Laptop-friendliness: avoid disk spin-up on idle systems by
s/fifo/unix/ in master.cf. Files: conf/master.cf.
+
+20120928-30
+
+ Feature: smtpd_relay_restrictions, proposed long ago by
+ Victor. The idea is to separate the mail relay policy from
+ the spam blocking policy, so that a permissive spam blocking
+ policy under smtpd_recipient_restrictions will no longer
+ unexpectedly result in a permissive mail relay policy.
+
+ This involves a change in default settings. Similar to the
+ way that local_recipient_maps was introduced, there is a
+ safety net that prevents unexpected mail bounces when a
+ site upgrades to Postfix 2.10 or later, and there is no
+ change in documented smtpd_recipient_restrictions behavior.
+ See the RELEASE_NOTES file for details. Files:
+ global/mail_params.h, smtpd/smtpd.c, smtpd/smtpd_check.c,
+ proto/postconf.proto, proto/SMTPD_ACCESS_README.html,
+ mantools/postlink, conf/post-install, RELEASE_NOTES.
+
+20120931-1001
+
+ Documentation: updated the remainder of the README files
+ and manual pages that discuss smtpd_recipient_restrictions.
+
+20121001
+
+ Cleanup: prepend 5.1.1 status code to "User unknown in
+ virtual alias table". File: trivial-rewrite/resolve.c.
+
+20121003
+
+ Bugfix: the postscreen_access_list feature was case-sensitive
+ in the first character of permit, reject, etc. Reported by
+ Francis Picabia. File: global/server_acl.c.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified under smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
reject_unauth_destination
...
reject_unknown_recipient_domain
The unverified_sender_reject_reason parameter (default: empty) specifies fixed
text that Postfix will send to remote SMTP clients, instead of sending actual
-addres verification details. Do not specify the SMTP status code or enhanced
+address verification details. Do not specify the SMTP status code or enhanced
status code.
The unverified_sender_tempfail_action parameter (default: defer_if_permit)
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ -o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
-------------------------------------------------------------------------------
+H\bHo\bos\bst\bt l\blo\boo\bok\bku\bup\bp i\bis\bss\bsu\bue\bes\bs
+
+By default Linux /etc/hosts lookups do not support multiple IP address per
+hostname. This causes warnings from the Postfix SMTP server that "hostname XXX
+does not resolve to address YYY", and is especially a problem with hosts that
+have both IPv4 and IPv6 addresses. To fix, turn on support for multiple IP
+addresses:
+
+ /etc/host.conf:
+ ...
+ # We have machines with multiple IP addresses.
+ multi on
+ ...
+
B\bBe\ber\brk\bke\bel\ble\bey\by D\bDB\bB i\bis\bss\bsu\bue\bes\bs
If you can't compile Postfix because the file "db.h" isn't found, then you MUST
# With multiple instances, rarely need "-o param=value" overrides
# in master.cf, each instance gets its own main.cf file.
#
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject
# Tolerate occasional high latency in the content filter.
SMTP clients.
The tlsproxy(8) implementation led to the discovery of a "new" class of
-vulnerability (CVE-2011-0411) that affected multiple implementations of TLS
-over SMTP, POP, IMAP, NNTP, and FTP.
+vulnerability (CVE-2011-0411) that affected multiple implementations of SMTP,
+POP, IMAP, NNTP, and FTP over TLS.
postscreen(8) was officially released as part of the Postfix 2.8 stable release
in January 2011.
permissive = permit
smtpd_recipient_restrictions =
- permit_mynetworks
- reject_unauth_destination
- check_recipient_access hash:/etc/postfix/recipient_access
+ permit_mynetworks
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified with smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
+ reject_unauth_destination
+ check_recipient_access hash:/etc/postfix/recipient_access
+ ...
/etc/postfix/recipient_access:
- joe@my.domain permissive
- jane@my.domain restrictive
+ joe@my.domain permissive
+ jane@my.domain restrictive
With this in place, you can use "restrictive" or "permissive" on the right-hand
side of your per-client, helo, sender, or recipient SMTPD access tables.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_recipient_access hash:/etc/postfix/access
...the usual stuff...
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_recipient_access hash:/etc/postfix/protected_destinations
...the usual stuff...
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_sender_access hash:/etc/postfix/restricted_senders
...other stuff...
M\bMa\bai\bil\bl r\bre\bel\bla\bay\by a\bau\but\bth\bho\bor\bri\biz\bza\bat\bti\bio\bon\bn
-The permit_sasl_authenticated restriction allows SASL-authenticated SMTP
-clients to send mail to remote destinations. Add it to the list of
-smtpd_recipient_restrictions as follows:
+With permit_sasl_authenticated the Postfix SMTP server can allow SASL-
+authenticated SMTP clients to send mail to remote destinations. Examples:
+ # With Postfix 2.10 and later, the mail relay policy is
+ # preferably specified under smtpd_relay_restrictions.
+ /etc/postfix/main.cf:
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+ reject_unauth_destination
+
+ # Older configurations combine relay control and spam control under
+ # smtpd_recipient_restrictions. To use this example with Postfix >=
+ # 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- ...
- permit_mynetworks
- p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
- reject_unauth_destination
- ...
+ permit_mynetworks
+ p\bpe\ber\brm\bmi\bit\bt_\b_s\bsa\bas\bsl\bl_\b_a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bte\bed\bd
+ reject_unauth_destination
+ ...other rules...
E\bEn\bnv\bve\bel\blo\bop\bpe\be s\bse\ben\bnd\bde\ber\br a\bad\bdd\bdr\bre\bes\bss\bs a\bau\but\bth\bho\bor\bri\biz\bza\bat\bti\bio\bon\bn
smtpd_recipient_restrictions =
...
r\bre\bej\bje\bec\bct\bt_\b_s\bse\ben\bnd\bde\ber\br_\b_l\blo\bog\bgi\bin\bn_\b_m\bmi\bis\bsm\bma\bat\btc\bch\bh
- permit_sasl_authenticated
- permit_mynetworks
- reject_unauth_destination
+ permit_sasl_authenticated
...
The controlled_envelope_senders table specifies the binding between a sender
250-STARTTLS
...
-Instead of port 25 (smtp), specify port 587 (submission) where appriopriate.
+Instead of port 25 (smtp), specify port 587 (submission) where appropriate.
E\bEn\bnc\bcr\bry\byp\bpt\bte\bed\bd S\bSM\bMT\bTP\bP s\bse\bes\bss\bsi\bio\bon\bn (\b(T\bTL\bLS\bS)\b)
information on http://www.mail-abuse.org/ and other websites.
By default, Postfix has a moderately restrictive approach to mail relaying.
-Postfix forwards mail only from clients in trusted networks, or to domains that
-are configured as authorized relay destinations. For a description of the
-default policy, see the smtpd_recipient_restrictions parameter in the postconf
-(5) manual page, and the information that is referenced from there.
+Postfix forwards mail only from clients in trusted networks, from clients that
+have authenticated with SASL, or to domains that are configured as authorized
+relay destinations. For a description of the default mail relay policy, see the
+smtpd_relay_restrictions parameter in the postconf(5) manual page, and the
+information that is referenced from there.
+
+ NOTE: Postfix versions before 2.10 did not have smtpd_relay_restrictions.
+ They combined the mail relay and spam blocking policies, under
+ smtpd_recipient_restrictions. This could lead to unexpected results. For
+ example, a permissive spam blocking policy could unexpectedly result in a
+ permissive mail relay policy. An example of this is documented under
+ "Dangerous use of smtpd_recipient_restrictions".
Most of the Postfix SMTP server access controls are targeted at stopping junk
email.
# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain
- # Whitelisting: local clients may specify any destination domain.
- smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
+ # Relay control (Postfix 2.10 and later): local clients and
+ # authenticated clients may specify any destination domain.
+ smtpd_relay_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+
+ # Spam control: exclude local clients and authenticated clients
+ # from DNSBL lookups.
+ smtpd_recipient_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified under smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_helo dbl.spamhaus.org,
+ reject_rhsbl_sender dbl.spamhaus.org
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
All lists use the exact same syntax; they differ only in the time of evaluation
and in the effect of a REJECT or DEFER result.
- _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
- |R\bRe\bes\bst\btr\bri\bic\bct\bti\bio\bon\bn l\bli\bis\bst\bt n\bna\bam\bme\be |S\bSt\bta\bat\btu\bus\bs |E\bEf\bff\bfe\bec\bct\bt o\bof\bf R\bRE\bEJ\bJE\bEC\bCT\bT o\bor\br D\bDE\bEF\bFE\bER\bR r\bre\bes\bsu\bul\blt\bt|
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_client_restrictions |Optional|Reject all client commands |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_helo_restrictions |Optional|Reject HELO/EHLO information |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_sender_restrictions |Optional|Reject MAIL FROM information |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_recipient_restrictions |Required|Reject RCPT TO information |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_data_restrictions |Optional|Reject DATA command |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_end_of_data_restrictions|Optional|Reject END-OF-DATA command |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
- |smtpd_etrn_restrictions |Optional|Reject ETRN command |
- |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b
+ | | | |E\bEf\bff\bfe\bec\bct\bt o\bof\bf |
+ |R\bRe\bes\bst\btr\bri\bic\bct\bti\bio\bon\bn l\bli\bis\bst\bt n\bna\bam\bme\be |V\bVe\ber\brs\bsi\bio\bon\bn|S\bSt\bta\bat\btu\bus\bs |R\bRE\bEJ\bJE\bEC\bCT\bT o\bor\br |
+ | | | |D\bDE\bEF\bFE\bER\bR |
+ | | | |r\bre\bes\bsu\bul\blt\bt |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | | |Reject all |
+ |smtpd_client_restrictions |All |Optional |client |
+ | | | |commands |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | | |Reject |
+ |smtpd_helo_restrictions |All |Optional |HELO/EHLO |
+ | | | |information|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | | |Reject MAIL|
+ |smtpd_sender_restrictions |All |Optional |FROM |
+ | | | |information|
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | |Required if | |
+ | |>= 2.10|smtpd_recipient_restrictions| |
+ | | |does not enforce relay |Reject RCPT|
+ |smtpd_relay_restrictions | |policy |TO |
+ | |_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |information|
+ | | | | |
+ | |< 2.10 |Not available | |
+ | | | | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | |Required if | |
+ | |>= 2.10|smtpd_relay_restrictions | |
+ | | |does not enforce relay |Reject RCPT|
+ |smtpd_recipient_restrictions | |policy |TO |
+ | |_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |information|
+ | | | | |
+ | |< 2.10 |Required | |
+ | | | | |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |smtpd_data_restrictions |>= 2.0 |Optional |Reject DATA|
+ | | | |command |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ | | | |Reject END-|
+ |smtpd_end_of_data_restrictions|>= 2.2 |Optional |OF-DATA |
+ | | | |command |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
+ |smtpd_etrn_restrictions |All |Optional |Reject ETRN|
+ | | | |command |
+ |_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b|_\b _\b _\b _\b _\b _\b _\b _\b _\b _\b _\b |
D\bDe\bel\bla\bay\bye\bed\bd e\bev\bva\bal\blu\bua\bat\bti\bio\bon\bn o\bof\bf S\bSM\bMT\bTP\bP a\bac\bcc\bce\bes\bss\bs r\bre\bes\bst\btr\bri\bic\bct\bti\bio\bon\bn l\bli\bis\bst\bts\bs
restriction lists until the RCPT TO or ETRN command. This behavior is
controlled by the smtpd_delay_reject parameter. Restriction lists are still
evaluated in the proper order of (client, helo, etrn) or (client, helo, sender,
-recipient, data, or end-of-data) restrictions. When a restriction list
-(example: client) evaluates to REJECT or DEFER the other restriction lists
-(example: helo, sender, etc.) are skipped.
+relay, recipient, data, or end-of-data) restrictions. When a restriction list
+(example: client) evaluates to REJECT or DEFER the restriction lists that
+follow (example: helo, sender, etc.) are skipped.
Around the time that smtpd_delay_reject was introduced, Postfix was also
changed to support mixed restriction lists that combine information about the
result is PERMIT, then the recipient address is accepted. And this is where
surprises can happen.
+The problem is that Postfix versions before 2.10 did not have
+smtpd_relay_restrictions. They combined the mail relay and spam blocking
+policies, under smtpd_recipient_restrictions. The result is that a permissive
+spam blocking policy could unexpectedly result in a permissive mail relay
+policy.
+
Here is an example that shows when a PERMIT result can result in too much
access permission:
3 permit_mynetworks
4 check_helo_access hash:/etc/postfix/helo_access
5 reject_unknown_helo_hostname
-6 reject_unauth_destination
+6 r\bre\bej\bje\bec\bct\bt_\b_u\bun\bna\bau\but\bth\bh_\b_d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn
7
8 /etc/postfix/helo_access:
9 localhost.localdomain PERMIT
evaluates to PERMIT for EVERY host that announces itself as
"localhost.localdomain", making Postfix an open relay for all such hosts.
-In order to avoid surprises like these with smtpd_recipient_restrictions, you
-should place non-recipient restrictions AFTER the reject_unauth_destination
-restriction, not before. In the above example, the HELO based restrictions
-should be placed AFTER reject_unauth_destination, or better, the HELO based
-restrictions should be placed under smtpd_helo_restrictions where they can do
-no harm.
+With Postfix before version 2.10 you should place non-recipient restrictions
+AFTER the reject_unauth_destination restriction, not before. In the above
+example, the HELO based restrictions should be placed AFTER
+reject_unauth_destination, or better, the HELO based restrictions should be
+placed under smtpd_helo_restrictions where they can do no harm.
+
+1 /etc/postfix/main.cf:
+2 smtpd_recipient_restrictions =
+3 permit_mynetworks
+4 r\bre\bej\bje\bec\bct\bt_\b_u\bun\bna\bau\but\bth\bh_\b_d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn
+5 check_helo_access hash:/etc/postfix/helo_access
+6 reject_unknown_helo_hostname
+7
+8 /etc/postfix/helo_access:
+9 localhost.localdomain PERMIT
+
+The above mistake will not happen with Postfix 2.10 and later, when the relay
+policy is specified under smtpd_relay_restrictions, and the spam blocking
+policy under smtpd_recipient_restrictions. Then, a permissive spam blocking
+policy will not result in a permissive mail relay policy.
S\bSM\bMT\bTP\bP a\bac\bcc\bce\bes\bss\bs r\bru\bul\ble\be t\bte\bes\bst\bti\bin\bng\bg
"connection refused" and other problems when you increase the smtpd process
limit.
+ * Line 8: reject_unauth_destination is not needed here if the mail relay
+ policy is specified with smtpd_relay_restrictions (available with Postfix
+ 2.10 and later).
+
* Lines 8, 9: always specify "check_policy_service" AFTER
"reject_unauth_destination" or else your system could become an open relay.
(in the above example, "policy") and a built-in suffix (in the above
example: "_time_limit").
- * Solaris UNIX-domain sockets do not work reliably. Use TCP sockets instead:
+ * With Solaris < 9, or Postfix < 2.10 on any Solaris version, use TCP sockets
+ instead of UNIX-domain sockets:
1 /etc/postfix/master.cf:
2 127.0.0.1:9998 inet n n n - 0 spawn
it. See the spawn(8) manpage for more information about the
transport_time_limit parameter.
+ * Line 9: reject_unauth_destination is not needed here if the mail relay
+ policy is specified with smtpd_relay_restrictions (available with Postfix
+ 2.10 and later).
+
Note: the "greylist_time_limit" parameter will not show up in
"postconf" command output before Postfix version 2.9. This limitation
applies to many parameters whose name is a combination of a master.cf
service name (in the above example, "greylist") and a built-in suffix
(in the above example: "_time_limit").
-On Solaris you must use inet: style sockets instead of unix: style, as detailed
-in the "Policy client/server configuration" section above.
+With Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet: style
+sockets instead of unix: style, as detailed in the "Policy client/server
+configuration" section above.
1 /etc/postfix/master.cf:
2 127.0.0.1:9998 inet n n n - 0 spawn
NOTES:
- * Line 9: On Solaris you must use inet: style sockets instead of unix: style,
- as detailed in the "Example: greylist policy server" section above.
+ * Line 9: On Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet:
+ style sockets instead of unix: style, as detailed in the "Example: greylist
+ policy server" section above.
+
+ * Line 5: reject_unauth_destination is not needed here if the mail relay
+ policy is specified with smtpd_relay_restrictions (available with Postfix
+ 2.10 and later).
* Line 6: Be sure to specify "check_sender_access" AFTER
"reject_unauth_destination" or else your system could become an open mail
NOTES:
- * Line 7: On Solaris you must use inet: style sockets instead of unix: style,
- as detailed in the "Example: greylist policy server" section above.
+ * Line 7: On Solaris < 9, or Postfix < 2.10 on any Solaris version, use inet:
+ style sockets instead of unix: style, as detailed in the "Example: greylist
+ policy server" section above.
+
+ * Line 5: reject_unauth_destination is not needed here if the mail relay
+ policy is specified with smtpd_relay_restrictions (available with Postfix
+ 2.10 and later).
* Lines 6-7: Be sure to specify check_sender_access and check_policy_service
AFTER reject_unauth_destination or else your system could become an open
smtp inet n - n - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
- # Postfix 2.7 and later performance feature.
- # -o smtpd_proxy_options=speed_adjust
+ # Postfix 2.7 and later performance feature.
+ # -o smtpd_proxy_options=speed_adjust
#
# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10026.
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ -o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
3 relay_domains = example.com
4 parent_domain_matches_subdomains =
5 debug_peer_list smtpd_access_maps
- 6 smtpd_recipient_restrictions =
- 7 permit_mynetworks reject_unauth_destination
- 8
- 9 relay_recipient_maps = hash:/etc/postfix/relay_recipients
- 10 transport_maps = hash:/etc/postfix/transport
- 11
- 12 /etc/postfix/relay_recipients:
- 13 user1@example.com x
- 14 user2@example.com x
- 15 . . .
- 16
- 17 /etc/postfix/transport:
- 18 example.com smtp:[inside-gateway.example.com]
+
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a smtpd_relay_restrictions =
+ 9a permit_mynetworks reject_unauth_destination
+ 10a smtpd_recipient_restrictions = ...spam blocking rules....
+
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix >= 2.10 specify "smtpd_relay_restrictions=".
+ 8b smtpd_recipient_restrictions =
+ 9b permit_mynetworks reject_unauth_destination
+ 10b ...spam blocking rules....
+
+ 11 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+ 12 transport_maps = hash:/etc/postfix/transport
+ 13
+ 14 /etc/postfix/relay_recipients:
+ 15 user1@example.com x
+ 16 user2@example.com x
+ 17 . . .
+ 18
+ 19 /etc/postfix/transport:
+ 20 example.com smtp:[inside-gateway.example.com]
Translation:
- * Lines 1-7: Accept mail from local systems in $mynetworks, and accept mail
+ * Lines 1-10: Accept mail from local systems in $mynetworks, and accept mail
from outside for "user@example.com" but not for
"user@anything.example.com". The magic is in lines 4-5.
- * Lines 9, 12-14: Define the list of valid addresses in the "example.com"
+ * Lines 11, 13-16: Define the list of valid addresses in the "example.com"
domain that can receive mail from the Internet. This prevents the mail
queue from filling up with undeliverable MAILER-DAEMON messages. If you
can't maintain a list of valid recipients then you must specify
"relay_recipient_maps =" (that is, an empty value), or you must specify an
"@example.com x" wild-card in the relay_recipients table.
- * Lines 10, 17-18: Route mail for "example.com" to the inside gateway
+ * Lines 12, 19-20: Route mail for "example.com" to the inside gateway
machine. The [] forces Postfix to do no MX lookup.
Specify d\bdb\bbm\bm instead of h\bha\bas\bsh\bh if your system uses d\bdb\bbm\bm files instead of d\bdb\bb files.
3
4 /etc/postfix/main.cf:
5 relay_domains = . . . the.backed-up.domain.tld
- 6 smtpd_recipient_restrictions =
- 7 permit_mynetworks reject_unauth_destination
- 8
- 9 # You must specify your NAT/proxy external address.
- 10 #proxy_interfaces = 1.2.3.4
- 11
- 12 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a smtpd_relay_restrictions =
+ 9a permit_mynetworks reject_unauth_destination
+ 10a smtpd_recipient_restrictions = ...spam blocking rules....
+
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix >= 2.10 specify "smtpd_relay_restrictions=".
+ 8b smtpd_recipient_restrictions =
+ 9b permit_mynetworks reject_unauth_destination
+ 10b ...spam blocking rules....
+
+ 11 # You must specify your NAT/proxy external address.
+ 12 #proxy_interfaces = 1.2.3.4
13
- 14 /etc/postfix/relay_recipients:
- 15 user1@the.backed-up.domain.tld x
- 16 user2@the.backed-up.domain.tld x
- 17 . . .
+ 14 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+ 15
+ 16 /etc/postfix/relay_recipients:
+ 17 user1@the.backed-up.domain.tld x
+ 18 user2@the.backed-up.domain.tld x
+ 19 . . .
When your system is PRIMARY MX host for a remote site you need the above, plus:
- 18 /etc/postfix/main.cf:
- 19 transport_maps = hash:/etc/postfix/transport
- 20
- 21 /etc/postfix/transport:
- 22 the.backed-up.domain.tld relay:[their.mail.host.tld]
+ 20 /etc/postfix/main.cf:
+ 21 transport_maps = hash:/etc/postfix/transport
+ 22
+ 23 /etc/postfix/transport:
+ 24 the.backed-up.domain.tld relay:[their.mail.host.tld]
Important notes:
* Do not list the.backed-up.domain.tld in virtual_mailbox_domains.
- * Lines 1-7: Forward mail from the Internet for "the.backed-up.domain.tld" to
+ * Lines 1-9: Forward mail from the Internet for "the.backed-up.domain.tld" to
the primary MX host for that domain.
- * Line 10: This is a must if Postfix receives mail via a NAT relay or proxy
+ * Line 12: This is a must if Postfix receives mail via a NAT relay or proxy
that presents a different IP address to the world than the local machine.
- * Lines 12-16: Define the list of valid addresses in the "the.backed-
+ * Lines 14-18: Define the list of valid addresses in the "the.backed-
up.domain.tld" domain. This prevents your mail queue from filling up with
undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid
recipients then you must specify "relay_recipient_maps =" (that is, an
empty value), or you must specify an "@the.backed-up.domain.tld x" wild-
card in the relay_recipients table.
- * Line 22: The [] forces Postfix to do no MX lookup.
+ * Line 24: The [] forces Postfix to do no MX lookup.
Specify d\bdb\bbm\bm instead of h\bha\bas\bsh\bh if your system uses d\bdb\bbm\bm files instead of d\bdb\bb files.
