Professional Documents
Culture Documents
QUICK LINKS First of all, thank you for your interest in the Postfix project.
Home
Non-English Info What is Postfix? It is Wietse Venema's mailer that started life as
Web sites (text) an alternative to the widely-used Sendmail program.
Download (source)
Mailing lists Postfix attempts to be fast, easy to administer, and secure, while
Press and Interviews at the same time being sendmail compatible enough to not upset
Documentation existing users. Thus, the outside has a sendmail-ish flavor, but the
Howtos and FAQs inside is completely different.
Add-on Software
Packages and Ports
Becoming a mirror site
Search
http://www.subneural.net/postfix-master/01/16/2005 15:45:43
Non-English Postfix Information
Non-English Postfix
Information
To have information listed on this page, please send mail to
QUICK LINKS wietse@porcupine.org.
Home
brazilian | chinese | french | german | indonesian |
Non-English Info
Web sites (text) italian | japanese | korean | russian | spanish |
Download (source) turkish |
Mailing lists
Press and Interviews Brazilian
Documentation
Howtos and FAQs ● Brazilian Postfix mailing list.
Add-on Software ● Postfix+Clamav howto by
Packages and Ports
Gleydson Soares.
Becoming a mirror site ● Manual do Postfix (Postfix
configuration guide).
Search
● Postfix+PostgreSQL virtual
domain howto by Leandro
Mendes.
● Postfix howtos and
documentation by Deives
Michellis.
● Postfix, Sasl2, Courier-Imap,
Quota and PostgreSQL howto by
William da Rocha.
● Postfix mail relaying with SASL
authentication howto by William
da Rocha.
Chinese
French
German
Indonesian
Italian
Japanese
Korean
Spanish
Russian
Turkish
Non-English
● Brazilian: http://listas.softwarelivre.org/mailman/listinfo/
postfix-br/.
● Japanese: http://www.postfix-jp.info/ML/.
● Spanish: http://postfix.WL0.org/es/listas/.
This is the New York Times article that put Open Source
on the radar of IBM CEO Lou Gerstner. He called around,
found that IBM had no open source strategy, and tasked
people to come up with one. And the rest is history.
copy)
Postfix Documentation
General configuration SMTP Relay/access Specific environments
control
QUICK LINKS ● Basic ● Linux issues
configuration ● Relay/access ● NFS issues
Home
● Standard control ● Ultrix support
Non-English Info
Web sites (text) configuration overview
examples ● Access policy Other mail delivery
Download (source)
Mailing lists ● Address delegation agents
Press and Interviews rewriting ● Address
Howto Command
● XFORWARD
Content inspection
Mailing list support Command
● Content
inspection ● qmail/ezmlm
overview support (*)
● Stopping ● VERP
Support
backscatter mail
● Built-in content
inspection
● After-queue
content filter
● Before-queue
content Filter
TLS
SASL
Adding disclaimers
UCE/Virus
Miscellaneous
com)
● HA mail system tutorial by Damir Horvat.
PGP/SMIME Gateways
Policy servers/libraries
Certified email
(Italian site).
Configuration/user management
Fax<->Email software
List managers
Logfile analysis
Lookup tables
POP/IMAP servers
Webmail
Package management
Autoreply software
Quota software
Other software
http://www.subneural.net/postfix-master/packages.html01/16/2005 15:45:49
Becoming a Postfix mirror site
release/
❍ web pages: ftp://ftp.porcupine.org/mirrors/postfix-
master/
● Where: specify at what URLs the information will be
made available.
http://www.subneural.net/postfix-master/mirror.html01/16/2005 15:45:49
Postfix Basic Configuration
Introduction
Postfix has several hundred configuration parameters that are controlled via the main.cf file.
Fortunately, all parameters have sensible default values. In many cases, you need to configure
only two or three parameters before you can start to play with the mail system. Here's a quick
introduction to the syntax:
The text below assumes that you already have Postfix installed on the system, either by
compiling the source code yourself (as described in the INSTALL file) or by installing an
already compiled version.
This document covers basic Postfix configuration. Information about how to configure Postfix
for specific applications such as mailhub, firewall or dial-up client can be found in the
STANDARD_CONFIGURATION_README file. But don't go there until you already have
covered the material presented below.
The first parameters of interest specify the machine's identity and role in the network.
The default values for many other configuration parameters are derived from just these.
The next parameter of interest controls the amount of mail sent to the local postmaster:
Be sure to set the following correctly if you're behind a proxy or network address translator,
and you are running a backup MX host for some other domain:
Postfix daemon processes run in the background, and log problems and normal activity to the
syslog daemon. Here are a few things that you need to be aware of:
If your machine has unusual security requirements you may want to run Postfix daemon
processes inside a chroot environment.
If you run Postfix on a virtual network interface, or if your machine runs other mailers on
virtual interfaces, you'll have to look at the other parameters listed here as well:
● My own hostname
/etc/postfix/main.cf:
parameter = value
/etc/postfix/main.cf:
other_parameter = $parameter
You can use $parameter before it is given a value (that is the second main difference with
UNIX shell variables). The Postfix configuration language uses lazy evaluation, and does not
look at a parameter value until it is needed at runtime.
Postfix uses database files for access control, address rewriting and other purposes. The
DATABASE_README file gives an introduction to how Postfix works with Berkeley DB,
LDAP or SQL and other types. Here is a common example of how Postfix invokes a database:
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
Whenever you make a change to the main.cf or master.cf file, execute the following command
as root in order to refresh a running mail system:
# postfix reload
For the sake of consistency between sender and recipient addresses, myorigin also specifies the
domain name that is appended to an unqualified recipient address.
/etc/postfix/main.cf:
You can specify zero or more domain names, "/file/name" patterns and/or "type:table" lookup
tables (such as hash:, btree:, nis:, ldap:, or mysql:), separated by whitespace and/or commas. A
"/file/name" pattern is replaced by its contents; "type:table" requests that a table lookup is done
and merely tests for existence: the lookup result is ignored.
IMPORTANT: If your machine is a mail server for its entire domain, you must list $mydomain
as well.
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain
localhost
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain
localhost $mydomain
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain
localhost
www.$mydomain ftp.$mydomain
Caution: in order to avoid mail delivery loops, you must list all hostnames of the machine,
IMPORTANT: If your machine is connected to a wide area network then your default
mynetworks setting may be too friendly.
/etc/postfix/main.cf:
mynetworks_style = subnet (default: authorize
subnetworks)
mynetworks_style = host (safe: authorize local
machine only)
mynetworks = 127.0.0.0/8 (safe: authorize local
machine only)
mynetworks = 127.0.0.0/8 168.100.189.2/32
(authorize local machine)
You can specify the trusted networks in the main.cf file, or you can let Postfix do the work for
you. The default is to let Postfix do the work. The result depends on the mynetworks_style
parameter value.
● Specify "mynetworks_style = host" when Postfix should forward mail from only the
local machine.
● Specify "mynetworks_style = subnet" (the default) when Postfix should forward mail
from SMTP clients in the same IP subnetworks as the local machine. On Linux, this
works correctly only with interfaces specified with the "ifconfig" command.
● Specify "mynetworks_style = class" when Postfix should forward mail from SMTP
clients in the same IP class A/B/C networks as the local machine. Don't do this with a
dialup site - it would cause Postfix to "trust" your entire provider's network. Instead,
specify an explicit mynetworks list by hand, as described below.
Alternatively, you can specify the mynetworks list by hand, in which case Postfix ignores the
mynetworks_style setting. To specify the list of trusted networks by hand, specify network
blocks in CIDR (network/mask) notation, for example:
/etc/postfix/main.cf:
mynetworks = 168.100.189.0/28, 127.0.0.0/8
You can also specify the absolute pathname of a pattern file instead of listing the patterns in the
main.cf file.
/etc/postfix/main.cf:
relay_domains = $mydestination (default)
relay_domains = (safe: never forward
mail from strangers)
relay_domains = $mydomain (forward mail to my
domain and subdomains)
/etc/postfix/main.cf:
relayhost = (default: direct
delivery to Internet)
The form enclosed with [] eliminates DNS MX lookups. Don't worry if you don't know what
that means. Just be sure to specify the [] around the mailhub hostname that your ISP gave to
you, otherwise mail may be mis-delivered.
The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
and/or dial-up networks.
/etc/aliases:
postmaster: you
root: you
Execute the command "newaliases" after changing the aliases file. Instead of /etc/aliases, your
alias file may be located elsewhere. Use the command "postconf alias_maps" to find out.
The Postfix system reports problems to the postmaster alias. You may not be interested in all
types of trouble reports, so this reporting mechanism is configurable. The default is to report
only serious problems (resource, software) to postmaster:
Default setting:
/etc/postfix/main.cf:
notify_classes = resource, software
bounce
Some mail servers are connected to the Internet via a network address translator (NAT) or
proxy. This means that systems on the Internet connect to the address of the NAT or proxy,
instead of connecting to the network address of the mail server. The NAT or proxy forwards
the connection to the network address of the mail server, but Postfix does not know this.
If you run a Postfix server behind a proxy or NAT, you need to configure the proxy_interfaces
parameter and specify all the external proxy or NAT addresses that Postfix receives mail on.
You may specify symbolic hostnames instead of network addresses.
IMPORTANT: You must specify your proxy/NAT external addresses when your system is a
backup MX host for other domains, otherwise mail delivery loops will happen when the
primary MX host is down.
/etc/postfix/main.cf:
proxy_interfaces = 1.2.3.4 (the proxy/NAT
external network address)
/etc/syslog.conf:
mail.err /dev/
console
mail.debug /var/
log/maillog
After changing the syslog.conf file, send a "HUP" signal to the syslogd process.
IMPORTANT: many syslogd implementations will not create files. You must create files
before (re)starting syslogd.
IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g., -/var/log/
maillog, otherwise the syslogd process will use more system resources than Postfix.
Hopefully, the number of problems will be small, but it is a good idea to run every night before
the syslog files are rotated:
# postfix check
# egrep '(reject|warning|error|fatal|panic):' /some/
log/file
● The first line (postfix check) causes Postfix to report file permission/ownership
discrepancies.
● The second line looks for problem reports from the mail software, and reports how
effective the relay and junk mail access blocks are. This may produce a lot of output.
You will want to apply some postprocessing to eliminate uninteresting information.
The DEBUG_README document describes the meaning of the "warning" etc. labels in
Postfix logging.
With the exception of Postfix daemons that deliver mail locally and/or that execute non-Postfix
commands, every Postfix daemon can run chrooted.
Sites with high security requirements should consider to chroot all daemons that talk to the
network: the smtp(8) and smtpd(8) processes, and perhaps also the lmtp(8) client. The author's
own porcupine.org mail server runs all daemons chrooted that can be chrooted.
The default /etc/postfix/master.cf file specifies that no Postfix daemon runs chrooted. In order
to enable chroot operation, edit the file /etc/postfix/master.cf, and follow instructions in the file.
When you're finished, execute "postfix reload" to make the change effective.
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/
spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in
some files or device nodes. The examples/chroot-setup directory in the source code distribution
has a collection of scripts that help you set up Postfix chroot environments on different
operating systems.
Additionally, you almost certainly need to configure syslogd so that it listens on a socket inside
the Postfix queue directory. Examples of syslogd command line options that achieve this for
specific systems:
My own hostname
The myhostname parameter specifies the fully-qualified domain name of the machine running
the Postfix system. $myhostname appears as the default value in many other Postfix
configuration parameters.
By default, myhostname is set to the local machine name. If your local machine name is not in
fully-qualified domain name form, or if you run Postfix on a virtual interface, you will have to
specify the fully-qualified domain name that the mail system should use.
Alternatively, if you specify mydomain in main.cf, then Postfix will use its value to generate a
fully-qualified default value for the myhostname parameter.
/etc/postfix/main.cf:
myhostname = host.local.domain (machine name is
not FQDN)
myhostname = host.virtual.domain (virtual
interface)
myhostname = virtual.domain (virtual interface)
Conversely, if you specify mydomain in main.cf, then Postfix will use its value to generate a
fully-qualified default value for the myhostname parameter.
/etc/postfix/main.cf:
mydomain = local.domain
mydomain = virtual.domain (virtual interface)
You can override the inet_interfaces setting in the Postfix master.cf file by prepending an IP
address to a server name.
The default is to listen on all active interfaces. If you run mailers on virtual interfaces, you will
have to specify what interfaces to listen on.
IMPORTANT: If you run MTAs on virtual interfaces you must specify explicit inet_interfaces
values for the MTA that receives mail for the machine itself: this MTA should never listen on
the virtual interfaces or you would have a mailer loop when a virtual MTA is down.
/etc/postfix/main.cf:
inet_interfaces = all
Example: host running one or more virtual mailers. For each Postfix instance, specify only one
of the following.
/etc/postfix/main.cf:
inet_interfaces = virtual.host.tld
(virtual Postfix)
inet_interfaces = $myhostname localhost... (non-
virtual Postfix)
Note: you need to stop and start Postfix after changing this parameter.
This document describes how to build, install and configure a Postfix system so that it can do
one of the following:
2 - Typographical conventions
In the instructions below, a command written as
# command
A command written as
% command
3 - Documentation
Documentation is available as README files (start with the file README_FILES/
AAAREADME), as HTML web pages (point your browser to "html/index.html") and as UNIX-
style manual pages.
You should view the README files with a pager such as more(1) or less(1), because the files
use backspace characters in order to produce bold font. To print a README file without
backspace characters, use the col(1) command. For example:
In order to view the manual pages before installing Postfix, point your MANPATH
environment variable to the "man" subdirectory; be sure to use an absolute path.
Of particular interest is the postconf(5) manual page that lists all the 300+ configuration
parameters. The HTML version of this text makes it easy to navigate around.
All Postfix source files have their own built-in manual page. Tools to extract those embedded
manual pages are available in the mantools directory.
On Solaris, the "make" command and other utilities for software development are in /usr/ccs/
bin, so you MUST have /usr/ccs/bin in your command search path.
If you need to build Postfix for multiple architectures, use the "lndir" command to build a
shadow tree with symbolic links to the source files. "lndir" is part of X11R6.
If at any time in the build process you get messages like: "make: don't know how to ..." you
should be able to recover by running the following command from the Postfix top-level
directory:
If you copied the Postfix source code after building it on another machine, it is a good idea to
cd into the top-level directory and first do this:
% make tidy
This will get rid of any system dependencies left over from compiling the software elsewhere.
To build with GCC, or with the native compiler if people told me that is better for your system,
just cd into the top-level Postfix directory of the source tree and type:
% make
To build with a non-default compiler, you need to specify the name of the compiler. Here are a
few examples:
By default, Postfix builds as a mail system with relatively few bells and whistles. Support for
third-party databases etc. must be configured when Postfix is compiled. The following
documents describe how to build Postfix with support for extensions:
Note: IP version 6 is still separate from Postfix but is expected to be merged soon.
All Postfix configuration parameters can be changed by editing a Postfix configuration file,
except for one: the parameter that specifies the location of Postfix configuration files. In order
to build Postfix with a configuration directory other than /etc/postfix, use:
IMPORTANT: Be sure to get the quotes right. These details matter a lot.
In order to build Postfix for very large applications, where you expect to run more than 1000
mail delivery processes, you may need to override the definition of the FD_SETSIZE macro to
make select() work correctly:
Warning: the above has no effect on some Linux versions. Apparently, on these systems the
FD_SETSIZE value can be changed only by using undocumented interfaces. Currently, that
means including <bits/types.h> directly (which is not allowed) and overriding the
__FD_SETSIZE macro. Beware, undocumented interfaces can change at any time and without
warning.
If the command
% make
If the command produces compiler error messages, it may be time to search the web or to ask
the postfix-users@postfix.org mailing list, but be sure to search the mailing list archives first.
Some mailing list archives are linked from http://www.postfix.org/.
Add a case statement to the "makedefs" shell script in the source code top-level directory that
recognizes the new system reliably, and that emits the right system-specific information. Be
sure to make the code robust against user PATH settings; if the system offers multiple UNIX
flavors (e.g. BSD and SYSV) be sure to build for the native flavor, instead of the emulated one.
Add an "#ifdef SYSTEMTYPE" section to the central util/sys_defs.h include file. You may
have to invent new feature macro names. Please choose sensible feature macro names such as
HAS_DBM or FIONREAD_IN_SYS_FILIO_H.
I strongly recommend against using "#ifdef SYSTEMTYPE" in individual source files. While
this may look like the quickest solution, it will create a mess when newer versions of the same
SYSTEMTYPE need to be supported. You're likely to end up placing "#ifdef" sections all over
the source code again.
IMPORTANT: if you are REPLACING an existing Sendmail installation with Postfix, you
may need to keep the old sendmail program running for some time in order to flush the mail
queue. As superuser, execute the following commands (your sendmail, newaliases and mailq
programs may be in a different place):
# mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
# mv /usr/bin/newaliases /usr/bin/newaliases.OFF
# mv /usr/bin/mailq /usr/bin/mailq.OFF
# chmod 755 /usr/sbin/sendmail.OFF /usr/bin/
newaliases.OFF \
/usr/bin/mailq.OFF
Before you install Postfix for the first time you need to create an account and a group:
● Create a user account "postfix" with a user id and group id that are not used by any
other user account. Preferably, this is an account that no-one can log into. The account
does not need an executable login shell, and needs no existing home directory. My
password and group file entries look like this:
/etc/passwd:
postfix:*:12345:12345:postfix:/no/where:/no/
shell
/etc/group:
postfix:*:12345:
● Make sure there is a "postfix" alias in /etc/aliases, or whatever the pathname of your
aliases file is; the command "postconf alias_maps" will tell you.
/etc/aliases:
postfix: root
● Create a group "postdrop" with a group id that is not used by any other user account.
Not even by the postfix user account. My group file entry looks like:
/etc/group:
postdrop:*:54321:
To install or upgrade Postfix from compiled source code, run one of the following commands
as the super-user:
● The non-interactive version ("make upgrade") needs the /etc/postfix/main.cf file from a
previous installation. If the file does not exist, use interactive installation ("make
install") instead.
● The interactive version offers suggestions for pathnames that you can override
interactively, and stores your preferences in /etc/postfix/main.cf for convenient future
upgrades.
Proceed to the section on how you wish to run Postfix on your particular machine:
● Send mail only, without changing an existing Sendmail installation (section 7).
● Send and receive mail via a virtual host interface, still without any change to an existing
Sendmail installation (section 8).
Follow the instructions in the "Mandatory configuration file edits" in section 10, and review the
"To chroot or not to chroot" text in section 11.
You MUST comment out the "smtp inet" entry in /etc/postfix/master.cf, in order to avoid
conflicts with the real sendmail. Put a "#" character in front of the line that defines the smtpd
service:
/etc/postfix/master.cf:
#smtp inet n - n -
- smtpd
# postfix start
and watch your maillog file for any error messages. The pathname is /var/log/maillog, /var/log/
mail, /var/log/syslog, or something else. Typically, the pathname is defined in the /etc/syslog.
conf file.
Note: the most important error message is logged first. Later messages are not as useful.
In order to inspect the mail queue, use one of the following commands:
% mailq
% sendmail -bp
% postqueue -p
/etc/postfix/main.cf:
myhostname = virtual.host.tld
inet_interfaces = $myhostname
mydestination = $myhostname
Follow the instructions in the "Mandatory configuration file edits" in section 10, and review the
"To chroot or not to chroot" text in section 11.
# postfix start
and watch your maillog file for any error messages. The pathname is /var/log/maillog, /var/log/
mail, /var/log/syslog, or something else. Typically, the pathname is defined in the /etc/syslog.
conf file.
Note: the most important error message is logged first. Later messages are not as useful.
In order to inspect the mail queue, use one of the following commands:
% mailq
% sendmail -bp
% postqueue -p
# /usr/sbin/sendmail.OFF -q
Note: this is old sendmail syntax. Newer versions use separate processes for mail submission
and for running the queue.
After you have visited the "Mandatory configuration file edits" section below, you can start the
Postfix system with:
# postfix start
and watch your maillog file for any error messages. The pathname is /var/log/maillog, /var/log/
mail, /var/log/syslog, or someting else. Typically, the pathname is defined in the /etc/syslog.
conf file.
Note: the most important error message is logged first. Later messages are not as useful.
In order to inspect the mail queue, use one of the following commands:
% mailq
% sendmail -bp
% postqueue -p
By default, Postfix configuration files are in /etc/postfix. The two most important files are main.
cf and master.cf; these files must be owned by root. Giving someone else write permission to
main.cf or master.cf (or to their parent directories) means giving root privileges to that person.
/etc/postfix/main.cf:
parameter = value
/etc/postfix/main.cf:
other_parameter = $parameter
You can use $parameter before it is given a value (that is the second main difference with
UNIX shell variables). The Postfix configuration language uses lazy evaluation, and does not
look at a parameter value until it is needed at runtime.
Whenever you make a change to the main.cf or master.cf file, execute the following command
in order to refresh a running mail system:
# postfix reload
First of all, you must specify what domain will be appended to an unqualified address (i.e. an
address without @domain.tld). The "myorigin" parameter defaults to the local hostname, but
that is probably OK only for very small sites.
/etc/postfix/main.cf:
myorigin = $myhostname (send mail as "user@
$myhostname")
myorigin = $mydomain (send mail as "user@
$mydomain")
Next you need to specify what mail addresses Postfix should deliver locally.
/etc/postfix/main.cf:
mydestination = $myhostname, localhost.$mydomain,
localhost
mydestination = $myhostname, localhost.$mydomain,
localhost, $mydomain
mydestination = $myhostname
The first example is appropriate for a workstation, the second is appropriate for the mailserver
for an entire domain. The third example should be used when running on a virtual host
interface.
The proxy_interfaces parameter specifies all network addresses that Postfix receives mail on by
way of a proxy or network address translation unit. You may specify symbolic hostnames
instead of network addresses.
IMPORTANT: You must specify your proxy/NAT external addresses when your system is a
backup MX host for other domains, otherwise mail delivery loops will happen when the
primary MX host is down.
/etc/postfix/main.cf:
proxy_interfaces = 1.2.3.4 (the proxy/NAT
external network address)
If your machine is on an open network then you must specify what client IP addresses are
authorized to relay their mail through your machine into the Internet. The default setting
includes all subnetworks that the machine is attached to. This may give relay permission to too
many clients. My own settings are:
/etc/postfix/main.cf:
mynetworks = 168.100.189.0/28, 127.0.0.0/8
If your machine is on an open network then you must also specify whether Postfix will forward
mail from strangers. The default setting will forward mail to all domains (and subdomains of)
what is listed in $mydestination. This may give relay permission for too many destinations.
Recommended settings (use only one):
/etc/postfix/main.cf:
relay_domains = (do not forward mail
from strangers)
relay_domains = $mydomain (my domain and
subdomains)
relay_domains = $mydomain, other.domain.tld, ...
If you're behind a firewall, you should set up a relayhost. If you can, specify the organizational
domain name so that Postfix can use DNS lookups, and so that it can fall back to a secondary
MX host when the primary MX host is down. Otherwise just specify a hard-coded hostname.
/etc/postfix/main.cf:
relayhost = $mydomain
relayhost = [mail.$mydomain]
By default, the SMTP client will do DNS lookups even when you specify a relay host. If your
machine has no access to a DNS server, turn off SMTP client DNS lookups like this:
/etc/postfix/main.cf:
disable_dns_lookups = yes
The STANDARD_CONFIGURATION_README file has more hints and tips for firewalled
and/or dial-up networks.
Finally, if you haven't used Sendmail prior to using Postfix, you will have to build the alias
database with one of the following commands:
# newaliases
# sendmail -bi
Be sure to set up aliases for root and postmaster that forward mail to a real person. Postfix has
a sample aliases file /etc/postfix/aliases that you can adapt to local conditions.
With the exception of Postfix daemons that deliver mail locally and/or that execute non-Postfix
commands, every Postfix daemon can run chrooted.
Sites with high security requirements should consider to chroot all daemons that talk to the
network: the smtp(8) and smtpd(8) processes, and perhaps also the lmtp(8) client. The author's
own porcupine.org mail server runs all daemons chrooted that can be chrooted.
The default /etc/postfix/master.cf file specifies that no Postfix daemon runs chrooted. In order
to enable chroot operation, edit the file /etc/postfix/master.cf. Instructions are in the file.
Note that a chrooted daemon resolves all filenames relative to the Postfix queue directory (/var/
spool/postfix). For successful use of a chroot jail, most UNIX systems require you to bring in
some files or device nodes. The examples/chroot-setup directory in the source code distribution
has a collection of scripts that help you set up Postfix chroot environments on different
operating systems.
Additionally, you almost certainly need to configure syslogd so that it listens on a socket inside
the Postfix queue directory. Examples for specific systems:
FreeBSD:
# mkdir -p /var/spool/postfix/var/run
# syslogd -l /var/spool/postfix/var/run/log
Linux, OpenBSD:
# mkdir -p /var/spool/postfix/dev
# syslogd -a /var/spool/postfix/dev/log
/etc/syslog.conf:
mail.err /dev/
console
mail.debug /var/
log/maillog
IMPORTANT: the syslogd will not create files. You must create them before (re)starting
syslogd.
IMPORTANT: on Linux you need to put a "-" character before the pathname, e.g., -/var/log/
maillog, otherwise the syslogd will use more system resources than Postfix does.
Hopefully, the number of problems will be small, but it is a good idea to run every night before
the syslog files are rotated:
# postfix check
# egrep '(reject|warning|error|fatal|panic):' /some/
log/file
● The first line (postfix check) causes Postfix to report file permission/ownership
discrepancies.
● The second line looks for problem reports from the mail software, and reports how
effective the relay and junk mail access blocks are. This may produce a lot of output.
You will want to apply some postprocessing to eliminate uninteresting information.
The DEBUG_README document describes the meaning of the "warning" etc. labels in
Postfix logging.
Postfix Configuration
Parameters
● Each logical line is in the form "parameter = value". Whitespace around the "=" is
ignored, as is whitespace at the end of a logical line.
● Empty lines and whitespace-only lines are ignored, as are lines whose first non-
whitespace character is a `#'.
● A logical line starts with non-whitespace text. A line that starts with whitespace
continues a logical line.
● When the same parameter is defined multiple times, only the last instance is
remembered.
The recipient of undeliverable mail that cannot be returned to the sender. This feature is
enabled with the notify_classes parameter.
The numerical Postfix SMTP server response code when a client is rejected by an access
(5) map restriction.
Do not change this unless you have a complete understanding of RFC 821.
Optional lookup table for persistent address verification status storage. The table is
maintained by the verify(8) service, and is opened before the process releases privileges.
By default, the information is kept in volatile memory, and is lost after "postfix reload"
or "postfix stop".
Specify a location in a file system that will not fill up. If the database becomes
corrupted, the world comes to an end. To recover delete the file and do "postfix
reload".
Examples:
address_verify_map = hash:/etc/postfix/verify
address_verify_map = btree:/etc/postfix/verify
Enable caching of failed address verification probe results. When this feature is enabled,
the cache may pollute quickly with garbage. When this feature is disabled, Postfix will
generate an address probe for every lookup.
The time after which a failed probe expires from the address verification cache.
The time after which a failed address verification probe needs to be refreshed.
address_verify_poll_count (default: 3)
How many times to query the verify(8) service for the completion of an address
verification request in progress.
Specify 1 to implement a crude form of greylisting, that is, always defer the first
delivery request for a never seen before address.
Example:
address_verify_poll_count = 1
The delay between queries for the completion of an address verification request in
progress.
The time after which a successful probe expires from the address verification cache.
The time after which a successful address verification probe needs to be refreshed. The
address verification status is not updated when the probe fails (optimistic caching).
The sender address to use in address verification probes. To avoid problems with
address probes that are sent in response to address probes, the Postfix SMTP server
excludes the probe sender address from all SMTPD access blocks.
Specify an empty value (address_verify_sender =) or <> if you want to use the null
sender address. Beware, some sites reject mail from <>, even though RFCs require that
such addresses be accepted.
Examples:
address_verify_sender = <>
address_verify_sender = postmaster@my.domain
The name of the verify(8) address verification service. This service maintains the status
of sender and/or recipient address verification probes, and generates probes on request
by other Postfix processes.
The alias databases for local(8) delivery that are updated with "newaliases" or with
"sendmail -bi".
This is a separate configuration parameter because not all the tables specified with
$alias_maps have to be local files.
Examples:
alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases
The alias databases that are used for local(8) delivery. See aliases(5) for syntax details.
The default list is system dependent. On systems with NIS, the default is to search the
local alias database, then the NIS alias database.
If you change the alias database, run "postalias /etc/aliases" (or wherever your system
stores the mail alias file), or simply run "newaliases" to build the necessary DBM or
DB file.
Examples:
Restrict local(8) mail delivery to external commands. The default is to disallow delivery
to "|command" in :include: files (see aliases(5) for the text that defines this
terminology).
Specify zero or more of: alias, forward or include, in order to allow commands in
aliases(5), .forward files or in :include: files, respectively.
Example:
allow_mail_to_commands = alias,forward,include
Restrict local(8) mail delivery to external files. The default is to disallow "/file/name"
destinations in :include: files (see aliases(5) for the text that defines this terminology).
Specify zero or more of: alias, forward or include, in order to allow "/file/name"
destinations in aliases(5), .forward files and in :include: files, respectively.
Example:
allow_mail_to_files = alias,forward,include
Allow a recipient address to have `-' as the first character. By default, this is not
allowed, to avoid accidents with software that passes email addresses via the command
line. Such software would not be able to distinguish a malicious address from a bona
fide command-line option. Although this can be prevented by inserting a "--" option
terminator into the command line, this is difficult to enforce consistently and globally.
Example:
allow_percent_hack = no
By default, this feature is turned off. This closes a nasty open relay loophole where a
backup MX host can be tricked into forwarding junk mail to a primary MX host which
then spams it out to the world.
This parameter also controls if non-local addresses with sender-specified routing can
match Postfix access tables. By default, such addresses cannot match Postfix access
tables, because the address is ambiguous.
A list of non-default Postfix configuration directories that may be specified with "-c
config_directory" on the command line, or via the MAIL_CONFIG environment
parameter.
This list must be specified in the default Postfix configuration directory, and is used by
set-gid Postfix commands such as postqueue(1) and postdrop(1).
Optional address that receives a "blind carbon copy" of each message that is received by
the Postfix mail system.
NOTE: if mail to the BCC address bounces it will be returned to the sender.
NOTE: automatic BCC recipients are produced only for new mail. To avoid mailer
loops, automatic BCC recipients are not generated for mail that Postfix forwards
internally, nor for mail that Postfix generates itself.
The time unit over which client connection rates and other rates are calculated.
This feature is implemented by the anvil(8) service which is not part of the stable
The default interval is relatively short. Because of the high frequency of updates, the
anvil(8) server uses volatile memory only. Thus, information is lost whenever the
process terminates.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
How frequently the anvil(8) connection and rate limiting server logs peak usage
information.
This feature is implemented by the anvil(8) service which is not part of the stable
Postfix 2.1 release.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
With locally submitted mail, append the string "@$myorigin" to mail addresses without
domain information. With remotely submitted mail, append the string "@
$remote_header_rewrite_domain" instead.
This feature is enabled by default and must not be turned off. Postfix does not support
domain-less addresses.
With locally submitted mail, append the string ".$mydomain" to addresses that have no
".domain" information. With remotely submitted mail, append the string ".
$remote_header_rewrite_domain" instead.
This feature is enabled by default. If disabled, users will not be able to send mail to
"user@partialdomainname" but will have to specify full domain names instead.
How long the postkick(1) command waits for a request to enter the server's input buffer
before giving up.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
By default, all users are allowed to flush the queue. Access is always granted if the
invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the
process is looked up in the system password file, and access is granted only if the
corresponding login name is on the access list. The username "unknown" is used for
processes whose real UID is not found in the password file.
By default, all users are allowed to view the queue. Access is always granted if the
invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the
process is looked up in the system password file, and access is granted only if the
corresponding login name is on the access list. The username "unknown" is used for
processes whose real UID is not found in the password file.
replaced by its contents; a "type:table" lookup table is matched when a name matches a
lookup key (the lookup result is ignored). Continue long lines by starting the next line
with whitespace.
List of users who are authorized to submit mail with the sendmail(1) command (and
with the privileged postdrop(1) helper command).
By default, all users are allowed to submit mail. Otherwise, the real UID of the process
is looked up in the system password file, and access is granted only if the corresponding
login name is on the access list. The username "unknown" is used for processes whose
real UID is not found in the password file. To deny mail submission access to all users
specify an empty list.
What SMTP clients are allowed to specify the XVERP command. This command
requests that mail be delivered one recipient at a time with a per recipient return
address.
This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed
this parameter to smtpd_authorized_verp_clients and changed the default to none.
Produce additional bounce(8) logfile records that can be read by older Postfix versions.
The current and more extensible "name = value" format is needed in order to implement
more sophisticated functionality.
The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables.
Specify a byte count.
The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables.
Specify a byte count.
Where the Postfix SMTP client should deliver mail when it detects a "mail loops back
to myself" error condition. This happens when the local MTA is the best SMTP mail
exchanger for a destination not listed in $mydestination, $inet_interfaces,
$proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default,
the Postfix SMTP client returns such mail as undeliverable.
Specify, for example, "best_mx_transport = local" to pass the mail from the SMTP
client to the local(8) delivery agent. You can specify any message delivery "transport"
or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual
page for the syntax and meaning of "transport" or "transport:nexthop".
However, this feature is expensive because it ties up a Postfix SMTP client process
while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to
list all hosted domains in a table or database.
Whether or not to use the local biff service. This service sends "new mail" notifications
to users who have requested new mail notification with the UNIX command "biff y".
Optional lookup tables for content inspection as specified in the body_checks(5) manual
page.
Note: with Postfix versions before 2.0, these rules inspect all content after the primary
message headers.
How much text in a message body segment (or attachment, if you prefer to use that
term) is subjected to body_checks inspection. The amount of text is limited to avoid
scanning huge attachments.
The recipient of postmaster notifications with the message headers of mail that Postfix
did not deliver and of SMTP conversation transcripts of mail that Postfix did not
receive. This feature is enabled with the notify_classes parameter.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is d (days).
The name of the bounce(8) service. This service maintains a record of failed delivery
attempts and generates non-delivery notifications.
The maximal amount of original message text that is sent in a non-delivery notification.
Specify a byte count. If you increase this limit, then you should increase the
mime_nesting_limit value proportionally.
Enable inter-operability with SMTP clients that implement an obsolete version of the
AUTH command (RFC 2554). Examples of such clients are MicroSoft Outlook Express
version 4 and MicroSoft Exchange version 5.0.
Optional address mapping lookup tables for message headers and envelopes. The
mapping is applied to both sender and recipient addresses, in both envelopes and in
headers, as controlled with the canonical_classes parameter. This is typically used to
clean up dirty addresses from legacy mail systems, or to replace login names by
Firstname.Lastname. The table format and lookups are documented in canonical(5).
If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary
DBM or DB file after every change. The changes will become visible after a minute or
so. Use "postfix reload" to eliminate the delay.
Examples:
canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical
The name of the cleanup(8) service. This service rewrites addresses into the standard
form, and performs canonical(5) address mapping and virtual(5) aliasing.
The local(8) delivery agent working directory for delivery to external command. Failure
to change directory causes the delivery to be deferred.
$user
Restrict the characters that the local(8) delivery agent allows in $name expansions of
$mailbox_command. Characters outside the allowed set are replaced by underscores.
Time limit for delivery to external commands. This limit is used by the local(8) delivery
agent, and is the default time limit for delivery by the pipe(8) delivery agent.
Note: if you set this time limit to a large value you must update the global ipc_timeout
parameter as well.
The default location of the Postfix main.cf and master.cf configuration files. This can be
overruled via the following mechanisms:
With Postfix command that run with set-gid privileges, a config_directory override
requires either root privileges, or it requires that the directory is listed with the
alternate_config_directories parameter in the default main.cf file.
The name of a mail delivery transport that filters mail after it is queued.
This parameter uses the same syntax as the right-hand side of a Postfix transport(5)
table. This setting has a lower precedence than a content filter that is specified with an
access(5) table or in a header_checks(5) or body_checks(5) table.
The directory with Postfix support programs and daemon programs. These should not
be invoked directly by humans. The directory must be owned by root.
How much time a Postfix daemon process may take to handle a request before it is
terminated by a built-in watchdog timer.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
debug_peer_level (default: 2)
The increment in verbose logging level when a remote client or server matches a pattern
in the debug_peer_list parameter.
Optional list of remote client or server hostname or network address patterns that cause
the verbose logging level to increase by the amount specified in $debug_peer_level.
Examples:
debug_peer_list = 127.0.0.1
debug_peer_list = some.domain
The external command to execute when a Postfix daemon program is invoked with the -
D option.
Use "command .. & sleep 5" so that the debugger can attach before the process marches
on. If you use an X-based debugger, be sure to set up your XAUTHORITY environment
variable before starting Postfix.
Example:
debugger_command =
PATH=/usr/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id &
sleep 5
The default database type for use in newaliases(1), postalias(1) and postmap(1)
commands. On many UNIX systems the default type is either dbm or hash. The default
setting is frozen when the Postfix system is built.
Examples:
default_database_type = hash
default_database_type = dbm
default_delivery_slot_cost (default: 5)
How often the Postfix queue manager's scheduler is allowed to preempt delivery of one
message with another.
Each transport maintains a so-called "available delivery slot counter" for each message.
One message can be preempted by another one when the other message can be delivered
using no more delivery slots (i.e., invocations of delivery agents) than the current
message counter has accumulated (or will eventually accumulate - see about slot loans
below). This parameter controls how often is the counter incremented - it happens after
each default_delivery_slot_cost recipients have been delivered.
The cost of 0 is used to disable the preempting scheduling completely. The minimum
value the scheduling algorithm can use is 2 - use it if you want to maximize the message
throughput rate. Although there is no maximum, it doesn't make much sense to use
values above say 50.
The only reason why the value of 2 is not the default is the way this parameter affects
the delivery of mailing-list mail. In the worst case, their delivery can take somewhere
between (cost+1/cost) and (cost/cost-1) times more than if the preemptive scheduler was
disabled. The default value of 5 turns out to provide reasonable message response times
while making sure the mailing-list deliveries are not extended by more than 20-25
percent even in the worst case.
Examples:
default_delivery_slot_cost = 0
default_delivery_slot_cost = 2
This parameter speeds up the moment when a message preemption can happen. Instead
of waiting until the full amount of delivery slots required is available, the preemption
can happen when transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that the full amount
will still have to be accumulated before another preemption can take place later.
default_delivery_slot_loan (default: 3)
This parameter speeds up the moment when a message preemption can happen. Instead
of waiting until the full amount of delivery slots required is available, the preemption
can happen when transport_delivery_slot_discount percent of the required amount plus
transport_delivery_slot_loan still remains to be accumulated. Note that the full amount
will still have to be accumulated before another preemption can take place later.
The default maximal number of parallel deliveries to the same destination. This is the
default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.
The default maximal number of recipients per message delivery. This is the default limit
for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.
Setting this parameter to a value of 1 changes the meaning of the corresponding per-
destination concurrency limit from concurrency per domain into concurrency per
recipient.
The default value for the extra per-transport limit imposed on the number of in-memory
recipients. This extra recipient space is reserved for the cases when the Postfix queue
manager's scheduler preempts one message with another and suddenly needs some extra
recipients slots for the chosen message in order to avoid performance degradation.
default_minimum_delivery_slots (default: 3)
How many recipients a message must have in order to invoke the Postfix queue
manager's scheduling algorithm at all. Messages which would never accumulate at least
this many delivery slots (subject to slot cost parameter as well) are never preempted.
The default rights used by the local(8) delivery agent for delivery to external file or
command. These rights are used when delivery is requested from an aliases(5) file that
is owned by root, or when delivery is done on behalf of root. DO NOT SPECIFY A
PRIVILEGED USER OR THE POSTFIX OWNER.
The default maximal number of Postfix child processes that provide a given service.
This limit can be overruled for specific services in the master.cf file.
The default SMTP server response template for a request that is rejected by an RBL-
based restriction. This template can be overruled by specific entries in the optional
rbl_reply_maps lookup table.
$client
The client hostname and IP address, formatted as name[address].
$client_address
The client IP address.
$client_name
The client hostname or "unknown".
$helo_name
The hostname given in HELO or EHLO command or empty string.
$rbl_class
The blacklisted entity type: Client host, Helo command, Sender address, or
Recipient address.
$rbl_code
The numerical SMTP response code, as specified with the maps_rbl_reject_code
configuration parameter.
$rbl_domain
The RBL domain where $rbl_what is blacklisted.
$rbl_reason
The reason why $rbl_what is blacklisted, or an empty string.
$rbl_what
The entity that is blacklisted (an IP address, a hostname, a domain name, or an
email address whose domain was blacklisted).
$recipient
The recipient address or <> in case of the null address.
$recipient_domain
The recipient domain or empty string.
$recipient_name
The recipient address localpart or <> in case of null address.
$sender
The sender address or <> in case of the null address.
$sender_domain
The sender domain or empty string.
$sender_name
The sender address localpart or <> in case of the null address.
${name?text}
Expands to `text' if $name is not empty.
${name:text}
Expands to `text' if $name is empty.
The default per-transport upper limit on the number of in-memory recipients. These
limits take priority over the global qmgr_message_recipient_limit after the message has
been assigned to the respective transports. See also default_extra_recipient_limit and
qmgr_message_recipient_minimum.
The default mail delivery transport for domains that do not match $mydestination,
$inet_interfaces, $proxy_interfaces, $virtual_alias_domains,
$virtual_mailbox_domains, or $relay_domains. This information can be overruled with
the transport(5) table.
Specify a string of the form transport:nexthop, where transport is the name of a mail
delivery transport defined in master.cf. The :nexthop part is optional. For more details
see the transport(5) manual page.
Example:
default_transport = uucp:relayhostname
The two default VERP delimiter characters. These are used when no explicit delimiters
are specified with the SMTP XVERP command or with the "sendmail -V" command-
line option. Specify characters that are allowed by the verp_delimiter_filter setting.
The numerical Postfix SMTP server response code when a remote SMTP client request
is rejected by the "defer" restriction.
Do not change this unless you have a complete understanding of RFC 821.
The name of the defer(8) service. This service maintains a record of failed delivery
attempts and generates non-delivery notifications.
The names of message delivery transports that should not be delivered to unless
someone issues "sendmail -q" or equivalent. Specify zero or more names of mail
delivery transports names that appear in the first field of master.cf.
Example:
defer_transports = smtp
The recipient of postmaster notifications with the message headers of mail that cannot
be delivered within $delay_warning_time time units.
The time after which the sender receives the message headers of mail that is still
queued.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is h (hours).
The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8)
logfile.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are
looked up with the gethostbyname() system library routine which normally also looks
in /etc/hosts.
Turn off MIME processing while receiving mail. This means that no special treatment is
given to Content-Type: message headers, and that all text after the initial message
headers is considered to be part of the message body.
Mime input processing is enabled by default, and is needed in order to recognize MIME
headers in message content.
Disable the conversion of 8BITMIME format to 7BIT format. Mime output conversion
is needed when the destination does not advertise 8BITMIME support.
Disable the SMTP VRFY command. This stops some techniques used to harvest email
addresses.
Example:
disable_vrfy_command = no
dont_remove (default: 0)
Don't remove queue files and save them to the "saved" mail queue. This is a debugging
aid. To inspect the envelope information and content of a Postfix queue file, use the
postcat(1) command.
The sender address of postmaster notifications that are generated by the mail system.
All mail to this address is silently discarded, in order to terminate mail bounce loops.
The maximal number of addresses remembered by the address duplicate filter for aliases
(5) or virtual(5) alias expansion, or for showq(8) queue displays.
The recipient of mail addressed to the null address. Postfix does not accept such
addresses in SMTP commands, but they may still be created locally as the result of
configuration or software error.
Report mail delivery errors to the address specified with the non-standard Errors-To:
message header, instead of the envelope sender address. This support is disabled by
default with Postfix 2.1 and later, and is always turned on with older Postfix versions.
Enable support for the X-Original-To message header. This header is needed for multi-
recipient mailboxes.
When this parameter is set to yes, the cleanup(8) daemon performs duplicate
elimination on distinct pairs of (original recipient, rewritten recipient), and generates
non-empty original recipient queue file records.
When this parameter is set to no, the cleanup(8) daemon performs duplicate elimination
on the rewritten recipient address only, and generates empty original recipient queue file
records.
This feature is available in Postfix 2.1 and later. With Postfix 2.0, support for the X-
Original-To message header is always turned on. Postfix versions before 2.0 have no
support for the X-Original-To message header.
The recipient of postmaster notifications about mail delivery problems that are caused
by policy, resource, software or protocol errors. These notifications are enabled with the
notify_classes parameter.
The name of the error(8) pseudo delivery agent. This service always returns mail as
undeliverable.
Restrict the characters that the local(8) delivery agent allows in $name expansions of
The list of environment variables that a Postfix process will export to non-Postfix
processes. The TZ variable is needed for sane time keeping on System-V-ish systems.
Example:
export_environment = TZ PATH=/bin:/usr/bin
The maximal number of recipient addresses that Postfix will extract from message
headers when mail is submitted with "sendmail -t".
Optional list of relay hosts for SMTP destinations that can't be found or that are
unreachable.
By default, mail is returned to the sender when a destination is not found, and delivery
is deferred if a destination is unreachable.
The fallback relays must be SMTP destinations. Specify a domain, host, host:port,
[host]:port, [address] or [address]:port; the form [host] turns off MX lookups. If you
specify multiple SMTP destinations, Postfix will try them in the specified order.
Optional message delivery transport that the local(8) delivery agent should use for
names that are not found in the aliases(5) database or in the UNIX passwd database.
Optional list of destinations that are eligible for per-destination logfiles with mail that is
queued to those destinations.
By default, Postfix maintains "fast flush" logfiles only for destinations that the Postfix
SMTP server is willing to relay to (i.e. the default is: "fast_flush_domains =
$relay_domains"; see the relay_domains parameter in the postconf(5) manual).
The time after which an empty per-destination "fast flush" logfile is deleted.
You can specify the time as a number, or as a number followed by a letter that indicates
the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit
is days.
The time after which a non-empty but unread per-destination "fast flush" logfile needs
to be refreshed. The contents of a logfile are refreshed by requesting delivery of all
messages listed in the logfile.
You can specify the time as a number, or as a number followed by a letter that indicates
the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit
is hours.
fault_injection_code (default: 0)
Force specific internal tests to fail, to test the handling of errors that are difficult to
reproduce otherwise.
The name of the flush(8) service. This service maintains per-destination logfiles with
the queue file names of mail that is queued for those destinations.
fork_attempts (default: 5)
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Restrict the characters that the local(8) delivery agent allows in $name expansions of
$forward_path. Characters outside the allowed set are replaced by underscores.
The local(8) delivery agent search list for finding a .forward file with user-specified
delivery methods. The first file that is found is used.
The following $name expansions are done on forward_path before the search actually
happens. The result of $name expansion is filtered with the character set that is
specified with the forward_expansion_filter parameter.
$user
Examples:
forward_path = /var/forward/$user
forward_path =
/var/forward/$user/.forward$recipient_delimiter
$extension,
/var/forward/$user/.forward
hash_queue_depth (default: 1)
The number of subdirectory levels for queue directories listed with the
hash_queue_names parameter.
The names of queue directories that are split across multiple subdirectory levels.
The maximal number of address tokens are allowed in an address message header.
Information that exceeds the limit is discarded. The limit is enforced by the cleanup(8)
server.
Optional lookup tables for content inspection of primary non-MIME message headers,
as specified in the header_checks(5) manual page.
The maximal amount of memory in bytes for storing a message header. If a header is
larger, the excess is discarded. The limit is enforced by the cleanup(8) server.
The precedence of local(8) delivery features from high to low is: aliases, .forward files,
mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport and luser_relay.
Examples:
home_mailbox = Mailbox
home_mailbox = Maildir/
The maximal number of Received: message headers that is allowed in the primary
message headers. A message that exceeds the limit is bounced, in order to stop a mailer
loop.
The location of Postfix HTML files that describe how to build, configure or operate a
specific Postfix subsystem or feature.
Ignore DNS MX lookups that produce no response. By default, the Postfix SMTP client
defers delivery and tries again after some delay. This behavior is required by the SMTP
standard.
The list of environment parameters that a Postfix process will import from a non-Postfix
parent process. Examples of relevant parameters:
TZ
Needed for sane time keeping on most System-V-ish systems.
DISPLAY
Needed for debugging Postfix daemons with an X-windows debugger.
XAUTHORITY
Needed for debugging Postfix daemons with an X-windows debugger.
MAIL_CONFIG
Needed to make "postfix -c" work.
Time to pause before accepting a new message, when the message arrival rate exceeds
the message delivery rate. This feature is turned on by default (it's disabled on SCO
UNIX due to an SCO bug).
With the default 100 SMTP server process limit, "in_flow_delay = 1s" limits the mail
inflow to 100 messages per second above the number of messages delivered per second.
The network interface addresses that this mail system receives mail on. By default, the
software claims all active interfaces on the machine. The parameter also controls
delivery of mail to user@[ip.address].
When inet_interfaces consists of just one IP address that is not a loopback (net 127)
address, the Postfix SMTP client will use this address as the IP source address for
outbound mail.
On a multi-homed firewall with separate Postfix instances listening on the "inside" and
"outside" interfaces, this can prevent each instance from being able to reach servers on
the "other side" of the firewall. Setting smtp_bind_address to 0.0.0.0 avoids the
potential problem.
A better solution is to leave inet_interfaces at the default value and instead use explicit
IP addresses in master.cf. This preserves SMTP loop detection, by ensuring that each
side of the firewall knows that the other IP address is still the same host. Setting
$inet_interfaces to a single IP address is primarily useful with virtual hosting of
domains on secondary IP addresses, when each IP address serves a different domain
(and has a different $myhostname setting).
See also the proxy_interfaces parameter, for network addresses that are forwarded to us
by way of a proxy or address translator.
Note: you need to stop and start Postfix when this parameter changes.
initial_destination_concurrency (default: 5)
The initial per-destination concurrency level for parallel delivery to the same
destination. This limit applies to delivery via smtp(8), and via the pipe(8) and virtual(8)
delivery agents.
Warning: with concurrency of 1, one bad message can be enough to block all mail to a
site.
The numerical Postfix SMTP server response code when the client HELO or EHLO
command parameter is rejected by the reject_invalid_hostname restriction.
Do not change this unless you have a complete understanding of RFC 821.
The time after which a client closes an idle internal communication channel. The
purpose is to allow servers to terminate voluntarily after they become idle. This is used,
for example, by the address resolving and rewriting clients.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The time limit for sending or receiving information over an internal communication
channel. The purpose is to break out of deadlock situations. If the time limit is exceeded
the software aborts with a fatal error.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The time after which a client closes an active internal communication channel. The
purpose is to allow servers to terminate voluntarily after reaching their client limit. This
is used, for example, by the address resolving and rewriting clients.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Upon input, long lines are chopped up into pieces of at most this length; upon delivery,
long lines are reconstructed.
Keep Postfix LMTP client connections open for up to $max_idle seconds. When the
LMTP client receives a request for the same connection the connection is reused.
❍ The LMTP client idle time limit is reached. This limit is specified with the
Postfix max_idle configuration parameter.
❍ A delivery request specifies a different destination than the one currently cached.
❍ The per-process limit on the number of delivery requests is reached. This limit is
specified with the Postfix max_use configuration parameter.
❍ Upon the onset of another delivery request, the LMTP server associated with the
current session does not respond to the RSET command.
Most of these limitations will be removed after Postfix implements a connection cache
that is shared among multiple LMTP client programs.
The LMTP client time limit for completing a TCP connection, or zero (use the operating
system built-in time limit). When no connection can be made within the deadline, the
LMTP client tries the next address on the mail exchanger list.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Example:
lmtp_connect_timeout = 30s
The LMTP client time limit for sending the LMTP ".", and for receiving the server
response. When no response is received within the deadline, a warning is logged that the
mail may be delivered multiple times.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the LMTP DATA command, and for receiving
the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the LMTP message content. When the
connection stalls for more than $lmtp_data_xfer_timeout the LMTP client terminates
the transfer.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The maximal number of parallel deliveries to the same destination via the lmtp message
delivery transport. This limit is enforced by the queue manager. The message delivery
transport name is the first field in the entry in the master.cf file.
The maximal number of recipients per delivery via the lmtp message delivery transport.
This limit is enforced by the queue manager. The message delivery transport name is
the first field in the entry in the master.cf file.
recipient.
The LMTP client time limit for receiving the LMTP greeting banner. When the server
drops the connection without sending a greeting banner, or when it sends no greeting
banner within the deadline, the LMTP client tries the next address on the mail
exchanger list.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the MAIL FROM command, and for receiving
the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the QUIT command, and for receiving the
server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the RCPT TO command, and for receiving the
server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The LMTP client time limit for sending the RSET command, and for receiving the
server response. The LMTP client sends RSET in order to finish a recipient address
probe, or to verify that a cached connection is still alive.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Optional LMTP client lookup tables with one username:password entry per host or
domain. If a remote host or domain has no username:password entry, then the Postfix
LMTP client will not attempt to authenticate to the remote host.
What authentication mechanisms the Postfix LMTP client is allowed to use. The list of
available authentication mechanisms is system dependent.
noplaintext
Disallow authentication methods that use plaintext passwords.
noactive
Disallow authentication methods that are vulnerable to non-dictionary active
attacks.
nodictionary
Disallow authentication methods that are vulnerable to passive dictionary attack.
noanonymous
Disallow anonymous logins.
Example:
lmtp_sasl_security_options = noplaintext
Send an XFORWARD command to the LMTP server when the LMTP LHLO server
response announces XFORWARD support. This allows an lmtp(8) delivery agent, used
for content filter message injection, to forward the name, address, protocol and HELO
name of the original client to the content filter and downstream queuing LMTP server.
Before you change the value to yes, it is best to make sure that your content filter
supports this command.
The default TCP port that the Postfix LMTP client connects to.
The LMTP client time limit for sending the XFORWARD command, and for receiving
the server response.
In case of problems the client does NOT try the next address on the mail exchanger list.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Optional shell program for local(8) delivery to non-Postfix command. By default, non-
Postfix commands are executed directly; commands are given to given to /bin/sh only
when they contain shell meta characters or shell built-in commands.
"sendmail's restricted shell" (smrsh) is what most people will use in order to restrict
what programs can be run from e.g. .forward files (smrsh is part of the Sendmail
distribution).
Note: when a shell program is specified, it is invoked even when the command contains
no shell built-in commands or meta characters.
Example:
local_command_shell = /some/where/smrsh -c
local_destination_concurrency_limit (default: 2)
The maximal number of parallel deliveries via the local mail delivery transport to the
same recipient (when "local_destination_recipient_limit = 1") or the maximal number of
parallel deliveries to the same local domain (when "local_destination_recipient_limit >
1"). This limit is enforced by the queue manager. The message delivery transport name
is the first field in the entry in the master.cf file.
A low limit of 2 is recommended, just in case someone has an expensive shell command
in a .forward file or in an alias (e.g., a mailing list manager). You don't want to run lots
of those at the same time.
local_destination_recipient_limit (default: 1)
The maximal number of recipients per message delivery via the local mail delivery
transport. This limit is enforced by the queue manager. The message delivery transport
name is the first field in the entry in the master.cf file.
permit_mynetworks
Append the domain name in $myorigin or $mydomain when the client IP
address matches any network or network address listed in $mynetworks. This is
enabled by default.
permit_sasl_authenticated
Append the domain name in $myorigin or $mydomain when the client is
successfully authenticated via the RFC 2554 (AUTH) protocol. This is enabled
by default.
permit_tls_clientcerts
Append the domain name in $myorigin or $mydomain when the client TLS
Examples:
The backwards compatible setting: always rewrite message headers, and always append
my own domain to incomplete header addresses.
local_header_rewrite_clients = static:all
The purist setting: rewrite headers only in mail from Postfix sendmail and in SMTP
mail from this machine.
mynetworks_style = host
local_header_rewrite_clients = permit_mynetworks
The default setting: rewrite headers and append my own domain only with mail from
Postfix sendmail and from local or authorized SMTP clients.
local_header_rewrite_clients = permit_mynetworks,
permit_sasl_authenticated permit_tls_clientcerts
local_header_rewrite_clients = permit_mynetworks,
permit_sasl_authenticated permit_tls_clientcerts
check_address_map hash:/etc/postfix/pop-before-smtp
Lookup tables with all names or addresses of local recipients: a recipient address is local
when its domain matches $mydestination, $inet_interfaces or $proxy_interfaces.
Specify @domain as a wild-card for domains that do not have a valid recipient list.
Technically, tables listed with $local_recipient_maps are used as lists: Postfix needs to
know only if a lookup string is found or not, but it does not use the result from table
lookup.
If this parameter is non-empty (the default), then the Postfix SMTP server will reject
mail for unknown local users.
To turn off local recipient checking in the Postfix SMTP server, specify
"local_recipient_maps =" (i.e. empty).
The default setting assumes that you use the default Postfix local delivery agent for
local delivery. You need to update the local_recipient_maps setting if:
Beware: if the Postfix SMTP server runs chrooted, you need to access the passwd file
via the proxymap(8) service, in order to overcome chroot access restrictions. The
alternative, maintaining a copy of the system password file in the chroot jail is not
practical.
Examples:
local_recipient_maps =
The default mail delivery transport for domains that match $mydestination,
$inet_interfaces or $proxy_interfaces. This information can be overruled with the
transport(5) table.
By default, local mail is delivered to the transport called "local", which is just the name
Specify a string of the form transport:nexthop, where transport is the name of a mail
delivery transport defined in master.cf. The :nexthop part is optional. For more details
see the transport(5) manual page.
Beware: if you override the default local delivery agent then you need to review the
LOCAL_RECIPIENT_README document, otherwise the SMTP server may reject
mail for local recipients.
Optional catch-all destination for unknown local(8) recipients. By default, mail for
unknown recipients in domains that match $mydestination, $inet_interfaces or
$proxy_interfaces is returned as undeliverable.
$domain
The recipient domain.
$extension
The recipient address extension.
$home
The recipient's home directory.
$local
The entire recipient address localpart.
$recipient
The full recipient address.
$recipient_delimiter
The system-wide recipient address extension delimiter.
$shell
The recipient's login shell.
$user
The recipient username.
${name?value}
Expands to value when $name has a non-empty value.
${name:value}
Expands to value when $name has an empty value.
Note: luser_relay works only for the Postfix local(8) delivery agent.
NOTE: if you use this feature for accounts not in the UNIX password file, then you
must specify "local_recipient_maps =" (i.e. empty) in the main.cf file, otherwise the
Postfix SMTP server will reject mail for non-UNIX accounts with "User unknown in
local recipient table".
Examples:
luser_relay = $user@other.host
luser_relay = $local@other.host
luser_relay = admin+$local
The mail system name that is displayed in Received: headers, in the SMTP greeting
banner, and in bounced mail.
The UNIX system account that owns the Postfix queue and most Postfix daemon
processes. Specify the name of a user account that does not share a group with other
accounts and that owns no other files or processes on the system. In particular, don't
specify nobody or daemon. PLEASE USE A DEDICATED USER ID AND GROUP
ID.
The directory where local(8) UNIX-style mailboxes are kept. The default setting
depends on the system type. Specify a name ending in / for maildir-style delivery.
Note: maildir delivery is done with the privileges of the recipient. If you use the
mail_spool_directory setting for maildir style delivery, then you must create the top-
level maildir directory in advance. Postfix will not create it.
Examples:
mail_spool_directory = /var/mail
mail_spool_directory = /var/spool/mail
The version of the mail system. Stable releases are named major.minor.patchlevel.
Experimental releases also include the release date. The version string can be used in,
for example, the SMTP greeting banner.
Optional external command that the local(8) delivery agent should use for mailbox
delivery. The command is run with the user ID and the primary group ID privileges of
the recipient. Exception: command delivery for root executes with $default_privs
privileges. This is not a problem, because 1) mail for root should always be aliased to a
real user and 2) don't log in as root, use "su" instead.
CLIENT_ADDRESS
Remote client network address. Available in Postfix 2.2 and later.
CLIENT_HELO
Remote client EHLO command parameter. Available in Postfix 2.2 and later.
CLIENT_HOSTNAME
Remote client hostname. Available in Postfix 2.2 and later.
CLIENT_PROTOCOL
Remote client protocol. Available in Postfix 2.2 and later.
DOMAIN
The domain part of the recipient address.
EXTENSION
The optional address extension.
HOME
The recipient home directory.
LOCAL
The recipient address localpart.
LOGNAME
The recipient's username.
RECIPIENT
The full recipient address.
SASL_METHOD
If you can, avoid shell meta characters because they will force Postfix to run an
expensive shell process. If you're delivering via Procmail then running a shell won't
make a noticeable difference in the total cost.
Note: if you use the mailbox_command feature to deliver mail system-wide, you must
set up an alias that forwards mail for root to a real user.
The precedence of local(8) delivery features from high to low is: aliases, .forward files,
mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport and luser_relay.
Examples:
mailbox_command = /some/where/procmail
mailbox_command = /some/where/procmail -a "$EXTENSION"
mailbox_command = /some/where/maildrop -d "$USER"
-f "$SENDER" "$EXTENSION"
Optional lookup tables with per-recipient external commands to use for local(8)
The precedence of local(8) delivery features from high to low is: aliases, .forward files,
mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport and luser_relay.
How to lock a UNIX-style local(8) mailbox before attempting delivery. For a list of
available file locking methods, use the "postconf -l" command.
This setting is ignored with maildir style delivery, because such deliveries are safe
without explicit locks.
Note: The dotlock method requires that the recipient UID or GID has write access to
the parent directory of the mailbox file.
The maximal size of any local(8) individual mailbox or maildir file, or zero (no limit).
In fact, this limits the size of any file that is written to upon local delivery, including
files written by external commands that are executed by the local(8) delivery agent.
This limit must not be smaller than the message size limit.
Optional message delivery transport that the local(8) delivery agent should use for
mailbox delivery to all local recipients, whether or not they are found in the UNIX
passwd database.
The precedence of local(8) delivery features from high to low is: aliases, .forward files,
mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox,
mail_spool_directory, fallback_transport and luser_relay.
Sendmail compatibility feature that specifies where the Postfix mailq(1) command is
installed. This command can be used to list the Postfix mail queue.
The numerical Postfix SMTP server response code when a remote SMTP client request
is blocked by the reject_rbl_client, reject_rhsbl_client, reject_rhsbl_sender or
reject_rhsbl_recipient restriction.
Do not change this unless you have a complete understanding of RFC 821.
Optional list of domains whose subdomain structure will be stripped off in email
addresses.
The list is processed left to right, and processing stops at the first match. Thus,
"user@any.thing.else.example.com" to "user@example.com".
A domain name prefixed with ! means do not masquerade this domain or its
subdomains. Thus,
Example:
masquerade_domains = $mydomain
Optional list of user names that are not subjected to address masquerading, even when
their address matches $masquerade_domains.
Examples:
The maximum amount of time that an idle Postfix daemon process waits for the next
service request before exiting. This parameter is ignored by the Postfix queue manager.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is d (days).
The maximal length of MIME multipart boundary strings. The MIME processor is
unable to distinguish between boundary strings that do not differ in the first
$mime_boundary_length_limit characters.
Optional lookup tables for content inspection of MIME related message headers, as
described in the header_checks(5) manual page.
The maximal recursion level that the MIME processor will handle. Postfix refuses mail
that is nested deeper than the specified limit.
The minimal time between attempts to deliver a deferred message. This parameter also
limits the time an unreachable destination is kept in the short-term, in-memory,
destination status cache.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The numerical Postfix SMTP server response code when a remote SMTP client request
is blocked by the reject_multi_recipient_bounce restriction.
Do not change this unless you have a complete understanding of RFC 821.
The list of domains that are delivered via the $local_transport mail delivery transport.
By default this is the Postfix local(8) delivery agent which looks up all recipients in /etc/
passwd and /etc/aliases. The SMTP server validates recipient addresses with
$local_recipient_maps and rejects non-existent recipients. See also the local domain
class in the ADDRESS_CLASS_README file.
The default mydestination value specifies names for the local machine only. On a mail
domain gateway, you should also include $mydomain.
The $local_transport delivery method is also selected for mail addressed to user@[the.
net.work.address] of the mail system (the IP addresses specified with the inet_interfaces
and proxy_interfaces parameters).
Warnings:
❍ Do not specify the names of virtual domains - those domains are specified
elsewhere. See VIRTUAL_README for more information.
❍ Do not specify the names of domains that this machine is backup MX host for.
See STANDARD_CONFIGURATION_README for how to set up backup MX
hosts.
❍ By default, the Postfix SMTP server rejects mail for recipients not listed with the
local_recipient_maps parameter. See the postconf(5) manual for a description of
the local_recipient_maps and unknown_local_recipient_reject_code parameters.
Examples:
The internet domain name of this mail system. The default is to use $myhostname
minus the first component. $mydomain is used as a default value for many other
configuration parameters.
Example:
mydomain = domain.tld
The internet hostname of this mail system. The default is to use the fully-qualified
domain name from gethostname(). $myhostname is used as a default value for many
other configuration parameters.
Example:
myhostname = host.domain.tld
The list of "trusted" SMTP clients that have more privileges than "strangers".
In particular, "trusted" SMTP clients are allowed to relay mail through Postfix. See the
smtpd_recipient_restrictions parameter description in the postconf(5) manual.
You can specify the list of "trusted" network addresses by hand or you can let Postfix do
it for you (which is the default). See the description of the mynetworks_style parameter
for more information.
If you specify the mynetworks list by hand, Postfix ignores the mynetworks_style
setting.
The netmask specifies the number of bits in the network part of a host address. You can
also specify "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by
its contents; a "type:table" lookup table is matched when a table entry matches a lookup
string (the lookup result is ignored).
The list is matched left to right, and the search stops on the first match. Specify "!
pattern" to exclude an address or network block from the list.
Examples:
The method to generate the default value for the mynetworks parameter. This is the list
of trusted networks for relay access control etc.
❍ Specify "mynetworks_style = host" when Postfix should "trust" only the local
machine.
The domain name that locally-posted mail appears to come from, and that locally posted
mail is delivered to. The default, $myhostname, is adequate for small sites. If you run a
domain with multiple machines, you should (1) change this to $mydomain and (2) set
up a domain-wide alias database that aliases each user to user@that.users.mailhost.
Example:
myorigin = $mydomain
command. This command can be used to rebuild the local(8) aliases(5) database.
The numerical Postfix SMTP server reply code when a client request is rejected by the
reject_non_fqdn_hostname, reject_non_fqdn_sender or reject_non_fqdn_recipient
restriction.
The list of error classes that are reported to the postmaster. The default is to report only
the most serious problems. The paranoid may wish to turn on the policy (UCE and mail
relaying) and protocol error (broken mail software) reports.
Examples:
Restrict the use of the permit_mx_backup SMTP access feature to only domains whose
primary MX hosts match the listed networks.
The name of the pickup(8) service. This service picks up local mail submissions from
the Postfix maildrop queue.
The message delivery contexts where the Postfix local(8) delivery agent prepends a
By default, the Postfix local delivery agent prepends a Delivered-To: header when
forwarding mail and when delivering to file (mailbox) and command. Turning off the
Delivered-To: header when forwarding mail is not recommended.
Example:
prepend_delivered_header = forward
process_id (read-only)
process_name (read-only)
What address lookup tables copy an address extension from the lookup key to the
lookup result.
For example, with a virtual(5) mapping of "joe@domain -> joe.user", the address "joe
+foo@domain" would rewrite to "joe.user+foo".
Specify zero or more of canonical, virtual, alias, forward or include. These cause
address extension propagation with canonical(5), virtual(5), and aliases(5) maps, and
with local(8) .forward and :include: file lookups, respectively.
Note: enabling this feature for types other than canonical and virtual is likely to cause
problems when mail is forwarded to other sites, especially with mail that is sent to a
mailing list exploder address.
Examples:
The network interface addresses that this mail system receives mail on by way of a
proxy or network address translation unit.
You must specify your "outside" proxy/NAT addresses when your system is a backup
MX host for other domains, otherwise mail delivery loops will happen when the
primary MX host is down.
Example:
proxy_interfaces = 1.2.3.4
The lookup tables that the proxymap(8) server is allowed to access. Table references
that don't begin with proxy: are ignored. The proxymap(8) table accesses are read-only.
The minimal delay between warnings that a specific destination is clogging up the
Postfix active queue. Specify 0 to disable.
Obsolete feature: the percentage of delivery resources that a busy mail system will use
up for delivery of a large mailing list message.
This feature exists only in the oqmgr(8) old queue manager. The current queue manager
solves the problem in a better way.
The maximal number of recipients held in memory by the Postfix queue manager, and
the maximal size of the size of the short-term, in-memory "dead" destination status
cache.
The minimal number of in-memory recipients for any message. This takes priority over
any other in-memory recipient limits (i.e., the global qmgr_message_recipient_limit and
the per transport _recipient_limit) if necessary. The minimum value allowed for this
parameter is 1.
By default, no client is allowed to use the service. This is because the QMQP server will
relay mail to any destination.
Specify a list of client patterns. A list pattern specifies a host name, a domain name, an
internet address, or a network/mask pattern, where the mask specifies the number of bits
in the network part. When a pattern specifies a file name, its contents are substituted for
the file name; when a pattern is a "type:table" table specification, table lookup is used
instead.
Patterns are separated by whitespace and/or commas. In order to reverse the result,
precede a non-file name pattern with an exclamation point (!).
Example:
How long the QMQP server will pause before sending a negative reply to the client. The
purpose is to slow down confused or malicious clients.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The time limit for sending or receiving information over the network. If a read or write
operation blocks for more than $qmqpd_timeout seconds the QMQP server gives up and
disconnects.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The location of the Postfix top-level queue directory. This is the root directory of
Postfix daemon processes that run chrooted.
The maximal number of (name=value) attributes that may be stored in a Postfix queue
file. The limit is enforced by the cleanup(8) server.
queue_minfree (default: 0)
The minimal amount of free space in bytes in the queue file system that is needed to
receive mail. This is currently used by the SMTP server to decide if it will accept any
mail at all.
By default, the Postfix 2.1 SMTP server rejects MAIL FROM commands when the
amount of free space is less than 1.5*$message_size_limit. To specify a higher
minimum free space limit, specify a queue_minfree value that is at least 1.5*
$message_size_limit.
With Postfix versions 2.0 and earlier, a queue_minfree value of zero means there is no
minimum required amount of free space.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The name of the qmgr(8) service. This service manages the Postfix queue and schedules
delivery requests.
Optional lookup tables with RBL response templates. The tables are indexed by the
RBL domain name. By default, Postfix uses the default template as specified with the
default_rbl_reply configuration parameter. See there for a discussion of the syntax of
RBL reply templates.
The location of Postfix README files that describe how to build, configure or operate
a specific Postfix subsystem or feature.
Specify zero or more of the following options. The options override main.cf settings and
no_unknown_recipient_checks
Do not try to reject unknown recipients (SMTP server only). This is typically
specified AFTER an external content filter.
no_address_mappings
Disable canonical address mapping, virtual alias map expansion, address
masquerading, and automatic BCC (blind carbon-copy) recipients. This is
typically specified BEFORE an external content filter.
no_header_body_checks
Disable header/body_checks. This is typically specified AFTER an external
content filter.
Examples:
receive_override_options =
no_unknown_recipient_checks, no_header_body_checks
receive_override_options = no_address_mappings
Optional BCC (blind carbon-copy) address lookup tables, indexed by recipient address.
The BCC address (multiple results are not supported) is added when mail enters from
outside of Postfix.
Specify the types and names of databases to use. After change, run "postmap /etc/
postfix/recipient_bcc".
NOTE: if mail to the BCC address bounces it will be returned to the sender.
NOTE: automatic BCC recipients are produced only for new mail. To avoid mailer
loops, automatic BCC recipients are not generated for mail that Postfix forwards
internally, nor for mail that Postfix generates itself.
Example:
recipient_bcc_maps = hash:/etc/postfix/recipient_bcc
Optional address mapping lookup tables for envelope and header recipient addresses.
The table format and lookups are documented in canonical(5).
Example:
recipient_canonical_maps = hash:/etc/postfix/
recipient_canonical
The separator between user names and address extensions (user+foo). See canonical(5),
local(8), relocated(5) and virtual(5) for the effects this has on aliases, canonical, virtual,
relocated and on .forward file lookups. Basically, the software tries user+foo and .
forward+foo before trying user and .forward.
Example:
recipient_delimiter = +
The numerical Postfix SMTP server response code when a remote SMTP client request
is rejected by the "reject" restriction.
Do not change this unless you have a complete understanding of RFC 821.
The list of remote SMTP client certificates for which the Postfix SMTP server will
allow access with the permit_tls_clientcerts feature. This feature does not use certificate
names, because Postfix list manipulation routines treat whitespace and some other
characters as special. Instead we use certificate fingerprints as they are difficult to fake
but easy to use for lookup.
Postfix lookup tables are in the form of (key, value) pairs. Since we only need the key,
the value can be chosen freely, e.g. the name of the user or host: D7:04:2F:A7:0B:8C:
A5:21:FA:31:77:E1:41:8A:EE:80 lutzpc.at.home
Example:
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
The maximal number of parallel deliveries to the same destination via the relay message
delivery transport. This limit is enforced by the queue manager. The message delivery
transport name is the first field in the entry in the master.cf file.
The maximal number of recipients per delivery via the relay message delivery transport.
This limit is enforced by the queue manager. The message delivery transport name is
the first field in the entry in the master.cf file.
What destination domains (and subdomains thereof) this system will relay mail to.
Subdomain matching is controlled with the parent_domain_matches_subdomains
parameter. For details about how the relay_domains value is used, see the description of
the permit_auth_destination and reject_unauth_destination SMTP recipient restrictions.
Domains that match $relay_domains are delivered with the $relay_transport mail
delivery transport. The SMTP server validates recipient addresses with
$relay_recipient_maps and rejects non-existent recipients. See also the relay domains
address class in the ADDRESS_CLASS_README file.
NOTE: Postfix will not automatically forward mail for domains that list this system as
their primary or backup MX host. See the permit_mx_backup restriction in the postconf
(5) manual page.
The numerical Postfix SMTP server response code when a client request is rejected by
the reject_unauth_destination recipient restriction.
Do not change this unless you have a complete understanding of RFC 821.
Optional lookup tables with all valid addresses in the domains that match
$relay_domains. Specify @domain as a wild-card for domains that do not have a valid
recipient list. Technically, tables listed with $relay_recipient_maps are used as lists:
Postfix needs to know only if a lookup string is found or not, but it does not use the
result from table lookup.
If this parameter is non-empty, then the Postfix SMTP server will reject mail to
unknown relay users. This feature is off by default.
See also the relay domains address class in the ADDRESS_CLASS_README file.
Example:
relay_recipient_maps = hash:/etc/postfix/relay_recipients
The default mail delivery transport and next-hop information for domains that match the
$relay_domains parameter value. This information can be overruled with the transport
(5) table.
Specify a string of the form transport:nexthop, where transport is the name of a mail
delivery transport defined in master.cf. The :nexthop part is optional. For more details
see the transport(5) manual page.
See also the relay domains address class in the ADDRESS_CLASS_README file.
The default host to send non-local mail to when no entry is matched in the optional
transport(5) table. When no relayhost is given, mail is routed directly to the destination.
On an intranet, specify the organizational domain name. If your internal DNS uses no
MX records, specify the name of the intranet gateway host instead.
If you're connected via UUCP, see the UUCP_README file for useful information.
Examples:
relayhost = $mydomain
relayhost = [gateway.my.domain]
relayhost = uucphost
relayhost = [an.ip.add.ress]
Optional lookup tables with new contact information for users or domains that no longer
exist. The table format and lookups are documented in relocated(5).
If you use this feature, run "postmap /etc/postfix/relocated" to build the necessary
DBM or DB file after change, then "postfix reload" to make the changes visible.
Examples:
relocated_maps = dbm:/etc/postfix/relocated
relocated_maps = hash:/etc/postfix/relocated
Don't rewrite message headers from remote clients at all when this parameter is empty;
otherwise, rewrite remote message headers and append the specified domain name to
incomplete addresses. The local_header_rewrite_clients parameter controls what clients
Postfix considers local.
Examples:
The safe setting: append "domain.invalid" to incomplete header addresses from remote
SMTP clients, so that those addresses cannot be confused with local addresses.
remote_header_rewrite_domain = domain.invalid
The default, purist, setting: don't rewrite headers from remote clients at all.
remote_header_rewrite_domain =
Whether or not a local(8) recipient's home directory must exist before mail delivery is
attempted. By default this test is disabled. It can be useful for environments that import
home directories to the mail server (NOT RECOMMENDED).
By default, the Postfix address resolver does not quote the address localpart as per RFC
822, so that additional @ or % or ! operators remain visible. This behavior is safe but it
is also technically incorrect.
If you specify "resolve_dequoted_address = no", then the Postfix resolver will not know
about additional @ etc. operators in the address localpart. This opens opportunities for
obscure mail relay attacks with user@domain@domain addresses when Postfix
provides backup MX service for Sendmail systems.
Resolve an address that ends in the "@" null domain as if the local hostname were
specified, instead of rejecting the address as invalid.
This feature is available in Postfix version 2.1 and later. Earlier versions always resolve
the null domain as the local hostname.
The Postfix SMTP server uses this feature to reject mail from or to addresses that end in
the "@" null domain, and from addresses that rewrite into a form that ends in the "@"
null domain.
The name of the address rewriting service. This service rewrites addresses to standard
form and resolves them to a (delivery method, next-hop host, recipient) triple.
Optional BCC (blind carbon-copy) address lookup tables, indexed by sender address.
The BCC address (multiple results are not supported) is added when mail enters from
outside of Postfix.
Specify the types and names of databases to use. After change, run "postmap /etc/
postfix/sender_bcc".
NOTE: if mail to the BCC address bounces it will be returned to the sender.
NOTE: automatic BCC recipients are produced only for new mail. To avoid mailer
loops, automatic BCC recipients are not generated for mail that Postfix forwards
internally, nor for mail that Postfix generates itself.
Example:
sender_bcc_maps = hash:/etc/postfix/sender_bcc
Optional address mapping lookup tables for envelope and header sender addresses. The
table format and lookups are documented in canonical(5).
