Postfix, der sichere Mailserver (MTA) unter CentOS 7.x
Für die eMailkommunikation in unserem SOHO1)-LAN wie auch für die Versorgung unserer Kunden bedienen wir uns des MTA2)/SMTP-Server Postfix. Dies nicht zuletzt, da dieser, im Gegensatz zum Dinosaurier verschrieenen Sendmail wesentlich einfacher zu konfigurieren ist und auch sicherheitstechnische Vorteile bietet.
Die nachfolgende Beschreibung zeigt, wie man unter CentOS 7.x einen Postfix-Mailserver MTA3) aufsetzen und sicher betreiben kann. Die Installation und Konfiguration des aktuellen stable Release Postfix 3.x wird nachfolgend ab dieser Seite beschrieben.
Grundvoraussetzung eines jeden Postmasters ist entweder der Besitz und das eingehende, auch mehrmalige Studium des:
- Postfix-Buchs Das Postfix-Buch (ISBN 978-3-937514-50-5) von Peer Heinlein bzw.
- der des Weltbestsellers Postfix: Einrichtung, Betrieb und Wartung
(ISBN 978-3-898645-18-8) von Ralf Hildebrandt und Patrick Ben Koetter.
Empfehlenswert ist natürlich der Besuch eines Postfix Kurses beim „Postfix-Meister“ Heinlein in der Heinlein Akademie.
Oder noch besser ist natürlich die Buchung eines Postfix/AMaViS-Kurses beim „Postfix-Joda“ Koetter bei der sys4.
Viele der Design und Konfigurationsvorschläge stammen aus einem der beiden Postfix-Büchern. Bei der genaueren Betrachtung der hier gezeigten Konfigurationsdokumentation, werden wir noch über den ein oder anderen Querverweis auf einzelne Seiten und Kapiteln der Bücher stoßen.
verschiedene Mailserver
Übersichtsskizze
Bevor wir uns in das Design und Konfiguration unseres Mailservers stürzen, werfen wir noch einen Blick auf die (möglichen) Mitspieler in Form von Servern, Diensten, Protokolle und Ports, die uns beim Verarbeiten der elektronischen begegnen werden.
Beschreibung
Wie wir der oben stehenden Skizze entnehmen können, sind im Verlauf einer eMail-Verarbeitung viele Mailsysteme und Dienste/Protokolle beteidigt. Eine zentrale Stellung nimmt dabei das DNS4) ein, ohne dessen Informationen keine Mailzustellung und Verarbeitung erfolgen kann. Wir werden uns daher diesem Thema in einem gesonderten Kapitel "DNS Einstellungen rund um Mailserver" hier im WIKI widmen.
Zuerst wollen wr aber noch einen gezielten Blick auf die Begrifflickeiten, die in der obigen Skizze genannt wurden, werfen. Viele interessante und erklärende Informationen findet man auch im entsprechedem Artikel bei der Wikipedia.
Systeme
- MHS: Mail Handling System, bezeichnet ein eMail-System welches mit Hilfe eines oder mehreren nachfolgend genannten Systemen Nachrichten annimmt, verarbeitet und zustellt.
- MSA: Als Mail Submission Agent bezeichnet man ein System oder einen Server, der eMails von einem MUA (Mail User Agent) annimmt und zur weiteren Verarbeitung einem nachgelagertem System übergibt. In der Regel wird der Mailserver zur Annahme der eMails den Submission-Port 587 verwenden.
- MTA: Ein Mail Transfer Agent beschreibt eine Anwendung eines MHS, die Emails annimmt, validiert und weiterleitet. Zur MTA - MTA Kommunikation zwischen zwei Mailservern, wird der SMTP-Port 25 verwendet. Zur Anbindung weiterer Subsysteme können weitere Ports oder Milter-Sockets geöffnet werden. Wird der MTA als Borderfilter oder als Front-Relay eingesetzt kommuniziert der MTA mit entfernten MTAs über Port 25 - erfolgt die Zustellung an einen MDA, so wird dessen LMTP5)-Port 24 verwendet.
- MDA: Mail Delivery Agent, bezeichnet den Teil eines Mail Handling Systems, welches für die Zustellung der elektronischen Post in die einzelnen Benutzerkonten verantwortlich ist. Die eMail nimmt der MDA in der Regel auf Port 24 entgegen; zur Kommunikation mit den Clients werden POP3 via Port 110, POP3s via Port 995, IMAP via Port 143, IMAPs über Port 993 und ggf. der Manage Sieve Port 4190 angeboten.
- MRA: Ein Mail Retrieval Agent holt eMails vom Mail Delivery Agent ab und speichert diese auf dem lokalen Rechner ab. Der MRA ist fester Bestandteil eines Mail User Agent der zum Herunterladen der Nachrichten mitteles POP3 verwendet wird. Der bekannteste Vertreter der MRAs ist z.B. das Konsolenprogramm fetchmail.
- MUA: Mail User Agent oder auch kurz das eMail-Programm/-client bezeichnet ein Programm/Applikation, die ein Anwender benutzt, um eMails zu schreiben, zu versenden, zu empfangen und zu verwalten. Bekannte Vertreter sind z.B. Thunderbird, kMail, Evolution oder R2Mail2. Zum Abholen der Nachrichten wird entweder POP3 via Port 110, POP3s via Port 995 oder IMAP über den Port 143, IMAPs über Port 993 und zum Versenden an den MSA Port 587 verwendet.
- ASAV: Mit Hilfe eines AntiSpam und AntiVirus Systems kann eine komplette eMail oder auch getrennt in Mail-Header und Mail-Body/Anhänge geprüft und bewertet werden, so dass keine unerwünschten Nachrichten versendet oder empfangen werden bzw. ob Schadcode enthalten ist.
Ports
Zur Kommunikation beim Senden, Transportieren und Abholen von eMails werden in der Regel folgende Ports verwendet bzw. von den Systemen angeboten.
- 24: LMTP - Annahmeport eines MDAs bei dem der MTA die eMails abliefert
- 25: SMTP - Port an dem ein MTA Nachrichten eines anderen MTAs entgegen nimmt
- 465: SMTP over SSL (TLS) - Port an dem ein MTA Nachrichten eines anderen MTAs entgegen nimmt
- 587: MSA - Mail Message Submission - Port auf dem der MSA die Nachrichten eines MUAs entgegennimmt.
- 110: POP version 3 - Port über den ein MRA oder MUA die Nachrichten abholen kann.
- 993: POP-3 over SSL - Port über den ein MRA oder MUA die Nachrichten „transportverschlüsselt“ abholen kann.
- 143: IMAP - Interim Mail Access Port - Port über den ein MUA z.B. IMAP-Client seine Nachrichten verwalten kann.
- 995: IMAP over SSL - Interim Mail Access Port - Port über den ein MUA z.B. IMAP-Client seine Nachrichten „transportverschlüsselt“ verwalten kann.
- 4190: ManageSieve Protocol - Port über den ein Endanwender mit Hilfe seines MUAs Filterregeln auf dem MDA verwalten und (de-)aktivieren kann.
Protokolle
Zu guter Letzt werfen wir noch einen Blick auf die beteidigten Protokolle.
- LMTP: LMTP Local Mail Transfer Protokoll benutzt der MTA zum Einliefern der eMails bei einem MDA.
- SMTP: SMTP Simple Mail Transfer Protokoll Verwendet sowohl ein MUA zum Einliefern seiner Nachrichten beim MSA, wie auch zur Interkommunikation von unterscheidlichen MTAs und auch ASAVs
- SMTPs: SMTPs - Port an dem ein MTA Nachrichten eines anderen MTAs entgegen nimmt
- POP3: Post Office Protokoll 3 - Ein MRA holt die Nachrichten mit Hilfe von POP3 ab.
- POP3s: secured Post Office Protokoll 3 - Ein MRA holt die Nachrichten mit Hilfe von POP3 „transportverschlüsselt“ beim MDA ab.
- IMAP: Interim Mail Access Protokoll - Ein MUA kann mit Hilfe des Interim Mail Access Protokolls die Nachrichten auf dem IMAP-Server verwalten.
- IMAPs secured Interim Mail Access Protokoll - Ein MUA kann mit Hilfe des Interim Mail Access Protokolls die Nachrichten auf dem IMAP-Server über einen „transportverschlüsselten Kanal „verwalten.
- SIEVE: Eine Scriptsprache mit deren Hilfe ein eMailkonteninhaber die serverseitige Filterung auf dem MDA steuern und verwalten kann.
Daemone, Queues und Dienste
Bevor wir uns nun mit den einzelnen Modulen, Daemons und/oder Delivery-Agents befassen, werfen wir zum besseren Verständnis dieser Komponenten erst einfach mal einen Blick unter die Motorhaube unseres 12-Zylinders. ;)
Welche Aufgaben und Funktionen die einzelnen Dienste mitbringen wollen wir uns kurz befassen.
master
Die Steuerung der in der obigen Übersichtskizze dargestellten Daemone und Module erfolgt mit Hilfe des master-Daemon, welcher den Postfix-Main-Prozess definiert. Dieser Master-Prozess steuert und überwacht zum einen die einzelnen Postfix-Module, definiert wie viele Instanzen den einzelnen Modulen zugewiesen werden sollen. Zum anderen werden durch den Master-Prozess in regelmäßigen Abständen die Module zum Verwalten und Steuern der Queues gestartet.
Weitere Hinweise zum master-Daemon findet man in dessen manpage.
# man 5 master
MASTER(5) File Formats Manual MASTER(5)
NAME
master - Postfix master process configuration file format
DESCRIPTION
The Postfix mail system is implemented by small number of (mostly) client com‐
mands that are invoked by users, and by a larger number of services that run in
the background.
Postfix services are implemented by daemon processes. These run in the back‐
ground under control of the master(8) process. The master.cf configuration file
defines how a client program connects to a service, and what daemon program runs
when a service is requested. Most daemon processes are short-lived and termi‐
nate voluntarily after serving max_use clients, or after inactivity for max_idle
or more units of time.
All daemons specified here must speak a Postfix-internal protocol. In order to
execute non-Postfix software use the local(8), pipe(8) or spawn(8) services, or
run the server under control by inetd(8) or equivalent.
After changing master.cf you must execute "postfix reload" to reload the config‐
uration.
SYNTAX
The general format of the master.cf file is as follows:
· Empty lines and whitespace-only lines are ignored, as are lines whose
first non-whitespace character is a `#'.
· A logical line starts with non-whitespace text. A line that starts with
whitespace continues a logical line.
· Each logical line defines a single Postfix service. Each service is
identified by its name and type as described below. When multiple lines
specify the same service name and type, only the last one is remembered.
Otherwise, the order of master.cf service definitions does not matter.
Each logical line consists of eight fields separated by whitespace. These are
described below in the order as they appear in the master.cf file.
Where applicable a field of "-" requests that the built-in default value be
used. For boolean fields specify "y" or "n" to override the default value.
Service name
The service name syntax depends on the service type as described next.
Service type
Specify one of the following service types:
inet The service listens on a TCP/IP socket and is accessible via the
network.
The service name is specified as host:port, denoting the host and
port on which new connections should be accepted. The host part
(and colon) may be omitted. Either host or port may be given in
symbolic form (host or service name) or in numeric form (IP
address or port number). Host information may be enclosed inside
"[]"; this form is necessary only with IPv6 addresses.
Examples: a service named 127.0.0.1:smtp or ::1:smtp receives mail
via the loopback interface only; and a service named 10025 accepts
connections on TCP port 10025 via all interfaces configured with
the inet_interfaces parameter.
Note: with Postfix version 2.2 and later specify "inet_interfaces
= loopback-only" in main.cf, instead of hard-coding loopback IP
address information in master.cf or in main.cf.
unix The service listens on a UNIX-domain socket and is accessible for
local clients only.
The service name is a pathname relative to the Postfix queue
directory (pathname controlled with the queue_directory configura‐
tion parameter in main.cf).
On Solaris 8 and earlier systems the unix type is implemented with
streams sockets.
fifo The service listens on a FIFO (named pipe) and is accessible for
local clients only.
The service name is a pathname relative to the Postfix queue
directory (pathname controlled with the queue_directory configura‐
tion parameter in main.cf).
pass The service listens on a UNIX-domain socket, and is accessible to
local clients only. It receives one open connection (file descrip‐
tor passing) per connection request.
The service name is a pathname relative to the Postfix queue
directory (pathname controlled with the queue_directory configura‐
tion parameter in main.cf).
On Solaris 8 and earlier systems the pass type is implemented with
streams sockets.
This feature is available as of Postfix version 2.5.
Private (default: y)
Whether or not access is restricted to the mail system. Internet (type
inet) services can't be private.
Unprivileged (default: y)
Whether the service runs with root privileges or as the owner of the
Postfix system (the owner name is controlled by the mail_owner configura‐
tion variable in the main.cf file).
The local(8), pipe(8), spawn(8), and virtual(8) daemons require privi‐
leges.
Chroot (default: y)
Whether or not the service runs chrooted to the mail queue directory
(pathname is controlled by the queue_directory configuration variable in
the main.cf file).
Chroot should not be used with the local(8), pipe(8), spawn(8), and vir‐
tual(8) daemons. Although the proxymap(8) server can run chrooted, doing
so defeats most of the purpose of having that service in the first place.
The files in the examples/chroot-setup subdirectory of the Postfix source
archive show set up a Postfix chroot environment on a variety of systems.
See also BASIC_CONFIGURATION_README for issues related to running daemons
chrooted.
Wake up time (default: 0)
Automatically wake up the named service after the specified number of
seconds. The wake up is implemented by connecting to the service and
sending a wake up request. A ? at the end of the wake-up time field
requests that no wake up events be sent before the first time a service
is used. Specify 0 for no automatic wake up.
The pickup(8), qmgr(8) and flush(8) daemons require a wake up timer.
Process limit (default: $default_process_limit)
The maximum number of processes that may execute this service simultane‐
ously. Specify 0 for no process count limit.
NOTE: Some Postfix services must be configured as a single-process ser‐
vice (for example, qmgr(8)) and some services must be configured with no
process limit (for example, cleanup(8)). These limits must not be
changed.
Command name + arguments
The command to be executed. Characters that are special to the shell
such as ">" or "|" have no special meaning here, and quotes cannot be
used to protect arguments containing whitespace.
The command name is relative to the Postfix daemon directory (pathname is
controlled by the daemon_directory configuration variable).
The command argument syntax for specific commands is specified in the
respective daemon manual page.
The following command-line options have the same effect for all daemon
programs:
-D Run the daemon under control by the command specified with the
debugger_command variable in the main.cf configuration file. See
DEBUG_README for hints and tips.
-o name=value
Override the named main.cf configuration parameter. The parameter
value can refer to other parameters as $name etc., just like in
main.cf. See postconf(5) for syntax.
NOTE 1: do not specify whitespace around the "=" or in parameter
values. To specify a parameter value that contains whitespace, use
commas instead of spaces, or specify the value in main.cf. Exam‐
ple:
/etc/postfix/master.cf:
submission inet .... smtpd
-o smtpd_mumble=$submission_mumble
/etc/postfix/main.cf
submission_mumble = text with whitespace...
NOTE 2: Over-zealous use of parameter overrides makes the Postfix
configuration hard to understand and maintain. At a certain
point, it might be easier to configure multiple instances of Post‐
fix, instead of configuring multiple personalities via master.cf.
-v Increase the verbose logging level. Specify multiple -v options to
make a Postfix daemon process increasingly verbose.
SEE ALSO
master(8), process manager
postconf(5), configuration parameters
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
BASIC_CONFIGURATION_README, basic configuration
DEBUG_README, Postfix debugging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Initial version by
Magnus Baeck
Lund Institute of Technology
Sweden
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
MASTER(5)
lmtp, smtp, smtps und relay
Der smtp-Client wird benutzt, um Nachrichten an vom Postfix zu anderen SMTP/LMTP-Daemons weiterzurouten, die dieser vom queue-Manager zugewiesen bekommt. Der Client ermittelt selbst die Routinginformationen, wie er den Empfänger erreichen kann und versucht je nach Priorität der Nachricht diese erfolgreich zuzustellen. Weiterhin übergibt der Client Statusberichte zur Zustellung von Nachrichten an den bounce-, defer- und trace-daemon. Nach der erfolgreichen Übertragung der Nachricht, kann eine Verbindung an den scache-Daemon übergeben werden, damit die bestehende Verbindung ggf für weitere Nachrichtenübertragungen genutzt werden kann. Der smtps-Client benutzt zur Übertragung entsprechend TLS-geschützten Übertragungsweg.
Weitere Hinweise können der smtp manpage entnommen werden.
# man 8 smtp
SMTP(8) System Manager's Manual SMTP(8)
NAME
smtp - Postfix SMTP+LMTP client
SYNOPSIS
smtp [generic Postfix daemon options]
DESCRIPTION
The Postfix SMTP+LMTP client implements the SMTP and LMTP mail delivery proto‐
cols. It processes message delivery requests from the queue manager. Each
request specifies a queue file, a sender address, a domain or host to deliver
to, and recipient information. This program expects to be run from the mas‐
ter(8) process manager.
The SMTP+LMTP client updates the queue file and marks recipients as finished, or
it informs the queue manager that delivery should be tried again at a later
time. Delivery status reports are sent to the bounce(8), defer(8) or trace(8)
daemon as appropriate.
The SMTP+LMTP client looks up a list of mail exchanger addresses for the desti‐
nation host, sorts the list by preference, and connects to each listed address
until it finds a server that responds.
When a server is not reachable, or when mail delivery fails due to a recoverable
error condition, the SMTP+LMTP client will try to deliver the mail to an alter‐
nate host.
After a successful mail transaction, a connection may be saved to the scache(8)
connection cache server, so that it may be used by any SMTP+LMTP client for a
subsequent transaction.
By default, connection caching is enabled temporarily for destinations that have
a high volume of mail in the active queue. Connection caching can be enabled
permanently for specific destinations.
SMTP DESTINATION SYNTAX
SMTP destinations have the following form:
domainname
domainname:port
Look up the mail exchangers for the specified domain, and connect to the
specified port (default: smtp).
[hostname]
[hostname]:port
Look up the address(es) of the specified host, and connect to the speci‐
fied port (default: smtp).
[address]
[address]:port
Connect to the host at the specified address, and connect to the speci‐
fied port (default: smtp). An IPv6 address must be formatted as
[ipv6:address].
LMTP DESTINATION SYNTAX
LMTP destinations have the following form:
unix:pathname
Connect to the local UNIX-domain server that is bound to the specified
pathname. If the process runs chrooted, an absolute pathname is inter‐
preted relative to the Postfix queue directory.
inet:hostname
inet:hostname:port
inet:[address]
inet:[address]:port
Connect to the specified TCP port on the specified local or remote host.
If no port is specified, connect to the port defined as lmtp in ser‐
vices(4). If no such service is found, the lmtp_tcp_port configuration
parameter (default value of 24) will be used. An IPv6 address must be
formatted as [ipv6:address].
SECURITY
The SMTP+LMTP client is moderately security-sensitive. It talks to SMTP or LMTP
servers and to DNS servers on the network. The SMTP+LMTP client can be run
chrooted at fixed low privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 822 (ARPA Internet Text Messages)
RFC 1651 (SMTP service extensions)
RFC 1652 (8bit-MIME transport)
RFC 1870 (Message Size Declaration)
RFC 2033 (LMTP protocol)
RFC 2034 (SMTP Enhanced Error Codes)
RFC 2045 (MIME: Format of Internet Message Bodies)
RFC 2046 (MIME: Media Types)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN Extension)
RFC 3463 (Enhanced Status Codes)
RFC 4954 (AUTH command)
RFC 5321 (SMTP protocol)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8). Corrupted message files are
marked so that the queue manager can move them to the corrupt queue for further
inspection.
Depending on the setting of the notify_classes parameter, the postmaster is
notified of bounces, protocol problems, and of other trouble.
BUGS
SMTP and LMTP connection caching does not work with TLS. The necessary support
for TLS object passivation and re-activation does not exist without closing the
session, which defeats the purpose.
SMTP and LMTP connection caching assumes that SASL credentials are valid for all
destinations that map onto the same IP address and TCP port.
CONFIGURATION PARAMETERS
Before Postfix version 2.3, the LMTP client is a separate program that imple‐
ments only a subset of the functionality available with SMTP: there is no sup‐
port for TLS, and connections are cached in-process, making it ineffective when
the client is used for multiple domains.
Most smtp_xxx configuration parameters have an lmtp_xxx "mirror" parameter for
the equivalent LMTP feature. This document describes only those LMTP-related
parameters that aren't simply "mirror" parameters.
Changes to main.cf are picked up automatically, as smtp(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
COMPATIBILITY CONTROLS
ignore_mx_lookup_error (no)
Ignore DNS MX lookups that produce no response.
smtp_always_send_ehlo (yes)
Always send EHLO at the start of an SMTP session.
smtp_never_send_ehlo (no)
Never send EHLO at the start of an SMTP session.
smtp_defer_if_no_mx_address_found (no)
Defer mail delivery when no MX record resolves to an IP address.
smtp_line_length_limit (998)
The maximal length of message header and body lines that Postfix will
send via SMTP.
smtp_pix_workaround_delay_time (10s)
How long the Postfix SMTP client pauses before sending ".<CR><LF>" in
order to work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
smtp_pix_workaround_threshold_time (500s)
How long a message must be queued before the Postfix SMTP client turns on
the PIX firewall "<CR><LF>.<CR><LF>" bug workaround for delivery through
firewalls with "smtp fixup" mode turned on.
smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
A list that specifies zero or more workarounds for CISCO PIX firewall
bugs.
smtp_pix_workaround_maps (empty)
Lookup tables, indexed by the remote SMTP server address, with per-desti‐
nation workarounds for CISCO PIX firewall bugs.
smtp_quote_rfc821_envelope (yes)
Quote addresses in Postfix SMTP client MAIL FROM and RCPT TO commands as
required by RFC 5321.
smtp_reply_filter (empty)
A mechanism to transform replies from remote SMTP servers one line at a
time.
smtp_skip_5xx_greeting (yes)
Skip remote SMTP servers that greet with a 5XX status code.
smtp_skip_quit_response (yes)
Do not wait for the response to the SMTP QUIT command.
Available in Postfix version 2.0 and earlier:
smtp_skip_4xx_greeting (yes)
Skip SMTP servers that greet with a 4XX status code (go away, try again
later).
Available in Postfix version 2.2 and later:
smtp_discard_ehlo_keyword_address_maps (empty)
Lookup tables, indexed by the remote SMTP server address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP client will ignore in the EHLO response from a
remote SMTP server.
smtp_discard_ehlo_keywords (empty)
A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP client will ignore in the EHLO response from
a remote SMTP server.
smtp_generic_maps (empty)
Optional lookup tables that perform address rewriting in the Postfix SMTP
client, typically to transform a locally valid address into a globally
valid address when sending mail across the Internet.
Available in Postfix version 2.2.9 and later:
smtp_cname_overrides_servername (version dependent)
Allow DNS CNAME records to override the servername that the Postfix SMTP
client uses for logging, SASL password lookup, TLS policy decisions, or
TLS certificate verification.
Available in Postfix version 2.3 and later:
lmtp_discard_lhlo_keyword_address_maps (empty)
Lookup tables, indexed by the remote LMTP server address, with case
insensitive lists of LHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix LMTP client will ignore in the LHLO response from a
remote LMTP server.
lmtp_discard_lhlo_keywords (empty)
A case insensitive list of LHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix LMTP client will ignore in the LHLO response from
a remote LMTP server.
Available in Postfix version 2.4.4 and later:
send_cyrus_sasl_authzid (no)
When authenticating to a remote SMTP or LMTP server with the default set‐
ting "no", send no SASL authoriZation ID (authzid); send only the SASL
authentiCation ID (authcid) plus the authcid's password.
Available in Postfix version 2.5 and later:
smtp_header_checks (empty)
Restricted header_checks(5) tables for the Postfix SMTP client.
smtp_mime_header_checks (empty)
Restricted mime_header_checks(5) tables for the Postfix SMTP client.
smtp_nested_header_checks (empty)
Restricted nested_header_checks(5) tables for the Postfix SMTP client.
smtp_body_checks (empty)
Restricted body_checks(5) tables for the Postfix SMTP client.
Available in Postfix version 2.6 and later:
tcp_windowsize (0)
An optional workaround for routers that break TCP window scaling.
Available in Postfix version 2.8 and later:
smtp_dns_resolver_options (empty)
DNS Resolver options for the Postfix SMTP client.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
Change the behavior of the smtp_*_timeout time limits, from a time limit
per read or write system call, to a time limit to send or receive a com‐
plete record (an SMTP command line, SMTP response line, SMTP message con‐
tent line, or TLS protocol message).
smtp_send_dummy_mail_auth (no)
Whether or not to append the "AUTH=<>" option to the MAIL FROM command in
SASL-authenticated SMTP sessions.
Available in Postfix version 2.11 and later:
smtp_dns_support_level (empty)
Level of DNS support in the Postfix SMTP client.
MIME PROCESSING CONTROLS
Available in Postfix version 2.0 and later:
disable_mime_output_conversion (no)
Disable the conversion of 8BITMIME format to 7BIT format.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart boundary strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME processor will handle.
EXTERNAL CONTENT INSPECTION CONTROLS
Available in Postfix version 2.1 and later:
smtp_send_xforward_command (no)
Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
response announces XFORWARD support.
SASL AUTHENTICATION CONTROLS
smtp_sasl_auth_enable (no)
Enable SASL authentication in the Postfix SMTP client.
smtp_sasl_password_maps (empty)
Optional Postfix SMTP client lookup tables with one username:password
entry per remote hostname or domain, or sender address when sender-depen‐
dent authentication is enabled.
smtp_sasl_security_options (noplaintext, noanonymous)
Postfix SMTP client SASL security options; as of Postfix 2.3 the list of
available features depends on the SASL client implementation that is
selected with smtp_sasl_type.
Available in Postfix version 2.2 and later:
smtp_sasl_mechanism_filter (empty)
If non-empty, a Postfix SMTP client filter for the remote SMTP server's
list of offered SASL mechanisms.
Available in Postfix version 2.3 and later:
smtp_sender_dependent_authentication (no)
Enable sender-dependent authentication in the Postfix SMTP client; this
is available only with SASL authentication, and disables SMTP connection
caching to ensure that mail from different senders will use the appropri‐
ate credentials.
smtp_sasl_path (empty)
Implementation-specific information that the Postfix SMTP client passes
through to the SASL plug-in implementation that is selected with
smtp_sasl_type.
smtp_sasl_type (cyrus)
The SASL plug-in type that the Postfix SMTP client should use for authen‐
tication.
Available in Postfix version 2.5 and later:
smtp_sasl_auth_cache_name (empty)
An optional table to prevent repeated SASL authentication failures with
the same remote SMTP server hostname, username and password.
smtp_sasl_auth_cache_time (90d)
The maximal age of an smtp_sasl_auth_cache_name entry before it is
removed.
smtp_sasl_auth_soft_bounce (yes)
When a remote SMTP server rejects a SASL authentication request with a
535 reply code, defer mail delivery instead of returning mail as undeliv‐
erable.
Available in Postfix version 2.9 and later:
smtp_send_dummy_mail_auth (no)
Whether or not to append the "AUTH=<>" option to the MAIL FROM command in
SASL-authenticated SMTP sessions.
