postconf man page

postconf — Postfix configuration parameters

Synopsis

postconf parameter ...

postconf -e "parameter=value" ...

Description

The Postfix main.cf configuration file specifies parameters that control the operation of the Postfix mail system. Typically the file contains only a small subset of all parameters; parameters not specified are left at their default values.

The general format of the main.cf file is as follows:

The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the  parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes can impair the operation of the mail system.

2bounce_notice_recipient (default: postmaster)

The recipient of undeliverable mail that cannot be returned to the sender.  This feature is enabled with the notify_classes parameter.

access_map_defer_code (default: 450)

The numerical Postfix SMTP server response code for an access(5) map "defer" action, including "defer_if_permit" or "defer_if_reject". Prior to Postfix 2.6, the response is hard-coded as "450".

Do not change this unless you have a complete understanding of RFC 5321.

This feature is available in Postfix 2.6 and later.

access_map_reject_code (default: 554)

The numerical Postfix SMTP server response code for an access(5) map "reject" action.

Do not change this unless you have a complete understanding of RFC 5321.

address_verify_cache_cleanup_interval (default: 12h)

The amount of time between verify(8) address verification database cleanup runs. This feature requires that the database supports the "delete" and "sequence" operators.  Specify a zero interval to disable database cleanup.

After each database cleanup run, the verify(8) daemon logs the number of entries that were retained and dropped. A cleanup run is logged as "partial" when the daemon terminates early after "postfix reload", "postfix stop", or no requests for $max_idle seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.7.

address_verify_default_transport (default: $default_transport)

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_map (default: see postconf -d output)

Lookup table for persistent address verification status storage.  The table is maintained by the verify(8) service, and is opened before the process releases privileges.

The lookup table is persistent by default (Postfix 2.7 and later). Specify an empty table name to keep the information in volatile memory which is lost after "postfix reload" or "postfix stop". This is the default with Postfix version 2.6 and earlier.

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete (NOT: truncate) the file and do "postfix reload".

Postfix daemon processes do not use root privileges when opening this file (Postfix 2.5 and later).  The file must therefore be stored under a Postfix-owned directory such as the data_directory. As a migration aid, an attempt to open the file under a non-Postfix directory is redirected to the Postfix-owned data_directory, and a warning is logged.

Examples:

address_verify_map = hash:/var/lib/postfix/verify
address_verify_map = btree:/var/lib/postfix/verify

This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)

Enable caching of failed address verification probe results.  When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)

The time after which a failed probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)

The time after which a failed address verification probe needs to be refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_pending_request_limit (default: see postconf -d output)

A safety limit that prevents address verification requests from overwhelming the Postfix queue. By default, the number of pending requests is limited to 1/4 of the active queue maximum size (qmgr_message_active_limit). The queue manager enforces the limit by tempfailing requests that exceed the limit. This affects only unknown addresses and inactive addresses that have expired, because the verify(8) daemon automatically refreshes an active address before it expires.

This feature is available in Postfix 3.1 and later.

address_verify_poll_count (default: normal: 3, overload: 1)

How many times to query the verify(8) service for the completion of an address verification request in progress.

By default, the Postfix SMTP server polls the verify(8) service up to three times under non-overload conditions, and only once when under overload.  With Postfix version 2.5 and earlier, the SMTP server always polls the verify(8) service up to three times by default.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a new address.

Examples:

# Postfix <= 2.6 default
address_verify_poll_count = 3
# Poor man's greylisting
address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)

The time after which a successful probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)

The time after which a successful address verification probe needs to be refreshed.  The address verification status is not updated when the probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_relay_transport (default: $relay_transport)

Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

address_verify_sender (default: $double_bounce_sender)

The sender address to use in address verification probes; prior to Postfix 2.5 the default was "postmaster". To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

address_verify_sender = <>
address_verify_sender = postmaster@my.domain

This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_default_transport_maps (default: $sender_dependent_default_transport_maps)

Overrides the sender_dependent_default_transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.7 and later.

address_verify_sender_dependent_relayhost_maps (default: $sender_dependent_relayhost_maps)

Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

address_verify_sender_ttl (default: 0s)

The time between changes in the time-dependent portion of address verification probe sender addresses. The time-dependent portion is appended to the localpart of the address specified with the address_verify_sender parameter. This feature is ignored when the probe sender addresses is the null sender, i.e. the address_verify_sender value is empty or <>.

