Postfix Configuration Parameters


Postfix main.cf file format

The Postfix main.cf configuration file specifies a very small subset of all the parameters that control the operation of the Postfix mail system. Parameters not explicitly specified are left at their default values.

The general format of the main.cf file is as follows:

  • Each logical line is in the form "parameter = value". Whitespace around the "=" is ignored, as is whitespace at the end of a logical line.

  • Empty lines and whitespace-only lines are ignored, as are lines whose first non-whitespace character is a `#'.

  • A logical line starts with non-whitespace text. A line that starts with whitespace continues a logical line.

  • A parameter value may refer to other parameters.

    • The expressions "$name", "${name}" or "$(name)" are recursively replaced by the value of the named parameter.

    • The expression "${name?value}" expands to "value" when "$name" is non-empty. This form is supported with Postfix version 2.2 and later.

    • The expression "${name:value}" expands to "value" when "$name" is empty. This form is supported with Postfix version 2.2 and later.

  • When the same parameter is defined multiple times, only the last instance is remembered.

  • Otherwise, the order of main.cf parameter definitions does not matter.

The remainder of this document is a description of all Postfix configuration parameters. Default values are shown after the parameter name in parentheses, and can be looked up with the "postconf -d" command.

Note: this is not an invitation to make changes to Postfix configuration parameters. Unnecessary changes are likely to impair the operation of the mail system.

2bounce_notice_recipient (default: postmaster)

The recipient of undeliverable mail that cannot be returned to the sender. This feature is enabled with the notify_classes parameter.

access_map_reject_code (default: 554)

The numerical Postfix SMTP server response code when a client is rejected by an access(5) map restriction.

Do not change this unless you have a complete understanding of RFC 821.

address_verify_default_transport (default: $default_transport)

Overrides the default_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_local_transport (default: $local_transport)

Overrides the local_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_map (default: empty)

Optional lookup table for persistent address verification status storage. The table is maintained by the verify(8) service, and is opened before the process releases privileges.

By default, the information is kept in volatile memory, and is lost after "postfix reload" or "postfix stop".

Specify a location in a file system that will not fill up. If the database becomes corrupted, the world comes to an end. To recover delete the file and do "postfix reload".

Examples:

address_verify_map = hash:/etc/postfix/verify
address_verify_map = btree:/etc/postfix/verify

This feature is available in Postfix 2.1 and later.

address_verify_negative_cache (default: yes)

Enable caching of failed address verification probe results. When this feature is enabled, the cache may pollute quickly with garbage. When this feature is disabled, Postfix will generate an address probe for every lookup.

This feature is available in Postfix 2.1 and later.

address_verify_negative_expire_time (default: 3d)

The time after which a failed probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_negative_refresh_time (default: 3h)

The time after which a failed address verification probe needs to be refreshed.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_poll_count (default: 3)

How many times to query the verify(8) service for the completion of an address verification request in progress.

The default poll count is 3.

Specify 1 to implement a crude form of greylisting, that is, always defer the first delivery request for a never seen before address.

Example:

address_verify_poll_count = 1

This feature is available in Postfix 2.1 and later.

address_verify_poll_delay (default: 3s)

The delay between queries for the completion of an address verification request in progress.

The default polling delay is 3 seconds.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_positive_expire_time (default: 31d)

The time after which a successful probe expires from the address verification cache.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_positive_refresh_time (default: 7d)

The time after which a successful address verification probe needs to be refreshed. The address verification status is not updated when the probe fails (optimistic caching).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).

This feature is available in Postfix 2.1 and later.

address_verify_relay_transport (default: $relay_transport)

Overrides the relay_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_relayhost (default: $relayhost)

Overrides the relayhost parameter setting for address verification probes. This information can be overruled with the transport(5) table.

This feature is available in Postfix 2.1 and later.

address_verify_sender (default: postmaster)

The sender address to use in address verification probes. To avoid problems with address probes that are sent in response to address probes, the Postfix SMTP server excludes the probe sender address from all SMTPD access blocks.

Specify an empty value (address_verify_sender =) or <> if you want to use the null sender address. Beware, some sites reject mail from <>, even though RFCs require that such addresses be accepted.

Examples:

address_verify_sender = <>
address_verify_sender = [email protected]

This feature is available in Postfix 2.1 and later.

address_verify_sender_dependent_relayhost_maps (default: empty)

Overrides the sender_dependent_relayhost_maps parameter setting for address verification probes.