To find out what lookup tables Postfix supports, use the command "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-m\bm".
Example:
+ # With Postfix 2.10 and later, the mail relay policy is
+ # preferably specified under smtpd_relay_restrictions.
+ /etc/postfix/main.cf:
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ reject_unauth_destination
+
+ # Older configurations combine relay control and spam control under
+ # smtpd_recipient_restrictions. To use this example with Postfix >=
+ # 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- ...
+ permit_mynetworks
permit_tls_clientcerts
reject_unauth_destination
- ...
+ ...other rules...
Example: Postfix lookup tables are in the form of (key, value) pairs. Since we
only need the key, the value can be chosen freely, e.g. the name of the user or
the server supports. With SSLv3 and later, the server may choose its own most
preferred cipher that is supported (offered) by the client. Setting
"tls_preempt_cipherlist = yes" enables server cipher preferences. The default
-OpenSSL behaviour applies with "tls_preempt_cipherlist = no".
+OpenSSL behavior applies with "tls_preempt_cipherlist = no".
While server cipher selection may in some cases lead to a more secure or
performant cipher choice, there is some risk of interoperability issues. In the
overrides them explicitly. The values shown are the recommended ones.
You can use the smtpd_command_filter feature to append XVERP to SMTP commands
-from legacy sofware. This requires Postfix 2.7 or later.
+from legacy software. This requires Postfix 2.7 or later.
/etc/postfix/main.cf:
smtpd_command_filter = pcre:/etc/postfix/append_verp.pcre
If you upgrade from Postfix 2.8 or earlier, read RELEASE_NOTES-2.9
before proceeding.
+Incompatible changes with snapshot 20121007
+===========================================
+
+As part of a forward compatibility safety net, the Postfix installation
+procedure adds the following smtpd_relay_restrictions entry to
+main.cf when there is none:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ defer_unauth_destination
+
+If your site has a complex mail relay policy configured under
+smtpd_recipient_restrictions, this safety net will defer mail that
+the built-in smtpd_relay_restrictions setting would bounce.
+
+To eliminate this safety net, take one of the following three
+actions:
+
+- Set smtpd_relay_restrictions empty, and keep using the existing
+ mail relay authorization policy in smtpd_recipient_restrictions.
+
+- Copy the existing mail relay authorization policy from
+ smtpd_recipient_restrictions to smtpd_relay_restrictions.
+
+- Set smtpd_relay_restrictions by hand to the new built-in
+ policy: permit_mynetworks reject_unauth_destination.
+
+There is no need to change the value of smtpd_recipient_restrictions.
+
+
+Major changes with snapshot 20121007
+====================================
+
+This version introduces the smtpd_relay_restrictions feature
+for mail relay control. The new built-in default settings are:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ reject_unauth_destination
+
+ smtpd_recipient_restrictions =
+ ( optional spam blocking rules would go here )
+
+For comparison, this is the Postfix before 2.10 default:
+
+ smtpd_recipient_restrictions =
+ permit_mynetworks
+ reject_unauth_destination
+ ( optional spam blocking rules would go here )
+
+With Postfix versions before 2.10, the mail relay policy and spam
+blocking policy were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration.
+
+As of Postfix 2.10, the mail relay policy is preferably implemented
+with smtpd_relay_restrictions, so that a permissive spam blocking
+policy under smtpd_recipient_restrictions will not unexpectedly
+result in a permissive mail relay policy.
+
+As usual, this new feature is introduced with safety nets to prevent
+surprises when a site upgrades from an earlier Postfix release.
+
+1 - FORWARD COMPATIBILITY SAFETY NET: the Postfix installation
+ procedure adds the following smtpd_relay_restrictions entry to
+ main.cf when there is none:
+
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_sasl_authenticated
+ defer_unauth_destination
+
+ If your site has a complex mail relay policy configured under
+ smtpd_recipient_restrictions, this safety net will defer mail
+ that the built-in smtpd_relay_restrictions setting would bounce.
+
+ To eliminate this safety net, take one of the following three
+ actions:
+
+ - Set smtpd_relay_restrictions empty, and keep using the existing
+ mail relay authorization policy in smtpd_recipient_restrictions.
+
+ - Copy the existing mail relay authorization policy from
+ smtpd_recipient_restrictions to smtpd_relay_restrictions.
+
+ - Set smtpd_relay_restrictions by hand to the new built-in
+ policy: permit_mynetworks reject_unauth_destination.
+
+ There is no need to change the value of smtpd_recipient_restrictions.
+
+2 - BACKWARDS COMPATIBILITY SAFETY NET: sites that migrate from
+ Postfix versions before 2.10 can set smtpd_relay_restrictions
+ to the empty value, and use smtpd_recipient_restrictions exactly
+ as they used it before.
+
+Incompatible changes with snapshot 20120924
+===========================================
+
+Postfix no longer uses FIFOs to emulate UNIX-domain sockets on
+Solaris 9 (Vintage 2002!) and later. If you install Postfix for
+the first time on an older Solaris system, edit the master.cf file
+and replace "unix" with "fifo" for the pickup and qmgr services.
+
+Major changes with snapshot 20120924
+====================================
+
+Laptop-friendliness: the default master.cf file now uses "unix"
+instead of "fifo" for the pickup and qmgr services. This avoids
+periodic disk drive spin-up.
+
Incompatible changes with snapshot 20120625
===========================================
postscreen_upstream_proxy_protocol = haproxy
smtpd_upstream_proxy_protocol = haproxy
-Note 1: smtpd_upstream_proxy_protocol can't be used behind postscreen.
+Note 1: smtpd_upstream_proxy_protocol can't be used in smtpd processes
+that are behind postscreen. Configure postscreen_upstream_proxy_protocol
+instead.
Note 2: To use the nginx proxy with smtpd(8), enable the XCLIENT
protocol with smtpd_authorized_xclient_hosts. This supports SASL
Things to do after the stable release:
+ Spellcheck and double-word check.
+
Don't forget Apple's code donation for fetching mail from
IMAP server.
Make "rename" the default when postmapping a DB file
(later: use copy+rename for postmap -i, postmap -d).
- On most systems, switching the qmgr and pickup services
- from "fifo" to "unix" endpoints can avoid disk spin-up due
- to mtime changes. However, Postfix on Solaris emulates
- UNIX-domain sockets by sending a file handle through a FIFO.
- Either we need to a) find out if a Solaris FIFO is a "unix"
- or "fifo" endpoint (parsing master.cf is not an option for
- chrooted daemons), or b) silently implement a Solaris "fifo"
- endpoint as if master.cf says "unix", so that all Solaris
- FIFOs are emulated UNIX-domain endpoints. Or, we bite the
- bullet and stop emulating UNIX-domain onver FIFOs.
-
Service-name parameters aren't documented in daemon manpages.
When faking up the DSN ORCPT, don't send bare usernames
test "`$POSTCONF -dh inet_protocols`" = "ipv4" ||
test -n "`$POSTCONF -c $config_directory -nh inet_protocols`" || {
- echo COMPATIBILITY: editing main.cf, setting inet_protocols=ipv4.
- echo Specify inet_protocols explicitly if you want to enable IPv6.
- echo In a future release IPv6 will be enabled by default.
+ cat <<EOF | ${FMT}
+ COMPATIBILITY: editing $config_directory/main.cf, setting
+ inet_protocols=ipv4. Specify inet_protocols explicitly if you
+ want to enable IPv6.
+ In a future release IPv6 will be enabled by default.
+EOF
$POSTCONF -c $config_directory inet_protocols=ipv4 || exit 1
}
+
+ # Postfix 2.10.
+ # Safety net for incompatible changes due to the introduction
+ # of the smtpd_relay_restrictions feature to separate the
+ # mail relay policy from the spam blocking policy.
+ # PLEASE DO NOT REMOVE THIS CODE. ITS PURPOSE IS TO PREVENT
+ # INBOUND MAIL FROM UNEXPECTEDLY BOUNCING AFTER UPGRADING FROM
+ # POSTFIX BEFORE 2.10.
+ test -n "`$POSTCONF -c $config_directory -nh smtpd_relay_restrictions`" || {
+ cat <<EOF | ${FMT}
+ COMPATIBILITY: editing $config_directory/main.cf, overriding
+ smtpd_relay_restrictions to prevent inbound mail from
+ unexpectedly bouncing.
+ Specify an empty smtpd_relay_restrictions value to keep using
+ smtpd_recipient_restrictions as before.
+EOF
+ $POSTCONF -c $config_directory "smtpd_relay_restrictions = \
+ permit_mynetworks permit_sasl_authenticated \
+ defer_unauth_destination" || exit 1
+ }
}
# A reminder if this is the first time Postfix is being installed.
<td rowspan="3" align="center" valign="bottom"> <tt> -> </tt>
</td>
- <td rowspan="3" align="center" valign="middle"> probe<br>
- message </td>
+ <td rowspan="3" align="center" valign="middle"> probe<br>
+ message </td>
<td rowspan="3" align="center" valign="middle"> <tt> -> </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- Postfix<br> mail<br> queue </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+ Postfix<br> mail<br> queue </td>
</tr>
<td rowspan="3" align="center" valign="middle"> <tt> -> </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="smtpd.8.html">Postfix<br> SMTP<br> server</a> </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="smtpd.8.html">Postfix<br> SMTP<br> server</a> </td>
<td rowspan="3" align="center" valign="middle"> <tt> <->
</tt> </td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="verify.8.html">Postfix<br> verify<br> server</a>
- </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="verify.8.html">Postfix<br> verify<br> server</a>
+ </td>
</tr>
<td rowspan="3" align="center" valign="top"> <tt> <- </tt>
</td>
- <td rowspan="3" align="center" valign="middle"> probe<br>
- status </td>
+ <td rowspan="3" align="center" valign="middle"> probe<br>
+ status </td>
<td rowspan="3" align="center" valign="middle"> <tt> <- </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- Postfix<br> delivery<br> agents </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+ Postfix<br> delivery<br> agents </td>
<td rowspan="3" align="left" valign="middle"> <tt>-></tt>
Local<br> <tt>-></tt> Remote</td>
<td rowspan="3" colspan="4" align="center" valign="middle">
</td>
- <td rowspan="3" align="center" valign="middle"> <tt>
- ^</tt><br> <tt> |</tt><br> <tt> v</tt> </td>
+ <td rowspan="3" align="center" valign="middle"> <tt>
+ ^</tt><br> <tt> |</tt><br> <tt> v</tt> </td>
</tr>
<td colspan="4" align="center" valign="middle"> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- Address<br> verification<br> database </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+ Address<br> verification<br> database </td>
</tr>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+ # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
+ # relay policy is specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+ # (available with Postfix 2.10 and later).
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
...
<a href="postconf.5.html#reject_unknown_recipient_domain">reject_unknown_recipient_domain</a>
<p> The <a href="postconf.5.html#unverified_sender_reject_reason">unverified_sender_reject_reason</a> parameter (default:
empty) specifies fixed text that Postfix will send to remote SMTP
-clients, instead of sending actual addres verification details.
+clients, instead of sending actual address verification details.
Do not specify the SMTP status code or enhanced status code. </p>
<p> The <a href="postconf.5.html#unverified_sender_tempfail_action">unverified_sender_tempfail_action</a> parameter (default:
<td colspan="2"> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="QSHAPE_README.html#maildrop_queue"> maildrop <br>
- queue </a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="QSHAPE_README.html#maildrop_queue"> maildrop <br>
+ queue </a> </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
- <a href="postdrop.1.html">postdrop(1)</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
+
<a href="postdrop.1.html">postdrop(1)</a> </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
- <a href="sendmail.1.html">sendmail(1)</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
+
<a href="sendmail.1.html">sendmail(1)</a> </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Content
- <br> filter </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Content
+ <br> filter </td>
<td colspan="2"> </td>
-o <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>=
-o <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>=
-o <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>=
+ # Postfix 2.10 and later: specify empty <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+ -o <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=
-o <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>=<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,reject
-o <a href="postconf.5.html#mynetworks">mynetworks</a>=127.0.0.0/8
-o <a href="postconf.5.html#smtpd_authorized_xforward_hosts">smtpd_authorized_xforward_hosts</a>=127.0.0.0/8
<hr>
+<h2> Host lookup issues </h2>
+
+<p> By default Linux /etc/hosts lookups do not support multiple IP
+address per hostname. This causes warnings from the Postfix SMTP
+server that "hostname XXX does not resolve to address YYY", and is
+especially a problem with hosts that have both IPv4 and IPv6
+addresses. To fix, turn on support for multiple IP addresses: </p>
+
+<blockquote>
+<pre>
+/etc/host.conf:
+ ...
+ # We have machines with multiple IP addresses.
+ multi on
+ ...
+</pre>
+</blockquote>
+
<h2>Berkeley DB issues</h2>
<p> If you can't compile Postfix because the file "db.h"
# With multiple instances, rarely need "-o param=value" overrides
# in <a href="master.5.html">master.cf</a>, each instance gets its own <a href="postconf.5.html">main.cf</a> file.
#
+ # Postfix 2.10 and later: specify empty <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+ <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, reject
# Tolerate occasional high latency in the content filter.
<p> The <a href="tlsproxy.8.html">tlsproxy(8)</a> implementation led to the discovery of a "new"
class of vulnerability (<a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411"
->CVE-2011-0411</a>) that affected multiple implementations of TLS
-over SMTP, POP, IMAP, NNTP, and FTP. </p>
+>CVE-2011-0411</a>) that affected multiple implementations of SMTP,
+POP, IMAP, NNTP, and FTP over TLS. </p>
<p> <a href="postscreen.8.html">postscreen(8)</a> was officially released as part of the Postfix
2.8 stable release in January 2011.</p>
permissive = permit
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> hash:/etc/postfix/recipient_access
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+ # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
+ # relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+ # (available with Postfix 2.10 and later).
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ <a href="postconf.5.html#check_recipient_access">check_recipient_access</a> hash:/etc/postfix/recipient_access
+ ...
/etc/postfix/recipient_access:
- joe@my.domain permissive
- jane@my.domain restrictive
+ joe@my.domain permissive
+ jane@my.domain restrictive
</pre>
</blockquote>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ ...
<a href="postconf.5.html#check_recipient_access">check_recipient_access</a> hash:/etc/postfix/access
<i>...the usual stuff...</i>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ ...
<a href="postconf.5.html#check_recipient_access">check_recipient_access</a> hash:/etc/postfix/protected_destinations
<i>...the usual stuff...</i>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ ...
<a href="postconf.5.html#check_sender_access">check_sender_access</a> hash:/etc/postfix/restricted_senders
<i>...other stuff...</i>
<h4><a name="server_sasl_authz_relay">Mail relay authorization</a></h4>
-<p> The <code><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></code> restriction allows
+<p> With <code><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></code> the Postfix SMTP
+server can allow
SASL-authenticated SMTP clients to send mail to remote destinations.
-Add it to the list of <code><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a></code> as
-follows: </p>
+Examples:
+</p>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+ <strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+</pre>
+
+<pre>
+# Older configurations combine relay control and spam control under
+# <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. To use this example with Postfix ≥
+# 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- ...
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- ...
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+ <strong><a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a></strong>
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ ...other rules...
</pre>
</blockquote>
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
...
<strong><a href="postconf.5.html#reject_sender_login_mismatch">reject_sender_login_mismatch</a></strong>
- <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
- <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
- <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>
...
</pre>
</blockquote>
</blockquote>
<p> Instead of port 25 (smtp), specify port 587 (submission) where
-appriopriate. </p>
+appropriate. </p>
<h4>Encrypted SMTP session (TLS)</h4>
<p> By default, Postfix has a moderately restrictive approach to
mail relaying. Postfix forwards mail only from clients in trusted
-networks, or to domains that are configured as authorized relay
-destinations. For a description of the default policy, see the
-<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter in the <a href="postconf.5.html">postconf(5)</a> manual
-page, and the information that is referenced from there. </p>
+networks, from clients that have authenticated with SASL, or to
+domains that are configured as authorized relay
+destinations. For a description of the default mail relay policy,
+see the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter in the <a href="postconf.5.html">postconf(5)</a> manual
+page, and the information that is referenced from there. </p>
+
+<blockquote> <p> NOTE: Postfix versions before 2.10 did not have
+<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>. They combined the mail relay and spam
+blocking policies, under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. This could
+lead to unexpected results. For example, a permissive spam blocking
+policy could unexpectedly result in a permissive mail relay policy.
+An example of this is documented under "<a href="#danger">Dangerous
+use of smtpd_recipient_restrictions</a>". </p> </blockquote>
<p> Most of the Postfix SMTP server access controls are targeted
at stopping junk email. </p>
# Don't accept mail from domains that don't exist.
<a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> = <a href="postconf.5.html#reject_unknown_sender_domain">reject_unknown_sender_domain</a>
- # Whitelisting: local clients may specify any destination domain.
- <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ # Relay control (Postfix 2.10 and later): local clients and
+ # authenticated clients may specify any destination domain.
+ <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+
+ # Spam control: exclude local clients and authenticated clients
+ # from DNSBL lookups.
+ <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,
+ <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>,
+ # <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if the mail
+ # relay policy is specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+ # (available with Postfix 2.10 and later).
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+ <a href="postconf.5.html#reject_rbl_client">reject_rbl_client</a> zen.spamhaus.org,
+ <a href="postconf.5.html#reject_rhsbl_helo">reject_rhsbl_helo</a> dbl.spamhaus.org,
+ <a href="postconf.5.html#reject_rhsbl_sender">reject_rhsbl_sender</a> dbl.spamhaus.org
# Block clients that speak too early.
<a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> = <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a>
<table border="1">
-<tr> <th> Restriction list name </th> <th> Status </th> <th> Effect
+<tr> <th> Restriction list name </th> <th> Version </th> <th> Status
+</th> <th> Effect
of REJECT or DEFER result </th> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> </td> <td> All </td> <td>
+Optional </td> <td>
Reject all client commands </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> </td> <td> All </td> <td> Optional
+</td> <td>
Reject HELO/EHLO information </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> </td> <td> All </td> <td>
+Optional </td> <td>
Reject MAIL FROM information </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> </td> <td> Required </td>
-<td> Reject RCPT TO information </td> </tr>
+<tr> <td rowspan="2"> <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> </td> <td> ≥ 2.10
+</td> <td> Required if <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> does not enforce
+relay policy</td>
+<td rowspan="2"> Reject RCPT TO information </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> < 2.10</td> <td> Not available </td>
+</tr>
+
+<tr> <td rowspan="2"> <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> </td> <td> ≥
+2.10 </td> <td> Required if <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> does not enforce
+relay policy</td>
+<td rowspan="2"> Reject RCPT TO information </td> </tr>
+
+<tr> <td> < 2.10</td> <td> Required </td> </tr>
+
+<tr> <td> <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> </td> <td> ≥ 2.0 </td> <td>
+Optional </td> <td>
Reject DATA command </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> <a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> </td> <td> ≥ 2.2 </td>
+<td> Optional </td> <td>
Reject END-OF-DATA command </td> </tr>
-<tr> <td> <a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> </td> <td> Optional </td> <td>
+<tr> <td> <a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> </td> <td> All </td> <td> Optional
+</td> <td>
Reject ETRN command </td> </tr>
</table>
helo and sender restriction lists until the RCPT TO or ETRN command.
This behavior is controlled by the <a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> parameter.
Restriction lists are still evaluated in the proper order of (client,
-helo, etrn) or (client, helo, sender, recipient, data, or end-of-data)
-restrictions.
+helo, etrn) or (client, helo, sender, relay, recipient, data, or
+end-of-data) restrictions.
When a restriction list (example: client) evaluates to REJECT or
-DEFER the other restriction lists (example: helo, sender, etc.)
+DEFER the restriction lists that follow (example: helo, sender, etc.)
are skipped. </p>
<p> Around the time that <a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> was introduced, Postfix
no surprises here. If the result is PERMIT, then the recipient
address is accepted. And this is where surprises can happen. </p>
+<p> The problem is that Postfix versions before 2.10 did not have
+<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>. They combined the mail relay and spam
+blocking policies, under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. The result
+is that a permissive spam blocking policy could unexpectedly result
+in a permissive mail relay policy. </p>
+
<p> Here is an example that shows when a PERMIT result can result
in too much access permission: </p>
3 <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
4 <a href="postconf.5.html#check_helo_access">check_helo_access</a> hash:/etc/postfix/helo_access
5 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>
-6 <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+6 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>
7
8 /etc/postfix/helo_access:
9 localhost.localdomain PERMIT
that announces itself as "localhost.localdomain", making Postfix
an open relay for all such hosts. </p>
-<p> In order to avoid surprises like these with
-<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>, you should place non-recipient
+<p> With Postfix before version 2.10 you should place non-recipient
restrictions AFTER the <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> restriction, not
before. In the above example, the HELO based restrictions should
be placed AFTER <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>, or better, the HELO
based restrictions should be placed under <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>
where they can do no harm. </p>
+<pre>
+1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+2 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+3 <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+4 <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a></b>
+5 <a href="postconf.5.html#check_helo_access">check_helo_access</a> hash:/etc/postfix/helo_access
+6 <a href="postconf.5.html#reject_unknown_helo_hostname">reject_unknown_helo_hostname</a>
+7
+8 /etc/postfix/helo_access:
+9 localhost.localdomain PERMIT
+</pre>
+
+<p> The above mistake will not happen with Postfix 2.10 and later,
+when the relay policy is specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>,
+and the spam blocking policy under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
+Then, a permissive spam blocking policy will not result in a
+permissive mail relay policy. </p>
+
<h2> <a name="testing"> SMTP access rule testing </a> </h2>
<p> Postfix has several features that aid in SMTP access rule
"-", to avoid "connection refused" and other problems when you
increase the smtpd process limit. </p>
+<li> <p> Line 8: <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if
+the mail relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Lines 8, 9: always specify "<a href="postconf.5.html#check_policy_service">check_policy_service</a>" AFTER
"<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" or else your system could become an
open relay. </p>
built-in suffix (in the above example: "_time_limit"). </p>
</blockquote>
-<li> <p> Solaris UNIX-domain sockets do not work reliably. Use
-TCP sockets instead: </p>
+<li> <p> With Solaris < 9, or Postfix < 2.10 on any Solaris
+version, use TCP sockets instead of UNIX-domain sockets: </p>
</ul>
See the <a href="spawn.8.html">spawn(8)</a> manpage for more information about the
<a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameter. </p>
+<li> <p> Line 9: <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if
+the mail relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+(available with Postfix 2.10 and later). </p>
+
<blockquote> <p> Note: the "<a href="postconf.5.html#transport_time_limit">greylist_time_limit</a>" parameter will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
</ul>
-<p> On Solaris you must use inet: style sockets instead of unix:
+<p> With Solaris < 9, or Postfix < 2.10 on any Solaris
+version, use inet: style sockets instead of unix:
style, as detailed in the "<a href="#client_config">Policy
client/server configuration</a>" section above. </p>
<ul>
-<li> <p> Line 9: On Solaris you must use inet: style sockets
+<li> <p> Line 9: On Solaris < 9, or Postfix < 2.10 on any
+Solaris version, use inet: style sockets
instead of unix: style, as detailed in the "<a href="#greylist">Example:
greylist policy server</a>" section above. </p>
+<li> <p> Line 5: <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if
+the mail relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Line 6: Be sure to specify "<a href="postconf.5.html#check_sender_access">check_sender_access</a>" AFTER
"<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>" or else your system could become an
open mail relay. </p>
<ul>
-<li> <p> Line 7: On Solaris you must use inet: style sockets
+<li> <p> Line 7: On Solaris < 9, or Postfix < 2.10 on any
+Solaris version, use inet: style sockets
instead of unix: style, as detailed in the "<a href="#greylist">Example:
greylist policy server</a>" section above. </p>
+<li> <p> Line 5: <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> is not needed here if
+the mail relay policy is specified with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Lines 6-7: Be sure to specify <a href="postconf.5.html#check_sender_access">check_sender_access</a> and
<a href="postconf.5.html#check_policy_service">check_policy_service</a> AFTER <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a> or else your
system could become an open mail relay. </p>
<tr>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> Internet </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> Internet </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
- </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
+ </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <b>Before</b> <b>queue</b> <b>filter</b> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> <b>Before</b> <b>queue</b> <b>filter</b> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
- </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
+ </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="cleanup.8.html">Postfix cleanup
- server</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="cleanup.8.html">Postfix cleanup
+ server</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> Postfix queue </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> Postfix queue </td>
<td align="center" valign="middle" width="5%"> <tt> -< </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtp.8.html">smtp</a><br> <a
- href="local.8.html">local</a><br> <a
- href="virtual.8.html">virtual</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtp.8.html">smtp</a><br> <a
+
href="local.8.html">local</a><br> <a
+ href="virtual.8.html">virtual</a> </td>
</tr>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
- port 25</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
+ port 25</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> filter on localhost port 10025 </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> filter on localhost port 10025 </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
- localhost port 10026</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
+ localhost port 10026</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="cleanup.8.html">Postfix cleanup
- server</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="cleanup.8.html">Postfix cleanup
+ server</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
smtp inet n - n - 20 smtpd
-o <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>=127.0.0.1:10025
-o <a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>=10
- # Postfix 2.7 and later performance feature.
