SMTP(8)                                                                SMTP(8)

NAME
       smtp - Postfix SMTP+LMTP client

SYNOPSIS
       smtp [generic Postfix daemon options]

DESCRIPTION
       The  Postfix SMTP+LMTP client implements the SMTP and LMTP
       mail delivery protocols.  It  processes  message  delivery
       requests  from the queue manager. Each request specifies a
       queue file, a sender address, a domain or host to  deliver
       to, and recipient information.  This program expects to be
       run from the master(8) process manager.

       The SMTP+LMTP client updates  the  queue  file  and  marks
       recipients  as  finished,  or it informs the queue manager
       that delivery should be  tried  again  at  a  later  time.
       Delivery   status  reports  are  sent  to  the  bounce(8),
       defer(8) or trace(8) daemon as appropriate.

       The SMTP+LMTP client looks up a  list  of  mail  exchanger
       addresses  for  the  destination  host,  sorts the list by
       preference, and connects to each listed address  until  it
       finds a server that responds.

       When  a  server  is  not  reachable, or when mail delivery
       fails due to a recoverable error condition, the  SMTP+LMTP
       client  will try to deliver the mail to an alternate host.

       After a successful mail transaction, a connection  may  be
       saved to the scache(8) connection cache server, so that it
       may be used by  any  SMTP+LMTP  client  for  a  subsequent
       transaction.

       By  default, connection caching is enabled temporarily for
       destinations that have a high volume of mail in the active
       queue.  Connection  caching can be enabled permanently for
       specific destinations.

SMTP DESTINATION SYNTAX
       SMTP destinations have the following form:

       domainname

       domainname:port
              Look up  the  mail  exchangers  for  the  specified
              domain, and connect to the specified port (default:
              smtp).

       [hostname]

       [hostname]:port
              Look up the address(es) of the specified host,  and
              connect to the specified port (default: smtp).

       [address]

       [address]:port
              Connect  to  the host at the specified address, and
              connect to the specified port (default:  smtp).  An
              IPv6 address must be formatted as [ipv6:address].

LMTP DESTINATION SYNTAX
       LMTP destinations have the following form:

       unix:pathname
              Connect  to  the  local  UNIX-domain server that is
              bound to the specified  pathname.  If  the  process
              runs  chrooted, an absolute pathname is interpreted
              relative to the Postfix queue directory.

       inet:hostname

       inet:hostname:port

       inet:[address]

       inet:[address]:port
              Connect to the specified TCP port on the  specified
              local or remote host. If no port is specified, con-
              nect to the port defined as  lmtp  in  services(4).
              If no such service is found, the lmtp_tcp_port con-
              figuration parameter (default value of 24) will  be
              used.    An  IPv6  address  must  be  formatted  as
              [ipv6:address].

SECURITY
       The SMTP+LMTP client is moderately security-sensitive.  It
       talks  to  SMTP  or LMTP servers and to DNS servers on the
       network. The SMTP+LMTP client can be run chrooted at fixed
       low privilege.

STANDARDS
       RFC 821 (SMTP protocol)
       RFC 822 (ARPA Internet Text Messages)
       RFC 1651 (SMTP service extensions)
       RFC 1652 (8bit-MIME transport)
       RFC 1870 (Message Size Declaration)
       RFC 2033 (LMTP protocol)
       RFC 2034 (SMTP Enhanced Error Codes)
       RFC 2045 (MIME: Format of Internet Message Bodies)
       RFC 2046 (MIME: Media Types)
       RFC 2554 (AUTH command)
       RFC 2821 (SMTP protocol)
       RFC 2920 (SMTP Pipelining)
       RFC 3207 (STARTTLS command)
       RFC 3461 (SMTP DSN Extension)
       RFC 3463 (Enhanced Status Codes)

DIAGNOSTICS
       Problems  and transactions are logged to syslogd(8).  Cor-
       rupted message files are marked so that the queue  manager
       can move them to the corrupt queue for further inspection.

       Depending on the setting of the notify_classes  parameter,
       the  postmaster is notified of bounces, protocol problems,
       and of other trouble.

BUGS
       SMTP and LMTP connection caching does not work  with  TLS.
       The  necessary  support for TLS object passivation and re-
       activation does not exist  without  closing  the  session,
       which defeats the purpose.

