Regression prevention: copied a queue file record typecheck
from the pickup daemon. Files: *qmgr/qmgr_message.c.
+20211115
+
+ Bugfix (introduced: 20210708): duplicate bounce_notice_recipient
+ entries in postconf output. The fix to send SMTP session
+ transcripts to bounce_notice_recipient was incomplete.
+ Reported by Vincent Lefevre. File: smtpd/smtpd.c.
+
20211127
Feature: support for the pcre2 library (the legacy pcre
automatically authorize proxied maps inside pipemap (example:
pipemap:{proxy:maptype:mapname, ...}) or inside unionmap. Problem
reported by Mirko Vogt. Files: proxymap/proxymap.c.
+
+20211218
+
+ Typo fixes based on automated scans of C source code comments.
+ Verified that the .o files have not changed. Files:
+ bounce/bounce_notify_util.c, cleanup/cleanup_api.c,
+ cleanup/cleanup_message.c, dns/dns_lookup.c, flush/flush.c,
+ global/compat_level.c, global/db_common.c,
+ global/deliver_request.c, global/dict_ldap.c, global/dict_sqlite.c,
+ global/dynamicmaps.c, global/mail_conf_time.c, global/mail_copy.c,
+ global/mail_params.h, global/mail_proto.h, global/memcache_proto.c,
+ global/normalize_mailhost_addr.c, global/quote_822_local.c,
+ global/test_main.c, global/verify.c, global/verify_sender_addr.c,
+ local/unknown.c, master/dgram_server.c, master/event_server.c,
+ master/multi_server.c, master/single_server.c,
+ master/trigger_server.c, oqmgr/qmgr_entry.c,
+ postconf/postconf_dbms.c, postconf/postconf_master.c,
+ postconf/postconf_user.c, postdrop/postdrop.c, postmap/postmap.c,
+ postmulti/postmulti.c, postqueue/showq_compat.c,
+ postscreen/postscreen_smtpd.c, postscreen/postscreen_starttls.c,
+ posttls-finger/posttls-finger.c, proxymap/proxymap.c,
+ qmgr/qmgr_entry.c, qmqpd/qmqpd_peer.c, smtp/smtp.h,
+ smtp/smtp_proto.c, smtpd/smtpd_check.c, smtpd/smtpd_peer.c,
+ tls/tls_certkey.c, tls/tls_client.c, tls/tls_fprint.c,
+ tls/tls_misc.c, tls/tls_server.c, tlsmgr/tlsmgr.c,
+ tlsproxy/tlsproxy.c, trivial-rewrite/resolve.c,
+ trivial-rewrite/transport.c, trivial-rewrite/trivial-rewrite.c,
+ util/argv.c, util/dict_cache.c, util/dict_cdb.c, util/dict_file.c,
+ util/dict_random.c, util/dict_random.h, util/dict_thash.c,
+ util/dup2_pass_on_exec.c, util/edit_file.c, util/extpar.c,
+ util/gccw.c, util/mac_expand.c, util/mac_expand.h,
+ util/myaddrinfo.c, util/name_mask.c, util/sane_link.c,
+ util/sane_rename.c, util/unix_dgram_connect.c,
+ util/unix_dgram_listen.c, util/unix_pass_fd_fix.c,
+ util/vstring.c, xsasl/xsasl_dovecot_server.c.
+
+ Typo fixes based on automated scans of other files. Files:
+ auxiliary/qshape/qshape.pl, conf/post-install,
+ conf/postmulti-script, makedefs, postfix-install,
+ proto/postconf.proto, TLS_ACKNOWLEDGEMENTS, TLS_CHANGES.
+
+ Documentation: added a note to the cidr_table manpage that
+ with an inline CIDR map, "$" needs to be specified as "$$"
+ to avoid $name expansion surprises. File: proto/cidr_table.
+
+20211220
+
+ Bugfix (introduced: Postfix 2.5): off-by-one error while writing
+ a string terminator. This code had passed all memory corruption
+ tests, presumably because it wrote over an alignment padding byte,
+ or over an adjacent character byte that was never read. Reported
+ by Robert Siemer. Files: *qmgr/qmgr_feedback.c.
+
+ Typo fixes from Raf, based on manual inspection. Verified
+ that the .o files have not changed. Files: conf/main.cf,
+ mantools/postlink, proto/ADDRESS_REWRITING_README.html,
+ proto/BACKSCATTER_README.html,
+ proto/BASIC_CONFIGURATION_README.html, proto/BDAT_README.html,
+ proto/BUILTIN_FILTER_README.html, proto/COMPATIBILITY_README.html,
+ proto/CONNECTION_CACHE_README.html, proto/DATABASE_README.html,
+ proto/DEBUG_README.html, proto/FORWARD_SECRECY_README.html,
+ proto/INSTALL.html, proto/IPV6_README.html, proto/LDAP_README.html,
+ proto/LINUX_README.html, proto/MAILLOG_README.html,
+ proto/MILTER_README.html, proto/MULTI_INSTANCE_README.html,
+ proto/MYSQL_README.html, proto/POSTSCREEN_3_5_README.html,
+ proto/POSTSCREEN_README.html, proto/QSHAPE_README.html,
+ proto/SASL_README.html, proto/SCHEDULER_README.html,
+ proto/SMTPD_ACCESS_README.html, proto/SMTPD_POLICY_README.html,
+ proto/SMTPD_PROXY_README.html, proto/SMTPUTF8_README.html,
+ proto/SQLITE_README.html, proto/STANDARD_CONFIGURATION_README.html,
+ proto/STRESS_README.html, proto/TLS_LEGACY_README.html,
+ proto/TLS_README.html, proto/TUNING_README.html,
+ proto/VIRTUAL_README.html, proto/access, proto/canonical,
+ proto/generic, proto/ldap_table, proto/master, proto/mysql_table,
+ proto/pgsql_table, proto/postconf.proto, proto/relocated,
+ proto/sqlite_table, proto/transport, proto/virtual,
+ global/mail_version.h, local/local.c, pipe/pipe.c,
+ postalias/postalias.c, postconf/postconf.c, postfix/postfix.c,
+ postmap/postmap.c, postmulti/postmulti.c,
+ posttls-finger/posttls-finger.c, sendmail/sendmail.c,
+ smtpstone/smtp-sink.c, tlsproxy/tlsproxy.c,
+ trivial-rewrite/trivial-rewrite.c, virtual/virtual.c.
+
+20211221
+
+ Documentation: reverted some postconf(5) changes from
+ "Specify a non-zero time value" to "Specify a non-negative
+ time value". File: proto/postconf.proto.
+
+ Documentation: reverted "destination concurrency limit" to
+ "destination recipient limit". File: proto/SCHEDULER_README.html.
+
+ Documentation: rephrased conditional $name expositions for
+ forward_path and command_execution_directory. File:
+ local/local.c.
+
+ Documentation: added Postfix 3.0 syntax to postconf(5)
+ descriptions of command_execution_directory, default_rbl_reply,
+ forward_path, luser_relay, recipient_delimiter. File:
+ proto/postconf.proto.
+
+ Documentation: updated descriptions of smtpd_error_sleep_time
+ and smtpd_soft_error_limit. File: proto/postconf.proto.
+
+ Fixed non-UTF8 quotes in TLS_CHANGES that caused nvi to
+ truncate the file.
+
+ Fixed a remaining typo in util/load_lib.c.
+
+20211222
+
+ Added a top-level 'make typo-check' target to automate
+ the typo checks (this only works on Wietse's development
+ system, because it depends on specific implementations of
+ spell and lynx). Files: Makefile.in, mantools/comment.c,
+ mantools/deroff, mantools/check-double-cc,
+ mantools/check-double-install-proto-text,
+ mantools/check-double-proto-html, mantools/check-spell-cc,
+ mantools/check-spell-install-proto-text,
+ mantools/check-spell-proto-html, proto/stop, proto/stop.double-cc,
+ proto/stop.double-install-proto-text, proto/stop.double-proto-html,
+ proto/stop.spell-cc, proto/stop.spell-proto-html.
+
+ Cleanup: manpages don't need \' - that causes groff to emit
+ non-ASCII text (depending on the locale). Christian Goettsche.
+ Files: sendmail/sendmail.c, spawn/spawn.c.
+
+20211223
+
+ Report unsupported usage. Do not link Postfix database
+ plugins against libpostfix-util or libpostfix-global. This
+ introduces false build dependencies. File: makedefs.
+
+ Report unsupported usage. Do not build with LD_LIBRARY_PATH.
+ File: makedefs.
+
+ Documented the implementation-dependent mailbox_size_limit
+ and message_size_limit maximal values. File: proto/postconf.proto.
+
+ Cleanup: make typo-check tests portable across differernt
+ spellcheck implementations. Files: proto/stop.spell-proto-html,
+ proto/stop.spell-cc.
+
+ Cleanup: added missing parameters to the mantools/postlink
+ script, based on output from the mantools/check-postlink
+ script.
+
+ Cleanup: added missing _maps parameter names to the
+ proxy_read_maps default value, based on output from the
+ mantools/missing-proxy-read-maps script.
+ File: global/mail_params.h.
+
+ Sanity: added LANG=C to the typo-check scripts to get
+ consistent output. Files: mantools/check-spell-proto-html,
+ mantools/check-spell-install-proto-text, mantools/check-spell-cc,
+ mantools/check-double-proto-html,
+ mantools/check-double-install-proto-text, mantools/check-double-cc.
+
+20211224
+
+ Cleanup: some compilter complains about indentation in a
+ multiline macro. File: util/dict_db.c.
+
+20211231
+
+ Cleanup: informative error message after failure to connect
+ to 'dovecot' socket. File: src/xsasl/xsasl_dovecot_server.c.
+
+20220101
+
+ Cleanup: AppArmor may return EPERM for permission errors.
+ This could result in a false "mail system is down" error
+ message from the postqueue command. File: postqueue/postqueue.c.
+
+202220102
+
+ Cleanup: log the reason why the postqueue command thinks
+ that the mail system is down, in case some security software
+ or kernel bug emits a weird error. File: postqueue/postqueue.c.
+
+ Robustness: randomize the initial state of Postfix in-memory
+ hash tables, to defend against collision attacks involving
+ a large number of attacker-chosen lookup keys. Presently,
+ the only known opportunity for such attacks involves remote
+ SMTP client IPv6 addresses in the anvil service. Other
+ tables with attacker-chosen lookup keys are limited in size.
+ The fix is cheap, and therefore implemented for all Postfix
+ in-memory hash tables. Problem reported by Pascal Junod.
+ File: util/htable.c.
# make upgrade meta_directory=/usr/libexec/postfix ...
# make install meta_directory=/usr/libexec/postfix ...
-As with the command "make makefiles, the command "make install/upgrade
+As with the command "make makefiles", the command "make install/upgrade
name=value..." will replace the string MAIL_VERSION at the end of a
configuration parameter value with the Postfix release version. Do not try to
specify something like $mail_version on this command line. This produces
# newaliases
# sendmail -bi
+ # postalias /etc/aliases (pathname is system dependent!)
11 - To chroot or not to chroot
# To test with valgrind:
-# make -i tests VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p"
+# make -i tests NORANDOMIZE="" VALGRIND="valgrind --tool=memcheck --log-file=/some/where.%p"
SHELL = /bin/sh
WARN = -Wmissing-prototypes -Wformat -Wno-comment -fno-common
OPTS = 'WARN=$(WARN)'
(set -e; echo "[$$i]"; cd $$i; $(MAKE) -f Makefile.in $(OPTS) MAKELEVEL=) || exit 1; \
done </dev/null
-printfck: update
+typo-check: spell-cc spell-install-proto-text spell-proto-html \
+ double-cc double-install-proto-text double-proto-html
+
+spell-cc:
+ mantools/check-spell-cc | diff /dev/null -
+
+spell-install-proto-text:
+ mantools/check-spell-install-proto-text | diff /dev/null -
+
+spell-proto-html:
+ mantools/check-spell-proto-html | diff /dev/null -
+
+double-cc:
+ mantools/check-double-cc | diff /dev/null -
+
+double-install-proto-text:
+ mantools/check-double-install-proto-text | diff /dev/null -
+
+double-proto-html:
+ mantools/check-double-proto-html | diff /dev/null -
# The build-time shlib_directory setting must take precedence over
# the installed main.cf settings, otherwise we can't update an
Rewrite "user@host" to "user@host.$mydomain"
This feature is controlled by the boolean append_dot_mydomain parameter
- (default: yes). The purpose is to get consistent treatment of different
- forms of the same hostname.
+ (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes). The purpose is to
+ get consistent treatment of different forms of the same hostname.
NOTE: Postfix versions 2.2 and later rewrite message headers from
remote SMTP clients only if the client matches the
email addresses as username@example.com, messages with DSN turned on will
trigger the REJECT action in the previous section.
- If you have such clients then you can to exclude their Message-ID strings
- with the two "Message-ID:.* <!&!" patterns that are shown in the previous
+ If you have such clients then you can exclude their Message-ID strings with
+ the two "Message-ID:.* <!&!" patterns that are shown in the previous
section. Otherwise you will not be able to use the two backscatter rules to
stop forged Message ID strings. Of course this workaround may break the
next time Outlook is changed.
Recognizing virus scanner mail is an error prone process, because there is a
lot of variation in report formats. The following is only a small example of
message header patterns. For a large collection of header and body patterns
-that recognize virus notification email, see http://www.dkuug.dk/keld/virus/ or
-http://www.t29.dk/antiantivirus.txt.
+that recognize virus notification email, see https://web.archive.org/web/
+20100317123907/http://std.dkuug.dk/keld/virus/ or http://www.t29.dk/
+antiantivirus.txt.
/etc/postfix/header_checks:
/^Subject: *Your email contains VIRUSES/ DISCARD virus notification
SASL_README and TLS_README documents.
IMPORTANT: If your machine is connected to a wide area network then the
-"mynetworks_style = host" setting may be too friendly.
+"mynetworks_style = subnet" setting may be too friendly.
Examples (specify only one of the following):
Postfix do the work for you. The default is to let Postfix do the work. The
result depends on the mynetworks_style parameter value.
- * Specify "mynetworks_style = host" when Postfix should forward mail from
- only the local machine.
+ * Specify "mynetworks_style = host" (the default when compatibility_level >=
+ 2) when Postfix should forward mail from only the local machine.
- * Specify "mynetworks_style = subnet" (the default) when Postfix should
- forward mail from SMTP clients in the same IP subnetworks as the local
- machine. On Linux, this works correctly only with interfaces specified with
- the "ifconfig" command.
+ * Specify "mynetworks_style = subnet" (the default when compatibility_level <
+ 2) when Postfix should forward mail from SMTP clients in the same IP
+ subnetworks as the local machine. On Linux, this works correctly only with
+ interfaces specified with the "ifconfig" or "ip" command.
* Specify "mynetworks_style = class" when Postfix should forward mail from
SMTP clients in the same IP class A/B/C networks as the local machine.
In RFC 4468, the authors write that a client may pipeline commands, and that
after sending BURL LAST or BDAT LAST, a client must wait for the server's
-response. But as this text does not appear in RFC 3030 which defines BDAT, is
-it a useless restriction that Postfix will not enforce.
+response. But as this text does not appear in RFC 3030 which defines BDAT, it
+is a useless restriction that Postfix will not enforce.
The following information applies to Postfix 2.1. Earlier Postfix versions do
not support the receive_override_options feature.
-If you are MX service provider and want to apply disable head/body checks for
-some domains, you can configure ONE Postfix instance with multiple SMTP server
-IP addresses in master.cf. Each address provides a different service.
+If you are an MX service provider and want to enable header/body checks only
+for some domains, you can configure ONE Postfix instance with multiple SMTP
+server IP addresses in master.cf. Each address provides a different service.
/etc/postfix.master.cf:
# =================================================================
The mynetworks_style default value has changed from "subnet" to "host". This
parameter is used to implement the "permit_mynetworks" feature. The change
-could in unexpected 'access denied' errors after Postfix is updated from an
+could cause unexpected 'access denied' errors after Postfix is updated from an
older version. The backwards-compatibility safety net is designed to prevent
such surprises.
The connection cache can be searched by destination domain name (the right-hand
side of the recipient address) and by the IP address of the host at the other
end of the connection. This allows Postfix to reuse a connection even when the
-remote host is mail server for domains with different names.
+remote host is a mail server for domains with different names.
C\bCo\bon\bnn\bne\bec\bct\bti\bio\bon\bn c\bca\bac\bch\bhe\be c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
Any non-empty lookup result value may be used here: the lookup result is not
used. Examples are the local_recipient_maps that determine what local
recipients Postfix accepts in mail from the network, the mydestination
-parameter that specifies what domains Postfix delivers locally, or the
+parameter that specifies what domains Postfix delivers locally for, or the
mynetworks parameter that specifies the IP addresses of trusted clients or
client networks. Technically, these are lists, not tables. Despite the
difference, Postfix lists are described here because they use the same
to create a database file for just a few fixed elements. See also the
static: map type.
i\bin\bnt\bte\ber\brn\bna\bal\bl
- A non-shared, in-memory hash table. Its content are lost when a process
- terminates.
+ A non-shared, in-memory hash table. Its contents are lost when a
+ process terminates.
l\blm\bmd\bdb\bb
OpenLDAP LMDB database. This is available only on systems with support
for LMDB databases. Public database files are created with the postmap
o "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-M\bMf\bf" (Postfix 2.9 or later).
- * Better, provide output from the p\bpo\bos\bst\btf\bfi\bin\bng\bge\ber\br tool. This can be found at http:
- //ftp.wl0.org/SOURCES/postfinger.
+ * Better, provide output from the p\bpo\bos\bst\btf\bfi\bin\bng\bge\ber\br tool. This can be found at
+ https://github.com/ford--prefect/postfinger.
* If the problem is SASL related, consider including the output from the
- s\bsa\bas\bsl\blf\bfi\bin\bng\bge\ber\br tool. This can be found at http://postfix.state-of-mind.de/
- patrick.koetter/saslfinger/.
+ s\bsa\bas\bsl\blf\bfi\bin\bng\bge\ber\br tool. This can be found at https://packages.debian.org/
+ search?keywords=sasl2-bin.
* If the problem is about too much mail in the queue, consider including
output from the q\bqs\bsh\bha\bap\bpe\be tool, as described in the QSHAPE_README file.
E\bED\bDH\bH S\bSe\ber\brv\bve\ber\br s\bsu\bup\bpp\bpo\bor\brt\bt
-Postfix >= 2.2 support 1024-bit-prime EDH out of the box, with no additional
+Postfix >= 2.2 supports 1024-bit-prime EDH out of the box, with no additional
configuration, but you may want to override the default prime to be 2048 bits
long, and you may want to regenerate your primes periodically. See the quick-
start section for details. With Postfix >= 3.1 the out of the box (compiled-in)
E\bEE\bEC\bCD\bDH\bH S\bSe\ber\brv\bve\ber\br s\bsu\bup\bpp\bpo\bor\brt\bt
-Postfix >= 2.6 support NIST P-256 EECDH when built with OpenSSL >= 1.0.0. When
+Postfix >= 2.6 supports NIST P-256 EECDH when built with OpenSSL >= 1.0.0. When
the remote SMTP client also supports EECDH and implements the P-256 curve,
forward secrecy just works.
key-exchange mechanism is invented that also supports forward secrecy.
The actual key length and raw algorithm key length are generally the same with
-non-export ciphers, but may they differ for the legacy export ciphers where the
+non-export ciphers, but they may differ for the legacy export ciphers where the
actual key is artificially shortened.
Starting with TLS 1.3 the cipher name no longer contains enough information to
# make upgrade meta_directory=/usr/libexec/postfix ...
# make install meta_directory=/usr/libexec/postfix ...
-As with the command "make makefiles, the command "make install/upgrade
+As with the command "make makefiles", the command "make install/upgrade
name=value..." will replace the string MAIL_VERSION at the end of a
configuration parameter value with the Postfix release version. Do not try to
specify something like $mail_version on this command line. This produces
# newaliases
# sendmail -bi
+ # postalias /etc/aliases (pathname is system dependent!)
1\b11\b1 -\b- T\bTo\bo c\bch\bhr\bro\boo\bot\bt o\bor\br n\bno\bot\bt t\bto\bo c\bch\bhr\bro\boo\bot\bt
mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [fe80::]/10 [2001:
240:587::]/64
- If you did specify the mynetworks parameter value in main.cf, you need
+ If you did specify the mynetworks parameter value in main.cf, you need to
update the mynetworks value to include the IPv6 networks the system is in.
Be sure to specify IPv6 address information inside "[]", like this:
query_filter = (&(mailacceptinggeneralid=%s)(!(|(maildrop="*|*")
(maildrop="*:*")(maildrop="*/*"))))
- * And for that matter, even for aliases, you may not want users able to
+ * And for that matter, even for aliases, you may not want users to be able to
specify their maildrops as programs, includes, etc. This might be
particularly pertinent on a "sealed" server where they don't have local
UNIX accounts, but exist only in LDAP and Cyrus. You might allow the fun
H\bHo\bos\bst\bt l\blo\boo\bok\bku\bup\bp i\bis\bss\bsu\bue\bes\bs
-By default Linux /etc/hosts lookups do not support multiple IP address per
+By default Linux /etc/hosts lookups do not support multiple IP addresses per
hostname. This causes warnings from the Postfix SMTP server that "hostname XXX
does not resolve to address YYY", and is especially a problem with hosts that
-have both IPv4 and IPv6 addresses. To fix, turn on support for multiple IP
+have both IPv4 and IPv6 addresses. To fix this, turn on support for multiple IP
addresses:
/etc/host.conf:
P\bPr\bro\boc\bcm\bma\bai\bil\bl i\bis\bss\bsu\bue\bes\bs
-On RedHat Linux 7.1 and later p\bpr\bro\boc\bcm\bma\bai\bil\bl no longer has permission to write the
+On RedHat Linux 7.1 and later p\bpr\bro\boc\bcm\bma\bai\bil\bl no longer has permission to write to the
mail spool directory. Workaround:
# chmod 1777 /var/spool/mail
Notes:
- * This command will not rotate a logfile with pathname under the /dev
+ * This command will not rotate a logfile with a pathname under the /dev
directory, such as /dev/stdout.
* This command does not (yet) remove old logfiles.
as well as non-daemon programs for local mail submission or Postfix
management.
- * Logging to Postfix logfile or stdout requires the Postfix postlogd(8)
+ * Logging to the Postfix logfile or stdout requires the Postfix postlogd(8)
service. This ensures that simultaneous logging from different programs
will not get mixed up.
Connect to the local UNIX-domain server that is bound to the specified
pathname. If the smtpd(8) or cleanup(8) process runs chrooted, an
absolute pathname is interpreted relative to the Postfix queue
- directory.
+ directory. On many systems, l\blo\boc\bca\bal\bl is a synonym for u\bun\bni\bix\bx
i\bin\bne\bet\bt:\b:host:\b:port
Connect to the specified TCP port on the specified local or remote
To force a macro to be sent even when its value has not been updated, you may
specify macro default values with the milter_macro_defaults parameter. Specify
zero or more name=value pairs separated by comma or whitespace; you may even
-specify macro names that Postfix does know about!
+specify macro names that Postfix does not know about!
W\bWo\bor\brk\bka\bar\bro\bou\bun\bnd\bds\bs
testing
EOF
-The test message should be delivered the members of the "mtaadmin" address
+The test message should be delivered to the members of the "mtaadmin" address
group (or whatever address group you choose) with the following headers:
From: mtaadmin+root=mta1@example.com
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject
- # Tolerate occasional high latency in the content filter.
+ # Tolerate occasional high latency in the content filter.
#
smtpd_timeout = 1200s
obtained from:
http://www.mysql.com/downloads/
- http://sourceforge.net/projects/mysql/
In order to build Postfix with mysql map support, you will need to add -
DHAS_MYSQL and -I for the directory containing the mysql headers, and the
configuration feature.
* Liviu Daia with further refinements from Jose Luis Tallon and Victor
Duchovni developed the common query, result_format, domain and
- expansion_limit interface for LDAP, MySQL and PosgreSQL.
+ expansion_limit interface for LDAP, MySQL and PostgreSQL.
introduce a common point of failure.
* First, configure the host to listen on both primary and backup MX
- addresses. Use the appropriate ifconfig command for the local operating
- system, or update the appropriate configuration files and "refresh" the
- network protocol stack.
+ addresses. Use the appropriate ifconfig or ip command for the local
+ operating system, or update the appropriate configuration files and
+ "refresh" the network protocol stack.
Second, configure Postfix to listen on the new IP address (this step is
needed when you have specified inet_interfaces in main.cf).
* Some postscreen(8) configuration parameters implement stress-dependent
behavior. This is supported only when the default value is stress-dependent
(that is, "postconf -d parametername" output shows "parametername = $
- {stress?something}${stress:something}"). Other parameters always evaluate
- as if the stress value is the empty string.
+ {stress?something}${stress:something}" or "parametername = ${stress?
+ {something}:{something}}"). Other parameters always evaluate as if the
+ stress value is the empty string.
* See "Tests before the 220 SMTP server greeting" for details about the
logging from these postscreen(8) tests.
introduce a common point of failure.
* First, configure the host to listen on both primary and backup MX
- addresses. Use the appropriate ifconfig command for the local operating
- system, or update the appropriate configuration files and "refresh" the
- network protocol stack.
+ addresses. Use the appropriate ifconfig or ip command for the local
+ operating system, or update the appropriate configuration files and
+ "refresh" the network protocol stack.
Second, configure Postfix to listen on the new IP address (this step is
needed when you have specified inet_interfaces in main.cf).
* Some postscreen(8) configuration parameters implement stress-dependent
behavior. This is supported only when the default value is stress-dependent
(that is, "postconf -d parametername" output shows "parametername = $
- {stress?something}${stress:something}"). Other parameters always evaluate
- as if the stress value is the empty string.
+ {stress?something}${stress:something}" or "parametername = ${stress?
+ {something}:{something}}"). Other parameters always evaluate as if the
+ stress value is the empty string.
* See "Tests before the 220 SMTP server greeting" for details about the
logging from these postscreen(8) tests.
When the output is a terminal intermediate results showing the top 20 domains
(-n option) are displayed after every 1000 messages (-N option) and the final
output also shows only the top 20 domains. This makes qshape useful even when
-the deferred queue is very large and it may otherwise take prohibitively long
-to read the entire deferred queue.
+the "deferred" queue is very large and it may otherwise take prohibitively long
+to read the entire "deferred" queue.
-By default, qshape shows statistics for the union of both the incoming and
-active queues which are the most relevant queues to look at when analyzing
+By default, qshape shows statistics for the union of both the "incoming" and
+"active" queues which are the most relevant queues to look at when analyzing
performance.
One can request an alternate list of queues:
$ qshape deferred
$ qshape incoming active deferred
-this will show the age distribution of the deferred queue or the union of the
-incoming active and deferred queues.
+this will show the age distribution of the "deferred" queue or the union of the
+"incoming", "active" and "deferred" queues.
Command line options control the number of display "buckets", the age limit for
the smallest bucket, display of parent domain counts and so on. The "-h" option
stopped.
The problem destinations or sender domains appear near the top left corner of
-the output table. Remember that the active queue can accommodate up to 20000
+the output table. Remember that the "active" queue can accommodate up to 20000
($qmgr_message_active_limit) messages. To check whether this limit has been
reached, use:
$ qshape -s active (show sender statistics)
-If the total sender count is below 20000 the active queue is not yet saturated,
-any high volume sender domains show near the top of the output.
+If the total sender count is below 20000 the "active" queue is not yet
+saturated, any high volume sender domains show near the top of the output.
-With oqmgr(8) the active queue is also limited to at most 20000 recipient
+With oqmgr(8) the "active" queue is also limited to at most 20000 recipient
addresses ($qmgr_message_recipient_limit). To check for exhaustion of this
limit use:
E\bEx\bxa\bam\bmp\bpl\ble\be 1\b1:\b: H\bHe\bea\bal\blt\bth\bhy\by q\bqu\bue\beu\bue\be
-When looking at just the incoming and active queues, under normal conditions
-(no congestion) the incoming and active queues are nearly empty. Mail leaves
-the system almost as quickly as it comes in or is deferred without congestion
-in the active queue.
+When looking at just the "incoming" and "active" queues, under normal
+conditions (no congestion) the "incoming" and "active" queues are nearly empty.
+Mail leaves the system almost as quickly as it comes in or is deferred without
+congestion in the "active" queue.
- $ qshape (show incoming and active queue status)
+ $ qshape (show "incoming" and "active" queue status)
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 5 0 0 0 1 0 0 0 1 1 2
meri.uwasa.fi 5 0 0 0 1 0 0 0 1 1 2
-If one looks at the two queues separately, the incoming queue is empty or
-perhaps briefly has one or two messages, while the active queue holds more
+If one looks at the two queues separately, the "incoming" queue is empty or
+perhaps briefly has one or two messages, while the "active" queue holds more
messages and for a somewhat longer time:
$ qshape incoming
This is from a server where recipient validation is not yet available for some
of the hosted domains. Dictionary attacks on the unvalidated domains result in
bounce backscatter. The bounces dominate the queue, but with proper tuning they
-do not saturate the incoming or active queues. The high volume of deferred mail
-is not a direct cause for alarm.
+do not saturate the "incoming" or "active" queues. The high volume of deferred
+mail is not a direct cause for alarm.
$ qshape deferred | head
The domains shown are mostly bulk-mailers and all the volume is the tail end of
the time distribution, showing that short term arrival rates are moderate.
Larger numbers and lower message ages are more indicative of current trouble.
-Old mail still going nowhere is largely harmless so long as the active and
-incoming queues are short. We can also see that the groups.msn.com
+Old mail still going nowhere is largely harmless so long as the "active" and
+"incoming" queues are short. We can also see that the groups.msn.com
undeliverables are low rate steady stream rather than a concentrated dictionary
attack that is now over.
E\bEx\bxa\bam\bmp\bpl\ble\be 3\b3:\b: C\bCo\bon\bng\bge\bes\bst\bti\bio\bon\bn i\bin\bn t\bth\bhe\be a\bac\bct\bti\biv\bve\be q\bqu\bue\beu\bue\be
This example is taken from a Feb 2004 discussion on the Postfix Users list.
-Congestion was reported with the active and incoming queues large and not
+Congestion was reported with the "active" and "incoming" queues large and not
shrinking despite very large delivery agent process limits. The thread is
archived at: http://groups.google.com/
groups?threadm=c0b7js$2r65$1@FreeBSD.csie.NCTU.edu.tw and http://
Using an older version of qshape(1) it was quickly determined that all the
messages were for just a few destinations:
- $ qshape (show incoming and active queue status)
+ $ qshape (show "incoming" and "active" queue status)
T A 5 10 20 40 80 160 320 320+
TOTAL 11775 9996 0 0 1 1 42 94 221 1420
lists.sourceforge.net 2313 2313 0 0 0 0 0 0 0 0
gzd.gotdns.com 102 0 0 0 0 0 0 0 2 100
-The "A" column showed the count of messages in the active queue, and the
-numbered columns showed totals for the deferred queue. At 10000 messages
-(Postfix 1.x active queue size limit) the active queue is full. The incoming
-was growing rapidly.
+The "A" column showed the count of messages in the "active" queue, and the
+numbered columns showed totals for the "deferred" queue. At 10000 messages
+(Postfix 1.x "active" queue size limit) the "active" queue is full. The
+"incoming" queue was growing rapidly.
With the trouble destinations clearly identified, the administrator quickly
found and fixed the problem. It is substantially harder to glean the same
E\bEx\bxa\bam\bmp\bpl\ble\be 4\b4:\b: H\bHi\big\bgh\bh v\bvo\bol\blu\bum\bme\be d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn b\bba\bac\bck\bkl\blo\bog\bg
When a site you send a lot of email to is down or slow, mail messages will
-rapidly build up in the deferred queue, or worse, in the active queue. The
+rapidly build up in the "deferred" queue, or worse, in the "active" queue. The
qshape output will show large numbers for the destination domain in all age
buckets that overlap the starting time of the problem:
...
Here the "highvolume.com" destination is continuing to accumulate deferred
-mail. The incoming and active queues are fine, but the deferred queue started
-growing some time between 1 and 2 hours ago and continues to grow.
+mail. The "incoming" and "active" queues are fine, but the "deferred" queue
+started growing some time between 1 and 2 hours ago and continues to grow.
If the high volume destination is not down, but is instead slow, one might see
-similar congestion in the active queue. Active queue congestion is a greater
-cause for alarm; one might need to take measures to ensure that the mail is
-deferred instead or even add an access(5) rule asking the sender to try again
-later.
+similar congestion in the "active" queue. "Active" queue congestion is a
+greater cause for alarm; one might need to take measures to ensure that the
+mail is deferred instead or even add an access(5) rule asking the sender to try
+again later.
If a high volume destination exhibits frequent bursts of consecutive
connections refused by all MX hosts or "421 Server busy errors", it is possible
rate or perhaps excessive CPU consumption in the cleanup(8) service due to
excessive body_checks, or (Postfix >= 2.3) high latency milters.
-Note, that once the active queue is full, the cleanup service will attempt to
+Note, that once the "active" queue is full, the cleanup service will attempt to
slow down message injection by pausing $in_flow_delay for each message. In this
case "maildrop" queue congestion may be a consequence of congestion downstream,
rather than a problem in its own right.
incomplete queue files whose mode is 0600, as these are still being written by
cleanup.
-The queue manager scans the incoming queue bringing any new mail into the
-"active" queue if the active queue resource limits have not been exceeded. By
-default, the active queue accommodates at most 20000 messages. Once the active
-queue message limit is reached, the queue manager stops scanning the incoming
-(and deferred, see below) queue.
+The queue manager scans the "incoming" queue bringing any new mail into the
+"active" queue if the "active" queue resource limits have not been exceeded. By
+default, the "active" queue accommodates at most 20000 messages. Once the
+"active" queue message limit is reached, the queue manager stops scanning the
+"incoming" queue (and the "deferred" queue, see below).
-Under normal conditions the incoming queue is nearly empty (has only mode 0600
-files), with the queue manager able to import new messages into the active
-queue as soon as they become available.
+Under normal conditions the "incoming" queue is nearly empty (has only mode
+0600 files), with the queue manager able to import new messages into the
+"active" queue as soon as they become available.
-The incoming queue grows when the message input rate spikes above the rate at
-which the queue manager can import messages into the active queue. The main
+The "incoming" queue grows when the message input rate spikes above the rate at
+which the queue manager can import messages into the "active" queue. The main
factors slowing down the queue manager are disk I/O and lookup queries to the
trivial-rewrite service. If the queue manager is routinely not keeping up,
consider not using "slow" lookup services (MySQL, LDAP, ...) for transport
at the same time.
If a server is being hammered from multiple directions, consider raising the
-in_flow_delay to 10 seconds, but only if the incoming queue is growing even
-while the active queue is not full and the trivial-rewrite service is using a
+in_flow_delay to 10 seconds, but only if the "incoming" queue is growing even
+while the "active" queue is not full and the trivial-rewrite service is using a
fast transport lookup mechanism.
T\bTh\bhe\be "\b"a\bac\bct\bti\biv\bve\be"\b" q\bqu\bue\beu\bue\be
The queue manager is a delivery agent scheduler; it works to ensure fast and
fair delivery of mail to all destinations within designated resource limits.
-The active queue is somewhat analogous to an operating system's process run
-queue. Messages in the active queue are ready to be sent (runnable), but are
+The "active" queue is somewhat analogous to an operating system's process run
+queue. Messages in the "active" queue are ready to be sent (runnable), but are
not necessarily in the process of being sent (running).
While most Postfix administrators think of the "active" queue as a directory on
turn to be processed. The envelope information for messages in the "active"
queue is managed in memory, allowing the queue manager to do global scheduling,
allocating available delivery agent processes to an appropriate message in the
-active queue.
+"active" queue.
-Within the active queue, (multi-recipient) messages are broken up into groups
+Within the "active" queue, (multi-recipient) messages are broken up into groups
of recipients that share the same transport/nexthop combination; the group size
is capped by the transport's recipient concurrency limit.
Per-recipient limits are appropriate when performing final delivery to
mailboxes rather than when relaying to a remote server.
-Congestion occurs in the active queue when one or more destinations drain
+Congestion occurs in the "active" queue when one or more destinations drain
slower than the corresponding message input rate.
-Input into the active queue comes both from new mail in the "incoming" queue,
+Input into the "active" queue comes both from new mail in the "incoming" queue,
and retries of mail in the "deferred" queue. Should the "deferred" queue get
really large, retries of old mail can dominate the arrival rate of new mail.
Systems with more CPU, faster disks and more network bandwidth can deal with
-larger deferred queues, but as a rule of thumb the deferred queue scales to
+larger "deferred" queues, but as a rule of thumb the "deferred" queue scales to
somewhere between 100,000 and 1,000,000 messages with good performance unlikely
above that "limit". Systems with queues this large should typically stop
accepting new mail, or put the backlog "on hold" until the underlying issue is
When a destination is down for some time, the queue manager will mark it dead,
and immediately defer all mail for the destination without trying to assign it
-to a delivery agent. In this case the messages will quickly leave the active
-queue and end up in the deferred queue (with Postfix < 2.4, this is done
+to a delivery agent. In this case the messages will quickly leave the "active"
+queue and end up in the "deferred" queue (with Postfix < 2.4, this is done
directly by the queue manager, with Postfix >= 2.4 this is done via the "retry"
delivery agent).
When the destination is instead simply slow, or there is a problem causing an
-excessive arrival rate the active queue will grow and will become dominated by
-mail to the congested destination.
+excessive arrival rate the "active" queue will grow and will become dominated
+by mail to the congested destination.
The only way to reduce congestion is to either reduce the input rate or
increase the throughput. Increasing the throughput requires either increasing
The best way to avoid bottlenecks when one or more MX hosts is non-responsive
is to use connection caching. Connection caching was introduced with Postfix
2.2 and is by default enabled on demand for destinations with a backlog of mail
-in the active queue. When connection caching is in effect for a particular
+in the "active" queue. When connection caching is in effect for a particular
destination, established connections are re-used to send additional messages,
this reduces the number of connections made per message delivery and maintains
good throughput even in the face of partial unavailability of the destination's
of timeouts and concurrency limits.
Another common cause of congestion is unwarranted flushing of the entire
-deferred queue. The deferred queue holds messages that are likely to fail to be
-delivered and are also likely to be slow to fail delivery (time out). As a
-result the most common reaction to a large deferred queue (flush it!) is more
-than likely counter-productive, and typically makes the congestion worse. Do
-not flush the deferred queue unless you expect that most of its content has
-recently become deliverable (e.g. relayhost back up after an outage)!
+"deferred" queue. The "deferred" queue holds messages that are likely to fail
+to be delivered and are also likely to be slow to fail delivery (time out). As
+a result the most common reaction to a large "deferred" queue (flush it!) is
+more than likely counter-productive, and typically makes the congestion worse.
+Do not flush the "deferred" queue unless you expect that most of its content
+has recently become deliverable (e.g. relayhost back up after an outage)!
Note that whenever the queue manager is restarted, there may already be
-messages in the active queue directory, but the "real" active queue in memory
-is empty. In order to recover the in-memory state, the queue manager moves all
-the active queue messages back into the incoming queue, and then uses its
-normal incoming queue scan to refill the active queue. The process of moving
-all the messages back and forth, redoing transport table (trivial-rewrite(8)
-resolve service) lookups, and re-importing the messages back into memory is
-expensive. At all costs, avoid frequent restarts of the queue manager (e.g. via
-frequent execution of "postfix reload").
+messages in the "active" queue directory, but the "real" "active" queue in
+memory is empty. In order to recover the in-memory state, the queue manager
+moves all the "active" queue messages back into the "incoming" queue, and then
+uses its normal "incoming" queue scan to refill the "active" queue. The process
+of moving all the messages back and forth, redoing transport table (trivial-
+rewrite(8) resolve service) lookups, and re-importing the messages back into
+memory is expensive. At all costs, avoid frequent restarts of the queue manager
+(e.g. via frequent execution of "postfix reload").
T\bTh\bhe\be "\b"d\bde\bef\bfe\ber\brr\bre\bed\bd"\b" q\bqu\bue\beu\bue\be
When all the deliverable recipients for a message are delivered, and for some
recipients delivery failed for a transient reason (it might succeed later), the
-message is placed in the deferred queue.
+message is placed in the "deferred" queue.
-The queue manager scans the deferred queue periodically. The scan interval is
-controlled by the queue_run_delay parameter. While a deferred queue scan is in
-progress, if an incoming queue scan is also in progress (ideally these are
-brief since the incoming queue should be short), the queue manager alternates
+The queue manager scans the "deferred" queue periodically. The scan interval is
+controlled by the queue_run_delay parameter. While a "deferred" queue scan is
+in progress, if an "incoming" queue scan is also in progress (ideally these are
+brief since the "incoming" queue should be short), the queue manager alternates
between looking for messages in the "incoming" queue and in the "deferred"
-queue. This "round-robin" strategy prevents starvation of either the incoming
-or the deferred queues.
+queue. This "round-robin" strategy prevents starvation of either the "incoming"
+or the "deferred" queues.
-Each deferred queue scan only brings a fraction of the deferred queue back into
-the active queue for a retry. This is because each message in the deferred
-queue is assigned a "cool-off" time when it is deferred. This is done by time-
-warping the modification time of the queue file into the future. The queue file
-is not eligible for a retry if its modification time is not yet reached.
+Each "deferred" queue scan only brings a fraction of the "deferred" queue back
+into the "active" queue for a retry. This is because each message in the
+"deferred" queue is assigned a "cool-off" time when it is deferred. This is
+done by time-warping the modification time of the queue file into the future.
+The queue file is not eligible for a retry if its modification time is not yet
+reached.
The "cool-off" time is at least $minimal_backoff_time and at most
$maximal_backoff_time. The next retry time is set by doubling the message's age
in the queue, and adjusting up or down to lie within the limits. This means
that young messages are initially retried more often than old messages.
-If a high volume site routinely has large deferred queues, it may be useful to
-adjust the queue_run_delay, minimal_backoff_time and maximal_backoff_time to
+If a high volume site routinely has large "deferred" queues, it may be useful
+to adjust the queue_run_delay, minimal_backoff_time and maximal_backoff_time to
provide short enough delays on first failure (Postfix >= 2.4 has a sensibly low
minimal backoff time by default), with perhaps longer delays after multiple
failures, to reduce the retransmission rate of old messages and thereby reduce
-the quantity of previously deferred mail in the active queue. If you want a
+the quantity of previously deferred mail in the "active" queue. If you want a
really low minimal_backoff_time, you may also want to lower queue_run_delay,
but understand that more frequent scans will increase the demand for disk I/O.
-One common cause of large deferred queues is failure to validate recipients at
-the SMTP input stage. Since spammers routinely launch dictionary attacks from
-unrepliable sender addresses, the bounces for invalid recipient addresses clog
-the deferred queue (and at high volumes proportionally clog the active queue).
-Recipient validation is strongly recommended through use of the
+One common cause of large "deferred" queues is failure to validate recipients
+at the SMTP input stage. Since spammers routinely launch dictionary attacks
+from unrepliable sender addresses, the bounces for invalid recipient addresses
+clog the "deferred" queue (and at high volumes proportionally clog the "active"
+queue). Recipient validation is strongly recommended through use of the
local_recipient_maps and relay_recipient_maps parameters. Even when bounces
drain quickly they inundate innocent victims of forgery with unwanted email. To
avoid this, do not accept mail for invalid recipients.
When a host with lots of deferred mail is down for some time, it is possible
-for the entire deferred queue to reach its retry time simultaneously. This can
-lead to a very full active queue once the host comes back up. The phenomenon
-can repeat approximately every maximal_backoff_time seconds if the messages are
-again deferred after a brief burst of congestion. Perhaps, a future Postfix
-release will add a random offset to the retry time (or use a combination of
-strategies) to reduce the odds of repeated complete deferred queue flushes.
+for the entire "deferred" queue to reach its retry time simultaneously. This
+can lead to a very full "active" queue once the host comes back up. The
+phenomenon can repeat approximately every maximal_backoff_time seconds if the
+messages are again deferred after a brief burst of congestion. Perhaps, a
+future Postfix release will add a random offset to the retry time (or use a
+combination of strategies) to reduce the odds of repeated complete "deferred"
+queue flushes.
C\bCr\bre\bed\bdi\bit\bts\bs
Specify ldapdb to enable the plugin.
ldapdb_uri
- Specify either ldapi:// for to connect over a UNIX-domain socket, ldap:
- // for an unencrypted TCP connection or ldaps:// for an encrypted TCP
+ Specify either ldapi:// to connect over a UNIX-domain socket, ldap:/
+ / for an unencrypted TCP connection, or ldaps:// for an encrypted TCP
connection.
ldapdb_id
single MySQL database, and configure different Postfix queries to extract
the appropriate information.
- * Specify dbm instead of hash if your system uses dbm files instead of db
+ * Specify d\bdb\bbm\bm instead of h\bha\bas\bsh\bh if your system uses d\bdb\bbm\bm files instead of d\bdb\bb
files. To find out what lookup tables Postfix supports, use the command
- "postconf -m".
+ "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-m\bm".
- * Execute the command "postmap /etc/postfix/sasl_passwd" whenever you change
+ * Execute the command "p\bpo\bos\bst\btm\bma\bap\bp /\b/e\bet\btc\bc/\b/p\bpo\bos\bst\btf\bfi\bix\bx/\b/s\bsa\bas\bsl\bl_\b_p\bpa\bas\bss\bsw\bwd\bd" whenever you change
the sasl_passwd table.
- * Execute the command "postmap /etc/postfix/sender_relay" whenever you change
+ * Execute the command "p\bpo\bos\bst\btm\bma\bap\bp /\b/e\bet\btc\bc/\b/p\bpo\bos\bst\btf\bfi\bix\bx/\b/s\bse\ben\bnd\bde\ber\br_\b_r\bre\bel\bla\bay\by" whenever you change
the sender_relay table.
P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP/\b/L\bLM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt p\bpo\bol\bli\bic\bcy\by -\b- S\bSA\bAS\bSL\bL m\bme\bec\bch\bha\ban\bni\bis\bsm\bm p\bpr\bro\bop\bpe\ber\brt\bti\bie\bes\bs
Postfix configuration a little more convenient because you don't have to
specify the SASL plug-in type in the Postfix main.cf file (but this may
cause surprises when you switch to a later Postfix version that is built
- with the default SASL type of sasl).
+ with the default SASL type of cyrus).
* If you also want support for LDAP or TLS (or for Cyrus SASL), you need to
merge their CCARGS and AUXLIBS options into the above command line; see the
T\bTh\bhe\be s\bst\btr\bru\buc\bct\btu\bur\bre\bes\bs u\bus\bse\bed\bd b\bby\by n\bnq\bqm\bmg\bgr\br
Let's start by recapitulating the structures and terms used when referring to
-queue manager and how it operates. Many of these are partially described
+the queue manager and how it operates. Many of these are partially described
elsewhere, but it is nice to have a coherent overview in one place:
* Each message structure represents one mail message which Postfix is to
set of queues (describing the destinations it shall talk to) and jobs
(referencing the messages it shall deliver).
- * Each transport queue (not to be confused with the on-disk active queue or
- incoming queue) groups everything what is going be delivered to given
+ * Each transport queue (not to be confused with the on-disk "active" queue or
+ "incoming" queue) groups everything what is going be delivered to given
destination (aka nexthop) by its transport. Each queue belongs to one
transport, so each destination may be referred to by several queues, one
for each transport. Each queue maintains a list of all recipient entries
W\bWh\bha\bat\bt h\bha\bap\bpp\bpe\ben\bns\bs w\bwh\bhe\ben\bn n\bnq\bqm\bmg\bgr\br p\bpi\bic\bck\bks\bs u\bup\bp t\bth\bhe\be m\bme\bes\bss\bsa\bag\bge\be
-Whenever nqmgr moves a queue file into the active queue, the following happens:
-It reads all necessary information from the queue file as oqmgr does, and also
-reads as many recipients as possible - more on that later, for now let's just
-pretend it always reads all recipients.
+Whenever nqmgr moves a queue file into the "active" queue, the following
+happens: It reads all necessary information from the queue file as oqmgr does,
+and also reads as many recipients as possible - more on that later, for now
+let's just pretend it always reads all recipients.
Then it resolves the recipients as oqmgr does, which means obtaining (address,
nexthop, transport) triple for each recipient. For each triple, it finds the
transport; if it does not exist yet, it instantiates it (unless it's dead).
-Within the transport, it finds the destination queue for given nexthop; if it
-does not exist yet, it instantiates it (unless it's dead). The triple is then
-bound to given destination queue. This happens in qmgr_resolve() and is
+Within the transport, it finds the destination queue for the given nexthop; if
+it does not exist yet, it instantiates it (unless it's dead). The triple is
+then bound to given destination queue. This happens in qmgr_resolve() and is
basically the same as in oqmgr.
Then for each triple which was bound to some queue (and thus transport), the
the peer which represents the bound destination queue within this jobs context;
if it does not exist yet, it instantiates it. Finally, it stores the address
from the resolved triple to the recipient entry which is appended to both the
-queue entry list and the peer entry list. The addresses for same nexthop are
-batched in the entries up to recipient_concurrency limit for that transport.
-This happens in qmgr_assign() and apart from that it operates with job and peer
-structures it is basically the same as in oqmgr.
+queue entry list and the peer entry list. The addresses for the same nexthop
+are batched in the entries up to the transport_destination_recipient_limit for
+that transport. This happens in qmgr_message_assign(), and apart from that it
+operates with job and peer structures, it is basically the same as in oqmgr.
When the job is instantiated, it is enqueued on the transport's job list based
on the time its message was picked up by nqmgr. For first batch of recipients
this means it is appended to the end of the job list, but the ordering of the
job list by the enqueue time is important as we will see shortly.
-[Now you should have pretty good idea what is the state of the nqmgr after
-couple of messages was picked up, what is the relation between all those job,
-peer, queue and entry structures.]
+[Now you should have a pretty good idea what the state of the nqmgr is after a
+couple of messages were picked up, and what the relation is between all those
+job, peer, queue and entry structures.]
H\bHo\bow\bw t\bth\bhe\be e\ben\bnt\btr\bry\by s\bse\bel\ble\bec\bct\bti\bio\bon\bn w\bwo\bor\brk\bks\bs
nqmgr. So by default we get the top-level round-robin transport, and within
each transport we get the FIFO message delivery. The round-robin of the peers
by the destination is perhaps of little importance in most real-life cases
-(unless the recipient_concurrency limit is reached, in one job there is only
-one peer structure for each destination), but theoretically it makes sure that
-even within single jobs, destinations are treated fairly.
+(unless the transport_destination_recipient_limit is reached, in one job there
+is only one peer structure for each destination), but theoretically it makes
+sure that even within single jobs, destinations are treated fairly.
[By now you should have a feeling you really know how the scheduler works,
except for the preemption, under ideal conditions - that is, no recipient
by two two-recipient mails?
The simple answer would be to use delivery sequence 12121313. But the problem
-is that this does not scale well. Imagine you have mail with thousand
-recipients followed by mail with hundred recipients. It is tempting to suggest
-the delivery sequence like 121212...., but alas! Imagine there arrives another
-mail with say ten recipients. But there are no free slots anymore, so it can't
-slip by, not even if it had just only one recipients. It will be stuck until
+is that this does not scale well. Imagine you have mail with a thousand
+recipients followed by mail with a hundred recipients. It is tempting to
+suggest the delivery sequence like 121212...., but alas! Imagine there arrives
+another mail with say ten recipients. But there are no free slots anymore, so
+it can't slip by, not even if it had only one recipient. It will be stuck until
the hundred-recipient mail is delivered, which really sucks.
-So, it becomes obvious that while inflating the message to get free slots is
+So, it becomes obvious that while inflating the message to get free slots is a
great idea, one has to be really careful of how the free slots are assigned,
otherwise one might corner himself. So, how does nqmgr really use the free
slots?
wait wait! Could we? Aren't we overinflating the original one thousand
recipient mail?
-Well, despite it looks so at the first glance, another trick will allow us to
-answer "no, we are not!". If we had said that we will inflate the delivery time
-twice at maximum, and then we consider every other slot as a free slot, then we
-would overinflate in case of the recursive preemption. BUT! The trick is that
-if we use only every n-th slot as a free slot for n>2, there is always some
-worst inflation factor which we can guarantee not to be breached, even if we
-apply the algorithm recursively. To be precise, if for every k>1 normally used
-slots we accumulate one free delivery slot, than the inflation factor is not
-worse than k/(k-1) no matter how many recursive preemptions happen. And it's
-not worse than (k+1)/k if only non-recursive preemption happens. Now, having
-got through the theory and the related math, let's see how nqmgr implements
-this.
+Well, despite the fact that it looks so at the first glance, another trick will
+allow us to answer "no, we are not!". If we had said that we will inflate the
+delivery time twice at maximum, and then we consider every other slot as a free
+slot, then we would overinflate in case of the recursive preemption. BUT! The
+trick is that if we use only every n-th slot as a free slot for n>2, there is
+always some worst inflation factor which we can guarantee not to be breached,
+even if we apply the algorithm recursively. To be precise, if for every k>1
+normally used slots we accumulate one free delivery slot, than the inflation
+factor is not worse than k/(k-1) no matter how many recursive preemptions
+happen. And it's not worse than (k+1)/k if only non-recursive preemption
+happens. Now, having got through the theory and the related math, let's see how
+nqmgr implements this.
Each job has so called "available delivery slot" counter. Each transport has a
transport_delivery_slot_cost parameter, which defaults to
default_delivery_slot_cost parameter which is set to 5 by default. This is the
k from the paragraph above. Each time k entries of the job are selected for
delivery, this counter is incremented by one. Once there are some slots
-accumulated, job which requires no more than that number of slots to be fully
+accumulated, a job which requires no more than that number of slots to be fully
delivered can preempt this job.
[Well, the truth is, the counter is incremented every time an entry is selected
-and it is divided by k when it is used. But for the understanding it's good
-enough to use the above approximation of the truth.]
+and it is divided by k when it is used. But to understand, it's good enough to
+use the above approximation of the truth.]
OK, so now we know the conditions which must be satisfied so one job can
preempt another one. But what job gets preempted, how do we choose what job
exactly happen?
The answer for the first part is simple. The job whose entry was selected the
-last time is so called current job. Normally, it is the first job on the
+last time is the so called current job. Normally, it is the first job on the
scheduler's job list, but destination concurrency limits may change this as we
will see later. It is always only the current job which may get preempted.
-Now for the second part. The current job has certain amount of recipient
+Now for the second part. The current job has a certain amount of recipient
entries, and as such may accumulate at maximum some amount of available
delivery slots. It might have already accumulated some, and perhaps even
already used some when it was preempted before (remember a job can be preempted
is, the older the job is, the more we should try to deliver it in order to get
best message delivery rates. These rates are of course subject to how many
recipients the message has, therefore the division by the recipient (entry)
-count. No one shall be surprised that message with n recipients takes n times
-longer to deliver than message with one recipient.
+count. No one shall be surprised that a message with n recipients takes n times
+longer to deliver than a message with one recipient.
Now let's recap the previous two paragraphs. Isn't it too complicated? Why
don't the candidates come only among the jobs which can be delivered within the
number of slots the current job already accumulated? Why do we need to estimate
how much it has yet to accumulate? If you found out the answer, congratulate
yourself. If we did it this simple way, we would always choose the candidate
-with least recipient entries. If there were enough single recipient mails
+with the fewest recipient entries. If there were enough single recipient mails
coming in, they would always slip by the bulk mail as soon as possible, and the
-two and more recipients mail would never get a chance, no matter how long they
+two or more recipients mail would never get a chance, no matter how long they
have been sitting around in the job list.
-This candidate selection has interesting implication - that when we choose the
-best candidate for preemption (this is done in qmgr_choose_candidate()), it may
-happen that we may not use it for preemption immediately. This leads to an
+This candidate selection has an interesting implication - that when we choose
+the best candidate for preemption (this is done in qmgr_choose_candidate()), it
+may happen that we may not use it for preemption immediately. This leads to an
answer to the last part of the original question - when does the preemption
happen?
to be chosen for delivery. To avoid needless overhead, the preemption is not
attempted if the current job could never accumulate more than
transport_minimum_delivery_slots (defaults to default_minimum_delivery_slots
-which defaults to 3). If there is already enough accumulated slots to preempt
+which defaults to 3). If there are already enough accumulated slots to preempt
the current job by the chosen best candidate, it is done immediately. This
basically means that the candidate is moved in front of the current job on the
scheduler's job list and decreasing the accumulated slot counter by the amount
-used by the candidate. If there is not enough slots... well, I could say that
+used by the candidate. If there are not enough slots... well, I could say that
nothing happens and the another preemption is attempted the next time. But
that's not the complete truth.
The truth is that it turns out that it is not really necessary to wait until
the jobs counter accumulates all the delivery slots in advance. Say we have
ten-recipient mail followed by two two-recipient mails. If the preemption
-happened when enough delivery slot accumulate (assuming slot cost 2), the
+happened when enough delivery slots accumulate (assuming slot cost 2), the
delivery sequence becomes 11112211113311. Now what would we get if we would
wait only for 50% of the necessary slots to accumulate and we promise we would
wait for the remaining 50% later, after we get back to the preempted job? If we
-use such slot loan, the delivery sequence becomes 11221111331111. As we can
-see, it makes it no considerably worse for the delivery of the ten-recipient
+use such a slot loan, the delivery sequence becomes 11221111331111. As we can
+see, it makes it not considerably worse for the delivery of the ten-recipient
mail, but it allows the small messages to be delivered sooner.
The concept of these slot loans is where the transport_delivery_slot_discount
slots required to deliver the best candidate is compared with the number of
slots the current slot had accumulated so far.
-And it pretty much concludes this chapter.
+And that pretty much concludes this chapter.
[Now you should have a feeling that you pretty much understand the scheduler
-and the preemption, or at least that you will have it after you read the last
-chapter couple more times. You shall clearly see the job list and the
+and the preemption, or at least that you will have after you read the last
+chapter a couple more times. You shall clearly see the job list and the
preemption happening at its head, in ideal delivery conditions. The feeling of
understanding shall last until you start wondering what happens if some of the
jobs are blocked, which you might eventually figure out correctly from what had
Now what happens when the destination limits are reached and no more entries
for that destination may be selected by the scheduler?
-From user's point of view it is all simple. If some of the peers of a job can't
-be selected, those peers are simply skipped by the entry selection algorithm
-(the pseudo-code described before) and only the selectable ones are used. If
-none of the peers may be selected, the job is declared a "blocker job". Blocker
-jobs are skipped by the entry selection algorithm and they are also excluded
-from the candidates for preemption of current job. Thus the scheduler
-effectively behaves as if the blocker jobs didn't exist on the job list at all.
-As soon as at least one of the peers of a blocker job becomes unblocked (that
-is, the delivery agent handling the delivery of the recipient entry for given
-destination successfully finishes), the job's blocker status is removed and the
-job again participates in all further scheduler actions normally.
+From the user's point of view it is all simple. If some of the peers of a job
+can't be selected, those peers are simply skipped by the entry selection
+algorithm (the pseudo-code described before) and only the selectable ones are
+used. If none of the peers may be selected, the job is declared a "blocker
+job". Blocker jobs are skipped by the entry selection algorithm and they are
+also excluded from the candidates for preemption of the current job. Thus the
+scheduler effectively behaves as if the blocker jobs didn't exist on the job
+list at all. As soon as at least one of the peers of a blocker job becomes
+unblocked (that is, the delivery agent handling the delivery of the recipient
+entry for the given destination successfully finishes), the job's blocker
+status is removed and the job again participates in all further scheduler
+actions normally.
So the summary is that the users don't really have to be concerned about the
interaction of the destination limits and scheduling algorithm. It works well
As we see, it's all very clean and straightforward. Now how does this change
because of blockers?
-The answer is: a lot. Any job may become blocker job at any time, and also
-become normal job again at any time. This has several important implications:
+The answer is: a lot. Any job may become a blocker job at any time, and also
+become a normal job again at any time. This has several important implications:
1. The jobs may be completed in arbitrary order. For example, in the example
above, if the current job 7 becomes blocked, the next job 4 may complete
completed and only after that 4 becomes unblocked and is completed... You
get the idea.
- [Interesting side note: even when jobs are delivered out of order, from
+ [Interesting side note: even when jobs are delivered out of order, from a
single destination's point of view the jobs are still delivered in the
expected order (that is, FIFO unless there was some preemption involved).
This is because whenever a destination queue becomes unblocked (the
too, then job 4 completes. Tricky, huh?
If I illustrate the relations after the above mentioned examples (but those in
-point 1)), the situation would look like this:
+point 1), the situation would look like this:
v- parent
Now how does nqmgr deal with all these complicated relations?
Well, it maintains them all as described, but fortunately, all these relations
-are necessary only for purposes of proper counting of available delivery slots.
-For purposes of ordering the jobs for entry selection, the original rule still
-applies: "the job preempting the current job is moved in front of the current
-job on the job list". So for entry selection purposes, the job relations remain
-as simple as this:
+are necessary only for the purpose of proper counting of available delivery
+slots. For the purpose of ordering the jobs for entry selection, the original
+rule still applies: "the job preempting the current job is moved in front of
+the current job on the job list". So for entry selection purposes, the job
+relations remain as simple as this:
7--8--1--2--6--3--5--.. <- scheduler's job list order
all this and stick with the user's point of view: the blocker jobs are simply
ignored.
-[By now, you should have a feeling that there is more things going under the
-hood than you ever wanted to know. You decide that forgetting about this
+[By now, you should have a feeling that there are more things going on under
+the hood than you ever wanted to know. You decide that forgetting about this
chapter is the best you can do for the sake of your mind's health and you
basically stick with the idea how the scheduler works in ideal conditions, when
there are no blockers, which is good enough.]
D\bDe\bea\bal\bli\bin\bng\bg w\bwi\bit\bth\bh m\bme\bem\bmo\bor\bry\by r\bre\bes\bso\bou\bur\brc\bce\be l\bli\bim\bmi\bit\bts\bs
When discussing the nqmgr scheduler, we have so far assumed that all recipients
-of all messages in the active queue are completely read into the memory. This
-is simply not true. There is an upper bound on the amount of memory the nqmgr
-may use, and therefore it must impose some limits on the information it may
-store in the memory at any given time.
+of all messages in the "active" queue are completely read into memory. This is
+simply not true. There is an upper bound on the amount of memory the nqmgr may
+use, and therefore it must impose some limits on the information it may store
+in memory at any given time.
First of all, not all messages may be read in-core at once. At any time, only
qmgr_message_active_limit messages may be read in-core at maximum. When read
-into memory, the messages are picked from the incoming and deferred message
-queues and moved to the active queue (incoming having priority), so if there is
-more than qmgr_message_active_limit messages queued in the active queue, the
-rest will have to wait until (some of) the messages in the active queue are
+into memory, the messages are picked from the "incoming" and "deferred" queues
+and moved to the "active" queue (incoming having priority), so if there are
+more than qmgr_message_active_limit messages queued in the "active" queue, the
+rest will have to wait until (some of) the messages in the "active" queue are
completely delivered (or deferred).
Even with the limited amount of in-core messages, there is another limit which
-must be imposed in order to avoid memory exhaustion. Each message may contain
-huge amount of recipients (tens or hundreds of thousands are not uncommon), so
-if nqmgr read all recipients of all messages in the active queue, it may easily
-run out of memory. Therefore there must be some upper bound on the amount of
-message recipients which are read into the memory at the same time.
+must be imposed in order to avoid memory exhaustion. Each message may contain a
+huge number of recipients (tens or hundreds of thousands are not uncommon), so
+if nqmgr read all recipients of all messages in the "active" queue, it may
+easily run out of memory. Therefore there must be some upper bound on the
+amount of message recipients which are read into memory at the same time.
Before discussing how exactly nqmgr implements the recipient limits, let's see
how the sole existence of the limits themselves affects the nqmgr and its
The message limit is straightforward - it just limits the size of the lookahead
the nqmgr's scheduler has when choosing which message can preempt the current
-one. Messages not in the active queue simply are not considered at all.
+one. Messages not in the "active" queue are simply not considered at all.
The recipient limit complicates more things. First of all, the message reading
code must support reading the recipients in batches, which among other things
unread recipients, it is not clear how many recipient entries there will be, as
they are subject to per-destination grouping. It is not even clear to what
transports (and thus jobs) the recipients will be assigned. And with messages
-coming from the deferred queue, it is not even clear how many unread recipients
-are still to be delivered. This all means that the scheduler must use only
-estimates of how many recipients entries there will be. Fortunately, it is
-possible to estimate the minimum and maximum correctly, so the scheduler can
-always err on the safe side. Obviously, the better the estimates, the better
-results, so it is best when we are able to read all recipients in-core and turn
-the estimates into exact counts, or at least try to read as many as possible to
-make the estimates as accurate as possible.
+coming from the "deferred" queue, it is not even clear how many unread
+recipients are still to be delivered. This all means that the scheduler must
+use only estimates of how many recipients entries there will be. Fortunately,
+it is possible to estimate the minimum and maximum correctly, so the scheduler
+can always err on the safe side. Obviously, the better the estimates, the
+better the results, so it is best when we are able to read all recipients in-
+core and turn the estimates into exact counts, or at least try to read as many
+as possible to make the estimates as accurate as possible.
The third complication is that it is no longer true that the scheduler is done
with a job once all of its in-core recipients are delivered. It is possible
the recipient limit itself. Now how does it achieve it?
Perhaps the easiest solution would be to say that each message may have at
-maximum X recipients stored in-core, but such solution would be poor for
+maximum X recipients stored in-core, but such a solution would be poor for
several reasons. With reasonable qmgr_message_active_limit values, the X would
-have to be quite low to maintain reasonable memory footprint. And with low X
+have to be quite low to maintain a reasonable memory footprint. And with low X
lots of things would not work well. The nqmgr would have problems to use the
transport_destination_recipient_limit efficiently. The scheduler's preemption
would be suboptimal as the recipient count estimates would be inaccurate. The
recipients again and again.
Therefore it seems reasonable to have a solution which does not use a limit
-imposed on per-message basis, but which maintains a pool of available recipient
-slots, which can be shared among all messages in the most efficient manner. And
-as we do not want separate transports to compete for resources whenever
-possible, it seems appropriate to maintain such recipient pool for each
-transport separately. This is the general idea, now how does it work in
+imposed on a per-message basis, but which maintains a pool of available
+recipient slots, which can be shared among all messages in the most efficient
+manner. And as we do not want separate transports to compete for resources
+whenever possible, it seems appropriate to maintain such a recipient pool for
+each transport separately. This is the general idea, now how does it work in
practice?
-First we have to solve little chicken-and-egg problem. If we want to use the
-per-transport recipient pools, we first need to know to what transport(s) is
-the message assigned. But we will find that out only after we read in the
-recipients first. So it is obvious that we first have to read in some
-recipients, use them to find out to what transports is the message to be
-assigned, and only after that we can use the per-transport recipient pools.
+First we have to solve a little chicken-and-egg problem. If we want to use the
+per-transport recipient pools, we first need to know to what transport(s) the
+message is assigned. But we will find that out only after we first read in the
+recipients. So it is obvious that we first have to read in some recipients, use
+them to find out to what transports the message is to be assigned, and only
+after that can we use the per-transport recipient pools.
Now how many recipients shall we read for the first time? This is what
qmgr_message_recipient_minimum and qmgr_message_recipient_limit values control.
The qmgr_message_recipient_minimum value specifies how many recipients of each
-message we will read for the first time, no matter what. It is necessary to
-read at least one recipient before we can assign the message to a transport and
-create the first job. However, reading only qmgr_message_recipient_minimum
-recipients even if there are only few messages with few recipients in-core
-would be wasteful. Therefore if there is less than qmgr_message_recipient_limit
+message we will read the first time, no matter what. It is necessary to read at
+least one recipient before we can assign the message to a transport and create
+the first job. However, reading only qmgr_message_recipient_minimum recipients
+even if there are only few messages with few recipients in-core would be
+wasteful. Therefore if there are fewer than qmgr_message_recipient_limit
recipients in-core so far, the first batch of recipients may be larger than
qmgr_message_recipient_minimum - as large as is required to reach the
qmgr_message_recipient_limit limit.
of the message permits (plus the qmgr_message_recipient_minimum amount which
always applies).
-For example, if a message has three jobs, first with 1 recipient still in-core
-and 4 recipient slots, second with 5 recipient in-core and 5 recipient slots,
-and third with 2 recipients in-core and 0 recipient slots, it has 1+5+2=7
-recipients in-core and 4+5+0=9 jobs' recipients slots in total. This means that
-we could immediately read 2+qmgr_message_recipient_minimum more recipients of
-that message in core.
+For example, if a message has three jobs, the first with 1 recipient still in-
+core and 4 recipient slots, the second with 5 recipients in-core and 5
+recipient slots, and the third with 2 recipients in-core and 0 recipient slots,
+it has 1+5+2=8 recipients in-core and 4+5+0=9 jobs' recipients slots in total.
+This means that we could immediately read 2+qmgr_message_recipient_minimum more
+recipients of that message in core.
The above example illustrates several things which might be worth mentioning
explicitly: first, note that although the per-transport slots are assigned to
More specifically, each time a job is created and appended to the job list, it
gets all unused recipient slots from its transport's pool. It keeps them until
all recipients of its message are read. When this happens, all unused recipient
-slots are transferred to the next job (which is now in fact now first such job)
+slots are transferred to the next job (which is now in fact the first such job)
on the job list which still has some recipients unread, or eventually back to
-the transport pool if there is no such job. Such transfer then also happens
+the transport pool if there is no such job. Such a transfer then also happens
whenever a recipient entry of that job is delivered.
There is also a scenario when a job is not appended to the end of the job list
-(for example it was created as a result of second or later recipient batch).
+(for example it was created as a result of a second or later recipient batch).
Then it works exactly as above, except that if it was put in front of the first
unread job (that is, the job of a message which still has some unread
-recipients in queue file), that job is first forced to return all of its unused
-recipient slots to the transport pool.
+recipients in the queue file), that job is first forced to return all of its
+unused recipient slots to the transport pool.
The algorithm just described leads to the following state: The first unread job
on the job list always gets all the remaining recipient slots of that transport
there because of the sponsoring mentioned before) and the jobs after this job
get nothing from the transport recipient pool (unless they got something before
and then the first unread job was created and enqueued in front of them later -
-in such case the also get at maximum as many slots as they have recipients in-
-core).
-
-Things work fine in such state for most of the time, because the current job is
-either completely read in-core or has as much recipient slots as there are, but
-there is one situation which we still have to take care of specially. Imagine
-if the current job is preempted by some unread job from the job list and there
-are no more recipient slots available, so this new current job could read only
-batches of qmgr_message_recipient_minimum recipients at a time. This would
-really degrade performance. For this reason, each transport has extra pool of
-transport_extra_recipient_limit recipient slots, dedicated exactly for this
-situation. Each time an unread job preempts the current job, it gets half of
-the remaining recipient slots from the normal pool and this extra pool.
+in such a case, they also get at maximum as many slots as they have recipients
+in-core).
+
+Things work fine in such a state for most of the time, because the current job
+is either completely read in-core or has as many recipient slots as there are,
+but there is one situation which we still have to take care of specially.
+Imagine if the current job is preempted by some unread job from the job list
+and there are no more recipient slots available, so this new current job could
+read only batches of qmgr_message_recipient_minimum recipients at a time. This
+would really degrade performance. For this reason, each transport has an extra
+pool of transport_extra_recipient_limit recipient slots, dedicated exactly for
+this situation. Each time an unread job preempts the current job, it gets half
+of the remaining recipient slots from the normal pool and this extra pool.
And that's it. It sure does sound pretty complicated, but fortunately most
-people don't really have to care how exactly it works as long as it works.
+people don't really have to care exactly how it works as long as it works.
Perhaps the only important things to know for most people are the following
upper bound formulas:
where the sum is over all used transports.
-And this terribly complicated chapter concludes the documentation of nqmgr
+And this terribly complicated chapter concludes the documentation of the nqmgr
scheduler.
[By now you should theoretically know the nqmgr scheduler inside out. In
practice, you still hope that you will never have to really understand the last
or last two chapters completely, and fortunately most people really won't.
Understanding how the scheduler works in ideal conditions is more than good
-enough for vast majority of users.]
+enough for the vast majority of users.]
C\bCr\bre\bed\bdi\bit\bts\bs
produces a result of PERMIT, REJECT or DEFER (try again later). The end of each
list is equivalent to a PERMIT result. By placing a PERMIT restriction before a
REJECT restriction you can make exceptions for specific clients or users. This
-is called allowlisting; the fourth example above allows mail from local
-networks but otherwise rejects mail to arbitrary destinations.
+is called allowlisting; the smtpd_relay_restrictions example above allows mail
+from local networks, and from SASL authenticated clients, but otherwise rejects
+mail to arbitrary destinations.
The table below summarizes the purpose of each SMTP access restriction list.
All lists use the exact same syntax; they differ only in the time of evaluation
127.0.0.1 port 9998. The second example specifies an absolute pathname of a
UNIX-domain socket. The third example specifies a pathname relative to the
Postfix queue directory; use this for policy servers that are spawned by the
-Postfix master daemon.
+Postfix master daemon. On many systems, "local" is a synonym for "unix".
To create a policy service that listens on a UNIX-domain socket called
"policy", and that runs under control of the Postfix spawn(8) daemon, you would
* Line 11: this increases the time that a policy server process may run to
3600 seconds. The default time limit of 1000 seconds is too short; the
- policy daemon needs to run long as the SMTP server process that talks to
+ policy daemon needs to run as long as the SMTP server process that talks to
it. See the spawn(8) manpage for more information about the
transport_time_limit parameter.
* Line 6: this increases the time that a greylist server process may run to
3600 seconds. The default time limit of 1000 seconds is too short; the
- greylist daemon needs to run long as the SMTP server process that talks to
- it. See the spawn(8) manpage for more information about the
+ greylist daemon needs to run as long as the SMTP server process that talks
+ to it. See the spawn(8) manpage for more information about the
transport_time_limit parameter.
* Line 9: reject_unauth_destination is not needed here if the mail relay
It is relatively safe to turn on greylisting for specific domains that often
appear in forged email. At some point in cyberspace/time a list of frequently
-forged MAIL FROM domains could be found at http://www.monkeys.com/anti-spam/
-filtering/sender-domain-validate.in.
+forged MAIL FROM domains could be found at https://web.archive.org/web/
+20080526153208/http://www.monkeys.com/anti-spam/filtering/sender-domain-
+validate.in.
1 /etc/postfix/main.cf:
2 smtpd_recipient_restrictions =
The content filter itself is not described here. You can use any filter that is
SMTP enabled. For non-SMTP capable content filtering software, Bennett Todd's
-SMTP proxy implements a nice Perl-based framework. See: http://
-bent.latency.net/smtpprox/ or https://github.com/jnorell/smtpprox.
+SMTP proxy implements a nice Perl-based framework. See: https://
+web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/ or https:/
+/github.com/jnorell/smtpprox/
Postfix
Postfix filter on SMTP server Postfix Postfix
By default, the filter has 100 seconds to do its work. If it takes longer then
Postfix gives up and reports an error to the remote SMTP client. You can
-increase this time limit (see configuration parameter section below) but doing
-so is pointless because you can't control when the remote SMTP client times
-out.
+increase this time limit (see the "Configuration parameters" section below) but
+doing so is pointless because you can't control when the remote SMTP client
+times out.
C\bCo\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn p\bpa\bar\bra\bam\bme\bet\bte\ber\brs\bs
For compatibility with pre-SMTPUTF8 environments, Postfix does not
automatically set the "SMTPUTF8 requested" flag on messages from non-SMTPUTF8
-clients that contain an UTF-8 header value or UTF-8 address localpart. This
+clients that contain a UTF-8 header value or UTF-8 address localpart. This
would make such messages undeliverable to non-SMTPUTF8 servers, and could be a
barrier to SMTPUTF8 adoption.
leaves the machine; not when you send mail between users on the same machine.
The following example presents additional configuration. You need to combine
-this with basic configuration information as discussed the first half of this
-document.
+this with basic configuration information as discussed in the first half of
+this document.
1 /etc/postfix/main.cf:
2 smtp_generic_maps = hash:/etc/postfix/generic
valid Internet address of their own.
The following example presents additional configuration. You need to combine
-this with basic configuration information as discussed the first half of this
-document.
+this with basic configuration information as discussed in the first half of
+this document.
1 /etc/postfix/main.cf:
2 myhostname = hostname.localdomain
single MySQL database, and configure different Postfix queries to extract
the appropriate information.
- * Specify dbm instead of hash if your system uses dbm files instead of db
+ * Specify d\bdb\bbm\bm instead of h\bha\bas\bsh\bh if your system uses d\bdb\bbm\bm files instead of d\bdb\bb
files. To find out what lookup tables Postfix supports, use the command
- "postconf -m".
+ "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-m\bm".
- * Execute the command "postmap /etc/postfix/sasl_passwd" whenever you change
+ * Execute the command "p\bpo\bos\bst\btm\bma\bap\bp /\b/e\bet\btc\bc/\b/p\bpo\bos\bst\btf\bfi\bix\bx/\b/s\bsa\bas\bsl\bl_\b_p\bpa\bas\bss\bsw\bwd\bd" whenever you change
the sasl_passwd table.
- * Execute the command "postmap /etc/postfix/sender_relay" whenever you change
+ * Execute the command "p\bpo\bos\bst\btm\bma\bap\bp /\b/e\bet\btc\bc/\b/p\bpo\bos\bst\btf\bfi\bix\bx/\b/s\bse\ben\bnd\bde\ber\br_\b_r\bre\bel\bla\bay\by" whenever you change
the sender_relay table.
# See sqlite_table(5) for details.
query = SELECT forw_addr FROM mxaliases WHERE alias='%s' AND status='paid'
-A\bAd\bdd\bdi\bit\bti\bio\bon\bna\bal\bl n\bno\bot\bte\bes\bs
-
-The SQLite configuration interface setup allows for multiple sqlite databases:
-you can use one for a virtual table, one for an access table, and one for an
-aliases table if you want.
-
C\bCr\bre\bed\bdi\bit\bts\bs
SQLite support was added with Postfix version 2.8.
settings.
First we present the non-mailhost configuration, because it is the simpler one.
-This machine sends mail as "user@example.com" and is final destination for
+This machine sends mail as "user@example.com" and is the final destination for
"user@hostname.example.com".
1 /etc/postfix/main.cf:
below, "Postfix behind a firewall".
Next we present the mailhost configuration. This machine sends mail as
-"user@example.com" and is final destination for "user@hostname.example.com" as
-well as "user@example.com".
+"user@example.com" and is the final destination for "user@hostname.example.com"
+as well as "user@example.com".
1 DNS:
2 example.com IN MX 10 mailhost.example.com.
literals matching $inet_interfaces or $proxy_interfaces are deemed local.
So "localpart@[a.d.d.r]" can be matched as simply "localpart" in canonical
(5) and virtual(5). This avoids the need to specify firewall IP addresses
- into Postfix configuration files.
+ in Postfix configuration files.
The last part of the solution does the email forwarding, which is the real
purpose of the firewall email function.
Postfix version you have, execute the command "p\bpo\bos\bst\btc\bco\bon\bnf\bf m\bma\bai\bil\bl_\b_v\bve\ber\brs\bsi\bio\bon\bn".
The following example presents additional configuration. You need to combine
-this with basic configuration information as discussed the first half of this
-document.
+this with basic configuration information as discussed in the first half of
+this document.
1 /etc/postfix/main.cf:
2 transport_maps = hash:/etc/postfix/transport
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx a\bas\bs p\bpr\bri\bim\bma\bar\bry\by o\bor\br b\bba\bac\bck\bku\bup\bp M\bMX\bX h\bho\bos\bst\bt f\bfo\bor\br a\ba r\bre\bem\bmo\bot\bte\be s\bsi\bit\bte\be
This section presents additional configuration. You need to combine this with
-basic configuration information as discussed the first half of this document.
+basic configuration information as discussed in the first half of this
+document.
When your system is SECONDARY MX host for a remote site this is all you need:
dialup connections that are up 24x7, see the local area network section above.
This section presents additional configuration. You need to combine this with
-basic configuration information as discussed the first half of this document.
+basic configuration information as discussed in the first half of this
+document.
If you do not have your own hostname and IP address (usually with dialup, cable
TV or DSL connections) then you should also study the section on "Postfix on
leaves the machine; not when you send mail between users on the same machine.
The following example presents additional configuration. You need to combine
-this with basic configuration information as discussed the first half of this
-document.
+this with basic configuration information as discussed in the first half of
+this document.
1 /etc/postfix/main.cf:
2 smtp_generic_maps = hash:/etc/postfix/generic
valid Internet address of their own.
The following example presents additional configuration. You need to combine
-this with basic configuration information as discussed the first half of this
-document.
+this with basic configuration information as discussed in the first half of
+this document.
1 /etc/postfix/main.cf:
2 myhostname = hostname.localdomain
The postscreen(8) daemon, introduced with Postfix 2.8, provides additional
protection against mail server overload. One postscreen(8) process handles
-multiple inbound SMTP connections, and decides which clients may to talk to a
+multiple inbound SMTP connections, and decides which clients may talk to a
Postfix SMTP server process. By keeping spambots away, postscreen(8) leaves
more SMTP server processes available for legitimate clients, and delays the
onset of server overload conditions.
In order to use TLS, the Postfix SMTP server needs a certificate and a private
key. Both must be in "pem" format. The private key must not be encrypted,
-meaning: the key must be accessible without password. Both certificate and
+meaning: the key must be accessible without a password. Both certificate and
private key may be in the same file.
Both RSA and DSA certificates are supported. Typically you will only have RSA
% c\bca\bat\bt s\bse\ber\brv\bve\ber\br_\b_c\bce\ber\brt\bt.\b.p\bpe\bem\bm i\bin\bnt\bte\ber\brm\bme\bed\bdi\bia\bat\bte\be_\b_C\bCA\bA.\b.p\bpe\bem\bm >\b> s\bse\ber\brv\bve\ber\br.\b.p\bpe\bem\bm
-A Postfix SMTP server certificate supplied here must be usable as SSL server
+A Postfix SMTP server certificate supplied here must be usable as an SSL server
certificate and hence pass the "openssl verify -purpose sslserver ..." test.
A client that trusts the root CA has a local copy of the root CA certificate,
The permit_tls_all_clientcerts feature must be used with caution, because it
can result in too many access permissions. Use this feature only if a special
-CA issues the client certificates, and only if this CA is listed as trusted CA.
-If other CAs are trusted, any owner of a valid client certificate would be
+CA issues the client certificates, and only if this CA is listed as a trusted
+CA. If other CAs are trusted, any owner of a valid client certificate would be
authorized. The permit_tls_all_clientcerts feature can be practical for a
specially created email relay server.
S\bSe\ber\brv\bve\ber\br-\b-s\bsi\bid\bde\be c\bci\bip\bph\bhe\ber\br c\bco\bon\bnt\btr\bro\bol\bls\bs
To influence the Postfix SMTP server cipher selection scheme, you can give
-cipherlist string. A detailed description would go to far here; please refer to
-the OpenSSL documentation. If you don't know what to do with it, simply don't
-touch it and leave the (openssl-)compiled in default!
+cipherlist string. A detailed description would go too far here; please refer
+to the OpenSSL documentation. If you don't know what to do with it, simply
+don't touch it and leave the (openssl-)compiled in default!