STARTTLS SUPPORT CONTROLS
Detailed information about STARTTLS configuration may be found in the TLS_README
document.
smtp_tls_security_level (empty)
The default SMTP TLS security level for the Postfix SMTP client; when a
non-empty value is specified, this overrides the obsolete parameters
smtp_use_tls, smtp_enforce_tls, and smtp_tls_enforce_peername.
smtp_sasl_tls_security_options ($smtp_sasl_security_options)
The SASL authentication security options that the Postfix SMTP client
uses for TLS encrypted SMTP sessions.
smtp_starttls_timeout (300s)
Time limit for Postfix SMTP client write and read operations during TLS
startup and shutdown handshake procedures.
smtp_tls_CAfile (empty)
A file containing CA certificates of root CAs trusted to sign either
remote SMTP server certificates or intermediate CA certificates.
smtp_tls_CApath (empty)
Directory with PEM format certificate authority certificates that the
Postfix SMTP client uses to verify a remote SMTP server certificate.
smtp_tls_cert_file (empty)
File with the Postfix SMTP client RSA certificate in PEM format.
smtp_tls_mandatory_ciphers (medium)
The minimum TLS cipher grade that the Postfix SMTP client will use with
mandatory TLS encryption.
smtp_tls_exclude_ciphers (empty)
List of ciphers or cipher types to exclude from the Postfix SMTP client
cipher list at all TLS security levels.
smtp_tls_mandatory_exclude_ciphers (empty)
Additional list of ciphers or cipher types to exclude from the Postfix
SMTP client cipher list at mandatory TLS security levels.
smtp_tls_dcert_file (empty)
File with the Postfix SMTP client DSA certificate in PEM format.
smtp_tls_dkey_file ($smtp_tls_dcert_file)
File with the Postfix SMTP client DSA private key in PEM format.
smtp_tls_key_file ($smtp_tls_cert_file)
File with the Postfix SMTP client RSA private key in PEM format.
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_note_starttls_offer (no)
Log the hostname of a remote SMTP server that offers STARTTLS, when TLS
is not already enabled for that server.
smtp_tls_policy_maps (empty)
Optional lookup tables with the Postfix SMTP client TLS security policy
by next-hop destination; when a non-empty value is specified, this over‐
rides the obsolete smtp_tls_per_site parameter.
smtp_tls_mandatory_protocols (!SSLv2)
List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption.
smtp_tls_scert_verifydepth (9)
The verification depth for remote SMTP server certificates.
smtp_tls_secure_cert_match (nexthop, dot-nexthop)
How the Postfix SMTP client verifies the server certificate peername for
the "secure" TLS security level.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP client TLS session
cache.
smtp_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP client TLS session cache information.
smtp_tls_verify_cert_match (hostname)
How the Postfix SMTP client verifies the server certificate peername for
the "verify" TLS security level.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
requests from the tlsmgr(8) server in order to seed its internal pseudo
random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers.
tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers.
tls_export_cipherlist (ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
The OpenSSL cipherlist for "NULL" grade ciphers that provide authentica‐
tion without encryption.
Available in Postfix version 2.4 and later:
smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
The SASL authentication security options that the Postfix SMTP client
uses for TLS encrypted SMTP sessions with a verified server certificate.
Available in Postfix version 2.5 and later:
smtp_tls_fingerprint_cert_match (empty)
List of acceptable remote SMTP server certificate fingerprints for the
"fingerprint" TLS security level (smtp_tls_security_level = fingerprint).
smtp_tls_fingerprint_digest (md5)
The message digest algorithm used to construct remote SMTP server cer‐
tificate fingerprints.
Available in Postfix version 2.6 and later:
smtp_tls_protocols (!SSLv2)
List of TLS protocols that the Postfix SMTP client will exclude or
include with opportunistic TLS encryption.
smtp_tls_ciphers (export)
The minimum TLS cipher grade that the Postfix SMTP client will use with
opportunistic TLS encryption.
smtp_tls_eccert_file (empty)
File with the Postfix SMTP client ECDSA certificate in PEM format.
smtp_tls_eckey_file ($smtp_tls_eccert_file)
File with the Postfix SMTP client ECDSA private key in PEM format.
Available in Postfix version 2.7 and later:
smtp_tls_block_early_mail_reply (no)
Try to detect a mail hijacking attack based on a TLS protocol vulnerabil‐
ity (CVE-2009-3555), where an attacker prepends malicious HELO, MAIL,
RCPT, DATA commands to a Postfix SMTP client TLS session.
Available in Postfix version 2.8 and later:
tls_disable_workarounds (see 'postconf -d' output)
List or bit-mask of OpenSSL bug work-arounds to disable.
Available in Postfix version 2.11 and later:
smtp_tls_trust_anchor_file (empty)
Zero or more PEM-format files with trust-anchor certificates and/or pub‐
lic keys.
smtp_tls_force_insecure_host_tlsa_lookup (no)
Lookup the associated DANE TLSA RRset even when a hostname is not an
alias and its address records lie in an unsigned zone.
tls_dane_trust_anchor_digest_enable (yes)
RFC 6698 trust-anchor digest support in the Postfix TLS library.
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
OBSOLETE STARTTLS CONTROLS
The following configuration parameters exist for compatibility with Postfix ver‐
sions before 2.3. Support for these will be removed in a future release.
smtp_use_tls (no)
Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS
support, otherwise send the mail in the clear.
smtp_enforce_tls (no)
Enforcement mode: require that remote SMTP servers use TLS encryption,
and never send mail in the clear.
smtp_tls_enforce_peername (yes)
With mandatory TLS encryption, require that the remote SMTP server host‐
name matches the information in the remote SMTP server certificate.
smtp_tls_per_site (empty)
Optional lookup tables with the Postfix SMTP client TLS usage policy by
next-hop destination and by remote SMTP server hostname.
smtp_tls_cipherlist (empty)
Obsolete Postfix < 2.3 control for the Postfix SMTP client TLS cipher
list.
RESOURCE AND RATE CONTROLS
smtp_destination_concurrency_limit ($default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via the
smtp message delivery transport.
smtp_destination_recipient_limit ($default_destination_recipient_limit)
The maximal number of recipients per message for the smtp message deliv‐
ery transport.
smtp_connect_timeout (30s)
The Postfix SMTP client time limit for completing a TCP connection, or
zero (use the operating system built-in time limit).
smtp_helo_timeout (300s)
The Postfix SMTP client time limit for sending the HELO or EHLO command,
and for receiving the initial remote SMTP server response.
lmtp_lhlo_timeout (300s)
The Postfix LMTP client time limit for sending the LHLO command, and for
receiving the initial remote LMTP server response.
smtp_xforward_timeout (300s)
The Postfix SMTP client time limit for sending the XFORWARD command, and
for receiving the remote SMTP server response.
smtp_mail_timeout (300s)
The Postfix SMTP client time limit for sending the MAIL FROM command, and
for receiving the remote SMTP server response.
smtp_rcpt_timeout (300s)
The Postfix SMTP client time limit for sending the SMTP RCPT TO command,
and for receiving the remote SMTP server response.
smtp_data_init_timeout (120s)
The Postfix SMTP client time limit for sending the SMTP DATA command, and
for receiving the remote SMTP server response.
smtp_data_xfer_timeout (180s)
The Postfix SMTP client time limit for sending the SMTP message content.
smtp_data_done_timeout (600s)
The Postfix SMTP client time limit for sending the SMTP ".", and for
receiving the remote SMTP server response.
smtp_quit_timeout (300s)
The Postfix SMTP client time limit for sending the QUIT command, and for
receiving the remote SMTP server response.
Available in Postfix version 2.1 and later:
smtp_mx_address_limit (5)
The maximal number of MX (mail exchanger) IP addresses that can result
from Postfix SMTP client mail exchanger lookups, or zero (no limit).
smtp_mx_session_limit (2)
The maximal number of SMTP sessions per delivery request before the Post‐
fix SMTP client gives up or delivers to a fall-back relay host, or zero
(no limit).
smtp_rset_timeout (20s)
The Postfix SMTP client time limit for sending the RSET command, and for
receiving the remote SMTP server response.
Available in Postfix version 2.2 and earlier:
lmtp_cache_connection (yes)
Keep Postfix LMTP client connections open for up to $max_idle seconds.
Available in Postfix version 2.2 and later:
smtp_connection_cache_destinations (empty)
Permanently enable SMTP connection caching for the specified destina‐
tions.
smtp_connection_cache_on_demand (yes)
Temporarily enable SMTP connection caching while a destination has a high
volume of mail in the active queue.
smtp_connection_reuse_time_limit (300s)
The amount of time during which Postfix will use an SMTP connection
repeatedly.
smtp_connection_cache_time_limit (2s)
When SMTP connection caching is enabled, the amount of time that an
unused SMTP client socket is kept open before it is closed.
Available in Postfix version 2.3 and later:
connection_cache_protocol_timeout (5s)
Time limit for connection cache connect, send or receive operations.
Available in Postfix version 2.9 and later:
smtp_per_record_deadline (no)
Change the behavior of the smtp_*_timeout time limits, from a time limit
per read or write system call, to a time limit to send or receive a com‐
plete record (an SMTP command line, SMTP response line, SMTP message con‐
tent line, or TLS protocol message).
Available in Postfix version 2.11 and later:
smtp_connection_reuse_count_limit (0)
When SMTP connection caching is enabled, the number of times that an SMTP
session may be reused before it is closed, or zero (no limit).
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server hostname or network address pat‐
terns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.
error_notice_recipient (postmaster)
The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
internal_mail_filter_classes (empty)
What categories of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, header_checks and body_checks.
notify_classes (resource, software)
The list of error classes that are reported to the postmaster.
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
Where the Postfix SMTP client should deliver mail when it detects a "mail
loops back to myself" error condition.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and LMTP clients.
inet_interfaces (all)
The network interface addresses that this mail system receives mail on.
inet_protocols (all)
The Internet protocols Postfix will attempt to use when making or accept‐
ing connections.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
lmtp_assume_final (no)
When a remote LMTP server announces no DSN support, assume that the
server performs final delivery, and send "delivered" delivery status
notifications instead of "relayed".
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP client connects to.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
proxy_interfaces (empty)
The network interface addresses that this mail system receives mail on by
way of a proxy or network address translation unit.
smtp_address_preference (any)
The address type ("ipv6", "ipv4" or "any") that the Postfix SMTP client
will try first, when a destination has IPv6 and IPv4 addresses with equal
MX preference.
smtp_bind_address (empty)
An optional numerical network address that the Postfix SMTP client should
bind to when making an IPv4 connection.
smtp_bind_address6 (empty)
An optional numerical network address that the Postfix SMTP client should
bind to when making an IPv6 connection.
smtp_helo_name ($myhostname)
The hostname to send in the SMTP EHLO or HELO command.
lmtp_lhlo_name ($myhostname)
The hostname to send in the LMTP LHLO command.
smtp_host_lookup (dns)
What mechanisms the Postfix SMTP client uses to look up a host's IP
address.
smtp_randomize_addresses (yes)
Randomize the order of equal-preference MX host addresses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
Available with Postfix 2.2 and earlier:
fallback_relay (empty)
Optional list of relay hosts for SMTP destinations that can't be found or
that are unreachable.
Available with Postfix 2.3 and later:
smtp_fallback_relay ($fallback_relay)
Optional list of relay hosts for SMTP destinations that can't be found or
that are unreachable.
SEE ALSO
generic(5), output address rewriting
header_checks(5), message header content inspection
body_checks(5), body parts content inspection
qmgr(8), queue manager
bounce(8), delivery status reports
scache(8), connection cache server
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
tlsmgr(8), TLS session and PRNG management
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
SASL_README, Postfix SASL howto
TLS_README, Postfix STARTTLS howto
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Command pipelining in cooperation with:
Jon Ribbens
Oaktree Internet Solutions Ltd.,
Internet House,
Canal Basin,
Coventry,
CV1 4LY, United Kingdom.
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
65760 Eschborn, Germany
TLS support originally by:
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
Revised TLS and SMTP connection cache support by:
Victor Duchovni
Morgan Stanley
SMTP(8)
pipe
Der pipe-Daemon ist neben den Mailclient-Programmen lmtp und smtp ein weiterer Dienst, der mit der Weiterverteilung der Nachrichten zu externen Mail-Transportprogrammen/-scripten zur Anwendung kommt. Bekannte Vertreter sind hier der Mailinglisten-Server Mailman oder auch der sks-keyserver oder ein Mail2Fax-Programm.
Detailinformationen zum pipe-Daemon findet man in dessen manpage.
# man 8 pipe
PIPE(8) System Manager's Manual PIPE(8)
NAME
pipe - Postfix delivery to external command
SYNOPSIS
pipe [generic Postfix daemon options] command_attributes...
DESCRIPTION
The pipe(8) daemon processes requests from the Postfix queue manager to deliver
messages to external commands. This program expects to be run from the mas‐
ter(8) process manager.
Message attributes such as sender address, recipient address and next-hop host
name can be specified as command-line macros that are expanded before the exter‐
nal command is executed.
The pipe(8) daemon updates queue files and marks recipients as finished, or it
informs the queue manager that delivery should be tried again at a later time.
Delivery status reports are sent to the bounce(8), defer(8) or trace(8) daemon
as appropriate.
SINGLE-RECIPIENT DELIVERY
Some destinations cannot handle more than one recipient per delivery request.
Examples are pagers or fax machines. In addition, multi-recipient delivery is
undesirable when prepending a Delivered-to: or X-Original-To: message header.
To prevent Postfix from sending multiple recipients per delivery request, spec‐
ify
transport_destination_recipient_limit = 1
in the Postfix main.cf file, where transport is the name in the first column of
the Postfix master.cf entry for the pipe-based delivery transport.
COMMAND ATTRIBUTE SYNTAX
The external command attributes are given in the master.cf file at the end of a
service definition. The syntax is as follows:
chroot=pathname (optional)
Change the process root directory and working directory to the named
directory. This happens before switching to the privileges specified with
the user attribute, and before executing the optional directory=pathname
directive. Delivery is deferred in case of failure.
This feature is available as of Postfix 2.3.
directory=pathname (optional)
Change to the named directory before executing the external command. The
directory must be accessible for the user specified with the user
attribute (see below). The default working directory is $queue_direc‐
tory. Delivery is deferred in case of failure.
This feature is available as of Postfix 2.2.
eol=string (optional, default: \n)
The output record delimiter. Typically one would use either \r\n or \n.
The usual C-style backslash escape sequences are recognized: \a \b \f \n
\r \t \v \ddd (up to three octal digits) and \\.
flags=BDFORXhqu.> (optional)
Optional message processing flags. By default, a message is copied
unchanged.
B Append a blank line at the end of each message. This is required
by some mail user agents that recognize "From " lines only when
preceded by a blank line.
D Prepend a "Delivered-To: recipient" message header with the enve‐
lope recipient address. Note: for this to work, the transport_des‐
tination_recipient_limit must be 1 (see SINGLE-RECIPIENT DELIVERY
above for details).
The D flag also enforces loop detection (Postfix 2.5 and later):
if a message already contains a Delivered-To: header with the same
recipient address, then the message is returned as undeliverable.
The address comparison is case insensitive.
This feature is available as of Postfix 2.0.
F Prepend a "From sender time_stamp" envelope header to the message
content. This is expected by, for example, UUCP software.
O Prepend an "X-Original-To: recipient" message header with the
recipient address as given to Postfix. Note: for this to work, the
transport_destination_recipient_limit must be 1 (see SINGLE-RECIP‐
IENT DELIVERY above for details).
This feature is available as of Postfix 2.0.
R Prepend a Return-Path: message header with the envelope sender
address.
X Indicate that the external command performs final delivery. This
flag affects the status reported in "success" DSN (delivery status
notification) messages, and changes it from "relayed" into "deliv‐
ered".
This feature is available as of Postfix 2.5.
h Fold the command-line $original_recipient and $recipient address
domain part (text to the right of the right-most @ character) to
lower case; fold the entire command-line $domain and $nexthop host
or domain information to lower case. This is recommended for
delivery via UUCP.
q Quote white space and other special characters in the command-line
$sender, $original_recipient and $recipient address localparts
(text to the left of the right-most @ character), according to an
8-bit transparent version of RFC 822. This is recommended for
delivery via UUCP or BSMTP.
The result is compatible with the address parsing of command-line
recipients by the Postfix sendmail(1) mail submission command.
The q flag affects only entire addresses, not the partial address
information from the $user, $extension or $mailbox command-line
macros.
u Fold the command-line $original_recipient and $recipient address
localpart (text to the left of the right-most @ character) to
lower case. This is recommended for delivery via UUCP.
. Prepend "." to lines starting with ".". This is needed by, for
example, BSMTP software.
> Prepend ">" to lines starting with "From ". This is expected by,
for example, UUCP software.
null_sender=replacement (default: MAILER-DAEMON)
Replace the null sender address (typically used for delivery status noti‐
fications) with the specified text when expanding the $sender command-
line macro, and when generating a From_ or Return-Path: message header.
If the null sender replacement text is a non-empty string then it is
affected by the q flag for address quoting in command-line arguments.
The null sender replacement text may be empty; this form is recommended
for content filters that feed mail back into Postfix. The empty sender
address is not affected by the q flag for address quoting in command-line
arguments.
Caution: a null sender address is easily mis-parsed by naive software.
For example, when the pipe(8) daemon executes a command such as:
Wrong: command -f$sender -- $recipient
the command will mis-parse the -f option value when the sender address is
a null string. For correct parsing, specify $sender as an argument by
itself:
Right: command -f $sender -- $recipient
This feature is available as of Postfix 2.3.
size=size_limit (optional)
Don't deliver messages that exceed this size limit (in bytes); return
them to the sender instead.
user=username (required)
user=username:groupname
Execute the external command with the user ID and group ID of the speci‐
fied username. The software refuses to execute commands with root privi‐
leges, or with the privileges of the mail system owner. If groupname is
specified, the corresponding group ID is used instead of the group ID of
username.
argv=command... (required)
The command to be executed. This must be specified as the last command
attribute. The command is executed directly, i.e. without interpretation
of shell meta characters by a shell command interpreter.
In the command argument vector, the following macros are recognized and
replaced with corresponding information from the Postfix queue manager
delivery request.
In addition to the form ${name}, the forms $name and $(name) are also
recognized. Specify $$ where a single $ is wanted.
${client_address}
This macro expands to the remote client network address.
This feature is available as of Postfix 2.2.
${client_helo}
This macro expands to the remote client HELO command parameter.
This feature is available as of Postfix 2.2.
${client_hostname}
This macro expands to the remote client hostname.
This feature is available as of Postfix 2.2.
${client_port}
This macro expands to the remote client TCP port number.
This feature is available as of Postfix 2.5.
${client_protocol}
This macro expands to the remote client protocol.
This feature is available as of Postfix 2.2.
${domain}
This macro expands to the domain portion of the recipient address.
For example, with an address user+foo@domain the domain is domain.
This information is modified by the h flag for case folding.
This feature is available as of Postfix 2.5.
${extension}
This macro expands to the extension part of a recipient address.
For example, with an address user+foo@domain the extension is foo.
A command-line argument that contains ${extension} expands into as
many command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
${mailbox}
This macro expands to the complete local part of a recipient
address. For example, with an address user+foo@domain the mailbox
is user+foo.
A command-line argument that contains ${mailbox} expands to as
many command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
${nexthop}
This macro expands to the next-hop hostname.
This information is modified by the h flag for case folding.
${original_recipient}
This macro expands to the complete recipient address before any
address rewriting or aliasing.
A command-line argument that contains ${original_recipient}
expands to as many command-line arguments as there are recipients.
This information is modified by the hqu flags for quoting and case
folding.
This feature is available as of Postfix 2.5.
${queue_id}
This macro expands to the queue id.
This feature is available as of Postfix 2.11.
${recipient}
This macro expands to the complete recipient address.
A command-line argument that contains ${recipient} expands to as
many command-line arguments as there are recipients.
This information is modified by the hqu flags for quoting and case
folding.
${sasl_method}
This macro expands to the name of the SASL authentication mecha‐
nism in the AUTH command when the Postfix SMTP server received the
message.
This feature is available as of Postfix 2.2.
${sasl_sender}
This macro expands to the SASL sender name (i.e. the original sub‐
mitter as per RFC 4954) in the MAIL FROM command when the Postfix
SMTP server received the message.
This feature is available as of Postfix 2.2.
${sasl_username}
This macro expands to the SASL user name in the AUTH command when
the Postfix SMTP server received the message.
This feature is available as of Postfix 2.2.
${sender}
This macro expands to the envelope sender address. By default, the
null sender address expands to MAILER-DAEMON; this can be changed
with the null_sender attribute, as described above.
This information is modified by the q flag for quoting.
${size}
This macro expands to Postfix's idea of the message size, which is
an approximation of the size of the message as delivered.
${user}
This macro expands to the username part of a recipient address.
For example, with an address user+foo@domain the username part is
user.
A command-line argument that contains ${user} expands into as many
command-line arguments as there are recipients.
This information is modified by the u flag for case folding.
STANDARDS
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Command exit status codes are expected to follow the conventions defined in
<sysexits.h>. Exit status 0 means normal successful completion.
In the case of a non-zero exit status, a limited amount of command output is
reported in an delivery status notification. When the output begins with a
4.X.X or 5.X.X enhanced status code, the status code takes precedence over the
non-zero exit status (Postfix version 2.3 and later).
Problems and transactions are logged to syslogd(8). Corrupted message files are
marked so that the queue manager can move them to the corrupt queue for further
inspection.
SECURITY
This program needs a dual personality 1) to access the private Postfix queue and
IPC mechanisms, and 2) to execute external commands as the specified user. It is
therefore security sensitive.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as pipe(8) processes run for only
a limited amount of time. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
RESOURCE AND RATE CONTROLS
In the text below, transport is the first field in a master.cf entry.
transport_destination_concurrency_limit ($default_destination_concurrency_limit)
Limit the number of parallel deliveries to the same destination, for
delivery via the named transport. The limit is enforced by the Postfix
queue manager.
transport_destination_recipient_limit ($default_destination_recipient_limit)
Limit the number of recipients per message delivery, for delivery via the
named transport. The limit is enforced by the Postfix queue manager.
transport_time_limit ($command_time_limit)
Limit the time for delivery to external command, for delivery via the
named transport. The limit is enforced by the pipe delivery agent.
Postfix 2.4 and later support a suffix that specifies the time unit: s
(seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is seconds.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
export_environment (see 'postconf -d' output)
The list of environment variables that a Postfix process will export to
non-Postfix processes.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
mail_owner (postfix)
The UNIX system account that owns the Postfix queue and most Postfix dae‐
mon processes.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
recipient_delimiter (empty)
The set of characters that can separate a user name from its extension
(example: user+foo), or a .forward file name from its extension (example:
.forward+foo).
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PIPE(8)
sendmail
Der sendmail-Client ersetzt das ürsprüngliche, von Eric Allmann entwickelte sendmail-binary. Jedes extere Script oder Programm, welches das Client-Programm unter /usr/sbin/sendmail aufruft, benutzt somit die von Wietse Venema erstellte, wesentlich sicherere Variante, die sich unmittelbar an den Sicherheitsstandards von Postfix einfügt. Nachrichten werden vom sendmail-Client in die maildrop-Queue abgelegt, wo diese vom pickup-Daemon zur weiteren Verarbeitung abgeholt werden.
Weitere Informationen findet man zum sendmail-Client in dessen manpage.
# man 8 sendmail
SENDMAIL(1) General Commands Manual SENDMAIL(1)
NAME
sendmail - Postfix to Sendmail compatibility interface
SYNOPSIS
sendmail [option ...] [recipient ...]
mailq
sendmail -bp
newaliases
sendmail -I
DESCRIPTION
The Postfix sendmail(1) command implements the Postfix to Sendmail compatibility
interface. For the sake of compatibility with existing applications, some Send‐
mail command-line options are recognized but silently ignored.
By default, Postfix sendmail(1) reads a message from standard input until EOF or
until it reads a line with only a . character, and arranges for delivery. Post‐
fix sendmail(1) relies on the postdrop(1) command to create a queue file in the
maildrop directory.
Specific command aliases are provided for other common modes of operation:
mailq List the mail queue. Each entry shows the queue file ID, message size,
arrival time, sender, and the recipients that still need to be delivered.
If mail could not be delivered upon the last attempt, the reason for
failure is shown. The queue ID string is followed by an optional status
character:
* The message is in the active queue, i.e. the message is selected
for delivery.
! The message is in the hold queue, i.e. no further delivery attempt
will be made until the mail is taken off hold.
This mode of operation is implemented by executing the postqueue(1) com‐
mand.
newaliases
Initialize the alias database. If no input file is specified (with the
-oA option, see below), the program processes the file(s) specified with
the alias_database configuration parameter. If no alias database type is
specified, the program uses the type specified with the default_data‐
base_type configuration parameter. This mode of operation is implemented
by running the postalias(1) command.
Note: it may take a minute or so before an alias database update becomes
visible. Use the "postfix reload" command to eliminate this delay.
These and other features can be selected by specifying the appropriate combina‐
tion of command-line options. Some features are controlled by parameters in the
main.cf configuration file.
The following options are recognized:
-Am (ignored)
-Ac (ignored)
Postfix sendmail uses the same configuration file regardless of whether
or not a message is an initial submission.
-B body_type
The message body MIME type: 7BIT or 8BITMIME.
-bd Go into daemon mode. This mode of operation is implemented by executing
the "postfix start" command.
-bh (ignored)
-bH (ignored)
Postfix has no persistent host status database.
-bi Initialize alias database. See the newaliases command above.
-bl Go into daemon mode. To accept only local connections as with Sendmail´s
-bl option, specify "inet_interfaces = loopback" in the Postfix main.cf
configuration file.
-bm Read mail from standard input and arrange for delivery. This is the
default mode of operation.
-bp List the mail queue. See the mailq command above.
-bs Stand-alone SMTP server mode. Read SMTP commands from standard input, and
write responses to standard output. In stand-alone SMTP server mode,
mail relaying and other access controls are disabled by default. To
enable them, run the process as the mail_owner user.
This mode of operation is implemented by running the smtpd(8) daemon.
-bv Do not collect or deliver a message. Instead, send an email report after
verifying each recipient address. This is useful for testing address
rewriting and routing configurations.
This feature is available in Postfix version 2.1 and later.
-C config_file
-C config_dir
The path name of the Postfix main.cf file, or of its parent directory.
This information is ignored with Postfix versions before 2.3.
With all Postfix versions, you can specify a directory pathname with the
MAIL_CONFIG environment variable to override the location of configura‐
tion files.
-F full_name
Set the sender full name. This overrides the NAME environment variable,
and is used only with messages that have no From: message header.
-f sender
Set the envelope sender address. This is the address where delivery prob‐
lems are sent to. With Postfix versions before 2.1, the Errors-To: mes‐
sage header overrides the error return address.
-G Gateway (relay) submission, as opposed to initial user submission.
Either do not rewrite addresses at all, or update incomplete addresses
with the domain information specified with remote_header_rewrite_domain.
This option is ignored before Postfix version 2.3.
-h hop_count (ignored)
Hop count limit. Use the hopcount_limit configuration parameter instead.
-I Initialize alias database. See the newaliases command above.
-i When reading a message from standard input, don´t treat a line with only
a . character as the end of input.
-L label (ignored)
The logging label. Use the syslog_name configuration parameter instead.
-m (ignored)
Backwards compatibility.
-N dsn (default: 'delay, failure')
Delivery status notification control. Specify either a comma-separated
list with one or more of failure (send notification when delivery fails),
delay (send notification when delivery is delayed), or success (send
notification when the message is delivered); or specify never (don't send
any notifications at all).
This feature is available in Postfix 2.3 and later.
-n (ignored)
Backwards compatibility.
-oAalias_database
Non-default alias database. Specify pathname or type:pathname. See
postalias(1) for details.
-O option=value (ignored)
Set the named option to value. Use the equivalent configuration parameter
in main.cf instead.
-o7 (ignored)
-o8 (ignored)
To send 8-bit or binary content, use an appropriate MIME encapsulation
and specify the appropriate -B command-line option.
-oi When reading a message from standard input, don´t treat a line with only
a . character as the end of input.
-om (ignored)
The sender is never eliminated from alias etc. expansions.
-o x value (ignored)
Set option x to value. Use the equivalent configuration parameter in
main.cf instead.
-r sender
Set the envelope sender address. This is the address where delivery prob‐
lems are sent to. With Postfix versions before 2.1, the Errors-To: mes‐
sage header overrides the error return address.