- # -o <a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a>=speed_adjust
+ # Postfix 2.7 and later performance feature.
+
# -o <a href="postconf.5.html#smtpd_proxy_options">smtpd_proxy_options</a>=speed_adjust
#
# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10026.
-o <a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a>=
-o <a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a>=
-o <a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a>=
+ # Postfix 2.10 and later: specify empty <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+ -o <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=
-o <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>=<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,reject
-o <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a>=
-o <a href="postconf.5.html#mynetworks">mynetworks</a>=127.0.0.0/8
3 <a href="postconf.5.html#relay_domains">relay_domains</a> = example.com
4 <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> =
5 <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> smtpd_access_maps
- 6 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- 7 <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- 8
- 9 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = hash:/etc/postfix/relay_recipients
-10 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
-11
-12 /etc/postfix/relay_recipients:
-13 user1@example.com x
-14 user2@example.com x
-15 . . .
-16
-17 /etc/postfix/transport:
-18 example.com <a href="smtp.8.html">smtp</a>:[inside-gateway.example.com]
+<br>
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
+ 9a <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+10a <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = ...spam blocking rules....
+<br>
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix ≥ 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
+ 8b <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ 9b <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+10b ...spam blocking rules....
+<br>
+11 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = hash:/etc/postfix/relay_recipients
+12 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
+13
+14 /etc/postfix/relay_recipients:
+15 user1@example.com x
+16 user2@example.com x
+17 . . .
+18
+19 /etc/postfix/transport:
+20 example.com <a href="smtp.8.html">smtp</a>:[inside-gateway.example.com]
</pre>
</blockquote>
<p> Translation: </p>
<ul>
-
-<li><p> Lines 1-
7: Accept mail from local systems in $<a href="postconf.5.html#mynetworks">mynetworks</a>,
+
+<li><p> Lines 1-
10: Accept mail from local systems in $<a href="postconf.5.html#mynetworks">mynetworks</a>,
and accept mail from outside for "user@example.com" but not for
"user@anything.example.com". The magic is in lines 4-5. </p>
-<li> <p> Lines 9, 12-14: Define the list of valid addresses in the
+<li> <p> Lines 11, 13-16: Define the list of valid addresses in the
"example.com" domain that can receive mail from the Internet. This
prevents the mail queue from filling up with undeliverable
MAILER-DAEMON messages. If you can't maintain a list of valid
is, an empty value), or you must specify an "@example.com x"
wild-card in the relay_recipients table. </p>
-<li> <p> Lines 10, 17-18: Route mail for "example.com" to the inside
+<li> <p> Lines 12, 19-20: Route mail for "example.com" to the inside
gateway machine. The <tt>[]</tt> forces Postfix to do no MX lookup.
</p>
3
4 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
5 <a href="postconf.5.html#relay_domains">relay_domains</a> = . . . the.backed-up.domain.tld
- 6 <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- 7 <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- 8
- 9 # You must specify your NAT/proxy external address.
-10 #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4
-11
-12 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = hash:/etc/postfix/relay_recipients
+<br>
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
+ 9a <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+10a <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = ...spam blocking rules....
+<br>
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix ≥ 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
+ 8b <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
+ 9b <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a> <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+10b ...spam blocking rules....
+<br>
+11 # You must specify your NAT/proxy external address.
+12 #<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> = 1.2.3.4
13
-14 /etc/postfix/relay_recipients:
-15 user1@the.backed-up.domain.tld x
-16 user2@the.backed-up.domain.tld x
-17 . . .
+14 <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> = hash:/etc/postfix/relay_recipients
+15
+16 /etc/postfix/relay_recipients:
+17 user1@the.backed-up.domain.tld x
+18 user2@the.backed-up.domain.tld x
+19 . . .
</pre>
</blockquote>
<blockquote>
<pre>
-
18 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
-
19 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
-20
-21 /etc/postfix/transport:
-22 the.backed-up.domain.tld relay:[their.mail.host.tld]
+
20 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+
21 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
+22
+23 /etc/postfix/transport:
+24 the.backed-up.domain.tld relay:[their.mail.host.tld]
</pre>
</blockquote>
<li><p>Do not list the.backed-up.domain.tld in <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.</p>
-<li> <p> Lines 1-7: Forward mail from the Internet for
+<li> <p> Lines 1-9: Forward mail from the Internet for
"the.backed-up.domain.tld" to the primary MX host for that domain.
</p>
-<li> <p> Line 10: This is a must if Postfix receives mail via a
+<li> <p> Line 12: This is a must if Postfix receives mail via a
NAT relay or proxy that presents a different IP address to the
world than the local machine. </p>
-<li> <p> Lines 12-16: Define the list of valid addresses in the
+<li> <p> Lines 14-18: Define the list of valid addresses in the
"the.backed-up.domain.tld" domain. This prevents your mail queue
from filling up with undeliverable MAILER-DAEMON messages. If you
can't maintain a list of valid recipients then you must specify
specify an "@the.backed-up.domain.tld x" wild-card in the
relay_recipients table. </p>
-<li> <p> Line 22: The <tt>[]</tt> forces Postfix to do no MX lookup. </p>
+<li> <p> Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup. </p>
</ul>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
+ <a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
+ <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+</pre>
+
+<pre>
+# Older configurations combine relay control and spam control under
+# <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>. To use this example with Postfix ≥
+# 2.10 specify "<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>=".
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
- ...
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>
<a href="postconf.5.html#permit_tls_clientcerts">permit_tls_clientcerts</a>
<a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
- ...
+ ...other rules...
</pre>
</blockquote>
cipher that the server supports. With SSLv3 and later, the server
may choose its own most preferred cipher that is supported (offered)
by the client. Setting "<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = yes" enables server
-cipher preferences. The default OpenSSL behaviour applies with
+cipher preferences. The default OpenSSL behavior applies with
"<a href="postconf.5.html#tls_preempt_cipherlist">tls_preempt_cipherlist</a> = no". </p>
<p> While server cipher selection may in some cases lead to a more secure
recommended ones. </p>
<p> You can use the <a href="postconf.5.html#smtpd_command_filter">smtpd_command_filter</a> feature to append XVERP
-to SMTP commands from legacy sofware. This requires Postfix 2.7
+to SMTP commands from legacy software. This requires Postfix 2.7
or later. </p>
<blockquote>
<DT><b><a name="dnsblog_reply_delay">dnsblog_reply_delay</a>
(default: 0s)</b></DT><DD>
-<p> A debugging aid to artifically delay DNS responses. </p>
+<p> A debugging aid to artificially delay DNS responses. </p>
<p> This feature is available in Postfix 2.8. </p>
the
server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed". The default setting is backwards
-compatible to avoid the infinetisimal possibility of breaking
+compatible to avoid the infinitesimal possibility of breaking
existing LMTP-based content filters. </p>
<p>
In particular, "trusted" SMTP clients are allowed to relay mail
-through Postfix. See the <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter
+through Postfix. See the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> parameter
description in the <a href="postconf.5.html">postconf(5)</a> manual.
</p>
<p> The number of clients that can be waiting for service from a
real Postfix SMTP server process. When this queue is full, all
clients will
-receive a 421 reponse. </p>
+receive a 421 response. </p>
<p> This feature is available in Postfix 2.8. </p>
a decision whether they will receive service from a real Postfix
SMTP server
process. When this queue is full, all non-whitelisted clients will
-receive a 421 reponse. </p>
+receive a 421 response. </p>
<p> This feature is available in Postfix 2.8. </p>
SSLv3 set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
(default: empty)</b></DT><DD>
<p>
-Optional Postfix SMTP server access restrictions in the context of
-a remote SMTP client connection request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client connection request.
See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
(default: empty)</b></DT><DD>
<p>
-Optional SMTP server access restrictions in the context of a client
-ETRN request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client ETRN command.
See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
<p>
Optional restrictions that the Postfix SMTP server applies in the
-context of the SMTP HELO command.
+context of a client HELO command.
See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
</DD>
<DT><b><a name="smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>
-(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b></DT><DD>
+(default: see "postconf -d" output)</b></DT><DD>
<p>
-The access restrictions that the Postfix SMTP server applies in
-the context of the RCPT TO command.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client RCPT TO command, after <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
-<p>
-By default, the Postfix SMTP server accepts:
-</p>
+<p> With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>,
+so that a permissive spam blocking policy under
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> will no longer result in a permissive
+mail relay policy. </p>
-<ul>
-
-<li> Mail from clients whose IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>, or:
-
-<li> Mail to remote destinations that match $<a href="postconf.5.html#relay_domains">relay_domains</a>, except
-for addresses that contain sender-specified routing
-(user@elsewhere@domain), or:
-
-<li> Mail to local destinations that match $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
-or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or
-$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
-
-</ul>
+<p> For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> to the empty
+value, and use <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> exactly as before. </p>
<p>
-IMPORTANT: If you change this parameter setting, you must specify
+IMPORTANT: Either the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> or the
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter must specify
at least one of the following restrictions. Otherwise Postfix will
refuse to receive mail:
</p>
<blockquote>
<pre>
-reject, defer, <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+reject, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+defer, <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>, <a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>
</pre>
</blockquote>
$<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or $<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>, and contains
no sender-specified routing (user@elsewhere@domain).
-</ul>
The <a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> parameter specifies the response
+</ul>The <a href="postconf.5.html#relay_domains_reject_code">relay_domains_reject_code</a> parameter specifies the response
code for rejected requests (default: 554). </dd>
+<dt><b><a name="defer_unauth_destination">defer_unauth_destination</a></b></dt>
+
+<dd> Reject the same requests as <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>, with a
+non-permanent error code. This feature is available in Postfix
+2.10 and later.</dd>
+
<dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>
<dd>Reject the request when Postfix is not final destination for
</p>
<pre>
+# The Postfix before 2.10 default mail relay policy. Later Postfix
+# versions implement this preferably with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
</pre>
</p>
+</DD>
+
+<DT><b><a name="smtpd_relay_restrictions">smtpd_relay_restrictions</a>
+(default: <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b></DT><DD>
+
+<p> Access restrictions for mail relay control that the Postfix
+SMTP server applies in the context of the RCPT TO command, before
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
+See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
+restriction lists" for a discussion of evaluation context and time.
+</p>
+
+<p> With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>,
+so that a permissive spam blocking policy under
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> will no longer result in a permissive
+mail relay policy. </p>
+
+<p> For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> to the empty
+value, and use <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> exactly as before. </p>
+
+<p>
+By default, the Postfix SMTP server accepts:
+</p>
+
+<ul>
+
+<li> Mail from clients whose IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>, or:
+
+<li> Mail to remote destinations that match $<a href="postconf.5.html#relay_domains">relay_domains</a>, except
+for addresses that contain sender-specified routing
+(user@elsewhere@domain), or:
+
+<li> Mail to local destinations that match $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>
+or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>, $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a>, or
+$<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a>.
+
+</ul>
+
+<p>
+IMPORTANT: Either the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> or the
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> parameter must specify
+at least one of the following restrictions. Otherwise Postfix will
+refuse to receive mail:
+</p>
+
+<blockquote>
+<pre>
+reject, <a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+defer, <a href="postconf.5.html#defer_if_permit">defer_if_permit</a>, <a href="postconf.5.html#defer_unauth_destination">defer_unauth_destination</a>
+</pre>
+</blockquote>
+
+<p>
+Specify a list of restrictions, separated by commas and/or whitespace.
+Continue long lines by starting the next line with whitespace.
+The same restrictions are available as documented under
+<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
+</p>
+
+<p> This feature is available in Postix 2.10 and later. </p>
+
+
</DD>
<DT><b><a name="smtpd_restriction_classes">smtpd_restriction_classes</a>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
+ <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, ...
+</pre>
+
+<pre>
+# With Postfix before 2.10, the relay policy can be
+# specified only under <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a>.
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> =
<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, <a href="postconf.5.html#permit_sasl_authenticated">permit_sasl_authenticated</a>, ...
</pre>
<p>
Optional restrictions that the Postfix SMTP server applies in the
-context of the MAIL FROM command.
+context of a client MAIL FROM command.
See <a href="SMTPD_ACCESS_README.html">SMTPD_ACCESS_README</a>, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
SSLv3 set "<a href="postconf.5.html#smtpd_tls_mandatory_protocols">smtpd_tls_mandatory_protocols</a> = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"<a href="postconf.5.html#smtpd_tls_protocols">smtpd_tls_protocols</a> = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
explicit ".domain.tld" pattern.
<b><a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> (empty)</b>
- Optional Postfix SMTP server access restrictions in
- the context of a remote SMTP client connection
+ Optional restrictions that the Postfix SMTP server
+ applies in the context of a client connection
request.
<b><a href="postconf.5.html#smtpd_helo_required">smtpd_helo_required</a> (no)</b>
<b><a href="postconf.5.html#smtpd_helo_restrictions">smtpd_helo_restrictions</a> (empty)</b>
Optional restrictions that the Postfix SMTP server
- applies in the context of the SMTP HELO command.
+ applies in the context of a client HELO command.
<b><a href="postconf.5.html#smtpd_sender_restrictions">smtpd_sender_restrictions</a> (empty)</b>
Optional restrictions that the Postfix SMTP server
- applies in the context of the MAIL FROM command.
-
- <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
- <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
- The access restrictions that the Postfix SMTP
- server applies in the context of the RCPT TO com-
+ applies in the context of a client MAIL FROM com-
mand.
+ <b><a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> (see 'postconf -d' output)</b>
+ Optional restrictions that the Postfix SMTP server
+ applies in the context of a client RCPT TO command,
+ after <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a>.
+
<b><a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> (empty)</b>
- Optional SMTP server access restrictions in the
- context of a client ETRN request.
+ Optional restrictions that the Postfix SMTP server
+ applies in the context of a client ETRN command.
<b><a href="postconf.5.html#allow_untrusted_routing">allow_untrusted_routing</a> (no)</b>
- Forward mail with sender-specified routing
- (user[@%!]remote[@%!]site) from untrusted clients
+ Forward mail with sender-specified routing
+ (user[@%!]remote[@%!]site) from untrusted clients
to destinations matching $<a href="postconf.5.html#relay_domains">relay_domains</a>.
<b><a href="postconf.5.html#smtpd_restriction_classes">smtpd_restriction_classes</a> (empty)</b>
- User-defined aliases for groups of access restric-
+ User-defined aliases for groups of access restric-
tions.
<b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a> (</b><><b>)</b>
- The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
+ The lookup key to be used in SMTP <a href="access.5.html"><b>access</b>(5)</a> tables
instead of the null sender address.
<b><a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a> (empty)</b>
Restrict the use of the <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> SMTP
- access feature to only domains whose primary MX
+ access feature to only domains whose primary MX
hosts match the listed networks.
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
+ Optional access restrictions that the Postfix SMTP
server applies in the context of the SMTP DATA com-
mand.
<b><a href="postconf.5.html#smtpd_expansion_filter">smtpd_expansion_filter</a> (see 'postconf -d' output)</b>
- What characters are allowed in $name expansions of
+ What characters are allowed in $name expansions of
RBL reply templates.
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#smtpd_reject_unlisted_sender">smtpd_reject_unlisted_sender</a> (no)</b>
- Request that the Postfix SMTP server rejects mail
- from unknown sender addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
+ Request that the Postfix SMTP server rejects mail
+ from unknown sender addresses, even when no
+ explicit <a href="postconf.5.html#reject_unlisted_sender">reject_unlisted_sender</a> access restriction
is specified.
<b><a href="postconf.5.html#smtpd_reject_unlisted_recipient">smtpd_reject_unlisted_recipient</a> (yes)</b>
- Request that the Postfix SMTP server rejects mail
+ Request that the Postfix SMTP server rejects mail
for unknown recipient addresses, even when no
- explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
+ explicit <a href="postconf.5.html#reject_unlisted_recipient">reject_unlisted_recipient</a> access restric-
tion is specified.
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a> (empty)</b>
- Optional access restrictions that the Postfix SMTP
- server applies in the context of the SMTP END-OF-
+ Optional access restrictions that the Postfix SMTP
+ server applies in the context of the SMTP END-OF-
DATA command.
+ Available in Postfix version 2.10 and later:
+
+ <b><a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> (<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>,</b>
+ <b><a href="postconf.5.html#reject_unauth_destination">reject_unauth_destination</a>)</b>
+ Access restrictions for mail relay control that the
+ Postfix SMTP server applies in the context of the
+ RCPT TO command, before <a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restric</a>-
+ <a href="postconf.5.html#smtpd_recipient_restrictions">tions</a>.
+
<b>SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS</b>
Postfix version 2.1 introduces sender and recipient
address verification. This feature is implemented by
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
Be careful when making changes. Excessively large values
will result in the loss of non-delivery notifications, when a bounce
message size exceeds a local or remote MTA's message size limit.
+.br
.SH bounce_template_file (default: empty)
Pathname of a configuration file with bounce message templates.
These override the built-in templates of delivery status notification
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
execution_directory_expansion_filter parameter.
.IP "\fB$user\fR"
The recipient's username.
+.br
.IP "\fB$shell\fR"
The recipient's login shell pathname.
+.br
.IP "\fB$home\fR"
The recipient's home directory.
+.br
.IP "\fB$recipient\fR"
The full recipient address.
+.br
.IP "\fB$extension\fR"
The optional recipient address extension.
+.br
.IP "\fB$domain\fR"
The recipient domain.
+.br
.IP "\fB$local\fR"
The entire recipient localpart.
+.br
.IP "\fB$recipient_delimiter\fR"
The system-wide recipient address extension delimiter.
+.br
.IP "\fB${name?value}\fR"
Expands to \fIvalue\fR when \fI$name\fR is non-empty.
+.br
.IP "\fB${name:value}\fR"
Expands to \fIvalue\fR when \fI$name\fR is empty.
+.br
+.br
.PP
Instead of $name you can also specify ${name} or $(name).
.PP
and commands).
.IP \(bu
The "-c" command-line option (commands only).
+.br
.PP
With Postfix command that run with set-gid privileges, a
config_directory override requires either root privileges, or it
"default_filter_nexthop = $myhostname" for compatibility with Postfix
2.6 or earlier, or specify a content_filter value with an explicit
next-hop \fIdestination\fR.
+.br
.SH cyrus_sasl_config_path (default: empty)
Search path for Cyrus SASL application configuration files,
currently used only to locate the $smtpd_sasl_path.conf file.
the notify_classes parameter value contains the "data" class, the
Postfix SMTP server and client will report transcripts of sessions
with an error because a table is unavailable.
+.br
.IP "\fB yes \fR (historical behavior)"
Immediate
termination: a daemon process logs a type "fatal" message and
terminates immediately. This option reduces the number of possible
code paths through Postfix, and may therefore be slightly more
secure than the default.
+.br
+.br
.PP
For the sake of sanity, the number of type "error" messages is
limited to 13 over the lifetime of a daemon process.
before 2.5, where a destination's delivery concurrency is throttled
down to zero (and further delivery suspended) after a single failed
pseudo-cohort.
+.br
.IP "\fB\fInumber\fR / concurrency \fR"
Variable feedback of "\fInumber\fR / (delivery concurrency)".
The \fInumber\fR must be in the range 0..1 inclusive. With
\fInumber\fR equal to "1", a destination's delivery concurrency
is decremented by 1 after each failed pseudo-cohort.
+.br
+.br
.PP
A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.
inclusive. The default setting of "1" is compatible with Postfix
versions before 2.5, where a destination's delivery concurrency
doubles after each successful pseudo-cohort.
+.br
.IP "\fB\fInumber\fR / concurrency \fR"
Variable feedback of "\fInumber\fR / (delivery concurrency)".
The \fInumber\fR must be in the range 0..1 inclusive. With
\fInumber\fR equal to "1", a destination's delivery concurrency
is incremented by 1 after each successful pseudo-cohort.
+.br
+.br
.PP
A pseudo-cohort is the number of deliveries equal to a destination's
delivery concurrency.
to 1, the rate delay specifies the time between deliveries to the
\fIsame recipient\fR. Different recipients are delivered in
parallel, subject to the process limits specified in master.cf.