DO NOT USE " to enclose the string, specify just the string!!!
It is possible for the Postfix SMTP client to use the same key/certificate pair
as the Postfix SMTP server. If a certificate is to be presented, it must be in
"pem" format. The private key must not be encrypted, meaning: it must be
-accessible without password. Both parts (certificate and private key) may be in
-the same file.
+accessible without a password. Both parts (certificate and private key) may be
+in the same file.
In order for remote SMTP servers to verify the Postfix SMTP client
certificates, the CA certificate (in case of a certificate chain, all CA
% c\bca\bat\bt c\bcl\bli\bie\ben\bnt\bt_\b_c\bce\ber\brt\bt.\b.p\bpe\bem\bm i\bin\bnt\bte\ber\brm\bme\bed\bdi\bia\bat\bte\be_\b_C\bCA\bA.\b.p\bpe\bem\bm >\b> c\bcl\bli\bie\ben\bnt\bt.\b.p\bpe\bem\bm
-A Postfix SMTP client certificate supplied here must be usable as SSL client
+A Postfix SMTP client certificate supplied here must be usable as an SSL client
certificate and hence pass the "openssl verify -purpose sslclient ..." test.
A server that trusts the root CA has a local copy of the root CA certificate,
"smtp_use_tls = yes".
* When both hostname and next-hop destination lookups produce a result, the
- more specific per-site policy (NONE, MUST, etc) overrides the less specific
- one (MAY), and the more secure per-site policy (MUST, etc) overrides the
- less secure one (NONE).
+ more specific per-site policy (NONE, MUST, etc.) overrides the less
+ specific one (MAY), and the more secure per-site policy (MUST, etc.)
+ overrides the less secure one (NONE).
* After the per-site policy lookups are combined, the result generally
overrides the global policy. The exception is the less specific M\bMA\bAY\bY per-
example.org NONE
# TLS should not be used with the host smtp.example.com.
- smtp.example.com NONE
+ [smtp.example.com] NONE
D\bDi\bis\bsc\bco\bov\bve\ber\bri\bin\bng\bg s\bse\ber\brv\bve\ber\brs\bs t\bth\bha\bat\bt s\bsu\bup\bpp\bpo\bor\brt\bt T\bTL\bLS\bS
C\bCl\bli\bie\ben\bnt\bt-\b-s\bsi\bid\bde\be c\bci\bip\bph\bhe\ber\br c\bco\bon\bnt\btr\bro\bol\bls\bs
To influence the Postfix SMTP client cipher selection scheme, you can give
-cipherlist string. A detailed description would go to far here; please refer to
-the OpenSSL documentation. If you don't know what to do with it, simply don't
-touch it and leave the (openssl-)compiled in default!
+cipherlist string. A detailed description would go too far here; please refer
+to the OpenSSL documentation. If you don't know what to do with it, simply
+don't touch it and leave the (openssl-)compiled in default!
DO NOT USE " to enclose the string, specify just the string!!!
* Problems in the TLS code: <postfix_tls@aet.tu-cottbus.de>
* Problems in vanilla Postfix: <postfix-users@postfix.org>
-C\bCo\bom\bmp\bpa\bat\bti\bib\bbi\bil\bli\bit\bty\by w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx <\b<2\b2.\b.2\b2 T\bTL\bLS\bS s\bsu\bup\bpp\bpo\bor\brt\bt
+C\bCo\bom\bmp\bpa\bat\bti\bib\bbi\bil\bli\bit\bty\by w\bwi\bit\bth\bh P\bPo\bos\bst\btf\bfi\bix\bx <\b< 2\b2.\b.2\b2 T\bTL\bLS\bS s\bsu\bup\bpp\bpo\bor\brt\bt
Postfix version 2.2 TLS support is based on the Postfix/TLS patch by Lutz
Ja"nicke, but differs in a few minor ways.
encrypt mail and to authenticate remote SMTP clients or servers. You also turn
on hundreds of thousands of lines of OpenSSL library code. Assuming that
OpenSSL is written as carefully as Wietse's own code, every 1000 lines
-introduce one additional bug into Postfix.
+introduces one additional bug into Postfix.
Topics covered in this document:
receive the issuing CA certificates via the TLS handshake or via public-key
infrastructure. This means that the Postfix server public-key certificate file
must include the server certificate first, then the issuing CA(s) (bottom-up
-order). The Postfix SMTP server certificate must be usable as SSL server
+order). The Postfix SMTP server certificate must be usable as an SSL server
certificate and hence pass the "openssl verify -purpose sslserver ..." test.
The examples that follow show how to create a server certificate file. We
cert, [chain]) sequences, one per algorithm. It is typically simpler to keep
the chain for each algorithm in its own file. Most users are likely to deploy
just a single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up to
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the obsolete DSA.
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the obsolete
+DSA.
# Postfix >= 3.4. Preferred configuration interface. Each file
# starts with the private key, followed by the corresponding
The permit_tls_all_clientcerts feature must be used with caution, because it
can result in too many access permissions. Use this feature only if a special
-CA issues the client certificates, and only if this CA is listed as trusted CA.
-If other CAs are trusted, any owner of a valid client certificate would be
+CA issues the client certificates, and only if this CA is listed as a trusted
+CA. If other CAs are trusted, any owner of a valid client certificate would be
authorized. The permit_tls_all_clientcerts feature can be practical for a
specially created email relay server.
It is possible for the Postfix SMTP client to use the same key/certificate pair
as the Postfix SMTP server. If a certificate is to be presented, it must be in
"PEM" format. The private key must not be encrypted, meaning: it must be
-accessible without password. Both parts (certificate and private key) may be in
-the same file.
+accessible without a password. Both parts (certificate and private key) may be
+in the same file.
With OpenSSL 1.1.1 and Postfix >= 3.4 it is also possible to configure Ed25519
and Ed448 certificates. Rather than add two more pairs of key and certificate
# u\bum\bma\bas\bsk\bk 0\b07\b77\b7
# c\bca\bat\bt c\bcl\bli\bie\ben\bnt\bt_\b_k\bke\bey\by.\b.p\bpe\bem\bm c\bcl\bli\bie\ben\bnt\bt_\b_c\bce\ber\brt\bt.\b.p\bpe\bem\bm i\bin\bnt\bte\ber\brm\bme\bed\bdi\bia\bat\bte\be_\b_C\bCA\bA.\b.p\bpe\bem\bm >\b> c\bch\bha\bai\bin\bn.\b.p\bpe\bem\bm
-A Postfix SMTP client certificate supplied here must be usable as SSL client
+A Postfix SMTP client certificate supplied here must be usable as an SSL client
certificate and hence pass the "openssl verify -purpose sslclient ..." test.
A server that trusts the root CA has a local copy of the root CA certificate,
cert, [chain]) sequences, one per algorithm. It is typically simpler to keep
the chain for each algorithm in its own file. Most users are likely to deploy
at most a single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the obsolete DSA.
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the obsolete
+DSA.
# Postfix >= 3.4. Preferred configuration interface. Each file
# starts with the private key, followed by the corresponding
files.
s\bse\bec\bcu\bur\bre\be
Secure certificate verification. Mail is delivered only if the TLS
- handshake succeeds, if the remote SMTP server certificate can be validated
- (not expired or revoked, and signed by a trusted Certification Authority),
- and if the server certificate name matches the optional "match" attribute
- (or the main.cf smtp_tls_secure_cert_match parameter value when no optional
- "match" attribute is specified). With Postfix >= 2.11 the "tafile"
- attribute optionally modifies trust chain verification in the same manner
- as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute may
- be specified multiple times to load multiple trust-anchor files.
+ handshake succeeds, and DNS forgery resistant remote SMTP certificate
+ verification succeeds (not expired or revoked, and signed by a trusted
+ Certification Authority), and if the server certificate name matches the
+ optional "match" attribute (or the main.cf smtp_tls_secure_cert_match
+ parameter value when no optional "match" attribute is specified). With
+ Postfix >= 2.11 the "tafile" attribute optionally modifies trust chain
+ verification in the same manner as the "smtp_tls_trust_anchor_file"
+ parameter. The "tafile" attribute may be specified multiple times to load
+ multiple trust-anchor files.
Notes:
* The "match" attribute is especially useful to verify TLS certificates for
sites that you have no trust relationship with. For real authentication you
need also enable DNSSEC record signing for your domain and publish TLSA records
and/or your Postfix public key certificate needs to be signed by a recognized
-Certification Authority. To authenticate the certificates of remote host you
+Certification Authority. To authenticate the certificates of a remote host you
need a DNSSEC-validating local resolver and to enable DANE authentication and/
or configure the Postfix SMTP client with a list of public key certificates of
Certification Authorities, but make sure to read about the limitations of the
Often servers that perform TLS client authentication will issue the
required certificates signed by their own CA. If you configure the client
certificate and key incorrectly, you will be unable to send mail to sites
- that request client certificate, but don't require them from all clients.
+ that request a client certificate, but don't require them from all clients.
/etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/cacert.pem
forwards to multiple MX hosts. When all MX hosts are up and accepting
connections in a timely fashion, throughput will be high. If any MX host is
down and completely unresponsive, the average connection latency rises to at
-least 1/N * $smtp_connection_timeout, if there are N MX hosts. This limits
-throughput to at most the destination concurrency * N /
-$smtp_connection_timeout.
+least 1/N * $smtp_connect_timeout, if there are N MX hosts. This limits
+throughput to at most the destination concurrency * N / $smtp_connect_timeout.
For example, with a destination concurrency of 100 and 2 MX hosts, each host
will handle up to 50 simultaneous connections. If one MX host is down and the
not all MX hosts are down.
If necessary, set a higher transport_destination_concurrency_limit (in main.cf
-since this is a queue manager parameter) and a lower smtp_connection_timeout
-(with a "-o" override in master.cf since this parameter has no per-transport
-name) for the relay transport and any transports dedicated for specific high
-volume destinations.
+since this is a queue manager parameter) and a lower smtp_connect_timeout (with
+a "-o" override in master.cf since this parameter has no per-transport name)
+for the relay transport and any transports dedicated for specific high volume
+destinations.
T\bTu\bun\bni\bin\bng\bg t\bth\bhe\be n\bnu\bum\bmb\bbe\ber\br o\bof\bf r\bre\bec\bci\bip\bpi\bie\ben\bnt\bts\bs p\bpe\ber\br d\bde\bel\bli\biv\bve\ber\bry\by
C\bCa\ban\bno\bon\bni\bic\bca\bal\bl v\bve\ber\brs\bsu\bus\bs h\bho\bos\bst\bte\bed\bd v\bve\ber\brs\bsu\bus\bs o\bot\bth\bhe\ber\br d\bdo\bom\bma\bai\bin\bns\bs
-Most Postfix systems are f\bfi\bin\bna\bal\bl d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn for only a few domain names. These
-include the hostnames and [the IP addresses] of the machine that Postfix runs
-on, and sometimes also include the parent domain of the hostname. The remainder
-of this document will refer to these domains as the canonical domains. They are
-usually implemented with the Postfix local domain address class, as defined in
-the ADDRESS_CLASS_README file.
-
-Besides the canonical domains, Postfix can be configured to be f\bfi\bin\bna\bal\bl
+Most Postfix systems are the f\bfi\bin\bna\bal\bl d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn for only a few domain names.
+These include the hostnames and [the IP addresses] of the machine that Postfix
+runs on, and sometimes also include the parent domain of the hostname. The
+remainder of this document will refer to these domains as the canonical
+domains. They are usually implemented with the Postfix local domain address
+class, as defined in the ADDRESS_CLASS_README file.
+
+Besides the canonical domains, Postfix can be configured to be the f\bfi\bin\bna\bal\bl
d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn for any number of additional domains. These domains are called
hosted, because they are not directly associated with the name of the machine
itself. Hosted domains are usually implemented with the virtual alias domain
ADDRESS_CLASS_README file.
Finally, Postfix can be configured as a transit host for sending mail across
-the internet. Obviously, Postfix is not final destination for such mail. This
-function is available only for authorized clients and/or users, and is
+the internet. Obviously, Postfix is not the final destination for such mail.
+This function is available only for authorized clients and/or users, and is
implemented by the default domain address class, as defined in the
ADDRESS_CLASS_README file.
- Walcir Fontanini <walcir@densis.fee.unicamp.br>
- * tested on Solaris 2.5 and and reported missing "snprintf()"
+ * tested on Solaris 2.5 and reported missing "snprintf()"
-> was fixed in pfixtls-0.1.2
* contributed the script to add fingerprints
contributed/fp.csh
- Updated configuration information:
* As of OpenSSL 0.9.4, certificate chain verification is not sufficient,
since the certificate purpose is not checked, so I recommend to add
- all intermediate CAs the the list of CAs and stay with a verification
+ all intermediate CAs the list of CAs and stay with a verification
depth of 1.
Work is in progress for 0.9.5.
- Stepped up to the just released new patchlevel postfix-19990906-pl09.
1999/10/09
- Set an absolut maximum length of 32 for the IDs used for session caching.
- This matches the default in OpenSSL, but I don´t want to see surprises
+ This matches the default in OpenSSL, but I don't want to see surprises
when somebody sometimes will run into a longer session id.
1999/10/05 == Released 0.4.0 ==
to computer sience students.
1999/09/28
- - I cannot use the mod_ssl way for session caching and I don´t want to
- spend an extra "gcache" daemon as ApacheSSL does. So I follow Wietse´s
+ - I cannot use the mod_ssl way for session caching and I don't want to
+ spend an extra "gcache" daemon as ApacheSSL does. So I follow Wietse's
idea realized for his mail queues and create hash level based subdirectory
structures. The good thing: I can cannibalize the mail_queue code.
- The bad thing: there is a path length of 100 chars fix coded in Wietse´s
+ The bad thing: there is a path length of 100 chars fix coded in Wietse's
routines. It does hold for 32byte session ideas.
Status: can save sessions to disk and recall them (server side).
- Created new call backs for external session caching for the server side.
In a first step, they can print out the session ids for the newly created
session and when recalling a session.
- As the OpenSSL documentation on this is pretty sparse, Ben Laurie´s
- ApacheSSL code is very helpful, Ralph Engelschall´s Mod_SSL code for
+ As the OpenSSL documentation on this is pretty sparse, Ben Laurie's
+ ApacheSSL code is very helpful, Ralph Engelschall's Mod_SSL code for
session caching is far more complicated.
1999/09/23 == Released 0.3.10 ==
SSL_CTX_set_session_id_context() call was missing. To find this, I
had to trace through the OpenSSL library and when I finally found it
in ssl/ssl_sess.c, there was an appropriate comment about this. I however
- have to find out why I didn´t receive the appropriate error message...
+ have to find out why I didn't receive the appropriate error message...
- This bug was hidden during the first developing stages, as the shutdown
sequence was not working correct, so the session was not cached.
1999/09/09 == Released 0.3.6 ==
1999/09/09
- - Added a missing ´#ifdef HAS_SSL #endif´ in smtp_connect.c.
+ - Added a missing '#ifdef HAS_SSL #endif' in smtp_connect.c.
Noted by Jeff Johnson <jeff@websitefactory.net>.
- HINT:
On 1999/09/06 a new "stable" version of postfix was released.
1999/04/14
- Ported from OpenSSL the BIO_callback functions to dump out the negotiation
and transmission for debugging purposes. The functions are triggered
- by the the new loglevels 3 and 4.
+ by the new loglevels 3 and 4.
- Call SSL_free() to get rid of the SSL connection structure not used
anymore.
Wish list:
- Factor out the new get_nested_dict_name() function from
- proxymap.c, make it a library function, and reuse it in
- postconf_dbms.c.
+ Things to do before the stable release:
+
+ make typo-check, HTML validator check,
+ mantools/missing-proxy-read-maps, mantools/check-postlink.
- Convert the proxymap protol into "server speaks first".
+ Disable -DSNAPSHOT and -DNONPROD in makedefs.
Fix code that still uses "long" for data_size and data_offset,
and that uses "%ld" in sscanf().
- A smart query service for live Postfix tables that outputs JSON?
+ For consistent naming (tlsproxy_client_mumble <> smtp_tls_mumble),
+ rename tlsproxy_client_level to tlsproxy_client_security_level,
+ and tlsproxy_client_policy to tlsproxy_client_policy_maps.
+ This requires backwards-compatible defaults and documentation
+ updates.
- proxy_read_maps needs a dedicated matcher that looks
- inside pipemap:{}. Maybe steal some code from postconf.
+ A smart query service for live Postfix tables that outputs JSON?
Add a pointer to
http://mmogilvi.users.sourceforge.net/software/oauthbearer.html
Replace ad-hoc code for pipe(8) flags handling, with
infrastructure that was built for smtp(8).
- Things to do before the stable release:
-
- Spell-check, double-word check, HTML validator check,
- mantools/missing-proxy-read-maps check.
-
- Disable -DSNAPSHOT and -DNONPROD in makedefs.
-
Move map descriptions from postconf(1) to DATABASE_README
and point there. The text in DATABASE_README is less complete
than that in postconf(1).
"The 's' option shows sender domain counts.\n".
"The 'p' option shows address counts by for parent domains.\n".
"Parent domains are shown with a leading '.' before the domain name.\n".
- "Parent domains are only shown if the the domain is not a TLD, and at\n".
+ "Parent domains are only shown if the domain is not a TLD, and at\n".
"least <min_subdomains> (default 5) subdomains are shown in the output.\n\n".
"The bucket age ranges in units of <bucket_time> minutes are\n".
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
+# expressions, or lookups can be directed to a TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# DEFER_IF_PERMIT optional text...
# Defer the request if some later restriction would
-# result in a an explicit or implicit PERMIT action.
+# result in an explicit or implicit PERMIT action.
# Reply with "$access_map_defer_code 4.7.1 optional
# text..." when the optional text is specified, oth-
# erwise reply with a generic error response message.
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
+# expressions, or lookups can be directed to a TCP-based
# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# masquerade_exceptions (empty)
# Optional list of user names that are not subjected
-# to address masquerading, even when their address
-# matches $masquerade_domains.
+# to address masquerading, even when their addresses
+# match $masquerade_domains.
#
# mydestination ($myhostname, localhost.$mydomain, local-
# host)
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
-# server. In those case, the lookups are done in a slightly
+# expressions, or lookups can be directed to a TCP-based
+# server. In those cases, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
-# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# ble(5). This feature is available in Postfix 2.5 and
+# later.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
-# smtp_generic_maps
-# Address mapping lookup table for envelope and
-# header sender and recipient addresses while deliv-
-# ering mail via SMTP.
+# smtp_generic_maps (empty)
+# Optional lookup tables that perform address rewrit-
+# ing in the Postfix SMTP client, typically to trans-
+# form a locally valid address into a globally valid
+# address when sending mail across the Internet.
#
-# propagate_unmatched_extensions
-# A list of address rewriting or forwarding mecha-
-# nisms that propagate an address extension from the
-# original address to the result. Specify zero or
-# more of canonical, virtual, alias, forward,
-# include, or generic.
+# propagate_unmatched_extensions (canonical, virtual)
+# What address lookup tables copy an address exten-
+# sion from the lookup key to the lookup result.
#
# Other parameters of interest:
#
-# inet_interfaces
-# The network interface addresses that this system
-# receives mail on. You need to stop and start Post-
-# fix when this parameter changes.
-#
-# proxy_interfaces
-# Other interfaces that this machine receives mail on
-# by way of a proxy agent or network address transla-
-# tor.
-#
-# mydestination
-# List of domains that this mail system considers
-# local.
-#
-# myorigin
-# The domain that is appended to locally-posted mail.
-#
-# owner_request_special
-# Give special treatment to owner-xxx and xxx-request
-# addresses.
+# inet_interfaces (all)
+# The network interface addresses that this mail sys-
+# tem receives mail on.
+#
+# proxy_interfaces (empty)
+# The network interface addresses that this mail sys-
+# tem receives mail on by way of a proxy or network
+# address translation unit.
+#
+# mydestination ($myhostname, localhost.$mydomain, local-
+# host)
+# The list of domains that are delivered via the
+# $local_transport mail delivery transport.
+#
+# myorigin ($myhostname)
+# The domain name that locally-posted mail appears to
+# come from, and that locally posted mail is deliv-
+# ered to.
+#
+# owner_request_special (yes)
+# Enable special treatment for owner-listname entries
+# in the aliases(5) file, and don't split owner-list-
+# name and listname-request address localparts when
+# the recipient_delimiter is set to "-".
#
# SEE ALSO
# postmap(1), Postfix lookup table manager
#
# The level below is what should be used with new (not upgrade) installs.
#
-compatibility_level = 3.6
+compatibility_level = 3.7
# SOFT BOUNCE
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
-# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
-# clients in the same IP subnetworks as the local machine.
-# On Linux, this works correctly only with interfaces specified
-# with the "ifconfig" command.
+# By default (mynetworks_style = host), Postfix "trusts" only
+# the local machine.
#
+# Specify "mynetworks_style = subnet" when Postfix should "trust"
+# SMTP clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" or "ip" command.
+#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
#mynetworks = hash:/etc/postfix/network_table
# The relay_domains parameter restricts what destinations this system will
-# relay mail to. See the smtpd_recipient_restrictions description in
-# postconf(5) for detailed information.
+# relay mail to. See the smtpd_relay_restrictions and
+# smtpd_recipient_restrictions descriptions in postconf(5) for detailed
+# information.
#
# By default, Postfix relays mail
-# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "trusted" clients (IP address matches $mynetworks, or is
+# SASL authenticated) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains or
# subdomains thereof, except addresses with sender-specified routing.
-# The default relay_domains value is $mydestination.
+# The default relay_domains value is empty.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction description in postconf(5).
#
-#relay_domains = $mydestination
+#relay_domains =
# INTERNET OR INTRANET
# should not be in the command search path of any users.
# .IP command_directory
# The directory for Postfix administrative commands. This
-# directory should be in the command search path of adminstrative users.
+# directory should be in the command search path of administrative users.
# .IP queue_directory
# The directory for Postfix queues.
# .IP data_directory
# daemon_directory - From primary instance
# meta_directory - From primary instance
# shlib_directory - From primary instance
-# config_directroy - config_directory of target instance
+# config_directory - config_directory of target instance
# queue_directory - queue_directory of target instance
# data_directory - data_directory of target instance
#
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
+# expressions, or lookups can be directed to a TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
# description of regular expression lookup table syntax, see
# regexp_table(5) or pcre_table(5). For a description of the
# TCP client/server table lookup protocol, see tcp_table(5).
-# This feature is not available up to and including Postfix
-# version 2.4.
+# This feature is available in Postfix 2.5 and later.
#
-# Each pattern is a regular expression that is applied to
+# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
-# addresses are not broken up into their user and @domain
+# addresses are not broken up into their user and @domain
# constituent parts, nor is user+foo broken up into user and
# foo.
#
-# Patterns are applied in the order as specified in the ta-
-# ble, until a pattern is found that matches the search
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
# string.
#
-# Results are the same as with indexed file lookups, with
-# the additional feature that parenthesized substrings from
+# Results are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
-# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# ble(5). This feature is available in Postfix 2.5 and
+# later.
#
# Each lookup operation uses the entire address once. Thus,
-# user@domain mail addresses are not broken up into their
+# user@domain mail addresses are not broken up into their
# user and @domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Results are the same as with indexed file lookups.
#
# BUGS
-# The table format does not understand quoting conventions.
+# The table format does not understand quoting conventions.
#
# CONFIGURATION PARAMETERS
-# The following main.cf parameters are especially relevant.
-# The text below provides only a parameter summary. See
+# The following main.cf parameters are especially relevant.
+# The text below provides only a parameter summary. See
# postconf(5) for more details including examples.
#
-# relocated_maps
-# List of lookup tables for relocated users or sites.
+# relocated_maps (empty)
+# Optional lookup tables with new contact information
+# for users or domains that no longer exist.
#
# Other parameters of interest:
#
-# inet_interfaces
-# The network interface addresses that this system
-# receives mail on. You need to stop and start Post-
-# fix when this parameter changes.
+# inet_interfaces (all)
+# The network interface addresses that this mail sys-
+# tem receives mail on.
#
-# mydestination
-# List of domains that this mail system considers
-# local.
+# mydestination ($myhostname, localhost.$mydomain, local-
+# host)
+# The list of domains that are delivered via the
+# $local_transport mail delivery transport.
#
-# myorigin
-# The domain that is appended to locally-posted mail.
+# myorigin ($myhostname)
+# The domain name that locally-posted mail appears to
+# come from, and that locally posted mail is deliv-
+# ered to.
#
-# proxy_interfaces
-# Other interfaces that this machine receives mail on
-# by way of a proxy agent or network address transla-
-# tor.
+# proxy_interfaces (empty)
+# The network interface addresses that this mail sys-
+# tem receives mail on by way of a proxy or network
+# address translation unit.
#
# SEE ALSO
# trivial-rewrite(8), address resolver
# postconf(5), configuration parameters
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# DATABASE_README, Postfix lookup table overview
# ADDRESS_REWRITING_README, address rewriting guide
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
+# expressions, or lookups can be directed to a TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
#
# Alternatively, the table can be provided as a regu-
# lar-expression map where patterns are given as regular
-# expressions, or lookups can be directed to TCP-based
+# expressions, or lookups can be directed to a TCP-based
# server. In those case, the lookups are done in a slightly
# different way as described below under "REGULAR EXPRESSION
# TABLES" or "TCP-BASED TABLES".
# tination, or when it is listed in $inet_interfaces
# or $proxy_interfaces.
#
-# This functionality overlaps with functionality of
-# the local aliases(5) database. The difference is
+# This functionality overlaps with the functionality
+# of the local aliases(5) database. The difference is
# that virtual(5) mapping can be applied to non-local
# addresses.
#
#
# The propagate_unmatched_extensions parameter controls
# whether an unmatched address extension (+foo) is propa-
-# gated to the result of table lookup.
+# gated to the result of a table lookup.
#
# VIRTUAL ALIAS DOMAINS
# Besides virtual aliases, the virtual alias table can also
# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
-# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# ble(5). This feature is available in Postfix 2.5 and
+# later.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# virtual_alias_maps ($virtual_maps)
# Optional lookup tables that alias specific mail
# addresses or domains to other local or remote
-# address.
+# addresses.
#
# virtual_alias_domains ($virtual_alias_maps)
-# Postfix is final destination for the specified list
-# of virtual alias domains, that is, domains for
+# Postfix is the final destination for the specified
+# list of virtual alias domains, that is, domains for
# which all addresses are aliased to addresses in
# other local or remote domains.
#
Rewrite "user@host" to "user@host.$<a href="postconf.5.html#mydomain">mydomain</a>" </dt>
<dd> <p> This feature is controlled by the boolean <a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>
-parameter (default: yes). The purpose is to get consistent treatment
-of different forms of the same hostname. </p>
+parameter (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes). The purpose
+is to get consistent treatment of different forms of the same hostname. </p>
<p> NOTE: Postfix versions 2.2 and later rewrite message headers
from remote SMTP clients only if the client matches the
messages with DSN turned on will trigger the REJECT action in the
previous section. </p>
-<p> If you have such clients then you can to exclude their Message-ID
+<p> If you have such clients then you can exclude their Message-ID
strings with the two "<tt>Message-ID:.* <!&!</tt>" patterns
that are shown in the previous section. Otherwise you will not be
able to use the two backscatter rules to stop forged Message ID
because there is a lot of variation in report formats. The following
is only a small example of message header patterns. For a large
collection of header and body patterns that recognize virus
-notification email, see <a href="http://www.dkuug.dk/keld/virus/">http://www.dkuug.dk/keld/virus/</a>
+notification email, see
+<a href="https://web.archive.org/web/20100317123907/http://std.dkuug.dk/keld/virus/">https://web.archive.org/web/20100317123907/http://std.dkuug.dk/keld/virus/</a>
or <a href="http://www.t29.dk/antiantivirus.txt">http://www.t29.dk/antiantivirus.txt</a>. </p>
<blockquote>
This is explained in the <a href="SASL_README.html">SASL_README</a> and <a href="TLS_README.html">TLS_README</a> documents. </p>
<p> IMPORTANT: If your machine is connected to a wide area network
-then the "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host" setting may be too friendly. </p>
+then the "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" setting may be too friendly. </p>
<p> Examples (specify only one of the following): </p>
<ul>
-<li> <p> Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host" when Postfix should
-forward mail from only the local machine. </p>
+<li> <p> Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = host" (the default when
+<a href="postconf.5.html#compatibility_level">compatibility_level</a> ≥ 2) when Postfix should forward mail from
+only the local machine. </p>
-<li> <p> Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" (the default) when
-Postfix should forward mail from SMTP clients in the same IP
-subnetworks as the local machine. On Linux, this works correctly
-only with interfaces specified with the "ifconfig" command. </p>
+<li> <p> Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" (the default when
+<a href="postconf.5.html#compatibility_level">compatibility_level</a> < 2) when Postfix should forward mail from
+SMTP clients in the same IP subnetworks as the local machine.
+On Linux, this works correctly only with interfaces specified
+with the "ifconfig" or "ip" command. </p>
<li> <p> Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = class" when Postfix should
forward mail from SMTP clients in the same IP class A/B/C networks
<p> In <a href="https://tools.ietf.org/html/rfc4468">RFC 4468</a>, the authors write that a client may pipeline
commands, and that after sending BURL LAST or BDAT LAST, a client
must wait for the server's response. But as this text does not
-appear in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, is it a useless restriction
+appear in <a href="https://tools.ietf.org/html/rfc3030">RFC 3030</a> which defines BDAT, it is a useless restriction
that Postfix will not enforce. </p>
</body>
Postfix versions do not support the <a href="postconf.5.html#receive_override_options">receive_override_options</a> feature.
</p>
-<p> If you are MX service provider and want to apply disable
-head/body checks for some domains, you can configure ONE Postfix
+<p> If you are an MX service provider and want to enable header/body
+checks only for some domains, you can configure ONE Postfix
instance with multiple SMTP server IP addresses in <a href="master.5.html">master.cf</a>. Each
address provides a different service. </p>
<p> The <a href="postconf.5.html#mynetworks_style">mynetworks_style</a> default value has changed from "subnet"
to "host". This parameter is used to implement the "<a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>"
-feature. The change could in unexpected 'access denied' errors after
+feature. The change could cause unexpected 'access denied' errors after
Postfix is updated from an older version. The backwards-compatibility
safety net is designed to prevent such surprises. </p>
<p> The connection cache can be searched by destination domain name
(the right-hand side of the recipient address) and by the IP address
of the host at the other end of the connection. This allows Postfix
-to reuse a connection even when the remote host is mail server for
+to reuse a connection even when the remote host is a mail server for
domains with different names. </p>
<h2><a name="configuration">Connection cache configuration </a></h2>
here: the lookup result is not used. Examples
are the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> that determine what local recipients
Postfix accepts in mail from the network, the <a href="postconf.5.html#mydestination">mydestination</a> parameter
-that specifies what domains Postfix delivers locally, or the
+that specifies what domains Postfix delivers locally for, or the
<a href="postconf.5.html#mynetworks">mynetworks</a> parameter that specifies the IP addresses of trusted
clients or client networks. Technically, these are lists, not
tables. Despite the difference, Postfix lists are described here
<dt> <b>internal</b> </dt>
-<dd> A non-shared, in-memory hash table. Its content are lost when
+<dd> A non-shared, in-memory hash table. Its contents are lost when
a process terminates. </dd>
<dt> <b>lmdb</b> </dt>
</ul>
<li> <p> Better, provide output from the <b>postfinger</b> tool.
-This can be found at <a href="http://ftp.wl0.org/SOURCES/postfinger">http://ftp.wl0.org/SOURCES/postfinger</a>. </p>
+This can be found at <a href="https://github.com/ford--prefect/postfinger">https://github.com/ford--prefect/postfinger</a>. </p>
<li> <p> If the problem is SASL related, consider including the
output from the <b>saslfinger</b> tool. This can be found at
-<a href="http://postfix.state-of-mind.de/patrick.koetter/saslfinger/">http://postfix.state-of-mind.de/patrick.koetter/saslfinger/</a>. </p>
+<a href="https://packages.debian.org/search?keywords=sasl2-bin">https://packages.debian.org/search?keywords=sasl2-bin</a>. </p>
<li> <p> If the problem is about too much mail in the queue, consider
including output from the <b>qshape</b> tool, as described in the
<h3> EDH Server support </h3>
-<p> Postfix ≥ 2.2 support 1024-bit-prime EDH out of the box,
+<p> Postfix ≥ 2.2 supports 1024-bit-prime EDH out of the box,
with no additional configuration, but you may want to override the
default prime to be 2048 bits long, and you may want to regenerate
your primes periodically. See the <a href="#quick-start">quick-start</a>
<h3> EECDH Server support </h3>
-<p> Postfix ≥ 2.6 support NIST P-256 EECDH when built with OpenSSL
+<p> Postfix ≥ 2.6 supports NIST P-256 EECDH when built with OpenSSL
≥ 1.0.0. When the remote SMTP client also supports EECDH and
implements the P-256 curve, forward secrecy just works. </p>
mechanism is invented that also supports forward secrecy. </p>
<p> The actual key length and raw algorithm key length
-are generally the same with non-export ciphers, but may they
+are generally the same with non-export ciphers, but they may
differ for the legacy export ciphers where the actual key
is artificially shortened. </p>
</pre>
</blockquote>
-<p> As with the command "make makefiles, the command "make
+<p> As with the command "make makefiles", the command "make
install/upgrade name=value..." will replace the string MAIL_VERSION
at the end of a configuration parameter value with the Postfix
release version. Do not try to specify something like $<a href="postconf.5.html#mail_version">mail_version</a>
one or more non-default object libraries. Postfix 3.0 and later
specify some of their database library dependencies with <a href="CDB_README.html">AUXLIBS_CDB</a>,
<a href="LDAP_README.html">AUXLIBS_LDAP</a>, <a href="LMDB_README.html">AUXLIBS_LMDB</a>, <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>, <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>,
-
<a href="SDBM_README.html">AUXLIBS_SDBM</a>, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>, respectively. </td> </tr>
+
AUXLIBS_SDBM, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>, respectively. </td> </tr>
<tr> <td colspan="2"> CC=compiler_command</td> <td> Specifies a
non-default compiler. On many systems, the default is <tt>gcc</tt>.
<p> Follow the instructions in the "<a href="#mandatory">Mandatory
configuration file edits</a>" in section 10, and review the "<a
-name="#hamlet">To chroot or not to chroot</a>" text in section
+href="#hamlet">To chroot or not to chroot</a>" text in section
11. </p>
<p> Start the Postfix system: </p>
<pre>
# newaliases
# sendmail -bi
+# postalias /etc/aliases (pathname is system dependent!)
</pre>
</blockquote>
</blockquote>
<p> If you did specify the <a href="postconf.5.html#mynetworks">mynetworks</a> parameter value in
-<a href="postconf.5.html">main.cf</a>, you need update the <a href="postconf.5.html#mynetworks">mynetworks</a> value to include
+<a href="postconf.5.html">main.cf</a>, you need
to update the <a href="postconf.5.html#mynetworks">mynetworks</a> value to include
the IPv6 networks the system is in. Be sure to specify IPv6 address
information inside "<tt>[]</tt>", like this: </p>
</pre>
</blockquote>
-<li> <p> And for that matter, even for aliases, you may not want users able to
+<li> <p> And for that matter, even for aliases, you may not want users to be able to
specify their maildrops as programs, includes, etc. This might be
particularly pertinent on a "sealed" server where they don't have
local UNIX accounts, but exist only in LDAP and Cyrus. You might allow
<h2> Host lookup issues </h2>
<p> By default Linux /etc/hosts lookups do not support multiple IP
-address per hostname. This causes warnings from the Postfix SMTP
+addresses per hostname. This causes warnings from the Postfix SMTP
server that "hostname XXX does not resolve to address YYY", and is
especially a problem with hosts that have both IPv4 and IPv6
-addresses. To fix, turn on support for multiple IP addresses: </p>
+addresses. To fix this, turn on support for multiple IP addresses: </p>
<blockquote>
<pre>
<p> On RedHat Linux 7.1 and later <b>procmail</b> no longer has
permission
-to write the mail spool directory. Workaround: </p>
+to write to the mail spool directory. Workaround: </p>
<blockquote>
<pre>
<ul>
-<li> <p> This command will not rotate a logfile with pathname under
+<li> <p> This command will not rotate a logfile with a pathname under
the /dev directory, such as /dev/stdout. </p>
<li> <p> This command does not (yet) remove old logfiles. </p>
in the background, as well as non-daemon programs for local mail
submission or Postfix management.
-<li> <p> Logging to Postfix logfile or stdout requires the Postfix
+<li> <p> Logging to the Postfix logfile or stdout requires the Postfix
<a href="postlogd.8.html">postlogd(8)</a> service. This ensures that simultaneous logging from
different programs will not get mixed up. </p>
<dt> <b>unix:</b><i>pathname</i> </dt> <dd><p>Connect to the local
UNIX-domain server that is bound to the specified pathname. If the
<a href="smtpd.8.html">smtpd(8)</a> or <a href="cleanup.8.html">cleanup(8)</a> process runs chrooted, an absolute pathname
-is interpreted relative to the Postfix queue directory.</p> </dd>
+is interpreted relative to the Postfix queue directory. On many
+systems, <b>local</b> is a synonym for <b>unix</b></p> </dd>
<dt> <b> inet:</b><i>host</i><b>:</b><i>port</i> </dt> <dd> <p>
Connect to the specified TCP port on the specified local or remote
you may specify macro default values with the <a href="postconf.5.html#milter_macro_defaults">milter_macro_defaults</a>
parameter. Specify zero or more <i>name=value</i> pairs separated by
comma or whitespace; you may even specify macro names that Postfix does
-know about! </p>
+not know about! </p>
<h2><a name="workarounds">Workarounds</a></h2>
</pre>
</blockquote>
-<p> The test message should be delivered the members of the "mtaadmin"
+<p> The test message should be delivered to the members of the "mtaadmin"
address group (or whatever address group you choose) with the
following headers: </p>
<a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> =
<a href="postconf.5.html#smtpd_recipient_restrictions">smtpd_recipient_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, reject
- # Tolerate occasional high latency in the content filter.
+ # Tolerate occasional high latency in the content filter.
#
<a href="postconf.5.html#smtpd_timeout">smtpd_timeout</a> = 1200s
<li><p> The <a href="postconf.5.html">main.cf</a>, <a href="master.5.html">master.cf</a> (and other optional) configuration
files in $<a href="postconf.5.html#config_directory">config_directory</a>. </p>
-<li> <p> The <a href="QSHAPE_README.html#maildrop_queue">maildrop</a>,
incoming, active, deferred and <a href="QSHAPE_README.html#hold_queue">hold queues</a>
+<li> <p> The <a href="QSHAPE_README.html#maildrop_queue">maildrop</a>,
<a href="QSHAPE_README.html#incoming_queue">incoming</a>, active, deferred and <a href="QSHAPE_README.html#hold_queue">hold queues</a>
in $<a href="postconf.5.html#queue_directory">queue_directory</a> (which contains additional directories needed
by Postfix, and which optionally doubles as a chroot jail for Postfix
daemon processes). </p>
which can be obtained from: </p>
<blockquote>
- <p> <a href="http://www.mysql.com/downloads/">http://www.mysql.com/downloads/</a> <br>
- <a href="http://sourceforge.net/projects/mysql/">http://sourceforge.net/projects/mysql/</a> </p>
+ <p> <a href="http://www.mysql.com/downloads/">http://www.mysql.com/downloads/</a> </p>
</blockquote>
<p> In order to build Postfix with mysql map support, you will need to add
<li> Liviu Daia with further refinements from Jose Luis Tallon and
Victor Duchovni developed the common query, result_format, domain and
-expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
+expansion_limit interface for LDAP, MySQL and PostgreSQL.</li>
</ul>
that appear on the <i>permanent</i> access list. </p>
<p> By default the temporary allowlist is not shared with other
-postscreen(8) daemons. See <a href="#temp_white_sharing"> Sharing
+<a href="postscreen.8.html">postscreen(8)</a> daemons. See
+<a href="#temp_white_sharing"> Sharing
the temporary allowlist </a> below for alternatives. </p>
<p> When the SMTP client address appears on the temporary
<ul>
<li> <p> First, configure the host to listen on both primary and
-backup MX addresses. Use the appropriate <tt>ifconfig</tt> command
-for the local operating system, or update the appropriate configuration
-files and "refresh" the network protocol stack. </p>
+backup MX addresses. Use the appropriate <tt>ifconfig</tt> or <tt>ip</tt>
+command for the local operating system, or update the appropriate
+configuration files and "refresh" the network protocol stack. </p>
<p> <p> Second, configure Postfix to listen on the new IP address
(this step is needed when you have specified <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in
<a href="postscreen.8.html">postscreen(8)</a> can run a number of tests in parallel. </p>
<p> When a good client passes these tests, and no "<a
-href="#after_220">deep protocol tests</a>" are configured, postscreen(8)
+href="#after_220">deep protocol tests</a>"
+are configured, <a href="postscreen.8.html">postscreen(8)</a>
adds the client to the temporary allowlist and hands off the "live"
connection to a Postfix SMTP server process. The client can then
continue as if <a href="postscreen.8.html">postscreen(8)</a> never even existed (except of course
receiver send one command and one response at a time. Unlike the
Postfix SMTP server, <a href="postscreen.8.html">postscreen(8)</a> does not announce support
for ESMTP command pipelining. Therefore, clients are not allowed
-to send multiple commands. postscreen(8)'s <a href="#after_220">deep
+to send multiple commands. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a> detects
of this is the usage of commands such as CONNECT and other non-SMTP
commands. Just like the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>
feature, <a href="postscreen.8.html">postscreen(8)</a> has an equivalent <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
-feature to block these clients. postscreen(8)'s <a href="#after_220">deep
+feature to block these clients. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a>
<p> SMTP is a line-oriented protocol: lines have a limited length,
and are terminated with <CR><LF>. Lines ending in a
"bare" <LF>, that is newline not preceded by carriage return,
-are not allowed in SMTP. postscreen(8)'s <a href="#after_220">deep
+are not allowed in SMTP. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a>
<li> <p> Some <a href="postscreen.8.html">postscreen(8)</a> configuration parameters implement
stress-dependent behavior. This is supported only when the default
value is stress-dependent (that is, "postconf -d <i>parametername</i>"
-output shows "<i>parametername</i> =
-${stress?<i>something</i>}${stress:<i>something</i>}").
+output shows
+"<i>parametername</i> = ${stress?<i>something</i>}${stress:<i>something</i>}" or
+"<i>parametername</i> = ${stress?{<i>something</i>}:{<i>something</i>}}").
Other parameters always evaluate as if the stress value is the empty
string. </p>
<li> <p> See "<a href="#before_220">Tests before the 220 SMTP server
-greeting</a>" for details about the logging from these postscreen(8)
-tests. </p>
+greeting</a>" for details about the logging from these
+<a href="postscreen.8.html">postscreen(8)</a> tests. </p>
<li> <p> If you run Postfix 2.6 or earlier you must stop and start
the master daemon ("<tt>postfix stop; postfix start</tt>"). This
tests. </p>
<p> When a good client passes the "<a href="#after_220">deep
-protocol tests</a>", postscreen(8) adds the client to the temporary
+protocol tests</a>",
+<a href="postscreen.8.html">postscreen(8)</a> adds the client to the temporary
allowlist but it cannot hand off the "live" connection to a Postfix
SMTP server process in the middle of the session. Instead, <a href="postscreen.8.html">postscreen(8)</a>
defers mail delivery attempts with a 4XX status, logs the
that appear on the <i>permanent</i> access list. </p>
<p> By default the temporary allowlist is not shared with other
-postscreen(8) daemons. See <a href="#temp_allow_sharing"> Sharing
+<a href="postscreen.8.html">postscreen(8)</a> daemons. See
+<a href="#temp_allow_sharing"> Sharing
the temporary allowlist </a> below for alternatives. </p>
<p> When the SMTP client address appears on the temporary
<ul>
<li> <p> First, configure the host to listen on both primary and
-backup MX addresses. Use the appropriate <tt>ifconfig</tt> command
-for the local operating system, or update the appropriate configuration
-files and "refresh" the network protocol stack. </p>
+backup MX addresses. Use the appropriate <tt>ifconfig</tt> or <tt>ip</tt>
+command for the local operating system, or update the appropriate
+configuration files and "refresh" the network protocol stack. </p>
<p> <p> Second, configure Postfix to listen on the new IP address
(this step is needed when you have specified <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> in
<a href="postscreen.8.html">postscreen(8)</a> can run a number of tests in parallel. </p>
<p> When a good client passes these tests, and no "<a
-href="#after_220">deep protocol tests</a>" are configured, postscreen(8)
+href="#after_220">deep protocol tests</a>"
+are configured, <a href="postscreen.8.html">postscreen(8)</a>
adds the client to the temporary allowlist and hands off the "live"
connection to a Postfix SMTP server process. The client can then
continue as if <a href="postscreen.8.html">postscreen(8)</a> never even existed (except of course
receiver send one command and one response at a time. Unlike the
Postfix SMTP server, <a href="postscreen.8.html">postscreen(8)</a> does not announce support
for ESMTP command pipelining. Therefore, clients are not allowed
-to send multiple commands. postscreen(8)'s <a href="#after_220">deep
+to send multiple commands. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_pipelining_enable">postscreen_pipelining_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a> detects
of this is the usage of commands such as CONNECT and other non-SMTP
commands. Just like the Postfix SMTP server's <a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a>
feature, <a href="postscreen.8.html">postscreen(8)</a> has an equivalent <a href="postconf.5.html#postscreen_forbidden_commands">postscreen_forbidden_commands</a>
-feature to block these clients. postscreen(8)'s <a href="#after_220">deep
+feature to block these clients. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_non_smtp_command_enable">postscreen_non_smtp_command_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a>
<p> SMTP is a line-oriented protocol: lines have a limited length,
and are terminated with <CR><LF>. Lines ending in a
"bare" <LF>, that is newline not preceded by carriage return,
-are not allowed in SMTP. postscreen(8)'s <a href="#after_220">deep
+are not allowed in SMTP. <a href="postscreen.8.html">postscreen(8)</a>'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "<a href="postconf.5.html#postscreen_bare_newline_enable">postscreen_bare_newline_enable</a> = yes", <a href="postscreen.8.html">postscreen(8)</a>
<li> <p> Some <a href="postscreen.8.html">postscreen(8)</a> configuration parameters implement
stress-dependent behavior. This is supported only when the default
value is stress-dependent (that is, "postconf -d <i>parametername</i>"
-output shows "<i>parametername</i> =
-${stress?<i>something</i>}${stress:<i>something</i>}").
+output shows
+"<i>parametername</i> = ${stress?<i>something</i>}${stress:<i>something</i>}" or
+"<i>parametername</i> = ${stress?{<i>something</i>}:{<i>something</i>}}").
Other parameters always evaluate as if the stress value is the empty
string. </p>
<li> <p> See "<a href="#before_220">Tests before the 220 SMTP server
-greeting</a>" for details about the logging from these postscreen(8)
-tests. </p>
+greeting</a>" for details about the logging from these
+<a href="postscreen.8.html">postscreen(8)</a> tests. </p>
<li> <p> If you run Postfix 2.6 or earlier you must stop and start
the master daemon ("<tt>postfix stop; postfix start</tt>"). This
tests. </p>
<p> When a good client passes the "<a href="#after_220">deep
-protocol tests</a>", postscreen(8) adds the client to the temporary
+protocol tests</a>",
+<a href="postscreen.8.html">postscreen(8)</a> adds the client to the temporary
allowlist but it cannot hand off the "live" connection to a Postfix
SMTP server process in the middle of the session. Instead, <a href="postscreen.8.html">postscreen(8)</a>
defers mail delivery attempts with a 4XX status, logs the
<p> When the output is a terminal intermediate results showing the top 20
domains (-n option) are displayed after every 1000 messages (-N option)
and the final output also shows only the top 20 domains. This makes
-qshape useful even when the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is very large and it may
-otherwise take prohibitively long to read the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. </p>
+qshape useful even when the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> is very large and it may
+otherwise take prohibitively long to read the entire "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. </p>
<p> By default, qshape shows statistics for the union of both the
-<a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a> which are the most relevant queues to
+"<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queues</a> which are the most relevant queues to
look at when analyzing performance. </p>
<p> One can request an alternate list of queues: </p>
</pre>
</blockquote>
-<p> this will show the age distribution of the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> or
-the union of the incoming active and <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>. </p>
+<p> this will show the age distribution of the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> or
+the union of the "<a href="QSHAPE_README.html#incoming_queue">incoming"</a>, "<a href="QSHAPE_README.html#active_queue">active"</a> and "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a>. </p>
<p> Command line options control the number of display "buckets",
the age limit for the smallest bucket, display of parent domain
a burst of mail started, and when it stopped. </p>
<p> The problem destinations or sender domains appear near the top
-left corner of the output table. Remember that the <a href="QSHAPE_README.html#active_queue">active queue</a>
+left corner of the output table. Remember that the "<a href="QSHAPE_README.html#active_queue">active" queue</a>
can accommodate up to 20000 ($<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a>) messages.
To check whether this limit has been reached, use: </p>
</pre>
</blockquote>
-<p> If the total sender count is below 20000 the <a href="QSHAPE_README.html#active_queue">active queue</a> is
+<p> If the total sender count is below 20000 the "<a href="QSHAPE_README.html#active_queue">active" queue</a> is
not yet saturated, any high volume sender domains show near the
top of the output.
-<p> With <a href="qmgr.8.html">oqmgr(8)</a> the <a href="QSHAPE_README.html#active_queue">active queue</a> is also limited to at most 20000
+<p> With <a href="qmgr.8.html">oqmgr(8)</a> the "<a href="QSHAPE_README.html#active_queue">active" queue</a> is also limited to at most 20000
recipient addresses ($<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>). To check for
exhaustion of this limit use: </p>
<h2><a name="healthy">Example 1: Healthy queue</a></h2>
-<p> When looking at just the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>, under
-normal conditions (no congestion) the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>
+<p> When looking at just the "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queues</a>, under
+normal conditions (no congestion) the "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queues</a>
are nearly empty. Mail leaves the system almost as quickly as it
-comes in or is deferred without congestion in the <a href="QSHAPE_README.html#active_queue">active queue</a>.
+comes in or is deferred without congestion in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>.
</p>
<blockquote>
<pre>
-$ qshape <i>(show <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queue</a> status)</i>
+$ qshape <i>(show "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queue</a> status)</i>
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 5 0 0 0 1 0 0 0 1 1 2
</pre>
</blockquote>
-<p> If one looks at the two queues separately, the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a>
+<p> If one looks at the two queues separately, the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>
is empty or perhaps briefly has one or two messages, while the
-<a href="QSHAPE_README.html#active_queue">active queue</a> holds more messages and for a somewhat longer time:
+"<a href="QSHAPE_README.html#active_queue">active" queue</a> holds more messages and for a somewhat longer time:
</p>
<blockquote>
available for some of the <a href="VIRTUAL_README.html#canonical">hosted domains</a>. Dictionary attacks on
the unvalidated domains result in bounce backscatter. The bounces
dominate the queue, but with proper tuning they do not saturate the
-<a href="QSHAPE_README.html#incoming_queue">incoming</a> or <a href="QSHAPE_README.html#active_queue">active queues</a>. The high volume of deferred mail is not
+"<a href="QSHAPE_README.html#incoming_queue">incoming"</a> or "<a href="QSHAPE_README.html#active_queue">active" queues</a>. The high volume of deferred mail is not
a direct cause for alarm. </p>
<blockquote>
is the tail end of the time distribution, showing that short term
arrival rates are moderate. Larger numbers and lower message ages
are more indicative of current trouble. Old mail still going nowhere
-is largely harmless so long as the active and <a href="QSHAPE_README.html#incoming_queue">incoming queues</a> are
+is largely harmless so long as the "<a href="QSHAPE_README.html#active_queue">active"</a> and "<a href="QSHAPE_README.html#incoming_queue">incoming" queues</a> are
short. We can also see that the groups.msn.com undeliverables are
low rate steady stream rather than a concentrated dictionary attack
that is now over. </p>
queue</a></h2>
<p> This example is taken from a Feb 2004 discussion on the Postfix
-Users list. Congestion was reported with the active and incoming
-queues large and not shrinking despite very large delivery agent
+Users list. Congestion was reported with the
+"<a href="QSHAPE_README.html#active_queue">active"</a> and "<a href="QSHAPE_README.html#incoming_queue">incoming" queues</a>
+large and not shrinking despite very large delivery agent
process limits. The thread is archived at:
<a href="http://groups.google.com/groups?threadm=c0b7js$2r65$1@FreeBSD.csie.NCTU.edu.tw">http://groups.google.com/groups?threadm=c0b7js$2r65$1@FreeBSD.csie.NCTU.edu.tw</a>
and
<blockquote>
<pre>
-$ qshape <i>(show <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queue</a> status)</i>
+$ qshape <i>(show "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queue</a> status)</i>
T A 5 10 20 40 80 160 320 320+
TOTAL 11775 9996 0 0 1 1 42 94 221 1420
</pre>
</blockquote>
-<p> The "A" column showed the count of messages in the <a href="QSHAPE_README.html#active_queue">active queue</a>,
-and the numbered columns showed totals for the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. At
-10000 messages (Postfix 1.x <a href="QSHAPE_README.html#active_queue">active queue</a> size limit) the active
-queue is full. The incoming was growing rapidly. </p>
+<p> The "A" column showed the count of messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>,
+and the numbered columns showed totals for the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. At
+10000 messages (Postfix 1.x "<a href="QSHAPE_README.html#active_queue">active" queue</a> size limit) the "<a href="QSHAPE_README.html#active_queue">active" queue</a>
+is full. The "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> was growing rapidly. </p>
<p> With the trouble destinations clearly identified, the administrator
quickly found and fixed the problem. It is substantially harder to
<h2><a name="backlog">Example 4: High volume destination backlog</a></h2>
<p> When a site you send a lot of email to is down or slow, mail
-messages will rapidly build up in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>, or worse, in
-the <a href="QSHAPE_README.html#active_queue">active queue</a>. The qshape output will show large numbers for
+messages will rapidly build up in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>, or worse, in
+the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. The qshape output will show large numbers for
the destination domain in all age buckets that overlap the starting
time of the problem: </p>
</blockquote>
<p> Here the "highvolume.com" destination is continuing to accumulate
-deferred mail. The <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a> are fine, but the
-<a href="QSHAPE_README.html#deferred_queue">deferred queue</a> started growing some time between 1 and 2 hours ago
+deferred mail. The "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#active_queue">active" queues</a> are fine, but the
+"<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> started growing some time between 1 and 2 hours ago
and continues to grow. </p>
<p> If the high volume destination is not down, but is instead
-slow, one might see similar congestion in the <a href="QSHAPE_README.html#active_queue">active queue</a>. Active
-queue congestion is a greater cause for alarm; one might need to
+slow, one might see similar congestion in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>.
+"<a href="QSHAPE_README.html#active_queue">Active" queue</a> congestion is a greater cause for alarm; one might need to
take measures to ensure that the mail is deferred instead or even
add an <a href="access.5.html">access(5)</a> rule asking the sender to try again later. </p>
service due to excessive <a href="postconf.5.html#body_checks">body_checks</a>, or (Postfix ≥ 2.3) high latency
milters. </p>
-<p> Note, that once the <a href="QSHAPE_README.html#active_queue">active queue</a> is full, the cleanup service
+<p> Note, that once the "<a href="QSHAPE_README.html#active_queue">active" queue</a> is full, the cleanup service
will attempt to slow down message injection by pausing $<a href="postconf.5.html#in_flow_delay">in_flow_delay</a>
for each message. In this case "<a href="QSHAPE_README.html#maildrop_queue">maildrop" queue</a> congestion may be
a consequence of congestion downstream, rather than a problem in
<p> The administrator can define "smtpd" <a href="access.5.html">access(5)</a> policies, or
<a href="cleanup.8.html">cleanup(8)</a> header/body checks that cause messages to be automatically
diverted from normal processing and placed indefinitely in the
-"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Messages placed in the "hold" queue stay there until
+"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Messages placed in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> stay there until
the administrator intervenes. No periodic delivery attempts are
made for messages in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. The <a href="postsuper.1.html">postsuper(1)</a> command
can be used to manually release messages into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>.
<p> Messages can potentially stay in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> longer than
$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a>. If such "old" messages need to be released from
-the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically be moved into the "maildrop"
-queue using "postsuper -r", so that the message gets a new timestamp and
+the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically be moved into the "<a href="QSHAPE_README.html#maildrop_queue">maildrop" queue</a>
+using "postsuper -r", so that the message gets a new timestamp and
is given more than one opportunity to be delivered. Messages that are
"young" can be moved directly into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> using
"postsuper -H". </p>
ignores incomplete queue files whose mode is 0600, as these are
still being written by cleanup. </p>
-<p> The queue manager scans the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> bringing any new
-mail into the "<a href="QSHAPE_README.html#active_queue">active" queue</a> if the active queue resource limits
-have not been exceeded. By default, the <a href="QSHAPE_README.html#active_queue">active queue</a> accommodates
-at most 20000 messages. Once the <a href="QSHAPE_README.html#active_queue">active queue</a> message limit is
-reached, the queue manager stops scanning the incoming (and deferred,
-see below) queue. </p>
+<p> The queue manager scans the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> bringing any new
+mail into the "<a href="QSHAPE_README.html#active_queue">active" queue</a> if the "<a href="QSHAPE_README.html#active_queue">active" queue</a> resource limits
+have not been exceeded. By default, the "<a href="QSHAPE_README.html#active_queue">active" queue</a> accommodates
+at most 20000 messages. Once the "<a href="QSHAPE_README.html#active_queue">active" queue</a> message limit is
+reached, the queue manager stops scanning the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>
+(and the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>, see below). </p>
-<p> Under normal conditions the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> is nearly empty (has
+<p> Under normal conditions the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> is nearly empty (has
only mode 0600 files), with the queue manager able to import new
-messages into the <a href="QSHAPE_README.html#active_queue">active queue</a> as soon as they become available.
+messages into the "<a href="QSHAPE_README.html#active_queue">active" queue</a> as soon as they become available.
</p>
-<p> The <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> grows when the message input rate spikes
+<p> The "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> grows when the message input rate spikes
above the rate at which the queue manager can import messages into
-the <a href="QSHAPE_README.html#active_queue">active queue</a>. The main factors slowing down the queue manager
+the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. The main factors slowing down the queue manager
are disk I/O and lookup queries to the trivial-rewrite service. If the queue
manager is routinely not keeping up, consider not using "slow"
lookup services (MySQL, LDAP, ...) for transport lookups or speeding
excessive input rate from many sources at the same time. </p>
<p> If a server is being hammered from multiple directions, consider
-raising the <a href="postconf.5.html#in_flow_delay">in_flow_delay</a> to 10 seconds, but only if the incoming
-queue is growing even while the <a href="QSHAPE_README.html#active_queue">active queue</a> is not full and the
+raising the <a href="postconf.5.html#in_flow_delay">in_flow_delay</a> to 10 seconds, but only if the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>
+is growing even while the "<a href="QSHAPE_README.html#active_queue">active" queue</a> is not full and the
trivial-rewrite service is using a fast transport lookup mechanism.
</p>
ensure fast and fair delivery of mail to all destinations within
designated resource limits. </p>
-<p> The <a href="QSHAPE_README.html#active_queue">active queue</a> is somewhat analogous to an operating system's
-process run queue. Messages in the <a href="QSHAPE_README.html#active_queue">active queue</a> are ready to be
+<p> The "<a href="QSHAPE_README.html#active_queue">active" queue</a> is somewhat analogous to an operating system's
+process run queue. Messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a> are ready to be
sent (runnable), but are not necessarily in the process of being
sent (running). </p>
as a directory on disk, the real "<a href="QSHAPE_README.html#active_queue">active" queue</a> is a set of data
structures in the memory of the queue manager process. </p>
-<p> Messages in the "<a href="QSHAPE_README.html#maildrop_queue">maildrop"</a>, "<a href="QSHAPE_README.html#hold_queue">hold"</a>, "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "deferred"
-queues (see below) do not occupy memory; they are safely stored on
+<p> Messages in the "<a href="QSHAPE_README.html#maildrop_queue">maildrop"</a>, "<a href="QSHAPE_README.html#hold_queue">hold"</a>, "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a>
+(see below) do not occupy memory; they are safely stored on
disk waiting for their turn to be processed. The envelope information
for messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a> is managed in memory, allowing
the queue manager to do global scheduling, allocating available
-delivery agent processes to an appropriate message in the active
-queue. </p>
+delivery agent processes to an appropriate message in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. </p>
-<p> Within the <a href="QSHAPE_README.html#active_queue">active queue</a>, (multi-recipient) messages are broken
+<p> Within the "<a href="QSHAPE_README.html#active_queue">active" queue</a>, (multi-recipient) messages are broken
up into groups of recipients that share the same transport/nexthop
combination; the group size is capped by the transport's recipient
concurrency limit. </p>
performing final delivery to mailboxes rather than when relaying
to a remote server. </p>
-<p> Congestion occurs in the <a href="QSHAPE_README.html#active_queue">active queue</a> when one or more destinations
+<p> Congestion occurs in the "<a href="QSHAPE_README.html#active_queue">active" queue</a> when one or more destinations
drain slower than the corresponding message input rate. </p>
-<p> Input into the <a href="QSHAPE_README.html#active_queue">active queue</a> comes both from new mail in the "incoming"
-queue, and retries of mail in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. Should the "deferred"
-queue get really large, retries of old mail can dominate the arrival
+<p> Input into the "<a href="QSHAPE_README.html#active_queue">active" queue</a> comes both from new mail in the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>,
+and retries of mail in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. Should the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
+get really large, retries of old mail can dominate the arrival
rate of new mail. Systems with more CPU, faster disks and more network
-bandwidth can deal with larger <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, but as a rule of thumb
-the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scales to somewhere between 100,000 and 1,000,000
+bandwidth can deal with larger "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a>, but as a rule of thumb
+the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> scales to somewhere between 100,000 and 1,000,000
messages with good performance unlikely above that "limit". Systems with
queues this large should typically stop accepting new mail, or put the
backlog "on hold" until the underlying issue is fixed (provided that
<p> When a destination is down for some time, the queue manager will
mark it dead, and immediately defer all mail for the destination without
trying to assign it to a delivery agent. In this case the messages
-will quickly leave the <a href="QSHAPE_README.html#active_queue">active queue</a> and end up in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
+will quickly leave the "<a href="QSHAPE_README.html#active_queue">active" queue</a> and end up in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
(with Postfix < 2.4, this is done directly by the queue manager,
with Postfix ≥ 2.4 this is done via the "retry" delivery agent). </p>
<p> When the destination is instead simply slow, or there is a problem
-causing an excessive arrival rate the <a href="QSHAPE_README.html#active_queue">active queue</a> will grow and will
+causing an excessive arrival rate the "<a href="QSHAPE_README.html#active_queue">active" queue</a> will grow and will
become dominated by mail to the congested destination. </p>
<p> The only way to reduce congestion is to either reduce the input
<p> The best way to avoid bottlenecks when one or more MX hosts is
non-responsive is to use connection caching. Connection caching was
introduced with Postfix 2.2 and is by default enabled on demand for
-destinations with a backlog of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. When connection
+destinations with a backlog of mail in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. When connection
caching is in effect for a particular destination, established connections
are re-used to send additional messages, this reduces the number of
connections made per message delivery and maintains good throughput even
and allows separate tuning of timeouts and concurrency limits. </p>
<p> Another common cause of congestion is unwarranted flushing of the
-entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. The deferred queue holds messages that are likely
+entire "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. The "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> holds messages that are likely
to fail to be delivered and are also likely to be slow to fail delivery
-(time out). As a result the most common reaction to a large <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
+(time out). As a result the most common reaction to a large "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
(flush it!) is more than likely counter-productive, and typically makes
-the congestion worse. Do not flush the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> unless you expect
+the congestion worse. Do not flush the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> unless you expect
that most of its content has recently become deliverable (e.g. <a href="postconf.5.html#relayhost">relayhost</a>
back up after an outage)! </p>
<p> Note that whenever the queue manager is restarted, there may
-already be messages in the <a href="QSHAPE_README.html#active_queue">active queue</a> directory, but the "real"
-<a href="QSHAPE_README.html#active_queue">active queue</a> in memory is empty. In order to recover the in-memory
-state, the queue manager moves all the <a href="QSHAPE_README.html#active_queue">active queue</a> messages
-back into the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a>, and then uses its normal incoming
-queue scan to refill the <a href="QSHAPE_README.html#active_queue">active queue</a>. The process of moving all
+already be messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a> directory, but the "real"
+"<a href="QSHAPE_README.html#active_queue">active" queue</a> in memory is empty. In order to recover the in-memory
+state, the queue manager moves all the "<a href="QSHAPE_README.html#active_queue">active" queue</a> messages
+back into the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>, and then uses its normal "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>
+scan to refill the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. The process of moving all
the messages back and forth, redoing transport table (<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>
resolve service) lookups, and re-importing the messages back into
memory is expensive. At all costs, avoid frequent restarts of the
<p> When all the deliverable recipients for a message are delivered,
and for some recipients delivery failed for a transient reason (it
-might succeed later), the message is placed in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>.
+might succeed later), the message is placed in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>.
</p>
-<p> The queue manager scans the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> periodically. The scan
-interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter. While a deferred
-queue scan is in progress, if an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> scan is also in progress
-(ideally these are brief since the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> should be short), the
-queue manager alternates between looking for messages in the "incoming"
-
queue and in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. This "round-robin" strategy prevents
-starvation of either the <a href="QSHAPE_README.html#incoming_queue">incoming</a> or the <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>. </p>
-
-<p> Each <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scan only brings a fraction of the deferred
-queue back into the <a href="QSHAPE_README.html#active_queue">active queue</a> for a retry. This is because each
-message in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is assigned a "cool-off" time when
+<p> The queue manager scans the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> periodically. The scan
+interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter. While a "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
+scan is in progress, if an "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> scan is also in progress
+(ideally these are brief since the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a> should be short), the
+queue manager alternates between looking for messages in the "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>
+and in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. This "round-robin" strategy prevents
+starvation of either the "<a href="QSHAPE_README.html#incoming_queue">incoming"</a> or the "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a>. </p>
+
+<p> Each "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> scan only brings a fraction of the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
+back into the "<a href="QSHAPE_README.html#active_queue">active" queue</a> for a retry. This is because each
+message in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> is assigned a "cool-off" time when
it is deferred. This is done by time-warping the modification
time of the queue file into the future. The queue file is not
eligible for a retry if its modification time is not yet reached.
within the limits. This means that young messages are initially
retried more often than old messages. </p>
-<p> If a high volume site routinely has large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, it
+<p> If a high volume site routinely has large "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a>, it
may be useful to adjust the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>, <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> and
<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> to provide short enough delays on first failure
(Postfix ≥ 2.4 has a sensibly low minimal backoff time by default),
with perhaps longer delays after multiple failures, to reduce the
retransmission rate of old messages and thereby reduce the quantity
-of previously deferred mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. If you want a really
+of previously deferred mail in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>. If you want a really
low <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>, you may also want to lower <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>,
but understand that more frequent scans will increase the demand for
disk I/O. </p>
-<p> One common cause of large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a> is failure to validate
+<p> One common cause of large "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a> is failure to validate
recipients at the SMTP input stage. Since spammers routinely launch
dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (and at high
-volumes proportionally clog the <a href="QSHAPE_README.html#active_queue">active queue</a>). Recipient validation
+for invalid recipient addresses clog the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> (and at high
+volumes proportionally clog the "<a href="QSHAPE_README.html#active_queue">active" queue</a>). Recipient validation
is strongly recommended through use of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> and
<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameters. Even when bounces drain quickly they
inundate innocent victims of forgery with unwanted email. To avoid
this, do not accept mail for invalid recipients. </p>
<p> When a host with lots of deferred mail is down for some time,
-it is possible for the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> to reach its retry
-time simultaneously. This can lead to a very full <a href="QSHAPE_README.html#active_queue">active queue</a> once
+it is possible for the entire "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> to reach its retry
+time simultaneously. This can lead to a very full "<a href="QSHAPE_README.html#active_queue">active" queue</a> once
the host comes back up. The phenomenon can repeat approximately
every <a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> seconds if the messages are again deferred
after a brief burst of congestion. Perhaps, a future Postfix release
will add a random offset to the retry time (or use a combination
-of strategies) to reduce the odds of repeated complete deferred
-queue flushes. </p>
+of strategies) to reduce the odds of repeated complete "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>
+flushes. </p>
<h2><a name="credits">Credits</a></h2>
<dt>ldapdb_uri</dt>
-<dd> <p> Specify either <code>ldapi://</code> for to connect over
+<dd> <p> Specify either <code><a href="ldap_table.5.html">ldapi</a>://</code> to connect over
a UNIX-domain socket, <code><a href="ldap_table.5.html">ldap</a>://</code> for an unencrypted TCP
-connection or <code>ldaps://</code> for an encrypted TCP connection.
+connection, or <code><a href="ldap_table.5.html">ldaps</a>://</code> for an encrypted TCP connection.
</p> </dd>
<dt>ldapdb_id</dt>
tables into one single MySQL database, and configure different
Postfix queries to extract the appropriate information. </p>
-<li> <p> Specify dbm instead of hash if your system uses dbm files
-instead of db files. To find out what lookup tables Postfix supports,
-use the command "postconf -m". </p>
+<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
+<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
+tables Postfix supports, use the command "<b>postconf -m</b>". </p>
-<li> <p> Execute the command "postmap /etc/postfix/sasl_passwd"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>"
whenever you change the sasl_passwd table. </p>
-<li> <p> Execute the command "postmap /etc/postfix/sender_relay"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>"
whenever you change the sender_relay table. </p>
</ul>
convenient because you don't have to specify the SASL plug-in type
in the Postfix <a href="postconf.5.html">main.cf</a> file (but this may cause surprises when you
switch to a later Postfix version that is built with the default
-SASL type of <code>sasl</code>). </p>
+SASL type of <code>cyrus</code>). </p>
</li>
<blockquote> <i> This library is being deprecated and applications
should transition to using the SASLv2 library</i> (source: <a
-href="http://cyrusimap.web.cmu.edu/downloads.html">Project Cyrus:
+href="http://www.cyrusimap.org/download.html">Project Cyrus:
Downloads</a>). </blockquote>
<p> If you still need to set it up, here's a quick rundown: </p>
<p>
Let's start by recapitulating the structures and terms used when
-referring to queue manager and how it operates. Many of these are
+referring to the queue manager and how it operates. Many of these are
partially described elsewhere, but it is nice to have a coherent
overview in one place:
deliver). </p>
<li> <p> Each transport queue (not to be confused with the on-disk
-<a href="QSHAPE_README.html#active_queue">active queue</a> or <a href="QSHAPE_README.html#incoming_queue">incoming queue</a>) groups everything what is going be
+"<a href="QSHAPE_README.html#active_queue">active" queue</a> or "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>) groups everything what is going be
delivered to given destination (aka nexthop) by its transport. Each
queue belongs to one transport, so each destination may be referred
to by several queues, one for each transport. Each queue maintains
<p>
-Whenever <tt>nqmgr</tt> moves a queue file into the <a href="QSHAPE_README.html#active_queue">active queue</a>,
+Whenever <tt>nqmgr</tt> moves a queue file into the "<a href="QSHAPE_README.html#active_queue">active" queue</a>,
the following happens: It reads all necessary information from the
queue file as <tt>oqmgr</tt> does, and also reads as many recipients
as possible - more on that later, for now let's just pretend it
means obtaining (address, nexthop, transport) triple for each
recipient. For each triple, it finds the transport; if it does not
exist yet, it instantiates it (unless it's dead). Within the
-transport, it finds the destination queue for given nexthop; if it
+transport, it finds the destination queue for the given nexthop; if it
does not exist yet, it instantiates it (unless it's dead). The
triple is then bound to given destination queue. This happens in
qmgr_resolve() and is basically the same as in <tt>oqmgr</tt>.
not exist yet, it instantiates it. Finally, it stores the address
from the resolved triple to the recipient entry which is appended
to both the queue entry list and the peer entry list. The addresses
-for same nexthop are batched in the entries up to recipient_concurrency
-limit for that transport. This happens in qmgr_assign() and apart
-from that it operates with job and peer structures it is basically the
+for the same nexthop are batched in the entries up to the
+<a href="postconf.5.html#transport_destination_recipient_limit"><i>transport</i>_destination_recipient_limit</a> for that transport.
+This happens in qmgr_message_assign(), and apart
+from that it operates with job and peer structures, it is basically the
same as in <tt>oqmgr</tt>.
</p>
<p>
-[Now you should have pretty good idea what is the state of the
-<tt>nqmgr</tt> after couple of messages was picked up, what is the
-relation between all those job, peer, queue and entry structures.]
+[Now you should have a pretty good idea what the state of the
+<tt>nqmgr</tt> is after a couple of messages were picked up, and what the
+relation is between all those job, peer, queue and entry structures.]
</p>
top-level round-robin transport, and within each transport we get
the FIFO message delivery. The round-robin of the peers by the
destination is perhaps of little importance in most real-life cases
-(unless the recipient_concurrency limit is reached, in one job there
+(unless the <a href="postconf.5.html#transport_destination_recipient_limit"><i>transport</i>_destination_recipient_limit</a> is reached,
+in one job there
is only one peer structure for each destination), but theoretically
it makes sure that even within single jobs, destinations are treated
fairly.
The simple answer would be to use delivery sequence <tt>12121313</tt>.
But the problem is that this does not scale well. Imagine you have
-mail with thousand recipients followed by mail with hundred recipients.
+mail with a thousand recipients followed by mail with a hundred recipients.
It is tempting to suggest the delivery sequence like <tt>121212....</tt>,
but alas! Imagine there arrives another mail with say ten recipients.
But there are no free slots anymore, so it can't slip by, not even
-if it had just only one recipients. It will be stuck until the
+if it had only one recipient. It will be stuck until the
hundred-recipient mail is delivered, which really sucks.
</p>
<p>
So, it becomes obvious that while inflating the message to get
-free slots is great idea, one has to be really careful of how the
+free slots is a great idea, one has to be really careful of how the
free slots are assigned, otherwise one might corner himself. So,
how does <tt>nqmgr</tt> really use the free slots?
<p>
-Well, despite it looks so at the first glance, another trick will
+Well, despite the fact that it looks so at the first glance, another trick will
allow us to answer "no, we are not!". If we had said that we will
inflate the delivery time twice at maximum, and then we consider
every other slot as a free slot, then we would overinflate in case
defaults to <a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a> parameter which is set to 5
by default. This is the k from the paragraph above. Each time k
entries of the job are selected for delivery, this counter is
-incremented by one. Once there are some slots accumulated, job which
+incremented by one. Once there are some slots accumulated, a job which
requires no more than that number of slots to be fully delivered
can preempt this job.
[Well, the truth is, the counter is incremented every time an entry
is selected and it is divided by k when it is used.
-But for the understanding it's good enough to use
+But to understand, it's good enough to use
the above approximation of the truth.]
</p>
<p>
The answer for the first part is simple. The job whose entry was
-selected the last time is so called current job. Normally, it is
+selected the last time is the so called current job. Normally, it is
the first job on the scheduler's job list, but destination concurrency
limits may change this as we will see later. It is always only the
current job which may get preempted.
<p>
-Now for the second part. The current job has certain amount of
+Now for the second part. The current job has a certain amount of
recipient entries, and as such may accumulate at maximum some amount
of available delivery slots. It might have already accumulated some,
and perhaps even already used some when it was preempted before
it in order to get best message delivery rates. These rates are of
course subject to how many recipients the message has, therefore
the division by the recipient (entry) count. No one shall be surprised
-that message with n recipients takes n times longer to deliver than
-message with one recipient.
+that a message with n recipients takes n times longer to deliver than
+a message with one recipient.
</p>
accumulated? Why do we need to estimate how much it has yet to
accumulate? If you found out the answer, congratulate yourself. If
we did it this simple way, we would always choose the candidate
-with least recipient entries. If there were enough single recipient
+with the fewest recipient entries. If there were enough single recipient
mails coming in, they would always slip by the bulk mail as soon
-as possible, and the two and more recipients mail would never get
+as possible, and the two or more recipients mail would never get
a chance, no matter how long they have been sitting around in the
job list.
<p>
-This candidate selection has interesting implication - that when
+This candidate selection has an interesting implication - that when
we choose the best candidate for preemption (this is done in
qmgr_choose_candidate()), it may happen that we may not use it for
preemption immediately. This leads to an answer to the last part
entry is to be chosen for delivery. To avoid needless overhead, the
preemption is not attempted if the current job could never accumulate
more than <a href="postconf.5.html#transport_minimum_delivery_slots"><i>transport</i>_minimum_delivery_slots</a> (defaults to
-<a href="postconf.5.html#default_minimum_delivery_slots">default_minimum_delivery_slots</a> which defaults to 3). If there is
+<a href="postconf.5.html#default_minimum_delivery_slots">default_minimum_delivery_slots</a> which defaults to 3). If there are
already enough accumulated slots to preempt the current job by the
chosen best candidate, it is done immediately. This basically means
that the candidate is moved in front of the current job on the
scheduler's job list and decreasing the accumulated slot counter
-by the amount used by the candidate. If there is not enough slots...
+by the amount used by the candidate. If there are not enough slots...
well, I could say that nothing happens and the another preemption
is attempted the next time. But that's not the complete truth.
The truth is that it turns out that it is not really necessary to
wait until the jobs counter accumulates all the delivery slots in
advance. Say we have ten-recipient mail followed by two two-recipient
-mails. If the preemption happened when enough delivery slot accumulate
+mails. If the preemption happened when enough delivery slots accumulate
(assuming slot cost 2), the delivery sequence becomes
<tt>11112211113311</tt>. Now what would we get if we would wait
only for 50% of the necessary slots to accumulate and we promise
we would wait for the remaining 50% later, after we get back
-to the preempted job? If we use such slot loan, the delivery sequence
-becomes <tt>11221111331111</tt>. As we can see, it makes it no
+to the preempted job? If we use such a slot loan, the delivery sequence
+becomes <tt>11221111331111</tt>. As we can see, it makes it not
considerably worse for the delivery of the ten-recipient mail, but
it allows the small messages to be delivered sooner.
<p>
-And it pretty much concludes this chapter.
+And that pretty much concludes this chapter.
</p>
<p>
[Now you should have a feeling that you pretty much understand the
-scheduler and the preemption, or at least that you will have it
-after you read the last chapter couple more times. You shall clearly
+scheduler and the preemption, or at least that you will have
+after you read the last chapter a couple more times. You shall clearly
see the job list and the preemption happening at its head, in ideal
delivery conditions. The feeling of understanding shall last until
you start wondering what happens if some of the jobs are blocked,
<p>
-From user's point of view it is all simple. If some of the peers
+From the user's point of view it is all simple. If some of the peers
of a job can't be selected, those peers are simply skipped by the
entry selection algorithm (the pseudo-code described before) and
only the selectable ones are used. If none of the peers may be
selected, the job is declared a "blocker job". Blocker jobs are
skipped by the entry selection algorithm and they are also excluded
-from the candidates for preemption of current job. Thus the scheduler
+from the candidates for preemption of the current job. Thus the scheduler
effectively behaves as if the blocker jobs didn't exist on the job
list at all. As soon as at least one of the peers of a blocker job
becomes unblocked (that is, the delivery agent handling the delivery
-of the recipient entry for given destination successfully finishes),
+of the recipient entry for the given destination successfully finishes),
the job's blocker status is removed and the job again participates
in all further scheduler actions normally.
<p>
-The answer is: a lot. Any job may become blocker job at any time,
-and also become normal job again at any time. This has several
+The answer is: a lot. Any job may become a blocker job at any time,
+and also become a normal job again at any time. This has several
important implications:
</p>
<p>
[Interesting side note: even when jobs are delivered out of order,
-from single destination's point of view the jobs are still delivered
+from a single destination's point of view the jobs are still delivered
in the expected order (that is, FIFO unless there was some preemption
involved). This is because whenever a destination queue becomes
unblocked (the destination limit allows selection of more recipient
<p>
If I illustrate the relations after the above mentioned examples
-(but those in point 1)), the situation would look like this:
+(but those in point 1), the situation would look like this:
</p>
<p>
Well, it maintains them all as described, but fortunately, all these
-relations are necessary only for purposes of proper counting of
-available delivery slots. For purposes of ordering the jobs for
+relations are necessary only for the purpose of proper counting of
+available delivery slots. For the purpose of ordering the jobs for
entry selection, the original rule still applies: "the job preempting
the current job is moved in front of the current job on the job
list". So for entry selection purposes, the job relations remain
<p>
-[By now, you should have a feeling that there is more things going
-under the hood than you ever wanted to know. You decide that
+[By now, you should have a feeling that there are more things going
+on under the hood than you ever wanted to know. You decide that
forgetting about this chapter is the best you can do for the sake
of your mind's health and you basically stick with the idea how the
scheduler works in ideal conditions, when there are no blockers,
<p>
When discussing the <tt>nqmgr</tt> scheduler, we have so far assumed
-that all recipients of all messages in the <a href="QSHAPE_README.html#active_queue">active queue</a> are completely
-read into the memory. This is simply not true. There is an upper
+that all recipients of all messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a> are completely
+read into memory. This is simply not true. There is an upper
bound on the amount of memory the <tt>nqmgr</tt> may use, and
therefore it must impose some limits on the information it may store
-in the memory at any given time.
+in memory at any given time.
</p>
First of all, not all messages may be read in-core at once. At any
time, only <a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a> messages may be read in-core
at maximum. When read into memory, the messages are picked from the
-<a href="QSHAPE_README.html#incoming_queue">incoming</a> and deferred message queues and moved to the <a href="QSHAPE_README.html#active_queue">active queue</a>
-(incoming having priority), so if there is more than
-<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a> messages queued in the <a href="QSHAPE_README.html#active_queue">active queue</a>, the
-rest will have to wait until (some of) the messages in the active
-queue are completely delivered (or deferred).
+"<a href="QSHAPE_README.html#incoming_queue">incoming"</a> and "<a href="QSHAPE_README.html#deferred_queue">deferred" queues</a> and moved to the "<a href="QSHAPE_README.html#active_queue">active" queue</a>
+(incoming having priority), so if there are more than
+<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a> messages queued in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>, the
+rest will have to wait until (some of) the messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>
+are completely delivered (or deferred).
</p>
Even with the limited amount of in-core messages, there is another
limit which must be imposed in order to avoid memory exhaustion.
-Each message may contain huge amount of recipients (tens or hundreds
+Each message may contain a huge number of recipients (tens or hundreds
of thousands are not uncommon), so if <tt>nqmgr</tt> read all
-recipients of all messages in the <a href="QSHAPE_README.html#active_queue">active queue</a>, it may easily run
+recipients of all messages in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>, it may easily run
out of memory. Therefore there must be some upper bound on the
-amount of message recipients which are read into the memory at the
+amount of message recipients which are read into memory at the
same time.
</p>
The message limit is straightforward - it just limits the size of
the
lookahead the <tt>nqmgr</tt>'s scheduler has when choosing which
-message can preempt the current one. Messages not in the active
-queue simply are not considered at all.
+message can preempt the current one. Messages not in the "<a href="QSHAPE_README.html#active_queue">active" queue</a>
+are simply not considered at all.
