Bugfix: the test for "no debugger_command" was wrong.
Leandro Santi. File: global/debugger_command.c.
-20041117
+20040117
Robustness: the master-child protocol now includes a process
generation number besides the child process ID. The process
instead of appending mail to a deleted file. To minimize
the use of this workaround, Postfix now by default creates
mailbox dotlock files on all systems, and creates dotlock
- files before opening mailbox files. Files: util/sys_defs.h,
- global/mbox_open.c.
-
-20070301
-
- Workaround: updated workaround for broken Solaris accept().
- File: util/inet_listen.c.
-
- Workaround: on some FreeBSD versions, accept(2) can fail
- with a bogus EINVAL error. We now allow accept(2) to fail
- for a limited number of times before terminating the process.
- Files: master/single_server.c, master/multi_server.c.
-
-20070306
-
- Bugfix (introduced with Postfix 2.3 Milter support): postdrop
- reported "illegal seek" instead of "file too large". File:
- postdrop/postdrop.c.
-
-20070310
-
- Cleanup: specify "undisclosed_recipients_header =" to disable
- Postfix's "To: undisclosed-recipients:;" header for mail
- that lists no recipient. The To: header is not required as
- of RFC 2822. The undisclosed_recipients_header parameter
- value can now be an empty string, a value that was not
- allowed with earlier Postfix versions. With Postfix 2.5 it
- will be empty by default. Files: cleanup/cleanup.c,
- cleanup/cleanup_message.c.
-
-20070312
-
- Backwards compatibility: don't pad short message header
- records when Milter support is turned off. This maintains
- compatibility with Postfix versions that pre-date Milter
- support. File: cleanup/cleanup_out.c.
-
-20070314
-
- Bitrot: move the "don't run this daemon by hand" message
- before other tests. Files: master/*server.c.
-
-20070315
-
- Bitrot: New OpenLDAP APIs deprecate simplified interfaces,
- that are the only ones available in Sun's LDAP SDK. Define
- suitable macros that work with new OpenLDAP and Sun's code.
- Victor Duchovni, Morgan Stanley. File: src/global/dict_ldap.c
-
- Cleanup: new "leaf" and "terminal" result attributes support
- fine-tuning of LDAP group expansion, and provide a solution
- for the problem case where DN recursion returns both the
- group address and the addresses of the member objects.
- Victor Duchovni, Morgan Stanley. Files: src/global/dict_ldap.c,
- proto/LDAP_README.html, proto/ldap_table
-
-20070317
-
- Idioten Sicherheit: stamp every executable file and every
- core dump file with "mail_version=xxxxx". Adding version
- stamps and checks to every IPC message is too much change
- after code freeze, and requires too much time for testing.
- File: src/global/mail_version.h and every main program file.
-
-20070320
-
- Bugfix (introduced between 20070120 and 20070121): the
- cleanup server stored no "delayed mail warning" queue file
- records with "sendmail -t", and no header_checks filter/redirect
- records or content encoding records with other mail. File:
- global/rec_type.h.
-
-20070321
-
- Bugfix (introduced 20070224): local(8) or virtual(8) could
- log a misleading error message after failure to open a
- mailbox file. File: global/mbox_open.c.
-
- Bugfix (code should have been updated 20070104): the proxymap
- client did not propagate changes in case folding flags.
- Currently, nothing in Postfix uses this functionality.
- File: global/dict_proxy.c.
+ files before opening mailbox files. Files: util/sys_defs.h.
Wish list:
- Bind all deliveries to the same local delivery process,
- making Postfix perform as poorly as monolithic mailers,
- but giving a possibility to eliminate duplicate deliveries.
-
- Maybe declare loop when resolve_local(mxhost) is true?
-
Update message content length when adding/removing headers.
Need scache size limit.
am using now.
Update MILTER_README with Martinec info.
- http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
Make postcat header/body aware so people can grep headers.
* QSHAPE_README: Bottleneck analysis
* TUNING_README: Performance tuning
* DEBUG_README: Debugging strategies
+ * Error messages (*)
C\bCo\bon\bnt\bte\ben\bnt\bt i\bin\bns\bsp\bpe\bec\bct\bti\bio\bon\bn
M\bMa\bai\bil\bli\bin\bng\bg l\bli\bis\bst\bt s\bsu\bup\bpp\bpo\bor\brt\bt
+ * qmail/ezmlm support (*)
* VERP_README: VERP Support
S\bSp\bpe\bec\bci\bif\bfi\bic\bc e\ben\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bts\bs
* LINUX_README: Linux issues
* NFS_README: NFS issues
+ * ULTRIX_README: Ultrix support
O\bOt\bth\bhe\ber\br m\bma\bai\bil\bl d\bde\bel\bli\biv\bve\ber\bry\by a\bag\bge\ben\bnt\bts\bs
+ * Cyrus (*)
* MAILDROP_README: Maildrop
+ * LMTP (*)
O\bOt\bth\bhe\ber\br t\bto\bop\bpi\bic\bcs\bs
* XCLIENT_README: XCLIENT Command
* XFORWARD_README: XFORWARD Command
+(*) These documents will be made available via http://www.postfix.org/ and
+mirror sites.
+
* The list of domains that are a member of the class: for example, all local
domains, or all relay domains.
- * The default delivery transport. For example, the local, virtual or relay
- delivery transport (delivery transports are defined in master.cf). This
- helps to keep Postfix configurations simple, by avoiding the need for
- explicit routing information in transport maps.
+ * The default delivery method. For example, the local or smtp delivery agent.
+ This helps to keep Postfix configurations simple.
* The list of valid recipient addresses for that address class. The Postfix
SMTP server rejects invalid recipients with "User unknown in <name of
W\bWA\bAR\bRN\bNI\bIN\bNG\bG
The sender/recipient address verification feature described in this document is
-suitable only for low-traffic sites. It performs poorly under high load;
-excessive sender address verification activity may even cause your site to be
-blacklisted by some providers. See the "Limitations" section below for details.
+suitable only for low-traffic sites. It performs poorly under high load and may
+cause your site to be blacklisted by some providers. See the "Limitations"
+section below for details.
W\bWh\bha\bat\bt P\bPo\bos\bst\btf\bfi\bix\bx a\bad\bdd\bdr\bre\bes\bss\bs v\bve\ber\bri\bif\bfi\bic\bca\bat\bti\bio\bon\bn c\bca\ban\bn d\bdo\bo f\bfo\bor\br y\byo\bou\bu
Recipient address verification is relatively straightforward and there are no
surprises. If a recipient probe fails, then Postfix rejects mail for the
recipient address. If a recipient probe succeeds, then Postfix accepts mail for
-the recipient address. However, recipient address verification probes can
-increase the load on down-stream MTAs when you're being flooded by backscatter
-bounces, or when some spammer is mounting a dictionary attack.
+the recipient address.
By default, address verification results are not saved. To avoid probing the
same address repeatedly, you can store the result in a persistent database as
the same performance improvement as with a shared connection cache, non-shared
connections need to be kept open for a longer time.
+ Internet <-- smtp(8) <-> scache(8) <-> smtp(8) --> Internet
+
+
The scache(8) server, introduced with Postfix version 2.2, maintains the shared
connection cache. With Postfix version 2.2, only the smtp(8) client has support
to access this cache.
- /-- smtp(8) --> Internet
-
- qmgr(8) |
- |
- \-- | smtp(8) --> Internet
- |
- ^
- |
-
- scache(8)
-
When SMTP connection caching is enabled (see next section), the smtp(8) client
does not disconnect after a mail transaction, but gives the connection to the
scache(8) server which keeps the connection open for a limited amount of time.
lookups" below.
* You can use Berkeley DB files with fixed lookup strings for simple address
rewriting operations and you can use regular expression tables for the more
- complicated work. In other words, you don't have to put everything into the
- same table.
+ complicated work.
P\bPo\bos\bst\btf\bfi\bix\bx l\bli\bis\bst\bts\bs v\bve\ber\brs\bsu\bus\bs t\bta\bab\bbl\ble\bes\bs
is because commands such as postmap(1) or postalias(1) overwrite existing
files. If the update fails in the middle then you have no usable database, and
Postfix will stop working. This is not an issue with the CDB database type
-available with Postfix 2.2 and later: CDB creates a new file, and renames the
-file upon successful completion.
+available with Postfix 2.2 and later, because CDB database rebuilds are atomic.
With multi-file databases such as DBM, there is no simple solution. With
Berkeley DB and other "one file" databases, it is possible to add some extra
in tcp_table(5). The lookup table name is "tcp:host:port" where "host"
specifies a symbolic hostname or a numeric IP address, and "port"
specifies a symbolic service name or a numeric port number. This
- protocol is not available up to and including Postfix version 2.4.
+ protocol is not available up to and including Postfix version 2.2.
u\bun\bni\bix\bx (read-only)
A limited way to query the UNIX authentication database. The following
tables are implemented:
B\bBu\bui\bil\bld\bdi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx o\bon\bn s\bsy\bys\bst\bte\bem\bms\bs w\bwi\bit\bth\bho\bou\but\bt B\bBe\ber\brk\bke\bel\ble\bey\by D\bDB\bB
-Some UNIXes ship without Berkeley DB support; for historical reasons these use
-DBM files instead. A problem with DBM files is that they can store only limited
-amounts of data. To build Postfix with Berkeley DB support you need to download
-and install the source code from http://www.oracle.com/database/berkeley-db/.
+Many commercial UNIXes ship without Berkeley DB support. Examples are Solaris,
+HP-UX, IRIX, UNIXWARE. In order to build Postfix with Berkeley DB support you
+need to download and install the source code from http://www.sleepycat.com/
Warning: some Linux system libraries use Berkeley DB, as do some third-party
libraries such as SASL. If you compile Postfix with a different Berkeley DB
implementation, then every Postfix program will dump core because either the
-system library, the SASL library, or Postfix itself ends up using the wrong
+system library, SASL library, or Postfix itself ends up using the wrong
version.
The more recent Berkeley DB versions have a compile-time switch, "--with-
can co-exist in the same application. Although wasteful, this may be the only
way to keep things from falling apart.
-To build Postfix after you installed the Berkeley DB from source code, use
-something like:
+To build Postfix after you installed the Berkeley DB from http://
+www.sleepycat.com/, use something like:
% make tidy
% make makefiles CCARGS="-DHAS_DB -I/usr/local/BerkeleyDB/include" \
% make makefiles .... AUXLIBS="... -lpthread"
-More information is available at http://www.oracle.com/database/berkeley-db/.
+More information is available at http://www.sleepycat.com/.
configuration file settings that you can fix. Postfix cannot proceed until
this is fixed.
- * "e\ber\brr\bro\bor\br" reports an error condition. For safety reasons, a Postfix process
- will terminate when more than 13 of these happen.
+ * "e\ber\brr\bro\bor\br" reports a fatal or non-fatal error condition. Postfix cannot
+ proceed until this is fixed.
* "w\bwa\bar\brn\bni\bin\bng\bg" indicates a non-fatal error. These are problems that you may not
be able to fix (such as a broken DNS server elsewhere on the network) but
Mail Delivery Status Report will be mailed to <your login name>.
These reports contain information that is generated by Postfix delivery agents.
-Since these run as daemon processes that cannot interact with users directly,
+Since these run as daemon processes and do not interact with users directly,
the result is sent as mail to the sender of the test message. The format of
these reports is practically identical to that of ordinary non-delivery
notifications.
R\bRe\bec\bco\bor\brd\bd t\bth\bhe\be S\bSM\bMT\bTP\bP s\bse\bes\bss\bsi\bio\bon\bn w\bwi\bit\bth\bh a\ba n\bne\bet\btw\bwo\bor\brk\bk s\bsn\bni\bif\bff\bfe\ber\br
This example uses t\btc\bcp\bpd\bdu\bum\bmp\bp. In order to record a conversation you need to
-specify a large enough buffer with the "-\b-s\bs" option or else you will miss some
+specify a large enough buffer with the "-s" option or else you will miss some
or all of the packet payload.
- # t\btc\bcp\bpd\bdu\bum\bmp\bp -\b-w\bw /\b/f\bfi\bil\ble\be/\b/n\bna\bam\bme\be -\b-s\bs 0\b0 h\bho\bos\bst\bt e\bex\bxa\bam\bmp\bpl\ble\be.\b.c\bco\bom\bm a\ban\bnd\bd p\bpo\bor\brt\bt 2\b25\b5
-
-Older tcpdump versions don't support "-\b-s\bs 0\b0"; in that case, use "-\b-s\bs 2\b20\b00\b00\b0"
-instead.
+ # t\btc\bcp\bpd\bdu\bum\bmp\bp -\b-w\bw /\b/f\bfi\bil\ble\be/\b/n\bna\bam\bme\be -\b-s\bs 2\b20\b00\b00\b0 h\bho\bos\bst\bt e\bex\bxa\bam\bmp\bpl\ble\be.\b.c\bco\bom\bm a\ban\bnd\bd p\bpo\bor\brt\bt 2\b25\b5
Run this for a while, stop with Ctrl-C when done. To view the data use a binary
-viewer, e\bet\bth\bhe\ber\bre\bea\bal\bl, or good old l\ble\bes\bss\bs.
+viewer, or e\bet\bth\bhe\ber\bre\bea\bal\bl, or use my t\btc\bcp\bpd\bdu\bum\bmp\bpx\bx utility that is available from ftp://
+ftp.porcupine.org/pub/debugging/.
M\bMa\bak\bki\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx d\bda\bae\bem\bmo\bon\bn p\bpr\bro\bog\bgr\bra\bam\bms\bs m\bmo\bor\bre\be v\bve\ber\brb\bbo\bos\bse\be
Append one or more "-\b-v\bv" options to selected daemon definitions in /etc/postfix/
master.cf and type "p\bpo\bos\bst\btf\bfi\bix\bx r\bre\bel\blo\boa\bad\bd". This will cause a lot of activity to be
-logged to the syslog daemon. For example, to make the Postfix SMTP server
-process more verbose:
+logged to the syslog daemon. Example:
/etc/postfix/master.cf:
smtp inet n - n - - smtpd -v
-To diagnose problems with address rewriting specify a "-\b-v\bv" option for the
-cleanup(8) and/or trivial-rewrite(8) daemon, and to diagnose problems with mail
-delivery specify a "-\b-v\bv" option for the qmgr(8) or oqmgr(8) queue manager, or
-for the lmtp(8), local(8), pipe(8), smtp(8), or virtual(8) delivery agent.
+This makes the Postfix SMTP server more verbose. To diagnose problems with
+address rewriting one would specify a "-\b-v\bv" option for the cleanup(8) and/or
+trivial-rewrite(8) daemon, and to diagnose problems with mail delivery one
+would specify a "-\b-v\bv" option for the qmgr(8) or oqmgr(8) queue manager, or for
+the lmtp(8), local(8), pipe(8), smtp(8), or virtual(8) delivery agent.
M\bMa\ban\bnu\bua\bal\bll\bly\by t\btr\bra\bac\bci\bin\bng\bg a\ba P\bPo\bos\bst\btf\bfi\bix\bx d\bda\bae\bem\bmo\bon\bn p\bpr\bro\boc\bce\bes\bss\bs
* Postfix logging. See the text at the top of the DEBUG_README document to
find out where logging is stored. Please do not frustrate the helpers by
- word wrapping the logging. If the logging is more than a few kbytes of
- text, consider posting an URL on a web or ftp site.
+ word wrapping the logging.
* Consider using a test email address so that you don't have to reveal email
addresses or passwords of innocent people.
- * If you can't use a test email address, please anonymize email addresses and
- host names consistently. Replace each letter by "A", each digit by "D" so
- that the helpers can still recognize syntactical errors.
+ * If you can't use a test email address, please anonymize information
+ consistently. Replace each letter by "A", each digit by "D" so that the
+ helpers can still recognize syntactical errors.
- * Output from "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-n\bn". Please do not send your main.cf file, or 500+
+ * Output from "p\bpo\bos\bst\btc\bco\bon\bnf\bf -\b-n\bn". Please do not send your main.cf file or 400+
lines of p\bpo\bos\bst\btc\bco\bon\bnf\bf output.
* Better, provide output from the p\bpo\bos\bst\btf\bfi\bin\bng\bge\ber\br tool. This can be found at http:
* If the problem is about too much mail in the queue, consider including
output from the q\bqs\bsh\bha\bap\bpe\be tool, as described in the QSHAPE_README file.
- * If the problem is protocol related (connections time out, or an SMTP server
+ * If the problem is protocol related (connections time out or an SMTP server
complains about syntax errors etc.) consider recording a session with
t\btc\bcp\bpd\bdu\bum\bmp\bp, as described in the DEBUG_README document.
confused with the message ID, which identifies the message content.
The implementation of DSN support involves extra parameters to the SMTP MAIL
-FROM and RCPT TO commands, as well as two Postfix sendmail command line options
+FROM and RCPT TO commands, as well as new Postfix sendmail command line options
that provide a sub-set of the functions of the extra SMTP command parameters.
This document has information on the following topics:
s\bse\ber\brv\bve\ber\br. The mail is not delivered via the connection that was used for sending
ETRN.
+Postfix versions before 1.0 (also known as version 20010228) implemented the
+ETRN command in an inefficient manner: they simply attempted to deliver all
+queued mail. This is slow on mail servers that queue mail for many customers.
+
As of version 1.0, Postfix has a fast ETRN implementation that does not require
Postfix to examine every queue file. Instead, Postfix maintains a record of
what queue files contain mail for destinations that are configured for ETRN
the ETRN service. Client commands are shown in bold font.
220 my.server.tld ESMTP Postfix
- H\bHE\bEL\bLO\bO m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
+ h\bhe\bel\blo\bo m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
250 Ok
- E\bET\bTR\bRN\bN s\bso\bom\bme\be.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
+ e\bet\btr\brn\bn s\bso\bom\bme\be.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
250 Queuing started
- Q\bQU\bUI\bIT\bT
+ q\bqu\bui\bit\bt
221 Bye
As mentioned in the introduction, the mail is delivered by connecting to the
The Postfix operator can request delivery for a specific customer by using the
command "sendmail -qRdestination" and, with Postfix version 1.1 and later,
-"postqueue -sdestination". Access to this feature is controlled with the
-authorized_flush_users configuration parameter (Postfix version 2.2 and later).
+"postqueue -sdestination".
H\bHo\bow\bw P\bPo\bos\bst\btf\bfi\bix\bx f\bfa\bas\bst\bt E\bET\bTR\bRN\bN w\bwo\bor\brk\bks\bs
* The flush(8) daemon maintains per-destination logfiles with queue file
names. When a request to "deliver mail now" arrives, Postfix will attempt
to deliver all recipients in the queue files that have mail for the
- destination in question. This does not perform well with queue files that
- have recipients in many different domains, such as queue files with
- outbound mailing list traffic.
+ destination in question. This does not perform well when queue files have
+ recipients in many different domains.
* The flush(8) daemon maintains per-destination logfiles only for
- destinations listed with $fast_flush_domains. With other destinations you
- cannot request delivery with "sendmail -qRdestination" or, with Postfix
- version 1.1 and later, "postqueue -sdestination".
+ destinations listed with $fast_flush_domains. With other destinations it
+ not possible to trigger delivery with "sendmail -qRdestination" or, with
+ Postfix version 1.1 and later, "postqueue -sdestination".
* Up to and including early versions of Postfix version 2.1, the "fast flush"
service may not deliver some messages if the request to "deliver mail now"
dead domains, and the list of message delivery transports specified with
the defer_transports configuration parameter.
- * Up to and including Postfix version 2.3, the "fast flush" service may not
- deliver some messages if the request to "deliver mail now" arrives while an
- incoming queue scan is already in progress.
-
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx f\bfa\bas\bst\bt E\bET\bTR\bRN\bN s\bse\ber\brv\bvi\bic\bce\be
The behavior of the flush(8) daemon is controlled by parameters in the main.cf
client), and type the commands shown in boldface:
220 my.server.tld ESMTP Postfix
- H\bHE\bEL\bLO\bO m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
+ h\bhe\bel\blo\bo m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
250 Ok
- E\bET\bTR\bRN\bN s\bso\bom\bme\be.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
+ e\bet\btr\brn\bn s\bso\bom\bme\be.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
250 Queuing started
where "some.customer.domain" is the name of a domain that has a non-empty
The text in bold face stands for the commands that you type:
220 my.server.tld ESMTP Postfix
- H\bHE\bEL\bLO\bO m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
+ h\bhe\bel\blo\bo m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
250 Ok
- E\bET\bTR\bRN\bN s\bso\bom\bme\be.\b.o\bot\bth\bhe\ber\br.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
+ e\bet\btr\brn\bn s\bso\bom\bme\be.\b.o\bot\bth\bhe\ber\br.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
250 Queuing started
This time, the "ETRN"" command should trigger NO mail deliveries at all. If
destination.
220 my.server.tld ESMTP Postfix
- H\bHE\bEL\bLO\bO m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
+ h\bhe\bel\blo\bo m\bmy\by.\b.c\bcl\bli\bie\ben\bnt\bt.\b.t\btl\bld\bd
250 Ok
- E\bET\bTR\bRN\bN n\bno\bot\bt.\b.a\ba.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
+ e\bet\btr\brn\bn n\bno\bot\bt.\b.a\ba.\b.c\bcu\bus\bst\bto\bom\bme\ber\br.\b.d\bdo\bom\bma\bai\bin\bn
459 <not.a.customer.domain>: service unavailable
In this case, Postfix should reject the request as shown above.
everything: receiving, filtering and delivering mail. Applications that use two
separate Postfix instances will be covered by a later version of this document.
-The after-queue content filter is not to be confused with the approaches
-described in the SMTPD_PROXY_README or MILTER_README documents, where incoming
-SMTP mail is filtered BEFORE it is stored into the Postfix queue.
+The after-queue content filter is not to be confused with the approach that is
+described in the SMTPD_PROXY_README document, where incoming SMTP mail is
+filtered BEFORE it is stored into the Postfix queue.
This document describes two approaches to content filter all email, as well as
several options to filter mail selectively:
P\bPr\bri\bin\bnc\bci\bip\bpl\ble\bes\bs o\bof\bf o\bop\bpe\ber\bra\bat\bti\bio\bon\bn
-An after-queue content filter receives unfiltered mail from Postfix (as
-described further below) and can do one of the following:
+An external content filter receives unfiltered mail from Postfix (as described
+further below) and does one of the following:
1. Re-inject the mail back into Postfix, perhaps after changing content and/or
destination.
- 2. Discard or quarantine the mail.
-
- 3. Reject the mail (by sending a suitable status code back to Postfix).
- Postfix will send the mail back to the sender address.
+ 2. Reject the mail (by sending a suitable status code back to Postfix).
+ Postfix will return the mail to the sender.
NOTE: in this time of mail worms and forged spam, it is a VERY BAD IDEA to send
viruses back to the sender address, because the sender address is almost
S\bSi\bim\bmp\bpl\ble\be c\bco\bon\bnt\bte\ben\bnt\bt f\bfi\bil\blt\bte\ber\br e\bex\bxa\bam\bmp\bpl\ble\be
-The first example is simple to set up, but has major limitations that will be
-addressed in a second example. Postfix receives unfiltered mail from the
-network with the smtpd(8) server, and delivers unfiltered mail to a content
+The first example is simple to set up. Postfix receives unfiltered mail from
+the network with the smtpd(8) server, and delivers unfiltered mail to a content
filter with the Postfix pipe(8) delivery agent. The content filter injects
filtered mail back into Postfix with the Postfix sendmail(1) command, so that
Postfix can deliver it to the final destination.
Notes:
- * Line 8: The -G option says the filter output is not a local mail
- submission: don't do silly things like appending the local domain name to
- addresses in message headers. This option does nothing before Postfix
- version 2.3.
+ * Line 8: The -G option does nothing before Postfix 2.3, otherwise it
+ disables address rewriting of message headers.
* Line 8: The -i option says don't stop reading input when a line contains
"." only.
* Line 8: NEVER NEVER NEVER use the "-t" command-line option here. It will
- mis-deliver mail, like sending messages from a mailing list back to the
- mailing list.
+ mis-deliver mail, like sending mailing list mail back to the mailing list.
* Line 21: The idea is to first capture the message to file and then run the
content through a third-party content filter program.
- * Line 22: If the message cannot be captured to file, mail delivery is
- deferred by terminating with exit status 75 (EX_TEMPFAIL). Postfix places
- the message in the deferred mail queue and tries again later.
+ * Line 22: If the mail cannot be captured to file, mail delivery is deferred
+ by terminating with exit status 75 (EX_TEMPFAIL). Postfix places the
+ message in the deferred mail queue and tries again later.
* Line 25: You will need to specify a real content filter program here that
receives the content on standard input.
* Line 26: If the content filter program finds a problem, the mail is bounced
- by terminating with exit status 69 (EX_UNAVAILABLE). Postfix will send the
- message back to the sender as undeliverable mail.
+ by terminating with exit status 69 (EX_UNAVAILABLE). Postfix will return
+ the message to the sender as undeliverable.
- * NOTE: in this time of mail worms and spam, it is a BAD IDEA to send known
+ * Note: in this time of mail worms and spam, it is a BAD IDEA to send known
viruses or spam back to the sender, because that address is likely to be
- forged. It is safer to discard known viruses and to quarantine suspicious
- content so that it can be inspected by a human being.
+ forged. It is safer to discard known to be bad content and to quarantine
+ suspicious content so that it can be inspected by a human being.
* Line 28: If the content is OK, it is given as input to the Postfix sendmail
command, and the exit status of the filter command is whatever exit status
I suggest that you first run this script by hand until you are satisfied with
the results. Run it with a real message (headers+body) as input:
- % /path/to/script -f sender -- recipient... <message-file
+ % /path/to/script -f sender recipient... <message-file
Once you're satisfied with the content filtering script:
smtp inet ...other stuff here, do not change... smtpd
-o content_filter=filter:dummy
- The "-o content_filter" line causes Postfix to add one content filter
- request record to each incoming mail message, with content "filter:dummy".
- This record overrides the normal mail routing and causes mail to be given
- to the content filter instead.
+ The "content_filter" line causes Postfix to add one content filter request
+ record to each incoming mail message, with content "filter:dummy". This
+ record overrides the normal mail routing and causes mail to be given to the
+ content filter instead.
The content_filter configuration parameter accepts the same syntax as the
right-hand side in a Postfix transport table.
* Edit the master.cf file, remove the "-o content_filter=filter:dummy" text
from the entry that defines the Postfix SMTP server.
- * Execute "p\bpo\bos\bst\bts\bsu\bup\bpe\ber\br -\b-r\br A\bAL\bLL\bL" to remove content filter request records from
+ * Execute "p\bpo\bos\bst\bts\bsu\bup\bpe\ber\br -\b-r\br A\bAL\bLL\bL" to remove content filter information from
existing queue files.
* Execute another "p\bpo\bos\bst\btf\bfi\bix\bx r\bre\bel\blo\boa\bad\bd".
content filter 10025
The example given here filters all mail, including mail that arrives via SMTP
-and mail that is locally submitted via the Postfix sendmail command (local
-submissions enter Postfix via the pickup(8) server; to keep the figure simple
-we omit local submission details). See examples near the end of this document
-for how to exclude local users from filtering, or how to configure a
-destination dependent content filter.
+and mail that is locally submitted via the Postfix sendmail command. See
+examples near the end of this document for how to exclude local users from
+filtering, or how to configure a destination dependent content filter.
You can expect to lose about a factor of two in Postfix performance for mail
that arrives and leaves via SMTP, provided that the content filter creates no
* The "-o disable_mime_output_conversion=yes" is a workaround that prevents
the breaking of domainkeys and other digital signatures. This is needed
because some SMTP-based content filters don't announce 8BITMIME support,
- even though they can handle 8-bit mail.
+ even though they can handle it just fine.
* The "-o smtp_generic_maps=" is a workaround that prevents local address
rewriting with generic(5) maps. Such rewriting should happen only when mail
user handles all potentially dangerous mail content - that is why it should
be a separate account.
- * By default, Postfix will terminate a command that runs longer than
- command_time_limit seconds (default: 1000s). This is a safety measure that
- prevents filters from running forever.
-
If you want to have your filter listening on port localhost:10025 instead of
Postfix, then you must run your filter as a stand-alone program, and must not
use the Postfix spawn service.
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
- * NOTE: do not use spaces around the "=" or "," characters.
+ * Note: do not use spaces around the "=" or "," characters.
- * NOTE: the SMTP server must not have a smaller process limit than the
+ * Note: the SMTP server must not have a smaller process limit than the
"filter" master.cf entry.
* The "-o content_filter=" overrides main.cf settings, and requests no
content filtering for mail from the content filter. This is required or
- else mail will loop.
+ else mail will stay in the content filtering loop.
* The "-o receive_override_options" overrides main.cf settings to avoid
duplicating work that was already done before the content filter. These
o We specify "no_milters" to disable Milter applications (this option is
available only in Postfix 2.3 and later).
- o We don't specify "no_address_mappings" here. This enables virtual alias
+ o We don't specify "no_address_mapping" here. This enables virtual alias
expansion, canonical mappings, address masquerading, and other address
mappings after the content filter. The main.cf setting of
"receive_override_options" disables these mappings before the content
content_filter = scan:localhost:10025
receive_override_options = no_address_mappings
- * Execute "p\bpo\bos\bst\bts\bsu\bup\bpe\ber\br -\b-r\br A\bAL\bLL\bL" to remove content filter request records from
+ * Execute "p\bpo\bos\bst\bts\bsu\bup\bpe\ber\br -\b-r\br A\bAL\bLL\bL" to remove content filter information from
existing queue files.
* Execute another "p\bpo\bos\bst\btf\bfi\bix\bx r\bre\bel\blo\boa\bad\bd".
1\b1 -\b- P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
-If you are using a pre-compiled version of Postfix, you should start with
-BASIC_CONFIGURATION_README and the general documentation referenced by it.
-INSTALL is only a bootstrap document to get Postfix up and running from scratch
-with the minimal number of steps; it should not be considered part of the
-general documentation.
+This is a bootstrap document that helps you get Postfix up and running from
+scratch with the minimal number of steps. If you are using a pre-compiled
+version of Postfix, you should be reading the general Postfix documentation
+which aims to describe the system in more detail. This bootstrap document
+should not be considered part of the general Postfix documentation.
This document describes how to build, install and configure a Postfix system so
that it can do one of the following:
% export MANPATH; MANPATH="`pwd`/man:$MANPATH"
% setenv MANPATH "`pwd`/man:$MANPATH"
-Of particular interest is the postconf(5) manual page that lists all the 500+
+Of particular interest is the postconf(5) manual page that lists all the 400+
configuration parameters. The HTML version of this text makes it easy to
navigate around.
OSF1.V3 - OSF1.V5 (Digital UNIX)
Reliant UNIX 5.x
Rhapsody 5.x
- SunOS 4.1.4 (March 2007)
- SunOS 5.4 - 5.10 (Solaris 2.4..10)
+ SunOS 4.1.4 (July 2006)
+ SunOS 5.4 - 5.9 (Solaris 2.4..9)
Ultrix 4.x (well, that was long ago)
or something closely resemblant.
4\b4.\b.1\b1 -\b- G\bGe\bet\btt\bti\bin\bng\bg s\bst\bta\bar\brt\bte\bed\bd
On Solaris, the "make" command and other utilities for software development are
-in /usr/ccs/bin, so you MUST have /usr/ccs/bin in your command search path. If
-these files do not exist, install the development packages first. See the
-Solaris FAQ item "Which packages do I need to install to support a C
-compiler?".
+in /usr/ccs/bin, so you MUST have /usr/ccs/bin in your command search path.
If you need to build Postfix for multiple architectures, use the "lndir"
command to build a shadow tree with symbolic links to the source files. "lndir"
4\b4.\b.5\b5 -\b- S\bSu\bup\bpp\bpo\bor\brt\bt f\bfo\bor\br t\bth\bho\bou\bus\bsa\ban\bnd\bds\bs o\bof\bf p\bpr\bro\boc\bce\bes\bss\bse\bes\bs
-The number of connections that Postfix can manage simultaneously is limited by
-the number of processes that it can run. This number in turn is limited by the
-number of files and sockets that a single process can open. For example, the
-Postfix queue manager has a separate connection to each delivery process, and
-the anvil(8) server has one connection per smtpd(8) process.
-
-Postfix version 2.4 and later have no built-in limits on the number of open
-files or sockets, when compiled on systems that support one of the following:
-
- * BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
- * Solaris 8 /dev/poll,
- * Linux 2.6 epoll(4).
-
-With other Postfix versions or operating systems, the number of file
-descriptors per process is limited by the value of the FD_SETSIZE macro. If you
-expect to run more than 1000 mail delivery processes, you may need to override
-the definition of the FD_SETSIZE macro to make select() work correctly:
+In order to build Postfix for very large applications, where you expect to run
+more than 1000 mail delivery processes, you may need to override the definition
+of the FD_SETSIZE macro to make select() work correctly:
% make makefiles CCARGS=-DFD_SETSIZE=2048
not allowed) and overriding the __FD_SETSIZE macro. Beware, undocumented
interfaces can change at any time and without warning.
-But wait, there is more: none of this will work unless the operating system is
-configured to handle thousands of connections. See the TUNING_README guide for
-examples of how to increase the number of open sockets or files.
-
4\b4.\b.6\b6 -\b- C\bCo\bom\bmp\bpi\bil\bli\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx,\b, a\bat\bt l\bla\bas\bst\bt
If the command
This text describes how to install Postfix from source code. See the
PACKAGE_README file if you are building a package for distribution to other
-systems.
+systems. See auxiliary/MacOSX/README-INSTALL.OSX for information about
+installing Postfix from source on Mac OS X.
6\b6.\b.1\b1 -\b- S\bSa\bav\bve\be e\bex\bxi\bis\bst\bti\bin\bng\bg S\bSe\ben\bnd\bdm\bma\bai\bil\bl b\bbi\bin\bna\bar\bri\bie\bes\bs
IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix,
you may need to keep the old sendmail program running for some time in order to
-flush the mail queue.
-
- * Some systems implement a mail switch mechanism where different MTAs
- (Postfix, Sendmail, etc.) can be installed at the same time, while only one
- of them is actually being used. Examples of such switching mechanisms are
- the FreeBSD mailwrapper(8) or the Linux mail switch. In this case you
- should try to "flip" the switch to "Postfix" before installing Postfix.
-
- * If your system has no mail switch mechanism, execute the following commands
- (your sendmail, newaliases and mailq programs may be in a different place):
+flush the mail queue. As superuser, execute the following commands (your
+sendmail, newaliases and mailq programs may be in a different place):
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# make upgrade (non-interactive version, for upgrades)
- * The interactive version ("make install") asks for pathnames for Postfix
- data and program files, and stores your preferences in the main.cf file. I\bIf\bf
- y\byo\bou\bu d\bdo\bon\bn'\b't\bt w\bwa\ban\bnt\bt P\bPo\bos\bst\btf\bfi\bix\bx t\bto\bo o\bov\bve\ber\brw\bwr\bri\bit\bte\be n\bno\bon\bn-\b-P\bPo\bos\bst\btf\bfi\bix\bx "\b"s\bse\ben\bnd\bdm\bma\bai\bil\bl"\b",\b, "\b"m\bma\bai\bil\blq\bq"\b" a\ban\bnd\bd
- "\b"n\bne\bew\bwa\bal\bli\bia\bas\bse\bes\bs"\b" f\bfi\bil\ble\bes\bs,\b, s\bsp\bpe\bec\bci\bif\bfy\by p\bpa\bat\bth\bhn\bna\bam\bme\bes\bs t\bth\bha\bat\bt e\ben\bnd\bd i\bin\bn "\b".\b.p\bpo\bos\bst\btf\bfi\bix\bx"\b".
-
* The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf
file from a previous installation. If the file does not exist, use
interactive installation ("make install") instead.
+ * The interactive version offers suggestions for pathnames that you can
+ override interactively, and stores your preferences in /etc/postfix/main.cf
+ for convenient future upgrades.
+
6\b6.\b.4\b4 -\b- C\bCo\bon\bnf\bfi\big\bgu\bur\bre\be P\bPo\bos\bst\btf\bfi\bix\bx
Proceed to the section on how you wish to run Postfix on your particular
address. Simply configure your mail user agent to directly invoke the Postfix
sendmail program.
-To create a virtual network interface address, study your system ifconfig
-manual page. The command syntax could be any of:
-
- # i
\bif
\bfc
\bco
\bon
\bnf
\bfi
\big
\bg l
\ble
\be0
\b0:
\b:1
\b1 <
\b<a
\bad
\bdd
\bdr
\bre
\bes
\bss
\bs>
\b> n
\bne
\bet
\btm
\bma
\bas
\bsk
\bk <
\b<m
\bma
\bas
\bsk
\bk>
\b> u
\bup
\bp
- # i
\bif
\bfc
\bco
\bon
\bnf
\bfi
\big
\bg e
\ben
\bn0
\b0 a
\bal
\bli
\bia
\bas
\bs <
\b<a
\bad
\bdd
\bdr
\bre
\bes
\bss
\bs>
\b> n
\bne
\bet
\btm
\bma
\bas
\bsk
\bk 2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5.
\b.2
\b25
\b55
\b5
-
In the /etc/postfix/main.cf file, I would specify
/etc/postfix/main.cf:
* Configuring LDAP lookups
* Example: aliases
* Example: virtual domains/addresses
- * Example: expanding LDAP groups
* Other uses of LDAP lookups
* Notes and things to think about
* Feedback
and in ldap:/etc/postfix/ldap-aliases.cf you have:
- server_host = ldap.example.com
- search_base = dc=example, dc=com
+ server_host = ldap.my.com
+ search_base = dc=my, dc=com
Upon receiving mail for a local address "ldapuser" that isn't found in the /
etc/aliases database, Postfix will search the LDAP server listening at port 389
-on ldap.example.com. It will bind anonymously, search for any directory entries
+on ldap.my.com. It will bind anonymously, search for any directory entries
whose mailacceptinggeneralid attribute is "ldapuser", read the "maildrop"
attributes of those found, and build a list of their maildrops, which will be
treated as RFC822 addresses to which the message will be delivered.
attributes are fully qualified with their virtual domains. Finally, if you want
to designate a directory entry as the default user for a virtual domain, just
give it an additional mailacceptinggeneralid (or the equivalent in your
-directory) of "@fake.dom". That's right, no user part. If you don't want a
+directory) of "@virtual.dom". That's right, no user part. If you don't want a
catchall user, omit this step and mail to unknown users in the domain will
simply bounce.
Normal users might simply have one mailacceptinggeneralid and maildrop, e.g.
"normaluser@fake.dom" and "normaluser@real.dom".
-E\bEx\bxa\bam\bmp\bpl\ble\be:\b: e\bex\bxp\bpa\ban\bnd\bdi\bin\bng\bg L\bLD\bDA\bAP\bP g\bgr\bro\bou\bup\bps\bs
-
-LDAP is frequently used to store group member information. There are a number
-of ways of handling LDAP groups. We will show a few examples in order of
-increasing complexity, but owing to the number of independent variables, we can
-only present a tiny portion of the solution space. We show how to:
-
- 1. query groups as lists of addresses;
-
- 2. query groups as lists of user objects containing addresses;
-
- 3. forward special lists unexpanded to a separate list server, for moderation
- or other processing;
-
- 4. handle complex schemas by controlling expansion and by treating leaf nodes
- specially, using features that are new in Postfix 2.4.
-
-The example LDAP entries and implied schema below show two group entries
-("agroup" and "bgroup") and four user entries ("auser", "buser", "cuser" and
-"duser"). The group "agroup" has the users "auser" (1) and "buser" (2) as
-members via DN references in the multi-valued attribute "memberdn", and direct
-email addresses of two external users "auser@example.org" (3) and
-"buser@example.org" (4) stored in the multi-valued attribute "memberaddr". The
-same is true of "bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but "bgroup" also
-has a "maildrop" attribute of "bgroup@mlm.example.com" (5):
-
- dn: cn=agroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: agroup
- mail: agroup@example.com
- 1 -> memberdn: uid=auser, dc=example, dc=com
- 2 -> memberdn: uid=buser, dc=example, dc=com
- 3 -> memberaddr: auser@example.org
- 4 -> memberaddr: buser@example.org
-
- dn: cn=bgroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: bgroup
- mail: bgroup@example.com
- 5 -> maildrop: bgroup@mlm.example.com
- 6 -> memberdn: uid=cuser, dc=example, dc=com
- 7 -> memberdn: uid=duser, dc=example, dc=com
- 8 -> memberaddr: cuser@example.org
- 9 -> memberaddr: duser@example.org
-
- dn: uid=auser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: auser
- 10 -> mail: auser@example.com
- 11 -> maildrop: auser@mailhub.example.com
-
- dn: uid=buser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: buser
- 12 -> mail: buser@example.com
- 13 -> maildrop: buser@mailhub.example.com
-
- dn: uid=cuser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: cuser
- 14 -> mail: cuser@example.com
-
- dn: uid=duser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: duser
- 15 -> mail: duser@example.com
-
-Our first use case ignores the "memberdn" attributes, and assumes that groups
-hold only direct "memberaddr" strings as in (3), (4), (8) and (9). The goal is
-to map the group address to the list of constituent "memberaddr" values. This
-is simple, ignoring the various connection related settings (hosts, ports, bind
-settings, timeouts, ...) we have:
-
- simple.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- $ postmap -q agroup@example.com ldap:simple.cf
- auser@example.org,buser@example.org
-
-We search "dc=example, dc=com". The "mail" attribute is used in the
-query_filter to locate the right group, the "result_attribute" setting
-described in ldap_table(5) is used to specify that "memberaddr" values from the
-matching group are to be returned as a comma separated list. Always check
-tables using postmap(1) with the "-q" option, before deploying them into
-production use in main.cf.
-
-Our second use case instead expands "memberdn" attributes (1), (2), (6) and
-(7), follows the DN references and returns the "maildrop" of the referenced
-user entries. Here we use the "special_result_attribute" setting from
-ldap_table(5) to designate the "memberdn" attribute as holding DNs of the
-desired member entries. The "result_attribute" setting selects which attributes
-are returned from the selected DNs. It is important to choose a result
-attribute that is not also present in the group object, because result
-attributes are collected from both the group and the member DNs. In this case
-we choose "maildrop" and assume for the moment that groups never have a
-"maildrop" (the "bgroup" "maildrop" attribute is for a different use case). The
-returned data for "auser" and "buser" is from items (11) and (13) in the
-example data.
-
- special.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q agroup@example.com ldap:special.cf
- auser@mailhub.example.com,buser@mailhub.example.com
-
-Note: if the desired member object result attribute is always also present in
-the group, you get surprising results: the expansion also returns the address
-of the group. This is a known limitation of Postfix releases prior to 2.4, and
-is addressed in the new with Postfix 2.4 "leaf_result_attribute" feature
-described in ldap_table(5).
-
-Our third use case has some groups that are expanded immediately, and other
-groups that are forwarded to a dedicated mailing list manager host for delayed
-expansion. This uses two LDAP tables, one for users and forwarded groups and a
-second for groups that can be expanded immediately. It is assumed that groups
-that require forwarding are never nested members of groups that are directly
-expanded.
-
- no_expand.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- expand.cf
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
- auser@mailhub.example.com
- $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
- auser@mailhub.example.com,buser@mailhub.example.com
- $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
- bgroup@mlm.example.com
-
-Non-group objects and groups with delayed expansion (those that have a maildrop
-attribute) are rewritten to a single maildrop value. Groups that don't have a
-maildrop are expanded as the second use case. This admits a more elegant
-solution with Postfix 2.4 and later.
-
-Our final use case is the same as the third, but this time uses new features in
-Postfix 2.4. We now are able to use just one LDAP table and no longer need to
-assume that forwarded groups are never nested inside expanded groups.
-
- fancy.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- special_result_attribute = memberdn
- terminal_result_attribute = maildrop
- leaf_result_attribute = mail
- $ postmap -q auser@example.com ldap:fancy.cf
- auser@mailhub.example.com
- $ postmap -q cuser@example.com ldap:fancy.cf
- cuser@example.com
- $ postmap -q agroup@example.com ldap:fancy.cf
-
- auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
- $ postmap -q bgroup@example.com ldap:fancy.cf
- bgroup@mlm.example.com
-
-Above, delayed expansion is enabled via "terminal_result_attribute", which, if
-present, is used as the sole result and all other expansion is suppressed.
-Otherwise, the "leaf_result_attribute" is only returned for leaf objects that
-don't have a "special_result_attribute" (non-groups), while the
-"result_attribute" (direct member address of groups) is returned at every level
-of recursive expansion, not just the leaf nodes. This fancy example illustrates
-all the features of Postfix 2.4 group expansion.
-
O\bOt\bth\bhe\ber\br u\bus\bse\bes\bs o\bof\bf L\bLD\bDA\bAP\bP l\blo\boo\bok\bku\bup\bps\bs
Other common uses for LDAP lookups include rewriting senders and recipients
with Postfix's canonical lookups, for example in order to make mail leaving
-your site appear to be coming from "First.Last@example.com" instead of
-"userid@example.com".
+your site appear to be coming from "First.Last@site.dom" instead of
+"userid@site.dom".
N\bNo\bot\bte\bes\bs a\ban\bnd\bd t\bth\bhi\bin\bng\bgs\bs t\bto\bo t\bth\bhi\bin\bnk\bk a\bab\bbo\bou\but\bt
define an entry intended for use as a mailing list that looks like this
(Warning! Schema made up just for this example):
- dn: cn=Accounting Staff List, dc=example, dc=com
+ dn: cn=Accounting Staff List, dc=my, dc=com
cn: Accounting Staff List
- o: example.com
+ o: my.com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
* Liviu Daia with further refinements from Jose Luis Tallon and Victor
Duchovni developed the common query, result_format, domain and
expansion_limit interface for LDAP, MySQL and PosgreSQL.
- * Gunnar Wrobel provided a first implementation of a feature to limit LDAP
- search results to leaf nodes only. Victor generalized this into the Postfix
- 2.4 "leaf_result_attribute" feature.
And of course Wietse.
B\bBe\ber\brk\bke\bel\ble\bey\by D\bDB\bB i\bis\bss\bsu\bue\bes\bs
-If you can't compile Postfix because the file "db.h" isn't found, then you MUST
-install the Berkeley DB development package (name: db???-devel-???) that
-matches your system library. You can find out what is installed with the rpm
-command. For example:
+Warning: if you can't compile Postfix because the file "db.h" isn't found, then
+you MUST install the Berkeley DB development package (name: db???-devel-???)
+that matches your system library. You can find out what is installed with the
+rpm command. For example:
$ r\brp\bpm\bm -\b-q\bqf\bf /\b/u\bus\bsr\br/\b/l\bli\bib\bb/\b/l\bli\bib\bbd\bdb\bb.\b.s\bso\bo
db4-4.3.29-2
This means that you need to install db4-devel-4.3.29-2 (on some systems,
-specify "r\brp\bpm\bm -\b-q\bqf\bf /\b/l\bli\bib\bb/\b/l\bli\bib\bbd\bdb\bb.\b.s\bso\bo" instead).
+specify /lib/libdb.so in the rpm query).
DO NOT download some Berkeley DB version from the network. Every Postfix
program will dump core when it is built with a different Berkeley DB version
P\bPr\bro\boc\bcm\bma\bai\bil\bl i\bis\bss\bsu\bue\bes\bs
On RedHat Linux 7.1 and later p\bpr\bro\boc\bcm\bma\bai\bil\bl no longer has permission to write the
-mail spool directory. Workaround:
-
- # chmod 1777 /var/spool/mail
+mail spool directory. Workaround: chmod 1777 /var/spool/mail.
S\bSy\bys\bsl\blo\bog\bgd\bd p\bpe\ber\brf\bfo\bor\brm\bma\ban\bnc\bce\be
local_recipient_maps =
That is, an empty value. With this setting, the Postfix SMTP server will not
-reject mail with "User unknown in local recipient table". D\bDo\bon\bn'\b't\bt d\bdo\bo t\bth\bhi\bis\bs o\bon\bn
-s\bsy\bys\bst\bte\bem\bms\bs t\bth\bha\bat\bt r\bre\bec\bce\bei\biv\bve\be m\bma\bai\bil\bl d\bdi\bir\bre\bec\bct\btl\bly\by f\bfr\bro\bom\bm t\bth\bhe\be I\bIn\bnt\bte\ber\brn\bne\bet\bt.\b. W\bWi\bit\bth\bh t\bto\bod\bda\bay\by'\b's\bs w\bwo\bor\brm\bms\bs a\ban\bnd\bd
-v\bvi\bir\bru\bus\bse\bes\bs,\b, P\bPo\bos\bst\btf\bfi\bix\bx w\bwi\bil\bll\bl b\bbe\bec\bco\bom\bme\be a\ba b\bba\bac\bck\bks\bsc\bca\bat\btt\bte\ber\br s\bso\bou\bur\brc\bce\be:\b: i\bit\bt a\bac\bcc\bce\bep\bpt\bts\bs m\bma\bai\bil\bl f\bfo\bor\br n\bno\bon\bn-\b-
-e\bex\bxi\bis\bst\bte\ben\bnt\bt r\bre\bec\bci\bip\bpi\bie\ben\bnt\bts\bs a\ban\bnd\bd t\bth\bhe\ben\bn t\btr\bri\bie\bes\bs t\bto\bo r\bre\bet\btu\bur\brn\bn t\bth\bha\bat\bt m\bma\bai\bil\bl a\bas\bs "\b"u\bun\bnd\bde\bel\bli\biv\bve\ber\bra\bab\bbl\ble\be"\b" t\bto\bo
-t\bth\bhe\be o\bof\bft\bte\ben\bn f\bfo\bor\brg\bge\bed\bd s\bse\ben\bnd\bde\ber\br a\bad\bdd\bdr\bre\bes\bss\bs.
+reject mail with "User unknown in local recipient table".
W\bWh\bhe\ben\bn y\byo\bou\bu n\bne\bee\bed\bd t\bto\bo c\bch\bha\ban\bng\bge\be t\bth\bhe\be l\blo\boc\bca\bal\bl_\b_r\bre\bec\bci\bip\bpi\bie\ben\bnt\bt_\b_m\bma\bap\bps\bs s\bse\bet\btt\bti\bin\bng\bg i\bin\bn m\bma\bai\bin\bn.\b.c\bcf\bf
directories.
The following example shows how to use maildrop for some.domain and for
-someother.domain. The example comes in two parts.
-
-Part 1 describes changes to the main.cf file:
+someother.domain.
1 /etc/postfix/main.cf:
2 maildrop_destination_recipient_limit = 1
Note: Do not use the postfix user as the maildrop user.
-Part 2 describes changes to the master.cf file:
-
/etc/postfix/master.cf:
maildrop unix - n n - - pipe
flags=ODRhu user=vmail argv=/path/to/maildrop -d ${recipient}
The reason for adding Milter support to Postfix is that there exists a large
collection of applications, not only to block unwanted mail, but also to verify
-authenticity (examples: Domain keys identified mail, SenderID+SPF and Domain
-keys) or to digitally sign mail (examples: Domain keys identified mail, Domain
-keys). Having yet another Postfix-specific version of all that software is a
-poor use of human and system resources.
+authenticity (examples: SenderID+SPF and Domain keys) or to digitally sign mail
+(example: Domain keys). Having yet another Postfix-specific version of all that
+software is a poor use of human and system resources.
Postfix version 2.4 implements all the requests of Sendmail version 8 Milter
protocols up to version 4, including message body replacement (body replacement
such a library, but Sendmail does.
On some Linux and *BSD distributions, the Sendmail libmilter library is
-installed by default. With this, applications such as dkim-milter and sid-
-milter build out of the box without requiring any tinkering:
+installed by default. With this, applications such as dk-milter and sid-milter
+build out of the box without requiring any tinkering:
- $ g\bgz\bzc\bca\bat\bt d\bdk\bki\bim\bm-\b-m\bmi\bil\blt\bte\ber\br-\b-x\bx.\b.y\by.\b.z\bz.\b.t\bta\bar\br.\b.g\bgz\bz |\b| t\bta\bar\br x\bxf\bf -\b-
- $ c\bcd\bd d\bdk\bki\bim\bm-\b-m\bmi\bil\blt\bte\ber\br-\b-x\bx.\b.y\by.\b.z\bz
+ $ g\bgz\bzc\bca\bat\bt d\bdk\bk-\b-m\bmi\bil\blt\bte\ber\br-\b-x\bx.\b.y\by.\b.z\bz.\b.t\bta\bar\br.\b.g\bgz\bz |\b| t\bta\bar\br x\bxf\bf -\b-
+ $ c\bcd\bd d\bdk\bk-\b-m\bmi\bil\blt\bte\ber\br-\b-x\bx.\b.y\by.\b.z\bz
$ m\bma\bak\bke\be
[...lots of output omitted...]
To run a Milter application, see the documentation of the filter for options. A
typical command looks like this:
- # /\b/s\bso\bom\bme\be/\b/w\bwh\bhe\ber\bre\be/\b/d\bdk\bki\bim\bm-\b-f\bfi\bil\blt\bte\ber\br -\b-u\bu u\bus\bse\ber\bri\bid\bd -\b-p\bp i\bin\bne\bet\bt:\b:p\bpo\bor\brt\btn\bnu\bum\bmb\bbe\ber\br@\b@l\blo\boc\bca\bal\blh\bho\bos\bst\bt .\b..\b..\b.o\bot\bth\bhe\ber\br
+ # /\b/s\bso\bom\bme\be/\b/w\bwh\bhe\ber\bre\be/\b/d\bdk\bk-\b-f\bfi\bil\blt\bte\ber\br -\b-u\bu u\bus\bse\ber\bri\bid\bd -\b-p\bp i\bin\bne\bet\bt:\b:p\bpo\bor\brt\btn\bnu\bum\bmb\bbe\ber\br@\b@l\blo\boc\bca\bal\blh\bho\bos\bst\bt .\b..\b..\b.o\bot\bth\bhe\ber\br
o\bop\bpt\bti\bio\bon\bns\bs.\b..\b..\b.
Please specify a userid value that isn't used for other applications (not
X-SenderID: Sendmail Sender-ID Filter vx.y.z host.example.com <unknown-
msgid>
- This happens because those Milter applications expect that the queue ID is
+ This happens because some Milter applications expect that the queue ID is
known before the MTA accepts the MAIL FROM (sender) command. Postfix, on
the other hand, does not choose a queue file name until after it accepts
- the first valid RCPT TO (recipient) command (Postfix queue file names must
+ the first valid RCPT TO (recipient) command. Postfix queue file names must
be unique across multiple directories, so the name can't be chosen before
- the file is created; if multiple messages were to use the same queue ID
- simultaneously, mail would be lost).
+ the file is created. If multiple messages were to use the same queue ID
+ simultaneously, mail would be lost.
-If you experience the ugly header problem, see if a recent version of the
-Milter application fixes it. For example, current versions of dkim-filter and
-dk-filter already have code that looks up the Postfix queue ID at a later
-protocol stage.
+ To work around the ugly message header from Milter applications, we add a
+ little code to the Milter source to look up the queue ID after Postfix
+ receives the end of the message.
-To fix the ugly message header with sid-filter applications, we change the
-source code, so that it does the queue ID lookup after Postfix receives the end
-of the message.
+ o Edit the filter source file (typically named dk-filter/dk-filter.c or
+ similar).
- * Edit the filter source file (named sid-filter/sid-filter.c).
+ o Look up the mlfi_eom() function and add code near the top shown as b\bbo\bol\bld\bd
+ text below:
- * Look up the smfilter table and replace mlfi_eoh by NULL.
+ dfc = cc->cctx_msg;
+ assert(dfc != NULL);
- * Look up the mlfi_eom() function and add code near the top that calls
- mlfi_eoh() as shown by the b\bbo\bol\bld\bd text below:
+ /\b/*\b* D\bDe\bet\bte\ber\brm\bmi\bin\bne\be t\bth\bhe\be j\bjo\bob\bb I\bID\bD f\bfo\bor\br l\blo\bog\bgg\bgi\bin\bng\bg.\b. *\b*/\b/
+ i\bif\bf (\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b==\b= 0\b0 |\b||\b| s\bst\btr\brc\bcm\bmp\bp(\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd,\b, J\bJO\bOB\bBI\bID\bDU\bUN\bNK\bKN\bNO\bOW\bWN\bN)\b) =\b==\b= 0\b0)\b)
+ {\b{
+ c\bch\bha\bar\br *\b*j\bjo\bob\bbi\bid\bd =\b= s\bsm\bmf\bfi\bi_\b_g\bge\bet\bts\bsy\bym\bmv\bva\bal\bl(\b(c\bct\btx\bx,\b, "\b"i\bi"\b")\b);\b;
+ i\bif\bf (\b(j\bjo\bob\bbi\bid\bd !\b!=\b= 0\b0)\b)
+ d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b= j\bjo\bob\bbi\bid\bd;\b;
+ }\b}
- assert(ctx != NULL);
- #endif /* !DEBUG */
+ /* get hostname; used in the X header and in new MIME boundaries */
- r\bre\bet\bt =\b= m\bml\blf\bfi\bi_\b_e\beo\boh\bh(\b(c\bct\btx\bx)\b);\b;
- i\bif\bf (\b(r\bre\bet\bt !\b!=\b= S\bSM\bMF\bFI\bIS\bS_\b_C\bCO\bON\bNT\bTI\bIN\bNU\bUE\bE)\b)
- r\bre\bet\btu\bur\brn\bn r\bre\bet\bt;\b;
+ NOTES:
-NOTES:
+ o Different mail filters use slightly different names for variables. If
+ the above code does not compile, look for the code at the start of the
+ mlfi_eoh() routine.
- * This was tested with sid-milter-0.2.10 and sid-milter-0.2.14.
+ o This fixes only the ugly message header, but not the WARNING message.
+ Fortunately, dk-filter logs that message only once.
- * This fixes only the ugly message header, but not the WARNING message.
- Fortunately, sid-milter logs that message only once.
+ With some Milter applications we can fix both the WARNING and the "unknown-
+ msgid" by postponing the call of mlfi_eoh() (or whatever routine logs the
+ WARNING) until the end of the message.
-To fix the ugly message header with other Milter applications, you will need to
-do something like this:
+ o Edit the filter source file (typically named sid-filter/sid-filter.c or
+ similar).
- * Edit the filter source file (typically named xxx-filter/xxx-filter.c or
- similar).
+ o Look up the smfilter table and replace mlfi_eoh (or whatever routine
+ logs the WARNING) by NULL.
- * Look up the mlfi_eom() function and add code near the top shown as b\bbo\bol\bld\bd
- text below:
+ o Look up the mlfi_eom() function and add code near the top that calls
+ mlfi_eoh() as shown by the b\bbo\bol\bld\bd text below:
- dfc = cc->cctx_msg;
- assert(dfc != NULL);
+ assert(ctx != NULL);
+ #endif /* !DEBUG */
- /\b/*\b* D\bDe\bet\bte\ber\brm\bmi\bin\bne\be t\bth\bhe\be j\bjo\bob\bb I\bID\bD f\bfo\bor\br l\blo\bog\bgg\bgi\bin\bng\bg.\b. *\b*/\b/
- i\bif\bf (\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b==\b= 0\b0 |\b||\b| s\bst\btr\brc\bcm\bmp\bp(\b(d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd,\b, J\bJO\bOB\bBI\bID\bDU\bUN\bNK\bKN\bNO\bOW\bWN\bN)\b) =\b==\b= 0\b0)\b) {\b{
- c\bch\bha\bar\br *\b*j\bjo\bob\bbi\bid\bd =\b= s\bsm\bmf\bfi\bi_\b_g\bge\bet\bts\bsy\bym\bmv\bva\bal\bl(\b(c\bct\btx\bx,\b, "\b"i\bi"\b")\b);\b;
- i\bif\bf (\b(j\bjo\bob\bbi\bid\bd !\b!=\b= 0\b0)\b)
- d\bdf\bfc\bc-\b->\b>m\bmc\bct\btx\bx_\b_j\bjo\bob\bbi\bid\bd =\b= j\bjo\bob\bbi\bid\bd;\b;
- }\b}
+ r\bre\bet\bt =\b= m\bml\blf\bfi\bi_\b_e\beo\boh\bh(\b(c\bct\btx\bx)\b);\b;
+ i\bif\bf (\b(r\bre\bet\bt !\b!=\b= S\bSM\bMF\bFI\bIS\bS_\b_C\bCO\bON\bNT\bTI\bIN\bNU\bUE\bE)\b)
+ r\bre\bet\btu\bur\brn\bn r\bre\bet\bt;\b;
- /* get hostname; used in the X header and in new MIME boundaries */
-
-NOTES:
-
- * Different mail filters use slightly different names for variables. If the
- above code does not compile, look for the code at the start of the mlfi_eoh
- () routine.
-
- * This fixes only the ugly message header, but not the WARNING message.
- Fortunately, many Milters log that message only once.
+ This works with sid-milter-0.2.10. Other Milter applications will dump core
+ when you do this.
L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs
application name: st_optionneg[134563840]: 0x3d does not fulfill action
requirements 0x1e
- The solution is to use Postfix version 2.4 or later.
+ The solution is to use a Postfix version that supports the missing
+ functionality.
* Most Milter configuration options are global. Future Postfix versions may
support per-Milter timeouts, per-Milter error handling, etc.
When delivering mail to a destination with multiple mail servers,
connection caching can help to skip over a non-responding server, and thus
- dramatically speed up delivery. SMTP connection caching is available in
- Postfix version 2.2 and later. More information about this feature is in
- the CONNECTION_CACHE_README document.
+ dramatically speed up delivery.
- /-- smtp(8) --> Internet
-
- qmgr(8) |
- |
- \-- | smtp(8) --> Internet
- |
- ^
- |
-
- scache(8)
+ smtp(8) <-> scache(8) <-> smtp(8)
+
* The showq(8) servers list the Postfix queue status. This is the queue
listing service that does the work for the mailq(1) and postqueue(1)
G\bGe\ben\bne\ber\bra\bal\bl d\bdi\bis\bst\btr\bri\bib\bbu\but\bti\bio\bon\bns\bs:\b: p\bpl\ble\bea\bas\bse\be p\bpr\bro\bov\bvi\bid\bde\be a\ba s\bsm\bma\bal\bll\bl d\bde\bef\bfa\bau\bul\blt\bt m\bma\bai\bin\bn.\b.c\bcf\bf f\bfi\bil\ble\be
The installed main.cf file must be small. PLEASE resist the temptation to list
-all parameters in the main.cf file. Postfix is supposed to be easy to
-configure. Listing all parameters in main.cf defeats the purpose. It is an
-invitation for hobbyists to make random changes without understanding what they
-do, and gets them into endless trouble.
+all 400+ parameters in the main.cf file. Postfix is supposed to be easy to
+configure. Listing all 400+ in main.cf defeats the purpose. It is an invitation
+for hobbyists to make random changes without understanding what they do, and
+gets them into endless trouble.
G\bGe\ben\bne\ber\bra\bal\bl d\bdi\bis\bst\btr\bri\bib\bbu\but\bti\bio\bon\bns\bs:\b: p\bpl\ble\bea\bas\bse\be i\bin\bnc\bcl\blu\bud\bde\be R\bRE\bEA\bAD\bDM\bME\bE o\bor\br H\bHT\bTM\bML\bL f\bfi\bil\ble\bes\bs
P\bPu\bur\brp\bpo\bos\bse\be o\bof\bf t\bth\bhi\bis\bs d\bdo\boc\bcu\bum\bme\ben\bnt\bt
-This document is an introduction to Postfix queue congestion analysis. It
-explains how the qshape(1) program can help to track down the reason for queue
-congestion. qshape(1) is bundled with Postfix 2.1 and later source code, under
-the "auxiliary" directory. This document describes qshape(1) as bundled with
-Postfix 2.4.
+This document describes the qshape(1) program which helps the administrator
+understand the Postfix queue message distribution sorted by time and by sender
+or recipient domain. qshape(1) is bundled with the Postfix 2.1 source under the
+"auxiliary" directory.
+
+In order to understand the output of qshape(1), it useful to understand the
+various Postfix queues. To this end the role of each Postfix queue directory is
+described briefly in the "Background info: Postfix queue directories" section
+near the end of this document.
This document covers the following topics:
* Example 2: Deferred queue full of dictionary attack bounces
* Example 3: Congestion in the active queue
* Example 4: High volume destination backlog
- * Postfix queue directories
+ * Background info: Postfix queue directories
o The "maildrop" queue
o The "hold" queue
10 and 20 minutes old, 1 between 320 and 640 minutes old and 12 older than
1280 minutes (1440 minutes in a day).
-When the output is a terminal intermediate results showing the top 20 domains
-(-n option) are displayed after every 1000 messages (-N option) and the final
-output also shows only the top 20 domains. This makes qshape useful even when
-the deferred queue is very large and it may otherwise take prohibitively long
-to read the entire deferred queue.
-
By default, qshape shows statistics for the union of both the incoming and
active queues which are the most relevant queues to look at when analyzing
performance.
One can request an alternate list of queues:
- $ qshape deferred
- $ qshape incoming active deferred
+ $ qshape deferred | less
+ $ qshape incoming active deferred | less
this will show the age distribution of the deferred queue or the union of the
incoming active and deferred queues.
The problem destinations or sender domains appear near the top left corner of
the output table. Remember that the active queue can accommodate up to 20000
-($qmgr_message_active_limit) messages. To check whether this limit has been
+($qmgr_message_active_limit) messages. To check wether this limit has been
reached, use:
- $ qshape -s active (show sender statistics)
+ $ qshape -s active | head (show sender statistics)
If the total sender count is below 20000 the active queue is not yet saturated,
any high volume sender domains show near the top of the output.
-With oqmgr(8) the active queue is also limited to at most 20000 recipient
-addresses ($qmgr_message_recipient_limit). To check for exhaustion of this
-limit use:
+The active queue is also limited to at most 20000 recipient addresses
+($qmgr_message_recipient_limit). To check for exhaustion of this limit use:
- $ qshape active (show recipient statistics)
+ $ qshape active | head (show recipient statistics)
Having found the high volume domains, it is often useful to search the logs for
recent messages pertaining to the domains in question.
nature of the errors. The destination will be retried again after the
expiration of a $minimal_backoff_time timer. If the error bursts are frequent
enough it may be that only a small quantity of email is delivered before the
-destination is again marked "dead". In some cases enabling static (not on
-demand) connection caching by listing the appropriate nexthop domain in a table
-included in "smtp_connection_cache_destinations" may help to reduce the error
-rate, because most messages will re-use existing connections.
+destination is again marked "dead".
The MTA that has been observed most frequently to exhibit such bursts of errors
is Microsoft Exchange, which refuses connections under load. Some proxy virus
the client as a "421" error.
Note that it is now possible to configure Postfix to exhibit similarly erratic
-behavior by misconfiguring the anvil(8) service. Do not use anvil(8) for
-steady-state rate limiting, its purpose is (unintentional) DoS prevention and
-the rate limits set should be very generous!
+behavior by misconfiguring the anvil(8) server (not included in Postfix 2.1.).
+Do not use anvil(8) for steady-state rate limiting, its purpose is DoS
+prevention and the rate limits set should be very generous!
-If one finds oneself needing to deliver a high volume of mail to a destination
-that exhibits frequent brief bursts of errors and connection caching does not
-solve the problem, there is a subtle workaround.
+In the long run it is hoped that the Postfix dead host detection and
+concurrency control mechanism will be tuned to be more "noise" tolerant. If one
+finds oneself needing to deliver a high volume of mail to a destination that
+exhibits frequent brief bursts of errors, there is a subtle workaround.
* In master.cf set up a dedicated clone of the "smtp" transport for the
destination in question.
number in the 10-20 range is typical).
* IMPORTANT!!! In main.cf configure a very large initial and destination
- concurrency limit for this transport (say 2000).
+ concurrency limit for this transport (say 200).
/etc/postfix/main.cf:
- initial_destination_concurrency = 2000
- transportname_destination_concurrency_limit = 2000
+ initial_destination_concurrency = 200
+ transportname_destination_concurrency_limit = 200
Where transportname is the name of the master.cf entry in question.
-The effect of this surprising configuration is that up to 2000 consecutive
+The effect of this surprising configuration is that up to 200 consecutive
errors are tolerated without marking the destination dead, while the total
concurrency remains reasonable (10-20 processes). This trick is only for a very
specialized situation: high volume delivery into a channel with multi-error
Hopefully a more elegant solution to these problems will be found in the
future.
-P\bPo\bos\bst\btf\bfi\bix\bx q\bqu\bue\beu\bue\be d\bdi\bir\bre\bec\bct\bto\bor\bri\bie\bes\bs
+B\bBa\bac\bck\bkg\bgr\bro\bou\bun\bnd\bd i\bin\bnf\bfo\bo:\b: P\bPo\bos\bst\btf\bfi\bix\bx q\bqu\bue\beu\bue\be d\bdi\bir\bre\bec\bct\bto\bor\bri\bie\bes\bs
The following sections describe Postfix queues: their purpose, what normal
behavior looks like, and how to diagnose abnormal behavior.
All mail that enters the main Postfix queue does so via the cleanup(8) service.
The cleanup service is responsible for envelope and header rewriting, header
-and body regular expression checks, automatic bcc recipient processing, milter
-content processing, and reliable insertion of the message into the Postfix
-"incoming" queue.
+and body regular expression checks, automatic bcc recipient processing and
+guaranteed insertion of the message into the Postfix "incoming" queue.
In the absence of excessive CPU consumption in cleanup(8) header or body
regular expression checks or other software consuming all available CPU
Congestion in this queue is indicative of an excessive local message submission
rate or perhaps excessive CPU consumption in the cleanup(8) service due to
-excessive body_checks, or (Postfix >= 2.3) high latency milters.
+excessive body_checks.
Note, that once the active queue is full, the cleanup service will attempt to
slow down message injection by pausing $in_flow_delay for each message. In this
case "maildrop" queue congestion may be a consequence of congestion downstream,
rather than a problem in its own right.
-Note, you should not attempt to deliver large volumes of mail via the pickup(8)
-service. High volume sites should avoid using "simple" content filters that re-
-inject scanned mail via Postfix sendmail(1) and postdrop(1).
+Note also, that one should not attempt to deliver large volumes of mail via the
+pickup(8) service. High volume sites must avoid using content filters that
+reinject scanned mail via Postfix sendmail(1) and postdrop(1).
A high arrival rate of locally submitted mail may be an indication of an
uncaught forwarding loop, or a run-away notification program. Try to keep the
delivery attempts are made for messages in the "hold" queue. The postsuper(1)
command can be used to manually release messages into the "deferred" queue.
-Messages can potentially stay in the "hold" queue longer than
-$maximal_queue_lifetime. If such "old" messages need to be released from the
-"hold" queue, they should typically be moved into the "maildrop" queue using
-"postsuper -r", so that the message gets a new timestamp and is given more than
-one opportunity to be delivered. Messages that are "young" can be moved
-directly into the "deferred" queue using "postsuper -H".
+Messages can potentially stay in the "hold" queue for a time exceeding the
+normal maximal queue lifetime (after which undelivered messages are bounced
+back to the sender). If such "old" messages need to be released from the "hold"
+queue, they should typically be moved into the "maildrop" queue, so that the
+message gets a new timestamp and is given more than one opportunity to be
+delivered. Messages that are "young" can be moved directly into the "deferred"
+queue.
The "hold" queue plays little role in Postfix performance, and monitoring of
the "hold" queue is typically more closely motivated by tracking spam and
The incoming queue grows when the message input rate spikes above the rate at
which the queue manager can import messages into the active queue. The main
-factors slowing down the queue manager are disk I/O and lookup queries to the
-trivial-rewrite service. If the queue manager is routinely not keeping up,
-consider not using "slow" lookup services (MySQL, LDAP, ...) for transport
-lookups or speeding up the hosts that provide the lookup service. If the
-problem is I/O starvation, consider striping the queue over more disks, faster
-controllers with a battery write cache, or other hardware improvements. At the
-very least, make sure that the queue directory is mounted with the "noatime"
-option if applicable to the underlying filesystem.
+factor slowing down the queue manager is transport queries to the trivial-
+rewrite service. If the queue manager is routinely not keeping up, consider not
+using "slow" lookup services (MySQL, LDAP, ...) for transport lookups or
+speeding up the hosts that provide the lookup service.
The in_flow_delay parameter is used to clamp the input rate when the queue
manager starts to fall behind. The cleanup(8) service will pause for
is capped by the transport's recipient concurrency limit.
Multiple recipient groups (from one or more messages) are queued for delivery
-grouped by transport/nexthop combination. The d\bde\bes\bst\bti\bin\bna\bat\bti\bio\bon\bn concurrency limit for
-the transports caps the number of simultaneous delivery attempts for each
-nexthop. Transports with a r\bre\bec\bci\bip\bpi\bie\ben\bnt\bt concurrency limit of 1 are special: these
-are grouped by the actual recipient address rather than the nexthop, yielding
-per-recipient concurrency limits rather than per-domain concurrency limits.
-Per-recipient limits are appropriate when performing final delivery to
+via the common transport/nexthop combination. The destination concurrency limit
+for the transports caps the number of simultaneous delivery attempts for each
+nexthop. Transports with a recipient concurrency limit of 1 are special: these
+are grouped by the actual recipient address rather than the nexthop, thereby
+enabling per-recipient concurrency limits rather than per-domain concurrency
+limits. Per-recipient limits are appropriate when performing final delivery to
mailboxes rather than when relaying to a remote server.
Congestion occurs in the active queue when one or more destinations drain
-slower than the corresponding message input rate.
-
-Input into the active queue comes both from new mail in the "incoming" queue,
-and retries of mail in the "deferred" queue. Should the "deferred" queue get
-really large, retries of old mail can dominate the arrival rate of new mail.
-Systems with more CPU, faster disks and more network bandwidth can deal with
-larger deferred queues, but as a rule of thumb the deferred queue scales to
-somewhere between 100,000 and 1,000,000 messages with good performance unlikely
-above that "limit". Systems with queues this large should typically stop
-accepting new mail, or put the backlog "on hold" until the underlying issue is
-fixed (provided that there is enough capacity to handle just the new mail).
-
-When a destination is down for some time, the queue manager will mark it dead,
-and immediately defer all mail for the destination without trying to assign it
-to a delivery agent. In this case the messages will quickly leave the active
-queue and end up in the deferred queue (with Postfix < 2.4, this is done
-directly by the queue manager, with Postfix >= 2.4 this is done via the "retry"
-delivery agent).
-
-When the destination is instead simply slow, or there is a problem causing an
-excessive arrival rate the active queue will grow and will become dominated by
-mail to the congested destination.
+slower than the corresponding message input rate. If a destination is down for
+some time, the queue manager will mark it dead, and immediately defer all mail
+for the destination without trying to assign it to a delivery agent. In this
+case the messages will quickly leave the active queue and end up in the
+deferred queue. If the destination is instead simply slow, or there is a
+problem causing an excessive arrival rate the active queue will grow and will
+become dominated by mail to the congested destination.
The only way to reduce congestion is to either reduce the input rate or
increase the throughput. Increasing the throughput requires either increasing
the system and network are not loaded, raise the "smtp" and/or "relay" process
limits!
-When a high volume destination is served by multiple MX hosts with typically
-low delivery latency, performance can suffer dramatically when one of the MX
-hosts is unresponsive and SMTP connections to that host timeout. For example,
-if there are 2 equal weight MX hosts, the SMTP connection timeout is 30 seconds
-and one of the MX hosts is down, the average SMTP connection will take
-approximately 15 seconds to complete. With a default per-destination
-concurrency limit of 20 connections, throughput falls to just over 1 message
-per second.
-
-The best way to avoid bottlenecks when one or more MX hosts is non-responsive
-is to use connection caching. Connection caching was introduced with Postfix
-2.2 and is by default enabled on demand for destinations with a backlog of mail
-in the active queue. When connection caching is in effect for a particular
-destination, established connections are re-used to send additional messages,
-this reduces the number of connections made per message delivery and maintains
-good throughput even in the face of partial unavailability of the destination's
-MX hosts.
-
-If connection caching is not available (Postfix < 2.2) or does not provide a
-sufficient latency reduction, especially for the "relay" transport used to
-forward mail to "your own" domains, consider setting lower than default SMTP
-connection timeouts (1-5 seconds) and higher than default destination
-concurrency limits. This will further reduce latency and provide more
-concurrency to maintain throughput should latency rise.
-
-Setting high concurrency limits to domains that are not your own may be viewed
-as hostile by the receiving system, and steps may be taken to prevent you from
-monopolizing the destination system's resources. The defensive measures may
-substantially reduce your throughput or block access entirely. Do not set
-aggressive concurrency limits to remote domains without coordinating with the
-administrators of the target domain.
-
-If necessary, dedicate and tune custom transports for selected high volume
-destinations. The "relay" transport is provided for forwarding mail to domains
-for which your server is a primary or backup MX host. These can make up a
-substantial fraction of your email traffic. Use the "relay" and not the "smtp"
-transport to send email to these domains. Using the "relay" transport allocates
-a separate delivery agent pool to these destinations and allows separate tuning
-of timeouts and concurrency limits.
+Especially for the "relay" transport, consider lower SMTP connection timeouts
+(1-5 seconds) and higher than default destination concurrency limits. Compute
+the expected latency when 1 out of N of the MX hosts for a high volume site is
+down and not responding, and make sure that the configured concurrency divided
+by this latency exceeds the required steady-state message rate. If the
+destination is managed by you, consider load balancers in front of groups of MX
+hosts. Load balancers have higher uptime and will be able to hide individual MX
+host failures.
+
+If necessary, dedicate and tune custom transports for high volume destinations.
Another common cause of congestion is unwarranted flushing of the entire
deferred queue. The deferred queue holds messages that are likely to fail to be
-delivered and are also likely to be slow to fail delivery (time out). As a
-result the most common reaction to a large deferred queue (flush it!) is more
-than likely counter-productive, and typically makes the congestion worse. Do
-not flush the deferred queue unless you expect that most of its content has
+delivered and are also likely to be slow to fail delivery (timeouts). This
+means that the most common reaction to a large deferred queue (flush it!) is
+more than likely counter- productive, and is likely to make the problem worse.
+Do not flush the deferred queue unless you expect that most of its content has
recently become deliverable (e.g. relayhost back up after an outage)!
Note that whenever the queue manager is restarted, there may already be
normal incoming queue scan to refill the active queue. The process of moving
all the messages back and forth, redoing transport table (trivial-rewrite(8)
resolve service) lookups, and re-importing the messages back into memory is
-expensive. At all costs, avoid frequent restarts of the queue manager (e.g. via
-frequent execution of "postfix reload").
+expensive. At all costs, avoid frequent restarts of the queue manager.
T\bTh\bhe\be "\b"d\bde\bef\bfe\ber\brr\bre\bed\bd"\b" q\bqu\bue\beu\bue\be
controlled by the queue_run_delay parameter. While a deferred queue scan is in
progress, if an incoming queue scan is also in progress (ideally these are
brief since the incoming queue should be short), the queue manager alternates
-between looking for messages in the "incoming" queue and in the "deferred"
+between bringing a new "incoming" message and a new "deferred" message into the
queue. This "round-robin" strategy prevents starvation of either the incoming
or the deferred queues.
Each deferred queue scan only brings a fraction of the deferred queue back into
the active queue for a retry. This is because each message in the deferred
queue is assigned a "cool-off" time when it is deferred. This is done by time-
-warping the modification time of the queue file into the future. The queue file
-is not eligible for a retry if its modification time is not yet reached.
+warping the modification times of the queue file into the future. The queue
+file is not eligible for a retry if its modification time is not yet reached.
The "cool-off" time is at least $minimal_backoff_time and at most
$maximal_backoff_time. The next retry time is set by doubling the message's age
If a high volume site routinely has large deferred queues, it may be useful to
adjust the queue_run_delay, minimal_backoff_time and maximal_backoff_time to
-provide short enough delays on first failure (Postfix >= 2.4 has a sensibly low
-minimal backoff time by default), with perhaps longer delays after multiple
-failures, to reduce the retransmission rate of old messages and thereby reduce
-the quantity of previously deferred mail in the active queue. If you want a
-really low minimal_backoff_time, you may also want to lower queue_run_delay,
-but understand that more frequent scans will increase the demand for disk I/O.
+provide short enough delays on first failure, with perhaps longer delays after
+multiple failures, to reduce the retransmission rate of old messages and
+thereby reduce the quantity of previously deferred mail in the active queue.
One common cause of large deferred queues is failure to validate recipients at
the SMTP input stage. Since spammers routinely launch dictionary attacks from
unrepliable sender addresses, the bounces for invalid recipient addresses clog
the deferred queue (and at high volumes proportionally clog the active queue).
Recipient validation is strongly recommended through use of the
-local_recipient_maps and relay_recipient_maps parameters. Even when bounces
-drain quickly they inundate innocent victims of forgery with unwanted email. To
-avoid this, do not accept mail for invalid recipients.
+local_recipient_maps and relay_recipient_maps parameters.
When a host with lots of deferred mail is down for some time, it is possible
for the entire deferred queue to reach its retry time simultaneously. This can
lead to a very full active queue once the host comes back up. The phenomenon
can repeat approximately every maximal_backoff_time seconds if the messages are
-again deferred after a brief burst of congestion. Perhaps, a future Postfix
-release will add a random offset to the retry time (or use a combination of
-strategies) to reduce the odds of repeated complete deferred queue flushes.
+again deferred after a brief burst of congestion. Ideally, in the future
+Postfix will add a random offset to the retry time (or use a combination of
+strategies) to reduce the chances of repeated complete deferred queue flushes.
C\bCr\bre\bed\bdi\bit\bts\bs
B\bBu\bui\bil\bld\bdi\bin\bng\bg t\bth\bhe\be C\bCy\byr\bru\bus\bs S\bSA\bAS\bSL\bL l\bli\bib\bbr\bra\bar\bry\by
-Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are
+Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1, which are
available from:
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/
IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will
-have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.x or /usr/
-lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.x.
+have to symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.5 or /usr/
+lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.1.
-Reportedly, Microsoft Outlook (Express) requires the non-standard LOGIN
-authentication method. To enable this authentication method, specify ``./
-configure --enable-login''.
+Reportedly, Microsoft Internet Explorer version 5 requires the non-standard
+SASL LOGIN authentication method. To enable this authentication method, specify
+``./configure --enable-login''.
B\bBu\bui\bil\bld\bdi\bin\bng\bg P\bPo\bos\bst\btf\bfi\bix\bx w\bwi\bit\bth\bh C\bCy\byr\bru\bus\bs S\bSA\bAS\bSL\bL s\bsu\bup\bpp\bpo\bor\brt\bt
On some systems this generates the necessary Makefile definitions:
-(for Cyrus SASL version 1.5.x):
+(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
-(for Cyrus SASL version 2.1.x):
+(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
On Solaris 2.x you need to specify run-time link information, otherwise ld.so
will not find the SASL shared library:
-(for Cyrus SASL version 1.5.x):
+(for Cyrus SASL version 1.5.5):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
-I/usr/local/include" AUXLIBS="-L/usr/local/lib \
-R/usr/local/lib -lsasl"
-(for Cyrus SASL version 2.1.x):
+(for Cyrus SASL version 2.1.1):
% make tidy # if you have left-over files from a previous build
% make makefiles CCARGS="-DUSE_SASL_AUTH -DUSE_CYRUS_SASL \
Older Microsoft SMTP client software implements a non-standard version of the
AUTH protocol syntax, and expects that the SMTP server replies to EHLO with
-"250 AUTH=mechanism-list" instead of "250 AUTH mechanism-list". To accommodate
-such clients (in addition to conformant clients) use the following:
+"250 AUTH=stuff" instead of "250 AUTH stuff". To accommodate such clients (in
+addition to conformant clients) use the following:
/etc/postfix/main.cf:
broken_sasl_auth_clients = yes
C\bCy\byr\bru\bus\bs S\bSA\bAS\bSL\bL c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn f\bfo\bor\br t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP s\bse\ber\brv\bve\ber\br
-You need to configure how the Cyrus SASL library should authenticate a client's
-username and password. These settings must be stored in a separate
-configuration file.
-
-The name of the configuration file (default: smtpd.conf) will be constructed
-from a value sent by Postfix to the Cyrus SASL library, which adds the suffix
-.conf. The value is configured using one of the following variables:
-
- /etc/postfix/main.cf:
- # Postfix 2.3 and later
- smtpd_sasl_path = smtpd
- # Postfix < 2.3
- smtpd_sasl_application_name = smtpd
-
-Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/ (Cyrus
-SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL version 2.1.x).
+In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or /usr/local/lib/
+sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to specify how the server
+should validate client passwords.
Note: some Postfix distributions are modified and look for the smtpd.conf file
-in /etc/postfix/sasl.
+in /etc/postfix.
Note: some Cyrus SASL distributions look for the smtpd.conf file in /etc/sasl2.
- * To authenticate against the UNIX password database, use:
+ * To authenticate against the UNIX password database, try:
- (Cyrus SASL version 1.5.x)
+ (Cyrus SASL version 1.5.5)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: pwcheck
- IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck and
- waits for authentication requests. Postfix processes must have
- read+execute permission to this directory or authentication attempts
- will fail.
+ (Cyrus SASL version 2.1.1)
+
+ /usr/local/lib/sasl2/smtpd.conf:
+ pwcheck_method: pwcheck
+
+ The name of the file in /usr/local/lib/sasl (Cyrus SASL version 1.5.5) or /
+ usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by the SASL library for
+ configuration can be set with:
+
+ /etc/postfix/main.cf:
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ smtpd_sasl_path = smtpd (Postfix 2.3 and later)
+
+ The pwcheck daemon is contained in the cyrus-sasl source tarball.
+
+ IMPORTANT: postfix processes need to have group read+execute permission for
+ the /var/pwcheck directory, otherwise authentication attempts will fail.
- The pwcheck daemon is contained in the cyrus-sasl source tarball.
+ * Alternately, in Cyrus SASL 1.5.26 and later (including 2.1.1), try:
(Cyrus SASL version 1.5.26)
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: saslauthd
- (Cyrus SASL version 2.1.x)
+ (Cyrus SASL version 2.1.1)
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
- mech_list: PLAIN LOGIN
The saslauthd daemon is also contained in the cyrus-sasl source tarball. It
is more flexible than the pwcheck daemon, in that it can authenticate
against PAM and various other sources. To use PAM, start saslauthd with "-
a pam".
- IMPORTANT: saslauthd usually establishes a UNIX domain socket in /var/run/
- saslauthd and waits for authentication requests. Postfix processes must
- have read+execute permission to this directory or authentication attempts
- will fail.
-
- Note: The directory where saslauthd puts the socket is configurable. See
- the command-line option "-m /path/to/socket" in the saslauthd --help
- listing.
-
* To authenticate against Cyrus SASL's own password database:
- (Cyrus SASL version 1.5.x)
+ (Cyrus SASL version 1.5.5)
/usr/local/lib/sasl/smtpd.conf:
- pwcheck_method: sasldb
+ pwcheck_method: sasldb
- (Cyrus SASL version 2.1.x)
+ (Cyrus SASL version 2.1.1)
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sasldb
- mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
+ pwcheck_method: auxprop
This will use the Cyrus SASL password file (default: /etc/sasldb in version
- 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained with the
+ 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained with the
saslpasswd or saslpasswd2 command (part of the Cyrus SASL software). On
some poorly-supported systems the saslpasswd command needs to be run
multiple times before it stops complaining. The Postfix SMTP server needs
EXAMPLE:
- (Cyrus SASL version 1.5.x)
+ (Cyrus SASL version 1.5.5)
% saslpasswd -c -u `postconf -h myhostname` exampleuser
- (Cyrus SASL version 2.1.x)
+ (Cyrus SASL version 2.1.1)
% saslpasswd2 -c -u `postconf -h myhostname` exampleuser
You can find out SASL's idea about the realms of the users in sasldb with
- sasldblistusers (Cyrus SASL version 1.5.x) or sasldblistusers2 (Cyrus SASL
- version 2.1.x).
+ sasldblistusers (Cyrus SASL version 1.5.5) or sasldblistusers2 (Cyrus SASL
+ version 2.1.1).
On the Postfix side, you can have only one realm per smtpd instance, and
only the users belonging to that realm would be able to authenticate. The
/etc/postfix/main.cf:
smtpd_sasl_local_domain = $myhostname
-IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd
-can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus
-SASL library doesn't know this, and will happily advertise other authentication
-mechanisms that the SASL library implements, such as DIGEST-MD5. As a result,
-if an SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck
-or saslauthd are used, authentication will fail. Thus you may need to limit the
-list of mechanisms advertised by Postfix.
+IMPORTANT: all users must be able to authenticate using ALL authentication
+mechanisms advertised by Postfix, otherwise the negotiation might end up with
+an unsupported mechanism, and authentication would fail. For example if you
+configure SASL to use saslauthd for authentication against PAM (pluggable
+authentication modules), only the PLAIN and LOGIN mechanisms are supported and
+stand a chance to succeed, yet the SASL library would also advertise other
+mechanisms, such as DIGEST-MD5. This happens because those mechanisms are made
+available by other plugins, and the SASL library have no way to know that your
+only valid authentication source is PAM. Thus you might need to limit the list
+of mechanisms advertised by Postfix.