       SMTP and LMTP connection caching assumes that SASL creden-
       tials are valid for all destinations  that  map  onto  the
       same IP address and TCP port.

CONFIGURATION PARAMETERS
       Before  Postfix version 2.3, the LMTP client is a separate
       program that implements only a subset of the functionality
       available with SMTP: there is no support for TLS, and con-
       nections are cached in-process, making it ineffective when
       the client is used for multiple domains.

       Most  smtp_xxx  configuration  parameters have an lmtp_xxx
       "mirror" parameter for the equivalent LMTP  feature.  This
       document describes only those LMTP-related parameters that
       aren't simply "mirror" parameters.

       Changes to main.cf are picked up automatically, as smtp(8)
       processes  run  for only a limited amount of time. Use the
       command "postfix reload" to speed up a change.

       The text below provides  only  a  parameter  summary.  See
       postconf(5) for more details including examples.

COMPATIBILITY CONTROLS
       ignore_mx_lookup_error (no)
              Ignore DNS MX lookups that produce no response.

       smtp_always_send_ehlo (yes)
              Always send EHLO at the start of an SMTP session.

       smtp_never_send_ehlo (no)
              Never send EHLO at the start of an SMTP session.

       smtp_defer_if_no_mx_address_found (no)
              Defer  mail  delivery when no MX record resolves to
              an IP address.

       smtp_line_length_limit (990)
              The maximal length of message header and body lines
              that Postfix will send via SMTP.

       smtp_pix_workaround_delay_time (10s)
              How  long  the  Postfix  SMTP  client pauses before
              sending ".<CR><LF>" in order to work around the PIX
              firewall "<CR><LF>.<CR><LF>" bug.

       smtp_pix_workaround_threshold_time (500s)
              How  long a message must be queued before the Post-
              fix  SMTP  client  turns  on   the   PIX   firewall
              "<CR><LF>.<CR><LF>"  bug  workaround  for  delivery
              through firewalls with "smtp fixup" mode turned on.

       smtp_pix_workarounds (disable_esmtp, delay_dotcrlf)
              A  list that specifies zero or more workarounds for
              CISCO PIX firewall bugs.

       smtp_pix_workaround_maps (empty)
              Lookup tables, indexed by the  remote  SMTP  server
              address, with per-destination workarounds for CISCO
              PIX firewall bugs.

       smtp_quote_rfc821_envelope (yes)
              Quote addresses in SMTP MAIL FROM and RCPT TO  com-
              mands as required by RFC 821.

       smtp_skip_5xx_greeting (yes)
              Skip SMTP servers that greet with a 5XX status code
              (go away, do not try again later).

       smtp_skip_quit_response (yes)
              Do not wait for the response to the SMTP QUIT  com-
              mand.

       Available in Postfix version 2.0 and earlier:

       smtp_skip_4xx_greeting (yes)
              Skip SMTP servers that greet with a 4XX status code
              (go away, try again later).

       Available in Postfix version 2.2 and later:

       smtp_discard_ehlo_keyword_address_maps (empty)
              Lookup tables, indexed by the  remote  SMTP  server
              address,  with  case insensitive lists of EHLO key-
              words (pipelining, starttls, auth, etc.)  that  the
              Postfix   SMTP  client  will  ignore  in  the  EHLO
              response from a remote SMTP server.

       smtp_discard_ehlo_keywords (empty)
              A case insensitive list of EHLO keywords  (pipelin-
              ing,  starttls,  auth,  etc.) that the Postfix SMTP
              client will ignore in  the  EHLO  response  from  a
              remote SMTP server.

       smtp_generic_maps (empty)
              Optional lookup tables that perform address rewrit-
              ing in the SMTP client, typically  to  transform  a
              locally valid address into a globally valid address
              when sending mail across the Internet.

       Available in Postfix version 2.2.9 and later:

       smtp_cname_overrides_servername (version dependent)
              Allow DNS CNAME records to override the  servername
              that the Postfix SMTP client uses for logging, SASL
              password lookup, TLS policy decisions, or TLS  cer-
              tificate verification.