</p>
many recipient entries there will be, as they are subject to
per-destination grouping. It is not even clear to what transports
(and thus jobs) the recipients will be assigned. And with messages
-coming from the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>, it is not even clear how many unread
+coming from the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>, it is not even clear how many unread
recipients are still to be delivered. This all means that the
scheduler must use only estimates of how many recipients entries
there will be. Fortunately, it is possible to estimate the minimum
and maximum correctly, so the scheduler can always err on the safe
-side. Obviously, the better the estimates, the better results, so
+side. Obviously, the better the estimates, the better the results, so
it is best when we are able to read all recipients in-core and turn
the estimates into exact counts, or at least try to read as many
as possible to make the estimates as accurate as possible.
<p>
Perhaps the easiest solution would be to say that each message may
-have at maximum X recipients stored in-core, but such solution would
+have at maximum X recipients stored in-core, but such a solution would
be poor for several reasons. With reasonable <a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a>
-values, the X would have to be quite low to maintain reasonable
+values, the X would have to be quite low to maintain a reasonable
memory footprint. And with low X lots of things would not work well.
The <tt>nqmgr</tt> would have problems to use the
<a href="postconf.5.html#transport_destination_recipient_limit"><i>transport</i>_destination_recipient_limit</a> efficiently. The
<p>
Therefore it seems reasonable to have a solution which does not use
-a limit imposed on per-message basis, but which maintains a pool
+a limit imposed on a per-message basis, but which maintains a pool
of available recipient slots, which can be shared among all messages
in the most efficient manner. And as we do not want separate
transports to compete for resources whenever possible, it seems
-appropriate to maintain such recipient pool for each transport
+appropriate to maintain such a recipient pool for each transport
separately. This is the general idea, now how does it work in
practice?
<p>
-First we have to solve little chicken-and-egg problem. If we want
+First we have to solve a little chicken-and-egg problem. If we want
to use the per-transport recipient pools, we first need to know to
-what transport(s) is the message assigned. But we will find that
-out only after we read in the recipients first. So it is obvious
+what transport(s) the message is assigned. But we will find that
+out only after we first read in the recipients. So it is obvious
that we first have to read in some recipients, use them to find out
-to what transports is the message to be assigned, and only after
-that we can use the per-transport recipient pools.
+to what transports the message is to be assigned, and only after
+that can we use the per-transport recipient pools.
</p>
Now how many recipients shall we read for the first time? This is
what <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> and <a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>
values control. The <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> value specifies
-how many recipients of each message we will read for the first time,
+how many recipients of each message we will read the first time,
no matter what. It is necessary to read at least one recipient
before we can assign the message to a transport and create the first
job. However, reading only <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> recipients
even if there are only few messages with few recipients in-core would
-be wasteful. Therefore if there
is less than <a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>
+be wasteful. Therefore if there
are fewer than <a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>
recipients in-core so far, the first batch of recipients may be
larger than <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> - as large as is required
to reach the <a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a> limit.
<p>
-For example, if a message has three jobs, first with 1 recipient
-still in-core and 4 recipient slots, second with 5 recipient in-core
-and 5 recipient slots, and third with 2 recipients in-core and 0
-recipient slots, it has 1+5+2=7 recipients in-core and 4+5+0=9 jobs'
+For example, if a message has three jobs, the first with 1 recipient
+still in-core and 4 recipient slots, the second with 5 recipients in-core
+and 5 recipient slots, and the third with 2 recipients in-core and 0
+recipient slots, it has 1+5+2=8 recipients in-core and 4+5+0=9 jobs'
recipients slots in total. This means that we could immediately
read 2+<a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> more recipients of that message
in core.
job list, it gets all unused recipient slots from its transport's
pool. It keeps them until all recipients of its message are read.
When this happens, all unused recipient slots are transferred to
-the next job (which is now in fact now first such job) on the job
+the next job (which is now in fact the first such job) on the job
list which still has some recipients unread, or eventually back to
-the transport pool if there is no such job. Such transfer then also
+the transport pool if there is no such job. Such a transfer then also
happens whenever a recipient entry of that job is delivered.
</p>
<p>
There is also a scenario when a job is not appended to the end of
-the job list (for example it was created as a result of second or
+the job list (for example it was created as a result of a second or
later recipient batch). Then it works exactly as above, except that
if it was put in front of the first unread job (that is, the job
-of a message which still has some unread recipients in queue file),
+of a message which still has some unread recipients in the queue file),
that job is first forced to return all of its unused recipient slots
to the transport pool.
of the sponsoring mentioned before) and the jobs after this job get
nothing from the transport recipient pool (unless they got something
before and then the first unread job was created and enqueued in
-front of them later - in such case the also get at maximum as many
+front of them later - in such a case, they also get at maximum as many
slots as they have recipients in-core).
</p>
<p>
-Things work fine in such state for most of the time, because the
-current job is either completely read in-core or has as much recipient
+Things work fine in such a state for most of the time, because the
+current job is either completely read in-core or has as many recipient
slots as there are, but there is one situation which we still have
to take care of specially. Imagine if the current job is preempted
by some unread job from the job list and there are no more recipient
slots available, so this new current job could read only batches
of <a href="postconf.5.html#qmgr_message_recipient_minimum">qmgr_message_recipient_minimum</a> recipients at a time. This would
-really degrade performance. For this reason, each transport has
+really degrade performance. For this reason, each transport has an
extra pool of <a href="postconf.5.html#transport_extra_recipient_limit"><i>transport</i>_extra_recipient_limit</a> recipient
slots, dedicated exactly for this situation. Each time an unread
job preempts the current job, it gets half of the remaining recipient
<p>
And that's it. It sure does sound pretty complicated, but fortunately
-most people don't really have to care how exactly it works as long
+most people don't really have to care exactly how it works as long
as it works. Perhaps the only important things to know for most
people are the following upper bound formulas:
<p>
And this terribly complicated chapter concludes the documentation
-of <tt>nqmgr</tt> scheduler.
+of the <tt>nqmgr</tt> scheduler.
</p>
inside out. In practice, you still hope that you will never have
to really understand the last or last two chapters completely, and
fortunately most people really won't. Understanding how the scheduler
-works in ideal conditions is more than good enough for vast majority
+works in ideal conditions is more than good enough for the vast majority
of users.]
</p>
again later). The end of each list is equivalent to a PERMIT result.
By placing a PERMIT restriction before a REJECT restriction you
can make exceptions for specific clients or users. This is called
-allowlisting; the fourth example above allows mail from local
-networks but otherwise rejects mail to arbitrary destinations. </p>
+allowlisting; the <a href="postconf.5.html#smtpd_relay_restrictions">smtpd_relay_restrictions</a> example above allows mail from local
+networks, and from SASL authenticated clients, but otherwise rejects mail
+to arbitrary destinations. </p>
<p> The table below summarizes the purpose of each SMTP access
restriction list. All lists use the exact same syntax; they differ
the Postfix SMTP server can delegate decisions to an external policy
server (Postfix 2.1 and later). </p>
-<p> With this policy delegation mechanism, a simple <a href="#greylist">
-greylist </a> policy can be implemented with only a dozen lines of
+<p> With this policy delegation mechanism, a simple
+<a href="#greylist">greylist</a> policy can be implemented with only a dozen lines of
Perl, as is shown at the end of this document. A complete example
can be found in the Postfix source code, in the directory
examples/smtpd-policy. </p>
<p> Another example of policy delegation is the SPF policy server
-at https://web.archive.org/web/20190221142057/<a href="http://www.openspf.org/Software">http://www.openspf.org/Software</a>. </p>
+at <a href="https://web.archive.org/web/20190221142057/http://www.openspf.org/Software">https://web.archive.org/web/20190221142057/http://www.openspf.org/Software</a>. </p>
<p> Policy delegation is now the preferred method for adding policies
to Postfix. It's much easier to develop a new feature in few lines
an absolute pathname of a UNIX-domain socket. The third example
specifies a pathname relative to the Postfix queue directory; use
this for policy servers that are spawned by the Postfix master
-daemon. </p>
+daemon. On many systems, "local" is a synonym for "unix".</p>
<p> To create a policy service that listens on a UNIX-domain socket
called "policy", and that runs under control of the Postfix <a href="spawn.8.html">spawn(8)</a>
<li> <p> Line 11: this increases the time that a policy server
process may run to 3600 seconds. The default time limit of 1000
-seconds is too short; the policy daemon needs to run long as the
+seconds is too short; the policy daemon needs to run as long as the
SMTP server process that talks to it.
See the <a href="spawn.8.html">spawn(8)</a> manpage for more information about the
<a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameter. </p>
<li> <p> Line 6: this increases the time that a greylist server
process may run to 3600 seconds. The default time limit of 1000
-seconds is too short; the greylist daemon needs to run long as the
+seconds is too short; the greylist daemon needs to run as long as the
SMTP server process that talks to it.
See the <a href="spawn.8.html">spawn(8)</a> manpage for more information about the
<a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameter. </p>
domains that often appear in forged email. At some point
in cyberspace/time a list of frequently
forged MAIL FROM domains could be found at
-<a href="http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in">http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in</a>.
+<a href="https://web.archive.org/web/20080526153208/http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in">https://web.archive.org/web/20080526153208/http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in</a>.
<blockquote>
<pre>
<p> The content filter itself is not described here. You can use
any filter that is SMTP enabled. For non-SMTP capable content
filtering software, Bennett Todd's SMTP proxy implements a nice
-Perl-based framework. See: <a href="http://bent.latency.net/smtpprox/">http://bent.latency.net/smtpprox/</a> or
-https://github.com/jnorell/smtpprox.</p>
+Perl-based framework. See:
+<a href="https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/">https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/</a>
+or <a href="https://github.com/jnorell/smtpprox/">https://github.com/jnorell/smtpprox/</a> </p>
<blockquote>
<p> By default, the filter has 100 seconds to do its work. If it
takes longer then Postfix gives up and reports an error to the
-remote SMTP client. You can increase this time limit (see configuration
-parameter section below) but doing so is pointless because you
+remote SMTP client. You can increase this time limit (see the <a href="#parameters">"Configuration
+parameters"</a> section below) but doing so is pointless because you
can't control when the remote SMTP client times out. </p>
<h2><a name="parameters">Configuration parameters</a></h2>
<p> For compatibility with pre-SMTPUTF8 environments, Postfix does
not automatically set the "SMTPUTF8 requested" flag on messages
-from non-SMTPUTF8 clients that contain an UTF-8 header value or
+from non-SMTPUTF8 clients that contain a UTF-8 header value or
UTF-8 address localpart. This would make such messages undeliverable
to non-SMTPUTF8 servers, and could be a barrier to SMTPUTF8 adoption.
</p>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
tables into one single MySQL database, and configure different
Postfix queries to extract the appropriate information. </p>
-<li> <p> Specify dbm instead of hash if your system uses dbm files
-instead of db files. To find out what lookup tables Postfix supports,
-use the command "postconf -m". </p>
+<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
+<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
+tables Postfix supports, use the command "<b>postconf -m</b>". </p>
-<li> <p> Execute the command "postmap /etc/postfix/sasl_passwd"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>"
whenever you change the sasl_passwd table. </p>
-<li> <p> Execute the command "postmap /etc/postfix/sender_relay"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>"
whenever you change the sender_relay table. </p>
</ul>
query = SELECT forw_addr FROM mxaliases WHERE alias='%s' AND status='paid'
</pre>
-<h2>Additional notes</h2>
-
-<p> The SQLite configuration interface setup allows for multiple
-sqlite databases: you can use one for a virtual table, one for an
-access table, and one for an aliases table if you want. </p>
-
<h2>Credits</h2>
<p> SQLite support was added with Postfix version 2.8. </p>
<p> First we present the non-mailhost configuration, because it is
the simpler one. This machine sends mail as "user@example.com" and
-is final destination for "user@hostname.example.com". </p>
+is the final destination for "user@hostname.example.com". </p>
<blockquote>
<pre>
</ul>
<p> Next we present the mailhost configuration. This machine sends
-mail as "user@example.com" and is final destination for
+mail as "user@example.com" and is the final destination for
"user@hostname.example.com" as well as "user@example.com". </p>
<blockquote>
only address literals matching $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>
are deemed local. So "localpart@[a.d.d.r]" can be matched as simply
"localpart" in <a href="canonical.5.html">canonical(5)</a> and <a href="virtual.5.html">virtual(5)</a>. This avoids the need to
-specify firewall IP addresses into Postfix configuration files. </p>
+specify firewall IP addresses in Postfix configuration files. </p>
</ul>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<h2><a name="backup">Configuring Postfix as primary or backup MX host for a remote site</a></h2>
<p> This section presents additional configuration. You need to
-combine this with basic configuration information as discussed the
+combine this with basic configuration information as discussed in the
first half of this document. </p>
<p> When your system is SECONDARY MX host for a remote site this
href="#local_network">local area network</a> section above. </p>
<p> This section presents additional configuration. You need to
-combine this with basic configuration information as discussed the
+combine this with basic configuration information as discussed in the
first half of this document. </p>
<p> If you do not have your own hostname and IP address (usually
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<p> The <a href="postscreen.8.html">postscreen(8)</a> daemon, introduced with Postfix 2.8, provides
additional protection against mail server overload. One <a href="postscreen.8.html">postscreen(8)</a>
process handles multiple inbound SMTP connections, and decides which
-clients may to talk to a Postfix SMTP server process. By keeping
+clients may talk to a Postfix SMTP server process. By keeping
spambots away, <a href="postscreen.8.html">postscreen(8)</a> leaves more SMTP server processes
available for legitimate clients, and delays the onset of server
overload conditions. </p>
<p> Postfix version 2.2 introduces support for TLS as described in
<a href="https://tools.ietf.org/html/rfc3207">RFC 3207</a>. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
-Postfix < 2.2 TLS support</a>" below discusses the differences
+Postfix < 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> Topics covered in this document: </p>
<li><a href="#problems"> Reporting problems </a>
-<li><a href="#compat">Compatibility with Postfix < 2.2 TLS support</a>
+<li><a href="#compat">Compatibility with Postfix < 2.2 TLS support</a>
<li><a href="#credits"> Credits </a>
<p> In order to use TLS, the Postfix SMTP server needs a certificate
and a private key. Both must be in "pem" format. The private key
must not be encrypted, meaning: the key must be accessible without
-password. Both certificate and private key may be in the same
+a password. Both certificate and private key may be in the same
file. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
</blockquote>
<p> A Postfix SMTP server certificate supplied here must be usable
-as SSL server certificate and hence pass the "openssl verify -purpose
+as an SSL server certificate and hence pass the "openssl verify -purpose
sslserver ..." test. </p>
<p> A client that trusts the root CA has a local copy of the root
<p> The <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a> feature must be used with caution,
because it can result in too many access permissions. Use this
feature only if a special CA issues the client certificates, and
-only if this CA is listed as trusted CA. If other CAs are trusted,
+only if this CA is listed as a trusted CA. If other CAs are trusted,
any owner of a valid client certificate would be authorized.
The <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a> feature can be practical for a
specially created email relay server. </p>
<p> To influence the Postfix SMTP server cipher selection scheme,
you can give cipherlist string. A detailed description would go
-to far here; please refer to the OpenSSL documentation. If you
+too far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the
(openssl-)compiled in default! </p>
key/certificate pair as the Postfix SMTP server. If a certificate
is to be presented, it must be in "pem" format. The private key
must not be encrypted, meaning: it must be accessible without
-password. Both parts (certificate and private key) may be in the
+a password. Both parts (certificate and private key) may be in the
same file. </p>
<p> In order for remote SMTP servers to verify the Postfix SMTP
</blockquote>
<p> A Postfix SMTP client certificate supplied here must be usable
-as SSL client certificate and hence pass the "openssl verify -purpose
+as an SSL client certificate and hence pass the "openssl verify -purpose
sslclient ..." test. </p>
<p> A server that trusts the root CA has a local copy of the root
"<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> = yes" imply "<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> = yes". </p>
<li> <p> When both hostname and next-hop destination lookups produce
-a result, the more specific per-site policy (NONE, MUST, etc)
+a result, the more specific per-site policy (NONE, MUST, etc.)
overrides the less specific one (MAY), and the more secure per-site
-policy (MUST, etc) overrides the less secure one (NONE). </p>
+policy (MUST, etc.) overrides the less secure one (NONE). </p>
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
example.org NONE
# TLS should not be used with the host <i>smtp.example.com</i>.
- smtp.example.com NONE
+ [smtp.example.com] NONE
</pre>
</blockquote>
<p> To influence the Postfix SMTP client cipher selection scheme,
you can give cipherlist string. A detailed description would go
-to far here; please refer to the OpenSSL documentation. If you
+too far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the
(openssl-)compiled in default! </p>
</ul>
-<h2><a name="compat">Compatibility with Postfix <2.2 TLS support</a></h2>
+<h2><a name="compat">Compatibility with Postfix < 2.2 TLS support</a></h2>
<p> Postfix version 2.2 TLS support is based on the Postfix/TLS
patch by Lutz Jänicke, but differs in a few minor ways. </p>
the ability to encrypt mail and to authenticate remote SMTP clients
or servers. You also turn on hundreds of thousands of lines of
OpenSSL library code. Assuming that OpenSSL is written as carefully
-as Wietse's own code, every 1000 lines introduce one additional bug
+as Wietse's own code, every 1000 lines introduces one additional bug
into Postfix. </p>
<p> Topics covered in this document: </p>
or via public-key infrastructure. This means that the Postfix server
public-key certificate file must include the server certificate
first, then the issuing CA(s) (bottom-up order). The Postfix SMTP
-server certificate must be usable as SSL server certificate and
+server certificate must be usable as an SSL server certificate and
hence pass the "<tt>openssl verify -purpose sslserver ...</tt>" test.
</p>
per algorithm. It is typically simpler to keep the chain for each
algorithm in its own file. Most users are likely to deploy just a
single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up to
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the
obsolete DSA. </p>
<blockquote>
<p> The <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a> feature must be used with caution,
because it can result in too many access permissions. Use this
feature only if a special CA issues the client certificates, and
-only if this CA is listed as trusted CA. If other CAs are trusted,
+only if this CA is listed as a trusted CA. If other CAs are trusted,
any owner of a valid client certificate would be authorized.
The <a href="postconf.5.html#permit_tls_all_clientcerts">permit_tls_all_clientcerts</a> feature can be practical for a
specially created email relay server. </p>
key/certificate pair as the Postfix SMTP server. If a certificate
is to be presented, it must be in "PEM" format. The private key
must not be encrypted, meaning: it must be accessible without
-password. Both parts (certificate and private key) may be in the
+a password. Both parts (certificate and private key) may be in the
same file. </p>
<p> With OpenSSL 1.1.1 and Postfix ≥ 3.4 it is also possible to
</blockquote>
<p> A Postfix SMTP client certificate supplied here must be usable
-as SSL client certificate and hence pass the "openssl verify -purpose
+as an SSL client certificate and hence pass the "openssl verify -purpose
sslclient ..." test. </p>
<p> A server that trusts the root CA has a local copy of the root
per algorithm. It is typically simpler to keep the chain for each
algorithm in its own file. Most users are likely to deploy at most a
single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the
obsolete DSA. </p>
<blockquote>
<dt><b>secure</b></dt> <dd><a href="#client_tls_secure">Secure certificate
verification.</a> Mail is delivered only if the TLS handshake succeeds,
-if the remote SMTP server certificate can be validated (not expired
-or revoked, and signed by a trusted Certification Authority), and if the
-server certificate name matches the optional "match" attribute (or the
-<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter value when no optional
+and DNS forgery resistant remote SMTP certificate verification succeeds
+(not expired or revoked, and signed by a trusted Certification Authority),
+and if the server certificate name matches the optional "match" attribute
+
(or the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter value when no optional
"match" attribute is specified). With Postfix ≥ 2.11 the "tafile"
attribute optionally modifies trust chain verification in the same manner
as the "<a href="postconf.5.html#smtp_tls_trust_anchor_file">smtp_tls_trust_anchor_file</a>" parameter. The "tafile" attribute
with. For real authentication you need also enable DNSSEC record
signing for your domain and publish TLSA records and/or your Postfix
public key certificate needs to be signed by a recognized Certification
-Authority. To authenticate the certificates of remote host you
+Authority. To authenticate the certificates of a remote host you
need a DNSSEC-validating local resolver and to enable <a
href="#client_tls_dane">DANE</a> authentication and/or configure
the Postfix SMTP client with a list of public key certificates of
submission via client certificates. Often servers that perform TLS client
authentication will issue the required certificates signed by their own
CA. If you configure the client certificate and key incorrectly, you
-will be unable to send mail to sites that request client certificate,
+will be unable to send mail to sites that request a client certificate,
but don't require them from all clients. </p>
<blockquote>
MX hosts are up and accepting connections in a timely fashion,
throughput will be high. If any MX host is down and completely
unresponsive, the average connection latency rises to at least 1/N
-* $smtp_connection_timeout, if there are N MX hosts. This limits
+* $<a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a>, if there are N MX hosts. This limits
throughput to at most the destination concurrency * N /
-$smtp_connection_timeout. </p>
+$<a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a>. </p>
<p> For example, with a destination concurrency of 100 and 2 MX
hosts, each host will handle up to 50 simultaneous connections. If
as 5s or even 1s can be used to prevent congestion when one or
more, but not all MX hosts are down. </p>
-<p> If necessary, set a higher transport_destination_concurrency_limit
+<p> If necessary, set a higher <a href="postconf.5.html#transport_destination_concurrency_limit"><i>transport</i>_destination_concurrency_limit</a>
(in <a href="postconf.5.html">main.cf</a> since this is a queue manager parameter) and a lower
-
smtp_connection_timeout (with a "-o" override in <a href="master.5.html">master.cf</a> since
+
<a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (with a "-o" override in <a href="master.5.html">master.cf</a> since
this parameter has no per-transport name) for the relay transport
and any transports dedicated for specific high volume destinations.
</p>
<h2><a name="canonical">Canonical versus hosted versus
other domains</a></h2>
-<p>Most Postfix systems are <b>final destination</b> for only a
+<p>Most Postfix systems are the <b>final destination</b> for only a
few domain names. These include the hostnames and [the IP addresses]
of the machine that Postfix runs on, and sometimes also include
the parent domain of the hostname. The remainder of this document
as defined in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file.</p>
<p> Besides the <a href="VIRTUAL_README.html#canonical">canonical domains</a>, Postfix can be configured to be
-<b>final destination</b> for any number of additional domains.
+the <b>final destination</b> for any number of additional domains.
These domains are called hosted, because they are not directly
associated with the name of the machine itself. Hosted domains are
usually implemented with the <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> address class
file. </p>
<p> Finally, Postfix can be configured as a transit host for sending
-mail across the internet. Obviously, Postfix is not final destination
+mail across the internet. Obviously, Postfix is not the final destination
for such mail. This function is available only for authorized
clients and/or users, and is implemented by the <a href="ADDRESS_CLASS_README.html#default_domain_class">default domain</a>
address class, as defined in the <a href="ADDRESS_CLASS_README.html">ADDRESS_CLASS_README</a> file. </p>
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those cases, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those cases, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
<b>CASE FOLDING</b>
This feature is available in Postfix 2.1 and later.
<b>DEFER_IF_PERMIT</b> <i>optional text...</i>
- Defer the request if some later restriction would result in a an
+ Defer the request if some later restriction would result in an
explicit or implicit PERMIT action. Reply with
"<b>$<a href="postconf.5.html#access_map_defer_code">access_map_defer_code</a> 4.7.1</b> <i>optional text...</i>" when the
optional text is specified, otherwise reply with a generic error
Available in Postfix 3.7 and later:
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>FILES</b>
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those cases, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those cases, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
By default the <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping affects both message header
<b><a href="postconf.5.html#masquerade_exceptions">masquerade_exceptions</a> (empty)</b>
Optional list of user names that are not subjected to address
- masquerading, even when their address
matches $<a href="postconf.5.html#masquerade_domains">masquer</a>-
+ masquerading, even when their address
es match $<a href="postconf.5.html#masquerade_domains">masquer</a>-
<a href="postconf.5.html#masquerade_domains">ade_domains</a>.
<b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
Postfix parses the result as if it is a file in /etc/postfix.
+ Note: if a rule contains <b>$</b>, specify <b>$$</b> to keep Postfix from trying to
+ do <i>$name</i> expansion as it evaluates a parameter value.
+
<b>EXAMPLE SMTPD ACCESS MAP</b>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = ... <a href="cidr_table.5.html">cidr</a>:/etc/postfix/client.cidr ...
after applying <a href="header_checks.5.html"><b>header_checks</b>(5)</a> and before invoking Milter
applications.
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>BUILT-IN CONTENT FILTERING CONTROLS</b>
Available in Postfix 3.7 and later:
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>FILES</b>
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those case, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those cases, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
<b>CASE FOLDING</b>
<b>TCP-BASED TABLES</b>
This section describes how the table lookups change when lookups are
directed to a TCP-based server. For a description of the TCP
- client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not
- available up to and including Postfix version 2.4.
+ client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is
+ available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus, <i>user@domain</i>
mail addresses are not broken up into their <i>user</i> and <i>@domain</i> con-
below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
details including examples.
- <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a></b>
- Address mapping lookup table for envelope and header sender and
- recipient addresses while delivering mail via SMTP.
+ <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
+ Optional lookup tables that perform address rewriting in the
+ Postfix SMTP client, typically to transform a locally valid
+ address into a globally valid address when sending mail across
+ the Internet.
- <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>
- A list of address rewriting or forwarding mechanisms that propa-
- gate an address extension from the original address to the
- result. Specify zero or more of <b>canonical</b>, <b>virtual</b>, <b>alias</b>, <b>for-</b>
- <b>ward</b>, <b>include</b>, or <b>generic</b>.
+ <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
+ What address lookup tables copy an address extension from the
+ lookup key to the lookup result.
Other parameters of interest:
- <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
- The network interface addresses that this system receives mail
- on. You need to stop and start Postfix when this parameter
- changes.
+ <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
+ The network interface addresses that this mail system receives
+ mail on.
- <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>
- Other interfaces that this machine receives mail on by way of a
- proxy agent or network address translator.
+ <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
+ The network interface addresses that this mail system receives
+ mail on by way of a proxy or network address translation unit.
- <b><a href="postconf.5.html#mydestination">mydestination</a></b>
- List of domains that this mail system considers local.
+ <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
+ The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
+ mail delivery transport.
- <b><a href="postconf.5.html#myorigin">myorigin</a></b>
- The domain that is appended to locally-posted mail.
+ <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
+ The domain name that locally-posted mail appears to come from,
+ and that locally posted mail is delivered to.
- <b><a href="postconf.5.html#owner_request_special">owner_request_special</a></b>
- Give special treatment to <b>owner-</b><i>xxx</i> and <i>xxx</i><b>-request</b> addresses.
+ <b><a href="postconf.5.html#owner_request_special">owner_request_special</a> (yes)</b>
+ Enable special treatment for owner-<i>listname</i> entries in the
+ <a href="aliases.5.html"><b>aliases</b>(5)</a> file, and don't split owner-<i>listname</i> and <i>list-</i>
+ <i>name</i>-request address localparts when the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> is
+ set to "-".
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
(the last one provided that OpenLDAP was compiled with support
for SSL):
- server_host = ldapi://%2Fsome%2Fpath
- ldaps://ldap.example.com:636
+ server_host = <a href="ldap_table.5.html">ldapi</a>://%2Fsome%2Fpath
+ <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636
<b>server_port (default: 389)</b>
The port the LDAP server listens on, e.g.
<b>%[SUD]</b> For the <b>search_base</b> parameter, the upper-case equivalents
of the above expansions behave identically to their
lower-case counter-parts. With the <b>result_format</b> parame-
- ter (previously called <b>result_filter</b> see the COMPATIBIL-
- ITY section and below), they expand to the corresponding
- components of input key rather than the result value.
+ ter (previously called <b>result_filter</b> see the OTHER OBSO-
+ LETE FEATURES section and below), they expand to the cor-
+ responding components of input key rather than the result
+ value.
- <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre-
- sponding most significant component of the input key's
- domain. If the input key is <i>user@mail.example.com</i>, then
+ <b>%[1-9]</b> The patterns %1, %2, ... %9 are replaced by the corre-
+ sponding most significant component of the input key's
+ domain. If the input key is <i>user@mail.example.com</i>, then
%1 is <b>com</b>, %2 is <b>example</b> and %3 is <b>mail</b>. If the input key
- is unqualified or does not have enough domain components
+ is unqualified or does not have enough domain components
to satisfy all the specified patterns, the search is sup-
pressed and returns no results.
<b>query_filter (default: mailacceptinggeneralid=%s)</b>
- The <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a
+ The <a href="https://tools.ietf.org/html/rfc2254">RFC2254</a> filter used to search the directory, where <b>%s</b> is a
substitute for the address Postfix is trying to resolve, e.g.
query_filter = (&(mail=%s)(paid_up=true))
<b>%%</b> This is replaced by a literal '%' character. (Postfix 2.2
and later).
- <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
- used to make sure that the input key does not add unex-
+ <b>%s</b> This is replaced by the input key. <a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a> quoting is
+ used to make sure that the input key does not add unex-
pected metacharacters.
<b>%u</b> When the input key is an address of the form user@domain,
<b>%u</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted local part of the
- address. Otherwise, <b>%u</b> is replaced by the entire search
- string. If the localpart is empty, the search is sup-
+ address. Otherwise, <b>%u</b> is replaced by the entire search
+ string. If the localpart is empty, the search is sup-
pressed and returns no results.
<b>%d</b> When the input key is an address of the form user@domain,
- <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
- the address. Otherwise, the search is suppressed and
+ <b>%d</b> is replaced by the (<a href="https://tools.ietf.org/html/rfc2254">RFC 2254</a>) quoted domain part of
+ the address. Otherwise, the search is suppressed and
returns no results.
<b>%[SUD]</b> The upper-case equivalents of the above expansions behave
- in the <b>query_filter</b> parameter identically to their
- lower-case counter-parts. With the <b>result_format</b> parame-
- ter (previously called <b>result_filter</b> see the COMPATIBIL-
- ITY section and below), they expand to the corresponding
- components of input key rather than the result value.
+ in the <b>query_filter</b> parameter identically to their
+ lower-case counter-parts. With the <b>result_format</b> parame-
+ ter (previously called <b>result_filter</b> see the OTHER OBSO-
+ LETE FEATURES section and below), they expand to the cor-
+ responding components of input key rather than the result
+ value.
The above %S, %U and %D expansions are available with
Postfix 2.2 and later.
NOTE: DO NOT put quotes around the result format!
<b>domain (default: no domain list)</b>
- This is a list of domain names, paths to files, or dictionaries.
- When specified, only fully qualified search keys with a
- *non-empty* localpart and a matching domain are eligible for
+ This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
+ databases. When specified, only fully qualified search keys with
+ a *non-empty* localpart and a matching domain are eligible for
lookup: 'user' lookups, bare domain lookups and "@domain"
lookups are not performed. This can significantly reduce the
query load on the LDAP server.
LDAP SSL service can be requested by using a LDAP SSL URL in the
server_host parameter:
- server_host = ldaps://ldap.example.com:636
+ server_host = <a href="ldap_table.5.html">ldaps</a>://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>MIME PROCESSING CONTROLS</b>
Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon:
- <b>
transport_destination_concurrency_limit ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
- A transport-specific override for the default_destination_con-
-
currency_limit parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
- <b>
transport_destination_recipient_limit ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
shell), <b>$recipient</b> (complete recipient address), <b>$extension</b> (recipient
address extension), <b>$domain</b> (recipient domain), <b>$local</b> (entire recipi-
ent address localpart) and <b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>.</b> The forms
- <i>${name?value}</i> and <i>${name:value}</i> expand conditionally to <i>value</i> when
- <i>$name</i> is (is not) defined. Characters that may have special meaning to
- the shell or file system are replaced by underscores. The list of
- acceptable characters is specified with the <b><a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a></b>
- configuration parameter.
+ <i>${name?value}</i> and <i>${name?{value}}</i> (Postfix 3.0 and later) expand condi-
+ tionally to <i>value</i> when <i>$name</i> is defined, and the forms <i>${name:value}</i>
+ <i>${name:{value}}</i> (Postfix 3.0 and later) expand conditionally to <i>value</i>
+ when <i>$name</i> is not defined. The form <i>${name?{value1}:{value2}}</i> (Postfix
+ 3.0 and later) expands conditionally to <i>value1</i> when <i>$name</i> is defined,
+ or <i>value2</i> otherwise. Characters that may have special meaning to the
+ shell or file system are replaced with underscores. The list of accept-
+ able characters is specified with the <b><a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a></b> configu-
+ ration parameter.
An alias or ~/.<b>forward</b> file may list any combination of external com-
mands, destination file names, <b>:include:</b> directives, or mail addresses.
<b>$shell</b> (recipient shell), <b>$recipient</b> (complete recipient address),
<b>$extension</b> (recipient address extension), <b>$domain</b> (recipient domain),
<b>$local</b> (entire recipient address localpart) and <b>$<a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a>.</b>
- The forms <i>${name?value}</i> and <i>${name:value}</i> expand conditionally to <i>value</i>
- when <i>$name</i> is (is not) defined. Characters that may have special mean-
- ing to the shell or file system are replaced by underscores. The list
- of acceptable characters is specified with the <b><a href="postconf.5.html#execution_directory_expansion_filter">execution_direc</a>-</b>
- <b><a href="postconf.5.html#execution_directory_expansion_filter">tory_expansion_filter</a></b> configuration parameter.
+ The forms <i>${name?value}</i> and <i>${name?{value}}</i> (Postfix 3.0 and later)
+ expand conditionally to <i>value</i> when <i>$name</i> is defined, and the forms
+ <i>${name:value}</i> and <i>${name:{value}}</i> (Postfix 3.0 and later) expand condi-
+ tionally to <i>value</i> when <i>$name</i> is not defined. The form
+ <i>${name?{value1}:{value2}}</i> (Postfix 3.0 and later) expands conditionally
+ to <i>value1</i> when <i>$name</i> is defined, or <i>value2</i> otherwise. Characters that
+ may have special meaning to the shell or file system are replaced with
+ underscores. The list of acceptable characters is specified with the
+ <b><a href="postconf.5.html#execution_directory_expansion_filter">execution_directory_expansion_filter</a></b> configuration parameter.
The command is executed directly where possible. Assistance by the
shell (<b>/bin/sh</b> on UNIX systems) is used only when the command contains
A limited amount of message context is exported via environment vari-
ables. Characters that may have special meaning to the shell are
- replaced by underscores. The list of acceptable characters is speci-
+ replaced with underscores. The list of acceptable characters is speci-
fied with the <b><a href="postconf.5.html#command_expansion_filter">command_expansion_filter</a></b> configuration parameter.
<b>SHELL</b> The recipient user's login shell.
<b><a href="postconf.5.html#command_execution_directory">command_execution_directory</a> (empty)</b>
The <a href="local.8.html"><b>local</b>(8)</a> delivery agent working directory for delivery to
- external command.
+ external commands.
<b>MAILBOX LOCKING CONTROLS</b>
<b><a href="postconf.5.html#deliver_lock_attempts">deliver_lock_attempts</a> (20)</b>
<b><a href="postconf.5.html#default_privs">default_privs</a> (nobody)</b>
The default rights used by the <a href="local.8.html"><b>local</b>(8)</a> delivery agent for
- delivery to external file or command.
+ delivery to an external file or command.
<b><a href="postconf.5.html#forward_expansion_filter">forward_expansion_filter</a> (see 'postconf -d' output)</b>
Restrict the characters that the <a href="local.8.html"><b>local</b>(8)</a> delivery agent allows
<b><a href="postconf.5.html#local_command_shell">local_command_shell</a> (empty)</b>
Optional shell program for <a href="local.8.html"><b>local</b>(8)</a> delivery to non-Postfix com-
- mand.
+ mands.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix daemon process
headers of mail that is still queued.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
Specifies one or more non-default object libraries. Postfix 3.0
and later specify some of their database library dependencies
with <a href="CDB_README.html">AUXLIBS_CDB</a>, <a href="LDAP_README.html">AUXLIBS_LDAP</a>, <a href="LMDB_README.html">AUXLIBS_LMDB</a>, <a href="MYSQL_README.html">AUXLIBS_MYSQL</a>,
- <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>,
<a href="SDBM_README.html">AUXLIBS_SDBM</a>, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>,
+ <a href="PCRE_README.html">AUXLIBS_PCRE</a>, <a href="PGSQL_README.html">AUXLIBS_PGSQL</a>,
AUXLIBS_SDBM, and <a href="SQLITE_README.html">AUXLIBS_SQLITE</a>,
respectively.
<b>CC=</b><i>compiler</i><b>_</b><i>command</i>
The <a href="local.8.html"><b>local</b>(8)</a>, <a href="pipe.8.html"><b>pipe</b>(8)</a>, <a href="spawn.8.html"><b>spawn</b>(8)</a>, and <a href="virtual.8.html"><b>virtual</b>(8)</a> daemons require
privileges.
- <b>Chroot (default: Postfix</b> ><b>= 3.0: n, Postfix</b> <<b>3.0: y)</b>
+ <b>Chroot (default: Postfix</b> ><b>= 3.0: n, Postfix</b> < <b>3.0: y)</b>
Whether or not the service runs chrooted to the mail queue
directory (pathname is controlled by the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> config-
uration variable in the <a href="postconf.5.html">main.cf</a> file).
Alternatively, lookup tables can be specified as MySQL databases. In
order to use MySQL lookups, define a MySQL source as a lookup table in
<a href="postconf.5.html">main.cf</a>, for example:
- <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mysql_table.5.html">mysql</a>:/etc/mysql-aliases.cf
+ <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="mysql_table.5.html">mysql</a>:/etc/postfix/mysql-aliases.cf
The file /etc/postfix/mysql-aliases.cf has the same format as the Post-
fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below.
<b>MYSQL PARAMETERS</b>
<b>hosts</b> The hosts that Postfix will try to connect to and query from.
Specify <i>unix:</i> for UNIX domain sockets, <i>inet:</i> for TCP connections
- (default). Example:
+ (default). Examples:
+ hosts = inet:host1.some.domain inet:host2.some.domain:port
hosts = host1.some.domain host2.some.domain:port
hosts = unix:/file/name
NOTE: DO NOT put quotes around the result format!
<b>domain (default: no domain list)</b>
- This is a list of domain names, paths to files, or dictionaries.
- When specified, only fully qualified search keys with a
- *non-empty* localpart and a matching domain are eligible for
+ This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
+ databases. When specified, only fully qualified search keys with
+ a *non-empty* localpart and a matching domain are eligible for
lookup: 'user' lookups, bare domain lookups and "@domain"
lookups are not performed. This can significantly reduce the
query load on the MySQL server.
headers of mail that is still queued.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
Alternatively, lookup tables can be specified as PostgreSQL databases.
In order to use PostgreSQL lookups, define a PostgreSQL source as a
lookup table in <a href="postconf.5.html">main.cf</a>, for example:
- <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="pgsql_table.5.html">pgsql</a>:/etc/pgsql-aliases.cf
+ <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="pgsql_table.5.html">pgsql</a>:/etc/postfix/pgsql-aliases.cf
The file /etc/postfix/pgsql-aliases.cf has the same format as the Post-
fix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below.
prefixes are accepted and ignored for backwards compatibility.
Examples:
hosts = postgresql://username@example.com/tablename?sslmode=require
+ hosts = inet:host1.some.domain inet:host2.some.domain:port
hosts = host1.some.domain host2.some.domain:port
hosts = unix:/file/name
<b>select_function</b>, <b>query</b>, <b>select_field</b>, ...
With Postfix 2.2 the <b>query</b> parameter has highest precedence, see
- COMPATIBILITY above.
+ OBSOLETE QUERY INTERFACES below.
NOTE: DO NOT put quotes around the <b>query</b> parameter.
NOTE: DO NOT put quotes around the result format!
<b>domain (default: no domain list)</b>
- This is a list of domain names, paths to files, or dictionaries.
- When specified, only fully qualified search keys with a
- *non-empty* localpart and a matching domain are eligible for
+ This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
+ databases. When specified, only fully qualified search keys with
+ a *non-empty* localpart and a matching domain are eligible for
lookup: 'user' lookups, bare domain lookups and "@domain"
lookups are not performed. This can significantly reduce the
query load on the PostgreSQL server.
as an argument by itself:
<i>Right</i>: command -f $sender -- $recipient
+ NOTE: DO NOT put quotes around the command, $sender, or $recipi-
+ ent.
This feature is available as of Postfix 2.3.
<b>size</b>=<i>size</i><b>_</b><i>limit</i> (optional)
- Don't deliver messages that exceed this size limit (in bytes);
+ Don't deliver messages that exceed this size limit (in bytes);
return them to the sender instead.
<b>user</b>=<i>username</i> (required)
<b>user</b>=<i>username</i>:<i>groupname</i>
- Execute the external command with the user ID and group ID of
- the specified <i>username</i>. The software refuses to execute com-
- mands with root privileges, or with the privileges of the mail
+ Execute the external command with the user ID and group ID of
+ the specified <i>username</i>. The software refuses to execute com-
+ mands with root privileges, or with the privileges of the mail
system owner. If <i>groupname</i> is specified, the corresponding group
ID is used instead of the group ID of <i>username</i>.
<b>argv</b>=<i>command</i>... (required)
- The command to be executed. This must be specified as the last
+ The command to be executed. This must be specified as the last
command attribute. The command is executed directly, i.e. with-
- out interpretation of shell meta characters by a shell command
+ out interpretation of shell meta characters by a shell command
interpreter.
Specify "{" and "}" around command arguments that contain white-
- space (Postfix 3.0 and later). Whitespace after the opening "{"
+ space (Postfix 3.0 and later). Whitespace after the opening "{"
and before the closing "}" is ignored.
- In the command argument vector, the following macros are recog-
+ In the command argument vector, the following macros are recog-
nized and replaced with corresponding information from the Post-
fix queue manager delivery request.
- In addition to the form ${<i>name</i>}, the forms $<i>name</i> and the depre-
+ In addition to the form ${<i>name</i>}, the forms $<i>name</i> and the depre-
cated form $(<i>name</i>) are also recognized. Specify <b>$$</b> where a sin-
gle <b>$</b> is wanted.
<b>${client_address}</b>
- This macro expands to the remote client network address.
+ This macro expands to the remote client network address.
This feature is available as of Postfix 2.2.
<b>${client_helo}</b>
- This macro expands to the remote client HELO command
+ This macro expands to the remote client HELO command
parameter.
This feature is available as of Postfix 2.2.
This feature is available as of Postfix 2.2.
<b>${client_port}</b>
- This macro expands to the remote client TCP port number.
+ This macro expands to the remote client TCP port number.
This feature is available as of Postfix 2.5.
<b>${domain}</b>
This macro expands to the domain portion of the recipient
- address. For example, with an address <i>user+foo@domain</i>
+ address. For example, with an address <i>user+foo@domain</i>
the domain is <i>domain</i>.
This information is modified by the <b>h</b> flag for case fold-
This feature is available as of Postfix 2.5.
<b>${extension}</b>
- This macro expands to the extension part of a recipient
- address. For example, with an address <i>user+foo@domain</i>
+ This macro expands to the extension part of a recipient
+ address. For example, with an address <i>user+foo@domain</i>
the extension is <i>foo</i>.
- A command-line argument that contains <b>${extension}</b>
- expands into as many command-line arguments as there are
+ A command-line argument that contains <b>${extension}</b>
+ expands into as many command-line arguments as there are
recipients.
This information is modified by the <b>u</b> flag for case fold-
<b>${mailbox}</b>
This macro expands to the complete local part of a recip-
- ient address. For example, with an address
+ ient address. For example, with an address
<i>user+foo@domain</i> the mailbox is <i>user+foo</i>.
- A command-line argument that contains <b>${mailbox}</b> expands
- to as many command-line arguments as there are recipi-
+ A command-line argument that contains <b>${mailbox}</b> expands
+ to as many command-line arguments as there are recipi-
ents.
This information is modified by the <b>u</b> flag for case fold-
ing.
<b>${original_recipient}</b>
- This macro expands to the complete recipient address
+ This macro expands to the complete recipient address
before any address rewriting or aliasing.
- A command-line argument that contains <b>${original_recipi-</b>
- <b>ent}</b> expands to as many command-line arguments as there
+ A command-line argument that contains <b>${original_recipi-</b>
+ <b>ent}</b> expands to as many command-line arguments as there
are recipients.
This information is modified by the <b>hqu</b> flags for quoting
<b>${recipient}</b>
This macro expands to the complete recipient address.
- A command-line argument that contains <b>${recipient}</b>
- expands to as many command-line arguments as there are
+ A command-line argument that contains <b>${recipient}</b>
+ expands to as many command-line arguments as there are
recipients.
This information is modified by the <b>hqu</b> flags for quoting
<b>${sasl_method}</b>
This macro expands to the name of the SASL authentication
- mechanism in the AUTH command when the Postfix SMTP
+ mechanism in the AUTH command when the Postfix SMTP
server received the message.
This feature is available as of Postfix 2.2.
<b>${sasl_sender}</b>
- This macro expands to the SASL sender name (i.e. the
+ This macro expands to the SASL sender name (i.e. the
original submitter as per <a href="https://tools.ietf.org/html/rfc4954">RFC 4954</a>) in the MAIL FROM com-
mand when the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
<b>${sender}</b>
- This macro expands to the envelope sender address. By
- default, the null sender address expands to MAILER-DAE-
- MON; this can be changed with the <b>null_sender</b> attribute,
+ This macro expands to the envelope sender address. By
+ default, the null sender address expands to MAILER-DAE-
+ MON; this can be changed with the <b>null_sender</b> attribute,
as described above.
This information is modified by the <b>q</b> flag for quoting.
<b>${size}</b>
This macro expands to Postfix's idea of the message size,
- which is an approximation of the size of the message as
+ which is an approximation of the size of the message as
delivered.
<b>${user}</b>
- This macro expands to the username part of a recipient
- address. For example, with an address <i>user+foo@domain</i>
+ This macro expands to the username part of a recipient
+ address. For example, with an address <i>user+foo@domain</i>
the username part is <i>user</i>.
- A command-line argument that contains <b>${user}</b> expands
- into as many command-line arguments as there are recipi-
+ A command-line argument that contains <b>${user}</b> expands
+ into as many command-line arguments as there are recipi-
ents.
This information is modified by the <b>u</b> flag for case fold-
<a href="https://tools.ietf.org/html/rfc3463">RFC 3463</a> (Enhanced status codes)
<b>DIAGNOSTICS</b>
- Command exit status codes are expected to follow the conventions
+ Command exit status codes are expected to follow the conventions
defined in <<b>sysexits.h</b>>. Exit status 0 means normal successful comple-
tion.
In the case of a non-zero exit status, a limited amount of command out-
- put is logged, and reported in a delivery status notification. When
- the output begins with a 4.X.X or 5.X.X enhanced status code, the sta-
- tus code takes precedence over the non-zero exit status (Postfix ver-
+ put is logged, and reported in a delivery status notification. When
+ the output begins with a 4.X.X or 5.X.X enhanced status code, the sta-
+ tus code takes precedence over the non-zero exit status (Postfix ver-
sion 2.3 and later).
- After successful delivery (zero exit status) a limited amount of com-
- mand output is logged, and reported in "success" delivery status noti-
+ After successful delivery (zero exit status) a limited amount of com-
+ mand output is logged, and reported in "success" delivery status noti-
fications (Postfix 3.0 and later). This command output is not examined
for the presence of an enhanced status code.
- Problems
and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
- Corrupted message files are marked so that the queue manager can move
+ Problems
and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
+ Corrupted message files are marked so that the queue manager can move
them to the <b>corrupt</b> queue for further inspection.
<b>SECURITY</b>
- This program needs a dual personality 1) to access the private Postfix
- queue and IPC mechanisms, and 2) to execute external commands as the
+ This program needs a dual personality 1) to access the private Postfix
+ queue and IPC mechanisms, and 2) to execute external commands as the
specified user. It is therefore security sensitive.
<b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically as <a href="pipe.8.html"><b>pipe</b>(8)</a> processes run
- for only a limited amount of time. Use the command "<b>postfix reload</b>" to
+ for only a limited amount of time. Use the command "<b>postfix reload</b>" to
speed up a change.
- The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
+ The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
more details including examples.
<b>RESOURCE AND RATE CONTROLS</b>
In the text below, <i>transport</i> is the first field in a <a href="master.5.html"><b>master.cf</b></a> entry.
- <b>
transport_time_limit ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b>
+ <b>
<a href="postconf.5.html#transport_time_limit">transport_time_limit</a> ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#command_time_limit">command_time_limit</a> parame-
- ter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message
+ ter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message
delivery transport.
Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon:
- <b>
transport_destination_concurrency_limit ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
- A transport-specific override for the default_destination_con-
-
currency_limit parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
- <b>
transport_destination_recipient_limit ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
- <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ <a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a>
parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to handle a
+ How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer.
<b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal point when log-
+ The maximal number of digits after the decimal point when log-
ging sub-second delay values.
<b><a href="postconf.5.html#export_environment">export_environment</a> (see 'postconf -d' output)</b>
- The list of environment variables that a Postfix process will
+ The list of environment variables that a Postfix process will
export to non-Postfix processes.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information over an
+ The time limit for sending or receiving information over an
internal communication channel.
<b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
- The UNIX system account that owns the Postfix queue and most
+ The UNIX system account that owns the Postfix queue and most
Postfix daemon processes.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix daemon process
+ The maximum amount of time that an idle Postfix daemon process
waits for an incoming connection before terminating voluntarily.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
The location of the Postfix top-level queue directory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
- The set of characters that can separate an email address local-
+ The set of characters that can separate an email address local-
part, user name, or a .forward file name from its extension.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available in Postfix version 3.0 and later:
<b><a href="postconf.5.html#pipe_delivery_status_filter">pipe_delivery_status_filter</a> ($<a href="postconf.5.html#default_delivery_status_filter">default_delivery_status_filter</a>)</b>
- Optional filter for the <a href="pipe.8.html"><b>pipe</b>(8)</a> delivery agent to change the
+ Optional filter for the <a href="pipe.8.html"><b>pipe</b>(8)</a> delivery agent to change the
delivery status code or explanatory text of successful or unsuc-
cessful deliveries.
Available in Postfix version 3.3 and later:
<b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
- Enable support for the original recipient address after an
- address is rewritten to a different address (for example with
+ Enable support for the original recipient address after an
+ address is rewritten to a different address (for example with
aliasing or with canonical mapping).
<b><a href="postconf.5.html#service_name">service_name</a> (read-only)</b>
Available in Postfix 3.5 and later:
<b><a href="postconf.5.html#info_log_address_format">info_log_address_format</a> (external)</b>
- The email address form that will be used in non-debug logging
+ The email address form that will be used in non-debug logging
(info, warning, etc.).
<b>SEE ALSO</b>
The <a href="postalias.1.html"><b>postalias</b>(1)</a> command creates or queries one or more Postfix alias
databases, or updates an existing one. The input and output file for-
mats are expected to be compatible with Sendmail version 8, and are
- expected to be suitable for the use as NIS alias maps.
+ expected to be suitable for use as NIS alias maps.
If the result files do not exist they will be created with the same
group and other read permissions as their source file.
and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
or more service fields with new values as specified with "<i>ser-</i>
<i>vice/type/field=value</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. Cur-
rently, the "command" field contains the command name and com-
- mand arguments. this may change in the near future, so that the
+ mand arguments. This may change in the near future, so that the
"command" field contains only the command name, and a new "argu-
ments" pseudofield contains the command arguments.
whitespace on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
The <b>-e</b> option is no longer needed with Postfix version 2.8 and
- later.
+ later, as it is assumed whenever a value is specified (empty or
+ non-empty).
<b>-f</b> Fold long lines when printing <a href="postconf.5.html"><b>main.cf</b></a> or <a href="master.5.html"><b>master.cf</b></a> configuration
file entries, for human readability.
This feature is available with Postfix 2.9 and later.
<b>-F</b> Show <a href="master.5.html"><b>master.cf</b></a> per-entry field settings (by default all services
- and all fields), formatted as "<i>service/type/field=value</i>", one
+ and all fields), formatted as "<i>service/type/field=value</i>", one
per line. Specify <b>-Ff</b> to fold long lines.
- Specify
one or more "<i>service/type/field</i>" instances on the <a href="postconf.1.html"><b>post-</b></a>
- <a href="postconf.1.html"><b>conf</b>(1)</a> command line to limit the output to fields of interest.
- Trailing parameter name or service type fields that are omitted
+ Specify
one or more "<i>service/type/field</i>" instances on the <a href="postconf.1.html"><b>post-</b></a>
+ <a href="postconf.1.html"><b>conf</b>(1)</a> command line to limit the output to fields of interest.
+ Trailing parameter name or service type fields that are omitted
will be handled as "*" wildcard fields.
This feature is available with Postfix 2.11 and later.
- <b>-h</b> Show parameter or attribute values without the "<i>name</i> = " label
+ <b>-h</b> Show parameter or attribute values without the "<i>name</i> = " label
that normally precedes the value.
- <b>-H</b> Show parameter or attribute names without the " = <i>value</i>" that
+ <b>-H</b> Show parameter or attribute names without the " = <i>value</i>" that
normally follows the name.
This feature is available with Postfix 3.1 and later.
- <b>-l</b> List the names of all supported mailbox locking methods. Post-
+ <b>-l</b> List the names of all supported mailbox locking methods. Post-
fix supports the following methods:
- <b>flock</b> A kernel-based advisory locking method for local files
+ <b>flock</b> A kernel-based advisory locking method for local files
only. This locking method is available on systems with a
BSD compatible library.
- <b>fcntl</b> A kernel-based advisory locking method for local and
+ <b>fcntl</b> A kernel-based advisory locking method for local and
remote files.
<b>dotlock</b>
An application-level locking method. An application locks
- a file named <i>filename</i> by creating a file named <i>file-</i>
+ a file named <i>filename</i> by creating a file named <i>file-</i>
<i>name</i><b>.lock</b>. The application is expected to remove its own
- lock file, as well as stale lock files that were left
+ lock file, as well as stale lock files that were left
behind after abnormal program termination.
- <b>-m</b> List the names of all supported lookup table types. In Postfix
- configuration files, lookup tables are specified as <i>type</i><b>:</b><i>name</i>,
+ <b>-m</b> List the names of all supported lookup table types. In Postfix
+ configuration files, lookup tables are specified as <i>type</i><b>:</b><i>name</i>,
where <i>type</i> is one of the types listed below. The table <i>name</i> syn-
- tax
depends on the lookup table type as described in the <a href="DATABASE_README.html">DATA</a>-
+ tax
depends on the lookup table type as described in the <a href="DATABASE_README.html">DATA</a>-
<a href="DATABASE_README.html">BASE_README</a> document.
- <b>btree</b> A sorted, balanced tree structure. Available on systems
+ <b>btree</b> A sorted, balanced tree structure. Available on systems
with support for Berkeley DB databases.
- <b>cdb</b> A read-optimized structure with no support for incremen-
- tal updates. Available on systems with support for CDB
+ <b>cdb</b> A read-optimized structure with no support for incremen-
+ tal updates. Available on systems with support for CDB
databases.
This feature is available with Postfix 2.2 and later.
<b>cidr</b> A table that associates values with Classless
- Inter-Domain Routing (CIDR) patterns. This is described
+ Inter-Domain Routing (CIDR) patterns. This is described
in <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a>.
This feature is available with Postfix 2.2 and later.
<b>environ</b>
The UNIX process environment array. The lookup key is the
- environment variable name; the table name is ignored.
+ environment variable name; the table name is ignored.
Originally implemented for testing, someone may find this
useful someday.
- <b>fail</b> A table that reliably fails all requests. The lookup ta-
- ble name is used for logging. This table exists to sim-
+ <b>fail</b> A table that reliably fails all requests. The lookup ta-
+ ble name is used for logging. This table exists to sim-
plify Postfix error tests.
This feature is available with Postfix 2.9 and later.
tems with support for Berkeley DB databases.
<b>inline</b> (read-only)
- A
non-shared, in-memory lookup table. Example: "<b><a href="DATABASE_README.html#types">inline</a>:{</b>
- <i>key</i><b>=</b><i>value</i><b>, {</b> <i>key</i> <b>=</b> <i>text with whitespace or comma</i> <b>}}</b>".
- Key-value pairs are separated by whitespace or comma;
- with a key-value pair inside "<b>{}</b>", whitespace is ignored
- after the opening "<b>{</b>", around the "<b>=</b>" between key and
- value, and before the closing "<b>}</b>". Inline tables elimi-
- nate the need to create a database file for just a few
+ A
non-shared, in-memory lookup table. Example: "<b><a href="DATABASE_README.html#types">inline</a>:{</b>
+ <i>key</i><b>=</b><i>value</i><b>, {</b> <i>key</i> <b>=</b> <i>text with whitespace or comma</i> <b>}}</b>".
+ Key-value pairs are separated by whitespace or comma;
+ with a key-value pair inside "<b>{}</b>", whitespace is ignored
+ after the opening "<b>{</b>", around the "<b>=</b>" between key and
+ value, and before the closing "<b>}</b>". Inline tables elimi-
+ nate the need to create a database file for just a few
fixed elements. See also the <i><a href="DATABASE_README.html#types">static</a>:</i> map type.
This feature is available with Postfix 3.0 and later.
<b>internal</b>
- A non-shared, in-memory hash table. Its content are lost
+ A non-shared, in-memory hash table. Its content are lost
when a process terminates.
- <b>lmdb</b> OpenLDAP LMDB database (a memory-mapped, persistent
- file). Available on systems with support for LMDB data-
+ <b>lmdb</b> OpenLDAP LMDB database (a memory-mapped, persistent
+ file). Available on systems with support for LMDB data-
bases. This is described in <a href="lmdb_table.5.html"><b>lmdb_table</b>(5)</a>.
This feature is available with Postfix 2.11 and later.
LDAP database client. This is described in <a href="ldap_table.5.html"><b>ldap_table</b>(5)</a>.
<b>memcache</b>
- Memcache
database client. This is described in <a href="memcache_table.5.html"><b>mem-</b></a>
+ Memcache
database client. This is described in <a href="memcache_table.5.html"><b>mem-</b></a>
<a href="memcache_table.5.html"><b>cache_table</b>(5)</a>.
This feature is available with Postfix 2.9 and later.
<b>mysql</b> (read-only)
MySQL database client. Available on systems with support
- for
MySQL databases. This is described in <a href="mysql_table.5.html"><b>mysql_ta-</b></a>
+ for
MySQL databases. This is described in <a href="mysql_table.5.html"><b>mysql_ta-</b></a>
<a href="mysql_table.5.html"><b>ble</b>(5)</a>.
<b>pcre</b> (read-only)
- A lookup table based on Perl Compatible Regular Expres-
+ A lookup table based on Perl Compatible Regular Expres-
sions. The file format is described in <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
<b>pgsql</b> (read-only)
- PostgreSQL database client. This is described in
+ PostgreSQL database client. This is described in
<a href="pgsql_table.5.html"><b>pgsql_table</b>(5)</a>.
This feature is available with Postfix 2.1 and later.
<b>pipemap</b> (read-only)
- A lookup table that constructs a pipeline of tables.
- Example: "<b><a href="DATABASE_README.html#types">pipemap</a>:{</b><i>type</i><b>_</b><i>1:name</i><b>_</b><i>1, ..., type</i><b>_</b><i>n:name</i><b>_</b><i>n</i><b>}</b>".
- Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is given to the first table. Each
+ A lookup table that constructs a pipeline of tables.
+ Example: "<b><a href="DATABASE_README.html#types">pipemap</a>:{</b><i>type</i><b>_</b><i>1:name</i><b>_</b><i>1, ..., type</i><b>_</b><i>n:name</i><b>_</b><i>n</i><b>}</b>".
+ Each "<a href="DATABASE_README.html#types">pipemap</a>:" query is given to the first table. Each
lookup result becomes the query for the next table in the
- pipeline, and the last table produces the final result.
- When any table lookup produces no result, the pipeline
- produces no result. The first and last characters of the
+ pipeline, and the last table produces the final result.
+ When any table lookup produces no result, the pipeline
+ produces no result. The first and last characters of the
"<a href="DATABASE_README.html#types">pipemap</a>:" table name must be "<b>{</b>" and "<b>}</b>". Within these,
individual maps are separated with comma or whitespace.
This feature is available with Postfix 3.0 and later.
- <b>proxy</b> Postfix <a href="proxymap.8.html"><b>proxymap</b>(8)</a> client for shared access to Postfix
+ <b>proxy</b> Postfix <a href="proxymap.8.html"><b>proxymap</b>(8)</a> client for shared access to Postfix
databases. The table name syntax is <i>type</i><b>:</b><i>name</i>.
This feature is available with Postfix 2.0 and later.
<b>randmap</b> (read-only)
- An in-memory table that performs random selection. Exam-
+ An in-memory table that performs random selection. Exam-
ple: "<b><a href="DATABASE_README.html#types">randmap</a>:{</b><i>result</i><b>_</b><i>1, ..., result</i><b>_</b><i>n</i><b>}</b>". Each table
query returns a random choice from the specified results.
- The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table
- name must be "<b>{</b>" and "<b>}</b>". Within these, individual
+ The first and last characters of the "<a href="DATABASE_README.html#types">randmap</a>:" table
+ name must be "<b>{</b>" and "<b>}</b>". Within these, individual
results are separated with comma or whitespace. To give a
specific result more weight, specify it multiple times.
This feature is available with Postfix 3.0 and later.
<b>regexp</b> (read-only)
- A lookup table based on regular expressions. The file
+ A lookup table based on regular expressions. The file
format is described in <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>.
<b>sdbm</b> An indexed file type based on hashing. Available on sys-
This feature is available with Postfix 2.2 and later.
<b>socketmap</b> (read-only)
- Sendmail-style socketmap client. The table name is
- <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP server, or <b>unix</b>:<i>path-</i>
- <i>name</i>:<i>name</i> for a UNIX-domain server. This is described in
+ Sendmail-style socketmap client. The table name is
+ <b>inet</b>:<i>host</i>:<i>port</i>:<i>name</i> for a TCP/IP server, or <b>unix</b>:<i>path-</i>
+ <i>name</i>:<i>name</i> for a UNIX-domain server. This is described in
<a href="socketmap_table.5.html"><b>socketmap_table</b>(5)</a>.
This feature is available with Postfix 2.10 and later.
This feature is available with Postfix 2.8 and later.
<b>static</b> (read-only)
- A table that always returns its name as lookup result.
+ A table that always returns its name as lookup result.
For example, <b><a href="DATABASE_README.html#types">static</a>:foobar</b> always returns the string <b>foo-</b>
- <b>bar</b> as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with white-</i>
- <i>space</i> <b>}</b>" when the result contains whitespace; this form
- ignores whitespace after the opening "<b>{</b>" and before the
+ <b>bar</b> as lookup result. Specify "<b><a href="DATABASE_README.html#types">static</a>:{</b> <i>text with white-</i>
+ <i>space</i> <b>}</b>" when the result contains whitespace; this form
+ ignores whitespace after the opening "<b>{</b>" and before the
closing "<b>}</b>". See also the <i><a href="DATABASE_README.html#types">inline</a>:</i> map.
The form "<b><a href="DATABASE_README.html#types">static</a>:{</b><i>text</i><b>}</b> is available with Postfix 3.0 and
TCP/IP client. The protocol is described in <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
<b>texthash</b> (read-only)
- Produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that you
- don't need to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before you can
- use the file, and that it does not detect changes after
+ Produces similar results as <a href="DATABASE_README.html#types">hash</a>: files, except that you
+ don't need to run the <a href="postmap.1.html"><b>postmap</b>(1)</a> command before you can
+ use the file, and that it does not detect changes after
the file is read.
This feature is available with Postfix 2.8 and later.
<b>unionmap</b> (read-only)
- A table that sends each query to multiple lookup tables
- and that concatenates all found results, separated by
+ A table that sends each query to multiple lookup tables
+ and that concatenates all found results, separated by
comma. The table name syntax is the same as for <b>pipemap</b>.
This feature is available with Postfix 3.0 and later.
<b>unix</b> (read-only)
- A limited view of the UNIX authentication database. The
+ A limited view of the UNIX authentication database. The
following tables are implemented:
<b>unix:passwd.byname</b>
- The table is the UNIX password database. The key
- is a login name. The result is a password file
+ The table is the UNIX password database. The key
+ is a login name. The result is a password file
entry in <b>passwd</b>(5) format.
<b>unix:group.byname</b>
The table is the UNIX group database. The key is a
- group name. The result is a group file entry in
+ group name. The result is a group file entry in
<b>group</b>(5) format.
- Other table types may exist depending on how Postfix was built.
+ Other table types may exist depending on how Postfix was built.
- <b>-M</b> Show <a href="master.5.html"><b>master.cf</b></a> file contents instead of <a href="postconf.5.html"><b>main.cf</b></a> file contents.
+ <b>-M</b> Show <a href="master.5.html"><b>master.cf</b></a> file contents instead of <a href="postconf.5.html"><b>main.cf</b></a> file contents.
Specify <b>-Mf</b> to fold long lines for human readability.
Specify zero or more arguments, each with a <i>service-name</i> or <i>ser-</i>
- <i>vice-name/service-type</i> pair, where <i>service-name</i> is the first
- field of a <a href="master.5.html">master.cf</a> entry and <i>service-type</i> is one of (<b>inet</b>,
+ <i>vice-name/service-type</i> pair, where <i>service-name</i> is the first
+ field of a <a href="master.5.html">master.cf</a> entry and <i>service-type</i> is one of (<b>inet</b>,
<b>unix</b>, <b>fifo</b>, or <b>pass</b>).
- If <i>service-name</i> or <i>service-name/service-type</i> is specified, only
- the matching <a href="master.5.html">master.cf</a> entries will be output. For example,
- "<b>postconf -Mf smtp</b>" will output all services named "smtp", and
- "<b>postconf -Mf smtp/inet</b>" will output only the smtp service that
- listens on the network. Trailing service type fields that are
+ If <i>service-name</i> or <i>service-name/service-type</i> is specified, only
+ the matching <a href="master.5.html">master.cf</a> entries will be output. For example,
+ "<b>postconf -Mf smtp</b>" will output all services named "smtp", and
+ "<b>postconf -Mf smtp/inet</b>" will output only the smtp service that
+ listens on the network. Trailing service type fields that are
omitted will be handled as "*" wildcard fields.
This feature is available with Postfix 2.9 and later. The syntax
- was changed from "<i>name.type</i>" to "<i>name/type</i>", and "*" wildcard
+ was changed from "<i>name.type</i>" to "<i>name/type</i>", and "*" wildcard
support was added with Postfix 2.11.
<b>-n</b> Show only configuration parameters that have explicit <i>name=value</i>
- settings in <a href="postconf.5.html"><b>main.cf</b></a>. Specify <b>-nf</b> to fold long lines for human
- readability (Postfix 2.9 and later). To show settings that dif-
+ settings in <a href="postconf.5.html"><b>main.cf</b></a>. Specify <b>-nf</b> to fold long lines for human
+ readability (Postfix 2.9 and later). To show settings that dif-
fer from built-in defaults only, use the following bash syntax:
- comm -23 <(postconf -n) <(postconf -d)
+ LANG=C comm -23 <(postconf -n) <(postconf -d)
Replace "-23" with "-12" to show settings that duplicate
built-in defaults.
<b>-o</b> <i>name=value</i>
- Override <a href="postconf.5.html"><b>main.cf</b></a> parameter settings.
+ Override <a href="postconf.5.html"><b>main.cf</b></a> parameter settings. This lets you see the
+ effect changing a parameter would have when it is used in other
+ configuration parameters, e.g.:
+ postconf -x -o stress=yes
This feature is available with Postfix 2.10 and later.
This feature is available with Postfix 2.11 and later.
- <b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser-
- vices and all parameters), formatted as "<i>service/type/parame-</i>
+ <b>-P</b> Show <a href="master.5.html"><b>master.cf</b></a> service parameter settings (by default all ser-
+ vices and all parameters), formatted as "<i>service/type/parame-</i>
<i>ter=value</i>", one per line. Specify <b>-Pf</b> to fold long lines.
- Specify one or more "<i>service/type/parameter</i>" instances on the
- <a href="postconf.1.html"><b>postconf</b>(1)</a> command line to limit the output to parameters of
- interest. Trailing parameter name or service type fields that
+ Specify one or more "<i>service/type/parameter</i>" instances on the
+ <a href="postconf.1.html"><b>postconf</b>(1)</a> command line to limit the output to parameters of
+ interest. Trailing parameter name or service type fields that
are omitted will be handled as "*" wildcard fields.
This feature is available with Postfix 2.11 and later.
<b>-t</b> [<i>template</i><b>_</b><i>file</i>]
- Display the templates for text that appears at the beginning of
- delivery status notification (DSN) messages, without expanding
+ Display the templates for text that appears at the beginning of
+ delivery status notification (DSN) messages, without expanding
$<b>name</b> expressions.
- To override the <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a></b> parameter setting, specify
- a template file name at the end of the "<b>postconf -t</b>" command
- line. Specify an empty file name to display built-in templates
+ To override the <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a></b> parameter setting, specify
+ a template file name at the end of the "<b>postconf -t</b>" command
+ line. Specify an empty file name to display built-in templates
(in shell language: "").
This feature is available with Postfix 2.3 and later.
<b>-T</b> <i>mode</i>
- If Postfix is compiled without TLS support, the <b>-T</b> option pro-
- duces no output. Otherwise, if an invalid <i>mode</i> is specified,
- the <b>-T</b> option reports an error and exits with a non-zero status
+ If Postfix is compiled without TLS support, the <b>-T</b> option pro-
+ duces no output. Otherwise, if an invalid <i>mode</i> is specified,
+ the <b>-T</b> option reports an error and exits with a non-zero status
code. The valid modes are:
<b>compile-version</b>
Output the OpenSSL version that Postfix was compiled with
- (i.e. the OpenSSL version in a header file). The output
+ (i.e. the OpenSSL version in a header file). The output
format is the same as with the command "<b>openssl version</b>".
<b>run-version</b>
runtime (i.e. the OpenSSL version in a shared library).
<b>public-key-algorithms</b>
- Output the lower-case names of the supported public-key
+ Output the lower-case names of the supported public-key
algorithms, one per-line.
This feature is available with Postfix 3.1 and later.
- <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
+ <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
- <b>-x</b> Expand <i>$name</i> in <a href="postconf.5.html"><b>main.cf</b></a> or <a href="master.5.html"><b>master.cf</b></a> parameter values. The
+ <b>-x</b> Expand <i>$name</i> in <a href="postconf.5.html"><b>main.cf</b></a> or <a href="master.5.html"><b>master.cf</b></a> parameter values. The
expansion is recursive.
This feature is available with Postfix 2.10 and later.
- <b>-X</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove the parameters
+ <b>-X</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and remove the parameters
named on the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line. Specify a list of param-
eter names, not "<i>name=value</i>" pairs.
- With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
- or more service entries as specified with "<i>service/type</i>" on the
+ With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
+ or more service entries as specified with "<i>service/type</i>" on the
<a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
- With <b>-P</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
+ With <b>-P</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and remove one
or more service parameter settings (-o parameter=value settings)
- as
specified with "<i>service/type/parameter</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a>
+ as
specified with "<i>service/type/parameter</i>" on the <a href="postconf.1.html"><b>postconf</b>(1)</a>
command line.
In all cases the file is copied to a temporary file then renamed
into place. Specify quotes to protect special characters on the
<a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
- There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
+ There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
tion.
- This feature is available with Postfix 2.10 and later. Support
+ This feature is available with Postfix 2.10 and later. Support
for -M and -P was added with Postfix 2.11.
<b>-#</b> Edit the <a href="postconf.5.html"><b>main.cf</b></a> configuration file, and comment out the parame-
eters revert to their default values. Specify a list of parame-
ter names, not "<i>name=value</i>" pairs.
- With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment out
- one or more service entries as specified with "<i>service/type</i>" on
+ With <b>-M</b>, edit the <a href="master.5.html"><b>master.cf</b></a> configuration file, and comment out
+ one or more service entries as specified with "<i>service/type</i>" on
the <a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
In all cases the file is copied to a temporary file then renamed
into place. Specify quotes to protect special characters on the
<a href="postconf.1.html"><b>postconf</b>(1)</a> command line.
- There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
+ There is no <a href="postconf.1.html"><b>postconf</b>(1)</a> command to perform the reverse opera-
tion.
- This feature is available with Postfix 2.6 and later. Support
+ This feature is available with Postfix 2.6 and later. Support
for -M was added with Postfix 2.11.
<b>DIAGNOSTICS</b>
Directory with Postfix configuration files.
<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro-
+ The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant to this pro-
gram.
- The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
+ The text below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for
more details including examples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
- Pathname of a configuration file with bounce message templates.
+ Pathname of a configuration file with bounce message templates.
<b>FILES</b>
/etc/postfix/<a href="postconf.5.html">main.cf</a>, Postfix configuration parameters
reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.7. </p>
<p>
Specify a location in a file system that will not fill up. If the
-database becomes corrupted, the world comes to an end. To recover
+database becomes corrupted, the world comes to an end. To recover,
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>
verification cache.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
be refreshed.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p>
This feature is available in Postfix 2.1 and later.
The default polling delay is 3 seconds.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
verification cache.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
when the probe fails (optimistic caching).
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
resulted in wasted network and processing resources. </p>
<p> To enable time-dependent probe sender addresses, specify a
-non-zero time value (an integral value plus an optional one-letter
-suffix that specifies the time unit). Specify a value of at least
-several hours, to avoid problems with senders that use greylisting.
-Avoid nice TTL values, to make the result less predictable. Time
-units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+non-zero time value. Specify a value of at least several hours,
+to avoid problems with senders that use greylisting. Avoid nice
+TTL values, to make the result less predictable. </p>
+
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.9 and later. </p>
only. Thus, information is lost whenever the process terminates.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
logs peak usage information.
</p>
-<p>
-This feature is available in Postfix 2.2 and later.
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
+This feature is available in Postfix 2.2 and later.
</p>
Postfix daemon process input buffer before giving up.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
as for regular mail.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is d (days).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
Specify 0 when mail delivery should be tried only once.
<p> Pathname of a configuration file with bounce message templates.
These override the built-in templates of delivery status notification
-(DSN) messages for undeliverable mail, for delayed mail, successful
+(DSN) messages for undeliverable mail, delayed mail, successful
delivery, or delivery verification. The <a href="bounce.5.html">bounce(5)</a> manual page
describes how to edit and test template files. </p>
(default: empty)</b></DT><DD>
<p> The <a href="local.8.html">local(8)</a> delivery agent working directory for delivery to
-external command. Failure to change directory causes the delivery
+external commands. Failure to change directory causes the delivery
to be deferred. </p>
<p> The <a href="postconf.5.html#command_execution_directory">command_execution_directory</a> value is not subject to Postfix
<dt><b>${name?value}</b></dt>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
+
</dl>
<p>
<p> How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
the other message can be delivered using no more delivery slots
(i.e., invocations of delivery agents) than the current message
counter has accumulated (or will eventually accumulate - see about
-slot loans below). This parameter controls how often is the counter
+slot loans below). This parameter controls how often the counter is
incremented - it happens after each <a href="postconf.5.html#default_delivery_slot_cost">default_delivery_slot_cost</a>
recipients have been delivered.
</p>
This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
-transport_delivery_slot_discount percent of the required amount
-plus transport_delivery_slot_loan still remains to be accumulated.
+<a href="postconf.5.html#transport_delivery_slot_discount"><i>transport</i>_delivery_slot_discount</a> percent of the required amount
+plus <a href="postconf.5.html#transport_delivery_slot_loan"><i>transport</i>_delivery_slot_loan</a> still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
</p>
This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
-transport_delivery_slot_discount percent of the required amount
-plus transport_delivery_slot_loan still remains to be accumulated.
+<a href="postconf.5.html#transport_delivery_slot_discount">transport_delivery_slot_discount</a> percent of the required amount
+plus <a href="postconf.5.html#transport_delivery_slot_loan">transport_delivery_slot_loan</a> still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
</p>
The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the <a href="lmtp.8.html">lmtp(8)</a>,
<a href="pipe.8.html">pipe(8)</a>, <a href="smtp.8.html">smtp(8)</a> and <a href="virtual.8.html">virtual(8)</a> delivery agents.
-With per-destination recipient limit > 1, a destination is a domain,
+With a per-destination recipient limit > 1, a destination is a domain,
otherwise it is a recipient.
</p>
number of in-memory recipients. This extra recipient space is
reserved for the cases when the Postfix queue manager's scheduler
preempts one message with another and suddenly needs some extra
-recipients slots for the chosen message in order to avoid performance
+recipient slots for the chosen message in order to avoid performance
degradation.
</p>
<p>
The default rights used by the <a href="local.8.html">local(8)</a> delivery agent for delivery
-to external file or command. These rights are used when delivery
+to an external file or command. These rights are used when delivery
is requested from an <a href="aliases.5.html">aliases(5)</a> file that is owned by <b>root</b>, or
when delivery is done on behalf of <b>root</b>. <b>DO NOT SPECIFY A
PRIVILEGED USER OR THE POSTFIX OWNER</b>.
<dd>The sender address localpart or <> in case of the null address. </dd>
-<dt><b>${name?text}</b></dt>
+<dt><b>${name?value}</b></dt>
+
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
+
+<dt><b>${name:value}</b></dt>
+
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
-<dd>Expands to `text' if $name is not empty. </dd>
+<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
-<dt><b>${name:text}</b></dt>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
-<dd>Expands to `text' if $name is empty. </dd>
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
</dl>
(default: 5s)</b></DT><DD>
<p>
-The default per-transport maximum delay between recipients refills.
-When not all message recipients fit into the memory at once, keep loading
+The default per-transport maximum delay between refilling recipients.
+When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
-make sure the recipients are refilled in timely manner even when
+make sure the recipients are refilled in a timely manner even when
$<a href="postconf.5.html#default_recipient_refill_limit">default_recipient_refill_limit</a> is too high for too slow deliveries.
</p>
<p>
The default per-transport limit on the number of recipients refilled at
-once. When not all message recipients fit into the memory at once, keep
+once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See also
$<a href="postconf.5.html#default_recipient_refill_delay">default_recipient_refill_delay</a>, which may result in recipient batches
lower than this when this limit is too high for too slow deliveries.
<p> The two default VERP delimiter characters. These are used when
no explicit delimiters are specified with the SMTP XVERP command
-or with the "<b>sendmail -V</b>" command-line option. Specify
-characters that are allowed by the <a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> setting.
+or with the "<b>sendmail -XV</b>" command-line option (Postfix 2.2
+and earlier: <b>-V</b>). Specify characters that are allowed by the
+<a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> setting.
</p>
<p>
<p>
The names of message delivery transports that should not deliver mail
unless someone issues "<b>sendmail -q</b>" or equivalent. Specify zero
-or more names of mail delivery transports names that appear in the
+or more mail delivery transport names that appear in the
first field of <a href="master.5.html">master.cf</a>.
</p>
<p> The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6. </p>
-<p> Large delay values are rounded off to an integral number seconds;
+<p> Large delay values are rounded off to an integral number of seconds;
delay values below the <a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> are logged
as "0", and delay values under 100s are logged with at most two-digit
precision. </p>
file or <a href="bounce.8.html">bounce(8)</a> logfile.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p> The delay between attempts to fork() a child process. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<dt><b>${name?value}</b></dt>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
+
</dl>
<p>
<p> The format of the Postfix-generated <b>From:</b> header. This
setting affects the appearance of 'full name' information when a
-local program such as /bin/mail submits a message without From:
+local program such as /bin/mail submits a message without a From:
header through the Postfix <a href="sendmail.1.html">sendmail(1)</a> command. </p>
<p> Specify one of the following: </p>
<DT><b><a name="import_environment">import_environment</a>
(default: see "postconf -d" output)</b></DT><DD>
-<p> The list of environment parameters that a privileged Postfix
+<p> The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or name=value
environment overrides. Unprivileged utilities will enforce the
name=value overrides, but otherwise will not change their process
-environment. Examples of relevant parameters: </p>
+environment. Examples of relevant environment variables: </p>
<dl>
<p> Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace
-or comma in parameter values (whitespace after the opening "{" and
+or comma in environment variable values (whitespace after the opening "{" and
before the closing "}"
is ignored). The form name=value is supported with Postfix version
2.1 and later; the use of {} is supported with Postfix 3.0 and
<p> With Postfix 2.4 the default value was reduced from 100s to 5s. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
fatal error.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
the Postfix address resolving and rewriting clients.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
<p>
Most of these limitations have been with the Postfix
-a connection cache that is shared among multiple LMTP client
+connection cache that is shared among multiple LMTP client
programs.
</p>
connection can be made within the deadline, the LMTP client tries
the next address on the mail exchanger list. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
Example:
is received within the deadline, a warning is logged that the mail
may be delivered multiple times. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
the LMTP client terminates the transfer.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p>
The default value is the machine hostname. Specify a hostname or
-[ip.add.re.ss].
+[ip.add.re.ss] or [ip:v6:add:re::ss].
</p>
<p>
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
order to finish a recipient address probe, or to verify that a
cached connection is still alive. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<dt><b>nodictionary</b></dt>
<dd>Disallow authentication methods that are vulnerable to passive
-dictionary attack. </dd>
+dictionary attacks. </dd>
<dt><b>noanonymous</b></dt>
server response announces XFORWARD support. This allows an <a href="lmtp.8.html">lmtp(8)</a>
delivery agent, used for content filter message injection, to
forward the name, address, protocol and HELO name of the original
-client to the content filter and downstream queuing LMTP server.
+client to the content filter and downstream LMTP server.
Before you change the value to yes, it is best to make sure that
your content filter supports this command.
</p>
the mail exchanger list.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
(default: empty)</b></DT><DD>
<p>
-Optional shell program for <a href="local.8.html">local(8)</a> delivery to non-Postfix command.
+Optional shell program for <a href="local.8.html">local(8)</a> delivery to non-Postfix commands.
By default, non-Postfix commands are executed directly; commands
are given to the default shell (typically, /bin/sh) only when they
contain shell meta characters or shell built-in commands.
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
<a href="postconf.5.html#local_login_sender_maps">local_login_sender_maps</a> =
- <a href="DATABASE_README.html#types">inline</a>:{ { root = *}, { postfix = * } },
+ <a href="DATABASE_README.html#types">inline</a>:{ { root = * }, { postfix = * } },
<a href="pcre_table.5.html">pcre</a>:/etc/postfix/login_senders
</pre>
<pre>
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
- /(.+)/ $1 $1@example.com/
+ /(.+)/ $1 $1@example.com
</pre>
<p> This feature is available in Postfix 3.6 and later. </p>
<dt><b>${name?value}</b></dt>
-<dd>Expands to <i>value</i> when <i>$name</i> has a non-empty value. </dd>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
-<dd>Expands to <i>value</i> when <i>$name</i> has an empty value. </dd>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
</dl>
file, or zero (no limit). In fact, this limits the size of any
file that is written to upon local delivery, including files written
by external commands that are executed by the <a href="local.8.html">local(8)</a> delivery
-agent. </p>
+agent. The value cannot exceed LONG_MAX (typically, a 32-bit or
+64-bit signed integer).
+</p>
<p>
This limit must not be smaller than the message size limit.
Postfix daemon processes.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p> This parameter should be set to a value greater than or equal
to $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>. See also $<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a> limit.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is d (days).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
Specify 0 when mail delivery should be tried only once.
<p>
The maximal size in bytes of a message, including envelope information.
+The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit
+signed integer).