Example:
sender_canonical_maps = hash:/etc/postfix/sender_canonical
A Sendmail compatibility feature that specifies the location of the Postfix sendmail(1)
command. This command can be used to submit mail into the Postfix queue.
How long the Postfix master(8) waits before forking a server that appears to be
malfunctioning.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The name of the scache(8) connection cache service. This service maintains a limited
pool of cached sessions.
How frequently the scache(8) server logs usage statistics with connection cache hit and
miss rates for logical destinations and for physical endpoints.
The maximal time-to-live value that the connection cache server allows. Requests that
specify a larger TTL will be stored with the maximum allowed TTL. The purpose of
this additional control is to protect the infrastructure against careless people. The cache
TTL is already bounded by $max_idle.
Display the name of the recipient table in the "User unknown" responses. The extra
detail makes trouble shooting easier but also reveals information that is nobody elses
business.
The name of the showq(8) service. This service produces mail queue status reports.
With "smtp_always_send_ehlo = no", Postfix sends EHLO only when the word
"ESMTP" appears in the server greeting banner (example: 220 spike.porcupine.org
ESMTP Postfix).
An optional numerical network address that the SMTP client should bind to when
making a connection.
This can be specified in the main.cf file for all SMTP clients, or it can be specified in
the master.cf file for a specific client, for example:
/etc/postfix/master.cf:
smtp ... smtp -o smtp_bind_address=11.22.33.44
Note: when inet_interfaces specifies exactly one address that is a non-loopback address,
it is automatically used as the smtp_bind_address. This supports virtual IP hosting, but
can be a problem on multi-homed firewalls. See the inet_interfaces documentation for
more detail.
The SMTP client time limit for completing a TCP connection, or zero (use the operating
system built-in time limit).
When no connection can be made within the deadline, the SMTP client tries the next
address on the mail exchanger list. Specify 0 to disable the time limit (i.e. use whatever
timeout is implemented by the operating system).
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Permanently enable SMTP connection caching for the specified destinations. With
SMTP connection caching, a connection is not closed immediately after completion of a
❍ if mail is sent without a relay host: a domain name (the right-hand side of an
email address, without the optional []),
❍ if mail is sent via a relay host: a relay host (without the optional [] or non-default
TCP port), as specified in main.cf or in the transport map,
❍ a /file/name with domains and/or relay hosts,
❍ a "type:table" with domains and/or relay hosts on the left-hand side. The right-
hand side result from "type:table" lookups is ignored.
Temporarily enable SMTP connection caching while a destination has a high volume of
mail in the active queue. With SMTP connection caching, a connection is not closed
immediately after completion of a mail transaction. Instead, the connection is kept open
for up to $smtp_connection_cache_time_limit seconds. This allows connections to be
reused for other deliveries, and can improve mail delivery performance.
When SMTP connection caching is enabled, the number of times that an SMTP session
is reused before it is closed.
When SMTP connection caching is enabled, the amount of time that an unused SMTP
client socket is kept open before it is closed. Do not specify larger values without
permission from the remote sites.
The SMTP client time limit for sending the SMTP ".", and for receiving the server
response.
When no response is received within the deadline, a warning is logged that the mail may
be delivered multiple times.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The SMTP client time limit for sending the SMTP DATA command, and for receiving
the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The SMTP client time limit for sending the SMTP message content. When the
connection makes no progress for more than $smtp_data_xfer_timeout seconds the
SMTP client terminates the transfer.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The default (no) is to return the mail as undeliverable. With older Postfix versions the
default was to keep trying to deliver the mail until someone fixed the MX record or until
the mail was too old.
Note: Postfix always ignores MX records with equal or worse preference than the local
MTA itself.
The maximal number of parallel deliveries to the same destination via the smtp message
delivery transport. This limit is enforced by the queue manager. The message delivery
transport name is the first field in the entry in the master.cf file.
The maximal number of recipients per delivery via the smtp message delivery transport.
This limit is enforced by the queue manager. The message delivery transport name is
the first field in the entry in the master.cf file.
Lookup tables, indexed by the remote SMTP server address, with case insensitive lists
of EHLO keywords (pipelining, starttls, auth, etc.) that the SMTP client will ignore in
the EHLO response from a remote SMTP server.
A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the SMTP
client will ignore in the EHLO response from a remote SMTP server. Use the
smtp_discard_ehlo_keyword_address_maps feature to discard EHLO keywords
selectively.
Enforcement mode: require that remote SMTP servers use TLS encryption, and never
send mail in the clear. This also requires that the remote SMTP server hostname
matches the information in the remote server certificate, and that the remote SMTP
server certificate was issued by a CA that is trusted by the Postfix SMTP client. If the
certificate doesn't verify or the hostname doesn't match, delivery is deferred and mail
stays in the queue.
The server hostname is matched against all names provided as dNSNames in the
SubjectAlternativeName. If no dNSNames are specified, the CommonName is checked.
This option is useful only if you are definitely sure that you will only connect to servers
that support RFC 2487 _and_ that provide valid server certificates. Typical use is for
clients that send all their email to a dedicated mailhub.
This information can be specified in the main.cf file for all SMTP clients, or it can be
specified in the master.cf file for a specific client, for example:
/etc/postfix/master.cf:
mysmtp ... smtp -o smtp_helo_name=foo.bar.com
The SMTP client time limit for sending the HELO or EHLO command, and for
receiving the initial server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
What mechanisms when the SMTP client uses to look up a host's IP address. This
parameter is ignored when DNS lookups are disabled.
dns
Hosts can be found in the DNS (preferred).
native
Use the native naming service only (nsswitch.conf, or equivalent mechanism).
dns, native
Use the native service for hosts not found in the DNS.
The maximal length of message header and body lines that Postfix will send via SMTP.
Longer lines are broken by inserting "<CR><LF><SPACE>". This minimizes the
damage to MIME formatted mail.
By default, the line length is limited to 990 characters, because some server
implementations cannot receive mail with long lines.
The SMTP client time limit for sending the MAIL FROM command, and for receiving
the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
smtp_mx_address_limit (default: 0)
The maximal number of MX (mail exchanger) IP addresses that can result from mail
exchanger lookups, or zero (no limit).
smtp_mx_session_limit (default: 2)
The maximal number of SMTP sessions per delivery request before giving up or
delivering to a fall-back relay host, or zero (no limit). This restriction ignores IP
addresses that fail to complete the SMTP initial handshake.
Never send EHLO at the start of an SMTP session. See also the smtp_always_send_ehlo
parameter.
How long the Postfix SMTP client pauses before sending ".<CR><LF>" in order to
work around the PIX firewall "<CR><LF>.<CR><LF>" bug.
Choosing a too short time makes this workaround ineffective when sending large
messages over slow network connections.
How long a message must be queued before the PIX firewall "<CR><LF>.<CR><LF>"
bug workaround is turned on.
By default, the workaround is turned off for mail that is queued for less than 500
seconds. In other words, the workaround is normally turned off for the first delivery
attempt.
The SMTP client time limit for sending the QUIT command, and for receiving the
server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Quote addresses in SMTP MAIL FROM and RCPT TO commands as required by RFC
821. This includes putting quotes around an address localpart that ends in ".".
The default is to comply with RFC 821. If you have to send mail to a broken SMTP
server, configure a special SMTP client in master.cf:
/etc/postfix/master.cf:
broken-smtp . . . smtp -o
smtp_quote_rfc821_envelope=no
and route mail for the destination in question to the "broken-smtp" message delivery
with a transport(5) table.
The SMTP client time limit for sending the SMTP RCPT TO command, and for
receiving the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The SMTP client time limit for sending the RSET command, and for receiving the
server response. The SMTP client sends RSET in order to finish a recipient address
probe, or to verify that a cached session is still usable.
Enable SASL authentication in the Postfix SMTP client. By default, the Postfix SMTP
client uses no authentication.
Example:
smtp_sasl_auth_enable = yes
If non-empty, a Postfix SMTP client filter for the remote SMTP server's list of offered
SASL mechanisms. Different client and server implementations may support different
mechanism lists. By default, the Postfix SMTP client will use the intersection of the
Specify mechanism names, "/file/name" patterns or "type:table" lookup tables. The right-
hand side result from "type:table" lookups is ignored.
Examples:
Optional SMTP client lookup tables with one username:password entry per remote
hostname or domain. If a remote host or domain has no username:password entry, then
the Postfix SMTP client will not attempt to authenticate to the remote host.
The Postfix SMTP client opens the lookup table before going to chroot jail, so you can
leave the password file in /etc/postfix.
What authentication mechanisms the Postfix SMTP client is allowed to use. The list of
available authentication mechanisms is system dependent.
noplaintext
Disallow methods that use plaintext passwords.
noactive
Disallow methods subject to active (non-dictionary) attack.
nodictionary
Disallow methods subject to passive (dictionary) attack.
noanonymous
Disallow methods that allow anonymous authentication.
mutual_auth
Only allow methods that provide mutual authentication (not available with SASL
version 1).
Example:
smtp_sasl_security_options = noplaintext
The SASL authentication security options that the Postfix SMTP client uses for TLS
encrypted SMTP sessions.
Send the non-standard XFORWARD command when the Postfix SMTP server EHLO
response announces XFORWARD support.
This allows an "smtp" delivery agent, used for injecting mail into a content filter, to
forward the name, address, protocol and HELO name of the original client to the
content filter and downstream queuing SMTP server. This can produce more useful
logging than localhost[127.0.0.1] etc.
Skip SMTP servers that greet with a 4XX status code (go away, try again later).
This feature is available in Postfix version 2.0 and earlier. Later Postfix versions always
skip SMTP servers that greet with a 4XX status code.
Skip SMTP servers that greet with a 5XX status code (go away, do not try again later).
By default, the Postfix SMTP client moves on the next mail exchanger. Specify
"smtp_skip_5xx_greeting = no" if Postfix should bounce the mail immediately. The
default setting is incorrect, but it is what a lot of people expect to happen.
Time limit for Postfix SMTP client write and read operations during TLS startup and
shutdown handshake procedures.
The file with the certificate of the certification authority (CA) that issued the Postfix
SMTP client certificate. This is needed only when the CA certificate is not already
present in the client certificate file.
Example:
smtp_tls_CAfile = /etc/postfix/CAcert.pem
Directory with PEM format certificate authority certificates that the Postfix SMTP
client uses to verify a remote SMTP server certificate. Don't forget to create the
necessary "hash" links with, for example, "$OPENSSL_HOME/bin/c_rehash /etc/
postfix/certs".
To use this option in chroot mode, this directory (or a copy) must be inside the chroot
jail.
Example:
smtp_tls_CApath = /etc/postfix/certs
File with the Postfix SMTP client RSA certificate in PEM format. This file may also
contain the client private key, and these may be the same as the server certificate and
key file.
In order to verify certificates, the CA certificate (in case of a certificate chain, all CA
certificates) must be available. You should add these certificates to the server certificate,
the server certificate first, then the issuing CA(s).
Example: the certificate for "client.dom.ain" was issued by "intermediate CA" which
itself has a certificate of "root CA". Create the client.pem file with "cat client_cert.pem
intermediate_CA.pem root_CA.pem > client.pem".
If you want to accept remote SMTP server certificates issued by these CAs yourself,
you can also add the CA certificates to the smtp_tls_CAfile, in which case it is not
necessary to have them in the smtp_tls_cert_file or smtp_tls_dcert_file.
A certificate supplied here must be usable as SSL client certificate and hence pass the
"openssl verify -purpose sslclient ..." test.
Example:
smtp_tls_cert_file = /etc/postfix/client.pem
Controls the Postfix SMTP client TLS cipher selection scheme. For details, see the
OpenSSL documentation. Note: do not use "" quotes around the parameter value.
File with the Postfix SMTP client DSA certificate in PEM format. This file may also
contain the server private key.
Example:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
File with the Postfix SMTP client DSA private key in PEM format. The private key
must not be encrypted. In other words, the key must be accessible without password.
This file may be combined with the server certificate file specified with
$smtp_tls_cert_file.
When TLS encryption is enforced, require that the remote SMTP server hostname
matches the information in the remote SMTP server certificate. As of RFC 2487 the
requirements for hostname checking for MTA clients are not specified.
This option can be set to "no" to disable strict peer name checking. This setting has no
effect on sessions that are controlled via the smtp_tls_per_site table.
Disabling the hostname verification can make sense in closed environment where
special CAs are created. If not used carefully, this option opens the danger of a "man-in-
the-middle" attack (the CommonName of this attacker will be logged).
File with the Postfix SMTP client RSA private key in PEM format. This file may be
combined with the client certificate file specified with $smtp_tls_cert_file.
The private key must not be encrypted. In other words, the key must be accessible
without password.
Example:
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel (default: 0)
Enable additional Postfix SMTP client logging of TLS activity. Each logging level also
includes the information that is logged at a lower logging level.
Log the hostname of a remote SMTP server that offers STARTTLS, when TLS is not
already enabled for that server.
Optional lookup tables with the Postfix SMTP client TLS usage policy by next-hop
domain name and by remote SMTP server hostname.
Table format: domain names or server hostnames are specified on the left-hand side; no
wildcards are allowed. On the right hand side specify one of the following keywords:
NONE
Don't use TLS at all.
MAY
Try to use STARTTLS if offered, otherwise use the unencrypted connection.
NOTE: STARTTLS can be used only if TLS is already enabled via main.cf, so
that the client TLS engine is properly initialized at program startup.
MUST
Require usage of STARTTLS, require that the remote SMTP server hostname
matches the information in the remote SMTP server certificate, and require that
the remote SMTP server certificate was issued by a trusted CA.
MUST_NOPEERMATCH
Require usage of STARTTLS, but do not require that the remote SMTP server
hostname matches the information in the remote SMTP server certificate, or that
the server certificate was issued by a trusted CA.
Special hint for enforcement mode: since no secure DNS lookup mechanism is
available, the recommended setup is: specify local transport(5) table entries for sensitive
domains with explicit smtp:[mailhost] destinations (since you can assure security of this
table unlike DNS), then specify MUST for these mail hosts in the smtp_tls_per_site
table.
smtp_tls_scert_verifydepth (default: 5)
The verification depth for remote SMTP server certificates. A depth of 1 is sufficient, if
the certificate is directly issued by a CA listed in the CA files. The default value (5)
should suffice for longer chains (the root CA issues special CA which then issues the
actual certificate...).
Name of the file containing the optional Postfix SMTP client TLS session cache.
Specify a database type that supports enumeration, such as btree or sdbm; there is no
need to support concurrent access. The file is created if it does not exist.
NOTE: dbm databases are not suitable. TLS session objects are too large.
Example:
smtp_tls_session_cache_database = btree:/var/postfix/
smtp_scache
The expiration time of Postfix SMTP client TLS session cache information. A cache
cleanup is performed periodically every $smtp_tls_session_cache_timeout seconds.
Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS
support, otherwise send the mail in the clear. Beware: some SMTP servers offer
STARTTLS even if it is not configured. If the TLS handshake fails, and no other server
is available, delivery is deferred and mail stays in the queue. If this is a concern for you,
use the smtp_tls_per_site feature instead.
The SMTP client time limit for sending the XFORWARD command, and for receiving
the server response.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
What SMTP clients are allowed to specify the XVERP command. This command
requests that mail be delivered one recipient at a time with a per recipient return
address.
This parameter was renamed with Postfix 2.1. The default value is backwards
compatible with Postfix 2.0.
What SMTP clients are allowed to use the XCLIENT feature. This command overrides
SMTP client information that is used for access control. Typical use is for SMTP-based
content filters, fetchmail-like programs, or SMTP server access rule testing. See the
XCLIENT_README document for details.
What SMTP clients are allowed to use the XFORWARD feature. This command
forwards information that is used to improve logging after SMTP-based content filters.
See the XFORWARD_README document for details.
The text that follows the 220 status code in the SMTP greeting banner. Some people
like to see the mail version advertised. By default, Postfix shows no version.
You MUST specify $myhostname at the start of the text. This is required by the SMTP
protocol.
Example:
How many simultaneous connections any client is allowed to make to this service. By
default, the limit is set to half the default process limit value.
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate
legitimate mail traffic.
smtpd_client_connection_rate_limit (default: 0)
The maximal number of connection attempts any client is allowed to make to this
service per time unit. The time unit is specified with the anvil_rate_time_unit
configuration parameter.
By default, a client can make as many connections per time unit as Postfix can accept.
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate
legitimate mail traffic.
Example:
smtpd_client_connection_rate_limit = 1000
Clients that are excluded from connection count, connection rate, message rate or
recipient rate restrictions.
By default, clients in trusted networks are excluded. Specify a list of network blocks,
hostnames or .domain names (the initial dot causes the domain to match any name
below it).
smtpd_client_message_rate_limit (default: 0)
The maximal number of message delivery requests that any client is allowed to make to
this service per time unit, regardless of whether or not Postfix actually accepts those
messages. The time unit is specified with the anvil_rate_time_unit configuration
parameter.
By default, a client can send as many message delivery requests per time unit as Postfix
can accept.
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate
legitimate mail traffic.
Example:
smtpd_client_message_rate_limit = 1000
smtpd_client_recipient_rate_limit (default: 0)
The maximal number of recipient addresses that any client is allowed to send to this
service per time unit, regardless of whether or not Postfix actually accepts those
recipients. The time unit is specified with the anvil_rate_time_unit configuration
parameter.
By default, a client can make as many recipient addresses per time unit as Postfix can
accept.
WARNING: The purpose of this feature is to limit abuse. It must not be used to regulate
legitimate mail traffic.
Example:
smtpd_client_recipient_rate_limit = 1000
Optional SMTP server access restrictions in the context of a client SMTP connection
request.
lines by starting the next line with whitespace. Restrictions are applied in the order as
specified; the first restriction that matches wins.
The following restrictions are specific to client hostname or client network address
information.
check_client_access type:table
Search the specified access database for the client hostname, parent domains,
client IP address, or networks obtained by stripping least significant octets. See
the access(5) manual page for details.
permit_mynetworks
Permit the request when the client IP address matches any network or network
address listed in $mynetworks.
permit_sasl_authenticated
Permit the request when the client is successfully authenticated via the RFC
2554 (AUTH) protocol.
permit_tls_all_clientcerts
Permit the request when the remote SMTP client certificate is verified
successfully. This option must be used only if a special CA issues the certificates
and only this CA is listed as trusted CA, otherwise all clients with a recognized
certificate would be allowed to relay.
permit_tls_clientcerts
Permit the request when the remote SMTP client certificate is verified
successfully, and the certificate fingerprint is listed in $relay_clientcerts.
reject_rbl_client rbl_domain=d.d.d.d
Reject the request when the reversed client network address is listed with the A
record "d.d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.
d.d.d" is specified, reject the request when the reversed client network address is
listed with any A record under rbl_domain.
The maps_rbl_reject_code parameter specifies the response code for rejected
requests (default: 554), the default_rbl_reply parameter specifies the default
server reply, and the rbl_reply_maps parameter specifies tables with server
replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.
reject_rhsbl_client rbl_domain=d.d.d.d
Reject the request when the client hostname is listed with the A record "d.d.d.d"
under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is
specified, reject the request when the reversed client network address is listed
with any A record under rbl_domain. See the reject_rbl_client description above
for additional RBL related configuration parameters. This feature is available in
Postfix 2.0 and later.
reject_unknown_client
Reject the request when the client IP address has no PTR (address to name)
record in the DNS, or when the PTR record does not have a matching A (name to
address) record.
The unknown_client_reject_code parameter specifies the response code for
rejected requests (default: 450). The reply is always 450 in case the hostname
lookup failed due to a temporary problem.
In addition, you can use any of the following generic restrictions. These restrictions are
applicable in any SMTP command context.
check_policy_service servername
Query the specified policy server. See the SMTPD_POLICY_README
document for details. This feature is available in Postfix 2.1 and later.
defer
Defer the request. The client is told to try again later. This restriction is useful at
the end of a restriction list, to make the default policy explicit.
The defer_code parameter specifies the SMTP server reply code (default: 450).
defer_if_permit
Defer the request if some later restriction would result in an explicit or implicit
PERMIT action. This is useful when a blacklisting feature fails due to a
temporary problem. This feature is available in Postfix 2.1 and later.
defer_if_reject
Defer the request if some later restriction would result in a REJECT action. This
is useful when a whitelisting feature fails due to a temporary problem. This
feature is available in Postfix 2.1 and later.
permit
Permit the request. This restriction is useful at the end of a restriction list, to
make the default policy explicit.
reject_multi_recipient_bounce
Reject the request when the envelope sender is the null address, and the message
has multiple envelope recipients. Although this usage is technically allowed, it
seems to have no legitimate application.
NOTE: this restriction can only work reliably when used in
smtpd_data_restrictions or smtpd_end_of_data_restrictions, because the total
number of recipients is not known at an earlier stage of the SMTP conversation.
Use at the RCPT stage will only reject the second etc. recipient.
The multi_recipient_bounce_reject_code parameter specifies the response code
for rejected requests (default: 550). This feature is available in Postfix 2.1 and
later.
reject_unauth_pipelining
Reject the request when the client sends SMTP commands ahead of time where
it is not allowed, or when the client sends SMTP commands ahead of time
Example:
smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client
Optional access restrictions that the Postfix SMTP server applies in the context of the
SMTP DATA command.
❍ Generic restrictions that can be used in any SMTP command context, described
under smtpd_client_restrictions.
❍ SMTP command specific restrictions described under smtpd_client_restrictions,
smtpd_helo_restrictions, smtpd_sender_restrictions or
smtpd_recipient_restrictions.
Examples:
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_data_restrictions = reject_multi_recipient_bounce
This feature is turned on by default because some clients apparently mis-behave when
the Postfix SMTP server rejects commands before RCPT TO.
The default setting has one major benefit: it allows Postfix to log recipient address
information when rejecting a client name/address or sender address, so that it is possible
to find out whose mail is being rejected.
Lookup tables, indexed by the remote SMTP client address, with case insensitive lists of
EHLO keywords (pipelining, starttls, auth, etc.) that the SMTP server will not send in
the EHLO response to a remote SMTP client.
A case insensitive list of EHLO keywords (pipelining, starttls, auth, etc.) that the SMTP
server will not send in the EHLO response to a remote SMTP client. Use the
smtpd_discard_ehlo_keyword_address_maps feature to discard EHLO keywords
selectively.
Optional access restrictions that the Postfix SMTP server applies in the context of the
SMTP END-OF-DATA command.
Enforcement mode: announce STARTTLS support to SMTP clients, and require that
clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case
of a publicly-referenced SMTP server. This option is off by default and should be used
only on dedicated servers.
Note 2: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to
insufficient privileges to access the server private key. This is intended behavior.
With Postfix 2.1 and later: the SMTP server response delay after a client has made more
than $smtpd_soft_error_limit errors, and fewer than $smtpd_hard_error_limit errors,
without delivering mail.
With Postfix 2.0 and earlier: the SMTP server delay before sending a reject (4xx or 5xx)
response, when the client has made fewer than $smtpd_soft_error_limit errors without
delivering mail.
Optional SMTP server access restrictions in the context of a client ETRN request.
The Postfix ETRN implementation accepts only destinations that are eligible for the
Postfix "fast flush" service. See the ETRN_README file for details.
lines by starting the next line with whitespace. Restrictions are applied in the order as
specified; the first restriction that matches wins.
The following restrictions are specific to the domain name information received with
the ETRN command.
check_etrn_access type:table
Search the specified access database for the ETRN domain name or its parent
domains. See the access(5) manual page for details.
❍ Generic restrictions that can be used in any SMTP command context, described
under smtpd_client_restrictions.
❍ SMTP command specific restrictions described under smtpd_client_restrictions
and smtpd_helo_restrictions.
Example:
What characters are allowed in $name expansions of RBL reply templates. Characters
not in the allowed set are replaced by "_". Use C like escapes to specify special
characters such as whitespace.
List of commands that causes the Postfix SMTP server to immediately terminate the
session with a 221 code. This can be used to disconnect clients that obviously attempt to
abuse the system. In addition to the commands listed in this parameter, commands that
follow the "Label:" format of message headers will also cause a disconnect.
The maximal number of errors a remote SMTP client is allowed to make without
delivering mail. The Postfix SMTP server disconnects when the limit is exceeded.
Require that a remote SMTP client introduces itself at the beginning of an SMTP
session with the HELO or EHLO command.
Example:
smtpd_helo_required = yes
Optional restrictions that the Postfix SMTP server applies in the context of the SMTP
HELO command.
The following restrictions are specific to the hostname information received with the
HELO or EHLO command.
check_helo_access type:table
Search the specified access(5) database for the HELO or EHLO hostname or
parent domains, and execute the corresponding action.
check_helo_mx_access type:table
Search the specified access(5) database for the MX hosts for the HELO or EHLO
hostname, and execute the corresponding action. Note: a result of "OK" is not
allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_helo_ns_access type:table
Search the specified access(5) database for the DNS servers for the HELO or
EHLO hostname, and execute the corresponding action. Note: a result of "OK" is
not allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
reject_invalid_hostname
Reject the request when the HELO or EHLO hostname syntax is invalid.
The invalid_hostname_reject_code specifies the response code to rejected
requests (default: 501).
reject_non_fqdn_hostname
Reject the request when the HELO or EHLO hostname is not in fully-qualified
domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code to rejected
requests (default: 504).
reject_unknown_hostname
Reject the request when the HELO or EHLO hostname has no DNS A or MX
record.
The unknown_hostname_reject_code specifies the response code to rejected
requests (default: 450).
❍ Generic restrictions that can be used in any SMTP command context, described
under smtpd_client_restrictions.
❍ Client hostname or network address specific restrictions described under
smtpd_client_restrictions.
❍ SMTP command specific restrictions described under smtpd_sender_restrictions
or smtpd_recipient_restrictions. When sender or recipient restrictions are listed
under smtpd_helo_restrictions, they have effect only with "smtpd_delay_reject =
yes", so that $smtpd_helo_restrictions is evaluated at the time of the RCPT TO
command.
Examples:
smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_hostname
smtpd_helo_restrictions = permit_mynetworks,
reject_unknown_hostname
The maximal number of lines in the Postfix SMTP server command history before it is
flushed upon receipt of EHLO, RSET, or end of DATA.
The number of junk commands (NOOP, VRFY, ETRN or RSET) that a remote SMTP
client can send before the Postfix SMTP server starts to increment the error counter with
each junk command. The junk command count is reset after mail is delivered. See also
the smtpd_error_sleep_time and smtpd_soft_error_limit configuration parameters.
List of commands that the Postfix SMTP server replies to with "250 Ok", without doing
any syntax checks and without changing state. This list overrides any commands built
into the Postfix SMTP server.
The lookup key to be used in SMTP access(5) tables instead of the null sender address.
The time after which an idle SMTPD policy service connection is closed.
The time after which an active SMTPD policy service connection is closed.
The time limit for connecting to, writing to or receiving from a delegated SMTPD
policy server.
How the Postfix SMTP server announces itself to the proxy filter. By default, the
Postfix hostname is used.
The hostname and TCP port of the mail filtering proxy server. The proxy receives all
mail from the Postfix SMTP server, and is supposed to give the result to another Postfix
SMTP server process.
The time limit for connecting to a proxy filter and for sending or receiving information.
When a connection fails the client gets a generic error message while more detailed
information is logged to the maillog file.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The maximal number of recipients that the Postfix SMTP server accepts per message
delivery request.
The number of recipients that a remote SMTP client can send in excess of the limit
specified with $smtpd_recipient_limit, before the Postfix SMTP server increments the
per-session error count for each excess recipient.
The access restrictions that the Postfix SMTP server applies in the context of the RCPT
TO command.
IMPORTANT: If you change this parameter setting, you must specify at least one of the
following restrictions. Otherwise Postfix will refuse to receive mail:
The following restrictions are specific to the recipient address that is received with the
RCPT TO command.
check_recipient_access type:table
Search the specified access(5) database for the resolved RCPT TO address,
domain, parent domains, or localpart@, and execute the corresponding action.
check_recipient_mx_access type:table
Search the specified access(5) database for the MX hosts for the RCPT TO
address, and execute the corresponding action. Note: a result of "OK" is not
allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_recipient_ns_access type:table
Search the specified access(5) database for the DNS servers for the RCPT TO
address, and execute the corresponding action. Note: a result of "OK" is not
allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
permit_auth_destination
Permit the request when one of the following is true:
■ Postfix is mail forwarder: the resolved RCPT TO address matches
❍ Generic restrictions that can be used in any SMTP command context, described
under smtpd_client_restrictions.
❍ SMTP command specific restrictions described under smtpd_client_restrictions,
smtpd_helo_restrictions and smtpd_sender_restrictions.
Example:
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination
Request that the Postfix SMTP server rejects mail for unknown recipient addresses,
even when no explicit reject_unlisted_recipient access restriction is specified. This
prevents the Postfix queue from filling up with undeliverable MAILER-DAEMON
messages.
Request that the Postfix SMTP server rejects mail from unknown sender addresses,
even when no explicit reject_unlisted_sender access restriction is specified. This can
slow down an explosion of forged mail from worms or viruses.
User-defined aliases for groups of access restrictions. The aliases can be specified in
smtpd_recipient_restrictions etc., and on the right-hand side of a Postfix access(5) table.
One major application is for implementing per-recipient UCE control. See the
RESTRICTION_CLASS_README document for other examples.
The application name used for SASL server initialization. This controls the name of the
Enable SASL authentication in the Postfix SMTP server. By default, the Postfix SMTP
server does not use authentication.
smtpd_recipient_restrictions =
permit_mynetworks, permit_sasl_authenticated, ...
smtpd_client_restrictions = permit_sasl_authenticated,
reject
See the SASL_README file for SASL configuration and operation details.
What SMTP clients Postfix will not offer AUTH support to.
Some clients (Netscape 4 at least) have a bug that causes them to require a login and
password whenever AUTH is offered, whether it's necessary or not. To work around
this, specify, for example, $mynetworks to prevent Postfix from offering AUTH to local
clients.
Example:
smtpd_sasl_exceptions_networks = $mynetworks
Examples:
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname
Restrict what authentication mechanisms the Postfix SMTP server will offer to the
client. The list of available authentication mechanisms is system dependent.
noplaintext
Disallow methods that use plaintext passwords.
noactive
Disallow methods subject to active (non-dictionary) attack.
nodictionary
Disallow methods subject to passive (dictionary) attack.
noanonymous
Disallow methods that allow anonymous authentication.
mutual_auth
Only allow methods that provide mutual authentication (not available with SASL
version 1).
By default, the Postfix SMTP server accepts plaintext passwords but not anonymous
logins.
Warning: it appears that clients try authentication methods in the order as advertised by
the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that if you disable
plaintext passwords, clients will log in anonymously, even when they should be able to
use CRAM-MD5. So, if you disable plaintext logins, disable anonymous logins too.
Postfix treats anonymous login as no authentication.
Example:
The SASL authentication security options that the Postfix SMTP server uses for TLS
encrypted SMTP sessions.
Optional lookup table with the SASL login names that own sender (MAIL FROM)
addresses.
Specify zero or more "type:table" lookup tables. With lookups from indexed files such
as DB or DBM, or from networked tables such as NIS, LDAP or SQL, the following
search operations are done with a sender address of user@domain:
1) user@domain
This table lookup is always done and has the highest precedence.
2) user
This table lookup is done only when the domain part of the sender address
matches $myorigin, $mydestination, $inet_interfaces or $proxy_interfaces.
3) @domain
This table lookup is done last and has the lowest precedence.
In all cases the result of table lookup must be either "not found" or a list of SASL login
names separated by comma and/or whitespace.
Optional restrictions that the Postfix SMTP server applies in the context of the MAIL
FROM command.
The following restrictions are specific to the sender address received with the MAIL
FROM command.
check_sender_access type:table
Search the specified access(5) database for the MAIL FROM address, domain,
parent domains, or localpart@, and execute the corresponding action.
check_sender_mx_access type:table
Search the specified access(5) database for the MX hosts for the MAIL FROM
address, and execute the corresponding action. Note: a result of "OK" is not
allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
check_sender_ns_access type:table
Search the specified access(5) database for the DNS servers for the MAIL
FROM address, and execute the corresponding action. Note: a result of "OK" is
not allowed for safety reasons. Instead, use DUNNO in order to exclude specific
hosts from blacklists. This feature is available in Postfix 2.1 and later.
reject_authenticated_sender_login_mismatch
Enforces the reject_sender_login_mismatch restriction for authenticated clients
only. This feature is available in Postfix version 2.1 and later.
reject_non_fqdn_sender
Reject the request when the MAIL FROM address is not in fully-qualified
domain form, as required by the RFC.
The non_fqdn_reject_code parameter specifies the response code to rejected
requests (default: 504).
reject_rhsbl_sender rbl_domain=d.d.d.d
Reject the request when the MAIL FROM domain is listed with the A record "d.
d.d.d" under rbl_domain (Postfix version 2.1 and later only). If no "=d.d.d.d" is
specified, reject the request when the reversed client network address is listed
with any A record under rbl_domain.
The maps_rbl_reject_code parameter specifies the response code for rejected
requests (default: 554); the default_rbl_reply parameter specifies the default
server reply; and the rbl_reply_maps parameter specifies tables with server
replies indexed by rbl_domain. This feature is available in Postfix 2.0 and later.
reject_sender_login_mismatch
Reject the request when $smtpd_sender_login_maps specifies an owner for the
MAIL FROM address, but the client is not (SASL) logged in as that MAIL
FROM address owner; or when the client is (SASL) logged in, but the client
❍ Generic restrictions that can be used in any SMTP command context, described
under smtpd_client_restrictions.
❍ SMTP command specific restrictions described under smtpd_client_restrictions
and smtpd_helo_restrictions.
❍ SMTP command specific restrictions described under
smtpd_recipient_restrictions. When recipient restrictions are listed under
smtpd_sender_restrictions, they have effect only with "smtpd_delay_reject =
yes", so that $smtpd_sender_restrictions is evaluated at the time of the RCPT TO
command.
Examples:
smtpd_sender_restrictions = reject_unknown_sender_domain
smtpd_sender_restrictions = reject_unknown_sender_domain,
check_sender_access hash:/etc/postfix/access
The number of errors a remote SMTP client is allowed to make without delivering mail
before the Postfix SMTP server slows down all its responses.
❍ With Postfix version 2.1 and later, the Postfix SMTP server delays all responses
by $smtpd_error_sleep_time seconds.
❍ With Postfix versions 2.0 and earlier, the Postfix SMTP server delays all
responses by (number of errors) seconds.
The time limit for Postfix SMTP server write and read operations during TLS startup
and shutdown handshake procedures.
The time limit for sending a Postfix SMTP server response and for receiving a remote
SMTP client request.
Note: if you set SMTP time limits to very large values you may have to update the
global ipc_timeout parameter.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The file with the certificate of the certification authority (CA) that issued the Postfix
SMTP server certificate. This is needed only when the CA certificate is not already
present in the server certificate file. This file may also contain the CA certificates of
other trusted CAs. You must use this file for the list of trusted CAs if you want to use
chroot-mode.
Example:
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
Directory with PEM format certificate authority certificates that the Postfix SMTP
server offers to remote SMTP clients for the purpose of client certificate verification.
Do not forget to create the necessary "hash" links with, for example,
"$OPENSSL_HOME/bin/c_rehash /etc/postfix/certs".
To use this option in chroot mode, this directory (or a copy) must be inside the chroot
jail. Please note that in this case the CA certificates are not offered to the client, so that e.
g. Netscape clients might not offer certificates issued by them. Use of this feature is
therefore not recommended.
Example:
smtpd_tls_CApath = /etc/postfix/certs
Ask a remote SMTP client for a client certificate. This information is needed for
certificate based mail relaying with, for example, the permit_tls_clientcerts feature.
Some clients such as Netscape will either complain if no certificate is available (for the
list of CAs in /etc/postfix/certs) or will offer multiple client certificates to choose from.
This may be annoying, so this option is "off" by default.
When TLS encryption is optional in the Postfix SMTP server, do not announce or
accept SASL authentication over unencrypted connections.
smtpd_tls_ccert_verifydepth (default: 5)
The verification depth for remote SMTP client certificates. A depth of 1 is sufficient if
the issuing CA is listed in a local CA file. The default value should also suffice for
longer chains (the root CA issues special CA which then issues the actual certificate...).
File with the Postfix SMTP server RSA certificate in PEM format. This file may also
contain the server private key.
Both RSA and DSA certificates are supported. When both types are present, the cipher
used determines which certificate will be presented to the client. For Netscape and
OpenSSL clients without special cipher choices the RSA certificate is preferred.
In order to verify a certificate, the CA certificate (in case of a certificate chain, all CA
certificates) must be available. You should add these certificates to the server certificate,
the server certificate first, then the issuing CA(s).
Example: the certificate for "server.dom.ain" was issued by "intermediate CA" which
itself has a certificate of "root CA". Create the server.pem file with "cat server_cert.pem
intermediate_CA.pem root_CA.pem > server.pem".
If you want to accept certificates issued by these CAs yourself, you can also add the CA
certificates to the smtpd_tls_CAfile, in which case it is not necessary to have them in
the smtpd_tls_dcert_file or smtpd_tls_cert_file.
A certificate supplied here must be usable as SSL server certificate and hence pass the
"openssl verify -purpose sslserver ..." test.
Example:
smtpd_tls_cert_file = /etc/postfix/server.pem
Controls the Postfix SMTP server TLS cipher selection scheme. For details, see the
OpenSSL documentation. Note: do not use "" quotes around the parameter value.
File with the Postfix SMTP server DSA certificate in PEM format. This file may also
contain the server private key.
Example:
smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
Instead of using the exact same parameter sets as distributed with other TLS packages,
it is more secure to generate your own set of parameters with something like the
following command:
Your actual source for entropy may differ. Some systems have /dev/random; on other
system you may consider using the "Entropy Gathering Daemon EGD", available at
http://www.lothar.com/tech/crypto/.
Example:
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
File with DH parameters that the Postfix SMTP server should use with EDH ciphers.
Example:
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
File with the Postfix SMTP server DSA private key in PEM format. This file may be
combined with the server certificate file specified with $smtpd_tls_dcert_file.
The private key must not be encrypted. In other words, the key must be accessible
without password.
File with the Postfix SMTP server RSA private key in PEM format. This file may be
combined with the server certificate file specified with $smtpd_tls_cert_file.
The private key must not be encrypted. In other words, the key must be accessible
without password.
smtpd_tls_loglevel (default: 0)
Enable additional Postfix SMTP server logging of TLS activity. Each logging level also
includes the information that is logged at a lower logging level.
Request that the Postfix SMTP server produces Received: message headers that include
information about the protocol and cipher used, as well as the client CommonName and
client certificate issuer CommonName. This is disabled by default, as the information
may be modified in transit through other mail servers. Only information that was
recorded by the final destination can be trusted.
When TLS encryption is enforced, require a remote SMTP client certificate in order to
allow TLS connections to proceed. This option implies "smtpd_tls_ask_ccert = yes".
When TLS encryption is optional, remote SMTP clients can bypass the restriction by
simply not using STARTTLS at all. For this reason a TLS connection will be handled as
if only "smtpd_tls_ask_ccert = yes" is specified.
Name of the file containing the optional Postfix SMTP server TLS session cache.
Specify a database type that supports enumeration, such as btree or sdbm; there is no
need to support concurrent access. The file is created if it does not exist.
NOTE: dbm databases are not suitable. TLS session objects are too large.
Example:
smtpd_tls_session_cache_database = btree:/var/postfix/
smtpd_scache
The expiration time of Postfix SMTP server TLS session cache information. A cache
cleanup is performed periodically every $smtpd_tls_session_cache_timeout seconds.
Run the Postfix SMTP server in the non-standard "wrapper" mode, instead of using the
STARTTLS command.
If you want to support this service, enable a special port in master.cf, and specify "-o
smtpd_tls_wrappermode=yes" on the SMTP server's command line. Port 465 (smtps)
was once chosen for this purpose.
Opportunistic mode: announce STARTTLS support to SMTP clients, but do not require
that clients use TLS encryption.
Note: when invoked via "sendmail -bs", Postfix will never offer STARTTLS due to
insufficient privileges to access the server private key. This is intended behavior.
Safety net to keep mail queued that would otherwise be returned to the sender. This
parameter disables locally-generated bounces, and prevents the Postfix SMTP server
from rejecting mail permanently, by changing 5xx reply codes into 4xx. However,
Example:
soft_bounce = yes
The time after which a stale exclusive mailbox lockfile is removed. This is used for
delivery to file or mailbox.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Reject mail with 8-bit text in message headers. This blocks mail from poorly written
applications.
This feature should not be enabled on a general purpose mail server, because it is likely
to reject legitimate email.
This feature should not be enabled on a general purpose mail server, because it is likely
to reject legitimate email.
Reject 8-bit message body text without 8-bit MIME content encoding information. This
blocks mail from poorly written applications.
Unfortunately, this also rejects majordomo approval requests when the included request
contains valid 8-bit MIME mail, and it rejects bounces from mailers that do not MIME
encapsulate 8-bit content (for example, bounces from qmail or from old versions of
Postfix).
This feature should not be enabled on a general purpose mail server, because it is likely
to reject legitimate email.
This feature should not be enabled on a general purpose mail server, because it will
reject mail after a single violation.
Require that addresses received in SMTP MAIL FROM and RCPT TO commands are
enclosed with <>, and that those addresses do not contain RFC 822 style comments or
phrases. This stops mail from poorly written software.
By default, the Postfix SMTP server accepts RFC 822 syntax in MAIL FROM and
RCPT TO addresses.
Enable the rewriting of "site!user" into "user@site". This is necessary if your machine is
connected to UUCP networks. It is enabled by default.
Example:
swap_bangpath = no
Warning: a non-default syslog_facility setting takes effect only after a Postfix process
has completed initialization. Errors during process initialization will be logged with the
default facility. Examples are errors while parsing the command line arguments, and
errors while accessing the Postfix main.cf configuration file.
The mail system name that is prepended to the process name in syslog records, so that
"smtpd" becomes, for example, "postfix/smtpd".
Warning: a non-default syslog_name setting takes effect only after a Postfix process has
completed initialization. Errors during process initialization will be logged with the
default name. Examples are errors while parsing the command line arguments, and
errors while accessing the Postfix main.cf configuration file.
The number of pseudo-random bytes that an smtp(8) or smtpd(8) process requests from
the tlsmgr(8) server in order to seed its internal pseudo random number generator
(PRNG). The default of 32 bytes (equivalent to 256 bits) is sufficient to generate a
128bit (or 168bit) session key.
The number of bytes that tlsmgr(8) reads from $tls_random_source when (re)seeding
the in-memory pseudo random number generator (PRNG) pool. The default of 32 bytes
(256 bits) is good enough for 128bit symmetric keys. If using EGD or a device file, a
maximum of 255 bytes is read.
Name of the pseudo random number generator (PRNG) state file that is maintained by
tlsmgr(8). The file is created when it does not exist, and its length is fixed at 1024 bytes.
Since this file is modified by Postfix, it should probably be kept in the /var file system,
instead of under $config_directory. The location should not be inside the chroot jail.
The time between attempts by tlsmgr(8) to save the state of the pseudo random number
generator (PRNG) to the file specified with $tls_random_exchange_name.
The maximal time between attempts by tlsmgr(8) to re-seed the in-memory pseudo
random number generator (PRNG) pool from external sources. The actual time between
re-seeding attempts is calculated using the PRNG, and is between 0 and the time
specified.
The external entropy source for the in-memory tlsmgr(8) pseudo random number
generator (PRNG) pool. Be sure to specify a non-blocking source. If this source is not a
regular file, the entropy source type must be prepended: egd:/path/to/egd_socket for a
source with EGD compatible socket interface, or dev:/path/to/device for a device file.
The name of the trace(8) service. This service maintains a record of mail deliveries and
produces a mail delivery report when verbose delivery is requested with "sendmail -v".
Optional lookup tables with mappings from recipient address to (message delivery
transport, next-hop destination). See transport(5) for details.
Specify zero or more "type:table" lookup tables. If you use this feature with local files,
run "postmap /etc/postfix/transport" after making a change.
Examples:
transport_maps = dbm:/etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
The time between attempts by the Postfix queue manager to contact a malfunctioning
message delivery transport.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
The time limit for sending a trigger to a Postfix daemon (for example, the pickup(8) or
qmgr(8) daemon). This time limit prevents programs from getting stuck when the mail
system is under heavy load.
Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time
unit is s (seconds).
Message header that the Postfix cleanup(8) server inserts when a message contains no
To: or Cc: message header.
The numerical Postfix SMTP server response code when a sender or recipient address is
rejected by the reject_unknown_sender_domain or reject_unknown_recipient_domain
restriction.
Do not change this unless you have a complete understanding of RFC 821.
The numerical Postfix SMTP server response code when a client without valid address
<=> name mapping is rejected by the reject_unknown_client restriction. The SMTP
server always replies with 450 when the mapping failed due to a temporary error
condition.
Do not change this unless you have a complete understanding of RFC 821.
The numerical Postfix SMTP server response code when the hostname specified with
the HELO or EHLO command is rejected by the reject_unknown_hostname restriction.
Do not change this unless you have a complete understanding of RFC 821.
The numerical Postfix SMTP server response code when a recipient address is local,
and $local_recipient_maps specifies a list of lookup tables that does not match the
recipient. A recipient address is local when its domain matches $mydestination,
$proxy_interfaces or $inet_interfaces.
The default setting is 550 (reject mail) but it is safer to initially use 450 (try again later)
so you have time to find out if your local_recipient_maps settings are OK.
Example:
unknown_local_recipient_reject_code = 450
The numerical Postfix SMTP server reply code when a recipient address matches
$relay_domains, and relay_recipient_maps specifies a list of lookup tables that does not
match the recipient address.
The SMTP server reply code when a recipient address matches $virtual_alias_domains,
and $virtual_alias_maps specifies a list of lookup tables that does not match the
recipient address.
The numerical Postfix SMTP server response when a recipient address is rejected by the
reject_unverified_recipient restriction.
Unlike elsewhere in Postfix, you can specify 250 in order to accept the address anyway.
Do not change this unless you have a complete understanding of RFC 821.
The numerical Postfix SMTP server response code when a recipient address is rejected
by the reject_unverified_sender restriction.
Unlike elsewhere in Postfix, you can specify 250 in order to accept the address anyway.
Do not change this unless you have a complete understanding of RFC 821.
The characters Postfix accepts as VERP delimiter characters on the Postfix sendmail(1)
command line and in SMTP commands.
Postfix is final destination for the specified list of virtual alias domains, that is, domains
for which all addresses are aliased to addresses in other local or remote domains. The
SMTP server validates recipient addresses with $virtual_alias_maps and rejects non-
existent recipients. See also the virtual alias domain class in the
ADDRESS_CLASS_README file
This feature is available in Postfix 2.0 and later. The default value is backwards
compatible with Postfix 1.1.
The default value is $virtual_alias_maps so that you can keep all information about
virtual alias domains in one place. If you have many users, it is better to separate
information that changes more frequently (virtual address -> local or remote address
mapping) from information that changes less frequently (the list of virtual domain
names).
Example:
The maximal number of addresses that virtual alias expansion produces from each
original recipient.
Optional lookup tables that alias specific mail addresses or domains to other local or
remote address. The table format and lookups are documented in virtual(5).
This feature is available in Postfix 2.0 and later. The default value is backwards
If you use this feature with indexed files, run "postmap /etc/postfix/virtual" after
changing the file.
Examples:
virtual_alias_maps = dbm:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual
The maximal nesting depth of virtual alias expansion. Currently the recursion limit is
applied only to the left branch of the expansion graph, so the depth of the tree can in the
worst case reach the sum of the expansion and recursion limits. This may change in the
future.
The maximal number of parallel deliveries to the same destination via the virtual
message delivery transport. This limit is enforced by the queue manager. The message
delivery transport name is the first field in the entry in the master.cf file.
The maximal number of recipients per delivery via the virtual message delivery
transport. This limit is enforced by the queue manager. The message delivery transport
name is the first field in the entry in the master.cf file.
Lookup tables with the per-recipient group ID for virtual(8) mailbox delivery.
In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the
Note 1: for security reasons, the virtual(8) delivery agent disallows regular expression
substitution of $1 etc. in regular expression lookup tables, because that would open a
security hole.
Note 2: for security reasons, the virtual(8) delivery agent will silently ignore requests to
use the proxymap(8) server. Instead it will open the table directly. Before Postfix
version 2.2, the virtual(8) delivery agent will terminate with a fatal error.
A prefix that the virtual(8) delivery agent prepends to all pathname results from
$virtual_mailbox_maps table lookups. This is a safety measure to ensure that an out of
control map doesn't litter the file system with mailboxes. While virtual_mailbox_base
could be set to "/", this setting isn't recommended.
Example:
virtual_mailbox_base = /var/mail
Postfix is final destination for the specified list of domains; mail is delivered via the
$virtual_transport mail delivery transport. By default this is the Postfix virtual(8)
delivery agent. The SMTP server validates recipient addresses with
$virtual_mailbox_maps and rejects mail for non-existent recipients. See also the virtual
mailbox domain class in the ADDRESS_CLASS_README file.
This parameter expects the same syntax as the mydestination configuration parameter.
This feature is available in Postfix 2.0 and later. The default value is backwards
compatible with Postfix 1.1.
The maximal size in bytes of an individual mailbox or maildir file, or zero (no limit).
How to lock a UNIX-style virtual(8) mailbox before attempting delivery. For a list of
available file locking methods, use the "postconf -l" command.
This setting is ignored with maildir style delivery, because such deliveries are safe
without application-level locks.
Note 1: The dotlock method requires that the recipient UID or GID has write access to
the parent directory of the recipient's mailbox file.
Optional lookup tables with all valid addresses in the domains that match
$virtual_mailbox_domains.
In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the
specified domain that does not have a specific "user@domain.tld" entry.
The virtual(8) delivery agent uses this table to look up the per-recipient mailbox or
maildir pathname. If the lookup result ends in a slash ("/"), maildir-style delivery is
carried out, otherwise the path is assumed to specify a UNIX-style mailbox file. Note
that $virtual_mailbox_base is unconditionally prepended to this path.
Note 1: for security reasons, the virtual(8) delivery agent disallows regular expression
substitution of $1 etc. in regular expression lookup tables, because that would open a
security hole.
Note 2: for security reasons, the virtual(8) delivery agent will silently ignore requests to
use the proxymap(8) server. Instead it will open the table directly. Before Postfix
version 2.2, the virtual(8) delivery agent will terminate with a fatal error.
Optional lookup tables with a) names of domains for which all addresses are aliased to
addresses in other local or remote domains, and b) addresses that are aliased to
addresses in other local or remote domains. Available before Postfix version 2.0. With
Postfix 2.1 and later, this is replaced by separate controls: virtual_alias_domains and
virtual_alias_maps.
The minimum user ID value that the virtual(8) delivery agent accepts as a result from
$virtual_uid_maps table lookup. Returned values less than this will be rejected, and
the message will be deferred.
The default mail delivery transport for domains that match the
$virtual_mailbox_domains parameter value. This information can be overruled with the
transport(5) table.
Specify a string of the form transport:nexthop, where transport is the name of a mail
delivery transport defined in master.cf. The :nexthop part is optional. For more details
see the transport(5) manual page.
Lookup tables with the per-recipient user ID that the virtual(8) delivery agent uses while
writing to the recipient's mailbox.
In a lookup table, specify a left-hand side of "@domain.tld" to match any user in the
specified domain that does not have a specific "user@domain.tld" entry.
Note 1: for security reasons, the virtual(8) delivery agent disallows regular expression
substitution of $1 etc. in regular expression lookup tables, because that would open a
security hole.
Note 2: for security reasons, the virtual(8) delivery agent will silently ignore requests to
use the proxymap(8) server. Instead it will open the table directly. Before Postfix
version 2.2, the virtual(8) delivery agent will terminate with a fatal error.
ACCESS(5) ACCESS
(5)
NAME
access - format of Postfix access table
SYNOPSIS
postmap /etc/postfix/access
DESCRIPTION
The optional access table directs the Postfix SMTP
server
to selectively reject or accept mail. Access can
be
allowed or denied for specific host names, domain
names,
networks, host network addresses or mail addresses.
ordinary
indexed files.
TABLE FORMAT
The input format for the postmap(1) command is as
follows:
pattern action
When pattern matches a mail address, domain or
host
address, perform the corresponding action.
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
are
tried in the order as listed below:
user@domain
Matches the specified mail address.
domain.tld
Matches domain.tld as the domain part of an
email
address.
domain.tld
Matches domain.tld.
net.work.addr.ess
net.work.addr
net.work
ACCEPT ACTIONS
OK Accept the address etc. that matches the pattern.
all-numerical
An all-numerical result is treated as OK. This
for-
mat is generated by address-based relay
authoriza-
tion schemes.
REJECT ACTIONS
4NN text
5NN text
Reject the address etc. that matches the
pattern,
and respond with the numerical three-digit code
and
text. 4NN means "try again later", while 5NN
means
"do not try again".
OTHER ACTIONS
restriction...
Apply the named UCE restriction(s) (permit,
reject,
reject_unauth_destination, and so on).
the
lookup key (such as a subdomain name, or a
network
address subnetwork).
FILTER transport:destination
After the message is queued, send the entire
mes-
sage through the specified external content
filter.
The transport:destination syntax is described
in
the transport(5) manual page. More
information
about external content filters is in the
Postfix
FILTER_README file.
or
released with the postsuper(1) command.
REDIRECT user@domain
After the message is queued, send the message
to
the specified address instead of the
intended
recipient(s).
and
currently affects all recipients of the message.
the
table, until a pattern is found that matches the
search
string.
TCP-BASED TABLES
This section describes how the table lookups change
when
lookups are directed to a TCP-based server. For a
descrip-
tion of the TCP client/server lookup protocol,
see
tcp_table(5). This feature is not available in
Postfix
version 2.1.
EXAMPLE
The following example uses an indexed file, so that
the
order of table entries does not matter. The example
per-
mits access by the client at address 1.2.3.4 but
rejects
all other clients in 1.2.3.0/24. Instead of hash
lookup
tables, some systems use dbm. Use the command
"postconf
-m" to find out what lookup tables Postfix supports
on
your system.
/etc/postfix/main.cf:
smtpd_client_restrictions =
check_client_access hash:/etc/postfix/access
/etc/postfix/access:
1.2.3 REJECT
1.2.3.4 OK
BUGS
The table format does not understand quoting
conventions.
SEE ALSO
postmap(1), Postfix lookup table manager
smtpd(8), SMTP server
postconf(5), configuration parameters
transport(5), transport:nexthop syntax
README FILES
SMTPD_ACCESS_README, built-in SMTP server access control
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ACCESS
(5)
POSTMAP(1) POSTMAP
(1)
NAME
postmap - Postfix lookup table management
SYNOPSIS
postmap [-Nfinoprsvw] [-c config_dir] [-d key] [-q key]
[file_type:]file_name ...
DESCRIPTION
The postmap command creates or queries one or more
Postfix
lookup tables, or updates an existing one. The input
and
output file formats are expected to be compatible with:
ignored,
as are lines whose first non-whitespace
character
is a `#'.
COMMAND-LINE ARGUMENTS
-c config_dir
Read the main.cf configuration file in the
named
directory instead of the default
configuration
directory.
Arguments:
file_type
The database type. To find out what types are
sup-
ported, use the "postconf -m" command.
file_name
The name of the lookup table source file
when
rebuilding a database.
DIAGNOSTICS
Problems are logged to the standard error stream and
to
syslogd(8). No output means that no problems
were
detected. Duplicate entries are skipped and are
flagged
with a warning.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE
Enable verbose logging for debugging purposes.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
berkeley_db_create_buffer_size (16777216)
The per-table I/O buffer size for programs
that
create Berkeley DB hash or btree tables.
berkeley_db_read_buffer_size (131072)
The per-table I/O buffer size for programs
that
read Berkeley DB hash or btree tables.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
postalias(1), create/update/query alias database
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTMAP
(1)
SENDMAIL(1) SENDMAIL
(1)
NAME
sendmail - Postfix to Sendmail compatibility interface
SYNOPSIS
sendmail [option ...] [recipient ...]
mailq
sendmail -bp
newaliases
sendmail -I
DESCRIPTION
The Postfix sendmail command implements the Postfix
to
Sendmail compatibility interface. For the sake of
compat-
ibility with existing applications, some Sendmail
command-
line options are recognized but silently ignored.
and
the recipients that still need to be delivered.
If
mail could not be delivered upon the last
attempt,
the reason for failure is shown. This mode of
oper-
ation is implemented by executing the postqueue
(1)
command.
newaliases
Initialize the alias database. If no input file
is
specified (with the -oA option, see below),
the
program processes the file(s) specified with
the
alias_database configuration parameter. If
no
alias database type is specified, the program
uses
the type specified with the
default_database_type
configuration parameter. This mode of operation
is
implemented by running the postalias(1) command.
-Am (ignored)
-Ac (ignored)
Postfix sendmail uses the same configuration
file
regardless of whether or not a message is an
ini-
tial submission.
-B body_type
The message body MIME type: 7BIT or 8BITMIME.
-bh (ignored)
-bH (ignored)
Postfix has no persistent host status database.
-bp List the mail queue. See the mailq command above.
the
mail_owner user.
-C config_file (ignored)
The path name of the sendmail.cf file. Postfix
con-
figuration files are kept in the /etc/
postfix
directory.
-F full_name
Set the sender full name. This is used only
with
messages that have no From: message header.
-f sender
Set the envelope sender address. This is
the
address where delivery problems are sent to,
unless
the message contains an Errors-To: message
header.
-G (ignored)
Gateway (relay) submission, as opposed to
initial
user submission.
-h hop_count (ignored)
Hop count limit. Use the hopcount_limit
configura-
tion parameter instead.
-L label (ignored)
The logging label. Use the syslog_name
configura-
tion parameter instead.
-m (ignored)
Backwards compatibility.
-N dsn (ignored)
Delivery status notification control.
Currently,
Postfix does not implement DSN.
-n (ignored)
Backwards compatibility.
-oAalias_database
Non-default alias database. Specify pathname
or
type:pathname. See postalias(1) for details.
-o7 (ignored)
-o8 (ignored)
To send 8-bit or binary content, use an
appropriate
MIME encapsulation and specify the appropriate -
B
command-line option.
-om (ignored)
The sender is never eliminated from alias
etc.
expansions.
-o x value (ignored)
Set option x to value. Use the equivalent
configu-
ration parameter in main.cf instead.
-r sender
Set the envelope sender address. This is
the
address where delivery problems are sent to,
unless
the message contains an Errors-To: message
header.
-R return_limit (ignored)
Limit the size of bounced mail. Use
the
bounce_size_limit configuration parameter
instead.
all
other mail.
-qinterval (ignored)
The interval between queue runs. Use
the
queue_run_delay configuration parameter instead.
-qRsite
Schedule immediate delivery of all mail that
is
queued for the named site. This option accepts
only
site names that are eligible for the "fast
flush"
service, and is implemented by executing
the
postqueue(1) command. See flush(8) for more
infor-
mation about the "fast flush" service.
-qSsite
This command is not implemented. Use the
slower
sendmail -q command instead.
-U (ignored)
Initial user submission.
envelope
sender address of the form owner-
listname@origin,
each recipient user@domain receives mail with
a
personalized envelope sender address.
-X log_file (ignored)
Log mailer traffic. Use the debug_peer_list
and
SECURITY
By design, this program is not set-user (or group)
id.
However, it must handle data from untrusted users
or
untrusted machines. Thus, the usual precautions need
to
be taken against malicious inputs.
DIAGNOSTICS
Problems are logged to syslogd(8) and to the
standard
error stream.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE
Enable verbose logging for debugging purposes.
MAIL_DEBUG
Enable debugging with an external command, as
spec-
ified with the debugger_command
configuration
parameter.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
trouble
shoot a Postfix system.
debugger_command (empty)
The external command to execute when a Postfix
dae-
mon program is invoked with the -D option.
debug_peer_level (2)
The increment in verbose logging level when
a
remote client or server matches a pattern in
the
debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server
hostname
or network address patterns that cause the
verbose
logging level to increase by the amount
specified
in $debug_peer_level.
ACCESS CONTROLS
Available in Postfix version 2.2 and later:
authorized_flush_users (static:anyone)
List of users who are authorized to flush
the
queue.
authorized_mailq_users (static:anyone)
List of users who are authorized to view the
queue.
authorized_submit_users (static:anyone)
List of users who are authorized to submit
mail
with the sendmail(1) command (and with the
privi-
fork_attempts (5)
The maximal number of attempts to fork() a
child
process.
fork_delay (1s)
The delay between attempts to fork() a child
pro-
cess.
hopcount_limit (50)
The maximal number of Received: message
headers
that is allowed in the primary message headers.
queue_run_delay (1000s)
The time between deferred queue scans by the
queue
manager.
fast_flush_domains ($relay_domains)
Optional list of destinations that are eligible
for
per-destination logfiles with mail that is
queued
to those destinations.
VERP CONTROLS
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP
delimiter
characters on the Postfix sendmail(1) command
line
and in SMTP commands.
MISCELLANEOUS CONTROLS
alias_database (see 'postconf -d' output)
The alias databases for local(8) delivery that
are
updated with "newaliases" or with "sendmail -bi".
delay_warning_time (0h)
The time after which the sender receives the
mes-
sage headers of mail that is still queued.
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
trigger_timeout (10s)
The time limit for sending a trigger to a
Postfix
daemon (for example, the pickup(8) or qmgr(8)
dae-
mon).
FILES
/var/spool/postfix, mail queue
/etc/postfix, configuration files
SEE ALSO
pickup(8), mail pickup daemon
qmgr(8), queue manager
smtpd(8), SMTP server
README_FILES
DEBUG_README, Postfix debugging howto
ETRN_README, Postfix ETRN howto
VERP_README, Postfix VERP howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SENDMAIL
(1)
POSTDROP(1) POSTDROP
(1)
NAME
postdrop - Postfix mail posting utility
SYNOPSIS
postdrop [-rv] [-c config_dir]
DESCRIPTION
The postdrop command creates a file in the maildrop
direc-
tory and copies its standard input to the file.
Options:
-c config_dir
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory. See also the MAIL_CONFIG
environment
setting below.
SECURITY
The command is designed to run with set-group ID
privi-
leges, so that it can write to the maildrop queue
direc-
tory and so that it can connect to Postfix daemon
pro-
cesses.
DIAGNOSTICS
Fatal errors: malformed input, I/O error, out of
memory.
Problems are logged to syslogd(8) and to the
standard
error stream. When the input is incomplete, or when
the
process receives a HUP, INT, QUIT or TERM signal,
the
queue file is deleted.
ENVIRONMENT
MAIL_CONFIG
Directory with the main.cf file. In order to
avoid
exploitation of set-group ID privileges, a
non-
standard directory is allowed only if:
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
alternate_config_directories (empty)
A list of non-default Postfix configuration
direc-
tories that may be specified with "-c
config_direc-
tory" on the command line, or via the
MAIL_CONFIG
environment parameter.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
trigger_timeout (10s)
The time limit for sending a trigger to a
Postfix
daemon (for example, the pickup(8) or qmgr(8)
dae-
mon).
authorized_submit_users (static:anyone)
List of users who are authorized to submit
mail
with the sendmail(1) command (and with the
privi-
leged postdrop(1) helper command).
FILES
/var/spool/postfix/maildrop, maildrop queue
SEE ALSO
sendmail(1), compatibility interface
postconf(5), configuration parameters
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTDROP
(1)
PICKUP(8) PICKUP
(8)
NAME
pickup - Postfix local mail pickup
SYNOPSIS
pickup [generic Postfix daemon options]
DESCRIPTION
The pickup daemon waits for hints that new mail has
been
dropped into the maildrop directory, and feeds it into
the
cleanup(8) daemon. Ill-formatted files are deleted
with-
out notifying the originator. This program expects to
be
run from the master(8) process manager.
STANDARDS
None. The pickup daemon does not interact with the
outside
world.
SECURITY
The pickup daemon is moderately security sensitive.
It
runs with fixed low privilege and can run in a
chrooted
environment. However, the program reads files from
poten-
tially hostile users. The pickup daemon opens no
files
for writing, is careful about what files it opens
for
reading, and does not actually touch any data that is
sent
to its public service endpoint.
DIAGNOSTICS
BUGS
The pickup daemon copies mail from file to the cleanup
(8)
daemon. It could avoid message copying overhead by
send-
ing a file descriptor instead of file data, but then
the
already complex cleanup(8) daemon would have to deal
with
unfiltered user data.
CONFIGURATION PARAMETERS
As the pickup(8) daemon is a relatively long-running
pro-
cess, up to an hour may pass before a main.cf change
takes
effect. Use the command "postfix reload" command to
speed
up a change.
receive_override_options (empty)
Enable or disable recipient validation, built-
in
content filtering, or address mapping.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
line_length_limit (2048)
Upon input, long lines are chopped up into
pieces
of at most this length; upon delivery, long
lines
are reconstructed.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
cleanup(8), message canonicalization
sendmail(1), Sendmail-compatible interface
postdrop(1), mail posting agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PICKUP
(8)
CLEANUP(8) CLEANUP
(8)
NAME
cleanup - canonicalize and enqueue Postfix message
SYNOPSIS
cleanup [generic Postfix daemon options]
DESCRIPTION
The cleanup daemon processes inbound mail, inserts it
into
the incoming mail queue, and informs the queue manager
of
its arrival.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 2045 (MIME: Format of Internet Message Bodies)
RFC 2046 (MIME: Media Types)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Table-driven rewriting rules make it hard to express
if
then else and other logical relationships.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically,
as
cleanup(8) processes run for only a limited amount
of
time. Use the command "postfix reload" to speed up
a
change.
COMPATIBILITY CONTROLS
undisclosed_recipients_header (To: undisclosed-
recipi-
ents:;)
Message header that the Postfix cleanup(8)
server
inserts when a message contains no To: or Cc:
mes-
sage header.
body_checks (empty)
Optional lookup tables for content inspection
as
specified in the body_checks(5) manual page.
header_checks (empty)
Optional lookup tables for content inspection
of
primary non-MIME message headers, as specified
in
the header_checks(5) manual page.
body_checks_size_limit (51200)
How much text in a message body segment (or
attach-
ment, if you prefer to use that term) is
subjected
to body_checks inspection.
mime_header_checks ($header_checks)
Optional lookup tables for content inspection
of
MIME related message headers, as described in
the
header_checks(5) manual page.
nested_header_checks ($header_checks)
Optional lookup tables for content inspection
of
non-MIME message headers in attached messages,
as
described in the header_checks(5) manual page.
disable_mime_input_processing (no)
Turn off MIME processing while receiving mail.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart
boundary
strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME
processor
will handle.
strict_8bitmime (no)
Enable both strict_7bit_headers and
strict_8bit-
mime_body.
strict_7bit_headers (no)
Reject mail with 8-bit text in message headers.
strict_8bitmime_body (no)
Reject 8-bit message body text without 8-bit
MIME
content encoding information.
strict_mime_encoding_domain (no)
Reject mail with invalid Content-Transfer-
Encoding:
information for the message/* or multipart/*
MIME
content types.
always_bcc (empty)
Optional address that receives a "blind
carbon
copy" of each message that is received by the
Post-
fix mail system.
sender_bcc_maps (empty)
Optional BCC (blind carbon-copy) address
lookup
tables, indexed by sender address.
recipient_bcc_maps (empty)
Optional BCC (blind carbon-copy) address
lookup
tables, indexed by recipient address.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the
null
address.
canonical_maps (empty)
Optional address mapping lookup tables for
message
headers and envelopes.
recipient_canonical_maps (empty)
Optional address mapping lookup tables for
envelope
and header recipient addresses.
sender_canonical_maps (empty)
Optional address mapping lookup tables for
envelope
and header sender addresses.
masquerade_classes (envelope_sender,
header_sender,
header_recipient)
What addresses are subject to address
masquerading.
masquerade_domains (empty)
Optional list of domains whose subdomain
structure
masquerade_exceptions (empty)
Optional list of user names that are not
subjected
to address masquerading, even when their
address
matches $masquerade_domains.
virtual_maps (empty)
Optional lookup tables with a) names of domains
for
which all addresses are aliased to addresses
in
other local or remote domains, and b)
addresses
that are aliased to addresses in other local
or
remote domains.
virtual_alias_maps ($virtual_maps)
Optional lookup tables that alias specific
mail
addresses or domains to other local or
remote
address.
canonical_classes (envelope_sender,
envelope_recipient,
header_sender, header_recipient)
What addresses are subject to
canonical_maps
address mapping.
recipient_canonical_classes
(envelope_recipient,
header_recipient)
What addresses are subject to
recipient_canoni-
cal_maps address mapping.
remote_header_rewrite_domain (empty)
Don't rewrite message headers from remote
clients
at all when this parameter is empty;
otherwise,
rewrite remote message headers and append the
spec-
ified domain name to incomplete addresses.
header_size_limit (102400)
The maximal amount of memory in bytes for storing
a
message header.
hopcount_limit (50)
The maximal number of Received: message
headers
that is allowed in the primary message headers.
in_flow_delay (1s)
Time to pause before accepting a new message,
when
the message arrival rate exceeds the message
deliv-
ery rate.
message_size_limit (10240000)
The maximal size in bytes of a message,
including
envelope information.
header_address_token_limit (10240)
The maximal number of address tokens are allowed
in
an address message header.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart
boundary
strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME
processor
will handle.
queue_file_attribute_count_limit (100)
The maximal number of (name=value) attributes
that
may be stored in a Postfix queue file.
virtual_alias_expansion_limit (1000)
The maximal number of addresses that virtual
alias
virtual_alias_recursion_limit (1000)
The maximal nesting depth of virtual alias
expan-
sion.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
delay_warning_time (0h)
The time after which the sender receives the
mes-
sage headers of mail that is still queued.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
myorigin ($myhostname)
The domain name that locally-posted mail appears
to
come from, and that locally posted mail is
deliv-
ered to.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
soft_bounce (no)
Safety net to keep mail queued that would
otherwise
be returned to the sender.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
enable_original_recipient (yes)
Enable support for the X-Original-To
message
header.
FILES
/etc/postfix/canonical*, canonical mapping table
/etc/postfix/virtual*, virtual mapping table
SEE ALSO
trivial-rewrite(8), address rewriting
qmgr(8), queue manager
header_checks(5), message header content inspection
body_checks(5), body parts content inspection
canonical(5), canonical address lookup table format
virtual(5), virtual alias lookup table format
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
ADDRESS_REWRITING_README Postfix address manipulation
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
CLEANUP
(8)
TRIVIAL-REWRITE(8) TRIVIAL-REWRITE
(8)
NAME
trivial-rewrite - Postfix address rewriting and
resolving
daemon
SYNOPSIS
trivial-rewrite [generic Postfix daemon options]
DESCRIPTION
The trivial-rewrite daemon processes three types of
client
service requests:
resolve address
Resolve an address to a (transport, nexthop,
recip-
ient, flags) quadruple. The meaning of the
results
is as follows:
transport
The delivery agent to use. This is the
first
field of an entry in the master.cf file.
nexthop
The host to send to and optional
delivery
method information.
recipient
The envelope recipient address that
is
passed on to nexthop.
verify address
Resolve an address for address verification
pur-
poses.
STANDARDS
None. The command does not interact with the
outside
world.
SECURITY
The trivial-rewrite daemon is not security sensitive.
By
default, this daemon does not talk to remote or
local
users. It can run at a fixed low privilege in a
chrooted
environment.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
On busy mail systems a long time may pass before a main.
cf
change affecting trivial_rewrite(8) is picked up. Use
the
command "postfix reload" to speed up a change.
COMPATIBILITY CONTROLS
resolve_dequoted_address (yes)
Resolve a recipient address safely instead of
cor-
rectly, by looking inside quotes.
resolve_null_domain (no)
Resolve an address that ends in the "@" null
domain
as if the local hostname were specified, instead
of
rejecting the address as invalid.
allow_percent_hack (yes)
Enable the rewriting of the form "user%domain"
to
"user@domain".
append_at_myorigin (yes)
With locally submitted mail, append the
string
"@$myorigin" to mail addresses without
domain
information.
append_dot_mydomain (yes)
With locally submitted mail, append the
string
".$mydomain" to addresses that have no ".
domain"
information.
recipient_delimiter (empty)
swap_bangpath (yes)
Enable the rewriting of "site!user"
into
"user@site".
remote_header_rewrite_domain (empty)
Don't rewrite message headers from remote
clients
at all when this parameter is empty;
otherwise,
rewrite remote message headers and append the
spec-
ified domain name to incomplete addresses.
ROUTING CONTROLS
The following is applicable to Postfix version 2.0
and
later. Earlier versions do not have support for:
vir-
tual_transport, relay_transport,
virtual_alias_domains,
virtual_mailbox_domains or proxy_interfaces.
local_transport (local:$myhostname)
The default mail delivery transport for
domains
that match $mydestination, $inet_interfaces
or
$proxy_interfaces.
virtual_transport (virtual)
The default mail delivery transport for
domains
that match the $virtual_mailbox_domains
parameter
value.
relay_transport (relay)
The default mail delivery transport and next-
hop
information for domains that match
the
$relay_domains parameter value.
default_transport (smtp)
The default mail delivery transport for
domains
that do not match $mydestination,
$inet_interfaces,
$proxy_interfaces, $virtual_alias_domains,
$vir-
tual_mailbox_domains, or $relay_domains.
relayhost (empty)
The default host to send non-local mail to when
no
entry is matched in the optional transport
(5)
table.
transport_maps (empty)
Optional lookup tables with mappings from
recipient
address to (message delivery transport, next-
hop
destination).
address_verify_local_transport ($local_transport)
Overrides the local_transport parameter setting
for
address verification probes.
address_verify_virtual_transport ($virtual_transport)
Overrides the virtual_transport parameter
setting
for address verification probes.
address_verify_relay_transport ($relay_transport)
Overrides the relay_transport parameter setting
for
address verification probes.
address_verify_default_transport ($default_transport)
Overrides the default_transport parameter
setting
for address verification probes.
address_verify_relayhost ($relayhost)
Overrides the relayhost parameter setting
for
address verification probes.
address_verify_transport_maps ($transport_maps)
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the
null
address.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
relocated_maps (empty)
Optional lookup tables with new contact
information
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
show_user_unknown_table_name (yes)
Display the name of the recipient table in
the
"User unknown" responses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
helpful_warnings (yes)
Log warnings about problematic configuration
set-
tings, and provide helpful suggestions.
SEE ALSO
postconf(5), configuration parameters
README FILES
ADDRESS_CLASS_README, Postfix address classes howto
ADDRESS_VERIFICATION_README, Postfix address verification
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TRIVIAL-REWRITE
(8)
Introduction
Postfix version 2.0 introduces the concept of address classes. This is a way of grouping
recipient addresses by their delivery method. The idea comes from discussions with Victor
Duchovni. Although address classes introduced a few incompatibilities they also made it
possible to improve the handling of hosted domains and of unknown recipients.
● The list of domains that are a member of the class: for example, all local domains, or all
relay domains.
● The default delivery method. For example, the local or smtp delivery agent. This helps
to keep Postfix configurations simple.
● The list of valid recipient addresses for that address class. The Postfix SMTP server
rejects invalid recipients with "User unknown in <name of address class here> table".
This helps to keep the Postfix queue free of undeliverable MAILER-DAEMON
messages.
● Purpose: final delivery for traditional UNIX system accounts and traditional Sendmail-
style aliases. This is typically used for the canonical domains of the machine. For a
discussion of the difference between canonical domains, hosted domains and other
domains, see the VIRTUAL_README file.
● Domain names are listed with the mydestination parameter. This domain class also
includes mail for user@[ipaddress] when the IP address is listed with the
inet_interfaces or proxy_interfaces parameters.
● The mail delivery transport is specified with the local_transport parameter. The default
value is local:$myhostname for delivery with the local(8) delivery agent.
● Purpose: hosted domains where each recipient address is aliased to a local UNIX system
account or to a remote address. A virtual alias example is given in the
VIRTUAL_README file.
● Valid recipient addresses are listed with the virtual_alias_maps parameter. The Postfix
SMTP server rejects invalid recipients with "User unknown in virtual alias table". The
default value is $virtual_maps for Postfix 1.1 compatibility.
● There is no mail delivery transport parameter. Every address must be aliased to some
other address.
● Purpose: final delivery for hosted domains where each recipient address can have its
own mailbox, and where users do not need to have a UNIX system account. A virtual
mailbox example is given in the VIRTUAL_README file.
● Domain names are listed with the virtual_mailbox_domains parameter. The default
value is $virtual_mailbox_maps for Postfix 1.1 compatibility.
● Valid recipient addresses are listed with the virtual_mailbox_maps parameter. The
Postfix SMTP server rejects invalid recipients with "User unknown in virtual mailbox
table". If this parameter value is empty, the Postfix SMTP server accepts all recipients
for domains listed in $virtual_mailbox_domains.
● The mail delivery transport is specified with the virtual_transport parameter. The default
value is virtual for delivery with the virtual(8) delivery agent.
● Purpose: mail forwarding to remote destinations that list your system as primary or
backup MX host. For a discussion of the basic configuration details, see the
BASIC_CONFIGURATION_README document. For a discussion of the difference
between canonical domains, hosted domains and other domains, see the
VIRTUAL_README file.
● Valid recipient addresses are listed with the relay_recipient_maps parameter. The
Postfix SMTP server rejects invalid recipients with "User unknown in relay recipient
table". If this parameter value is empty, the Postfix SMTP server accepts all recipients
for domains listed with the relay_domains parameter.
● The mail delivery transport is specified with the relay_transport parameter. The default
value is relay which is a clone of the smtp(8) delivery agent.
● The mail delivery transport is specified with the default_transport parameter. The
default value is smtp for delivery with the smtp(8) delivery agent.
● You no longer need to specify all the virtual(8) mailbox domains in the Postfix transport
map. The virtual(8) delivery agent has become a first-class citizen just like local(8) or
smtp(8).
● On mail gateway systems, address classes provide separation of inbound mail relay
traffic ($relay_transport) from outbound traffic ($default_transport). This eliminates a
problem where inbound mail deliveries could become resource starved in the presence
of a high volume of outbound mail.
● The SMTP server rejects unknown recipients in a more consistent manner than was
possible with Postfix version 1. This is needed to keep undeliverable mail (and bounced
undeliverable mail) out of the mail queue. This is controlled by the
smtpd_reject_unlisted_recipient configuration parameter.
