ! be appropriate when all mandatory TLS destinations (e.g. when all > > ! mail is routed to a suitably capable relayhost) support at least one > > ! "HIGH" grade cipher. The underlying cipherlist is specified via the > > ! tls_high_cipherlist configuration parameter, which you are strongly > > ! encouraged to not change.
    > > ! > > !
    null
    > > !
    Enable only the "NULL" OpenSSL ciphers, these provide authentication > > ! without encryption. This setting is only appropriate in the rare case > > ! that all servers are prepared to use NULL ciphers (not normally enabled > > ! in TLS servers). A plausible use-case is an LMTP server listening on a > > ! UNIX-domain socket that is configured to support "NULL" ciphers. The > > ! underlying cipherlist is specified via the tls_null_cipherlist > > ! configuration parameter, which you are strongly encouraged to not > > ! change.
    > > ! > > !
    > > ! > > !

    The underlying cipherlists for grades other than "null" include > > ! anonymous ciphers, but these are automatically filtered out if the > > ! Postfix SMTP client is configured to verify server certificates. > > ! You are very unlikely to need to take any steps to exclude anonymous > > ! ciphers, they are excluded automatically as necessary. If you must > > ! exclude anonymous ciphers at the "may" or "encrypt" security levels, > > ! when the Postfix SMTP client does not need or use peer certificates, set > > ! "smtp_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only when > > ! TLS is enforced, set "smtp_tls_mandatory_exclude_ciphers = aNULL".

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_mandatory_exclude_ciphers > > ! (default: empty)
    > > ! > > !

    Additional list of ciphers or cipher types to exclude from the > > ! Postfix SMTP client cipher list at mandatory TLS security levels. This list > > ! works in addition to the exclusions listed with smtp_tls_exclude_ciphers > > ! (see there for syntax details).

    > > ! > > !

    Starting with Postfix 2.6, the mandatory cipher exclusions can be > > ! specified on a per-destination basis via the TLS policy "exclude" > > ! attribute. See smtp_tls_policy_maps for notes and examples.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_mandatory_protocols > > ! (default: SSLv3, TLSv1)
    > > ! > > !

    List of SSL/TLS protocols that the Postfix SMTP client will use with > > ! mandatory TLS encryption. In main.cf the values are separated by > > ! whitespace, commas or colons. In the policy table "protocols" attribute > > ! (see smtp_tls_policy_maps) the only valid separator is colon. An > > ! empty value means allow all protocols. The valid protocol names, (see > > ! SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

    > > ! > > !

    With Postfix ≥ 2.5 the parameter syntax is expanded to support > > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > > ! "smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > > ! SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > > ! the protocols to include, rather than protocols to exclude, is still > > ! supported; use the form you find more intuitive.

    > > ! > > !

    Since SSL version 2 has known protocol weaknesses and is now > > ! deprecated, the default setting excludes "SSLv2". This means that by > > ! default, SSL version 2 will not be used at the "encrypt" security level > > ! and higher.

    > > ! > > !

    See the documentation of the smtp_tls_policy_maps parameter and > > ! TLS_README for more information about security levels.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_mandatory_protocols = TLSv1
    > > ! # Alternative form with Postfix ≥ 2.5:
    > > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_note_starttls_offer > > ! (default: no)
    > > ! > > !

    Log the hostname of a remote SMTP server that offers STARTTLS, > > ! when TLS is not already enabled for that server.

    > > ! > > !

    The logfile record looks like:

    > > ! > > !
    > > ! postfix/smtp[pid]:  Host offered STARTTLS: [name.of.host]
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_per_site > > ! (default: empty)
    > > ! > > !

    Optional lookup tables with the Postfix SMTP client TLS usage > > ! policy by next-hop destination and by remote SMTP server hostname. > > ! When both lookups succeed, the more specific per-site policy (NONE, > > ! MUST, etc) overrides the less specific one (MAY), and the more secure > > ! per-site policy (MUST, etc) overrides the less secure one (NONE). > > ! With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged: > > ! use smtp_tls_policy_maps instead.

    > > ! > > !

    Use of the bare hostname as the per-site table lookup key is > > ! discouraged. Always use the full destination nexthop (enclosed in > > ! [] with a possible ":port" suffix). A recipient domain or MX-enabled > > ! transport next-hop with no port suffix may look like a bare hostname, > > ! but is still a suitable destination.

    > > ! > > !

    Specify a next-hop destination or server hostname on the left-hand > > ! side; no wildcards are allowed. The next-hop destination is either > > ! the recipient domain, or the destination specified with a transport(5) > > ! table, the relayhost parameter, or the relay_transport parameter. > > ! On the right hand side specify one of the following keywords:

    > > ! > > !
    > > ! > > !
    NONE
    Don't use TLS at all. This overrides a less > > ! specific MAY lookup result from the alternate host or next-hop > > ! lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls, > > ! and smtp_tls_enforce_peername settings.
    > > ! > > !
    MAY
    Try to use TLS if the server announces support, > > ! otherwise use the unencrypted connection. This has less precedence > > ! than a more specific result (including NONE) from the alternate > > ! host or next-hop lookup key, and has less precedence than the more > > ! specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername > > ! = yes".
    > > ! > > !
    MUST_NOPEERMATCH
    Require TLS encryption, but do not > > ! require that the remote SMTP server hostname matches the information > > ! in the remote SMTP server certificate, or that the server certificate > > ! was issued by a trusted CA. This overrides a less secure NONE > > ! or a less specific MAY lookup result from the alternate host > > ! or next-hop lookup key, and overrides the global smtp_use_tls, > > ! smtp_enforce_tls and smtp_tls_enforce_peername settings.
    > > ! > > !
    MUST
    Require TLS encryption, require that the remote > > ! SMTP server hostname matches the information in the remote SMTP > > ! server certificate, and require that the remote SMTP server certificate > > ! was issued by a trusted CA. This overrides a less secure NONE > > ! and MUST_NOPEERMATCH or a less specific MAY lookup > > ! result from the alternate host or next-hop lookup key, and overrides > > ! the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername > > ! settings.
    > > ! > > !
    > > ! > > !

    The above keywords correspond to the "none", "may", "encrypt" and > > ! "verify" security levels for the new smtp_tls_security_level parameter > > ! introduced in Postfix 2.3. Starting with Postfix 2.3, and independently > > ! of how the policy is specified, the smtp_tls_mandatory_ciphers and > > ! smtp_tls_mandatory_protocols parameters apply when TLS encryption > > ! is mandatory. Connections for which encryption is optional typically > > ! enable all "export" grade and better ciphers (see smtp_tls_ciphers > > ! and smtp_tls_protocols).

    > > ! > > !

    As long as no secure DNS lookup mechanism is available, false > > ! hostnames in MX or CNAME responses can change the server hostname > > ! that Postfix uses for TLS policy lookup and server certificate > > ! verification. Even with a perfect match between the server hostname and > > ! the server certificate, there is no guarantee that Postfix is connected > > ! to the right server. See TLS_README (Closing a DNS loophole with obsolete > > ! per-site TLS policies) for a possible work-around.

    > > ! > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_policy_maps instead.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_policy_maps > > ! (default: empty)
    > > ! > > !

    Optional lookup tables with the Postfix SMTP client TLS security > > ! policy by next-hop destination; when a non-empty value is specified, > > ! this overrides the obsolete smtp_tls_per_site parameter. See > > ! TLS_README for a more detailed discussion of TLS security levels. > > !

    > > ! > > !

    The TLS policy table is indexed by the full next-hop destination, > > ! which is either the recipient domain, or the verbatim next-hop > > ! specified in the transport table, $local_transport, $virtual_transport, > > ! $relay_transport or $default_transport. This includes any enclosing > > ! square brackets and any non-default destination server port suffix. The > > ! LMTP socket type prefix (inet: or unix:) is not included in the lookup > > ! key.

    > > ! > > !

    Only the next-hop domain, or $myhostname with LMTP over UNIX-domain > > ! sockets, is used as the nexthop name for certificate verification. The > > ! port and any enclosing square brackets are used in the table lookup key, > > ! but are not used for server name verification.

    > > ! > > !

    When the lookup key is a domain name without enclosing square brackets > > ! or any :port suffix (typically the recipient domain), and the full > > ! domain is not found in the table, just as with the transport(5) table, > > ! the parent domain starting with a leading "." is matched recursively. This > > ! allows one to specify a security policy for a recipient domain and all > > ! its sub-domains.

    > > ! > > !

    The lookup result is a security level, followed by an optional list > > ! of whitespace and/or comma separated name=value attributes that override > > ! related main.cf settings. The TLS security levels in order of increasing > > ! security are:

    > > ! > > !
    > > ! > > !
    none
    > > !
    No TLS. No additional attributes are supported at this level.
    > > ! > > !
    may
    > > !
    Opportunistic TLS. Since sending in the clear is acceptable, > > ! demanding stronger than default TLS security merely reduces > > ! inter-operability. The optional "ciphers", "exclude" and "protocols" > > ! attributes (available for opportunistic TLS with Postfix ≥ 2.6) > > ! override the "smtp_tls_ciphers", "smtp_tls_exclude_ciphers" and > > ! "smtp_tls_protocols" configuration parameters. When opportunistic TLS > > ! handshakes fail, Postfix retries the connection with TLS disabled. > > ! This allows mail delivery to sites with non-interoperable TLS > > ! implementations.
    > > ! > > !
    encrypt
    Mandatory TLS encryption. At this level > > ! and higher, the optional "protocols" attribute overrides the main.cf > > ! smtp_tls_mandatory_protocols parameter, the optional "ciphers" attribute > > ! overrides the main.cf smtp_tls_mandatory_ciphers parameter, and the > > ! optional "exclude" attribute (Postfix ≥ 2.6) overrides the main.cf > > ! smtp_tls_mandatory_exclude_ciphers parameter. In the policy table, > > ! multiple protocols or excluded ciphers must be separated by colons, > > ! as attribute values may not contain whitespace or commas.
    > > ! > > !
    fingerprint
    Certificate fingerprint > > ! verification. Available with Postfix 2.5 and later. At this security > > ! level, there are no trusted certificate authorities. The certificate > > ! trust chain, expiration date, ... are not checked. Instead, > > ! the optional match attribute, or else the main.cf > > ! smtp_tls_fingerprint_cert_match parameter, lists the certificate > > ! fingerprints or the public key fingerprint (Postfix 2.9 and later) > > ! of the valid server certificate. The digest > > ! algorithm used to calculate the fingerprint is selected by the > > ! smtp_tls_fingerprint_digest parameter. Multiple fingerprints can > > ! be combined with a "|" delimiter in a single match attribute, or multiple > > ! match attributes can be employed. The ":" character is not used as a > > ! delimiter as it occurs between each pair of fingerprint (hexadecimal) > > ! digits.
    > > ! > > !
    verify
    Mandatory TLS verification. At this security > > ! level, DNS MX lookups are trusted to be secure enough, and the name > > ! verified in the server certificate is usually obtained indirectly via > > ! unauthenticated DNS MX lookups. The optional "match" attribute overrides > > ! the main.cf smtp_tls_verify_cert_match parameter. In the policy table, > > ! multiple match patterns and strategies must be separated by colons. > > ! In practice explicit control over matching is more common with the > > ! "secure" policy, described below.
    > > ! > > !
    secure
    Secure-channel TLS. At this security level, DNS > > ! MX lookups, though potentially used to determine the candidate next-hop > > ! gateway IP addresses, are not trusted to be secure enough for TLS > > ! peername verification. Instead, the default name verified in the server > > ! certificate is obtained directly from the next-hop, or is explicitly > > ! specified via the optional match attribute which overrides the > > ! main.cf smtp_tls_secure_cert_match parameter. In the policy table, > > ! multiple match patterns and strategies must be separated by colons. > > ! The match attribute is most useful when multiple domains are supported by > > ! common server, the policy entries for additional domains specify matching > > ! rules for the primary domain certificate. While transport table overrides > > ! routing the secondary domains to the primary nexthop also allow secure > > ! verification, they risk delivery to the wrong destination when domains > > ! change hands or are re-assigned to new gateways. With the "match" > > ! attribute approach, routing is not perturbed, and mail is deferred if > > ! verification of a new MX host fails.
    > > ! > > !
    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > > !     # Postfix 2.5 and later
    > > !     smtp_tls_fingerprint_digest = md5
    > > ! 
    > > ! > > !
    > > ! /etc/postfix/tls_policy:
    > > !     example.edu                 none
    > > !     example.mil                 may
    > > !     example.gov                 encrypt protocols=TLSv1
    > > !     example.com                 verify ciphers=high
    > > !     example.net                 secure
    > > !     .example.net                secure match=.example.net:example.net
    > > !     [mail.example.org]:587      secure match=nexthop
    > > !     # Postfix 2.5 and later
    > > !     [thumb.example.org]          fingerprint
    > > !     	match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 	match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > ! 
    > > ! > > !

    Note: The hostname strategy if listed in a non-default > > ! setting of smtp_tls_secure_cert_match or in the match attribute > > ! in the policy table can render the secure level vulnerable to > > ! DNS forgery. Do not use the hostname strategy for secure-channel > > ! configurations in environments where DNS security is not assured.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
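Review bot: the smtp_tls_policy_maps example pins the thumb.example.org certificate by MD5 (`smtp_tls_fingerprint_digest = md5` with two 16-byte `match=` values), and the fingerprint entry above it states that nothing else is checked at this level ("The certificate trust chain, expiration date, ... are not checked"), so the digest is the entire security of the match. MD5 is not collision resistant, which makes it a poor choice to show as the worked example for a level whose whole purpose is to bind trust to one certificate. Suggest the example use a SHA-2 digest name that OpenSSL accepts (for instance `smtp_tls_fingerprint_digest = sha256`) with correspondingly longer fingerprints, and that the text remind the reader that the digest configured here must be the one used when the fingerprints were taken (for example with `openssl x509 -noout -fingerprint -sha256`), since a digest mismatch fails closed and defers all mail to that destination.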
    > > ! > > !
    smtp_tls_protocols > > ! (default: !SSLv2)
    > > ! > > !

    List of TLS protocols that the Postfix SMTP client will exclude or > > ! include with opportunistic TLS encryption. Starting with Postfix 2.6, > > ! the Postfix SMTP client will by default not use the obsolete SSLv2 > > ! protocol.

    > > ! > > !

    In main.cf the values are separated by whitespace, commas or > > ! colons. In the policy table (see smtp_tls_policy_maps) the only valid > > ! separator is colon. An empty value means allow all protocols. The valid > > ! protocol names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" > > ! and "TLSv1".

    > > ! > > !

    To include a protocol list its name, to exclude it, prefix the name > > ! with a "!" character. To exclude SSLv2 even for opportunistic TLS set > > ! "smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set > > ! "smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to > > ! include, is supported, but not recommended. OpenSSL provides no mechanisms > > ! for excluding protocols not known at compile-time. If Postfix is linked > > ! against an OpenSSL library that supports additional protocol versions, > > ! they cannot be excluded using either syntax.

    > > ! > > !

    Example:

    > > !
    > > ! # TLSv1 only!
    > > ! smtp_tls_protocols = !SSLv2, !SSLv3
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.6 and later.

    > > ! > > ! > > !
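Review bot: the smtp_tls_mandatory_protocols entry (default "SSLv3, TLSv1") justifies only the exclusion of SSLv2 ("Since SSL version 2 has known protocol weaknesses ... the default setting excludes SSLv2"), so a reader can miss that SSLv3 stays enabled by default at the "encrypt" and higher levels, while the smtp_tls_protocols example in this region shows the stricter `smtp_tls_protocols = !SSLv2, !SSLv3` form. Suggest adding one sentence to the mandatory entry saying that SSLv3 remains permitted by default and that `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` (already the second form in its own example) is the setting to use where every mandatory-TLS peer speaks TLSv1. Separately, the comment `# TLSv1 only!` on the smtp_tls_protocols example contradicts the paragraph directly above it ("If Postfix is linked against an OpenSSL library that supports additional protocol versions, they cannot be excluded using either syntax"): the setting excludes SSLv2 and SSLv3, it does not restrict the client to TLSv1, so the comment should read something like `# Exclude SSLv2 and SSLv3`.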
    > > ! > > !
    smtp_tls_scert_verifydepth > > ! (default: 9)
    > > ! > > !

    The verification depth for remote SMTP server certificates. A depth > > ! of 1 is sufficient if the issuing CA is listed in a local CA file.

    > > ! > > !

    The default verification depth is 9 (the OpenSSL default) for > > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > > ! the default value was 5, but the limit was not actually enforced. If > > ! you have set this to a lower non-default value, certificates with longer > > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > > ! CAs are common, deeper chains are more rare and any number between 5 > > ! and 9 should suffice in practice. You can choose a lower number if, > > ! for example, you trust certificates directly signed by an issuing CA > > ! but not any CAs it delegates to.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_secure_cert_match > > ! (default: nexthop, dot-nexthop)
    > > ! > > !

    How the Postfix SMTP client verifies the server certificate > > ! peername for the > > ! "secure" TLS security level. In a "secure" TLS policy table > > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > > ! overrides this main.cf setting.

    > > ! > > !

    This parameter specifies one or more patterns or strategies separated > > ! by commas, whitespace or colons. In the policy table the only valid > > ! separator is the colon character.

    > > ! > > !

    For a description of the pattern and strategy syntax see the > > ! smtp_tls_verify_cert_match parameter. The "hostname" strategy should > > ! be avoided in this context, as in the absence of a secure global DNS, using > > ! the results of MX lookups in certificate verification is not immune to active > > ! (man-in-the-middle) attacks on DNS.

    > > ! > > !

    > > ! Sample main.cf setting: > > !

    > > ! > > !
    > > !
    > > ! smtp_tls_secure_cert_match = nexthop
    > > ! 
    > > !
    > > ! > > !

    > > ! Sample policy table override: > > !

    > > ! > > !
    > > !
    > > ! example.net     secure match=example.com:.example.com
    > > ! .example.net    secure match=example.com:.example.com
    > > ! 
    > > !
    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_security_level > > ! (default: empty)
    > > ! > > !

    The default SMTP TLS security level for the Postfix SMTP client; > > ! when a non-empty value is specified, this overrides the obsolete > > ! parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. > > !

    > > ! > > !

    Specify one of the following security levels:

    > > ! > > !
    > > ! > > !
    none
    TLS will not be used unless enabled for specific > > ! destinations via smtp_tls_policy_maps.
    > > ! > > !
    may
    > > !
    Opportunistic TLS. Use TLS if this is supported by the remote > > ! SMTP server, otherwise use plaintext. Since > > ! sending in the clear is acceptable, demanding stronger than default TLS > > ! security merely reduces inter-operability. > > ! The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6) > > ! configuration parameters provide control over the protocols and > > ! cipher grade used with opportunistic TLS. With earlier releases the > > ! opportunistic TLS cipher grade is always "export" and no protocols > > ! are disabled. > > ! When TLS handshakes fail, the connection is retried with TLS disabled. > > ! This allows mail delivery to sites with non-interoperable TLS > > ! implementations.
    > > ! > > !
    encrypt
    Mandatory TLS encryption. Since a minimum > > ! level of security is intended, it is reasonable to be specific about > > ! sufficiently secure protocol versions and ciphers. At this security level > > ! and higher, the main.cf parameters smtp_tls_mandatory_protocols and > > ! smtp_tls_mandatory_ciphers specify the TLS protocols and minimum > > ! cipher grade which the administrator considers secure enough for > > ! mandatory encrypted sessions. This security level is not an appropriate > > ! default for systems delivering mail to the Internet.
    > > ! > > !
    fingerprint
    Certificate fingerprint > > ! verification. Available with Postfix 2.5 and later. At this security > > ! level, there are no trusted certificate authorities. The certificate > > ! trust chain, expiration date, ... are not checked. Instead, the > > ! smtp_tls_fingerprint_cert_match parameter lists the certificate > > ! fingerprint or public key fingerprint (Postfix 2.9 and later) of > > ! the valid server certificate. The digest > > ! algorithm used to calculate the fingerprint is selected by the > > ! smtp_tls_fingerprint_digest parameter.
    > > ! > > !
    verify
    Mandatory TLS verification. At this security > > ! level, DNS MX lookups are trusted to be secure enough, and the name > > ! verified in the server certificate is usually obtained indirectly > > ! via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match > > ! parameter controls how the server name is verified. In practice explicit > > ! control over matching is more common at the "secure" level, described > > ! below. This security level is not an appropriate default for systems > > ! delivering mail to the Internet.
    > > ! > > !
    secure
    Secure-channel TLS. At this security level, > > ! DNS MX lookups, though potentially used to determine the candidate > > ! next-hop gateway IP addresses, are not trusted to be secure enough > > ! for TLS peername verification. Instead, the default name verified in > > ! the server certificate is obtained from the next-hop domain as specified > > ! in the smtp_tls_secure_cert_match configuration parameter. The default > > ! matching rule is that a server certificate matches when its name is equal > > ! to or is a sub-domain of the nexthop domain. This security level is not > > ! an appropriate default for systems delivering mail to the Internet.
    > > ! > > !
    > > ! > > !

    > > ! Examples: > > !

    > > ! > > !
    > > ! # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    > > ! smtp_tls_security_level = none
    > > ! 
    > > ! > > !
    > > ! # Opportunistic TLS.
    > > ! smtp_tls_security_level = may
    > > ! # Postfix ≥ 2.6:
    > > ! # Do not tweak opportunistic ciphers or protocol unless it is essential
    > > ! # to do so (if a security vulnerability is found in the SSL library that
    > > ! # can be mitigated by disabling a particular protocol or raising the
    > > ! # cipher grade from "export" to "low" or "medium").
    > > ! smtp_tls_ciphers = export
    > > ! smtp_tls_protocols = !SSLv2
    > > ! 
    > > ! > > !
    > > ! # Mandatory (high-grade) TLS encryption.
    > > ! smtp_tls_security_level = encrypt
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! 
    > > ! > > !
    > > ! # Mandatory TLS verification of hostname or nexthop domain.
    > > ! smtp_tls_security_level = verify
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > > ! 
    > > ! > > !
    > > ! # Secure channel TLS with exact nexthop name match.
    > > ! smtp_tls_security_level = secure
    > > ! smtp_tls_mandatory_protocols = TLSv1
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_secure_cert_match = nexthop
    > > ! 
    > > ! > > !
    > > ! # Certificate fingerprint verification (Postfix ≥ 2.5).
    > > ! # The CA-less "fingerprint" security level only scales to a limited
    > > ! # number of destinations. As a global default rather than a per-site
    > > ! # setting, this is practical when mail for all recipients is sent
    > > ! # to a central mail hub.
    > > ! relayhost = [mailhub.example.com]
    > > ! smtp_tls_security_level = fingerprint
    > > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_fingerprint_cert_match =
    > > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_session_cache_database > > ! (default: empty)
    > > ! > > !

    Name of the file containing the optional Postfix SMTP client > > ! TLS session cache. Specify a database type that supports enumeration, > > ! such as btree or sdbm; there is no need to support > > ! concurrent access. The file is created if it does not exist. The smtp(8) > > ! daemon does not use this parameter directly, rather the cache is > > ! implemented indirectly in the tlsmgr(8) daemon. This means that > > ! per-smtp-instance master.cf overrides of this parameter are not effective. > > ! Note, that each of the cache databases supported by tlsmgr(8) daemon: > > ! $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to > > ! be stored separately. It is not at this time possible to store multiple > > ! caches in a single database.

    > > ! > > !

    Note: dbm databases are not suitable. TLS > > ! session objects are too large.

    > > ! > > !

    As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file. The file should now be stored under the Postfix-owned > > ! data_directory. As a migration aid, an attempt to open the file > > ! under a non-Postfix directory is redirected to the Postfix-owned > > ! data_directory, and a warning is logged.

    > > ! > > !

    Example:

    > > ! > > !
    > > ! smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_session_cache_timeout > > ! (default: 3600s)
    > > ! > > !

    The expiration time of Postfix SMTP client TLS session cache > > ! information. A cache cleanup is performed periodically > > ! every $smtp_tls_session_cache_timeout seconds. As with > > ! $smtp_tls_session_cache_database, this parameter is implemented in the > > ! tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides > > ! are not possible.

    > > ! > > !

    This feature is available in Postfix 2.2 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_tls_verify_cert_match > > ! (default: hostname)
    > > ! > > !

    How the Postfix SMTP client verifies the server certificate > > ! peername for the > > ! "verify" TLS security level. In a "verify" TLS policy table > > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > > ! overrides this main.cf setting.

    > > ! > > !

    This parameter specifies one or more patterns or strategies separated > > ! by commas, whitespace or colons. In the policy table the only valid > > ! separator is the colon character.

    > > ! > > !

    Patterns specify domain names, or domain name suffixes:

    > > ! > > !
    > > ! > > !
    example.com
    Match the example.com domain, > > ! i.e. one of the names the server certificate must be example.com, > > ! upper and lower case distinctions are ignored.
    > > ! > > !
    .example.com
    > > !
    Match subdomains of the example.com domain, i.e. match > > ! a name in the server certificate that consists of a non-zero number of > > ! labels followed by a .example.com suffix. Case distinctions are > > ! ignored.
    > > ! > > !
    > > ! > > !

    Strategies specify a transformation from the next-hop domain > > ! to the expected name in the server certificate:

    > > ! > > !
    > > ! > > !
    nexthop
    > > !
    Match against the next-hop domain, which is either the recipient > > ! domain, or the transport next-hop configured for the domain stripped of > > ! any optional socket type prefix, enclosing square brackets and trailing > > ! port. When MX lookups are not suppressed, this is the original nexthop > > ! domain prior to the MX lookup, not the result of the MX lookup. For > > ! LMTP delivery via UNIX-domain sockets, the verified next-hop name is > > ! $myhostname. This strategy is suitable for use with the "secure" > > ! policy. Case is ignored.
    > > ! > > !
    dot-nexthop
    > > !
    As above, but match server certificate names that are subdomains > > ! of the next-hop domain. Case is ignored.
    > > ! > > !
    hostname
    Match against the hostname of the server, often > > ! obtained via an unauthenticated DNS MX lookup. For LMTP delivery via > > ! UNIX-domain sockets, the verified name is $myhostname. This matches > > ! the verification strategy of the "MUST" keyword in the obsolete > > ! smtp_tls_per_site table, and is suitable for use with the "verify" > > ! security level. When the next-hop name is enclosed in square brackets > > ! to suppress MX lookups, the "hostname" strategy is the same as the > > ! "nexthop" strategy. Case is ignored.
    > > ! > > !
    > > ! > > !

    > > ! Sample main.cf setting: > > !

    > > ! > > !
    > > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > > ! 
    > > ! > > !

    > > ! Sample policy table override: > > !

    > > ! > > !
    > > ! example.com     verify  match=hostname:nexthop
    > > ! .example.com    verify  match=example.com:.example.com:hostname
    > > ! 
    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtp_use_tls > > ! (default: no)
    > > ! > > !

    Opportunistic mode: use TLS when a remote SMTP server announces > > ! STARTTLS support, otherwise send the mail in the clear. Beware: > > ! some SMTP servers offer STARTTLS even if it is not configured. With > > ! Postfix < 2.3, if the TLS handshake fails, and no other server is > > ! available, delivery is deferred and mail stays in the queue. If this > > ! is a concern for you, use the smtp_tls_per_site feature instead.

    > > ! > > !

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > ! > > ! > > !
    > > ! > > !
    smtp_xforward_timeout > > ! (default: 300s)
    > > ! > > !

    > > ! The Postfix SMTP client time limit for sending the XFORWARD command, > > ! and for receiving the remote SMTP server response. > > !

    > > ! > > !

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtpd_authorized_verp_clients > > ! (default: $authorized_verp_clients)
    > > ! > > !

    What remote SMTP clients are allowed to specify the XVERP command. > > ! This command requests that mail be delivered one recipient at a > > ! time with a per recipient return address.

    > > ! > > !

    By default, no clients are allowed to specify XVERP.

    > > ! > > !

    This parameter was renamed with Postfix version 2.1. The default value > > ! is backwards compatible with Postfix version 2.0.

    > > ! > > !

    Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also specify hostnames or > > ! .domain names (the initial dot causes the domain to match any name > > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > > ! pattern is replaced by its contents; a "type:table" lookup table > > ! is matched when a table entry matches a lookup string (the lookup > > ! result is ignored). Continue long lines by starting the next line > > ! with whitespace. Specify "!pattern" to exclude an address or network > > ! block from the list. The form "!/file/name" is supported only in > > ! Postfix version 2.4 and later.

    > > ! > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_authorized_verp_clients value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_authorized_xclient_hosts > > ! (default: empty)
    > > ! > > !

    > > ! What remote SMTP clients are allowed to use the XCLIENT feature. This > > ! command overrides remote SMTP client information that is used for access > > ! control. Typical use is for SMTP-based content filters, fetchmail-like > > ! programs, or SMTP server access rule testing. See the XCLIENT_README > > ! document for details. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > !

    > > ! By default, no clients are allowed to specify XCLIENT. > > !

    > > ! > > !

    > > ! Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also specify hostnames or > > ! .domain names (the initial dot causes the domain to match any name > > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > > ! pattern is replaced by its contents; a "type:table" lookup table > > ! is matched when a table entry matches a lookup string (the lookup > > ! result is ignored). Continue long lines by starting the next line > > ! with whitespace. Specify "!pattern" to exclude an address or network > > ! block from the list. The form "!/file/name" is supported only in > > ! Postfix version 2.4 and later.

    > > ! > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_authorized_xclient_hosts value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_authorized_xforward_hosts > > ! (default: empty)
    > > ! > > !

    > > ! What remote SMTP clients are allowed to use the XFORWARD feature. This > > ! command forwards information that is used to improve logging after > > ! SMTP-based content filters. See the XFORWARD_README document for > > ! details. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.1 and later. > > !

    > > ! > > !

    > > ! By default, no clients are allowed to specify XFORWARD. > > !

    > > ! > > !

    > > ! Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also specify hostnames or > > ! .domain names (the initial dot causes the domain to match any name > > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > > ! pattern is replaced by its contents; a "type:table" lookup table > > ! is matched when a table entry matches a lookup string (the lookup > > ! result is ignored). Continue long lines by starting the next line > > ! with whitespace. Specify "!pattern" to exclude an address or network > > ! block from the list. The form "!/file/name" is supported only in > > ! Postfix version 2.4 and later.

    > > ! > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_authorized_xforward_hosts value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_banner > > ! (default: $myhostname ESMTP $mail_name)
    > > ! > > !

    > > ! The text that follows the 220 status code in the SMTP greeting > > ! banner. Some people like to see the mail version advertised. By > > ! default, Postfix shows no version. > > !

    > > ! > > !

    > > ! You MUST specify $myhostname at the start of the text. This is > > ! required by the SMTP protocol. > > !

    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_connection_count_limit > > ! (default: 50)
    > > ! > > !

    > > ! How many simultaneous connections any client is allowed to > > ! make to this service. By default, the limit is set to half > > ! the default process limit value. > > !

    > > ! > > !

    > > ! To disable this feature, specify a limit of 0. > > !

    > > ! > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_connection_rate_limit > > ! (default: 0)
    > > ! > > !

    > > ! The maximal number of connection attempts any client is allowed to > > ! make to this service per time unit. The time unit is specified > > ! with the anvil_rate_time_unit configuration parameter. > > !

    > > ! > > !

    > > ! By default, a client can make as many connections per time unit as > > ! Postfix can accept. > > !

    > > ! > > !

    > > ! To disable this feature, specify a limit of 0. > > !

    > > ! > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtpd_client_connection_rate_limit = 1000
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_event_limit_exceptions > > ! (default: $mynetworks)
    > > ! > > !

    > > ! Clients that are excluded from smtpd_client_*_count/rate_limit > > ! restrictions. See the mynetworks parameter > > ! description for the parameter value syntax. > > !

    > > ! > > !

    > > ! By default, clients in trusted networks are excluded. Specify a > > ! list of network blocks, hostnames or .domain names (the initial > > ! dot causes the domain to match any name below it). > > !

    > > ! > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_client_event_limit_exceptions value, and > > ! in files specified with "/file/name". IP version 6 addresses > > ! contain the ":" character, and would otherwise be confused with a > > ! "type:table" pattern.

    > > ! > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_message_rate_limit > > ! (default: 0)
    > > ! > > !

    > > ! The maximal number of message delivery requests that any client is > > ! allowed to make to this service per time unit, regardless of whether > > ! or not Postfix actually accepts those messages. The time unit is > > ! specified with the anvil_rate_time_unit configuration parameter. > > !

    > > ! > > !

    > > ! By default, a client can send as many message delivery requests > > ! per time unit as Postfix can accept. > > !

    > > ! > > !

    > > ! To disable this feature, specify a limit of 0. > > !

    > > ! > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtpd_client_message_rate_limit = 1000
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_new_tls_session_rate_limit > > ! (default: 0)
    > > ! > > !

    > > ! The maximal number of new (i.e., uncached) TLS sessions that a > > ! remote SMTP client is allowed to negotiate with this service per > > ! time unit. The time unit is specified with the anvil_rate_time_unit > > ! configuration parameter. > > !

    > > ! > > !

    > > ! By default, a remote SMTP client can negotiate as many new TLS > > ! sessions per time unit as Postfix can accept. > > !

    > > ! > > !

    > > ! To disable this feature, specify a limit of 0. Otherwise, specify > > ! a limit that is at least the per-client concurrent session limit, > > ! or else legitimate client sessions may be rejected. > > !

    > > ! > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.3 and later. > > !

    > > ! > > !

    > > ! Example: > > !

    > > ! > > !
    > > ! smtpd_client_new_tls_session_rate_limit = 100
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_port_logging > > ! (default: no)
    > > ! > > !

    Enable logging of the remote SMTP client port in addition to > > ! the hostname and IP address. The logging format is "host[address]:port". > > !

    > > ! > > !

    This feature is available in Postfix 2.5 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_recipient_rate_limit > > ! (default: 0)
    > > ! > > !

    > > ! The maximal number of recipient addresses that any client is allowed > > ! to send to this service per time unit, regardless of whether or not > > ! Postfix actually accepts those recipients. The time unit is specified > > ! with the anvil_rate_time_unit configuration parameter. > > !

    > > ! > > !

    > > ! By default, a client can send as many recipient addresses per time > > ! unit as Postfix can accept. > > !

    > > ! > > !

    > > ! To disable this feature, specify a limit of 0. > > !

    > > ! > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > ! > > !

    > > ! Example: > > !

    > > > >
    > > ! smtpd_client_recipient_rate_limit = 1000
    > > ! 
    > > ! > > ! > > !
    > > ! > > !
    smtpd_client_restrictions > > ! (default: empty)
    > > ! > > !

    > > ! Optional Postfix SMTP server access restrictions in the context of > > ! a remote SMTP client connection request. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > > !

    > > ! > > !

    > > ! The default is to allow all connection requests. > > !

    > > ! > > !

    > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > > !

    > > ! > > !

    > > ! The following restrictions are specific to client hostname or > > ! client network address information. > > !

    > > ! > > !
    > > ! > > !
    check_ccert_access type:table
    > > ! > > !
    Use the remote SMTP client certificate fingerprint or the public key > > ! fingerprint (Postfix 2.9 and later) as lookup key for the specified > > ! access(5) database; with Postfix version 2.2, also require that the > > ! remote SMTP client certificate is verified successfully. > > ! The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5). This feature is available with Postfix version > > ! 2.2 and later.
    > > ! > > !
    check_client_access type:table
    > > ! > > !
    Search the specified access database for the client hostname, > > ! parent domains, client IP address, or networks obtained by stripping > > ! least significant octets. See the access(5) manual page for details.
    > > ! > > !
    check_client_mx_access type:table
    > > ! > > !
    Search the specified access(5) database for the MX hosts for the > > ! client hostname, and execute the corresponding action. Note: a result > > ! of "OK" is not allowed for safety reasons. Instead, use DUNNO in order > > ! to exclude specific hosts from blacklists. This feature is available > > ! in Postfix 2.7 and later.
    > > ! > > !
    check_client_ns_access type:table
    > > ! > > !
    Search the specified access(5) database for the DNS servers for > > ! the client hostname, and execute the corresponding action. Note: a > > ! result of "OK" is not allowed for safety reasons. Instead, use DUNNO > > ! in order to exclude specific hosts from blacklists. This feature is > > ! available in Postfix 2.7 and later.
    > > ! > > !
    check_reverse_client_hostname_access type:table
    > > ! > > !
    Search the specified access database for the unverified reverse > > ! client hostname, parent domains, client IP address, or networks > > ! obtained by stripping least significant octets. See the access(5) > > ! manual page for details. Note: a result of "OK" is not allowed for > > ! safety reasons. Instead, use DUNNO in order to exclude specific > > ! hosts from blacklists. This feature is available in Postfix 2.6 > > ! and later.
    > > ! > > !
    check_reverse_client_hostname_mx_access type:table
    > > ! > > !
    Search the specified access(5) database for the MX hosts for the > > ! unverified reverse client hostname, and execute the corresponding > > ! action. Note: a result of "OK" is not allowed for safety reasons. > > ! Instead, use DUNNO in order to exclude specific hosts from blacklists. > > ! This feature is available in Postfix 2.7 and later.
    > > ! > > !
    check_reverse_client_hostname_ns_access type:table
    > > ! > > !
    Search the specified access(5) database for the DNS servers for > > ! the unverified reverse client hostname, and execute the corresponding > > ! action. Note: a result of "OK" is not allowed for safety reasons. > > ! Instead, use DUNNO in order to exclude specific hosts from blacklists. > > ! This feature is available in Postfix 2.7 and later.
    > > ! > > !
    permit_inet_interfaces
    > > ! > > !
    Permit the request when the client IP address matches > > ! $inet_interfaces.
    > > ! > > !
    permit_mynetworks
    > > ! > > !
    Permit the request when the client IP address matches any > > ! network or network address listed in $mynetworks.
    > > ! > > !
    permit_sasl_authenticated
    > > ! > > !
    Permit the request when the client is successfully > > ! authenticated via the RFC 4954 (AUTH) protocol.
    > > ! > > !
    permit_tls_all_clientcerts
    > > ! > > !
    Permit the request when the remote SMTP client certificate is > > ! verified successfully. This option must be used only if a special > > ! CA issues the certificates and only this CA is listed as trusted > > ! CA. Otherwise, clients with a third-party certificate would also > > ! be allowed to relay. Specify "tls_append_default_CA = no" when the > > ! trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath, > > ! to prevent Postfix from appending the system-supplied default CAs. > > ! This feature is available with Postfix version 2.2.
    > > ! > > !
    permit_tls_clientcerts
    > > ! > > !
    Permit the request when the remote SMTP client certificate > > ! fingerprint or public key fingerprint (Postfix 2.9 and later) is > > ! listed in $relay_clientcerts. > > ! The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5). This feature is available with Postfix version > > ! 2.2.
    > > ! > > !
    reject_rbl_client rbl_domain=d.d.d.d
    > > ! > > !
    Reject the request when the reversed client network address is > > ! listed with the A record "d.d.d.d" under rbl_domain > > ! (Postfix version 2.1 and later only). Each "d" is a number, > > ! or a pattern inside "[]" that contains one or more ";"-separated > > ! numbers or number..number ranges (Postfix version 2.8 and later). > > ! If no "=d.d.d.d" is specified, reject the request when the > > ! reversed client network address is listed with any A record under > > ! rbl_domain.
    > > ! The maps_rbl_reject_code parameter specifies the response code for > > ! rejected requests (default: 554), the default_rbl_reply parameter > > ! specifies the default server reply, and the rbl_reply_maps parameter > > ! specifies tables with server replies indexed by rbl_domain. > > ! This feature is available in Postfix 2.0 and later.
    > > ! > > !
    permit_dnswl_client dnswl_domain=d.d.d.d
    > > ! > > !
    Accept the request when the reversed client network address is > > ! listed with the A record "d.d.d.d" under dnswl_domain. > > ! Each "d" is a number, or a pattern inside "[]" that contains > > ! one or more ";"-separated numbers or number..number ranges. > > ! If no "=d.d.d.d" is specified, accept the request when the > > ! reversed client network address is listed with any A record under > > ! dnswl_domain.
    For safety, permit_dnswl_client is silently > > ! ignored when it would override reject_unauth_destination. The > > ! result is DEFER_IF_REJECT when whitelist lookup fails. This feature > > ! is available in Postfix 2.8 and later.
    > > ! > > !
    reject_rhsbl_client rbl_domain=d.d.d.d
    > > ! > > !
    Reject the request when the client hostname is listed with the > > ! A record "d.d.d.d" under rbl_domain (Postfix version > > ! 2.1 and later only). Each "d" is a number, or a pattern > > ! inside "[]" that contains one or more ";"-separated numbers or > > ! number..number ranges (Postfix version 2.8 and later). If no > > ! "=d.d.d.d" is specified, reject the request when the client > > ! hostname is listed with > > ! any A record under rbl_domain. See the reject_rbl_client > > ! description above for additional RBL related configuration parameters. > > ! This feature is available in Postfix 2.0 and later; with Postfix > > ! version 2.8 and later, reject_rhsbl_reverse_client will usually > > ! produce better results.
    > > ! > > !
    permit_rhswl_client rhswl_domain=d.d.d.d
    > > ! > > !
    Accept the request when the client hostname is listed with the > > ! A record "d.d.d.d" under rhswl_domain. Each "d" > > ! is a number, or a pattern inside "[]" that contains one or more > > ! ";"-separated numbers or number..number ranges. If no > > ! "=d.d.d.d" is specified, accept the request when the client > > ! hostname is listed with any A record under rhswl_domain. > > !
    Caution: client name whitelisting is fragile, since the client > > ! name lookup can fail due to temporary outages. Client name > > ! whitelisting should be used only to reduce false positives in e.g. > > ! DNS-based blocklists, and not for making access rule exceptions. > > !
    For safety, permit_rhswl_client is silently ignored when it > > ! would override reject_unauth_destination. The result is DEFER_IF_REJECT > > ! when whitelist lookup fails. This feature is available in Postfix > > ! 2.8 and later.
    > > ! > > !
    reject_rhsbl_reverse_client rbl_domain=d.d.d.d
    > > ! > > !
    Reject the request when the unverified reverse client hostname > > ! is listed with the A record "d.d.d.d" under rbl_domain. > > ! Each "d" is a number, or a pattern inside "[]" that contains > > ! one or more ";"-separated numbers or number..number ranges. > > ! If no "=d.d.d.d" is specified, reject the request when the > > ! unverified reverse client hostname is listed with any A record under > > ! rbl_domain. See the reject_rbl_client description above for > > ! additional RBL related configuration parameters. This feature is > > ! available in Postfix 2.8 and later.
    > > ! > > !
    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    > > ! > > !
    Reject the request when 1) the client IP address->name mapping > > ! fails, 2) the name->address mapping fails, or 3) the name->address > > ! mapping does not match the client IP address.
    This is a > > ! stronger restriction than the reject_unknown_reverse_client_hostname > > ! feature, which triggers only under condition 1) above.
    The > > ! unknown_client_reject_code parameter specifies the response code > > ! for rejected requests (default: 450). The reply is always 450 in > > ! case the address->name or name->address lookup failed due to > > ! a temporary problem.
    > > ! > > !
    reject_unknown_reverse_client_hostname
    > > ! > > !
    Reject the request when the client IP address has no address->name > > ! mapping.
    This is a weaker restriction than the > > ! reject_unknown_client_hostname feature, which requires not only > > ! that the address->name and name->address mappings exist, but > > ! also that the two mappings reproduce the client IP address.
    > > ! The unknown_client_reject_code parameter specifies the response > > ! code for rejected requests (default: 450). The reply is always 450 > > ! in case the address->name lookup failed due to a temporary > > ! problem.
    This feature is available in Postfix 2.3 and > > ! later.
    > > ! > > !
    > > ! > > !

    > > ! In addition, you can use any of the following > > ! generic restrictions. These restrictions are applicable in > > ! any SMTP command context. > > !

    > > ! > > !
    > > ! > > !
    check_policy_service servername
    > > ! > > !
    Query the specified policy server. See the SMTPD_POLICY_README > > ! document for details. This feature is available in Postfix 2.1 > > ! and later.
    > > ! > > !
    defer
    > > ! > > !
    Defer the request. The client is told to try again later. This > > ! restriction is useful at the end of a restriction list, to make > > ! the default policy explicit.
    The defer_code parameter specifies > > ! the SMTP server reply code (default: 450).
    > > ! > > !
    defer_if_permit
    > > ! > > !
    Defer the request if some later restriction would result in an > > ! explicit or implicit PERMIT action. This is useful when a blacklisting > > ! feature fails due to a temporary problem. This feature is available > > ! in Postfix version 2.1 and later.
    > > ! > > !
    defer_if_reject
    > > ! > > !
    Defer the request if some later restriction would result in a > > ! REJECT action. This is useful when a whitelisting feature fails > > ! due to a temporary problem. This feature is available in Postfix > > ! version 2.1 and later.
    > > ! > > !
    permit
    > > ! > > !
    Permit the request. This restriction is useful at the end of > > ! a restriction list, to make the default policy explicit.
    > > ! > > !
    reject_multi_recipient_bounce
    > > ! > > !
    Reject the request when the envelope sender is the null address, > > ! and the message has multiple envelope recipients. This usage has > > ! rare but legitimate applications: under certain conditions, > > ! multi-recipient mail that was posted with the DSN option NOTIFY=NEVER > > ! may be forwarded with the null sender address. > > !
    Note: this restriction can only work reliably > > ! when used in smtpd_data_restrictions or > > ! smtpd_end_of_data_restrictions, because the total number of > > ! recipients is not known at an earlier stage of the SMTP conversation. > > ! Use at the RCPT stage will only reject the second etc. recipient. > > !
    > > ! The multi_recipient_bounce_reject_code parameter specifies the > > ! response code for rejected requests (default: 550). This feature > > ! is available in Postfix 2.1 and later.
    > > > > !
    reject_plaintext_session
    > > > > !
    Reject the request when the connection is not encrypted. This > > ! restriction should not be used before the client has had a chance > > ! to negotiate encryption with the AUTH or STARTTLS commands. > > !
    > > ! The plaintext_reject_code parameter specifies the response > > ! code for rejected requests (default: 450). This feature is available > > ! in Postfix 2.3 and later.
    > > > > -
    reject_unauth_pipelining
    > > > > !
    Reject the request when the client sends SMTP commands ahead > > ! of time where it is not allowed, or when the client sends SMTP > > ! commands ahead of time without knowing that Postfix actually supports > > ! ESMTP command pipelining. This stops mail from bulk mail software > > ! that improperly uses ESMTP command pipelining in order to speed up > > ! deliveries. > > !
    With Postfix 2.6 and later, the SMTP server sets a per-session > > ! flag whenever it detects illegal pipelining, including pipelined > > ! EHLO or HELO commands. The reject_unauth_pipelining feature simply > > ! tests whether the flag was set at any point in time during the > > ! session. > > !
    With older Postfix versions, reject_unauth_pipelining checks > > ! the current status of the input read queue, and its usage is not > > ! recommended in contexts other than smtpd_data_restrictions.
    > > > > !
    reject
    > > > > !
    Reject the request. This restriction is useful at the end of > > ! a restriction list, to make the default policy explicit. The > > ! reject_code configuration parameter specifies the response code for > > ! rejected requests (default: 554).
    > > > > !
    sleep seconds
    > > > > !
    Pause for the specified number of seconds and proceed with > > ! the next restriction in the list, if any. This may stop zombie > > ! mail when used as: > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtpd_client_restrictions =
    > > !         sleep 1, reject_unauth_pipelining
    > > !     smtpd_delay_reject = no
    > > ! 
    > > ! This feature is available in Postfix 2.3.
    > > > > -
    warn_if_reject
    > > > > !
    A safety net for testing. When "warn_if_reject" is placed > > ! before a reject-type restriction, access table query, or > > ! check_policy_service query, this logs a "reject_warning" message > > ! instead of rejecting a request (when a reject-type restriction fails > > ! due to a temporary error, this logs a "reject_warning" message for > > ! any implicit "defer_if_permit" actions that would normally prevent > > ! mail from being accepted by some later access restriction). This > > ! feature has no effect on defer_if_reject restrictions.
    > > > > !
    > > > > !

    > > ! Other restrictions that are valid in this context: > > !

    > > > > ! > > > >

    > > ! Example: > >

    > > > >
    > > ! smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
    > >   
    > > > > --- 9190,9352 ---- > > > > !
    none
    > > !
    No TLS. No additional attributes are supported at this level.
    > > > > !
    may
    > > !
    Opportunistic TLS. No additional attributes are supported at this > > ! level. Since sending in the clear is acceptable, demanding stronger > > ! than default TLS security parameters merely reduces inter-operability. > > ! Postfix 2.3 and later ignore the smtp_tls_mandatory_ciphers and > > ! smtp_tls_mandatory_protocols parameters at this security level; all > > ! protocols are allowed and "export" grade or better ciphers are used. > > ! When TLS handshakes fail, the connection is retried with TLS disabled. > > ! This allows mail delivery to sites with non-interoperable TLS > > ! implementations.
    > > > > !
    encrypt
    Mandatory TLS encryption. At this level > > ! and higher the optional "ciphers" attribute overrides the main.cf > > ! smtp_tls_mandatory_ciphers parameter and the optional "protocols" > > ! keyword overrides the main.cf smtp_tls_mandatory_protocols parameter. > > ! In the policy table, multiple protocols must be separated by colons, > > ! as attribute values may not contain whitespace or commas.
    > > > > +
    fingerprint
    Certificate fingerprint > > + verification. Available with Postfix 2.5 and later. At this security > > + level, there are no trusted certificate authorities. The certificate > > + trust chain, expiration date, ... are not checked. Instead, > > + the optional match attribute, or else the main.cf > > + smtp_tls_fingerprint_cert_match parameter, lists the > > + valid "fingerprints" of the server certificate. The digest > > + algorithm used to calculate the fingerprint is selected by the > > + smtp_tls_fingerprint_digest parameter. Multiple fingerprints can > > + be combined with a "|" delimiter in a single match attribute, or multiple > > + match attributes can be employed. The ":" character is not used as a > > + delimiter as it occurs between each pair of fingerprint (hexadecimal) > > + digits.
    > > > > !
    verify
    Mandatory TLS verification. At this security > > ! level, DNS MX lookups are trusted to be secure enough, and the name > > ! verified in the server certificate is usually obtained indirectly via > > ! unauthenticated DNS MX lookups. The optional "match" attribute overrides > > ! the main.cf smtp_tls_verify_cert_match parameter. In the policy table, > > ! multiple match patterns and strategies must be separated by colons. > > ! In practice explicit control over matching is more common with the > > ! "secure" policy, described below.
    > > > > !
    secure
    Secure-channel TLS. At this security level, DNS > > ! MX lookups, though potentially used to determine the candidate next-hop > > ! gateway IP addresses, are not trusted to be secure enough for TLS > > ! peername verification. Instead, the default name verified in the server > > ! certificate is obtained directly from the next-hop, or is explicitly > > ! specified via the optional match attribute which overrides the > > ! main.cf smtp_tls_secure_cert_match parameter. In the policy table, > > ! multiple match patterns and strategies must be separated by colons. > > ! The match attribute is most useful when multiple domains are supported by > > ! common server, the policy entries for additional domains specify matching > > ! rules for the primary domain certificate. While transport table overrides > > ! routing the secondary domains to the primary nexthop also allow secure > > ! verification, they risk delivery to the wrong destination when domains > > ! change hands or are re-assigned to new gateways. With the "match" > > ! attribute approach, routing is not perturbed, and mail is deferred if > > ! verification of a new MX host fails.
    > > > > !
    > > > >

    > > ! Example: > >

    > > > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    > > !     # Postfix 2.5 and later
    > > !     smtp_tls_fingerprint_digest = md5
    > > ! 
    > > > >
    > > ! /etc/postfix/tls_policy:
    > > !     example.edu                 none
    > > !     example.mil                 may
    > > !     example.gov                 encrypt protocols=TLSv1
    > > !     example.com                 verify ciphers=high
    > > !     example.net                 secure
    > > !     .example.net                secure match=.example.net:example.net
    > > !     [mail.example.org]:587      secure match=nexthop
    > > !     # Postfix 2.5 and later
    > > !     [thumb.example.org]          fingerprint
    > > !     	match=EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > > ! 	match=3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > ! 
    > > > > !

    Note: The hostname strategy if listed in a non-default > > ! setting of smtp_tls_secure_cert_match or in the match attribute > > ! in the policy table can render the secure level vulnerable to > > ! DNS forgery. Do not use the hostname strategy for secure-channel > > ! configurations in environments where DNS security is not assured.

    > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > > > !
    > > > > !
    smtp_tls_scert_verifydepth > > ! (default: 9)
    > > > > !

    The verification depth for remote SMTP server certificates. A depth > > ! of 1 is sufficient if the issuing CA is listed in a local CA file.

    > > > > !

    The default verification depth is 9 (the OpenSSL default) for > > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > > ! the default value was 5, but the limit was not actually enforced. If > > ! you have set this to a lower non-default value, certificates with longer > > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > > ! CAs are common, deeper chains are more rare and any number between 5 > > ! and 9 should suffice in practice. You can choose a lower number if, > > ! for example, you trust certificates directly signed by an issuing CA > > ! but not any CAs it delegates to.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    smtp_tls_secure_cert_match > > ! (default: nexthop, dot-nexthop)
    > > > > !

    The server certificate peername verification method for the > > ! "secure" TLS security level. In a "secure" TLS policy table > > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > > ! overrides this main.cf setting.

    > > > > !

    This parameter specifies one or more patterns or strategies separated > > ! by commas, whitespace or colons. In the policy table the only valid > > ! separator is the colon character.

    > > > > !

    For a description of the pattern and strategy syntax see the > > ! smtp_tls_verify_cert_match parameter. The "hostname" strategy should > > ! be avoided in this context, as in the absence of a secure global DNS, using > > ! the results of MX lookups in certificate verification is not immune to active > > ! (man-in-the-middle) attacks on DNS.

    > > > > !

    > > ! Sample main.cf setting: > > !

    > > ! > > !
    > > !
    > > ! smtp_tls_secure_cert_match = nexthop
    > > ! 
    > > !
    > > > >

    > > ! Sample policy table override: > >

    > > > > +
    > >
    > > ! example.net     secure match=example.com:.example.com
    > > ! .example.net    secure match=example.com:.example.com
    > >   
    > > +
    > > + > > +

    This feature is available in Postfix 2.3 and later.
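Review bot: the main.cf sample in this hunk selects "smtp_tls_fingerprint_digest = md5", and the two "match=" fingerprints given for "[thumb.example.org]" are 16-byte MD5 values; since the "fingerprint" paragraph in the same hunk states that the trust chain and expiration date are not checked at that level, the fingerprint comparison is the only check performed, and MD5 is no longer collision-resistant. Suggest the sample use a stronger digest that OpenSSL supports (with fingerprints of the matching length), or at least a remark next to the md5 line on why it is not the choice to copy. A wording point in the "secure" entry: "most useful when multiple domains are supported by common server, the policy entries for additional domains specify matching rules" is missing an article and is a comma splice; "supported by a common server; the policy entries for additional domains then specify matching rules" reads cleanly.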

    > > > > *************** > > *** 12461,12502 **** > > > > !
    smtpd_command_filter > > (default: empty)
    > > > > !

    A mechanism to transform commands from remote SMTP clients. > > ! This is a last-resort tool to work around client commands that break > > ! inter-operability with the Postfix SMTP server. Other uses involve > > ! fault injection to test Postfix's handling of invalid commands. > >

    > > > > !

    Specify the name of a "type:table" lookup table. The search > > ! string is the SMTP command as received from the remote SMTP client, > > ! except that initial whitespace and the trailing <CR><LF> > > ! are removed. The result value is executed by the Postfix SMTP > > ! server.

    > > > > !

    There is no need to use smtpd_command_filter for the following > > ! cases:

    > > > > !
      > > > > !
    • Use "resolve_numeric_domain = yes" to accept > > ! "user at ipaddress".

      > > > > !
    • Postfix already accepts the correct form > > ! "user@[ipaddress]". Use virtual_alias_maps or canonical_maps > > ! to translate these into domain names if necessary.

      > > ! > > !
    • Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<User > > ! Name <user at example.com>>". Postfix will ignore the "User > > ! Name" part and deliver to the <user at example.com> address. > > !

      > > > > !
    > > > > !

    Examples of problems that can be solved with the smtpd_command_filter > > ! feature:

    > > > >
    > > ! /etc/postfix/main.cf:
    > > !     smtpd_command_filter = pcre:/etc/postfix/command_filter
    > >   
    > > --- 9355,9428 ---- > > > > !
    smtp_tls_security_level > > (default: empty)
    > > > > !

    The default SMTP TLS security level for the Postfix SMTP client; > > ! when a non-empty value is specified, this overrides the obsolete > > ! parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername. > >

    > > > > !

    Specify one of the following security levels:

    > > ! > > !
    > > > > !
    none
    TLS will not be used unless enabled for specific > > ! destinations via smtp_tls_policy_maps.
    > > > > !
    may
    > > !
    Opportunistic TLS. TLS will be used if supported by the server. Since > > ! sending in the clear is acceptable, demanding stronger than default TLS > > ! security parameters merely reduces inter-operability. Postfix 2.3 and > > ! later ignore the smtp_tls_mandatory_ciphers and > > ! smtp_tls_mandatory_protocols parameters at this security level; all > > ! protocols are allowed and "export" grade or better ciphers are used. > > ! When TLS handshakes fail, the connection is retried with TLS disabled. > > ! This allows mail delivery to sites with non-interoperable TLS > > ! implementations.
    > > > > !
    encrypt
    Mandatory TLS encryption. Since a minimum > > ! level of security is intended, it reasonable to be specific about > > ! sufficiently secure protocol versions and ciphers. At this security level > > ! and higher, the main.cf parameters smtp_tls_mandatory_protocols and > > ! smtp_tls_mandatory_ciphers specify the TLS protocols and minimum > > ! cipher grade which the administrator considers secure enough for > > ! mandatory encrypted sessions. This security level is not an appropriate > > ! default for systems delivering mail to the Internet.
    > > > > !
    fingerprint
    Certificate fingerprint > > ! verification. Available with Postfix 2.5 and later. At this security > > ! level, there are no trusted certificate authorities. The certificate > > ! trust chain, expiration date, ... are not checked. Instead, > > ! the smtp_tls_fingerprint_cert_match parameter lists > > ! the valid "fingerprints" of the server certificate. The digest > > ! algorithm used to calculate the fingerprint is selected by the > > ! smtp_tls_fingerprint_digest parameter.
    > > > > !
    verify
    Mandatory TLS verification. At this security > > ! level, DNS MX lookups are trusted to be secure enough, and the name > > ! verified in the server certificate is usually obtained indirectly > > ! via unauthenticated DNS MX lookups. The smtp_tls_verify_cert_match > > ! parameter controls how the server name is verified. In practice explicit > > ! control over matching is more common at the "secure" level, described > > ! below. This security level is not an appropriate default for systems > > ! delivering mail to the Internet.
    > > ! > > !
    secure
    Secure-channel TLS. At this security level, > > ! DNS MX lookups, though potentially used to determine the candidate > > ! next-hop gateway IP addresses, are not trusted to be secure enough > > ! for TLS peername verification. Instead, the default name verified in > > ! the server certificate is obtained from the next-hop domain as specified > > ! in the smtp_tls_secure_cert_match configuration parameter. The default > > ! matching rule is that a server certificate matches when its name is equal > > ! to or is a sub-domain of the nexthop domain. This security level is not > > ! an appropriate default for systems delivering mail to the Internet.
    > > ! > > !
    > > > > !

    > > ! Examples: > > !

    > > > >
    > > ! # No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
    > > ! smtp_tls_security_level = none
    > >   
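Review bot: this hunk does not record a change to a parameter; it drops the smtpd_command_filter entry on the old side (including "smtpd_command_filter = pcre:/etc/postfix/command_filter") and puts the smtp_tls_security_level entry in its place, and a later hunk of the same diff removes "This feature is available in Postfix 2.7." while the inserted entry ends with "available in Postfix 2.3 and later". A newer parameter on the old side, an older one on the new side, and a new-side line number some three thousand lines earlier (12461 versus 9355) point to two different revisions being compared rather than an updated copy, so the diff should be checked against its source before anything is taken from it. Minor wording on the new side's "encrypt" entry: "it reasonable to be specific" is missing "is".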
    > > *************** > > *** 12504,12508 **** > >
    > > ! /etc/postfix/command_filter:
    > > !     # Work around clients that send malformed HELO commands.
    > > !     /^HELO\s*$/ HELO domain.invalid
    > >   
    > > --- 9430,9433 ---- > >
    > > ! # Opportunistic TLS.
    > > ! smtp_tls_security_level = may
    > >   
    > > *************** > > *** 12510,12513 **** > >
    > > !     # Work around clients that send empty lines.
    > > !     /^\s*$/     NOOP
    > >   
    > > --- 9435,9439 ---- > >
    > > ! # Mandatory (high-grade) TLS encryption.
    > > ! smtp_tls_security_level = encrypt
    > > ! smtp_tls_mandatory_ciphers = high
    > >   
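Review bot: the new-side "encrypt" example sets only "smtp_tls_mandatory_ciphers = high" and leaves smtp_tls_mandatory_protocols unset, although the "encrypt" paragraph in the preceding hunk names both parameters as the ones that define what is secure enough from this level upward, and the "secure" example later in the diff pins both. Suggest the example also carry a protocol line, in the exclusion form "!SSLv2, !SSLv3" that the fingerprint example uses, so that a reader copying it gets a protocol floor and not just a cipher grade.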
    > > *************** > > *** 12515,12519 **** > >
    > > !     # Work around clients that send RCPT TO:<'user at domain'>.
    > > !     # WARNING: do not lose the parameters that follow the address.
    > > !     /^RCPT\s+TO:\s*<'([^[:space:]]+)'>(.*)/     RCPT TO:<$1>$2
    > >   
    > > --- 9441,9446 ---- > >
    > > ! # Mandatory TLS verification of hostname or nexthop domain.
    > > ! smtp_tls_security_level = verify
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > >   
    > > *************** > > *** 12521,12525 **** > >
    > > !     # Append XVERP to MAIL FROM commands to request VERP-style delivery.
    > > !     # See VERP_README for more information on how to use Postfix VERP.
    > > !     /^(MAIL FROM:<listname at example\.com>.*)/   $1 XVERP
    > >   
    > > --- 9448,9454 ---- > >
    > > ! # Secure channel TLS with exact nexthop name match.
    > > ! smtp_tls_security_level = secure
    > > ! smtp_tls_mandatory_protocols = TLSv1
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_secure_cert_match = nexthop
    > >   
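Review bot: the new-side "secure" example uses "smtp_tls_mandatory_protocols = TLSv1", an inclusion list that admits only the one named protocol version, whereas the fingerprint example two hunks down expresses the same intent as an exclusion list, "!SSLv2, !SSLv3", which leaves every newer TLS version usable. Suggest the secure example use the exclusion form as well; as written, a site that copies it cannot negotiate anything newer than TLSv1 with its secure-channel peers. The old side also drops the XVERP rewrite rule whose comment points the reader at VERP_README; nothing on the new side carries that pointer.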
    > > *************** > > *** 12527,12535 **** > >
    > > !     # Bounce-never mail sink. Use notify_classes=bounce,resource,software
    > > !     # to send bounced mail to the postmaster (with message body removed).
    > > !     /^(RCPT\s+TO:.*?)\bNOTIFY=\S+\b(.*)/ $1 NOTIFY=NEVER $2
    > > !     /^(RCPT\s+TO:.*)/                    $1 NOTIFY=NEVER
    > >   
    > > > > !

    This feature is available in Postfix 2.7.

    > > > > --- 9456,9472 ---- > >
    > > ! # Certificate fingerprint verification (Postfix ≥ 2.5).
    > > ! # The CA-less "fingerprint" security level only scales to a limited
    > > ! # number of destinations. As a global default rather than a per-site
    > > ! # setting, this is practical when mail for all recipients is sent
    > > ! # to a central mail hub.
    > > ! relayhost = [mailhub.example.com]
    > > ! smtp_tls_security_level = fingerprint
    > > ! smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
    > > ! smtp_tls_mandatory_ciphers = high
    > > ! smtp_tls_fingerprint_cert_match =
    > > !     3D:95:34:51:24:66:33:B9:D2:40:99:C0:C1:17:0B:D1
    > > !     EC:3B:2D:B0:5B:B1:FB:6D:20:A3:9D:72:F6:8D:12:35
    > >   
    > > > > !

    This feature is available in Postfix 2.3 and later.
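Review bot: the new-side fingerprint example lists two 16-byte fingerprints under smtp_tls_fingerprint_cert_match but never sets smtp_tls_fingerprint_digest, so the values only match if the digest in effect is the one that produced them (16 bytes is MD5 length); suggest the example set the digest explicitly beside the fingerprints so the two cannot drift apart when the digest parameter is changed elsewhere in main.cf. The comment "Certificate fingerprint verification (Postfix ≥ 2.5)." and the closing "This feature is available in Postfix 2.3 and later." read as a contradiction unless the reader knows the closing line refers to smtp_tls_security_level as a whole; one clause saying so would remove the ambiguity.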

    > > > > *************** > > *** 12538,12609 **** > > > > !
    smtpd_data_restrictions > > (default: empty)
    > > > > !

    > > ! Optional access restrictions that the Postfix SMTP server applies > > ! in the context of the SMTP DATA command. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > > !

    > > ! > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > ! > > !

    > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > > !

    > > ! > > !

    > > ! The following restrictions are valid in this context: > > !

    > > ! > > !
      > > ! > > !
    • Generic restrictions that can be used > > ! in any SMTP command context, described under smtpd_client_restrictions. > > ! > > !
    • SMTP command specific restrictions described under > > ! smtpd_client_restrictions, smtpd_helo_restrictions, > > ! smtpd_sender_restrictions or smtpd_recipient_restrictions. > > > > !
    • However, no recipient information is available in the case of > > ! multi-recipient mail. Acting on only one recipient would be misleading, > > ! because any decision will affect all recipients equally. Acting on > > ! all recipients would require a possibly very large amount of memory, > > ! and would also be misleading for the reasons mentioned before. > > > > !
    > > > > !

    > > ! Examples: > > !

    > > > >
    > > ! smtpd_data_restrictions = reject_unauth_pipelining
    > > ! smtpd_data_restrictions = reject_multi_recipient_bounce
    > >   
    > > > > ! > > !
    > > ! > > !
    smtpd_delay_open_until_valid_rcpt > > ! (default: yes)
    > > ! > > !

    Postpone the start of an SMTP mail transaction until a valid > > ! RCPT TO command is received. Specify "no" to create a mail transaction > > ! as soon as the Postfix SMTP server receives a valid MAIL FROM > > ! command.

    > > ! > > !

    With sites that reject lots of mail, the default setting reduces > > ! the use of > > ! disk, CPU and memory resources. The downside is that rejected > > ! recipients are logged with NOQUEUE instead of a mail transaction > > ! ID. This complicates the logfile analysis of multi-recipient mail. > > !

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > > > --- 9475,9508 ---- > > > > !
    smtp_tls_session_cache_database > > (default: empty)
    > > > > !

    Name of the file containing the optional Postfix SMTP client > > ! TLS session cache. Specify a database type that supports enumeration, > > ! such as btree or sdbm; there is no need to support > > ! concurrent access. The file is created if it does not exist. The smtp(8) > > ! daemon does not use this parameter directly, rather the cache is > > ! implemented indirectly in the tlsmgr(8) daemon. This means that > > ! per-smtp-instance master.cf overrides of this parameter are not effective. > > ! Note, that each of the cache databases supported by tlsmgr(8) daemon: > > ! $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to > > ! be stored separately. It is not at this time possible to store multiple > > ! caches in a single database.

    > > > > !

    Note: dbm databases are not suitable. TLS > > ! session objects are too large.

    > > > > !

    As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file. The file should now be stored under the Postfix-owned > > ! data_directory. As a migration aid, an attempt to open the file > > ! under a non-Postfix directory is redirected to the Postfix-owned > > ! data_directory, and a warning is logged.

    > > > > !

    Example:

    > > > >
    > > ! smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    > >   
    > > > > !

    This feature is available in Postfix 2.2 and later.
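Review bot: the new-side example "smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache" hard-codes a path, while the paragraph just above it says the file should now be stored under the Postfix-owned data_directory and that an attempt to open it elsewhere is redirected with a warning; suggest writing the example as btree:$data_directory/smtp_scache so it stays correct wherever data_directory points. Wording: "Note, that each of the cache databases supported by tlsmgr(8) daemon" should be "Note that each of the cache databases supported by the tlsmgr(8) daemon". The old side of this hunk deletes the smtpd_data_restrictions and smtpd_delay_open_until_valid_rcpt entries outright, including the explanation of why multi-recipient mail cannot be acted on per recipient at DATA time; nothing on the new side replaces that material.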

    > > > > *************** > > *** 12612,12635 **** > > > > !
    smtpd_delay_reject > > ! (default: yes)
    > > ! > > !

    > > ! Wait until the RCPT TO command before evaluating > > ! $smtpd_client_restrictions, $smtpd_helo_restrictions and > > ! $smtpd_sender_restrictions, or wait until the ETRN command before > > ! evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. > > !

    > > > > !

    > > ! This feature is turned on by default because some clients apparently > > ! mis-behave when the Postfix SMTP server rejects commands before > > ! RCPT TO. > > !

    > > > > !

    > > ! The default setting has one major benefit: it allows Postfix to log > > ! recipient address information when rejecting a client name/address > > ! or sender address, so that it is possible to find out whose mail > > ! is being rejected. > > !

    > > > > --- 9511,9523 ---- > > > > !
    smtp_tls_session_cache_timeout > > ! (default: 3600s)
    > > > > !

    The expiration time of Postfix SMTP client TLS session cache > > ! information. A cache cleanup is performed periodically > > ! every $smtp_tls_session_cache_timeout seconds. As with > > ! $smtp_tls_session_cache_database, this parameter is implemented in the > > ! tlsmgr(8) daemon and therefore per-smtp-instance master.cf overrides > > ! are not possible.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > *************** > > *** 12638,12691 **** > > > > !
    smtpd_discard_ehlo_keyword_address_maps > > ! (default: empty)
    > > > > !

    Lookup tables, indexed by the remote SMTP client address, with > > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > > ! etc.) that the Postfix SMTP server will not send in the EHLO response > > ! to a > > ! remote SMTP client. See smtpd_discard_ehlo_keywords for details. > > ! The table is not searched by hostname for robustness reasons.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > > > !
    > > > > !
    smtpd_discard_ehlo_keywords > > ! (default: empty)
    > > > > !

    A case insensitive list of EHLO keywords (pipelining, starttls, > > ! auth, etc.) that the Postfix SMTP server will not send in the EHLO > > ! response > > ! to a remote SMTP client.

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > !

    Notes:

    > > > > !
      > > > > !
    • Specify the silent-discard pseudo keyword to prevent > > ! this action from being logged.

      > > > > !
    • Use the smtpd_discard_ehlo_keyword_address_maps feature > > ! to discard EHLO keywords selectively.

      > > > > !
    > > > > > > !
    > > > > !
    smtpd_end_of_data_restrictions > > ! (default: empty)
    > > > > !

    Optional access restrictions that the Postfix SMTP server > > ! applies in the context of the SMTP END-OF-DATA command. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > >

    > > > > !

    This feature is available in Postfix 2.2 and later.

    > > > > !

    See smtpd_data_restrictions for details and limitations.

    > > > > --- 9526,9603 ---- > > > > !
    smtp_tls_verify_cert_match > > ! (default: hostname)
    > > > > !

    The server certificate peername verification method for the > > ! "verify" TLS security level. In a "verify" TLS policy table > > ! ($smtp_tls_policy_maps) entry the optional "match" attribute > > ! overrides this main.cf setting.

    > > > > !

    This parameter specifies one or more patterns or strategies separated > > ! by commas, whitespace or colons. In the policy table the only valid > > ! separator is the colon character.

    > > > > +

    Patterns specify domain names, or domain name suffixes:

    > > > > !
    > > > > !
    example.com
    Match the example.com domain, > > ! i.e. one of the names the server certificate must be example.com, > > ! upper and lower case distinctions are ignored.
    > > > > !
    .example.com
    > > !
    Match subdomains of the example.com domain, i.e. match > > ! a name in the server certificate that consists of a non-zero number of > > ! labels followed by a .example.com suffix. Case distinctions are > > ! ignored.
    > > > > !
    > > > > !

    Strategies specify a transformation from the next-hop domain > > ! to the expected name in the server certificate:

    > > > > !
    > > > > !
    nexthop
    > > !
    Match against the next-hop domain, which is either the recipient > > ! domain, or the transport next-hop configured for the domain stripped of > > ! any optional socket type prefix, enclosing square brackets and trailing > > ! port. When MX lookups are not suppressed, this is the original nexthop > > ! domain prior to the MX lookup, not the result of the MX lookup. For > > ! LMTP delivery via UNIX-domain sockets, the verified next-hop name is > > ! $myhostname. This strategy is suitable for use with the "secure" > > ! policy. Case is ignored.
    > > > > !
    dot-nexthop
    > > !
    As above, but match server certificate names that are subdomains > > ! of the next-hop domain. Case is ignored.
    > > > > !
    hostname
    Match against the hostname of the server, often > > ! obtained via an unauthenticated DNS MX lookup. For LMTP delivery via > > ! UNIX-domain sockets, the verified name is $myhostname. This matches > > ! the verification strategy of the "MUST" keyword in the obsolete > > ! smtp_tls_per_site table, and is suitable for use with the "verify" > > ! security level. When the next-hop name is enclosed in square brackets > > ! to suppress MX lookups, the "hostname" strategy is the same as the > > ! "nexthop" strategy. Case is ignored.
    > > > > +
    > > > > !

    > > ! Sample main.cf setting: > > !

    > > > > !
    > > ! smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
    > > ! 
    > > > > !

    > > ! Sample policy table override: > >

    > > > > !
    > > ! example.com     verify  match=hostname:nexthop
    > > ! .example.com    verify  match=example.com:.example.com:hostname
    > > ! 
    > > > > !

    This feature is available in Postfix 2.3 and later.
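Review bot: in the new-side description of the "example.com" pattern, "i.e. one of the names the server certificate must be example.com, upper and lower case distinctions are ignored" is ungrammatical; suggest "i.e. one of the names in the server certificate must be example.com; upper and lower case distinctions are ignored". The "hostname" strategy entry says the name is "often obtained via an unauthenticated DNS MX lookup" and that the strategy "is suitable for use with the 'verify' security level", and the sample policy override ".example.com verify match=example.com:.example.com:hostname" relies on it as a fallback; it would help to say in the entry itself that hostname is acceptable at "verify" only because that level trusts DNS, which the smtp_tls_secure_cert_match text earlier on this page warns against for "secure".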

    > > > > *************** > > *** 12694,12727 **** > > > > !
    smtpd_enforce_tls > > (default: no)
    > > > > !

    Mandatory TLS: announce STARTTLS support to remote SMTP clients, > > ! and require that clients use TLS encryption. According to RFC 2487 > > ! this MUST NOT be applied in case of a publicly-referenced SMTP > > ! server. This option is therefore off by default.

    > > ! > > !

    Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

    > > ! > > !

    Note 2: when invoked via "sendmail -bs", Postfix will never offer > > ! STARTTLS due to insufficient privileges to access the server private > > ! key. This is intended behavior.

    > > > >

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_error_sleep_time > > ! (default: 1s)
    > > ! > > !

    With Postfix version 2.1 and later: the SMTP server response delay after > > ! a client has made more than $smtpd_soft_error_limit errors, and > > ! fewer than $smtpd_hard_error_limit errors, without delivering mail. > > !

    > > ! > > !

    With Postfix version 2.0 and earlier: the SMTP server delay before > > ! sending a reject (4xx or 5xx) response, when the client has made > > ! fewer than $smtpd_soft_error_limit errors without delivering > > ! mail.

    > > > > --- 9606,9619 ---- > > > > !
    smtp_use_tls > > (default: no)
    > > > > !

    Opportunistic mode: use TLS when a remote SMTP server announces > > ! STARTTLS support, otherwise send the mail in the clear. Beware: > > ! some SMTP servers offer STARTTLS even if it is not configured. With > > ! Postfix < 2.3, if the TLS handshake fails, and no other server is > > ! available, delivery is deferred and mail stays in the queue. If this > > ! is a concern for you, use the smtp_tls_per_site feature instead.

    > > > >

    This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtp_tls_security_level instead.

    > > > > *************** > > *** 12730,12745 **** > > > > !
    smtpd_etrn_restrictions > > ! (default: empty)
    > > ! > > !

    > > ! Optional SMTP server access restrictions in the context of a client > > ! ETRN request. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > > !

    > > > >

    > > ! The Postfix ETRN implementation accepts only destinations that are > > ! eligible for the Postfix "fast flush" service. See the ETRN_README > > ! file for details. > >

    > > --- 9622,9629 ---- > > > > !
    smtp_xforward_timeout > > ! (default: 300s)
    > > > >

    > > ! The SMTP client time limit for sending the XFORWARD command, and > > ! for receiving the server response. > >

    > > *************** > > *** 12747,12752 **** > >

    > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > >

    > > --- 9631,9634 ---- > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > *************** > > *** 12754,12790 **** > >

    > > ! The following restrictions are specific to the domain name information > > ! received with the ETRN command. > >

    > > > > -
    > > - > > -
    check_etrn_access type:table
    > > - > > -
    Search the specified access database for the ETRN domain name > > - or its parent domains. See the access(5) manual page for details. > > -
    > > - > > -
    > > > > !

    > > ! Other restrictions that are valid in this context: > > !

    > > > > ! > > > > !

    > > ! Example: > > !

    > > > > !
    > > ! smtpd_etrn_restrictions = permit_mynetworks, reject
    > > ! 
    > > > > --- 9636,9672 ---- > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > > > !
    > > > > !
    smtpd_authorized_verp_clients > > ! (default: $authorized_verp_clients)
    > > > > !

    What SMTP clients are allowed to specify the XVERP command. > > ! This command requests that mail be delivered one recipient at a > > ! time with a per recipient return address.

    > > > > !

    By default, no clients are allowed to specify XVERP.

    > > > > !

    This parameter was renamed with Postfix version 2.1. The default value > > ! is backwards compatible with Postfix version 2.0.

    > > > > !

    Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also specify hostnames or > > ! .domain names (the initial dot causes the domain to match any name > > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > > ! pattern is replaced by its contents; a "type:table" lookup table > > ! is matched when a table entry matches a lookup string (the lookup > > ! result is ignored). Continue long lines by starting the next line > > ! with whitespace. Specify "!pattern" to exclude an address or network > > ! block from the list. The form "!/file/name" is supported only in > > ! Postfix version 2.4 and later.

    > > > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_authorized_verp_clients value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.
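Review bot: the old side of this hunk carries the only "-" lines in this part of the diff: the "check_etrn_access type:table" definition ("Search the specified access database for the ETRN domain name or its parent domains"), the "Other restrictions that are valid in this context" lead-in, and the example "smtpd_etrn_restrictions = permit_mynetworks, reject"; nothing on the new side replaces them, so within this hunk the check_etrn_access restriction loses its documentation. The new side's smtpd_authorized_verp_clients entry is fine as written; its network/netmask paragraph and the IPv6 "[]" note reappear verbatim in the xclient and xforward entries that follow, which is a maintenance hazard if one copy is later corrected and the others are not.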

    > > > > *************** > > *** 12793,12801 **** > > > > !
    smtpd_expansion_filter > > ! (default: see "postconf -d" output)
    > > > >

    > > ! What characters are allowed in $name expansions of RBL reply > > ! templates. Characters not in the allowed set are replaced by "_". > > ! Use C like escapes to specify special characters such as whitespace. > >

    > > --- 9675,9685 ---- > > > > !
    smtpd_authorized_xclient_hosts > > ! (default: empty)
    > > > >

    > > ! What SMTP clients are allowed to use the XCLIENT feature. This > > ! command overrides SMTP client information that is used for access > > ! control. Typical use is for SMTP-based content filters, fetchmail-like > > ! programs, or SMTP server access rule testing. See the XCLIENT_README > > ! document for details. > >

    > > *************** > > *** 12803,12805 **** > >

    > > ! This parameter is not subjected to $parameter expansion. > >

    > > --- 9687,9689 ---- > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > *************** > > *** 12807,12811 **** > >

    > > ! This feature is available in Postfix 2.0 and later. > >

    > > > > > > --- 9691,9714 ---- > >

    > > ! By default, no clients are allowed to specify XCLIENT. > >

    > > > > +

    > > + Specify a list of network/netmask patterns, separated by commas > > + and/or whitespace. The mask specifies the number of bits in the > > + network part of a host address. You can also specify hostnames or > > + .domain names (the initial dot causes the domain to match any name > > + below it), "/file/name" or "type:table" patterns. A "/file/name" > > + pattern is replaced by its contents; a "type:table" lookup table > > + is matched when a table entry matches a lookup string (the lookup > > + result is ignored). Continue long lines by starting the next line > > + with whitespace. Specify "!pattern" to exclude an address or network > > + block from the list. The form "!/file/name" is supported only in > > + Postfix version 2.4 and later.

    > > + > > +

    Note: IP version 6 address information must be specified inside > > + [] in the smtpd_authorized_xclient_hosts value, and in > > + files specified with "/file/name". IP version 6 addresses contain > > + the ":" character, and would otherwise be confused with a "type:table" > > + pattern.

    > > + > > > > *************** > > *** 12813,12823 **** > > > > !
    smtpd_forbidden_commands > > ! (default: CONNECT, GET, POST)
    > > > >

    > > ! List of commands that cause the Postfix SMTP server to immediately > > ! terminate the session with a 221 code. This can be used to disconnect > > ! clients that obviously attempt to abuse the system. In addition to the > > ! commands listed in this parameter, commands that follow the "Label:" > > ! format of message headers will also cause a disconnect. > >

    > > --- 9716,9725 ---- > > > > !
    smtpd_authorized_xforward_hosts > > ! (default: empty)
    > > > >

    > > ! What SMTP clients are allowed to use the XFORWARD feature. This > > ! command forwards information that is used to improve logging after > > ! SMTP-based content filters. See the XFORWARD_README document for > > ! details. > >

    > > *************** > > *** 12825,12843 **** > >

    > > ! This feature is available in Postfix 2.2 and later. > >

    > > > > ! > > !
    > > ! > > !
    smtpd_hard_error_limit > > ! (default: normal: 20, overload: 1)
    > > > >

    > > ! The maximal number of errors a remote SMTP client is allowed to > > ! make without delivering mail. The Postfix SMTP server disconnects > > ! when the limit is exceeded. Normally the default limit is 20, but > > ! it changes under overload to just 1. With Postfix 2.5 and earlier, > > ! the SMTP server always allows up to 20 errors by default. > > > > !

    > > > > --- 9727,9753 ---- > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > !

    > > ! By default, no clients are allowed to specify XFORWARD. > > !

    > > > >

    > > ! Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also specify hostnames or > > ! .domain names (the initial dot causes the domain to match any name > > ! below it), "/file/name" or "type:table" patterns. A "/file/name" > > ! pattern is replaced by its contents; a "type:table" lookup table > > ! is matched when a table entry matches a lookup string (the lookup > > ! result is ignored). Continue long lines by starting the next line > > ! with whitespace. Specify "!pattern" to exclude an address or network > > ! block from the list. The form "!/file/name" is supported only in > > ! Postfix version 2.4 and later.

    > > > > !

    Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_authorized_xforward_hosts value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

    > > > > *************** > > *** 12846,12854 **** > > > > !
    smtpd_helo_required > > ! (default: no)
    > > > >

    > > ! Require that a remote SMTP client introduces itself with the HELO > > ! or EHLO command before sending the MAIL command or other commands > > ! that require EHLO negotiation. > >

    > > --- 9756,9769 ---- > > > > !
    smtpd_banner > > ! (default: $myhostname ESMTP $mail_name)
    > > ! > > !

    > > ! The text that follows the 220 status code in the SMTP greeting > > ! banner. Some people like to see the mail version advertised. By > > ! default, Postfix shows no version. > > !

    > > > >

    > > ! You MUST specify $myhostname at the start of the text. This is > > ! required by the SMTP protocol. > >

    > > *************** > > *** 12860,12862 **** > >
    > > ! smtpd_helo_required = yes
    > >   
    > > --- 9775,9777 ---- > >
    > > ! smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
    > >   
    > > *************** > > *** 12866,12875 **** > > > > !
    smtpd_helo_restrictions > > ! (default: empty)
    > > > >

    > > ! Optional restrictions that the Postfix SMTP server applies in the > > ! context of the SMTP HELO command. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > >

    > > --- 9781,9789 ---- > > > > !
    smtpd_client_connection_count_limit > > ! (default: 50)
    > > > >

    > > ! How many simultaneous connections any client is allowed to > > ! make to this service. By default, the limit is set to half > > ! the default process limit value. > >

    > > *************** > > *** 12877,12884 **** > >

    > > ! The default is to permit everything. > > !

    > > ! > > !

    Note: specify "smtpd_helo_required = yes" to fully enforce this > > ! restriction (without "smtpd_helo_required = yes", a client can > > ! simply skip smtpd_helo_restrictions by not sending HELO or EHLO). > >

    > > --- 9791,9793 ---- > >

    > > ! To disable this feature, specify a limit of 0. > >

    > > *************** > > *** 12886,12891 **** > >

    > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > >

    > > --- 9795,9798 ---- > >

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > >

    > > *************** > > *** 12893,13086 **** > >

    > > ! The following restrictions are specific to the hostname information > > ! received with the HELO or EHLO command. > >

    > > > > -
    > > - > > -
    check_helo_access type:table
    > > - > > -
    Search the specified access(5) database for the HELO or EHLO > > - hostname or parent domains, and execute the corresponding action. > > - Note: specify "smtpd_helo_required = yes" to fully enforce this > > - restriction (without "smtpd_helo_required = yes", a client can > > - simply skip check_helo_access by not sending HELO or EHLO).
    > > - > > -
    check_helo_mx_access type:table
    > > - > > -
    Search the specified access(5) database for the MX hosts for > > - the HELO or EHLO hostname, and execute the corresponding action. > > - Note 1: a result of "OK" is not allowed for safety reasons. Instead, > > - use DUNNO in order to exclude specific hosts from blacklists. Note > > - 2: specify "smtpd_helo_required = yes" to fully enforce this > > - restriction (without "smtpd_helo_required = yes", a client can > > - simply skip check_helo_mx_access by not sending HELO or EHLO). This > > - feature is available in Postfix 2.1 and later. > > -
    > > - > > -
    check_helo_ns_access type:table
    > > - > > -
    Search the specified access(5) database for the DNS servers > > - for the HELO or EHLO hostname, and execute the corresponding action. > > - Note 1: a result of "OK" is not allowed for safety reasons. Instead, > > - use DUNNO in order to exclude specific hosts from blacklists. Note > > - 2: specify "smtpd_helo_required = yes" to fully enforce this > > - restriction (without "smtpd_helo_required = yes", a client can > > - simply skip check_helo_ns_access by not sending HELO or EHLO). This > > - feature is available in Postfix 2.1 and later. > > -
    > > - > > -
    reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
    > > - > > -
    Reject the request when the HELO or EHLO hostname syntax is > > - invalid. Note: specify "smtpd_helo_required = yes" to fully enforce > > - this restriction (without "smtpd_helo_required = yes", a client can simply > > - skip reject_invalid_helo_hostname by not sending HELO or EHLO). > > -
    The invalid_hostname_reject_code specifies the response code > > - for rejected requests (default: 501).
    > > - > > -
    reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
    > > - > > -
    Reject the request when the HELO or EHLO hostname is not in > > - fully-qualified domain form, as required by the RFC. Note: specify > > - "smtpd_helo_required = yes" to fully enforce this restriction > > - (without "smtpd_helo_required = yes", a client can simply skip > > - reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
    > > - The non_fqdn_reject_code parameter specifies the response code for > > - rejected requests (default: 504).
    > > - > > -
    reject_rhsbl_helo rbl_domain=d.d.d.d
    > > - > > -
    Reject the request when the HELO or EHLO hostname hostname is > > - listed with the A record "d.d.d.d" under rbl_domain > > - (Postfix version 2.1 and later only). Each "d" is a number, > > - or a pattern inside "[]" that contains one or more ";"-separated > > - numbers or number..number ranges (Postfix version 2.8 and later). > > - If no "=d.d.d.d" is > > - specified, reject the request when the HELO or EHLO hostname is > > - listed with any A record under rbl_domain. See the > > - reject_rbl_client description for additional RBL related configuration > > - parameters. Note: specify "smtpd_helo_required = yes" to fully > > - enforce this restriction (without "smtpd_helo_required = yes", a > > - client can simply skip reject_rhsbl_helo by not sending HELO or > > - EHLO). This feature is available in Postfix 2.0 > > - and later.
    > > - > > -
    reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
    > > > > !
    Reject the request when the HELO or EHLO hostname has no DNS A > > ! or MX record.
    The unknown_hostname_reject_code parameter > > ! specifies the numerical response code for rejected requests (default: > > ! 450).
    The unknown_helo_hostname_tempfail_action parameter > > ! specifies the action after a temporary DNS error (default: > > ! defer_if_permit). Note: specify "smtpd_helo_required = yes" to fully > > ! enforce this restriction (without "smtpd_helo_required = yes", a > > ! client can simply skip reject_unknown_helo_hostname by not sending > > ! HELO or EHLO).
    > > > > !
    > > > >

    > > ! Other restrictions that are valid in this context: > >

    > > > > - > > - > >

    > > ! Examples: > >

    > > > > -
    > > - smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
    > > - smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
    > > - 
    > > - > > - > > -
    > > - > > -
    smtpd_history_flush_threshold > > - (default: 100)
    > > - > >

    > > ! The maximal number of lines in the Postfix SMTP server command history > > ! before it is flushed upon receipt of EHLO, RSET, or end of DATA. > >

    > > > > - > > -
    > > - > > -
    smtpd_junk_command_limit > > - (default: normal: 100, overload: 1)
    > > - > >

    > > ! The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote > > ! SMTP client can send before the Postfix SMTP server starts to > > ! increment the error counter with each junk command. The junk > > ! command count is reset after mail is delivered. See also the > > ! smtpd_error_sleep_time and smtpd_soft_error_limit configuration > > ! parameters. Normally the default limit is 100, but it changes under > > ! overload to just 1. With Postfix 2.5 and earlier, the SMTP server > > ! always allows up to 100 junk commands by default.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_log_access_permit_actions > > ! (default: empty)
    > > ! > > !

    Enable logging of the named "permit" actions in SMTP server > > ! access lists. This does not affect conditional actions such as > > ! "defer_if_permit".

    > > ! > > !

    Specify a list of "permit" action names, "/file/name" or > > ! "type:table" patterns, separated by commas and/or whitespace. The > > ! list is matched left to right, and the search stops on the first > > ! match. A "/file/name" pattern is replaced by its contents; a > > ! "type:table" lookup table is matched when a name matches a lookup > > ! key (the lookup result is ignored). Continue long lines by starting > > ! the next line with whitespace. Specify "!pattern" to exclude a name > > ! from the list.

    > > > > !

    Examples:

    > > > > !
    > > ! /etc/postfix/main.cf:
    > > !     # Log all "permit" actions.
    > > !     smtpd_log_access_permit_actions = static:all
    > > ! 
    > > > >
    > > ! /etc/postfix/main.cf:
    > > !     # Log "permit_dnswl_client" only.
    > > !     smtpd_log_access_permit_actions = permit_dnswl_client
    > >   
    > > > > -

    This feature is available in Postfix 2.10 and later.

    > > - > > - > > -
    > > - > > -
    smtpd_milters > > - (default: empty)
    > > - > > -

    A list of Milter (mail filter) applications for new mail that > > - arrives via the Postfix smtpd(8) server. Specify space or comma as > > - separator. See the MILTER_README document for details.

    > > - > > -

    This feature is available in Postfix 2.3 and later.

    > > - > > > > --- 9800,9842 ---- > >

    > > ! This feature is available in Postfix 2.2 and later. > >

    > > > > > > !
    > > > > !
    smtpd_client_connection_rate_limit > > ! (default: 0)
    > > > >

    > > ! The maximal number of connection attempts any client is allowed to > > ! make to this service per time unit. The time unit is specified > > ! with the anvil_rate_time_unit configuration parameter. > >

    > > > >

    > > ! By default, a client can make as many connections per time unit as > > ! Postfix can accept. > >

    > > > >

    > > ! To disable this feature, specify a limit of 0. > >

    > > > >

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > > > !

    > > ! Example: > > !

    > > > >
    > > ! smtpd_client_connection_rate_limit = 1000
    > >   
    > > > > > > *************** > > *** 13088,13145 **** > > > > !
    smtpd_noop_commands > > ! (default: empty)
    > > > >

    > > ! List of commands that the Postfix SMTP server replies to with "250 > > ! Ok", without doing any syntax checks and without changing state. > > ! This list overrides any commands built into the Postfix SMTP server. > >

    > > > > - > > -
    > > - > > -
    smtpd_null_access_lookup_key > > - (default: <>)
    > > - > >

    > > ! The lookup key to be used in SMTP access(5) tables instead of the > > ! null sender address. > >

    > > > > > > !
    > > ! > > !
    smtpd_peername_lookup > > ! (default: yes)
    > > ! > > !

    Attempt to look up the remote SMTP client hostname, and verify that > > ! the name matches the client IP address. A client name is set to > > ! "unknown" when it cannot be looked up or verified, or when name > > ! lookup is disabled. Turning off name lookup reduces delays due to > > ! DNS lookup and increases the maximal inbound delivery rate.

    > > ! > > !

    This feature is available in Postfix 2.3 and later.

    > > ! > > ! > > !
    > > ! > > !
    smtpd_per_record_deadline > > ! (default: normal: no, overload: yes)
    > > ! > > !

    Change the behavior of the smtpd_timeout time limit, from a > > ! time limit per read or write system call, to a time limit to send > > ! or receive a complete record (an SMTP command line, SMTP response > > ! line, SMTP message content line, or TLS protocol message). This > > ! limits the impact from hostile peers that trickle data one byte at > > ! a time.

    > > ! > > !

    Note: when per-record deadlines are enabled, a short timeout > > ! may cause problems with TLS over very slow network connections. > > ! The reasons are that a TLS protocol message can be up to 16 kbytes > > ! long (with TLSv1), and that an entire TLS protocol message must be > > ! sent or received within the per-record deadline.

    > > ! > > !

    This feature is available in Postfix 2.9 and later. With older > > ! Postfix releases, the behavior is as if this parameter is set to > > ! "no".

    > > > > --- 9844,9869 ---- > > > > !
    smtpd_client_event_limit_exceptions > > ! (default: $mynetworks)
    > > > >

    > > ! Clients that are excluded from connection count, connection rate, > > ! or SMTP request rate restrictions. See the mynetworks parameter > > ! description for the parameter value syntax. > >

    > > > >

    > > ! By default, clients in trusted networks are excluded. Specify a > > ! list of network blocks, hostnames or .domain names (the initial > > ! dot causes the domain to match any name below it). > >

    > > > > +

    Note: IP version 6 address information must be specified inside > > + [] in the smtpd_client_event_limit_exceptions value, and > > + in files specified with "/file/name". IP version 6 addresses > > + contain the ":" character, and would otherwise be confused with a > > + "type:table" pattern.

    > > > > !

    > > ! This feature is available in Postfix 2.2 and later. > > !

    > > > > *************** > > *** 13148,13155 **** > > > > !
    smtpd_policy_service_max_idle > > ! (default: 300s)
    > > > >

    > > ! The time after which an idle SMTPD policy service connection is > > ! closed. > >

    > > --- 9872,9881 ---- > > > > !
    smtpd_client_message_rate_limit > > ! (default: 0)
    > > > >

    > > ! The maximal number of message delivery requests that any client is > > ! allowed to make to this service per time unit, regardless of whether > > ! or not Postfix actually accepts those messages. The time unit is > > ! specified with the anvil_rate_time_unit configuration parameter. > >

    > > *************** > > *** 13157,13170 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > > > !
    > > ! > > !
    smtpd_policy_service_max_ttl > > ! (default: 1000s)
    > > > >

    > > ! The time after which an active SMTPD policy service connection is > > ! closed. > >

    > > --- 9883,9899 ---- > >

    > > ! By default, a client can send as many message delivery requests > > ! per time unit as Postfix can accept. > >

    > > > > +

    > > + To disable this feature, specify a limit of 0. > > +

    > > > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > > >

    > > ! This feature is available in Postfix 2.2 and later. > >

    > > *************** > > *** 13172,13176 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > > > --- 9901,9909 ---- > >

    > > ! Example: > >

    > > > > +
    > > + smtpd_client_message_rate_limit = 1000
    > > + 
    > > + > > > > *************** > > *** 13178,13185 **** > > > > !
    smtpd_policy_service_timeout > > ! (default: 100s)
    > > > >

    > > ! The time limit for connecting to, writing to or receiving from a > > ! delegated SMTPD policy server. > >

    > > --- 9911,9920 ---- > > > > !
    smtpd_client_new_tls_session_rate_limit > > ! (default: 0)
    > > > >

    > > ! The maximal number of new (i.e., uncached) TLS sessions that a > > ! remote SMTP client is allowed to negotiate with this service per > > ! time unit. The time unit is specified with the anvil_rate_time_unit > > ! configuration parameter. > >

    > > *************** > > *** 13187,13200 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > > > !
    > > ! > > !
    smtpd_proxy_ehlo > > ! (default: $myhostname)
    > > > >

    > > ! How the Postfix SMTP server announces itself to the proxy filter. > > ! By default, the Postfix hostname is used. > >

    > > --- 9922,9940 ---- > >

    > > ! By default, a remote SMTP client can negotiate as many new TLS > > ! sessions per time unit as Postfix can accept. > >

    > > > > +

    > > + To disable this feature, specify a limit of 0. Otherwise, specify > > + a limit that is at least the per-client concurrent session limit, > > + or else legitimate client sessions may be rejected. > > +

    > > > > !

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > > !

    > > > >

    > > ! This feature is available in Postfix 2.3 and later. > >

    > > *************** > > *** 13202,13206 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > > > --- 9942,9950 ---- > >

    > > ! Example: > >

    > > > > +
    > > + smtpd_client_new_tls_session_rate_limit = 100
    > > + 
    > > + > > > > *************** > > *** 13208,13228 **** > > > > !
    smtpd_proxy_filter > > ! (default: empty)
    > > > > !

    The hostname and TCP port of the mail filtering proxy server. > > ! The proxy receives all mail from the Postfix SMTP server, and is > > ! supposed to give the result to another Postfix SMTP server process. > >

    > > > > !

    Specify "host:port" or "inet:host:port" for a TCP endpoint, or > > ! "unix:pathname" for a UNIX-domain endpoint. The host can be specified > > ! as an IP address or as a symbolic name; no MX lookups are done. > > ! When no "host" or "host:" are specified, the local machine is > > ! assumed. Pathname interpretation is relative to the Postfix queue > > ! directory.

    > > ! > > !

    This feature is available in Postfix 2.1 and later.

    > > ! > > !

    The "inet:" and "unix:" prefixes are available in Postfix 2.3 > > ! and later.

    > > > > --- 9952,9961 ---- > > > > !
    smtpd_client_port_logging > > ! (default: no)
    > > > > !

    Enable logging of the remote SMTP client port in addition to > > ! the hostname and IP address. The logging format is "host[address]:port". > >

    > > > > !

    This feature is available in Postfix 2.5 and later.

    > > > > *************** > > *** 13231,13273 **** > > > > !
    smtpd_proxy_options > > ! (default: empty)
    > > > >

    > > ! List of options that control how the Postfix SMTP server > > ! communicates with a before-queue content filter. Specify zero or > > ! more of the following, separated by comma or whitespace.

    > > ! > > !
    > > ! > > !
    speed_adjust
    > > ! > > !

    Do not connect to a before-queue content filter until an entire > > ! message has been received. This reduces the number of simultaneous > > ! before-queue content filter processes.

    > > ! > > !

    NOTE 1: A filter must not selectively reject recipients > > ! of a multi-recipient message. Rejecting all recipients is OK, as > > ! is accepting all recipients.

    > > ! > > !

    NOTE 2: This feature increases the minimum amount of free queue > > ! space by $message_size_limit. The extra space is needed to save the > > ! message to a temporary file.

    > > ! > > !
    > > > >

    > > ! This feature is available in Postfix 2.7 and later. > >

    > > > > - > > -
    > > - > > -
    smtpd_proxy_timeout > > - (default: 100s)
    > > - > >

    > > ! The time limit for connecting to a proxy filter and for sending or > > ! receiving information. When a connection fails the client gets a > > ! generic error message while more detailed information is logged to > > ! the maillog file. > >

    > > --- 9964,9982 ---- > > > > !
    smtpd_client_recipient_rate_limit > > ! (default: 0)
    > > > >

    > > ! The maximal number of recipient addresses that any client is allowed > > ! to send to this service per time unit, regardless of whether or not > > ! Postfix actually accepts those recipients. The time unit is specified > > ! with the anvil_rate_time_unit configuration parameter. > > !

    > > > >

    > > ! By default, a client can make as many recipient addresses per time > > ! unit as Postfix can accept. > >

    > > > >

    > > ! To disable this feature, specify a limit of 0. > >

    > > *************** > > *** 13275,13278 **** > >

    > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > >

    > > --- 9984,9987 ---- > >

    > > ! WARNING: The purpose of this feature is to limit abuse. It must > > ! not be used to regulate legitimate mail traffic. > >

    > > *************** > > *** 13280,13305 **** > >

    > > ! This feature is available in Postfix 2.1 and later. > >

    > > > > - > > -
    > > - > > -
    smtpd_recipient_limit > > - (default: 1000)
    > > - > >

    > > ! The maximal number of recipients that the Postfix SMTP server > > ! accepts per message delivery request. > >

    > > > > ! > > !
    > > ! > > !
    smtpd_recipient_overshoot_limit > > ! (default: 1000)
    > > ! > > !

    The number of recipients that a remote SMTP client can send in > > ! excess of the limit specified with $smtpd_recipient_limit, before > > ! the Postfix SMTP server increments the per-session error count > > ! for each excess recipient.

    > > > > --- 9989,10000 ---- > >

    > > ! This feature is available in Postfix 2.2 and later. > >

    > > > >

    > > ! Example: > >

    > > > > !
    > > ! smtpd_client_recipient_rate_limit = 1000
    > > ! 
    > > > > *************** > > *** 13308,13349 **** > > > > !
    smtpd_recipient_restrictions > > ! (default: permit_mynetworks, reject_unauth_destination)
    > > ! > > !

    > > ! The access restrictions that the Postfix SMTP server applies in > > ! the context of the RCPT TO command. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > > !

    > > > >

    > > ! By default, the Postfix SMTP server accepts: > >

    > > > > - > > - > >

    > > ! IMPORTANT: If you change this parameter setting, you must specify > > ! at least one of the following restrictions. Otherwise Postfix will > > ! refuse to receive mail: > >

    > > > > -
    > > -
    > > - reject, defer, defer_if_permit, reject_unauth_destination
    > > - 
    > > -
    > > - > >

    > > --- 10003,10016 ---- > > > > !

    smtpd_client_restrictions > > ! (default: empty)
    > > > >

    > > ! Optional SMTP server access restrictions in the context of a client > > ! SMTP connection request. > >

    > > > >

    > > ! The default is to allow all connection requests. > >

    > > > >

    > > *************** > > *** 13356,13359 **** > >

    > > ! The following restrictions are specific to the recipient address > > ! that is received with the RCPT TO command. > >

    > > --- 10023,10026 ---- > >

    > > ! The following restrictions are specific to client hostname or > > ! client network address information. > >

    > > *************** > > *** 13362,13503 **** > > > > !
    check_recipient_access type:table
    > > > > !
    Search the specified access(5) database for the resolved RCPT > > ! TO address, domain, parent domains, or localpart@, and execute the > > ! corresponding action.
    > > > > !
    check_recipient_mx_access type:table
    > > > > !
    Search the specified access(5) database for the MX hosts for > > ! the RCPT TO domain, and execute the corresponding action. Note: > > ! a result of "OK" is not allowed for safety reasons. Instead, use > > ! DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
    > > > > !
    check_recipient_ns_access type:table
    > > > > !
    Search the specified access(5) database for the DNS servers > > ! for the RCPT TO domain, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
    > > > > !
    permit_auth_destination
    > > > > !
    Permit the request when one of the following is true: > > > > !
    > > > > !
    permit_mx_backup
    > > > > !
    Permit the request when the local mail system is backup MX for > > ! the RCPT TO domain, or when the domain is an authorized destination > > ! (see permit_auth_destination for definition). > > > > !
      > > > > !
    • Safety: permit_mx_backup does not accept addresses that have > > ! sender-specified routing information (example: user at elsewhere@domain). > > > > !
    • Safety: permit_mx_backup can be vulnerable to mis-use when > > ! access is not restricted with permit_mx_backup_networks. > > > > !
    • Safety: as of Postfix version 2.3, permit_mx_backup no longer > > ! accepts the address when the local mail system is primary MX for > > ! the recipient domain. Exception: permit_mx_backup accepts the address > > ! when it specifies an authorized destination (see permit_auth_destination > > ! for definition). > > > > !
    • Limitation: mail may be rejected in case of a temporary DNS > > ! lookup problem with Postfix prior to version 2.0. > > > > !
    > > > > !
    reject_non_fqdn_recipient
    > > > > !
    Reject the request when the RCPT TO address is not in > > ! fully-qualified domain form, as required by the RFC.
    The > > ! non_fqdn_reject_code parameter specifies the response code for > > ! rejected requests (default: 504).
    > > > > !
    reject_rhsbl_recipient rbl_domain=d.d.d.d
    > > > > !
    Reject the request when the RCPT TO domain is listed with the > > ! A record "d.d.d.d" under rbl_domain (Postfix version > > ! 2.1 and later only). Each "d" is a number, or a pattern > > ! inside "[]" that contains one or more ";"-separated numbers or > > ! number..number ranges (Postfix version 2.8 and later). If no > > ! "=d.d.d.d" is specified, reject > > ! the request when the RCPT TO domain is listed with > > ! any A record under rbl_domain.
    The maps_rbl_reject_code > > ! parameter specifies the response code for rejected requests (default: > > ! 554); the default_rbl_reply parameter specifies the default server > > ! reply; and the rbl_reply_maps parameter specifies tables with server > > ! replies indexed by rbl_domain. This feature is available > > ! in Postfix version 2.0 and later.
    > > > > !
    reject_unauth_destination
    > > > > !
    Reject the request unless one of the following is true: > > > > ! The relay_domains_reject_code parameter specifies the response > > ! code for rejected requests (default: 554).
    > > > > !
    reject_unknown_recipient_domain
    > > > > !
    Reject the request when Postfix is not final destination for > > ! the recipient domain, and the RCPT TO domain has 1) no DNS A or MX > > ! record or 2) a malformed MX record such as a record with > > ! a zero-length MX hostname (Postfix version 2.3 and later).
    The > > ! unknown_address_reject_code parameter specifies the numerical > > ! response code for rejected requests (default: 450). The response > > ! is always 450 in case of a temporary DNS error.
    The > > ! unknown_address_tempfail_action parameter specifies the action > > ! after a temporary DNS error (default: defer_if_permit).
    > > > > !
    reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
    > > > > !
    Reject the request when the RCPT TO address is not listed in > > ! the list of valid recipients for its domain class. See the > > ! smtpd_reject_unlisted_recipient parameter description for details. > > ! This feature is available in Postfix 2.1 and later.
    > > > > !
    reject_unverified_recipient
    > > > > !
    Reject the request when mail to the RCPT TO address is known > > ! to bounce, or when the recipient address destination is not reachable. > > ! Address verification information is managed by the verify(8) server; > > ! see the ADDRESS_VERIFICATION_README file for details.
    The > > ! unverified_recipient_reject_code parameter specifies the numerical > > ! response code when an address is known to bounce (default: 450, > > ! change into 550 when you are confident that it is safe to do so). > > !
    The unverified_recipient_defer_code parameter specifies the > > ! numerical response code when an address probe failed due to a > > ! temporary problem (default: 450).
    The > > ! unverified_recipient_tempfail_action parameter specifies the action > > ! after addres probe failure due to a temporary problem (default: > > ! defer_if_permit).
    This feature is available in Postfix 2.1 > > ! and later.
    > > > > --- 10029,10245 ---- > > > > !
    check_ccert_access type:table
    > > > > !
    Use the client certificate fingerprint as lookup key for the > > ! specified access(5) database; with Postfix version 2.2, also require that > > ! the SMTP client certificate is verified successfully. > > ! The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5). This feature is available with Postfix version > > ! 2.2 and later.
    > > > > !
    check_client_access type:table
    > > > > !
    Search the specified access database for the client hostname, > > ! parent domains, client IP address, or networks obtained by stripping > > ! least significant octets. See the access(5) manual page for details.
    > > > > !
    check_reverse_client_hostname_access type:table
    > > > > !
    Search the specified access database for the unverified reverse > > ! client hostname, parent domains, client IP address, or networks > > ! obtained by stripping least significant octets. See the access(5) > > ! manual page for details. Note: a result of "OK" is not allowed for > > ! safety reasons. Instead, use DUNNO in order to exclude specific > > ! hosts from blacklists. This feature is available in Postfix 2.6 > > ! and later.
    > > > > !
    permit_inet_interfaces
    > > > > !
    Permit the request when the client IP address matches > > ! $inet_interfaces.
    > > > > !
    permit_mynetworks
    > > > > !
    Permit the request when the client IP address matches any > > ! network or network address listed in $mynetworks.
    > > > > !
    permit_sasl_authenticated
    > > ! > > !
    Permit the request when the client is successfully > > ! authenticated via the RFC 4954 (AUTH) protocol.
    > > ! > > !
    permit_tls_all_clientcerts
    > > ! > > !
    Permit the request when the remote SMTP client certificate is > > ! verified successfully. This option must be used only if a special > > ! CA issues the certificates and only this CA is listed as trusted > > ! CA, otherwise all clients with a recognized certificate would be > > ! allowed to relay. This feature is available with Postfix version 2.2.
    > > ! > > !
    permit_tls_clientcerts
    > > ! > > !
    Permit the request when the remote SMTP client certificate > > ! fingerprint is listed in $relay_clientcerts. > > ! The fingerprint digest algorithm is configurable via the > > ! smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to > > ! Postfix version 2.5). This feature is available with Postfix version > > ! 2.2.
    > > ! > > !
    reject_rbl_client rbl_domain=d.d.d.d
    > > ! > > !
    Reject the request when the reversed client network address is > > ! listed with the A record "d.d.d.d" under rbl_domain > > ! (Postfix version 2.1 and later only). If no "=d.d.d.d" is > > ! specified, reject the request when the reversed client network > > ! address is listed with any A record under rbl_domain.
    > > ! The maps_rbl_reject_code parameter specifies the response code for > > ! rejected requests (default: 554), the default_rbl_reply parameter > > ! specifies the default server reply, and the rbl_reply_maps parameter > > ! specifies tables with server replies indexed by rbl_domain. > > ! This feature is available in Postfix 2.0 and later.
    > > ! > > !
    reject_rhsbl_client rbl_domain=d.d.d.d
    > > ! > > !
    Reject the request when the client hostname is listed with the > > ! A record "d.d.d.d" under rbl_domain (Postfix version > > ! 2.1 and later only). If no "=d.d.d.d" is specified, reject > > ! the request when the client hostname is listed with > > ! any A record under rbl_domain. See the reject_rbl_client > > ! description above for additional RBL related configuration parameters. > > ! This feature is available in Postfix 2.0 and later.
    > > ! > > !
    reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
    > > ! > > !
    Reject the request when 1) the client IP address->name mapping > > ! fails, 2) the name->address mapping fails, or 3) the name->address > > ! mapping does not match the client IP address.
    This is a > > ! stronger restriction than the reject_unknown_reverse_client_hostname > > ! feature, which triggers only under condition 1) above.
    The > > ! unknown_client_reject_code parameter specifies the response code > > ! for rejected requests (default: 450). The reply is always 450 in > > ! case the address->name or name->address lookup failed due to > > ! a temporary problem.
    > > > > !
    reject_unknown_reverse_client_hostname
    > > > > !
    Reject the request when the client IP address has no address->name > > ! mapping.
    This is a weaker restriction than the > > ! reject_unknown_client_hostname feature, which requires not only > > ! that the address->name and name->address mappings exist, but > > ! also that the two mappings reproduce the client IP address.
    > > ! The unknown_client_reject_code parameter specifies the response > > ! code for rejected requests (default: 450). The reply is always 450 > > ! in case the address->name lookup failed due to a temporary > > ! problem.
    This feature is available in Postfix 2.3 and > > ! later.
    > > > > ! > > > > !

    > > ! In addition, you can use any of the following > > ! generic restrictions. These restrictions are applicable in > > ! any SMTP command context. > > !

    > > > > !
    > > > > !
    check_policy_service servername
    > > > > !
    Query the specified policy server. See the SMTPD_POLICY_README > > ! document for details. This feature is available in Postfix 2.1 > > ! and later.
    > > > > !
    defer
    > > > > !
    Defer the request. The client is told to try again later. This > > ! restriction is useful at the end of a restriction list, to make > > ! the default policy explicit.
    The defer_code parameter specifies > > ! the SMTP server reply code (default: 450).
    > > > > !
    defer_if_permit
    > > > > !
    Defer the request if some later restriction would result in an > > ! explicit or implicit PERMIT action. This is useful when a blacklisting > > ! feature fails due to a temporary problem. This feature is available > > ! in Postfix version 2.1 and later.
    > > > > !
    defer_if_reject
    > > > > !
    Defer the request if some later restriction would result in a > > ! REJECT action. This is useful when a whitelisting feature fails > > ! due to a temporary problem. This feature is available in Postfix > > ! version 2.1 and later.
    > > > > !
    permit
    > > > > !
    Permit the request. This restriction is useful at the end of > > ! a restriction list, to make the default policy explicit.
    > > > > !
    reject_multi_recipient_bounce
    > > > > !
    Reject the request when the envelope sender is the null address, > > ! and the message has multiple envelope recipients. This usage has > > ! rare but legitimate applications: under certain conditions, > > ! multi-recipient mail that was posted with the DSN option NOTIFY=NEVER > > ! may be forwarded with the null sender address. > > !
    Note: this restriction can only work reliably > > ! when used in smtpd_data_restrictions or > > ! smtpd_end_of_data_restrictions, because the total number of > > ! recipients is not known at an earlier stage of the SMTP conversation. > > ! Use at the RCPT stage will only reject the second etc. recipient. > > !
    > > ! The multi_recipient_bounce_reject_code parameter specifies the > > ! response code for rejected requests (default: 550). This feature > > ! is available in Postfix 2.1 and later.
    > > > > !
    reject_plaintext_session
    > > > > !
    Reject the request when the connection is not encrypted. This > > ! restriction should not be used before the client has had a chance > > ! to negotiate encryption with the AUTH or STARTTLS commands. > > !
    > > ! The plaintext_reject_code parameter specifies the response > > ! code for rejected requests (default: 450). This feature is available > > ! in Postfix 2.3 and later.
    > > > > !
    reject_unauth_pipelining
    > > > > !
    Reject the request when the client sends SMTP commands ahead > > ! of time where it is not allowed, or when the client sends SMTP > > ! commands ahead of time without knowing that Postfix actually supports > > ! ESMTP command pipelining. This stops mail from bulk mail software > > ! that improperly uses ESMTP command pipelining in order to speed up > > ! deliveries.
    Note: reject_unauth_pipelining is not useful > > ! outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO > > ! instead of HELO) and 2) with "smtpd_delay_reject = yes" (the > > ! default). The use of reject_unauth_pipelining in the other > > ! restriction contexts is therefore not recommended.
    > > > > !
    reject
    > > > > !
    Reject the request. This restriction is useful at the end of > > ! a restriction list, to make the default policy explicit. The > > ! reject_code configuration parameter specifies the response code to > > ! rejected requests (default: 554).
    > > > > !
    sleep seconds
    > > > > !
    Pause for the specified number of seconds and proceed with > > ! the next restriction in the list, if any. This may stop zombie > > ! mail when used as: > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtpd_client_restrictions =
    > > !         sleep 1, reject_unauth_pipelining
    > > !     smtpd_delay_reject = no
    > > ! 
    > > ! This feature is available in Postfix 2.3.
    > > ! > > !
    warn_if_reject
    > > ! > > !
    Change the meaning of the next restriction, so that it logs > > ! a warning instead of rejecting a request (look for logfile records > > ! that contain "reject_warning"). This is useful for testing new > > ! restrictions in a "live" environment without risking unnecessary > > ! loss of mail.
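Review bot: the sleep example at the end of the hunk pairs "sleep 1, reject_unauth_pipelining" with "smtpd_delay_reject = no" but says nothing about what that setting costs, while the smtpd_delay_reject text later in this same update explains that the default is on because some clients misbehave when rejected before RCPT TO and because it lets Postfix log recipient information when rejecting a client name/address or sender. Suggest one sentence after the example, along the lines of "Note: with smtpd_delay_reject = no, clients rejected by smtpd_client_restrictions are logged without recipient information; see smtpd_delay_reject", so readers copying the zombie-mail recipe know the trade-off.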
    > > > > *************** > > *** 13511,13518 **** > > > > !
  • Generic restrictions that can be used > > ! in any SMTP command context, described under smtpd_client_restrictions. > > ! > > !
  • SMTP command specific restrictions described under > > ! smtpd_client_restrictions, smtpd_helo_restrictions and > > ! smtpd_sender_restrictions. > > > > --- 10253,10261 ---- > > > > !
  • SMTP command specific restrictions that are described under > > ! the smtpd_helo_restrictions, smtpd_sender_restrictions or > > ! smtpd_recipient_restrictions parameters. When helo, sender or > > ! recipient restrictions are listed under smtpd_client_restrictions, > > ! they have effect only with "smtpd_delay_reject = yes", so that > > ! $smtpd_client_restrictions is evaluated at the time of the RCPT TO > > ! command. > > > > *************** > > *** 13525,13527 **** > >
    > > ! smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
    > >   
    > > --- 10268,10270 ---- > >
    > > ! smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
    > >   
    > > *************** > > *** 13531,13608 **** > > > > !
    smtpd_reject_footer > > (default: empty)
    > > > > !

    Optional information that is appended after each Postfix SMTP > > ! server > > ! 4XX or 5XX response.

    > > > > !

    Example:

    > > > > !
    > > ! /etc/postfix/main.cf:
    > > !     smtpd_reject_footer = For assistance, call 800-555-0101.
    > > !      Please provide the following information in your problem report:
    > > !      time ($localtime), client ($client_address) and server
    > > !      ($server_name).
    > > ! 
    > > > > !

    Server response:

    > > > > !
    > > !     550-5.5.1 <user at example> Recipient address rejected: User unknown
    > > !     550 5.5.1 For assistance, call 800-555-0101. Please provide the
    > > !     following information in your problem report: time (Jan 4 15:42:00),
    > > !     client (192.168.1.248) and server (mail1.example.com).
    > > ! 
    > > > > !

    Note: the above text is meant to make it easier to find the > > ! Postfix logfile records for a failed SMTP session. The text itself > > ! is not logged to the Postfix SMTP server's maillog file.

    > > > > !

    Be sure to keep the text as short as possible. Long text may > > ! be truncated before it is logged to the remote SMTP client's maillog > > ! file, or before it is returned to the sender in a delivery status > > ! notification.

    > > > > !

    This feature supports a limited number of $name attributes in > > ! the footer text. These are replaced by their current value for the > > ! SMTP session:

    > > > > !
    > > > > !
    client_address
    The Client IP address that > > ! is logged in the maillog file.
    > > > > -
    client_port
    The client TCP port that is > > - logged in the maillog file.
    > > > > !
    localtime
    The server local time (Mmm dd > > ! hh:mm:ss) that is logged in the maillog file.
    > > > > !
    server_name
    The server's myhostname value. > > ! This attribute is made available for sites with multiple MTAs > > ! (perhaps behind a load-balancer), where the server name can help > > ! the server support team to quickly find the right log files.
    > > > > !
    > > > > !

    Notes:

    > > > > !
      > > > > -
    • NOT SUPPORTED are other attributes such as sender, recipient, > > - or main.cf parameters.

      > > > > !
    • For safety reasons, text that does not match > > ! $smtpd_expansion_filter is censored.

      > > > > !
    > > > > !

    This feature supports the two-character sequence \n as a request > > ! for a line break in the footer text. Postfix automatically inserts > > ! after each line break the three-digit SMTP reply code (and optional > > ! enhanced status code) from the original Postfix reject message. > >

    > > > > !

    This feature is available in Postfix 2.8 and later.

    > > > > --- 10274,10362 ---- > > > > !
    smtpd_data_restrictions > > (default: empty)
    > > > > !

    > > ! Optional access restrictions that the Postfix SMTP server applies > > ! in the context of the SMTP DATA command. > > !

    > > > > !

    > > ! This feature is available in Postfix 2.0 and later. > > !

    > > > > !

    > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > > !

    > > > > !

    > > ! The following restrictions are valid in this context: > > !

    > > > > ! > > > > !

    > > ! Examples: > > !

    > > > > !
    > > ! smtpd_data_restrictions = reject_unauth_pipelining
    > > ! smtpd_data_restrictions = reject_multi_recipient_bounce
    > > ! 
    > > > > > > !
    > > > > !
    smtpd_delay_open_until_valid_rcpt > > ! (default: yes)
    > > > > !

    Postpone the start of an SMTP mail transaction until a valid > > ! RCPT TO command is received. Specify "no" to create a mail transaction > > ! as soon as the SMTP server receives a valid MAIL FROM command.

    > > > > !

    With sites that reject lots of mail, the default setting reduces > > ! the use of > > ! disk, CPU and memory resources. The downside is that rejected > > ! recipients are logged with NOQUEUE instead of a mail transaction > > ! ID. This complicates the logfile analysis of multi-recipient mail. > > !

    > > > > !

    This feature is available in Postfix 2.3 and later.

    > > > > > > !
    > > > > !
    smtpd_delay_reject > > ! (default: yes)
    > > > > !

    > > ! Wait until the RCPT TO command before evaluating > > ! $smtpd_client_restrictions, $smtpd_helo_restrictions and > > ! $smtpd_sender_restrictions, or wait until the ETRN command before > > ! evaluating $smtpd_client_restrictions and $smtpd_helo_restrictions. > > !

    > > ! > > !

    > > ! This feature is turned on by default because some clients apparently > > ! mis-behave when the Postfix SMTP server rejects commands before > > ! RCPT TO. > >

    > > > > !

    > > ! The default setting has one major benefit: it allows Postfix to log > > ! recipient address information when rejecting a client name/address > > ! or sender address, so that it is possible to find out whose mail > > ! is being rejected. > > !
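Review bot: in the smtpd_data_restrictions section, "The following restrictions are valid in this context:" is followed directly by "Examples:" with no list in between, so the generated HTML appears to have dropped the list of restrictions that this sentence introduces. Either restore the list or reword the sentence to point at the generic restrictions documented under smtpd_client_restrictions, since reject_unauth_pipelining and reject_multi_recipient_bounce (the two examples given) are only meaningful to a reader who can see which restrictions apply at the DATA stage.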

    > > > > *************** > > *** 13611,13641 **** > > > > !
    smtpd_reject_unlisted_recipient > > ! (default: yes)
    > > > > !

    > > ! Request that the Postfix SMTP server rejects mail for unknown > > ! recipient addresses, even when no explicit reject_unlisted_recipient > > ! access restriction is specified. This prevents the Postfix queue > > ! from filling up with undeliverable MAILER-DAEMON messages. > > !

    > > > > !

    An address is always considered "known" when it matches a > > ! virtual(5) alias or a canonical(5) mapping. > > > > !

      > > > > !
    • The recipient domain matches $mydestination, $inet_interfaces > > ! or $proxy_interfaces, but the recipient is not listed in > > ! $local_recipient_maps, and $local_recipient_maps is not null. > > > > !
    • The recipient domain matches $virtual_alias_domains but the > > ! recipient is not listed in $virtual_alias_maps. > > > > !
    • The recipient domain matches $virtual_mailbox_domains but the > > ! recipient is not listed in $virtual_mailbox_maps, and $virtual_mailbox_maps > > ! is not null. > > > > !
    • The recipient domain matches $relay_domains but the recipient > > ! is not listed in $relay_recipient_maps, and $relay_recipient_maps > > ! is not null. > > > > --- 10365,10398 ---- > > > > !
      smtpd_discard_ehlo_keyword_address_maps > > ! (default: empty)
      > > > > !

      Lookup tables, indexed by the remote SMTP client address, with > > ! case insensitive lists of EHLO keywords (pipelining, starttls, auth, > > ! etc.) that the SMTP server will not send in the EHLO response to a > > ! remote SMTP client. See smtpd_discard_ehlo_keywords for details. > > ! The table is not searched by hostname for robustness reasons.

      > > ! > > !

      This feature is available in Postfix 2.2 and later.

      > > ! > > ! > > !
      > > > > !
      smtpd_discard_ehlo_keywords > > ! (default: empty)
      > > ! > > !

      A case insensitive list of EHLO keywords (pipelining, starttls, > > ! auth, etc.) that the SMTP server will not send in the EHLO response > > ! to a remote SMTP client.

      > > > > !

      This feature is available in Postfix 2.2 and later.

      > > > > !

      Notes:

      > > > > !
        > > > > !
      • Specify the silent-discard pseudo keyword to prevent > > ! this action from being logged.

        > > > > !
      • Use the smtpd_discard_ehlo_keyword_address_maps feature > > ! to discard EHLO keywords selectively.
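Review bot: the smtpd_discard_ehlo_keywords and smtpd_discard_ehlo_keyword_address_maps descriptions list starttls and auth among the keywords that can be withheld from the EHLO response, but do not state the consequence for the affected clients, namely that they are not offered STARTTLS or AUTH at all. A sentence making that explicit, next to the existing advice to use smtpd_discard_ehlo_keyword_address_maps to discard keywords selectively, would make the security impact of the setting clear before an administrator applies it globally.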

        > > > > *************** > > *** 13643,13648 **** > > > > -

        > > - This feature is available in Postfix 2.1 and later. > > -

        > > - > > > > --- 10400,10401 ---- > > *************** > > *** 13650,13684 **** > > > > !
        smtpd_reject_unlisted_sender > > ! (default: no)
        > > > > !

        Request that the Postfix SMTP server rejects mail from unknown > > ! sender addresses, even when no explicit reject_unlisted_sender > > ! access restriction is specified. This can slow down an explosion > > ! of forged mail from worms or viruses.

        > > > > !

        An address is always considered "known" when it matches a > > ! virtual(5) alias or a canonical(5) mapping. > > > > !

        > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > --- 10403,10434 ---- > > > > !
        smtpd_end_of_data_restrictions > > ! (default: empty)
        > > > > !

        Optional access restrictions that the Postfix SMTP server > > ! applies in the context of the SMTP END-OF-DATA command.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > !

        See smtpd_data_restrictions for syntax details.

        > > > > > > !
        > > > > !
        smtpd_enforce_tls > > ! (default: no)
        > > > > !

        Mandatory TLS: announce STARTTLS support to SMTP clients, > > ! and require that clients use TLS encryption. According to RFC 2487 > > ! this MUST NOT be applied in case of a publicly-referenced SMTP > > ! server. This option is off by default and should be used only on > > ! dedicated servers.

        > > > > !

        Note 1: "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes".

        > > > > !

        Note 2: when invoked via "sendmail -bs", Postfix will never offer > > ! STARTTLS due to insufficient privileges to access the server private > > ! key. This is intended behavior.

        > > ! > > !

        This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtpd_tls_security_level instead.
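Review bot: the last paragraph of the smtpd_enforce_tls section says to use smtpd_tls_security_level instead with Postfix 2.3 and later, but does not say which smtpd_tls_security_level setting corresponds to "smtpd_enforce_tls = yes". Since Note 1 in the same section documents that the old setting implies "smtpd_tls_auth_only = yes", the migration hint should name the equivalent level and say whether that implication carries over, so that a configuration converted by a reader does not silently lose the AUTH-only-over-TLS behaviour.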

        > > > > *************** > > *** 13687,13701 **** > > > > !
        smtpd_restriction_classes > > ! (default: empty)
        > > > > !

        > > ! User-defined aliases for groups of access restrictions. The aliases > > ! can be specified in smtpd_recipient_restrictions etc., and on the > > ! right-hand side of a Postfix access(5) table. > >

        > > > > !

        > > ! One major application is for implementing per-recipient UCE control. > > ! See the RESTRICTION_CLASS_README document for other examples. > > !

        > > > > --- 10437,10450 ---- > > > > !
        smtpd_error_sleep_time > > ! (default: 1s)
        > > > > !

        With Postfix version 2.1 and later: the SMTP server response delay after > > ! a client has made more than $smtpd_soft_error_limit errors, and > > ! fewer than $smtpd_hard_error_limit errors, without delivering mail. > >

        > > > > !

        With Postfix version 2.0 and earlier: the SMTP server delay before > > ! sending a reject (4xx or 5xx) response, when the client has made > > ! fewer than $smtpd_soft_error_limit errors without delivering > > ! mail.

        > > > > *************** > > *** 13704,13714 **** > > > > !
        smtpd_sasl_application_name > > ! (default: smtpd)
        > > > >

        > > ! The application name that the Postfix SMTP server uses for SASL > > ! server initialization. This > > ! controls the name of the SASL configuration file. The default value > > ! is smtpd, corresponding to a SASL configuration file named > > ! smtpd.conf. > >

        > > --- 10453,10460 ---- > > > > !
        smtpd_etrn_restrictions > > ! (default: empty)
        > > > >

        > > ! Optional SMTP server access restrictions in the context of a client > > ! ETRN request. > >

        > > *************** > > *** 13716,13730 **** > >

        > > ! This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 > > ! it was renamed to smtpd_sasl_path. > >

        > > > > - > > -
        > > - > > -
        smtpd_sasl_auth_enable > > - (default: no)
        > > - > >

        > > ! Enable SASL authentication in the Postfix SMTP server. By default, > > ! the Postfix SMTP server does not use authentication. > >

        > > --- 10462,10473 ---- > >

        > > ! The Postfix ETRN implementation accepts only destinations that are > > ! eligible for the Postfix "fast flush" service. See the ETRN_README > > ! file for details. > >

        > > > >

        > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > >

        > > *************** > > *** 13732,13768 **** > >

        > > ! If a remote SMTP client is authenticated, the permit_sasl_authenticated > > ! access restriction can be used to permit relay access, like this: > >

        > > > > !
        > > !
        > > ! smtpd_recipient_restrictions =
        > > !     permit_mynetworks, permit_sasl_authenticated, ...
        > > ! 
        > > !
        > > > > !

        To reject all SMTP connections from unauthenticated clients, > > ! specify "smtpd_delay_reject = yes" (which is the default) and use: > > !

        > > > > !
        > > !
        > > ! smtpd_client_restrictions = permit_sasl_authenticated, reject
        > > ! 
        > > !
        > > > >

        > > ! See the SASL_README file for SASL configuration and operation details. > >

        > > > > > > !
        > > > > !
        smtpd_sasl_authenticated_header > > ! (default: no)
        > > > > !

        Report the SASL authenticated user name in the smtpd(8) Received > > ! message header.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > --- 10475,10511 ---- > >

        > > ! The following restrictions are specific to the domain name information > > ! received with the ETRN command. > >

        > > > > !
        > > > > !
        check_etrn_access type:table
        > > > > !
        Search the specified access database for the ETRN domain name > > ! or its parent domains. See the access(5) manual page for details. > > !
        > > ! > > !
        > > > >

        > > ! Other restrictions that are valid in this context: > >

        > > > > + > > > > !

        > > ! Example: > > !

        > > ! > > !
        > > ! smtpd_etrn_restrictions = permit_mynetworks, reject
        > > ! 
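Review bot: in the smtpd_etrn_restrictions section, "Other restrictions that are valid in this context:" is followed by an empty line and then "Example:", so the list this sentence introduces is missing from the generated HTML. Either restore the list or replace the sentence with a reference to the generic restrictions described under smtpd_client_restrictions, which the example "permit_mynetworks, reject" already relies on.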
        > > > > *************** > > *** 13771,13778 **** > > > > !
        smtpd_sasl_exceptions_networks > > ! (default: empty)
        > > > >

        > > ! What remote SMTP clients the Postfix SMTP server will not offer > > ! AUTH support to. > >

        > > --- 10514,10522 ---- > > > > !
        smtpd_expansion_filter > > ! (default: see "postconf -d" output)
        > > > >

        > > ! What characters are allowed in $name expansions of RBL reply > > ! templates. Characters not in the allowed set are replaced by "_". > > ! Use C like escapes to specify special characters such as whitespace. > >
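Review bot: the new smtpd_expansion_filter description says the parameter governs $name expansions of RBL reply templates only, but the smtpd_reject_footer text earlier in this diff states that footer text not matching $smtpd_expansion_filter is censored, so the filter also applies to the reject footer. Suggest: "What characters are allowed in $name expansions of RBL reply templates and of the smtpd_reject_footer text."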

        > > *************** > > *** 13780,13785 **** > >

        > > ! Some clients (Netscape 4 at least) have a bug that causes them to > > ! require a login and password whenever AUTH is offered, whether it's > > ! necessary or not. To work around this, specify, for example, > > ! $mynetworks to prevent Postfix from offering AUTH to local clients. > >

        > > --- 10524,10526 ---- > >

        > > ! This parameter is not subjected to $parameter expansion. > >

        > > *************** > > *** 13787,13815 **** > >

        > > ! Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also "/file/name" or > > ! "type:table" patterns. A "/file/name" pattern is replaced by its > > ! contents; a "type:table" lookup table is matched when a table entry > > ! matches a lookup string (the lookup result is ignored). Continue > > ! long lines by starting the next line with whitespace. Specify > > ! "!pattern" to exclude an address or network block from the list. > > ! The form "!/file/name" is supported only in Postfix version 2.4 and > > ! later.

        > > > > !

        Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_sasl_exceptions_networks value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

        > > > >

        > > ! Example: > >

        > > > > -
        > > - smtpd_sasl_exceptions_networks = $mynetworks
        > > - 
        > > - > >

        > > ! This feature is available in Postfix 2.1 and later. > >

        > > --- 10528,10548 ---- > >

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > ! > > !
        > > ! > > !
        smtpd_forbidden_commands > > ! (default: CONNECT, GET, POST)
        > > > >

        > > ! List of commands that causes the Postfix SMTP server to immediately > > ! terminate the session with a 221 code. This can be used to disconnect > > ! clients that obviously attempt to abuse the system. In addition to the > > ! commands listed in this parameter, commands that follow the "Label:" > > ! format of message headers will also cause a disconnect. > >

        > > > >

        > > ! This feature is available in Postfix 2.2 and later. > >

        > > *************** > > *** 13819,13830 **** > > > > !
        smtpd_sasl_local_domain > > ! (default: empty)
        > > > >

        > > ! The name of the Postfix SMTP server's local SASL authentication > > ! realm. > >

        > > > >

        > > ! By default, the local authentication realm name is the null string. > >

        > > --- 10552,10571 ---- > > > > !
        smtpd_hard_error_limit > > ! (default: 20)
        > > > >

        > > ! The maximal number of errors a remote SMTP client is allowed to > > ! make without delivering mail. The Postfix SMTP server disconnects > > ! when the limit is exceeded. > >

        > > > > + > > +
        > > + > > +
        smtpd_helo_required > > + (default: no)
        > > + > >

        > > ! Require that a remote SMTP client introduces itself at the beginning > > ! of an SMTP session with the HELO or EHLO command. > >

        > > *************** > > *** 13832,13834 **** > >

        > > ! Examples: > >

        > > --- 10573,10575 ---- > >

        > > ! Example: > >

        > > *************** > > *** 13836,13839 **** > >
        > > ! smtpd_sasl_local_domain = $mydomain
        > > ! smtpd_sasl_local_domain = $myhostname
        > >   
        > > --- 10577,10579 ---- > >
        > > ! smtpd_helo_required = yes
        > >   
        > > *************** > > *** 13843,13874 **** > > > > !
        smtpd_sasl_path > > ! (default: smtpd)
        > > ! > > !

        Implementation-specific information that the Postfix SMTP server > > ! passes through to > > ! the SASL plug-in implementation that is selected with > > ! smtpd_sasl_type. Typically this specifies the name of a > > ! configuration file or rendezvous point.

        > > ! > > !

        This feature is available in Postfix 2.3 and later. In earlier > > ! releases it was called smtpd_sasl_application_name.

        > > ! > > ! > > !
        > > ! > > !
        smtpd_sasl_security_options > > ! (default: noanonymous)
        > > > > !

        Postfix SMTP server SASL security options; as of Postfix 2.3 > > ! the list of available > > ! features depends on the SASL server implementation that is selected > > ! with smtpd_sasl_type.

        > > > > !

        The following security features are defined for the cyrus > > ! server SASL implementation:

        > > > >

        > > ! Restrict what authentication mechanisms the Postfix SMTP server > > ! will offer to the client. The list of available authentication > > ! mechanisms is system dependent. > >

        > > --- 10583,10601 ---- > > > > !
        smtpd_helo_restrictions > > ! (default: empty)
        > > > > !

        > > ! Optional restrictions that the Postfix SMTP server applies in the > > ! context of the SMTP HELO command. > > !

        > > > > !

        > > ! The default is to permit everything. > > !

        > > > >

        > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > >

        > > *************** > > *** 13876,13878 **** > >

        > > ! Specify zero or more of the following: > >

        > > --- 10603,10606 ---- > >

        > > ! The following restrictions are specific to the hostname information > > ! received with the HELO or EHLO command. > >

        > > *************** > > *** 13881,13907 **** > > > > !
        noplaintext
        > > > > !
        Disallow methods that use plaintext passwords.
        > > > > !
        noactive
        > > > > !
        Disallow methods subject to active (non-dictionary) attack.
        > > > > !
        nodictionary
        > > > > !
        Disallow methods subject to passive (dictionary) attack.
        > > > > !
        noanonymous
        > > > > !
        Disallow methods that allow anonymous authentication.
        > > > > !
        forward_secrecy
        > > > > !
        Only allow methods that support forward secrecy (Dovecot only). > >
        > > > > !
        mutual_auth
        > > > > !
        Only allow methods that provide mutual authentication (not available > > ! with Cyrus SASL version 1).
        > > > > --- 10609,10661 ---- > > > > !
        check_helo_access type:table
        > > > > !
        Search the specified access(5) database for the HELO or EHLO > > ! hostname or parent domains, and execute the corresponding action. > > !
        > > > > !
        check_helo_mx_access type:table
        > > > > !
        Search the specified access(5) database for the MX hosts for > > ! the HELO or EHLO hostname, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > !
        check_helo_ns_access type:table
        > > > > !
        Search the specified access(5) database for the DNS servers > > ! for the HELO or EHLO hostname, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > !
        reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
        > > > > !
        Reject the request when the HELO or EHLO hostname syntax is > > ! invalid.
        The invalid_hostname_reject_code specifies the response > > ! code to rejected requests (default: 501).
        > > > > !
        reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
        > > > > !
        Reject the request when the HELO or EHLO hostname is not in > > ! fully-qualified domain form, as required by the RFC.
        The > > ! non_fqdn_reject_code parameter specifies the response code to > > ! rejected requests (default: 504).
        > > ! > > !
        reject_rhsbl_helo rbl_domain=d.d.d.d
        > > ! > > !
        Reject the request when the HELO or EHLO hostname hostname is > > ! listed with the A record "d.d.d.d" under rbl_domain > > ! (Postfix version 2.1 and later only). If no "=d.d.d.d" is > > ! specified, reject the request when the HELO or EHLO hostname is > > ! listed with any A record under rbl_domain. See the > > ! reject_rbl_client description for additional RBL related configuration > > ! parameters. This feature is available in Postfix 2.0 and later. > >
        > > > > !
        reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
        > > > > !
        Reject the request when the HELO or EHLO hostname has no DNS A > > ! or MX record.
        The unknown_hostname_reject_code specifies the > > ! response code to rejected requests (default: 450).
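Review bot: the reject_rhsbl_helo entry on the `---` side contradicts itself on versions, "(Postfix version 2.1 and later only)" followed by "This feature is available in Postfix 2.0 and later"; keep one of the two. The same entry reads "the HELO or EHLO hostname hostname is", a doubled word. Worth preserving as written: the check_helo_mx_access and check_helo_ns_access entries state that a lookup result of OK is refused and that DUNNO is the way to exempt a host; because the HELO name is supplied by the client, a table keyed on it must not be able to return a permit, and that sentence is the only place the entry says so.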
        > > > > *************** > > *** 13910,13926 **** > >

        > > ! By default, the Postfix SMTP server accepts plaintext passwords but > > ! not anonymous logins. > >

        > > > > !

        > > ! Warning: it appears that clients try authentication methods in the > > ! order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) > > ! which means that if you disable plaintext passwords, clients will > > ! log in anonymously, even when they should be able to use CRAM-MD5. > > ! So, if you disable plaintext logins, disable anonymous logins too. > > ! Postfix treats anonymous login as no authentication. > > !

        > > > >

        > > ! Example: > >

        > > --- 10664,10687 ---- > >

        > > ! Other restrictions that are valid in this context: > >

        > > > > ! > > > >

        > > ! Examples: > >
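Review bot: "Other restrictions that are valid in this context:" on the `---` side is followed by nothing before "Examples:", so the list of generic restrictions (or the link to it) did not make it into this message; check whether the generated HTML still contains it or whether a list element was lost on the way. On the `***` side the removed warning is the security-relevant part of smtpd_sasl_security_options: clients try mechanisms in the advertised order, so disabling plaintext without also disabling ANONYMOUS makes them log in anonymously, which Postfix treats as no authentication. Before accepting the removal, confirm the warning reappears wherever that entry now sits in the file, since at this position it is replaced by unrelated HELO text.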

        > > *************** > > *** 13928,13930 **** > >
        > > ! smtpd_sasl_security_options = noanonymous, noplaintext
        > >   
        > > --- 10689,10692 ---- > >
        > > ! smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
        > > ! smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
        > >   
        > > *************** > > *** 13934,13942 **** > > > > !
        smtpd_sasl_tls_security_options > > ! (default: $smtpd_sasl_security_options)
        > > > > !

        The SASL authentication security options that the Postfix SMTP > > ! server uses for TLS encrypted SMTP sessions.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 10696,10719 ---- > > > > !
        smtpd_history_flush_threshold > > ! (default: 100)
        > > > > !

        > > ! The maximal number of lines in the Postfix SMTP server command history > > ! before it is flushed upon receipt of EHLO, RSET, or end of DATA. > > !

        > > > > ! > > !
        > > ! > > !
        smtpd_junk_command_limit > > ! (default: 100)
        > > ! > > !

        > > ! The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote > > ! SMTP client can send before the Postfix SMTP server starts to > > ! increment the error counter with each junk command. The junk > > ! command count is reset after mail is delivered. See also the > > ! smtpd_error_sleep_time and smtpd_soft_error_limit configuration > > ! parameters. > > !

        > > > > *************** > > *** 13945,13952 **** > > > > !
        smtpd_sasl_type > > ! (default: cyrus)
        > > > > !

        The SASL plug-in type that the Postfix SMTP server should use > > ! for authentication. The available types are listed with the > > ! "postconf -a" command.

        > > > > --- 10722,10729 ---- > > > > !
        smtpd_milters > > ! (default: empty)
        > > > > !

        A list of Milter (mail filter) applications for new mail that > > ! arrives via the Postfix smtpd(8) server. See the MILTER_README > > ! document for details.

        > > > > *************** > > *** 13957,13959 **** > > > > !
        smtpd_sender_login_maps > > (default: empty)
        > > --- 10734,10736 ---- > > > > !
        smtpd_noop_commands > > (default: empty)
        > > *************** > > *** 13961,13993 **** > >

        > > ! Optional lookup table with the SASL login names that own sender > > ! (MAIL FROM) addresses. > >

        > > > >

        > > ! Specify zero or more "type:table" lookup tables. With lookups from > > ! indexed files such as DB or DBM, or from networked tables such as > > ! NIS, LDAP or SQL, the following search operations are done with a > > ! sender address of user at domain:

        > > > > -
        > > > > !
        1) user at domain
        > > > > !
        This table lookup is always done and has the highest precedence.
        > > > > !
        2) user
        > > > > !
        This table lookup is done only when the domain part of the > > ! sender address matches $myorigin, $mydestination, $inet_interfaces > > ! or $proxy_interfaces.
        > > > > -
        3) @domain
        > > > > !
        This table lookup is done last and has the lowest precedence.
        > > > > !
        > > > >

        > > ! In all cases the result of table lookup must be either "not found" > > ! or a list of SASL login names separated by comma and/or whitespace. > >

        > > --- 10738,10782 ---- > >

        > > ! List of commands that the Postfix SMTP server replies to with "250 > > ! Ok", without doing any syntax checks and without changing state. > > ! This list overrides any commands built into the Postfix SMTP server. > >

        > > > > + > > +
        > > + > > +
        smtpd_null_access_lookup_key > > + (default: <>)
        > > + > >

        > > ! The lookup key to be used in SMTP access(5) tables instead of the > > ! null sender address. > > !

        > > > > > > !
        > > > > !
        smtpd_peername_lookup > > ! (default: yes)
        > > > > !

        Attempt to look up the remote SMTP client hostname, and verify that > > ! the name matches the client IP address. A client name is set to > > ! "unknown" when it cannot be looked up or verified, or when name > > ! lookup is disabled. Turning off name lookup reduces delays due to > > ! DNS lookup and increases the maximal inbound delivery rate.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        smtpd_policy_service_max_idle > > ! (default: 300s)
        > > > >

        > > ! The time after which an idle SMTPD policy service connection is > > ! closed. > > !

        > > ! > > !

        > > ! This feature is available in Postfix 2.1 and later. > >
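Review bot: the smtpd_noop_commands entry on the `---` side says the list "overrides any commands built into the Postfix SMTP server"; spelled out, that means a real verb placed there (RSET, VRFY) is answered "250 Ok" and never executed, and the entry should state that consequence instead of leaving it to be inferred. For smtpd_peername_lookup the entry explains that with the lookup off the client name becomes "unknown"; it should add that every access restriction keyed on the client hostname then sees "unknown" too, which is the trade-off behind the throughput gain it advertises. Separately, "user at domain" in the removed smtpd_sender_login_maps lookup keys (three occurrences) is the list archive's address scrubber rewriting "@", so the quoted text is not a faithful copy of the HTML and should not be reused as wording.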

        > > *************** > > *** 13997,14006 **** > > > > !
        smtpd_sender_restrictions > > ! (default: empty)
        > > > >

        > > ! Optional restrictions that the Postfix SMTP server applies in the > > ! context of the MAIL FROM command. > > ! See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access > > ! restriction lists" for a discussion of evaluation context and time. > >

        > > --- 10786,10793 ---- > > > > !
        smtpd_policy_service_max_ttl > > ! (default: 1000s)
        > > > >

        > > ! The time after which an active SMTPD policy service connection is > > ! closed. > >

        > > *************** > > *** 14008,14017 **** > >

        > > ! The default is to permit everything. > >

        > > > >

        > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > >

        > > --- 10795,10808 ---- > >

        > > ! This feature is available in Postfix 2.1 and later. > >

        > > > > + > > +
        > > + > > +
        smtpd_policy_service_timeout > > + (default: 100s)
        > > + > >

        > > ! The time limit for connecting to, writing to or receiving from a > > ! delegated SMTPD policy server. > >

        > > *************** > > *** 14019,14130 **** > >

        > > ! The following restrictions are specific to the sender address > > ! received with the MAIL FROM command. > >

        > > > > -
        > > > > !
        check_sender_access type:table
        > > > > !
        Search the specified access(5) database for the MAIL FROM > > ! address, domain, parent domains, or localpart@, and execute the > > ! corresponding action.
        > > > > !
        check_sender_mx_access type:table
        > > > > !
        Search the specified access(5) database for the MX hosts for > > ! the MAIL FROM address, and execute the corresponding action. Note: > > ! a result of "OK" is not allowed for safety reasons. Instead, use > > ! DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > -
        check_sender_ns_access type:table
        > > > > !
        Search the specified access(5) database for the DNS servers > > ! for the MAIL FROM address, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > !
        reject_authenticated_sender_login_mismatch
        > > > > !
        Enforces the reject_sender_login_mismatch restriction for > > ! authenticated clients only. This feature is available in > > ! Postfix version 2.1 and later.
        > > > > !
        reject_non_fqdn_sender
        > > > > !
        Reject the request when the MAIL FROM address is not in > > ! fully-qualified domain form, as required by the RFC.
        The > > ! non_fqdn_reject_code parameter specifies the response code for > > ! rejected requests (default: 504).
        > > > > !
        reject_rhsbl_sender rbl_domain=d.d.d.d
        > > > > !
        Reject the request when the MAIL FROM domain is listed with > > ! the A record "d.d.d.d" under rbl_domain (Postfix > > ! version 2.1 and later only). Each "d" is a number, or a > > ! pattern inside "[]" that contains one or more ";"-separated numbers > > ! or number..number ranges (Postfix version 2.8 and later). If no > > ! "=d.d.d.d" is specified, > > ! reject the request when the MAIL FROM domain is > > ! listed with any A record under rbl_domain.
        The > > ! maps_rbl_reject_code parameter specifies the response code for > > ! rejected requests (default: 554); the default_rbl_reply parameter > > ! specifies the default server reply; and the rbl_reply_maps parameter > > ! specifies tables with server replies indexed by rbl_domain. > > ! This feature is available in Postfix 2.0 and later.
        > > > > -
        reject_sender_login_mismatch
        > > > > !
        Reject the request when $smtpd_sender_login_maps specifies an > > ! owner for the MAIL FROM address, but the client is not (SASL) logged > > ! in as that MAIL FROM address owner; or when the client is (SASL) > > ! logged in, but the client login name doesn't own the MAIL FROM > > ! address according to $smtpd_sender_login_maps.
        > > > > !
        reject_unauthenticated_sender_login_mismatch
        > > > > !
        Enforces the reject_sender_login_mismatch restriction for > > ! unauthenticated clients only. This feature is available in > > ! Postfix version 2.1 and later.
        > > > > -
        reject_unknown_sender_domain
        > > > > !
        Reject the request when Postfix is not final destination for > > ! the sender address, and the MAIL FROM domain has 1) no DNS A or MX > > ! record, or 2) a malformed MX record such as a record with > > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > > ! unknown_address_reject_code parameter specifies the numerical > > ! response code for rejected requests (default: 450). The response > > ! is always 450 in case of a temporary DNS error.
        The > > ! unknown_address_tempfail_action parameter specifies the action > > ! after a temporary DNS error (default: defer_if_permit).
        > > > > !
        reject_unlisted_sender
        > > > > !
        Reject the request when the MAIL FROM address is not listed in > > ! the list of valid recipients for its domain class. See the > > ! smtpd_reject_unlisted_sender parameter description for details. > > ! This feature is available in Postfix 2.1 and later.
        > > > > -
        reject_unverified_sender
        > > > > !
        Reject the request when mail to the MAIL FROM address is known to > > ! bounce, or when the sender address destination is not reachable. > > ! Address verification information is managed by the verify(8) server; > > ! see the ADDRESS_VERIFICATION_README file for details.
        The > > ! unverified_sender_reject_code parameter specifies the numerical > > ! response code when an address is known to bounce (default: 450, > > ! change into 550 when you are confident that it is safe to do so). > > !
        The unverified_sender_defer_code specifies the numerical response > > ! code when an address address probe failed due to a temporary problem > > ! (default: 450).
        The unverified_sender_tempfail_action parameter > > ! specifies the action after address probe failure due to a temporary > > ! problem (default: defer_if_permit).
        This feature is available > > ! in Postfix 2.1 and later.
        > > > > !
        > > > >

        > > ! Other restrictions that are valid in this context: > >

        > > --- 10810,10909 ---- > >

        > > ! This feature is available in Postfix 2.1 and later. > >

        > > > > > > !
        > > > > !
        smtpd_proxy_ehlo > > ! (default: $myhostname)
        > > > > !

        > > ! How the Postfix SMTP server announces itself to the proxy filter. > > ! By default, the Postfix hostname is used. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > > > !
        > > > > !
        smtpd_proxy_filter > > ! (default: empty)
        > > > > !

        The hostname and TCP port of the mail filtering proxy server. > > ! The proxy receives all mail from the Postfix SMTP server, and is > > ! supposed to give the result to another Postfix SMTP server process. > > !

        > > > > !

        Specify "host:port" or "inet:host:port" for a TCP endpoint, or > > ! "unix:pathname" for a UNIX-domain endpoint. The host can be specified > > ! as an IP address or as a symbolic name; no MX lookups are done. > > ! When no "host" or "host:" are specified, the local machine is > > ! assumed. Pathname interpretation is relative to the Postfix queue > > ! directory.

        > > > > !

        This feature is available in Postfix 2.1 and later.

        > > ! > > !

        The "inet:" and "unix:" prefixes are available in Postfix 2.3 > > ! and later.

        > > ! > > ! > > !
        > > ! > > !
        smtpd_proxy_timeout > > ! (default: 100s)
        > > ! > > !

        > > ! The time limit for connecting to a proxy filter and for sending or > > ! receiving information. When a connection fails the client gets a > > ! generic error message while more detailed information is logged to > > ! the maillog file. > > !

        > > > > !

        > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

        > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > > > !
        > > > > !
        smtpd_recipient_limit > > ! (default: 1000)
        > > > > !

        > > ! The maximal number of recipients that the Postfix SMTP server > > ! accepts per message delivery request. > > !

        > > > > > > !
        > > > > !
        smtpd_recipient_overshoot_limit > > ! (default: 1000)
        > > > > !

        The number of recipients that a remote SMTP client can send in > > ! excess of the limit specified with $smtpd_recipient_limit, before > > ! the Postfix SMTP server increments the per-session error count > > ! for each excess recipient.

        > > > > > > !
        > > > > !
        smtpd_recipient_restrictions > > ! (default: permit_mynetworks, reject_unauth_destination)
        > > > >

        > > ! The access restrictions that the Postfix SMTP server applies in > > ! the context of the RCPT TO command. > > !

        > > ! > > !

        > > ! By default, the Postfix SMTP server accepts: > >
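Review bot: on the `***` side the reject_rhsbl_sender entry carries two incompatible version statements ("Postfix version 2.1 and later only" and "This feature is available in Postfix 2.0 and later"), and reject_unverified_sender reads "an address address probe"; if the sender restrictions are being relocated rather than deleted, which the unrelated `---` side (smtpd_proxy_*, smtpd_recipient_*) suggests, both should be fixed at the new location. On the `---` side the smtpd_recipient_restrictions entry ends mid-sentence at "By default, the Postfix SMTP server accepts:" because the hunk boundary falls inside its list; the bullets are in the following hunk and the two have to be read together.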

        > > *************** > > *** 14133,14145 **** > > > > !
      • Generic restrictions that can be used > > ! in any SMTP command context, described under smtpd_client_restrictions. > > > > !
      • SMTP command specific restrictions described under > > ! smtpd_client_restrictions and smtpd_helo_restrictions. > > > > !
      • SMTP command specific restrictions described under > > ! smtpd_recipient_restrictions. When recipient restrictions are listed > > ! under smtpd_sender_restrictions, they have effect only with > > ! "smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is > > ! evaluated at the time of the RCPT TO command. > > > > --- 10912,10922 ---- > > > > !
      • Mail from clients whose IP address matches $mynetworks, or: > > > > !
      • Mail to remote destinations that match $relay_domains, except > > ! for addresses that contain sender-specified routing > > ! (user at elsewhere@domain), or: > > > > !
      • Mail to local destinations that match $inet_interfaces > > ! or $proxy_interfaces, $mydestination, $virtual_alias_domains, or > > ! $virtual_mailbox_domains. > > > > *************** > > *** 14148,14354 **** > >

        > > ! Examples: > >

        > > > >
        > > ! smtpd_sender_restrictions = reject_unknown_sender_domain
        > > ! smtpd_sender_restrictions = reject_unknown_sender_domain,
        > > !     check_sender_access hash:/etc/postfix/access
        > >   
        > > > > ! > > !
      • > > ! > > !
        smtpd_service_name > > ! (default: smtpd)
        > > ! > > !

        The internal service that postscreen(8) hands off allowed > > ! connections to. In a future version there may be different > > ! classes of SMTP service.

        > > ! > > !

        This feature is available in Postfix 2.8.

        > > ! > > ! > > !
        > > ! > > !
        smtpd_soft_error_limit > > ! (default: 10)
        > > > >

        > > ! The number of errors a remote SMTP client is allowed to make without > > ! delivering mail before the Postfix SMTP server slows down all its > > ! responses. > >

        > > > > !
          > > > > !
        • With Postfix version 2.1 and later, the Postfix SMTP server > > ! delays all responses by $smtpd_error_sleep_time seconds.

          > > > > !
        • With Postfix versions 2.0 and earlier, the Postfix SMTP > > ! server delays all responses by (number of errors) seconds.

          > > > > !
        > > > > > > !
        > > > > !
        smtpd_starttls_timeout > > ! (default: see "postconf -d" output)
        > > > > !

        The time limit for Postfix SMTP server write and read operations > > ! during TLS startup and shutdown handshake procedures. The current > > ! default value is stress-dependent. Before Postfix version 2.8, it > > ! was fixed at 300s.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_timeout > > ! (default: normal: 300s, overload: 10s)
        > > > > !

        > > ! The time limit for sending a Postfix SMTP server response and for > > ! receiving a remote SMTP client request. Normally the default limit > > ! is 300s, but it changes under overload to just 10s. With Postfix > > ! 2.5 and earlier, the SMTP server always uses a time limit of 300s > > ! by default. > > !

        > > > > !

        > > ! Note: if you set SMTP time limits to very large values you may have > > ! to update the global ipc_timeout parameter. > > !

        > > > > !

        > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

        > > > > > > !
        > > > > !
        smtpd_tls_CAfile > > ! (default: empty)
        > > > > !

        A file containing (PEM format) CA certificates of root CAs trusted > > ! to sign either remote SMTP client certificates or intermediate CA > > ! certificates. These are loaded into memory before the smtpd(8) server > > ! enters the chroot jail. If the number of trusted roots is large, consider > > ! using smtpd_tls_CApath instead, but note that the latter directory must > > ! be present in the chroot jail if the smtpd(8) server is chrooted. This > > ! file may also be used to augment the server certificate trust chain, > > ! but it is best to include all the required certificates directly in the > > ! server certificate file.

        > > ! > > !

        Specify "smtpd_tls_CAfile = /path/to/system_CA_file" to use ONLY > > ! the system-supplied default certificate authority certificates. > > !

        > > ! > > !

        Specify "tls_append_default_CA = no" to prevent Postfix from > > ! appending the system-supplied default CAs and trusting third-party > > ! certificates.

        > > ! > > !

        By default (see smtpd_tls_ask_ccert), client certificates are not > > ! requested, and smtpd_tls_CAfile should remain empty. If you do make use > > ! of client certificates, the distinguished names (DNs) of the certificate > > ! authorities listed in smtpd_tls_CAfile are sent to the remote SMTP client > > ! in the client certificate request message. MUAs with multiple client > > ! certificates may use the list of preferred certificate authorities > > ! to select the correct client certificate. You may want to put your > > ! "preferred" CA or CAs in this file, and install other trusted CAs in > > ! $smtpd_tls_CApath.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_CAfile = /etc/postfix/CAcert.pem
        > > ! 
        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_CApath > > ! (default: empty)
        > > > > !

        A directory containing (PEM format) CA certificates of root CAs > > ! trusted to sign either remote SMTP client certificates or intermediate CA > > ! certificates. Do not forget to create the necessary "hash" links with, > > ! for example, "$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs". To use > > ! smtpd_tls_CApath in chroot mode, this directory (or a copy) must be > > ! inside the chroot jail.

        > > ! > > !

        Specify "smtpd_tls_CApath = /path/to/system_CA_directory" to > > ! use ONLY the system-supplied default certificate authority certificates. > > !

        > > ! > > !

        Specify "tls_append_default_CA = no" to prevent Postfix from > > ! appending the system-supplied default CAs and trusting third-party > > ! certificates.

        > > ! > > !

        By default (see smtpd_tls_ask_ccert), client certificates are > > ! not requested, and smtpd_tls_CApath should remain empty. In contrast > > ! to smtpd_tls_CAfile, DNs of certificate authorities installed > > ! in $smtpd_tls_CApath are not included in the client certificate > > ! request message. MUAs with multiple client certificates may use the > > ! list of preferred certificate authorities to select the correct > > ! client certificate. You may want to put your "preferred" CA or > > ! CAs in $smtpd_tls_CAfile, and install the remaining trusted CAs in > > ! $smtpd_tls_CApath.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_CApath = /etc/postfix/certs
        > > ! 
        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_always_issue_session_ids > > ! (default: yes)
        > > > > !

        Force the Postfix SMTP server to issue a TLS session id, even > > ! when TLS session caching is turned off (smtpd_tls_session_cache_database > > ! is empty). This behavior is compatible with Postfix < 2.3.

        > > > > !

        With Postfix 2.3 and later the Postfix SMTP server can disable > > ! session id generation when TLS session caching is turned off. This > > ! keeps remote SMTP clients from caching sessions that almost certainly cannot > > ! be re-used.

        > > > > !

        By default, the Postfix SMTP server always generates TLS session > > ! ids. This works around a known defect in mail client applications > > ! such as MS Outlook, and may also prevent interoperability issues > > ! with other MTAs.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_always_issue_session_ids = no
        > > ! 
        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_ask_ccert > > ! (default: no)
        > > > > !

        Ask a remote SMTP client for a client certificate. This > > ! information is needed for certificate based mail relaying with, > > ! for example, the permit_tls_clientcerts feature.

        > > > > !

        Some clients such as Netscape will either complain if no > > ! certificate is available (for the list of CAs in $smtpd_tls_CAfile) > > ! or will offer multiple client certificates to choose from. This > > ! may be annoying, so this option is "off" by default.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 10925,11107 ---- > >

        > > ! IMPORTANT: If you change this parameter setting, you must specify > > ! at least one of the following restrictions. Otherwise Postfix will > > ! refuse to receive mail: > >

        > > > > +
        > >
        > > ! reject, defer, defer_if_permit, reject_unauth_destination
        > >   
        > > +
        > > > > !

        > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > > !

        > > > >

        > > ! The following restrictions are specific to the recipient address > > ! that is received with the RCPT TO command. > >

        > > > > !
        > > > > !
        check_recipient_access type:table
        > > > > !
        Search the specified access(5) database for the resolved RCPT > > ! TO address, domain, parent domains, or localpart@, and execute the > > ! corresponding action.
        > > > > !
        check_recipient_mx_access type:table
        > > ! > > !
        Search the specified access(5) database for the MX hosts for > > ! the RCPT TO domain, and execute the corresponding action. Note: > > ! a result of "OK" is not allowed for safety reasons. Instead, use > > ! DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > +
        check_recipient_ns_access type:table
        > > > > !
        Search the specified access(5) database for the DNS servers > > ! for the RCPT TO domain, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > !
        permit_auth_destination
        > > > > !
        Permit the request when one of the following is true: > > > > !
        > > > > !
        permit_mx_backup
        > > > > !
        Permit the request when the local mail system is backup MX for > > ! the RCPT TO domain, or when the domain is an authorized destination > > ! (see permit_auth_destination for definition). > > > > !
          > > > > +
        • Safety: permit_mx_backup does not accept addresses that have > > + sender-specified routing information (example: user at elsewhere@domain). > > > > !
        • Safety: permit_mx_backup can be vulnerable to mis-use when > > ! access is not restricted with permit_mx_backup_networks. > > > > !
        • Safety: as of Postfix version 2.3, permit_mx_backup no longer > > ! accepts the address when the local mail system is primary MX for > > ! the recipient domain. Exception: permit_mx_backup accepts the address > > ! when it specifies an authorized destination (see permit_auth_destination > > ! for definition). > > > > !
        • Limitation: mail may be rejected in case of a temporary DNS > > ! lookup problem with Postfix prior to version 2.0. > > > > !
        > > > > !
        reject_non_fqdn_recipient
        > > > > !
        Reject the request when the RCPT TO address is not in > > ! fully-qualified domain form, as required by the RFC.
        The > > ! non_fqdn_reject_code parameter specifies the response code to > > ! rejected requests (default: 504).
        > > > > +
        reject_rhsbl_recipient rbl_domain=d.d.d.d
        > > > > !
        Reject the request when the RCPT TO domain is listed with the > > ! A record "d.d.d.d" under rbl_domain (Postfix version > > ! 2.1 and later only). If no "=d.d.d.d" is specified, reject > > ! the request when the RCPT TO domain is listed with > > ! any A record under rbl_domain.
        The maps_rbl_reject_code > > ! parameter specifies the response code for rejected requests (default: > > ! 554); the default_rbl_reply parameter specifies the default server > > ! reply; and the rbl_reply_maps parameter specifies tables with server > > ! replies indexed by rbl_domain. This feature is available > > ! in Postfix version 2.0 and later.
        > > > > !
        reject_unauth_destination
        > > > > !
        Reject the request unless one of the following is true: > > > > ! The relay_domains_reject_code parameter specifies the response > > + code for rejected requests (default: 554).
        > > > > !
        reject_unknown_recipient_domain
        > > > > !
        Reject the request when Postfix is not final destination for > > ! the recipient domain, and the RCPT TO domain has no DNS A or MX > > ! record, or when it has a malformed MX record such as a record with > > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > > ! unknown_address_reject_code parameter specifies the response code > > ! for rejected requests (default: 450). The response is always 450 > > ! in case of a temporary DNS error.
        > > > > !
        reject_unlisted_recipient (with Postfix version 2.0: check_recipient_maps)
        > > > > !
        Reject the request when the RCPT TO address is not listed in > > ! the list of valid recipients for its domain class. See the > > ! smtpd_reject_unlisted_recipient parameter description for details. > > ! This feature is available in Postfix 2.1 and later.
        > > > > !
        reject_unverified_recipient
        > > > > !
        Reject the request when mail to the RCPT TO address is known > > ! to bounce, or when the recipient address destination is not reachable. > > ! Address verification information is managed by the verify(8) server; > > ! see the ADDRESS_VERIFICATION_README file for details.
        The > > ! unverified_recipient_reject_code parameter specifies the response > > ! when an address is known to bounce (default: 450, change into 550 > > ! when you are confident that it is safe to do so). The > > ! unverified_recipient_defer_code parameter specifies the response > > ! when an address probe failed due to a temporary problem (default: > > ! 450). This feature is available in Postfix 2.1 and later.
        > > > > !
        > > > > !

        > > ! Other restrictions that are valid in this context: > > !

        > > > > + > > > > !

        > > ! Example: > > !

        > > > > !
        > > ! smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
        > > ! 
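Review bot: the condition list for reject_unauth_destination is missing from this hunk. The paragraph ends with "Reject the request unless one of the following is true:" and the very next text is "The relay_domains_reject_code parameter specifies the response code for rejected requests (default: 554)", so the rendered diff no longer states which destinations count as authorized (the list items were evidently dropped together with the HTML list markup when the message was generated). Since this is the one restriction that keeps a server from being an open relay, the notification should carry the full list, or the generator should strip the markup before diffing so that lists survive.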
        > > > > *************** > > *** 14357,14388 **** > > > > !
        smtpd_tls_auth_only > > ! (default: no)
        > > > > !

        When TLS encryption is optional in the Postfix SMTP server, do > > ! not announce or accept SASL authentication over unencrypted > > ! connections.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_ccert_verifydepth > > ! (default: 9)
        > > > > !

        The verification depth for remote SMTP client certificates. A > > ! depth of 1 is sufficient if the issuing CA is listed in a local CA > > ! file.

        > > > > !

        The default verification depth is 9 (the OpenSSL default) for > > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > > ! the default value was 5, but the limit was not actually enforced. If > > ! you have set this to a lower non-default value, certificates with longer > > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > > ! CAs are common, deeper chains are more rare and any number between 5 > > ! and 9 should suffice in practice. You can choose a lower number if, > > ! for example, you trust certificates directly signed by an issuing CA > > ! but not any CAs it delegates to.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11110,11143 ---- > > > > !
        smtpd_reject_unlisted_recipient > > ! (default: yes)
        > > > > !

        > > ! Request that the Postfix SMTP server rejects mail for unknown > > ! recipient addresses, even when no explicit reject_unlisted_recipient > > ! access restriction is specified. This prevents the Postfix queue > > ! from filling up with undeliverable MAILER-DAEMON messages. > > !

        > > > > ! > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > *************** > > *** 14391,14446 **** > > > > !
        smtpd_tls_cert_file > > ! (default: empty)
        > > ! > > !

        File with the Postfix SMTP server RSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP server private RSA key.

        > > ! > > !

        Public Internet MX hosts without certificates signed by a "reputable" > > ! CA must generate, and be prepared to present to most clients, a > > ! self-signed or private-CA signed certificate. The client will not be > > ! able to authenticate the server, but unless it is running Postfix 2.3 or > > ! similar software, it will still insist on a server certificate.

        > > ! > > !

        For servers that are not public Internet MX hosts, Postfix > > ! 2.3 supports configurations with no certificates. This entails the > > ! use of just the anonymous TLS ciphers, which are not supported by > > ! typical SMTP clients. Since such clients will not, as a rule, fall > > ! back to plain text after a TLS handshake failure, the server will > > ! be unable to receive email from TLS enabled clients. To avoid > > ! accidental configurations with no certificates, Postfix 2.3 enables > > ! certificate-less operation only when the administrator explicitly > > ! sets "smtpd_tls_cert_file = none". This ensures that new Postfix > > ! configurations will not accidentally run with no certificates.

        > > > > !

        Both RSA and DSA certificates are supported. When both types > > ! are present, the cipher used determines which certificate will be > > ! presented to the client. For Netscape and OpenSSL clients without > > ! special cipher choices the RSA certificate is preferred.

        > > > > !

        To enable a remote SMTP client to verify the Postfix SMTP server > > ! certificate, the issuing CA certificates must be made available to the > > ! client. You should include the required certificates in the server > > ! certificate file, the server certificate first, then the issuing > > ! CA(s) (bottom-up order).

        > > > > !

        Example: the certificate for "server.example.com" was issued by > > ! "intermediate CA" which itself has a certificate of "root CA". > > ! Create the server.pem file with "cat server_cert.pem intermediate_CA.pem > > ! root_CA.pem > server.pem".

        > > > > !

        If you also want to verify client certificates issued by these > > ! CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which > > ! case it is not necessary to have them in the smtpd_tls_cert_file or > > ! smtpd_tls_dcert_file.

        > > > > !

        A certificate supplied here must be usable as an SSL server certificate > > ! and hence pass the "openssl verify -purpose sslserver ..." test.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_cert_file = /etc/postfix/server.pem
        > > ! 
        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11146,11177 ---- > > > > !
        smtpd_reject_unlisted_sender > > ! (default: no)
        > > > > !

        Request that the Postfix SMTP server rejects mail from unknown > > ! sender addresses, even when no explicit reject_unlisted_sender > > ! access restriction is specified. This can slow down an explosion > > ! of forged mail from worms or viruses.

        > > > > ! > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > *************** > > *** 14449,14467 **** > > > > !
        smtpd_tls_cipherlist > > (default: empty)
        > > > > !

        Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS > > ! cipher list. It is easy to create inter-operability problems by choosing > > ! a non-default cipher list. Do not use a non-default TLS cipherlist for > > ! MX hosts on the public Internet. Clients that begin the TLS handshake, > > ! but are unable to agree on a common cipher, may not be able to send any > > ! email to the SMTP server. Using a restricted cipher list may be more > > ! appropriate for a dedicated MSA or an internal mailhub, where one can > > ! exert some control over the TLS software and settings of the connecting > > ! clients.

        > > ! > > !

        Note: do not use "" quotes around the parameter value.

        > > > > !

        This feature is available with Postfix version 2.2. It is not used with > > ! Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

        > > > > --- 11180,11194 ---- > > > > !
        smtpd_restriction_classes > > (default: empty)
        > > > > !

        > > ! User-defined aliases for groups of access restrictions. The aliases > > ! can be specified in smtpd_recipient_restrictions etc., and on the > > ! right-hand side of a Postfix access(5) table. > > !

        > > > > !

        > > ! One major application is for implementing per-recipient UCE control. > > ! See the RESTRICTION_CLASS_README document for other examples. > > !

        > > > > *************** > > *** 14470,14494 **** > > > > !
        smtpd_tls_ciphers > > ! (default: export)
        > > ! > > !

        The minimum TLS cipher grade that the Postfix SMTP server > > ! will use with opportunistic TLS encryption. Cipher types listed in > > ! smtpd_tls_exclude_ciphers are excluded from the base definition of > > ! the selected cipher grade. The default value "export" ensures maximum > > ! inter-operability. Because encryption is optional, stronger controls > > ! are not appropriate, and this setting SHOULD NOT be changed unless the > > ! change is essential.

        > > ! > > !

        When TLS is mandatory the cipher grade is chosen via the > > ! smtpd_tls_mandatory_ciphers configuration parameter, see there for syntax > > ! details.

        > > > > !

        Example:

        > > !
        > > ! smtpd_tls_ciphers = export
        > > ! 
        > > > > !

        This feature is available in Postfix 2.6 and later. With earlier Postfix > > ! releases only the smtpd_tls_mandatory_ciphers parameter is implemented, > > ! and opportunistic TLS always uses "export" or better (i.e. all) ciphers.

        > > > > --- 11197,11213 ---- > > > > !
        smtpd_sasl_application_name > > ! (default: smtpd)
        > > > > !

        > > ! The application name that the Postfix SMTP server uses for SASL > > ! server initialization. This > > ! controls the name of the SASL configuration file. The default value > > ! is smtpd, corresponding to a SASL configuration file named > > ! smtpd.conf. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.1 and 2.2. With Postfix 2.3 > > ! it was renamed to smtpd_sasl_path. > > !

        > > > > *************** > > *** 14497,14514 **** > > > > !
        smtpd_tls_dcert_file > > ! (default: empty)
        > > > > !

        File with the Postfix SMTP server DSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP server private DSA key.

        > > > > !

        See the discussion under smtpd_tls_cert_file for more details. > >

        > > > > !

        Example:

        > > > >
        > > ! smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
        > >   
        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11216,11250 ---- > > > > !
        smtpd_sasl_auth_enable > > ! (default: no)
        > > > > !

        > > ! Enable SASL authentication in the Postfix SMTP server. By default, > > ! the Postfix SMTP server does not use authentication. > > !

        > > > > !

        > > ! If a remote SMTP client is authenticated, the permit_sasl_authenticated > > ! access restriction can be used to permit relay access, like this: > >

        > > > > !
        > > !
        > > ! smtpd_recipient_restrictions =
        > > !     permit_mynetworks, permit_sasl_authenticated, ...
        > > ! 
        > > !
        > > ! > > !

        To reject all SMTP connections from unauthenticated clients, > > ! specify "smtpd_delay_reject = yes" (which is the default) and use: > > !

        > > > > +
        > >
        > > ! smtpd_client_restrictions = permit_sasl_authenticated, reject
        > >   
        > > +
        > > > > !

        > > ! See the SASL_README file for SASL configuration and operation details. > > !

        > > > > *************** > > *** 14517,14546 **** > > > > !
        smtpd_tls_dh1024_param_file > > (default: empty)
        > > > > !

        File with DH parameters that the Postfix SMTP server should > > ! use with EDH ciphers.

        > > > > !

        Instead of using the exact same parameter sets as distributed > > ! with other TLS packages, it is more secure to generate your own > > ! set of parameters with something like the following command:

        > > > > !
        > > !
        > > ! openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
        > > ! 
        > > !
        > > > > !

        Your actual source for entropy may differ. Some systems have > > ! /dev/random; on other system you may consider using the "Entropy > > ! Gathering Daemon EGD", available at http://egd.sourceforge.net/ > >

        > > > > -

        Example:

        > > - > >
        > > ! smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        > >   
        > > > > !

        This feature is available with Postfix version 2.2.

        > > > > --- 11253,11309 ---- > > > > !
        smtpd_sasl_authenticated_header > > ! (default: no)
        > > ! > > !

        Report the SASL authenticated user name in the smtpd(8) Received > > ! message header.

        > > ! > > !

        This feature is available in Postfix 2.3 and later.

        > > ! > > ! > > !
        > > ! > > !
        smtpd_sasl_exceptions_networks > > (default: empty)
        > > > > !

        > > ! What remote SMTP clients the Postfix SMTP server will not offer > > ! AUTH support to. > > !

        > > > > !

        > > ! Some clients (Netscape 4 at least) have a bug that causes them to > > ! require a login and password whenever AUTH is offered, whether it's > > ! necessary or not. To work around this, specify, for example, > > ! $mynetworks to prevent Postfix from offering AUTH to local clients. > > !

        > > > > !

        > > ! Specify a list of network/netmask patterns, separated by commas > > ! and/or whitespace. The mask specifies the number of bits in the > > ! network part of a host address. You can also "/file/name" or > > ! "type:table" patterns. A "/file/name" pattern is replaced by its > > ! contents; a "type:table" lookup table is matched when a table entry > > ! matches a lookup string (the lookup result is ignored). Continue > > ! long lines by starting the next line with whitespace. Specify > > ! "!pattern" to exclude an address or network block from the list. > > ! The form "!/file/name" is supported only in Postfix version 2.4 and > > ! later.

        > > ! > > !

        Note: IP version 6 address information must be specified inside > > ! [] in the smtpd_sasl_exceptions_networks value, and in > > ! files specified with "/file/name". IP version 6 addresses contain > > ! the ":" character, and would otherwise be confused with a "type:table" > > ! pattern.

        > > > > !

        > > ! Example: > >

        > > > >
        > > ! smtpd_sasl_exceptions_networks = $mynetworks
        > >   
        > > > > !

        > > ! This feature is available in Postfix 2.1 and later. > > !

        > > > > *************** > > *** 14549,14567 **** > > > > !
        smtpd_tls_dh512_param_file > > (default: empty)
        > > > > !

        File with DH parameters that the Postfix SMTP server should > > ! use with EDH ciphers.

        > > > > !

        See also the discussion under the smtpd_tls_dh1024_param_file > > ! configuration parameter.

        > > > > !

        Example:

        > > > >
        > > ! smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
        > >   
        > > > > -

        This feature is available with Postfix version 2.2.

        > > - > > > > --- 11312,11334 ---- > > > > !
        smtpd_sasl_local_domain > > (default: empty)
        > > > > !

        > > ! The name of the Postfix SMTP server's local SASL authentication > > ! realm. > > !

        > > > > !

        > > ! By default, the local authentication realm name is the null string. > > !

        > > > > !

        > > ! Examples: > > !

        > > > >
        > > ! smtpd_sasl_local_domain = $mydomain
        > > ! smtpd_sasl_local_domain = $myhostname
        > >   
        > > > > > > *************** > > *** 14569,14583 **** > > > > !
        smtpd_tls_dkey_file > > ! (default: $smtpd_tls_dcert_file)
        > > ! > > !

        File with the Postfix SMTP server DSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP server DSA certificate > > ! file specified with $smtpd_tls_dcert_file.

        > > > > !

        The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11336,11348 ---- > > > > !
        smtpd_sasl_path > > ! (default: smtpd)
        > > > > !

        Implementation-specific information that the Postfix SMTP server > > ! passes through to > > ! the SASL plug-in implementation that is selected with > > ! smtpd_sasl_type. Typically this specifies the name of a > > ! configuration file or rendezvous point.

        > > > > !

        This feature is available in Postfix 2.3 and later. In earlier > > ! releases it was called smtpd_sasl_application_name.

        > > > > *************** > > *** 14586,14650 **** > > > > !
        smtpd_tls_eccert_file > > ! (default: empty)
        > > ! > > !

        File with the Postfix SMTP server ECDSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP server private ECDSA key.

        > > ! > > !

        See the discussion under smtpd_tls_cert_file for more details.

        > > ! > > !

        Example:

        > > > > !
        > > ! smtpd_tls_eccert_file = /etc/postfix/ecdsa-scert.pem
        > > ! 
        > > > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > > > !
        > > > > !
        smtpd_tls_eckey_file > > ! (default: $smtpd_tls_eccert_file)
        > > > > !

        File with the Postfix SMTP server ECDSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP server ECDSA certificate > > ! file specified with $smtpd_tls_eccert_file.

        > > > > !

        The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

        > > > > !

        This feature is available in Postfix 2.6 and later, when Postfix is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > > > !
        > > > > !
        smtpd_tls_eecdh_grade > > ! (default: see "postconf -d" output)
        > > > > !

        The Postfix SMTP server security grade for ephemeral elliptic-curve > > ! Diffie-Hellman (EECDH) key exchange.

        > > > > !

        The available choices are:

        > > > > !
        > > > > !
        none
        Don't use EECDH. Ciphers based on EECDH key > > ! exchange will be disabled. This is the default in Postfix versions > > ! 2.6 and 2.7.
        > > ! > > !
        strong
        Use EECDH with approximately 128 > > ! bits of security at a reasonable computational cost. This is the > > ! current best-practice trade-off between security and computational > > ! efficiency. This is the default in Postfix version 2.8 and later. > >
        > > > > !
        ultra
        Use EECDH with approximately 192 bits of > > ! security at computational cost that is approximately twice as high > > ! as 128 bit strength ECC. Barring significant progress in attacks on > > ! elliptic curve crypto-systems, the "strong" curve is sufficient for most > > ! users.
        > > > > --- 11351,11400 ---- > > > > !
        smtpd_sasl_security_options > > ! (default: noanonymous)
        > > > > !

        Postfix SMTP server SASL security options; as of Postfix 2.3 > > ! the list of available > > ! features depends on the SASL server implementation that is selected > > ! with smtpd_sasl_type.

        > > > > !

        The following security features are defined for the cyrus > > ! server SASL implementation:

        > > > > +

        > > + Restrict what authentication mechanisms the Postfix SMTP server > > + will offer to the client. The list of available authentication > > + mechanisms is system dependent. > > +

        > > > > !

        > > ! Specify zero or more of the following: > > !

        > > > > !
        > > > > !
        noplaintext
        > > > > !
        Disallow methods that use plaintext passwords.
        > > > > !
        noactive
        > > > > +
        Disallow methods subject to active (non-dictionary) attack.
        > > > > !
        nodictionary
        > > > > !
        Disallow methods subject to passive (dictionary) attack.
        > > > > !
        noanonymous
        > > > > !
        Disallow methods that allow anonymous authentication.
        > > > > !
        forward_secrecy
        > > > > !
        Only allow methods that support forward secrecy (Dovecot only). > >
        > > > > !
        mutual_auth
        > > ! > > !
        Only allow methods that provide mutual authentication (not available > > ! with Cyrus SASL version 1).
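Review bot: the smtpd_sasl_security_options list contradicts its own introduction. The lead sentence says "The following security features are defined for the cyrus server SASL implementation", yet the list includes "forward_secrecy ... (Dovecot only)" and "mutual_auth ... (not available with Cyrus SASL version 1)"; since the paragraph above it already says the feature set "depends on the SASL server implementation that is selected with smtpd_sasl_type", the introduction should say the list covers both plug-ins and mark each option's availability, or the Dovecot-only entry should be separated out. On the old side, the smtpd_tls_eecdh_grade entry is consistent: "none" as the default for 2.6 and 2.7 and "strong" for 2.8 and later is exactly what a reader needs when a 2.6 or 2.7 server negotiates no EECDH ciphers.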
        > > > > *************** > > *** 14652,14690 **** > > > > !

        This feature is available in Postfix 2.6 and later, when it is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > > > !
        > > > > !
        smtpd_tls_exclude_ciphers > > ! (default: empty)
        > > > > -

        List of ciphers or cipher types to exclude from the SMTP server > > - cipher list at all TLS security levels. Excluding valid ciphers > > - can create interoperability problems. DO NOT exclude ciphers unless it > > - is essential to do so. This is not an OpenSSL cipherlist; it is a simple > > - list separated by whitespace and/or commas. The elements are a single > > - cipher, or one or more "+" separated cipher properties, in which case > > - only ciphers matching all the properties are excluded.

        > > > > !

        Examples (some of these will cause problems):

        > > > > !
        > > !
        > > ! smtpd_tls_exclude_ciphers = aNULL
        > > ! smtpd_tls_exclude_ciphers = MD5, DES
        > > ! smtpd_tls_exclude_ciphers = DES+MD5
        > > ! smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
        > > ! smtpd_tls_exclude_ciphers = kEDH+aRSA
        > > ! 
        > > !
        > > > > !

        The first setting disables anonymous ciphers. The next setting > > ! disables ciphers that use the MD5 digest algorithm or the (single) DES > > ! encryption algorithm. The next setting disables ciphers that use MD5 and > > ! DES together. The next setting disables the two ciphers "AES256-SHA" > > ! and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > > ! key exchange with RSA authentication.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > --- 11402,11435 ---- > > > > !

        > > ! By default, the Postfix SMTP server accepts plaintext passwords but > > ! not anonymous logins. > > !

        > > > > +

        > > + Warning: it appears that clients try authentication methods in the > > + order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) > > + which means that if you disable plaintext passwords, clients will > > + log in anonymously, even when they should be able to use CRAM-MD5. > > + So, if you disable plaintext logins, disable anonymous logins too. > > + Postfix treats anonymous login as no authentication. > > +

        > > > > !

        > > ! Example: > > !

        > > > > !
        > > ! smtpd_sasl_security_options = noanonymous, noplaintext
        > > ! 
        > > > > > > !
        > > > > !
        smtpd_sasl_tls_security_options > > ! (default: $smtpd_sasl_security_options)
        > > > > !

        The SASL authentication security options that the Postfix SMTP > > ! server uses for TLS encrypted SMTP sessions.

        > > > > !

        This feature is available in Postfix 2.2 and later.
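Review bot: the example "smtpd_sasl_security_options = noanonymous, noplaintext" needs a companion line, because the next entry shows smtpd_sasl_tls_security_options defaulting to $smtpd_sasl_security_options. As written, noplaintext also disables PLAIN and LOGIN inside TLS sessions, which are the mechanisms most mail clients rely on, so the usual configuration is noplaintext on the unencrypted path together with "smtpd_sasl_tls_security_options = noanonymous" for sessions that are already encrypted; the example should show both lines. The warning that clients try mechanisms in the advertised order and may fall back to ANONYMOUS is the reason noanonymous must accompany noplaintext and is correctly stated.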

        > > > > *************** > > *** 14693,14775 **** > > > > !
        smtpd_tls_fingerprint_digest > > ! (default: md5)
        > > > > !

        The message digest algorithm to construct remote SMTP > > ! client-certificate > > ! fingerprints or public key fingerprints (Postfix 2.9 and later) > > ! for check_ccert_access and permit_tls_clientcerts. The > > ! default algorithm is md5, for backwards compatibility with Postfix > > ! releases prior to 2.5.

        > > > > !

        Advances in hash > > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > > ! However, as long as there are no known "second pre-image" attacks > > ! against md5, its use in this context can still be considered safe. > > !

        > > > > -

        While additional digest algorithms are often available with OpenSSL's > > - libcrypto, only those used by libssl in SSL cipher suites are available to > > - Postfix.

        > > > > !

        To find the fingerprint of a specific certificate file, with a > > ! specific digest algorithm, run:

        > > > > !
        > > !
        > > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
        > > ! 
        > > !
        > > > > !

        The text to the right of "=" sign is the desired fingerprint. > > ! For example:

        > > > > !
        > > !
        > > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
        > > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
        > > ! 
        > > !
        > > > > !

        Public key fingerprints are more difficult to extract, however, > > ! the SHA-1 public key fingerprint is often present as the value of the > > ! "Subject Key Identifier" extension in X.509v3 certificates. The Postfix > > ! SMTP server and client log the peer certificate fingerprint and public > > ! key fingerprint when TLS loglevel is 1 or higher.

        > > > > !

        Example: client-certificate access table, with sha1 fingerprints:

        > > > > !
        > > !
        > > ! /etc/postfix/main.cf:
        > > !     smtpd_tls_fingerprint_digest = sha1
        > > !     smtpd_client_restrictions =
        > > !         check_ccert_access hash:/etc/postfix/access,
        > > !         reject
        > > ! 
        > > !
        > > ! /etc/postfix/access:
        > > !     # Action folded to next line...
        > > !     AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
        > > !         OK
        > > !     85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
        > > !         permit_auth_destination
        > > ! 
        > > !
        > > > > !

        This feature is available in Postfix 2.5 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_key_file > > ! (default: $smtpd_tls_cert_file)
        > > > > !

        File with the Postfix SMTP server RSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP server RSA certificate > > ! file specified with $smtpd_tls_cert_file.

        > > > > !

        The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted. File permissions should grant read-only > > ! access to the system superuser account ("root"), and no access > > ! to anyone else.

        > > > > --- 11438,11487 ---- > > > > !
        smtpd_sasl_type > > ! (default: cyrus)
        > > > > !

        The SASL plug-in type that the Postfix SMTP server should use > > ! for authentication. The available types are listed with the > > ! "postconf -a" command.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        smtpd_sender_login_maps > > ! (default: empty)
        > > > > !

        > > ! Optional lookup table with the SASL login names that own sender > > ! (MAIL FROM) addresses. > > !

        > > > > !

        > > ! Specify zero or more "type:table" lookup tables. With lookups from > > ! indexed files such as DB or DBM, or from networked tables such as > > ! NIS, LDAP or SQL, the following search operations are done with a > > ! sender address of user at domain:

        > > > > !
        > > > > !
        1) user at domain
        > > > > !
        This table lookup is always done and has the highest precedence.
        > > > > !
        2) user
        > > > > +
        This table lookup is done only when the domain part of the > > + sender address matches $myorigin, $mydestination, $inet_interfaces > > + or $proxy_interfaces.
        > > > > !
        3) @domain
        > > > > !
        This table lookup is done last and has the lowest precedence.
        > > > > !
        > > > > !

        > > ! In all cases the result of table lookup must be either "not found" > > ! or a list of SASL login names separated by comma and/or whitespace. > > !
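Review bot: the smtpd_tls_fingerprint_digest example sets "smtpd_tls_fingerprint_digest = sha1" explicitly, and the entry should say that this is required rather than stylistic. The default is md5, so an access table built from "openssl x509 -noout -fingerprint -sha1" output will never match when the parameter is left at its default; with the example's trailing "reject" that mismatch silently refuses every client certificate instead of failing loudly. In the generic command "openssl x509 -noout -fingerprint -digest -in certfile.pem" the "-digest" token is a placeholder for the actual option (-md5, -sha1, ...) whose italic markup was lost in this rendering, and should be marked as such. The second pre-image argument for keeping md5 is narrowly true for matching an existing table entry, but since the same entry already recommends sha1, stating the mismatch trap next to the default is the minimum change.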

        > > > > *************** > > *** 14778,14936 **** > > > > !
        smtpd_tls_loglevel > > ! (default: 0)
        > > > > !

        Enable additional Postfix SMTP server logging of TLS activity. > > ! Each logging level also includes the information that is logged at > > ! a lower logging level.

        > > > > !
        > > > > !
        0 Log only a summary message on TLS handshake completion > > ! — no logging of remote SMTP client certificate trust-chain verification > > ! errors > > ! if client certificate verification is not required. With Postfix 2.8 > > ! and earlier, disable logging of TLS activity.
        > > ! > > !
        1 Also log trust-chain verification errors and peer > > ! certificate name and issuer. With Postfix 2.8 and earlier, log TLS > > ! handshake and certificate information.
        > > > > !
        2 Also log levels during TLS negotiation.
        > > > > !
        3 Also log hexadecimal and ASCII dump of TLS negotiation > > ! process.
        > > > > !
        4 Also log hexadecimal and ASCII dump of complete > > ! transmission after STARTTLS.
        > > > > !
        > > > > !

        Do not use "smtpd_tls_loglevel = 2" or higher except in case > > ! of problems. Use of loglevel 4 is strongly discouraged.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_mandatory_ciphers > > ! (default: medium)
        > > > > !

        The minimum TLS cipher grade that the Postfix SMTP server will > > ! use with mandatory TLS encryption. The default grade ("medium") is > > ! sufficiently strong that any benefit from globally restricting TLS > > ! sessions to a more stringent grade is likely negligible, especially > > ! given the fact that many implementations still do not offer any stronger > > ! ("high" grade) ciphers, while those that do, will always use "high" > > ! grade ciphers. So insisting on "high" grade ciphers is generally > > ! counter-productive. Allowing "export" or "low" ciphers is typically > > ! not a good idea, as systems limited to just these are limited to > > ! obsolete browsers. No known SMTP clients fail to support at least > > ! one "medium" or "high" grade cipher.

        > > > > !

        The following cipher grades are supported:

        > > > > !
        > > !
        export
        > > !
        Enable "EXPORT" grade or stronger OpenSSL ciphers. > > ! This is the most appropriate setting for public MX hosts, and is always > > ! used with opportunistic TLS encryption. The underlying cipherlist > > ! is specified via the tls_export_cipherlist configuration parameter, > > ! which you are strongly encouraged to not change.
        > > > > !
        low
        > > !
        Enable "LOW" grade or stronger OpenSSL ciphers. The > > ! underlying cipherlist is specified via the tls_low_cipherlist > > ! configuration parameter, which you are strongly encouraged to > > ! not change.
        > > > > !
        medium
        > > !
        Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit > > ! or longer symmetric bulk-encryption keys. This is the default minimum > > ! strength for mandatory TLS encryption. The underlying cipherlist is > > ! specified via the tls_medium_cipherlist configuration parameter, which > > ! you are strongly encouraged to not change.
        > > > > !
        high
        > > !
        Enable only "HIGH" grade OpenSSL ciphers. The > > ! underlying cipherlist is specified via the tls_high_cipherlist > > ! configuration parameter, which you are strongly encouraged to > > ! not change.
        > > > > !
        null
        > > !
        Enable only the "NULL" OpenSSL ciphers, these provide authentication > > ! without encryption. This setting is only appropriate in the rare > > ! case that all clients are prepared to use NULL ciphers (not normally > > ! enabled in TLS clients). The underlying cipherlist is specified via the > > ! tls_null_cipherlist configuration parameter, which you are strongly > > ! encouraged to not change.
        > > > > !
        > > > > !

        Cipher types listed in > > ! smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are > > ! excluded from the base definition of the selected cipher grade. See > > ! smtpd_tls_ciphers for cipher controls that apply to opportunistic > > ! TLS.

        > > > > !

        The underlying cipherlists for grades other than "null" include > > ! anonymous ciphers, but these are automatically filtered out if the > > ! server is configured to ask for remote SMTP client certificates. You are very > > ! unlikely to need to take any steps to exclude anonymous ciphers, they > > ! are excluded automatically as required. If you must exclude anonymous > > ! ciphers even when Postfix does not need or use peer certificates, set > > ! "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers only > > ! when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = aNULL".

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_mandatory_exclude_ciphers > > ! (default: empty)
        > > > > !

        Additional list of ciphers or cipher types to exclude from the > > ! Postfix SMTP server cipher list at mandatory TLS security levels. > > ! This list > > ! works in addition to the exclusions listed with smtpd_tls_exclude_ciphers > > ! (see there for syntax details).

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_mandatory_protocols > > ! (default: SSLv3, TLSv1)
        > > > > !

        The SSL/TLS protocols accepted by the Postfix SMTP server with > > ! mandatory TLS encryption. If the list is empty, the server supports all > > ! available SSL/TLS protocol versions. A non-empty value is a list > > ! of protocol > > ! names separated by whitespace, commas or colons. The supported protocol > > ! names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

        > > > > !

        With Postfix ≥ 2.5 the parameter syntax is expanded to support > > ! protocol exclusions. One can now explicitly exclude SSLv2 by setting > > ! "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > > ! SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > > ! the protocols to include, rather than protocols to exclude, is still > > ! supported, use the form you find more intuitive.

        > > > > !

        Since SSL version 2 has known protocol weaknesses and is now > > ! deprecated, the default setting excludes "SSLv2". This means that > > ! by default, SSL version 2 will not be used at the "encrypt" security > > ! level.

        > > > > !

        Example:

        > > > >
        > > ! smtpd_tls_mandatory_protocols = TLSv1
        > > ! # Alternative form with Postfix ≥ 2.5:
        > > ! smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        > >   
        > > > > -

        This feature is available in Postfix 2.3 and later.

        > > - > > > > --- 11490,11641 ---- > > > > !
        smtpd_sender_restrictions > > ! (default: empty)
        > > > > !

        > > ! Optional restrictions that the Postfix SMTP server applies in the > > ! context of the MAIL FROM command. > > !

        > > > > !

        > > ! The default is to permit everything. > > !

        > > > > !

        > > ! Specify a list of restrictions, separated by commas and/or whitespace. > > ! Continue long lines by starting the next line with whitespace. > > ! Restrictions are applied in the order as specified; the first > > ! restriction that matches wins. > > !

        > > > > !

        > > ! The following restrictions are specific to the sender address > > ! received with the MAIL FROM command. > > !

        > > > > !
        > > > > !
        check_sender_access type:table
        > > > > !
        Search the specified access(5) database for the MAIL FROM > > ! address, domain, parent domains, or localpart@, and execute the > > ! corresponding action.
        > > > > !
        check_sender_mx_access type:table
        > > > > !
        Search the specified access(5) database for the MX hosts for > > ! the MAIL FROM address, and execute the corresponding action. Note: > > ! a result of "OK" is not allowed for safety reasons. Instead, use > > ! DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > +
        check_sender_ns_access type:table
        > > > > !
        Search the specified access(5) database for the DNS servers > > ! for the MAIL FROM address, and execute the corresponding action. > > ! Note: a result of "OK" is not allowed for safety reasons. Instead, > > ! use DUNNO in order to exclude specific hosts from blacklists. This > > ! feature is available in Postfix 2.1 and later.
        > > > > !
        reject_authenticated_sender_login_mismatch
        > > > > !
        Enforces the reject_sender_login_mismatch restriction for > > ! authenticated clients only. This feature is available in > > ! Postfix version 2.1 and later.
        > > > > !
        reject_non_fqdn_sender
        > > > > !
        Reject the request when the MAIL FROM address is not in > > ! fully-qualified domain form, as required by the RFC.
        The > > ! non_fqdn_reject_code parameter specifies the response code to > > ! rejected requests (default: 504).
        > > > > !
        reject_rhsbl_sender rbl_domain=d.d.d.d
        > > > > !
        Reject the request when the MAIL FROM domain is listed with > > ! the A record "d.d.d.d" under rbl_domain (Postfix > > ! version 2.1 and later only). If no "=d.d.d.d" is specified, > > ! reject the request when the MAIL FROM domain is > > ! listed with any A record under rbl_domain.
        The > > ! maps_rbl_reject_code parameter specifies the response code for > > ! rejected requests (default: 554); the default_rbl_reply parameter > > ! specifies the default server reply; and the rbl_reply_maps parameter > > ! specifies tables with server replies indexed by rbl_domain. > > ! This feature is available in Postfix 2.0 and later.
        > > > > !
        reject_sender_login_mismatch
        > > > > !
        Reject the request when $smtpd_sender_login_maps specifies an > > ! owner for the MAIL FROM address, but the client is not (SASL) logged > > ! in as that MAIL FROM address owner; or when the client is (SASL) > > ! logged in, but the client login name doesn't own the MAIL FROM > > ! address according to $smtpd_sender_login_maps.
        > > > > !
        reject_unauthenticated_sender_login_mismatch
        > > > > !
        Enforces the reject_sender_login_mismatch restriction for > > ! unauthenticated clients only. This feature is available in > > ! Postfix version 2.1 and later.
        > > > > !
        reject_unknown_sender_domain
        > > > > !
        Reject the request when Postfix is not final destination for > > ! the sender address, and the MAIL FROM address has no DNS A or MX > > ! record, or when it has a malformed MX record such as a record with > > ! a zero-length MX hostname (Postfix version 2.3 and later).
        The > > ! unknown_address_reject_code parameter specifies the response code > > ! for rejected requests (default: 450). The response is always 450 > > ! in case of a temporary DNS error.
        > > > > +
        reject_unlisted_sender
        > > > > !
        Reject the request when the MAIL FROM address is not listed in > > ! the list of valid recipients for its domain class. See the > > ! smtpd_reject_unlisted_sender parameter description for details. > > ! This feature is available in Postfix 2.1 and later.
        > > > > !
        reject_unverified_sender
        > > > > !
        Reject the request when mail to the MAIL FROM address is known to > > ! bounce, or when the sender address destination is not reachable. > > ! Address verification information is managed by the verify(8) server; > > ! see the ADDRESS_VERIFICATION_README file for details.
        The > > ! unverified_sender_reject_code parameter specifies the response when > > ! an address is known to bounce (default: 450, change into 550 when > > ! you are confident that it is safe to do so). The > > ! unverified_sender_defer_code specifies the response when an address > > ! address probe failed due to a temporary problem (default: 450). > > ! This feature is available in Postfix 2.1 and later.
        > > > > !
        > > > > +

        > > + Other restrictions that are valid in this context: > > +

        > > > > ! > > > > !

        > > ! Examples: > > !

        > > > >
        > > ! smtpd_sender_restrictions = reject_unknown_sender_domain
        > > ! smtpd_sender_restrictions = reject_unknown_sender_domain,
        > > !     check_sender_access hash:/etc/postfix/access
        > >   
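Review bot: the old side of this hunk is the smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_exclude_ciphers and smtpd_tls_mandatory_protocols entries, while the new side (`--- 11490,11641 ----`) is the smtpd_sender_restrictions entry, so the `!` markers record a line-number shift between the two copies of postconf.5.html rather than an edit to either entry, and the same offset runs through every following hunk. Regenerating the update notice per parameter entry (diffing each `name (default: ...)` block against the block with the same name in the other file) would show which descriptions actually changed instead of pairing unrelated text.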
        > > > > > > *************** > > *** 14938,14983 **** > > > > !
        smtpd_tls_protocols > > ! (default: empty)
        > > ! > > !

        List of TLS protocols that the Postfix SMTP server will exclude > > ! or include with opportunistic TLS encryption. This parameter SHOULD be > > ! left at its default empty value, allowing all protocols to be used with > > ! opportunistic TLS.

        > > ! > > !

        In main.cf the values are separated by whitespace, commas or > > ! colons. An empty value means allow all protocols. The valid protocol > > ! names, (see SSL_get_version(3)), are "SSLv2", "SSLv3" and > > ! "TLSv1". In smtp_tls_policy_maps table entries, "protocols" attribute > > ! values are separated by a colon.

        > > ! > > !

        To include a protocol list its name, to exclude it, prefix the name > > ! with a "!" character. To exclude SSLv2 even for opportunistic TLS set > > ! "smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set > > ! "smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to > > ! include, is supported, but not recommended. OpenSSL provides no mechanisms > > ! for excluding protocols not known at compile-time. If Postfix is linked > > ! against an OpenSSL library that supports additional protocol versions, > > ! they cannot be excluded using either syntax.

        > > ! > > !

        Example:

        > > !
        > > ! smtpd_tls_protocols = !SSLv2
        > > ! 
        > > ! > > !

        This feature is available in Postfix 2.6 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_received_header > > ! (default: no)
        > > > > !

        Request that the Postfix SMTP server produces Received: message > > ! headers that include information about the protocol and cipher used, > > ! as well as the remote SMTP client CommonName and client certificate issuer > > ! CommonName. This is disabled by default, as the information may > > ! be modified in transit through other mail servers. Only information > > ! that was recorded by the final destination can be trusted.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11643,11662 ---- > > > > !
        smtpd_soft_error_limit > > ! (default: 10)
        > > > > +

        > > + The number of errors a remote SMTP client is allowed to make without > > + delivering mail before the Postfix SMTP server slows down all its > > + responses. > > +

        > > > > !
          > > > > !
        • With Postfix version 2.1 and later, the Postfix SMTP server > > ! delays all responses by $smtpd_error_sleep_time seconds.

          > > > > !
        • With Postfix versions 2.0 and earlier, the Postfix SMTP > > ! server delays all responses by (number of errors) seconds.

          > > > > !
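Review bot: the smtpd_tls_protocols text on the old side says "In smtp_tls_policy_maps table entries, "protocols" attribute values are separated by a colon"; smtp_tls_policy_maps is a Postfix SMTP client parameter, so that sentence belongs in the smtp_tls_protocols entry and should be dropped from the server-side smtpd_tls_protocols entry, where it can only confuse an administrator looking for a server-side policy table. The new side (smtpd_soft_error_limit) is again an unrelated entry aligned by position.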
        > > > > *************** > > *** 14986,14996 **** > > > > !
        smtpd_tls_req_ccert > > ! (default: no)
        > > ! > > !

        With mandatory TLS encryption, require a trusted remote SMTP client > > ! certificate in order to allow TLS connections to proceed. This > > ! option implies "smtpd_tls_ask_ccert = yes".

        > > > > !

        When TLS encryption is optional, this setting is ignored with > > ! a warning written to the mail log.

        > > > > --- 11665,11671 ---- > > > > !
        smtpd_starttls_timeout > > ! (default: 300s)
        > > > > !

        The time limit for Postfix SMTP server write and read operations > > ! during TLS startup and shutdown handshake procedures.

        > > > > *************** > > *** 15001,15043 **** > > > > !
        smtpd_tls_security_level > > ! (default: empty)
        > > ! > > !

        The SMTP TLS security level for the Postfix SMTP server; when > > ! a non-empty value is specified, this overrides the obsolete parameters > > ! smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with > > ! "smtpd_tls_wrappermode = yes".

        > > > > !

        Specify one of the following security levels:

        > > > > !
        > > > > !
        none
        TLS will not be used.
        > > > > -
        may
        Opportunistic TLS: announce STARTTLS support > > - to remote SMTP clients, but do not require that clients use TLS encryption. > > -
        > > > > !
        encrypt
        Mandatory TLS encryption: announce > > ! STARTTLS support to remote SMTP clients, and require that clients use TLS > > ! encryption. According to RFC 2487 this MUST NOT be applied in case > > ! of a publicly-referenced SMTP server. Instead, this option should > > ! be used only on dedicated servers.
        > > > > !
        > > > > !

        Note 1: the "fingerprint", "verify" and "secure" levels are not > > ! supported here. > > ! The Postfix SMTP server logs a warning and uses "encrypt" instead. > > ! To verify remote SMTP client certificates, see TLS_README for a discussion > > ! of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts > > ! features.

        > > > > !

        Note 2: The parameter setting "smtpd_tls_security_level = > > ! encrypt" implies "smtpd_tls_auth_only = yes".

        > > > > !

        Note 3: when invoked via "sendmail -bs", Postfix will never > > ! offer STARTTLS due to insufficient privileges to access the server > > ! private key. This is intended behavior.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > --- 11676,11715 ---- > > > > !
        smtpd_timeout > > ! (default: 300s)
        > > > > !

        > > ! The time limit for sending a Postfix SMTP server response and for > > ! receiving a remote SMTP client request. > > !

        > > > > !

        > > ! Note: if you set SMTP time limits to very large values you may have > > ! to update the global ipc_timeout parameter. > > !

        > > > > !

        > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

        > > > > > > !
        > > > > !
        smtpd_tls_CAfile > > ! (default: empty)
        > > > > !

        The file with the certificate of the certification authority > > ! (CA) that issued the Postfix SMTP server certificate. This is > > ! needed only when the CA certificate is not already present in the > > ! server certificate file. This file may also contain the CA > > ! certificates of other trusted CAs. You must use this file for the > > ! list of trusted CAs if you want to use chroot-mode.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_CAfile = /etc/postfix/CAcert.pem
        > > ! 
        > > > > !

        This feature is available in Postfix 2.2 and later.
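Review bot: the smtpd_tls_CAfile description says the file "may also contain the CA certificates of other trusted CAs" without saying what that trust means for the server; the smtpd_tls_cert_file entry later in this patch spells out that CAs added to smtpd_tls_CAfile are the ones whose client certificates will verify, and smtpd_tls_ccert_verifydepth limits how deep such a chain may be. A one-line cross-reference here (for example "CAs listed here are trusted to issue remote SMTP client certificates; see smtpd_tls_ask_ccert and smtpd_tls_ccert_verifydepth") would keep an administrator who adds CAs only to complete the server's own chain from widening the set of accepted client certificates by accident.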

        > > > > *************** > > *** 15046,15072 **** > > > > !
        smtpd_tls_session_cache_database > > (default: empty)
        > > > > !

        Name of the file containing the optional Postfix SMTP server > > ! TLS session cache. Specify a database type that supports enumeration, > > ! such as btree or sdbm; there is no need to support > > ! concurrent access. The file is created if it does not exist. The smtpd(8) > > ! daemon does not use this parameter directly, rather the cache is > > ! implemented indirectly in the tlsmgr(8) daemon. This means that > > ! per-smtpd-instance master.cf overrides of this parameter are not > > ! effective. Note, that each of the cache databases supported by tlsmgr(8) > > ! daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be > > ! stored separately. It is not at this time possible to store multiple > > ! caches in a single database.

        > > ! > > !

        Note: dbm databases are not suitable. TLS > > ! session objects are too large.

        > > ! > > !

        As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file. The file should now be stored under the Postfix-owned > > ! data_directory. As a migration aid, an attempt to open the file > > ! under a non-Postfix directory is redirected to the Postfix-owned > > ! data_directory, and a warning is logged.

        > > ! > >

        Example:

        > > --- 11718,11734 ---- > > > > !
        smtpd_tls_CApath > > (default: empty)
        > > > > !

        Directory with PEM format certificate authority certificates > > ! that the Postfix SMTP server offers to remote SMTP clients for the > > ! purpose of client certificate verification. Do not forget to create > > ! the necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash > > ! /etc/postfix/certs".

        > > ! > > !

        To use this option in chroot mode, this directory (or a copy) > > ! must be inside the chroot jail. Please note that in this case the > > ! CA certificates are not offered to the client, so that e.g. Netscape > > ! clients might not offer certificates issued by them. Use of this > > ! feature is therefore not recommended.

        > > ! > >

        Example:

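Review bot: the smtpd_tls_CApath entry ends with "Use of this feature is therefore not recommended", but the reason given (the CA certificates are not offered to the client, so clients may not present certificates issued by them) is stated only for chroot mode; say whether the recommendation is against CApath in chroot mode or against CApath in general, and point to smtpd_tls_CAfile as the alternative, since the smtpd_tls_CAfile entry in the previous hunk already requires that file for the trusted-CA list in chroot mode.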
        > > *************** > > *** 15074,15076 **** > >
        > > ! smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
        > >   
        > > --- 11736,11738 ---- > >
        > > ! smtpd_tls_CApath = /etc/postfix/certs
        > >   
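Review bot: the example `smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache` hard-codes a path, while the preceding hunk says that since Postfix 2.5 the file should live under the Postfix-owned data_directory and that an open elsewhere is redirected there with a warning; writing the example as `btree:$data_directory/smtpd_scache` (main.cf expands $name references) would match the text and avoid the warning on systems where data_directory is not /var/lib/postfix.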
        > > *************** > > *** 15082,15110 **** > > > > !
        smtpd_tls_session_cache_timeout > > ! (default: 3600s)
        > > ! > > !

        The expiration time of Postfix SMTP server TLS session cache > > ! information. A cache cleanup is performed periodically > > ! every $smtpd_tls_session_cache_timeout seconds. As with > > ! $smtpd_tls_session_cache_database, this parameter is implemented in the > > ! tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides > > ! are not possible.

        > > ! > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_wrappermode > > ! (default: no)
        > > > > !

        Run the Postfix SMTP server in the non-standard "wrapper" mode, > > ! instead of using the STARTTLS command.

        > > > > !

        If you want to support this service, enable a special port in > > ! master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP > > ! server's command line. Port 465 (smtps) was once chosen for this > > ! purpose.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 11744,11769 ---- > > > > !
        smtpd_tls_always_issue_session_ids > > ! (default: yes)
        > > > > +

        Force the Postfix SMTP server to issue a TLS session id, even > > + when TLS session caching is turned off (smtpd_tls_session_cache_database > > + is empty). This behavior is compatible with Postfix < 2.3.

        > > > > !

        With Postfix 2.3 and later the Postfix SMTP server can disable > > ! session id generation when TLS session caching is turned off. This > > ! keeps clients from caching sessions that almost certainly cannot > > ! be re-used.

        > > > > !

        By default, the Postfix SMTP server always generates TLS session > > ! ids. This works around a known defect in mail client applications > > ! such as MS Outlook, and may also prevent interoperability issues > > ! with other MTAs.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_always_issue_session_ids = no
        > > ! 
        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 15113,15126 **** > > > > !
        smtpd_use_tls > > (default: no)
        > > > > !

        Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > > ! but do not require that clients use TLS encryption.

        > > > > !

        Note: when invoked via "sendmail -bs", Postfix will never offer > > ! STARTTLS due to insufficient privileges to access the server private > > ! key. This is intended behavior.

        > > > > !

        This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

        > > > > --- 11772,11786 ---- > > > > !
        smtpd_tls_ask_ccert > > (default: no)
        > > > > !

        Ask a remote SMTP client for a client certificate. This > > ! information is needed for certificate based mail relaying with, > > ! for example, the permit_tls_clientcerts feature.

        > > > > !

        Some clients such as Netscape will either complain if no > > ! certificate is available (for the list of CAs in $smtpd_tls_CAfile) > > ! or will offer multiple client certificates to choose from. This > > ! may be annoying, so this option is "off" by default.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 15129,15148 **** > > > > !
        soft_bounce > > (default: no)
        > > > > !

        > > ! Safety net to keep mail queued that would otherwise be returned to > > ! the sender. This parameter disables locally-generated bounces, > > ! and prevents the Postfix SMTP server from rejecting mail permanently, > > ! by changing 5xx reply codes into 4xx. However, soft_bounce is no > > ! cure for address rewriting mistakes or mail routing mistakes. > > !

        > > ! > > !

        > > ! Example: > > !

        > > > > !
        > > ! soft_bounce = yes
        > > ! 
        > > > > --- 11789,11798 ---- > > > > !
        smtpd_tls_auth_only > > (default: no)
        > > > > !

        When TLS encryption is optional in the Postfix SMTP server, do > > ! not announce or accept SASL authentication over unencrypted > > ! connections.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 15151,15164 **** > > > > !
        stale_lock_time > > ! (default: 500s)
        > > > > !

        > > ! The time after which a stale exclusive mailbox lockfile is removed. > > ! This is used for delivery to file or mailbox. > > !

        > > > > !

        > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

        > > > > --- 11801,11820 ---- > > > > !
        smtpd_tls_ccert_verifydepth > > ! (default: 9)
        > > > > !

        The verification depth for remote SMTP client certificates. A > > ! depth of 1 is sufficient if the issuing CA is listed in a local CA > > ! file.

        > > > > !

        The default verification depth is 9 (the OpenSSL default) for > > ! compatibility with earlier Postfix behavior. Prior to Postfix 2.5, > > ! the default value was 5, but the limit was not actually enforced. If > > ! you have set this to a lower non-default value, certificates with longer > > ! trust chains may now fail to verify. Certificate chains with 1 or 2 > > ! CAs are common, deeper chains are more rare and any number between 5 > > ! and 9 should suffice in practice. You can choose a lower number if, > > ! for example, you trust certificates directly signed by an issuing CA > > ! but not any CAs it delegates to.

        > > ! > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 15167,15194 **** > > > > !
        stress > > (default: empty)
        > > > > !

        This feature is documented in the STRESS_README document.

        > > > > !

        This feature is available in Postfix 2.5 and later.

        > > > > > > !
        > > > > !
        strict_7bit_headers > > ! (default: no)
        > > > > !

        > > ! Reject mail with 8-bit text in message headers. This blocks mail > > ! from poorly written applications. > > !

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it is likely to reject legitimate email. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > --- 11823,11877 ---- > > > > !
        smtpd_tls_cert_file > > (default: empty)
        > > > > !

        File with the Postfix SMTP server RSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP server private RSA key.

        > > > > !

        Public Internet MX hosts without certificates signed by a "reputable" > > ! CA must generate, and be prepared to present to most clients, a > > ! self-signed or private-CA signed certificate. The client will not be > > ! able to authenticate the server, but unless it is running Postfix 2.3 or > > ! similar software, it will still insist on a server certificate.

        > > > > +

        For servers that are not public Internet MX hosts, Postfix > > + 2.3 supports configurations with no certificates. This entails the > > + use of just the anonymous TLS ciphers, which are not supported by > > + typical SMTP clients. Since such clients will not, as a rule, fall > > + back to plain text after a TLS handshake failure, the server will > > + be unable to receive email from TLS enabled clients. To avoid > > + accidental configurations with no certificates, Postfix 2.3 enables > > + certificate-less operation only when the administrator explicitly > > + sets "smtpd_tls_cert_file = none". This ensures that new Postfix > > + configurations will not accidentally run with no certificates.

        > > > > !

        Both RSA and DSA certificates are supported. When both types > > ! are present, the cipher used determines which certificate will be > > ! presented to the client. For Netscape and OpenSSL clients without > > ! special cipher choices the RSA certificate is preferred.

        > > > > !

        In order to verify a certificate, the CA certificate (in case > > ! of a certificate chain, all CA certificates) must be available. > > ! You should add these certificates to the server certificate, the > > ! server certificate first, then the issuing CA(s).

        > > > > !

        Example: the certificate for "server.dom.ain" was issued by > > ! "intermediate CA" which itself has a certificate of "root CA". > > ! Create the server.pem file with "cat server_cert.pem intermediate_CA.pem > > ! root_CA.pem > server.pem".

        > > > > !

        If you also want to verify client certificates issued by these > > ! CAs, you can add the CA certificates to the smtpd_tls_CAfile, in which > > ! case it is not necessary to have them in the smtpd_tls_cert_file or > > ! smtpd_tls_dcert_file.

        > > > > !

        A certificate supplied here must be usable as an SSL server certificate > > ! and hence pass the "openssl verify -purpose sslserver ..." test.

        > > ! > > !

        Example:

        > > ! > > !
        > > ! smtpd_tls_cert_file = /etc/postfix/server.pem
        > > ! 
        > > ! > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 15197,15213 **** > > > > !
        strict_8bitmime > > ! (default: no)
        > > > > !

        > > ! Enable both strict_7bit_headers and strict_8bitmime_body. > > !

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it is likely to reject legitimate email. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > --- 11880,11898 ---- > > > > !
        smtpd_tls_cipherlist > > ! (default: empty)
        > > > > !

        Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS > > ! cipher list. It is easy to create inter-operability problems by choosing > > ! a non-default cipher list. Do not use a non-default TLS cipherlist for > > ! MX hosts on the public Internet. Clients that begin the TLS handshake, > > ! but are unable to agree on a common cipher, may not be able to send any > > ! email to the SMTP server. Using a restricted cipher list may be more > > ! appropriate for a dedicated MSA or an internal mailhub, where one can > > ! exert some control over the TLS software and settings of the connecting > > ! clients.

        > > > > !

        Note: do not use "" quotes around the parameter value.

        > > > > !

        This feature is available with Postfix version 2.2. It is not used with > > ! Postfix 2.3 and later; use smtpd_tls_mandatory_ciphers instead.

        > > > > *************** > > *** 15216,15301 **** > > > > !
        strict_8bitmime_body > > ! (default: no)
        > > ! > > !

        > > ! Reject 8-bit message body text without 8-bit MIME content encoding > > ! information. This blocks mail from poorly written applications. > > !

        > > > > !

        > > ! Unfortunately, this also rejects majordomo approval requests when > > ! the included request contains valid 8-bit MIME mail, and it rejects > > ! bounces from mailers that do not MIME encapsulate 8-bit content > > ! (for example, bounces from qmail or from old versions of Postfix). > > !

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it is likely to reject legitimate email. > >

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > > > !
        > > > > -
        strict_mailbox_ownership > > - (default: yes)
        > > > > !

        Defer delivery when a mailbox file is not owned by its recipient. > > ! The default setting is not backwards compatible.

        > > > > !

        This feature is available in Postfix 2.5.3 and later.

        > > > > > > !
        > > > > !
        strict_mime_encoding_domain > > ! (default: no)
        > > > > !

        > > ! Reject mail with invalid Content-Transfer-Encoding: information > > ! for the message/* or multipart/* MIME content types. This blocks > > ! mail from poorly written software. > >

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it will reject mail after a single violation. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > > > -
        > > > > !
        strict_rfc821_envelopes > > ! (default: no)
        > > > > !

        > > ! Require that addresses received in SMTP MAIL FROM and RCPT TO > > ! commands are enclosed with <>, and that those addresses do > > ! not contain RFC 822 style comments or phrases. This stops mail > > ! from poorly written software. > > !

        > > > > !

        > > ! By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL > > ! FROM and RCPT TO addresses. > > !

        > > > > > > !
        > > > > !
        sun_mailtool_compatibility > > ! (default: no)
        > > > > !

        > > ! Obsolete SUN mailtool compatibility feature. Instead, use > > ! "mailbox_delivery_lock = dotlock". > > !

        > > > > --- 11901,11970 ---- > > > > !
        smtpd_tls_dcert_file > > ! (default: empty)
        > > > > !

        File with the Postfix SMTP server DSA certificate in PEM format. > > ! This file may also contain the Postfix SMTP server private DSA key.

        > > > > !

        See the discussion under smtpd_tls_cert_file for more details. > >

        > > > > !

        Example:

        > > > > +
        > > + smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
        > > + 
        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_dh1024_param_file > > ! (default: empty)
        > > > > +

        File with DH parameters that the Postfix SMTP server should > > + use with EDH ciphers.

        > > > > !

        Instead of using the exact same parameter sets as distributed > > ! with other TLS packages, it is more secure to generate your own > > ! set of parameters with something like the following command:

        > > > > !
        > > !
        > > ! openssl gendh -out /etc/postfix/dh_1024.pem -2 1024
        > > ! 
        > > !
        > > > > !

        Your actual source for entropy may differ. Some systems have > > ! /dev/random; on other system you may consider using the "Entropy > > ! Gathering Daemon EGD", available at http://egd.sourceforge.net/ > >

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
        > > ! 
        > > > > +

        This feature is available with Postfix version 2.2.

        > > > > > > !
        > > > > !
        smtpd_tls_dh512_param_file > > ! (default: empty)
        > > > > !

        File with DH parameters that the Postfix SMTP server should > > ! use with EDH ciphers.

        > > > > +

        See also the discussion under the smtpd_tls_dh1024_param_file > > + configuration parameter.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
        > > ! 
        > > > > !

        This feature is available with Postfix version 2.2.
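Review bot: the two sides of this hunk do not describe the same parameters (the old side runs from strict_mailbox_ownership to sun_mailtool_compatibility, the new side `--- 11901,11970 ----` from smtpd_tls_dcert_file to smtpd_tls_dh512_param_file), so the `!` markers do not identify real edits and the change to any single parameter cannot be reviewed from this diff; regenerate it with the two files aligned by parameter name, or review the new text on its own. On the new text: smtpd_tls_dh1024_param_file and smtpd_tls_dh512_param_file carry the identical description "File with DH parameters that the Postfix SMTP server should use with EDH ciphers", which leaves the reader no way to tell when the 512-bit set is used and when the 1024-bit set is used; one sentence in each entry naming the cipher grade it serves would fix that. The availability sentences are also inconsistent within the hunk: "available with Postfix version 2.2" here versus "available in Postfix 2.2 and later" under smtpd_tls_dcert_file.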

        > > > > *************** > > *** 15304,15358 **** > > > > !
        swap_bangpath > > ! (default: yes)
        > > ! > > !

        > > ! Enable the rewriting of "site!user" into "user at site". This is > > ! necessary if your machine is connected to UUCP networks. It is > > ! enabled by default. > > !

        > > > > !

        Note: with Postfix version 2.2, message header address rewriting > > ! happens only when one of the following conditions is true:

        > > > > ! > > > > !

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > !

        > > ! Example: > > !

        > > > >
        > > ! swap_bangpath = no
        > >   
        > > > > > > !
        > > ! > > !
        syslog_facility > > ! (default: mail)
        > > ! > > !

        > > ! The syslog facility of Postfix logging. Specify a facility as > > ! defined in syslog.conf(5). The default facility is "mail". > > !

        > > ! > > !

        > > ! Warning: a non-default syslog_facility setting takes effect only > > ! after a Postfix process has completed initialization. Errors during > > ! process initialization will be logged with the default facility. > > ! Examples are errors while parsing the command line arguments, and > > ! errors while accessing the Postfix main.cf configuration file. > > !

        > > > > --- 11973,12021 ---- > > > > !
        smtpd_tls_dkey_file > > ! (default: $smtpd_tls_dcert_file)
        > > > > !

        File with the Postfix SMTP server DSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP server DSA certificate > > ! file specified with $smtpd_tls_dcert_file.

        > > > > !

        The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted, but file permissions should grant read/write > > ! access only to the system superuser account ("root").

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_exclude_ciphers > > ! (default: empty)
        > > > > !

        List of ciphers or cipher types to exclude from the SMTP server > > ! cipher list at all TLS security levels. Excluding valid ciphers > > ! can create interoperability problems. DO NOT exclude ciphers unless it > > ! is essential to do so. This is not an OpenSSL cipherlist; it is a simple > > ! list separated by whitespace and/or commas. The elements are a single > > ! cipher, or one or more "+" separated cipher properties, in which case > > ! only ciphers matching all the properties are excluded.

        > > > > !

        Examples (some of these will cause problems):

        > > > > +
        > >
        > > ! smtpd_tls_exclude_ciphers = aNULL
        > > ! smtpd_tls_exclude_ciphers = MD5, DES
        > > ! smtpd_tls_exclude_ciphers = DES+MD5
        > > ! smtpd_tls_exclude_ciphers = AES256-SHA, DES-CBC3-MD5
        > > ! smtpd_tls_exclude_ciphers = kEDH+aRSA
        > >   
        > > +
        > > > > +

        The first setting disables anonymous ciphers. The next setting > > + disables ciphers that use the MD5 digest algorithm or the (single) DES > > + encryption algorithm. The next setting disables ciphers that use MD5 and > > + DES together. The next setting disables the two ciphers "AES256-SHA" > > + and "DES-CBC3-MD5". The last setting disables ciphers that use "EDH" > > + key exchange with RSA authentication.

        > > > > !

        This feature is available in Postfix 2.3 and later.
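Review bot: "Examples (some of these will cause problems)" never says which ones, and the explanation paragraph only describes what each line excludes; add a sentence that identifies the risky ones, e.g. that `kEDH+aRSA` removes the ephemeral-DH (forward secret) RSA-authenticated suites, and that dropping whole algorithm families (`MD5, DES`) or named suites (`AES256-SHA, DES-CBC3-MD5`) can leave older clients with no cipher in common, which is exactly the interoperability problem the first paragraph warns about.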

        > > > > *************** > > *** 15361,15391 **** > > > > !
        syslog_name > > ! (default: see "postconf -d" output)
        > > > > !

        > > ! The mail system name that is prepended to the process name in syslog > > ! records, so that "smtpd" becomes, for example, "postfix/smtpd". > >

        > > > > !

        > > ! Warning: a non-default syslog_name setting takes effect only after > > ! a Postfix process has completed initialization. Errors during > > ! process initialization will be logged with the default name. Examples > > ! are errors while parsing the command line arguments, and errors > > ! while accessing the Postfix main.cf configuration file. > >

        > > > > > > !
        > > ! > > !
        tcp_windowsize > > ! (default: 0)
        > > ! > > !

        An optional workaround for routers that break TCP window scaling. > > ! Specify a value > 0 and < 65536 to enable this feature. With > > ! Postfix TCP servers (smtpd(8), qmqpd(8)), this feature is implemented > > ! by the Postfix master(8) daemon.

        > > ! > > !

        To change this parameter without stopping Postfix, you need to > > ! first terminate all Postfix TCP servers:

        > > > > --- 12024,12046 ---- > > > > !
        smtpd_tls_fingerprint_digest > > ! (default: md5)
        > > > > !

        The message digest algorithm used to construct client-certificate > > ! fingerprints for check_ccert_access and > > ! permit_tls_clientcerts. The default algorithm is md5, > > ! for backwards compatibility with Postfix releases prior to 2.5. > >

        > > > > !

        The best practice algorithm is now sha1. Recent advances in hash > > ! function cryptanalysis have led to md5 being deprecated in favor of sha1. > > ! However, as long as there are no known "second pre-image" attacks > > ! against md5, its use in this context can still be considered safe. > >

        > > > > +

        While additional digest algorithms are often available with OpenSSL's > > + libcrypto, only those used by libssl in SSL cipher suites are available to > > + Postfix. For now this means just md5 or sha1.

        > > > > !

        To find the fingerprint of a specific certificate file, with a > > ! specific digest algorithm, run:
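Review bot: the md5 default sits uneasily next to the paragraph that calls sha1 best practice; say plainly that md5 stays the default only so that access tables built before Postfix 2.5 keep matching, that new deployments should set `smtpd_tls_fingerprint_digest = sha1`, and that changing the digest invalidates every entry in an existing check_ccert_access table, since a fingerprint computed with one algorithm never matches output of the other, so the table has to be regenerated at the same time.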

        > > > > *************** > > *** 15393,15396 **** > >
        > > ! # postconf -e master_service_disable=inet
        > > ! # postfix reload
        > >   
        > > --- 12048,12050 ---- > >
        > > ! $ openssl x509 -noout -fingerprint -digest -in certfile.pem
        > >   
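Review bot: in `$ openssl x509 -noout -fingerprint -digest -in certfile.pem` the token `-digest` reads as a literal option but is a placeholder for the digest name; mark it as such ("-md5 or -sha1") so it matches the concrete `-sha1` form shown in the example that follows.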
        > > *************** > > *** 15398,15402 **** > > > > !

        This immediately terminates all processes that accept network > > ! connections. Next, you enable Postfix TCP servers with the updated > > ! tcp_windowsize setting:

        > > > > --- 12052,12055 ---- > > > > !

        The text to the right of "=" sign is the desired fingerprint. > > ! For example:
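Review bot: grammar: `The text to the right of "=" sign` should read `the text to the right of the "=" sign`.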

        > > > > *************** > > *** 15404,15407 **** > >
        > > ! # postconf -e tcp_windowsize=65535 master_service_disable=
        > > ! # postfix reload
        > >   
        > > --- 12057,12060 ---- > >
        > > ! $ openssl x509 -noout -fingerprint -sha1 -in cert.pem
        > > ! SHA1 Fingerprint=D4:6A:AB:19:24:79:F8:32:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
        > >   
        > > *************** > > *** 15409,15432 **** > > > > !

        If you skip these steps with a running Postfix system, then the > > ! tcp_windowsize change will work only for Postfix TCP clients (smtp(8), > > ! lmtp(8)).

        > > ! > > !

        This feature is available in Postfix 2.6 and later.

        > > ! > > ! > > !
        > > > > !
        tls_append_default_CA > > ! (default: no)
        > > > > !

        Append the system-supplied default certificate authority > > ! certificates to the ones specified with *_tls_CApath or *_tls_CAfile. > > ! The default is "no"; this prevents Postfix from trusting third-party > > ! certificates and giving them relay permission with > > ! permit_tls_all_clientcerts.

        > > ! > > !

        This feature is available in Postfix 2.4.15, 2.5.11, 2.6.8, > > ! 2.7.2 and later versions. Specify "tls_append_default_CA = yes" for > > ! backwards compatibility, to avoid breaking certificate verification > > ! with sites that don't use permit_tls_all_clientcerts.

        > > > > --- 12062,12084 ---- > > > > !

        Example: client-certificate access table, with sha1 fingerprints:

        > > > > !
        > > !
        > > ! /etc/postfix/main.cf:
        > > !     smtpd_tls_fingerprint_digest = sha1
        > > !     smtpd_client_restrictions =
        > > !         check_ccert_access hash:/etc/postfix/access,
        > > !         reject
        > > ! 
        > > !
        > > ! /etc/postfix/access:
        > > !     # Action folded to next line...
        > > !     AF:88:7C:AD:51:95:6F:36:96:F6:01:FB:2E:48:CD:AB:49:25:A2:3B
        > > !         OK
        > > !     85:16:78:FD:73:6E:CE:70:E0:31:5F:0D:3C:C8:6D:C4:2C:24:59:E1
        > > !         permit_auth_destination
        > > ! 
        > > !
        > > > > !

        This feature is available in Postfix 2.5 and later.
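Review bot: the main.cf example only works if the server actually requests a client certificate, which this snippet does not do: without `smtpd_tls_ask_ccert = yes` (and a TLS security level that announces STARTTLS) there is no certificate fingerprint to look up in hash:/etc/postfix/access, so every client falls through to `reject`. Add those settings to the example, and say that ending smtpd_client_restrictions with `reject` makes a listed certificate the only way in, which suits a dedicated relay rather than a public MX.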

        > > > > *************** > > *** 15435,15446 **** > > > > !
        tls_daemon_random_bytes > > ! (default: 32)
        > > > > !

        The number of pseudo-random bytes that an smtp(8) or smtpd(8) > > ! process requests from the tlsmgr(8) server in order to seed its > > ! internal pseudo random number generator (PRNG). The default of 32 > > ! bytes (equivalent to 256 bits) is sufficient to generate a 128bit > > ! (or 168bit) session key.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 12087,12098 ---- > > > > !
        smtpd_tls_key_file > > ! (default: $smtpd_tls_cert_file)
        > > > > !

        File with the Postfix SMTP server RSA private key in PEM format. > > ! This file may be combined with the Postfix SMTP server RSA certificate > > ! file specified with $smtpd_tls_cert_file.

        > > > > !

        The private key must be accessible without a pass-phrase, i.e. it > > ! must not be encrypted, but file permissions should grant read/write > > ! access only to the system superuser account ("root").

        > > > > *************** > > *** 15449,15557 **** > > > > !
        tls_disable_workarounds > > ! (default: see "postconf -d" output)
        > > ! > > !

        List or bit-mask of OpenSSL bug work-arounds to disable.

        > > ! > > !

        The OpenSSL toolkit includes a set of work-arounds for buggy SSL/TLS > > ! implementations. Applications, such as Postfix, that want to maximize > > ! interoperability ask the OpenSSL library to enable the full set of > > ! recommended work-arounds.

        > > ! > > !

        From time to time, it is discovered that a work-around creates a > > ! security issue, and should no longer be used. If upgrading OpenSSL > > ! to a fixed version is not an option or an upgrade is not available > > ! in a timely manner, or in closed environments where no buggy clients > > ! or servers exist, it may be appropriate to disable some or all of the > > ! OpenSSL interoperability work-arounds. This parameter specifies which > > ! bug work-arounds to disable.

        > > ! > > !

        If the value of the parameter is a hexadecimal long integer starting > > ! with "0x", the bug work-arounds corresponding to the bits specified in > > ! its value are removed from the SSL_OP_ALL work-around bit-mask > > ! (see openssl/ssl.h and SSL_CTX_set_options(3)). You can specify more > > ! bits than are present in SSL_OP_ALL, excess bits are ignored. Specifying > > ! 0xFFFFFFFF disables all bug-workarounds on a 32-bit system. This should > > ! also be sufficient on 64-bit systems, until OpenSSL abandons support > > ! for 32-bit systems and starts using the high 32 bits of a 64-bit > > ! bug-workaround mask.

        > > ! > > !

        Otherwise, the parameter is a white-space or comma separated list > > ! of specific named bug work-arounds chosen from the list below. It > > ! is possible that your OpenSSL version includes new bug work-arounds > > ! added after your Postfix source code was last updated, in that case > > ! you can only disable one of these via the hexadecimal syntax above.

        > > ! > > !
        > > > > !
        MICROSOFT_SESS_ID_BUG
        See SSL_CTX_set_options(3)
        > > > > !
        NETSCAPE_CHALLENGE_BUG
        See SSL_CTX_set_options(3)
        > > > > !
        LEGACY_SERVER_CONNECT
        See SSL_CTX_set_options(3)
        > > > > !
        NETSCAPE_REUSE_CIPHER_CHANGE_BUG
        also aliased > > ! as CVE-2010-4180. Postfix 2.8 disables this work-around by > > ! default with OpenSSL versions that may predate the fix. Fixed in > > ! OpenSSL 0.9.8q and OpenSSL 1.0.0c.
        > > > > !
        SSLREF2_REUSE_CERT_TYPE_BUG
        See > > ! SSL_CTX_set_options(3)
        > > > > !
        MICROSOFT_BIG_SSLV3_BUFFER
        See > > ! SSL_CTX_set_options(3)
        > > > > !
        MSIE_SSLV2_RSA_PADDING
        also aliased as > > ! CVE-2005-2969. Postfix 2.8 disables this work-around by > > ! default with OpenSSL versions that may predate the fix. Fixed in > > ! OpenSSL 0.9.7h and OpenSSL 0.9.8a.
        > > > > !
        SSLEAY_080_CLIENT_DH_BUG
        See > > ! SSL_CTX_set_options(3)
        > > > > !
        TLS_D5_BUG
        See SSL_CTX_set_options(3)
        > > > > !
        TLS_BLOCK_PADDING_BUG
        See SSL_CTX_set_options(3)
        > > > > -
        TLS_ROLLBACK_BUG
        See SSL_CTX_set_options(3). > > - This is disabled in OpenSSL 0.9.7 and later. Nobody should still > > - be using 0.9.6!
        > > > > !
        DONT_INSERT_EMPTY_FRAGMENTS
        See > > ! SSL_CTX_set_options(3)
        > > > > !
        CRYPTOPRO_TLSEXT_BUG
        New with GOST support in > > ! OpenSSL 1.0.0.
        > > > > !
        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > !
        tls_eecdh_strong_curve > > ! (default: prime256v1)
        > > > > !

        The elliptic curve used by the Postfix SMTP server for sensibly > > ! strong > > ! ephemeral ECDH key exchange. This curve is used by the Postfix SMTP > > ! server when "smtpd_tls_eecdh_grade = strong". The phrase "sensibly > > ! strong" means approximately 128-bit security based on best known > > ! attacks. The selected curve must be implemented by OpenSSL (as > > ! reported by ecparam(1) with the "-list_curves" option) and be one > > ! of the curves listed in Section 5.1.1 of RFC 4492. You should not > > ! generally change this setting.

        > > > > !

        This default curve is specified in NSA "Suite B" Cryptography > > ! (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for > > ! information classified as SECRET.

        > > > > !

        Note: elliptic curve names are poorly standardized; different > > ! standards groups are assigning different names to the same underlying > > ! curves. The curve with the X9.62 name "prime256v1" is also known > > ! under the SECG name "secp256r1", but OpenSSL does not recognize the > > ! latter name.

        > > > > !

        This feature is available in Postfix 2.6 and later, when it is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > --- 12101,12210 ---- > > > > !
        smtpd_tls_loglevel > > ! (default: 0)
        > > > > !

        Enable additional Postfix SMTP server logging of TLS activity. > > ! Each logging level also includes the information that is logged at > > ! a lower logging level.

        > > > > !
        > > > > !
        0 Disable logging of TLS activity.
        > > > > !
        1 Log TLS handshake and certificate information.
        > > > > !
        2 Log levels during TLS negotiation.
        > > > > !
        3 Log hexadecimal and ASCII dump of TLS negotiation > > ! process.
        > > > > !
        4 Also log hexadecimal and ASCII dump of complete > > ! transmission after STARTTLS.
        > > > > !
        > > > > !

        Use "smtpd_tls_loglevel = 3" only in case of problems. Use of > > ! loglevel 4 is strongly discouraged.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_mandatory_ciphers > > ! (default: medium)
        > > > > !

        The minimum TLS cipher grade that the Postfix SMTP server will > > ! use with mandatory > > ! TLS encryption. Cipher types listed in smtpd_tls_mandatory_exclude_ciphers > > ! or smtpd_tls_exclude_ciphers are excluded from the base definition > > ! of the selected cipher grade. With opportunistic TLS encryption, > > ! the "export" grade is used unconditionally with exclusions specified > > ! only via smtpd_tls_exclude_ciphers.

        > > > > !

        The following cipher grades are supported:

        > > > > +
        > > +
        export
        > > +
        Enable the mainstream "EXPORT" grade or better OpenSSL ciphers. > > + This is the most appropriate setting for public MX hosts, and is always > > + used with opportunistic TLS encryption. The underlying cipherlist > > + is specified via the tls_export_cipherlist configuration parameter, > > + which you are strongly encouraged to not change. The default value > > + of tls_export_cipherlist includes anonymous ciphers, but these are > > + automatically filtered out if the server is configured to ask for > > + client certificates. If you must always exclude anonymous ciphers, > > + set "smtpd_tls_exclude_ciphers = aNULL". To exclude anonymous ciphers > > + only when TLS is enforced, set "smtpd_tls_mandatory_exclude_ciphers = > > + aNULL".
        > > > > !
        low
        > > !
        Enable the mainstream "LOW" grade or better OpenSSL ciphers. The > > ! underlying cipherlist is specified via the tls_low_cipherlist > > ! configuration parameter, which you are strongly encouraged to > > ! not change. The default value of tls_low_cipherlist includes > > ! anonymous ciphers, but these are automatically filtered out if the > > ! server is configured to ask for client certificates. If you must > > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > > > !
        medium
        > > !
        Enable the mainstream "MEDIUM" grade or better OpenSSL ciphers. These > > ! are essentially the 128-bit or stronger ciphers. This is the default > > ! minimum strength for mandatory TLS encryption. MSAs that enforce > > ! TLS and have clients that do not support any "MEDIUM" or "HIGH" > > ! grade ciphers, may need to configure a weaker ("low" or "export") > > ! minimum cipher grade. The underlying cipherlist is specified via the > > ! tls_medium_cipherlist configuration parameter, which you are strongly > > ! encouraged to not change. The default value of tls_medium_cipherlist > > ! includes anonymous ciphers, but these are automatically filtered out if > > ! the server is configured to ask for client certificates. If you must > > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > > > !
        high
        > > !
        Enable only the mainstream "HIGH" grade OpenSSL ciphers. The > > ! underlying cipherlist is specified via the tls_high_cipherlist > > ! configuration parameter, which you are strongly encouraged to > > ! not change. The default value of tls_high_cipherlist includes > > ! anonymous ciphers, but these are automatically filtered out if the > > ! server is configured to ask for client certificates. If you must > > ! always exclude anonymous ciphers, set "smtpd_tls_exclude_ciphers = > > ! aNULL". To exclude anonymous ciphers only when TLS is enforced, set > > ! "smtpd_tls_mandatory_exclude_ciphers = aNULL".
        > > > > !
        null
        > > !
        Enable only the "NULL" OpenSSL ciphers, these provide authentication > > ! without encryption. This setting is only appropriate in the rare > > ! case that all clients are prepared to use NULL ciphers (not normally > > ! enabled in TLS clients). The underlying cipherlist is specified via the > > ! tls_null_cipherlist configuration parameter, which you are strongly > > ! encouraged to not change. The default value of tls_null_cipherlist > > ! excludes anonymous ciphers (OpenSSL 0.9.8 has NULL ciphers that offer > > ! data integrity without encryption or authentication).
        > > > > !
        > > > > !

        This feature is available in Postfix 2.3 and later.
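Review bot: "Use of loglevel 4 is strongly discouraged" gives no reason; state the one the level list already implies: level 4 writes the complete transmission after STARTTLS, i.e. message contents and everything else the client sends over the encrypted session, into the mail log, so it exposes the very data the TLS session was meant to protect. Secondary style point: the export, low, medium and high entries repeat the same four sentences about tls_*_cipherlist, aNULL filtering and smtpd_tls_exclude_ciphers nearly verbatim; state them once after the list and keep each entry to what differs.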

        > > > > *************** > > *** 15560,15581 **** > > > > !
        tls_eecdh_ultra_curve > > ! (default: secp384r1)
        > > ! > > !

        The elliptic curve used by the Postfix SMTP server for maximally > > ! strong > > ! ephemeral ECDH key exchange. This curve is used by the Postfix SMTP > > ! server when "smtpd_tls_eecdh_grade = ultra". The phrase "maximally > > ! strong" means approximately 192-bit security based on best known attacks. > > ! This additional strength comes at a significant computational cost, most > > ! users should instead set "smtpd_tls_eecdh_grade = strong". The selected > > ! curve must be implemented by OpenSSL (as reported by ecparam(1) with the > > ! "-list_curves" option) and be one of the curves listed in Section 5.1.1 > > ! of RFC 4492. You should not generally change this setting.

        > > > > !

        This default "ultra" curve is specified in NSA "Suite B" Cryptography > > ! (see http://www.nsa.gov/ia/industry/crypto_suite_b.cfm) for information > > ! classified as TOP SECRET.

        > > > > !

        This feature is available in Postfix 2.6 and later, when it is > > ! compiled and linked with OpenSSL 1.0.0 or later.

        > > > > --- 12213,12223 ---- > > > > !
        smtpd_tls_mandatory_exclude_ciphers > > ! (default: empty)
        > > > > !

        Additional list of ciphers or cipher types to exclude from the > > ! SMTP server cipher list at mandatory TLS security levels. This list > > ! works in addition to the exclusions listed with smtpd_tls_exclude_ciphers > > ! (see there for syntax details).

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 15584,15615 **** > > > > !
        tls_export_cipherlist > > ! (default: ALL:+RC4:@STRENGTH)
        > > ! > > !

        The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This > > ! defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > > ! the cipherlist for the opportunistic ("may") TLS client security > > ! level and is the default cipherlist for the SMTP server. You are > > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > > ! later the cipherlist may start with an "aNULL:" prefix, which restores > > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > > ! list when they are enabled. This prefix is not needed with previous > > ! OpenSSL releases.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        tls_high_cipherlist > > ! (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "HIGH" grade ciphers. This defines > > ! the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > > ! later the cipherlist may start with an "aNULL:" prefix, which restores > > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > > ! list when they are enabled. This prefix is not needed with previous > > ! OpenSSL releases.

        > > > > --- 12226,12256 ---- > > > > !
        smtpd_tls_mandatory_protocols > > ! (default: SSLv3, TLSv1)
        > > > > !

        The SSL/TLS protocols accepted by the Postfix SMTP server with > > ! mandatory TLS encryption. If the list is empty, the server supports all > > ! available SSL/TLS protocol versions. A non-empty value is a list > > ! of protocol > > ! names separated by whitespace, commas or colons. The supported protocol > > ! names are "SSLv2", "SSLv3" and "TLSv1", and are not case sensitive.

        > > > > +

        With Postfix ≥ 2.5 the parameter syntax is expanded to support > > + protocol exclusions. One can now explicitly exclude SSLv2 by setting > > + "smtpd_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and > > + SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing > > + the protocols to include, rather than protocols to exclude, is still > > + supported, use the form you find more intuitive.

        > > > > !

        Since SSL version 2 has known protocol weaknesses and is now > > ! deprecated, the default setting excludes "SSLv2". This means that > > ! by default, SSL version 2 will not be used at the "encrypt" security > > ! level.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_mandatory_protocols = TLSv1
        > > ! # Alternative form with Postfix ≥ 2.5:
        > > ! smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
        > > ! 
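Review bot: the default is given in two forms that have to be kept in sync: the heading says "(default: SSLv3, TLSv1)" while the body says "the default setting excludes "SSLv2""; pick one form for both places (the text says either form is accepted, so the exclusion form `!SSLv2` used in the example is the natural choice). Also replace the non-ASCII "≥" in the main.cf comment `# Alternative form with Postfix ≥ 2.5:` with ">=", since main.cf examples are meant to be pasted as-is.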
        > > > > *************** > > *** 15620,15634 **** > > > > !
        tls_low_cipherlist > > ! (default: ALL:!EXPORT:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines > > ! the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > > ! strongly encouraged to not change this setting. With OpenSSL 1.0.0 and > > ! later the cipherlist may start with an "aNULL:" prefix, which restores > > ! the 0.9.8-compatible ordering of the aNULL ciphers to the top of the > > ! list when they are enabled. This prefix is not needed with previous > > ! OpenSSL releases.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > --- 12261,12273 ---- > > > > !
        smtpd_tls_received_header > > ! (default: no)
        > > > > !

        Request that the Postfix SMTP server produces Received: message > > ! headers that include information about the protocol and cipher used, > > ! as well as the client CommonName and client certificate issuer > > ! CommonName. This is disabled by default, as the information may > > ! be modified in transit through other mail servers. Only information > > ! that was recorded by the final destination can be trusted.

        > > > > !

        This feature is available in Postfix 2.2 and later.
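Review bot: grammar: "Request that the Postfix SMTP server produces Received: message headers" should read "produce" (subjunctive after "request that").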

        > > > > *************** > > *** 15637,15707 **** > > > > !
        tls_medium_cipherlist > > ! (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This > > ! defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > > ! the default cipherlist for mandatory TLS encryption in the TLS > > ! client (with anonymous ciphers disabled when verifying server > > ! certificates). You are strongly encouraged to not change this > > ! setting. With OpenSSL 1.0.0 and later the cipherlist may start with an > > ! "aNULL:" prefix, which restores the 0.9.8-compatible ordering of the > > ! aNULL ciphers to the top of the list when they are enabled. This prefix > > ! is not needed with previous OpenSSL releases.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > -
        > > > > !
        tls_null_cipherlist > > ! (default: eNULL:!aNULL)
        > > > > !

        The OpenSSL cipherlist for "NULL" grade ciphers that provide > > ! authentication without encryption. This defines the meaning of the "null" > > ! setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and > > ! lmtp_tls_mandatory_ciphers. You are strongly encouraged to not > > ! change this setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > > > !
        > > > > !
        tls_preempt_cipherlist > > ! (default: no)
        > > > > !

        With SSLv3 and later, use the Postfix SMTP server's cipher > > ! preference order instead of the remote client's cipher preference > > ! order.

        > > ! > > !

        By default, the OpenSSL server selects the client's most preferred > > ! cipher that the server supports. With SSLv3 and later, the server may > > ! choose its own most preferred cipher that is supported (offered) by > > ! the client. Setting "tls_preempt_cipherlist = yes" enables server cipher > > ! preferences.

        > > ! > > !

        While server cipher selection may in some cases lead to a more secure > > ! or performant cipher choice, there is some risk of interoperability > > ! issues. In the past, some SSL clients have listed lower priority ciphers > > ! that they did not implement correctly. If the server chooses a cipher > > ! that the client prefers less, it may select a cipher whose client > > ! implementation is flawed.

        > > > > !

        This feature is available in Postfix 2.8 and later, in combination > > ! with OpenSSL 0.9.7 and later.

        > > > > > > !
        > > > > !
        tls_random_bytes > > ! (default: 32)
        > > > > !

        The number of bytes that tlsmgr(8) reads from $tls_random_source > > ! when (re)seeding the in-memory pseudo random number generator (PRNG) > > ! pool. The default of 32 bytes (256 bits) is good enough for 128bit > > ! symmetric keys. If using EGD or a device file, a maximum of 255 > > ! bytes is read.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > --- 12276,12333 ---- > > > > !
        smtpd_tls_req_ccert > > ! (default: no)
        > > > > !

        With mandatory TLS encryption, require a trusted remote SMTP client > > ! certificate in order to allow TLS connections to proceed. This > > ! option implies "smtpd_tls_ask_ccert = yes".

        > > > > !

        When TLS encryption is optional, this setting is ignored with > > ! a warning written to the mail log.

        > > > > +

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        smtpd_tls_security_level > > ! (default: empty)
        > > > > !

        The SMTP TLS security level for the Postfix SMTP server; when > > ! a non-empty value is specified, this overrides the obsolete parameters > > ! smtpd_use_tls and smtpd_enforce_tls. This parameter is ignored with > > ! "smtpd_tls_wrappermode = yes".

        > > > > +

        Specify one of the following security levels:

        > > > > !
        > > > > !
        none
        TLS will not be used.
        > > > > !
        may
        Opportunistic TLS: announce STARTTLS support > > ! to SMTP clients, but do not require that clients use TLS encryption. > > !
        > > > > !
        encrypt
        Mandatory TLS encryption: announce > > ! STARTTLS support to SMTP clients, and require that clients use TLS > > ! encryption. According to RFC 2487 this MUST NOT be applied in case > > ! of a publicly-referenced SMTP server. Instead, this option should > > ! be used only on dedicated servers.
        > > > > +
        > > > > !

        Note 1: the "fingerprint", "verify" and "secure" levels are not > > ! supported here. > > ! The Postfix SMTP server logs a warning and uses "encrypt" instead. > > ! To verify SMTP client certificates, see TLS_README for a discussion > > ! of the smtpd_tls_ask_ccert, smtpd_tls_req_ccert, and permit_tls_clientcerts > > ! features.

        > > > > !

        Note 2: The parameter setting "smtpd_tls_security_level = > > ! encrypt" implies "smtpd_tls_auth_only = yes".

        > > > > !

        Note 3: when invoked via "sendmail -bs", Postfix will never > > ! offer STARTTLS due to insufficient privileges to access the server > > ! private key. This is intended behavior.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 15710,15736 **** > > > > !
        tls_random_exchange_name > > ! (default: see "postconf -d" output)
        > > ! > > !

        Name of the pseudo random number generator (PRNG) state file > > ! that is maintained by tlsmgr(8). The file is created when it does > > ! not exist, and its length is fixed at 1024 bytes.

        > > ! > > !

        As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file, and the default file location was changed from > > ! ${config_directory}/prng_exch to ${data_directory}/prng_exch. As > > ! a migration aid, an attempt to open the file under a non-Postfix > > ! directory is redirected to the Postfix-owned data_directory, and a > > ! warning is logged.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > > > !
        > > > > !
        tls_random_prng_update_period > > ! (default: 3600s)
        > > > > !

        The time between attempts by tlsmgr(8) to save the state of > > ! the pseudo random number generator (PRNG) to the file specified > > ! with $tls_random_exchange_name.

        > > > > --- 12336,12367 ---- > > > > !
        smtpd_tls_session_cache_database > > ! (default: empty)
        > > > > !

        Name of the file containing the optional Postfix SMTP server > > ! TLS session cache. Specify a database type that supports enumeration, > > ! such as btree or sdbm; there is no need to support > > ! concurrent access. The file is created if it does not exist. The smtpd(8) > > ! daemon does not use this parameter directly, rather the cache is > > ! implemented indirectly in the tlsmgr(8) daemon. This means that > > ! per-smtpd-instance master.cf overrides of this parameter are not > > ! effective. Note, that each of the cache databases supported by tlsmgr(8) > > ! daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database > > ! (and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be > > ! stored separately. It is not at this time possible to store multiple > > ! caches in a single database.

        > > > > +

        Note: dbm databases are not suitable. TLS > > + session objects are too large.

        > > > > !

        As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file. The file should now be stored under the Postfix-owned > > ! data_directory. As a migration aid, an attempt to open the file > > ! under a non-Postfix directory is redirected to the Postfix-owned > > ! data_directory, and a warning is logged.

        > > > > !

        Example:

        > > > > !
        > > ! smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
        > > ! 
        > > > > *************** > > *** 15741,15749 **** > > > > !
        tls_random_reseed_period > > (default: 3600s)
        > > > > !

        The maximal time between attempts by tlsmgr(8) to re-seed the > > ! in-memory pseudo random number generator (PRNG) pool from external > > ! sources. The actual time between re-seeding attempts is calculated > > ! using the PRNG, and is between 0 and the time specified.

        > > > > --- 12372,12382 ---- > > > > !
        smtpd_tls_session_cache_timeout > > (default: 3600s)
        > > > > !

        The expiration time of Postfix SMTP server TLS session cache > > ! information. A cache cleanup is performed periodically > > ! every $smtpd_tls_session_cache_timeout seconds. As with > > ! $smtpd_tls_session_cache_database, this parameter is implemented in the > > ! tlsmgr(8) daemon and therefore per-smtpd-instance master.cf overrides > > ! are not possible.

        > > > > *************** > > *** 15754,15767 **** > > > > !
        tls_random_source > > ! (default: see "postconf -d" output)
        > > > > !

        The external entropy source for the in-memory tlsmgr(8) pseudo > > ! random number generator (PRNG) pool. Be sure to specify a non-blocking > > ! source. If this source is not a regular file, the entropy source > > ! type must be prepended: egd:/path/to/egd_socket for a source with > > ! EGD compatible socket interface, or dev:/path/to/device for a > > ! device file.

        > > > > !

        Note: on OpenBSD systems specify /dev/arandom when /dev/urandom > > ! gives timeout errors.

        > > > > --- 12387,12398 ---- > > > > !
        smtpd_tls_wrappermode > > ! (default: no)
        > > > > !

        Run the Postfix SMTP server in the non-standard "wrapper" mode, > > ! instead of using the STARTTLS command.

        > > > > !

        If you want to support this service, enable a special port in > > ! master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP > > ! server's command line. Port 465 (smtps) was once chosen for this > > ! purpose.

        > > > > *************** > > *** 15772,15781 **** > > > > !
        tlsproxy_enforce_tls > > ! (default: $smtpd_enforce_tls)
        > > > > !

        Mandatory TLS: announce STARTTLS support to remote SMTP clients, and > > ! require that clients use TLS encryption. See smtpd_enforce_tls for > > ! further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12403,12416 ---- > > > > !
        smtpd_use_tls > > ! (default: no)
        > > ! > > !

        Opportunistic TLS: announce STARTTLS support to SMTP clients, > > ! but do not require that clients use TLS encryption.

        > > > > !

        Note: when invoked via "sendmail -bs", Postfix will never offer > > ! STARTTLS due to insufficient privileges to access the server private > > ! key. This is intended behavior.

        > > > > !

        This feature is available in Postfix 2.2 and later. With > > ! Postfix 2.3 and later use smtpd_tls_security_level instead.

        > > > > *************** > > *** 15784,15792 **** > > > > !
        tlsproxy_service_name > > ! (default: tlsproxy)
        > > > > !

        The name of the tlsproxy(8) service entry in master.cf. This > > ! service performs plaintext <=> TLS ciphertext conversion.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12419,12438 ---- > > > > !
        soft_bounce > > ! (default: no)
        > > ! > > !

        > > ! Safety net to keep mail queued that would otherwise be returned to > > ! the sender. This parameter disables locally-generated bounces, > > ! and prevents the Postfix SMTP server from rejecting mail permanently, > > ! by changing 5xx reply codes into 4xx. However, soft_bounce is no > > ! cure for address rewriting mistakes or mail routing mistakes. > > !

        > > > > !

        > > ! Example: > > !

        > > > > !
        > > ! soft_bounce = yes
        > > ! 
        > > > > *************** > > *** 15795,15804 **** > > > > !
        tlsproxy_tls_CAfile > > ! (default: $smtpd_tls_CAfile)
        > > > > !

        A file containing (PEM format) CA certificates of root CAs > > ! trusted to sign either remote SMTP client certificates or intermediate > > ! CA certificates. See smtpd_tls_CAfile for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12441,12454 ---- > > > > !
        stale_lock_time > > ! (default: 500s)
        > > > > !

        > > ! The time after which a stale exclusive mailbox lockfile is removed. > > ! This is used for delivery to file or mailbox. > > !

        > > > > !

        > > ! Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). > > ! The default time unit is s (seconds). > > !

        > > > > *************** > > *** 15807,15816 **** > > > > !
        tlsproxy_tls_CApath > > ! (default: $smtpd_tls_CApath)
        > > > > !

        A directory containing (PEM format) CA certificates of root CAs > > ! trusted to sign either remote SMTP client certificates or intermediate > > ! CA certificates. See smtpd_tls_CApath for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12457,12464 ---- > > > > !
        stress > > ! (default: empty)
        > > > > !

        This feature is documented in the STRESS_README document.

        > > > > !

        This feature is available in Postfix 2.5 and later.

        > > > > *************** > > *** 15819,15863 **** > > > > !
        tlsproxy_tls_always_issue_session_ids > > ! (default: $smtpd_tls_always_issue_session_ids)
        > > ! > > !

        Force the Postfix tlsproxy(8) server to issue a TLS session id, > > ! even when TLS session caching is turned off. See > > ! smtpd_tls_always_issue_session_ids for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > -
        tlsproxy_tls_ask_ccert > > - (default: $smtpd_tls_ask_ccert)
        > > > > !

        Ask a remote SMTP client for a client certificate. See > > ! smtpd_tls_ask_ccert for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > !
        tlsproxy_tls_ccert_verifydepth > > ! (default: $smtpd_tls_ccert_verifydepth)
        > > > > -

        The verification depth for remote SMTP client certificates. A > > - depth of 1 is sufficient if the issuing CA is listed in a local CA > > - file. See smtpd_tls_ccert_verifydepth for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > !
        tlsproxy_tls_cert_file > > ! (default: $smtpd_tls_cert_file)
        > > > > !

        File with the Postfix tlsproxy(8) server RSA certificate in PEM > > ! format. This file may also contain the Postfix tlsproxy(8) server > > ! private RSA key. See smtpd_tls_cert_file for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12467,12530 ---- > > > > !
        strict_7bit_headers > > ! (default: no)
        > > > > !

        > > ! Reject mail with 8-bit text in message headers. This blocks mail > > ! from poorly written applications. > > !

        > > > > +

        > > + This feature should not be enabled on a general purpose mail server, > > + because it is likely to reject legitimate email. > > +

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > > > !
        > > > > !
        strict_8bitmime > > ! (default: no)
        > > > > +

        > > + Enable both strict_7bit_headers and strict_8bitmime_body. > > +

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it is likely to reject legitimate email. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > > > !
        > > > > +
        strict_8bitmime_body > > + (default: no)
        > > > > !

        > > ! Reject 8-bit message body text without 8-bit MIME content encoding > > ! information. This blocks mail from poorly written applications. > > !

        > > > > !

        > > ! Unfortunately, this also rejects majordomo approval requests when > > ! the included request contains valid 8-bit MIME mail, and it rejects > > ! bounces from mailers that do not MIME encapsulate 8-bit content > > ! (for example, bounces from qmail or from old versions of Postfix). > > !

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it is likely to reject legitimate email. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > *************** > > *** 15866,15875 **** > > > > !
        tlsproxy_tls_ciphers > > ! (default: $smtpd_tls_ciphers)
        > > > > !

        The minimum TLS cipher grade that the Postfix tlsproxy(8) server > > ! will use with opportunistic TLS encryption. See smtpd_tls_ciphers > > ! for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12533,12541 ---- > > > > !
        strict_mailbox_ownership > > ! (default: yes)
        > > > > !

        Defer delivery when a mailbox file is not owned by its recipient. > > ! The default setting is not backwards compatible.

        > > > > !

        This feature is available in Postfix 2.5.3 and later.

        > > > > *************** > > *** 15878,15900 **** > > > > !
        tlsproxy_tls_dcert_file > > ! (default: $smtpd_tls_dcert_file)
        > > > > !

        File with the Postfix tlsproxy(8) server DSA certificate in PEM > > ! format. This file may also contain the Postfix tlsproxy(8) server > > ! private DSA key. See smtpd_tls_dcert_file for further details. > >

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > ! > > ! > > !
        > > ! > > !
        tlsproxy_tls_dh1024_param_file > > ! (default: $smtpd_tls_dh1024_param_file)
        > > ! > > !

        File with DH parameters that the Postfix tlsproxy(8) server > > ! should use with EDH ciphers. See smtpd_tls_dh1024_param_file for > > ! further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12544,12562 ---- > > > > !
        strict_mime_encoding_domain > > ! (default: no)
        > > > > !

        > > ! Reject mail with invalid Content-Transfer-Encoding: information > > ! for the message/* or multipart/* MIME content types. This blocks > > ! mail from poorly written software. > >

        > > > > !

        > > ! This feature should not be enabled on a general purpose mail server, > > ! because it will reject mail after a single violation. > > !

        > > > > !

        > > ! This feature is available in Postfix 2.0 and later. > > !

        > > > > *************** > > *** 15903,15912 **** > > > > !
        tlsproxy_tls_dh512_param_file > > ! (default: $smtpd_tls_dh512_param_file)
        > > > > !

        File with DH parameters that the Postfix tlsproxy(8) server > > ! should use with EDH ciphers. See smtpd_tls_dh512_param_file for > > ! further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12565,12580 ---- > > > > !
        strict_rfc821_envelopes > > ! (default: no)
        > > > > !

        > > ! Require that addresses received in SMTP MAIL FROM and RCPT TO > > ! commands are enclosed with <>, and that those addresses do > > ! not contain RFC 822 style comments or phrases. This stops mail > > ! from poorly written software. > > !

        > > > > !

        > > ! By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL > > ! FROM and RCPT TO addresses. > > !

        > > > > *************** > > *** 15915,15925 **** > > > > !
        tlsproxy_tls_dkey_file > > ! (default: $smtpd_tls_dkey_file)
        > > ! > > !

        File with the Postfix tlsproxy(8) server DSA private key in PEM > > ! format. This file may be combined with the Postfix tlsproxy(8) > > ! server DSA certificate file specified with $smtpd_tls_dcert_file. > > ! See smtpd_tls_dkey_file for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12583,12591 ---- > > > > !
        sun_mailtool_compatibility > > ! (default: no)
        > > > > !

        > > ! Obsolete SUN mailtool compatibility feature. Instead, use > > ! "mailbox_delivery_lock = dotlock". > > !

        > > > > *************** > > *** 15928,15963 **** > > > > !
        tlsproxy_tls_eccert_file > > ! (default: $smtpd_tls_eccert_file)
        > > ! > > !

        File with the Postfix tlsproxy(8) server ECDSA certificate in > > ! PEM format. This file may also contain the Postfix tlsproxy(8) > > ! server private ECDSA key. See smtpd_tls_eccert_file for further > > ! details.

        > > ! > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > !
        tlsproxy_tls_eckey_file > > ! (default: $smtpd_tls_eckey_file)
        > > > > !

        File with the Postfix tlsproxy(8) server ECDSA private key in > > ! PEM format. This file may be combined with the Postfix tlsproxy(8) > > ! server ECDSA certificate file specified with $smtpd_tls_eccert_file. > > ! See smtpd_tls_eckey_file for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > > > !
        > > > > !
        tlsproxy_tls_eecdh_grade > > ! (default: $smtpd_tls_eecdh_grade)
        > > > > !

        The Postfix tlsproxy(8) server security grade for ephemeral > > ! elliptic-curve Diffie-Hellman (EECDH) key exchange. See > > ! smtpd_tls_eecdh_grade for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12594,12629 ---- > > > > !
        swap_bangpath > > ! (default: yes)
        > > > > +

        > > + Enable the rewriting of "site!user" into "user at site". This is > > + necessary if your machine is connected to UUCP networks. It is > > + enabled by default. > > +

        > > > > !

        Note: with Postfix version 2.2, message header address rewriting > > ! happens only when one of the following conditions is true:

        > > > > ! > > > > !

        To get the behavior before Postfix version 2.2, specify > > ! "local_header_rewrite_clients = static:all".

        > > > > !

        > > ! Example: > > !

        > > > > !
        > > ! swap_bangpath = no
        > > ! 
        > > > > *************** > > *** 15966,15975 **** > > > > !
        tlsproxy_tls_exclude_ciphers > > ! (default: $smtpd_tls_exclude_ciphers)
        > > > > !

        List of ciphers or cipher types to exclude from the tlsproxy(8) > > ! server cipher list at all TLS security levels. See > > ! smtpd_tls_exclude_ciphers for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12632,12648 ---- > > > > !
        syslog_facility > > ! (default: mail)
        > > > > !

        > > ! The syslog facility of Postfix logging. Specify a facility as > > ! defined in syslog.conf(5). The default facility is "mail". > > !

        > > > > !

        > > ! Warning: a non-default syslog_facility setting takes effect only > > ! after a Postfix process has completed initialization. Errors during > > ! process initialization will be logged with the default facility. > > ! Examples are errors while parsing the command line arguments, and > > ! errors while accessing the Postfix main.cf configuration file. > > !

        > > > > *************** > > *** 15978,15988 **** > > > > !
        tlsproxy_tls_fingerprint_digest > > ! (default: $smtpd_tls_fingerprint_digest)
        > > > > !

        The message digest algorithm to construct remote SMTP > > ! client-certificate > > ! fingerprints. See smtpd_tls_fingerprint_digest for further details. > >

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12651,12667 ---- > > > > !
        syslog_name > > ! (default: postfix)
        > > > > !

        > > ! The mail system name that is prepended to the process name in syslog > > ! records, so that "smtpd" becomes, for example, "postfix/smtpd". > >

        > > > > !

        > > ! Warning: a non-default syslog_name setting takes effect only after > > ! a Postfix process has completed initialization. Errors during > > ! process initialization will be logged with the default name. Examples > > ! are errors while parsing the command line arguments, and errors > > ! while accessing the Postfix main.cf configuration file. > > !

        > > > > *************** > > *** 15991,16001 **** > > > > !
        tlsproxy_tls_key_file > > ! (default: $smtpd_tls_key_file)
        > > > > !

        File with the Postfix tlsproxy(8) server RSA private key in PEM > > ! format. This file may be combined with the Postfix tlsproxy(8) > > ! server RSA certificate file specified with $smtpd_tls_cert_file. > > ! See smtpd_tls_key_file for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12670,12681 ---- > > > > !
        tls_daemon_random_bytes > > ! (default: 32)
        > > > > !

        The number of pseudo-random bytes that an smtp(8) or smtpd(8) > > ! process requests from the tlsmgr(8) server in order to seed its > > ! internal pseudo random number generator (PRNG). The default of 32 > > ! bytes (equivalent to 256 bits) is sufficient to generate a 128bit > > ! (or 168bit) session key.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16004,16014 **** > > > > !
        tlsproxy_tls_loglevel > > ! (default: $smtpd_tls_loglevel)
        > > > > !

        Enable additional Postfix tlsproxy(8) server logging of TLS > > ! activity. Each logging level also includes the information that > > ! is logged at a lower logging level. See smtpd_tls_loglevel for > > ! further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12684,12696 ---- > > > > !
        tls_export_cipherlist > > ! (default: ALL:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "EXPORT" or higher grade ciphers. This > > ! defines the meaning of the "export" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > > ! the cipherlist for the opportunistic ("may") TLS client security > > ! level and is the default cipherlist for the SMTP server. You are > > ! strongly encouraged to not change this setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 16017,16026 **** > > > > !
        tlsproxy_tls_mandatory_ciphers > > ! (default: $smtpd_tls_mandatory_ciphers)
        > > > > !

        The minimum TLS cipher grade that the Postfix tlsproxy(8) server > > ! will use with mandatory TLS encryption. See smtpd_tls_mandatory_ciphers > > ! for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12699,12709 ---- > > > > !
        tls_high_cipherlist > > ! (default: ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "HIGH" grade ciphers. This defines > > ! the meaning of the "high" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > > ! strongly encouraged to not change this setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 16029,16038 **** > > > > !
        tlsproxy_tls_mandatory_exclude_ciphers > > ! (default: $smtpd_tls_mandatory_exclude_ciphers)
        > > > > !

        Additional list of ciphers or cipher types to exclude from the > > ! tlsproxy(8) server cipher list at mandatory TLS security levels. > > ! See smtpd_tls_mandatory_exclude_ciphers for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12712,12722 ---- > > > > !
        tls_low_cipherlist > > ! (default: ALL:!EXPORT:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "LOW" or higher grade ciphers. This defines > > ! the meaning of the "low" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. You are > > ! strongly encouraged to not change this setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 16041,16051 **** > > > > !
        tlsproxy_tls_mandatory_protocols > > ! (default: $smtpd_tls_mandatory_protocols)
        > > > > !

        The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server > > ! with mandatory TLS encryption. If the list is empty, the server > > ! supports all available SSL/TLS protocol versions. See > > ! smtpd_tls_mandatory_protocols for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12725,12738 ---- > > > > !
        tls_medium_cipherlist > > ! (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
        > > > > !

        The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers. This > > ! defines the meaning of the "medium" setting in smtpd_tls_mandatory_ciphers, > > ! smtp_tls_mandatory_ciphers and lmtp_tls_mandatory_ciphers. This is > > ! the default cipherlist for mandatory TLS encryption in the TLS > > ! client (with anonymous ciphers disabled when verifying server > > ! certificates). You are strongly encouraged to not change this > > ! setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 16054,16063 **** > > > > !
        tlsproxy_tls_protocols > > ! (default: $smtpd_tls_protocols)
        > > > > !

        List of TLS protocols that the Postfix tlsproxy(8) server will > > ! exclude or include with opportunistic TLS encryption. See > > ! smtpd_tls_protocols for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12741,12752 ---- > > > > !
        tls_null_cipherlist > > ! (default: eNULL:!aNULL)
        > > > > !

        The OpenSSL cipherlist for "NULL" grade ciphers that provide > > ! authentication without encryption. This defines the meaning of the "null" > > ! setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and > > ! lmtp_tls_mandatory_ciphers. You are strongly encouraged to not > > ! change this setting.

        > > > > !

        This feature is available in Postfix 2.3 and later.

        > > > > *************** > > *** 16066,16075 **** > > > > !
        tlsproxy_tls_req_ccert > > ! (default: $smtpd_tls_req_ccert)
        > > > > !

        With mandatory TLS encryption, require a trusted remote SMTP > > ! client certificate in order to allow TLS connections to proceed. > > ! See smtpd_tls_req_ccert for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12755,12766 ---- > > > > !
        tls_random_bytes > > ! (default: 32)
        > > > > !

        The number of bytes that tlsmgr(8) reads from $tls_random_source > > ! when (re)seeding the in-memory pseudo random number generator (PRNG) > > ! pool. The default of 32 bytes (256 bits) is good enough for 128bit > > ! symmetric keys. If using EGD or a device file, a maximum of 255 > > ! bytes is read.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16078,16088 **** > > > > !
        tlsproxy_tls_security_level > > ! (default: $smtpd_tls_security_level)
        > > > > !

        The SMTP TLS security level for the Postfix tlsproxy(8) server; > > ! when a non-empty value is specified, this overrides the obsolete > > ! parameters smtpd_use_tls and smtpd_enforce_tls. See > > ! smtpd_tls_security_level for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12769,12785 ---- > > > > !
        tls_random_exchange_name > > ! (default: see "postconf -d" output)
        > > ! > > !

        Name of the pseudo random number generator (PRNG) state file > > ! that is maintained by tlsmgr(8). The file is created when it does > > ! not exist, and its length is fixed at 1024 bytes.

        > > > > !

        As of version 2.5, Postfix no longer uses root privileges when > > ! opening this file, and the default file location was changed from > > ! ${config_directory}/prng_exch to ${data_directory}/prng_exch. As > > ! a migration aid, an attempt to open the file under a non-Postfix > > ! directory is redirected to the Postfix-owned data_directory, and a > > ! warning is logged.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16091,16101 **** > > > > !
        tlsproxy_tls_session_cache_timeout > > ! (default: $smtpd_tls_session_cache_timeout)
        > > > > !

        The expiration time of Postfix tlsproxy(8) server TLS session > > ! cache information. A cache cleanup is performed periodically every > > ! $smtpd_tls_session_cache_timeout seconds. See > > ! smtpd_tls_session_cache_timeout for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12788,12797 ---- > > > > !
        tls_random_prng_update_period > > ! (default: 3600s)
        > > > > !

        The time between attempts by tlsmgr(8) to save the state of > > ! the pseudo random number generator (PRNG) to the file specified > > ! with $tls_random_exchange_name.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16104,16113 **** > > > > !
        tlsproxy_use_tls > > ! (default: $smtpd_use_tls)
        > > > > !

        Opportunistic TLS: announce STARTTLS support to remote SMTP clients, > > ! but do not require that clients use TLS encryption. See smtpd_use_tls > > ! for further details.

        > > > > !

        This feature is available in Postfix 2.8 and later.

        > > > > --- 12800,12810 ---- > > > > !
        tls_random_reseed_period > > ! (default: 3600s)
        > > > > !

        The maximal time between attempts by tlsmgr(8) to re-seed the > > ! in-memory pseudo random number generator (PRNG) pool from external > > ! sources. The actual time between re-seeding attempts is calculated > > ! using the PRNG, and is between 0 and the time specified.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16116,16132 **** > > > > !
        tlsproxy_watchdog_timeout > > ! (default: 10s)
        > > > > !

        How much time a tlsproxy(8) process may take to process local > > ! or remote I/O before it is terminated by a built-in watchdog timer. > > ! This is a safety mechanism that prevents tlsproxy(8) from becoming > > ! non-responsive due to a bug in Postfix itself or in system software. > > ! To avoid false alarms and unnecessary cache corruption this limit > > ! cannot be set under 10s.

        > > > > !

        Specify a non-zero time value (an integral value plus an optional > > ! one-letter suffix that specifies the time unit). Time units: s > > ! (seconds), m (minutes), h (hours), d (days), w (weeks).

        > > > > !

        This feature is available in Postfix 2.8.

        > > > > --- 12813,12828 ---- > > > > !
        tls_random_source > > ! (default: see "postconf -d" output)
        > > > > !

        The external entropy source for the in-memory tlsmgr(8) pseudo > > ! random number generator (PRNG) pool. Be sure to specify a non-blocking > > ! source. If this source is not a regular file, the entropy source > > ! type must be prepended: egd:/path/to/egd_socket for a source with > > ! EGD compatible socket interface, or dev:/path/to/device for a > > ! device file.

        > > > > !

        Note: on OpenBSD systems specify /dev/arandom when /dev/urandom > > ! gives timeout errors.

        > > > > !

        This feature is available in Postfix 2.2 and later.

        > > > > *************** > > *** 16159,16166 **** > > > > -

        Note: transport_delivery_slot_cost parameters will not > > - show up in "postconf" command output before Postfix version 2.9. > > - This limitation applies to many parameters whose name is a combination > > - of a master.cf service name and a built-in suffix (in this case: > > - "_delivery_slot_cost").

        > > - > > > > --- 12855,12856 ---- > > *************** > > *** 16175,16182 **** > > > > -

        Note: transport_delivery_slot_discount parameters will > > - not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_delivery_slot_discount").

        > > - > > > > --- 12865,12866 ---- > > *************** > > *** 16191,16198 **** > > > > -

        Note: transport_delivery_slot_loan parameters will not > > - show up in "postconf" command output before Postfix version 2.9. > > - This limitation applies to many parameters whose name is a combination > > - of a master.cf service name and a built-in suffix (in this case: > > - "_delivery_slot_loan").

        > > - > > > > --- 12875,12876 ---- > > *************** > > *** 16208,16216 **** > > > > -

        Note: some transport_destination_concurrency_failed_cohort_limit > > - parameters will not show up in "postconf" command output before > > - Postfix version 2.9. This limitation applies to many parameters > > - whose name is a combination of a master.cf service name and a > > - built-in suffix (in this case: > > - "_destination_concurrency_failed_cohort_limit").

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 12886,12887 ---- > > *************** > > *** 16228,16236 **** > > > > -

        Note: some transport_destination_concurrency_limit > > - parameters will not show up in "postconf" command output before > > - Postfix version 2.9. This limitation applies to many parameters > > - whose name is a combination of a master.cf service name and a > > - built-in suffix (in this case: "_destination_concurrency_limit"). > > -

        > > - > > > > --- 12899,12900 ---- > > *************** > > *** 16246,16254 **** > > > > -

        Note: some transport_destination_concurrency_negative_feedback > > - parameters will not show up in "postconf" command output before > > - Postfix version 2.9. This limitation applies to many parameters > > - whose name is a combination of a master.cf service name and a > > - built-in suffix (in this case: > > - "_destination_concurrency_negative_feedback").

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 12910,12911 ---- > > *************** > > *** 16266,16274 **** > > > > -

        Note: some transport_destination_concurrency_positive_feedback > > - parameters will not show up in "postconf" command output before > > - Postfix version 2.9. This limitation applies to many parameters > > - whose name is a combination of a master.cf service name and a > > - built-in suffix (in this case: > > - "_destination_concurrency_positive_feedback").

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 12923,12924 ---- > > *************** > > *** 16285,16292 **** > > > > -

        Note: some transport_destination_rate_delay parameters > > - will not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_destination_rate_delay").

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 12935,12936 ---- > > *************** > > *** 16304,16311 **** > > > > -

        Note: some transport_destination_recipient_limit parameters > > - will not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_destination_recipient_limit").

        > > - > > > > --- 12948,12949 ---- > > *************** > > *** 16320,16327 **** > > > > -

        Note: transport_extra_recipient_limit parameters will > > - not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_extra_recipient_limit").

        > > - > > > > --- 12958,12959 ---- > > *************** > > *** 16336,16344 **** > > > > -

        Note: some transport_initial_destination_concurrency > > - parameters will not show up in "postconf" command output before > > - Postfix version 2.9. This limitation applies to many parameters > > - whose name is a combination of a master.cf service name and a > > - built-in suffix (in this case: "_initial_destination_concurrency"). > > -

        > > - > >

        This feature is available in Postfix 2.5 and later.

        > > --- 12968,12969 ---- > > *************** > > *** 16384,16391 **** > > > > -

        Note: transport_minimum_delivery_slots parameters will > > - not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_minimum_delivery_slots").

        > > - > > > > --- 13009,13010 ---- > > *************** > > *** 16400,16407 **** > > > > -

        Note: some transport_recipient_limit parameters will not > > - show up in "postconf" command output before Postfix version 2.9. > > - This limitation applies to many parameters whose name is a combination > > - of a master.cf service name and a built-in suffix (in this case: > > - "_recipient_limit").

        > > - > > > > --- 13019,13020 ---- > > *************** > > *** 16416,16423 **** > > > > -

        Note: transport_recipient_refill_delay parameters will > > - not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_recipient_refill_delay").

        > > - > >

        This feature is available in Postfix 2.4 and later.

        > > --- 13029,13030 ---- > > *************** > > *** 16434,16441 **** > > > > -

        Note: transport_recipient_refill_limit parameters will > > - not show up in "postconf" command output before Postfix version > > - 2.9. This limitation applies to many parameters whose name is a > > - combination of a master.cf service name and a built-in suffix (in > > - this case: "_recipient_refill_limit").

        > > - > >

        This feature is available in Postfix 2.4 and later.

        > > --- 13041,13042 ---- > > *************** > > *** 16468,16475 **** > > > > -

        Note: transport_time_limit parameters will not show up > > - in "postconf" command output before Postfix version 2.9. This > > - limitation applies to many parameters whose name is a combination > > - of a master.cf service name and a built-in suffix (in this case: > > - "_time_limit").

        > > - > > > > --- 13069,13070 ---- > > *************** > > *** 16496,16498 **** > >
        undisclosed_recipients_header > > ! (default: see "postconf -d" output)
        > > > > --- 13091,13093 ---- > >
        undisclosed_recipients_header > > ! (default: To: undisclosed-recipients:;)
        > > > > *************** > > *** 16500,16512 **** > > Message header that the Postfix cleanup(8) server inserts when a > > ! message contains no To: or Cc: message header. With Postfix 2.8 > > ! and later, the default value is empty. With Postfix 2.4-2.7, > > ! specify an empty value to disable this feature.

        > > ! > > !

        Example:

        > > ! > > !
        > > ! # Default value before Postfix 2.8.
        > > ! # Note: the ":" and ";" are both required.
        > > ! undisclosed_recipients_header = To: undisclosed-recipients:;
        > > ! 
        > > > > --- 13095,13098 ---- > > Message header that the Postfix cleanup(8) server inserts when a > > ! message contains no To: or Cc: message header. With Postfix 2.4 > > ! and later, specify an empty value to disable this feature.

        > > > > *************** > > *** 16532,16549 **** > > > > -
        unknown_address_tempfail_action > > - (default: $reject_tempfail_action)
        > > - > > -

        The Postfix SMTP server's action when reject_unknown_sender_domain > > - or reject_unknown_recipient_domain fail due to a temporary error > > - condition. Specify "defer" to defer the remote SMTP client request > > - immediately. With the default "defer_if_permit" action, the Postfix > > - SMTP server continues to look for opportunities to reject mail, and > > - defers the client request only if it would otherwise be accepted. > > -

        > > - > > -

        This feature is available in Postfix 2.6 and later.

        > > - > > - > > -
        > > - > >
        unknown_client_reject_code > > --- 13118,13119 ---- > > *************** > > *** 16565,16581 **** > > > > -
        unknown_helo_hostname_tempfail_action > > - (default: $reject_tempfail_action)
        > > - > > -

        The Postfix SMTP server's action when reject_unknown_helo_hostname > > - fails due to an temporary error condition. Specify "defer" to defer > > - the remote SMTP client request immediately. With the default > > - "defer_if_permit" action, the Postfix SMTP server continues to look > > - for opportunities to reject mail, and defers the client request > > - only if it would otherwise be accepted.

        > > - > > -

        This feature is available in Postfix 2.6 and later.

        > > - > > - > > -
        > > - > >
        unknown_hostname_reject_code > > --- 13135,13136 ---- > > *************** > > *** 16648,16650 **** > >

        > > ! The Postfix SMTP server reply code when a recipient address matches > > $virtual_alias_domains, and $virtual_alias_maps specifies a list > > --- 13203,13205 ---- > >

        > > ! The SMTP server reply code when a recipient address matches > > $virtual_alias_domains, and $virtual_alias_maps specifies a list > > *************** > > *** 16664,16666 **** > >

        > > ! The Postfix SMTP server reply code when a recipient address matches > > $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list > > --- 13219,13221 ---- > >

        > > ! The SMTP server reply code when a recipient address matches > > $virtual_mailbox_domains, and $virtual_mailbox_maps specifies a list > > *************** > > *** 16727,16753 **** > > > > !

        The Postfix SMTP server's reply when rejecting mail with > > ! reject_unverified_recipient. Do not include the numeric SMTP reply > > ! code or the enhanced status code. By default, the response includes > > ! actual address verification details. > > ! > > !

        Example:

        > > ! > > !
        > > ! unverified_recipient_reject_reason = Recipient address lookup failed
        > > ! 
        > > ! > > !

        This feature is available in Postfix 2.6 and later.

        > > ! > > ! > > !
        > > ! > > !
        unverified_recipient_tempfail_action > > ! (default: $reject_tempfail_action)
        > > ! > > !

        The Postfix SMTP server's action when reject_unverified_recipient > > ! fails due to a temporary error condition. Specify "defer" to defer > > ! the remote SMTP client request immediately. With the default > > ! "defer_if_permit" action, the Postfix SMTP server continues to look > > ! for opportunities to reject mail, and defers the client request > > ! only if it would otherwise be accepted.

        > > > > --- 13282,13286 ---- > > > > !

        When rejecting mail with reject_unverified_recipient, reply > > ! with this text as the reason, instead of actual address verification > > ! details. > > > > *************** > > *** 16809,16835 **** > > > > !

        The Postfix SMTP server's reply when rejecting mail with > > ! reject_unverified_sender. Do not include the numeric SMTP reply > > ! code or the enhanced status code. By default, the response includes > > ! actual address verification details. > > ! > > !

        Example:

        > > ! > > !
        > > ! unverified_sender_reject_reason = Sender address lookup failed
        > > ! 
        > > ! > > !

        This feature is available in Postfix 2.6 and later.

        > > ! > > ! > > !
        > > ! > > !
        unverified_sender_tempfail_action > > ! (default: $reject_tempfail_action)
        > > ! > > !

        The Postfix SMTP server's action when reject_unverified_sender > > ! fails due to a temporary error condition. Specify "defer" to defer > > ! the remote SMTP client request immediately. With the default > > ! "defer_if_permit" action, the Postfix SMTP server continues to look > > ! for opportunities to reject mail, and defers the client request > > ! only if it would otherwise be accepted.

        > > > > --- 13342,13346 ---- > > > > !

        When rejecting mail with reject_unverified_sender, reply with > > ! this text as the reason, instead of actual address verification > > ! details. > > > > *************** > > *** 17079,17082 **** > >

        > > ! The maximal size in bytes of an individual virtual(8) mailbox or > > ! maildir file, or zero (no limit).

        > > > > --- 13590,13594 ---- > >

        > > ! The maximal size in bytes of an individual mailbox or maildir file, > > ! or zero (no limit). > > !

        > > > > *************** > > *** 17196,17199 **** > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop destination is optional; its syntax is documented > > ! in the manual page of the corresponding delivery agent. > >

        > > --- 13708,13711 ---- > > is the name of a mail delivery transport defined in master.cf. > > ! The :nexthop part is optional. For more details see the > > ! transport(5) manual page. > >

> > > > _______________________________________________ > > postconf-devel mailing list > > postconf-devel at de.postfix.org > > http://de.postfix.org/cgi-bin/mailman/listinfo/postconf-devel > > > -- > Werner Detter > IT-Consulting, IT-Services > > Lilienstraße 4 Mobil: +49 151 19640507 > 81669 München Web: http://www.werner-detter.de > > Bashian Roulette? > [ $(($RANDOM%10)) -eq 0 ] && rm -rf / > -- state of mind () http://www.state-of-mind.de Franziskanerstraße 15 Telefon +49 89 3090 4664 81669 München Telefax +49 89 3090 4666 Amtsgericht München Partnerschaftsregister PR 563