</p>
<p> Note: be careful when making changes. Excessively small values
filter) application, and for receiving the response. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
application, and for negotiating protocol options. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
filter) application, and for receiving the response. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
applications. These defaults are used when there is no corresponding
information from the message delivery context. </p>
-<p> Specify <i>name=value</i> or <i>{name}=value</i> pairs separated
+<p> Specify <i>name=value</i> or <i>{name=value}</i> pairs separated
by comma or whitespace. Enclose a pair in "{}" when a value contains
comma or whitespace (this form ignores whitespace after the enclosing
"{", around the "=", and before the enclosing "}"). </p>
<p> This parameter should be set greater than or equal to
$<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
in Postfix version 2.4 and later. </p>
<p> Note 1: Pattern matching of domain names is controlled by the
-or absence of "<a href="postconf.5.html#mynetworks">mynetworks</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
+
presence or absence of "<a href="postconf.5.html#mynetworks">mynetworks</a>" in the <a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a>
parameter value. </p>
<p> Note 2: IP version 6 address information must be specified inside
<li><p>Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = subnet" when Postfix
should "trust" remote SMTP clients in the same IP subnetworks as the local
machine. On Linux, this works correctly only with interfaces
-specified with the "ifconfig" command. </p>
+specified with the "ifconfig" or "ip" command. </p>
<li><p>Specify "<a href="postconf.5.html#mynetworks_style">mynetworks_style</a> = class" when Postfix should
"trust" remote SMTP clients in the same IP class A/B/C networks as the
does not arrive via the Postfix <a href="smtpd.8.html">smtpd(8)</a> server. This includes local
submission via the <a href="sendmail.1.html">sendmail(1)</a> command line, new mail that arrives
via the Postfix <a href="qmqpd.8.html">qmqpd(8)</a> server, and old mail that is re-injected
-into the queue with "postsuper -r". Specify space or comma as
+into the queue with "postsuper -r". Specify space or comma as a
separator. See the <a href="MILTER_README.html">MILTER_README</a> document for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
<dd>
<a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a>,
-smtpd_access_maps,
+<a href="SMTPD_ACCESS_README.html">smtpd_access_maps</a>,
</dd>
<dt> Postfix version 2.8 and later </dt>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 3.4 and later. </p>
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
reload</b>", "<b>postfix stop</b>", or no requests for $<a href="postconf.5.html#max_idle">max_idle</a>
seconds. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.8. </p>
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 3.1. The default setting
is backwards-compatible with older Postfix versions. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 3.1. </p>
<DT><b><a name="postscreen_dnsbl_reply_map">postscreen_dnsbl_reply_map</a>
(default: empty)</b></DT><DD>
-<p> A mapping from actual DNSBL domain name which includes a secret
+<p> A mapping from an actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used. </p>
the timeouts in the <a href="dnsblog.8.html">dnsblog(8)</a> daemon which are defined by system
resolver(3) routines. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 3.0. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.8-3.0. It was
replaced by <a href="postconf.5.html#postscreen_dnsbl_max_ttl">postscreen_dnsbl_max_ttl</a> in Postfix 3.1. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
up to 6 seconds otherwise). <p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8. </p>
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8. </p>
clogging up the Postfix <a href="QSHAPE_README.html#active_queue">active queue</a>. Specify 0 to disable.
</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is enabled with the <a href="postconf.5.html#helpful_warnings">helpful_warnings</a> parameter.
</p>
a request before it is terminated by a built-in watchdog timer.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later. </p>
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later. </p>
or malicious clients.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
seconds the Postfix QMQP server gives up and disconnects.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p> This parameter should be set less than or equal to
$<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
may then be used to generate an extended .forward file name. This
implementation recognizes one delimiter character and one extension
per email address localpart or email address. With Postfix 2.10 and
-earler, the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> specifies a single character. </p>
+earl
ier, the <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> specifies a single character. </p>
<p> See <a href="canonical.5.html">canonical(5)</a>, <a href="local.8.html">local(8)</a>, <a href="relocated.5.html">relocated(5)</a> and <a href="virtual.5.html">virtual(5)</a> for the
effects of <a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> on lookups in aliases, canonical,
tables
listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
-use the result from table lookup. </p>
+use the result from the table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
appears to be malfunctioning.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
the operating system).
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
logged that the mail may be delivered multiple times.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
and for receiving the initial remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
</p>
<p>
-Choosing a too short time makes this workaround ineffective when
+Choosing too short a time makes this workaround ineffective when
sending large messages over slow network connections.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
</DD>
bug workaround for delivery through firewalls with "smtp fixup"
mode turned on. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
By default, the workaround is turned off for mail that is queued
for less than 500 seconds. In other words, the workaround is normally
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
command, and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
order to finish a recipient address probe, or to verify that a
cached session is still usable. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.1 and later. </p>
username and password, and the full server response. This information
is stored when a remote SMTP server rejects an authentication attempt
with a 535 reply code. As long as the <a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a>
-information does no change, and as long as the <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
+information does no
t change, and as long as the <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a>
information does not expire (see <a href="postconf.5.html#smtp_sasl_auth_cache_time">smtp_sasl_auth_cache_time</a>) the
Postfix SMTP client avoids SASL authentication attempts with the
same server, username and password, and instead bounces or defers
<p> The maximal age of an <a href="postconf.5.html#smtp_sasl_auth_cache_name">smtp_sasl_auth_cache_name</a> entry before it
is removed. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
+
<p> This feature is available in Postfix 2.5 and later. </p>
<p> Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper-evident" since any forged MX hostnames
will be recorded in the mail logs. Attackers who place a high value
-staying hidden may be deterred from forging MX records. </p>
+on staying hidden may be deterred from forging MX records. </p>
<p>
This feature is available in Postfix 3.1 and later. The <b>may</b>
checking. This setting has no effect on sessions that are controlled
via the <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> table. </p>
-<p> Disabling the hostname verification can make sense in closed
+<p> Disabling the hostname verification can make sense in a closed
environment where special CAs are created. If not used carefully,
this option opens the danger of a "man-in-the-middle" attack (the
CommonName of this attacker will be logged). </p>
</pre>
</blockquote>
-<p> The first setting, disables anonymous ciphers. The next setting
+<p> The first setting disables anonymous ciphers. The next setting
disables ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256-SHA"
</pre>
</blockquote>
-<p> The text to the right of "=" sign is the desired fingerprint.
+<p> The text to the right of the "=" sign is the desired fingerprint.
For example: </p>
<blockquote>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
-fingerprint and public key fingerprint when the TLS loglevel is 2 or
+fingerprint and the public key fingerprint when the TLS loglevel is 2 or
higher. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
-<dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation
-process. </dd>
+<dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the
+TLS negotiation process. </dd>
-<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
+<dt> </dt> <dd> 4 Also log the hexadecimal and ASCII dump of complete
transmission after STARTTLS. </dd>
</dl>
<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
<dd> Enable "LOW" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
The underlying cipherlist is specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a>
-configuration parameter, which you are strongly encouraged to not change.
+configuration parameter, which you are strongly encouraged not to change.
</dd>
<dt><b>high</b></dt>
mail is routed to a suitably capable <a href="postconf.5.html#relayhost">relayhost</a>) support at least one
"HIGH" grade cipher. The underlying cipherlist is specified via the
<a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a> configuration parameter, which you are strongly
-encouraged to not change. </dd>
+encouraged not to change. </dd>
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
in TLS servers). A plausible use-case is an LMTP server listening on a
UNIX-domain socket that is configured to support "NULL" ciphers. The
underlying cipherlist is specified via the <a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a>
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change. </dd>
</dl>
<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> = !SSLv2,
-!SSLv3". Listing the protocols to include, rather than protocols to
+!SSLv3". Listing the protocols to include, rather than the protocols to
exclude, is supported, but not recommended. The exclusion syntax more
accurately matches the underlying OpenSSL interface. </p>
</pre>
</blockquote>
-<p> also disables any protocols version higher than TLSv1.1 leaving
+<p> also disables any protocol versions higher than TLSv1.1 leaving
only "TLSv1" enabled. </p>
<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
<p> While the vast majority of SMTP servers with DANE TLSA records now
support at least TLS 1.2, a few still only support TLS 1.0. If you use
-"dane" or "dane-only" it is best to not disable TLSv1, except perhaps
+"dane" or "dane-only" it is best not to disable TLSv1, except perhaps
via the policy table for destinations which you are sure will support
"TLSv1.2". </p>
<p> Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per-site policy (NONE,
-MUST, etc) overrides the less specific one (MAY), and the more secure
-per-site policy (MUST, etc) overrides the less secure one (NONE).
+MUST, etc.) overrides the less specific one (MAY), and the more secure
+per-site policy (MUST, etc.) overrides the less secure one (NONE).
With Postfix 2.3 and later <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> is strongly discouraged:
use <a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> instead. </p>
and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> settings. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
-otherwise use the unencrypted connection. This has less precedence
+otherwise use an unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> = yes" or "<a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
-and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+or <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>
settings. </dd>
and "connection_reuse" attribute (Postfix ≥ 3.4) override the
"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>",
and
-"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. When opportunistic
+"<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>" configuration parameters. In the policy table,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
+as attribute values may not contain whitespace or commas. When opportunistic
TLS handshakes fail, Postfix retries the connection with TLS disabled.
This allows mail delivery to sites with non-interoperable TLS
implementations.</dd>
<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> parameter, and the optional
"connection_reuse" attribute (Postfix ≥ 3.4) overrides the
<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. In the policy table,
-multiple protocols or excluded ciphers must be separated by colons,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
as attribute values may not contain whitespace or commas. </dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
TLS authentication and DNSSEC support is available with Postfix
2.11 and later. The optional "connection_reuse" attribute (Postfix
≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
+When the effective security level used is <a
+href="TLS_README.html#client_tls_may">may</a>, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
+"<a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>", "<a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_protocols">smtp_tls_protocols</a>"
+configuration parameters.
+When the effective security level used is <a
+href="TLS_README.html#client_tls_encrypt">encrypt</a>, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
+"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
+"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters.
</dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
usable TLSA records are obtained for the remote SMTP server, the
server certificate must match the TLSA records. <a href="https://tools.ietf.org/html/rfc7672">RFC 7672</a> (DANE) TLS
authentication and DNSSEC support is available with Postfix 2.11
-and later. The optional "connection_reuse" attribute (Postfix ≥
-3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
+and later. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix ≥ 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter.
</dd>
<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, ... are not checked. Instead,
-the optional
<b>match</b> attribute, or else the <a href="postconf.5.html">main.cf</a>
+the optional
"match" attribute, or else the <a href="postconf.5.html">main.cf</a>
<b><a href="postconf.5.html#smtp_tls_fingerprint_cert_match">smtp_tls_fingerprint_cert_match</a></b> parameter, lists the certificate
fingerprints or the public key fingerprint (Postfix 2.9 and later)
of the valid server certificate. The digest
be combined with a "|" delimiter in a single match attribute, or multiple
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
-digits. The optional "connection_reuse" attribute (Postfix ≥ 3.4)
-overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
+digits. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix ≥ 2.6) override the "<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>",
+"<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and "<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a>
+parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
<dd>Mandatory TLS verification. At this security
the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
In practice explicit control over matching is more common with the
-"secure" policy, described below. The optional "connection_reuse"
-attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a>
+"secure" policy, described below. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix ≥ 2.6) override the
+"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
+"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional
+"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS
peername verification. Instead, the default name verified in the server
certificate is obtained directly from the next-hop, or is explicitly
-specified via the optional <b>match</b> attribute which overrides the
+specified via the optional "match" attribute which overrides the
<a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
The match attribute is most useful when multiple domains are supported by
-common server, the policy entries for additional domains specify matching
+a common server: the policy entries for additional domains specify matching
rules for the primary domain certificate. While transport table overrides
-routing the secondary domains to the primary nexthop also allow secure
+that route the secondary domains to the primary nexthop also allow secure
verification, they risk delivery to the wrong destination when domains
change hands or are re-assigned to new gateways. With the "match"
attribute approach, routing is not perturbed, and mail is deferred if
-verification of a new MX host fails. The optional "connection_reuse"
-attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a>
+verification of a new MX host fails. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix ≥ 2.6) override the
+"<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>", "<a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a>", and
+"<a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a>" configuration parameters. The optional
+"connection_reuse" attribute (Postfix ≥ 3.4) overrides the <a href="postconf.5.html">main.cf</a>
<a href="postconf.5.html#smtp_tls_connection_reuse">smtp_tls_connection_reuse</a> parameter. </dd>
</dl>
match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
</pre>
-<p> <b>Note:</b> The <b>hostname</b> strategy if listed in a non-default
-setting of <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> or in the <b>match</b> attribute
-in the policy table can render the <b>secure</b> level vulnerable to
-DNS forgery. Do not use the <b>hostname</b> strategy for secure-channel
+<p> <b>Note:</b> The "hostname" strategy if listed in a non-default
+setting of <a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> or in the "match" attribute
+in the policy table can render the "secure" level vulnerable to
+DNS forgery. Do not use the "hostname" strategy for secure-channel
configurations in environments where DNS security is not assured. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=<i>version</i>" where
-<i>version</i> is a either one of the TLS protocol names listed above,
+<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
<DT><b><a name="smtp_tls_security_level">smtp_tls_security_level</a>
(default: empty)</b></DT><DD>
-<p> The default SMTP TLS security level for the Postfix SMTP client;
-when a non-empty value is specified, this overrides the obsolete
-parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
-</p>
+<p> The default SMTP TLS security level for the Postfix SMTP client.
+When a non-empty value is specified, this overrides the obsolete
+parameters <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>;
+when no value is specified for <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> or the obsolete
+parameters, the default SMTP TLS security level is
+<a href="TLS_README.html#client_tls_none">none</a>. </p>
<p> Specify one of the following security levels: </p>
<pre>
# Opportunistic TLS.
<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = may
-# Do not tweak opportunistic ciphers or protocol unless it is essential
+# Do not tweak opportunistic ciphers or protocols unless it is essential
# to do so (if a security vulnerability is found in the SSL library that
# can be mitigated by disabling a particular protocol or raising the
# cipher grade).
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon. This means that
per-smtp-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not effective.
-Note
, that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon:
+Note that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon:
$<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
(and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>), needs to
be stored separately. It is not at this time possible to store multiple
≤ 0, session caching is disabled. If set to a positive value
less than 2 minutes, the minimum value of 2 minutes is used instead. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
(default: no)</b></DT><DD>
<p> Request that the Postfix SMTP client connects using the
-legacy SMTPS protocol instead of using the STARTTLS command. </p>
+SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
<p> This mode requires "<a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> = encrypt" or
stronger. </p>
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
<p>
-By default, there is no limit on the number AUTH commands that a
+By default, there is no limit on the number of AUTH commands that a
client may send.
</p>
<dd> By default use the remote SMTP client certificate fingerprint
or the public key
-fingerprint (Postfix 2.9 and later) as lookup key for the specified
+fingerprint (Postfix 2.9 and later) as the lookup key for the specified
<a href="access.5.html">access(5)</a> database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<dt><b><a name="check_sasl_access">check_sasl_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd> Use the remote SMTP client SASL user name as lookup key for
+<dd> Use the remote SMTP client SASL user name as the lookup key for
the specified <a href="access.5.html">access(5)</a> database. The lookup key has the form
"username@domainname" when the <a href="postconf.5.html#smtpd_sasl_local_domain">smtpd_sasl_local_domain</a> parameter
value is non-empty. Unlike the <a href="postconf.5.html#check_client_access">check_client_access</a> feature,
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
-CA issues the certificates and only this CA is listed as trusted
+CA issues the certificates and only this CA is listed as a trusted
CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "<a href="postconf.5.html#tls_append_default_CA">tls_append_default_CA</a> = no" when the
trusted CA is specified with <a href="postconf.5.html#smtpd_tls_CAfile">smtpd_tls_CAfile</a> or <a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a>,
<pre>
# Append XVERP to MAIL FROM commands to request VERP-style delivery.
# See <a href="VERP_README.html">VERP_README</a> for more information on how to use Postfix VERP.
- /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP
+ /^(MAIL\s+FROM:\s*<listname@example\.com>.*)/ $1 XVERP
</pre>
<pre>
fewer than $<a href="postconf.5.html#smtpd_hard_error_limit">smtpd_hard_error_limit</a> errors, without delivering mail.
</p>
-<p>With Postfix version 2.0 and earlier: the SMTP server delay before
-sending a reject (4xx or 5xx) response, when the client has made
-fewer than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors without delivering
-mail. </p>
+<p>With Postfix version 2.0 and earlier: the SMTP server delay
+before sending a reject (4xx or 5xx) response, when the client has
+made fewer than $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> errors without delivering
+mail. When the client has made $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a> or more errors,
+delay all responses with the larger of (number of errors) seconds
+or $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
+
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p>
The maximal number of errors a remote SMTP client is allowed to
make without delivering mail. The Postfix SMTP server disconnects
-when the limit is exceeded. Normally the default limit is 20, but
+when the limit is reached. Normally the default limit is 20, but
it changes under overload to just 1. With Postfix 2.5 and earlier,
the SMTP server always allows up to 20 errors by default.
+Valid values are greater than zero.
</p>
closed.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
closed.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
<p> The delay between attempts to resend a failed SMTPD policy
service request. Specify a value greater than zero. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 3.0 and later. </p>
delegated SMTPD policy server.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
<p> Specify "host:port" or "inet:host:port" for a TCP endpoint, or
"unix:pathname" for a UNIX-domain endpoint. The host can be specified
as an IP address or as a symbolic name; no MX lookups are done.
-When no "host" or "host:" are specified, the local machine is
+When no "host" or "host:" is specified, the local machine is
assumed. Pathname interpretation is relative to the Postfix queue
directory. </p>
the maillog file.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
<ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
+<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and the address contains no
sender-specified routing (user@elsewhere@domain),
<dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>
-<dd>Permit the request when the local mail system is backup MX for
+<dd>Permit the request when the local mail system is a backup MX for
the RCPT TO domain, or when the domain is an authorized destination
(see <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a> for definition).
access is not restricted with <a href="postconf.5.html#permit_mx_backup_networks">permit_mx_backup_networks</a>.
<li> Safety: as of Postfix version 2.3, <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> no longer
-accepts the address when the local mail system is primary MX for
+accepts the address when the local mail system is a primary MX for
the recipient domain. Exception: <a href="postconf.5.html#permit_mx_backup">permit_mx_backup</a> accepts the address
when it specifies an authorized destination (see <a href="postconf.5.html#permit_auth_destination">permit_auth_destination</a>
for definition).
<ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
+<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$<a href="postconf.5.html#relay_domains">relay_domains</a> or a subdomain thereof, and contains no sender-specified
routing (user@elsewhere@domain),
see the <a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a> file for details. <br> The
<a href="postconf.5.html#unverified_recipient_reject_code">unverified_recipient_reject_code</a> parameter specifies the numerical
response code when an address is known to bounce (default: 450,
-change into 550 when you are confident that it is safe to do so).
+change it to 550 when you are confident that it is safe to do so).
<br>The <a href="postconf.5.html#unverified_recipient_defer_code">unverified_recipient_defer_code</a> parameter specifies the
numerical response code when an address probe failed due to a
temporary problem (default: 450). <br> The
<li> Mail from clients whose IP address matches $<a href="postconf.5.html#mynetworks">mynetworks</a>, or:
+<li> Mail from clients who are SASL authenticated, or:
+
<li> Mail to remote destinations that match $<a href="postconf.5.html#relay_domains">relay_domains</a>, except
for addresses that contain sender-specified routing
(user@elsewhere@domain), or:
<p>
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
-network part of a host address. You can also "/file/name" or
+network part of a host address. You can also specify "/file/name" or
"<a href="DATABASE_README.html">type:table</a>" patterns. A "/file/name" pattern is replaced by its
contents; a "<a href="DATABASE_README.html">type:table</a>" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue
<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>
-<dd>Reject the request when Postfix is not final destination for
+<dd>Reject the request when Postfix is not the final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS A
record, or 2) a malformed MX record such as a record with
<ul>
-<li><p>With Postfix version 2.1 and later, the Postfix SMTP server
-delays all responses by $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> seconds. </p>
+<li><p>With Postfix version 2.1 and later, when the error count
+is > $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server
+delays all responses by $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
+
+<li><p>With Postfix versions 2.0 and earlier, when the error count
+is > $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server delays all
+responses by the larger of (number of errors) seconds or
+$<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
-<li><p>With Postfix versions 2.0 and earlier, the Postfix SMTP
-server delays all responses by (number of errors) seconds. </p>
+<li><p>With Postfix versions 2.0 and earlier, when the error count
+is ≤ $<a href="postconf.5.html#smtpd_soft_error_limit">smtpd_soft_error_limit</a>, the Postfix SMTP server delays 4XX
+and 5XX responses by $<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a>. </p>
</ul>
default value is stress-dependent. Before Postfix version 2.8, it
was fixed at 300s. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
to update the global <a href="postconf.5.html#ipc_timeout">ipc_timeout</a> parameter.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
<a href="postconf.5.html#smtpd_tls_dh1024_param_file">smtpd_tls_dh1024_param_file</a> = /etc/postfix/dh2048.pem
</pre>
-<p>This feature is available with Postfix version 2.2.</p>
+<p>This feature is available in Postfix 2.2 and later.</p>
</DD>
<a href="postconf.5.html#smtpd_tls_dh512_param_file">smtpd_tls_dh512_param_file</a> = /etc/postfix/dh_512.pem
</pre>
-<p>This feature is available with Postfix version 2.2.</p>
+<p>This feature is available in Postfix 2.2 and later,
+but is ignored in Postfix 3.6 and later.</p>
</DD>
<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. The
underlying cipherlist is specified via the <a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a>
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change. This choice is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
cipherlist is specified via the <a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
or longer symmetric bulk-encryption keys. This is the default minimum
strength for mandatory TLS encryption. The underlying cipherlist is
specified via the <a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> configuration parameter, which
-you are strongly encouraged to not change. </dd>
+you are strongly encouraged not to change. </dd>
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. The
case that all clients are prepared to use NULL ciphers (not normally
enabled in TLS clients). The underlying cipherlist is specified via the
<a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> configuration parameter, which you are strongly
-encouraged to not change. </dd>
+encouraged not to change. </dd>
</dl>
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the <a href="tlsmgr.8.html">tlsmgr(8)</a> daemon. This means that
per-smtpd-instance <a href="master.5.html">master.cf</a> overrides of this parameter are not
-effective. Note
, that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a>
+effective. Note that each of the cache databases supported by <a href="tlsmgr.8.html">tlsmgr(8)</a>
daemon: $<a href="postconf.5.html#smtpd_tls_session_cache_database">smtpd_tls_session_cache_database</a>, $<a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a>
(and with Postfix 2.3 and later $<a href="postconf.5.html#lmtp_tls_session_cache_database">lmtp_tls_session_cache_database</a>), needs to be
stored separately. It is not at this time possible to store multiple
an OpenSSL library (at least version 0.9.8h) that provides full
support for this TLS extension. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later, and updated
for TLS session ticket support in Postfix 2.11. </p>
<DT><b><a name="smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>
(default: no)</b></DT><DD>
-<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
+<p> Run the Postfix SMTP server in TLS "wrapper" mode,
instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in
<a href="master.5.html">master.cf</a>, and specify "-o <a href="postconf.5.html#smtpd_tls_wrappermode">smtpd_tls_wrappermode</a>=yes" on the SMTP
-server's command line. Port 465 (smtps) was once chosen for this
-purpose. </p>
+server's command line. Port 465 (submissions/smtps) is reserved for
+this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> The time limit for the proxy protocol specified with the
<a href="postconf.5.html#smtpd_upstream_proxy_protocol">smtpd_upstream_proxy_protocol</a> parameter. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.10 and later. </p>
(default: yes)</b></DT><DD>
<p> Enable preliminary SMTPUTF8 support for the protocols described
-in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533. This requires that Postfix is built to support
-these protocols. </p>
+in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>. This requires that Postfix is
+built to support these protocols. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
This is used for delivery to file or mailbox.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<p> Note: It is unwise to omit sha256 from the digest list. This
digest algorithm is the only mandatory to implement digest algorithm
-in <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected publish TLSA records
+in <a href="https://tools.ietf.org/html/rfc6698">RFC 6698</a>, and many servers are expected to publish TLSA records
with just sha256 digests. Unless one of the standard digests is
seriously compromised and servers have had ample time to update their
TLSA records you should not omit any standard digests, just arrange
SMTP client and server. These curves are used by the Postfix SMTP
server when "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = auto". The selected curves
must be implemented by OpenSSL and be standardized for use in TLS
-(<a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a> or its imminent successor). It is unwise to list only
+(<a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>). It is unwise to list only
"bleeding-edge" curves supported by a small subset of clients. The
default list is suitable for most users. </p>
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by ecparam(1) with the "-list_curves" option) and be one
-of the curves listed in Section 5.1.1 of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not
+of the curves listed in Section 5.1.1 of <a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>. You should not
generally change this setting. Remote SMTP client implementations
must support this curve for EECDH key exchange to take place. It
-is unwise to choose an "bleeding-edge" curve supported by only a
+is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
<p> The default "strong" curve is rated in NSA <a
users should instead set "<a href="postconf.5.html#smtpd_tls_eecdh_grade">smtpd_tls_eecdh_grade</a> = strong". The selected
curve must be implemented by OpenSSL (as reported by ecparam(1) with the
"-list_curves" option) and be one of the curves listed in Section 5.1.1
-of <a href="https://tools.ietf.org/html/rfc4492">RFC 4492</a>. You should not generally change this setting. </p>
+of <a href="https://tools.ietf.org/html/rfc8422">RFC 8422</a>. You should not generally change this setting. Remote SMTP
+client implementations must support this curve for EECDH key exchange
+to take place. It is unwise to choose only "bleeding-edge" curves
+supported by only a small subset of clients. </p>
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
releases before the middle of 2015 this is the default cipherlist
for the opportunistic ("may") TLS client security level and also
the default cipherlist for the SMTP server. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
the meaning of the "high" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
an incorrect algorithm. This parameter has no effect on the certificate
fingerprint support that is available since Postfix 2.2. </p>
-<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> = yes" temporarily,
+<p> Specify "<a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> = yes" temporarily,
pending a migration from configuration files with incorrect Postfix
2.9.0..2.9.5 certificate public-key finger prints, to the correct
fingerprints used by Postfix 2.9.6 and later. To compute the correct
the meaning of the "low" setting in <a href="postconf.5.html#smtpd_tls_ciphers">smtpd_tls_ciphers</a>,
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_ciphers">smtp_tls_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a>,
<a href="postconf.5.html#lmtp_tls_ciphers">lmtp_tls_ciphers</a>, and <a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
default cipherlist for mandatory TLS encryption in the TLS client
(with anonymous ciphers disabled when verifying server certificates).
This is the default cipherlist for opportunistic TLS with Postfix
-releases after the middle of 2015. You are strongly encouraged to
-not change this setting. </p>
+releases after the middle of 2015. You are strongly encouraged not
+to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in
smtpd_mandatory_tls_ciphers, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
-<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged to not
+setting in
<a href="postconf.5.html#smtpd_tls_mandatory_ciphers">smtpd_tls_mandatory_ciphers</a>, <a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> and
+<a href="postconf.5.html#lmtp_tls_mandatory_ciphers">lmtp_tls_mandatory_ciphers</a>. You are strongly encouraged not to
change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
the pseudo random number generator (PRNG) to the file specified
with $<a href="postconf.5.html#tls_random_exchange_name">tls_random_exchange_name</a>. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
sources. The actual time between re-seeding attempts is calculated
using the PRNG, and is between 0 and the time specified. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
EGD compatible socket interface, or dev:/path/to/device for a
device file. </p>
-<p> Note: on OpenBSD systems specify /dev/arandom when /dev/urandom
+<p> Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
<p> When this parameter is non-empty, the Postfix SMTP server enables
SNI extension processing, and logs SNI values that are invalid or
-don't match an entry in the the specified tables. When an entry
+don't match an entry in the specified tables. When an entry
does match, the SNI name is logged as part of the connection summary
at log levels 1 and higher. </p>
(default: $<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b></DT><DD>
<p> Enforcement mode: require that SMTP servers use TLS encryption.
-See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. </p>
+See <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> for further details. Use
+<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
<p> This feature is available in Postfix 3.4 and later. </p>
(default: $<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b></DT><DD>
<p> Opportunistic mode: use TLS when a remote server announces TLS
-support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. </p>
+support. See <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> for further details. Use
+<a href="postconf.5.html#tlsproxy_client_security_level">tlsproxy_client_security_level</a> instead. </p>
<p> This feature is available in Postfix 3.4 and later. </p>
<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_enforce_tls">smtpd_enforce_tls</a> for
-further details. </p>
+further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See <a href="postconf.5.html#smtpd_use_tls">smtpd_use_tls</a>
-for further details. </p>
+for further details. Use <a href="postconf.5.html#tlsproxy_tls_security_level">tlsproxy_tls_security_level</a> instead. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later </p>
a malfunctioning message delivery transport.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message
delivery transport. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> Note: <a href="postconf.5.html#transport_time_limit"><i>transport</i>_time_limit</a> parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination
parameter value, where the initial <i>transport</i> in the parameter
name is the <a href="master.5.html">master.cf</a> name of the message delivery transport. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
+<p> Note: <a href="postconf.5.html#transport_transport_rate_delay"><i>transport</i>_transport_rate_delay</a> parameters will
+not show up in "postconf" command output before Postfix version
+2.9. This limitation applies to many parameters whose name is a
+combination of a <a href="master.5.html">master.cf</a> service name and a built-in suffix (in
+this case: "_transport_rate_delay"). </p>
+
</DD>
load.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
</DD>
<DT><b><a name="virtual_alias_domains">virtual_alias_domains</a>
(default: $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b></DT><DD>
-<p> Postfix is final destination for the specified list of virtual
+<p> Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
to addresses in other local or remote domains. The SMTP server
validates recipient addresses with $<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> and rejects
<p> Specify a list of host or domain names, "/file/name" or
"<a href="DATABASE_README.html">type:table</a>" patterns, separated by commas and/or whitespace. A
"/file/name" pattern is replaced by its contents; a "<a href="DATABASE_README.html">type:table</a>"
-lookup table is matched when a table entry matches a lookup string
+lookup table is matched when a table entry matches a host or domain name
(the lookup result is ignored). Continue long lines by starting
the next line with whitespace. Specify "!pattern" to exclude a host
or domain name from the list. The form "!/file/name" is supported
<p>
Optional lookup tables that alias specific mail addresses or domains
-to other local or remote address. The table format and lookups
+to other local or remote addresses. The table format and lookups
are documented in <a href="virtual.5.html">virtual(5)</a>. For an overview of Postfix address
manipulations see the <a href="ADDRESS_REWRITING_README.html">ADDRESS_REWRITING_README</a> document.
</p>
<DT><b><a name="virtual_mailbox_domains">virtual_mailbox_domains</a>
(default: $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b></DT><DD>
-<p> Postfix is final destination for the specified list of domains;
+<p> Postfix is the final destination for the specified list of domains;
mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail delivery transport.
By default this is the Postfix <a href="virtual.8.html">virtual(8)</a> delivery agent. The SMTP
server validates recipient addresses with $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
"user@domain.tld" entry.
</p>
+<p>
+With the default "<a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>",
+lookup tables also need entries with a left-hand side of "domain.tld"
+to satisfy virtual_mailbox_domain lookups (the right-hand side is
+required but will not be used).
+</p>
+
<p> The remainder of this text is specific to the <a href="virtual.8.html">virtual(8)</a> delivery
agent. It does not apply when mail is delivered with a different
mail delivery program. </p>
<li> <a href="postconf.1.html">postconf(1)</a>, Postfix configuration utility
+<li> <a href="postdrop.1.html">postdrop(1)</a>, Postfix mail posting utility
+
<li> <a href="postfix.1.html">postfix(1)</a>, Postfix control program
<li> <a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
Other configuration parameters:
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
<a href="postalias.1.html">postalias(1)</a>, create/update/query alias database
<a href="postcat.1.html">postcat(1)</a>, examine Postfix queue file
<a href="postconf.1.html">postconf(1)</a>, Postfix configuration utility
+ <a href="postdrop.1.html">postdrop(1)</a>, Postfix mail posting utility
<a href="postfix.1.html">postfix(1)</a>, Postfix control program
<a href="postfix-tls.1.html">postfix-tls(1)</a>, Postfix TLS management
<a href="postkick.1.html">postkick(1)</a>, trigger Postfix daemon
starts with whitespace continues a logical line.
The <i>key</i> and <i>value</i> are processed as is, except that surrounding white
- space is stripped off. Whitespace in lookup keys is supported as of
- Postfix 3.2.
+ space is stripped off. Whitespace in lookup keys is supported in Post-
+ fix 3.2 and later, by surrounding the key with double quote characters
+ `"'. Within the double quotes, double quote `"' and backslash `\' char-
+ acters can be included by quoting them with a preceding backslash.
When the <b>-F</b> option is given, the <i>value</i> must specify one or more file-
names separated by comma and/or whitespace; <a href="postmap.1.html"><b>postmap</b>(1)</a> will concatenate
body-style lookup keys for attachment MIME headers and for
attached message/* headers.
- NOTE: with "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", the <b>-b</b> option option dis-
- ables UTF-8 syntax checks on query keys and lookup results.
- Specify the <b>-U</b> option to force UTF-8 syntax checks anyway.
+ NOTE: with "<a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> = yes", the <b>-b</b> option disables UTF-8
+ syntax checks on query keys and lookup results. Specify the <b>-U</b>
+ option to force UTF-8 syntax checks anyway.
This feature is available in Postfix version 2.6 and later.
and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
<b><a href="postconf.5.html#smtputf8_enable">smtputf8_enable</a> (yes)</b>
Enable preliminary SMTPUTF8 support for the protocols described
- in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>..6533.
+ in <a href="https://tools.ietf.org/html/rfc6531">RFC 6531</a>, <a href="https://tools.ietf.org/html/rfc6532">RFC 6532</a>, and <a href="https://tools.ietf.org/html/rfc6533">RFC 6533</a>.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
default values for the private directories of the new
instance. The "<b>-G</b> <i>group</i>" option may be specified to
assign the instance to a group, otherwise, the new
- instance is not a member of any groups.
+ instance is not a member of any group.
The new instance <a href="postconf.5.html">main.cf</a> is the stock <a href="postconf.5.html">main.cf</a> with the
parameters that specify the locations of shared files
<a href="postconf.5.html#data_directory">data_directory</a>=/my/data/dir
If any of these pathnames is not supplied, the program
- attempts to generate the pathname by taking the corre-
- sponding primary instance pathname, and by replacing the
- last pathname component by the value of the <b>-I</b> option.
+ attempts to generate the missing pathname(s) by taking
+ the corresponding primary instance pathname, and replac-
+ ing the last pathname component by the value of the <b>-I</b>
+ option.
- If the instance configuration directory already exists,
- and contains both a <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> file, <b>create</b>
+ If the instance configuration directory already exists,
+ and contains both a <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> file, <b>create</b>
will "import" the instance as-is. For existing instances,
<b>create</b> and <b>import</b> are identical.
- <b>import</b> Import an existing instance into the list of instances
+ <b>import</b> Import an existing instance into the list of instances
managed by the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> multi-instance manager. This
- adds the instance to the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> list
+ adds the instance to the <a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> list
of the primary instance. If the "<b>-I</b> <i>name</i>" option is pro-
- vided it specifies the new name for the instance and is
- used to define a default location for the instance con-
- figuration directory (as with <b>create</b> above). The "<b>-G</b>
- <i>group</i>" option may be used to assign the instance to a
- group. Add a "<b><a href="postconf.5.html#config_directory">config_directory</a>=</b><i>/path</i>" argument to over-
+ vided it specifies the new name for the instance and is
+ used to define a default location for the instance con-
+ figuration directory (as with <b>create</b> above). The "<b>-G</b>
+ <i>group</i>" option may be used to assign the instance to a
+ group. Add a "<b><a href="postconf.5.html#config_directory">config_directory</a>=</b><i>/path</i>" argument to over-
ride a default pathname based on "<b>-I</b> <i>name</i>".
<b>destroy</b>
- Destroy a secondary Postfix instance. To be a candidate
+ Destroy a secondary Postfix instance. To be a candidate
for destruction an instance must be disabled, stopped and
- its queue must not contain any messages. Attempts to
- destroy the primary Postfix instance trigger a fatal
+ its queue must not contain any messages. Attempts to
+ destroy the primary Postfix instance trigger a fatal
error, without destroying the instance.
The instance is removed from the primary instance <a href="postconf.5.html">main.cf</a>
file's <a href="postconf.5.html#alternate_config_directories">alternate_config_directories</a> parameter and its
- data, queue and configuration directories are cleaned of
- files and directories created by the Postfix system. The
+ data, queue and configuration directories are cleaned of
+ files and directories created by the Postfix system. The
<a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> files are removed from the configu-
- ration directory even if they have been modified since
- initial creation. Finally, the instance is "deported"
+ ration directory even if they have been modified since
+ initial creation. Finally, the instance is "deported"
from the list of managed instances.
- If other files are present in instance private directo-
+ If other files are present in instance private directo-
ries, the directories may not be fully removed, a warning
is logged to alert the administrator. It is expected that
- an instance built using "fresh" directories via the <b>cre-</b>
- <b>ate</b> action will be fully removed by the <b>destroy</b> action
- (if first disabled). If the instance configuration and
- queue directories are populated with additional files
- (access and rewriting tables, chroot jail content, etc.)
+ an instance built using "fresh" directories via the <b>cre-</b>
+ <b>ate</b> action will be fully removed by the <b>destroy</b> action
+ (if first disabled). If the instance configuration and
+ queue directories are populated with additional files
+ (access and rewriting tables, chroot jail content, etc.)
the instance directories will not be fully removed.
- The <b>destroy</b> action triggers potentially dangerous file
- removal operations. Make sure the instance's data, queue
- and configuration directories are set correctly and do
+ The <b>destroy</b> action triggers potentially dangerous file
+ removal operations. Make sure the instance's data, queue
+ and configuration directories are set correctly and do
not contain any valuable files.
- <b>deport</b> Deport a secondary instance from the list of managed
+ <b>deport</b> Deport a secondary instance from the list of managed
instances. This deletes the instance configuration direc-
- tory
from the primary instance's <a href="postconf.5.html#multi_instance_directories">multi_instance_directo</a>-
- <a href="postconf.5.html#multi_instance_directories">ries</a> list, but does not remove any files or directories.
+ tory
from the primary instance's <a href="postconf.5.html#multi_instance_directories">multi_instance_directo</a>-
+ <a href="postconf.5.html#multi_instance_directories">ries</a> list, but does not remove any files or directories.
- <b>assign</b> Assign a new instance name or a new group name to the
- selected instance. Use "<b>-G -</b>" to specify "no group" and
- "<b>-I -</b>" to specify "no name". If you choose to make an
- instance "nameless", set a suitable <a href="postconf.5.html#syslog_name">syslog_name</a> in the
+ <b>assign</b> Assign a new instance name or a new group name to the
+ selected instance. Use "<b>-G -</b>" to specify "no group" and
+ "<b>-I -</b>" to specify "no name". If you choose to make an
+ instance "nameless", set a suitable <a href="postconf.5.html#syslog_name">syslog_name</a> in the
corresponding <a href="postconf.5.html">main.cf</a> file.
<b>enable</b> Mark the selected instance as enabled. This just sets the
instance's <a href="postconf.5.html">main.cf</a> file.
<b>disable</b>
- Mark the selected instance as disabled. This means that
- the instance will not be started etc. with "postfix
- start", "postmulti -p start" and so on. The instance can
- still be started etc. with "postfix -c config-directory
+ Mark the selected instance as disabled. This means that
+ the instance will not be started etc. with "postfix
+ start", "postmulti -p start" and so on. The instance can
+ still be started etc. with "postfix -c config-directory
start".
<b>Other options</b>
- <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
+ <b>-v</b> Enable verbose logging for debugging purposes. Multiple <b>-v</b>
options make the software increasingly verbose.
<b>ENVIRONMENT</b>
- The <a href="postmulti.1.html"><b>postmulti</b>(1)</a> command exports the following environment variables
+ The <a href="postmulti.1.html"><b>postmulti</b>(1)</a> command exports the following environment variables
before executing the requested <i>command</i> for a given instance:
<b>MAIL_VERBOSE</b>
<b>CONFIGURATION PARAMETERS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and <a href="master.5.html">master.cf</a> con-
figuration files.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
The directory with Postfix support programs and daemon programs.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
- process will import from a non-Postfix parent process, or
+ The list of environment variables that a privileged Postfix
+ process will import from a non-Postfix parent process, or
name=value environment overrides.
<b><a href="postconf.5.html#multi_instance_directories">multi_instance_directories</a> (empty)</b>
- An optional list of non-default Postfix configuration directo-
- ries; these directories belong to additional Postfix instances
- that share the Postfix executable files and documentation with
- the default Postfix instance, and that are started, stopped,
+ An optional list of non-default Postfix configuration directo-
+ ries; these directories belong to additional Postfix instances
+ that share the Postfix executable files and documentation with
+ the default Postfix instance, and that are started, stopped,
etc., together with the default Postfix instance.
<b><a href="postconf.5.html#multi_instance_group">multi_instance_group</a> (empty)</b>
The optional instance name of this Postfix instance.
<b><a href="postconf.5.html#multi_instance_enable">multi_instance_enable</a> (no)</b>
- Allow this Postfix instance to be started, stopped, etc., by a
+ Allow this Postfix instance to be started, stopped, etc., by a
multi-instance manager.
<b><a href="postconf.5.html#postmulti_start_commands">postmulti_start_commands</a> (start)</b>
- The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
+ The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
treats as "start" commands.
<b><a href="postconf.5.html#postmulti_stop_commands">postmulti_stop_commands</a> (see 'postconf -d' output)</b>
- The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
+ The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
treats as "stop" commands.
<b><a href="postconf.5.html#postmulti_control_commands">postmulti_control_commands</a> (reload flush)</b>
- The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
+ The <a href="postfix.1.html"><b>postfix</b>(1)</a> commands that the <a href="postmulti.1.html"><b>postmulti</b>(1)</a> instance manager
treats as "control" commands, that operate on running instances.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (see 'postconf -d' output)</b>
- A prefix that is prepended to the process name in syslog
+ A prefix that is prepended to the process name in syslog
records, so that, for example, "smtpd" becomes "prefix/smtpd".
Available in Postfix 3.0 and later:
<b><a href="postconf.5.html#meta_directory">meta_directory</a> (see 'postconf -d' output)</b>
- The location of non-executable files that are shared among mul-
- tiple Postfix instances, such as postfix-files, dynamicmaps.cf,
- and
the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">mas-
+ The location of non-executable files that are shared among mul-
+ tiple Postfix instances, such as postfix-files, dynamicmaps.cf,
+ and
the multi-instance template files <a href="postconf.5.html">main.cf</a>.proto and <a href="master.5.html">mas-
ter.cf</a>.proto.
<b><a href="postconf.5.html#shlib_directory">shlib_directory</a> (see 'postconf -d' output)</b>
- The location of Postfix dynamically-linked libraries (libpost-
- fix-*.so), and the default location of Postfix database plugins
- (postfix-*.so) that have a relative pathname in the dynam-
+ The location of Postfix dynamically-linked libraries (libpost-
+ fix-*.so), and the default location of Postfix database plugins
+ (postfix-*.so) that have a relative pathname in the dynam-
icmaps.cf file.
<b>FILES</b>
TLS-related information about the server. With SMTP, the destination is
a domainname; with LMTP it is either a domainname prefixed with <b>inet:</b>
or a pathname prefixed with <b>unix:</b>. If Postfix is built without TLS
- support, the resulting posttls-finger program has very limited func-
+ support, the resulting <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> program has very limited func-
tionality, and only the <b>-a</b>, <b>-c</b>, <b>-h</b>, <b>-o</b>, <b>-S</b>, <b>-t</b>, <b>-T</b> and <b>-v</b> options are
available.
<b>-a</b> <i>family</i> (default: <b>any</b>)
Address family preference: <b>ipv4</b>, <b>ipv6</b> or <b>any</b>. When using <b>any</b>,
- posttls-finger will randomly select one of the two as the more
- preferred, and exhaust all MX preferences for the first address
- family before trying any addresses for the other.
+ <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> will randomly select one of the two as the
+ more preferred, and exhaust all MX preferences for the first
+ address family before trying any addresses for the other.
<b>-A</b> <i>trust-anchor.pem</i> (default: none)
A list of PEM trust-anchor files that overrides CAfile and CAp-
server fingerprints and matching against user provided certifi-
cate fingerprints (with DANE TLSA records the algorithm is spec-
ified in the DNS). In Postfix versions prior to 3.6, the
- default value was "sha1".
+ default value was "md5".
<b>-f</b> Lookup the associated DANE TLSA RRset even when a hostname is
not an alias and its address records lie in an unsigned zone.
trusted.
<b>-g</b> <i>grade</i> (default: medium)
- The minimum TLS cipher grade used by posttls-finger. See
+ The minimum TLS cipher grade used by <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a>. See
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> for details.
<b>-h</b> <i>host</i><b>_</b><i>lookup</i> (default: <b>dns</b>)
allows you to test certificate or public-key fingerprint matches
before you deploy them in the policy table.
- Note, since <b>posttls-finger</b> does not actually deliver any email,
- the <b>none</b>, <b>may</b> and <b>encrypt</b> security levels are not very useful.
- Since <b>may</b> and <b>encrypt</b> don't require peer certificates, they will
- often negotiate anonymous TLS ciphersuites, so you won't learn
- much about the remote SMTP server's certificates at these levels
- if it also supports anonymous TLS (though you may learn that the
- server supports anonymous TLS).
+ Note, since <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> does not actually deliver any
+ email, the <b>none</b>, <b>may</b> and <b>encrypt</b> security levels are not very
+ useful. Since <b>may</b> and <b>encrypt</b> don't require peer certificates,
+ they will often negotiate anonymous TLS ciphersuites, so you
+ won't learn much about the remote SMTP server's certificates at
+ these levels if it also supports anonymous TLS (though you may
+ learn that the server supports anonymous TLS).
<b>-L</b> <i>logopts</i> (default: <b>routine,certmatch</b>)
Fine-grained TLS logging options. To tune the TLS features
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is <b>dane</b>, but the MX record
was found via an "insecure" MX lookup. See the <a href="postconf.5.html">main.cf</a> documen-
- tation for smtp_tls_insecure_mx_policy for details.
+ tation for <a href="postconf.5.html#smtp_tls_dane_insecure_mx_policy">smtp_tls_dane_insecure_mx_policy</a> for details.
<b>-o</b> <i>name=value</i>
Specify zero or more times to override the value of the <a href="postconf.5.html">main.cf</a>
configure the SMTP EHLO name sent to the remote server.
<b>-p</b> <i>protocols</i> (default: >=TLSv1)
- TLS protocols that posttls-finger will exclude or include. See
- <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details.
+ TLS protocols that <a href="posttls-finger.1.html"><b>posttls-finger</b>(1)</a> will exclude or include.
+
See <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> for details.
<b>-P</b> <i>CApath/</i> (default: none)
The OpenSSL CApath/ directory (indexed via c_rehash(1)) for
<b>-v</b> Enable verbose Postfix logging. Specify more than once to
increase the level of verbose logging.
- <b>-w</b> Enable outgoing TLS wrapper mode, or SMTPS support. This is
- typically provided on port 465 by servers that are compatible
- with the ad-hoc SMTP in SSL protocol, rather than the standard
- STARTTLS protocol. The destination <i>domain</i>:<i>port</i> should of course
- provide such a service.
+ <b>-w</b> Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support.
+ This is typically provided on port 465 by servers that are com-
+ patible with the SMTP-in-SSL protocol, rather than the STARTTLS
+ protocol. The destination <i>domain</i>:<i>port</i> must of course provide
+ such a service.
<b>-X</b> Enable <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> mode. This is an unsupported mode, for pro-
gram development only.
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those case, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those case, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
Table lookups are case insensitive.
to a TCP-based server. For a description of regular expression lookup
table syntax, see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. For a description
of the TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This
- feature is not available up to and including Postfix version 2.4.
+ feature is available in Postfix 2.5 and later.
Each pattern is a regular expression that is applied to the entire
address being looked up. Thus, <i>user@domain</i> mail addresses are not bro-
<b>TCP-BASED TABLES</b>
This section describes how the table lookups change when lookups are
directed to a TCP-based server. For a description of the TCP
- client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not
- available up to and including Postfix version 2.4.
+ client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is
+ available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus, <i>user@domain</i>
mail addresses are not broken up into their <i>user</i> and <i>@domain</i> con-
below provides only a parameter summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more
details including examples.
- <b><a href="postconf.5.html#relocated_maps">relocated_maps</a></b>
- List of lookup tables for relocated users or sites.
+ <b><a href="postconf.5.html#relocated_maps">relocated_maps</a> (empty)</b>
+ Optional lookup tables with new contact information for users or
+ domains that no longer exist.
Other parameters of interest:
- <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
- The network interface addresses that this system receives mail
- on. You need to stop and start Postfix when this parameter
- changes.
+ <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
+ The network interface addresses that this mail system receives
+ mail on.
- <b><a href="postconf.5.html#mydestination">mydestination</a></b>
- List of domains that this mail system considers local.
+ <b><a href="postconf.5.html#mydestination">mydestination</a> ($<a href="postconf.5.html#myhostname">myhostname</a>, localhost.$<a href="postconf.5.html#mydomain">mydomain</a>, localhost)</b>
+ The list of domains that are delivered via the $<a href="postconf.5.html#local_transport">local_transport</a>
+ mail delivery transport.
- <b><a href="postconf.5.html#myorigin">myorigin</a></b>
- The domain that is appended to locally-posted mail.
+ <b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
+ The domain name that locally-posted mail appears to come from,
+ and that locally posted mail is delivered to.
- <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>
- Other interfaces that this machine receives mail on by way of a
- proxy agent or network address translator.
+ <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
+ The network interface addresses that this mail system receives
+ mail on by way of a proxy or network address translation unit.
<b>SEE ALSO</b>
<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>, address resolver
headers of mail that is still queued.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a privileged Postfix
+ The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or
name=value environment overrides.
Listen on the UNIX-domain socket at <i>pathname</i>.
<i>backlog</i>
- The maximum length the queue of pending connections, as defined
- by the <b>listen</b>(2) system call.
+ The maximum length of the queue of pending connections, as
+ defined by the <b>listen</b>(2) system call.
<b>DUMP FILE FORMAT</b>
Each dumped message contains a sequence of text lines, terminated with
DATA requests, when deadlines are enabled with
<a href="postconf.5.html#smtp_per_request_deadline">smtp_per_request_deadline</a>.
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>MIME PROCESSING CONTROLS</b>
Implemented in the <a href="qmgr.8.html">qmgr(8)</a> daemon:
- <b>
transport_destination_concurrency_limit ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_concurrency_limit">transport_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concur</a>-</b>
<b><a href="postconf.5.html#default_destination_concurrency_limit">rency_limit</a>)</b>
- A transport-specific override for the default_destination_con-
-
currency_limit parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
+ A transport-specific override for the <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_con</a>-
+
<a href="postconf.5.html#default_destination_concurrency_limit">currency_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
name of the message delivery transport.
- <b>
transport_destination_recipient_limit ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
+ <b>
<a href="postconf.5.html#transport_destination_recipient_limit">transport_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destination_recipi</a>-</b>
<b><a href="postconf.5.html#default_destination_recipient_limit">ent_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#default_destination_recipient_limit">default_destination_recip</a>-
<a href="postconf.5.html#default_destination_recipient_limit">ient_limit</a> parameter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a>
Available in Postfix version 2.11 and later:
- <b>smtpd_sasl_service (smtp)</b>
+ <b><a href="postconf.5.html#smtpd_sasl_service">smtpd_sasl_service</a> (smtp)</b>
The service name that is passed to the SASL plug-in that is
selected with <b><a href="postconf.5.html#smtpd_sasl_type">smtpd_sasl_type</a></b> and <b><a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a></b>.
DATA and BDAT requests, when deadlines are enabled with
<a href="postconf.5.html#smtpd_per_request_deadline">smtpd_per_request_deadline</a>.
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>TARPIT CONTROLS</b>
<a href="master.5.html"><b>master.cf</b></a> file.
<b>RESOURCE AND RATE CONTROL</b>
- <b>
transport_time_limit ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b>
+ <b>
<a href="postconf.5.html#transport_time_limit">transport_time_limit</a> ($<a href="postconf.5.html#command_time_limit">command_time_limit</a>)</b>
A transport-specific override for the <a href="postconf.5.html#command_time_limit">command_time_limit</a> parame-
ter value, where <i>transport</i> is the <a href="master.5.html">master.cf</a> name of the message
delivery transport.
Alternatively, lookup tables can be specified as SQLite databases. In
order to use SQLite lookups, define an SQLite source as a lookup table
in <a href="postconf.5.html">main.cf</a>, for example:
- <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="sqlite_table.5.html">sqlite</a>:/etc/sqlite-aliases.cf
+ <a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="sqlite_table.5.html">sqlite</a>:/etc/postfix/sqlite-aliases.cf
The file /etc/postfix/sqlite-aliases.cf has the same format as the
Postfix <a href="postconf.5.html">main.cf</a> file, and can specify the parameters described below.
NOTE: DO NOT put quotes around the result format!
<b>domain (default: no domain list)</b>
- This is a list of domain names, paths to files, or dictionaries.
- When specified, only fully qualified search keys with a
- *non-empty* localpart and a matching domain are eligible for
+ This is a list of domain names, paths to files, or "<a href="DATABASE_README.html">type:table</a>"
+ databases. When specified, only fully qualified search keys with
+ a *non-empty* localpart and a matching domain are eligible for
lookup: 'user' lookups, bare domain lookups and "@domain"
lookups are not performed. This can significantly reduce the
query load on the SQLite server.
Available in Postfix version 2.9 and later:
- <b><a href="postconf.5.html#tls_legacy_public_key_fingerprint">tls_legacy_public_key_fingerprints</a> (no)</b>
+ <b><a href="postconf.5.html#tls_legacy_public_key_fingerprints">tls_legacy_public_key_fingerprints</a> (no)</b>
A temporary migration aid for sites that use certificate <i>pub-</i>
<i>lic-key</i> fingerprints with Postfix 2.9.0..2.9.5, which use an
incorrect algorithm.
Mandatory TLS: announce STARTTLS support to remote SMTP clients,
and require that clients use TLS encryption.
+ <b><a href="postconf.5.html#tlsproxy_client_use_tls">tlsproxy_client_use_tls</a> ($<a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>)</b>
+ Opportunistic mode: use TLS when a remote server announces TLS
+ support.
+
+ <b><a href="postconf.5.html#tlsproxy_client_enforce_tls">tlsproxy_client_enforce_tls</a> ($<a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>)</b>
+ Enforcement mode: require that SMTP servers use TLS encryption.
+
<b>RESOURCE CONTROLS</b>
<b><a href="postconf.5.html#tlsproxy_watchdog_timeout">tlsproxy_watchdog_timeout</a> (10s)</b>
How much time a <a href="tlsproxy.8.html"><b>tlsproxy</b>(8)</a> process may take to process local or
Available in Postfix 3.7 and later:
- <b>header_from_format (standard)</b>
+ <b><a href="postconf.5.html#header_from_format">header_from_format</a> (standard)</b>
The format of the Postfix-generated <b>From:</b> header.
<b>FILES</b>
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those case, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those case, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
<b>CASE FOLDING</b>
Resolve the address for address verification purposes.
<b>SERVER PROCESS MANAGEMENT</b>
- The <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> servers run under control by the Postfix master
- server. Each server can handle multiple simultaneous connections.
- When all servers are busy while a client connects, the master creates a
- new server process, provided that the trivial-rewrite server process
- limit is not exceeded. Each trivial-rewrite server terminates after
- serving at least <b>$<a href="postconf.5.html#max_use">max_use</a></b> clients of after <b>$<a href="postconf.5.html#max_idle">max_idle</a></b> seconds of idle
- time.
+ The <a href="trivial-rewrite.8.html"><b>trivial-rewrite</b>(8)</a> servers run under control by the Postfix <a href="master.8.html">mas-</a>
+ <a href="master.8.html">ter(8)</a> server. Each server can handle multiple simultaneous connec-
+ tions. When all servers are busy while a client connects, the master
+ creates a new server process, provided that the trivial-rewrite server
+ process limit is not exceeded. Each trivial-rewrite server terminates
+ after serving at least <b>$<a href="postconf.5.html#max_use">max_use</a></b> clients of after <b>$<a href="postconf.5.html#max_idle">max_idle</a></b> seconds of
+ idle time.
<b>STANDARDS</b>
None. The command does not interact with the outside world.
Alternatively, the table can be provided as a regular-expression map
where patterns are given as regular expressions, or lookups can be
- directed to TCP-based server. In those case, the lookups are done in a
- slightly different way as described below under "REGULAR EXPRESSION
+ directed to a TCP-based server. In those case, the lookups are done in
+ a slightly different way as described below under "REGULAR EXPRESSION
TABLES" or "TCP-BASED TABLES".
<b>CASE FOLDING</b>
$<b><a href="postconf.5.html#myorigin">myorigin</a></b>, when <i>site</i> is listed in $<b><a href="postconf.5.html#mydestination">mydestination</a></b>, or when it is
listed in $<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b> or $<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a></b>.
- This functionality overlaps with functionality of the local
+ This functionality overlaps with the functionality of the local
<i>aliases</i>(5) database. The difference is that <a href="virtual.5.html"><b>virtual</b>(5)</a> mapping
can be applied to non-local addresses.
<i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and @<i>domain</i>.
The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls whether an
- unmatched address extension (<i>+foo</i>) is propagated to the result of table
- lookup.
+ unmatched address extension (<i>+foo</i>) is propagated to the result of a ta-
+ ble lookup.
<b>VIRTUAL ALIAS DOMAINS</b>
Besides virtual aliases, the virtual alias table can also be used to
<b>TCP-BASED TABLES</b>
This section describes how the table lookups change when lookups are
directed to a TCP-based server. For a description of the TCP
- client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is not
- available up to and including Postfix version 2.4.
+ client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>. This feature is
+ available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus, <i>user@domain</i>
mail addresses are not broken up into their <i>user</i> and <i>@domain</i> con-
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> ($<a href="postconf.5.html#virtual_maps">virtual_maps</a>)</b>
Optional lookup tables that alias specific mail addresses or
- domains to other local or remote address.
+ domains to other local or remote addresses.
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> ($<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a>)</b>
- Postfix is final destination for the specified list of virtual
- alias domains, that is, domains for which all addresses are
+ Postfix is the final destination for the specified list of vir-
+ tual alias domains, that is, domains for which all addresses are
aliased to addresses in other local or remote domains.
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
<b>DIAGNOSTICS</b>
Mail bounces when the recipient has no mailbox or when the recipient is
- over disk quota. In all other cases, mail for an existing recipient is
- deferred and a warning is logged.
+ over disk quota. In all other problem cases, mail for an existing
+ recipient is deferred and a warning is logged.
Problems and transactions are logged to <b>syslogd</b>(8) or <a href="postlogd.8.html"><b>postlogd</b>(8)</a>.
Corrupted message files are marked so that the queue manager can move
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> ($<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>)</b>
- Postfix is final destination for the specified list of domains;
- mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail delivery
- transport.
+ Postfix is the final destination for the specified list of
+ domains; mail is delivered via the $<a href="postconf.5.html#virtual_transport">virtual_transport</a> mail
+ delivery transport.
<b><a href="postconf.5.html#virtual_transport">virtual_transport</a> (virtual)</b>
The default mail delivery transport and next-hop destination for
# New York, NY 10011, USA
#--
+# By now all shells must have functions.
+
+error() {
+ # Alas, tput(1) is not portable so we can't use visual effects.
+ echo "ATTENTION:" 1>&2;
+ echo "ATTENTION:" $* 1>&2;
+ echo "ATTENTION:" 1>&2;
+ exit 1
+}
+
+# First, deal with unsupported usage.
+case "$LD_LIBRARY_PATH" in
+?*) error "Not supported: building with LD_LIBRARY_PATH";;
+esac
+
+env | grep '^AUXLIBS_' | while read line
+do
+ case "$line" in
+*-lpostfix-*) error "Not supported: linking plugins with -lpostfix-*: $line";;
+ esac
+done || exit 1
+
# Emit system-dependent Makefile macro definitions to standard output.
echo "#----------------------------------------------------------------"
# Ugly function to make our error message more visible among the
# garbage that is output by some versions of make(1).
-# By now all shells must have functions.
-
-error() {
- # Alas, tput(1) is not portable so we can't use visual effects.
- echo "ATTENTION:" 1>&2;
- echo "ATTENTION:" $* 1>&2;
- echo "ATTENTION:" 1>&2;
- exit 1
-}
-
case $# in
# Officially supported usage.
0) SYSTEM=`(uname -s) 2>/dev/null`
CCARGS="$CCARGS -Dstrcasecmp=fix_strcasecmp \
-Dstrncasecmp=fix_strncasecmp"
STRCASE="strcasecmp.o"
- # Avoid common types of braindamage
- case "$LD_LIBRARY_PATH" in
- ?*) error "Don't set LD_LIBRARY_PATH";;
- esac
case "${CC}" in
*" "*) ;;
*ucb*) error "Don't use /usr/ucb/cc or ucblib";;
# "make makefiles name=value...". The replacement depends on usage
# context: the expanded release version in actual pathnames, or the
# unexpanded ${mail_version} in configuration parameter values (both
-# main.cf and and built-in defaults).
+# main.cf and built-in defaults).
# Helper function to determine DEF_MAIL_VERSION.
The \fBpostalias\fR(1) command creates or queries one or more Postfix
alias databases, or updates an existing one. The input and output
file formats are expected to be compatible with Sendmail version 8,
-and are expected to be suitable for the use as NIS alias maps.
+and are expected to be suitable for use as NIS alias maps.
If the result files do not exist they will be created with the
same group and other read permissions as their source file.
The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
and \fBpostmap\fR(1) commands.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides.
.IP "\fBsmtputf8_enable (yes)\fR"
Enable preliminary SMTPUTF8 support for the protocols described
-in RFC 6531..6533.
+in RFC 6531, RFC 6532, and RFC 6533.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
and replace one or more service fields with new values as
specified with "\fIservice/type/field=value\fR" on the
\fBpostconf\fR(1) command line. Currently, the "command"
-field contains the command name and command arguments. this
+field contains the command name and command arguments. This
may change in the near future, so that the "command" field
contains only the command name, and a new "arguments"
pseudofield contains the command arguments.
line.
The \fB\-e\fR option is no longer needed with Postfix version
-2.8 and later.
+2.8 and later, as it is assumed whenever a value is specified
+(empty or non\-empty).
.IP \fB\-f\fR
Fold long lines when printing \fBmain.cf\fR or \fBmaster.cf\fR
configuration file entries, for human readability.
This feature is available with Postfix 2.11 and later.
.IP \fB\-h\fR
-Show parameter or attribute values without the "\fIname\fR
-= " label that normally precedes the value.
+Show parameter or attribute values without the "\fIname\fR = "
+label that normally precedes the value.
.IP \fB\-H\fR
Show parameter or attribute names without the " = \fIvalue\fR"
that normally follows the name.
later). To show settings that differ from built\-in defaults
only, use the following bash syntax:
.nf
- comm \-23 <(postconf \-n) <(postconf \-d)
+ LANG=C comm \-23 <(postconf \-n) <(postconf \-d)
.fi
Replace "\-23" with "\-12" to show settings that duplicate
built\-in defaults.
.IP "\fB\-o \fIname=value\fR"
-Override \fBmain.cf\fR parameter settings.
+Override \fBmain.cf\fR parameter settings. This lets you see
+the effect changing a parameter would have when it is used in
+other configuration parameters, e.g.:
+.nf
+ postconf \-x \-o stress=yes
+.fi
This feature is available with Postfix 2.10 and later.
.IP \fB\-p\fR
.PP
Other configuration parameters:
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides.
.IP "\fBsyslog_facility (mail)\fR"
postalias(1), create/update/query alias database
postcat(1), examine Postfix queue file
postconf(1), Postfix configuration utility
+postdrop(1), Postfix mail posting utility
postfix(1), Postfix control program
postfix\-tls(1), Postfix TLS management
postkick(1), trigger Postfix daemon
.PP
The \fIkey\fR and \fIvalue\fR are processed as is, except that
surrounding white space is stripped off. Whitespace in lookup
-keys is supported as of Postfix 3.2.
+keys is supported in Postfix 3.2 and later, by surrounding the
+key with double quote characters `"'. Within the double quotes,
+double quote `"' and backslash `\\' characters can be included
+by quoting them with a preceding backslash.
When the \fB\-F\fR option is given, the \fIvalue\fR must
specify one or more filenames separated by comma and/or
headers and for attached message/* headers.
.sp
NOTE: with "smtputf8_enable = yes", the \fB\-b\fR option
-option disables UTF\-8 syntax checks on query keys and
-lookup results. Specify the \fB\-U\fR option to force UTF\-8
+disables UTF\-8 syntax checks on query keys and lookup
+results. Specify the \fB\-U\fR option to force UTF\-8
syntax checks anyway.
.sp
This feature is available in Postfix version 2.6 and later.
The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
and \fBpostmap\fR(1) commands.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides.
.IP "\fBsmtputf8_enable (yes)\fR"
Enable preliminary SMTPUTF8 support for the protocols described
-in RFC 6531..6533.
+in RFC 6531, RFC 6532, and RFC 6533.
.IP "\fBsyslog_facility (mail)\fR"
The syslog facility of Postfix logging.
.IP "\fBsyslog_name (see 'postconf -d' output)\fR"
values for the private directories of the new instance. The
"\fB\-G \fIgroup\fR" option may be specified to assign the
instance to a group, otherwise, the new instance is not a
-member of any groups.
+member of any group.
.sp
The new instance main.cf is the stock main.cf with the
parameters that specify the locations of shared files cloned
.RE
.IP
If any of these pathnames is not supplied, the program
-attempts to generate the pathname by taking the corresponding
-primary instance pathname, and by replacing the last pathname
-component by the value of the \fB\-I\fR option.
+attempts to generate the missing pathname(s) by taking the
+corresponding primary instance pathname, and replacing the
+last pathname component by the value of the \fB\-I\fR option.
.sp
If the instance configuration directory already exists, and
contains both a main.cf and master.cf file, \fBcreate\fR
.IP "\fBdaemon_directory (see 'postconf -d' output)\fR"
The directory with Postfix support programs and daemon programs.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides.
.IP "\fBmulti_instance_directories (empty)\fR"
and reports TLS\-related information about the server. With SMTP, the
destination is a domainname; with LMTP it is either a domainname
prefixed with \fBinet:\fR or a pathname prefixed with \fBunix:\fR. If
-Postfix is built without TLS support, the resulting posttls\-finger
+Postfix is built without TLS support, the resulting \fBposttls\-finger\fR(1)
program has very limited functionality, and only the \fB\-a\fR, \fB\-c\fR,
\fB\-h\fR, \fB\-o\fR, \fB\-S\fR, \fB\-t\fR, \fB\-T\fR and \fB\-v\fR options
are available.
Arguments:
.IP "\fB\-a\fR \fIfamily\fR (default: \fBany\fR)"
Address family preference: \fBipv4\fR, \fBipv6\fR or \fBany\fR. When
-using \fBany\fR, posttls\-finger will randomly select one of the two as
-the more preferred, and exhaust all MX preferences for the first
-address family before trying any addresses for the other.
+using \fBany\fR, \fBposttls\-finger\fR(1) will randomly select one of
+the two as the more preferred, and exhaust all MX preferences for the
+first address family before trying any addresses for the other.
.IP "\fB\-A\fR \fItrust\-anchor.pem\fR (default: none)"
A list of PEM trust\-anchor files that overrides CAfile and CApath
trust chain verification. Specify the option multiple times to
fingerprints and matching against user provided certificate
fingerprints (with DANE TLSA records the algorithm is specified
in the DNS). In Postfix versions prior to 3.6, the default value
-was "sha1".
+was "md5".
.IP "\fB\-f\fR"
Lookup the associated DANE TLSA RRset even when a hostname is not an
alias and its address records lie in an unsigned zone. See
verification. By default no CAfile is used and no public CAs
are trusted.
.IP "\fB\-g \fIgrade\fR (default: medium)"
-The minimum TLS cipher grade used by posttls\-finger. See
-smtp_tls_mandatory_ciphers for details.
+The minimum TLS cipher grade used by \fBposttls\-finger\fR(1).
+See smtp_tls_mandatory_ciphers for details.
.IP "\fB\-h \fIhost_lookup\fR (default: \fBdns\fR)"
The hostname lookup methods used for the connection. See the
documentation of smtp_host_lookup for syntax and semantics.
security level allows you to test certificate or public\-key
fingerprint matches before you deploy them in the policy table.
.IP
-Note, since \fBposttls\-finger\fR does not actually deliver any email,
+Note, since \fBposttls\-finger\fR(1) does not actually deliver any email,
the \fBnone\fR, \fBmay\fR and \fBencrypt\fR security levels are not
very useful. Since \fBmay\fR and \fBencrypt\fR don't require peer
certificates, they will often negotiate anonymous TLS ciphersuites,
The TLS policy for MX hosts with "secure" TLSA records when the
nexthop destination security level is \fBdane\fR, but the MX
record was found via an "insecure" MX lookup. See the main.cf
-documentation for smtp_tls_insecure_mx_policy for details.
+documentation for smtp_tls_dane_insecure_mx_policy for details.
.IP "\fB\-o \fIname=value\fR"
Specify zero or more times to override the value of the main.cf
parameter \fIname\fR with \fIvalue\fR. Possible use\-cases include
overriding the values of TLS library parameters, or "myhostname" to
configure the SMTP EHLO name sent to the remote server.
.IP "\fB\-p \fIprotocols\fR (default: >=TLSv1)"
-TLS protocols that posttls\-finger will exclude or include. See
+TLS protocols that \fBposttls\-finger\fR(1) will exclude or include. See
smtp_tls_mandatory_protocols for details.
.IP "\fB\-P \fICApath/\fR (default: none)"
The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
Enable verbose Postfix logging. Specify more than once to increase
the level of verbose logging.
.IP "\fB\-w\fR"
-Enable outgoing TLS wrapper mode, or SMTPS support. This is typically
-provided on port 465 by servers that are compatible with the ad\-hoc
-SMTP in SSL protocol, rather than the standard STARTTLS protocol.
-The destination \fIdomain\fR:\fIport\fR should of course provide such
+Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support. This
+is typically provided on port 465 by servers that are compatible with
+the SMTP\-in\-SSL protocol, rather than the STARTTLS protocol.
+The destination \fIdomain\fR:\fIport\fR must of course provide such
a service.
.IP "\fB\-X\fR"
Enable \fBtlsproxy\fR(8) mode. This is an unsupported mode,
command above.
.IP \fB\-bl\fR
Go into daemon mode. To accept only local connections as
-with Sendmail\'s \fB\-bl\fR option, specify "\fBinet_interfaces
+with Sendmail's \fB\-bl\fR option, specify "\fBinet_interfaces
= loopback\fR" in the Postfix \fBmain.cf\fR configuration
file.
.IP \fB\-bm\fR
Initialize alias database. See the \fBnewaliases\fR
command above.
.IP "\fB\-i\fR"
-When reading a message from standard input, don\'t treat a line
+When reading a message from standard input, don't treat a line
with only a \fB.\fR character as the end of input.
.IP "\fB\-L \fIlabel\fR (ignored)"
The logging label. Use the \fBsyslog_name\fR configuration
To send 8\-bit or binary content, use an appropriate MIME encapsulation
and specify the appropriate \fB\-B\fR command\-line option.
.IP "\fB\-oi\fR"
-When reading a message from standard input, don\'t treat a line
+When reading a message from standard input, don't treat a line
with only a \fB.\fR character as the end of input.
.IP "\fB\-om\fR (ignored)"
The sender is never eliminated from alias etc. expansions.
The time after which the sender receives a copy of the message
headers of mail that is still queued.
.IP "\fBimport_environment (see 'postconf -d' output)\fR"
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides.
.IP "\fBmail_owner (postfix)\fR"
.IP \fBunix:\fR\fIpathname\fR
Listen on the UNIX\-domain socket at \fIpathname\fR.
.IP \fIbacklog\fR
-The maximum length the queue of pending connections,
+The maximum length of the queue of pending connections,
as defined by the \fBlisten\fR(2) system call.
.SH "DUMP FILE FORMAT"
.na
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those cases, the lookups
+can be directed to a TCP\-based server. In those cases, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
.SH "CASE FOLDING"
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
-Defer the request if some later restriction would result in a
+Defer the request if some later restriction would result in
an explicit or implicit PERMIT action.
Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
text...\fR" when the
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those cases, the lookups
+can be directed to a TCP\-based server. In those cases, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
off in email addresses.
.IP "\fBmasquerade_exceptions (empty)\fR"
Optional list of user names that are not subjected to address
-masquerading, even when their address matches $masquerade_domains.
+masquerading, even when their addresses match $masquerade_domains.
.IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
The list of domains that are delivered via the $local_transport
mail delivery transport.
.fi
Postfix parses the result as if it is a file in /etc/postfix.
+
+Note: if a rule contains \fB$\fR, specify \fB$$\fR to keep
+Postfix from trying to do \fI$name\fR expansion as it
+evaluates a parameter value.
.SH "EXAMPLE SMTPD ACCESS MAP"
.na
.nf
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those case, the lookups
+can be directed to a TCP\-based server. In those cases, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
.SH "CASE FOLDING"
This section describes how the table lookups change when lookups
are directed to a TCP\-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
The following \fBmain.cf\fR parameters are especially relevant.
The text below provides only a parameter summary. See
\fBpostconf\fR(5) for more details including examples.
-.IP \fBsmtp_generic_maps\fR
-Address mapping lookup table for envelope and header sender
-and recipient addresses while delivering mail via SMTP.
-.IP \fBpropagate_unmatched_extensions\fR
-A list of address rewriting or forwarding mechanisms that propagate
-an address extension from the original address to the result.
-Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR,
-\fBforward\fR, \fBinclude\fR, or \fBgeneric\fR.
+.IP "\fBsmtp_generic_maps (empty)\fR"
+Optional lookup tables that perform address rewriting in the
+Postfix SMTP client, typically to transform a locally valid address into
+a globally valid address when sending mail across the Internet.
+.IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
+What address lookup tables copy an address extension from the lookup
+key to the lookup result.
.PP
Other parameters of interest:
-.IP \fBinet_interfaces\fR
-The network interface addresses that this system receives mail on.
-You need to stop and start Postfix when this parameter changes.
-.IP \fBproxy_interfaces\fR
-Other interfaces that this machine receives mail on by way of a
-proxy agent or network address translator.
-.IP \fBmydestination\fR
-List of domains that this mail system considers local.
-.IP \fBmyorigin\fR
-The domain that is appended to locally\-posted mail.
-.IP \fBowner_request_special\fR
-Give special treatment to \fBowner\-\fIxxx\fR and \fIxxx\fB\-request\fR
-addresses.
+.IP "\fBinet_interfaces (all)\fR"
+The network interface addresses that this mail system receives
+mail on.
+.IP "\fBproxy_interfaces (empty)\fR"
+The network interface addresses that this mail system receives mail
+on by way of a proxy or network address translation unit.
+.IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
+The list of domains that are delivered via the $local_transport
+mail delivery transport.
+.IP "\fBmyorigin ($myhostname)\fR"
+The domain name that locally\-posted mail appears to come
+from, and that locally posted mail is delivered to.
+.IP "\fBowner_request_special (yes)\fR"
+Enable special treatment for owner\-\fIlistname\fR entries in the
+\fBaliases\fR(5) file, and don't split owner\-\fIlistname\fR and
+\fIlistname\fR\-request address localparts when the recipient_delimiter
+is set to "\-".
.SH "SEE ALSO"
.na
.nf
For the \fBsearch_base\fR parameter, the upper\-case equivalents
of the above expansions behave identically to their lower\-case
counter\-parts. With the \fBresult_format\fR parameter (previously
-called \fBresult_filter\fR see the COMPATIBILITY section and below),
-they expand to the corresponding components of input key rather
-than the result value.
+called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
+and below), they expand to the corresponding components of input
+key rather than the result value.
.IP "\fB%[1\-9]\fR"
The patterns %1, %2, ... %9 are replaced by the corresponding
most significant component of the input key's domain. If the
The upper\-case equivalents of the above expansions behave in the
\fBquery_filter\fR parameter identically to their lower\-case
counter\-parts. With the \fBresult_format\fR parameter (previously
-called \fBresult_filter\fR see the COMPATIBILITY section and below),
-they expand to the corresponding components of input key rather
-than the result value.
+called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
+and below), they expand to the corresponding components of input
+key rather than the result value.
.IP
The above %S, %U and %D expansions are available with Postfix 2.2
and later.
NOTE: DO NOT put quotes around the result format!
.IP "\fBdomain (default: no domain list)\fR"
This is a list of domain names, paths to files, or
-dictionaries. When specified, only fully qualified search
+"type:table" databases. When specified, only fully qualified search
keys with a *non\-empty* localpart and a matching domain
are eligible for lookup: 'user' lookups, bare domain lookups
and "@domain" lookups are not performed. This can significantly
.sp
The \fBlocal\fR(8), \fBpipe\fR(8), \fBspawn\fR(8), and
\fBvirtual\fR(8) daemons require privileges.
-.IP "\fBChroot (default: Postfix >= 3.0: n, Postfix <3.0: y)\fR"
+.IP "\fBChroot (default: Postfix >= 3.0: n, Postfix < 3.0: y)\fR"
Whether or not the service runs chrooted to the mail queue
directory (pathname is controlled by the \fBqueue_directory\fR
configuration variable in the main.cf file).
In order to use MySQL lookups, define a MySQL source as a lookup
table in main.cf, for example:
.nf
- alias_maps = mysql:/etc/mysql\-aliases.cf
+ alias_maps = mysql:/etc/postfix/mysql\-aliases.cf
.fi
The file /etc/postfix/mysql\-aliases.cf has the same format as
.IP "\fBhosts\fR"
The hosts that Postfix will try to connect to and query from.
Specify \fIunix:\fR for UNIX domain sockets, \fIinet:\fR for TCP
-connections (default). Example:
+connections (default). Examples:
.nf
+ hosts = inet:host1.some.domain inet:host2.some.domain:port
hosts = host1.some.domain host2.some.domain:port
hosts = unix:/file/name
.fi
NOTE: DO NOT put quotes around the result format!
.IP "\fBdomain (default: no domain list)\fR"
-This is a list of domain names, paths to files, or
-dictionaries. When specified, only fully qualified search
-keys with a *non\-empty* localpart and a matching domain
-are eligible for lookup: 'user' lookups, bare domain lookups
+This is a list of domain names, paths to files, or "type:table"
+databases. When specified, only fully qualified search keys
+with a *non\-empty* localpart and a matching domain are
+eligible for lookup: 'user' lookups, bare domain lookups
and "@domain" lookups are not performed. This can significantly
reduce the query load on the MySQL server.
.nf
databases. In order to use PostgreSQL lookups, define a
PostgreSQL source as a lookup table in main.cf, for example:
.nf
- alias_maps = pgsql:/etc/pgsql\-aliases.cf
+ alias_maps = pgsql:/etc/postfix/pgsql\-aliases.cf
.fi
The file /etc/postfix/pgsql\-aliases.cf has the same format as
Examples:
.nf
hosts = postgresql://username@example.com/tablename?sslmode=require
+ hosts = inet:host1.some.domain inet:host2.some.domain:port
hosts = host1.some.domain host2.some.domain:port
hosts = unix:/file/name
.fi
\fBselect_function\fR, \fBquery\fR, \fBselect_field\fR, ...
With Postfix 2.2 the \fBquery\fR parameter has highest precedence,
-see COMPATIBILITY above.
+see OBSOLETE QUERY INTERFACES below.
NOTE: DO NOT put quotes around the \fBquery\fR parameter.
.IP "\fBresult_format (default: \fB%s\fR)\fR"
NOTE: DO NOT put quotes around the result format!
.IP "\fBdomain (default: no domain list)\fR"
-This is a list of domain names, paths to files, or
-dictionaries. When specified, only fully qualified search
+This is a list of domain names, paths to files, or "type:table"
+databases. When specified, only fully qualified search
keys with a *non\-empty* localpart and a matching domain
are eligible for lookup: 'user' lookups, bare domain lookups
and "@domain" lookups are not performed. This can significantly
reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
seconds.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours).
.PP
This feature is available in Postfix 2.7.
.SH address_verify_default_transport (default: $default_transport)
stop\fR". This is the default with Postfix version 2.6 and earlier.
.PP
Specify a location in a file system that will not fill up. If the
-database becomes corrupted, the world comes to an end. To recover
+database becomes corrupted, the world comes to an end. To recover,
delete (NOT: truncate) the file and do "\fBpostfix reload\fR".
.PP
Postfix daemon processes do not use root privileges when opening
The time after which a failed probe expires from the address
verification cache.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_negative_refresh_time (default: 3h)
The time after which a failed address verification probe needs to
be refreshed.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_pending_request_limit (default: see "postconf \-d" output)
.PP
The default polling delay is 3 seconds.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_positive_expire_time (default: 31d)
The time after which a successful probe expires from the address
verification cache.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_positive_refresh_time (default: 7d)
to be refreshed. The address verification status is not updated
when the probe fails (optimistic caching).
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_relay_transport (default: $relay_transport)
resulted in wasted network and processing resources.
.PP
To enable time\-dependent probe sender addresses, specify a
-non\-zero time value (an integral value plus an optional one\-letter
-suffix that specifies the time unit). Specify a value of at least
-several hours, to avoid problems with senders that use greylisting.
-Avoid nice TTL values, to make the result less predictable. Time
-units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+non\-zero time value. Specify a value of at least several hours,
+to avoid problems with senders that use greylisting. Avoid nice
+TTL values, to make the result less predictable.
+.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.9 and later.
.SH address_verify_service_name (default: verify)
frequency of updates, the \fBanvil\fR(8) server uses volatile memory
only. Thus, information is lost whenever the process terminates.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH anvil_status_update_time (default: 600s)
How frequently the \fBanvil\fR(8) connection and rate limiting server
logs peak usage information.
.PP
-This feature is available in Postfix 2.2 and later.
-.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
+.PP
+This feature is available in Postfix 2.2 and later.
.SH append_at_myorigin (default: yes)
With locally submitted mail, append the string "@$myorigin" to mail
addresses without domain information. With remotely submitted mail,
How long the \fBpostkick\fR(1) command waits for a request to enter the
Postfix daemon process input buffer before giving up.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
bounce_queue_lifetime limit. By default, this limit is the same
as for regular mail.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).
.PP
Specify 0 when mail delivery should be tried only once.
.SH bounce_template_file (default: empty)
Pathname of a configuration file with bounce message templates.
These override the built\-in templates of delivery status notification
-(DSN) messages for undeliverable mail, for delayed mail, successful
+(DSN) messages for undeliverable mail, delayed mail, successful
delivery, or delivery verification. The \fBbounce\fR(5) manual page
describes how to edit and test template files.
.PP
The location of all postfix administrative commands.
.SH command_execution_directory (default: empty)
The \fBlocal\fR(8) delivery agent working directory for delivery to
-external command. Failure to change directory causes the delivery
+external commands. Failure to change directory causes the delivery
to be deferred.
.PP
The command_execution_directory value is not subject to Postfix
address extension delimiter (Postfix 2.10 and earlier).