* With older Cyrus SASL versions you remove the corresponding library files
from the SASL plug-in directory (and again whenever the system is updated).
- * With Cyrus SASL version 2.1.x or later the mech_list variable can specify a
- list of authentication mechanisms that Cyrus SASL may offer:
+ * With Cyrus SASL version 2.1.1 or later:
/usr/local/lib/sasl2/smtpd.conf:
mech_list: plain login
For the same reasons you might want to limit the list of plugins used for
authentication.
- * With Cyrus SASL version 1.5.x your only choice is to delete the
+ * With Cyrus SASL version 1.5.5 your only choice is to delete the
corresponding library files from the SASL plug-in directory.
- * With SASL version 2.1.x:
+ * With SASL version 2.1.1:
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sql
+ pwcheck_method: auxprop
+ auxprop_plugin: sql
To run software chrooted with SASL support is an interesting exercise. It
probably is not worth the trouble.
T\bTr\bro\bou\bub\bbl\ble\be s\bsh\bho\boo\bot\bti\bin\bng\bg t\bth\bhe\be S\bSA\bAS\bSL\bL i\bin\bnt\bte\ber\brn\bna\bal\bls\bs
In the Cyrus SASL sources you'll find a subdirectory named "sample". Run make
-there, then create a symbolic link from sample.conf to smtpd.conf in your Cyrus
-SASL library directory /usr/local/lib/sasl2. "su" to the user postfix (or
-whatever your mail_owner directive is set to):
+there, "su" to the user postfix (or whatever your mail_owner directive is set
+to):
% su postfix
-then run the resulting sample server and client in separate terminals. The
-sample applications send log messages to the syslog facility auth. Check the
-log to fix the problem or run strace / ktrace / truss on the server to see what
-makes it unhappy. Repeat the previous step until you can successfully
-authenticate with the sample client. Only then get back to Postfix.
+then run the resulting sample server and client in separate terminals. Strace /
+ktrace / truss the server to see what makes it unhappy, and fix the problem.
+Repeat the previous step until you can successfully authenticate with the
+sample client. Only then get back to Postfix.
E\bEn\bna\bab\bbl\bli\bin\bng\bg S\bSA\bAS\bSL\bL a\bau\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn i\bin\bn t\bth\bhe\be P\bPo\bos\bst\btf\bfi\bix\bx S\bSM\bMT\bTP\bP c\bcl\bli\bie\ben\bnt\bt
[mail.myisp.net] username:password
[mail.myisp.net]:submission username:password
-The Postfix SASL client password file is opened before the SMTP server enters
-the optional chroot jail, so you can keep the file in /etc/postfix and set
-permissions read / write only for root to keep the username:password
-combinations away from other system users.
-
Postfix version 2.3 supports-per-sender SASL password information. To search
the Postfix SASL password by sender before it searches by destination, specify:
/etc/postfix/main.cf:
smtp_sasl_security_options = noanonymous
+The Postfix SASL client password file is opened before the SMTP server enters
+the optional chroot jail, so you can keep the file in /etc/postfix.
+
Note: Some SMTP servers support authentication mechanisms that, although
available on the client system, may not in practice work or possess the
appropriate credentials to authenticate to the server. It is possible via the
smtp_sasl_mechanism_filter = !gssapi, !external, static:all
In the above example, Postfix will decline to use mechanisms that require
-special infrastructure such as Kerberos or TLS.
+special infrastructure such as Kerberos.
The Postfix SMTP client is backwards compatible with SMTP servers that use the
non-standard "AUTH=method..." syntax in response to the EHLO command; there is
smtpd_sasl_path.
* The Dovecot SMTP server-only plug-in was originally implemented by Timo
Sirainen of Procontrol, Finland.
- * Patrick Ben Koetter revised this document for Postfix 2.4 and made much
- needed updates.
www.openspf.org/Software.
Policy delegation is now the preferred method for adding policies to Postfix.
-It's much easier to develop a new feature in few lines of Perl, Python, Ruby,
-or TCL, than trying to do the same in C code. The difference in performance
-will be unnoticeable except in the most demanding environments. On active
-systems a policy daemon process is used multiple times, for up to $max_use
-incoming SMTP connections.
+It's much easier to develop a new feature in few lines of Perl, than trying to
+do the same in C code. The difference in performance will be unnoticeable
+except in the most demanding environments. On active systems a policy daemon
+process is used multiple times, for up to $max_use incoming SMTP connections.
This document covers the following topics:
how the client was authenticated via TLS. These attributes are empty in
case of no certificate authentication. As of Postfix 2.2.11 these attribute
values are encoded as xtext: some characters are represented by +XX, where
- XX is the two-digit hexadecimal representation of the character value.
+ XX is the two-digit hecadecimal representation of the character value.
* The "encryption_*" attributes (Postfix 2.3 and later) specify information
about how the connection is encrypted. With plaintext connections the
1. Re-inject the mail back into Postfix via SMTP, perhaps after changing its
content and/or destination.
- 2. Discard or quarantine the mail.
-
- 3. Reject the mail by sending a suitable SMTP status code back to Postfix.
+ 2. Reject the mail by sending a suitable SMTP status code back to Postfix.
Postfix passes the status back to the remote SMTP client. This way, Postfix
does not have to send a bounce message.
from using up all 20 SMTP server processes. This limit is not necessary if
you receive all mail from a trusted relay host.
- Note: this setting is available in Postfix version 2.2 and later. Earlier
- Postfix versions will ignore it.
+ Note: this setting is ignored by the stable Postfix 2.1 release. The
+ feature will be available only in the experimental release until Postfix
+ 2.2.
* The "-o smtpd_proxy_filter=127.0.0.1:10025" tells the before filter SMTP
server that it should give incoming mail to the content filter that listens
/etc/postfix/main.cf:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
- smtp_tls_dkey_file = $smtp_tls_dcert_file
+ smtp_tls_dkey_file = $smtpd_tls_cert_file
To verify a remote SMTP server certificate, the Postfix SMTP client needs to
trust the certificates of the issuing certification authorities. These
$smtp_tls_CApath directory needs to be accessible inside the optional chroot
jail.
-The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a space/time
+The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is a space/time
tradeoff. If there are many trusted CAs, the cost of preloading them all into
memory may not pay off in reduced access time when the certificate is needed.
/etc/postfix/main.cf:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
- smtp_tls_dkey_file = $smtp_tls_dcert_file
+ smtp_tls_dkey_file = $smtpd_tls_cert_file
To verify a remote SMTP server certificate, the Postfix SMTP client needs to
trust the certificates of the issuing certification authorities. These
$smtp_tls_CApath directory needs to be accessible inside the optional chroot
jail.
-The choice between $smtp_tls_CAfile and $smtp_tls_CApath is a space/time
+The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is a space/time
tradeoff. If there are many trusted CAs, the cost of preloading them all into
memory may not pay off in reduced access time when the certificate is needed.
is used selectively, only with destinations explicitly configured for TLS.
You can disable TLS for a subset of destinations, while leaving it enabled for
-the rest. With the Postfix 2.3 and later TLS policy table, specify the "none"
-security level. With the obsolete per-site table, specify the "NONE" keyword.
+the rest. With the Postfix 2.3+ TLS policy table, specify the "none" security
+level. With the obsolete per-site table, specify the "NONE" keyword.
O\bOp\bpp\bpo\bor\brt\btu\bun\bni\bis\bst\bti\bic\bc T\bTL\bLS\bS
warning written to the mail logs.
You can enable opportunistic TLS just for selected destinations. With the
-Postfix 2.3 and later TLS policy table, specify the "may" security level. With
-the obsolete per-site table, specify the "MAY" keyword.
+Postfix 2.3+ TLS policy table, specify the "may" security level. With the
+obsolete per-site table, specify the "MAY" keyword.
This is the most common security level for TLS protected SMTP sessions,
stronger security is not generally available and, if needed, is typically only
security level.
You can enable mandatory TLS encryption just for specific destinations. With
-the Postfix 2.3 and later TLS policy table, specify the "encrypt" security
-level. With the obsolete per-site table, specify the "MUST_NOPEERMATCH"
-keyword. While the obsolete approach still works with Postfix 2.3, it is
-strongly discouraged: users of Postfix 2.3 and later should use the new TLS
-policy settings.
+the Postfix 2.3+ TLS policy table, specify the "encrypt" security level. With
+the obsolete per-site table, specify the "MUST_NOPEERMATCH" keyword. While the
+obsolete approach still works with Postfix 2.3, it is strongly discouraged:
+users of Postfix 2.3+ should use the new TLS policy settings.
Examples:
.example.com encrypt
Postfix 2.2 syntax (no support for sub-domains without resorting to regexp
-tables). With Postfix 2.3 and later, do not use the obsolete per-site table.
+tables). With Postfix 2.3+, do not use the obsolete per-site table.
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
Instead, use the destination (for example, "[example.net]:587"), as the per-
site table lookup key (a recipient domain or MX-enabled transport nexthop with
no port suffix may look like a bare hostname, but is still a suitable
-destination). With Postfix 2.3 and later, do not use the obsolete per-site
-table; use the new policy table instead.
+destination). With Postfix 2.3+, do not use the obsolete per-site table; use
+the new policy table instead.
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
configuration instead.
You can enable mandatory server certificate verification just for specific
-destinations. With the Postfix 2.3 and later TLS policy table, specify the
-"verify" security level. With the obsolete per-site table, specify the "MUST"
-keyword. While the obsolete approach still works with Postfix 2.3, it is
-strongly discouraged: users of Postfix 2.3 and later should use the new TLS
-policy settings.
+destinations. With the Postfix 2.3+ TLS policy table, specify the "verify"
+security level. With the obsolete per-site table, specify the "MUST" keyword.
+While the obsolete approach still works with Postfix 2.3, it is strongly
+discouraged: users of Postfix 2.3+ should use the new TLS policy settings.
Example:
necessary STARTTLS support.
You can enable secure TLS verification just for specific destinations. With the
-Postfix 2.3 and later TLS policy table, specify the "secure" security level.
-With the obsolete per-site table, specify the "MUST" keyword and harden the
-certificate verification against DNS forgery. While the obsolete approach still
-works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and
-later should use the new TLS policy settings.
+Postfix 2.3+ TLS policy table, specify the "secure" security level. With the
+obsolete per-site table, specify the "MUST" keyword and harden the certificate
+verification against DNS forgery. While the obsolete approach still works with
+Postfix 2.3, it is strongly discouraged: users of Postfix 2.3+ should use the
+new TLS policy settings.
Examples:
/etc/postfix/tls_policy:
[tls.example.com] secure match=tls.example.com
-Postfix 2.2.9 and later syntax:
+Postfix 2.2.9+ syntax:
N\bNo\bot\bte\be:\b: Avoid policy lookups with the bare hostname (for example,
"tls.example.com"). Instead, use the destination (for example, "
[tls.example.com]") as the per-site table lookup key (a recipient domain or MX-
enabled transport nexthop with no port suffix may look like a bare hostname,
-but is still a suitable destination). With Postfix 2.3 and later, do not use
-the obsolete per-site table; use the new policy table instead.
+but is still a suitable destination). With Postfix 2.3+, do not use the
+obsolete per-site table; use the new policy table instead.
/etc/postfix/main.cf:
smtp_cname_overrides_servername = no
nexthop (enclosed in [] with a possible ":port" suffix) as the per-site table
lookup key (a recipient domain or MX-enabled transport nexthop with no port
suffix may look like a bare hostname, but is still a suitable destination).
-With Postfix 2.3 and later, use of the obsolete approach documented here is
-strongly discouraged: use the new policy table instead.
+With Postfix 2.3+, use of the obsolete approach documented here is strongly
+discouraged: use the new policy table instead.
Starting with Postfix 2.3, the underlying TLS enforcement levels are common to
the obsolete per-site table and the new policy table. The main.cf
For a general discussion of TLS security for SMTP see TLS limitations above.
What follows applies only to Postfix 2.2.9 and subsequent Postfix 2.2 patch
-levels. Do not use this approach with Postfix 2.3 and later; instead see the
+levels. Do not use this approach with Postfix 2.3+; instead see the
instructions under secure server certificate verification.
As long as no secure DNS lookup mechanism is available, false hostnames in MX
M\bMe\bea\bas\bsu\bur\bre\bes\bs a\bag\bga\bai\bin\bns\bst\bt c\bcl\bli\bie\ben\bnt\bts\bs t\bth\bha\bat\bt m\bma\bak\bke\be t\bto\boo\bo m\bma\ban\bny\by c\bco\bon\bnn\bne\bec\bct\bti\bio\bon\bns\bs
-Note: these features use the Postfix anvil(8) service, introduced with Postfix
-version 2.2.
+Note: this feature is not included with Postfix version 2.1.
The Postfix smtpd(8) server can limit the number of simultaneous connections
-from the same SMTP client, as well as the connection rate and the rate of
-certain SMTP commands from the same client. These statistics are maintained by
-the anvil(8) server (translation: if anvil(8) breaks, then connection limits
-stop working).
-
-IMPORTANT: These limits must not be used to regulate legitimate traffic: mail
-will suffer grotesque delays if you do so. The limits are designed to protect
-the smtpd(8) server against abuse by out-of-control clients.
-
- smtpd_client_connection_count_limit (default: 50)
- The maximum number of connections than an SMTP client may make
- simultaneously.
- smtpd_client_connection_rate_limit (default: no limit)
- The maximum number of connections that an SMTP client may make in the
- time interval specified with anvil_rate_time_unit (default: 60s).
- smtpd_client_message_rate_limit (default: no limit)
- The maximum number of message delivery requests that an SMTP client may
- make in the time interval specified with anvil_rate_time_unit (default:
- 60s).
- smtpd_client_recipient_rate_limit (default: no limit)
- The maximum number of recipient addresses that an SMTP client may
- specify in the time interval specified with anvil_rate_time_unit
- (default: 60s).
- smtpd_client_new_tls_session_rate_limit (default: no limit)
- The maximum number of new TLS sessions (without using the TLS session
- cache) that an SMTP client may negotiate in the time interval specified
- with anvil_rate_time_unit (default: 60s).
- smtpd_client_event_limit_exceptions (default: $mynetworks)
- SMTP clients that are excluded from connection and rate limits
- specified above.
+from the same SMTP client, as well as the number of connections that a client
+is allowed to make per unit time. These statistics are maintained by the anvil
+(8) server (translation: if anvil(8) breaks, then connection limits stop
+working).
+
+IMPORTANT: These limits are designed to protect the smtpd(8) server against
+flagrant abuse. Do not use these limits to regulate legitimate traffic: mail
+will suffer grotesque delays if you do so.
+
+ * An SMTP client may make up to $smtpd_client_connection_count_limit
+ simultaneous connections (default: 50). This is half the default process
+ limit.
+
+ * An SMTP client may make up to $smtpd_client_message_rate_limit message
+ delivery requests per unit time (default: no limit).
+
+ * An SMTP client may send up to $smtpd_client_recipient_rate_limit recipient
+ addresses per unit time (default: no limit).
+
+ * An SMTP client may make up to $smtpd_client_connection_rate_limit
+ connections per unit time (default: no limit).
+
+ * These limits are not applied to SMTP clients in the networks specified with
+ $smtpd_client_event_limit_exceptions (default: clients in $mynetworks may
+ make an unlimited number of connections).
+
+ * The anvil_rate_time_unit parameter specifies the time unit over which
+ client connection rates are computed (default: 60s).
G\bGe\ben\bne\ber\bra\bal\bl m\bma\bai\bil\bl d\bde\bel\bli\biv\bve\ber\bry\by p\bpe\ber\brf\bfo\bor\brm\bma\ban\bnc\bce\be t\bti\bip\bps\bs
limit delivery concurrency to the same recipient: if the recipient has an
expensive shell command in her .forward file, or if the recipient is a
mailing list manager, you don't want to run too many instances of those
- processes at the same time.
+ processes the same time.
* The default smtp_destination_concurrency_limit of 20 seems enough to
noticeably load a system without bringing it to its knees. Be careful when
This process is governed by a bunch of little parameters.
- queue_run_delay (default: 300 seconds; before Postfix 2.4: 1000s)
+ queue_run_delay (default: 1000 seconds)
How often the queue manager scans the queue for deferred mail.
- minimal_backoff_time (default: 300 seconds; before Postfix 2.4: 1000s)
+ minimal_backoff_time (default: 1000 seconds)
The minimal amount of time a message won't be looked at, and the
minimal amount of time to stay away from a "dead" destination.
maximal_backoff_time (default: 4000 seconds)
When mail is being deferred frequently, fixing the problem is always better
than increasing the frequency of delivery attempts. However, if you can control
only the delivery attempt frequency, consider using a dedicated fallback_relay
-"graveyard" machine for bad destinations, so that these destinations do not
-ruin the performance of normal mail deliveries.
+"graveyard" machine for bad destinations so that they do not ruin the
+performance of normal mail deliveries.
T\bTu\bun\bni\bin\bng\bg t\bth\bhe\be n\bnu\bum\bmb\bbe\ber\br o\bof\bf P\bPo\bos\bst\btf\bfi\bix\bx p\bpr\bro\boc\bce\bes\bss\bse\bes\bs
When Postfix opens too many files or sockets, processes will abort with fatal
errors, and the system may log "file table full" errors.
- * Depending on your Postfix and operating system versions you may need to
- recompile Postfix if you need more than 1024 file descriptors per process:
-
- o No recompilation is needed for Postfix version 2.4 and later, when it
- was compiled for systems that support BSD kqueue(2) (FreeBSD 4.1,
- NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or Linux 2.6 epoll(4).
-
- o Otherwise, Postfix needs to be recompiled to override the default
- FD_SETSIZE value.
-
* Reduce the number of processes as described under "Tuning the number of
Postfix processes" above. Fewer processes need fewer open files and
sockets.
sure to verify the following information with your system tuning guide:
o Some FreeBSD kernel parameters can be specified in /boot/loader.conf,
- and some can be specified in /etc/sysctl.conf or changed with sysctl
- commands. Which is which depends on the version.
+ and some can be changed with sysctl commands. Which is which depends on
+ the version.
kern.ipc.maxsockets="5000"
kern.ipc.nmbclusters="65536"
kern.maxfiles="16384"
kern.maxfilesperproc="16384"
- o Linux kernel parameters can be specified in /etc/sysctl.conf or changed
- with sysctl commands:
+ o Linux kernel parameters can be specified in /etc/sysctl.conf and can
+ also be changed with sysctl commands:
fs.file-max=16384
kernel.threads-max=2048
NEVER list a virtual MAILBOX domain name as a virtual ALIAS domain!
* Lines 4, 7-13: The virtual_mailbox_maps parameter specifies the lookup
- table with all valid recipient addresses. The lookup result value is
- ignored by Postfix. In the above example, info@example.com and
- sales@example.com are listed as valid addresses; other mail for example.com
- is rejected with "User unknown" by the Postfix SMTP server. It's left up to
- the non-Postfix delivery agent to reject non-existent recipients from local
- submission or from local alias expansion. If you intend to use LDAP, MySQL
- or PgSQL instead of local files, be sure to review the "local files versus
- databases" section at the top of this document!
+ table with all valid recipient addresses. The lookup result is ignored by
+ Postfix. In the above example, info@example.com and sales@example.com are
+ listed as valid addresses, and mail for anything else is rejected with
+ "User unknown". If you intend to use LDAP, MySQL or PgSQL instead of local
+ files, be sure to review the "local files versus databases" section at the
+ top of this document!
* Line 12: The commented out entry (text after #) shows how one would inform
Postfix of the existence of a catch-all address. Again, the lookup result
--- /dev/null
+What needs to be done before Postfix 2.4.0 is finished:
+
+- Update MILTER_README (dkim, application patches).
+
+- Create RELEASE_NOTES_2.4.
+
+- Update BACKSCATTER_README with PCRE rules.
+
+- Truncate wish list from HISTORY.
+
+- Spell check and double word check the proto files.
+
+- Parameter hyperlink check and HTML check the html outputs.
+
+- Replace SPF policy server script by link to SPF website.
+
+- Remove MacOS X examples. They have not been updated.
--- /dev/null
+#!/bin/sh
+
+# Gerben Wierda, Oct 2001. Adapted from an existing example. I waive every
+# copyright on this and I also do not give any warranty.
+
+# Updated Sepember 29, 2002
+# To work properly, the POSTFIX variable needs to be set to -YES-
+# in /etc/hostconfig
+
+. /etc/rc.common
+
+if [ "${POSTFIX:=-NO-}" = "-YES-" -a "${MAILSERVER:=-NO-}" = "-YES-" ]
+then
+ ConsoleMessage "Cannot run concurrent postfix and sendmail"
+ sleep 2
+ exit
+fi
+
+##
+# Start mail server
+##
+
+if [ "$1" == "start" ]
+then
+ if [ "${POSTFIX:=-NO-}" = "-YES-" ]
+ then
+ ConsoleMessage "Starting Postfix mail services"
+ /usr/sbin/postfix start
+ fi
+elif [ "$1" == "stop" ]
+then
+ ConsoleMessage "Stopping Postfix mail services"
+ /usr/sbin/postfix stop
+elif [ "$1" == "restart" ]
+then
+ if [ "${POSTFIX:=-NO-}" = "-YES-" ]
+ then
+ ConsoleMessage "Reloading Postfix configuration"
+ /usr/sbin/postfix reload
+ else
+ ConsoleMessage "Stopping Postfix mail services"
+ /usr/sbin/postfix stop
+ fi
+fi
+
+
--- /dev/null
+{
+ Description = "Postfix mail server";
+ Provides = ("SMTP");
+ Requires = ("Resolver");
+ Uses = ("Network Time", "NFS");
+ Preference = "None";
+ Messages =
+ {
+ start = "Starting Postfix";
+ stop = "Stopping Postfix";
+ restart = "Reloading Postfix Configuration";
+ };
+}
--- /dev/null
+# Adapted from an existing example by Gerben Wierda, Oct 2001. I waive every
+# copyright on this and I also do not give any warranty.
+
+Let's start with the important warning:
+
+DO NOT USE THE MULTIPLE USERS APPLICATION TO CREATE THE POSTFIX USER!
+
+NOTE: Mac OS X as of version 10.3 comes with Postfix as the standard mailer
+and it is supported in Server Admin on Mac OS X 10.3 Server . The instructions
+below therefore only apply for Mac OS X 10.2.8.
+
+NOTE: As of 29 September 2002, these instructions and the scripts have changed
+to make the solution more robust for Apple updates.
+
+Run the commands below in the order that they are presented
+
+A. INSTALLING POSTFIX for the first time and selecting it as the active
+ Mail Transfer Agent (MTA):
+
+ # All these commands are written to be run from this directory.
+
+ # This repairs the previous Oct 2001 setup if any
+ sudo ./repair-oldsetup
+
+ # Prepare for reactivating sendmail
+ sudo ./backup-sendmail-binaries
+
+ # this creates the necessary users & groups for proper operation
+ # of postfix:
+ sudo ./niscript
+
+ # Install postfix:
+ # When the script asks you for setgid (the default will be no) tell it
+ # maildrop
+ (cd ../..; sudo make install)
+
+ # Prepare for reactivating postfix
+ sudo ./backup-postfix-binaries
+
+ # edit /etc/postfix/main.cf to suit your requirements
+ ### add your own commands here ###
+
+ # Activate postfix startup at boot time. Deactivates sendmail.
+ sudo ./activate-postfix
+
+ # Test. Read INSTALL for a series of suggested tests.
+
+B. DEACTIVATING POSTFIX
+
+ # Deactivate postfix startup at boot time
+ sudo ./deactivate-postfix
+
+C. RESTORING Sendmail as the MTA when Postfix is the active MTA
+
+ # This repairs the previous Oct 2001 setup if any
+ sudo ./repair-oldsetup
+
+ # Deactivate postfix startup at boot time
+ sudo ./deactivate-postfix
+
+ sudo ./activate-sendmail
+
+ # Restart your computer
+
+D. RESTORING postfix as the MTA when Sendmail is the active MTA
+
+ # NOTE: The first time you activate postfix you have to follow
+ # the steps of A.
+
+ # This repairs the previous Oct 2001 setup if any
+ sudo ./repair-oldsetup
+
+ sudo ./activate-postfix
+
--- /dev/null
+#!/bin/sh
+
+# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
+# I also do not give any warranty.
+
+. ./defines
+
+# Activate binaries
+if [ ! -e ${POSTFIXBACKUPDIR}/sendmail ]
+then
+ echo "Something is wrong: there is no existing postfix binary backup"
+ exit 1;
+else
+ echo "Restoring postfix versions of sendmail programs from backup..."
+ (cd ${POSTFIXBACKUPDIR}; tar cf - sendmail) | (cd /usr/sbin; tar xf -)
+ (cd ${POSTFIXBACKUPDIR}; tar cf - newaliases) | (cd /usr/bin; tar xf -)
+ (cd ${POSTFIXBACKUPDIR}; tar cf - mailq) | (cd /usr/bin; tar xf -)
+fi
+
+if [ -e "${PSI}" ]
+then
+ echo "Postfix StartupItem already exists."
+else
+ if [ -e "${PSIDISABLED}" ]
+ then
+ echo "Reinstating disabled Postfix StartupItem..."
+ mv "${PSIDISABLED}" "${PSI}"
+ else
+ echo "Installing new default Postfix StartupItem..."
+ cp -R Postfix.StartupItem "${PSI}"
+ fi
+fi
+
+# De-activate sendmail in /etc/hostconfig
+/usr/bin/perl -pi -e 's/MAILSERVER=-YES-/MAILSERVER=-NO-/g' /etc/hostconfig
+# Activate postfix in /etc/hostconfig
+if /usr/bin/grep '^POSTFIX=-NO-' /etc/hostconfig >/dev/null 2>&1; then
+ /usr/bin/perl -pi -e 's/POSTFIX=-NO-/POSTFIX=-YES-/g' /etc/hostconfig
+else
+ echo "POSTFIX=-YES-" >>/etc/hostconfig
+fi
+
+/usr/sbin/postfix start
--- /dev/null
+#!/bin/sh
+
+# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
+# I also do not give any warranty.
+
+. ./defines
+
+. ./deactivate-postfix
+
+# Activate binaries
+if [ ! -e ${SENDMAILBACKUPDIR}/sendmail ]
+then
+ echo "Something is wrong: there is no existing sendmail binary backup"
+ exit 1;
+else
+ echo "Restoring sendmail versions of sendmail programs from backup..."
+ (cd ${SENDMAILBACKUPDIR}; tar cf - sendmail) | (cd /usr/sbin; tar xf -)
+ (cd ${SENDMAILBACKUPDIR}; tar cf - newaliases) | (cd /usr/bin; tar xf -)
+ (cd ${SENDMAILBACKUPDIR}; tar cf - mailq) | (cd /usr/bin; tar xf -)
+fi
+
+# Activate sendmail in /etc/hostconfig
+/usr/bin/perl -pi -e 's/MAILSERVER=-NO-/MAILSERVER=-YES-/g' /etc/hostconfig
+
--- /dev/null
+#! /bin/sh
+
+# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
+# I also do not give any warranty.
+
+# We use tar, as we do not know beforehand if we are dealing with real
+# files or symbolic links. Since we use tar, we cannot change filenames
+# we need to create a directory to hold our backup binaries.
+
+. ./defines
+
+if [ ! -d ${POSTFIXBACKUPDIR} ]
+then
+ mkdir -p ${POSTFIXBACKUPDIR}
+fi
+
+(cd /usr/sbin; tar cf - sendmail) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
+(cd /usr/bin; tar cf - newaliases) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
+(cd /usr/bin; tar cf - mailq) | (cd ${POSTFIXBACKUPDIR}; tar xf -)
+
--- /dev/null
+#! /bin/sh
+
+# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
+# I also do not give any warranty.
+
+# We use tar, as we do not know beforehand if we are dealing with real
+# files or symbolic links. Since we use tar, we cannot change filenames
+# we need to create a directory to hold our backup binaries.
+
+. ./defines
+
+if [ ! -d ${SENDMAILBACKUPDIR} ]
+then
+ mkdir -p ${SENDMAILBACKUPDIR}
+fi
+
+(cd /usr/sbin; tar cf - sendmail) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
+(cd /usr/bin; tar cf - newaliases) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
+(cd /usr/bin; tar cf - mailq) | (cd ${SENDMAILBACKUPDIR}; tar xf -)
+
--- /dev/null
+#!/bin/sh
+
+# Written by Gerben Wierda, Sep 2002. I waive every copyright on this and
+# I also do not give any warranty.
+
+. ./defines
+
+if [ -e "${PSI}" ]
+then
+ mv "${PSI}" "${PSIDISABLED}"
+fi
+
+# De-activate postfix in /etc/hostconfig
+/usr/bin/perl -pi -e 's/POSTFIX=-YES-/POSTFIX=-NO-/g' /etc/hostconfig
+
+/usr/sbin/postfix stop >/dev/null 2>&1
--- /dev/null
+#! /bin/sh
+
+# Written by Gerben Wierda, Oct 2001. I waive every copyright on this and
+# I also do not give any warranty.
+
+SIDIR="/Library/StartupItems"
+
+PSI="${SIDIR}/Postfix"
+PSIDISABLED="${PSI}.disabled"
+
+POSTFIXBACKUPDIR=/usr/sbin/.postfixbackup
+SENDMAILBACKUPDIR=/usr/sbin/.sendmailbackup
--- /dev/null
+#!/usr/bin/perl
+
+# niscript.pl by Gerben Wierda <gerben_wierda@rna.nl>
+
+# This little script is an adaptation of the original niscript sh script by
+# Joe Block <jpb@creol.ucf.edu>
+# instead of using fixed uid/gid and thus not robust if you run it on a
+# system where groups and/or users have been added, this script checks
+# if the users/groups are there and if not creates them with free id's.
+
+# 17 Jul 2002 GW: Fixed two bugs
+# 1. Typo in createuser would always have uid 88 for postfix
+# 2. Add to netinfo domain . instead of / so that it also works on systems
+# where the / domain is actually network-wide (not very useful to add
+# a postfix user to all systems in that netinfo domain...)
+
+print <<_WARNING
+
+This script massages your netinfo database. This can severely break
+your system. If your netinfo database breaks, you get to keep the parts.
+
+No Warranty. Really.
+
+This script tries to create two groups (if they do not already exist):
+- postfix
+- maildrop
+and tries to create a user (if it does not already exist)
+- postfix
+which is member of group postfix.
+
+_WARNING
+;
+
+# The script starts to look at id 88 (both for user and group) and up to 65535
+# It dies if no free id is found.
+
+my $postfixgid = undef;
+my $maildropgid = undef;
+my $postfixuid = undef;
+
+# First create
+
+my @groups = readgroups();
+foreach $group (@groups) {
+ (my $groupname, undef, my $gid, undef) = split( ':', $group);
+ if ($groupname eq 'postfix') {
+ warn "You already have a postfix group (with gid $gid)\n";
+ $postfixgid = $gid;
+ }
+ if ($groupname eq 'maildrop') {
+ warn "You already have a maildrop group (with gid $gid)\n";
+ $maildropgid = $gid;
+ }
+}
+
+if (not defined $postfixgid) {
+ $postfixgid = creategroup( 'postfix');
+}
+
+if (not defined $maildropgid) {
+ $maildropgid = creategroup( 'maildrop');
+}
+
+my @users = readusers();
+foreach $user (@users) {
+ (my $username, undef, my $uid, undef) = split( ':', $user);
+ if ($username eq 'postfix') {
+ warn "You already have a postfix user (with uid $uid)\n";
+ $postfixuid = $uid;
+ }
+}
+
+if (not defined $postfixuid) {
+ $postfixuid = createuser( 'postfix', '"Postfix User"',
+ '/usr/bin/false', '/etc/postfix',
+ $postfixgid);
+ addusertogroup( 'postfix', 'postfix');
+}
+
+warn "\n";
+
+sub creategroup
+{
+ my $name = shift;
+ open( NIDUMP, "nidump group .|") or die "Cannot run nidump\n";
+ my @groups=<NIDUMP>;
+ close( NIDUMP);
+
+ my $tryno;
+ NEXTNO: for ($tryno = 88; $tryno <= 65535; $tryno++) {
+ foreach my $group (@groups) {
+ (my $groupname, undef, my $gid, undef) =
+ split( ':', $group);
+ next NEXTNO if $gid == $tryno;
+ }
+ last NEXTNO;
+ }
+ die "Cannot find free gid\n" if $tryno == 65536;
+ warn "Will create $name as gid $tryno\n";
+ system "niutil -create . /groups/$name";
+ system "niutil -createprop . /groups/$name name $name";
+ system "niutil -createprop . /groups/$name gid $tryno";
+ system "niutil -createprop . /groups/$name passwd '*'";
+ return $tryno;
+}
+
+sub addusertogroup
+{
+ my $user = shift;
+ my $group = shift;
+ system "niutil -appendprop . /groups/$group users $user";
+}
+
+sub readgroups
+{
+ open( NIDUMP, "nidump group .|") or die "Cannot run nidump\n";
+ my @groups=<NIDUMP>;
+ close( NIDUMP);
+ return @groups;
+}
+
+sub readusers
+{
+ my @passwd;
+ open( NIDUMP, "nidump passwd .|") or die "Cannot run nidump\n";
+ @passwd=<NIDUMP>;
+ close( NIDUMP);
+ return @passwd;
+}
+
+sub createuser
+{
+ my $name = shift;
+ my $realname = shift;
+ my $shell = shift;
+ my $home = shift;
+ my $gid = shift;
+
+ open( NIDUMP, "nidump passwd .|") or die "Cannot run nidump\n";
+ my @passwds=<NIDUMP>;
+ close( NIDUMP);
+
+ my $tryno;
+ NEXTNO: for ($tryno = 88; $tryno <= 65535; $tryno++) {
+ foreach my $passwd (@passwds) {
+ (my $passwdname, undef, my $uid, undef) =
+ split( ':', $passwd);
+ next NEXTNO if $uid == $tryno;
+ }
+ last NEXTNO;
+ }
+ die "Cannot find free uid\n" if $tryno == 65536;
+ warn "Will create $name as uid $tryno\n";
+ system "niutil -create . /users/$name";
+ system "niutil -createprop . /users/$name realname $realname";
+ system "niutil -createprop . /users/$name shell $shell";
+ system "niutil -createprop . /users/$name uid $tryno";
+ system "niutil -createprop . /users/$name gid $gid";
+ system "niutil -createprop . /users/$name home $home";
+ system "niutil -createprop . /users/$name _shadow_passwd";
+ system "niutil -createprop . /users/$name passwd '*'";
+ return $tryno;
+}
+
--- /dev/null
+#!/bin/sh
+
+if [ -d /System/Library/DisabledStartupItems/Sendmail ]
+then
+ mv /System/Library/DisabledStartupItems/Sendmail /System/Library/StartupItems
+ rmdir /System/Library/DisabledStartupItems/Sendmail
+ rm -rf /System/Library/StartupItems/Postfix
+fi
# \fBqshape\fR [\fB-s\fR] [\fB-p\fR] [\fB-m \fImin_subdomains\fR]
# [\fB-b \fIbucket_count\fR] [\fB-t \fIbucket_time\fR]
# [\fB-l\fR] [\fB-w \fIterminal_width\fR]
-# [\fB-N \fIbatch_msg_count\fR] [\fB-n \fIbatch_top_domains\fR]
# [\fB-c \fIconfig_directory\fR] [\fIqueue_name\fR ...]
# DESCRIPTION
# The \fBqshape\fR program helps the administrator understand the
# parent domain rows are shown as '.+' followed by the last 16 bytes
# of the domain name. If this is still too narrow to show the domain
# name and all the counters, the terminal_width limit is violated.
-# .IP "\fB-N \fIbatch_msg_count\fR"
-# When the output device is a terminal, intermediate results are
-# shown each "batch_msg_count" messages. This produces usable results
-# in a reasonable time even when the deferred queue is large. The
-# default is to show intermediate results every 1000 messages.
-# .IP "\fB-n \fIbatch_top_domains\fR"
-# When reporting intermediate or final results to a termainal, report
-# only the top "batch_top_domains" domains. The default limit is 20
-# domains.
# .IP "\fB-c \fIconfig_directory\fR"
# The \fBmain.cf\fR configuration file is in the named directory
# instead of the default configuration directory.
use File::Find;
use Getopt::Std;
-my $cls; # Clear screen escape sequence
-my $batch_msg_count; # Interim result frequency
-my $batch_top_domains; # Interim result count
my %opts; # Command line switches
my %q; # domain counts for queues and buckets
my %sub; # subdomain counts for parent domains
warn "$0: $_[0]" unless exists($opts{"h"});
die "Usage: $0 [ -s ] [ -p ] [ -m <min_subdomains> ] [ -l ]\n".
"\t[ -b <bucket_count> ] [ -t <bucket_time> ] [ -w <terminal_width> ]\n".
- "\t[ -N <batch_msg_count> ] [ -n <batch_top_domains> ]\n".
"\t[ -c <config_directory> ] [ <queue_name> ... ]\n".
"The 's' option shows sender domain counts.\n".
"The 'p' option shows address counts by for parent domains.\n".
"not supported. If necessary, use explicit absolute paths for all queues.\n";
};
- getopts("lhc:psw:b:t:m:n:N:", \%opts);
+ getopts("lhc:psw:b:t:m:", \%opts);
warn "Help message" if (exists $opts{"h"});
@qlist = @ARGV if (@ARGV > 0);
$tick = $opts{"t"} if (exists $opts{"t"} && $opts{"t"} > 0);
$minsub = $opts{"m"} if (exists $opts{"m"} && $opts{"m"} > 0);
-if ( -t STDOUT ) {
- $batch_msg_count = 1000 unless defined($batch_msg_count = $opts{"N"});
- $batch_top_domains = 20 unless defined ($batch_top_domains = $opts{"n"});
- $cls = `clear`;
-} else {
- $batch_msg_count = 0;
- $batch_top_domains = 0;
- $cls = "";
-}
-
sub rec_get {
my ($h) = @_;
my $r = getc($h) || return;
# Collate by age of message in the selected queues.
#
-my $msgs;
sub wanted {
if (my ($t, $s, @r) = qenv($_)) {
my $b = bucket($t, $now);
$new = ! $old;
} while ($opts{"p"} && $a =~ s/^(?:\.)?[^.]+\.(.*\.)/.$1/);
}
- if ($batch_msg_count > 0 && ++$msgs % $batch_msg_count == 0) {
- results();
- }
}
}
+find(\&wanted, @qlist);
my @heads;
-my $fmt;
-my $dw;
+my $fmt = "";
+my $dw = $width;
+
+for (my $i = 0, my $t = 0; $i <= $bnum; ) {
+ $q{"TOTAL"}->[$i] ||= 0;
+ my $l = length($q{"TOTAL"}->[$i]);
+ my $h = ($i == 0) ? "T" : $t;
+ $l = length($h) if (length($h) >= $l);
+ $l = ($l > 2) ? $l + 1 : 3;
+ push(@heads, $h);
+ $fmt .= sprintf "%%%ds", $l;
+ $dw -= $l;
+ if (++$i < $bnum) { $t += ($t && !$opts{"l"}) ? $t : $tick; } else { $t = "$t+"; }
+}
+$dw = $dwidth if ($dw < $dwidth);
sub pdomain {
my ($d, @count) = @_;
printf "$fmt\n", @count;
}
-sub results {
- @heads = ();
- $dw = $width;
- $fmt = "";
- for (my $i = 0, my $t = 0; $i <= $bnum; ) {
- $q{"TOTAL"}->[$i] ||= 0;
- my $l = length($q{"TOTAL"}->[$i]);
- my $h = ($i == 0) ? "T" : $t;
- $l = length($h) if (length($h) >= $l);
- $l = ($l > 2) ? $l + 1 : 3;
- push(@heads, $h);
- $fmt .= sprintf "%%%ds", $l;
- $dw -= $l;
- if (++$i < $bnum) { $t += ($t && !$opts{"l"}) ? $t : $tick; } else { $t = "$t+"; }
- }
- $dw = $dwidth if ($dw < $dwidth);
-
- print $cls if ($batch_msg_count > 0);
-
- # Print headings
- #
- pdomain("", @heads);
+# Print headings
+#
+pdomain("", @heads);
- my $n = 0;
+# Show per-domain totals
+#
+foreach my $d (sort { $q{$b}->[0] <=> $q{$a}->[0] ||
+ length($a) <=> length($b) } keys %q) {
- # Show per-domain totals
+ # Skip parent domains with < $minsub subdomains.
#
- foreach my $d (sort { $q{$b}->[0] <=> $q{$a}->[0] ||
- length($a) <=> length($b) } keys %q) {
-
- # Skip parent domains with < $minsub subdomains.
- #
- next if ($d =~ /^\./ && $sub{$d} < $minsub);
+ next if ($d =~ /^\./ && $sub{$d} < $minsub);
- last if ($batch_top_domains > 0 && ++$n > $batch_top_domains);
-
- pdomain($d, @{$q{$d}});
- }
+ pdomain($d, @{$q{$d}});
}
-
-find(\&wanted, @qlist);
-results();
# ACCESS(5) ACCESS(5)
#
# NAME
-# access - Postfix SMTP server access table
+# access - Postfix access table format
#
# SYNOPSIS
# postmap /etc/postfix/access
# postmap -q - /etc/postfix/access <inputfile
#
# DESCRIPTION
-# This document describes access control on remote SMTP
-# client information: host names, network addresses, and
-# envelope sender or recipient addresses; it is implemented
-# by the Postfix SMTP server. See header_checks(5) or
-# body_checks(5) for access control on the content of email
-# messages.
-#
-# Normally, the access(5) table is specified as a text file
-# that serves as input to the postmap(1) command. The
-# result, an indexed file in dbm or db format, is used for
-# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/access" to rebuild an indexed file
-# after changing the corresponding text file.
-#
-# When the table is provided via other means such as NIS,
-# LDAP or SQL, the same lookups are done as for ordinary
+# The optional access(5) table directs the Postfix SMTP
+# server to selectively reject or accept mail. Access can be
+# allowed or denied for specific host names, domain names,
+# networks, host addresses or mail addresses.
+#
+# For an example, see the EXAMPLE section at the end of this
+# manual page.
+#
+# Normally, the access(5) table is specified as a text file
+# that serves as input to the postmap(1) command. The
+# result, an indexed file in dbm or db format, is used for
+# fast searching by the mail system. Execute the command
+# "postmap /etc/postfix/access" in order to rebuild the
+# indexed file after changing the access table.
+#
+# When the table is provided via other means such as NIS,
+# LDAP or SQL, the same lookups are done as for ordinary
# indexed files.
#
-# Alternatively, the table can be provided as a regular-
+# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
-# sions, or lookups can be directed to TCP-based server. In
-# those cases, the lookups are done in a slightly different
-# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# sions, or lookups can be directed to TCP-based server. In
+# that case, the lookups are done in a slightly different
+# way as described below under "REGULAR EXPRESSION TABLES"
+# and "TCP-BASED TABLES".
#
# CASE FOLDING
-# The search string is folded to lowercase before database
-# lookup. As of Postfix 2.3, the search string is not case
-# folded with database types such as regexp: or pcre: whose
+# The search string is folded to lowercase before database
+# lookup. As of Postfix 2.3, the search string is not case
+# folded with database types such as regexp: or pcre: whose
# lookup fields can match both upper and lower case.
#
# TABLE FORMAT
# address, perform the corresponding action.
#
# blank lines and comments
-# Empty lines and whitespace-only lines are ignored,
-# as are lines whose first non-whitespace character
+# Empty lines and whitespace-only lines are ignored,
+# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
-# A logical line starts with non-whitespace text. A
-# line that starts with whitespace continues a logi-
+# A logical line starts with non-whitespace text. A
+# line that starts with whitespace continues a logi-
# cal line.
#
# EMAIL ADDRESS PATTERNS
# With lookups from indexed files such as DB or DBM, or from
-# networked tables such as NIS, LDAP or SQL, patterns are
+# networked tables such as NIS, LDAP or SQL, patterns are
# tried in the order as listed below:
#
# user@domain
# Matches the specified mail address.
#
# domain.tld
-# Matches domain.tld as the domain part of an email
+# Matches domain.tld as the domain part of an email
# address.
#
# The pattern domain.tld also matches subdomains, but
# only when the string smtpd_access_maps is listed in
-# the Postfix parent_domain_matches_subdomains con-
-# figuration setting (note that this is the default
-# for some versions of Postfix). Otherwise, specify
-# .domain.tld (note the initial dot) in order to
+# the Postfix parent_domain_matches_subdomains con-
+# figuration setting (note that this is the default
+# for some versions of Postfix). Otherwise, specify
+# .domain.tld (note the initial dot) in order to
# match subdomains.
#
-# user@ Matches all mail addresses with the specified user
+# user@ Matches all mail addresses with the specified user
# part.
#
-# Note: lookup of the null sender address is not possible
-# with some types of lookup table. By default, Postfix uses
-# <> as the lookup key for such addresses. The value is
-# specified with the smtpd_null_access_lookup_key parameter
+# Note: lookup of the null sender address is not possible
+# with some types of lookup table. By default, Postfix uses
+# <> as the lookup key for such addresses. The value is
+# specified with the smtpd_null_access_lookup_key parameter
# in the Postfix main.cf file.
#
# EMAIL ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
-# ient delimiter (e.g., user+foo@domain), the lookup order
-# becomes: user+foo@domain, user@domain, domain, user+foo@,
+# ient delimiter (e.g., user+foo@domain), the lookup order
+# becomes: user+foo@domain, user@domain, domain, user+foo@,
# and user@.
#
# HOST NAME/ADDRESS PATTERNS
# With lookups from indexed files such as DB or DBM, or from
-# networked tables such as NIS, LDAP or SQL, the following
+# networked tables such as NIS, LDAP or SQL, the following
# lookup patterns are examined in the order as listed:
#
# domain.tld
#
# The pattern domain.tld also matches subdomains, but
# only when the string smtpd_access_maps is listed in
-# the Postfix parent_domain_matches_subdomains con-
+# the Postfix parent_domain_matches_subdomains con-
# figuration setting. Otherwise, specify .domain.tld
-# (note the initial dot) in order to match subdo-
+# (note the initial dot) in order to match subdo-
# mains.
#
# net.work.addr.ess
#
# net.work
#
-# net Matches the specified IPv4 host address or subnet-
-# work. An IPv4 host address is a sequence of four
+# net Matches the specified IPv4 host address or subnet-
+# work. An IPv4 host address is a sequence of four
# decimal octets separated by ".".
#
-# Subnetworks are matched by repeatedly truncating
+# Subnetworks are matched by repeatedly truncating
# the last ".octet" from the remote IPv4 host address
-# string until a match is found in the access table,
+# string until a match is found in the access table,
# or until further truncation is not possible.
#
-# NOTE 1: The access map lookup key must be in canon-
-# ical form: do not specify unnecessary null charac-
-# ters, and do not enclose network address informa-
-# tion with "[]" characters.
+# NOTE 1: The information in the access map should be
+# in canonical form, with unnecessary null characters
+# eliminated. Address information must not be
+# enclosed with "[]" characters.
#
-# NOTE 2: use the cidr lookup table type to specify
+# NOTE 2: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
#
# net:work
#
-# net Matches the specified IPv6 host address or subnet-
-# work. An IPv6 host address is a sequence of three
-# to eight hexadecimal octet pairs separated by ":".
+# net Matches the specified IPv6 host address or subnet-
+# work. An IPv6 host address is a sequence of three
+# to eight hexadecimal octet pairs separated by ":".
#
-# Subnetworks are matched by repeatedly truncating
-# the last ":octetpair" from the remote IPv6 host
+# Subnetworks are matched by repeatedly truncating
+# the last ":octetpair" from the remote IPv6 host
# address string until a match is found in the access
# table, or until further truncation is not possible.
#
# the string representation of the IPv6 host address.
# Thus, not all the ":" subnetworks will be tried.
#
-# NOTE 2: The access map lookup key must be in canon-
-# ical form: do not specify unnecessary null charac-
-# ters, and do not enclose network address informa-
-# tion with "[]" characters.
+# NOTE 2: The information in the access map should be
+# in canonical form, with unnecessary null characters
+# eliminated. Address information must not be
+# enclosed with "[]" characters.
#
-# NOTE 3: use the cidr lookup table type to specify
+# NOTE 3: use the cidr lookup table type to specify
# network/netmask patterns. See cidr_table(5) for
# details.
#
#
# all-numerical
# An all-numerical result is treated as OK. This for-
-# mat is generated by address-based relay authoriza-
+# mat is generated by address-based relay authoriza-
# tion schemes such as pop-before-smtp.
#
# REJECT ACTIONS
-# Postfix version 2.3 and later support enhanced status
-# codes as defined in RFC 3463. When no code is specified
-# at the beginning of the text below, Postfix inserts a
-# default enhanced status code of "5.7.1" in the case of
-# reject actions, and "4.7.1" in the case of defer actions.
+# Postfix version 2.3 and later support enhanced status
+# codes as defined in RFC 3463. When no code is specified
+# at the beginning of the text below, Postfix inserts a
+# default enhanced status code of "5.7.1" in the case of
+# reject actions, and "4.7.1" in the case of defer actions.
# See "ENHANCED STATUS CODES" below.
#
# 4NN text
#
# 5NN text
-# Reject the address etc. that matches the pattern,
+# Reject the address etc. that matches the pattern,
# and respond with the numerical three-digit code and
-# text. 4NN means "try again later", while 5NN means
+# text. 4NN means "try again later", while 5NN means
# "do not try again".
#
-# The reply code "421" causes Postfix to disconnect
+# The reply code "421" causes Postfix to disconnect
# immediately (Postfix version 2.3 and later).
#
# REJECT optional text...
-# Reject the address etc. that matches the pattern.
-# Reply with $reject_code optional text... when the
-# optional text is specified, otherwise reply with a
+# Reject the address etc. that matches the pattern.
+# Reply with $reject_code optional text... when the
+# optional text is specified, otherwise reply with a
# generic error response message.
#
# DEFER_IF_REJECT optional text...
-# Defer the request if some later restriction would
-# result in a REJECT action. Reply with "450 4.7.1
-# optional text... when the optional text is speci-
-# fied, otherwise reply with a generic error response
-# message.
+# Defer the request if some later restriction would
+# result in a REJECT action. Reply with "450 optional
+# text... when the optional text is specified, other-
+# wise reply with a generic error response message.
#
# This feature is available in Postfix 2.1 and later.
#
# DEFER_IF_PERMIT optional text...
# Defer the request if some later restriction would
# result in a an explicit or implicit PERMIT action.
-# Reply with "450 4.7.1 optional text... when the
-# optional text is specified, otherwise reply with a
-# generic error response message.
+# Reply with "450 optional text... when the optional
+# text is specified, otherwise reply with a generic
+# error response message.
#
# This feature is available in Postfix 2.1 and later.
#
# about external content filters is in the Postfix
# FILTER_README file.
#
-# Note: this action overrides the content_filter set-
-# ting, and currently affects all recipients of the
-# message.
+# Note: this action overrides the main.cf con-
+# tent_filter setting, and currently affects all
+# recipients of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# Note: use "postsuper -r" to release mail that was
# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer. Use "postsuper -H" only for mail that will
-# not expire within a few delivery attempts.
+# longer.
#
-# Note: this action currently affects all recipients
+# Note: this action currently affects all recipients
# of the message.
#
# This feature is available in Postfix 2.0 and later.
#
# PREPEND headername: headervalue
-# Prepend the specified message header to the mes-
-# sage. When more than one PREPEND action executes,
-# the first prepended header appears before the sec-
-# ond etc. prepended header.
+# Prepend the specified message header to the mes-
+# sage. When this action is used multiple times, the
+# first prepended header appears before the second
+# etc. prepended header.
+#
+# Note: this action does not support multi-line mes-
+# sage headers.
#
-# Note: this action must execute before the message
-# content is received; it cannot execute in the con-
-# text of smtpd_end_of_data_restrictions.
+# Note: this action must be used before the message
+# content is received; it cannot be used in
+# smtpd_end_of_data_restrictions.
#
# This feature is available in Postfix 2.1 and later.
#
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire
# When the command fails, a limited amount of command
# output is mailed back to the sender. The file
# /usr/include/sysexits.h defines the expected exit
-# status codes. For example, use "|exit 67" to simu-
-# late a "user unknown" error, and "|exit 0" to
+# status codes. For example, use |"exit 67" to simu-
+# late a "user unknown" error, and |"exit 0" to
# implement an expensive black hole.
#
# :include:/file/name
# file that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/canonical" to rebuild an indexed
-# file after changing the corresponding text file.
+# "postmap /etc/postfix/canonical" in order to rebuild the
+# indexed file after changing the text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
-# those cases, the lookups are done in a slightly different
+# that case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# and "TCP-BASED TABLES".
#
# By default the canonical(5) mapping affects both message
# header addresses (i.e. addresses that appear inside mes-
# addresses produced by legacy mail systems.
#
# The canonical(5) mapping is not to be confused with vir-
-# tual alias support or with local aliasing. To change the
-# destination but not the headers, use the virtual(5) or
-# aliases(5) map instead.
+# tual domain support. Use the virtual(5) map for that pur-
+# pose.
+#
+# The canonical(5) mapping is not to be confused with local
+# aliasing. Use the aliases(5) map for that purpose.
#
# CASE FOLDING
# The search string is folded to lowercase before database
# Replace other addresses in domain by address. This
# form has the lowest precedence.
#
-# Note: @domain is a wild-card. When this form is
-# applied to recipient addresses, the Postfix SMTP
-# server accepts mail for any recipient in domain,
-# regardless of whether that recipient exists. This
-# may turn your mail system into a backscatter source
-# that returns undeliverable spam to innocent people.
-#
# RESULT ADDRESS REWRITING
# The lookup result is subject to address rewriting:
#
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/generic" to rebuild an indexed file
-# after changing the corresponding text file.
+# "postmap /etc/postfix/generic" in order to rebuild the
+# indexed file after changing the text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
-# those case, the lookups are done in a slightly different
+# that case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# and "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# HEADER_CHECKS(5) HEADER_CHECKS(5)
#
# NAME
-# header_checks - Postfix built-in content inspection
+# header_checks - Postfix built-in header/body inspection
#
# SYNOPSIS
# header_checks = pcre:/etc/postfix/header_checks
# nested_header_checks = pcre:/etc/postfix/nested_header_checks
# body_checks = pcre:/etc/postfix/body_checks
#
-# postmap -q "string" pcre:/etc/postfix/filename
-# postmap -q - pcre:/etc/postfix/filename <inputfile
+# postmap -fq "string" pcre:/etc/postfix/filename
+# postmap -fq - pcre:/etc/postfix/filename <inputfile
#
# DESCRIPTION
-# This document describes access control on the content of
-# message headers and message body lines; it is implemented
-# by the Postfix cleanup(8) server before mail is queued.
-# See access(5) for access control on remote SMTP client
-# information.
-#
-# Each message header or message body line is compared
-# against a list of patterns. When a match is found the
-# corresponding action is executed, and the matching process
-# is repeated for the next message header or message body
-# line.
-#
-# For examples, see the EXAMPLES section at the end of this
+# Postfix provides a simple built-in content inspection
+# mechanism that examines incoming mail one message header
+# or one message body line at a time. Each input is compared
+# against a list of patterns, and when a match is found the
+# corresponding action is executed. This feature is imple-
+# mented by the Postfix cleanup(8) server.
+#
+# For examples, see the EXAMPLES section at the end of this
# manual page.
#
# Postfix header or body_checks are designed to stop a flood
-# of mail from worms or viruses; they do not decode attach-
-# ments, and they do not unzip archives. See the documents
-# referenced below in the README FILES section if you need
+# of mail from worms or viruses; they do not decode attach-
+# ments, and they do not unzip archives. See the documents
+# referenced below in the README FILES section if you need
# more sophisticated content analysis.
#
# Postfix supports four built-in content inspection classes:
#
# header_checks
-# These are applied to initial message headers
-# (except for the headers that are processed with
+# These are applied to initial message headers
+# (except for the headers that are processed with
# mime_header_checks).
#
# mime_header_checks (default: $header_checks)
-# These are applied to MIME related message headers
+# These are applied to MIME related message headers
# only.
#
# This feature is available in Postfix 2.0 and later.
#
# nested_header_checks (default: $header_checks)
-# These are applied to message headers of attached
-# email messages (except for the headers that are
+# These are applied to message headers of attached
+# email messages (except for the headers that are
# processed with mime_header_checks).
#
# This feature is available in Postfix 2.0 and later.
#
# body_checks
-# These are applied to all other content, including
+# These are applied to all other content, including
# multi-part message boundaries.
#
# With Postfix versions before 2.0, all content after
# tent.
#
# Note: message headers are examined one logical header at a
-# time, even when a message header spans multiple lines.
+# time, even when a message header spans multiple lines.
# Body lines are always examined one line at a time.
#
# TABLE FORMAT
-# This document assumes that header and body_checks rules
-# are specified in the form of Postfix regular expression
-# lookup tables. Usually the best performance is obtained
+# This document assumes that header and body_checks rules
+# are specified in the form of Postfix regular expression
+# lookup tables. Usually the best performance is obtained
# with pcre (Perl Compatible Regular Expression) tables, but
-# the slower regexp (POSIX regular expressions) support is
-# more widely available. Use the command "postconf -m" to
-# find out what lookup table types your Postfix system sup-
+# the slower regexp (POSIX regular expressions) support is
+# more widely available. Use the command "postconf -m" to
+# find out what lookup table types your Postfix system sup-
# ports.
#
# The general format of Postfix regular expression tables is
-# given below. For a discussion of specific pattern or
-# flags syntax, see pcre_table(5) or regexp_table(5),
+# given below. For a discussion of specific pattern or
+# flags syntax, see pcre_table(5) or regexp_table(5),
# respectively.
#
# /pattern/flags action
-# When pattern matches the input string, execute the
-# corresponding action. See below for a list of pos-
+# When pattern matches the input string, execute the
+# corresponding action. See below for a list of pos-
# sible actions.
#
# !/pattern/flags action
-# When pattern does not match the input string, exe-
+# When pattern does not match the input string, exe-
# cute the corresponding action.
#
# if /pattern/flags
#
# endif Match the input string against the patterns between
-# if and endif, if and only if the same input string
-# also matches pattern. The if..endif can nest.
+# if and endif, if and only if the input string also
+# matches pattern. The if..endif can nest.
#
-# Note: do not prepend whitespace to patterns inside
+# Note: do not prepend whitespace to patterns inside
# if..endif.
#
# if !/pattern/flags
#
# endif Match the input string against the patterns between
-# if and endif, if and only if the same input string
-# does not match pattern. The if..endif can nest.
+# if and endif, if and only if the input string does
+# not match pattern. The if..endif can nest.
#
# blank lines and comments
-# Empty lines and whitespace-only lines are ignored,
-# as are lines whose first non-whitespace character
+# Empty lines and whitespace-only lines are ignored,
+# as are lines whose first non-whitespace character
# is a `#'.
#
# multi-line text
-# A pattern/action line starts with non-whitespace
-# text. A line that starts with whitespace continues
+# A pattern/action line starts with non-whitespace
+# text. A line that starts with whitespace continues
# a logical line.
#
# TABLE SEARCH ORDER
-# For each line of message input, the patterns are applied
-# in the order as specified in the table. When a pattern is
-# found that matches the input line, the corresponding
-# action is executed and then the next input line is
+# For each line of message input, the patterns are applied
+# in the order as specified in the table. When a pattern is
+# found that matches the input line, the corresponding
+# action is executed and then the next input line is
# inspected.
#
# TEXT SUBSTITUTION
-# Substitution of substrings from the matched expression
-# into the action string is possible using the conventional
-# Perl syntax ($1, $2, etc.). The macros in the result
-# string may need to be written as ${n} or $(n) if they
+# Substitution of substrings from the matched expression
+# into the action string is possible using the conventional
+# Perl syntax ($1, $2, etc.). The macros in the result
+# string may need to be written as ${n} or $(n) if they
# aren't followed by whitespace.
#
-# Note: since negated patterns (those preceded by !) return
+# Note: since negated patterns (those preceded by !) return
# a result when the expression does not match, substitutions
# are not available for negated patterns.
#
# case for consistency with other Postfix documentation.
#
# DISCARD optional text...
-# Claim successful delivery and silently discard the
-# message. Log the optional text if specified, oth-
+# Claim successful delivery and silently discard the
+# message. Log the optional text if specified, oth-
# erwise log a generic message.
#
-# Note: this action disables further header or
-# body_checks inspection of the current message and
+# Note: this action disables further header or
+# body_checks inspection of the current message and
# affects all recipients. To discard only one recip-
# ient without discarding the entire message, use the
# transport(5) table to direct mail to the discard(8)
#
# This feature is available in Postfix 2.0 and later.
#
-# DUNNO Pretend that the input line did not match any pat-
-# tern, and inspect the next input line. This action
+# DUNNO Pretend that the input line did not match any pat-
+# tern, and inspect the next input line. This action
# can be used to shorten the table search.
#
-# For backwards compatibility reasons, Postfix also
-# accepts OK but it is (and always has been) treated
+# For backwards compatibility reasons, Postfix also
+# accepts OK but it is (and always has been) treated
# as DUNNO.
#
# This feature is available in Postfix 2.1 and later.
#
# FILTER transport:destination
-# Write a content filter request to the queue file,
-# and inspect the next input line. After the com-
-# plete message is received it will be sent through
+# Write a content filter request to the queue file
+# and inspect the next input line. After the com-
+# plete message is received it will be sent through
# the specified external content filter. More infor-
-# mation about external content filters is in the
+# mation about external content filters is in the
# Postfix FILTER_README file.
#
-# Note: this action overrides the content_filter set-
-# ting, and affects all recipients of the message. In
-# the case that multiple FILTER actions fire, only
-# the last one is executed.
+# Note: this action overrides the main.cf con-
+# tent_filter setting, and affects all recipients of
+# the message. In the case that multiple FILTER
+# actions fire, only the last one is executed.
#
# This feature is available in Postfix 2.0 and later.
#
# HOLD optional text...
-# Arrange for the message to be placed on the hold
-# queue, and inspect the next input line. The mes-
-# sage remains on hold until someone either deletes
-# it or releases it for delivery. Log the optional
+# Arrange for the message to be placed on the hold
+# queue, and inspect the next input line. The mes-
+# sage remains on hold until someone either deletes
+# it or releases it for delivery. Log the optional
# text if specified, otherwise log a generic message.
#
-# Mail that is placed on hold can be examined with
-# the postcat(1) command, and can be destroyed or
+# Mail that is placed on hold can be examined with
+# the postcat(1) command, and can be destroyed or
# released with the postsuper(1) command.
#
-# Note: use "postsuper -r" to release mail that was
-# kept on hold for a significant fraction of $maxi-
+# Note: use "postsuper -r" to release mail that was
+# kept on hold for a significant fraction of $maxi-
# mal_queue_lifetime or $bounce_queue_lifetime, or
-# longer. Use "postsuper -H" only for mail that will
-# not expire within a few delivery attempts.
+# longer.
#
# Note: this action affects all recipients of the
# message.
#
# This feature is available in Postfix 2.0 and later.
#
-# IGNORE Delete the current line from the input, and inspect
+# IGNORE Delete the current line from the input and inspect
# the next input line.
#
# PREPEND text...
-# Prepend one line with the specified text, and
+# Prepend one line with the specified text and
# inspect the next input line.
#
# Notes:
#
# REDIRECT user@domain
# Write a message redirection request to the queue
-# file, and inspect the next input line. After the
+# file and inspect the next input line. After the
# message is queued, it will be sent to the specified
# address instead of the intended recipient(s).
#
# This feature is available in Postfix 2.1 and later.
#
# REPLACE text...
-# Replace the current line with the specified text,
+# Replace the current line with the specified text
# and inspect the next input line.
#
# This feature is available in Postfix 2.2 and later.
#
# WARN optional text...
# Log a warning with the optional text... (or log a
-# generic message), and inspect the next input line.
+# generic message) and inspect the next input line.
# This action is useful for debugging and for testing
# a pattern before applying more drastic actions.
#
# BUGS
# Many people overlook the main limitations of header and
-# body_checks rules.
-#
-# o These rules operate on one logical message header
-# or one body line at a time. A decision made for one
-# line is not carried over to the next line.
-#
-# o If text in the message body is encoded (RFC 2045)
-# then the rules have to specified for the encoded
-# form.
-#
-# o Likewise, when message headers are encoded (RFC
-# 2047) then the rules need to be specified for the
-# encoded form.
+# body_checks rules. These rules operate on one logical
+# message header or one body line at a time, and a decision
+# made for one line is not carried over to the next line.
+# If text in the message body is encoded (RFC 2045) then the
+# rules have to specified for the encoded form. Likewise,
+# when message headers are encoded (RFC 2047) then the rules
+# need to be specified for the encoded form.
#
# Message headers added by the cleanup(8) daemon itself are
# excluded from inspection. Examples of such message headers
# Turn on safety nets for new features that could bounce mail that
# would be accepted by a previous Postfix version.
+ # This safety net is also documented in LOCAL_RECIPIENT_README.
- # [The "unknown_local_recipient_reject_code = 450" safety net,
- # introduced with Postfix 2.0 and deleted after Postfix 2.3.]
+# unknown_local=unknown_local_recipient_reject_code
+# has_lrm=`$POSTCONF -c $config_directory -n local_recipient_maps`
+# has_lrjc=`$POSTCONF -c $config_directory -n $unknown_local`
+#
+# if [ -z "$has_lrm" -a -z "$has_lrjc" ]
+# then
+# echo SAFETY: editing main.cf, setting $unknown_local=450.
+# echo See the LOCAL_RECIPIENT_README file for details.
+# $POSTCONF -c $config_directory -e "$unknown_local = 450" || exit 1
+# fi
# Add missing proxymap service to master.cf.
$readme_directory/PACKAGE_README:f:root:-:644
$readme_directory/PCRE_README:f:root:-:644
$readme_directory/PGSQL_README:f:root:-:644
-$readme_directory/QMQP_README:f:root:-:644:o
+$readme_directory/QMQP_README:f:root:-:644
$readme_directory/QSHAPE_README:f:root:-:644
$readme_directory/RELEASE_NOTES:f:root:-:644
$readme_directory/RESTRICTION_CLASS_README:f:root:-:644
$html_directory/CDB_README.html:f:root:-:644
$html_directory/CONNECTION_CACHE_README.html:f:root:-:644
$html_directory/CONTENT_INSPECTION_README.html:f:root:-:644
-$html_directory/CYRUS_README.html:f:root:-:644:o
+$html_directory/CYRUS_README.html:f:root:-:644
$html_directory/DATABASE_README.html:f:root:-:644
$html_directory/DB_README.html:f:root:-:644
$html_directory/DEBUG_README.html:f:root:-:644
$html_directory/PACKAGE_README.html:f:root:-:644
$html_directory/PCRE_README.html:f:root:-:644
$html_directory/PGSQL_README.html:f:root:-:644
-$html_directory/QMQP_README.html:f:root:-:644:o
+$html_directory/QMQP_README.html:f:root:-:644
$html_directory/QSHAPE_README.html:f:root:-:644
$html_directory/RESTRICTION_CLASS_README.html:f:root:-:644
$html_directory/SASL_README.html:f:root:-:644
$html_directory/TLS_LEGACY_README.html:f:root:-:644
$html_directory/TLS_README.html:f:root:-:644
$html_directory/TUNING_README.html:f:root:-:644
-$html_directory/ULTRIX_README.html:f:root:-:644:o
+$html_directory/ULTRIX_README.html:f:root:-:644
$html_directory/UUCP_README.html:f:root:-:644
$html_directory/VERP_README.html:f:root:-:644
$html_directory/VIRTUAL_README.html:f:root:-:644
$html_directory/canonical.5.html:f:root:-:644
$html_directory/cidr_table.5.html:f:root:-:644
$html_directory/cleanup.8.html:f:root:-:644
-$html_directory/defer.8.html:h:$html_directory/bounce.8.html:-:644
+$html_directory/defer.8.html:f:root:-:644
$html_directory/discard.8.html:f:root:-:644
$html_directory/error.8.html:f:root:-:644
$html_directory/flush.8.html:f:root:-:644
$html_directory/master.8.html:f:root:-:644
$html_directory/mysql_table.5.html:f:root:-:644
$html_directory/nisplus_table.5.html:f:root:-:644
-$html_directory/newaliases.1.html:h:$html_directory/mailq.1.html:-:644
+$html_directory/newaliases.1.html:f:root:-:644
$html_directory/oqmgr.8.html:f:root:-:644
$html_directory/pcre_table.5.html:f:root:-:644
$html_directory/pgsql_table.5.html:f:root:-:644
$html_directory/qmqpd.8.html:f:root:-:644
$html_directory/regexp_table.5.html:f:root:-:644
$html_directory/relocated.5.html:f:root:-:644
-$html_directory/sendmail.1.html:h:$html_directory/mailq.1.html:-:644
+$html_directory/sendmail.1.html:f:root:-:644
$html_directory/showq.8.html:f:root:-:644
$html_directory/smtp-sink.1.html:f:root:-:644
$html_directory/smtp-source.1.html:f:root:-:644
-$html_directory/smtp.8.html:h:$html_directory/lmtp.8.html:-:644
+$html_directory/smtp.8.html:f:root:-:644
$html_directory/smtpd.8.html:f:root:-:644
$html_directory/spawn.8.html:f:root:-:644
$html_directory/tcp_table.5.html:f:root:-:644
-$html_directory/trace.8.html:h:$html_directory/bounce.8.html:-:644
+$html_directory/trace.8.html:f:root:-:644
$html_directory/transport.5.html:f:root:-:644
$html_directory/trivial-rewrite.8.html:f:root:-:644
$html_directory/verify.8.html:f:root:-:644
}
$INFO stopping the Postfix mail system
kill `sed 1q pid/master.pid`
- for i in 5 4 3 2 1
+ for i in 6 5 4 3 2 1
do
$daemon_directory/master -t && exit 0
- $INFO waiting for the Postfix mail system to terminate
+ $INFO waiting for the Postfix mail system to terminate - $i
sleep 1
done
$WARN stopping the Postfix mail system with force
# file that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/relocated" to rebuild an indexed
-# file after changing the corresponding relocated table.
+# "postmap /etc/postfix/relocated" in order to rebuild the
+# indexed file after changing the relocated table.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
-# those case, the lookups are done in a slightly different
+# that case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# and "TCP-BASED TABLES".
#
# Table lookups are case insensitive.
#
# regexp_table(5) or pcre_table(5). For a description of the
# TCP client/server table lookup protocol, see tcp_table(5).
# This feature is not available up to and including Postfix
-# version 2.4.
+# version 2.3.
#
# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# user@domain mail addresses are not broken up into their
# file that serves as input to the postmap(1) command. The
# result, an indexed file in dbm or db format, is used for
# fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/transport" to rebuild an indexed
-# file after changing the corresponding transport table.
+# "postmap /etc/postfix/transport" in order to rebuild the
+# indexed file after changing the transport table.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
-# those case, the lookups are done in a slightly different
+# that case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# and "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire recipient address
# once. Thus, some.domain.hierarchy is not looked up via
# text file that serves as input to the postmap(1) command.
# The result, an indexed file in dbm or db format, is used
# for fast searching by the mail system. Execute the command
-# "postmap /etc/postfix/virtual" to rebuild an indexed file
-# after changing the corresponding text file.
+# "postmap /etc/postfix/virtual" in order to rebuild the
+# indexed file after changing the text file.
#
# When the table is provided via other means such as NIS,
# LDAP or SQL, the same lookups are done as for ordinary
# Alternatively, the table can be provided as a regular-
# expression map where patterns are given as regular expres-
# sions, or lookups can be directed to TCP-based server. In
-# those case, the lookups are done in a slightly different
+# that case, the lookups are done in a slightly different
# way as described below under "REGULAR EXPRESSION TABLES"
-# or "TCP-BASED TABLES".
+# and "TCP-BASED TABLES".
#
# CASE FOLDING
# The search string is folded to lowercase before database
# Redirect mail for other users in domain to address.
# This form has the lowest precedence.
#
-# Note: @domain is a wild-card. With this form, the
-# Postfix SMTP server accepts mail for any recipient
-# in domain, regardless of whether that recipient
-# exists. This may turn your mail system into a
-# backscatter source that returns undeliverable spam
-# to innocent people.
-#
# RESULT ADDRESS REWRITING
# The lookup result is subject to address rewriting:
#
-# o When the result has the form @otherdomain, the
-# result becomes the same user in otherdomain. This
+# o When the result has the form @otherdomain, the
+# result becomes the same user in otherdomain. This
# works only for the first address in a multi-address
# lookup result.
#
-# o When "append_at_myorigin=yes", append "@$myorigin"
+# o When "append_at_myorigin=yes", append "@$myorigin"
# to addresses without "@domain".
#
# o When "append_dot_mydomain=yes", append ".$mydomain"
#
# ADDRESS EXTENSION
# When a mail address localpart contains the optional recip-
-# ient delimiter (e.g., user+foo@domain), the lookup order
+# ient delimiter (e.g., user+foo@domain), the lookup order
# becomes: user+foo@domain, user@domain, user+foo, user, and
# @domain.
#
-# The propagate_unmatched_extensions parameter controls
-# whether an unmatched address extension (+foo) is propa-
+# The propagate_unmatched_extensions parameter controls
+# whether an unmatched address extension (+foo) is propa-
# gated to the result of table lookup.
#
# VIRTUAL ALIAS DOMAINS
-# Besides virtual aliases, the virtual alias table can also
+# Besides virtual aliases, the virtual alias table can also
# be used to implement virtual alias domains. With a virtual
-# alias domain, all recipient addresses are aliased to
+# alias domain, all recipient addresses are aliased to
# addresses in other domains.
#
# Virtual alias domains are not to be confused with the vir-
# tual mailbox domains that are implemented with the Postfix
# virtual(8) mail delivery agent. With virtual mailbox
-# domains, each recipient address can have its own mailbox.
+# domains, each recipient address can have its own mailbox.
#
-# With a virtual alias domain, the virtual domain has its
-# own user name space. Local (i.e. non-virtual) usernames
-# are not visible in a virtual alias domain. In particular,
-# local aliases(5) and local mailing lists are not visible
+# With a virtual alias domain, the virtual domain has its
+# own user name space. Local (i.e. non-virtual) usernames
+# are not visible in a virtual alias domain. In particular,
+# local aliases(5) and local mailing lists are not visible
# as localname@virtual-alias.domain.
#
# Support for a virtual alias domain looks like:
# /etc/postfix/main.cf:
# virtual_alias_maps = hash:/etc/postfix/virtual
#
-# Note: some systems use dbm databases instead of hash.
-# See the output from "postconf -m" for available data-
+# Note: some systems use dbm databases instead of hash.
+# See the output from "postconf -m" for available data-
# base types.
#
# /etc/postfix/virtual:
# user1@virtual-alias.domain address1
# user2@virtual-alias.domain address2, address3
#
-# The virtual-alias.domain anything entry is required for a
+# The virtual-alias.domain anything entry is required for a
# virtual alias domain. Without this entry, mail is rejected
-# with "relay access denied", or bounces with "mail loops
+# with "relay access denied", or bounces with "mail loops
# back to myself".
#
-# Do not specify virtual alias domain names in the main.cf
+# Do not specify virtual alias domain names in the main.cf
# mydestination or relay_domains configuration parameters.
#
-# With a virtual alias domain, the Postfix SMTP server
-# accepts mail for known-user@virtual-alias.domain, and
-# rejects mail for unknown-user@virtual-alias.domain as
+# With a virtual alias domain, the Postfix SMTP server
+# accepts mail for known-user@virtual-alias.domain, and
+# rejects mail for unknown-user@virtual-alias.domain as
# undeliverable.
#
-# Instead of specifying the virtual alias domain name via
-# the virtual_alias_maps table, you may also specify it via
+# Instead of specifying the virtual alias domain name via
+# the virtual_alias_maps table, you may also specify it via
# the main.cf virtual_alias_domains configuration parameter.
-# This latter parameter uses the same syntax as the main.cf
+# This latter parameter uses the same syntax as the main.cf
# mydestination configuration parameter.
#
# REGULAR EXPRESSION TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# the table is given in the form of regular expressions. For
-# a description of regular expression lookup table syntax,
+# a description of regular expression lookup table syntax,
# see regexp_table(5) or pcre_table(5).
#
-# Each pattern is a regular expression that is applied to
+# Each pattern is a regular expression that is applied to
# the entire address being looked up. Thus, user@domain mail
-# addresses are not broken up into their user and @domain
+# addresses are not broken up into their user and @domain
# constituent parts, nor is user+foo broken up into user and
# foo.
#
-# Patterns are applied in the order as specified in the ta-
-# ble, until a pattern is found that matches the search
+# Patterns are applied in the order as specified in the ta-
+# ble, until a pattern is found that matches the search
# string.
#
-# Results are the same as with indexed file lookups, with
-# the additional feature that parenthesized substrings from
+# Results are the same as with indexed file lookups, with
+# the additional feature that parenthesized substrings from
# the pattern can be interpolated as $1, $2 and so on.
#
# TCP-BASED TABLES
-# This section describes how the table lookups change when
+# This section describes how the table lookups change when
# lookups are directed to a TCP-based server. For a descrip-
# tion of the TCP client/server lookup protocol, see tcp_ta-
# ble(5). This feature is not available up to and including
-# Postfix version 2.4.
+# Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
-# user@domain mail addresses are not broken up into their
+# user@domain mail addresses are not broken up into their
# user and @domain constituent parts, nor is user+foo broken
# up into user and foo.
#
# Results are the same as with indexed file lookups.
#
# BUGS
-# The table format does not understand quoting conventions.
+# The table format does not understand quoting conventions.
#
# CONFIGURATION PARAMETERS
-# The following main.cf parameters are especially relevant
-# to this topic. See the Postfix main.cf file for syntax
-# details and for default values. Use the "postfix reload"
+# The following main.cf parameters are especially relevant
+# to this topic. See the Postfix main.cf file for syntax
+# details and for default values. Use the "postfix reload"
# command after a configuration change.
#
# virtual_alias_maps
# List of virtual aliasing tables.
#
# virtual_alias_domains
-# List of virtual alias domains. This uses the same
+# List of virtual alias domains. This uses the same
# syntax as the mydestination parameter.
#
# propagate_unmatched_extensions
-# A list of address rewriting or forwarding mecha-
-# nisms that propagate an address extension from the
-# original address to the result. Specify zero or
-# more of canonical, virtual, alias, forward,
+# A list of address rewriting or forwarding mecha-
+# nisms that propagate an address extension from the
+# original address to the result. Specify zero or
+# more of canonical, virtual, alias, forward,
# include, or generic.
#
# Other parameters of interest:
#
# inet_interfaces
-# The network interface addresses that this system
+# The network interface addresses that this system
# receives mail on. You need to stop and start Post-
# fix when this parameter changes.
#
# mydestination
-# List of domains that this mail system considers
+# List of domains that this mail system considers
# local.
#
# myorigin
-# The domain that is appended to any address that
+# The domain that is appended to any address that
# does not have a domain.
#
# owner_request_special
# canonical(5), canonical address mapping
#
# README FILES
-# Use "postconf readme_directory" or "postconf html_direc-
+# Use "postconf readme_directory" or "postconf html_direc-
# tory" to locate this information.
# ADDRESS_REWRITING_README, address rewriting guide
# DATABASE_README, Postfix lookup table overview
# VIRTUAL_README, domain hosting guide
#
# LICENSE
-# The Secure Mailer license must be distributed with this
+# The Secure Mailer license must be distributed with this
# software.
#
# AUTHOR(S)
+++ /dev/null
-See http://www.openspf.org/Software for the current version of the
-SPF policy daemon for Postfix.
-
-SPF support is also available via MILTER plugins, such as sid-milter
-at http://sourceforge.net/projects/sid-milter/ which implements both
-SenderID and SPF.
--- /dev/null
+#!/usr/bin/perl
+
+# postfix-policyd-spf
+# http://www.openspf.org
+# version 1.07
+# $Id$
+
+use Fcntl;
+use Sys::Syslog qw(:DEFAULT setlogsock);
+use strict;
+
+# ----------------------------------------------------------
+# configuration
+# ----------------------------------------------------------
+
+# to use SPF, install Mail::SPF::Query from CPAN or from the SPF website at http://www.openspf.org/downloads.html
+
+ my @HANDLERS;
+ push @HANDLERS, "testing";
+ push @HANDLERS, "sender_permitted_from"; use Mail::SPF::Query;
+
+my $VERBOSE = 0;
+
+my $DEFAULT_RESPONSE = "DUNNO";
+
+#
+# Syslogging options for verbose mode and for fatal errors.
+# NOTE: comment out the $syslog_socktype line if syslogging does not
+# work on your system.
+#
+
+my $syslog_socktype = 'unix'; # inet, unix, stream, console
+my $syslog_facility = "mail";
+my $syslog_options = "pid";
+my $syslog_priority = "info";
+my $syslog_ident = "postfix/policy-spf";
+
+# ----------------------------------------------------------
+# minimal documentation
+# ----------------------------------------------------------
+
+#
+# Usage: smtpd-policy.pl [-v]
+#
+# Demo delegated Postfix SMTPD policy server.
+# This server implements SPF.
+# Another server implements greylisting.
+# Postfix has a pluggable policy server architecture.
+# You can call one or both from Postfix.
+#
+# The SPF handler uses Mail::SPF::Query to do the heavy lifting.
+#
+# This documentation assumes you have read Postfix's README_FILES/SMTPD_POLICY_README
+#
+# Logging is sent to syslogd.
+#
+# How it works: each time a Postfix SMTP server process is started
+# it connects to the policy service socket, and Postfix runs one
+# instance of this PERL script. By default, a Postfix SMTP server
+# process terminates after 100 seconds of idle time, or after serving
+# 100 clients. Thus, the cost of starting this PERL script is smoothed
+# out over time.
+#
+# To run this from /etc/postfix/master.cf:
+#
+# policy unix - n n - - spawn
+# user=nobody argv=/usr/bin/perl /usr/libexec/postfix/smtpd-policy.pl
+#
+# To use this from Postfix SMTPD, use in /etc/postfix/main.cf:
+#
+# smtpd_recipient_restrictions =
+# ...
+# reject_unauth_destination
+# check_policy_service unix:private/policy
+# ...
+#
+# NOTE: specify check_policy_service AFTER reject_unauth_destination
+# or else your system can become an open relay.
+#
+# To test this script by hand, execute:
+#
+# % perl smtpd-policy.pl
+#
+# Each query is a bunch of attributes. Order does not matter, and
+# the demo script uses only a few of all the attributes shown below:
+#
+# request=smtpd_access_policy
+# protocol_state=RCPT
+# protocol_name=SMTP
+# helo_name=some.domain.tld
+# queue_id=8045F2AB23
+# sender=foo@bar.tld
+# recipient=bar@foo.tld
+# client_address=1.2.3.4
+# client_name=another.domain.tld
+# [empty line]
+#
+# The policy server script will answer in the same style, with an
+# attribute list followed by a empty line:
+#
+# action=dunno
+# [empty line]
+#
+
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: client_address=208.210.125.227
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: client_name=newbabe.mengwong.com
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: helo_name=newbabe.mengwong.com
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: protocol_name=ESMTP
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: protocol_state=RCPT
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: queue_id=
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: recipient=mengwong@dumbo.pobox.com
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: request=smtpd_access_policy
+# Jul 23 18:43:29 dumbo/dumbo policyd[21171]: Attribute: sender=mengwong@newbabe.mengwong.com
+
+# ----------------------------------------------------------
+# initialization
+# ----------------------------------------------------------
+
+#
+# Log an error and abort.
+#
+sub fatal_exit {
+ syslog(err => "fatal_exit: @_");
+ syslog(warning => "fatal_exit: @_");
+ syslog(info => "fatal_exit: @_");
+ die "fatal: @_";
+}
+
+#
+# Unbuffer standard output.
+#
+select((select(STDOUT), $| = 1)[0]);
+
+#
+# This process runs as a daemon, so it can't log to a terminal. Use
+# syslog so that people can actually see our messages.
+#
+setlogsock $syslog_socktype;
+openlog $syslog_ident, $syslog_options, $syslog_facility;
+
+# ----------------------------------------------------------
+# main
+# ----------------------------------------------------------
+
+#
+# Receive a bunch of attributes, evaluate the policy, send the result.
+#
+my %attr;
+while (<STDIN>) {
+ chomp;
+ if (/=/) { my ($k, $v) = split (/=/, $_, 2); $attr{$k} = $v; next }
+ elsif (length) { syslog(warning => sprintf("warning: ignoring garbage: %.100s", $_)); next; }
+
+ if ($VERBOSE) {
+ for (sort keys %attr) {
+ syslog(debug => "Attribute: %s=%s", $_, $attr{$_});
+ }
+ }
+
+ fatal_exit ("unrecognized request type: '$attr{request}'") unless $attr{request} eq "smtpd_access_policy";
+
+ my $action = $DEFAULT_RESPONSE;
+ my %responses;
+ foreach my $handler (@HANDLERS) {
+ no strict 'refs';
+ my $response = $handler->(attr=>\%attr);
+ syslog(debug => "handler %s: %s", $handler, $response);
+ if ($response and $response !~ /^dunno/i) {
+ syslog(info => "handler %s: %s is decisive.", $handler, $response);
+ $action = $response; last;
+ }
+ }
+
+ syslog(info => "decided action=%s", $action);
+
+ print STDOUT "action=$action\n\n";
+ %attr = ();
+}
+
+# ----------------------------------------------------------
+# plugin: SPF
+# ----------------------------------------------------------
+sub sender_permitted_from {
+ local %_ = @_;
+ my %attr = %{ $_{attr} };
+
+ my $query = eval { new Mail::SPF::Query (ip =>$attr{client_address},
+ sender=>$attr{sender},
+ helo =>$attr{helo_name}) };
+ if ($@) {
+ syslog(info => "%s: Mail::SPF::Query->new(%s, %s, %s) failed: %s",
+ $attr{queue_id}, $attr{client_address}, $attr{sender}, $attr{helo_name}, $@);
+ return "DUNNO";
+ }
+ my ($result, $smtp_comment, $header_comment) = $query->result();
+
+ syslog(info => "%s: SPF %s: smtp_comment=%s, header_comment=%s",
+ $attr{queue_id}, $result, $smtp_comment, $header_comment);
+
+ if ($result eq "fail") { return "REJECT $smtp_comment"; }
+ elsif ($result eq "error") { return "DEFER_IF_PERMIT $smtp_comment"; }
+ else { return "PREPEND Received-SPF: $result ($header_comment)"; }
+}
+
+# ----------------------------------------------------------
+# plugin: testing
+# ----------------------------------------------------------
+sub testing {
+ local %_ = @_;
+ my %attr = %{ $_{attr} };
+
+ if (lc address_stripped($attr{sender}) eq
+ lc address_stripped($attr{recipient})
+ and
+ $attr{recipient} =~ /policyblock/) {
+
+ syslog(info => "%s: testing: will block as requested", $attr{queue_id});
+ return "REJECT smtpd-policy blocking $attr{recipient}";
+ }
+ else {
+ syslog(info => "%s: testing: stripped sender=%s, stripped rcpt=%s",
+ $attr{queue_id},
+ address_stripped($attr{sender}),
+ address_stripped($attr{recipient}),
+ );
+
+ }
+ return "DUNNO";
+}
+
+sub address_stripped {
+ # my $foo = localpart_lhs('foo+bar@baz.com'); # returns 'foo@baz.com'
+ my $string = shift;
+ for ($string) {
+ s/[+-].*\@/\@/;
+ }
+ return $string;
+}
<li> <p> The list of domains that are a member of the class: for
example, all <a href="ADDRESS_CLASS_README.html#local_domain_class">local domains</a>, or all <a href="ADDRESS_CLASS_README.html#relay_domain_class">relay domains</a>. </p>
-<li> <p> The default delivery transport. For example, the local,
-virtual or relay delivery transport (delivery transports are defined
-in <a href="master.5.html">master.cf</a>). This helps to keep Postfix configurations simple,
-by avoiding the need for explicit routing information in transport
-maps. </p>
+<li> <p> The default delivery method. For example, the local or
+smtp delivery agent. This helps to keep Postfix configurations
+simple. </p>
<li> <p> The list of valid recipient addresses for that address
class. The Postfix SMTP server rejects invalid recipients with
<a href="ADDRESS_CLASS_README.html#local_domain_class">local domain</a> class. </p>
<li> <p> The mail delivery transport is specified with the
-<a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b>
<a href="local.8.html">local</a>:$<a href="postconf.5.html#myhostname">myhostname</a></b>
+<a href="postconf.5.html#local_transport">local_transport</a> parameter. The default value is <b>
local:$<a href="postconf.5.html#myhostname">myhostname</a></b>
for delivery with the <a href="local.8.html">local(8)</a> delivery agent. </p>
</ul>
unknown local recipients. See the <a href="LOCAL_RECIPIENT_README.html">LOCAL_RECIPIENT_README</a> file hints
and tips. </p>
-<li> <p> Introduction of the relay delivery transport in <a href="master.5.html">master.cf</a>.
+<li> <p> Introduction of the relay delivery transport in master.cf.