Historically, the probe sender address was fixed. This has caused such addresses to end up on spammer mailing lists, and has resulted in wasted network and processing resources.

To enable time-dependent probe sender addresses, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).  Specify a value of at least several hours, to avoid problems with senders that use greylisting. Avoid nice TTL values, to make the result less predictable.  Time units are: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.9 and later.

address_verify_service_name (default: verify)

The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

alias_database (default: see postconf -d output)

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases

alias_maps (default: see postconf -d output)

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details. Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

The default list is system dependent.  On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

Examples:

alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases

allow_mail_to_commands (default: alias, forward)

Restrict local(8) mail delivery to external commands.  The default is to disallow delivery to "|command" in :include:  files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include:  files, respectively.

Example:

allow_mail_to_commands = alias,forward,include

allow_mail_to_files (default: alias, forward)

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include:  files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include:  files, respectively.

Example:

allow_mail_to_files = alias,forward,include

allow_min_user (default: no)

Allow a sender or recipient address to have `-' as the first character.  By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

As of Postfix version 2.5, this feature is implemented by trivial-rewrite(8).  With earlier versions this feature was implemented by qmgr(8) and was limited to recipient addresses only.

allow_percent_hack (default: yes)

Enable the rewriting of the form "user%domain" to "user@domain". This is enabled by default.

Note: as of Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

allow_percent_hack = no

allow_untrusted_routing (default: no)

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off.  This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

alternate_config_directories (default: empty)

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line (in the case of sendmail(1), with the "-C" option), or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix main.cf file, and will be used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

Specify absolute pathnames, separated by comma or space. Note: $name expansion is not supported.

always_add_missing_headers (default: no)

Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present.  Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting.  Earlier Postfix versions always add these headers; this may break DKIM signatures that cover non-existent headers. The undisclosed_recipients_header parameter setting determines whether a To: header will be added.

always_bcc (default: empty)

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: with Postfix 2.3 and later the BCC address is added as if it was specified with NOTIFY=NONE. The sender will not be notified when the BCC address is undeliverable, as long as all down-stream software implements RFC 3461.

Note: with Postfix 2.2 and earlier the sender will be notified when the BCC address is undeliverable.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated after Postfix forwards mail internally, or after Postfix generates mail itself.

anvil_rate_time_unit (default: 60s)

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is available in Postfix version 2.2 and later.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

anvil_status_update_time (default: 600s)

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

append_at_myorigin (default: yes)

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: Postfix >= 3.0: no, Postfix < 3.0: yes)

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "user@partialdomainname" but will have to specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)

How long the postkick(1) command waits for a request to enter the Postfix daemon process input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue.  Access is always granted if the invoking user is the super-user or the $mail_owner user.  Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list.  The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored).  Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue.  Access is always granted if the invoking user is the super-user or the $mail_owner user.  Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list.  The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored).  Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail.  Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list.  The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored).  Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude a user name from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Example:

authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.

authorized_verp_clients (default: $mynetworks)

What remote SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1.  Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it),  "/file/name" or "type:table" patterns.  A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored).  Continue long lines by starting the next line with whitespace. Specify "!pattern" to exclude an address or network block from the list. The form "!/file/name" is supported only in Postfix version 2.4 and later.

Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name".  IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)

Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)

The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables.  Specify a byte count.

This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)

The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables.  Specify a byte count.