This feature is available in Postfix 2.3 and later.

address_verify_service_name (default: verify)

The name of the verify(8) address verification service. This service maintains the status of sender and/or recipient address verification probes, and generates probes on request by other Postfix processes.

address_verify_transport_maps (default: $transport_maps)

Overrides the transport_maps parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

address_verify_virtual_transport (default: $virtual_transport)

Overrides the virtual_transport parameter setting for address verification probes.

This feature is available in Postfix 2.1 and later.

alias_database (default: see "postconf -d" output)

The alias databases for local(8) delivery that are updated with "newaliases" or with "sendmail -bi".

This is a separate configuration parameter because not all the tables specified with $alias_maps have to be local files.

Examples:

alias_database = hash:/etc/aliases
alias_database = hash:/etc/mail/aliases
alias_maps (default: see "postconf -d" output)

The alias databases that are used for local(8) delivery. See aliases(5) for syntax details.

The default list is system dependent. On systems with NIS, the default is to search the local alias database, then the NIS alias database.

If you change the alias database, run "postalias /etc/aliases" (or wherever your system stores the mail alias file), or simply run "newaliases" to build the necessary DBM or DB file.

The local(8) delivery agent disallows regular expression substitution of $1 etc. in alias_maps, because that would open a security hole.

The local(8) delivery agent will silently ignore requests to use the proxymap(8) server within alias_maps. Instead it will open the table directly. Before Postfix version 2.2, the local(8) delivery agent will terminate with a fatal error.

Examples:

alias_maps = hash:/etc/aliases, nis:mail.aliases
alias_maps = hash:/etc/aliases
allow_mail_to_commands (default: alias, forward)

Restrict local(8) mail delivery to external commands. The default is to disallow delivery to "|command" in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow commands in aliases(5), .forward files or in :include: files, respectively.

Example:

allow_mail_to_commands = alias,forward,include
allow_mail_to_files (default: alias, forward)

Restrict local(8) mail delivery to external files. The default is to disallow "/file/name" destinations in :include: files (see aliases(5) for the text that defines this terminology).

Specify zero or more of: alias, forward or include, in order to allow "/file/name" destinations in aliases(5), .forward files and in :include: files, respectively.

Example:

allow_mail_to_files = alias,forward,include
allow_min_user (default: no)

Allow a recipient address to have `-' as the first character. By default, this is not allowed, to avoid accidents with software that passes email addresses via the command line. Such software would not be able to distinguish a malicious address from a bona fide command-line option. Although this can be prevented by inserting a "--" option terminator into the command line, this is difficult to enforce consistently and globally.

allow_percent_hack (default: yes)

Enable the rewriting of the form "user%domain" to "[email protected]". This is enabled by default.

Note: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Example:

allow_percent_hack = no
allow_untrusted_routing (default: no)

Forward mail with sender-specified routing (user[@%!]remote[@%!]site) from untrusted clients to destinations matching $relay_domains.

By default, this feature is turned off. This closes a nasty open relay loophole where a backup MX host can be tricked into forwarding junk mail to a primary MX host which then spams it out to the world.

This parameter also controls if non-local addresses with sender-specified routing can match Postfix access tables. By default, such addresses cannot match Postfix access tables, because the address is ambiguous.

alternate_config_directories (default: empty)

A list of non-default Postfix configuration directories that may be specified with "-c config_directory" on the command line, or via the MAIL_CONFIG environment parameter.

This list must be specified in the default Postfix configuration directory, and is used by set-gid Postfix commands such as postqueue(1) and postdrop(1).

always_bcc (default: empty)

Optional address that receives a "blind carbon copy" of each message that is received by the Postfix mail system.

Note: if mail to the BCC address bounces it will be returned to the sender.

Note: automatic BCC recipients are produced only for new mail. To avoid mailer loops, automatic BCC recipients are not generated for mail that Postfix forwards internally, nor for mail that Postfix generates itself.

anvil_rate_time_unit (default: 60s)

The time unit over which client connection rates and other rates are calculated.

This feature is implemented by the anvil(8) service which is not part of the stable Postfix version 2.1 release.

The default interval is relatively short. Because of the high frequency of updates, the anvil(8) server uses volatile memory only. Thus, information is lost whenever the process terminates.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

anvil_status_update_time (default: 600s)

How frequently the anvil(8) connection and rate limiting server logs peak usage information.