-R return
Delivery status notification control. Specify "hdrs" to return only the
header when a message bounces, "full" to return a full copy (the default
behavior).
The -R option specifies an upper bound; Postfix will return only the
header, when a full copy would exceed the bounce_size_limit setting.
This option is ignored before Postfix version 2.10.
-q Attempt to deliver all queued mail. This is implemented by executing the
postqueue(1) command.
Warning: flushing undeliverable mail frequently will result in poor
delivery performance of all other mail.
-qinterval (ignored)
The interval between queue runs. Use the queue_run_delay configuration
parameter instead.
-qIqueueid
Schedule immediate delivery of mail with the specified queue ID. This
option is implemented by executing the postqueue(1) command, and is
available with Postfix version 2.4 and later.
-qRsite
Schedule immediate delivery of all mail that is queued for the named
site. This option accepts only site names that are eligible for the "fast
flush" service, and is implemented by executing the postqueue(1) command.
See flush(8) for more information about the "fast flush" service.
-qSsite
This command is not implemented. Use the slower "sendmail -q" command
instead.
-t Extract recipients from message headers. These are added to any recipi‐
ents specified on the command line.
With Postfix versions prior to 2.1, this option requires that no recipi‐
ent addresses are specified on the command line.
-U (ignored)
Initial user submission.
-V envid
Specify the envelope ID for notification by servers that support DSN.
This feature is available in Postfix 2.3 and later.
-XV (Postfix 2.2 and earlier: -V)
Variable Envelope Return Path. Given an envelope sender address of the
form owner-listname@origin, each recipient user@domain receives mail with
a personalized envelope sender address.
By default, the personalized envelope sender address is owner-list‐
name+user=domain@origin. The default + and = characters are configurable
with the default_verp_delimiters configuration parameter.
-XVxy (Postfix 2.2 and earlier: -Vxy)
As -XV, but uses x and y as the VERP delimiter characters, instead of the
characters specified with the default_verp_delimiters configuration
parameter.
-v Send an email report of the first delivery attempt (Postfix versions 2.1
and later). Mail delivery always happens in the background. When multiple
-v options are given, enable verbose logging for debugging purposes.
-X log_file (ignored)
Log mailer traffic. Use the debug_peer_list and debug_peer_level configu‐
ration parameters instead.
SECURITY
By design, this program is not set-user (or group) id. However, it must handle
data from untrusted, possibly remote, users. Thus, the usual precautions need
to be taken against malicious inputs.
DIAGNOSTICS
Problems are logged to syslogd(8) and to the standard error stream.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE (value does not matter)
Enable verbose logging for debugging purposes.
MAIL_DEBUG (value does not matter)
Enable debugging with an external command, as specified with the debug‐
ger_command configuration parameter.
NAME The sender full name. This is used only with messages that have no From:
message header. See also the -F option above.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially relevant to this program. The
text below provides only a parameter summary. See postconf(5) for more details
including examples.
COMPATIBILITY CONTROLS
Available with Postfix 2.9 and later:
sendmail_fix_line_endings (always)
Controls how the Postfix sendmail command converts email message line
endings from <CR><LF> into UNIX format (<LF>).
TROUBLE SHOOTING CONTROLS
The DEBUG_README file gives examples of how to trouble shoot a Postfix system.
debugger_command (empty)
The external command to execute when a Postfix daemon program is invoked
with the -D option.
debug_peer_level (2)
The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server hostname or network address pat‐
terns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.
ACCESS CONTROLS
Available in Postfix version 2.2 and later:
authorized_flush_users (static:anyone)
List of users who are authorized to flush the queue.
authorized_mailq_users (static:anyone)
List of users who are authorized to view the queue.
authorized_submit_users (static:anyone)
List of users who are authorized to submit mail with the sendmail(1) com‐
mand (and with the privileged postdrop(1) helper command).
RESOURCE AND RATE CONTROLS
bounce_size_limit (50000)
The maximal amount of original message text that is sent in a non-deliv‐
ery notification.
fork_attempts (5)
The maximal number of attempts to fork() a child process.
fork_delay (1s)
The delay between attempts to fork() a child process.
hopcount_limit (50)
The maximal number of Received: message headers that is allowed in the
primary message headers.
queue_run_delay (300s)
The time between deferred queue scans by the queue manager; prior to
Postfix 2.4 the default value was 1000s.
FAST FLUSH CONTROLS
The ETRN_README file describes configuration and operation details for the Post‐
fix "fast flush" service.
fast_flush_domains ($relay_domains)
Optional list of destinations that are eligible for per-destination log‐
files with mail that is queued to those destinations.
VERP CONTROLS
The VERP_README file describes configuration and operation details of Postfix
support for variable envelope return path addresses.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP delimiter characters on the Post‐
fix sendmail(1) command line and in SMTP commands.
MISCELLANEOUS CONTROLS
alias_database (see 'postconf -d' output)
The alias databases for local(8) delivery that are updated with
"newaliases" or with "sendmail -bi".
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_directory (see 'postconf -d' output)
The directory with Postfix support programs and daemon programs.
default_database_type (see 'postconf -d' output)
The default database type for use in newaliases(1), postalias(1) and
postmap(1) commands.
delay_warning_time (0h)
The time after which the sender receives a copy of the message headers of
mail that is still queued.
enable_errors_to (no)
Report mail delivery errors to the address specified with the non-stan‐
dard Errors-To: message header, instead of the envelope sender address
(this feature is removed with Postfix version 2.2, is turned off by
default with Postfix version 2.1, and is always turned on with older
Postfix versions).
mail_owner (postfix)
The UNIX system account that owns the Postfix queue and most Postfix dae‐
mon processes.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
remote_header_rewrite_domain (empty)
Don't rewrite message headers from remote clients at all when this param‐
eter is empty; otherwise, rewrite message headers and append the speci‐
fied domain name to incomplete addresses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix, mail queue
/etc/postfix, configuration files
SEE ALSO
pickup(8), mail pickup daemon
qmgr(8), queue manager
smtpd(8), SMTP server
flush(8), fast flush service
postsuper(1), queue maintenance
postalias(1), create/update/query alias database
postdrop(1), mail posting utility
postfix(1), mail system control
postqueue(1), mail queue control
syslogd(8), system logging
README_FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
DEBUG_README, Postfix debugging howto
ETRN_README, Postfix ETRN howto
VERP_README, Postfix VERP howto
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SENDMAIL(1)
smtpd
Der smtpd-Server nimmt Netzwerkverbindungen an und wickelt über die entsprechende Verbindung abhängig vom Prüfungsergebnis entweder keine, eine oder auch mehrere Nachrichten entgegen. Für diese Prüfung können DNS-Anfragen, black-/whitelists und noch viele weitere Kriterien herangezogen werden, die bei der Konfiguration dem smtpd-Daemon definiert worden sind. Auf diese Konfiguration werden wir später in einem weiterem Kapitel hier im Wiki eingehen. Jede akzeptierte Nachricht wird an den cleanup-Daemon weitergeleitet, der diese dann jeweils als separates Queue-File in die incoming-Queue stellt.
Weitere Informationen findet man natürlich auch in der manpage des smtpd-Servers.
# man 8 smtpd
SMTPD(8) System Manager's Manual SMTPD(8)
NAME
smtpd - Postfix SMTP server
SYNOPSIS
smtpd [generic Postfix daemon options]
sendmail -bs
DESCRIPTION
The SMTP server accepts network connection requests and performs zero or more
SMTP transactions per connection. Each received message is piped through the
cleanup(8) daemon, and is placed into the incoming queue as one single queue
file. For this mode of operation, the program expects to be run from the mas‐
ter(8) process manager.
Alternatively, the SMTP server be can run in stand-alone mode; this is tradi‐
tionally obtained with "sendmail -bs". When the SMTP server runs stand-alone
with non $mail_owner privileges, it receives mail even while the mail system is
not running, deposits messages directly into the maildrop queue, and disables
the SMTP server's access policies. As of Postfix version 2.3, the SMTP server
refuses to receive mail from the network when it runs with non $mail_owner priv‐
ileges.
The SMTP server implements a variety of policies for connection requests, and
for parameters given to HELO, ETRN, MAIL FROM, VRFY and RCPT TO commands. They
are detailed below and in the main.cf configuration file.
SECURITY
The SMTP server is moderately security-sensitive. It talks to SMTP clients and
to DNS servers on the network. The SMTP server can be run chrooted at fixed low
privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
RFC 1870 (Message size declaration)
RFC 1985 (ETRN command)
RFC 2034 (SMTP enhanced status codes)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN extension)
RFC 3463 (Enhanced status codes)
RFC 3848 (ESMTP transmission types)
RFC 4409 (Message submission)
RFC 4954 (AUTH command)
RFC 5321 (SMTP protocol)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Depending on the setting of the notify_classes parameter, the postmaster is
notified of bounces, protocol problems, policy violations, and of other trouble.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as smtpd(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
COMPATIBILITY CONTROLS
The following parameters work around implementation errors in other software,
and/or allow you to override standards in order to prevent undesirable use.
broken_sasl_auth_clients (no)
Enable inter-operability with remote SMTP clients that implement an obso‐
lete version of the AUTH command (RFC 4954).
disable_vrfy_command (no)
Disable the SMTP VRFY command.
smtpd_noop_commands (empty)
List of commands that the Postfix SMTP server replies to with "250 Ok",
without doing any syntax checks and without changing state.
strict_rfc821_envelopes (no)
Require that addresses received in SMTP MAIL FROM and RCPT TO commands
are enclosed with <>, and that those addresses do not contain RFC 822
style comments or phrases.
Available in Postfix version 2.1 and later:
smtpd_reject_unlisted_sender (no)
Request that the Postfix SMTP server rejects mail from unknown sender
addresses, even when no explicit reject_unlisted_sender access restric‐
tion is specified.
smtpd_sasl_exceptions_networks (empty)
What remote SMTP clients the Postfix SMTP server will not offer AUTH sup‐
port to.
Available in Postfix version 2.2 and later:
smtpd_discard_ehlo_keyword_address_maps (empty)
Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the Postfix SMTP server will not send in the EHLO response to a
remote SMTP client.
smtpd_discard_ehlo_keywords (empty)
A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the Postfix SMTP server will not send in the EHLO response to
a remote SMTP client.
smtpd_delay_open_until_valid_rcpt (yes)
Postpone the start of an SMTP mail transaction until a valid RCPT TO com‐
mand is received.
Available in Postfix version 2.3 and later:
smtpd_tls_always_issue_session_ids (yes)
Force the Postfix SMTP server to issue a TLS session id, even when TLS
session caching is turned off (smtpd_tls_session_cache_database is
empty).
Available in Postfix version 2.6 and later:
tcp_windowsize (0)
An optional workaround for routers that break TCP window scaling.
Available in Postfix version 2.7 and later:
smtpd_command_filter (empty)
A mechanism to transform commands from remote SMTP clients.
Available in Postfix version 2.9 and later:
smtpd_per_record_deadline (normal: no, overload: yes)
Change the behavior of the smtpd_timeout and smtpd_starttls_timeout time
limits, from a time limit per read or write system call, to a time limit
to send or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
ADDRESS REWRITING CONTROLS
See the ADDRESS_REWRITING_README document for a detailed discussion of Postfix
address rewriting.
receive_override_options (empty)
Enable or disable recipient validation, built-in content filtering, or
address mapping.
Available in Postfix version 2.2 and later:
local_header_rewrite_clients (permit_inet_interfaces)
Rewrite message header addresses in mail from these clients and update
incomplete addresses with the domain name in $myorigin or $mydomain;
either don't rewrite message headers from other clients at all, or re‐
write message headers and update incomplete addresses with the domain
specified in the remote_header_rewrite_domain parameter.
BEFORE-SMTPD PROXY AGENT
Available in Postfix version 2.10 and later:
smtpd_upstream_proxy_protocol (empty)
The name of the proxy protocol used by an optional before-smtpd proxy
agent.
smtpd_upstream_proxy_timeout (5s)
The time limit for the proxy protocol specified with the
smtpd_upstream_proxy_protocol parameter.
AFTER QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
As of version 1.0, Postfix can be configured to send new mail to an external
content filter AFTER the mail is queued. This content filter is expected to
inject mail back into a (Postfix or other) MTA for further delivery. See the
FILTER_README document for details.
content_filter (empty)
After the message is queued, send the entire message to the specified
transport:destination.
BEFORE QUEUE EXTERNAL CONTENT INSPECTION CONTROLS
As of version 2.1, the Postfix SMTP server can be configured to send incoming
mail to a real-time SMTP-based content filter BEFORE mail is queued. This con‐
tent filter is expected to inject mail back into Postfix. See the
SMTPD_PROXY_README document for details on how to configure and operate this
feature.
smtpd_proxy_filter (empty)
The hostname and TCP port of the mail filtering proxy server.
smtpd_proxy_ehlo ($myhostname)
How the Postfix SMTP server announces itself to the proxy filter.
smtpd_proxy_options (empty)
List of options that control how the Postfix SMTP server communicates
with a before-queue content filter.
smtpd_proxy_timeout (100s)
The time limit for connecting to a proxy filter and for sending or
receiving information.
BEFORE QUEUE MILTER CONTROLS
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail filter)
protocol. These content filters run outside Postfix. They can inspect the SMTP
command stream and the message content, and can request modifications before
mail is queued. For details see the MILTER_README document.
smtpd_milters (empty)
A list of Milter (mail filter) applications for new mail that arrives via
the Postfix smtpd(8) server.
milter_protocol (6)
The mail filter protocol version and optional protocol extensions for
communication with a Milter application; prior to Postfix 2.6 the default
protocol is 2.
milter_default_action (tempfail)
The default action when a Milter (mail filter) application is unavailable
or mis-configured.
milter_macro_daemon_name ($myhostname)
The {daemon_name} macro value for Milter (mail filter) applications.
milter_macro_v ($mail_name $mail_version)
The {v} macro value for Milter (mail filter) applications.
milter_connect_timeout (30s)
The time limit for connecting to a Milter (mail filter) application, and
for negotiating protocol options.
milter_command_timeout (30s)
The time limit for sending an SMTP command to a Milter (mail filter)
application, and for receiving the response.
milter_content_timeout (300s)
The time limit for sending message content to a Milter (mail filter)
application, and for receiving the response.
milter_connect_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after com‐
pletion of an SMTP connection.
milter_helo_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP HELO or EHLO command.
milter_mail_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP MAIL FROM command.
milter_rcpt_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP RCPT TO command.
milter_data_macros (see 'postconf -d' output)
The macros that are sent to version 4 or higher Milter (mail filter)
applications after the SMTP DATA command.
milter_unknown_command_macros (see 'postconf -d' output)
The macros that are sent to version 3 or higher Milter (mail filter)
applications after an unknown SMTP command.
milter_end_of_header_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
end of the message header.
milter_end_of_data_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
message end-of-data.
GENERAL CONTENT INSPECTION CONTROLS
The following parameters are applicable for both built-in and external content
filters.
Available in Postfix version 2.1 and later:
receive_override_options (empty)
Enable or disable recipient validation, built-in content filtering, or
address mapping.
EXTERNAL CONTENT INSPECTION CONTROLS
The following parameters are applicable for both before-queue and after-queue
content filtering.
Available in Postfix version 2.1 and later:
smtpd_authorized_xforward_hosts (empty)
What remote SMTP clients are allowed to use the XFORWARD feature.
SASL AUTHENTICATION CONTROLS
Postfix SASL support (RFC 4954) can be used to authenticate remote SMTP clients
to the Postfix SMTP server, and to authenticate the Postfix SMTP client to a
remote SMTP server. See the SASL_README document for details.
broken_sasl_auth_clients (no)
Enable inter-operability with remote SMTP clients that implement an obso‐
lete version of the AUTH command (RFC 4954).
smtpd_sasl_auth_enable (no)
Enable SASL authentication in the Postfix SMTP server.
smtpd_sasl_local_domain (empty)
The name of the Postfix SMTP server's local SASL authentication realm.
smtpd_sasl_security_options (noanonymous)
Postfix SMTP server SASL security options; as of Postfix 2.3 the list of
available features depends on the SASL server implementation that is
selected with smtpd_sasl_type.
smtpd_sender_login_maps (empty)
Optional lookup table with the SASL login names that own sender (MAIL
FROM) addresses.
Available in Postfix version 2.1 and later:
smtpd_sasl_exceptions_networks (empty)
What remote SMTP clients the Postfix SMTP server will not offer AUTH sup‐
port to.
Available in Postfix version 2.1 and 2.2:
smtpd_sasl_application_name (smtpd)
The application name that the Postfix SMTP server uses for SASL server
initialization.
Available in Postfix version 2.3 and later:
smtpd_sasl_authenticated_header (no)
Report the SASL authenticated user name in the smtpd(8) Received message
header.
smtpd_sasl_path (smtpd)
Implementation-specific information that the Postfix SMTP server passes
through to the SASL plug-in implementation that is selected with
smtpd_sasl_type.
smtpd_sasl_type (cyrus)
The SASL plug-in type that the Postfix SMTP server should use for authen‐
tication.
Available in Postfix version 2.5 and later:
cyrus_sasl_config_path (empty)
Search path for Cyrus SASL application configuration files, currently
used only to locate the $smtpd_sasl_path.conf file.
Available in Postfix version 2.11 and later:
smtpd_sasl_service (smtp)
The service name that is passed to the SASL plug-in that is selected with
smtpd_sasl_type and smtpd_sasl_path.
STARTTLS SUPPORT CONTROLS
Detailed information about STARTTLS configuration may be found in the TLS_README
document.
smtpd_tls_security_level (empty)
The SMTP TLS security level for the Postfix SMTP server; when a non-empty
value is specified, this overrides the obsolete parameters smtpd_use_tls
and smtpd_enforce_tls.
smtpd_sasl_tls_security_options ($smtpd_sasl_security_options)
The SASL authentication security options that the Postfix SMTP server
uses for TLS encrypted SMTP sessions.
smtpd_starttls_timeout (see 'postconf -d' output)
The time limit for Postfix SMTP server write and read operations during
TLS startup and shutdown handshake procedures.
smtpd_tls_CAfile (empty)
A file containing (PEM format) CA certificates of root CAs trusted to
sign either remote SMTP client certificates or intermediate CA certifi‐
cates.
smtpd_tls_CApath (empty)
A directory containing (PEM format) CA certificates of root CAs trusted
to sign either remote SMTP client certificates or intermediate CA cer‐
tificates.
smtpd_tls_always_issue_session_ids (yes)
Force the Postfix SMTP server to issue a TLS session id, even when TLS
session caching is turned off (smtpd_tls_session_cache_database is
empty).
smtpd_tls_ask_ccert (no)
Ask a remote SMTP client for a client certificate.
smtpd_tls_auth_only (no)
When TLS encryption is optional in the Postfix SMTP server, do not
announce or accept SASL authentication over unencrypted connections.
smtpd_tls_ccert_verifydepth (9)
The verification depth for remote SMTP client certificates.
smtpd_tls_cert_file (empty)
File with the Postfix SMTP server RSA certificate in PEM format.
smtpd_tls_exclude_ciphers (empty)
List of ciphers or cipher types to exclude from the SMTP server cipher
list at all TLS security levels.
smtpd_tls_dcert_file (empty)
File with the Postfix SMTP server DSA certificate in PEM format.
smtpd_tls_dh1024_param_file (empty)
File with DH parameters that the Postfix SMTP server should use with non-
export EDH ciphers.
smtpd_tls_dh512_param_file (empty)
File with DH parameters that the Postfix SMTP server should use with
export-grade EDH ciphers.
smtpd_tls_dkey_file ($smtpd_tls_dcert_file)
File with the Postfix SMTP server DSA private key in PEM format.
smtpd_tls_key_file ($smtpd_tls_cert_file)
File with the Postfix SMTP server RSA private key in PEM format.
smtpd_tls_loglevel (0)
Enable additional Postfix SMTP server logging of TLS activity.
smtpd_tls_mandatory_ciphers (medium)
The minimum TLS cipher grade that the Postfix SMTP server will use with
mandatory TLS encryption.
smtpd_tls_mandatory_exclude_ciphers (empty)
Additional list of ciphers or cipher types to exclude from the Postfix
SMTP server cipher list at mandatory TLS security levels.
smtpd_tls_mandatory_protocols (!SSLv2)
The SSL/TLS protocols accepted by the Postfix SMTP server with mandatory
TLS encryption.
smtpd_tls_received_header (no)
Request that the Postfix SMTP server produces Received: message headers
that include information about the protocol and cipher used, as well as
the remote SMTP client CommonName and client certificate issuer Common‐
Name.
smtpd_tls_req_ccert (no)
With mandatory TLS encryption, require a trusted remote SMTP client cer‐
tificate in order to allow TLS connections to proceed.
smtpd_tls_wrappermode (no)
Run the Postfix SMTP server in the non-standard "wrapper" mode, instead
of using the STARTTLS command.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process
requests from the tlsmgr(8) server in order to seed its internal pseudo
random number generator (PRNG).
tls_high_cipherlist (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
The OpenSSL cipherlist for "HIGH" grade ciphers.
tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
The OpenSSL cipherlist for "MEDIUM" or higher grade ciphers.
tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
The OpenSSL cipherlist for "LOW" or higher grade ciphers.
tls_export_cipherlist (ALL:+RC4:@STRENGTH)
The OpenSSL cipherlist for "EXPORT" or higher grade ciphers.
tls_null_cipherlist (eNULL:!aNULL)
The OpenSSL cipherlist for "NULL" grade ciphers that provide authentica‐
tion without encryption.
Available in Postfix version 2.5 and later:
smtpd_tls_fingerprint_digest (md5)
The message digest algorithm to construct remote SMTP client-certificate
fingerprints or public key fingerprints (Postfix 2.9 and later) for
check_ccert_access and permit_tls_clientcerts.
Available in Postfix version 2.6 and later:
smtpd_tls_protocols (empty)
List of TLS protocols that the Postfix SMTP server will exclude or
include with opportunistic TLS encryption.
smtpd_tls_ciphers (export)
The minimum TLS cipher grade that the Postfix SMTP server will use with
opportunistic TLS encryption.
smtpd_tls_eccert_file (empty)
File with the Postfix SMTP server ECDSA certificate in PEM format.
smtpd_tls_eckey_file ($smtpd_tls_eccert_file)
File with the Postfix SMTP server ECDSA private key in PEM format.
smtpd_tls_eecdh_grade (see 'postconf -d' output)
The Postfix SMTP server security grade for ephemeral elliptic-curve
Diffie-Hellman (EECDH) key exchange.
tls_eecdh_strong_curve (prime256v1)
The elliptic curve used by the Postfix SMTP server for sensibly strong
ephemeral ECDH key exchange.
tls_eecdh_ultra_curve (secp384r1)
The elliptic curve used by the Postfix SMTP server for maximally strong
ephemeral ECDH key exchange.
Available in Postfix version 2.8 and later:
tls_preempt_cipherlist (no)
With SSLv3 and later, use the Postfix SMTP server's cipher preference
order instead of the remote client's cipher preference order.
tls_disable_workarounds (see 'postconf -d' output)
List or bit-mask of OpenSSL bug work-arounds to disable.
Available in Postfix version 2.11 and later:
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
OBSOLETE STARTTLS CONTROLS
The following configuration parameters exist for compatibility with Postfix ver‐
sions before 2.3. Support for these will be removed in a future release.
smtpd_use_tls (no)
Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but
do not require that clients use TLS encryption.
smtpd_enforce_tls (no)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption.
smtpd_tls_cipherlist (empty)
Obsolete Postfix < 2.3 control for the Postfix SMTP server TLS cipher
list.
VERP SUPPORT CONTROLS
With VERP style delivery, each recipient of a message receives a customized copy
of the message with his/her own recipient address encoded in the envelope sender
address. The VERP_README file describes configuration and operation details of
Postfix support for variable envelope return path addresses. VERP style deliv‐
ery is requested with the SMTP XVERP command or with the "sendmail -V" command-
line option and is available in Postfix version 1.1 and later.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP delimiter characters on the Post‐
fix sendmail(1) command line and in SMTP commands.
Available in Postfix version 1.1 and 2.0:
authorized_verp_clients ($mynetworks)
What remote SMTP clients are allowed to specify the XVERP command.
Available in Postfix version 2.1 and later:
smtpd_authorized_verp_clients ($authorized_verp_clients)
What remote SMTP clients are allowed to specify the XVERP command.
TROUBLE SHOOTING CONTROLS
The DEBUG_README document describes how to debug parts of the Postfix mail sys‐
tem. The methods vary from making the software log a lot of detail, to running
some daemon processes under control of a call tracer or debugger.
debug_peer_level (2)
The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server hostname or network address pat‐
terns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.
error_notice_recipient (postmaster)
The recipient of postmaster notifications about mail delivery problems
that are caused by policy, resource, software or protocol errors.
internal_mail_filter_classes (empty)
What categories of Postfix-generated mail are subject to before-queue
content inspection by non_smtpd_milters, header_checks and body_checks.
notify_classes (resource, software)
The list of error classes that are reported to the postmaster.
smtpd_reject_footer (empty)
Optional information that is appended after each Postfix SMTP server 4XX
or 5XX response.
soft_bounce (no)
Safety net to keep mail queued that would otherwise be returned to the
sender.
Available in Postfix version 2.1 and later:
smtpd_authorized_xclient_hosts (empty)
What remote SMTP clients are allowed to use the XCLIENT feature.
Available in Postfix version 2.10 and later:
smtpd_log_access_permit_actions (empty)
Enable logging of the named "permit" actions in SMTP server access lists
(by default, the SMTP server logs "reject" actions but not "permit"
actions).
KNOWN VERSUS UNKNOWN RECIPIENT CONTROLS
As of Postfix version 2.0, the SMTP server rejects mail for unknown recipients.
This prevents the mail queue from clogging up with undeliverable MAILER-DAEMON
messages. Additional information on this topic is in the LOCAL_RECIPIENT_README
and ADDRESS_CLASS_README documents.
show_user_unknown_table_name (yes)
Display the name of the recipient table in the "User unknown" responses.
canonical_maps (empty)
Optional address mapping lookup tables for message headers and envelopes.
recipient_canonical_maps (empty)
Optional address mapping lookup tables for envelope and header recipient
addresses.
Parameters concerning known/unknown local recipients:
mydestination ($myhostname, localhost.$mydomain, localhost)
The list of domains that are delivered via the $local_transport mail
delivery transport.
inet_interfaces (all)
The network interface addresses that this mail system receives mail on.
proxy_interfaces (empty)
The network interface addresses that this mail system receives mail on by
way of a proxy or network address translation unit.
inet_protocols (all)
The Internet protocols Postfix will attempt to use when making or accept‐
ing connections.
local_recipient_maps (proxy:unix:passwd.byname $alias_maps)
Lookup tables with all names or addresses of local recipients: a recipi‐
ent address is local when its domain matches $mydestination, $inet_inter‐
faces or $proxy_interfaces.
unknown_local_recipient_reject_code (550)
The numerical Postfix SMTP server response code when a recipient address
is local, and $local_recipient_maps specifies a list of lookup tables
that does not match the recipient.
Parameters concerning known/unknown recipients of relay destinations:
relay_domains ($mydestination)
What destination domains (and subdomains thereof) this system will relay
mail to.
relay_recipient_maps (empty)
Optional lookup tables with all valid addresses in the domains that match
$relay_domains.
unknown_relay_recipient_reject_code (550)
The numerical Postfix SMTP server reply code when a recipient address
matches $relay_domains, and relay_recipient_maps specifies a list of
lookup tables that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual alias domains:
virtual_alias_domains ($virtual_alias_maps)
Postfix is final destination for the specified list of virtual alias
domains, that is, domains for which all addresses are aliased to
addresses in other local or remote domains.
virtual_alias_maps ($virtual_maps)
Optional lookup tables that alias specific mail addresses or domains to
other local or remote address.
unknown_virtual_alias_reject_code (550)
The Postfix SMTP server reply code when a recipient address matches $vir‐
tual_alias_domains, and $virtual_alias_maps specifies a list of lookup
tables that does not match the recipient address.
