.PP
.nf
.na
-.ft C
address_verify_map = hash:/var/lib/postfix/verify
address_verify_map = btree:/var/lib/postfix/verify
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_negative_cache (default: yes)
.PP
.nf
.na
-.ft C
# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_poll_delay (default: 3s)
.PP
.nf
.na
-.ft C
address_verify_sender = <>
address_verify_sender = postmaster@mydomain
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.1 and later.
.SH address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)
.PP
.nf
.na
-.ft C
alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases
.fi
.ad
-.ft R
.SH alias_maps (default: see "postconf \-d" output)
Optional lookup tables that are searched only with an email address
localpart (no domain) and that apply only to \fBlocal\fR(8) recipients;
.PP
.nf
.na
-.ft C
alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases
.fi
.ad
-.ft R
.SH allow_mail_to_commands (default: alias, forward)
Restrict \fBlocal\fR(8) mail delivery to external commands. The default
is to disallow delivery to "|command" in :include: files (see
.PP
.nf
.na
-.ft C
allow_mail_to_commands = alias,forward,include
.fi
.ad
-.ft R
.SH allow_mail_to_files (default: alias, forward)
Restrict \fBlocal\fR(8) mail delivery to external files. The default is
to disallow "/file/name" destinations in :include: files (see
.PP
.nf
.na
-.ft C
allow_mail_to_files = alias,forward,include
.fi
.ad
-.ft R
.SH allow_min_user (default: no)
Allow a sender or recipient address to have `\-' as the first
character. By
.PP
.nf
.na
-.ft C
allow_percent_hack = no
.fi
.ad
-.ft R
.SH allow_srv_lookup_fallback (default: no)
When SRV record lookup fails or no SRV record exists, fall back
to MX or IP address lookup as if SRV record lookup was not enabled.
.PP
.nf
.na
-.ft C
authorized_submit_users = !www, static:all
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH authorized_verp_clients (default: $mynetworks)
.PP
.nf
.na
-.ft C
canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical
.fi
.ad
-.ft R
.SH cleanup_replace_stray_cr_lf (default: yes)
Replace each stray <CR> or <LF> character in message
content with a space character, to prevent outbound SMTP smuggling,
.in +4
.nf
.na
-.ft C
using backwards\-compatible default setting \fIname=value\fR
to [accept a specific client request]
.sp
to [enable specific Postfix behavior]
.fi
.ad
-.ft R
.in -4
.PP
See COMPATIBILITY_README for specific message details. If such
.in +4
.nf
.na
-.ft C
# \fBpostconf\fR \fIname=value\fR
# \fBpostfix reload\fR
.fi
.ad
-.ft R
.in -4
.PP
When no more backwards\-compatible settings need to be made
.in +4
.nf
.na
-.ft C
# \fBpostconf compatibility_level=\fIN\fR\fR
# \fBpostfix reload\fR
.fi
.ad
-.ft R
.in -4
.PP
For \fIN\fR specify the number that is logged in your \fBpostfix\fR(1)
.in +4
.nf
.na
-.ft C
warning: To disable backwards compatibility use "postconf
compatibility_level=\fIN\fR" and "postfix reload"
.fi
.ad
-.ft R
.in -4
.PP
Starting with Postfix version 3.6, the compatibility level in
.PP
.nf
.na
-.ft C
debug_peer_list = 127.0.0.1
debug_peer_list = example.com
.fi
.ad
-.ft R
.SH debugger_command (default: empty)
The external command to execute when a Postfix daemon program is
invoked with the \-D option.
.PP
.nf
.na
-.ft C
debugger_command =
PATH=/usr/bin:/usr/X11R6/bin
ddd $daemon_directory/$process_name $process_id & sleep 5
.fi
.ad
-.ft R
.SH default_database_type (default: see "postconf \-d" output)
The default database type for use in \fBnewaliases\fR(1), \fBpostalias\fR(1)
and \fBpostmap\fR(1) commands. On many UNIX systems the default type is
.PP
.nf
.na
-.ft C
default_database_type = hash
default_database_type = dbm
.fi
.ad
-.ft R
.SH default_delivery_slot_cost (default: 5)
How often the Postfix queue manager's scheduler is allowed to
preempt delivery of one message with another.
.PP
.nf
.na
-.ft C
default_delivery_slot_cost = 0
default_delivery_slot_cost = 2
.fi
.ad
-.ft R
.SH default_delivery_slot_discount (default: 50)
The default value for transport\-specific _delivery_slot_discount
settings.
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/smtp_dsn_filter:
/^4(\e.\ed+\e.\ed+ TLS is required, but host \eS+ refused to start TLS: .+)/
5$1
# 4.\ed+.\ed+ Cannot start TLS: handshake failure
.fi
.ad
-.ft R
.in -4
.PP
Example 2: censor the per\-recipient delivery status text so
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/local_dsn_filter:
/^(2\eS+ delivered to file).+/ $1
/^(2\eS+ delivered to command).+/ $1
.fi
.ad
-.ft R
.in -4
.PP
Notes:
by an RFC 3463 enhanced status code.
.br
.IP "\fB$rbl_domain\fR"
-The RBL domain where $rbl_what is denylisted.
+The RBL domain (without any \fI=address\-filter\fR) where
+$rbl_what is denylisted.
.br
.IP "\fB$rbl_reason\fR"
The reason why $rbl_what is denylisted, or an empty string.
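Review bot: The new parenthetical on $rbl_domain ("without any =address-filter") carries no version, while the related rbl_reply_maps text in this patch is qualified with "Postfix 3.10 and later". If $rbl_domain already expanded this way in earlier releases, say so; if it is new, add the version here so that operators whose templates print $rbl_domain know when the reply and log text changes.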
.PP
.nf
.na
-.ft C
default_transport = uucp:relayhostname
.fi
.ad
-.ft R
.SH default_transport_rate_delay (default: 0s)
The default amount of delay that is inserted between individual
message deliveries over the same message delivery transport,
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_transport_rate_delay = 20s
.fi
.ad
-.ft R
.PP
To enable the delay, specify a non\-zero time value (an integral
value plus an optional one\-letter suffix that specifies the time
.PP
.nf
.na
-.ft C
defer_transports = smtp
.fi
.ad
-.ft R
.SH delay_logging_resolution_limit (default: 2)
The maximal number of digits after the decimal point when logging
sub\-second delay values. Specify a number in the range 0..6.
.PP
.nf
.na
-.ft C
disable_vrfy_command = no
.fi
.ad
-.ft R
.SH dns_ncache_ttl_fix_enable (default: no)
Enable a workaround for future libc incompatibility. The Postfix
implementation of RFC 2308 negative reply caching relies on the
.PP
.nf
.na
-.ft C
warning: DNSSEC validation may be unavailable
warning: reason: dnssec_probe 'ns:.' received a response that is not DNSSEC validated
warning: reason: dnssec_probe 'ns:.' received no response: Server failure
.fi
.ad
-.ft R
.PP
Possible reasons why DNSSEC validation may be unavailable:
.IP \(bu
.PP
.nf
.na
-.ft C
# postfix stop
# postconf enable_long_queue_ids=no
# postsuper
.fi
.ad
-.ft R
.PP
Repeat the postsuper command until it reports no more queue file
name changes.
.PP
.nf
.na
-.ft C
export_environment = TZ PATH=/bin:/usr/bin
.fi
.ad
-.ft R
.SH extract_recipient_limit (default: 10240)
The maximal number of recipient addresses that Postfix will extract
from message headers when mail is submitted with "\fBsendmail \-t\fR".
.PP
.nf
.na
-.ft C
forward_path = /var/forward/$user
forward_path =
/var/forward/$user/.forward$recipient_delimiter$extension,
/var/forward/$user/.forward
.fi
.ad
-.ft R
.SH frozen_delivered_to (default: yes)
Update the \fBlocal\fR(8) delivery agent's idea of the Delivered\-To:
address (see prepend_delivered_header) only once, at the start of
.PP
.nf
.na
-.ft C
home_mailbox = Mailbox
home_mailbox = Maildir/
.fi
.ad
-.ft R
.SH hopcount_limit (default: 50)
The maximal number of Received: message headers that is allowed
in the primary message headers. A message that exceeds the limit
.PP
.nf
.na
-.ft C
inet_interfaces = all (DEFAULT)
inet_interfaces = loopback\-only (Postfix version 2.2 and later)
inet_interfaces = 127.0.0.1
inet_interfaces = 192.168.1.2, 127.0.0.1
.fi
.ad
-.ft R
.SH inet_protocols (default: see 'postconf \-d' output)
The Internet protocols Postfix will attempt to use when making
or accepting connections. Specify one or more of "ipv4"
.PP
.nf
.na
-.ft C
inet_protocols = ipv4
inet_protocols = all (DEFAULT)
inet_protocols = ipv6
inet_protocols = ipv4, ipv6
.fi
.ad
-.ft R
.SH info_log_address_format (default: external)
The email address form that will be used in non\-debug logging
(info, warning, etc.). As of Postfix 3.5 when an address localpart
.in +4
.nf
.na
-.ft C
from=<"name with spaces"@example.com>
.fi
.ad
-.ft R
.in -4
.PP
Older Postfix versions would log the internal (unquoted) form:
.in +4
.nf
.na
-.ft C
from=<name with spaces@example.com>
.fi
.ad
-.ft R
.in -4
.PP
The external and internal forms are identical for the vast
.PP
.nf
.na
-.ft C
lmtp_connect_timeout = 30s
.fi
.ad
-.ft R
.SH lmtp_connection_cache_destinations (default: empty)
The LMTP\-specific version of the smtp_connection_cache_destinations
configuration parameter. See there for details.
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
mylmtp ... lmtp \-o lmtp_lhlo_name=foo.bar.com
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.3 and later.
.PP
.nf
.na
-.ft C
lmtp_sasl_security_options = noplaintext
.fi
.ad
-.ft R
.SH lmtp_sasl_tls_security_options (default: $lmtp_sasl_security_options)
The LMTP\-specific version of the smtp_sasl_tls_security_options
configuration parameter. See there for details.
.PP
.nf
.na
-.ft C
local_command_shell = /some/where/smrsh \-c
local_command_shell = /bin/bash \-c
.fi
.ad
-.ft R
.SH local_delivery_status_filter (default: $default_delivery_status_filter)
Optional filter for the \fBlocal\fR(8) delivery agent to change the
status code or explanatory text of successful or unsuccessful
.in +4
.nf
.na
-.ft C
local_header_rewrite_clients = static:all
.fi
.ad
-.ft R
.in -4
.PP
The purist (and default) setting: rewrite headers only in mail
.in +4
.nf
.na
-.ft C
local_header_rewrite_clients = permit_inet_interfaces
.fi
.ad
-.ft R
.in -4
.PP
The intermediate setting: rewrite header addresses and append
.in +4
.nf
.na
-.ft C
local_header_rewrite_clients = permit_mynetworks,
permit_sasl_authenticated permit_tls_clientcerts
check_address_map hash:/etc/postfix/pop\-before\-smtp
.fi
.ad
-.ft R
.in -4
.SH local_login_sender_maps (default: static:*)
A list of lookup tables that are searched by the UNIX login name,
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
# Allow root and postfix full control, anyone else can only
# send mail as themselves. Use "uid:" followed by the numerical
pcre:/etc/postfix/login_senders
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/login_senders:
# Allow both the bare username and the user@domain forms.
/(.+)/ $1 $1@example.com
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.6 and later.
.SH local_recipient_maps (default: proxy:unix:passwd.byname $alias_maps)
.PP
.nf
.na
-.ft C
local_recipient_maps =
.fi
.ad
-.ft R
.SH local_transport (default: local:$myhostname)
The default mail delivery transport and next\-hop destination
for final delivery to domains listed with mydestination, and for
.PP
.nf
.na
-.ft C
luser_relay = $user@other.host
luser_relay = $local@other.host
luser_relay = admin+$local
.fi
.ad
-.ft R
.SH mail_name (default: Postfix)
The mail system name that is displayed in Received: headers, in
the SMTP greeting banner, and in bounced mail.
.PP
.nf
.na
-.ft C
mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail
.fi
.ad
-.ft R
.SH mail_version (default: see "postconf \-d" output)
The version of the mail system. Stable releases are named
\fImajor\fR.\fIminor\fR.\fIpatchlevel\fR. Experimental releases
.PP
.nf
.na
-.ft C
mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail \-a "$EXTENSION"
mailbox_command = /some/where/maildrop \-d "$USER"
\-f "$SENDER" "$EXTENSION"
.fi
.ad
-.ft R
.SH mailbox_command_maps (default: empty)
Optional lookup tables with per\-recipient external commands to use
for \fBlocal\fR(8) mailbox delivery. Behavior is as with mailbox_command.
.in +4
.nf
.na
-.ft C
masquerade_domains = foo.example.com example.com
.fi
.ad
-.ft R
.in -4
.PP
strips "user@any.thing.foo.example.com" to "user@foo.example.com",
.in +4
.nf
.na
-.ft C
masquerade_domains = !foo.example.com example.com
.fi
.ad
-.ft R
.in -4
.PP
does not change "user@any.thing.foo.example.com" or "user@foo.example.com",
.PP
.nf
.na
-.ft C
masquerade_domains = $mydomain
.fi
.ad
-.ft R
.SH masquerade_exceptions (default: empty)
Optional list of user names that are not subjected to address
masquerading, even when their addresses match $masquerade_domains.
.PP
.nf
.na
-.ft C
masquerade_exceptions = root, mailer\-daemon
masquerade_exceptions = root
.fi
.ad
-.ft R
.SH master_service_disable (default: empty)
Selectively disable \fBmaster\fR(8) listener ports by service type
or by service name and type. Specify a list of service types
.PP
.nf
.na
-.ft C
# With Postfix 2.6..2.10 use '.' instead of '/'.
# Turn on all \fBmaster\fR(8) listener ports (the default).
master_service_disable =
master_service_disable = !foo/inet, inet
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later.
.SH max_idle (default: 100s)
.PP
.nf
.na
-.ft C
message_reject_characters = \e0
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH message_size_limit (default: 10240000)
.PP
.nf
.na
-.ft C
message_strip_characters = \e0
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH meta_directory (default: see 'postconf \-d' output)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
milter_header_checks = pcre:/etc/postfix/milter_header_checks
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/milter_header_checks:
/^X\-SPAM\-FLAG:\es+YES/ FILTER mysmtp:sanitizer.example.com:25
.fi
.ad
-.ft R
.PP
The milter_header_checks mechanism could also be used for
allowlisting. For example it could be used to skip heavy content
.PP
.nf
.na
-.ft C
mydestination = $myhostname, localhost.$mydomain $mydomain
mydestination = $myhostname, localhost.$mydomain www.$mydomain, ftp.$mydomain
.fi
.ad
-.ft R
.SH mydomain (default: see "postconf \-d" output)
The internet domain name of this mail system. The default is to
use $myhostname minus the first component, or "localdomain" (Postfix
.PP
.nf
.na
-.ft C
mydomain = domain.tld
.fi
.ad
-.ft R
.SH myhostname (default: see "postconf \-d" output)
The internet hostname of this mail system. The default is to use
the fully\-qualified domain name (FQDN) from gethostname(), or to
.PP
.nf
.na
-.ft C
myhostname = host.example.com
.fi
.ad
-.ft R
.SH mynetworks (default: see "postconf \-d" output)
The list of "trusted" remote SMTP clients that have more privileges than
"strangers".
.PP
.nf
.na
-.ft C
mynetworks = 127.0.0.0/8 168.100.189.0/28
mynetworks = !192.168.0.1, 192.168.0.0/28
mynetworks = 127.0.0.0/8 168.100.189.0/28 [::1]/128 [2001:240:587::]/64
mynetworks = cidr:/etc/postfix/network_table.cidr
.fi
.ad
-.ft R
.SH mynetworks_style (default: Postfix >= 3.0: host, Postfix < 3.0: subnet)
The method to generate the default value for the mynetworks parameter.
This is the list of trusted networks for relay access control etc.
.PP
.nf
.na
-.ft C
myorigin = $mydomain
.fi
.ad
-.ft R
.SH nested_header_checks (default: $header_checks)
Optional lookup tables for content inspection of non\-MIME message
headers in attached messages, as described in the \fBheader_checks\fR(5)
.PP
.nf
.na
-.ft C
notify_classes = bounce, delay, policy, protocol, resource, software
notify_classes = 2bounce, resource, software
.fi
.ad
-.ft R
.SH openssl_path (default: openssl)
The location of the OpenSSL command line program \fBopenssl\fR(1). This
is used by the "\fBpostfix tls\fR" command to create private keys,
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
# NetBSD pkgsrc:
openssl_path = /usr/pkg/bin/openssl
openssl_path = /usr/local/bin/openssl
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 3.1 and later.
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_denylist_action = enforce
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/postscreen_access.cidr:
# Rules are evaluated in the order as specified.
# Denylist 192.168.* except 192.168.0.1.
192.168.0.0/16 reject
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.8.
.SH postscreen_allowlist_interfaces (default: static:all)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
# Don't allowlist connections to the backup IP address.
# Postfix < 3.6 use postscreen_whitelist_interfaces.
postscreen_allowlist_interfaces = !168.100.189.8, static:all
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.6 and later.
.PP
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
postscreen_dnsbl_reply_map = texthash:/etc/postfix/dnsbl_reply
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/dnsbl_reply:
secret.zen.spamhaus.org zen.spamhaus.org
.fi
.ad
-.ft R
.PP
NOTE: This feature differs from the Postfix SMTP server's
rbl_reply_maps feature, where 1) the table search key includes the
-optional "\fI=address\fR" filter, and where 2) the lookup result
+optional "\fI=address\-filter\fR", and where 2) the lookup result
contains free text with \fI$name\fR variables.
.PP
This feature is available in Postfix 2.8.
.PP
.nf
.na
-.ft C
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_sites = example.com*2, example.net, example.org
.fi
.ad
-.ft R
.PP
To filter only DNSBL replies containing 127.0.0.4:
.PP
.nf
.na
-.ft C
postscreen_dnsbl_sites = example.com=127.0.0.4
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.8.
.SH postscreen_dnsbl_threshold (default: 1)
.PP
.nf
.na
-.ft C
prepend_delivered_header = forward
.fi
.ad
-.ft R
.SH process_id (read\-only)
The process ID of a Postfix command or daemon process.
.SH process_id_directory (default: pid)
.PP
.nf
.na
-.ft C
propagate_unmatched_extensions = canonical, virtual, alias,
forward, include
propagate_unmatched_extensions = canonical, virtual
.fi
.ad
-.ft R
.SH proxy_interfaces (default: empty)
The remote network interface addresses that this mail system receives mail
on by way of a proxy or network address translation unit.
.PP
.nf
.na
-.ft C
proxy_interfaces = 1.2.3.4
.fi
.ad
-.ft R
.SH proxy_read_maps (default: see "postconf \-d" output)
The lookup tables that the \fBproxymap\fR(8) server is allowed to
access for the read\-only service.
.PP
.nf
.na
-.ft C
qmqpd_authorized_clients = !192.168.0.1, 192.168.0.0/24
.fi
.ad
-.ft R
.SH qmqpd_client_port_logging (default: no)
Enable logging of the remote QMQP client port in addition to
the hostname and IP address. The logging format is "host[address]:port".
.SH rbl_reply_maps (default: empty)
Optional lookup tables with RBL or RHSBL response templates. The
table search key is the reject_rbl_* or reject_rhsbl_* argument,
-including any optional "\fI=address\-pattern\fR" filter.
+including any optional "\fI=address\-filter\fR". With Postfix 3.10
+and later, if the result is "not found" and the search key has the
+form \fIdomain=address\-filter\fR, then rbl_reply_maps will also
+search with the \fIdomain\fR.
.PP
By default, Postfix uses the
template as specified with the default_rbl_reply configuration
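Review bot: The added fallback sentence in rbl_reply_maps describes a lookup change that can alter replies on upgrade, and the text does not flag it. A table that already holds a bare domain entry alongside restrictions written as domain=address-filter will, from 3.10 on, return that entry's template where the lookup previously ended in "not found" and the default_rbl_reply template applied. Suggest one sentence stating that the full domain=address-filter key is tried first and that a bare domain entry now acts as a catch-all for every filter on that domain.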
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
rbl_reply_maps = hash:/etc/postfix/rbl_reply
smtpd_recipient_restrictions =
# variables.
\fIsecret\fR.zen.dq.spamhaus.net=127.0.0.[2..11]
554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details
+.fi
+.ad
+.PP
+.nf
+.na
+ # Postfix >= 3.10: if a search key \fIdomain=address\-filter\fR
+ # is not found, then rbl_reply_maps will also search with the
+ # \fIdomain\fR.
\fIsecret\fR.zen.dq.spamhaus.net
554 $rbl_class $rbl_what blocked using ZEN \- see https://www.spamhaus.org/query/ip/$client_address for details
.fi
.ad
-.ft R
.PP
NOTE: This feature differs from postscreen_dnsbl_reply_map where
-the table search key is a domain name (no "\fI=address\fR" filter,
-no "\fI*weight\fR" factor) and where the lookup result should be
-a domain name (no free text, no \fI$name\fR variables).
+the table search key is only a domain name (no "\fI=address\-filter\fR",
+no "\fI*weight\fR" factor) and where the lookup result
+should be only a domain name (no free text, no \fI$name\fR variables).
.PP
This feature is available in Postfix 2.0 and later.
-The "=address\-pattern" filter is available in Postfix 2.8 and later.
+The "=address\-filter" feature is available in Postfix 2.8 and later.
.SH readme_directory (default: see "postconf \-d" output)
The location of Postfix README files that describe how to build,
configure or operate a specific Postfix subsystem or feature.
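Review bot: The availability footer of the rbl_reply_maps entry lists Postfix 2.0 for the feature and 2.8 for "=address-filter", but not the 3.10 domain-only fallback that the description and the new example comment introduce. Add a matching line there, for example: The search with only the domain is available in Postfix 3.10 and later.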
.PP
.nf
.na
-.ft C
receive_override_options =
no_unknown_recipient_checks, no_header_body_checks
receive_override_options = no_address_mappings
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.1 and later.
.SH recipient_bcc_maps (default: empty)
.PP
.nf
.na
-.ft C
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
.fi
.ad
-.ft R
.PP
After a change, run "\fBpostmap /etc/postfix/recipient_bcc\fR".
.PP
.PP
.nf
.na
-.ft C
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
.fi
.ad
-.ft R
.SH recipient_delimiter (default: empty)
The set of characters that can separate an email address
localpart, user name, or a .forward file name from its extension.
.PP
.nf
.na
-.ft C
# Handle Postfix\-style extensions.
recipient_delimiter = +
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Handle both Postfix and qmail extensions (Postfix 2.11 and later).
recipient_delimiter = +\-
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Use .forward for mail without address extension, and for mail with
# an unrecognized address extension.
forward_path = $home/.forward${recipient_delimiter}${extension},
$home/.forward
.fi
.ad
-.ft R
.SH reject_code (default: 554)
The numerical Postfix SMTP server response code when a remote SMTP
client request is rejected by the "reject" restriction.
.PP
.nf
.na
-.ft C
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
.fi
.ad
-.ft R
.PP
For more fine\-grained control, use check_ccert_access to select
an appropriate \fBaccess\fR(5) policy for each client.
.PP
.nf
.na
-.ft C
relay_recipient_maps = hash:/etc/postfix/relay_recipients
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.0 and later.
.SH relay_transport (default: relay)
.PP
.nf
.na
-.ft C
relayhost = $mydomain
relayhost = [gateway.example.com]
relayhost = mail1.example:587, mail2.example:587
relayhost = [an.ip.add.ress]
.fi
.ad
-.ft R
.SH relocated_maps (default: empty)
Optional lookup tables with new contact information for users or
domains that no longer exist. The table format and lookups are
.PP
.nf
.na
-.ft C
relocated_maps = dbm:/etc/postfix/relocated
relocated_maps = hash:/etc/postfix/relocated
.fi
.ad
-.ft R
.SH remote_header_rewrite_domain (default: empty)
Rewrite or add message headers in mail from remote clients if
the remote_header_rewrite_domain parameter value is non\-empty,
.in +4
.nf
.na
-.ft C
remote_header_rewrite_domain = domain.invalid
.fi
.ad
-.ft R
.in -4
.PP
The default, purist, setting: don't rewrite headers from remote
.in +4
.nf
.na
-.ft C
remote_header_rewrite_domain =
.fi
.ad
-.ft R
.in -4
.SH require_home_directory (default: no)
Require that a \fBlocal\fR(8) recipient's home directory exists
.PP
.nf
.na
-.ft C
sender_bcc_maps = hash:/etc/postfix/sender_bcc
.fi
.ad
-.ft R
.PP
After a change, run "\fBpostmap /etc/postfix/sender_bcc\fR".
.PP
.PP
.nf
.na
-.ft C
sender_canonical_maps = hash:/etc/postfix/sender_canonical
.fi
.ad
-.ft R
.SH sender_dependent_default_transport_maps (default: empty)
A sender\-dependent override for the global default_transport
parameter setting. The tables are searched by the envelope sender
.PP
.nf
.na
-.ft C
# Distinguish inbound MTA logging from submission and smtps logging.
smtp inet n \- n \- \- smtpd
submission inet n \- n \- \- smtpd
\-o syslog_name=postfix/$service_name
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Distinguish outbound MTA logging from inbound relay logging.
smtp unix \- \- n \- \- smtp
relay unix \- \- n \- \- smtp
\-o syslog_name=postfix/$service_name
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.3 and later.
.SH service_throttle_time (default: 60s)
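Review bot: Dropping .ft C and .ft R around these master.cf examples leaves the .nf blocks in the body font, so in typeset (non-terminal) output the service columns (smtp inet n \- n ...) and the \-o continuation line no longer align. If the removal is deliberate, consider wrapping example blocks in .EX/.EE where the macro package provides them, or state that terminal rendering is the only supported target. The same point applies to the other column-aligned example blocks this patch touches.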
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
inet_protocols = all
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf
smtp ...other fields... smtp \-o inet_protocols=ipv4
.fi
.ad
-.ft R
.in -4
.br
.PP
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/transport:
smtp\-domain\-that\-verifies\-after\-data smtp\-data\-target:
lmtp\-domain\-that\-verifies\-after\-data lmtp\-data\-target:
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
smtp\-data\-target unix \- \- n \- \- smtp
\-o smtp_address_verify_target=data
\-o lmtp_address_verify_target=data
.fi
.ad
-.ft R
.in -4
.PP
Unselective use of the "data" target does no harm, but will
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
smtp ... smtp \-o smtp_bind_address=11.22.33.44
.fi
.ad
-.ft R
.in -4
.PP
See smtp_bind_address_enforce for how Postfix should handle
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
smtp ... smtp \-o smtp_bind_address6=1:2:3:4:5:6:7:8
.fi
.ad
-.ft R
.in -4
.PP
See smtp_bind_address_enforce for how Postfix should handle
.PP
.nf
.na
-.ft C
\fIname ttl class type preference value\fR
.fi
.ad
-.ft R
.PP
The \fIclass\fR field is always "IN", the \fIpreference\fR
field exists only for MX records, the names of hosts, domains, etc.
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/smtp_dns_reply_filter:
# /domain ttl IN AAAA address/ action, all case\-insensitive.
# Note: the domain name ends in ".".
/^\eS+\e.google\e.com\e.\es+\eS+\es+\eS+\es+AAAA\es+/ IGNORE
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.0 and later.
.SH smtp_dns_resolver_options (default: empty)
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
mysmtp ... smtp \-o smtp_helo_name=foo.bar.com
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.0 and later.
.in +4
.nf
.na
-.ft C
/etc/postfix/master.cf:
broken\-smtp . . . smtp \-o smtp_quote_rfc821_envelope=no
.fi
.ad
-.ft R
.in -4
.PP
and route mail for the destination in question to the "broken\-smtp"
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_reply_filter = pcre:/etc/postfix/reply_filter
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/reply_filter:
# Transform garbage into "250\-filler..." so that it looks like
# one line from a multi\-line reply. It does not matter what we
!/^([2\-5][0\-9][0\-9]($|[\- ]))/ 250\-filler for garbage
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.7.
.SH smtp_rset_timeout (default: 20s)
.PP
.nf
.na
-.ft C
smtp_sasl_auth_cache_name = proxy:btree:/var/lib/postfix/sasl_auth_cache
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_auth_cache_time (default: 90d)
.PP
.nf
.na
-.ft C
smtp_sasl_auth_enable = yes
.fi
.ad
-.ft R
.SH smtp_sasl_auth_soft_bounce (default: yes)
When a remote SMTP server rejects a SASL authentication request
with a 535 reply code, defer mail delivery instead of returning
.PP
.nf
.na
-.ft C
# Default as of Postfix 2.5
smtp_sasl_auth_soft_bounce = yes
# The old hard\-coded default
smtp_sasl_auth_soft_bounce = no
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.5 and later.
.SH smtp_sasl_mechanism_filter (default: empty)
.PP
.nf
.na
-.ft C
smtp_sasl_mechanism_filter = plain, login
smtp_sasl_mechanism_filter = /etc/postfix/smtp_mechs
smtp_sasl_mechanism_filter = !gssapi, !login, static:rest
.fi
.ad
-.ft R
.SH smtp_sasl_password_maps (default: empty)
Optional Postfix SMTP client lookup tables with one username:password
entry per sender, remote hostname or next\-hop domain. Per\-sender
.PP
.nf
.na
-.ft C
smtp_sasl_security_options = noplaintext
.fi
.ad
-.ft R
.SH smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)
The SASL authentication security options that the Postfix SMTP
client uses for TLS encrypted SMTP sessions.
.PP
.nf
.na
-.ft C
smtp_tls_CAfile = /etc/postfix/CAcert.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_CApath (default: empty)
.PP
.nf
.na
-.ft C
smtp_tls_CApath = /etc/postfix/certs
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_block_early_mail_reply (default: no)
.in +4
.nf
.na
-.ft C
smtp_tls_cert_file =
smtp_tls_key_file =
smtp_tls_eccert_file =
smtp_tls_chain_files =
.fi
.ad
-.ft R
.in -4
.PP
The best way to use the default settings is to comment out the above
.in +4
.nf
.na
-.ft C
# \fBumask 077\fR
# \fBcat client_key.pem client_cert.pem intermediate_CA.pem > chain.pem \fR
.fi
.ad
-.ft R
.in -4
.PP
If you also want to verify remote SMTP server certificates issued by
.PP
.nf
.na
-.ft C
smtp_tls_cert_file = /etc/postfix/chain.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_chain_files (default: empty)
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_tls_chain_files =
${config_directory}/ed25519.pem,
${config_directory}/rsa.pem
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/ed25519.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/ed448.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/rsa.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.PP
Example (all keys and certificates in a single file):
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_tls_chain_files = ${config_directory}/chains.pem
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/chains.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 3.4 and later.
.PP
.nf
.na
-.ft C
smtp_tls_dcert_file = /etc/postfix/client\-dsa.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_dkey_file (default: $smtp_tls_dcert_file)
.PP
.nf
.na
-.ft C
smtp_tls_eccert_file = /etc/postfix/ecdsa\-ccert.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.
.PP
.nf
.na
-.ft C
# SHA256 digest of the first certificate in "cert.pem"
$ openssl x509 \-in cert.pem \-outform DER | openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# SHA256 digest of the SPKI of the first certificate in "cert.pem"
$ openssl x509 \-in cert.pem \-pubkey \-noout |
openssl pkey \-pubin \-outform DER | openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# SHA256 digest of the SPKI of the first private key in "pkey.pem"
$ openssl pkey \-in pkey.pem \-pubout \-outform DER |
openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.9 and later.
.SH smtp_tls_enforce_peername (default: yes)
.in +4
.nf
.na
-.ft C
smtp_tls_exclude_ciphers = aNULL
smtp_tls_exclude_ciphers = MD5, DES
smtp_tls_exclude_ciphers = DES+MD5
smtp_tls_exclude_ciphers = kEDH+aRSA
.fi
.ad
-.ft R
.in -4
.PP
The first setting disables anonymous ciphers. The next setting
.in +4
.nf
.na
-.ft C
relayhost = [mailhub.example.com]
smtp_tls_security_level = fingerprint
smtp_tls_fingerprint_digest = sha256
dd:5c:ef:f5:c3:bc:64:25:36:...:99:36:06:ce:40:ef:de:2e:ad:a4
.fi
.ad
-.ft R
.in -4
.PP
Example: Certificate fingerprint verification with selected destinations.
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_fingerprint_digest = sha256
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/tls_policy:
example.com fingerprint
match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
match=b6:b4:72:34:e2:59:cd:...:c2:ca:63:0d:4d:cc:2c:7d:84:de:e6:2f
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.5 and later.
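Review bot: removing ".ft C" ahead of the /etc/postfix/tls_policy example and ".ft R" after it leaves ".nf"/".na" as the only markup on the block, so on typeset output the policy entry and its "match=" fingerprint lines are set in the same font as the surrounding prose. If the aim is to drop a font name the formatter does not provide, say so in the commit message, and consider substituting a fixed-width font request instead of deleting the pair so configuration examples stay visually distinct from explanatory text.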
.in +4
.nf
.na
-.ft C
$ openssl x509 \-noout \-fingerprint \-\fIdigest\fR \-in \fIcertfile\fR.pem
.fi
.ad
-.ft R
.in -4
.PP
The text to the right of the "=" sign is the desired fingerprint.
.in +4
.nf
.na
-.ft C
$ openssl x509 \-noout \-fingerprint \-sha256 \-in cert.pem
SHA256 Fingerprint=D4:6A:AB:19:24:...:BB:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
.fi
.ad
-.ft R
.in -4
.PP
To extract the public key fingerprint from an X.509 certificate,
.in +4
.nf
.na
-.ft C
# OpenSSL >= 1.0 with SHA\-256 fingerprints.
$ openssl x509 \-in cert.pem \-noout \-pubkey |
openssl pkey \-pubin \-outform DER |
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:...:fc:09:1a:61:98:b5:bc:7c:60:58
.fi
.ad
-.ft R
.in -4
.PP
The Postfix SMTP server and client log the peer (leaf) certificate
.PP
.nf
.na
-.ft C
smtp_tls_key_file = $smtp_tls_cert_file
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_loglevel (default: 0)
.in +4
.nf
.na
-.ft C
# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtp_tls_mandatory_protocols = >=TLSv1.2, <=0305
smtp_tls_mandatory_protocols = >=0x0303
.fi
.ad
-.ft R
.in -4
.PP
With Postfix < 3.6 there is no support for a minimum or maximum
.in +4
.nf
.na
-.ft C
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
.fi
.ad
-.ft R
.in -4
.PP
also disables any protocol versions higher than TLSv1.1 leaving
Example:
.nf
.na
-.ft C
# Preferred syntax with Postfix >= 3.6:
smtp_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
# Legacy syntax:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_note_starttls_offer (default: no)
.PP
.nf
.na
-.ft C
postfix/smtp[pid]: Host offered STARTTLS: [name.of.host]
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_per_site (default: empty)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Postfix 2.5 and later.
smtp_tls_fingerprint_digest = sha256
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/tls_policy:
example.edu none
example.mil may
match=51:e9:af:2e:1e:40:1f:...:64:0a:30:35:2d:09:16:31:5a:eb:82:76
.fi
.ad
-.ft R
.PP
\fBNote:\fR The "hostname" strategy if listed in a non\-default
setting of smtp_tls_secure_cert_match or in the "match" attribute
.in +4
.nf
.na
-.ft C
# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtp_tls_protocols = >=TLSv1, <=0305
smtp_tls_protocols = >=0x0301
.fi
.ad
-.ft R
.in -4
.PP
With Postfix < 3.6 there is no support for a minimum or maximum
.in +4
.nf
.na
-.ft C
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1.1
.fi
.ad
-.ft R
.in -4
also disables any protocols version higher than TLSv1.1 leaving
only "TLSv1" enabled.
Example:
.nf
.na
-.ft C
# Preferred syntax with Postfix >= 3.6:
smtp_tls_protocols = >=TLSv1, <=TLSv1.3
# Legacy syntax:
smtp_tls_protocols = !SSLv2, !SSLv3
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later.
.SH smtp_tls_scert_verifydepth (default: 9)
.in +4
.nf
.na
-.ft C
smtp_tls_secure_cert_match = nexthop
.fi
.ad
-.ft R
.in -4
.PP
Sample policy table override:
.in +4
.nf
.na
-.ft C
example.net secure match=example.com:.example.com
\&.example.net secure match=example.com:.example.com
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.3 and later.
.PP
.nf
.na
-.ft C
# No TLS. Formerly: smtp_use_tls=no and smtp_enforce_tls=no.
smtp_tls_security_level = none
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Opportunistic TLS.
smtp_tls_security_level = may
# Do not tweak opportunistic ciphers or protocols unless it is essential
smtp_tls_protocols = !SSLv2, !SSLv3
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Mandatory (high\-grade) TLS encryption.
smtp_tls_security_level = encrypt
smtp_tls_mandatory_ciphers = high
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Authenticated TLS 1.2 or better matching the nexthop domain or a
# subdomain.
smtp_tls_security_level = secure
smtp_tls_secure_cert_match = nexthop, dot\-nexthop
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Certificate fingerprint verification (Postfix >= 2.5).
# The CA\-less "fingerprint" security level only scales to a limited
# number of destinations. As a global default rather than a per\-site
EC:3B:2D:B0:...:A3:9D:72:F6
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_servername (default: empty)
.PP
.nf
.na
-.ft C
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtp_tls_session_cache_timeout (default: 3600s)
.in +4
.nf
.na
-.ft C
$ openssl x509 \-in cert.pem \-out ta\-key.pem \-noout \-pubkey
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.11 and later.
.PP
.nf
.na
-.ft C
smtp_tls_verify_cert_match = hostname, nexthop, dot\-nexthop
.fi
.ad
-.ft R
.PP
Sample policy table override:
.PP
.nf
.na
-.ft C
example.com verify match=hostname:nexthop
\&.example.com verify match=example.com:.example.com:hostname
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtp_tls_wrappermode (default: no)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
# Client\-side SMTPS requires "encrypt" or stronger.
smtp_tls_security_level = encrypt
relayhost = [mail.example.com]:465
.fi
.ad
-.ft R
.PP
More examples are in TLS_README, including examples for older
Postfix versions.
.PP
.nf
.na
-.ft C
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
.fi
.ad
-.ft R
.SH smtpd_client_auth_rate_limit (default: 0)
The maximal number of AUTH commands that any client is allowed to
send to this service per time unit, regardless of whether or not
.PP
.nf
.na
-.ft C
smtpd_client_connection_rate_limit = 1000
.fi
.ad
-.ft R
.SH smtpd_client_event_limit_exceptions (default: $mynetworks)
Clients that are excluded from smtpd_client_*_count/rate_limit
restrictions. See the mynetworks parameter
.PP
.nf
.na
-.ft C
smtpd_client_message_rate_limit = 1000
.fi
.ad
-.ft R
.SH smtpd_client_new_tls_session_rate_limit (default: 0)
The maximal number of new (i.e., uncached) TLS sessions that a
remote SMTP client is allowed to negotiate with this service per
.PP
.nf
.na
-.ft C
smtpd_client_new_tls_session_rate_limit = 100
.fi
.ad
-.ft R
.SH smtpd_client_port_logging (default: no)
Enable logging of the remote SMTP client port in addition to
the hostname and IP address. The logging format is "host[address]:port".
.PP
.nf
.na
-.ft C
smtpd_client_recipient_rate_limit = 1000
.fi
.ad
-.ft R
.SH smtpd_client_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the
context of a client connection request.
mail when used as:
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_client_restrictions =
sleep 1, reject_unauth_pipelining
smtpd_delay_reject = no
.fi
.ad
-.ft R
This feature is available in Postfix 2.3.
.br
.IP "\fBwarn_if_reject\fR"
.PP
.nf
.na
-.ft C
smtpd_client_restrictions = permit_mynetworks, reject_unknown_client_hostname
.fi
.ad
-.ft R
.SH smtpd_command_filter (default: empty)
A mechanism to transform commands from remote SMTP clients.
This is a last\-resort tool to work around client commands that break
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_command_filter = pcre:/etc/postfix/command_filter
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/command_filter:
# Work around clients that send malformed HELO commands.
/^HELO\es*$/ HELO domain.invalid
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Work around clients that send empty lines.
/^\es*$/ NOOP
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Work around clients that send RCPT TO:<'user@domain'>.
# WARNING: do not lose the parameters that follow the address.
/^(RCPT\es+TO:\es*<)'([^[:space:]]+)'(>.*)/ $1$2$3
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Append XVERP to MAIL FROM commands to request VERP\-style delivery.
# See VERP_README for more information on how to use Postfix VERP.
/^(MAIL\es+FROM:\es*<listname@example\e.com>.*)/ $1 XVERP
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# Bounce\-never mail sink. Use notify_classes=bounce,resource,software
# to send bounced mail to the postmaster (with message body removed).
/^(RCPT\es+TO:\es*<.*>.*)\es+NOTIFY=\eS+(.*)/ $1 NOTIFY=NEVER$2
/^(RCPT\es+TO:.*)/ $1 NOTIFY=NEVER
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.7.
.SH smtpd_data_restrictions (default: empty)
.PP
.nf
.na
-.ft C
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_multi_recipient_bounce
.fi
.ad
-.ft R
.SH smtpd_delay_open_until_valid_rcpt (default: yes)
Postpone the start of an SMTP mail transaction until a valid
RCPT TO command is received. Specify "no" to create a mail transaction
.PP
.nf
.na
-.ft C
smtpd_etrn_restrictions = permit_mynetworks, reject
.fi
.ad
-.ft R
.SH smtpd_expansion_filter (default: see "postconf \-d" output)
What characters are allowed in $name expansions of RBL reply
templates. Characters not in the allowed set are replaced by "_".
.in +4
.nf
.na
-.ft C
# Require the standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
# Otherwise, allow bare <LF> and process it as if the client sent
# <CR><LF>.
smtpd_forbid_bare_newline_exclusions = $mynetworks
.fi
.ad
-.ft R
.in -4
.PP
Alternative:
.in +4
.nf
.na
-.ft C
# Reject input lines that contain <LF> and log a "bare <LF> received"
# error. Require that input lines end in <CR><LF>, and require the
# standard End\-of\-DATA sequence <CR><LF>.<CR><LF>.
# smtpd_discard_ehlo_keywords = chunking, silent\-discard
.fi
.ad
-.ft R
.in -4
.PP
This feature with settings \fByes\fR and \fBno\fR is available
.PP
.nf
.na
-.ft C
smtpd_helo_required = yes
.fi
.ad
-.ft R
.SH smtpd_helo_restrictions (default: empty)
Optional restrictions that the Postfix SMTP server applies in the
context of a client HELO command.
.PP
.nf
.na
-.ft C
smtpd_helo_restrictions = permit_mynetworks, reject_invalid_helo_hostname
smtpd_helo_restrictions = permit_mynetworks, reject_unknown_helo_hostname
.fi
.ad
-.ft R
.SH smtpd_history_flush_threshold (default: 100)
The maximal number of lines in the Postfix SMTP server command history
before it is flushed upon receipt of EHLO, RSET, or end of DATA.
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
# Log all "permit" actions.
smtpd_log_access_permit_actions = static:all
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
# Log "permit_dnswl_client" only.
smtpd_log_access_permit_actions = permit_dnswl_client
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.10 and later.
.SH smtpd_milter_maps (default: empty)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_milter_maps = cidr:/etc/postfix/smtpd_milter_map
smtpd_milters = inet:host:port, { inet:host:port, ... }, ...
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/smtpd_milter_map:
# Disable Milters for local clients.
127.0.0.0/8 DISABLE
2001:db8::/32 DISABLE
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.2 and later.
.SH smtpd_milters (default: empty)
.in +4
.nf
.na
-.ft C
reject, reject_unauth_destination
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
defer, defer_if_permit, defer_unauth_destination
.fi
.ad
-.ft R
.in -4
.PP
Specify a list of restrictions, separated by commas and/or whitespace.
.PP
.nf
.na
-.ft C
# The Postfix before 2.10 default mail relay policy. Later Postfix
# versions implement this preferably with smtpd_relay_restrictions.
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
.fi
.ad
-.ft R
.SH smtpd_reject_footer (default: empty)
Optional information that is appended after each Postfix SMTP
server
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_reject_footer = \ec. For assistance, call 800\-555\-0101.
Please provide the following information in your problem report:
($server_name).
.fi
.ad
-.ft R
.PP
Server response:
.PP
.nf
.na
-.ft C
550\-5.5.1 <user@example> Recipient address rejected: User
unknown. For assistance, call 800\-555\-0101. Please provide the
following information in your problem report: time (Jan 4 15:42:00),
client (192.168.1.248) and server (mail1.example.com).
.fi
.ad
-.ft R
.PP
Note: the above text is meant to make it easier to find the
Postfix logfile records for a failed SMTP session. The text itself
.in +4
.nf
.na
-.ft C
reject, reject_unauth_destination
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
defer, defer_if_permit, defer_unauth_destination
.fi
.ad
-.ft R
.in -4
.PP
Specify a list of restrictions, separated by commas and/or whitespace.
.in +4
.nf
.na
-.ft C
# With Postfix 2.10 and later, the mail relay policy is
# preferably specified under smtpd_relay_restrictions.
smtpd_relay_restrictions =
permit_mynetworks, permit_sasl_authenticated, ...
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# With Postfix before 2.10, the relay policy can be
# specified only under smtpd_recipient_restrictions.
smtpd_recipient_restrictions =
permit_mynetworks, permit_sasl_authenticated, ...
.fi
.ad
-.ft R
.in -4
.PP
To reject all SMTP connections from unauthenticated clients,
.in +4
.nf
.na
-.ft C
smtpd_client_restrictions = permit_sasl_authenticated, reject
.fi
.ad
-.ft R
.in -4
.PP
See the SASL_README file for SASL configuration and operation details.
.PP
.nf
.na
-.ft C
smtpd_sasl_exceptions_networks = $mynetworks
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.1 and later.
.SH smtpd_sasl_local_domain (default: empty)
.PP
.nf
.na
-.ft C
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
.fi
.ad
-.ft R
.SH smtpd_sasl_mechanism_filter (default: !external, static:rest)
If non\-empty, a filter for the SASL mechanism names that the
Postfix SMTP server will announce in the EHLO response. By default,
.PP
.nf
.na
-.ft C
smtpd_sasl_mechanism_filter = !external, !gssapi, static:rest
smtpd_sasl_mechanism_filter = login, plain
smtpd_sasl_mechanism_filter = /etc/postfix/smtpd_mechs
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.6 and later.
.SH smtpd_sasl_path (default: smtpd)
.PP
.nf
.na
-.ft C
smtpd_sasl_security_options = noanonymous, noplaintext
.fi
.ad
-.ft R
.SH smtpd_sasl_service (default: smtp)
The service name that is passed to the SASL plug\-in that is
selected with \fBsmtpd_sasl_type\fR and \fBsmtpd_sasl_path\fR.
.PP
.nf
.na
-.ft C
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/access
.fi
.ad
-.ft R
.SH smtpd_service_name (default: smtpd)
The internal service that \fBpostscreen\fR(8) hands off allowed
connections to. In a future version there may be different
.PP
.nf
.na
-.ft C
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_CApath (default: empty)
.PP
.nf
.na
-.ft C
smtpd_tls_CApath = /etc/postfix/certs
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_always_issue_session_ids (default: yes)
.PP
.nf
.na
-.ft C
smtpd_tls_always_issue_session_ids = no
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtpd_tls_ask_ccert (default: no)
.PP
.nf
.na
-.ft C
smtpd_tls_cert_file = /etc/postfix/server.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_chain_files (default: empty)
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_tls_chain_files =
${config_directory}/ed25519.pem,
${config_directory}/rsa.pem
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/ed25519.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/ed448.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MEcCAQAwBQYDK2VxBDsEOQf+m0P+G0qi+NZ0RolyeiE5zdlPQR8h8y4jByBifpIe
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/rsa.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDc4QusgkahH9rL
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.PP
Example (all keys and certificates in a single file):
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_tls_chain_files = ${config_directory}/chains.pem
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/chains.pem:
\-\-\-\-\-BEGIN PRIVATE KEY\-\-\-\-\-
MC4CAQAwBQYDK2VwBCIEIEJfbbO4BgBQGBg9NAbIJaDBqZb4bC4cOkjtAH+Efbz3
\-\-\-\-\-END CERTIFICATE\-\-\-\-\-
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 3.4 and later.
.PP
.nf
.na
-.ft C
smtpd_tls_dcert_file = /etc/postfix/server\-dsa.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_dh1024_param_file (default: empty)
.in +4
.nf
.na
-.ft C
openssl dhparam \-out /etc/postfix/dh2048.pem 2048
openssl dhparam \-out /etc/postfix/dh1024.pem 1024
# As of Postfix 3.6, export\-grade 512\-bit DH parameters are no longer
openssl dhparam \-out /etc/postfix/dh512.pem 512
.fi
.ad
-.ft R
.in -4
.PP
It is safe to share the same DH parameters between multiple
.PP
.nf
.na
-.ft C
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_dh512_param_file (default: empty)
.PP
.nf
.na
-.ft C
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later,
but is ignored in Postfix 3.6 and later.
.PP
.nf
.na
-.ft C
smtpd_tls_eccert_file = /etc/postfix/ecdsa\-scert.pem
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later, when Postfix is
compiled and linked with OpenSSL 1.0.0 or later.
.PP
.nf
.na
-.ft C
# SHA256 digest of the first certificate in "cert.pem"
$ openssl x509 \-in cert.pem \-outform DER | openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# SHA256 digest of the SPKI of the first certificate in "cert.pem"
$ openssl x509 \-in cert.pem \-pubkey \-noout |
openssl pkey \-pubin \-outform DER | openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
# SHA256 digest of the SPKI of the first private key in "pkey.pem"
$ openssl pkey \-in pkey.pem \-pubout \-outform DER |
openssl dgst \-sha256 \-c
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.9 and later.
.SH smtpd_tls_exclude_ciphers (default: empty)
.in +4
.nf
.na
-.ft C
smtpd_tls_exclude_ciphers = aNULL
smtpd_tls_exclude_ciphers = MD5, DES
smtpd_tls_exclude_ciphers = DES+MD5
smtpd_tls_exclude_ciphers = kEDH+aRSA
.fi
.ad
-.ft R
.in -4
.PP
The first setting disables anonymous ciphers. The next setting
.in +4
.nf
.na
-.ft C
$ openssl x509 \-noout \-fingerprint \-\fIdigest\fR \-in \fIcertfile\fR.pem
.fi
.ad
-.ft R
.in -4
.PP
The text to the right of "=" sign is the desired fingerprint.
.in +4
.nf
.na
-.ft C
$ openssl x509 \-noout \-fingerprint \-sha256 \-in cert.pem
SHA256 Fingerprint=D4:6A:AB:19:24:...:A6:CB:66:82:C0:8E:9B:EE:29:A8:1A
.fi
.ad
-.ft R
.in -4
.PP
To extract the public key fingerprint from an X.509 certificate,
.in +4
.nf
.na
-.ft C
$ openssl x509 \-in cert.pem \-noout \-pubkey |
openssl pkey \-pubin \-outform DER |
openssl dgst \-sha256 \-c
(stdin)= 64:3f:1f:f6:e5:1e:d4:2a:56:8b:fc:09:1a:61:98:b5:bc:7c:60:58
.fi
.ad
-.ft R
.in -4
.PP
The Postfix SMTP server and client log the peer (leaf) certificate
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
smtpd_tls_fingerprint_digest = sha256
smtpd_client_restrictions =
reject
.fi
.ad
-.ft R
.nf
.na
-.ft C
/etc/postfix/access:
# Action folded to next line...
AF:88:7C:AD:51:95:6F:36:96:...:01:FB:2E:48:CD:AB:49:25:A2:3B
permit_auth_destination
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix 2.5 and later.
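Review bot: with "-.ft R" and "-.ft C" gone from between the main.cf and /etc/postfix/access examples, ".fi"/".ad" is followed directly by ".nf"/".na" and nothing separates the two listings. Other adjacent example pairs in this patch's context (main.cf followed by tls_policy, main.cf followed by ed25519.pem) have ".in -4", ".sp", ".in +4" between them; consider adding the same here so the fingerprint entry of the access table is not read as a continuation of smtpd_client_restrictions in main.cf.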
.in +4
.nf
.na
-.ft C
# Allow only TLS 1.2 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtpd_tls_mandatory_protocols = >=TLSv1.2, <=0305
smtpd_tls_mandatory_protocols = >=0x0303
.fi
.ad
-.ft R
.in -4
.PP
With Postfix < 3.6 there is no support for a minimum or maximum
.PP
.nf
.na
-.ft C
# Preferred syntax with Postfix >= 3.6:
smtpd_tls_mandatory_protocols = >=TLSv1.2, <=TLSv1.3
# Legacy syntax:
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.3 and later.
.SH smtpd_tls_protocols (default: see 'postconf \-d' output)
.in +4
.nf
.na
-.ft C
# Allow only TLS 1.0 through (hypothetical) TLS 1.4, once supported
# in some future version of OpenSSL (presently a warning is logged).
smtpd_tls_protocols = >=TLSv1, <=0305
smtpd_tls_protocols = >=0x0301
.fi
.ad
-.ft R
.in -4
.PP
With Postfix < 3.6 there is no support for a minimum or maximum
Example:
.nf
.na
-.ft C
# Preferred syntax with Postfix >= 3.6:
smtpd_tls_protocols = >=TLSv1, <=TLSv1.3
# Legacy syntax:
smtpd_tls_protocols = !SSLv2, !SSLv3
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later.
.SH smtpd_tls_received_header (default: no)
.PP
.nf
.na
-.ft C
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.2 and later.
.SH smtpd_tls_session_cache_timeout (default: 3600s)
.PP
.nf
.na
-.ft C
soft_bounce = yes
.fi
.ad
-.ft R
.SH stale_lock_time (default: 500s)
The time after which a stale exclusive mailbox lockfile is removed.
This is used for delivery to file or mailbox.
.PP
.nf
.na
-.ft C
swap_bangpath = no
.fi
.ad
-.ft R
.SH syslog_facility (default: mail)
The syslog facility of Postfix logging. Specify a facility as
defined in syslog.\fBconf\fR(5). The default facility is "mail".
.in +4
.nf
.na
-.ft C
# postconf \-e master_service_disable=inet
# postfix reload
.fi
.ad
-.ft R
.in -4
.PP
This immediately terminates all processes that accept network
.in +4
.nf
.na
-.ft C
# postconf \-e tcp_windowsize=65535 master_service_disable=
# postfix reload
.fi
.ad
-.ft R
.in -4
.PP
If you skip these steps with a running Postfix system, then the
.in +4
.nf
.na
-.ft C
# The name 'openssl_conf' is the default application name
# The section name to the right of the '=' sign is arbitrary,
# any name will do, so long as it refers to the desired section.
MinProtocol = TLSv1.2
.fi
.ad
-.ft R
.in -4
.PP
Example: Custom settings for an application named "postfix".
.in +4
.nf
.na
-.ft C
# The mapping from an application name to the corresponding configuration
# section must appear near the top of the file, (in what is sometimes called
# the "default section") prior to the start of any explicitly named
MinProtocol = TLSv1
.fi
.ad
-.ft R
.in -4
.PP
This feature is available in Postfix >= 3.9, 3.8.1, 3.7.6,
.in +4
.nf
.na
-.ft C
/etc/postfix/main.cf:
#
# The indexed SNI table must be created with "postmap \-F"
tls_server_sni_maps = ${indexed}sni
.fi
.ad
-.ft R
.in -4
.sp
.in +4
.nf
.na
-.ft C
/etc/postfix/sni:
#
# The example.com domain has both an RSA and ECDSA certificate
example.org /etc/postfix/sni\-chains/example.net.pem
.fi
.ad
-.ft R
.in -4
.PP
Note that the SNI lookup tables should also have entries for
.in +4
.nf
.na
-.ft C
example.com. IN MX 0 example.com.mx1.example.net.
example.com. IN MX 0 example.com.mx2.example.net.
.fi
.ad
-.ft R
.in -4
.PP
and the TLS certificate may be for "*.example.net". The "*"
.PP
.nf
.na
-.ft C
transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
.fi
.ad
-.ft R
.SH transport_minimum_delivery_slots (default: $default_minimum_delivery_slots)
A transport\-specific override for the default_minimum_delivery_slots
parameter value, where \fItransport\fR is the master.cf name of
.PP
.nf
.na
-.ft C
# Default value before Postfix 2.8.
# Note: the ":" and ";" are both required.
undisclosed_recipients_header = To: undisclosed\-recipients:;
.fi
.ad
-.ft R
.SH unknown_address_reject_code (default: 450)
The numerical response code when the Postfix SMTP server rejects a
sender or recipient address because its domain is unknown. This
.PP
.nf
.na
-.ft C
unknown_local_recipient_reject_code = 450
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.0 and later.
.SH unknown_relay_recipient_reject_code (default: 550)
.PP
.nf
.na
-.ft C
unverified_recipient_reject_reason = Recipient address lookup failed
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later.
.SH unverified_recipient_tempfail_action (default: $reject_tempfail_action)
.PP
.nf
.na
-.ft C
unverified_sender_reject_reason = Sender address lookup failed
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 2.6 and later.
.SH unverified_sender_tempfail_action (default: $reject_tempfail_action)
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
use_srv_lookup = submission
relayhost = example.com:submission
...see SASL_README for sasl configuration...
.fi
.ad
-.ft R
.PP
Example 2: MUA\-to\-MTA submission using SRV record lookup for
the "submissions" service for domain "example.org". This uses a
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
use_srv_lookup = submissions
default_transport = smtp\-wraptls:example.org:submissions
...see SASL_README for sasl configuration...
.fi
.ad
-.ft R
.PP
.nf
.na
-.ft C
/etc/postfix/master.cf:
smtp\-wraptls unix ... ... ... ... ... smtp
\-o { smtp_tls_wrappermode = yes }
\-o { smtp_tls_security_level = encrypt }
.fi
.ad
-.ft R
.PP
Example 3: Sender\-dependent selection for a combination of
MUA\-to\-MTA submission services. This combines examples 1 and 2 with
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
use_srv_lookup = submission, submissions
sender_dependent_default_transport_maps = inline:{
...see SASL_README for sasl configuration...
.fi
.ad
-.ft R
.PP
Example 4: MTA\-to\-MTA traffic, using SRV record lookup for the
SMTP service. This is useful for Postfix tests, and may be useful
.PP
.nf
.na
-.ft C
/etc/postfix/main.cf:
use_srv_lookup = smtp
# Fall back to MX record lookup when SRV records are unavailable.
#ignore_srv_lookup_error = yes
.fi
.ad
-.ft R
.PP
This feature is available in Postfix 3.8 and later.
.SH verp_delimiter_filter (default: \-=+)
.PP
.nf
.na
-.ft C
virtual_alias_domains = virtual1.tld virtual2.tld
.fi
.ad
-.ft R
.SH virtual_alias_expansion_limit (default: 1000)
The maximal number of addresses that virtual alias expansion produces
from each original recipient.
.PP
.nf
.na
-.ft C
virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
.fi
.ad
-.ft R
.SH virtual_alias_recursion_limit (default: 1000)
The maximal nesting depth of virtual alias expansion. Currently
the recursion limit is applied only to the left branch of the
.PP
.nf
.na
-.ft C
virtual_mailbox_base = /var/mail
.fi
.ad
-.ft R
.SH virtual_mailbox_domains (default: $virtual_mailbox_maps)
Postfix is the final destination for the specified list of domains;
mail is delivered via the $virtual_transport mail delivery transport.