.br
.IP "\fB${name?value}\fR"
+.IP "\fB${name?{value}}\fR (Postfix >= 3.0)"
Expands to \fIvalue\fR when \fI$name\fR is non\-empty.
.br
.IP "\fB${name:value}\fR"
+.IP "\fB${name:{value}}\fR (Postfix >= 3.0)"
Expands to \fIvalue\fR when \fI$name\fR is empty.
.br
+.IP "\fB${name?{value1}:{value2}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue1\fR when \fI$name\fR is non\-empty,
+\fIvalue2\fR otherwise.
+.br
.br
.PP
Instead of $name you can also specify ${name} or $(name).
How much time a Postfix daemon process may take to handle a
request before it is terminated by a built\-in watchdog timer.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH data_directory (default: see "postconf \-d" output)
The directory with Postfix\-writable data files (for example:
the other message can be delivered using no more delivery slots
(i.e., invocations of delivery agents) than the current message
counter has accumulated (or will eventually accumulate \- see about
-slot loans below). This parameter controls how often is the counter
+slot loans below). This parameter controls how often the counter is
incremented \- it happens after each default_delivery_slot_cost
recipients have been delivered.
.PP
This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
-transport_delivery_slot_discount percent of the required amount
-plus transport_delivery_slot_loan still remains to be accumulated.
+\fItransport\fR_delivery_slot_discount percent of the required amount
+plus \fItransport\fR_delivery_slot_loan still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
.PP
The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the \fBlmtp\fR(8),
\fBpipe\fR(8), \fBsmtp\fR(8) and \fBvirtual\fR(8) delivery agents.
-With per\-destination recipient limit > 1, a destination is a domain,
+With a per\-destination recipient limit > 1, a destination is a domain,
otherwise it is a recipient.
.PP
Use \fItransport\fR_destination_concurrency_limit to specify a
number of in\-memory recipients. This extra recipient space is
reserved for the cases when the Postfix queue manager's scheduler
preempts one message with another and suddenly needs some extra
-recipients slots for the chosen message in order to avoid performance
+recipient slots for the chosen message in order to avoid performance
degradation.
.PP
Use \fItransport\fR_extra_recipient_limit to specify a
name of the message delivery transport.
.SH default_privs (default: nobody)
The default rights used by the \fBlocal\fR(8) delivery agent for delivery
-to external file or command. These rights are used when delivery
+to an external file or command. These rights are used when delivery
is requested from an \fBaliases\fR(5) file that is owned by \fBroot\fR, or
when delivery is done on behalf of \fBroot\fR. \fBDO NOT SPECIFY A
PRIVILEGED USER OR THE POSTFIX OWNER\fR.
.IP "\fB$sender_name\fR"
The sender address localpart or <> in case of the null address.
.br
-.IP "\fB${name?text}\fR"
-Expands to `text' if $name is not empty.
+.IP "\fB${name?value}\fR"
+.IP "\fB${name?{value}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue\fR when \fI$name\fR is non\-empty.
+.br
+.IP "\fB${name:value}\fR"
+.IP "\fB${name:{value}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue\fR when \fI$name\fR is empty.
.br
-.IP "\fB${name:text}\fR"
-Expands to `text' if $name is empty.
+.IP "\fB${name?{value1}:{value2}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue1\fR when \fI$name\fR is non\-empty,
+\fIvalue2\fR otherwise.
.br
.br
.PP
transport\-specific override, where \fItransport\fR is the master.cf
name of the message delivery transport.
.SH default_recipient_refill_delay (default: 5s)
-The default per\-transport maximum delay between recipients refills.
-When not all message recipients fit into the memory at once, keep loading
+The default per\-transport maximum delay between refilling recipients.
+When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
-make sure the recipients are refilled in timely manner even when
+make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.
.PP
Use \fItransport\fR_recipient_refill_delay to specify a
This feature is available in Postfix 2.4 and later.
.SH default_recipient_refill_limit (default: 100)
The default per\-transport limit on the number of recipients refilled at
-once. When not all message recipients fit into the memory at once, keep
+once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See also
$default_recipient_refill_delay, which may result in recipient batches
lower than this when this limit is too high for too slow deliveries.
.SH default_verp_delimiters (default: +=)
The two default VERP delimiter characters. These are used when
no explicit delimiters are specified with the SMTP XVERP command
-or with the "\fBsendmail \-V\fR" command\-line option. Specify
-characters that are allowed by the verp_delimiter_filter setting.
+or with the "\fBsendmail \-XV\fR" command\-line option (Postfix 2.2
+and earlier: \fB\-V\fR). Specify characters that are allowed by the
+verp_delimiter_filter setting.
.PP
This feature is available in Postfix 1.1 and later.
.SH defer_code (default: 450)
.SH defer_transports (default: empty)
The names of message delivery transports that should not deliver mail
unless someone issues "\fBsendmail \-q\fR" or equivalent. Specify zero
-or more names of mail delivery transports names that appear in the
+or more mail delivery transport names that appear in the
first field of master.cf.
.PP
Example:
The maximal number of digits after the decimal point when logging
sub\-second delay values. Specify a number in the range 0..6.
.PP
-Large delay values are rounded off to an integral number seconds;
+Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged
as "0", and delay values under 100s are logged with at most two\-digit
precision.
The time between attempts to acquire an exclusive lock on a mailbox
file or \fBbounce\fR(8) logfile.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH destination_concurrency_feedback_debug (default: no)
Make the queue manager's feedback algorithm verbose for performance
.SH fork_delay (default: 1s)
The delay between attempts to fork() a child process.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.SH forward_expansion_filter (default: see "postconf \-d" output)
Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
$name expansions of $forward_path. Characters outside the
address extension delimiter (Postfix 2.10 and earlier).
.br
.IP "\fB${name?value}\fR"
+.IP "\fB${name?{value}}\fR (Postfix >= 3.0)"
Expands to \fIvalue\fR when \fI$name\fR is non\-empty.
.br
.IP "\fB${name:value}\fR"
+.IP "\fB${name:{value}}\fR (Postfix >= 3.0)"
Expands to \fIvalue\fR when \fI$name\fR is empty.
.br
+.IP "\fB${name?{value1}:{value2}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue1\fR when \fI$name\fR is non\-empty,
+\fIvalue2\fR otherwise.
+.br
.br
.PP
Instead of $name you can also specify ${name} or $(name).
.SH header_from_format (default: standard)
The format of the Postfix\-generated \fBFrom:\fR header. This
setting affects the appearance of 'full name' information when a
-local program such as /bin/mail submits a message without From:
+local program such as /bin/mail submits a message without a From:
header through the Postfix \fBsendmail\fR(1) command.
.PP
Specify one of the following:
lookup instead. This violates the SMTP standard and can result in
mis\-delivery of mail.
.SH import_environment (default: see "postconf \-d" output)
-The list of environment parameters that a privileged Postfix
+The list of environment variables that a privileged Postfix
process will import from a non\-Postfix parent process, or name=value
environment overrides. Unprivileged utilities will enforce the
name=value overrides, but otherwise will not change their process
-environment. Examples of relevant parameters:
+environment. Examples of relevant environment variables:
.IP "\fBTZ\fR"
May be needed for sane time keeping on most System\-V\-ish systems.
.br
.PP
Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace
-or comma in parameter values (whitespace after the opening "{" and
+or comma in environment variable values (whitespace after the opening "{" and
before the closing "}"
is ignored). The form name=value is supported with Postfix version
2.1 and later; the use of {} is supported with Postfix 3.0 and
.PP
With Postfix 2.4 the default value was reduced from 100s to 5s.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH ipc_timeout (default: 3600s)
The time limit for sending or receiving information over an internal
situations. If the time limit is exceeded the software aborts with a
fatal error.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH ipc_ttl (default: 1000s)
The time after which a client closes an active internal communication
after reaching their client limit. This is used, for example, by
the Postfix address resolving and rewriting clients.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
.br
.PP
Most of these limitations have been with the Postfix
-a connection cache that is shared among multiple LMTP client
+connection cache that is shared among multiple LMTP client
programs.
.SH lmtp_cname_overrides_servername (default: yes)
The LMTP\-specific version of the smtp_cname_overrides_servername
connection can be made within the deadline, the LMTP client tries
the next address on the mail exchanger list.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
Example:
is received within the deadline, a warning is logged that the mail
may be delivered multiple times.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_data_init_timeout (default: 120s)
The Postfix LMTP client time limit for sending the LMTP DATA command,
and
for receiving the remote LMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_data_xfer_timeout (default: 180s)
The Postfix LMTP client time limit for sending the LMTP message
When the connection stalls for more than $lmtp_data_xfer_timeout
the LMTP client terminates the transfer.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_defer_if_no_mx_address_found (default: no)
The LMTP\-specific version of the smtp_defer_if_no_mx_address_found
The hostname to send in the LMTP LHLO command.
.PP
The default value is the machine hostname. Specify a hostname or
-[ip.add.re.ss].
+[ip.add.re.ss] or [ip:v6:add:re::ss].
.PP
This information can be specified in the main.cf file for all LMTP
clients, or it can be specified in the master.cf file for a specific
The Postfix LMTP client time limit for sending the MAIL FROM command,
and for receiving the remote LMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_mime_header_checks (default: empty)
The LMTP\-specific version of the smtp_mime_header_checks
The Postfix LMTP client time limit for sending the QUIT command,
and for receiving the remote LMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_quote_rfc821_envelope (default: yes)
The LMTP\-specific version of the smtp_quote_rfc821_envelope
The Postfix LMTP client time limit for sending the RCPT TO command,
and for receiving the remote LMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_reply_filter (default: empty)
The LMTP\-specific version of the smtp_reply_filter
order to finish a recipient address probe, or to verify that a
cached connection is still alive.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH lmtp_sasl_auth_cache_name (default: empty)
The LMTP\-specific version of the smtp_sasl_auth_cache_name
.br
.IP "\fBnodictionary\fR"
Disallow authentication methods that are vulnerable to passive
-dictionary attack.
+dictionary attacks.
.br
.IP "\fBnoanonymous\fR"
Disallow anonymous logins.
server response announces XFORWARD support. This allows an \fBlmtp\fR(8)
delivery agent, used for content filter message injection, to
forward the name, address, protocol and HELO name of the original
-client to the content filter and downstream queuing LMTP server.
+client to the content filter and downstream LMTP server.
Before you change the value to yes, it is best to make sure that
your content filter supports this command.
.PP
In case of problems the client does NOT try the next address on
the mail exchanger list.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
.SH local_command_shell (default: empty)
-Optional shell program for \fBlocal\fR(8) delivery to non\-Postfix command.
+Optional shell program for \fBlocal\fR(8) delivery to non\-Postfix commands.
By default, non\-Postfix commands are executed directly; commands
are given to the default shell (typically, /bin/sh) only when they
contain shell meta characters or shell built\-in commands.
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
- inline:{ { root = *}, { postfix = * } },
+ inline:{ { root = * }, { postfix = * } },
pcre:/etc/postfix/login_senders
.fi
.ad
.ft C
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
- /(.+)/ $1 $1@example.com/
+ /(.+)/ $1 $1@example.com
.fi
.ad
.ft R
The recipient username.
.br
.IP "\fB${name?value}\fR"
-Expands to \fIvalue\fR when \fI$name\fR has a non\-empty value.
+.IP "\fB${name?{value}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue\fR when \fI$name\fR is non\-empty.
.br
.IP "\fB${name:value}\fR"
-Expands to \fIvalue\fR when \fI$name\fR has an empty value.
+.IP "\fB${name:{value}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue\fR when \fI$name\fR is empty.
+.br
+.IP "\fB${name?{value1}:{value2}}\fR (Postfix >= 3.0)"
+Expands to \fIvalue1\fR when \fI$name\fR is non\-empty,
+\fIvalue2\fR otherwise.
.br
.br
.PP
file, or zero (no limit). In fact, this limits the size of any
file that is written to upon local delivery, including files written
by external commands that are executed by the \fBlocal\fR(8) delivery
-agent.
+agent. The value cannot exceed LONG_MAX (typically, a 32\-bit or
+64\-bit signed integer).
.PP
This limit must not be smaller than the message size limit.
.SH mailbox_transport (default: empty)
is ignored by the Postfix queue manager and by other long\-lived
Postfix daemon processes.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH max_use (default: 100)
The maximal number of incoming connections that a Postfix daemon
This parameter should be set to a value greater than or equal
to $minimal_backoff_time. See also $queue_run_delay.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH maximal_queue_lifetime (default: 5d)
Consider a message as undeliverable, when delivery fails with a
temporary error, and the time in the queue has reached the
maximal_queue_lifetime limit.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is d (days).
.PP
Specify 0 when mail delivery should be tried only once.
This feature is available in Postfix 2.3 and later.
.SH message_size_limit (default: 10240000)
The maximal size in bytes of a message, including envelope information.
+The value cannot exceed LONG_MAX (typically, a 32\-bit or 64\-bit
+signed integer).
.PP
Note: be careful when making changes. Excessively small values
will result in the loss of non\-delivery notifications, when a bounce
filter) application, and for receiving the response.
.PP
Specify a non\-zero time value (an integral value plus an optional
-one\-letter suffix that specifies the time unit).
-.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds).
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.3 and later.
.SH milter_connect_macros (default: see "postconf \-d" output)
application, and for negotiating protocol options.
.PP
Specify a non\-zero time value (an integral value plus an optional
-one\-letter suffix that specifies the time unit).
-.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds).
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.3 and later.
.SH milter_content_timeout (default: 300s)
filter) application, and for receiving the response.
.PP
Specify a non\-zero time value (an integral value plus an optional
-one\-letter suffix that specifies the time unit).
-.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds).
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.3 and later.
.SH milter_data_macros (default: see "postconf \-d" output)
applications. These defaults are used when there is no corresponding
information from the message delivery context.
.PP
-Specify \fIname=value\fR or \fI{name}=value\fR pairs separated
+Specify \fIname=value\fR or \fI{name=value}\fR pairs separated
by comma or whitespace. Enclose a pair in "{}" when a value contains
comma or whitespace (this form ignores whitespace after the enclosing
"{", around the "=", and before the enclosing "}").
This parameter should be set greater than or equal to
$queue_run_delay. See also $maximal_backoff_time.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH multi_instance_directories (default: empty)
An optional list of non\-default Postfix configuration directories;
in Postfix version 2.4 and later.
.PP
Note 1: Pattern matching of domain names is controlled by the
-or absence of "mynetworks" in the parent_domain_matches_subdomains
+presence or absence of "mynetworks" in the parent_domain_matches_subdomains
parameter value.
.PP
Note 2: IP version 6 address information must be specified inside
Specify "mynetworks_style = subnet" when Postfix
should "trust" remote SMTP clients in the same IP subnetworks as the local
machine. On Linux, this works correctly only with interfaces
-specified with the "ifconfig" command.
+specified with the "ifconfig" or "ip" command.
.IP \(bu
Specify "mynetworks_style = class" when Postfix should
"trust" remote SMTP clients in the same IP class A/B/C networks as the
does not arrive via the Postfix \fBsmtpd\fR(8) server. This includes local
submission via the \fBsendmail\fR(1) command line, new mail that arrives
via the Postfix \fBqmqpd\fR(8) server, and old mail that is re\-injected
-into the queue with "postsuper \-r". Specify space or comma as
+into the queue with "postsuper \-r". Specify space or comma as a
separator. See the MILTER_README document for details.
.PP
This feature is available in Postfix 2.3 and later.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 3.4 and later.
.SH postmulti_control_commands (default: reload flush)
return. Specify one of the following:
.IP "\fBignore\fR"
Ignore the failure of this test. Allow other tests to complete.
-Do \fInot\fR repeat this test before some the result from some
+Do \fInot\fR repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_blacklist_action (default: ignore)
reload\fR", "\fBpostfix stop\fR", or no requests for $max_idle
seconds.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_cache_map (default: btree:$data_directory/postscreen_cache)
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_client_connection_count_limit (default: $smtpd_client_connection_count_limit)
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours).
.PP
This feature is available in Postfix 3.1. The default setting
is backwards\-compatible with older Postfix versions.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 3.1.
.SH postscreen_dnsbl_reply_map (default: empty)
-A mapping from actual DNSBL domain name which includes a secret
+A mapping from an actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used.
the timeouts in the \fBdnsblog\fR(8) daemon which are defined by system
\fBresolver\fR(3) routines.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 3.0.
.SH postscreen_dnsbl_ttl (default: 1h)
The amount of time that \fBpostscreen\fR(8) will use the result from
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours).
.PP
This feature is available in Postfix 2.8\-3.0. It was
replaced by postscreen_dnsbl_max_ttl in Postfix 3.1.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_greet_wait (default: normal: 6s, overload: 2s)
up to 6 seconds otherwise).
.PP
Specify a non\-zero time value (an integral value plus an optional
-one\-letter suffix that specifies the time unit).
-.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks).
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_helo_required (default: $smtpd_helo_required)
parameter. Specify one of the following:
.IP "\fBignore\fR"
Ignore the failure of this test. Allow other tests to complete.
-Do \fInot\fR repeat this test before some the result from some
+Do \fInot\fR repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_pipelining_action (default: enforce)
the server to respond. Specify one of the following:
.IP "\fBignore\fR"
Ignore the failure of this test. Allow other tests to complete.
-Do \fInot\fR repeat this test before some the result from some
+Do \fInot\fR repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently.
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_post_queue_limit (default: $default_process_limit)
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.8.
.SH postscreen_whitelist_interfaces (default: static:all)
The minimal delay between warnings that a specific destination is
clogging up the Postfix active queue. Specify 0 to disable.
.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is enabled with the helpful_warnings parameter.
.PP
This feature is available in Postfix 2.0 and later.
How much time a Postfix queue manager process may take to handle
a request before it is terminated by a built\-in watchdog timer.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.8 and later.
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.8 and later.
reply to the remote QMQP client. The purpose is to slow down confused
or malicious clients.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH qmqpd_timeout (default: 300s)
The time limit for sending or receiving information over the network.
If a read or write operation blocks for more than $qmqpd_timeout
seconds the Postfix QMQP server gives up and disconnects.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH queue_directory (default: see "postconf \-d" output)
The location of the Postfix top\-level queue directory. This is the
This parameter should be set less than or equal to
$minimal_backoff_time. See also $maximal_backoff_time.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH queue_service_name (default: qmgr)
The name of the \fBqmgr\fR(8) service. This service manages the Postfix
may then be used to generate an extended .forward file name. This
implementation recognizes one delimiter character and one extension
per email address localpart or email address. With Postfix 2.10 and
-earler, the recipient_delimiter specifies a single character.
+earlier, the recipient_delimiter specifies a single character.
.PP
See \fBcanonical\fR(5), \fBlocal\fR(8), \fBrelocated\fR(5) and \fBvirtual\fR(5) for the
effects of recipient_delimiter on lookups in aliases, canonical,
tables
listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
-use the result from table lookup.
+use the result from the table lookup.
.PP
Specify zero or more "type:name" lookup tables, separated by
whitespace or comma. Tables will be searched in the specified order
How long the Postfix \fBmaster\fR(8) waits before forking a server that
appears to be malfunctioning.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH setgid_group (default: postdrop)
The group ownership of set\-gid Postfix commands and of group\-writable
disable the time limit (i.e. use whatever timeout is implemented by
the operating system).
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_connection_cache_destinations (default: empty)
Permanently enable SMTP connection caching for the specified
When no response is received within the deadline, a warning is
logged that the mail may be delivered multiple times.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_data_init_timeout (default: 120s)
The Postfix SMTP client time limit for sending the SMTP DATA command,
The Postfix SMTP client time limit for sending the HELO or EHLO command,
and for receiving the initial remote SMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_host_lookup (default: dns)
What mechanisms the Postfix SMTP client uses to look up a host's
The Postfix SMTP client time limit for sending the MAIL FROM command,
and for receiving the remote SMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_mime_header_checks (default: empty)
Restricted \fBmime_header_checks\fR(5) tables for the Postfix SMTP
".<CR><LF>" in order to work around the PIX firewall
"<CR><LF>.<CR><LF>" bug.
.PP
-Choosing a too short time makes this workaround ineffective when
+Choosing too short a time makes this workaround ineffective when
sending large messages over slow network connections.
+.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.SH smtp_pix_workaround_maps (default: empty)
Lookup tables, indexed by the remote SMTP server address, with
per\-destination workarounds for CISCO PIX firewall bugs. The table
bug workaround for delivery through firewalls with "smtp fixup"
mode turned on.
.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
By default, the workaround is turned off for mail that is queued
for less than 500 seconds. In other words, the workaround is normally
turned off for the first delivery attempt.
The Postfix SMTP client time limit for sending the QUIT command,
and for receiving the remote SMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_quote_rfc821_envelope (default: yes)
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands
The Postfix SMTP client time limit for sending the SMTP RCPT TO
command, and for receiving the remote SMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtp_reply_filter (default: empty)
A mechanism to transform replies from remote SMTP servers one
order to finish a recipient address probe, or to verify that a
cached session is still usable.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.1 and later.
.SH smtp_sasl_auth_cache_name (default: empty)
An optional table to prevent repeated SASL authentication
username and password, and the full server response. This information
is stored when a remote SMTP server rejects an authentication attempt
with a 535 reply code. As long as the smtp_sasl_password_maps
-information does no change, and as long as the smtp_sasl_auth_cache_name
+information does not change, and as long as the smtp_sasl_auth_cache_name
information does not expire (see smtp_sasl_auth_cache_time) the
Postfix SMTP client avoids SASL authentication attempts with the
same server, username and password, and instead bounces or defers
The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed.
.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days).
+.PP
This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_auth_enable (default: no)
Enable SASL authentication in the Postfix SMTP client. By default,
Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tcp_port (default: smtp)
The default TCP port that the Postfix SMTP client connects to.
The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper\-evident" since any forged MX hostnames
will be recorded in the mail logs. Attackers who place a high value
-staying hidden may be deterred from forging MX records.
+on staying hidden may be deterred from forging MX records.
.PP
This feature is available in Postfix 3.1 and later. The \fBmay\fR
policy is backwards\-compatible with earlier Postfix versions.
checking. This setting has no effect on sessions that are controlled
via the smtp_tls_per_site table.
.PP
-Disabling the hostname verification can make sense in closed
+Disabling the hostname verification can make sense in a closed
environment where special CAs are created. If not used carefully,
this option opens the danger of a "man\-in\-the\-middle" attack (the
CommonName of this attacker will be logged).
.ft R
.in -4
.PP
-The first setting, disables anonymous ciphers. The next setting
+The first setting disables anonymous ciphers. The next setting
disables ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256\-SHA"
.ft R
.in -4
.PP
-The text to the right of "=" sign is the desired fingerprint.
+The text to the right of the "=" sign is the desired fingerprint.
For example:
.sp
.in +4
.in -4
.PP
The Postfix SMTP server and client log the peer (leaf) certificate
-fingerprint and public key fingerprint when the TLS loglevel is 2 or
+fingerprint and the public key fingerprint when the TLS loglevel is 2 or
higher.
.PP
This feature is available in Postfix 2.5 and later.
2 Also log levels during TLS negotiation.
.br
.IP ""
-3 Also log hexadecimal and ASCII dump of TLS negotiation
-process.
+3 Also log the hexadecimal and ASCII dump of the
+TLS negotiation process.
.br
.IP ""
-4 Also log hexadecimal and ASCII dump of complete
+4 Also log the hexadecimal and ASCII dump of complete
transmission after STARTTLS.
.br
.br
.IP "\fBexport\fR"
Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used.
.br
.IP "\fBlow\fR"
Enable "LOW" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used.
.br
.IP "\fBmedium\fR"
Enable "MEDIUM" grade or better OpenSSL ciphers.
The underlying cipherlist is specified via the tls_medium_cipherlist
-configuration parameter, which you are strongly encouraged to not change.
+configuration parameter, which you are strongly encouraged not to change.
.br
.IP "\fBhigh\fR"
Enable only "HIGH" grade OpenSSL ciphers. This setting may
mail is routed to a suitably capable relayhost) support at least one
"HIGH" grade cipher. The underlying cipherlist is specified via the
tls_high_cipherlist configuration parameter, which you are strongly
-encouraged to not change.
+encouraged not to change.
.br
.IP "\fBnull\fR"
Enable only the "NULL" OpenSSL ciphers, these provide authentication
in TLS servers). A plausible use\-case is an LMTP server listening on a
UNIX\-domain socket that is configured to support "NULL" ciphers. The
underlying cipherlist is specified via the tls_null_cipherlist
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change.
.br
.br
With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
-!SSLv3". Listing the protocols to include, rather than protocols to
+!SSLv3". Listing the protocols to include, rather than the protocols to
exclude, is supported, but not recommended. The exclusion syntax more
accurately matches the underlying OpenSSL interface.
.PP
.ft R
.in -4
.PP
-also disables any protocols version higher than TLSv1.1 leaving
+also disables any protocol versions higher than TLSv1.1 leaving
only "TLSv1" enabled.
.PP
Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
.PP
While the vast majority of SMTP servers with DANE TLSA records now
support at least TLS 1.2, a few still only support TLS 1.0. If you use
-"dane" or "dane\-only" it is best to not disable TLSv1, except perhaps
+"dane" or "dane\-only" it is best not to disable TLSv1, except perhaps
via the policy table for destinations which you are sure will support
"TLSv1.2".
.PP
Optional lookup tables with the Postfix SMTP client TLS usage
policy by next\-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per\-site policy (NONE,
-MUST, etc) overrides the less specific one (MAY), and the more secure
-per\-site policy (MUST, etc) overrides the less secure one (NONE).
+MUST, etc.) overrides the less specific one (MAY), and the more secure
+per\-site policy (MUST, etc.) overrides the less secure one (NONE).
With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged:
use smtp_tls_policy_maps instead.
.PP
.br
.IP "MAY"
Try to use TLS if the server announces support,
-otherwise use the unencrypted connection. This has less precedence
+otherwise use an unencrypted connection. This has less precedence
than a more specific result (including \fBNONE\fR) from the alternate
host or next\-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure \fBNONE\fR
-and \fBMUST_NOPEERMATCH\fR or a less specific \fBMAY\fR lookup
+or \fBMUST_NOPEERMATCH\fR or a less specific \fBMAY\fR lookup
result from the alternate host or next\-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings.
and "connection_reuse" attribute (Postfix >= 3.4) override the
"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols",
and
-"smtp_tls_connection_reuse" configuration parameters. When opportunistic
+"smtp_tls_connection_reuse" configuration parameters. In the policy table,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
+as attribute values may not contain whitespace or commas. When opportunistic
TLS handshakes fail, Postfix retries the connection with TLS disabled.
This allows mail delivery to sites with non\-interoperable TLS
implementations.
smtp_tls_mandatory_exclude_ciphers parameter, and the optional
"connection_reuse" attribute (Postfix >= 3.4) overrides the
main.cf smtp_tls_connection_reuse parameter. In the policy table,
-multiple protocols or excluded ciphers must be separated by colons,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
as attribute values may not contain whitespace or commas.
.br
.IP "\fBdane\fR"
TLS authentication and DNSSEC support is available with Postfix
2.11 and later. The optional "connection_reuse" attribute (Postfix
>= 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
+When the effective security level used is may, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix >= 2.6) override the
+"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and "smtp_tls_protocols"
+configuration parameters.
+When the effective security level used is encrypt, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix >= 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters.
.br
.IP "\fBdane\-only\fR"
Mandatory DANE TLS. The TLS policy for the destination is
usable TLSA records are obtained for the remote SMTP server, the
server certificate must match the TLSA records. RFC 7672 (DANE) TLS
authentication and DNSSEC support is available with Postfix 2.11
-and later. The optional "connection_reuse" attribute (Postfix >=
-3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
+and later. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix >= 2.6) override the "smtp_tls_mandatory_ciphers",
+"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix >= 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
.br
.IP "\fBfingerprint\fR"
Certificate fingerprint
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, ... are not checked. Instead,
-the optional \fBmatch\fR attribute, or else the main.cf
+the optional "match" attribute, or else the main.cf
\fBsmtp_tls_fingerprint_cert_match\fR parameter, lists the certificate
fingerprints or the public key fingerprint (Postfix 2.9 and later)
of the valid server certificate. The digest
be combined with a "|" delimiter in a single match attribute, or multiple
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
-digits. The optional "connection_reuse" attribute (Postfix >= 3.4)
-overrides the main.cf smtp_tls_connection_reuse parameter.
+digits. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix >= 2.6) override the "smtp_tls_mandatory_ciphers",
+"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix >= 3.4) overrides the main.cf smtp_tls_connection_reuse
+parameter.
.br
.IP "\fBverify\fR"
Mandatory TLS verification. At this security
the main.cf smtp_tls_verify_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
In practice explicit control over matching is more common with the
-"secure" policy, described below. The optional "connection_reuse"
-attribute (Postfix >= 3.4) overrides the main.cf
+"secure" policy, described below. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix >= 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters. The optional
+"connection_reuse" attribute (Postfix >= 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter.
.br
.IP "\fBsecure\fR"
gateway IP addresses, are \fBnot\fR trusted to be secure enough for TLS
peername verification. Instead, the default name verified in the server
certificate is obtained directly from the next\-hop, or is explicitly
-specified via the optional \fBmatch\fR attribute which overrides the
+specified via the optional "match" attribute which overrides the
main.cf smtp_tls_secure_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
The match attribute is most useful when multiple domains are supported by
-common server, the policy entries for additional domains specify matching
+a common server: the policy entries for additional domains specify matching
rules for the primary domain certificate. While transport table overrides
-routing the secondary domains to the primary nexthop also allow secure
+that route the secondary domains to the primary nexthop also allow secure
verification, they risk delivery to the wrong destination when domains
change hands or are re\-assigned to new gateways. With the "match"
attribute approach, routing is not perturbed, and mail is deferred if
-verification of a new MX host fails. The optional "connection_reuse"
-attribute (Postfix >= 3.4) overrides the main.cf
+verification of a new MX host fails. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix >= 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters. The optional
+"connection_reuse" attribute (Postfix >= 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter.
.br
.br
.ad
.ft R
.PP
-\fBNote:\fR The \fBhostname\fR strategy if listed in a non\-default
-setting of smtp_tls_secure_cert_match or in the \fBmatch\fR attribute
-in the policy table can render the \fBsecure\fR level vulnerable to
-DNS forgery. Do not use the \fBhostname\fR strategy for secure\-channel
+\fBNote:\fR The "hostname" strategy if listed in a non\-default
+setting of smtp_tls_secure_cert_match or in the "match" attribute
+in the policy table can render the "secure" level vulnerable to
+DNS forgery. Do not use the "hostname" strategy for secure\-channel
configurations in environments where DNS security is not assured.
.PP
This feature is available in Postfix 2.3 and later.
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=\fIversion\fR" where
-\fIversion\fR is a either one of the TLS protocol names listed above,
+\fIversion\fR is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=\fIversion\fR". There must be no whitespace between
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_security_level (default: empty)
-The default SMTP TLS security level for the Postfix SMTP client;
-when a non\-empty value is specified, this overrides the obsolete
-parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
+The default SMTP TLS security level for the Postfix SMTP client.
+When a non\-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
+when no value is specified for smtp_tls_enforce_peername or the obsolete
+parameters, the default SMTP TLS security level is
+none.
.PP
Specify one of the following security levels:
.IP "\fBnone\fR"
.ft C
# Opportunistic TLS.
smtp_tls_security_level = may
-# Do not tweak opportunistic ciphers or protocol unless it is essential
+# Do not tweak opportunistic ciphers or protocols unless it is essential
# to do so (if a security vulnerability is found in the SSL library that
# can be mitigated by disabling a particular protocol or raising the
# cipher grade).
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the \fBtlsmgr\fR(8) daemon. This means that
per\-smtp\-instance master.cf overrides of this parameter are not effective.
-Note, that each of the cache databases supported by \fBtlsmgr\fR(8) daemon:
+Note that each of the cache databases supported by \fBtlsmgr\fR(8) daemon:
$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to
be stored separately. It is not at this time possible to store multiple
<= 0, session caching is disabled. If set to a positive value
less than 2 minutes, the minimum value of 2 minutes is used instead.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_trust_anchor_file (default: empty)
Zero or more PEM\-format files with trust\-anchor certificates
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no)
Request that the Postfix SMTP client connects using the
-legacy SMTPS protocol instead of using the STARTTLS command.
+SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command.
.PP
This mode requires "smtp_tls_security_level = encrypt" or
stronger.
The Postfix SMTP client time limit for sending the XFORWARD command,
and for receiving the remote SMTP server response.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
Postfix actually accepts those commands. The time unit is specified
with the anvil_rate_time_unit configuration parameter.
.PP
-By default, there is no limit on the number AUTH commands that a
+By default, there is no limit on the number of AUTH commands that a
client may send.
.PP
To disable this feature, specify a limit of 0.
.IP "\fBcheck_ccert_access \fItype:table\fR\fR"
By default use the remote SMTP client certificate fingerprint
or the public key
-fingerprint (Postfix 2.9 and later) as lookup key for the specified
+fingerprint (Postfix 2.9 and later) as the lookup key for the specified
\fBaccess\fR(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
This feature is available in Postfix 2.7 and later.
.br
.IP "\fBcheck_sasl_access \fItype:table\fR\fR"
-Use the remote SMTP client SASL user name as lookup key for
+Use the remote SMTP client SASL user name as the lookup key for
the specified \fBaccess\fR(5) database. The lookup key has the form
"username@domainname" when the smtpd_sasl_local_domain parameter
value is non\-empty. Unlike the check_client_access feature,
.IP "\fBpermit_tls_all_clientcerts\fR"
Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
-CA issues the certificates and only this CA is listed as trusted
+CA issues the certificates and only this CA is listed as a trusted
CA. Otherwise, clients with a third\-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
.ft C
# Append XVERP to MAIL FROM commands to request VERP\-style delivery.
# See VERP_README for more information on how to use Postfix VERP.
- /^(MAIL FROM:\es*<listname@example\e.com>.*)/ $1 XVERP
+ /^(MAIL\es+FROM:\es*<listname@example\e.com>.*)/ $1 XVERP
.fi
.ad
.ft R
a client has made more than $smtpd_soft_error_limit errors, and
fewer than $smtpd_hard_error_limit errors, without delivering mail.
.PP
-With Postfix version 2.0 and earlier: the SMTP server delay before
-sending a reject (4xx or 5xx) response, when the client has made
-fewer than $smtpd_soft_error_limit errors without delivering
-mail.
+With Postfix version 2.0 and earlier: the SMTP server delay
+before sending a reject (4xx or 5xx) response, when the client has
+made fewer than $smtpd_soft_error_limit errors without delivering
+mail. When the client has made $smtpd_soft_error_limit or more errors,
+delay all responses with the larger of (number of errors) seconds
+or $smtpd_error_sleep_time.
+.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.SH smtpd_etrn_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the
context of a client ETRN command.
.SH smtpd_hard_error_limit (default: normal: 20, overload: 1)
The maximal number of errors a remote SMTP client is allowed to
make without delivering mail. The Postfix SMTP server disconnects
-when the limit is exceeded. Normally the default limit is 20, but
+when the limit is reached. Normally the default limit is 20, but
it changes under overload to just 1. With Postfix 2.5 and earlier,
the SMTP server always allows up to 20 errors by default.
+Valid values are greater than zero.
.SH smtpd_helo_required (default: no)
Require that a remote SMTP client introduces itself with the HELO
or EHLO command before sending the MAIL command or other commands
The time after which an idle SMTPD policy service connection is
closed.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_policy_service_max_ttl (default: 1000s)
The time after which an active SMTPD policy service connection is
closed.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_policy_service_policy_context (default: empty)
Optional information that the Postfix SMTP server specifies in
The delay between attempts to resend a failed SMTPD policy
service request. Specify a value greater than zero.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 3.0 and later.
.SH smtpd_policy_service_timeout (default: 100s)
The time limit for connecting to, writing to, or receiving from a
delegated SMTPD policy server.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_policy_service_try_limit (default: 2)
The maximal number of attempts to send an SMTPD policy service
Specify "host:port" or "inet:host:port" for a TCP endpoint, or
"unix:pathname" for a UNIX\-domain endpoint. The host can be specified
as an IP address or as a symbolic name; no MX lookups are done.
-When no "host" or "host:" are specified, the local machine is
+When no "host" or "host:" is specified, the local machine is
assumed. Pathname interpretation is relative to the Postfix queue
directory.
.PP
generic error message while more detailed information is logged to
the maillog file.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.1 and later.
.IP "\fBpermit_auth_destination\fR"
Permit the request when one of the following is true:
.IP \(bu
-Postfix is mail forwarder: the resolved RCPT TO domain matches
+Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and the address contains no
sender\-specified routing (user@elsewhere@domain),
.IP \(bu
.br
.br
.IP "\fBpermit_mx_backup\fR"
-Permit the request when the local mail system is backup MX for
+Permit the request when the local mail system is a backup MX for
the RCPT TO domain, or when the domain is an authorized destination
(see permit_auth_destination for definition).
.IP \(bu
access is not restricted with permit_mx_backup_networks.
.IP \(bu
Safety: as of Postfix version 2.3, permit_mx_backup no longer
-accepts the address when the local mail system is primary MX for
+accepts the address when the local mail system is a primary MX for
the recipient domain. Exception: permit_mx_backup accepts the address
when it specifies an authorized destination (see permit_auth_destination
for definition).
.IP "\fBreject_unauth_destination\fR"
Reject the request unless one of the following is true:
.IP \(bu
-Postfix is mail forwarder: the resolved RCPT TO domain matches
+Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and contains no sender\-specified
routing (user@elsewhere@domain),
.IP \(bu
The
unverified_recipient_reject_code parameter specifies the numerical
response code when an address is known to bounce (default: 450,
-change into 550 when you are confident that it is safe to do so).
+change it to 550 when you are confident that it is safe to do so).
.br
The unverified_recipient_defer_code parameter specifies the
numerical response code when an address probe failed due to a
.IP \(bu
Mail from clients whose IP address matches $mynetworks, or:
.IP \(bu
+Mail from clients who are SASL authenticated, or:
+.IP \(bu
Mail to remote destinations that match $relay_domains, except
for addresses that contain sender\-specified routing
(user@elsewhere@domain), or:
.PP
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
-network part of a host address. You can also "/file/name" or
+network part of a host address. You can also specify "/file/name" or
"type:table" patterns. A "/file/name" pattern is replaced by its
contents; a "type:table" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue
Postfix version 2.1 and later.
.br
.IP "\fBreject_unknown_sender_domain\fR"
-Reject the request when Postfix is not final destination for
+Reject the request when Postfix is not the final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS A
record, or 2) a malformed MX record such as a record with
delivering mail before the Postfix SMTP server slows down all its
responses.
.IP \(bu
-With Postfix version 2.1 and later, the Postfix SMTP server
-delays all responses by $smtpd_error_sleep_time seconds.
+With Postfix version 2.1 and later, when the error count
+is > $smtpd_soft_error_limit, the Postfix SMTP server
+delays all responses by $smtpd_error_sleep_time.
+.IP \(bu
+With Postfix versions 2.0 and earlier, when the error count
+is > $smtpd_soft_error_limit, the Postfix SMTP server delays all
+responses by the larger of (number of errors) seconds or
+$smtpd_error_sleep_time.
.IP \(bu
-With Postfix versions 2.0 and earlier, the Postfix SMTP
-server delays all responses by (number of errors) seconds.
+With Postfix versions 2.0 and earlier, when the error count
+is <= $smtpd_soft_error_limit, the Postfix SMTP server delays 4XX
+and 5XX responses by $smtpd_error_sleep_time.
.br
.SH smtpd_starttls_timeout (default: see "postconf \-d" output)
The time limit for Postfix SMTP server write and read operations
default value is stress\-dependent. Before Postfix version 2.8, it
was fixed at 300s.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_timeout (default: normal: 300s, overload: 10s)
When the Postfix SMTP server wants to send an SMTP server
Note: if you set SMTP time limits to very large values you may have
to update the global ipc_timeout parameter.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH smtpd_tls_CAfile (default: empty)
A file containing (PEM format) CA certificates of root CAs trusted
The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
.ad
.ft R
.PP
-This feature is available with Postfix version 2.2.
+This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_dh512_param_file (default: empty)
File with DH parameters that the Postfix SMTP server should
use with export\-grade EDH ciphers. The default SMTP server cipher
.ad
.ft R
.PP
-This feature is available with Postfix version 2.2.
+This feature is available in Postfix 2.2 and later,
+but is ignored in Postfix 3.6 and later.
.SH smtpd_tls_dkey_file (default: $smtpd_tls_dcert_file)
File with the Postfix SMTP server DSA private key in PEM format.
This file may be combined with the Postfix SMTP server DSA certificate
.IP "\fBexport\fR"
Enable "EXPORT" grade or stronger OpenSSL ciphers. The
underlying cipherlist is specified via the tls_export_cipherlist
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change. This choice is insecure and SHOULD NOT be used.
.br
.IP "\fBlow\fR"
Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used.
.br
.IP "\fBmedium\fR"
or longer symmetric bulk\-encryption keys. This is the default minimum
strength for mandatory TLS encryption. The underlying cipherlist is
specified via the tls_medium_cipherlist configuration parameter, which
-you are strongly encouraged to not change.
+you are strongly encouraged not to change.
.br
.IP "\fBhigh\fR"
Enable only "HIGH" grade OpenSSL ciphers. The
case that all clients are prepared to use NULL ciphers (not normally
enabled in TLS clients). The underlying cipherlist is specified via the
tls_null_cipherlist configuration parameter, which you are strongly
-encouraged to not change.
+encouraged not to change.
.br
.br
.PP
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the \fBtlsmgr\fR(8) daemon. This means that
per\-smtpd\-instance master.cf overrides of this parameter are not
-effective. Note, that each of the cache databases supported by \fBtlsmgr\fR(8)
+effective. Note that each of the cache databases supported by \fBtlsmgr\fR(8)
daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be
stored separately. It is not at this time possible to store multiple
an OpenSSL library (at least version 0.9.8h) that provides full
support for this TLS extension.
.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later, and updated
for TLS session ticket support in Postfix 2.11.
.SH smtpd_tls_wrappermode (default: no)
-Run the Postfix SMTP server in the non\-standard "wrapper" mode,
+Run the Postfix SMTP server in TLS "wrapper" mode,
instead of using the STARTTLS command.
.PP
If you want to support this service, enable a special port in
master.cf, and specify "\-o smtpd_tls_wrappermode=yes" on the SMTP
-server's command line. Port 465 (smtps) was once chosen for this
-purpose.
+server's command line. Port 465 (submissions/smtps) is reserved for
+this purpose.
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_upstream_proxy_protocol (default: empty)
The time limit for the proxy protocol specified with the
smtpd_upstream_proxy_protocol parameter.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.10 and later.
.SH smtpd_use_tls (default: no)
Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
This feature is available in Postfix 3.0 and later.
.SH smtputf8_enable (default: yes)
Enable preliminary SMTPUTF8 support for the protocols described
-in RFC 6531..6533. This requires that Postfix is built to support
-these protocols.
+in RFC 6531, RFC 6532, and RFC 6533. This requires that Postfix is
+built to support these protocols.
.PP
This feature is available in Postfix 3.0 and later.
.SH soft_bounce (default: no)
The time after which a stale exclusive mailbox lockfile is removed.
This is used for delivery to file or mailbox.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH stress (default: empty)
This feature is documented in the STRESS_README document.
.PP
Note: It is unwise to omit sha256 from the digest list. This
digest algorithm is the only mandatory to implement digest algorithm
-in RFC 6698, and many servers are expected publish TLSA records
+in RFC 6698, and many servers are expected to publish TLSA records
with just sha256 digests. Unless one of the standard digests is
seriously compromised and servers have had ample time to update their
TLSA records you should not omit any standard digests, just arrange
SMTP client and server. These curves are used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = auto". The selected curves
must be implemented by OpenSSL and be standardized for use in TLS
-(RFC 4492 or its imminent successor). It is unwise to list only
+(RFC 8422). It is unwise to list only
"bleeding\-edge" curves supported by a small subset of clients. The
default list is suitable for most users.
.PP
strong" means approximately 128\-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by \fBecparam\fR(1) with the "\-list_curves" option) and be one
-of the curves listed in Section 5.1.1 of RFC 4492. You should not
+of the curves listed in Section 5.1.1 of RFC 8422. You should not
generally change this setting. Remote SMTP client implementations
must support this curve for EECDH key exchange to take place. It
-is unwise to choose an "bleeding\-edge" curve supported by only a
+is unwise to choose only "bleeding\-edge" curves supported by only a
small subset of clients.
.PP
The default "strong" curve is rated in NSA Suite
users should instead set "smtpd_tls_eecdh_grade = strong". The selected
curve must be implemented by OpenSSL (as reported by \fBecparam\fR(1) with the
"\-list_curves" option) and be one of the curves listed in Section 5.1.1
-of RFC 4492. You should not generally change this setting.
+of RFC 8422. You should not generally change this setting. Remote SMTP
+client implementations must support this curve for EECDH key exchange
+to take place. It is unwise to choose only "bleeding\-edge" curves
+supported by only a small subset of clients.
.PP
This default "ultra" curve is rated in NSA Suite
B for information classified up to TOP SECRET.
releases before the middle of 2015 this is the default cipherlist
for the opportunistic ("may") TLS client security level and also
the default cipherlist for the SMTP server. You are strongly
-encouraged to not change this setting.
+encouraged not to change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_fast_shutdown_enable (default: yes)
the meaning of the "high" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged to not change this setting.
+encouraged not to change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_legacy_public_key_fingerprints (default: no)
the meaning of the "low" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged to not change this setting.
+encouraged not to change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_medium_cipherlist (default: see "postconf \-d" output)
default cipherlist for mandatory TLS encryption in the TLS client
(with anonymous ciphers disabled when verifying server certificates).
This is the default cipherlist for opportunistic TLS with Postfix
-releases after the middle of 2015. You are strongly encouraged to
-not change this setting.
+releases after the middle of 2015. You are strongly encouraged not
+to change this setting.
.PP
This feature is available in Postfix 2.3 and later.
.SH tls_null_cipherlist (default: eNULL:!aNULL)
The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
-lmtp_tls_mandatory_ciphers. You are strongly encouraged to not
+setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
change this setting.
.PP
This feature is available in Postfix 2.3 and later.
the pseudo random number generator (PRNG) to the file specified
with $tls_random_exchange_name.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later.
.SH tls_random_reseed_period (default: 3600s)
The maximal time between attempts by \fBtlsmgr\fR(8) to re\-seed the
sources. The actual time between re\-seeding attempts is calculated
using the PRNG, and is between 0 and the time specified.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
This feature is available in Postfix 2.2 and later.
.SH tls_random_source (default: see "postconf \-d" output)
The external entropy source for the in\-memory \fBtlsmgr\fR(8) pseudo
EGD compatible socket interface, or dev:/path/to/device for a
device file.
.PP
-Note: on OpenBSD systems specify /dev/arandom when /dev/urandom
+Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors.
.PP
This feature is available in Postfix 2.2 and later.
.PP
When this parameter is non\-empty, the Postfix SMTP server enables
SNI extension processing, and logs SNI values that are invalid or
-don't match an entry in the the specified tables. When an entry
+don't match an entry in the specified tables. When an entry
does match, the SNI name is logged as part of the connection summary
at log levels 1 and higher.
.PP
This feature is available in Postfix 3.4 and later.
.SH tlsproxy_client_enforce_tls (default: $smtp_enforce_tls)
Enforcement mode: require that SMTP servers use TLS encryption.
-See smtp_enforce_tls for further details.
+See smtp_enforce_tls for further details. Use
+tlsproxy_client_security_level instead.
.PP
This feature is available in Postfix 3.4 and later.
.SH tlsproxy_client_fingerprint_digest (default: $smtp_tls_fingerprint_digest)
This feature is available in Postfix 3.4 and later.
.SH tlsproxy_client_use_tls (default: $smtp_use_tls)
Opportunistic mode: use TLS when a remote server announces TLS
-support. See smtp_use_tls for further details.
+support. See smtp_use_tls for further details. Use
+tlsproxy_client_security_level instead.
.PP
This feature is available in Postfix 3.4 and later.
.SH tlsproxy_enforce_tls (default: $smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
-further details.
+further details. Use tlsproxy_tls_security_level instead.
.PP
This feature is available in Postfix 2.8 and later.
.SH tlsproxy_service_name (default: tlsproxy)
.SH tlsproxy_use_tls (default: $smtpd_use_tls)
Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
-for further details.
+for further details. Use tlsproxy_tls_security_level instead.
.PP
This feature is available in Postfix 2.8 and later.
.SH tlsproxy_watchdog_timeout (default: 10s)
Specify a non\-zero time value (an integral value plus an optional
one\-letter suffix that specifies the time unit). Time units: s
(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
.PP
This feature is available in Postfix 2.8 and later
.SH trace_service_name (default: trace)
The time between attempts by the Postfix queue manager to contact
a malfunctioning message delivery transport.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH transport_time_limit (default: $command_time_limit)
A transport\-specific override for the command_time_limit parameter
value, where \fItransport\fR is the master.cf name of the message
delivery transport.
.PP
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
Note: \fItransport\fR_time_limit parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination
A transport\-specific override for the default_transport_rate_delay
parameter value, where the initial \fItransport\fR in the parameter
name is the master.cf name of the message delivery transport.
+.PP
+Specify a non\-negative time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds).
+.PP
+Note: \fItransport\fR_transport_rate_delay parameters will
+not show up in "postconf" command output before Postfix version
+2.9. This limitation applies to many parameters whose name is a
+combination of a master.cf service name and a built\-in suffix (in
+this case: "_transport_rate_delay").
.SH trigger_timeout (default: 10s)
The time limit for sending a trigger to a Postfix daemon (for
example, the \fBpickup\fR(8) or \fBqmgr\fR(8) daemon). This time limit prevents
programs from getting stuck when the mail system is under heavy
load.
.PP
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
+Specify a non\-zero time value (an integral value plus an optional
+one\-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH undisclosed_recipients_header (default: see "postconf \-d" output)
Message header that the Postfix \fBcleanup\fR(8) server inserts when a
.PP
This feature is available in Postfix 3.0 and later.
.SH virtual_alias_domains (default: $virtual_alias_maps)
-Postfix is final destination for the specified list of virtual
+Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
to addresses in other local or remote domains. The SMTP server
validates recipient addresses with $virtual_alias_maps and rejects
Specify a list of host or domain names, "/file/name" or
"type:table" patterns, separated by commas and/or whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table"
-lookup table is matched when a table entry matches a lookup string
+lookup table is matched when a table entry matches a host or domain name
(the lookup result is ignored). Continue long lines by starting
the next line with whitespace. Specify "!pattern" to exclude a host
or domain name from the list. The form "!/file/name" is supported
This feature is available in Postfix 2.1 and later.
.SH virtual_alias_maps (default: $virtual_maps)
Optional lookup tables that alias specific mail addresses or domains
-to other local or remote address. The table format and lookups
+to other local or remote addresses. The table format and lookups
are documented in \fBvirtual\fR(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
.PP
.ad
.ft R
.SH virtual_mailbox_domains (default: $virtual_mailbox_maps)
-Postfix is final destination for the specified list of domains;
+Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.
By default this is the Postfix \fBvirtual\fR(8) delivery agent. The SMTP
server validates recipient addresses with $virtual_mailbox_maps
match any user in the specified domain that does not have a specific
"user@domain.tld" entry.
.PP
+With the default "virtual_mailbox_domains = $virtual_mailbox_maps",
+lookup tables also need entries with a left\-hand side of "domain.tld"
+to satisfy virtual_mailbox_domain lookups (the right\-hand side is
+required but will not be used).
+.PP
The remainder of this text is specific to the \fBvirtual\fR(8) delivery
agent. It does not apply when mail is delivered with a different
mail delivery program.
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those case, the lookups
+can be directed to a TCP\-based server. In those case, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
expression lookup table syntax, see \fBregexp_table\fR(5) or
\fBpcre_table\fR(5). For a description of the TCP client/server
table lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is available in Postfix 2.5 and later.
Each pattern is a regular expression that is applied to the entire
address being looked up. Thus, \fIuser@domain\fR mail addresses are not
This section describes how the table lookups change when lookups
are directed to a TCP\-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
The following \fBmain.cf\fR parameters are especially relevant.
The text below provides only a parameter summary. See
\fBpostconf\fR(5) for more details including examples.
-.IP \fBrelocated_maps\fR
-List of lookup tables for relocated users or sites.
+.IP "\fBrelocated_maps (empty)\fR"
+Optional lookup tables with new contact information for users or
+domains that no longer exist.
.PP
Other parameters of interest:
-.IP \fBinet_interfaces\fR
-The network interface addresses that this system receives mail on.
-You need to stop and start Postfix when this parameter changes.
-.IP \fBmydestination\fR
-List of domains that this mail system considers local.
-.IP \fBmyorigin\fR
-The domain that is appended to locally\-posted mail.
-.IP \fBproxy_interfaces\fR
-Other interfaces that this machine receives mail on by way of a
-proxy agent or network address translator.
+.IP "\fBinet_interfaces (all)\fR"
+The network interface addresses that this mail system receives
+mail on.
+.IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
+The list of domains that are delivered via the $local_transport
+mail delivery transport.
+.IP "\fBmyorigin ($myhostname)\fR"
+The domain name that locally\-posted mail appears to come
+from, and that locally posted mail is delivered to.
+.IP "\fBproxy_interfaces (empty)\fR"
+The network interface addresses that this mail system receives mail
+on by way of a proxy or network address translation unit.
.SH "SEE ALSO"
.na
.nf
In order to use SQLite lookups, define an SQLite source as a lookup
table in main.cf, for example:
.nf
- alias_maps = sqlite:/etc/sqlite\-aliases.cf
+ alias_maps = sqlite:/etc/postfix/sqlite\-aliases.cf
.fi
The file /etc/postfix/sqlite\-aliases.cf has the same format as
NOTE: DO NOT put quotes around the result format!
.IP "\fBdomain (default: no domain list)\fR"
-This is a list of domain names, paths to files, or
-dictionaries. When specified, only fully qualified search
+This is a list of domain names, paths to files, or "type:table"
+databases. When specified, only fully qualified search
keys with a *non\-empty* localpart and a matching domain
are eligible for lookup: 'user' lookups, bare domain lookups
and "@domain" lookups are not performed. This can significantly
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those case, the lookups
+can be directed to a TCP\-based server. In those case, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
.SH "CASE FOLDING"
Alternatively, the table can be provided as a regular\-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP\-based server. In those case, the lookups
+can be directed to a TCP\-based server. In those case, the lookups
are done in a slightly different way as described below under
"REGULAR EXPRESSION TABLES" or "TCP\-BASED TABLES".
.SH "CASE FOLDING"
$\fBmydestination\fR, or when it is listed in $\fBinet_interfaces\fR
or $\fBproxy_interfaces\fR.
.sp
-This functionality overlaps with functionality of the local
+This functionality overlaps with the functionality of the local
\fIaliases\fR(5) database. The difference is that \fBvirtual\fR(5)
mapping can be applied to non\-local addresses.
.IP "@\fIdomain address, address, ...\fR"
The \fBpropagate_unmatched_extensions\fR parameter controls whether
an unmatched address extension (\fI+foo\fR) is propagated to the
-result of table lookup.
+result of a table lookup.
.SH "VIRTUAL ALIAS DOMAINS"
.na
.nf
This section describes how the table lookups change when lookups
are directed to a TCP\-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is available in Postfix 2.5 and later.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
a configuration change.
.IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
Optional lookup tables that alias specific mail addresses or domains
-to other local or remote address.
+to other local or remote addresses.
.IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
-Postfix is final destination for the specified list of virtual
+Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
to addresses in other local or remote domains.
.IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
(complete recipient address), \fB$extension\fR (recipient address
extension), \fB$domain\fR (recipient domain), \fB$local\fR
(entire recipient address localpart) and
-\fB$recipient_delimiter.\fR The forms \fI${name?value}\fR and
-\fI${name:value}\fR expand conditionally to \fIvalue\fR when
-\fI$name\fR is (is not) defined.
-Characters that may have special meaning to the shell or file system
-are replaced by underscores. The list of acceptable characters
-is specified with the \fBforward_expansion_filter\fR configuration
+\fB$recipient_delimiter.\fR The forms \fI${name?value}\fR
+and \fI${name?{value}}\fR (Postfix 3.0 and later) expand
+conditionally to \fIvalue\fR when \fI$name\fR is defined,
+and the forms \fI${name:value}\fR \fI${name:{value}}\fR
+(Postfix 3.0 and later) expand conditionally to \fIvalue\fR
+when \fI$name\fR is not defined. The form
+\fI${name?{value1}:{value2}}\fR (Postfix 3.0 and later)
+expands conditionally to \fIvalue1\fR when \fI$name\fR is
+defined, or \fIvalue2\fR otherwise. Characters that may
+have special meaning to the shell or file system are replaced
+with underscores. The list of acceptable characters is
+specified with the \fBforward_expansion_filter\fR configuration
parameter.
An alias or ~/.\fBforward\fR file may list any combination of external
address), \fB$extension\fR (recipient address extension),
\fB$domain\fR (recipient domain), \fB$local\fR (entire
recipient address localpart) and \fB$recipient_delimiter.\fR
-The forms \fI${name?value}\fR and \fI${name:value}\fR expand
-conditionally to \fIvalue\fR when \fI$name\fR is (is not)
-defined. Characters that may have special meaning to the
-shell or file system are replaced by underscores. The list
-of acceptable characters is specified with the
-\fBexecution_directory_expansion_filter\fR configuration
-parameter.
+The forms \fI${name?value}\fR and \fI${name?{value}}\fR
+(Postfix 3.0 and later) expand conditionally to \fIvalue\fR
+when \fI$name\fR is defined, and the forms \fI${name:value}\fR
+and \fI${name:{value}}\fR (Postfix 3.0 and later) expand
+conditionally to \fIvalue\fR when \fI$name\fR is not defined.
+The form \fI${name?{value1}:{value2}}\fR (Postfix 3.0 and
+later) expands conditionally to \fIvalue1\fR when \fI$name\fR
+is defined, or \fIvalue2\fR otherwise. Characters that may
+have special meaning to the shell or file system are replaced
+with underscores. The list of acceptable characters
+is specified with the \fBexecution_directory_expansion_filter\fR
+configuration parameter.
The command is executed directly where possible. Assistance by the
shell (\fB/bin/sh\fR on UNIX systems) is used only when the command
A limited amount of message context is exported via environment
variables. Characters that may have special meaning to the shell
-are replaced by underscores. The list of acceptable characters
+are replaced with underscores. The list of acceptable characters
is specified with the \fBcommand_expansion_filter\fR configuration
parameter.
.IP \fBSHELL\fR
Available in Postfix version 2.2 and later:
.IP "\fBcommand_execution_directory (empty)\fR"
The \fBlocal\fR(8) delivery agent working directory for delivery to
-external command.
+external commands.
.SH "MAILBOX LOCKING CONTROLS"
.na
.nf
$name expansions of $mailbox_command and $command_execution_directory.
.IP "\fBdefault_privs (nobody)\fR"
The default rights used by the \fBlocal\fR(8) delivery agent for delivery
-to external file or command.
+to an external file or command.
.IP "\fBforward_expansion_filter (see 'postconf -d' output)\fR"
Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
$name expansions of $forward_path.
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBlocal_command_shell (empty)\fR"
-Optional shell program for \fBlocal\fR(8) delivery to non\-Postfix command.
+Optional shell program for \fBlocal\fR(8) delivery to non\-Postfix commands.
.IP "\fBmax_idle (100s)\fR"
The maximum amount of time that an idle Postfix daemon process waits
for an incoming connection before terminating voluntarily.
.nf
\fIRight\fR: command \-f $sender \-\- $recipient
.fi
+NOTE: DO NOT put quotes around the command, $sender, or $recipient.
.IP
This feature is available as of Postfix 2.3.
.IP "\fBsize\fR=\fIsize_limit\fR (optional)"
and spawns an external command whenever a connection is established.
The connection can be made over local IPC (such as UNIX\-domain
sockets) or over non\-local IPC (such as TCP sockets).
-The command\'s standard input, output and error streams are connected
+The command's standard input, output and error streams are connected
directly to the communication endpoint.
This daemon expects to be run from the \fBmaster\fR(8) process
.IP "\fBtlsproxy_enforce_tls ($smtpd_enforce_tls)\fR"
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption.
+.IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+Opportunistic mode: use TLS when a remote server announces TLS
+support.
+.IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+Enforcement mode: require that SMTP servers use TLS encryption.
.SH "RESOURCE CONTROLS"
.na
.nf
.ad
.fi
The \fBtrivial\-rewrite\fR(8) servers run under control by
-the Postfix master
+the Postfix master(8)
server. Each server can handle multiple simultaneous connections.
When all servers are busy while a client connects, the master
creates a new server process, provided that the trivial\-rewrite
.ad
.fi
Mail bounces when the recipient has no mailbox or when the
-recipient is over disk quota. In all other cases, mail for
+recipient is over disk quota. In all other problem cases, mail for
an existing recipient is deferred and a warning is logged.
Problems and transactions are logged to \fBsyslogd\fR(8)
.PP
Available in Postfix version 2.0 and later:
.IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
-Postfix is final destination for the specified list of domains;
+Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.
.IP "\fBvirtual_transport (virtual)\fR"
The default mail delivery transport and next\-hop destination for
--- /dev/null
+#!/bin/sh
+
+# Finds double words in C comments. See mantools/comment.c for 'comment'
+# source code.
+
+LANG=C; export LANG
+
+find src -name '*.[hc]' | xargs cat | comment | mantools/deroff | mantools/find-double | fgrep -vxf proto/stop.double-cc
--- /dev/null
+#!/bin/sh
+
+# Finds double words in install and proto text files.
+
+LANG=C; export LANG
+
+ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | xargs mantools/deroff | mantools/find-double | fgrep -vxf proto/stop.double-install-proto-text
--- /dev/null
+#!/bin/sh
+
+# Finds double words in proto html files.
+
+LANG=C; export LANG
+
+ls proto/*.html proto/*.proto | xargs mantools/dehtml | mantools/find-double | fgrep -vxf proto/stop.double-proto-html
--- /dev/null
+#!/bin/sh
+
+# Spellchecks comments in C source code. See mantools/comment.c for
+# 'comment' source code.
+
+LANG=C; export LANG
+
+find . -name *.[hc] | xargs cat | comment | mantools/deroff | spell | fgrep -vxf proto/stop | fgrep -vxf proto/stop.spell-cc
--- /dev/null
+#!/bin/sh
+
+# Spellchecks the install scripts and proto non-html files.
+
+LANG=C; export LANG
+
+ls *install* proto/* | egrep -v 'stop|Makefile|html|\.proto' | mantools/deroff | spell | fgrep -vxf proto/stop
--- /dev/null
+#!/bin/sh
+
+# Spellchecks the proto HTML files.
+
+LANG=C; export LANG
+
+mantools/dehtml proto/*html proto/*.proto | spell | fgrep -vxf proto/stop | fgrep -vxf proto/stop.spell-proto-html
--- /dev/null
+#include <stdio.h>
+
+void copy_comment()
+{
+ int c;
+
+ while ((c = getchar()) != EOF) {
+ if (c == '*') {
+ if ((c = getchar()) == '/') {
+ putchar('\n');
+ return;
+ }
+ if (c != EOF)
+ ungetc(c, stdin);
+ putchar('*');
+ } else {
+ putchar(c);
+ }
+ }
+}
+
+void skip_string(int quote)
+{
+ int c;
+
+ while ((c = getchar()) != EOF) {
+ if (c == quote) {
+ return;
+ } else if (c == '\\') {
+ getchar();
+ }
+ }
+}
+
+int main()
+{
+ int c;
+
+ while ((c = getchar()) != EOF) {
+ switch (c) {
+ case '/':
+ if ((c = getchar()) == '*') {
+ copy_comment();
+ } else if (c == '/') {
+ while ((c = getchar()) != EOF) {
+ putchar(c);
+ if (c == '\n')
+ break;
+ }
+ } else {
+ if (c != EOF)
+ ungetc(c, stdin);
+ }
+ break;
+ case '"':
+ case '\'':
+ skip_string(c);
+ break;
+ case '\\':
+ (void) getchar();
+ break;
+ default:
+ break;
+ }
+ }
+}
--- /dev/null
+#!/bin/sh
+
+sed '
+ s/^\.[^ ]*//
+ s/\\f.//g
+ s/\\(..//g
+' "$@"
--- /dev/null
+#!/bin/sh
+
+sed 's/[^A-Z0-9a-z_][^A-Z0-9a-z_]*/ /g' "$@" | awk '
+ { for (i = 1; i <= NF; i++) {
+ if (length($i) > 1 && $(i) == last) {
+ if (i == 1)
+ printf("%s ", last)
+ print
+ }
+ last = $(i)
+ }
+ }
+'
$printit = 0;
next LINE;
}
- if (/"[Hh][Tt][Tt][Pp]:/) {
+ if (/"[Hh][Tt][Tt][Pp][Ss]?:/) {
print;
$printit = 0;
next LINE;
s;\bcon[-</bB>]*\n*[ <bB>]*tent_filter\b;<a href="postconf.5.html#content_filter">$&</a>;g;
s;\bdata_direc[-</bB>]*\n*[ <bB>]*tory\b;<a href="postconf.5.html#data_directory">$&</a>;g;
s;\bdae[-</bB>]*\n*[ <bB>]*mon_direc[-</bB>]*\n*[ <bB>]*tory\b;<a href="postconf.5.html#daemon_directory">$&</a>;g;
+ s;\bdaemon_table_open_error_is_fatal\b;<a href="postconf.5.html#daemon_table_open_error_is_fatal">$&</a>;g;
s;\bdaemon_timeout\b;<a href="postconf.5.html#daemon_timeout">$&</a>;g;
s;\bdebug_peer_level\b;<a href="postconf.5.html#debug_peer_level">$&</a>;g;
s;\bdebug_peer_list\b;<a href="postconf.5.html#debug_peer_list">$&</a>;g;
s;\bdefault_delivery_status_filter\b;<a href="postconf.5.html#default_delivery_status_filter">$&</a>;g;
s;\bdefault_data[-</Bb>]*\n* *[<Bb>]*base_type\b;<a href="postconf.5.html#default_database_type">$&</a>;g;
s;\bdefault_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_cost\b;<a href="postconf.5.html#default_delivery_slot_cost">$&</a>;g;
- s;\bdefault_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_discount\b;<a href="postconf.5.html#default_delivery_slot_discount">$&</a>;g;
+ s;\bdefault_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_dis
[-</Bb>]*\n* *[<Bb>]*count\b;<a href="postconf.5.html#default_delivery_slot_discount">$&</a>;g;
s;\bdefault_deliv[-</Bb>]*\n* *[<Bb>]*ery_slot_loan\b;<a href="postconf.5.html#default_delivery_slot_loan">$&</a>;g;
- s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_concur[-</Bb>]*\n* *[<Bb>]*rency_limit\b;<a href="postconf.5.html#default_destination_concurrency_limit">$&</a>;g;
+ s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_con
[-</Bb>]*\n* *[<Bb>]*cur[-</Bb>]*\n* *[<Bb>]*rency_limit\b;<a href="postconf.5.html#default_destination_concurrency_limit">$&</a>;g;
s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_recip[-</bB>]*\n* *[<bB>]*i[-</bB>]*\n* *[<bB>]*ent_limit\b;<a href="postconf.5.html#default_destination_recipient_limit">$&</a>;g;
s;\bdefault_extra_recipi[-</bB>]*\n* *[<bB>]*ent_limit\b;<a href="postconf.5.html#default_extra_recipient_limit">$&</a>;g;
s;\bdefault_minimum_deliv[-</Bb>]*\n* *[<Bb>]*ery_slots\b;<a href="postconf.5.html#default_minimum_delivery_slots">$&</a>;g;
s;\bdefault_privs\b;<a href="postconf.5.html#default_privs">$&</a>;g;
s;\bdefault_process_limit\b;<a href="postconf.5.html#default_process_limit">$&</a>;g;
s;\bdefault_rbl_reply\b;<a href="postconf.5.html#default_rbl_reply">$&</a>;g;
- s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_refill_limit\b;<a href="postconf.5.html#default_recipient_refill_limit">$&</a>;g;
- s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_refill_delay\b;<a href="postconf.5.html#default_recipient_refill_delay">$&</a>;g;
+ s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_re
[-</bB>]*\n* *[<bB>]*fill_limit\b;<a href="postconf.5.html#default_recipient_refill_limit">$&</a>;g;
+ s;\bdefault_recipi[-</bB>]*\n* *[<bB>]*ent_re
[-</bB>]*\n* *[<bB>]*fill_delay\b;<a href="postconf.5.html#default_recipient_refill_delay">$&</a>;g;
s;\bdefault_recip[-</bB>]*\n* *[<bB>]*ient_limit\b;<a href="postconf.5.html#default_recipient_limit">$&</a>;g;
s;\bdefault_transport\b;<a href="postconf.5.html#default_transport">$&</a>;g;
s;\bsender[-</bB>]*\n* *[<bB>]*_de[-</bB>]*\n* *[<bB>]*pen[-</bB>]*\n* *[<bB>]*dent_de[-</bB>]*\n* *[<bB>]*fault[-</bB>]*\n* *[<bB>]*_trans[-</bB>]*\n* *[<bB>]*port[-</bB>]*\n* *[<bB>]*_maps\b;<a href="postconf.5.html#sender_dependent_default_transport_maps">$&</a>;g;
s;\bheader_address_token_limit\b;<a href="postconf.5.html#header_address_token_limit">$&</a>;g;
s;\bheader_checks\b;<a href="postconf.5.html#header_checks">$&</a>;g;
s;\bheader_size_limit\b;<a href="postconf.5.html#header_size_limit">$&</a>;g;
+ s;\bheader_from_format\b;<a href="postconf.5.html#header_from_format">$&</a>;g;
s;\bhelpful_warnings\b;<a href="postconf.5.html#helpful_warnings">$&</a>;g;
s;\bhome_mailbox\b;<a href="postconf.5.html#home_mailbox">$&</a>;g;
s;\bhopcount_limit\b;<a href="postconf.5.html#hopcount_limit">$&</a>;g;
s;\bin_flow_delay\b;<a href="postconf.5.html#in_flow_delay">$&</a>;g;
s;\binet_inter[-</bB>]*\n*[ <bB>]*faces\b;<a href="postconf.5.html#inet_interfaces">$&</a>;g;
s;\binet_protocols\b;<a href="postconf.5.html#inet_protocols">$&</a>;g;
- s;\binitial_desti[-</bB>]*\n*[ <bB>]*nation_concur[-</bB>]*\n*[ <bB>]*rency\b;<a href="postconf.5.html#initial_destination_concurrency">$&</a>;g;
+ s;\binitial_desti[-</bB>]*\n*[ <bB>]*nation_con
[-</bB>]*\n*[ <bB>]*cur[-</bB>]*\n*[ <bB>]*rency\b;<a href="postconf.5.html#initial_destination_concurrency">$&</a>;g;
s;\binvalid_hostname_reject_code\b;<a href="postconf.5.html#invalid_hostname_reject_code">$&</a>;g;
s;\bipc_idle\b;<a href="postconf.5.html#ipc_idle">$&</a>;g;
s;\bipc_timeout\b;<a href="postconf.5.html#ipc_timeout">$&</a>;g;
s;\bline_length_limit\b;<a href="postconf.5.html#line_length_limit">$&</a>;g;
s;\blmdb_map_size\b;<a href="postconf.5.html#lmdb_map_size">$&</a>;g;
s;\blmtp_address_preference\b;<a href="postconf.5.html#lmtp_address_preference">$&</a>;g;
+ s;\blmtp_bind_address_enforce\b;<a href="postconf.5.html#lmtp_bind_address_enforce">$&</a>;g;
s;\blmtp_body_checks\b;<a href="postconf.5.html#lmtp_body_checks">$&</a>;g;
s;\blmtp_cname_overrides_servername\b;<a href="postconf.5.html#lmtp_cname_overrides_servername">$&</a>;g;
s;\blmtp_delivery_status_filter\b;<a href="postconf.5.html#lmtp_delivery_status_filter">$&</a>;g;
s;\bqmqpd_authorized_clients\b;<a href="postconf.5.html#qmqpd_authorized_clients">$&</a>;g;
s;\bservice_name\b;<a href="postconf.5.html#service_name">$&</a>;g;
- s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_concur[-</Bb>]*\n* *[<Bb>]*rency_negative_feedback\b;<a href="postconf.5.html#default_destination_concurrency_negative_feedback">$&</a>;g;
- s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_concur[-</Bb>]*\n* *[<Bb>]*rency_positive_feedback\b;<a href="postconf.5.html#default_destination_concurrency_positive_feedback">$&</a>;g;
- s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_con[-</Bb>]*\n* *[<Bb>]*currency_failed_cohort_limit\b;<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">$&</a>;g;
+ s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_con
[-</Bb>]*\n* *[<Bb>]*cur[-</Bb>]*\n* *[<Bb>]*rency_negative_feedback\b;<a href="postconf.5.html#default_destination_concurrency_negative_feedback">$&</a>;g;
+ s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_con
[-</Bb>]*\n* *[<Bb>]*cur[-</Bb>]*\n* *[<Bb>]*rency_positive_feedback\b;<a href="postconf.5.html#default_destination_concurrency_positive_feedback">$&</a>;g;
+ s;\bdefault_desti[-</Bb>]*\n* *[<Bb>]*na[-</Bb>]*\n* *[<Bb>]*tion_con[-</Bb>]*\n* *[<Bb>]*cur
[-</Bb>]*\n* *[<Bb>]*rency_failed_cohort_limit\b;<a href="postconf.5.html#default_destination_concurrency_failed_cohort_limit">$&</a>;g;
s;\bdestination_concurrency_feedback_debug\b;<a href="postconf.5.html#destination_concurrency_feedback_debug">$&</a>;g;
s;\bdefault_destina[-</Bb>]*\n* *[<Bb>]*tion_rate_delay\b;<a href="postconf.5.html#default_destination_rate_delay">$&</a>;g;
- s;\bdefault_trans[-<\/bB>]*\n*[ <bB>]*port_rate_delay\b;<a href="postconf.5.html#default_transport_rate_delay">$&</a>;g;
+ s;\bdefault_trans[-<\/bB>]*\n*[ <bB>]*port_rate_de
[-<\/bB>]*\n*[ <bB>]*lay\b;<a href="postconf.5.html#default_transport_rate_delay">$&</a>;g;
s;\bmeta_directory\b;<a href="postconf.5.html#meta_directory">$&</a>;g;
s;\bqmqpd_client_port_logging\b;<a href="postconf.5.html#qmqpd_client_port_logging">$&</a>;g;
s;\bsmtpd_sasl_tls_security_options\b;<a href="postconf.5.html#smtpd_sasl_tls_security_options">$&</a>;g;
s;\bsmtpd_sasl_type\b;<a href="postconf.5.html#smtpd_sasl_type">$&</a>;g;
s;\bsmtpd_sasl_mechanism_filter\b;<a href="postconf.5.html#smtpd_sasl_mechanism_filter">$&</a>;g;
+ s;\bsmtpd_sasl_service\b;<a href="postconf.5.html#smtpd_sasl_service">$&</a>;g;
s;\bsmtpd_start[-</bB>]*\n* *[<bB>]*tls_timeout\b;<a href="postconf.5.html#smtpd_starttls_timeout">$&</a>;g;
s;\bsmtpd_tls_CAfile\b;<a href="postconf.5.html#smtpd_tls_CAfile">$&</a>;g;
s;\bsmtpd_tls_CApath\b;<a href="postconf.5.html#smtpd_tls_CApath">$&</a>;g;
s;\btls_preempt_cipherlist\b;<a href="postconf.5.html#tls_preempt_cipherlist">$&</a>;g;
s;\btls_disable_workarounds\b;<a href="postconf.5.html#tls_disable_workarounds">$&</a>;g;
s;\btls_append_default_CA\b;<a href="postconf.5.html#tls_append_default_CA">$&</a>;g;
- s;\btls_legacy_public_key_fingerprints\b;<a href="postconf.5.html#tls_legacy_public_key_fingerprint">$&</a>;g;
+ s;\btls_legacy_public_key_fingerprints\b;<a href="postconf.5.html#tls_legacy_public_key_fingerprints">$&</a>;g;
s;\btls_dane_digests\b;<a href="postconf.5.html#tls_dane_digests">$&</a>;g;
s;\btls_wildcard_matches_multiple_labels\b;<a href="postconf.5.html#tls_wildcard_matches_multiple_labels">$&</a>;g;
s;\btls_session_ticket_cipher\b;<a href="postconf.5.html#tls_session_ticket_cipher">$&</a>;g;
s;\bknown_tcp_ports\b;<a href="postconf.5.html#known_tcp_ports">$&</a>;g;
# Transport-dependent magical parameters.
-
- s;(<i>transport</i>)(<b>)?(_destination_concurrency_failed_cohort_limit)\b;$2<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_concurrency_negative_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_negative_feedback">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_concurrency_positive_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_positive_feedback">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_delivery_slot_cost)\b;$2<a href="postconf.5.html#transport_delivery_slot_cost">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_delivery_slot_discount)\b;$2<a href="postconf.5.html#transport_delivery_slot_discount">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_delivery_slot_loan)\b;$2<a href="postconf.5.html#transport_delivery_slot_loan">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_concurrency_limit)\b;$2<a href="postconf.5.html#transport_destination_concurrency_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_recipient_limit)\b;$2<a href="postconf.5.html#transport_destination_recipient_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_extra_recipient_limit)\b;$2<a href="postconf.5.html#transport_extra_recipient_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_initial_destination_concurrency)\b;$2<a href="postconf.5.html#transport_initial_destination_concurrency">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_minimum_delivery_slots)\b;$2<a href="postconf.5.html#transport_minimum_delivery_slots">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_recipient_limit)\b;$2<a href="postconf.5.html#transport_recipient_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_recipient_refill_delay)\b;$2<a href="postconf.5.html#transport_recipient_refill_delay">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_recipient_refill_limit)\b;$2<a href="postconf.5.html#transport_recipient_refill_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_time_limit)\b;$2<a href="postconf.5.html#transport_time_limit">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_destination_rate_delay)\b;$2<a href="postconf.5.html#transport_destination_rate_delay">$1$3</a>;g;
- s;(<i>transport</i>)(<b>)?(_transport_rate_delay)\b;$2<a href="postconf.5.html#transport_transport_rate_delay">$1$3</a>;g;
+ # Note: Accept non-italic "transport" prefix for content that has been
+ # converted from troff in C sources. Tooling doesn't support bold+italic.
+
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_concurrency_failed_cohort_limit)\b;$2<a href="postconf.5.html#transport_destination_concurrency_failed_cohort_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_concurrency_negative_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_negative_feedback">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_concurrency_positive_feedback)\b;$2<a href="postconf.5.html#transport_destination_concurrency_positive_feedback">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_delivery_slot_cost)\b;$2<a href="postconf.5.html#transport_delivery_slot_cost">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_delivery_slot_discount)\b;$2<a href="postconf.5.html#transport_delivery_slot_discount">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_delivery_slot_loan)\b;$2<a href="postconf.5.html#transport_delivery_slot_loan">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_concurrency_limit)\b;$2<a href="postconf.5.html#transport_destination_concurrency_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_recipient_limit)\b;$2<a href="postconf.5.html#transport_destination_recipient_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_extra_recipient_limit)\b;$2<a href="postconf.5.html#transport_extra_recipient_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_initial_destination_concurrency)\b;$2<a href="postconf.5.html#transport_initial_destination_concurrency">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_minimum_delivery_slots)\b;$2<a href="postconf.5.html#transport_minimum_delivery_slots">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_recipient_limit)\b;$2<a href="postconf.5.html#transport_recipient_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_recipient_refill_delay)\b;$2<a href="postconf.5.html#transport_recipient_refill_delay">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_recipient_refill_limit)\b;$2<a href="postconf.5.html#transport_recipient_refill_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_time_limit)\b;$2<a href="postconf.5.html#transport_time_limit">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_destination_rate_delay)\b;$2<a href="postconf.5.html#transport_destination_rate_delay">$1$3</a>;g;
+ s;((?:<i>)?transport(?:</i>)?)(<b>)?(_transport_rate_delay)\b;$2<a href="postconf.5.html#transport_transport_rate_delay">$1$3</a>;g;
# Undo hyperlinks of manual pages with the same name as parameters.
$printit = 0;
next LINE;
}
- s/canonical domains*/<a href="VIRTUAL_README.html#canonical">$&<\/a>/;
- s/hosted domains*/<a href="VIRTUAL_README.html#canonical">$&<\/a>/;
- #s/other domains*/<a href="VIRTUAL_README.html#canonical">&<\/a>/
- s/virtual alias example/<a href="VIRTUAL_README.html#virtual_alias">$&<\/a>/;
- s/virtual mailbox example/<a href="VIRTUAL_README.html#virtual_mailbox">$&<\/a>/;
- s/local domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">$&<\/a>/;
- s/virtual alias domains*/<a href="ADDRESS_CLASS_README.html#virtual_alias_class">$&<\/a>/;
- s/virtual ALIAS domains*/<a href="ADDRESS_CLASS_README.html#virtual_alias_class">$&<\/a>/;
- s/virtual mailbox domains*/<a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">$&<\/a>/;
- s/virtual MAILBOX domains*/<a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">$&<\/a>/;
- s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">$&<\/a>/;
- s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">$&<\/a>/;
- s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">$&<\/a>/;
- s/\b"*maildrop"* *queues*\b/<a href="QSHAPE_README.html#maildrop_queue">$&<\/a>/;
- s/\b("*maildrop"*),/<a href="QSHAPE_README.html#maildrop_queue">$1<\/a>,/;
- s/\b("*incoming"*) and\b/<a href="QSHAPE_README.html#incoming_queue">$1<\/a> and/;
- s/\b("*incoming"*) or\b/<a href="QSHAPE_README.html#incoming_queue">$1<\/a> or/;
- s/\b"*incoming"* *queues*\b/<a href="QSHAPE_README.html#incoming_queue">$&<\/a>/;
- s/<b> *incoming *<\/b> *queues*\b/<a href="QSHAPE_README.html#incoming_queue">$&<\/a>/;
- s/\b"*active"* *queues*\b/<a href="QSHAPE_README.html#active_queue">$&<\/a>/;
- s/\b"*deferred"* *queues*\b/<a href="QSHAPE_README.html#deferred_queue">$&<\/a>/;
- s/\b"*hold"* *queues*\b/<a href="QSHAPE_README.html#hold_queue">$&<\/a>/;
- s/\b("*hold"*),/<a href="QSHAPE_README.html#hold_queue">$1<\/a>,/;
- s/\b(postfix *tls)\b/<a href="postfix-tls.1.html">$1<\/a>/;
+ s/canonical domains*/<a href="VIRTUAL_README.html#canonical">$&<\/a>/g;
+ s/hosted domains*/<a href="VIRTUAL_README.html#canonical">$&<\/a>/g;
+ #s/other domains*/<a href="VIRTUAL_README.html#canonical">&<\/a>/g;
+ s/virtual alias example/<a href="VIRTUAL_README.html#virtual_alias">$&<\/a>/g;
+ s/virtual mailbox example/<a href="VIRTUAL_README.html#virtual_mailbox">$&<\/a>/g;
+ s/local domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">$&<\/a>/g;
+ s/virtual alias domains*/<a href="ADDRESS_CLASS_README.html#virtual_alias_class">$&<\/a>/g;
+ s/virtual ALIAS domains*/<a href="ADDRESS_CLASS_README.html#virtual_alias_class">$&<\/a>/g;
+ s/virtual mailbox domains*/<a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">$&<\/a>/g;
+ s/virtual MAILBOX domains*/<a href="ADDRESS_CLASS_README.html#virtual_mailbox_class">$&<\/a>/g;
+ s/relay domains*/<a href="ADDRESS_CLASS_README.html#relay_domain_class">$&<\/a>/g;
+ s/default domains*/<a href="ADDRESS_CLASS_README.html#default_domain_class">$&<\/a>/g;
+ s/mydestination domains*/<a href="ADDRESS_CLASS_README.html#local_domain_class">$&<\/a>/g;
+ s/\b"*maildrop"* *queues*\b/<a href="QSHAPE_README.html#maildrop_queue">$&<\/a>/g;
+ s/\b("*maildrop"*),/<a href="QSHAPE_README.html#maildrop_queue">$1<\/a>,/g;
+ s/\b(?<!\/)("*incoming"*),/<a href="QSHAPE_README.html#incoming_queue">$1<\/a>,/g;
+ s/\b("*incoming"*) and\b/<a href="QSHAPE_README.html#incoming_queue">$1<\/a> and/g;
+ s/\b("*incoming"*) or\b/<a href="QSHAPE_README.html#incoming_queue">$1<\/a> or/g;
+ s/\b"*incoming"* *queues*\b/<a href="QSHAPE_README.html#incoming_queue">$&<\/a>/g;
+ s/<b> *incoming *<\/b> *queues*\b/<a href="QSHAPE_README.html#incoming_queue">$&<\/a>/g;
+ s/\b("*active"*) and\b/<a href="QSHAPE_README.html#active_queue">$1<\/a> and/g;
+ s/\b"*active"* *queues*\b/<a href="QSHAPE_README.html#active_queue">$&<\/a>/ig;
+ s/\b"*deferred"* *queues*\b/<a href="QSHAPE_README.html#deferred_queue">$&<\/a>/g;
+ s/\b"*hold"* *queues*\b/<a href="QSHAPE_README.html#hold_queue">$&<\/a>/g;
+ s/\b("*hold"*),/<a href="QSHAPE_README.html#hold_queue">$1<\/a>,/g;
+ s/\b(postfix *tls)\b/<a href="postfix-tls.1.html">$1<\/a>/g;
# Hyperlink map types.
s/\b(fail):/<a href="DATABASE_README.html#types">$1<\/a>:/g;
s/\b(hash):/<a href="DATABASE_README.html#types">$1<\/a>:/g;
s/\b(internal):/<a href="DATABASE_README.html#types">$1<\/a>:/g;
- s/\b(ldap):/<a href="ldap_table.5.html">$1<\/a>:/g;
+ s/\b(ldap
[is]?):/<a href="ldap_table.5.html">$1<\/a>:/g;
s/\b(lmdb):/<a href="lmdb_table.5.html">$1<\/a>:/g;
s/\b(memcache):/<a href="memcache_table.5.html">$1<\/a>:/g;
s/\b(mysql):/<a href="mysql_table.5.html">$1<\/a>:/g;
s/([^\/])\b(virtual):/$1<a href="virtual.8.html">$2<\/a>:/g;
# Database library dependencies.
+ # Note: Exclude AUXLIBS_SDBM because there is no SDBM_README.