Parameters concerning known/unknown recipients in virtual mailbox domains:
virtual_mailbox_domains ($virtual_mailbox_maps)
Postfix is final destination for the specified list of domains; mail is
delivered via the $virtual_transport mail delivery transport.
virtual_mailbox_maps (empty)
Optional lookup tables with all valid addresses in the domains that match
$virtual_mailbox_domains.
unknown_virtual_mailbox_reject_code (550)
The Postfix SMTP server reply code when a recipient address matches $vir‐
tual_mailbox_domains, and $virtual_mailbox_maps specifies a list of
lookup tables that does not match the recipient address.
RESOURCE AND RATE CONTROLS
The following parameters limit resource usage by the SMTP server and/or control
client request rates.
line_length_limit (2048)
Upon input, long lines are chopped up into pieces of at most this length;
upon delivery, long lines are reconstructed.
queue_minfree (0)
The minimal amount of free space in bytes in the queue file system that
is needed to receive mail.
message_size_limit (10240000)
The maximal size in bytes of a message, including envelope information.
smtpd_recipient_limit (1000)
The maximal number of recipients that the Postfix SMTP server accepts per
message delivery request.
smtpd_timeout (normal: 300s, overload: 10s)
The time limit for sending a Postfix SMTP server response and for receiv‐
ing a remote SMTP client request.
smtpd_history_flush_threshold (100)
The maximal number of lines in the Postfix SMTP server command history
before it is flushed upon receipt of EHLO, RSET, or end of DATA.
Available in Postfix version 2.3 and later:
smtpd_peername_lookup (yes)
Attempt to look up the remote SMTP client hostname, and verify that the
name matches the client IP address.
The per SMTP client connection count and request rate limits are implemented in
co-operation with the anvil(8) service, and are available in Postfix version 2.2
and later.
smtpd_client_connection_count_limit (50)
How many simultaneous connections any client is allowed to make to this
service.
smtpd_client_connection_rate_limit (0)
The maximal number of connection attempts any client is allowed to make
to this service per time unit.
smtpd_client_message_rate_limit (0)
The maximal number of message delivery requests that any client is
allowed to make to this service per time unit, regardless of whether or
not Postfix actually accepts those messages.
smtpd_client_recipient_rate_limit (0)
The maximal number of recipient addresses that any client is allowed to
send to this service per time unit, regardless of whether or not Postfix
actually accepts those recipients.
smtpd_client_event_limit_exceptions ($mynetworks)
Clients that are excluded from smtpd_client_*_count/rate_limit restric‐
tions.
Available in Postfix version 2.3 and later:
smtpd_client_new_tls_session_rate_limit (0)
The maximal number of new (i.e., uncached) TLS sessions that a remote
SMTP client is allowed to negotiate with this service per time unit.
Available in Postfix version 2.9 and later:
smtpd_per_record_deadline (normal: no, overload: yes)
Change the behavior of the smtpd_timeout and smtpd_starttls_timeout time
limits, from a time limit per read or write system call, to a time limit
to send or receive a complete record (an SMTP command line, SMTP response
line, SMTP message content line, or TLS protocol message).
TARPIT CONTROLS
When a remote SMTP client makes errors, the Postfix SMTP server can insert
delays before responding. This can help to slow down run-away software. The
behavior is controlled by an error counter that counts the number of errors
within an SMTP session that a client makes without delivering mail.
smtpd_error_sleep_time (1s)
With Postfix version 2.1 and later: the SMTP server response delay after
a client has made more than $smtpd_soft_error_limit errors, and fewer
than $smtpd_hard_error_limit errors, without delivering mail.
smtpd_soft_error_limit (10)
The number of errors a remote SMTP client is allowed to make without
delivering mail before the Postfix SMTP server slows down all its
responses.
smtpd_hard_error_limit (normal: 20, overload: 1)
The maximal number of errors a remote SMTP client is allowed to make
without delivering mail.
smtpd_junk_command_limit (normal: 100, overload: 1)
The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote SMTP
client can send before the Postfix SMTP server starts to increment the
error counter with each junk command.
Available in Postfix version 2.1 and later:
smtpd_recipient_overshoot_limit (1000)
The number of recipients that a remote SMTP client can send in excess of
the limit specified with $smtpd_recipient_limit, before the Postfix SMTP
server increments the per-session error count for each excess recipient.
ACCESS POLICY DELEGATION CONTROLS
As of version 2.1, Postfix can be configured to delegate access policy decisions
to an external server that runs outside Postfix. See the file SMTPD_POL‐
ICY_README for more information.
smtpd_policy_service_max_idle (300s)
The time after which an idle SMTPD policy service connection is closed.
smtpd_policy_service_max_ttl (1000s)
The time after which an active SMTPD policy service connection is closed.
smtpd_policy_service_timeout (100s)
The time limit for connecting to, writing to or receiving from a dele‐
gated SMTPD policy server.
ACCESS CONTROLS
The SMTPD_ACCESS_README document gives an introduction to all the SMTP server
access control features.
smtpd_delay_reject (yes)
Wait until the RCPT TO command before evaluating $smtpd_client_restric‐
tions, $smtpd_helo_restrictions and $smtpd_sender_restrictions, or wait
until the ETRN command before evaluating $smtpd_client_restrictions and
$smtpd_helo_restrictions.
parent_domain_matches_subdomains (see 'postconf -d' output)
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern.
smtpd_client_restrictions (empty)
Optional restrictions that the Postfix SMTP server applies in the context
of a client connection request.
smtpd_helo_required (no)
Require that a remote SMTP client introduces itself with the HELO or EHLO
command before sending the MAIL command or other commands that require
EHLO negotiation.
smtpd_helo_restrictions (empty)
Optional restrictions that the Postfix SMTP server applies in the context
of a client HELO command.
smtpd_sender_restrictions (empty)
Optional restrictions that the Postfix SMTP server applies in the context
of a client MAIL FROM command.
smtpd_recipient_restrictions (see 'postconf -d' output)
Optional restrictions that the Postfix SMTP server applies in the context
of a client RCPT TO command, after smtpd_relay_restrictions.
smtpd_etrn_restrictions (empty)
Optional restrictions that the Postfix SMTP server applies in the context
of a client ETRN command.
allow_untrusted_routing (no)
Forward mail with sender-specified routing (user[@%!]remote[@%!]site)
from untrusted clients to destinations matching $relay_domains.
smtpd_restriction_classes (empty)
User-defined aliases for groups of access restrictions.
smtpd_null_access_lookup_key (<>)
The lookup key to be used in SMTP access(5) tables instead of the null
sender address.
permit_mx_backup_networks (empty)
Restrict the use of the permit_mx_backup SMTP access feature to only
domains whose primary MX hosts match the listed networks.
Available in Postfix version 2.0 and later:
smtpd_data_restrictions (empty)
Optional access restrictions that the Postfix SMTP server applies in the
context of the SMTP DATA command.
smtpd_expansion_filter (see 'postconf -d' output)
What characters are allowed in $name expansions of RBL reply templates.
Available in Postfix version 2.1 and later:
smtpd_reject_unlisted_sender (no)
Request that the Postfix SMTP server rejects mail from unknown sender
addresses, even when no explicit reject_unlisted_sender access restric‐
tion is specified.
smtpd_reject_unlisted_recipient (yes)
Request that the Postfix SMTP server rejects mail for unknown recipient
addresses, even when no explicit reject_unlisted_recipient access
restriction is specified.
Available in Postfix version 2.2 and later:
smtpd_end_of_data_restrictions (empty)
Optional access restrictions that the Postfix SMTP server applies in the
context of the SMTP END-OF-DATA command.
Available in Postfix version 2.10 and later:
smtpd_relay_restrictions (permit_mynetworks, permit_sasl_authenticated,
defer_unauth_destination)
Access restrictions for mail relay control that the Postfix SMTP server
applies in the context of the RCPT TO command, before smtpd_recipi‐
ent_restrictions.
SENDER AND RECIPIENT ADDRESS VERIFICATION CONTROLS
Postfix version 2.1 introduces sender and recipient address verification. This
feature is implemented by sending probe email messages that are not actually
delivered. This feature is requested via the reject_unverified_sender and
reject_unverified_recipient access restrictions. The status of verification
probes is maintained by the verify(8) server. See the file ADDRESS_VERIFICA‐
TION_README for information about how to configure and operate the Postfix
sender/recipient address verification service.
address_verify_poll_count (normal: 3, overload: 1)
How many times to query the verify(8) service for the completion of an
address verification request in progress.
address_verify_poll_delay (3s)
The delay between queries for the completion of an address verification
request in progress.
address_verify_sender ($double_bounce_sender)
The sender address to use in address verification probes; prior to Post‐
fix 2.5 the default was "postmaster".
unverified_sender_reject_code (450)
The numerical Postfix SMTP server response code when a recipient address
is rejected by the reject_unverified_sender restriction.
unverified_recipient_reject_code (450)
The numerical Postfix SMTP server response when a recipient address is
rejected by the reject_unverified_recipient restriction.
Available in Postfix version 2.6 and later:
unverified_sender_defer_code (450)
The numerical Postfix SMTP server response code when a sender address
probe fails due to a temporary error condition.
unverified_recipient_defer_code (450)
The numerical Postfix SMTP server response when a recipient address probe
fails due to a temporary error condition.
unverified_sender_reject_reason (empty)
The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
fied_sender.
unverified_recipient_reject_reason (empty)
The Postfix SMTP server's reply when rejecting mail with reject_unveri‐
fied_recipient.
unverified_sender_tempfail_action ($reject_tempfail_action)
The Postfix SMTP server's action when reject_unverified_sender fails due
to a temporary error condition.
unverified_recipient_tempfail_action ($reject_tempfail_action)
The Postfix SMTP server's action when reject_unverified_recipient fails
due to a temporary error condition.
Available with Postfix 2.9 and later:
address_verify_sender_ttl (0s)
The time between changes in the time-dependent portion of address verifi‐
cation probe sender addresses.
ACCESS CONTROL RESPONSES
The following parameters control numerical SMTP reply codes and/or text
responses.
access_map_reject_code (554)
The numerical Postfix SMTP server response code for an access(5) map
"reject" action.
defer_code (450)
The numerical Postfix SMTP server response code when a remote SMTP client
request is rejected by the "defer" restriction.
invalid_hostname_reject_code (501)
The numerical Postfix SMTP server response code when the client HELO or
EHLO command parameter is rejected by the reject_invalid_helo_hostname
restriction.
maps_rbl_reject_code (554)
The numerical Postfix SMTP server response code when a remote SMTP client
request is blocked by the reject_rbl_client, reject_rhsbl_client,
reject_rhsbl_reverse_client, reject_rhsbl_sender or reject_rhsbl_recipi‐
ent restriction.
non_fqdn_reject_code (504)
The numerical Postfix SMTP server reply code when a client request is
rejected by the reject_non_fqdn_helo_hostname, reject_non_fqdn_sender or
reject_non_fqdn_recipient restriction.
plaintext_reject_code (450)
The numerical Postfix SMTP server response code when a request is
rejected by the reject_plaintext_session restriction.
reject_code (554)
The numerical Postfix SMTP server response code when a remote SMTP client
request is rejected by the "reject" restriction.
relay_domains_reject_code (554)
The numerical Postfix SMTP server response code when a client request is
rejected by the reject_unauth_destination recipient restriction.
unknown_address_reject_code (450)
The numerical Postfix SMTP server response code when a sender or recipi‐
ent address is rejected by the reject_unknown_sender_domain or
reject_unknown_recipient_domain restriction.
unknown_client_reject_code (450)
The numerical Postfix SMTP server response code when a client without
valid address <=> name mapping is rejected by the
reject_unknown_client_hostname restriction.
unknown_hostname_reject_code (450)
The numerical Postfix SMTP server response code when the hostname speci‐
fied with the HELO or EHLO command is rejected by the
reject_unknown_helo_hostname restriction.
Available in Postfix version 2.0 and later:
default_rbl_reply (see 'postconf -d' output)
The default Postfix SMTP server response template for a request that is
rejected by an RBL-based restriction.
multi_recipient_bounce_reject_code (550)
The numerical Postfix SMTP server response code when a remote SMTP client
request is blocked by the reject_multi_recipient_bounce restriction.
rbl_reply_maps (empty)
Optional lookup tables with RBL response templates.
Available in Postfix version 2.6 and later:
access_map_defer_code (450)
The numerical Postfix SMTP server response code for an access(5) map
"defer" action, including "defer_if_permit" or "defer_if_reject".
reject_tempfail_action (defer_if_permit)
The Postfix SMTP server's action when a reject-type restriction fails due
to a temporary error condition.
unknown_helo_hostname_tempfail_action ($reject_tempfail_action)
The Postfix SMTP server's action when reject_unknown_helo_hostname fails
due to an temporary error condition.
unknown_address_tempfail_action ($reject_tempfail_action)
The Postfix SMTP server's action when reject_unknown_sender_domain or
reject_unknown_recipient_domain fail due to a temporary error condition.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications that are generated by the
mail system.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
mail_name (Postfix)
The mail system name that is displayed in Received: headers, in the SMTP
greeting banner, and in bounced mail.
mail_owner (postfix)
The UNIX system account that owns the Postfix queue and most Postfix dae‐
mon processes.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
myhostname (see 'postconf -d' output)
The internet hostname of this mail system.
mynetworks (see 'postconf -d' output)
The list of "trusted" remote SMTP clients that have more privileges than
"strangers".
myorigin ($myhostname)
The domain name that locally-posted mail appears to come from, and that
locally posted mail is delivered to.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
recipient_delimiter (empty)
The set of characters that can separate a user name from its extension
(example: user+foo), or a .forward file name from its extension (example:
.forward+foo).
smtpd_banner ($myhostname ESMTP $mail_name)
The text that follows the 220 status code in the SMTP greeting banner.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
Available in Postfix version 2.2 and later:
smtpd_forbidden_commands (CONNECT, GET, POST)
List of commands that cause the Postfix SMTP server to immediately termi‐
nate the session with a 221 code.
Available in Postfix version 2.5 and later:
smtpd_client_port_logging (no)
Enable logging of the remote SMTP client port in addition to the hostname
and IP address.
SEE ALSO
anvil(8), connection/rate limiting
cleanup(8), message canonicalization
tlsmgr(8), TLS session and PRNG management
trivial-rewrite(8), address resolver
verify(8), address verification service
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
ADDRESS_CLASS_README, blocking unknown hosted or relay recipients
ADDRESS_REWRITING_README Postfix address manipulation
FILTER_README, external after-queue content filter
LOCAL_RECIPIENT_README, blocking unknown local recipients
MILTER_README, before-queue mail filter applications
SMTPD_ACCESS_README, built-in access policies
SMTPD_POLICY_README, external policy server
SMTPD_PROXY_README, external before-queue content filter
SASL_README, Postfix SASL howto
TLS_README, Postfix STARTTLS howto
VERP_README, Postfix XVERP extension
XCLIENT_README, Postfix XCLIENT extension
XFORWARD_README, Postfix XFORWARD extension
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SASL support originally by:
Till Franke
SuSE Rhein/Main AG
65760 Eschborn, Germany
TLS support originally by:
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
Revised TLS support by:
Victor Duchovni
Morgan Stanley
SMTPD(8)
postscreen
Mit Hilfe des postscreen-Daemon kann helfen, die smtpd-Serverprozesse vor unerwünschten Verkehr, die z.B. von SPAM-Botnetzen aus den Server mit SPAM überfluten wollen. Ein postscreen-Prozess kann mehrere smtpd-Prozesse absichern. Typischerweise schützt man damit den SMTP-Port 25, auf dem andere Mailserver ihre Nachrichten einliefern wollen. Zum “wie“ und „Warum“ werden wir hier im Wiki noch in einem gesonderten Kapitel eingehender vertiefen.
Weitere Informationen sind ggf. auch in der manpage von postscreen zu entnehmen.
# man 8 postscreen
POSTSCREEN(8) System Manager's Manual POSTSCREEN(8)
NAME
postscreen - Postfix zombie blocker
SYNOPSIS
postscreen [generic Postfix daemon options]
DESCRIPTION
The Postfix postscreen(8) server provides additional protection against mail
server overload. One postscreen(8) process handles multiple inbound SMTP connec‐
tions, and decides which clients may talk to a Postfix SMTP server process. By
keeping spambots away, postscreen(8) leaves more SMTP server processes available
for legitimate clients, and delays the onset of server overload conditions.
This program should not be used on SMTP ports that receive mail from end-user
clients (MUAs). In a typical deployment, postscreen(8) handles the MX service on
TCP port 25, while MUA clients submit mail via the submission service on TCP
port 587 which requires client authentication. Alternatively, a site could set
up a dedicated, non-postscreen, "port 25" server that provides submission ser‐
vice and client authentication, but no MX service.
postscreen(8) maintains a temporary whitelist for clients that have passed a
number of tests. When an SMTP client IP address is whitelisted, postscreen(8)
hands off the connection immediately to a Postfix SMTP server process. This min‐
imizes the overhead for legitimate mail.
By default, postscreen(8) logs statistics and hands off every connection to a
Postfix SMTP server process, while excluding clients in mynetworks from all
tests (primarily, to avoid problems with non-standard SMTP implementations in
network appliances). This mode is useful for non-destructive testing.
In a typical production setting, postscreen(8) is configured to reject mail from
clients that fail one or more tests. postscreen(8) logs rejected mail with the
client address, helo, sender and recipient information.
postscreen(8) is not an SMTP proxy; this is intentional. The purpose is to keep
spambots away from Postfix SMTP server processes, while minimizing overhead for
legitimate traffic.
SECURITY
The postscreen(8) server is moderately security-sensitive. It talks to
untrusted clients on the network. The process can be run chrooted at fixed low
privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
RFC 2034 (SMTP Enhanced Status Codes)
RFC 2821 (SMTP protocol)
Not: RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
RFC 3461 (SMTP DSN Extension)
RFC 3463 (Enhanced Status Codes)
RFC 5321 (SMTP protocol, including multi-line 220 banners)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The postscreen(8) built-in SMTP protocol engine currently does not announce sup‐
port for AUTH, XCLIENT or XFORWARD. If you need to make these services avail‐
able on port 25, then do not enable the optional "after 220 server greeting"
tests, and do not use DNSBLs that reject traffic from dial-up and residential
networks.
The optional "after 220 server greeting" tests involve postscreen(8)'s built-in
SMTP protocol engine. When these tests succeed, postscreen(8) adds the client to
the temporary whitelist, but it cannot not hand off the "live" connection to a
Postfix SMTP server process in the middle of a session. Instead, postscreen(8)
defers attempts to deliver mail with a 4XX status, and waits for the client to
disconnect. When the client connects again, postscreen(8) will allow the client
to talk to a Postfix SMTP server process (provided that the whitelist status has
not expired). postscreen(8) mitigates the impact of this limitation by giving
the "after 220 server greeting" tests a long expiration time.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as postscreen(8) processes
may run for several hours. Use the command "postfix reload" after a configura‐
tion change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
NOTE: Some postscreen(8) parameters implement stress-dependent behavior. This
is supported only when the default parameter value is stress-dependent (that is,
it looks like ${stress?X}${stress:Y}, or it is the $name of an smtpd parameter
with a stress-dependent default). Other parameters always evaluate as if the
stress parameter value is the empty string.
COMPATIBILITY CONTROLS
postscreen_command_filter ($smtpd_command_filter)
A mechanism to transform commands from remote SMTP clients.
postscreen_discard_ehlo_keyword_address_maps ($smtpd_discard_ehlo_key‐
word_address_maps)
Lookup tables, indexed by the remote SMTP client address, with case
insensitive lists of EHLO keywords (pipelining, starttls, auth, etc.)
that the postscreen(8) server will not send in the EHLO response to a
remote SMTP client.
postscreen_discard_ehlo_keywords ($smtpd_discard_ehlo_keywords)
A case insensitive list of EHLO keywords (pipelining, starttls, auth,
etc.) that the postscreen(8) server will not send in the EHLO response to
a remote SMTP client.
TROUBLE SHOOTING CONTROLS
postscreen_expansion_filter (see 'postconf -d' output)
List of characters that are permitted in postscreen_reject_footer
attribute expansions.
postscreen_reject_footer ($smtpd_reject_footer)
Optional information that is appended after a 4XX or 5XX postscreen(8)
server response.
soft_bounce (no)
Safety net to keep mail queued that would otherwise be returned to the
sender.
BEFORE-POSTSCREEN PROXY AGENT
Available in Postfix version 2.10 and later:
postscreen_upstream_proxy_protocol (empty)
The name of the proxy protocol used by an optional before-postscreen
proxy agent.
postscreen_upstream_proxy_timeout (5s)
The time limit for the proxy protocol specified with the
postscreen_upstream_proxy_protocol parameter.
PERMANENT WHITE/BLACKLIST TEST
This test is executed immediately after a remote SMTP client connects. If a
client is permanently whitelisted, the client will be handed off immediately to
a Postfix SMTP server process.
postscreen_access_list (permit_mynetworks)
Permanent white/blacklist for remote SMTP client IP addresses.
postscreen_blacklist_action (ignore)
The action that postscreen(8) takes when a remote SMTP client is perma‐
nently blacklisted with the postscreen_access_list parameter.
MAIL EXCHANGER POLICY TESTS
When postscreen(8) is configured to monitor all primary and backup MX addresses,
it can refuse to whitelist clients that connect to a backup MX address only. For
small sites, this requires configuring primary and backup MX addresses on the
same MTA. Larger sites would have to share the postscreen(8) cache between pri‐
mary and backup MTAs, which would introduce a common point of failure.
postscreen_whitelist_interfaces (static:all)
A list of local postscreen(8) server IP addresses where a non-whitelisted
remote SMTP client can obtain postscreen(8)'s temporary whitelist status.
BEFORE 220 GREETING TESTS
These tests are executed before the remote SMTP client receives the "220 server‐
name" greeting. If no tests remain after the successful completion of this
phase, the client will be handed off immediately to a Postfix SMTP server
process.
dnsblog_service_name (dnsblog)
The name of the dnsblog(8) service entry in master.cf.
postscreen_dnsbl_action (ignore)
The action that postscreen(8) takes when a remote SMTP client's combined
DNSBL score is equal to or greater than a threshold (as defined with the
postscreen_dnsbl_sites and postscreen_dnsbl_threshold parameters).
postscreen_dnsbl_reply_map (empty)
A mapping from actual DNSBL domain name which includes a secret password,
to the DNSBL domain name that postscreen will reply with when it rejects
mail.
postscreen_dnsbl_sites (empty)
Optional list of DNS white/blacklist domains, filters and weight factors.
postscreen_dnsbl_threshold (1)
The inclusive lower bound for blocking a remote SMTP client, based on its
combined DNSBL score as defined with the postscreen_dnsbl_sites parame‐
ter.
postscreen_greet_action (ignore)
The action that postscreen(8) takes when a remote SMTP client speaks
before its turn within the time specified with the postscreen_greet_wait
parameter.
postscreen_greet_banner ($smtpd_banner)
The text in the optional "220-text..." server response that postscreen(8)
sends ahead of the real Postfix SMTP server's "220 text..." response, in
an attempt to confuse bad SMTP clients so that they speak before their
turn (pre-greet).
postscreen_greet_wait (${stress?2}${stress:6}s)
The amount of time that postscreen(8) will wait for an SMTP client to
send a command before its turn, and for DNS blocklist lookup results to
arrive (default: up to 2 seconds under stress, up to 6 seconds other‐
wise).
smtpd_service_name (smtpd)
The internal service that postscreen(8) hands off allowed connections to.
Available in Postfix version 2.11 and later:
postscreen_dnsbl_whitelist_threshold (0)
Allow a remote SMTP client to skip "before" and "after 220 greeting" pro‐
tocol tests, based on its combined DNSBL score as defined with the
postscreen_dnsbl_sites parameter.
AFTER 220 GREETING TESTS
These tests are executed after the remote SMTP client receives the "220 server‐
name" greeting. If a client passes all tests during this phase, it will receive
a 4XX response to all RCPT TO commands. After the client reconnects, it will be
allowed to talk directly to a Postfix SMTP server process.
postscreen_bare_newline_action (ignore)
The action that postscreen(8) takes when a remote SMTP client sends a
bare newline character, that is, a newline not preceded by carriage
return.
postscreen_bare_newline_enable (no)
Enable "bare newline" SMTP protocol tests in the postscreen(8) server.
postscreen_disable_vrfy_command ($disable_vrfy_command)
Disable the SMTP VRFY command in the postscreen(8) daemon.
postscreen_forbidden_commands ($smtpd_forbidden_commands)
List of commands that the postscreen(8) server considers in violation of
the SMTP protocol.
postscreen_helo_required ($smtpd_helo_required)
Require that a remote SMTP client sends HELO or EHLO before commencing a
MAIL transaction.
postscreen_non_smtp_command_action (drop)
The action that postscreen(8) takes when a remote SMTP client sends non-
SMTP commands as specified with the postscreen_forbidden_commands parame‐
ter.
postscreen_non_smtp_command_enable (no)
Enable "non-SMTP command" tests in the postscreen(8) server.
postscreen_pipelining_action (enforce)
The action that postscreen(8) takes when a remote SMTP client sends mul‐
tiple commands instead of sending one command and waiting for the server
to respond.
postscreen_pipelining_enable (no)
Enable "pipelining" SMTP protocol tests in the postscreen(8) server.
CACHE CONTROLS
postscreen_cache_cleanup_interval (12h)
The amount of time between postscreen(8) cache cleanup runs.
postscreen_cache_map (btree:$data_directory/postscreen_cache)
Persistent storage for the postscreen(8) server decisions.
postscreen_cache_retention_time (7d)
The amount of time that postscreen(8) will cache an expired temporary
whitelist entry before it is removed.
postscreen_bare_newline_ttl (30d)
The amount of time that postscreen(8) will use the result from a success‐
ful "bare newline" SMTP protocol test.
postscreen_dnsbl_ttl (1h)
The amount of time that postscreen(8) will use the result from a success‐
ful DNS blocklist test.
postscreen_greet_ttl (1d)
The amount of time that postscreen(8) will use the result from a success‐
ful PREGREET test.
postscreen_non_smtp_command_ttl (30d)
The amount of time that postscreen(8) will use the result from a success‐
ful "non_smtp_command" SMTP protocol test.
postscreen_pipelining_ttl (30d)
The amount of time that postscreen(8) will use the result from a success‐
ful "pipelining" SMTP protocol test.
RESOURCE CONTROLS
line_length_limit (2048)
Upon input, long lines are chopped up into pieces of at most this length;
upon delivery, long lines are reconstructed.
postscreen_client_connection_count_limit ($smtpd_client_connection_count_limit)
How many simultaneous connections any remote SMTP client is allowed to
have with the postscreen(8) daemon.
postscreen_command_count_limit (20)
The limit on the total number of commands per SMTP session for
postscreen(8)'s built-in SMTP protocol engine.
postscreen_command_time_limit (${stress?10}${stress:300}s)
The time limit to read an entire command line with postscreen(8)'s built-
in SMTP protocol engine.
postscreen_post_queue_limit ($default_process_limit)
The number of clients that can be waiting for service from a real Postfix
SMTP server process.
postscreen_pre_queue_limit ($default_process_limit)
The number of non-whitelisted clients that can be waiting for a decision
whether they will receive service from a real Postfix SMTP server
process.
postscreen_watchdog_timeout (10s)
How much time a postscreen(8) process may take to respond to a remote
SMTP client command or to perform a cache operation before it is termi‐
nated by a built-in watchdog timer.
STARTTLS CONTROLS
postscreen_tls_security_level ($smtpd_tls_security_level)
The SMTP TLS security level for the postscreen(8) server; when a non-
empty value is specified, this overrides the obsolete parameters
postscreen_use_tls and postscreen_enforce_tls.
tlsproxy_service_name (tlsproxy)
The name of the tlsproxy(8) service entry in master.cf.