This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)

Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains.  By default, the Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

biff (default: yes)

Whether or not to use the local biff service.  This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

For compatibility reasons this feature is on by default.  On systems with lots of interactive users, the biff service can be a performance drain.  Specify "biff = no" in main.cf to disable.

body_checks (default: empty)

Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

body_checks_size_limit (default: 51200)

How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)

The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive.  This feature is enabled with the notify_classes parameter.

bounce_queue_lifetime (default: 5d)

Consider a bounce message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the bounce_queue_lifetime limit.  By default, this limit is the same as for regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)

The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)

The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count.  A message is returned as either message/rfc822 (the complete original) or as text/rfc822-headers (the headers only).  With Postfix version 2.4 and earlier, a message is always returned as message/rfc822 and is truncated when it exceeds the size limit.

Notes:

bounce_template_file (default: empty)

Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

broken_sasl_auth_clients (default: no)

Enable interoperability with remote SMTP clients that implement an obsolete version of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)

What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

canonical_maps (default: empty)

Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname.  The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

Specify zero or more "type:name" lookup tables, separated by whitespace or comma. Tables will be searched in the specified order until a match is found. Note: these lookups are recursive.

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so.  Use "postfix reload" to eliminate the delay.

Note: with Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Examples:

canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical

cleanup_service_name (default: cleanup)

The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

command_directory (default: see postconf -d output)

The location of all postfix administrative commands.

command_execution_directory (default: empty)

The local(8) delivery agent working directory for delivery to external command.  Failure to change directory causes the delivery to be deferred.

The following $name expansions are done on command_execution_directory before the directory is changed. Expansion happens in the context of the delivery request.  The result of $name expansion is filtered with the character set that is specified with the execution_directory_expansion_filter parameter.

$user

The recipient's username.

$shell

The recipient's login shell pathname.

$home

The recipient's home directory.

$recipient

The full recipient address.

$extension

The optional recipient address extension.

$domain

The recipient domain.

$local

The entire recipient localpart.

$recipient_delimiter

The address extension delimiter that was found in the recipient address (Postfix 2.11 and later), or the system-wide recipient address extension delimiter (Postfix 2.10 and earlier).

${name?value}

Expands to value when $name is non-empty.

${name:value}

Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

This feature is available in Postfix 2.2 and later.

command_expansion_filter (default: see postconf -d output)

Restrict the characters that the local(8) delivery agent allows in $name expansions of $mailbox_command and $command_execution_directory. Characters outside the allowed set are replaced by underscores.

command_time_limit (default: 1000s)

Time limit for delivery to external commands. This limit is used by the local(8) delivery agent, and is the default time limit for delivery by the pipe(8) delivery agent.

Note: if you set this time limit to a large value you must update the global ipc_timeout parameter as well.

compatibility_level (default: 0)

A safety net that causes Postfix to run with backwards-compatible default settings after an upgrade to a newer Postfix version.

With backwards compatibility turned on (the main.cf compatibility_level value is less than the Postfix built-in value), Postfix looks for settings that are left at their implicit default value, and logs a message when a backwards-compatible default setting is required.

using backwards-compatible default setting name=value
    to [accept a specific client request]

using backwards-compatible default setting name=value
    to [enable specific Postfix behavior]

See COMPATIBILITY_README for specific message details. If such a message is logged in the context of a legitimate request, the system administrator should make the backwards-compatible setting permanent in main.cf or master.cf, for example:

# postconf name=value
# postfix reload

When no more backwards-compatible settings need to be made permanent, the administrator should turn off backwards compatibility by updating the compatibility_level setting in main.cf:

# postconf compatibility_level=N
# postfix reload

For N specify the number that is logged in your postfix(1) warning message:

warning: To disable backwards compatibility use "postconf
    compatibility_level=N" and "postfix reload"

This feature is available in Postfix 3.0 and later.

config_directory (default: see postconf -d output)

The default location of the Postfix main.cf and master.cf configuration files. This can be overruled via the following mechanisms:

With Postfix command that run with set-gid privileges, a config_directory override requires either root privileges, or it requires that the directory is listed with the alternate_config_directories parameter in the default main.cf file.

confirm_delay_cleared (default: no)

After sending a "your message is delayed" notification, inform the sender when the delay clears up. This can result in a sudden burst of notifications at the end of a prolonged network outage, and is therefore disabled by default.