This helps to avoid mail delivery scheduling problems on inbound
mail relays when there is a lot of outbound mail, but may require
that you update your "<a href="postconf.5.html#defer_transports">defer_transports</a>" setting. </p>
<p> The sender/recipient address verification feature described in this
document is suitable only for low-traffic sites. It performs poorly
-under high load; excessive sender address verification activity may
-even cause your site to be blacklisted by some
+under high load and may cause your site to be blacklisted by some
providers. See the "<a href="#limitations">Limitations</a>" section
below for details. </p>
<p> Recipient address verification is relatively straightforward
and there are no surprises. If a recipient probe fails, then Postfix
rejects mail for the recipient address. If a recipient probe
-succeeds, then Postfix accepts mail for the recipient address.
-However, recipient address verification probes can increase the
-load on down-stream MTAs when you're being flooded by backscatter
-bounces, or when some spammer is mounting a dictionary attack. </p>
+succeeds, then Postfix accepts mail for the recipient address. </p>
<p> By default, address verification results are not saved. To avoid
probing the same address repeatedly, you can store the result in a
the same performance improvement as with a shared connection cache,
non-shared connections need to be kept open for a longer time. </p>
-<p> The <a href="scache.8.html">scache(8)</a> server, introduced with Postfix version 2.2,
-maintains the shared connection cache. With Postfix version 2.2,
-only the <a href="smtp.8.html">smtp(8)</a> client has support to access this cache. </p>
-
<blockquote>
<table>
-<tr> <td> </td> <td> <tt> /-- </tt> </td> <td align="center"
-colspan="3" bgcolor="#f0f0ff"> <a href="smtp.8.html">smtp(8)</a> </td> <td colspan="2"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td align="center" bgcolor="#f0f0ff"> <a href="qmgr.8.html">qmgr(8)</a> </td> <td> </td>
-<td align="center" rowspan="3"> </td> <td align="center"
-rowspan="3"><tt>|<br>|<br>|<br>|<br>v</tt></td> <td> </td>
-</tr>
-
-<tr> <td> </td> <td> <tt> \-- </tt> </td> <td align="center"
-colspan="2" bgcolor="#f0f0ff"> <a href="smtp.8.html">smtp(8)</a> </td> <td align="left"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center"><tt>^<br>|</tt></td>
-<td> </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center" colspan="3"
-bgcolor="#f0f0ff"> <a href="scache.8.html">scache(8)</a> </td> </tr>
+<tr> <td> Internet <-- </td> <td align="center" bgcolor="#f0f0ff">
+<br> <a href="smtp.8.html">smtp(8)</a> <br> </td> <td> <tt> <-> </tt> </td> <td
+align="center" bgcolor="#f0f0ff"> <br> <a href="scache.8.html">scache(8)</a> <br> </td>
+<td> <tt> <-> </tt> </td> <td align="center" bgcolor="#f0f0ff">
+<br> <a href="smtp.8.html">smtp(8)</a> <br> </td> <td> --> Internet </td>
</table>
</blockquote>
+<p> The <a href="scache.8.html">scache(8)</a> server, introduced with Postfix version 2.2,
+maintains the shared connection cache. With Postfix version 2.2,
+only the <a href="smtp.8.html">smtp(8)</a> client has support to access this cache. </p>
+
<p> When SMTP connection caching is enabled (see next section), the
<a href="smtp.8.html">smtp(8)</a> client does not disconnect after a mail transaction, but
gives the connection to the <a href="scache.8.html">scache(8)</a> server which keeps the
-connection open for a limited amount of time. </p>
+connection open for a limited amount of time. </p>
<p> After handing over the open connection to the <a href="scache.8.html">scache(8)</a> server,
the <a href="smtp.8.html">smtp(8)</a> client continues with some other mail delivery request.
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> = yes
</pre>
IP address), </p>
<li> <p> if mail is sent via a <a href="postconf.5.html#relayhost">relay host</a>: a <a href="postconf.5.html#relayhost">relay host</a> name (without
-the [] or non-default TCP port), as specified in <a href="postconf.5.html">main.cf</a> or in the
+the [] or non-default TCP port), as specified in main.cf or in the
transport map, </p>
<li> <p> a /file/name with domain names and/or <a href="postconf.5.html#relayhost">relay host</a> names as
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = $<a href="postconf.5.html#relayhost">relayhost</a>
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = hotmail.com, ...
<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> = static:all (<i>not recommended</i>)
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix Cyrus Howto</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Cyrus Howto</h1>
+
+<hr>
+
+<p> This document will be made available via <a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p>
+
+</body>
+
+</html>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/postfix/aliases (local aliasing)
<a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks (content filtering)
<a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport (routing table)
<li> You can use Berkeley DB files with fixed lookup strings for
simple address rewriting operations and you can use regular expression
-tables for the more complicated work. In other words, you don't
-have to put everything into the same table.
+tables for the more complicated work.
</ul>
<a href="postmap.1.html">postmap(1)</a> or <a href="postalias.1.html">postalias(1)</a> overwrite existing files. If the update
fails in the middle then you have no usable database, and Postfix
will stop working. This is not an issue with the CDB database type
-available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a>
-creates a new file, and renames the file upon successful completion.
-</p>
+available with Postfix 2.2 and later, because <a href="CDB_README.html">CDB</a>
+database rebuilds are atomic. </p>
<p> With multi-file databases such as DBM, there is no simple
solution. With Berkeley DB and other "one file" databases, it is
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available up to and including Postfix
-version 2.4. </dd>
+version 2.2. </dd>
<dt> <b>unix</b> (read-only) </dt>
<h2><a name="no_db">Building Postfix on systems without Berkeley
DB</a></h2>
-<p> Some UNIXes ship without Berkeley DB support; for historical
-reasons these use DBM files instead. A problem with DBM files is
-that they can store only limited amounts of data. To build Postfix
-with
+<p> Many commercial UNIXes ship without Berkeley DB support. Examples
+are Solaris, HP-UX, IRIX, UNIXWARE. In order to build Postfix with
Berkeley DB support you need to download and install the source
-code from <a href="http://www.oracle.com/database/berkeley-db/">http://www.oracle.com/database/berkeley-db/</a>. </p>
+code from <a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a> </p>
<p> Warning: some Linux system libraries use Berkeley DB, as do
some third-party libraries such as SASL. If you compile Postfix
with a different Berkeley DB implementation, then every Postfix
-program will dump core because either the system library, the SASL
+program will dump core because either the system library, SASL
library, or Postfix itself ends up using the wrong version. </p>
<p>The more recent Berkeley DB versions have a compile-time switch,
falling apart. </p>
<p> To build Postfix after you installed the Berkeley DB from
-source code, use something like: </p>
+<a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a>, use something like: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> More information is available at
-<a href="http://www.oracle.com/database/berkeley-db/">http://www.oracle.com/database/berkeley-db/</a>. </p>
+<p> More information is available at <a href="http://www.sleepycat.com/">http://www.sleepycat.com/</a>. </p>
</body>
permissions, incorrect configuration file settings that you can
fix. Postfix cannot proceed until this is fixed. </p>
-<li> <p> "<b>error</b>" reports an error condition. For safety
-reasons, a Postfix process will terminate when more than 13 of these
-happen. </p>
+<li> <p> "<b>error</b>" reports a fatal or non-fatal error condition.
+Postfix cannot proceed until this is fixed. </p>
<li> <p> "<b>warning</b>" indicates a non-fatal error. These are
problems that you may not be able to fix (such as a broken DNS
</ul>
<p> These reports contain information that is generated by Postfix
-delivery agents. Since these run as daemon processes that cannot
+delivery agents. Since these run as daemon processes and do not
interact with users directly, the result is sent as mail to the
sender of the test message. The format of these reports is practically
identical to that of ordinary non-delivery notifications. </p>
<h2><a name="sniffer">Record the SMTP session with a network sniffer</a></h2>
<p> This example uses <b>tcpdump</b>. In order to record a conversation
-you need to specify a large enough buffer with the "<b>-s</b>"
-option or else you will miss some or all of the packet payload.
-</p>
+you need to specify a large enough buffer with the "-s" option or
+else you will miss some or all of the packet payload. </p>
<blockquote>
<pre>
-# <b>tcpdump -w /file/name -s 0 host example.com and port 25</b>
+# <b>tcpdump -w /file/name -s 2000 host example.com and port 25</b>
</pre>
</blockquote>
-<p> Older tcpdump versions don't support "<b>-s 0</b>"; in that case,
-use "<b>-s 2000</b>" instead. </p>
-
<p> Run this for a while, stop with Ctrl-C when done. To view the
-data use a binary viewer, <b>ethereal</b>, or good old <b>less</b>.
+data use a binary viewer, or <b>ethereal</b>, or use my <b>tcpdumpx</b>
+utility that is available from <a href="ftp://ftp.porcupine.org/pub/debugging/">ftp://ftp.porcupine.org/pub/debugging/</a>.
</p>
<h2><a name="verbose">Making Postfix daemon programs more verbose</a></h2>
<p> Append one or more "<b>-v</b>" options to selected daemon
definitions in /etc/postfix/<a href="master.5.html">master.cf</a> and type "<b>postfix reload</b>".
This will cause a lot of activity to be logged to the syslog daemon.
-For example, to make the Postfix SMTP server process more verbose: </p>
+Example: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> To diagnose problems with address rewriting specify a "<b>-v</b>"
+<p> This makes the Postfix SMTP server more verbose. To diagnose
+problems with address rewriting one would specify a "<b>-v</b>"
option for the <a href="cleanup.8.html">cleanup(8)</a> and/or <a href="trivial-rewrite.8.html">trivial-rewrite(8)</a> daemon, and to
-diagnose problems with mail delivery specify a "<b>-v</b>"
+diagnose problems with mail delivery one would specify a "<b>-v</b>"
option for the <a href="qmgr.8.html">qmgr(8)</a> or <a href="qmgr.8.html">oqmgr(8)</a> queue manager, or for the <a href="lmtp.8.html">lmtp(8)</a>,
<a href="local.8.html">local(8)</a>, <a href="pipe.8.html">pipe(8)</a>, <a href="smtp.8.html">smtp(8)</a>, or <a href="virtual.8.html">virtual(8)</a> delivery agent. </p>
<li> <p> Postfix logging. See the text at the top of the <a href="DEBUG_README.html">DEBUG_README</a>
document to find out where logging is stored. Please do not frustrate
-the helpers by word wrapping the logging. If the logging is more
-than a few kbytes of text, consider posting an URL on a web or ftp
-site. </p>
+the helpers by word wrapping the logging. </p>
<li> <p> Consider using a test email address so that you don't have
to reveal email addresses or passwords of innocent people. </p>
<li> <p> If you can't use a test email address, please anonymize
-email addresses and host names consistently. Replace each letter
-by "A", each digit
+information consistently. Replace each letter by "A", each digit
by "D" so that the helpers can still recognize syntactical errors.
</p>
<li> <p> Output from "<b>postconf -n</b>". Please do not send your
-<a href="postconf.5.html">main.cf</a> file, or 500+ lines of <b>postconf</b> output. </p>
+<a href="postconf.5.html">main.cf</a> file or 400+ lines of <b>postconf</b> output. </p>
-<li> <p> Better, provide output from the <b>postfinger</b> tool.
+<li> <p> Better, provide output from the <b>postfinger</b> tool.
This can be found at <a href="http://ftp.wl0.org/SOURCES/postfinger">http://ftp.wl0.org/SOURCES/postfinger</a>. </p>
<li> <p> If the problem is SASL related, consider including the
including output from the <b>qshape</b> tool, as described in the
<a href="QSHAPE_README.html">QSHAPE_README</a> file. </p>
-<li> <p> If the problem is protocol related (connections time out,
+<li> <p> If the problem is protocol related (connections time out
or an SMTP server complains about syntax errors etc.) consider
recording a session with <b>tcpdump</b>, as described in the <a
href="#sniffer">DEBUG_README</a> document. </ul>
</ul>
<p> The implementation of DSN support involves extra parameters to
-the SMTP MAIL FROM and RCPT TO commands, as well as two Postfix
+the SMTP MAIL FROM and RCPT TO commands, as well as new Postfix
sendmail command line options that provide a sub-set of the functions
of the extra SMTP command parameters. </p>
not delivered via the connection that was used for sending ETRN.
</p>
+<p> Postfix versions before 1.0 (also known as version 20010228)
+implemented the ETRN command in an inefficient manner: they simply
+attempted to deliver all queued mail. This is slow on mail servers
+that queue mail for many customers. </p>
+
<p> As of version 1.0, Postfix has a fast ETRN implementation that
does not require Postfix to examine every queue file. Instead,
Postfix maintains a record of what queue files contain mail for
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.customer.domain</b>
+<b>etrn some.customer.domain</b>
250 Queuing started
-<b>QUIT</b>
+<b>quit</b>
221 Bye
</pre>
</blockquote>
<p> The Postfix operator can request delivery for a specific customer
by using the command "sendmail -qR<i>destination</i>" and, with
Postfix version 1.1 and later, "postqueue -s<i>destination</i>".
-Access to this feature is controlled with the <a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a>
-configuration parameter (Postfix version 2.2 and later).
</p>
<h2><a name="how">How Postfix fast ETRN works</a></h2>
with queue file names. When a request to "deliver mail now" arrives,
Postfix will attempt to deliver all recipients in the queue files
that have mail for the destination in question. This does not
-perform well with queue files that have recipients in many different
-domains, such as queue files with outbound mailing list traffic.
-</p>
+perform well when queue files have recipients in many different
+domains. </p>
<li> <p> The <a href="flush.8.html">flush(8)</a> daemon maintains per-destination logfiles
only for destinations listed with $<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a>. With other
-destinations you cannot request delivery with "sendmail
+destinations it not possible to trigger delivery with "sendmail
-qR<i>destination</i>" or, with Postfix version 1.1 and later,
"postqueue -s<i>destination</i>". </p>
the list of message delivery transports specified with the
<a href="postconf.5.html#defer_transports">defer_transports</a> configuration parameter. </p>
-<li> <p> Up to and including Postfix version 2.3, the "fast flush"
-service may not deliver some messages if the request to "deliver
-mail now" arrives while an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> scan is already in progress.
-</p>
-
</ul>
<h2><a name="config">Configuring the Postfix fast ETRN service</a></h2>
<p> The behavior of the <a href="flush.8.html">flush(8)</a> daemon is controlled by parameters
-in the <a href="postconf.5.html">main.cf</a> configuration file. </p>
+in the main.cf configuration file. </p>
<p> By default, Postfix "fast ETRN" service is available only for
destinations that Postfix is willing to relay mail to: </p>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> = $<a href="postconf.5.html#relay_domains">relay_domains</a>
<a href="postconf.5.html#smtpd_etrn_restrictions">smtpd_etrn_restrictions</a> = <a href="postconf.5.html#permit_mynetworks">permit_mynetworks</a>, reject
</pre>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> = $<a href="postconf.5.html#relay_domains">relay_domains</a>, some.other.domain
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> =
</pre>
</blockquote>
<blockquote>
<pre>
- 1 /etc/postfix/<a href="master.5.html">master.cf</a>:
+ 1 /etc/postfix/master.cf:
2 # =============================================================
3 # service type private unpriv chroot wakeup maxproc command
4 # (yes) (yes) (yes) (never) (100)
7 relay unix - - n - - smtp
8 etrn-only unix - - n - - smtp
9
-10 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+10 /etc/postfix/main.cf:
11 <a href="postconf.5.html#relay_domains">relay_domains</a> = customer.tld ...other domains...
12 <a href="postconf.5.html#defer_transports">defer_transports</a> = etrn-only
13 <a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.customer.domain</b>
+<b>etrn some.customer.domain</b>
250 Queuing started
</pre>
</blockquote>
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.other.customer.domain</b>
+<b>etrn some.other.customer.domain</b>
250 Queuing started
</pre>
</blockquote>
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN not.a.customer.domain</b>
+<b>etrn not.a.customer.domain</b>
459 <not.a.customer.domain>: service unavailable
</pre>
</blockquote>
be covered by a later version of this document. </p>
<p> The after-queue content filter is not to be confused with the
-approaches described in the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> or <a href="MILTER_README.html">MILTER_README</a>
-documents,
+approach that is described in the <a href="SMTPD_PROXY_README.html">SMTPD_PROXY_README</a> document,
where incoming SMTP mail is filtered BEFORE it is stored into the
Postfix queue. </p>
<h2><a name="principles">Principles of operation</a> </h2>
-<p> An after-queue content filter receives unfiltered mail from Postfix
-(as described further below) and can do one of the following: </p>
+<p> An external content filter receives unfiltered mail from Postfix
+(as described further below) and does one of the following: </p>
<ol>
<li> <p> Re-inject the mail back into Postfix, perhaps after changing
content and/or destination. </p>
-<li> <p> Discard or quarantine the mail. </p>
-
<li> <p> Reject the mail (by sending a suitable status code back to
- Postfix). Postfix will send the mail back to the sender address. </p>
+ Postfix). Postfix will return the mail to the sender. </p>
</ol>
<h2><a name="simple_filter">Simple content filter example</a></h2>
-<p> The first example is simple to set up, but has major limitations
-that will be addressed in a second example. Postfix receives
+<p> The first example is simple to set up. Postfix receives
unfiltered mail from the network with the <a href="smtpd.8.html">smtpd(8)</a> server, and
delivers unfiltered mail to a content filter with the Postfix
<a href="pipe.8.html">pipe(8)</a> delivery agent. The content filter injects filtered mail
<ul>
-<li> <p> Line 8: The -G option says the filter output is not a local
-mail submission: don't do silly things like appending the local
-domain name to addresses in message headers. This option does
-nothing before Postfix version 2.3. </p>
+<li> <p> Line 8: The -G option does nothing before Postfix 2.3,
+otherwise it disables address rewriting of message headers. </p>
<li> <p> Line 8: The -i option says don't stop reading input when
a line contains "." only. </p>
<li> <p> Line 8: NEVER NEVER NEVER use the "-t" command-line option
-here. It will mis-deliver mail, like sending messages from a mailing
-list back to the mailing list. </p>
+here. It will mis-deliver mail, like sending mailing list mail back
+to the mailing list. </p>
<li> <p> Line 21: The idea is to first capture the message to
file and then run the content through a third-party content filter
program. </p>
-<li> <p> Line 22: If the message cannot be captured to file, mail
+<li> <p> Line 22: If the mail cannot be captured to file, mail
delivery is deferred by terminating with exit status 75 (EX_TEMPFAIL).
Postfix places the message in the deferred mail queue and tries
again later. </p>
<li> <p> Line 26: If the content filter program finds a problem,
the mail is bounced by terminating with exit status 69 (EX_UNAVAILABLE).
-Postfix will send the message back to the sender as undeliverable
-mail.
+Postfix will return the message to the sender as undeliverable.
</p>
-<li> <p> NOTE: in this time of mail worms and spam, it is a BAD
+<li> <p> Note: in this time of mail worms and spam, it is a BAD
IDEA to send known viruses or spam back to the sender, because that
-address is likely to be forged. It is safer to discard known viruses
-and to quarantine suspicious content so that it can
+address is likely to be forged. It is safer to discard known to be
+bad content and to quarantine suspicious content so that it can
be inspected by a human being. </p>
<li> <p> Line 28: If the content is OK, it is given as input to
<blockquote>
<pre>
-% /path/to/script -f sender -- recipient... <message-file
+% /path/to/script -f sender recipient... <message-file
</pre>
</blockquote>
-o <a href="postconf.5.html#content_filter">content_filter</a>=filter:dummy
</pre>
-<p> The "
-o <a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
+<p> The "<a href="postconf.5.html#content_filter">content_filter</a>" line causes Postfix to add one content
filter request record to each incoming mail message, with content
"filter:dummy". This record overrides the normal mail routing
and causes mail to be given to the content filter instead. </p>
Postfix SMTP server. </p>
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
-filter request records from existing queue files. </p>
+filter information from existing queue files. </p>
<li> <p> Execute another "<b>postfix reload</b>". </p>
<p> The example given here filters all mail, including mail that
arrives via SMTP and mail that is locally submitted via the Postfix
-sendmail command (local submissions enter Postfix via the <a href="pickup.8.html">pickup(8)</a>
-server; to keep the figure simple we omit local submission details).
-See examples near the end of this document for
+sendmail command. See examples near the end of this document for
how to exclude local users from filtering, or how to configure a
destination dependent content filter. </p>
<li> <p> The "-o <a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a>=yes" is a workaround
that prevents the breaking of domainkeys and other digital signatures.
This is needed because some SMTP-based content filters don't announce
-8BITMIME support, even though they can handle 8-bit mail. </p>
+8BITMIME support, even though they can handle it just fine. </p>
<li> <p> The "-o <a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a>=" is a workaround that prevents
local address rewriting with <a href="generic.5.html">generic(5)</a> maps. Such rewriting should
dangerous mail content - that is why it should be a separate account.
</p>
-<li> <p> By default, Postfix will terminate a command that runs
-longer than <a href="postconf.5.html#command_time_limit">command_time_limit</a> seconds (default: 1000s). This is a
-safety measure that prevents filters from running forever. </p>
-
</ul>
<p> If you want to have your filter listening on port localhost:10025
<ul>
-<li> <p> NOTE: do not use spaces around the "=" or "," characters. </p>
+<li> <p> Note: do not use spaces around the "=" or "," characters. </p>
-<li> <p> NOTE: the SMTP server must not have a smaller process
+<li> <p> Note: the SMTP server must not have a smaller process
limit than the "filter" <a href="master.5.html">master.cf</a> entry. </p>
<li> <p> The "-o <a href="postconf.5.html#content_filter">content_filter</a>=" overrides <a href="postconf.5.html">main.cf</a> settings, and
requests no content filtering for mail from the content filter.
-This is required or else mail will loop. </p>
+This is required or else mail will stay in the content filtering
+loop. </p>
<li> <p> The "-o <a href="postconf.5.html#receive_override_options">receive_override_options</a>" overrides <a href="postconf.5.html">main.cf</a> settings
to avoid duplicating work that was already done before the content
<li> <p> We specify "<a href="postconf.5.html#no_milters">no_milters</a>" to disable Milter applications
(this option is available only in Postfix 2.3 and later). </p>
- <li> <p> We don't specify "<a href="postconf.5.html#no_address_mappings">no_address_mappings</a>" here. This
+ <li> <p> We don't specify "no_address_mapping" here. This
enables virtual alias expansion, canonical mappings, address
masquerading, and other address mappings after the content
filter. The <a href="postconf.5.html">main.cf</a> setting of "<a href="postconf.5.html#receive_override_options">receive_override_options</a>"
</blockquote>
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
-filter request records from existing queue files. </p>
+filter information from existing queue files. </p>
<li> <p> Execute another "<b>postfix reload</b>". </p>
<h2> <a name="1">1 - Purpose of this document</a> </h2>
-<p> If you are using a pre-compiled version of Postfix, you should
-start with <a href="BASIC_CONFIGURATION_README.html">BASIC_CONFIGURATION_README</a> and the general documentation
-referenced by it. <a href="INSTALL.html">INSTALL</a> is only a bootstrap document to get
-Postfix up and running from scratch with the minimal number of
-steps; it should not be considered part of the general documentation.
-</p>
+<p> This is a bootstrap document that helps you get Postfix up and
+running from scratch with the minimal number of steps. If you are
+using a pre-compiled version of Postfix, you should be reading the
+general Postfix documentation which aims to describe the system in
+more detail. This bootstrap document should not be considered part
+of the general Postfix documentation. </p>
<p> This document describes how to build, install and configure a
Postfix system so that it can do one of the following: </p>
</blockquote>
<p> Of particular interest is the <a href="postconf.5.html">postconf(5)</a> manual page that
-lists all the 500+ configuration parameters. The HTML version of
+lists all the 400+ configuration parameters. The HTML version of
this text makes it easy to navigate around. </p>
<p> All Postfix source files have their own built-in manual page.
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (March 2007) <br>
-SunOS 5.4 - 5.10 (Solaris 2.4..10) <br>
+SunOS 4.1.4 (July 2006) <br>
+SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
</blockquote>
<p> On Solaris, the "make" command and other utilities for software
development are in /usr/ccs/bin, so you MUST have /usr/ccs/bin in
-your command search path. If these files do not exist, install the
-development packages first. See the Solaris FAQ item "<a
-href="http://www.science.uva.nl/pub/solaris/solaris2.html#q6.2">Which
-packages do I need to install to support a C compiler?</a>". </p>
+your command search path. </p>
<p> If you need to build Postfix for multiple architectures, use the
"lndir" command to build a shadow tree with symbolic links to the
<h3>4.5 - Support for thousands of processes</h3>
-<p> The number of connections that Postfix can manage simultaneously
-is limited by the number of processes that it can run. This number
-in turn is limited by the number of files and sockets that a single
-process can open. For example, the Postfix queue manager has a
-separate connection to each delivery process, and the <a href="anvil.8.html">anvil(8)</a>
-server has one connection per <a href="smtpd.8.html">smtpd(8)</a> process. </p>
-
-<p> Postfix version 2.4 and later have no built-in limits on the
-number of open files or sockets, when compiled on systems that
-support one of the following: </p>
-
-<ul>
-
-<li> BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
-
-<li> Solaris 8 /dev/poll,
-
-<li> Linux 2.6 epoll(4).
-
-</ul>
-
-
-<p> With other Postfix versions or operating systems, the number
-of file descriptors per process is limited by the value of the
-FD_SETSIZE macro. If you expect to run more than 1000 mail delivery
-processes, you may need to override the definition of the FD_SETSIZE
-macro to make select() work correctly: </p>
+<p> In order to build Postfix for very large applications, where you
+expect to run more than 1000 mail delivery processes, you may need to
+override the definition of the FD_SETSIZE macro to make select()
+work correctly: </p>
<blockquote>
<pre>
overriding the __FD_SETSIZE macro. Beware, undocumented interfaces
can change at any time and without warning. </p>
-<p> But wait, there is more: none of this will work unless the
-operating system is configured to handle thousands of connections.
-See the <a href="TUNING_README.html">TUNING_README</a> guide for examples of how to increase the
-number of open sockets or files. </p>
-
<h3>4.6 - Compiling Postfix, at last</h3>
<p> If the command </p>
<p> This text describes how to install Postfix from source code.
See the <a href="PACKAGE_README.html">PACKAGE_README</a> file if you are building a package for
-distribution to other systems. </p>
+distribution to other systems. See auxiliary/MacOSX/README-<a href="INSTALL.html">INSTALL</a>.OSX
+for information about installing Postfix from source on Mac OS X.
+</p>
<h3>6.1 - Save existing Sendmail binaries</h3>
<p> <a name="save">IMPORTANT</a>: if you are REPLACING an existing
Sendmail installation with Postfix, you may need to keep the old
sendmail program running for some time in order to flush the mail
-queue. </p>
-
-<ul>
-
-<li> <p> Some systems implement a mail switch mechanism where
-different MTAs (Postfix, Sendmail, etc.) can be installed at the
-same time, while only one of them is actually being used. Examples
-of such switching mechanisms are the FreeBSD mailwrapper(8) or the
-Linux mail switch. In this case you should try to "flip" the switch
-to "Postfix" before installing Postfix. </p>
-
-<li> <p> If your system has no mail switch mechanism, execute the
-following commands (your sendmail, newaliases and mailq programs
-may be in a different place): </p>
+queue. As superuser, execute the following commands (your sendmail,
+newaliases and mailq programs may be in a different place): </p>
+<blockquote>
<pre>
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
/usr/bin/mailq.OFF
</pre>
-
-</ul>
+</blockquote>
<h3>6.2 - Create account and groups</h3>
<ul>
-<li> <p> The interactive version ("make install") asks for pathnames
-for Postfix data and program files, and stores your preferences in
-the <a href="postconf.5.html">main.cf</a> file. <b> If you don't want Postfix to overwrite
-non-Postfix "sendmail", "mailq" and "newaliases" files, specify
-pathnames that end in ".postfix"</b>. </p>
-
<li> <p> The non-interactive version ("make upgrade") needs the
/etc/postfix/<a href="postconf.5.html">main.cf</a> file from a previous installation. If the file
does not exist, use interactive installation ("make install")
instead. </p>
+<li> <p> The interactive version offers suggestions for pathnames
+that you can override interactively, and stores your preferences
+in /etc/postfix/<a href="postconf.5.html">main.cf</a> for convenient future upgrades. </p>
+
</ul>
<h3>6.4 - Configure Postfix</h3>
Postfix on a virtual interface address. Simply configure your mail
user agent to directly invoke the Postfix sendmail program. </p>
-<p> To create a virtual network interface address, study your
-system ifconfig manual page. The command syntax could be any
-of: </p>
-
-<blockquote>
-<pre>
-# <b>ifconfig le0:1 <address> netmask <mask> up</b>
-# <b>ifconfig en0 alias <address> netmask 255.255.255.255</b>
-</pre>
-</blockquote>
-
<p> In the /etc/postfix/<a href="postconf.5.html">main.cf</a> file, I would specify </p>
<blockquote>
<li><a href="#example_virtual">Example: virtual domains/addresses</a>
-<li><a href="#example_group">Example: expanding LDAP groups</a>
-
<li><a href="#other">Other uses of LDAP lookups</a>
<li><a href="#hmmmm">Notes and things to think about</a>
<h2><a name="config">Configuring LDAP lookups</a></h2>
<p> In order to use LDAP lookups, define an LDAP source
-as a table lookup in <a href="postconf.5.html">main.cf</a>, for example: </p>
+as a table lookup in main.cf, for example: </p>
<blockquote>
<pre>
<h2><a name="example_alias">Example: local(8) aliases</a></h2>
<p> Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
-aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have: </p>
+aliases. Assume that in main.cf, you have: </p>
<blockquote>
<pre>
<blockquote>
<pre>
-server_host = ldap.example.com
-search_base = dc=example, dc=com
+server_host = ldap.my.com
+search_base = dc=my, dc=com
</pre>
</blockquote>
<p> Upon receiving mail for a local address "ldapuser" that isn't
found in the /etc/aliases database, Postfix will search the LDAP
-server listening at port 389 on ldap.example.com. It will bind anonymously,
+server listening at port 389 on ldap.my.com. It will bind anonymously,
search for any directory entries whose mailacceptinggeneralid
attribute is "ldapuser", read the "maildrop" attributes of those
found, and build a list of their maildrops, which will be treated
fully qualified with their virtual domains. Finally, if you want
to designate a directory entry as the default user for a virtual
domain, just give it an additional mailacceptinggeneralid (or the
-equivalent in your directory) of "@fake.dom". That's right, no
+equivalent in your directory) of "@virtual.dom". That's right, no
user part. If you don't want a catchall user, omit this step and
mail to unknown users in the domain will simply bounce. </p>
<a href="QSHAPE_README.html#maildrop_queue">maildrop</a>, e.g. "normaluser@fake.dom" and "normaluser@real.dom".
</p>
-<h2><a name="example_group">Example: expanding LDAP groups</a></h2>
-
-<p>
-LDAP is frequently used to store group member information. There are a
-number of ways of handling LDAP groups. We will show a few examples in
-order of increasing complexity, but owing to the number of independent
-variables, we can only present a tiny portion of the solution space.
-We show how to:
-</p>
-
-<ol>
-
-<li> <p> query groups as lists of addresses; </p>
-
-<li> <p> query groups as lists of user objects containing addresses; </p>
-
-<li> <p> forward special lists unexpanded to a separate list server,
-for moderation or other processing; </p>
-
-<li> <p> handle complex schemas by controlling expansion and by treating
-leaf nodes specially, using features that are new in Postfix 2.4. </p>
-
-</ol>
-
-<p>
-The example LDAP entries and implied schema below show two group entries
-("agroup" and "bgroup") and four user entries ("auser", "buser", "cuser"
-and "duser"). The group "agroup" has the users "auser" (1) and "buser" (2)
-as members via DN references in the multi-valued attribute "memberdn", and
-direct email addresses of two external users "auser@example.org" (3) and
-"buser@example.org" (4) stored in the multi-valued attribute "memberaddr".
-The same is true of "bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but
-"bgroup" also has a "maildrop" attribute of "bgroup@mlm.example.com"
-(5): </p>
-
-<blockquote>
-<pre>
- dn: cn=agroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: agroup
- mail: agroup@example.com
-1 -> memberdn: uid=auser, dc=example, dc=com
-2 -> memberdn: uid=buser, dc=example, dc=com
-3 -> memberaddr: auser@example.org
-4 -> memberaddr: buser@example.org
-</pre>
-<br>
-
-<pre>
- dn: cn=bgroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: bgroup
- mail: bgroup@example.com
-5 -> maildrop: bgroup@mlm.example.com
-6 -> memberdn: uid=cuser, dc=example, dc=com
-7 -> memberdn: uid=duser, dc=example, dc=com
-8 -> memberaddr: cuser@example.org
-9 -> memberaddr: duser@example.org
-</pre>
-<br>
-
-<pre>
- dn: uid=auser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: auser
-10 -> mail: auser@example.com
-11 -> maildrop: auser@mailhub.example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=buser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: buser
-12 -> mail: buser@example.com
-13 -> maildrop: buser@mailhub.example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=cuser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: cuser
-14 -> mail: cuser@example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=duser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: duser
-15 -> mail: duser@example.com
-</pre>
-<br>
-
-</blockquote>
-
-<p> Our first use case ignores the "memberdn" attributes, and assumes
-that groups hold only direct "memberaddr" strings as in (3), (4), (8) and
-(9). The goal is to map the group address to the list of constituent
-"memberaddr" values. This is simple, ignoring the various connection
-related settings (hosts, ports, bind settings, timeouts, ...) we have:
-</p>
-
-<blockquote>
-<pre>
- simple.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:simple.cf
- auser@example.org,buser@example.org
-</pre>
-</blockquote>
-
-<p> We search "dc=example, dc=com". The "mail" attribute is used in the
-query_filter to locate the right group, the "result_attribute" setting
-described in <a href="ldap_table.5.html">ldap_table(5)</a> is used to specify that "memberaddr" values
-from the matching group are to be returned as a comma separated list.
-Always check tables using <a href="postmap.1.html">postmap(1)</a> with the "-q" option, before
-deploying them into production use in <a href="postconf.5.html">main.cf</a>. </p>
-
-<p> Our second use case instead expands "memberdn" attributes (1), (2),
-(6) and (7), follows the DN references and returns the "maildrop" of the
-referenced user entries. Here we use the "special_result_attribute"
-setting from <a href="ldap_table.5.html">ldap_table(5)</a> to designate the "memberdn" attribute
-as holding DNs of the desired member entries. The "result_attribute"
-setting selects which attributes are returned from the selected DNs. It
-is important to choose a result attribute that is not also present in
-the group object, because result attributes are collected from both
-the group and the member DNs. In this case we choose "maildrop" and
-assume for the moment that groups never have a "maildrop" (the "bgroup"
-"maildrop" attribute is for a different use case). The returned data for
-"auser" and "buser" is from items (11) and (13) in the example data. </p>
-
-<blockquote>
-<pre>
- special.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:special.cf
- auser@mailhub.example.com,buser@mailhub.example.com
-</pre>
-</blockquote>
-
-<p> Note: if the desired member object result attribute is always also
-present in the group, you get surprising results: the expansion also
-returns the address of the group. This is a known limitation of Postfix
-releases prior to 2.4, and is addressed in the new with Postfix 2.4
-"leaf_result_attribute" feature described in <a href="ldap_table.5.html">ldap_table(5)</a>. </p>
-
-<p> Our third use case has some groups that are expanded immediately,
-and other groups that are forwarded to a dedicated mailing list manager
-host for delayed expansion. This uses two LDAP tables, one for users
-and forwarded groups and a second for groups that can be expanded
-immediately. It is assumed that groups that require forwarding are
-never nested members of groups that are directly expanded. </p>
-
-<blockquote>
-<pre>
- no_expand.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- expand.cf
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
- auser@mailhub.example.com
- $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
- auser@mailhub.example.com,buser@mailhub.example.com
- $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:no_expand.cf <a href="ldap_table.5.html">ldap</a>:expand.cf
- bgroup@mlm.example.com
-</pre>
-</blockquote>
-
-<p> Non-group objects and groups with delayed expansion (those that have a
-maildrop attribute) are rewritten to a single maildrop value. Groups that
-don't have a maildrop are expanded as the second use case. This admits
-a more elegant solution with Postfix 2.4 and later. </p>
-
-<p> Our final use case is the same as the third, but this time uses new
-features in Postfix 2.4. We now are able to use just one LDAP table and
-no longer need to assume that forwarded groups are never nested inside
-expanded groups. </p>
-
-<blockquote>
-<pre>
- fancy.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- special_result_attribute = memberdn
- terminal_result_attribute = maildrop
- leaf_result_attribute = mail
- $ postmap -q auser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
- auser@mailhub.example.com
- $ postmap -q cuser@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
- cuser@example.com
- $ postmap -q agroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
- auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
- $ postmap -q bgroup@example.com <a href="ldap_table.5.html">ldap</a>:fancy.cf
- bgroup@mlm.example.com
-</pre>
-</blockquote>
-
-<p> Above, delayed expansion is enabled via "terminal_result_attribute",
-which, if present, is used as the sole result and all other expansion is
-suppressed. Otherwise, the "leaf_result_attribute" is only returned for
-leaf objects that don't have a "special_result_attribute" (non-groups),
-while the "result_attribute" (direct member address of groups) is returned
-at every level of recursive expansion, not just the leaf nodes. This fancy
-example illustrates all the features of Postfix 2.4 group expansion. </p>
-
<h2><a name="other">Other uses of LDAP lookups</a></h2>
Other common uses for LDAP lookups include rewriting senders and
recipients with Postfix's canonical lookups, for example in order
to make mail leaving your site appear to be coming from
-"First.Last@example.com" instead of "userid@example.com".
+"First.Last@site.dom" instead of "userid@site.dom".
<h2><a name="hmmmm">Notes and things to think about</a></h2>
<blockquote>
<pre>
-dn: cn=Accounting Staff List, dc=example, dc=com
+dn: cn=Accounting Staff List, dc=my, dc=com
cn: Accounting Staff List
-o: example.com
+o: my.com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
external files (<a href="ldap_table.5.html">ldap</a>:/path/ldap.cf) needed to securely store
passwords for plain auth.
-<li>Liviu Daia revised the configuration interface and added the <a href="postconf.5.html">main.cf</a>
+<li>Liviu Daia revised the configuration interface and added the main.cf
configuration feature.</li>
<li>Liviu Daia with further refinements from Jose Luis Tallon and
Victor Duchovni developed the common query, result_format, domain and
expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
-<li>Gunnar Wrobel provided a first implementation of a feature to
-limit LDAP search results to leaf nodes only. Victor generalized
-this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
-
</ul>
And of course Wietse.
<h2>Berkeley DB issues</h2>
-<p> If you can't compile Postfix because the file "db.h"
+<p> Warning: if you can't compile Postfix because the file "db.h"
isn't found, then you MUST install the Berkeley DB development
package (name: db???-devel-???) that matches your system library.
You can find out what is installed with the rpm command. For example:
</blockquote>
<p> This means that you need to install db4-devel-4.3.29-2 (on
-some systems, specify "<b>rpm -qf /lib/libdb.so</b>" instead). </p>
+some systems, specify <tt>/lib/libdb.so</tt> in the rpm query). </p>
<p> DO NOT download some Berkeley DB version from the network.
Every Postfix program will dump core when it is built with a different
<p> On RedHat Linux 7.1 and later <b>procmail</b> no longer has
permission
-to write the mail spool directory. Workaround: </p>
-
-<blockquote>
-<pre>
-# chmod 1777 /var/spool/mail
-</pre>
-</blockquote>
+to write the mail spool directory. Workaround: chmod 1777
+/var/spool/mail.
+</p>
<h2>Syslogd performance</h2>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname $<a href="postconf.5.html#alias_maps">alias_maps</a>
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =
</pre>
</blockquote>
<p> That is, an empty value. With this setting, the Postfix SMTP
server will not reject mail with "User unknown in local recipient
-table". <b> Don't do this on systems that receive mail directly
-from the Internet. With today's worms and viruses, Postfix will
-become a backscatter source: it accepts mail for non-existent
-recipients and then tries to return that mail as "undeliverable"
-to the often forged sender address</b>. </p>
+table". </p>
<h2><a name="change">When you need to change the local_recipient_maps
setting in main.cf</a></h2>
<li> <p> Problem: you don't use the default Postfix <a href="local.8.html">local(8)</a>
delivery agent for domains matching $<a href="postconf.5.html#mydestination">mydestination</a>, $<a href="postconf.5.html#inet_interfaces">inet_interfaces</a>,
or $<a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a>. For example, you redefined the
- "<a href="postconf.5.html#local_transport">local_transport</a>" setting in <a href="postconf.5.html">main.cf</a>. </p>
+ "<a href="postconf.5.html#local_transport">local_transport</a>" setting in main.cf. </p>
<p> Solution: your <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> setting needs to specify
a database that lists all the known user names or addresses
specify: </p>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>
+/etc/postfix/main.cf
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> localhost ...
<a href="postconf.5.html#local_transport">local_transport</a> = virtual
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = $<a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a>
non-UNIX users: </p>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>
+/etc/postfix/main.cf
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> = <a href="proxymap.8.html">proxy</a>:unix:passwd.byname, $<a href="postconf.5.html#alias_maps">alias_maps</a>,
<the database with non-UNIX accounts>
</pre>
</p>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>
+/etc/postfix/main.cf
<a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> =
</pre>
recipients that don't have UNIX home directories. </p>
<p> The following example shows how to use maildrop for some.domain
-and for someother.domain. The example comes in two parts. </p>
-
-<p> Part 1 describes changes to the <a href="postconf.5.html">main.cf</a> file: </p>
+and for someother.domain. </p>
<blockquote>
<pre>
<p> Note: Do not use the postfix user as the maildrop user. </p>
-<p> Part 2 describes changes to the <a href="master.5.html">master.cf</a> file: </p>
-
<blockquote>
<pre>
/etc/postfix/<a href="master.5.html">master.cf</a>:
<p> The reason for adding Milter support to Postfix is that there
exists a large collection of applications, not only to block unwanted
mail, but also to verify authenticity (examples: <a
-href="http://sourceforge.net/projects/dkim-milter/">Domain keys
-identified mail</a>, <a
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
-or to digitally sign mail (examples: <a
-href="http://sourceforge.net/projects/dkim-milter/">Domain keys
-identified mail</a>, <a
+or to digitally sign mail (example: <a
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
Having yet another Postfix-specific version of all that software
is a poor use of human and system resources. </p>
<p> On some Linux and *BSD distributions, the Sendmail libmilter
library is installed by default. With this, applications such as
-<a href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a>
+<a href="http://sourceforge.net/projects/dk-milter/">dk-milter</a>
and <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
build out of the box without requiring any tinkering:</p>
<blockquote>
<pre>
-$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
-$ <b>cd dkim-milter-<i>x.y.z</i></b>
+$ <b>gzcat dk-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
+$ <b>cd dk-milter-<i>x.y.z</i></b>
$ <b>make</b>
[...<i>lots of output omitted</i>...]
</pre>
<blockquote>
<pre>
-# <b>/some/where/dkim-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
</pre>
</blockquote>
</pre>
</blockquote>
-<p> This happens because those Milter applications expect that the
+<p> This happens because some Milter applications expect that the
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
(sender) command. Postfix, on the other hand, does not choose a
queue file name until <i>after</i> it accepts the first valid RCPT
-TO (recipient) command (Postfix queue file names must be unique
+TO (recipient) command. Postfix queue file names must be unique
across multiple directories, so the name can't be chosen before the
-file is created; if multiple messages were to use the same queue
-ID <i>simultaneously</i>, mail would be lost). </p>
+file is created. If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost. </p>
-</ul>
-
-<p> If you experience the ugly header problem, see if a recent
-version of the Milter application fixes it. For example, current
-versions of dkim-filter and dk-filter already have code that looks
-up the Postfix queue ID at a later protocol stage. </p>
-
-<p> To fix the ugly message header with sid-filter applications,
-we change the source code, so that it does the queue ID lookup after
-Postfix receives the end of the message. </p>
+<p> To work around the ugly message header from Milter applications,
+we add a little code to the Milter source to look up the queue ID
+after Postfix receives the end of the message. </p>
<ul>
-<li> <p> Edit the filter source file (named
-<tt>sid-filter/sid-filter.c</tt>). </p>
-
-<li> <p> Look up the <tt>smfilter</tt> table and replace
-<tt>mlfi_eoh</tt> by <tt>NULL</tt>.
-</p>
+<li> <p> Edit the filter source file (typically named
+<tt>dk-filter/dk-filter.c</tt> or similar). </p>
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
-the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
-text below: </p>
+the top shown as <b>bold</b> text below: </p>
</ul>
<blockquote>
<pre>
- assert(ctx != NULL);
-#endif /* !DEBUG */
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
<b>
- ret = mlfi_eoh(ctx);
- if (ret != SMFIS_CONTINUE)
- return ret;</b>
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
+ char *jobid = smfi_getsymval(ctx, "i");
+ if (jobid != 0)
+ dfc->mctx_jobid = jobid;
+}</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
</pre>
</blockquote>
<ul>
-<li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
<li> <p> This fixes only the ugly message header, but not the WARNING
-message. Fortunately, sid-milter logs that message only once. </p>
+message. Fortunately, dk-filter logs that message only once. </p>
</ul>
-<p> To fix the ugly message header with other Milter applications,
-you will need to do something like this: </p>
+<p> With some Milter applications we can fix both the WARNING and
+the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
+(or whatever routine logs the WARNING) until the end of the message.
+</p>
<ul>
<li> <p> Edit the filter source file (typically named
-<tt>xxx-filter/xxx-filter.c</tt> or similar). </p>
+<tt>sid-filter/sid-filter.c</tt> or similar). </p>
+
+<li> <p> Look up the <tt>smfilter</tt> table and replace
+<tt>mlfi_eoh</tt> (or whatever routine logs the WARNING) by NULL.
+</p>
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
-the top shown as <b>bold</b> text below: </p>
+the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
+text below: </p>
</ul>
<blockquote>
<pre>
-dfc = cc->cctx_msg;
-assert(dfc != NULL);
+ assert(ctx != NULL);
+#endif /* !DEBUG */
<b>
-/* Determine the job ID for logging. */
-if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
- char *jobid = smfi_getsymval(ctx, "i");
- if (jobid != 0)
- dfc->mctx_jobid = jobid;
-}</b>
-
-/* get hostname; used in the X header and in new MIME boundaries */
+ ret = mlfi_eoh(ctx);
+ if (ret != SMFIS_CONTINUE)
+ return ret;</b>
</pre>
</blockquote>
-<p> NOTES: </p>
-
-<ul>
-
-<li> <p> Different mail filters use slightly different names for
-variables. If the above code does not compile, look for the code
-at the start of the <tt>mlfi_eoh()</tt> routine. </p>
-
-<li> <p> This fixes only the ugly message header, but not the WARNING
-message. Fortunately, many Milters log that message only once. </p>
+<p> This works with sid-milter-0.2.10. Other Milter applications
+will dump core when you do this. </p>
</ul>
</pre>
</blockquote>
-<p> The solution is to use Postfix version 2.4 or later. </p>
+<p> The solution is to use a Postfix version that supports the
+missing functionality. </p>
<li> <p> Most Milter configuration options are global. Future Postfix
versions may support per-Milter timeouts, per-Milter error handling,
defer.8.html: bounce.8.html
rm -f $@
- ln $? $@
+ ln -s $? $@
discard.8.html: ../src/discard/discard.c
PATH=../mantools:$$PATH; \
lmtp.8.html: smtp.8.html
rm -f $@
- ln $? $@
+ ln -s $? $@
local.8.html: ../src/local/local.c
PATH=../mantools:$$PATH; \
trace.8.html: bounce.8.html
rm -f $@
- ln $? $@
+ ln -s $? $@
trivial-rewrite.8.html: ../src/trivial-rewrite/trivial-rewrite.c
PATH=../mantools:$$PATH; \
mailq.1.html: sendmail.1.html
rm -f $@
- ln $? $@
+ ln -s $? $@
newaliases.1.html: sendmail.1.html
PATH=../mantools:$$PATH; \
rm -f $@
- ln $? $@
+ ln -s $? $@
smtp-source.1.html: ../src/smtpstone/smtp-source.c
PATH=../mantools:$$PATH; \
<p> When delivering mail to a destination with multiple mail servers,
connection caching can help to skip over a non-responding server,
-and thus dramatically speed up delivery. SMTP connection caching
-is available in Postfix version 2.2 and later. More information
-about this feature is in the <a href="CONNECTION_CACHE_README.html">CONNECTION_CACHE_README</a> document. </p>
+and thus dramatically speed up delivery. </p>
<table>
-<tr> <td> </td> <td> <tt> /-- </tt> </td> <td align="center"
-colspan="3" bgcolor="#f0f0ff"> <a href="smtp.8.html">smtp(8)</a> </td> <td colspan="2"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td align="center" bgcolor="#f0f0ff"> <a href="qmgr.8.html">qmgr(8)</a> </td> <td> </td>
-<td align="center" rowspan="3"> </td> <td align="center"
-rowspan="3"><tt>|<br>|<br>|<br>|<br>v</tt></td> <td> </td>
-</tr>
-
-<tr> <td> </td> <td> <tt> \-- </tt> </td> <td align="center"
-colspan="2" bgcolor="#f0f0ff"> <a href="smtp.8.html">smtp(8)</a> </td> <td align="left"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center"><tt>^<br>|</tt></td>
-<td> </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center" colspan="3"
-bgcolor="#f0f0ff"> <a href="scache.8.html">scache(8)</a> </td> </tr>
+<tr> <td align="center" bgcolor="#f0f0ff"> <br> <a href="smtp.8.html">smtp(8)</a> <br>
+ </td> <td> <tt> <-> </tt> </td> <td align="center"
+bgcolor="#f0f0ff"> <br> <a href="scache.8.html">scache(8)</a> <br> </td> <td> <tt>
+<-> </tt> </td> <td align="center" bgcolor="#f0f0ff"> <br>
+<a href="smtp.8.html">smtp(8)</a> <br> </td>
</table>
<h2>General distributions: please provide a small default main.cf
file</h2>
-<p> The installed <a href="postconf.5.html">main.cf</a> file must be small. PLEASE resist the
-temptation to list all parameters in the <a href="postconf.5.html">main.cf</a> file. Postfix
-is supposed to be easy to configure. Listing all parameters in <a href="postconf.5.html">main.cf</a>
+<p> The installed main.cf file must be small. PLEASE resist the
+temptation to list all 400+ parameters in the main.cf file. Postfix
+is supposed to be easy to configure. Listing all 400+ in main.cf
defeats the purpose. It is an invitation for hobbyists to make
random changes without understanding what they do, and gets them
into endless trouble. </p>
<p> You will be prompted for installation parameters. Specify an
install_root directory other than /. The <a href="postconf.5.html#mail_owner">mail_owner</a> and <a href="postconf.5.html#setgid_group">setgid_group</a>
-installation parameter settings will be recorded in the <a href="postconf.5.html">main.cf</a>
+installation parameter settings will be recorded in the main.cf
file, but they won't take effect until the package is unpacked and
installed on the destination machine. </p>
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix qmail and ezmlm support</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix qmail and ezmlm support</h1>
+
+<hr>
+
+<p> This document will be made available via <a href="http://www.postfix.org/">http://www.postfix.org/</a>. </p>
+
+</body>
+
+</html>
<h2>Purpose of this document </h2>
-<p> This document is an introduction to Postfix queue congestion analysis.
-It explains how the <a href="qshape.1.html">qshape(1)</a> program can help to track down the
-reason for queue congestion. <a href="qshape.1.html">qshape(1)</a> is bundled with Postfix
-2.1 and later source code, under the "auxiliary" directory. This
-document describes <a href="qshape.1.html">qshape(1)</a> as bundled with Postfix 2.4. </p>
+<p> This document describes the <a href="qshape.1.html">qshape(1)</a> program which helps the
+administrator understand the Postfix queue message distribution
+sorted by time and by sender or recipient domain. <a href="qshape.1.html">qshape(1)</a> is
+bundled with the Postfix 2.1 source under the "auxiliary" directory.
+</p>
+
+<p> In order to understand the output of <a href="qshape.1.html">qshape(1)</a>, it useful to
+understand the various Postfix queues. To this end the role of each
+Postfix queue directory is described briefly in the "Background
+info: Postfix queue directories" section near the end of this
+document. </p>
<p> This document covers the following topics: </p>
<li><a href="#backlog">Example 4: High volume destination backlog</a>
-<li><a href="#queues">Postfix queue directories</a>
+<li><a href="#queues">Background info: Postfix queue directories</a>
<ul>
<h2><a name="qshape">Introducing the qshape tool</a></h2>
+
<p> When mail is draining slowly or the queue is unexpectedly large,
run <a href="qshape.1.html">qshape(1)</a> as the super-user (root) to help zero in on the problem.
The <a href="qshape.1.html">qshape(1)</a> program displays a tabular view of the Postfix queue
</ul>
-<p> When the output is a terminal intermediate results showing the top 20
-domains (-n option) are displayed after every 1000 messages (-N option)
-and the final output also shows only the top 20 domains. This makes
-qshape useful even when the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is very large and it may
-otherwise take prohibitively long to read the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. </p>
-
<p> By default, qshape shows statistics for the union of both the
<a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a> which are the most relevant queues to
look at when analyzing performance. </p>
<blockquote>
<pre>
-$ qshape deferred
-$ qshape incoming active deferred
+$ qshape deferred | less
+$ qshape incoming active deferred | less
</pre>
</blockquote>
<p> The problem destinations or sender domains appear near the top
left corner of the output table. Remember that the <a href="QSHAPE_README.html#active_queue">active queue</a>
can accommodate up to 20000 ($<a href="postconf.5.html#qmgr_message_active_limit">qmgr_message_active_limit</a>) messages.
-To check whether this limit has been reached, use: </p>
+To check wether this limit has been reached, use: </p>
<blockquote>
<pre>
-$ qshape -s active <i>(show sender statistics)</i>
+$ qshape -s active | head <i>(show sender statistics)</i>
</pre>
</blockquote>
not yet saturated, any high volume sender domains show near the
top of the output.
-<p> With <a href="qmgr.8.html">oqmgr(8)</a> the <a href="QSHAPE_README.html#active_queue">active queue</a> is also limited to at most 20000
-recipient addresses ($<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>). To check for
-exhaustion of this limit use: </p>
+<p> The <a href="QSHAPE_README.html#active_queue">active queue</a> is also limited to at most 20000 recipient
+addresses ($<a href="postconf.5.html#qmgr_message_recipient_limit">qmgr_message_recipient_limit</a>). To check for exhaustion
+of this limit use: </p>
<blockquote>
<pre>
-$ qshape active <i>(show recipient statistics)</i>
+$ qshape active | head <i>(show recipient statistics)</i>
</pre>
</blockquote>
take measures to ensure that the mail is deferred instead or even
add an <a href="access.5.html">access(5)</a> rule asking the sender to try again later. </p>
-<p> If a high volume destination exhibits frequent bursts of consecutive
-connections refused by all MX hosts or "421 Server busy errors", it
-is possible for the queue manager to mark the destination as "dead"
-despite the transient nature of the errors. The destination will be
-retried again after the expiration of a $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> timer.
-If the error bursts are frequent enough it may be that only a small
-quantity of email is delivered before the destination is again marked
-"dead". In some cases enabling static (not on demand) connection
-caching by listing the appropriate nexthop domain in a table included in
-"<a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a>" may help to reduce the error rate,
-because most messages will re-use existing connections. </p>
+<p> If a high volume destination exhibits frequent bursts of
+consecutive connections refused by all MX hosts or "421 Server busy
+errors", it is possible for the queue manager to mark the destination
+as "dead" despite the transient nature of the errors. The destination
+will be retried again after the expiration of a $<a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>
+timer. If the error bursts are frequent enough it may be that only
+a small quantity of email is delivered before the destination is
+again marked "dead". </p>
<p> The MTA that has been observed most frequently to exhibit such
bursts of errors is Microsoft Exchange, which refuses connections
server propagate the refused connection to the client as a "421"
error. </p>
-<p> Note that it is now possible to configure Postfix to exhibit similarly
-erratic behavior by misconfiguring the <a href="anvil.8.html">anvil(8)</a> service. Do not use
-<a href="anvil.8.html">anvil(8)</a> for steady-state rate limiting, its purpose is (unintentional)
-DoS prevention and the rate limits set should be very generous! </p>
+<p> Note that it is now possible to configure Postfix to exhibit
+similarly erratic behavior by misconfiguring the <a href="anvil.8.html">anvil(8)</a> server
+(not included in Postfix 2.1.). Do not use <a href="anvil.8.html">anvil(8)</a> for steady-state
+rate limiting, its purpose is DoS prevention and the rate limits
+set should be very generous! </p>
-<p> If one finds oneself needing to deliver a high volume of mail to a
-destination that exhibits frequent brief bursts of errors and connection
-caching does not solve the problem, there is a subtle workaround. </p>
+<p> In the long run it is hoped that the Postfix dead host detection
+and concurrency control mechanism will be tuned to be more "noise"
+tolerant. If one finds oneself needing to deliver a high volume
+of mail to a destination that exhibits frequent brief bursts of
+errors, there is a subtle workaround. </p>
<ul>
-<li> <p> In <a href="master.5.html">master.cf</a> set up a dedicated clone of the "smtp"
+<li> <p> In master.cf set up a dedicated clone of the "smtp"
transport for the destination in question. </p>
-<li> <p> In <a href="master.5.html">master.cf</a> configure a reasonable process limit for the
+<li> <p> In master.cf configure a reasonable process limit for the
transport (a number in the 10-20 range is typical). </p>
-<li> <p> IMPORTANT!!! In <a href="postconf.5.html">main.cf</a> configure a very large initial
-and destination concurrency limit for this transport (say 2000). </p>
+<li> <p> IMPORTANT!!! In main.cf configure a very large initial
+and destination concurrency limit for this transport (say 200). </p>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- <a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a> = 2000
- <i>transportname</i>_destination_concurrency_limit = 2000
+/etc/postfix/main.cf:
+ <a href="postconf.5.html#initial_destination_concurrency">initial_destination_concurrency</a> = 200
+ <i>transportname</i>_destination_concurrency_limit = 200
</pre>
-<p> Where <i>transportname</i> is the name of the <a href="master.5.html">master.cf</a> entry
+<p> Where <i>transportname</i> is the name of the master.cf entry
in question. </p>
</ul>
-<p> The effect of this surprising configuration is that up to 2000
+<p> The effect of this surprising configuration is that up to 200
consecutive errors are tolerated without marking the destination
dead, while the total concurrency remains reasonable (10-20
processes). This trick is only for a very specialized situation:
high volume delivery into a channel with multi-error bursts
that is capable of high throughput, but is repeatedly throttled by
-the bursts of errors. </p>
+the bursts of errors.
<p> When a destination is unable to handle the load even after the
Postfix process limit is reduced to 1, a desperate measure is to
<li> <p> In the transport map entry for the problem destination,
specify a dead host as the primary nexthop. </p>
-<li> <p> In the <a href="master.5.html">master.cf</a> entry for the transport specify the
+<li> <p> In the master.cf entry for the transport specify the
problem destination as the <a href="postconf.5.html#fallback_relay">fallback_relay</a> and specify a small
<a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> value. </p>
/etc/postfix/transport:
problem.example.com slow:[dead.host]
-/etc/postfix/<a href="master.5.html">master.cf</a>:
+/etc/postfix/master.cf:
# service type private unpriv chroot wakeup maxproc command
slow unix - - n - 1 smtp
-o <a href="postconf.5.html#fallback_relay">fallback_relay</a>=problem.example.com
<p> Hopefully a more elegant solution to these problems will be
found in the future. </p>
-<h2><a name="queues">Postfix queue directories</a></h2>
+<h2><a name="queues">Background info: Postfix queue directories</a></h2>
<p> The following sections describe Postfix queues: their purpose,
what normal behavior looks like, and how to diagnose abnormal
<p> All mail that enters the main Postfix queue does so via the
<a href="cleanup.8.html">cleanup(8)</a> service. The cleanup service is responsible for envelope
and header rewriting, header and body regular expression checks,
-automatic bcc recipient processing, milter content processing, and
-
reliable insertion of the message into the Postfix "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>. </p>
+automatic bcc recipient processing and guaranteed insertion of the
+message into the Postfix "<a href="QSHAPE_README.html#incoming_queue">incoming" queue</a>. </p>
<p> In the absence of excessive CPU consumption in <a href="cleanup.8.html">cleanup(8)</a> header
or body regular expression checks or other software consuming all
disk I/O latency (+ CPU if not negligible) of the cleanup service.
</p>
-<p> Congestion in this queue is indicative of an excessive local message
-submission rate or perhaps excessive CPU consumption in the <a href="cleanup.8.html">cleanup(8)</a>
-service due to excessive <a href="postconf.5.html#body_checks">body_checks</a>, or (Postfix ≥ 2.3) high latency
-milters. </p>
+<p> Congestion in this queue is indicative of an excessive local
+message submission rate or perhaps excessive CPU consumption in
+the <a href="cleanup.8.html">cleanup(8)</a> service due to excessive <a href="postconf.5.html#body_checks">body_checks</a>. </p>
<p> Note, that once the <a href="QSHAPE_README.html#active_queue">active queue</a> is full, the cleanup service
will attempt to slow down message injection by pausing $<a href="postconf.5.html#in_flow_delay">in_flow_delay</a>
a consequence of congestion downstream, rather than a problem in
its own right. </p>
-<p> Note, you should not attempt to deliver large volumes of mail via
-the <a href="pickup.8.html">pickup(8)</a> service. High volume sites should avoid using "simple"
-content filters that re-inject scanned mail via Postfix <a href="sendmail.1.html">sendmail(1)</a>
-and <a href="postdrop.1.html">postdrop(1)</a>. </p>
+<p> Note also, that one should not attempt to deliver large volumes
+of mail via the <a href="pickup.8.html">pickup(8)</a> service. High volume sites must avoid
+using content filters that reinject scanned mail via Postfix
+
<a href="sendmail.1.html">sendmail(1)</a> and <a href="postdrop.1.html">postdrop(1)</a>. </p>
<p> A high arrival rate of locally submitted mail may be an indication
of an uncaught forwarding loop, or a run-away notification program.
<p> The administrator can define "smtpd" <a href="access.5.html">access(5)</a> policies, or
<a href="cleanup.8.html">cleanup(8)</a> header/body checks that cause messages to be automatically
diverted from normal processing and placed indefinitely in the
-"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Messages placed in the "hold" queue stay there until
+"<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. Messages placed in the "hold" queue stay there until
the administrator intervenes. No periodic delivery attempts are
made for messages in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>. The <a href="postsuper.1.html">postsuper(1)</a> command
can be used to manually release messages into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>.
</p>
-<p> Messages can potentially stay in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> longer than
-$<a href="postconf.5.html#maximal_queue_lifetime">maximal_queue_lifetime</a>. If such "old" messages need to be released from
-the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically be moved into the "maildrop"
-queue using "postsuper -r", so that the message gets a new timestamp and
-is given more than one opportunity to be delivered. Messages that are
-"young" can be moved directly into the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a> using
-"postsuper -H". </p>
+<p> Messages can potentially stay in the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> for a time
+exceeding the normal maximal queue lifetime (after which undelivered
+messages are bounced back to the sender). If such "old" messages
+need to be released from the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a>, they should typically
+be moved into the "<a href="QSHAPE_README.html#maildrop_queue">maildrop" queue</a>, so that the message gets a new
+timestamp and is given more than one opportunity to be delivered.
+Messages that are "young" can be moved directly into the "deferred"
+queue. </p>
<p> The "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> plays little role in Postfix performance, and
monitoring of the "<a href="QSHAPE_README.html#hold_queue">hold" queue</a> is typically more closely motivated
<p> The <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> grows when the message input rate spikes
above the rate at which the queue manager can import messages into
-the <a href="QSHAPE_README.html#active_queue">active queue</a>. The main factors slowing down the queue manager
-are disk I/O and lookup queries to the trivial-rewrite service. If the queue
+the <a href="QSHAPE_README.html#active_queue">active queue</a>. The main factor slowing down the queue manager
+is transport queries to the trivial-rewrite service. If the queue
manager is routinely not keeping up, consider not using "slow"
lookup services (MySQL, LDAP, ...) for transport lookups or speeding
-up the hosts that provide the lookup service. If the problem is I/O
-starvation, consider striping the queue over more disks, faster controllers
-with a battery write cache, or other hardware improvements. At the very
-least, make sure that the queue directory is mounted with the "noatime"
-option if applicable to the underlying filesystem. </p>
+up the hosts that provide the lookup service. </p>
<p> The <a href="postconf.5.html#in_flow_delay">in_flow_delay</a> parameter is used to clamp the input rate
when the queue manager starts to fall behind. The <a href="cleanup.8.html">cleanup(8)</a> service
concurrency limit. </p>
<p> Multiple recipient groups (from one or more messages) are queued
-for delivery grouped by transport/nexthop combination. The
-<b>destination</b> concurrency limit for the transports caps the number
+for delivery via the common transport/nexthop combination. The
+destination concurrency limit for the transports caps the number
of simultaneous delivery attempts for each nexthop. Transports with
-a <b>recipient</b> concurrency limit of 1 are special: these are grouped
-by the actual recipient address rather than the nexthop, yielding
-per-recipient concurrency limits rather than per-domain
+a recipient concurrency limit of 1 are special: these are grouped
+by the actual recipient address rather than the nexthop, thereby
+enabling per-recipient concurrency limits rather than per-domain
concurrency limits. Per-recipient limits are appropriate when
performing final delivery to mailboxes rather than when relaying
to a remote server. </p>
<p> Congestion occurs in the <a href="QSHAPE_README.html#active_queue">active queue</a> when one or more destinations
-drain slower than the corresponding message input rate. </p>
-
-<p> Input into the <a href="QSHAPE_README.html#active_queue">active queue</a> comes both from new mail in the "incoming"
-queue, and retries of mail in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. Should the "deferred"
-queue get really large, retries of old mail can dominate the arrival
-rate of new mail. Systems with more CPU, faster disks and more network
-bandwidth can deal with larger <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, but as a rule of thumb
-the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scales to somewhere between 100,000 and 1,000,000
-messages with good performance unlikely above that "limit". Systems with
-queues this large should typically stop accepting new mail, or put the
-backlog "on hold" until the underlying issue is fixed (provided that
-there is enough capacity to handle just the new mail). </p>
-
-<p> When a destination is down for some time, the queue manager will
-mark it dead, and immediately defer all mail for the destination without
+drain slower than the corresponding message input rate. If a
+destination is down for some time, the queue manager will mark it
+dead, and immediately defer all mail for the destination without
trying to assign it to a delivery agent. In this case the messages
-will quickly leave the <a href="QSHAPE_README.html#active_queue">active queue</a> and end up in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
-(with Postfix < 2.4, this is done directly by the queue manager,
-with Postfix ≥ 2.4 this is done via the "retry" delivery agent). </p>
-
-<p> When the destination is instead simply slow, or there is a problem
-causing an excessive arrival rate the <a href="QSHAPE_README.html#active_queue">active queue</a> will grow and will
-become dominated by mail to the congested destination. </p>
+will quickly leave the <a href="QSHAPE_README.html#active_queue">active queue</a> and end up in the deferred
+queue. If the destination is instead simply slow, or there is a
+problem causing an excessive arrival rate the <a href="QSHAPE_README.html#active_queue">active queue</a> will
+grow and will become dominated by mail to the congested destination.
+</p>
<p> The only way to reduce congestion is to either reduce the input
rate or increase the throughput. Increasing the throughput requires
is draining slowly and the system and network are not loaded, raise
the "smtp" and/or "relay" process limits! </p>
-<p> When a high volume destination is served by multiple MX hosts with
-typically low delivery latency, performance can suffer dramatically when
-one of the MX hosts is unresponsive and SMTP connections to that host
-timeout. For example, if there are 2 equal weight MX hosts, the SMTP
-connection timeout is 30 seconds and one of the MX hosts is down, the
-average SMTP connection will take approximately 15 seconds to complete.
-With a default per-destination concurrency limit of 20 connections,
-throughput falls to just over 1 message per second. </p>
-
-<p> The best way to avoid bottlenecks when one or more MX hosts is
-non-responsive is to use connection caching. Connection caching was
-introduced with Postfix 2.2 and is by default enabled on demand for
-destinations with a backlog of mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. When connection
-caching is in effect for a particular destination, established connections
-are re-used to send additional messages, this reduces the number of
-connections made per message delivery and maintains good throughput even
-in the face of partial unavailability of the destination's MX hosts. </p>
-
-<p> If connection caching is not available (Postfix < 2.2) or does
-not provide a sufficient latency reduction, especially for the "relay"
-transport used to forward mail to "your own" domains, consider setting
-lower than default SMTP connection timeouts (1-5 seconds) and higher
-than default destination concurrency limits. This will further reduce
-latency and provide more concurrency to maintain throughput should
-latency rise. </p>
-
-<p> Setting high concurrency limits to domains that are not your own may
-be viewed as hostile by the receiving system, and steps may be taken
-to prevent you from monopolizing the destination system's resources.
-The defensive measures may substantially reduce your throughput or block
-access entirely. Do not set aggressive concurrency limits to remote
-domains without coordinating with the administrators of the target
-domain. </p>
-
-<p> If necessary, dedicate and tune custom transports for selected high
-volume destinations. The "relay" transport is provided for forwarding mail
-to domains for which your server is a primary or backup MX host. These can
-make up a substantial fraction of your email traffic. Use the "relay" and
-not the "smtp" transport to send email to these domains. Using the "relay"
-transport allocates a separate delivery agent pool to these destinations
-and allows separate tuning of timeouts and concurrency limits. </p>
-
-<p> Another common cause of congestion is unwarranted flushing of the
-entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. The deferred queue holds messages that are likely
-to fail to be delivered and are also likely to be slow to fail delivery
-(time out). As a result the most common reaction to a large <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>
-(flush it!) is more than likely counter-productive, and typically makes
-the congestion worse. Do not flush the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> unless you expect
-that most of its content has recently become deliverable (e.g. <a href="postconf.5.html#relayhost">relayhost</a>
-back up after an outage)! </p>
+<p> Especially for the "relay" transport, consider lower SMTP
+connection timeouts (1-5 seconds) and higher than default destination
+concurrency limits. Compute the expected latency when 1 out of N
+of the MX hosts for a high volume site is down and not responding,
+and make sure that the configured concurrency divided by this
+latency exceeds the required steady-state message rate. If the
+destination is managed by you, consider load balancers in front of
+groups of MX hosts. Load balancers have higher uptime and will be
+able to hide individual MX host failures. </p>
+
+<p> If necessary, dedicate and tune custom transports for high
+volume destinations. </p>
+
+<p> Another common cause of congestion is unwarranted flushing of
+the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>. The deferred queue holds messages that
+are likely to fail to be delivered and are also likely to be slow
+to fail delivery (timeouts). This means that the most common reaction
+to a large <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (flush it!) is more than likely counter-
+productive, and is likely to make the problem worse. Do not flush
+the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> unless you expect that most of its content has
+recently become deliverable (e.g. <a href="postconf.5.html#relayhost">relayhost</a> back up after an outage)!
+</p>
<p> Note that whenever the queue manager is restarted, there may
already be messages in the <a href="QSHAPE_README.html#active_queue">active queue</a> directory, but the "real"
the messages back and forth, redoing transport table (<a href="trivial-rewrite.8.html">trivial-rewrite(8)</a>
resolve service) lookups, and re-importing the messages back into
memory is expensive. At all costs, avoid frequent restarts of the
-queue manager (e.g. via frequent execution of "postfix reload"). </p>
+queue manager. </p>
<h3> <a name="deferred_queue"> The "deferred" queue </a> </h3>
might succeed later), the message is placed in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a>.
</p>
-<p> The queue manager scans the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> periodically. The scan
-interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter. While a deferred
-queue scan is in progress, if an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> scan is also in progress
-(ideally these are brief since the <a href="QSHAPE_README.html#incoming_queue">incoming queue</a> should be short), the
-queue manager alternates between looking for messages in the "incoming"
-queue and in the "<a href="QSHAPE_README.html#deferred_queue">deferred" queue</a>. This "round-robin" strategy prevents
-starvation of either the <a href="QSHAPE_README.html#incoming_queue">incoming</a> or the <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>. </p>
+<p> The queue manager scans the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> periodically. The
+scan interval is controlled by the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> parameter.
+While a <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scan is in progress, if an <a href="QSHAPE_README.html#incoming_queue">incoming queue</a>
+scan is also in progress (ideally these are brief since the incoming
+queue should be short), the queue manager alternates between bringing
+a new "incoming" message and a new "deferred" message into the
+queue. This "round-robin" strategy prevents starvation of either
+the <a href="QSHAPE_README.html#incoming_queue">incoming</a> or the <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>. </p>
<p> Each <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scan only brings a fraction of the deferred
queue back into the <a href="QSHAPE_README.html#active_queue">active queue</a> for a retry. This is because each
message in the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is assigned a "cool-off" time when
it is deferred. This is done by time-warping the modification
-time of the queue file into the future. The queue file is not
+times of the queue file into the future. The queue file is not
eligible for a retry if its modification time is not yet reached.
</p>
retried more often than old messages. </p>
<p> If a high volume site routinely has large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a>, it
-may be useful to adjust the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>, <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> and
-<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> to provide short enough delays on first failure
-(Postfix ≥ 2.4 has a sensibly low minimal backoff time by default),
-with perhaps longer delays after multiple failures, to reduce the
-retransmission rate of old messages and thereby reduce the quantity
-of previously deferred mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. If you want a really
-low <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>, you may also want to lower <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>,
-but understand that more frequent scans will increase the demand for
-disk I/O. </p>
+may be useful to adjust the <a href="postconf.5.html#queue_run_delay">queue_run_delay</a>, <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a>
+and <a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> to provide short enough delays on first
+failure, with perhaps longer delays after multiple failures, to
+reduce the retransmission rate of old messages and thereby reduce
+the quantity of previously deferred mail in the <a href="QSHAPE_README.html#active_queue">active queue</a>. </p>
<p> One common cause of large <a href="QSHAPE_README.html#deferred_queue">deferred queues</a> is failure to validate
recipients at the SMTP input stage. Since spammers routinely launch
dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (and at high
-volumes proportionally clog the <a href="QSHAPE_README.html#active_queue">active queue</a>). Recipient validation
-is strongly recommended through use of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a> and
-<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameters. Even when bounces drain quickly they
-inundate innocent victims of forgery with unwanted email. To avoid
-this, do not accept mail for invalid recipients. </p>
+for invalid recipient addresses clog the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> (and at
+high volumes proportionally clog the <a href="QSHAPE_README.html#active_queue">active queue</a>). Recipient
+validation is strongly recommended through use of the <a href="postconf.5.html#local_recipient_maps">local_recipient_maps</a>
+and <a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> parameters. </p>
<p> When a host with lots of deferred mail is down for some time,
it is possible for the entire <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> to reach its retry
time simultaneously. This can lead to a very full <a href="QSHAPE_README.html#active_queue">active queue</a> once
the host comes back up. The phenomenon can repeat approximately
every <a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a> seconds if the messages are again deferred
-after a brief burst of congestion. Perhaps, a future Postfix release
+after a brief burst of congestion. Ideally, in the future Postfix
will add a random offset to the retry time (or use a combination
-of strategies) to reduce the odds of repeated complete deferred
+of strategies) to reduce the chances of repeated complete deferred
queue flushes. </p>
<h2><a name="credits">Credits</a></h2>
<h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
-<p> Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x,
+<p> Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1,
which are available from: </p>
<blockquote>
<p> IMPORTANT: if you install the Cyrus SASL libraries as per the
default, you will have to symlink /usr/lib/sasl -> /usr/local/lib/sasl
-for version 1.5.x or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for
-version 2.1.x. </p>
+for version 1.5.5 or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for
+version 2.1.1. </p>
-<p> Reportedly, Microsoft Outlook (Express) requires the
-non-standard LOGIN authentication method. To enable this
+<p> Reportedly, Microsoft Internet Explorer version 5 requires the
+non-standard SASL LOGIN authentication method. To enable this
authentication method, specify ``./configure --enable-login''. </p>
<h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
<dl>
-<dt> (for Cyrus SASL version 1.5.x):
+<dt> (for Cyrus SASL version 1.5.5):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
-I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
</pre>
-<dt> (for Cyrus SASL version 2.1.x):
+<dt> (for Cyrus SASL version 2.1.1):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
<dl>
-<dt> (for Cyrus SASL version 1.5.x):
+<dt> (for Cyrus SASL version 1.5.5):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
-R/usr/local/lib -lsasl"
</pre>
-<dt> (for Cyrus SASL version 2.1.x):
+<dt> (for Cyrus SASL version 2.1.1):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=mechanism-list" instead of
-"250 AUTH mechanism-list". To accommodate such clients (in addition
-to conformant
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff". To accommodate such clients (in addition to conformant
clients) use the following: </p>
<blockquote>
<h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
SMTP server</a></h2>
-<p> You need to configure how the Cyrus SASL library should
-authenticate a client's username and password. These settings must
-be stored in a separate configuration file. </p>
-
-<p> The name of the configuration file (default: smtpd.conf) will
-be constructed from a value sent by Postfix to the Cyrus SASL
-library, which adds the suffix .conf. The value is configured using
-one of the following variables: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
- # Postfix 2.3 and later
- <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd
- # Postfix < 2.3
- smtpd_sasl_application_name = smtpd
-</pre>
-</blockquote>
-
-<p> Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/
-(Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL
-version 2.1.x). </p>
+<p> In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or
+/usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to
+specify how the server should validate client passwords. </p>
<p> Note: some Postfix distributions are modified and look for
-the smtpd.conf file in /etc/postfix/sasl. </p>
+the smtpd.conf file in /etc/postfix. </p>
<p> Note: some Cyrus SASL distributions look for the smtpd.conf
file in /etc/sasl2. </p>
<ul>
-<li> <p> To authenticate against the UNIX password database, use: </p>
+<li> <p> To authenticate against the UNIX password database, try: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
/usr/local/lib/sasl/smtpd.conf:
</pre>
-<p> IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck
-and waits for authentication requests. Postfix processes must have
-read+execute permission to this directory or authentication attempts
-will fail. </p>
+<dt> (Cyrus SASL version 2.1.1)
+<dd>
+<pre>
+/usr/local/lib/sasl2/smtpd.conf:
+ pwcheck_method: pwcheck
+</pre>
+
+</dl>
+
+<p> The name of the file in /usr/local/lib/sasl (Cyrus SASL version
+1.5.5) or /usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by
+the SASL
+library for configuration can be set with: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ <a href="postconf.5.html#smtpd_sasl_path">smtpd_sasl_path</a> = smtpd (Postfix 2.3 and later)
+</pre>
+</blockquote>
<p> The pwcheck daemon is contained in the cyrus-sasl source tarball. </p>
+<p> IMPORTANT: postfix processes need to have group read+execute
+permission for the /var/pwcheck directory, otherwise authentication
+attempts will fail. </p>
+
+<li> <p> Alternately, in Cyrus SASL 1.5.26 and later (including
+2.1.1), try: </p>
+
+<dl>
+
<dt> (Cyrus SASL version 1.5.26)
<dd>
<pre>
pwcheck_method: saslauthd
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
- mech_list: PLAIN LOGIN
</pre>
</dl>
can authenticate against PAM and various other sources. To use PAM,
start saslauthd with "-a pam". </p>
-<p> IMPORTANT: saslauthd usually establishes a UNIX domain socket
-in /var/run/saslauthd and waits for authentication requests. Postfix
-processes must have read+execute permission to this directory or
-authentication attempts will fail. </p>
-
-<p> Note: The directory where saslauthd puts the socket is configurable.
-See the command-line option "-m /path/to/socket" in the saslauthd
---help listing. </p>
-
<li> <p> To authenticate against Cyrus SASL's own password database: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
/usr/local/lib/sasl/smtpd.conf:
- pwcheck_method: sasldb
+ pwcheck_method: sasldb
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sasldb
- mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
+ pwcheck_method: auxprop
</pre>
</dl>
<p> This will use the Cyrus SASL password file (default: /etc/sasldb in
-version 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained
+version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained
with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL
software). On some poorly-supported systems the saslpasswd command needs
to be run multiple times before it stops complaining. The Postfix SMTP
<p> EXAMPLE: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
% saslpasswd -c -u `postconf -h <a href="postconf.5.html#myhostname">myhostname</a>` exampleuser
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
% saslpasswd2 -c -u `postconf -h <a href="postconf.5.html#myhostname">myhostname</a>` exampleuser
</dl>
<p> You can find out SASL's idea about the realms of the users
-in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.x) or
-<i>sasldblistusers2</i> (Cyrus SASL version 2.1.x). </p>
+in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.5) or
+<i>sasldblistusers2</i> (Cyrus SASL version 2.1.1). </p>
<p> On the Postfix side, you can have only one realm per smtpd
instance, and only the users belonging to that realm would be able to
</ul>
-<p> IMPORTANT: The Cyrus SASL password verification services pwcheck
-and saslauthd can only support the plaintext mechanisms PLAIN or
-LOGIN. However, the Cyrus SASL library doesn't know this, and will
-happily advertise other authentication mechanisms that the SASL
-library implements, such as DIGEST-MD5. As a result, if an SMTP
-client chooses any mechanism other than PLAIN or LOGIN while pwcheck
-or saslauthd are used, authentication will fail. Thus you may need
-to limit the list of mechanisms advertised by Postfix. </p>
+<p> IMPORTANT: all users must be able to authenticate using ALL
+authentication mechanisms advertised by Postfix, otherwise the
+negotiation might end up with an unsupported mechanism, and
+authentication would fail. For example if you configure SASL to
+use <i>saslauthd</i> for authentication against PAM (pluggable
+authentication modules), only the PLAIN and LOGIN mechanisms are
+supported and stand a chance to succeed, yet the SASL library would also
+advertise other mechanisms, such as DIGEST-MD5. This happens because
+those mechanisms are made available by other plugins, and the SASL
+library have no way to know that your only valid authentication source
+is PAM. Thus you might need to limit the list of mechanisms advertised
+by Postfix. </p>
<ul>
library files from the SASL plug-in directory (and again whenever
the system is updated). </p>
-<li> <p> With Cyrus SASL version 2.1.x or later the mech_list variable
-can specify a list of authentication mechanisms that Cyrus SASL may
-offer: </p>
+<li> <p> With Cyrus SASL version 2.1.1 or later: </p>
<blockquote>
<pre>
<ul>
-<li> <p> With Cyrus SASL version 1.5.x your only choice is to
+<li> <p> With Cyrus SASL version 1.5.5 your only choice is to
delete the corresponding library files from the SASL plug-in
directory. </p>
-<li> <p> With SASL version 2.1.x: </p>
+<li> <p> With SASL version 2.1.1: </p>
<blockquote>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sql
+ pwcheck_method: auxprop
+ auxprop_plugin: sql
</pre>
</blockquote>
<h2><a name="debugging">Trouble shooting the SASL internals</a></h2>
<p> In the Cyrus SASL sources you'll find a subdirectory named
-"sample". Run make there, then create a symbolic link from sample.conf
-to smtpd.conf in your Cyrus SASL library directory /usr/local/lib/sasl2.
-"su" to the user <i>postfix</i> (or whatever your <i><a href="postconf.5.html#mail_owner">mail_owner</a></i>
-directive is set to): </p>
+"sample". Run make there, "su" to the user <i>postfix</i> (or
+whatever your <i><a href="postconf.5.html#mail_owner">mail_owner</a></i> directive is set to):
<blockquote>
<pre>
</blockquote>
<p> then run the resulting sample server and client in separate
-terminals. The sample applications send log messages to the syslog
-facility auth. Check the log to fix the problem or run strace /
-ktrace / truss on the server to see what makes it unhappy. Repeat
-the previous step until you can successfully authenticate with the
-sample client. Only then get back to Postfix. </p>
+terminals. Strace / ktrace / truss the server to see what makes
+it unhappy, and fix the problem. Repeat the previous step until
+you can successfully authenticate with the sample client. Only
+then get back to Postfix. </p>
<h2><a name="client_sasl">Enabling SASL authentication in the
Postfix SMTP client</a></h2>
</pre>
</blockquote>
-<p> The Postfix SASL client password file is opened before the SMTP
-server enters the optional chroot jail, so you can keep the file
-in /etc/postfix and set permissions read / write only for root to
-keep the username:password combinations away from other system
-users. </p>
-
<p> Postfix version 2.3 supports-per-sender SASL password
information. To search the Postfix SASL password by sender
before it searches by destination, specify: </p>
</pre>
</blockquote>
+<p> The Postfix SASL client password file is opened before the SMTP server
+enters the optional chroot jail, so you can keep the file in
+/etc/postfix. </p>
+
<p> Note: Some SMTP servers support authentication mechanisms that,
although available on the client system, may not in practice work or
possess the appropriate credentials to authenticate to the server. It
</blockquote>
<p> In the above example, Postfix will decline to use mechanisms
-that require special infrastructure such as Kerberos or TLS. </p>
+that require special infrastructure such as Kerberos. </p>
<p> The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
<li> The Dovecot SMTP server-only plug-in was originally implemented by
Timo Sirainen of Procontrol, Finland.
-<li> Patrick Ben Koetter revised this document for Postfix 2.4 and
-made much needed updates.
-
</ul>
</body>
<p> Policy delegation is now the preferred method for adding policies
to Postfix. It's much easier to develop a new feature in few lines
-of Perl, Python, Ruby, or TCL, than trying to do the same in C code.
-The difference in
+of Perl, than trying to do the same in C code. The difference in
performance will be unnoticeable except in the most demanding
environments. On active systems a policy daemon process is used
multiple times, for up to $<a href="postconf.5.html#max_use">max_use</a> incoming SMTP connections. </p>
These attributes are empty in case of no certificate authentication.
As of Postfix 2.2.11 these attribute values are encoded as
xtext: some characters are represented by +XX, where XX is the
- two-digit hexadecimal representation of the character value.
+ two-digit hecadecimal representation of the character value.
</p>
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
<li> <p> Re-inject the mail back into Postfix via SMTP, perhaps
after changing its content and/or destination. </p>
- <li> <p> Discard or quarantine the mail. </p>
-
<li> <p> Reject the mail by sending a suitable SMTP status code
back to Postfix. Postfix passes the status back to the remote
SMTP client. This way, Postfix does not have to send a bounce
This limit is not necessary if you receive all mail from a
trusted <a href="postconf.5.html#relayhost">relay host</a>. </p>
- <p> Note: this setting is available in Postfix version 2.2 and
- later. Earlier Postfix versions will ignore it. </p>
+ <p> Note: this setting is ignored by the stable Postfix 2.1
+ release. The feature will be available only in the experimental
+ release until Postfix 2.2. </p>
<li> <p> The "-o <a href="postconf.5.html#smtpd_proxy_filter">smtpd_proxy_filter</a>=127.0.0.1:10025" tells the
before filter SMTP server that it should give incoming mail to
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
- <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
+ <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>
</pre>
</blockquote>
is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
inside the optional chroot jail. </p>
-<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
+<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> is
a space/time tradeoff. If there are many trusted CAs, the cost of
preloading them all into memory may not pay off in reduced access time
when the certificate is needed. </p>
<pre>
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> = /etc/postfix/client-dsa.pem
- <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>
+ <a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> = $<a href="postconf.5.html#smtpd_tls_cert_file">smtpd_tls_cert_file</a>
</pre>
</blockquote>
is needed. Thus, the $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> directory needs to be accessible
inside the optional chroot jail. </p>
-<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> is
+<p> The choice between $<a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> and $<a href="postconf.5.html#smtpd_tls_CApath">smtpd_tls_CApath</a> is
a space/time tradeoff. If there are many trusted CAs, the cost of
preloading them all into memory may not pay off in reduced access time
when the certificate is needed. </p>
for TLS. </p>
<p> You can disable TLS for a subset of destinations, while leaving
-it enabled for the rest. With the Postfix 2.3
and later TLS <a
+it enabled for the rest. With the Postfix 2.3
+ TLS <a
href="#client_tls_policy">policy table</a>, specify the "none"
security level. With the obsolete <a href="#client_tls_obs">per-site</a>
table, specify the "NONE" keyword. </p>
be ignored with a warning written to the mail logs. </p>
<p> You can enable opportunistic TLS just for selected destinations. With
-the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy table</a>,
+the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy table</a>,
specify the "may" security level. With the obsolete <a
href="#client_tls_obs">per-site</a> table, specify the "MAY" keyword.</p>
TLS encryption as the default security level. </p>
<p> You can enable mandatory TLS encryption just for specific destinations.