+.br
.PP
To enable the delay, specify a non-zero time value (an integral
value plus an optional one-letter suffix that specifies the time
settings in a similar manner, from settings for delivery to the
\fIsame domain\fR into settings for delivery to the \fIsame
recipient\fR.
+.br
.PP
Use \fItransport\fR_destination_recipient_limit to specify a
transport-specific override, where \fItransport\fR is the master.cf
The template is subject to exactly one level of $name substitution:
.IP "\fB$client\fR"
The client hostname and IP address, formatted as name[address].
+.br
.IP "\fB$client_address\fR"
The client IP address.
+.br
.IP "\fB$client_name\fR"
The client hostname or "unknown". See reject_unknown_client_hostname
for more details.
+.br
.IP "\fB$reverse_client_name\fR"
The client hostname from address->name lookup, or "unknown".
See reject_unknown_reverse_client_hostname for more details.
+.br
.IP "\fB$helo_name\fR"
The hostname given in HELO or EHLO command or empty string.
+.br
.IP "\fB$rbl_class\fR"
The blacklisted entity type: Client host, Helo command, Sender
address, or Recipient address.
+.br
.IP "\fB$rbl_code\fR"
The numerical SMTP response code, as specified with the
maps_rbl_reject_code configuration parameter. Note: The numerical
SMTP response code is required, and must appear at the start of the
reply. With Postfix version 2.3 and later this information may be followed
by an RFC 3463 enhanced status code.
+.br
.IP "\fB$rbl_domain\fR"
The RBL domain where $rbl_what is blacklisted.
+.br
.IP "\fB$rbl_reason\fR"
The reason why $rbl_what is blacklisted, or an empty string.
+.br
.IP "\fB$rbl_what\fR"
The entity that is blacklisted (an IP address, a hostname, a domain
name, or an email address whose domain was blacklisted).
+.br
.IP "\fB$recipient\fR"
The recipient address or <> in case of the null address.
+.br
.IP "\fB$recipient_domain\fR"
The recipient domain or empty string.
+.br
.IP "\fB$recipient_name\fR"
The recipient address localpart or <> in case of null address.
+.br
.IP "\fB$sender\fR"
The sender address or <> in case of the null address.
+.br
.IP "\fB$sender_domain\fR"
The sender domain or empty string.
+.br
.IP "\fB$sender_name\fR"
The sender address localpart or <> in case of the null address.
+.br
.IP "\fB${name?text}\fR"
Expands to `text' if $name is not empty.
+.br
.IP "\fB${name:text}\fR"
Expands to `text' if $name is empty.
+.br
+.br
.PP
Instead of $name you can also specify ${name} or $(name).
.PP
command argument or the client hostname/address), the Postfix SMTP
server will transform a sender or recipient DSN status into a generic
non-address DSN status (e.g., 4.0.0).
+.br
.SH default_recipient_limit (default: 20000)
The default per-transport upper limit on the number of in-memory
recipients. These limits take priority over the global
c = time in connection setup, including DNS, EHLO and STARTTLS
.IP \(bu
d = time in message transmission
+.br
.PP
This feature is available in Postfix 2.3 and later.
.SH delay_notice_recipient (default: postmaster)
.ad
.ft R
.SH dnsblog_reply_delay (default: 0s)
-A debugging aid to artifically delay DNS responses.
+A debugging aid to artificially delay DNS responses.
.PP
This feature is available in Postfix 2.8.
.SH dnsblog_service_name (default: dnsblog)
into hexadecimal representation. This produces the same queue hashing
behavior as if the queue file name was created with "enable_long_queue_ids
= no".
+.br
.PP
Changing the parameter value to "no" has the following effects:
.IP \(bu
The hash_queue_depth algorithm uses the first characters
of the queue file name, with the hexadecimal representation of the
file creation time in microseconds.
+.br
.PP
Before migration to Postfix <= 2.8, the following commands
are required to convert long queue file names into short names:
.IP \(bu
In transport maps, specify "relay:\fInexthop...\fR"
as the right-hand side for backup or primary MX domain entries.
+.br
.PP
Postfix version 2.2 and later will not use the fallback_relay feature
for destinations that it is MX host for.
forward_expansion_filter parameter.
.IP "\fB$user\fR"
The recipient's username.
+.br
.IP "\fB$shell\fR"
The recipient's login shell pathname.
+.br
.IP "\fB$home\fR"
The recipient's home directory.
+.br
.IP "\fB$recipient\fR"
The full recipient address.
+.br
.IP "\fB$extension\fR"
The optional recipient address extension.
+.br
.IP "\fB$domain\fR"
The recipient domain.
+.br
.IP "\fB$local\fR"
The entire recipient localpart.
+.br
.IP "\fB$recipient_delimiter\fR"
The system-wide recipient address extension delimiter.
+.br
.IP "\fB${name?value}\fR"
Expands to \fIvalue\fR when \fI$name\fR is non-empty.
+.br
.IP "\fB${name:value}\fR"
Expands to \fIvalue\fR when \fI$name\fR is empty.
+.br
+.br
.PP
Instead of $name you can also specify ${name} or $(name).
.PP
parameters:
.IP "\fBTZ\fR"
Needed for sane time keeping on most System-V-ish systems.
+.br
.IP "\fBDISPLAY\fR"
Needed for debugging Postfix daemons with an X-windows debugger.
+.br
.IP "\fBXAUTHORITY\fR"
Needed for debugging Postfix daemons with an X-windows debugger.
+.br
.IP "\fBMAIL_CONFIG\fR"
Needed to make "\fBpostfix -c\fR" work.
+.br
+.br
.PP
Specify a list of names and/or name=value pairs, separated by
whitespace or comma. The name=value form is supported with
.IP "\fBbounce\fR"
Inspect the content of delivery
status notifications.
+.br
.IP "\fBnotify\fR"
Inspect the content of postmaster
notifications by the \fBsmtp\fR(8) and \fBsmtpd\fR(8) processes.
+.br
+.br
.PP
NOTE: It's generally not safe to enable content inspection of
Postfix-generated email messages. The user is warned.
the
server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed". The default setting is backwards
-compatible to avoid the infinetisimal possibility of breaking
+compatible to avoid the infinitesimal possibility of breaking
existing LMTP-based content filters.
.SH lmtp_bind_address (default: empty)
The LMTP-specific version of the smtp_bind_address configuration
Upon the onset of another delivery request, the remote LMTP server
associated with the current session does not respond to the RSET
command.
+.br
.PP
Most of these limitations have been with the Postfix
a connection cache that is shared among multiple LMTP client
.IP \(bu
Use the lmtp_discard_lhlo_keyword_address_maps feature to
discard LHLO keywords selectively.
+.br
.SH lmtp_dns_resolver_options (default: empty)
The LMTP-specific version of the smtp_dns_resolver_options
configuration parameter. See there for details.
client SASL implementation:
.IP "\fBnoplaintext\fR"
Disallow authentication methods that use plaintext passwords.
+.br
.IP "\fBnoactive\fR"
Disallow authentication methods that are vulnerable to non-dictionary
active attacks.
+.br
.IP "\fBnodictionary\fR"
Disallow authentication methods that are vulnerable to passive
dictionary attack.
+.br
.IP "\fBnoanonymous\fR"
Disallow anonymous logins.
+.br
+.br
.PP
Example:
.PP
Append the domain name in $myorigin or $mydomain when the
client IP address matches $inet_interfaces. This is enabled by
default.
+.br
.IP "\fBpermit_mynetworks\fR"
Append the domain name in $myorigin or $mydomain when the
client IP address matches any network or network address listed in
$mynetworks. This setting will not prevent remote mail header
address rewriting when mail from a remote client is forwarded by
a neighboring system.
+.br
.IP "\fBpermit_sasl_authenticated \fR"
Append the domain name in $myorigin or $mydomain when the
client is successfully authenticated via the RFC 4954 (AUTH)
protocol.
+.br
.IP "\fBpermit_tls_clientcerts \fR"
Append the domain name in $myorigin or $mydomain when the
remote SMTP client TLS certificate fingerprint or public key fingerprint
The fingerprint digest algorithm is configurable via the
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5).
+.br
.IP "\fBpermit_tls_all_clientcerts \fR"
Append the domain name in $myorigin or $mydomain when the
remote SMTP client TLS certificate is successfully verified, regardless of
whether it is listed on the server, and regardless of the certifying
authority.
+.br
.IP "\fBcheck_address_map \fItype:table\fR \fR"
.IP "\fB\fItype:table\fR \fR"
Append the domain name in $myorigin or $mydomain when the
client IP address matches the specified lookup table.
The lookup result is ignored, and no subnet lookup is done. This
is suitable for, e.g., pop-before-smtp lookup tables.
+.br
+.br
.PP
Examples:
.PP
.IP \(bu
You use the "luser_relay", "mailbox_transport", or "fallback_transport"
feature of the Postfix \fBlocal\fR(8) delivery agent.
+.br
.PP
Details are described in the LOCAL_RECIPIENT_README file.
.PP
The following $name expansions are done on luser_relay:
.IP "\fB$domain\fR"
The recipient domain.
+.br
.IP "\fB$extension\fR"
The recipient address extension.
+.br
.IP "\fB$home\fR"
The recipient's home directory.
+.br
.IP "\fB$local\fR"
The entire recipient address localpart.
+.br
.IP "\fB$recipient\fR"
The full recipient address.
+.br
.IP "\fB$recipient_delimiter\fR"
The system-wide recipient address extension delimiter.
+.br
.IP "\fB$shell\fR"
The recipient's login shell.
+.br
.IP "\fB$user\fR"
The recipient username.
+.br
.IP "\fB${name?value}\fR"
Expands to \fIvalue\fR when \fI$name\fR has a non-empty value.
+.br
.IP "\fB${name:value}\fR"
Expands to \fIvalue\fR when \fI$name\fR has an empty value.
+.br
+.br
.PP
Instead of $name you can also specify ${name} or $(name).
.PP
.IP "\fBCLIENT_ADDRESS\fR"
Remote client network address. Available in Postfix version 2.2 and
later.
+.br
.IP "\fBCLIENT_HELO\fR"
Remote client EHLO command parameter. Available in Postfix version 2.2
and later.
+.br
.IP "\fBCLIENT_HOSTNAME\fR"
Remote client hostname. Available in Postfix version 2.2 and later.
+.br
.IP "\fBCLIENT_PROTOCOL\fR"
Remote client protocol. Available in Postfix version 2.2 and later.
+.br
.IP "\fBDOMAIN\fR"
The domain part of the recipient address.
+.br
.IP "\fBEXTENSION\fR"
The optional address extension.
+.br
.IP "\fBHOME\fR"
The recipient home directory.
+.br
.IP "\fBLOCAL\fR"
The recipient address localpart.
+.br
.IP "\fBLOGNAME\fR"
The recipient's username.
+.br
.IP "\fBORIGINAL_RECIPIENT\fR"
The entire recipient address, before any address rewriting or
aliasing.
+.br
.IP "\fBRECIPIENT\fR"
The full recipient address.
+.br
.IP "\fBSASL_METHOD\fR"
SASL authentication method specified in the remote client AUTH
command. Available in Postfix version 2.2 and later.
+.br
.IP "\fBSASL_SENDER\fR"
SASL sender address specified in the remote client MAIL FROM
command. Available in Postfix version 2.2 and later.
+.br
.IP "\fBSASL_USER\fR"
SASL username specified in the remote client AUTH command.
Available in Postfix version 2.2 and later.
+.br
.IP "\fBSENDER\fR"
The full sender address.
+.br
.IP "\fBSHELL\fR"
The recipient's login shell.
+.br
.IP "\fBUSER\fR"
The recipient username.
+.br
+.br
.PP
Unlike other Postfix configuration parameters, the mailbox_command
parameter is not subjected to $name substitutions. This is to make
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
unavailable or mis-configured. Specify one of the following:
.IP "accept"
Proceed as if the mail filter was not present.
+.br
.IP "reject"
Reject all further commands in this session
with a permanent status code.
+.br
.IP "tempfail"
Reject all further commands in this session
with a temporary status code.
+.br
.IP "quarantine"
Like "accept", but freeze the message in
the "hold" queue. Available with Postfix 2.6 and later.
+.br
+.br
.PP
This feature is available in Postfix 2.3 and later.
.SH milter_end_of_data_macros (default: see "postconf -d" output)
Use Sendmail 8 mail filter protocol version 2 (default
with Sendmail version 8.11 .. 8.13 and Postfix version 2.3 ..
2.5).
+.br
.IP "3"
Use Sendmail 8 mail filter protocol version 3.
+.br
.IP "4"
Use Sendmail 8 mail filter protocol version 4.
+.br
.IP "6"
Use Sendmail 8 mail filter protocol version 6 (default
with Sendmail version 8.14 and Postfix version 2.6).
+.br
+.br
.PP
Protocol extensions:
.IP "no_header_reply"
Specify this when the Milter application
will not reply for each individual message header.
+.br
+.br
.PP
This feature is available in Postfix 2.3 and later.
.SH milter_rcpt_macros (default: see "postconf -d" output)
not listed with the local_recipient_maps parameter. See the
\fBpostconf\fR(5) manual for a description of the local_recipient_maps
and unknown_local_recipient_reject_code parameters.
+.br
.PP
Specify a list of host or domain names, "/file/name" or "type:table"
patterns, separated by commas and/or whitespace. A "/file/name"
"strangers".
.PP
In particular, "trusted" SMTP clients are allowed to relay mail
-through Postfix. See the smtpd_recipient_restrictions parameter
+through Postfix. See the smtpd_relay_restrictions parameter
description in the \fBpostconf\fR(5) manual.
.PP
You can specify the list of "trusted" network addresses by hand
Postfix to "trust" your entire provider's network. Instead, specify
an explicit mynetworks list by hand, as described with the mynetworks
configuration parameter.
+.br
.SH myorigin (default: $myhostname)
The domain name that locally-posted mail appears to come
from, and that locally posted mail is delivered to. The default,
send transcripts of SMTP sessions when Postfix rejects mail. The
notification is sent to the address specified with the
bounce_notice_recipient configuration parameter (default: postmaster).
+.br
.IP "\fB2bounce\fR"
Send undeliverable bounced mail to the postmaster. The notification
is sent to the address specified with the 2bounce_notice_recipient
configuration parameter (default: postmaster).
+.br
.IP "\fBdata\fR"
Send the postmaster a transcript of the SMTP session with an
error because a critical data file was unavailable. The notification
.br
This feature
is available in Postfix 2.9 and later.
+.br
.IP "\fBdelay\fR"
Send the postmaster copies of the headers of delayed mail. The
notification is sent to the address specified with the
delay_notice_recipient configuration parameter (default: postmaster).
+.br
.IP "\fBpolicy\fR"
Send the postmaster a transcript of the SMTP session when a
client request was rejected because of (UCE) policy. The notification
is sent to the address specified with the error_notice_recipient
configuration parameter (default: postmaster).
+.br
.IP "\fBprotocol\fR"
Send the postmaster a transcript of the SMTP session in case
of client or server protocol errors. The notification is sent to
the address specified with the error_notice_recipient configuration
parameter (default: postmaster).
+.br
.IP "\fBresource\fR"
Inform the postmaster of mail not delivered due to resource
problems. The notification is sent to the address specified with
the error_notice_recipient configuration parameter (default:
postmaster).
+.br
.IP "\fBsoftware\fR"
Inform the postmaster of mail not delivered due to software
problems. The notification is sent to the address specified with
the error_notice_recipient configuration parameter (default:
postmaster).
+.br
+.br
.PP
Examples:
.PP
terminate the search if the client IP address matches $mynetworks.
Do not subject the client to any before/after 220 greeting tests.
Pass the connection immediately to a Postfix SMTP server process.
+.br
.IP "\fB type:table \fR"
Query the specified lookup
table. Each table lookup result is an access list, except that
To discourage the use of hash, btree, etc. tables, there is no
support for substring matching like \fBsmtpd\fR(8). Use CIDR tables
instead.
+.br
.IP "\fB permit \fR"
Whitelist the client and terminate
the search. Do not subject the client to any before/after 220
greeting tests. Pass the connection immediately to a Postfix SMTP
server process.
+.br
.IP "\fB reject \fR"
Blacklist the client and terminate
the search. Subject the client to the action configured with the
postscreen_blacklist_action configuration parameter.
+.br
.IP "\fB dunno \fR"
All \fBpostscreen\fR(8) access lists
implicitly have this command at the end.
When \fB dunno \fR is executed
outside a lookup table, terminate the search, and subject the client
to the configured before/after 220 greeting tests.
+.br
+.br
.PP
Example:
.PP
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects.
+.br
+.br
.PP
This feature is available in Postfix 2.8.
.SH postscreen_bare_newline_enable (default: no)
this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects.
+.br
+.br
.PP
This feature is available in Postfix 2.8.
.SH postscreen_cache_cleanup_interval (default: 12h)
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects.
+.br
+.br
.PP
This feature is available in Postfix 2.8.
.SH postscreen_dnsbl_reply_map (default: empty)
.IP \(bu
When one postscreen_dnsbl_sites entry produces multiple
DNSBL responses, \fBpostscreen\fR(8) applies the weight at most once.
+.br
.PP
Examples:
.PP
Repeat this test the next time the client connects.
This option is useful for testing and collecting statistics
without blocking mail.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects.
+.br
+.br
.PP
In either case, \fBpostscreen\fR(8) will not whitelist the remote SMTP client
IP address.
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects. This action is the
same as with the Postfix SMTP server's smtpd_forbidden_commands
feature.
+.br
+.br
.PP
This feature is available in Postfix 2.8.
.SH postscreen_non_smtp_command_enable (default: no)
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
+.br
.IP "\fBenforce\fR"
Allow other tests to complete. Reject attempts to deliver mail
with a 550 SMTP reply, and log the helo/sender/recipient information.
Repeat this test the next time the client connects.
+.br
.IP "\fBdrop\fR"
Drop the connection immediately with a 521 SMTP reply. Repeat
this test the next time the client connects.
+.br
+.br
.PP
This feature is available in Postfix 2.8.
.SH postscreen_pipelining_enable (default: no)
The number of clients that can be waiting for service from a
real Postfix SMTP server process. When this queue is full, all
clients will
-receive a 421 reponse.
+receive a 421 response.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_pre_queue_limit (default: $default_process_limit)
a decision whether they will receive service from a real Postfix
SMTP server
process. When this queue is full, all non-whitelisted clients will
-receive a 421 reponse.
+receive a 421 response.
.PP
This feature is available in Postfix 2.8.
.SH postscreen_reject_footer (default: $smtpd_reject_footer)
.IP "\fBno_unknown_recipient_checks\fR"
Do not try to reject unknown recipients (SMTP server only).
This is typically specified AFTER an external content filter.
+.br
.IP "\fBno_address_mappings\fR"
Disable canonical address mapping, virtual alias map expansion,
address masquerading, and automatic BCC (blind carbon-copy)
recipients. This is typically specified BEFORE an external content
filter.
+.br
.IP "\fBno_header_body_checks\fR"
Disable header/body_checks. This is typically specified AFTER
an external content filter.
+.br
.IP "\fBno_milters\fR"
Disable Milter (mail filter) applications. This is typically
specified AFTER an external content filter.
+.br
+.br
.PP
Note: when the "BEFORE content filter" receive_override_options
setting is specified in the main.cf file, specify the "AFTER content
equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
.IP \(bu
Look up the "@domain.tld" part.
+.br
.PP
Specify the types and names of databases to use. After change,
run "\fBpostmap /etc/postfix/recipient_bcc\fR".
equals $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
.IP \(bu
Look up the "@domain.tld" part.
+.br
.PP
Specify the types and names of databases to use. After change,
run "\fBpostmap /etc/postfix/sender_bcc\fR".
Always convert message lines ending
in <CR><LF>. This setting is the default with Postfix
2.9 and later.
+.br
.IP "\fBstrict\fR"
Convert message lines ending in
<CR><LF> only if the first input line ends in
<CR><LF>. This setting is backwards-compatible with
Postfix 2.8 and earlier.
+.br
.IP "\fBnever\fR"
Never convert message lines ending in
<CR><LF>. This setting exists for completeness only.
+.br
+.br
.PP
This feature is available in Postfix 2.9 and later.
.SH sendmail_path (default: see "postconf -d" output)
a "type:table" with domain names and/or relay host names on
the left-hand side. The right-hand side result from "type:table"
lookups is ignored.
+.br
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_connection_cache_on_demand (default: yes)
.IP \(bu
Use the smtp_discard_ehlo_keyword_address_maps feature to
discard EHLO keywords selectively.
+.br
.SH smtp_dns_resolver_options (default: empty)
DNS Resolver options for the Postfix SMTP client. Specify zero
or more of the following options, separated by comma or whitespace.
Append the current domain name to single-component names (those
that do not contain a "." character). This can produce incorrect
results, and is the hard-coded behavior prior to Postfix 2.8.
+.br
.IP "\fBres_dnsrch\fR"
Search for host names in the current domain and in parent
domains. This can produce incorrect results and is therefore not
recommended.
+.br
+.br
.PP
This feature is available in Postfix 2.8 and later.
.SH smtp_enforce_tls (default: no)
Specify one of the following:
.IP "\fBdns\fR"
Hosts can be found in the DNS (preferred).
+.br
.IP "\fBnative\fR"
Use the native naming service only (nsswitch.conf, or equivalent
mechanism).
+.br
.IP "\fBdns, native\fR"
Use the native service for hosts not found in the DNS.
+.br
+.br
.PP
This feature is available in Postfix 2.1 and later.
.SH smtp_line_length_limit (default: 998)
".<CR><LF>" after the end of the message content. The
delay is subject to the smtp_pix_workaround_delay_time and
smtp_pix_workaround_threshold_time parameter settings.
+.br
.IP "\fBdisable_esmtp\fR
Disable all extended SMTP commands:
send HELO instead of EHLO.
+.br
+.br
.PP
This feature is available in Postfix 2.4 and later. The default
settings are backwards compatible with earlier Postfix versions.
initial digit differs from the SMTP reply code initial digit, or
when no enhanced status code is present, the Postfix SMTP client
uses a generic enhanced status code (X.0.0) instead.
+.br
.PP
Specify the name of a "type:table" lookup table. The search
string is a single SMTP reply line as received from the remote SMTP
Specify zero or more of the following:
.IP "\fBnoplaintext\fR"
Disallow methods that use plaintext passwords.
+.br
.IP "\fBnoactive\fR"
Disallow methods subject to active (non-dictionary) attack.
+.br
.IP "\fBnodictionary\fR"
Disallow methods subject to passive (dictionary) attack.
+.br
.IP "\fBnoanonymous\fR"
Disallow methods that allow anonymous authentication.