See also: delay_warning_time.

This feature is available in Postfix 3.0 and later.

connection_cache_protocol_timeout (default: 5s)

Time limit for connection cache connect, send or receive operations.  The time limit is enforced in the client.

This feature is available in Postfix 2.3 and later.

connection_cache_service_name (default: scache)

The name of the scache(8) connection cache service.  This service maintains a limited pool of cached sessions.

This feature is available in Postfix 2.2 and later.

connection_cache_status_update_time (default: 600s)

How frequently the scache(8) server logs usage statistics with connection cache hit and miss rates for logical destinations and for physical endpoints.

connection_cache_ttl_limit (default: 2s)

The maximal time-to-live value that the scache(8) connection cache server allows. Requests that specify a larger TTL will be stored with the maximum allowed TTL. The purpose of this additional control is to protect the infrastructure against careless people. The cache TTL is already bounded by $max_idle.

content_filter (default: empty)

After the message is queued, send the entire message to the specified transport:destination. The transport name specifies the first field of a mail delivery agent definition in master.cf; the syntax of the next-hop destination is described in the manual page of the corresponding delivery agent.  More information about external content filters is in the Postfix FILTER_README file.

Notes:

cyrus_sasl_config_path (default: empty)

Search path for Cyrus SASL application configuration files, currently used only to locate the $smtpd_sasl_path.conf file. Specify zero or more directories separated by a colon character, or an empty value to use Cyrus SASL's built-in search path.

This feature is available in Postfix 2.5 and later when compiled with Cyrus SASL 2.1.22 or later.

daemon_directory (default: see postconf -d output)

The directory with Postfix support programs and daemon programs. These should not be invoked directly by humans. The directory must be owned by root.

daemon_table_open_error_is_fatal (default: no)

How a Postfix daemon process handles errors while opening lookup tables: gradual degradation or immediate termination.

no (default)

Gradual degradation: a daemon process logs a message of type "error" and continues execution with reduced functionality. Features that do not depend on the unavailable table will work normally, while features that depend on the table will result in a type "warning" message.
When the notify_classes parameter value contains the "data" class, the Postfix SMTP server and client will report transcripts of sessions with an error because a table is unavailable.

yes (historical behavior)

Immediate termination: a daemon process logs a type "fatal" message and terminates immediately.  This option reduces the number of possible code paths through Postfix, and may therefore be slightly more secure than the default.

For the sake of sanity, the number of type "error" messages is limited to 13 over the lifetime of a daemon process.

This feature is available in Postfix 2.9 and later.

daemon_timeout (default: 18000s)

How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

data_directory (default: see postconf -d output)

The directory with Postfix-writable data files (for example: caches, pseudo-random numbers).  This directory must be owned by the mail_owner account, and must not be shared with non-Postfix software.

This feature is available in Postfix 2.5 and later.

debug_peer_level (default: 2)

The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter.

debug_peer_list (default: empty)

Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level.

Specify domain names, network/netmask patterns, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups is ignored.

Pattern matching of domain names is controlled by the presence or absence of "debug_peer_list" in the parent_domain_matches_subdomains parameter value.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = example.com

debugger_command (default: empty)

The external command to execute when a Postfix daemon program is invoked with the -D option.

Use "command .. & sleep 5" so that the debugger can attach before the process marches on. If you use an X-based debugger, be sure to set up your XAUTHORITY environment variable before starting Postfix.

Note: the command is subject to $name expansion, before it is passed to the default command interpreter. Specify "$$" to produce a single "$" character.

Example:

debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    ddd $daemon_directory/$process_name $process_id & sleep 5

default_database_type (default: see postconf -d output)

The default database type for use in newaliases(1), postalias(1) and postmap(1) commands. On many UNIX systems the default type is either dbm or hash. The default setting is frozen when the Postfix system is built.

Examples:

default_database_type = hash
default_database_type = dbm

default_delivery_slot_cost (default: 5)

How often the Postfix queue manager's scheduler is allowed to preempt delivery of one message with another.