-With the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy
+With the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy
table</a>, specify the "encrypt" security level. With the
obsolete <a href="#client_tls_obs">per-site</a> table, specify the
"MUST_NOPEERMATCH" keyword. While the obsolete approach still works
-with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later
+with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3+
should use the new TLS policy settings. </p>
<p> Examples: </p>
</blockquote>
<p> Postfix 2.2 syntax (no support for sub-domains without resorting to
-regexp tables). With Postfix 2.3
and later, do not use the obsolete <a
+regexp tables). With Postfix 2.3
+, do not use the obsolete <a
href="#client_tls_obs">per-site</a> table. </p>
<blockquote>
use the destination (for example, "[example.net]:587"), as the <a
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
or MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
</p>
<p> You can enable mandatory server certificate verification just
-for specific destinations. With the Postfix 2.3
and later TLS <a
+for specific destinations. With the Postfix 2.3
+ TLS <a
href="#client_tls_policy">policy table</a>, specify the "verify"
security level. With the obsolete <a href="#client_tls_obs">per-site</a>
table, specify the "MUST" keyword. While the obsolete approach
still works with Postfix 2.3, it is strongly discouraged: users of
-Postfix 2.3 and later should use the new TLS policy settings. </p>
+Postfix 2.3+ should use the new TLS policy settings. </p>
<p> Example: </p>
STARTTLS support. </p>
<p> You can enable secure TLS verification just for specific destinations.
-With the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy table</a>,
+With the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy table</a>,
specify the "secure" security level. With the obsolete
<a href="#client_tls_obs">per-site</a> table, specify the "MUST"
keyword and <a href="#client_tls_harden">harden</a> the certificate
verification against DNS forgery. While the obsolete approach still
-works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3
-and later
+works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3+
should use the new TLS policy settings. </p>
<p> Examples: </p>
</pre>
</blockquote>
-<p> Postfix 2.2.9 and later syntax: </p>
+<p> Postfix 2.2.9+ syntax: </p>
<p> <b>Note:</b> Avoid policy lookups with the bare hostname (for
example, "tls.example.com"). Instead, use the destination (for
example, "[tls.example.com]") as the <a
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
or MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
full destination nexthop (enclosed in [] with a possible ":port"
suffix) as the per-site table lookup key (a recipient domain or
MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
use of the obsolete approach documented here is strongly discouraged:
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
<p> For a general discussion of TLS security for SMTP see <a
href="#client_tls_limits">TLS limitations</a> above. What follows applies
only to Postfix 2.2.9 and subsequent Postfix 2.2 patch levels. Do
-not use this approach with Postfix 2.3
-and later; instead see the instructions under <a
+not use this approach with Postfix 2.3+; instead see the instructions under <a
href="#client_tls_secure">secure</a> server certificate verification. </p>
<p> As long as no secure DNS lookup mechanism is available, false
the DNS requests or replies. </p>
<li> <p> If the number of <a href="smtpd.8.html">smtpd(8)</a> processes has reached the process
-limit as specified in <a href="master.5.html">master.cf</a>, new SMTP clients must wait until
+limit as specified in master.cf, new SMTP clients must wait until
a process becomes available. Increase the number of processes if
memory permits. See the instructions given under "<a
href="#proc_limit">Tuning the number of Postfix processes</a>".
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
# Not needed with Postfix 2.1
<a href="postconf.5.html#smtpd_error_sleep_time">smtpd_error_sleep_time</a> = 0
</pre>
<h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
-<p> Note: these features use the Postfix <a href="anvil.8.html">anvil(8)</a> service, introduced
-with Postfix version 2.2. </p>
+<p> Note: this feature is not included with Postfix version 2.1. </p>
<p> The Postfix <a href="smtpd.8.html">smtpd(8)</a> server can limit the number of simultaneous
-connections from the same SMTP client, as well as the connection
-rate and the rate of certain SMTP commands from the same client.
+connections from the same SMTP client, as well as the number of
+connections that a client is allowed to make per unit time.
These statistics are maintained by the <a href="anvil.8.html">anvil(8)</a> server (translation:
if <a href="anvil.8.html">anvil(8)</a> breaks, then connection limits stop working). </p>
-<p> IMPORTANT: These limits must not be used to regulate legitimate
-traffic: mail will suffer grotesque delays if you do so. The limits
-are designed to protect the <a href="smtpd.8.html">smtpd(8)</a> server against abuse by
-out-of-control clients. </p>
+<p> IMPORTANT: These limits are designed to protect the <a href="smtpd.8.html">smtpd(8)</a> server
+against flagrant abuse. Do not use these limits to regulate legitimate
+traffic: mail will suffer grotesque delays if you do so. </p>
-<blockquote>
-
-<dl>
-
-<dt> <a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a> (default: 50) </dt> <dd>
-The maximum number of connections than an SMTP client may make
-simultaneously. </dd>
+<ul>
-<dt> <a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a> (default: no limit) </dt>
-<dd> The maximum number of connections that an SMTP client may make
-in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default:
-60s). </dd>
+<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_connection_count_limit">smtpd_client_connection_count_limit</a>
+simultaneous connections (default: 50). This is half the default
+process limit. </p>
-<dt> <a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a> (default: no limit) </dt> <dd>
-The maximum number of message delivery requests that an SMTP client
-may make in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a>
-(default: 60s). </dd>
+<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_message_rate_limit">smtpd_client_message_rate_limit</a>
+message delivery requests per unit time (default: no limit). </p>
-<dt> <a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a> (default: no limit) </dt>
-<dd> The maximum number of recipient addresses that an SMTP client
-may specify in the time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a>
-(default: 60s). </dd>
+<li> <p> An SMTP client may send up to $<a href="postconf.5.html#smtpd_client_recipient_rate_limit">smtpd_client_recipient_rate_limit</a>
+recipient addresses per unit time (default: no limit). </p>
-<dt> <a href="postconf.5.html#smtpd_client_new_tls_session_rate_limit">smtpd_client_new_tls_session_rate_limit</a> (default: no limit)
-</dt> <dd> The maximum number of new TLS sessions (without using
-the TLS session cache) that an SMTP client may negotiate in the
-time interval specified with <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> (default: 60s).
-</dd>
+<li> <p> An SMTP client may make up to $<a href="postconf.5.html#smtpd_client_connection_rate_limit">smtpd_client_connection_rate_limit</a>
+connections per unit time (default: no limit). </p>
-<dt> <a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> (default: $<a href="postconf.5.html#mynetworks">mynetworks</a>)
-</dt> <dd> SMTP clients that are excluded from connection and rate
-limits specified above. </dd>
+<li> <p> These limits are not applied to SMTP clients in the networks
+specified with $<a href="postconf.5.html#smtpd_client_event_limit_exceptions">smtpd_client_event_limit_exceptions</a> (default:
+clients in $<a href="postconf.5.html#mynetworks">mynetworks</a> may make an unlimited number of connections).
-</dl>
+<li> <p> The <a href="postconf.5.html#anvil_rate_time_unit">anvil_rate_time_unit</a> parameter specifies the time
+unit over which client connection rates are computed (default:
+60s).
-</blockquote>
+</ul>
<h2><a name="mailing_tips">General mail delivery performance tips</a></h2>
<li> <p> The <a href="postconf.5.html#default_destination_concurrency_limit">default_destination_concurrency_limit</a> parameter (default:
20) controls how many messages may be sent to the same destination
simultaneously. You can override this setting for specific message
-delivery transports by taking the name of the <a href="master.5.html">master.cf</a> entry
+delivery transports by taking the name of the master.cf entry
and appending "_destination_concurrency_limit". </p>
</ul>
to the same recipient: if the recipient has an expensive shell
command in her .forward file, or if the recipient is a mailing list
manager, you don't want to run too many instances of those processes
-at the same time. </p>
+the same time. </p>
<li> <p> The default <a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> of 20 seems
enough to noticeably load a system without bringing it to its knees.
more, but not all MX hosts are down. </p>
<p> If necessary, set a higher transport_destination_concurrency_limit
-(in <a href="postconf.5.html">main.cf</a> since this is a queue manager parameter) and a lower
-smtp_connection_timeout (with a "-o" override in <a href="master.5.html">master.cf</a> since
+(in main.cf since this is a queue manager parameter) and a lower
+smtp_connection_timeout (with a "-o" override in master.cf since
this parameter has no per-transport name) for the relay transport
and any transports dedicated for specific high volume destinations.
</p>
<dl>
-<dt> <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (default: 300 seconds; before Postfix 2.4:
-1000s) </dt> <dd> How often
+<dt> <a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (default: 1000 seconds) </dt> <dd> How often
the queue manager scans the queue for deferred mail. </dd>
-<dt> <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> (default: 300 seconds; before Postfix
-2.4: 1000s) </dt> <dd> The
+<dt> <a href="postconf.5.html#minimal_backoff_time">minimal_backoff_time</a> (default: 1000 seconds) </dt> <dd> The
minimal amount of time a message won't be looked at, and the minimal
amount of time to stay away from a "dead" destination. </dd>
always better than increasing the frequency of delivery attempts.
However, if you can control only the delivery attempt frequency,
consider using a dedicated <a href="postconf.5.html#fallback_relay">fallback_relay</a> "graveyard" machine for
-bad destinations, so that these destinations do not ruin the
-performance of normal
+bad destinations so that they do not ruin the performance of normal
mail deliveries. </p>
<h2><a name="proc_limit">Tuning the number of Postfix processes</a></h2>
little memory, as well as networks with low bandwidth. </p>
<p> You can change the global process limit by specifying a
-non-default <a href="postconf.5.html#default_process_limit">default_process_limit</a> in the <a href="postconf.5.html">main.cf</a> file. For example,
+non-default <a href="postconf.5.html#default_process_limit">default_process_limit</a> in the main.cf file. For example,
to run up to 10 smtp client processes, 10 smtp server processes,
and so on: </p>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#default_process_limit">default_process_limit</a> = 10
</pre>
</blockquote>
<p> You need to execute "postfix reload" to make the change effective.
The limits are enforced by the Postfix <a href="master.8.html">master(8)</a> daemon which does
-not automatically read <a href="postconf.5.html">main.cf</a> when it changes. </p>
+not automatically read main.cf when it changes. </p>
<p> You can override the process limit for specific Postfix daemons
-by editing the <a href="master.5.html">master.cf</a> file. For example, if you do not wish to
+by editing the master.cf file. For example, if you do not wish to
receive 100 SMTP messages at the same time, but do not want to
change the process limits for local mail deliveries, you could
specify: </p>
<blockquote>
<pre>
-/etc/postfix/<a href="master.5.html">master.cf</a>:
+/etc/postfix/master.cf:
# ====================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
<ul>
-<li> <p> Depending on your Postfix and operating system versions
-you may need to recompile Postfix if you need more than 1024 file
-descriptors per process: </p>
-
-<ul> <li> <p> No recompilation is needed for Postfix version 2.4
-and later, when it was compiled for systems that support BSD kqueue(2)
-(FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or
-Linux 2.6 epoll(4). </p>
-
-<li> <p> Otherwise, Postfix needs to be recompiled to override the
-default FD_SETSIZE value. </p>
-
-</ul>
-
<li> <p> Reduce the number of processes as described under "<a
href="#proc_limit">Tuning the number of Postfix processes</a>" above.
Fewer processes need fewer open files and sockets. </p>
<ul>
<li> <p> Some FreeBSD kernel parameters can be specified in
-/boot/loader.conf, and some can be specified in /etc/sysctl.conf
-or changed with sysctl commands.
+/boot/loader.conf, and some can be changed with sysctl commands.
Which is which depends on the version.
</p>
</pre>
<li> <p> Linux kernel parameters can be specified in /etc/sysctl.conf
-or changed with sysctl commands: </p>
+and can also be changed with sysctl commands: </p>
<pre>
fs.file-max=16384
<li> <p> Solaris kernel parameters can be specified in /etc/system,
as described in the <a
-href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.48">Solaris
+href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.46">Solaris
FAQ</a> entry titled "How can I increase the number of file
descriptors per process?" </p>
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix and Ultrix </title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix and Ultrix </h1>
+
+<hr>
+
+<h2> Postfix on Ultrix </h2>
+
+<p> This document is probably only of historical value, because
+Ultrix version 4 dates from the early 1990s. However, as long as
+Wietse keeps Postfix alive for SunOS 4, it is likely to run on
+Ultrix 4 with very little change. Feedback is welcome if anyone
+actually still uses Postfix on any version of Ultrix. </p>
+
+<p> The source of this document is an email message by Christian von Roques
+that was sent on Jun 2, 1999. </p>
+
+<blockquote>
+
+<p> I've upgraded the MTA of our DECstation-3100 running Ultrix4.3a to
+postfix-19990317-pl05 and am sending you the patches I needed to get
+it running under Ultrix. </p>
+
+<p> . . . </p>
+
+<p> One of the bugs of Ultrix's /bin/sh is that shell-variables
+set in arguments of `:' expand to garbage if expanded in here-documents.
+Using a different shell helps. I needed to replace all calls of
+``sh .../makedefs'' by ``$(SHELL) .../makedefs'' in all the
+Makefile.in and am now able to use ``make SHELL=/bin/sh5'' or zsh.
+
+<p> . . . </p>
+
+<p> Ultrix's FD_SET_SIZE is 4096, but getdtablesize()
+returns 64 by default, if not increased when building a new
+kernel. getrlimit() doesn't know RLIMIT_NOFILE. This makes
+event_init() always log the warning: `could allocate space for
+only 64 open files'. </p>
+
+<p> I just reduced the threshold from 256 to 64, but this is not good.
+The initial problem still remains: How to disable this warning on
+Ultrix without making the source ugly? </p>
+
+</blockquote>
+
+<p> To work around the first problem, all the Makefile.in files
+have been updated to use `$(SHELL)' instead of `sh'. So you only
+need to supply a non-default shell in order to eliminate Ultrix
+shell trouble. </p>
+
+<p> To work around the latter, util/sys_defs.h was updated for
+Ultrix, with a default FD_SETSIZE of 100. This should be sufficient
+for a workstation. Even in 1999, no-one would run a major mail hub
+on Ultrix 4. </p>
+
+</body>
+
+</html>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#mydestination">mydestination</a> = $<a href="postconf.5.html#myhostname">myhostname</a> localhost.$<a href="postconf.5.html#mydomain">mydomain</a> ... example.com
</pre>
</blockquote>
<blockquote>
<pre>
- 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ 1 /etc/postfix/main.cf:
2 <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> = example.com ...other <a href="VIRTUAL_README.html#canonical">hosted domains</a>...
3 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
4
- 5 /etc/postfix/<a href="virtual.8.html">virtual</a>:
+ 5 /etc/postfix/virtual:
6 postmaster@example.com postmaster
7 info@example.com joe
8 sales@example.com jane
<p>Execute the command "<b>postmap /etc/postfix/virtual</b>" after
changing the virtual file, and execute the command "<b>postfix
-reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
+reload</b>" after changing the main.cf file. </p>
<p> Note: virtual aliases can resolve to a local address or to a
remote address, or both. They don't have to resolve to UNIX system
<blockquote>
<pre>
- 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ 1 /etc/postfix/main.cf:
2 <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = example.com ...more domains...
3 <a href="postconf.5.html#virtual_mailbox_base">virtual_mailbox_base</a> = /var/mail/vhosts
4 <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> = hash:/etc/postfix/vmailbox
14 # @example.com example.com/catchall
15 ...virtual mailboxes for more domains...
16
-17 /etc/postfix/<a href="virtual.8.html">virtual</a>:
+17 /etc/postfix/virtual:
18 postmaster@example.com postmaster
</pre>
</blockquote>
You can use the same mechanism to redirect an address to a remote
address. </p>
-<li> <p> Line 18: This example assumes that in
<a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a>
+<li> <p> Line 18: This example assumes that in
main.cf, $<a href="postconf.5.html#myorigin">myorigin</a>
is listed under the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting. If that is
not the case, specify an explicit domain name on the right-hand
side of the virtual alias table entries or else mail will go to
<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
after changing the vmailbox file, and execute the command "<b>postfix
-reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
+reload</b>" after changing the main.cf file. </p>
<p> Note: mail delivery happens with the recipient's UID/GID
privileges specified with <a href="postconf.5.html#virtual_uid_maps">virtual_uid_maps</a> and <a href="postconf.5.html#virtual_gid_maps">virtual_gid_maps</a>.
<blockquote>
<pre>
- 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ 1 /etc/postfix/main.cf:
2 <a href="postconf.5.html#virtual_transport">virtual_transport</a> = ...see below...
3 <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> = example.com ...more domains...
4 <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> = hash:/etc/postfix/vmailbox
12 # @example.com whatever
13 ...virtual mailboxes for more domains...
14
-15 /etc/postfix/<a href="virtual.8.html">virtual</a>:
+15 /etc/postfix/virtual:
16 postmaster@example.com postmaster
</pre>
</blockquote>
<li> <p> Line 2: With delivery to a non-Postfix mailbox store for
<a href="VIRTUAL_README.html#canonical">hosted domains</a>, the <a href="postconf.5.html#virtual_transport">virtual_transport</a> parameter usually specifies
-the Postfix LMTP client, or the name of a <a href="master.5.html">master.cf</a> entry that
+the Postfix LMTP client, or the name of a master.cf entry that
executes non-Postfix software via the pipe delivery agent. Typical
examples (use only one): </p>
<p> Postfix comes ready with support for LMTP. And an example
maildrop delivery method is already defined in the default Postfix
-
<a href="master.5.html">master.cf</a> file. See the <a href="MAILDROP_README.html">MAILDROP_README</a> document for more details.
+
master.cf file. See the <a href="MAILDROP_README.html">MAILDROP_README</a> document for more details.
</p>
<li> <p> Line 3: The <a href="postconf.5.html#virtual_mailbox_domains">virtual_mailbox_domains</a> setting tells Postfix
<li> <p> Lines 4, 7-13: The <a href="postconf.5.html#virtual_mailbox_maps">virtual_mailbox_maps</a> parameter specifies
the lookup table with all valid recipient addresses. The lookup
-result value is ignored by Postfix. In the above example,
-info@example.com
-and sales@example.com are listed as valid addresses; other mail for
-example.com is rejected with "User unknown" by the Postfix SMTP
-server. It's left up to the non-Postfix delivery agent to reject
-non-existent recipients from local submission or from local alias
-expansion. If you intend to
+result is ignored by Postfix. In the above example, info@example.com
+and sales@example.com are listed as valid addresses, and mail for
+anything else is rejected with "User unknown". If you intend to
use LDAP, MySQL or PgSQL instead of local files, be sure to review
the <a href="#local_vs_database"> "local files versus databases"</a>
section at the top of this document! </p>
postmaster. You can use the same mechanism to redirect any addresses
to a local or remote address. </p>
-<li> <p> Line 16: This example assumes that in
<a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a>
+<li> <p> Line 16: This example assumes that in
main.cf, $<a href="postconf.5.html#myorigin">myorigin</a>
is listed under the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting. If that is
not the case, specify an explicit domain name on the right-hand
side of the virtual alias table entries or else mail will go to
<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
changing the virtual file, execute "<b>postmap /etc/postfix/vmailbox</b>"
after changing the vmailbox file, and execute the command "<b>postfix
-reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
+reload</b>" after changing the main.cf file. </p>
<h2><a name="forwarding">Mail forwarding domains</a></h2>
<blockquote>
<pre>
- 1 /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ 1 /etc/postfix/main.cf:
2 <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a> = example.com ...other <a href="VIRTUAL_README.html#canonical">hosted domains</a>...
3 <a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
4
- 5 /etc/postfix/<a href="virtual.8.html">virtual</a>:
+ 5 /etc/postfix/virtual:
6 postmaster@example.com postmaster
7 joe@example.com joe@somewhere
8 jane@example.com jane@somewhere-else
<p> Execute the command "<b>postmap /etc/postfix/virtual</b>" after
changing the virtual file, and execute the command "<b>postfix
-reload</b>" after changing the <a href="postconf.5.html">main.cf</a> file. </p>
+reload</b>" after changing the main.cf file. </p>
<p> More details about the virtual alias file are given in the
<a href="virtual.5.html">virtual(5)</a> manual page, including multiple addresses on the right-hand
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
-/etc/postfix/<a href="virtual.8.html">virtual</a>:
+/etc/postfix/virtual:
listname-request@example.com listname-request
listname@example.com listname
owner-listname@example.com owner-listname
</pre>
</blockquote>
-<p> This example assumes that in
<a href="postconf.5.html">main.cf</a>, $<a href="postconf.5.html#myorigin">myorigin</a> is listed under
+<p> This example assumes that in
main.cf, $<a href="postconf.5.html#myorigin">myorigin</a> is listed under
the <a href="postconf.5.html#mydestination">mydestination</a> parameter setting. If that is not the case,
specify an explicit domain name on the right-hand side of the
virtual alias table entries or else mail will go to the wrong
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
-/etc/postfix/<a href="virtual.8.html">virtual</a>:
+/etc/postfix/virtual:
user@domain.tld user@domain.tld, user@domain.tld@autoreply.<a href="postconf.5.html#mydomain">mydomain</a>.tld
</pre>
</blockquote>
<blockquote>
<pre>
-/etc/postfix/<a href="postconf.5.html">main.cf</a>:
+/etc/postfix/main.cf:
<a href="postconf.5.html#transport_maps">transport_maps</a> = hash:/etc/postfix/transport
/etc/postfix/transport:
autoreply.<a href="postconf.5.html#mydomain">mydomain</a>.tld autoreply:
-/etc/postfix/<a href="master.5.html">master.cf</a>:
+/etc/postfix/master.cf:
# =============================================================
# service type private unpriv chroot wakeup maxproc command
# (yes) (yes) (yes) (never) (100)
the user@domain.tld recipient address on the command line. </p>
<p> For more information, see the <a href="pipe.8.html">pipe(8)</a> manual page, and the
-comments in the Postfix <a href="master.5.html">master.cf</a> file. </p>
+comments in the Postfix master.cf file. </p>
</body>
ACCESS(5) ACCESS(5)
<b>NAME</b>
- access - Postfix SMTP server access table
+ access - Postfix access table format
<b>SYNOPSIS</b>
<b>postmap /etc/postfix/access</b>
<b>postmap -q - /etc/postfix/access</b> <<i>inputfile</i>
<b>DESCRIPTION</b>
- This document describes access control on remote SMTP
- client information: host names, network addresses, and
- envelope sender or recipient addresses; it is implemented
- by the Postfix SMTP server. See <b><a href="postconf.5.html#header_checks">header_checks</a></b>(5) or
- <b><a href="postconf.5.html#body_checks">body_checks</a></b>(5) for access control on the content of email
- messages.
-
- Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
- that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
- result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
- fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/access</b>" to rebuild an indexed file
- after changing the corresponding text file.
-
- When the table is provided via other means such as NIS,
- LDAP or SQL, the same lookups are done as for ordinary
+ The optional <a href="access.5.html"><b>access</b>(5)</a> table directs the Postfix SMTP
+ server to selectively reject or accept mail. Access can be
+ allowed or denied for specific host names, domain names,
+ networks, host addresses or mail addresses.
+
+ For an example, see the EXAMPLE section at the end of this
+ manual page.
+
+ Normally, the <a href="access.5.html"><b>access</b>(5)</a> table is specified as a text file
+ that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
+ result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
+ fast searching by the mail system. Execute the command
+ "<b>postmap /etc/postfix/access</b>" in order to rebuild the
+ indexed file after changing the access table.
+
+ When the table is provided via other means such as NIS,
+ LDAP or SQL, the same lookups are done as for ordinary
indexed files.
- Alternatively, the table can be provided as a regular-
+ Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
- sions, or lookups can be directed to TCP-based server. In
- those cases, the lookups are done in a slightly different
- way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ sions, or lookups can be directed to TCP-based server. In
+ that case, the lookups are done in a slightly different
+ way as described below under "REGULAR EXPRESSION TABLES"
+ and "TCP-BASED TABLES".
<b>CASE FOLDING</b>
- The search string is folded to lowercase before database
- lookup. As of Postfix 2.3, the search string is not case
- folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
+ The search string is folded to lowercase before database
+ lookup. As of Postfix 2.3, the search string is not case
+ folded with database types such as <a href="regexp_table.5.html">regexp</a>: or <a href="pcre_table.5.html">pcre</a>: whose
lookup fields can match both upper and lower case.
<b>TABLE FORMAT</b>
address, perform the corresponding <i>action</i>.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A logical line starts with non-whitespace text. A
- line that starts with whitespace continues a logi-
+ A logical line starts with non-whitespace text. A
+ line that starts with whitespace continues a logi-
cal line.
<b>EMAIL ADDRESS PATTERNS</b>
With lookups from indexed files such as DB or DBM, or from
- networked tables such as NIS, LDAP or SQL, patterns are
+ networked tables such as NIS, LDAP or SQL, patterns are
tried in the order as listed below:
<i>user</i>@<i>domain</i>
Matches the specified mail address.
<i>domain.tld</i>
- Matches <i>domain.tld</i> as the domain part of an email
+ Matches <i>domain.tld</i> as the domain part of an email
address.
The pattern <i>domain.tld</i> also matches subdomains, but
only when the string <b>smtpd_access_maps</b> is listed in
- the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
- figuration setting (note that this is the default
- for some versions of Postfix). Otherwise, specify
- <i>.domain.tld</i> (note the initial dot) in order to
+ the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
+ figuration setting (note that this is the default
+ for some versions of Postfix). Otherwise, specify
+ <i>.domain.tld</i> (note the initial dot) in order to
match subdomains.
- <i>user</i>@ Matches all mail addresses with the specified user
+ <i>user</i>@ Matches all mail addresses with the specified user
part.
- Note: lookup of the null sender address is not possible
- with some types of lookup table. By default, Postfix uses
- <> as the lookup key for such addresses. The value is
- specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
+ Note: lookup of the null sender address is not possible
+ with some types of lookup table. By default, Postfix uses
+ <> as the lookup key for such addresses. The value is
+ specified with the <b><a href="postconf.5.html#smtpd_null_access_lookup_key">smtpd_null_access_lookup_key</a></b> parameter
in the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file.
<b>EMAIL ADDRESS EXTENSION</b>
When a mail address localpart contains the optional recip-
- ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
- becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
+ ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
+ becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>domain</i>, <i>user+foo</i>@,
and <i>user</i>@.
<b>HOST NAME/ADDRESS PATTERNS</b>
With lookups from indexed files such as DB or DBM, or from
- networked tables such as NIS, LDAP or SQL, the following
+ networked tables such as NIS, LDAP or SQL, the following
lookup patterns are examined in the order as listed:
<i>domain.tld</i>
The pattern <i>domain.tld</i> also matches subdomains, but
only when the string <b>smtpd_access_maps</b> is listed in
- the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
+ the Postfix <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a></b> con-
figuration setting. Otherwise, specify <i>.domain.tld</i>
- (note the initial dot) in order to match subdo-
+ (note the initial dot) in order to match subdo-
mains.
<i>net.work.addr.ess</i>
<i>net.work</i>
- <i>net</i> Matches the specified IPv4 host address or subnet-
- work. An IPv4 host address is a sequence of four
+ <i>net</i> Matches the specified IPv4 host address or subnet-
+ work. An IPv4 host address is a sequence of four
decimal octets separated by ".".
- Subnetworks are matched by repeatedly truncating
+ Subnetworks are matched by repeatedly truncating
the last ".octet" from the remote IPv4 host address
- string until a match is found in the access table,
+ string until a match is found in the access table,
or until further truncation is not possible.
- NOTE 1: The access map lookup key must be in canon-
- ical form: do not specify unnecessary null charac-
- ters, and do not enclose network address informa-
- tion with "[]" characters.
+ NOTE 1: The information in the access map should be
+ in canonical form, with unnecessary null characters
+ eliminated. Address information must not be
+ enclosed with "[]" characters.
- NOTE 2: use the <b>cidr</b> lookup table type to specify
+ NOTE 2: use the <b>cidr</b> lookup table type to specify
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
details.
<i>net:work</i>
- <i>net</i> Matches the specified IPv6 host address or subnet-
- work. An IPv6 host address is a sequence of three
- to eight hexadecimal octet pairs separated by ":".
+ <i>net</i> Matches the specified IPv6 host address or subnet-
+ work. An IPv6 host address is a sequence of three
+ to eight hexadecimal octet pairs separated by ":".
- Subnetworks are matched by repeatedly truncating
- the last ":octetpair" from the remote IPv6 host
+ Subnetworks are matched by repeatedly truncating
+ the last ":octetpair" from the remote IPv6 host
address string until a match is found in the access
table, or until further truncation is not possible.
the string representation of the IPv6 host address.
Thus, not all the ":" subnetworks will be tried.
- NOTE 2: The access map lookup key must be in canon-
- ical form: do not specify unnecessary null charac-
- ters, and do not enclose network address informa-
- tion with "[]" characters.
+ NOTE 2: The information in the access map should be
+ in canonical form, with unnecessary null characters
+ eliminated. Address information must not be
+ enclosed with "[]" characters.
- NOTE 3: use the <b>cidr</b> lookup table type to specify
+ NOTE 3: use the <b>cidr</b> lookup table type to specify
network/netmask patterns. See <a href="cidr_table.5.html"><b>cidr_table</b>(5)</a> for
details.
<i>all-numerical</i>
An all-numerical result is treated as OK. This for-
- mat is generated by address-based relay authoriza-
+ mat is generated by address-based relay authoriza-
tion schemes such as pop-before-smtp.
<b>REJECT ACTIONS</b>
- Postfix version 2.3 and later support enhanced status
- codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
- at the beginning of the <i>text</i> below, Postfix inserts a
- default enhanced status code of "5.7.1" in the case of
- reject actions, and "4.7.1" in the case of defer actions.
+ Postfix version 2.3 and later support enhanced status
+ codes as defined in <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a>. When no code is specified
+ at the beginning of the <i>text</i> below, Postfix inserts a
+ default enhanced status code of "5.7.1" in the case of
+ reject actions, and "4.7.1" in the case of defer actions.
See "ENHANCED STATUS CODES" below.
<b>4</b><i>NN text</i>
<b>5</b><i>NN text</i>
- Reject the address etc. that matches the pattern,
+ Reject the address etc. that matches the pattern,
and respond with the numerical three-digit code and
- text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
+ text. <b>4</b><i>NN</i> means "try again later", while <b>5</b><i>NN</i> means
"do not try again".
- The reply code "421" causes Postfix to disconnect
+ The reply code "421" causes Postfix to disconnect
immediately (Postfix version 2.3 and later).
<b>REJECT</b> <i>optional text...</i>
- Reject the address etc. that matches the pattern.
- Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
- optional text is specified, otherwise reply with a
+ Reject the address etc. that matches the pattern.
+ Reply with <i>$reject</i><b>_</b><i>code optional text...</i> when the
+ optional text is specified, otherwise reply with a
generic error response message.
<b>DEFER_IF_REJECT</b> <i>optional text...</i>
- Defer the request if some later restriction would
- result in a REJECT action. Reply with "<b>450 4.7.1</b>
- <i>optional text...</i> when the optional text is speci-
- fied, otherwise reply with a generic error response
- message.
+ Defer the request if some later restriction would
+ result in a REJECT action. Reply with "<b>450</b> <i>optional</i>
+ <i>text...</i> when the optional text is specified, other-
+ wise reply with a generic error response message.
This feature is available in Postfix 2.1 and later.
<b>DEFER_IF_PERMIT</b> <i>optional text...</i>
Defer the request if some later restriction would
result in a an explicit or implicit PERMIT action.
- Reply with "<b>450 4.7.1</b> <i>optional text...</i> when the
- optional text is specified, otherwise reply with a
- generic error response message.
+ Reply with "<b>450</b> <i>optional text...</i> when the optional
+ text is specified, otherwise reply with a generic
+ error response message.
This feature is available in Postfix 2.1 and later.
about external content filters is in the Postfix
<a href="FILTER_README.html">FILTER_README</a> file.
- Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
- ting, and currently affects all recipients of the
- message.
+ Note: this action overrides the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#content_filter">con</a>-</b>
+ <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and currently affects all
+ recipients of the message.
This feature is available in Postfix 2.0 and later.
Note: use "<b>postsuper -r</b>" to release mail that was
kept on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
- longer. Use "<b>postsuper -H</b>" only for mail that will
- not expire within a few delivery attempts.
+ longer.
- Note: this action currently affects all recipients
+ Note: this action currently affects all recipients
of the message.
This feature is available in Postfix 2.0 and later.
<b>PREPEND</b> <i>headername: headervalue</i>
- Prepend the specified message header to the mes-
- sage. When more than one PREPEND action executes,
- the first prepended header appears before the sec-
- ond etc. prepended header.
+ Prepend the specified message header to the mes-
+ sage. When this action is used multiple times, the
+ first prepended header appears before the second
+ etc. prepended header.
+
+ Note: this action does not support multi-line mes-
+ sage headers.
- Note: this action must execute before the message
- content is received; it cannot execute in the con-
-
text of <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
+ Note: this action must be used before the message
+ content is received; it cannot be used in
+ <b><a href="postconf.5.html#smtpd_end_of_data_restrictions">smtpd_end_of_data_restrictions</a></b>.
This feature is available in Postfix 2.1 and later.
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire
When the command fails, a limited amount of command
output is mailed back to the sender. The file
<b>/usr/include/sysexits.h</b> defines the expected exit
- status codes. For example, use <b>"|exit 67"</b> to simu-
- late a "user unknown" error, and <b>"|exit 0"</b> to
+ status codes. For example, use <b>|"exit 67"</b> to simu-
+ late a "user unknown" error, and <b>|"exit 0"</b> to
implement an expensive black hole.
<b>:include:</b><i>/file/name</i>
In this preliminary implementation, a count (or rate) lim-
ited server can have only one remote client at a time. If
- a server reports multiple simultaneous clients, state is
- kept only for the last reported client.
+ a server reports multiple simultaneous clients, all but
+ the last reported client are ignored.
The <a href="anvil.8.html"><b>anvil</b>(8)</a> server automatically discards client request
information after it expires. To prevent the <a href="anvil.8.html"><b>anvil</b>(8)</a>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
<a href="TUNING_README.html">TUNING_README</a>, performance tuning
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
bounce template formats.
<b>GENERAL PROCEDURE</b>
- To create a customized bounce template file, create a tem-
- porary copy of the file <b>/etc/postfix/bounce.cf.default</b> and
+ To create customized bounce template file, create a tempo-
+ rary copy of the file <b>/etc/postfix/bounce.cf.default</b> and
edit the temporary file.
To preview the results of $<i>name</i> expansions in the template
<b>o</b> Append a recipient (non-)delivery status record to
a per-message log file.
- <b>o</b> Enqueue a delivery status notification message,
- with a copy of a per-message log file and of the
- corresponding message. When the delivery status
- notification message is enqueued successfully, the
- per-message log file is deleted.
+ <b>o</b> Enqueue a bounce message, with a copy of a per-mes-
+ sage log file and of the corresponding message.
+ When the bounce message is enqueued successfully,
+ the per-message log file is deleted.
The software does a best notification effort. A non-deliv-
- ery notification is sent even when the log file or the
+ ery notification is sent even when the log file or the
original message cannot be read.
- Optionally, a bounce (defer, trace) client can request
- that the per-message log file be deleted when the
- requested operation fails. This is used by clients that
- cannot retry transactions by themselves, and that depend
+ Optionally, a bounce (defer, trace) client can request
+ that the per-message log file be deleted when the
+ requested operation fails. This is used by clients that
+ cannot retry transactions by themselves, and that depend
on retry logic in their own client.
<b>STANDARDS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
<b>CONFIGURATION PARAMETERS</b>
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
+ Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
<a href="bounce.8.html"><b>bounce</b>(8)</a> processes run for only a limited amount of time.
Use the command "<b>postfix reload</b>" to speed up a change.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
<b><a href="postconf.5.html#2bounce_notice_recipient">2bounce_notice_recipient</a> (postmaster)</b>
- The recipient of undeliverable mail that cannot be
+ The recipient of undeliverable mail that cannot be
returned to the sender.
<b><a href="postconf.5.html#backwards_bounce_logfile_compatibility">backwards_bounce_logfile_compatibility</a> (yes)</b>
- Produce additional <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile records that
+ Produce additional <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile records that
can be read by Postfix versions before 2.0.
<b><a href="postconf.5.html#bounce_notice_recipient">bounce_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
+ The recipient of postmaster notifications with the
message headers of mail that Postfix did not
- deliver and of SMTP conversation transcripts of
+ deliver and of SMTP conversation transcripts of
mail that Postfix did not receive.
<b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
sent in a non-delivery notification.
<b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
- Pathname of a configuration file with bounce mes-
+ Pathname of a configuration file with bounce mes-
sage templates.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
+ How much time a Postfix daemon process may take to
+ handle a request before it is terminated by a
built-in watchdog timer.
<b><a href="postconf.5.html#delay_notice_recipient">delay_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
- message headers of mail that cannot be delivered
+ The recipient of postmaster notifications with the
+ message headers of mail that cannot be delivered
within $<a href="postconf.5.html#delay_warning_time">delay_warning_time</a> time units.
<b><a href="postconf.5.html#deliver_lock_attempts">deliver_lock_attempts</a> (20)</b>
sive lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
<b><a href="postconf.5.html#deliver_lock_delay">deliver_lock_delay</a> (1s)</b>
- The time between attempts to acquire an exclusive
+ The time between attempts to acquire an exclusive
lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
<b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
over an internal communication channel.
<b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
+ What categories of Postfix-generated mail are sub-
+ ject to before-queue content inspection by
<a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
<b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
bounced mail.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ The maximum amount of time that an idle Postfix
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
The list of error classes that are reported to the
file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/canonical</b>" to rebuild an indexed
- file after changing the corresponding text file.
+ "<b>postmap /etc/postfix/canonical</b>" in order to rebuild the
+ indexed file after changing the text file.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
- those cases, the lookups are done in a slightly different
+ that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ and "TCP-BASED TABLES".
By default the <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping affects both message
header addresses (i.e. addresses that appear inside mes-
addresses produced by legacy mail systems.
The <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping is not to be confused with <i>vir-</i>
- <i>tual alias</i> support or with local aliasing. To change the
- destination but not the headers, use the <a href="virtual.5.html"><b>virtual</b>(5)</a> or
- <a href="aliases.5.html"><b>aliases</b>(5)</a> map instead.
+ <i>tual domain</i> support. Use the <a href="virtual.5.html"><b>virtual</b>(5)</a> map for that pur-
+ pose.
+
+ The <a href="canonical.5.html"><b>canonical</b>(5)</a> mapping is not to be confused with local
+ aliasing. Use the <a href="aliases.5.html"><b>aliases</b>(5)</a> map for that purpose.
<b>CASE FOLDING</b>
The search string is folded to lowercase before database
Replace other addresses in <i>domain</i> by <i>address</i>. This
form has the lowest precedence.
- Note: @<i>domain</i> is a wild-card. When this form is
- applied to recipient addresses, the Postfix SMTP
- server accepts mail for any recipient in <i>domain</i>,
- regardless of whether that recipient exists. This
- may turn your mail system into a backscatter source
- that returns undeliverable spam to innocent people.
-
<b>RESULT ADDRESS REWRITING</b>
The lookup result is subject to address rewriting:
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
The Postfix mail system uses optional lookup tables.
These tables are usually in <b>dbm</b> or <b>db</b> format. Alterna-
tively, lookup tables can be specified in CIDR (Classless
- Inter-Domain Routing) form. In this case, each input is
- compared against a list of patterns. When a match is
- found, the corresponding result is returned and the search
- is terminated.
+ Inter-Domain Routing) form.
- To find out what types of lookup tables your Postfix sys-
+ To find out what types of lookup tables your Postfix sys-
tem supports use the "<b>postconf -m</b>" command.
- To test lookup tables, use the "<b>postmap -q</b>" command as
+ To test lookup tables, use the "<b>postmap -q</b>" command as
described in the SYNOPSIS above.
<b>TABLE FORMAT</b>
The general form of a Postfix CIDR table is:
<i>network</i><b>_</b><i>address</i><b>/</b><i>network</i><b>_</b><i>mask result</i>
- When a search string matches the specified network
- block, use the corresponding <i>result</i> value. Specify
- 0.0.0.0/0 to match every IPv4 address, and ::/0 to
+ When a search string matches the specified network
+ block, use the corresponding <i>result</i> value. Specify
+ 0.0.0.0/0 to match every IPv4 address, and ::/0 to
match every IPv6 address.
An IPv4 network address is a sequence of four deci-
- mal octets separated by ".", and an IPv6 network
+ mal octets separated by ".", and an IPv6 network
address is a sequence of three to eight hexadecimal
octet pairs separated by ":".
- Before comparisons are made, lookup keys and table
+ Before comparisons are made, lookup keys and table
entries are converted from string to binary. There-
- fore table entries will be matched regardless of
+ fore table entries will be matched regardless of
redundant zero characters.
- Note: address information may be enclosed inside
- "[]" but this form is not required.
+ Note: address information may be enclosed inside
+ "[]" but this form is not recommended.
IPv6 support is available in Postfix 2.2 and later.
<i>network</i><b>_</b><i>address result</i>
- When a search string matches the specified network
+ When a search string matches the specified network
address, use the corresponding <i>result</i> value.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A logical line starts with non-whitespace text. A
- line that starts with whitespace continues a logi-
+ A logical line starts with non-whitespace text. A
+ line that starts with whitespace continues a logi-
cal line.
<b>TABLE SEARCH ORDER</b>
- Patterns are applied in the order as specified in the ta-
- ble, until a pattern is found that matches the search
+ Patterns are applied in the order as specified in the ta-
+ ble, until a pattern is found that matches the search
string.
<b>EXAMPLE SMTPD ACCESS MAP</b>
- /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ /etc/postfix/main.cf:
<a href="postconf.5.html#smtpd_client_restrictions">smtpd_client_restrictions</a> = ... <a href="cidr_table.5.html">cidr</a>:/etc/postfix/client.cidr ...
/etc/postfix/client.<a href="cidr_table.5.html">cidr</a>:
<b>AUTHOR(S)</b>
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
+ kadlec@blackhole.kfki.hu
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
- come from, and that locally posted mail is deliv-
+ come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#soft_bounce">soft_bounce</a> (no)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.1 and later:
<b><a href="postconf.5.html#enable_original_recipient">enable_original_recipient</a> (yes)</b>
- Enable support for the X-Original-To message
+ Enable support for the X-Original-To message
header.
<b>FILES</b>
<a href="CONTENT_INSPECTION_README.html">CONTENT_INSPECTION_README</a> content inspection
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Postfix manual - bounce(8) </title>
-</head> <body> <pre>
-BOUNCE(8) BOUNCE(8)
-
-<b>NAME</b>
- bounce - Postfix delivery status reports
-
-<b>SYNOPSIS</b>
- <b>bounce</b> [generic Postfix daemon options]
-
-<b>DESCRIPTION</b>
- The <a href="bounce.8.html"><b>bounce</b>(8)</a> daemon maintains per-message log files with
- delivery status information. Each log file is named after
- the queue file that it corresponds to, and is kept in a
- queue subdirectory named after the service name in the
- <a href="master.5.html"><b>master.cf</b></a> file (either <b>bounce</b>, <b>defer</b> or <b>trace</b>). This pro-
- gram expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
-
- The <a href="bounce.8.html"><b>bounce</b>(8)</a> daemon processes two types of service
- requests:
-
- <b>o</b> Append a recipient (non-)delivery status record to
- a per-message log file.
-
- <b>o</b> Enqueue a delivery status notification message,
- with a copy of a per-message log file and of the
- corresponding message. When the delivery status
- notification message is enqueued successfully, the
- per-message log file is deleted.
-
- The software does a best notification effort. A non-deliv-
- ery notification is sent even when the log file or the
- original message cannot be read.
-
- Optionally, a bounce (defer, trace) client can request
- that the per-message log file be deleted when the
- requested operation fails. This is used by clients that
- cannot retry transactions by themselves, and that depend
- on retry logic in their own client.
-
-<b>STANDARDS</b>
- <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://www.faqs.org/rfcs/rfc2822.html">RFC 2822</a> (ARPA Internet Text Messages)
- <a href="http://www.faqs.org/rfcs/rfc3462.html">RFC 3462</a> (Delivery Status Notifications)
- <a href="http://www.faqs.org/rfcs/rfc3464.html">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://www.faqs.org/rfcs/rfc3834.html">RFC 3834</a> (Auto-Submitted: message header)
-
-<b>DIAGNOSTICS</b>
- Problems and transactions are logged to <b>syslogd</b>(8).
-
-<b>CONFIGURATION PARAMETERS</b>
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
- <a href="bounce.8.html"><b>bounce</b>(8)</a> processes run for only a limited amount of time.
- Use the command "<b>postfix reload</b>" to speed up a change.
-
- The text below provides only a parameter summary. See
- <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
-
- <b><a href="postconf.5.html#2bounce_notice_recipient">2bounce_notice_recipient</a> (postmaster)</b>
- The recipient of undeliverable mail that cannot be
- returned to the sender.
-
- <b><a href="postconf.5.html#backwards_bounce_logfile_compatibility">backwards_bounce_logfile_compatibility</a> (yes)</b>
- Produce additional <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile records that
- can be read by Postfix versions before 2.0.
-
- <b><a href="postconf.5.html#bounce_notice_recipient">bounce_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
- message headers of mail that Postfix did not
- deliver and of SMTP conversation transcripts of
- mail that Postfix did not receive.
-
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
- The maximal amount of original message text that is
- sent in a non-delivery notification.
-
- <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
- Pathname of a configuration file with bounce mes-
- sage templates.
-
- <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
-
- <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
- built-in watchdog timer.
-
- <b><a href="postconf.5.html#delay_notice_recipient">delay_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
- message headers of mail that cannot be delivered
- within $<a href="postconf.5.html#delay_warning_time">delay_warning_time</a> time units.
-
- <b><a href="postconf.5.html#deliver_lock_attempts">deliver_lock_attempts</a> (20)</b>
- The maximal number of attempts to acquire an exclu-
- sive lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
-
- <b><a href="postconf.5.html#deliver_lock_delay">deliver_lock_delay</a> (1s)</b>
- The time between attempts to acquire an exclusive
- lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
-
- <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information
- over an internal communication channel.
-
- <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
- <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
-
- <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
- The mail system name that is displayed in Received:
- headers, in the SMTP greeting banner, and in
- bounced mail.
-
- <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
-
- <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
-
- <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
- postmaster.
-
- <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
- tory.
-
- <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
- The syslog facility of Postfix logging.
-
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
- becomes, for example, "postfix/smtpd".
-
-<b>FILES</b>
- /var/spool/postfix/bounce/* non-delivery records
- /var/spool/postfix/defer/* non-delivery records
- /var/spool/postfix/trace/* delivery status records
-
-<b>SEE ALSO</b>
- <a href="bounce.5.html">bounce(5)</a>, bounce message template format
- <a href="qmgr.8.html">qmgr(8)</a>, queue manager
- <a href="postconf.5.html">postconf(5)</a>, configuration parameters
- <a href="master.5.html">master(5)</a>, generic daemon options
- <a href="master.8.html">master(8)</a>, process manager
- syslogd(8), system logging
-
-<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
- software.
-
-<b>AUTHOR(S)</b>
- Wietse Venema
- IBM T.J. Watson Research
- P.O. Box 704
- Yorktown Heights, NY 10598, USA
-
- BOUNCE(8)
-</pre> </body> </html>
--- /dev/null
+bounce.8.html
\ No newline at end of file
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
<b>DESCRIPTION</b>
The Postfix <a href="error.8.html"><b>error</b>(8)</a> delivery agent processes delivery
requests from the queue manager. Each request specifies a
- queue file, a sender address, the reason for non-delivery
- (specified as the next-hop destination), and recipient
+ queue file, a sender address, a domain or host name that
+ is treated as the reason for non-delivery, and recipient
information. The reason may be prefixed with an RFC
3463-compatible detail code. This program expects to be
run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
+ The list of error classes that are reported to the
postmaster.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
- <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
+ <b><a href="postconf.5.html#parent_domain_matches_subdomains">parent_domain_matches_subdomains</a> (see 'postconf -d' out-</b>
<b>put)</b>
What Postfix features match subdomains of
"domain.tld" automatically, instead of requiring an
explicit ".domain.tld" pattern.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
<a href="ETRN_README.html">ETRN_README</a>, Postfix ETRN howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/generic</b>" to rebuild an indexed file
- after changing the corresponding text file.
+ "<b>postmap /etc/postfix/generic</b>" in order to rebuild the
+ indexed file after changing the text file.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
- those case, the lookups are done in a slightly different
+ that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ and "TCP-BASED TABLES".
<b>CASE FOLDING</b>
The search string is folded to lowercase before database
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
HEADER_CHECKS(5) HEADER_CHECKS(5)
<b>NAME</b>
- <a href="postconf.5.html#header_checks">header_checks</a> - Postfix built-in content inspection
+ <a href="postconf.5.html#header_checks">header_checks</a> - Postfix built-in header/body inspection
<b>SYNOPSIS</b>
<b><a href="postconf.5.html#header_checks">header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/header_checks</b>
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/nested_header_checks</b>
<b><a href="postconf.5.html#body_checks">body_checks</a> = <a href="pcre_table.5.html">pcre</a>:/etc/postfix/body_checks</b>
- <b>postmap -q "</b><i>string</i><b>" <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i>
- <b>postmap -q - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
+ <b>postmap -
fq "</b><i>string</i><b>" <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i>
+ <b>postmap -
fq - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
<b>DESCRIPTION</b>
- This document describes access control on the content of
- message headers and message body lines; it is implemented
- by the Postfix <a href="cleanup.8.html">cleanup(8)</a> server before mail is queued.
- See <a href="access.5.html"><b>access</b>(5)</a> for access control on remote SMTP client
- information.
-
- Each message header or message body line is compared
- against a list of patterns. When a match is found the
- corresponding action is executed, and the matching process
- is repeated for the next message header or message body
- line.
-
- For examples, see the EXAMPLES section at the end of this
+ Postfix provides a simple built-in content inspection
+ mechanism that examines incoming mail one message header
+ or one message body line at a time. Each input is compared
+ against a list of patterns, and when a match is found the
+ corresponding action is executed. This feature is imple-
+ mented by the Postfix <a href="cleanup.8.html"><b>cleanup</b>(8)</a> server.
+
+ For examples, see the EXAMPLES section at the end of this
manual page.
Postfix header or <a href="postconf.5.html#body_checks">body_checks</a> are designed to stop a flood
- of mail from worms or viruses; they do not decode attach-
- ments, and they do not unzip archives. See the documents
- referenced below in the README FILES section if you need
+ of mail from worms or viruses; they do not decode attach-
+ ments, and they do not unzip archives. See the documents
+ referenced below in the README FILES section if you need
more sophisticated content analysis.
Postfix supports four built-in content inspection classes:
<b><a href="postconf.5.html#header_checks">header_checks</a></b>
- These are applied to initial message headers
- (except for the headers that are processed with
+ These are applied to initial message headers
+ (except for the headers that are processed with
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>).
<b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
- These are applied to MIME related message headers
+ These are applied to MIME related message headers
only.
This feature is available in Postfix 2.0 and later.
<b><a href="postconf.5.html#nested_header_checks">nested_header_checks</a></b> (default: <b>$<a href="postconf.5.html#header_checks">header_checks</a></b>)
- These are applied to message headers of attached
- email messages (except for the headers that are
+ These are applied to message headers of attached
+ email messages (except for the headers that are
processed with <b><a href="postconf.5.html#mime_header_checks">mime_header_checks</a></b>).
This feature is available in Postfix 2.0 and later.
<b><a href="postconf.5.html#body_checks">body_checks</a></b>
- These are applied to all other content, including
+ These are applied to all other content, including
multi-part message boundaries.
With Postfix versions before 2.0, all content after
tent.
Note: message headers are examined one logical header at a
- time, even when a message header spans multiple lines.
+ time, even when a message header spans multiple lines.
Body lines are always examined one line at a time.
<b>TABLE FORMAT</b>
- This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
- are specified in the form of Postfix regular expression
- lookup tables. Usually the best performance is obtained
+ This document assumes that header and <a href="postconf.5.html#body_checks">body_checks</a> rules
+ are specified in the form of Postfix regular expression
+ lookup tables. Usually the best performance is obtained
with <b>pcre</b> (Perl Compatible Regular Expression) tables, but
- the slower <b>regexp</b> (POSIX regular expressions) support is
- more widely available. Use the command "<b>postconf -m</b>" to
- find out what lookup table types your Postfix system sup-
+ the slower <b>regexp</b> (POSIX regular expressions) support is
+ more widely available. Use the command "<b>postconf -m</b>" to
+ find out what lookup table types your Postfix system sup-
ports.
The general format of Postfix regular expression tables is
- given below. For a discussion of specific pattern or
- flags
syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
+ given below. For a discussion of specific pattern or
+ flags
syntax, see <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a> or <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a>,
respectively.
<b>/</b><i>pattern</i><b>/</b><i>flags action</i>
- When <i>pattern</i> matches the input string, execute the
- corresponding <i>action</i>. See below for a list of pos-
+ When <i>pattern</i> matches the input string, execute the
+ corresponding <i>action</i>. See below for a list of pos-
sible actions.
<b>!/</b><i>pattern</i><b>/</b><i>flags action</i>
- When <i>pattern</i> does <b>not</b> match the input string, exe-
+ When <i>pattern</i> does <b>not</b> match the input string, exe-
cute the corresponding <i>action</i>.
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the same input string
- also matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
+ <b>if</b> and <b>endif</b>, if and only if the input string also
+ matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
<b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the same input string
- does <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
+ <b>if</b> and <b>endif</b>, if and only if the input string does
+ <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A pattern/action line starts with non-whitespace
- text. A line that starts with whitespace continues
+ A pattern/action line starts with non-whitespace
+ text. A line that starts with whitespace continues
a logical line.
<b>TABLE SEARCH ORDER</b>
- For each line of message input, the patterns are applied
- in the order as specified in the table. When a pattern is
- found that matches the input line, the corresponding
- action is executed and then the next input line is
+ For each line of message input, the patterns are applied
+ in the order as specified in the table. When a pattern is
+ found that matches the input line, the corresponding
+ action is executed and then the next input line is
inspected.
<b>TEXT SUBSTITUTION</b>
- Substitution of substrings from the matched expression
- into the <i>action</i> string is possible using the conventional
- Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
- string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
+ Substitution of substrings from the matched expression
+ into the <i>action</i> string is possible using the conventional
+ Perl syntax (<b>$1</b>, <b>$2</b>, etc.). The macros in the result
+ string may need to be written as <b>${n}</b> or <b>$(n)</b> if they
aren't followed by whitespace.
- Note: since negated patterns (those preceded by <b>!</b>) return
+ Note: since negated patterns (those preceded by <b>!</b>) return
a result when the expression does not match, substitutions
are not available for negated patterns.
case for consistency with other Postfix documentation.
<b>DISCARD</b> <i>optional text...</i>
- Claim successful delivery and silently discard the
- message. Log the optional text if specified, oth-
+ Claim successful delivery and silently discard the
+ message. Log the optional text if specified, oth-
erwise log a generic message.
- Note: this action disables further header or
- <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
+ Note: this action disables further header or
+ <a href="postconf.5.html#body_checks">body_checks</a> inspection of the current message and
affects all recipients. To discard only one recip-
ient without discarding the entire message, use the
<a href="transport.5.html">transport(5)</a> table to direct mail to the <a href="discard.8.html">discard(8)</a>
This feature is available in Postfix 2.0 and later.
- <b>DUNNO</b> Pretend that the input line did not match any pat-
- tern, and inspect the next input line. This action
+ <b>DUNNO</b> Pretend that the input line did not match any pat-
+ tern, and inspect the next input line. This action
can be used to shorten the table search.
- For backwards compatibility reasons, Postfix also
- accepts <b>OK</b> but it is (and always has been) treated
+ For backwards compatibility reasons, Postfix also
+ accepts <b>OK</b> but it is (and always has been) treated
as <b>DUNNO</b>.
This feature is available in Postfix 2.1 and later.
<b>FILTER</b> <i>transport:destination</i>
- Write a content filter request to the queue file,
- and inspect the next input line. After the com-
- plete message is received it will be sent through
+ Write a content filter request to the queue file
+ and inspect the next input line. After the com-
+ plete message is received it will be sent through
the specified external content filter. More infor-
- mation about external content filters is in the
+ mation about external content filters is in the
Postfix <a href="FILTER_README.html">FILTER_README</a> file.
- Note: this action overrides the <b><a href="postconf.5.html#content_filter">content_filter</a></b> set-
- ting, and affects all recipients of the message. In
- the case that multiple <b>FILTER</b> actions fire, only
- the last one is executed.
+ Note: this action overrides the <b>main.cf <a href="postconf.5.html#content_filter">con</a>-</b>
+ <b><a href="postconf.5.html#content_filter">tent_filter</a></b> setting, and affects all recipients of
+ the message. In the case that multiple <b>FILTER</b>
+ actions fire, only the last one is executed.
This feature is available in Postfix 2.0 and later.
<b>HOLD</b> <i>optional text...</i>
- Arrange for the message to be placed on the <b>hold</b>
- queue, and inspect the next input line. The mes-
- sage remains on <b>hold</b> until someone either deletes
- it or releases it for delivery. Log the optional
+ Arrange for the message to be placed on the <b>hold</b>
+ queue, and inspect the next input line. The mes-
+ sage remains on <b>hold</b> until someone either deletes
+ it or releases it for delivery. Log the optional
text if specified, otherwise log a generic message.
- Mail that is placed on hold can be examined with
- the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
+ Mail that is placed on hold can be examined with
+ the <a href="postcat.1.html"><b>postcat</b>(1)</a> command, and can be destroyed or
released with the <a href="postsuper.1.html"><b>postsuper</b>(1)</a> command.
- Note: use "<b>postsuper -r</b>" to release mail that was
- kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
+ Note: use "<b>postsuper -r</b>" to release mail that was
+ kept
on hold for a significant fraction of <b>$<a href="postconf.5.html#maximal_queue_lifetime">maxi</a>-</b>
<b><a href="postconf.5.html#maximal_queue_lifetime">mal_queue_lifetime</a></b> or <b>$<a href="postconf.5.html#bounce_queue_lifetime">bounce_queue_lifetime</a></b>, or
- longer. Use "<b>postsuper -H</b>" only for mail that will
- not expire within a few delivery attempts.
+ longer.
Note: this action affects all recipients of the
message.
This feature is available in Postfix 2.0 and later.
- <b>IGNORE</b> Delete the current line from the input, and inspect
+ <b>IGNORE</b> Delete the current line from the input and inspect
the next input line.
<b>PREPEND</b> <i>text...</i>
- Prepend one line with the specified text, and
+ Prepend one line with the specified text and
inspect the next input line.
Notes:
<b>REDIRECT</b> <i>user@domain</i>
Write a message redirection request to the queue
- file, and inspect the next input line. After the
+ file and inspect the next input line. After the
message is queued, it will be sent to the specified
address instead of the intended recipient(s).
This feature is available in Postfix 2.1 and later.
<b>REPLACE</b> <i>text...</i>
- Replace the current line with the specified text,
+ Replace the current line with the specified text
and inspect the next input line.
This feature is available in Postfix 2.2 and later.
<b>WARN</b> <i>optional text...</i>
Log a warning with the <i>optional text...</i> (or log a
- generic message), and inspect the next input line.
+ generic message) and inspect the next input line.
This action is useful for debugging and for testing
a pattern before applying more drastic actions.
<b>BUGS</b>
Many people overlook the main limitations of header and
- <a href="postconf.5.html#body_checks">body_checks</a> rules.
-
- <b>o</b> These rules operate on one logical message header
- or one body line at a time. A decision made for one
- line is not carried over to the next line.
-
- <b>o</b> If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>)
- then the rules have to specified for the encoded
- form.
-
- <b>o</b> Likewise, when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2047.html">2047</a>) then the rules need to be specified for the
- encoded form.
+ <a href="postconf.5.html#body_checks">body_checks</a> rules. These rules operate on one logical
+ message header or one body line at a time, and a decision
+ made for one line is not carried over to the next line.
+ If text in the message body is encoded (<a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a>) then the
+ rules have to specified for the encoded form. Likewise,
+ when message headers are encoded (<a href="http://www.faqs.org/rfcs/rfc2047.html">RFC 2047</a>) then the rules
+ need to be specified for the encoded form.
Message headers added by the <a href="cleanup.8.html"><b>cleanup</b>(8)</a> daemon itself are
excluded from inspection. Examples of such message headers
Header pattern to block attachments with bad file name
extensions.
- /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ /etc/postfix/main.cf:
<a href="postconf.5.html#header_checks">header_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/header_checks
/etc/postfix/header_checks:
Body pattern to stop a specific HTML browser vulnerability
exploit.
- /etc/postfix/<a href="postconf.5.html">main.cf</a>:
+ /etc/postfix/main.cf:
<a href="postconf.5.html#body_checks">body_checks</a> = <a href="regexp_table.5.html">regexp</a>:/etc/postfix/body_checks
/etc/postfix/body_checks:
<li> <a href="DEBUG_README.html"> Debugging strategies </a>
+<li> Error messages (*)
+
</ul>
<p><strong>Content inspection </strong></p>
<ul>
+<li> qmail/ezmlm support (*)
+
<li> <a href="VERP_README.html"> VERP Support </a>
</ul>
<li> <a href="NFS_README.html"> NFS issues </a>
+<li> <a href="ULTRIX_README.html"> Ultrix support </a>
+
</ul>
<p><strong> Other mail delivery agents </strong></p>
<ul>
+<li> Cyrus (*)
+
<li> <a href="MAILDROP_README.html"> Maildrop </a>
+<li> LMTP (*)
+
</ul>
<p><strong> Other topics </strong></p>
</td>
+<tr> <td colspan="3"> <font size="-1"> (*) These documents will be
+made available via <a href="http://www.postfix.org/">
+http://www.postfix.org/</a> and mirror sites. </font> </td> </tr>
+
</table>
</body>
In order to use LDAP lookups, define an LDAP source as a
lookup table in <a href="postconf.5.html">main.cf</a>, for example:
-
<a href="postconf.5.html#alias_maps">alias_maps</a> = <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
The file /etc/postfix/ldap-aliases.cf has the same format
For example, NEVER do this in a map defining $<a href="postconf.5.html#mydestination">mydestina</a>-
<a href="postconf.5.html#mydestination">tion</a>:
-
query_filter = domain=*
result_attribute = domain
Do this instead:
-
query_filter = domain=%s
result_attribute = domain
<b>server_host (default: localhost)</b>
The name of the host running the LDAP server, e.g.
-
server_host = ldap.example.com
Depending on the LDAP client library you're using,
the first one fail. It should also be possible to
give each server in the list a different port
(overriding <b>server_port</b> below), by naming them like
-
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to
specify both the hostname(s) and the port(s):
-
server_host = <a href="ldap_table.5.html">ldap</a>://ldap.example.com:1444
<a href="ldap_table.5.html">ldap</a>://ldap2.example.com:1444
supported, including connections over UNIX domain
sockets, and LDAP SSL (the last one provided that
OpenLDAP was compiled with support for SSL):
-
server_host = ldapi://%2Fsome%2Fpath
ldaps://ldap.example.com:636
<b>server_port (default: 389)</b>
The port the LDAP server listens on, e.g.
-
server_port = 778
<b>timeout (default: 10 seconds)</b>
The number of seconds a search can take before tim-
ing out, e.g.
-
timeout = 5
<b>search_base (No default; you must configure this)</b>
The <a href="http://www.faqs.org/rfcs/rfc2253.html">RFC2253</a> base DN at which to conduct the search,
e.g.
-
search_base = dc=your, dc=com
With Postfix 2.2 and later this parameter supports
key does not add unexpected metacharacters.
<b>%u</b> When the input key is an address of the form
- user@domain, <b>%u</b> is replaced by the (<a href="http://www.faqs.org/rfcs/rfc2253.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2253.html">2253</a>) quoted local part of the address.
+ user@domain, <b>%u</b> is replaced by the (RFC
+ 2253) quoted local part of the address.
Otherwise, <b>%u</b> is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
<b>%d</b> When the input key is an address of the form
- user@domain, <b>%d</b> is replaced by the (<a href="http://www.faqs.org/rfcs/rfc2253.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2253.html">2253</a>) quoted domain part of the address.
+ user@domain, <b>%d</b> is replaced by the (RFC
+ 2253) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
The <a href="http://www.faqs.org/rfcs/rfc2254.html">RFC2254</a> filter used to search the directory,
where <b>%s</b> is a substitute for the address Postfix is
trying to resolve, e.g.
-
query_filter = (&(mail=%s)(paid_up=true))
This parameter supports the following '%' expan-
key does not add unexpected metacharacters.
<b>%u</b> When the input key is an address of the form
- user@domain, <b>%u</b> is replaced by the (<a href="http://www.faqs.org/rfcs/rfc2254.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2254.html">2254</a>) quoted local part of the address.
+ user@domain, <b>%u</b> is replaced by the (RFC
+ 2254) quoted local part of the address.
Otherwise, <b>%u</b> is replaced by the entire
search string. If the localpart is empty,
the search is suppressed and returns no
results.
<b>%d</b> When the input key is an address of the form
- user@domain, <b>%d</b> is replaced by the (<a href="http://www.faqs.org/rfcs/rfc2254.html">RFC</a>
- <a href="http://www.faqs.org/rfcs/rfc2254.html">2254</a>) quoted domain part of the address.
+ user@domain, <b>%d</b> is replaced by the (RFC
+ 2254) quoted domain part of the address.
Otherwise, the search is suppressed and
returns no results.
is <b>example</b> and %3 is <b>mail</b>. If the input key
is unqualified or does not have enough
domain components to satisfy all the speci-
- fied patterns, the search is suppressed and
+ fied patterns, the saerch is suppressed and
returns no results.
The above %1, ..., %9 expansions are avail-
lookups, bare domain lookups and "@domain" lookups
are not performed. This can significantly reduce
the query load on the LDAP server.
-
domain = postfix.org, hash:/etc/postfix/search-
domains
The attribute(s) Postfix will read from any direc-
tory entries returned by the lookup, to be resolved
to an email address.
-
result_attribute = mailbox, maildrop
- <b>special_result_attribute (default: empty)</b>
+ <b>special_result_attribute (No default)</b>
The attribute(s) of directory entries that can con-
tain DNs or URLs. If found, a recursive subsequent
search is done using their values.
-
- special_result_attribute = memberdn
+ special_result_attribute = member
DN recursion retrieves the same result_attributes
as the main query, including the special attributes
map's special result attributes, these are also
retrieved and used recursively.
- <b>terminal_result_attribute (default: empty)</b>
- When one or more terminal result attributes are
- found in an LDAP entry, all other result attributes
- are ignored and only the terminal result attributes
- are returned. This is useful for delegating expan-
- sion of group members to a particular host, by
- using an optional "maildrop" attribute on selected
- groups to route the group to a specific host, where
- the group is expanded, possibly via mailing-list
- manager or other special processing.
-
- terminal_result_attribute = maildrop
-
- This feature is available with Postfix 2.4 or
- later.
-
- <b>leaf_result_attribute (default: empty)</b>
- When one or more special result attributes are
- found in a non-terminal (see above) LDAP entry,
- leaf result attributes are excluded from the expan-
- sion of that entry. This is useful when expanding
- groups and the desired mail address attribute(s) of
- the member objects obtained via DN or URI recursion
- are also present in the group object. To only
- return the attribute values from the leaf objects
- and not the containing group, add the attribute to
- the leaf_result_attribute list, and not the
- result_attribute list, which is always expanded.
- Note, the default value of "result_attribute" is
- not empty, you may want to set it explicitly empty
- when using "leaf_result_attribute" to expand the
- group to a list of member DN addresses. If groups
- have both member DN references AND attributes that
- hold multiple string valued rfc822 addresses, then
- the string attributes go in "result_attribute".
- The attributes that represent the email addresses
- of objects referenced via a DN (or LDAP URI) go in
- "leaf_result_attribute".
-
- result_attribute = memberaddr
- special_result_attribute = memberdn
- terminal_result_attribute = maildrop
- leaf_result_attribute = mail
-
- This feature is available with Postfix 2.4 or
- later.
-
<b>scope (default: sub)</b>
The LDAP search scope: <b>sub</b>, <b>base</b>, or <b>one</b>. These
translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
Whether or not to bind to the LDAP server. Newer
LDAP implementations don't require clients to bind,
which saves time. Example:
-
bind = no
If you do need to bind, you might consider config-
<b>bind_dn (default: empty)</b>
If you do have to bind, do it with this distin-
guished name. Example:
-
bind_dn = uid=postfix, dc=your, dc=com
<b>bind_pw (default: empty)</b>
because <a href="postconf.5.html">main.cf</a> needs to be world readable to allow
local accounts to submit mail via the sendmail com-
mand. Example:
-
bind_pw = postfixpw
<b>cache (IGNORED with a warning)</b>
LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
-
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
-
start_tls = yes
Both forms require LDAP protocol version 3, which has to
be set explicitly with:
-
version = 3
If any of the Postfix programs querying the map is config-
<b>EXAMPLE</b>
Here's a basic example for using LDAP to look up <a href="local.8.html">local(8)</a>
aliases. Assume that in <a href="postconf.5.html">main.cf</a>, you have:
-
<a href="postconf.5.html#alias_maps">alias_maps</a> = hash:/etc/aliases,
<a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf
and in <a href="ldap_table.5.html">ldap</a>:/etc/postfix/ldap-aliases.cf you have:
-
- server_host = ldap.example.com
- search_base = dc=example, dc=com
+ server_host = ldap.my.com
+ search_base = dc=my, dc=com
Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will
- search the LDAP server listening at port 389 on ldap.exam-
- ple.com. It will bind anonymously, search for any direc-
- tory entries whose mailacceptinggeneralid attribute is
- "ldapuser", read the "maildrop" attributes of those found,
- and build a list of their maildrops, which will be treated
- as <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a> addresses to which the message will be deliv-
- ered.
+ search the LDAP server listening at port 389 on
+ ldap.my.com. It will bind anonymously, search for any
+ directory entries whose mailacceptinggeneralid attribute
+ is "ldapuser", read the "maildrop" attributes of those
+ found, and build a list of their maildrops, which will be
+ treated as <a href="http://www.faqs.org/rfcs/rfc822.html">RFC822</a> addresses to which the message will be
+ delivered.
<b>SEE ALSO</b>
<a href="postmap.1.html">postmap(1)</a>, Postfix lookup table manager
+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Postfix manual - smtp(8) </title>
-</head> <body> <pre>
-SMTP(8) SMTP(8)
-
-<b>NAME</b>
- smtp - Postfix SMTP+LMTP client
-
-<b>SYNOPSIS</b>
- <b>smtp</b> [generic Postfix daemon options]
-
-<b>DESCRIPTION</b>
- The Postfix SMTP+LMTP client implements the SMTP and LMTP
- mail delivery protocols. It processes message delivery
- requests from the queue manager. Each request specifies a
- queue file, a sender address, a domain or host to deliver
- to, and recipient information. This program expects to be
- run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
-
- The SMTP+LMTP client updates the queue file and marks
- recipients as finished, or it informs the queue manager
- that delivery should be tried again at a later time.
- Delivery status reports are sent to the <a href="bounce.8.html"><b>bounce</b>(8)</a>,
- <a href="defer.8.html"><b>defer</b>(8)</a> or <a href="trace.8.html"><b>trace</b>(8)</a> daemon as appropriate.
-
- The SMTP+LMTP client looks up a list of mail exchanger
- addresses for the destination host, sorts the list by
- preference, and connects to each listed address until it
- finds a server that responds.
-
- When a server is not reachable, or when mail delivery
- fails due to a recoverable error condition, the SMTP+LMTP
- client will try to deliver the mail to an alternate host.
-
- After a successful mail transaction, a connection may be
- saved to the <a href="scache.8.html"><b>scache</b>(8)</a> connection cache server, so that it
- may be used by any SMTP+LMTP client for a subsequent
- transaction.
-
- By default, connection caching is enabled temporarily for
- destinations that have a high volume of mail in the active
- queue. Connection caching can be enabled permanently for
- specific destinations.
-
-<b>SMTP DESTINATION SYNTAX</b>
- SMTP destinations have the following form:
-
- <i>domainname</i>
-
- <i>domainname</i>:<i>port</i>
- Look up the mail exchangers for the specified
- domain, and connect to the specified port (default:
- <b>smtp</b>).
-
- [<i>hostname</i>]
-
- [<i>hostname</i>]:<i>port</i>
- Look up the address(es) of the specified host, and
- connect to the specified port (default: <b>smtp</b>).
-
- [<i>address</i>]
-
- [<i>address</i>]:<i>port</i>
- Connect to the host at the specified address, and
- connect to the specified port (default: <b>smtp</b>). An
- IPv6 address must be formatted as [<b>ipv6</b>:<i>address</i>].
-
-<b>LMTP DESTINATION SYNTAX</b>
- LMTP destinations have the following form:
-
- <b>unix</b>:<i>pathname</i>
- Connect to the local UNIX-domain server that is
- bound to the specified <i>pathname</i>. If the process
- runs chrooted, an absolute pathname is interpreted
- relative to the Postfix queue directory.
-
- <b>inet</b>:<i>hostname</i>
-
- <b>inet:</b><i>hostname</i>:<i>port</i>
-
- <b>inet</b>:[<i>address</i>]
-
- <b>inet</b>:[<i>address</i>]:<i>port</i>
- Connect to the specified TCP port on the specified
- local or remote host. If no port is specified, con-
- nect to the port defined as <b>lmtp</b> in <b>services</b>(4).
- If no such service is found, the <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a></b> con-
- figuration parameter (default value of 24) will be
- used. An IPv6 address must be formatted as
- [<b>ipv6</b>:<i>address</i>].
-
-<b>SECURITY</b>
- The SMTP+LMTP client is moderately security-sensitive. It
- talks to SMTP or LMTP servers and to DNS servers on the
- network. The SMTP+LMTP client can be run chrooted at fixed
- low privilege.
-
-<b>STANDARDS</b>
- <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a> (SMTP protocol)
- <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://www.faqs.org/rfcs/rfc1651.html">RFC 1651</a> (SMTP service extensions)
- <a href="http://www.faqs.org/rfcs/rfc1652.html">RFC 1652</a> (8bit-MIME transport)
- <a href="http://www.faqs.org/rfcs/rfc1870.html">RFC 1870</a> (Message Size Declaration)
- <a href="http://www.faqs.org/rfcs/rfc2033.html">RFC 2033</a> (LMTP protocol)
- <a href="http://www.faqs.org/rfcs/rfc2034.html">RFC 2034</a> (SMTP Enhanced Error Codes)
- <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (MIME: Format of Internet Message Bodies)
- <a href="http://www.faqs.org/rfcs/rfc2046.html">RFC 2046</a> (MIME: Media Types)
- <a href="http://www.faqs.org/rfcs/rfc2554.html">RFC 2554</a> (AUTH command)
- <a href="http://www.faqs.org/rfcs/rfc2821.html">RFC 2821</a> (SMTP protocol)
- <a href="http://www.faqs.org/rfcs/rfc2920.html">RFC 2920</a> (SMTP Pipelining)
- <a href="http://www.faqs.org/rfcs/rfc3207.html">RFC 3207</a> (STARTTLS command)
- <a href="http://www.faqs.org/rfcs/rfc3461.html">RFC 3461</a> (SMTP DSN Extension)
- <a href="http://www.faqs.org/rfcs/rfc3463.html">RFC 3463</a> (Enhanced Status Codes)
-
-<b>DIAGNOSTICS</b>
- Problems and transactions are logged to <b>syslogd</b>(8). Cor-
- rupted message files are marked so that the queue manager
- can move them to the <b>corrupt</b> queue for further inspection.
-
- Depending on the setting of the <b><a href="postconf.5.html#notify_classes">notify_classes</a></b> parameter,
- the postmaster is notified of bounces, protocol problems,
- and of other trouble.
-
-<b>BUGS</b>
- SMTP and LMTP connection caching does not work with TLS.
- The necessary support for TLS object passivation and re-
- activation does not exist without closing the session,
- which defeats the purpose.
-
- SMTP and LMTP connection caching assumes that SASL creden-
- tials are valid for all destinations that map onto the
- same IP address and TCP port.
-
-<b>CONFIGURATION PARAMETERS</b>
- Before Postfix version 2.3, the LMTP client is a separate
- program that implements only a subset of the functionality
- available with SMTP: there is no support for TLS, and con-
- nections are cached in-process, making it ineffective when
- the client is used for multiple domains.
-
- Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
- "mirror" parameter for the equivalent LMTP feature. This
- document describes only those LMTP-related parameters that
- aren't simply "mirror" parameters.
-
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
- processes run for only a limited amount of time. Use the
- command "<b>postfix reload</b>" to speed up a change.
-
- The text below provides only a parameter summary. See
- <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
-
-<b>COMPATIBILITY CONTROLS</b>
- <b><a href="postconf.5.html#ignore_mx_lookup_error">ignore_mx_lookup_error</a> (no)</b>
- Ignore DNS MX lookups that produce no response.
-
- <b><a href="postconf.5.html#smtp_always_send_ehlo">smtp_always_send_ehlo</a> (yes)</b>
- Always send EHLO at the start of an SMTP session.
-
- <b><a href="postconf.5.html#smtp_never_send_ehlo">smtp_never_send_ehlo</a> (no)</b>
- Never send EHLO at the start of an SMTP session.
-
- <b><a href="postconf.5.html#smtp_defer_if_no_mx_address_found">smtp_defer_if_no_mx_address_found</a> (no)</b>
- Defer mail delivery when no MX record resolves to
- an IP address.
-
- <b><a href="postconf.5.html#smtp_line_length_limit">smtp_line_length_limit</a> (990)</b>
- The maximal length of message header and body lines
- that Postfix will send via SMTP.
-
- <b><a href="postconf.5.html#smtp_pix_workaround_delay_time">smtp_pix_workaround_delay_time</a> (10s)</b>
- How long the Postfix SMTP client pauses before
- sending ".<CR><LF>" in order to work around the PIX
- firewall "<CR><LF>.<CR><LF>" bug.
-
- <b><a href="postconf.5.html#smtp_pix_workaround_threshold_time">smtp_pix_workaround_threshold_time</a> (500s)</b>
- How long a message must be queued before the Post-
- fix SMTP client turns on the PIX firewall
- "<CR><LF>.<CR><LF>" bug workaround for delivery
- through firewalls with "smtp fixup" mode turned on.
-
- <b><a href="postconf.5.html#smtp_pix_workarounds">smtp_pix_workarounds</a> (disable_esmtp, delay_dotcrlf)</b>
- A list that specifies zero or more workarounds for
- CISCO PIX firewall bugs.
-
- <b><a href="postconf.5.html#smtp_pix_workaround_maps">smtp_pix_workaround_maps</a> (empty)</b>
- Lookup tables, indexed by the remote SMTP server
- address, with per-destination workarounds for CISCO
- PIX firewall bugs.
-
- <b><a href="postconf.5.html#smtp_quote_rfc821_envelope">smtp_quote_rfc821_envelope</a> (yes)</b>
- Quote addresses in SMTP MAIL FROM and RCPT TO com-
- mands as required by <a href="http://www.faqs.org/rfcs/rfc821.html">RFC 821</a>.
-
- <b><a href="postconf.5.html#smtp_skip_5xx_greeting">smtp_skip_5xx_greeting</a> (yes)</b>
- Skip SMTP servers that greet with a 5XX status code
- (go away, do not try again later).
-
- <b><a href="postconf.5.html#smtp_skip_quit_response">smtp_skip_quit_response</a> (yes)</b>
- Do not wait for the response to the SMTP QUIT com-
- mand.
-
- Available in Postfix version 2.0 and earlier:
-
- <b><a href="postconf.5.html#smtp_skip_4xx_greeting">smtp_skip_4xx_greeting</a> (yes)</b>
- Skip SMTP servers that greet with a 4XX status code
- (go away, try again later).
-
- Available in Postfix version 2.2 and later:
-
- <b><a href="postconf.5.html#smtp_discard_ehlo_keyword_address_maps">smtp_discard_ehlo_keyword_address_maps</a> (empty)</b>
- Lookup tables, indexed by the remote SMTP server
- address, with case insensitive lists of EHLO key-
- words (pipelining, starttls, auth, etc.) that the
- Postfix SMTP client will ignore in the EHLO
- response from a remote SMTP server.
-
- <b><a href="postconf.5.html#smtp_discard_ehlo_keywords">smtp_discard_ehlo_keywords</a> (empty)</b>
- A case insensitive list of EHLO keywords (pipelin-
- ing, starttls, auth, etc.) that the Postfix SMTP
- client will ignore in the EHLO response from a
- remote SMTP server.
-
- <b><a href="postconf.5.html#smtp_generic_maps">smtp_generic_maps</a> (empty)</b>
- Optional lookup tables that perform address rewrit-
- ing in the SMTP client, typically to transform a
- locally valid address into a globally valid address
- when sending mail across the Internet.
-
- Available in Postfix version 2.2.9 and later:
-
- <b><a href="postconf.5.html#smtp_cname_overrides_servername">smtp_cname_overrides_servername</a> (version dependent)</b>
- Allow DNS CNAME records to override the servername
- that the Postfix SMTP client uses for logging, SASL
- password lookup, TLS policy decisions, or TLS cer-
- tificate verification.
-
- Available in Postfix version 2.3 and later:
-
- <b><a href="postconf.5.html#lmtp_discard_lhlo_keyword_address_maps">lmtp_discard_lhlo_keyword_address_maps</a> (empty)</b>
- Lookup tables, indexed by the remote LMTP server
- address, with case insensitive lists of LHLO key-
- words (pipelining, starttls, auth, etc.) that the
- LMTP client will ignore in the LHLO response from a
- remote LMTP server.
-
- <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
- A case insensitive list of LHLO keywords (pipelin-
- ing, starttls, auth, etc.) that the LMTP client
- will ignore in the LHLO response from a remote LMTP
- server.
-
-<b>MIME PROCESSING CONTROLS</b>
- Available in Postfix version 2.0 and later:
-
- <b><a href="postconf.5.html#disable_mime_output_conversion">disable_mime_output_conversion</a> (no)</b>
- Disable the conversion of 8BITMIME format to 7BIT
- format.
-
- <b><a href="postconf.5.html#mime_boundary_length_limit">mime_boundary_length_limit</a> (2048)</b>
- The maximal length of MIME multipart boundary
- strings.
-
- <b><a href="postconf.5.html#mime_nesting_limit">mime_nesting_limit</a> (100)</b>
- The maximal recursion level that the MIME processor
- will handle.
-
-<b>EXTERNAL CONTENT INSPECTION CONTROLS</b>
- Available in Postfix version 2.1 and later:
-
- <b><a href="postconf.5.html#smtp_send_xforward_command">smtp_send_xforward_command</a> (no)</b>
- Send the non-standard XFORWARD command when the
- Postfix SMTP server EHLO response announces XFOR-
- WARD support.
-
-<b>SASL AUTHENTICATION CONTROLS</b>
- <b><a href="postconf.5.html#smtp_sasl_auth_enable">smtp_sasl_auth_enable</a> (no)</b>
- Enable SASL authentication in the Postfix SMTP
- client.
-
- <b><a href="postconf.5.html#smtp_sasl_password_maps">smtp_sasl_password_maps</a> (empty)</b>
- Optional SMTP client lookup tables with one user-
- name:password entry per remote hostname or domain,
- or sender address when sender-dependent authentica-
- tion is enabled.
-
- <b><a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_security_options</a> (noplaintext, noanonymous)</b>
- SASL security options; as of Postfix 2.3 the list
- of available features depends on the SASL client
- implementation that is selected with
- <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
-
- Available in Postfix version 2.2 and later:
-
- <b><a href="postconf.5.html#smtp_sasl_mechanism_filter">smtp_sasl_mechanism_filter</a> (empty)</b>
- If non-empty, a Postfix SMTP client filter for the
- remote SMTP server's list of offered SASL mecha-
- nisms.
-
- Available in Postfix version 2.3 and later:
-
- <b><a href="postconf.5.html#smtp_sender_dependent_authentication">smtp_sender_dependent_authentication</a> (no)</b>
- Enable sender-dependent authentication in the Post-
- fix SMTP client; this is available only with SASL
- authentication, and disables SMTP connection
- caching to ensure that mail from different senders
- will use the appropriate credentials.
-
- <b><a href="postconf.5.html#smtp_sasl_path">smtp_sasl_path</a> (empty)</b>
- Implementation-specific information that is passed
- through to the SASL plug-in implementation that is
- selected with <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a></b>.
-
- <b><a href="postconf.5.html#smtp_sasl_type">smtp_sasl_type</a> (cyrus)</b>
- The SASL plug-in type that the Postfix SMTP client
- should use for authentication.
-
-<b>STARTTLS SUPPORT CONTROLS</b>
- Detailed information about STARTTLS configuration may be
- found in the <a href="TLS_README.html">TLS_README</a> document.
-
- <b><a href="postconf.5.html#smtp_tls_security_level">smtp_tls_security_level</a> (empty)</b>
- The default SMTP TLS security level for the Postfix
- SMTP client; when a non-empty value is specified,
- this overrides the obsolete parameters
- <a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a>, <a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a>, and
- <a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a>.
-
- <b><a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a> ($<a href="postconf.5.html#smtp_sasl_security_options">smtp_sasl_secu</a>-</b>
- <b><a href="postconf.5.html#smtp_sasl_security_options">rity_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
- sessions.
-
- <b><a href="postconf.5.html#smtp_starttls_timeout">smtp_starttls_timeout</a> (300s)</b>
- Time limit for Postfix SMTP client write and read
- operations during TLS startup and shutdown hand-
- shake procedures.
-
- <b><a href="postconf.5.html#smtp_tls_CAfile">smtp_tls_CAfile</a> (empty)</b>
- The file with the certificate of the certification
- authority (CA) that issued the Postfix SMTP client
- certificate.
-
- <b><a href="postconf.5.html#smtp_tls_CApath">smtp_tls_CApath</a> (empty)</b>
- Directory with PEM format certificate authority
- certificates that the Postfix SMTP client uses to
- verify a remote SMTP server certificate.
-
- <b><a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a> (empty)</b>
- File with the Postfix SMTP client RSA certificate
- in PEM format.
-
- <b><a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> (medium)</b>
- The minimum TLS cipher grade that the Postfix SMTP
- client will use with mandatory TLS encryption.
-
- <b><a href="postconf.5.html#smtp_tls_exclude_ciphers">smtp_tls_exclude_ciphers</a> (empty)</b>
- List of ciphers or cipher types to exclude from the
- Postfix SMTP client cipher list at all TLS security
- levels.
-
- <b><a href="postconf.5.html#smtp_tls_mandatory_exclude_ciphers">smtp_tls_mandatory_exclude_ciphers</a> (empty)</b>
- Additional list of ciphers or cipher types to
- exclude from the SMTP client cipher list at manda-
- tory TLS security levels.
-
- <b><a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a> (empty)</b>
- File with the Postfix SMTP client DSA certificate
- in PEM format.
-
- <b><a href="postconf.5.html#smtp_tls_dkey_file">smtp_tls_dkey_file</a> ($<a href="postconf.5.html#smtp_tls_dcert_file">smtp_tls_dcert_file</a>)</b>
- File with the Postfix SMTP client DSA private key
- in PEM format.
-
- <b><a href="postconf.5.html#smtp_tls_key_file">smtp_tls_key_file</a> ($<a href="postconf.5.html#smtp_tls_cert_file">smtp_tls_cert_file</a>)</b>
- File with the Postfix SMTP client RSA private key
- in PEM format.
-
- <b><a href="postconf.5.html#smtp_tls_loglevel">smtp_tls_loglevel</a> (0)</b>
- Enable additional Postfix SMTP client logging of
- TLS activity.
-
- <b><a href="postconf.5.html#smtp_tls_note_starttls_offer">smtp_tls_note_starttls_offer</a> (no)</b>
- Log the hostname of a remote SMTP server that
- offers STARTTLS, when TLS is not already enabled
- for that server.
-
- <b><a href="postconf.5.html#smtp_tls_policy_maps">smtp_tls_policy_maps</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client
- TLS security policy by next-hop destination; when a
- non-empty value is specified, this overrides the
- obsolete <a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> parameter.
-
- <b><a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> (SSLv3, TLSv1)</b>
- List of TLS protocols that the Postfix SMTP client
- will use with mandatory TLS encryption.
-
- <b><a href="postconf.5.html#smtp_tls_scert_verifydepth">smtp_tls_scert_verifydepth</a> (5)</b>
- The verification depth for remote SMTP server cer-
- tificates.
-
- <b><a href="postconf.5.html#smtp_tls_secure_cert_match">smtp_tls_secure_cert_match</a> (nexthop, dot-nexthop)</b>
- The server certificate peername verification method
- for the "secure" TLS security level.
-
- <b><a href="postconf.5.html#smtp_tls_session_cache_database">smtp_tls_session_cache_database</a> (empty)</b>
- Name of the file containing the optional Postfix
- SMTP client TLS session cache.
-
- <b><a href="postconf.5.html#smtp_tls_session_cache_timeout">smtp_tls_session_cache_timeout</a> (3600s)</b>
- The expiration time of Postfix SMTP client TLS ses-
- sion cache information.
-
- <b><a href="postconf.5.html#smtp_tls_verify_cert_match">smtp_tls_verify_cert_match</a> (hostname)</b>
- The server certificate peername verification method
- for the "verify" TLS security level.
-
- <b><a href="postconf.5.html#tls_daemon_random_bytes">tls_daemon_random_bytes</a> (32)</b>
- The number of pseudo-random bytes that an <a href="smtp.8.html"><b>smtp</b>(8)</a>
- or <a href="smtpd.8.html"><b>smtpd</b>(8)</a> process requests from the <a href="tlsmgr.8.html"><b>tlsmgr</b>(8)</a>
- server in order to seed its internal pseudo random
- number generator (PRNG).