- s/\b(AUXLIBS_)([A-Z]+)\b/<a href="$2_README.html">$1$2<\/a>/g;
+ s/\b(AUXLIBS_
(?!SDBM))([A-Z]+)\b/<a href="$2_README.html">$1$2<\/a>/g;
}
continue {
if ($printit)
# This parameter setting is recorded in the installed main.cf file.
# .IP command_directory
# The final destination directory for Postfix administrative commands.
-# This directory should be in the command search path of adminstrative
+# This directory should be in the command search path of administrative
# users. The built-in default directory name is system dependent.
# This parameter setting is recorded in the installed main.cf file.
# .IP html_directory
command_directory_prompt="the final destination directory for
installed Postfix administrative commands. This directory should
-be in the command search path of adminstrative users."
+be in the command search path of administrative users."
queue_directory_prompt="the final destination directory for Postfix
queues."
Rewrite "user@host" to "user@host.$mydomain" </dt>
<dd> <p> This feature is controlled by the boolean append_dot_mydomain
-parameter (default: yes). The purpose is to get consistent treatment
-of different forms of the same hostname. </p>
+parameter (default: Postfix ≥ 3.0: no, Postfix < 3.0: yes). The purpose
+is to get consistent treatment of different forms of the same hostname. </p>
<p> NOTE: Postfix versions 2.2 and later rewrite message headers
from remote SMTP clients only if the client matches the
messages with DSN turned on will trigger the REJECT action in the
previous section. </p>
-<p> If you have such clients then you can to exclude their Message-ID
+<p> If you have such clients then you can exclude their Message-ID
strings with the two "<tt>Message-ID:.* <!&!</tt>" patterns
that are shown in the previous section. Otherwise you will not be
able to use the two backscatter rules to stop forged Message ID
because there is a lot of variation in report formats. The following
is only a small example of message header patterns. For a large
collection of header and body patterns that recognize virus
-notification email, see http://www.dkuug.dk/keld/virus/
+notification email, see
+https://web.archive.org/web/20100317123907/http://std.dkuug.dk/keld/virus/
or http://www.t29.dk/antiantivirus.txt. </p>
<blockquote>
This is explained in the SASL_README and TLS_README documents. </p>
<p> IMPORTANT: If your machine is connected to a wide area network
-then the "mynetworks_style = host" setting may be too friendly. </p>
+then the "mynetworks_style = subnet" setting may be too friendly. </p>
<p> Examples (specify only one of the following): </p>
<ul>
-<li> <p> Specify "mynetworks_style = host" when Postfix should
-forward mail from only the local machine. </p>
+<li> <p> Specify "mynetworks_style = host" (the default when
+compatibility_level ≥ 2) when Postfix should forward mail from
+only the local machine. </p>
-<li> <p> Specify "mynetworks_style = subnet" (the default) when
-Postfix should forward mail from SMTP clients in the same IP
-subnetworks as the local machine. On Linux, this works correctly
-only with interfaces specified with the "ifconfig" command. </p>
+<li> <p> Specify "mynetworks_style = subnet" (the default when
+compatibility_level < 2) when Postfix should forward mail from
+SMTP clients in the same IP subnetworks as the local machine.
+On Linux, this works correctly only with interfaces specified
+with the "ifconfig" or "ip" command. </p>
<li> <p> Specify "mynetworks_style = class" when Postfix should
forward mail from SMTP clients in the same IP class A/B/C networks
<p> In RFC 4468, the authors write that a client may pipeline
commands, and that after sending BURL LAST or BDAT LAST, a client
must wait for the server's response. But as this text does not
-appear in RFC 3030 which defines BDAT, is it a useless restriction
+appear in RFC 3030 which defines BDAT, it is a useless restriction
that Postfix will not enforce. </p>
</body>
Postfix versions do not support the receive_override_options feature.
</p>
-<p> If you are MX service provider and want to apply disable
-head/body checks for some domains, you can configure ONE Postfix
+<p> If you are an MX service provider and want to enable header/body
+checks only for some domains, you can configure ONE Postfix
instance with multiple SMTP server IP addresses in master.cf. Each
address provides a different service. </p>
<p> The mynetworks_style default value has changed from "subnet"
to "host". This parameter is used to implement the "permit_mynetworks"
-feature. The change could in unexpected 'access denied' errors after
+feature. The change could cause unexpected 'access denied' errors after
Postfix is updated from an older version. The backwards-compatibility
safety net is designed to prevent such surprises. </p>
<p> The connection cache can be searched by destination domain name
(the right-hand side of the recipient address) and by the IP address
of the host at the other end of the connection. This allows Postfix
-to reuse a connection even when the remote host is mail server for
+to reuse a connection even when the remote host is a mail server for
domains with different names. </p>
<h2><a name="configuration">Connection cache configuration </a></h2>
here: the lookup result is not used. Examples
are the local_recipient_maps that determine what local recipients
Postfix accepts in mail from the network, the mydestination parameter
-that specifies what domains Postfix delivers locally, or the
+that specifies what domains Postfix delivers locally for, or the
mynetworks parameter that specifies the IP addresses of trusted
clients or client networks. Technically, these are lists, not
tables. Despite the difference, Postfix lists are described here
<dt> <b>internal</b> </dt>
-<dd> A non-shared, in-memory hash table. Its content are lost when
+<dd> A non-shared, in-memory hash table. Its contents are lost when
a process terminates. </dd>
<dt> <b>lmdb</b> </dt>
</ul>
<li> <p> Better, provide output from the <b>postfinger</b> tool.
-This can be found at http://ftp.wl0.org/SOURCES/postfinger. </p>
+This can be found at https://github.com/ford--prefect/postfinger. </p>
<li> <p> If the problem is SASL related, consider including the
output from the <b>saslfinger</b> tool. This can be found at
-http://postfix.state-of-mind.de/patrick.koetter/saslfinger/. </p>
+https://packages.debian.org/search?keywords=sasl2-bin. </p>
<li> <p> If the problem is about too much mail in the queue, consider
including output from the <b>qshape</b> tool, as described in the
<h3> EDH Server support </h3>
-<p> Postfix ≥ 2.2 support 1024-bit-prime EDH out of the box,
+<p> Postfix ≥ 2.2 supports 1024-bit-prime EDH out of the box,
with no additional configuration, but you may want to override the
default prime to be 2048 bits long, and you may want to regenerate
your primes periodically. See the <a href="#quick-start">quick-start</a>
<h3> EECDH Server support </h3>
-<p> Postfix ≥ 2.6 support NIST P-256 EECDH when built with OpenSSL
+<p> Postfix ≥ 2.6 supports NIST P-256 EECDH when built with OpenSSL
≥ 1.0.0. When the remote SMTP client also supports EECDH and
implements the P-256 curve, forward secrecy just works. </p>
mechanism is invented that also supports forward secrecy. </p>
<p> The actual key length and raw algorithm key length
-are generally the same with non-export ciphers, but may they
+are generally the same with non-export ciphers, but they may
differ for the legacy export ciphers where the actual key
is artificially shortened. </p>
</pre>
</blockquote>
-<p> As with the command "make makefiles, the command "make
+<p> As with the command "make makefiles", the command "make
install/upgrade name=value..." will replace the string MAIL_VERSION
at the end of a configuration parameter value with the Postfix
release version. Do not try to specify something like $mail_version
<p> Follow the instructions in the "<a href="#mandatory">Mandatory
configuration file edits</a>" in section 10, and review the "<a
-name="#hamlet">To chroot or not to chroot</a>" text in section
+href="#hamlet">To chroot or not to chroot</a>" text in section
11. </p>
<p> Start the Postfix system: </p>
<pre>
# newaliases
# sendmail -bi
+# postalias /etc/aliases (pathname is system dependent!)
</pre>
</blockquote>
</blockquote>
<p> If you did specify the mynetworks parameter value in
-main.cf, you need update the mynetworks value to include
+main.cf, you need to update the mynetworks value to include
the IPv6 networks the system is in. Be sure to specify IPv6 address
information inside "<tt>[]</tt>", like this: </p>
</pre>
</blockquote>
-<li> <p> And for that matter, even for aliases, you may not want users able to
+<li> <p> And for that matter, even for aliases, you may not want users to be able to
specify their maildrops as programs, includes, etc. This might be
particularly pertinent on a "sealed" server where they don't have
local UNIX accounts, but exist only in LDAP and Cyrus. You might allow
<h2> Host lookup issues </h2>
<p> By default Linux /etc/hosts lookups do not support multiple IP
-address per hostname. This causes warnings from the Postfix SMTP
+addresses per hostname. This causes warnings from the Postfix SMTP
server that "hostname XXX does not resolve to address YYY", and is
especially a problem with hosts that have both IPv4 and IPv6
-addresses. To fix, turn on support for multiple IP addresses: </p>
+addresses. To fix this, turn on support for multiple IP addresses: </p>
<blockquote>
<pre>
<p> On RedHat Linux 7.1 and later <b>procmail</b> no longer has
permission
-to write the mail spool directory. Workaround: </p>
+to write to the mail spool directory. Workaround: </p>
<blockquote>
<pre>
<ul>
-<li> <p> This command will not rotate a logfile with pathname under
+<li> <p> This command will not rotate a logfile with a pathname under
the /dev directory, such as /dev/stdout. </p>
<li> <p> This command does not (yet) remove old logfiles. </p>
in the background, as well as non-daemon programs for local mail
submission or Postfix management.
-<li> <p> Logging to Postfix logfile or stdout requires the Postfix
+<li> <p> Logging to the Postfix logfile or stdout requires the Postfix
postlogd(8) service. This ensures that simultaneous logging from
different programs will not get mixed up. </p>
<dt> <b>unix:</b><i>pathname</i> </dt> <dd><p>Connect to the local
UNIX-domain server that is bound to the specified pathname. If the
smtpd(8) or cleanup(8) process runs chrooted, an absolute pathname
-is interpreted relative to the Postfix queue directory.</p> </dd>
+is interpreted relative to the Postfix queue directory. On many
+systems, <b>local</b> is a synonym for <b>unix</b></p> </dd>
<dt> <b> inet:</b><i>host</i><b>:</b><i>port</i> </dt> <dd> <p>
Connect to the specified TCP port on the specified local or remote
you may specify macro default values with the milter_macro_defaults
parameter. Specify zero or more <i>name=value</i> pairs separated by
comma or whitespace; you may even specify macro names that Postfix does
-know about! </p>
+not know about! </p>
<h2><a name="workarounds">Workarounds</a></h2>
</pre>
</blockquote>
-<p> The test message should be delivered the members of the "mtaadmin"
+<p> The test message should be delivered to the members of the "mtaadmin"
address group (or whatever address group you choose) with the
following headers: </p>
smtpd_relay_restrictions =
smtpd_recipient_restrictions = permit_mynetworks, reject
- # Tolerate occasional high latency in the content filter.
+ # Tolerate occasional high latency in the content filter.
#
smtpd_timeout = 1200s
which can be obtained from: </p>
<blockquote>
- <p> http://www.mysql.com/downloads/ <br>
- http://sourceforge.net/projects/mysql/ </p>
+ <p> http://www.mysql.com/downloads/ </p>
</blockquote>
<p> In order to build Postfix with mysql map support, you will need to add
<li> Liviu Daia with further refinements from Jose Luis Tallon and
Victor Duchovni developed the common query, result_format, domain and
-expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
+expansion_limit interface for LDAP, MySQL and PostgreSQL.</li>
</ul>
that appear on the <i>permanent</i> access list. </p>
<p> By default the temporary allowlist is not shared with other
-postscreen(8) daemons. See <a href="#temp_white_sharing"> Sharing
+postscreen(8) daemons. See
+<a href="#temp_white_sharing"> Sharing
the temporary allowlist </a> below for alternatives. </p>
<p> When the SMTP client address appears on the temporary
<ul>
<li> <p> First, configure the host to listen on both primary and
-backup MX addresses. Use the appropriate <tt>ifconfig</tt> command
-for the local operating system, or update the appropriate configuration
-files and "refresh" the network protocol stack. </p>
+backup MX addresses. Use the appropriate <tt>ifconfig</tt> or <tt>ip</tt>
+command for the local operating system, or update the appropriate
+configuration files and "refresh" the network protocol stack. </p>
<p> <p> Second, configure Postfix to listen on the new IP address
(this step is needed when you have specified inet_interfaces in
postscreen(8) can run a number of tests in parallel. </p>
<p> When a good client passes these tests, and no "<a
-href="#after_220">deep protocol tests</a>" are configured, postscreen(8)
+href="#after_220">deep protocol tests</a>"
+are configured, postscreen(8)
adds the client to the temporary allowlist and hands off the "live"
connection to a Postfix SMTP server process. The client can then
continue as if postscreen(8) never even existed (except of course
receiver send one command and one response at a time. Unlike the
Postfix SMTP server, postscreen(8) does not announce support
for ESMTP command pipelining. Therefore, clients are not allowed
-to send multiple commands. postscreen(8)'s <a href="#after_220">deep
+to send multiple commands. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_pipelining_enable = yes", postscreen(8) detects
of this is the usage of commands such as CONNECT and other non-SMTP
commands. Just like the Postfix SMTP server's smtpd_forbidden_commands
feature, postscreen(8) has an equivalent postscreen_forbidden_commands
-feature to block these clients. postscreen(8)'s <a href="#after_220">deep
+feature to block these clients. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_non_smtp_command_enable = yes", postscreen(8)
<p> SMTP is a line-oriented protocol: lines have a limited length,
and are terminated with <CR><LF>. Lines ending in a
"bare" <LF>, that is newline not preceded by carriage return,
-are not allowed in SMTP. postscreen(8)'s <a href="#after_220">deep
+are not allowed in SMTP. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_bare_newline_enable = yes", postscreen(8)
<li> <p> Some postscreen(8) configuration parameters implement
stress-dependent behavior. This is supported only when the default
value is stress-dependent (that is, "postconf -d <i>parametername</i>"
-output shows "<i>parametername</i> =
-${stress?<i>something</i>}${stress:<i>something</i>}").
+output shows
+"<i>parametername</i> = ${stress?<i>something</i>}${stress:<i>something</i>}" or
+"<i>parametername</i> = ${stress?{<i>something</i>}:{<i>something</i>}}").
Other parameters always evaluate as if the stress value is the empty
string. </p>
<li> <p> See "<a href="#before_220">Tests before the 220 SMTP server
-greeting</a>" for details about the logging from these postscreen(8)
-tests. </p>
+greeting</a>" for details about the logging from these
+postscreen(8) tests. </p>
<li> <p> If you run Postfix 2.6 or earlier you must stop and start
the master daemon ("<tt>postfix stop; postfix start</tt>"). This
tests. </p>
<p> When a good client passes the "<a href="#after_220">deep
-protocol tests</a>", postscreen(8) adds the client to the temporary
+protocol tests</a>",
+postscreen(8) adds the client to the temporary
allowlist but it cannot hand off the "live" connection to a Postfix
SMTP server process in the middle of the session. Instead, postscreen(8)
defers mail delivery attempts with a 4XX status, logs the
that appear on the <i>permanent</i> access list. </p>
<p> By default the temporary allowlist is not shared with other
-postscreen(8) daemons. See <a href="#temp_allow_sharing"> Sharing
+postscreen(8) daemons. See
+<a href="#temp_allow_sharing"> Sharing
the temporary allowlist </a> below for alternatives. </p>
<p> When the SMTP client address appears on the temporary
<ul>
<li> <p> First, configure the host to listen on both primary and
-backup MX addresses. Use the appropriate <tt>ifconfig</tt> command
-for the local operating system, or update the appropriate configuration
-files and "refresh" the network protocol stack. </p>
+backup MX addresses. Use the appropriate <tt>ifconfig</tt> or <tt>ip</tt>
+command for the local operating system, or update the appropriate
+configuration files and "refresh" the network protocol stack. </p>
<p> <p> Second, configure Postfix to listen on the new IP address
(this step is needed when you have specified inet_interfaces in
postscreen(8) can run a number of tests in parallel. </p>
<p> When a good client passes these tests, and no "<a
-href="#after_220">deep protocol tests</a>" are configured, postscreen(8)
+href="#after_220">deep protocol tests</a>"
+are configured, postscreen(8)
adds the client to the temporary allowlist and hands off the "live"
connection to a Postfix SMTP server process. The client can then
continue as if postscreen(8) never even existed (except of course
receiver send one command and one response at a time. Unlike the
Postfix SMTP server, postscreen(8) does not announce support
for ESMTP command pipelining. Therefore, clients are not allowed
-to send multiple commands. postscreen(8)'s <a href="#after_220">deep
+to send multiple commands. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_pipelining_enable = yes", postscreen(8) detects
of this is the usage of commands such as CONNECT and other non-SMTP
commands. Just like the Postfix SMTP server's smtpd_forbidden_commands
feature, postscreen(8) has an equivalent postscreen_forbidden_commands
-feature to block these clients. postscreen(8)'s <a href="#after_220">deep
+feature to block these clients. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_non_smtp_command_enable = yes", postscreen(8)
<p> SMTP is a line-oriented protocol: lines have a limited length,
and are terminated with <CR><LF>. Lines ending in a
"bare" <LF>, that is newline not preceded by carriage return,
-are not allowed in SMTP. postscreen(8)'s <a href="#after_220">deep
+are not allowed in SMTP. postscreen(8)'s
+<a href="#after_220">deep
protocol test</a> for this is disabled by default. </p>
<p> With "postscreen_bare_newline_enable = yes", postscreen(8)
<li> <p> Some postscreen(8) configuration parameters implement
stress-dependent behavior. This is supported only when the default
value is stress-dependent (that is, "postconf -d <i>parametername</i>"
-output shows "<i>parametername</i> =
-${stress?<i>something</i>}${stress:<i>something</i>}").
+output shows
+"<i>parametername</i> = ${stress?<i>something</i>}${stress:<i>something</i>}" or
+"<i>parametername</i> = ${stress?{<i>something</i>}:{<i>something</i>}}").
Other parameters always evaluate as if the stress value is the empty
string. </p>
<li> <p> See "<a href="#before_220">Tests before the 220 SMTP server
-greeting</a>" for details about the logging from these postscreen(8)
-tests. </p>
+greeting</a>" for details about the logging from these
+postscreen(8) tests. </p>
<li> <p> If you run Postfix 2.6 or earlier you must stop and start
the master daemon ("<tt>postfix stop; postfix start</tt>"). This
tests. </p>
<p> When a good client passes the "<a href="#after_220">deep
-protocol tests</a>", postscreen(8) adds the client to the temporary
+protocol tests</a>",
+postscreen(8) adds the client to the temporary
allowlist but it cannot hand off the "live" connection to a Postfix
SMTP server process in the middle of the session. Instead, postscreen(8)
defers mail delivery attempts with a 4XX status, logs the
<p> When the output is a terminal intermediate results showing the top 20
domains (-n option) are displayed after every 1000 messages (-N option)
and the final output also shows only the top 20 domains. This makes
-qshape useful even when the deferred queue is very large and it may
-otherwise take prohibitively long to read the entire deferred queue. </p>
+qshape useful even when the "deferred" queue is very large and it may
+otherwise take prohibitively long to read the entire "deferred" queue. </p>
<p> By default, qshape shows statistics for the union of both the
-incoming and active queues which are the most relevant queues to
+"incoming" and "active" queues which are the most relevant queues to
look at when analyzing performance. </p>
<p> One can request an alternate list of queues: </p>
</pre>
</blockquote>
-<p> this will show the age distribution of the deferred queue or
-the union of the incoming active and deferred queues. </p>
+<p> this will show the age distribution of the "deferred" queue or
+the union of the "incoming", "active" and "deferred" queues. </p>
<p> Command line options control the number of display "buckets",
the age limit for the smallest bucket, display of parent domain
a burst of mail started, and when it stopped. </p>
<p> The problem destinations or sender domains appear near the top
-left corner of the output table. Remember that the active queue
+left corner of the output table. Remember that the "active" queue
can accommodate up to 20000 ($qmgr_message_active_limit) messages.
To check whether this limit has been reached, use: </p>
</pre>
</blockquote>
-<p> If the total sender count is below 20000 the active queue is
+<p> If the total sender count is below 20000 the "active" queue is
not yet saturated, any high volume sender domains show near the
top of the output.
-<p> With oqmgr(8) the active queue is also limited to at most 20000
+<p> With oqmgr(8) the "active" queue is also limited to at most 20000
recipient addresses ($qmgr_message_recipient_limit). To check for
exhaustion of this limit use: </p>
<h2><a name="healthy">Example 1: Healthy queue</a></h2>
-<p> When looking at just the incoming and active queues, under
-normal conditions (no congestion) the incoming and active queues
+<p> When looking at just the "incoming" and "active" queues, under
+normal conditions (no congestion) the "incoming" and "active" queues
are nearly empty. Mail leaves the system almost as quickly as it
-comes in or is deferred without congestion in the active queue.
+comes in or is deferred without congestion in the "active" queue.
</p>
<blockquote>
<pre>
-$ qshape <i>(show incoming and active queue status)</i>
+$ qshape <i>(show "incoming" and "active" queue status)</i>
T 5 10 20 40 80 160 320 640 1280 1280+
TOTAL 5 0 0 0 1 0 0 0 1 1 2
</pre>
</blockquote>
-<p> If one looks at the two queues separately, the incoming queue
+<p> If one looks at the two queues separately, the "incoming" queue
is empty or perhaps briefly has one or two messages, while the
-active queue holds more messages and for a somewhat longer time:
+"active" queue holds more messages and for a somewhat longer time:
</p>
<blockquote>
available for some of the hosted domains. Dictionary attacks on
the unvalidated domains result in bounce backscatter. The bounces
dominate the queue, but with proper tuning they do not saturate the
-incoming or active queues. The high volume of deferred mail is not
+"incoming" or "active" queues. The high volume of deferred mail is not
a direct cause for alarm. </p>
<blockquote>
is the tail end of the time distribution, showing that short term
arrival rates are moderate. Larger numbers and lower message ages
are more indicative of current trouble. Old mail still going nowhere
-is largely harmless so long as the active and incoming queues are
+is largely harmless so long as the "active" and "incoming" queues are
short. We can also see that the groups.msn.com undeliverables are
low rate steady stream rather than a concentrated dictionary attack
that is now over. </p>
queue</a></h2>
<p> This example is taken from a Feb 2004 discussion on the Postfix
-Users list. Congestion was reported with the active and incoming
-queues large and not shrinking despite very large delivery agent
+Users list. Congestion was reported with the
+"active" and "incoming" queues
+large and not shrinking despite very large delivery agent
process limits. The thread is archived at:
http://groups.google.com/groups?threadm=c0b7js$2r65$1@FreeBSD.csie.NCTU.edu.tw
and
<blockquote>
<pre>
-$ qshape <i>(show incoming and active queue status)</i>
+$ qshape <i>(show "incoming" and "active" queue status)</i>
T A 5 10 20 40 80 160 320 320+
TOTAL 11775 9996 0 0 1 1 42 94 221 1420
</pre>
</blockquote>
-<p> The "A" column showed the count of messages in the active queue,
-and the numbered columns showed totals for the deferred queue. At
-10000 messages (Postfix 1.x active queue size limit) the active
-queue is full. The incoming was growing rapidly. </p>
+<p> The "A" column showed the count of messages in the "active" queue,
+and the numbered columns showed totals for the "deferred" queue. At
+10000 messages (Postfix 1.x "active" queue size limit) the "active" queue
+is full. The "incoming" queue was growing rapidly. </p>
<p> With the trouble destinations clearly identified, the administrator
quickly found and fixed the problem. It is substantially harder to
<h2><a name="backlog">Example 4: High volume destination backlog</a></h2>
<p> When a site you send a lot of email to is down or slow, mail
-messages will rapidly build up in the deferred queue, or worse, in
-the active queue. The qshape output will show large numbers for
+messages will rapidly build up in the "deferred" queue, or worse, in
+the "active" queue. The qshape output will show large numbers for
the destination domain in all age buckets that overlap the starting
time of the problem: </p>
</blockquote>
<p> Here the "highvolume.com" destination is continuing to accumulate
-deferred mail. The incoming and active queues are fine, but the
-deferred queue started growing some time between 1 and 2 hours ago
+deferred mail. The "incoming" and "active" queues are fine, but the
+"deferred" queue started growing some time between 1 and 2 hours ago
and continues to grow. </p>
<p> If the high volume destination is not down, but is instead
-slow, one might see similar congestion in the active queue. Active
-queue congestion is a greater cause for alarm; one might need to
+slow, one might see similar congestion in the "active" queue.
+"Active" queue congestion is a greater cause for alarm; one might need to
take measures to ensure that the mail is deferred instead or even
add an access(5) rule asking the sender to try again later. </p>
service due to excessive body_checks, or (Postfix ≥ 2.3) high latency
milters. </p>
-<p> Note, that once the active queue is full, the cleanup service
+<p> Note, that once the "active" queue is full, the cleanup service
will attempt to slow down message injection by pausing $in_flow_delay
for each message. In this case "maildrop" queue congestion may be
a consequence of congestion downstream, rather than a problem in
<p> Messages can potentially stay in the "hold" queue longer than
$maximal_queue_lifetime. If such "old" messages need to be released from
-the "hold" queue, they should typically be moved into the "maildrop"
-queue using "postsuper -r", so that the message gets a new timestamp and
+the "hold" queue, they should typically be moved into the "maildrop" queue
+using "postsuper -r", so that the message gets a new timestamp and
is given more than one opportunity to be delivered. Messages that are
"young" can be moved directly into the "deferred" queue using
"postsuper -H". </p>
ignores incomplete queue files whose mode is 0600, as these are
still being written by cleanup. </p>
-<p> The queue manager scans the incoming queue bringing any new
-mail into the "active" queue if the active queue resource limits
-have not been exceeded. By default, the active queue accommodates
-at most 20000 messages. Once the active queue message limit is
-reached, the queue manager stops scanning the incoming (and deferred,
-see below) queue. </p>
+<p> The queue manager scans the "incoming" queue bringing any new
+mail into the "active" queue if the "active" queue resource limits
+have not been exceeded. By default, the "active" queue accommodates
+at most 20000 messages. Once the "active" queue message limit is
+reached, the queue manager stops scanning the "incoming" queue
+(and the "deferred" queue, see below). </p>
-<p> Under normal conditions the incoming queue is nearly empty (has
+<p> Under normal conditions the "incoming" queue is nearly empty (has
only mode 0600 files), with the queue manager able to import new
-messages into the active queue as soon as they become available.
+messages into the "active" queue as soon as they become available.
</p>
-<p> The incoming queue grows when the message input rate spikes
+<p> The "incoming" queue grows when the message input rate spikes
above the rate at which the queue manager can import messages into
-the active queue. The main factors slowing down the queue manager
+the "active" queue. The main factors slowing down the queue manager
are disk I/O and lookup queries to the trivial-rewrite service. If the queue
manager is routinely not keeping up, consider not using "slow"
lookup services (MySQL, LDAP, ...) for transport lookups or speeding
excessive input rate from many sources at the same time. </p>
<p> If a server is being hammered from multiple directions, consider
-raising the in_flow_delay to 10 seconds, but only if the incoming
-queue is growing even while the active queue is not full and the
+raising the in_flow_delay to 10 seconds, but only if the "incoming" queue
+is growing even while the "active" queue is not full and the
trivial-rewrite service is using a fast transport lookup mechanism.
</p>
ensure fast and fair delivery of mail to all destinations within
designated resource limits. </p>
-<p> The active queue is somewhat analogous to an operating system's
-process run queue. Messages in the active queue are ready to be
+<p> The "active" queue is somewhat analogous to an operating system's
+process run queue. Messages in the "active" queue are ready to be
sent (runnable), but are not necessarily in the process of being
sent (running). </p>
as a directory on disk, the real "active" queue is a set of data
structures in the memory of the queue manager process. </p>
-<p> Messages in the "maildrop", "hold", "incoming" and "deferred"
-queues (see below) do not occupy memory; they are safely stored on
+<p> Messages in the "maildrop", "hold", "incoming" and "deferred" queues
+(see below) do not occupy memory; they are safely stored on
disk waiting for their turn to be processed. The envelope information
for messages in the "active" queue is managed in memory, allowing
the queue manager to do global scheduling, allocating available
-delivery agent processes to an appropriate message in the active
-queue. </p>
+delivery agent processes to an appropriate message in the "active" queue. </p>
-<p> Within the active queue, (multi-recipient) messages are broken
+<p> Within the "active" queue, (multi-recipient) messages are broken
up into groups of recipients that share the same transport/nexthop
combination; the group size is capped by the transport's recipient
concurrency limit. </p>
performing final delivery to mailboxes rather than when relaying
to a remote server. </p>
-<p> Congestion occurs in the active queue when one or more destinations
+<p> Congestion occurs in the "active" queue when one or more destinations
drain slower than the corresponding message input rate. </p>
-<p> Input into the active queue comes both from new mail in the "incoming"
-queue, and retries of mail in the "deferred" queue. Should the "deferred"
-queue get really large, retries of old mail can dominate the arrival
+<p> Input into the "active" queue comes both from new mail in the "incoming" queue,
+and retries of mail in the "deferred" queue. Should the "deferred" queue
+get really large, retries of old mail can dominate the arrival
rate of new mail. Systems with more CPU, faster disks and more network
-bandwidth can deal with larger deferred queues, but as a rule of thumb
-the deferred queue scales to somewhere between 100,000 and 1,000,000
+bandwidth can deal with larger "deferred" queues, but as a rule of thumb
+the "deferred" queue scales to somewhere between 100,000 and 1,000,000
messages with good performance unlikely above that "limit". Systems with
queues this large should typically stop accepting new mail, or put the
backlog "on hold" until the underlying issue is fixed (provided that
<p> When a destination is down for some time, the queue manager will
mark it dead, and immediately defer all mail for the destination without
trying to assign it to a delivery agent. In this case the messages
-will quickly leave the active queue and end up in the deferred queue
+will quickly leave the "active" queue and end up in the "deferred" queue
(with Postfix < 2.4, this is done directly by the queue manager,
with Postfix ≥ 2.4 this is done via the "retry" delivery agent). </p>
<p> When the destination is instead simply slow, or there is a problem
-causing an excessive arrival rate the active queue will grow and will
+causing an excessive arrival rate the "active" queue will grow and will
become dominated by mail to the congested destination. </p>
<p> The only way to reduce congestion is to either reduce the input
<p> The best way to avoid bottlenecks when one or more MX hosts is
non-responsive is to use connection caching. Connection caching was
introduced with Postfix 2.2 and is by default enabled on demand for
-destinations with a backlog of mail in the active queue. When connection
+destinations with a backlog of mail in the "active" queue. When connection
caching is in effect for a particular destination, established connections
are re-used to send additional messages, this reduces the number of
connections made per message delivery and maintains good throughput even
and allows separate tuning of timeouts and concurrency limits. </p>
<p> Another common cause of congestion is unwarranted flushing of the
-entire deferred queue. The deferred queue holds messages that are likely
+entire "deferred" queue. The "deferred" queue holds messages that are likely
to fail to be delivered and are also likely to be slow to fail delivery
-(time out). As a result the most common reaction to a large deferred queue
+(time out). As a result the most common reaction to a large "deferred" queue
(flush it!) is more than likely counter-productive, and typically makes
-the congestion worse. Do not flush the deferred queue unless you expect
+the congestion worse. Do not flush the "deferred" queue unless you expect
that most of its content has recently become deliverable (e.g. relayhost
back up after an outage)! </p>
<p> Note that whenever the queue manager is restarted, there may
-already be messages in the active queue directory, but the "real"
-active queue in memory is empty. In order to recover the in-memory
-state, the queue manager moves all the active queue messages
-back into the incoming queue, and then uses its normal incoming
-queue scan to refill the active queue. The process of moving all
+already be messages in the "active" queue directory, but the "real"
+"active" queue in memory is empty. In order to recover the in-memory
+state, the queue manager moves all the "active" queue messages
+back into the "incoming" queue, and then uses its normal "incoming" queue
+scan to refill the "active" queue. The process of moving all
the messages back and forth, redoing transport table (trivial-rewrite(8)
resolve service) lookups, and re-importing the messages back into
memory is expensive. At all costs, avoid frequent restarts of the
<p> When all the deliverable recipients for a message are delivered,
and for some recipients delivery failed for a transient reason (it
-might succeed later), the message is placed in the deferred queue.
+might succeed later), the message is placed in the "deferred" queue.
</p>
-<p> The queue manager scans the deferred queue periodically. The scan
-interval is controlled by the queue_run_delay parameter. While a deferred
-queue scan is in progress, if an incoming queue scan is also in progress
-(ideally these are brief since the incoming queue should be short), the
-queue manager alternates between looking for messages in the "incoming"
-queue and in the "deferred" queue. This "round-robin" strategy prevents
-starvation of either the incoming or the deferred queues. </p>
-
-<p> Each deferred queue scan only brings a fraction of the deferred
-queue back into the active queue for a retry. This is because each
-message in the deferred queue is assigned a "cool-off" time when
+<p> The queue manager scans the "deferred" queue periodically. The scan
+interval is controlled by the queue_run_delay parameter. While a "deferred" queue
+scan is in progress, if an "incoming" queue scan is also in progress
+(ideally these are brief since the "incoming" queue should be short), the
+queue manager alternates between looking for messages in the "incoming" queue
+and in the "deferred" queue. This "round-robin" strategy prevents
+starvation of either the "incoming" or the "deferred" queues. </p>
+
+<p> Each "deferred" queue scan only brings a fraction of the "deferred" queue
+back into the "active" queue for a retry. This is because each
+message in the "deferred" queue is assigned a "cool-off" time when
it is deferred. This is done by time-warping the modification
time of the queue file into the future. The queue file is not
eligible for a retry if its modification time is not yet reached.
within the limits. This means that young messages are initially
retried more often than old messages. </p>
-<p> If a high volume site routinely has large deferred queues, it
+<p> If a high volume site routinely has large "deferred" queues, it
may be useful to adjust the queue_run_delay, minimal_backoff_time and
maximal_backoff_time to provide short enough delays on first failure
(Postfix ≥ 2.4 has a sensibly low minimal backoff time by default),
with perhaps longer delays after multiple failures, to reduce the
retransmission rate of old messages and thereby reduce the quantity
-of previously deferred mail in the active queue. If you want a really
+of previously deferred mail in the "active" queue. If you want a really
low minimal_backoff_time, you may also want to lower queue_run_delay,
but understand that more frequent scans will increase the demand for
disk I/O. </p>
-<p> One common cause of large deferred queues is failure to validate
+<p> One common cause of large "deferred" queues is failure to validate
recipients at the SMTP input stage. Since spammers routinely launch
dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the deferred queue (and at high
-volumes proportionally clog the active queue). Recipient validation
+for invalid recipient addresses clog the "deferred" queue (and at high
+volumes proportionally clog the "active" queue). Recipient validation
is strongly recommended through use of the local_recipient_maps and
relay_recipient_maps parameters. Even when bounces drain quickly they
inundate innocent victims of forgery with unwanted email. To avoid
this, do not accept mail for invalid recipients. </p>
<p> When a host with lots of deferred mail is down for some time,
-it is possible for the entire deferred queue to reach its retry
-time simultaneously. This can lead to a very full active queue once
+it is possible for the entire "deferred" queue to reach its retry
+time simultaneously. This can lead to a very full "active" queue once
the host comes back up. The phenomenon can repeat approximately
every maximal_backoff_time seconds if the messages are again deferred
after a brief burst of congestion. Perhaps, a future Postfix release
will add a random offset to the retry time (or use a combination
-of strategies) to reduce the odds of repeated complete deferred
-queue flushes. </p>
+of strategies) to reduce the odds of repeated complete "deferred" queue
+flushes. </p>
<h2><a name="credits">Credits</a></h2>
<dt>ldapdb_uri</dt>
-<dd> <p> Specify either <code>ldapi://</code> for to connect over
+<dd> <p> Specify either <code>ldapi://</code> to connect over
a UNIX-domain socket, <code>ldap://</code> for an unencrypted TCP
-connection or <code>ldaps://</code> for an encrypted TCP connection.
+connection, or <code>ldaps://</code> for an encrypted TCP connection.
</p> </dd>
<dt>ldapdb_id</dt>
tables into one single MySQL database, and configure different
Postfix queries to extract the appropriate information. </p>
-<li> <p> Specify dbm instead of hash if your system uses dbm files
-instead of db files. To find out what lookup tables Postfix supports,
-use the command "postconf -m". </p>
+<li> <p> Specify <b>dbm</b> instead of <b>hash</b> if your system uses
+<b>dbm</b> files instead of <b>db</b> files. To find out what lookup
+tables Postfix supports, use the command "<b>postconf -m</b>". </p>
-<li> <p> Execute the command "postmap /etc/postfix/sasl_passwd"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sasl_passwd</b>"
whenever you change the sasl_passwd table. </p>
-<li> <p> Execute the command "postmap /etc/postfix/sender_relay"
+<li> <p> Execute the command "<b>postmap /etc/postfix/sender_relay</b>"
whenever you change the sender_relay table. </p>
</ul>
convenient because you don't have to specify the SASL plug-in type
in the Postfix main.cf file (but this may cause surprises when you
switch to a later Postfix version that is built with the default
-SASL type of <code>sasl</code>). </p>
+SASL type of <code>cyrus</code>). </p>
</li>
<blockquote> <i> This library is being deprecated and applications
should transition to using the SASLv2 library</i> (source: <a
-href="http://cyrusimap.web.cmu.edu/downloads.html">Project Cyrus:
+href="http://www.cyrusimap.org/download.html">Project Cyrus:
Downloads</a>). </blockquote>
<p> If you still need to set it up, here's a quick rundown: </p>
<p>
Let's start by recapitulating the structures and terms used when
-referring to queue manager and how it operates. Many of these are
+referring to the queue manager and how it operates. Many of these are
partially described elsewhere, but it is nice to have a coherent
overview in one place:
deliver). </p>
<li> <p> Each transport queue (not to be confused with the on-disk
-active queue or incoming queue) groups everything what is going be
+"active" queue or "incoming" queue) groups everything what is going be
delivered to given destination (aka nexthop) by its transport. Each
queue belongs to one transport, so each destination may be referred
to by several queues, one for each transport. Each queue maintains
<p>
-Whenever <tt>nqmgr</tt> moves a queue file into the active queue,
+Whenever <tt>nqmgr</tt> moves a queue file into the "active" queue,
the following happens: It reads all necessary information from the
queue file as <tt>oqmgr</tt> does, and also reads as many recipients
as possible - more on that later, for now let's just pretend it
means obtaining (address, nexthop, transport) triple for each
recipient. For each triple, it finds the transport; if it does not
exist yet, it instantiates it (unless it's dead). Within the
-transport, it finds the destination queue for given nexthop; if it
+transport, it finds the destination queue for the given nexthop; if it
does not exist yet, it instantiates it (unless it's dead). The
triple is then bound to given destination queue. This happens in
qmgr_resolve() and is basically the same as in <tt>oqmgr</tt>.
not exist yet, it instantiates it. Finally, it stores the address
from the resolved triple to the recipient entry which is appended
to both the queue entry list and the peer entry list. The addresses
-for same nexthop are batched in the entries up to recipient_concurrency
-limit for that transport. This happens in qmgr_assign() and apart
-from that it operates with job and peer structures it is basically the
+for the same nexthop are batched in the entries up to the
+<i>transport</i>_destination_recipient_limit for that transport.
+This happens in qmgr_message_assign(), and apart
+from that it operates with job and peer structures, it is basically the
same as in <tt>oqmgr</tt>.
</p>
<p>
-[Now you should have pretty good idea what is the state of the
-<tt>nqmgr</tt> after couple of messages was picked up, what is the
-relation between all those job, peer, queue and entry structures.]
+[Now you should have a pretty good idea what the state of the
+<tt>nqmgr</tt> is after a couple of messages were picked up, and what the
+relation is between all those job, peer, queue and entry structures.]
</p>
top-level round-robin transport, and within each transport we get
the FIFO message delivery. The round-robin of the peers by the
destination is perhaps of little importance in most real-life cases
-(unless the recipient_concurrency limit is reached, in one job there
+(unless the <i>transport</i>_destination_recipient_limit is reached,
+in one job there
is only one peer structure for each destination), but theoretically
it makes sure that even within single jobs, destinations are treated
fairly.
The simple answer would be to use delivery sequence <tt>12121313</tt>.
But the problem is that this does not scale well. Imagine you have
-mail with thousand recipients followed by mail with hundred recipients.
+mail with a thousand recipients followed by mail with a hundred recipients.
It is tempting to suggest the delivery sequence like <tt>121212....</tt>,
but alas! Imagine there arrives another mail with say ten recipients.
But there are no free slots anymore, so it can't slip by, not even
-if it had just only one recipients. It will be stuck until the
+if it had only one recipient. It will be stuck until the
hundred-recipient mail is delivered, which really sucks.
</p>
<p>
So, it becomes obvious that while inflating the message to get
-free slots is great idea, one has to be really careful of how the
+free slots is a great idea, one has to be really careful of how the
free slots are assigned, otherwise one might corner himself. So,
how does <tt>nqmgr</tt> really use the free slots?
<p>
-Well, despite it looks so at the first glance, another trick will
+Well, despite the fact that it looks so at the first glance, another trick will
allow us to answer "no, we are not!". If we had said that we will
inflate the delivery time twice at maximum, and then we consider
every other slot as a free slot, then we would overinflate in case
defaults to default_delivery_slot_cost parameter which is set to 5
by default. This is the k from the paragraph above. Each time k
entries of the job are selected for delivery, this counter is
-incremented by one. Once there are some slots accumulated, job which
+incremented by one. Once there are some slots accumulated, a job which
requires no more than that number of slots to be fully delivered
can preempt this job.
[Well, the truth is, the counter is incremented every time an entry
is selected and it is divided by k when it is used.
-But for the understanding it's good enough to use
+But to understand, it's good enough to use
the above approximation of the truth.]
</p>
<p>
The answer for the first part is simple. The job whose entry was
-selected the last time is so called current job. Normally, it is
+selected the last time is the so called current job. Normally, it is
the first job on the scheduler's job list, but destination concurrency
limits may change this as we will see later. It is always only the
current job which may get preempted.
<p>
-Now for the second part. The current job has certain amount of
+Now for the second part. The current job has a certain amount of
recipient entries, and as such may accumulate at maximum some amount
of available delivery slots. It might have already accumulated some,
and perhaps even already used some when it was preempted before
it in order to get best message delivery rates. These rates are of
course subject to how many recipients the message has, therefore
the division by the recipient (entry) count. No one shall be surprised
-that message with n recipients takes n times longer to deliver than
-message with one recipient.
+that a message with n recipients takes n times longer to deliver than
+a message with one recipient.
</p>
accumulated? Why do we need to estimate how much it has yet to
accumulate? If you found out the answer, congratulate yourself. If
we did it this simple way, we would always choose the candidate
-with least recipient entries. If there were enough single recipient
+with the fewest recipient entries. If there were enough single recipient
mails coming in, they would always slip by the bulk mail as soon
-as possible, and the two and more recipients mail would never get
+as possible, and the two or more recipients mail would never get
a chance, no matter how long they have been sitting around in the
job list.
<p>
-This candidate selection has interesting implication - that when
+This candidate selection has an interesting implication - that when
we choose the best candidate for preemption (this is done in
qmgr_choose_candidate()), it may happen that we may not use it for
preemption immediately. This leads to an answer to the last part
entry is to be chosen for delivery. To avoid needless overhead, the
preemption is not attempted if the current job could never accumulate
more than <i>transport</i>_minimum_delivery_slots (defaults to
-default_minimum_delivery_slots which defaults to 3). If there is
+default_minimum_delivery_slots which defaults to 3). If there are
already enough accumulated slots to preempt the current job by the
chosen best candidate, it is done immediately. This basically means
that the candidate is moved in front of the current job on the
scheduler's job list and decreasing the accumulated slot counter
-by the amount used by the candidate. If there is not enough slots...
+by the amount used by the candidate. If there are not enough slots...
well, I could say that nothing happens and the another preemption
is attempted the next time. But that's not the complete truth.
The truth is that it turns out that it is not really necessary to
wait until the jobs counter accumulates all the delivery slots in
advance. Say we have ten-recipient mail followed by two two-recipient
-mails. If the preemption happened when enough delivery slot accumulate
+mails. If the preemption happened when enough delivery slots accumulate
(assuming slot cost 2), the delivery sequence becomes
<tt>11112211113311</tt>. Now what would we get if we would wait
only for 50% of the necessary slots to accumulate and we promise
we would wait for the remaining 50% later, after we get back
-to the preempted job? If we use such slot loan, the delivery sequence
-becomes <tt>11221111331111</tt>. As we can see, it makes it no
+to the preempted job? If we use such a slot loan, the delivery sequence
+becomes <tt>11221111331111</tt>. As we can see, it makes it not
considerably worse for the delivery of the ten-recipient mail, but
it allows the small messages to be delivered sooner.
<p>
-And it pretty much concludes this chapter.
+And that pretty much concludes this chapter.
</p>
<p>
[Now you should have a feeling that you pretty much understand the
-scheduler and the preemption, or at least that you will have it
-after you read the last chapter couple more times. You shall clearly
+scheduler and the preemption, or at least that you will have
+after you read the last chapter a couple more times. You shall clearly
see the job list and the preemption happening at its head, in ideal
delivery conditions. The feeling of understanding shall last until
you start wondering what happens if some of the jobs are blocked,
<p>
-From user's point of view it is all simple. If some of the peers
+From the user's point of view it is all simple. If some of the peers
of a job can't be selected, those peers are simply skipped by the
entry selection algorithm (the pseudo-code described before) and
only the selectable ones are used. If none of the peers may be
selected, the job is declared a "blocker job". Blocker jobs are
skipped by the entry selection algorithm and they are also excluded
-from the candidates for preemption of current job. Thus the scheduler
+from the candidates for preemption of the current job. Thus the scheduler
effectively behaves as if the blocker jobs didn't exist on the job
list at all. As soon as at least one of the peers of a blocker job
becomes unblocked (that is, the delivery agent handling the delivery
-of the recipient entry for given destination successfully finishes),
+of the recipient entry for the given destination successfully finishes),
the job's blocker status is removed and the job again participates
in all further scheduler actions normally.
<p>
-The answer is: a lot. Any job may become blocker job at any time,
-and also become normal job again at any time. This has several
+The answer is: a lot. Any job may become a blocker job at any time,
+and also become a normal job again at any time. This has several
important implications:
</p>
<p>
[Interesting side note: even when jobs are delivered out of order,
-from single destination's point of view the jobs are still delivered
+from a single destination's point of view the jobs are still delivered
in the expected order (that is, FIFO unless there was some preemption
involved). This is because whenever a destination queue becomes
unblocked (the destination limit allows selection of more recipient
<p>
If I illustrate the relations after the above mentioned examples
-(but those in point 1)), the situation would look like this:
+(but those in point 1), the situation would look like this:
</p>
<p>
Well, it maintains them all as described, but fortunately, all these
-relations are necessary only for purposes of proper counting of
-available delivery slots. For purposes of ordering the jobs for
+relations are necessary only for the purpose of proper counting of
+available delivery slots. For the purpose of ordering the jobs for
entry selection, the original rule still applies: "the job preempting
the current job is moved in front of the current job on the job
list". So for entry selection purposes, the job relations remain
<p>
-[By now, you should have a feeling that there is more things going
-under the hood than you ever wanted to know. You decide that
+[By now, you should have a feeling that there are more things going
+on under the hood than you ever wanted to know. You decide that
forgetting about this chapter is the best you can do for the sake
of your mind's health and you basically stick with the idea how the
scheduler works in ideal conditions, when there are no blockers,
<p>
When discussing the <tt>nqmgr</tt> scheduler, we have so far assumed
-that all recipients of all messages in the active queue are completely
-read into the memory. This is simply not true. There is an upper
+that all recipients of all messages in the "active" queue are completely
+read into memory. This is simply not true. There is an upper
bound on the amount of memory the <tt>nqmgr</tt> may use, and
therefore it must impose some limits on the information it may store
-in the memory at any given time.
+in memory at any given time.
</p>
First of all, not all messages may be read in-core at once. At any
time, only qmgr_message_active_limit messages may be read in-core
at maximum. When read into memory, the messages are picked from the
-incoming and deferred message queues and moved to the active queue
-(incoming having priority), so if there is more than
-qmgr_message_active_limit messages queued in the active queue, the
-rest will have to wait until (some of) the messages in the active
-queue are completely delivered (or deferred).
+"incoming" and "deferred" queues and moved to the "active" queue
+(incoming having priority), so if there are more than
+qmgr_message_active_limit messages queued in the "active" queue, the
+rest will have to wait until (some of) the messages in the "active" queue
+are completely delivered (or deferred).
</p>
Even with the limited amount of in-core messages, there is another
limit which must be imposed in order to avoid memory exhaustion.
-Each message may contain huge amount of recipients (tens or hundreds
+Each message may contain a huge number of recipients (tens or hundreds
of thousands are not uncommon), so if <tt>nqmgr</tt> read all
-recipients of all messages in the active queue, it may easily run
+recipients of all messages in the "active" queue, it may easily run
out of memory. Therefore there must be some upper bound on the
-amount of message recipients which are read into the memory at the
+amount of message recipients which are read into memory at the
same time.
</p>
The message limit is straightforward - it just limits the size of
the
lookahead the <tt>nqmgr</tt>'s scheduler has when choosing which
-message can preempt the current one. Messages not in the active
-queue simply are not considered at all.
+message can preempt the current one. Messages not in the "active" queue
+are simply not considered at all.
</p>
many recipient entries there will be, as they are subject to
per-destination grouping. It is not even clear to what transports
(and thus jobs) the recipients will be assigned. And with messages
-coming from the deferred queue, it is not even clear how many unread
+coming from the "deferred" queue, it is not even clear how many unread
recipients are still to be delivered. This all means that the
scheduler must use only estimates of how many recipients entries
there will be. Fortunately, it is possible to estimate the minimum
and maximum correctly, so the scheduler can always err on the safe
-side. Obviously, the better the estimates, the better results, so
+side. Obviously, the better the estimates, the better the results, so
it is best when we are able to read all recipients in-core and turn
the estimates into exact counts, or at least try to read as many
as possible to make the estimates as accurate as possible.
<p>
Perhaps the easiest solution would be to say that each message may
-have at maximum X recipients stored in-core, but such solution would
+have at maximum X recipients stored in-core, but such a solution would
be poor for several reasons. With reasonable qmgr_message_active_limit
-values, the X would have to be quite low to maintain reasonable
+values, the X would have to be quite low to maintain a reasonable
memory footprint. And with low X lots of things would not work well.
The <tt>nqmgr</tt> would have problems to use the
<i>transport</i>_destination_recipient_limit efficiently. The
<p>
Therefore it seems reasonable to have a solution which does not use
-a limit imposed on per-message basis, but which maintains a pool
+a limit imposed on a per-message basis, but which maintains a pool
of available recipient slots, which can be shared among all messages
in the most efficient manner. And as we do not want separate
transports to compete for resources whenever possible, it seems
-appropriate to maintain such recipient pool for each transport
+appropriate to maintain such a recipient pool for each transport
separately. This is the general idea, now how does it work in
practice?
<p>
-First we have to solve little chicken-and-egg problem. If we want
+First we have to solve a little chicken-and-egg problem. If we want
to use the per-transport recipient pools, we first need to know to
-what transport(s) is the message assigned. But we will find that
-out only after we read in the recipients first. So it is obvious
+what transport(s) the message is assigned. But we will find that
+out only after we first read in the recipients. So it is obvious
that we first have to read in some recipients, use them to find out
-to what transports is the message to be assigned, and only after
-that we can use the per-transport recipient pools.
+to what transports the message is to be assigned, and only after
+that can we use the per-transport recipient pools.
</p>
Now how many recipients shall we read for the first time? This is
what qmgr_message_recipient_minimum and qmgr_message_recipient_limit
values control. The qmgr_message_recipient_minimum value specifies
-how many recipients of each message we will read for the first time,
+how many recipients of each message we will read the first time,
no matter what. It is necessary to read at least one recipient
before we can assign the message to a transport and create the first
job. However, reading only qmgr_message_recipient_minimum recipients
even if there are only few messages with few recipients in-core would
-be wasteful. Therefore if there is less than qmgr_message_recipient_limit
+be wasteful. Therefore if there are fewer than qmgr_message_recipient_limit
recipients in-core so far, the first batch of recipients may be
larger than qmgr_message_recipient_minimum - as large as is required
to reach the qmgr_message_recipient_limit limit.
<p>
-For example, if a message has three jobs, first with 1 recipient
-still in-core and 4 recipient slots, second with 5 recipient in-core
-and 5 recipient slots, and third with 2 recipients in-core and 0
-recipient slots, it has 1+5+2=7 recipients in-core and 4+5+0=9 jobs'
+For example, if a message has three jobs, the first with 1 recipient
+still in-core and 4 recipient slots, the second with 5 recipients in-core
+and 5 recipient slots, and the third with 2 recipients in-core and 0
+recipient slots, it has 1+5+2=8 recipients in-core and 4+5+0=9 jobs'
recipients slots in total. This means that we could immediately
read 2+qmgr_message_recipient_minimum more recipients of that message
in core.
job list, it gets all unused recipient slots from its transport's
pool. It keeps them until all recipients of its message are read.
When this happens, all unused recipient slots are transferred to
-the next job (which is now in fact now first such job) on the job
+the next job (which is now in fact the first such job) on the job
list which still has some recipients unread, or eventually back to
-the transport pool if there is no such job. Such transfer then also
+the transport pool if there is no such job. Such a transfer then also
happens whenever a recipient entry of that job is delivered.
</p>
<p>
There is also a scenario when a job is not appended to the end of
-the job list (for example it was created as a result of second or
+the job list (for example it was created as a result of a second or
later recipient batch). Then it works exactly as above, except that
if it was put in front of the first unread job (that is, the job
-of a message which still has some unread recipients in queue file),
+of a message which still has some unread recipients in the queue file),
that job is first forced to return all of its unused recipient slots
to the transport pool.
of the sponsoring mentioned before) and the jobs after this job get
nothing from the transport recipient pool (unless they got something
before and then the first unread job was created and enqueued in
-front of them later - in such case the also get at maximum as many
+front of them later - in such a case, they also get at maximum as many
slots as they have recipients in-core).
</p>
<p>
-Things work fine in such state for most of the time, because the
-current job is either completely read in-core or has as much recipient
+Things work fine in such a state for most of the time, because the
+current job is either completely read in-core or has as many recipient
slots as there are, but there is one situation which we still have
to take care of specially. Imagine if the current job is preempted
by some unread job from the job list and there are no more recipient
slots available, so this new current job could read only batches
of qmgr_message_recipient_minimum recipients at a time. This would
-really degrade performance. For this reason, each transport has
+really degrade performance. For this reason, each transport has an
extra pool of <i>transport</i>_extra_recipient_limit recipient
slots, dedicated exactly for this situation. Each time an unread
job preempts the current job, it gets half of the remaining recipient
<p>
And that's it. It sure does sound pretty complicated, but fortunately
-most people don't really have to care how exactly it works as long
+most people don't really have to care exactly how it works as long
as it works. Perhaps the only important things to know for most
people are the following upper bound formulas:
<p>
And this terribly complicated chapter concludes the documentation
-of <tt>nqmgr</tt> scheduler.
+of the <tt>nqmgr</tt> scheduler.
</p>
inside out. In practice, you still hope that you will never have
to really understand the last or last two chapters completely, and
fortunately most people really won't. Understanding how the scheduler
-works in ideal conditions is more than good enough for vast majority
+works in ideal conditions is more than good enough for the vast majority
of users.]
</p>
again later). The end of each list is equivalent to a PERMIT result.
By placing a PERMIT restriction before a REJECT restriction you
can make exceptions for specific clients or users. This is called
-allowlisting; the fourth example above allows mail from local
-networks but otherwise rejects mail to arbitrary destinations. </p>
+allowlisting; the smtpd_relay_restrictions example above allows mail from local
+networks, and from SASL authenticated clients, but otherwise rejects mail
+to arbitrary destinations. </p>
<p> The table below summarizes the purpose of each SMTP access
restriction list. All lists use the exact same syntax; they differ
the Postfix SMTP server can delegate decisions to an external policy
server (Postfix 2.1 and later). </p>
-<p> With this policy delegation mechanism, a simple <a href="#greylist">
-greylist </a> policy can be implemented with only a dozen lines of
+<p> With this policy delegation mechanism, a simple
+<a href="#greylist">greylist</a> policy can be implemented with only a dozen lines of
Perl, as is shown at the end of this document. A complete example
can be found in the Postfix source code, in the directory
examples/smtpd-policy. </p>
an absolute pathname of a UNIX-domain socket. The third example
specifies a pathname relative to the Postfix queue directory; use
this for policy servers that are spawned by the Postfix master
-daemon. </p>
+daemon. On many systems, "local" is a synonym for "unix".</p>
<p> To create a policy service that listens on a UNIX-domain socket
called "policy", and that runs under control of the Postfix spawn(8)
<li> <p> Line 11: this increases the time that a policy server
process may run to 3600 seconds. The default time limit of 1000
-seconds is too short; the policy daemon needs to run long as the
+seconds is too short; the policy daemon needs to run as long as the
SMTP server process that talks to it.
See the spawn(8) manpage for more information about the
<i>transport</i>_time_limit parameter. </p>
<li> <p> Line 6: this increases the time that a greylist server
process may run to 3600 seconds. The default time limit of 1000
-seconds is too short; the greylist daemon needs to run long as the
+seconds is too short; the greylist daemon needs to run as long as the
SMTP server process that talks to it.
See the spawn(8) manpage for more information about the
<i>transport</i>_time_limit parameter. </p>
domains that often appear in forged email. At some point
in cyberspace/time a list of frequently
forged MAIL FROM domains could be found at
-http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
+https://web.archive.org/web/20080526153208/http://www.monkeys.com/anti-spam/filtering/sender-domain-validate.in.
<blockquote>
<pre>
<p> The content filter itself is not described here. You can use
any filter that is SMTP enabled. For non-SMTP capable content
filtering software, Bennett Todd's SMTP proxy implements a nice
-Perl-based framework. See: http://bent.latency.net/smtpprox/ or
-https://github.com/jnorell/smtpprox.</p>
+Perl-based framework. See:
+https://web.archive.org/web/20151022025756/http://bent.latency.net/smtpprox/
+or https://github.com/jnorell/smtpprox/ </p>
<blockquote>
<p> By default, the filter has 100 seconds to do its work. If it
takes longer then Postfix gives up and reports an error to the
-remote SMTP client. You can increase this time limit (see configuration
-parameter section below) but doing so is pointless because you
+remote SMTP client. You can increase this time limit (see the <a href="#parameters">"Configuration
+parameters"</a> section below) but doing so is pointless because you
can't control when the remote SMTP client times out. </p>
<h2><a name="parameters">Configuration parameters</a></h2>
<p> For compatibility with pre-SMTPUTF8 environments, Postfix does
not automatically set the "SMTPUTF8 requested" flag on messages
-from non-SMTPUTF8 clients that contain an UTF-8 header value or
+from non-SMTPUTF8 clients that contain a UTF-8 header value or
UTF-8 address localpart. This would make such messages undeliverable
to non-SMTPUTF8 servers, and could be a barrier to SMTPUTF8 adoption.
</p>
query = SELECT forw_addr FROM mxaliases WHERE alias='%s' AND status='paid'
</pre>
-<h2>Additional notes</h2>
-
-<p> The SQLite configuration interface setup allows for multiple
-sqlite databases: you can use one for a virtual table, one for an
-access table, and one for an aliases table if you want. </p>
-
<h2>Credits</h2>
<p> SQLite support was added with Postfix version 2.8. </p>
<p> First we present the non-mailhost configuration, because it is
the simpler one. This machine sends mail as "user@example.com" and
-is final destination for "user@hostname.example.com". </p>
+is the final destination for "user@hostname.example.com". </p>
<blockquote>
<pre>
</ul>
<p> Next we present the mailhost configuration. This machine sends
-mail as "user@example.com" and is final destination for
+mail as "user@example.com" and is the final destination for
"user@hostname.example.com" as well as "user@example.com". </p>
<blockquote>
only address literals matching $inet_interfaces or $proxy_interfaces
are deemed local. So "localpart@[a.d.d.r]" can be matched as simply
"localpart" in canonical(5) and virtual(5). This avoids the need to
-specify firewall IP addresses into Postfix configuration files. </p>
+specify firewall IP addresses in Postfix configuration files. </p>
</ul>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<h2><a name="backup">Configuring Postfix as primary or backup MX host for a remote site</a></h2>
<p> This section presents additional configuration. You need to
-combine this with basic configuration information as discussed the
+combine this with basic configuration information as discussed in the
first half of this document. </p>
<p> When your system is SECONDARY MX host for a remote site this
href="#local_network">local area network</a> section above. </p>
<p> This section presents additional configuration. You need to
-combine this with basic configuration information as discussed the
+combine this with basic configuration information as discussed in the
first half of this document. </p>
<p> If you do not have your own hostname and IP address (usually
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<p> The following example presents additional configuration. You
need to combine this with basic configuration information as
-discussed the first half of this document. </p>
+discussed in the first half of this document. </p>
<blockquote>
<pre>
<p> The postscreen(8) daemon, introduced with Postfix 2.8, provides
additional protection against mail server overload. One postscreen(8)
process handles multiple inbound SMTP connections, and decides which
-clients may to talk to a Postfix SMTP server process. By keeping
+clients may talk to a Postfix SMTP server process. By keeping
spambots away, postscreen(8) leaves more SMTP server processes
available for legitimate clients, and delays the onset of server
overload conditions. </p>
<p> Postfix version 2.2 introduces support for TLS as described in
RFC 3207. TLS Support for older Postfix versions was available as
an add-on patch. The section "<a href="#compat">Compatibility with
-Postfix < 2.2 TLS support</a>" below discusses the differences
+Postfix < 2.2 TLS support</a>" below discusses the differences
between these implementations. </p>
<p> Topics covered in this document: </p>
<li><a href="#problems"> Reporting problems </a>
-<li><a href="#compat">Compatibility with Postfix < 2.2 TLS support</a>
+<li><a href="#compat">Compatibility with Postfix < 2.2 TLS support</a>
<li><a href="#credits"> Credits </a>
<p> In order to use TLS, the Postfix SMTP server needs a certificate
and a private key. Both must be in "pem" format. The private key
must not be encrypted, meaning: the key must be accessible without
-password. Both certificate and private key may be in the same
+a password. Both certificate and private key may be in the same
file. </p>
<p> Both RSA and DSA certificates are supported. Typically you will
</blockquote>
<p> A Postfix SMTP server certificate supplied here must be usable
-as SSL server certificate and hence pass the "openssl verify -purpose
+as an SSL server certificate and hence pass the "openssl verify -purpose
sslserver ..." test. </p>
<p> A client that trusts the root CA has a local copy of the root
<p> The permit_tls_all_clientcerts feature must be used with caution,
because it can result in too many access permissions. Use this
feature only if a special CA issues the client certificates, and
-only if this CA is listed as trusted CA. If other CAs are trusted,
+only if this CA is listed as a trusted CA. If other CAs are trusted,
any owner of a valid client certificate would be authorized.
The permit_tls_all_clientcerts feature can be practical for a
specially created email relay server. </p>
<p> To influence the Postfix SMTP server cipher selection scheme,
you can give cipherlist string. A detailed description would go
-to far here; please refer to the OpenSSL documentation. If you
+too far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the
(openssl-)compiled in default! </p>
key/certificate pair as the Postfix SMTP server. If a certificate
is to be presented, it must be in "pem" format. The private key
must not be encrypted, meaning: it must be accessible without
-password. Both parts (certificate and private key) may be in the
+a password. Both parts (certificate and private key) may be in the
same file. </p>
<p> In order for remote SMTP servers to verify the Postfix SMTP
</blockquote>
<p> A Postfix SMTP client certificate supplied here must be usable
-as SSL client certificate and hence pass the "openssl verify -purpose
+as an SSL client certificate and hence pass the "openssl verify -purpose
sslclient ..." test. </p>
<p> A server that trusts the root CA has a local copy of the root
"smtp_tls_enforce_peername = yes" imply "smtp_use_tls = yes". </p>
<li> <p> When both hostname and next-hop destination lookups produce
-a result, the more specific per-site policy (NONE, MUST, etc)
+a result, the more specific per-site policy (NONE, MUST, etc.)
overrides the less specific one (MAY), and the more secure per-site
-policy (MUST, etc) overrides the less secure one (NONE). </p>
+policy (MUST, etc.) overrides the less secure one (NONE). </p>
<li> <p> After the per-site policy lookups are combined, the result
generally overrides the global policy. The exception is the less
example.org NONE
# TLS should not be used with the host <i>smtp.example.com</i>.
- smtp.example.com NONE
+ [smtp.example.com] NONE
</pre>
</blockquote>
<p> To influence the Postfix SMTP client cipher selection scheme,
you can give cipherlist string. A detailed description would go
-to far here; please refer to the OpenSSL documentation. If you
+too far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the
(openssl-)compiled in default! </p>
</ul>
-<h2><a name="compat">Compatibility with Postfix <2.2 TLS support</a></h2>
+<h2><a name="compat">Compatibility with Postfix < 2.2 TLS support</a></h2>
<p> Postfix version 2.2 TLS support is based on the Postfix/TLS
patch by Lutz Jänicke, but differs in a few minor ways. </p>
the ability to encrypt mail and to authenticate remote SMTP clients
or servers. You also turn on hundreds of thousands of lines of
OpenSSL library code. Assuming that OpenSSL is written as carefully
-as Wietse's own code, every 1000 lines introduce one additional bug
+as Wietse's own code, every 1000 lines introduces one additional bug
into Postfix. </p>
<p> Topics covered in this document: </p>
or via public-key infrastructure. This means that the Postfix server
public-key certificate file must include the server certificate
first, then the issuing CA(s) (bottom-up order). The Postfix SMTP
-server certificate must be usable as SSL server certificate and
+server certificate must be usable as an SSL server certificate and
hence pass the "<tt>openssl verify -purpose sslserver ...</tt>" test.
</p>
per algorithm. It is typically simpler to keep the chain for each
algorithm in its own file. Most users are likely to deploy just a
single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up to
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the
obsolete DSA. </p>
<blockquote>
<p> The permit_tls_all_clientcerts feature must be used with caution,
because it can result in too many access permissions. Use this
feature only if a special CA issues the client certificates, and
-only if this CA is listed as trusted CA. If other CAs are trusted,
+only if this CA is listed as a trusted CA. If other CAs are trusted,
any owner of a valid client certificate would be authorized.
The permit_tls_all_clientcerts feature can be practical for a
specially created email relay server. </p>
key/certificate pair as the Postfix SMTP server. If a certificate
is to be presented, it must be in "PEM" format. The private key
must not be encrypted, meaning: it must be accessible without
-password. Both parts (certificate and private key) may be in the
+a password. Both parts (certificate and private key) may be in the
same file. </p>
<p> With OpenSSL 1.1.1 and Postfix ≥ 3.4 it is also possible to
</blockquote>
<p> A Postfix SMTP client certificate supplied here must be usable
-as SSL client certificate and hence pass the "openssl verify -purpose
+as an SSL client certificate and hence pass the "openssl verify -purpose
sslclient ..." test. </p>
<p> A server that trusts the root CA has a local copy of the root
per algorithm. It is typically simpler to keep the chain for each
algorithm in its own file. Most users are likely to deploy at most a
single RSA chain, but with OpenSSL 1.1.1, it is possible to deploy up
-five chains, one each for RSA, ECDSA, ED25519, ED448 and even the
+five chains, one each for RSA, ECDSA, ED25519, ED448, and even the
obsolete DSA. </p>
<blockquote>
<dt><b>secure</b></dt> <dd><a href="#client_tls_secure">Secure certificate
verification.</a> Mail is delivered only if the TLS handshake succeeds,
-if the remote SMTP server certificate can be validated (not expired
-or revoked, and signed by a trusted Certification Authority), and if the
-server certificate name matches the optional "match" attribute (or the
-main.cf smtp_tls_secure_cert_match parameter value when no optional
+and DNS forgery resistant remote SMTP certificate verification succeeds
+(not expired or revoked, and signed by a trusted Certification Authority),
+and if the server certificate name matches the optional "match" attribute
+(or the main.cf smtp_tls_secure_cert_match parameter value when no optional
"match" attribute is specified). With Postfix ≥ 2.11 the "tafile"
attribute optionally modifies trust chain verification in the same manner
as the "smtp_tls_trust_anchor_file" parameter. The "tafile" attribute
with. For real authentication you need also enable DNSSEC record
signing for your domain and publish TLSA records and/or your Postfix
public key certificate needs to be signed by a recognized Certification
-Authority. To authenticate the certificates of remote host you
+Authority. To authenticate the certificates of a remote host you
need a DNSSEC-validating local resolver and to enable <a
href="#client_tls_dane">DANE</a> authentication and/or configure
the Postfix SMTP client with a list of public key certificates of
submission via client certificates. Often servers that perform TLS client
authentication will issue the required certificates signed by their own
CA. If you configure the client certificate and key incorrectly, you
-will be unable to send mail to sites that request client certificate,
+will be unable to send mail to sites that request a client certificate,
but don't require them from all clients. </p>
<blockquote>
MX hosts are up and accepting connections in a timely fashion,
throughput will be high. If any MX host is down and completely
unresponsive, the average connection latency rises to at least 1/N
-* $smtp_connection_timeout, if there are N MX hosts. This limits
+* $smtp_connect_timeout, if there are N MX hosts. This limits
throughput to at most the destination concurrency * N /
-$smtp_connection_timeout. </p>
+$smtp_connect_timeout. </p>
<p> For example, with a destination concurrency of 100 and 2 MX
hosts, each host will handle up to 50 simultaneous connections. If
as 5s or even 1s can be used to prevent congestion when one or
more, but not all MX hosts are down. </p>
-<p> If necessary, set a higher transport_destination_concurrency_limit
+<p> If necessary, set a higher <i>transport</i>_destination_concurrency_limit
(in main.cf since this is a queue manager parameter) and a lower
-smtp_connection_timeout (with a "-o" override in master.cf since
+smtp_connect_timeout (with a "-o" override in master.cf since
this parameter has no per-transport name) for the relay transport
and any transports dedicated for specific high volume destinations.
</p>
<h2><a name="canonical">Canonical versus hosted versus
other domains</a></h2>
-<p>Most Postfix systems are <b>final destination</b> for only a
+<p>Most Postfix systems are the <b>final destination</b> for only a
few domain names. These include the hostnames and [the IP addresses]
of the machine that Postfix runs on, and sometimes also include
the parent domain of the hostname. The remainder of this document
as defined in the ADDRESS_CLASS_README file.</p>
<p> Besides the canonical domains, Postfix can be configured to be
-<b>final destination</b> for any number of additional domains.
+the <b>final destination</b> for any number of additional domains.
These domains are called hosted, because they are not directly
associated with the name of the machine itself. Hosted domains are
usually implemented with the virtual alias domain address class
file. </p>
<p> Finally, Postfix can be configured as a transit host for sending
-mail across the internet. Obviously, Postfix is not final destination
+mail across the internet. Obviously, Postfix is not the final destination
for such mail. This function is available only for authorized
clients and/or users, and is implemented by the default domain
address class, as defined in the ADDRESS_CLASS_README file. </p>
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those cases, the lookups
+# can be directed to a TCP-based server. In those cases, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
# CASE FOLDING
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
-# Defer the request if some later restriction would result in a
+# Defer the request if some later restriction would result in
# an explicit or implicit PERMIT action.
# Reply with "\fB$access_map_defer_code 4.7.1 \fI optional
# text...\fR" when the
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those cases, the lookups
+# can be directed to a TCP-based server. In those cases, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
#
# off in email addresses.
# .IP "\fBmasquerade_exceptions (empty)\fR"
# Optional list of user names that are not subjected to address
-# masquerading, even when their address matches $masquerade_domains.
+# masquerading, even when their addresses match $masquerade_domains.
# .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
# The list of domains that are delivered via the $local_transport
# mail delivery transport.
# .fi
#
# Postfix parses the result as if it is a file in /etc/postfix.
+#
+# Note: if a rule contains \fB$\fR, specify \fB$$\fR to keep
+# Postfix from trying to do \fI$name\fR expansion as it
+# evaluates a parameter value.
# EXAMPLE SMTPD ACCESS MAP
# .nf
# /etc/postfix/main.cf:
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
+# can be directed to a TCP-based server. In those cases, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
# CASE FOLDING
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is available in Postfix 2.5 and later.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# The following \fBmain.cf\fR parameters are especially relevant.
# The text below provides only a parameter summary. See
# \fBpostconf\fR(5) for more details including examples.
-# .IP \fBsmtp_generic_maps\fR
-# Address mapping lookup table for envelope and header sender
-# and recipient addresses while delivering mail via SMTP.
-# .IP \fBpropagate_unmatched_extensions\fR
-# A list of address rewriting or forwarding mechanisms that propagate
-# an address extension from the original address to the result.
-# Specify zero or more of \fBcanonical\fR, \fBvirtual\fR, \fBalias\fR,
-# \fBforward\fR, \fBinclude\fR, or \fBgeneric\fR.
+# .IP "\fBsmtp_generic_maps (empty)\fR"
+# Optional lookup tables that perform address rewriting in the
+# Postfix SMTP client, typically to transform a locally valid address into
+# a globally valid address when sending mail across the Internet.
+# .IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
+# What address lookup tables copy an address extension from the lookup
+# key to the lookup result.
# .PP
# Other parameters of interest:
-# .IP \fBinet_interfaces\fR
-# The network interface addresses that this system receives mail on.
-# You need to stop and start Postfix when this parameter changes.
-# .IP \fBproxy_interfaces\fR
-# Other interfaces that this machine receives mail on by way of a
-# proxy agent or network address translator.
-# .IP \fBmydestination\fR
-# List of domains that this mail system considers local.
-# .IP \fBmyorigin\fR
-# The domain that is appended to locally-posted mail.
-# .IP \fBowner_request_special\fR
-# Give special treatment to \fBowner-\fIxxx\fR and \fIxxx\fB-request\fR
-# addresses.
+# .IP "\fBinet_interfaces (all)\fR"
+# The network interface addresses that this mail system receives
+# mail on.
+# .IP "\fBproxy_interfaces (empty)\fR"
+# The network interface addresses that this mail system receives mail
+# on by way of a proxy or network address translation unit.
+# .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
+# The list of domains that are delivered via the $local_transport
+# mail delivery transport.
+# .IP "\fBmyorigin ($myhostname)\fR"
+# The domain name that locally-posted mail appears to come
+# from, and that locally posted mail is delivered to.
+# .IP "\fBowner_request_special (yes)\fR"
+# Enable special treatment for owner-\fIlistname\fR entries in the
+# \fBaliases\fR(5) file, and don't split owner-\fIlistname\fR and
+# \fIlistname\fR-request address localparts when the recipient_delimiter
+# is set to "-".
# SEE ALSO
# postmap(1), Postfix lookup table manager
# postconf(5), configuration parameters
# For the \fBsearch_base\fR parameter, the upper-case equivalents
# of the above expansions behave identically to their lower-case
# counter-parts. With the \fBresult_format\fR parameter (previously
-# called \fBresult_filter\fR see the COMPATIBILITY section and below),
-# they expand to the corresponding components of input key rather
-# than the result value.
+# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
+# and below), they expand to the corresponding components of input
+# key rather than the result value.
# .IP "\fB%[1-9]\fR"
# The patterns %1, %2, ... %9 are replaced by the corresponding
# most significant component of the input key's domain. If the
# The upper-case equivalents of the above expansions behave in the
# \fBquery_filter\fR parameter identically to their lower-case
# counter-parts. With the \fBresult_format\fR parameter (previously
-# called \fBresult_filter\fR see the COMPATIBILITY section and below),
-# they expand to the corresponding components of input key rather
-# than the result value.
+# called \fBresult_filter\fR see the OTHER OBSOLETE FEATURES section
+# and below), they expand to the corresponding components of input
+# key rather than the result value.
# .IP
# The above %S, %U and %D expansions are available with Postfix 2.2
# and later.
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
# This is a list of domain names, paths to files, or
-# dictionaries. When specified, only fully qualified search
+# "type:table" databases. When specified, only fully qualified search
# keys with a *non-empty* localpart and a matching domain
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
# .sp
# The \fBlocal\fR(8), \fBpipe\fR(8), \fBspawn\fR(8), and
# \fBvirtual\fR(8) daemons require privileges.
-# .IP "\fBChroot (default: Postfix >= 3.0: n, Postfix <3.0: y)\fR"
+# .IP "\fBChroot (default: Postfix >= 3.0: n, Postfix < 3.0: y)\fR"
# Whether or not the service runs chrooted to the mail queue
# directory (pathname is controlled by the \fBqueue_directory\fR
# configuration variable in the main.cf file).
# In order to use MySQL lookups, define a MySQL source as a lookup
# table in main.cf, for example:
# .nf
-# alias_maps = mysql:/etc/mysql-aliases.cf
+# alias_maps = mysql:/etc/postfix/mysql-aliases.cf
# .fi
#
# The file /etc/postfix/mysql-aliases.cf has the same format as
# .IP "\fBhosts\fR"
# The hosts that Postfix will try to connect to and query from.
# Specify \fIunix:\fR for UNIX domain sockets, \fIinet:\fR for TCP
-# connections (default). Example:
+# connections (default). Examples:
# .nf
+# hosts = inet:host1.some.domain inet:host2.some.domain:port
# hosts = host1.some.domain host2.some.domain:port
# hosts = unix:/file/name
# .fi
#
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
-# This is a list of domain names, paths to files, or
-# dictionaries. When specified, only fully qualified search
-# keys with a *non-empty* localpart and a matching domain
-# are eligible for lookup: 'user' lookups, bare domain lookups
+# This is a list of domain names, paths to files, or "type:table"
+# databases. When specified, only fully qualified search keys
+# with a *non-empty* localpart and a matching domain are
+# eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
# reduce the query load on the MySQL server.
# .nf
# databases. In order to use PostgreSQL lookups, define a
# PostgreSQL source as a lookup table in main.cf, for example:
# .nf
-# alias_maps = pgsql:/etc/pgsql-aliases.cf
+# alias_maps = pgsql:/etc/postfix/pgsql-aliases.cf
# .fi
#
# The file /etc/postfix/pgsql-aliases.cf has the same format as
# Examples:
# .nf
# hosts = postgresql://username@example.com/tablename?sslmode=require
+# hosts = inet:host1.some.domain inet:host2.some.domain:port
# hosts = host1.some.domain host2.some.domain:port
# hosts = unix:/file/name
# .fi
# \fBselect_function\fR, \fBquery\fR, \fBselect_field\fR, ...
#
# With Postfix 2.2 the \fBquery\fR parameter has highest precedence,
-# see COMPATIBILITY above.
+# see OBSOLETE QUERY INTERFACES below.
#
# NOTE: DO NOT put quotes around the \fBquery\fR parameter.
# .IP "\fBresult_format (default: \fB%s\fR)\fR"
#
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
-# This is a list of domain names, paths to files, or
-# dictionaries. When specified, only fully qualified search
+# This is a list of domain names, paths to files, or "type:table"
+# databases. When specified, only fully qualified search
# keys with a *non-empty* localpart and a matching domain
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
<p>
Specify a location in a file system that will not fill up. If the
-database becomes corrupted, the world comes to an end. To recover
+database becomes corrupted, the world comes to an end. To recover,
delete (NOT: truncate) the file and do "<b>postfix reload</b>".
</p>
verification cache.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
be refreshed.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p>
This feature is available in Postfix 2.1 and later.
reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
seconds. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.7. </p>
The default polling delay is 3 seconds.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
verification cache.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
when the probe fails (optimistic caching).
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
This feature is available in Postfix 2.1 and later.
as for regular mail.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is d (days).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
Specify 0 when mail delivery should be tried only once.
<p> How much time a Postfix daemon process may take to handle a
request before it is terminated by a built-in watchdog timer. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM debug_peer_level 2
the other message can be delivered using no more delivery slots
(i.e., invocations of delivery agents) than the current message
counter has accumulated (or will eventually accumulate - see about
-slot loans below). This parameter controls how often is the counter
+slot loans below). This parameter controls how often the counter is
incremented - it happens after each default_delivery_slot_cost
recipients have been delivered.