Each transport maintains a so-called "available delivery slot counter" for each message. One message can be preempted by another one when the other message can be delivered using no more delivery slots (i.e., invocations of delivery agents) than the current message counter has accumulated (or will eventually accumulate - see about slot loans below). This parameter controls how often is the counter incremented - it happens after each default_delivery_slot_cost recipients have been delivered.

The cost of 0 is used to disable the preempting scheduling completely. The minimum value the scheduling algorithm can use is 2 - use it if you want to maximize the message throughput rate. Although there is no maximum, it doesn't make much sense to use values above say 50.

The only reason why the value of 2 is not the default is the way this parameter affects the delivery of mailing-list mail. In the worst case, their delivery can take somewhere between (cost+1/cost) and (cost/cost-1) times more than if the preemptive scheduler was disabled. The default value of 5 turns out to provide reasonable message response times while making sure the mailing-list deliveries are not extended by more than 20-25 percent even in the worst case.

Use transport_delivery_slot_cost to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

Examples:

default_delivery_slot_cost = 0
default_delivery_slot_cost = 2

default_delivery_slot_discount (default: 50)

The default value for transport-specific _delivery_slot_discount settings.

This parameter speeds up the moment when a message preemption can happen. Instead of waiting until the full amount of delivery slots required is available, the preemption can happen when transport_delivery_slot_discount percent of the required amount plus transport_delivery_slot_loan still remains to be accumulated. Note that the full amount will still have to be accumulated before another preemption can take place later.

Use transport_delivery_slot_discount to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_delivery_slot_loan (default: 3)

The default value for transport-specific _delivery_slot_loan settings.

This parameter speeds up the moment when a message preemption can happen. Instead of waiting until the full amount of delivery slots required is available, the preemption can happen when transport_delivery_slot_discount percent of the required amount plus transport_delivery_slot_loan still remains to be accumulated. Note that the full amount will still have to be accumulated before another preemption can take place later.

Use transport_delivery_slot_loan to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_delivery_status_filter (default: empty)

Optional filter to replace the delivery status code or explanatory text of successful or unsuccessful deliveries.  This does not allow the replacement of a successful status code (2.X.X) with an unsuccessful status code (4.X.X or 5.X.X) or vice versa.

Note: the (smtp|lmtp)_delivery_status_filter is applied only once per recipient: when delivery is successful, when delivery is rejected with 5XX, or when there are no more alternate MX or A destinations. Use smtp_reply_filter or lmtp_reply_filter to inspect responses for all delivery attempts.

The following parameters can be used to implement a filter for specific delivery agents: lmtp_delivery_status_filter, local_delivery_status_filter, pipe_delivery_status_filter, smtp_delivery_status_filter or virtual_delivery_status_filter. These parameters support the same filter syntax as described here.

Specify zero or more "type:table" lookup table names, separated by comma or whitespace. For each successful or unsuccessful delivery to a recipient, the tables are queried in the specified order with one line of text that is structured as follows:

enhanced-status-code SPACE explanatory-text

The first table match wins. The lookup result must have the same structure as the query, a successful status code (2.X.X) must be replaced with a successful status code, an unsuccessful status code (4.X.X or 5.X.X) must be replaced with an unsuccessful status code, and the explanatory text field must be non-empty. Other results will result in a warning.

Example 1: convert specific soft TLS errors into hard errors, by overriding the first number in the enhanced status code.

/etc/postfix/main.cf:
    smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
/etc/postfix/smtp_dsn_filter:
    /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
        5$1
    /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
        5$1
    # Do not change the following into hard bounces. They may
    # result from a local configuration problem.
    # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
    # 4.\d+.\d+ TLS is required, but unavailable
    # 4.\d+.\d+ Cannot start TLS: handshake failure

Example 2: censor the per-recipient delivery status text so that it does not reveal the destination command or filename when a remote sender requests confirmation of successful delivery.