-
- <b><a href="postconf.5.html#tls_high_cipherlist">tls_high_cipherlist</a></b>
- <b>(ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "HIGH" grade ciphers.
-
- <b><a href="postconf.5.html#tls_medium_cipherlist">tls_medium_cipherlist</a> (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "MEDIUM" or higher grade
- ciphers.
-
- <b><a href="postconf.5.html#tls_low_cipherlist">tls_low_cipherlist</a> (ALL:!EXPORT:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "LOW" or higher grade
- ciphers.
-
- <b><a href="postconf.5.html#tls_export_cipherlist">tls_export_cipherlist</a> (ALL:+RC4:@STRENGTH)</b>
- The OpenSSL cipherlist for "EXPORT" or higher grade
- ciphers.
-
- <b><a href="postconf.5.html#tls_null_cipherlist">tls_null_cipherlist</a> (eNULL:!aNULL)</b>
- The OpenSSL cipherlist for "NULL" grade ciphers
- that provide authentication without encryption.
-
- Available in Postfix version 2.4 and later:
-
- <b><a href="postconf.5.html#smtp_sasl_tls_verified_security_options">smtp_sasl_tls_verified_security_options</a></b>
- <b>($<a href="postconf.5.html#smtp_sasl_tls_security_options">smtp_sasl_tls_security_options</a>)</b>
- The SASL authentication security options that the
- Postfix SMTP client uses for TLS encrypted SMTP
- sessions with a verified server certificate.
-
-<b>OBSOLETE STARTTLS CONTROLS</b>
- The following configuration parameters exist for compati-
- bility with Postfix versions before 2.3. Support for these
- will be removed in a future release.
-
- <b><a href="postconf.5.html#smtp_use_tls">smtp_use_tls</a> (no)</b>
- Opportunistic mode: use TLS when a remote SMTP
- server announces STARTTLS support, otherwise send
- the mail in the clear.
-
- <b><a href="postconf.5.html#smtp_enforce_tls">smtp_enforce_tls</a> (no)</b>
- Enforcement mode: require that remote SMTP servers
- use TLS encryption, and never send mail in the
- clear.
-
- <b><a href="postconf.5.html#smtp_tls_enforce_peername">smtp_tls_enforce_peername</a> (yes)</b>
- With mandatory TLS encryption, require that the
- remote SMTP server hostname matches the information
- in the remote SMTP server certificate.
-
- <b><a href="postconf.5.html#smtp_tls_per_site">smtp_tls_per_site</a> (empty)</b>
- Optional lookup tables with the Postfix SMTP client
- TLS usage policy by next-hop destination and by
- remote SMTP server hostname.
-
- <b><a href="postconf.5.html#smtp_tls_cipherlist">smtp_tls_cipherlist</a> (empty)</b>
- Obsolete Postfix < 2.3 control for the Postfix SMTP
- client TLS cipher list.
-
-<b>RESOURCE AND RATE CONTROLS</b>
- <b><a href="postconf.5.html#smtp_destination_concurrency_limit">smtp_destination_concurrency_limit</a> ($<a href="postconf.5.html#default_destination_concurrency_limit">default_destina</a>-</b>
- <b><a href="postconf.5.html#default_destination_concurrency_limit">tion_concurrency_limit</a>)</b>
- The maximal number of parallel deliveries to the
- same destination via the smtp message delivery
- transport.
-
- <b><a href="postconf.5.html#smtp_destination_recipient_limit">smtp_destination_recipient_limit</a> ($<a href="postconf.5.html#default_destination_recipient_limit">default_destina</a>-</b>
- <b><a href="postconf.5.html#default_destination_recipient_limit">tion_recipient_limit</a>)</b>
- The maximal number of recipients per delivery via
- the smtp message delivery transport.
-
- <b><a href="postconf.5.html#smtp_connect_timeout">smtp_connect_timeout</a> (30s)</b>
- The SMTP client time limit for completing a TCP
- connection, or zero (use the operating system
- built-in time limit).
-
- <b><a href="postconf.5.html#smtp_helo_timeout">smtp_helo_timeout</a> (300s)</b>
- The SMTP client time limit for sending the HELO or
- EHLO command, and for receiving the initial server
- response.
-
- <b><a href="postconf.5.html#lmtp_lhlo_timeout">lmtp_lhlo_timeout</a> (300s)</b>
- The LMTP client time limit for sending the LHLO
- command, and for receiving the initial server
- response.
-
- <b><a href="postconf.5.html#smtp_xforward_timeout">smtp_xforward_timeout</a> (300s)</b>
- The SMTP client time limit for sending the XFORWARD
- command, and for receiving the server response.
-
- <b><a href="postconf.5.html#smtp_mail_timeout">smtp_mail_timeout</a> (300s)</b>
- The SMTP client time limit for sending the MAIL
- FROM command, and for receiving the server
- response.
-
- <b><a href="postconf.5.html#smtp_rcpt_timeout">smtp_rcpt_timeout</a> (300s)</b>
- The SMTP client time limit for sending the SMTP
- RCPT TO command, and for receiving the server
- response.
-
- <b><a href="postconf.5.html#smtp_data_init_timeout">smtp_data_init_timeout</a> (120s)</b>
- The SMTP client time limit for sending the SMTP
- DATA command, and for receiving the server
- response.
-
- <b><a href="postconf.5.html#smtp_data_xfer_timeout">smtp_data_xfer_timeout</a> (180s)</b>
- The SMTP client time limit for sending the SMTP
- message content.
-
- <b><a href="postconf.5.html#smtp_data_done_timeout">smtp_data_done_timeout</a> (600s)</b>
- The SMTP client time limit for sending the SMTP
- ".", and for receiving the server response.
-
- <b><a href="postconf.5.html#smtp_quit_timeout">smtp_quit_timeout</a> (300s)</b>
- The SMTP client time limit for sending the QUIT
- command, and for receiving the server response.
-
- Available in Postfix version 2.1 and later:
-
- <b><a href="postconf.5.html#smtp_mx_address_limit">smtp_mx_address_limit</a> (5)</b>
- The maximal number of MX (mail exchanger) IP
- addresses that can result from mail exchanger
- lookups, or zero (no limit).
-
- <b><a href="postconf.5.html#smtp_mx_session_limit">smtp_mx_session_limit</a> (2)</b>
- The maximal number of SMTP sessions per delivery
- request before giving up or delivering to a fall-
- back <a href="postconf.5.html#relayhost">relay host</a>, or zero (no limit).
-
- <b><a href="postconf.5.html#smtp_rset_timeout">smtp_rset_timeout</a> (20s)</b>
- The SMTP client time limit for sending the RSET
- command, and for receiving the server response.
-
- Available in Postfix version 2.2 and earlier:
-
- <b><a href="postconf.5.html#lmtp_cache_connection">lmtp_cache_connection</a> (yes)</b>
- Keep Postfix LMTP client connections open for up to
- $<a href="postconf.5.html#max_idle">max_idle</a> seconds.
-
- Available in Postfix version 2.2 and later:
-
- <b><a href="postconf.5.html#smtp_connection_cache_destinations">smtp_connection_cache_destinations</a> (empty)</b>
- Permanently enable SMTP connection caching for the
- specified destinations.
-
- <b><a href="postconf.5.html#smtp_connection_cache_on_demand">smtp_connection_cache_on_demand</a> (yes)</b>
- Temporarily enable SMTP connection caching while a
- destination has a high volume of mail in the active
- queue.
-
- <b><a href="postconf.5.html#smtp_connection_reuse_time_limit">smtp_connection_reuse_time_limit</a> (300s)</b>
- The amount of time during which Postfix will use an
- SMTP connection repeatedly.
-
- <b><a href="postconf.5.html#smtp_connection_cache_time_limit">smtp_connection_cache_time_limit</a> (2s)</b>
- When SMTP connection caching is enabled, the amount
- of time that an unused SMTP client socket is kept
- open before it is closed.
-
- Available in Postfix version 2.3 and later:
-
- <b><a href="postconf.5.html#connection_cache_protocol_timeout">connection_cache_protocol_timeout</a> (5s)</b>
- Time limit for connection cache connect, send or
- receive operations.
-
-<b>TROUBLE SHOOTING CONTROLS</b>
- <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
- <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
-
- <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
- in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
-
- <b><a href="postconf.5.html#error_notice_recipient">error_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications about
- mail delivery problems that are caused by policy,
- resource, software or protocol errors.
-
- <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
- <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
-
- <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
- postmaster.
-
-<b>MISCELLANEOUS CONTROLS</b>
- <b><a href="postconf.5.html#best_mx_transport">best_mx_transport</a> (empty)</b>
- Where the Postfix SMTP client should deliver mail
- when it detects a "mail loops back to myself" error
- condition.
-
- <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
-
- <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
- built-in watchdog timer.
-
- <b><a href="postconf.5.html#delay_logging_resolution_limit">delay_logging_resolution_limit</a> (2)</b>
- The maximal number of digits after the decimal
- point when logging sub-second delay values.
-
- <b><a href="postconf.5.html#disable_dns_lookups">disable_dns_lookups</a> (no)</b>
- Disable DNS lookups in the Postfix SMTP and LMTP
- clients.
-
- <b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a> (all)</b>
- The network interface addresses that this mail sys-
- tem receives mail on.
-
- <b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
- when making or accepting connections.
-
- <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information
- over an internal communication channel.
-
- <b><a href="postconf.5.html#lmtp_tcp_port">lmtp_tcp_port</a> (24)</b>
- The default TCP port that the Postfix LMTP client
- connects to.
-
- <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
-
- <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
-
- <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
- The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
- address translation unit.
-
- <b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
- IPv4 connection.
-
- <b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
- IPv6 connection.
-
- <b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the SMTP EHLO or HELO com-
- mand.
-
- <b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the LMTP LHLO command.
-
- <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
- What mechanisms when the Postfix SMTP client uses
- to look up a host's IP address.
-
- <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
- Randomize the order of equal-preference MX host
- addresses.
-
- <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
- The syslog facility of Postfix logging.
-
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
- becomes, for example, "postfix/smtpd".
-
- Available with Postfix 2.2 and earlier:
-
- <b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
- Optional list of relay hosts for SMTP destinations
- that can't be found or that are unreachable.
-
- Available with Postfix 2.3 and later:
-
- <b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay hosts for SMTP destinations
- that can't be found or that are unreachable.
-
-<b>SEE ALSO</b>
- <a href="qmgr.8.html">qmgr(8)</a>, queue manager
- <a href="bounce.8.html">bounce(8)</a>, delivery status reports
- <a href="scache.8.html">scache(8)</a>, connection cache server
- <a href="postconf.5.html">postconf(5)</a>, configuration parameters
- <a href="master.5.html">master(5)</a>, generic daemon options
- <a href="master.8.html">master(8)</a>, process manager
- <a href="tlsmgr.8.html">tlsmgr(8)</a>, TLS session and PRNG management
- syslogd(8), system logging
-
-<b>README FILES</b>
- <a href="SASL_README.html">SASL_README</a>, Postfix SASL howto
- <a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
-
-<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
- software.
-
-<b>AUTHOR(S)</b>
- Wietse Venema
- IBM T.J. Watson Research
- P.O. Box 704
- Yorktown Heights, NY 10598, USA
-
- Command pipelining in cooperation with:
- Jon Ribbens
- Oaktree Internet Solutions Ltd.,
- Internet House,
- Canal Basin,
- Coventry,
- CV1 4LY, United Kingdom.
-
- SASL support originally by:
- Till Franke
- SuSE Rhein/Main AG
- 65760 Eschborn, Germany
-
- Connection caching in cooperation with:
- Victor Duchovni
- Morgan Stanley
-
- TLS support originally by:
- Lutz Jaenicke
- BTU Cottbus
- Allgemeine Elektrotechnik
- Universitaetsplatz 3-4
- D-03044 Cottbus, Germany
-
- SMTP(8)
-</pre> </body> </html>
--- /dev/null
+smtp.8.html
\ No newline at end of file
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#prepend_delivered_header">prepend_delivered_header</a> (command, file, forward)</b>
- The message delivery contexts where the Postfix
- <a href="local.8.html"><b>local</b>(8)</a> delivery agent prepends a Delivered-To:
- message header with the address that the mail was
+ The message delivery contexts where the Postfix
+ <a href="local.8.html"><b>local</b>(8)</a> delivery agent prepends a Delivered-To:
+ message header with the address that the mail was
delivered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a> (canonical, virtual)</b>
- What address lookup tables copy an address exten-
+ What address lookup tables copy an address exten-
sion from the lookup key to the lookup result.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
sions (user+foo).
<b><a href="postconf.5.html#require_home_directory">require_home_directory</a> (no)</b>
- Whether or not a <a href="local.8.html"><b>local</b>(8)</a> recipient's home direc-
- tory must exist before mail delivery is attempted.
+ Whether or not a <a href="local.8.html"><b>local</b>(8)</a> recipient's home direc-
+ tory must exist before mail delivery is attempted.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
The <b>Delivered-To:</b> message header appears in the <b>qmail</b> sys-
tem by Daniel Bernstein.
- The <i>maildir</i> structure appears in the <b>qmail</b> system by
+ The <i>maildir</i> structure appears in the <b>qmail</b> system by
Daniel Bernstein.
<b>AUTHOR(S)</b>
+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Postfix manual - sendmail(1) </title>
-</head> <body> <pre>
-SENDMAIL(1) SENDMAIL(1)
-
-<b>NAME</b>
- sendmail - Postfix to Sendmail compatibility interface
-
-<b>SYNOPSIS</b>
- <b>sendmail</b> [<i>option ...</i>] [<i>recipient ...</i>]
-
- <b>mailq</b>
- <b>sendmail -bp</b>
-
- <b>newaliases</b>
- <b>sendmail -I</b>
-
-<b>DESCRIPTION</b>
- The Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command implements the Postfix to
- Sendmail compatibility interface. For the sake of compat-
- ibility with existing applications, some Sendmail command-
- line options are recognized but silently ignored.
-
- By default, Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> reads a message from stan-
- dard input until EOF or until it reads a line with only a
- <b>.</b> character, and arranges for delivery. Postfix <a href="sendmail.1.html"><b>send-</b></a>
- <a href="sendmail.1.html"><b>mail</b>(1)</a> relies on the <a href="postdrop.1.html"><b>postdrop</b>(1)</a> command to create a
- queue file in the <b>maildrop</b> directory.
-
- Specific command aliases are provided for other common
- modes of operation:
-
- <b>mailq</b> List the mail queue. Each entry shows the queue
- file ID, message size, arrival time, sender, and
- the recipients that still need to be delivered. If
- mail could not be delivered upon the last attempt,
- the reason for failure is shown. This mode of oper-
- ation is implemented by executing the <a href="postqueue.1.html"><b>postqueue</b>(1)</a>
- command.
-
- <b>newaliases</b>
- Initialize the alias database. If no input file is
- specified (with the <b>-oA</b> option, see below), the
- program processes the file(s) specified with the
- <b><a href="postconf.5.html#alias_database">alias_database</a></b> configuration parameter. If no
- alias database type is specified, the program uses
- the type specified with the <b><a href="postconf.5.html#default_database_type">default_database_type</a></b>
- configuration parameter. This mode of operation is
- implemented by running the <a href="postalias.1.html"><b>postalias</b>(1)</a> command.
-
- Note: it may take a minute or so before an alias
- database update becomes visible. Use the "<b>postfix</b>
- <b>reload</b>" command to eliminate this delay.
-
- These and other features can be selected by specifying the
- appropriate combination of command-line options. Some fea-
- tures are controlled by parameters in the <a href="postconf.5.html"><b>main.cf</b></a> configu-
- ration file.
-
- The following options are recognized:
-
- <b>-Am</b> (ignored)
-
- <b>-Ac</b> (ignored)
- Postfix sendmail uses the same configuration file
- regardless of whether or not a message is an ini-
- tial submission.
-
- <b>-B</b> <i>body</i><b>_</b><i>type</i>
- The message body MIME type: <b>7BIT</b> or <b>8BITMIME</b>.
-
- <b>-bd</b> Go into daemon mode. This mode of operation is
- implemented by executing the "<b>postfix start</b>" com-
- mand.
-
- <b>-bh</b> (ignored)
-
- <b>-bH</b> (ignored)
- Postfix has no persistent host status database.
-
- <b>-bi</b> Initialize alias database. See the <b>newaliases</b> com-
- mand above.
-
- <b>-bm</b> Read mail from standard input and arrange for
- delivery. This is the default mode of operation.
-
- <b>-bp</b> List the mail queue. See the <b>mailq</b> command above.
-
- <b>-bs</b> Stand-alone SMTP server mode. Read SMTP commands
- from standard input, and write responses to stan-
- dard output. In stand-alone SMTP server mode, mail
- relaying and other access controls are disabled by
- default. To enable them, run the process as the
- <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> user.
-
- This mode of operation is implemented by running
- the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> daemon.
-
- <b>-bv</b> Do not collect or deliver a message. Instead, send
- an email report after verifying each recipient
- address. This is useful for testing address
- rewriting and routing configurations.
-
- This feature is available in Postfix version 2.1
- and later.
-
- <b>-C</b> <i>config</i><b>_</b><i>file</i>
-
- <b>-C</b> <i>config</i><b>_</b><i>dir</i>
- The path name of the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file, or of
- its parent directory. This information is ignored
- with Postfix versions before 2.3.
-
- With all Postfix versions, you can specify a direc-
- tory pathname with the MAIL_CONFIG environment
- variable to override the location of configuration
- files.
-
- <b>-F</b> <i>full</i><b>_</b><i>name</i>
- Set the sender full name. This overrides the NAME
- environment variable, and is used only with mes-
- sages that have no <b>From:</b> message header.
-
- <b>-f</b> <i>sender</i>
- Set the envelope sender address. This is the
- address where delivery problems are sent to. With
- Postfix versions before 2.1, the <b>Errors-To:</b> message
- header overrides the error return address.
-
- <b>-G</b> Gateway (relay) submission, as opposed to initial
- user submission. Either do not rewrite addresses
- at all, or update incomplete addresses with the
- domain information specified with <b>remote_header_re-</b>
- <b>write_domain</b>.
-
- This option is ignored before Postfix version 2.3.
-
- <b>-h</b> <i>hop</i><b>_</b><i>count</i> (ignored)
- Hop count limit. Use the <b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a></b> configura-
- tion parameter instead.
-
- <b>-I</b> Initialize alias database. See the <b>newaliases</b> com-
- mand above.
-
- <b>-i</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
- input.
-
- <b>-L</b> <i>label</i> (ignored)
- The logging label. Use the <b><a href="postconf.5.html#syslog_name">syslog_name</a></b> configura-
- tion parameter instead.
-
- <b>-m</b> (ignored)
- Backwards compatibility.
-
- <b>-N</b> <i>dsn</i> (default: 'delay, failure')
- Delivery status notification control. Specify
- either a comma-separated list with one or more of
- <b>failure</b> (send notification when delivery fails),
- <b>delay</b> (send notification when delivery is delayed),
- or <b>success</b> (send notification when the message is
- delivered); or specify <b>never</b> (don't send any noti-
- fications at all).
-
- This feature is available in Postfix 2.3 and later.
-
- <b>-n</b> (ignored)
- Backwards compatibility.
-
- <b>-oA</b><i>alias</i><b>_</b><i>database</i>
- Non-default alias database. Specify <i>pathname</i> or
- <i>type</i>:<i>pathname</i>. See <a href="postalias.1.html"><b>postalias</b>(1)</a> for details.
-
- <b>-O</b> <i>option=value</i> (ignored)
- Backwards compatibility.
-
- <b>-o7</b> (ignored)
-
- <b>-o8</b> (ignored)
- To send 8-bit or binary content, use an appropriate
- MIME encapsulation and specify the appropriate <b>-B</b>
- command-line option.
-
- <b>-oi</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
- input.
-
- <b>-om</b> (ignored)
- The sender is never eliminated from alias etc.
- expansions.
-
- <b>-o</b> <i>x value</i> (ignored)
- Set option <i>x</i> to <i>value</i>. Use the equivalent configu-
- ration parameter in <a href="postconf.5.html"><b>main.cf</b></a> instead.
-
- <b>-r</b> <i>sender</i>
- Set the envelope sender address. This is the
- address where delivery problems are sent to. With
- Postfix versions before 2.1, the <b>Errors-To:</b> message
- header overrides the error return address.
-
- <b>-R</b> <i>return</i><b>_</b><i>limit</i> (ignored)
- Limit the size of bounced mail. Use the
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a></b> configuration parameter instead.
-
- <b>-q</b> Attempt to deliver all queued mail. This is imple-
- mented by executing the <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command.
-
- Warning: flushing undeliverable mail frequently
- will result in poor delivery performance of all
- other mail.
-
- <b>-q</b><i>interval</i> (ignored)
- The interval between queue runs. Use the
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a></b> configuration parameter instead.
-
- <b>-qI</b><i>queueid</i>
- Schedule immediate delivery of mail with the speci-
- fied queue ID. This option is implemented by exe-
- cuting the <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command, and is available
- with Postfix version 2.4 and later.
-
- <b>-qR</b><i>site</i>
- Schedule immediate delivery of all mail that is
- queued for the named <i>site</i>. This option accepts only
- <i>site</i> names that are eligible for the "fast flush"
- service, and is implemented by executing the
- <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command. See <a href="flush.8.html"><b>flush</b>(8)</a> for more infor-
- mation about the "fast flush" service.
-
- <b>-qS</b><i>site</i>
- This command is not implemented. Use the slower
- "<b>sendmail -q</b>" command instead.
-
- <b>-t</b> Extract recipients from message headers. These are
- added to any recipients specified on the command
- line.
-
- With Postfix versions prior to 2.1, this option
- requires that no recipient addresses are specified
- on the command line.
-
- <b>-U</b> (ignored)
- Initial user submission.
-
- <b>-V</b> <i>envid</i>
- Specify the envelope ID for notification by servers
- that support DSN.
-
- This feature is available in Postfix 2.3 and later.
-
- <b>-XV</b> (Postfix 2.2 and earlier: <b>-V</b>)
- Variable Envelope Return Path. Given an envelope
- sender address of the form <i>owner-listname</i>@<i>origin</i>,
- each recipient <i>user</i>@<i>domain</i> receives mail with a
- personalized envelope sender address.
-
- By default, the personalized envelope sender
- address is <i>owner-listname</i><b>+</b><i>user</i><b>=</b><i>domain</i>@<i>origin</i>. The
- default <b>+</b> and <b>=</b> characters are configurable with
- the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configuration parame-
- ter.
-
- <b>-XV</b><i>xy</i> (Postfix 2.2 and earlier: <b>-V</b><i>xy</i>)
- As <b>-XV</b>, but uses <i>x</i> and <i>y</i> as the VERP delimiter
- characters, instead of the characters specified
- with the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configuration
- parameter.
-
- <b>-v</b> Send an email report of the first delivery attempt
- (Postfix versions 2.1 and later). Mail delivery
- always happens in the background. When multiple <b>-v</b>
- options are given, enable verbose logging for
- debugging purposes.
-
- <b>-X</b> <i>log</i><b>_</b><i>file</i> (ignored)
- Log mailer traffic. Use the <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a></b> and
- <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a></b> configuration parameters instead.
-
-<b>SECURITY</b>
- By design, this program is not set-user (or group) id.
- However, it must handle data from untrusted, possibly
- remote, users. Thus, the usual precautions need to be
- taken against malicious inputs.
-
-<b>DIAGNOSTICS</b>
- Problems are logged to <b>syslogd</b>(8) and to the standard
- error stream.
-
-<b>ENVIRONMENT</b>
- <b>MAIL_CONFIG</b>
- Directory with Postfix configuration files.
-
- <b>MAIL_VERBOSE</b> (value does not matter)
- Enable verbose logging for debugging purposes.
-
- <b>MAIL_DEBUG</b> (value does not matter)
- Enable debugging with an external command, as spec-
- ified with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> configuration
- parameter.
-
- <b>NAME</b> The sender full name. This is used only with mes-
- sages that have no <b>From:</b> message header. See also
- the <b>-F</b> option above.
-
-<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
- to this program. The text below provides only a parameter
- summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
- ples.
-
-<b>TROUBLE SHOOTING CONTROLS</b>
- The <a href="DEBUG_README.html">DEBUG_README</a> file gives examples of how to trouble
- shoot a Postfix system.
-
- <b><a href="postconf.5.html#debugger_command">debugger_command</a> (empty)</b>
- The external command to execute when a Postfix dae-
- mon program is invoked with the -D option.
-
- <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
- <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
-
- <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
- in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
-
-<b>ACCESS CONTROLS</b>
- Available in Postfix version 2.2 and later:
-
- <b><a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a> (static:anyone)</b>
- List of users who are authorized to flush the
- queue.
-
- <b><a href="postconf.5.html#authorized_mailq_users">authorized_mailq_users</a> (static:anyone)</b>
- List of users who are authorized to view the queue.
-
- <b><a href="postconf.5.html#authorized_submit_users">authorized_submit_users</a> (static:anyone)</b>
- List of users who are authorized to submit mail
- with the <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command (and with the privi-
- leged <a href="postdrop.1.html"><b>postdrop</b>(1)</a> helper command).
-
-<b>RESOURCE AND RATE CONTROLS</b>
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
- The maximal amount of original message text that is
- sent in a non-delivery notification.
-
- <b><a href="postconf.5.html#fork_attempts">fork_attempts</a> (5)</b>
- The maximal number of attempts to fork() a child
- process.
-
- <b><a href="postconf.5.html#fork_delay">fork_delay</a> (1s)</b>
- The delay between attempts to fork() a child
- process.
-
- <b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a> (50)</b>
- The maximal number of Received: message headers
- that is allowed in the primary message headers.
-
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (version dependent)</b>
- The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue
- manager.
-
-<b>FAST FLUSH CONTROLS</b>
- The <a href="ETRN_README.html">ETRN_README</a> file describes configuration and operation
- details for the Postfix "fast flush" service.
-
- <b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
- Optional list of destinations that are eligible for
- per-destination logfiles with mail that is queued
- to those destinations.
-
-<b>VERP CONTROLS</b>
- The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
- path addresses.
-
- <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
- The two default VERP delimiter characters.
-
- <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
- and in SMTP commands.
-
-<b>MISCELLANEOUS CONTROLS</b>
- <b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
- updated with "<b>newaliases</b>" or with "<b>sendmail -bi</b>".
-
- <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
- mands.
-
- <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
-
- <b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
- daemon programs.
-
- <b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
- The default database type for use in <a href="newaliases.1.html"><b>newaliases</b>(1)</a>,
- <a href="postalias.1.html"><b>postalias</b>(1)</a> and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
-
- <b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
- The time after which the sender receives the mes-
- sage headers of mail that is still queued.
-
- <b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
- Report mail delivery errors to the address speci-
- fied with the non-standard Errors-To: message
- header, instead of the envelope sender address
- (this feature is removed with Postfix version 2.2,
- is turned off by default with Postfix version 2.1,
- and is always turned on with older Postfix ver-
- sions).
-
- <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
- The UNIX system account that owns the Postfix queue
- and most Postfix daemon processes.
-
- <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
- tory.
-
- <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
- Don't rewrite message headers from remote clients
- at all when this parameter is empty; otherwise, re-
- write message headers and append the specified
- domain name to incomplete addresses.
-
- <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
- The syslog facility of Postfix logging.
-
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
- becomes, for example, "postfix/smtpd".
-
-<b>FILES</b>
- /var/spool/postfix, mail queue
- /etc/postfix, configuration files
-
-<b>SEE ALSO</b>
- <a href="pickup.8.html">pickup(8)</a>, mail pickup daemon
- <a href="qmgr.8.html">qmgr(8)</a>, queue manager
- <a href="smtpd.8.html">smtpd(8)</a>, SMTP server
- <a href="flush.8.html">flush(8)</a>, fast flush service
- <a href="postsuper.1.html">postsuper(1)</a>, queue maintenance
- <a href="postalias.1.html">postalias(1)</a>, create/update/query alias database
- <a href="postdrop.1.html">postdrop(1)</a>, mail posting utility
- <a href="postfix.1.html">postfix(1)</a>, mail system control
- <a href="postqueue.1.html">postqueue(1)</a>, mail queue control
- syslogd(8), system logging
-
-<b>README_FILES</b>
- <a href="DEBUG_README.html">DEBUG_README</a>, Postfix debugging howto
- <a href="ETRN_README.html">ETRN_README</a>, Postfix ETRN howto
- <a href="VERP_README.html">VERP_README</a>, Postfix VERP howto
-
-<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
- software.
-
-<b>AUTHOR(S)</b>
- Wietse Venema
- IBM T.J. Watson Research
- P.O. Box 704
- Yorktown Heights, NY 10598, USA
-
- SENDMAIL(1)
-</pre> </body> </html>
--- /dev/null
+sendmail.1.html
\ No newline at end of file
number server.
The behavior of the <a href="master.8.html"><b>master</b>(8)</a> daemon is controlled by the
- <
a href="master.5.html"><b>master.cf</b></a> configuration file, as described in <a href="master.5.html"><b>master</b>(5)</a>.
+ <
b>master.cf</b> configuration file, as described in <a href="master.5.html"><b>master</b>(5)</a>.
Options:
<b>-c</b> <i>config</i><b>_</b><i>dir</i>
- Read the <a href="postconf.5.html"><b>main.cf</b></a> and <a href="master.5.html"><b>master.cf</b></a> configuration files
+ Read the <b>main.cf</b> and <b>master.cf</b> configuration files
in the named directory instead of the default con-
figuration directory. This also overrides the con-
figuration files for other Postfix daemon pro-
<b>-D</b> After initialization, run a debugger on the master
process. The debugging command is specified with
- the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> in the <a href="postconf.5.html"><b>main.cf</b></a> global configu-
+ the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> in the <b>main.cf</b> global configu-
ration file.
<b>-d</b> Do not redirect stdin, stdout or stderr to
<b>SIGHUP</b> Upon receipt of a <b>HUP</b> signal (e.g., after "<b>postfix</b>
<b>reload</b>"), the master process re-reads its configu-
ration files. If a service has been removed from
- the <a href="master.5.html"><b>master.cf</b></a> file, its running processes are ter-
+ the <b>master.cf</b> file, its running processes are ter-
minated immediately. Otherwise, running processes
are allowed to terminate as soon as is convenient,
so that changes in configuration settings affect
<b>MAIL_DEBUG</b>
After initialization, start a debugger as specified
with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> configuration parameter
- in the <a href="postconf.5.html"><b>main.cf</b></a> configuration file.
+ in the <b>main.cf</b> configuration file.
<b>MAIL_CONFIG</b>
Directory with Postfix configuration files.
<b>CONFIGURATION PARAMETERS</b>
Unlike most Postfix daemon processes, the <a href="master.8.html"><b>master</b>(8)</a> server
- does not automatically pick up changes to <a href="postconf.5.html"><b>main.cf</b></a>. Changes
- to <a href="master.5.html"><b>master.cf</b></a> are never picked up automatically. Use the
+ does not automatically pick up changes to <b>main.cf</b>. Changes
+ to <b>master.cf</b> are never picked up automatically. Use the
"<b>postfix reload</b>" command after a configuration change.
<b>RESOURCE AND RATE CONTROLS</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#service_throttle_time">service_throttle_time</a> (60s)</b>
How long the Postfix <a href="master.8.html"><b>master</b>(8)</a> waits before forking
<b>MISCELLANEOUS CONTROLS</b>
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
+ The default location of the Postfix main.cf and
+ master.cf configuration files.
<b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
+ The directory with Postfix support programs and
daemon programs.
<b><a href="postconf.5.html#debugger_command">debugger_command</a> (empty)</b>
tem receives mail on.
<b><a href="postconf.5.html#inet_protocols">inet_protocols</a> (ipv4)</b>
- The Internet protocols Postfix will attempt to use
+ The Internet protocols Postfix will attempt to use
when making or accepting connections.
<b><a href="postconf.5.html#import_environment">import_environment</a> (see 'postconf -d' output)</b>
- The list of environment parameters that a Postfix
+ The list of environment parameters that a Postfix
process will import from a non-Postfix parent
process.
and most Postfix daemon processes.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
- /etc/postfix/<a href="postconf.5.html">main.cf</a>, global configuration file.
- /etc/postfix/<a href="master.5.html">master.cf</a>, master server configuration file.
+ /etc/postfix/main.cf, global configuration file.
+ /etc/postfix/master.cf, master server configuration file.
/var/spool/postfix/pid/master.pid, master lock file.
<b>SEE ALSO</b>
<a href="qmgr.8.html">qmgr(8)</a>, queue manager
<a href="verify.8.html">verify(8)</a>, address verification
- <a href="master.5.html">master(5)</a>, <a href="master.5.html">master.cf</a> configuration file syntax
- <a href="postconf.5.html">postconf(5)</a>, <a href="postconf.5.html">main.cf</a> configuration parameter syntax
+ <a href="master.5.html">master(5)</a>, master.cf configuration file syntax
+ <a href="postconf.5.html">postconf(5)</a>, main.cf configuration parameter syntax
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Postfix manual - sendmail(1) </title>
-</head> <body> <pre>
-SENDMAIL(1) SENDMAIL(1)
-
-<b>NAME</b>
- sendmail - Postfix to Sendmail compatibility interface
-
-<b>SYNOPSIS</b>
- <b>sendmail</b> [<i>option ...</i>] [<i>recipient ...</i>]
-
- <b>mailq</b>
- <b>sendmail -bp</b>
-
- <b>newaliases</b>
- <b>sendmail -I</b>
-
-<b>DESCRIPTION</b>
- The Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command implements the Postfix to
- Sendmail compatibility interface. For the sake of compat-
- ibility with existing applications, some Sendmail command-
- line options are recognized but silently ignored.
-
- By default, Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> reads a message from stan-
- dard input until EOF or until it reads a line with only a
- <b>.</b> character, and arranges for delivery. Postfix <a href="sendmail.1.html"><b>send-</b></a>
- <a href="sendmail.1.html"><b>mail</b>(1)</a> relies on the <a href="postdrop.1.html"><b>postdrop</b>(1)</a> command to create a
- queue file in the <b>maildrop</b> directory.
-
- Specific command aliases are provided for other common
- modes of operation:
-
- <b>mailq</b> List the mail queue. Each entry shows the queue
- file ID, message size, arrival time, sender, and
- the recipients that still need to be delivered. If
- mail could not be delivered upon the last attempt,
- the reason for failure is shown. This mode of oper-
- ation is implemented by executing the <a href="postqueue.1.html"><b>postqueue</b>(1)</a>
- command.
-
- <b>newaliases</b>
- Initialize the alias database. If no input file is
- specified (with the <b>-oA</b> option, see below), the
- program processes the file(s) specified with the
- <b><a href="postconf.5.html#alias_database">alias_database</a></b> configuration parameter. If no
- alias database type is specified, the program uses
- the type specified with the <b><a href="postconf.5.html#default_database_type">default_database_type</a></b>
- configuration parameter. This mode of operation is
- implemented by running the <a href="postalias.1.html"><b>postalias</b>(1)</a> command.
-
- Note: it may take a minute or so before an alias
- database update becomes visible. Use the "<b>postfix</b>
- <b>reload</b>" command to eliminate this delay.
-
- These and other features can be selected by specifying the
- appropriate combination of command-line options. Some fea-
- tures are controlled by parameters in the <a href="postconf.5.html"><b>main.cf</b></a> configu-
- ration file.
-
- The following options are recognized:
-
- <b>-Am</b> (ignored)
-
- <b>-Ac</b> (ignored)
- Postfix sendmail uses the same configuration file
- regardless of whether or not a message is an ini-
- tial submission.
-
- <b>-B</b> <i>body</i><b>_</b><i>type</i>
- The message body MIME type: <b>7BIT</b> or <b>8BITMIME</b>.
-
- <b>-bd</b> Go into daemon mode. This mode of operation is
- implemented by executing the "<b>postfix start</b>" com-
- mand.
-
- <b>-bh</b> (ignored)
-
- <b>-bH</b> (ignored)
- Postfix has no persistent host status database.
-
- <b>-bi</b> Initialize alias database. See the <b>newaliases</b> com-
- mand above.
-
- <b>-bm</b> Read mail from standard input and arrange for
- delivery. This is the default mode of operation.
-
- <b>-bp</b> List the mail queue. See the <b>mailq</b> command above.
-
- <b>-bs</b> Stand-alone SMTP server mode. Read SMTP commands
- from standard input, and write responses to stan-
- dard output. In stand-alone SMTP server mode, mail
- relaying and other access controls are disabled by
- default. To enable them, run the process as the
- <b><a href="postconf.5.html#mail_owner">mail_owner</a></b> user.
-
- This mode of operation is implemented by running
- the <a href="smtpd.8.html"><b>smtpd</b>(8)</a> daemon.
-
- <b>-bv</b> Do not collect or deliver a message. Instead, send
- an email report after verifying each recipient
- address. This is useful for testing address
- rewriting and routing configurations.
-
- This feature is available in Postfix version 2.1
- and later.
-
- <b>-C</b> <i>config</i><b>_</b><i>file</i>
-
- <b>-C</b> <i>config</i><b>_</b><i>dir</i>
- The path name of the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file, or of
- its parent directory. This information is ignored
- with Postfix versions before 2.3.
-
- With all Postfix versions, you can specify a direc-
- tory pathname with the MAIL_CONFIG environment
- variable to override the location of configuration
- files.
-
- <b>-F</b> <i>full</i><b>_</b><i>name</i>
- Set the sender full name. This overrides the NAME
- environment variable, and is used only with mes-
- sages that have no <b>From:</b> message header.
-
- <b>-f</b> <i>sender</i>
- Set the envelope sender address. This is the
- address where delivery problems are sent to. With
- Postfix versions before 2.1, the <b>Errors-To:</b> message
- header overrides the error return address.
-
- <b>-G</b> Gateway (relay) submission, as opposed to initial
- user submission. Either do not rewrite addresses
- at all, or update incomplete addresses with the
- domain information specified with <b>remote_header_re-</b>
- <b>write_domain</b>.
-
- This option is ignored before Postfix version 2.3.
-
- <b>-h</b> <i>hop</i><b>_</b><i>count</i> (ignored)
- Hop count limit. Use the <b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a></b> configura-
- tion parameter instead.
-
- <b>-I</b> Initialize alias database. See the <b>newaliases</b> com-
- mand above.
-
- <b>-i</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
- input.
-
- <b>-L</b> <i>label</i> (ignored)
- The logging label. Use the <b><a href="postconf.5.html#syslog_name">syslog_name</a></b> configura-
- tion parameter instead.
-
- <b>-m</b> (ignored)
- Backwards compatibility.
-
- <b>-N</b> <i>dsn</i> (default: 'delay, failure')
- Delivery status notification control. Specify
- either a comma-separated list with one or more of
- <b>failure</b> (send notification when delivery fails),
- <b>delay</b> (send notification when delivery is delayed),
- or <b>success</b> (send notification when the message is
- delivered); or specify <b>never</b> (don't send any noti-
- fications at all).
-
- This feature is available in Postfix 2.3 and later.
-
- <b>-n</b> (ignored)
- Backwards compatibility.
-
- <b>-oA</b><i>alias</i><b>_</b><i>database</i>
- Non-default alias database. Specify <i>pathname</i> or
- <i>type</i>:<i>pathname</i>. See <a href="postalias.1.html"><b>postalias</b>(1)</a> for details.
-
- <b>-O</b> <i>option=value</i> (ignored)
- Backwards compatibility.
-
- <b>-o7</b> (ignored)
-
- <b>-o8</b> (ignored)
- To send 8-bit or binary content, use an appropriate
- MIME encapsulation and specify the appropriate <b>-B</b>
- command-line option.
-
- <b>-oi</b> When reading a message from standard input, don't
- treat a line with only a <b>.</b> character as the end of
- input.
-
- <b>-om</b> (ignored)
- The sender is never eliminated from alias etc.
- expansions.
-
- <b>-o</b> <i>x value</i> (ignored)
- Set option <i>x</i> to <i>value</i>. Use the equivalent configu-
- ration parameter in <a href="postconf.5.html"><b>main.cf</b></a> instead.
-
- <b>-r</b> <i>sender</i>
- Set the envelope sender address. This is the
- address where delivery problems are sent to. With
- Postfix versions before 2.1, the <b>Errors-To:</b> message
- header overrides the error return address.
-
- <b>-R</b> <i>return</i><b>_</b><i>limit</i> (ignored)
- Limit the size of bounced mail. Use the
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a></b> configuration parameter instead.
-
- <b>-q</b> Attempt to deliver all queued mail. This is imple-
- mented by executing the <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command.
-
- Warning: flushing undeliverable mail frequently
- will result in poor delivery performance of all
- other mail.
-
- <b>-q</b><i>interval</i> (ignored)
- The interval between queue runs. Use the
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a></b> configuration parameter instead.
-
- <b>-qI</b><i>queueid</i>
- Schedule immediate delivery of mail with the speci-
- fied queue ID. This option is implemented by exe-
- cuting the <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command, and is available
- with Postfix version 2.4 and later.
-
- <b>-qR</b><i>site</i>
- Schedule immediate delivery of all mail that is
- queued for the named <i>site</i>. This option accepts only
- <i>site</i> names that are eligible for the "fast flush"
- service, and is implemented by executing the
- <a href="postqueue.1.html"><b>postqueue</b>(1)</a> command. See <a href="flush.8.html"><b>flush</b>(8)</a> for more infor-
- mation about the "fast flush" service.
-
- <b>-qS</b><i>site</i>
- This command is not implemented. Use the slower
- "<b>sendmail -q</b>" command instead.
-
- <b>-t</b> Extract recipients from message headers. These are
- added to any recipients specified on the command
- line.
-
- With Postfix versions prior to 2.1, this option
- requires that no recipient addresses are specified
- on the command line.
-
- <b>-U</b> (ignored)
- Initial user submission.
-
- <b>-V</b> <i>envid</i>
- Specify the envelope ID for notification by servers
- that support DSN.
-
- This feature is available in Postfix 2.3 and later.
-
- <b>-XV</b> (Postfix 2.2 and earlier: <b>-V</b>)
- Variable Envelope Return Path. Given an envelope
- sender address of the form <i>owner-listname</i>@<i>origin</i>,
- each recipient <i>user</i>@<i>domain</i> receives mail with a
- personalized envelope sender address.
-
- By default, the personalized envelope sender
- address is <i>owner-listname</i><b>+</b><i>user</i><b>=</b><i>domain</i>@<i>origin</i>. The
- default <b>+</b> and <b>=</b> characters are configurable with
- the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configuration parame-
- ter.
-
- <b>-XV</b><i>xy</i> (Postfix 2.2 and earlier: <b>-V</b><i>xy</i>)
- As <b>-XV</b>, but uses <i>x</i> and <i>y</i> as the VERP delimiter
- characters, instead of the characters specified
- with the <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a></b> configuration
- parameter.
-
- <b>-v</b> Send an email report of the first delivery attempt
- (Postfix versions 2.1 and later). Mail delivery
- always happens in the background. When multiple <b>-v</b>
- options are given, enable verbose logging for
- debugging purposes.
-
- <b>-X</b> <i>log</i><b>_</b><i>file</i> (ignored)
- Log mailer traffic. Use the <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a></b> and
- <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a></b> configuration parameters instead.
-
-<b>SECURITY</b>
- By design, this program is not set-user (or group) id.
- However, it must handle data from untrusted, possibly
- remote, users. Thus, the usual precautions need to be
- taken against malicious inputs.
-
-<b>DIAGNOSTICS</b>
- Problems are logged to <b>syslogd</b>(8) and to the standard
- error stream.
-
-<b>ENVIRONMENT</b>
- <b>MAIL_CONFIG</b>
- Directory with Postfix configuration files.
-
- <b>MAIL_VERBOSE</b> (value does not matter)
- Enable verbose logging for debugging purposes.
-
- <b>MAIL_DEBUG</b> (value does not matter)
- Enable debugging with an external command, as spec-
- ified with the <b><a href="postconf.5.html#debugger_command">debugger_command</a></b> configuration
- parameter.
-
- <b>NAME</b> The sender full name. This is used only with mes-
- sages that have no <b>From:</b> message header. See also
- the <b>-F</b> option above.
-
-<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
- to this program. The text below provides only a parameter
- summary. See <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including exam-
- ples.
-
-<b>TROUBLE SHOOTING CONTROLS</b>
- The <a href="DEBUG_README.html">DEBUG_README</a> file gives examples of how to trouble
- shoot a Postfix system.
-
- <b><a href="postconf.5.html#debugger_command">debugger_command</a> (empty)</b>
- The external command to execute when a Postfix dae-
- mon program is invoked with the -D option.
-
- <b><a href="postconf.5.html#debug_peer_level">debug_peer_level</a> (2)</b>
- The increment in verbose logging level when a
- remote client or server matches a pattern in the
- <a href="postconf.5.html#debug_peer_list">debug_peer_list</a> parameter.
-
- <b><a href="postconf.5.html#debug_peer_list">debug_peer_list</a> (empty)</b>
- Optional list of remote client or server hostname
- or network address patterns that cause the verbose
- logging level to increase by the amount specified
- in $<a href="postconf.5.html#debug_peer_level">debug_peer_level</a>.
-
-<b>ACCESS CONTROLS</b>
- Available in Postfix version 2.2 and later:
-
- <b><a href="postconf.5.html#authorized_flush_users">authorized_flush_users</a> (static:anyone)</b>
- List of users who are authorized to flush the
- queue.
-
- <b><a href="postconf.5.html#authorized_mailq_users">authorized_mailq_users</a> (static:anyone)</b>
- List of users who are authorized to view the queue.
-
- <b><a href="postconf.5.html#authorized_submit_users">authorized_submit_users</a> (static:anyone)</b>
- List of users who are authorized to submit mail
- with the <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command (and with the privi-
- leged <a href="postdrop.1.html"><b>postdrop</b>(1)</a> helper command).
-
-<b>RESOURCE AND RATE CONTROLS</b>
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
- The maximal amount of original message text that is
- sent in a non-delivery notification.
-
- <b><a href="postconf.5.html#fork_attempts">fork_attempts</a> (5)</b>
- The maximal number of attempts to fork() a child
- process.
-
- <b><a href="postconf.5.html#fork_delay">fork_delay</a> (1s)</b>
- The delay between attempts to fork() a child
- process.
-
- <b><a href="postconf.5.html#hopcount_limit">hopcount_limit</a> (50)</b>
- The maximal number of Received: message headers
- that is allowed in the primary message headers.
-
- <b><a href="postconf.5.html#queue_run_delay">queue_run_delay</a> (version dependent)</b>
- The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue
- manager.
-
-<b>FAST FLUSH CONTROLS</b>
- The <a href="ETRN_README.html">ETRN_README</a> file describes configuration and operation
- details for the Postfix "fast flush" service.
-
- <b><a href="postconf.5.html#fast_flush_domains">fast_flush_domains</a> ($<a href="postconf.5.html#relay_domains">relay_domains</a>)</b>
- Optional list of destinations that are eligible for
- per-destination logfiles with mail that is queued
- to those destinations.
-
-<b>VERP CONTROLS</b>
- The <a href="VERP_README.html">VERP_README</a> file describes configuration and operation
- details of Postfix support for variable envelope return
- path addresses.
-
- <b><a href="postconf.5.html#default_verp_delimiters">default_verp_delimiters</a> (+=)</b>
- The two default VERP delimiter characters.
-
- <b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
- and in SMTP commands.
-
-<b>MISCELLANEOUS CONTROLS</b>
- <b><a href="postconf.5.html#alias_database">alias_database</a> (see 'postconf -d' output)</b>
- The alias databases for <a href="local.8.html"><b>local</b>(8)</a> delivery that are
- updated with "<b>newaliases</b>" or with "<b>sendmail -bi</b>".
-
- <b><a href="postconf.5.html#command_directory">command_directory</a> (see 'postconf -d' output)</b>
- The location of all postfix administrative com-
- mands.
-
- <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
-
- <b><a href="postconf.5.html#daemon_directory">daemon_directory</a> (see 'postconf -d' output)</b>
- The directory with Postfix support programs and
- daemon programs.
-
- <b><a href="postconf.5.html#default_database_type">default_database_type</a> (see 'postconf -d' output)</b>
- The default database type for use in <a href="newaliases.1.html"><b>newaliases</b>(1)</a>,
- <a href="postalias.1.html"><b>postalias</b>(1)</a> and <a href="postmap.1.html"><b>postmap</b>(1)</a> commands.
-
- <b><a href="postconf.5.html#delay_warning_time">delay_warning_time</a> (0h)</b>
- The time after which the sender receives the mes-
- sage headers of mail that is still queued.
-
- <b><a href="postconf.5.html#enable_errors_to">enable_errors_to</a> (no)</b>
- Report mail delivery errors to the address speci-
- fied with the non-standard Errors-To: message
- header, instead of the envelope sender address
- (this feature is removed with Postfix version 2.2,
- is turned off by default with Postfix version 2.1,
- and is always turned on with older Postfix ver-
- sions).
-
- <b><a href="postconf.5.html#mail_owner">mail_owner</a> (postfix)</b>
- The UNIX system account that owns the Postfix queue
- and most Postfix daemon processes.
-
- <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
- tory.
-
- <b><a href="postconf.5.html#remote_header_rewrite_domain">remote_header_rewrite_domain</a> (empty)</b>
- Don't rewrite message headers from remote clients
- at all when this parameter is empty; otherwise, re-
- write message headers and append the specified
- domain name to incomplete addresses.
-
- <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
- The syslog facility of Postfix logging.
-
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
- becomes, for example, "postfix/smtpd".
-
-<b>FILES</b>
- /var/spool/postfix, mail queue
- /etc/postfix, configuration files
-
-<b>SEE ALSO</b>
- <a href="pickup.8.html">pickup(8)</a>, mail pickup daemon
- <a href="qmgr.8.html">qmgr(8)</a>, queue manager
- <a href="smtpd.8.html">smtpd(8)</a>, SMTP server
- <a href="flush.8.html">flush(8)</a>, fast flush service
- <a href="postsuper.1.html">postsuper(1)</a>, queue maintenance
- <a href="postalias.1.html">postalias(1)</a>, create/update/query alias database
- <a href="postdrop.1.html">postdrop(1)</a>, mail posting utility
- <a href="postfix.1.html">postfix(1)</a>, mail system control
- <a href="postqueue.1.html">postqueue(1)</a>, mail queue control
- syslogd(8), system logging
-
-<b>README_FILES</b>
- <a href="DEBUG_README.html">DEBUG_README</a>, Postfix debugging howto
- <a href="ETRN_README.html">ETRN_README</a>, Postfix ETRN howto
- <a href="VERP_README.html">VERP_README</a>, Postfix VERP howto
-
-<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
- software.
-
-<b>AUTHOR(S)</b>
- Wietse Venema
- IBM T.J. Watson Research
- P.O. Box 704
- Yorktown Heights, NY 10598, USA
-
- SENDMAIL(1)
-</pre> </body> </html>
--- /dev/null
+sendmail.1.html
\ No newline at end of file
<b>o</b> Postfix NIS+ map names use "<b>;</b>" instead of "<b>,</b>",
because the latter character is special in the
- Postfix <a href="postconf.5.html">main.cf</a> file. Postfix replaces "<b>;</b>" charac-
+ Postfix main.cf file. Postfix replaces "<b>;</b>" charac-
ters in the map name by "<b>,</b>" before making NIS+
queries.
Cambridge
CB10 1SB, UK
+ Based on the NIS client code:
+
Adopted and adapted by:
Wietse Venema
IBM T.J. Watson Research
pcre_table - format of Postfix PCRE tables
<b>SYNOPSIS</b>
- <b>postmap -q "</b><i>string</i><b>" <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i>
+ <b>postmap -
fq "</b><i>string</i><b>" <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i>
- <b>postmap -q - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
+ <b>postmap -
fq - <a href="pcre_table.5.html">pcre</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
<b>DESCRIPTION</b>
The Postfix mail system uses optional tables for address
Alternatively, lookup tables can be specified in Perl Com-
patible Regular Expression form. In this case, each input
- is compared against a list of patterns. When a match is
- found, the corresponding result is returned and the search
- is terminated.
+ is compared against a list of patterns, and when a match
+ is found the corresponding result is returned.
- To find out what types of lookup tables your Postfix sys-
+ To find out what types of lookup tables your Postfix sys-
tem supports use the "<b>postconf -m</b>" command.
- To test lookup tables, use the "<b>postmap -q</b>" command as
+ To test lookup tables, use the "<b>postmap -fq</b>" command as
described in the SYNOPSIS above.
-<b>COMPATIBILITY</b>
- With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>"
- to query a table that contains case sensitive patterns.
- Patterns are case insensitive by default.
-
<b>TABLE FORMAT</b>
The general form of a PCRE table is:
responding <i>result</i> value.
<b>!/</b><i>pattern</i><b>/</b><i>flags result</i>
- When <i>pattern</i> does <b>not</b> match the input string, use
+ When <i>pattern</i> does <b>not</b> match the input string, use
the corresponding <i>result</i> value.
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the input string also
+ <b>if</b> and <b>endif</b>, if and only if the input string also
matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
This feature is available in Postfix 2.1 and later.
<b>if !/</b><i>pattern</i><b>/</b><i>flags</i>
<b>endif</b> Match the input string against the patterns between
- <b>if</b> and <b>endif</b>, if and only if the input string does
+ <b>if</b> and <b>endif</b>, if and only if the input string does
<b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
This feature is available in Postfix 2.1 and later.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A logical line starts with non-whitespace text. A
- line that starts with whitespace continues a logi-
+ A logical line starts with non-whitespace text. A
+ line that starts with whitespace continues a logi-
cal line.
Each pattern is a perl-like regular expression. The
- expression delimiter can be any character, except white-
- space or characters that have special meaning (tradition-
- ally the forward slash is used). The regular expression
+ expression delimiter can be any character, except white-
+ space or characters that have special meaning (tradition-
+ ally the forward slash is used). The regular expression
can contain whitespace.
By default, matching is case-insensitive, and newlines are
- not treated as special characters. The behavior is con-
- trolled by flags, which are toggled by appending one or
+ not treated as special characters. The behavior is con-
+ trolled by flags, which are toggled by appending one or
more of the following characters after the pattern:
<b>i</b> (default: on)
- Toggles the case sensitivity flag. By default,
+ Toggles the case sensitivity flag. By default,
matching is case insensitive.
<b>m</b> (default: off)
- Toggles the PCRE_MULTILINE flag. When this flag is
- on, the <b>^</b> and <b>$</b> metacharacters match immediately
- after and immediately before a newline character,
- respectively, in addition to matching at the start
+ Toggles the PCRE_MULTILINE flag. When this flag is
+ on, the <b>^</b> and <b>$</b> metacharacters match immediately
+ after and immediately before a newline character,
+ respectively, in addition to matching at the start
and end of the subject string.
<b>s</b> (default: on)
Toggles the PCRE_DOTALL flag. When this flag is on,
the <b>.</b> metacharacter matches the newline character.
With Postfix versions prior to 2.0, The flag is off
- by default, which is inconvenient for multi-line
+ by default, which is inconvenient for multi-line
message header matching.
<b>x</b> (default: off)
- Toggles the pcre extended flag. When this flag is
- on, whitespace in the pattern (other than in a
+ Toggles the pcre extended flag. When this flag is
+ on, whitespace in the pattern (other than in a
character class) and characters between a <b>#</b> outside
- a character class and the next newline character
- are ignored. An escaping backslash can be used to
- include a whitespace or <b>#</b> character as part of the
+ a character class and the next newline character
+ are ignored. An escaping backslash can be used to
+ include a whitespace or <b>#</b> character as part of the
pattern.
<b>A</b> (default: off)
- Toggles the PCRE_ANCHORED flag. When this flag is
- on, the pattern is forced to be "anchored", that
+ Toggles the PCRE_ANCHORED flag. When this flag is
+ on, the pattern is forced to be "anchored", that
is, it is constrained to match only at the start of
- the string which is being searched (the "subject
- string"). This effect can also be achieved by
+ the string which is being searched (the "subject
+ string"). This effect can also be achieved by
appropriate constructs in the pattern itself.
<b>E</b> (default: off)
- Toggles the PCRE_DOLLAR_ENDONLY flag. When this
- flag is on, a <b>$</b> metacharacter in the pattern
- matches only at the end of the subject string.
- Without this flag, a dollar also matches immedi-
+ Toggles the PCRE_DOLLAR_ENDONLY flag. When this
+ flag is on, a <b>$</b> metacharacter in the pattern
+ matches only at the end of the subject string.
+ Without this flag, a dollar also matches immedi-
ately before the final character if it is a newline
character (but not before any other newline charac-
- ters). This flag is ignored if PCRE_MULTILINE flag
+ ters). This flag is ignored if PCRE_MULTILINE flag
is set.
<b>U</b> (default: off)
Toggles the ungreedy matching flag. When this flag
- is on, the pattern matching engine inverts the
- "greediness" of the quantifiers so that they are
- not greedy by default, but become greedy if fol-
- lowed by "?". This flag can also set by a (?U)
+ is on, the pattern matching engine inverts the
+ "greediness" of the quantifiers so that they are
+ not greedy by default, but become greedy if fol-
+ lowed by "?". This flag can also set by a (?U)
modifier within the pattern.
<b>X</b> (default: off)
Toggles the PCRE_EXTRA flag. When this flag is on,
- any backslash in a pattern that is followed by a
+ any backslash in a pattern that is followed by a
letter that has no special meaning causes an error,
thus reserving these combinations for future expan-
sion.
<b>SEARCH ORDER</b>
- Patterns are applied in the order as specified in the ta-
- ble, until a pattern is found that matches the input
+ Patterns are applied in the order as specified in the ta-
+ ble, until a pattern is found that matches the input
string.
- Each pattern is applied to the entire input string.
- Depending on the application, that string is an entire
+ Each pattern is applied to the entire input string.
+ Depending on the application, that string is an entire
client hostname, an entire client IP address, or an entire
- mail address. Thus, no parent domain or parent network
- search is done, and <i>user@domain</i> mail addresses are not
- broken up into their <i>user</i> and <i>domain</i> constituent parts,
+ mail address. Thus, no parent domain or parent network
+ search is done, and <i>user@domain</i> mail addresses are not
+ broken up into their <i>user</i> and <i>domain</i> constituent parts,
nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
<b>TEXT SUBSTITUTION</b>
- Substitution of substrings from the matched expression
- into the result string is possible using the conventional
- perl syntax ($1, $2, etc.); specify $$ to produce a $
- character as output. The macros in the result string may
+ Substitution of substrings from the matched expression
+ into the result string is possible using the conventional
+ perl syntax ($1, $2, etc.); specify $$ to produce a $
+ character as output. The macros in the result string may
need to be written as ${n} or $(n) if they aren't followed
by whitespace.
- Note: since negated patterns (those preceded by <b>!</b>) return
+ Note: since negated patterns (those preceded by <b>!</b>) return
a result when the expression does not match, substitutions
are not available for negated patterns.
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
ware.
<b>null_sender</b>=<i>replacement</i> (default: MAILER-DAEMON)
- Replace the null sender address (typically used for
- delivery status notifications) with the specified
- text when expanding the <b>$sender</b> command-line macro,
- and when generating a From_ or Return-Path: message
- header.
+ Replace the null sender address, which is typically
+ used for delivery status notifications, with the
+ specified text when expanding the <b>$sender</b> command-
+ line macro, and when generating a From_ or Return-
+ Path: message header.
If the null sender replacement text is a non-empty
string then it is affected by the <b>q</b> flag for
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
</p>
<p>
-This feature is implemented by the <a href="anvil.8.html">anvil(8)</a> service which is available
-in Postfix version 2.2 and later.
+This feature is implemented by the <a href="anvil.8.html">anvil(8)</a> service which is not
+part of the stable Postfix version 2.1 release.
</p>
<p>
<ul>
-<li> a = time from message arrival to last <a href="QSHAPE_README.html#active_queue">active queue</a> entry
+<li> a = time before the queue manager, including message transmission
-<li> b = time from last <a href="QSHAPE_README.html#active_queue">active queue</a> entry to connection setup
+<li> b = time in queue manager
<li> c = time in connection setup, including DNS, EHLO and TLS
</p>
<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
-but this form is not required here. </p>
+but this form is not recommended here. </p>
<p> When <a href="postconf.5.html#inet_interfaces">inet_interfaces</a> specifies just one IPv4 and/or IPv6 address
that is not a loopback address, the Postfix SMTP client will use
</DD>
<DT><b><a name="lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a>
-(default: empty)</b></DT><DD>
+(default: $<a href="postconf.5.html#myhostname">myhostname</a>)</b></DT><DD>
<p> A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the LMTP client will ignore in the LHLO response
(default: 100s)</b></DT><DD>
<p>
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily. This
-parameter
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting. This parameter
is ignored by the Postfix queue manager and by other long-lived
Postfix daemon processes.
</p>
(default: 100)</b></DT><DD>
<p>
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily. This parameter
-is ignored by the Postfix queue
+The maximal number of connection requests before a Postfix daemon
+process terminates. This parameter is ignored by the Postfix queue
manager and by other long-lived Postfix daemon processes.
</p>
</DD>
<DT><b><a name="minimal_backoff_time">minimal_backoff_time</a>
-(default: 300s)</b></DT><DD>
-
-<p>
-The minimal time between attempts to deliver a deferred message;
-prior to Postfix 2.4 the default value was 1000s.
-</p>
+(default: version dependent)</b></DT><DD>
<p>
+The minimal time between attempts to deliver a deferred message.
This parameter also limits the time an unreachable destination is
kept in the short-term, in-memory, destination status cache.
</p>
+<p> With Postfix 2.4 the default value was reduced from 1000s to
+300s. </p>
+
<p> This parameter should be set greater than or equal to
$<a href="postconf.5.html#queue_run_delay">queue_run_delay</a>. See also $<a href="postconf.5.html#maximal_backoff_time">maximal_backoff_time</a>. </p>
</DD>
<DT><b><a name="queue_run_delay">queue_run_delay</a>
-(default: 300s)</b></DT><DD>
+(default: version dependent)</b></DT><DD>
<p>
-The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue manager;
-prior to Postfix 2.4 the default value was 1000s.
+The time between <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> scans by the queue manager.
+</p>
+
+<p>
+With Postfix 2.4 the default value was reduced from 1000s to 300s.
</p>
<p> This parameter should be set less than or equal to
<p> Optional lookup tables with all valid addresses in the domains
that match $<a href="postconf.5.html#relay_domains">relay_domains</a>. Specify @domain as a wild-card for
-domains that have no valid recipient list, and become a source of
-backscatter mail: Postfix accepts spam for non-existent recipients
-and then floods innocent people with undeliverable mail. Technically,
-tables
+domains that do not have a valid recipient list. Technically, tables
listed with $<a href="postconf.5.html#relay_recipient_maps">relay_recipient_maps</a> are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
<a href="postconf.5.html#inet_interfaces">inet_interfaces</a> documentation for more detail. </p>
<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
-but this form is not required here. </p>
+but this form is not recommended here. </p>
</DD>
<a href="postconf.5.html#smtp_tls_mandatory_ciphers">smtp_tls_mandatory_ciphers</a> parameter and the optional "protocols"
keyword overrides the <a href="postconf.5.html">main.cf</a> <a href="postconf.5.html#smtp_tls_mandatory_protocols">smtp_tls_mandatory_protocols</a> parameter.
In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas. </dd>
+as attribute values may not contain whitespace or commas. </p>
<dt><b>verify</b></dt> <dd>Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
P.O. Box 830688, MC34
Richardson, TX 75083, USA
- IPv6 support originally by:
- Mark Huizer, Eindhoven University, The Netherlands
- Jun-ichiro 'itojun' Hagino, KAME project, Japan
- The Linux PLD project
- Dean Strik, Eindhoven University, The Netherlands
-
POSTFIX(1)
</pre> </body> </html>
postlog - Postfix-compatible logging utility
<b>SYNOPSIS</b>
- <b>postlog</b> [<b>-iv</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>] [<b>-p</b> <i>priority</i><b>] [-t</b> <i>tag</i>]
- [<i>text...</i>]
+ <b>postlog</b> [<b>-iv</b>] [<b>-c</b> <i>config</i><b>_</b><i>dir</i>]
+ [<b>-p</b> <i>priority</i><b>] [-t</b> <i>tag</i>] [<i>text...</i>]
<b>DESCRIPTION</b>
- The <a href="postlog.1.html"><b>postlog</b>(1)</a> command implements a Postfix-compatible
- logging interface for use in, for example, shell scripts.
+ The <a href="postlog.1.html"><b>postlog</b>(1)</a> command implements a Postfix-compatible
+ logging interface for use in, for example, shell scripts.
- By default, <a href="postlog.1.html"><b>postlog</b>(1)</a> logs the <i>text</i> given on the command
+ By default, <a href="postlog.1.html"><b>postlog</b>(1)</a> logs the <i>text</i> given on the command
line as one record. If no <i>text</i> is specified on the command
- line, <a href="postlog.1.html"><b>postlog</b>(1)</a> reads from standard input and logs each
+ line, <a href="postlog.1.html"><b>postlog</b>(1)</a> reads from standard input and logs each
input line as one record.
- Logging is sent to <b>syslogd</b>(8); when the standard error
- stream is connected to a terminal, logging is sent there
+ Logging is sent to <b>syslogd</b>(8); when the standard error
+ stream is connected to a terminal, logging is sent there
as well.
The following options are implemented:
<b>-c</b> <i>config</i><b>_</b><i>dir</i>
- Read the <a href="postconf.5.html"><b>main.cf</b></a> configuration file in the named
+ Read the <a href="postconf.5.html"><b>main.cf</b></a> configuration file in the named
directory instead of the default configuration
directory.
<b>-i</b> Include the process ID in the logging tag.
<b>-p</b> <i>priority</i>
- Specifies the logging severity: <b>info</b> (default),
+ Specifies the logging severity: <b>info</b> (default),
<b>warn</b>, <b>error</b>, <b>fatal</b>, or <b>panic</b>.
<b>-t</b> <i>tag</i> Specifies the logging tag, that is, the identifying
- name that appears at the beginning of each logging
- record. A default tag is used when none is speci-
+ name that appears at the beginning of each logging
+ record. A default tag is used when none is speci-
fied.
<b>-v</b> Enable verbose logging for debugging purposes. Mul-
- tiple <b>-v</b> options make the software increasingly
+ tiple <b>-v</b> options make the software increasingly
verbose.
<b>ENVIRONMENT</b>
Directory with the <a href="postconf.5.html"><b>main.cf</b></a> file.
<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
+ The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
to this program.
- The text below provides only a parameter summary. See
+ The text below provides only a parameter summary. See
<a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
<b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
+ The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
<a href="master.5.html">master.cf</a> configuration files.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), syslog daemon
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_read_maps">proxy_read_maps</a> (see 'postconf -d' output)</b>
- The lookup tables that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
+ The lookup tables that the <a href="proxymap.8.html"><b>proxymap</b>(8)</a> server is
allowed to access.
<b>SEE ALSO</b>
<a href="DATABASE_README.html">DATABASE_README</a>, Postfix lookup table overview
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#qmqpd_authorized_clients">qmqpd_authorized_clients</a> (empty)</b>
- What clients are allowed to connect to the QMQP
+ What clients are allowed to connect to the QMQP
server port.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b><a href="postconf.5.html#verp_delimiter_filter">verp_delimiter_filter</a> (-=+)</b>
- The characters Postfix accepts as VERP delimiter
- characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
+ The characters Postfix accepts as VERP delimiter
+ characters on the Postfix <a href="sendmail.1.html"><b>sendmail</b>(1)</a> command line
and in SMTP commands.
<b>SEE ALSO</b>
<a href="QMQP_README.html">QMQP_README</a>, Postfix ezmlm-idx howto.
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
<b>qshape</b> [<b>-s</b>] [<b>-p</b>] [<b>-m</b> <i>min</i><b>_</b><i>subdomains</i>]
[<b>-b</b> <i>bucket</i><b>_</b><i>count</i>] [<b>-t</b> <i>bucket</i><b>_</b><i>time</i>]
[<b>-l</b>] [<b>-w</b> <i>terminal</i><b>_</b><i>width</i>]
- [<b>-N</b> <i>batch</i><b>_</b><i>msg</i><b>_</b><i>count</i>] [<b>-n</b> <i>batch</i><b>_</b><i>top</i><b>_</b><i>domains</i>]
[<b>-c</b> <i>config</i><b>_</b><i>directory</i>] [<i>queue</i><b>_</b><i>name</i> ...]
<b>DESCRIPTION</b>
narrow to show the domain name and all the coun-
ters, the terminal_width limit is violated.
- <b>-N</b> <i>batch</i><b>_</b><i>msg</i><b>_</b><i>count</i>
- When the output device is a terminal, intermediate
- results are shown each "batch_msg_count" messages.
- This produces usable results in a reasonable time
- even when the <a href="QSHAPE_README.html#deferred_queue">deferred queue</a> is large. The default
- is to show intermediate results every 1000 mes-
- sages.
-
- <b>-n</b> <i>batch</i><b>_</b><i>top</i><b>_</b><i>domains</i>
- When reporting intermediate or final results to a
- termainal, report only the top "batch_top_domains"
- domains. The default limit is 20 domains.
-
<b>-c</b> <i>config</i><b>_</b><i>directory</i>
- The <a href="postconf.5.html"><b>main.cf</b></a> configuration file is in the named
+ The <a href="postconf.5.html"><b>main.cf</b></a> configuration file is in the named
directory instead of the default configuration
directory.
Arguments:
<i>queue</i><b>_</b><i>name</i>
- By default <b>qshape</b> displays the combined distribu-
- tion of the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>. To display
- a different set of queues, just list their direc-
+ By default <b>qshape</b> displays the combined distribu-
+ tion of the <a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queues</a>. To display
+ a different set of queues, just list their direc-
tory names on the command line. Absolute paths are
- used as is, other paths are taken relative to the
- <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter setting. While
- <a href="postconf.5.html"><b>main.cf</b></a> supports the use of <i>$variable</i> expansion in
- the definition of the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter,
- the <b>qshape</b> program does not. If you must use vari-
+ used as is, other paths are taken relative to the
+ <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter setting. While
+ <a href="postconf.5.html"><b>main.cf</b></a> supports the use of <i>$variable</i> expansion in
+ the definition of the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> parameter,
+ the <b>qshape</b> program does not. If you must use vari-
able expansions in the <b><a href="postconf.5.html#queue_directory">queue_directory</a></b> setting, you
- must specify an explicit absolute path for each
- queue subdirectory even if you want the default
+ must specify an explicit absolute path for each
+ queue subdirectory even if you want the default
<a href="QSHAPE_README.html#incoming_queue">incoming</a> and <a href="QSHAPE_README.html#active_queue">active queue</a> distribution.
<b>SEE ALSO</b>
$<a href="postconf.5.html#queue_directory">queue_directory</a>/deferred/, messages postponed for later delivery.
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
regexp_table - format of Postfix regular expression tables
<b>SYNOPSIS</b>
- <b>postmap -q "</b><i>string</i><b>" <a href="regexp_table.5.html">regexp</a>:/etc/postfix/</b><i>filename</i>
+ <b>postmap -
fq "</b><i>string</i><b>" <a href="regexp_table.5.html">regexp</a>:/etc/postfix/</b><i>filename</i>
- <b>postmap -q - <a href="regexp_table.5.html">regexp</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
+ <b>postmap -
fq - <a href="regexp_table.5.html">regexp</a>:/etc/postfix/</b><i>filename</i> <<i>inputfile</i>
<b>DESCRIPTION</b>
The Postfix mail system uses optional tables for address
Alternatively, lookup tables can be specified in POSIX
regular expression form. In this case, each input is com-
- pared against a list of patterns. When a match is found,
- the corresponding result is returned and the search is
- terminated.
+ pared against a list of patterns, and when a match is
+ found the corresponding result is returned.
- To find out what types of lookup tables your Postfix sys-
+ To find out what types of lookup tables your Postfix sys-
tem supports use the "<b>postconf -m</b>" command.
- To test lookup tables, use the "<b>postmap -q</b>" command as
+ To test lookup tables, use the "<b>postmap -fq</b>" command as
described in the SYNOPSIS above.
-<b>COMPATIBILITY</b>
- With Postfix version 2.2 and earlier specify "<b>postmap -fq</b>"
- to query a table that contains case sensitive patterns.
- Patterns are case insensitive by default.
-
<b>TABLE FORMAT</b>
The general form of a Postfix regular expression table is:
responding <i>result</i> value.
<b>!/</b><i>pattern</i><b>/</b><i>flags result</i>
- When <i>pattern</i> does <b>not</b> match the input string, use
+ When <i>pattern</i> does <b>not</b> match the input string, use
the corresponding <i>result</i> value.
<b>if /</b><i>pattern</i><b>/</b><i>flags</i>
<b>if</b> and <b>endif</b>, if and only if that same input string
also matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
This feature is available in Postfix 2.1 and later.
<b>endif</b> Match the input string against the patterns between
<b>if</b> and <b>endif</b>, if and only if that same input string
- does <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
+ does <b>not</b> match <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
matches <i>pattern</i>. The <b>if</b>..<b>endif</b> can nest.
- Note: do not prepend whitespace to patterns inside
+ Note: do not prepend whitespace to patterns inside
<b>if</b>..<b>endif</b>.
This feature is available in Postfix 2.1 and later.
blank lines and comments
- Empty lines and whitespace-only lines are ignored,
- as are lines whose first non-whitespace character
+ Empty lines and whitespace-only lines are ignored,
+ as are lines whose first non-whitespace character
is a `#'.
multi-line text
- A logical line starts with non-whitespace text. A
- line that starts with whitespace continues a logi-
+ A logical line starts with non-whitespace text. A
+ line that starts with whitespace continues a logi-
cal line.
- Each pattern is a POSIX regular expression enclosed by a
+ Each pattern is a POSIX regular expression enclosed by a
pair of delimiters. The regular expression syntax is docu-
- mented in <b>re_format</b>(7) with 4.4BSD, in <b>regex</b>(5) with
+ mented in <b>re_format</b>(7) with 4.4BSD, in <b>regex</b>(5) with
Solaris, and in <b>regex</b>(7) with Linux. Other systems may use
other document names.
- The expression delimiter can be any character, except
+ The expression delimiter can be any character, except
whitespace or characters that have special meaning (tradi-
- tionally the forward slash is used). The regular expres-
+ tionally the forward slash is used). The regular expres-
sion can contain whitespace.
By default, matching is case-insensitive, and newlines are
- not treated as special characters. The behavior is con-
- trolled by flags, which are toggled by appending one or
+ not treated as special characters. The behavior is con-
+ trolled by flags, which are toggled by appending one or
more of the following characters after the pattern:
<b>i</b> (default: on)
- Toggles the case sensitivity flag. By default,
+ Toggles the case sensitivity flag. By default,
matching is case insensitive.
<b>x</b> (default: on)
- Toggles the extended expression syntax flag. By
- default, support for extended expression syntax is
+ Toggles the extended expression syntax flag. By
+ default, support for extended expression syntax is
enabled.
<b>m</b> (default: off)
- Toggle the multi-line mode flag. When this flag is
- on, the <b>^</b> and <b>$</b> metacharacters match immediately
- after and immediately before a newline character,
- respectively, in addition to matching at the start
+ Toggle the multi-line mode flag. When this flag is
+ on, the <b>^</b> and <b>$</b> metacharacters match immediately
+ after and immediately before a newline character,
+ respectively, in addition to matching at the start
and end of the input string.
<b>TABLE SEARCH ORDER</b>
- Patterns are applied in the order as specified in the ta-
- ble, until a pattern is found that matches the input
+ Patterns are applied in the order as specified in the ta-
+ ble, until a pattern is found that matches the input
string.
- Each pattern is applied to the entire input string.
- Depending on the application, that string is an entire
+ Each pattern is applied to the entire input string.
+ Depending on the application, that string is an entire
client hostname, an entire client IP address, or an entire
- mail address. Thus, no parent domain or parent network
- search is done, and <i>user@domain</i> mail addresses are not
- broken up into their <i>user</i> and <i>domain</i> constituent parts,
+ mail address. Thus, no parent domain or parent network
+ search is done, and <i>user@domain</i> mail addresses are not
+ broken up into their <i>user</i> and <i>domain</i> constituent parts,
nor is <i>user+foo</i> broken up into <i>user</i> and <i>foo</i>.
<b>TEXT SUBSTITUTION</b>
- Substitution of substrings from the matched expression
- into the result string is possible using $1, $2, etc.;
+ Substitution of substrings from the matched expression
+ into the result string is possible using $1, $2, etc.;
specify $$ to produce a $ character as output. The macros
- in the result string may need to be written as ${n} or
+ in the result string may need to be written as ${n} or
$(n) if they aren't followed by whitespace.
- Note: since negated patterns (those preceded by <b>!</b>) return
+ Note: since negated patterns (those preceded by <b>!</b>) return
a result when the expression does not match, substitutions
are not available for negated patterns.
file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/relocated</b>" to rebuild an indexed
- file after changing the corresponding relocated table.
+ "<b>postmap /etc/postfix/relocated</b>" in order to rebuild the
+ indexed file after changing the relocated table.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
- those case, the lookups are done in a slightly different
+ that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ and "TCP-BASED TABLES".
Table lookups are case insensitive.
<a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>. For a description of the
TCP client/server table lookup protocol, see <a href="tcp_table.5.html"><b>tcp_table</b>(5)</a>.
This feature is not available up to and including Postfix
- version 2.4.
+ version 2.3.
Each pattern is a regular expression that is applied to
the entire address being looked up. Thus, <i>user@domain</i> mail
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
<i>user@domain</i> mail addresses are not broken up into their
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
The process ID of a Postfix command or daemon
<b>SECURITY</b>
By design, this program is not set-user (or group) id.
- However, it must handle data from untrusted, possibly
- remote, users. Thus, the usual precautions need to be
- taken against malicious inputs.
+ However, it must handle data from untrusted users or
+ untrusted machines. Thus, the usual precautions need to
+ be taken against malicious inputs.
<b>DIAGNOSTICS</b>
Problems are logged to <b>syslogd</b>(8) and to the standard
<b>DIAGNOSTICS</b>
Problems and transactions are logged to <b>syslogd</b>(8).
+<b>BUGS</b>
+ The <a href="showq.8.html"><b>showq</b>(8)</a> daemon runs at a fixed low privilege; conse-
+ quently, it cannot extract information from queue files in
+ the <b>maildrop</b> directory.
+
<b>CONFIGURATION PARAMETERS</b>
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically as <a href="showq.8.html"><b>showq</b>(8)</a>
processes run for only a limited amount of time. Use the
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>FILES</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
By default, connection caching is enabled temporarily for
destinations that have a high volume of mail in the active
- queue. Connection caching can be enabled permanently for
- specific destinations.
+ queue. Session caching can be enabled permanently for spe-
+ cific destinations.
<b>SMTP DESTINATION SYNTAX</b>
SMTP destinations have the following form:
the client is used for multiple domains.
Most smtp_<i>xxx</i> configuration parameters have an lmtp_<i>xxx</i>
- "mirror" parameter for the equivalent LMTP feature. This
+ "ghost" parameter for the equivalent LMTP feature. This
document describes only those LMTP-related parameters that
- aren't simply "mirror" parameters.
+ aren't simply "ghost" parameters.
Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as <a href="smtp.8.html"><b>smtp</b>(8)</a>
processes run for only a limited amount of time. Use the
LMTP client will ignore in the LHLO response from a
remote LMTP server.
- <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> (empty)</b>
+ <b><a href="postconf.5.html#lmtp_discard_lhlo_keywords">lmtp_discard_lhlo_keywords</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
A case insensitive list of LHLO keywords (pipelin-
ing, starttls, auth, etc.) that the LMTP client
will ignore in the LHLO response from a remote LMTP
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#proxy_interfaces">proxy_interfaces</a> (empty)</b>
The network interface addresses that this mail sys-
- tem receives mail on by way of a proxy or network
+ tem receives mail on by way of a proxy or network
address translation unit.
<b><a href="postconf.5.html#smtp_bind_address">smtp_bind_address</a> (empty)</b>
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv4 connection.
<b><a href="postconf.5.html#smtp_bind_address6">smtp_bind_address6</a> (empty)</b>
- An optional numerical network address that the
- Postfix SMTP client should bind to when making an
+ An optional numerical network address that the
+ Postfix SMTP client should bind to when making an
IPv6 connection.
<b><a href="postconf.5.html#smtp_helo_name">smtp_helo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
- The hostname to send in the SMTP EHLO or HELO com-
+ The hostname to send in the SMTP EHLO or HELO com-
mand.
<b><a href="postconf.5.html#lmtp_lhloname">lmtp_lhlo_name</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
- What mechanisms when the Postfix SMTP client uses
+ What mechanisms when the Postfix SMTP client uses
to look up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
- Randomize the order of equal-preference MX host
+ Randomize the order of equal-preference MX host
addresses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
<b><a href="postconf.5.html#fallback_relay">fallback_relay</a> (empty)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
Available with Postfix 2.3 and later:
<b><a href="postconf.5.html#smtp_fallback_relay">smtp_fallback_relay</a> ($<a href="postconf.5.html#fallback_relay">fallback_relay</a>)</b>
- Optional list of relay hosts for SMTP destinations
+ Optional list of relay hosts for SMTP destinations
that can't be found or that are unreachable.
<b>SEE ALSO</b>
<a href="TLS_README.html">TLS_README</a>, Postfix STARTTLS howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#myhostname">myhostname</a> (see 'postconf -d' output)</b>
The internet hostname of this mail system.
<b><a href="postconf.5.html#mynetworks">mynetworks</a> (see 'postconf -d' output)</b>
- The list of "trusted" SMTP clients that have more
+ The list of "trusted" SMTP clients that have more
privileges than "strangers".
<b><a href="postconf.5.html#myorigin">myorigin</a> ($<a href="postconf.5.html#myhostname">myhostname</a>)</b>
The domain name that locally-posted mail appears to
- come from, and that locally posted mail is deliv-
+ come from, and that locally posted mail is deliv-
ered to.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#recipient_delimiter">recipient_delimiter</a> (empty)</b>
sions (user+foo).
<b><a href="postconf.5.html#smtpd_banner">smtpd_banner</a> ($<a href="postconf.5.html#myhostname">myhostname</a> ESMTP $<a href="postconf.5.html#mail_name">mail_name</a>)</b>
- The text that follows the 220 status code in the
+ The text that follows the 220 status code in the
SMTP greeting banner.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
<b><a href="postconf.5.html#smtpd_forbidden_commands">smtpd_forbidden_commands</a> (CONNECT, GET, POST)</b>
- List of commands that causes the Postfix SMTP
- server to immediately terminate the session with a
+ List of commands that causes the Postfix SMTP
+ server to immediately terminate the session with a
221 code.
<b>SEE ALSO</b>
<a href="XFORWARD_README.html">XFORWARD_README</a>, Postfix XFORWARD extension
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
syslogd(8), system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
+++ /dev/null
-<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
- "http://www.w3.org/TR/html4/loose.dtd">
-<html> <head>
-<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
-<title> Postfix manual - bounce(8) </title>
-</head> <body> <pre>
-BOUNCE(8) BOUNCE(8)
-
-<b>NAME</b>
- bounce - Postfix delivery status reports
-
-<b>SYNOPSIS</b>
- <b>bounce</b> [generic Postfix daemon options]
-
-<b>DESCRIPTION</b>
- The <a href="bounce.8.html"><b>bounce</b>(8)</a> daemon maintains per-message log files with
- delivery status information. Each log file is named after
- the queue file that it corresponds to, and is kept in a
- queue subdirectory named after the service name in the
- <a href="master.5.html"><b>master.cf</b></a> file (either <b>bounce</b>, <b>defer</b> or <b>trace</b>). This pro-
- gram expects to be run from the <a href="master.8.html"><b>master</b>(8)</a> process manager.
-
- The <a href="bounce.8.html"><b>bounce</b>(8)</a> daemon processes two types of service
- requests:
-
- <b>o</b> Append a recipient (non-)delivery status record to
- a per-message log file.
-
- <b>o</b> Enqueue a delivery status notification message,
- with a copy of a per-message log file and of the
- corresponding message. When the delivery status
- notification message is enqueued successfully, the
- per-message log file is deleted.
-
- The software does a best notification effort. A non-deliv-
- ery notification is sent even when the log file or the
- original message cannot be read.
-
- Optionally, a bounce (defer, trace) client can request
- that the per-message log file be deleted when the
- requested operation fails. This is used by clients that
- cannot retry transactions by themselves, and that depend
- on retry logic in their own client.
-
-<b>STANDARDS</b>
- <a href="http://www.faqs.org/rfcs/rfc822.html">RFC 822</a> (ARPA Internet Text Messages)
- <a href="http://www.faqs.org/rfcs/rfc2045.html">RFC 2045</a> (Format of Internet Message Bodies)
- <a href="http://www.faqs.org/rfcs/rfc2822.html">RFC 2822</a> (ARPA Internet Text Messages)
- <a href="http://www.faqs.org/rfcs/rfc3462.html">RFC 3462</a> (Delivery Status Notifications)
- <a href="http://www.faqs.org/rfcs/rfc3464.html">RFC 3464</a> (Delivery Status Notifications)
- <a href="http://www.faqs.org/rfcs/rfc3834.html">RFC 3834</a> (Auto-Submitted: message header)
-
-<b>DIAGNOSTICS</b>
- Problems and transactions are logged to <b>syslogd</b>(8).
-
-<b>CONFIGURATION PARAMETERS</b>
- Changes to <a href="postconf.5.html"><b>main.cf</b></a> are picked up automatically, as
- <a href="bounce.8.html"><b>bounce</b>(8)</a> processes run for only a limited amount of time.
- Use the command "<b>postfix reload</b>" to speed up a change.
-
- The text below provides only a parameter summary. See
- <a href="postconf.5.html"><b>postconf</b>(5)</a> for more details including examples.
-
- <b><a href="postconf.5.html#2bounce_notice_recipient">2bounce_notice_recipient</a> (postmaster)</b>
- The recipient of undeliverable mail that cannot be
- returned to the sender.
-
- <b><a href="postconf.5.html#backwards_bounce_logfile_compatibility">backwards_bounce_logfile_compatibility</a> (yes)</b>
- Produce additional <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile records that
- can be read by Postfix versions before 2.0.
-
- <b><a href="postconf.5.html#bounce_notice_recipient">bounce_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
- message headers of mail that Postfix did not
- deliver and of SMTP conversation transcripts of
- mail that Postfix did not receive.
-
- <b><a href="postconf.5.html#bounce_size_limit">bounce_size_limit</a> (50000)</b>
- The maximal amount of original message text that is
- sent in a non-delivery notification.
-
- <b><a href="postconf.5.html#bounce_template_file">bounce_template_file</a> (empty)</b>
- Pathname of a configuration file with bounce mes-
- sage templates.
-
- <b><a href="postconf.5.html#config_directory">config_directory</a> (see 'postconf -d' output)</b>
- The default location of the Postfix <a href="postconf.5.html">main.cf</a> and
- <a href="master.5.html">master.cf</a> configuration files.
-
- <b><a href="postconf.5.html#daemon_timeout">daemon_timeout</a> (18000s)</b>
- How much time a Postfix daemon process may take to
- handle a request before it is terminated by a
- built-in watchdog timer.
-
- <b><a href="postconf.5.html#delay_notice_recipient">delay_notice_recipient</a> (postmaster)</b>
- The recipient of postmaster notifications with the
- message headers of mail that cannot be delivered
- within $<a href="postconf.5.html#delay_warning_time">delay_warning_time</a> time units.
-
- <b><a href="postconf.5.html#deliver_lock_attempts">deliver_lock_attempts</a> (20)</b>
- The maximal number of attempts to acquire an exclu-
- sive lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
-
- <b><a href="postconf.5.html#deliver_lock_delay">deliver_lock_delay</a> (1s)</b>
- The time between attempts to acquire an exclusive
- lock on a mailbox file or <a href="bounce.8.html"><b>bounce</b>(8)</a> logfile.
-
- <b><a href="postconf.5.html#ipc_timeout">ipc_timeout</a> (3600s)</b>
- The time limit for sending or receiving information
- over an internal communication channel.
-
- <b><a href="postconf.5.html#internal_mail_filter_classes">internal_mail_filter_classes</a> (empty)</b>
- What categories of Postfix-generated mail are sub-
- ject to before-queue content inspection by
- <a href="postconf.5.html#non_smtpd_milters">non_smtpd_milters</a>, <a href="postconf.5.html#header_checks">header_checks</a> and <a href="postconf.5.html#body_checks">body_checks</a>.
-
- <b><a href="postconf.5.html#mail_name">mail_name</a> (Postfix)</b>
- The mail system name that is displayed in Received:
- headers, in the SMTP greeting banner, and in
- bounced mail.
-
- <b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
- The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
-
- <b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
-
- <b><a href="postconf.5.html#notify_classes">notify_classes</a> (resource, software)</b>
- The list of error classes that are reported to the
- postmaster.
-
- <b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
- process.
-
- <b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
- tory.
-
- <b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
- The syslog facility of Postfix logging.
-
- <b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
- becomes, for example, "postfix/smtpd".