This feature is available in Postfix 2.2 and later.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

append_at_myorigin (default: yes)

With locally submitted mail, append the string "@$myorigin" to mail addresses without domain information. With remotely submitted mail, append the string "@$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default and must not be turned off. Postfix does not support domain-less addresses.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

append_dot_mydomain (default: yes)

With locally submitted mail, append the string ".$mydomain" to addresses that have no ".domain" information. With remotely submitted mail, append the string ".$remote_header_rewrite_domain" instead.

Note 1: this feature is enabled by default. If disabled, users will not be able to send mail to "[email protected]" but will have to specify full domain names instead.

Note 2: with Postfix version 2.2, message header address rewriting happens only when one of the following conditions is true:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

application_event_drain_time (default: 100s)

How long the postkick(1) command waits for a request to enter the server's input buffer before giving up.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

This feature is available in Postfix 2.1 and later.

authorized_flush_users (default: static:anyone)

List of users who are authorized to flush the queue.

By default, all users are allowed to flush the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. Specify "!name" to exclude a name from the list. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace.

This feature is available in Postfix 2.2 and later.

authorized_mailq_users (default: static:anyone)

List of users who are authorized to view the queue.

By default, all users are allowed to view the queue. Access is always granted if the invoking user is the super-user or the $mail_owner user. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. Specify "!name" to exclude a name from the list. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace.

This feature is available in Postfix 2.2 and later.

authorized_submit_users (default: static:anyone)

List of users who are authorized to submit mail with the sendmail(1) command (and with the privileged postdrop(1) helper command).

By default, all users are allowed to submit mail. Otherwise, the real UID of the process is looked up in the system password file, and access is granted only if the corresponding login name is on the access list. The username "unknown" is used for processes whose real UID is not found in the password file. To deny mail submission access to all users specify an empty list.

Specify a list of user names, "/file/name" or "type:table" patterns, separated by commas and/or whitespace. The list is matched left to right, and the search stops on the first match. Specify "!name" to exclude a name from the list. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a name matches a lookup key (the lookup result is ignored). Continue long lines by starting the next line with whitespace.

Example:

authorized_submit_users = !www, static:all

This feature is available in Postfix 2.2 and later.

authorized_verp_clients (default: $mynetworks)

What SMTP clients are allowed to specify the XVERP command. This command requests that mail be delivered one recipient at a time with a per recipient return address.

By default, only trusted clients are allowed to specify XVERP.

This parameter was introduced with Postfix version 1.1. Postfix version 2.1 renamed this parameter to smtpd_authorized_verp_clients and changed the default to none.

Specify a list of network/netmask patterns, separated by commas and/or whitespace. The mask specifies the number of bits in the network part of a host address. You can also specify hostnames or .domain names (the initial dot causes the domain to match any name below it), "/file/name" or "type:table" patterns. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when a table entry matches a lookup string (the lookup result is ignored). Continue long lines by starting the next line with whitespace.

Note: IP version 6 address information must be specified inside [] in the authorized_verp_clients value, and in files specified with "/file/name". IP version 6 addresses contain the ":" character, and would otherwise be confused with a "type:table" pattern.

backwards_bounce_logfile_compatibility (default: yes)

Produce additional bounce(8) logfile records that can be read by Postfix versions before 2.0. The current and more extensible "name = value" format is needed in order to implement more sophisticated functionality.

This feature is available in Postfix 2.1 and later.

berkeley_db_create_buffer_size (default: 16777216)

The per-table I/O buffer size for programs that create Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

berkeley_db_read_buffer_size (default: 131072)

The per-table I/O buffer size for programs that read Berkeley DB hash or btree tables. Specify a byte count.

This feature is available in Postfix 2.0 and later.

best_mx_transport (default: empty)

Where the Postfix SMTP client should deliver mail when it detects a "mail loops back to myself" error condition. This happens when the local MTA is the best SMTP mail exchanger for a destination not listed in $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, or $virtual_mailbox_domains. By default, the Postfix SMTP client returns such mail as undeliverable.

Specify, for example, "best_mx_transport = local" to pass the mail from the Postfix SMTP client to the local(8) delivery agent. You can specify any message delivery "transport" or "transport:nexthop" that is defined in the master.cf file. See the transport(5) manual page for the syntax and meaning of "transport" or "transport:nexthop".

However, this feature is expensive because it ties up a Postfix SMTP client process while the local(8) delivery agent is doing its work. It is more efficient (for Postfix) to list all hosted domains in a table or database.

biff (default: yes)

Whether or not to use the local biff service. This service sends "new mail" notifications to users who have requested new mail notification with the UNIX command "biff y".