● As of Postfix version 2.1, the SMTP server also rejects unknown sender addresses (i.e.
addresses that it would reject as unknown recipient addresses). Sender "egress filtering"
can help to slow down an email worm explosion. This is controlled by the
smtpd_reject_unlisted_sender configuration parameter.
For backwards compatibility with Postfix version 1.1, the new virtual_alias_maps
parameter defaults to $virtual_maps, and the new virtual_alias_domains parameter
defaults to $virtual_alias_maps.
● Introduction of the relay_recipient_maps parameter. The Postfix SMTP server can use
this to block mail for relay recipients that don't exist. This list is empty by default,
which means accept any recipient.
● The local_recipient_maps feature is now turned on by default. The Postfix SMTP server
uses this to reject mail for unknown local recipients. See the
LOCAL_RECIPIENT_README file hints and tips.
● Introduction of the relay delivery transport in master.cf. This helps to avoid mail
delivery scheduling problems on inbound mail relays when there is a lot of outbound
mail, but may require that you update your "defer_transports" setting.
This document gives an overview of how Postfix can be used for hosting multiple Internet
domains, both for final delivery on the machine itself and for the purpose of forwarding to
destinations elsewhere.
The text not only describes delivery mechanisms that are built into Postfix, but also gives
pointers for using non-Postfix mail delivery software.
the canonical domains. They are usually implemented with the Postfix local domain address
class, as defined in the ADDRESS_CLASS_README file.
Besides the canonical domains, Postfix can be configured to be final destination for any number
of additional domains. These domains are called hosted, because they are not directly associated
with the name of the machine itself. Hosted domains are usually implemented with the virtual
alias domain address class and/or with the virtual mailbox domain address class, as defined in the
ADDRESS_CLASS_README file.
But wait! There is more. Postfix can be configured as a backup MX host for other domains. In
this case Postfix is not the final destination for those domains. It merely queues the mail when
the primary MX host is down, and forwards the mail when the primary MX host becomes
available. This function is implemented with the relay domain address class, as defined in the
ADDRESS_CLASS_README file.
Finally, Postfix can be configured as a transit host for sending mail across the internet.
Obviously, Postfix is not final destination for such mail. This function is available only for
authorized clients and/or users, and is implemented by the default domain address class, as
defined in the ADDRESS_CLASS_README file.
listed in the Postfix mydestination configuration parameter, and to add the user names to the
UNIX password file.
This approach makes no distinction between canonical and hosted domains. Each username can
receive mail in every domain.
In the examples we will use "example.com" as the domain that is being hosted on the local
Postfix machine.
/etc/postfix/main.cf:
mydestination = $myhostname localhost.$mydomain ...
example.com
● A total lack of separation: mail for info@my.host.name is delivered to the same UNIX
system account as mail for info@example.com.
● With users in the UNIX password file, administration of large numbers of users becomes
inconvenient.
With virtual alias domains, each hosted address is aliased to a local UNIX system account or to a
remote address. The example below shows how to use this mechanism for the example.com
domain.
1 /etc/postfix/main.cf:
2 virtual_alias_domains = example.com ...other
hosted domains...
3 virtual_alias_maps = hash:/etc/postfix/virtual
4
5 /etc/postfix/virtual:
6 postmaster@example.com postmaster
7 info@example.com joe
8 sales@example.com jane
9 # Uncomment entry below to implement a catch-all
address
10 # @example.com jim
11 ...virtual aliases for more domains...
Notes:
● Lines 3-8: the /etc/postfix/virtual file contains the virtual aliases. With the example above,
mail for postmaster@example.com goes to the local postmaster, while mail for
info@example.com goes to the UNIX account joe, and mail for sales@example.com goes
to the UNIX account jane. Mail for all other addresses in example.com is rejected with the
error message "User unknown".
● Line 10: the commented out entry (text after #) shows how one would implement a catch-
all virtual alias that receives mail for every example.com address not listed in the virtual
alias file. This is not without risk. Spammers nowadays try to send mail from (or mail to)
every possible name that they can think of. A catch-all mailbox is likely to receive many
spam messages, and many bounces for spam messages that were sent in the name of
anything@example.com.
Execute the command "postmap /etc/postfix/virtual" after changing the virtual file, and execute
the command "postfix reload" after changing the main.cf file.
Note: virtual aliases can resolve to a local address or to a remote address, or both. They don't
have to resolve to UNIX system accounts on your machine.
More details about the virtual alias file are given in the virtual(5) manual page, including multiple
addresses on the right-hand side.
Virtual aliasing solves one problem: it allows each domain to have its own info mail address. But
there still is one drawback: each virtual address is aliased to a UNIX system account. As you add
more virtual addresses you also add more UNIX system accounts. The next section eliminates
this problem.
With the Postfix virtual(8) mailbox delivery agent, every recipient address can have its own
virtual mailbox. Unlike virtual alias domains, virtual mailbox domains do not need the clumsy
translation from each recipient addresses into a different address, and owners of a virtual mailbox
address do not need to have a UNIX system account.
The Postfix virtual(8) mailbox delivery agent looks up the user mailbox pathname, uid and gid
via separate tables that are searched with the recipient's mail address. Maildir style delivery is
turned on by terminating the mailbox pathname with "/".
If you find the idea of multiple tables bothersome, remember that you can migrate the
information (once it works), to an SQL database. If you take that route, be sure to review the
"local files versus databases" section at the top of this document.
1 /etc/postfix/main.cf:
2 virtual_mailbox_domains = example.com ...more
domains...
3 virtual_mailbox_base = /var/mail/vhosts
4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox
5 virtual_minimum_uid = 100
6 virtual_uid_maps = static:5000
7 virtual_gid_maps = static:5000
8 virtual_alias_maps = hash:/etc/postfix/virtual
9
10 /etc/postfix/vmailbox:
11 info@example.com example.com/info
12 sales@example.com example.com/sales/
13 # Comment out the entry below to implement a
catch-all.
14 # @example.com example.com/catchall
15 ...virtual mailboxes for more domains...
16
17 /etc/postfix/virtual:
18 postmaster@example.com postmaster
Notes:
● Line 3: The virtual_mailbox_base parameter specifies a prefix for all virtual mailbox
pathnames. This is a safety mechanism in case someone makes a mistake. It prevents mail
from being delivered all over the file system.
● Lines 4, 10-15: The virtual_mailbox_maps parameter specifies the lookup table with
mailbox (or maildir) pathnames, indexed by the virtual mail address. In this example, mail
for info@example.com goes to the mailbox at /var/mail/vhosts/example.com/info while
mail for sales@example.com goes to the maildir located at /var/mail/vhosts/example.com/
sales/.
● Lines 6, 7: The virtual_uid_maps and virtual_gid_maps parameters specify that all the
virtual mailboxes are owned by a fixed uid and gid 5000. If this is not what you want,
specify lookup tables that are searched by the recipient's mail address.
● Line 14: The commented out entry (text after #) shows how one would implement a catch-
all virtual mailbox address. Be prepared to receive a lot of spam, as well as bounced spam
that was sent in the name of anything@example.com.
● Lines 8, 17, 18: As you see, it is possible to mix virtual aliases with virtual mailboxes. We
use this feature to redirect mail for example.com's postmaster address to the local
postmaster. You can use the same mechanism to redirect an address to a remote address.
● Line 18: This example assumes that in main.cf, $myorigin is listed under the
mydestination parameter setting. If that is not the case, specify an explicit domain name
on the right-hand side of the virtual alias table entries or else mail will go to the wrong
domain.
Execute the command "postmap /etc/postfix/virtual" after changing the virtual file, execute
"postmap /etc/postfix/vmailbox" after changing the vmailbox file, and execute the command
"postfix reload" after changing the main.cf file.
Note: mail delivery happens with the recipient's UID/GID privileges specified with
virtual_uid_maps and virtual_gid_maps. Postfix 2.0 and earlier will not create mailDIRs in world-
writable parent directories; you must create them in advance before you can use them. Postfix
may be able to create mailBOX files by itself, depending on parent directory write permissions,
but it is safer to create mailBOX files ahead of time.
More details about the virtual mailbox delivery agent are given in the virtual(8) manual page.
While non-Postfix software is being used for final delivery, some Postfix concepts are still
needed in order to glue everything together. For additional background on this glue you may
want to take a look at the virtual mailbox domain class as defined in the
ADDRESS_CLASS_README file.
The text in this section describes what things should look like from Postfix's point of view. See
CYRUS_README or MAILDROP_README for specific information about Cyrus or about
Courier maildrop.
Here is an example for a hosted domain example.com that delivers to a non-Postfix delivery
agent:
1 /etc/postfix/main.cf:
2 virtual_transport = ...see below...
3 virtual_mailbox_domains = example.com ...more
domains...
4 virtual_mailbox_maps = hash:/etc/postfix/vmailbox
5 virtual_alias_maps = hash:/etc/postfix/virtual
6
7 /etc/postfix/vmailbox:
8 info@example.com whatever
9 sales@example.com whatever
10 # Comment out the entry below to implement a
catch-all.
11 # Configure the mailbox store to accept all
addresses.
12 # @example.com whatever
13 ...virtual mailboxes for more domains...
14
15 /etc/postfix/virtual:
16 postmaster@example.com postmaster
Notes:
● Line 2: With delivery to a non-Postfix mailbox store for hosted domains, the
virtual_transport parameter usually specifies the Postfix LMTP client, or the name of a
master.cf entry that executes non-Postfix software via the pipe delivery agent. Typical
examples (use only one):
Postfix comes ready with support for LMTP. And an example maildrop delivery method is
already defined in the default Postfix master.cf file. See the MAILDROP_README
document for more details.
● Lines 4, 7-13: The virtual_mailbox_maps parameter specifies the lookup table with all
valid recipient addresses. The lookup result is ignored by Postfix. In the above example,
info@example.com and sales@example.com are listed as valid addresses, and mail for
anything else is rejected with "User unknown". If you intend to use LDAP, MySQL or
PgSQL instead of local files, be sure to review the "local files versus databases" section at
the top of this document!
● Line 12: The commented out entry (text after #) shows how one would inform Postfix of
the existence of a catch-all address. Again, the lookup result is ignored by Postfix.
Note: if you specify a wildcard in virtual_mailbox_maps, then you still need to configure
the non-Postfix mailbox store to receive mail for any address in that domain.
● Lines 5, 15, 16: As you see above, it is possible to mix virtual aliases with virtual
mailboxes. We use this feature to redirect mail for example.com's postmaster address to
the local postmaster. You can use the same mechanism to redirect any addresses to a local
or remote address.
● Line 16: This example assumes that in main.cf, $myorigin is listed under the
mydestination parameter setting. If that is not the case, specify an explicit domain name
on the right-hand side of the virtual alias table entries or else mail will go to the wrong
domain.
Execute the command "postmap /etc/postfix/virtual" after changing the virtual file, execute
"postmap /etc/postfix/vmailbox" after changing the vmailbox file, and execute the command
"postfix reload" after changing the main.cf file.
1 /etc/postfix/main.cf:
2 virtual_alias_domains = example.com ...other
hosted domains...
3 virtual_alias_maps = hash:/etc/postfix/virtual
4
5 /etc/postfix/virtual:
6 postmaster@example.com postmaster
7 joe@example.com joe@somewhere
8 jane@example.com jane@somewhere-else
9 # Uncomment entry below to implement a catch-all
address
10 # @example.com jim@yet-another-site
11 ...virtual aliases for more domains...
Notes:
● Lines 3-11: The /etc/postfix/virtual file contains the virtual aliases. With the example
above, mail for postmaster@example.com goes to the local postmaster, while mail for
joe@example.com goes to the remote address joe@somewhere, and mail for
jane@example.com goes to the remote address jane@somewhere-else. Mail for all other
addresses in example.com is rejected with the error message "User unknown".
● Line 10: The commented out entry (text after #) shows how one would implement a catch-
all virtual alias that receives mail for every example.com address not listed in the virtual
alias file. This is not without risk. Spammers nowadays try to send mail from (or mail to)
every possible name that they can think of. A catch-all mailbox is likely to receive many
spam messages, and many bounces for spam messages that were sent in the name of
anything@example.com.
Execute the command "postmap /etc/postfix/virtual" after changing the virtual file, and execute
the command "postfix reload" after changing the main.cf file.
More details about the virtual alias file are given in the virtual(5) manual page, including multiple
addresses on the right-hand side.
Mailing lists
The examples that were given above already show how to direct mail for virtual postmaster
addresses to a local postmaster. You can use the same method to direct mail for any address to a
local or remote address.
There is one major limitation: virtual aliases and virtual mailboxes can't directly deliver to
mailing list managers such as majordomo. The solution is to set up virtual aliases that direct
virtual addresses to the local delivery agent:
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual:
listname-request@example.com listname-request
listname@example.com listname
owner-listname@example.com owner-listname
/etc/aliases:
listname: "|/some/where/majordomo/wrapper ..."
owner-listname: ...
listname-request: ...
This example assumes that in main.cf, $myorigin is listed under the mydestination parameter
setting. If that is not the case, specify an explicit domain name on the right-hand side of the
virtual alias table entries or else mail will go to the wrong domain.
More information about the Postfix local delivery agent can be found in the local(8) manual page.
Why does this example use a clumsy virtual alias instead of a more elegant transport mapping?
The reason is that mail for the virtual mailing list would be rejected with "User unknown". In
order to make the transport mapping work one would still need a bunch of virtual alias or virtual
mailbox table entries.
● In case of a virtual alias domain, there would need to be one identity mapping from each
mailing list address to itself.
● In case of a virtual mailbox domain, there would need to be a dummy mailbox for each
mailing list address.
Autoreplies
In order to set up an autoreply for virtual recipients while still delivering mail as normal, set up a
rule in a virtual alias table:
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual:
user@domain.tld user@domain.tld, user@domain.
tld@autoreply.mydomain.tld
This delivers mail to the recipient, and sends a copy of the mail to the address that produces
automatic replies. The address can be serviced on a different machine, or it can be serviced
locally by setting up a transport map entry that pipes all mail for autoreply.mydomain.tld into
some script that sends an automatic reply back to the sender.
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
/etc/postfix/transport:
autoreply.mydomain.tld autoreply:
/etc/postfix/master.cf:
#
=============================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never)
(100)
#
=============================================================
autoreply unix - n n -
- pipe
flags= user=nobody argv=/path/to/autoreply
$sender $mailbox
This invokes /path/to/autoreply with the sender address and the user@domain.tld recipient
address on the command line.
For more information, see the pipe(8) manual page, and the comments in the Postfix master.cf
file.
Introduction
As of Postfix version 2.0, the Postfix SMTP server rejects mail for unknown recipients in local
domains (domains that match $mydestination or the IP addresses in $inet_interfaces or
$proxy_interfaces) with "User unknown in local recipient table". This feature was optional
with earlier Postfix versions.
The good news is that this keeps undeliverable mail out of your queue, so that your mail queue
is not clogged up with undeliverable MAILER-DAEMON messages.
The bad news is that it may cause mail to be rejected when you upgrade from a Postfix system
that was not configured to reject mail for unknown local recipients.
This document describes what steps are needed in order to reject unknown local recipients
correctly.
The default setting, shown below, assumes that you use the default Postfix local(8) delivery
agent for local delivery, where recipients are either UNIX accounts or local aliases:
/etc/postfix/main.cf:
local_recipient_maps = proxy:unix:passwd.byname
$alias_maps
To turn off unknown local recipient rejects by the SMTP server, specify:
/etc/postfix/main.cf:
local_recipient_maps =
That is, an empty value. With this setting, the Postfix SMTP server will not reject mail with
"User unknown in local recipient table".
Solution: your local_recipient_maps setting needs to specify a database that lists all the
known user names or addresses for that delivery agent. For example, if you deliver users
in $mydestination etc. domains via the virtual(8) delivery agent, specify:
/etc/postfix/main.cf
mydestination = $myhostname localhost.$mydomain
localhost ...
local_transport = virtual
local_recipient_maps = $virtual_mailbox_maps
If you use a different delivery agent for $mydestination etc. domains, see the section
"Local recipient table format" below for a description of how the table should be
populated.
● Problem: you use the mailbox_transport or fallback_transport feature of the Postfix local
(8) delivery agent in order to deliver mail to non-UNIX accounts.
Solution: you need to add the database that lists the non-UNIX users:
/etc/postfix/main.cf
local_recipient_maps = proxy:unix:passwd.byname,
$alias_maps,
<the database with non-UNIX accounts>
See the section "Local recipient table format" below for a description of how the table
should be populated.
● Problem: you use the luser_relay feature of the Postfix local delivery agent.
Solution: you must disable the local_recipient_maps feature completely, so that Postfix
accepts mail for all local addresses:
/etc/postfix/main.cf
local_recipient_maps =
● You have to specify something on the right-hand side of the table, but the value is
ignored by local_recipient_maps.
If you use lookup tables based on NIS, LDAP, MYSQL, or PGSQL, then local_recipient_maps
does the same queries as for local files in postmap(1) format, and expects the same results.
With regular expression tables, Postfix only queries with the full recipient address, and not
with the bare username or the "@domain.tld" wild-card.
NOTE: a lookup table should always return a result when the address exists, and should always
return "not found" when the address does not exist. In particular, a zero-length result does not
count as a "not found" result.
LOCAL(8) LOCAL
(8)
NAME
local - Postfix local mail delivery
SYNOPSIS
local [generic Postfix daemon options]
DESCRIPTION
The local daemon processes delivery requests from
the
Postfix queue manager to deliver mail to local
recipients.
Each delivery request specifies a queue file, a
sender
address, a domain or host to deliver to, and one or
more
recipients. This program expects to be run from the
mas-
ter(8) process manager.
MAIL FORWARDING
For the sake of reliability, forwarded mail is re-
submit-
ted as a new message, so that each recipient has a
sepa-
rate on-file delivery status record.
MAILBOX DELIVERY
The default per-user mailbox is a file in the UNIX
mail
spool directory (/var/mail/user or /var/spool/mail/
user);
the location can be specified with the
mail_spool_direc-
tory configuration parameter. Specify a name ending
in /
for qmail-compatible maildir delivery.
value}
expand conditionally to value when $name is (is
not)
defined. Characters that may have special meaning to
the
shell or file system are replaced by underscores.
The
list of acceptable characters is specified with the
execu-
tion_directory_expansion_filter configuration parameter.
EXTENSION
The optional recipient address extension.
LOGNAME
The bare recipient name.
RECIPIENT
The entire recipient address.
CLIENT_ADDRESS
Remote client network address. Available as
of
Postfix 2.2.
CLIENT_HELO
Remote client EHLO command parameter. Available
as
of Postfix 2.2.
CLIENT_HOSTNAME
Remote client hostname. Available as of
Postfix
2.2.
CLIENT_PROTOCOL
Remote client protocol. Available as of
Postfix
2.2.
SASL_METHOD
SASL authentication method specified in the
remote
client AUTH command. Available as of Postfix 2.2.
SASL_SENDER
SASL sender address specified in the remote
client
MAIL FROM command. Available as of Postfix 2.2.
SASL_USERNAME
SASL username specified in the remote client
AUTH
command. Available as of Postfix 2.2.
ADDRESS EXTENSION
The optional recipient_delimiter configuration
parameter
specifies how to separate address extensions from
local
recipient names.
DELIVERY RIGHTS
Deliveries to external files and external commands
are
made with the rights of the receiving user on whose
behalf
the delivery is made. In the absence of a user
context,
the local daemon uses the owner rights of the :
include:
file or alias database. When those files are owned by
the
STANDARDS
RFC 822 (ARPA Internet Text Messages)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Cor-
rupted message files are marked so that the queue
manager
can move them to the corrupt queue afterwards.
BUGS
For security reasons, the message delivery status
of
external commands or of external files is never
check-
pointed to file. As a result, the program may
occasionally
deliver more than once to a command or external file.
Bet-
ter safe than sorry.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically,
as
local(8) processes run for only a limited amount of
time.
COMPATIBILITY CONTROLS
biff (yes)
Whether or not to use the local biff service.
expand_owner_alias (no)
When delivering to an alias "aliasname" that has
an
"owner-aliasname" companion alias, set the
envelope
sender address to the expansion of the
"owner-
aliasname" alias.
owner_request_special (yes)
Give special treatment to owner-listname and
list-
name-request address localparts: don't split
such
addresses when the recipient_delimiter is set
to
"-".
sun_mailtool_compatibility (no)
Obsolete SUN mailtool compatibility feature.
mailbox_transport (empty)
Optional message delivery transport that
the
local(8) delivery agent should use for
mailbox
delivery to all local recipients, whether or
not
they are found in the UNIX passwd database.
mailbox_command_maps (empty)
Optional lookup tables with per-recipient
external
commands to use for local(8) mailbox delivery.
mailbox_command (empty)
Optional external command that the local(8)
deliv-
ery agent should use for mailbox delivery.
home_mailbox (empty)
Optional pathname of a mailbox file relative to
a
local(8) user's home directory.
fallback_transport (empty)
Optional message delivery transport that
the
local(8) delivery agent should use for names
that
are not found in the aliases(5) database or in
the
UNIX passwd database.
luser_relay (empty)
Optional catch-all destination for unknown local
(8)
recipients.
command_execution_directory (empty)
The local(8) delivery agent working directory
for
delivery to external command.
deliver_lock_delay (1s)
The time between attempts to acquire an
exclusive
lock on a mailbox file or bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive
mailbox
lockfile is removed.
duplicate_filter_limit (1000)
The maximal number of addresses remembered by
the
address duplicate filter for aliases(5) or
vir-
tual(5) alias expansion, or for showq(8) queue
dis-
plays.
local_destination_concurrency_limit (2)
The maximal number of parallel deliveries via
the
local mail delivery transport to the same
recipient
(when "local_destination_recipient_limit = 1")
or
the maximal number of parallel deliveries to
the
same local domain (when
"local_destination_recipi-
ent_limit > 1").
local_destination_recipient_limit (1)
The maximal number of recipients per message
deliv-
ery via the local mail delivery transport.
mailbox_size_limit (51200000)
The maximal size of any local(8) individual
mailbox
or maildir file, or zero (no limit).
SECURITY CONTROLS
allow_mail_to_commands (alias, forward)
Restrict local(8) mail delivery to external
com-
mands.
default_privs (nobody)
The default rights used by the local(8)
delivery
agent for delivery to external file or command.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
local_command_shell (empty)
Optional shell program for local(8) delivery
to
non-Postfix command.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
recipient_delimiter (empty)
The separator between user names and address
exten-
sions (user+foo).
require_home_directory (no)
Whether or not a local(8) recipient's home
direc-
tory must exist before mail delivery is
attempted.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
The following are examples; details differ between
systems.
$HOME/.forward, per-user aliasing
/etc/aliases, sytem-wide alias database
/var/spool/mail, system mailboxes
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
newaliases(1), create/update alias database
postalias(1), create/update alias database
aliases(5), format of alias database
postconf(5), configuration parameters
master(5), generic daemon options
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
The Delivered-To: message header appears in the qmail
sys-
tem by Daniel Bernstein.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
LOCAL
(8)
MASTER(8) MASTER
(8)
NAME
master - Postfix master process
SYNOPSIS
master [-Dtv] [-c config_dir] [-e exit_time]
DESCRIPTION
The master daemon is the resident process that runs
Post-
fix daemons on demand: daemons to send or receive
messages
via the network, daemons to deliver mail locally,
etc.
These daemons are created on demand up to a
configurable
maximum number per service.
Options:
-c config_dir
Read the main.cf and master.cf configuration
files
in the named directory instead of the default
con-
-e exit_time
Terminate the master process after exit_time
sec-
onds. Child processes terminate at their
conve-
nience.
Signals:
the
master.cf file, its running processes are
termi-
nated immediately. Otherwise, running
processes
are allowed to terminate as soon as is
convenient,
so that changes in configuration settings
affect
only new service requests.
SIGTERM
Upon receipt of a TERM signal (e.g., after
postfix
abort), the master process passes the signal on
to
its child processes and terminates. This is
useful
for an emergency shutdown. Normally one would
ter-
minate only the master (postfix stop) and
allow
running processes to finish what they are doing.
DIAGNOSTICS
Problems are reported to syslogd(8).
ENVIRONMENT
MAIL_DEBUG
After initialization, start a debugger as
specified
with the debugger_command configuration
parameter
in the main.cf configuration file.
MAIL_CONFIG
Directory with Postfix configuration files.
CONFIGURATION PARAMETERS
Unlike most Postfix daemon processes, the master(8)
server
does not automatically pick up changes to main.cf.
Changes
to master.cf are never picked up automatically. Use
the
postfix reload command after a configuration change.
default_process_limit (100)
The default maximal number of Postfix child
pro-
cesses that provide a given service.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
service_throttle_time (60s)
How long the Postfix master(8) waits before
forking
a server that appears to be malfunctioning.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
debugger_command (empty)
The external command to execute when a Postfix
dae-
mon program is invoked with the -D option.
inet_interfaces (all)
The network interface addresses that this mail
sys-
tem receives mail on.
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
/etc/postfix/main.cf, global configuration file.
/etc/postfix/master.cf, master server configuration file.
/var/spool/postfix/pid/master.pid, master lock file.
SEE ALSO
qmgr(8), queue manager
verify(8), address verification
master(5), master.cf configuration file syntax
postconf(5), main.cf configuration parameter syntax
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
MASTER
(8)
MASTER(5) MASTER
(5)
NAME
master - Postfix master process configuration file format
DESCRIPTION
The Postfix mail system is implemented by small number
of
(mostly) client commands that are invoked by users, and
by
a larger number of services that run in the background.
SYNTAX
The general format of the master.cf file is as follows:
Service name
The service name syntax depends on the service
type
as described next.
Service type
Specify one of the following service types:
Private (default: y)
Whether or not access is restricted to the
mail
system. Internet (type inet) services can't
be
private.
Unprivileged (default: y)
Whether the service runs with root privileges or
as
the owner of the Postfix system (the owner name
is
controlled by the mail_owner configuration
variable
in the main.cf file).
Chroot (default: y)
Whether or not the service runs chrooted to
the
mail queue directory (pathname is controlled by
the
queue_directory configuration variable in
the
main.cf file).
same
effect for all daemon programs:
-o name=value
Override the named main.cf
configuration
parameter. The parameter value can refer
to
other parameters as $name etc., just like
in
main.cf. See postconf(5) for syntax.
SEE ALSO
master(8), process manager
postconf(5), configuration parameters
README FILES
BASIC_CONFIGURATION_README, basic configuration
DEBUG_README, Postfix debugging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Initial version by
Magnus Baeck
Lund Institute of Technology
Sweden
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
MASTER
(5)
BOUNCE(8) BOUNCE
(8)
NAME
bounce - Postfix message bounce or defer daemon
SYNOPSIS
bounce [generic Postfix daemon options]
DESCRIPTION
The bounce daemon maintains per-message log files
with
non-delivery status information. Each log file is
named
after the queue file that it corresponds to, and is
kept
in a queue subdirectory named after the service name
in
the master.cf file (either bounce, defer or trace).
This
program expects to be run from the master(8) process
man-
ager.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
RFC 1894 (Delivery Status Notifications)
RFC 2045 (Format of Internet Message Bodies)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically,
as
bounce(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
2bounce_notice_recipient (postmaster)
The recipient of undeliverable mail that cannot
be
returned to the sender.
backwards_bounce_logfile_compatibility (yes)
Produce additional bounce(8) logfile records
that
can be read by older Postfix versions.
bounce_notice_recipient (postmaster)
The recipient of postmaster notifications with
the
message headers of mail that Postfix did
not
deliver and of SMTP conversation transcripts
of
mail that Postfix did not receive.
bounce_size_limit (50000)
The maximal amount of original message text that
is
sent in a non-delivery notification.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
delay_notice_recipient (postmaster)
The recipient of postmaster notifications with
the
message headers of mail that cannot be
delivered
within $delay_warning_time time units.
deliver_lock_attempts (20)
The maximal number of attempts to acquire an
exclu-
sive lock on a mailbox file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an
exclusive
lock on a mailbox file or bounce(8) logfile.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
mail_name (Postfix)
The mail system name that is displayed in
Received:
headers, in the SMTP greeting banner, and
in
bounced mail.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/bounce/* non-delivery records
/var/spool/postfix/defer/* non-delivery records
/var/spool/postfix/trace/* delivery status records
SEE ALSO
qmgr(8), queue manager
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
BOUNCE
(8)
QMGR(8) QMGR
(8)
NAME
qmgr - Postfix queue manager
SYNOPSIS
qmgr [generic Postfix daemon options]
DESCRIPTION
The qmgr daemon awaits the arrival of incoming mail
and
arranges for its delivery via Postfix delivery
processes.
The actual mail routing strategy is delegated to the
triv-
ial-rewrite(8) daemon. This program expects to be
run
from the master(8) process manager.
MAIL QUEUES
The qmgr daemon maintains the following queues:
incoming
Inbound mail from the network, or mail picked up
by
the local pickup agent from the maildrop
directory.
deferred
Mail that could not be delivered upon the
first
attempt. The queue manager implements
exponential
backoff by doubling the time between
delivery
attempts.
corrupt
Unreadable or damaged queue files are moved
here
for inspection.
with
the Postfix "sendmail -v" or "sendmail -bv"
com-
mand. These files are maintained by the trace
(8)
daemon.
STRATEGIES
The queue manager implements a variety of strategies
for
either opening queue files (input) or for message
delivery
(output).
leaky bucket
This strategy limits the number of messages in
the
active queue and prevents the queue manager
from
running out of memory under heavy load.
fairness
When the active queue has room, the queue
manager
takes one message from the incoming queue and
one
from the deferred queue. This prevents a large
mail
backlog from blocking the delivery of new mail.
slow start
This strategy eliminates "thundering herd"
problems
by slowly adjusting the number of parallel
deliver-
ies to the same destination.
round robin
exponential backoff
Mail that cannot be delivered upon the
first
attempt is deferred. The time interval
between
delivery attempts is doubled after each attempt.
TRIGGERS
On an idle system, the queue manager waits for the
arrival
of trigger events, or it waits for a timer to go off.
A
trigger is a one-byte message. Depending on the
message
received, the queue manager performs one of the
following
actions (the message is followed by the symbolic
constant
used internally by the software):
D (QMGR_REQ_SCAN_DEFERRED)
Start a deferred queue scan. If a deferred
queue
scan is already in progress, that scan will
be
restarted as soon as it finishes.
I (QMGR_REQ_SCAN_INCOMING)
Start an incoming queue scan. If an incoming
queue
scan is already in progress, that scan will
be
restarted as soon as it finishes.
A (QMGR_REQ_SCAN_ALL)
Ignore deferred queue file time stamps. The
request
affects the next deferred queue scan.
F (QMGR_REQ_FLUSH_DEAD)
Purge all information about dead transports
and
destinations.
W (TRIGGER_REQ_WAKEUP)
Wakeup call, This is used by the master server
to
instantiate servers that should not go away
for-
ever. The action is to start an incoming
queue
scan.
queue
run, one would request A F D; in order to notify the
queue
manager of the arrival of new mail one would request I.
STANDARDS
None. The qmgr daemon does not interact with the
outside
world.
SECURITY
The qmgr daemon is not security sensitive. It reads
sin-
gle-character messages from untrusted local users,
and
thus may be susceptible to denial of service attacks.
The
qmgr daemon does not talk to the outside world, and it
can
be run at fixed low privilege in a chrooted environment.
DIAGNOSTICS
Problems and transactions are logged to the syslog
daemon.
Corrupted message files are saved to the corrupt queue
for
further inspection.
BUGS
A single queue manager process has to compete for
disk
access with multiple front-end processes such as smtpd.
A
sudden burst of inbound mail can negatively impact
out-
bound delivery rates.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically
as
qmgr(8) is a persistent process. Use the postfix
reload
command after a configuration change.
COMPATIBILITY CONTROLS
allow_min_user (no)
Allow a recipient address to have `-' as the
first
character.
qmgr_message_active_limit (20000)
The maximal number of messages in the active
queue.
qmgr_message_recipient_limit (20000)
The maximal number of recipients held in memory
by
the Postfix queue manager, and the maximal size
of
the size of the short-term, in-memory "dead"
desti-
nation status cache.
qmgr_message_recipient_minimum (10)
The minimal number of in-memory recipients for
any
message.
default_recipient_limit (10000)
The default per-transport upper limit on the
number
of in-memory recipients.
transport_recipient_limit ($default_recipient_limit)
Idem, for delivery via the named message
transport.
default_extra_recipient_limit (1000)
The default value for the extra per-transport
limit
imposed on the number of in-memory recipients.
transport_extra_recipient_limit
($default_extra_recipi-
ent_limit)
Idem, for delivery via the named message
transport.
default_destination_concurrency_limit (20)
The default maximal number of parallel
deliveries
to the same destination.
transport_destination_concurrency_limit
($default_destina-
tion_concurrency_limit)
Idem, for delivery via the named message
transport.
transport_destination_recipient_limit
($default_destina-
tion_recipient_limit)
Idem, for delivery via the named message
transport.
transport_delivery_slot_cost
($default_delivery_slot_cost)
Idem, for delivery via the named message
transport.
default_minimum_delivery_slots (3)
How many recipients a message must have in order
to
invoke the Postfix queue manager's scheduling
algo-
rithm at all.
transport_minimum_delivery_slots
($default_minimum_deliv-
ery_slots)
Idem, for delivery via the named message
transport.
default_delivery_slot_discount (50)
transport_delivery_slot_discount
($default_deliv-
ery_slot_discount)
Idem, for delivery via the named message
transport.
default_delivery_slot_loan (3)
The default value for transport-specific
_deliv-
ery_slot_loan settings.
transport_delivery_slot_loan
($default_delivery_slot_loan)
Idem, for delivery via the named message
transport.
maximal_backoff_time (4000s)
The maximal time between attempts to deliver
a
deferred message.
maximal_queue_lifetime (5d)
The maximal time a message is queued before it
is
sent back as undeliverable.
queue_run_delay (1000s)
The time between deferred queue scans by the
queue
manager.
transport_retry_time (60s)
The time between attempts by the Postfix queue
man-
ager to contact a malfunctioning message
delivery
transport.
bounce_queue_lifetime (5d)
The maximal time a bounce message is queued
before
it is considered undeliverable.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
defer_transports (empty)
The names of message delivery transports
that
should not be delivered to unless someone
issues
"sendmail -q" or equivalent.
helpful_warnings (yes)
Log warnings about problematic configuration
set-
tings, and provide helpful suggestions.
ipc_timeout (3600s)
The time limit for sending or receiving
information
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/incoming, incoming queue
/var/spool/postfix/active, active queue
/var/spool/postfix/deferred, deferred queue
/var/spool/postfix/bounce, non-delivery status
/var/spool/postfix/defer, non-delivery status
/var/spool/postfix/trace, delivery status
SEE ALSO
trivial-rewrite(8), address routing
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
README FILES
SCHEDULER_README, scheduling algorithm
QSHAPE_README, Postfix queue analysis
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Scheduler enhancements:
Patrik Rak
Modra 6
155 00, Prague, Czech Republic
QMGR
(8)
TRANSPORT(5) TRANSPORT
(5)
NAME
transport - format of Postfix transport table
SYNOPSIS
postmap /etc/postfix/transport
DESCRIPTION
The optional transport table specifies a mapping
from
email addresses to message delivery transports and/
or
relay hosts. The mapping is used by the trivial-rewrite
(8)
daemon.
mydestination
A list of domains that is by default delivered
via
$local_transport. This also includes domains
that
match $inet_interfaces or $proxy_interfaces.
virtual_mailbox_domains
A list of domains that is by default delivered
via
$virtual_transport.
relay_domains
A list of domains that is by default delivered
via
$relay_transport.
TABLE FORMAT
The input format for the postmap(1) command is as
follows:
pattern result
When pattern matches the recipient address
or
domain, use the corresponding result.
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
TABLE LOOKUP
With lookups from indexed files such as DB or DBM, or
from
networked tables such as NIS, LDAP or SQL, patterns
are
tried in the order as listed below:
user+extension@domain transport:nexthop
Mail for user+extension@domain is delivered
through
transport to nexthop.
user@domain transport:nexthop
Mail for user@domain is delivered through
transport
to nexthop.
domain transport:nexthop
Mail for domain is delivered through transport
to
nexthop.
.domain transport:nexthop
Mail for any subdomain of domain is
delivered
through transport to nexthop. This applies
only
when the string transport_maps is not listed in
the
parent_domain_matches_subdomains configuration
set-
ting. Otherwise, a domain name matches itself
and
its subdomains.
RESULT FORMAT
The lookup result is of the form transport:nexthop.
The
transport field specifies a mail delivery transport
such
EXAMPLES
In order to deliver internal mail directly, while using
a
mail relay for all other mail, specify a null entry
for
my.domain :
.my.domain :
* smtp:outbound-relay.my.domain
example.com uucp:example
.example.com uucp:example
example.com slow:
example.com :[gateway.example.com]
.example.com :[gateway.example.com]
example.com smtp:bar.example:2025
Thus,
some.domain.hierarchy is not looked up via its
parent
domains, nor is user+foo@domain looked up as
user@domain.
TCP-BASED TABLES
This section describes how the table lookups change
when
lookups are directed to a TCP-based server. For a
descrip-
tion of the TCP client/server lookup protocol,
see
tcp_table(5). This feature is not available in
Postfix
version 2.1.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant.
empty_address_recipient
The address that is looked up instead of the
null
sender address.
parent_domain_matches_subdomains
List of Postfix features that use domain.tld
pat-
terns to match sub.domain.tld (as opposed
to
requiring .domain.tld patterns).
transport_maps
List of transport lookup tables.
SEE ALSO
trivial-rewrite(8), rewrite and resolve addresses
postconf(5), configuration parameters
postmap(1), Postfix lookup table manager
README FILES
DATABASE_README, Postfix lookup table overview
FILTER_README, external content filter
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TRANSPORT
(5)
CANONICAL(5) CANONICAL
(5)
NAME
canonical - format of Postfix canonical table
SYNOPSIS
postmap /etc/postfix/canonical
DESCRIPTION
The optional canonical table specifies an address
mapping
for local and non-local addresses. The mapping is used
by
the cleanup(8) daemon. The address mapping is
recursive.
TABLE FORMAT
The input format for the postmap(1) command is as
follows:
pattern result
When pattern matches a mail address, replace it
by
the corresponding result.
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
user@domain address
user@domain is replaced by address. This form
has
the highest precedence.
user address
user@site is replaced by address when site is
equal
to $myorigin, when site is listed in
$mydestina-
tion, or when it is listed in $inet_interfaces
or
$proxy_interfaces.
@domain address
Every address in domain is replaced by
address.
This form has the lowest precedence.
ADDRESS EXTENSION
When a mail address localpart contains the optional
recip-
ient delimiter (e.g., user+foo@domain), the lookup
order
becomes: user+foo@domain, user@domain, user+foo, user,
and
@domain.
TCP-BASED TABLES
This section describes how the table lookups change
when
lookups are directed to a TCP-based server. For a
descrip-
tion of the TCP client/server lookup protocol,
see
tcp_table(5). This feature is not available in
Postfix
version 2.1.
BUGS
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant.
The text below provides only a parameter summary.
See
postconf(5) for more details including examples.
canonical_classes
What addresses are subject to canonical
address
mapping.
canonical_maps
List of canonical mapping tables.
recipient_canonical_maps
Address mapping lookup table for envelope
and
header recipient addresses.
sender_canonical_maps
Address mapping lookup table for envelope
and
header sender addresses.
propagate_unmatched_extensions
A list of address rewriting or forwarding
mecha-
nisms that propagate an address extension from
the
original address to the result. Specify zero
or
more of canonical, virtual, alias, forward,
or
include.
inet_interfaces
proxy_interfaces
Other interfaces that this machine receives mail
on
by way of a proxy agent or network address
transla-
tor.
masquerade_classes
List of address classes subject to
masquerading:
zero or more of envelope_sender,
envelope_recipi-
ent, header_sender, header_recipient.
masquerade_domains
List of domains that hide their subdomain
struc-
ture.
masquerade_exceptions
List of user names that are not subject to
address
masquerading.
mydestination
List of domains that this mail system
considers
local.
myorigin
The domain that is appended to locally-posted
mail.
owner_request_special
Give special treatment to owner-xxx and xxx-
request
addresses.
SEE ALSO
cleanup(8), canonicalize and enqueue mail
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
virtual(5), virtual aliasing
README FILES
DATABASE_README, Postfix lookup table overview
ADDRESS_REWRITING_README, address rewriting guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
CANONICAL
(5)
VIRTUAL(5) VIRTUAL
(5)
NAME
virtual - format of Postfix virtual alias table
SYNOPSIS
postmap /etc/postfix/virtual
DESCRIPTION
The optional virtual alias table specifies address
alias-
ing for arbitrary local or non-local recipient
addresses.
Virtual aliasing is recursive, and is done by the
Postfix
cleanup(8) daemon.
recipient
address can have its own mailbox.
TABLE FORMAT
The input format for the postmap(1) command is as
follows:
pattern result
When pattern matches a mail address, replace it
by
the corresponding result.
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
ADDRESS EXTENSION
When a mail address localpart contains the optional
recip-
ient delimiter (e.g., user+foo@domain), the lookup
order
becomes: user+foo@domain, user@domain, user+foo, user,
and
@domain.
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual:
virtual-alias.domain anything (right-hand content
does not matter)
postmaster@virtual-alias.domain postmaster
user1@virtual-alias.domain address1
user2@virtual-alias.domain address2, address3
rejected
with "relay access denied", or bounces with "mail
loops
back to myself".
TCP-BASED TABLES
This section describes how the table lookups change
when
lookups are directed to a TCP-based server. For a
descrip-
tion of the TCP client/server lookup protocol,
see
tcp_table(5). This feature is not available in
Postfix
version 2.1.
BUGS
The table format does not understand quoting
conventions.
CONFIGURATION PARAMETERS
virtual_alias_maps
List of virtual aliasing tables.
virtual_alias_domains
List of virtual alias domains. This uses the
same
syntax as the mydestination parameter.
propagate_unmatched_extensions
A list of address rewriting or forwarding
mecha-
nisms that propagate an address extension from
the
original address to the result. Specify zero
or
more of canonical, virtual, alias, forward,
or
include.
inet_interfaces
The network interface addresses that this
system
receives mail on. You need to stop and start
Post-
fix when this parameter changes.
mydestination
List of domains that this mail system
considers
local.
myorigin
owner_request_special
Give special treatment to owner-xxx and xxx-
request
addresses.
proxy_interfaces
Other interfaces that this machine receives mail
on
by way of a proxy agent or network address
transla-
tor.
SEE ALSO
cleanup(8), canonicalize and enqueue mail
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
canonical(5), canonical address mapping
README FILES
DATABASE_README, Postfix lookup table overview
ADDRESS_REWRITING_README, address rewriting guide
VIRTUAL_README, domain hosting guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
VIRTUAL
(5)
VIRTUAL(8) VIRTUAL
(8)
NAME
virtual - Postfix virtual domain mail delivery agent
SYNOPSIS
virtual [generic Postfix daemon options]
DESCRIPTION
The virtual(8) delivery agent is designed for virtual
mail
hosting services. Originally based on the Postfix local
(8)
delivery agent, this agent looks up recipients with
map
lookups of their full recipient address, instead of
using
hard-coded unix password file lookups of the address
local
part only.
MAILBOX LOCATION
The mailbox location is controlled by the
virtual_mail-
box_base and virtual_mailbox_maps configuration
parameters
(see below). The virtual_mailbox_maps table is indexed
by
the recipient address as described under TABLE
SEARCH
ORDER below.
$virtual_mailbox_base/$virtual_mailbox_maps(recipient)
MAILBOX OWNERSHIP
Mailbox ownership is controlled by the
virtual_uid_maps
and virtual_gid_maps lookup tables, which are indexed
with
the full recipient address. Each table provides a
string
with the numerical user and group ID, respectively.
SECURITY
The virtual delivery agent is not security sensitive,
pro-
vided that the lookup tables with recipient user/group
ID
information are adequately protected. This program is
not
designed to run chrooted.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
DIAGNOSTICS
Mail bounces when the recipient has no mailbox or when
the
recipient is over disk quota. In all other cases, mail
for
an existing recipient is deferred and a warning is
logged.
BUGS
This delivery agent supports address extensions in
email
addresses and in lookup table keys, but does not
propagate
address extension information to the result of
table
lookup.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as
vir-
tual(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
virtual_mailbox_maps (empty)
Optional lookup tables with all valid addresses
in
the domains that match $virtual_mailbox_domains.
virtual_minimum_uid (100)
The minimum user ID value that the virtual
(8)
delivery agent accepts as a result from
$vir-
tual_uid_maps table lookup.
virtual_uid_maps (empty)
Lookup tables with the per-recipient user ID
that
the virtual(8) delivery agent uses while writing
to
the recipient's mailbox.
virtual_gid_maps (empty)
Lookup tables with the per-recipient group ID
for
virtual(8) mailbox delivery.
virtual_mailbox_domains ($virtual_mailbox_maps)
Postfix is final destination for the specified
list
of domains; mail is delivered via the
$vir-
tual_transport mail delivery transport.
virtual_transport (virtual)
The default mail delivery transport for
domains
that match the $virtual_mailbox_domains
parameter
value.
LOCKING CONTROLS
virtual_mailbox_lock (see 'postconf -d' output)
How to lock a UNIX-style virtual(8) mailbox
before
attempting delivery.
deliver_lock_attempts (20)
The maximal number of attempts to acquire an
exclu-
sive lock on a mailbox file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an
exclusive
lock on a mailbox file or bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive
mailbox
lockfile is removed.
transport.
virtual_destination_recipient_limit
($default_destina-
tion_recipient_limit)
The maximal number of recipients per delivery
via
the virtual message delivery transport.
virtual_mailbox_limit (51200000)
The maximal size in bytes of an individual
mailbox
or maildir file, or zero (no limit).
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
syslogd(8), system logging
README_FILES
VIRTUAL_README, domain hosting howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
This delivery agent was originally based on the
Postfix
local delivery agent. Modifications mainly consisted
of
removing code that either was not applicable or that
was
not safe in this context: aliases, ~user/.forward
files,
delivery to "|command" or to /file/name.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Andrew McNamara
andrewm@connect.com.au
connect.com.au Pty. Ltd.
Level 3, 213 Miller St
North Sydney 2060, NSW, Australia
VIRTUAL
(8)
In order to understand the output of qshape(1), it useful to understand the various Postfix
queues. To this end the role of each Postfix queue directory is described briefly in the
"Background info: Postfix queue directories" section near the end of this document.
● Credits
When mail is draining slowly or the queue is unexpectedly large, run qshape(1) as the super-
user (root) to help zero in on the problem. The qshape(1) program displays a tabular view of
the Postfix queue contents.
● On the horizontal axis, it displays the queue age with fine granularity for recent
messages and (geometrically) less fine granularity for older messages.
● The vertical axis displays the destination (or with the "-s" switch the sender) domain.
Domains with the most messages are listed first.
For example, in the output below we see the top 10 lines of the (mostly forged) sender domain
distribution for captured spam in the "hold" queue:
● The "T" column shows the total (in this case sender) count for each domain. The
columns with numbers above them, show counts for messages aged fewer than that
many minutes, but not younger than the age limit for the previous column. The row
labeled "TOTAL" shows the total count for all domains.
● In this example, there are 14 messages allegedly from yahoo.com, 1 between 10 and 20
minutes old, 1 between 320 and 640 minutes old and 12 older than 1280 minutes (1440
minutes in a day).
By default, qshape shows statistics for the union of both the incoming and active queues which
are the most relevant queues to look at when analyzing performance.
this will show the age distribution of the deferred queue or the union of the incoming active
and deferred queues.
Command line options control the number of display "buckets", the age limit for the smallest
bucket, display of parent domain counts and so on. The "-h" option outputs a summary of the
available switches.
The problem destinations or sender domains appear near the top left corner of the output table.
Remember that the active queue can accommodate up to 20000 ($qmgr_message_active_limit)
messages. To check wether this limit has been reached, use:
If the total sender count is below 20000 the active queue is not yet saturated, any high volume
sender domains show near the top of the output.
Having found the high volume domains, it is often useful to search the logs for recent messages
pertaining to the domains in question.
Also look for queue manager warning messages in the log. These warnings can suggest
strategies to reduce congestion.
When all else fails try the Postfix mailing list for help, but please don't forget to include the top
10 or 20 lines of qshape(1) output.
If one looks at the two queues separately, the incoming queue is empty or perhaps briefly has
one or two messages, while the active queue holds more messages and for a somewhat longer
time:
$ qshape incoming
$ qshape active
The domains shown are mostly bulk-mailers and all the volume is the tail end of the time
distribution, showing that short term arrival rates are moderate. Larger numbers and lower
message ages are more indicative of current trouble. Old mail still going nowhere is largely
harmless so long as the active and incoming queues are short. We can also see that the groups.
msn.com undeliverables are low rate steady stream rather than a concentrated dictionary attack
that is now over.
example.gov 2 0 0 0 0 0 0 0 1
0 1
example.mil 1 0 0 0 0 0 0 0 0
0 1
Looking at the sender distribution, we see that as expected most of the messages are bounces.
Using an older version of qshape(1) it was quickly determined that all the messages were for
just a few destinations:
T A 5 10 20 40 80
160 320 320+
TOTAL 11775 9996 0 0 1 1 42
94 221 1420
user.sourceforge.net 7678 7678 0 0 0 0
0 0 0 0
lists.sourceforge.net 2313 2313 0 0 0 0
0 0 0 0
gzd.gotdns.com 102 0 0 0 0 0
0 0 2 100
The "A" column showed the count of messages in the active queue, and the numbered columns
showed totals for the deferred queue. At 10000 messages (Postfix 1.x active queue size limit)
the active queue is full. The incoming was growing rapidly.
With the trouble destinations clearly identified, the administrator quickly found and fixed the
problem. It is substantially harder to glean the same information from the logs. While a careful
reading of mailq(1) output should yield similar results, it is much harder to gauge the
magnitude of the problem by looking at the queue one message at a time.
T 5 10 20 40 80 160 320
640 1280 1280+
TOTAL 5000 200 200 400 800 1600 1000 200
200 200 200
highvolume.com 4000 160 160 320 640 1280 1440 0
0 0 0
...
If the high volume destination is not down, but is instead slow, one might see similar
congestion in the active queue. Active queue congestion is a greater cause for alarm; one might
need to take measures to ensure that the mail is deferred instead or even add an access(5) rule
asking the sender to try again later.
If a high volume destination exhibits frequent bursts of consecutive connections refused by all
MX hosts or "421 Server busy errors", it is possible for the queue manager to mark the
destination as "dead" despite the transient nature of the errors. The destination will be retried
again after the expiration of a $minimal_backoff_time timer. If the error bursts are frequent
enough it may be that only a small quantity of email is delivered before the destination is again
marked "dead".
The MTA that has been observed most frequently to exhibit such bursts of errors is Microsoft
Exchange, which refuses connections under load. Some proxy virus scanners in front of the
Exchange server propagate the refused connection to the client as a "421" error.
Note that it is now possible to configure Postfix to exhibit similarly erratic behavior by
misconfiguring the anvil(8) server (not included in Postfix 2.1.). Do not use anvil(8) for steady-
state rate limiting, its purpose is DoS prevention and the rate limits set should be very
generous!
In the long run it is hoped that the Postfix dead host detection and concurrency control
mechanism will be tuned to be more "noise" tolerant. If one finds oneself needing to deliver a
high volume of mail to a destination that exhibits frequent brief bursts of errors, there is a
subtle workaround.
● In master.cf set up a dedicated clone of the "smtp" transport for the destination in
question.
● In master.cf configure a reasonable process limit for the transport (a number in the 10-
20 range is typical).
/etc/postfix/main.cf:
initial_destination_concurrency = 200
transportname_destination_concurrency_limit = 200
The effect of this surprising configuration is that up to 200 consecutive errors are tolerated
without marking the destination dead, while the total concurrency remains reasonable (10-20
processes). This trick is only for a very specialized situation: high volume delivery into a
channel with multi-error bursts that is capable of high throughput, but is repeatedly throttled by
the bursts of errors.
When a destination is unable to handle the load even after the Postfix process limit is reduced
to 1, a desperate measure is to insert brief delays between delivery attempts.
● In the transport map entry for the problem destination, specify a dead host as the
primary nexthop.
● In the master.cf entry for the transport specify the problem destination as the
fallback_relay and specify a small smtp_connect_timeout value.
/etc/postfix/transport:
problem.example.com slow:[dead.host]
/etc/postfix/master.cf:
# service type private unpriv chroot wakeup
maxproc command
slow unix - - n -
1 smtp
-o fallback_relay=problem.example.com
-o smtp_connect_timeout=1
This solution forces the Postfix smtp(8) client to wait for $smtp_connect_timeout seconds
between deliveries. The solution depends on Postfix connection management details, and needs
to be updated when SMTP connection caching is introduced.
Hopefully a more elegant solution to these problems will be found in the future.
Messages that have been submitted via the Postfix sendmail(1) command, but not yet brought
into the main Postfix queue by the pickup(8) service, await processing in the "maildrop" queue.
Messages can be added to the "maildrop" queue even when the Postfix system is not running.
They will begin to be processed once Postfix is started.
The "maildrop" queue is drained by the single threaded pickup(8) service scanning the queue
directory periodically or when notified of new message arrival by the postdrop(1) program.
The postdrop(1) program is a setgid helper that allows the unprivileged Postfix sendmail(1)
program to inject mail into the "maildrop" queue and to notify the pickup(8) service of its
arrival.
All mail that enters the main Postfix queue does so via the cleanup(8) service. The cleanup
service is responsible for envelope and header rewriting, header and body regular expression
checks, automatic bcc recipient processing and guaranteed insertion of the message into the
Postfix "incoming" queue.
In the absence of excessive CPU consumption in cleanup(8) header or body regular expression
checks or other software consuming all available CPU resources, Postfix performance is disk I/
O bound. The rate at which the pickup(8) service can inject messages into the queue is largely
determined by disk access times, since the cleanup(8) service must commit the message to
stable storage before returning success. The same is true of the postdrop(1) program writing the
As the pickup service is single threaded, it can only deliver one message at a time at a rate that
does not exceed the reciprocal disk I/O latency (+ CPU if not negligible) of the cleanup service.
Congestion in this queue is indicative of an excessive local message submission rate or perhaps
excessive CPU consumption in the cleanup(8) service due to excessive body_checks.
Note, that once the active queue is full, the cleanup service will attempt to slow down message
injection by pausing $in_flow_delay for each message. In this case "maildrop" queue
congestion may be a consequence of congestion downstream, rather than a problem in its own
right.
Note also, that one should not attempt to deliver large volumes of mail via the pickup(8)
service. High volume sites must avoid using content filters that reinject scanned mail via
Postfix sendmail(1) and postdrop(1).
A high arrival rate of locally submitted mail may be an indication of an uncaught forwarding
loop, or a run-away notification program. Try to keep the volume of local mail injection to a
moderate level.
The "postsuper -r" command can place selected messages into the "maildrop" queue for
reprocessing. This is most useful for resetting any stale content_filter settings. Requeuing a
large number of messages using "postsuper -r" can clearly cause a spike in the size of the
"maildrop" queue.
The administrator can define "smtpd" access(5) policies, or cleanup(8) header/body checks that
cause messages to be automatically diverted from normal processing and placed indefinitely in
the "hold" queue. Messages placed in the "hold" queue stay there until the administrator
intervenes. No periodic delivery attempts are made for messages in the "hold" queue. The
postsuper(1) command can be used to manually release messages into the "deferred" queue.
Messages can potentially stay in the "hold" queue for a time exceeding the normal maximal
queue lifetime (after which undelivered messages are bounced back to the sender). If such
"old" messages need to be released from the "hold" queue, they should typically be moved into
the "maildrop" queue, so that the message gets a new timestamp and is given more than one
opportunity to be delivered. Messages that are "young" can be moved directly into the
"deferred" queue.
The "hold" queue plays little role in Postfix performance, and monitoring of the "hold" queue is
typically more closely motivated by tracking spam and malware, than by performance issues.
All new mail entering the Postfix queue is written by the cleanup(8) service into the
"incoming" queue. New queue files are created owned by the "postfix" user with an access
bitmask (or mode) of 0600. Once a queue file is ready for further processing the cleanup(8)
service changes the queue file mode to 0700 and notifies the queue manager of new mail
arrival. The queue manager ignores incomplete queue files whose mode is 0600, as these are
still being written by cleanup.
The queue manager scans the incoming queue bringing any new mail into the "active" queue if
the active queue resource limits have not been exceeded. By default, the active queue
accommodates at most 20000 messages. Once the active queue message limit is reached, the
queue manager stops scanning the incoming (and deferred, see below) queue.
Under normal conditions the incoming queue is nearly empty (has only mode 0600 files), with
the queue manager able to import new messages into the active queue as soon as they become
available.
The incoming queue grows when the message input rate spikes above the rate at which the
queue manager can import messages into the active queue. The main factor slowing down the
queue manager is transport queries to the trivial-rewrite service. If the queue manager is
routinely not keeping up, consider not using "slow" lookup services (MySQL, LDAP, ...) for
transport lookups or speeding up the hosts that provide the lookup service.
The in_flow_delay parameter is used to clamp the input rate when the queue manager starts to
fall behind. The cleanup(8) service will pause for $in_flow_delay seconds before creating a
new queue file if it cannot obtain a "token" from the queue manager.
Since the number of cleanup(8) processes is limited in most cases by the SMTP server
concurrency, the input rate can exceed the output rate by at most "SMTP connection count" /
$in_flow_delay messages per second.
With a default process limit of 100, and an in_flow_delay of 1s, the coupling is strong enough
to limit a single run-away injector to 1 message per second, but is not strong enough to deflect
If a server is being hammered from multiple directions, consider raising the in_flow_delay to
10 seconds, but only if the incoming queue is growing even while the active queue is not full
and the trivial-rewrite service is using a fast transport lookup mechanism.
The queue manager is a delivery agent scheduler; it works to ensure fast and fair delivery of
mail to all destinations within designated resource limits.
The active queue is somewhat analogous to an operating system's process run queue. Messages
in the active queue are ready to be sent (runnable), but are not necessarily in the process of
being sent (running).
While most Postfix administrators think of the "active" queue as a directory on disk, the real
"active" queue is a set of data structures in the memory of the queue manager process.
Messages in the "maildrop", "hold", "incoming" and "deferred" queues (see below) do not
occupy memory; they are safely stored on disk waiting for their turn to be processed. The
envelope information for messages in the "active" queue is managed in memory, allowing the
queue manager to do global scheduling, allocating available delivery agent processes to an
appropriate message in the active queue.
Within the active queue, (multi-recipient) messages are broken up into groups of recipients that
share the same transport/nexthop combination; the group size is capped by the transport's
recipient concurrency limit.
Multiple recipient groups (from one or more messages) are queued for delivery via the
common transport/nexthop combination. The destination concurrency limit for the transports
caps the number of simultaneous delivery attempts for each nexthop. Transports with a
recipient concurrency limit of 1 are special: these are grouped by the actual recipient address
rather than the nexthop, thereby enabling per-recipient concurrency limits rather than per-
domain concurrency limits. Per-recipient limits are appropriate when performing final delivery
to mailboxes rather than when relaying to a remote server.
Congestion occurs in the active queue when one or more destinations drain slower than the
corresponding message input rate. If a destination is down for some time, the queue manager
will mark it dead, and immediately defer all mail for the destination without trying to assign it
to a delivery agent. In this case the messages will quickly leave the active queue and end up in
the deferred queue. If the destination is instead simply slow, or there is a problem causing an
excessive arrival rate the active queue will grow and will become dominated by mail to the
congested destination.
The only way to reduce congestion is to either reduce the input rate or increase the throughput.
Increasing the throughput requires either increasing the concurrency or reducing the latency of
deliveries.
For high volume sites a key tuning parameter is the number of "smtp" delivery agents allocated
to the "smtp" and "relay" transports. High volume sites tend to send to many different
destinations, many of which may be down or slow, so a good fraction of the available delivery
agents will be blocked waiting for slow sites. Also mail destined across the globe will incur
large SMTP command-response latencies, so high message throughput can only be achieved
with more concurrent delivery agents.
The default "smtp" process limit of 100 is good enough for most sites, and may even need to be
lowered for sites with low bandwidth connections (no use increasing concurrency once the
network pipe is full). When one finds that the queue is growing on an "idle" system (CPU, disk
I/O and network not exhausted) the remaining reason for congestion is insufficient concurrency
in the face of a high average latency. If the number of outbound SMTP connections (either
ESTABLISHED or SYN_SENT) reaches the process limit, mail is draining slowly and the
system and network are not loaded, raise the "smtp" and/or "relay" process limits!
Especially for the "relay" transport, consider lower SMTP connection timeouts (1-5 seconds)
and higher than default destination concurrency limits. Compute the expected latency when 1
out of N of the MX hosts for a high volume site is down and not responding, and make sure
that the configured concurrency divided by this latency exceeds the required steady-state
message rate. If the destination is managed by you, consider load balancers in front of groups
of MX hosts. Load balancers have higher uptime and will be able to hide individual MX host
failures.
If necessary, dedicate and tune custom transports for high volume destinations.
Another common cause of congestion is unwarranted flushing of the entire deferred queue. The
deferred queue holds messages that are likely to fail to be delivered and are also likely to be
slow to fail delivery (timeouts). This means that the most common reaction to a large deferred
queue (flush it!) is more than likely counter- productive, and is likely to make the problem
worse. Do not flush the deferred queue unless you expect that most of its content has recently
become deliverable (e.g. relayhost back up after an outage)!
Note that whenever the queue manager is restarted, there may already be messages in the active
queue directory, but the "real" active queue in memory is empty. In order to recover the in-
memory state, the queue manager moves all the active queue messages back into the incoming
queue, and then uses its normal incoming queue scan to refill the active queue. The process of
moving all the messages back and forth, redoing transport table (trivial-rewrite(8) resolve
service) lookups, and re-importing the messages back into memory is expensive. At all costs,
avoid frequent restarts of the queue manager.
When all the deliverable recipients for a message are delivered, and for some recipients
delivery failed for a transient reason (it might succeed later), the message is placed in the
deferred queue.
The queue manager scans the deferred queue periodically. The scan interval is controlled by
the queue_run_delay parameter. While a deferred queue scan is in progress, if an incoming
queue scan is also in progress (ideally these are brief since the incoming queue should be
short), the queue manager alternates between bringing a new "incoming" message and a new
"deferred" message into the queue. This "round-robin" strategy prevents starvation of either the
incoming or the deferred queues.
Each deferred queue scan only brings a fraction of the deferred queue back into the active
queue for a retry. This is because each message in the deferred queue is assigned a "cool-off"
time when it is deferred. This is done by time-warping the modification times of the queue file
into the future. The queue file is not eligible for a retry if its modification time is not yet
reached.
If a high volume site routinely has large deferred queues, it may be useful to adjust the
queue_run_delay, minimal_backoff_time and maximal_backoff_time to provide short enough
delays on first failure, with perhaps longer delays after multiple failures, to reduce the
retransmission rate of old messages and thereby reduce the quantity of previously deferred mail
in the active queue.
One common cause of large deferred queues is failure to validate recipients at the SMTP input
stage. Since spammers routinely launch dictionary attacks from unrepliable sender addresses,
the bounces for invalid recipient addresses clog the deferred queue (and at high volumes
proportionally clog the active queue). Recipient validation is strongly recommended through
use of the local_recipient_maps and relay_recipient_maps parameters.
When a host with lots of deferred mail is down for some time, it is possible for the entire
deferred queue to reach its retry time simultaneously. This can lead to a very full active queue
once the host comes back up. The phenomenon can repeat approximately every
maximal_backoff_time seconds if the messages are again deferred after a brief burst of
congestion. Ideally, in the future Postfix will add a random offset to the retry time (or use a
combination of strategies) to reduce the chances of repeated complete deferred queue flushes.
Credits
The qshape(1) program was developed by Victor Duchovni of Morgan Stanley, who also wrote
the initial version of this document.
QSHAPE(1) QSHAPE
(1)
NAME
qshape - Print Postfix queue domain and age distribution
SYNOPSIS
qshape [-s] [-p] [-m min_subdomains]
[-b bucket_count] [-t bucket_time]
[-l] [-w terminal_width]
[-c config_directory] [queue_name ...]
DESCRIPTION
The qshape program helps the administrator understand
the
Postfix queue message distribution in time and by
sender
domain or recipient domain. The program needs read
access
to the queue directories and queue files, so it must
run
as the superuser or the mail_owner specified in main.
cf
(typically postfix).
Options:
-m min_subdomains
When used with the -p option, sets the minimum
sub-
domain count needed to show a separate line for
a
parent domain. The default is 5.
-b bucket_count
The age distribution is broken up into a
sequence
of geometrically increasing intervals. This
option
sets the number of intervals or "buckets".
Each
bucket has a maximum queue age that is twice
as
large as that of the previous bucket. The
last
bucket has no age limit.
-t bucket_time
The age limit in minutes for the first time
bucket.
The default value is 5, meaning that the
first
bucket counts messages between 0 and 5 minutes
old.
later.
-w terminal_width
The output is right justified, with the counts
for
the last bucket shown on the 80th column, the
ter-
minal_width can be adjusted for wider
screens
allowing more buckets to be displayed without
trun-
cating the domain names on the left. When a row
for
a full domain name and its counters does not fit
in
the specified number of columns, only the last
17
bytes of the domain name are shown with the
prefix
replaced by a '+' character. Truncated
parent
domain rows are shown as '.+' followed by the
last
16 bytes of the domain name. If this is still
too
narrow to show the domain name and all the
coun-
ters, the terminal_width limit is violated.
-c config_directory
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory.
Arguments:
queue_name
By default qshape displays the combined
distribu-
tion of the incoming and active queues. To
display
a different set of queues, just list their
direc-
tory names on the command line. Absolute paths
are
used as is, other paths are taken relative to
the
main.cf queue_directory parameter setting.
While
main.cf supports the use of $variable expansion
in
the definition of the queue_directory
parameter,
the qshape program does not. If you must use
vari-
able expansions in the queue_directory setting,
you
must specify an explicit absolute path for
each
queue subdirectory even if you want the
default
incoming and active queue distribution.
SEE ALSO
mailq(1) List all messages in the queue.
QSHAPE_README Examples and background material.
FILES
$config_directory/main.cf, Postfix installation
parameters.
$queue_directory/maildrop/, local submission directory.
$queue_directory/incoming/, new message queue.
$queue_directory/hold/, messages waiting for tech
support.
$queue_directory/active/, messages scheduled for
delivery.
$queue_directory/deferred/, messages postponed for later
delivery.
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Victor Duchovni
Morgan Stanley
QSHAPE
(1)
POSTQUEUE(1) POSTQUEUE
(1)
NAME
postqueue - Postfix queue control
SYNOPSIS
postqueue [-c config_dir] -f
postqueue [-c config_dir] -p
postqueue [-c config_dir] -s site
DESCRIPTION
The postqueue program implements the Postfix user
inter-
face for queue management. It implements operations
that
are traditionally available via the sendmail(1)
command.
See the postsuper(1) command for queue operations
that
require super-user privileges such as deleting a
message
from the queue or changing the status of a message.
-c config_dir
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory. See also the MAIL_CONFIG
environment
setting below.
-s site
SECURITY
This program is designed to run with set-group ID
privi-
leges, so that it can connect to Postfix daemon
processes.
DIAGNOSTICS
Problems are logged to syslogd(8) and to the
standard
error stream.
ENVIRONMENT
MAIL_CONFIG
Directory with the main.cf file. In order to
avoid
exploitation of set-group ID privileges, a
non-
standard directory is allowed only if:
alternate_config_directories
configuration parameter.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
alternate_config_directories (empty)
A list of non-default Postfix configuration
direc-
tories that may be specified with "-c
config_direc-
tory" on the command line, or via the
MAIL_CONFIG
environment parameter.
fast_flush_domains ($relay_domains)
Optional list of destinations that are eligible
for
per-destination logfiles with mail that is
queued
to those destinations.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
trigger_timeout (10s)
The time limit for sending a trigger to a
Postfix
daemon (for example, the pickup(8) or qmgr(8)
dae-
mon).
authorized_flush_users (static:anyone)
List of users who are authorized to flush
the
queue.
authorized_mailq_users (static:anyone)
List of users who are authorized to view the
queue.
FILES
/var/spool/postfix, mail queue
SEE ALSO
qmgr(8), queue manager
showq(8), list mail queue
flush(8), fast flush service
sendmail(1), Sendmail-compatible user interface
postsuper(1), privileged queue operations
README FILES
ETRN_README, Postfix ETRN howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
The postqueue command was introduced with Postfix
version
1.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTQUEUE
(1)
POSTSUPER(1) POSTSUPER
(1)
NAME
postsuper - Postfix superintendent
SYNOPSIS
postsuper [-psv] [-c config_dir] [-d queue_id]
[-h queue_id] [-H queue_id]
[-r queue_id] [directory ...]
DESCRIPTION
The postsuper command does maintenance jobs on the
Postfix
queue. Use of the command is restricted to the
superuser.
See the postqueue command for unprivileged queue
opera-
tions such as listing or flushing the mail queue.
Options:
-c config_dir
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory. See also the MAIL_CONFIG
environment
setting below.
-d queue_id
Delete one message with the named queue ID from
the
named mail queue(s) (default: hold,
incoming,
active and deferred). If a queue_id of - is
speci-
fied, the program reads queue IDs from
standard
input. For example, to delete all mail from or
to
user@example.com:
sender).
-h queue_id
Put mail "on hold" so that no attempt is made
to
deliver it. Move one message with the named
queue
ID from the named mail queue(s) (default:
incoming,
active and deferred) to the hold queue. If
a
queue_id of - is specified, the program reads
queue
IDs from standard input.
-H queue_id
Release mail that was put "on hold". Move one
mes-
sage with the named queue ID from the named
mail
queue(s) (default: hold) to the deferred queue.
If
a queue_id of - is specified, the program
reads
queue IDs from standard input.
-r queue_id
Requeue the message with the named queue ID
from
the named mail queue(s) (default: hold,
incoming,
active and deferred). To requeue multiple
mes-
sages, specify multiple -r command-line
options.
Alternatively, if a queue_id of - is specified,
the
program reads queue IDs from standard input.
DIAGNOSTICS
Problems are reported to the standard error stream and
to
syslogd(8).
ENVIRONMENT
MAIL_CONFIG
Directory with the main.cf file.
BUGS
Mail that is not sanitized by Postfix (i.e. mail in
the
maildrop queue) cannot be placed "on hold".
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
hash_queue_depth (1)
The number of subdirectory levels for queue
direc-
tories listed with the hash_queue_names
parameter.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
sendmail(1), Sendmail-compatible user interface
postqueue(1), unprivileged queue operations
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTSUPER
(1)
SHOWQ(8) SHOWQ
(8)
NAME
showq - list the Postfix mail queue
SYNOPSIS
showq [generic Postfix daemon options]
DESCRIPTION
The showq daemon reports the Postfix mail queue
status.
It is the program that emulates the sendmail `mailq'
com-
mand.
SECURITY
The showq daemon can run in a chroot jail at fixed
low
privilege, and takes no input from the client. Its
service
port is accessible to local untrusted users, so the
ser-
vice can be susceptible to denial of service attacks.
STANDARDS
None. The showq daemon does not interact with the
outside
world.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as showq
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
duplicate_filter_limit (1000)
The maximal number of addresses remembered by
the
address duplicate filter for aliases(5) or
vir-
tual(5) alias expansion, or for showq(8) queue
dis-
plays.
empty_address_recipient (MAILER-DAEMON)
The recipient of mail addressed to the
null
address.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
FILES
/var/spool/postfix, queue directories
SEE ALSO
pickup(8), local mail pickup service
cleanup(8), canonicalize and enqueue mail
qmgr(8), queue manager
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SHOWQ
(8)
ALIASES(5) ALIASES
(5)
NAME
aliases - format of the Postfix alias database
SYNOPSIS
newaliases
DESCRIPTION
The aliases table provides a system-wide mechanism
to
redirect mail for local recipients. The redirections
are
processed by the Postfix local(8) delivery agent.
address
Mail is forwarded to address, which is
compatible
with the RFC 822 standard.
/file/name
Mail is appended to /file/name. See local(8)
for
details of delivery to file. Delivery is not
lim-
ited to regular files. For example, to dispose
of
unwanted mail, deflect it to /dev/null.
|command
Mail is piped into command. Commands that
contain
special characters, such as whitespace, should
be
enclosed between double quotes. See local(8)
for
details of delivery to command.
:include:/file/name
Mail is sent to the destinations listed in
the
named file. Lines in :include: files have the
same
syntax as the right-hand side of alias entries.
ADDRESS EXTENSION
When alias database search fails, and the recipient
local-
part contains the optional recipient delimiter (e.
g.,
user+foo), the search is repeated for the
unextended
address (e.g., user).
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant.
The text below provides only a parameter summary.
See
postconf(5) for more details including examples.
alias_database
List of alias databases that are updated by
the
newaliases(1) command.
alias_maps
List of alias databases queried by the local
(8)
delivery agent.
allow_mail_to_commands
Restrict the usage of mail delivery to
external
command.
allow_mail_to_files
Restrict the usage of mail delivery to
external
file.
expand_owner_alias
When delivering to an alias that has an owner-
com-
panion alias, set the envelope sender address
to
the right-hand side of the owner alias,
instead
using of the left-hand side address.
owner_request_special
Give special treatment to owner-listname and
list-
name-request addresses.
recipient_delimiter
Delimiter that separates recipients from
address
extensions.
BUGS
Regular expression alias lookup tables are allowed,
but
substitution of $1 etc. is forbidden because that
would
open a security loophole.
STANDARDS
RFC 822 (ARPA Internet Text Messages)
SEE ALSO
local(8), local delivery agent
newaliases(1), create/update alias database
postalias(1), create/update alias database
postconf(5), configuration parameters
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ALIASES
(5)
POSTALIAS(1) POSTALIAS
(1)
NAME
postalias - Postfix alias database maintenance
SYNOPSIS
postalias [-Nfinoprsvw] [-c config_dir] [-d key] [-q key]
[file_type:]file_name ...
DESCRIPTION
The postalias command creates or queries one or more
Post-
fix alias databases, or updates an existing one. The
input
and output file formats are expected to be compatible
with
Sendmail version 8, and are expected to be suitable
for
the use as NIS alias maps.
Options:
-c config_dir
Read the main.cf configuration file in the
named
directory instead of the default
configuration
directory.
Arguments:
file_type
The database type. To find out what types are
sup-
ported, use the "postconf -m" command.
named
file_name.db. This is available only
on
systems with support for db databases.
file_name
The name of the alias database source file
when
creating a database.
DIAGNOSTICS
Problems are logged to the standard error stream and
to
syslogd(8). No output means that no problems
were
detected. Duplicate entries are skipped and are
flagged
with a warning.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE
Enable verbose logging for debugging purposes.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program.
berkeley_db_create_buffer_size (16777216)
berkeley_db_read_buffer_size (131072)
The per-table I/O buffer size for programs
that
read Berkeley DB hash or btree tables.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
STANDARDS
RFC 822 (ARPA Internet Text Messages)
SEE ALSO
aliases(5), format of alias database input file.
local(8), Postfix local delivery agent.
postconf(1), supported database types
postconf(5), configuration parameters
postmap(1), create/update/query lookup tables
newaliases(1), Sendmail compatibility interface.
syslogd(8), system logging
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTALIAS
(1)
POSTCONF(1) POSTCONF
(1)
NAME
postconf - Postfix configuration utility
SYNOPSIS
postconf [-dhmlnv] [-c config_dir] [parameter ...]
DESCRIPTION
The postconf command prints the actual value of
parameter
(all known parameters by default) one parameter per
line,
changes its value, or prints other information about
the
Postfix mail system.
Options:
-c config_dir
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory.
dotlock
An application-level locking method.
An
application locks a file named filename
by
creating a file named filename.lock.
The
application is expected to remove its
own
lock file, as well as stale lock files
that
were left behind after abnormal
termination.
type.
environ
The UNIX process environment array.
The
lookup key is the variable name.
Originally
implemented for testing, someone may
find
this useful someday.
ldap (read-only)
Perform lookups using the LDAP
protocol.
This is described in ldap_table(5).
mysql (read-only)
Perform lookups using the MYSQL
protocol.
This is described in mysql_table(5).
pcre (read-only)
A lookup table based on Perl Compatible
Reg-
ular Expressions. The file format
is
described in pcre_table(5).
pgsql (read-only)
Perform lookups using the PostgreSQL
proto-
col. This is described in pgsql_table(5).
proxy (read-only)
A lookup table that is implemented via
the
Postfix proxymap(8) service. The table
name
syntax is type:name.
regexp (read-only)
A lookup table based on regular
expressions.
The file format is described in
reg-
exp_table(5).
static (read-only)
A table that always returns its name
as
lookup result. For example, static:
foobar
always returns the string foobar as
lookup
result.
tcp (read-only)
Perform lookups using a simple request-
reply
protocol that is described in tcp_table
(5).
This feature is not included with
Postfix
2.1.
unix (read-only)
A limited way to query the UNIX
authentica-
tion database. The following tables
are
implemented:
unix:passwd.byname
The table is the UNIX
password
database. The key is a login
name.
The result is a password file
entry
in passwd(5) format.
unix:group.byname
The table is the UNIX
group
database. The key is a group
name.
The result is a group file entry
in
group(5) format.
DIAGNOSTICS
Problems are reported to the standard error stream.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program.
FILES
/etc/postfix/main.cf, Postfix configuration parameters
SEE ALSO
postconf(5), configuration parameters
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTCONF
(1)
CIDR_TABLE(5) CIDR_TABLE
(5)
NAME
cidr_table - format of Postfix CIDR tables
SYNOPSIS
postmap -q "string" cidr:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional lookup
tables.
These tables are usually in dbm or db format.
Alterna-
tively, lookup tables can be specified in CIDR
(Classless
Inter-Domain Routing) form.
TABLE FORMAT
The general form of a Postfix CIDR table is:
network_address/network_mask result
When a search string matches the specified
network
block, use the corresponding result value.
Specify
0.0.0.0/0 to match every address.
network_address result
When a search string matches the specified
network
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
SEARCH ORDER
Patterns are applied in the order as specified in
the
table, until a pattern is found that matches the
search
string.