OBSOLETE STARTTLS SUPPORT CONTROLS
These parameters are supported for compatibility with smtpd(8) legacy parame‐
ters.
postscreen_use_tls ($smtpd_use_tls)
Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but
do not require that clients use TLS encryption.
postscreen_enforce_tls ($smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
command_directory (see 'postconf -d' output)
The location of all postfix administrative commands.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
tlsproxy(8), Postfix TLS proxy server
dnsblog(8), DNS black/whitelist logger
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
POSTSCREEN_README, Postfix Postscreen Howto
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.8.
Many ideas in postscreen(8) were explored in earlier work by Michael Tokarev, in
OpenBSD spamd, and in MailChannels Traffic Control.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTSCREEN(8)
dnsblog
Der dnsblog-Daemon implementiert einen ad-hoc DNS white/blacklist lookup service. Wietse Venema plant diesen Daemon direkt als eigenes UDP-Client im postscreen-Modul zu implementieren. Weitere Hinweise findet man in der manpage zum dnsblog-Daemon.
# man 8 dnsblog
DNSBLOG(8) System Manager's Manual DNSBLOG(8)
NAME
dnsblog - Postfix DNS white/blacklist logger
SYNOPSIS
dnsblog [generic Postfix daemon options]
DESCRIPTION
The dnsblog(8) server implements an ad-hoc DNS white/blacklist lookup service.
This may eventually be replaced by an UDP client that is built directly into the
postscreen(8) server.
PROTOCOL
With each connection, the dnsblog(8) server receives a DNS white/blacklist
domain name, IP address, and an ID. If the address is listed under the DNS
white/blacklist, the dnsblog(8) server logs the match and replies with the query
arguments plus an address list with the resulting IP addresses separated by
whitespace. Otherwise it replies with the query arguments plus an empty address
list. Finally, The dnsblog(8) server closes the connection.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as dnsblog(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
postscreen_dnsbl_sites (empty)
Optional list of DNS white/blacklist domains, filters and weight factors.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
syslogd(5), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.8.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
DNSBLOG(8)
tlsproxy
Der tlsproxy Daemon stellt einen Serverseitigen TLS-Proxy-Dienst zur Verfügung, der von postscreen dazu benutzt wird, um mit Clients, die nicht in der whitelist stehen. Ebenso kann der tlsproxy für „Nicht-SMTP-Protokolle“ verwendet werden. Eine tlsproxy-Verbindung kann dabei für mehrere Session gleichzeitig genutzt werden. Somit kann die Load des Servers begrenzt werden, der daqnn auch unter hohen Verkehrsaufkommen erreichbar bleiben kann.
Weitere informationen zum tlsproxy Daemon findet man in dessen manpage.
# man 8 tlsproxy
TLSPROXY(8) System Manager's Manual TLSPROXY(8)
NAME
tlsproxy - Postfix TLS proxy
SYNOPSIS
tlsproxy [generic Postfix daemon options]
DESCRIPTION
The tlsproxy(8) server implements a server-side TLS proxy. It is used by
postscreen(8) to talk SMTP-over-TLS with remote SMTP clients that are not
whitelisted (including clients whose whitelist status has expired), but it
should also work for non-SMTP protocols.
Although one tlsproxy(8) process can serve multiple sessions at the same time,
it is a good idea to allow the number of processes to increase with load, so
that the service remains responsive.
PROTOCOL EXAMPLE
The example below concerns postscreen(8). However, the tlsproxy(8) server is
agnostic of the application protocol, and the example is easily adapted to other
applications.
After receiving a valid remote SMTP client STARTTLS command, the postscreen(8)
server sends the remote SMTP client endpoint string, the requested role
(server), and the requested timeout to tlsproxy(8). postscreen(8) then receives
a "TLS available" indication from tlsproxy(8). If the TLS service is available,
postscreen(8) sends the remote SMTP client file descriptor to tlsproxy(8), and
sends the plaintext 220 greeting to the remote SMTP client. This triggers TLS
negotiations between the remote SMTP client and tlsproxy(8). Upon completion of
the TLS-level handshake, tlsproxy(8) translates between plaintext from/to
postscreen(8) and ciphertext to/from the remote SMTP client.
SECURITY
The tlsproxy(8) server is moderately security-sensitive. It talks to untrusted
clients on the network. The process can be run chrooted at fixed low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as tlsproxy(8) processes may
run for a long time depending on mail server load. Use the command "postfix
reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
STARTTLS SUPPORT CONTROLS
tlsproxy_tls_CAfile ($smtpd_tls_CAfile)
A file containing (PEM format) CA certificates of root CAs trusted to
sign either remote SMTP client certificates or intermediate CA certifi‐
cates.
tlsproxy_tls_CApath ($smtpd_tls_CApath)
A directory containing (PEM format) CA certificates of root CAs trusted
to sign either remote SMTP client certificates or intermediate CA cer‐
tificates.
tlsproxy_tls_always_issue_session_ids ($smtpd_tls_always_issue_session_ids)
Force the Postfix tlsproxy(8) server to issue a TLS session id, even when
TLS session caching is turned off.
tlsproxy_tls_ask_ccert ($smtpd_tls_ask_ccert)
Ask a remote SMTP client for a client certificate.
tlsproxy_tls_ccert_verifydepth ($smtpd_tls_ccert_verifydepth)
The verification depth for remote SMTP client certificates.
tlsproxy_tls_cert_file ($smtpd_tls_cert_file)
File with the Postfix tlsproxy(8) server RSA certificate in PEM format.
tlsproxy_tls_ciphers ($smtpd_tls_ciphers)
The minimum TLS cipher grade that the Postfix tlsproxy(8) server will use
with opportunistic TLS encryption.
tlsproxy_tls_dcert_file ($smtpd_tls_dcert_file)
File with the Postfix tlsproxy(8) server DSA certificate in PEM format.
tlsproxy_tls_dh1024_param_file ($smtpd_tls_dh1024_param_file)
File with DH parameters that the Postfix tlsproxy(8) server should use
with non-export EDH ciphers.
tlsproxy_tls_dh512_param_file ($smtpd_tls_dh512_param_file)
File with DH parameters that the Postfix tlsproxy(8) server should use
with export-grade EDH ciphers.
tlsproxy_tls_dkey_file ($smtpd_tls_dkey_file)
File with the Postfix tlsproxy(8) server DSA private key in PEM format.
tlsproxy_tls_eccert_file ($smtpd_tls_eccert_file)
File with the Postfix tlsproxy(8) server ECDSA certificate in PEM format.
tlsproxy_tls_eckey_file ($smtpd_tls_eckey_file)
File with the Postfix tlsproxy(8) server ECDSA private key in PEM format.
tlsproxy_tls_eecdh_grade ($smtpd_tls_eecdh_grade)
The Postfix tlsproxy(8) server security grade for ephemeral elliptic-
curve Diffie-Hellman (EECDH) key exchange.
tlsproxy_tls_exclude_ciphers ($smtpd_tls_exclude_ciphers)
List of ciphers or cipher types to exclude from the tlsproxy(8) server
cipher list at all TLS security levels.
tlsproxy_tls_fingerprint_digest ($smtpd_tls_fingerprint_digest)
The message digest algorithm to construct remote SMTP client-certificate
fingerprints.
tlsproxy_tls_key_file ($smtpd_tls_key_file)
File with the Postfix tlsproxy(8) server RSA private key in PEM format.
tlsproxy_tls_loglevel ($smtpd_tls_loglevel)
Enable additional Postfix tlsproxy(8) server logging of TLS activity.
tlsproxy_tls_mandatory_ciphers ($smtpd_tls_mandatory_ciphers)
The minimum TLS cipher grade that the Postfix tlsproxy(8) server will use
with mandatory TLS encryption.
tlsproxy_tls_mandatory_exclude_ciphers ($smtpd_tls_mandatory_exclude_ciphers)
Additional list of ciphers or cipher types to exclude from the
tlsproxy(8) server cipher list at mandatory TLS security levels.
tlsproxy_tls_mandatory_protocols ($smtpd_tls_mandatory_protocols)
The SSL/TLS protocols accepted by the Postfix tlsproxy(8) server with
mandatory TLS encryption.
tlsproxy_tls_protocols ($smtpd_tls_protocols)
List of TLS protocols that the Postfix tlsproxy(8) server will exclude or
include with opportunistic TLS encryption.
tlsproxy_tls_req_ccert ($smtpd_tls_req_ccert)
With mandatory TLS encryption, require a trusted remote SMTP client cer‐
tificate in order to allow TLS connections to proceed.
tlsproxy_tls_security_level ($smtpd_tls_security_level)
The SMTP TLS security level for the Postfix tlsproxy(8) server; when a
non-empty value is specified, this overrides the obsolete parameters
smtpd_use_tls and smtpd_enforce_tls.
Available in Postfix version 2.11 and later:
tlsmgr_service_name (tlsmgr)
The name of the tlsmgr(8) service entry in master.cf.
OBSOLETE STARTTLS SUPPORT CONTROLS
These parameters are supported for compatibility with smtpd(8) legacy parame‐
ters.
tlsproxy_use_tls ($smtpd_use_tls)
Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but
do not require that clients use TLS encryption.
tlsproxy_enforce_tls ($smtpd_enforce_tls)
Mandatory TLS: announce STARTTLS support to remote SMTP clients, and
require that clients use TLS encryption.
RESOURCE CONTROLS
tlsproxy_watchdog_timeout (10s)
How much time a tlsproxy(8) process may take to process local or remote
I/O before it is terminated by a built-in watchdog timer.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
postscreen(8), Postfix zombie blocker
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
syslogd(5), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.8.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TLSPROXY(8)
submission
Zu Entgegennahme von Nachrichten bedient der smtpd Server auf Port 587 ausschließlich von authentifizierten Benutzer. Dieser Daemon stellt den MSA6)-Server zur Verfügung, auf dem die MUAs7) Ihre eMail einliefern können. Nach Prüfung gibt der Submission-Server die nachricht an den cleanup-Daemon weiter.
qmqpd
Der qmqpd, stellt aus kompatibilitätsgründen QMQP8) zur Verfügung. Der Postfix QMQP Server empfängt eine Nachricht pro Anschluss, die er dann zum cleanup-Modul weitergeleitet wird. In der incoming-Queue wird jede einzelne Nachricht in einem eigenen Queue-File geschrieben. Zur Absicherung des Daemon werden Verbindungen nur von extra berechtigten Clients angenommen (access policy). Nähere Hinweise zum qmqpd findet man in dessen manpage.
# man 8 qmqpd
QMQPD(8) System Manager's Manual QMQPD(8)
NAME
qmqpd - Postfix QMQP server
SYNOPSIS
qmqpd [generic Postfix daemon options]
DESCRIPTION
The Postfix QMQP server receives one message per connection. Each message is
piped through the cleanup(8) daemon, and is placed into the incoming queue as
one single queue file. The program expects to be run from the master(8) process
manager.
The QMQP server implements one access policy: only explicitly authorized client
hosts are allowed to use the service.
SECURITY
The QMQP server is moderately security-sensitive. It talks to QMQP clients and
to DNS servers on the network. The QMQP server can be run chrooted at fixed low
privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The QMQP protocol provides only one server reply per message delivery. It is
therefore not possible to reject individual recipients.
The QMQP protocol requires the server to receive the entire message before
replying. If a message is malformed, or if any netstring component is longer
than acceptable, Postfix replies immediately and closes the connection. It is
left up to the client to handle the situation.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as qmqpd(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
CONTENT INSPECTION CONTROLS
content_filter (empty)
After the message is queued, send the entire message to the specified
transport:destination.
receive_override_options (empty)
Enable or disable recipient validation, built-in content filtering, or
address mapping.
RESOURCE AND RATE CONTROLS
line_length_limit (2048)
Upon input, long lines are chopped up into pieces of at most this length;
upon delivery, long lines are reconstructed.
hopcount_limit (50)
The maximal number of Received: message headers that is allowed in the
primary message headers.
message_size_limit (10240000)
The maximal size in bytes of a message, including envelope information.
qmqpd_timeout (300s)
The time limit for sending or receiving information over the network.
TROUBLE SHOOTING CONTROLS
debug_peer_level (2)
The increment in verbose logging level when a remote client or server
matches a pattern in the debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server hostname or network address pat‐
terns that cause the verbose logging level to increase by the amount
specified in $debug_peer_level.
soft_bounce (no)
Safety net to keep mail queued that would otherwise be returned to the
sender.
TARPIT CONTROLS
qmqpd_error_delay (1s)
How long the Postfix QMQP server will pause before sending a negative
reply to the remote QMQP client.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
qmqpd_authorized_clients (empty)
What remote QMQP clients are allowed to connect to the Postfix QMQP
server port.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP delimiter characters on the Post‐
fix sendmail(1) command line and in SMTP commands.
Available in Postfix version 2.5 and later:
qmqpd_client_port_logging (no)
Enable logging of the remote QMQP client port in addition to the hostname
and IP address.
SEE ALSO
http://cr.yp.to/proto/qmqp.html, QMQP protocol
cleanup(8), message canonicalization
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
QMQP_README, Postfix ezmlm-idx howto.
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The qmqpd service was introduced with Postfix version 1.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
QMQPD(8)
pickup
Der pickup-Daemon hat die Aufgabe Nachrichten aus der maildrop-Queue abzuholen, die dort vom sendmail-Client-Programm abgelegt wurden und übergibt die Nachricht dann nach erfolgter Prüfung an den cleanup-Daemon.
Weitere Hinweise zum pickup-Daemon findet man in dessen manpage.
# man 8 pickup
PICKUP(8) System Manager's Manual PICKUP(8)
NAME
pickup - Postfix local mail pickup
SYNOPSIS
pickup [generic Postfix daemon options]
DESCRIPTION
The pickup(8) daemon waits for hints that new mail has been dropped into the
maildrop directory, and feeds it into the cleanup(8) daemon. Ill-formatted
files are deleted without notifying the originator. This program expects to be
run from the master(8) process manager.
STANDARDS
None. The pickup(8) daemon does not interact with the outside world.
SECURITY
The pickup(8) daemon is moderately security sensitive. It runs with fixed low
privilege and can run in a chrooted environment. However, the program reads
files from potentially hostile users. The pickup(8) daemon opens no files for
writing, is careful about what files it opens for reading, and does not actually
touch any data that is sent to its public service endpoint.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The pickup(8) daemon copies mail from file to the cleanup(8) daemon. It could
avoid message copying overhead by sending a file descriptor instead of file
data, but then the already complex cleanup(8) daemon would have to deal with
unfiltered user data.
CONFIGURATION PARAMETERS
As the pickup(8) daemon is a relatively long-running process, up to an hour may
pass before a main.cf change takes effect. Use the command "postfix reload"
command to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
CONTENT INSPECTION CONTROLS
content_filter (empty)
After the message is queued, send the entire message to the specified
transport:destination.
receive_override_options (empty)
Enable or disable recipient validation, built-in content filtering, or
address mapping.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
line_length_limit (2048)
Upon input, long lines are chopped up into pieces of at most this length;
upon delivery, long lines are reconstructed.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
cleanup(8), message canonicalization
sendmail(1), Sendmail-compatible interface
postdrop(1), mail posting agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PICKUP(8)
cleanup
Der cleanup-Daemon verarbeitet eingehende Nachrichten. So werden ggf. fehlende Mailheader From:, To:, Message-Id: sowie Date: ergänzt oder auch Adressen mit Hilfe der beiden Tabellen virtual_maps und cannonical_maps umgeschrieben. Nach der initialen Verarbeitung der Nachricht, legt der cleanup-Daemon die Nachricht in der incoming-Queue ab und informiert den qmgr-Daemon.
Nähere Informationen zum cleanup-Daemon findet man in dessen manpage.
# man 8 cleanup
CLEANUP(8) System Manager's Manual CLEANUP(8)
NAME
cleanup - canonicalize and enqueue Postfix message
SYNOPSIS
cleanup [generic Postfix daemon options]
DESCRIPTION
The cleanup(8) daemon processes inbound mail, inserts it into the incoming mail
queue, and informs the queue manager of its arrival.
The cleanup(8) daemon always performs the following transformations:
· Insert missing message headers: (Resent-) From:, To:, Message-Id:, and
Date:.
· Transform envelope and header addresses to the standard user@fully-quali‐
fied-domain form that is expected by other Postfix programs. This task
is delegated to the trivial-rewrite(8) daemon.
· Eliminate duplicate envelope recipient addresses.
The following address transformations are optional:
· Optionally, rewrite all envelope and header addresses according to the
mappings specified in the canonical(5) lookup tables.
· Optionally, masquerade envelope sender addresses and message header
addresses (i.e. strip host or domain information below all domains listed
in the masquerade_domains parameter, except for user names listed in mas‐
querade_exceptions). By default, address masquerading does not affect
envelope recipients.
· Optionally, expand envelope recipients according to information found in
the virtual(5) lookup tables.
The cleanup(8) daemon performs sanity checks on the content of each message.
When it finds a problem, by default it returns a diagnostic status to the
client, and leaves it up to the client to deal with the problem. Alternatively,
the client can request the cleanup(8) daemon to bounce the message back to the
sender in case of trouble.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 2045 (MIME: Format of Internet Message Bodies)
RFC 2046 (MIME: Media Types)
RFC 2822 (Internet Message Format)
RFC 3463 (Enhanced Status Codes)
RFC 3464 (Delivery status notifications)
RFC 5322 (Internet Message Format)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Table-driven rewriting rules make it hard to express if then else and other log‐
ical relationships.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as cleanup(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
COMPATIBILITY CONTROLS
undisclosed_recipients_header (see 'postconf -d' output)
Message header that the Postfix cleanup(8) server inserts when a message
contains no To: or Cc: message header.
Available in Postfix version 2.1 only:
enable_errors_to (no)
Report mail delivery errors to the address specified with the non-stan‐
dard Errors-To: message header, instead of the envelope sender address
(this feature is removed with Postfix version 2.2, is turned off by
default with Postfix version 2.1, and is always turned on with older
Postfix versions).
Available in Postfix version 2.6 and later:
always_add_missing_headers (no)
Always add (Resent-) From:, To:, Date: or Message-ID: headers when not
present.
Available in Postfix version 2.9 and later:
enable_long_queue_ids (no)
Enable long, non-repeating, queue IDs (queue file names).
BUILT-IN CONTENT FILTERING CONTROLS
Postfix built-in content filtering is meant to stop a flood of worms or viruses.
It is not a general content filter.
body_checks (empty)
Optional lookup tables for content inspection as specified in the
body_checks(5) manual page.
header_checks (empty)
Optional lookup tables for content inspection of primary non-MIME message
headers, as specified in the header_checks(5) manual page.
Available in Postfix version 2.0 and later:
body_checks_size_limit (51200)
How much text in a message body segment (or attachment, if you prefer to
use that term) is subjected to body_checks inspection.
mime_header_checks ($header_checks)
Optional lookup tables for content inspection of MIME related message
headers, as described in the header_checks(5) manual page.
nested_header_checks ($header_checks)
Optional lookup tables for content inspection of non-MIME message headers
in attached messages, as described in the header_checks(5) manual page.
Available in Postfix version 2.3 and later:
message_reject_characters (empty)
The set of characters that Postfix will reject in message content.
message_strip_characters (empty)
The set of characters that Postfix will remove from message content.
BEFORE QUEUE MILTER CONTROLS
As of version 2.3, Postfix supports the Sendmail version 8 Milter (mail filter)
protocol. When mail is not received via the smtpd(8) server, the cleanup(8)
server will simulate SMTP events to the extent that this is possible. For
details see the MILTER_README document.
non_smtpd_milters (empty)
A list of Milter (mail filter) applications for new mail that does not
arrive via the Postfix smtpd(8) server.
milter_protocol (6)
The mail filter protocol version and optional protocol extensions for
communication with a Milter application; prior to Postfix 2.6 the default
protocol is 2.
milter_default_action (tempfail)
The default action when a Milter (mail filter) application is unavailable
or mis-configured.
milter_macro_daemon_name ($myhostname)
The {daemon_name} macro value for Milter (mail filter) applications.
milter_macro_v ($mail_name $mail_version)
The {v} macro value for Milter (mail filter) applications.
milter_connect_timeout (30s)
The time limit for connecting to a Milter (mail filter) application, and
for negotiating protocol options.
milter_command_timeout (30s)
The time limit for sending an SMTP command to a Milter (mail filter)
application, and for receiving the response.
milter_content_timeout (300s)
The time limit for sending message content to a Milter (mail filter)
application, and for receiving the response.
milter_connect_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after com‐
pletion of an SMTP connection.
milter_helo_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP HELO or EHLO command.
milter_mail_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP MAIL FROM command.
milter_rcpt_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
SMTP RCPT TO command.
milter_data_macros (see 'postconf -d' output)
The macros that are sent to version 4 or higher Milter (mail filter)
applications after the SMTP DATA command.
milter_unknown_command_macros (see 'postconf -d' output)
The macros that are sent to version 3 or higher Milter (mail filter)
applications after an unknown SMTP command.
milter_end_of_data_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
message end-of-data.
Available in Postfix version 2.5 and later:
milter_end_of_header_macros (see 'postconf -d' output)
The macros that are sent to Milter (mail filter) applications after the
end of the message header.
Available in Postfix version 2.7 and later:
milter_header_checks (empty)
Optional lookup tables for content inspection of message headers that are
produced by Milter applications.
MIME PROCESSING CONTROLS
Available in Postfix version 2.0 and later:
disable_mime_input_processing (no)
Turn off MIME processing while receiving mail.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart boundary strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME processor will handle.
strict_8bitmime (no)
Enable both strict_7bit_headers and strict_8bitmime_body.
strict_7bit_headers (no)
Reject mail with 8-bit text in message headers.
strict_8bitmime_body (no)
Reject 8-bit message body text without 8-bit MIME content encoding infor‐
mation.
strict_mime_encoding_domain (no)
Reject mail with invalid Content-Transfer-Encoding: information for the
message/* or multipart/* MIME content types.
Available in Postfix version 2.5 and later:
detect_8bit_encoding_header (yes)
Automatically detect 8BITMIME body content by looking at Content-Trans‐
fer-Encoding: message headers; historically, this behavior was hard-coded
to be "always on".
AUTOMATIC BCC RECIPIENT CONTROLS
Postfix can automatically add BCC (blind carbon copy) when mail enters the mail
system:
always_bcc (empty)
Optional address that receives a "blind carbon copy" of each message that
is received by the Postfix mail system.
Available in Postfix version 2.1 and later:
sender_bcc_maps (empty)
Optional BCC (blind carbon-copy) address lookup tables, indexed by sender
address.
recipient_bcc_maps (empty)
Optional BCC (blind carbon-copy) address lookup tables, indexed by recip‐
ient address.
ADDRESS TRANSFORMATION CONTROLS
Address rewriting is delegated to the trivial-rewrite(8) daemon. The cleanup(8)
server implements table driven address mapping.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the null address.
canonical_maps (empty)
Optional address mapping lookup tables for message headers and envelopes.
recipient_canonical_maps (empty)
Optional address mapping lookup tables for envelope and header recipient
addresses.
sender_canonical_maps (empty)
Optional address mapping lookup tables for envelope and header sender
addresses.
masquerade_classes (envelope_sender, header_sender, header_recipient)
What addresses are subject to address masquerading.
masquerade_domains (empty)
Optional list of domains whose subdomain structure will be stripped off
in email addresses.
masquerade_exceptions (empty)
Optional list of user names that are not subjected to address masquerad‐
ing, even when their address matches $masquerade_domains.
propagate_unmatched_extensions (canonical, virtual)
What address lookup tables copy an address extension from the lookup key
to the lookup result.
Available before Postfix version 2.0:
virtual_maps (empty)
Optional lookup tables with a) names of domains for which all addresses
are aliased to addresses in other local or remote domains, and b)
addresses that are aliased to addresses in other local or remote domains.
Available in Postfix version 2.0 and later:
virtual_alias_maps ($virtual_maps)
Optional lookup tables that alias specific mail addresses or domains to
other local or remote address.
Available in Postfix version 2.2 and later:
canonical_classes (envelope_sender, envelope_recipient, header_sender,
header_recipient)
What addresses are subject to canonical_maps address mapping.
recipient_canonical_classes (envelope_recipient, header_recipient)
What addresses are subject to recipient_canonical_maps address mapping.
sender_canonical_classes (envelope_sender, header_sender)
What addresses are subject to sender_canonical_maps address mapping.
remote_header_rewrite_domain (empty)
Don't rewrite message headers from remote clients at all when this param‐
eter is empty; otherwise, rewrite message headers and append the speci‐
fied domain name to incomplete addresses.
RESOURCE AND RATE CONTROLS
duplicate_filter_limit (1000)
The maximal number of addresses remembered by the address duplicate fil‐
ter for aliases(5) or virtual(5) alias expansion, or for showq(8) queue
displays.
header_size_limit (102400)
The maximal amount of memory in bytes for storing a message header.
hopcount_limit (50)
The maximal number of Received: message headers that is allowed in the
primary message headers.
in_flow_delay (1s)
Time to pause before accepting a new message, when the message arrival
rate exceeds the message delivery rate.
message_size_limit (10240000)
The maximal size in bytes of a message, including envelope information.
Available in Postfix version 2.0 and later:
header_address_token_limit (10240)
The maximal number of address tokens are allowed in an address message
header.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart boundary strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME processor will handle.
queue_file_attribute_count_limit (100)
The maximal number of (name=value) attributes that may be stored in a
Postfix queue file.
Available in Postfix version 2.1 and later:
virtual_alias_expansion_limit (1000)
The maximal number of addresses that virtual alias expansion produces
from each original recipient.
virtual_alias_recursion_limit (1000)
The maximal nesting depth of virtual alias expansion.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
delay_warning_time (0h)
The time after which the sender receives a copy of the message headers of
mail that is still queued.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
myhostname (see 'postconf -d' output)
The internet hostname of this mail system.
myorigin ($myhostname)
The domain name that locally-posted mail appears to come from, and that
locally posted mail is delivered to.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
soft_bounce (no)
Safety net to keep mail queued that would otherwise be returned to the
sender.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
Available in Postfix version 2.1 and later:
enable_original_recipient (yes)
Enable support for the X-Original-To message header.
FILES
/etc/postfix/canonical*, canonical mapping table
/etc/postfix/virtual*, virtual mapping table
SEE ALSO
trivial-rewrite(8), address rewriting
qmgr(8), queue manager
header_checks(5), message header content inspection
body_checks(5), body parts content inspection
canonical(5), canonical address lookup table format
virtual(5), virtual alias lookup table format
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
ADDRESS_REWRITING_README Postfix address manipulation
CONTENT_INSPECTION_README content inspection
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
CLEANUP(8)
qmgr
Der qmgr-Daemon erwartet ankommende Nachrichten in der incoming-Queue und kümmert sich dann um die entsprechend richtige Zuordnung der eMails an die betreffenden ausgehenden Mail-Daemone lmtp, local, smtp bzw. pipe-Daemon. Dabei verwaltet der Queue-Manger-Daemon die gerade in der Verarbeit befindlichen Nachrichten in der active-Queue. Können Nachrichten gerade nicht zugestellt werden, verschiebt der qmgr-Daemon vom Arbeitsspeicher in Richtung deferred-Queue, also in Richtung Storage. Neben der drei bereits genannten Mail-Queues kenn postfix noch die hold-Queue, in der Nachrichten gehalten werden, bis diese wieder freigegeben werden. Die letzte Queue ist die corrupt-Queue, in der unlesbare bzw. beschädigte Queue-Dateien abgelegt werden, damit diese später separat (vom Mailadmin) geprüft werden können.
Nähere Hinweise findet man wie immer in der manpage des Daemon.
# man 8 qmgr
QMGR(8) System Manager's Manual QMGR(8)
NAME
qmgr - Postfix queue manager
SYNOPSIS
qmgr [generic Postfix daemon options]
DESCRIPTION
The qmgr(8) daemon awaits the arrival of incoming mail and arranges for its
delivery via Postfix delivery processes. The actual mail routing strategy is
delegated to the trivial-rewrite(8) daemon. This program expects to be run from
the master(8) process manager.