+.br
.IP "\fBmutual_auth\fR"
Only allow methods that provide mutual authentication (not
available with SASL version 1).
+.br
+.br
.PP
Example:
.PP
— no logging of remote SMTP server certificate trust-chain
verification errors if server certificate verification is not required.
With Postfix 2.8 and earlier, disable logging of TLS activity.
+.br
.IP ""
1 Also log remote SMTP server trust-chain verification
errors and peer certificate summary information. With Postfix 2.8
and earlier, log TLS handshake and certificate information.
+.br
.IP ""
2 Also log levels during TLS negotiation.
+.br
.IP ""
3 Also log hexadecimal and ASCII dump of TLS negotiation
process.
+.br
.IP ""
4 Also log hexadecimal and ASCII dump of complete
transmission after STARTTLS.
+.br
+.br
.PP
Do not use "smtp_tls_loglevel = 2" or higher except in case of
problems. Use of loglevel 4 is strongly discouraged.
with "crippled" peers. The underlying cipherlist is specified via the
tls_export_cipherlist configuration parameter, which you are strongly
encouraged to not change.
+.br
.IP "\fBlow\fR"
Enable "LOW" grade or better OpenSSL ciphers. This
setting is only appropriate for internal mail servers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
parameter, which you are strongly encouraged to not change.
+.br
.IP "\fBmedium\fR"
Enable "MEDIUM" grade or better OpenSSL ciphers.
The underlying cipherlist is specified via the tls_medium_cipherlist
configuration parameter, which you are strongly encouraged to not change.
+.br
.IP "\fBhigh\fR"
Enable only "HIGH" grade OpenSSL ciphers. This setting may
be appropriate when all mandatory TLS destinations (e.g. when all
"HIGH" grade cipher. The underlying cipherlist is specified via the
tls_high_cipherlist configuration parameter, which you are strongly
encouraged to not change.
+.br
.IP "\fBnull\fR"
Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare case
underlying cipherlist is specified via the tls_null_cipherlist
configuration parameter, which you are strongly encouraged to not
change.
+.br
+.br
.PP
The underlying cipherlists for grades other than "null" include
anonymous ciphers, but these are automatically filtered out if the
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
.PP
Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that by
specific \fBMAY\fR lookup result from the alternate host or next-hop
lookup key, and overrides the global smtp_use_tls, smtp_enforce_tls,
and smtp_tls_enforce_peername settings.
+.br
.IP "MAY"
Try to use TLS if the server announces support,
otherwise use the unencrypted connection. This has less precedence
host or next-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
= yes".
+.br
.IP "MUST_NOPEERMATCH"
Require TLS encryption, but do not
require that the remote SMTP server hostname matches the information
or a less specific \fBMAY\fR lookup result from the alternate host
or next-hop lookup key, and overrides the global smtp_use_tls,
smtp_enforce_tls and smtp_tls_enforce_peername settings.
+.br
.IP "MUST"
Require TLS encryption, require that the remote
SMTP server hostname matches the information in the remote SMTP
result from the alternate host or next-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings.
+.br
+.br
.PP
The above keywords correspond to the "none", "may", "encrypt" and
"verify" security levels for the new smtp_tls_security_level parameter
security are:
.IP "\fBnone\fR"
No TLS. No additional attributes are supported at this level.
+.br
.IP "\fBmay\fR"
Opportunistic TLS. Since sending in the clear is acceptable,
demanding stronger than default TLS security merely reduces
handshakes fail, Postfix retries the connection with TLS disabled.
This allows mail delivery to sites with non-interoperable TLS
implementations.
+.br
.IP "\fBencrypt\fR"
Mandatory TLS encryption. At this level
and higher, the optional "protocols" attribute overrides the main.cf
smtp_tls_mandatory_exclude_ciphers parameter. In the policy table,
multiple protocols or excluded ciphers must be separated by colons,
as attribute values may not contain whitespace or commas.
+.br
.IP "\fBfingerprint\fR"
Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
digits.
+.br
.IP "\fBverify\fR"
Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
multiple match patterns and strategies must be separated by colons.
In practice explicit control over matching is more common with the
"secure" policy, described below.
+.br
.IP "\fBsecure\fR"
Secure-channel TLS. At this security level, DNS
MX lookups, though potentially used to determine the candidate next-hop
change hands or are re-assigned to new gateways. With the "match"
attribute approach, routing is not perturbed, and mail is deferred if
verification of a new MX host fails.
+.br
+.br
.PP
Example:
.PP
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix.
.PP
Example:
.IP "\fBnone\fR"
TLS will not be used unless enabled for specific
destinations via smtp_tls_policy_maps.
+.br
.IP "\fBmay\fR"
Opportunistic TLS. Use TLS if this is supported by the remote
SMTP server, otherwise use plaintext. Since
When TLS handshakes fail, the connection is retried with TLS disabled.
This allows mail delivery to sites with non-interoperable TLS
implementations.
+.br
.IP "\fBencrypt\fR"
Mandatory TLS encryption. Since a minimum
level of security is intended, it is reasonable to be specific about
cipher grade which the administrator considers secure enough for
mandatory encrypted sessions. This security level is not an appropriate
default for systems delivering mail to the Internet.
+.br
.IP "\fBfingerprint\fR"
Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
the valid server certificate. The digest
algorithm used to calculate the fingerprint is selected by the
\fBsmtp_tls_fingerprint_digest\fR parameter.
+.br
.IP "\fBverify\fR"
Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
control over matching is more common at the "secure" level, described
below. This security level is not an appropriate default for systems
delivering mail to the Internet.
+.br
.IP "\fBsecure\fR"
Secure-channel TLS. At this security level,
DNS MX lookups, though potentially used to determine the candidate
matching rule is that a server certificate matches when its name is equal
to or is a sub-domain of the nexthop domain. This security level is not
an appropriate default for systems delivering mail to the Internet.
+.br
+.br
.PP
Examples:
.PP
Match the \fIexample.com\fR domain,
i.e. one of the names the server certificate must be \fIexample.com\fR,
upper and lower case distinctions are ignored.
+.br
.IP "\fI.example.com\fR"
Match subdomains of the \fIexample.com\fR domain, i.e. match
a name in the server certificate that consists of a non-zero number of
labels followed by a \fI.example.com\fR suffix. Case distinctions are
ignored.
+.br
+.br
.PP
Strategies specify a transformation from the next-hop domain
to the expected name in the server certificate:
LMTP delivery via UNIX-domain sockets, the verified next-hop name is
$myhostname. This strategy is suitable for use with the "secure"
policy. Case is ignored.
+.br
.IP "dot-nexthop"
As above, but match server certificate names that are subdomains
of the next-hop domain. Case is ignored.
+.br
.IP "hostname"
Match against the hostname of the server, often
obtained via an unauthenticated DNS MX lookup. For LMTP delivery via
security level. When the next-hop name is enclosed in square brackets
to suppress MX lookups, the "hostname" strategy is the same as the
"nexthop" strategy. Case is ignored.
+.br
+.br
.PP
Sample main.cf setting:
.PP
.ad
.ft R
.SH smtpd_client_restrictions (default: empty)
-Optional Postfix SMTP server access restrictions in the context of
-a remote SMTP client connection request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client connection request.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
.PP
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2 and later.
+.br
.IP "\fBcheck_client_access \fItype:table\fR\fR"
Search the specified access database for the client hostname,
parent domains, client IP address, or networks obtained by stripping
least significant octets. See the \fBaccess\fR(5) manual page for details.
+.br
.IP "\fBcheck_client_mx_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the MX hosts for the
client hostname, and execute the corresponding action. Note: a result
of "OK" is not allowed for safety reasons. Instead, use DUNNO in order
to exclude specific hosts from blacklists. This feature is available
in Postfix 2.7 and later.
+.br
.IP "\fBcheck_client_ns_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the DNS servers for
the client hostname, and execute the corresponding action. Note: a
result of "OK" is not allowed for safety reasons. Instead, use DUNNO
in order to exclude specific hosts from blacklists. This feature is
available in Postfix 2.7 and later.
+.br
.IP "\fBcheck_reverse_client_hostname_access \fItype:table\fR\fR"
Search the specified access database for the unverified reverse
client hostname, parent domains, client IP address, or networks
safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.6
and later.
+.br
.IP "\fBcheck_reverse_client_hostname_mx_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the MX hosts for the
unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from blacklists.
This feature is available in Postfix 2.7 and later.
+.br
.IP "\fBcheck_reverse_client_hostname_ns_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the DNS servers for
the unverified reverse client hostname, and execute the corresponding
action. Note: a result of "OK" is not allowed for safety reasons.
Instead, use DUNNO in order to exclude specific hosts from blacklists.
This feature is available in Postfix 2.7 and later.
+.br
.IP "\fBpermit_inet_interfaces\fR"
Permit the request when the client IP address matches
$inet_interfaces.
+.br
.IP "\fBpermit_mynetworks\fR"
Permit the request when the client IP address matches any
network or network address listed in $mynetworks.
+.br
.IP "\fBpermit_sasl_authenticated\fR"
Permit the request when the client is successfully
authenticated via the RFC 4954 (AUTH) protocol.
+.br
.IP "\fBpermit_tls_all_clientcerts\fR"
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
to prevent Postfix from appending the system-supplied default CAs.
This feature is available with Postfix version 2.2.
+.br
.IP "\fBpermit_tls_clientcerts\fR"
Permit the request when the remote SMTP client certificate
fingerprint or public key fingerprint (Postfix 2.9 and later) is
smtpd_tls_fingerprint_digest parameter (hard-coded as md5 prior to
Postfix version 2.5). This feature is available with Postfix version
2.2.
+.br
.IP "\fBreject_rbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
specifies the default server reply, and the rbl_reply_maps parameter
specifies tables with server replies indexed by \fIrbl_domain\fR.
This feature is available in Postfix 2.0 and later.
+.br
.IP "\fBpermit_dnswl_client \fIdnswl_domain=d.d.d.d\fR\fR"
Accept the request when the reversed client network address is
listed with the A record "\fId.d.d.d\fR" under \fIdnswl_domain\fR.
ignored when it would override reject_unauth_destination. The
result is DEFER_IF_REJECT when whitelist lookup fails. This feature
is available in Postfix 2.8 and later.
+.br
.IP "\fBreject_rhsbl_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the client hostname is listed with the
A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version
This feature is available in Postfix 2.0 and later; with Postfix
version 2.8 and later, reject_rhsbl_reverse_client will usually
produce better results.
+.br
.IP "\fBpermit_rhswl_client \fIrhswl_domain=d.d.d.d\fR\fR"
Accept the request when the client hostname is listed with the
A record "\fId.d.d.d\fR" under \fIrhswl_domain\fR. Each "\fId\fR"
would override reject_unauth_destination. The result is DEFER_IF_REJECT
when whitelist lookup fails. This feature is available in Postfix
2.8 and later.
+.br
.IP "\fBreject_rhsbl_reverse_client \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the unverified reverse client hostname
is listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR.
\fIrbl_domain\fR. See the reject_rbl_client description above for
additional RBL related configuration parameters. This feature is
available in Postfix 2.8 and later.
+.br
.IP "\fBreject_unknown_client_hostname\fR (with Postfix < 2.3: reject_unknown_client)"
Reject the request when 1) the client IP address->name mapping
fails, 2) the name->address mapping fails, or 3) the name->address
for rejected requests (default: 450). The reply is always 450 in
case the address->name or name->address lookup failed due to
a temporary problem.
+.br
.IP "\fBreject_unknown_reverse_client_hostname\fR"
Reject the request when the client IP address has no address->name
mapping.
.br
This feature is available in Postfix 2.3 and
later.
+.br
+.br
.PP
In addition, you can use any of the following
generic restrictions. These restrictions are applicable in
Query the specified policy server. See the SMTPD_POLICY_README
document for details. This feature is available in Postfix 2.1
and later.
+.br
.IP "\fBdefer\fR"
Defer the request. The client is told to try again later. This
restriction is useful at the end of a restriction list, to make
.br
The defer_code parameter specifies
the SMTP server reply code (default: 450).
+.br
.IP "\fBdefer_if_permit\fR"
Defer the request if some later restriction would result in an
explicit or implicit PERMIT action. This is useful when a blacklisting
feature fails due to a temporary problem. This feature is available
in Postfix version 2.1 and later.
+.br
.IP "\fBdefer_if_reject\fR"
Defer the request if some later restriction would result in a
REJECT action. This is useful when a whitelisting feature fails
due to a temporary problem. This feature is available in Postfix
version 2.1 and later.
+.br
.IP "\fBpermit\fR"
Permit the request. This restriction is useful at the end of
a restriction list, to make the default policy explicit.
+.br
.IP "\fBreject_multi_recipient_bounce\fR"
Reject the request when the envelope sender is the null address,
and the message has multiple envelope recipients. This usage has
The multi_recipient_bounce_reject_code parameter specifies the
response code for rejected requests (default: 550). This feature
is available in Postfix 2.1 and later.
+.br
.IP "\fBreject_plaintext_session\fR"
Reject the request when the connection is not encrypted. This
restriction should not be used before the client has had a chance
The plaintext_reject_code parameter specifies the response
code for rejected requests (default: 450). This feature is available
in Postfix 2.3 and later.
+.br
.IP "\fBreject_unauth_pipelining\fR"
Reject the request when the client sends SMTP commands ahead
of time where it is not allowed, or when the client sends SMTP
With older Postfix versions, reject_unauth_pipelining checks
the current status of the input read queue, and its usage is not
recommended in contexts other than smtpd_data_restrictions.
+.br
.IP "\fBreject\fR"
Reject the request. This restriction is useful at the end of
a restriction list, to make the default policy explicit. The
reject_code configuration parameter specifies the response code for
rejected requests (default: 554).
+.br
.IP "\fBsleep \fIseconds\fR\fR"
Pause for the specified number of seconds and proceed with
the next restriction in the list, if any. This may stop zombie
.ad
.ft R
This feature is available in Postfix 2.3.
+.br
.IP "\fBwarn_if_reject\fR"
A safety net for testing. When "warn_if_reject" is placed
before a reject-type restriction, access table query, or
any implicit "defer_if_permit" actions that would normally prevent
mail from being accepted by some later access restriction). This
feature has no effect on defer_if_reject restrictions.
+.br
+.br
.PP
Other restrictions that are valid in this context:
.IP \(bu
they have effect only with "smtpd_delay_reject = yes", so that
$smtpd_client_restrictions is evaluated at the time of the RCPT TO
command.
+.br
.PP
Example:
.PP
Use "strict_rfc821_envelopes = no" to accept "RCPT TO:<\fIUser
Name <user@example.com>>\fR". Postfix will ignore the "\fIUser
Name\fR" part and deliver to the \fI<user@example.com>\fR address.
+.br
.PP
Examples of problems that can be solved with the smtpd_command_filter
feature:
because any decision will affect all recipients equally. Acting on
all recipients would require a possibly very large amount of memory,
and would also be misleading for the reasons mentioned before.
+.br
.PP
Examples:
.PP
.IP \(bu
Use the smtpd_discard_ehlo_keyword_address_maps feature
to discard EHLO keywords selectively.
+.br
.SH smtpd_end_of_data_restrictions (default: empty)
Optional access restrictions that the Postfix SMTP server
applies in the context of the SMTP END-OF-DATA command.
fewer than $smtpd_soft_error_limit errors without delivering
mail.
.SH smtpd_etrn_restrictions (default: empty)
-Optional SMTP server access restrictions in the context of a client
-ETRN request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client ETRN command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
.PP
.IP "\fBcheck_etrn_access \fItype:table\fR\fR"
Search the specified access database for the ETRN domain name
or its parent domains. See the \fBaccess\fR(5) manual page for details.
+.br
+.br
.PP
Other restrictions that are valid in this context:
.IP \(bu
.IP \(bu
SMTP command specific restrictions described under
smtpd_client_restrictions and smtpd_helo_restrictions.
+.br
.PP
Example:
.PP
.ft R
.SH smtpd_helo_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the
-context of the SMTP HELO command.
+context of a client HELO command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
.PP
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_access by not sending HELO or EHLO).
+.br
.IP "\fBcheck_helo_mx_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the MX hosts for
the HELO or EHLO hostname, and execute the corresponding action.
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_mx_access by not sending HELO or EHLO). This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBcheck_helo_ns_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the DNS servers
for the HELO or EHLO hostname, and execute the corresponding action.
restriction (without "smtpd_helo_required = yes", a client can
simply skip check_helo_ns_access by not sending HELO or EHLO). This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBreject_invalid_helo_hostname\fR (with Postfix < 2.3: reject_invalid_hostname)"
Reject the request when the HELO or EHLO hostname is malformed.
Note: specify "smtpd_helo_required = yes" to fully enforce
.br
The invalid_hostname_reject_code specifies the response code
for rejected requests (default: 501).
+.br
.IP "\fBreject_non_fqdn_helo_hostname\fR (with Postfix < 2.3: reject_non_fqdn_hostname)"
Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain form, as required by the RFC. Note: specify
.br
The non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504).
+.br
.IP "\fBreject_rhsbl_helo \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the HELO or EHLO hostname hostname is
listed with the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR
client can simply skip reject_rhsbl_helo by not sending HELO or
EHLO). This feature is available in Postfix 2.0
and later.
+.br
.IP "\fBreject_unknown_helo_hostname\fR (with Postfix < 2.3: reject_unknown_hostname)"
Reject the request when the HELO or EHLO hostname has no DNS A
or MX record.
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip reject_unknown_helo_hostname by not sending
HELO or EHLO).
+.br
+.br
.PP
Other restrictions that are valid in this context:
.IP \(bu
they have effect only with "smtpd_delay_reject = yes", so that
$smtpd_helo_restrictions is evaluated at the time of the RCPT TO
command.
+.br
.PP
Examples:
.PP
NOTE 2: This feature increases the minimum amount of free queue
space by $message_size_limit. The extra space is needed to save the
message to a temporary file.
+.br
+.br
.PP
This feature is available in Postfix 2.7 and later.
.SH smtpd_proxy_timeout (default: 100s)
excess of the limit specified with $smtpd_recipient_limit, before
the Postfix SMTP server increments the per-session error count
for each excess recipient.
-.SH smtpd_recipient_restrictions (default: permit_mynetworks, reject_unauth_destination)
-The access restrictions that the Postfix SMTP server applies in
-the context of the RCPT TO command.
+.SH smtpd_recipient_restrictions (default: see "postconf -d" output)
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client RCPT TO command, after smtpd_relay_restrictions.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
.PP
-By default, the Postfix SMTP server accepts:
-.IP \(bu
-Mail from clients whose IP address matches $mynetworks, or:
-.IP \(bu
-Mail to remote destinations that match $relay_domains, except
-for addresses that contain sender-specified routing
-(user@elsewhere@domain), or:
-.IP \(bu
-Mail to local destinations that match $inet_interfaces
-or $proxy_interfaces, $mydestination, $virtual_alias_domains, or
-$virtual_mailbox_domains.
+With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with smtpd_relay_restrictions,
+so that a permissive spam blocking policy under
+smtpd_recipient_restrictions will no longer result in a permissive
+mail relay policy.
.PP
-IMPORTANT: If you change this parameter setting, you must specify
+For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set smtpd_relay_restrictions to the empty
+value, and use smtpd_recipient_restrictions exactly as before.
+.PP
+IMPORTANT: Either the smtpd_relay_restrictions or the
+smtpd_recipient_restrictions parameter must specify
at least one of the following restrictions. Otherwise Postfix will
refuse to receive mail:
.sp
.nf
.na
.ft C
-reject, defer, defer_if_permit, reject_unauth_destination
+reject, reject_unauth_destination
+.fi
+.ad
+.ft R
+.in -4
+.sp
+.in +4
+.nf
+.na
+.ft C
+defer, defer_if_permit, defer_unauth_destination
.fi
.ad
.ft R
Search the specified \fBaccess\fR(5) database for the resolved RCPT
TO address, domain, parent domains, or localpart@, and execute the
corresponding action.
+.br
.IP "\fBcheck_recipient_mx_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the MX hosts for
the RCPT TO domain, and execute the corresponding action. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from blacklists. This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBcheck_recipient_ns_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the DNS servers
for the RCPT TO domain, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from blacklists. This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBpermit_auth_destination\fR"
Permit the request when one of the following is true:
.IP \(bu
matches $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains, and the address
contains no sender-specified routing (user@elsewhere@domain).
+.br
+.br
.IP "\fBpermit_mx_backup\fR"
Permit the request when the local mail system is backup MX for
the RCPT TO domain, or when the domain is an authorized destination
.IP \(bu
Limitation: mail may be rejected in case of a temporary DNS
lookup problem with Postfix prior to version 2.0.
+.br
+.br
.IP "\fBreject_non_fqdn_recipient\fR"
Reject the request when the RCPT TO address is not in
fully-qualified domain form, as required by the RFC.
The
non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504).
+.br
.IP "\fBreject_rhsbl_recipient \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the RCPT TO domain is listed with the
A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix version
reply; and the rbl_reply_maps parameter specifies tables with server
replies indexed by \fIrbl_domain\fR. This feature is available
in Postfix version 2.0 and later.
+.br
.IP "\fBreject_unauth_destination\fR"
Reject the request unless one of the following is true:
.IP \(bu
matches $mydestination, $inet_interfaces, $proxy_interfaces,
$virtual_alias_domains, or $virtual_mailbox_domains, and contains
no sender-specified routing (user@elsewhere@domain).
- The relay_domains_reject_code parameter specifies the response
+.br
+The relay_domains_reject_code parameter specifies the response
code for rejected requests (default: 554).
+.br
+.IP "\fBdefer_unauth_destination\fR"
+Reject the same requests as reject_unauth_destination, with a
+non-permanent error code. This feature is available in Postfix
+2.10 and later.
+.br
.IP "\fBreject_unknown_recipient_domain\fR"
Reject the request when Postfix is not final destination for
the recipient domain, and the RCPT TO domain has 1) no DNS A or MX
The
unknown_address_tempfail_action parameter specifies the action
after a temporary DNS error (default: defer_if_permit).
+.br
.IP "\fBreject_unlisted_recipient\fR (with Postfix version 2.0: check_recipient_maps)"
Reject the request when the RCPT TO address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_recipient parameter description for details.
This feature is available in Postfix 2.1 and later.
+.br
.IP "\fBreject_unverified_recipient\fR"
Reject the request when mail to the RCPT TO address is known
to bounce, or when the recipient address destination is not reachable.
.br
This feature is available in Postfix 2.1
and later.
+.br
+.br
.PP
Other restrictions that are valid in this context:
.IP \(bu
SMTP command specific restrictions described under
smtpd_client_restrictions, smtpd_helo_restrictions and
smtpd_sender_restrictions.