-
-<b>FILES</b>
- /var/spool/postfix/bounce/* non-delivery records
- /var/spool/postfix/defer/* non-delivery records
- /var/spool/postfix/trace/* delivery status records
-
-<b>SEE ALSO</b>
- <a href="bounce.5.html">bounce(5)</a>, bounce message template format
- <a href="qmgr.8.html">qmgr(8)</a>, queue manager
- <a href="postconf.5.html">postconf(5)</a>, configuration parameters
- <a href="master.5.html">master(5)</a>, generic daemon options
- <a href="master.8.html">master(8)</a>, process manager
- syslogd(8), system logging
-
-<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
- software.
-
-<b>AUTHOR(S)</b>
- Wietse Venema
- IBM T.J. Watson Research
- P.O. Box 704
- Yorktown Heights, NY 10598, USA
-
- BOUNCE(8)
-</pre> </body> </html>
--- /dev/null
+bounce.8.html
\ No newline at end of file
file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command. The
result, an indexed file in <b>dbm</b> or <b>db</b> format, is used for
fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/transport</b>" to rebuild an indexed
- file after changing the corresponding transport table.
+ "<b>postmap /etc/postfix/transport</b>" in order to rebuild the
+ indexed file after changing the transport table.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
- those case, the lookups are done in a slightly different
+ that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ and "TCP-BASED TABLES".
<b>CASE FOLDING</b>
The search string is folded to lowercase before database
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire recipient address
once. Thus, <i>some.domain.hierarchy</i> is not looked up via
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#relocated_maps">relocated_maps</a> (empty)</b>
Optional lookup tables with new contact information
for users or domains that no longer exist.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#show_user_unknown_table_name">show_user_unknown_table_name</a> (yes)</b>
- Display the name of the recipient table in the
+ Display the name of the recipient table in the
"User unknown" responses.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
Available in Postfix version 2.0 and later:
<b><a href="postconf.5.html#helpful_warnings">helpful_warnings</a> (yes)</b>
- Log warnings about problematic configuration set-
+ Log warnings about problematic configuration set-
tings, and provide helpful suggestions.
<b>SEE ALSO</b>
<a href="ADDRESS_VERIFICATION_README.html">ADDRESS_VERIFICATION_README</a>, Postfix address verification
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
text file that serves as input to the <a href="postmap.1.html"><b>postmap</b>(1)</a> command.
The result, an indexed file in <b>dbm</b> or <b>db</b> format, is used
for fast searching by the mail system. Execute the command
- "<b>postmap /etc/postfix/virtual</b>" to rebuild an indexed file
- after changing the corresponding text file.
+ "<b>postmap /etc/postfix/virtual</b>" in order to rebuild the
+ indexed file after changing the text file.
When the table is provided via other means such as NIS,
LDAP or SQL, the same lookups are done as for ordinary
Alternatively, the table can be provided as a regular-
expression map where patterns are given as regular expres-
sions, or lookups can be directed to TCP-based server. In
- those case, the lookups are done in a slightly different
+ that case, the lookups are done in a slightly different
way as described below under "REGULAR EXPRESSION TABLES"
- or "TCP-BASED TABLES".
+ and "TCP-BASED TABLES".
<b>CASE FOLDING</b>
The search string is folded to lowercase before database
Redirect mail for other users in <i>domain</i> to <i>address</i>.
This form has the lowest precedence.
- Note: @<i>domain</i> is a wild-card. With this form, the
- Postfix SMTP server accepts mail for any recipient
- in <i>domain</i>, regardless of whether that recipient
- exists. This may turn your mail system into a
- backscatter source that returns undeliverable spam
- to innocent people.
-
<b>RESULT ADDRESS REWRITING</b>
The lookup result is subject to address rewriting:
- <b>o</b> When the result has the form @<i>otherdomain</i>, the
- result becomes the same <i>user</i> in <i>otherdomain</i>. This
+ <b>o</b> When the result has the form @<i>otherdomain</i>, the
+ result becomes the same <i>user</i> in <i>otherdomain</i>. This
works only for the first address in a multi-address
lookup result.
- <b>o</b> When
"<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
+ <b>o</b> When
"<b><a href="postconf.5.html#append_at_myorigin">append_at_myorigin</a>=yes</b>", append "<b>@$<a href="postconf.5.html#myorigin">myorigin</a></b>"
to addresses without "@domain".
<b>o</b> When "<b><a href="postconf.5.html#append_dot_mydomain">append_dot_mydomain</a>=yes</b>", append "<b>.$<a href="postconf.5.html#mydomain">mydomain</a></b>"
<b>ADDRESS EXTENSION</b>
When a mail address localpart contains the optional recip-
- ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
+ ient delimiter (e.g., <i>user+foo</i>@<i>domain</i>), the lookup order
becomes: <i>user+foo</i>@<i>domain</i>, <i>user</i>@<i>domain</i>, <i>user+foo</i>, <i>user</i>, and
@<i>domain</i>.
- The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls
- whether an unmatched address extension (<i>+foo</i>) is propa-
+ The <b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b> parameter controls
+ whether an unmatched address extension (<i>+foo</i>) is propa-
gated to the result of table lookup.
<b>VIRTUAL ALIAS DOMAINS</b>
- Besides virtual aliases, the virtual alias table can also
+ Besides virtual aliases, the virtual alias table can also
be used to implement <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. With a virtual
- alias domain, all recipient addresses are aliased to
+ alias domain, all recipient addresses are aliased to
addresses in other domains.
Virtual alias domains are not to be confused with the vir-
tual mailbox domains that are implemented with the Postfix
<a href="virtual.8.html"><b>virtual</b>(8)</a> mail delivery agent. With virtual mailbox
- domains, each recipient address can have its own mailbox.
+ domains, each recipient address can have its own mailbox.
- With a virtual alias domain, the virtual domain has its
- own user name space. Local (i.e. non-virtual) usernames
- are not visible in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. In particular,
- local <a href="aliases.5.html"><b>aliases</b>(5)</a> and local mailing lists are not visible
+ With a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>, the virtual domain has its
+ own user name space. Local (i.e. non-virtual) usernames
+ are not visible in a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. In particular,
+ local <a href="aliases.5.html"><b>aliases</b>(5)</a> and local mailing lists are not visible
as <i>localname@virtual-alias.domain</i>.
Support for a <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> looks like:
/etc/postfix/<a href="postconf.5.html">main.cf</a>:
<a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a> = hash:/etc/postfix/virtual
- Note: some systems use <b>dbm</b> databases instead of <b>hash</b>.
- See the output from "<b>postconf -m</b>" for available data-
+ Note: some systems use <b>dbm</b> databases instead of <b>hash</b>.
+ See the output from "<b>postconf -m</b>" for available data-
base types.
/etc/postfix/<a href="virtual.8.html">virtual</a>:
<i>user1@virtual-alias.domain address1</i>
<i>user2@virtual-alias.domain address2, address3</i>
- The <i>virtual-alias.domain anything</i> entry is required for a
+ The <i>virtual-alias.domain anything</i> entry is required for a
<a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a>. <b>Without this entry, mail is rejected</b>
- <b>with "relay access denied", or bounces with "mail loops</b>
+ <b>with "relay access denied", or bounces with "mail loops</b>
<b>back to myself".</b>
- Do
not specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in the <a href="postconf.5.html"><b>main.cf</b></a>
+ Do
not specify <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> names in the <a href="postconf.5.html"><b>main.cf</b></a>
<b><a href="postconf.5.html#mydestination">mydestination</a></b> or <b><a href="postconf.5.html#relay_domains">relay_domains</a></b> configuration parameters.
- With a virtual alias domain, the Postfix SMTP server
- accepts mail for <i>known-user@virtual-alias.domain</i>, and
- rejects mail for <i>unknown-user</i>@<i>virtual-alias.domain</i> as
+ With a virtual alias domain, the Postfix SMTP server
+ accepts mail for <i>known-user@virtual-alias.domain</i>, and
+ rejects mail for <i>unknown-user</i>@<i>virtual-alias.domain</i> as
undeliverable.
- Instead of specifying the virtual alias domain name via
- the <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b> table, you may also specify it via
+ Instead of specifying the <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domain</a> name via
+ the <b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b> table, you may also specify it via
the <a href="postconf.5.html"><b>main.cf</a> <a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a></b> configuration parameter.
- This
latter parameter uses the same syntax as the <a href="postconf.5.html"><b>main.cf</b></a>
+ This
latter parameter uses the same syntax as the <a href="postconf.5.html"><b>main.cf</b></a>
<b><a href="postconf.5.html#mydestination">mydestination</a></b> configuration parameter.
<b>REGULAR EXPRESSION TABLES</b>
- This section describes how the table lookups change when
+ This section describes how the table lookups change when
the table is given in the form of regular expressions. For
- a description of regular expression lookup table syntax,
+ a description of regular expression lookup table syntax,
see <a href="regexp_table.5.html"><b>regexp_table</b>(5)</a> or <a href="pcre_table.5.html"><b>pcre_table</b>(5)</a>.
- Each pattern is a regular expression that is applied to
+ Each pattern is a regular expression that is applied to
the entire address being looked up. Thus, <i>user@domain</i> mail
- addresses are not broken up into their <i>user</i> and <i>@domain</i>
+ addresses are not broken up into their <i>user</i> and <i>@domain</i>
constituent parts, nor is <i>user+foo</i> broken up into <i>user</i> and
<i>foo</i>.
- Patterns are applied in the order as specified in the ta-
- ble, until a pattern is found that matches the search
+ Patterns are applied in the order as specified in the ta-
+ ble, until a pattern is found that matches the search
string.
- Results are the same as with indexed file lookups, with
- the additional feature that parenthesized substrings from
+ Results are the same as with indexed file lookups, with
+ the additional feature that parenthesized substrings from
the pattern can be interpolated as <b>$1</b>, <b>$2</b> and so on.
<b>TCP-BASED TABLES</b>
- This section describes how the table lookups change when
+ This section describes how the table lookups change when
lookups are directed to a TCP-based server. For a descrip-
tion of the TCP client/server lookup protocol, see <a href="tcp_table.5.html"><b>tcp_ta-</b></a>
<a href="tcp_table.5.html"><b>ble</b>(5)</a>. This feature is not available up to and including
- Postfix version 2.4.
+ Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
- <i>user@domain</i> mail addresses are not broken up into their
+ <i>user@domain</i> mail addresses are not broken up into their
<i>user</i> and <i>@domain</i> constituent parts, nor is <i>user+foo</i> broken
up into <i>user</i> and <i>foo</i>.
Results are the same as with indexed file lookups.
<b>BUGS</b>
- The table format does not understand quoting conventions.
+ The table format does not understand quoting conventions.
<b>CONFIGURATION PARAMETERS</b>
- The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
- to this topic. See the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file for syntax
- details and for default values. Use the "<b>postfix reload</b>"
+ The following <a href="postconf.5.html"><b>main.cf</b></a> parameters are especially relevant
+ to this topic. See the Postfix <a href="postconf.5.html"><b>main.cf</b></a> file for syntax
+ details and for default values. Use the "<b>postfix reload</b>"
command after a configuration change.
<b><a href="postconf.5.html#virtual_alias_maps">virtual_alias_maps</a></b>
List of virtual aliasing tables.
<b><a href="postconf.5.html#virtual_alias_domains">virtual_alias_domains</a></b>
- List of <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. This uses the same
+ List of <a href="ADDRESS_CLASS_README.html#virtual_alias_class">virtual alias domains</a>. This uses the same
syntax as the <b><a href="postconf.5.html#mydestination">mydestination</a></b> parameter.
<b><a href="postconf.5.html#propagate_unmatched_extensions">propagate_unmatched_extensions</a></b>
- A list of address rewriting or forwarding mecha-
- nisms that propagate an address extension from the
- original address to the result. Specify zero or
- more of <b>canonical</b>, <b>virtual</b>, <b>alias</b>, <b>forward</b>,
+ A list of address rewriting or forwarding mecha-
+ nisms that propagate an address extension from the
+ original address to the result. Specify zero or
+ more of <b>canonical</b>, <b>virtual</b>, <b>alias</b>, <b>forward</b>,
<b>include</b>, or <b>generic</b>.
Other parameters of interest:
<b><a href="postconf.5.html#inet_interfaces">inet_interfaces</a></b>
- The network interface addresses that this system
+ The network interface addresses that this system
receives mail on. You need to stop and start Post-
fix when this parameter changes.
<b><a href="postconf.5.html#mydestination">mydestination</a></b>
- List of domains that this mail system considers
+ List of domains that this mail system considers
local.
<b><a href="postconf.5.html#myorigin">myorigin</a></b>
- The domain that is appended to any address that
+ The domain that is appended to any address that
does not have a domain.
<b><a href="postconf.5.html#owner_request_special">owner_request_special</a></b>
<a href="VIRTUAL_README.html">VIRTUAL_README</a>, domain hosting guide
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
<b><a href="postconf.5.html#max_idle">max_idle</a> (100s)</b>
The maximum amount of time that an idle Postfix
- daemon process waits for an incoming connection
- before terminating voluntarily.
+ daemon process waits for the next service request
+ before exiting.
<b><a href="postconf.5.html#max_use">max_use</a> (100)</b>
- The maximal number of incoming connections that a
- Postfix daemon process will service before termi-
- nating voluntarily.
+ The maximal number of connection requests before a
+ Postfix daemon process terminates.
<b><a href="postconf.5.html#process_id">process_id</a> (read-only)</b>
- The process ID of a Postfix command or daemon
+ The process ID of a Postfix command or daemon
process.
<b><a href="postconf.5.html#process_name">process_name</a> (read-only)</b>
- The process name of a Postfix command or daemon
+ The process name of a Postfix command or daemon
process.
<b><a href="postconf.5.html#queue_directory">queue_directory</a> (see 'postconf -d' output)</b>
- The location of the Postfix top-level queue direc-
+ The location of the Postfix top-level queue direc-
tory.
<b><a href="postconf.5.html#syslog_facility">syslog_facility</a> (mail)</b>
The syslog facility of Postfix logging.
<b><a href="postconf.5.html#syslog_name">syslog_name</a> (postfix)</b>
- The mail system name that is prepended to the
- process name in syslog records, so that "smtpd"
+ The mail system name that is prepended to the
+ process name in syslog records, so that "smtpd"
becomes, for example, "postfix/smtpd".
<b>SEE ALSO</b>
<a href="VIRTUAL_README.html">VIRTUAL_README</a>, domain hosting howto
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>HISTORY</b>
- This delivery agent was originally based on the Postfix
- local delivery agent. Modifications mainly consisted of
- removing code that either was not applicable or that was
- not safe in this context: aliases, ~user/.forward files,
+ This delivery agent was originally based on the Postfix
+ local delivery agent. Modifications mainly consisted of
+ removing code that either was not applicable or that was
+ not safe in this context: aliases, ~user/.forward files,
delivery to "|command" or to /file/name.
The <b>Delivered-To:</b> message header appears in the <b>qmail</b> sys-
tem by Daniel Bernstein.
- The <b>maildir</b> structure appears in the <b>qmail</b> system by
+ The <b>maildir</b> structure appears in the <b>qmail</b> system by
Daniel Bernstein.
<b>AUTHOR(S)</b>
University of Texas at Dallas
P.O. Box 830688, MC34
Richardson, TX 75083, USA
-
-IPv6 support originally by:
-Mark Huizer, Eindhoven University, The Netherlands
-Jun-ichiro 'itojun' Hagino, KAME project, Japan
-The Linux PLD project
-Dean Strik, Eindhoven University, The Netherlands
.na
.nf
.fi
-.ad
\fBpostlog\fR [\fB-iv\fR] [\fB-c \fIconfig_dir\fR]
-[\fB-p \fIpriority\fB] [\fB-t \fItag\fR] [\fItext...\fR]
+ [\fB-p \fIpriority\fB] [\fB-t \fItag\fR] [\fItext...\fR]
.SH DESCRIPTION
.ad
.fi
\fBqshape\fR [\fB-s\fR] [\fB-p\fR] [\fB-m \fImin_subdomains\fR]
[\fB-b \fIbucket_count\fR] [\fB-t \fIbucket_time\fR]
[\fB-l\fR] [\fB-w \fIterminal_width\fR]
- [\fB-N \fIbatch_msg_count\fR] [\fB-n \fIbatch_top_domains\fR]
[\fB-c \fIconfig_directory\fR] [\fIqueue_name\fR ...]
.SH DESCRIPTION
.ad
parent domain rows are shown as '.+' followed by the last 16 bytes
of the domain name. If this is still too narrow to show the domain
name and all the counters, the terminal_width limit is violated.
-.IP "\fB-N \fIbatch_msg_count\fR"
-When the output device is a terminal, intermediate results are
-shown each "batch_msg_count" messages. This produces usable results
-in a reasonable time even when the deferred queue is large. The
-default is to show intermediate results every 1000 messages.
-.IP "\fB-n \fIbatch_top_domains\fR"
-When reporting intermediate or final results to a termainal, report
-only the top "batch_top_domains" domains. The default limit is 20
-domains.
.IP "\fB-c \fIconfig_directory\fR"
The \fBmain.cf\fR configuration file is in the named directory
instead of the default configuration directory.
.ad
.fi
By design, this program is not set-user (or group) id. However,
-it must handle data from untrusted, possibly remote, users.
+it must handle data from untrusted users or untrusted machines.
Thus, the usual precautions need to be taken against malicious
inputs.
.SH DIAGNOSTICS
.SH NAME
access
\-
-Postfix SMTP server access table
+Postfix access table format
.SH "SYNOPSIS"
.na
.nf
.SH DESCRIPTION
.ad
.fi
-This document describes access control on remote SMTP client
-information: host names, network addresses, and envelope
-sender or recipient addresses; it is implemented by the
-Postfix SMTP server. See \fBheader_checks\fR(5) or
-\fBbody_checks\fR(5) for access control on the content of
-email messages.
+The optional \fBaccess\fR(5) table directs the Postfix SMTP server
+to selectively reject or accept mail. Access can be allowed or
+denied for specific host names, domain names, networks, host
+addresses or mail addresses.
+
+For an example, see the EXAMPLE section at the end of this
+manual page.
Normally, the \fBaccess\fR(5) table is specified as a text file
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
-is used for fast searching by the mail system. Execute the
-command "\fBpostmap /etc/postfix/access\fR" to rebuild an
-indexed file after changing the corresponding text file.
+is used for fast searching by the mail system. Execute the command
+"\fBpostmap /etc/postfix/access\fR" in order to rebuild the indexed
+file after changing the access table.
When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those cases, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
.SH "CASE FOLDING"
.na
.nf
match is found in the access table, or until further
truncation is not possible.
-NOTE 1: The access map lookup key must be in canonical form:
-do not specify unnecessary null characters, and do not
-enclose network address information with "[]" characters.
+NOTE 1: The information in the access map should be in
+canonical form, with unnecessary null characters eliminated.
+Address information must not be enclosed with "[]" characters.
NOTE 2: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
string representation of the IPv6 host address. Thus, not
all the ":" subnetworks will be tried.
-NOTE 2: The access map lookup key must be in canonical form:
-do not specify unnecessary null characters, and do not
-enclose network address information with "[]" characters.
+NOTE 2: The information in the access map should be in
+canonical form, with unnecessary null characters eliminated.
+Address information must not be enclosed with "[]" characters.
NOTE 3: use the \fBcidr\fR lookup table type to specify
network/netmask patterns. See \fBcidr_table\fR(5) for details.
specified, otherwise reply with a generic error response message.
.IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
Defer the request if some later restriction would result in a
-REJECT action. Reply with "\fB450 4.7.1 \fI optional
-text...\fR when the
+REJECT action. Reply with "\fB450\fI optional text...\fR when the
optional text is specified, otherwise reply with a generic error
response message.
.sp
.IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
Defer the request if some later restriction would result in a
an explicit or implicit PERMIT action.
-Reply with "\fB450 4.7.1 \fI optional text...\fR when the
+Reply with "\fB450\fI optional text...\fR when the
optional text is specified, otherwise reply with a generic error
response message.
.sp
More information
about external content filters is in the Postfix FILTER_README file.
.sp
-Note: this action overrides the \fBcontent_filter\fR setting,
+Note: this action overrides the \fBmain.cf content_filter\fR setting,
and currently affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.sp
Note: use "\fBpostsuper -r\fR" to release mail that was kept on
hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
-only for mail that will not expire within a few delivery attempts.
+or \fB$bounce_queue_lifetime\fR, or longer.
.sp
Note: this action currently affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.IP "\fBPREPEND \fIheadername: headervalue\fR"
Prepend the specified message header to the message.
-When more than one PREPEND action executes, the first
-prepended header appears before the second etc. prepended
-header.
+When this action is used multiple times, the first prepended
+header appears before the second etc. prepended header.
+.sp
+Note: this action does not support multi-line message headers.
.sp
-Note: this action must execute before the message content
-is received; it cannot execute in the context of
-\fBsmtpd_end_of_data_restrictions\fR.
+Note: this action must be used before the message content
+is received; it cannot be used in \fBsmtpd_end_of_data_restrictions\fR.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBREDIRECT \fIuser@domain\fR"
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire query string once.
Depending on the application, that string is an entire client
When the command fails, a limited amount of command output is
mailed back to the sender. The file \fB/usr/include/sysexits.h\fR
defines the expected exit status codes. For example, use
-\fB"|exit 67"\fR to simulate a "user unknown" error, and
-\fB"|exit 0"\fR to implement an expensive black hole.
+\fB|"exit 67"\fR to simulate a "user unknown" error, and
+\fB|"exit 0"\fR to implement an expensive black hole.
.IP \fB:include:\fI/file/name\fR
Mail is sent to the destinations listed in the named file.
Lines in \fB:include:\fR files have the same syntax
.nf
.ad
.fi
-To create a customized bounce template file, create a
-temporary
+To create customized bounce template file, create a temporary
copy of the file \fB/etc/postfix/bounce.cf.default\fR and
edit the temporary file.
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/canonical\fR" to rebuild an indexed
-file after changing the corresponding text file.
+"\fBpostmap /etc/postfix/canonical\fR" in order to rebuild the indexed
+file after changing the text file.
When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those cases, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
By default the \fBcanonical\fR(5) mapping affects both message
header addresses (i.e. addresses that appear inside messages)
by legacy mail systems.
The \fBcanonical\fR(5) mapping is not to be confused with \fIvirtual
-alias\fR support or with local aliasing. To change the destination
-but not the headers, use the \fBvirtual\fR(5) or \fBaliases\fR(5)
-map instead.
+domain\fR support. Use the \fBvirtual\fR(5) map for that purpose.
+
+The \fBcanonical\fR(5) mapping is not to be confused with local aliasing.
+Use the \fBaliases\fR(5) map for that purpose.
.SH "CASE FOLDING"
.na
.nf
.IP "@\fIdomain address\fR"
Replace other addresses in \fIdomain\fR by \fIaddress\fR.
This form has the lowest precedence.
-.sp
-Note: @\fIdomain\fR is a wild-card. When this form is applied
-to recipient addresses, the Postfix SMTP server accepts
-mail for any recipient in \fIdomain\fR, regardless of whether
-that recipient exists. This may turn your mail system into
-a backscatter source that returns undeliverable spam to
-innocent people.
.SH "RESULT ADDRESS REWRITING"
.na
.nf
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
The Postfix mail system uses optional lookup tables.
These tables are usually in \fBdbm\fR or \fBdb\fR format.
Alternatively, lookup tables can be specified in CIDR
-(Classless Inter-Domain Routing) form. In this case, each
-input is compared against a list of patterns. When a match
-is found, the corresponding result is returned and the search
-is terminated.
+(Classless Inter-Domain Routing) form.
To find out what types of lookup tables your Postfix system
supports use the "\fBpostconf -m\fR" command.
will be matched regardless of redundant zero characters.
Note: address information may be enclosed inside "[]" but
-this form is not required.
+this form is not recommended.
IPv6 support is available in Postfix 2.2 and later.
.IP "\fInetwork_address result\fR"
.nf
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
+kadlec@blackhole.kfki.hu
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary
command. The result, an indexed file in \fBdbm\fR or
\fBdb\fR format, is used for fast searching by the mail
system. Execute the command "\fBpostmap /etc/postfix/generic\fR"
-to rebuild an indexed file after changing the corresponding
+in order to rebuild the indexed file after changing the
text file.
When the table is provided via other means such as NIS, LDAP
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those case, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
.SH "CASE FOLDING"
.na
.nf
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
.SH NAME
header_checks
\-
-Postfix built-in content inspection
+Postfix built-in header/body inspection
.SH "SYNOPSIS"
.na
.nf
.br
\fBbody_checks = pcre:/etc/postfix/body_checks\fR
.sp
-\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
+\fBpostmap -fq "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
.br
-\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+\fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
.SH DESCRIPTION
.ad
.fi
-This document describes access control on the content of
-message headers and message body lines; it is implemented
-by the Postfix cleanup(8) server before mail is queued.
-See \fBaccess\fR(5) for access control on remote SMTP client
-information.
-
-Each message header or message body line is compared against
-a list of patterns.
-When a match is found the corresponding action is executed, and
-the matching process is repeated for the next message header or
-message body line.
+Postfix provides a simple built-in content inspection mechanism that
+examines incoming mail one message header or one message body line
+at a time. Each input is compared against a list of patterns, and
+when a match is found the corresponding action is executed.
+This feature is implemented by the Postfix \fBcleanup\fR(8) server.
For examples, see the EXAMPLES section at the end of this
manual page.
.IP "\fBif /\fIpattern\fB/\fIflags\fR"
.IP "\fBendif\fR"
Match the input string against the patterns between \fBif\fR
-and \fBendif\fR, if and only if the same input string also
-matches \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
+and \fBendif\fR, if and only if the input string also matches
+\fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
.sp
Note: do not prepend whitespace to patterns inside
\fBif\fR..\fBendif\fR.
.IP "\fBif !/\fIpattern\fB/\fIflags\fR"
.IP "\fBendif\fR"
Match the input string against the patterns between \fBif\fR
-and \fBendif\fR, if and only if the same input string does
-\fBnot\fR match \fIpattern\fR. The \fBif\fR..\fBendif\fR
-can nest.
+and \fBendif\fR, if and only if the input string does \fBnot\fR
+match \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
.IP "blank lines and comments"
Empty lines and whitespace-only lines are ignored, as
are lines whose first non-whitespace character is a `#'.
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBFILTER \fItransport:destination\fR"
-Write a content filter request to the queue file, and
+Write a content filter request to the queue file and
inspect the next input line.
After the complete message is received it will be sent through
the specified external content filter. More information about
external content filters is in the Postfix FILTER_README file.
.sp
-Note: this action overrides the \fBcontent_filter\fR setting,
+Note: this action overrides the \fBmain.cf content_filter\fR setting,
and affects all recipients of the message. In the case that multiple
\fBFILTER\fR actions fire, only the last one is executed.
.sp
.sp
Note: use "\fBpostsuper -r\fR" to release mail that was kept on
hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
-only for mail that will not expire within a few delivery attempts.
+or \fB$bounce_queue_lifetime\fR, or longer.
.sp
Note: this action affects all recipients of the message.
.sp
This feature is available in Postfix 2.0 and later.
.IP \fBIGNORE\fR
-Delete the current line from the input, and inspect
+Delete the current line from the input and inspect
the next input line.
.IP "\fBPREPEND \fItext...\fR"
-Prepend one line with the specified text, and inspect the next
+Prepend one line with the specified text and inspect the next
input line.
.sp
Notes:
.IP
This feature is available in Postfix 2.1 and later.
.IP "\fBREDIRECT \fIuser@domain\fR"
-Write a message redirection request to the queue file, and
+Write a message redirection request to the queue file and
inspect the next input line. After the message is queued,
it will be sent to the specified address instead of the
intended recipient(s).
.sp
This feature is available in Postfix 2.1 and later.
.IP "\fBREPLACE \fItext...\fR"
-Replace the current line with the specified text, and inspect the next
+Replace the current line with the specified text and inspect the next
input line.
.sp
This feature is available in Postfix 2.2 and later. The
"5.7.1".
.IP "\fBWARN \fIoptional text...\fR
Log a warning with the \fIoptional text...\fR (or log a
-generic message), and inspect the next input line. This
+generic message) and inspect the next input line. This
action is useful for debugging and for testing a pattern
before applying more drastic actions.
.SH BUGS
.ad
.fi
Many people overlook the main limitations of header and body_checks
-rules.
-.IP \(bu
-These rules operate on one logical message header or one body
-line at a time. A decision made for one line is not carried over
-to the next line.
-.IP \(bu
-If text in the message body is encoded
+rules. These rules operate on one logical message header or one body
+line at a time, and a decision made for one line is not carried over
+to the next line. If text in the message body is encoded
(RFC 2045) then the rules have to specified for the encoded
-form.
-.IP \(bu
-Likewise, when message headers are encoded (RFC
+form. Likewise, when message headers are encoded (RFC
2047) then the rules need to be specified for the encoded
form.
-.PP
+
Message headers added by the \fBcleanup\fR(8) daemon itself
are excluded from inspection. Examples of such message headers
are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
In order to use LDAP lookups, define an LDAP source as a lookup
table in main.cf, for example:
-
.ti +4
alias_maps = ldap:/etc/postfix/ldap-aliases.cf
return the key itself.
For example, NEVER do this in a map defining $mydestination:
-
.in +4
query_filter = domain=*
.br
.in -4
Do this instead:
-
.in +4
query_filter = domain=%s
.br
strings.
.IP "\fBserver_host (default: localhost)\fR"
The name of the host running the LDAP server, e.g.
-
.ti +4
server_host = ldap.example.com
trying them in order should the first one fail. It should also
be possible to give each server in the list a different port
(overriding \fBserver_port\fR below), by naming them like
-
.ti +4
server_host = ldap.example.com:1444
With OpenLDAP, a (list of) LDAP URLs can be used to specify both
the hostname(s) and the port(s):
-
.ti +4
server_host = ldap://ldap.example.com:1444
.ti +8
including connections over UNIX domain sockets, and LDAP SSL
(the last one provided that OpenLDAP was compiled with support
for SSL):
-
.ti +4
server_host = ldapi://%2Fsome%2Fpath
.ti +8
ldaps://ldap.example.com:636
.IP "\fBserver_port (default: 389)\fR"
The port the LDAP server listens on, e.g.
-
.ti +4
server_port = 778
.IP "\fBtimeout (default: 10 seconds)\fR"
The number of seconds a search can take before timing out, e.g.
-
.ti +4
timeout = 5
.IP "\fBsearch_base (No default; you must configure this)\fR"
The RFC2253 base DN at which to conduct the search, e.g.
-
.ti +4
search_base = dc=your, dc=com
.IP
The RFC2254 filter used to search the directory, where \fB%s\fR
is a substitute for the address Postfix is trying to resolve,
e.g.
-
.ti +4
query_filter = (&(mail=%s)(paid_up=true))
input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
%2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
unqualified or does not have enough domain components to satisfy
-all the specified patterns, the search is suppressed and returns
+all the specified patterns, the saerch is suppressed and returns
no results.
.IP
The above %1, ..., %9 expansions are available with Postfix 2.2
are eligible for lookup: 'user' lookups, bare domain lookups
and "@domain" lookups are not performed. This can significantly
reduce the query load on the LDAP server.
-
.ti +4
domain = postfix.org, hash:/etc/postfix/searchdomains
The attribute(s) Postfix will read from any directory
entries returned by the lookup, to be resolved to an email
address.
-
.ti +4
result_attribute = mailbox, maildrop
-.IP "\fBspecial_result_attribute (default: empty)\fR"
+.IP "\fBspecial_result_attribute (No default)\fR"
The attribute(s) of directory entries that can contain DNs
or URLs. If found, a recursive subsequent search is done
using their values.
-
.ti +4
-special_result_attribute = memberdn
+special_result_attribute = member
DN recursion retrieves the same result_attributes as the
main query, including the special attributes for further
listed in "result_attribute". If the URI lists any of the
map's special result attributes, these are also retrieved
and used recursively.
-.IP "\fBterminal_result_attribute (default: empty)\fR"
-When one or more terminal result attributes are found in an LDAP
-entry, all other result attributes are ignored and only the terminal
-result attributes are returned. This is useful for delegating expansion
-of group members to a particular host, by using an optional "maildrop"
-attribute on selected groups to route the group to a specific host,
-where the group is expanded, possibly via mailing-list manager or
-other special processing.
-
-.ti +4
-terminal_result_attribute = maildrop
-
-This feature is available with Postfix 2.4 or later.
-.IP "\fBleaf_result_attribute (default: empty)\fR"
-When one or more special result attributes are found in a non-terminal
-(see above) LDAP entry, leaf result attributes are excluded from the
-expansion of that entry. This is useful when expanding groups and the
-desired mail address attribute(s) of the member objects obtained via
-DN or URI recursion are also present in the group object. To only
-return the attribute values from the leaf objects and not the
-containing group, add the attribute to the leaf_result_attribute list,
-and not the result_attribute list, which is always expanded. Note,
-the default value of "result_attribute" is not empty, you may want to
-set it explicitly empty when using "leaf_result_attribute" to expand
-the group to a list of member DN addresses. If groups have both
-member DN references AND attributes that hold multiple string valued
-rfc822 addresses, then the string attributes go in "result_attribute".
-The attributes that represent the email addresses of objects
-referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
-
-.in +4
-result_attribute = memberaddr
-.br
-special_result_attribute = memberdn
-.br
-terminal_result_attribute = maildrop
-.br
-leaf_result_attribute = mail
-.in -4
-
-This feature is available with Postfix 2.4 or later.
.IP "\fBscope (default: sub)\fR"
The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
Whether or not to bind to the LDAP server. Newer LDAP
implementations don't require clients to bind, which saves
time. Example:
-
.ti +4
bind = no
the clear.
.IP "\fBbind_dn (default: empty)\fR"
If you do have to bind, do it with this distinguished name. Example:
-
.ti +4
bind_dn = uid=postfix, dc=your, dc=com
.IP "\fBbind_pw (default: empty)\fR"
password. This is because main.cf needs to be world readable
to allow local accounts to submit mail via the sendmail
command. Example:
-
.ti +4
bind_pw = postfixpw
.IP "\fBcache (IGNORED with a warning)\fR"
LDAP SSL service can be requested by using a LDAP SSL URL
in the server_host parameter:
-
.ti +4
server_host = ldaps://ldap.example.com:636
STARTTLS can be turned on with the start_tls parameter:
-
.ti +4
start_tls = yes
Both forms require LDAP protocol version 3, which has to be set
explicitly with:
-
.ti +4
version = 3
Here's a basic example for using LDAP to look up local(8)
aliases.
Assume that in main.cf, you have:
-
.ti +4
alias_maps = hash:/etc/aliases,
.ti +8
ldap:/etc/postfix/ldap-aliases.cf
and in ldap:/etc/postfix/ldap-aliases.cf you have:
-
.in +4
-server_host = ldap.example.com
+server_host = ldap.my.com
.br
-search_base = dc=example, dc=com
+search_base = dc=my, dc=com
.in -4
Upon receiving mail for a local address "ldapuser" that
isn't found in the /etc/aliases database, Postfix will
-search the LDAP server listening at port 389 on ldap.example.com.
+search the LDAP server listening at port 389 on ldap.my.com.
It will bind anonymously, search for any directory entries
whose mailacceptinggeneralid attribute is "ldapuser", read
the "maildrop" attributes of those found, and build a list
Cambridge
CB10 1SB, UK
+Based on the NIS client code:
+
Adopted and adapted by:
Wietse Venema
IBM T.J. Watson Research
.SH "SYNOPSIS"
.na
.nf
-\fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
+\fBpostmap -fq "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
-\fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+\fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
.SH DESCRIPTION
.ad
.fi
Alternatively, lookup tables can be specified in Perl Compatible
Regular Expression form. In this case, each input is compared
-against a list of patterns. When a match is found, the
-corresponding result is returned and the search is terminated.
+against a list of patterns, and when a match is found the
+corresponding result is returned.
To find out what types of lookup tables your Postfix system
supports use the "\fBpostconf -m\fR" command.
-To test lookup tables, use the "\fBpostmap -q\fR" command as
+To test lookup tables, use the "\fBpostmap -fq\fR" command as
described in the SYNOPSIS above.
-.SH "COMPATIBILITY"
-.na
-.nf
-.ad
-.fi
-With Postfix version 2.2 and earlier specify "\fBpostmap
--fq\fR" to query a table that contains case sensitive
-patterns. Patterns are case insensitive by default.
.SH "TABLE FORMAT"
.na
.nf
The time unit over which client connection rates and other rates
are calculated.
.PP
-This feature is implemented by the \fBanvil\fR(8) service which is available
-in Postfix version 2.2 and later.
+This feature is implemented by the \fBanvil\fR(8) service which is not
+part of the stable Postfix version 2.1 release.
.PP
The default interval is relatively short. Because of the high
frequency of updates, the \fBanvil\fR(8) server uses volatile memory
.PP
The format of the "delays=a/b/c/d" logging is as follows:
.IP \(bu
-a = time from message arrival to last active queue entry
+a = time before the queue manager, including message transmission
.IP \(bu
-b = time from last active queue entry to connection setup
+b = time in queue manager
.IP \(bu
c = time in connection setup, including DNS, EHLO and TLS
.IP \(bu
Note 1: you need to stop and start Postfix when this parameter changes.
.PP
Note 2: address information may be enclosed inside [],
-but this form is not required here.
+but this form is not recommended here.
.PP
When inet_interfaces specifies just one IPv4 and/or IPv6 address
that is not a loopback address, the Postfix SMTP client will use
smtpd_discard_ehlo_keyword_address_maps.
.PP
This feature is available in Postfix 2.3 and later.
-.SH lmtp_discard_lhlo_keywords (default: empty)
+.SH lmtp_discard_lhlo_keywords (default: $myhostname)
A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the LMTP client will ignore in the LHLO response
from a remote LMTP server.
.ad
.ft R
.SH max_idle (default: 100s)
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily. This
-parameter
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting. This parameter
is ignored by the Postfix queue manager and by other long-lived
Postfix daemon processes.
.PP
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
The default time unit is s (seconds).
.SH max_use (default: 100)
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily. This parameter
-is ignored by the Postfix queue
+The maximal number of connection requests before a Postfix daemon
+process terminates. This parameter is ignored by the Postfix queue
manager and by other long-lived Postfix daemon processes.
.SH maximal_backoff_time (default: 4000s)
The maximal time between attempts to deliver a deferred message.
Postfix refuses mail that is nested deeper than the specified limit.
.PP
This feature is available in Postfix 2.0 and later.
-.SH minimal_backoff_time (default: 300s)
-The minimal time between attempts to deliver a deferred message;
-prior to Postfix 2.4 the default value was 1000s.
-.PP
+.SH minimal_backoff_time (default: version dependent)
+The minimal time between attempts to deliver a deferred message.
This parameter also limits the time an unreachable destination is
kept in the short-term, in-memory, destination status cache.
.PP
+With Postfix 2.4 the default value was reduced from 1000s to
+300s.
+.PP
This parameter should be set greater than or equal to
$queue_run_delay. See also $maximal_backoff_time.
.PP
.PP
With Postfix versions 2.0 and earlier, a queue_minfree value of
zero means there is no minimum required amount of free space.
-.SH queue_run_delay (default: 300s)
-The time between deferred queue scans by the queue manager;
-prior to Postfix 2.4 the default value was 1000s.
+.SH queue_run_delay (default: version dependent)
+The time between deferred queue scans by the queue manager.
+.PP
+With Postfix 2.4 the default value was reduced from 1000s to 300s.
.PP
This parameter should be set less than or equal to
$minimal_backoff_time. See also $maximal_backoff_time.
.SH relay_recipient_maps (default: empty)
Optional lookup tables with all valid addresses in the domains
that match $relay_domains. Specify @domain as a wild-card for
-domains that have no valid recipient list, and become a source of
-backscatter mail: Postfix accepts spam for non-existent recipients
-and then floods innocent people with undeliverable mail. Technically,
-tables
+domains that do not have a valid recipient list. Technically, tables
listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
use the result from table lookup.
inet_interfaces documentation for more detail.
.PP
Note 2: address information may be enclosed inside [],
-but this form is not required here.
+but this form is not recommended here.
.SH smtp_bind_address6 (default: empty)
An optional numerical network address that the Postfix SMTP client
should bind to when making an IPv6 connection.
.SH "SYNOPSIS"
.na
.nf
-\fBpostmap -q "\fIstring\fB" regexp:/etc/postfix/\fIfilename\fR
+\fBpostmap -fq "\fIstring\fB" regexp:/etc/postfix/\fIfilename\fR
-\fBpostmap -q - regexp:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+\fBpostmap -fq - regexp:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
.SH DESCRIPTION
.ad
.fi
Alternatively, lookup tables can be specified in POSIX regular
expression form. In this case, each input is compared against a
-list of patterns. When a match is found, the corresponding
-result is returned and the search is terminated.
+list of patterns, and when a match is found the corresponding
+result is returned.
To find out what types of lookup tables your Postfix system
supports use the "\fBpostconf -m\fR" command.
-To test lookup tables, use the "\fBpostmap -q\fR" command
-as described in the SYNOPSIS above.
-.SH "COMPATIBILITY"
-.na
-.nf
-.ad
-.fi
-With Postfix version 2.2 and earlier specify "\fBpostmap
--fq\fR" to query a table that contains case sensitive
-patterns. Patterns are case insensitive by default.
+To test lookup tables, use the "\fBpostmap -fq\fR" command as
+described in the SYNOPSIS above.
.SH "TABLE FORMAT"
.na
.nf
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/relocated\fR" to rebuild an indexed
-file after changing the corresponding relocated table.
+"\fBpostmap /etc/postfix/relocated\fR" in order to rebuild the indexed
+file after changing the relocated table.
When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those case, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
Table lookups are case insensitive.
.SH "CASE FOLDING"
expression lookup table syntax, see \fBregexp_table\fR(5) or
\fBpcre_table\fR(5). For a description of the TCP client/server
table lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each pattern is a regular expression that is applied to the entire
address being looked up. Thus, \fIuser@domain\fR mail addresses are not
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format, is used
for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/transport\fR" to rebuild an indexed
-file after changing the corresponding transport table.
+"\fBpostmap /etc/postfix/transport\fR" in order to rebuild the indexed
+file after changing the transport table.
When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those case, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
.SH "CASE FOLDING"
.na
.nf
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire recipient address once. Thus,
\fIsome.domain.hierarchy\fR is not looked up via its parent domains,
that serves as input to the \fBpostmap\fR(1) command.
The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
is used for fast searching by the mail system. Execute the command
-"\fBpostmap /etc/postfix/virtual\fR" to rebuild an indexed
-file after changing the corresponding text file.
+"\fBpostmap /etc/postfix/virtual\fR" in order to rebuild the indexed
+file after changing the text file.
When the table is provided via other means such as NIS, LDAP
or SQL, the same lookups are done as for ordinary indexed files.
Alternatively, the table can be provided as a regular-expression
map where patterns are given as regular expressions, or lookups
-can be directed to TCP-based server. In those case, the lookups
-are done in a slightly different way as described below under
-"REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+can be directed to TCP-based server. In that case, the lookups are
+done in a slightly different way as described below under
+"REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
.SH "CASE FOLDING"
.na
.nf
.IP "@\fIdomain address, address, ...\fR"
Redirect mail for other users in \fIdomain\fR to \fIaddress\fR.
This form has the lowest precedence.
-.sp
-Note: @\fIdomain\fR is a wild-card. With this form, the
-Postfix SMTP server accepts
-mail for any recipient in \fIdomain\fR, regardless of whether
-that recipient exists. This may turn your mail system into
-a backscatter source that returns undeliverable spam to
-innocent people.
.SH "RESULT ADDRESS REWRITING"
.na
.nf
This section describes how the table lookups change when lookups
are directed to a TCP-based server. For a description of the TCP
client/server lookup protocol, see \fBtcp_table\fR(5).
-This feature is not available up to and including Postfix version 2.4.
+This feature is not available up to and including Postfix version 2.3.
Each lookup operation uses the entire address once. Thus,
\fIuser@domain\fR mail addresses are not broken up into their
In this preliminary implementation, a count (or rate) limited server
can have only one remote client at a time. If a server reports
-multiple simultaneous clients, state is kept only for the last
-reported client.
+multiple simultaneous clients, all but the last reported client
+are ignored.
The \fBanvil\fR(8) server automatically discards client
request information after it expires. To prevent the
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
Append a recipient (non-)delivery status record to a per-message
log file.
.IP \(bu
-Enqueue a delivery status notification message, with a copy
-of a per-message log file and of the corresponding message.
-When the delivery status notification message is
+Enqueue a bounce message, with a copy of a per-message log file
+and of the corresponding message. When the bounce message is
enqueued successfully, the per-message log file is deleted.
.PP
The software does a best notification effort. A non-delivery
The mail system name that is displayed in Received: headers, in
the SMTP greeting banner, and in bounced mail.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBnotify_classes (resource, software)\fR"
The list of error classes that are reported to the postmaster.
.IP "\fBprocess_id (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBmyhostname (see 'postconf -d' output)\fR"
The internet hostname of this mail system.
.IP "\fBmyorigin ($myhostname)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The Postfix \fBerror\fR(8) delivery agent processes delivery
requests from
the queue manager. Each request specifies a queue file, a sender
-address, the reason for non-delivery (specified as the
-next-hop destination), and recipient information.
+address, a domain or host name that is treated as the reason for
+non-delivery, and recipient information.
The reason may be prefixed with an RFC 3463-compatible detail code.
This program expects to be run from the \fBmaster\fR(8) process
manager.
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBnotify_classes (resource, software)\fR"
The list of error classes that are reported to the postmaster.
.IP "\fBprocess_id (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern.
.IP "\fBlocal_command_shell (empty)\fR"
Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprepend_delivered_header (command, file, forward)\fR"
The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
agent prepends a Delivered-To: message header with the address
The default maximal number of Postfix child processes that provide
a given service.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBservice_throttle_time (60s)\fR"
How long the Postfix \fBmaster\fR(8) waits before forking a server that
appears to be malfunctioning.
Upon input, long lines are chopped up into pieces of at most
this length; upon delivery, long lines are reconstructed.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
by, for example, \fBUUCP\fR software.
.RE
.IP "\fBnull_sender\fR=\fIreplacement\fR (default: MAILER-DAEMON)"
-Replace the null sender address (typically used for delivery
-status notifications) with the specified text
+Replace the null sender address, which is typically used
+for delivery status notifications, with the specified text
when expanding the \fB$sender\fR command-line macro, and
when generating a From_ or Return-Path: message header.
The UNIX system account that owns the Postfix queue and most Postfix
daemon processes.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
.ad
.fi
Problems and transactions are logged to \fBsyslogd\fR(8).
+.SH BUGS
+.ad
+.fi
+The \fBshowq\fR(8) daemon runs at a fixed low privilege; consequently,
+it cannot extract information from queue files in the
+\fBmaildrop\fR directory.
.SH "CONFIGURATION PARAMETERS"
.na
.nf
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
By default, connection caching is enabled temporarily for
destinations that have a high volume of mail in the active
-queue. Connection caching can be enabled permanently for
+queue. Session caching can be enabled permanently for
specific destinations.
.SH "SMTP DESTINATION SYNTAX"
.na
when the client is used for multiple domains.
Most smtp_\fIxxx\fR configuration parameters have an
-lmtp_\fIxxx\fR "mirror" parameter for the equivalent LMTP
+lmtp_\fIxxx\fR "ghost" parameter for the equivalent LMTP
feature. This document describes only those LMTP-related
-parameters that aren't simply "mirror" parameters.
+parameters that aren't simply "ghost" parameters.
Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtp\fR(8)
processes run for only a limited amount of time. Use the command
case insensitive lists of LHLO keywords (pipelining, starttls,
auth, etc.) that the LMTP client will ignore in the LHLO response
from a remote LMTP server.
-.IP "\fBlmtp_discard_lhlo_keywords (empty)\fR"
+.IP "\fBlmtp_discard_lhlo_keywords ($myhostname)\fR"
A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the LMTP client will ignore in the LHLO response
from a remote LMTP server.
.IP "\fBlmtp_tcp_port (24)\fR"
The default TCP port that the Postfix LMTP client connects to.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The UNIX system account that owns the Postfix queue and most Postfix
daemon processes.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBmyhostname (see 'postconf -d' output)\fR"
The internet hostname of this mail system.
.IP "\fBmynetworks (see 'postconf -d' output)\fR"
The UNIX system account that owns the Postfix queue and most Postfix
daemon processes.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBrelocated_maps (empty)\fR"
Optional lookup tables with new contact information for users or
domains that no longer exist.
The time limit for sending or receiving information over an internal
communication channel.
.IP "\fBmax_idle (100s)\fR"
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily.
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting.
.IP "\fBmax_use (100)\fR"
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily.
+The maximal number of connection requests before a Postfix daemon
+process terminates.
.IP "\fBprocess_id (read-only)\fR"
The process ID of a Postfix command or daemon process.
.IP "\fBprocess_name (read-only)\fR"
{
Again:
- if (/(-[<\/bB>]*|RFC)$/) {
+ if (/-[<\/bB>]*$/) {
$_ .= "\n";
$len1 = length;
$_ .= <>;
s;\bmilter_unknown_command_macros\b;<a href="postconf.5.html#milter_unknown_command_macros">$&</a>;g;
s;\bmilter_end_of_data_macros\b;<a href="postconf.5.html#milter_end_of_data_macros">$&</a>;g;
- # Hyperlink URLs and RFC documents
-
- s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
- s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
- s/\bRFC\s*([1-9]\d*)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc$1.html">$&<\/a>/;
-
- # Split README/RFC/parameter/restriction hyperlinks that span line breaks
+ # Split *README, parameter or restriction hyperlinks across line breaks
s/(<a href="[^"]*">)([-A-Za-z0-9_]*)\b([-<\/bB>]*\n *[<bB>]*)\b([-A-Za-z0-9_]*)(<\/a>)/$1$2$5$3$1$4$5/;
s/(<a href="[^"]*">)([<bB>]*[-a-zA-Z0-9._]*[<bB>]*)<\/a>\1/$1$2/g;
s/(<a href="[^"]*">)([<bB>]*[-a-zA-Z0-9._]*[<bB>]*)<\/a>\1/$1$2/g;
+ # Hyperlink URLs and RFC documents
+
+ s/(http:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
+ s/(ftp:\/\/[^ ,"\(\)]*[^ ,"\(\):;!?.])/<a href="$1">$1<\/a>/;
+ s/\bRFC *([1-9]\d*)/<a href="http:\/\/www.faqs.org\/rfcs\/rfc$1.html">$&<\/a>/;
+
# Hyperlink phrases not in headers.
if (/<\/*h\d>/) {
esac) || exit 1
continue;;
- # Hard link. Skip files that are not installed.
-
- h) eval echo $path | (IFS=/ read prefix file; test "$prefix" = "no" || (
- eval dest_path=$install_root$path
- check_parent $dest_path || exit 1
- eval source_path=$install_root$source
- compare_or_hardlink $source_path $dest_path || exit 1
- )) || exit 1
+ # Hard link
+
+ h) eval dest_path=$install_root$path
+ check_parent $dest_path || exit 1
+ eval source_path=$install_root$source
+ compare_or_hardlink $source_path $dest_path || exit 1
continue;;
- # Symbolic link. Skip files that are not installed.
+ # Symbolic link
- l) eval echo $path | (IFS=/ read prefix file; test "$prefix" = "no" || (
- eval dest_path=$install_root$path
- check_parent $dest_path || exit 1
- eval source_path=$install_root$source
- compare_or_symlink $source_path $dest_path || exit 1
- )) || exit 1
+ l) eval dest_path=$install_root$path
+ check_parent $dest_path || exit 1
+ eval source_path=$install_root$source
+ compare_or_symlink $source_path $dest_path || exit 1
continue;;
*) echo $0: Error: unknown type $type for $path in conf/postfix-files 1>&2
<li> <p> The list of domains that are a member of the class: for
example, all local domains, or all relay domains. </p>
-<li> <p> The default delivery transport. For example, the local,
-virtual or relay delivery transport (delivery transports are defined
-in master.cf). This helps to keep Postfix configurations simple,
-by avoiding the need for explicit routing information in transport
-maps. </p>
+<li> <p> The default delivery method. For example, the local or
+smtp delivery agent. This helps to keep Postfix configurations
+simple. </p>
<li> <p> The list of valid recipient addresses for that address
class. The Postfix SMTP server rejects invalid recipients with
<p> The sender/recipient address verification feature described in this
document is suitable only for low-traffic sites. It performs poorly
-under high load; excessive sender address verification activity may
-even cause your site to be blacklisted by some
+under high load and may cause your site to be blacklisted by some
providers. See the "<a href="#limitations">Limitations</a>" section
below for details. </p>
<p> Recipient address verification is relatively straightforward
and there are no surprises. If a recipient probe fails, then Postfix
rejects mail for the recipient address. If a recipient probe
-succeeds, then Postfix accepts mail for the recipient address.
-However, recipient address verification probes can increase the
-load on down-stream MTAs when you're being flooded by backscatter
-bounces, or when some spammer is mounting a dictionary attack. </p>
+succeeds, then Postfix accepts mail for the recipient address. </p>
<p> By default, address verification results are not saved. To avoid
probing the same address repeatedly, you can store the result in a
the same performance improvement as with a shared connection cache,
non-shared connections need to be kept open for a longer time. </p>
-<p> The scache(8) server, introduced with Postfix version 2.2,
-maintains the shared connection cache. With Postfix version 2.2,
-only the smtp(8) client has support to access this cache. </p>
-
<blockquote>
<table>
-<tr> <td> </td> <td> <tt> /-- </tt> </td> <td align="center"
-colspan="3" bgcolor="#f0f0ff"> smtp(8) </td> <td colspan="2"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td align="center" bgcolor="#f0f0ff"> qmgr(8) </td> <td> </td>
-<td align="center" rowspan="3"> </td> <td align="center"
-rowspan="3"><tt>|<br>|<br>|<br>|<br>v</tt></td> <td> </td>
-</tr>
-
-<tr> <td> </td> <td> <tt> \-- </tt> </td> <td align="center"
-colspan="2" bgcolor="#f0f0ff"> smtp(8) </td> <td align="left"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center"><tt>^<br>|</tt></td>
-<td> </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center" colspan="3"
-bgcolor="#f0f0ff"> scache(8) </td> </tr>
+<tr> <td> Internet <-- </td> <td align="center" bgcolor="#f0f0ff">
+<br> smtp(8) <br> </td> <td> <tt> <-> </tt> </td> <td
+align="center" bgcolor="#f0f0ff"> <br> scache(8) <br> </td>
+<td> <tt> <-> </tt> </td> <td align="center" bgcolor="#f0f0ff">
+<br> smtp(8) <br> </td> <td> --> Internet </td>
</table>
</blockquote>
+<p> The scache(8) server, introduced with Postfix version 2.2,
+maintains the shared connection cache. With Postfix version 2.2,
+only the smtp(8) client has support to access this cache. </p>
+
<p> When SMTP connection caching is enabled (see next section), the
smtp(8) client does not disconnect after a mail transaction, but
gives the connection to the scache(8) server which keeps the
-connection open for a limited amount of time. </p>
+connection open for a limited amount of time. </p>
<p> After handing over the open connection to the scache(8) server,
the smtp(8) client continues with some other mail delivery request.
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix Cyrus Howto</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix Cyrus Howto</h1>
+
+<hr>
+
+<p> This document will be made available via http://www.postfix.org/. </p>
+
+</body>
+
+</html>
<li> You can use Berkeley DB files with fixed lookup strings for
simple address rewriting operations and you can use regular expression
-tables for the more complicated work. In other words, you don't
-have to put everything into the same table.
+tables for the more complicated work.
</ul>
postmap(1) or postalias(1) overwrite existing files. If the update
fails in the middle then you have no usable database, and Postfix
will stop working. This is not an issue with the CDB database type
-available with Postfix 2.2 and later: <a href="CDB_README.html">CDB</a>
-creates a new file, and renames the file upon successful completion.
-</p>
+available with Postfix 2.2 and later, because <a href="CDB_README.html">CDB</a>
+database rebuilds are atomic. </p>
<p> With multi-file databases such as DBM, there is no simple
solution. With Berkeley DB and other "one file" databases, it is
where "host" specifies a symbolic hostname or a numeric IP address,
and "port" specifies a symbolic service name or a numeric port
number. This protocol is not available up to and including Postfix
-version 2.4. </dd>
+version 2.2. </dd>
<dt> <b>unix</b> (read-only) </dt>
<h2><a name="no_db">Building Postfix on systems without Berkeley
DB</a></h2>
-<p> Some UNIXes ship without Berkeley DB support; for historical
-reasons these use DBM files instead. A problem with DBM files is
-that they can store only limited amounts of data. To build Postfix
-with
+<p> Many commercial UNIXes ship without Berkeley DB support. Examples
+are Solaris, HP-UX, IRIX, UNIXWARE. In order to build Postfix with
Berkeley DB support you need to download and install the source
-code from http://www.oracle.com/database/berkeley-db/. </p>
+code from http://www.sleepycat.com/ </p>
<p> Warning: some Linux system libraries use Berkeley DB, as do
some third-party libraries such as SASL. If you compile Postfix
with a different Berkeley DB implementation, then every Postfix
-program will dump core because either the system library, the SASL
+program will dump core because either the system library, SASL
library, or Postfix itself ends up using the wrong version. </p>
<p>The more recent Berkeley DB versions have a compile-time switch,
falling apart. </p>
<p> To build Postfix after you installed the Berkeley DB from
-source code, use something like: </p>
+http://www.sleepycat.com/, use something like: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> More information is available at
-http://www.oracle.com/database/berkeley-db/. </p>
+<p> More information is available at http://www.sleepycat.com/. </p>
</body>
permissions, incorrect configuration file settings that you can
fix. Postfix cannot proceed until this is fixed. </p>
-<li> <p> "<b>error</b>" reports an error condition. For safety
-reasons, a Postfix process will terminate when more than 13 of these
-happen. </p>
+<li> <p> "<b>error</b>" reports a fatal or non-fatal error condition.
+Postfix cannot proceed until this is fixed. </p>
<li> <p> "<b>warning</b>" indicates a non-fatal error. These are
problems that you may not be able to fix (such as a broken DNS
</ul>
<p> These reports contain information that is generated by Postfix
-delivery agents. Since these run as daemon processes that cannot
+delivery agents. Since these run as daemon processes and do not
interact with users directly, the result is sent as mail to the
sender of the test message. The format of these reports is practically
identical to that of ordinary non-delivery notifications. </p>
<h2><a name="sniffer">Record the SMTP session with a network sniffer</a></h2>
<p> This example uses <b>tcpdump</b>. In order to record a conversation
-you need to specify a large enough buffer with the "<b>-s</b>"
-option or else you will miss some or all of the packet payload.
-</p>
+you need to specify a large enough buffer with the "-s" option or
+else you will miss some or all of the packet payload. </p>
<blockquote>
<pre>
-# <b>tcpdump -w /file/name -s 0 host example.com and port 25</b>
+# <b>tcpdump -w /file/name -s 2000 host example.com and port 25</b>
</pre>
</blockquote>
-<p> Older tcpdump versions don't support "<b>-s 0</b>"; in that case,
-use "<b>-s 2000</b>" instead. </p>
-
<p> Run this for a while, stop with Ctrl-C when done. To view the
-data use a binary viewer, <b>ethereal</b>, or good old <b>less</b>.
+data use a binary viewer, or <b>ethereal</b>, or use my <b>tcpdumpx</b>
+utility that is available from ftp://ftp.porcupine.org/pub/debugging/.
</p>
<h2><a name="verbose">Making Postfix daemon programs more verbose</a></h2>
<p> Append one or more "<b>-v</b>" options to selected daemon
definitions in /etc/postfix/master.cf and type "<b>postfix reload</b>".
This will cause a lot of activity to be logged to the syslog daemon.
-For example, to make the Postfix SMTP server process more verbose: </p>
+Example: </p>
<blockquote>
<pre>
</pre>
</blockquote>
-<p> To diagnose problems with address rewriting specify a "<b>-v</b>"
+<p> This makes the Postfix SMTP server more verbose. To diagnose
+problems with address rewriting one would specify a "<b>-v</b>"
option for the cleanup(8) and/or trivial-rewrite(8) daemon, and to
-diagnose problems with mail delivery specify a "<b>-v</b>"
+diagnose problems with mail delivery one would specify a "<b>-v</b>"
option for the qmgr(8) or oqmgr(8) queue manager, or for the lmtp(8),
local(8), pipe(8), smtp(8), or virtual(8) delivery agent. </p>
<li> <p> Postfix logging. See the text at the top of the DEBUG_README
document to find out where logging is stored. Please do not frustrate
-the helpers by word wrapping the logging. If the logging is more
-than a few kbytes of text, consider posting an URL on a web or ftp
-site. </p>
+the helpers by word wrapping the logging. </p>
<li> <p> Consider using a test email address so that you don't have
to reveal email addresses or passwords of innocent people. </p>
<li> <p> If you can't use a test email address, please anonymize
-email addresses and host names consistently. Replace each letter
-by "A", each digit
+information consistently. Replace each letter by "A", each digit
by "D" so that the helpers can still recognize syntactical errors.
</p>
<li> <p> Output from "<b>postconf -n</b>". Please do not send your
-main.cf file, or 500+ lines of <b>postconf</b> output. </p>
+main.cf file or 400+ lines of <b>postconf</b> output. </p>
-<li> <p> Better, provide output from the <b>postfinger</b> tool.
+<li> <p> Better, provide output from the <b>postfinger</b> tool.
This can be found at http://ftp.wl0.org/SOURCES/postfinger. </p>
<li> <p> If the problem is SASL related, consider including the
including output from the <b>qshape</b> tool, as described in the
QSHAPE_README file. </p>
-<li> <p> If the problem is protocol related (connections time out,
+<li> <p> If the problem is protocol related (connections time out
or an SMTP server complains about syntax errors etc.) consider
recording a session with <b>tcpdump</b>, as described in the <a
href="#sniffer">DEBUG_README</a> document. </ul>
</ul>
<p> The implementation of DSN support involves extra parameters to
-the SMTP MAIL FROM and RCPT TO commands, as well as two Postfix
+the SMTP MAIL FROM and RCPT TO commands, as well as new Postfix
sendmail command line options that provide a sub-set of the functions
of the extra SMTP command parameters. </p>
not delivered via the connection that was used for sending ETRN.
</p>
+<p> Postfix versions before 1.0 (also known as version 20010228)
+implemented the ETRN command in an inefficient manner: they simply
+attempted to deliver all queued mail. This is slow on mail servers
+that queue mail for many customers. </p>
+
<p> As of version 1.0, Postfix has a fast ETRN implementation that
does not require Postfix to examine every queue file. Instead,
Postfix maintains a record of what queue files contain mail for
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.customer.domain</b>
+<b>etrn some.customer.domain</b>
250 Queuing started
-<b>QUIT</b>
+<b>quit</b>
221 Bye
</pre>
</blockquote>
<p> The Postfix operator can request delivery for a specific customer
by using the command "sendmail -qR<i>destination</i>" and, with
Postfix version 1.1 and later, "postqueue -s<i>destination</i>".
-Access to this feature is controlled with the authorized_flush_users
-configuration parameter (Postfix version 2.2 and later).
</p>
<h2><a name="how">How Postfix fast ETRN works</a></h2>
with queue file names. When a request to "deliver mail now" arrives,
Postfix will attempt to deliver all recipients in the queue files
that have mail for the destination in question. This does not
-perform well with queue files that have recipients in many different
-domains, such as queue files with outbound mailing list traffic.
-</p>
+perform well when queue files have recipients in many different
+domains. </p>
<li> <p> The flush(8) daemon maintains per-destination logfiles
only for destinations listed with $fast_flush_domains. With other
-destinations you cannot request delivery with "sendmail
+destinations it not possible to trigger delivery with "sendmail
-qR<i>destination</i>" or, with Postfix version 1.1 and later,
"postqueue -s<i>destination</i>". </p>
the list of message delivery transports specified with the
defer_transports configuration parameter. </p>
-<li> <p> Up to and including Postfix version 2.3, the "fast flush"
-service may not deliver some messages if the request to "deliver
-mail now" arrives while an incoming queue scan is already in progress.
-</p>
-
</ul>
<h2><a name="config">Configuring the Postfix fast ETRN service</a></h2>
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.customer.domain</b>
+<b>etrn some.customer.domain</b>
250 Queuing started
</pre>
</blockquote>
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN some.other.customer.domain</b>
+<b>etrn some.other.customer.domain</b>
250 Queuing started
</pre>
</blockquote>
<blockquote>
<pre>
220 my.server.tld ESMTP Postfix
-<b>HELO my.client.tld</b>
+<b>helo my.client.tld</b>
250 Ok
-<b>ETRN not.a.customer.domain</b>
+<b>etrn not.a.customer.domain</b>
459 <not.a.customer.domain>: service unavailable
</pre>
</blockquote>
be covered by a later version of this document. </p>
<p> The after-queue content filter is not to be confused with the
-approaches described in the SMTPD_PROXY_README or MILTER_README
-documents,
+approach that is described in the SMTPD_PROXY_README document,
where incoming SMTP mail is filtered BEFORE it is stored into the
Postfix queue. </p>
<h2><a name="principles">Principles of operation</a> </h2>
-<p> An after-queue content filter receives unfiltered mail from Postfix
-(as described further below) and can do one of the following: </p>
+<p> An external content filter receives unfiltered mail from Postfix
+(as described further below) and does one of the following: </p>
<ol>
<li> <p> Re-inject the mail back into Postfix, perhaps after changing
content and/or destination. </p>
-<li> <p> Discard or quarantine the mail. </p>
-
<li> <p> Reject the mail (by sending a suitable status code back to
- Postfix). Postfix will send the mail back to the sender address. </p>
+ Postfix). Postfix will return the mail to the sender. </p>
</ol>
<h2><a name="simple_filter">Simple content filter example</a></h2>
-<p> The first example is simple to set up, but has major limitations
-that will be addressed in a second example. Postfix receives
+<p> The first example is simple to set up. Postfix receives
unfiltered mail from the network with the smtpd(8) server, and
delivers unfiltered mail to a content filter with the Postfix
pipe(8) delivery agent. The content filter injects filtered mail
<ul>
-<li> <p> Line 8: The -G option says the filter output is not a local
-mail submission: don't do silly things like appending the local
-domain name to addresses in message headers. This option does
-nothing before Postfix version 2.3. </p>
+<li> <p> Line 8: The -G option does nothing before Postfix 2.3,
+otherwise it disables address rewriting of message headers. </p>
<li> <p> Line 8: The -i option says don't stop reading input when
a line contains "." only. </p>
<li> <p> Line 8: NEVER NEVER NEVER use the "-t" command-line option
-here. It will mis-deliver mail, like sending messages from a mailing
-list back to the mailing list. </p>
+here. It will mis-deliver mail, like sending mailing list mail back
+to the mailing list. </p>
<li> <p> Line 21: The idea is to first capture the message to
file and then run the content through a third-party content filter
program. </p>
-<li> <p> Line 22: If the message cannot be captured to file, mail
+<li> <p> Line 22: If the mail cannot be captured to file, mail
delivery is deferred by terminating with exit status 75 (EX_TEMPFAIL).
Postfix places the message in the deferred mail queue and tries
again later. </p>
<li> <p> Line 26: If the content filter program finds a problem,
the mail is bounced by terminating with exit status 69 (EX_UNAVAILABLE).
-Postfix will send the message back to the sender as undeliverable
-mail.
+Postfix will return the message to the sender as undeliverable.
</p>
-<li> <p> NOTE: in this time of mail worms and spam, it is a BAD
+<li> <p> Note: in this time of mail worms and spam, it is a BAD
IDEA to send known viruses or spam back to the sender, because that
-address is likely to be forged. It is safer to discard known viruses
-and to quarantine suspicious content so that it can
+address is likely to be forged. It is safer to discard known to be
+bad content and to quarantine suspicious content so that it can
be inspected by a human being. </p>
<li> <p> Line 28: If the content is OK, it is given as input to
<blockquote>
<pre>
-% /path/to/script -f sender -- recipient... <message-file
+% /path/to/script -f sender recipient... <message-file
</pre>
</blockquote>
-o content_filter=filter:dummy
</pre>
-<p> The "-o content_filter" line causes Postfix to add one content
+<p> The "content_filter" line causes Postfix to add one content
filter request record to each incoming mail message, with content
"filter:dummy". This record overrides the normal mail routing
and causes mail to be given to the content filter instead. </p>
Postfix SMTP server. </p>
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
-filter request records from existing queue files. </p>
+filter information from existing queue files. </p>
<li> <p> Execute another "<b>postfix reload</b>". </p>
<p> The example given here filters all mail, including mail that
arrives via SMTP and mail that is locally submitted via the Postfix
-sendmail command (local submissions enter Postfix via the pickup(8)
-server; to keep the figure simple we omit local submission details).
-See examples near the end of this document for
+sendmail command. See examples near the end of this document for
how to exclude local users from filtering, or how to configure a
destination dependent content filter. </p>
<li> <p> The "-o disable_mime_output_conversion=yes" is a workaround
that prevents the breaking of domainkeys and other digital signatures.
This is needed because some SMTP-based content filters don't announce
-8BITMIME support, even though they can handle 8-bit mail. </p>
+8BITMIME support, even though they can handle it just fine. </p>
<li> <p> The "-o smtp_generic_maps=" is a workaround that prevents
local address rewriting with generic(5) maps. Such rewriting should
dangerous mail content - that is why it should be a separate account.
</p>
-<li> <p> By default, Postfix will terminate a command that runs
-longer than command_time_limit seconds (default: 1000s). This is a
-safety measure that prevents filters from running forever. </p>
-
</ul>
<p> If you want to have your filter listening on port localhost:10025
<ul>
-<li> <p> NOTE: do not use spaces around the "=" or "," characters. </p>
+<li> <p> Note: do not use spaces around the "=" or "," characters. </p>
-<li> <p> NOTE: the SMTP server must not have a smaller process
+<li> <p> Note: the SMTP server must not have a smaller process
limit than the "filter" master.cf entry. </p>
<li> <p> The "-o content_filter=" overrides main.cf settings, and
requests no content filtering for mail from the content filter.
-This is required or else mail will loop. </p>
+This is required or else mail will stay in the content filtering
+loop. </p>
<li> <p> The "-o receive_override_options" overrides main.cf settings
to avoid duplicating work that was already done before the content
<li> <p> We specify "no_milters" to disable Milter applications
(this option is available only in Postfix 2.3 and later). </p>
- <li> <p> We don't specify "no_address_mappings" here. This
+ <li> <p> We don't specify "no_address_mapping" here. This
enables virtual alias expansion, canonical mappings, address
masquerading, and other address mappings after the content
filter. The main.cf setting of "receive_override_options"
</blockquote>
<li> <p> Execute "<b>postsuper -r ALL</b>" to remove content
-filter request records from existing queue files. </p>
+filter information from existing queue files. </p>
<li> <p> Execute another "<b>postfix reload</b>". </p>
<h2> <a name="1">1 - Purpose of this document</a> </h2>
-<p> If you are using a pre-compiled version of Postfix, you should
-start with BASIC_CONFIGURATION_README and the general documentation
-referenced by it. INSTALL is only a bootstrap document to get
-Postfix up and running from scratch with the minimal number of
-steps; it should not be considered part of the general documentation.
-</p>
+<p> This is a bootstrap document that helps you get Postfix up and
+running from scratch with the minimal number of steps. If you are
+using a pre-compiled version of Postfix, you should be reading the
+general Postfix documentation which aims to describe the system in
+more detail. This bootstrap document should not be considered part
+of the general Postfix documentation. </p>
<p> This document describes how to build, install and configure a
Postfix system so that it can do one of the following: </p>
</blockquote>
<p> Of particular interest is the postconf(5) manual page that
-lists all the 500+ configuration parameters. The HTML version of
+lists all the 400+ configuration parameters. The HTML version of
this text makes it easy to navigate around. </p>
<p> All Postfix source files have their own built-in manual page.
OSF1.V3 - OSF1.V5 (Digital UNIX) <br>
Reliant UNIX 5.x <br>
Rhapsody 5.x <br>
-SunOS 4.1.4 (March 2007) <br>
-SunOS 5.4 - 5.10 (Solaris 2.4..10) <br>
+SunOS 4.1.4 (July 2006) <br>
+SunOS 5.4 - 5.9 (Solaris 2.4..9) <br>
Ultrix 4.x (well, that was long ago) <br>
</p>
</blockquote>
<p> On Solaris, the "make" command and other utilities for software
development are in /usr/ccs/bin, so you MUST have /usr/ccs/bin in
-your command search path. If these files do not exist, install the
-development packages first. See the Solaris FAQ item "<a
-href="http://www.science.uva.nl/pub/solaris/solaris2.html#q6.2">Which
-packages do I need to install to support a C compiler?</a>". </p>
+your command search path. </p>
<p> If you need to build Postfix for multiple architectures, use the
"lndir" command to build a shadow tree with symbolic links to the
<h3>4.5 - Support for thousands of processes</h3>
-<p> The number of connections that Postfix can manage simultaneously
-is limited by the number of processes that it can run. This number
-in turn is limited by the number of files and sockets that a single
-process can open. For example, the Postfix queue manager has a
-separate connection to each delivery process, and the anvil(8)
-server has one connection per smtpd(8) process. </p>
-
-<p> Postfix version 2.4 and later have no built-in limits on the
-number of open files or sockets, when compiled on systems that
-support one of the following: </p>
-
-<ul>
-
-<li> BSD kqueue(2) (FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9),
-
-<li> Solaris 8 /dev/poll,
-
-<li> Linux 2.6 epoll(4).
-
-</ul>
-
-
-<p> With other Postfix versions or operating systems, the number
-of file descriptors per process is limited by the value of the
-FD_SETSIZE macro. If you expect to run more than 1000 mail delivery
-processes, you may need to override the definition of the FD_SETSIZE
-macro to make select() work correctly: </p>
+<p> In order to build Postfix for very large applications, where you
+expect to run more than 1000 mail delivery processes, you may need to
+override the definition of the FD_SETSIZE macro to make select()
+work correctly: </p>
<blockquote>
<pre>
overriding the __FD_SETSIZE macro. Beware, undocumented interfaces
can change at any time and without warning. </p>
-<p> But wait, there is more: none of this will work unless the
-operating system is configured to handle thousands of connections.
-See the TUNING_README guide for examples of how to increase the
-number of open sockets or files. </p>
-
<h3>4.6 - Compiling Postfix, at last</h3>
<p> If the command </p>
<p> This text describes how to install Postfix from source code.
See the PACKAGE_README file if you are building a package for
-distribution to other systems. </p>
+distribution to other systems. See auxiliary/MacOSX/README-INSTALL.OSX
+for information about installing Postfix from source on Mac OS X.
+</p>
<h3>6.1 - Save existing Sendmail binaries</h3>
<p> <a name="save">IMPORTANT</a>: if you are REPLACING an existing
Sendmail installation with Postfix, you may need to keep the old
sendmail program running for some time in order to flush the mail
-queue. </p>
-
-<ul>
-
-<li> <p> Some systems implement a mail switch mechanism where
-different MTAs (Postfix, Sendmail, etc.) can be installed at the
-same time, while only one of them is actually being used. Examples
-of such switching mechanisms are the FreeBSD mailwrapper(8) or the
-Linux mail switch. In this case you should try to "flip" the switch
-to "Postfix" before installing Postfix. </p>
-
-<li> <p> If your system has no mail switch mechanism, execute the
-following commands (your sendmail, newaliases and mailq programs
-may be in a different place): </p>
+queue. As superuser, execute the following commands (your sendmail,
+newaliases and mailq programs may be in a different place): </p>
+<blockquote>
<pre>
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF \
/usr/bin/mailq.OFF
</pre>
-
-</ul>
+</blockquote>
<h3>6.2 - Create account and groups</h3>
<ul>
-<li> <p> The interactive version ("make install") asks for pathnames
-for Postfix data and program files, and stores your preferences in
-the main.cf file. <b> If you don't want Postfix to overwrite
-non-Postfix "sendmail", "mailq" and "newaliases" files, specify
-pathnames that end in ".postfix"</b>. </p>
-
<li> <p> The non-interactive version ("make upgrade") needs the
/etc/postfix/main.cf file from a previous installation. If the file
does not exist, use interactive installation ("make install")
instead. </p>
+<li> <p> The interactive version offers suggestions for pathnames
+that you can override interactively, and stores your preferences
+in /etc/postfix/main.cf for convenient future upgrades. </p>
+
</ul>
<h3>6.4 - Configure Postfix</h3>
Postfix on a virtual interface address. Simply configure your mail
user agent to directly invoke the Postfix sendmail program. </p>
-<p> To create a virtual network interface address, study your
-system ifconfig manual page. The command syntax could be any
-of: </p>
-
-<blockquote>
-<pre>
-# <b>ifconfig le0:1 <address> netmask <mask> up</b>
-# <b>ifconfig en0 alias <address> netmask 255.255.255.255</b>
-</pre>
-</blockquote>
-
<p> In the /etc/postfix/main.cf file, I would specify </p>
<blockquote>
<li><a href="#example_virtual">Example: virtual domains/addresses</a>
-<li><a href="#example_group">Example: expanding LDAP groups</a>
-
<li><a href="#other">Other uses of LDAP lookups</a>
<li><a href="#hmmmm">Notes and things to think about</a>
<blockquote>
<pre>
-server_host = ldap.example.com
-search_base = dc=example, dc=com
+server_host = ldap.my.com
+search_base = dc=my, dc=com
</pre>
</blockquote>
<p> Upon receiving mail for a local address "ldapuser" that isn't
found in the /etc/aliases database, Postfix will search the LDAP
-server listening at port 389 on ldap.example.com. It will bind anonymously,
+server listening at port 389 on ldap.my.com. It will bind anonymously,
search for any directory entries whose mailacceptinggeneralid
attribute is "ldapuser", read the "maildrop" attributes of those
found, and build a list of their maildrops, which will be treated
fully qualified with their virtual domains. Finally, if you want
to designate a directory entry as the default user for a virtual
domain, just give it an additional mailacceptinggeneralid (or the
-equivalent in your directory) of "@fake.dom". That's right, no
+equivalent in your directory) of "@virtual.dom". That's right, no
user part. If you don't want a catchall user, omit this step and
mail to unknown users in the domain will simply bounce. </p>
maildrop, e.g. "normaluser@fake.dom" and "normaluser@real.dom".
</p>
-<h2><a name="example_group">Example: expanding LDAP groups</a></h2>
-
-<p>
-LDAP is frequently used to store group member information. There are a
-number of ways of handling LDAP groups. We will show a few examples in
-order of increasing complexity, but owing to the number of independent
-variables, we can only present a tiny portion of the solution space.
-We show how to:
-</p>
-
-<ol>
-
-<li> <p> query groups as lists of addresses; </p>
-
-<li> <p> query groups as lists of user objects containing addresses; </p>
-
-<li> <p> forward special lists unexpanded to a separate list server,
-for moderation or other processing; </p>
-
-<li> <p> handle complex schemas by controlling expansion and by treating
-leaf nodes specially, using features that are new in Postfix 2.4. </p>
-
-</ol>
-
-<p>
-The example LDAP entries and implied schema below show two group entries
-("agroup" and "bgroup") and four user entries ("auser", "buser", "cuser"
-and "duser"). The group "agroup" has the users "auser" (1) and "buser" (2)
-as members via DN references in the multi-valued attribute "memberdn", and
-direct email addresses of two external users "auser@example.org" (3) and
-"buser@example.org" (4) stored in the multi-valued attribute "memberaddr".
-The same is true of "bgroup" and "cuser"/"duser" (6)/(7)/(8)/(9), but
-"bgroup" also has a "maildrop" attribute of "bgroup@mlm.example.com"
-(5): </p>
-
-<blockquote>
-<pre>
- dn: cn=agroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: agroup
- mail: agroup@example.com
-1 -> memberdn: uid=auser, dc=example, dc=com
-2 -> memberdn: uid=buser, dc=example, dc=com
-3 -> memberaddr: auser@example.org
-4 -> memberaddr: buser@example.org
-</pre>
-<br>
-
-<pre>
- dn: cn=bgroup, dc=example, dc=com
- objectclass: top
- objectclass: ldapgroup
- cn: bgroup
- mail: bgroup@example.com
-5 -> maildrop: bgroup@mlm.example.com
-6 -> memberdn: uid=cuser, dc=example, dc=com
-7 -> memberdn: uid=duser, dc=example, dc=com
-8 -> memberaddr: cuser@example.org
-9 -> memberaddr: duser@example.org
-</pre>
-<br>
-
-<pre>
- dn: uid=auser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: auser
-10 -> mail: auser@example.com
-11 -> maildrop: auser@mailhub.example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=buser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: buser
-12 -> mail: buser@example.com
-13 -> maildrop: buser@mailhub.example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=cuser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: cuser
-14 -> mail: cuser@example.com
-</pre>
-<br>
-
-<pre>
- dn: uid=duser, dc=example, dc=com
- objectclass: top
- objectclass: ldapuser
- uid: duser
-15 -> mail: duser@example.com
-</pre>
-<br>
-
-</blockquote>
-
-<p> Our first use case ignores the "memberdn" attributes, and assumes
-that groups hold only direct "memberaddr" strings as in (3), (4), (8) and
-(9). The goal is to map the group address to the list of constituent
-"memberaddr" values. This is simple, ignoring the various connection
-related settings (hosts, ports, bind settings, timeouts, ...) we have:
-</p>
-
-<blockquote>
-<pre>
- simple.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- $ postmap -q agroup@example.com ldap:simple.cf
- auser@example.org,buser@example.org
-</pre>
-</blockquote>
-
-<p> We search "dc=example, dc=com". The "mail" attribute is used in the
-query_filter to locate the right group, the "result_attribute" setting
-described in ldap_table(5) is used to specify that "memberaddr" values
-from the matching group are to be returned as a comma separated list.
-Always check tables using postmap(1) with the "-q" option, before
-deploying them into production use in main.cf. </p>
-
-<p> Our second use case instead expands "memberdn" attributes (1), (2),
-(6) and (7), follows the DN references and returns the "maildrop" of the
-referenced user entries. Here we use the "special_result_attribute"
-setting from ldap_table(5) to designate the "memberdn" attribute
-as holding DNs of the desired member entries. The "result_attribute"
-setting selects which attributes are returned from the selected DNs. It
-is important to choose a result attribute that is not also present in
-the group object, because result attributes are collected from both
-the group and the member DNs. In this case we choose "maildrop" and
-assume for the moment that groups never have a "maildrop" (the "bgroup"
-"maildrop" attribute is for a different use case). The returned data for
-"auser" and "buser" is from items (11) and (13) in the example data. </p>
-
-<blockquote>
-<pre>
- special.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q agroup@example.com ldap:special.cf
- auser@mailhub.example.com,buser@mailhub.example.com
-</pre>
-</blockquote>
-
-<p> Note: if the desired member object result attribute is always also
-present in the group, you get surprising results: the expansion also
-returns the address of the group. This is a known limitation of Postfix
-releases prior to 2.4, and is addressed in the new with Postfix 2.4
-"leaf_result_attribute" feature described in ldap_table(5). </p>
-
-<p> Our third use case has some groups that are expanded immediately,
-and other groups that are forwarded to a dedicated mailing list manager
-host for delayed expansion. This uses two LDAP tables, one for users
-and forwarded groups and a second for groups that can be expanded
-immediately. It is assumed that groups that require forwarding are
-never nested members of groups that are directly expanded. </p>
-
-<blockquote>
-<pre>
- no_expand.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- expand.cf
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = maildrop
- special_result_attribute = memberdn
- $ postmap -q auser@example.com ldap:no_expand.cf ldap:expand.cf
- auser@mailhub.example.com
- $ postmap -q agroup@example.com ldap:no_expand.cf ldap:expand.cf
- auser@mailhub.example.com,buser@mailhub.example.com
- $ postmap -q bgroup@example.com ldap:no_expand.cf ldap:expand.cf
- bgroup@mlm.example.com
-</pre>
-</blockquote>
-
-<p> Non-group objects and groups with delayed expansion (those that have a
-maildrop attribute) are rewritten to a single maildrop value. Groups that
-don't have a maildrop are expanded as the second use case. This admits
-a more elegant solution with Postfix 2.4 and later. </p>
-
-<p> Our final use case is the same as the third, but this time uses new
-features in Postfix 2.4. We now are able to use just one LDAP table and
-no longer need to assume that forwarded groups are never nested inside
-expanded groups. </p>
-
-<blockquote>
-<pre>
- fancy.cf:
- ...
- search_base = dc=example, dc=com
- query_filter = mail=%s
- result_attribute = memberaddr
- special_result_attribute = memberdn
- terminal_result_attribute = maildrop
- leaf_result_attribute = mail
- $ postmap -q auser@example.com ldap:fancy.cf
- auser@mailhub.example.com
- $ postmap -q cuser@example.com ldap:fancy.cf
- cuser@example.com
- $ postmap -q agroup@example.com ldap:fancy.cf
- auser@mailhub.example.com,buser@mailhub.example.com,auser@example.org,buser@example.org
- $ postmap -q bgroup@example.com ldap:fancy.cf
- bgroup@mlm.example.com
-</pre>
-</blockquote>
-
-<p> Above, delayed expansion is enabled via "terminal_result_attribute",
-which, if present, is used as the sole result and all other expansion is
-suppressed. Otherwise, the "leaf_result_attribute" is only returned for
-leaf objects that don't have a "special_result_attribute" (non-groups),
-while the "result_attribute" (direct member address of groups) is returned
-at every level of recursive expansion, not just the leaf nodes. This fancy
-example illustrates all the features of Postfix 2.4 group expansion. </p>
-
<h2><a name="other">Other uses of LDAP lookups</a></h2>
Other common uses for LDAP lookups include rewriting senders and
recipients with Postfix's canonical lookups, for example in order
to make mail leaving your site appear to be coming from
-"First.Last@example.com" instead of "userid@example.com".
+"First.Last@site.dom" instead of "userid@site.dom".
<h2><a name="hmmmm">Notes and things to think about</a></h2>
<blockquote>
<pre>
-dn: cn=Accounting Staff List, dc=example, dc=com
+dn: cn=Accounting Staff List, dc=my, dc=com
cn: Accounting Staff List
-o: example.com
+o: my.com
objectclass: maillist
mailacceptinggeneralid: accountingstaff
mailacceptinggeneralid: accounting-staff
Victor Duchovni developed the common query, result_format, domain and
expansion_limit interface for LDAP, MySQL and PosgreSQL.</li>
-<li>Gunnar Wrobel provided a first implementation of a feature to
-limit LDAP search results to leaf nodes only. Victor generalized
-this into the Postfix 2.4 "leaf_result_attribute" feature. </li>
-
</ul>
And of course Wietse.
<h2>Berkeley DB issues</h2>
-<p> If you can't compile Postfix because the file "db.h"
+<p> Warning: if you can't compile Postfix because the file "db.h"
isn't found, then you MUST install the Berkeley DB development
package (name: db???-devel-???) that matches your system library.
You can find out what is installed with the rpm command. For example:
</blockquote>
<p> This means that you need to install db4-devel-4.3.29-2 (on
-some systems, specify "<b>rpm -qf /lib/libdb.so</b>" instead). </p>
+some systems, specify <tt>/lib/libdb.so</tt> in the rpm query). </p>
<p> DO NOT download some Berkeley DB version from the network.
Every Postfix program will dump core when it is built with a different
<p> On RedHat Linux 7.1 and later <b>procmail</b> no longer has
permission
-to write the mail spool directory. Workaround: </p>
-
-<blockquote>
-<pre>
-# chmod 1777 /var/spool/mail
-</pre>
-</blockquote>
+to write the mail spool directory. Workaround: chmod 1777
+/var/spool/mail.
+</p>
<h2>Syslogd performance</h2>
<p> That is, an empty value. With this setting, the Postfix SMTP
server will not reject mail with "User unknown in local recipient
-table". <b> Don't do this on systems that receive mail directly
-from the Internet. With today's worms and viruses, Postfix will
-become a backscatter source: it accepts mail for non-existent
-recipients and then tries to return that mail as "undeliverable"
-to the often forged sender address</b>. </p>
+table". </p>
<h2><a name="change">When you need to change the local_recipient_maps
setting in main.cf</a></h2>
--- /dev/null
+See the files in auxiliary/MacOSX for hints and tips to set up
+Postfix.
recipients that don't have UNIX home directories. </p>
<p> The following example shows how to use maildrop for some.domain
-and for someother.domain. The example comes in two parts. </p>
-
-<p> Part 1 describes changes to the main.cf file: </p>
+and for someother.domain. </p>
<blockquote>
<pre>
<p> Note: Do not use the postfix user as the maildrop user. </p>
-<p> Part 2 describes changes to the master.cf file: </p>
-
<blockquote>
<pre>
/etc/postfix/master.cf:
<p> The reason for adding Milter support to Postfix is that there
exists a large collection of applications, not only to block unwanted
mail, but also to verify authenticity (examples: <a
-href="http://sourceforge.net/projects/dkim-milter/">Domain keys
-identified mail</a>, <a
href="http://sourceforge.net/projects/sid-milter/">SenderID+SPF</a> and
<a href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>)
-or to digitally sign mail (examples: <a
-href="http://sourceforge.net/projects/dkim-milter/">Domain keys
-identified mail</a>, <a
+or to digitally sign mail (example: <a
href="http://sourceforge.net/projects/dk-milter/">Domain keys</a>).