Mail addressed to the local double-bounce address is logged and discarded. This
stops potential loops caused by undeliverable bounce notifications.
MAIL QUEUES
The qmgr(8) daemon maintains the following queues:
incoming
Inbound mail from the network, or mail picked up by the local pickup(8)
daemon from the maildrop directory.
active Messages that the queue manager has opened for delivery. Only a limited
number of messages is allowed to enter the active queue (leaky bucket
strategy, for a fixed delivery rate).
deferred
Mail that could not be delivered upon the first attempt. The queue man‐
ager implements exponential backoff by doubling the time between delivery
attempts.
corrupt
Unreadable or damaged queue files are moved here for inspection.
hold Messages that are kept "on hold" are kept here until someone sets them
free.
DELIVERY STATUS REPORTS
The qmgr(8) daemon keeps an eye on per-message delivery status reports in the
following directories. Each status report file has the same name as the corre‐
sponding message file:
bounce Per-recipient status information about why mail is bounced. These files
are maintained by the bounce(8) daemon.
defer Per-recipient status information about why mail is delayed. These files
are maintained by the defer(8) daemon.
trace Per-recipient status information as requested with the Postfix "sendmail
-v" or "sendmail -bv" command. These files are maintained by the
trace(8) daemon.
The qmgr(8) daemon is responsible for asking the bounce(8), defer(8) or trace(8)
daemons to send delivery reports.
STRATEGIES
The queue manager implements a variety of strategies for either opening queue
files (input) or for message delivery (output).
leaky bucket
This strategy limits the number of messages in the active queue and pre‐
vents the queue manager from running out of memory under heavy load.
fairness
When the active queue has room, the queue manager takes one message from
the incoming queue and one from the deferred queue. This prevents a large
mail backlog from blocking the delivery of new mail.
slow start
This strategy eliminates "thundering herd" problems by slowly adjusting
the number of parallel deliveries to the same destination.
round robin
The queue manager sorts delivery requests by destination. Round-robin
selection prevents one destination from dominating deliveries to other
destinations.
exponential backoff
Mail that cannot be delivered upon the first attempt is deferred. The
time interval between delivery attempts is doubled after each attempt.
destination status cache
The queue manager avoids unnecessary delivery attempts by maintaining a
short-term, in-memory list of unreachable destinations.
preemptive message scheduling
The queue manager attempts to minimize the average per-recipient delay
while still preserving the correct per-message delays, using a sophisti‐
cated preemptive message scheduling.
TRIGGERS
On an idle system, the queue manager waits for the arrival of trigger events, or
it waits for a timer to go off. A trigger is a one-byte message. Depending on
the message received, the queue manager performs one of the following actions
(the message is followed by the symbolic constant used internally by the soft‐
ware):
D (QMGR_REQ_SCAN_DEFERRED)
Start a deferred queue scan. If a deferred queue scan is already in
progress, that scan will be restarted as soon as it finishes.
I (QMGR_REQ_SCAN_INCOMING)
Start an incoming queue scan. If an incoming queue scan is already in
progress, that scan will be restarted as soon as it finishes.
A (QMGR_REQ_SCAN_ALL)
Ignore deferred queue file time stamps. The request affects the next
deferred queue scan.
F (QMGR_REQ_FLUSH_DEAD)
Purge all information about dead transports and destinations.
W (TRIGGER_REQ_WAKEUP)
Wakeup call, This is used by the master server to instantiate servers
that should not go away forever. The action is to start an incoming queue
scan.
The qmgr(8) daemon reads an entire buffer worth of triggers. Multiple identical
trigger requests are collapsed into one, and trigger requests are sorted so that
A and F precede D and I. Thus, in order to force a deferred queue run, one would
request A F D; in order to notify the queue manager of the arrival of new mail
one would request I.
STANDARDS
RFC 3463 (Enhanced status codes)
RFC 3464 (Delivery status notifications)
SECURITY
The qmgr(8) daemon is not security sensitive. It reads single-character messages
from untrusted local users, and thus may be susceptible to denial of service
attacks. The qmgr(8) daemon does not talk to the outside world, and it can be
run at fixed low privilege in a chrooted environment.
DIAGNOSTICS
Problems and transactions are logged to the syslog daemon. Corrupted message
files are saved to the corrupt queue for further inspection.
Depending on the setting of the notify_classes parameter, the postmaster is
notified of bounces and of other trouble.
BUGS
A single queue manager process has to compete for disk access with multiple
front-end processes such as cleanup(8). A sudden burst of inbound mail can nega‐
tively impact outbound delivery rates.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically as qmgr(8) is a persistent
process. Use the "postfix reload" command after a configuration change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
In the text below, transport is the first field in a master.cf entry.
COMPATIBILITY CONTROLS
Available before Postfix version 2.5:
allow_min_user (no)
Allow a sender or recipient address to have `-' as the first character.
Available with Postfix version 2.7 and later:
default_filter_nexthop (empty)
When a content_filter or FILTER request specifies no explicit next-hop
destination, use $default_filter_nexthop instead; when that value is
empty, use the domain in the recipient address.
ACTIVE QUEUE CONTROLS
qmgr_clog_warn_time (300s)
The minimal delay between warnings that a specific destination is clog‐
ging up the Postfix active queue.
qmgr_message_active_limit (20000)
The maximal number of messages in the active queue.
qmgr_message_recipient_limit (20000)
The maximal number of recipients held in memory by the Postfix queue man‐
ager, and the maximal size of the short-term, in-memory "dead" destina‐
tion status cache.
qmgr_message_recipient_minimum (10)
The minimal number of in-memory recipients for any message.
default_recipient_limit (20000)
The default per-transport upper limit on the number of in-memory recipi‐
ents.
transport_recipient_limit ($default_recipient_limit)
Idem, for delivery via the named message transport.
default_extra_recipient_limit (1000)
The default value for the extra per-transport limit imposed on the number
of in-memory recipients.
transport_extra_recipient_limit ($default_extra_recipient_limit)
Idem, for delivery via the named message transport.
Available in Postfix version 2.4 and later:
default_recipient_refill_limit (100)
The default per-transport limit on the number of recipients refilled at
once.
transport_recipient_refill_limit ($default_recipient_refill_limit)
Idem, for delivery via the named message transport.
default_recipient_refill_delay (5s)
The default per-transport maximum delay between recipients refills.
transport_recipient_refill_delay ($default_recipient_refill_delay)
Idem, for delivery via the named message transport.
DELIVERY CONCURRENCY CONTROLS
initial_destination_concurrency (5)
The initial per-destination concurrency level for parallel delivery to
the same destination.
default_destination_concurrency_limit (20)
The default maximal number of parallel deliveries to the same destina‐
tion.
transport_destination_concurrency_limit ($default_destination_concurrency_limit)
Idem, for delivery via the named message transport.
Available in Postfix version 2.5 and later:
transport_initial_destination_concurrency ($initial_destination_concurrency)
Initial concurrency for delivery via the named message transport.
default_destination_concurrency_failed_cohort_limit (1)
How many pseudo-cohorts must suffer connection or handshake failure
before a specific destination is considered unavailable (and further
delivery is suspended).
transport_destination_concurrency_failed_cohort_limit ($default_destination_con‐
currency_failed_cohort_limit)
Idem, for delivery via the named message transport.
default_destination_concurrency_negative_feedback (1)
The per-destination amount of delivery concurrency negative feedback,
after a delivery completes with a connection or handshake failure.
transport_destination_concurrency_negative_feedback ($default_destination_con‐
currency_negative_feedback)
Idem, for delivery via the named message transport.
default_destination_concurrency_positive_feedback (1)
The per-destination amount of delivery concurrency positive feedback,
after a delivery completes without connection or handshake failure.
transport_destination_concurrency_positive_feedback ($default_destination_con‐
currency_positive_feedback)
Idem, for delivery via the named message transport.
destination_concurrency_feedback_debug (no)
Make the queue manager's feedback algorithm verbose for performance anal‐
ysis purposes.
RECIPIENT SCHEDULING CONTROLS
default_destination_recipient_limit (50)
The default maximal number of recipients per message delivery.
transport_destination_recipient_limit ($default_destination_recipient_limit)
Idem, for delivery via the named message transport.
MESSAGE SCHEDULING CONTROLS
default_delivery_slot_cost (5)
How often the Postfix queue manager's scheduler is allowed to preempt
delivery of one message with another.
transport_delivery_slot_cost ($default_delivery_slot_cost)
Idem, for delivery via the named message transport.
default_minimum_delivery_slots (3)
How many recipients a message must have in order to invoke the Postfix
queue manager's scheduling algorithm at all.
transport_minimum_delivery_slots ($default_minimum_delivery_slots)
Idem, for delivery via the named message transport.
default_delivery_slot_discount (50)
The default value for transport-specific _delivery_slot_discount set‐
tings.
transport_delivery_slot_discount ($default_delivery_slot_discount)
Idem, for delivery via the named message transport.
default_delivery_slot_loan (3)
The default value for transport-specific _delivery_slot_loan settings.
transport_delivery_slot_loan ($default_delivery_slot_loan)
Idem, for delivery via the named message transport.
OTHER RESOURCE AND RATE CONTROLS
minimal_backoff_time (300s)
The minimal time between attempts to deliver a deferred message; prior to
Postfix 2.4 the default value was 1000s.
maximal_backoff_time (4000s)
The maximal time between attempts to deliver a deferred message.
maximal_queue_lifetime (5d)
Consider a message as undeliverable, when delivery fails with a temporary
error, and the time in the queue has reached the maximal_queue_lifetime
limit.
queue_run_delay (300s)
The time between deferred queue scans by the queue manager; prior to
Postfix 2.4 the default value was 1000s.
transport_retry_time (60s)
The time between attempts by the Postfix queue manager to contact a mal‐
functioning message delivery transport.
Available in Postfix version 2.1 and later:
bounce_queue_lifetime (5d)
Consider a bounce message as undeliverable, when delivery fails with a
temporary error, and the time in the queue has reached the
bounce_queue_lifetime limit.
Available in Postfix version 2.5 and later:
default_destination_rate_delay (0s)
The default amount of delay that is inserted between individual deliver‐
ies to the same destination; the resulting behavior depends on the value
of the corresponding per-destination recipient limit.
transport_destination_rate_delay $default_destination_rate_delay
Idem, for delivery via the named message transport.
SAFETY CONTROLS
qmgr_daemon_timeout (1000s)
How much time a Postfix queue manager process may take to handle a
request before it is terminated by a built-in watchdog timer.
qmgr_ipc_timeout (60s)
The time limit for the queue manager to send or receive information over
an internal communication channel.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
defer_transports (empty)
The names of message delivery transports that should not deliver mail
unless someone issues "sendmail -q" or equivalent.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
helpful_warnings (yes)
Log warnings about problematic configuration settings, and provide help‐
ful suggestions.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/incoming, incoming queue
/var/spool/postfix/active, active queue
/var/spool/postfix/deferred, deferred queue
/var/spool/postfix/bounce, non-delivery status
/var/spool/postfix/defer, non-delivery status
/var/spool/postfix/trace, delivery status
SEE ALSO
trivial-rewrite(8), address routing
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
SCHEDULER_README, scheduling algorithm
QSHAPE_README, Postfix queue analysis
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Preemptive scheduler enhancements:
Patrik Rak
Modra 6
155 00, Prague, Czech Republic
QMGR(8)
tlsmgr
Der tlsmgr-Daemon verwendet die Postfix TLS Session Caches. Er speichert und empfängt Cache-Einträge des smtpd-Daemons und auch smtp-Clientprogramms und löscht diese wieder, sobald diese abgelaufen sind. Darüber hinaus verwaltet der tlsmgr-Daemon den PRNG9)-Pool.
Weitere Informationen findet man in der manpage des tlsmgr-Daemon.
# man 8 tlsmgr
TLSMGR(8) System Manager's Manual TLSMGR(8)
NAME
tlsmgr - Postfix TLS session cache and PRNG manager
SYNOPSIS
tlsmgr [generic Postfix daemon options]
DESCRIPTION
The tlsmgr(8) manages the Postfix TLS session caches. It stores and retrieves
cache entries on request by smtpd(8) and smtp(8) processes, and periodically
removes entries that have expired.
The tlsmgr(8) also manages the PRNG (pseudo random number generator) pool. It
answers queries by the smtpd(8) and smtp(8) processes to seed their internal
PRNG pools.
The tlsmgr(8)'s PRNG pool is initially seeded from an external source (EGD,
/dev/urandom, or regular file). It is updated at configurable pseudo-random
intervals with data from the external source. It is updated periodically with
data from TLS session cache entries and with the time of day, and is updated
with the time of day whenever a process requests tlsmgr(8) service.
The tlsmgr(8) saves the PRNG state to an exchange file periodically and when the
process terminates, and reads the exchange file when initializing its PRNG.
SECURITY
The tlsmgr(8) is not security-sensitive. The code that maintains the external
and internal PRNG pools does not "trust" the data that it manipulates, and the
code that maintains the TLS session cache does not touch the contents of the
cached entries, except for seeding its internal PRNG pool.
The tlsmgr(8) can be run chrooted and with reduced privileges. At process
startup it connects to the entropy source and exchange file, and creates or
truncates the optional TLS session cache files.
With Postfix version 2.5 and later, the tlsmgr(8) no longer uses root privileges
when opening cache files. These files should now be stored under the Postfix-
owned data_directory. As a migration aid, an attempt to open a cache file under
a non-Postfix directory is redirected to the Postfix-owned data_directory, and a
warning is logged.
DIAGNOSTICS
Problems and transactions are logged to the syslog daemon.
BUGS
There is no automatic means to limit the number of entries in the TLS session
caches and/or the size of the TLS cache files.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, because tlsmgr(8) is a per‐
sistent processes. Use the command "postfix reload" after a configuration
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
TLS SESSION CACHE
lmtp_tls_loglevel (0)
The LMTP-specific version of the smtp_tls_loglevel configuration parame‐
ter.
lmtp_tls_session_cache_database (empty)
The LMTP-specific version of the smtp_tls_session_cache_database configu‐
ration parameter.
lmtp_tls_session_cache_timeout (3600s)
The LMTP-specific version of the smtp_tls_session_cache_timeout configu‐
ration parameter.
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging of TLS activity.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP client TLS session
cache.
smtp_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP client TLS session cache information.
smtpd_tls_loglevel (0)
Enable additional Postfix SMTP server logging of TLS activity.
smtpd_tls_session_cache_database (empty)
Name of the file containing the optional Postfix SMTP server TLS session
cache.
smtpd_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP server TLS session cache information.
PSEUDO RANDOM NUMBER GENERATOR
tls_random_source (see 'postconf -d' output)
The external entropy source for the in-memory tlsmgr(8) pseudo random
number generator (PRNG) pool.
tls_random_bytes (32)
The number of bytes that tlsmgr(8) reads from $tls_random_source when
(re)seeding the in-memory pseudo random number generator (PRNG) pool.
tls_random_exchange_name (see 'postconf -d' output)
Name of the pseudo random number generator (PRNG) state file that is
maintained by tlsmgr(8).
tls_random_prng_update_period (3600s)
The time between attempts by tlsmgr(8) to save the state of the pseudo
random number generator (PRNG) to the file specified with $tls_ran‐
dom_exchange_name.
tls_random_reseed_period (3600s)
The maximal time between attempts by tlsmgr(8) to re-seed the in-memory
pseudo random number generator (PRNG) pool from external sources.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
data_directory (see 'postconf -d' output)
The directory with Postfix-writable data files (for example: caches,
pseudo-random numbers).
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtp(8), Postfix SMTP client
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this
information.
TLS_README, Postfix TLS configuration and operation
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.2.
AUTHOR(S)
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
Adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TLSMGR(8)
trivial-rewrite
Der trivial-rewrite-Daemon ist für drei verschiedene Clientanfragen zuständig, den rewrite, resolve und verify.
- rewrite Hier werden Adressen, die nicht dem Standardformat „user@fqdn“ entsprechen geprüft, korrigiert und umgeschrieben.
- resolve Hier ermittelt der Daemon anhand der Informationen aus transport, nexthop, recipient und flags wohin die Nachricht vom qmgr als nächstes geroutet werden soll.
- verify Hier bearbeitet die Daemon entsprechende Adressverification-Anfragen.
Nähere Hinwiese zum trivial-rewrite-Daemon findet man in dessen manpage.
# man 8 trivial-rewrite
TRIVIAL-REWRITE(8) System Manager's Manual TRIVIAL-REWRITE(8)
NAME
trivial-rewrite - Postfix address rewriting and resolving daemon
SYNOPSIS
trivial-rewrite [generic Postfix daemon options]
DESCRIPTION
The trivial-rewrite(8) daemon processes three types of client service requests:
rewrite context address
Rewrite an address to standard form, according to the address rewriting
context:
local Append the domain names specified with $myorigin or $mydomain to
incomplete addresses; do swap_bangpath and allow_percent_hack pro‐
cessing as described below, and strip source routed addresses
(@site,@site:user@domain) to user@domain form.
remote Append the domain name specified with $remote_header_rewrite_domain
to incomplete addresses. Otherwise the result is identical to that
of the local address rewriting context. This prevents Postfix from
appending the local domain to spam from poorly written remote
clients.
resolve sender address
Resolve the address to a (transport, nexthop, recipient, flags) quadruple.
The meaning of the results is as follows:
transport
The delivery agent to use. This is the first field of an entry in
the master.cf file.
nexthop
The host to send to and optional delivery method information.
recipient
The envelope recipient address that is passed on to nexthop.
flags The address class, whether the address requires relaying, whether
the address has problems, and whether the request failed.
verify sender address
Resolve the address for address verification purposes.
SERVER PROCESS MANAGEMENT
The trivial-rewrite(8) servers run under control by the Postfix master server.
Each server can handle multiple simultaneous connections. When all servers are
busy while a client connects, the master creates a new server process, provided
that the trivial-rewrite server process limit is not exceeded. Each trivial-re‐
write server terminates after serving at least $max_use clients of after $max_idle
seconds of idle time.
STANDARDS
None. The command does not interact with the outside world.
SECURITY
The trivial-rewrite(8) daemon is not security sensitive. By default, this daemon
does not talk to remote or local users. It can run at a fixed low privilege in a
chrooted environment.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
On busy mail systems a long time may pass before a main.cf change affecting triv‐
ial-rewrite(8) is picked up. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
COMPATIBILITY CONTROLS
resolve_dequoted_address (yes)
Resolve a recipient address safely instead of correctly, by looking inside
quotes.
Available with Postfix version 2.1 and later:
resolve_null_domain (no)
Resolve an address that ends in the "@" null domain as if the local host‐
name were specified, instead of rejecting the address as invalid.
Available with Postfix version 2.3 and later:
resolve_numeric_domain (no)
Resolve "user@ipaddress" as "user@[ipaddress]", instead of rejecting the
address as invalid.
Available with Postfix version 2.5 and later:
allow_min_user (no)
Allow a sender or recipient address to have `-' as the first character.
ADDRESS REWRITING CONTROLS
myorigin ($myhostname)
The domain name that locally-posted mail appears to come from, and that
locally posted mail is delivered to.
allow_percent_hack (yes)
Enable the rewriting of the form "user%domain" to "user@domain".
append_at_myorigin (yes)
With locally submitted mail, append the string "@$myorigin" to mail
addresses without domain information.
append_dot_mydomain (yes)
With locally submitted mail, append the string ".$mydomain" to addresses
that have no ".domain" information.
recipient_delimiter (empty)
The set of characters that can separate a user name from its extension
(example: user+foo), or a .forward file name from its extension (example:
.forward+foo).
swap_bangpath (yes)
Enable the rewriting of "site!user" into "user@site".
Available in Postfix 2.2 and later:
remote_header_rewrite_domain (empty)
Don't rewrite message headers from remote clients at all when this parame‐
ter is empty; otherwise, rewrite message headers and append the specified
domain name to incomplete addresses.
ROUTING CONTROLS
The following is applicable to Postfix version 2.0 and later. Earlier versions do
not have support for: virtual_transport, relay_transport, virtual_alias_domains,
virtual_mailbox_domains or proxy_interfaces.
local_transport (local:$myhostname)
The default mail delivery transport and next-hop destination for final
delivery to domains listed with mydestination, and for [ipaddress] destina‐
tions that match $inet_interfaces or $proxy_interfaces.
virtual_transport (virtual)
The default mail delivery transport and next-hop destination for final
delivery to domains listed with $virtual_mailbox_domains.
relay_transport (relay)
The default mail delivery transport and next-hop destination for remote
delivery to domains listed with $relay_domains.
default_transport (smtp)
The default mail delivery transport and next-hop destination for destina‐
tions that do not match $mydestination, $inet_interfaces, $proxy_inter‐
faces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains.
parent_domain_matches_subdomains (see 'postconf -d' output)
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern.
relayhost (empty)
The next-hop destination of non-local mail; overrides non-local domains in
recipient addresses.
transport_maps (empty)
Optional lookup tables with mappings from recipient address to (message
delivery transport, next-hop destination).
Available in Postfix version 2.3 and later:
sender_dependent_relayhost_maps (empty)
A sender-dependent override for the global relayhost parameter setting.
Available in Postfix version 2.5 and later:
empty_address_relayhost_maps_lookup_key (<>)
The sender_dependent_relayhost_maps search string that will be used instead
of the null sender address.
Available in Postfix version 2.7 and later:
empty_address_default_transport_maps_lookup_key (<>)
The sender_dependent_default_transport_maps search string that will be used
instead of the null sender address.
sender_dependent_default_transport_maps (empty)
A sender-dependent override for the global default_transport parameter set‐
ting.
ADDRESS VERIFICATION CONTROLS
Postfix version 2.1 introduces sender and recipient address verification. This
feature is implemented by sending probe email messages that are not actually
delivered. By default, address verification probes use the same route as regular
mail. To override specific aspects of message routing for address verification
probes, specify one or more of the following:
address_verify_local_transport ($local_transport)
Overrides the local_transport parameter setting for address verification
probes.
address_verify_virtual_transport ($virtual_transport)
Overrides the virtual_transport parameter setting for address verification
probes.
address_verify_relay_transport ($relay_transport)
Overrides the relay_transport parameter setting for address verification
probes.
address_verify_default_transport ($default_transport)
Overrides the default_transport parameter setting for address verification
probes.
address_verify_relayhost ($relayhost)
Overrides the relayhost parameter setting for address verification probes.
address_verify_transport_maps ($transport_maps)
Overrides the transport_maps parameter setting for address verification
probes.
Available in Postfix version 2.3 and later:
address_verify_sender_dependent_relayhost_maps ($sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address
verification probes.
Available in Postfix version 2.7 and later:
address_verify_sender_dependent_default_transport_maps ($sender_depen‐
dent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for
address verification probes.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the null address.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
relocated_maps (empty)
Optional lookup tables with new contact information for users or domains
that no longer exist.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
show_user_unknown_table_name (yes)
Display the name of the recipient table in the "User unknown" responses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
Available in Postfix version 2.0 and later:
helpful_warnings (yes)
Log warnings about problematic configuration settings, and provide helpful
suggestions.
SEE ALSO
postconf(5), configuration parameters
transport(5), transport table format
relocated(5), format of the "user has moved" table
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
ADDRESS_CLASS_README, Postfix address classes howto
ADDRESS_VERIFICATION_README, Postfix address verification
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TRIVIAL-REWRITE(8)
bounce, defer, trace
Die drei Daemons bounce, defer und trace bilden zwei wesentliche Funktionen des MTA ab. Zum einen verständigen diese bei Bedarf einen Absender, sofern seine eMail zugestellt wurde, verzögert zugestellt oder eben nicht zugestellt werden konnte. Dazu stehen diese Daemons in direktem Kontakt mit dem qmgr-Daemon damit diese die vorgenannten Statusberichte versenden oder Nachrichten, die nicht zugestellt worden sind, in die deferred-Queue verschieben können.
Weitere Hinweise findet man zu den drei Daemons in der manpage von bounce.
# man 8 bounce
BOUNCE(8) System Manager's Manual BOUNCE(8)
NAME
bounce - Postfix delivery status reports
SYNOPSIS
bounce [generic Postfix daemon options]
DESCRIPTION
The bounce(8) daemon maintains per-message log files with delivery status informa‐
tion. Each log file is named after the queue file that it corresponds to, and is
kept in a queue subdirectory named after the service name in the master.cf file
(either bounce, defer or trace). This program expects to be run from the mas‐
ter(8) process manager.
The bounce(8) daemon processes two types of service requests:
· Append a recipient (non-)delivery status record to a per-message log file.
· Enqueue a delivery status notification message, with a copy of a per-mes‐
sage log file and of the corresponding message. When the delivery status
notification message is enqueued successfully, the per-message log file is
deleted.
The software does a best notification effort. A non-delivery notification is sent
even when the log file or the original message cannot be read.
Optionally, a bounce (defer, trace) client can request that the per-message log
file be deleted when the requested operation fails. This is used by clients that
cannot retry transactions by themselves, and that depend on retry logic in their
own client.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 2045 (Format of Internet Message Bodies)
RFC 2822 (Internet Message Format)
RFC 3462 (Delivery Status Notifications)
RFC 3464 (Delivery Status Notifications)
RFC 3834 (Auto-Submitted: message header)
RFC 5322 (Internet Message Format)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as bounce(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
2bounce_notice_recipient (postmaster)
The recipient of undeliverable mail that cannot be returned to the sender.
backwards_bounce_logfile_compatibility (yes)
Produce additional bounce(8) logfile records that can be read by Postfix
versions before 2.0.
bounce_notice_recipient (postmaster)
The recipient of postmaster notifications with the message headers of mail
that Postfix did not deliver and of SMTP conversation transcripts of mail
that Postfix did not receive.
bounce_size_limit (50000)
The maximal amount of original message text that is sent in a non-delivery
notification.
bounce_template_file (empty)
Pathname of a configuration file with bounce message templates.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
delay_notice_recipient (postmaster)
The recipient of postmaster notifications with the message headers of mail
that cannot be delivered within $delay_warning_time time units.
deliver_lock_attempts (20)
The maximal number of attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an exclusive lock on a mailbox file or
bounce(8) logfile.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
internal_mail_filter_classes (empty)
What categories of Postfix-generated mail are subject to before-queue con‐
tent inspection by non_smtpd_milters, header_checks and body_checks.
mail_name (Postfix)
The mail system name that is displayed in Received: headers, in the SMTP
greeting banner, and in bounced mail.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
notify_classes (resource, software)
The list of error classes that are reported to the postmaster.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/bounce/* non-delivery records
/var/spool/postfix/defer/* non-delivery records
/var/spool/postfix/trace/* delivery status records
SEE ALSO
bounce(5), bounce message template format
qmgr(8), queue manager
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
BOUNCE(8)
verify
Der verify-Daemon erstellt und verwaltet eine Liste aller Empfängeradressen und vermerkt dabei, ob diese zustellbar bzw. unzustellbar sind. Dabei werden alle Routing und Rewrite-Mechanismen in der Mailzustellung bewertet. Das Prüfungsergebnis, ob eine Empfängeradresse als grundsätzlich erreichbar oder nicht erreichbar vermerkt wird, basieren auf dem nächsten MTA-Hop!
Weitere Informationen zum verify-Daemon findet man in dessen manpage.
# man 8 verify
VERIFY(8) System Manager's Manual VERIFY(8)
NAME
verify - Postfix address verification server
SYNOPSIS
verify [generic Postfix daemon options]
DESCRIPTION
The verify(8) address verification server maintains a record of what recipient
addresses are known to be deliverable or undeliverable.
Addresses are verified by injecting probe messages into the Postfix queue. Probe
messages are run through all the routing and rewriting machinery except for final
delivery, and are discarded rather than being deferred or bounced.
Address verification relies on the answer from the nearest MTA for the specified
address, and will therefore not detect all undeliverable addresses.