       Available in Postfix version 2.3 and later:

       lmtp_discard_lhlo_keyword_address_maps (empty)
              Lookup  tables,  indexed  by the remote LMTP server
              address, with case insensitive lists of  LHLO  key-
              words  (pipelining,  starttls, auth, etc.) that the
              LMTP client will ignore in the LHLO response from a
              remote LMTP server.

       lmtp_discard_lhlo_keywords (empty)
              A  case insensitive list of LHLO keywords (pipelin-
              ing, starttls, auth, etc.)  that  the  LMTP  client
              will ignore in the LHLO response from a remote LMTP
              server.

MIME PROCESSING CONTROLS
       Available in Postfix version 2.0 and later:

       disable_mime_output_conversion (no)
              Disable the conversion of 8BITMIME format  to  7BIT
              format.

       mime_boundary_length_limit (2048)
              The  maximal  length  of  MIME  multipart  boundary
              strings.

       mime_nesting_limit (100)
              The maximal recursion level that the MIME processor
              will handle.

EXTERNAL CONTENT INSPECTION CONTROLS
       Available in Postfix version 2.1 and later:

       smtp_send_xforward_command (no)
              Send  the  non-standard  XFORWARD  command when the
              Postfix SMTP server EHLO response  announces  XFOR-
              WARD support.

SASL AUTHENTICATION CONTROLS
       smtp_sasl_auth_enable (no)
              Enable  SASL  authentication  in  the  Postfix SMTP
              client.

       smtp_sasl_password_maps (empty)
              Optional SMTP client lookup tables with  one  user-
              name:password  entry per remote hostname or domain,
              or sender address when sender-dependent authentica-
              tion is enabled.

       smtp_sasl_security_options (noplaintext, noanonymous)
              SASL  security  options; as of Postfix 2.3 the list
              of available features depends on  the  SASL  client
              implementation     that     is     selected    with
              smtp_sasl_type.

       Available in Postfix version 2.2 and later:

       smtp_sasl_mechanism_filter (empty)
              If non-empty, a Postfix SMTP client filter for  the
              remote  SMTP  server's  list of offered SASL mecha-
              nisms.

       Available in Postfix version 2.3 and later:

       smtp_sender_dependent_authentication (no)
              Enable sender-dependent authentication in the Post-
              fix  SMTP  client; this is available only with SASL
              authentication,  and   disables   SMTP   connection
              caching  to ensure that mail from different senders
              will use the appropriate credentials.

       smtp_sasl_path (empty)
              Implementation-specific information that is  passed
              through  to the SASL plug-in implementation that is
              selected with smtp_sasl_type.

       smtp_sasl_type (cyrus)
              The SASL plug-in type that the Postfix SMTP  client
              should use for authentication.

STARTTLS SUPPORT CONTROLS
       Detailed  information  about STARTTLS configuration may be
       found in the TLS_README document.

       smtp_tls_security_level (empty)
              The default SMTP TLS security level for the Postfix
              SMTP  client;  when a non-empty value is specified,
              this    overrides    the    obsolete     parameters
              smtp_use_tls,         smtp_enforce_tls,         and
              smtp_tls_enforce_peername.

       smtp_sasl_tls_security_options           ($smtp_sasl_secu-
       rity_options)
              The SASL authentication security options  that  the
              Postfix  SMTP  client  uses  for TLS encrypted SMTP
              sessions.

       smtp_starttls_timeout (300s)
              Time limit for Postfix SMTP client write  and  read
              operations  during  TLS  startup and shutdown hand-
              shake procedures.

       smtp_tls_CAfile (empty)
              The file with the certificate of the  certification
              authority  (CA) that issued the Postfix SMTP client
              certificate.

       smtp_tls_CApath (empty)
              Directory with  PEM  format  certificate  authority
              certificates  that  the Postfix SMTP client uses to
              verify a remote SMTP server certificate.

       smtp_tls_cert_file (empty)
              File with the Postfix SMTP client  RSA  certificate
              in PEM format.

       smtp_tls_mandatory_ciphers (medium)
              The  minimum TLS cipher grade that the Postfix SMTP
              client will use with mandatory TLS encryption.

       smtp_tls_exclude_ciphers (empty)
              List of ciphers or cipher types to exclude from the
              Postfix SMTP client cipher list at all TLS security
              levels.