Having yet another Postfix-specific version of all that software
is a poor use of human and system resources. </p>
<p> On some Linux and *BSD distributions, the Sendmail libmilter
library is installed by default. With this, applications such as
-<a href="http://sourceforge.net/projects/dkim-milter/">dkim-milter</a>
+<a href="http://sourceforge.net/projects/dk-milter/">dk-milter</a>
and <a href="http://sourceforge.net/projects/sid-milter/">sid-milter</a>
build out of the box without requiring any tinkering:</p>
<blockquote>
<pre>
-$ <b>gzcat dkim-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
-$ <b>cd dkim-milter-<i>x.y.z</i></b>
+$ <b>gzcat dk-milter-<i>x.y.z</i>.tar.gz | tar xf -</b>
+$ <b>cd dk-milter-<i>x.y.z</i></b>
$ <b>make</b>
[...<i>lots of output omitted</i>...]
</pre>
<blockquote>
<pre>
-# <b>/some/where/dkim-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
+# <b>/some/where/dk-filter -u <i>userid</i> -p inet:<i>portnumber</i>@localhost ...<i>other options</i>...</b>
</pre>
</blockquote>
</pre>
</blockquote>
-<p> This happens because those Milter applications expect that the
+<p> This happens because some Milter applications expect that the
queue ID is known <i>before</i> the MTA accepts the MAIL FROM
(sender) command. Postfix, on the other hand, does not choose a
queue file name until <i>after</i> it accepts the first valid RCPT
-TO (recipient) command (Postfix queue file names must be unique
+TO (recipient) command. Postfix queue file names must be unique
across multiple directories, so the name can't be chosen before the
-file is created; if multiple messages were to use the same queue
-ID <i>simultaneously</i>, mail would be lost). </p>
+file is created. If multiple messages were to use the same queue
+ID <i>simultaneously</i>, mail would be lost. </p>
-</ul>
-
-<p> If you experience the ugly header problem, see if a recent
-version of the Milter application fixes it. For example, current
-versions of dkim-filter and dk-filter already have code that looks
-up the Postfix queue ID at a later protocol stage. </p>
-
-<p> To fix the ugly message header with sid-filter applications,
-we change the source code, so that it does the queue ID lookup after
-Postfix receives the end of the message. </p>
+<p> To work around the ugly message header from Milter applications,
+we add a little code to the Milter source to look up the queue ID
+after Postfix receives the end of the message. </p>
<ul>
-<li> <p> Edit the filter source file (named
-<tt>sid-filter/sid-filter.c</tt>). </p>
-
-<li> <p> Look up the <tt>smfilter</tt> table and replace
-<tt>mlfi_eoh</tt> by <tt>NULL</tt>.
-</p>
+<li> <p> Edit the filter source file (typically named
+<tt>dk-filter/dk-filter.c</tt> or similar). </p>
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
-the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
-text below: </p>
+the top shown as <b>bold</b> text below: </p>
</ul>
<blockquote>
<pre>
- assert(ctx != NULL);
-#endif /* !DEBUG */
+dfc = cc->cctx_msg;
+assert(dfc != NULL);
<b>
- ret = mlfi_eoh(ctx);
- if (ret != SMFIS_CONTINUE)
- return ret;</b>
+/* Determine the job ID for logging. */
+if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
+ char *jobid = smfi_getsymval(ctx, "i");
+ if (jobid != 0)
+ dfc->mctx_jobid = jobid;
+}</b>
+
+/* get hostname; used in the X header and in new MIME boundaries */
</pre>
</blockquote>
<ul>
-<li> <p> This was tested with sid-milter-0.2.10 and sid-milter-0.2.14. </p>
+<li> <p> Different mail filters use slightly different names for
+variables. If the above code does not compile, look for the code
+at the start of the <tt>mlfi_eoh()</tt> routine. </p>
<li> <p> This fixes only the ugly message header, but not the WARNING
-message. Fortunately, sid-milter logs that message only once. </p>
+message. Fortunately, dk-filter logs that message only once. </p>
</ul>
-<p> To fix the ugly message header with other Milter applications,
-you will need to do something like this: </p>
+<p> With some Milter applications we can fix both the WARNING and
+the "unknown-msgid" by postponing the call of <tt>mlfi_eoh()</tt>
+(or whatever routine logs the WARNING) until the end of the message.
+</p>
<ul>
<li> <p> Edit the filter source file (typically named
-<tt>xxx-filter/xxx-filter.c</tt> or similar). </p>
+<tt>sid-filter/sid-filter.c</tt> or similar). </p>
+
+<li> <p> Look up the <tt>smfilter</tt> table and replace
+<tt>mlfi_eoh</tt> (or whatever routine logs the WARNING) by NULL.
+</p>
<li> <p> Look up the <tt>mlfi_eom()</tt> function and add code near
-the top shown as <b>bold</b> text below: </p>
+the top that calls <tt>mlfi_eoh()</tt> as shown by the <b>bold</b>
+text below: </p>
</ul>
<blockquote>
<pre>
-dfc = cc->cctx_msg;
-assert(dfc != NULL);
+ assert(ctx != NULL);
+#endif /* !DEBUG */
<b>
-/* Determine the job ID for logging. */
-if (dfc->mctx_jobid == 0 || strcmp(dfc->mctx_jobid, JOBIDUNKNOWN) == 0) {
- char *jobid = smfi_getsymval(ctx, "i");
- if (jobid != 0)
- dfc->mctx_jobid = jobid;
-}</b>
-
-/* get hostname; used in the X header and in new MIME boundaries */
+ ret = mlfi_eoh(ctx);
+ if (ret != SMFIS_CONTINUE)
+ return ret;</b>
</pre>
</blockquote>
-<p> NOTES: </p>
-
-<ul>
-
-<li> <p> Different mail filters use slightly different names for
-variables. If the above code does not compile, look for the code
-at the start of the <tt>mlfi_eoh()</tt> routine. </p>
-
-<li> <p> This fixes only the ugly message header, but not the WARNING
-message. Fortunately, many Milters log that message only once. </p>
+<p> This works with sid-milter-0.2.10. Other Milter applications
+will dump core when you do this. </p>
</ul>
</pre>
</blockquote>
-<p> The solution is to use Postfix version 2.4 or later. </p>
+<p> The solution is to use a Postfix version that supports the
+missing functionality. </p>
<li> <p> Most Milter configuration options are global. Future Postfix
versions may support per-Milter timeouts, per-Milter error handling,
../html/CDB_README.html \
../html/CONNECTION_CACHE_README.html \
../html/CONTENT_INSPECTION_README.html \
+ ../html/CYRUS_README.html \
../html/DATABASE_README.html ../html/DB_README.html \
../html/DEBUG_README.html \
../html/DSN_README.html \
../html/MYSQL_README.html ../html/NFS_README.html \
../html/OVERVIEW.html \
../html/PACKAGE_README.html ../html/PCRE_README.html \
- ../html/PGSQL_README.html \
+ ../html/PGSQL_README.html ../html/QMQP_README.html \
../html/QSHAPE_README.html \
../html/RESTRICTION_CLASS_README.html ../html/SASL_README.html \
../html/SCHEDULER_README.html ../html/SMTPD_ACCESS_README.html \
../html/STANDARD_CONFIGURATION_README.html \
../html/TLS_README.html ../html/TLS_LEGACY_README.html \
../html/TUNING_README.html \
- ../html/UUCP_README.html \
+ ../html/UUCP_README.html ../html/ULTRIX_README.html \
../html/VERP_README.html ../html/VIRTUAL_README.html \
../html/XCLIENT_README.html ../html/XFORWARD_README.html \
../html/postconf.5.html
../README_FILES/CDB_README \
../README_FILES/CONNECTION_CACHE_README \
../README_FILES/CONTENT_INSPECTION_README \
+ ../README_FILES/CYRUS_README \
../README_FILES/DATABASE_README ../README_FILES/DB_README \
../README_FILES/DEBUG_README \
../README_FILES/DSN_README \
../README_FILES/MYSQL_README ../README_FILES/NFS_README \
../README_FILES/OVERVIEW \
../README_FILES/PACKAGE_README ../README_FILES/PCRE_README \
- ../README_FILES/PGSQL_README \
+ ../README_FILES/PGSQL_README ../README_FILES/QMQP_README \
../README_FILES/QSHAPE_README \
../README_FILES/RESTRICTION_CLASS_README \
../README_FILES/SASL_README ../README_FILES/SCHEDULER_README \
../README_FILES/STANDARD_CONFIGURATION_README \
../README_FILES/TLS_README ../README_FILES/TLS_LEGACY_README \
../README_FILES/TUNING_README \
- ../README_FILES/UUCP_README \
+ ../README_FILES/UUCP_README ../README_FILES/ULTRIX_README \
../README_FILES/VERP_README ../README_FILES/VIRTUAL_README \
../README_FILES/XCLIENT_README ../README_FILES/XFORWARD_README \
../README_FILES/AAAREADME
<p> When delivering mail to a destination with multiple mail servers,
connection caching can help to skip over a non-responding server,
-and thus dramatically speed up delivery. SMTP connection caching
-is available in Postfix version 2.2 and later. More information
-about this feature is in the CONNECTION_CACHE_README document. </p>
+and thus dramatically speed up delivery. </p>
<table>
-<tr> <td> </td> <td> <tt> /-- </tt> </td> <td align="center"
-colspan="3" bgcolor="#f0f0ff"> smtp(8) </td> <td colspan="2"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td align="center" bgcolor="#f0f0ff"> qmgr(8) </td> <td> </td>
-<td align="center" rowspan="3"> </td> <td align="center"
-rowspan="3"><tt>|<br>|<br>|<br>|<br>v</tt></td> <td> </td>
-</tr>
-
-<tr> <td> </td> <td> <tt> \-- </tt> </td> <td align="center"
-colspan="2" bgcolor="#f0f0ff"> smtp(8) </td> <td align="left"> <tt>
---> </tt> Internet </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center"><tt>^<br>|</tt></td>
-<td> </td> </tr>
-
-<tr> <td colspan="3"> </td> <td align="center" colspan="3"
-bgcolor="#f0f0ff"> scache(8) </td> </tr>
+<tr> <td align="center" bgcolor="#f0f0ff"> <br> smtp(8) <br>
+ </td> <td> <tt> <-> </tt> </td> <td align="center"
+bgcolor="#f0f0ff"> <br> scache(8) <br> </td> <td> <tt>
+<-> </tt> </td> <td align="center" bgcolor="#f0f0ff"> <br>
+smtp(8) <br> </td>
</table>
file</h2>
<p> The installed main.cf file must be small. PLEASE resist the
-temptation to list all parameters in the main.cf file. Postfix
-is supposed to be easy to configure. Listing all parameters in main.cf
+temptation to list all 400+ parameters in the main.cf file. Postfix
+is supposed to be easy to configure. Listing all 400+ in main.cf
defeats the purpose. It is an invitation for hobbyists to make
random changes without understanding what they do, and gets them
into endless trouble. </p>
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix qmail and ezmlm support</title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix qmail and ezmlm support</h1>
+
+<hr>
+
+<p> This document will be made available via http://www.postfix.org/. </p>
+
+</body>
+
+</html>
<h2>Purpose of this document </h2>
-<p> This document is an introduction to Postfix queue congestion analysis.
-It explains how the qshape(1) program can help to track down the
-reason for queue congestion. qshape(1) is bundled with Postfix
-2.1 and later source code, under the "auxiliary" directory. This
-document describes qshape(1) as bundled with Postfix 2.4. </p>
+<p> This document describes the qshape(1) program which helps the
+administrator understand the Postfix queue message distribution
+sorted by time and by sender or recipient domain. qshape(1) is
+bundled with the Postfix 2.1 source under the "auxiliary" directory.
+</p>
+
+<p> In order to understand the output of qshape(1), it useful to
+understand the various Postfix queues. To this end the role of each
+Postfix queue directory is described briefly in the "Background
+info: Postfix queue directories" section near the end of this
+document. </p>
<p> This document covers the following topics: </p>
<li><a href="#backlog">Example 4: High volume destination backlog</a>
-<li><a href="#queues">Postfix queue directories</a>
+<li><a href="#queues">Background info: Postfix queue directories</a>
<ul>
<h2><a name="qshape">Introducing the qshape tool</a></h2>
+
<p> When mail is draining slowly or the queue is unexpectedly large,
run qshape(1) as the super-user (root) to help zero in on the problem.
The qshape(1) program displays a tabular view of the Postfix queue
</ul>
-<p> When the output is a terminal intermediate results showing the top 20
-domains (-n option) are displayed after every 1000 messages (-N option)
-and the final output also shows only the top 20 domains. This makes
-qshape useful even when the deferred queue is very large and it may
-otherwise take prohibitively long to read the entire deferred queue. </p>
-
<p> By default, qshape shows statistics for the union of both the
incoming and active queues which are the most relevant queues to
look at when analyzing performance. </p>
<blockquote>
<pre>
-$ qshape deferred
-$ qshape incoming active deferred
+$ qshape deferred | less
+$ qshape incoming active deferred | less
</pre>
</blockquote>
<p> The problem destinations or sender domains appear near the top
left corner of the output table. Remember that the active queue
can accommodate up to 20000 ($qmgr_message_active_limit) messages.
-To check whether this limit has been reached, use: </p>
+To check wether this limit has been reached, use: </p>
<blockquote>
<pre>
-$ qshape -s active <i>(show sender statistics)</i>
+$ qshape -s active | head <i>(show sender statistics)</i>
</pre>
</blockquote>
not yet saturated, any high volume sender domains show near the
top of the output.
-<p> With oqmgr(8) the active queue is also limited to at most 20000
-recipient addresses ($qmgr_message_recipient_limit). To check for
-exhaustion of this limit use: </p>
+<p> The active queue is also limited to at most 20000 recipient
+addresses ($qmgr_message_recipient_limit). To check for exhaustion
+of this limit use: </p>
<blockquote>
<pre>
-$ qshape active <i>(show recipient statistics)</i>
+$ qshape active | head <i>(show recipient statistics)</i>
</pre>
</blockquote>
take measures to ensure that the mail is deferred instead or even
add an access(5) rule asking the sender to try again later. </p>
-<p> If a high volume destination exhibits frequent bursts of consecutive
-connections refused by all MX hosts or "421 Server busy errors", it
-is possible for the queue manager to mark the destination as "dead"
-despite the transient nature of the errors. The destination will be
-retried again after the expiration of a $minimal_backoff_time timer.
-If the error bursts are frequent enough it may be that only a small
-quantity of email is delivered before the destination is again marked
-"dead". In some cases enabling static (not on demand) connection
-caching by listing the appropriate nexthop domain in a table included in
-"smtp_connection_cache_destinations" may help to reduce the error rate,
-because most messages will re-use existing connections. </p>
+<p> If a high volume destination exhibits frequent bursts of
+consecutive connections refused by all MX hosts or "421 Server busy
+errors", it is possible for the queue manager to mark the destination
+as "dead" despite the transient nature of the errors. The destination
+will be retried again after the expiration of a $minimal_backoff_time
+timer. If the error bursts are frequent enough it may be that only
+a small quantity of email is delivered before the destination is
+again marked "dead". </p>
<p> The MTA that has been observed most frequently to exhibit such
bursts of errors is Microsoft Exchange, which refuses connections
server propagate the refused connection to the client as a "421"
error. </p>
-<p> Note that it is now possible to configure Postfix to exhibit similarly
-erratic behavior by misconfiguring the anvil(8) service. Do not use
-anvil(8) for steady-state rate limiting, its purpose is (unintentional)
-DoS prevention and the rate limits set should be very generous! </p>
+<p> Note that it is now possible to configure Postfix to exhibit
+similarly erratic behavior by misconfiguring the anvil(8) server
+(not included in Postfix 2.1.). Do not use anvil(8) for steady-state
+rate limiting, its purpose is DoS prevention and the rate limits
+set should be very generous! </p>
-<p> If one finds oneself needing to deliver a high volume of mail to a
-destination that exhibits frequent brief bursts of errors and connection
-caching does not solve the problem, there is a subtle workaround. </p>
+<p> In the long run it is hoped that the Postfix dead host detection
+and concurrency control mechanism will be tuned to be more "noise"
+tolerant. If one finds oneself needing to deliver a high volume
+of mail to a destination that exhibits frequent brief bursts of
+errors, there is a subtle workaround. </p>
<ul>
transport (a number in the 10-20 range is typical). </p>
<li> <p> IMPORTANT!!! In main.cf configure a very large initial
-and destination concurrency limit for this transport (say 2000). </p>
+and destination concurrency limit for this transport (say 200). </p>
<pre>
/etc/postfix/main.cf:
- initial_destination_concurrency = 2000
- <i>transportname</i>_destination_concurrency_limit = 2000
+ initial_destination_concurrency = 200
+ <i>transportname</i>_destination_concurrency_limit = 200
</pre>
<p> Where <i>transportname</i> is the name of the master.cf entry
</ul>
-<p> The effect of this surprising configuration is that up to 2000
+<p> The effect of this surprising configuration is that up to 200
consecutive errors are tolerated without marking the destination
dead, while the total concurrency remains reasonable (10-20
processes). This trick is only for a very specialized situation:
high volume delivery into a channel with multi-error bursts
that is capable of high throughput, but is repeatedly throttled by
-the bursts of errors. </p>
+the bursts of errors.
<p> When a destination is unable to handle the load even after the
Postfix process limit is reduced to 1, a desperate measure is to
<p> Hopefully a more elegant solution to these problems will be
found in the future. </p>
-<h2><a name="queues">Postfix queue directories</a></h2>
+<h2><a name="queues">Background info: Postfix queue directories</a></h2>
<p> The following sections describe Postfix queues: their purpose,
what normal behavior looks like, and how to diagnose abnormal
<p> All mail that enters the main Postfix queue does so via the
cleanup(8) service. The cleanup service is responsible for envelope
and header rewriting, header and body regular expression checks,
-automatic bcc recipient processing, milter content processing, and
-reliable insertion of the message into the Postfix "incoming" queue. </p>
+automatic bcc recipient processing and guaranteed insertion of the
+message into the Postfix "incoming" queue. </p>
<p> In the absence of excessive CPU consumption in cleanup(8) header
or body regular expression checks or other software consuming all
disk I/O latency (+ CPU if not negligible) of the cleanup service.
</p>
-<p> Congestion in this queue is indicative of an excessive local message
-submission rate or perhaps excessive CPU consumption in the cleanup(8)
-service due to excessive body_checks, or (Postfix ≥ 2.3) high latency
-milters. </p>
+<p> Congestion in this queue is indicative of an excessive local
+message submission rate or perhaps excessive CPU consumption in
+the cleanup(8) service due to excessive body_checks. </p>
<p> Note, that once the active queue is full, the cleanup service
will attempt to slow down message injection by pausing $in_flow_delay
a consequence of congestion downstream, rather than a problem in
its own right. </p>
-<p> Note, you should not attempt to deliver large volumes of mail via
-the pickup(8) service. High volume sites should avoid using "simple"
-content filters that re-inject scanned mail via Postfix sendmail(1)
-and postdrop(1). </p>
+<p> Note also, that one should not attempt to deliver large volumes
+of mail via the pickup(8) service. High volume sites must avoid
+using content filters that reinject scanned mail via Postfix
+sendmail(1) and postdrop(1). </p>
<p> A high arrival rate of locally submitted mail may be an indication
of an uncaught forwarding loop, or a run-away notification program.
<p> The administrator can define "smtpd" access(5) policies, or
cleanup(8) header/body checks that cause messages to be automatically
diverted from normal processing and placed indefinitely in the
-"hold" queue. Messages placed in the "hold" queue stay there until
+"hold" queue. Messages placed in the "hold" queue stay there until
the administrator intervenes. No periodic delivery attempts are
made for messages in the "hold" queue. The postsuper(1) command
can be used to manually release messages into the "deferred" queue.
</p>
-<p> Messages can potentially stay in the "hold" queue longer than
-$maximal_queue_lifetime. If such "old" messages need to be released from
-the "hold" queue, they should typically be moved into the "maildrop"
-queue using "postsuper -r", so that the message gets a new timestamp and
-is given more than one opportunity to be delivered. Messages that are
-"young" can be moved directly into the "deferred" queue using
-"postsuper -H". </p>
+<p> Messages can potentially stay in the "hold" queue for a time
+exceeding the normal maximal queue lifetime (after which undelivered
+messages are bounced back to the sender). If such "old" messages
+need to be released from the "hold" queue, they should typically
+be moved into the "maildrop" queue, so that the message gets a new
+timestamp and is given more than one opportunity to be delivered.
+Messages that are "young" can be moved directly into the "deferred"
+queue. </p>
<p> The "hold" queue plays little role in Postfix performance, and
monitoring of the "hold" queue is typically more closely motivated
<p> The incoming queue grows when the message input rate spikes
above the rate at which the queue manager can import messages into
-the active queue. The main factors slowing down the queue manager
-are disk I/O and lookup queries to the trivial-rewrite service. If the queue
+the active queue. The main factor slowing down the queue manager
+is transport queries to the trivial-rewrite service. If the queue
manager is routinely not keeping up, consider not using "slow"
lookup services (MySQL, LDAP, ...) for transport lookups or speeding
-up the hosts that provide the lookup service. If the problem is I/O
-starvation, consider striping the queue over more disks, faster controllers
-with a battery write cache, or other hardware improvements. At the very
-least, make sure that the queue directory is mounted with the "noatime"
-option if applicable to the underlying filesystem. </p>
+up the hosts that provide the lookup service. </p>
<p> The in_flow_delay parameter is used to clamp the input rate
when the queue manager starts to fall behind. The cleanup(8) service
concurrency limit. </p>
<p> Multiple recipient groups (from one or more messages) are queued
-for delivery grouped by transport/nexthop combination. The
-<b>destination</b> concurrency limit for the transports caps the number
+for delivery via the common transport/nexthop combination. The
+destination concurrency limit for the transports caps the number
of simultaneous delivery attempts for each nexthop. Transports with
-a <b>recipient</b> concurrency limit of 1 are special: these are grouped
-by the actual recipient address rather than the nexthop, yielding
-per-recipient concurrency limits rather than per-domain
+a recipient concurrency limit of 1 are special: these are grouped
+by the actual recipient address rather than the nexthop, thereby
+enabling per-recipient concurrency limits rather than per-domain
concurrency limits. Per-recipient limits are appropriate when
performing final delivery to mailboxes rather than when relaying
to a remote server. </p>
<p> Congestion occurs in the active queue when one or more destinations
-drain slower than the corresponding message input rate. </p>
-
-<p> Input into the active queue comes both from new mail in the "incoming"
-queue, and retries of mail in the "deferred" queue. Should the "deferred"
-queue get really large, retries of old mail can dominate the arrival
-rate of new mail. Systems with more CPU, faster disks and more network
-bandwidth can deal with larger deferred queues, but as a rule of thumb
-the deferred queue scales to somewhere between 100,000 and 1,000,000
-messages with good performance unlikely above that "limit". Systems with
-queues this large should typically stop accepting new mail, or put the
-backlog "on hold" until the underlying issue is fixed (provided that
-there is enough capacity to handle just the new mail). </p>
-
-<p> When a destination is down for some time, the queue manager will
-mark it dead, and immediately defer all mail for the destination without
+drain slower than the corresponding message input rate. If a
+destination is down for some time, the queue manager will mark it
+dead, and immediately defer all mail for the destination without
trying to assign it to a delivery agent. In this case the messages
-will quickly leave the active queue and end up in the deferred queue
-(with Postfix < 2.4, this is done directly by the queue manager,
-with Postfix ≥ 2.4 this is done via the "retry" delivery agent). </p>
-
-<p> When the destination is instead simply slow, or there is a problem
-causing an excessive arrival rate the active queue will grow and will
-become dominated by mail to the congested destination. </p>
+will quickly leave the active queue and end up in the deferred
+queue. If the destination is instead simply slow, or there is a
+problem causing an excessive arrival rate the active queue will
+grow and will become dominated by mail to the congested destination.
+</p>
<p> The only way to reduce congestion is to either reduce the input
rate or increase the throughput. Increasing the throughput requires
is draining slowly and the system and network are not loaded, raise
the "smtp" and/or "relay" process limits! </p>
-<p> When a high volume destination is served by multiple MX hosts with
-typically low delivery latency, performance can suffer dramatically when
-one of the MX hosts is unresponsive and SMTP connections to that host
-timeout. For example, if there are 2 equal weight MX hosts, the SMTP
-connection timeout is 30 seconds and one of the MX hosts is down, the
-average SMTP connection will take approximately 15 seconds to complete.
-With a default per-destination concurrency limit of 20 connections,
-throughput falls to just over 1 message per second. </p>
-
-<p> The best way to avoid bottlenecks when one or more MX hosts is
-non-responsive is to use connection caching. Connection caching was
-introduced with Postfix 2.2 and is by default enabled on demand for
-destinations with a backlog of mail in the active queue. When connection
-caching is in effect for a particular destination, established connections
-are re-used to send additional messages, this reduces the number of
-connections made per message delivery and maintains good throughput even
-in the face of partial unavailability of the destination's MX hosts. </p>
-
-<p> If connection caching is not available (Postfix < 2.2) or does
-not provide a sufficient latency reduction, especially for the "relay"
-transport used to forward mail to "your own" domains, consider setting
-lower than default SMTP connection timeouts (1-5 seconds) and higher
-than default destination concurrency limits. This will further reduce
-latency and provide more concurrency to maintain throughput should
-latency rise. </p>
-
-<p> Setting high concurrency limits to domains that are not your own may
-be viewed as hostile by the receiving system, and steps may be taken
-to prevent you from monopolizing the destination system's resources.
-The defensive measures may substantially reduce your throughput or block
-access entirely. Do not set aggressive concurrency limits to remote
-domains without coordinating with the administrators of the target
-domain. </p>
-
-<p> If necessary, dedicate and tune custom transports for selected high
-volume destinations. The "relay" transport is provided for forwarding mail
-to domains for which your server is a primary or backup MX host. These can
-make up a substantial fraction of your email traffic. Use the "relay" and
-not the "smtp" transport to send email to these domains. Using the "relay"
-transport allocates a separate delivery agent pool to these destinations
-and allows separate tuning of timeouts and concurrency limits. </p>
-
-<p> Another common cause of congestion is unwarranted flushing of the
-entire deferred queue. The deferred queue holds messages that are likely
-to fail to be delivered and are also likely to be slow to fail delivery
-(time out). As a result the most common reaction to a large deferred queue
-(flush it!) is more than likely counter-productive, and typically makes
-the congestion worse. Do not flush the deferred queue unless you expect
-that most of its content has recently become deliverable (e.g. relayhost
-back up after an outage)! </p>
+<p> Especially for the "relay" transport, consider lower SMTP
+connection timeouts (1-5 seconds) and higher than default destination
+concurrency limits. Compute the expected latency when 1 out of N
+of the MX hosts for a high volume site is down and not responding,
+and make sure that the configured concurrency divided by this
+latency exceeds the required steady-state message rate. If the
+destination is managed by you, consider load balancers in front of
+groups of MX hosts. Load balancers have higher uptime and will be
+able to hide individual MX host failures. </p>
+
+<p> If necessary, dedicate and tune custom transports for high
+volume destinations. </p>
+
+<p> Another common cause of congestion is unwarranted flushing of
+the entire deferred queue. The deferred queue holds messages that
+are likely to fail to be delivered and are also likely to be slow
+to fail delivery (timeouts). This means that the most common reaction
+to a large deferred queue (flush it!) is more than likely counter-
+productive, and is likely to make the problem worse. Do not flush
+the deferred queue unless you expect that most of its content has
+recently become deliverable (e.g. relayhost back up after an outage)!
+</p>
<p> Note that whenever the queue manager is restarted, there may
already be messages in the active queue directory, but the "real"
the messages back and forth, redoing transport table (trivial-rewrite(8)
resolve service) lookups, and re-importing the messages back into
memory is expensive. At all costs, avoid frequent restarts of the
-queue manager (e.g. via frequent execution of "postfix reload"). </p>
+queue manager. </p>
<h3> <a name="deferred_queue"> The "deferred" queue </a> </h3>
might succeed later), the message is placed in the deferred queue.
</p>
-<p> The queue manager scans the deferred queue periodically. The scan
-interval is controlled by the queue_run_delay parameter. While a deferred
-queue scan is in progress, if an incoming queue scan is also in progress
-(ideally these are brief since the incoming queue should be short), the
-queue manager alternates between looking for messages in the "incoming"
-queue and in the "deferred" queue. This "round-robin" strategy prevents
-starvation of either the incoming or the deferred queues. </p>
+<p> The queue manager scans the deferred queue periodically. The
+scan interval is controlled by the queue_run_delay parameter.
+While a deferred queue scan is in progress, if an incoming queue
+scan is also in progress (ideally these are brief since the incoming
+queue should be short), the queue manager alternates between bringing
+a new "incoming" message and a new "deferred" message into the
+queue. This "round-robin" strategy prevents starvation of either
+the incoming or the deferred queues. </p>
<p> Each deferred queue scan only brings a fraction of the deferred
queue back into the active queue for a retry. This is because each
message in the deferred queue is assigned a "cool-off" time when
it is deferred. This is done by time-warping the modification
-time of the queue file into the future. The queue file is not
+times of the queue file into the future. The queue file is not
eligible for a retry if its modification time is not yet reached.
</p>
retried more often than old messages. </p>
<p> If a high volume site routinely has large deferred queues, it
-may be useful to adjust the queue_run_delay, minimal_backoff_time and
-maximal_backoff_time to provide short enough delays on first failure
-(Postfix ≥ 2.4 has a sensibly low minimal backoff time by default),
-with perhaps longer delays after multiple failures, to reduce the
-retransmission rate of old messages and thereby reduce the quantity
-of previously deferred mail in the active queue. If you want a really
-low minimal_backoff_time, you may also want to lower queue_run_delay,
-but understand that more frequent scans will increase the demand for
-disk I/O. </p>
+may be useful to adjust the queue_run_delay, minimal_backoff_time
+and maximal_backoff_time to provide short enough delays on first
+failure, with perhaps longer delays after multiple failures, to
+reduce the retransmission rate of old messages and thereby reduce
+the quantity of previously deferred mail in the active queue. </p>
<p> One common cause of large deferred queues is failure to validate
recipients at the SMTP input stage. Since spammers routinely launch
dictionary attacks from unrepliable sender addresses, the bounces
-for invalid recipient addresses clog the deferred queue (and at high
-volumes proportionally clog the active queue). Recipient validation
-is strongly recommended through use of the local_recipient_maps and
-relay_recipient_maps parameters. Even when bounces drain quickly they
-inundate innocent victims of forgery with unwanted email. To avoid
-this, do not accept mail for invalid recipients. </p>
+for invalid recipient addresses clog the deferred queue (and at
+high volumes proportionally clog the active queue). Recipient
+validation is strongly recommended through use of the local_recipient_maps
+and relay_recipient_maps parameters. </p>
<p> When a host with lots of deferred mail is down for some time,
it is possible for the entire deferred queue to reach its retry
time simultaneously. This can lead to a very full active queue once
the host comes back up. The phenomenon can repeat approximately
every maximal_backoff_time seconds if the messages are again deferred
-after a brief burst of congestion. Perhaps, a future Postfix release
+after a brief burst of congestion. Ideally, in the future Postfix
will add a random offset to the retry time (or use a combination
-of strategies) to reduce the odds of repeated complete deferred
+of strategies) to reduce the chances of repeated complete deferred
queue flushes. </p>
<h2><a name="credits">Credits</a></h2>
<h2><a name="build_sasl">Building the Cyrus SASL library</a></h2>
-<p> Postfix appears to work with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x,
+<p> Postfix appears to work with cyrus-sasl-1.5.5 or cyrus-sasl-2.1.1,
which are available from: </p>
<blockquote>
<p> IMPORTANT: if you install the Cyrus SASL libraries as per the
default, you will have to symlink /usr/lib/sasl -> /usr/local/lib/sasl
-for version 1.5.x or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for
-version 2.1.x. </p>
+for version 1.5.5 or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for
+version 2.1.1. </p>
-<p> Reportedly, Microsoft Outlook (Express) requires the
-non-standard LOGIN authentication method. To enable this
+<p> Reportedly, Microsoft Internet Explorer version 5 requires the
+non-standard SASL LOGIN authentication method. To enable this
authentication method, specify ``./configure --enable-login''. </p>
<h2><a name="build_postfix">Building Postfix with Cyrus SASL support</a></h2>
<dl>
-<dt> (for Cyrus SASL version 1.5.x):
+<dt> (for Cyrus SASL version 1.5.5):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
-I/usr/local/include" AUXLIBS="-L/usr/local/lib -lsasl"
</pre>
-<dt> (for Cyrus SASL version 2.1.x):
+<dt> (for Cyrus SASL version 2.1.1):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
<dl>
-<dt> (for Cyrus SASL version 1.5.x):
+<dt> (for Cyrus SASL version 1.5.5):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
-R/usr/local/lib -lsasl"
</pre>
-<dt> (for Cyrus SASL version 2.1.x):
+<dt> (for Cyrus SASL version 2.1.1):
<dd>
<pre>
% make tidy # if you have left-over files from a previous build
<p> Older Microsoft SMTP client software implements a non-standard
version of the AUTH protocol syntax, and expects that the SMTP
-server replies to EHLO with "250 AUTH=mechanism-list" instead of
-"250 AUTH mechanism-list". To accommodate such clients (in addition
-to conformant
+server replies to EHLO with "250 AUTH=stuff" instead of "250 AUTH
+stuff". To accommodate such clients (in addition to conformant
clients) use the following: </p>
<blockquote>
<h2><a name="server_cyrus">Cyrus SASL configuration for the Postfix
SMTP server</a></h2>
-<p> You need to configure how the Cyrus SASL library should
-authenticate a client's username and password. These settings must
-be stored in a separate configuration file. </p>
-
-<p> The name of the configuration file (default: smtpd.conf) will
-be constructed from a value sent by Postfix to the Cyrus SASL
-library, which adds the suffix .conf. The value is configured using
-one of the following variables: </p>
-
-<blockquote>
-<pre>
-/etc/postfix/main.cf:
- # Postfix 2.3 and later
- smtpd_sasl_path = smtpd
- # Postfix < 2.3
- smtpd_sasl_application_name = smtpd
-</pre>
-</blockquote>
-
-<p> Cyrus SASL searches for the configuration file in /usr/local/lib/sasl/
-(Cyrus SASL version 1.5.5) or /usr/local/lib/sasl2/ (Cyrus SASL
-version 2.1.x). </p>
+<p> In /usr/local/lib/sasl/smtpd.conf (Cyrus SASL version 1.5.5) or
+/usr/local/lib/sasl2/smtpd.conf (Cyrus SASL version 2.1.1) you need to
+specify how the server should validate client passwords. </p>
<p> Note: some Postfix distributions are modified and look for
-the smtpd.conf file in /etc/postfix/sasl. </p>
+the smtpd.conf file in /etc/postfix. </p>
<p> Note: some Cyrus SASL distributions look for the smtpd.conf
file in /etc/sasl2. </p>
<ul>
-<li> <p> To authenticate against the UNIX password database, use: </p>
+<li> <p> To authenticate against the UNIX password database, try: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
/usr/local/lib/sasl/smtpd.conf:
</pre>
-<p> IMPORTANT: pwcheck establishes a UNIX domain socket in /var/pwcheck
-and waits for authentication requests. Postfix processes must have
-read+execute permission to this directory or authentication attempts
-will fail. </p>
+<dt> (Cyrus SASL version 2.1.1)
+<dd>
+<pre>
+/usr/local/lib/sasl2/smtpd.conf:
+ pwcheck_method: pwcheck
+</pre>
+
+</dl>
+
+<p> The name of the file in /usr/local/lib/sasl (Cyrus SASL version
+1.5.5) or /usr/local/lib/sasl2 (Cyrus SASL version 2.1.1) used by
+the SASL
+library for configuration can be set with: </p>
+
+<blockquote>
+<pre>
+/etc/postfix/main.cf:
+ smtpd_sasl_application_name = smtpd (Postfix < 2.3)
+ smtpd_sasl_path = smtpd (Postfix 2.3 and later)
+</pre>
+</blockquote>
<p> The pwcheck daemon is contained in the cyrus-sasl source tarball. </p>
+<p> IMPORTANT: postfix processes need to have group read+execute
+permission for the /var/pwcheck directory, otherwise authentication
+attempts will fail. </p>
+
+<li> <p> Alternately, in Cyrus SASL 1.5.26 and later (including
+2.1.1), try: </p>
+
+<dl>
+
<dt> (Cyrus SASL version 1.5.26)
<dd>
<pre>
pwcheck_method: saslauthd
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
- mech_list: PLAIN LOGIN
</pre>
</dl>
can authenticate against PAM and various other sources. To use PAM,
start saslauthd with "-a pam". </p>
-<p> IMPORTANT: saslauthd usually establishes a UNIX domain socket
-in /var/run/saslauthd and waits for authentication requests. Postfix
-processes must have read+execute permission to this directory or
-authentication attempts will fail. </p>
-
-<p> Note: The directory where saslauthd puts the socket is configurable.
-See the command-line option "-m /path/to/socket" in the saslauthd
---help listing. </p>
-
<li> <p> To authenticate against Cyrus SASL's own password database: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
/usr/local/lib/sasl/smtpd.conf:
- pwcheck_method: sasldb
+ pwcheck_method: sasldb
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sasldb
- mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5
+ pwcheck_method: auxprop
</pre>
</dl>
<p> This will use the Cyrus SASL password file (default: /etc/sasldb in
-version 1.5.x, or /etc/sasldb2 in version 2.1.x), which is maintained
+version 1.5.5, or /etc/sasldb2 in version 2.1.1), which is maintained
with the saslpasswd or saslpasswd2 command (part of the Cyrus SASL
software). On some poorly-supported systems the saslpasswd command needs
to be run multiple times before it stops complaining. The Postfix SMTP
<p> EXAMPLE: </p>
<dl>
-<dt> (Cyrus SASL version 1.5.x)
+<dt> (Cyrus SASL version 1.5.5)
<dd>
<pre>
% saslpasswd -c -u `postconf -h myhostname` exampleuser
</pre>
-<dt> (Cyrus SASL version 2.1.x)
+<dt> (Cyrus SASL version 2.1.1)
<dd>
<pre>
% saslpasswd2 -c -u `postconf -h myhostname` exampleuser
</dl>
<p> You can find out SASL's idea about the realms of the users
-in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.x) or
-<i>sasldblistusers2</i> (Cyrus SASL version 2.1.x). </p>
+in sasldb with <i>sasldblistusers</i> (Cyrus SASL version 1.5.5) or
+<i>sasldblistusers2</i> (Cyrus SASL version 2.1.1). </p>
<p> On the Postfix side, you can have only one realm per smtpd
instance, and only the users belonging to that realm would be able to
</ul>
-<p> IMPORTANT: The Cyrus SASL password verification services pwcheck
-and saslauthd can only support the plaintext mechanisms PLAIN or
-LOGIN. However, the Cyrus SASL library doesn't know this, and will
-happily advertise other authentication mechanisms that the SASL
-library implements, such as DIGEST-MD5. As a result, if an SMTP
-client chooses any mechanism other than PLAIN or LOGIN while pwcheck
-or saslauthd are used, authentication will fail. Thus you may need
-to limit the list of mechanisms advertised by Postfix. </p>
+<p> IMPORTANT: all users must be able to authenticate using ALL
+authentication mechanisms advertised by Postfix, otherwise the
+negotiation might end up with an unsupported mechanism, and
+authentication would fail. For example if you configure SASL to
+use <i>saslauthd</i> for authentication against PAM (pluggable
+authentication modules), only the PLAIN and LOGIN mechanisms are
+supported and stand a chance to succeed, yet the SASL library would also
+advertise other mechanisms, such as DIGEST-MD5. This happens because
+those mechanisms are made available by other plugins, and the SASL
+library have no way to know that your only valid authentication source
+is PAM. Thus you might need to limit the list of mechanisms advertised
+by Postfix. </p>
<ul>
library files from the SASL plug-in directory (and again whenever
the system is updated). </p>
-<li> <p> With Cyrus SASL version 2.1.x or later the mech_list variable
-can specify a list of authentication mechanisms that Cyrus SASL may
-offer: </p>
+<li> <p> With Cyrus SASL version 2.1.1 or later: </p>
<blockquote>
<pre>
<ul>
-<li> <p> With Cyrus SASL version 1.5.x your only choice is to
+<li> <p> With Cyrus SASL version 1.5.5 your only choice is to
delete the corresponding library files from the SASL plug-in
directory. </p>
-<li> <p> With SASL version 2.1.x: </p>
+<li> <p> With SASL version 2.1.1: </p>
<blockquote>
<pre>
/usr/local/lib/sasl2/smtpd.conf:
- pwcheck_method: auxprop
- auxprop_plugin: sql
+ pwcheck_method: auxprop
+ auxprop_plugin: sql
</pre>
</blockquote>
<h2><a name="debugging">Trouble shooting the SASL internals</a></h2>
<p> In the Cyrus SASL sources you'll find a subdirectory named
-"sample". Run make there, then create a symbolic link from sample.conf
-to smtpd.conf in your Cyrus SASL library directory /usr/local/lib/sasl2.
-"su" to the user <i>postfix</i> (or whatever your <i>mail_owner</i>
-directive is set to): </p>
+"sample". Run make there, "su" to the user <i>postfix</i> (or
+whatever your <i>mail_owner</i> directive is set to):
<blockquote>
<pre>
</blockquote>
<p> then run the resulting sample server and client in separate
-terminals. The sample applications send log messages to the syslog
-facility auth. Check the log to fix the problem or run strace /
-ktrace / truss on the server to see what makes it unhappy. Repeat
-the previous step until you can successfully authenticate with the
-sample client. Only then get back to Postfix. </p>
+terminals. Strace / ktrace / truss the server to see what makes
+it unhappy, and fix the problem. Repeat the previous step until
+you can successfully authenticate with the sample client. Only
+then get back to Postfix. </p>
<h2><a name="client_sasl">Enabling SASL authentication in the
Postfix SMTP client</a></h2>
</pre>
</blockquote>
-<p> The Postfix SASL client password file is opened before the SMTP
-server enters the optional chroot jail, so you can keep the file
-in /etc/postfix and set permissions read / write only for root to
-keep the username:password combinations away from other system
-users. </p>
-
<p> Postfix version 2.3 supports-per-sender SASL password
information. To search the Postfix SASL password by sender
before it searches by destination, specify: </p>
</pre>
</blockquote>
+<p> The Postfix SASL client password file is opened before the SMTP server
+enters the optional chroot jail, so you can keep the file in
+/etc/postfix. </p>
+
<p> Note: Some SMTP servers support authentication mechanisms that,
although available on the client system, may not in practice work or
possess the appropriate credentials to authenticate to the server. It
</blockquote>
<p> In the above example, Postfix will decline to use mechanisms
-that require special infrastructure such as Kerberos or TLS. </p>
+that require special infrastructure such as Kerberos. </p>
<p> The Postfix SMTP client is backwards compatible with SMTP
servers that use the non-standard "AUTH=method..." syntax in response
<li> The Dovecot SMTP server-only plug-in was originally implemented by
Timo Sirainen of Procontrol, Finland.
-<li> Patrick Ben Koetter revised this document for Postfix 2.4 and
-made much needed updates.
-
</ul>
</body>
<p> Policy delegation is now the preferred method for adding policies
to Postfix. It's much easier to develop a new feature in few lines
-of Perl, Python, Ruby, or TCL, than trying to do the same in C code.
-The difference in
+of Perl, than trying to do the same in C code. The difference in
performance will be unnoticeable except in the most demanding
environments. On active systems a policy daemon process is used
multiple times, for up to $max_use incoming SMTP connections. </p>
These attributes are empty in case of no certificate authentication.
As of Postfix 2.2.11 these attribute values are encoded as
xtext: some characters are represented by +XX, where XX is the
- two-digit hexadecimal representation of the character value.
+ two-digit hecadecimal representation of the character value.
</p>
<li> <p> The "encryption_*" attributes (Postfix 2.3 and later)
<li> <p> Re-inject the mail back into Postfix via SMTP, perhaps
after changing its content and/or destination. </p>
- <li> <p> Discard or quarantine the mail. </p>
-
<li> <p> Reject the mail by sending a suitable SMTP status code
back to Postfix. Postfix passes the status back to the remote
SMTP client. This way, Postfix does not have to send a bounce
This limit is not necessary if you receive all mail from a
trusted relay host. </p>
- <p> Note: this setting is available in Postfix version 2.2 and
- later. Earlier Postfix versions will ignore it. </p>
+ <p> Note: this setting is ignored by the stable Postfix 2.1
+ release. The feature will be available only in the experimental
+ release until Postfix 2.2. </p>
<li> <p> The "-o smtpd_proxy_filter=127.0.0.1:10025" tells the
before filter SMTP server that it should give incoming mail to
<pre>
/etc/postfix/main.cf:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
- smtp_tls_dkey_file = $smtp_tls_dcert_file
+ smtp_tls_dkey_file = $smtpd_tls_cert_file
</pre>
</blockquote>
is needed. Thus, the $smtp_tls_CApath directory needs to be accessible
inside the optional chroot jail. </p>
-<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is
+<p> The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is
a space/time tradeoff. If there are many trusted CAs, the cost of
preloading them all into memory may not pay off in reduced access time
when the certificate is needed. </p>
<pre>
/etc/postfix/main.cf:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
- smtp_tls_dkey_file = $smtp_tls_dcert_file
+ smtp_tls_dkey_file = $smtpd_tls_cert_file
</pre>
</blockquote>
is needed. Thus, the $smtp_tls_CApath directory needs to be accessible
inside the optional chroot jail. </p>
-<p> The choice between $smtp_tls_CAfile and $smtp_tls_CApath is
+<p> The choice between $smtp_tls_CAfile and $smtpd_tls_CApath is
a space/time tradeoff. If there are many trusted CAs, the cost of
preloading them all into memory may not pay off in reduced access time
when the certificate is needed. </p>
for TLS. </p>
<p> You can disable TLS for a subset of destinations, while leaving
-it enabled for the rest. With the Postfix 2.3
and later TLS <a
+it enabled for the rest. With the Postfix 2.3
+ TLS <a
href="#client_tls_policy">policy table</a>, specify the "none"
security level. With the obsolete <a href="#client_tls_obs">per-site</a>
table, specify the "NONE" keyword. </p>
be ignored with a warning written to the mail logs. </p>
<p> You can enable opportunistic TLS just for selected destinations. With
-the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy table</a>,
+the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy table</a>,
specify the "may" security level. With the obsolete <a
href="#client_tls_obs">per-site</a> table, specify the "MAY" keyword.</p>
TLS encryption as the default security level. </p>
<p> You can enable mandatory TLS encryption just for specific destinations.
-With the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy
+With the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy
table</a>, specify the "encrypt" security level. With the
obsolete <a href="#client_tls_obs">per-site</a> table, specify the
"MUST_NOPEERMATCH" keyword. While the obsolete approach still works
-with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3 and later
+with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3+
should use the new TLS policy settings. </p>
<p> Examples: </p>
</blockquote>
<p> Postfix 2.2 syntax (no support for sub-domains without resorting to
-regexp tables). With Postfix 2.3
and later, do not use the obsolete <a
+regexp tables). With Postfix 2.3
+, do not use the obsolete <a
href="#client_tls_obs">per-site</a> table. </p>
<blockquote>
use the destination (for example, "[example.net]:587"), as the <a
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
or MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
</p>
<p> You can enable mandatory server certificate verification just
-for specific destinations. With the Postfix 2.3
and later TLS <a
+for specific destinations. With the Postfix 2.3
+ TLS <a
href="#client_tls_policy">policy table</a>, specify the "verify"
security level. With the obsolete <a href="#client_tls_obs">per-site</a>
table, specify the "MUST" keyword. While the obsolete approach
still works with Postfix 2.3, it is strongly discouraged: users of
-Postfix 2.3 and later should use the new TLS policy settings. </p>
+Postfix 2.3+ should use the new TLS policy settings. </p>
<p> Example: </p>
STARTTLS support. </p>
<p> You can enable secure TLS verification just for specific destinations.
-With the Postfix 2.3
and later TLS <a href="#client_tls_policy">policy table</a>,
+With the Postfix 2.3
+ TLS <a href="#client_tls_policy">policy table</a>,
specify the "secure" security level. With the obsolete
<a href="#client_tls_obs">per-site</a> table, specify the "MUST"
keyword and <a href="#client_tls_harden">harden</a> the certificate
verification against DNS forgery. While the obsolete approach still
-works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3
-and later
+works with Postfix 2.3, it is strongly discouraged: users of Postfix 2.3+
should use the new TLS policy settings. </p>
<p> Examples: </p>
</pre>
</blockquote>
-<p> Postfix 2.2.9 and later syntax: </p>
+<p> Postfix 2.2.9+ syntax: </p>
<p> <b>Note:</b> Avoid policy lookups with the bare hostname (for
example, "tls.example.com"). Instead, use the destination (for
example, "[tls.example.com]") as the <a
href="#client_tls_obs">per-site</a> table lookup key (a recipient domain
or MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
do not use the obsolete <a href="#client_tls_obs">per-site</a> table;
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
full destination nexthop (enclosed in [] with a possible ":port"
suffix) as the per-site table lookup key (a recipient domain or
MX-enabled transport nexthop with no port suffix may look like a bare
-hostname, but is still a suitable <i>destination</i>). With Postfix 2.3
-and later,
+hostname, but is still a suitable <i>destination</i>). With Postfix 2.3+,
use of the obsolete approach documented here is strongly discouraged:
use the new <a href="#client_tls_policy">policy table</a> instead. </p>
<p> For a general discussion of TLS security for SMTP see <a
href="#client_tls_limits">TLS limitations</a> above. What follows applies
only to Postfix 2.2.9 and subsequent Postfix 2.2 patch levels. Do
-not use this approach with Postfix 2.3
-and later; instead see the instructions under <a
+not use this approach with Postfix 2.3+; instead see the instructions under <a
href="#client_tls_secure">secure</a> server certificate verification. </p>
<p> As long as no secure DNS lookup mechanism is available, false
<h2><a name="conn_limit">Measures against clients that make too many connections</a></h2>
-<p> Note: these features use the Postfix anvil(8) service, introduced
-with Postfix version 2.2. </p>
+<p> Note: this feature is not included with Postfix version 2.1. </p>
<p> The Postfix smtpd(8) server can limit the number of simultaneous
-connections from the same SMTP client, as well as the connection
-rate and the rate of certain SMTP commands from the same client.
+connections from the same SMTP client, as well as the number of
+connections that a client is allowed to make per unit time.
These statistics are maintained by the anvil(8) server (translation:
if anvil(8) breaks, then connection limits stop working). </p>
-<p> IMPORTANT: These limits must not be used to regulate legitimate
-traffic: mail will suffer grotesque delays if you do so. The limits
-are designed to protect the smtpd(8) server against abuse by
-out-of-control clients. </p>
+<p> IMPORTANT: These limits are designed to protect the smtpd(8) server
+against flagrant abuse. Do not use these limits to regulate legitimate
+traffic: mail will suffer grotesque delays if you do so. </p>
-<blockquote>
-
-<dl>
-
-<dt> smtpd_client_connection_count_limit (default: 50) </dt> <dd>
-The maximum number of connections than an SMTP client may make
-simultaneously. </dd>
+<ul>
-<dt> smtpd_client_connection_rate_limit (default: no limit) </dt>
-<dd> The maximum number of connections that an SMTP client may make
-in the time interval specified with anvil_rate_time_unit (default:
-60s). </dd>
+<li> <p> An SMTP client may make up to $smtpd_client_connection_count_limit
+simultaneous connections (default: 50). This is half the default
+process limit. </p>
-<dt> smtpd_client_message_rate_limit (default: no limit) </dt> <dd>
-The maximum number of message delivery requests that an SMTP client
-may make in the time interval specified with anvil_rate_time_unit
-(default: 60s). </dd>
+<li> <p> An SMTP client may make up to $smtpd_client_message_rate_limit
+message delivery requests per unit time (default: no limit). </p>
-<dt> smtpd_client_recipient_rate_limit (default: no limit) </dt>
-<dd> The maximum number of recipient addresses that an SMTP client
-may specify in the time interval specified with anvil_rate_time_unit
-(default: 60s). </dd>
+<li> <p> An SMTP client may send up to $smtpd_client_recipient_rate_limit
+recipient addresses per unit time (default: no limit). </p>
-<dt> smtpd_client_new_tls_session_rate_limit (default: no limit)
-</dt> <dd> The maximum number of new TLS sessions (without using
-the TLS session cache) that an SMTP client may negotiate in the
-time interval specified with anvil_rate_time_unit (default: 60s).
-</dd>
+<li> <p> An SMTP client may make up to $smtpd_client_connection_rate_limit
+connections per unit time (default: no limit). </p>
-<dt> smtpd_client_event_limit_exceptions (default: $mynetworks)
-</dt> <dd> SMTP clients that are excluded from connection and rate
-limits specified above. </dd>
+<li> <p> These limits are not applied to SMTP clients in the networks
+specified with $smtpd_client_event_limit_exceptions (default:
+clients in $mynetworks may make an unlimited number of connections).
-</dl>
+<li> <p> The anvil_rate_time_unit parameter specifies the time
+unit over which client connection rates are computed (default:
+60s).
-</blockquote>
+</ul>
<h2><a name="mailing_tips">General mail delivery performance tips</a></h2>
to the same recipient: if the recipient has an expensive shell
command in her .forward file, or if the recipient is a mailing list
manager, you don't want to run too many instances of those processes
-at the same time. </p>
+the same time. </p>
<li> <p> The default smtp_destination_concurrency_limit of 20 seems
enough to noticeably load a system without bringing it to its knees.
<dl>
-<dt> queue_run_delay (default: 300 seconds; before Postfix 2.4:
-1000s) </dt> <dd> How often
+<dt> queue_run_delay (default: 1000 seconds) </dt> <dd> How often
the queue manager scans the queue for deferred mail. </dd>
-<dt> minimal_backoff_time (default: 300 seconds; before Postfix
-2.4: 1000s) </dt> <dd> The
+<dt> minimal_backoff_time (default: 1000 seconds) </dt> <dd> The
minimal amount of time a message won't be looked at, and the minimal
amount of time to stay away from a "dead" destination. </dd>
always better than increasing the frequency of delivery attempts.
However, if you can control only the delivery attempt frequency,
consider using a dedicated fallback_relay "graveyard" machine for
-bad destinations, so that these destinations do not ruin the
-performance of normal
+bad destinations so that they do not ruin the performance of normal
mail deliveries. </p>
<h2><a name="proc_limit">Tuning the number of Postfix processes</a></h2>
<ul>
-<li> <p> Depending on your Postfix and operating system versions
-you may need to recompile Postfix if you need more than 1024 file
-descriptors per process: </p>
-
-<ul> <li> <p> No recompilation is needed for Postfix version 2.4
-and later, when it was compiled for systems that support BSD kqueue(2)
-(FreeBSD 4.1, NetBSD 2.0, OpenBSD 2.9), Solaris 8 /dev/poll, or
-Linux 2.6 epoll(4). </p>
-
-<li> <p> Otherwise, Postfix needs to be recompiled to override the
-default FD_SETSIZE value. </p>
-
-</ul>
-
<li> <p> Reduce the number of processes as described under "<a
href="#proc_limit">Tuning the number of Postfix processes</a>" above.
Fewer processes need fewer open files and sockets. </p>
<ul>
<li> <p> Some FreeBSD kernel parameters can be specified in
-/boot/loader.conf, and some can be specified in /etc/sysctl.conf
-or changed with sysctl commands.
+/boot/loader.conf, and some can be changed with sysctl commands.
Which is which depends on the version.
</p>
</pre>
<li> <p> Linux kernel parameters can be specified in /etc/sysctl.conf
-or changed with sysctl commands: </p>
+and can also be changed with sysctl commands: </p>
<pre>
fs.file-max=16384
<li> <p> Solaris kernel parameters can be specified in /etc/system,
as described in the <a
-href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.48">Solaris
+href="http://www.science.uva.nl/pub/solaris/solaris2.html#q3.46">Solaris
FAQ</a> entry titled "How can I increase the number of file
descriptors per process?" </p>
--- /dev/null
+<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN"
+ "http://www.w3.org/TR/html4/loose.dtd">
+
+<html>
+
+<head>
+
+<title>Postfix and Ultrix </title>
+
+<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
+
+</head>
+
+<body>
+
+<h1><img src="postfix-logo.jpg" width="203" height="98" ALT="">Postfix and Ultrix </h1>
+
+<hr>
+
+<h2> Postfix on Ultrix </h2>
+
+<p> This document is probably only of historical value, because
+Ultrix version 4 dates from the early 1990s. However, as long as
+Wietse keeps Postfix alive for SunOS 4, it is likely to run on
+Ultrix 4 with very little change. Feedback is welcome if anyone
+actually still uses Postfix on any version of Ultrix. </p>
+
+<p> The source of this document is an email message by Christian von Roques
+that was sent on Jun 2, 1999. </p>
+
+<blockquote>
+
+<p> I've upgraded the MTA of our DECstation-3100 running Ultrix4.3a to
+postfix-19990317-pl05 and am sending you the patches I needed to get
+it running under Ultrix. </p>
+
+<p> . . . </p>
+
+<p> One of the bugs of Ultrix's /bin/sh is that shell-variables
+set in arguments of `:' expand to garbage if expanded in here-documents.
+Using a different shell helps. I needed to replace all calls of
+``sh .../makedefs'' by ``$(SHELL) .../makedefs'' in all the
+Makefile.in and am now able to use ``make SHELL=/bin/sh5'' or zsh.
+
+<p> . . . </p>
+
+<p> Ultrix's FD_SET_SIZE is 4096, but getdtablesize()
+returns 64 by default, if not increased when building a new
+kernel. getrlimit() doesn't know RLIMIT_NOFILE. This makes
+event_init() always log the warning: `could allocate space for
+only 64 open files'. </p>
+
+<p> I just reduced the threshold from 256 to 64, but this is not good.
+The initial problem still remains: How to disable this warning on
+Ultrix without making the source ugly? </p>
+
+</blockquote>
+
+<p> To work around the first problem, all the Makefile.in files
+have been updated to use `$(SHELL)' instead of `sh'. So you only
+need to supply a non-default shell in order to eliminate Ultrix
+shell trouble. </p>
+
+<p> To work around the latter, util/sys_defs.h was updated for
+Ultrix, with a default FD_SETSIZE of 100. This should be sufficient
+for a workstation. Even in 1999, no-one would run a major mail hub
+on Ultrix 4. </p>
+
+</body>
+
+</html>
<li> <p> Lines 4, 7-13: The virtual_mailbox_maps parameter specifies
the lookup table with all valid recipient addresses. The lookup
-result value is ignored by Postfix. In the above example,
-info@example.com
-and sales@example.com are listed as valid addresses; other mail for
-example.com is rejected with "User unknown" by the Postfix SMTP
-server. It's left up to the non-Postfix delivery agent to reject
-non-existent recipients from local submission or from local alias
-expansion. If you intend to
+result is ignored by Postfix. In the above example, info@example.com
+and sales@example.com are listed as valid addresses, and mail for
+anything else is rejected with "User unknown". If you intend to
use LDAP, MySQL or PgSQL instead of local files, be sure to review
the <a href="#local_vs_database"> "local files versus databases"</a>
section at the top of this document! </p>
# NAME
# access 5
# SUMMARY
-# Postfix SMTP server access table
+# Postfix access table format
# SYNOPSIS
# \fBpostmap /etc/postfix/access\fR
#
#
# \fBpostmap -q - /etc/postfix/access <\fIinputfile\fR
# DESCRIPTION
-# This document describes access control on remote SMTP client
-# information: host names, network addresses, and envelope
-# sender or recipient addresses; it is implemented by the
-# Postfix SMTP server. See \fBheader_checks\fR(5) or
-# \fBbody_checks\fR(5) for access control on the content of
-# email messages.
+# The optional \fBaccess\fR(5) table directs the Postfix SMTP server
+# to selectively reject or accept mail. Access can be allowed or
+# denied for specific host names, domain names, networks, host
+# addresses or mail addresses.
+#
+# For an example, see the EXAMPLE section at the end of this
+# manual page.
#
# Normally, the \fBaccess\fR(5) table is specified as a text file
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
-# is used for fast searching by the mail system. Execute the
-# command "\fBpostmap /etc/postfix/access\fR" to rebuild an
-# indexed file after changing the corresponding text file.
+# is used for fast searching by the mail system. Execute the command
+# "\fBpostmap /etc/postfix/access\fR" in order to rebuild the indexed
+# file after changing the access table.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those cases, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
# match is found in the access table, or until further
# truncation is not possible.
#
-# NOTE 1: The access map lookup key must be in canonical form:
-# do not specify unnecessary null characters, and do not
-# enclose network address information with "[]" characters.
+# NOTE 1: The information in the access map should be in
+# canonical form, with unnecessary null characters eliminated.
+# Address information must not be enclosed with "[]" characters.
#
# NOTE 2: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# string representation of the IPv6 host address. Thus, not
# all the ":" subnetworks will be tried.
#
-# NOTE 2: The access map lookup key must be in canonical form:
-# do not specify unnecessary null characters, and do not
-# enclose network address information with "[]" characters.
+# NOTE 2: The information in the access map should be in
+# canonical form, with unnecessary null characters eliminated.
+# Address information must not be enclosed with "[]" characters.
#
# NOTE 3: use the \fBcidr\fR lookup table type to specify
# network/netmask patterns. See \fBcidr_table\fR(5) for details.
# specified, otherwise reply with a generic error response message.
# .IP "\fBDEFER_IF_REJECT \fIoptional text...\fR
# Defer the request if some later restriction would result in a
-# REJECT action. Reply with "\fB450 4.7.1 \fI optional
-# text...\fR when the
+# REJECT action. Reply with "\fB450\fI optional text...\fR when the
# optional text is specified, otherwise reply with a generic error
# response message.
# .sp
# .IP "\fBDEFER_IF_PERMIT \fIoptional text...\fR
# Defer the request if some later restriction would result in a
# an explicit or implicit PERMIT action.
-# Reply with "\fB450 4.7.1 \fI optional text...\fR when the
+# Reply with "\fB450\fI optional text...\fR when the
# optional text is specified, otherwise reply with a generic error
# response message.
# .sp
# More information
# about external content filters is in the Postfix FILTER_README file.
# .sp
-# Note: this action overrides the \fBcontent_filter\fR setting,
+# Note: this action overrides the \fBmain.cf content_filter\fR setting,
# and currently affects all recipients of the message.
# .sp
# This feature is available in Postfix 2.0 and later.
# .sp
# Note: use "\fBpostsuper -r\fR" to release mail that was kept on
# hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
-# only for mail that will not expire within a few delivery attempts.
+# or \fB$bounce_queue_lifetime\fR, or longer.
# .sp
# Note: this action currently affects all recipients of the message.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP "\fBPREPEND \fIheadername: headervalue\fR"
# Prepend the specified message header to the message.
-# When more than one PREPEND action executes, the first
-# prepended header appears before the second etc. prepended
-# header.
+# When this action is used multiple times, the first prepended
+# header appears before the second etc. prepended header.
+# .sp
+# Note: this action does not support multi-line message headers.
# .sp
-# Note: this action must execute before the message content
-# is received; it cannot execute in the context of
-# \fBsmtpd_end_of_data_restrictions\fR.
+# Note: this action must be used before the message content
+# is received; it cannot be used in \fBsmtpd_end_of_data_restrictions\fR.
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire query string once.
# Depending on the application, that string is an entire client
# When the command fails, a limited amount of command output is
# mailed back to the sender. The file \fB/usr/include/sysexits.h\fR
# defines the expected exit status codes. For example, use
-# \fB"|exit 67"\fR to simulate a "user unknown" error, and
-# \fB"|exit 0"\fR to implement an expensive black hole.
+# \fB|"exit 67"\fR to simulate a "user unknown" error, and
+# \fB|"exit 0"\fR to implement an expensive black hole.
# .IP \fB:include:\fI/file/name\fR
# Mail is sent to the destinations listed in the named file.
# Lines in \fB:include:\fR files have the same syntax
# GENERAL PROCEDURE
# .ad
# .fi
-# To create a customized bounce template file, create a
-# temporary
+# To create customized bounce template file, create a temporary
# copy of the file \fB/etc/postfix/bounce.cf.default\fR and
# edit the temporary file.
#
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
# is used for fast searching by the mail system. Execute the command
-# "\fBpostmap /etc/postfix/canonical\fR" to rebuild an indexed
-# file after changing the corresponding text file.
+# "\fBpostmap /etc/postfix/canonical\fR" in order to rebuild the indexed
+# file after changing the text file.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those cases, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
#
# By default the \fBcanonical\fR(5) mapping affects both message
# header addresses (i.e. addresses that appear inside messages)
# by legacy mail systems.
#
# The \fBcanonical\fR(5) mapping is not to be confused with \fIvirtual
-# alias\fR support or with local aliasing. To change the destination
-# but not the headers, use the \fBvirtual\fR(5) or \fBaliases\fR(5)
-# map instead.
+# domain\fR support. Use the \fBvirtual\fR(5) map for that purpose.
+#
+# The \fBcanonical\fR(5) mapping is not to be confused with local aliasing.
+# Use the \fBaliases\fR(5) map for that purpose.
# CASE FOLDING
# .ad
# .fi
# .IP "@\fIdomain address\fR"
# Replace other addresses in \fIdomain\fR by \fIaddress\fR.
# This form has the lowest precedence.
-# .sp
-# Note: @\fIdomain\fR is a wild-card. When this form is applied
-# to recipient addresses, the Postfix SMTP server accepts
-# mail for any recipient in \fIdomain\fR, regardless of whether
-# that recipient exists. This may turn your mail system into
-# a backscatter source that returns undeliverable spam to
-# innocent people.
# RESULT ADDRESS REWRITING
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# The Postfix mail system uses optional lookup tables.
# These tables are usually in \fBdbm\fR or \fBdb\fR format.
# Alternatively, lookup tables can be specified in CIDR
-# (Classless Inter-Domain Routing) form. In this case, each
-# input is compared against a list of patterns. When a match
-# is found, the corresponding result is returned and the search
-# is terminated.
+# (Classless Inter-Domain Routing) form.
#
# To find out what types of lookup tables your Postfix system
# supports use the "\fBpostconf -m\fR" command.
# will be matched regardless of redundant zero characters.
#
# Note: address information may be enclosed inside "[]" but
-# this form is not required.
+# this form is not recommended.
#
# IPv6 support is available in Postfix 2.2 and later.
# .IP "\fInetwork_address result\fR"
# AUTHOR(S)
# The CIDR table lookup code was originally written by:
# Jozsef Kadlecsik
+# kadlec@blackhole.kfki.hu
# KFKI Research Institute for Particle and Nuclear Physics
# POB. 49
# 1525 Budapest, Hungary
# command. The result, an indexed file in \fBdbm\fR or
# \fBdb\fR format, is used for fast searching by the mail
# system. Execute the command "\fBpostmap /etc/postfix/generic\fR"
-# to rebuild an indexed file after changing the corresponding
+# in order to rebuild the indexed file after changing the
# text file.
#
# When the table is provided via other means such as NIS, LDAP
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
# NAME
# header_checks 5
# SUMMARY
-# Postfix built-in content inspection
+# Postfix built-in header/body inspection
# SYNOPSIS
# \fBheader_checks = pcre:/etc/postfix/header_checks\fR
# .br
# .br
# \fBbody_checks = pcre:/etc/postfix/body_checks\fR
# .sp
-# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
+# \fBpostmap -fq "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
# .br
-# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+# \fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
# DESCRIPTION
-# This document describes access control on the content of
-# message headers and message body lines; it is implemented
-# by the Postfix cleanup(8) server before mail is queued.
-# See \fBaccess\fR(5) for access control on remote SMTP client
-# information.
-#
-# Each message header or message body line is compared against
-# a list of patterns.
-# When a match is found the corresponding action is executed, and
-# the matching process is repeated for the next message header or
-# message body line.
+# Postfix provides a simple built-in content inspection mechanism that
+# examines incoming mail one message header or one message body line
+# at a time. Each input is compared against a list of patterns, and
+# when a match is found the corresponding action is executed.
+# This feature is implemented by the Postfix \fBcleanup\fR(8) server.
#
# For examples, see the EXAMPLES section at the end of this
# manual page.
# .IP "\fBif /\fIpattern\fB/\fIflags\fR"
# .IP "\fBendif\fR"
# Match the input string against the patterns between \fBif\fR
-# and \fBendif\fR, if and only if the same input string also
-# matches \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
+# and \fBendif\fR, if and only if the input string also matches
+# \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
# .sp
# Note: do not prepend whitespace to patterns inside
# \fBif\fR..\fBendif\fR.
# .IP "\fBif !/\fIpattern\fB/\fIflags\fR"
# .IP "\fBendif\fR"
# Match the input string against the patterns between \fBif\fR
-# and \fBendif\fR, if and only if the same input string does
-# \fBnot\fR match \fIpattern\fR. The \fBif\fR..\fBendif\fR
-# can nest.
+# and \fBendif\fR, if and only if the input string does \fBnot\fR
+# match \fIpattern\fR. The \fBif\fR..\fBendif\fR can nest.
# .IP "blank lines and comments"
# Empty lines and whitespace-only lines are ignored, as
# are lines whose first non-whitespace character is a `#'.
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBFILTER \fItransport:destination\fR"
-# Write a content filter request to the queue file, and
+# Write a content filter request to the queue file and
# inspect the next input line.
# After the complete message is received it will be sent through
# the specified external content filter. More information about
# external content filters is in the Postfix FILTER_README file.
# .sp
-# Note: this action overrides the \fBcontent_filter\fR setting,
+# Note: this action overrides the \fBmain.cf content_filter\fR setting,
# and affects all recipients of the message. In the case that multiple
# \fBFILTER\fR actions fire, only the last one is executed.
# .sp
# .sp
# Note: use "\fBpostsuper -r\fR" to release mail that was kept on
# hold for a significant fraction of \fB$maximal_queue_lifetime\fR
-# or \fB$bounce_queue_lifetime\fR, or longer. Use "\fBpostsuper -H\fR"
-# only for mail that will not expire within a few delivery attempts.
+# or \fB$bounce_queue_lifetime\fR, or longer.
# .sp
# Note: this action affects all recipients of the message.
# .sp
# This feature is available in Postfix 2.0 and later.
# .IP \fBIGNORE\fR
-# Delete the current line from the input, and inspect
+# Delete the current line from the input and inspect
# the next input line.
# .IP "\fBPREPEND \fItext...\fR"
-# Prepend one line with the specified text, and inspect the next
+# Prepend one line with the specified text and inspect the next
# input line.
# .sp
# Notes:
# .IP
# This feature is available in Postfix 2.1 and later.
# .IP "\fBREDIRECT \fIuser@domain\fR"
-# Write a message redirection request to the queue file, and
+# Write a message redirection request to the queue file and
# inspect the next input line. After the message is queued,
# it will be sent to the specified address instead of the
# intended recipient(s).
# .sp
# This feature is available in Postfix 2.1 and later.
# .IP "\fBREPLACE \fItext...\fR"
-# Replace the current line with the specified text, and inspect the next
+# Replace the current line with the specified text and inspect the next
# input line.
# .sp
# This feature is available in Postfix 2.2 and later. The
# "5.7.1".
# .IP "\fBWARN \fIoptional text...\fR
# Log a warning with the \fIoptional text...\fR (or log a
-# generic message), and inspect the next input line. This
+# generic message) and inspect the next input line. This
# action is useful for debugging and for testing a pattern
# before applying more drastic actions.
# BUGS
# Many people overlook the main limitations of header and body_checks
-# rules.
-# .IP \(bu
-# These rules operate on one logical message header or one body
-# line at a time. A decision made for one line is not carried over
-# to the next line.
-# .IP \(bu
-# If text in the message body is encoded
+# rules. These rules operate on one logical message header or one body
+# line at a time, and a decision made for one line is not carried over
+# to the next line. If text in the message body is encoded
# (RFC 2045) then the rules have to specified for the encoded
-# form.
-# .IP \(bu
-# Likewise, when message headers are encoded (RFC
+# form. Likewise, when message headers are encoded (RFC
# 2047) then the rules need to be specified for the encoded
# form.
-# .PP
+#
# Message headers added by the \fBcleanup\fR(8) daemon itself
# are excluded from inspection. Examples of such message headers
# are \fBFrom:\fR, \fBTo:\fR, \fBMessage-ID:\fR, \fBDate:\fR.
#
# In order to use LDAP lookups, define an LDAP source as a lookup
# table in main.cf, for example:
-#
# .ti +4
# alias_maps = ldap:/etc/postfix/ldap-aliases.cf
#
# return the key itself.
#
# For example, NEVER do this in a map defining $mydestination:
-#
# .in +4
# query_filter = domain=*
# .br
# .in -4
#
# Do this instead:
-#
# .in +4
# query_filter = domain=%s
# .br
# strings.
# .IP "\fBserver_host (default: localhost)\fR"
# The name of the host running the LDAP server, e.g.
-#
# .ti +4
# server_host = ldap.example.com
#
# trying them in order should the first one fail. It should also
# be possible to give each server in the list a different port
# (overriding \fBserver_port\fR below), by naming them like
-#
# .ti +4
# server_host = ldap.example.com:1444
#
# With OpenLDAP, a (list of) LDAP URLs can be used to specify both
# the hostname(s) and the port(s):
-#
# .ti +4
# server_host = ldap://ldap.example.com:1444
# .ti +8
# including connections over UNIX domain sockets, and LDAP SSL
# (the last one provided that OpenLDAP was compiled with support
# for SSL):
-#
# .ti +4
# server_host = ldapi://%2Fsome%2Fpath
# .ti +8
# ldaps://ldap.example.com:636
# .IP "\fBserver_port (default: 389)\fR"
# The port the LDAP server listens on, e.g.
-#
# .ti +4
# server_port = 778
# .IP "\fBtimeout (default: 10 seconds)\fR"
# The number of seconds a search can take before timing out, e.g.
-#
# .ti +4
# timeout = 5
# .IP "\fBsearch_base (No default; you must configure this)\fR"
# The RFC2253 base DN at which to conduct the search, e.g.
-#
# .ti +4
# search_base = dc=your, dc=com
# .IP
# The RFC2254 filter used to search the directory, where \fB%s\fR
# is a substitute for the address Postfix is trying to resolve,
# e.g.
-#
# .ti +4
# query_filter = (&(mail=%s)(paid_up=true))
#
# input key is \fIuser@mail.example.com\fR, then %1 is \fBcom\fR,
# %2 is \fBexample\fR and %3 is \fBmail\fR. If the input key is
# unqualified or does not have enough domain components to satisfy
-# all the specified patterns, the search is suppressed and returns
+# all the specified patterns, the saerch is suppressed and returns
# no results.
# .IP
# The above %1, ..., %9 expansions are available with Postfix 2.2
# are eligible for lookup: 'user' lookups, bare domain lookups
# and "@domain" lookups are not performed. This can significantly
# reduce the query load on the LDAP server.
-#
# .ti +4
# domain = postfix.org, hash:/etc/postfix/searchdomains
#
# The attribute(s) Postfix will read from any directory
# entries returned by the lookup, to be resolved to an email
# address.
-#
# .ti +4
# result_attribute = mailbox, maildrop
-# .IP "\fBspecial_result_attribute (default: empty)\fR"
+# .IP "\fBspecial_result_attribute (No default)\fR"
# The attribute(s) of directory entries that can contain DNs
# or URLs. If found, a recursive subsequent search is done
# using their values.
-#
# .ti +4
-# special_result_attribute = memberdn
+# special_result_attribute = member
#
# DN recursion retrieves the same result_attributes as the
# main query, including the special attributes for further
# listed in "result_attribute". If the URI lists any of the
# map's special result attributes, these are also retrieved
# and used recursively.
-# .IP "\fBterminal_result_attribute (default: empty)\fR"
-# When one or more terminal result attributes are found in an LDAP
-# entry, all other result attributes are ignored and only the terminal
-# result attributes are returned. This is useful for delegating expansion
-# of group members to a particular host, by using an optional "maildrop"
-# attribute on selected groups to route the group to a specific host,
-# where the group is expanded, possibly via mailing-list manager or
-# other special processing.
-#
-# .ti +4
-# terminal_result_attribute = maildrop
-#
-# This feature is available with Postfix 2.4 or later.
-# .IP "\fBleaf_result_attribute (default: empty)\fR"
-# When one or more special result attributes are found in a non-terminal
-# (see above) LDAP entry, leaf result attributes are excluded from the
-# expansion of that entry. This is useful when expanding groups and the
-# desired mail address attribute(s) of the member objects obtained via
-# DN or URI recursion are also present in the group object. To only
-# return the attribute values from the leaf objects and not the
-# containing group, add the attribute to the leaf_result_attribute list,
-# and not the result_attribute list, which is always expanded. Note,
-# the default value of "result_attribute" is not empty, you may want to
-# set it explicitly empty when using "leaf_result_attribute" to expand
-# the group to a list of member DN addresses. If groups have both
-# member DN references AND attributes that hold multiple string valued
-# rfc822 addresses, then the string attributes go in "result_attribute".
-# The attributes that represent the email addresses of objects
-# referenced via a DN (or LDAP URI) go in "leaf_result_attribute".
-#
-# .in +4
-# result_attribute = memberaddr
-# .br
-# special_result_attribute = memberdn
-# .br
-# terminal_result_attribute = maildrop
-# .br
-# leaf_result_attribute = mail
-# .in -4
-#
-# This feature is available with Postfix 2.4 or later.
# .IP "\fBscope (default: sub)\fR"
# The LDAP search scope: \fBsub\fR, \fBbase\fR, or \fBone\fR.
# These translate into LDAP_SCOPE_SUBTREE, LDAP_SCOPE_BASE,
# Whether or not to bind to the LDAP server. Newer LDAP
# implementations don't require clients to bind, which saves
# time. Example:
-#
# .ti +4
# bind = no
#
# the clear.
# .IP "\fBbind_dn (default: empty)\fR"
# If you do have to bind, do it with this distinguished name. Example:
-#
# .ti +4
# bind_dn = uid=postfix, dc=your, dc=com
# .IP "\fBbind_pw (default: empty)\fR"
# password. This is because main.cf needs to be world readable
# to allow local accounts to submit mail via the sendmail
# command. Example:
-#
# .ti +4
# bind_pw = postfixpw
# .IP "\fBcache (IGNORED with a warning)\fR"
#
# LDAP SSL service can be requested by using a LDAP SSL URL
# in the server_host parameter:
-#
# .ti +4
# server_host = ldaps://ldap.example.com:636
#
# STARTTLS can be turned on with the start_tls parameter:
-#
# .ti +4
# start_tls = yes
#
# Both forms require LDAP protocol version 3, which has to be set
# explicitly with:
-#
# .ti +4
# version = 3
#
# Here's a basic example for using LDAP to look up local(8)
# aliases.
# Assume that in main.cf, you have:
-#
# .ti +4
# alias_maps = hash:/etc/aliases,
# .ti +8
# ldap:/etc/postfix/ldap-aliases.cf
#
# and in ldap:/etc/postfix/ldap-aliases.cf you have:
-#
# .in +4
-# server_host = ldap.example.com
+# server_host = ldap.my.com
# .br
-# search_base = dc=example, dc=com
+# search_base = dc=my, dc=com
# .in -4
#
# Upon receiving mail for a local address "ldapuser" that
# isn't found in the /etc/aliases database, Postfix will
-# search the LDAP server listening at port 389 on ldap.example.com.
+# search the LDAP server listening at port 389 on ldap.my.com.
# It will bind anonymously, search for any directory entries
# whose mailacceptinggeneralid attribute is "ldapuser", read
# the "maildrop" attributes of those found, and build a list
# Cambridge
# CB10 1SB, UK
#
+# Based on the NIS client code:
+#
# Adopted and adapted by:
# Wietse Venema
# IBM T.J. Watson Research
# SUMMARY
# format of Postfix PCRE tables
# SYNOPSIS
-# \fBpostmap -q "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
+# \fBpostmap -fq "\fIstring\fB" pcre:/etc/postfix/\fIfilename\fR
#
-# \fBpostmap -q - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+# \fBpostmap -fq - pcre:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
# DESCRIPTION
# The Postfix mail system uses optional tables for address
# rewriting or mail routing. These tables are usually in
#
# Alternatively, lookup tables can be specified in Perl Compatible
# Regular Expression form. In this case, each input is compared
-# against a list of patterns. When a match is found, the
-# corresponding result is returned and the search is terminated.
+# against a list of patterns, and when a match is found the
+# corresponding result is returned.
#
# To find out what types of lookup tables your Postfix system
# supports use the "\fBpostconf -m\fR" command.
#
-# To test lookup tables, use the "\fBpostmap -q\fR" command as
+# To test lookup tables, use the "\fBpostmap -fq\fR" command as
# described in the SYNOPSIS above.
-# COMPATIBILITY
-# .ad
-# .fi
-# With Postfix version 2.2 and earlier specify "\fBpostmap
-# -fq\fR" to query a table that contains case sensitive
-# patterns. Patterns are case insensitive by default.
# TABLE FORMAT
# .ad
# .fi
</p>
<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
-but this form is not required here. </p>
+but this form is not recommended here. </p>
<p> When inet_interfaces specifies just one IPv4 and/or IPv6 address
that is not a loopback address, the Postfix SMTP client will use
%PARAM max_idle 100s
<p>
-The maximum amount of time that an idle Postfix daemon process waits
-for an incoming connection before terminating voluntarily. This
-parameter
+The maximum amount of time that an idle Postfix daemon process
+waits for the next service request before exiting. This parameter
is ignored by the Postfix queue manager and by other long-lived
Postfix daemon processes.
</p>
%PARAM max_use 100
<p>
-The maximal number of incoming connections that a Postfix daemon
-process will service before terminating voluntarily. This parameter
-is ignored by the Postfix queue
+The maximal number of connection requests before a Postfix daemon
+process terminates. This parameter is ignored by the Postfix queue
manager and by other long-lived Postfix daemon processes.
</p>
The maximal size in bytes of a message, including envelope information.
</p>
-%PARAM minimal_backoff_time 300s
-
-<p>
-The minimal time between attempts to deliver a deferred message;
-prior to Postfix 2.4 the default value was 1000s.
-</p>
+%PARAM minimal_backoff_time version dependent
<p>
+The minimal time between attempts to deliver a deferred message.
This parameter also limits the time an unreachable destination is
kept in the short-term, in-memory, destination status cache.
</p>
+<p> With Postfix 2.4 the default value was reduced from 1000s to
+300s. </p>
+
<p> This parameter should be set greater than or equal to
$queue_run_delay. See also $maximal_backoff_time. </p>
zero means there is no minimum required amount of free space.
</p>
-%PARAM queue_run_delay 300s
+%PARAM queue_run_delay version dependent
<p>
-The time between deferred queue scans by the queue manager;
-prior to Postfix 2.4 the default value was 1000s.
+The time between deferred queue scans by the queue manager.
+</p>
+
+<p>
+With Postfix 2.4 the default value was reduced from 1000s to 300s.
</p>
<p> This parameter should be set less than or equal to
<p> Optional lookup tables with all valid addresses in the domains
that match $relay_domains. Specify @domain as a wild-card for
-domains that have no valid recipient list, and become a source of
-backscatter mail: Postfix accepts spam for non-existent recipients
-and then floods innocent people with undeliverable mail. Technically,
-tables
+domains that do not have a valid recipient list. Technically, tables
listed with $relay_recipient_maps are used as lists: Postfix needs
to know only if a lookup string is found or not, but it does not
use the result from table lookup. </p>
inet_interfaces documentation for more detail. </p>
<p> Note 2: address information may be enclosed inside <tt>[]</tt>,
-but this form is not required here. </p>
+but this form is not recommended here. </p>
%PARAM smtp_bind_address6
</p>
<p>
-This feature is implemented by the anvil(8) service which is available
-in Postfix version 2.2 and later.
+This feature is implemented by the anvil(8) service which is not
+part of the stable Postfix version 2.1 release.
</p>
<p>
<ul>
-<li> a = time from message arrival to last active queue entry
+<li> a = time before the queue manager, including message transmission
-<li> b = time from last active queue entry to connection setup
+<li> b = time in queue manager
<li> c = time in connection setup, including DNS, EHLO and TLS
<p> This feature is available in Postfix 2.3 and later. </p>
-%PARAM lmtp_discard_lhlo_keywords
+%PARAM lmtp_discard_lhlo_keywords $myhostname
<p> A case insensitive list of LHLO keywords (pipelining, starttls,
auth, etc.) that the LMTP client will ignore in the LHLO response
smtp_tls_mandatory_ciphers parameter and the optional "protocols"
keyword overrides the main.cf smtp_tls_mandatory_protocols parameter.
In the policy table, multiple protocols must be separated by colons,
-as attribute values may not contain whitespace or commas. </dd>
+as attribute values may not contain whitespace or commas. </p>
<dt><b>verify</b></dt> <dd>Mandatory TLS verification. At this security
level, DNS MX lookups are trusted to be secure enough, and the name
# SUMMARY
# format of Postfix regular expression tables
# SYNOPSIS
-# \fBpostmap -q "\fIstring\fB" regexp:/etc/postfix/\fIfilename\fR
+# \fBpostmap -fq "\fIstring\fB" regexp:/etc/postfix/\fIfilename\fR
#
-# \fBpostmap -q - regexp:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
+# \fBpostmap -fq - regexp:/etc/postfix/\fIfilename\fR <\fIinputfile\fR
# DESCRIPTION
# The Postfix mail system uses optional tables for address
# rewriting or mail routing. These tables are usually in
#
# Alternatively, lookup tables can be specified in POSIX regular
# expression form. In this case, each input is compared against a
-# list of patterns. When a match is found, the corresponding
-# result is returned and the search is terminated.
+# list of patterns, and when a match is found the corresponding
+# result is returned.
#
# To find out what types of lookup tables your Postfix system
# supports use the "\fBpostconf -m\fR" command.
#
-# To test lookup tables, use the "\fBpostmap -q\fR" command
-# as described in the SYNOPSIS above.
-# COMPATIBILITY
-# .ad
-# .fi
-# With Postfix version 2.2 and earlier specify "\fBpostmap
-# -fq\fR" to query a table that contains case sensitive
-# patterns. Patterns are case insensitive by default.
+# To test lookup tables, use the "\fBpostmap -fq\fR" command as
+# described in the SYNOPSIS above.
# TABLE FORMAT
# .ad
# .fi
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
# is used for fast searching by the mail system. Execute the command
-# "\fBpostmap /etc/postfix/relocated\fR" to rebuild an indexed
-# file after changing the corresponding relocated table.
+# "\fBpostmap /etc/postfix/relocated\fR" in order to rebuild the indexed
+# file after changing the relocated table.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
#
# Table lookups are case insensitive.
# CASE FOLDING
# expression lookup table syntax, see \fBregexp_table\fR(5) or
# \fBpcre_table\fR(5). For a description of the TCP client/server
# table lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each pattern is a regular expression that is applied to the entire
# address being looked up. Thus, \fIuser@domain\fR mail addresses are not
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
xxxxx
yy
zz
-AAAREADME
-API
-DAEMONs
-DHE
-DSL
-DataBase
-EMSTP
-EST
-HTTPS
-JOBIDUNKNOWN
-Jänicke
-Koetter
-Leandro
-MSA
-MUAs
-Netinfo
-ODRhu
-Outlook's
-PQexec
-Procontrol
-REJECTs
-Requeuing
-SDBM
-SSLv
-Santi
-Sirainen
-TCL
-TEMPFAILs
-TLSv
-Tallon
-Tinycdb
-Tokarev
-Wrobel
-aNULL
-agroup
-alloc
-antiantivirus
-apps
-arandom
-arounds
-auser
-beb
-bgroup
-buser
-callouts
-cctx
-cli
-cname
-corpit
-cuser
-ddd
-dfc
-dkim
-dmS
-domainkeys
-duser
-epoll
-esmtp
-exim
-gssapi
-heraccount
-herisp
-hisaccount
-hisisp
-ietf
-imc
-interoperate
-keysize
-koetter
-kqueue
-ldapgroup
-libcdb
-libdb
-lpr
-mailwrapper
-mctx
-memberaddr
-memberdn
-mjt
-mlm
-msa
-myisp
-myname
-netinfo
-nisplus
-noatime
-nopeer
-obs
-openspf
-orig
-passdb
-patrick
-preloading
-rpm
-saslfinger
-securetls
-spamware
-systemtype
-tinycdb
-unencoded
-uniquename
-william
-xxxxxxx
-yulszqocfzsficvzzju
-yyyyyy
-zzzzzz
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format, is used
# for fast searching by the mail system. Execute the command
-# "\fBpostmap /etc/postfix/transport\fR" to rebuild an indexed
-# file after changing the corresponding transport table.