</p>
The default maximal number of parallel deliveries to the same
destination. This is the default limit for delivery via the lmtp(8),
pipe(8), smtp(8) and virtual(8) delivery agents.
-With per-destination recipient limit > 1, a destination is a domain,
+With a per-destination recipient limit > 1, a destination is a domain,
otherwise it is a recipient.
</p>
number of in-memory recipients. This extra recipient space is
reserved for the cases when the Postfix queue manager's scheduler
preempts one message with another and suddenly needs some extra
-recipients slots for the chosen message in order to avoid performance
+recipient slots for the chosen message in order to avoid performance
degradation.
</p>
<p>
The default rights used by the local(8) delivery agent for delivery
-to external file or command. These rights are used when delivery
+to an external file or command. These rights are used when delivery
is requested from an aliases(5) file that is owned by <b>root</b>, or
when delivery is done on behalf of <b>root</b>. <b>DO NOT SPECIFY A
PRIVILEGED USER OR THE POSTFIX OWNER</b>.
<dd>The sender address localpart or <> in case of the null address. </dd>
-<dt><b>${name?text}</b></dt>
+<dt><b>${name?value}</b></dt>
-<dd>Expands to `text' if $name is not empty. </dd>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
-<dt><b>${name:text}</b></dt>
+<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
+
+<dt><b>${name:value}</b></dt>
+
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
-<dd>Expands to `text' if $name is empty. </dd>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
</dl>
<p>
The default per-transport limit on the number of recipients refilled at
-once. When not all message recipients fit into the memory at once, keep
+once. When not all message recipients fit into memory at once, keep
loading more of them in batches of at least this many at a time. See also
$default_recipient_refill_delay, which may result in recipient batches
lower than this when this limit is too high for too slow deliveries.
%PARAM default_recipient_refill_delay 5s
<p>
-The default per-transport maximum delay between recipients refills.
-When not all message recipients fit into the memory at once, keep loading
+The default per-transport maximum delay between refilling recipients.
+When not all message recipients fit into memory at once, keep loading
more of them at least once every this many seconds. This is used to
-make sure the recipients are refilled in timely manner even when
+make sure the recipients are refilled in a timely manner even when
$default_recipient_refill_limit is too high for too slow deliveries.
</p>
<p>
The names of message delivery transports that should not deliver mail
unless someone issues "<b>sendmail -q</b>" or equivalent. Specify zero
-or more names of mail delivery transports names that appear in the
+or more mail delivery transport names that appear in the
first field of master.cf.
</p>
file or bounce(8) logfile.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM disable_vrfy_command no
<p> The delay between attempts to fork() a child process. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM execution_directory_expansion_filter see "postconf -d" output
%PARAM command_execution_directory
<p> The local(8) delivery agent working directory for delivery to
-external command. Failure to change directory causes the delivery
+external commands. Failure to change directory causes the delivery
to be deferred. </p>
<p> The command_execution_directory value is not subject to Postfix
<dt><b>${name?value}</b></dt>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
+
</dl>
<p>
<dt><b>${name?value}</b></dt>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
+
</dl>
<p>
%PARAM import_environment see "postconf -d" output
-<p> The list of environment parameters that a privileged Postfix
+<p> The list of environment variables that a privileged Postfix
process will import from a non-Postfix parent process, or name=value
environment overrides. Unprivileged utilities will enforce the
name=value overrides, but otherwise will not change their process
-environment. Examples of relevant parameters: </p>
+environment. Examples of relevant environment variables: </p>
<dl>
<p> Specify a list of names and/or name=value pairs, separated by
whitespace or comma. Specify "{ name=value }" to protect whitespace
-or comma in parameter values (whitespace after the opening "{" and
+or comma in environment variable values (whitespace after the opening "{" and
before the closing "}"
is ignored). The form name=value is supported with Postfix version
2.1 and later; the use of {} is supported with Postfix 3.0 and
<p> With Postfix 2.4 the default value was reduced from 100s to 5s. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM ipc_timeout 3600s
fatal error.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM ipc_ttl 1000s
the Postfix address resolving and rewriting clients.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
connection can be made within the deadline, the LMTP client tries
the next address on the mail exchanger list. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
Example:
is received within the deadline, a warning is logged that the mail
may be delivered multiple times. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_data_init_timeout 120s
for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_data_xfer_timeout 180s
the LMTP client terminates the transfer.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_lhlo_timeout 300s
deadline, the LMTP client tries the next address on the mail
exchanger list. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_mail_timeout 300s
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_quit_timeout 300s
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_rcpt_timeout 300s
and for receiving the remote LMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_rset_timeout 20s
order to finish a recipient address probe, or to verify that a
cached connection is still alive. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM lmtp_send_xforward_command no
server response announces XFORWARD support. This allows an lmtp(8)
delivery agent, used for content filter message injection, to
forward the name, address, protocol and HELO name of the original
-client to the content filter and downstream queuing LMTP server.
+client to the content filter and downstream LMTP server.
Before you change the value to yes, it is best to make sure that
your content filter supports this command.
</p>
the mail exchanger list.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
%PARAM local_command_shell
<p>
-Optional shell program for local(8) delivery to non-Postfix command.
+Optional shell program for local(8) delivery to non-Postfix commands.
By default, non-Postfix commands are executed directly; commands
are given to the default shell (typically, /bin/sh) only when they
contain shell meta characters or shell built-in commands.
<dt><b>${name?value}</b></dt>
-<dd>Expands to <i>value</i> when <i>$name</i> has a non-empty value. </dd>
+<dt><b>${name?{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is non-empty. </dd>
<dt><b>${name:value}</b></dt>
-<dd>Expands to <i>value</i> when <i>$name</i> has an empty value. </dd>
+<dt><b>${name:{value}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value</i> when <i>$name</i> is empty. </dd>
+
+<dt><b>${name?{value1}:{value2}}</b> (Postfix ≥ 3.0)</dt>
+
+<dd>Expands to <i>value1</i> when <i>$name</i> is non-empty,
+<i>value2</i> otherwise. </dd>
</dl>
file, or zero (no limit). In fact, this limits the size of any
file that is written to upon local delivery, including files written
by external commands that are executed by the local(8) delivery
-agent. </p>
+agent. The value cannot exceed LONG_MAX (typically, a 32-bit or
+64-bit signed integer).
+</p>
<p>
This limit must not be smaller than the message size limit.
Postfix daemon processes.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM max_use 100
<p> This parameter should be set to a value greater than or equal
to $minimal_backoff_time. See also $queue_run_delay. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM maximal_queue_lifetime 5d
maximal_queue_lifetime limit.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is d (days).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p>
Specify 0 when mail delivery should be tried only once.
<p>
The maximal size in bytes of a message, including envelope information.
+The value cannot exceed LONG_MAX (typically, a 32-bit or 64-bit
+signed integer).
</p>
<p> Note: be careful when making changes. Excessively small values
<p> This parameter should be set greater than or equal to
$queue_run_delay. See also $maximal_backoff_time. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM multi_recipient_bounce_reject_code 550
in Postfix version 2.4 and later. </p>
<p> Note 1: Pattern matching of domain names is controlled by the
-or absence of "mynetworks" in the parent_domain_matches_subdomains
+presence or absence of "mynetworks" in the parent_domain_matches_subdomains
parameter value. </p>
<p> Note 2: IP version 6 address information must be specified inside
<dd>
qmqpd_authorized_clients,
-smtpd_access_maps,
+<a href="SMTPD_ACCESS_README.html">smtpd_access_maps</a>,
</dd>
<dt> Postfix version 2.8 and later </dt>
or malicious clients.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM qmqpd_timeout 300s
seconds the Postfix QMQP server gives up and disconnects.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM queue_minfree 0
<p> This parameter should be set less than or equal to
$minimal_backoff_time. See also $maximal_backoff_time. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM rbl_reply_maps
may then be used to generate an extended .forward file name. This
implementation recognizes one delimiter character and one extension
per email address localpart or email address. With Postfix 2.10 and
-earler, the recipient_delimiter specifies a single character. </p>
+earlier, the recipient_delimiter specifies a single character. </p>
<p> See canonical(5), local(8), relocated(5) and virtual(5) for the
effects of recipient_delimiter on lookups in aliases, canonical,
tables
listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
-use the result from table lookup. </p>
+use the result from the table lookup. </p>
<p>
Specify zero or more "type:name" lookup tables, separated by
the operating system).
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_data_done_timeout 600s
logged that the mail may be delivered multiple times.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_data_init_timeout 120s
and for receiving the initial remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_host_lookup dns
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_mx_address_limit 5
bug workaround for delivery through firewalls with "smtp fixup"
mode turned on. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
By default, the workaround is turned off for mail that is queued
for less than 500 seconds. In other words, the workaround is normally
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_quote_rfc821_envelope yes
command, and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtp_sasl_auth_enable no
and for receiving the remote SMTP server response.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
</p>
<p>
-By default, there is no limit on the number AUTH commands that a
+By default, there is no limit on the number of AUTH commands that a
client may send.
</p>
<dd> By default use the remote SMTP client certificate fingerprint
or the public key
-fingerprint (Postfix 2.9 and later) as lookup key for the specified
+fingerprint (Postfix 2.9 and later) as the lookup key for the specified
access(5) database; with Postfix version 2.2, also require that the
remote SMTP client certificate is verified successfully.
The fingerprint digest algorithm is configurable via the
<dt><b><a name="check_sasl_access">check_sasl_access</a> <i><a href="DATABASE_README.html">type:table</a></i></b></dt>
-<dd> Use the remote SMTP client SASL user name as lookup key for
+<dd> Use the remote SMTP client SASL user name as the lookup key for
the specified access(5) database. The lookup key has the form
"username@domainname" when the smtpd_sasl_local_domain parameter
value is non-empty. Unlike the check_client_access feature,
<dd> Permit the request when the remote SMTP client certificate is
verified successfully. This option must be used only if a special
-CA issues the certificates and only this CA is listed as trusted
+CA issues the certificates and only this CA is listed as a trusted
CA. Otherwise, clients with a third-party certificate would also
be allowed to relay. Specify "tls_append_default_CA = no" when the
trusted CA is specified with smtpd_tls_CAfile or smtpd_tls_CApath,
fewer than $smtpd_hard_error_limit errors, without delivering mail.
</p>
-<p>With Postfix version 2.0 and earlier: the SMTP server delay before
-sending a reject (4xx or 5xx) response, when the client has made
-fewer than $smtpd_soft_error_limit errors without delivering
-mail. </p>
+<p>With Postfix version 2.0 and earlier: the SMTP server delay
+before sending a reject (4xx or 5xx) response, when the client has
+made fewer than $smtpd_soft_error_limit errors without delivering
+mail. When the client has made $smtpd_soft_error_limit or more errors,
+delay all responses with the larger of (number of errors) seconds
+or $smtpd_error_sleep_time. </p>
+
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM smtpd_soft_error_limit 10
<ul>
-<li><p>With Postfix version 2.1 and later, the Postfix SMTP server
-delays all responses by $smtpd_error_sleep_time seconds. </p>
+<li><p>With Postfix version 2.1 and later, when the error count
+is > $smtpd_soft_error_limit, the Postfix SMTP server
+delays all responses by $smtpd_error_sleep_time. </p>
+
+<li><p>With Postfix versions 2.0 and earlier, when the error count
+is > $smtpd_soft_error_limit, the Postfix SMTP server delays all
+responses by the larger of (number of errors) seconds or
+$smtpd_error_sleep_time. </p>
-<li><p>With Postfix versions 2.0 and earlier, the Postfix SMTP
-server delays all responses by (number of errors) seconds. </p>
+<li><p>With Postfix versions 2.0 and earlier, when the error count
+is ≤ $smtpd_soft_error_limit, the Postfix SMTP server delays 4XX
+and 5XX responses by $smtpd_error_sleep_time. </p>
</ul>
<p>
The maximal number of errors a remote SMTP client is allowed to
make without delivering mail. The Postfix SMTP server disconnects
-when the limit is exceeded. Normally the default limit is 20, but
+when the limit is reached. Normally the default limit is 20, but
it changes under overload to just 1. With Postfix 2.5 and earlier,
the SMTP server always allows up to 20 errors by default.
+Valid values are greater than zero.
</p>
<p> Specify "host:port" or "inet:host:port" for a TCP endpoint, or
"unix:pathname" for a UNIX-domain endpoint. The host can be specified
as an IP address or as a symbolic name; no MX lookups are done.
-When no "host" or "host:" are specified, the local machine is
+When no "host" or "host:" is specified, the local machine is
assumed. Pathname interpretation is relative to the Postfix queue
directory. </p>
the maillog file.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
<ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
+<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and the address contains no
sender-specified routing (user@elsewhere@domain),
<dt><b><a name="permit_mx_backup">permit_mx_backup</a></b></dt>
-<dd>Permit the request when the local mail system is backup MX for
+<dd>Permit the request when the local mail system is a backup MX for
the RCPT TO domain, or when the domain is an authorized destination
(see permit_auth_destination for definition).
access is not restricted with permit_mx_backup_networks.
<li> Safety: as of Postfix version 2.3, permit_mx_backup no longer
-accepts the address when the local mail system is primary MX for
+accepts the address when the local mail system is a primary MX for
the recipient domain. Exception: permit_mx_backup accepts the address
when it specifies an authorized destination (see permit_auth_destination
for definition).
<ul>
-<li> Postfix is mail forwarder: the resolved RCPT TO domain matches
+<li> Postfix is a mail forwarder: the resolved RCPT TO domain matches
$relay_domains or a subdomain thereof, and contains no sender-specified
routing (user@elsewhere@domain),
see the ADDRESS_VERIFICATION_README file for details. <br> The
unverified_recipient_reject_code parameter specifies the numerical
response code when an address is known to bounce (default: 450,
-change into 550 when you are confident that it is safe to do so).
+change it to 550 when you are confident that it is safe to do so).
<br>The unverified_recipient_defer_code parameter specifies the
numerical response code when an address probe failed due to a
temporary problem (default: 450). <br> The
<li> Mail from clients whose IP address matches $mynetworks, or:
+<li> Mail from clients who are SASL authenticated, or:
+
<li> Mail to remote destinations that match $relay_domains, except
for addresses that contain sender-specified routing
(user@elsewhere@domain), or:
<p>
Specify a list of network/netmask patterns, separated by commas
and/or whitespace. The mask specifies the number of bits in the
-network part of a host address. You can also "/file/name" or
+network part of a host address. You can also specify "/file/name" or
"type:table" patterns. A "/file/name" pattern is replaced by its
contents; a "type:table" lookup table is matched when a table entry
matches a lookup string (the lookup result is ignored). Continue
<dt><b><a name="reject_unknown_sender_domain">reject_unknown_sender_domain</a></b></dt>
-<dd>Reject the request when Postfix is not final destination for
+<dd>Reject the request when Postfix is not the final destination for
the sender address, and the MAIL FROM domain has 1) no DNS MX and
no DNS A
record, or 2) a malformed MX record such as a record with
to update the global ipc_timeout parameter.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM soft_bounce no
This is used for delivery to file or mailbox.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM strict_rfc821_envelopes no
a malfunctioning message delivery transport.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM trigger_timeout 10s
load.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM unknown_address_reject_code 450
%PARAM virtual_alias_domains $virtual_alias_maps
-<p> Postfix is final destination for the specified list of virtual
+<p> Postfix is the final destination for the specified list of virtual
alias domains, that is, domains for which all addresses are aliased
to addresses in other local or remote domains. The SMTP server
validates recipient addresses with $virtual_alias_maps and rejects
<p> Specify a list of host or domain names, "/file/name" or
"type:table" patterns, separated by commas and/or whitespace. A
"/file/name" pattern is replaced by its contents; a "type:table"
-lookup table is matched when a table entry matches a lookup string
+lookup table is matched when a table entry matches a host or domain name
(the lookup result is ignored). Continue long lines by starting
the next line with whitespace. Specify "!pattern" to exclude a host
or domain name from the list. The form "!/file/name" is supported
<p>
Optional lookup tables that alias specific mail addresses or domains
-to other local or remote address. The table format and lookups
+to other local or remote addresses. The table format and lookups
are documented in virtual(5). For an overview of Postfix address
manipulations see the ADDRESS_REWRITING_README document.
</p>
Postfix daemon process input buffer before giving up.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
This feature is available in Postfix 2.1 and later.
logs peak usage information.
</p>
-<p>
-This feature is available in Postfix 2.2 and later.
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
+This feature is available in Postfix 2.2 and later.
</p>
%PARAM enable_errors_to no
only. Thus, information is lost whenever the process terminates.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM command_expansion_filter see "postconf -d" output
This parameter speeds up the moment when a message preemption can
happen. Instead of waiting until the full amount of delivery slots
required is available, the preemption can happen when
-transport_delivery_slot_discount percent of the required amount
-plus transport_delivery_slot_loan still remains to be accumulated.
+<i>transport</i>_delivery_slot_discount percent of the required amount
+plus <i>transport</i>_delivery_slot_loan still remains to be accumulated.
Note that the full amount will still have to be accumulated before
another preemption can take place later.
</p>
<p> The two default VERP delimiter characters. These are used when
no explicit delimiters are specified with the SMTP XVERP command
-or with the "<b>sendmail -V</b>" command-line option. Specify
-characters that are allowed by the verp_delimiter_filter setting.
+or with the "<b>sendmail -XV</b>" command-line option (Postfix 2.2
+and earlier: <b>-V</b>). Specify characters that are allowed by the
+verp_delimiter_filter setting.
</p>
<p>
<p>
Most of these limitations have been with the Postfix
-a connection cache that is shared among multiple LMTP client
+connection cache that is shared among multiple LMTP client
programs.
</p>
<dt><b>nodictionary</b></dt>
<dd>Disallow authentication methods that are vulnerable to passive
-dictionary attack. </dd>
+dictionary attacks. </dd>
<dt><b>noanonymous</b></dt>
<li><p>Specify "mynetworks_style = subnet" when Postfix
should "trust" remote SMTP clients in the same IP subnetworks as the local
machine. On Linux, this works correctly only with interfaces
-specified with the "ifconfig" command. </p>
+specified with the "ifconfig" or "ip" command. </p>
<li><p>Specify "mynetworks_style = class" when Postfix should
"trust" remote SMTP clients in the same IP class A/B/C networks as the
clogging up the Postfix active queue. Specify 0 to disable.
</p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is enabled with the helpful_warnings parameter.
</p>
appears to be malfunctioning.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
%PARAM setgid_group postdrop
</p>
<p>
-Choosing a too short time makes this workaround ineffective when
+Choosing too short a time makes this workaround ineffective when
sending large messages over slow network connections.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
%PARAM smtp_randomize_addresses yes
<p>
order to finish a recipient address probe, or to verify that a
cached session is still usable. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.1 and later. </p>
%PARAM smtpd_data_restrictions
closed.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
closed.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
delegated SMTPD policy server.
</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p>
This feature is available in Postfix 2.1 and later.
</p>
%PARAM virtual_mailbox_domains $virtual_mailbox_maps
-<p> Postfix is final destination for the specified list of domains;
+<p> Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.
By default this is the Postfix virtual(8) delivery agent. The SMTP
server validates recipient addresses with $virtual_mailbox_maps
"user@domain.tld" entry.
</p>
+<p>
+With the default "virtual_mailbox_domains = $virtual_mailbox_maps",
+lookup tables also need entries with a left-hand side of "domain.tld"
+to satisfy virtual_mailbox_domain lookups (the right-hand side is
+required but will not be used).
+</p>
+
<p> The remainder of this text is specific to the virtual(8) delivery
agent. It does not apply when mail is delivered with a different
mail delivery program. </p>
%PARAM smtpd_tls_wrappermode no
-<p> Run the Postfix SMTP server in the non-standard "wrapper" mode,
+<p> Run the Postfix SMTP server in TLS "wrapper" mode,
instead of using the STARTTLS command. </p>
<p> If you want to support this service, enable a special port in
master.cf, and specify "-o smtpd_tls_wrappermode=yes" on the SMTP
-server's command line. Port 465 (smtps) was once chosen for this
-purpose. </p>
+server's command line. Port 465 (submissions/smtps) is reserved for
+this purpose. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the tlsmgr(8) daemon. This means that
per-smtpd-instance master.cf overrides of this parameter are not
-effective. Note, that each of the cache databases supported by tlsmgr(8)
+effective. Note that each of the cache databases supported by tlsmgr(8)
daemon: $smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to be
stored separately. It is not at this time possible to store multiple
an OpenSSL library (at least version 0.9.8h) that provides full
support for this TLS extension. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later, and updated
for TLS session ticket support in Postfix 2.11. </p>
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
</pre>
-<p>This feature is available with Postfix version 2.2.</p>
+<p>This feature is available in Postfix 2.2 and later.</p>
%PARAM smtpd_tls_dh512_param_file
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
</pre>
-<p>This feature is available with Postfix version 2.2.</p>
+<p>This feature is available in Postfix 2.2 and later,
+but is ignored in Postfix 3.6 and later.</p>
%PARAM smtpd_starttls_timeout see "postconf -d" output
default value is stress-dependent. Before Postfix version 2.8, it
was fixed at 300s. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtp_tls_cert_file
<dt> </dt> <dd> 2 Also log levels during TLS negotiation. </dd>
-<dt> </dt> <dd> 3 Also log hexadecimal and ASCII dump of TLS negotiation
-process. </dd>
+<dt> </dt> <dd> 3 Also log the hexadecimal and ASCII dump of the
+TLS negotiation process. </dd>
-<dt> </dt> <dd> 4 Also log hexadecimal and ASCII dump of complete
+<dt> </dt> <dd> 4 Also log the hexadecimal and ASCII dump of complete
transmission after STARTTLS. </dd>
</dl>
daemon does not use this parameter directly, rather the cache is
implemented indirectly in the tlsmgr(8) daemon. This means that
per-smtp-instance master.cf overrides of this parameter are not effective.
-Note, that each of the cache databases supported by tlsmgr(8) daemon:
+Note that each of the cache databases supported by tlsmgr(8) daemon:
$smtpd_tls_session_cache_database, $smtp_tls_session_cache_database
(and with Postfix 2.3 and later $lmtp_tls_session_cache_database), needs to
be stored separately. It is not at this time possible to store multiple
≤ 0, session caching is disabled. If set to a positive value
less than 2 minutes, the minimum value of 2 minutes is used instead. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtp_use_tls no
checking. This setting has no effect on sessions that are controlled
via the smtp_tls_per_site table. </p>
-<p> Disabling the hostname verification can make sense in closed
+<p> Disabling the hostname verification can make sense in a closed
environment where special CAs are created. If not used carefully,
this option opens the danger of a "man-in-the-middle" attack (the
CommonName of this attacker will be logged). </p>
<p> Optional lookup tables with the Postfix SMTP client TLS usage
policy by next-hop destination and by remote SMTP server hostname.
When both lookups succeed, the more specific per-site policy (NONE,
-MUST, etc) overrides the less specific one (MAY), and the more secure
-per-site policy (MUST, etc) overrides the less secure one (NONE).
+MUST, etc.) overrides the less specific one (MAY), and the more secure
+per-site policy (MUST, etc.) overrides the less secure one (NONE).
With Postfix 2.3 and later smtp_tls_per_site is strongly discouraged:
use smtp_tls_policy_maps instead. </p>
and smtp_tls_enforce_peername settings. </dd>
<dt> MAY </dt> <dd> Try to use TLS if the server announces support,
-otherwise use the unencrypted connection. This has less precedence
+otherwise use an unencrypted connection. This has less precedence
than a more specific result (including <b>NONE</b>) from the alternate
host or next-hop lookup key, and has less precedence than the more
specific global "smtp_enforce_tls = yes" or "smtp_tls_enforce_peername
SMTP server hostname matches the information in the remote SMTP
server certificate, and require that the remote SMTP server certificate
was issued by a trusted CA. This overrides a less secure <b>NONE</b>
-and <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
+or <b>MUST_NOPEERMATCH</b> or a less specific <b>MAY</b> lookup
result from the alternate host or next-hop lookup key, and overrides
the global smtp_use_tls, smtp_enforce_tls and smtp_tls_enforce_peername
settings. </dd>
<p> Time limit for Postfix SMTP client write and read operations
during TLS startup and shutdown handshake procedures. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM smtp_tls_dkey_file $smtp_tls_dcert_file
EGD compatible socket interface, or dev:/path/to/device for a
device file. </p>
-<p> Note: on OpenBSD systems specify /dev/arandom when /dev/urandom
+<p> Note: on OpenBSD systems specify dev:/dev/arandom when dev:/dev/urandom
gives timeout errors. </p>
<p> This feature is available in Postfix 2.2 and later. </p>
sources. The actual time between re-seeding attempts is calculated
using the PRNG, and is between 0 and the time specified. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM tls_random_prng_update_period 3600s
the pseudo random number generator (PRNG) to the file specified
with $tls_random_exchange_name. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.2 and later. </p>
%PARAM tls_daemon_random_bytes 32
<p> The maximal number of digits after the decimal point when logging
sub-second delay values. Specify a number in the range 0..6. </p>
-<p> Large delay values are rounded off to an integral number seconds;
+<p> Large delay values are rounded off to an integral number of seconds;
delay values below the delay_logging_resolution_limit are logged
as "0", and delay values under 100s are logged with at most two-digit
precision. </p>
<p> Pathname of a configuration file with bounce message templates.
These override the built-in templates of delivery status notification
-(DSN) messages for undeliverable mail, for delayed mail, successful
+(DSN) messages for undeliverable mail, delayed mail, successful
delivery, or delivery verification. The bounce(5) manual page
describes how to edit and test template files. </p>
<p>
The default value is the machine hostname. Specify a hostname or
-[ip.add.re.ss].
+[ip.add.re.ss] or [ip:v6:add:re::ss].
</p>
<p>
and "connection_reuse" attribute (Postfix ≥ 3.4) override the
"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", "smtp_tls_protocols",
and
-"smtp_tls_connection_reuse" configuration parameters. When opportunistic
+"smtp_tls_connection_reuse" configuration parameters. In the policy table,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
+as attribute values may not contain whitespace or commas. When opportunistic
TLS handshakes fail, Postfix retries the connection with TLS disabled.
This allows mail delivery to sites with non-interoperable TLS
implementations.</dd>
smtp_tls_mandatory_exclude_ciphers parameter, and the optional
"connection_reuse" attribute (Postfix ≥ 3.4) overrides the
main.cf smtp_tls_connection_reuse parameter. In the policy table,
-multiple protocols or excluded ciphers must be separated by colons,
+multiple ciphers, protocols or excluded ciphers must be separated by colons,
as attribute values may not contain whitespace or commas. </dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane</a></b></dt>
TLS authentication and DNSSEC support is available with Postfix
2.11 and later. The optional "connection_reuse" attribute (Postfix
≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
+When the effective security level used is <a
+href="TLS_README.html#client_tls_may">may</a>, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
+"smtp_tls_ciphers", "smtp_tls_exclude_ciphers", and "smtp_tls_protocols"
+configuration parameters.
+When the effective security level used is <a
+href="TLS_README.html#client_tls_encrypt">encrypt</a>, the optional "ciphers",
+"exclude", and "protocols" attributes (Postfix ≥ 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters.
</dd>
<dt><b><a href="TLS_README.html#client_tls_dane">dane-only</a></b></dt>
usable TLSA records are obtained for the remote SMTP server, the
server certificate must match the TLSA records. RFC 7672 (DANE) TLS
authentication and DNSSEC support is available with Postfix 2.11
-and later. The optional "connection_reuse" attribute (Postfix ≥
-3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
+and later. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers",
+"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse parameter.
</dd>
<dt><b><a href="TLS_README.html#client_tls_fprint">fingerprint</a></b></dt>
verification. Available with Postfix 2.5 and later. At this security
level, there are no trusted Certification Authorities. The certificate
trust chain, expiration date, ... are not checked. Instead,
-the optional <b>match</b> attribute, or else the main.cf
+the optional "match" attribute, or else the main.cf
<b>smtp_tls_fingerprint_cert_match</b> parameter, lists the certificate
fingerprints or the public key fingerprint (Postfix 2.9 and later)
of the valid server certificate. The digest
be combined with a "|" delimiter in a single match attribute, or multiple
match attributes can be employed. The ":" character is not used as a
delimiter as it occurs between each pair of fingerprint (hexadecimal)
-digits. The optional "connection_reuse" attribute (Postfix ≥ 3.4)
-overrides the main.cf smtp_tls_connection_reuse parameter. </dd>
+digits. The optional "ciphers", "exclude", and "protocols" attributes
+(Postfix ≥ 2.6) override the "smtp_tls_mandatory_ciphers",
+"smtp_tls_mandatory_exclude_ciphers", and "smtp_tls_mandatory_protocols"
+configuration parameters. The optional "connection_reuse" attribute
+(Postfix ≥ 3.4) overrides the main.cf smtp_tls_connection_reuse
+parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_verify">verify</a></b></dt>
<dd>Mandatory TLS verification. At this security
the main.cf smtp_tls_verify_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
In practice explicit control over matching is more common with the
-"secure" policy, described below. The optional "connection_reuse"
-attribute (Postfix ≥ 3.4) overrides the main.cf
+"secure" policy, described below. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix ≥ 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters. The optional
+"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter. </dd>
<dt><b><a href="TLS_README.html#client_tls_secure">secure</a></b></dt>
gateway IP addresses, are <b>not</b> trusted to be secure enough for TLS
peername verification. Instead, the default name verified in the server
certificate is obtained directly from the next-hop, or is explicitly
-specified via the optional <b>match</b> attribute which overrides the
+specified via the optional "match" attribute which overrides the
main.cf smtp_tls_secure_cert_match parameter. In the policy table,
multiple match patterns and strategies must be separated by colons.
The match attribute is most useful when multiple domains are supported by
-common server, the policy entries for additional domains specify matching
+a common server: the policy entries for additional domains specify matching
rules for the primary domain certificate. While transport table overrides
-routing the secondary domains to the primary nexthop also allow secure
+that route the secondary domains to the primary nexthop also allow secure
verification, they risk delivery to the wrong destination when domains
change hands or are re-assigned to new gateways. With the "match"
attribute approach, routing is not perturbed, and mail is deferred if
-verification of a new MX host fails. The optional "connection_reuse"
-attribute (Postfix ≥ 3.4) overrides the main.cf
+verification of a new MX host fails. The optional "ciphers", "exclude",
+and "protocols" attributes (Postfix ≥ 2.6) override the
+"smtp_tls_mandatory_ciphers", "smtp_tls_mandatory_exclude_ciphers", and
+"smtp_tls_mandatory_protocols" configuration parameters. The optional
+"connection_reuse" attribute (Postfix ≥ 3.4) overrides the main.cf
smtp_tls_connection_reuse parameter. </dd>
</dl>
match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
</pre>
-<p> <b>Note:</b> The <b>hostname</b> strategy if listed in a non-default
-setting of smtp_tls_secure_cert_match or in the <b>match</b> attribute
-in the policy table can render the <b>secure</b> level vulnerable to
-DNS forgery. Do not use the <b>hostname</b> strategy for secure-channel
+<p> <b>Note:</b> The "hostname" strategy if listed in a non-default
+setting of smtp_tls_secure_cert_match or in the "match" attribute
+in the policy table can render the "secure" level vulnerable to
+DNS forgery. Do not use the "hostname" strategy for secure-channel
configurations in environments where DNS security is not assured. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
<p> With Postfix < 3.6 there is no support for a minimum or maximum
version, and the protocol range is configured via protocol exclusions.
To require at least TLS 1.0, set "smtp_tls_mandatory_protocols = !SSLv2,
-!SSLv3". Listing the protocols to include, rather than protocols to
+!SSLv3". Listing the protocols to include, rather than the protocols to
exclude, is supported, but not recommended. The exclusion syntax more
accurately matches the underlying OpenSSL interface. </p>
</pre>
</blockquote>
-<p> also disables any protocols version higher than TLSv1.1 leaving
+<p> also disables any protocol versions higher than TLSv1.1 leaving
only "TLSv1" enabled. </p>
<p> Support for "TLSv1.3" was introduced in OpenSSL 1.1.1. Disabling
<p> While the vast majority of SMTP servers with DANE TLSA records now
support at least TLS 1.2, a few still only support TLS 1.0. If you use
-"dane" or "dane-only" it is best to not disable TLSv1, except perhaps
+"dane" or "dane-only" it is best not to disable TLSv1, except perhaps
via the policy table for destinations which you are sure will support
"TLSv1.2". </p>
%PARAM smtp_tls_security_level
-<p> The default SMTP TLS security level for the Postfix SMTP client;
-when a non-empty value is specified, this overrides the obsolete
-parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
-</p>
+<p> The default SMTP TLS security level for the Postfix SMTP client.
+When a non-empty value is specified, this overrides the obsolete
+parameters smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername;
+when no value is specified for smtp_tls_enforce_peername or the obsolete
+parameters, the default SMTP TLS security level is
+<a href="TLS_README.html#client_tls_none">none</a>. </p>
<p> Specify one of the following security levels: </p>
<pre>
# Opportunistic TLS.
smtp_tls_security_level = may
-# Do not tweak opportunistic ciphers or protocol unless it is essential
+# Do not tweak opportunistic ciphers or protocols unless it is essential
# to do so (if a security vulnerability is found in the SSL library that
# can be mitigated by disabling a particular protocol or raising the
# cipher grade).
does not arrive via the Postfix smtpd(8) server. This includes local
submission via the sendmail(1) command line, new mail that arrives
via the Postfix qmqpd(8) server, and old mail that is re-injected
-into the queue with "postsuper -r". Specify space or comma as
+into the queue with "postsuper -r". Specify space or comma as a
separator. See the MILTER_README document for details. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
application, and for negotiating protocol options. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
filter) application, and for receiving the response. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
filter) application, and for receiving the response. </p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). The default time unit is s (seconds). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.3 and later. </p>
applications. These defaults are used when there is no corresponding
information from the message delivery context. </p>
-<p> Specify <i>name=value</i> or <i>{name}=value</i> pairs separated
+<p> Specify <i>name=value</i> or <i>{name=value}</i> pairs separated
by comma or whitespace. Enclose a pair in "{}" when a value contains
comma or whitespace (this form ignores whitespace after the enclosing
"{", around the "=", and before the enclosing "}"). </p>
<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or stronger OpenSSL ciphers. The
underlying cipherlist is specified via the tls_export_cipherlist
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change. This choice is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
<dd> Enable "LOW" grade or stronger OpenSSL ciphers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
or longer symmetric bulk-encryption keys. This is the default minimum
strength for mandatory TLS encryption. The underlying cipherlist is
specified via the tls_medium_cipherlist configuration parameter, which
-you are strongly encouraged to not change. </dd>
+you are strongly encouraged not to change. </dd>
<dt><b>high</b></dt>
<dd> Enable only "HIGH" grade OpenSSL ciphers. The
case that all clients are prepared to use NULL ciphers (not normally
enabled in TLS clients). The underlying cipherlist is specified via the
tls_null_cipherlist configuration parameter, which you are strongly
-encouraged to not change. </dd>
+encouraged not to change. </dd>
</dl>
<dt><b>export</b></dt>
<dd> Enable "EXPORT" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the tls_export_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>low</b></dt>
<dd> Enable "LOW" grade or better OpenSSL ciphers. The underlying
cipherlist is specified via the tls_low_cipherlist configuration
-parameter, which you are strongly encouraged to not change. This
+parameter, which you are strongly encouraged not to change. This
choice is insecure and SHOULD NOT be used. </dd>
<dt><b>medium</b></dt>
<dd> Enable "MEDIUM" grade or better OpenSSL ciphers.
The underlying cipherlist is specified via the tls_medium_cipherlist
-configuration parameter, which you are strongly encouraged to not change.
+configuration parameter, which you are strongly encouraged not to change.
</dd>
<dt><b>high</b></dt>
mail is routed to a suitably capable relayhost) support at least one
"HIGH" grade cipher. The underlying cipherlist is specified via the
tls_high_cipherlist configuration parameter, which you are strongly
-encouraged to not change. </dd>
+encouraged not to change. </dd>
<dt><b>null</b></dt>
<dd> Enable only the "NULL" OpenSSL ciphers, these provide authentication
in TLS servers). A plausible use-case is an LMTP server listening on a
UNIX-domain socket that is configured to support "NULL" ciphers. The
underlying cipherlist is specified via the tls_null_cipherlist
-configuration parameter, which you are strongly encouraged to not
+configuration parameter, which you are strongly encouraged not to
change. </dd>
</dl>
</pre>
</blockquote>
-<p> The first setting, disables anonymous ciphers. The next setting
+<p> The first setting disables anonymous ciphers. The next setting
disables ciphers that use the MD5 digest algorithm or the (single) DES
encryption algorithm. The next setting disables ciphers that use MD5 and
DES together. The next setting disables the two ciphers "AES256-SHA"
the meaning of the "high" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
default cipherlist for mandatory TLS encryption in the TLS client
(with anonymous ciphers disabled when verifying server certificates).
This is the default cipherlist for opportunistic TLS with Postfix
-releases after the middle of 2015. You are strongly encouraged to
-not change this setting. </p>
+releases after the middle of 2015. You are strongly encouraged not
+to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
the meaning of the "low" setting in smtpd_tls_ciphers,
smtpd_tls_mandatory_ciphers, smtp_tls_ciphers, smtp_tls_mandatory_ciphers,
lmtp_tls_ciphers, and lmtp_tls_mandatory_ciphers. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
releases before the middle of 2015 this is the default cipherlist
for the opportunistic ("may") TLS client security level and also
the default cipherlist for the SMTP server. You are strongly
-encouraged to not change this setting. </p>
+encouraged not to change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
<p> The OpenSSL cipherlist for "NULL" grade ciphers that provide
authentication without encryption. This defines the meaning of the "null"
-setting in smtpd_mandatory_tls_ciphers, smtp_tls_mandatory_ciphers and
-lmtp_tls_mandatory_ciphers. You are strongly encouraged to not
+setting in smtpd_tls_mandatory_ciphers, smtp_tls_mandatory_ciphers and
+lmtp_tls_mandatory_ciphers. You are strongly encouraged not to
change this setting. </p>
<p> This feature is available in Postfix 2.3 and later. </p>
</pre>
</blockquote>
-<p> The text to the right of "=" sign is the desired fingerprint.
+<p> The text to the right of the "=" sign is the desired fingerprint.
For example: </p>
<blockquote>
</blockquote>
<p> The Postfix SMTP server and client log the peer (leaf) certificate
-fingerprint and public key fingerprint when the TLS loglevel is 2 or
+fingerprint and the public key fingerprint when the TLS loglevel is 2 or
higher. </p>
<p> This feature is available in Postfix 2.5 and later. </p>
acceptable protocols is to set the lowest acceptable TLS protocol
version and/or the highest acceptable TLS protocol version. To set the
lower bound include an element of the form: ">=<i>version</i>" where
-<i>version</i> is a either one of the TLS protocol names listed above,
+<i>version</i> is either one of the TLS protocol names listed above,
or a hexadecimal number corresponding to the desired TLS protocol
version (0301 for TLS 1.0, 0302 for TLS 1.1, etc.). For the upper
bound, use "<=<i>version</i>". There must be no whitespace between
SMTP client and server. These curves are used by the Postfix SMTP
server when "smtpd_tls_eecdh_grade = auto". The selected curves
must be implemented by OpenSSL and be standardized for use in TLS
-(RFC 4492 or its imminent successor). It is unwise to list only
+(RFC 8422). It is unwise to list only
"bleeding-edge" curves supported by a small subset of clients. The
default list is suitable for most users. </p>
strong" means approximately 128-bit security based on best known
attacks. The selected curve must be implemented by OpenSSL (as
reported by ecparam(1) with the "-list_curves" option) and be one
-of the curves listed in Section 5.1.1 of RFC 4492. You should not
+of the curves listed in Section 5.1.1 of RFC 8422. You should not
generally change this setting. Remote SMTP client implementations
must support this curve for EECDH key exchange to take place. It
-is unwise to choose an "bleeding-edge" curve supported by only a
+is unwise to choose only "bleeding-edge" curves supported by only a
small subset of clients. </p>
<p> The default "strong" curve is rated in NSA <a
users should instead set "smtpd_tls_eecdh_grade = strong". The selected
curve must be implemented by OpenSSL (as reported by ecparam(1) with the
"-list_curves" option) and be one of the curves listed in Section 5.1.1
-of RFC 4492. You should not generally change this setting. </p>
+of RFC 8422. You should not generally change this setting. Remote SMTP
+client implementations must support this curve for EECDH key exchange
+to take place. It is unwise to choose only "bleeding-edge" curves
+supported by only a small subset of clients. </p>
<p> This default "ultra" curve is rated in NSA <a
href="https://web.archive.org/web/20160330034144/https://www.nsa.gov/ia/programs/suiteb_cryptography/">Suite
value, where <i>transport</i> is the master.cf name of the message
delivery transport. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> Note: <i>transport</i>_time_limit parameters will not show up
in "postconf" command output before Postfix version 2.9. This
limitation applies to many parameters whose name is a combination
parameter value, where the initial <i>transport</i> in the parameter
name is the master.cf name of the message delivery transport. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
+<p> Note: <i>transport</i>_transport_rate_delay parameters will
+not show up in "postconf" command output before Postfix version
+2.9. This limitation applies to many parameters whose name is a
+combination of a master.cf service name and a built-in suffix (in
+this case: "_transport_rate_delay"). </p>
+
%PARAM default_destination_rate_delay 0s
<p> The default amount of delay that is inserted between individual
username and password, and the full server response. This information
is stored when a remote SMTP server rejects an authentication attempt
with a 535 reply code. As long as the smtp_sasl_password_maps
-information does no change, and as long as the smtp_sasl_auth_cache_name
+information does not change, and as long as the smtp_sasl_auth_cache_name
information does not expire (see smtp_sasl_auth_cache_time) the
Postfix SMTP client avoids SASL authentication attempts with the
same server, username and password, and instead bounces or defers
<p> The maximal age of an smtp_sasl_auth_cache_name entry before it
is removed. </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
+
<p> This feature is available in Postfix 2.5 and later. </p>
%PARAM lmtp_sasl_auth_soft_bounce yes
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
an hour ago. It also prevents the cache from filling up with clients
that passed some deep protocol test once and never came back. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
reload</b>", "<b>postfix stop</b>", or no requests for $max_idle
seconds. </p>
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.8. </p>
up to 6 seconds otherwise). <p>
<p> Specify a non-zero time value (an integral value plus an optional
-one-letter suffix that specifies the time unit). </p>
-
-<p> Time units: s (seconds), m (minutes), h (hours), d (days), w
-(weeks). </p>
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8. </p>
<pre>
# Append XVERP to MAIL FROM commands to request VERP-style delivery.
# See VERP_README for more information on how to use Postfix VERP.
- /^(MAIL FROM:\s*<listname@example\.com>.*)/ $1 XVERP
+ /^(MAIL\s+FROM:\s*<listname@example\.com>.*)/ $1 XVERP
</pre>
<pre>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 2.8-3.0. It was
replaced by postscreen_dnsbl_max_ttl in Postfix 3.1. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 3.1. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is h (hours). </p>
<p> This feature is available in Postfix 3.1. The default setting
is backwards-compatible with older Postfix versions. </p>
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8. </p>
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
%PARAM postscreen_dnsbl_reply_map
-<p> A mapping from actual DNSBL domain name which includes a secret
+<p> A mapping from an actual DNSBL domain name which includes a secret
password, to the DNSBL domain name that postscreen will reply with
when it rejects mail. When no mapping is found, the actual DNSBL
domain will be used. </p>
the timeouts in the dnsblog(8) daemon which are defined by system
resolver(3) routines. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 3.0. </p>
%PARAM postscreen_bare_newline_action ignore
<dt> <b>ignore</b> </dt>
<dd> Ignore the failure of this test. Allow other tests to complete.
-Do <i>not</i> repeat this test before some the result from some
+Do <i>not</i> repeat this test before the result from some
other test expires.
This option is useful for testing and collecting statistics
without blocking mail permanently. </dd>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is d (days). </p>
<p> This feature is available in Postfix 2.8. </p>
out of deadlock situations. If the time limit is exceeded the
software either retries or aborts the operation. </p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later. </p>
a request before it is terminated by a built-in watchdog timer.
</p>
-<p>
-Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-The default time unit is s (seconds).
-</p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.8 and later </p>
<p> Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption. See smtpd_enforce_tls for
-further details. </p>
+further details. Use tlsproxy_tls_security_level instead. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> Opportunistic TLS: announce STARTTLS support to remote SMTP clients,
but do not require that clients use TLS encryption. See smtpd_use_tls
-for further details. </p>
+for further details. Use tlsproxy_tls_security_level instead. </p>
<p> This feature is available in Postfix 2.8 and later. </p>
<p> The time limit for the proxy protocol specified with the
smtpd_upstream_proxy_protocol parameter. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 2.10 and later. </p>
%PARAM enable_long_queue_ids no
resulted in wasted network and processing resources. </p>
<p> To enable time-dependent probe sender addresses, specify a
-non-zero time value (an integral value plus an optional one-letter
-suffix that specifies the time unit). Specify a value of at least
-several hours, to avoid problems with senders that use greylisting.
-Avoid nice TTL values, to make the result less predictable. Time
-units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).
-</p>
+non-zero time value. Specify a value of at least several hours,
+to avoid problems with senders that use greylisting. Avoid nice
+TTL values, to make the result less predictable. </p>
+
+<p> Specify a non-negative time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 2.9 and later. </p>
<p> Note: It is unwise to omit sha256 from the digest list. This
digest algorithm is the only mandatory to implement digest algorithm
-in RFC 6698, and many servers are expected publish TLSA records
+in RFC 6698, and many servers are expected to publish TLSA records
with just sha256 digests. Unless one of the standard digests is
seriously compromised and servers have had ample time to update their
TLSA records you should not omit any standard digests, just arrange
<p> The delay between attempts to resend a failed SMTPD policy
service request. Specify a value greater than zero. </p>
+<p> Specify a non-zero time value (an integral value plus an optional
+one-letter suffix that specifies the time unit). Time units: s
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
+
<p> This feature is available in Postfix 3.0 and later. </p>
%PARAM smtputf8_enable yes
<p> Enable preliminary SMTPUTF8 support for the protocols described
-in RFC 6531..6533. This requires that Postfix is built to support
-these protocols. </p>
+in RFC 6531, RFC 6532, and RFC 6533. This requires that Postfix is
+built to support these protocols. </p>
<p> This feature is available in Postfix 3.0 and later. </p>
%PARAM smtp_tls_wrappermode no
<p> Request that the Postfix SMTP client connects using the
-legacy SMTPS protocol instead of using the STARTTLS command. </p>
+SUBMISSIONS/SMTPS protocol instead of using the STARTTLS command. </p>
<p> This mode requires "smtp_tls_security_level = encrypt" or
stronger. </p>
compromise SMTP transport security by returning forged MX records,
such attacks are "tamper-evident" since any forged MX hostnames
will be recorded in the mail logs. Attackers who place a high value
-staying hidden may be deterred from forging MX records. </p>
+on staying hidden may be deterred from forging MX records. </p>
<p>
This feature is available in Postfix 3.1 and later. The <b>may</b>
<p> The format of the Postfix-generated <b>From:</b> header. This
setting affects the appearance of 'full name' information when a
-local program such as /bin/mail submits a message without From:
+local program such as /bin/mail submits a message without a From:
header through the Postfix sendmail(1) command. </p>
<p> Specify one of the following: </p>
%PARAM tlsproxy_client_use_tls $smtp_use_tls
<p> Opportunistic mode: use TLS when a remote server announces TLS
-support. See smtp_use_tls for further details. </p>
+support. See smtp_use_tls for further details. Use
+tlsproxy_client_security_level instead. </p>
<p> This feature is available in Postfix 3.4 and later. </p>
%PARAM tlsproxy_client_enforce_tls $smtp_enforce_tls
<p> Enforcement mode: require that SMTP servers use TLS encryption.
-See smtp_enforce_tls for further details. </p>
+See smtp_enforce_tls for further details. Use
+tlsproxy_client_security_level instead. </p>
<p> This feature is available in Postfix 3.4 and later. </p>
<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
<p> The file or files must contain at most one key of each type. If,
for example, two or more RSA keys and corresponding chains are listed,
depending on the version of OpenSSL either only the last one will be
-used or an configuration error may be detected. Note that while
+used or a configuration error may be detected. Note that while
"Ed25519" and "Ed448" are considered separate algorithms, the various
ECDSA curves (typically one of prime256v1, secp384r1 or secp521r1) are
considered as different parameters of a single "ECDSA" algorithm, so it
<p> When this parameter is non-empty, the Postfix SMTP server enables
SNI extension processing, and logs SNI values that are invalid or
-don't match an entry in the the specified tables. When an entry
+don't match an entry in the specified tables. When an entry
does match, the SNI name is logged as part of the connection summary
at log levels 1 and higher. </p>
<p> Specify a non-zero time value (an integral value plus an optional
one-letter suffix that specifies the time unit). Time units: s
-(seconds), m (minutes), h (hours), d (days), w (weeks). </p>
+(seconds), m (minutes), h (hours), d (days), w (weeks).
+The default time unit is s (seconds). </p>
<p> This feature is available in Postfix 3.4 and later. </p>
# send mail as themselves. Use "uid:" followed by the numerical
# UID when the UID has no entry in the UNIX password file.
local_login_sender_maps =
- inline:{ { root = *}, { postfix = * } },
+ inline:{ { root = * }, { postfix = * } },
pcre:/etc/postfix/login_senders
</pre>
<pre>
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
- /(.+)/ $1 $1@example.com/
+ /(.+)/ $1 $1@example.com
</pre>
<p> This feature is available in Postfix 3.6 and later. </p>
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
+# can be directed to a TCP-based server. In those case, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
#
# expression lookup table syntax, see \fBregexp_table\fR(5) or
# \fBpcre_table\fR(5). For a description of the TCP client/server
# table lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is available in Postfix 2.5 and later.
#
# Each pattern is a regular expression that is applied to the entire
# address being looked up. Thus, \fIuser@domain\fR mail addresses are not
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is available in Postfix 2.5 and later.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# The following \fBmain.cf\fR parameters are especially relevant.
# The text below provides only a parameter summary. See
# \fBpostconf\fR(5) for more details including examples.
-# .IP \fBrelocated_maps\fR
-# List of lookup tables for relocated users or sites.
+# .IP "\fBrelocated_maps (empty)\fR"
+# Optional lookup tables with new contact information for users or
+# domains that no longer exist.
# .PP
# Other parameters of interest:
-# .IP \fBinet_interfaces\fR
-# The network interface addresses that this system receives mail on.
-# You need to stop and start Postfix when this parameter changes.
-# .IP \fBmydestination\fR
-# List of domains that this mail system considers local.
-# .IP \fBmyorigin\fR
-# The domain that is appended to locally-posted mail.
-# .IP \fBproxy_interfaces\fR
-# Other interfaces that this machine receives mail on by way of a
-# proxy agent or network address translator.
+# .IP "\fBinet_interfaces (all)\fR"
+# The network interface addresses that this mail system receives
+# mail on.
+# .IP "\fBmydestination ($myhostname, localhost.$mydomain, localhost)\fR"
+# The list of domains that are delivered via the $local_transport
+# mail delivery transport.
+# .IP "\fBmyorigin ($myhostname)\fR"
+# The domain name that locally-posted mail appears to come
+# from, and that locally posted mail is delivered to.
+# .IP "\fBproxy_interfaces (empty)\fR"
+# The network interface addresses that this mail system receives mail
+# on by way of a proxy or network address translation unit.
# SEE ALSO
# trivial-rewrite(8), address resolver
# postmap(1), Postfix lookup table manager
# In order to use SQLite lookups, define an SQLite source as a lookup
# table in main.cf, for example:
# .nf
-# alias_maps = sqlite:/etc/sqlite-aliases.cf
+# alias_maps = sqlite:/etc/postfix/sqlite-aliases.cf
# .fi
#
# The file /etc/postfix/sqlite-aliases.cf has the same format as
#
# NOTE: DO NOT put quotes around the result format!
# .IP "\fBdomain (default: no domain list)\fR"
-# This is a list of domain names, paths to files, or
-# dictionaries. When specified, only fully qualified search
+# This is a list of domain names, paths to files, or "type:table"
+# databases. When specified, only fully qualified search
# keys with a *non-empty* localpart and a matching domain
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
ALLOWLISTED
DENYLIST
DENYLISTED
+epilog
+prolog
+proto
+ICMP
--- /dev/null
+void void rewrite_proto stream
+ Strip trailing dot at end of domain but not dot dot or dot This
+ strip source routed addresses site site user domain
+transport_lookup transport_lookup finds the channel and nexthop for the given
+ Typically the nexthop specifies a hostname hostname TCP Port or the
+resolve_addr resolve_addr resolve address according to rule set
+ technically incorrect this is needed to stop user domain domain relay
+ needs white space but stuff stuff does not This is not a
+ where stuff stuff does not happen
+ Strip trailing dot at end of domain but not dot dot or at dot
+XXX XXX Short cut invalid address forms
+ Connect via TCP to domain domain port port The default
+ Connect via TCP to domain domain port port The default
+files files that are owned by the wrong user or files that have world write
+ name is is not defined
+ conditionally to value when name is is not
+MUMBLE_TODO MUMBLE_TODO flags must not be cleared once raised The _TODO_TO_PASS and
+psc_todo_tests psc_todo_tests overwrites all per session flag bits and
+ Either hand off the socket to a real SMTP engine or say bye bye
+char char context
+inet_pton inet_pton
+void void psc_early_tests state
+void void psc_smtpd_init void
+void void psc_smtpd_tests state
+ IP postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl 1 h
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ The event driven TLS I O implementation is founded on on line OpenSSL
+unused unused
+ IP f command command
+ IP q command command
+ IP Q command command
+ IP r command command
+ IP s command command
+ TCP port port Both host and port may be
+void void
+ reset_cmd_flags reset per command command flags
+ set_cmd_flags set per command command flags
+ Connect via TCP to host host port port The default
+ Connect via TCP to host host port port The default
+argv argv command
+time time of entry into active queue
+peer peer entries
+FD_SETSIZE FD_SETSIZE
+FD_SETSIZE FD_SETSIZE
+FD_SETSIZE FD_SETSIZE
+ var spool postfix incoming incoming queue
+ var spool postfix active active queue
+ var spool postfix deferred deferred queue
+time time of entry into active queue
+FD_SETSIZE FD_SETSIZE
+FD_SETSIZE FD_SETSIZE
+FD_SETSIZE FD_SETSIZE
+ var spool postfix incoming incoming queue
+ var spool postfix active active queue
+ var spool postfix deferred deferred queue
+XXX XXX
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+NOTREACHED NOTREACHED
+ If not connected to stdin stdin must not be a terminal
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ If not connected to stdin stdin must not be a terminal
+select select
+ If not connected to stdin stdin must not be a terminal
+ main main program
+this this first
+linkage linkage
+ Postfix master master cf file processing
+select select
+ If not connected to stdin stdin must not be a terminal
+ response to stress level changes Doing so would would contaminate
+ IP CA_MAIL_SERVER_EXIT void void
+ If not connected to stdin stdin must not be a terminal
+smtp_site_fail smtp_site_fail handles the case where the program fails to
+ We can t avoid copying copying lots of strings into VSTRING buffers
+binding binding properties passivated
+endpoint endpoint properties passivated
+safety safety
+XXX XXX
+ See src tls tls_level c and src tls tls h Levels above encrypt require
+smtp_rcpt_done smtp_rcpt_done
+smtp_rcpt_done smtp_rcpt_done
+smtp_rcpt_done smtp_rcpt_done
+ Ignore out of protocol enhanced status codes codes that accompany 3XX
+ IP name name
+void void
+FALLTHROUGH FALLTHROUGH
+HAS_PCRE HAS_PCRE
+HAS_PCRE HAS_PCRE
+ any any
+ typedef DICT DICT_OPEN_FN const char int int
+EDIT_FILE EDIT_FILE edit_file_open original_path output_flags output_mode
+void void
+nvtable_locate nvtable_locate returns a pointer to the entry that was stored
+legacy legacy
+ for symlinks owned by root NEVER NEVER make exceptions for symlinks
+ sanitize sanitize db_get put del result
+ simple attr attr name colon attr value newline
+void void htable_free table free_fn
+void void htable_walk table action ptr
+htable_locate htable_locate returns a pointer to the entry that was stored
+ IP CA_VSTREAM_POPEN_WAITPID_FN pid_t pid_t WAIT_STATUS_T int
+optimization optimization
+msg_fatal msg_fatal reports an unrecoverable error and terminates the program
+ compare compare the address family and network address or
+ numbers or number number ranges
+ v4pattern v4field v4field v4field v4field
+ v4pattern v4field v4field v4field v4field
+ v4pattern v4field v4field v4field v4field
+ v4seq_member v4octet v4octet v4octet
+ v4seq_member v4octet v4octet v4octet
+Corruption Corruption
+ main main program
+privileges privileges
+DICT_THASH_OPEN_RETURN DICT_THASH_OPEN_RETURN
+ Fatal errors cannot open file file write error out of memory
+found found
+found found
+XXX XXX maybe earlier
+XXX XXX
+ verified RedHat 3 03
+ Bits per byte byte in vector bit offset in byte bytes per set
+ echo echo text received on stdin
+ request request a bunch of timer events
+ Fatal errors cannot open file file write error out of memory
+found found
+found found
+ concatenate concatenate null terminated list of strings
+void void context
+void void binhash_free table free_fn
+void void binhash_walk table action ptr
+binhash_locate binhash_locate returns a pointer to the entry that was stored
+width width precision separator
+ and whitespace characters must be replaced by XX XX being the
+ and whitespace characters and the by XX XX being the two digit
+ Fatal errors cannot open file file write error out of
+privileges privileges
+ Example 00000000000000000000000000000001 01 80 10 80 lo
+ text text
+void void
+matched matched text
+SUNOS5 SUNOS5
+ casefold casefold text for caseless comparison
+ simple name string string simple name
+ attribute list attribute attribute attribute list
+ attribute list attribute attribute attribute list
+ attribute string string
+string string ISO Latin 1 character set except the character
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+ Example checking infrastructure for int int const int
+ Example variables with type int int const int
+int int int_val
+ host port host host
+host host port host host
+ host port host host
+ port port
+ host port host host
+ host port host host port port
+ host port host host port port
+ simple attr attr name null attr value null
+ IP CA_SLMDB_CTL_LONGJMP_FN void void int
+ IP CA_SLMDB_CTL_NOTIFY_FN void void int
+ IP CA_SLMDB_CTL_ASSERT_FN void void const char
+ DICT dict_static_open name name dict_flags
+buffer buffer length
+privileges privileges
+key key length
+ simple attr attr name attr value newline
+ attr name any string without null or or newline
+ var spool postfix maildrop maildrop queue
+ WARNING WARNING WARNING
+ WARNING WARNING WARNING
+lmdb lmdb supports concurrent writes and reads from different
+private private
+private private
+ var spool postfix private private class endpoints
+ var spool postfix public public class endpoints
+messages messages put on hold
+option option disables UTF 8 syntax checks on query keys and
+option option disables UTF 8 syntax checks on query keys and
+lmdb lmdb supports concurrent writes and reads from different
+peer peer
+void void
+XXX XXX
+ relay loopholes with user domain domain when relaying mail to a
+ Strip one trailing dot but not dot dot
+void void
+headers headers after multipart boundary
+ by XX XX being the two digit uppercase hexadecimal equivalent
+must must
+request request completed unsuccessfully
+DSN_BUF DSN_BUF dsb_create void
+DSN_SPLIT DSN_SPLIT dsn_split dp def_dsn text
+ that registers operators such as level level that compare
+ var_maillog_file var_maillog_file import_service_path 0
+ IP address address family information and the numerical TCP port
+privileges privileges
+void void rcpb_reset rcpb
+ The entire lookup key key
+DSN DSN dsn_create status action reason dtype dtext mtype mname
+ When specified with a flush request request that
+storage storage
+message message size
+ starts with or or the prefix which will be used
+ with or or the prefix which will be used to obtain
+strings strings with digits uppercase letters and lowercase
+safe_strtoul safe_strtoul implements similar functionality as strtoul
+ typedef LOGIN_SENDER_MATCH LOGIN_SENDER_MATCH
+LOGIN_SENDER_MATCH LOGIN_SENDER_MATCH login_sender_create
+void void anvil_clnt_free anvil_clnt
+privileges privileges
+ characters specified with special with x XX XX being
+0000 0000 0000 007 F 0x xxxxxx
+0000 0000 0000 007 F 0x xxxxxx
+ https github com aox aox blob master encodings utf cpp with
+FALLTHROUGH FALLTHROUGH
+ Detail format is digit digit 1 3 digit 1 3
+encoding encoding domain
+domain domain
+domain domain
+encoding encoding
+XXX XXX EAI inspect encoded message global
+domain domain
+MBOX MBOX mbox_open path flags mode st user group lock_style
+ incomplete address address rewriting alias expansion automatic BCC
+unquoted unquoted form then quoted
+ records data offset offset of the first REC_TYPE_NORM or REC_TYPE_CONT
+DELIVER_REQUEST DELIVER_REQUEST deliver_request_read stream
+MAIL_VERSION MAIL_VERSION mail_version_parse version_string why
+dict_xx_open dict_xx_open result
+ When specified with a flush request request that
+MAIL_STREAM MAIL_STREAM mail_stream_file queue class service mode
+ starts with or or the prefix which will be used to
+hosts hosts on which databases reside
+ or maptype mapname search name name The search
+ with or or the prefix which will be used to obtain
+the the message delivery record
+MKMAP MKMAP mkmap_open type path open_flags dict_flags
+BOUNCE_LOG BOUNCE_LOG bounce_log_open queue id flags mode
+ internal external external first
+context context for queue file changes
+sender sender transport
+SMFIM_EOH SMFIM_EOH SMFIM_EOM
+value value to string
+RE RE
+PCF_MASTER_ENT PCF_MASTER_ENT local_scope
+to to instantiate legacy per dbms parameters and to examine
+ tls_digest_encode encode message digest binary blob as xx xx
+logged logged
+logged logged
+ DNS at the dane dane only and half dane security levels or be
+void void tls_pre_jail_init TLS_ROLE
+TLS_ROLE TLS_ROLE role
+and and the protocol version floor ceiling given a list plist of
+ of the form name name hexvalue hexvalue If plist
+ of the form name name hexvalue hexvalue If plist
+XXX XXX We re ignoring the function name do we want to log it
+ If the match is required unambiguous insist that that no other values
+ etc postfix canonical canonical mapping table
+ etc postfix virtual virtual mapping table
+void void
+regions regions with body content
+SASLv2 SASLv2 s sasl_server_new takes two new parameters to specify local and
+SASLv2 SASLv2 s sasl_client_new takes two new parameters to specify local and
+ All 5xx replies must have a 5 xx xx detail code
+ Truncate hostnames ending in dot but not dot dot
+ Truncate hostnames ending in dot but not dot dot
+ Truncate hostnames ending in dot but not dot dot
+ Truncate names ending in dot but not dot dot
+200412 200412
+ Reject mail to unknown addresses in local domains domains that
+client client name
+stuff stuff
+counter counter
+Milter Milter initialization status
+USE_TLSPROXY USE_TLSPROXY
+address address family
+void void
+probed probed if non zero the time the currently outstanding address probe was
+ recipient lists and some MUAs even specify word word address
+VERP VERP
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+NOTREACHED NOTREACHED
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+key key
+ Fatal error error opening existing file
+void void bounce_cleanup_unregister void
+ Fatal error error opening existing file
+BOUNCE_TEMPLATES BOUNCE_TEMPLATES bounce_templates_create void
+void void bounce_templates_free templates
+ Fatal error error opening existing file
+ also showq showq c
+name name length
+BOUNCE_INFO BOUNCE_INFO bounce_mail_init service queue_name queue_id encoding
+ Fatal error error opening existing file
+more more useful and more consistent
+ Fatal error error opening existing file
+ Fatal error error opening existing file
+XXX XXX
+ int compar DNS_RR DNS_RR
--- /dev/null
+bind bind no
+bind bind sasl
+bind bind yes
+ command_directory command_directory
+ Content Disposition Type name es es e 2E
+ daemon_directory daemon_directory
+ data_directory data_directory
+done done
+ echo 0 Error unknown type type for path in meta postfix files 1 2
+ echo echo 0 Error name should be an absolute path name 1 2
+esac esac
+ eval echo n name name c
+ eval group group
+ eval owner owner
+example example com uucp example
+file contains only a small subset of all parameters parameters
+group group
+ html_directory html_directory
+ IP domain address address
+ IP pattern address address
+ IP user address address
+ IP user domain address address
+ mail_owner mail_owner
+ mailq_path mailq_path
+ manpage_directory manpage_directory
+ meta_directory meta_directory
+ newaliases_path newaliases_path
+ nisplus name s name name name column
+ postmap q nisplus name s name name inputfile
+ postmap q string nisplus name s name name
+postmaster postmaster root
+ queue_directory queue_directory
+ readme_directory readme_directory
+root root you
+ sample_directory sample_directory
+ sendmail_path sendmail_path
+ server_host ldap ldap example com 1444
+ setgid_group setgid_group
+ shlib_directory shlib_directory
+ user foo domain user domain domain
+virtual virtual alias domain anything right hand content does not matter
--- /dev/null
+ 1 000 000 messages with good performance unlikely above that limit
+ 10 10 Mandatory configuration file edits
+ 11 11 To chroot or not to chroot
+ 12 12 Care and feeding of the Postfix system
+14 rbl_domain rbl_reason rbl_reason
+168 100 189 2 255 255 255 224
+18 rbl_domain rbl_reason rbl_reason
+ 1 ffff ffff ffff ffff ffff ffff ffff ffff
+2001 240 587 0 2d0 b7ff fe88 2ca7 ffff ffff ffff ffff
+ 31 sasldb Accounts are stored stored in a Cyrus SASL Berkeley DB
+ 33 ldapdb Accounts are stored stored in an LDAP database
+ 4 yes yes yes never 100
+5 postmaster postmaster example com
+5 root root localhost
+6 abuse abuse example com
+80821 S 0 00 24 smtpd n smtp t inet u c o stress yes
+83326 S 0 00 28 smtpd n smtp t inet u c o stress
+84345 Ss 0 00 11 usr bin perl usr libexec postfix smtpd policy pl
+ 8 SENDMAIL usr sbin sendmail G i NEVER NEVER NEVER use t here
+address localpart as per RFC 822 so that additional or or
+all all Maximum per destination delivery concurrency
+and cost cost 1 times more than if the preemptive scheduler was
+ and sneak in the ten recipient mail Wait wait wait Could we Aren t
+ aNULL aNULL kEECDH kEDH RC4 eNULL EXPORT LOW STRENGTH
+Arrival Date Sun 26 Nov 2006 17 01 01 0500 EST
+attacks with user domain domain addresses when Postfix provides
+authzTo authzTo dn regex uniqueIdentifier ou people dc example dc com
+ AUXLIBS AUXLIBS options for LDAP or TLS etc
+blockquote blockquote
+ broken smtp smtp o smtp_quote_rfc821_envelope no
+ccert_fingerprint C2 9D F4 87 71 73 73 D9 18 E7 C2 F3 C1 DA 6E 04
+command_directory command_directory
+ concurrency concurrency limit
+config_directory config_directory
+daemon_directory daemon_directory
+data_directory data_directory
+Date Sun 26 Nov 2006 17 01 01 0500 EST
+dd dd Alternatively check_ccert_access accepts an explicit search
+dd dd check_ccert_access type table search_order cert_fingerprint
+dd dd The commas are optional dd
+dd dd The default algorithm is b sha256 b with Postfix ge 3 6
+ dd No TLS TLS will not be used unless enabled for specific
+Dec 4 04 30 09 hostname postfix smtpd 58549 NOQUEUE reject
+ default_transport uucp uucp gateway
+ different client IP addresses Lookup results override the the global
+Documentation Documentation is available as README files start with the file
+done done
+done done
+ dt b a name check_address_map check_address_map a i a href DATABASE_RE
+ dt b a name check_ccert_access check_ccert_access a i a href DATABASE_
+ dt b a name check_client_a_access check_client_a_access a i a href DAT
+ dt b a name check_client_access check_client_access a i a href DATABAS
+ dt b a name check_client_mx_access check_client_mx_access a i a href D
+ dt b a name check_client_ns_access check_client_ns_access a i a href D
+ dt b a name check_etrn_access check_etrn_access a i a href DATABASE_RE
+ dt b a name check_helo_a_access check_helo_a_access a i a href DATABAS
+ dt b a name check_helo_access check_helo_access a i a href DATABASE_RE
+ dt b a name check_helo_mx_access check_helo_mx_access a i a href DATAB
+ dt b a name check_helo_ns_access check_helo_ns_access a i a href DATAB
+ dt b a name check_policy_service check_policy_service i servername i a
+ dt b a name check_recipient_a_access check_recipient_a_access a i a hre
+ dt b a name check_recipient_access check_recipient_access a i a href D
+ dt b a name check_recipient_mx_access check_recipient_mx_access a i a h
+ dt b a name check_recipient_ns_access check_recipient_ns_access a i a h
+ dt b a name check_sasl_access check_sasl_access a i a href DATABASE_RE
+ dt b a name check_sender_a_access check_sender_a_access a i a href DAT
+ dt b a name check_sender_access check_sender_access a i a href DATABAS
+ dt b a name check_sender_mx_access check_sender_mx_access a i a href D
+ dt b a name check_sender_ns_access check_sender_ns_access a i a href D
+ dt b a name defer defer a b dt
+ dt b a name defer_if_permit defer_if_permit a b dt
+ dt b a name defer_if_reject defer_if_reject a b dt
+ dt b a name defer_unauth_destination defer_unauth_destination a b dt
+ dt b a name no_address_mappings no_address_mappings a b dt
+ dt b a name no_header_body_checks no_header_body_checks a b dt
+ dt b a name no_milters no_milters a b dt
+ dt b a name no_unknown_recipient_checks no_unknown_recipient_checks a b
+ dt b a name permit_auth_destination permit_auth_destination a b dt
+ dt b a name permit_dnswl_client permit_dnswl_client i dnswl_domain d d d d
+ dt b a name permit_inet_interfaces permit_inet_interfaces a b dt
+ dt b a name permit_mx_backup permit_mx_backup a b dt
+ dt b a name permit_mynetworks permit_mynetworks a b dt
+ dt b a name permit permit a b dt
+ dt b a name permit_rhswl_client permit_rhswl_client i rhswl_domain d d d d
+ dt b a name permit_sasl_authenticated permit_sasl_authenticated a b dt
+ dt b a name permit_tls_all_clientcerts permit_tls_all_clientcerts a b
+ dt b a name permit_tls_clientcerts permit_tls_clientcerts a b dt
+ dt b a name reject_invalid_helo_hostname reject_invalid_helo_hostname a
+ dt b a name reject_multi_recipient_bounce reject_multi_recipient_bounce a
+ dt b a name reject_non_fqdn_helo_hostname reject_non_fqdn_helo_hostname a
+ dt b a name reject_non_fqdn_recipient reject_non_fqdn_recipient a b dt
+ dt b a name reject_non_fqdn_sender reject_non_fqdn_sender a b dt
+ dt b a name reject_plaintext_session reject_plaintext_session a b dt
+ dt b a name reject_rbl_client reject_rbl_client i rbl_domain d d d d i
+ dt b a name reject reject a b dt
+ dt b a name reject_rhsbl_client reject_rhsbl_client i rbl_domain d d d d
+ dt b a name reject_rhsbl_helo reject_rhsbl_helo i rbl_domain d d d d i
+ dt b a name reject_rhsbl_recipient reject_rhsbl_recipient i rbl_domain d d
+ dt b a name reject_rhsbl_reverse_client reject_rhsbl_reverse_client i rbl_
+ dt b a name reject_rhsbl_sender reject_rhsbl_sender i rbl_domain d d d d
+ dt b a name reject_sender_login_mismatch reject_sender_login_mismatch a
+ dt b a name reject_unauth_destination reject_unauth_destination a b dt
+ dt b a name reject_unauth_pipelining reject_unauth_pipelining a b dt