For compatibility reasons this feature is on by default. On systems with lots of interactive users, the biff service can be a performance drain. Specify "biff = no" in main.cf to disable.

body_checks (default: empty)

Optional lookup tables for content inspection as specified in the body_checks(5) manual page.

Note: with Postfix versions before 2.0, these rules inspect all content after the primary message headers.

body_checks_size_limit (default: 51200)

How much text in a message body segment (or attachment, if you prefer to use that term) is subjected to body_checks inspection. The amount of text is limited to avoid scanning huge attachments.

This feature is available in Postfix 2.0 and later.

bounce_notice_recipient (default: postmaster)

The recipient of postmaster notifications with the message headers of mail that Postfix did not deliver and of SMTP conversation transcripts of mail that Postfix did not receive. This feature is enabled with the notify_classes parameter.

bounce_queue_lifetime (default: 5d)

The maximal time a bounce message is queued before it is considered undeliverable. By default, this is the same as the queue life time for regular mail.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days).

Specify 0 when mail delivery should be tried only once.

This feature is available in Postfix 2.1 and later.

bounce_service_name (default: bounce)

The name of the bounce(8) service. This service maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

bounce_size_limit (default: 50000)

The maximal amount of original message text that is sent in a non-delivery notification. Specify a byte count. If you increase this limit, then you should increase the mime_nesting_limit value proportionally.

bounce_template_file (default: empty)

Pathname of a configuration file with bounce message templates. These override the built-in templates of delivery status notification (DSN) messages for undeliverable mail, for delayed mail, successful delivery, or delivery verification. The bounce(5) manual page describes how to edit and test template files.

Template message body text may contain $name references to Postfix configuration parameters. The result of $name expansion can be previewed with "postconf -b file_name" before the file is placed into the Postfix configuration directory.

This feature is available in Postfix 2.3 and later.

broken_sasl_auth_clients (default: no)

Enable inter-operability with SMTP clients that implement an obsolete version of the AUTH command (RFC 2554). Examples of such clients are MicroSoft Outlook Express version 4 and MicroSoft Exchange version 5.0.

Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support in a non-standard way.

canonical_classes (default: envelope_sender, envelope_recipient, header_sender, header_recipient)

What addresses are subject to canonical_maps address mapping. By default, canonical_maps address mapping is applied to envelope sender and recipient addresses, and to header sender and header recipient addresses.

Specify one or more of: envelope_sender, envelope_recipient, header_sender, header_recipient

This feature is available in Postfix 2.2 and later.

canonical_maps (default: empty)

Optional address mapping lookup tables for message headers and envelopes. The mapping is applied to both sender and recipient addresses, in both envelopes and in headers, as controlled with the canonical_classes parameter. This is typically used to clean up dirty addresses from legacy mail systems, or to replace login names by Firstname.Lastname. The table format and lookups are documented in canonical(5). For an overview of Postfix address manipulations see the ADDRESS_REWRITING_README document.

If you use this feature, run "postmap /etc/postfix/canonical" to build the necessary DBM or DB file after every change. The changes will become visible after a minute or so. Use "postfix reload" to eliminate the delay.

Note: with Postfix version 2.2, message header address mapping happens only when message header address rewriting is enabled:

To get the behavior before Postfix version 2.2, specify "local_header_rewrite_clients = static:all".

Examples:

canonical_maps = dbm:/etc/postfix/canonical
canonical_maps = hash:/etc/postfix/canonical
cleanup_service_name (default: cleanup)

The name of the cleanup(8) service. This service rewrites addresses into the standard form, and performs canonical(5) address mapping and virtual(5) aliasing.

This feature is available in Postfix 2.0 and later.

command_directory (default: see "postconf -d" output)

The location of all postfix administrative commands.

command_execution_directory (default: empty)

The local(8) delivery agent working directory for delivery to external command. Failure to change directory causes the delivery to be deferred.

The following $name expansions are done on command_execution_directory before the directory is changed. Expansion happens in the context of the delivery request. The result of $name expansion is filtered with the character set that is specified with the execution_directory_expansion_filter parameter.