/etc/postfix/client.cidr:
# Rule order matters. Put more specific whitelist
entries
# before more general blacklist entries.
192.168.1.1 OK
192.168.0.0/16 REJECT
SEE ALSO
postmap(1), Postfix lookup table manager
regexp_table(5) format of regular expression tables
pcre_table(5) format of PCRE tables
README FILES
DATABASE_README, Postfix lookup table overview
AUTHOR(S)
The CIDR table lookup code was originally written by:
Jozsef Kadlecsik
kadlec@blackhole.kfki.hu
KFKI Research Institute for Particle and Nuclear Physics
POB. 49
1525 Budapest, Hungary
CIDR_TABLE
(5)
REGEXP_TABLE(5) REGEXP_TABLE
(5)
NAME
regexp_table - format of Postfix regular expression
tables
SYNOPSIS
postmap -fq "string" regexp:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format.
TABLE FORMAT
The general form of a Postfix regular expression table
is:
/pattern/flags result
When pattern matches the input string, use the
cor-
responding result value.
!/pattern/flags result
When pattern does not match the input string,
use
the corresponding result value.
if /pattern/flags
if !/pattern/flags
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
a
pair of delimiters. The regular expression syntax is
docu-
mented in re_format(7) with 4.4BSD, in regex(5)
with
Solaris, and in regex(7) with Linux. Other systems may
use
other document names.
i (default: on)
Toggles the case sensitivity flag. By
default,
matching is case insensitive.
x (default: on)
Toggles the extended expression syntax flag.
By
default, support for extended expression syntax
is
enabled.
m (default: off)
Toggle the multi-line mode flag. When this flag
is
on, the ^ and $ metacharacters match
immediately
TEXT SUBSTITUTION
Substitution of substrings from the matched
expression
into the result string is possible using $1, $2, etc..
The
macros in the result string may need to be written as
${n}
or $(n) if they aren't followed by whitespace.
SEE ALSO
postmap(1), Postfix lookup table manager
pcre_table(5), format of PCRE tables
cidr_table(5), format of CIDR tables
README FILES
DATABASE_README, Postfix lookup table overview
AUTHOR(S)
The regexp table lookup code was originally written by:
LaMont Jones
lamont@hp.com
by:
Andrew McNamara
andrewm@connect.com.au
connect.com.au Pty. Ltd.
Level 3, 213 Miller St
North Sydney, NSW, Australia
REGEXP_TABLE
(5)
PCRE_TABLE(5) PCRE_TABLE
(5)
NAME
pcre_table - format of Postfix PCRE tables
SYNOPSIS
postmap -fq "string" pcre:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format.
TABLE FORMAT
The general form of a PCRE table is:
/pattern/flags result
When pattern matches the input string, use the
cor-
responding result value.
!/pattern/flags result
When pattern does not match the input string,
use
the corresponding result value.
if /pattern/flags
if !/pattern/flags
multi-line text
A logical line starts with non-whitespace text.
A
line that starts with whitespace continues a
logi-
cal line.
whites-
pace or characters that have special meaning
(tradition-
ally the forward slash is used). The regular
expression
can contain whitespace.
i (default: on)
Toggles the case sensitivity flag. By
default,
matching is case insensitive.
m (default: off)
Toggles the PCRE_MULTILINE flag. When this flag
is
on, the ^ and $ metacharacters match
immediately
after and immediately before a newline
character,
respectively, in addition to matching at the
start
and end of the subject string.
s (default: on)
Toggles the PCRE_DOTALL flag. When this flag is
on,
the . metacharacter matches the newline
character.
With Postfix versions prior to 2.0, The flag is
off
by default, which is inconvenient for multi-
line
message header matching.
x (default: off)
Toggles the pcre extended flag. When this flag
is
on, whitespace in the pattern (other than in
a
character class) and characters between a #
outside
a character class and the next newline
character
are ignored. An escaping backslash can be used
to
include a whitespace or # character as part of
the
pattern.
A (default: off)
Toggles the PCRE_ANCHORED flag. When this flag
is
on, the pattern is forced to be "anchored",
that
is, it is constrained to match only at the start
of
the string which is being searched (the
"subject
string"). This effect can also be achieved
by
appropriate constructs in the pattern itself.
E (default: off)
Toggles the PCRE_DOLLAR_ENDONLY flag. When
this
flag is on, a $ metacharacter in the
pattern
matches only at the end of the subject
string.
Without this flag, a dollar also matches
immedi-
ately before the final character if it is a
newline
character (but not before any other newline
charac-
ters). This flag is ignored if PCRE_MULTILINE
flag
is set.
U (default: off)
Toggles the ungreedy matching flag. When this
flag
is on, the pattern matching engine inverts
the
"greediness" of the quantifiers so that they
are
not greedy by default, but become greedy if
fol-
lowed by "?". This flag can also set by a (?
U)
modifier within the pattern.
X (default: off)
Toggles the PCRE_EXTRA flag. When this flag is
on,
any backslash in a pattern that is followed by
a
letter that has no special meaning causes an
error,
thus reserving these combinations for future
expan-
sion.
SEARCH ORDER
Patterns are applied in the order as specified in
the
table, until a pattern is found that matches the
input
string.
not
broken up into their user and domain constituent
parts,
nor is user+foo broken up into user and foo.
TEXT SUBSTITUTION
Substitution of substrings from the matched
expression
into the result string is possible using the
conventional
perl syntax ($1, $2, etc.). The macros in the
result
string may need to be written as ${n} or $(n) if
they
aren't followed by whitespace.
SEE ALSO
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
regexp_table(5), format of POSIX regular expression
tables
README FILES
DATABASE_README, Postfix lookup table overview
AUTHOR(S)
The PCRE table lookup code was originally written by:
Andrew McNamara
andrewm@connect.com.au
connect.com.au Pty. Ltd.
Level 3, 213 Miller St
North Sydney, NSW, Australia
PCRE_TABLE
(5)
Overview
This document covers the following topics:
/etc/postfix/main.cf:
alias_maps = hash:/etc/postfix/aliases
(local aliasing)
header_checks = regexp:/etc/postfix/header_checks
(content filtering)
transport_maps = hash:/etc/postfix/transport
(routing table)
virtual_alias_maps = hash:/etc/postfix/virtual
(address rewriting)
All Postfix lookup tables store information as (key, value) pairs. This interface may seem
simplistic at first, but it turns out to be very powerful. The (key, value) query interface
completely hides the complexities of LDAP or SQL from Postfix. This is a good example of
connecting complex systems with simple interfaces.
● You can implement Postfix lookup tables first with local Berkeley DB files and then
switch to LDAP or MySQL without any impact on the Postfix configuration itself, as
described under "Preparing Postfix for LDAP or SQL lookups" below.
● You can use Berkeley DB files with fixed lookup strings for simple address rewriting
operations and you can use regular expression tables for the more complicated work.
With some tables, however, Postfix needs to know only if the lookup key exists. The lookup
result itself is not used. Examples are the local_recipient_maps that determine what local
recipients Postfix accepts in mail from the network, the mydestination parameter that specifies
what domains Postfix delivers locally, or the mynetworks parameter that specifies the IP
addresses of trusted clients or client networks. Technically, these are lists, not tables. Despite
the difference, Postfix lists are described here because they use the same underlying
infrastructure as Postfix lookup tables.
Once you have local files working properly you can follow the instructions in ldap_table(5),
mysql_table(5) or pgsql_table(5) and replace local file lookups with LDAP or SQL lookups.
When you do this, you should use the postmap(1) command again, to verify that database
lookups still produce the exact same results as local file lookup:
Be sure to exercise all the partial address or parent domain queries that are documented under
"table search order" in the relevant manual page: access(5), canonical(5), virtual(5), transport
(5), or under the relevant configuration parameter: mynetworks, relay_domains,
parent_domain_matches_subdomains.
● If you change a network database such as LDAP, NIS or SQL, there is no need to
execute "postfix reload". The LDAP, NIS or SQL server takes care of read/write access
conflicts and gives the new data to Postfix once that data is available.
● If you change a regexp: or pcre: file then Postfix may or may not pick up the file
changes immediately. This is because a Postfix process reads the entire file into memory
once and never examines the file again.
● If you change a local file based database such as DBM or Berkeley DB, there is no need
to execute "postfix reload". Postfix uses file locking to avoid read/write access conflicts,
and whenever a Postfix daemon process notices that a file has changed it will terminate
before handling the next client request, so that a new process can initialize with the new
database.
With multi-file databases such as DBM, there is no simple solution. With Berkeley DB and
other "one file" databases, it is possible to add some extra robustness by using "mv" to
REPLACE an existing database file instead of overwriting it:
This converts the input file "access.in" into the output file "access.in.db", and replaces the file
"access.db" only when the postmap(1) command was successful. Of course typing such
commands becomes boring quickly, and this is why people use "make" instead, as shown
below. User input is shown in bold font.
# cat Makefile
all: aliases.db access.db virtual.db ...etcetera...
access.db: access.in
postmap access.in
mv access.in.db access.db
virtual.db: virtual.in
postmap virtual.in
mv virtual.in.db virtual.db
...etcetera...
# vi access.in
...editing session not shown...
# make
postmap access.in
mv access.in.db access.db
#
The "make" command updates only the files that have changed. In case of error, the "make"
command will stop and will not invoke the "mv" command, so that Postfix will keep using the
existing database file as if nothing happened.
btree
A sorted, balanced tree structure. This is available only on systems with
support for Berkeley DB databases. Database files are created with the
postmap(1) or postalias(1) command. The lookup table name as used in
"btree:table" is the database file name without the ".db" suffix.
cdb
A read-optimized structure with no support for incremental updates.
Database files are created with the postmap(1) or postalias(1) command.
The lookup table name as used in "cdb:table" is the database file name
without the ".cdb" suffix. This feature is available with Postfix 2.2 and
later.
cidr
A table that associates values with Classless Inter-Domain Routing
(CIDR) patterns. The table format is described in cidr_table(5).
dbm
An indexed file type based on hashing. This is available only on systems
with support for DBM databases. Database files are created with the
postmap(1) or postalias(1) command. The lookup table name as used in
"dbm:table" is the database file name without the ".dir" or ".pag" suffix.
environ
The UNIX process environment array. The lookup key is the variable
name. The lookup table name in "environ:table" is ignored.
hash
An indexed file type based on hashing. This is available only on systems
with support for Berkeley DB databases. Database files are created with
the postmap(1) or postalias(1) command. The database name as used in
"hash:table" is the database file name without the ".db" suffix.
ldap (read-only)
Perform lookups using the LDAP protocol. Configuration details are
given in the ldap_table(5).
mysql (read-only)
Perform MySQL database lookups. Configuration details are given in
mysql_table(5).
netinfo (read-only)
Perform Netinfo database lookups.
nis (read-only)
Perform NIS database lookups.
nisplus (read-only)
Perform NIS+ database lookups. Configuration details are given in
nisplus_table(5).
pcre (read-only)
A lookup table based on Perl Compatible Regular Expressions. The file
format is described in pcre_table(5). The lookup table name as used in
"pcre:table" is the name of the regular expression file.
pgsql (read-only)
Perform PostgreSQL database lookups. Configuration details are given in
pgsql_table(5).
proxy (read-only)
Access information via the Postfix proxymap(8) service. The lookup table
name syntax is "proxy:type:table".
regexp (read-only)
A lookup table based on regular expressions. The file format is described
in regexp_table(5). The lookup table name as used in "regexp:table" is the
name of the regular expression file.
sdbm
An indexed file type based on hashing. This is available only on systems
with support for SDBM databases. Database files are created with the
postmap(1) or postalias(1) command. The lookup table name as used in
"sdbm:table" is the database file name without the ".dir" or ".pag" suffix.
static (read-only)
Always returns its lookup table name as lookup result. For example, the
lookup table "static:foobar" always returns the string "foobar" as lookup
result.
tcp
Access information through a TCP/IP server. The protocol is described in
Other lookup table types may be available depending on how Postfix was built. With some
Postfix distributions the list is dynamically extensible as support for lookup tables is
dynamically linked into Postfix.
LDAP_TABLE(5) LDAP_TABLE
(5)
NAME
ldap_table - Postfix LDAP client configuration
SYNOPSIS
postmap -q "string" ldap:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format.
BACKWARDS COMPATIBILITY
For backwards compatibility with Postfix version 2.0
and
earlier, LDAP parameters can also be defined in main.
cf.
Specify as LDAP source a name that doesn't begin with
a
slash or a dot. The LDAP parameters will then be
accessi-
ble as the name you've given the source in its
definition,
an underscore, and the name of the parameter. For
exam-
ple, if the map is specified as "ldap:ldapsource",
the
"server_host" parameter below would be defined in main.
cf
as "ldapsource_server_host".
LIST MEMBERSHIP
When using LDAP to store lists such as
$mynetworks,
$mydestination, $relay_domains,
$local_recipient_maps,
etc., it is important to understand that the table
must
store each list member as a separate key. The table
lookup
verifies the *existence* of the key. See "Postfix
lists
Do this instead:
query_filter = domain=%s
result_attribute = domain
timeout = 5
the
input keys to addresses in matching domains.
When
the "domain" parameter is non-empty, LDAP
queries
for unqualified addresses or addresses in
non-
matching domains are suppressed and return
no
results.
value.
Otherwise, %d is replaced by the
entire
attribute value.
also
retrieved and used recursively.
the
map configuration file readable only by the
Postfix
user. When using the obsolete ldap:ldapsource
syn-
tax, with map parameters in main.cf, it is not
pos-
sible to securely store the bind password. This
is
because main.cf needs to be world readable to
allow
local accounts to submit mail via the sendmail
com-
mand. Example:
bind_pw = postfixpw
expansion_limit (default: 0)
A limit on the total number of result
elements
returned (as a comma separated list) by a
lookup
against the map. A setting of zero disables
the
limit. Lookups fail with a temporary error if
the
limit is exceeded. Setting the limit to 1
ensures
that lookups do not return multiple values.
dereference (default: 0)
When to dereference LDAP aliases. (Note that
this
has nothing do with Postfix aliases.) The
permitted
values are those legal for the OpenLDAP/UM
LDAP
implementations:
0 never
1 when searching
3 always
chase_referrals (default: 0)
Sets (or clears) LDAP_OPT_REFERRALS (requires
LDAP
version 3 support).
version (default: 2)
Specifies the LDAP protocol version to use.
debuglevel (default: 0)
What level to set for debugging in the
OpenLDAP
libraries.
value,
which must hence be available. If more than one
CA
certificate with the same name hash value
exist,
the extension must be different (e.g.
9d66eef0.0,
9d66eef0.1 etc). The search is performed in
the
ordering of the extension number, regardless
of
other properties of the certificates. Use
the
c_rehash utility (from the OpenSSL distribution)
to
create the necessary links.
TLS
connections.
EXAMPLE
Here's a basic example for using LDAP to look up local
(8)
aliases. Assume that in main.cf, you have:
alias_maps = hash:/etc/aliases,
ldap:/etc/postfix/ldap-aliases.cf
SEE ALSO
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
mysql_table(5), MySQL lookup tables
pgsql_table(5), PostgreSQL lookup tables
README FILES
DATABASE_README, Postfix lookup table overview
LDAP_README, Postfix LDAP client guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Carsten Hoeger, Hery Rakotoarisoa, John Hensley,
Keith
Stevenson, LaMont Jones, Liviu Daia, Manuel Guesdon,
Mike
Mattice, Prabhat K Singh, Sami Haahtinen, Samuel
Tardieu,
Victor Duchovni, and many others.
LDAP_TABLE
(5)
SMTP(8) SMTP
(8)
NAME
smtp - Postfix remote delivery via SMTP
SYNOPSIS
smtp [generic Postfix daemon options]
DESCRIPTION
The SMTP client processes message delivery requests
from
the queue manager. Each request specifies a queue file,
a
sender address, a domain or host to deliver to, and
recip-
ient information. This program expects to be run from
the
master(8) process manager.
SMTP
client will try to deliver the mail to an alternate
host.
SECURITY
The SMTP client is moderately security-sensitive. It
talks
to SMTP servers and to DNS servers on the network.
The
SMTP client can be run chrooted at fixed low privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 822 (ARPA Internet Text Messages)
RFC 1651 (SMTP service extensions)
RFC 1652 (8bit-MIME transport)
RFC 1870 (Message Size Declaration)
RFC 2045 (MIME: Format of Internet Message Bodies)
RFC 2046 (MIME: Media Types)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
DIAGNOSTICS
BUGS
SMTP connection caching does not work with TLS. The
neces-
sary support for TLS object passivation and re-
activation
does not exist without closing the session, which
defeats
the purpose.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as smtp
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
COMPATIBILITY CONTROLS
ignore_mx_lookup_error (no)
Ignore DNS MX lookups that produce no response.
smtp_always_send_ehlo (yes)
Always send EHLO at the start of an SMTP session.
smtp_never_send_ehlo (no)
Never send EHLO at the start of an SMTP session.
smtp_defer_if_no_mx_address_found (no)
Defer mail delivery when no MX record resolves
to
an IP address.
smtp_line_length_limit (990)
The maximal length of message header and body
lines
that Postfix will send via SMTP.
smtp_pix_workaround_delay_time (10s)
How long the Postfix SMTP client pauses
before
sending ".<CR><LF>" in order to work around the
PIX
firewall "<CR><LF>.<CR><LF>" bug.
smtp_pix_workaround_threshold_time (500s)
How long a message must be queued before the
PIX
firewall "<CR><LF>.<CR><LF>" bug workaround
is
turned on.
smtp_quote_rfc821_envelope (yes)
Quote addresses in SMTP MAIL FROM and RCPT TO
com-
mands as required by RFC 821.
smtp_skip_5xx_greeting (yes)
Skip SMTP servers that greet with a 5XX status
code
(go away, do not try again later).
smtp_skip_quit_response (yes)
Do not wait for the response to the SMTP QUIT
com-
mand.
smtp_skip_4xx_greeting (yes)
Skip SMTP servers that greet with a 4XX status
code
(go away, try again later).
smtp_discard_ehlo_keyword_address_maps (empty)
Lookup tables, indexed by the remote SMTP
server
address, with case insensitive lists of EHLO
key-
words (pipelining, starttls, auth, etc.) that
the
SMTP client will ignore in the EHLO response from
a
remote SMTP server.
smtp_discard_ehlo_keywords (empty)
A case insensitive list of EHLO keywords
(pipelin-
ing, starttls, auth, etc.) that the SMTP
client
will ignore in the EHLO response from a remote
SMTP
server.
disable_mime_output_conversion (no)
Disable the conversion of 8BITMIME format to
7BIT
format.
mime_boundary_length_limit (2048)
The maximal length of MIME multipart
boundary
strings.
mime_nesting_limit (100)
The maximal recursion level that the MIME
processor
will handle.
smtp_send_xforward_command (no)
Send the non-standard XFORWARD command when
the
Postfix SMTP server EHLO response announces
XFOR-
WARD support.
smtp_sasl_password_maps (empty)
Optional SMTP client lookup tables with one
user-
name:password entry per remote hostname or
domain.
smtp_sasl_mechanism_filter (empty)
If non-empty, a Postfix SMTP client filter for
the
smtp_use_tls (no)
Opportunistic mode: use TLS when a remote
SMTP
server announces STARTTLS support, otherwise
send
the mail in the clear.
smtp_enforce_tls (no)
Enforcement mode: require that remote SMTP
servers
use TLS encryption, and never send mail in
the
clear.
smtp_sasl_tls_security_options
($smtp_sasl_secu-
rity_options)
The SASL authentication security options that
the
Postfix SMTP client uses for TLS encrypted
SMTP
sessions.
smtp_starttls_timeout (300s)
Time limit for Postfix SMTP client write and
read
operations during TLS startup and shutdown
hand-
shake procedures.
smtp_tls_CAfile (empty)
The file with the certificate of the
certification
smtp_tls_CApath (empty)
Directory with PEM format certificate
authority
certificates that the Postfix SMTP client uses
to
verify a remote SMTP server certificate.
smtp_tls_cert_file (empty)
File with the Postfix SMTP client RSA
certificate
in PEM format.
smtp_tls_cipherlist (empty)
Controls the Postfix SMTP client TLS cipher
selec-
tion scheme.
smtp_tls_dcert_file (empty)
File with the Postfix SMTP client DSA
certificate
in PEM format.
smtp_tls_dkey_file ($smtp_tls_dcert_file)
File with the Postfix SMTP client DSA private
key
in PEM format.
smtp_tls_enforce_peername (yes)
When TLS encryption is enforced, require that
the
remote SMTP server hostname matches the
information
in the remote SMTP server certificate.
smtp_tls_key_file ($smtp_tls_cert_file)
File with the Postfix SMTP client RSA private
key
in PEM format.
smtp_tls_loglevel (0)
Enable additional Postfix SMTP client logging
of
TLS activity.
smtp_tls_note_starttls_offer (no)
Log the hostname of a remote SMTP server
that
offers STARTTLS, when TLS is not already
enabled
for that server.
smtp_tls_per_site (empty)
Optional lookup tables with the Postfix SMTP
client
TLS usage policy by next-hop domain name and
by
remote SMTP server hostname.
smtp_tls_scert_verifydepth (5)
The verification depth for remote SMTP server
cer-
tificates.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional
Postfix
SMTP client TLS session cache.
smtp_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP client TLS
ses-
sion cache information.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp
(8)
or smtpd(8) process requests from the tlsmgr
(8)
server in order to seed its internal pseudo
random
number generator (PRNG).
smtp_destination_recipient_limit
($default_destina-
tion_recipient_limit)
The maximal number of recipients per delivery
via
the smtp message delivery transport.
smtp_connect_timeout (30s)
The SMTP client time limit for completing a
TCP
connection, or zero (use the operating
system
built-in time limit).
smtp_helo_timeout (300s)
The SMTP client time limit for sending the HELO
or
EHLO command, and for receiving the initial
server
response.
smtp_xforward_timeout (300s)
The SMTP client time limit for sending the
XFORWARD
command, and for receiving the server response.
smtp_mail_timeout (300s)
The SMTP client time limit for sending the
MAIL
FROM command, and for receiving the
server
response.
smtp_rcpt_timeout (300s)
The SMTP client time limit for sending the
SMTP
RCPT TO command, and for receiving the
server
response.
smtp_data_init_timeout (120s)
The SMTP client time limit for sending the
SMTP
DATA command, and for receiving the
server
response.
smtp_data_xfer_timeout (180s)
The SMTP client time limit for sending the
SMTP
message content.
smtp_data_done_timeout (600s)
The SMTP client time limit for sending the
SMTP
".", and for receiving the server response.
smtp_quit_timeout (300s)
The SMTP client time limit for sending the
QUIT
command, and for receiving the server response.
smtp_mx_address_limit (0)
The maximal number of MX (mail exchanger)
IP
addresses that can result from mail
exchanger
lookups, or zero (no limit).
smtp_mx_session_limit (2)
The maximal number of SMTP sessions per
delivery
request before giving up or delivering to a
fall-
back relay host, or zero (no limit).
smtp_rset_timeout (20s)
The SMTP client time limit for sending the
RSET
command, and for receiving the server response.
smtp_connection_cache_destinations (empty)
Permanently enable SMTP connection caching for
the
specified destinations.
smtp_connection_cache_on_demand (yes)
Temporarily enable SMTP connection caching while
a
destination has a high volume of mail in the
active
queue.
smtp_connection_cache_reuse_limit (10)
When SMTP connection caching is enabled, the
number
of times that an SMTP session is reused before
it
is closed.
smtp_connection_cache_time_limit (2s)
When SMTP connection caching is enabled, the
amount
of time that an unused SMTP client socket is
kept
open before it is closed.
debug_peer_level (2)
The increment in verbose logging level when
a
remote client or server matches a pattern in
the
debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server
hostname
or network address patterns that cause the
verbose
logging level to increase by the amount
specified
in $debug_peer_level.
error_notice_recipient (postmaster)
The recipient of postmaster notifications
about
mail delivery problems that are caused by
policy,
resource, software or protocol errors.
MISCELLANEOUS CONTROLS
best_mx_transport (empty)
Where the Postfix SMTP client should deliver
mail
when it detects a "mail loops back to myself"
error
condition.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and
LMTP
clients.
fallback_relay (empty)
Optional list of relay hosts for SMTP
destinations
that can't be found or that are unreachable.
inet_interfaces (all)
The network interface addresses that this mail
sys-
tem receives mail on.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
proxy_interfaces (empty)
The network interface addresses that this mail
sys-
tem receives mail on by way of a proxy or
network
address translation unit.
smtp_bind_address (empty)
An optional numerical network address that the
SMTP
client should bind to when making a connection.
smtp_helo_name">smtp_helo_name ($myhostname)
The hostname to send in the SMTP EHLO or HELO
com-
mand.
smtp_host_lookup (dns)
What mechanisms when the SMTP client uses to
look
up a host's IP address.
smtp_randomize_addresses (yes)
Randomize the order of equal-preference MX
host
addresses.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
scache(8), connection cache server
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
tlsmgr(8), TLS session and PRNG management
syslogd(8), system logging
README FILES
SASL_README, Postfix SASL howto
TLS_README, Postfix STARTTLS howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
SMTP
(8)
SCACHE(8) SCACHE
(8)
NAME
scache - Postfix connection cache server
SYNOPSIS
scache [generic Postfix daemon options]
DESCRIPTION
The scache server maintains a shared multi-
connection
cache. This information can be used by, for example,
Post-
fix SMTP clients or other Postfix delivery agents.
descriptor
together with application-dependent information that
is
needed to re-activate a connection object. Again,
the
scache service is completely unaware about the details
of
that information.
find_endp endpoint
Look up cached properties and a cached
file
descriptor for the specified endpoint.
find_dest destination
Look up cached destination properties, cached
end-
point properties, and a cached file descriptor
for
the specified logical destination.
SECURITY
The connection cache server is not security-sensitive.
It
does not talk to the network, and it does not talk
to
local users. The scache server can run chrooted at
fixed
low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Sessions cannot be cached across multiple machines.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically
as
scache(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
RESOURCE CONTROLS
connection_cache_ttl_limit (2s)
The maximal time-to-live value that the
connection
cache server allows.
connection_cache_status_update_time (600s)
How frequently the scache(8) server logs
usage
statistics with connection cache hit and miss
rates
for logical destinations and for physical
end-
points.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
smtp(8), SMTP client
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
This service was introduced with Postfix version 2.2.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SCACHE
(8)
WARNING
By turning on TLS support in Postfix, you not only get the ability to encrypt mail and to
authenticate clients or servers. You also turn on thousands and thousands of lines of OpenSSL
library code. Assuming that OpenSSL is written as carefully as Wietse's own code, every 1000
lines introduce one additional bug into Postfix.
Postfix version 2.2 TLS support is based on the Postfix/TLS patch by Lutz Jänicke, but differs
in a few minor ways.
● main.cf: Use btree instead of sdbm for TLS session cache databases.
TLS session cache databases are now accessed only by the tlsmgr(8) process, so there
are no more concurrency issues. Although Postfix has an sdbm client, the sdbm library
(1000 lines of code) is not included with Postfix.
TLS session caches can use any database that can store objects of several kbytes or
more, and that implements the sequence operation. In most cases, btree databases
should be adequate.
NOTE: You cannot use dbm databases. TLS session objects are too large.
The smtp(8) and smtpd(8) processes now use a client-server protocol in order to access
the tlsmgr(8) pseudo-random number generation (PRNG) pool, and in order to access
the TLS session cache databases. Such a protocol cannot be run across fifos.
To complete the build process, see the Postfix INSTALL instructions. Postfix has TLS support
turned off by default, so you can start using Postfix as soon as it is installed.
In order to use TLS, the Postfix SMTP server needs a certificate and a private key. Both must
be in "pem" format. The private key must not be encrypted, meaning: the key must be
accessible without password. Both certificate and private key may be in the same file.
Both RSA and DSA certificates are supported. Typically you will only have RSA certificates
issued by a commercial CA. In addition, the tools supplied with OpenSSL will by default issue
RSA certificates. You can have both at the same time, in which case the cipher used determines
which certificate is presented. For Netscape and OpenSSL clients without special cipher
choices, the RSA certificate is preferred.
In order for remote SMTP clients to check the Postfix SMTP server certificates, the CA
certificate (in case of a certificate chain, all CA certificates) must be available. You should add
these certificates to the server certificate, the server certificate first, then the issuing CA(s).
Example: the certificate for "server.dom.ain" was issued by "intermediate CA" which itself has
a certificate issued by "root CA". Create the server.pem file with:
A Postfix SMTP server certificate supplied here must be usable as SSL server certificate and
hence pass the "openssl verify -purpose sslserver ..." test.
A client that trusts the root CA has a local copy of the root CA certificate, so it is not necessary
to include the root CA certificate here. Leaving it out of the "server.pem" file reduces the
overhead of the TLS exchange.
If you want the Postfix SMTP server to accept remote SMTP client certificates issued by these
CAs, append the root certificate to $smtpd_tls_CAfile or install it in the $smtpd_tls_CApath
directory. When you configure trust in a root CA, it is not necessary to explicitly trust
intermediary CAs signed by the root CA, unless $smtpd_tls_verify_depth is less than the
number of CAs in the certificate chain for the clients of interest. With a verify depth of 1 you
can only verify certificates directly signed by a trusted CA, and all trusted intermediary CAs
need to be configured explicitly. With a verify depth of 2 you can verify clients signed by a
root CA or a direct intermediary CA (so long as the client is correctly configured to supply its
intermediate CA certificate).
/etc/postfix/main.cf:
smtpd_tls_cert_file = /etc/postfix/server.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
/etc/postfix/main.cf:
smtpd_tls_dcert_file = /etc/postfix/server-dsa.pem
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
To verify a remote SMTP client certificate, the Postfix SMTP server needs to trust the
certificates of the issuing certification authorities. These certificates in "pem" format can be
stored in a single $smtpd_tls_CAfile or in multiple files, one CA per file in the
$smtpd_tls_CApath directory. If you use a directory, don't forget to create the necessary "hash"
links with:
# $OPENSSL_HOME/bin/c_rehash /path/to/directory
The $smtpd_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is
opened (with root privileges) before Postfix enters the optional chroot jail and so need not be
accessible from inside the chroot jail.
Additional trusted CAs can be specified via the $smtpd_tls_CApath directory, in which case
the certificates are read (with $mail_owner privileges) from the files in the directory when the
information is needed. Thus, the $smtpd_tls_CApath directory needs to be accessible inside the
optional chroot jail.
When you configure Postfix to request client certificates (by setting $smtpd_tls_asck_ccert =
yes), any certificates in $smtpd_tls_CAfile are sent to the client, in order to allow it to choose
an identity signed by a CA you trust. If no $smtpd_tls_CAfile is specified, no preferred CA list
is sent, and the client is free to choose an identity signed by any CA. Many clients use a fixed
identity regardless of the preferred CA list and you may be able to reduce TLS negotiation
overhead by installing client CA certificates mostly or only in $smtpd_tls_CApath. In the latter
case you need not specify a $smtpd_tls_CAfile.
Note, that unless client certificates are used to allow greater access to TLS authenticated
clients, it is best to not ask for client certificates at all, as in addition to increased overhead
some clients (notably in some cases qmail) are unable to complete the TLS handshake when
client certificates are requested.
Example:
/etc/postfix/main.cf:
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_CApath = /etc/postfix/certs
To get additional information about Postfix SMTP server TLS activity you can increase the
loglevel from 0..4. Each logging level also includes the information that is logged at a lower
logging level.
Example:
/etc/postfix/main.cf:
smtpd_tls_loglevel = 0
To include information about the protocol and cipher used as well as the client and issuer
CommonName into the "Received:" message header, set the smtpd_tls_received_header
variable to true. The default is no, as the information is not necessarily authentic. Only
information recorded at the final destination is reliable, since the headers may be changed by
intermediate servers.
Example:
/etc/postfix/main.cf:
smtpd_tls_received_header = yes
By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is
visible. Explicitly switch it on using "smtpd_use_tls = yes".
Example:
/etc/postfix/main.cf:
smtpd_use_tls = yes
With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but does not
require that clients use TLS encryption.
Note: when an unprivileged user invokes "sendmail -bs", STARTTLS is never offered due to
insufficient privileges to access the server private key. This is intended behavior.
You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS
and accepts no mail without TLS encryption, by setting "smtpd_enforce_tls = yes". According
to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP
server. This option is off by default and should only seldom be used.
Example:
/etc/postfix/main.cf:
smtpd_enforce_tls = yes
TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS,
instead of announcing STARTTLS support and waiting for clients to request TLS service.
Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE
(Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).
It is strictly discouraged to use this mode from main.cf. If you want to support this service,
enable a special port in master.cf and specify "-o smtpd_tls_wrappermode = yes" as an smtpd
(8) command line option. Port 465 (smtps) was once chosen for this feature.
Example:
/etc/postfix/master.cf:
smtps inet n - n -
- smtpd
-o smtpd_tls_wrappermode=yes -o
smtpd_sasl_auth_enable=yes
To receive a remote SMTP client certificate, the Postfix SMTP server must explicitly ask for
one (any contents of $smtpd_tls_CAfile are also sent to the client as a hint for choosing a
certificate from a suitable CA). Unfortunately, Netscape clients will either complain if no
matching client certificate is available or will offer the user client a list of certificates to choose
from. Additionally some MTAs (notably some versions of qmail) are unable to complete TLS
negotiation when client certificates are requested, and abort the SMTP session. So this option is
"off" by default. You will however need the certificate if you want to use certificate based
relaying with, for example, the permit_tls_clientcerts feature.
Example:
/etc/postfix/main.cf:
smtpd_tls_ask_ccert = no
You may also decide to REQUIRE a remote SMTP client certificate before allowing TLS
connections. This feature is included for completeness, and implies "smtpd_tls_ask_ccert =
yes".
Please be aware, that this will inhibit TLS connections without a proper client certificate and
that it makes sense only when non-TLS submission is disabled (smtpd_enforce_tls = yes).
Otherwise, clients could bypass the restriction by simply not using STARTTLS at all.
When TLS is not enforced, the connection will be handled as if only "smtpd_tls_ask_ccert =
yes" is specified, and a warning is logged.
Example:
/etc/postfix/main.cf:
smtpd_tls_req_ccert = no
Example:
/etc/postfix/main.cf:
smtpd_tls_ccert_verifydepth = 5
Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer
encryption is required (smtpd_enforce_tls = yes), the Postfix SMTP server will announce and
accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer
encryption is optional (smtpd_enforce_tls = no), it may however still be useful to only offer
AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to
accept AUTH without encryption. In order to change this behavior, set "smtpd_tls_auth_only =
yes".
Example:
/etc/postfix/main.cf:
smtpd_tls_auth_only = no
The Postfix SMTP server and the remote SMTP client negotiate a session, which takes some
computer time and network bandwidth. By default, this session information is cached only in
the smtpd(8) process actually using this session and is lost when the process terminates. To
share the session information between multiple smtpd(8) processes, a persistent session cache
can be used. You can specify any database type that can store objects of several kbytes and that
supports the sequence operator. DBM databases are not suitable because they can only store
small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with
concurrent access.
Example:
/etc/postfix/main.cf:
smtpd_tls_session_cache_database = btree:/etc/
postfix/smtpd_scache
Cached Postfix SMTP server session information expires after a certain amount of time.
Postfix/TLS does not use the OpenSSL default of 300s, but a longer time of 3600sec (=1 hour).
RFC 2246 recommends a maximum of 24 hours.
Example:
/etc/postfix/main.cf:
smtpd_tls_session_cache_timeout = 3600s
Postfix TLS support introduces two additional features for Postfix SMTP server access control:
permit_tls_clientcerts
Allow the remote SMTP client SMTP request if the client certificate
passes verification, and if its fingerprint is listed in the list of client
certificates (see relay_clientcerts discussion below).
permit_tls_all_clientcerts
Allow the remote client SMTP request if the client certificate passes
verification.
The permit_tls_all_clientcerts feature must be used with caution, because it can result in too
many access permissions. Use this feature only if a special CA issues the client certificates, and
only if this CA is listed as trusted CA. If other CAs are trusted, any owner of a valid client
certificate would be authorized. The permit_tls_all_clientcerts feature can be practical for a
specially created email relay server.
It is however recommended to stay with the permit_tls_clientcerts feature and list all
certificates via $relay_clientcerts, as permit_tls_all_clientcerts does not permit any control
when a certificate must no longer be used (e.g. an employee leaving).
Example:
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
...
permit_tls_clientcerts
reject_unauth_destination
...
The Postfix list manipulation routines give special treatment to whitespace and some other
characters, making the use of certificate names unpractical. Instead we use the certificate
fingerprints as they are difficult to fake but easy to use for lookup. Postfix lookup tables are in
the form of (key, value) pairs. Since we only need the key, the value can be chosen freely, e.g.
the name of the user or host.
Example:
/etc/postfix/main.cf:
relay_clientcerts = hash:/etc/postfix/
relay_clientcerts
/etc/postfix/relay_clientcerts:
D7:04:2F:A7:0B:8C:A5:21:FA:31:77:E1:41:8A:EE:80
lutzpc.at.home
To influence the Postfix SMTP server cipher selection scheme, you can give cipherlist string.
A detailed description would go to far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the (openssl-)compiled in
default!
DO NOT USE " to enclose the string, specify just the string!!!
Example:
/etc/postfix/main.cf:
smtpd_tls_cipherlist = DEFAULT
If you want to take advantage of ciphers with EDH, DH parameters are needed. Instead of
using the built-in DH parameters for both 1024bit and 512bit, it is better to generate "own"
parameters, since otherwise it would "pay" for a possible attacker to start a brute force attack
against parameters that are used by everybody. For this reason, the parameters chosen are
already different from those distributed with other TLS packages.
Examples:
/etc/postfix/main.cf:
smtpd_tls_dh1024_param_file = /etc/postfix/
dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.
pem
The smtpd_starttls_timeout parameter limits the time of Postfix SMTP server write and read
operations during TLS startup and shutdown handshake procedures.
Example:
/etc/postfix/main.cf:
smtpd_starttls_timeout = 300s
During TLS startup negotiation the Postfix SMTP client may present a certificate to the remote
SMTP server. The Netscape client is rather clever here and lets the user select between only
those certificates that match CA certificates offered by the remote SMTP server. As the Postfix
SMTP client uses the "SSL_connect()" function from the OpenSSL package, this is not
possible and we have to choose just one certificate. So for now the default is to use _no_
certificate and key unless one is explicitly specified here.
Both RSA and DSA certificates are supported. You can have both at the same time, in which
case the cipher used determines which certificate is presented.
It is possible for the Postfix SMTP client to use the same key/certificate pair as the Postfix
SMTP server. If a certificate is to be presented, it must be in "pem" format. The private key
must not be encrypted, meaning: it must be accessible without password. Both parts (certificate
In order for remote SMTP servers to verify the Postfix SMTP client certificates, the CA
certificate (in case of a certificate chain, all CA certificates) must be available. You should add
these certificates to the client certificate, the client certificate first, then the issuing CA(s).
Example: the certificate for "client.example.com" was issued by "intermediate CA" which itself
has a certificate of "root CA". Create the client.pem file with:
A Postfix SMTP client certificate supplied here must be usable as SSL client certificate and
hence pass the "openssl verify -purpose sslclient ..." test.
A server that trusts the root CA has a local copy of the root CA certificate, so it is not necessary
to include the root CA certificate here. Leaving it out of the "client.pem" file reduces the
overhead of the TLS exchange.
If you want the Postfix SMTP client to accept remote SMTP server certificates issued by these
CAs, append the root certificate to $smtp_tls_CAfile or install it in the $smtp_tls_CApath
directory. When you configure trust in a root CA, it is not necessary to explicitly trust
intermediary CAs signed by the root CA, unless $smtp_tls_verify_depth is less than the
number of CAs in the certificate chain for the servers of interest. With a verify depth of 1 you
can only verify certificates directly signed by a trusted CA, and all trusted intermediary CAs
need to be configured explicitly. With a verify depth of 2 you can verify servers signed by a
root CA or a direct intermediary CA (so long as the server is correctly configured to supply its
intermediate CA certificate).
/etc/postfix/main.cf:
smtp_tls_cert_file = /etc/postfix/client.pem
smtp_tls_key_file = $smtp_tls_cert_file
/etc/postfix/main.cf:
smtp_tls_dcert_file = /etc/postfix/client-dsa.pem
smtp_tls_dkey_file = $smtpd_tls_cert_file
To verify a remote SMTP server certificate, the Postfix SMTP client needs to trust the
certificates of the issuing certification authorities. These certificates in "pem" format can be
stored in a single $smtp_tls_CAfile or in multiple files, one CA per file in the
$smtp_tls_CApath directory. If you use a directory, don't forget to create the necessary "hash"
links with:
# $OPENSSL_HOME/bin/c_rehash /path/to/directory
The $smtp_tls_CAfile contains the CA certificates of one or more trusted CAs. The file is
opened (with root privileges) before Postfix enters the optional chroot jail and so need not be
accessible from inside the chroot jail.
Additional trusted CAs can be specified via the $smtp_tls_CApath directory, in which case the
certificates are read (with $mail_owner privileges) from the files in the directory when the
information is needed. Thus, the $smtp_tls_CApath directory needs to be accessible inside the
optional chroot jail.
Example:
/etc/postfix/main.cf:
smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_CApath = /etc/postfix/certs
To get additional information about Postfix SMTP client TLS activity you can increase the
loglevel from 0..4. Each logging level also includes the information that is logged at a lower
logging level.
Example:
/etc/postfix/main.cf:
smtp_tls_loglevel = 0
The remote SMTP server and the Postfix SMTP client negotiate a session, which takes some
computer time and network bandwidth. By default, this session information is cached only in
the smtp(8) process actually using this session and is lost when the process terminates. To
share the session information between multiple smtp(8) processes, a persistent session cache
can be used. You can specify any database type that can store objects of several kbytes and that
supports the sequence operator. DBM databases are not suitable because they can only store
small objects. The cache is maintained by the tlsmgr(8) process, so there is no problem with
concurrent access.
Example:
/etc/postfix/main.cf:
smtp_tls_session_cache_database = btree:/etc/
postfix/smtp_scache
Cached Postfix SMTP client session information expires after a certain amount of time. Postfix/
TLS does not use the OpenSSL default of 300s, but a longer time of 3600s (=1 hour). RFC
2246 recommends a maximum of 24 hours.
Example:
/etc/postfix/main.cf:
smtp_tls_session_cache_timeout = 3600s
By default, TLS is disabled in the Postfix SMTP client, so no difference to plain Postfix is
visible. If you enable TLS, the Postfix SMTP client will send STARTTLS when TLS support is
announced by the remote SMTP server.
WARNING: MS Exchange servers will announce STARTTLS support even when the service
is not configured, so that the TLS handshake will fail. It may be wise to not use this option on
your central mail hub, as you don't know in advance whether you are going to connect to such a
host. Instead, use the smtp_tls_per_site recipient/site specific options that are described below.
When the TLS handshake fails and no other server is available, the Postfix SMTP client defers
the delivery attempt, and the mail stays in the queue.
Example:
/etc/postfix/main.cf:
smtp_use_tls = yes
You can ENFORCE the use of TLS, so that the Postfix SMTP client will not deliver mail over
unencrypted connections. In this mode, the remote SMTP server hostname must match the
information in the remote server certificate, and the server certificate must be issued by a CA
that is trusted by the Postfix SMTP client. If the remote server certificate doesn't verify or the
remote SMTP server hostname doesn't match, and no other server is available, the delivery
attempt is deferred and the mail stays in the queue.
The remote SMTP server hostname used in the check is beyond question, as it must be the
principal hostname (no CNAME allowed here). Checks are performed against all names
provided as dNSNames in the SubjectAlternativeName. If no dNSNames are specified, the
CommonName is checked. The behavior may be changed with the smtp_tls_enforce_peername
option which is discussed below.
This option is useful only if you know that you will only connect to servers that support RFC
2487 _and_ that present server certificates that meet the above requirements. An example
would be a client only sends email to one specific mailhub that offers the necessary
STARTTLS support.
Example:
/etc/postfix/main.cf:
smtp_enforce_tls = no
As of RFC 2487 the requirements for hostname checking for MTA clients are not set. When
TLS is required (smtp_enforce_tls = yes), the option smtp_tls_enforce_peername can be set to
"no" to disable strict remote SMTP server hostname checking. In this case, the mail delivery
will proceed regardless of the CommonName etc. listed in the certificate.
Note: the smtp_tls_enforce_peername setting has no effect on sessions that are controlled via
Disabling the remote SMTP server hostname verification can make sense in closed
environment where special CAs are created. If not used carefully, this option opens the danger
of a "man-in-the-middle" attack (the CommonName of this possible attacker is logged).
Example:
/etc/postfix/main.cf:
smtp_tls_enforce_peername = yes
Generally, trying TLS can be a bad idea, as some servers offer STARTTLS but the negotiation
will fail leading to unexplainable failures. Instead, it may be a good idea to choose the TLS
usage policy based on the recipient or the mailhub to which you are connecting.
Deciding the TLS usage policy per recipient may be difficult, since a single email delivery
attempt can involve several recipients. Instead, use of TLS is controlled by the Postfix next-hop
destination domain name and by the remote SMTP server hostname. If either of these matches
an entry in the smtp_tls_per_site table, appropriate action is taken.
The remote SMTP server hostname is simply the DNS name of the server that the Postfix
SMTP client connects to. The next-hop destination is Postfix specific. By default, this is the
domain name in the recipient address, but this information can be overruled by the transport(5)
table or by the relayhost parameter setting. In these cases the relayhost etc. must be listed in the
smtp_tls_per_site table, instead of the recipient domain name.
Format of the table: domain or host names are specified on the left-hand side; no wildcards are
allowed. On the right hand side specify one of the following keywords:
NONE
Don't use TLS at all.
MAY
Try to use STARTTLS if offered, otherwise use the unencrypted
connection. NOTE: STARTTLS can be used only if TLS is already
enabled via main.cf, so that the client TLS engine is properly initialized at
program startup.
MUST
Require usage of STARTTLS, require that the remote SMTP server
hostname matches the information in the remote SMTP server certificate,
and require that the remote SMTP server certificate was issued by a
trusted CA.
MUST_NOPEERMATCH
Require usage of STARTTLS, but do not require that the remote SMTP
server hostname matches the information in the remote SMTP server
certificate, or that the server certificate was issued by a trusted CA.
The actual TLS usage policy depends not only on whether the next-hop destination or remote
SMTP server hostname are found in the smtp_tls_per_site table, but also on the
smtp_enforce_tls setting:
● If a match was found, and the smtp_enforce_tls policy is "enforce", NONE explicitly
switches it off; otherwise the "enforce" mode is used even for entries that specify MAY.
Special hint for TLS enforcement mode: since no secure DNS lookup mechanism is available,
mail can be delivered to the wrong remote SMTP server. This is not prevented by specifying
MUST for the next-hop domain name. The recommended setup is: specify local transport(5)
table entries for sensitive domains with explicit smtp:[mailhost] destinations (since you can
assure security of this table unlike DNS), then specify MUST for these mail hosts in the
smtp_tls_per_site table.
Example:
/etc/postfix/main.cf:
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
As we decide on a "per site" basis whether or not to use TLS, it would be good to have a list of
sites that offered "STARTTLS". We can collect it ourselves with this option.
If the smtp_tls_note_starttls_offer feature is enabled and a server offers STARTTLS while TLS
is not already enabled for that server, the Postfix SMTP client logs a line as follows:
Example:
/etc/postfix/main.cf:
smtp_tls_note_starttls_offer = yes
When verifying a remote SMTP server certificate, a verification depth of 1 is sufficient if the
certificate is directly issued by a CA specified with smtp_tls_CAfile or smtp_tls_CApath. The
default value of 5 should also suffice for longer chains (root CA issues special CA which then
issues the actual certificate...)
Example:
/etc/postfix/main.cf:
smtp_tls_scert_verifydepth = 5
To influence the Postfix SMTP client cipher selection scheme, you can give cipherlist string. A
detailed description would go to far here; please refer to the OpenSSL documentation. If you
don't know what to do with it, simply don't touch it and leave the (openssl-)compiled in
default!
DO NOT USE " to enclose the string, specify just the string!!!
Example:
/etc/postfix/main.cf:
smtp_tls_cipherlist = DEFAULT
The smtp_starttls_timeout parameter limits the time of Postfix SMTP client write and read
operations during TLS startup and shutdown handshake procedures. In case of problems the
Postfix SMTP client tries the next network address on the mail exchanger list, and defers
delivery if no alternative server is available.
Example:
/etc/postfix/main.cf:
smtp_starttls_timeout = 300s
The security of cryptographic software such as TLS depends critically on the ability to generate
unpredictable numbers for keys and other information. To this end, the tlsmgr(8) process
maintains a Pseudo Random Number Generator (PRNG) pool. This is queried by the smtp(8)
and smtpd(8) processes when they initialize. By default, these daemons request 32 bytes, the
equivalent to 256 bits. This is more than sufficient to generate a 128bit (or 168bit) session key.
Example:
/etc/postfix/main.cf:
tls_daemon_random_bytes = 32
In order to feed its in-memory PRNG pool, the tlsmgr(8) reads entropy from an external
source, both at startup and during run-time. Specify a good entropy source, like EGD or /dev/
urandom; be sure to only use non-blocking sources. If the entropy source is not a regular file,
you must prepend the source type to the source name: "dev:" for a device special file, or "egd:"
for a source with EGD compatible socket interface.
/etc/postfix/main.cf:
tls_random_source = dev:/dev/urandom
tls_random_source = egd:/var/run/egd-pool
By default, tlsmgr(8) reads 32 bytes from the external entropy source at each seeding event.
This amount (256bits) is more than sufficient for generating a 128bit symmetric key. With
EGD and device entropy sources, the tlsmgr(8) limits the amount of data read at each step to
255 bytes. If you specify a regular file as entropy source, a larger amount of data can be read.
Example:
/etc/postfix/main.cf:
tls_random_bytes = 32
In order to update its in-memory PRNG pool, the tlsmgr(8) queries the external entropy source
again after a pseudo-random amount of time. The time is calculated using the PRNG, and is
between 0 and the maximal time specified with tls_random_reseed_period. The default
maximal time interval is 1 hour.
Example:
/etc/postfix/main.cf:
tls_random_reseed_period = 3600s
The tlsmgr(8) process saves the PRNG state to a persistent exchange file at regular times and
when the process terminates, so that it can recover the PRNG state the next time it starts up.
This file is created when it does not exist. Its default location is under the Postfix configuration
directory, which is not the proper place for information that is modified by Postfix. Instead, the
file location should probably be on the /var partition (but not inside the chroot jail).
Examples:
/etc/postfix/main.cf:
tls_random_exchange_name = /etc/postfix/prng_exch
tls_random_prng_update_period = 3600s
In the examples below, user input is shown in bold font, and a "#" prompt indicates a super-
user shell.
● Become your own Certificate Authority, so that you can sign your own public keys.
This example uses the CA.pl script that ships with OpenSSL. By default, OpenSSL
installs this as /usr/local/ssl/misc/CA.pl, but your mileage may vary. The
script creates a private key in ./demoCA/private/cakey.pem and a public key
in ./demoCA/cacert.pem.
% /usr/local/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
.....++++++
writing new private key to './demoCA/private/
cakey.pem'
Enter PEM pass phrase:whatever
● Create an unpassworded private key for host FOO and create an unsigned public key
certificate.
● Sign the public key certificate for host FOO with the Certification Authority private key
● Install the host private key, the host public key certificate, and the Certification
Authority certificate files. This requires super-user privileges.
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/
smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/
smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
Reporting problems
When reporting a problem, please be thorough in the report. Patches, when possible, are greatly
appreciated too.
Credits
● TLS support for Postfix was originally developed by Lutz Jänicke at Cottbus Technical
University.
● Wietse Venema adopted the code, did some restructuring, and compiled this part of the
documentation from Lutz's documents.
TLSMGR(8) TLSMGR
(8)
NAME
tlsmgr - Postfix TLS session cache and PRNG manager
SYNOPSIS
tlsmgr [generic Postfix daemon options]
DESCRIPTION
The tlsmgr(8) maintains the TLS session caches for
Postfix
SMTP client and server processes. It periodically
removes
entries that have expired, and entries that are no
longer
compatible with the currently running Postfix version.
reads
the exchange file when initializing its PRNG.
SECURITY
tlsmgr(8) is not security-sensitive. The code that
main-
tains the external and internal PRNG pools does
not
"trust" the data that it manipulates, and the code
that
maintains the TLS session cache does not touch the
con-
tents of the cached entries, except for seeding its
inter-
nal PRNG pool.
DIAGNOSTICS
Problems and transactions are logged to the syslog
daemon.
BUGS
There is no automatic means to limit the number of
entries
in the TLS session caches and/or the size of the TLS
cache
files.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up
automatically,
because tlsmgr(8) is a persistent processes. Use the
com-
mand "postfix reload" after a configuration change.
smtpd_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP server TLS
ses-
sion cache information.
smtp_tls_session_cache_database (empty)
Name of the file containing the optional
Postfix
SMTP client TLS session cache.
smtp_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP client TLS
ses-
sion cache information.
tls_random_bytes (32)
The number of bytes that tlsmgr(8) reads
from
$tls_random_source when (re)seeding the in-
memory
pseudo random number generator (PRNG) pool.
tls_random_exchange_name (${config_directory}/prng_exch)
tls_random_prng_update_period (3600s)
The time between attempts by tlsmgr(8) to save
the
state of the pseudo random number generator
(PRNG)
to the file specified with
$tls_ran-
dom_exchange_name.
tls_random_reseed_period (3600s)
The maximal time between attempts by tlsmgr(8)
to
re-seed the in-memory pseudo random number
genera-
tor (PRNG) pool from external sources.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
smtp(8) Postfix SMTP client
smtpd(8) Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
TLS_README, Postfix TLS configuration and operation
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Lutz Jaenicke
BTU Cottbus
Allgemeine Elektrotechnik
Universitaetsplatz 3-4
D-03044 Cottbus, Germany
Adapted by:
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TLSMGR
(8)
SMTPD(8) SMTPD
(8)
NAME
smtpd - Postfix SMTP server
SYNOPSIS
smtpd [generic Postfix daemon options]
DESCRIPTION
The SMTP server accepts network connection requests
and
performs zero or more SMTP transactions per
connection.
Each received message is piped through the cleanup(8)
dae-
mon, and is placed into the incoming queue as one
single
queue file. For this mode of operation, the
program
expects to be run from the master(8) process manager.
SECURITY
STANDARDS
RFC 821 (SMTP protocol)
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
RFC 3207 (STARTTLS command)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically,
as
smtpd(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
COMPATIBILITY CONTROLS
The following parameters work around implementation
errors
broken_sasl_auth_clients (no)
Enable inter-operability with SMTP clients
that
implement an obsolete version of the AUTH
command
(RFC 2554).
disable_vrfy_command (no)
Disable the SMTP VRFY command.
smtpd_noop_commands (empty)
List of commands that the Postfix SMTP
server
replies to with "250 Ok", without doing any
syntax
checks and without changing state.
strict_rfc821_envelopes (no)
Require that addresses received in SMTP MAIL
FROM
and RCPT TO commands are enclosed with <>, and
that
those addresses do not contain RFC 822 style
com-
ments or phrases.
resolve_null_domain (no)
Resolve an address that ends in the "@" null
domain
as if the local hostname were specified, instead
of
rejecting the address as invalid.
smtpd_reject_unlisted_sender (no)
Request that the Postfix SMTP server rejects
mail
smtpd_sasl_exceptions_networks (empty)
What SMTP clients Postfix will not offer AUTH
sup-
port to.
smtpd_discard_ehlo_keyword_address_maps (empty)
Lookup tables, indexed by the remote SMTP
client
address, with case insensitive lists of EHLO
key-
words (pipelining, starttls, auth, etc.) that
the
SMTP server will not send in the EHLO response to
a
remote SMTP client.
smtpd_discard_ehlo_keywords (empty)
A case insensitive list of EHLO keywords
(pipelin-
ing, starttls, auth, etc.) that the SMTP
server
will not send in the EHLO response to a remote
SMTP
client.
receive_override_options (empty)
Enable or disable recipient validation, built-
in
content filtering, or address mapping.
content_filter (empty)
The name of a mail delivery transport that
filters
mail after it is queued.
smtpd_proxy_filter (empty)
The hostname and TCP port of the mail
filtering
proxy server.
smtpd_proxy_ehlo ($myhostname)
How the Postfix SMTP server announces itself to
the
proxy filter.
smtpd_proxy_timeout (100s)
The time limit for connecting to a proxy filter
and
for sending or receiving information.
receive_override_options (empty)
Enable or disable recipient validation, built-
in
content filtering, or address mapping.
smtpd_authorized_xforward_hosts (empty)
What SMTP clients are allowed to use the
XFORWARD
feature.
authenti-
cate remote SMTP clients to the Postfix SMTP server,
and
to authenticate the Postfix SMTP client to a remote
SMTP
server. See the SASL_README document for details.
broken_sasl_auth_clients (no)
Enable inter-operability with SMTP clients
that
implement an obsolete version of the AUTH
command
(RFC 2554).
smtpd_sasl_auth_enable (no)
Enable SASL authentication in the Postfix
SMTP
server.
smtpd_sasl_application_name (smtpd)
The application name used for SASL server
initial-
ization.
smtpd_sasl_local_domain (empty)
The name of the local SASL authentication realm.
smtpd_sasl_security_options (noanonymous)
Restrict what authentication mechanisms the
Postfix
SMTP server will offer to the client.
smtpd_sender_login_maps (empty)
Optional lookup table with the SASL login
names
that own sender (MAIL FROM) addresses.
smtpd_sasl_exceptions_networks (empty)
What SMTP clients Postfix will not offer AUTH
sup-
port to.
smtpd_use_tls (no)
Opportunistic mode: announce STARTTLS support
to
SMTP clients, but do not require that clients
use
TLS encryption.
smtpd_enforce_tls (no)
Enforcement mode: announce STARTTLS support to
SMTP
clients, and require that clients use TLS
encryp-
tion.
smtpd_sasl_tls_security_options
($smtpd_sasl_secu-
rity_options)
The SASL authentication security options that
the
Postfix SMTP server uses for TLS encrypted
SMTP
sessions.
smtpd_starttls_timeout (300s)
The time limit for Postfix SMTP server write
and
read operations during TLS startup and
shutdown
handshake procedures.
smtpd_tls_CAfile (empty)
The file with the certificate of the
certification
authority (CA) that issued the Postfix SMTP
server
certificate.
smtpd_tls_CAfile (empty)
The file with the certificate of the
certification
authority (CA) that issued the Postfix SMTP
server
certificate.
smtpd_tls_ask_ccert (no)
Ask a remote SMTP client for a client
certificate.
smtpd_tls_auth_only (no)
When TLS encryption is optional in the Postfix
SMTP
server, do not announce or accept SASL
authentica-
tion over unencrypted connections.
smtpd_tls_ccert_verifydepth (5)
The verification depth for remote SMTP client
cer-
tificates.
smtpd_tls_cert_file (empty)
File with the Postfix SMTP server RSA
certificate
in PEM format.
smtpd_tls_cipherlist (empty)
Controls the Postfix SMTP server TLS cipher
selec-
tion scheme.
smtpd_tls_dcert_file (empty)
File with the Postfix SMTP server DSA
certificate
in PEM format.
smtpd_tls_dh1024_param_file (empty)
File with DH parameters that the Postfix
SMTP
server should use with EDH ciphers.
smtpd_tls_dh512_param_file (empty)
File with DH parameters that the Postfix
SMTP
server should use with EDH ciphers.
smtpd_tls_dkey_file ($smtpd_tls_dcert_file)
File with the Postfix SMTP server DSA private
key
in PEM format.
smtpd_tls_key_file ($smtpd_tls_cert_file)
File with the Postfix SMTP server RSA private
key
in PEM format.
smtpd_tls_loglevel (0)
Enable additional Postfix SMTP server logging
of
TLS activity.
smtpd_tls_received_header (no)
Request that the Postfix SMTP server
produces
Received: message headers that include
information
about the protocol and cipher used, as well as
the
client CommonName and client certificate
issuer
CommonName.
smtpd_tls_req_ccert (no)
When TLS encryption is enforced, require a
remote
SMTP client certificate in order to allow TLS
con-
nections to proceed.
smtpd_tls_session_cache_database (empty)
Name of the file containing the optional
Postfix
SMTP server TLS session cache.
smtpd_tls_session_cache_timeout (3600s)
The expiration time of Postfix SMTP server TLS
ses-
sion cache information.
smtpd_tls_wrappermode (no)
Run the Postfix SMTP server in the non-
standard
"wrapper" mode, instead of using the STARTTLS
com-
mand.
tls_daemon_random_bytes (32)
The number of pseudo-random bytes that an smtp
(8)
or smtpd(8) process requests from the tlsmgr
(8)
server in order to seed its internal pseudo
random
number generator (PRNG).
line
option and is available in Postfix version 1.1 and
later.
default_verp_delimiters (+=)
The two default VERP delimiter characters.
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP
delimiter
characters on the Postfix sendmail(1) command
line
and in SMTP commands.
authorized_verp_clients ($mynetworks)
What SMTP clients are allowed to specify the
XVERP
command.
smtpd_authorized_verp_clients ($authorized_verp_clients)
What SMTP clients are allowed to specify the
XVERP
command.
debug_peer_level (2)
The increment in verbose logging level when
a
remote client or server matches a pattern in
the
debug_peer_list parameter.
debug_peer_list (empty)
Optional list of remote client or server
hostname
or network address patterns that cause the
verbose
logging level to increase by the amount
specified
in $debug_peer_level.
error_notice_recipient (postmaster)
The recipient of postmaster notifications
about
mail delivery problems that are caused by
policy,
resource, software or protocol errors.
soft_bounce (no)
Safety net to keep mail queued that would
otherwise
be returned to the sender.
smtpd_authorized_xclient_hosts (empty)
What SMTP clients are allowed to use the
XCLIENT
feature.
show_user_unknown_table_name (yes)
Display the name of the recipient table in
the
"User unknown" responses.
canonical_maps (empty)
Optional address mapping lookup tables for
message
headers and envelopes.
recipient_canonical_maps (empty)
Optional address mapping lookup tables for
envelope
and header recipient addresses.
inet_interfaces (all)
The network interface addresses that this mail
sys-
tem receives mail on.
proxy_interfaces (empty)
The network interface addresses that this mail
sys-
tem receives mail on by way of a proxy or
network
address translation unit.
local_recipient_maps (proxy:unix:passwd.
byname
$alias_maps)
Lookup tables with all names or addresses of
local
recipients: a recipient address is local when
its
domain matches $mydestination, $inet_interfaces
or
$proxy_interfaces.
unknown_local_recipient_reject_code (550)
The numerical Postfix SMTP server response
code
when a recipient address is local,
and
$local_recipient_maps specifies a list of
lookup
tables that does not match the recipient.
relay_domains ($mydestination)
What destination domains (and subdomains
thereof)
this system will relay mail to.
relay_recipient_maps (empty)
Optional lookup tables with all valid addresses
in
the domains that match $relay_domains.
unknown_relay_recipient_reject_code (550)
The numerical Postfix SMTP server reply code when
a
recipient address matches $relay_domains,
and
relay_recipient_maps specifies a list of
lookup
virtual_alias_domains ($virtual_alias_maps)
Postfix is final destination for the specified
list
of virtual alias domains, that is, domains
for
which all addresses are aliased to addresses
in
other local or remote domains.
virtual_alias_maps ($virtual_maps)
Optional lookup tables that alias specific
mail
addresses or domains to other local or
remote
address.
unknown_virtual_alias_reject_code (550)
The SMTP server reply code when a recipient
address
matches $virtual_alias_domains, and
$vir-
tual_alias_maps specifies a list of lookup
tables
that does not match the recipient address.
virtual_mailbox_domains ($virtual_mailbox_maps)
Postfix is final destination for the specified
list
of domains; mail is delivered via the
$vir-
tual_transport mail delivery transport.
virtual_mailbox_maps (empty)
Optional lookup tables with all valid addresses
in
the domains that match $virtual_mailbox_domains.
unknown_virtual_mailbox_reject_code (550)
The SMTP server reply code when a recipient
address
matches $virtual_mailbox_domains, and
$vir-
tual_mailbox_maps specifies a list of lookup
tables
that does not match the recipient address.
line_length_limit (2048)
Upon input, long lines are chopped up into
pieces
of at most this length; upon delivery, long
lines
are reconstructed.
queue_minfree (0)
The minimal amount of free space in bytes in
the
queue file system that is needed to receive mail.
message_size_limit (10240000)
The maximal size in bytes of a message,
including
envelope information.
smtpd_recipient_limit (1000)
The maximal number of recipients that the
Postfix
SMTP server accepts per message delivery request.
smtpd_timeout (300s)
The time limit for sending a Postfix SMTP
server
response and for receiving a remote SMTP
client
request.
smtpd_history_flush_threshold (100)
The maximal number of lines in the Postfix
SMTP
server command history before it is flushed
upon
receipt of EHLO, RSET, or end of DATA.
smtpd_client_connection_count_limit (50)
How many simultaneous connections any client
is
allowed to make to this service.
smtpd_client_connection_rate_limit (0)
The maximal number of connection attempts
any
client is allowed to make to this service per
time
unit.
smtpd_client_message_rate_limit (0)
The maximal number of message delivery
requests
that any client is allowed to make to this
service
per time unit, regardless of whether or not
Postfix
actually accepts those messages.
smtpd_client_recipient_rate_limit (0)
The maximal number of recipient addresses that
any
client is allowed to send to this service per
time
unit, regardless of whether or not Postfix
actually
accepts those recipients.
smtpd_client_event_limit_exceptions ($mynetworks)
Clients that are excluded from connection
count,
connection rate, message rate or recipient
rate
restrictions.
TARPIT CONTROLS
When a remote SMTP client makes errors, the Postfix
SMTP
server can insert delays before responding. This can
help
to slow down run-away software. The behavior is
con-
trolled by an error counter that counts the number
of
errors within an SMTP session that a client makes
without
delivering mail.
smtpd_error_sleep_time (1s)
With Postfix 2.1 and later: the SMTP
server
response delay after a client has made more
than
$smtpd_soft_error_limit errors, and fewer
than
$smtpd_hard_error_limit errors, without
delivering
mail.
smtpd_soft_error_limit (10)
smtpd_hard_error_limit (20)
The maximal number of errors a remote SMTP
client
is allowed to make without delivering mail.
smtpd_junk_command_limit (100)
The number of junk commands (NOOP, VRFY, ETRN
or
RSET) that a remote SMTP client can send before
the
Postfix SMTP server starts to increment the
error
counter with each junk command.
smtpd_recipient_overshoot_limit (1000)
The number of recipients that a remote SMTP
client
can send in excess of the limit specified
with
$smtpd_recipient_limit, before the Postfix
SMTP
server increments the per-session error count
for
each excess recipient.
smtpd_policy_service_max_idle (300s)
The time after which an idle SMTPD policy
service
connection is closed.
smtpd_policy_service_max_ttl (1000s)
The time after which an active SMTPD policy
service
connection is closed.
smtpd_policy_service_timeout (100s)
The time limit for connecting to, writing to
or
receiving from a delegated SMTPD policy server.
ACCESS CONTROLS
The SMTPD_ACCESS_README document gives an introduction
to
all the SMTP server access control features.
smtpd_delay_reject (yes)
Wait until the RCPT TO command before
evaluating
$smtpd_client_restrictions,
$smtpd_helo_restric-
tions and $smtpd_sender_restrictions, or wait
until
the ETRN command before
evaluating
$smtpd_client_restrictions and
$smtpd_helo_restric-
tions.
smtpd_client_restrictions (empty)
Optional SMTP server access restrictions in
the
context of a client SMTP connection request.
smtpd_helo_required (no)
Require that a remote SMTP client introduces
itself
at the beginning of an SMTP session with the
HELO
or EHLO command.
smtpd_helo_restrictions (empty)
Optional restrictions that the Postfix SMTP
server
applies in the context of the SMTP HELO command.
smtpd_sender_restrictions (empty)
Optional restrictions that the Postfix SMTP
server
applies in the context of the MAIL FROM command.
smtpd_recipient_restrictions
(permit_mynetworks,
reject_unauth_destination)
The access restrictions that the Postfix
SMTP
server applies in the context of the RCPT TO
com-
mand.
smtpd_etrn_restrictions (empty)
Optional SMTP server access restrictions in
the
context of a client ETRN request.
allow_untrusted_routing (no)
Forward mail with sender-specified
routing
(user[@%!]remote[@%!]site) from untrusted
clients
to destinations matching $relay_domains.
smtpd_restriction_classes (empty)
User-defined aliases for groups of access
restric-
tions.
smtpd_null_access_lookup_key (<>)
The lookup key to be used in SMTP access(5)
tables
instead of the null sender address.
permit_mx_backup_networks (empty)
Restrict the use of the permit_mx_backup
SMTP
access feature to only domains whose primary
MX
hosts match the listed networks.
smtpd_data_restrictions (empty)
Optional access restrictions that the Postfix
SMTP
server applies in the context of the SMTP DATA
com-
mand.
smtpd_reject_unlisted_sender (no)
Request that the Postfix SMTP server rejects
mail
from unknown sender addresses, even when
no
smtpd_reject_unlisted_recipient (yes)
Request that the Postfix SMTP server rejects
mail
for unknown recipient addresses, even when
no
explicit reject_unlisted_recipient access
restric-
tion is specified.
smtpd_end_of_data_restrictions (empty)
Optional access restrictions that the Postfix
SMTP
server applies in the context of the SMTP END-
OF-
DATA command.
address_verify_poll_count (3)
How many times to query the verify(8) service
for
the completion of an address verification
request
in progress.
address_verify_poll_delay (3s)
The delay between queries for the completion of
an
address verification request in progress.
address_verify_sender (postmaster)
The sender address to use in address
verification
probes.
unverified_sender_reject_code (450)
The numerical Postfix SMTP server response
code
when a recipient address is rejected by
the
reject_unverified_sender restriction.
unverified_recipient_reject_code (450)
The numerical Postfix SMTP server response when
a
recipient address is rejected by the
reject_unveri-
fied_recipient restriction.
access_map_reject_code (554)
The numerical Postfix SMTP server response
code
when a client is rejected by an access(5)
map
restriction.
defer_code (450)
The numerical Postfix SMTP server response
code
when a remote SMTP client request is rejected
by
the "defer" restriction.
invalid_hostname_reject_code (501)
The numerical Postfix SMTP server response
code
when the client HELO or EHLO command parameter
is
rejected by the reject_invalid_hostname
restric-
tion.
maps_rbl_reject_code (554)
The numerical Postfix SMTP server response
code
when a remote SMTP client request is blocked by
the
reject_rbl_client,
reject_rhsbl_client,
reject_rhsbl_sender or
reject_rhsbl_recipient
restriction.
non_fqdn_reject_code (504)
The numerical Postfix SMTP server reply code when
a
client request is rejected by
the
reject_non_fqdn_hostname, reject_non_fqdn_sender
or
reject_non_fqdn_recipient restriction.
reject_code (554)
The numerical Postfix SMTP server response
code
when a remote SMTP client request is rejected
by
the "reject" restriction.
relay_domains_reject_code (554)
The numerical Postfix SMTP server response
code
when a client request is rejected by
the
reject_unauth_destination recipient restriction.
unknown_address_reject_code (450)
The numerical Postfix SMTP server response
code
when a sender or recipient address is rejected
by
the reject_unknown_sender_domain
or
reject_unknown_recipient_domain restriction.
unknown_client_reject_code (450)
The numerical Postfix SMTP server response
code
when a client without valid address <=> name
map-
ping is rejected by the
reject_unknown_client
restriction.
unknown_hostname_reject_code (450)
The numerical Postfix SMTP server response
code
when the hostname specified with the HELO or
EHLO
command is rejected by the
reject_unknown_hostname
restriction.
multi_recipient_bounce_reject_code (550)
The numerical Postfix SMTP server response
code
when a remote SMTP client request is blocked by
the
reject_multi_recipient_bounce restriction.
rbl_reply_maps (empty)
Optional lookup tables with RBL response
templates.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications
that
are generated by the mail system.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
mail_name (Postfix)
The mail system name that is displayed in
Received:
headers, in the SMTP greeting banner, and
in
bounced mail.
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
myorigin ($myhostname)
The domain name that locally-posted mail appears
to
come from, and that locally posted mail is
deliv-
ered to.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
recipient_delimiter (empty)
The separator between user names and address
exten-
sions (user+foo).
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SMTP
server to immediately terminate the session with
a
221 code.
SEE ALSO
anvil(8), connection/rate limiting
cleanup(8), message canonicalization
tlsmgr(8), TLS session and PRNG management
trivial-rewrite(8), address resolver
verify(8), address verification service
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
README FILES
ADDRESS_CLASS_README, blocking unknown hosted or relay
recipients
ADDRESS_REWRITING_README Postfix address manipulation
FILTER_README, external after-queue content filter
LOCAL_RECIPIENT_README, blocking unknown local recipients
SMTPD_ACCESS_README, built-in access policies
SMTPD_POLICY_README, external policy server
SMTPD_PROXY_README, external before-queue content filter
SASL_README, Postfix SASL howto
TLS_README, Postfix STARTTLS howto
VERP_README, Postfix XVERP extension
XCLIENT_README, Postfix XCLIENT extension
XFORWARD_README, Postfix XFORWARD extension
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
SMTPD
(8)
● Transform an incomplete address into a complete address. For example, transform "username" into
"username@example.com", or transform "username@hostname" into "username@hostname.
example.com".
● Replace an address by multiple addresses. For example, replace the address of an alias by the
addresses listed under that alias.
● Determine how and where to deliver mail for a specific address. For example, deliver mail for
"username@example.com" with the smtp(8) delivery agent, to the hosts that are listed in the DNS
as the mail servers for the domain "example.com".
Although Postfix currently has no address rewriting language, it can do surprisingly powerful address
manipulation via table lookup. Postfix typically uses lookup tables with fixed strings to map one address
to one or multiple addresses, and typically uses regular expressions to map multiple addresses to one or
multiple addresses. Fixed-string lookup tables may be in the form of local files, or in the form of NIS,
LDAP or SQL databases. The DATABASE_README document gives an introduction to Postfix lookup
tables.
❍ Address masquerading
❍ Virtual aliasing
Postfix versions 2.2 give you the option to either not rewrite message headers from remote SMTP clients
at all, or to label incomplete addresses in such message headers as invalid. Here is how it works:
● Postfix does not rewrite message headers from remote SMTP clients at all when the
remote_header_rewrite_domain parameter value is empty.
● Otherwise, Postfix appends the specified domain name to incomplete addresses in message headers
from remote SMTP clients. This feature can be used to append a reserved domain such as "domain.
invalid", so that incomplete addresses cannot be mistaken for local addresses.
The local_header_rewrite_clients parameter controls what SMTP clients Postfix considers local instead of
remote.
trivial- trivial-
rewrite(8) rewrite(8)
(std form) (resolve)
^ | ^ |
| v | v
smtp
smtpd(8)
(8)
qmqpd cleanup - - - - lmtp
>- incoming active qmgr(8)
(8) (8) > > > < (8)
pickup local
(8) (8)
^ ^ |
| | v
bounces
forwarding deferred
notices
The table below summarizes all Postfix address manipulations. If you're reading this document for the
first time, skip forward to "Address rewriting when mail is received". Once you've finished reading the
remainder of this document, the table will help you to quickly find what you need.
trivial-
Resolve address to
all mail rewrite none none
destination
(8)
trivial-
Mail transport switch all mail rewrite transport_maps none
(8)
trivial-
Relocated users table all mail rewrite relocated_maps none
(8)
Local alias database all mail local(8) alias_maps none
Local per-user .
all mail local(8) forward_path none
forward files
Local catch-all address all mail local(8) luser_relay none
The cleanup(8) server transforms the sender, recipients and message content into a standard form before
writing it to an incoming queue file. The server cleans up sender and recipient addresses in message
headers and in the envelope, adds missing message headers such as From: or Date: that are required by
mail standards, and removes message headers such as Bcc: that should not be present. The cleanup(8)
server delegates the more complex address manipulations to the trivial-rewrite(8) server as described later
in this document.
Before the cleanup(8) daemon runs an address through any address mapping lookup table, it first rewrites
the address to the standard "user@fully.qualified.domain" form, by sending the address to the trivial-
rewrite(8) daemon. The purpose of rewriting to standard form is to reduce the number of entries needed in
lookup tables.
Postfix versions 2.2 and later do not rewrite message headers from remote SMTP clients at all, unless a
non-empty domain name is specified with the remote_header_rewrite_domain configuration parameter.
The local_header_rewrite_clients parameter controls what SMTP clients Postfix considers local.
The Postfix trivial-rewrite(8) daemon implements the following hard-coded address manipulations:
In case you wonder what this is, the address form above is called a route address,
and specifies that mail for "user@site" be delivered via "hosta" and "hostb". Usage
of this form has been deprecated for a long time. Postfix has no ability to handle
route addresses, other than to strip off the route part.
Postfix versions 2.2 and later either do not rewrite message headers from remote
SMTP clients at all, or they append the domain name specified with the
remote_header_rewrite_domain configuration parameter.
If your machine is not the main machine for $myorigin and you wish to have some
users delivered locally without going via that main machine, make an entry in the
virtual alias table that redirects "user@$myorigin" to "user@$myhostname". See
also the "delivering some users locally" section in the
STANDARD_CONFIGURATION_README document.
Postfix versions 2.2 and later either do not rewrite message headers from remote
clients at all, or they append the domain name specified with the
remote_header_rewrite_domain configuration parameter.
Some will argue that rewriting "host" to "host.domain" is bad. That is why it can be
turned off. Others like the convenience of having Postfix's own domain appended
automatically.
A single trailing dot is silently removed. However, an address that ends in multiple
dots will be rejected as an invalid address.
The cleanup(8) daemon uses the canonical(5) tables to rewrite addresses in message envelopes and in
message headers. By default all header and envelope addresses are rewritten; this is controlled with the
canonical_classes configuration parameter.
Postfix versions 2.2 and later do not rewrite message headers from remote clients at all, unless a non-
empty domain name is specified with the remote_header_rewrite_domain configuration parameter. The
local_header_rewrite_clients parameter controls what SMTP clients Postfix considers local.
Address rewriting is done for local and remote addresses. The mapping is useful to replace login names
by "Firstname.Lastname" style addresses, or to clean up invalid domains in mail addresses produced by
legacy mail systems.
Canonical mapping is disabled by default. To enable, edit the canonical_maps parameter in the main.cf
file and specify one or more lookup tables, separated by whitespace or commas.