       smtp_tls_mandatory_exclude_ciphers (empty)
              Additional list  of  ciphers  or  cipher  types  to
              exclude  from the SMTP client cipher list at manda-
              tory TLS security levels.

       smtp_tls_dcert_file (empty)
              File with the Postfix SMTP client  DSA  certificate
              in PEM format.

       smtp_tls_dkey_file ($smtp_tls_dcert_file)
              File  with  the Postfix SMTP client DSA private key
              in PEM format.

       smtp_tls_key_file ($smtp_tls_cert_file)
              File with the Postfix SMTP client RSA  private  key
              in PEM format.

       smtp_tls_loglevel (0)
              Enable  additional  Postfix  SMTP client logging of
              TLS activity.

       smtp_tls_note_starttls_offer (no)
              Log the hostname  of  a  remote  SMTP  server  that
              offers  STARTTLS,  when  TLS is not already enabled
              for that server.

       smtp_tls_policy_maps (empty)
              Optional lookup tables with the Postfix SMTP client
              TLS security policy by next-hop destination; when a
              non-empty value is specified,  this  overrides  the
              obsolete smtp_tls_per_site parameter.

       smtp_tls_mandatory_protocols (SSLv3, TLSv1)
              List  of TLS protocols that the Postfix SMTP client
              will use with mandatory TLS encryption.

       smtp_tls_scert_verifydepth (5)
              The verification depth for remote SMTP server  cer-
              tificates.

       smtp_tls_secure_cert_match (nexthop, dot-nexthop)
              The server certificate peername verification method
              for the "secure" TLS security level.

       smtp_tls_session_cache_database (empty)
              Name of the file containing  the  optional  Postfix
              SMTP client TLS session cache.

       smtp_tls_session_cache_timeout (3600s)
              The expiration time of Postfix SMTP client TLS ses-
              sion cache information.

       smtp_tls_verify_cert_match (hostname)
              The server certificate peername verification method
              for the "verify" TLS security level.

       tls_daemon_random_bytes (32)
              The  number  of pseudo-random bytes that an smtp(8)
              or smtpd(8) process  requests  from  the  tlsmgr(8)
              server  in order to seed its internal pseudo random
              number generator (PRNG).

       tls_high_cipherlist
       (ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "HIGH" grade ciphers.

       tls_medium_cipherlist (ALL:!EXPORT:!LOW:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "MEDIUM" or higher grade
              ciphers.

       tls_low_cipherlist (ALL:!EXPORT:+RC4:@STRENGTH)
              The  OpenSSL  cipherlist  for "LOW" or higher grade
              ciphers.

       tls_export_cipherlist (ALL:+RC4:@STRENGTH)
              The OpenSSL cipherlist for "EXPORT" or higher grade
              ciphers.

       tls_null_cipherlist (eNULL:!aNULL)
              The  OpenSSL  cipherlist  for  "NULL" grade ciphers
              that provide authentication without encryption.

       Available in Postfix version 2.4 and later:

       smtp_sasl_tls_verified_security_options
       ($smtp_sasl_tls_security_options)
              The SASL authentication security options  that  the
              Postfix  SMTP  client  uses  for TLS encrypted SMTP
              sessions with a verified server certificate.

OBSOLETE STARTTLS CONTROLS
       The following configuration parameters exist for  compati-
       bility with Postfix versions before 2.3. Support for these
       will be removed in a future release.

       smtp_use_tls (no)
              Opportunistic mode: use  TLS  when  a  remote  SMTP
              server  announces  STARTTLS support, otherwise send
              the mail in the clear.

       smtp_enforce_tls (no)
              Enforcement mode: require that remote SMTP  servers
              use  TLS  encryption,  and  never  send mail in the
              clear.

       smtp_tls_enforce_peername (yes)
              With mandatory TLS  encryption,  require  that  the
              remote SMTP server hostname matches the information
              in the remote SMTP server certificate.

       smtp_tls_per_site (empty)
              Optional lookup tables with the Postfix SMTP client
              TLS  usage  policy  by  next-hop destination and by
              remote SMTP server hostname.

       smtp_tls_cipherlist (empty)
              Obsolete Postfix < 2.3 control for the Postfix SMTP
              client TLS cipher list.