$user
The recipient's username.
$shell
The recipient's login shell pathname.
$home
The recipient's home directory.
$recipient
The full recipient address.
$extension
The optional recipient address extension.
$domain
The recipient domain.
$local
The entire recipient localpart.
$recipient_delimiter
The system-wide recipient address extension delimiter.
${name?value}
Expands to value when $name is non-empty.
${name:value}
Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

This feature is available in Postfix 2.2 and later.

command_expansion_filter (default: see "postconf -d" output)

Restrict the characters that the local(8) delivery agent allows in $name expansions of $mailbox_command. Characters outside the allowed set are replaced by underscores.

command_time_limit (default: 1000s)

Time limit for delivery to external commands. This limit is used by the local(8) delivery agent, and is the default time limit for delivery by the pipe(8) delivery agent.

Note: if you set this time limit to a large value you must update the global ipc_timeout parameter as well.

config_directory (default: see "postconf -d" output)

The default location of the Postfix main.cf and master.cf configuration files. This can be overruled via the following mechanisms:

  • The MAIL_CONFIG environment variable (daemon processes and commands).

  • The "-c" command-line option (commands only).

With Postfix command that run with set-gid privileges, a config_directory override requires either root privileges, or it requires that the directory is listed with the alternate_config_directories parameter in the default main.cf file.

connection_cache_protocol_timeout (default: 5s)

Time limit for connection cache connect, send or receive operations. The time limit is enforced in the client.

This feature is available in Postfix 2.3 and later.

connection_cache_service (default: scache)

The name of the scache(8) connection cache service. This service maintains a limited pool of cached sessions.

connection_cache_status_update_time (default: 600s)

How frequently the scache(8) server logs usage statistics with connection cache hit and miss rates for logical destinations and for physical endpoints.

connection_cache_ttl_limit (default: 2s)

The maximal time-to-live value that the scache(8) connection cache server allows. Requests that specify a larger TTL will be stored with the maximum allowed TTL. The purpose of this additional control is to protect the infrastructure against careless people. The cache TTL is already bounded by $max_idle.

content_filter (default: empty)

The name of a mail delivery transport that filters mail after it is queued.

This parameter uses the same syntax as the right-hand side of a Postfix transport(5) table. This setting has a lower precedence than a content filter that is specified with an access(5) table or in a header_checks(5) or body_checks(5) table.

daemon_directory (default: see "postconf -d" output)

The directory with Postfix support programs and daemon programs. These should not be invoked directly by humans. The directory must be owned by root.

daemon_timeout (default: 18000s)

How much time a Postfix daemon process may take to handle a request before it is terminated by a built-in watchdog timer.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

debug_peer_level (default: 2)

The increment in verbose logging level when a remote client or server matches a pattern in the debug_peer_list parameter.

debug_peer_list (default: empty)

Optional list of remote client or server hostname or network address patterns that cause the verbose logging level to increase by the amount specified in $debug_peer_level.

Specify domain names, network/netmask patterns, "/file/name" patterns or "type:table" lookup tables. The right-hand side result from "type:table" lookups is ignored.

Pattern matching of domain names is controlled by the parent_domain_matches_subdomains parameter.

Examples:

debug_peer_list = 127.0.0.1
debug_peer_list = some.domain
debugger_command (default: empty)

The external command to execute when a Postfix daemon program is invoked with the -D option.

Use "command .. & sleep 5" so that the debugger can attach before the process marches on. If you use an X-based debugger, be sure to set up your XAUTHORITY environment variable before starting Postfix.

Example:

debugger_command =
    PATH=/usr/bin:/usr/X11R6/bin
    xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_database_type (default: see "postconf -d" output)

The default database type for use in newaliases(1), postalias(1) and postmap(1) commands. On many UNIX systems the default type is either dbm or hash. The default setting is frozen when the Postfix system is built.

Examples:

default_database_type = hash
default_database_type = dbm
default_delivery_slot_cost (default: 5)

How often the Postfix queue manager's scheduler is allowed to preempt delivery of one message with another.

Each transport maintains a so-called "available delivery slot counter" for each message. One message can be preempted by another one when the other message can be delivered using no more delivery slots (i.e., invocations of delivery agents) than the current message counter has accumulated (or will eventually accumulate - see about slot loans below). This parameter controls how often is the counter incremented - it happens after each default_delivery_slot_cost recipients have been delivered.

The cost of 0 is used to disable the preempting scheduling completely. The minimum value the scheduling algorithm can use is 2 - use it if you want to maximize the message throughput rate. Although there is no maximum, it doesn't make much sense to use values above say 50.