/etc/postfix/main.cf:
    local_delivery_status_filter = pcre:/etc/postfix/local_dsn_filter
/etc/postfix/local_dsn_filter:
    /^(2\S+ delivered to file).+/    $1
    /^(2\S+ delivered to command).+/ $1

Notes:

This feature is available in Postfix 3.0 and later.

default_destination_concurrency_failed_cohort_limit (default: 1)

How many pseudo-cohorts must suffer connection or handshake failure before a specific destination is considered unavailable (and further delivery is suspended). Specify zero to disable this feature. A destination's pseudo-cohort failure count is reset each time a delivery completes without connection or handshake failure for that specific destination.

A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency.

Use transport_destination_concurrency_failed_cohort_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5. The default setting is compatible with earlier Postfix versions.

default_destination_concurrency_limit (default: 20)

The default maximal number of parallel deliveries to the same destination.  This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents. With per-destination recipient limit > 1, a destination is a domain, otherwise it is a recipient.

Use transport_destination_concurrency_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_destination_concurrency_negative_feedback (default: 1)

The per-destination amount of delivery concurrency negative feedback, after a delivery completes with a connection or handshake failure. Feedback values are in the range 0..1 inclusive. With negative feedback, concurrency is decremented at the beginning of a sequence of length 1/feedback. This is unlike positive feedback, where concurrency is incremented at the end of a sequence of length 1/feedback.

As of Postfix version 2.5, negative feedback cannot reduce delivery concurrency to zero.  Instead, a destination is marked dead (further delivery suspended) after the failed pseudo-cohort count reaches $default_destination_concurrency_failed_cohort_limit (or $transport_destination_concurrency_failed_cohort_limit). To make the scheduler completely immune to connection or handshake failures, specify a zero feedback value and a zero failed pseudo-cohort limit.

Specify one of the following forms:

number
number / number

Constant feedback. The value must be in the range 0..1 inclusive. The default setting of "1" is compatible with Postfix versions before 2.5, where a destination's delivery concurrency is throttled down to zero (and further delivery suspended) after a single failed pseudo-cohort.

number / concurrency

Variable feedback of "number / (delivery concurrency)". The number must be in the range 0..1 inclusive. With number equal to "1", a destination's delivery concurrency is decremented by 1 after each failed pseudo-cohort.

A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency.

Use transport_destination_concurrency_negative_feedback to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5. The default setting is compatible with earlier Postfix versions.

default_destination_concurrency_positive_feedback (default: 1)

The per-destination amount of delivery concurrency positive feedback, after a delivery completes without connection or handshake failure. Feedback values are in the range 0..1 inclusive.  The concurrency increases until it reaches the per-destination maximal concurrency limit. With positive feedback, concurrency is incremented at the end of a sequence with length 1/feedback. This is unlike negative feedback, where concurrency is decremented at the start of a sequence of length 1/feedback.

Specify one of the following forms:

number
number / number

Constant feedback.  The value must be in the range 0..1 inclusive. The default setting of "1" is compatible with Postfix versions before 2.5, where a destination's delivery concurrency doubles after each successful pseudo-cohort.

number / concurrency

Variable feedback of "number / (delivery concurrency)". The number must be in the range 0..1 inclusive. With number equal to "1", a destination's delivery concurrency is incremented by 1 after each successful pseudo-cohort.

A pseudo-cohort is the number of deliveries equal to a destination's delivery concurrency.

Use transport_destination_concurrency_positive_feedback to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

This feature is available in Postfix 2.5 and later.

default_destination_rate_delay (default: 0s)

The default amount of delay that is inserted between individual deliveries to the same destination; the resulting behavior depends on the value of the corresponding per-destination recipient limit.

To enable the delay, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

NOTE: the delay is enforced by the queue manager. The delay timer state does not survive "postfix reload" or "postfix stop".

Use transport_destination_rate_delay to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

NOTE: with a non-zero _destination_rate_delay, specify a transport_destination_concurrency_failed_cohort_limit of 10 or more to prevent Postfix from deferring all mail for the same destination after only one connection or handshake error.