The verify(8) server is designed to run under control by the Postfix master
server. It maintains an optional persistent database. To avoid being interrupted
by "postfix stop" in the middle of a database update, the process runs in a sepa‐
rate process group.
The verify(8) server implements the following requests:
update address status text
Update the status and text of the specified address.
query address
Look up the status and text for the specified address. If the status is
unknown, a probe is sent and an "in progress" status is returned.
SECURITY
The address verification server is not security-sensitive. It does not talk to the
network, and it does not talk to local users. The verify server can run chrooted
at fixed low privilege.
The address verification server can be coerced to store unlimited amounts of
garbage. Limiting the cache expiry time trades one problem (disk space exhaustion)
for another one (poor response time to client requests).
With Postfix version 2.5 and later, the verify(8) server no longer uses root priv‐
ileges when opening the address_verify_map cache file. The file should now be
stored under the Postfix-owned data_directory. As a migration aid, an attempt to
open a cache file under a non-Postfix directory is redirected to the Postfix-owned
data_directory, and a warning is logged.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Address verification probe messages add additional traffic to the mail queue.
Recipient verification may cause an increased load on down-stream servers in the
case of a dictionary attack or a flood of backscatter bounces. Sender address
verification may cause your site to be blacklisted by some providers.
If the persistent database ever gets corrupted then the world comes to an end and
human intervention is needed. This violates a basic Postfix principle.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically, as verify(8) processes are
long-lived. Use the command "postfix reload" after a configuration change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
PROBE MESSAGE CONTROLS
address_verify_sender ($double_bounce_sender)
The sender address to use in address verification probes; prior to Postfix
2.5 the default was "postmaster".
Available with Postfix 2.9 and later:
address_verify_sender_ttl (0s)
The time between changes in the time-dependent portion of address verifica‐
tion probe sender addresses.
CACHE CONTROLS
address_verify_map (see 'postconf -d' output)
Lookup table for persistent address verification status storage.
address_verify_positive_expire_time (31d)
The time after which a successful probe expires from the address verifica‐
tion cache.
address_verify_positive_refresh_time (7d)
The time after which a successful address verification probe needs to be
refreshed.
address_verify_negative_cache (yes)
Enable caching of failed address verification probe results.
address_verify_negative_expire_time (3d)
The time after which a failed probe expires from the address verification
cache.
address_verify_negative_refresh_time (3h)
The time after which a failed address verification probe needs to be
refreshed.
Available with Postfix 2.7 and later:
address_verify_cache_cleanup_interval (12h)
The amount of time between verify(8) address verification database cleanup
runs.
PROBE MESSAGE ROUTING CONTROLS
By default, probe messages are delivered via the same route as regular messages.
The following parameters can be used to override specific message routing mecha‐
nisms.
address_verify_relayhost ($relayhost)
Overrides the relayhost parameter setting for address verification probes.
address_verify_transport_maps ($transport_maps)
Overrides the transport_maps parameter setting for address verification
probes.
address_verify_local_transport ($local_transport)
Overrides the local_transport parameter setting for address verification
probes.
address_verify_virtual_transport ($virtual_transport)
Overrides the virtual_transport parameter setting for address verification
probes.
address_verify_relay_transport ($relay_transport)
Overrides the relay_transport parameter setting for address verification
probes.
address_verify_default_transport ($default_transport)
Overrides the default_transport parameter setting for address verification
probes.
Available in Postfix 2.3 and later:
address_verify_sender_dependent_relayhost_maps ($sender_dependent_relayhost_maps)
Overrides the sender_dependent_relayhost_maps parameter setting for address
verification probes.
Available in Postfix 2.7 and later:
address_verify_sender_dependent_default_transport_maps ($sender_depen‐
dent_default_transport_maps)
Overrides the sender_dependent_default_transport_maps parameter setting for
address verification probes.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
cleanup(8), enqueue Postfix message
postconf(5), configuration parameters
syslogd(5), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
ADDRESS_VERIFICATION_README, address verification howto
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
VERIFY(8)
flush
Der flush-Daemon verwaltet die Nachrichten in der deferred-Queue und erstellt dazu eine zielabhängige Liste. Somit kann z.B. der smtp-delivery-agent mit Hilfe des ETRN-SMTP-Kommandos eine bestehende Verbindung zu einem anderen MTA weiterverwenden und somit während einer Verbindungs-Session die vom flush-Daemon generierte Liste abarbeiten, sprich alle Nachrichten zu einer Zieldomäne in einem Rutsch versenden.
Weitere Hinweise zum flush-Daemon findet man in dessen manpage.
# man 8 flush
FLUSH(8) System Manager's Manual FLUSH(8)
NAME
flush - Postfix fast flush server
SYNOPSIS
flush [generic Postfix daemon options]
DESCRIPTION
The flush(8) server maintains a record of deferred mail by destination. This
information is used to improve the performance of the SMTP ETRN request, and of
its command-line equivalent, "sendmail -qR" or "postqueue -f". This program
expects to be run from the master(8) process manager.
The record is implemented as a per-destination logfile with as contents the queue
IDs of deferred mail. A logfile is append-only, and is truncated when delivery is
requested for the corresponding destination. A destination is the part on the
right-hand side of the right-most @ in an email address.
Per-destination logfiles of deferred mail are maintained only for eligible desti‐
nations. The list of eligible destinations is specified with the
fast_flush_domains configuration parameter, which defaults to $relay_domains.
This server implements the following requests:
add sitename queueid
Inform the flush(8) server that the message with the specified queue ID is
queued for the specified destination.
send_site sitename
Request delivery of mail that is queued for the specified destination.
send_file queueid
Request delivery of the specified deferred message.
refresh
Refresh non-empty per-destination logfiles that were not read in
$fast_flush_refresh_time hours, by simulating send requests (see above) for
the corresponding destinations.
Delete empty per-destination logfiles that were not updated in
$fast_flush_purge_time days.
This request completes in the background.
purge Do a refresh for all per-destination logfiles.
SECURITY
The flush(8) server is not security-sensitive. It does not talk to the network,
and it does not talk to local users. The fast flush server can run chrooted at
fixed low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Fast flush logfiles are truncated only after a "send" request, not when mail is
actually delivered, and therefore can accumulate outdated or redundant data. In
order to maintain sanity, "refresh" must be executed periodically. This can be
automated with a suitable wakeup timer setting in the master.cf configuration
file.
Upon receipt of a request to deliver mail for an eligible destination, the
flush(8) server requests delivery of all messages that are listed in that destina‐
tion's logfile, regardless of the recipients of those messages. This is not an
issue for mail that is sent to a relay_domains destination because such mail typi‐
cally only has recipients in one domain.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as flush(8) processes run for only
a limited amount of time. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
fast_flush_domains ($relay_domains)
Optional list of destinations that are eligible for per-destination log‐
files with mail that is queued to those destinations.
fast_flush_refresh_time (12h)
The time after which a non-empty but unread per-destination "fast flush"
logfile needs to be refreshed.
fast_flush_purge_time (7d)
The time after which an empty per-destination "fast flush" logfile is
deleted.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
parent_domain_matches_subdomains (see 'postconf -d' output)
What Postfix features match subdomains of "domain.tld" automatically,
instead of requiring an explicit ".domain.tld" pattern.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/flush, "fast flush" logfiles.
SEE ALSO
smtpd(8), SMTP server
qmgr(8), queue manager
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
ETRN_README, Postfix ETRN howto
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 1.0.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
FLUSH(8)
proxymap, proxywrite
Der proxymap-Daemon stellt anderen Postix-Prozessen Lookup-Tabellen zur Verfügung, damit diese bei entsprechenden Anfragen bereits bestehende Verbindungen mit-/weiterbenutzen können. Somit fällt der Overhead beim Verbindungsauf- und -abbau z.B. zu einem mySQL- oder ldap-Datenbankbackendsystem weg und diue Systemressourcen werden weniger belastet. Abhängig vom verwendetetn Namen proxymap und proxywrite können diese Verbindungen readonly oder auch als beschreibbar definiert werden.
Zusätzliche informationen zum proxymap/proxywrite-Daemon findet man in dessen manpage.
# man 8 proxymap
PROXYMAP(8) System Manager's Manual PROXYMAP(8)
NAME
proxymap - Postfix lookup table proxy server
SYNOPSIS
proxymap [generic Postfix daemon options]
DESCRIPTION
The proxymap(8) server provides read-only or read-write table lookup service to
Postfix processes. These services are implemented with distinct service names:
proxymap and proxywrite, respectively. The purpose of these services is:
· To overcome chroot restrictions. For example, a chrooted SMTP server needs
access to the system passwd file in order to reject mail for non-existent
local addresses, but it is not practical to maintain a copy of the passwd
file in the chroot jail. The solution:
local_recipient_maps =
proxy:unix:passwd.byname $alias_maps
· To consolidate the number of open lookup tables by sharing one open table
among multiple processes. For example, making mysql connections from every
Postfix daemon process results in "too many connections" errors. The solu‐
tion:
virtual_alias_maps =
proxy:mysql:/etc/postfix/virtual_alias.cf
The total number of connections is limited by the number of proxymap server
processes.
· To provide single-updater functionality for lookup tables that do not reli‐
ably support multiple writers (i.e. all file-based tables).
The proxymap(8) server implements the following requests:
open maptype:mapname flags
Open the table with type maptype and name mapname, as controlled by flags.
The reply includes the maptype dependent flags (to distinguish a fixed
string table from a regular expression table).
lookup maptype:mapname flags key
Look up the data stored under the requested key. The reply is the request
completion status code and the lookup result value. The maptype:mapname
and flags are the same as with the open request.
update maptype:mapname flags key value
Update the data stored under the requested key. The reply is the request
completion status code. The maptype:mapname and flags are the same as with
the open request.
To implement single-updater maps, specify a process limit of 1 in the mas‐
ter.cf file entry for the proxywrite service.
This request is supported in Postfix 2.5 and later.
delete maptype:mapname flags key
Delete the data stored under the requested key. The reply is the request
completion status code. The maptype:mapname and flags are the same as with
the open request.
This request is supported in Postfix 2.5 and later.
sequence maptype:mapname flags function
Iterate over the specified database. The function is one of
DICT_SEQ_FUN_FIRST or DICT_SEQ_FUN_NEXT. The reply is the request comple‐
tion status code and a lookup key and result value, if found.
This request is supported in Postfix 2.9 and later.
The request completion status is one of OK, RETRY, NOKEY (lookup failed because
the key was not found), BAD (malformed request) or DENY (the table is not approved
for proxy read or update access).
There is no close command, nor are tables implicitly closed when a client discon‐
nects. The purpose is to share tables among multiple client processes.
SERVER PROCESS MANAGEMENT
proxymap(8) servers run under control by the Postfix master(8) server. Each
server can handle multiple simultaneous connections. When all servers are busy
while a client connects, the master(8) creates a new proxymap(8) server process,
provided that the process limit is not exceeded. Each server terminates after
serving at least $max_use clients or after $max_idle seconds of idle time.
SECURITY
The proxymap(8) server opens only tables that are approved via the proxy_read_maps
or proxy_write_maps configuration parameters, does not talk to users, and can run
at fixed low privilege, chrooted or not. However, running the proxymap server
chrooted severely limits usability, because it can open only chrooted tables.
The proxymap(8) server is not a trusted daemon process, and must not be used to
look up sensitive information such as UNIX user or group IDs, mailbox file/direc‐
tory names or external commands.
In Postfix version 2.2 and later, the proxymap client recognizes requests to
access a table for security-sensitive purposes, and opens the table directly. This
allows the same main.cf setting to be used by sensitive and non-sensitive pro‐
cesses.
Postfix-writable data files should be stored under a dedicated directory that is
writable only by the Postfix mail system, such as the Postfix-owned data_direc‐
tory.
In particular, Postfix-writable files should never exist in root-owned directo‐
ries. That would open up a particular type of security hole where ownership of a
file or directory does not match the provider of its content.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The proxymap(8) server provides service to multiple clients, and must therefore
not be used for tables that have high-latency lookups.
The proxymap(8) read-write service does not explicitly close lookup tables (even
if it did, this could not be relied on, because the process may be terminated
between table updates). The read-write service should therefore not be used with
tables that leave persistent storage in an inconsistent state between updates (for
example, CDB). Tables that support "sync on update" should be safe (for example,
Berkeley DB) as should tables that are implemented by a real DBMS.
CONFIGURATION PARAMETERS
On busy mail systems a long time may pass before proxymap(8) relevant changes to
main.cf are picked up. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
data_directory (see 'postconf -d' output)
The directory with Postfix-writable data files (for example: caches,
pseudo-random numbers).
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
proxy_read_maps (see 'postconf -d' output)
The lookup tables that the proxymap(8) server is allowed to access for the
read-only service.
Available in Postfix 2.5 and later:
data_directory (see 'postconf -d' output)
The directory with Postfix-writable data files (for example: caches,
pseudo-random numbers).
proxy_write_maps (see 'postconf -d' output)
The lookup tables that the proxymap(8) server is allowed to access for the
read-write service.
SEE ALSO
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The proxymap service was introduced with Postfix 2.0.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PROXYMAP(8)
showq
Der showq-Daemon zeigt den Inhalt der Mailqueue an und wird von dem Shell-Scrip mailq angesprochen.
Weitere Hinweise zum showq-Daemon entnimmt man dessen manpage.
# man 8 showq
SHOWQ(8) System Manager's Manual SHOWQ(8)
NAME
showq - list the Postfix mail queue
SYNOPSIS
showq [generic Postfix daemon options]
DESCRIPTION
The showq(8) daemon reports the Postfix mail queue status. It is the program that
emulates the sendmail `mailq' command.
The showq(8) daemon can also be run in stand-alone mode by the superuser. This
mode of operation is used to emulate the `mailq' command while the Postfix mail
system is down.
SECURITY
The showq(8) daemon can run in a chroot jail at fixed low privilege, and takes no
input from the client. Its service port is accessible to local untrusted users, so
the service can be susceptible to denial of service attacks.
STANDARDS
None. The showq(8) daemon does not interact with the outside world.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as showq(8) processes run for only
a limited amount of time. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
duplicate_filter_limit (1000)
The maximal number of addresses remembered by the address duplicate filter
for aliases(5) or virtual(5) alias expansion, or for showq(8) queue dis‐
plays.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the null address.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
Available in Postfix version 2.9 and later:
enable_long_queue_ids (no)
Enable long, non-repeating, queue IDs (queue file names).
FILES
/var/spool/postfix, queue directories
SEE ALSO
pickup(8), local mail pickup service
cleanup(8), canonicalize and enqueue mail
qmgr(8), queue manager
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SHOWQ(8)
error, retry
Der error-delivery agent verarbeitet Zustellanfragen des qmgr-Daemon. Im Gegensatz zu den beiden Zustell-Agenten local oder smtp stellt der Agent aber keine Nachrichten zu, sondern generiert abhängig vom definierten Servicenamen in der master.cf-Datei entweder einen negativen Zustellbericht (Bounce) als error oder als retry. So kann der Absender informiert werden, dass eine einzelne Adresse oder auch eine ganze Mail-Domain nicht mehr oder gerade nicht zustellbar ist.
Weitere Hinweise zum Delivery-Agent error findet man in dessen manpage.
# man 8 error
ERROR(8) System Manager's Manual ERROR(8)
NAME
error - Postfix error/retry mail delivery agent
SYNOPSIS
error [generic Postfix daemon options]
DESCRIPTION
The Postfix error(8) delivery agent processes delivery requests from the queue
manager. Each request specifies a queue file, a sender address, the reason for
non-delivery (specified as the next-hop destination), and recipient information.
The reason may be prefixed with an RFC 3463-compatible detail code; if none is
specified a default 4.0.0 or 5.0.0 code is used instead. This program expects to
be run from the master(8) process manager.
Depending on the service name in master.cf, error or retry, the server bounces or
defers all recipients in the delivery request using the "next-hop" information as
the reason for non-delivery. The retry service name is supported as of Postfix
2.4.
Delivery status reports are sent to the bounce(8), defer(8) or trace(8) daemon as
appropriate.
SECURITY
The error(8) mailer is not security-sensitive. It does not talk to the network,
and can be run chrooted at fixed low privilege.
STANDARDS
RFC 3463 (Enhanced Status Codes)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Depending on the setting of the notify_classes parameter, the postmaster is noti‐
fied of bounces and of other trouble.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as error(8) processes run for only
a limited amount of time. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
2bounce_notice_recipient (postmaster)
The recipient of undeliverable mail that cannot be returned to the sender.
bounce_notice_recipient (postmaster)
The recipient of postmaster notifications with the message headers of mail
that Postfix did not deliver and of SMTP conversation transcripts of mail
that Postfix did not receive.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-sec‐
ond delay values.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications that are generated by the
mail system.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
notify_classes (resource, software)
The list of error classes that are reported to the postmaster.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
discard(8), Postfix discard delivery agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ERROR(8)
discard
Der discard-delivery agent verarbeitet die Zustellanfragen des qmgr-Daemon. Zustellbenachrichtigungen übergibt der Agent gegebenenfalls dem trace-Daemon.
Weitere Hinweise entnimmt man bei Bedarf der manpage des discard-Daemon.
# man 8 discard
DISCARD(8) System Manager's Manual DISCARD(8)
NAME
discard - Postfix discard mail delivery agent
SYNOPSIS
discard [generic Postfix daemon options]
DESCRIPTION
The Postfix discard(8) delivery agent processes delivery requests from the queue
manager. Each request specifies a queue file, a sender address, a next-hop desti‐
nation that is treated as the reason for discarding the mail, and recipient infor‐
mation. The reason may be prefixed with an RFC 3463-compatible detail code. This
program expects to be run from the master(8) process manager.
The discard(8) delivery agent pretends to deliver all recipients in the delivery
request, logs the "next-hop" destination as the reason for discarding the mail,
updates the queue file, and either marks recipients as finished or informs the
queue manager that delivery should be tried again at a later time.
Delivery status reports are sent to the trace(8) daemon as appropriate.
SECURITY
The discard(8) mailer is not security-sensitive. It does not talk to the network,
and can be run chrooted at fixed low privilege.
STANDARDS
RFC 3463 (Enhanced Status Codes)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Depending on the setting of the notify_classes parameter, the postmaster is noti‐
fied of bounces and of other trouble.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as discard(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-sec‐
ond delay values.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications that are generated by the
mail system.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
error(8), Postfix error delivery agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.2.
AUTHOR(S)
Victor Duchovni
Morgan Stanley
Based on code by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
DISCARD(8)
local
Der local-Daemon, genauer gesagt der local-Agent, übernimmt die Nachrichten vom qmgr-Daemon und stellt diese an lokale Empfänger zu. Da der Agent auf die alias- und .forward-Tabellen zugreifen und auswerten kann, ist er im Gegensatz zum virtual-delivery agent in der Lage, Lieferstatus Berichte an den bounce-, defer- bzw. trace-Daemon zu senden.
Weitere Hinweise findet man in der ausführlichen manpage vom local-agent.
# man 8 local
LOCAL(8) System Manager's Manual LOCAL(8)
NAME
local - Postfix local mail delivery
SYNOPSIS
local [generic Postfix daemon options]
DESCRIPTION
The local(8) daemon processes delivery requests from the Postfix queue manager
to deliver mail to local recipients. Each delivery request specifies a queue
file, a sender address, a domain or host to deliver to, and one or more recipi‐
ents. This program expects to be run from the master(8) process manager.
The local(8) daemon updates queue files and marks recipients as finished, or it
informs the queue manager that delivery should be tried again at a later time.
Delivery status reports are sent to the bounce(8), defer(8) or trace(8) daemon
as appropriate.
CASE FOLDING
All delivery decisions are made using the bare recipient name (i.e. the address
localpart), folded to lower case. See also under ADDRESS EXTENSION below for a
few exceptions.
SYSTEM-WIDE AND USER-LEVEL ALIASING
The system administrator can set up one or more system-wide sendmail-style alias
databases. Users can have sendmail-style ~/.forward files. Mail for name is
delivered to the alias name, to destinations in ~name/.forward, to the mailbox
owned by the user name, or it is sent back as undeliverable.
The system administrator can specify a comma/space separated list of ~/.forward
like files through the forward_path configuration parameter. Upon delivery, the
local delivery agent tries each pathname in the list until a file is found.
Delivery via ~/.forward files is done with the privileges of the recipient.
Thus, ~/.forward like files must be readable by the recipient, and their parent
directory needs to have "execute" permission for the recipient.
The forward_path parameter is subject to interpolation of $user (recipient user‐
name), $home (recipient home directory), $shell (recipient shell), $recipient
(complete recipient address), $extension (recipient address extension), $domain
(recipient domain), $local (entire recipient address localpart) and $recipi‐
ent_delimiter. The forms ${name?value} and ${name:value} expand conditionally to
value when $name is (is not) defined. Characters that may have special meaning
to the shell or file system are replaced by underscores. The list of acceptable
characters is specified with the forward_expansion_filter configuration parame‐
ter.
An alias or ~/.forward file may list any combination of external commands, des‐
tination file names, :include: directives, or mail addresses. See aliases(5)
for a precise description. Each line in a user's .forward file has the same syn‐
tax as the right-hand part of an alias.
When an address is found in its own alias expansion, delivery is made to the
user instead. When a user is listed in the user's own ~/.forward file, delivery
is made to the user's mailbox instead. An empty ~/.forward file means do not
forward mail.
In order to prevent the mail system from using up unreasonable amounts of mem‐
ory, input records read from :include: or from ~/.forward files are broken up
into chunks of length line_length_limit.
While expanding aliases, ~/.forward files, and so on, the program attempts to
avoid duplicate deliveries. The duplicate_filter_limit configuration parameter
limits the number of remembered recipients.
MAIL FORWARDING
For the sake of reliability, forwarded mail is re-submitted as a new message, so
that each recipient has a separate on-file delivery status record.
In order to stop mail forwarding loops early, the software adds an optional
Delivered-To: header with the final envelope recipient address. If mail arrives
for a recipient that is already listed in a Delivered-To: header, the message is
bounced.
MAILBOX DELIVERY
The default per-user mailbox is a file in the UNIX mail spool directory
(/var/mail/user or /var/spool/mail/user); the location can be specified with the
mail_spool_directory configuration parameter. Specify a name ending in / for
qmail-compatible maildir delivery.
Alternatively, the per-user mailbox can be a file in the user's home directory
with a name specified via the home_mailbox configuration parameter. Specify a
relative path name. Specify a name ending in / for qmail-compatible maildir
delivery.
Mailbox delivery can be delegated to an external command specified with the
mailbox_command_maps and mailbox_command configuration parameters. The command
executes with the privileges of the recipient user (exceptions: secondary groups
are not enabled; in case of delivery as root, the command executes with the
privileges of default_privs).
Mailbox delivery can be delegated to alternative message transports specified in
the master.cf file. The mailbox_transport_maps and mailbox_transport configura‐
tion parameters specify an optional message transport that is to be used for all
local recipients, regardless of whether they are found in the UNIX passwd data‐
base. The fallback_transport_maps and fallback_transport parameters specify an
optional message transport for recipients that are not found in the aliases(5)
or UNIX passwd database.
In the case of UNIX-style mailbox delivery, the local(8) daemon prepends a "From
sender time_stamp" envelope header to each message, prepends an X-Original-To:
header with the recipient address as given to Postfix, prepends an optional
Delivered-To: header with the final envelope recipient address, prepends a
Return-Path: header with the envelope sender address, prepends a > character to
lines beginning with "From ", and appends an empty line. The mailbox is locked
for exclusive access while delivery is in progress. In case of problems, an
attempt is made to truncate the mailbox to its original length.
In the case of maildir delivery, the local daemon prepends an optional Deliv‐
ered-To: header with the final envelope recipient address, prepends an X-Origi‐
nal-To: header with the recipient address as given to Postfix, and prepends a
Return-Path: header with the envelope sender address.
EXTERNAL COMMAND DELIVERY
The allow_mail_to_commands configuration parameter restricts delivery to exter‐
nal commands. The default setting (alias, forward) forbids command destinations
in :include: files.
Optionally, the process working directory is changed to the path specified with
command_execution_directory (Postfix 2.2 and later). Failure to change directory
causes mail to be deferred.
The command_execution_directory parameter value is subject to interpolation of
$user (recipient username), $home (recipient home directory), $shell (recipient
shell), $recipient (complete recipient address), $extension (recipient address
extension), $domain (recipient domain), $local (entire recipient address local‐
part) and $recipient_delimiter. The forms ${name?value} and ${name:value}
expand conditionally to value when $name is (is not) defined. Characters that
may have special meaning to the shell or file system are replaced by under‐
scores. The list of acceptable characters is specified with the execu‐
tion_directory_expansion_filter configuration parameter.
The command is executed directly where possible. Assistance by the shell
(/bin/sh on UNIX systems) is used only when the command contains shell magic
characters, or when the command invokes a shell built-in command.
A limited amount of command output (standard output and standard error) is cap‐
tured for inclusion with non-delivery status reports. A command is forcibly
terminated if it does not complete within command_time_limit seconds. Command
exit status codes are expected to follow the conventions defined in <sysex‐
its.h>. Exit status 0 means normal successful completion.
Postfix version 2.3 and later support RFC 3463-style enhanced status codes. If
a command terminates with a non-zero exit status, and the command output begins
with an enhanced status code, this status code takes precedence over the non-
zero exit status.
A limited amount of message context is exported via environment variables. Char‐
acters that may have special meaning to the shell are replaced by underscores.
The list of acceptable characters is specified with the command_expansion_filter
configuration parameter.
SHELL The recipient user's login shell.
HOME The recipient user's home directory.
USER The bare recipient name.
EXTENSION
The optional recipient address extension.
DOMAIN The recipient address domain part.
LOGNAME
The bare recipient name.
LOCAL The entire recipient address localpart (text to the left of the rightmost
@ character).
ORIGINAL_RECIPIENT
The entire recipient address, before any address rewriting or aliasing
(Postfix 2.5 and later).
RECIPIENT
The entire recipient address.
SENDER The entire sender address.
Additional remote client information is made available via the following envi‐
ronment variables:
CLIENT_ADDRESS
Remote client network address. Available as of Postfix 2.2.
CLIENT_HELO
Remote client EHLO command parameter. Available as of Postfix 2.2.
CLIENT_HOSTNAME
Remote client hostname. Available as of Postfix 2.2.
CLIENT_PROTOCOL
Remote client protocol. Available as of Postfix 2.2.
SASL_METHOD
SASL authentication method specified in the remote client AUTH command.
Available as of Postfix 2.2.
SASL_SENDER
SASL sender address specified in the remote client MAIL FROM command.
Available as of Postfix 2.2.
SASL_USERNAME
SASL username specified in the remote client AUTH command. Available as
of Postfix 2.2.
The PATH environment variable is always reset to a system-dependent default
path, and environment variables whose names are blessed by the export_environ‐
ment configuration parameter are exported unchanged.
The current working directory is the mail queue directory.
The local(8) daemon prepends a "From sender time_stamp" envelope header to each
message, prepends an X-Original-To: header with the recipient address as given
to Postfix, prepends an optional Delivered-To: header with the final recipient
envelope address, prepends a Return-Path: header with the sender envelope
address, and appends no empty line.
EXTERNAL FILE DELIVERY
The delivery format depends on the destination filename syntax. The default is
to use UNIX-style mailbox format. Specify a name ending in / for qmail-compati‐
ble maildir delivery.
The allow_mail_to_files configuration parameter restricts delivery to external
files. The default setting (alias, forward) forbids file destinations in
:include: files.
In the case of UNIX-style mailbox delivery, the local(8) daemon prepends a "From
sender time_stamp" envelope header to each message, prepends an X-Original-To:
header with the recipient address as given to Postfix, prepends an optional
Delivered-To: header with the final recipient envelope address, prepends a >
character to lines beginning with "From ", and appends an empty line. The enve‐
lope sender address is available in the Return-Path: header. When the destina‐
tion is a regular file, it is locked for exclusive access while delivery is in
progress. In case of problems, an attempt is made to truncate a regular file to
its original length.