+# "\fBpostmap /etc/postfix/transport\fR" in order to rebuild the indexed
+# file after changing the transport table.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire recipient address once. Thus,
# \fIsome.domain.hierarchy\fR is not looked up via its parent domains,
# that serves as input to the \fBpostmap\fR(1) command.
# The result, an indexed file in \fBdbm\fR or \fBdb\fR format,
# is used for fast searching by the mail system. Execute the command
-# "\fBpostmap /etc/postfix/virtual\fR" to rebuild an indexed
-# file after changing the corresponding text file.
+# "\fBpostmap /etc/postfix/virtual\fR" in order to rebuild the indexed
+# file after changing the text file.
#
# When the table is provided via other means such as NIS, LDAP
# or SQL, the same lookups are done as for ordinary indexed files.
#
# Alternatively, the table can be provided as a regular-expression
# map where patterns are given as regular expressions, or lookups
-# can be directed to TCP-based server. In those case, the lookups
-# are done in a slightly different way as described below under
-# "REGULAR EXPRESSION TABLES" or "TCP-BASED TABLES".
+# can be directed to TCP-based server. In that case, the lookups are
+# done in a slightly different way as described below under
+# "REGULAR EXPRESSION TABLES" and "TCP-BASED TABLES".
# CASE FOLDING
# .ad
# .fi
# .IP "@\fIdomain address, address, ...\fR"
# Redirect mail for other users in \fIdomain\fR to \fIaddress\fR.
# This form has the lowest precedence.
-# .sp
-# Note: @\fIdomain\fR is a wild-card. With this form, the
-# Postfix SMTP server accepts
-# mail for any recipient in \fIdomain\fR, regardless of whether
-# that recipient exists. This may turn your mail system into
-# a backscatter source that returns undeliverable spam to
-# innocent people.
# RESULT ADDRESS REWRITING
# .ad
# .fi
# This section describes how the table lookups change when lookups
# are directed to a TCP-based server. For a description of the TCP
# client/server lookup protocol, see \fBtcp_table\fR(5).
-# This feature is not available up to and including Postfix version 2.4.
+# This feature is not available up to and including Postfix version 2.3.
#
# Each lookup operation uses the entire address once. Thus,
# \fIuser@domain\fR mail addresses are not broken up into their
anvil.o: ../../include/mail_params.h
anvil.o: ../../include/mail_proto.h
anvil.o: ../../include/mail_server.h
-anvil.o: ../../include/mail_version.h
anvil.o: ../../include/msg.h
anvil.o: ../../include/mymalloc.h
anvil.o: ../../include/stringops.h
/*
/* In this preliminary implementation, a count (or rate) limited server
/* can have only one remote client at a time. If a server reports
-/* multiple simultaneous clients, state is kept only for the last
-/* reported client.
+/* multiple simultaneous clients, all but the last reported client
+/* are ignored.
/*
/* The \fBanvil\fR(8) server automatically discards client
/* request information after it expires. To prevent the
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
#include <anvil_clnt.h>
var_idle_limit = var_anvil_time_unit;
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
multi_server_main(argc, argv, anvil_service,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_POST_INIT, post_jail_init,
bounce.o: ../../include/mail_proto.h
bounce.o: ../../include/mail_queue.h
bounce.o: ../../include/mail_server.h
-bounce.o: ../../include/mail_version.h
bounce.o: ../../include/msg.h
bounce.o: ../../include/msg_stats.h
bounce.o: ../../include/rcpt_buf.h
bounce_notify_service.o: ../../include/dsn.h
bounce_notify_service.o: ../../include/dsn_buf.h
bounce_notify_service.o: ../../include/dsn_mask.h
-bounce_notify_service.o: ../../include/int_filt.h
bounce_notify_service.o: ../../include/mail_addr.h
bounce_notify_service.o: ../../include/mail_error.h
bounce_notify_service.o: ../../include/mail_params.h
bounce_notify_util.o: ../../include/dsn_buf.h
bounce_notify_util.o: ../../include/dsn_mask.h
bounce_notify_util.o: ../../include/events.h
-bounce_notify_util.o: ../../include/int_filt.h
bounce_notify_util.o: ../../include/iostuff.h
bounce_notify_util.o: ../../include/is_header.h
bounce_notify_util.o: ../../include/lex_822.h
bounce_notify_verp.o: ../../include/dsn.h
bounce_notify_verp.o: ../../include/dsn_buf.h
bounce_notify_verp.o: ../../include/dsn_mask.h
-bounce_notify_verp.o: ../../include/int_filt.h
bounce_notify_verp.o: ../../include/mail_addr.h
bounce_notify_verp.o: ../../include/mail_error.h
bounce_notify_verp.o: ../../include/mail_params.h
bounce_one_service.o: ../../include/dsn.h
bounce_one_service.o: ../../include/dsn_buf.h
bounce_one_service.o: ../../include/dsn_mask.h
-bounce_one_service.o: ../../include/int_filt.h
bounce_one_service.o: ../../include/mail_addr.h
bounce_one_service.o: ../../include/mail_error.h
bounce_one_service.o: ../../include/mail_params.h
bounce_trace_service.o: ../../include/dsn.h
bounce_trace_service.o: ../../include/dsn_buf.h
bounce_trace_service.o: ../../include/dsn_mask.h
-bounce_trace_service.o: ../../include/int_filt.h
bounce_trace_service.o: ../../include/mail_addr.h
bounce_trace_service.o: ../../include/mail_error.h
bounce_trace_service.o: ../../include/mail_params.h
bounce_warn_service.o: ../../include/dsn.h
bounce_warn_service.o: ../../include/dsn_buf.h
bounce_warn_service.o: ../../include/dsn_mask.h
-bounce_warn_service.o: ../../include/int_filt.h
bounce_warn_service.o: ../../include/mail_addr.h
bounce_warn_service.o: ../../include/mail_error.h
bounce_warn_service.o: ../../include/mail_params.h
/* Append a recipient (non-)delivery status record to a per-message
/* log file.
/* .IP \(bu
-/* Enqueue a delivery status notification message, with a copy
-/* of a per-message log file and of the corresponding message.
-/* When the delivery status notification message is
+/* Enqueue a bounce message, with a copy of a per-message log file
+/* and of the corresponding message. When the bounce message is
/* enqueued successfully, the per-message log file is deleted.
/* .PP
/* The software does a best notification effort. A non-delivery
/* The mail system name that is displayed in Received: headers, in
/* the SMTP greeting banner, and in bounced mail.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBnotify_classes (resource, software)\fR"
/* The list of error classes that are reported to the postmaster.
/* .IP "\fBprocess_id (read-only)\fR"
#include <mail_proto.h>
#include <mail_queue.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <bounce.h>
#include <mail_addr.h>
/*
* Special case: dump bounce templates. This is not part of the master(5)
* public interface. This internal interface is used by the postconf
- * command. It was implemented before bounce templates were isolated into
- * modules that could have been called directly.
+ * command. It was implemented before bounce templates were isolated
+ * into modules that could have been called directly.
*/
if (strcmp(service_name, "dump_templates") == 0) {
bounce_templates_dump(VSTREAM_OUT, bounce_templates);
dsn_buf = dsb_create();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Pass control to the single-threaded service skeleton.
*/
cleanup.o: ../../include/mail_proto.h
cleanup.o: ../../include/mail_server.h
cleanup.o: ../../include/mail_stream.h
-cleanup.o: ../../include/mail_version.h
cleanup.o: ../../include/maps.h
cleanup.o: ../../include/match_list.h
cleanup.o: ../../include/match_ops.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
/* The internet hostname of this mail system.
/* .IP "\fBmyorigin ($myhostname)\fR"
#include <mail_params.h>
#include <record.h>
#include <rec_type.h>
-#include <mail_version.h>
/* Single-threaded server skeleton. */
}
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
{
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Clean up an incomplete queue file in case of a fatal run-time error,
* or after receiving SIGTERM from the master at shutdown time.
VAR_BODY_CHECKS, DEF_BODY_CHECKS, &var_body_checks, 0, 0,
VAR_PROP_EXTENSION, DEF_PROP_EXTENSION, &var_prop_extension, 0, 0,
VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
- VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 0, 0,
+ VAR_RCPT_WITHELD, DEF_RCPT_WITHELD, &var_rcpt_witheld, 1, 0,
VAR_MASQ_CLASSES, DEF_MASQ_CLASSES, &var_masq_classes, 0, 0,
VAR_SEND_BCC_MAPS, DEF_SEND_BCC_MAPS, &var_send_bcc_maps, 0, 0,
VAR_RCPT_BCC_MAPS, DEF_RCPT_BCC_MAPS, &var_rcpt_bcc_maps, 0, 0,
#define VISIBLE_RCPT ((1 << HDR_TO) | (1 << HDR_RESENT_TO) \
| (1 << HDR_CC) | (1 << HDR_RESENT_CC))
- if ((state->headers_seen & VISIBLE_RCPT) == 0 && *var_rcpt_witheld)
+ if ((state->headers_seen & VISIBLE_RCPT) == 0)
cleanup_out_format(state, REC_TYPE_NORM, "%s", var_rcpt_witheld);
/*
}
if (line == start) {
cleanup_out_string(state, REC_TYPE_NORM, line);
- if ((state->milters || cleanup_milters)
- && line_len < REC_TYPE_PTR_PAYL_SIZE)
+ if (line_len < REC_TYPE_PTR_PAYL_SIZE)
rec_pad(state->dst, REC_TYPE_DTXT,
REC_TYPE_PTR_PAYL_SIZE - line_len);
} else if (IS_SPACE_TAB(*line)) {
discard.o: ../../include/flush_clnt.h
discard.o: ../../include/mail_queue.h
discard.o: ../../include/mail_server.h
-discard.o: ../../include/mail_version.h
discard.o: ../../include/msg.h
discard.o: ../../include/msg_stats.h
discard.o: ../../include/recipient_list.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <flush_clnt.h>
#include <sent.h>
#include <dsn_util.h>
-#include <mail_version.h>
/* Single server skeleton. */
flush_init();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
{
-
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, discard_service,
MAIL_SERVER_PRE_INIT, pre_init,
0);
error.o: ../../include/mail_proto.h
error.o: ../../include/mail_queue.h
error.o: ../../include/mail_server.h
-error.o: ../../include/mail_version.h
error.o: ../../include/msg.h
error.o: ../../include/msg_stats.h
error.o: ../../include/recipient_list.h
/* The Postfix \fBerror\fR(8) delivery agent processes delivery
/* requests from
/* the queue manager. Each request specifies a queue file, a sender
-/* address, the reason for non-delivery (specified as the
-/* next-hop destination), and recipient information.
+/* address, a domain or host name that is treated as the reason for
+/* non-delivery, and recipient information.
/* The reason may be prefixed with an RFC 3463-compatible detail code.
/* This program expects to be run from the \fBmaster\fR(8) process
/* manager.
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBnotify_classes (resource, software)\fR"
/* The list of error classes that are reported to the postmaster.
/* .IP "\fBprocess_id (read-only)\fR"
#include <dsn_util.h>
#include <sys_exits.h>
#include <mail_proto.h>
-#include <mail_version.h>
/* Single server skeleton. */
flush_init();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
{
-
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, error_service,
MAIL_SERVER_PRE_INIT, pre_init,
0);
flush.o: ../../include/mail_queue.h
flush.o: ../../include/mail_scan_dir.h
flush.o: ../../include/mail_server.h
-flush.o: ../../include/mail_version.h
flush.o: ../../include/maps.h
flush.o: ../../include/match_list.h
flush.o: ../../include/match_ops.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBparent_domain_matches_subdomains (see 'postconf -d' output)\fR"
/* What Postfix features match subdomains of "domain.tld" automatically,
/* instead of requiring an explicit ".domain.tld" pattern.
/* Global library. */
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_queue.h>
#include <mail_proto.h>
#include <mail_flush.h>
/* flush_one_file - move one queue file to incoming queue */
static int flush_one_file(const char *queue_id, VSTRING *queue_file,
- struct utimbuf * tbuf, int how)
+ struct utimbuf * tbuf, int how)
{
const char *myname = "flush_one_file";
const char *queue_name;
var_fflush_domains);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, flush_service,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_PRE_INIT, pre_jail_init,
msg_fatal("usage: %s [-cr] [-s size] messages directory_entries", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
int op_count;
int ch;
int size = 2;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
msg_vstream_init(argv[0], VSTREAM_ERR);
while ((ch = GETOPT(argc, argv, "crs:")) != EOF) {
switch (ch) {
input_transp.o: input_transp.c
input_transp.o: input_transp.h
input_transp.o: mail_params.h
-int_filt.o: ../../include/msg.h
int_filt.o: ../../include/name_mask.h
int_filt.o: ../../include/sys_defs.h
int_filt.o: ../../include/vbuf.h
int_filt.o: ../../include/vstring.h
-int_filt.o: cleanup_user.h
int_filt.o: int_filt.c
int_filt.o: int_filt.h
int_filt.o: mail_params.h
post_mail.o: ../../include/vstream.h
post_mail.o: ../../include/vstring.h
post_mail.o: cleanup_user.h
-post_mail.o: int_filt.h
post_mail.o: mail_date.h
post_mail.o: mail_params.h
post_mail.o: mail_proto.h
/* .IP special_result_attribute
/* The attribute(s) of directory entries that can contain DNs or URLs.
/* If found, a recursive subsequent search is done using their values.
-/* .IP leaf_result_attribute
-/* These are only returned for "leaf" LDAP entries, i.e. those that are
-/* not "terminal" and have no values for any of the "special" result
-/* attributes.
-/* .IP terminal_result_attribute
-/* If found, the LDAP entry is considered a terminal LDAP object, not
-/* subject to further direct or recursive expansion. Only the terminal
-/* result attributes are returned.
/* .IP scope
/* LDAP search scope: sub, base, or one.
/* .IP bind
int scope;
char *search_base;
ARGV *result_attributes;
- int num_terminal; /* Number of terminal attributes. */
- int num_leaf; /* Number of leaf attributes */
- int num_attributes; /* Combined # of non-special attrs */
+ int num_attributes; /* rest of list is DN's. */
int bind;
char *bind_dn;
char *bind_pw;
#define DICT_LDAP_CONN(d) ((LDAP_CONN *)((d)->ht->value))
- /*
- * Bitrot: LDAP_API 3000 and up (OpenLDAP 2.2.x) deprecated ldap_unbind()
- */
-#if LDAP_API_VERSION >= 3000
-#define dict_ldap_unbind(ld) ldap_unbind_ext((ld), 0, 0)
-#define dict_ldap_abandon(ld, msg) ldap_abandon_ext((ld), (msg), 0, 0)
-#else
-#define dict_ldap_unbind(ld) ldap_unbind(ld)
-#define dict_ldap_abandon(ld, msg) ldap_abandon((ld), (msg))
-#endif
+
/*
* Quoting rules.
static void dict_ldap_logprint(LDAP_CONST char *data)
{
const char *myname = "dict_ldap_debug";
- char *buf, *p;
+ char *buf,
+ *p;
buf = mystrdup(data);
if (*buf) {
myfree(buf);
}
-static int dict_ldap_get_errno(LDAP *ld)
+static int dict_ldap_get_errno(LDAP * ld)
{
int rc;
return rc;
}
-static int dict_ldap_set_errno(LDAP *ld, int rc)
+static int dict_ldap_set_errno(LDAP * ld, int rc)
{
(void) ldap_set_option(ld, LDAP_OPT_ERROR_NUMBER, &rc);
return rc;
return (dict_ldap_get_errno(ld));
if (dict_ldap_get_errno(ld) == LDAP_TIMEOUT) {
- (void) dict_ldap_abandon(ld, msgid);
+ (void) ldap_abandon_ext(ld, msgid, 0, 0);
return (dict_ldap_set_errno(ld, LDAP_TIMEOUT));
}
+
return LDAP_SUCCESS;
}
/* search_st - Synchronous search with timeout */
static int search_st(LDAP *ld, char *base, int scope, char *query,
- char **attrs, int timeout, LDAPMessage **res)
+ char **attrs, int timeout, LDAPMessage **res)
{
struct timeval mytimeval;
int msgid;
mytimeval.tv_usec = 0;
#define WANTVALS 0
-#define USE_SIZE_LIM_OPT -1 /* Any negative value will do */
+#define USE_SIZE_LIM_OPT -1 /* Any negative value will do */
if ((rc = ldap_search_ext(ld, base, scope, query, attrs, WANTVALS, 0, 0,
&mytimeval, USE_SIZE_LIM_OPT,
#if defined(LDAP_OPT_DEBUG_LEVEL) && defined(LBER_OPT_LOG_PRINT_FN)
if (dict_ldap->debuglevel > 0 &&
ber_set_option(NULL, LBER_OPT_LOG_PRINT_FN,
- (LDAP_CONST void *) dict_ldap_logprint) != LBER_OPT_SUCCESS)
+ (LDAP_CONST void *) dict_ldap_logprint) != LBER_OPT_SUCCESS)
msg_warn("%s: Unable to set ber logprint function.", myname);
#if defined(LBER_OPT_DEBUG_LEVEL)
if (ber_set_option(NULL, LBER_OPT_DEBUG_LEVEL,
* This and the rest of the handling of multiple attributes, DNs and URLs
* are thanks to LaMont Jones.
*/
-static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage *res,
- VSTRING *result, const char *name)
+static void dict_ldap_get_values(DICT_LDAP *dict_ldap, LDAPMessage * res,
+ VSTRING *result, const char* name)
{
static int recursion = 0;
static int expansion;
int valcount;
LDAPURLDesc *url;
const char *myname = "dict_ldap_get_values";
- int is_leaf = 1; /* No recursion via this entry */
- int is_terminal = 0; /* No expansion via this entry */
if (++recursion == 1)
expansion = 0;
dict_ldap->size_limit);
dict_errno = DICT_ERR_RETRY;
}
-
- /*
- * Check for terminal attributes, these preclude expansion of all
- * other attributes, and DN/URI recursion. Any terminal attributes
- * are listed first in the attribute array.
- */
- if (dict_ldap->num_terminal > 0) {
- for (i = 0; i < dict_ldap->num_terminal; ++i) {
- attr = dict_ldap->result_attributes->argv[i];
- if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
- continue;
- is_terminal = (ldap_count_values_len(vals) > 0);
- ldap_value_free_len(vals);
- if (is_terminal)
- break;
- }
- }
-
- /*
- * Check for special attributes, these preclude expansion of
- * "leaf-only" attributes, and are at the end of the attribute array
- * after the terminal, leaf and regular attributes.
- */
- if (is_terminal == 0 && dict_ldap->num_leaf > 0) {
- for (i = dict_ldap->num_attributes;
- dict_ldap->result_attributes->argv[i]; ++i) {
- attr = dict_ldap->result_attributes->argv[i];
- if (!(vals = ldap_get_values_len(dict_ldap->ld, entry, attr)))
- continue;
- is_leaf = (ldap_count_values_len(vals) == 0);
- ldap_value_free_len(vals);
- if (!is_leaf)
- break;
- }
- }
for (attr = ldap_first_attribute(dict_ldap->ld, entry, &ber);
- attr != NULL; ldap_memfree(attr),
- attr = ldap_next_attribute(dict_ldap->ld, entry, ber)) {
-
+ attr != NULL;
+ ldap_memfree(attr), attr = ldap_next_attribute(dict_ldap->ld,
+ entry, ber)) {
vals = ldap_get_values_len(dict_ldap->ld, entry, attr);
if (vals == NULL) {
if (msg_verbose)
myname, recursion, attr);
continue;
}
+
valcount = ldap_count_values_len(vals);
/*
* We compute the attribute type (ordinary or special) from its
* index on the "result_attributes" list.
*/
- for (i = 0; dict_ldap->result_attributes->argv[i]; i++)
- if (strcasecmp(dict_ldap->result_attributes->argv[i],
- attr) == 0)
+ for (i = 0; dict_ldap->result_attributes->argv[i]; i++) {
+ if (strcasecmp(dict_ldap->result_attributes->argv[i], attr) == 0)
break;
+ }
/*
* Append each returned address to the result list, possibly
- * recursing (for dn or url attributes of non-terminal entries)
+ * recursing (for dn or url attributes).
*/
- if (i < dict_ldap->num_attributes || is_terminal) {
- if (is_terminal && i >= dict_ldap->num_terminal
- || !is_leaf &&
- i < dict_ldap->num_terminal + dict_ldap->num_leaf) {
- if (msg_verbose)
- msg_info("%s[%d]: skipping %ld value(s) of %s "
- "attribute %s", myname, recursion, i,
- is_terminal ? "non-terminal" : "leaf-only",
- attr);
- } else {
- /* Ordinary result attribute */
- for (i = 0; i < valcount; i++) {
- if (db_common_expand(dict_ldap->ctx,
- dict_ldap->result_format,
- vals[i]->bv_val,
- name, result, 0)
- && dict_ldap->expansion_limit > 0
- && ++expansion > dict_ldap->expansion_limit) {
- msg_warn("%s[%d]: %s: Expansion limit exceeded "
- "for key: '%s'", myname, recursion,
- dict_ldap->parser->name, name);
- dict_errno = DICT_ERR_RETRY;
- break;
- }
+ if (i < dict_ldap->num_attributes) {
+ /* Ordinary result attribute */
+ for (i = 0; i < valcount; i++) {
+ if (db_common_expand(dict_ldap->ctx,
+ dict_ldap->result_format,
+ vals[i]->bv_val,
+ name, result, 0)
+ && dict_ldap->expansion_limit > 0
+ && ++expansion > dict_ldap->expansion_limit) {
+ msg_warn("%s[%d]: %s: Expansion limit exceeded for key: '%s'",
+ myname, recursion, dict_ldap->parser->name, name);
+ dict_errno = DICT_ERR_RETRY;
+ break;
}
- if (dict_errno != 0)
- continue;
- if (msg_verbose)
- msg_info("%s[%d]: search returned %ld value(s) for"
- " requested result attribute %s",
- myname, recursion, i, attr);
}
+ if (dict_errno != 0)
+ continue;
+ if (msg_verbose)
+ msg_info("%s[%d]: search returned %ld value(s) for"
+ " requested result attribute %s",
+ myname, recursion, i, attr);
} else if (recursion < dict_ldap->recursion_limit
&& dict_ldap->result_attributes->argv[i]) {
/* Special result attribute */
if (rc == 0) {
rc = search_st(dict_ldap->ld, url->lud_dn,
url->lud_scope, url->lud_filter,
- url->lud_attrs, dict_ldap->timeout,
+ url->lud_attrs, dict_ldap->timeout,
&resloop);
ldap_free_urldesc(url);
}
msg_info("%s: Skipping lookup of '%s'", myname, name);
return (0);
}
+
#define INIT_VSTR(buf, len) do { \
if (buf == 0) \
buf = vstring_alloc(len); \
myname, dict_ldap->parser->name, dict_ldap->size_limit);
/*
- * Expand the search base and query. Skip lookup when the input key lacks
- * sufficient domain components to satisfy all the requested
- * %-substitutions.
- *
- * When the search base is not static, LDAP_NO_SUCH_OBJECT is expected and
- * is therefore treated as a non-error: the lookup returns no results
- * rather than a soft error.
+ * Expand the search base and query. Skip lookup when the
+ * input key lacks sufficient domain components to satisfy
+ * all the requested %-substitutions.
+ *
+ * When the search base is not static, LDAP_NO_SUCH_OBJECT is
+ * expected and is therefore treated as a non-error: the lookup
+ * returns no results rather than a soft error.
*/
if (!db_common_expand(dict_ldap->ctx, dict_ldap->search_base,
- name, 0, base, rfc2253_quote)) {
- if (msg_verbose > 1)
+ name, 0, base, rfc2253_quote)) {
+ if (msg_verbose > 1)
msg_info("%s: %s: Empty expansion for %s", myname,
dict_ldap->parser->name, dict_ldap->search_base);
- return (0);
+ return (0);
}
+
if (!db_common_expand(dict_ldap->ctx, dict_ldap->query,
name, 0, query, rfc2254_quote)) {
- if (msg_verbose > 1)
+ if (msg_verbose > 1)
msg_info("%s: %s: Empty expansion for %s", myname,
dict_ldap->parser->name, dict_ldap->query);
- return (0);
+ return (0);
}
/*
msg_info("%s: Lost connection for LDAP source %s, reopening",
myname, dict_ldap->parser->name);
- dict_ldap_unbind(dict_ldap->ld);
+ ldap_unbind_ext(dict_ldap->ld, 0, 0);
dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;
dict_ldap_connect(dict_ldap);
return (0);
rc = search_st(dict_ldap->ld, vstring_str(base), dict_ldap->scope,
- vstring_str(query), dict_ldap->result_attributes->argv,
+ vstring_str(query), dict_ldap->result_attributes->argv,
dict_ldap->timeout, &res);
}
+
switch (rc) {
case LDAP_SUCCESS:
-
/*
* Search worked; extract the requested result_attribute.
*/
break;
case LDAP_NO_SUCH_OBJECT:
-
- /*
- * If the search base is input key dependent, then not finding it, is
- * equivalent to not finding the input key. Sadly, we cannot detect
- * misconfiguration in this case.
+ /*
+ * If the search base is input key dependent, then not finding it,
+ * is equivalent to not finding the input key. Sadly, we cannot
+ * detect misconfiguration in this case.
*/
- if (dict_ldap->dynamic_base)
+ if (dict_ldap->dynamic_base)
break;
msg_warn("%s: %s: Search base '%s' not found: %d: %s",
break;
default:
-
/*
* Rats. The search didn't work.
*/
* Tear down the connection so it gets set up from scratch on the
* next lookup.
*/
- dict_ldap_unbind(dict_ldap->ld);
+ ldap_unbind_ext(dict_ldap->ld, 0, 0);
dict_ldap->ld = DICT_LDAP_CONN(dict_ldap)->conn_ld = 0;
/*
if (msg_verbose)
msg_info("%s: Closed connection handle for LDAP source %s",
myname, dict_ldap->parser->name);
- dict_ldap_unbind(conn->conn_ld);
+ ldap_unbind_ext(conn->conn_ld, 0, 0);
}
binhash_delete(conn_hash, ht->key, ht->key_len, myfree);
}
myfree(dict_ldap->search_base);
myfree(dict_ldap->query);
if (dict_ldap->result_format)
- myfree(dict_ldap->result_format);
+ myfree(dict_ldap->result_format);
argv_free(dict_ldap->result_attributes);
myfree(dict_ldap->bind_dn);
myfree(dict_ldap->bind_pw);
dict_ldap->ldap_ssl = 1;
ldap_free_urldesc(url_desc);
if (VSTRING_LEN(url_list) > 0)
- VSTRING_ADDCH(url_list, ' ');
+ VSTRING_ADDCH(url_list, ' ');
vstring_strcat(url_list, h);
} else {
if (VSTRING_LEN(url_list) > 0)
- VSTRING_ADDCH(url_list, ' ');
+ VSTRING_ADDCH(url_list, ' ');
if (strrchr(h, ':'))
vstring_sprintf_append(url_list, "ldap://%s", h);
else
*/
dict_ldap->timeout = cfg_get_int(dict_ldap->parser, "timeout", 10, 0, 0);
-#if 0 /* No benefit from changing
- * this to match the
- * MySQL/PGSQL syntax */
+#if 0 /* No benefit from changing this to match the MySQL/PGSQL syntax */
if ((dict_ldap->query =
- cfg_get_str(dict_ldap->parser, "query", 0, 0, 0)) == 0)
+ cfg_get_str(dict_ldap->parser, "query", 0, 0, 0)) == 0)
#endif
- dict_ldap->query =
+ dict_ldap->query =
cfg_get_str(dict_ldap->parser, "query_filter",
"(mailacceptinggeneralid=%s)", 0, 0);
if ((dict_ldap->result_format =
- cfg_get_str(dict_ldap->parser, "result_format", 0, 0, 0)) == 0)
- dict_ldap->result_format =
- cfg_get_str(dict_ldap->parser, "result_filter", "%s", 1, 0);
+ cfg_get_str(dict_ldap->parser, "result_format", 0, 0, 0)) == 0)
+ dict_ldap->result_format =
+ cfg_get_str(dict_ldap->parser, "result_filter", "%s", 1, 0);
/*
- * Must parse all templates before we can use db_common_expand() If data
- * dependent substitutions are found in the search base, treat
- * NO_SUCH_OBJECT search errors as a non-matching key, rather than a
- * fatal run-time error.
+ * Must parse all templates before we can use db_common_expand()
+ * If data dependent substitutions are found in the search base,
+ * treat NO_SUCH_OBJECT search errors as a non-matching key, rather
+ * than a fatal run-time error.
*/
dict_ldap->ctx = 0;
dict_ldap->dynamic_base =
db_common_parse_domain(dict_ldap->parser, dict_ldap->ctx);
/*
- * Maps that use substring keys should only be used with the full input
- * key.
+ * Maps that use substring keys should only be used with the full
+ * input key.
*/
if (db_common_dict_partial(dict_ldap->ctx))
dict_ldap->dict.flags |= DICT_FLAG_PATTERN;
if (dict_flags & DICT_FLAG_FOLD_FIX)
dict_ldap->dict.fold_buf = vstring_alloc(10);
- /* Order matters, first the terminal attributes: */
- attr = cfg_get_str(dict_ldap->parser, "terminal_result_attribute", "", 0, 0);
+ attr = cfg_get_str(dict_ldap->parser, "result_attribute",
+ "maildrop", 0, 0);
dict_ldap->result_attributes = argv_split(attr, " ,\t\r\n");
- dict_ldap->num_terminal = dict_ldap->result_attributes->argc;
- myfree(attr);
-
- /* Order matters, next the leaf-only attributes: */
- attr = cfg_get_str(dict_ldap->parser, "leaf_result_attribute", "", 0, 0);
- if (*attr)
- argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
- dict_ldap->num_leaf =
- dict_ldap->result_attributes->argc - dict_ldap->num_terminal;
- myfree(attr);
-
- /* Order matters, next the regular attributes: */
- attr = cfg_get_str(dict_ldap->parser, "result_attribute", "maildrop", 0, 0);
- if (*attr)
- argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
dict_ldap->num_attributes = dict_ldap->result_attributes->argc;
myfree(attr);
- /* Order matters, finally the special attributes: */
- attr = cfg_get_str(dict_ldap->parser, "special_result_attribute", "", 0, 0);
+ attr = cfg_get_str(dict_ldap->parser, "special_result_attribute",
+ "", 0, 0);
if (*attr)
argv_split_append(dict_ldap->result_attributes, attr, " ,\t\r\n");
myfree(attr);
VSTREAM *stream;
int status;
int count = 0;
- int request_flags;
/*
* The client and server live in separate processes that may start and
*/
VSTRING_RESET(dict_proxy->result);
VSTRING_TERMINATE(dict_proxy->result);
- request_flags = (dict_proxy->in_flags & DICT_FLAG_RQST_MASK)
- | (dict->flags & DICT_FLAG_RQST_MASK);
for (;;) {
stream = clnt_stream_access(proxy_stream);
errno = 0;
if (attr_print(stream, ATTR_FLAG_NONE,
ATTR_TYPE_STR, MAIL_ATTR_REQ, PROXY_REQ_LOOKUP,
ATTR_TYPE_STR, MAIL_ATTR_TABLE, dict->name,
- ATTR_TYPE_INT, MAIL_ATTR_FLAGS, request_flags,
+ ATTR_TYPE_INT, MAIL_ATTR_FLAGS, dict_proxy->in_flags,
ATTR_TYPE_STR, MAIL_ATTR_KEY, key,
ATTR_TYPE_END) != 0
|| vstream_fflush(stream)
if (msg_verbose)
msg_info("%s: table=%s flags=%s key=%s -> status=%d result=%s",
myname, dict->name,
- dict_flags_str(request_flags), key,
+ dict_flags_str(dict_proxy->in_flags), key,
status, STR(dict_proxy->result));
switch (status) {
case PROXY_STAT_BAD:
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20070325"
-#define MAIL_VERSION_NUMBER "2.4"
+#define MAIL_RELEASE_DATE "20070228"
+#define MAIL_VERSION_NUMBER "2.4.0-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
#define DEF_MAIL_RELEASE MAIL_RELEASE_DATE
extern char *var_mail_release;
- /*
- * The following macros stamp executable files as well as core dumps. This
- * information helps to answer the following questions:
- *
- * - What Postfix versions(s) are installed on this machine?
- *
- * - Is this installation mixing multiple Postfix versions?
- *
- * - What Postfix version generated this core dump?
- */
-#include <string.h>
-
-#define MAIL_VERSION_STAMP_DECLARE \
- char *mail_version_stamp
-
-#define MAIL_VERSION_STAMP_ALLOCATE \
- mail_version_stamp = strdup(VAR_MAIL_VERSION "=" DEF_MAIL_VERSION)
-
/* LICENSE
/* .ad
/* .fi
*/
if ((fp = safe_open(path, flags | O_NONBLOCK, mode, st,
chown_uid, chown_gid, why->reason)) == 0) {
- dsb_status(why, mbox_dsn(errno, def_dsn));
if (locked & MBOX_DOT_LOCK)
dot_unlockfile(path);
+ dsb_status(why, mbox_dsn(errno, def_dsn));
return (0);
}
close_on_exec(vstream_fileno(fp), CLOSE_ON_EXEC);
#define REC_TYPE_CONT 'L' /* long data record */
#define REC_TYPE_NORM 'N' /* normal data record */
-#define REC_TYPE_DTXT 'w' /* padding (was: deleted data) */
+#define REC_TYPE_DTXT 'w' /* deleted data record */
#define REC_TYPE_XTRA 'X' /* start extracted records */
* contains pure recipient sequences only, then the queue manager will not
* have to read all the queue file records before starting delivery. This is
* often the case with list mail, where such optimization is desirable.
- *
- * XXX These definitions include the respective segment terminators to avoid
- * special cases in the cleanup(8) envelope and extracted record processors.
*/
-#define REC_TYPE_ENV_RECIPIENT "MDRO/Kon"
-#define REC_TYPE_EXT_RECIPIENT "EDRO/Kon"
+#define REC_TYPE_ENV_RECIPIENT "DRO/Kon"
+#define REC_TYPE_EXT_RECIPIENT "DRO/Kon"
/*
* The types of records that I expect to see while processing different
local.o: ../../include/mail_conf.h
local.o: ../../include/mail_params.h
local.o: ../../include/mail_server.h
-local.o: ../../include/mail_version.h
local.o: ../../include/maps.h
local.o: ../../include/mbox_conf.h
local.o: ../../include/msg.h
/* .IP "\fBlocal_command_shell (empty)\fR"
/* Optional shell program for \fBlocal\fR(8) delivery to non-Postfix command.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprepend_delivered_header (command, file, forward)\fR"
/* The message delivery contexts where the Postfix \fBlocal\fR(8) delivery
/* agent prepends a Delivered-To: message header with the address
#include <mail_conf.h>
#include <been_here.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <ext_prop.h>
#include <maps.h>
#include <flush_clnt.h>
flush_init();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, local_service,
MAIL_SERVER_INT_TABLE, int_table,
MAIL_SERVER_STR_TABLE, str_table,
master_service.o: master_service.c
master_sig.o: ../../include/events.h
master_sig.o: ../../include/iostuff.h
-master_sig.o: ../../include/killme_after.h
master_sig.o: ../../include/msg.h
master_sig.o: ../../include/posix_signals.h
master_sig.o: ../../include/sys_defs.h
/* The default maximal number of Postfix child processes that provide
/* a given service.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBservice_throttle_time (60s)\fR"
/* How long the Postfix \fBmaster\fR(8) waits before forking a server that
/* appears to be malfunctioning.
msg_fatal("usage: %s [-c config_dir] [-D (debug)] [-d (don't detach from terminal)] [-e exit_time] [-t (test)] [-v]", me);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - main program */
int main(int argc, char **argv)
WATCHDOG *watchdog;
ARGV *import_env;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Initialize.
*/
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(multi_server_timeout, (char *) 0, time_left);
return;
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(multi_server_timeout, (char *) 0, time_left);
return;
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(multi_server_timeout, (char *) 0, time_left);
return;
if (redo_syslog_init)
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
- /*
- * If not connected to stdin, stdin must not be a terminal.
- */
- if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
- msg_vstream_init(var_procname, VSTREAM_ERR);
- msg_fatal("do not run this command by hand");
- }
-
/*
* Application-specific initialization.
*/
if (user_name)
user_name = var_mail_owner;
+ /*
+ * If not connected to stdin, stdin must not be a terminal.
+ */
+ if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+ msg_vstream_init(var_procname, VSTREAM_ERR);
+ msg_fatal("do not run this command by hand");
+ }
+
/*
* Can options be required?
*/
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(single_server_timeout, (char *) 0, time_left);
return;
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(single_server_timeout, (char *) 0, time_left);
return;
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(single_server_timeout, (char *) 0, time_left);
return;
if (redo_syslog_init)
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
- /*
- * If not connected to stdin, stdin must not be a terminal.
- */
- if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
- msg_vstream_init(var_procname, VSTREAM_ERR);
- msg_fatal("do not run this command by hand");
- }
-
/*
* Application-specific initialization.
*/
if (user_name)
user_name = var_mail_owner;
+ /*
+ * If not connected to stdin, stdin must not be a terminal.
+ */
+ if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+ msg_vstream_init(var_procname, VSTREAM_ERR);
+ msg_fatal("do not run this command by hand");
+ }
+
/*
* Can options be required?
*/
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(trigger_server_timeout, (char *) 0, time_left);
return;
msg_fatal("select unlock: %m");
if (fd < 0) {
if (errno != EAGAIN)
- msg_error("accept connection: %m");
+ msg_fatal("accept connection: %m");
if (time_left >= 0)
event_request_timer(trigger_server_timeout, (char *) 0, time_left);
return;
if (redo_syslog_init)
msg_syslog_init(mail_task(var_procname), LOG_PID, LOG_FACILITY);
- /*
- * If not connected to stdin, stdin must not be a terminal.
- */
- if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
- msg_vstream_init(var_procname, VSTREAM_ERR);
- msg_fatal("do not run this command by hand");
- }
-
/*
* Application-specific initialization.
*/
if (user_name)
user_name = var_mail_owner;
+ /*
+ * If not connected to stdin, stdin must not be a terminal.
+ */
+ if (daemon_mode && stream == 0 && isatty(STDIN_FILENO)) {
+ msg_vstream_init(var_procname, VSTREAM_ERR);
+ msg_fatal("do not run this command by hand");
+ }
+
/*
* Can options be required?
*
milter8.o: ../../include/header_opts.h
milter8.o: ../../include/iostuff.h
milter8.o: ../../include/is_header.h
-milter8.o: ../../include/mail_params.h
milter8.o: ../../include/mail_proto.h
milter8.o: ../../include/mime_state.h
milter8.o: ../../include/msg.h
qmgr.o: ../../include/mail_proto.h
qmgr.o: ../../include/mail_queue.h
qmgr.o: ../../include/mail_server.h
-qmgr.o: ../../include/mail_version.h
qmgr.o: ../../include/master_proto.h
qmgr.o: ../../include/msg.h
qmgr.o: ../../include/recipient_list.h
#include <recipient_list.h>
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h> /* QMGR_SCAN constants */
#include <mail_flow.h>
#include <flush_clnt.h>
qmgr_deferred_run_event(0, (char *) 0);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Use the trigger service skeleton, because no-one else should be
* monitoring our service port while this process runs, and because we do
pickup.o: ../../include/mail_proto.h
pickup.o: ../../include/mail_queue.h
pickup.o: ../../include/mail_server.h
-pickup.o: ../../include/mail_version.h
pickup.o: ../../include/msg.h
pickup.o: ../../include/mymalloc.h
pickup.o: ../../include/rec_attr_map.h
/* Upon input, long lines are chopped up into pieces of at most
/* this length; upon delivery, long lines are reconstructed.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <lex_822.h>
#include <input_transp.h>
#include <rec_attr_map.h>
-#include <mail_version.h>
/* Single-threaded server skeleton. */
input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded server skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Use the multi-threaded skeleton, because no-one else should be
* monitoring our service socket while this process runs.
pipe.o: ../../include/mail_copy.h
pipe.o: ../../include/mail_params.h
pipe.o: ../../include/mail_server.h
-pipe.o: ../../include/mail_version.h
pipe.o: ../../include/msg.h
pipe.o: ../../include/msg_stats.h
pipe.o: ../../include/mymalloc.h
/* by, for example, \fBUUCP\fR software.
/* .RE
/* .IP "\fBnull_sender\fR=\fIreplacement\fR (default: MAILER-DAEMON)"
-/* Replace the null sender address (typically used for delivery
-/* status notifications) with the specified text
+/* Replace the null sender address, which is typically used
+/* for delivery status notifications, with the specified text
/* when expanding the \fB$sender\fR command-line macro, and
/* when generating a From_ or Return-Path: message header.
/*
/* The UNIX system account that owns the Postfix queue and most Postfix
/* daemon processes.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <recipient_list.h>
#include <deliver_request.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <bounce.h>
#include <defer.h>
flush_init();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, pipe_service,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_PRE_INIT, pre_init,
postalias.o: ../../include/mail_dict.h
postalias.o: ../../include/mail_params.h
postalias.o: ../../include/mail_task.h
-postalias.o: ../../include/mail_version.h
postalias.o: ../../include/mkmap.h
postalias.o: ../../include/msg.h
postalias.o: ../../include/msg_syslog.h
#include <mail_conf.h>
#include <mail_dict.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mkmap.h>
#include <mail_task.h>
myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
char *path_name;
int sequence = 0;
int found;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postcat.o: ../../include/mail_params.h
postcat.o: ../../include/mail_proto.h
postcat.o: ../../include/mail_queue.h
-postcat.o: ../../include/mail_version.h
postcat.o: ../../include/msg.h
postcat.o: ../../include/msg_vstream.h
postcat.o: ../../include/rec_type.h
#include <mail_queue.h>
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
/* Application-specific. */
myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
VSTRING *buffer;
char **cpp;
int tries;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
}
}
/^(static| )*CONFIG_STR_TABLE .*\{/,/\};/ {
- if ($1 ~ /^VAR/) {
+ if ($1 ~ /VAR/) {
print "char *" substr($3,2,length($3)-2) ";" > "str_vars.h"
if (++stab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
print |"sed 's/[ ][ ]*/ /g' > str_table.h"
}
}
/^(static| )*CONFIG_RAW_TABLE .*\{/,/\};/ {
- if ($1 ~ /^VAR/) {
+ if ($1 ~ /VAR/) {
print "char *" substr($3,2,length($3)-2) ";" > "raw_vars.h"
if (++rtab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
print |"sed 's/[ ][ ]*/ /g' > raw_table.h"
}
}
/^(static| )*CONFIG_BOOL_TABLE .*\{/,/\};/ {
- if ($1 ~ /^VAR/) {
+ if ($1 ~ /VAR/) {
print "int " substr($3,2,length($3)-2) ";" > "bool_vars.h"
if (++btab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
print |"sed 's/[ ][ ]*/ /g' > bool_table.h"
}
}
/^(static| )*CONFIG_TIME_TABLE .*\{/,/\};/ {
- if ($1 ~ /^VAR/) {
+ if ($1 ~ /VAR/) {
print "int " substr($3,2,length($3)-2) ";" > "time_vars.h"
if (++ttab[$1 $2 $4 $5 $6 $7 $8 $9] == 1) {
print |"sed 's/[ ][ ]*/ /g' > time_table.h"
}
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main */
int main(int argc, char **argv)
int junk;
ARGV *ext_argv = 0;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postdrop.o: ../../include/mail_queue.h
postdrop.o: ../../include/mail_stream.h
postdrop.o: ../../include/mail_task.h
-postdrop.o: ../../include/mail_version.h
postdrop.o: ../../include/msg.h
postdrop.o: ../../include/msg_syslog.h
postdrop.o: ../../include/msg_vstream.h
#include <mail_proto.h>
#include <mail_queue.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <mail_task.h>
#include <clean_env.h>
postdrop_sig(0);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
const char *errstr;
char *junk;
struct timeval start;
- int saved_errno;
-
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
/*
* Be consistent with file permissions.
continue;
}
if (REC_PUT_BUF(dst->stream, rec_type, buf) < 0) {
- /* rec_get() errors must not clobber errno. */
- saved_errno = errno;
- while (rec_get_raw(VSTREAM_IN, buf, var_line_limit,
- REC_FLAG_NONE) > 0)
+ while ((rec_type = rec_get(VSTREAM_IN, buf, var_line_limit)) > 0
+ && rec_type != REC_TYPE_END)
/* void */ ;
- errno = saved_errno;
break;
}
if (rec_type == REC_TYPE_END)
* Finish the file.
*/
if ((status = mail_stream_finish(dst, (VSTRING *) 0)) != 0) {
- msg_warn("uid=%ld: %m", (long) uid);
postdrop_cleanup();
+ msg_warn("uid=%ld: %m", (long) uid);
}
/*
postfix.o: ../../include/clean_env.h
postfix.o: ../../include/mail_conf.h
postfix.o: ../../include/mail_params.h
-postfix.o: ../../include/mail_version.h
postfix.o: ../../include/msg.h
postfix.o: ../../include/msg_syslog.h
postfix.o: ../../include/msg_vstream.h
/* University of Texas at Dallas
/* P.O. Box 830688, MC34
/* Richardson, TX 75083, USA
-/*
-/* IPv6 support originally by:
-/* Mark Huizer, Eindhoven University, The Netherlands
-/* Jun-ichiro 'itojun' Hagino, KAME project, Japan
-/* The Linux PLD project
-/* Dean Strik, Eindhoven University, The Netherlands
/*--*/
/* System library. */
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
/* Additional installation parameters. */
msg_fatal("setenv: %m");
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - run administrative script from controlled environment */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postkick.o: ../../include/mail_conf.h
postkick.o: ../../include/mail_params.h
postkick.o: ../../include/mail_proto.h
-postkick.o: ../../include/mail_version.h
postkick.o: ../../include/msg.h
postkick.o: ../../include/msg_vstream.h
postkick.o: ../../include/mymalloc.h
#include <mail_proto.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
static NORETURN usage(char *myname)
msg_fatal("usage: %s [-c config_dir] [-v] class service request", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
char *class;
char *slash;
int c;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* To minimize confusion, make sure that the standard file descriptors
* are open before opening anything else. XXX Work around for 44BSD where
postlock.o: ../../include/iostuff.h
postlock.o: ../../include/mail_conf.h
postlock.o: ../../include/mail_params.h
-postlock.o: ../../include/mail_version.h
postlock.o: ../../include/mbox_conf.h
postlock.o: ../../include/mbox_open.h
postlock.o: ../../include/msg.h
/* Global library. */
#include <mail_params.h>
-#include <mail_version.h>
#include <dot_lockfile.h>
#include <deliver_flock.h>
#include <mail_conf.h>
exit(EX_TEMPFAIL);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - go for it */
int main(int argc, char **argv)
char *lock_style = 0;
MBOX *mp;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postlog.o: ../../include/mail_conf.h
postlog.o: ../../include/mail_params.h
postlog.o: ../../include/mail_task.h
-postlog.o: ../../include/mail_version.h
postlog.o: ../../include/msg.h
postlog.o: ../../include/msg_output.h
postlog.o: ../../include/msg_syslog.h
/* Postfix-compatible logging utility
/* SYNOPSIS
/* .fi
-/* .ad
/* \fBpostlog\fR [\fB-iv\fR] [\fB-c \fIconfig_dir\fR]
-/* [\fB-p \fIpriority\fB] [\fB-t \fItag\fR] [\fItext...\fR]
+/* [\fB-p \fIpriority\fB] [\fB-t \fItag\fR] [\fItext...\fR]
/* DESCRIPTION
/* The \fBpostlog\fR(1) command implements a Postfix-compatible logging
/* interface for use in, for example, shell scripts.
/* Global library. */
#include <mail_params.h> /* XXX right place for LOG_FACILITY? */
-#include <mail_version.h>
#include <mail_conf.h>
#include <mail_task.h>
vstring_free(buf);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - logger */
int main(int argc, char **argv)
int log_flags = 0;
int level = MSG_INFO;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postmap.o: ../../include/mail_dict.h
postmap.o: ../../include/mail_params.h
postmap.o: ../../include/mail_task.h
-postmap.o: ../../include/mail_version.h
postmap.o: ../../include/mkmap.h
postmap.o: ../../include/msg.h
postmap.o: ../../include/msg_syslog.h
/* The \fIkey\fR and \fIvalue\fR are processed as is, except that
/* surrounding white space is stripped off. Unlike with Postfix alias
/* databases, quotes cannot be used to protect lookup keys that contain
-/* special characters such as `#' or whitespace.
+/* special characters such as `#' or whitespace.
/*
/* By default the lookup key is mapped to lowercase to make
/* the lookups case insensitive; as of Postfix 2.3 this case
#include <mail_conf.h>
#include <mail_dict.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mkmap.h>
#include <mail_task.h>
/* postmap_query - query a map and print the result to stdout */
static int postmap_query(const char *map_type, const char *map_name,
- const char *key, int dict_flags)
+ const char *key, int dict_flags)
{
DICT *dict;
const char *value;
/* postmap_deletes - apply multiple requests from stdin */
static int postmap_deletes(VSTREAM *in, char **maps, const int map_count,
- int dict_flags)
+ int dict_flags)
{
int found = 0;
VSTRING *keybuf = vstring_alloc(100);
/* postmap_delete - delete a (key, value) pair from a map */
static int postmap_delete(const char *map_type, const char *map_name,
- const char *key, int dict_flags)
+ const char *key, int dict_flags)
{
DICT *dict;
int status;
/* postmap_seq - print all map entries to stdout */
static void postmap_seq(const char *map_type, const char *map_name,
- int dict_flags)
+ int dict_flags)
{
DICT *dict;
const char *key;
myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
char *path_name;
int sequence = 0;
int found;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
usage(argv[0]);
if (strcmp(delkey, "-") == 0)
exit(postmap_deletes(VSTREAM_IN, argv + optind, argc - optind,
- dict_flags | DICT_FLAG_LOCK) == 0);
+ dict_flags | DICT_FLAG_LOCK) == 0);
found = 0;
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
found |= postmap_delete(argv[optind], path_name, delkey,
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
} else {
found |= postmap_delete(var_db_type, argv[optind], delkey,
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
}
optind++;
}
usage(argv[0]);
if (strcmp(query, "-") == 0)
exit(postmap_queries(VSTREAM_IN, argv + optind, argc - optind,
- dict_flags | DICT_FLAG_LOCK) == 0);
+ dict_flags | DICT_FLAG_LOCK) == 0);
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
found = postmap_query(argv[optind], path_name, query,
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
} else {
found = postmap_query(var_db_type, argv[optind], query,
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
}
if (found)
exit(0);
while (optind < argc) {
if ((path_name = split_at(argv[optind], ':')) != 0) {
postmap_seq(argv[optind], path_name,
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
} else {
postmap_seq(var_db_type, argv[optind],
- dict_flags | DICT_FLAG_LOCK);
+ dict_flags | DICT_FLAG_LOCK);
}
exit(0);
}
postqueue.o: ../../include/mail_queue.h
postqueue.o: ../../include/mail_run.h
postqueue.o: ../../include/mail_task.h
-postqueue.o: ../../include/mail_version.h
postqueue.o: ../../include/msg.h
postqueue.o: ../../include/msg_syslog.h
postqueue.o: ../../include/msg_vstream.h
#include <mail_proto.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <mail_task.h>
#include <mail_run.h>
* establish frequent proof of client liveliness with challenge/response, or
* the client needs to restrict expensive requests to privileged users only.
*
- * We don't have this problem with queue listings. The showq server detects an
- * EPIPE error after reporting a few queue entries.
+ * We don't have this problem with queue listings. The showq server detects
+ * an EPIPE error after reporting a few queue entries.
*/
#define PQ_MODE_DEFAULT 0 /* noop */
#define PQ_MODE_MAILQ_LIST 1 /* list mail queue */
msg_fatal_status(EX_USAGE, "usage: postqueue -f | postqueue -i queueid | postqueue -p | postqueue -s site");
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
ARGV *import_env;
int bad_site;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
postsuper.o: ../../include/mail_params.h
postsuper.o: ../../include/mail_queue.h
postsuper.o: ../../include/mail_task.h
-postsuper.o: ../../include/mail_version.h
postsuper.o: ../../include/msg.h
postsuper.o: ../../include/msg_syslog.h
postsuper.o: ../../include/msg_vstream.h
#include <mail_task.h>
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_queue.h>
#include <mail_open_ok.h>
interrupted(0);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
int fd;
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
proxymap.o: ../../include/mail_params.h
proxymap.o: ../../include/mail_proto.h
proxymap.o: ../../include/mail_server.h
-proxymap.o: ../../include/mail_version.h
proxymap.o: ../../include/msg.h
proxymap.o: ../../include/mymalloc.h
proxymap.o: ../../include/stringops.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
#include <dict_proxy.h>
}
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
multi_server_main(argc, argv, proxymap_service,
MAIL_SERVER_STR_TABLE, str_table,
MAIL_SERVER_POST_INIT, post_jail_init,
qmgr.o: ../../include/mail_proto.h
qmgr.o: ../../include/mail_queue.h
qmgr.o: ../../include/mail_server.h
-qmgr.o: ../../include/mail_version.h
qmgr.o: ../../include/master_proto.h
qmgr.o: ../../include/msg.h
qmgr.o: ../../include/recipient_list.h
#include <recipient_list.h>
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h> /* QMGR_SCAN constants */
#include <mail_flow.h>
#include <flush_clnt.h>
qmgr_deferred_run_event(0, (char *) 0);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Use the trigger service skeleton, because no-one else should be
* monitoring our service port while this process runs, and because we do
qmqpd.o: ../../include/mail_proto.h
qmqpd.o: ../../include/mail_server.h
qmqpd.o: ../../include/mail_stream.h
-qmqpd.o: ../../include/mail_version.h
qmqpd.o: ../../include/match_list.h
qmqpd.o: ../../include/match_ops.h
qmqpd.o: ../../include/match_parent_style.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
/* Global library. */
#include <mail_params.h>
-#include <mail_version.h>
#include <record.h>
#include <rec_type.h>
#include <mail_proto.h>
input_transp_mask(VAR_INPUT_TRANSP, var_input_transp);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Pass control to the single-threaded service skeleton.
*/
scache.o: ../../include/mail_params.h
scache.o: ../../include/mail_proto.h
scache.o: ../../include/mail_server.h
-scache.o: ../../include/mail_version.h
scache.o: ../../include/msg.h
scache.o: ../../include/ring.h
scache.o: ../../include/scache.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
/* Global library. */
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
#include <scache.h>
scache_start_time = event_time();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
multi_server_main(argc, argv, scache_service,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_POST_INIT, post_jail_init,
sendmail.o: ../../include/mail_run.h
sendmail.o: ../../include/mail_stream.h
sendmail.o: ../../include/mail_task.h
-sendmail.o: ../../include/mail_version.h
sendmail.o: ../../include/mime_state.h
sendmail.o: ../../include/msg.h
sendmail.o: ../../include/msg_stats.h
/* .ad
/* .fi
/* By design, this program is not set-user (or group) id. However,
-/* it must handle data from untrusted, possibly remote, users.
+/* it must handle data from untrusted users or untrusted machines.
/* Thus, the usual precautions need to be taken against malicious
/* inputs.
/* DIAGNOSTICS
#include <mail_queue.h>
#include <mail_proto.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <record.h>
#include <rec_type.h>
#include <rec_streamlf.h>
exit(EX_TEMPFAIL);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
const char *dsn_envid = 0;
int saved_optind;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Be consistent with file permissions.
*/
optind = saved_optind;
mail_conf_read();
if (strcmp(var_syslog_name, DEF_SYSLOG_NAME) != 0)
- msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
+ msg_syslog_init(mail_task("sendmail"), LOG_PID, LOG_FACILITY);
get_mail_conf_str_table(str_table);
if (chdir(var_queue_dir))
showq.o: ../../include/mail_queue.h
showq.o: ../../include/mail_scan_dir.h
showq.o: ../../include/mail_server.h
-showq.o: ../../include/mail_version.h
showq.o: ../../include/msg.h
showq.o: ../../include/mymalloc.h
showq.o: ../../include/quote_822_local.h
/* outside world.
/* DIAGNOSTICS
/* Problems and transactions are logged to \fBsyslogd\fR(8).
+/* BUGS
+/* The \fBshowq\fR(8) daemon runs at a fixed low privilege; consequently,
+/* it cannot extract information from queue files in the
+/* \fBmaildrop\fR directory.
/* CONFIGURATION PARAMETERS
/* .ad
/* .fi
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <mail_proto.h>
#include <mail_date.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_scan_dir.h>
#include <mail_conf.h>
#include <record.h>
#define SENDER_FORMAT "%-11s %7ld %20.20s %s\n"
#define DROP_FORMAT "%-10s%c %7ld %20.20s (maildrop queue, sender UID %u)\n"
-static void showq_reasons(VSTREAM *, BOUNCE_LOG *, RCPT_BUF *, DSN_BUF *,
- HTABLE *);
+static void showq_reasons(VSTREAM *, BOUNCE_LOG *, RCPT_BUF *, DSN_BUF *,
+HTABLE *);
#define STR(x) vstring_str(x)
/* showq_reasons - show deferral reasons */
-static void showq_reasons(VSTREAM *client, BOUNCE_LOG *bp, RCPT_BUF *rcpt_buf,
- DSN_BUF *dsn_buf, HTABLE *dup_filter)
+static void showq_reasons(VSTREAM *client, BOUNCE_LOG *bp, RCPT_BUF *rcpt_buf,
+DSN_BUF *dsn_buf, HTABLE *dup_filter)
{
char *saved_reason = 0;
int padding;
}
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded server skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, showq_service,
MAIL_SERVER_INT_TABLE, int_table,
MAIL_SERVER_STR_TABLE, str_table,
TESTSRC =
DEFS = -I. -I$(INC_DIR) -D$(SYSTYPE)
CFLAGS = $(DEBUG) $(OPT) $(DEFS)
-TESTPROG= smtp_unalias smtp_map11
+TESTPROG= smtp_unalias smtp_map11 legacy levels
PROG = smtp
INC_DIR = ../../include
LIBS = ../../lib/libmaster.a ../../lib/libtls.a ../../lib/libdns.a \
smtp_map11: smtp_map11.c $(LIBS)
$(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS) $(SYSLIBS)
+legacy: legacy.c $(LIBS)
+ $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS)
+
+levels: levels.c $(LIBS)
+ $(CC) $(CFLAGS) -DTEST -o $@ $@.c $(LIBS)
+
# This needs trivial-rewrite service and myorigin==mydomain
smtp_map11_test: smtp_map11 map11_map smtp_map11.ref
../postmap/postmap map11_map
@$(EXPORT) make -f Makefile.in Makefile 1>&2
# do not edit below this line - it is generated by 'make depend'
+legacy.o: ../../include/msg.h
+legacy.o: ../../include/stringops.h
+legacy.o: ../../include/sys_defs.h
+legacy.o: ../../include/vbuf.h
+legacy.o: ../../include/vstream.h
+legacy.o: ../../include/vstring.h
+legacy.o: ../../include/vstring_vstream.h
+legacy.o: legacy.c
+levels.o: ../../include/argv.h
+levels.o: ../../include/attr.h
+levels.o: ../../include/deliver_request.h
+levels.o: ../../include/dict.h
+levels.o: ../../include/dsn.h
+levels.o: ../../include/dsn_buf.h
+levels.o: ../../include/htable.h
+levels.o: ../../include/maps.h
+levels.o: ../../include/match_list.h
+levels.o: ../../include/match_ops.h
+levels.o: ../../include/msg.h
+levels.o: ../../include/msg_stats.h
+levels.o: ../../include/name_code.h
+levels.o: ../../include/name_mask.h
+levels.o: ../../include/recipient_list.h
+levels.o: ../../include/resolve_clnt.h
+levels.o: ../../include/scache.h
+levels.o: ../../include/string_list.h
+levels.o: ../../include/stringops.h
+levels.o: ../../include/sys_defs.h
+levels.o: ../../include/tls.h
+levels.o: ../../include/tok822.h
+levels.o: ../../include/vbuf.h
+levels.o: ../../include/vstream.h
+levels.o: ../../include/vstring.h
+levels.o: ../../include/vstring_vstream.h
+levels.o: levels.c
+levels.o: smtp.h
lmtp_params.o: lmtp_params.c
smtp.o: ../../include/argv.h
smtp.o: ../../include/attr.h
smtp.o: ../../include/mail_conf.h
smtp.o: ../../include/mail_params.h
smtp.o: ../../include/mail_server.h
-smtp.o: ../../include/mail_version.h
smtp.o: ../../include/maps.h
smtp.o: ../../include/match_list.h
smtp.o: ../../include/match_ops.h
smtp_chat.o: ../../include/dsn_buf.h
smtp_chat.o: ../../include/dsn_util.h
smtp_chat.o: ../../include/htable.h
-smtp_chat.o: ../../include/int_filt.h
smtp_chat.o: ../../include/line_wrap.h
smtp_chat.o: ../../include/mail_addr.h
smtp_chat.o: ../../include/mail_error.h
--- /dev/null
+ /*
+ * The old legacy TLS per-site policy engine, implemented with multiple
+ * boolean variables, stripped down for exhaustive comparison with the new
+ * legacy policy engine.
+ */
+/* System library. */
+
+#include <sys_defs.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef STRCASECMP_IN_STRINGS_H
+#include <strings.h>
+#endif
+
+/* Utility library. */
+
+#include <msg.h>
+#include <vstring.h>
+#include <vstring_vstream.h>
+#include <stringops.h>
+
+ /*
+ * Global policy variables.
+ */
+int var_smtp_enforce_tls;
+int var_smtp_tls_enforce_peername;
+int var_smtp_use_tls;
+
+ /*
+ * Simplified session structure.
+ */
+typedef struct {
+ int tls_use_tls;
+ int tls_enforce_tls;
+ int tls_enforce_peername;
+} SMTP_SESSION;
+
+ /*
+ * Per-site policies can override main.cf settings.
+ */
+typedef struct {
+ int dont_use; /* don't use TLS */
+ int use; /* useless, see above */
+ int enforce; /* must always use TLS */
+ int enforce_peername; /* must verify certificate name */
+} SMTP_TLS_SITE_POLICY;
+
+/* smtp_tls_site_policy - look up per-site TLS policy */
+
+static void smtp_tls_site_policy(SMTP_TLS_SITE_POLICY *policy,
+ const char *lookup)
+{
+
+ /*
+ * Initialize the default policy.
+ */
+ policy->dont_use = 0;
+ policy->use = 0;
+ policy->enforce = 0;
+ policy->enforce_peername = 0;
+
+ /*
+ * Look up a non-default policy.
+ */
+ if (strcasecmp(lookup, "-")) {
+ if (!strcasecmp(lookup, "NONE"))
+ policy->dont_use = 1;
+ else if (!strcasecmp(lookup, "MAY"))
+ policy->use = 1;
+ else if (!strcasecmp(lookup, "MUST"))
+ policy->enforce = policy->enforce_peername = 1;
+ else if (!strcasecmp(lookup, "MUST_NOPEERMATCH"))
+ policy->enforce = 1;
+ else
+ msg_fatal("unknown TLS policy '%s'", lookup);
+ }
+}
+
+static void policy(SMTP_SESSION *session, const char *host, const char *dest)
+{
+ SMTP_TLS_SITE_POLICY host_policy;
+ SMTP_TLS_SITE_POLICY rcpt_policy;
+
+ session->tls_use_tls = session->tls_enforce_tls = 0;
+ session->tls_enforce_peername = 0;
+
+ /*
+ * Override the main.cf TLS policy with an optional per-site policy.
+ */
+ smtp_tls_site_policy(&host_policy, host);
+ smtp_tls_site_policy(&rcpt_policy, dest);
+
+ /*
+ * Fix 200601: a combined per-site (NONE + MAY) policy changed global
+ * MUST into NONE, and all weaker global policies into MAY. This was
+ * discovered with exhaustive simulation. Fix verified by comparing
+ * exhaustive simulation results with Postfix 2.3 which re-implements
+ * per-site policies from the ground up.
+ */
+#ifdef FIX200601
+ if ((host_policy.dont_use || rcpt_policy.dont_use)
+ && (host_policy.use || rcpt_policy.use)) {
+ host_policy.use = rcpt_policy.use = 0;
+ host_policy.dont_use = rcpt_policy.dont_use = 1;
+ }
+#endif
+
+ /*
+ * Set up TLS enforcement for this session.
+ */
+ if ((var_smtp_enforce_tls && !host_policy.dont_use && !rcpt_policy.dont_use)
+ || host_policy.enforce || rcpt_policy.enforce)
+ session->tls_enforce_tls = session->tls_use_tls = 1;
+
+ /*
+ * Set up peername checking for this session.
+ *
+ * We want to make sure that a MUST* entry in the tls_per_site table always
+ * has precedence. MUST always must lead to a peername check,
+ * MUST_NOPEERMATCH must always disable it. Only when no explicit setting
+ * has been found, the default will be used.
+ *
+ * Fix 200601: a per-site MUST_NOPEERMATCH policy could not override a
+ * global MUST policy. Fix verified by comparing exhaustive simulation
+ * results with Postfix 2.3 which re-implements per-site policy from the
+ * ground up.
+ */
+ if (host_policy.enforce && host_policy.enforce_peername)
+ session->tls_enforce_peername = 1;
+ else if (rcpt_policy.enforce && rcpt_policy.enforce_peername)
+ session->tls_enforce_peername = 1;
+ else if (
+#ifdef FIX200601
+ !host_policy.enforce && !rcpt_policy.enforce && /* Fix 200601 */
+#endif
+ var_smtp_enforce_tls && var_smtp_tls_enforce_peername)
+ session->tls_enforce_peername = 1;
+ else if ((var_smtp_use_tls && !host_policy.dont_use && !rcpt_policy.dont_use) || host_policy.use || rcpt_policy.use)
+ session->tls_use_tls = 1;
+}
+
+static void set_global_policy(const char *global)
+{
+ var_smtp_tls_enforce_peername = var_smtp_enforce_tls = var_smtp_use_tls = 0;
+
+ if (strcasecmp(global, "must") == 0) {
+ var_smtp_enforce_tls = 1; /* XXX */
+ var_smtp_tls_enforce_peername = 1;
+ } else if (strcasecmp(global, "must_nopeermatch") == 0) {
+ var_smtp_enforce_tls = 1;
+ } else if (strcasecmp(global, "may") == 0) {
+ var_smtp_use_tls = 1;
+ } else if (strcasecmp(global, "-") !=0) {
+ msg_fatal("unknown global policy: %s", global);
+ }
+}
+
+static const char *print_policy(SMTP_SESSION *session)
+{
+ if (session->tls_enforce_peername && session->tls_enforce_tls)
+ return ("must");
+ if (session->tls_enforce_tls)
+ return ("must_nopeermatch");
+ if (session->tls_use_tls)
+ return ("may");
+ return ("none");
+}
+
+int main(int argc, char **argv)
+{
+ SMTP_SESSION session;
+ VSTRING *buf = vstring_alloc(200);
+ char *cp;
+ const char *global;
+ const char *host;
+ const char *dest;
+ const char *result;
+ const char *sep = " \t\r\n";
+
+ vstream_printf("%-20s %-20s %-20s %s\n",
+ "host", "dest", "global", "result");
+ while (vstring_get_nonl(buf, VSTREAM_IN) >= 0) {
+ cp = vstring_str(buf);
+ if (*cp == 0 || *cp == '#') {
+ vstream_printf("%s\n", cp);
+ } else {
+ if ((host = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing host policy");
+ if ((dest = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing nexthop policy");
+ if ((global = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing global policy");
+ if (mystrtok(&cp, sep) != 0)
+ msg_fatal("garbage after global policy");
+ set_global_policy(global);
+ policy(&session, host, dest);
+ result = print_policy(&session);
+ vstream_printf("%-20s %-20s %-20s %s\n",
+ host, dest, global, result);
+ }
+ vstream_fflush(VSTREAM_OUT);
+ }
+ exit(0);
+}
--- /dev/null
+ /*
+ * The new legacy TLS per-site policy engine, re-implemented in terms of
+ * enforcement levels, stripped down for exhaustive comparisons with the old
+ * legacy policy engine.
+ *
+ * This is the code that will be used in Postfix 2.3 so that sites can upgrade
+ * Postfix without being forced to change to the new TLS policy model.
+ */
+
+/* System library. */
+
+#include <sys_defs.h>
+#include <string.h>
+#include <stdlib.h>
+
+#ifdef STRCASECMP_IN_STRINGS_H
+#include <strings.h>
+#endif
+
+/* Utility library. */
+
+#include <msg.h>
+#include <vstring.h>
+#include <vstring_vstream.h>
+#include <stringops.h>
+
+ /*
+ * TLS levels
+ */
+#include <tls.h>
+
+ /*
+ * Application-specific.
+ */
+#include <smtp.h>
+
+ /*
+ * Global policy variables.
+ */
+int var_smtp_enforce_tls;
+int var_smtp_tls_enforce_peername;
+int var_smtp_use_tls;
+
+/* smtp_tls_policy_lookup - look up per-site TLS policy */
+
+static void smtp_tls_policy_lookup(int *site_level, const char *lookup)
+{
+
+ /*
+ * Look up a non-default policy. In case of multiple lookup results, the
+ * precedence order is a permutation of the TLS enforcement level order:
+ * VERIFY, ENCRYPT, NONE, MAY, NOTFOUND. I.e. we override MAY with a more
+ * specific policy including NONE, otherwise we choose the stronger
+ * enforcement level.
+ */
+ if (strcasecmp(lookup, "-")) {
+ if (!strcasecmp(lookup, "NONE")) {
+ /* NONE overrides MAY or NOTFOUND. */
+ if (*site_level <= TLS_LEV_MAY)
+ *site_level = TLS_LEV_NONE;
+ } else if (!strcasecmp(lookup, "MAY")) {
+ /* MAY overrides NOTFOUND but not NONE. */
+ if (*site_level < TLS_LEV_NONE)
+ *site_level = TLS_LEV_MAY;
+ } else if (!strcasecmp(lookup, "MUST_NOPEERMATCH")) {
+ if (*site_level < TLS_LEV_ENCRYPT)
+ *site_level = TLS_LEV_ENCRYPT;
+ } else if (!strcasecmp(lookup, "MUST")) {
+ if (*site_level < TLS_LEV_VERIFY)
+ *site_level = TLS_LEV_VERIFY;
+ } else {
+ msg_fatal("unknown TLS policy '%s'", lookup);
+ }
+ }
+}
+
+static int policy(const char *host, const char *dest)
+{
+ int global_level;
+ int site_level;
+ int tls_level;
+
+ /*
+ * Compute the global TLS policy. This is the default policy level when
+ * no per-site policy exists. It also is used to override a wild-card
+ * per-site policy.
+ */
+ if (var_smtp_enforce_tls)
+ global_level = var_smtp_tls_enforce_peername ?
+ TLS_LEV_VERIFY : TLS_LEV_ENCRYPT;
+ else
+ global_level = var_smtp_use_tls ?
+ TLS_LEV_MAY : TLS_LEV_NONE;
+
+ /*
+ * Compute the per-site TLS enforcement level. For compatibility with the
+ * original TLS patch, this algorithm is gives equal precedence to host
+ * and next-hop policies.
+ */
+ site_level = TLS_LEV_NOTFOUND;
+
+ smtp_tls_policy_lookup(&site_level, dest);
+ smtp_tls_policy_lookup(&site_level, host);
+
+ /*
+ * Override a wild-card per-site policy with a more specific global
+ * policy.
+ *
+ * With the original TLS patch, 1) a per-site ENCRYPT could not override a
+ * global VERIFY, and 2) a combined per-site (NONE+MAY) policy produced
+ * inconsistent results: it changed a global VERIFY into NONE, while
+ * producing MAY with all weaker global policy settings.
+ *
+ * With the current implementation, a combined per-site (NONE+MAY)
+ * consistently overrides global policy with NONE, and global policy can
+ * override only a per-site MAY wildcard. That is, specific policies
+ * consistently override wildcard policies, and (non-wildcard) per-site
+ * policies consistently override global policies.
+ */
+ if (site_level == TLS_LEV_NOTFOUND
+ || (site_level == TLS_LEV_MAY
+ && global_level > TLS_LEV_MAY))
+ tls_level = global_level;
+ else
+ tls_level = site_level;
+
+ return (tls_level);
+}
+
+static void set_global_policy(const char *global)
+{
+ var_smtp_tls_enforce_peername = var_smtp_enforce_tls = var_smtp_use_tls = 0;
+
+ if (strcasecmp(global, "must") == 0) {
+ var_smtp_enforce_tls = 1; /* XXX */
+ var_smtp_tls_enforce_peername = 1;
+ } else if (strcasecmp(global, "must_nopeermatch") == 0) {
+ var_smtp_enforce_tls = 1;
+ } else if (strcasecmp(global, "may") == 0) {
+ var_smtp_use_tls = 1;
+ } else if (strcasecmp(global, "-") !=0) {
+ msg_fatal("unknown global policy: %s", global);
+ }
+}
+
+static const char *print_policy(int level)
+{
+ if (level == TLS_LEV_VERIFY)
+ return ("must");
+ if (level == TLS_LEV_ENCRYPT)
+ return ("must_nopeermatch");
+ if (level == TLS_LEV_MAY)
+ return ("may");
+ if (level == TLS_LEV_NONE)
+ return ("none");
+ msg_panic("unknown policy level %d", level);
+}
+
+int main(int argc, char **argv)
+{
+ VSTRING *buf = vstring_alloc(200);
+ char *cp;
+ const char *global;
+ const char *host;
+ const char *dest;
+ const char *result;
+ const char *sep = " \t\r\n";
+ int level;
+
+ vstream_printf("%-20s %-20s %-20s %s\n",
+ "host", "dest", "global", "result");
+ while (vstring_get_nonl(buf, VSTREAM_IN) > 0) {
+ cp = vstring_str(buf);
+ if (*cp == 0 || *cp == '#') {
+ vstream_printf("%s\n", cp);
+ } else {
+ if ((host = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing host policy");
+ if ((dest = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing nexthop policy");
+ if ((global = mystrtok(&cp, sep)) == 0)
+ msg_fatal("missing global policy");
+ if (mystrtok(&cp, sep) != 0)
+ msg_fatal("garbage after global policy");
+ set_global_policy(global);
+ level = policy(host, dest);
+ result = print_policy(level);
+ vstream_printf("%-20s %-20s %-20s %s\n",
+ host, dest, global, result);
+ }
+ vstream_fflush(VSTREAM_OUT);
+ }
+ exit(0);
+}
/*
/* By default, connection caching is enabled temporarily for
/* destinations that have a high volume of mail in the active
-/* queue. Connection caching can be enabled permanently for
+/* queue. Session caching can be enabled permanently for
/* specific destinations.
/* SMTP DESTINATION SYNTAX
/* .ad
/* when the client is used for multiple domains.
/*
/* Most smtp_\fIxxx\fR configuration parameters have an
-/* lmtp_\fIxxx\fR "mirror" parameter for the equivalent LMTP
+/* lmtp_\fIxxx\fR "ghost" parameter for the equivalent LMTP
/* feature. This document describes only those LMTP-related
-/* parameters that aren't simply "mirror" parameters.
+/* parameters that aren't simply "ghost" parameters.
/*
/* Changes to \fBmain.cf\fR are picked up automatically, as \fBsmtp\fR(8)
/* processes run for only a limited amount of time. Use the command
/* case insensitive lists of LHLO keywords (pipelining, starttls,
/* auth, etc.) that the LMTP client will ignore in the LHLO response
/* from a remote LMTP server.
-/* .IP "\fBlmtp_discard_lhlo_keywords (empty)\fR"
+/* .IP "\fBlmtp_discard_lhlo_keywords ($myhostname)\fR"
/* A case insensitive list of LHLO keywords (pipelining, starttls,
/* auth, etc.) that the LMTP client will ignore in the LHLO response
/* from a remote LMTP server.
/* .IP "\fBlmtp_tcp_port (24)\fR"
/* The default TCP port that the Postfix LMTP client connects to.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <deliver_request.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <debug_peer.h>
#include <flush_clnt.h>
}
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
#include "lmtp_params.c"
int smtp_mode;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* XXX At this point, var_procname etc. are not initialized.
*/
* Send STARTTLS. Recurse when the server accepts STARTTLS, after
* resetting the SASL and EHLO features lists.
*
- * Reset the SASL mechanism list to avoid spurious warnings.
+ * XXX Reset the SASL mechanism list to avoid spurious warnings. We
+ * need a routine to reset the list instead of groping data here.
*
- * Use the smtp_sasl_tls_security_options feature to allow SASL
- * mechanisms that may not be allowed with plain-text
- * connections.
+ * XXX Should not there be an smtp_sasl_tls_security_options feature
+ * to allow different mechanisms across TLS tunnels than across
+ * plain-text connections?
*/
smtp_chat_cmd(session, "STARTTLS");
if ((resp = smtp_chat_resp(session))->code / 100 == 2) {
/* The UNIX system account that owns the Postfix queue and most Postfix
/* daemon processes.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBmyhostname (see 'postconf -d' output)\fR"
/* The internet hostname of this mail system.
/* .IP "\fBmynetworks (see 'postconf -d' output)\fR"
anvil_clnt = anvil_clnt_create();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Pass control to the single-threaded service skeleton.
*/
qmqp-sink.o: ../../include/inet_proto.h
qmqp-sink.o: ../../include/iostuff.h
qmqp-sink.o: ../../include/listen.h
-qmqp-sink.o: ../../include/mail_version.h
qmqp-sink.o: ../../include/msg.h
qmqp-sink.o: ../../include/msg_vstream.h
qmqp-sink.o: ../../include/mymalloc.h
qmqp-source.o: ../../include/inet_proto.h
qmqp-source.o: ../../include/iostuff.h
qmqp-source.o: ../../include/mail_date.h
-qmqp-source.o: ../../include/mail_version.h
qmqp-source.o: ../../include/msg.h
qmqp-source.o: ../../include/msg_vstream.h
qmqp-source.o: ../../include/myaddrinfo.h
qmqp-source.o: ../../include/vstream.h
qmqp-source.o: ../../include/vstring.h
qmqp-source.o: qmqp-source.c
-smtp-sink.o: ../../include/chroot_uid.h
smtp-sink.o: ../../include/events.h
smtp-sink.o: ../../include/get_hostname.h
smtp-sink.o: ../../include/inet_proto.h
smtp-sink.o: ../../include/iostuff.h
smtp-sink.o: ../../include/listen.h
-smtp-sink.o: ../../include/mail_date.h
-smtp-sink.o: ../../include/mail_version.h
-smtp-sink.o: ../../include/make_dirs.h
smtp-sink.o: ../../include/msg.h
smtp-sink.o: ../../include/msg_vstream.h
-smtp-sink.o: ../../include/myaddrinfo.h
smtp-sink.o: ../../include/mymalloc.h
-smtp-sink.o: ../../include/myrand.h
smtp-sink.o: ../../include/sane_accept.h
smtp-sink.o: ../../include/smtp_stream.h
smtp-sink.o: ../../include/stringops.h
smtp-source.o: ../../include/inet_proto.h
smtp-source.o: ../../include/iostuff.h
smtp-source.o: ../../include/mail_date.h
-smtp-source.o: ../../include/mail_version.h
smtp-source.o: ../../include/msg.h
smtp-source.o: ../../include/msg_vstream.h
smtp-source.o: ../../include/myaddrinfo.h
/* Global library. */
#include <qmqp_proto.h>
-#include <mail_version.h>
/* Application-specific. */
msg_fatal("usage: %s [-cv] [-x time] [host]:port backlog", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
int sock;
const char *protocols = INET_PROTO_NAME_ALL;
INET_PROTO_INFO *proto_info;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Fix 20051207.
*/
#include <mail_date.h>
#include <qmqp_proto.h>
-#include <mail_version.h>
/* Application-specific. */
msg_fatal("usage: %s -cv -s sess -l msglen -m msgs -C count -M myhostname -f from -t to -R delay -w delay host[:port]", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - parse JCL and start the machine */
int main(int argc, char **argv)
const char *protocols = INET_PROTO_NAME_ALL;
INET_PROTO_INFO *proto_info;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
signal(SIGPIPE, SIG_IGN);
msg_vstream_init(argv[0], VSTREAM_ERR);
#include <smtp_stream.h>
#include <mail_date.h>
-#include <mail_version.h>
/* Application-specific. */
msg_fatal("usage: %s [-468acCeEFLpPv] [-A abort_delay] [-f commands] [-h hostname] [-m max_concurrency] [-n quit_count] [-q commands] [-r commands] [-s commands] [-w delay] [-d dump-template] [-D dump-template] [-R root-dir] [-S start-string] [-u user_privs] [host]:port backlog", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
int main(int argc, char **argv)
{
int backlog;
const char *root_dir = 0;
const char *user_privs = 0;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Fix 20051207.
*/
#include <smtp_stream.h>
#include <mail_date.h>
-#include <mail_version.h>
/* Application-specific. */
msg_fatal("usage: %s -cdLNov -s sess -l msglen -m msgs -C count -M myhostname -f from -t to -r rcptcount -R delay -w delay host[:port]", myname);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - parse JCL and start the machine */
int main(int argc, char **argv)
const char *protocols = INET_PROTO_NAME_ALL;
INET_PROTO_INFO *proto_info;
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
signal(SIGPIPE, SIG_IGN);
msg_vstream_init(argv[0], VSTREAM_ERR);
spawn.o: ../../include/mail_conf.h
spawn.o: ../../include/mail_params.h
spawn.o: ../../include/mail_server.h
-spawn.o: ../../include/mail_version.h
spawn.o: ../../include/msg.h
spawn.o: ../../include/mymalloc.h
spawn.o: ../../include/set_eugid.h
/* The amount of time the command is allowed to run before it is
/* terminated.
/*
-/* Postfix 2.4 and later support a suffix that specifies the
+/* Postfix 2.4 and later support a suffix that specifies the
/* time unit: s (seconds), m (minutes), h (hours), d (days),
/* w (weeks). The default time unit is seconds.
/* MISCELLANEOUS
/* The UNIX system account that owns the Postfix queue and most Postfix
/* daemon processes.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <timed_wait.h>
#include <set_eugid.h>
-/* Global library. */
-
-#include <mail_version.h>
-
/* Single server skeleton. */
#include <mail_params.h>
static void pre_accept(char *unused_name, char **unused_argv)
{
const char *table;
-
+
if ((table = dict_changed_name()) != 0) {
msg_info("table %s has changed -- restarting", table);
exit(0);
set_eugid(var_owner_uid, var_owner_gid);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, spawn_service,
MAIL_SERVER_TIME_TABLE, time_table,
MAIL_SERVER_POST_INIT, drop_privileges,
tlsmgr.o: ../../include/mail_params.h
tlsmgr.o: ../../include/mail_proto.h
tlsmgr.o: ../../include/mail_server.h
-tlsmgr.o: ../../include/mail_version.h
tlsmgr.o: ../../include/master_proto.h
tlsmgr.o: ../../include/msg.h
tlsmgr.o: ../../include/mymalloc.h
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <tls_mgr.h>
#include <mail_proto.h>
tls_prng_exch_update(rand_exch);
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - the main program */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
/*
* Use the multi service skeleton, and require that no-one else is
* monitoring our service port while this process runs.
trivial-rewrite.o: ../../include/mail_params.h
trivial-rewrite.o: ../../include/mail_proto.h
trivial-rewrite.o: ../../include/mail_server.h
-trivial-rewrite.o: ../../include/mail_version.h
trivial-rewrite.o: ../../include/maps.h
trivial-rewrite.o: ../../include/msg.h
trivial-rewrite.o: ../../include/resolve_clnt.h
if ((newloc = mail_addr_find(relocated_maps, STR(nextrcpt),
IGNORE_ADDR_EXTENSION)) != 0) {
vstring_strcpy(channel, MAIL_SERVICE_ERROR);
- /* 5.1.6 is the closest match, but not perfect. */
- vstring_sprintf(nexthop, "5.1.6 User has moved to %s", newloc);
+ vstring_sprintf(nexthop, "User has moved to %s", newloc);
} else if (dict_errno != 0) {
msg_warn("%s lookup failure", VAR_RELOCATED_MAPS);
*flags |= RESOLVE_FLAG_FAIL;
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBrelocated_maps (empty)\fR"
/* Optional lookup tables with new contact information for users or
/* domains that no longer exist.
/* Global library. */
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
#include <resolve_local.h>
#include <mail_conf.h>
var_idle_limit = 1;
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded skeleton code */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
multi_server_main(argc, argv, rewrite_service,
MAIL_SERVER_STR_TABLE, str_table,
MAIL_SERVER_BOOL_TABLE, bool_table,
/* attr_scan0(). The stream is not flushed.
/*
/* attr_vprint0() provides an alternate interface that is convenient
-/* for calling from within variadic functions.
+/* for calling from within variadoc functions.
/*
/* Attributes are sent in the requested order as specified with the
/* attr_print0() argument list. This routine satisfies the formatting
/* attr_scan64(). The stream is not flushed.
/*
/* attr_vprint64() provides an alternate interface that is convenient
-/* for calling from within variadic functions.
+/* for calling from within variadoc functions.
/*
/* Attributes are sent in the requested order as specified with the
/* attr_print64() argument list. This routine satisfies the formatting
/* attr_scan_plain(). The stream is not flushed.
/*
/* attr_vprint_plain() provides an alternate interface that is convenient
-/* for calling from within variadic functions.
+/* for calling from within variadoc functions.
/*
/* Attributes are sent in the requested order as specified with the
/* attr_print_plain() argument list. This routine satisfies the formatting
int inet_accept(int fd)
{
- struct sockaddr_storage ss;
- SOCKADDR_SIZE ss_len = sizeof(ss);
-
- return (sane_accept(fd, (struct sockaddr *) & ss, &ss_len));
+ return (sane_accept(fd, (struct sockaddr *) 0, (SOCKADDR_SIZE *) 0));
}
* timer.
*/
#if defined(BROKEN_READ_SELECT_ON_TCP_SOCKET) && defined(SO_KEEPALIVE)
- else if (sa && (sa->sa_family == AF_INET
-#ifdef HAS_IPV6
- || sa->sa_family == AF_INET6
-#endif
- )) {
+ else if (sa != 0 && sa->sa_family == AF_INET) {
int on = 1;
(void) setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE,
#define NATIVE_NEWALIAS_PATH "/usr/bin/newaliases"
#define NATIVE_COMMAND_DIR "/usr/sbin"
#define NATIVE_DAEMON_DIR "/usr/libexec/postfix"
-#define SOCKADDR_SIZE socklen_t
-#define SOCKOPT_SIZE socklen_t
#endif
/*
verify.o: ../../include/dict_ht.h
verify.o: ../../include/dsn.h
verify.o: ../../include/htable.h
-verify.o: ../../include/int_filt.h
verify.o: ../../include/iostuff.h
verify.o: ../../include/mail_conf.h
verify.o: ../../include/mail_params.h
verify.o: ../../include/mail_proto.h
verify.o: ../../include/mail_server.h
-verify.o: ../../include/mail_version.h
verify.o: ../../include/msg.h
verify.o: ../../include/msg_stats.h
verify.o: ../../include/mymalloc.h
#include <mail_conf.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_proto.h>
#include <post_mail.h>
#include <verify_clnt.h>
setsid();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the multi-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
multi_server_main(argc, argv, verify_service,
MAIL_SERVER_STR_TABLE, str_table,
MAIL_SERVER_TIME_TABLE, time_table,
virtual.o: ../../include/mail_params.h
virtual.o: ../../include/mail_queue.h
virtual.o: ../../include/mail_server.h
-virtual.o: ../../include/mail_version.h
virtual.o: ../../include/maps.h
virtual.o: ../../include/mbox_conf.h
virtual.o: ../../include/msg.h
/* The time limit for sending or receiving information over an internal
/* communication channel.
/* .IP "\fBmax_idle (100s)\fR"
-/* The maximum amount of time that an idle Postfix daemon process waits
-/* for an incoming connection before terminating voluntarily.
+/* The maximum amount of time that an idle Postfix daemon process
+/* waits for the next service request before exiting.
/* .IP "\fBmax_use (100)\fR"
-/* The maximal number of incoming connections that a Postfix daemon
-/* process will service before terminating voluntarily.
+/* The maximal number of connection requests before a Postfix daemon
+/* process terminates.
/* .IP "\fBprocess_id (read-only)\fR"
/* The process ID of a Postfix command or daemon process.
/* .IP "\fBprocess_name (read-only)\fR"
#include <deliver_request.h>
#include <deliver_completed.h>
#include <mail_params.h>
-#include <mail_version.h>
#include <mail_conf.h>
#include <mail_params.h>
#include <mail_addr_find.h>
flush_init();
}
-MAIL_VERSION_STAMP_DECLARE;
-
/* main - pass control to the single-threaded skeleton */
int main(int argc, char **argv)
0,
};
- /*
- * Fingerprint executables and core dumps.
- */
- MAIL_VERSION_STAMP_ALLOCATE;
-
single_server_main(argc, argv, local_service,
MAIL_SERVER_INT_TABLE, int_table,
MAIL_SERVER_STR_TABLE, str_table,
projects / thirdparty / postfix.git / commitdiff