Example:
/etc/postfix/main.cf:
canonical_maps = hash:/etc/postfix/canonical
/etc/postfix/canonical:
wietse Wietse.Venema
For static mappings as shown above, lookup tables such as hash:, ldap:, mysql: or pgsql: are sufficient.
For dynamic mappings you can use regular expression tables. This requires that you become intimately
familiar with the ideas expressed in regexp_table(5), pcre_table(5) and canonical(5).
In addition to the canonical maps which are applied to both sender and recipient addresses, you can
specify canonical maps that are applied only to sender addresses or to recipient addresses.
Example:
/etc/postfix/main.cf:
sender_canonical_maps = hash:/etc/postfix/
sender_canonical
recipient_canonical_maps = hash:/etc/postfix/
recipient_canonical
The sender and recipient canonical maps are applied before the common canonical maps. The
sender_canonical_classes and recipient_canonical_classes parameters control what addresses are subject
to sender_canonical_maps and recipient_canonical_maps mappings, respectively.
Sender-specific rewriting is useful when you want to rewrite ugly sender addresses to pretty ones, and still
want to be able to send mail to the those ugly address without creating a mailer loop.
Canonical mapping can be turned off selectively for mail received by smtpd(8), qmqpd(8), or pickup(8),
by overriding main.cf settings in the master.cf file. This feature is available in Postfix version 2.1 and
later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n -
- smtpd
-o receive_override_options=no_address_mapping
Address masquerading
Address masquerading is a method to hide hosts inside a domain behind their mail gateway, and to make
it appear as if the mail comes from the gateway itself, instead of from individual machines.
Postfix versions 2.2 and later do not rewrite message headers from remote SMTP clients at all, unless a
non-empty domain name is specified with the remote_header_rewrite_domain configuration parameter.
The local_header_rewrite_clients parameter controls what SMTP clients Postfix considers local.
Address masquerading is disabled by default, and is implemented by the cleanup(8) server. To enable,
edit the masquerade_domains parameter in the main.cf file and specify one or more domain names
separated by whitespace or commas. When Postfix tries to masquerade a domain, it processes the list from
left to right, and processing stops at the first match.
Example:
/etc/postfix/main.cf:
masquerade_domains = foo.example.com example.com
A domain name prefixed with "!" means do not masquerade this domain or its subdomains:
/etc/postfix/main.cf:
masquerade_domains = !foo.example.com example.com
The masquerade_exceptions configuration parameter specifies what user names should not be subjected to
address masquerading. Specify one or more user names separated by whitespace or commas.
Example:
/etc/postfix/main.cf:
masquerade_exceptions = root
Subtle point: by default, address masquerading is applied only to message headers and to envelope sender
addresses, but not to envelope recipients. This allows you to use address masquerading on a mail gateway
machine, while still being able to forward mail from outside to users on individual machines.
In order to subject envelope recipient addresses to masquerading, too, specify (Postfix version 1.1 and
later):
/etc/postfix/main.cf:
masquerade_classes = envelope_sender, envelope_recipient,
header_sender, header_recipient
If you rewrite the envelope recipient like this, Postfix will no longer be able to send mail to individual
machines.
Address masquerading can be turned off selectively for mail received by smtpd(8), qmqpd(8), or pickup
(8), by overriding main.cf settings in the master.cf file. This feature is available in Postfix version 2.1 and
later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n -
- smtpd
-o receive_override_options=no_address_mapping
After applying the canonical and masquerade mappings, the cleanup(8) daemon can generate optional
BCC (blind carbon-copy) recipients. Postfix provides three mechanisms:
always_bcc = address
Deliver a copy of all mail to the specified address. In Postfix versions before 2.1,
this feature is implemented by smtpd(8), qmqpd(8), or pickup(8).
sender_bcc_maps = type:table
Search the specified "type:table" lookup table with the envelope sender address for
an automatic BCC address. This feature is available in Postfix 2.1 and later.
recipient_bcc_maps = type:table
Search the specified "type:table" lookup table with the envelope recipient address
for an automatic BCC address. This feature is available in Postfix 2.1 and later.
Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC
recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates
itself.
Automatic BCC recipients (including always_bcc) can be turned off selectively for mail received by smtpd
(8), qmqpd(8), or pickup(8), by overriding main.cf settings in the master.cf file. This feature is available
in Postfix version 2.1 and later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n -
- smtpd
-o receive_override_options=no_address_mapping
Virtual aliasing
Before writing the recipients to the queue file, the cleanup(8) daemon uses the optional virtual(5) alias
tables to redirect mail for recipients. The mapping affects only envelope recipient addresses; it has no
effect on message headers or envelope sender addresses. Virtual alias lookups are useful to redirect mail
for virtual alias domains to real user mailboxes, and to redirect mail for domains that no longer exist.
Virtual alias lookups can also be used to transform " Firstname.Lastname " back into UNIX login names,
although it seems that local aliases may be a more appropriate vehicle. See the VIRTUAL_README
document for an overview of methods to host virtual domains with Postfix.
Virtual aliasing is disabled by default. To enable, edit the virtual_alias_maps parameter in the main.cf file
and specify one or more lookup tables, separated by whitespace or commas.
Example:
/etc/postfix/main.cf:
virtual_alias_maps = hash:/etc/postfix/virtual
/etc/postfix/virtual:
Wietse.Venema wietse
Addresses found in virtual alias maps are subjected to another iteration of virtual aliasing, but are not
subjected to canonical mapping, in order to avoid loops.
For static mappings as shown above, lookup tables such as hash:, ldap:, mysql: or pgsql: are sufficient.
For dynamic mappings you can use regular expression tables. This requires that you become intimately
familiar with the ideas expressed in regexp_table(5), pcre_table(5) and virtual(5).
Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC
recipients are not generated for mail that is forwarded internally, and are not generated for mail that is
generated by Postfix itself.
Virtual aliasing can be turned off selectively for mail received by smtpd(8), qmqpd(8), or pickup(8), by
overriding main.cf settings in the master.cf file. This feature is available in Postfix version 2.1 and later.
Example:
/etc/postfix/master.cf:
:10026 inet n - n -
- smtpd
-o receive_override_options=no_address_mapping
At this point the message is ready to be stored into the Postfix incoming queue.
Each Postfix delivery agent tries to deliver the mail to its destination, while encapsulating the sender,
recipients, and message content according to the rules of the SMTP, LMTP, etc. protocol. When mail
cannot be delivered, it is either returned to the sender or moved to the deferred queue and tried again later.
Address manipulations when mail is delivered via the local(8) delivery agent:
The remainder of this document presents each address manipulation step in more detail, with specific
examples or with pointers to documentation with examples.
The Postfix qmgr(8) queue manager selects new mail from the incoming queue or old mail from the
deferred queue, and asks the trivial-rewrite(8) address rewriting and resolving daemon where it should be
delivered.
As of version 2.0, Postfix distinguishes four major address classes. Each class has its own list of domain
names, and each class has its own default delivery method, as shown in the table below. See the
ADDRESS_CLASS_README document for the fine details. Postfix versions before 2.0 only distinguish
between local delivery and everything else.
Default delivery
Destination domain list Availability
method
$mydestination, $inet_interfaces,
$local_transport Postfix 1.0
$proxy_interfaces
$virtual_mailbox_domains $virtual_transport Postfix 2.0
$relay_domains $relay_transport Postfix 2.0
none $default_transport Postfix 1.0
Once the trivial-rewrite(8) daemon has determined a default delivery method it searches the optional
transport(5) table for information that overrides the message destination and/or delivery method. Typical
use of the transport(5) is to send mail to a system that is not connected to the Internet, or to use a special
SMTP client configuration for destinations that have special requirements. See, for example, the
STANDARD_CONFIGURATION_README and UUCP_README documents, and the examples in
the transport(5) manual page.
Transport table lookups are disabled by default. To enable, edit the transport_maps parameter in the main.
cf file and specify one or more lookup tables, separated by whitespace or commas.
Example:
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
Next, the trivial-rewrite(8) address rewriting and resolving daemon runs each recipient through the
relocated(5) database. This table provides information on how to reach users that no longer have an
account, or what to do with mail for entire domains that no longer exist. When mail is sent to an address
that is listed in this table, the message is returned to the sender with an informative message.
The relocated(5) database is searched after transport(5) table lookups, in anticipation of transport(5) tables
that can replace one recipient address by a different one.
Lookups of relocated users are disabled by default. To enable, edit the relocated_maps parameter in the
main.cf file and specify one or more lookup tables, separated by whitespace or commas.
Example:
/etc/postfix/main.cf:
relocated_maps = hash:/etc/postfix/relocated
/etc/postfix/relocated:
username@example.com otheruser@elsewhere.tld
As of Postfix version 2, mail for a relocated user will be rejected by the SMTP server with the reason
"user has moved to otheruser@elsewhere.tld". Older Postfix versions will receive the mail first, and then
return it to the sender as undeliverable, with the same reason.
When mail is to be delivered locally, the local(8) delivery agent runs each local recipient name through
the aliases(5) database. The mapping does not affect addresses in message headers. Local aliases are
typically used to implement distribution lists, or to direct mail for standard aliases such as postmaster to
real people. The table can also be used to map "Firstname.Lastname" addresses to login names.
Alias lookups are enabled by default. The default configuration depends on the operating system
environment, but it is typically one of the following:
/etc/postfix/main.cf:
alias_maps = hash:/etc/aliases
alias_maps = dbm:/etc/aliases, nis:mail.aliases
The pathname of the alias database file is controlled with the alias_database configuration parameter. The
value is system dependent. Usually it is one of the following:
/etc/postfix/main.cf:
alias_database = hash:/etc/aliases (4.4BSD, LINUX)
alias_database = dbm:/etc/aliases (4.3BSD, SYSV<4)
alias_database = dbm:/etc/mail/aliases (SYSV4)
An aliases(5) file can specify that mail should be delivered to a local file, or to a command that receives
the message in the standard input stream. For security reasons, deliveries to command and file
destinations are performed with the rights of the alias database owner. A default userid, default_privs, is
used for deliveries to commands or files in "root"-owned aliases.
With delivery via the local(8) deliver agent, users can control their own mail delivery by specifying
destinations in a file called .forward in their home directories. The syntax of these files is the same as with
the local aliases(5) file, except that the left-hand side of the alias (lookup key and colon) are not present.
When the local(8) delivery agent finds that a message recipient does not exist, the message is normally
returned to the sender ("user unknown"). Sometimes it is desirable to forward mail for non-existing
recipients to another machine. For this purpose you can specify an alternative destination with the
luser_relay configuration parameter.
Alternatively, mail for non-existent recipients can be delegated to an entirely different message transport,
as specified with the fallback_transport configuration parameter. For details, see the local(8) delivery
agent documentation.
Note: if you use the luser_relay feature in order to receive mail for non-UNIX accounts, then you must
specify:
/etc/postfix/main.cf:
local_recipient_maps =
(i.e. empty) in the main.cf file, otherwise the Postfix SMTP server will reject mail for non-UNIX accounts
with "User unknown in local recipient table". See the LOCAL_RECIPIENT_README file for more
information on this.
$user@other.host
$local@other.host
sysadmin+$user
sysadmin+$local
purposes. These reports not only show sender/recipient addresses after address rewriting and alias
expansion or forwarding, they also show information about delivery to mailbox, delivery to non-Postfix
command, responses from remote SMTP servers, and so on.
Postfix can produce two types of mail delivery reports for debugging:
● What-if: report what would happen, but do not actually deliver mail. This mode of operation is
requested with:
● What happened: deliver mail and report successes and/or failures, including replies from remote
SMTP servers. This mode of operation is requested with:
$ /usr/sbin/sendmail -v address...
Mail Delivery Status Report will be mailed to <your login name>.
These reports contain information that is generated by Postfix delivery agents. Since these run as daemon
processes and do not interact with users directly, the result is sent as mail to the sender of the test
message. The format of these reports is practically identical to that of ordinary non-delivery notifications.
As an example, below is the delivery report that is produced with the command "sendmail -bv postfix-
users@postfix.org". The first part of the report contains human-readable text. In this case, mail would be
delivered via mail.cloud9.net, and the SMTP server replies with "250 Ok". Other reports may show
delivery to mailbox, or delivery to non-Postfix command.
Content-Description: Notification
Content-Type: text/plain
The second part of the report is in machine-readable form, and includes the following information:
Some details are still preliminary and will change as Postfix implements the DSN (delivery status
notification) standards.
The third part of the report contains the message that Postfix would have delivered, including From: and
To: message headers, so that you can see any effects of address rewriting on those. Mail submitted with
"sendmail -bv" has no body content so none is shown in the example below.
Content-Description: Message
Content-Type: message/rfc822
Postfix Architecture
Overview
Introduction
This document presents an overview of the Postfix architecture, and is the place where you find
a pointer to every Postfix command or server program. The text gives the general context in
which each command or server program is used, and provides pointers to documents with
specific usage examples and background information.
trivial-
rewrite(8)
-
Network smtpd(8) ^ |
>
| v
\
- -
Network qmqpd(8) -> cleanup(8) incoming
> >
/
pickup(8) <- maildrop
^
|
- sendmail postdrop
Local ->
> (1) (1)
● Network mail enters Postfix via the smtpd(8) or qmqpd(8) servers. These servers
remove the SMTP or QMQP protocol encapsulation, enforce some sanity checks to
protect Postfix, and give the sender, recipients and message content to the cleanup(8)
server. The smtpd(8) server can be configured to block unwanted mail, as described in
the SMTPD_ACCESS_README document.
● Local submissions are received with the Postfix sendmail(1) compatibility command,
and are queued in the maildrop queue by the privileged postdrop(1) command. This
arrangement even works while the Postfix mail system is not running. The local pickup
(8) server picks up local submissions, enforces some sanity checks to protect Postfix,
and gives the sender, recipients and message content to the cleanup(8) server.
● Mail from internal sources is given directly to the cleanup(8) server. These sources are
not shown in the figure, and include: mail that is forwarded by the local(8) delivery
agent (see next section), messages that are returned to the sender by the bounce(8)
server (see second-next section), and postmaster notifications about problems with
Postfix.
● The cleanup(8) server implements the final processing stage before mail is queued. It
adds missing From: and other message headers, transforms addresses as described in the
ADDRESS_REWRITING_README document. Optionally, the cleanup(8) server can
be configured to do light-weight content inspection with regular expressions as
described in the BUILTIN_FILTER_README document. The cleanup(8) server places
the result as a single file into the incoming queue, and notifies the queue manager (see
next section) of the arrival of new mail.
trivial- -
smtp(8) Network
rewrite >
(8) /
-
^ | - lmtp(8) Network
>
| v
/
- - - File,
incoming active qmgr(8) --- local(8)
> > > command
\
^ |
virtual -
| v - File
(8) >
deferred \
-
pipe(8) Command
>
● The queue manager (the qmgr(8) server process in the figure) is the heart of Postfix mail
delivery. It contacts the smtp(8), lmtp(8), local(8), virtual(8), pipe(8), discard(8) or error
(8) delivery agents, and sends a delivery request for one or more recipient addresses.
The discard(8) and error(8) delivery agents are special: they discard or bounce all mail,
they are not shown in the figure above.
The queue manager maintains a small active queue with the messages that it has opened
for delivery. The active queue acts as a limited window on potentially large incoming or
deferred queues. The limited active queue prevents the queue manager from running out
of memory under heavy load.
The queue manager maintains a separate deferred queue for mail that cannot be
delivered, so that a large mail backlog will not slow down normal queue accesses. The
queue manager's strategy for delayed mail delivery attempts is described in the
● The trivial-rewrite(8) server resolves each recipient address according to its local and
remote address class, as defined in the ADDRESS_CLASS_README document.
Additional routing information can be specified with the optional transport(5) table. The
trivial-rewrite(8) server optionally queries the relocated(5) table for recipients whose
address has changed; mail for such recipients is returned to the sender with an
explanation.
● The smtp(8) client looks up a list of mail exchangers for the destination host, sorts the
list by preference, and tries each server in turn until it finds a server that responds. It
then encapsulates the sender, recipient and message content as required by the SMTP
protocol; this includes conversion of 8-bit MIME to 7-bit encoding.
● The lmtp(8) client speaks a protocol similar to SMTP that is optimized for delivery to
mailbox servers such as Cyrus. The advantage of this setup is that one Postfix machine
can feed multiple mailbox servers over LMTP. The opposite is true as well: one
mailbox server can be fed over LMTP by multiple Postfix machines. The
LMTP_README document gives examples of how to use the lmtp(8) client.
The local(8) delivery agent has hooks for alternative forms of local delivery: you can
configure it to deliver to mailbox files in user home directories, you can configure it to
delegate mailbox delivery to an external command such as procmail, or you can
delegate delivery to a different Postfix delivery agent.
● The virtual(8) delivery agent is a bare-bones delivery agent that delivers to UNIX-style
mailbox or qmail-style maildir files only. This delivery agent can deliver mail for
multiple domains, which makes it especially suitable for hosting lots of small domains
on a single machine. This is described in the VIRTUAL_README document.
● The pipe(8) mailer is the outbound interface to other mail processing systems (the
Postfix sendmail(1) command being the inbound interface). The interface is UNIX
compatible: it provides information on the command line and on the standard input
stream, and expects a process exit status code as defined in <sysexits.h>. Examples of
delivery via the pipe(8) mailer are in the MAILDROP_README and
UUCP_README documents.
● The resident master(8) server is the supervisor that keeps an eye on the well-being of the
Postfix mail system. It is typically started at system boot time with the "postfix start"
command, and keeps running until the system goes down. The master(8) server is
responsible for starting Postfix server processes to receive and deliver mail, and for
restarting servers that terminate prematurely because of some problem. The master(8)
server is also responsible for enforcing the server process count limits as specified in the
master.cf configuration file. The picture below gives the program hierarchy when
Postfix is started up. Only some of the mail handling daemon processes are shown.
postfix(1)
|
|
postfix-script
(1)
/ | \
/ | \
postsuper postlog
master(8)
(1) (1)
/ | \
/ | \
smtpd(8) qmgr(8) local(8)
● The anvil(8) server implements client connection and rate limiting for all smtpd(8)
servers. The TUNING_README document provides guidance for dealing with mis-
behaving SMTP clients. The anvil(8) service is not included with Postfix version 2.1 or
earlier.
- <-
Network smtpd(8) anvil(8)
> >
● The bounce(8), defer(8) and trace(8) servers each maintain their own queue directory
trees with per-message logfiles. This information is used to send delivery or non-
delivery notifications to the sender.
The trace(8) service implements support for the Postfix "sendmail -bv" and "sendmail -
v" commands which produce reports about how Postfix delivers mail, and is available
with Postfix version 2.1 and later. See DEBUG_README for examples.
qmgr(8)
cleanup Delivery
-> Postfix ->
(8) agents
queue
^ | |
| v v
(Non-) bounce(8) Queue id,
delivery <- defer(8) <- recipient,
notice trace(8) status
^ |
| v
Per-
message
logfiles
● The flush(8) servers maintain per-destination logs and implement both ETRN and
"sendmail -qRdestination", as described in the ETRN_README document. This moves
selected queue files from the deferred queue back to the incoming queue and requests
their delivery. The flush(8) service is available with Postfix version 1.0 and later.
incoming
^
deferred
^
|
smtpd(8) Delivery
sendmail(1) Deferred agents,
Destination -
- flush(8) <- destination, -
postqueue to flush > qmgr
queue id
(1) (8)
^ |
| v
Per-dest-
ination
logs
● The proxymap(8) servers provide read-only table lookup service to Postfix processes.
This overcomes chroot restrictions, and reduces the number of open lookup tables by
sharing one open table among multiple processes.
● The scache(8) server maintains the connection cache for the Postfix smtp(8) client.
When connection caching is enabled for selected destinations, the smtp(8) client does
not disconnect immediately after a mail transaction, but gives the connection to the
connection cache server. The smtp(8) client continues with some other mail delivery
request. Meanwhile, the connection cache server keeps the connection open for a
limited amount of time. During that time, any smtp(8) process can ask the scache(8)
server for that cached connection and use it for mail delivery.
● The showq(8) servers list the Postfix queue status. This is the queue listing service that
does the work for the mailq(1) and postqueue(1) commands.
mailq(1)
post- showq Postfix
Output <- <- <-
queue (8) queue
(1)
● The spawn(8) servers run non-Postfix commands on request, with the client connected
via socket or FIFO to the command's standard input, output and error streams. You can
find examples of its use in the SMTPD_POLICY_README document.
● The verify(8) server verifies that a sender or recipient address is deliverable before the
smtpd(8) server accepts it. The verify(8) server injects probe messages into the Postfix
queue and processes status updates from delivery agents and/or queue manager. This
process is described in the ADDRESS_VERIFICATION_README document. The
verify(8) service is available with Postfix version 2.1 and later.
qmgr(8)
- smtpd <- verify - cleanup - Delivery
Network -> Postfix
> (8) > (8) > (8) > agents
queue
\ | /
\ <- <- v /
● The postfix(1) command controls the operation of the mail system. It is the interface for
starting, stopping, and restarting the mail system, as well as for some other
administrative operations. This command is reserved to the super-user.
● The postalias(1) command maintains Postfix aliases(5) type databases. This is the
program that does the work for the newaliases(1) command.
● The postcat(1) command displays the contents of Postfix queue files. This is a limited,
preliminary utility. This program is likely to be superseded by something more powerful
that can also edit Postfix queue files.
● The postconf(1) command displays or updates Postfix main.cf parameters and displays
system dependent information about the supported file locking methods, and the
supported types of lookup tables.
● The postdrop(1) command is the mail posting utility that is run by the Postfix sendmail
(1) command in order to deposit mail into the maildrop queue directory.
● The postlock(1) command provides Postfix-compatible mailbox locking for use in, for
example, shell scripts.
● The postmap(1) command maintains Postfix lookup tables such as canonical(5), virtual
(5) and others. It is a cousin of the UNIX makemap command.
● The postqueue(1) command is the privileged command that is run by Postfix sendmail
(1) and mailq(1) in order to flush or list the mail queue.
● The postsuper(1) command maintains the Postfix queue. It removes old temporary files,
and moves queue files into the right directory after a change in the hashing depth of
queue directories. This command is run at mail system startup time and when Postfix is
restarted.
QMQPD(8) QMQPD
(8)
NAME
qmqpd - Postfix QMQP server
SYNOPSIS
qmqpd [generic Postfix daemon options]
DESCRIPTION
The Postfix QMQP server receives one message per
connec-
tion. Each message is piped through the cleanup(8)
dae-
mon, and is placed into the incoming queue as one
single
queue file. The program expects to be run from the
mas-
ter(8) process manager.
SECURITY
The QMQP server is moderately security-sensitive. It
talks
to QMQP clients and to DNS servers on the network.
The
QMQP server can be run chrooted at fixed low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The QMQP protocol provides only one server reply per
mes-
sage delivery. It is therefore not possible to
reject
individual recipients.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically,
as
qmqpd(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
receive_override_options (empty)
Enable or disable recipient validation, built-
in
content filtering, or address rewriting.
hopcount_limit (50)
The maximal number of Received: message
headers
that is allowed in the primary message headers.
message_size_limit (10240000)
The maximal size in bytes of a message,
including
envelope information.
qmqpd_timeout (300s)
The time limit for sending or receiving
information
over the network.
debug_peer_list (empty)
Optional list of remote client or server
hostname
or network address patterns that cause the
verbose
logging level to increase by the amount
specified
in $debug_peer_level.
soft_bounce (no)
Safety net to keep mail queued that would
otherwise
be returned to the sender.
TARPIT CONTROLS
qmqpd_error_delay (1s)
How long the QMQP server will pause before
sending
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
qmqpd_authorized_clients (empty)
What clients are allowed to connect to the
QMQP
server port.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
verp_delimiter_filter (-=+)
The characters Postfix accepts as VERP
delimiter
characters on the Postfix sendmail(1) command
line
and in SMTP commands.
SEE ALSO
http://cr.yp.to/proto/qmqp.html, QMQP protocol
cleanup(8), message canonicalization
master(8), process manager
syslogd(8), system logging
README FILES
QMQP_README, Postfix ezmlm-idx howto.
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
The qmqpd service was introduced with Postfix version
1.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
QMQPD
(8)
http://www.subneural.net/postfix-master/QMQP_README.html01/16/2005 15:46:28
Postfix SMTP relay and access control
Introduction
The Postfix SMTP server receives mail from the network and is exposed to the big bad world
of junk email and viruses. This document introduces the built-in and external methods that
control what SMTP mail Postfix will accept, what mistakes to avoid, and how to test your
configuration.
By default, Postfix has a moderately restrictive approach to mail relaying. Postfix forwards
mail only from clients in trusted networks, or to domains that are configured as authorized
relay destinations. For a description of the default policy, see the smtpd_recipient_restrictions
parameter in the postconf(5) manual page, and the information that is referenced from there.
Most of the Postfix SMTP server access controls are targeted at stopping junk email.
● Protocol oriented: some SMTP server access controls block mail by being very strict
with respect to the SMTP protocol; these catch poorly implemented and/or poorly
configured junk email software, as well as email worms that come with their own non-
standard SMTP client implementations. Protocol-oriented access controls become less
useful over time as spammers and worm writers learn to read RFC documents.
● Blacklist oriented: some SMTP server access controls query blacklists with known to be
bad sites such as open mail relays, open web proxies, and home computers that have
been compromised and that are under remote control by criminals. The effectiveness of
these blacklists depends on how complete and how up to date they are.
● Threshold oriented: some SMTP server access controls attempt to raise the bar by either
making the client do more work (greylisting) or by asking for a second opinion (SPF
and sender/recipient address verification). The greylisting and SPF policies are
implemented externally, and are the subject of the SMTPD_POLICY_README
document. Sender/recipient address verification is the subject of the
ADDRESS_VERIFICATION_README document.
Unfortunately, all junk mail controls have the possibility of falsely rejecting legitimate mail.
This can be a problem for sites with many different types of users. For some users it is
unacceptable when any junk email slips through, while for other users the world comes to an
end when a single legitimate email message is blocked. Because there is no single policy that is
"right" for all users, Postfix supports different SMTP access restrictions for different users.
This is described in the RESTRICTION_CLASS_README document.
● Requiring that the client sends the HELO or EHLO command before sending the MAIL
FROM or ETRN command. This may cause problems with home-grown applications
that send mail. For this reason, the requirement is disabled by default
("smtpd_helo_required = no").
● Disallowing illegal syntax in MAIL FROM or RCPT TO commands. This may cause
problems with home-grown applications that send mail, and with ancient PC mail
clients. For this reason, the requirement is disabled by default ("strict_rfc821_envelopes
= no").
❍ Disallowing RFC 822 address syntax (example: "MAIL FROM: the dude
<dude@example.com>").
❍ Disallowing addresses that are not enclosed with <> (example: "MAIL FROM:
dude@example.com").
● Rejecting mail from a non-existent sender address. This form of egress filtering helps to
slow down worms and other malware, but may cause problems with home-grown
software that sends out mail software with an unreplyable address. For this reason the
requirement is disabled by default ("smtpd_reject_unlisted_sender = no").
● Rejecting mail for a non-existent recipient address. This form of ingress filtering helps
to keep the mail queue free of undeliverable MAILER-DAEMON messages. This
requirement is enabled by default ("smtpd_reject_unlisted_recipient = yes").
/etc/postfix/main.cf:
# Allow connections from trusted networks only.
smtpd_client_restrictions = permit_mynetworks, reject
Each restriction list is evaluated from left to right until some restriction produces a result of
PERMIT, REJECT or DEFER (try again later). The end of the list is equivalent to a PERMIT
result. By placing a PERMIT restriction before a REJECT restriction you can make exceptions
for specific clients or users. This is called whitelisting; the last example above allows mail
from local networks but otherwise rejects mail to arbitrary destinations.
The table below summarizes the purpose of each SMTP access restriction list. All lists use the
exact same syntax; they differ only in the time of evaluation and in the effect of a REJECT or
DEFER result.
Current Postfix versions postpone the evaluation of client, helo and sender restriction lists until
Around the time that smtpd_delay_reject was introduced, Postfix was also changed to support
mixed restriction lists that combine information about the client, helo, sender and recipient or
etrn command.
● Some SMTP clients do not expect a negative reply early in the SMTP session. When the
bad news is postponed until the RCPT TO reply, the client goes away as it is supposed
to, instead of hanging around until a timeout happens, or worse, going into an endless
connect-reject-connect loop.
● Postfix can log more useful information. For example, when Postfix rejects a client
name or address and delays the action until the RCPT TO command, it can log the
sender and the recipient address. This is more useful than logging only the client
hostname and IP address and not knowing whose mail was being blocked.
● Mixing is needed for complex whitelisting policies. For example, in order to reject local
sender addresses in mail from non-local clients, you need to be able to mix restrictions
on client information with restrictions on sender information in the same restriction list.
Without this ability, many per-user access restrictions would be impossible to express.
The purpose of the smtpd_recipient_restrictions feature is to control how Postfix replies to the
RCPT TO command. If the restriction list evaluates to REJECT or DEFER, the recipient
address is rejected; no surprises here. If the result is PERMIT, then the recipient address is
accepted. And this is where surprises can happen.
Here is an example that shows when a PERMIT result can result in too much access
permission:
1 /etc/postfix/main.cf:
2 smtpd_recipient_restrictions =
3 permit_mynetworks
4 check_helo_access hash:/etc/postfix/helo_access
5 reject_unknown_hostname
6 reject_unauth_destination
7
8 /etc/postfix/helo_access:
9 localhost.localdomain PERMIT
Line 5 rejects mail from hosts that don't specify a proper hostname in the HELO command.
Lines 4 and 9 make an exception to allow mail from some machine that announces itself with
"HELO localhost.localdomain".
In order to avoid surprises like these with smtpd_recipient_restrictions, you should place non-
recipient restrictions AFTER the reject_unauth_destination restriction, not before. In the above
example, the HELO based restrictions should be placed AFTER reject_unauth_destination, or
better, the HELO based restrictions should be placed under smtpd_helo_restrictions where they
can do no harm.
soft_bounce
This is a safety net that changes SMTP server REJECT actions into DEFER (try again
later) actions. This keeps mail queued that would otherwise be returned to the sender.
Specify "soft_bounce = yes" in the main.cf file to prevent the Postfix SMTP server from
rejecting mail permanently, by changing all 5xx SMTP reply codes into 4xx.
warn_if_reject
This is a different safety net that changes SMTP server REJECT actions into warnings.
Instead of rejecting a command, Postfix logs what it would reject. Specify
"warn_if_reject" in an SMTP access restriction list, before the restriction that you want
to test without actually rejecting mail.
XCLIENT
With this Postfix 2.1 feature, authorized SMTP clients can impersonate other systems,
so that you can do realistic SMTP access rule tests. Examples of how to impersonate
other systems for access rule testing are given at the end of the XCLIENT_README
document.
With this policy delegation mechanism, a simple greylist policy can be implemented with only
a dozen lines of Perl, as is shown at the end of this document. Another example of policy
delegation is the SPF policy server by Meng Wong at http://spf.pobox.com/. Examples of both
policies can be found in the Postfix source code, in the directory examples/smtpd-policy.
Policy delegation is now the preferred method for adding policies to Postfix. It's much easier to
develop a new feature in few lines of Perl, than trying to do the same in C code. The difference
in performance will be unnoticeable except in the most demanding environments.
Protocol description
The Postfix policy delegation protocol is really simple. The client request is a sequence of
name=value attributes separated by newline, and is terminated by an empty line. The server
reply is one name=value attribute and it, too, is terminated by an empty line.
Here is an example of all the attributes that the Postfix SMTP server sends in a delegated
SMTPD access policy request:
request=smtpd_access_policy
protocol_state=RCPT
protocol_name=SMTP
helo_name=some.domain.tld
queue_id=8045F2AB23
sender=foo@bar.tld
recipient=bar@foo.tld
client_address=1.2.3.4
client_name=another.domain.tld
instance=123.456.7
sasl_method=plain
sasl_username=you
sasl_sender=
size=12345
[empty line]
Notes:
● The order of the attributes does not matter. The policy server should ignore any
attributes that it does not care about.
● When the same attribute name is sent more than once, the server may keep the first
value or the last attribute value.
● When an attribute value is unavailable, the client either does not send the attribute, or
sends the attribute with an empty value ("name=").
● An attribute name must not contain "=", null or newline, and an attribute value must not
contain null or newline.
● The "instance" attribute value can be used to correlate different requests regarding the
● The "size" attribute value specifies the message size that the client specified in the
MAIL FROM command (zero if none was specified). With Postfix 2.2 and later, it
specifies the actual message size when the client sends the END-OF-DATA command.
● Protocol states are CONNECT, EHLO, HELO, MAIL, RCPT, DATA, END-OF-
DATA, VRFY or ETRN; these are the SMTP protocol states where the Postfix SMTP
server makes an OK/REJECT/HOLD/etc. decision.
● The SASL attributes are sent only when SASL support is built into Postfix.
The policy server replies with any action that is allowed in a Postfix SMTPD access(5) table.
Example:
This causes the Postfix SMTP server to reject the request with a 450 temporary error code and
with text "Service temporarily unavailable", if the Postfix SMTP server finds no reason to
reject the request permanently.
In case of trouble the policy server must not send a reply. Instead the server must log a warning
and disconnect. Postfix will retry the request at some later time.
inet:127.0.0.1:9998
unix:/some/where/policy
unix:private/policy
The first example specifies that the policy server listens on a TCP socket at 127.0.0.1 port
9998. The second example specifies an absolute pathname of a UNIX-domain socket. The third
example specifies a pathname relative to the Postfix queue directory; use this for policy servers
that are spawned by the Postfix master daemon.
To create a policy service that listens on a UNIX-domain socket called "policy", and that runs
under control of the Postfix spawn(8) daemon, you would use something like this:
1 /etc/postfix/master.cf:
2 policy unix - n n -
- spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
6 smtpd_recipient_restrictions =
7 ...
8 reject_unauth_destination
9 check_policy_service unix:private/policy
10 ...
11 policy_time_limit = 3600
NOTES:
● Lines 2, 11: the Postfix spawn(8) daemon by default kills its child process after 1000
seconds. This is too short for a policy daemon that may run for as long as an SMTP
client is connected to an SMTP server process. The default time limit is overruled in
main.cf with an explicit "policy_time_limit" setting. The name of the parameter is the
name of the master.cf entry ("policy") concatenated with the "_time_limit" suffix.
● Solaris UNIX-domain sockets do not work reliably. Use TCP sockets instead:
1 /etc/postfix/master.cf:
2 127.0.0.1:9998 inet n n n
- - spawn
3 user=nobody argv=/some/where/policy-server
4
5 /etc/postfix/main.cf:
6 smtpd_recipient_restrictions =
7 ...
8 reject_unauth_destination
9 check_policy_service inet:127.0.0.1:9998
10 ...
11 127.0.0.1:9998_time_limit = 3600
Other configuration parameters that control the client side of the policy delegation protocol:
In the greylist.pl Perl script you need to specify the location of the greylist database file, and
how long mail will be delayed before it is accepted. The default settings are:
$database_name="/var/mta/greylist.db";
$greylist_delay=60;
The /var/mta directory (or whatever you choose) should be writable by "nobody", or by
whatever username you configure below in master.cf for the policy service.
Example:
# mkdir /var/mta
# chown nobody /var/mta
Note: DO NOT create the greylist database in a world-writable directory such as /tmp or /var/
tmp, and DO NOT create the greylist database in a file system that may run out of space.
Postfix can survive "out of space" conditions with the mail queue and with the mailbox store,
but it cannot survive a corrupted greylist database. If the file becomes corrupted you may not
be able to receive mail at all until you delete the file by hand.
The greylist.pl Perl script can be run under control by the Postfix master daemon. For example,
to run the script as user "nobody", using a UNIX-domain socket that is accessible by Postfix
processes only:
1 /etc/postfix/master.cf:
2 policy unix - n n -
- spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/
postfix/greylist.pl
4
5 /etc/postfix/main.cf:
6 policy_time_limit = 3600
Notes:
● Line 3: Specify "greylist.pl -v" for verbose logging of each request and reply.
● Lines 2, 6: the Postfix spawn(8) daemon by default kills its child process after 1000
seconds. This is too short for a policy daemon that may run for as long as an SMTP
client is connected to an SMTP server process. The default time limit is overruled in
main.cf with an explicit "policy_time_limit" setting. The name of the parameter is the
name of the master.cf entry ("policy") concatenated with the "_time_limit" suffix.
On Solaris you must use inet: style sockets instead of unix: style, as detailed in the "Policy
client/server configuration" section above.
1 /etc/postfix/master.cf:
2 127.0.0.1:9998 inet n n n
- - spawn
3 user=nobody argv=/usr/bin/perl /usr/libexec/
postfix/greylist.pl
4
5 /etc/postfix/main.cf:
6 127.0.0.1:9998_time_limit = 3600
1 /etc/postfix/main.cf:
2 smtpd_recipient_restrictions =
3 reject_unlisted_recipient
4 ...
5 reject_unauth_destination
6 check_sender_access hash:/etc/postfix/
sender_access
7 ...
8 restriction_classes = greylist
9 greylist = check_policy_service unix:private/
policy
10
11 /etc/postfix/sender_access:
12 aol.com greylist
13 hotmail.com greylist
14 bigfoot.com greylist
15 ... etcetera ...
NOTES:
● Line 9: On Solaris you must use inet: style sockets instead of unix: style, as detailed in
the "Example: greylist policy server" section above.
● Line 3: The greylist database gets polluted quickly with bogus addresses. It helps if you
protect greylist lookups with other restrictions that reject unknown senders and/or
recipients.
1 /etc/postfix/main.cf:
2 smtpd_recipient_restrictions =
3 reject_unlisted_recipient
4 ...
5 reject_unauth_destination
6 check_sender_access hash:/etc/postfix/
sender_access
7 check_policy_service unix:private/policy
8 ...
9
10 /etc/postfix/sender_access:
11 securityfocus.com OK
12 ...
NOTES:
● Line 7: On Solaris you must use inet: style sockets instead of unix: style, as detailed in
the "Example: greylist policy server" section above.
● Line 3: The greylist database gets polluted quickly with bogus addresses. It helps if you
precede greylist lookups with restrictions that reject unknown senders and/or recipients.
When the status file size exceeds some threshold you can simply rename or remove the file
without adverse effects; Postfix automatically creates a new file. In the worst case, new mail
will be delayed by an hour or so. To lessen the impact, rename or remove the file in the middle
of the night at the beginning of a weekend.
#
# greylist status database and greylist time interval. DO NOT
create the
# greylist status database in a world-writable directory such
as /tmp
# or /var/tmp. DO NOT create the greylist database in a file
system
# that can run out of space.
#
$database_name="/var/mta/greylist.db";
$greylist_delay=60;
#
# Demo SMTPD access policy routine. The result is an action
just like
# it would be specified on the right-hand side of a Postfix
access
# table. Request attributes are available via the %attr hash.
#
sub smtpd_access_policy {
my($key, $time_stamp, $now);
$now = time();
Introduction
This document requires Postfix version 2.1 or later.
Normally, Postfix receives mail, stores it in the mail queue and then delivers it. With the external content
filter described here, mail is filtered AFTER it is queued. This approach decouples mail receiving
processes from mail filtering processes, and gives you maximal control over how many filtering processes
you are willing to run in parallel.
Network or
Network or - Postfix - Content - Postfix -
local
local users > queue > filter > queue >
mailbox
This document describes implementations that use a single Postfix instance for everything: receiving,
filtering and delivering mail. Applications that use two separate Postfix instances will be covered by a
later version of this document.
The after-queue content filter is not to be confused with the approach that is described in the
SMTPD_PROXY_README document, where incoming SMTP mail is filtered BEFORE it is stored into
the Postfix queue.
This document describes two approaches to content filter all email, as well as several options to filter mail
selectively:
● Principles of operation
● Simple content filter
❍ Simple content filter example
Principles of operation
An external content filter receives unfiltered mail from Postfix (as described further below) and does one
of the following:
1. Re-inject the mail back into Postfix, perhaps after changing content and/or destination.
2. Reject the mail (by sending a suitable status code back to Postfix). Postfix will return the mail to
the sender.
NOTE: in this time of mail worms and forged spam, it is a VERY BAD IDEA to send viruses back to the
sender address, because the sender address is almost certainly not the originator. It is better to discard
known viruses, and to quarantine material that is suspect so that a human can decide what to do with it.
This means that mail submitted via the Postfix sendmail(1) command cannot be content filtered.
In the figure below, names followed by a number represent Postfix commands or daemon programs. See
the OVERVIEW document for an introduction to the Postfix architecture.
^ |
| v
Postfix Postfix
maildrop Content
<- postdrop <- sendmail <-
queue filter
(1) (1)
1 #!/bin/sh
2
3 # Simple shell-based filter. It is meant to be invoked as
follows:
4 # /path/to/script -f sender recipients...
5
6 # Localize these.
7 INSPECT_DIR=/var/spool/filter
8 SENDMAIL="/usr/sbin/sendmail -i"
9
10 # Exit codes from <sysexits.h>
11 EX_TEMPFAIL=75
12 EX_UNAVAILABLE=69
13
14 # Clean up when done or when aborting.
15 trap "rm -f in.$$" 0 1 2 3 15
16
17 # Start processing.
18 cd $INSPECT_DIR || {
19 echo $INSPECT_DIR does not exist; exit $EX_TEMPFAIL; }
20
21 cat >in.$$ || {
22 echo Cannot save mail to file; exit $EX_TEMPFAIL; }
23
24 # Specify your content filter here.
25 # filter <in.$$ || {
26 # echo Message content rejected; exit $EX_UNAVAILABLE; }
27
28 $SENDMAIL "$@" <in.$$
29
30 exit $?
Notes:
● Line 21: The idea is to first capture the message to file and then run the content through a third-
party content filter program.
● Line 22: If the mail cannot be captured to file, mail delivery is deferred by terminating with exit
status 75 (EX_TEMPFAIL). Postfix places the message in the deferred mail queue and tries again
later.
● Line 25: You will need to specify a real content filter program here that receives the content on
standard input.
● Line 26: If the content filter program finds a problem, the mail is bounced by terminating with exit
status 69 (EX_UNAVAILABLE). Postfix will return the message to the sender as undeliverable.
● Note: in this time of mail worms and spam, it is a BAD IDEA to send known viruses or spam back
to the sender, because that address is likely to be forged. It is safer to discard known to be bad
content and to quarantine suspicious content so that it can be inspected by a human being.
● Line 28: If the content is OK, it is given as input to the Postfix sendmail command, and the exit
status of the filter command is whatever exit status the Postfix sendmail command produces.
Postfix will deliver the message as usual.
● Line 30: Postfix returns the exit status of the Postfix sendmail command.
I suggest that you first run this script by hand until you are satisfied with the results. Run it with a real
message (headers+body) as input:
● Create a dedicated local user account called "filter". This user handles all potentially dangerous
mail content - that is why it should be a separate account. Do not use "nobody", and most certainly
do not use "root" or "postfix".
● Create a directory /var/spool/filter that is accessible only to the "filter" user. This is where the
content filtering script is supposed to store its temporary files.
● Configure Postfix to deliver mail to the content filter with the pipe(8) delivery agent.
/etc/postfix/master.cf:
# =============================================================
# service type private unpriv chroot wakeup maxproc command
# (yes) (yes) (yes) (never) (100)
# =============================================================
filter unix - n n - 10 pipe
flags=Rq user=filter argv=/path/to/script -f ${sender} --
${recipient}
This runs up to 10 content filters in parallel. Instead of a limit of 10 concurrent processes, use
whatever process limit is feasible for your machine. Content inspection software can gobble up a
lot of system resources, so you don't want to have too much of it running at the same time.
● To turn on content filtering for mail arriving via SMTP only, append "-o content_filter=filter:
dummy" to the master.cf entry that defines the Postfix SMTP server:
/etc/postfix/master.cf:
# =============================================================
# service type private unpriv chroot wakeup maxproc command
# (yes) (yes) (yes) (never) (100)
# =============================================================
smtp inet ...other stuff here, do not change... smtpd
-o content_filter=filter:dummy
The "content_filter" line causes Postfix to add one content filter request record to each incoming
mail message, with content "filter:dummy". This record overrides the normal mail routing and
causes mail to be given to the content filter instead.
The content_filter configuration parameter accepts the same syntax as the right-hand side in a
Postfix transport table.
The simple content filter method is not suitable for content filter actions that are invoked via
header_checks or body_checks patterns. These patterns will be applied again after mail is re-injected with
the Postfix sendmail command, resulting in a mail filtering loop. The advanced content filtering method
(see below) makes it possible to turn off header_checks or body_checks patterns for filtered mail.
● Edit the master.cf file, remove the "-o content_filter=filter:dummy" text from the entry that defines
the Postfix SMTP server.
● Execute "postsuper -r ALL" to remove content filter information from existing queue files.
For non-SMTP capable content filtering software, Bennett Todd's SMTP proxy implements a nice PERL/
SMTP content filtering framework. See: http://bent.latency.net/smtpprox/.
In the figure below, names followed by a number represent Postfix commands or daemon programs. See
the OVERVIEW document for an introduction to the Postfix architecture.
The example given here filters all mail, including mail that arrives via SMTP and mail that is locally
submitted via the Postfix sendmail command. See examples near the end of this document for how to
exclude local users from filtering, or how to configure a destination dependent content filter.
You can expect to lose about a factor of two in Postfix performance for mail that arrives and leaves via
SMTP, provided that the content filter creates no temporary files. Each temporary file created by the
content filter adds another factor to the performance loss.
To enable the advanced content filter method for all mail, specify in main.cf:
/etc/postfix/main.cf:
content_filter = scan:localhost:10025
receive_override_options = no_address_mappings
● The "content_filter" line causes Postfix to add one content filter request record to each incoming
mail message, with content "scan:localhost:10025". The content filter request records are added by
the smtpd(8) and pickup(8) servers (and qmqpd(8) if you decide to enable this service).
● Content filter requests are stored in queue files; this is how Postfix keeps track of what mail needs
filtering. When a queue file contains a content filter request, the queue manager will deliver the
mail to the specified content filter regardless of its final destination.
● The "receive_override_options" line disables address manipulation before the content filter, so that
the content filter sees the original mail addresses instead of the result of virtual alias expansion,
canonical mapping, automatic bcc, address masquerading, etc.
In this example, "scan" is an instance of the Postfix SMTP client with slightly different configuration
parameters. This is how one would set up the service in the Postfix master.cf file:
/etc/postfix/master.cf:
#
=============================================================
# service type private unpriv chroot wakeup maxproc
command
# (yes) (yes) (yes) (never) (100)
#
=============================================================
scan unix - - n - 10
smtp
-o smtp_send_xforward_command=yes
● This runs up to 10 content filters in parallel. Instead of a limit of 10 concurrent processes, use
whatever process limit is feasible for your machine. Content inspection software can gobble up a
lot of system resources, so you don't want to have too much of it running at the same time.
● With "-o smtp_send_xforward_command=yes", the scan transport will try to forward the original
client name and IP address to the after-filter smtpd process, so that filtered mail is logged with the
real client name IP address. See smtp(8) and XFORWARD_README for more information.
The content filter can be set up with the Postfix spawn service, which is the Postfix equivalent of inetd.
For example, to instantiate up to 10 content filtering processes on localhost port 10025:
/etc/postfix/master.cf:
#
===================================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never)
(100)
#
===================================================================
localhost:10025 inet n n n -
10 spawn
user=filter argv=/path/to/filter localhost 10026
● "filter" is a dedicated local user account. The user will never log in, and can be given a "*"
password and non-existent shell and home directory. This user handles all potentially dangerous
mail content - that is why it should be a separate account.
If you want to have your filter listening on port localhost:10025 instead of Postfix, then you must run your
filter as a stand-alone program, and must not use the Postfix spawn service.
The job of the content filter is to either bounce mail with a suitable diagnostic, or to feed the mail back
into Postfix through a dedicated listener on port localhost 10026.
The simplest content filter just copies SMTP commands and data between its inputs and outputs. If it has a
problem, all it has to do is to reply to an input of `.' from Postfix with `550 content rejected', and to
disconnect without sending `.' on the connection that injects mail back into Postfix.
/etc/postfix/master.cf:
#
===================================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never)
(100)
#
===================================================================
localhost:10026 inet n - n -
10 smtpd
-o content_filter=
-o
receive_override_options=no_unknown_recipient_checks,
no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,
reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8
● Note: the SMTP server must not have a smaller process limit than the "filter" master.cf entry.
● The "-o content_filter=" overrides main.cf settings, and requests no content filtering for mail from
the content filter. This is required or else mail will stay in the content filtering loop.
❍ Disable attempts to find out if a recipient is unknown, and disable header/body checks. This
work was already done before the content filter and repeating it would be wasteful.
❍ Enable virtual alias expansion, canonical mappings, address masquerading, and other
address mappings.
These receive override options are either implemented by the SMTP server itself, or they are
passed on to the cleanup server.
● The "-o smtpd_xxx_restrictions" and "-o mynetworks=127.0.0.0/8" override main.cf settings. They
turn off junk mail controls that would only waste time here.
● With "-o smtpd_authorized_xforward_hosts=127.0.0.0/8", the scan transport will try to forward the
original client name and IP address to the after-filter smtpd process, so that filtered mail is logged
with the real client name and IP address. See XFORWARD_README and smtpd(8).
Currently, content filter performance tuning is a process of trial and error; analysis is handicapped because
filtered and unfiltered messages share the same queue. As mentioned in the introduction of this document,
content filtering with multiple Postfix instances will be covered in a future version.
● Delete or comment out the two following main.cf lines. The other changes made for advanced
content filtering have no effect when content filtering is turned off.
/etc/postfix/main.cf:
content_filter = scan:localhost:10025
receive_override_options = no_address_mappings
● Execute "postsuper -r ALL" to remove content filter information from existing queue files.
● Two SMTP server IP addresses for mail from inside users only, with content filtering turned off.
/etc/postfix.master.cf:
#
==================================================================
# service type private unpriv chroot wakeup maxproc
command
# (yes) (yes) (yes) (never) (100)
#
==================================================================
1.2.3.4:smtp inet n - n - -
smtpd
-o smtpd_client_restrictions=permit_mynetworks,reject
127.0.0.1:smtp inet n - n - -
smtpd
-o smtpd_client_restrictions=permit_mynetworks,reject
● One SMTP server address for mail from outside users with content filtering turned on.
/etc/postfix.master.cf:
#
=================================================================
After this, you can follow the same procedure as outlined in the "advanced" or "simple" content filtering
examples above, except that you must not specify "content_filter" or "receive_override_options" in the
main.cf file.
/etc/postfix.master.cf:
#
=================================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never) (100)
#
=================================================================
# SMTP service for domains that are content filtered with
foo:bar
1.2.3.4:smtp inet n - n -
- smtpd
-o content_filter=foo:bar
-o receive_override_options=no_address_mappings
After this, you can follow the same procedure as outlined in the "advanced" or "simple" content filtering
examples above, except that you must not specify "content_filter" or "receive_override_options" in the
main.cf file.
Set up MX records in the DNS that route each domain to the proper SMTP server instance.
/etc/postfix/access:
whatever FILTER foo:bar
/etc/postfix/header_checks:
/whatever/ FILTER foo:bar
You can do this in smtpd access maps as well as the cleanup server's header/body_checks. This feature
must be used with great care: you must disable all the UCE features in the after-filter smtpd and cleanup
daemons or else you will have a content filtering loop.
Limitations:
● FILTER actions from smtpd access maps and header/body_checks take precedence over filters
specified with the main.cf content_filter parameter.
● If a message triggers more than one filter action, only the last one takes effect.
● The same content filter is applied to all the recipients of a given message.
POSTCAT(1) POSTCAT
(1)
NAME
postcat - show Postfix queue file contents
SYNOPSIS
postcat [-oqv] [-c config_dir] [files...]
DESCRIPTION
The postcat command prints the contents of the named
files
in human-readable form. The files are expected to be
in
Postfix queue file format. If no files are specified
on
the command line, the program reads from standard input.
Options:
-c config_dir
The main.cf configuration file is in the
named
directory instead of the default
configuration
directory.
DIAGNOSTICS
Problems are reported to the standard error stream.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program.
FILES
/var/spool/postfix, Postfix queue directory
SEE ALSO
postconf(5), Postfix configuration
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTCAT
(1)
TCP_TABLE(5) TCP_TABLE
(5)
NAME
tcp_table - Postfix client/server table lookup protocol
SYNOPSIS
postmap -q "string" tcp:host:port
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format. Alternatively, table lookups can be
directed
to a TCP server.
PROTOCOL DESCRIPTION
The TCP map class implements a very simple protocol:
the
client sends a request, and the server sends one
reply.
Requests and replies are sent as one line of ASCII
text,
terminated by the ASCII newline character. Request
and
reply parameters (see below) are separated by
whitespace.
seconds.
REQUEST FORMAT
Each request specifies a command, a lookup key, and
possi-
bly a lookup result.
REPLY FORMAT
Each reply specifies a status code and text. Replies
must
be no longer than 4096 characters including the
newline
terminator.
ENCODING
In request and reply parameters, the character %,
each
non-printing character, and each whitespace character
must
be replaced by %XX, where XX is the corresponding
ASCII
hexadecimal character value. The hexadecimal codes can
be
specified in any case (upper, lower, mixed).
SECURITY
Do not use TCP lookup tables for security critical
pur-
poses. The client-server connection is not protected
and
the server is not authenticated.
BUGS
Only the lookup method is currently implemented.
SEE ALSO
postmap(1), Postfix lookup table manager
regexp_table(5) format of regular expression tables
pcre_table(5) format of PCRE tables
cidr_table(5) format of CIDR tables
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
TCP_TABLE
(5)
SPAWN(8) SPAWN
(8)
NAME
spawn - Postfix external command spawner
SYNOPSIS
spawn [generic Postfix daemon options]
command_attributes...
DESCRIPTION
The spawn daemon provides the Postfix equivalent of
inetd.
It listens on a port as specified in the Postfix master.
cf
file and spawns an external command whenever a
connection
is established. The connection can be made over local
IPC
(such as UNIX-domain sockets) or over non-local IPC
(such
as TCP sockets). The command's standard input, output
and
error streams are connected directly to the
communication
endpoint.
user=username (required)
user=username:groupname
argv=command... (required)
The command to be executed. This must be
specified
as the last command attribute. The command is
exe-
cuted directly, i.e. without interpretation
of
shell meta characters by a shell command
inter-
preter.
BUGS
In order to enforce standard Postfix process resource
con-
trols, the spawn daemon runs only one external command
at
a time. As such, it presents a noticeable overhead
by
wasting precious process resources. The spawn daemon
is
expected to be replaced by a more structural solution.
DIAGNOSTICS
The spawn daemon reports abnormal child exits.
Problems
are logged to syslogd(8).
SECURITY
This program needs root privilege in order to
execute
external commands as the specified user. It is
therefore
security sensitive. However the spawn daemon does
not
talk to the external command and thus is not vulnerable
to
data-driven attacks.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as spawn
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
MISCELLANEOUS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
postconf(5), configuration parameters
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SPAWN
(8)
ERROR(8) ERROR
(8)
NAME
error - Postfix error mail delivery agent
SYNOPSIS
error [generic Postfix daemon options]
DESCRIPTION
The Postfix error delivery agent processes
delivery
requests from the queue manager. Each request specifies
a
queue file, a sender address, a domain or host name
that
is treated as the reason for non-delivery, and
recipient
information. This program expects to be run from the
mas-
ter(8) process manager.
SECURITY
The error mailer is not security-sensitive. It does
not
STANDARDS
None.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as error
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
2bounce_notice_recipient (postmaster)
The recipient of undeliverable mail that cannot
be
returned to the sender.
bounce_notice_recipient (postmaster)
The recipient of postmaster notifications with
the
message headers of mail that Postfix did
not
deliver and of SMTP conversation transcripts
of
mail that Postfix did not receive.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications
that
are generated by the mail system.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
discard(8), Postfix discard delivery agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ERROR
(8)
Postfix Before-Queue
Content Filter
The before-queue content filter is not to be confused with the approach described in the
FILTER_README document, where mail is filtered AFTER it is stored in the Postfix mail
queue.
● Principles of operation
● Pros and cons of before-queue content filtering
● Configuring the Postfix SMTP pass-through proxy feature
● Configuration parameters
● How Postfix talks to the before-queue content filter
● Transparency
Principles of operation
The before-filter Postfix SMTP server receives mail from the Internet and does the usual relay
access control, SASL authentication, RBL lookups, rejecting non-existent sender or recipient
addresses, etc. The before-queue filter receives unfiltered mail content from Postfix and does one
of the following:
1. Re-inject the mail back into Postfix via SMTP, perhaps after changing its content and/or
destination.
2. Reject the mail by sending a suitable SMTP status code back to Postfix. Postfix passes the
status back to the remote SMTP client. This way, Postfix does not have to send a bounce
message.
The after-filter Postfix SMTP server receives mail from the content filter. From then on Postfix
processes the mail as usual.
The before-queue content filter described here works just like the after-queue content filter
described in the FILTER_README document. In many cases you can use the same software,
within the limitations as discussed in the "Pros and Cons" section below.
● Con: The remote SMTP client expects an SMTP reply within a deadline. As the system
load increases, fewer and fewer CPU cycles remain available to answer within the
deadline, and eventually you either have to stop accepting mail or you have to stop
filtering mail. It is for this reason that the before-queue content filter can be used only on
low-traffic sites.
● Con: Content filtering software can use lots of memory resources. In order to not run out
of memory you have to reduce the number of before-filter SMTP server processes so that
a burst of mail will not drive your system into the ground with too many content filter
processes. This, in turn, means that SMTP clients have to wait for a long time before they
receive service.
In the following example, the before-filter Postfix SMTP server gives mail to a content filter that
listens on localhost port 10025. The after-filter Postfix SMTP server receives mail from the
content filter via localhost port 10026. From then on mail is processed as usual.
The content filter itself is not described here. You can use any filter that is SMTP enabled. For
non-SMTP capable content filtering software, Bennett Todd's SMTP proxy implements a nice
PERL/SMTP content filtering framework. See: http://bent.latency.net/smtpprox/.
Postfix
Postfix
SMTP
SMTP filter on server Postfix Postfix
- server - localhost - - - incoming
Internet on cleanup
> on > port > > >
localhost server queue
port 10025
port
25
10026
/etc/postfix/master.cf:
#
=============================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never)
(100)
#
=============================================================
#
# Before-filter SMTP server. Receive mail from the
network and
# pass it to the content filter on localhost port
10025.
#
smtp inet n - n -
20 smtpd
-o smtpd_proxy_filter=127.0.0.1:10025
-o smtpd_client_connection_count_limit=10
#
# After-filter SMTP server. Receive mail from the
content filter
The before-filter SMTP server entry is a modified version of the default Postfix SMTP server
entry that is normally configured at the top of the master.cf file:
● The number of SMTP sessions is reduced from the default 100 to only 20. This prevents a
burst of mail from running your system into the ground with too many content filter
processes.
Note: this setting is ignored by the stable Postfix 2.1 release. The feature will be available
only in the experimental release until Postfix 2.2.
● The "-o smtpd_proxy_filter=127.0.0.1:10025" tells the before filter SMTP server that it
should give incoming mail to the content filter that listens on localhost port 10025.
● The "127.0.0.1:10026" makes the after-filter SMTP server listen on the localhost address
only, without exposing it to the network. NEVER expose the after-filter SMTP server to
the Internet :-)
server to receive remote SMTP client information from the before filter SMTP server, so
that the after-filter Postfix daemons log the remote SMTP client information instead of
logging localhost[127.0.0.1].
● The other after-filter SMTP server settings avoid duplication of work that is already done
in the "before filter" SMTP server.
By default, the filter has 100 seconds to do its work. If it takes longer then Postfix gives up and
reports an error to the remote SMTP client. You can increase this time limit (see configuration
parameter section below) but doing so is pointless because you can't control when the remote
SMTP client times out.
Configuration parameters
Parameters that control proxying:
● smtpd_proxy_filter (syntax: host:port): The host and TCP port of the before-queue content
filter. When no host or host: is specified in client context, localhost is assumed.
The content filter is expected to pass on unmodified SMTP commands from a before-filter
Postfix SMTP server to an after-filter Postfix SMTP server that usually listens on a non-standard
port. When the filter rejects content, it should send a negative SMTP response back to the before-
filter Postfix SMTP server, and it should abort the connection with the after-filter Postfix SMTP
server without completing the SMTP conversation with the after-filter Postfix SMTP server.
Transparency
The before-filter Postfix SMTP server forwards the MAIL FROM, RCPT TO and DATA
commands that it has approved, but it does not forward other commands such as TLS or SASL
commands. It can therefore not be transparent.
The real-time content filter, on the other hand, has to be transparent. In order to support non-
transparent real-time content filters, Postfix would have to reconcile the before-filter Postfix
ESMTP feature set with the feature set that Postfix receives from the real-time content filter.
● When a future Postfix version supports DSN, but the content filter does not announce
DSN support in the EHLO reply, then the before-filter SMTP server would have to either
1) suppress the DSN feature in its EHLO announcement, or 2) duplicate all the work that
needs to be done when delivering DSN-aware mail to a non-DSN destination.
● When the content filter does not announce 8BITMIME support in the EHLO reply, then
the before-filter SMTP server would have to either 1) suppress the 8BITMIME feature in
its EHLO announcement, or 2) convert the content to quoted-printable before giving it to
the content filter.
● Performance: when Postfix has to suppress elements from the before-filter EHLO reply
because they are incompatible with the real-time content filter, then Postfix has to connect
to the content filter as soon as the client sends a valid EHLO command. This wastes a lot
of resources when all the MAIL FROM or RCPT TO commands are rejected.
Therefore, the Postfix SMTP server cannot be transparent with respect to the before-queue
content filter.
PIPE(8) PIPE
(8)
NAME
pipe - Postfix delivery to external command
SYNOPSIS
pipe [generic Postfix daemon options]
command_attributes...
DESCRIPTION
The pipe daemon processes requests from the Postfix
queue
manager to deliver messages to external commands.
This
program expects to be run from the master(8) process
man-
ager.
SINGLE-RECIPIENT DELIVERY
Some external commands cannot handle more than one
recipi-
ent per delivery request. Examples of such transports
are
pagers, fax machines, and so on.
transport_destination_recipient_limit = 1
flags=BDFORhqu.> (optional)
Optional message processing flags. By default,
a
message is copied unchanged.
size=size_limit (optional)
Messages greater in size than this limit (in
bytes)
will be bounced back to the sender.
user=username (required)
user=username:groupname
The external command is executed with the rights
of
the specified username. The software refuses
to
execute commands with root privileges, or with
the
privileges of the mail system owner. If
groupname
is specified, the corresponding group ID is
used
instead of the group ID of username.
argv=command... (required)
The command to be executed. This must be
specified
as the last command attribute. The command is
exe-
cuted directly, i.e. without interpretation
of
shell meta characters by a shell command
inter-
preter.
${client_address}
This macro expands to the remote client
net-
work address.
${client_helo}
This macro expands to the remote client
HELO
command parameter.
${client_hostname}
This macro expands to the remote
client
hostname.
${client_protocol}
This macro expands to the remote client
pro-
tocol.
${extension}
This macro expands to the extension part
of
a recipient address. For example, with
an
address user+foo@domain the extension
is
foo.
${mailbox}
This macro expands to the complete
local
part of a recipient address. For
example,
with an address user+foo@domain the
mailbox
is user+foo.
${nexthop}
${recipient}
This macro expands to the complete
recipient
address.
${sasl_method}
This macro expands to the SASL
authentica-
tion mechanism used during the reception
of
the message. An empty string is passed
if
the message has been received without
SASL
authentication.
${sasl_sender}
This macro expands to the SASL sender
name
(i.e. the original submitter as per
RFC
2554) used during the reception of the
mes-
sage.
${sasl_username}
This macro expands to the SASL user
name
used during the reception of the message.
An
empty string is passed if the message
has
been received without SASL authentication.
${sender}
This macro expands to the envelope
sender
address.
${size}
This macro expands to Postfix's idea of
the
message size, which is an approximation
of
the size of the message as delivered.
${user}
This macro expands to the username part of
a
recipient address. For example, with
an
address user+foo@domain the username part
is
user.
DIAGNOSTICS
Command exit status codes are expected to follow the
con-
ventions defined in <sysexits.h>.
SECURITY
This program needs a dual personality 1) to access
the
private Postfix queue and IPC mechanisms, and 2) to
exe-
cute external commands as the specified user. It is
there-
fore security sensitive.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as pipe
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
transport_destination_concurrency_limit
($default_destina-
tion_concurrency_limit)
Limit the number of parallel deliveries to the
same
destination, for delivery via the named
transport.
The limit is enforced by the Postfix queue
manager.
transport_destination_recipient_limit
($default_destina-
tion_recipient_limit)
Limit the number of recipients per message
deliv-
ery, for delivery via the named transport.
The
limit is enforced by the Postfix queue manager.
transport_time_limit ($command_time_limit)
Limit the time for delivery to external
command,
for delivery via the named transport. The limit
is
enforced by the pipe delivery agent.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
tory.
recipient_delimiter (empty)
The separator between user names and address
exten-
sions (user+foo).
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PIPE
(8)
This extension is implemented as a separate command, and can be used to transmit client or
message attributes incrementally. It is not implemented by passing additional parameters via
the MAIL FROM command, because doing so would require extending the MAIL FROM
command length limit by another 600 or more characters beyond the space that is already
needed in order to support other extensions such as AUTH.
In SMTP server EHLO replies, the keyword associated with this extension is XFORWARD.
The keyword is followed by the names of the attributes that the XFORWARD implementation
supports.
The client may send the XFORWARD request at any time except in the middle of a mail
delivery transaction (i.e. between MAIL and DOT). The command may be pipelined when the
server supports ESMTP command pipelining.
The syntax of XFORWARD requests is described below. Upper case and quoted strings
specify terminals, lowercase strings specify meta terminals, and SP is whitespace. Although
command and attribute names are shown in upper case, they are in fact case insensitive.
● The NAME attribute specifies the up-stream hostname, or [UNAVAILABLE] when the
information is unavailable. The hostname may be a non-DNS hostname.
● The PROTO attribute specifies the mail protocol for receiving mail from the up-stream
host. This may be an SMTP non-SMTP protocol name of up to 64 characters, or
[UNAVAILABLE] when the information is unavailable.
● The HELO attribute specifies the hostname that the up-stream host announced itself
with (not necessarily via the SMTP HELO command), or [UNAVAILABLE] when the
information is unavailable. The hostname may be a non-DNS hostname.
● The SOURCE attribute specifies LOCAL when the message was received from a source
that is local with respect to the up-stream host, REMOTE for mail from a remote
source, or [UNAVAILABLE] when the information is unavailable. The down-stream
MTA may decide to enable header munging and address qualification with mail from
local sources.
Note 1: Attribute values must not be longer than 255 characters (specific attributes may impose
shorter lengths), must not contain control characters, non-ASCII characters, whitespace, or
other characters that are special in message headers. Future attributes that may violate this
should use xtext encoding as described in RFC 1891.
Note 2: DNS hostnames can be up to 255 characters long. The XFORWARD client
implementation must not send XFORWARD commands that exceed the 512 character limit for
SMTP commands.
Note 3: [UNAVAILABLE] may be specified in upper case, lower case or mixed case.
Note 4: the XFORWARD server implementation must not mix information from the current
SMTP session with forwarded information from an up-stream session.
Code Meaning
250 success
501 bad command parameter syntax
503 mail transaction in progress
unable to proceed,
421
disconnecting
XFORWARD Example
In the following example, information sent by the client is shown in bold font.
Security
The XFORWARD command changes audit trails. Use of this command must be restricted to
authorized clients.
HEADER_CHECKS(5) HEADER_CHECKS
(5)
NAME
header_checks - Postfix built-in header/body inspection
SYNOPSIS
header_checks = pcre:/etc/postfix/header_checks
mime_header_checks = pcre:/etc/postfix/mime_header_checks
nested_header_checks = pcre:/etc/postfix/
nested_header_checks
body_checks = pcre:/etc/postfix/body_checks
DESCRIPTION
Postfix provides a simple built-in content
inspection
mechanism that examines incoming mail one message
header
or one message body line at a time. Each input is
compared
against a list of patterns, and when a match is found
the
corresponding action is executed. This feature is
imple-
mented by the Postfix cleanup(8) server.
need
more sophisticated content analysis.
header_checks
These are applied to initial message
headers
(except for the headers that are processed
with
mime_header_checks).
body_checks
These are applied to all other content,
including
multi-part message boundaries.
TABLE FORMAT
This document assumes that header and body_checks
rules
are specified in the form of Postfix regular
expression
lookup tables. Usually the best performance is
obtained
with pcre (Perl Compatible Regular Expression) tables,
but
the slower regexp (POSIX regular expressions) support
is
more widely available. Use the command postconf -m
to
find out what lookup table types your Postfix system
sup-
ports.
/pattern/flags action
When pattern matches the input string, execute
the
corresponding action. See below for a list of
pos-
sible actions.
!/pattern/flags action
When pattern does not match the input string,
exe-
cute the corresponding action.
if /pattern/flags
if !/pattern/flags
multi-line text
A pattern/action line starts with non-
whitespace
text. A line that starts with whitespace
continues
a logical line.
is
inspected.
TEXT SUBSTITUTION
Substitution of substrings from the matched
expression
into the action string is possible using the
conventional
Perl syntax ($1, $2, etc.). The macros in the
result
string may need to be written as ${n} or $(n) if
they
aren't followed by whitespace.
ACTIONS
Action names are case insensitive. They are shown in
upper
case for consistency with other Postfix documentation.
DUNNO Pretend that the input line did not match any
pat-
tern, and inspect the next input line. This
action
can be used to shorten the table search.
FILTER transport:destination
Write a content filter request to the queue
file
and inspect the next input line. After the
com-
plete message is received it will be sent
through
the specified external content filter. More
infor-
mation about external content filters is in
the
Postfix FILTER_README file.
mes-
sage remains on hold until someone either
deletes
it or releases it for delivery. Log the
optional
text if specified, otherwise log a generic
message.
PREPEND text...
Prepend one line with the specified text
and
inspect the next input line.
REDIRECT user@domain
Write a message redirection request to the
queue
file and inspect the next input line. After
the
message is queued, it will be sent to the
specified
address instead of the intended recipient(s).
BUGS
Many people overlook the main limitations of header
and
body_checks rules. These rules operate on one
logical
message header or one body line at a time, and a
decision
made for one line is not carried over to the next
line.
If text in the message body is encoded (RFC 2045) then
the
rules have to specified for the encoded form.
Likewise,
when message headers are encoded (RFC 2047) then the
rules
need to be specified for the encoded form.
CONFIGURATION PARAMETERS
body_checks
Lookup tables with content filter rules for
message
body_checks_size_limit
The amount of content per message body
segment
(attachment) that is subjected to $body_checks
fil-
tering.
header_checks
disable_mime_input_processing
While receiving mail, give no special treatment
to
MIME related message headers; all text after
the
initial message headers is considered to be part
of
the message body. This means that header_checks
is
applied to all the initial message headers,
and
that body_checks is applied to the remainder of
the
message.
EXAMPLES
Header pattern to block attachments with bad file
name
extensions.
/etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks
/etc/postfix/header_checks:
/^content-(type|disposition):.*name[[:space:]]*=.*\.
(exe|vbs)/
REJECT Bad attachment file name extension: $2
/etc/postfix/main.cf:
body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/body_checks:
/^<iframe src=(3D)?cid:.* height=(3D)?0 width=(3D)?0>
$/
REJECT IFRAME vulnerability exploit
SEE ALSO
cleanup(8), canonicalize and enqueue Postfix message
pcre_table(5), format of PCRE lookup tables
regexp_table(5), format of POSIX regular expression
tables
postconf(1), Postfix configuration utility
postmap(1), Postfix lookup table management
postsuper(1), Postfix janitor
postcat(1), show Postfix queue file contents
RFC 2045, base64 and quoted-printable encoding rules
RFC 2047, message header encoding for non-ASCII text
README FILES
DATABASE_README, Postfix lookup table overview
CONTENT_INSPECTION_README, Postfix content inspection
overview
BUILTIN_FILTER_README, Postfix built-in content
inspection
BACKSCATTER_README, blocking returned forged mail
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
HEADER_CHECKS
(5)
Postfix Address
Verification Howto
The technique has obvious uses in order to reject junk mail with an unreplyable sender address.
The technique may also be useful to block mail for undeliverable recipients, for example on a
mail relay host that does not have a list of all the valid recipient addresses. This prevents
undeliverable junk mail from entering the queue, so that Postfix doesn't have to waste resources
trying to send MAILER-DAEMON messages back.
With Postfix address verification turned on, normal mail will suffer only a short delay of up to
6 seconds while an address is being verified for the first time. Once an address status is known,
the status is cached and Postfix replies immediately.
When verification takes too long the Postfix SMTP server defers the sender or recipient
address with a 450 reply. Normal mail clients will connect again after some delay. The address
verification delay is configurable with the main.cf address_verify_poll_count and
address_verify_poll_delay parameters. See postconf(5) for details.
● Sites like AOL may blacklist you when you are probing them too often (a probe is an
SMTP session that does not deliver mail), or when you are probing them too often for a
non-existent address.
● Normally, address verification probe messages follow the same path as regular mail.
However, some sites send mail to the Internet via an intermediate relayhost; this breaks
address verification. See below, section "Controlling the routing of address verification
probes", for how to override mail routing and for possible limitations when you have to
do this.
● Postfix assumes that an address is undeliverable when the nearest MTA for the address
rejects the probe, regardless of the reason for rejection (client rejected, HELO rejected,
MAIL FROM rejected, etc.). Thus, Postfix rejects mail when the sender's MTA rejects
mail from your machine. This is a good thing.
● Unfortunately, some major sites such as YAHOO do not reject unknown addresses in
reply to the RCPT TO command, but report a delivery failure in response to end of
DATA after a message is transferred. Postfix address verification does not work with
such sites.
You can change this into the null address ("address_verify_sender ="). This is UNSAFE
because address probes will fail with mis-configured sites that reject MAIL FROM: <>,
while probes from "postmaster@$myorigin" would succeed.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
...
reject_unknown_recipient_domain
reject_unverified_recipient
...
/etc/postfix/main.cf:
smtpd_sender_restrictions = hash:/etc/postfix/
sender_access
unverified_sender_reject_code = 550
# Note 1: Be sure to read the "Caching" section
below!
# Note 2: Avoid hash files here. Use btree
instead.
address_verify_map = btree:/var/mta/verify
/etc/postfix/sender_access:
aol.com reject_unverified_sender
hotmail.com reject_unverified_sender
bigfoot.com reject_unverified_sender
... etcetera ...
NOTE: One of the first things you might want to do is to turn on sender address verification for
all your own domains.
To find out how sender address verification would affect your mail, specify "warn_if_reject
reject_unverified_sender" so that you can see what mail would be blocked:
/etc/postfix/main.cf:
smtpd_sender_restrictions =
permit_mynetworks
...
check_sender_access hash:/etc/postfix/
sender_access
reject_unknown_sender_domain
warn_if_reject reject_unverified_sender
...
# Note 1: Be sure to read the "Caching" section
below!
# Note 2: Avoid hash files here. Use btree
instead.
address_verify_map = btree:/var/mta/verify
This is also a good way to populate your cache with address verification results before you start
to actually reject mail.
The sender_access restriction is needed to whitelist domains or addresses that are known to be
OK. Although Postfix will not mark a known-to-be-good address as bad after a probe fails, it is
better to be safe than sorry.
NOTE: You will have to whitelist sites such as securityfocus.com and other sites that operate
mailing lists that use a different sender address for each posting (VERP). Such addresses
pollute the address verification cache quickly, and generate unnecessary sender verification
probes.
/etc/postfix/sender_access
securityfocus.com OK
...
The unverified_sender_reject_code parameter (default 450) specifies how Postfix replies when
a sender address is known to bounce. Change this setting into 550 when you trust Postfix's
judgments.
Address verification information is cached by the Postfix verify daemon. Postfix has a bunch of
parameters that control the caching of positive and negative results. Refer to the verify(8)
manual page for details.
/etc/postfix/main.cf:
# Note: avoid hash files here. Use btree instead.
address_verify_map = btree:/var/mta/verify
NOTE: Do not put this file in a file system that may run out of space. When the address
verification table gets corrupted the world comes to an end and YOU will have to
MANUALLY fix things as described in the next section. Meanwhile, you will not receive mail
via SMTP.
The verify(8) daemon process will create a new database when none exists, and will open/
create the file before it enters the chroot jail and before it drops root privileges.
Right now, no tools are provided to manage the address verification database. If the file gets
too big, or if it gets corrupted, you can manually rename or delete the file and run "postfix
reload". The new verify daemon process will then create a new database.
However, some sites have a complex infrastructure where mail is not sent directly to the
Internet, but is instead given to an intermediate relayhost. This is a problem for address
verification, because remote Internet addresses can be verified only when Postfix can access
remote destinations directly.
For this reason, Postfix allows you to override the routing parameters when it delivers an
address verification probe message.
First, the address_verify_relayhost parameter allows you to override the relayhost setting, and
the address_verify_transport_maps parameter allows you to override the transport_maps
setting.
Second, each address class is given its own address verification version of the message delivery
transport, as shown in the table below. Address classes are defined in the
ADDRESS_CLASS_README file.
Regular
Domain list Verify transport
transport
By default, the parameters that control delivery of address probes have the same value as the
parameters that control normal mail delivery.
/etc/postfix/main.cf:
relayhost = $mydomain
address_verify_relayhost =
...
Sites behind a network address translation box might have to use a different SMTP client that
sends the correct hostname information:
/etc/postfix/main.cf:
relayhost = $mydomain
address_verify_relayhost =
address_verify_default_transport = direct_smtp
/etc/postfix/master.cf:
direct_smtp .. .. .. .. .. .. .. .. .. smtp
-o smtp_helo_name=nat.box.tld
VERIFY(8) VERIFY
(8)
NAME
verify - Postfix address verification server
SYNOPSIS
verify [generic Postfix daemon options]
DESCRIPTION
The Postfix address verification server maintains a
record
of what recipient addresses are known to be deliverable
or
undeliverable.
query address
Look up the status and text for the
specified
address. If the status is unknown, a probe is
sent
and an "in progress" status is returned.
SECURITY
The address verification server is not security-
sensitive.
It does not talk to the network, and it does not talk
to
local users. The verify server can run chrooted at
fixed
low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The address verification service is suitable only
for
sites that handle a low mail volume. Verification
probes
add additional traffic to the mail queue and
perform
poorly under high load. Servers may blacklist sites
that
probe excessively, or that probe excessively for non-
exis-
tent recipient addresses.