The only reason why the value of 2 is not the default is the way this parameter affects the delivery of mailing-list mail. In the worst case, their delivery can take somewhere between (cost+1/cost) and (cost/cost-1) times more than if the preemptive scheduler was disabled. The default value of 5 turns out to provide reasonable message response times while making sure the mailing-list deliveries are not extended by more than 20-25 percent even in the worst case.

Examples:

default_delivery_slot_cost = 0
default_delivery_slot_cost = 2
default_delivery_slot_discount (default: 50)

The default value for transport-specific _delivery_slot_discount settings.

This parameter speeds up the moment when a message preemption can happen. Instead of waiting until the full amount of delivery slots required is available, the preemption can happen when transport_delivery_slot_discount percent of the required amount plus transport_delivery_slot_loan still remains to be accumulated. Note that the full amount will still have to be accumulated before another preemption can take place later.

default_delivery_slot_loan (default: 3)

The default value for transport-specific _delivery_slot_loan settings.

This parameter speeds up the moment when a message preemption can happen. Instead of waiting until the full amount of delivery slots required is available, the preemption can happen when transport_delivery_slot_discount percent of the required amount plus transport_delivery_slot_loan still remains to be accumulated. Note that the full amount will still have to be accumulated before another preemption can take place later.

default_destination_concurrency_limit (default: 20)

The default maximal number of parallel deliveries to the same destination. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.

default_destination_recipient_limit (default: 50)

The default maximal number of recipients per message delivery. This is the default limit for delivery via the lmtp(8), pipe(8), smtp(8) and virtual(8) delivery agents.

Setting this parameter to a value of 1 changes the meaning of the corresponding per-destination concurrency limit from concurrency per domain into concurrency per recipient.

default_extra_recipient_limit (default: 1000)

The default value for the extra per-transport limit imposed on the number of in-memory recipients. This extra recipient space is reserved for the cases when the Postfix queue manager's scheduler preempts one message with another and suddenly needs some extra recipients slots for the chosen message in order to avoid performance degradation.

default_minimum_delivery_slots (default: 3)

How many recipients a message must have in order to invoke the Postfix queue manager's scheduling algorithm at all. Messages which would never accumulate at least this many delivery slots (subject to slot cost parameter as well) are never preempted.

default_privs (default: nobody)

The default rights used by the local(8) delivery agent for delivery to external file or command. These rights are used when delivery is requested from an aliases(5) file that is owned by root, or when delivery is done on behalf of root. DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.

default_process_limit (default: 100)

The default maximal number of Postfix child processes that provide a given service. This limit can be overruled for specific services in the master.cf file.

default_rbl_reply (default: see "postconf -d" output)

The default SMTP server response template for a request that is rejected by an RBL-based restriction. This template can be overruled by specific entries in the optional rbl_reply_maps lookup table.

This feature is available in Postfix 2.0 and later.

The template is subject to exactly one level of $name substitution:

$client
The client hostname and IP address, formatted as name[address].
$client_address
The client IP address.
$client_name
The client hostname or "unknown". See reject_unknown_client_hostname for more details.
$reverse_client_name
The client hostname from address->name lookup, or "unknown". See reject_unknown_reverse_client_hostname for more details.
$helo_name
The hostname given in HELO or EHLO command or empty string.
$rbl_class
The blacklisted entity type: Client host, Helo command, Sender address, or Recipient address.
$rbl_code
The numerical SMTP response code, as specified with the maps_rbl_reject_code configuration parameter. Note: The numerical SMTP response code is required, and must appear at the start of the reply. With Postfix version 2.3 and later this information may be followed by an RFC 3463 enhanced status code.
$rbl_domain
The RBL domain where $rbl_what is blacklisted.
$rbl_reason
The reason why $rbl_what is blacklisted, or an empty string.
$rbl_what
The entity that is blacklisted (an IP address, a hostname, a domain name, or an email address whose domain was blacklisted).
$recipient
The recipient address or <> in case of the null address.
$recipient_domain
The recipient domain or empty string.
$recipient_name
The recipient address localpart or <> in case of null address.
$sender
The sender address or <> in case of the null address.
$sender_domain
The sender domain or empty string.
$sender_name
The sender address localpart or <> in case of the null address.
${name?text}
Expands to `text' if $name is not empty.
${name:text}
Expands to `text' if $name is empty.

Instead of $name you can also specify ${name} or $(name).

Note: when an enhanced status code is specified in an RBL reply template, it is subject to modification. The following transformations are needed when the same RBL reply template is used for client, helo, sender, or recipient access restrictions.