RESOURCE AND RATE CONTROLS
       smtp_destination_concurrency_limit      ($default_destina-
       tion_concurrency_limit)
              The  maximal  number  of parallel deliveries to the
              same destination  via  the  smtp  message  delivery
              transport.

       smtp_destination_recipient_limit        ($default_destina-
       tion_recipient_limit)
              The  maximal  number of recipients per delivery via
              the smtp message delivery transport.

       smtp_connect_timeout (30s)
              The SMTP client time limit  for  completing  a  TCP
              connection,  or  zero  (use  the  operating  system
              built-in time limit).

       smtp_helo_timeout (300s)
              The SMTP client time limit for sending the HELO  or
              EHLO  command, and for receiving the initial server
              response.

       lmtp_lhlo_timeout (300s)
              The LMTP client time limit  for  sending  the  LHLO
              command,  and  for  receiving  the  initial  server
              response.

       smtp_xforward_timeout (300s)
              The SMTP client time limit for sending the XFORWARD
              command, and for receiving the server response.

       smtp_mail_timeout (300s)
              The  SMTP  client  time  limit for sending the MAIL
              FROM  command,  and  for   receiving   the   server
              response.

       smtp_rcpt_timeout (300s)
              The  SMTP  client  time  limit for sending the SMTP
              RCPT TO  command,  and  for  receiving  the  server
              response.

       smtp_data_init_timeout (120s)
              The  SMTP  client  time  limit for sending the SMTP
              DATA  command,  and  for   receiving   the   server
              response.

       smtp_data_xfer_timeout (180s)
              The  SMTP  client  time  limit for sending the SMTP
              message content.

       smtp_data_done_timeout (600s)
              The SMTP client time limit  for  sending  the  SMTP
              ".", and for receiving the server response.

       smtp_quit_timeout (300s)
              The  SMTP  client  time  limit for sending the QUIT
              command, and for receiving the server response.

       Available in Postfix version 2.1 and later:

       smtp_mx_address_limit (5)
              The  maximal  number  of  MX  (mail  exchanger)  IP
              addresses  that  can  result  from  mail  exchanger
              lookups, or zero (no limit).

       smtp_mx_session_limit (2)
              The maximal number of SMTP  sessions  per  delivery
              request  before  giving up or delivering to a fall-
              back relay host, or zero (no limit).

       smtp_rset_timeout (20s)
              The SMTP client time limit  for  sending  the  RSET
              command, and for receiving the server response.

       Available in Postfix version 2.2 and earlier:

       lmtp_cache_connection (yes)
              Keep Postfix LMTP client connections open for up to
              $max_idle seconds.

       Available in Postfix version 2.2 and later:

       smtp_connection_cache_destinations (empty)
              Permanently enable SMTP connection caching for  the
              specified destinations.

       smtp_connection_cache_on_demand (yes)
              Temporarily  enable SMTP connection caching while a
              destination has a high volume of mail in the active
              queue.

       smtp_connection_reuse_time_limit (300s)
              The amount of time during which Postfix will use an
              SMTP connection repeatedly.

       smtp_connection_cache_time_limit (2s)
              When SMTP connection caching is enabled, the amount
              of  time  that an unused SMTP client socket is kept
              open before it is closed.

       Available in Postfix version 2.3 and later:

       connection_cache_protocol_timeout (5s)
              Time limit for connection cache  connect,  send  or
              receive operations.

TROUBLE SHOOTING CONTROLS
       debug_peer_level (2)
              The  increment  in  verbose  logging  level  when a
              remote client or server matches a  pattern  in  the
              debug_peer_list parameter.

       debug_peer_list (empty)
              Optional  list  of remote client or server hostname
              or network address patterns that cause the  verbose
              logging  level  to increase by the amount specified
              in $debug_peer_level.

       error_notice_recipient (postmaster)
              The recipient  of  postmaster  notifications  about
              mail  delivery  problems that are caused by policy,
              resource, software or protocol errors.

       internal_mail_filter_classes (empty)
              What categories of Postfix-generated mail are  sub-
              ject   to   before-queue   content   inspection  by
              non_smtpd_milters, header_checks and body_checks.

       notify_classes (resource, software)
              The list of error classes that are reported to  the
              postmaster.