CONFIGURATION PARAMETERS
Changes to main.cf are not picked up automatically,
as
verify(8) processes are persistent. Use the command
"post-
fix reload" after a configuration change.
CACHE CONTROLS
address_verify_map (empty)
Optional lookup table for persistent address
veri-
fication status storage.
address_verify_sender (postmaster)
The sender address to use in address
verification
probes.
address_verify_positive_expire_time (31d)
The time after which a successful probe
expires
from the address verification cache.
address_verify_positive_refresh_time (7d)
The time after which a successful address
verifica-
tion probe needs to be refreshed.
address_verify_negative_cache (yes)
address_verify_negative_expire_time (3d)
The time after which a failed probe expires
from
the address verification cache.
address_verify_negative_refresh_time (3h)
The time after which a failed address
verification
probe needs to be refreshed.
address_verify_relayhost ($relayhost)
Overrides the relayhost parameter setting
for
address verification probes.
address_verify_transport_maps ($transport_maps)
Overrides the transport_maps parameter setting
for
address verification probes.
address_verify_local_transport ($local_transport)
Overrides the local_transport parameter setting
for
address verification probes.
address_verify_virtual_transport ($virtual_transport)
Overrides the virtual_transport parameter
setting
for address verification probes.
address_verify_relay_transport ($relay_transport)
Overrides the relay_transport parameter setting
for
address verification probes.
address_verify_default_transport ($default_transport)
Overrides the default_transport parameter
setting
for address verification probes.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
tory.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
cleanup(8), enqueue Postfix message
postconf(5), configuration parameters
syslogd(5), system logging
README FILES
ADDRESS_VERIFICATION_README, address verification howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
This service was introduced with Postfix version 2.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
VERIFY
(8)
Postfix Per-Client/User/etc.
Access Control
Having to specify lists of access restrictions for every recipient becomes tedious quickly.
Postfix restriction classes allow you to give easy-to-remember names to groups of UCE
restrictions (such as "permissive", "restrictive", and so on).
The real reason for the existence of Postfix restriction classes is more mundane: you can't
specify a lookup table on the right-hand side of a Postfix access table. This is because Postfix
needs to open lookup tables ahead of time, but the reader probably does not care about these
low-level details.
Example:
/etc/postfix/main.cf:
smtpd_restriction_classes = restrictive,
permissive
restrictive = reject_unknown_sender_domain
reject_unknown_client ...
permissive = permit
smtpd_recipient_restrictions =
permit_mynetworks
reject_unauth_destination
hash:/etc/postfix/recipient_access
/etc/postfix/recipient_access:
joe@my.domain permissive
jane@my.domain restrictive
With this in place, you can use "restrictive" or "permissive" on the right-hand side of your per-
client, helo, sender, or recipient SMTPD access tables.
The remainder of this document gives examples of how Postfix access restriction classes can
be used to:
These questions come up frequently, and the examples hopefully make clear that Postfix
restriction classes aren't really the right solution. They should be used for what they were
designed to do, different junk mail restrictions for different clients or users.
Postfix can implement per-address access controls. What follows is based on the SMTP client
IP address, and therefore is subject to IP spoofing.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
hash:/etc/postfix/access
...the usual stuff...
/etc/postfix/access:
all@my.domain permit_mynetworks,reject
all@my.hostname permit_mynetworks,reject
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out
what map types Postfix supports, use the command postconf -m.
Now, that would be sufficient when your machine receives all Internet mail directly from the
Internet. That's unlikely if your network is a bit larger than an office. For example, your backup
MX hosts would "launder" the client IP address of mail from the outside so it would appear to
come from a trusted machine.
In the general case you need two lookup tables: one table that lists destinations that need to be
protected, and one table that lists domains that are allowed to send to the protected destinations.
What follows is based on the sender SMTP envelope address, and therefore is subject to SMTP
sender spoofing.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
hash:/etc/postfix/protected_destinations
...the usual stuff...
smtpd_restriction_classes = insiders_only
insiders_only = check_sender_access hash:/etc/
postfix/insiders, reject
/etc/postfix/protected_destinations:
all@my.domain insiders_only
all@my.hostname insiders_only
/etc/postfix/insiders:
my.domain OK matches my.domain and
subdomains
another.domain OK matches another.domain and
subdomains
Getting past this scheme is relatively easy, because all one has to do is to spoof the SMTP
sender address.
If the internal list is a low-volume one, perhaps it makes more sense to make it moderated.
bounce message. Please don't discuss whether such access restrictions are
necessary, it was not my decision.
Postfix has support for per-user restrictions. The restrictions are implemented by the SMTP
server. Thus, users that violate the policy have their mail rejected by the SMTP server. Like
this:
The implementation uses two lookup tables. One table defines what users are restricted in
where they can send mail, and the other table defines what destinations are local. It is left as an
exercise for the reader to change this into a scheme where only some users have permission to
send mail to off-site destinations, and where most users are restricted.
The example assumes DB/DBM files, but this could also be done with LDAP or SQL.
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
check_sender_access hash:/etc/postfix/
restricted_senders
...other stuff...
smtpd_restriction_classes = local_only
local_only =
check_recipient_access hash:/etc/postfix/
local_domains, reject
/etc/postfix/restricted_senders:
foo@domain local_only
bar@domain local_only
/etc/postfix/local_domains:
this.domain OK matches this.domain and
subdomains
that.domain OK matches that.domain and
subdomains
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out
what map types Postfix supports, use the command postconf -m.
Note: this scheme does not authenticate the user, and therefore it can be bypassed in several
ways:
● By sending mail as someone else who does have permission to send mail to off-site
destinations.
The original purpose of the built-in filter is to stop an outbreak of specific email worms or viruses, and it
does this job well. The filter has also helped to block bounced junk email, bounced email from worms or
viruses, and notifications from virus detection systems. Information about this secondary application is
given in the BACKSCATTER_README document.
Because the built-in filter is optimized for stopping specific worms and virus outbreaks, it has limitations
that make it NOT suitable for general junk email and virus detection. For that, you should use one of the
external content inspection methods that are described in the FILTER_README and
SMTPD_PROXY_README documents.
The following diagram gives an over-all picture of how Postfix built-in content inspection works:
Postmaster
notifications
|
v
Network or
Network or - Built-in - Postfix - Delivery -
local
local users > filter > queue > agents >
mailbox
^ |
| v
Undeliverable mail
Forwarded mail
The picture makes clear that the filter works while Postfix is receiving new mail. This means that Postfix
can reject mail from the network without having to return undeliverable mail to the originator address
(which is often spoofed anyway). However, this ability comes at a price: if mail inspection takes too
much time, then the remote client will time out, and the client may send the same message repeatedly.
bounce(8)
(undeliverable)
smtpd(8) |
(network) \ v
qmqpd(8) -\ - incoming
cleanup(8)
(network) -/ > queue
pickup(8) / ^
(local) |
local(8)
(forwarded)
For efficiency reasons, only mail that enters from outside of Postfix is inspected with header/body
checks. It would be inefficient to filter already filtered mail again, and it would be undesirable to block
postmaster notifications. The table below summarizes what mail is and is not subject to header/body
checks.
Header/body
Message type Source
checks?
Undeliverable bounce
No
mail (8)
Network mail smtpd(8) Configurable
qmqpd
Network mail Configurable
(8)
pickup
Local submission Configurable
(8)
Local forwarding local(8) No
Postmaster notice many No
How does Postfix decide what mail needs to be filtered? It would be clumsy to make the decision in the
cleanup(8) server, as this program receives mail from so many different sources. Instead, header/body
checks are requested by the source. Examples of how to turn off header/body checks for mail received
with smtpd(8), qmqpd(8) or pickup(8) are given below under "Configuring header/body checks for mail
from outside users only" and "Configuring header/body checks for mail to some domains only".
● Header/body checks cannot filter on a combination of message headers or body lines. Header/
body checks examine content one message header at a time, or one message body line at a time,
and cannot carry a decision over to the next message header or body line.
❍ One message can have multiple recipients, and all recipients of a message receive the same
treatment. Workarounds have been proposed that involve selectively deferring some
recipients of multi-recipient mail, but that results in poor SMTP performance and does not
work for non-SMTP mail.
❍ Some sources of mail send the headers and content ahead of the recipient information. It
would be inefficient to buffer up an entire message before deciding if it needs to be
filtered, and it would be clumsy to filter mail and to buffer up all the actions until it is
known whether those actions need to be executed.
● Despite warnings, some people try to use the built-in filter feature for general junk email and/or
virus blocking, using hundreds or even thousands of regular expressions. This can result in
catastrophic performance failure. The symptoms are as follows:
❍ The cleanup(8) processes use up all available CPU time in order to process the regular
expressions, and/or they use up all available memory so that the system begins to swap.
❍ As Postfix needs more and more time to receive an email message, the number of
simultaneous SMTP sessions increases to the point that the SMTP server process limit is
reached.
❍ While all SMTP server processes are waiting for the cleanup(8) servers to finish, new
SMTP clients have to wait until an SMTP server process becomes available. This causes
mail deliveries to time out before they have even begun.
The remedy for this type of performance problem is simple: don't use header/body checks for
general junk email and/or virus blocking, and don't filter mail before it is queued. When
performance is a concern, use an external content filter that runs after mail is queued, as described
in the FILTER_README document.
You configure Postfix to do body checks, Postfix does its thing, Pflogsumm reports it and
Postfix catches the same string in the Pflogsumm report. There are several solutions to
this.
#!/usr/bin/perl
use MIME::Lite;
$msg->send;
Note by Wietse: if you run this on a machine that is accessible by untrusted users, it is safer to store the
Pflogsumm report in a directory that is not world writable.
Other solutions involve additional body_checks rules that make exceptions for daily mail status reports,
but this is not recommended. Such rules slow down all mail and complicate Postfix maintenance.
The easiest approach is to configure ONE Postfix instance with multiple SMTP server IP addresses in
master.cf:
● Two SMTP server IP addresses for mail from inside users only, with header/body filtering turned
off, and a local mail pickup service with header/body filtering turned off.
/etc/postfix.master.cf:
#
==================================================================
# service type private unpriv chroot wakeup maxproc
command
# (yes) (yes) (yes) (never) (100)
#
==================================================================
1.2.3.4:smtp inet n - n - -
smtpd
-o receive_override_options=no_header_body_checks
127.0.0.1:smtp inet n - n - -
smtpd
-o receive_override_options=no_header_body_checks
pickup fifo n - n 60 1
pickup
-o receive_override_options=no_header_body_checks
● One SMTP server address for mail from outside users with header/body filtering turned on via
main.cf.
/etc/postfix.master.cf:
#
=================================================================
# service type private unpriv chroot wakeup maxproc
command
# (yes) (yes) (yes) (never) (100)
#
=================================================================
1.2.3.5:smtp inet n - n - -
smtpd
If you are MX service provider and want to apply disable head/body checks for some domains, you can
configure ONE Postfix instance with multiple SMTP server IP addresses in master.cf. Each address
provides a different service.
/etc/postfix.master.cf:
#
=================================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never) (100)
#
=================================================================
# SMTP service for domains with header/body checks
turned on.
1.2.3.4:smtp inet n - n -
- smtpd
Once this is set up you can configure MX records in the DNS that route each domain to the proper
SMTP server instance.
MYSQL_TABLE(5) MYSQL_TABLE
(5)
NAME
mysql_table - Postfix MySQL client configuration
SYNOPSIS
postmap -q "string" mysql:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format.
ALTERNATIVE CONFIGURATION
For compatibility with other Postfix lookup tables,
MySQL
parameters can also be defined in main.cf. In order to
do
that, specify as MySQL source a name that doesn't
begin
with a slash or a dot. The MySQL parameters will then
be
accessible as the name you've given the source in its
def-
inition, an underscore, and the name of the
parameter.
For example, if the map is specified as "mysql:
mysqlname",
the parameter "hosts" below would be defined in main.cf
as
"mysqlname_hosts".
LIST MEMBERSHIP
When using SQL to store lists such as $mynetworks,
$mydes-
tination, $relay_domains, $local_recipient_maps, etc.,
it
is important to understand that the table must store
each
list member as a separate key. The table lookup
verifies
the *existence* of the key. See "Postfix lists
versus
tables" in the DATABASE_README document for a
discussion.
MYSQL PARAMETERS
hosts The hosts that Postfix will try to connect to
and
query from. Specify unix: for UNIX domain
sockets,
inet: for TCP connections (default). Example:
hosts = host1.some.domain host2.some.domain
hosts = unix:/file/name
user, password
The user name and password to log into the
mysql
server. Example:
user = someone
password = some_password
dbname = customer_database
select_field
The SQL "select" parameter. Example:
select_field = forw_addr
where_field
The SQL "select .. where" parameter. Example:
where_field = alias
additional_conditions
Additional conditions to the SQL query. Example:
additional_conditions = and status = 'paid'
SEE ALSO
postmap(1), Postfix lookup table maintenance
postconf(5), configuration parameters
ldap_table(5), LDAP lookup tables
pgsql_table(5), PostgreSQL lookup tables
README FILES
DATABASE_README, Postfix lookup table overview
MYSQL_README, Postfix MYSQL client guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
MySQL support was introduced with Postfix version 1.0.
AUTHOR(S)
Original implementation by:
Scott Cotton, Joshua Marcus
IC Group, Inc.
MYSQL_TABLE
(5)
PGSQL_TABLE(5) PGSQL_TABLE
(5)
NAME
pgsql_table - Postfix PostgreSQL client configuration
SYNOPSIS
postmap -q "string" pgsql:/etc/postfix/filename
DESCRIPTION
The Postfix mail system uses optional tables for
address
rewriting or mail routing. These tables are usually in
dbm
or db format.
ALTERNATIVE CONFIGURATION
For compatibility with other Postfix lookup tables,
Post-
greSQL parameters can also be defined in main.cf.
In
order to do that, specify as PostgreSQL source a name
that
doesn't begin with a slash or a dot. The
PostgreSQL
parameters will then be accessible as the name
you've
given the source in its definition, an underscore, and
the
name of the parameter. For example, if the map is
speci-
fied as "pgsql:pgsqlname", the parameter "hosts"
below
would be defined in main.cf as "pgsqlname_hosts".
LIST MEMBERSHIP
When using SQL to store lists such as $mynetworks,
$mydes-
tination, $relay_domains, $local_recipient_maps, etc.,
it
is important to understand that the table must store
each
list member as a separate key. The table lookup
verifies
the *existence* of the key. See "Postfix lists
versus
tables" in the DATABASE_README document for a
discussion.
uncommon
to return the key itself or a constant value.
PGSQL PARAMETERS
hosts The hosts that Postfix will try to connect to
and
query from. Specify unix: for UNIX-domain
sockets,
inet: for TCP connections (default). Example:
hosts = host1.some.domain host2.some.domain
hosts = unix:/file/name
user, password
The user name and password to log into the
pgsql
server. Example:
user = someone
password = some_password
select_field
The SQL "select" parameter. Example:
select_field = forw_addr
where_field
The SQL "select .. where" parameter. Example:
where_field = alias
additional_conditions
Additional conditions to the SQL query. Example:
additional_conditions = and status = 'paid'
select_function
This parameter specifies a database function
name.
Example:
select_function = my_lookup_user_alias
SEE ALSO
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
ldap_table(5), LDAP lookup tables
mysql_table(5), MySQL lookup tables
README FILES
DATABASE_README, Postfix lookup table overview
PGSQL_README, Postfix PostgreSQL client guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
PgSQL support was introduced with Postfix version 2.1.
AUTHOR(S)
Based on the MySQL client by:
Scott Cotton, Joshua Marcus
IC Group, Inc.
PGSQL_TABLE
(5)
PROXYMAP(8) PROXYMAP
(8)
NAME
proxymap - Postfix lookup table proxy server
SYNOPSIS
proxymap [generic Postfix daemon options]
DESCRIPTION
The proxymap server provides read-only table lookup
ser-
vice to Postfix processes. The purpose of the service is:
local_recipient_maps =
proxy:unix:passwd.byname $alias_maps
virtual_alias_maps =
proxy:mysql:/etc/postfix/virtual_alias.cf
Each
server terminates after serving at least $max_use
clients
or after $max_idle seconds of idle time.
SECURITY
The proxymap server opens only tables that are
approved
via the proxy_read_maps configuration parameter, does
not
talk to users, and can run at fixed low
privilege,
chrooted or not. However, running the proxymap
server
chrooted severely limits usability, because it can
open
only chrooted tables.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
The proxymap server provides service to multiple
clients,
and must therefore not be used for tables that have
high-
latency lookups.
CONFIGURATION PARAMETERS
On busy mail systems a long time may pass before
prox-
ymap(8) relevant changes to main.cf are picked up. Use
the
command "postfix reload" to speed up a change.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
SEE ALSO
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
The proxymap service was introduced with Postfix 2.0.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
PROXYMAP
(8)
Postfix supports three content inspection methods, ranging from light-weight one-line-at-a-time
scanning before mail is queued, to heavy duty machinery that does sophisticated content
analysis after mail is queued. Each approach serves a different purpose.
This method inspects mail BEFORE it is stored in the queue, and uses Postfix's built-in
message header and message body inspection. Although the main purpose is to stop a
specific flood of mail from worms or viruses, it is also useful to block a flood of
bounced junk email and email notifications from virus detection systems. The built-in
regular expressions are not meant to implement general SPAM and virus detection. For
that, you should use one of the content inspection methods described below. Details are
described in the BUILTIN_FILTER_README and BACKSCATTER_README
documents.
This method inspects mail AFTER it is stored in the queue, and uses standard protocols
such as SMTP or "pipe to command and wait for exit status". After-queue inspection
allows you to use content filters of arbitrary complexity without causing timeouts while
receiving mail, and without running out of memory resources under a peak load. Details
of this approach are in the FILTER_README document.
This method inspects mail BEFORE it is stored in the queue, and uses the SMTP
protocol. Although this approach appears to be the more attractive one, it really
combines the worst of the other two. Because mail is inspected before it is queued,
content inspection software must finish in a limited amount of time, and must run in a
limited amount of memory. If content inspection needs too much time then incoming
mail deliveries will time out, and if content inspection needs too much memory then
software will crash under a peak load. Before-queue inspection limits the peak load that
your system can handle, and limits the sophistication of the content filter that you can
use. Details are in the SMTPD_PROXY_README document. This approach is
available only with Postfix version 2.1 and later.
The more sophisticated content filtering software is not built into Postfix for good reasons:
writing an MTA requires different skills than writing a SPAM or virus killer. Postfix
encourages the use of external filters and standard protocols because this allows you to choose
the best MTA and the best content inspection software for your purpose. Information about
external content inspection software can be found on the Postfix website at http://www.postfix.
org/, and on the postfix-users@postfix.org mailing list.
Overview
This document describes features that require Postfix version 2.0 or later.
If your machine runs Postfix 2.0 and earlier, disable the "pause before reject" feature in the
SMTP server. If your system is under stress then it should not waste time.
/etc/postfix/main.cf:
# Not needed with Postfix 2.1 and later.
smtpd_error_sleep_time = 0
Then I know that this is almost certainly forged mail (almost; see next section for the fly in the
ointment). Mail that is really sent by my systems looks like this:
For the same reason the following message headers are very likely to be the result of forgery:
Another frequent sign of forgery is the Message-ID: header. My systems produce a Message-
ID: of <stuff@hostname.porcupine.org>. The following are forgeries, especially the first one:
Message-ID: <1cb479435d8eb9.2beb1.qmail@porcupine.org>
Message-ID: <yulszqocfzsficvzzju@porcupine.org>
To block such backscatter I use header_checks and body_checks patterns like this:
/etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/header_checks:
/^Received: +from +(porcupine\.org) +/
reject forged client name in Received:
header: $1
/^Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|[he]
+lo +)(porcupine\.org)\)/
reject forged client name in Received:
header: $2
/^Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID:
header: $1
/etc/postfix/body_checks:
/^[> ]*Received: +from +(porcupine\.org) /
reject forged client name in Received:
header: $1
/^[> ]*Received: +from +[^ ]+ +\(([^ ]+ +[he]+lo=|
[he]+lo +)(porcupine\.org)\)/
reject forged client name in Received:
header: $2
/^[> ]*Message-ID:.*@(porcupine\.org)/
reject forged domain name in Message-ID:
header: $1
Notes:
● The example is simplified for educational purposes. In reality my patterns list multiple
domain names, as "(domain|domain|...)".
● The "\." matches "." literally. Without the "\", the "." would match any character.
● The "\(" and "\)" match "(" and ")" literally. Without the "\", the "(" and ")" would
be grouping operators.
Caveats
Netscape Messenger (and reportedly, Mozilla) sends a HELO name that is identical to the
sender address domain part. If you have such clients then the above patterns would block
legitimate email.
My network has only one such machine, and to prevent its mail from being blocked I have
configured it to send mail as user@hostname.porcupine.org. On the Postfix server, a canonical
mapping translates this temporary address into user@porcupine.org.
/etc/postfix/main.cf:
canonical_maps = hash:/etc/postfix/canonical
/etc/postfix/canonical:
@hostname.porcupine.org @porcupine.org
This is of course practical only when you have very few systems that send HELO commands
like this, and when you never have to send mail to a user on such a host.
Like many people I still have a few email addresses in domains that I used in the past. Mail for
those addresses is forwarded to my current address. Most of the backscatter mail that I get
claims to be sent from these addresses. Such mail is obviously forged and is very easy to stop.
/etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
/etc/postfix/header_checks:
/^(From|Return-Path):.*[[:<:]](user@domain\.tld)
[[:>:]]/
reject forged sender address in $1: header: $2
/etc/postfix/body_checks:
/^[> ]*(From|Return-Path):.*[[:<:]](user@domain\.
tld)[[:>:]]/
reject forged sender address in $1: header: $2
Notes:
● The example is simplified for educational purposes. In reality, my patterns list multiple
email addresses as "(user1@domain1\.tld|user2@domain2\.tld)".
● The "[[:<:]]" and "[[:>:]]" match the beginning and end of a word, respectively.
On some systems you should specify "\<" and "\>" instead. For details see your
system documentation.
● The "\." matches "." literally. Without the "\", the "." would match any character.
Another sign of forgery can be found in the IP address that is recorded in Received: headers
next to your HELO host or domain name. This information must be used with care, though.
Some mail servers are behind a network address translator and never see the true client IP
address.
With all the easily recognizable forgeries eliminated, there is one category of backscatter mail
that remains, and that is notifications from virus scanner software. Unfortunately, some virus
scanning software doesn't know that viruses forge sender addresses. To make matters worse,
the software also doesn't know how to report a mail delivery problem, so that we cannot use the
above techniques to recognize forgeries.
Recognizing virus scanner mail is an error prone process, because there is a lot of variation in
report formats. The following is only a small example of message header patterns. For a large
collection of header and body patterns that recognize virus notification email, see http://www.
dkuug.dk/keld/virus/ or http://www.t29.dk/antiantivirus.txt.
/etc/postfix/header_checks:
/^Subject: *Your email contains VIRUSES/ DISCARD
virus notification
/^Content-Disposition:.
*VIRUS1_DETECTED_AND_REMOVED/
DISCARD virus notification
/^Content-Disposition:.*VirusWarning.txt/ DISCARD
virus notification
A plea to virus or spam scanner operators: please do not make the problem worse by sending
return mail to forged sender addresses. You're only harassing innocent people. If you must
return mail to the purported sender, please return the full message headers, so that the sender
can defend against forgeries.
Postfix Standard
Configuration Examples
The first part of this document presents standard configurations that each solve one specific
problem.
The second part of this document presents additional configurations for hosts in specific
environments.
Internet access. At least, that is how Postfix installs when you download the Postfix source
code via http://www.postfix.org/.
You can use the command "postconf -n" to find out what settings are overruled by your main.
cf. Besides a few pathname settings, few parameters should be set on a stand-alone box,
beyond what is covered in the BASIC_CONFIGURATION_README document:
/etc/postfix/main.cf:
# Optional: send mail as user@domainname instead
of user@hostname.
#myorigin = $mydomain
See also the section "Postfix on hosts without a real hostname" if this is applicable to your
configuration.
In this example we assume that the Internet domain name is "example.com" and that the
machine is named "nullclient.example.com". As usual, the examples show only parameters that
are not left at their default settings.
1 /etc/postfix/main.cf:
2 myorigin = $mydomain
3 relayhost = $mydomain
4 inet_interfaces = 127.0.0.1
5 local_transport = error:local delivery is
disabled
6
7 /etc/postfix/master.cf:
Translation:
● Line 3: Forward all mail to the mail server that is responsible for the "example.com"
domain. This prevents mail from getting stuck on the null client if it is turned off while
some remote destination is unreachable.
● Lines 5-8: Disable local mail delivery. All mail goes to the mail server as specified in
line 3.
A drawback of sending mail as "user@example.com" is that mail for "root" and other system
accounts is also sent to the central mailhost. See the section "Delivering some but not all
accounts locally" below for possible solutions.
As usual, the examples show only parameters that are not left at their default settings.
First we present the non-mailhost configuration, because it is the simpler one. This machine
sends mail as "user@example.com" and is final destination for "user@hostname.example.
com".
1 /etc/postfix/main.cf:
2 myorigin = $mydomain
3 mynetworks = 127.0.0.0/8 10.0.0.0/24
4 relay_domains =
5 # Optional: forward all non-local mail to
mailhost
6 #relayhost = $mydomain
Translation:
● Line 4: This host does not relay mail from untrusted networks.
● Line 6: This is needed if no direct Internet access is available. See also below, "Postfix
behind a firewall".
Next we present the mailhost configuration. This machine sends mail as "user@example.com"
and is final destination for "user@hostname.example.com" as well as "user@example.com".
1 DNS:
2 example.com IN MX 10 mailhost.example.
com.
3
4 /etc/postfix/main.cf:
5 myorigin = $mydomain
6 mydestination = $myhostname localhost.
$mydomain localhost $mydomain
7 mynetworks = 127.0.0.0/8 10.0.0.0/24
8 relay_domains =
9 # Optional: forward all non-local mail to
firewall
10 #relayhost = [firewall.example.com]
Translation:
● Line 2: Send mail for the domain "example.com" to the machine mailhost.example.com.
Remember to specify the "." at the end of the line.
● Line 6: This host is the final mail destination for the "example.com" domain, in addition
to the names of the machine itself.
● Line 8: This host does not relay mail from untrusted networks.
● Line 10: This is needed only when the mailhost has to forward non-local mail via a mail
server on a firewall. The [] forces Postfix to do no MX record lookups.
In an environment like this, users access their mailbox in one or more of the following ways:
In the latter case, each user has an alias on the mailhost that forwards mail to her preferred
machine:
/etc/aliases:
joe: joe@joes.preferred.machine
jane: jane@janes.preferred.machine
On some systems the alias database is not in /etc/aliases. To find out the location for your
system, execute the command "postconf alias_maps".
Execute the command "newaliases" whenever you change the aliases file.
Note: this example requires Postfix version 2.0 and later. To find out what Postfix version you
have, execute the command "postconf mail_version".
The solution is presented in multiple parts. This first part gets rid of local mail delivery on the
firewall, making the firewall harder to break.
1 /etc/postfix/main.cf:
2 myorigin = example.com
3 mydestination =
4 local_recipient_maps =
5 local_transport = error:local mail delivery is
disabled
6
7 /etc/postfix/master.cf:
8 Comment out the local delivery agent
Translation:
● Line 2: Send mail from this machine as "user@example.com", so that no reason exists
to send mail to "user@firewall.example.com".
For the sake of technical correctness the firewall must be able to receive mail for postmaster@
[firewall ip address]. Reportedly, some things actually expect this ability to exist. The second
part of the solution therefore adds support for postmaster@[firewall ip address], and as a bonus
we do abuse@[firewall ip address] as well. All the mail to these two accounts is forwarded to
an inside address.
1 /etc/postfix/main.cf:
2 virtual_alias_maps = hash:/etc/postfix/virtual
3
4 /etc/postfix/virtual:
5 postmaster postmaster@example.com
6 abuse abuse@example.com
Translation:
● Because mydestination is empty (see the previous example), only address literals
matching $inet_interfaces or $proxy_interfaces are deemed local. So "localpart@[a.d.d.
r]" can be matched as simply "localpart" in canonical(5) and virtual(5). This avoids the
need to specify firewall IP addresses into Postfix configuration files.
The last part of the solution does the email forwarding, which is the real purpose of the firewall
email function.
1 /etc/postfix/main.cf:
2 mynetworks = 127.0.0.0/8 12.34.56.0/24
3 relay_domains = example.com
4 parent_domain_matches_subdomains =
5 debug_peer_list smtpd_access_maps
6 smtpd_recipient_restrictions =
7 permit_mynetworks reject_unauth_destination
8
9 relay_recipient_maps = hash:/etc/postfix/
relay_recipients
10 transport_maps = hash:/etc/postfix/transport
11
12 /etc/postfix/relay_recipients:
13 user1@example.com x
14 user2@example.com x
15 . . .
16
17 /etc/postfix/transport:
18 example.com smtp:[inside-gateway.example.com]
Translation:
● Lines 1-7: Accept mail from local systems in $mynetworks, and accept mail from
outside for "user@example.com" but not for "user@anything.example.com". The magic
is in lines 4-5.
● Lines 9, 12-14: Define the list of valid addresses in the "example.com" domain that can
receive mail from the Internet. This prevents the mail queue from filling up with
undeliverable MAILER-DAEMON messages. If you can't maintain a list of valid
recipients then you must specify "relay_recipient_maps =" (that is, an empty value), or
you must specify an "@example.com x" wild-card in the relay_recipients table.
● Lines 10, 17-18: Route mail for "example.com" to the inside gateway machine. The []
forces Postfix to do no MX lookup.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out
what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/transport" whenever you change the transport
table.
1 /etc/postfix/main.cf:
2 virtual_alias_maps = hash:/etc/postfix/virtual
3
4 /etc/postfix/virtual:
5 root root@localhost
6 . . .
Translation:
● Line 5: As described in the virtual(5) manual page, the bare name "root" matches
"root@site" when "site" is equal to $myorigin, when "site" is listed in $mydestination,
or when it matches $inet_interfaces or $proxy_interfaces.
In some installations, there may be separate instances of Postfix processing inbound and
outbound mail on a multi-homed firewall. The inbound Postfix instance has an SMTP server
listening on the external firewall interface, and the outbound Postfix instance has an SMTP
server listening on the internal interface. In such a configuration is it is tempting to configure
$inet_interfaces in each instance with just the corresponding interface address.
In most cases using inet_interaces in this way will not work, because as documented in the
$inet_interfaces reference manual, the smtp(8) delivery agent will also use the specified
interface address as the source address for outbound connections and will be unable to reach
hosts on "the other side" of the firewall. The symptoms are that the firewall is unable to
connect to hosts that are in fact up. See the inet_interfaces parameter documentation for
suggested work-arounds.
of that are shown in the local area network section above. A more sophisticated approach is to
send only external mail to the gateway host, and to send intranet mail directly. That's what
Wietse does at work.
Note: this example requires Postfix version 2.0 and later. To find out what Postfix version you
have, execute the command "postconf mail_version".
The following example presents additional configuration. You need to combine this with basic
configuration information as discussed the first half of this document.
1 /etc/postfix/main.cf:
2 transport_maps = hash:/etc/postfix/transport
3 relayhost =
4 # Optional for a machine that isn't "always on"
5 #fallback_relay = [gateway.example.com]
6
7 /etc/postfix/transport:
8 # Internal delivery.
9 example.com :
10 .example.com :
11 # External delivery.
12 * smtp:[gateway.example.com]
Translation:
● Lines 2, 7-12: Request that intranet mail is delivered directly, and that external mail is
given to a gateway. Obviously, this example assumes that the organization uses DNS
MX records internally. The [] forces Postfix to do no MX lookup.
● Line 5: This prevents mail from being stuck in the queue when the machine is turned
off. Postfix tries to deliver mail directly, and gives undeliverable mail to a gateway.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out
what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/transport" whenever you edit the transport table.
This section presents additional configuration. You need to combine this with basic
configuration information as discussed the first half of this document.
When your system is SECONDARY MX host for a remote site this is all you need:
1 DNS:
2 the.backed-up.domain.tld IN MX 100
your.machine.tld.
3
4 /etc/postfix/main.cf:
5 relay_domains = . . . the.backed-up.domain.tld
6 smtpd_recipient_restrictions =
7 permit_mynetworks reject_unauth_destination
8
9 # You must specify your NAT/proxy external
address.
10 #proxy_interfaces = 1.2.3.4
11
12 relay_recipient_maps = hash:/etc/postfix/
relay_recipients
13
14 /etc/postfix/relay_recipients:
15 user1@the.backed-up.domain.tld x
16 user2@the.backed-up.domain.tld x
17 . . .
When your system is PRIMARY MX host for a remote site you need the above, plus:
18 /etc/postfix/main.cf:
19 transport_maps = hash:/etc/postfix/transport
20
21 /etc/postfix/transport:
22 the.backed-up.domain.tld relay:[their.
mail.host.tld]
Important notes:
● Lines 1-7: Forward mail from the Internet for "the.backed-up.domain.tld" to the primary
MX host for that domain.
● Line 10: This is a must if Postfix receives mail via a NAT relay or proxy that presents a
different IP address to the world than the local machine.
Specify dbm instead of hash if your system uses dbm files instead of db files. To find out
what lookup tables Postfix supports, use the command "postconf -m".
Execute the command "postmap /etc/postfix/transport" whenever you change the transport
table.
This section presents additional configuration. You need to combine this with basic
configuration information as discussed the first half of this document.
If you do not have your own hostname (as with dynamic IP addressing) then you should also
study the section on "Postfix on hosts without a real hostname".
If your machine is disconnected most of the time, there isn't a lot of opportunity for
Postfix to deliver mail to hard-to-reach corners of the Internet. It's better to give the mail
to a machine that is connected all the time. In the example below, the [] prevents
Postfix from trying to look up DNS MX records.
/etc/postfix/main.cf:
relayhost = [smtprelay.someprovider.com]
● Disable spontaneous SMTP mail delivery (if using on-demand dialup IP only).
Normally, Postfix attempts to deliver outbound mail at its convenience. If your machine
uses on-demand dialup IP, this causes your system to place a telephone call whenever
you submit new mail, and whenever Postfix retries to deliver delayed mail. To prevent
such telephone calls from being placed, disable spontaneous SMTP mail deliveries.
/etc/postfix/main.cf:
defer_transports = smtp (Only for on-demand dialup IP
hosts)
/etc/postfix/main.cf:
disable_dns_lookups = yes (Only for on-demand dialup
IP hosts)
Put the following command into your PPP or SLIP dialup scripts:
The exact location of the sendmail command is system-specific. Use the command
"postconf sendmail_path" to find out where the Postfix sendmail command is located
on your machine.
In order to find out if the mail queue is flushed, use something like:
#!/bin/sh
If you have disabled spontaneous SMTP mail delivery, you also need to run the
"sendmail -q" command every now and then while the dialup link is up, so that newly-
posted mail is flushed from the queue.
The perfect solution would be for Postfix to do a mapping from local fantasy email addresses
to valid Internet addresses when mail leaves the machine (similar to Sendmail's generics table).
This is planned for the near future.
In the mean time, the solution with Postfix is to use valid Internet addresses where possible,
and to let Postfix map valid Internet addresses to local fantasy addresses. With this, you can
send mail to the Internet and to local fantasy addresses, including mail to local fantasy
addresses that don't have a valid Internet address of their own.
The following example presents additional configuration. You need to combine this with basic
configuration information as discussed the first half of this document.
1 /etc/postfix/main.cf:
2 myhostname = hostname.localdomain
3 mydomain = localdomain
4
5 canonical_maps = hash:/etc/postfix/canonical
6
7 virtual_alias_maps = hash:/etc/postfix/virtual
8
9 /etc/postfix/canonical:
10 your-login-name your-account@your-isp.com
11
12 /etc/postfix/virtual:
13 your-account@your-isp.com your-login-name
Translation:
● Lines 2-3: Substitute your fantasy hostname here. Do not use a domain name that is
already in use by real organizations on the Internet. See RFC 2606 for examples of
domain names that are guaranteed not to be owned by anyone.
1. Access control tests. SMTP server access rules are difficult to verify when decisions can
be triggered only by remote clients. In order to facilitate access rule testing, an
authorized SMTP client test program needs the ability to override the SMTP server's
idea of the SMTP client hostname, network address, and other client information, for
the entire duration of an SMTP session.
2. Client software that downloads mail from an up-stream mail server and injects it into a
local MTA via SMTP. In order to take advantage of the local MTA's SMTP server
access rules, the client software needs the ability to override the SMTP server's idea of
the remote client name, client address and other information. Such information can
typically be extracted from the up-stream mail server's Received: message header.
3. Post-filter access control and logging. With Internet->filter->MTA style content filter
applications, the filter can be simplified if it can delegate decisions concerning mail
relay and other access control to the MTA. This is especially useful when the filter acts
as a transparent proxy for SMTP commands. This requires that the filter can override
the MTA's idea of the SMTP client hostname, network address, and other information.
In SMTP server EHLO replies, the keyword associated with this extension is XCLIENT. It is
followed by the names of the attributes that the XCLIENT implementation supports.
The XCLIENT command may be sent at any time except in the middle of a mail delivery
transaction (i.e. between MAIL and DOT). The XCLIENT command may be pipelined when
the server supports ESMTP command pipelining.
The syntax of XCLIENT requests is described below. Upper case and quoted strings specify
terminals, lowercase strings specify meta terminals, and SP is whitespace. Although command
and attribute names are shown in upper case, they are in fact case insensitive.
● The NAME attribute specifies an SMTP client hostname (not an SMTP client address),
[UNAVAILABLE] when client hostname lookup failed due to a permanent error, or
[TEMPUNAVAIL] when the lookup error condition was transient.
● The ADDR attribute specifies an SMTP client numerical IPv4 network address, an IPv6
address prefixed with IPV6:, or [UNAVAILABLE] when the address information is
unavailable. Address information is not enclosed with [].
● The HELO attribute specifies an SMTP HELO parameter value, or the value
[UNAVAILABLE] when the information is unavailable.
Note 1: syntactically valid NAME and HELO attributes can be up to 255 characters long. The
client must not send XCLIENT commands that exceed the 512 character limit for SMTP
commands. To avoid exceeding the limit the client should send the information in multiple
XCLIENT commands.
Code Meaning
250 success
501 bad command parameter syntax
503 mail transaction in progress
unable to proceed,
421
disconnecting
XCLIENT Examples
In the first example, the client impersonates a mail originating system by passing all SMTP
session information via XCLIENT commands. Information sent by the client is shown in bold
font.
In the second example, the client impersonates a mail originating system by sending the
XCLIENT command before the EHLO or HELO command. This increases the realism of
impersonation, but requires that the client knows ahead of time what XCLIENT options the
server supports.
Security
The XCLIENT command changes audit trails and/or SMTP client access permissions. Use of
this command must be restricted to authorized SMTP clients. However, the XCLIENT
command should not override its own access control mechanism.
DISCARD(8) DISCARD
(8)
NAME
discard - Postfix discard mail delivery agent
SYNOPSIS
discard [generic Postfix daemon options]
DESCRIPTION
The Postfix discard delivery agent processes
delivery
requests from the queue manager. Each request specifies
a
queue file, a sender address, a domain or host name
that
is treated as the reason for discarding the mail,
and
recipient information. This program expects to be
run
from the master(8) process manager.
SECURITY
The discard mailer is not security-sensitive. It does
not
STANDARDS
None.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as
dis-
card(8) processes run for only a limited amount of
time.
Use the command "postfix reload" to speed up a change.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
double_bounce_sender (double-bounce)
The sender address of postmaster notifications
that
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
SEE ALSO
qmgr(8), queue manager
bounce(8), delivery status reports
error(8), Postfix error delivery agent
postconf(5), configuration parameters
master(5), generic daemon options
master(8), process manager
syslogd(8), system logging
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
This service was introduced with Postfix version 2.2.
AUTHOR(S)
Victor Duchovni
Morgan Stanley
DISCARD
(8)
Introduction
The Postfix mysql map type allows you to hook up Postfix to a MySQL database. This
implementation allows for multiple mysql databases: you can use one for a virtual(5) table, one
for an access(5) table, and one for an aliases(5) table if you want. You can specify multiple
servers for the same database, so that Postfix can switch to a good database server if one goes
bad.
Busy mail servers using mysql maps will generate lots of concurrent mysql clients, so the
mysql server(s) should be run with this fact in mind. You can reduce the number of concurrent
mysql clients by using the Postfix proxymap(8) service.
The Postfix MySQL client utilizes the mysql client library, which can be obtained from:
http://www.mysql.com/downloads/
http://sourceforge.net/projects/mysql/
In order to build Postfix with mysql map support, you will need to add -DHAS_MYSQL and -I
for the directory containing the mysql headers, and the mysqlclient library (and libm) to
AUXLIBS, for example:
-lm'
Then, just run 'make'. This requires libz, the compression library. Older mysql implementations
build without libz.
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
# The user name and password to log into the mysql server.
user = someone
password = some_password
status = 'paid'
#
# ($lookup is escaped so if it contains single quotes or other
odd
# characters, it will not cause trouble).
Additional notes
The MySQL configuration interface setup allows for multiple mysql databases: you can use
one for a virtual table, one for an access table, and one for an aliases table if you want.
Since sites that have a need for multiple mail exchangers may enjoy the convenience of using a
networked mailer database, but do not want to introduce a single point of failure to their
system, we've included the ability to have Postfix reference multiple hosts for access to a single
mysql map. This will work if sites set up mirrored mysql databases on two or more hosts.
Whenever queries fail with an error at one host, the rest of the hosts will be tried in random
order. If no mysql server hosts are reachable, then mail will be deferred until at least one of
those hosts is reachable.
Credits
● The initial version was contributed by Scott Cotton and Joshua Marcus, IC Group, Inc.
● Liviu Daia revised the configuration interface and added the main.cf configuration
feature.
Introduction
The Postfix pgsql map type allows you to hook up Postfix to a PostgreSQL database. This
implementation allows for multiple pgsql databases: you can use one for a virtual(5) table, one
for an access(5) table, and one for an aliases(5) table if you want. You can specify multiple
servers for the same database, so that Postfix can switch to a good database server if one goes
bad.
Busy mail servers using pgsql maps will generate lots of concurrent pgsql clients, so the pgsql
server(s) should be run with this fact in mind. You can reduce the number of concurrent pgsql
clients by using the Postfix proxymap(8) service.
In order to build Postfix with pgsql map support, you specify -DHAS_PGSQL, the directory
with the PostgreSQL header files, and the location of the libpq library file.
For example:
% make tidy
% make -f Makefile.init makefiles \
'CCARGS=-DHAS_PGSQL -I/usr/local/include/
pgsql' \
'AUXLIBS=-L/usr/local/lib -lpq'
/etc/postfix/main.cf:
alias_maps = pgsql:/etc/postfix/pgsql-aliases.cf
#
# The hosts that Postfix will try to connect to
hosts = host1.some.domain host2.some.domain
# The user name and password to log into the pgsql server.
user = someone
password = some_password
#
# ($lookup is escaped so if it contains single quotes or other
odd
# characters, it will not cause problems).
#
# You may also override the built-in SELECT template. See
pgsql_table(5)
# for details.
For this reason we've included the ability to have Postfix reference multiple hosts for access to
a single pgsql map. This will work if sites set up mirrored pgsql databases on two or more
hosts.
Whenever queries fail with an error at one host, the rest of the hosts will be tried in random
order. If no pgsql server hosts are reachable, then mail will be deferred until at least one of
those hosts is reachable.
Credits
● This code is based upon the Postfix mysql map by Scott Cotton and Joshua Marcus, IC
Group, Inc.
● The PostgreSQL changes were done by Aaron Sethman.
● Updates for Postfix 1.1.x and PostgreSQL 7.1+ and support for calling stored
procedures were added by Philip Warner.
● LaMont Jones was the initial Postfix pgsql maintainer.
● Liviu Daia revised the configuration interface and added the main.cf configuration
feature.
LMTP(8) LMTP
(8)
NAME
lmtp - Postfix local delivery via LMTP
SYNOPSIS
lmtp [generic Postfix daemon options]
DESCRIPTION
The LMTP client processes message delivery requests
from
the queue manager. Each request specifies a queue file,
a
sender address, a domain or host to deliver to, and
recip-
ient information. This program expects to be run from
the
master(8) process manager.
unix:pathname
Connect to the local UNIX-domain server that
is
bound to the specified pathname. If the
process
runs chrooted, an absolute pathname is
interpreted
relative to the changed root directory.
SECURITY
The LMTP client is moderately security-sensitive. It
talks
to LMTP servers and to DNS servers on the network.
The
LMTP client can be run chrooted at fixed low privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 1651 (SMTP service extensions)
RFC 1652 (8bit-MIME transport)
RFC 1870 (Message Size Declaration)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
Cor-
rupted message files are marked so that the queue
manager
can move them to the corrupt queue for further
inspection.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically, as lmtp
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
COMPATIBILITY CONTROLS
lmtp_skip_quit_response (no)
Wait for the response to the LMTP QUIT command.
debug_peer_list (empty)
Optional list of remote client or server
hostname
or network address patterns that cause the
verbose
logging level to increase by the amount
specified
in $debug_peer_level.
error_notice_recipient (postmaster)
The recipient of postmaster notifications
about
mail delivery problems that are caused by
policy,
resource, software or protocol errors.
lmtp_send_xforward_command (no)
Send an XFORWARD command to the LMTP server
when
the LMTP LHLO server response announces
XFORWARD
support.
lmtp_sasl_password_maps (empty)
Optional LMTP client lookup tables with one
user-
name:password entry per host or domain.
lmtp_cache_connection (yes)
Keep Postfix LMTP client connections open for up
to
$max_idle seconds.
transport_destination_concurrency_limit
($default_destina-
tion_concurrency_limit)
Limit the number of parallel deliveries to the
same
destination via this mail delivery transport.
transport_destination_recipient_limit
($default_destina-
tion_recipient_limit)
Limit the number of recipients per message
delivery
via this mail delivery transport.
lmtp_connect_timeout (0s)
The LMTP client time limit for completing a
TCP
connection, or zero (use the operating
system
built-in time limit).
lmtp_lhlo_timeout (300s)
The LMTP client time limit for receiving the
LMTP
greeting banner.
lmtp_xforward_timeout (300s)
The LMTP client time limit for sending the
XFORWARD
command, and for receiving the server response.
lmtp_mail_timeout (300s)
The LMTP client time limit for sending the
MAIL
FROM command, and for receiving the
server
response.
lmtp_rcpt_timeout (300s)
The LMTP client time limit for sending the RCPT
TO
command, and for receiving the server response.
lmtp_data_init_timeout (120s)
lmtp_data_xfer_timeout (180s)
The LMTP client time limit for sending the
LMTP
message content.
lmtp_data_done_timeout (600s)
The LMTP client time limit for sending the
LMTP
".", and for receiving the server response.
lmtp_rset_timeout (20s)
The LMTP client time limit for sending the
RSET
command, and for receiving the server response.
lmtp_quit_timeout (300s)
The LMTP client time limit for sending the
QUIT
command, and for receiving the server response.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
disable_dns_lookups (no)
Disable DNS lookups in the Postfix SMTP and
LMTP
clients.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
lmtp_tcp_port (24)
The default TCP port that the Postfix LMTP
client
connects to.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
bounce(8), delivery status reports
qmgr(8), queue manager
postconf(5), configuration parameters
master(5), generic daemon options
services(4), Internet services and aliases
master(8), process manager
syslogd(8), system logging
README FILES
LMTP_README, Postfix LMTP client howto
VIRTUAL_README, virtual delivery agent howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
LMTP
(8)
http://www.subneural.net/postfix-master/LMTP_README.html01/16/2005 15:46:43
Postfix Performance Tuning
For tuning external content filter performance, first read the respective information in the
FILTER_README and SMTPD_PROXY_README documents. Then make sure to avoid latency in the
content filter code. As much as possible avoid performing queries against external data sources with a high
or highly variable delay. Your content filter will run with a small concurrency to avoid CPU/memory
starvation, and if any latency creeps in, content filter throughput will suffer. High volume environments
should avoid RBL lookups, complex database queries and so on.
The following tools can be used to measure mail system performance under artificial loads. They are
normally not installed with Postfix.
● Run a local name server to reduce slow-down due to DNS lookups. If you run multiple Postfix
systems, point each local name server to a shared forwarding server to reduce the number of lookups
across the upstream network link.
● Eliminate unnecessary LDAP lookups, by specifying a domain filter. This eliminates lookups for
addresses in remote domains, and eliminates lookups of partial addresses. See ldap_table(5) for
details.
● Look for obvious signs of trouble as described in the DEBUG_README document, and eliminate
those problems first.
● Turn off your header_checks and body_checks patterns and see if the problem goes away.
● Turn off chroot operation as described in the DEBUG_README document and see if the problem
goes away.
● If Postfix logs the SMTP client as "unknown" then you have a name service problem: the name
server is bad, or the resolv.conf file contains bad information, or some packet filter is blocking the
DNS requests or replies.
● If the number of smtpd(8) processes has reached the process limit as specified in master.cf, new
SMTP clients must wait until a process becomes available. Increase the number of processes if
memory permits. See the instructions given under "Tuning the number of Postfix processes".
You can speed up the handling of smtpd(8) server error replies by turning off the delay:
/etc/postfix/main.cf:
# Not needed with Postfix 2.1
smtpd_error_sleep_time = 0
With the above setting, Postfix 2.0 and earlier can serve more SMTP clients with the same number SMTP
server processes. The next section describes how Postfix deals with clients that make a large number of
errors.
As the per-session error count increases, the smtpd(8) server changes behavior and begins to insert delays
into the responses. The idea is to slow down a run-away client in order to limit resource usage. The
behavior is Postfix version dependent.
IMPORTANT: These delays slow down Postfix, too. When too much delay is configured, the number of
simultaneous SMTP sessions will increase until it reaches the smtpd(8) server process limit, and new SMTP
clients must wait until an smtpd(8) server process becomes available.
● When the error count reaches $smtpd_soft_error_limit (default: 10), the Postfix smtpd(8) server
delays all non-error and error responses by $smtpd_error_sleep_time seconds (default: 1 second).
● When the error count reaches $smtpd_hard_error_limit (default: 20) the Postfix smtpd(8) server
breaks the connection.
● When the error count is less than $smtpd_soft_error_limit (default: 10) the Postfix smtpd(8) server
delays all error replies by $smtpd_error_sleep_time (1 second with Postfix 2.0, 5 seconds with
Postfix 1.1 and earlier).
● When the error count reaches $smtpd_soft_error_limit, the Postfix smtpd(8) server delays all
responses by "error count" seconds or $smtpd_error_sleep_time, whichever is more.
● When the error count reaches $smtpd_hard_error_limit (default: 20) the Postfix smtpd(8) server
breaks the connection.
The Postfix smtpd(8) server can limit the number of simultaneous connections from the same SMTP client,
as well as the number of connections that a client is allowed to make per unit time. These statistics are
maintained by the anvil(8) server (translation: if anvil(8) breaks, then connection limits stop working).
IMPORTANT: These limits are designed to protect the smtpd(8) server against flagrant abuse. Do not use
these limits to regulate legitimate traffic: mail will suffer grotesque delays if you do so.
● These limits are not applied to SMTP clients in the networks specified with
$smtpd_client_connection_limit_exceptions (default: clients in $mynetworks may make an
unlimited number of connections).
● The anvil_rate_time_unit parameter specifies the time unit over which client connection rates are
computed (default: 60s).
● In case of slow delivery, run the qshape tool as described in the QSHAPE_README document.
● Submit multiple recipients per message instead of submitting messages with only a few recipients.
● Submit mail via SMTP instead of /usr/sbin/sendmail. You may have to adjust the
smtpd_recipient_limit parameter setting.
● Don't overwhelm the disk with mail submissions. Optimize the mail submission rate by tuning the
number of parallel submissions and/or by tuning the Postfix in_flow_delay parameter setting.
● Run a local name server to reduce slow-down due to DNS lookups. If you run multiple Postfix
systems, point each local name server to a shared forwarding server to reduce the number of lookups
across the upstream network link.
● Reduce the smtp_connect_timeout and smtp_helo_timeout values so that Postfix does not waste lots
● Use a dedicated mail delivery transport for problematic destinations, with reduced timeouts and with
adjusted concurrency. See "Tuning the number of simultaneous deliveries" below.
● Use a fallback_relay host for mail that cannot be delivered upon the first attempt. This "graveyard"
machine can use shorter retry times for difficult to reach destinations. See "Tuning the frequency of
deferred mail delivery attempts" below.
● Speed up disk updates with a large (64MB) persistent write cache. This allows disk updates to be
sorted for optimal access speed without compromising file system integrity when the system crashes.
● Use a solid-state disk (a persistent RAM disk). This is an expensive solution that should be used in
combination with short SMTP timeouts and a fallback_relay "graveyard" machine that delivers mail
for problem destinations.
The Postfix queue manager implements the analog of the TCP slow start flow control strategy: when
delivering to a site, send a small number of messages first, then increase the concurrency as long as all goes
well; reduce concurrency in the face of congestion.
● The initial_destination_concurrency parameter (default: 5) controls how many messages are initially
sent to the same destination before adapting delivery concurrency. Of course, this setting is effective
only as long as it does not exceed the process limit and the destination concurrency limit for the
specific mail transport channel.
The above default values of the concurrency limits work well in a broad range of situations. Knee-jerk
changes to these parameters in the face of congestion can actually make problems worse. Specifically, large
destination concurrencies should never be the default. They should be used only for transports that deliver
mail to a small number of high volume domains.
A common situation where high concurrency is called for is on gateways relaying a high volume of mail
from between the Internet and an intranet mail environment. Approximately half the mail (assuming equal
volumes inbound and outbound) will be destined for the internal mail hubs. Since the internal mail hubs will
be receiving all external mail exclusively from the gateway, it is reasonable to configure the gateway to
make greater demands on the capacity of the internal SMTP servers.
The tuning of the inbound concurrency limits need not be trial and error. A high volume capable mailhub
should be able to easily handle 50 or 100 (rather than the default 20) simultaneous connections, especially if
the gateway forwards to multiple MX hosts. When all MX hosts are up and accepting connections in a
timely fashion, throughput will be high. If any MX host is down and completely unresponsive, the average
connection latency rises to at least 1/N * $smtp_connection_timeout, if there are N MX hosts. This limits
throughput to at most the destination concurrency * N / $smtp_connection_timeout.
For example, with a destination concurrency of 100 and 2 MX hosts, each host will handle up to 50
simultaneous connections. If one MX host is down and the default SMTP connection timeout is 30s, the
throughput limit is 100 * 2 / 30 ~= 6 messages per second. This suggests that high volume destinations with
good connectivity and multiple MX hosts need a lower connection timeout, values as low as 5s or even 1s
can be used to prevent congestion when one or more, but not all MX hosts are down.
If necessary, set a higher transport_destination_concurrency_limit (in main.cf since this is a queue manager
parameter) and a lower smtp_connection_timeout (with a "-o" override in master.cf since this parameter has
no per-transport name) for the relay transport and any transports dedicated for specific high volume
destinations.
If an email message exceeds the recipient limit for some destination, the Postfix queue manager breaks up
the list of recipients into smaller lists. Postfix will attempt to send multiple copies of the message in parallel.
IMPORTANT: Be careful when increasing the recipient limit per message delivery; some smtpd(8) servers
abort the connection when they run out of memory or when a hard recipient limit is reached, so that the
message will never be delivered.
The smtpd_recipient_limit parameter (default: 1000) controls how many recipients the Postfix smtpd(8)
server will take per delivery. The default limit is more than any reasonable SMTP client would send. The
limit exists to protect the local mail system against a run-away client.
● When the delivery agent blames the message, the queue manager gives the queue file a time stamp
into the future, so it won't be looked at for a while. By default, the amount of time to cool down is
the amount of time that has passed since the message arrived. This results in so-called exponential
backoff behavior.
● When the delivery agent blames the receiving party (for example a local recipient user, or a remote
host), the queue manager not only advances the queue file time stamp, but also puts the receiving
party on a "dead" list so that it will be skipped for some amount of time.
IMPORTANT: If you increase the frequency of deferred mail delivery attempts, or if you flush the deferred
mail queue frequently, then you may find that Postfix mail delivery performance actually becomes worse.
The symptoms are as follows:
● The active queue becomes saturated with mail that has delivery problems. New mail enters the active
queue only when an old message is deferred. This is a slow process that usually requires timing out
● All available Postfix delivery agents become occupied trying to connect to unreachable sites etc.
New mail has to wait until a delivery agent becomes available. This is a slow process that usually
requires timing out one or more SMTP connections.
When mail is being deferred frequently, fixing the problem is always better than increasing the frequency of
delivery attempts. However, if you can control only the delivery attempt frequency, consider using a
dedicated fallback_relay "graveyard" machine for bad destinations so that they do not ruin the performance
of normal mail deliveries.
You can change the global process limit by specifying a non-default default_process_limit in the main.cf
file. For example, to run up to 10 smtp client processes, 10 smtp server processes, and so on:
/etc/postfix/main.cf:
default_process_limit = 10
You need to execute "postfix reload" to make the change effective. The limits are enforced by the Postfix
master(8) daemon which does not automatically read main.cf when it changes.
You can override the process limit for specific Postfix daemons by editing the master.cf file. For example, if
you do not wish to receive 100 SMTP messages at the same time, but do not want to change the process
limits for local mail deliveries, you could specify:
/etc/postfix/master.cf:
#
====================================================================
# service type private unpriv chroot wakeup maxproc
command + args
# (yes) (yes) (yes) (never) (100)
#
====================================================================
. . .
smtp inet n - - - 10
smtpd
. . .
When Postfix opens too many files or sockets, processes will abort with fatal errors, and the system may log
"file table full" errors.
● Reduce the number of processes as described under "Tuning the number of Postfix processes" above.
Fewer processes need fewer open files and sockets.
● Configure the kernel for more open files and sockets. The details are extremely system dependent
and change with the operating system version. Be sure to verify the following information with your
system tuning guide:
❍ Some FreeBSD kernel parameters can be specified in /boot/loader.conf, and some can be
changed with sysctl commands. Which is which depends on the version.
kern.ipc.maxsockets="5000"
kern.ipc.nmbclusters="65536"
kern.maxproc="2048"
kern.maxfiles="16384"
kern.maxfilesperproc="16384"
❍ Linux kernel parameters can be specified in /etc/sysctl.conf and can also be changed with
sysctl commands:
fs.file-max=16384
kernel.threads-max=2048
❍ Solaris kernel parameters can be specified in /etc/system, as described in the Solaris FAQ
entry titled "How can I increase the number of file descriptors per process?"
The text assumes that the Postfix main.cf and master.cf configuration files are stored in directory /
etc/postfix. You can use the command "postconf config_directory" to find out the actual
location of this directory on your machine.
When Postfix does not receive or deliver mail, the first order of business is to look for errors that
prevent Postfix from working properly:
Note: the most important message is near the BEGINNING of the output. Error messages that
come later are less useful.
● "panic" indicates a problem in the software itself that only a programmer can fix. Postfix
cannot proceed until this is fixed.
● "fatal" is the result of missing files, incorrect permissions, incorrect configuration file
settings that you can fix. Postfix cannot proceed until this is fixed.
● "error" reports a fatal or non-fatal error condition. Postfix cannot proceed until this is
fixed.
● "warning" indicates a non-fatal error. These are problems that you may not be able to fix
(such as a broken DNS server elsewhere on the network) but may also indicate local
configuration errors that could become a problem later.
Postfix can produce two types of mail delivery reports for debugging:
● What-if: report what would happen, but do not actually deliver mail. This mode of
operation is requested with:
● What happened: deliver mail and report successes and/or failures, including replies from
$ /usr/sbin/sendmail -v address...
Mail Delivery Status Report will be mailed to <your login
name>.
These reports contain information that is generated by Postfix delivery agents. Since these run as
daemon processes and do not interact with users directly, the result is sent as mail to the sender of
the test message. The format of these reports is practically identical to that of ordinary non-
delivery notifications.
For a detailed example of a mail delivery status report, see the debugging section at the end of the
ADDRESS_REWRITING_README document.
The example below shows an SMTP server that is configured with chroot turned off:
/etc/postfix/master.cf:
#
=============================================================
# service type private unpriv chroot wakeup
maxproc command
# (yes) (yes) (yes) (never)
(100)
#
=============================================================
smtp inet n - n -
- smtpd
Inspect master.cf for any processes that have chroot operation not turned off. If you find any,
save a copy of the master.cf file, and edit the entries in question. After executing the command
"postfix reload", see if the problem has gone away.
If turning off chrooted operation made the problem go away, then congratulations. Leaving
Postfix running in this way is adequate for most sites. If you prefer chrooted operation, see the
Postfix BASIC_CONFIGURATION_README file for information about how to prepare
Postfix for chrooted operation.
/etc/postfix/main.cf:
debug_peer_list = 127.0.0.1
You can specify one or more hosts, domains, addresses or net/masks. To make the change
effective immediately, execute the command "postfix reload".
Run this for a while, stop with Ctrl-C when done. To view the data use a binary viewer, or
ethereal, or use my tcpdumpx utility that is available from ftp://ftp.porcupine.org/pub/
debugging/.
/etc/postfix/master.cf:
smtp inet n - n -
- smtpd -v
This makes the Postfix SMTP server more verbose. To diagnose problems with address rewriting
one would specify a "-v" option for the cleanup(8) and/or trivial-rewrite(8) daemon, and to
diagnose problems with mail delivery one would specify a "-v" option for the qmgr(8) or oqmgr
(8) queue manager, or for the lmtp(8), local(8), pipe(8), smtp(8), or virtual(8) delivery agent.
Tracing a running process can give valuable information about what a process is attempting to
do. This is as much information as you can get without running an interactive debugger program,
as described in a later section.
1. System call tracers such as trace, truss, strace, or ktrace. These show the communication
between the process and the kernel.
2. Library call tracers such as sotruss and ltrace. These show calls of library routines, and
give a better idea of what is going on within the process.
/etc/postfix/master.cf:
smtp inet n - n -
- smtpd -D
Edit the debugger_command definition in /etc/postfix/main.cf so that it invokes the call tracer of
your choice, for example:
/etc/postfix/main.cf:
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin;
(truss -p $process_id 2>&1 | logger -p mail.
info) & sleep 5
/etc/postfix/main.cf:
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/
bin
xxgdb $daemon_directory/$process_name
$process_id & sleep 5
Be sure that gdb is in the command search path, and export XAUTHORITY so that X access
control works, for example:
/etc/postfix/master.cf:
smtp inet n - n -
- smtpd -D
Stop and start the Postfix system. This is necessary so that Postfix runs with the proper
XAUTHORITY and DISPLAY settings.
Whenever the suspect daemon process is started, a debugger window pops up and you can watch
in detail what happens.
/etc/postfix/main.cf:
debugger_command =
PATH=/bin:/usr/bin:/usr/local/bin; export PATH;
(echo cont; echo
where; sleep 8640000) | gdb $daemon_directory/
$process_name
$process_id 2>&1
>$config_directory/$process_name.$process_id.
log & sleep 5
/etc/postfix/master.cf:
smtp inet n - n -
- smtpd -D
Whenever a suspect daemon process is started, an output file is created, named after the daemon
and process ID (for example, smtpd.12345.log). When the process crashes, a stack trace (with
output from the "where" command) is written to its logfile.
Unreasonable behavior
Sometimes the behavior exhibited by Postfix just does not match the source code. Why can a
program deviate from the instructions given by its author? There are two possibilities.
● The hardware has erred. Does the machine have ECC memory?
In both cases, the program being executed is not the program that was supposed to be executed,
so anything could happen.
Hardware-related failures usually do not reproduce in exactly the same way after power cycling
and rebooting the system. There's little Postfix can do about bad hardware. Be sure to use
hardware that at the very least can detect memory errors. Otherwise, Postfix will just be waiting
to be hit by a bit error. Critical systems deserve real hardware.
When a compiler makes an error, the problem can be reproduced whenever the resulting program
is run. Compiler errors are most likely to happen in the code optimizer. If a problem is
reproducible across power cycles and system reboots, it can be worthwhile to rebuild Postfix with
optimization disabled, and to see if optimization makes a difference.
% make tidy
% make makefiles OPT=
% make
% su
# make install
If the problem goes away, then it is time to ask your vendor for help.
● A summary of the problem. Please do not just send some logging without explanation of
what YOU believe is wrong.
● Consider using a test email address so that you don't have to reveal email addresses of
innocent people.
● If you can't use a test email address, please anonymize information consistently. Replace
each letter by "A", each digit by "D" so that the helpers can still recognize syntactical
errors.
● Complete error messages. Please use cut-and-paste, or use attachments, instead of reciting
information from memory.
● Postfix logging. See the text at the top of the DEBUG_README document to find out
where logging is stored. Please do not frustrate the helpers by word wrapping the logging.
● Output from "postconf -n". Please do not send your main.cf file. Or better, provide output
from the "postfinger" tool.
● If the problem is about too much mail in the queue, consider including output from the
qshape tool, as described in the QSHAPE_README file.
● If the problem is protocol related (connections time out or an SMTP server complains
about syntax errors etc.) consider recording a session with tcpdump, as described in the
DEBUG_README document.
SMTP-SOURCE(1) SMTP-SOURCE
(1)
NAME
smtp-source - multi-threaded SMTP/LMTP test generator
SYNOPSIS
smtp-source [options] [inet:]host[:port]
DESCRIPTION
smtp-source connects to the named host and TCP
port
(default: port 25) and sends one or more messages to
it,
either sequentially or in parallel. The program
speaks
either SMTP (default) or LMTP. Connections can be made
to
UNIX-domain and IPv4 or IPv6 servers. IPv4 and IPv6
are
the default.
Arguments:
-C count
When a host sends RESET instead of SYN|ACK,
try
count times before giving up. The default count
is
1. Specify a larger count in order to work around
a
problem with TCP/IP stacks that send RESET when
the
listen queue is full.
-f from
Use the specified sender address
(default:
<foo@myhostname>).
-l length
Send length bytes as message payload. The
length
does not include message headers.
-m message_count
Send the specified number of messages (default:
1).
better
approximating Postfix performance under real-
life
work-loads.
-r recipient_count
Send the specified number of recipients per
trans-
action (default: 1). Recipient names are
generated
by prepending a number to the recipient address.
-s session_count
Run the specified number of SMTP sessions in
paral-
lel (default: 1).
-S subject
Send mail with the named subject line
(default:
none).
-R interval
Wait for a random period of time 0 <= n <=
interval
between messages. Suspending one thread does
not
affect other delivery threads.
-w interval
Wait a fixed time between messages. Suspending
one
thread does not affect other delivery threads.
[inet:]host[:port]
Connect via TCP to host host, port port.
The
default port is smtp.
unix:pathname
Connect to the UNIX-domain socket at pathname.
BUGS
No SMTP command pipelining support.
SEE ALSO
smtp-sink(1), SMTP/LMTP message dump
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SMTP-SOURCE
(1)
SMTP-SINK(1) SMTP-SINK
(1)
NAME
smtp-sink - multi-threaded SMTP/LMTP test server
SYNOPSIS
smtp-sink [options] [inet:][host]:port backlog
DESCRIPTION
smtp-sink listens on the named host (or address) and
port.
It takes SMTP messages from the network and throws
them
away. The purpose is to measure client performance,
not
protocol compliance.
Arguments:
whenever
an SMTP QUIT command is executed.
-f command,command,...
Reject the specified commands with a hard
(5xx)
error code.
-h hostname
Use hostname in the SMTP greeting, in the
HELO
response, and in the EHLO response. The
default
hostname is "smtp-sink".
-n count
Terminate after count sessions. This is for
testing
purposes.
-q command,command,...
Disconnect (without replying) after receiving
one
of the specified commands.
-r command,command,...
Reject the specified commands with a soft
(4xx)
error code.
-s command,command,...
Log the named commands to syslogd. Examples
of
commands that can be logged are HELO, EHLO,
LHLO,
MAIL, RCPT, VRFY, RSET, NOOP, and QUIT.
Separate
command names by white space or commas, and
use
quotes to protect white space from the shell.
Com-
mand names are case-insensitive.
-w delay
Wait delay seconds before responding to a DATA
com-
mand.
[inet:][host]:port
Listen on network interface host (default:
any
interface) TCP port port. Both host and port may
be
specified in numeric or symbolic form.
unix:pathname
Listen on the UNIX-domain socket at pathname.
backlog
The maximum length the queue of pending
connec-
tions, as defined by the listen(2) call.
SEE ALSO
smtp-source(1), SMTP/LMTP message generator
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
SMTP-SINK
(1)
QMQP-SOURCE(1) QMQP-SOURCE
(1)
NAME
qmqp-source - multi-threaded QMQP test generator
SYNOPSIS
qmqp-source [options] [inet:]host[:port]
DESCRIPTION
qmqp-source connects to the named host and TCP
port
(default 628) and sends one or more messages to it,
either
sequentially or in parallel. The program speaks the
QMQP
protocol. Connections can be made to UNIX-domain and
IPv4
or IPv6 servers. IPv4 and IPv6 are the default.
Options:
-C count
When a host sends RESET instead of SYN|ACK,
try
count times before giving up. The default count
is
1. Specify a larger count in order to work around
a
problem with TCP/IP stacks that send RESET when
the
listen queue is full.
-f from
Use the specified sender address
(default:
<foo@myhostname>).
-l length
Send length bytes as message payload. The
length
includes the message headers.
-m message_count
Send the specified number of messages (default:
1).
-r recipient_count
Send the specified number of recipients per
trans-
action (default: 1). Recipient names are
generated
by prepending a number to the recipient address.
-s session_count
Run the specified number of QMQP sessions in
paral-
lel (default: 1).
-R interval
Wait for a random period of time 0 <= n <=
interval
-w interval
Wait a fixed time between messages. Suspending
one
thread does not affect other delivery threads.
SEE ALSO
qmqp-sink(1), QMQP message dump
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
QMQP-SOURCE
(1)
QMQP-SINK(1) QMQP-SINK
(1)
NAME
qmqp-sink - multi-threaded QMQP test server
SYNOPSIS
qmqp-sink [-46cv] [-x time] [inet:][host]:port backlog
DESCRIPTION
qmqp-sink listens on the named host (or address) and
port.
It receives messages from the network and throws
them
away. The purpose is to measure QMQP client
performance,
not protocol compliance. Connections can be accepted
on
IPv4 or IPv6 endpoints, or on UNIX-domain sockets.
IPv4
and IPv6 are the default. This program is the
complement
of the qmqp-source(1) program.
-x time
Terminate after time seconds. This is to
facilitate
memory leak testing.
SEE ALSO
qmqp-source(1), QMQP message generator
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
QMQP-SINK
(1)
ANVIL(8) ANVIL
(8)
NAME
anvil - Postfix session count and request rate control
SYNOPSIS
anvil [generic Postfix daemon options]
DESCRIPTION
The Postfix anvil server maintains short-term
statistics
to defend against clients that hammer a server with
either
too many simultaneous sessions, or with too many
succes-
sive requests within a configurable time interval.
This
server is designed to run under control by the
Postfix
master server.
request=connect
ident=string
answers
with the number of simultaneous connections and the
number
of connections per unit time for that (service,
client)
combination:
status=0
count=number
rate=number
request=disconnect
ident=string
status=0
request=message
ident=string
status=0
rate=number
request=recipient
ident=string
status=0
rate=number
SECURITY
The anvil server does not talk to the network or to
local
users, and can run chrooted at fixed low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
time
of day associated with those events. In order to
avoid
unnecessary overhead, no measurements are done for
activ-
ity that isn't concurrency limited or rate limited.
BUGS
Systems behind network address translating routers
or
proxies appear to have the same client address and can
run
into connection count and/or rate limits falsely.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as anvil
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
anvil_rate_time_unit (60s)
The time unit over which client connection
rates
and other rates are calculated.
anvil_status_update_time (600s)
How frequently the anvil(8) connection and
rate
limiting server logs peak usage information.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
SEE ALSO
smtpd(8), Postfix SMTP server
postconf(5), configuration parameters
master(5), generic daemon options
README FILES
TUNING_README, performance tuning
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
The anvil service was introduced with Postfix 2.1.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
ANVIL
(8)
RELOCATED(5) RELOCATED
(5)
NAME
relocated - format of Postfix relocated table
SYNOPSIS
postmap /etc/postfix/relocated
DESCRIPTION
The optional relocated table provides the information
that
is used in "user has moved to new_location" bounce
mes-
sages.
different
way as described below under "REGULAR EXPRESSION
TABLES"
and "TCP-BASED TABLES".
TABLE FORMAT
The input format for the postmap(1) command is as
follows:
user@domain
Matches user@domain. This form has precedence
over
all other forms.
@domain
Matches every address in domain. This form has
the
lowest precedence.
ADDRESS EXTENSION
When a mail address localpart contains the optional
recip-
ient delimiter (e.g., user+foo@domain), the lookup
order
becomes: user+foo@domain, user@domain, user+foo, user,
and
@domain.
foo.
TCP-BASED TABLES
This section describes how the table lookups change
when
lookups are directed to a TCP-based server. For a
descrip-
tion of the TCP client/server lookup protocol,
see
tcp_table(5). This feature is not available in
Postfix
version 2.1.
BUGS
The table format does not understand quoting
conventions.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant.
relocated_maps
List of lookup tables for relocated users or
sites.
inet_interfaces
The network interface addresses that this
system
receives mail on. You need to stop and start
Post-
fix when this parameter changes.
mydestination
List of domains that this mail system
considers
local.
myorigin
The domain that is appended to locally-posted
mail.
proxy_interfaces
Other interfaces that this machine receives mail
on
by way of a proxy agent or network address
transla-
tor.
SEE ALSO
trivial-rewrite(8), address resolver
postmap(1), Postfix lookup table manager
postconf(5), configuration parameters
README FILES
DATABASE_README, Postfix lookup table overview
ADDRESS_REWRITING_README, address rewriting guide
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
RELOCATED
(5)
Introduction
This document discusses various options to plug the maildrop delivery agent into Postfix:
The following example shows how to use maildrop for some.domain and for someother.
domain.
1 /etc/postfix/main.cf:
2 maildrop_destination_recipient_limit = 1
3 virtual_mailbox_domains = some.domain
someother.domain
4 virtual_transport = maildrop
5 virtual_mailbox_maps = hash:/etc/postfix/
virtual_mailbox
6 virtual_alias_maps = hash:/etc/postfix/
virtual_alias
7
8 /etc/postfix/virtual_mailbox:
● Line 2 is needed so that Postfix will provide one recipient at a time to the maildrop
delivery agent.
● Line 3 informs Postfix that some.domain and someother.domain are so-called virtual
mailbox domains. Instead of listing the names in main.cf you can also list them in a file;
see the virtual_mailbox_domains documentation for details.
● Line 4 specifies that mail for some.domain and someother.domain should be delivered
by the maildrop delivery agent.
● Lines 5 and 8-11 specify what recipients the Postfix SMTP server should receive mail
for. This prevents the mail queue from becoming clogged with undeliverable messages.
Specify an empty value ("virtual_mailbox_maps =") to disable this feature.
● Lines 6 and 13-15 redirect mail for postmaster to the local postmaster. RFC 821
requires that every domain has a postmaster address.
The vmail userid as used below is the user that maildrop should run as. This would be the
owner of the virtual mailboxes if they all have the same owner. If maildrop is suid (see
maildrop documentation), then maildrop will change to the appropriate owner to deliver the
mail.
/etc/postfix/master.cf:
maildrop unix - n n -
- pipe
flags=DRhu user=vmail argv=/path/to/maildrop -d
${recipient}
If you want to support user+extension@domain style addresses, use the following instead:
/etc/postfix/master.cf:
maildrop unix - n n -
- pipe
flags=DRhu user=vmail argv=/path/to/maildrop
-d ${user}@${nexthop} ${extension} ${recipient}
${user} ${nexthop}
The mail is delivered to ${user}@${nexthop} (match key for maildrop userdb lookup). The
${extension} and the other address components are available to maildrop rules as $1, $2, $3, ...
and can be omitted from master.cf or ignored by maildrop when not needed.
/etc/postfix/main.cf:
mailbox_command = /path/to/maildrop -d ${USER}
To enable maildrop delivery for specific users only, you can use the Postfix local(8) delivery
agent's mailbox_command_maps feature:
/etc/postfix/main.cf:
mailbox_command_maps = /etc/postfix/
mailbox_commands
/etc/postfix/mailbox_commands:
you /path/to/maildrop -d ${USER}
Maildrop delivery for specific users is also possible by invoking it from the user's $HOME/.
forward file:
/home/you/.forward:
"|/path/to/maildrop -d ${USER}"
Credits
● The original text was kindly provided by Russell Mosemann.
● Victor Duchovni provided tips for supporting user+foo@domain addresses.
● Tonni Earnshaw contributed text about delivery via the local(8) delivery agent.
LAN to Internet
Local network <--- <--- UUCP --- <--->
UUCP to UUCP
> > Internet
Gateway Gateway
● You need an rmail program that extracts the sender address from mail that arrives via
UUCP, and that feeds the mail into the Postfix sendmail command. Most UNIX
systems come with an rmail utility. If you're in a pinch, try the one bundled with the
Postfix source code in the auxiliary/rmail directory.
● Define a pipe(8) based mail delivery transport for delivery via UUCP:
/etc/postfix/master.cf:
uucp unix - n n -
- pipe
flags=F user=uucp argv=uux -r -n -z -a$sender -
$nexthop!rmail ($recipient)
This runs the uux command to place outgoing mail into the UUCP queue after replacing
$nexthop by the next-hop hostname (the receiving UUCP host) and after replacing
$recipient by the recipients. The pipe(8) delivery agent executes the uux command
without assistance from the shell, so there are no problems with shell meta characters in
command-line parameters.
● Specify that mail for example.com, should be delivered via UUCP, to a host named
uucp-host:
/etc/postfix/transport:
example.com uucp:uucp-host
.example.com uucp:uucp-host
/etc/postfix/main.cf:
transport_maps = hash:/etc/postfix/transport
Specify dbm instead of hash if your system uses dbm files instead of db files. To find
out what map types Postfix supports, use the command "postconf -m".
● Add example.com to the list of domains that your site is willing to relay mail for.
/etc/postfix/main.cf:
relay_domains = example.com ...other relay domains...