  • When rejecting a sender address, the Postfix SMTP server will transform a recipient DSN status (e.g., 4.1.1-4.1.6) into the corresponding sender DSN status, and vice versa.

  • When rejecting non-address information (such as the HELO command argument or the client hostname/address), the Postfix SMTP server will transform a sender or recipient DSN status into a generic non-address DSN status (e.g., 4.0.0).

default_recipient_limit (default: 10000)

The default per-transport upper limit on the number of in-memory recipients. These limits take priority over the global qmgr_message_recipient_limit after the message has been assigned to the respective transports. See also default_extra_recipient_limit and qmgr_message_recipient_minimum.

default_transport (default: smtp)

The default mail delivery transport and next-hop destination for destinations that do not match $mydestination, $inet_interfaces, $proxy_interfaces, $virtual_alias_domains, $virtual_mailbox_domains, or $relay_domains. In order of decreasing precedence, the nexthop destination is taken from $default_transport, $sender_dependent_relayhost_maps, $relayhost, or from the recipient domain. This information can be overruled with the transport(5) table.

Specify a string of the form transport:nexthop, where transport is the name of a mail delivery transport defined in master.cf. The :nexthop part is optional. For more details see the transport(5) manual page.

Example:

default_transport = uucp:relayhostname
default_verp_delimiters (default: +=)

The two default VERP delimiter characters. These are used when no explicit delimiters are specified with the SMTP XVERP command or with the "sendmail -V" command-line option. Specify characters that are allowed by the verp_delimiter_filter setting.

This feature is available in Postfix 1.1 and later.

defer_code (default: 450)

The numerical Postfix SMTP server response code when a remote SMTP client request is rejected by the "defer" restriction.

Do not change this unless you have a complete understanding of RFC 821.

defer_service_name (default: defer)

The name of the defer service. This service is implemented by the bounce(8) daemon and maintains a record of failed delivery attempts and generates non-delivery notifications.

This feature is available in Postfix 2.0 and later.

defer_transports (default: empty)

The names of message delivery transports that should not deliver mail unless someone issues "sendmail -q" or equivalent. Specify zero or more names of mail delivery transports names that appear in the first field of master.cf.

Example:

defer_transports = smtp
delay_logging_resolution_limit (default: 2)

The maximal number of digits after the decimal point when logging sub-second delay values. Specify a number in the range 0..6.

Large delay values are rounded off to an integral number seconds; delay values below the delay_logging_resolution_limit are logged as "0", and small delay values are logged with at most two-digit precision.

The format of the "delays=a/b/c/d" logging is as follows:

  • a = time before the queue manager, including message transmission
  • b = time in queue manager
  • c = time in connection setup, including DNS, EHLO and TLS
  • d = time in message transmission

This feature is available in Postfix 2.3 and later.

delay_notice_recipient (default: postmaster)

The recipient of postmaster notifications with the message headers of mail that cannot be delivered within $delay_warning_time time units.

This feature is enabled with the delay_warning_time parameter.

delay_warning_time (default: 0h)

The time after which the sender receives the message headers of mail that is still queued.

To enable this feature, specify a non-zero time value (an integral value plus an optional one-letter suffix that specifies the time unit).

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is h (hours).

deliver_lock_attempts (default: 20)

The maximal number of attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.

deliver_lock_delay (default: 1s)

The time between attempts to acquire an exclusive lock on a mailbox file or bounce(8) logfile.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

disable_dns_lookups (default: no)

Disable DNS lookups in the Postfix SMTP and LMTP clients. When disabled, hosts are looked up with the gethostbyname() system library routine which normally also looks in /etc/hosts.

DNS lookups are enabled by default.

disable_mime_input_processing (default: no)

Turn off MIME processing while receiving mail. This means that no special treatment is given to Content-Type: message headers, and that all text after the initial message headers is considered to be part of the message body.

This feature is available in Postfix 2.0 and later.

Mime input processing is enabled by default, and is needed in order to recognize MIME headers in message content.

disable_mime_output_conversion (default: no)

Disable the conversion of 8BITMIME format to 7BIT format. Mime output conversion is needed when the destination does not advertise 8BITMIME support.

This feature is available in Postfix 2.0 and later.

disable_verp_bounces (default: no)

Disable sending one bounce report per recipient.

The default, one per recipient, is what ezmlm needs.