MISCELLANEOUS CONTROLS
       best_mx_transport (empty)
              Where  the  Postfix SMTP client should deliver mail
              when it detects a "mail loops back to myself" error
              condition.

       config_directory (see 'postconf -d' output)
              The  default  location  of  the Postfix main.cf and
              master.cf configuration files.

       daemon_timeout (18000s)
              How much time a Postfix daemon process may take  to
              handle  a  request  before  it  is  terminated by a
              built-in watchdog timer.

       delay_logging_resolution_limit (2)
              The maximal number  of  digits  after  the  decimal
              point when logging sub-second delay values.

       disable_dns_lookups (no)
              Disable  DNS  lookups  in the Postfix SMTP and LMTP
              clients.

       inet_interfaces (all)
              The network interface addresses that this mail sys-
              tem receives mail on.

       inet_protocols (ipv4)
              The  Internet protocols Postfix will attempt to use
              when making or accepting connections.

       ipc_timeout (3600s)
              The time limit for sending or receiving information
              over an internal communication channel.

       lmtp_tcp_port (24)
              The  default  TCP port that the Postfix LMTP client
              connects to.

       max_idle (100s)
              The maximum amount of time  that  an  idle  Postfix
              daemon  process  waits  for  an incoming connection
              before terminating voluntarily.

       max_use (100)
              The maximal number of incoming connections  that  a
              Postfix  daemon  process will service before termi-
              nating voluntarily.

       process_id (read-only)
              The process ID  of  a  Postfix  command  or  daemon
              process.

       process_name (read-only)
              The  process  name  of  a Postfix command or daemon
              process.

       proxy_interfaces (empty)
              The network interface addresses that this mail sys-
              tem  receives  mail on by way of a proxy or network
              address translation unit.

       smtp_bind_address (empty)
              An optional  numerical  network  address  that  the
              Postfix  SMTP  client should bind to when making an
              IPv4 connection.

       smtp_bind_address6 (empty)
              An optional  numerical  network  address  that  the
              Postfix  SMTP  client should bind to when making an
              IPv6 connection.

       smtp_helo_name ($myhostname)
              The hostname to send in the SMTP EHLO or HELO  com-
              mand.

       lmtp_lhlo_name ($myhostname)
              The hostname to send in the LMTP LHLO command.

       smtp_host_lookup (dns)
              What  mechanisms  when the Postfix SMTP client uses
              to look up a host's IP address.

       smtp_randomize_addresses (yes)
              Randomize the order  of  equal-preference  MX  host
              addresses.

       syslog_facility (mail)
              The syslog facility of Postfix logging.

       syslog_name (postfix)
              The  mail  system  name  that  is  prepended to the
              process name in syslog  records,  so  that  "smtpd"
              becomes, for example, "postfix/smtpd".

       Available with Postfix 2.2 and earlier:

       fallback_relay (empty)
              Optional  list of relay hosts for SMTP destinations
              that can't be found or that are unreachable.

       Available with Postfix 2.3 and later:

       smtp_fallback_relay ($fallback_relay)
              Optional list of relay hosts for SMTP  destinations
              that can't be found or that are unreachable.

SEE ALSO
       qmgr(8), queue manager
       bounce(8), delivery status reports
       scache(8), connection cache server
       postconf(5), configuration parameters
       master(5), generic daemon options
       master(8), process manager
       tlsmgr(8), TLS session and PRNG management
       syslogd(8), system logging

README FILES
       SASL_README, Postfix SASL howto
       TLS_README, Postfix STARTTLS howto

LICENSE
       The Secure Mailer license must be  distributed  with  this
       software.

AUTHOR(S)
       Wietse Venema
       IBM T.J. Watson Research
       P.O. Box 704
       Yorktown Heights, NY 10598, USA

       Command pipelining in cooperation with:
       Jon Ribbens
       Oaktree Internet Solutions Ltd.,
       Internet House,
       Canal Basin,
       Coventry,
       CV1 4LY, United Kingdom.

       SASL support originally by:
       Till Franke
       SuSE Rhein/Main AG
       65760 Eschborn, Germany

       Connection caching in cooperation with:
       Victor Duchovni
       Morgan Stanley

       TLS support originally by:
       Lutz Jaenicke
       BTU Cottbus
       Allgemeine Elektrotechnik
       Universitaetsplatz 3-4
       D-03044 Cottbus, Germany

                                                                       SMTP(8)