● You need an rmail program that extracts the sender address from mail that arrives via
UUCP, and that feeds the mail into the Postfix sendmail command. Most UNIX
systems come with an rmail utility. If you're in a pinch, try the one bundled with the
Postfix source code in the auxiliary/rmail directory.
● Specify that all remote mail must be sent via the uucp mail transport to your UUCP
gateway host, say, uucp-gateway:
/etc/postfix/main.cf:
relayhost = uucp-gateway
default_transport = uucp
Postfix 2.0 and later also allows the following more succinct form:
/etc/postfix/main.cf:
default_transport = uucp:uucp-gateway
● Define a pipe(8) based message delivery transport for mail delivery via UUCP:
/etc/postfix/master.cf:
uucp unix - n n -
- pipe
flags=F user=uucp argv=uux -r -n -z -a$sender -
$nexthop!rmail ($recipient)
This runs the uux command to place outgoing mail into the UUCP queue. It substitutes
the next-hop hostname (uucp-gateway, or whatever you specified) and the recipients
before executing the command. The uux command is executed without assistance from
POSTFIX(1) POSTFIX
(1)
NAME
postfix - Postfix control program
SYNOPSIS
postfix [-Dv] [-c config_dir] command
DESCRIPTION
This command is reserved for the superuser. To
submit
mail, use the Postfix sendmail command.
their
earliest convenience.
for
example, to change the mail_owner or
setgid_group
setting for an already installed Postfix system.
-c config_dir
Read the main.cf and master.cf configuration
files
in the named directory instead of the default
con-
figuration directory. Use this to
distinguish
between multiple Postfix instances on the
same
host.
parameter.
ENVIRONMENT
The postfix command exports the following
environment
variables before executing the postfix-script file:
MAIL_CONFIG
This is set when the -c command-line option is
pre-
sent.
MAIL_VERBOSE
This is set when the -v command-line option is
pre-
sent.
MAIL_DEBUG
This is set when the -D command-line option is
pre-
sent.
CONFIGURATION PARAMETERS
The following main.cf configuration parameters
are
exported as environment variables with the same names:
mail_owner (postfix)
The UNIX system account that owns the Postfix
queue
and most Postfix daemon processes.
setgid_group (postdrop)
The group ownership of set-gid Postfix commands
and
of group-writable Postfix directories.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
/etc/postfix/main.cf, Postfix configuration parameters
/etc/postfix/master.cf, Postfix daemon processes
/etc/postfix/postfix-files, file/directory permissions
/etc/postfix/postfix-script, administrative commands
/etc/postfix/post-install, post-installation
configuration
SEE ALSO
Commands:
postalias(1), create/update/query alias database
postcat(1), examine Postfix queue file
postkick(1), trigger Postfix daemon
postlock(1), Postfix-compatible locking
postlog(1), Postfix-compatible logging
postmap(1), Postfix lookup table manager
postqueue(1), Postfix mail queue control
postsuper(1), Postfix housekeeping
sendmail(1), Sendmail compatibility interface
Postfix configuration:
master(5), Postfix master.cf file syntax
postconf(5), Postfix main.cf file syntax
Table-driven mechanisms:
access(5), Postfix SMTP access control table
aliases(5), Postfix alias database
header_checks(5), body_checks(5), content inspection
canonical(5), Postfix address rewriting
relocated(5), Users that have moved
transport(5), Postfix routing table
virtual(5), Postfix virtual aliasing
Daemon processes:
Other:
syslogd(8), system logging
README FILES
OVERVIEW, overview of Postfix commands and processes
BASIC_CONFIGURATION_README, Postfix basic configuration
ADDRESS_REWRITING_README, Postfix address rewriting
SMTPD_ACCESS_README, SMTP relay/access control
CONTENT_INSPECTION_README, Postfix content inspection
QSHAPE_README, Postfix queue analysis
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTFIX
(1)
POSTKICK(1) POSTKICK
(1)
NAME
postkick - kick a Postfix service
SYNOPSIS
postkick [-c config_dir] [-v] class service request
DESCRIPTION
The postkick command sends request to the specified
ser-
vice over a local transport channel. This command
makes
Postfix private IPC accessible for use in, for
example,
shell scripts.
Options:
-c config_dir
Read the main.cf configuration file in the
named
directory instead of the default
configuration
directory.
Arguments:
service
The name of a local transport endpoint within
the
named class.
request
A string. The list of valid requests is
service-
specific.
DIAGNOSTICS
Problems and transactions are logged to the standard
error
stream.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE
Enable verbose logging for debugging purposes.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
application_event_drain_time (100s)
How long the postkick(1) command waits for
a
request to enter the server's input buffer
before
giving up.
FILES
/var/spool/postfix/private, private class endpoints
/var/spool/postfix/public, public class endpoints
SEE ALSO
qmgr(8), queue manager trigger protocol
pickup(8), local pickup daemon
postconf(5), configuration parameters
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTKICK
(1)
POSTLOCK(1) POSTLOCK
(1)
NAME
postlock - lock mail folder and execute command
SYNOPSIS
postlock [-c config_dir] [-l lock_style]
[-v] file command...
DESCRIPTION
The postlock command locks file for exclusive access,
and
executes command. The locking method is compatible
with
the Postfix UNIX-style local delivery agent.
Options:
-c config_dir
Read the main.cf configuration file in the
named
directory instead of the default
configuration
directory.
-l lock_style
Override the locking method specified via the
mail-
box_delivery_lock configuration parameter
(see
below).
Arguments:
command...
The command to execute while file is locked
for
exclusive access. The command is
executed
directly, i.e. without interpretation by a
shell
command interpreter.
DIAGNOSTICS
The result status is 75 (EX_TEMPFAIL) when postlock
could
not perform the requested operation. Otherwise, the
exit
status is the exit status from the command.
BUGS
With remote file systems, the ability to acquire a
lock
does not necessarily eliminate access conflicts.
Avoid
file access by processes running on different machines.
ENVIRONMENT
MAIL_CONFIG
Directory with Postfix configuration files.
MAIL_VERBOSE
Enable verbose logging for debugging purposes.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program. The text below provides only a
parameter
summary. See postconf(5) for more details including
exam-
ples.
LOCKING CONTROLS
deliver_lock_attempts (20)
The maximal number of attempts to acquire an
exclu-
sive lock on a mailbox file or bounce(8) logfile.
deliver_lock_delay (1s)
The time between attempts to acquire an
exclusive
lock on a mailbox file or bounce(8) logfile.
stale_lock_time (500s)
The time after which a stale exclusive
mailbox
lockfile is removed.
fork_delay (1s)
The delay between attempts to fork() a child
pro-
cess.
MISCELLANEOUS CONTROLS
config_directory (see 'postconf -d' output)
The default location of the Postfix main.cf
and
master.cf configuration files.
SEE ALSO
postconf(5), configuration parameters
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTLOCK
(1)
POSTLOG(1) POSTLOG
(1)
NAME
postlog - Postfix-compatible logging utility
SYNOPSIS
postlog [-iv] [-c config_dir]
[-p priority] [-t tag] [text...]
DESCRIPTION
The postlog command implements a Postfix-compatible
log-
ging interface for use in, for example, shell scripts.
-c config_dir
Read the main.cf configuration file in the
named
directory instead of the default
configuration
directory.
-p priority
ENVIRONMENT
MAIL_CONFIG
Directory with the main.cf file.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially
relevant
to this program.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
SEE ALSO
postconf(5), configuration parameters
syslogd(8), syslog daemon
LICENSE
The Secure Mailer license must be distributed with
this
software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
POSTLOG
(1)
NISPLUS_TABLE(5) NISPLUS_TABLE
(5)
NAME
nisplus_table - Postfix NIS+ client
SYNOPSIS
postmap -q "string" "nisplus:[name=%s];name.name."
DESCRIPTION
The Postfix mail system uses optional lookup
tables.
These tables are usually in dbm or db format.
Alterna-
tively, lookup tables can be specified as NIS+
databases.
QUERY SYNTAX
Most of the NIS+ query is specified via the NIS+ map
name.
The general format of a Postfix NIS+ map name is as
fol-
lows:
nisplus:[name=%s];name.name.name.:column
a
version of the lookup string. There can be
only
one "%s" instance in a Postfix NIS+ map name.
EXAMPLE
A NIS+ aliases map might be queried as follows:
alias_maps = dbm:/etc/mail/aliases,
nisplus:[alias=%s];mail_aliases.org_dir.
$mydomain.:1
SEE ALSO
postmap(1), Postfix lookup table manager
README FILES
DATABASE_README, Postfix lookup table overview
LICENSE
AUTHOR(S)
Geoff Gibbs
UK-HGMP-RC
Hinxton
Cambridge
CB10 1SB, UK
NISPLUS_TABLE
(5)
FLUSH(8) FLUSH
(8)
NAME
flush - Postfix fast flush server
SYNOPSIS
flush [generic Postfix daemon options]
DESCRIPTION
The flush server maintains a record of deferred mail
by
destination. This information is used to improve the
per-
formance of the SMTP ETRN request, and of its command-
line
equivalent, "sendmail -qR" or "postqueue -f". This
pro-
gram expects to be run from the master(8) process
manager.
send sitename
Request delivery of mail that is queued for
the
specified destination.
refresh
Refresh non-empty per-destination logfiles
that
were not read in $fast_flush_refresh_time hours,
by
simulating send requests (see above) for the
corre-
sponding destinations.
SECURITY
The fast flush server is not security-sensitive. It
does
not talk to the network, and it does not talk to
local
users. The fast flush server can run chrooted at
fixed
low privilege.
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).
BUGS
Fast flush logfiles are truncated only after a
"send"
request, not when mail is actually delivered, and
there-
fore can accumulate outdated or redundant data. In
order
to maintain sanity, "refresh" must be executed
periodi-
cally. This can be automated with a suitable wakeup
timer
setting in the master.cf configuration file.
CONFIGURATION PARAMETERS
Changes to main.cf are picked up automatically as flush
(8)
processes run for only a limited amount of time. Use
the
command "postfix reload" to speed up a change.
daemon_timeout (18000s)
How much time a Postfix daemon process may take
to
handle a request before it is terminated by
a
built-in watchdog timer.
fast_flush_domains ($relay_domains)
Optional list of destinations that are eligible
for
per-destination logfiles with mail that is
queued
to those destinations.
fast_flush_refresh_time (12h)
The time after which a non-empty but unread
per-
destination "fast flush" logfile needs to
be
refreshed.
fast_flush_purge_time (7d)
The time after which an empty per-destination
"fast
flush" logfile is deleted.
ipc_timeout (3600s)
The time limit for sending or receiving
information
over an internal communication channel.
max_idle (100s)
The maximum amount of time that an idle
Postfix
daemon process waits for the next service
request
before exiting.
max_use (100)
The maximal number of connection requests before
a
Postfix daemon process terminates.
process_id (read-only)
The process ID of a Postfix command or daemon
pro-
cess.
process_name (read-only)
The process name of a Postfix command or
daemon
process.
syslog_facility (mail)
The syslog facility of Postfix logging.
syslog_name (postfix)
The mail system name that is prepended to the
pro-
cess name in syslog records, so that
"smtpd"
becomes, for example, "postfix/smtpd".
FILES
/var/spool/postfix/flush, "fast flush" logfiles.
SEE ALSO
smtpd(8), SMTP server
README FILES
ETRN_README, Postfix ETRN howto
LICENSE
The Secure Mailer license must be distributed with
this
software.
HISTORY
This service was introduced with Postfix version 1.0.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
FLUSH
(8)
Postfix versions before 1.0 (also known as version 20010228) implemented the ETRN command
in an inefficient manner: they simply attempted to deliver all queued mail. This is slow on mail
servers that queue mail for many customers.
As of version 1.0, Postfix has a fast ETRN implementation that does not require Postfix to
examine every queue file. Instead, Postfix maintains a record of what queue files contain mail for
destinations that are configured for ETRN service. ETRN service is no longer available for
domains that aren't configured for the service.
As mentioned in the introduction, the mail is delivered by connecting to the customer's SMTP
server; it is not sent over the connection that was used to send the ETRN command.
The Postfix operator can request delivery for a specific customer by using the command
"sendmail -qRdestination" and, with Postfix version 1.1 and later, "postqueue -sdestination".
One
Postfix Postfix
-(domain, queue ID)- -(queue ID)- logfile
delivery flush
> > per eligible
agent daemon
domain
When Postfix receives a request to "deliver mail for a domain now", the flush(8) daemon moves
all deferred queue files that are listed for that domain to the incoming queue, and requests that the
queue manager deliver them. In order to force delivery, the queue manager temporarily ignores
the lists of undeliverable destinations: the volatile in-memory list of dead domains, and the list of
message delivery transports specified with the defer_transports configuration parameter.
The design of the flush(8) server and of the flush queue introduce a few limitations that should
not be an issue unless you want to turn on fast ETRN service for every possible destination.
● The flush(8) daemon maintains per-destination logfiles with queue file names. When a
request to "deliver mail now" arrives, Postfix will attempt to deliver all recipients in the
queue files that have mail for the destination in question. This does not perform well when
queue files have recipients in many different domains.
● The flush(8) daemon maintains per-destination logfiles only for destinations listed with
$fast_flush_domains. With other destinations it not possible to trigger delivery with
"sendmail -qRdestination" or, with Postfix version 1.1 and later, "postqueue -
sdestination".
● Up to and including early versions of Postfix version 2.1, the "fast flush" service may not
deliver some messages if the request to "deliver mail now" is received while a deferred
queue scan is already in progress. The reason is that the queue manager does not ignore
the volatile in-memory list of dead domains, and the list of message delivery transports
specified with the defer_transports configuration parameter.
By default, Postfix "fast ETRN" service is available only for destinations that Postfix is willing to
relay mail to:
/etc/postfix/main.cf:
fast_flush_domains = $relay_domains
smtpd_etrn_restrictions = permit_mynetworks, reject
Notes:
● The relay_domains parameter specifies what destinations Postfix will relay to. For
destinations that are not eligible for the "fast ETRN" service, Postfix replies with an error
message.
● The smtpd_etrn_restrictions parameter limits what clients may execute the ETRN
command. By default, any client has permission.
/etc/postfix/main.cf:
fast_flush_domains = $relay_domains, some.other.
domain
To disable "fast ETRN", so that Postfix rejects all ETRN requests and so that it maintains no per-
destination logfiles, specify:
/etc/postfix/main.cf:
fast_flush_domains =
To prevent Postfix from making spontaneous delivery attempts you can configure Postfix to
always defer mail for the "ETRN" customer. Mail is delivered only after the ETRN command or
with "sendmail -q", with "sendmail -qRdomain", or with "postqueue -sdomain"(Postfix version
1.1 and later only),
In the example below we configure an "etrn-only" delivery transport which is simply a duplicate
of the "smtp" and "relay" mail delivery transports. The only difference is that mail destined for
this delivery transport is deferred as soon as it arrives.
1 /etc/postfix/master.cf:
2 #
=============================================================
3 # service type private unpriv chroot wakeup
maxproc command
4 # (yes) (yes) (yes) (never)
(100)
5 #
=============================================================
6 smtp unix - - n -
- smtp
7 relay unix - - n -
- smtp
8 etrn-only unix - - n -
- smtp
9
10 /etc/postfix/main.cf:
11 relay_domains = customer.tld ...other domains...
12 defer_transports = etrn-only
13 transport_maps = hash:/etc/postfix/transport
14
15 /etc/postfix/transport:
16 customer.tld etrn-only:[mailhost.customer.tld]
Translation:
● Line 8: The "etrn-only" mail delivery service is a copy of the "smtp" and "relay" service.
● Line 11: Don't forget to authorize relaying for this customer, either via relay_domains or
with the permit_mx_backup feature.
● Line 12: The "etrn-only" mail delivery service is configured so that spontaneous mail
delivery is disabled.
● Lines 13-16: Mail for the customer is given to the "etrn-only" mail delivery service.
● Line 16: The "[mailhost.customer.tld]" turns off MX record lookups; you must specify
this if your Postfix server is the primary MX host for the customer's domain.
To test the "fast ETRN" service, telnet to the Postfix SMTP server from a client that is allowed to
execute ETRN commands (by default, that's every client), and type the commands shown in
boldface:
where "some.customer.domain" is the name of a domain that has a non-empty logfile somewhere
under $queue_directory/flush.
In the maillog file, you should immediately see a couple of logfile records, as evidence that the
queue manager has opened queue files:
What happens next depends on whether the destination is reachable. If it's not reachable, the mail
queue IDs will be added back to the some.customer.domain logfile under $queue_directory/flush.
Repeat the exercise with some other destination that your server is willing to relay to (any
domain listed in $relay_domains), but that has no mail queued. The text in bold face stands for
the commands that you type:
This time, the "ETRN"" command should trigger NO mail deliveries at all. If this triggers
delivery of all mail, then you used the wrong domain name, or "fast ETRN" service is turned off.
Finally, repeat the exercise with a destination that your mail server is not willing to relay to. It
does not matter if your server has mail queued for that destination.
When receiving mail, Postfix logs the client-provided username, authentication method, and
sender address to the maillog file, and optionally grants mail access via the
permit_sasl_authenticated UCE restriction.
Postfix does not record the client's SASL authentication information in message headers, and
does not pass it on via SMTP commands when forwarding mail, because it is no-one else's
business to know the client username and authentication method. People who need to know can
find the information in the local Postfix maillog file. Some day, Postfix message headers will
be configurable and then one can record the SASL username without having to edit C code.
When sending mail, Postfix can look up the server hostname or destination domain (the address
right-hand part) in a table, and if a username/password is found, it will use that username and
password to authenticate to the server.
ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/.
IMPORTANT: if you install the Cyrus SASL libraries as per the default, you will have to
symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.5 or /usr/lib/sasl2 -> /usr/local/lib/
sasl2 for version 2.1.1.
Reportedly, Microsoft Internet Explorer version 5 requires the non-standard SASL LOGIN
authentication method. To enable this authentication method, specify ``./configure --enable-
login''.
To build Postfix with SASL authentication support, the following assumes that the Cyrus
SASL include files are in /usr/local/include, and that the Cyrus SASL libraries are in /usr/local/
lib.
On Solaris 2.x you need to specify run-time link information, otherwise ld.so will not find the
SASL shared library:
/etc/postfix/main.cf:
smtpd_sasl_auth_enable = yes
/etc/postfix/main.cf:
smtpd_recipient_restrictions =
permit_mynetworks
permit_sasl_authenticated ...
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: pwcheck
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: pwcheck
The name of the file in /usr/local/lib/sasl (SASL version 1.5.5) or /usr/local/lib/sasl2 (SASL
version 2.1.1) used by the SASL library for configuration can be set with:
/etc/postfix/main.cf:
smtpd_sasl_application_name = smtpd
IMPORTANT: postfix processes need to have group read+execute permission for the /var/
pwcheck directory, otherwise authentication attempts will fail.
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: saslauthd
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: saslauthd
The saslauthd daemon is also contained in the cyrus-sasl source tarball. It is more flexible than
the pwcheck daemon, in that it can authenticate against PAM and various other sources. To use
PAM, start saslauthd with "-a pam".
/usr/local/lib/sasl/smtpd.conf:
pwcheck_method: sasldb
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
This will use the SASL password file (default: /etc/sasldb in version 1.5.5, or /etc/sasldb2 in
version 2.1.1), which is maintained with the saslpasswd or saslpasswd2 command (part of the
Cyrus SASL software). On some poorly-supported systems the saslpasswd command needs to
be run multiple times before it stops complaining. The Postfix SMTP server needs read access
to the sasldb file - you may have to play games with group access permissions. With the OTP
authentication mechanism, the SMTP server also needs write access to /etc/sasldb2 or /etc/
sasldb (or the back end SQL database, if used).
IMPORTANT: all users must be able to authenticate using ALL authentication mechanisms
advertised by Postfix, otherwise the negotiation might end up with an unsupported mechanism,
and authentication would fail. For example if you configure SASL to use saslauthd for
authentication against PAM (pluggable authentication modules), only the PLAIN and LOGIN
mechanisms are supported and stand a chance to succeed, yet the SASL library would also
advertise other mechanisms, such as DIGEST-MD5. This happens because those mechanisms
are made available by other plugins, and the SASL library have no way to know that your only
valid authentication source is PAM. Thus you might need to limit the list of mechanisms
advertised by Postfix. This is only possible with SASL version 2.1.1 or later:
/usr/local/lib/sasl2/smtpd.conf:
mech_list: plain login
For the same reasons you might want to limit the list of plugins used for authentication. With
SASL version 1.5.5 your only choice is to delete the corresponding libraries from /usr/local/lib/
sasl. With SASL version 2.1.1:
/usr/local/lib/sasl2/smtpd.conf:
pwcheck_method: auxprop
auxprop_plugin: sql
IMPORTANT: To get sasldb running, make sure that you set the SASL domain (realm) to a
fully qualified domain name.
EXAMPLE:
You can find out SASL's idea about the realms of the users in sasldb with sasldblistusers
(SASL version 1.5.5) or sasldblistusers2 (SASL version 2.1.1).
On the Postfix side, you can have only one realm per smtpd instance, and only the users
belonging to that realm would be able to authenticate. The Postfix variable
smtpd_sasl_local_domain controls the realm used by smtpd:
/etc/postfix/main.cf:
smtpd_sasl_local_domain = $myhostname
To run software chrooted with SASL support is an interesting exercise. It probably is not worth
the trouble.
Older Microsoft SMTP client software implements a non-standard version of the AUTH
protocol syntax, and expects that the SMTP server replies to EHLO with "250 AUTH=stuff"
instead of "250 AUTH stuff". To accommodate such clients in addition to conformant clients,
set "broken_sasl_auth_clients = yes" in the main.cf file.
In order to generate base64 encoded authentication information you can use one of the
following commands:
% perl -MMIME::Base64 -e \
'print encode_base64("username\0username
\0password");'
The mmencode command is part of the metamail software. MIME::Base64 is available from
http://www.cpan.org/.
When posting logs of the SASL negotiations to public lists, please keep in mind that username/
% su postfix
then run the resulting sample server and client in separate terminals. Strace / ktrace / truss the
server to see what makes it unhappy, and fix the problem. Repeat the previous step until you
can successfully authenticate with the sample client. Only then get back to Postfix.
/etc/postfix/main.cf:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/
sasl_passwd
/etc/postfix/sasl_passwd:
foo.com username:password
bar.com username
Note: some SMTP servers support PLAIN or LOGIN authentication only. By default, the
Postfix SMTP client does not use authentication methods that send plaintext passwords, and
defers delivery with the following error message: "Authentication failed: cannot SASL
authenticate to server". To enable plaintext authentication specify, for example:
/etc/postfix/main.cf:
smtp_sasl_security_options =
The SASL client password file is opened before the SMTP server enters the optional chroot
jail, so you can keep the file in /etc/postfix.
Note: Some SMTP servers support authentication mechanisms that, although available on the
client system, may not in practice work or possess the appropriate credentials to authenticate to
the server. It is possible via the smtp_sasl_mechanism_filter parameter to further restrict the
list of server mechanisms that the smtp(8) client will take into consideration.
The Postfix SMTP client is backwards compatible with SMTP servers that use the non-
standard "AUTH=method..." syntax in response to the EHLO command; there is no Postfix
client configuration needed to work around it.
Credits
● Postfix SASL support was originally implemented by Till Franke of SuSE Rhein/Main
AG.
● Wietse trimmed down the code to only the bare necessities.
● Support for SASL version 2 was contributed by Jason Hoos.
● Liviu Daia added smtpd_sasl_application_name, split reject_sender_login_mismatch
into reject_authenticated_sender_login_mismatch and
reject_unauthenticated_sender_login_mismatch, and revised the docs.
For example, when VERP style delivery is requested, Postfix delivers mail from "owner-
listname@origin" for a recipient "user@domain", with a sender address that encodes
the recipient as follows:
owner-listname+user=domain@origin
Thus, undeliverable mail can reveal the undeliverable recipient address without requiring the
list owner to parse bounce messages.
The VERP concept was popularized by the qmail MTA and by the ezmlm mailing list
manager. See http://cr.yp.to/proto/verp.txt for the ideas behind this concept.
What VERP delimiter characters Postfix uses when VERP style delivery is requested
but no explicit delimiters are specified.
What SMTP clients are allowed to request VERP style delivery. The Postfix QMQP
server uses its own access control mechanism, and local submission (via /usr/sbin/
sendmail etc.) is always authorized. To authorize a host, list its name, IP address, subnet
(net/mask) or parent .domain.
With Postfix versions 1.1 and 2.0, this parameter is called authorized_verp_clients
(default: $mynetworks).
if Postfix sends one bounce report for multi-recipient VERP mail, or one bounce report
per recipient. The default, one per recipient, is what ezmlm needs.
The first form uses the default main.cf VERP delimiter characters. The second form allows you
to explicitly specify the VERP delimiter characters. The example shows the recommended
values.
This text assumes that you have set up an owner-listname alias that routes undeliverable mail to
a real person:
/etc/aliases:
owner-listname: yourname+listname
In order to process bounces we are going to make extensive use of address extension tricks.
You need to tell Postfix that + is the separator between an address and its optional address
extension, that address extensions are appended to .forward file names, and that address
extensions are to be discarded when doing alias expansions:
/etc/postfix/main.cf:
recipient_delimiter = +
forward_path = $home/.forward
${recipient_delimiter}${extension},
$home/.forward
propagate_unmatched_extensions = canonical,
virtual
You need to set up a file named .forward+listname with the commands that process all the mail
that is sent to the owner-listname address:
~/.forward+listname:
"|/some/where/command ..."
With this set up, undeliverable mail for user@domain will be returned to the following address:
owner-listname+user=domain@your.domain
which is processed by the command in your .forward+listname file. The message should
contain, among others, a To: header with the encapsulated recipient sender address:
To: owner-listname+user=domain@your.domain
It is left as an exercise for the reader to parse the To: header line and to pull out the
user=domain part from the recipient address.
The first form uses the default main.cf VERP delimiters, the second form overrides them
explicitly. The values shown are the recommended ones.
The first form uses the default main.cf VERP delimiters, the second form overrides them
explicitly. The values shown are the recommended ones.
listname-@your.domain-@[]
particular, the "=" delimiter is required for qmail compatibility (see the qmail addresses(5)
manual page for details).
Note 2: to use LDAP with Debian GNU/Linux's Postfix, all you need is to install the postfix-
ldap package and you're done. There is no need to recompile Postfix.
You need to have LDAP libraries and include files installed somewhere on your system, and
you need to configure the Postfix Makefiles accordingly.
For example, to build the OpenLDAP libraries for use with Postfix (i.e. LDAP client code
only), you could use the following command:
% make tidy
% make makefiles CCARGS="-I/usr/local/include -
DHAS_LDAP" \
AUXLIBS="-L/usr/local/lib -lldap -L/usr/local/lib
-llber"
On Solaris 2.x you may have to specify run-time link information, otherwise ld.so will not find
some of the shared libraries:
% make tidy
% make makefiles CCARGS="-I/usr/local/include -
DHAS_LDAP" \
AUXLIBS="-L/usr/local/lib -R/usr/local/lib -lldap
\
-L/usr/local/lib -R/usr/local/lib -llber"
The 'make tidy' command is needed only if you have previously built Postfix without LDAP
support.
Instead of '/usr/local' specify the actual locations of your LDAP include files and libraries. Be
sure to not mix LDAP include files and LDAP libraries of different versions!!
If your LDAP libraries were built with Kerberos support, you'll also need to include your
Kerberos libraries in this line. Note that the KTH Kerberos IV libraries might conflict with
Postfix's lib/libdns.a, which defines dns_lookup. If that happens, you'll probably want to link
with LDAP libraries that lack Kerberos support just to build Postfix, as it doesn't support
Kerberos binds to the LDAP server anyway. Sorry about the bother.
If you're using one of the Netscape LDAP SDKs, you'll need to change the AUXLIBS line to
point to libldap10.so or libldapssl30.so or whatever you have, and you may need to use the
appropriate linker option (e.g. '-R') so the executables can find it at runtime.
server_host = ldap.my.com
search_base = dc=my, dc=com
Upon receiving mail for a local address "ldapuser" that isn't found in the /etc/aliases database,
Postfix will search the LDAP server listening at port 389 on ldap.my.com. It will bind
anonymously, search for any directory entries whose mailacceptinggeneralid attribute is
"ldapuser", read the "maildrop" attributes of those found, and build a list of their maildrops,
which will be treated as RFC822 addresses to which the message will be delivered.
way to do that is to add the domain to the mailacceptinggeneralid attribute of some entry in the
directory. Next, you'll want to make sure all of your virtual recipient's mailacceptinggeneralid
attributes are fully qualified with their virtual domains. Finally, if you want to designate a
directory entry as the default user for a virtual domain, just give it an additional
mailacceptinggeneralid (or the equivalent in your directory) of "@virtual.dom". That's right, no
user part. If you don't want a catchall user, omit this step and mail to unknown users in the
domain will simply bounce.
In summary, you might have a catchall user for a virtual domain that looks like this:
1: Postfix knows fake.dom is a valid virtual domain when it looks for this and gets
something (the maildrop) back.
2: This causes any mail for unknown users in fake.dom to go to this entry ...
Normal users might simply have one mailacceptinggeneralid and maildrop, e.g.
"normaluser@fake.dom" and "normaluser@real.dom".
accordingly.
● You probably want to make sure that mailacceptinggeneralids are unique, and that not
just anyone can specify theirs as postmaster or root, say.
● If you use an LDAP map for lookups other than aliases, you may have to make sure the
lookup makes sense. In the case of virtual lookups, maildrops other than mail addresses
are pretty useless, because Postfix can't know how to set the ownership for program or
file delivery. Your query_filter should probably look something like this:
query_filter = (&(mailacceptinggeneralid=%s)(!(|
(maildrop="*|*")(maildrop="*:*")(maildrop="*/
*"))))
● And for that matter, even for aliases, you may not want users able to specify their
maildrops as programs, includes, etc. This might be particularly pertinent on a "sealed"
server where they don't have local UNIX accounts, but exist only in LDAP and Cyrus.
You might allow the fun stuff only for directory entries owned by an administrative
account, so that if the object had a program as its maildrop and weren't owned by
"cn=root" it wouldn't be returned as a valid local user. This will require some thought on
your part to implement safely, considering the ramifications of this type of delivery.
You may decide it's not worth the bother to allow any of that nonsense in LDAP
lookups, ban it in the query_filter, and keep things like majordomo lists in local alias
databases.
query_filter = (&(mailacceptinggeneralid=%s)(!(|
(maildrop="*|*")(maildrop="*:*")(maildrop="*/*"))
(owner=cn=root, dc=your, dc=com)))
● LDAP lookups are slower than local DB or DBM lookups. For most sites they won't be
a bottleneck, but it's a good idea to know how to tune your directory service.
● Multiple LDAP maps share the same LDAP connection if they differ only in their query
related parameters: base, scope, query_filter, and so on. To take advantage of this, avoid
spurious differences in the definitions of LDAP maps: host selection order, version,
bind, tls parameters, ... should be the same for multiple maps whenever possible.
Feedback
If you have questions, send them to postfix-users@postfix.org. Please include relevant
information about your Postfix setup: LDAP-related output from postconf, which LDAP
libraries you built with, and which directory server you're using. If your question involves your
directory contents, please include the applicable bits of some directory entries.
Credits
● Manuel Guesdon: Spotted a bug with the timeout attribute.
● John Hensley: Multiple LDAP sources with more configurable attributes.
● Carsten Hoeger: Search scope handling.
● LaMont Jones: Domain restriction, URL and DN searches, multiple result attributes.
● Mike Mattice: Alias dereferencing control.
● Hery Rakotoarisoa: Patches for LDAPv3 updating.
● Prabhat K Singh: Wrote the initial Postfix LDAP lookups and connection caching.
● Keith Stevenson: RFC 2254 escaping in queries.
● Samuel Tardieu: Noticed that searches could include wildcards, prompting the work on
RFC 2254 escaping in queries. Spotted a bug in binding.
● Sami Haahtinen: Referral chasing and v3 support.
● Victor Duchovni: ldap_bind() timeout. With fixes from LaMont Jones: OpenLDAP
cache deprecation. Limits on recursion, expansion and query results size. LDAP
connection sharing for maps differing only in the query parameters.
● Liviu Daia: Support for SSL/STARTTLS. Support for storing map definitions in
external files (ldap:/path/ldap.cf) needed to securely store passwords for plain auth.
Introduction
CDB (Constant DataBase) is an indexed file format designed by Daniel Bernstein. CDB is
optimized exclusively for read access and guarantees that each record will be read in at most
two disk accesses. This is achieved by forgoing support for incremental updates: no single-
record inserts or deletes are supported. CDB databases can be modified only by rebuilding
them completely from scratch, hence the "constant" qualifier in the name.
Postfix CDB databases are specified as "cdb:name", where name specifies the CDB file name
without the ".cdb" suffix (another suffix, ".tmp", is used temporarily while a CDB file is under
construction). CDB databases are maintained with the postmap(1) or postalias(1) command.
The DATABASE_README document has general information about Postfix databases.
CDB support is available with Postfix 2.2 and later releases. This document describes how to
build Postfix with CDB support.
● The original cdb library from Daniel Bernstein, available from http://cr.yp.to/cdb.html,
and
● tinycdb (version 0.5 and later) from Michael Tokarev, available from http://www.corpit.
ru/mjt/tinycdb.html.
Tinycdb is preferred, since it is a bit faster, has additional useful functionality and is much
simpler to use.
To build Postfix after you have installed CDB, use something like:
% make tidy
% CDB=../../../tinycdb-0.5
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I
$CDB" \
"AUXLIBS=$CDB/libcdb.a"
% make
% make tidy
% CDB=../../../cdb-0.75
% make -f Makefile.init makefiles "CCARGS=-DHAS_CDB -I
$CDB" \
"AUXLIBS=$CDB/cdb.a $CDB/alloc.a $CDB/buffer.a
$CDB/unix.a $CDB/byte.a"
% make
After postfix has been built with cdb support, you can use "cdb" tables wherever you can use
read-only "hash", "btree" or "dbm" tables. However, the "postmap -i" (incremental record
insertion) and "postmap -d" (incremental record deletion) command-line options are not
available. For the same reason the "cdb" map type cannot be used to store the volatile address
verification cache for the verify(8) service.
1. Round-robin selection by destination for mail that is delivered via the same message
delivery transport. The round-robin strategy was chosen with the intention to prevent a
single (destination) site from using up too many mail delivery resources. However, that
strategy penalized inbound mail on bi-directional gateways. The poor suffering inbound
destination would be selected only 1/number-of-destinations of the time, even when it
had more mail than other destinations, and thus mail could be delayed.
Victor Duchovni found a workaround: use different message delivery transports, and
thus avoid the starvation problem. The Patrik Rak scheduler solves this problem by
using FIFO selection.
2. A second limitation of the old Postfix scheduler was that delivery of bulk mail would
block all other deliveries, causing large delays. Patrik Rak's scheduler allows mail with
fewer recipients to slip past bulk mail in an elegant manner.
The following text is from Patrik Rak and should be read together with the postconf(5) manual
that describes each configuration parameter in detail.
From user's point of view, oqmgr(8) and qmgr(8) are both the same, except for how next
message is chosen when delivery agent becomes available. You already know that oqmgr(8)
uses round-robin by destination while qmgr(8) uses simple FIFO, except for some preemptive
magic. The postconf(5) manual documents all the knobs the user can use to control this
preemptive magic - there is nothing else to the preemption than the quite simple conditions
described below.
As for programmer-level documentation, this will have to be extracted from all those emails we
have exchanged with Wietse [rats! I hoped that Patrik would do the work for me -- Wietse] But
I think there are no missing bits which we have not mentioned in our conversations.
However, even from programmer's point of view, there is nothing more to add to the message
scheduling idea itself. There are few things which make it look more complicated than it is, but
the algorithm is the same as the user perceives it. The summary of the differences of the
programmer's view from the user's view are:
1. Simplification of terms for users: The user knows about messages and recipients. The
program itself works with jobs (one message is split among several jobs, one per each
transport needed to deliver the message) and queue entries (each entry may group
several recipients for same destination). Then there is the peer structure introduced by
qmgr(8) which is simply per-job analog of the queue structure.
2. Dealing with concurrency limits: The actual implementation is complicated by the fact
that the messages (resp. jobs) may not be delivered in the exactly scheduled order
because of the concurrency limits. It is necessary to skip some "blocker" jobs when the
concurrency limit is reached and get back to them again when the limit permits.
3. Dealing with resource limits: The actual implementation is complicated by the fact that
not all recipients may be read in-core. Therefore each message has some recipients in-
core and some may remain on-file. This means that a) the preemptive algorithm needs
to work with recipient count estimates instead of exact counts, b) there is extra code
which needs to manipulate the per-transport pool of recipients which may be read in-
core at the same time, and c) there is extra code which needs to be able to read
recipients into core in batches and which is triggered at appropriate moments.
4. Doing things efficiently: All important things I am aware of are done in the minimum
time possible (either directly or at least when amortized complexity is used), but to
choose which job is the best candidate for preempting the current job requires linear
search of up to all transport jobs (the worst theoretical case - the reality is much better).
As this is done every time the next queue entry to be delivered is about to be chosen, it
seemed reasonable to add cache which minimizes the overhead. Maintenance of this
candidate cache slightly obfuscates things.
The points 2 and 3 are those which made the implementation (look) complicated and were the
real coding work, but I believe that to understand the scheduling algorithm itself (which was
the real thinking work) is fairly easy.
http://www.subneural.net/postfix-master/CYRUS_README.html01/16/2005 15:47:00
Postfix Berkeley DB Howto
Introduction
Postfix uses databases of various kinds to store and look up information. Postfix databases are
specified as "type:name". Berkeley DB implements the Postfix database type "hash" and
"btree". The name of a Postfix Berkeley DB database is the name of the database file without
the ".db" suffix. Berkeley DB databases are maintained with the postmap(1) command.
2. How to build Postfix on BSD or Linux systems with multiple Berkeley DB versions.
Warning: some Linux system libraries use Berkeley DB, as do some third-party libraries such
as SASL. If you compile Postfix with a different Berkeley DB implementation, then every
Postfix program will dump core because either the system library, SASL library, or Postfix
itself ends up using the wrong version.
To build Postfix after you installed the Berkeley DB from http://www.sleepycat.com/, use
something like:
% make tidy
% make makefiles CCARGS="-DHAS_DB -I/usr/local/
BerkeleyDB.3.1/include" \
AUXLIBS="-L/usr/local/BerkeleyDB.3.1/lib -ldb"
% make
The exact pathnames depend on the DB version that you installed. For example, Berkeley DB
version 2 installs in /usr/local/BerkeleyDB.
Warning: the file format produced by Berkeley DB version 1 is not compatible with that of
versions 2 and 3 (versions 2 and 3 have the same format). If you switch between DB versions,
then you may have to rebuild all your Postfix DB files.
Warning: if you use Berkeley DB version 2 or later, do not enable DB 1.85 compatibility
mode. Doing so would break fcntl file locking.
Warning: if you use Perl to manipulate Postfix's Berkeley DB files, then you need to use the
same Berkeley DB version in Perl as in Postfix.
To build Postfix on BSD systems with a specific DB version, use a variant of the following
commands:
% make tidy
% make makefiles CCARGS=-I/usr/include/db3 AUXLIBS=-
ldb3
% make
Warning: the file format produced by Berkeley DB version 1 is not compatible with that of
versions 2 and 3 (versions 2 and 3 have the same format). If you switch between DB versions,
then you may have to rebuild all your Postfix DB files.
Warning: if you use Berkeley DB version 2 or later, do not enable DB 1.85 compatibility
mode. Doing so would break fcntl file locking.
Warning: if you use Perl to manipulate Postfix's Berkeley DB files, then you need to use the
same Berkeley DB version in Perl as in Postfix.
Warning: some Linux system libraries use Berkeley DB. If you compile Postfix with a non-
default Berkeley DB implementation, then every Postfix program will dump core because
either the system library or Postfix itself ends up using the wrong version.
On Linux, you need to edit the makedefs script in order to specify a non-default DB library.
The reason is that the location of the default db.h include file changes randomly between
vendors and between versions, so that Postfix has to choose the file for you.
Warning: the file format produced by Berkeley DB version 1 is not compatible with that of
versions 2 and 3 (versions 2 and 3 have the same format). If you switch between DB versions,
then you may have to rebuild all your Postfix DB files.
Warning: if you use Berkeley DB version 2 or later, do not enable DB 1.85 compatibility
mode. Doing so would break fcntl file locking.
Warning: if you use Perl to manipulate Postfix's Berkeley DB files, then you need to use the
same Berkeley DB version in Perl as in Postfix.
Tweaking performance
Postfix provides two configuration parameters that control how much buffering memory
Berkeley DB will use.
● berkeley_db_read_buffer_size (default: 128 kBytes per table). This setting is used by all
other Postfix programs. The buffer size is adequate for reading. If the cache is smaller
than the table, random read performance is hardly cache size dependent, except with
btree tables, where the cache size must be large enough to contain the entire path from
the root node. Empirical evidence shows that 64 kBytes may be sufficient. We double
the size to play safe, and to anticipate changes in implementation and bloat.
A description of how to use pcre tables, including examples, is given in the pcre_table(5)
manual page. Information about PCRE itself can be found at http://www.pcre.org/.
In some future, Postfix will have a plug-in interface for adding map types. Until then, you need
to compile PCRE support into Postfix.
First of all, you need the PCRE library (Perl Compatible Regular Expressions), which can be
obtained from:
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/.
In order to build Postfix with PCRE support you need to add -DHAS_PCRE and a -I for the
PCRE include file to CCARGS, and add the path to the PCRE library to AUXLIBS, for
example:
Things to know
● When Postfix searches a pcre: or regexp: lookup table, each pattern is applied to the
entire input string. Depending on the application, that string is an entire client hostname,
an entire client IP address, or an entire mail address. Thus, no parent domain or parent
network search is done, "user@domain" mail addresses are not broken up into their user
and domain constituent parts, and "user+foo" is not broken up into user and foo.
● Regular expression tables such as pcre: or regexp: are not allowed to do $number
substitution in lookup results that can be security sensitive: currently, that restriction
applies to the local aliases(5) database or the virtual(8) delivery agent tables.
% sh postfix-install
You will be prompted for installation parameters. Specify an install_root directory other than /.
The mail_owner and setgid_group installation parameter settings will be recorded in the main.
cf file, but they won't take effect until the package is unpacked and installed on the destination
machine.
If you want to fully automate this process, specify all the non-default installation parameters on
the command line:
% sh postfix-install -non-interactive
install_root=/some/where ...
% cd INSTALL_ROOT
% rm -f SOMEWHERE/outputfile
% find . \! -type d -print | xargs tar cf SOMEWHERE/
outputfile
% gzip SOMEWHERE/outputfile
This way you will not include any directories that might cause trouble upon extraction.
# umask 022
# gzip -d <outputfile.tar.gz | (cd / ; tar xvpf -)
The umask command is necessary for getting the correct permissions on non-Postfix
directories that need to be created in the process.
● Create the necessary mail_owner account and setgid_group group for exclusive use by
Postfix.
● Execute the postfix command to set ownership and permission of Postfix files and
directories, and to update Postfix configuration files. If necessary, specify any non-
default settings for mail_owner or setgid_group on the postfix command line:
With Postfix versions before 2.1 you achieve the same result by invoking the post-
install script directly.
Introduction
Postfix 2.2 introduces support for the IPv6 (IP version 6) protocol, whose main feature of
interest is that it uses 128-bit IP addresses instead of the 32-bit addresses used by IPv4.
With this, Postfix can use the same SMTP protocol over IPv6 as it already uses over the older
IPv4 network, and Postfix can do AAAA record lookups in the DNS in addition to the older A
records. Information about IPv6 can be found at http://www.ipv6.org/.
● Supported platforms
● Configuration
● Known limitations
● Credits
Supported Platforms
Postfix version 2.2 supports IPv4 and IPv6 on the following platforms:
● AIX 5.1+
● Darwin 7.3+
● FreeBSD 4+
● Linux 2.4+
● NetBSD 1.5+
● OpenBSD 2+
● Solaris 8+
● Tru64Unix V5.1+
On other platforms Postfix will simply use IPv4 as it has always done.
Configuration
Postfix IPv6 support introduces two new main.cf configuration parameters, and introduces an
important change in address syntax notation in match lists such as mynetworks or
debug_peer_list.
Postfix IPv6 address syntax is a little tricky, because there are a few places where you must
enclose IPv6 address inside [] characters, and a few places where you must not. It is a good
idea to use [] only in the few places where you have to. Check out the postconf(5) manual
whenever you do IPv6 related configuration work with Postfix.
● The new inet_protocols parameter specifies what IP protocols Postfix will use. This
parameter also controls what DNS lookups Postfix will do.
/etc/postfix/main.cf:
# You must stop/start Postfix after changing
this parameter.
inet_protocols = ipv4 (DEFAULT: enable
IPv4 only)
inet_protocols = all (enable both IPv4
and IPv6)
inet_protocols = ipv4, ipv6 (enable both IPv4
and IPv6)
inet_protocols = ipv6 (enable IPv6 only)
By default, Postfix uses IPv4 only, because most systems aren't attached to an IPv6
network.
❍ On systems with combined IPv4/IPv6 stacks, attempts to deliver mail via IPv6
would always fail with "network unreachable", and those attempts would only
slow down Postfix.
❍ Linux kernels don't even load IPv6 protocol support by default. Any attempt to
use it would fail immediately.
Note 1: you must stop and start Postfix after changing the inet_protocols configuration
parameter.
Note 2: if you see error messages like the following, then you're running Linux and need
to turn on IPv6 in the kernel: see http://www.ipv6.org/ for hints and tips. Unlike other
systems, Linux does not have a combined stack for IPv4 and IPv6, and IPv6 protocol
support is not loaded by default.
Note 3: on older Linux and Solaris systems, the setting "inet_protocols = ipv6" will not
prevent Postfix from accepting IPv4 connections. Postfix will present the client IP
addresses in IPv6 format, though. In all other cases, Postfix always presents IPv4 client
IP addresses in the traditional dotted quad IPv4 format.
● The other new parameter is smtp_bind_address6. This sets the local interface address
for outgoing IPv6 SMTP connections, just like the smtp_bind_address parameter does
for IPv4:
/etc/postfix/main.cf:
smtp_bind_address6 = 2001:240:5c7:0:250:56ff:
fe89:1
● If you left the value of the mynetworks parameter at its default (i.e. no mynetworks
setting in main.cf) Postfix will figure out by itself what its network addresses are. This
is what a typical setting looks like:
% postconf mynetworks
mynetworks = 127.0.0.0/8 168.100.189.0/28
[::1]/128 [fe80::]/10 [2001:240:5c7::]/64
If you did specify the mynetworks parameter value in main.cf, you need update the
mynetworks value to include the IPv6 networks the system is in. Be sure to specify IPv6
address information inside [], like this:
/etc/postfix/main.cf:
mynetworks = ...IPv4 networks... [::1]/128
[2001:240:5c7::]/64 ...
NOTE: when configuring Postfix match lists such as mynetworks or debug_peer_list, you
must specify IPv6 address information inside [] in the main.cf parameter value and in
files specified with a "/file/name" pattern. IPv6 addresses contain the ":" character, and
would otherwise be confused with a "type:table" pattern.
Known Limitations
● The order of IPv6/IPv4 outgoing connection attempts is not yet configurable. Currently,
IPv6 is tried before IPv4.
● Postfix currently does not support DNSBL (real-time blackhole list) lookups for IPv6
client IP addresses; currently there are no blacklists that cover the IPv6 address space.
● IPv6 does not have class A, B, C, etc. networks. With IPv6 networks, the setting
"mynetworks_style = class" has the same effect as the setting "mynetworks_style =
subnet".
● On Tru64Unix, Postfix can't figure out the local subnet mask and always assumes a /128
network. This is a problem only with "mynetworks_style = subnet" and no explicit
mynetworks setting in main.cf.
Credits
The following information is in part based on information that was compiled by Dean Strik.
● Jun-ichiro 'itojun' Hagino of the KAME project made substantial improvements. Since
then, we speak of the KAME patch.
● The PLD Linux Distribution ported the code to other stacks (notably USAGI). We
speak of the PLD patch. A very important feature of the PLD patch was that it can work
with Lutz Jaenicke's TLS patch for Postfix.
● Dean Strik extended IPv6 support to platforms other than KAME and USAGI, updated
the patch to keep up with Postfix development, and provided a combined IPv6 + TLS
patch. Information about his effort can be found on Dean Strik's Postfix website at http://
www.ipnet6.org/postfix/.
● Wietse Venema took Dean Strik's IPv6 patch, merged it into Postfix 2.2, and took the
opportunity to eliminate all IPv4-specific code from Postfix that could be removed. For
systems without IPv6 support in the kernel and system libraries, Postfix has a simple
compatibility layer, so that it will use IPv4 as before.
Berkeley DB issues
On RedHat Linux 7.0 you must install the db3-devel RPM before you can compile the Postfix
source code.
Warning: do not use multiple Berkeley DB versions. Every Postfix program will dump core
when it is built with a different Berkeley DB version than the version that is used by the system
library routines. See the DB_README file for further information.
Procmail issues
On RedHat Linux 7.1 procmail no longer has permission to write the mail spool directory.
Workaround: chmod 1777 /var/spool/mail.
Syslogd performance
LINUX syslogd uses synchronous writes by default. Because of this, syslogd can actually use
more system resources than Postfix. To avoid such badness, disable synchronous mail logfile
writes by editing /etc/syslog.conf and by prepending a - to the logfile name:
/etc/syslog.conf:
mail.* -/var/log/mail.log
http://www.subneural.net/postfix-master/LINUX_README.html01/16/2005 15:47:10
Postfix and NFS
This question was asked on the postfix-users mailing list a while ago:
Also, what considerations are there for file locking or other potential problems
when running Postfix with a Netapp-style box for /var/mail delivery? I know that
FreeBSD has broken NFS file locking (both client and server?) but I'm not sure
if this is something Postfix can work around or not.
Postfix jumps several hoops in order to deal with NFS-specific problems. Thus, Postfix on NFS
is slightly less reliable than Postfix on a local disk. That is not a problem in Postfix; the
problem is in NFS and affects other MTAs as well.
For queue locking within Postfix, NFS is not an issue because you cannot share Postfix queues
among multiple Postfix instances.
In order to have mailbox locking over NFS, you have to configure everything to use fcntl()
locks for mailbox access (or switch to maildir style, which needs no application-level lock
controls).
/etc/postfix/main.cf:
virtual_mailbox_lock = fcntl
mailbox_delivery_lock = fcntl
Obviously, this approach is useful only if all other mailbox access software also uses fcntl()
locks.
/etc/postfix/main.cf:
Postfix on Ultrix
This document is probably only of historical value, because Ultrix version 4 dates from the
early 1990s. However, as long as Wietse keeps Postfix alive for SunOS 4, it is likely to run on
Ultrix 4 with very little change. Feedback is welcome if anyone actually still uses Postfix on
any version of Ultrix.
The source of this document is an email message by Christian von Roques that was sent on Jun
2, 1999.
...
One of the bugs of Ultrix's /bin/sh is that shell-variables set in arguments of `:'
expand to garbage if expanded in here-documents. Using a different shell helps. I
needed to replace all calls of ``sh .../makedefs'' by ``$(SHELL) .../makedefs'' in
all the Makefile.in and am now able to use ``make SHELL=/bin/sh5'' or zsh.
...
I just reduced the threshold from 256 to 64, but this is not good. The initial
problem still remains: How to disable this warning on Ultrix without making the
source ugly?
To work around the first problem, all the Makefile.in files have been updated to use `
$(SHELL)' instead of `sh'. So you only need to supply a non-default shell in order to eliminate
Ultrix shell trouble.
To work around the latter, util/sys_defs.h was updated for Ultrix, with a default FD_SETSIZE
of 100. This should be sufficient for a workstation. Even in 1999, no-one would run a major
mail hub on Ultrix 4.
Section Topic
1 Commands
Library
3
routines
5 File formats
8 Daemons
Commands
Postfix configuration
● master(5), Postfix master.cf file syntax
● postconf(5), Postfix main.cf file syntax
Table-driven mechanisms
● access(5), Postfix SMTP access control table
● aliases(5), Postfix alias database
● header_checks(5), body_checks(5), content inspection
● canonical(5), Postfix address rewriting
● relocated(5), Users that have moved
● transport(5), Postfix routing table
● virtual(5), Postfix virtual aliasing
Daemon processes
● anvil(8), Postfix connection/rate limiting
● bounce(8), defer(8), trace(8), Delivery status reports
● cleanup(8), canonicalize and enqueue message
● discard(8), Postfix discard delivery agent
● error(8), Postfix error delivery agent
● flush(8), Postfix fast ETRN service
● lmtp(8), Postfix LMTP client
● local(8), Postfix local delivery agent
● master(8), Postfix master daemon
● oqmgr(8), old Postfix queue manager
● pickup(8), Postfix local mail pickup
● pipe(8), deliver mail to non-Postfix command
● proxymap(8), Postfix lookup table proxy server
● qmgr(8), Postfix queue manager
● qmqpd(8), Postfix QMQP server
● scache(8), Postfix session cache manager
● showq(8), list Postfix mail queue
● smtp(8), Postfix SMTP client
● smtpd(8), Postfix SMTP server
● spawn(8), run non-Postfix server
● trivial-rewrite(8), Postfix address rewriting
● verify(8), Postfix address verification
● virtual(8), Postfix virtual delivery agent
Wietse Venema is best known for the software TCP Wrapper, which is still widely used
today and is included with almost all unix systems. Wietse is also the author of the Postfix
mail system and the co-author of the very cool suite of utilities called The Coroner's Toolkit
Today's Term or "TCT". He is currently working at the Thomas J. Watson Research Center and he has
penetration: gratiously agreed to allow us to catch up with him and and see what he's been up to lately.
Successful,
repeatable, Linuxsecurity.com: Thanks for taking the time to interview with us. How you doing these
unauthorized days? The most we hear from you is when Postfix is updated, the mailing lists, or
access to a something like that. What are you up to?
protected system
resource. (See:
Wietse: I have been finishing things, so that I can start work on new projects. After a major
attack,
violation.) ... documentation rewrite for the Postfix mail system, I finished the manuscript for a book on
computer forensic analysis with Dan Farmer. When I finish something, I normally start
reading everything that I can lay my hands on and then inspiration comes.
Wietse: Some tools such as TCP WRAPPER are complete, and adding more features does
not make them more useful. I would update them only so that they survive changes in
operating systems, language compilers and/or network protocols. Some tools such as
SATAN have served their purpose, and now have historical value only.
Linuxsecurity.com: Does the continued success of TCP Wrapper surprise you? If so, why
is that? What does TCP Wrapper have that makes it so valuable today.
Perhaps the biggest virtue is that tcp_wrappers works as expected. This means that not only
the software is relatively error free, it is also possible for human beings to install, configure,
and forget tcp_wrappers without getting into trouble.
It does not matter how well software is written when people can't figure out how to use it,
or when it has sharp edges that make it unsafe to use. Being safe and secure is hard enough
with software like tcp_wrappers that spans only a few thousand lines of code.
With a 10 times larger system such as Postfix, even relatively error-free software contains a
number of errors, and one has to build additional safety features into the architecture to
prevent accidents from happening. Just like elevators have safety brakes that prevent them
from crashing into the basement, Postfix has safety brakes that most people never notice
until they are needed.
Linuxsecurity.com: Postfix is a really good Mail Transport Agent (MTA), I've been using
it for a long time and I set it up for someone any chance I get. Why did you decide to write
a new MTA instead of scaling down an existing MTA? :-)
Wietse: Indeed, why would anyone spend so much time writing yet another UNIX-based
mail system, when Sendmail and qmail already existed? When I was looking for a
programming project, neither mail system was a desirable option for me, and enough
people felt the same way.
Writing a new mail system from scratch was a change from previous projects. Normally I
would retrofit security features almost invisibly, either by replacing an existing server such
as portmap by a hardened version that was 100% compatible, or by adding a very thin layer
such as tcp_wrappers. In the case of the Postfix mail system, there was no way that the
changes could be made in an invisible manner.
Linuxsecurity.com: What is your take on spam and the role the MTA plays in helping to
prevent it?
Wietse: Stopping email that contains spam is not fundamentally different from stopping
email that contains viruses.
In both cases, complex content analysis is better done outside the mail system. That allows
people to choose the best mail system and the best spam/virus software for their
environment.
And in both cases, a lot of spam or viral email comes from systems that have no business
sending email directly across the Internet. These are often PCs on residential networks that
have been compromised via some worm of virus, and that are under remote control by
criminals that use those systems to send spam and/or to infect more systems. These rogue
systems can often be recognized by the way they implement the email protocols wrongly, if
not by their residential IP address.
Blocking direct mail from rogue systems is best done by the ISP that hosts those systems,
but that happens rarely. The next best solution is to block direct mail from rogue systems at
the receiving end, and that is where Postfix can help.
Linuxsecurity.com: In one article, I wrote about how attackers are still breaking into
computer systems using well-known exploits. Any ideas on how to help instill basic
security practices in administrators and vendors?
Wietse: I think that learning by example is a good way to bring the point across. This is
what Dan Farmer and I attempted years ago with our white paper on improving the security
of your system by breaking into it.
I have the same experience when explaining how to build more secure software. People just
don't see that there is a problem until you can show good examples of software that does
not do the things that it obviously was meant to do. Security problems happen when there is
a mismatch between expected behavior and actual behavior.
Linuxsecurity.com: How did you get into the forensics side of computers?
Wietse: The initial motivation for getting involved with computer forensics was to
reconstruct computer break-ins, so that I could prevent them from happening again. An
amazing amount of information can be found after an incident. As computers become more
complex, humans have less control over when and where information is stored, and how
that storage is recycled when information is discarded.
Because of this it is practically impossible to erase all information about an incident from a
disk, without physically destroying the hardware. Erasing all memory is difficult too, if you
don't want to draw attention by crashing the system. How much reconstruction is possible
depends only on the amount of skill and effort you're willing to put in.
Linuxsecurity.com: You and Dan Farmer still work on The Coroner's Toolkit (TCT).
What research, seminars, or open source programs you working on in forensics?
Wietse: We just finished a manuscript for a book on computer forensic analysis that we
hope will come out this year. In this book we write about things that we learned after we
released the TCT. For some experiments we used the TCT, and for other measurements we
wrote a few new tools. When this book is published I will be happy to turn my attention to
other projects.
Linuxsecurity.com: We just wanted to catch up with you and see how things were going.
Can you please give us a final statement about keeping our systems secure?
Wietse: You don't make a system secure by patching the holes - if the system wasn't built
to be secure then it never will be.
"As long as there is support for ad hoc fixes and security packages for these inadequate
designs and as long as the illusory results of penetration teams are accepted as
demonstrations of computer system security, proper security will not be a reality."
Roger Schell et al., Preliminary notes on the Design of Secure Military Computer Systems,
1973. Archive of seminal security papers at http://seclab.cs.ucdavis.edu/projects/history/
seminal.html
Linuxsecurity.com: Okay one last thing, where were you and who drew that caricature on
your website?
Wietse: The caricature was drawn, by an artist whose name I do not know, at a conference
dinner in 1997 when the Forum of Incident Response and Security Teams (www.first.org)
met for its annual conference in Bristol, UK. I have supported this organization for many
years, and I even had the privilege of spending more than the maximal time as its chair.
http://www.subneural.net/postfix-master/linux-journal-20040501.html01/16/2005 15:47:15
HEC Montréal: Follow-up on the Large-Scale Mail Installation
http://www.subneural.net/postfix-master/linux-journal-20040413.html01/16/2005 15:47:16
Sharing Software, IBM to Release Mail Program Blueprint
The open-source model has been gaining popularity in the last year
based on the success of the free Linux operating system, and in
recent months several major technology corporations have
endorsed part or all of the idea.
Related Sites
These sites are not part of The New York Times on the Web, and The
Times has no control over their content or availability.
● IBM
● Sendmail
June 3, 2001
NEWS & ANALYSIS
THE INDUSTRY STANDARD MAGAZINE
Headlines
Money & Markets Behind the Big Blue Wall
Tech & Telecom By Elinor Abreu
Issue Date: Jan 22 2001
Media & Marketing
Metrics & Stats How IBM learned to quit worrying and love open-source
Policy & Politics software.
Careers
Lifestyle
Opinion
Just over two years RELATED CONTENT
International
ago, Nick Donofrio, * Companies (4)
senior vice president
* Articles (9)
SEARCH for technology at
GO IBM (IBM), received * Topics (2)
advanced search a surprise phone call * Research (3)
from his boss, Louis * Insights (1)
SERVICES
Gerstner. The
Company Index Printer-friendly version
company's CEO had
Newsletters
just read a New York Email to a friend
Research Store Write the author:
Times article about * Elinor Abreu
Conferences
an IBM developer who had released an e-
Wireless
mail program called SecureMailer, Subscribe to The
My Account
written in open-source code - freely
Industry Standard
PRINT EDITION distributed software that could be
Read the Magazine modified by anyone. Though he didn't
phrase it this way, Gerstner was essentially calling to ask,
"What the hell's going on here?"
MENTIONED COMPANIES
RELATED ARTICLES
RELATED TOPICS
RELATED INSIGHTS
ADVERTISEMENT
FEATURED LINKS
Visit www.Office.com. The #1 online business resource center.
NextCard Visa APRs as low as 0.00% Intro! Click NOW to apply
Check out Microsoft Office XP at a Launch Event near you
Click Here To Shop Ralph Lauren's Polo.com
Save time and $$$. Enroll in Hertz' Business Account Program
June 3, 2001
NEWS & ANALYSIS
THE INDUSTRY STANDARD MAGAZINE
Headlines
Money & Markets Behind the Big Blue Wall
Tech & Telecom continued
Media & Marketing
Metrics & Stats "Suddenly, IBM was the cool company RELATED CONTENT
Policy & Politics on the block," says James Berry, then * Companies (4)
Careers the WebSphere product manager at IBM
* Articles (9)
Lifestyle and now vice president of strategy at
* Topics (2)
Opinion open-source consulting firm Collab.Net.
International "The dot-com phenomenon was running * Research (3)
on Linux and Apache, and guess what? * Insights (2)
SEARCH
IBM had a product that ran on Linux and
GO Apache. For the first time, we were the Printer-friendly version
advanced search lead dog rather than the rear dog." Email to a friend
SERVICES Write the author:
Company Index Meanwhile, in Böblingen, Germany, 28- * Elinor Abreu
Newsletters year-old Boas Betzler was working on
Research Store IBM's System 390 mainframe technology Subscribe to The
Conferences at the office and on Linux at home. One Industry Standard
Wireless day in 1998, he suggested to a
My Account colleague that it might be fun to have
Linux running on S/390. His managers liked the idea and so did
PRINT EDITION
executives in the U.S. They brought Betzler and his wife to
Read the Magazine
IBM's Poughkeepsie, N.Y., headquarters in mid-1999 to
complete his work.
The visitors quickly realized that IBM was not the staid Big Blue
of old. "I remember being amazed to discover that the person
hosting me didn't wear a suit and tie," recalls Stallman.
The changes, in a sense, take IBM back to its roots. "For IBM,
open source is a return to an industry they understand better,"
says O'Reilly. "Some of [IBM's] operating systems were
originally user-developed. So in a way, this is a real
comfortable arena for them."
MENTIONED COMPANIES
RELATED ARTICLES
RELATED TOPICS
RELATED INSIGHTS
ADVERTISEMENT
FEATURED LINKS
Visit www.Office.com. The #1 online business resource center.
NextCard Visa APRs as low as 0.00% Intro! Click NOW to apply
Check out Microsoft Office XP at a Launch Event near you
Click Here To Shop Ralph Lauren's Polo.com
Save time and $$$. Enroll in Hertz' Business Account Program
Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Search
OK
Let us Clean
your house
Directory for a Year!
FREE!
Hot Topics
Napster Looking for
Andrew Leonard Love? Try
Censorship Salon
Linux Chapter 7, part 1 Personals
Scott Rosenberg ------------
Java Extra goodies and
Technology Log great services in
Dottie Downturn
How Big Blue fell for Linux Salon Plus
View From the Top
When open-source developers and IBM took gambles on each
J.R.R. Tolkien other, free software showed it can flourish in the heartland of
corporate computing.
Articles by date
------------
● All of Salon.com By Andrew Leonard
By department
Free Software
●
Sept. 12, 2000 | The kitchen is the receptionist at Collab.net, a Project home
software start-up in the South of Market neighborhood of San page
Francisco. No one is present to greet an inquisitive visitor walking
through the open door on the fourth floor of a nondescript building
About Salon's
-- just stacked cases of Snapple fruit juice and giant bags of
pretzels; a refrigerator and a sink; a coffee machine and a water Free Software
dispenser. Project
The ambience screams of youthful coder necessities. On top of the Complete list of
refrigerator, huge boxes of Trix and Cap'n Crunch line up like published
crates of ammunition. Next to the sink sits a large jar of Twizzlers. chapters and
From the large, open room stretching beyond the kitchen, a discussions
seductive slither of spooky trance music pulses -- inviting, and yet
at the same time a little intimidating. People who work in this kind Full outline of
Arts & Entertainment of environment are almost too cool. the book
- The Movie Page
Books
A few concessions are made to the Andrew
Comics
Mothers Who Think
sensitivities of the less hip -- the potential Leonard
News investors or clients from the old world of biography
Print story
People computing who might drop by, looking to
Politics dump a million bucks here or there. Along one Glossary
Sex wall stands a free-standing rack packed with
E-mail story
Tech & Business hundreds of issues of business/high tech
- Free Software Project magazines -- The Industry Standard, Business
Audio
2.0, Red Herring, Fortune.
- Salon Radio
Letters The magazines may not make good marketing View Salon
Columnists
material right now. Collab.net, the brainchild privately with
Corrections
of open-source star Brian Behlendorf,* aims to SafeWeb
Salon Plus make a business out of, he says, "distilling the
Salon Shop principles of open source." But at least half of
Personals
the covers of these new-economy bibles are
screaming dire, boldface warnings about the current dot-com
meltdown, including Wall Street's sharp turn away from Linux-
related stocks in the spring and summer.
Table Talk
[Free, spirited
Salon forums]
It's a good thing the office tunes are soothing, because jangled
nerves are suddenly everywhere in that strange land where free
The OS wars Which software and dot-com start-ups mix. In the summer of 1999, Red
side are you on? Hat's IPO, occurring right in the middle of a packed LinuxWorld
convention, sent attendees into a dither of delight. But in mid-
Passion or pay? Why August, no less an authority than the New York Times takes
do you do what you do advantage of another LinuxWorld convention to declaim about
for a living? how Wall Street is souring on Linux.
Dear Clown in the
Corner Office ... What
The Gray Lady is a bit late to the story -- the trade press has been
do you really want to hooting about declining valuations since early in the spring, and
say to your boss? competitors have long become adept at using the stock price
declines of companies like Red Hat and VA Linux as evidence that
● Posts of the week the open-source upstarts don't pose a threat to established,
proprietary software enterprises. Critics of free software are also
muttering about continuing delays pushing back the release of the
The Well
next version of Linux, and the failure of Netscape's Mozilla project
[Pioneering members-
only discussions] to release a usable browser.
Supplanting tobacco But the Times may also be a bit overeager: Barely one week after
The war on drugs has August's LinuxWorld, Linux companies like Caldera and VA
warped more minds Linux handily beat analyst estimates and watch their stock prices
than drugs
themselves. surge. Linux investors suddenly rejoice.
And yet, those who take heart in a one-day surge are just as guilty
Sound Off
of overeagerness. Both cynics and Pollyannas are like marks
suckered into a New York huckster's game of three-card monte.
● E-mail Salon
While they busily stare, striving to follow the movements of the
● Send us a Letter to
the Editor
dealer's hand, they never notice that Times Square around them is
● Today's letters
meanwhile being transformed from pimp heaven into Disneyland.
Sure, companies in the business of selling Linux may have
questionable prospects -- but the open-source revolution is still in
full effect, rebuilding the software industry from top to bottom,
forcing everyone to adapt.
To see this process in action, you don't need to look further than
the computer industry's venerable giant, IBM -- which has become
perhaps the best corporate friend open-source software has ever
had.
Salon Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Reproduction of material from any Salon pages without written permission is strictly prohibited
Copyright 2001 Salon.com
Salon, 22 4th Street, 16th Floor, San Francisco, CA 94103
Telephone 415 645-9200 | Fax 415 645-9204
E-mail | Salon.com Privacy Policy
Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
As it turned out, IBM had very good reasons for wanting Linux
running smoothly on the 390 -- as well as for keeping the project
quiet while it was still incomplete. But on the morning of Dec. 16,
nothing could have prevented Vepstas' shock from quickly turning
to anger. As he wrote to the Linux/390 mailing list on Dec. 18,
after IBM announced to the world what it had demonstrated to
Cox two days earlier:
Eight months later, Vepstas has let his grudges subside -- he's
immersed in a new project, GNUCash, a free personal-finance
management program. He's moved on. But at the time, Vepstas
could be excused for feeling slighted. One of the motivating forces
fueling free software hackers is the reputation game -- the better
the hack, the more cred you get in your community. But by
obliterating his project, IBM had eviscerated his chance for such
cred. His own background as a programmer who had worked for
IBM for 10 years made the blow hit especially hard.
The story of how IBM made friends with free software hackers,
from the early days when it dipped its toes into the Apache Project
to its current headfirst plunge into Linux, is not the story of a
carefully executed strategy. It is instead a tale of contingency,
luck, a few committed engineers and a few canny executives. Its
twists and turns hinge on the results of combating agendas,
political maneuvering and software ambition. At its most
mundane, it is a story that hints at how the battle for dominance
over new software markets will be waged over the next few years.
At its most metaphysical, it is a story that illuminates the
contradictions inherent in the very concept of a "corporation."
It's all too easy to see a company like IBM, or Sun, or even
Microsoft, in the terms of the legal fiction that is represented by
the word "corporation," to anthropomorphize it as a "body" and
give it attributes -- evil, good, brilliant, stupid, spunky, lumbering.
"In the beginning, we really did not think about how big an impact
we could make," says Betzler. "We always wanted to demonstrate
the power and capability of the mainframe and then give it to
someone who would know Linux and see the machine and use it
and say 'Wow, that's a really big Linux.'"
"I think many people don't realize how much the social dynamics
inside of large companies [such as IBM] resemble that of the open-
source community," says Vepstas. "It's just that within large
corporations the cooperation and the bickering are hidden from
public view. The Linux/390 guys within IBM were stepping on all
sorts of land mines internally."
Salon Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Reproduction of material from any Salon pages without written permission is strictly prohibited
Copyright 2001 Salon.com
Salon, 22 4th Street, 16th Floor, San Francisco, CA 94103
Telephone 415 645-9200 | Fax 415 645-9204
E-mail | Salon.com Privacy Policy
Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Arts & Entertainment attracted a huge following, and earlier that spring Netscape had the book
- The Movie Page made the dramatic announcement that it would be releasing the
Books source code to its Navigator Web browser. But the traditional Andrew
Comics
corporate world, at least from a managerial standpoint, still didn't Leonard
Mothers Who Think
News
seem to know what to make of this hacker frenzy. Software biography
People engineers everywhere were already gung-ho, but the suits were a
Politics step or two behind.
Glossary
Sex
Tech & Business James Barry and Yen-ping Shan weren't your ordinary IBM suits,
- Free Software Project however. Barry, the product manager for WebSphere, a set of
Audio
closely related e-business programs, was a jeans-in-the-office kind
- Salon Radio
of guy, and had been employed by IBM for little more than a year.
Letters Shan, IBM's chief architect for e-business tools, came from an
Columnists engineering background. The two men were complementary
Corrections
halves to the same coin. Barry was a gregarious and jovial 43-year-
Salon Plus old who in 1998 already had years of experience in online affairs,
Salon Shop dating back to a bulletin board he had operated in Boulder, Colo.,
Personals in the early '90s. He recalls, "Shan was the technical guy who
knew a lot about marketing, while I was the marketing guy who
knew a lot about the technology."
Table Talk Both men were certain of one thing: It was in IBM's interest to
[Free, spirited support the Apache Web server, a program developed by a loose
Salon forums]
group of volunteer programmers led by -- or, more accurately,
coordinated by -- Brian Behlendorf. But just getting as far as this
The OS wars Which
meeting had required mastering an internecine political process at
side are you on?
IBM that defied ordinary mortal comprehension. Engineers at IBM
Passion or pay? Why
had been fans of Apache since at least 1996, when it was used as
do you do what you do the Web server platform underlying IBM's Web-based front end to
for a living? the Atlanta Summer Olympic Games. But IBM also owned Lotus
software, which had its own Web server program: Domino Go.
Dear Clown in the IBM software executives kept squashing engineering's Apache
Corner Office ... What enthusiasm, tracing their mandate all the way back to the CEO,
do you really want to
Lou Gerstner. You've got to eat your own dog food; if IBM had a
say to your boss?
Web server product, it should be pushing that product and using it
● Posts of the week
for its own servers.
The only problem was, practically no one besides IBM itself was
The Well using Domino Go, which made it rather unwise to rely on the
[Pioneering members- program as a first step for penetrating other Internet software
only discussions]
markets. For months, Barry and Shan had been working to
persuade IBM of Apache's strategic advantage.
Supplanting tobacco
The war on drugs has
warped more minds First, Apache was what people were using. Shortly after Barry had
than drugs been hired, initially as a consultant to evaluate IBM's
themselves.
"middleware"* offerings, he had lectured IBM managers on the
fact that Apache was the most popular Web server program on the
Sound Off Internet -- and the single most widely used piece of software for
the hosting of Web sites. Even in the Fortune 500, IBM's home
● E-mail Salon territory, more companies were running their Web sites on Apache
● Send us a Letter to than on Domino Go. (Though, to be fair, some of those high-
the Editor
profile corporate sites, such as those belonging to Nike and Levi's,
● Today's letters
were actually being hosted by Organic Online.)
For a year and a half -- much of which, say his friends, was spent
in the air traveling from IBM office to IBM office -- Barry pushed
the open-source strategic imperative to anyone who would listen.
If IBM was interested in fending off Microsoft, if it cared at all
about creating the widest possible pool of customers for all the
fancy e-business services that IBM wanted to offer its customers,
then it must get with the real program -- the open-source program,
the Apache program.
There was just one niggling problem, even after Barry and Shan
finally won over higher levels of IBM management: IBM wanted
Apache, but did Apache want IBM?
Apache got the job done. It wasn't necessarily the best Web server,
the fastest, the most powerful or the most secure. But it was still
the most widely used, in large part because it handled, simply and
effectively (and freely), the tasks that most people needed
handling.
"I told him," recalls Shan, "that we are going to play by your rules,
because we believe that your structure and practice actually
works."
Fine. If IBM was going to play by Apache's rules, then that's what
it would have to do to win the Apache group's support. To do that
would require something a bit more substantive than taking
Behlendorf out to dinner.
And in the Apache group, good code always won the day.
Stoddard's contributions were accepted. IBM was accepted. IBM
endorsed Apache, and gave open source an entree into the land of
the suits. And Apache endorsed IBM, proving that hackers could
work with the biz guys. The announcement of the agreement
generated some 1,000 media stories -- which, more than any other
fact, Barry recalls with a rueful grin, sealed the deal for upper
management. That kind of positive press was by definition a
successful strategic move.
Salon Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Reproduction of material from any Salon pages without written permission is strictly prohibited
Copyright 2001 Salon.com
Salon, 22 4th Street, 16th Floor, San Francisco, CA 94103
Telephone 415 645-9200 | Fax 415 645-9204
E-mail | Salon.com Privacy Policy
Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Salon
"It was a huge risk," says Nick. "And the reason we were
ultimately successful was that we could show that by supporting
middle-tier Unix applications that are collaborative in a distributed
environment with the 390 back end and by running that entire
heterogeneous workload on our platform, we would actually in the
end be providing a bigger platform for our customers than we
would if we forced everything to be on OS/390. There's a huge
risk in that statement, but we are banking on the power of open
source."
In essence, pretty much the same thing that James Barry and Yen-
ping Shan were saying when they pushed Apache. There is a
whole world of people using Linux-based operating systems and
the vast ecology of programs that run on those operating systems
right now. An enormous amount of work is being done using a set
of tools that have a Unix heritage and are currently at home on
Linux-based systems.
The Linux generation is in some ways the heart and soul of the
Net, and its numbers, according to Nick, are surging. An entire
generation of programmers has adopted Linux. It doesn't matter
whether they are doing this because they hate Microsoft, or think
Linux-based systems are technically superior, or just like to hack
on free software. The fact is, it's happening. Market share for
Linux-based operating systems -- and mind share for Linux among
developers -- is continuing to rise.
By ensuring that Linux will run on the 390, IBM would ensure that
its mainframes would be an attractive environment for all those
programmers and system administrators to work in. A bank could
use its mainframe to handle its massive data-processing needs, and
at the same time allow its Linux-skilled programmers to do
whatever they needed to do -- in particular, to make use of all the
middle-tier software applications that have been developed to get
things done in an open, Internet environment. By expanding the
possibilities, IBM would be able to expand its own market
penetration.
"It would be great if you could do that," says Nick. "But the
difference is that because Linux is open source, which allows it to
be worked on by a large collaborative set of developers, it has also
been built to be platform agnostic. It's got what we call horizontal
layering of function, so you can easily port the OS to multiple
machine architectures and platforms. This is not true of NT and
this is not true of most Unixes -- where each operating system has
grown up tied to its machine architecture. "
And that's the business case for open source. At first listen, "worse
is better" sounds like Orwellian doublespeak, a phrase designed
more to confuse than enlighten. But in practice, "worse is better" is
an actual evolutionary success strategy -- and nothing exemplifies
its principles better than open source.
------------
salon.com
------------
Sound Off
Send us a Letter to the Editor
Salon.com >>
Technology
Salon Search About Salon Table Talk Newsletters Advertise in Salon Investor Relations
Reproduction of material from any Salon pages without written permission is strictly prohibited
Copyright 2001 Salon.com
Salon, 22 4th Street, 16th Floor, San Francisco, CA 94103
Telephone 415 645-9200 | Fax 415 645-9204
E-mail | Salon.com Privacy Policy
Summary
Good news -- there are better ways to do e-mail. Cameron and Kathryn introduce
two new open source mail products called Postfix and Mailman and explain how
you can begin to use them in your own work. Find out what you need to get
started with these interesting and rewarding technologies. (2,500 words)
hile e-mail is the most mature and most widely diffused Internet application, it hasn't
stopped growing. The last year alone has seen several exciting developments and
announcements, even in the oldest and least "sexy" domains: mail transfer agents and mailing
list managers.