+.br
.PP
Example:
.PP
.nf
.na
.ft C
+# The Postfix before 2.10 default mail relay policy. Later Postfix
+# versions implement this preferably with smtpd_relay_restrictions.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
.fi
.ad
.IP "\fBclient_address\fR"
The Client IP address that
is logged in the maillog file.
+.br
.IP "\fBclient_port\fR"
The client TCP port that is
logged in the maillog file.
+.br
.IP "\fBlocaltime\fR"
The server local time (Mmm dd
hh:mm:ss) that is logged in the maillog file.
+.br
.IP "\fBserver_name\fR"
The server's myhostname value.
This attribute is made available for sites with multiple MTAs
(perhaps behind a load-balancer), where the server name can help
the server support team to quickly find the right log files.
+.br
+.br
.PP
Notes:
.IP \(bu
.IP \(bu
For safety reasons, text that does not match
$smtpd_expansion_filter is censored.
+.br
.PP
This feature supports the two-character sequence \en as a request
for a line break in the footer text. Postfix automatically inserts
The recipient domain matches $relay_domains but the recipient
is not listed in $relay_recipient_maps, and $relay_recipient_maps
is not null.
+.br
.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_reject_unlisted_sender (default: no)
The sender domain matches $relay_domains but the sender is
not listed in $relay_recipient_maps, and $relay_recipient_maps is
not null.
+.br
.PP
This feature is available in Postfix 2.1 and later.
+.SH smtpd_relay_restrictions (default: permit_mynetworks, reject_unauth_destination)
+Access restrictions for mail relay control that the Postfix
+SMTP server applies in the context of the RCPT TO command, before
+smtpd_recipient_restrictions.
+See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
+restriction lists" for a discussion of evaluation context and time.
+.PP
+With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with smtpd_relay_restrictions,
+so that a permissive spam blocking policy under
+smtpd_recipient_restrictions will no longer result in a permissive
+mail relay policy.
+.PP
+For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set smtpd_relay_restrictions to the empty
+value, and use smtpd_recipient_restrictions exactly as before.
+.PP
+By default, the Postfix SMTP server accepts:
+.IP \(bu
+Mail from clients whose IP address matches $mynetworks, or:
+.IP \(bu
+Mail to remote destinations that match $relay_domains, except
+for addresses that contain sender-specified routing
+(user@elsewhere@domain), or:
+.IP \(bu
+Mail to local destinations that match $inet_interfaces
+or $proxy_interfaces, $mydestination, $virtual_alias_domains, or
+$virtual_mailbox_domains.
+.br
+.PP
+IMPORTANT: Either the smtpd_relay_restrictions or the
+smtpd_recipient_restrictions parameter must specify
+at least one of the following restrictions. Otherwise Postfix will
+refuse to receive mail:
+.sp
+.in +4
+.nf
+.na
+.ft C
+reject, reject_unauth_destination
+.fi
+.ad
+.ft R
+.in -4
+.sp
+.in +4
+.nf
+.na
+.ft C
+defer, defer_if_permit, defer_unauth_destination
+.fi
+.ad
+.ft R
+.in -4
+.PP
+Specify a list of restrictions, separated by commas and/or whitespace.
+Continue long lines by starting the next line with whitespace.
+The same restrictions are available as documented under
+smtpd_recipient_restrictions.
+.PP
+This feature is available in Postix 2.10 and later.
.SH smtpd_restriction_classes (default: empty)
User-defined aliases for groups of access restrictions. The aliases
can be specified in smtpd_recipient_restrictions etc., and on the
.nf
.na
.ft C
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under smtpd_relay_restrictions.
+smtpd_relay_restrictions =
+ permit_mynetworks, permit_sasl_authenticated, ...
+.fi
+.ad
+.ft R
+.PP
+.nf
+.na
+.ft C
+# With Postfix before 2.10, the relay policy can be
+# specified only under smtpd_recipient_restrictions.
smtpd_recipient_restrictions =
permit_mynetworks, permit_sasl_authenticated, ...
.fi
Specify zero or more of the following:
.IP "\fBnoplaintext\fR"
Disallow methods that use plaintext passwords.
+.br
.IP "\fBnoactive\fR"
Disallow methods subject to active (non-dictionary) attack.
+.br
.IP "\fBnodictionary\fR"
Disallow methods subject to passive (dictionary) attack.
+.br
.IP "\fBnoanonymous\fR"
Disallow methods that allow anonymous authentication.
+.br
.IP "\fBforward_secrecy\fR"
Only allow methods that support forward secrecy (Dovecot only).
+.br
.IP "\fBmutual_auth\fR"
Only allow methods that provide mutual authentication (not available
with Cyrus SASL version 1).
+.br
+.br
.PP
By default, the Postfix SMTP server accepts plaintext passwords but
not anonymous logins.
sender address of \fIuser@domain\fR:
.IP "1) \fIuser@domain\fR"
This table lookup is always done and has the highest precedence.
+.br
.IP "2) \fIuser\fR"
This table lookup is done only when the \fIdomain\fR part of the
sender address matches $myorigin, $mydestination, $inet_interfaces
or $proxy_interfaces.
+.br
.IP "3) \fI@domain\fR"
This table lookup is done last and has the lowest precedence.
+.br
+.br
.PP
In all cases the result of table lookup must be either "not found"
or a list of SASL login names separated by comma and/or whitespace.
.SH smtpd_sender_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the
-context of the MAIL FROM command.
+context of a client MAIL FROM command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
.PP
Search the specified \fBaccess\fR(5) database for the MAIL FROM
address, domain, parent domains, or localpart@, and execute the
corresponding action.
+.br
.IP "\fBcheck_sender_mx_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the MX hosts for
the MAIL FROM address, and execute the corresponding action. Note:
a result of "OK" is not allowed for safety reasons. Instead, use
DUNNO in order to exclude specific hosts from blacklists. This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBcheck_sender_ns_access \fItype:table\fR\fR"
Search the specified \fBaccess\fR(5) database for the DNS servers
for the MAIL FROM address, and execute the corresponding action.
Note: a result of "OK" is not allowed for safety reasons. Instead,
use DUNNO in order to exclude specific hosts from blacklists. This
feature is available in Postfix 2.1 and later.
+.br
.IP "\fBreject_authenticated_sender_login_mismatch\fR"
Enforces the reject_sender_login_mismatch restriction for
authenticated clients only. This feature is available in
Postfix version 2.1 and later.
+.br
.IP "\fBreject_non_fqdn_sender\fR"
Reject the request when the MAIL FROM address is not in
fully-qualified domain form, as required by the RFC.
The
non_fqdn_reject_code parameter specifies the response code for
rejected requests (default: 504).
+.br
.IP "\fBreject_rhsbl_sender \fIrbl_domain=d.d.d.d\fR\fR"
Reject the request when the MAIL FROM domain is listed with
the A record "\fId.d.d.d\fR" under \fIrbl_domain\fR (Postfix
specifies the default server reply; and the rbl_reply_maps parameter
specifies tables with server replies indexed by \fIrbl_domain\fR.
This feature is available in Postfix 2.0 and later.
+.br
.IP "\fBreject_sender_login_mismatch\fR"
Reject the request when $smtpd_sender_login_maps specifies an
owner for the MAIL FROM address, but the client is not (SASL) logged
in as that MAIL FROM address owner; or when the client is (SASL)
logged in, but the client login name doesn't own the MAIL FROM
address according to $smtpd_sender_login_maps.
+.br
.IP "\fBreject_unauthenticated_sender_login_mismatch\fR"
Enforces the reject_sender_login_mismatch restriction for
unauthenticated clients only. This feature is available in
Postfix version 2.1 and later.
+.br
.IP "\fBreject_unknown_sender_domain\fR"
Reject the request when Postfix is not final destination for
the sender address, and the MAIL FROM domain has 1) no DNS A or MX
The
unknown_address_tempfail_action parameter specifies the action
after a temporary DNS error (default: defer_if_permit).
+.br
.IP "\fBreject_unlisted_sender\fR"
Reject the request when the MAIL FROM address is not listed in
the list of valid recipients for its domain class. See the
smtpd_reject_unlisted_sender parameter description for details.
This feature is available in Postfix 2.1 and later.
+.br
.IP "\fBreject_unverified_sender\fR"
Reject the request when mail to the MAIL FROM address is known to
bounce, or when the sender address destination is not reachable.
.br
This feature is available
in Postfix 2.1 and later.
+.br
+.br
.PP
Other restrictions that are valid in this context:
.IP \(bu
under smtpd_sender_restrictions, they have effect only with
"smtpd_delay_reject = yes", so that $smtpd_sender_restrictions is
evaluated at the time of the RCPT TO command.
+.br
.PP
Examples:
.PP
.IP \(bu
With Postfix versions 2.0 and earlier, the Postfix SMTP
server delays all responses by (number of errors) seconds.
+.br
.SH smtpd_starttls_timeout (default: see "postconf -d" output)
The time limit for Postfix SMTP server write and read operations
during TLS startup and shutdown handshake procedures. The current
Don't use EECDH. Ciphers based on EECDH key
exchange will be disabled. This is the default in Postfix versions
2.6 and 2.7.
+.br
.IP "\fBstrong\fR"
Use EECDH with approximately 128
bits of security at a reasonable computational cost. This is the
current best-practice trade-off between security and computational
efficiency. This is the default in Postfix version 2.8 and later.
+.br
.IP "\fBultra\fR"
Use EECDH with approximately 192 bits of
security at computational cost that is approximately twice as high
as 128 bit strength ECC. Barring significant progress in attacks on
elliptic curve crypto-systems, the "strong" curve is sufficient for most
users.
+.br
+.br
.PP
This feature is available in Postfix 2.6 and later, when it is
compiled and linked with OpenSSL 1.0.0 or later.
errors
if client certificate verification is not required. With Postfix 2.8
and earlier, disable logging of TLS activity.
+.br
.IP ""
1 Also log trust-chain verification errors and peer
certificate name and issuer. With Postfix 2.8 and earlier, log TLS
handshake and certificate information.
+.br
.IP ""
2 Also log levels during TLS negotiation.
+.br
.IP ""
3 Also log hexadecimal and ASCII dump of TLS negotiation
process.
+.br
.IP ""
4 Also log hexadecimal and ASCII dump of complete
transmission after STARTTLS.
+.br
+.br
.PP
Do not use "smtpd_tls_loglevel = 2" or higher except in case
of problems. Use of loglevel 4 is strongly discouraged.
used with opportunistic TLS encryption. The underlying cipherlist
is specified via the tls_export_cipherlist configuration parameter,
which you are strongly encouraged to not change.
+.br
.IP "\fBlow\fR"
Enable "LOW" grade or stronger OpenSSL ciphers. The
underlying cipherlist is specified via the tls_low_cipherlist
configuration parameter, which you are strongly encouraged to
not change.
+.br
.IP "\fBmedium\fR"
Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit
or longer symmetric bulk-encryption keys. This is the default minimum
strength for mandatory TLS encryption. The underlying cipherlist is
specified via the tls_medium_cipherlist configuration parameter, which
you are strongly encouraged to not change.
+.br
.IP "\fBhigh\fR"
Enable only "HIGH" grade OpenSSL ciphers. The
underlying cipherlist is specified via the tls_high_cipherlist
configuration parameter, which you are strongly encouraged to
not change.
+.br
.IP "\fBnull\fR"
Enable only the "NULL" OpenSSL ciphers, these provide authentication
without encryption. This setting is only appropriate in the rare
enabled in TLS clients). The underlying cipherlist is specified via the
tls_null_cipherlist configuration parameter, which you are strongly
encouraged to not change.
+.br
+.br
.PP
Cipher types listed in
smtpd_tls_mandatory_exclude_ciphers or smtpd_tls_exclude_ciphers are
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
.PP
Since SSL version 2 has known protocol weaknesses and is now
deprecated, the default setting excludes "SSLv2". This means that
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix.
.PP
Example:
Specify one of the following security levels:
.IP "\fBnone\fR"
TLS will not be used.
+.br
.IP "\fBmay\fR"
Opportunistic TLS: announce STARTTLS support
to remote SMTP clients, but do not require that clients use TLS encryption.
+.br
.IP "\fBencrypt\fR"
Mandatory TLS encryption: announce
STARTTLS support to remote SMTP clients, and require that clients use TLS
encryption. According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced SMTP server. Instead, this option should
be used only on dedicated servers.
+.br
+.br
.PP
Note 1: the "fingerprint", "verify" and "secure" levels are not
supported here.
.IP \(bu
The message is received from the network, and the
remote_header_rewrite_domain parameter specifies a non-empty value.
+.br
.PP
To get the behavior before Postfix version 2.2, specify
"local_header_rewrite_clients = static:all".
you can only disable one of these via the hexadecimal syntax above.
.IP "\fBMICROSOFT_SESS_ID_BUG\fR"
See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBNETSCAPE_CHALLENGE_BUG\fR"
See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBLEGACY_SERVER_CONNECT\fR"
See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBNETSCAPE_REUSE_CIPHER_CHANGE_BUG\fR"
also aliased
as \fBCVE-2010-4180\fR. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.8q and OpenSSL 1.0.0c.
+.br
.IP "\fBSSLREF2_REUSE_CERT_TYPE_BUG\fR"
See
SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBMICROSOFT_BIG_SSLV3_BUFFER\fR"
See
SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBMSIE_SSLV2_RSA_PADDING\fR"
also aliased as
\fBCVE-2005-2969\fR. Postfix 2.8 disables this work-around by
default with OpenSSL versions that may predate the fix. Fixed in
OpenSSL 0.9.7h and OpenSSL 0.9.8a.
+.br
.IP "\fBSSLEAY_080_CLIENT_DH_BUG\fR"
See
SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBTLS_D5_BUG\fR"
See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBTLS_BLOCK_PADDING_BUG\fR"
See SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBTLS_ROLLBACK_BUG\fR"
See SSL_CTX_\fBset_options\fR(3).
This is disabled in OpenSSL 0.9.7 and later. Nobody should still
be using 0.9.6!
+.br
.IP "\fBDONT_INSERT_EMPTY_FRAGMENTS\fR"
See
SSL_CTX_\fBset_options\fR(3)
+.br
.IP "\fBCRYPTOPRO_TLSEXT_BUG\fR"
New with GOST support in
OpenSSL 1.0.0.
+.br
+.br
.PP
This feature is available in Postfix 2.8 and later.
.SH tls_eecdh_strong_curve (default: prime256v1)
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern.
.IP "\fBsmtpd_client_restrictions (empty)\fR"
-Optional Postfix SMTP server access restrictions in the context of
-a remote SMTP client connection request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client connection request.
.IP "\fBsmtpd_helo_required (no)\fR"
Require that a remote SMTP client introduces itself with the HELO
or EHLO command before sending the MAIL command or other commands
that require EHLO negotiation.
.IP "\fBsmtpd_helo_restrictions (empty)\fR"
Optional restrictions that the Postfix SMTP server applies in the
-context of the SMTP HELO command.
+context of a client HELO command.
.IP "\fBsmtpd_sender_restrictions (empty)\fR"
Optional restrictions that the Postfix SMTP server applies in the
-context of the MAIL FROM command.
-.IP "\fBsmtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
-The access restrictions that the Postfix SMTP server applies in
-the context of the RCPT TO command.
+context of a client MAIL FROM command.
+.IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR"
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client RCPT TO command, after smtpd_relay_restrictions.
.IP "\fBsmtpd_etrn_restrictions (empty)\fR"
-Optional SMTP server access restrictions in the context of a client
-ETRN request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client ETRN command.
.IP "\fBallow_untrusted_routing (no)\fR"
Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $relay_domains.
.IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
Optional access restrictions that the Postfix SMTP server
applies in the context of the SMTP END-OF-DATA command.
+.PP
+Available in Postfix version 2.10 and later:
+.IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
+Access restrictions for mail relay control that the Postfix
+SMTP server applies in the context of the RCPT TO command, before
+smtpd_recipient_restrictions.
.SH "SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS"
.na
.nf
$block =~ s/<ul>/\n/g;
#$block =~ s/<\/dl>/\n.PP\n/g;
#$block =~ s/<\/ul>/\n.PP\n/g;
- $block =~ s/<\/dl>/\n/g;
- $block =~ s/<\/ul>/\n/g;
+ $block =~ s/<\/dl>/\n.br\n/g;
+ $block =~ s/<\/ul>/\n.br\n/g;
$block =~ s/<dd>\s*/\n/g;
- $block =~ s/<\/dd>/\n/g;
+ $block =~ s/<\/dd>/\n.br\n/g;
$block =~ s/<li>\s*/\n.IP \\(bu\n/g;
$block =~ s/<dt>\s*/\n.IP "/g;
$block =~ s/\s*<\/dt>/"/g;
s;\bsmtpd_proxy_timeout\b;<a href="postconf.5.html#smtpd_proxy_timeout">$&</a>;g;
s;\bsmtpd_proxy_options\b;<a href="postconf.5.html#smtpd_proxy_options">$&</a>;g;
s;\bsmtpd_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#smtpd_recipient_limit">$&</a>;g;
- s;\bsmtpd_recip[-</bB>]*\n* *[<bB>]*ient_restrictions\b;<a href="postconf.5.html#smtpd_recipient_restrictions">$&</a>;g;
+ s;\bsmtpd_recip[-</bB>]*\n* *[<bB>]*ient_restric[-</bB>]*\n* *[<bB>]*tions\b;<a href="postconf.5.html#smtpd_recipient_restrictions">$&</a>;g;
+ s;\bsmtpd_relay_restrictions\b;<a href="postconf.5.html#smtpd_relay_restrictions">$&</a>;g;
s;\bsmtpd_reject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient\b;<a href="postconf.5.html#smtpd_reject_unlisted_recipient">$&</a>;g;
s;\bsmtpd_reject_unlisted_sender\b;<a href="postconf.5.html#smtpd_reject_unlisted_sender">$&</a>;g;
s;\bsmtpd_restriction_classes\b;<a href="postconf.5.html#smtpd_restriction_classes">$&</a>;g;
s;\bcheck_reverse_client_hostname_ns_access\b;<a href="postconf.5.html#check_reverse_client_hostname_ns_access">$&</a>;g;
s;\bpermit_inet_interfaces\b;<a href="postconf.5.html#permit_inet_interfaces">$&</a>;g;
s;\bpermit_mynetworks\b;<a href="postconf.5.html#permit_mynetworks">$&</a>;g;
- s;\bpermit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g;
+ s;\bper
[-</bB>]*\n* *[<bB>]*mit_sasl_authenticated\b;<a href="postconf.5.html#permit_sasl_authenticated">$&</a>;g;
s;\bpermit_tls_clientcerts\b;<a href="postconf.5.html#permit_tls_clientcerts">$&</a>;g;
s;\bpermit_tls_all_clientcerts\b;<a href="postconf.5.html#permit_tls_all_clientcerts">$&</a>;g;
s;\breject_unknown_client_hostname\b;<a href="postconf.5.html#reject_unknown_client_hostname">$&</a>;g;
s;\breject_non_fqdn_recip[-</bB>]*\n* *[<bB>]*ient\b;<a href="postconf.5.html#reject_non_fqdn_recipient">$&</a>;g;
s;\breject_rhsbl_recip[-</bB>]*\n* *[<bB>]*ient\b;<a href="postconf.5.html#reject_rhsbl_recipient">$&</a>;g;
s;\breject_unauth_destination\b;<a href="postconf.5.html#reject_unauth_destination">$&</a>;g;
+ s;\bdefer_unauth_destination\b;<a href="postconf.5.html#defer_unauth_destination">$&</a>;g;
s;\breject_unknown_recipi[-</bB>]*\n*[ <bB>]*ent_domain\b;<a href="postconf.5.html#reject_unknown_recipient_domain">$&</a>;g;
s;\breject_unlisted_recip[-</bB>]*\n* *[<bB>]*ient\b;<a href="postconf.5.html#reject_unlisted_recipient">$&</a>;g;
s;\breject_unver[-</bB>]*\n*[ <bB>]*ified_recip[-</bB>]*\n* *[<bB>]*ient\b;<a href="postconf.5.html#reject_unverified_recipient">$&</a>;g;
<td rowspan="3" align="center" valign="bottom"> <tt> -> </tt>
</td>
- <td rowspan="3" align="center" valign="middle"> probe<br>
- message </td>
+ <td rowspan="3" align="center" valign="middle"> probe<br>
+ message </td>
<td rowspan="3" align="center" valign="middle"> <tt> -> </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- Postfix<br> mail<br> queue </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+ Postfix<br> mail<br> queue </td>
</tr>
<td rowspan="3" align="center" valign="middle"> <tt> -> </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="smtpd.8.html">Postfix<br> SMTP<br> server</a> </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="smtpd.8.html">Postfix<br> SMTP<br> server</a> </td>
<td rowspan="3" align="center" valign="middle"> <tt> <->
</tt> </td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="verify.8.html">Postfix<br> verify<br> server</a>
- </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="verify.8.html">Postfix<br> verify<br> server</a>
+ </td>
</tr>
<td rowspan="3" align="center" valign="top"> <tt> <- </tt>
</td>
- <td rowspan="3" align="center" valign="middle"> probe<br>
- status </td>
+ <td rowspan="3" align="center" valign="middle"> probe<br>
+ status </td>
<td rowspan="3" align="center" valign="middle"> <tt> <- </tt>
</td>
- <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
- Postfix<br> delivery<br> agents </td>
+ <td rowspan="3" bgcolor="#f0f0ff" align="center" valign="middle">
+ Postfix<br> delivery<br> agents </td>
<td rowspan="3" align="left" valign="middle"> <tt>-></tt>
Local<br> <tt>-></tt> Remote</td>
<td rowspan="3" colspan="4" align="center" valign="middle">
</td>
- <td rowspan="3" align="center" valign="middle"> <tt>
- ^</tt><br> <tt> |</tt><br> <tt> v</tt> </td>
+ <td rowspan="3" align="center" valign="middle"> <tt>
+ ^</tt><br> <tt> |</tt><br> <tt> v</tt> </td>
</tr>
<td colspan="4" align="center" valign="middle"> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- Address<br> verification<br> database </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+ Address<br> verification<br> database </td>
</tr>
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified under smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
reject_unauth_destination
...
reject_unknown_recipient_domain
<p> The unverified_sender_reject_reason parameter (default:
empty) specifies fixed text that Postfix will send to remote SMTP
-clients, instead of sending actual addres verification details.
+clients, instead of sending actual address verification details.