+ dt b a name reject_unknown_client_hostname reject_unknown_client_hostname
+ dt b a name reject_unknown_helo_hostname reject_unknown_helo_hostname a
+ dt b a name reject_unknown_recipient_domain reject_unknown_recipient_domain
+ dt b a name reject_unknown_sender_domain reject_unknown_sender_domain a
+ dt b a name reject_unlisted_recipient reject_unlisted_recipient a b wi
+ dt b a name reject_unlisted_sender reject_unlisted_sender a b dt
+ dt b a name reject_unverified_recipient reject_unverified_recipient a b
+ dt b a name reject_unverified_sender reject_unverified_sender a b dt
+ dt b a name sleep sleep i seconds i a b dt
+ dt b a name warn_if_reject warn_if_reject a b dt
+dt dt b i a href DATABASE_README html type table a i b dt
+dt dt b i number i i number i b dt
+ dt dt dd 0 Disable logging of TLS activity dd
+ dt dt dd 1 Log only a summary message on TLS handshake completion
+ dt dt dd 2 Also log levels during TLS negotiation dd
+ dt dt dd 3 Also log hexadecimal and ASCII dump of TLS negotiation
+ dt dt dd 4 Also log hexadecimal and ASCII dump of complete
+ dude dude example com
+ eliminates the latency of the TCP handshake SYN SYN ACK ACK
+ example com uucp uucp host
+ example MAIL RCPT BDAT BDAT MAIL RCPT BDAT without ever having to
+ export MANPATH MANPATH pwd man MANPATH
+fe80 1 2d0 b7ff fe88 2ca7 ffff ffff ffff ffff
+fe80 5 1 ffff ffff ffff ffff
+file allows for robust handling of temporary delivery errors errors
+Filtered Filtered
+for the file name when a pattern is a type table table specification
+from host example com 192 168 0 2 TLSv1 with cipher cipher name
+generic generic a restrictions These restrictions are applicable in
+ groups msn com 63 2 1 2 4 4 14 14 14 8 0
+ highvolume com 4000 160 160 320 640 1280 1440 0 0 0 0
+host host port host port address or address port the form
+ http www umich edu dirsvcs ldap ldap html or OpenLDAP
+ id 84863BC0E5 Sun 26 Nov 2006 17 01 01 0500 EST
+ if concurrency concurrency limit
+ ifconfig en0 alias address netmask 255 255 255 255
+ inet_addr_local inet_addr_local configured 2 IPv4 addresses
+ inet_addr_local inet_addr_local configured 4 IPv6 addresses
+insiders_only insiders_only check_sender_access hash etc postfix insiders reject
+in the form of a domain name hostname hostname port hostname port
+into memory such as pcre regexp or texthash texthash is similar
+ jane jane janes preferred machine
+ joe joe joes preferred machine
+ Line 8 NEVER NEVER NEVER use the t command line option here It
+listname listname request
+ lists sourceforge net 2313 2313 0 0 0 0 0 0 0 0
+local local 8
+local_only local_only
+maildrop maildrop
+maildrop maildrop owner cn root dc your dc com
+make make makefiles CC opt ansic bin cc Ae HP UX
+make make makefiles CC purify cc
+ man man man5 postconf 5 less
+master_service_disable foo inet inet
+multi_instance_enable multi_instance_enable
+multi_instance_group multi_instance_group
+multi_instance_name multi_instance_name
+mydestination myhostname localhost mydomain mydomain
+ mydomain to an incomplete address address rewriting alias
+mynetworks mynetworks 127 0 0 0 8 168 100 189 0 28 1 128 fe80 10 2001 240 587
+mynetworks mynetworks hash etc postfix network_table
+Name lt user example com gt gt i Postfix will ignore the i User
+ name name port name or name port
+ NOTE Postfix 3 6 also introduces support for the level level
+number number ranges Postfix version 2 8 and later If no
+numbers or number number ranges Postfix version 2 8 and later
+one or more separated numbers or number number ranges
+ openssl req new key key
+or more separated numbers or number number ranges p
+or number number ranges Postfix version 2 8 and later If no
+ ownership of system directories such as etc usr usr bin var
+ PARAM postscreen_dnsbl_max_ttl postscreen_dnsbl_ttl postscreen_dnsbl_ttl
+ patterns list multiple domain names as domain domain
+ p Note 2 address information may be enclosed inside tt tt
+ postfix 12345 12345 postfix no where no shell
+ Postfix 2 3 2 5 to hang up on clients that that match
+ Postfix has TWO sets of mail filters filters that are used for
+Postfix Postfix can use an LDAP directory as a source for any of its lookups
+ Postfix Postfix passes the status back to the remote SMTP
+ Postfix Postfix will send the mail back to the sender address
+pre pre
+query_filter mailacceptinggeneralid s maildrop maildrop
+queue_directory queue_directory
+Received from localhost localhost 127 0 0 1
+Received Received from porcupine org
+rejected rejected recipients are available on request by the Milter
+ rewrite 8 none none
+ Say we have ten recipient mail followed by two two recipient mails If
+ separated numbers or number number ranges If no
+smtpd_recipient_restrictions smtpd_recipient_restrictions
+smtpd_relay_restrictions smtpd_relay_restrictions
+smtpd_relay_restrictions smtpd_relay_restrictions
+ smtpd_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
+smtpd_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
+ smtp smtp o smtp_bind_address 11 22 33 44
+ smtp smtp o smtp_bind_address6 1 2 3 4 5 6 7 8
+ smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
+smtp_tls_mandatory_protocols SSLv2 SSLv3 TLSv1 TLSv1 1
+ SSLv3 TLSv1 TLSv1 1 TLSv1 2 and TLSv1 3 Starting with
+ T 5 10 20 40 80 160 320 640 1280 1280
+ T A 5 10 20 40 80 160 320 320
+ The and match and literally Without the the
+ The matches literally Without the the would
+Therefore 301 0301 0x301 and 0x0301 are all equivalent to
+ The syntax of name value value name value and name value
+the the backed up domain tld domain This prevents your mail queue
+ tls_random_source dev dev urandom
+ tls_random_source dev dev urandom
+tls_random_source dev dev urandom
+TLS TLS support in the LMTP delivery agent
+ TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
+ to flush flush 8 Deferred
+to host example com 192 168 0 2 25 TLSv1 with cipher cipher name
+ to server example TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
+ TOTAL 5000 200 200 400 800 1600 1000 200 200 200 200
+transport transport
+ tt tt in the authorized_verp_clients value and in files
+ tt tt in the mynetworks value and in files specified with
+ tt tt in the smtpd_authorized_verp_clients value and in
+ tt tt in the smtpd_authorized_xclient_hosts value and in
+ tt tt in the smtpd_authorized_xforward_hosts value and in
+ tt tt in the smtpd_client_event_limit_exceptions value and
+ tt tt in the smtpd_sasl_exceptions_networks value and in
+ tt tt p
+two two recipient mails
+ uid cn cn auth
+Unfiltered Unfiltered
+ unknown recipients in local domains domains that match mydestination
+ Use blockquote pre pre blockquote for examples
+ Use pre pre for the Examples section at the end
+username username
+ user sourceforge net 7678 7678 0 0 0 0 0 0 0 0
+ using TLSv1 3 with cipher TLS_AES_256_GCM_SHA384 256 256 bits
+ using TLSv1 with cipher cipher name
+var var spool and so on This is especially an issue if you executed
+With the standard operators lt lt etc compatibility
+ yes yes yes never 100
+zombie zombie tlsproxy 8 smtpd 8
+ and 1 000 000 messages with good performance unlikely above that
+dt dt b name value b Postfix ge 3 0 dt
+ dt dt dd 3 Also log the hexadecimal and ASCII dump of the
+ dt dt dd 4 Also log the hexadecimal and ASCII dump of complete
+ parametername stress something something Other
+ p Note on OpenBSD systems specify dev dev arandom when dev dev urandom
--- /dev/null
+Aarnio
+abcd
+ABI
+ABNF
+abounce
+accessor
+ack
+acked
+acknowledgement
+acl
+ACL
+adaptor
+ADDCH
+adddr
+addenv
+addn
+Addr
+addrbuf
+ADDRFAMILY
+addrinfo
+ADDRINFO
+addrs
+adefer
+adelay
+adhoc
+adomain
+aes
+af
+AFS
+Aho
+ai
+aierr
+AIX
+al
+alg
+algbits
+algcode
+allalnum
+allascii
+allbits
+alldig
+Allgemeine
+ALLOC
+allocator
+Allowlist
+allowlisting
+ALLPERMS
+ALLPKTS
+allprint
+Allright
+allspace
+alphanum
+alphanumerics
+androsyn
+aox
+ap
+api
+APIs
+appl
+APPL
+ar
+arg
+argc
+Argh
+argi
+argl
+argp
+Args
+ARGS
+ARGV
+argvp
+arpa
+ARPA
+aRv
+ascii
+aslo
+ast
+async
+atol
+atrace
+ATTR
+attrp
+attrs
+atype
+Auch
+auths
+autoclass
+Autodetect
+Autodetection
+automagically
+AUTOUTF
+AUXULIARY
+AWK
+Axel
+Backoff
+BADFLAGS
+BADHINTS
+balpar
+basename
+Basename
+bdat
+BDAT
+bdehnoqv
+BDFORXhqu
+beh
+bfFhimnNoprsuUvw
+BH
+BINARYMIME
+binhash
+BINHASH
+BIOs
+bitclean
+BITCLEAN
+bitmasks
+bitrot
+Bitrot
+bitset
+bitwise
+Bitwise
+blackholes
+blocklisted
+bona
+bool
+BOOL
+booleans
+br
+bsmtp
+BST
+buf
+BUF
+BUFIZ
+buflen
+bufp
+BUFSIZ
+bufsize
+BUFSIZE
+bufstat
+bugtraq
+byuid
+bzero
+cachable
+cacheable
+canonicalization
+canonicalize
+Canonicalize
+canonicalized
+CANONNAME
+CAPTURECOUNT
+carriagecontrol
+carriagereturn
+Carsten
+CASEF
+Casefold
+casefolded
+casefoldx
+casemapped
+cC
+ccerts
+cdbm
+CDBM
+cdbq
+CDE
+certkey
+certmatch
+cfg
+CFG
+chainfiles
+ChangeCipherSpec
+charactersets
+charset
+checkdir
+Chroot
+CHROOT
+chrooting
+Ciphersuite
+cleanenv
+clearerr
+clist
+clnt
+CLNT
+clobbber
+closefrom
+closelog
+CLR
+clumsify
+cmalloc
+cmd
+CMD
+cmdp
+cmds
+cmp
+cmsg
+CMSG
+CNAMEs
+codepoint
+Codepoint
+codepoints
+colocated
+comingle
+compar
+COMPAT
+comsat
+COND
+CONF
+conn
+const
+Const
+conv
+cooldown
+Coverity
+cpio
+cpp
+cptr
+CPTR
+CPUs
+CREAT
+CRLF
+ctable
+CTABLE
+ctext
+ctime
+ctl
+CTL
+ctype
+CUID
+curr
+cvt
+CWD
+cz
+da
+datagram
+datagrams
+datalink
+dbms
+dbopen
+dbpath
+DCL
+dcs
+Dditvw
+dealloc
+deallocate
+deallocates
+deallocating
+deallocation
+debian
+decapsulate
+DECnet
+decrypt
+decryptable
+decrypted
+decrypting
+DEFL
+DEFLT
+deflts
+DEFNAME
+DEFNAMES
+DEFPATH
+defport
+DEFS
+defval
+del
+delim
+delims
+deliverability
+delrcpt
+DELRCPT
+denylisting
+dequote
+dereference
+dereferencing
+deserialization
+Dest
+DEST
+DESTADDR
+DESTPORT
+destructor
+df
+DFFF
+dfhHnopvx
+DFL
+DFXP
+dgram
+DGRAM
+DHparams
+dhs
+Dik
+dirent
+dirname
+dirs
+DISCONN
+DJB
+DJBDNS
+DJB's
+dlen
+dlfunc
+DLL
+DNSBLOG
+DNSBNL
+dNSName
+DNSRCH
+dnsxl
+DNSXL
+dom
+dont
+DONT
+doproto
+DORX
+dotforward
+dp
+Driehuis
+dsb
+DSB
+dsbuf
+DSNs
+dst
+dtext
+DTEXT
+DTXT
+dtype
+DTYPE
+dumpfile
+dup
+DUP
+DUPFD
+dups
+dymap
+EACCES
+EADDRINUSE
+EAGAIN
+EBADF
+ec
+ECONNABORTED
+ECONNREFUSED
+ECONNRESET
+eddd
+EDQUOT
+ee
+EEXIST
+EFBC
+EFBDA
+EFBIG
+egid
+Eindhoven
+EINTR
+EINVAL
+Elektrotechnik
+elif
+else's
+elsize
+empt
+emptive
+Emtpy
+emul
+ENDIF
+ENDIFs
+endp
+endpt
+ENOBUFS
+ENOENT
+ENOMEM
+ENOSPC
+ENOTCONN
+ent
+ENT
+entrancy
+enum
+ENUM
+env
+ENV
+ENVFROM
+envid
+ENVID
+ENVRCPT
+eob
+EOB
+eod
+eof
+EOL
+eother
+EOVERFLOW
+EPERM
+epilog
+EPIPE
+EPROTO
+epv
+eq
+EQ
+ERANGE
+errno
+errstr
+Eschborn
+especials
+ESTALE
+et
+ETIMEDOUT
+eugid
+EUGID
+euid
+EV
+eval
+EVAL
+EVP
+EXCHANGER
+exchangers
+execvp
+expar
+EXPN
+expr
+EXPR
+extern
+extpar
+EXTPAR
+FALLTHROUGH
+FALLTRHOUGH
+fam
+Fawcett
+fbck
+fchmod
+fclose
+FCNTL
+fdclose
+FDD
+FDEF
+fdopen
+fds
+fdtable
+feof
+ferror
+FFDHE
+FFF
+FFFE
+FFFF
+fflush
+fg
+fgetc
+fgets
+fh
+fhHovx
+fi
+fide
+fifo
+FIFOs
+filedes
+fileno
+filesystem
+filesystems
+filt
+FILT
+findenv
+fixme
+Fixme
+FLD
+fmt
+fn
+FN
+FoldCase
+fopen
+forcetlsa
+FOREACH
+formatter
+formfeed
+Forststrasse
+fovx
+fp
+fprint
+fprintf
+fpt
+fpurge
+fputc
+fputs
+fread
+freeaddrinfo
+fron
+fscanf
+fsck
+fseek
+fset
+fsops
+fsspace
+fsstone
+fstat
+fsync
+ftell
+ftime
+ftimeout
+ftimeval
+ftruncate
+fu
+fullname
+fullwidth
+func
+FUNC
+futimes
+fwi
+fwrite
+gai
+GECOS
+Geoff
+GETC
+GETCHAR
+getegid
+getenv
+geteuid
+getgrnam
+gethostbyaddr
+GETHOSTBYNAME
+getnameinfo
+GETNAMEINFO
+getopt
+GETOPT
+getpid
+getpw
+getsockopt
+gettimeofday
+getuid
+ghostgun
+giasbm
+gid
+GID
+ging
+github
+GLIBC
+glibc's
+globals
+gmtoff
+gn
+Goedel's
+goto
+GOTO
+gotsigchld
+gotsighup
+grey
+groupid
+grr
+Grr
+halfdane
+halfwidth
+handoff
+HaProxy
+hardlink
+hardlinks
+hbc
+HBC
+hc
+hdr
+HDR
+hdrs
+HDRS
+hdrval
+HelloRetryRequest
+helohost
+herror
+hexdump
+hexvalue
+hfrom
+HFROM
+HGMP
+Hinxton
+HMAC
+honoured
+hostaddr
+HOSTADDR
+hostmumble
+Hostname
+HOSTNAME
+hostport
+hostrr
+hport
+HPUX
+HRR
+htable
+HTABLE
+htonl
+htons
+https
+HUP
+ial
+icgroup
+ICT
+IDENT
+ideographic
+idna
+IDNA
+ifdefs
+IFF
+ifinet
+IFINET
+IFMT
+ifself
+IGN
+illumos
+IMPL
+INADDR
+incr
+INCR
+indexable
+Indexable
+indirections
+ing
+INIT
+initializations
+initializer
+inj
+Inlined
+inlining
+instantiation
+interruptible
+intra
+INTV
+intval
+inum
+INVAL
+ioctls
+iostuff
+iov
+iovlen
+ipaddr
+IPD
+ipmatch
+IPPROTO
+isalnum
+ISALNUM
+isascii
+ISASCII
+iscntrl
+isjmp
+ISMARKED
+isprint
+ISSET
+issetuid
+ISSOCK
+ISXXX
+iter
+ITER
+iterator's
+iterators's
+itty
+Jaenicke
+jbuf
+JCL
+jeffm
+JIT
+jmp
+johhny
+jq
+json
+JSON
+KAME
+Karlsruhe
+kB
+Keean
+keepalive
+keepalives
+Kellerspeicherpegelanzeiger
+Kernighan
+keyfile
+keyname
+Kilani
+killme
+Kirch
+koobera
+Kouhei
+Krahmer
+lastl
+latencies
+lateron
+ldapone
+LDH
+len
+LEV
+leven
+lex
+lexicals
+lf
+lflags
+libbind
+LIBC
+libdata
+libfuncs
+libmaster
+libmemcache
+Libmilter
+libname
+libresolv
+libtls
+libunbound
+libutil
+lims
+lineno
+liveness
+lnsl
+LOCALDOMAIN
+LOCALPART
+Logfile
+Logfiles
+logmask
+logopts
+logrotate
+logtag
+logwriter
+LOGWRITER
+LONGJMP
+longjump
+Lookups
+lowfd
+lowfrom
+lposix
+lseek
+lsm
+LSM
+lsocket
+lstat
+Lstat
+ltype
+lvalue
+lvalues
+lx
+LY
+macrps
+MAILLOG
+makedef
+malloc
+mallocs
+mapnames
+MAPNAMES
+mapsize
+maptypes
+masq
+masterp
+matchlist
+Matti
+maxdepth
+maxlen
+MAXLEN
+MaxProtocol
+MAXSEG
+maxsize
+mbox
+MBOX
+mdalg
+mdb
+MDB
+MECH
+Meer
+memcaches
+memcat
+memchr
+memcmp
+memcpy
+memmove
+memopen
+memreopen
+memset
+MERCHANTABILITY
+mesg
+MESG
+midna
+MILTER
+milter's
+MILTERS
+MinProtocol
+minrate
+minssf
+Mis
+misconfiguration
+mkdirs
+mkfifo
+mkmap
+MKMAP
+mmap
+MMNNFFPPS
+mname
+MNAME
+Montegancedo
+MQID
+MRU
+msgs
+msk
+mss
+MSS
+mtp
+MTU
+mtype
+MTYPE
+MUL
+multf
+multibyte
+multiline
+multiserver
+multivalued
+mutexes
+Muuss
+MVCC
+mvect
+MVECT
+mxrr
+MXs
+myaddrinfo
+mydest
+mydomainname
+myflock
+MYFLOCK
+myfree
+mygroup
+mymalloc
+mymemdup
+mypasswd
+mypwcache
+mypwd
+mypwenter
+mypwfree
+mypwnam
+mypwuid
+myrand
+myrealloc
+mysqlsource
+mysrand
+mystrdup
+mystrndup
+mystrtok
+mystrtokdq
+mystrtokq
+na
+Nagle
+Nagle's
+nam
+namaddr
+namadr
+NAMADR
+namechecks
+NAMELEN
+namelength
+nameser
+namespace
+namespaces
+nameval
+NAMEVAL
+namme
+nasties
+natively
+NATs
+nbbio
+NBBIO
+nbool
+NBOOL
+nbytes
+nc
+ncache
+Ncache
+NCACHE
+nd
+ndbm
+ndr
+nelm
+netblock
+netdb
+NetInfo
+Netstring
+NETSTRING
+netstrings
+newcontext
+newd
+newpath
+newqeueid
+newqueueid
+newtls
+nexhop
+NeXT
+NEXTHOP
+nexthops
+nf
+Nfinoprsuvw
+NFS
+ni
+nid
+NID
+nids
+nint
+NINT
+nlink
+nlinks
+nnn
+NOCLOSE
+NODELAY
+nodename
+noexcept
+NOEXT
+noforward
+NOKEY
+NOLOCK
+NOMEMINIT
+NONAME
+NONDEF
+nonl
+noop
+Noop
+nop
+NOP
+NORETURN
+normalizer
+NOSUB
+notfound
+NOTFOUND
+NOTHROTTLE
+NOTREACHED
+nowait
+NOWAIT
+np
+nparts
+nr
+Nr
+nscd
+ntls
+ntohs
+ntop
+NUL
+nulll
+nullmx
+nullMX
+NULLMX
+num
+NUMERICHOST
+nvtable
+NVTABLE
+nxxx
+oact
+Oaktree
+oconv
+offsetof
+OID
+oldd
+oldlog
+oldstyle
+oname
+OpenLDAP's
+openlog
+operability
+OPs
+OPTNEG
+orcpt
+ORCPT
+ord
+ot
+ourself
+overallocate
+ownreq
+ozz
+padchar
+padlen
+pagein
+pageout
+PARAM
+parametername
+params
+PARAMS
+paren
+parens
+parm
+parsable
+parseline
+parsers
+Pashkov
+passivate
+Passivate
+passivated
+passivation
+pathame
+Pathname
+pathp
+patrik
+pcf
+PCF
+pclose
+pcs
+PDDMDS
+pdelay
+PDMS
+pedantism
+peekfd
+peercert
+permited
+pfxs
+PGRES
+PGresult
+pgsqlsource
+Pieter
+Pipelining
+PKCS
+PKEY
+PKIX
+PLAINTEXT
+Plauger
+plist
+plmysql
+PLMYSQL
+plpgsql
+PLPGSQL
+PMilter
+Pn
+pname
+POB
+popen
+POPEN
+portnum
+PORTP
+pos
+posix
+Posix
+postcondition
+Postcondition
+postexpire
+POSTFIX
+postgresql
+Postgresql
+Postlog
+postlogd
+Postprocessing
+postremove
+postrename
+postrmdir
+posttls
+PPTR
+PQescapeString
+PQescapeStringConn
+prabhat
+PRE
+precedences
+pred
+predefines
+prefetch
+prefi
+pregreet
+PREGREET
+pregreeting
+preimage
+Preload
+prepended
+prepending
+Prepending
+prepends
+preprocessed
+Preprocessing
+PREREQ
+prescan
+printfck
+PRINTFLIKE
+PRINTFPTRLIKE
+PRNGD
+PROC
+procname
+procnet
+PROCNET
+progname
+programmatically
+prolog
+proto
+Proto
+protomask
+prototyped
+PROX
+proxied
+Proxied
+PROXYING
+Proxymappers
+psc
+PSC
+pseudofield
+pseudothread
+pseudothreads
+PSS
+psSv
+PTHREAD
+pton
+PTRs
+pushback
+PUTC
+PUTCHAR
+putenv
+pv
+qfile
+qflags
+qI
+qIqueueid
+qname
+qnameval
+qsort
+QSTRING
+ratbox
+raxoft
+rcode
+RCODE
+rcpb
+RCPTs
+rdb
+rdev
+rdonly
+RDONLY
+rdwr
+RDWR
+readdir
+readline
+readlline
+readllines
+readwrite
+realloc
+recdump
+recip
+RECIP
+reclen
+reconnection
+recurse
+Recurse
+RECURSE
+Recurses
+recursing
+recv
+RECV
+Redhat
+Redistributions
+reentrancy
+REENTRANCY
+reentrant
+refcounts
+refesh
+regerror
+reget
+REGSUB
+relop
+RELOP
+relops
+rendez
+repl
+replayer
+replycode
+representable
+requestor
+requestors
+requeuing
+resflags
+responder
+restartable
+resync
+resynchronize
+ret
+RET
+retransmission
+retransmit
+retryable
+retval
+revalidate
+revalidated
+rewriter
+rfind
+rflag
+rflags
+rh
+RHS
+RHSBL
+rhswl
+RHSWL
+Ribbens
+rl
+RLIM
+RMTA
+rname
+RO
+Roel
+roques
+roundtrips
+rp
+RPCs
+RQST
+rr
+RRDATA
+rrlist
+RRSIG
+rtnetlink
+ruleset
+RWR
+sa
+salen
+SAML
+sanitization
+Santize
+sb
+SCACHE
+SCANFLIKE
+SCCS
+Schoenmakers
+Schupke
+scott
+screener
+sdelay
+SDK's
+seach
+seekable
+selectable
+sendfd
+sendmsg
+sep
+serv
+SERV
+serverid
+serverout
+servers's
+servicename
+servname
+SERVNAME
+SERVPORT
+sess
+SESS
+setegid
+Setenv
+seteuid
+setgroups
+Sethi
+setrlimit
+setsid
+setsockopt
+setuid
+sgid
+sig
+SIG
+sigaction
+sigaddset
+SIGALRM
+sigchld
+SIGCHLD
+sigdeath
+sigdelay
+sigemptyset
+sighup
+SIGILL
+siginit
+SIGINT
+SIGKILL
+signum
+SIGPIPE
+sigprocmask
+SIGQUIT
+sigresume
+SIGSEGV
+sigset
+sigsetup
+sigval
+silenty
+siocgif
+SIOCGIFCONF
+SIOCGIFNETMASK
+siocglif
+SIOCGLIFCONF
+SIOCGLIFNETMASK
+SIOCLIF
+sizeof
+skipblanks
+sl
+SLMDB
+SLMs
+smap
+SMFIF
+SMFIM
+sni
+SOA
+sockaddr
+SOCKADDR
+Socketmap
+socketmapname
+socketmaps
+socketpair
+socklen
+sockmap
+socktype
+SOCKTYPE
+sofar
+softerror
+softlinks
+SOML
+soname
+sp
+SPARC
+spawner
+Spead
+SPID
+splitq
+splitter
+sqlitecon
+sqrt
+SRC
+srv
+srvr
+sscanf
+SSF
+ssize
+ssscanf
+stackable
+starttime
+STATCUR
+STATFAIL
+statp
+STATUNTRIED
+StatusOr
+statusp
+stdarg
+stderr
+STDERR
+STDIN
+stdout
+STDOUT
+steenkeeng
+stmt
+str
+STR
+strcasecmp
+strcat
+strcpy
+streamlf
+STREAMLF
+STREQ
+strerror
+STRERROR
+strflags
+strftime
+stringops
+strlen
+STRLEN
+strncasecmp
+strncat
+strncpy
+strrecord
+STRREF
+strspn
+strtol
+strtoul
+strtype
+struct
+structs
+strval
+STS
+stuffozz
+stye
+subclasses
+subcommand
+subdirectories
+Subdirectory
+subjectAltName
+subjectAltNames
+sublist
+sublists
+Subnet
+subnets
+subopen
+subpatterns
+Substring
+substrings
+subtype
+subtypes
+succ
+sudo
+sunislelodge
+superblocks
+superset
+supprt
+Sutou
+SVID
+swb
+Symas
+symlinked
+symlink's
+symlinks
+syscall
+SYSCALL
+sysconf
+Syslog
+syslogged
+syslogging
+sysv
+TAAAA
+tailp
+tas
+teardown
+Tempfail
+tempfailed
+testcase
+testname
+th
+tha
+thash
+THASH
+theadsafe
+threadsafe
+thusly
+timecmp
+timeval
+timval
+tindx
+tItp
+tkt
+TLScontext
+tlsext
+tlsfinger
+tlsmgrmem
+tlsmgr's
+tlsp
+TLSP
+TLSPKTS
+TLSPROXY
+TLVs
+tm
+tmpbuf
+ToASCII
+TOCTOU
+Todo
+TODO
+TOFILE
+tok
+TOK
+tokenize
+Tokenize
+tokenizer
+tokenizes
+tokenizing
+tokval
+toUTF
+tp
+translit
+transp
+TRANSP
+treibsand
+tresspassers
+trimblanks
+trivally
+TRNC
+TRUNC
+TRUSTAD
+trustfile
+TTL
+TTLs
+tty
+tunable
+Tunable
+Tunables
+tv
+txn
+TXT
+Typechecking
+TYPECONNSTRING
+typedef
+typedefs
+TYPEINET
+TYPEUNIX
+ucasemap
+uchar
+UDP
+ug
+ugid
+uic
+uidna
+UIDNA
+UIDs
+uint
+ULIMIT
+Ullman
+ulong
+ULONG
+ultostr
+Ultrix
+ulval
+un
+unalias
+uname
+UNAUTH
+unbuffered
+uncache
+Uncomment
+undef
+UNDEF
+Undefine
+Undeliverable
+unescape
+UNFAIL
+unformatted
+unget
+ungetc
+Unhandled
+unicode
+unimpl
+uniq
+unistd
+unitialized
+Universitaetsplatz
+UnixWare
+unk
+unlink
+Unlink
+unlinked
+unlinking
+unlockfile
+unmark
+Unmark
+unmarks
+Unoptimized
+Unparsable
+unparse
+unparsed
+unparser
+unparsing
+UNPROTO
+unprototyped
+unregister
+unregistering
+unregisters
+unselect
+unselected
+unsetenv
+unsets
+UNSPEC
+unterminated
+unthrottle
+Unthrottle
+UNTHROTTLE
+UNTRUSTED
+upass
+upd
+updatable
+UPDATABLE
+Upref
+uprefs
+URI
+URIs
+url
+useauto
+usebits
+usec
+usleep
+USR
+utf
+utime
+UTS
+uva
+uxtext
+va
+valgrind
+validator
+VALIDATOR
+variadic
+vbuf
+VBUF
+VBUFs
+vdsb
+ve
+ver
+verifier
+verpified
+VERPify
+vfprintf
+vfy
+vmailer
+Vmailer
+vmilter
+VMS
+vmsg
+Vn
+vopened
+vous
+vp
+vprint
+vprintf
+vscan
+vsmtp
+vsmtpd
+vsnl
+VSNL
+vsprintf
+vstream
+VSTREAM
+Vstreams
+VSTREAM's
+VSTREAMs
+VSTREAMS
+vstring
+VSTRING
+VSTRINGs
+vtrace
+waitpid
+WAITPID
+Wakeup
+WAKEUP
+wat
+webservers
+WeiYu
+Wformat
+whatsup
+Whitespace
+WIFSTOPPED
+wil
+wildcarded
+Wimplicit
+wireshark
+Wmissing
+Woops
+Wparentheses
+wr
+Wrappermode
+WRITEMAP
+WRONLY
+wsp
+Wstrict
+Wswitch
+WTF
+Wuninitialized
+Wunused
+XCPT
+xdelay
+xe
+xfers
+xmask
+xport
+xsasl
+XSASL
+XSH
+xt
+XTRA
+XVxy
+xxdbx
+xxgdb
+xxxx
+XXXXX
+xxxxxx
+XXXXXXX
+YASLM
+yeardays
+yyyy
+yyyymmdd
+zA
+zer
+Zmailer
+AMD
+All's
+BIO
+BTU
+CALLBACK
+CHUNKING
+CO
+CONT
+CV
+Callback
+Cert
+Compaq
+DBL
+DBMS
+DICT
+DP
+Deferrals
+ENC
+EXCL
+EXP
+EXT
+Ff
+Goode
+Grandfathered
+INST
+Inline
+Kluge
+LANG
+LIB
+LP
+MAI
+MGR
+MIPS
+MISC
+MSG
+MULTIPART
+Majordomo
+Misc
+Mn
+NB
+NR
+OBS
+ORIG
+OTOH
+PF
+PP
+PX
+Pf
+Plugins
+REC
+RR
+Rcpt
+Regexp
+SB
+SC
+SEQ
+SN
+STAT
+STATS
+STD
+Siemens
+Simplistically
+Stat
+UK
+UNICODE
+USERNAME
+UTC
+Unicode
+Username
+VA
+ab
+alphanumerical
+app
+av
+barf
+beholder's
+bidirectionally
+binding's
+bio
+builtin
+callback
+callbacks
+ch
+chg
+comm
+comp
+crappy
+def
+deferrals
+diff
+enc
+excl
+exp
+ext
+externalized
+gazillions
+ht
+incl
+instance's
+key's
+kluge
+masqueraded
+maxed
+metadata
+mgr
+mp
+neg
+op
+ops
+perms
+pf
+piggybacked
+pref
+proactive
+proactively
+proxy's
+pt
+reanimates
+rec
+refactor
+regexps
+request's
+rollover
+schlepping
+scratchpad
+seq
+singlets
+stat
+stats
+trespassing
+ts
+val
+vars
+verboten
+versioning
+wiki
--- /dev/null
+ABNF
+ADAgECAhQSv
+adhoc
+ADME
+aes
+af
+ahQkZ
+AIX
+Allowlist
+allowlisting
+allowlists
+alphanumerics
+amavisd
+ame
+apache
+ASE
+ATABASE
+ated
+attractor
+authc
+Axel
+backported
+Backscatter
+BAQEFAASCBKcwggSjAgEAAoIBAQDc
+barelf
+bC
+BDAT
+BgBQGBg
+BINARYMIME
+bona
+BQ
+br
+CAQAwBQYDK
+Carsten
+CdUaexKP
+ce
+certN
+cflags
+cgi
+CHACHA
+chainN
+ching
+ciphe
+cldr
+cOkjtAH
+COMPAT
+concurrenc
+conn
+Crespo
+cronjob
+csie
+cve
+cvename
+Cy
+cyrusimap
+DATAB
+DATABAS
+dbpath
+DCCAeCgAwIBAgIUIUkrbk
+deduplication
+Denylist
+denylisting
+denylists
+der
+dereferencing
+DESTADDR
+destinatio
+DESTPORT
+dfn
+dgram
+dH
+DISPLA
+dll
+dom
+doma
+dont
+DONT
+dq
+ecdsacerts
+ecdsakey
+EEXIST
+eeYOxyThMA
+Efbz
+egv
+else's
+ENOENT
+exchangers
+exploder
+fb
+fe
+fg
+fi
+fide
+fifo
+filesystem
+fmsiQoRHzAFBgMrZXEwFDESMBAG
+fprint
+Fq
+GAemPCT
+ge
+gid
+GID
+github
+Gunnar
+hardlink
+hea
+hecks
+HGVNTK
+HHMMSS
+hostn
+HOSTNAME
+hre
+href
+HswDQYJKoZIhvcNAQEL
+https
+HuNn
+HUP
+iana
+IDENT
+idna
+IDNA
+ijs
+imit
+IU
+jane
+Jänicke
+Jänicke's
+jByBifpIe
+jnorell
+joe
+js
+jsp
+kali
+KAME
+KazmyRi
+keld
+keyN
+Kilani
+krcaJvDSMgvu
+KypOZPNPF
+lan
+latencies
+li
+libmemcache
+libs
+lient
+limi
+LNler
+Logfile
+logrotate
+LOGTAG
+lookahead
+Lookups
+lsqlite
+lt
+MAILLOG
+mbox
+MEcCAQAwBQYDK
+MessageLabs
+MIDDLEBOX
+MIIBdjCB
+MIIBKzCB
+MIIC
+MIIEvQIBADANBgkqhkiG
+MILTER
+mit
+mitre
+mtaadmin
+MTAADMIN
+mtadmin
+mua
+mygroup
+myinst
+NAbIJaDBqZb
+nameservers
+namespace
+nat
+nC
+ncache
+NCALLS
+NCTU
+newgroup
+NFS
+nH
+ninit
+NNTP
+noop
+nroffescape
+nullmx
+nulPzwUo
+nzHQJ
+OGvpyrMlm
+oP
+opendmarc
+orion
+oth
+overinflate
+oyE
+PARAM
+parametername
+params
+parsers
+Pathname
+pfs
+pkgsrc
+POSTFIX
+postlogd
+pQcWsx
+precedences
+pregreet
+Pregreet
+PREGREET
+prepended
+prepending
+prepends
+proble
+proxied
+Pseudocode
+PSS
+punycode
+qADAgECAhQaw
+qi
+qmznjbD
+Quanah
+QusgkahH
+Ralf
+relayhos
+RESOLV
+resolvers
+retransmission
+retransmits
+retransmitted
+rf
+rflRreYuUZBp
+rhswl
+Rirz
+rL
+rMZDAFBgMrZXAwFDESMBAG
+RolyeiE
+roundtrips
+RPCZDrPX
+rsacerts
+rsachain
+rsakey
+rsyslog
+runnable
+SASLAUTHD
+scheduler's
+schemas
+se
+selectable
+ser
+SESS
+si
+SLcOiXFHXlxp
+smarthost
+smatch
+sni
+Softw
+sp
+spamassassin
+spambot
+sqrt
+stderr
+stdout
+Stdout
+stname
+strftime
+subdirectories
+suboptimal
+suid
+suiteb
+systemd
+sz
+tDc
+tempfailing
+th
+threadm
+threadsafe
+tname
+TRE
+trusteddomain
+TTL
+tu
+tw
+TXT
+uname
+Uncomment
+Undeliverable
+unexpanded
+unextended
+unicode
+unrefreshed
+unrepliable
+Unselective
+unvalidated
+uva
+vali
+VwBCIEIEJfbbO
+VxBDsEOQf
+VZuh
+Whitespace
+wi
+wip
+wKsTGDH
+wzFd
+xhtml
+YPDWxEHom
+YWH
+yYhh
+zdlPQR
+Aren
+rejec
+debian
+prox
+vir
+AAA
+Admin
+CHUNKING
+DAT
+Downsides
+Firefox
+Inline
+Jänicke's
+LANG
+NZ
+Plugin
+Plugins
+Unicode
+WHITELIST
+bk
+ch
+chg
+chunking
+comm
+dbl
+downsides
+fer
+gt
+hos
+injectors
+kinks
+pkg
+rollover
+rs
+subj
+wiki
+JÃ
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
+# can be directed to a TCP-based server. In those case, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
# CASE FOLDING
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
+# can be directed to a TCP-based server. In those case, the lookups
# are done in a slightly different way as described below under
# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
# CASE FOLDING
# $\fBmydestination\fR, or when it is listed in $\fBinet_interfaces\fR
# or $\fBproxy_interfaces\fR.
# .sp
-# This functionality overlaps with functionality of the local
+# This functionality overlaps with the functionality of the local
# \fIaliases\fR(5) database. The difference is that \fBvirtual\fR(5)
# mapping can be applied to non-local addresses.
# .IP "@\fIdomain address, address, ...\fR"
#
# The \fBpropagate_unmatched_extensions\fR parameter controls whether
# an unmatched address extension (\fI+foo\fR) is propagated to the
-# result of table lookup.
+# result of a table lookup.
# VIRTUAL ALIAS DOMAINS
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is available in Postfix 2.5 and later.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# a configuration change.
# .IP "\fBvirtual_alias_maps ($virtual_maps)\fR"
# Optional lookup tables that alias specific mail addresses or domains
-# to other local or remote address.
+# to other local or remote addresses.
# .IP "\fBvirtual_alias_domains ($virtual_alias_maps)\fR"
-# Postfix is final destination for the specified list of virtual
+# Postfix is the final destination for the specified list of virtual
# alias domains, that is, domains for which all addresses are aliased
# to addresses in other local or remote domains.
# .IP "\fBpropagate_unmatched_extensions (canonical, virtual)\fR"
* relayed.". Postfix adds an ORCPT parameter under these conditions.
*
* Therefore, all down-stream MTAs will send DSNs with Original-Recipient
- * field ontaining this same ORCPT value. When a down-stream MTA can use
+ * field containing this same ORCPT value. When a down-stream MTA can use
* that information in their DSNs, it makes no sense that an up-stream
* MTA can't use that same information in its own DSNs.
*
* (mail submitted with the Postfix sendmail command, mail forwarded by
* the local(8) delivery agent, or mail re-queued with "postsuper -r"),
* send a bounce notification, reset the error flags in case of success,
- * and request deletion of the the incoming queue file and of the
+ * and request deletion of the incoming queue file and of the
* optional DSN SUCCESS records from virtual alias expansion.
*
* XXX It would make no sense to knowingly report success after we already
/*
* Future proofing: the Milter client's header suppression algorithm
* assumes that the MTA prepends its own Received: header. This
- * assupmtion may be violated after some source-code update. The
+ * assumption may be violated after some source-code update. The
* following check ensures consistency, at least for local submission.
*/
if (state->hop_count < 1) {
#define INET6_ADDR_LEN 16 /* XXX */
/*
- * Use the theadsafe resolver API if available, not because it is theadsafe,
+ * Use the threadsafe resolver API if available, not because it is theadsafe,
* but because it has more functionality.
*/
#ifdef USE_RES_NCALLS
path, queue_name, MAIL_QUEUE_INCOMING);
/*
- * If we got here, we achieved something, so let's claim succes.
+ * If we got here, we achieved something, so let's claim success.
*/
return (1);
}
/* the major field ranges from 0..COMPAT_MAJOR_SHIFT47 or more
/* (11 bits or more).
/*
-/* This would be a great use case for fucntions returning
+/* This would be a great use case for functions returning
/* StatusOr<compat_level_t> or StatusOr<string>, but is it a bit
/* late for a port to C++.
/* LICENSE
/* same ctx argument. The context accumulates run-time lookup key and result
/* validation information (inapplicable keys or results are skipped) and is
/* needed later in each call of \fIdb_common_expand\fR. A non-zero return
-/* value indicates that data-depedent '%' expansions were found in the input
+/* value indicates that data-dependent '%' expansions were found in the input
/* template.
/*
/* db_common_alloc() provides a way to use db_common_parse_domain()
/* When the input data lacks all fields needed for the expansion, zero
/* is returned and the query or result should be skipped. Otherwise
/* the expansion is appended to the result buffer (after a comma if the
-/* the result buffer is not empty).
+/* result buffer is not empty).
/*
/* If not NULL, the \fBquote_func\fR callback performs database-specific
/* quoting of each variable before expansion.
/*
/* The \fIhop_status\fR member must be updated by the caller
/* when all delivery to the destination in \fInexthop\fR should
-/* be deferred. This member is passed to to dsn_free().
+/* be deferred. This member is passed to dsn_free().
/*
/* deliver_request_done() reports the delivery status back to the
/* client, including the optional \fIhop_status\fR etc. information,
/*
* When the LDAP URI explicitly specifies a set of attributes, we use the
- * interection of the URI attributes and our result attributes. This way
+ * interaction of the URI attributes and our result attributes. This way
* LDAP URIs can hide certain attributes that should not be part of the
* query. There is no point in retrieving attributes not listed in our
* result set, we won't make any use of those.
}
/*
- * Optionally fold the key. Folding may be enabled on on-the-fly.
+ * Optionally fold the key. Folding may be enabled on-the-fly.
*/
if (dict->flags & DICT_FLAG_FOLD_FIX) {
if (dict->fold_buf == 0)
VSTRING *sub_conf_path;
/*
- * Reload dynamicsmaps.cf, but don't reload already-loaded plugins.
+ * Reload dynamicmaps.cf, but don't reload already-loaded plugins.
*/
if (dymap_info != 0)
htable_free(dymap_info, dymap_entry_free);
/* get_mail_conf_time() looks up the named entry in the global
/* configuration dictionary. The default value is returned
/* when no value was found. \fIdef_unit\fR supplies the default
-/* time unit for numbers numbers specified without explicit unit.
+/* time unit for numbers specified without explicit unit.
/* \fImin\fR is zero or specifies a lower limit on the integer
/* value or string length; \fImax\fR is zero or specifies an
/* upper limit on the integer value or string length.
* while fflush and fsync() succeed. Think of remote file systems such as
* AFS that copy the file back to the server upon close. Oh well, no
* point optimizing the error case. XXX On systems that use flock()
- * locking, we must truncate the file file before closing it (and losing
+ * locking, we must truncate the file before closing it (and losing
* the exclusive lock).
*/
read_error = vstream_ferror(src);
/*
* How long a daemon command may take to receive or deliver a message etc.
- * before we assume it is wegded (should never happen).
+ * before we assume it is wedged (should never happen).
*/
#define VAR_DAEMON_TIMEOUT "daemon_timeout"
#define DEF_DAEMON_TIMEOUT "18000s"
" $" VAR_SMTPD_EHLO_DIS_MAPS \
" $" VAR_SMTPD_MILTER_MAPS \
" $" VAR_VIRT_GID_MAPS \
- " $" VAR_VIRT_UID_MAPS
+ " $" VAR_VIRT_UID_MAPS \
+ " $" VAR_LOCAL_LOGIN_SND_MAPS \
+ " $" VAR_PSC_REJ_FTR_MAPS \
+ " $" VAR_SMTPD_REJ_FTR_MAPS \
+ " $" VAR_TLS_SERVER_SNI_MAPS
extern char *var_proxy_read_maps;
#define VAR_PROXY_WRITE_MAPS "proxy_write_maps"
extern char *var_smtpd_dns_re_filter;
/*
- * Share TLS sessions through tlproxy(8).
+ * Share TLS sessions through tlsproxy(8).
*/
#define VAR_SMTP_TLS_CONN_REUSE "smtp_tls_connection_reuse"
#define DEF_SMTP_TLS_CONN_REUSE 0
#define MAIL_PROTO_QMQP "QMQP"
/*
- * Names of services: these are the names of the UNIX-domain socket or or
+ * Names of services: these are the names of the UNIX-domain socket or
* FIFO that a service listens on.
*/
#define MAIL_SERVICE_BOUNCE "bounce"
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20211217"
+#define MAIL_RELEASE_DATE "20220102"
#define MAIL_VERSION_NUMBER "3.7"
#ifdef SNAPSHOT
/* ssize_t len;
/* DESCRIPTION
/* This module implements the low-level memcache protocol.
-/* All functions return -1 on error and 0 on succcess.
+/* All functions return -1 on error and 0 on success.
/* SEE ALSO
/* smtp_proto(3) SMTP low-level protocol.
/* AUTHOR(S)
/* .IP addr_family
/* Null pointer, or pointer to integer for storing the address
/* family.
-/* DIAGNISTICS
+/* DIAGNOSTICS
/* normalize_mailhost_addr() returns -1 if the input is malformed,
/* zero otherwise.
/* LICENSE
/*
* Proof-of-concept test program. Read an unquoted address from stdin, and
* show the quoted and unquoted results. Specify <> to test behavior for an
- * empty unquoted adress.
+ * empty unquoted address.
*/
#include <ctype.h>
#include <string.h>
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
* XXX No DSN check; this routine is called from bounce/defer/sent, which
* know what the DSN initial digit should look like.
*
- * XXX vrfy_stat is competely redundant because of dsn.
+ * XXX vrfy_stat is completely redundant because of dsn.
*/
if (var_verify_neg_cache || vrfy_stat == DEL_RCPT_STAT_OK) {
if (recipient->orig_addr[0])
#define VERIFY_BASE 31
/*
- * We append the time-dependent portion to the localpart of the the address
+ * We append the time-dependent portion to the localpart of the address
* verification probe sender address, so that the result has the form
* ``fixed1variable@fixed2''. There is no delimiter between ``fixed1'' and
* ``variable'', because that could make "old" time stamps valid depending
/* (complete recipient address), \fB$extension\fR (recipient address
/* extension), \fB$domain\fR (recipient domain), \fB$local\fR
/* (entire recipient address localpart) and
-/* \fB$recipient_delimiter.\fR The forms \fI${name?value}\fR and
-/* \fI${name:value}\fR expand conditionally to \fIvalue\fR when
-/* \fI$name\fR is (is not) defined.
-/* Characters that may have special meaning to the shell or file system
-/* are replaced by underscores. The list of acceptable characters
-/* is specified with the \fBforward_expansion_filter\fR configuration
+/* \fB$recipient_delimiter.\fR The forms \fI${name?value}\fR
+/* and \fI${name?{value}}\fR (Postfix 3.0 and later) expand
+/* conditionally to \fIvalue\fR when \fI$name\fR is defined,
+/* and the forms \fI${name:value}\fR \fI${name:{value}}\fR
+/* (Postfix 3.0 and later) expand conditionally to \fIvalue\fR
+/* when \fI$name\fR is not defined. The form
+/* \fI${name?{value1}:{value2}}\fR (Postfix 3.0 and later)
+/* expands conditionally to \fIvalue1\fR when \fI$name\fR is
+/* defined, or \fIvalue2\fR otherwise. Characters that may
+/* have special meaning to the shell or file system are replaced
+/* with underscores. The list of acceptable characters is
+/* specified with the \fBforward_expansion_filter\fR configuration
/* parameter.
/*
/* An alias or ~/.\fBforward\fR file may list any combination of external
/* address), \fB$extension\fR (recipient address extension),
/* \fB$domain\fR (recipient domain), \fB$local\fR (entire
/* recipient address localpart) and \fB$recipient_delimiter.\fR
-/* The forms \fI${name?value}\fR and \fI${name:value}\fR expand
-/* conditionally to \fIvalue\fR when \fI$name\fR is (is not)
-/* defined. Characters that may have special meaning to the
-/* shell or file system are replaced by underscores. The list
-/* of acceptable characters is specified with the
-/* \fBexecution_directory_expansion_filter\fR configuration
-/* parameter.
+/* The forms \fI${name?value}\fR and \fI${name?{value}}\fR
+/* (Postfix 3.0 and later) expand conditionally to \fIvalue\fR
+/* when \fI$name\fR is defined, and the forms \fI${name:value}\fR
+/* and \fI${name:{value}}\fR (Postfix 3.0 and later) expand
+/* conditionally to \fIvalue\fR when \fI$name\fR is not defined.
+/* The form \fI${name?{value1}:{value2}}\fR (Postfix 3.0 and
+/* later) expands conditionally to \fIvalue1\fR when \fI$name\fR
+/* is defined, or \fIvalue2\fR otherwise. Characters that may
+/* have special meaning to the shell or file system are replaced
+/* with underscores. The list of acceptable characters
+/* is specified with the \fBexecution_directory_expansion_filter\fR
+/* configuration parameter.
/*
/* The command is executed directly where possible. Assistance by the
/* shell (\fB/bin/sh\fR on UNIX systems) is used only when the command
/*
/* A limited amount of message context is exported via environment
/* variables. Characters that may have special meaning to the shell
-/* are replaced by underscores. The list of acceptable characters
+/* are replaced with underscores. The list of acceptable characters
/* is specified with the \fBcommand_expansion_filter\fR configuration
/* parameter.
/* .IP \fBSHELL\fR
/* Available in Postfix version 2.2 and later:
/* .IP "\fBcommand_execution_directory (empty)\fR"
/* The \fBlocal\fR(8) delivery agent working directory for delivery to
-/* external command.
+/* external commands.
/* MAILBOX LOCKING CONTROLS
/* .ad
/* .fi
/* $name expansions of $mailbox_command and $command_execution_directory.
/* .IP "\fBdefault_privs (nobody)\fR"
/* The default rights used by the \fBlocal\fR(8) delivery agent for delivery
-/* to external file or command.
+/* to an external file or command.
/* .IP "\fBforward_expansion_filter (see 'postconf -d' output)\fR"
/* Restrict the characters that the \fBlocal\fR(8) delivery agent allows in
/* $name expansions of $forward_path.
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBlocal_command_shell (empty)\fR"
-/* Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
+/* Optional shell program for \fBlocal\fR(8) delivery to non-Postfix commands.
/* .IP "\fBmax_idle (100s)\fR"
/* The maximum amount of time that an idle Postfix daemon process waits
/* for an incoming connection before terminating voluntarily.
return (0);
/*
- * The fall-back transport specifies a delivery machanism that handles
+ * The fall-back transport specifies a delivery mechanism that handles
* users not found in the aliases or UNIX passwd databases.
*/
if (*var_fbck_transp_maps && transp_maps == 0)
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
/* Only the last instance of this parameter type is remembered.
/* .IP "CA_MAIL_SERVER_POST_ACCEPT(void *(VSTREAM *stream, char *service_name, char **argv, HTABLE *attr))"
/* Function to be executed after accepting a new connection.
-/* The stream, service_name and argv argunents are the same
+/* The stream, service_name and argv arguments are the same
/* as with the "service" argument. The attr argument is null
/* or a pointer to a table with 'pass' connection attributes.
/* The table is destroyed after the function returns.
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
/*
* Register higher-level dictionaries and initialize the support for
- * dynamically-loaded dictionarles.
+ * dynamically-loaded dictionaries.
*/
mail_dict_init();
*
* XXX At this point in the code, the busy reference count is still less
* than the concurrency limit (otherwise this code would not be invoked
- * in the first place) so we have to make make some awkward adjustments
+ * in the first place) so we have to make some awkward adjustments
* below.
*
* XXX The queue length test below looks at the active queue share of an
double enum_val;
char denom_str[30 + 1];
double denom_val;
- char slash;
+ char slash[1 + 1];
char junk;
char *fbck_name;
char *fbck_val;
fb->base = -1; /* assume error */
switch (sscanf(fbck_val, "%lf %1[/] %30s%c",
- &enum_val, &slash, denom_str, &junk)) {
+ &enum_val, slash, denom_str, &junk)) {
case 1:
fb->index = QMGR_FEEDBACK_IDX_NONE;
fb->base = enum_val;
/* .nf
/* \fIRight\fR: command -f $sender -- $recipient
/* .fi
+/* NOTE: DO NOT put quotes around the command, $sender, or $recipient.
/* .IP
/* This feature is available as of Postfix 2.3.
/* .IP "\fBsize\fR=\fIsize_limit\fR (optional)"
/* The \fBpostalias\fR(1) command creates or queries one or more Postfix
/* alias databases, or updates an existing one. The input and output
/* file formats are expected to be compatible with Sendmail version 8,
-/* and are expected to be suitable for the use as NIS alias maps.
+/* and are expected to be suitable for use as NIS alias maps.
/*
/* If the result files do not exist they will be created with the
/* same group and other read permissions as their source file.
/* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a privileged Postfix
+/* The list of environment variables that a privileged Postfix
/* process will import from a non-Postfix parent process, or name=value
/* environment overrides.
/* .IP "\fBsmtputf8_enable (yes)\fR"
/* Enable preliminary SMTPUTF8 support for the protocols described
-/* in RFC 6531..6533.
+/* in RFC 6531, RFC 6532, and RFC 6533.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
/* and replace one or more service fields with new values as
/* specified with "\fIservice/type/field=value\fR" on the
/* \fBpostconf\fR(1) command line. Currently, the "command"
-/* field contains the command name and command arguments. this
+/* field contains the command name and command arguments. This
/* may change in the near future, so that the "command" field
/* contains only the command name, and a new "arguments"
/* pseudofield contains the command arguments.
/* line.
/*
/* The \fB-e\fR option is no longer needed with Postfix version
-/* 2.8 and later.
+/* 2.8 and later, as it is assumed whenever a value is specified
+/* (empty or non-empty).
/* .IP \fB-f\fR
/* Fold long lines when printing \fBmain.cf\fR or \fBmaster.cf\fR
/* configuration file entries, for human readability.
/*
/* This feature is available with Postfix 2.11 and later.
/* .IP \fB-h\fR
-/* Show parameter or attribute values without the "\fIname\fR
-/* = " label that normally precedes the value.
+/* Show parameter or attribute values without the "\fIname\fR = "
+/* label that normally precedes the value.
/* .IP \fB-H\fR
/* Show parameter or attribute names without the " = \fIvalue\fR"
/* that normally follows the name.
/* later). To show settings that differ from built-in defaults
/* only, use the following bash syntax:
/* .nf
-/* comm -23 <(postconf -n) <(postconf -d)
+/* LANG=C comm -23 <(postconf -n) <(postconf -d)
/* .fi
/* Replace "-23" with "-12" to show settings that duplicate
/* built-in defaults.
/* .IP "\fB-o \fIname=value\fR"
-/* Override \fBmain.cf\fR parameter settings.
+/* Override \fBmain.cf\fR parameter settings. This lets you see
+/* the effect changing a parameter would have when it is used in
+/* other configuration parameters, e.g.:
+/* .nf
+/* postconf -x -o stress=yes
+/* .fi
/*
/* This feature is available with Postfix 2.10 and later.
/* .IP \fB-p\fR
* Populate the dictionary with settings in this database client
* configuration file. Don't die if a file can't be opened - some
* files may contain passwords and should not be world-readable.
- * Note: dict_load_fp() nags about duplicate pameter settings.
+ * Note: dict_load_fp() nags about duplicate parameter settings.
*/
dict = dict_ht_open(dict_spec, O_CREAT | O_RDWR, 0);
dict_register(dict_spec, dict);
/*
* Print parameters in sorted order. The number of parameters per
- * master.cf entry is small, so we optmiize for code simplicity and don't
+ * master.cf entry is small, so we optimize for code simplicity and don't
* worry about the cost of double lookup.
*/
/*
* Scan parameter values that are left at their defaults in the global
* name space. Some defaults contain the $name of an obsolete parameter
- * for backwards compatilility purposes. We might warn that an explicit
+ * for backwards compatibility purposes. We might warn that an explicit
* name=value is obsolete, but we must not warn that the parameter is
* unused.
*/
for (;;) {
/* Don't allow PTR records. */
rec_type = rec_get_raw(VSTREAM_IN, buf, var_line_limit, REC_FLAG_NONE);
- if (rec_type == REC_TYPE_EOF) { /* request cancelled */
+ if (rec_type == REC_TYPE_EOF) { /* request canceled */
mail_stream_cleanup(dst);
if (remove(postdrop_path))
msg_warn("uid=%ld: remove %s: %m", (long) uid, postdrop_path);
/* .PP
/* Other configuration parameters:
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a privileged Postfix
+/* The list of environment variables that a privileged Postfix
/* process will import from a non-Postfix parent process, or name=value
/* environment overrides.
/* .IP "\fBsyslog_facility (mail)\fR"
/* postalias(1), create/update/query alias database
/* postcat(1), examine Postfix queue file
/* postconf(1), Postfix configuration utility
+/* postdrop(1), Postfix mail posting utility
/* postfix(1), Postfix control program
/* postfix-tls(1), Postfix TLS management
/* postkick(1), trigger Postfix daemon
/* .PP
/* The \fIkey\fR and \fIvalue\fR are processed as is, except that
/* surrounding white space is stripped off. Whitespace in lookup
-/* keys is supported as of Postfix 3.2.
+/* keys is supported in Postfix 3.2 and later, by surrounding the
+/* key with double quote characters `"'. Within the double quotes,
+/* double quote `"' and backslash `\\' characters can be included
+/* by quoting them with a preceding backslash.
/*
/* When the \fB-F\fR option is given, the \fIvalue\fR must
/* specify one or more filenames separated by comma and/or
/* headers and for attached message/* headers.
/* .sp
/* NOTE: with "smtputf8_enable = yes", the \fB-b\fR option
-/* option disables UTF-8 syntax checks on query keys and
-/* lookup results. Specify the \fB-U\fR option to force UTF-8
+/* disables UTF-8 syntax checks on query keys and lookup
+/* results. Specify the \fB-U\fR option to force UTF-8
/* syntax checks anyway.
/* .sp
/* This feature is available in Postfix version 2.6 and later.
/* The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
/* and \fBpostmap\fR(1) commands.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a privileged Postfix
+/* The list of environment variables that a privileged Postfix
/* process will import from a non-Postfix parent process, or name=value
/* environment overrides.
/* .IP "\fBsmtputf8_enable (yes)\fR"
/* Enable preliminary SMTPUTF8 support for the protocols described
-/* in RFC 6531..6533.
+/* in RFC 6531, RFC 6532, and RFC 6533.
/* .IP "\fBsyslog_facility (mail)\fR"
/* The syslog facility of Postfix logging.
/* .IP "\fBsyslog_name (see 'postconf -d' output)\fR"
dicts[n] = 0;
/*
- * Perform all queries. Open maps on the fly, to avoid opening unecessary
+ * Perform all queries. Open maps on the fly, to avoid opening unnecessary
* maps.
*/
if ((postmap_flags & POSTMAP_FLAG_HB_KEY) == 0) {
/* values for the private directories of the new instance. The
/* "\fB-G \fIgroup\fR" option may be specified to assign the
/* instance to a group, otherwise, the new instance is not a
-/* member of any groups.
+/* member of any group.
/* .sp
/* The new instance main.cf is the stock main.cf with the
/* parameters that specify the locations of shared files cloned
/* .RE
/* .IP
/* If any of these pathnames is not supplied, the program
-/* attempts to generate the pathname by taking the corresponding
-/* primary instance pathname, and by replacing the last pathname
-/* component by the value of the \fB-I\fR option.
+/* attempts to generate the missing pathname(s) by taking the
+/* corresponding primary instance pathname, and replacing the
+/* last pathname component by the value of the \fB-I\fR option.
/* .sp
/* If the instance configuration directory already exists, and
/* contains both a main.cf and master.cf file, \fBcreate\fR
/* .IP "\fBdaemon_directory (see 'postconf -d' output)\fR"
/* The directory with Postfix support programs and daemon programs.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a privileged Postfix
+/* The list of environment variables that a privileged Postfix
/* process will import from a non-Postfix parent process, or name=value
/* environment overrides.
/* .IP "\fBmulti_instance_directories (empty)\fR"
* To detect conflicts, each instance name and each shared or private
* pathname is registered in one place, with its owner. Everyone must
* register their claims when they join, and will be rejected in case of
- * conlict.
+ * conflict.
*
* Each claim value involves a parameter value (either a directory name or an
* instance name). Each claim owner is the config_directory pathname plus
/*
* XXX Avoid false conflicts with meta_directory. This usually overlaps
- * with other directories, typcally config_directory, shlib_directory or
+ * with other directories, typically config_directory, shlib_directory or
* daemon_directory.
*/
for (sp = shared_dir_table; sp->param_name; ++sp) {
* Don't assume that the mail system is down when the user has
* insufficient permission to access the showq socket.
*/
- else if (errno == EACCES) {
+ else if (errno == EACCES || errno == EPERM) {
msg_fatal_status(EX_SOFTWARE,
"Connect to the %s %s service: %m",
var_mail_name, var_showq_service);
ARGV *argv;
int stat;
- msg_warn("Mail system is down -- accessing queue directly");
+ msg_warn("Mail system is down -- accessing queue directly"
+ " (Connect to the %s %s service: %m)",
+ var_mail_name, var_showq_service);
showq_path = concatenate(var_daemon_dir, "/", var_showq_service,
(char *) 0);
argv = argv_alloc(6);
*/
else {
msg_fatal_status(EX_UNAVAILABLE,
- "Queue report unavailable - mail system is down");
+ "Queue report unavailable - mail system is down"
+ " (Connect to the %s %s service: %m)",
+ var_mail_name, var_showq_service);
}
}
/* NAME
/* showq_compat 8
/* SUMMARY
-/* Sendmail mailq compatibitily adapter
+/* Sendmail mailq compatibility adapter
/* SYNOPSIS
/* void showq_compat(
/* VSTREAM *showq)
/*
* Encapsulation. The STARTTLS, EHLO and AUTH command handlers temporarily
* suspend SMTP command events, send an asynchronous proxy request, and
- * resume SMTP command events after receiving the asynchrounous proxy
+ * resume SMTP command events after receiving the asynchronous proxy
* response (the EHLO handler must asynchronously talk to the auth server
* before it can announce the SASL mechanism list; the list can depend on
* the client IP address and on the presence on TLS encryption).
*/
/*
- * Transient state for the portscreen(8)-to-tlsproxy(8) hand-off protocol.
+ * Transient state for the postscreen(8)-to-tlsproxy(8) hand-off protocol.
*/
typedef struct {
VSTREAM *tlsproxy_stream; /* hand-off negotiation */
/* and reports TLS-related information about the server. With SMTP, the
/* destination is a domainname; with LMTP it is either a domainname
/* prefixed with \fBinet:\fR or a pathname prefixed with \fBunix:\fR. If
-/* Postfix is built without TLS support, the resulting posttls-finger
+/* Postfix is built without TLS support, the resulting \fBposttls-finger\fR(1)
/* program has very limited functionality, and only the \fB-a\fR, \fB-c\fR,
/* \fB-h\fR, \fB-o\fR, \fB-S\fR, \fB-t\fR, \fB-T\fR and \fB-v\fR options
/* are available.
/* Arguments:
/* .IP "\fB-a\fR \fIfamily\fR (default: \fBany\fR)"
/* Address family preference: \fBipv4\fR, \fBipv6\fR or \fBany\fR. When
-/* using \fBany\fR, posttls-finger will randomly select one of the two as
-/* the more preferred, and exhaust all MX preferences for the first
-/* address family before trying any addresses for the other.
+/* using \fBany\fR, \fBposttls-finger\fR(1) will randomly select one of
+/* the two as the more preferred, and exhaust all MX preferences for the
+/* first address family before trying any addresses for the other.
/* .IP "\fB-A\fR \fItrust-anchor.pem\fR (default: none)"
/* A list of PEM trust-anchor files that overrides CAfile and CApath
/* trust chain verification. Specify the option multiple times to
/* fingerprints and matching against user provided certificate
/* fingerprints (with DANE TLSA records the algorithm is specified
/* in the DNS). In Postfix versions prior to 3.6, the default value
-/* was "sha1".
+/* was "md5".
/* .IP "\fB-f\fR"
/* Lookup the associated DANE TLSA RRset even when a hostname is not an
/* alias and its address records lie in an unsigned zone. See
/* verification. By default no CAfile is used and no public CAs
/* are trusted.
/* .IP "\fB-g \fIgrade\fR (default: medium)"
-/* The minimum TLS cipher grade used by posttls-finger. See
-/* smtp_tls_mandatory_ciphers for details.
+/* The minimum TLS cipher grade used by \fBposttls-finger\fR(1).
+/* See smtp_tls_mandatory_ciphers for details.
/* .IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
/* The hostname lookup methods used for the connection. See the
/* documentation of smtp_host_lookup for syntax and semantics.
/* security level allows you to test certificate or public-key
/* fingerprint matches before you deploy them in the policy table.
/* .IP
-/* Note, since \fBposttls-finger\fR does not actually deliver any email,
+/* Note, since \fBposttls-finger\fR(1) does not actually deliver any email,
/* the \fBnone\fR, \fBmay\fR and \fBencrypt\fR security levels are not
/* very useful. Since \fBmay\fR and \fBencrypt\fR don't require peer
/* certificates, they will often negotiate anonymous TLS ciphersuites,
/* The TLS policy for MX hosts with "secure" TLSA records when the
/* nexthop destination security level is \fBdane\fR, but the MX
/* record was found via an "insecure" MX lookup. See the main.cf
-/* documentation for smtp_tls_insecure_mx_policy for details.
+/* documentation for smtp_tls_dane_insecure_mx_policy for details.
/* .IP "\fB-o \fIname=value\fR"
/* Specify zero or more times to override the value of the main.cf
/* parameter \fIname\fR with \fIvalue\fR. Possible use-cases include
/* overriding the values of TLS library parameters, or "myhostname" to
/* configure the SMTP EHLO name sent to the remote server.
/* .IP "\fB-p \fIprotocols\fR (default: >=TLSv1)"
-/* TLS protocols that posttls-finger will exclude or include. See
+/* TLS protocols that \fBposttls-finger\fR(1) will exclude or include. See
/* smtp_tls_mandatory_protocols for details.
/* .IP "\fB-P \fICApath/\fR (default: none)"
/* The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
/* Enable verbose Postfix logging. Specify more than once to increase
/* the level of verbose logging.
/* .IP "\fB-w\fR"
-/* Enable outgoing TLS wrapper mode, or SMTPS support. This is typically
-/* provided on port 465 by servers that are compatible with the ad-hoc
-/* SMTP in SSL protocol, rather than the standard STARTTLS protocol.
-/* The destination \fIdomain\fR:\fIport\fR should of course provide such
+/* Enable outgoing TLS wrapper mode, or SUBMISSIONS/SMTPS support. This
+/* is typically provided on port 465 by servers that are compatible with
+/* the SMTP-in-SSL protocol, rather than the STARTTLS protocol.
+/* The destination \fIdomain\fR:\fIport\fR must of course provide such
/* a service.
/* .IP "\fB-X\fR"
/* Enable \fBtlsproxy\fR(8) mode. This is an unsupported mode,
return (addr_list);
}
-/* dane_host_level - canidate host "dane" or degraded security level */
+/* dane_host_level - candidate host "dane" or degraded security level */
static int dane_host_level(STATE *state, DNS_RR *addr)
{
{
const struct {
const char *type_col;
- ssize_t type_col_len
+ ssize_t type_col_len;
} *prefix, prefixes[] = {
DICT_TYPE_UNION ":", (sizeof(DICT_TYPE_UNION ":") - 1),
DICT_TYPE_PIPE ":", (sizeof(DICT_TYPE_PIPE ":") - 1),
}
}
-/* post_accept - anounce our protocol name */
+/* post_accept - announce our protocol name */
static void post_accept(VSTREAM *stream, char *unused_name, char **unused_argv,
HTABLE *unused_attr)
*
* XXX At this point in the code, the busy reference count is still less
* than the concurrency limit (otherwise this code would not be invoked
- * in the first place) so we have to make make some awkward adjustments
+ * in the first place) so we have to make some awkward adjustments
* below.
*
* XXX The queue length test below looks at the active queue share of an
double enum_val;
char denom_str[30 + 1];
double denom_val;
- char slash;
+ char slash[1 + 1];
char junk;
char *fbck_name;
char *fbck_val;
fb->base = -1; /* assume error */
switch (sscanf(fbck_val, "%lf %1[/] %30s%c",
- &enum_val, &slash, denom_str, &junk)) {
+ &enum_val, slash, denom_str, &junk)) {
case 1:
fb->index = QMGR_FEEDBACK_IDX_NONE;
fb->base = enum_val;
/*
* Following RFC 2821 section 4.1.3, an IPv6 address literal gets
* a prefix of 'IPv6:'. We do this consistently for all IPv6
- * addresses that that appear in headers or envelopes. The fact
+ * addresses that appear in headers or envelopes. The fact
* that valid_mailhost_addr() enforces the form helps of course.
* We use the form without IPV6: prefix when doing access
* control, or when accessing the connection cache.
/* command above.
/* .IP \fB-bl\fR
/* Go into daemon mode. To accept only local connections as
-/* with Sendmail\'s \fB-bl\fR option, specify "\fBinet_interfaces
+/* with Sendmail's \fB-bl\fR option, specify "\fBinet_interfaces
/* = loopback\fR" in the Postfix \fBmain.cf\fR configuration
/* file.
/* .IP \fB-bm\fR
/* Initialize alias database. See the \fBnewaliases\fR
/* command above.
/* .IP "\fB-i\fR"
-/* When reading a message from standard input, don\'t treat a line
+/* When reading a message from standard input, don't treat a line
/* with only a \fB.\fR character as the end of input.
/* .IP "\fB-L \fIlabel\fR (ignored)"
/* The logging label. Use the \fBsyslog_name\fR configuration
/* To send 8-bit or binary content, use an appropriate MIME encapsulation
/* and specify the appropriate \fB-B\fR command-line option.
/* .IP "\fB-oi\fR"
-/* When reading a message from standard input, don\'t treat a line
+/* When reading a message from standard input, don't treat a line
/* with only a \fB.\fR character as the end of input.
/* .IP "\fB-om\fR (ignored)"
/* The sender is never eliminated from alias etc. expansions.
/* The time after which the sender receives a copy of the message
/* headers of mail that is still queued.
/* .IP "\fBimport_environment (see 'postconf -d' output)\fR"
-/* The list of environment parameters that a privileged Postfix
+/* The list of environment variables that a privileged Postfix
/* process will import from a non-Postfix parent process, or name=value
/* environment overrides.
/* .IP "\fBmail_owner (postfix)\fR"
extern MAPS *smtp_pix_bug_maps; /* PIX workarounds */
extern MAPS *smtp_generic_maps; /* make internal address valid */
-extern int smtp_ext_prop_mask; /* address externsion propagation */
+extern int smtp_ext_prop_mask; /* address extension propagation */
extern unsigned smtp_dns_res_opt; /* DNS query flags */
#ifdef USE_TLS
(session->expire_time = (when))
/*
- * Encapsulate the following so that we don't expose details of of
+ * Encapsulate the following so that we don't expose details of
* connection management and error handling to the SMTP protocol engine.
*/
#ifdef USE_SASL_AUTH
* either the transport name or the values of CAfile and CApath. We use
* the transport name.
*
- * XXX: We store only one session per lookup key. Ideally the the key maps
+ * XXX: We store only one session per lookup key. Ideally the key maps
* 1-to-1 to a server TLS session cache. We use the IP address, port and
* ehlo response name to build a lookup key that works for split caches
* (that announce distinct names) behind a load balancer.
* not clobber this non-zero value once it is set. The
* variable need not survive longjmp() calls, since the only
* setjmp() which does not return early is the one sets this
- * condition, subquent failures always return early.
+ * condition, subsequent failures always return early.
*/
#define LOST_CONNECTION_INSIDE_DATA (except == SMTP_ERR_EOF)
* value would block the request, without logging REJECT messages.
* Approach: evaluate fake relay restrictions (permit_mynetworks,
* permit_sasl_authenticated, permit_auth_destination) and log a warning
- * if the result is DUNNO instead of OK, i.e. a reject_unauth_destinatin
+ * if the result is DUNNO instead of OK, i.e. a reject_unauth_destination
* at the end would have blocked the request.
*
* If warn_compat_break_relay_restrictions is true, always evaluate
/*
* Following RFC 2821 section 4.1.3, an IPv6 address literal gets
* a prefix of 'IPv6:'. We do this consistently for all IPv6
- * addresses that that appear in headers or envelopes. The fact
+ * addresses that appear in headers or envelopes. The fact
* that valid_mailhost_addr() enforces the form helps of course.
* We use the form without IPV6: prefix when doing access
* control, or when accessing the connection cache.
/* .IP \fBunix:\fR\fIpathname\fR
/* Listen on the UNIX-domain socket at \fIpathname\fR.
/* .IP \fIbacklog\fR
-/* The maximum length the queue of pending connections,
+/* The maximum length of the queue of pending connections,
/* as defined by the \fBlisten\fR(2) system call.
/* DUMP FILE FORMAT
/* .ad
/* and spawns an external command whenever a connection is established.
/* The connection can be made over local IPC (such as UNIX-domain
/* sockets) or over non-local IPC (such as TCP sockets).
-/* The command\'s standard input, output and error streams are connected
+/* The command's standard input, output and error streams are connected
/* directly to the communication endpoint.
/*
/* This daemon expects to be run from the \fBmaster\fR(8) process
if (pkey)
EVP_PKEY_free(pkey);
- /* XXX: Legacy behaviour was silent, should we stay silent? */
+ /* XXX: Legacy behavior was silent, should we stay silent? */
if (st->mixed) {
msg_warn("ignoring 2nd key at index %d in %s after 1st at %d",
st->objnum, st->source, st->keynum);
* associated TLSA RRs.
*
* Since the hostname is DNSSEC-validated, it must be a DNS FQDN and
- * thererefore valid for use with SNI.
+ * therefore valid for use with SNI.
*/
if (SSL_dane_enable(TLScontext->con, 0) <= 0) {
msg_warn("%s: error enabling DANE-based certificate validation",
/* The return value is dynamically allocated with mymalloc(),
/* and the caller must eventually free it with myfree().
/*
-/* tls_cert_fprint() returns a fingerprint of the the given
+/* tls_cert_fprint() returns a fingerprint of the given
/* certificate using the requested message digest, formatted
/* with tls_digest_encode(). Panics if the
/* (previously verified) digest algorithm is not found. The return
return (memcmp(p->data, q->data, p->length));
}
-/* tls_digest_tlsa - fold in digest of sorced TLSA records */
+/* tls_digest_tlsa - fold in digest of TLSA records */
static int tls_digest_tlsa(EVP_MD_CTX *mdctx, TLS_TLSA *tlsa)
{
if (md_len > EVP_MAX_MD_SIZE || md_len >= INT_MAX / 3)
msg_panic("unexpectedly large message digest size: %u", md_len);
- /* No risk of overrunes, len is bounded by OpenSSL digest length */
+ /* No risk of overruns, len is bounded by OpenSSL digest length */
for (i = 0; i < md_len; i++) {
result[i * 3] = hexcodes[(md_buf[i] & 0xf0) >> 4U];
result[(i * 3) + 1] = hexcodes[(md_buf[i] & 0x0f)];
*
* Modified to save a lot of strcpy and strcat by Matti Aarnio.
*
- * Rewritten by Wietse to elimate fixed-size stack buffer, array index
+ * Rewritten by Wietse to eliminate fixed-size stack buffer, array index
* multiplication and division, sprintf() and strcpy(), and lots of strlen()
* calls. We could make it a little faster by using a fixed-size stack-based
* buffer.
/* Application-specific. */
/*
- * The session_id_context indentifies the service that created a session.
+ * The session_id_context identifies the service that created a session.
* This information is used to distinguish between multiple TLS-based
* servers running on the same server. We use the name of the mail system.
*/
return (TLS_MGR_STAT_ERR);
}
}
- /* Return value overrites name buffer */
+ /* Return value overwrites name buffer */
vstring_memcpy(buffer, (char *) key, sizeof(*key));
return (TLS_MGR_STAT_OK);
}
/* .IP "\fBtlsproxy_enforce_tls ($smtpd_enforce_tls)\fR"
/* Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
/* require that clients use TLS encryption.
+/* .IP "\fBtlsproxy_client_use_tls ($smtp_use_tls)\fR"
+/* Opportunistic mode: use TLS when a remote server announces TLS
+/* support.
+/* .IP "\fBtlsproxy_client_enforce_tls ($smtp_enforce_tls)\fR"
+/* Enforcement mode: require that SMTP servers use TLS encryption.
/* RESOURCE CONTROLS
/* .ad
/* .fi
* block. In practice, postscreen(8) limits the number of client
* commands, and thus postscreen(8)'s output will fit in a kernel buffer.
* A remote SMTP server is not supposed to flood the local SMTP client
- * with massive replies; it it does, then the local SMTP client should
+ * with massive replies; if it does, then the local SMTP client should
* deal with it.
*/
if (NBBIO_WRITE_PEND(plaintext_buf) > 0) {
TLSP_STATE *state = (TLSP_STATE *) context;
/*
- * Without a TLS quivalent of the NBBIO layer, we must decode the events
+ * Without a TLS equivalent of the NBBIO layer, we must decode the events
* ourselves and do the ciphertext I/O. Then, we can decide if we want to
* read or write more ciphertext.
*/
* This suggests that we parse the address in internalized (unquoted) form.
* Unfortunately, if we do that, the unparser generates incorrect white
* space between adjacent non-operator tokens. Example: ``first last''
- * needs white space, but ``stuff[stuff]'' does not. This is is not a
+ * needs white space, but ``stuff[stuff]'' does not. This is not a
* problem when unparsing the result from parsing externalized forms,
* because the parser/unparser were designed for valid externalized forms
* where ``stuff[stuff]'' does not happen.
/* before calling transport_lookup().
/*
/* transport_post_init() can be invoked after entering the chroot
-/* jail, and must be called before before calling transport_lookup().
+/* jail, and must be called before calling transport_lookup().
/*
/* transport_lookup() finds the channel and nexthop for the given
/* domain, and returns 1 if something was found. Otherwise, 0
/* .ad
/* .fi
/* The \fBtrivial-rewrite\fR(8) servers run under control by
-/* the Postfix master
+/* the Postfix master(8)
/* server. Each server can handle multiple simultaneous connections.
/* When all servers are busy while a client connects, the master
/* creates a new server process, provided that the trivial-rewrite
#endif
-/* post_accept - anounce our protocol name */
+/* post_accept - announce our protocol name */
static void post_accept(VSTREAM *stream, char *unused_name, char **unused_argv,
HTABLE *unused_attr)
/*
/* argv_terminate() null-terminates its string array argument.
/*
-/* argv_truncate() trucates its argument to the specified
+/* argv_truncate() truncates its argument to the specified
/* number of entries, but does not reallocate memory. The
/* result is null-terminated.
/*
/* behind" strategy does not interfere with database access,
/* allow dict_cache_sequence() to run to completion.
/* .IP table
-/* A bare dictonary handle.
+/* A bare dictionary handle.
/* DIAGNOSTICS
/* When a request is satisfied, the lookup routine returns
/* non-null, and the update, delete and sequence routines
if (st0.st_ino == st1.st_ino && st0.st_dev == st1.st_dev
&& st0.st_rdev == st1.st_rdev && st0.st_nlink == st1.st_nlink
&& st0.st_nlink > 0)
- break; /* successefully opened */
+ break; /* successfully opened */
close(fd);
if (dbenv) dbenv->close(dbenv, 0); \
if (lock_fd >= 0) (void) close(lock_fd); \
if (db_base_buf) vstring_free(db_base_buf); \
- if (db_path) myfree(db_path); return (_dict); \
+ if (db_path) myfree(db_path); \
+ return (_dict); \
} while (0)
#endif
/* memory that are associated with this DICT.
/*
/* dict_file_get_error() should be called only after error;
-/* it returns a desciption of the problem. Storage is owned
+/* it returns a description of the problem. Storage is owned
/* by the caller.
/*
/* dict_file_lookup() wraps the dictionary lookup method and
dict_random->dict.owner.uid = 0;
/*
- * Split the name name into its constituent parts.
+ * Split the table name into its constituent parts.
*/
if ((len = balpar(name, CHARS_BRACE)) == 0 || name[len] != 0
|| *(saved_name = mystrndup(name + 1, len - 2)) == 0
/* NAME
/* dict_random 3h
/* SUMMARY
-/* dictionary manager interface for ramdomized tables
+/* dictionary manager interface for randomized tables
/* SYNOPSIS
/* #include <dict_random.h>
/* DESCRIPTION
* Store the value under the key. Handle duplicates
* appropriately. XXX Move this into dict_ht, but 1) that map
* ignores duplicates by default and we would have to check that
- * we won't break existing code that depends on such benavior; 2)
+ * we won't break existing code that depends on such behavior; 2)
* by inlining the checks here we can degrade gracefully instead
* of terminating with a fatal error. See comment in
* dict_inline.c.
postmap: warning: dict_thash.in, line 2: record is in "key: value" format; is this an alias file?
postmap: warning: dict_thash.in, line 3: expected format: key whitespace value -- ignoring this line
postmap: warning: dict_thash.in, line 5: duplicate entry: "aaa"
-aaa bbb
xxx: yyy
+aaa bbb
/* NAME
/* dup2_pass_on_exec 1
/* SUMMARY
-/* dup2 close-on-exec behaviour test program
+/* dup2 close-on-exec behavior test program
/* SYNOPSIS
/* dup2_pass_on_exec
/* DESCRIPTION
* content and its temporary pathname (within the rules of the
* cooperative protocol). But wait, there is more.
*
- * There are many opportunies for trouble when opening a pre-existing
+ * There are many opportunities for trouble when opening a pre-existing
* output file. Here are just a few.
*
* - Victor observes that a system crash in the middle of the
EDIT_FILE_FREE(ep);
}
-/* edit_file_close - rename the file into place and and close the file */
+/* edit_file_close - rename the file into place and close the file */
int edit_file_close(EDIT_FILE *ep)
{
/* EXTPAR_FLAG_NONE, or the bitwise OR of one or more flags:
/* .RS
/* .IP EXTPAR_FLAG_EXTRACT
-/* This flag is intended to instruct expar() callers that
-/* expar() should be invoked. It has no effect on expar()
+/* This flag is intended to instruct extpar() callers that
+/* extpar() should be invoked. It has no effect on expar()
/* itself.
/* .IP EXTPAR_FLAG_STRIP
/* Skip whitespace after the opening parenthesis, and trim
/*
- * This is is a regression test for all the things that gcc is meant to warn
+ * This is a regression test for all the things that gcc is meant to warn
* about.
*
* gcc version 3 breaks several tests:
/* values to be remembered are not character pointers, proper casts
/* should be used or the code will not be portable.
/*
+/* To thwart collision attacks, the hash function is seeded
+/* once from /dev/urandom, and if that is unavailable, from
+/* wallclock-time and monotonic system clocks. To disable
+/* seeding for tests, specify NORANDOMIZE in the environment
+/* (the value does not matter).
+/*
/* htable_create() creates a table of the specified size and returns a
/* pointer to the result. The lookup keys are saved with mystrdup().
/* htable_enter() stores a (key, value) pair into the specified table
#include <sys_defs.h>
#include <string.h>
+#include <sys/time.h>
+#include <time.h>
+#include <stdint.h>
+#include <fcntl.h>
+#include <unistd.h>
/* Local stuff */
#include "msg.h"
#include "htable.h"
+ /*
+ * Fall back to a mix of absolute and time-since-boot information in the
+ * rare case that /dev/urandom is unavailable.
+ */
+#ifdef CLOCK_UPTIME
+#define NON_WALLTIME_CLOCK CLOCK_UPTIME
+#elif defined(CLOCK_BOOTTIME)
+#define NON_WALLTIME_CLOCK CLOCK_BOOTTIME
+#elif defined(CLOCK_MONOTONIC)
+#define NON_WALLTIME_CLOCK CLOCK_MONOTONIC
+#elif defined(CLOCK_HIGHRES)
+#define NON_WALLTIME_CLOCK CLOCK_HIGHRES
+#endif
+
+/* htable_seed - randomize the hash function */
+
+static size_t htable_seed(void)
+{
+ uint32_t result = 0;
+
+ /*
+ * Medium-quality seed, for defenses against local and remote attacks.
+ */
+ int fd;
+ int count;
+
+ if ((fd = open("/dev/urandom", O_RDONLY)) > 0) {
+ count = read(fd, &result, sizeof(result));
+ (void) close(fd);
+ if (count == sizeof(result))
+ return (result);
+ }
+
+ /*
+ * Low-quality seed, for defenses against remote attacks. Based on 1) the
+ * time since boot (good when an attacker knows the program start time
+ * but not the system boot time), and 2) absolute time (good when an
+ * attacker does not know the program start time). Assumes a system with
+ * better than microsecond resolution, and a network stack that does not
+ * leak the time since boot, for example, through TCP or ICMP timestamps.
+ * With those caveats, this seed is good for 20-30 bits of randomness.
+ */
+#ifdef NON_WALLTIME_CLOCK
+ {
+ struct timespec ts;
+
+ if (clock_gettime(NON_WALLTIME_CLOCK, &ts) != 0)
+ msg_fatal("clock_gettime() failed: %m");
+ result += (size_t) ts.tv_sec ^ (size_t) ts.tv_nsec;
+ }
+#elif defined(USE_GETHRTIME)
+ result += gethrtime();
+#endif
+
+#ifdef CLOCK_REALTIME
+ {
+ struct timespec ts;
+
+ if (clock_gettime(CLOCK_REALTIME, &ts) != 0)
+ msg_fatal("clock_gettime() failed: %m");
+ result += (size_t) ts.tv_sec ^ (size_t) ts.tv_nsec;
+ }
+#else
+ {
+ struct timeval tv;
+
+ if (GETTIMEOFDAY(&tv) != 0)
+ msg_fatal("gettimeofday() failed: %m");
+ result += (size_t) tv.tv_sec + (size_t) tv.tv_usec;
+ }
+#endif
+ return (result + getpid());
+}
+
/* htable_hash - hash a string */
static size_t htable_hash(const char *s, size_t size)
{
- size_t h = 0;
+ static size_t seed = 0;
+ static int randomize = 1;
+ size_t h;
size_t g;
/*
- * From the "Dragon" book by Aho, Sethi and Ullman.
+ * Initialize.
*/
+ if (seed == 0 && randomize) {
+ if (getenv("NORANDOMIZE"))
+ randomize = 0;
+ else
+ seed = htable_seed();
+#if 0
+ if (msg_verbose)
+ msg_info("htable_hash: seed=0x%lx", (long) seed);
+#endif
+ }
+ /*
+ * Inspired the "Dragon" book by Aho, Sethi and Ullman. Updated to use a
+ * seed, and to maintain 32+ bit state.
+ */
+ h = seed;
while (*s) {
- h = (h << 4U) + *(unsigned const char *) s++;
- if ((g = (h & 0xf0000000)) != 0) {
- h ^= (g >> 24U);
- h ^= g;
- }
+ g = h & 0xf0000000;
+ h = ((h << 4U) | (g >> 28U)) + *(unsigned const char *) s++;
}
return (h % size);
}
/*
* Load a large number of strings and delete them in a random order.
*/
+ msg_verbose = 1;
hash = htable_create(10);
while (vstring_get(buf, VSTREAM_IN) != VSTREAM_EOF)
htable_enter(hash, vstring_str(buf), CAST_INT_TO_VOID_PTR(count++));
/* .IP libname
/* shared-library pathname.
/* .IP libfuncs
-/* Array of LIB_FN strucures. The last name member must be null.
+/* Array of LIB_FN structures. The last name member must be null.
/* .IP libdata
-/* Array of LIB_DP strucures. The last name member must be null.
+/* Array of LIB_DP structures. The last name member must be null.
/* SEE ALSO
/* msg(3) diagnostics interface
/* DIAGNOSTICS
/*
/* The following substitutions are supported:
/* .IP "$name, ${name}"
-/* Unconditional attribute-based substition. The result is the
+/* Unconditional attribute-based substitution. The result is the
/* named attribute value (empty if the attribute is not defined)
/* after optional further named attribute substitution.
/* .IP "${name?text}, ${name?{text}}"
-/* Conditional attribute-based substition. If the named attribute
+/* Conditional attribute-based substitution. If the named attribute
/* value is non-empty, the result is the given text, after
/* named attribute expansion and relational expression evaluation.
/* Otherwise, the result is empty. Whitespace before or after
/* {text} is ignored.
/* .IP "${name:text}, ${name:{text}}"
-/* Conditional attribute-based substition. If the attribute
+/* Conditional attribute-based substitution. If the attribute
/* value is empty or undefined, the expansion is the given
/* text, after named attribute expansion and relational expression
/* evaluation. Otherwise, the result is empty. Whitespace
/* before or after {text} is ignored.
/* .IP "${name?{text1}:{text2}}, ${name?{text1}:text2}"
-/* Conditional attribute-based substition. If the named attribute
+/* Conditional attribute-based substitution. If the named attribute
/* value is non-empty, the result is text1. Otherwise, the
/* result is text2. In both cases the result is subject to
/* named attribute expansion and relational expression evaluation.
/* Whitespace before or after {text1} or {text2} is ignored.
/* .IP "${{text1} == ${text2} ? {text3} : {text4}}"
-/* Relational expression-based substition. First, the content
+/* Relational expression-based substitution. First, the content
/* of {text1} and ${text2} is subjected to named attribute and
/* relational expression-based substitution. Next, the relational
/* expression is evaluated. If it evaluates to "true", the
/*
* Look up the named parameter. Todo: allow the lookup function
- * to specify if the result is safe for $name expanson.
+ * to specify if the result is safe for $name expansion.
*/
lookup = mc->lookup(start, lookup_mode, mc->context);
}
#define MAC_EXP_OP_TOK_GT 6 /* > */
/*
- * Relational operator results. An enum to discourage asuming that 0 is
+ * Relational operator results. An enum to discourage assuming that 0 is
* false, !0 is true.
*/
typedef enum MAC_EXP_OP_RES {
struct addrinfo *next;
/*
- * Artefact of implementation: tolerate a null pointer argument.
+ * Artifact of implementation: tolerate a null pointer argument.
*/
for (ap = ai; ap != 0; ap = next) {
next = ap->ai_next;
/* comma and/or whitespace characters. The "long_" version returns
/* a "long int" bitmask, rather than an "int" bitmask.
/*
-/* str_name_mask() translates a mask into its equlvalent names.
+/* str_name_mask() translates a mask into its equivalent names.
/* The result is written to a static buffer that is overwritten
/* upon each call. The "long_" version converts a "long int"
/* bitmask, rather than an "int" bitmask.
return (0);
/*
- * Woops. Save errno, and see if the error is an NFS artefact. If it is,
+ * Woops. Save errno, and see if the error is an NFS artifact. If it is,
* pretend the error never happened.
*/
saved_errno = errno;
return (0);
/*
- * Woops. Save errno, and see if the error is an NFS artefact. If it is,
+ * Woops. Save errno, and see if the error is an NFS artifact. If it is,
* pretend the error never happened.
*/
saved_errno = errno;
/* .IP block_mode
/* Either NON_BLOCKING for a non-blocking socket, or BLOCKING for
/* blocking mode.
-/* DIAGNOSIICS
+/* DIAGNOSTICS
/* Fatal errors: path too large, can't create socket.
/*
/* Other errors result in a -1 result value, with errno indicating
/* .IP backlog
/* Either NON_BLOCKING for a non-blocking socket, or BLOCKING for
/* blocking mode.
-/* DIAGNOSIICS
+/* DIAGNOSTICS
/* Fatal errors: path too large, can't create socket.
/* LICENSE
/* .ad
/* for sending or receiving file descriptors over UNIX-domain
/* sockets.
/*
-/* set_unix_pass_fd_fix() takes a list of workarouds in external
+/* set_unix_pass_fd_fix() takes a list of workarounds in external
/* form, and stores their internal representation. The result
/* is used by unix_send_fd() and unix_recv_fd().
/*
/* Specifies a hard upper limit on a string's length. When the
/* length would be exceeded, the program simulates a memory
/* allocation problem (i.e. it terminates through msg_fatal()).
-/* This fuctionality is currently unimplemented.
+/* This functionality is currently unimplemented.
/* .IP "CA_VSTRING_CTL_EXACT (no argument)"
/* Allocate the requested amounts, instead of rounding up.
/* This should be used for tests only.
/* RFC 822 (ARPA Internet Text Messages)
/* DIAGNOSTICS
/* Mail bounces when the recipient has no mailbox or when the
-/* recipient is over disk quota. In all other cases, mail for
+/* recipient is over disk quota. In all other problem cases, mail for
/* an existing recipient is deferred and a warning is logged.
/*
/* Problems and transactions are logged to \fBsyslogd\fR(8)
/* .PP
/* Available in Postfix version 2.0 and later:
/* .IP "\fBvirtual_mailbox_domains ($virtual_mailbox_maps)\fR"
-/* Postfix is final destination for the specified list of domains;
+/* Postfix is the final destination for the specified list of domains;
/* mail is delivered via the $virtual_transport mail delivery transport.
/* .IP "\fBvirtual_transport (virtual)\fR"
/* The default mail delivery transport and next-hop destination for
#define AUTH_PROTOCOL_MINOR_VERSION 0
/*
- * Encorce read/write time limits, so that we can produce accurate
+ * Enforce read/write time limits, so that we can produce accurate
* diagnostics instead of getting killed by the watchdog timer.
*/
#define AUTH_TIMEOUT 10
fd = unix_connect(path, BLOCKING, AUTH_TIMEOUT);
}
if (fd < 0) {
- msg_warn("SASL: Connect to %s failed: %m", xp->socket_path);
+ msg_warn("SASL: Connect to Dovecot auth socket '%s' failed: %m",
+ xp->socket_path);
return (-1);
}
sasl_stream = vstream_fdopen(fd, O_RDWR);
projects / thirdparty / postfix.git / commitdiff