Keep in mind the fundamental architecture of e-mail processing: At your desktop, you
compose a message. You use a mail user agent (MUA) as the user interface to pass your
message, along with such other information as the address for which it's intended, to an e-mail
server. A mail transfer agent (MTA) on the server takes responsibility for figuring out how best
to deliver your message (Is it local -- should it go through my LAN? Is it external? What server
on the other end will receive it?). Generally, it communicates with another MTA on the server
used by your intended recipient. Once the message has been received by that second MTA, it's
available for your recipient's MUA to access it.
Sendmail isn't perfect, though. It's bulky, difficult, and has a history of security problems. More
precisely, it's in just the shape you'd expect of a product originally built for a much different
computing environment, and it's been patched and rewritten during several computing
generations. Still, the Sendmail development team has achieved quite a feat in bringing it
forward from the far more relaxed security traditions of two decades ago.
Wietse Venema has an alternative, though. Venema, a security expert on the IBM Research
staff, started fresh, and has produced Postfix, a drop-in replacement for Sendmail which
promises to deliver e-mail more quickly, conveniently, and safely.
Postfix isn't Sendmail's only challenger. Zmailer, Smail, qmail, Post.Office, exim, the Sun
Internet Mail Server (SIMS), MMDF, CommuniGate, PMDF, Netscape Messaging Server, and
a variety of other products offer specific benefits for Unix-hosted e-mail service. Postfix is the
newest of these, however, and worth a look.
Postfix's heritage
Venema has a track record in secure computing. He says his "claim to fame is largely based on
the low incidence of error" in the systems he's written, including Security Administrator Tool
for Analyzing Networks (SATAN) and TCP Wrapper. In designing and implementing Postfix
(which began life as VMailer and Secure Mailer; don't be confused by the name changes),
Venema's goal was for it "to be fast, easy to administer, and hopefully secure, while at the same
time being Sendmail-compatible enough to not upset your users."
He's made enough progress toward that goal that IBM has agreed to release Postfix as an open
source product under an IBM license in the spirit of Perl's Artistic License. (Caution: While
IBM supports Venema, its marketing department occasionally garbles the message. Don't be
alarmed if you run into a Web page that suggests you must pay for Postfix, or that its use is
You might choose the first of these if your primary motivation is to improve the performance
of bulk mailing. This gives you a way to experiment and quantify the speed-up, while leaving
everything you've already configured to handle incoming e-mail in place and unaltered.
Postfix seems to be less scary to manage than Sendmail. Customizing or even configuring
Sendmail always feels like a big deal; on the other hand, Postfix is quite a bit easier to
experiment with because you can test just one thing at a time. Venema, for example, recently
added a "debugging" feature suggested by Bennett Todd, a Unix systems and security analyst
working on Wall Street: a "soft_bounce" selection to ensure that, even in the case of
misconfiguration, messages are not erroneously returned to their senders.
Our speed tests were equivocal: While Postfix consistently was zippier for us, the results were
so sensitive to configuration that anyone with serious performance requirements will need and
want to run his or her own tests. For the light loads the majority of hosts typically experience,
performance enhancements can be invisible. With very high traffic levels, though, whether
inbound or outbound, Postfix (and such alternatives as qmail and Post.Office) handles a
multiple of Sendmail's limits.
Both Sendmail's and Postfix's current releases run about 50,000 lines of source code. Postfix
has six times as many source files and they average, of course, only about a sixth the size of
Sendmail sources. That's the sort of thing that contributes to Postfix's approachability. It's much
easier to localize changes, problems, and opportunities in Postfix's sources.
Choosing an MTA
Should you stay with Sendmail? Try Postfix? Test-drive a commercial alternative? Here are the
main elements we consider when deciding between these possibilities:
Sendmail has it all. If you need features, Sendmail is likely to be the place they first appear and
are exercised the most. Sendmail has at least an order of magnitude more source-code hackers
than any of the other MTAs. Most Unix boxes ship with Sendmail. Sendmail's the easy choice
for most system administrators.
If you're using Sendmail, though, you have a professional responsibility to update it to a current
release. The security hazards of running an older version (some major Unix vendors still ship
Sendmail 5.65!) are simply unacceptable.
It takes less than an hour to do a basic installation of Postfix. If you inherit a complicated and
undocumented Sendmail.cf configuration, you might be tweaking your Postfix tables for a
while; Postfix does not support Sendmail.cf. Postfix's address-rewriting tables are easy enough
to use, though, so that even starting from scratch shouldn't take you all day. What you have
after such an investment is a far safer MTA that will probably perform much better.
Anyone considering Postfix should also know about qmail -- a more mature open source
project that occupies almost exactly the same niche as Postfix. Its security and performance are
very good, and it's had a couple more years to ripen than Postfix. It has about the same set of
features as Postfix, plus a clever built-in "aliasing" scheme that simplifies mailing list
management. Postfix's configuration files are fewer and perhaps more readable than qmail's;
choosing between their approaches seems to be a matter of personal taste. Venema and qmail's
inventor, Daniel J. Bernstein, have such strong personalities that some users decide between
their products based on compatibility with their authors. Also, note that the qmail license is an
unusual one. While Bernstein has liberalized it again recently, it generally has been more
restrictive than the licenses for many other open source products in that it restricts developers
from modifying the core of qmail or distributing binary images. This has been a predictably
contentious topic throughout qmail's history. On one side, Bernstein doesn't want people to
degrade qmail's security, even if inadvertently, and give his product a bad name. But then
proponents of license liberalization argue that the license is a practical inconvenience that
decreases the usefulness of qmail.
You're probably running Sendmail now, and all you need to do is pick up the latest release for
its tighter security and antispamming features. But do tens of thousands of people look to you
when they have e-mail problems? Is your domain a prominent one that might attract crackers?
Has your uptime been floating higher? In such cases, it's time you at least begin to experiment
with Postfix (or qmail, or one of the higher-end commercial products), which will give you
superior performance and security to Sendmail with all the reliability that the latter has gained
during two decades of refinement.
Finally, if you select or are leaning toward Postfix, strongly consider subscribing to the postfix-
announce, postfix-users, and/or postfix-testers mailing lists. The latter, in particular, is where
the design of new features is properly discussed. The Postfix home pages supplies more
information about these mailing lists.
and difficult to
manage.
One reassuring aspect of Postfix and Mailman is that their creators use them. Venema has
depended on Postfix as the only MTA on his own node for over a year, while Ken Manheimer,
John Viega, Scott Cotton, and Barry Warsaw developed Mailman largely as an extension of
their own needs for more convenient and higher performing mailing list management than
other products afford. Among other responsibilities, Mailman keeps the mailing lists of all
python.org activities, including the Python Special Interest Groups (Python SIGs), straight.
Performance primary
Warsaw, a system engineer at the Corporation for National Research Initiatives, told us,
"Performance was primary. We used Majordomo before, and when a lot of messages came
through, they just bogged the machine down. We're really happy with how Mailman's working
out." The migration from Majordomo has been easy: "It took five minutes to convert three
mailing lists, purely through the Web interface."
According to Warsaw, Mailman is coded in approximately 13,000 lines of Python code, along
with 600 lines of C which wrap security facilities. Mailman exposes Python as an extension
language that allows for customization of Mailman's interfaces.
Mailman further resembles Postfix in having a robust and swift generation. Warning: As a
practical matter, you'll need root access on your host to configure Mailman properly. Most
open source products can be generated and initially tested by ordinary Unix users. Some
organizations have a policy that requires this. With Mailman, though, you'll at least need to
create a new account and group (the default for both is "mailman") for Mailman's use.
The distributions for both Postfix and Mailman have clearly written README files that point
to details on licensing, installation procedures, and known problems. Be careful. Sometimes the
documentation lags the application. There have been a few cases where a fix appeared in a
release, but the documentation didn't catch up until later. In the worst case, this means that
something works, but you can only scrutinize further by reading source or experimenting with
the installation in getting Mailman to work in other environments.
Warsaw needs only a few words to explain his judgment of Mailman's progress: "I'm biased,
but I really see no reason to use Majordomo now. Mailman's performance is that much better, it
has more features, and it's just as reliable." He's working on making the conversion from one to
the other just as simple. While migrating a Majordomo mailing list into Mailman is
straightforward now, Warsaw intends to document and further automate it after the 1.0 release.
The final milestone before the Free Software Foundation releases Mailman as an official
product is resolution of a couple of faults reported on Linux file systems that Mailman's core
development team haven't yet reproduced.
Summary
The software you're already using to handle your e-mail requirements probably works reliably.
However, the scale of your operations is likely growing, while security threats become more
difficult, and your users' demands for convenience expand. It might be time for you to move to
a new technology -- one better suited to modern needs. Several of the best e-mail products are
open source. In particular, you can easily install Postfix and Mailman, and test their
performance in realistic settings. Postfix and Mailman already have healthy user communities.
You can have confidence that Postfix and Mailman will be fresh and well-supported for years
to come.
Home | Mail this Story | Comment on this Story | Resources and Related Links
http://www.sendmail.org/
● Sendmail Inc.
http://www.sendmail.com/
● The Postfix home page
http://www.postfix.org/
● MTA survey
ftp://koobera.math.uic.edu/www/surveys/smtpsoftware3.txt
● "The original 'killer app'" (a LinuxWorld-Tapping the Source feature on qmail)
http://www.linuxworld.com/linuxworld/expo/lw-email.html
● The Open Source page
http://www.opensource.org
● Mailman home page
http://www.list.org/
● The GNU Project and the Free Software Foundation
http://www.gnu.org
● Wietse Venema's tools
ftp://ftp.porcupine.org/pub/security/index.html
● "Report from SANS '98: Why Wietse Venema says Sendmail can never be made
http://www.greatcircle.com/majordomo/FAQ.html
● Cameron Laird's personal notes on Python
http://starbase.neosoft.com/~claird/comp.lang.python/python.html
Name:
Email:
URL: http://www.sunworld.com/swol-03-1999/swol-03-mailtools.html
Last modified: Thursday, March 30, 2000
SUBSCRIBE to our
Weekly Newsletters
Hot Topics!
IIS
Sulfnbk.exe
HEADLINES
Personal
Firewalls Kurt's Closet: Postfix - the Sendmail IWON:
NetWolves Says
Lopez Worm
replacement GE To Use Its
Services Internet
NetRadarEWS Security System
InfoSecU
Newsbytes:
Top News SETI At Home
September 15, 1999 – Most, if not all the readers of this column run a mail
All News server, and more then likely it is running Sendmail. In all fairness Sendmail is Servers
Linux a damn good MTA (Mail Transfer Agent), Eric Allman originally wrote it with Invaded, Users
Microsoft one main goal in mind: the mail must get through. Unfortunately, when Spammed
Virus Sendmail was originally written security wasn't a major concern on the Boston Internet:
Press Releases Internet and it shows. Sendmail runs almost exclusively as the root user on RSA Security
Features most systems, meaning any flaws are potentially very serious. In addition to Opens Ireland
Ask Buffy this Sendmail isn't very good at handling high loads. New mailers, such as Plant
K-Files Postfix, Zmailer, and Qmail are several times faster then Sendmail on the
Slashdot:
Kurt's Closet same hardware. Until recently most of the alternative mailers to Sendmail
OpenBSD 2.9
Top 20 Virus were not drop-in replacements, to replace Sendmail was a painful task, and
Released
Archives the new software typically behaved differently then Sendmail. Postfix was
designed from the start to address all these problems. CNET: Central
Centers Command
Firewalls Releases Its
Security
Virus/Malware Dirty Dozen --
Security 101 Top 12 --
Careers
Postfix does not run exclusively as root, instead a master program (called
Viruses For May
Community
"master") runs as root and spawns off processes to handle incoming,
2001
eForensics
outgoing and local mail delivery as needed. Using a series of modular
Networking
components, each task is handled by a separate program (which makes More News
Crypto/PKI
auditing it easier), for example outgoing email is dumped into the queue
Vendors
directory by your software, where "pickup" gets it and hands it to "cleanup", Send
Microsoft
which hands it to "trivial-rewrite" which handles the headers, and finally is
Feedback
Macintosh
given to "smtp" if bound for a foreign system. Postfix is also much easier to
More...
setup for a chroot'ed environment than Sendmail is, simply make a few edits
to the master.cf file (typically in /etc/postfix) and Postfix will run chroot'ed in
Weekly Digests its defined queue directory (usually /var/spool/postfix). It is also possible to
BSD set process limits for individual portions of postfix, again in the master.cf file.
Careers You can also easily set which user the Postfix programs run as, typically it
Check Point defaults to "postfix" (a user similar in concept to the "nobody" user for
Executive apache), which has access to certain queue directories. Another major benefit
Linux of Postfix is the clarity of the configuration files, if you haven't yet looked at
Microsoft the guts of a sendmail.cf file I would recommend that you don't (O'Reilly has
PGP an 800 page book on Sendmail).
Raptor
Solaris
The master.cf file:
Tools
Virus # ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
CryptoArchive # ==========================================================================
smtp inet n - n - - smtpd
Discussion Forum pickup fifo n n n 60 1 pickup
cleanup unix - - n - 0 cleanup
Get SecurityPortal qmgr fifo n - n 300 1 qmgr
rewrite unix - - n - - trivial-rewrite
To Go
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
smtp unix - - n - - smtp
showq unix n - n - - showq
Replacing Sendmail
New problems
Of course replacing one software package with another will solve certain
problems, and create new ones, to which Postfix is no exception. Partly due
to it's design as a secure MTA you may experience some minor problems with
Postfix. The best example is email to root, Postfix, by default, does not like to
deliver email with elevated privileges (necessary to send email to root
typically). You will need to define an alias for root in the aliases file, such as:
"root: someuser". This also leads to problems with several mailing list
packages, especially SmartList, which by default does all sorts of funky things
that Postfix will not stand for. In any case I would advise switching to
Majordomo, it is easier to configure and maintain via email for owners of
mailing lists.
Scalability
Licensing
The IBM Open Source License is surprisingly liberal. Previous versions had a
rather ugly termination clause, which prevented wide spread acceptance of
Postfix, however this has been removed and Postfix is now "safe" to use. You
can distribute the software, develop it, make changes and so forth, the only
catch being that you must contribute any changes back to IBM (rather
reasonable since they paid Wietse to develop it).
Qmail
Some of you are probably wondering why I haven't mentioned Qmail yet, or
written an article "Qmail - the Sendmail replacement". I have tested Qmail,
and used it for a while, in general I found (and several sites I communicated
with, one being a large Linux vendor) Qmail to be very painful to configure
and maintain. In addition to this the Qmail license is very unclear, and
doesn't even ship with the software. To quote the author: "If you want to
distribute modified versions of qmail (including ports, no matter how minor
the changes are) you'll have to get my approval." This and other issues have
hindered Qmail's acceptance.
Kurt Seifried is a security analyst and the author of the "Linux Administrators
Security Guide", a source of natural fiber and Linux security, part of a
complete breakfast.
Related links:
Postfix:
http://www.postfix.org/
SUBSCRIBE to our
Weekly Newsletters
Hot Topics!
IIS
Sulfnbk.exe
HEADLINES
Personal
Firewalls Postfix - The Sendmail Replacement, IWON:
NetWolves Says
Lopez Worm
Part II GE To Use Its
Services Internet
NetRadarEWS Security System
By Kurt Seifried (seifried@securityportal.com) for SecurityPortal
InfoSecU
Newsbytes:
Top News SETI At Home
Kurt's Closet Archive
All News Servers
Linux Invaded, Users
Microsoft Spammed
Virus
Boston Internet:
Press Releases
RSA Security
Features Opens Ireland
Ask Buffy Plant
November 22, 2000 -
K-Files Subscribe to get FREE security
I've written about Postfix Slashdot:
Kurt's Closet news, commentary, and articles.
before, over a year ago, OpenBSD 2.9
Top 20 Virus and since then it has Released
Archives gotten even better. I (email address) Go
CNET: Central
Centers must confess that I've Command
Firewalls been using the 31 Dec. Releases Its
Virus/Malware 1999 release on my servers until last week, which, while Dirty Dozen --
Security 101 extremely stable, lacks a lot of the features now available in Top 12 --
Careers current snapshots of Postfix. Postfix is now more useful than ever Viruses For May
Community as a gateway mail server. I'll cover some of the more interesting 2001
eForensics available features and how you can use them to secure and
protect your email infrastructure. Most of these features are More News
Networking
Crypto/PKI actually quite old, but are probably news to most users.
Vendors Send
Microsoft This article was written using Postfix snapshot 20001030. Since Feedback
Macintosh then several things (like virtual) have changed, making some
More... points in this article incorrect.
Weekly Digests Print this
BSD Article
Careers Check_recipient_access
Check Point
Executive This is probably the best way of restricting incoming email to valid
Linux email accounts only. Let's assume you have a decent-sized
Microsoft corporate LAN based on Windows and are using Exchange server
PGP for email. Exchange can only validate incoming email based on the
Raptor domain, not the user, and since it will attempt to deliver the email
Solaris for 48 hours, your system can get quickly clogged up - with no
Tools easy way to clean it out. Place your Exchange server behind a
Virus firewall so no one on the Internet can connect to it directly, and
then place a Postfix server on the public side. Add this to your
main.cf:
CryptoArchive
Discussion Forum smtpd_sender_restrictions = check_recipient_access
hash:/etc/postfix/access-inbound
Get SecurityPortal
To Go Then in your /etc/postfix/access-inbound file, simply put,
validuser@example.org OK
example.org REJECT
You will also need to create the hash file. The following command
will do so:
postmap /etc/postfix/access
You could also use the generic access file, but splitting it up allows
for extremely selective access controls. You can then have the
mail delivered locally or forwarded to another (internal) system. If
an email is sent to an email address not listed specifically, and the
domain is covered by a reject rule, the sender will receive an
email with an error like,
You can also specify a custom error such as "useraccount does not
exist." However, a spammer could theoretically use this to build an
address list by simply testing all the email addresses - those that
generate an error message do not exist, and those that do not
generate one do exist.
Virtual
This feature can be used as intended, for having virtual users (i.e.,
if you handle multiple domains and more than one wants a
webmaster@ email address) as well as for protecting internal
servers.
virtual_maps = hash:/etc/postfix/virtual
userbob@example.org userbob@internal-mail.example.org
userbo@example.org userbo@internal-mail.example.org
userbill@example.org userbill@internal-mail.example.org
@example.org bounce-local
postmap /etc/postfix/virtual
smart host) and it will rewrite the email addresses outgoing from
@internal-mail.example.org to @example.org (or whatever you
want).
Local_recipient_maps
This keyword lets you allow only local delivery of email to valid
users and/or definitions in the aliases map. Thus any email bound
for a nonexistent user gets bounced immediately with an error
message saying the user does not exist. This is useful if you the
postmaster do not want to receive as many error messages.
Potentially, however, an attacker could use this to find valid
names (anything valid won't generate an error). This is probably
most useful for large installations such as ISPs and large
corporations. An additional consideration would be to use
relocated_maps. Simply put this in your main.cf:
This will accept any email defined in aliases or for user accounts in
the password database.
Relocated_maps
relocated_maps = hash:/etc/postfix/relocated
Blocking Spam
Database Backends
One thing I really love about Postfix is the ability to use databases
instead of flat text files or hash and dbm files. Currently only
MySQL is supported, but that is more than sufficient for most
users. You must first compile in support for MySQL. See the
"MYSQL_README" file for more information on this. Then you
simply create a table in the MySQL database of usernames, virtual
mappings or whatever. The cool thing is, this allows for very
efficient sharing of configuration files between servers; and since
you can specify multiple MySQL servers, you can replicate the
database and avoid a single point of failure as well as being able
to vary the order the databases are listed in on various servers, as
a simplistic form of load balancing.
alias_maps = mysql:/etc/postfix/mysql-aliases.cf
user = someone
password = some_password
dbname = customer_database
table = mxaliases
select_field = forw_addr
where_field = alias
additional_conditions = and status = 'paid'
hosts = maildb1.example.org maildbt2.example.org
TLS
Regular Expressions
header_checks = regexp:/etc/postfix/header-checks
And then add rules to your header-checks file; the target can be
REJECT, OK or a custom error.
See man regexp_table(5) for more information. You can also use
PCRE by simply specifying pcre: instead of regexp: in your main.
cf. The rules are basically the same, except that the syntax used
for pattern matching is a bit more advanced.
Summary
Postfix, on the other hand, comes under the IBM Public License,
which is surprisingly considerate to end users. My real favorite is
the simplicity of configuration. An average main.cf is under 30
lines of configuration directives. Hopefully more vendors will start
shipping Postfix with their distributions.
Related Links
Directories -
Downloads
The Journal
IT Focus
Tech Focus
Tech Workshop Search
Profiles
Users' Choice October 2, 1998
Departments Venema aims to make network software safe
About the Journal
What's Cool:
News Central by Cameron Laird John Law vs.
Training Center the virus
Discussions "It's a lot more work than I expected." -- Wietse Venema
Ask the Experts
What's New:
E-mail is so mature an Internet application that it now almost
Job Bank DHTML
doesn't seem like "technology"; it's just an expectation of late
Calendar Behaviors
Twentieth Century life, like clean water or falling gasoline
Search Central directory
prices. It hasn't become easy yet, though, for people like IBM
Books for Sale research staff member Wietse Venema, who's in the middle of a
project "to build a mail system that does not screw up your What's Hot:
Classifieds
machine," called VMailer. FREE trial
About us
subscription to
Venema's a good man for the job. He's ITKnowledge
worked for over a decade on a broad
range of "software whose existence you
don't notice because it works well":
Journal by E-mail: network security, inter-company
your e-mail financial transactions, terminal
emulation, and so on. "My software
Subscribe rarely fails ... My claim to fame is
Get the weekly e- largely based on the low incidence of error" in the infrastructural
mail highlights from applications he's written. Now he's moved permanently to the
the most popular "beautiful landscape" of central New York state from his native
online Journal for Netherlands to dedicate a year to VMailer.
developers!
Current issue
How e-mail moves
EarthWeb Sites: delivers mail through the network; it's a queue management
system, because sometimes mail can't be delivered right away;
it's a database management system, because it must deal with
multi-user access to the mailbox store. And of course, it has to be
DATAMATION safe, fast and secure, and easy to administer."
DEVELOPER.COM
DICE
EARTHWEB DIRECT
When things work right, you aren't aware of all these
GAMELAN complexities. You see only the so-called "user agent" on your
HTML GOODIES own machine, that manages communications with all the other
INTRANET JOURNAL pieces. You might have heard, though, of one of the most widely
ITKNOWLEDGE used of these other pieces: sendmail. It is an open-source
ITLIBRARY application originally written by Eric Allman in 1980 while a
JARS student. sendmail is the "transfer agent" in use on the
JAVA GOODIES
overwhelming majority of Internet servers; its job is to pass
JAVASCRIPTS.COM
ROADCODERS
letters along from one machine to another, until they arrive at
Y2KINFO their final destination.
VMailer's prospects
Before VMailer, Venema was probably best known for his work
with the Security Administrator Tool for Analyzing Networks
(SATAN). SATAN probes machines connected to the Net and
reports on problems or weaknesses it finds. This is a great
convenience for system administrators responsible for securing
these machines; it gives them a nicely formatted, thorough
explanation of the deficiencies they need to address. As with all
the tools Venema writes, "I have given away the programs ... so
that other people can inspect and use them, too."
Away from the keyboard, Venema and his wife Annita are
looking forward to replacing the bicycles they sold when they
moved. This will give them a chance to explore the North
Country Trailway, which runs near their new home. "This is
continent collision zone, with lots of weird geology. It's quite a
change from the Netherlands, which is all flat and which has
almost no trees."
● IBM Research
● Wietse Venema's home page
● Venema's VMailer Project
● Sendmail Consortium
● Sendmail, Inc.
● tcp wrappers BLURB
● SATAN
ANNOUNCEMENTS
Keep your tech team up to speed with a corporate subscription to
ITKnowledge, the largest and fastest growing online technical
reference library.
For tons of Windows technology resources, check out win.
developer.com.
WIN a 15" Flat Screen LCD Monitor with Built-In Speakers from
EarthWeb Direct!
Prentice Hall co-authors of Java Design Pete Coad, Mark Mayfield,
and Jon Kern are talking in our new forum. Join them!
The preeminent online programmers journal and resource for software developers, programmers, web
builders and information technology professionals working on software development, web building,
programming and need programmers news and updates.
mark durham
17 april 2000
Let's start with a question about Postfix. What are your plans for incorporating encryption? I'm
thinking specifically of Transport Layer Security (TLS) and SMTP authentication.
Hopefully those will be in the next official release. I've received several donated pieces of software
from people who use my Postfix program, and who have added things like authentication and
encryption. I'm in the process of merging that donated code into my software.
Do you foresee any legal issues with open sourcing that technology once it's been integrated?
There's no longer an issue in doing this from the United States, because as of January 15, it's legal to
export open source code with encryption functions. You only have to send a notice to the Bureau of
Export Administration.
Do you have any particular plans for September 20, the day the RSA patent runs out?
[laughs] Well, it expires several times, doesn't it? I think the US and Canadian expiration dates are
different.
I have no specific plans with respect to RSA. In any case, the encryption would not be shipped with
Postfix. All I would provide is a version of Postfix where you can throw in the encryption source code.
I don't think it makes sense to put a copy of all the SSL and related stuff inside of Postfix.
Exactly. And if somebody else fixes a problem in SSL, then I won't have more work to do. [laughs]
You seem to have plenty to do as it is. What projects are you working on right now besides
Postfix? Last I heard, you were porting TCP Wrappers to IPv6. Is that done already?
How's it going?
Slowly. It's a problem, because by now lots of vendors are shipping systems with IP version 6 support.
Postfix has taken a lot of my attention, and of course there are other things too, like the forensics tools
I've been working on with Dan Farmer. We gave a free, full-day class on computer forensics last
August and promised about six tools. The tools were given to the attendees as a beta release, but we
really want to finish a first public release. I was actually hoping we would do it in April.
In our class, we explained how to get evidence after a break-in. There are all kinds of little bits and
pieces of information that stay behind on a system when it's being used. And it's all very volatile,
because every bit on a computer will eventually be overwritten, so you have to be really careful to
recover the information or else it's gone forever. The most spectacular tools we have are for recovering
deleted files. And they turn out to work much better than we expected.
You used to say you wrote every single packet you received to disk as insurance against crackers.
Is that still true?
On my previous machine in the Netherlands, I used to do that. I'm not doing that currently, but I am in
the process of reinstalling this functionality again.
Well, that depends on how much disk you have and on the bandwidth of your network. When I
connected my own machine to the Internet a couple of years ago, I thought, "Well, maybe some people
will attack me. How will I find out?" One possibility was to record everything that came over my
network to a disc on a machine that no one could break into, and every now and then just look at the
logs. Even if somebody managed to break in, it would be recorded and I could still see what happened
and what the damage was.
Well, the unfortunate thing is that nothing ever happened. So I recorded several years of "nothing
happened." [laughter] I didn't do this when I came to the US, but I'm going to do it again, just as a kind
of insurance.
I post to it infrequently, and I follow it from a distance. I don't know if you've noticed, but there are
several new vulnerabilities every week. I don't think anybody on this planet is really keeping up to date
with all these vulnerabilities. [laughs]
When we interviewed Paul Vixie some months ago, he pointed out that Internet protocols simply
were not designed to deal with malice. They were designed for civilized people who behaved in a
civilized way - friends, fellow researchers, colleagues. Do you think vulnerability is built into the
protocols of the Internet? To what extent is IPv6 successful in solving that problem?
It's very difficult to build protocols that will survive and do well in an unfriendly world. By definition,
you're trying to connect systems to each other and exchange information between them. It's really hard
to design protocols that let you connect your machine to the network and still be immune against
malice. On the other hand, it's very easy to screw up and design protocols that act as amplifiers for the
kind of attacks we've seen in the last couple of years.
What elements of the Internet protocol do you see as having specific potential to amplify attacks?
One very well-known attack is where I send one IP packet to a broadcast address on your network, and
then every machine will respond. So if you have a network with one hundred machines, all I have to do
is to send one packet and they will send one hundred packets.
Yes. If I can spoof my sender address, now I can suddenly, with very little effort, make other machines
do a lot of work for me and do DOS-like attacks. You could do the same thing with application levels
in protocols. But the broadcast is a very popular example.
IP version 6 uses encryption and authentication - and again, it turns out to be very difficult to design
the cryptographic protocol such that a client cannot force the server into doing a lot of expensive
computations.
In your Bugtraq posting about the TCP data corruption problem, you mentioned that IPSEC's
limitations on traffic manipulation have provoked some controversy.
Yes, that's true. In fact, Steve Bellovin at AT&T is working on a proposal - at least, I understand he's
working on something along those lines. People do want to see some information about traffic. They
do want to do traffic analysis. If I'm a network provider, I want to know what kinds of traffic are going
over my network so I can do capacity planning. If all the traffic is totally encrypted, it's very difficult to
find out what's going on.
The problem we were dealing with in the Bugtraq posting was a bandwidth management system that
just changes a few parameters in TCP headers so that the traffic flows more smoothly. Those are things
that you simply cannot do when all the data is protected by digital signatures and such. So there are
several conflicting requirements, like people wanting to be able to see a bit more of traffic than they
would be able to see, and people actually wanting to do some management of the traffic, like
bandwidth allocation.
So there's an ease-of-administration tradeoff for the security that you get. The encryption has an
administrative cost.
Yes, the encryption makes it impossible to do certain operations. Now, from the point of view of
security, this is exactly what you want. All you want is to send your data to the other machine, and it
should be sent unchanged: no man-in-the-middle attacks by "helpful" intermediate systems. So these
are conflicting requirements.
You've been associated with IBM for a couple of years now, right? Did you come in '96, '97, '98?
Yes, yes, yes. [laughs] The answer is "yes" in all three instances. I came in 1996 as a visitor, and then I
stayed a bit longer, and then I joined IBM. So yes, the whole process extends from 1996 to the summer
of 1998.
Do you have pretty broad latitude in terms of the work you do there?
Beyond giving you the liberty to work on it, is IBM supportive of Postfix and the other software
you produce? Do they actually help you get it out there to people? Do they help you stay in touch
with users and so on?
Well, it's pretty much up to me, I think. You have to coordinate a few things with people, but it works
fine. I can do a lot of things. [laughs] I could probably do more.
How do you see the relationship between open source development and the commercial
marketplace? Companies like Red Hat and Sendmail have married the two to create a revenue
stream that can better support open source development. Does this seem like a valid approach to
you?
It seems to make sense. I don't have much to say much on this subject, but it seems to make sense.
You've described the creation of Postfix as a response to sendmail and an attempt to create an
alternative to sendmail. What do you think about cooperation versus competition in the free
software world? Is variety a good thing?
I think it's beneficial when multiple implementations coexist. Not too many, because that confuses
people. But a number of implementations can coexist, because it gives people more choice.
What about sharing features and ideas? Eric Allman has told me on several occasions of the high
regard he has both for you personally and for your work on Postfix. Are there things that you've
learned from sendmail and implemented in Postfix? Are there things sendmail can learn from
Postfix?
The same thing happens with everybody who implements a system from the ground up. Just as Eric
Allman had to solve problems as he was building sendmail over time, I ran into several problem
instances myself and tried to solve them. And then I looked at how sendmail solved it, or how other
systems solved it. Sometimes you find your solution is better, and sometimes you find your solution is
worse. Sometimes you find a security problem in the other person's solution. All these things happen.
But the end result, of course, is that people will have better software.
So you wouldn't be offended if Eric looked at Postfix and said, "Hey, what a great idea, Wietse. I
think I'll steal it."
Not at all. I stole some ideas from qmail. And of course, I stole the user interface from sendmail. But
that was also for compatibility reasons.
I guess you have the same problem whether you're developing a new application or doing a new
version of an existing application: you have to keep from scaring users off by changing things too
fast.
Yes, and in fact, these things become a problem very quickly. Once you give your software to other
people, that's where it starts. You can no longer just totally change the software anymore, because
people have become dependent on it.
Are you planning to implement message tracking in Postfix, at least once there's a standard
protocol?
Well, if there is a standard. I really don't like to invent my own wheels. But if people need this
functionality, it will eventually be part of the mail system, yes. But you really need a standard that goes
across multiple systems. Because mail usually goes from one system via a few other systems to its final
destination, and if you want to do tracking, all these different systems need to be doing something
comparable.
As you look forward at the future of email and Internet communication generally, aside from the
obvious things - many more users and much greater security issues - what do you see as the
forces shaping the evolution of these technologies? What direction do you see email going in,
beyond simple one-to-one messaging?
I'm actually surprised that email still works so well, and works the way it does. Because it hasn't
changed fundamentally over the last couple of decades. It is still doing the same thing, I believe.
Except that it's reaching a lot more people. But the basic model hasn't changed at all.
It's possible, but it hasn't really evolved at all. Instead, what you see is new applications coming up
and, side by side, email. There is the World Wide Web - and email has, of course, inherited some of its
features. But the basic model is still the same: I sit at my screen, I do stuff, I send it to you. You
receive my message and read it from your screen. And the two actions are completely disconnected.
That's the basic character of email. If people want realtime conversations, they have lots of choices
already.
Many people see email's asynchronous aspect as a big advantage. It gives you a rhythm of
communication that's much more appealing in certain ways.
Absolutely. I prefer email over telephone calls anytime. Not that - [laughter]
Jetzt bestellen!
Die Software Rebellen
Jahres-CD 2000
Täglich senden weltweit über 100 Millionen Benutzer E-Mails. Erstaunlich ist, daß nach wie vor Eric Allman's betagter Sendmail der am
weitesten verbreitete Mail Transfer Agent ist. Postfix hat das Zeug, Sendmail als Standard-Mailer abzulösen.
ahezu unüberschaubar ist die Flut von Diensten, die das Internet mittlerweile bietet. Einer der wichtigsten Dienste bleibt jedoch das
N Versenden und Empfangen von Mails. Ohne Open-Source-Tools wäre das undenkbar - gerade Sendmail gehört zu den am weitesten
verbreiteten Mail Transfer Agents (MTA).
Leider ist der monolithische Sendmail alles andere als leicht zu pflegen. In solch ein "Multifunktions-Tool" schleichen sich zwangsläufig Fehler
ein - eine neue Sicherheitslücke in Sendmail gehörte in der Vergangenheit zu den Treppenwitzen der Internet-Geschichte schlechthin.
Aber auch wenn die aktuelle Version - soweit bekannt - keine großen Sicherheitsmängel aufweist: alleine die Konfiguration von Sendmail
schreit geradezu nach einer Alternativlösung. Das Standardwerk zu Sendmail, das so genannte "bat book" von Bryan Costales und Eric Allman
[3] umfaßt 1021 Seiten.
Die beiden am häufigsten eingesetzten (freien) Alternativen zu Sendmail sind Dan Bernsteins Qmail und Postfix von Wietse Venema. Beide
sind wie Sendmail im Quelltext frei verfügbar - Qmail unter der GPL, Postfix unter einer von der Mozilla Public License abgeleiteten Lizenz
von IBM - und beide sind einfacher zu handhaben als das altehrwürdige Sendmail.
Ursprünglich hieß das Projekt "VMailer". IBMs Rechtsanwälte haben aber herausgefunden, daß der Name zu ähnlich dem eines eingetragenen
Markenzeichens war. Wietse Venemas Antwort auf meine Frage nach dem Namen seines Mailerprojekts:
Wieste's Ziel bei der Entwicklung von Postfix war, ein schnelles, einfach zu administrierendes und sicheres Programm(paket) zu entwickeln,
das so weit wie möglich zu Sendmail kompatibel sein soll. Das Interessanteste an Postfix ist sein innerer Aufbau (siehe Grafik): es besteht aus
mehreren kleinen Programmen, die über UNIX-Domain-Sockets kommunizieren. Auf diese Weise ist es viel einfacher, Probleme, Fehler oder
Sicherheitsmängel in den Griff zu bekommen. Beispielsweise kommt Postfix ganz ohne setuid-M©chanismen aus. Deshalb ist es für einen
potenziellen Angreifer unmöglich, Superuser-Rechte zu bekommen - selbst wenn er ein Sicherheitsloch von Postfix gefunden hätte. Sendmail
hingegen muß unter UID 0 (root) laufen, zumindest in einer Standardinstallation und ohne größere Klimmzüge.
Ebenfalls aus Sicherheitsgründen arbeitet Postfix mit vier verschiedenen Queues: "maildrop", "incoming", "active" und "deferred". Lokal
gesendete Mails landen in "maildrop" und werden von dort in die "incoming"-Queue kopiert, nachdem sie regelbasiert auf Größe, Inhalt und
anderes überprüft wurden. In der "active" Queue landen die Mails, die der Queue-Manager gerade bearbeitet und ausliefert (lokal oder remote).
Nachrichten, die Postfix nicht ausliefern kann (Dienst des Zielmailservers reagiert nicht, keine Route, keine Netzverbindung, ...), landen in der
"deferred" Queue. Da Postfix immer nur eine Mail gleichzeitig bearbeitet und die "active" Queue klein hält, ist es unempfindlich gegen
Ressourcenknappheit. Das Bearbeiten/Ausliefern von Mails kann also in keinem Fall, beispielsweise wegen eines vollen Dateisystems, blockiert
werden.
Die Grafik zeigt den modularen Aufbau von Postfix. Hierbei bedeuten:
Postfix bietet zudem einige Mechanismen, empfangende, möglicherweise ressourcenschwache Mailsysteme zu schützen. Der Autor bezeichnet
sein Mailsystem als "guten Nachbarn", der auch langsame Systeme nicht in Bedrängnis bringt.
Postfix befindet sich derzeit immer noch in der Entwicklungsphase. So findet man auf den verschiedenen FTP-Servern verschiedene Versionen:
die offiziellen und die experimentellen Releases (Snapshots). Operative Mailsysteme sollten nur eine offizielle Release verwenden, auch wenn
die Snapshots nach Aussagen des Autors stabil laufen. Nach dem Auspacken sollte ein einfaches make genügen, um Postfix zu compilieren.
Sollte Postfix bereits vorher für ein anderes Betriebssystem übersetzt worden sein, etwa in einem heterogenen Netz mit verschiedenen Unix-
Systemen (siehe Kasten "Postfix-Plattformen"), löscht make tidy alle betriebssystemspezifischen Einstellungen.
ach dem Übersetzen folgt etwas Handarbeit. Bei Ersetzen eines bestehenden Mailsystems (etwa Sendmail), empfiehlt sich das Anlegen einer
Sicherheitskopie der bestehenden Programme. Ein Beispiel:
mv /usr/sbin/sendmail /usr/sbin/sendmail.OFF
mv /usr/bin/newaliases /usr/bin/newaliases.OFF
mv /usr/bin/mailq /usr/bin/mailq.OFF
chmod 755 /usr/sbin/sendmail.OFF /usr/bin/newaliases.OFF
/usr/bin/mailq.OFF
Da Postfix nicht als "root" laufen sollte, ist es sinnvoll, einen neuen (virtuellen) Account einzurichten - etwa mit dem Namen "postfix" und ohne
Login Shell:
Postfix verwaltet die Systemmailbox (etwa /var/ mail oder /var/spool/mail) auf zwei mögliche Arten: als systemweit schreibbares Verzeichnis,
oder mittels SGID-Bit. Welche Methode sinnvoller ist, bleibt dem Systemadministrator überlassen. Ein SGID-Bit zu vergeben, ist immer mit
Risiken verbunden. Wenn Postfix mit SETGID installiert wird, führt das Installationsskript folgendes aus:
Das Installationsskript installiert die einzelnen Postfix-Dateien und ermöglicht gleichzeitig, einige Pfade interaktiv zu setzen. Diese werden
gespeichert, um bei einer Neuinstallation nicht alles nochmal eingeben zu müssen.
Postfix-Plattformen
Postfix ist derzeit auf folgende Unix-Systemen erfolgreich getestet:
AIX 3.2.5 AIX 4.1.x AIX 4.2.0
Nun folgt die eigentliche (Laufzeit-) Konfiguration des Postfix-Mailsystems. Die Konfigurationsdateien liegen alle in einem einzigen
Verzeichnis - in der Regel in /etc/postfix. Meistens braucht der System- oder Mailadministrator nicht viel einzustellen. Die Defaulteinstellungen
sind entsprechend gewählt, um ein einfaches Mailsystem abzudecken. Sollte die Installation ein "send-only" Mailsystem sein (etwa auf einem
Client, der über einen dedizierten Mailserver die Mails verschickt), kann Postfix einfach ohne weitere Konfigurierung gestartet werden.
Allenfalls kann man in der Datei main.cf den Eintrag "smtp" auskommentieren. So verbietet man eine Verbindung von außen per inetd/smtp auf
den Rechner.
Aber auch die Konfiguration eines "echten" Mailservers sollte keine Schwierigkeiten bereiten. Lediglich folgende Einträge in der Datei /etc/
postfix/main.cf sind bei Bedarf anzupassen, darunter in jedem Fall die eigene Domain:
myhostname = mail.softbaer.de
inet_interfaces = $myhostname
mydestination = $myhostname
mydomain = softbaer.de
myorigin = $mydomain
Setzt man diese Werte nicht explizit, ermittelt Postfix die Werte durch Systemaufrufe - etwa den Hostnamen durch gethostname(2). Die
Variable "myorigin" setzt den rechten Teil der Absenderadresse (longariva@MYORIGIN) der Mails. Setzt man "myorigin" nicht, setzt Postfix
den Hostname als Absenderadresse, etwa longariva@mail.softbaer.de. Meistens ist die Form longariva@softbaer.deaerwünscht. Vorausgesetzt
der MX-Eintrag im Nameserver ist richtig gesetzt, kann man dies durch
myorigin = $mydomain
erreichen. Die Datei /etc/postfix/main.cf sowie die im gleichen Verzeichnis liegenden Beispieldateien für weitere Konfigurationen sind ziemlich
gut kommentiert - damit sollten eventuell notwendige Feineinstellungen ohne weiteres möglich sein. Bleibt noch anzumerken, daß jede
zugewiesene Variable an beliebiger anderer Stelle der Konfigurationsdatei wieder verwendet werden kann:
mydomain = domaene.de
myorigin = $mydomain
relay_domains = $mydomain
Falls doch das eine oder andere Feintuning notwendig sein sollte, kann man sich auf die beiden zentralen Dateien main.cf und master.cf (siehe
Kasten "master.cf") beschränken. Erstere wurde bereits besprochen, letztere dient dem Steuern der Ressourcen, die Postfix verbraucht. Hier
kann unter anderem angegeben werden, wieviele Prozesse maximal gleichzeitig laufen dürfen.
Gestartet wird Postfix auf zweierlei Art: einmal so, wie der gute alte sendmail mit
oder durch
postfix start
Dadurch daß der "alte" Aufruf funktioniert, brauchen eventuell vorhandene rc- (BSD) oder init.d- (SystemV) Skripte nicht angepaßt werden.
Beim ersten Aufruf legt das Postfix-Startup-Skript einige Dateien und Verzeichnisse an. Dies sollte keine Probleme bereiten, sollte aber wie
bereits erwähnt nur beim ersten Start erfolgen. Sollten im laufenden Betrieb Änderungen in den Konfigurationsdateien gemacht werden, genügt
das Kommando
postfix reload
Um die Sicherheit von postfix noch etwas zu erhöhen ist es möglich, die einzelnen Postfix-Dämonen in einer "chroot"-Umgebung laufen zu
lassen. Beispiele dazu liegen in examples/chroot-setup des Sourcebaumes.
Datei master.cf
# ====================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (50)
# ====================================================================
. . .
smtp inet n - - - 5 smtpd
pickup fifo n n - 60 1 pickup
cleanup unix - - - - 0 cleanup
qmgr fifo n - - 300 1 qmgr
Postfix im Einsatz
Auch im laufenden Betrieb ist Postfix pflegeleicht. Die wenigen für den Mailadministrator relevanten Kommandozeilen-Utilities sind folgende:
Das Kommando postfix dient zum Steuern des gesamten Systems. Damit kann der Administrator das Mailsystem starten oder herunterfahren,
die Konfiguration neu laden, ohne das Mailsystem ganz runterfahren zu müssen. oder ähnliches. Dieses Kommando ist dem Superuser
vorbehalten.
ähnlich Sendmails Kommando newaliases ist postalias für die Mail-Aliases zuständig
postdrop wird auf solchen Systemen verwendet, die kein für alle schreibbares Verzeichnis für die "maildrop"-Queue haben. postdrop wird vom
Kommando sendmail ausgeführt.
postlock stellt ein Postfix-kompatibles Mailbox-Locking zur Verfügung, etwa für Shellskripts.
postlog stellt für externe Programme oder Shellskripts eine Postfix-kompatible Logging-Funktion bereit.
postmap stellt in etwa dieselbe Funktion wie makemap zur Verfügung und generiert die Lookup-Tabellen, je nach System als hash (db) oder
dbm.
postsuper ist das Tool, das die Mails in den verschiedenen Queues verschiebt. Das Postfix-Startskript führt dieses Kommando aus.
Wer den alten Sendmail gewöhnt ist, kann auch gewohnte Kommandos wie
sendmail -q
sendmail -bp
zum Anzeigen der Mail-Queue verwenden. Außer sendmail -v sollten alle gewohnten Befehle funktionieren. Dies erleichtert den Umstieg von
Sendmail auf Postfix ungemein.
Virtuelle Domains
Postfix kann auch mit "virtual domains" umgehen. Das ist vor allem für Internet Service Provider interessant. Anstatt für jede Domäne einen
eigenen Mailserver aufzubauen, kann Postfix das genauso wie Sendmail oder Qmail übernehmen. Wer das schon einmal unter Sendmail
konfiguriert hat, wird erstaunt sein, wie einfach es ist. Am besten verwendet man dazu die leere Datei /etc/postfix/virtual aus den Beispielen.
Die Einträge sollen in etwa folgendermaßen aussehen:
info@mein-zahnarzt.net info@softbaer.de
In der ersten Zeile wird die Domäne ohne Mailadresse angegeben. Der rechte Teil spielt hier keine Rolle - als Tipp: eine kurze Erklärung zur
Domäne kann ganz hilfreich sein. Darauf folgen die EMail-Adressen, die Postfix annehmen soll. Im rechten Teil stehen die (existierenden)
Benutzeraccounts oder externe EMail-Adressen, an die Postfix die Mail weiterleiten soll. Postfix akzeptiert nur die hier eingetragenen Adressen.
In /etc/postfix/main.cf muß man die Datei noch bekannt machen, je nach installiertem System mit db- oder dbm-Hashes:
#virtual_maps = dbm:/etc/postfix/virtual
virtual_maps = hash:/etc/postfix/virtual
Nach einer Änderung in der Datei sollte der Administrator nicht vergessen, postmap /etc/postfix/virtual aufzurufen, um die Hashtabelle für
Postfix zu generieren. Sollten Hosts über eine Dialin-Verbindung die Mails an den Mailserver abschicken, kann es not- wendig sein, die
Domäne des Providers, über den der Dialin erfolgt, zusätzlich als akzeptierte Relay-Domain einzutragen:
Verschickt nämlich jemand von einem solchen Host aus eine Mail - zwar mit korrekter Absenderadresse - an jemanden außerhalb einer von
Postfix verwalteten Domain, wird diese Mail nicht akzeptiert, weil Postfix die Domäne des Hosts überprüft.
Die meisten Provider bieten keine feste IP-Adresse für ihre Kunden; damit erscheinen die Dialin-Hosts unter der Domäne des Providers. Es
sollten hier wirklich nur die allernotwendigsten Domänen oder Hosts eingetragen wer- den! Abhilfe könnte hier das weiter unten erläuterte
"POP before SMTP" bieten.
Auf die Einträge in den DNS-Server soll hier nicht weiter eingegangen werden. Natürlich hat es keinen Sinn, virtuelle Domänen einzurichten,
wenn der entspre- chende MX-Eintrag nicht auf den Postfix-Server zeigt.
Generell ist es keine gute Idee, jedem Host zu erlauben, Mails auf dem Server abzulegen und weiterzuschicken. Genau dies benutzen nämlich
die Mail-Spammer, um ihre Mails zu verteilen: auf einem schlecht administrierten Mailserver werden Mails abgelegt. Der sichtbare Absender
einer solchen Mail ist in der Regel eine nichtexistierende Adresse (das SMTP Protokoll sieht hier keine Überprüfungsmechanismen vor), und
der oder die Empfänger sind real existierende Adressen. Die Mails werden zugestellt, und der Empfänger hat in der Regel keine Chance
festzustellen, woher die Mail tatsächlich kam. Der Absender ist gefälscht; als Absenderhost steht der angegriffene Mailhost im Header.
Lediglich der Rechner, der den Connect zum Mailhost aufgebaut hat, ist im Header ersichtlich. Meistens ist das ein Dialin-Account, der
einmalig für solche Aktionen verwendet und danach nie wieder benutzt wird. Außerdem kann ein "normaler" Benutzer nichts mit den
Informationen eines Mailheaders anfangen. Somit bleiben die Absender weitgehend anonym. Deshalb soll kein Rechner, der über das Internet
erreichbar ist, Mails relayen!
.procmailrc
VERBOSE=off
LOGABSTRACT=none
MAILHOME=$HOME/Mail
FRIENDS=$MAILHOME/friends
SPAM=$MAILHOME/spam
WORK=$MAILHOME/work
LISTS=$MAILHOME/lists
:0
* ^From.*bnreimer@(office\.|)softbaer\.de.*
$FRIENDS
:0
* ^(To|Cc).*info@softbaer\.de.*
$WORK
:0
* ^(From|To|Cc).*BUGTRAQ@SECURITYFOCUS.COM.*
$LISTS
:0
* ^Subject: .*FREE .*
$SPAM
Eine Möglichkeit um auftretende Probleme zu lösen - man will ja schließlich nicht wirklich jedem den Zugang verwehren - ist das so genannte
POP before SMTP. SMTP bietet per se keine Authentifizierungsmöglichkeit. Es gibt zwar einige Erweiterungen des SMTP-Protokolls; diese
muß aber auch der sendende Client unterstützen. Deshalb wird oft folgender einfacher Trick angewandt: Der Client (oder besser: der Benutzer)
loggt sich in den POP-Server ein und holt seine Mails ab. Dazu muß er sich Login und Paßwort authentifizieren. Nun kann man den POP Server
"aufbohren" und ihn anweisen, den gerade eben authentifizierten Host in eine Tabelle einzutragen. Beim Versenden von Mails schaut Postfix in
dieser Tabelle nach und gestattet das Weitersenden von Mails von eben diesem Host. Nach einer gewissen Zeit löscht Postfix die Einträge
wieder.
Das Paket DRAC (Dynamic Relay Authorization Control Daemon, [6]) wurde ursprünglich für Sendmail entwickelt. Es besteht aus einem Patch
für den weit verbreiteten (freien) POP-Daemon qpopper [7] von Qualcomm und einem Dämon. Der Patch bewirkt, daß qpopper sich nach
erfolgreicher Authentifizierung an den dracd verbindet und diesem die aktuelle Adresse des Rechners mitteilt. Der dracd schreibt diese dann in
eine bestimmte Datei, die Postfix ausliest.
smtpd_recipient_restrictions = permit_mynetworks \
check_client_access hash:/etc/postfix/client_access \
check_relay_domains
Auch hier ist zu beachten, ob man Hashes in db- oder dbm-Form verwendet. Den dracd muß man natürlich auch entsprechend konfigurieren.
Generell sollte man möglichst wenig Rechnern Zugriff gestatten; nicht nur um sich und seine Benutzer zu schützen, sondern auch um dem
Phänomen SPAM entgegenzuwirken, das täglich Millionen von Dollar an Kosten verursacht - irgendjemand muß ja für das Datenaufkommen
zahlen!
Postfix-Erweiterungen
Wegen des modularen Aufbaus von Postfix läßt sich das Paket sehr leicht erweitern. Es ist beispielsweise sehr leicht möglich, einen
Virenscanner für einkommende Mails in Postfix einzubauen. Dazu kann es ein externes Programm an zwei Stellen aufrufen: entweder gleich
beim Eintreffen der Mail, bevor die Mail in die Postfix-Queue übernommen wird, oder sobald die Mail in die Systemmailbox geschrieben wird
- also wenn die Mail die Postfix-Queue wieder verläßt. In /etc/postfix/main.cf ist dazu ein lokales Mailverteilprogramm aufzurufen:
mailbox_command = /local/bin/viruscheck
Man sollte nicht vergessen, die Mail nach dem Check auch wirklich in die Mailbox zu schreiben, etwa mit Procmail [8]. Das Verwenden von
Procmail hat übrigens den Vorteil, daß eventuell von den Benutzern definierte Filter automatisch verwendet werden. Das heißt, daß eine
möglicherweise vorhandene .procmailrc im Home-Verzeichnis eines Benutzers automatisch verwendet wird, ohne daß der Benutzer die Mails
mittels .forward an Procmail weiterleitet (siehe Kasten .procmailrc). Natürlich ist das nur ein sehr allgemeines Beispiel, das auf keinen Fall die
Funktion von procmail erklären kann. Es zeigt aber, wie die Regeln auf einfachen regulären Ausdrücken basieren - damit sollte jeder, der etwas
Perl, sed, awk oder grep>beherrscht, zurechtkommen. Lesen der Man-Pages von Procmail (procmail(1), procmailrc(5), procmailsc(5),
procmailex(5)) hilft in jedem Fall weiter.
● Unix ist mit einem Anteil von 65% das meistgebräuchliche Betriebssystem; etwa 22% der Hosts sind Windows, und bei zirka 8% ist
keine eindeutige Aussage möglich.
● Sendmail, Inc. spricht auf seiner Webseite von einem Marktanteil von "über 75 Prozent", diese Zahl ist aber schon ein paar Jahre alt.
● die meisten gefundenen Sendmail-Versionen sind bekanntermaßen fehlerhaft; in einigen Fällen kann man sich hierüber unautorisierten
Zugriff verschaffen. Die wenigsten Server haben eine aktuelle Sendmail-Version. Offenbar nehmen die meisten Sendmail-Nutzer, was
gerade auf einem System installiert ist.
Die Möglichkeiten, externe Programme in Postfix einzubinden, sind sehr vielfältig. Beispielsweise könnte der Administrator eine automatische
Ver/Entschlüsselung von Mails vom Firmensitz zu einer Außenstelle implementieren, damit sie "unterwegs" nicht lesûar sind. Außerdem kann
ein SPAM-Filter an zentraler Stelle eingebaut werden. Ein solcher ist wesentlich einfacher zu verwalten als Procmail-Filter für jeden einzelnen
Benutzer. Der Fantasie der Mailadministratoren sind (fast) keine Grenzen gesetzt. (hmi)
Infos
Der Autor
Gregor Longariva studierte Informatik an der Uni Erlangen. Während des Studiums gründete er die Firma SOFTbaer, die sich in erster Linie
mit dem Thema Sicherheit und Netzwerkadministration auf Unix-Basis beschäftigt. Nebenbei ist er noch als Administrator des CIP-Pools der
Informatik an der Uni Erlangen tätig und beschäftigt sich neben HPUX und Irix vor allem mit Solaris und Linux.
Linux Journal Home > Magazine > #78 October 2000 > Using
Postfix for Secure SMTP Gateways
Wednesday, September 13, 2000 | Last Updated 04:35:09 PM
E-mail is easily the most popular and important Internet service today, which has
made it a popular target of cyber-criminals and spam-happy miscreants. Adding to
the problem is the inescapable reality that configuring sendmail, the most
commonly used Mail Transfer Agent (MTA), is complicated, nonintuitive and
easy to get wrong.
This article is intended to bring you up to speed quickly on how to use postfix on
your network as a secure means of receiving e-mail from and delivering it to
Internet hosts. In particular we'll focus on deploying postfix on firewalls, in DMZs
and in other settings in which it will be exposed to contact with untrusted systems.
Is sendmail really that bad? That depends on what you need it to do--the learning
curve may not be justified if your e-mail architecture is simple. But sendmail is
unquestionably an extremely powerful, stable and widely deployed application
that isn't going away anytime soon, nor should it. In fact, The Paranoid Penguin
will probably feature a sendmail article some time in the next few months.
Both sendmail and postfix are Mail Transfer Agents. MTAs move e-mail from one
host or network to another. These are in contrast to Mail Delivery Agents, which
move mail within a system (i.e., from an MTA to a local user's mailbox, or from a
mailbox to a file or directory). In other words, MTAs are like the mail trucks (and
airplanes, trains, etc.) that move mail between post offices; Mail Delivery Agents
are like the letter-carriers who distribute the mail to their destination mail boxes.
In addition to MTAs and MDAs, there are also various kinds of e-mail readers,
including POP, POP3, and IMAP clients for retrieving e-mail from remote
systems. These are also known as Mail User Agents, or MUAs. (There is no real-
life simile for these, unless your mail is handed to you each day by a minion
whose sole duty is to check your mail box now and then!) But we're not concerned
with these or with MDAs, except to mention how they relate to MTAs.
By the way, if you still use UUCP, it's supported in postfix (and continues to be in
sendmail, too); most MTAs support a variety of delivery ``agents'', almost always
UUCP and SMTP at the very least. Still, for the remainder of this article we'll
assume you're interested in using postfix for SMTP (Simple Mail Transfer
Protocol) transfers.
One very common use of SMTP, especially in organizations which use other e-
mail protocols internally, is on an Internet e-mail gateway. Since SMTP is the
lingua franca for Internet e-mail, there must be at least one SMTP host on any
network that needs to exchange e-mail over the Internet. In such a network, the
SMTP gateway acts as a liason between non-SMTP mail servers on the inside and
SMTP hosts on the outside.
This ``liason'' functionality in and of itself isn't as important as it once was; the
current versions of Microsoft Exchange, Lotus Notes, and many other non-SMTP-
based e-mail server products have no problem communicating with SMTP servers
directly. But there are still reasons to have all inbound (and even outbound) e-mail
arrive at a single point, the chief reason being security.
There are two main security benefits to using an SMTP gateway. First, it's much
easier to secure a single SMTP gateway from external threats than it is to secure
multiple internal e-mail servers. Second, separating Internet mail from internal
mail allows one to move Internet mail transactions off the internal network
entirely. The logical place for an SMTP gateway is in a DMZ (``Demilitarized
Zone'') network, separated from both the Internet and the internal network by a
firewall.
As with DNS, FTP, WWW and any other publicly accessible service, the more
protection you can place between potential hackertargets and your internal
network, the better. Adding an extra NIC to your firewall, keeping public services
in a separate network, is one of the cheapest and most effective ways of doing
this--as long as you configure the firewall to carefully restrict traffic to/from the
DMZ). It's also good risk management; in the (hopefully) unlikely event that your
web server, for example, is compromised, it won't become nearly as convenient a
launch pad for attacks on the rest of your network.
(For additional information on the DMZ technique of firewalling, see the article
Securing DNS and BIND, page 92 of this issue.)
Thus, even organizations with only one e-mail server should still consider adding
an SMTP gateway, even if that e-mail server already has SMTP functionality.
But what if your firewall is your FTP server, e-mail server, etc.? Although the use
of firewalls for any service hosting is scowled upon by the truly paranoid, this is
common practice for very small networks (e.g., home users with broadband
Internet connections). And, in this foul-weather paranoiac's opinion, BIND and
postfix pose much less of an exposure for a firewall than other service
applications.
For starters, DNS and SMTP potentially involve less direct contact between
untrusted users and the server's file system. (I say ``potentially'' because it's
certainly possible, with badly written or sloppily configured software, to create
extremely insecure DNS and SMTP services.) In addition, both BIND and postfix
have ``chroot'' options and run as unprivileged users, two features that help reduce
the danger of either service being used to somehow gain root access (we'll discuss
both of these options in depth shortly.)
To understand how postfix works, it's useful to consider its background. The main
purpose for postfix's existence is sendmail's complexity. Postfix is a full-featured
MTA, and therefore its core functions are the same as any other's. But postfix was
written with unusual attention to:
http://www.subneural.net/postfix-master/linuxjournal.200010/index.html (3 of 11)01/16/2005 15:48:12
Linux Journal
A key contributor to the stability and the speed of postfix is the intelligent way in
which it queues mail. Postfix uses four different queues, each one of which is
handled differently (see Figure 1):
And now the part you've been waiting for (or have skipped directly to): postfix
setup. Like sendmail, postfix uses a ``.cf'' text file as its primary configuration file
called main.cf. However, ``.cf'' files in postfix use a simple ``parameter=
$value'' syntax. What's more, these files are extremely well commented and use
highly descriptive variable names.
In fact, if your e-mail needs are simple enough, it's probably possible for you to
figure out much of what you need to know by editing main.cf and reading its
comments as you go.
For many users, this is all one needs to do to configure postfix on an SMTP
gateway:
1. Install postfix from a binary package via your local package tool (rpm, etc.)
or by compiling from source and running postfix's INSTALL.sh script.
2. Open /etc/postfix/main.cf with the text editor of your choice.
3. Uncomment and set the parameter myhostname to equal your server's
fully qualified domain name (FQDN), e.g., ``myhostname = buford.
dogpeople.org''.
4. Uncomment and set the parameter mydestination as follows,
assuming this is the e-mail gateway for one's entire domain:
editing and/or adding aliases, save the file and enter the command
newaliases to convert it into a hash database.
3. Execute the command postfix start.
What did we just achieve? In only four steps, we installed, configured and started
SMTP services for our machine and its local name-domain. If this machine is a
firewall or an SMTP gateway on a firewall's DMZ network, it can now be used by
local users to route outbound e-mail, and can be pointed to by our domain's ``MX''
DNS record (i.e., it can be advertised to the outside world as a mail server for e-
mail addressed to our domain). We've also told it to directly process (rather than
forward) mail addressed to local hosts. Pretty good return on the investment of
about five minutes' worth of typing, no?
(NOTE: While this may be enough to get postfix working, it is not enough to
secure it. Don't stop reading yet!)
As cool as that was, it may not have been enough to get postfix to do what needs
to be done for your network. And even if it was, it behooves you to dig a little
deeper: ignorance nearly always leads to bad security. Let's take a closer look at
what we just did, and then move on to even niftier postfix tricks.
First, why did so little information need to be entered in main.cf? The only thing
we added to it was our fully qualified domain name. In fact, depending on how
your machine is configured, it may not have even been necessary to supply that!
You may need to add additional names to mydestination if your server has
more than one FQDN (that is, multiple ``A'' records in your domain's DNS). For
example, if your SMTP gateway doubles as your public FTP server, and thus has
the name ``ftp'' associated with it in addition to its normal host name, your
mydestination declaration might look something like this:
It's important that any name by which your server can be legitimately referred to
http://www.subneural.net/postfix-master/linuxjournal.200010/index.html (6 of 11)01/16/2005 15:48:12
Linux Journal
There were two other interesting things we did in the ``quick and dirty'' procedure.
One was to start postfix with the command postfix start. Just as BIND uses
ndc to control the various processes that comprise BIND, the postfix
command can be used to manage postfix. Like BIND, postfix is actually a suite of
commands, dæmons and scripts rather than a single monolithic program.
The other thing we did was to add a line to /etc/aliases to divert root's e-mail to an
unprivileged account. This is good healthy paranoia: we don't want to have to log
in as the superuser for mundane activities such as viewing system reports, which
are sometimes e-mailed to root. Be careful, however: if your unprivileged account
uses a ``.forward'' file to forward your mail to some other system, you may wind
up sending administrative messages over public bandwidth in clear text!
Aliases Revealed
As alluded to in the quick and dirty procedure, aliases are also useful for mapping
e-mail addresses for users who don't actually have accounts on the SMTP
gateway. This practice has two main benefits. First, most users prefer meaningful
e-mail names and short host /domain names, e.g., ``john.smith@acme.com'' rather
than ``jsmith023@mail77.midwest.acme.com''. Second, you probably don't want
your users connecting to and storing mail on a publicly accessible server. Again,
common sense tells us that any server the unwashed masses can commune with
must be kept at arm's length. The greater the separation between public servers
and private servers, the better. (And don't forget, POPmail passwords are
transmitted in clear text!)
Still another use of aliases is the maintenance of mailing lists. An alias can
point to not only an address or comma-separated list of addresses, but also to a
mailing list. This is achieved with the :include:tag--without this, postfix will
append mail to the file specified rather than using the file to obtain recipients.
(This is a feature, not a bug; it's useful sometimes to write certain types of
messages to a text file rather than to a mailbox.)
Here's part of an example alias file that contains all of these types of mappings:
postmaster: root<\n>
mailer-daemon: root
hostmaster: root
root: bdewinter
mailguys: bdewinter,mick.bauer
mick.bauer: mbauer@biscuit.stpaul.dogpeople.org
clients: :include:/etc/postfix/clientlist.txt
spam-reports: /home/bdewinter/spambucket.txt
One warning: if an alias points to a different mail server, that server must belong
to a domain for which the SMTP gateway is configured to relay mail (i.e., either
that server's FQDN or its domain must be listed in the mydestination
declaration in main.cf).
Don't forget to run either newaliases or, hipper still, postalias /etc/
aliases anytime you edit aliases. The postalias command is hipper because
it can accept any correctly formatted alias file as its input. Both commands
compress the alias file into a database file that can be searched repeatedly and
rapidly each time a destination address is parsed; neither postfix nor sendmail
directly use the text version of aliases.
If you have a large number of users and/or internal mail servers, alias-file updates
lend themselves to automation, especially via Secure Shell (ssh) and Secure Copy
(scp). Using scp with null-passphrase RSA (or DSS/El Gamal) keys, your internal
mail servers can periodically copy their local alias files to the SMTP gateway,
which can then merge them into a new /etc/aliases followed by postalias /
etc/aliases. (Unfortunately, telling you exactly how to use scp/ssh is beyond
the scope of this article.) This practice is especially useful in large organizations
where different people control different mail servers: day-to-day e-mail account
administration can be kept decentralized.
Junk mail is one of the most common and annoying types of e-mail abuse. Postfix
offers protection against UCE (Unsolicited Commercial E-mail) via a couple of
settings in main.cf. Some caution is in order, however: there's a fine line between
spam and legitimate dissemination, and it's entirely possible that even modest
UCE controls will cause some legitimate (i.e., desired) mail to be dropped.
Having said that, for most sites this is an acceptable risk (avoidable, too, through
end-user education), and we recommend that at a minimum, you set the following
in main.cf:
http://www.subneural.net/postfix-master/linuxjournal.200010/index.html (8 of 11)01/16/2005 15:48:12
Linux Journal
Now we come to one of the groovier things we can do to secure postfix: running it
in a ``chroot jail''. chroot is a UNIX command that confines the ``chrooted''
process to a specified directory; that directory becomes ``/'' for that process. This
usually requires you to first create copies of things needed by the process but
http://www.subneural.net/postfix-master/linuxjournal.200010/index.html (9 of 11)01/16/2005 15:48:12
Linux Journal
normally kept elsewhere. For example, if the process looks for ``/etc/mydaemon.
conf'' upon startup but is being chrooted to ``/var/mydaemon'', the process will
actually look for ``/var/mydaemon/etc/mydaemon.conf''.
Better still, some binary distributions of postfix have installation scripts that
automatically make these preparations for you after installing postfix. In SuSE, for
example, the postfix RPM package runs a script that creates a complete directory
tree for postfix to use when chrooted (etc, usr, lib, and so forth) in /var/spool/
postfix, with the appropriate ownerships and permissions.
After configuring the chroot jail and editing master.cf, all you need to do is start
postfix the way you normally would: postfix start. Postfix's master process
handles the actual chroot-ing.
Conclusion
That's more than enough information to get you started. May your mail arrive
promptly and the spamming filth stay out!
Resources
Root
Current
Archives IBM's Secure Mailer
Downloads
Solaris Corner Kyle Dent
LINUX Rookery
Wietse Venema, probably best known as the developer of SATAN and the TCP Wrapper security tools,
Tool Showcase
has now created Secure Mailer. In December of 1998, IBM released Secure Mailer as open source
Q&A software providing a new, freely available alternative to the nearly universal Sendmail program. The
Resources program, more commonly known in open-source circles as Postfix, attempts to be fast, easy to
Newsletters administer, and secure. One of the primary goals of Postfix is to be widely implemented in order to make
Marketing opps the most significant impact on the performance and security of Internet email overall.
Sendmail by some estimates handles nearly three-quarters of all email on the Internet, but it has had a
bit of a checkered past with a history of security problems. A scan through the CERT Advisories quickly
turned up more than a dozen Sendmail incidents. Although Sendmail developers have made a lot of
progress in bringing it up to date for an environment that was unimaginable when it was originally
created, Postfix offers a solid alternative that is inherently more secure.
In addition to tighter security, Postfix offers several advantages over Sendmail while maintaining a high
level of compatibility with it. The Postfix Web site claims that it is up to three times faster than its nearest
competitor. (There are several other Sendmail alternatives, such as qmail and various commercial
packages.) It is designed to be robust and behave well under stress. For example, runaway conditions
that might occur during error handling are diminished because the software pauses before sending error
messages or terminating with a fatal error. It operates under a "no thundering herd" policy when
delivering mail to other hosts. Initially, Postfix will make only two simultaneous connections. If the
deliveries succeed, Postfix will slowly increase connections up to a configurable limit. It will also detect
whether the receiving host can no longer handle the load and decrease the number of connections.
In processing its own queue, Postfix implements a few other policies to make it a well-behaved software
package. The queue manager sorts messages by destination and processes deliveries in a round-robin
fashion to hit all destinations in the queue. Postfix will only make simultaneous deliveries to the same
host when it does not have messages for other destinations waiting. If a message cannot be delivered,
the queue manager marks it with a time stamp. With each repeated delivery failure, Postfix will wait
longer each time before wasting resources trying to deliver a message to a host that is not available.
The queue manager also maintains a short-term list of unreachable destinations.
Postfix is designed to be compatible with Sendmail to make migration easier, and to make the change
transparent to users. In fact, you can continue to use Sendmail in conjunction with Postfix, allowing the
new mailer to replace specific mail functions as needed. Postfix continues support for /etc/aliases and
delivery to any of the standard mail directories as well as to a specified file or command. It also respects
user.lock files and will obey $HOME/.forward directives. Basically all the aspects of Sendmail are
present except one significant one -- sendmail.cf.
Sendmail makes extensive use of rewriting rules to ensure that addresses are in the correct form and to
select the correct mail delivery agent for a message site. Administrators can also use them to customize
delivery for their networks. The Postfix Web pages say that there is not yet support for rewriting rules;
rather, Postfix uses a rewriting table. In my opinion, Postfix should display this fact as its most prominent
feature and not suggest support for any rewriting rules in the future. Only a handful of sites would ever
need the full power of Sendmail's rewriting rules, and even fewer systems administrators understand the
black art of rewriting rules well enough to make reasonable modifications. If you do in fact modify
Sendmail rewriting rules, Postfix is probably not an option for you. However, you should look at the
address mapping table feature to see whether it can support your requirements.
Defensive Mailing
Overall, Postfix is written to be a highly secure network application. It employs multiple layers of
defense. All of its processes run at a fixed low privilege, and most can be run within a chrooted
environment. Sendmail is the classic monolithic program, and it runs with root privilege. These two facts
are largely the reason for the severity of Sendmail's security problems. If a vulnerability is discovered,
the possibility that it will allow root access is high.
It is quite possible that Postfix has security bugs, but because of its design, whatever vulnerabilities
might exist will be very limited and possibly not even exploitable over a network. Its modularity provides
flexibility and also security. There are various processes that perform specific tasks. There is a separate
process to send mail and receive mail and to deliver mail locally. Systems only run the processes they
need. If a process is not running, it is necessarily not vulnerable. Another side effect is that each
process is insulated, so that, for example, the local delivery agent has no communication with the
network. If a vulnerability is discovered within local delivery, it cannot be exploited from outside that host.
Some additional security aspects are that Postfix programs do not run under a user process, thereby
eliminating exploits that involve signals, open files, the environment, and other process attributes that
might be passed from a parent to a child. Postfix relies on the security notion of trust or lack of it. Postfix
processes do not even trust each other. Contents of queue files or IPC messages might have been
tampered with; therefore, each process tries to use only its own information in taking security-sensitive
actions.
Some other security lessons learned from Sendmail (among others) and incorporated into Postfix are
that there are no setuid programs, no /tmp race conditions, no remote data in shell variables or shell
commands, and no fixed-length string buffers. Memory is allocated dynamically for buffers and strings,
and long lines of messages are broken up into sequences that are reconstructed upon delivery.
Installing Postfix
After you have downloaded Postfix, it is a simple matter to uncompress the bundle and compile it. On
my system, I had to add one option for the compiler, which was easily accomplished by editing a
straightforward make file. The INSTALL file that comes with the distribution lists supported systems.
The normal UNIX platforms are all there. For most systems, compilation should be as simple as going to
the top-level directory and typing make. In my case compilation was less than a minute, and after I
corrected the makefile, reported no errors.
2. Send and receive mail via a virtual host interface, without changing an existing Sendmail installation.
I opted for the third choice. Documentation is available on the Postfix Web site and also comes with the
distribution as HTML files and man pages. The INSTALL file provides instructions for installing Postfix
after compilation is complete.
You will need root access on the machine where you are installing the package. As root, create a
directory for Postfix.
# mkdir /etc/postfix
Then execute the following commands from the Postfix source directory:
This will create the configuration directory for Postfix. The path /etc/postfix is hardcoded but can be
overridden by setting an environment variable MAIL_CONFIG.
# mkdir /var/spool/postfix
# chmod 755 /var/spool/postfix
Finally, you will need both a commands directory and a daemons directory. These paths are
configurable in /etc/postfix/main.cf. You can place them anywhere that makes sense for your system. I
chose the recommended /usr/sbin for commands and /usr/lib/postfix for daemons. If you are replacing
an existing Sendmail installation, you will want to rename the Sendmail program, because the Postfix
distribution includes a binary called Sendmail. After moving your Sendmail program out of the way (e.g.,
mv /usr/lib/sendmail /usr/lib/sendmail.orig) execute the following from the Postfix source directory:
# cp bin/* /usr/sbin
# mkdir /usr/lib/postfix
# cp libexec/* /usr/lib/postfix
You can copy the included man pages into place or adjust your MANPATH environment variable as
necessary.
Now, you need to replace the previous Sendmail installation. First, you will need to move mailq and
newaliases so that Postfix can assume their functions. Assuming your programs are in /usr/bin,
execute the following:
# mv /usr/bin/mailq /usr/bin/mailq.orig
# mv /usr/bin/newaliases /usr/bin/newaliases.orig
# chmod 755 /usr/bin/newaliases.orig /usr/bin/mailq.orig
# ln -s /usr/sbin/sendmail /usr/bin/mailq
# ln -s /usr/sbin/sendmail /usr/bin/newaliases
Create an account that will own the Postfix queue and most of its processes. The account should be set
up so that no one can log in using the userid, and it should not have a shell. Use your normal tools to
create the account. The /etc/passwd entry should resemble the following:
postfix:*:45128:45128:Postfix Mailer:/dev/null:/dev/null
Next, there are certain mandatory configuration options to set, and you can set any others as
appropriate for your system. Postfix parameters work like environment variables. Edit the file /etc/
postfix/main.cf. The default file is well documented. If you are following the above installation, set each
of the following as shown:
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
mail_owner = postfix
For myhostname and mydomain name, use your own host and domain names, but be sure to set
them because they are used as the defaults for other configuration options. Also, be sure to select
(uncomment) the correct mydestination line from the default configuration file.
You can get more configuration information from the online documentation or from the HTML directory
in the Postfix source directory. You should certainly familiarize yourself with most of the configuration
options to decide which settings are important for your environment.
In addition to configuration changes, you have the option of running most of the Postfix processes within
a chrooted environment. This is an excellent security measure that will add another layer of protection
from someone trying to penetrate your system. The steps for creating a chroot are a bit tricky, and they
vary from platform to platform. Also, the chroot will depend on how your binaries were compiled. The
Postfix distribution does include some help in the examples/chroot-setup directory, but these are a bit
skimpy and probably do not provide all the information you will need. You will have to investigate the
documentation for your system and experiment. From a security point of view, this is well worth the
effort.
There is another security decision you will have to make regarding Postfix's submission mechanism,
that is, the attributes on directories used for mail spooling. Postfix offers two options. The first uses a
world-writable, sticky (1733) directory for messages. Because it is world-writable there is no need to run
any program with special privileges (setuid or setgid), and the mail files themselves are not world-
writable or otherwise accessible to other users.
There is a possibility that a local user could do some small damage. For example, it would be possible
to create a hard link to a mail file so that it is not removed when Postfix deletes it. Or, a local user could
copy or hard link some system file to the directory to try to have it delivered as mail. Postfix does take
steps to prevent this (remember, trust no one), so the likelihood that this would work is significantly
diminished. However, if you have a lot of local users on the mail system, and your own security policies
would not permit world-write permissions, Postfix offers an alternative. You can set the directory
permissions more restrictively (1730) and install an additional program, called postdrop, provided to run
setgid. You will have to create a special group that has no members and set the mail spool directory's
group to the unique group you created. Postfix will automatically run postdrop when it detects that the
spool directory write permission is restricted.
You will need to copy the correct script into place to enable one of the submission modes. On my
system there are many mail accounts, but very few local users (only administrators), so I chose the first
option. From the /etc/postfix directory, type:
# cp postfix-script-nosgid postfix-script
Once you have selected your submission mechanism and you are satisfied with your configuration, you
can start your Postfix daemons:
# postfix start
The first time you start the application, you will see warning messages as it creates its various
directories. If you make any changes to configuration files, you should reload Postfix:
# postfix reload
Although the distribution does not provide an installation script, handling it manually is quite simple and
perhaps provides a better understanding of the program as a whole. In addition to the configuration
discussed above, there are a number of other options that deal with virtual hosting, antispam, resource
controls, and address manipulation.
One issue that might affect your decision in considering a switch to Postfix is that there is not yet any
commercial support for the product. If you now have support from your system vendor, or if you have
contracted with a third party for Sendmail support, you will probably be on your own for the near future if
you run Postfix. On the other hand, Postfix provides a stable and secure mail system that is easy to set
up, yet provides most of the flexibility of Sendmail. It is a new application that has not had much
experience in the real world, but based on its design and initial performance reports, it is an application
that has tremendous promise and is probably worth an investment of some time to investigate its
potential for your site.
References
http://www.alphaworks.ibm.com/
http://www.postfix.org/