Do not specify the SMTP status code or enhanced status code. </p>
<p> The unverified_sender_tempfail_action parameter (default:
<td colspan="2"> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">
- <a href="QSHAPE_README.html#maildrop_queue"> maildrop <br>
- queue </a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">
+
<a href="QSHAPE_README.html#maildrop_queue"> maildrop <br>
+ queue </a> </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
- postdrop(1) </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
+ postdrop(1) </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
- sendmail(1) </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Postfix<br>
+ sendmail(1) </td>
<td align="center" valign="middle"> <tt> <- </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle">Content
- <br> filter </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle">Content
+ <br> filter </td>
<td colspan="2"> </td>
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ -o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
<hr>
+<h2> Host lookup issues </h2>
+
+<p> By default Linux /etc/hosts lookups do not support multiple IP
+address per hostname. This causes warnings from the Postfix SMTP
+server that "hostname XXX does not resolve to address YYY", and is
+especially a problem with hosts that have both IPv4 and IPv6
+addresses. To fix, turn on support for multiple IP addresses: </p>
+
+<blockquote>
+<pre>
+/etc/host.conf:
+ ...
+ # We have machines with multiple IP addresses.
+ multi on
+ ...
+</pre>
+</blockquote>
+
<h2>Berkeley DB issues</h2>
<p> If you can't compile Postfix because the file "db.h"
# With multiple instances, rarely need "-o param=value" overrides
# in master.cf, each instance gets its own main.cf file.
#
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject
# Tolerate occasional high latency in the content filter.
<p> The tlsproxy(8) implementation led to the discovery of a "new"
class of vulnerability (<a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411"
->CVE-2011-0411</a>) that affected multiple implementations of TLS
-over SMTP, POP, IMAP, NNTP, and FTP. </p>
+>CVE-2011-0411</a>) that affected multiple implementations of SMTP,
+POP, IMAP, NNTP, and FTP over TLS. </p>
<p> postscreen(8) was officially released as part of the Postfix
2.8 stable release in January 2011.</p>
permissive = permit
smtpd_recipient_restrictions =
- permit_mynetworks
- reject_unauth_destination
- check_recipient_access hash:/etc/postfix/recipient_access
+ permit_mynetworks
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified with smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
+ reject_unauth_destination
+ check_recipient_access hash:/etc/postfix/recipient_access
+ ...
/etc/postfix/recipient_access:
- joe@my.domain permissive
- jane@my.domain restrictive
+ joe@my.domain permissive
+ jane@my.domain restrictive
</pre>
</blockquote>
<pre>
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_recipient_access hash:/etc/postfix/access
<i>...the usual stuff...</i>
<pre>
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_recipient_access hash:/etc/postfix/protected_destinations
<i>...the usual stuff...</i>
<pre>
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
+ ...
check_sender_access hash:/etc/postfix/restricted_senders
<i>...other stuff...</i>
<h4><a name="server_sasl_authz_relay">Mail relay authorization</a></h4>
-<p> The <code>permit_sasl_authenticated</code> restriction allows
+<p> With <code>permit_sasl_authenticated</code> the Postfix SMTP
+server can allow
SASL-authenticated SMTP clients to send mail to remote destinations.
-Add it to the list of <code>smtpd_recipient_restrictions</code> as
-follows: </p>
+Examples:
+</p>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under smtpd_relay_restrictions.
+/etc/postfix/main.cf:
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ <strong>permit_sasl_authenticated</strong>
+ reject_unauth_destination
+</pre>
+
+<pre>
+# Older configurations combine relay control and spam control under
+# smtpd_recipient_restrictions. To use this example with Postfix ≥
+# 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- ...
- permit_mynetworks
- <strong>permit_sasl_authenticated</strong>
- reject_unauth_destination
- ...
+ permit_mynetworks
+ <strong>permit_sasl_authenticated</strong>
+ reject_unauth_destination
+ ...other rules...
</pre>
</blockquote>
smtpd_recipient_restrictions =
...
<strong>reject_sender_login_mismatch</strong>
- permit_sasl_authenticated
- permit_mynetworks
- reject_unauth_destination
+ permit_sasl_authenticated
...
</pre>
</blockquote>
</blockquote>
<p> Instead of port 25 (smtp), specify port 587 (submission) where
-appriopriate. </p>
+appropriate. </p>
<h4>Encrypted SMTP session (TLS)</h4>
<p> By default, Postfix has a moderately restrictive approach to
mail relaying. Postfix forwards mail only from clients in trusted
-networks, or to domains that are configured as authorized relay
-destinations. For a description of the default policy, see the
-smtpd_recipient_restrictions parameter in the postconf(5) manual
-page, and the information that is referenced from there. </p>
+networks, from clients that have authenticated with SASL, or to
+domains that are configured as authorized relay
+destinations. For a description of the default mail relay policy,
+see the smtpd_relay_restrictions parameter in the postconf(5) manual
+page, and the information that is referenced from there. </p>
+
+<blockquote> <p> NOTE: Postfix versions before 2.10 did not have
+smtpd_relay_restrictions. They combined the mail relay and spam
+blocking policies, under smtpd_recipient_restrictions. This could
+lead to unexpected results. For example, a permissive spam blocking
+policy could unexpectedly result in a permissive mail relay policy.
+An example of this is documented under "<a href="#danger">Dangerous
+use of smtpd_recipient_restrictions</a>". </p> </blockquote>
<p> Most of the Postfix SMTP server access controls are targeted
at stopping junk email. </p>
# Don't accept mail from domains that don't exist.
smtpd_sender_restrictions = reject_unknown_sender_domain
- # Whitelisting: local clients may specify any destination domain.
- smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
+ # Relay control (Postfix 2.10 and later): local clients and
+ # authenticated clients may specify any destination domain.
+ smtpd_relay_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ reject_unauth_destination
+
+ # Spam control: exclude local clients and authenticated clients
+ # from DNSBL lookups.
+ smtpd_recipient_restrictions = permit_mynetworks,
+ permit_sasl_authenticated,
+ # reject_unauth_destination is not needed here if the mail
+ # relay policy is specified under smtpd_relay_restrictions
+ # (available with Postfix 2.10 and later).
+ reject_unauth_destination
+ reject_rbl_client zen.spamhaus.org,
+ reject_rhsbl_helo dbl.spamhaus.org,
+ reject_rhsbl_sender dbl.spamhaus.org
# Block clients that speak too early.
smtpd_data_restrictions = reject_unauth_pipelining
<table border="1">
-<tr> <th> Restriction list name </th> <th> Status </th> <th> Effect
+<tr> <th> Restriction list name </th> <th> Version </th> <th> Status
+</th> <th> Effect
of REJECT or DEFER result </th> </tr>
-<tr> <td> smtpd_client_restrictions </td> <td> Optional </td> <td>
+<tr> <td> smtpd_client_restrictions </td> <td> All </td> <td>
+Optional </td> <td>
Reject all client commands </td> </tr>
-<tr> <td> smtpd_helo_restrictions </td> <td> Optional </td> <td>
+<tr> <td> smtpd_helo_restrictions </td> <td> All </td> <td> Optional
+</td> <td>
Reject HELO/EHLO information </td> </tr>
-<tr> <td> smtpd_sender_restrictions </td> <td> Optional </td> <td>
+<tr> <td> smtpd_sender_restrictions </td> <td> All </td> <td>
+Optional </td> <td>
Reject MAIL FROM information </td> </tr>
-<tr> <td> smtpd_recipient_restrictions </td> <td> Required </td>
-<td> Reject RCPT TO information </td> </tr>
+<tr> <td rowspan="2"> smtpd_relay_restrictions </td> <td> ≥ 2.10
+</td> <td> Required if smtpd_recipient_restrictions does not enforce
+relay policy</td>
+<td rowspan="2"> Reject RCPT TO information </td> </tr>
-<tr> <td> smtpd_data_restrictions </td> <td> Optional </td> <td>
+<tr> <td> < 2.10</td> <td> Not available </td>
+</tr>
+
+<tr> <td rowspan="2"> smtpd_recipient_restrictions </td> <td> ≥
+2.10 </td> <td> Required if smtpd_relay_restrictions does not enforce
+relay policy</td>
+<td rowspan="2"> Reject RCPT TO information </td> </tr>
+
+<tr> <td> < 2.10</td> <td> Required </td> </tr>
+
+<tr> <td> smtpd_data_restrictions </td> <td> ≥ 2.0 </td> <td>
+Optional </td> <td>
Reject DATA command </td> </tr>
-<tr> <td> smtpd_end_of_data_restrictions </td> <td> Optional </td> <td>
+<tr> <td> smtpd_end_of_data_restrictions </td> <td> ≥ 2.2 </td>
+<td> Optional </td> <td>
Reject END-OF-DATA command </td> </tr>
-<tr> <td> smtpd_etrn_restrictions </td> <td> Optional </td> <td>
+<tr> <td> smtpd_etrn_restrictions </td> <td> All </td> <td> Optional
+</td> <td>
Reject ETRN command </td> </tr>
</table>
helo and sender restriction lists until the RCPT TO or ETRN command.
This behavior is controlled by the smtpd_delay_reject parameter.
Restriction lists are still evaluated in the proper order of (client,
-helo, etrn) or (client, helo, sender, recipient, data, or end-of-data)
-restrictions.
+helo, etrn) or (client, helo, sender, relay, recipient, data, or
+end-of-data) restrictions.
When a restriction list (example: client) evaluates to REJECT or
-DEFER the other restriction lists (example: helo, sender, etc.)
+DEFER the restriction lists that follow (example: helo, sender, etc.)
are skipped. </p>
<p> Around the time that smtpd_delay_reject was introduced, Postfix
no surprises here. If the result is PERMIT, then the recipient
address is accepted. And this is where surprises can happen. </p>
+<p> The problem is that Postfix versions before 2.10 did not have
+smtpd_relay_restrictions. They combined the mail relay and spam
+blocking policies, under smtpd_recipient_restrictions. The result
+is that a permissive spam blocking policy could unexpectedly result
+in a permissive mail relay policy. </p>
+
<p> Here is an example that shows when a PERMIT result can result
in too much access permission: </p>
3 permit_mynetworks
4 check_helo_access hash:/etc/postfix/helo_access
5 reject_unknown_helo_hostname
-6 reject_unauth_destination
+6 <b>reject_unauth_destination</b>
7
8 /etc/postfix/helo_access:
9 localhost.localdomain PERMIT
that announces itself as "localhost.localdomain", making Postfix
an open relay for all such hosts. </p>
-<p> In order to avoid surprises like these with
-smtpd_recipient_restrictions, you should place non-recipient
+<p> With Postfix before version 2.10 you should place non-recipient
restrictions AFTER the reject_unauth_destination restriction, not
before. In the above example, the HELO based restrictions should
be placed AFTER reject_unauth_destination, or better, the HELO
based restrictions should be placed under smtpd_helo_restrictions
where they can do no harm. </p>
+<pre>
+1 /etc/postfix/main.cf:
+2 smtpd_recipient_restrictions =
+3 permit_mynetworks
+4 <b>reject_unauth_destination</b>
+5 check_helo_access hash:/etc/postfix/helo_access
+6 reject_unknown_helo_hostname
+7
+8 /etc/postfix/helo_access:
+9 localhost.localdomain PERMIT
+</pre>
+
+<p> The above mistake will not happen with Postfix 2.10 and later,
+when the relay policy is specified under smtpd_relay_restrictions,
+and the spam blocking policy under smtpd_recipient_restrictions.
+Then, a permissive spam blocking policy will not result in a
+permissive mail relay policy. </p>
+
<h2> <a name="testing"> SMTP access rule testing </a> </h2>
<p> Postfix has several features that aid in SMTP access rule
"-", to avoid "connection refused" and other problems when you
increase the smtpd process limit. </p>
+<li> <p> Line 8: reject_unauth_destination is not needed here if
+the mail relay policy is specified with smtpd_relay_restrictions
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Lines 8, 9: always specify "check_policy_service" AFTER
"reject_unauth_destination" or else your system could become an
open relay. </p>
built-in suffix (in the above example: "_time_limit"). </p>
</blockquote>
-<li> <p> Solaris UNIX-domain sockets do not work reliably. Use
-TCP sockets instead: </p>
+<li> <p> With Solaris < 9, or Postfix < 2.10 on any Solaris
+version, use TCP sockets instead of UNIX-domain sockets: </p>
</ul>
See the spawn(8) manpage for more information about the
<i>transport</i>_time_limit parameter. </p>
+<li> <p> Line 9: reject_unauth_destination is not needed here if
+the mail relay policy is specified with smtpd_relay_restrictions
+(available with Postfix 2.10 and later). </p>
+
<blockquote> <p> Note: the "greylist_time_limit" parameter will not
show up in "postconf" command output before Postfix version 2.9.
This limitation applies to many parameters whose name is a combination
</ul>
-<p> On Solaris you must use inet: style sockets instead of unix:
+<p> With Solaris < 9, or Postfix < 2.10 on any Solaris
+version, use inet: style sockets instead of unix:
style, as detailed in the "<a href="#client_config">Policy
client/server configuration</a>" section above. </p>
<ul>
-<li> <p> Line 9: On Solaris you must use inet: style sockets
+<li> <p> Line 9: On Solaris < 9, or Postfix < 2.10 on any
+Solaris version, use inet: style sockets
instead of unix: style, as detailed in the "<a href="#greylist">Example:
greylist policy server</a>" section above. </p>
+<li> <p> Line 5: reject_unauth_destination is not needed here if
+the mail relay policy is specified with smtpd_relay_restrictions
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Line 6: Be sure to specify "check_sender_access" AFTER
"reject_unauth_destination" or else your system could become an
open mail relay. </p>
<ul>
-<li> <p> Line 7: On Solaris you must use inet: style sockets
+<li> <p> Line 7: On Solaris < 9, or Postfix < 2.10 on any
+Solaris version, use inet: style sockets
instead of unix: style, as detailed in the "<a href="#greylist">Example:
greylist policy server</a>" section above. </p>
+<li> <p> Line 5: reject_unauth_destination is not needed here if
+the mail relay policy is specified with smtpd_relay_restrictions
+(available with Postfix 2.10 and later). </p>
+
<li> <p> Lines 6-7: Be sure to specify check_sender_access and
check_policy_service AFTER reject_unauth_destination or else your
system could become an open mail relay. </p>
<tr>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> Internet </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> Internet </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
- </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
+ </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <b>Before</b> <b>queue</b> <b>filter</b> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> <b>Before</b> <b>queue</b> <b>filter</b> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
- </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server</a>
+ </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="cleanup.8.html">Postfix cleanup
- server</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="cleanup.8.html">Postfix cleanup
+ server</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> Postfix queue </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> Postfix queue </td>
<td align="center" valign="middle" width="5%"> <tt> -< </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtp.8.html">smtp</a><br> <a
- href="local.8.html">local</a><br> <a
- href="virtual.8.html">virtual</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtp.8.html">smtp</a><br> <a
+
href="local.8.html">local</a><br> <a
+ href="virtual.8.html">virtual</a> </td>
</tr>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
- port 25</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
+ port 25</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> filter on localhost port 10025 </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+ width="10%"> filter on localhost port 10025 </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
- localhost port 10026</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="smtpd.8.html">Postfix SMTP server on
+ localhost port 10026</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
- <td bgcolor="#f0f0ff" align="center" valign="middle"
- width="10%"> <a href="cleanup.8.html">Postfix cleanup
- server</a> </td>
+ <td bgcolor="#f0f0ff" align="center" valign="middle"
+
width="10%"> <a href="cleanup.8.html">Postfix cleanup
+ server</a> </td>
<td align="center" valign="middle" width="5%"> <tt> -> </tt> </td>
smtp inet n - n - 20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
- # Postfix 2.7 and later performance feature.
- # -o smtpd_proxy_options=speed_adjust
+ # Postfix 2.7 and later performance feature.
+ # -o smtpd_proxy_options=speed_adjust
#
# After-filter SMTP server. Receive mail from the content filter
# on localhost port 10026.
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
+ # Postfix 2.10 and later: specify empty smtpd_relay_restrictions.
+ -o smtpd_relay_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=
-o mynetworks=127.0.0.0/8
3 relay_domains = example.com
4 parent_domain_matches_subdomains =
5 debug_peer_list smtpd_access_maps
- 6 smtpd_recipient_restrictions =
- 7 permit_mynetworks reject_unauth_destination
- 8
- 9 relay_recipient_maps = hash:/etc/postfix/relay_recipients
-10 transport_maps = hash:/etc/postfix/transport
-11
-12 /etc/postfix/relay_recipients:
-13 user1@example.com x
-14 user2@example.com x
-15 . . .
-16
-17 /etc/postfix/transport:
-18 example.com smtp:[inside-gateway.example.com]
+<br>
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a smtpd_relay_restrictions =
+ 9a permit_mynetworks reject_unauth_destination
+10a smtpd_recipient_restrictions = ...spam blocking rules....
+<br>
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=".
+ 8b smtpd_recipient_restrictions =
+ 9b permit_mynetworks reject_unauth_destination
+10b ...spam blocking rules....
+<br>
+11 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+12 transport_maps = hash:/etc/postfix/transport
+13
+14 /etc/postfix/relay_recipients:
+15 user1@example.com x
+16 user2@example.com x
+17 . . .
+18
+19 /etc/postfix/transport:
+20 example.com smtp:[inside-gateway.example.com]
</pre>
</blockquote>
<p> Translation: </p>
<ul>
-
-<li><p> Lines 1-7: Accept mail from local systems in $mynetworks,
+
+<li><p> Lines 1-10: Accept mail from local systems in $mynetworks,
and accept mail from outside for "user@example.com" but not for
"user@anything.example.com". The magic is in lines 4-5. </p>
-<li> <p> Lines 9, 12-14: Define the list of valid addresses in the
+<li> <p> Lines 11, 13-16: Define the list of valid addresses in the
"example.com" domain that can receive mail from the Internet. This
prevents the mail queue from filling up with undeliverable
MAILER-DAEMON messages. If you can't maintain a list of valid
is, an empty value), or you must specify an "@example.com x"
wild-card in the relay_recipients table. </p>
-<li> <p> Lines 10, 17-18: Route mail for "example.com" to the inside
+<li> <p> Lines 12, 19-20: Route mail for "example.com" to the inside
gateway machine. The <tt>[]</tt> forces Postfix to do no MX lookup.
</p>
3
4 /etc/postfix/main.cf:
5 relay_domains = . . . the.backed-up.domain.tld
- 6 smtpd_recipient_restrictions =
- 7 permit_mynetworks reject_unauth_destination
- 8
- 9 # You must specify your NAT/proxy external address.
-10 #proxy_interfaces = 1.2.3.4
-11
-12 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+<br>
+ 6a # Postfix 2.10 and later support separate relay control and
+ 7a # spam control.
+ 8a smtpd_relay_restrictions =
+ 9a permit_mynetworks reject_unauth_destination
+10a smtpd_recipient_restrictions = ...spam blocking rules....
+<br>
+ 6b # Older configurations combine relay control and spam control. To
+ 7b # use this with Postfix ≥ 2.10 specify "smtpd_relay_restrictions=".
+ 8b smtpd_recipient_restrictions =
+ 9b permit_mynetworks reject_unauth_destination
+10b ...spam blocking rules....
+<br>
+11 # You must specify your NAT/proxy external address.
+12 #proxy_interfaces = 1.2.3.4
13
-14 /etc/postfix/relay_recipients:
-15 user1@the.backed-up.domain.tld x
-16 user2@the.backed-up.domain.tld x
-17 . . .
+14 relay_recipient_maps = hash:/etc/postfix/relay_recipients
+15
+16 /etc/postfix/relay_recipients:
+17 user1@the.backed-up.domain.tld x
+18 user2@the.backed-up.domain.tld x
+19 . . .
</pre>
</blockquote>
<blockquote>
<pre>
-18 /etc/postfix/main.cf:
-19 transport_maps = hash:/etc/postfix/transport
-20
-21 /etc/postfix/transport:
-22 the.backed-up.domain.tld relay:[their.mail.host.tld]
+20 /etc/postfix/main.cf:
+21 transport_maps = hash:/etc/postfix/transport
+22
+23 /etc/postfix/transport:
+24 the.backed-up.domain.tld relay:[their.mail.host.tld]
</pre>
</blockquote>
<li><p>Do not list the.backed-up.domain.tld in virtual_mailbox_domains.</p>
-<li> <p> Lines 1-7: Forward mail from the Internet for
+<li> <p> Lines 1-9: Forward mail from the Internet for
"the.backed-up.domain.tld" to the primary MX host for that domain.
</p>
-<li> <p> Line 10: This is a must if Postfix receives mail via a
+<li> <p> Line 12: This is a must if Postfix receives mail via a
NAT relay or proxy that presents a different IP address to the
world than the local machine. </p>
-<li> <p> Lines 12-16: Define the list of valid addresses in the
+<li> <p> Lines 14-18: Define the list of valid addresses in the
"the.backed-up.domain.tld" domain. This prevents your mail queue
from filling up with undeliverable MAILER-DAEMON messages. If you
can't maintain a list of valid recipients then you must specify
specify an "@the.backed-up.domain.tld x" wild-card in the
relay_recipients table. </p>
-<li> <p> Line 22: The <tt>[]</tt> forces Postfix to do no MX lookup. </p>
+<li> <p> Line 24: The <tt>[]</tt> forces Postfix to do no MX lookup. </p>
</ul>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under smtpd_relay_restrictions.
+/etc/postfix/main.cf:
+ smtpd_relay_restrictions =
+ permit_mynetworks
+ permit_tls_clientcerts
+ reject_unauth_destination
+</pre>
+
+<pre>
+# Older configurations combine relay control and spam control under
+# smtpd_recipient_restrictions. To use this example with Postfix ≥
+# 2.10 specify "smtpd_relay_restrictions=".
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
- ...
+ permit_mynetworks
permit_tls_clientcerts
reject_unauth_destination
- ...
+ ...other rules...
</pre>
</blockquote>
cipher that the server supports. With SSLv3 and later, the server
may choose its own most preferred cipher that is supported (offered)
by the client. Setting "tls_preempt_cipherlist = yes" enables server
-cipher preferences. The default OpenSSL behaviour applies with
+cipher preferences. The default OpenSSL behavior applies with
"tls_preempt_cipherlist = no". </p>
<p> While server cipher selection may in some cases lead to a more secure
recommended ones. </p>
<p> You can use the smtpd_command_filter feature to append XVERP
-to SMTP commands from legacy sofware. This requires Postfix 2.7
+to SMTP commands from legacy software. This requires Postfix 2.7
or later. </p>
<blockquote>
<p>
In particular, "trusted" SMTP clients are allowed to relay mail
-through Postfix. See the smtpd_recipient_restrictions parameter
+through Postfix. See the smtpd_relay_restrictions parameter
description in the postconf(5) manual.