In the case of maildir delivery, the local daemon prepends an optional Deliv‐
ered-To: header with the final envelope recipient address, and prepends an X-
Original-To: header with the recipient address as given to Postfix. The enve‐
lope sender address is available in the Return-Path: header.
ADDRESS EXTENSION
The optional recipient_delimiter configuration parameter specifies how to sepa‐
rate address extensions from local recipient names.
For example, with "recipient_delimiter = +", mail for name+foo is delivered to
the alias name+foo or to the alias name, to the destinations listed in
~name/.forward+foo or in ~name/.forward, to the mailbox owned by the user name,
or it is sent back as undeliverable.
DELIVERY RIGHTS
Deliveries to external files and external commands are made with the rights of
the receiving user on whose behalf the delivery is made. In the absence of a
user context, the local(8) daemon uses the owner rights of the :include: file or
alias database. When those files are owned by the superuser, delivery is made
with the rights specified with the default_privs configuration parameter.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 3463 (Enhanced status codes)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8). Corrupted message files are
marked so that the queue manager can move them to the corrupt queue afterwards.
Depending on the setting of the notify_classes parameter, the postmaster is
notified of bounces and of other trouble.
SECURITY
The local(8) delivery agent needs a dual personality 1) to access the private
Postfix queue and IPC mechanisms, 2) to impersonate the recipient and deliver to
recipient-specified files or commands. It is therefore security sensitive.
The local(8) delivery agent disallows regular expression substitution of $1 etc.
in alias_maps, because that would open a security hole.
The local(8) delivery agent will silently ignore requests to use the proxymap(8)
server within alias_maps. Instead it will open the table directly. Before Post‐
fix version 2.2, the local(8) delivery agent will terminate with a fatal error.
BUGS
For security reasons, the message delivery status of external commands or of
external files is never checkpointed to file. As a result, the program may occa‐
sionally deliver more than once to a command or external file. Better safe than
sorry.
Mutually-recursive aliases or ~/.forward files are not detected early. The
resulting mail forwarding loop is broken by the use of the Delivered-To: message
header.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as local(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more
details including examples.
COMPATIBILITY CONTROLS
biff (yes)
Whether or not to use the local biff service.
expand_owner_alias (no)
When delivering to an alias "aliasname" that has an "owner-aliasname"
companion alias, set the envelope sender address to the expansion of the
"owner-aliasname" alias.
owner_request_special (yes)
Give special treatment to owner-listname and listname-request address
localparts: don't split such addresses when the recipient_delimiter is
set to "-".
sun_mailtool_compatibility (no)
Obsolete SUN mailtool compatibility feature.
Available in Postfix version 2.3 and later:
frozen_delivered_to (yes)
Update the local(8) delivery agent's idea of the Delivered-To: address
(see prepend_delivered_header) only once, at the start of a delivery
attempt; do not update the Delivered-To: address while expanding aliases
or .forward files.
Available in Postfix version 2.5.3 and later:
strict_mailbox_ownership (yes)
Defer delivery when a mailbox file is not owned by its recipient.
reset_owner_alias (no)
Reset the local(8) delivery agent's idea of the owner-alias attribute,
when delivering mail to a child alias that does not have its own owner
alias.
DELIVERY METHOD CONTROLS
The precedence of local(8) delivery methods from high to low is: aliases, .for‐
ward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps,
mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps,
fallback_transport, and luser_relay.
alias_maps (see 'postconf -d' output)
The alias databases that are used for local(8) delivery.
forward_path (see 'postconf -d' output)
The local(8) delivery agent search list for finding a .forward file with
user-specified delivery methods.
mailbox_transport_maps (empty)
Optional lookup tables with per-recipient message delivery transports to
use for local(8) mailbox delivery, whether or not the recipients are
found in the UNIX passwd database.
mailbox_transport (empty)
Optional message delivery transport that the local(8) delivery agent
should use for mailbox delivery to all local recipients, whether or not
they are found in the UNIX passwd database.
mailbox_command_maps (empty)
Optional lookup tables with per-recipient external commands to use for
local(8) mailbox delivery.
mailbox_command (empty)
Optional external command that the local(8) delivery agent should use for
mailbox delivery.
home_mailbox (empty)
Optional pathname of a mailbox file relative to a local(8) user's home
directory.
mail_spool_directory (see 'postconf -d' output)
The directory where local(8) UNIX-style mailboxes are kept.
fallback_transport_maps (empty)
Optional lookup tables with per-recipient message delivery transports for
recipients that the local(8) delivery agent could not find in the
aliases(5) or UNIX password database.
fallback_transport (empty)
Optional message delivery transport that the local(8) delivery agent
should use for names that are not found in the aliases(5) or UNIX pass‐
word database.
luser_relay (empty)
Optional catch-all destination for unknown local(8) recipients.
Available in Postfix version 2.2 and later:
command_execution_directory (empty)
The local(8) delivery agent working directory for delivery to external
command.
MAILBOX LOCKING CONTROLS
deliver_lock_attempts (20)
The maximal number of attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an exclusive lock on a mailbox file
or bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive mailbox lockfile is removed.
mailbox_delivery_lock (see 'postconf -d' output)
How to lock a UNIX-style local(8) mailbox before attempting delivery.
RESOURCE AND RATE CONTROLS
command_time_limit (1000s)
Time limit for delivery to external commands.
duplicate_filter_limit (1000)
The maximal number of addresses remembered by the address duplicate fil‐
ter for aliases(5) or virtual(5) alias expansion, or for showq(8) queue
displays.
local_destination_concurrency_limit (2)
The maximal number of parallel deliveries via the local mail delivery
transport to the same recipient (when "local_destination_recipient_limit
= 1") or the maximal number of parallel deliveries to the same local
domain (when "local_destination_recipient_limit > 1").
local_destination_recipient_limit (1)
The maximal number of recipients per message delivery via the local mail
delivery transport.
mailbox_size_limit (51200000)
The maximal size of any local(8) individual mailbox or maildir file, or
zero (no limit).
SECURITY CONTROLS
allow_mail_to_commands (alias, forward)
Restrict local(8) mail delivery to external commands.
allow_mail_to_files (alias, forward)
Restrict local(8) mail delivery to external files.
command_expansion_filter (see 'postconf -d' output)
Restrict the characters that the local(8) delivery agent allows in $name
expansions of $mailbox_command and $command_execution_directory.
default_privs (nobody)
The default rights used by the local(8) delivery agent for delivery to
external file or command.
forward_expansion_filter (see 'postconf -d' output)
Restrict the characters that the local(8) delivery agent allows in $name
expansions of $forward_path.
Available in Postfix version 2.2 and later:
execution_directory_expansion_filter (see 'postconf -d' output)
Restrict the characters that the local(8) delivery agent allows in $name
expansions of $command_execution_directory.
Available in Postfix version 2.5.3 and later:
strict_mailbox_ownership (yes)
Defer delivery when a mailbox file is not owned by its recipient.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request
before it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-
second delay values.
export_environment (see 'postconf -d' output)
The list of environment variables that a Postfix process will export to
non-Postfix processes.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal com‐
munication channel.
local_command_shell (empty)
Optional shell program for local(8) delivery to non-Postfix command.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for
an incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
prepend_delivered_header (command, file, forward)
The message delivery contexts where the Postfix local(8) delivery agent
prepends a Delivered-To: message header with the address that the mail
was delivered to.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
propagate_unmatched_extensions (canonical, virtual)
What address lookup tables copy an address extension from the lookup key
to the lookup result.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
recipient_delimiter (empty)
The set of characters that can separate a user name from its extension
(example: user+foo), or a .forward file name from its extension (example:
.forward+foo).
require_home_directory (no)
Require that a local(8) recipient's home directory exists before mail
delivery is attempted.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
FILES
The following are examples; details differ between systems.
$HOME/.forward, per-user aliasing
/etc/aliases, system-wide alias database
/var/spool/mail, system mailboxes
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
newaliases(1), create/update alias database
postalias(1), create/update alias database
aliases(5), format of alias database
postconf(5), configuration parameters
master(5), generic daemon options
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The Delivered-To: message header appears in the qmail system by Daniel Bern‐
stein.
The maildir structure appears in the qmail system by Daniel Bernstein.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
LOCAL(8)
virtual
Der virtual-delivery agent wurde von Wietse Venema für die virtuellen Maildomains entwickelt. Ursprünglich wurde dazu der local-delivery agent mit statischen hartcodierten Übersetzungstabellen benutzt. Im Gegensatz zum local-delivery agent wertet der virtual-delivery agent weder alias- noch .forward-Tabellen aus - Weiterleitungen oder Abwesenheitsnachrichten müssen daher über Mapping-Tabellen wie z.B. virtual_alias maps separat realisiert werden.
# man 8 virtual
VIRTUAL(8) System Manager's Manual VIRTUAL(8)
NAME
virtual - Postfix virtual domain mail delivery agent
SYNOPSIS
virtual [generic Postfix daemon options]
DESCRIPTION
The virtual(8) delivery agent is designed for virtual mail hosting services. Orig‐
inally based on the Postfix local(8) delivery agent, this agent looks up recipi‐
ents with map lookups of their full recipient address, instead of using hard-coded
unix password file lookups of the address local part only.
This delivery agent only delivers mail. Other features such as mail forwarding,
out-of-office notifications, etc., must be configured via virtual_alias maps or
via similar lookup mechanisms.
MAILBOX LOCATION
The mailbox location is controlled by the virtual_mailbox_base and virtual_mail‐
box_maps configuration parameters (see below). The virtual_mailbox_maps table is
indexed by the recipient address as described under TABLE SEARCH ORDER below.
The mailbox pathname is constructed as follows:
$virtual_mailbox_base/$virtual_mailbox_maps(recipient)
where recipient is the full recipient address.
UNIX MAILBOX FORMAT
When the mailbox location does not end in /, the message is delivered in UNIX
mailbox format. This format stores multiple messages in one textfile.
The virtual(8) delivery agent prepends a "From sender time_stamp" envelope header
to each message, prepends a Delivered-To: message header with the envelope recipi‐
ent address, prepends an X-Original-To: header with the recipient address as given
to Postfix, prepends a Return-Path: message header with the envelope sender
address, prepends a > character to lines beginning with "From ", and appends an
empty line.
The mailbox is locked for exclusive access while delivery is in progress. In case
of problems, an attempt is made to truncate the mailbox to its original length.
QMAIL MAILDIR FORMAT
When the mailbox location ends in /, the message is delivered in qmail maildir
format. This format stores one message per file.
The virtual(8) delivery agent prepends a Delivered-To: message header with the
final envelope recipient address, prepends an X-Original-To: header with the
recipient address as given to Postfix, and prepends a Return-Path: message header
with the envelope sender address.
By definition, maildir format does not require application-level file locking dur‐
ing mail delivery or retrieval.
MAILBOX OWNERSHIP
Mailbox ownership is controlled by the virtual_uid_maps and virtual_gid_maps
lookup tables, which are indexed with the full recipient address. Each table pro‐
vides a string with the numerical user and group ID, respectively.
The virtual_minimum_uid parameter imposes a lower bound on numerical user ID val‐
ues that may be specified in any virtual_uid_maps.
CASE FOLDING
All delivery decisions are made using the full recipient address, folded to lower
case. See also the next section for a few exceptions with optional address exten‐
sions.
TABLE SEARCH ORDER
Normally, a lookup table is specified as a text file that serves as input to the
postmap(1) command. The result, an indexed file in dbm or db format, is used for
fast searching by the mail system.
The search order is as follows. The search stops upon the first successful lookup.
· When the recipient has an optional address extension the user+exten‐
sion@domain.tld address is looked up first.
With Postfix versions before 2.1, the optional address extension is always
ignored.
· The user@domain.tld address, without address extension, is looked up next.
· Finally, the recipient @domain is looked up.
When the table is provided via other means such as NIS, LDAP or SQL, the same
lookups are done as for ordinary indexed files.
Alternatively, a table can be provided as a regular-expression map where patterns
are given as regular expressions. In that case, only the full recipient address is
given to the regular-expression map.
SECURITY
The virtual(8) delivery agent is not security sensitive, provided that the lookup
tables with recipient user/group ID information are adequately protected. This
program is not designed to run chrooted.
The virtual(8) delivery agent disallows regular expression substitution of $1 etc.
in regular expression lookup tables, because that would open a security hole.
The virtual(8) delivery agent will silently ignore requests to use the proxymap(8)
server. Instead it will open the table directly. Before Postfix version 2.2, the
virtual delivery agent will terminate with a fatal error.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
DIAGNOSTICS
Mail bounces when the recipient has no mailbox or when the recipient is over disk
quota. In all other cases, mail for an existing recipient is deferred and a warn‐
ing is logged.
Problems and transactions are logged to syslogd(8). Corrupted message files are
marked so that the queue manager can move them to the corrupt queue afterwards.
Depending on the setting of the notify_classes parameter, the postmaster is noti‐
fied of bounces and of other trouble.
BUGS
This delivery agent supports address extensions in email addresses and in lookup
table keys, but does not propagate address extension information to the result of
table lookup.
Postfix should have lookup tables that can return multiple result attributes. In
order to avoid the inconvenience of maintaining three tables, use an LDAP or MYSQL
database.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as virtual(8) processes run for
only a limited amount of time. Use the command "postfix reload" to speed up a
change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
MAILBOX DELIVERY CONTROLS
virtual_mailbox_base (empty)
A prefix that the virtual(8) delivery agent prepends to all pathname
results from $virtual_mailbox_maps table lookups.
virtual_mailbox_maps (empty)
Optional lookup tables with all valid addresses in the domains that match
$virtual_mailbox_domains.
virtual_minimum_uid (100)
The minimum user ID value that the virtual(8) delivery agent accepts as a
result from $virtual_uid_maps table lookup.
virtual_uid_maps (empty)
Lookup tables with the per-recipient user ID that the virtual(8) delivery
agent uses while writing to the recipient's mailbox.
virtual_gid_maps (empty)
Lookup tables with the per-recipient group ID for virtual(8) mailbox deliv‐
ery.
Available in Postfix version 2.0 and later:
virtual_mailbox_domains ($virtual_mailbox_maps)
Postfix is final destination for the specified list of domains; mail is
delivered via the $virtual_transport mail delivery transport.
virtual_transport (virtual)
The default mail delivery transport and next-hop destination for final
delivery to domains listed with $virtual_mailbox_domains.
Available in Postfix version 2.5.3 and later:
strict_mailbox_ownership (yes)
Defer delivery when a mailbox file is not owned by its recipient.
LOCKING CONTROLS
virtual_mailbox_lock (see 'postconf -d' output)
How to lock a UNIX-style virtual(8) mailbox before attempting delivery.
deliver_lock_attempts (20)
The maximal number of attempts to acquire an exclusive lock on a mailbox
file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an exclusive lock on a mailbox file or
bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive mailbox lockfile is removed.
RESOURCE AND RATE CONTROLS
virtual_destination_concurrency_limit ($default_destination_concurrency_limit)
The maximal number of parallel deliveries to the same destination via the
virtual message delivery transport.
virtual_destination_recipient_limit ($default_destination_recipient_limit)
The maximal number of recipients per message for the virtual message deliv‐
ery transport.
virtual_mailbox_limit (51200000)
The maximal size in bytes of an individual virtual(8) mailbox or maildir
file, or zero (no limit).
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
delay_logging_resolution_limit (2)
The maximal number of digits after the decimal point when logging sub-sec‐
ond delay values.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
queue_directory (see 'postconf -d' output)
The location of the Postfix top-level queue directory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
syslogd(8), system logging
README_FILES
Use "postconf readme_directory" or
"postconf html_directory" to locate this information.
VIRTUAL_README, domain hosting howto
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This delivery agent was originally based on the Postfix local delivery agent. Mod‐
ifications mainly consisted of removing code that either was not applicable or
that was not safe in this context: aliases, ~user/.forward files, delivery to
"|command" or to /file/name.
The Delivered-To: message header appears in the qmail system by Daniel Bernstein.
The maildir structure appears in the qmail system by Daniel Bernstein.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Andrew McNamara
andrewm@connect.com.au
connect.com.au Pty. Ltd.
Level 3, 213 Miller St
North Sydney 2060, NSW, Australia
VIRTUAL(8)
anvil
Der anvil-Daemon sammelt mit Verbindungsdaten von Client-Verbindungen und Client-Anfragen. So können Client-Verbindungen und -Anfragen, entsprechend limitiert werden und die Ereichbarkeit des des MTA gesichert werden.
Konfigurationsdetails und weitere Informationen findet man in der manpage des anvil-Daemon.
# man 8 anvil
ANVIL(8) System Manager's Manual ANVIL(8)
NAME
anvil - Postfix session count and request rate control
SYNOPSIS
anvil [generic Postfix daemon options]
DESCRIPTION
The Postfix anvil(8) server maintains statistics about client connection counts or
client request rates. This information can be used to defend against clients that
hammer a server with either too many simultaneous sessions, or with too many suc‐
cessive requests within a configurable time interval. This server is designed to
run under control by the Postfix master(8) server.
In the following text, ident specifies a (service, client) combination. The exact
syntax of that information is application-dependent; the anvil(8) server does not
care.
CONNECTION COUNT/RATE CONTROL
To register a new connection send the following request to the anvil(8) server:
request=connect
ident=string
The anvil(8) server answers with the number of simultaneous connections and the
number of connections per unit time for the (service, client) combination speci‐
fied with ident:
status=0
count=number
rate=number
To register a disconnect event send the following request to the anvil(8) server:
request=disconnect
ident=string
The anvil(8) server replies with:
status=0
MESSAGE RATE CONTROL
To register a message delivery request send the following request to the anvil(8)
server:
request=message
ident=string
The anvil(8) server answers with the number of message delivery requests per unit
time for the (service, client) combination specified with ident:
status=0
rate=number
RECIPIENT RATE CONTROL
To register a recipient request send the following request to the anvil(8) server:
request=recipient
ident=string
The anvil(8) server answers with the number of recipient addresses per unit time
for the (service, client) combination specified with ident:
status=0
rate=number
TLS SESSION NEGOTIATION RATE CONTROL
The features described in this section are available with Postfix 2.3 and later.
To register a request for a new (i.e. not cached) TLS session send the following
request to the anvil(8) server:
request=newtls
ident=string
The anvil(8) server answers with the number of new TLS session requests per unit
time for the (service, client) combination specified with ident:
status=0
rate=number
To retrieve new TLS session request rate information without updating the counter
information, send:
request=newtls_report
ident=string
The anvil(8) server answers with the number of new TLS session requests per unit
time for the (service, client) combination specified with ident:
status=0
rate=number
SECURITY
The anvil(8) server does not talk to the network or to local users, and can run
chrooted at fixed low privilege.
The anvil(8) server maintains an in-memory table with information about recent
clients requests. No persistent state is kept because standard system library
routines are not sufficiently robust for update-intensive applications.
Although the in-memory state is kept only temporarily, this may require a lot of
memory on systems that handle connections from many remote clients. To reduce
memory usage, reduce the time unit over which state is kept.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Upon exit, and every anvil_status_update_time seconds, the server logs the maximal
count and rate values measured, together with (service, client) information and
the time of day associated with those events. In order to avoid unnecessary over‐
head, no measurements are done for activity that isn't concurrency limited or rate
limited.
BUGS
Systems behind network address translating routers or proxies appear to have the
same client address and can run into connection count and/or rate limits falsely.
In this preliminary implementation, a count (or rate) limited server process can
have only one remote client at a time. If a server process reports multiple simul‐
taneous clients, state is kept only for the last reported client.
The anvil(8) server automatically discards client request information after it
expires. To prevent the anvil(8) server from discarding client request rate
information too early or too late, a rate limited service should always register
connect/disconnect events even when it does not explicitly limit them.
CONFIGURATION PARAMETERS
On low-traffic mail systems, changes to main.cf are picked up automatically as
anvil(8) processes run for only a limited amount of time. On other mail systems,
use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
anvil_rate_time_unit (60s)
The time unit over which client connection rates and other rates are calcu‐
lated.
anvil_status_update_time (600s)
How frequently the anvil(8) connection and rate limiting server logs peak
usage information.
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
max_use (100)
The maximal number of incoming connections that a Postfix daemon process
will service before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
TUNING_README, performance tuning
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
The anvil service is available in Postfix 2.2 and later.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ANVIL(8)
scache
Der scache-Daemon verwaltet den Cache-Speicher für mehrfach genutzte Verbindungen zu einem Ziel. Somit können die delivery-agents diese Verbindungen mit- und weiterbenutzen. Somit fällt der Overhaed beim Verbindungsauf- und abbau weg und der Server kann wesentlich performanter arbeiten.
Weitere Hinweise zum scache-Daemon findet man in dessen manpage.
# man 8 scache
SCACHE(8) System Manager's Manual SCACHE(8)
NAME
scache - Postfix shared connection cache server
SYNOPSIS
scache [generic Postfix daemon options]
DESCRIPTION
The scache(8) server maintains a shared multi-connection cache. This information
can be used by, for example, Postfix SMTP clients or other Postfix delivery
agents.
The connection cache is organized into logical destination names, physical end‐
point names, and connections.
As a specific example, logical SMTP destinations specify (transport, domain,
port), and physical SMTP endpoints specify (transport, IP address, port). An SMTP
connection may be saved after a successful mail transaction.
In the general case, one logical destination may refer to zero or more physical
endpoints, one physical endpoint may be referenced by zero or more logical desti‐
nations, and one endpoint may refer to zero or more connections.
The exact syntax of a logical destination or endpoint name is application depen‐
dent; the scache(8) server does not care. A connection is stored as a file
descriptor together with application-dependent information that is needed to re-
activate a connection object. Again, the scache(8) server is completely unaware of
the details of that information.
All information is stored with a finite time to live (ttl). The connection cache
daemon terminates when no client is connected for max_idle time units.
This server implements the following requests:
save_endp ttl endpoint endpoint_properties file_descriptor
Save the specified file descriptor and connection property data under the
specified endpoint name. The endpoint properties are used by the client to
re-activate a passivated connection object.
find_endp endpoint
Look up cached properties and a cached file descriptor for the specified
endpoint.
save_dest ttl destination destination_properties endpoint
Save the binding between a logical destination and an endpoint under the
destination name, together with destination specific connection properties.
The destination properties are used by the client to re-activate a passi‐
vated connection object.
find_dest destination
Look up cached destination properties, cached endpoint properties, and a
cached file descriptor for the specified logical destination.
SECURITY
The scache(8) server is not security-sensitive. It does not talk to the network,
and it does not talk to local users. The scache(8) server can run chrooted at
fixed low privilege.
The scache(8) server is not a trusted process. It must not be used to store infor‐
mation that is security sensitive.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The session cache cannot be shared among multiple machines.
When a connection expires from the cache, it is closed without the appropriate
protocol specific handshake.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as scache(8) processes run for only
a limited amount of time. Use the command "postfix reload" to speed up a change.
The text below provides only a parameter summary. See postconf(5) for more details
including examples.
RESOURCE CONTROLS
connection_cache_ttl_limit (2s)
The maximal time-to-live value that the scache(8) connection cache server
allows.
connection_cache_status_update_time (600s)
How frequently the scache(8) server logs usage statistics with connection
cache hit and miss rates for logical destinations and for physical end‐
points.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf and master.cf configuration
files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take to handle a request before
it is terminated by a built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving information over an internal commu‐
nication channel.
max_idle (100s)
The maximum amount of time that an idle Postfix daemon process waits for an
incoming connection before terminating voluntarily.
process_id (read-only)
The process ID of a Postfix command or daemon process.
process_name (read-only)
The process name of a Postfix command or daemon process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (see 'postconf -d' output)
The mail system name that is prepended to the process name in syslog
records, so that "smtpd" becomes, for example, "postfix/smtpd".
SEE ALSO
smtp(8), SMTP client
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
README FILES
Use "postconf readme_directory" or "postconf html_directory" to locate this infor‐
mation.
CONNECTION_CACHE_README, Postfix connection cache
LICENSE
The Secure Mailer license must be distributed with this software.
HISTORY
This service was introduced with Postfix version 2.2.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SCACHE(8)
Anforderungen an unseren Mailserver
Die wohl wesentlichste und auch unstrittigste Anforderungen an unseren Mailserver ist schlichtweg die Tatsache, dass dieser die Kommunikation zwischen Absender und Empfänger ermöglichen und dienlich sein soll. Der eMailverkehr, in vielen Fällen eine geschäftskritische Anwendung, soll soweit möglich 24/7 zur Verfügung stehen, möglichst nicht beeinträchtigt/verzögert oder gar unterbunden werden!
Aus den gerade erwähnten Punkten haben wir nachfolgende Anforderungen an unsere eigene Mailinfrastruktur bzw. wir werden uns Techniken und Lösungen genauer ansehen, mit denen wir unsere
Die wesentlichen Anforderungen an unsere eigene Mailinfrastruktur sind:
- Es werden nur noch eMails angenommen, die auch zugestellt werden können; d.h. unerwünschte bzw. unerlaubte Nachrichten werden geblockt (mit einem Returncode von 5xx abgewiesen).
- der Transportweg zwischen den MTAs10) wird TLS-verschlüsselt, soweit möglich.
- der Transportweg zwischen MUA11) muss zwingend transportverschlüsselt werden.
- Nachrichten von MUAs werden ausschließlich auf dem Submissionport 587 angenommen.
- eMails die unser Netzwerk nach extern verlassen unterliegen der gleichen Qualitäts- (SPAM) und Sicherheitsüberprüfung (Viren und Schadcode) wie ankommende elektronische Post.
- abgehende eMails werden mit einer DKIM-Signatur versehen, mit der der Empfänger (MTA) prüfen kann, ob die eMail auch von unserem Mailserver versandt wurde. Somit wird zB. die Reputation gegenüber AOL gesteigert, da dieser ISP eine valide DKIM-Signatur positiv bewertet.
- Für den ersten Grob-Viren-/SPAM-Schutz betrachten wir die beiden Lösungskandidaten Greylisting und Postscreen genauer und wägen dann ab, welche Variante zum Einsatz kommen soll.
- Die zweite Prüfung erfolgt mit Unterstützung des Policy-Daemon policyd-weight, der die Mail bei der Einlieferung anhand des Envelope Sender, des Envelope To und der HELO-Daten, die während des SMTP-Handshakes übertragen werden, überprüft. auch hier stellen wir uns die Frage, ob polycd-weight oder postscreen eingesetzt werden soll.
- Die Möglichkeit, Nachrichten auf Grund von verdächtigen Header-Zeilen und/oder Inhalten zu bewerten und/oder zu filtern, soll grundsätzlich gegeben sein.
- Die SPAM-Bewertung der Nachrichten selbst erfolgt mit Hilfe von Spamassassin
- Den dritten Teil unserer mehrstufigen Antivirenschutzmaßnahmen (1. Stufe: postscreen. 2. Stufe: body-/header-checks) übernimmt der freie Virenscanner ClamAV.
die Punkte SRS, SPF, DKIM und DMARC noch bei der Ausgestaltung der „Anforderungen an unseren Mailserver“ noch mit aufnehmen!
weitere Schritte zur Installation und Konfiguration
Nachdem wir uns nun eingehend mit dem Grundlagen zum Thema Mailserver und den einzelnen Komponenten des Postfix MTA beschäftigt haben, können wir uns nun mit der Installation und Konfiguration von Postfix beschäftigen.
Die Installation und Konfiguration des aktuellen stable Release Postfix 3.x wird nachfolgend ab dieser Seite beschrieben.
Links
1)
Small Office Home Office
4)
Domain Name System
5)
Local Mail Transfer Protokoll
6)
Mail Message Submission
7)
Mail User Agents
8)
Quick Mail Queueing Protocol
9)
Pseudo Random Number Generator
10)
Mail Transport Agent: z.B. Postfix, Exim oder Sendmail
11)
Mail User Agent: z.B. kMail, Thunderbird oder R2Mail2
12)
RealtimeBlackHoleLists
django