This feature is available in Postfix 2.5 and later.

default_destination_recipient_limit (default: 50)

The default maximal number of recipients per message delivery. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.

Setting this parameter to a value of 1 affects email deliveries as follows:

Use transport_destination_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_extra_recipient_limit (default: 1000)

The default value for the extra per-transport limit imposed on the number of in-memory recipients.  This extra recipient space is reserved for the cases when the Postfix queue manager's scheduler preempts one message with another and suddenly needs some extra recipients slots for the chosen message in order to avoid performance degradation.

Use transport_extra_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_filter_nexthop (default: empty)

When a content_filter or FILTER request specifies no explicit next-hop destination, use $default_filter_nexthop instead; when that value is empty, use the domain in the recipient address. Specify "default_filter_nexthop = $myhostname" for compatibility with Postfix version 2.6 and earlier, or specify an explicit next-hop destination with each content_filter value or FILTER action.

This feature is available in Postfix 2.7 and later.

default_minimum_delivery_slots (default: 3)

How many recipients a message must have in order to invoke the Postfix queue manager's scheduling algorithm at all.  Messages which would never accumulate at least this many delivery slots (subject to slot cost parameter as well) are never preempted.

Use transport_minimum_delivery_slots to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_privs (default: nobody)

The default rights used by the local(8) delivery agent for delivery to external file or command.  These rights are used when delivery is requested from an aliases(5) file that is owned by root, or when delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.

default_process_limit (default: 100)

The default maximal number of Postfix child processes that provide a given service. This limit can be overruled for specific services in the master.cf file.

default_rbl_reply (default: see postconf -d output)

The default Postfix SMTP server response template for a request that is rejected by an RBL-based restriction. This template can be overruled by specific entries in the optional rbl_reply_maps lookup table.

This feature is available in Postfix 2.0 and later.

The template is subject to exactly one level of $name substitution:

$client

The client hostname and IP address, formatted as name[address].

$client_address

The client IP address.

$client_name

The client hostname or "unknown". See reject_unknown_client_hostname for more details.

$reverse_client_name

The client hostname from address->name lookup, or "unknown". See reject_unknown_reverse_client_hostname for more details.

$helo_name

The hostname given in HELO or EHLO command or empty string.

$rbl_class

The blacklisted entity type: Client host, Helo command, Sender address, or Recipient address.

$rbl_code

The numerical SMTP response code, as specified with the maps_rbl_reject_code configuration parameter. Note: The numerical SMTP response code is required, and must appear at the start of the reply. With Postfix version 2.3 and later this information may be followed by an RFC 3463 enhanced status code.

$rbl_domain

The RBL domain where $rbl_what is blacklisted.

$rbl_reason

The reason why $rbl_what is blacklisted, or an empty string.

$rbl_what

The entity that is blacklisted (an IP address, a hostname, a domain name, or an email address whose domain was blacklisted).

$recipient

The recipient address or <> in case of the null address.

$recipient_domain

The recipient domain or empty string.

$recipient_name

The recipient address localpart or <> in case of null address.

$sender

The sender address or <> in case of the null address.

$sender_domain

The sender domain or empty string.

$sender_name

The sender address localpart or <> in case of the null address.

${name?text}

Expands to `text' if $name is not empty.

${name:text}

Expands to `text' if $name is empty.

Instead of $name you can also specify ${name} or $(name).

Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification.  The following transformations are needed when the same RBL reply template is used for client, helo, sender, or recipient access restrictions.

default_recipient_limit (default: 20000)

The default per-transport upper limit on the number of in-memory recipients.  These limits take priority over the global qmgr_message_recipient_limit after the message has been assigned to the respective transports.  See also default_extra_recipient_limit and qmgr_message_recipient_minimum.

Use transport_recipient_limit to specify a transport-specific override, where transport is the master.cf name of the message delivery transport.

default_recipient_refill_delay (default: 5s)

The default per-transport maximum delay between recipients refills. When not all message recipients fit into the memory at once, keep loading more of them at least once every this many seconds.