</p>
%PARAM smtpd_client_restrictions
<p>
-Optional Postfix SMTP server access restrictions in the context of
-a remote SMTP client connection request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client connection request.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
%PARAM smtpd_etrn_restrictions
<p>
-Optional SMTP server access restrictions in the context of a client
-ETRN request.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client ETRN command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
<p>
Optional restrictions that the Postfix SMTP server applies in the
-context of the SMTP HELO command.
+context of a client HELO command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
accepts per message delivery request.
</p>
-%PARAM smtpd_recipient_restrictions permit_mynetworks, reject_unauth_destination
+%PARAM smtpd_recipient_restrictions see "postconf -d" output
<p>
-The access restrictions that the Postfix SMTP server applies in
-the context of the RCPT TO command.
+Optional restrictions that the Postfix SMTP server applies in the
+context of a client RCPT TO command, after smtpd_relay_restrictions.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
-<p>
-By default, the Postfix SMTP server accepts:
-</p>
-
-<ul>
-
-<li> Mail from clients whose IP address matches $mynetworks, or:
+<p> With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with smtpd_relay_restrictions,
+so that a permissive spam blocking policy under
+smtpd_recipient_restrictions will no longer result in a permissive
+mail relay policy. </p>
-<li> Mail to remote destinations that match $relay_domains, except
-for addresses that contain sender-specified routing
-(user@elsewhere@domain), or:
-
-<li> Mail to local destinations that match $inet_interfaces
-or $proxy_interfaces, $mydestination, $virtual_alias_domains, or
-$virtual_mailbox_domains.
-
-</ul>
+<p> For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set smtpd_relay_restrictions to the empty
+value, and use smtpd_recipient_restrictions exactly as before. </p>
<p>
-IMPORTANT: If you change this parameter setting, you must specify
+IMPORTANT: Either the smtpd_relay_restrictions or the
+smtpd_recipient_restrictions parameter must specify
at least one of the following restrictions. Otherwise Postfix will
refuse to receive mail:
</p>
<blockquote>
<pre>
-reject, defer, defer_if_permit, reject_unauth_destination
+reject, reject_unauth_destination
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+defer, defer_if_permit, defer_unauth_destination
</pre>
</blockquote>
$virtual_alias_domains, or $virtual_mailbox_domains, and contains
no sender-specified routing (user@elsewhere@domain).
-</ul> The relay_domains_reject_code parameter specifies the response
+</ul>The relay_domains_reject_code parameter specifies the response
code for rejected requests (default: 554). </dd>
+<dt><b><a name="defer_unauth_destination">defer_unauth_destination</a></b></dt>
+
+<dd> Reject the same requests as reject_unauth_destination, with a
+non-permanent error code. This feature is available in Postfix
+2.10 and later.</dd>
+
<dt><b><a name="reject_unknown_recipient_domain">reject_unknown_recipient_domain</a></b></dt>
<dd>Reject the request when Postfix is not final destination for
</p>
<pre>
+# The Postfix before 2.10 default mail relay policy. Later Postfix
+# versions implement this preferably with smtpd_relay_restrictions.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
</pre>
+%PARAM smtpd_relay_restrictions permit_mynetworks, reject_unauth_destination
+
+<p> Access restrictions for mail relay control that the Postfix
+SMTP server applies in the context of the RCPT TO command, before
+smtpd_recipient_restrictions.
+See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
+restriction lists" for a discussion of evaluation context and time.
+</p>
+
+<p> With Postfix versions before 2.10, the rules for relay permission
+and spam blocking were combined under smtpd_recipient_restrictions,
+resulting in error-prone configuration. As of Postfix 2.10, relay
+permission rules are preferably implemented with smtpd_relay_restrictions,
+so that a permissive spam blocking policy under
+smtpd_recipient_restrictions will no longer result in a permissive
+mail relay policy. </p>
+
+<p> For backwards compatibility, sites that migrate from Postfix
+versions before 2.10 can set smtpd_relay_restrictions to the empty
+value, and use smtpd_recipient_restrictions exactly as before. </p>
+
+<p>
+By default, the Postfix SMTP server accepts:
+</p>
+
+<ul>
+
+<li> Mail from clients whose IP address matches $mynetworks, or:
+
+<li> Mail to remote destinations that match $relay_domains, except
+for addresses that contain sender-specified routing
+(user@elsewhere@domain), or:
+
+<li> Mail to local destinations that match $inet_interfaces
+or $proxy_interfaces, $mydestination, $virtual_alias_domains, or
+$virtual_mailbox_domains.
+
+</ul>
+
+<p>
+IMPORTANT: Either the smtpd_relay_restrictions or the
+smtpd_recipient_restrictions parameter must specify
+at least one of the following restrictions. Otherwise Postfix will
+refuse to receive mail:
+</p>
+
+<blockquote>
+<pre>
+reject, reject_unauth_destination
+</pre>
+</blockquote>
+
+<blockquote>
+<pre>
+defer, defer_if_permit, defer_unauth_destination
+</pre>
+</blockquote>
+
+<p>
+Specify a list of restrictions, separated by commas and/or whitespace.
+Continue long lines by starting the next line with whitespace.
+The same restrictions are available as documented under
+smtpd_recipient_restrictions.
+</p>
+
+<p> This feature is available in Postix 2.10 and later. </p>
+
%CLASS sasl-auth SASL Authentication
<p>
<blockquote>
<pre>
+# With Postfix 2.10 and later, the mail relay policy is
+# preferably specified under smtpd_relay_restrictions.
+smtpd_relay_restrictions =
+ permit_mynetworks, permit_sasl_authenticated, ...
+</pre>
+
+<pre>
+# With Postfix before 2.10, the relay policy can be
+# specified only under smtpd_recipient_restrictions.
smtpd_recipient_restrictions =
permit_mynetworks, permit_sasl_authenticated, ...
</pre>
<p>
Optional restrictions that the Postfix SMTP server applies in the
-context of the MAIL FROM command.
+context of a client MAIL FROM command.
See SMTPD_ACCESS_README, section "Delayed evaluation of SMTP access
restriction lists" for a discussion of evaluation context and time.
</p>
SSLv3 set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
SSLv3 set "smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing
the protocols to include, rather than protocols to exclude, is
supported, but not recommended. The exclusion form more closely
-matches the behaviour when the OpenSSL library is newer than Postfix.
+matches the behavior when the OpenSSL library is newer than Postfix.
</p>
<p> Since SSL version 2 has known protocol weaknesses and is now
"smtp_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtp_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
"smtpd_tls_protocols = !SSLv2". To exclude both "SSLv2" and "SSLv3" set
"smtpd_tls_protocols = !SSLv2, !SSLv3". Explicitly listing the protocols to
include, rather than protocols to exclude, is supported, but not
-recommended. The exclusion form more closely matches the behaviour
+recommended. The exclusion form more closely matches the behavior
when the OpenSSL library is newer than Postfix. </p>
<p> Example: </p>
the
server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed". The default setting is backwards
-compatible to avoid the infinetisimal possibility of breaking
+compatible to avoid the infinitesimal possibility of breaking
existing LMTP-based content filters. </p>
%PARAM always_add_missing_headers no
<p> The number of clients that can be waiting for service from a
real Postfix SMTP server process. When this queue is full, all
clients will
-receive a 421 reponse. </p>
+receive a 421 response. </p>
<p> This feature is available in Postfix 2.8. </p>
a decision whether they will receive service from a real Postfix
SMTP server
process. When this queue is full, all non-whitelisted clients will
-receive a 421 reponse. </p>
+receive a 421 response. </p>
<p> This feature is available in Postfix 2.8. </p>
%PARAM dnsblog_reply_delay 0s
-<p> A debugging aid to artifically delay DNS responses. </p>
+<p> A debugging aid to artificially delay DNS responses. </p>
<p> This feature is available in Postfix 2.8. </p>
#define DEF_MAIL_CHECKS ""
extern char *var_mail_checks;
+#define VAR_RELAY_CHECKS "smtpd_relay_restrictions"
+#define DEF_RELAY_CHECKS PERMIT_MYNETWORKS ", " \
+ REJECT_UNAUTH_DEST
+extern char *var_relay_checks;
+
#define VAR_RCPT_CHECKS "smtpd_recipient_restrictions"
-#define DEF_RCPT_CHECKS PERMIT_MYNETWORKS ", " REJECT_UNAUTH_DEST
+#define DEF_RCPT_CHECKS ""
extern char *var_rcpt_checks;
#define VAR_ETRN_CHECKS "smtpd_etrn_restrictions"
#define PERMIT_AUTH_DEST "permit_auth_destination"
#define REJECT_UNAUTH_DEST "reject_unauth_destination"
+#define DEFER_UNAUTH_DEST "defer_unauth_destination"
#define CHECK_RELAY_DOMAINS "check_relay_domains"
#define PERMIT_TLS_CLIENTCERTS "permit_tls_clientcerts"
#define PERMIT_TLS_ALL_CLIENTCERTS "permit_tls_all_clientcerts"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20120924"
+#define MAIL_RELEASE_DATE "20121007"
#define MAIL_VERSION_NUMBER "2.10"
#ifdef SNAPSHOT
char *bp = saved_acl;
char *acl;
-#define STREQ(x,y) ((*x) == (*y) && strcasecmp((x), (y)) == 0)
-#define STRNE(x,y) ((*x) != (*y) || strcasecmp((x), (y)) != 0)
+#define STREQ(x,y) (strcasecmp((x), (y)) == 0)
+#define STRNE(x,y) (strcasecmp((x), (y)) != 0)
/*
* Nested tables are not allowed. Tables are opened before entering the
/* What Postfix features match subdomains of "domain.tld" automatically,
/* instead of requiring an explicit ".domain.tld" pattern.
/* .IP "\fBsmtpd_client_restrictions (empty)\fR"
-/* Optional Postfix SMTP server access restrictions in the context of
-/* a remote SMTP client connection request.
+/* Optional restrictions that the Postfix SMTP server applies in the
+/* context of a client connection request.
/* .IP "\fBsmtpd_helo_required (no)\fR"
/* Require that a remote SMTP client introduces itself with the HELO
/* or EHLO command before sending the MAIL command or other commands
/* that require EHLO negotiation.
/* .IP "\fBsmtpd_helo_restrictions (empty)\fR"
/* Optional restrictions that the Postfix SMTP server applies in the
-/* context of the SMTP HELO command.
+/* context of a client HELO command.
/* .IP "\fBsmtpd_sender_restrictions (empty)\fR"
/* Optional restrictions that the Postfix SMTP server applies in the
-/* context of the MAIL FROM command.
-/* .IP "\fBsmtpd_recipient_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
-/* The access restrictions that the Postfix SMTP server applies in
-/* the context of the RCPT TO command.
+/* context of a client MAIL FROM command.
+/* .IP "\fBsmtpd_recipient_restrictions (see 'postconf -d' output)\fR"
+/* Optional restrictions that the Postfix SMTP server applies in the
+/* context of a client RCPT TO command, after smtpd_relay_restrictions.
/* .IP "\fBsmtpd_etrn_restrictions (empty)\fR"
-/* Optional SMTP server access restrictions in the context of a client
-/* ETRN request.
+/* Optional restrictions that the Postfix SMTP server applies in the
+/* context of a client ETRN command.
/* .IP "\fBallow_untrusted_routing (no)\fR"
/* Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
/* from untrusted clients to destinations matching $relay_domains.
/* .IP "\fBsmtpd_end_of_data_restrictions (empty)\fR"
/* Optional access restrictions that the Postfix SMTP server
/* applies in the context of the SMTP END-OF-DATA command.
+/* .PP
+/* Available in Postfix version 2.10 and later:
+/* .IP "\fBsmtpd_relay_restrictions (permit_mynetworks, reject_unauth_destination)\fR"
+/* Access restrictions for mail relay control that the Postfix
+/* SMTP server applies in the context of the RCPT TO command, before
+/* smtpd_recipient_restrictions.
/* SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
/* .ad
/* .fi
char *var_client_checks;
char *var_helo_checks;
char *var_mail_checks;
+char *var_relay_checks;
char *var_rcpt_checks;
char *var_etrn_checks;
char *var_data_checks;
VAR_CLIENT_CHECKS, DEF_CLIENT_CHECKS, &var_client_checks, 0, 0,
VAR_HELO_CHECKS, DEF_HELO_CHECKS, &var_helo_checks, 0, 0,
VAR_MAIL_CHECKS, DEF_MAIL_CHECKS, &var_mail_checks, 0, 0,
+ VAR_RELAY_CHECKS, DEF_RELAY_CHECKS, &var_relay_checks, 0, 0,
VAR_RCPT_CHECKS, DEF_RCPT_CHECKS, &var_rcpt_checks, 0, 0,
VAR_ETRN_CHECKS, DEF_ETRN_CHECKS, &var_etrn_checks, 0, 0,
VAR_DATA_CHECKS, DEF_DATA_CHECKS, &var_data_checks, 0, 0,
static ARGV *client_restrctions;
static ARGV *helo_restrctions;
static ARGV *mail_restrctions;
+static ARGV *relay_restrctions;
static ARGV *rcpt_restrctions;
static ARGV *etrn_restrctions;
static ARGV *data_restrctions;
for (reqd = required; *reqd; reqd++)
vstring_sprintf_append(example, "%s%s", *reqd,
reqd[1] == 0 ? "" : reqd[2] == 0 ? " or " : ", ");
- msg_fatal("parameter \"%s\": specify at least one working instance of: %s",
+ msg_fatal("in parameter %s, specify at least one working instance of: %s",
name, STR(example));
}
const char *value;
char *cp;
static const char *rcpt_required[] = {
- CHECK_RELAY_DOMAINS,
REJECT_UNAUTH_DEST,
+ DEFER_UNAUTH_DEST,
REJECT_ALL,
DEFER_ALL,
DEFER_IF_PERMIT,
+ CHECK_RELAY_DOMAINS,
0,
};
static NAME_CODE tempfail_actions[] = {
var_helo_checks);
mail_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
var_mail_checks);
+ relay_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
+ var_relay_checks);
rcpt_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
var_rcpt_checks);
etrn_restrctions = smtpd_check_parse(SMTPD_CHECK_PARSE_ALL,
/*
* People screw up the relay restrictions too often. Require that they
- * list at least one restriction that rejects mail by default.
+ * list at least one restriction that rejects mail by default. We allow
+ * relay restrictions to be empty for sites that require backwards
+ * compatibility.
*/
#ifndef TEST
- if (!has_required(rcpt_restrctions, rcpt_required))
- fail_required(VAR_RCPT_CHECKS, rcpt_required);
+ if (!has_required(rcpt_restrctions, rcpt_required)
+ && !has_required(relay_restrctions, rcpt_required))
+ fail_required(VAR_RELAY_CHECKS " or " VAR_RCPT_CHECKS, rcpt_required);
#endif
/*
/* reject_unauth_destination - FAIL for message relaying */
-static int reject_unauth_destination(SMTPD_STATE *state, char *recipient)
+static int reject_unauth_destination(SMTPD_STATE *state, char *recipient,
+ int reply_code, const char *reply_dsn)
{
const char *myname = "reject_unauth_destination";
* Reject relaying to sites that are not listed in relay_domains.
*/
return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
- var_relay_code, "5.7.1",
+ reply_code, reply_dsn,
"<%s>: Relay access denied",
recipient));
}
}
} else if (strcasecmp(name, REJECT_UNAUTH_DEST) == 0) {
if (state->recipient)
- status = reject_unauth_destination(state, state->recipient);
+ status = reject_unauth_destination(state, state->recipient,
+ var_relay_code, "5.7.1");
+ } else if (strcasecmp(name, DEFER_UNAUTH_DEST) == 0) {
+ if (state->recipient)
+ status = reject_unauth_destination(state, state->recipient,
+ var_relay_code - 100, "4.7.1");
} else if (strcasecmp(name, CHECK_RELAY_DOMAINS) == 0) {
if (state->recipient)
status = check_relay_domains(state, state->recipient,
if (state->defer_if_permit.active && state->defer_if_reject.active)
break;
}
- if (msg_verbose && name == 0)
+ if (msg_verbose)
msg_info(">>> END %s RESTRICTIONS <<<", reply_class);
state->recursion = saved_recursion;
int status;
char *saved_recipient;
char *err;
+ ARGV *restrctions[2];
+ int n;
/*
* Initialize.
state->defer_if_permit.active = state->defer_if_permit_sender;
/*
- * Apply restrictions in the order as specified.
+ * Apply restrictions in the order as specified. We allow relay
+ * restrictions to be empty, for sites that require backwards
+ * compatibility.
*/
SMTPD_CHECK_RESET();
- status = setjmp(smtpd_check_buf);
- if (status == 0 && rcpt_restrctions->argc)
- status = generic_checks(state, rcpt_restrctions,
+ restrctions[0] = relay_restrctions;
+ restrctions[1] = rcpt_restrctions;
+ for (n = 0; n < 2; n++) {
+ status = setjmp(smtpd_check_buf);
+ if (status == 0 && restrctions[n]->argc)
+ status = generic_checks(state, restrctions[n],
recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL);
+ if (status == SMTPD_CHECK_REJECT)
+ break;
+ }
/*
* Force permission into deferral when some earlier temporary error may
}
if (*bp == '#')
continue;
+
if (*bp == '!') {
vstream_printf("exit %d\n", system(bp + 1));
continue;
#endif
}
vstring_strcpy(channel, MAIL_SERVICE_ERROR);
- vstring_sprintf(nexthop, "User unknown%s",
+ vstring_sprintf(nexthop, "5.1.1 User unknown%s",
var_show_unk_rcpt_table ?
" in virtual alias table" : "");
*flags |= RESOLVE_CLASS_ALIAS;
#define DICT_DEBUG(d) ((d)->flags & DICT_FLAG_DEBUG ? dict_debug(d) : (d))
+ /*
+ * See dict_open.c embedded manpage for flag definitions.
+ */
#define DICT_FLAG_NONE (0)
-#define DICT_FLAG_DUP_WARN (1<<0) /* if file, warn about dups */
-#define DICT_FLAG_DUP_IGNORE (1<<1) /* if file, ignore dups */
+#define DICT_FLAG_DUP_WARN (1<<0) /* warn about dups if not supported */
+#define DICT_FLAG_DUP_IGNORE (1<<1) /* ignore dups if not supported */
#define DICT_FLAG_TRY0NULL (1<<2) /* do not append 0 to key/value */
#define DICT_FLAG_TRY1NULL (1<<3) /* append 0 to key/value */
#define DICT_FLAG_FIXED (1<<4) /* fixed key map */
#define DICT_FLAG_PATTERN (1<<5) /* keys are patterns */
-#define DICT_FLAG_LOCK (1<<6) /* temp lock before each access */
-#define DICT_FLAG_DUP_REPLACE (1<<7) /* if file, replace dups */
-#define DICT_FLAG_SYNC_UPDATE (1<<8) /* if file, sync updates */
+#define DICT_FLAG_LOCK (1<<6) /* use temp lock before access */
+#define DICT_FLAG_DUP_REPLACE (1<<7) /* replace dups if supported */
+#define DICT_FLAG_SYNC_UPDATE (1<<8) /* sync updates if supported */
#define DICT_FLAG_DEBUG (1<<9) /* log access */
/*#define DICT_FLAG_FOLD_KEY (1<<10) /* lowercase the lookup key */
#define DICT_FLAG_NO_REGSUB (1<<11) /* disallow regexp substitution */
#define DICT_ERR_CONFIG (-2) /* configuration error */
/*
- * FAIL/ERROR are suggested result values, not meant for use in comparisons.
+ * Result values for exposed functions except lookup. FAIL/ERROR are
+ * suggested values, not for use in comparisons for equality.
*/
#define DICT_STAT_FAIL 1 /* any value > 0: notfound, conflict */
#define DICT_STAT_SUCCESS 0 /* request satisfied */
#define DICT_STAT_ERROR (-1) /* any value < 0: database error */
+ /*
+ * Set an error code and return a result value.
+ */
#define DICT_ERR_VAL_RETURN(dict, err, val) do { \
(dict)->error = (err); \
return (val); \
/* One exception is the default lock function. When the
/* dictionary provides a file handle for locking, the default
/* lock function returns the result from myflock(), otherwise
-/* it returns 0. The lock function is called to implement the
-/* DICT_FLAG_OPEN_LOCK feature (lock database on open) when
-/* a database is not multi-writer safe.
+/* it returns 0. Presently, the lock function is used only to
+/* implement the DICT_FLAG_OPEN_LOCK feature (lock the database
+/* exclusively after it is opened) for databases that are not
+/* multi-writer safe.
/*
/* dict_free() releases memory and cleans up after dict_alloc().
/* It is up to the caller to dispose of any memory that was allocated
/* before writing, and acquire a shared lock before reading.
/* .IP DICT_FLAG_OPEN_LOCK
/* With databases that are not multi-writer safe, request that
-/* dict_open() acquires an exclusive lock, or that it reports
-/* a fatal run-time error otherwise.
+/* dict_open() acquires an exclusive lock, or that it terminates
+/* with a fatal run-time error.
/* .IP DICT_FLAG_FOLD_FIX
/* With databases whose lookup fields are fixed-case strings,
-/* fold the search key to lower case before accessing the
+/* fold the search string to lower case before accessing the
/* database. This includes hash:, cdb:, dbm:. nis:, ldap:,
/* *sql.
/* .IP DICT_FLAG_FOLD_MUL
/* With file-based maps, flush I/O buffers to file after each update.
/* Thus feature is not supported with some file-based dictionaries.
/* .IP DICT_FLAG_NO_REGSUB
-/* Disallow regular expression substitution from left-hand side data
-/* into the right-hand side.
+/* Disallow regular expression substitution from the lookup string
+/* into the lookup result, to block data injection attacks.
/* .IP DICT_FLAG_NO_PROXY
-/* Disallow access through the \fBproxymap\fR service.
+/* Disallow access through the unprivileged \fBproxymap\fR
+/* service, to block privilege escalation attacks.
/* .IP DICT_FLAG_NO_UNAUTH
-/* Disallow network lookup mechanisms that lack any form of
-/* authentication (example: tcp_table; even NIS can be secured
-/* to some extent by requiring that the server binds to a
-/* privileged port).
+/* Disallow lookup mechanisms that lack any form of authentication,
+/* to block privilege escalation attacks (example: tcp_table;
+/* even NIS can be secured to some extent by requiring that
+/* the server binds to a privileged port).
/* .IP DICT_FLAG_PARANOID
/* A combination of all the paranoia flags: DICT_FLAG_NO_REGSUB,
/* DICT_FLAG_NO_PROXY and DICT_FLAG_NO_UNAUTH.
+/* .IP DICT_FLAG_DEBUG
+/* Enable additional logging.
/* .PP
/* Specify DICT_FLAG_NONE for no special processing.
/*
projects / thirdparty / postfix.git / commitdiff