This feature is available in Postfix 1.1 and later.

disable_vrfy_command (default: no)

Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

Example:

disable_vrfy_command = no
dont_remove (default: 0)

Don't remove queue files and save them to the "saved" mail queue. This is a debugging aid. To inspect the envelope information and content of a Postfix queue file, use the postcat(1) command.

double_bounce_sender (default: double-bounce)

The sender address of postmaster notifications that are generated by the mail system. All mail to this address is silently discarded, in order to terminate mail bounce loops.

duplicate_filter_limit (default: 1000)

The maximal number of addresses remembered by the address duplicate filter for aliases(5) or virtual(5) alias expansion, or for showq(8) queue displays.

empty_address_recipient (default: MAILER-DAEMON)

The recipient of mail addressed to the null address. Postfix does not accept such addresses in SMTP commands, but they may still be created locally as the result of configuration or software error.

enable_errors_to (default: no)

Report mail delivery errors to the address specified with the non-standard Errors-To: message header, instead of the envelope sender address (this feature is removed with Postfix version 2.2, is turned off by default with Postfix version 2.1, and is always turned on with older Postfix versions).

enable_original_recipient (default: yes)

Enable support for the X-Original-To message header. This header is needed for multi-recipient mailboxes.

When this parameter is set to yes, the cleanup(8) daemon performs duplicate elimination on distinct pairs of (original recipient, rewritten recipient), and generates non-empty original recipient queue file records.

When this parameter is set to no, the cleanup(8) daemon performs duplicate elimination on the rewritten recipient address only, and generates empty original recipient queue file records.

This feature is available in Postfix 2.1 and later. With Postfix version 2.0, support for the X-Original-To message header is always turned on. Postfix versions before 2.0 have no support for the X-Original-To message header.

error_notice_recipient (default: postmaster)

The recipient of postmaster notifications about mail delivery problems that are caused by policy, resource, software or protocol errors. These notifications are enabled with the notify_classes parameter.

error_service_name (default: error)

The name of the error(8) pseudo delivery agent. This service always returns mail as undeliverable.

This feature is available in Postfix 2.0 and later.

execution_directory_expansion_filter (default: see "postconf -d" output)

Restrict the characters that the local(8) delivery agent allows in $name expansions of $command_execution_directory. Characters outside the allowed set are replaced by underscores.

This feature is available in Postfix 2.2 and later.

expand_owner_alias (default: no)

When delivering to an alias "aliasname" that has an "owner-aliasname" companion alias, set the envelope sender address to the expansion of the "owner-aliasname" alias. Normally, Postfix sets the envelope sender address to the name of the "owner-aliasname" alias.

export_environment (default: see "postconf -d" output)

The list of environment variables that a Postfix process will export to non-Postfix processes. The TZ variable is needed for sane time keeping on System-V-ish systems.

Specify a list of names and/or name=value pairs, separated by whitespace or comma. The name=value form is supported with Postfix version 2.1 and later.

Example:

export_environment = TZ PATH=/bin:/usr/bin
extract_recipient_limit (default: 10240)

The maximal number of recipient addresses that Postfix will extract from message headers when mail is submitted with "sendmail -t".

This feature was removed in Postfix version 2.1.

fallback_relay (default: empty)

Optional list of relay hosts for SMTP destinations that can't be found or that are unreachable. With Postfix 2.3 this parameter is renamed to smtp_fallback_relay.

By default, mail is returned to the sender when a destination is not found, and delivery is deferred when a destination is unreachable.

The fallback relays must be SMTP destinations. Specify a domain, host, host:port, [host]:port, [address] or [address]:port; the form [host] turns off MX lookups. If you specify multiple SMTP destinations, Postfix will try them in the specified order.

Note: before Postfix 2.2, do not use the fallback_relay feature when relaying mail for a backup or primary MX domain. Mail would loop between the Postfix MX host and the fallback_relay host when the final destination is unavailable.

  • In main.cf specify "relay_transport = relay",
  • In master.cf specify "-o fallback_relay =" (i.e., empty) at the end of the relay entry.
  • In transport maps, specify "relay:nexthop..." as the right-hand side for backup or primary MX domain entries.

Postfix version 2.2 and later will not use the fallback_relay feature for destinations that it is MX host for.

fallback_transport (default: empty)

Optional message delivery transport that the local(8) delivery agent should use for names that are not found in the aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

fallback_transport_maps (default: empty)

Optional lookup tables with per-recipient message delivery transports for recipients that the local(8) delivery agent could not find in the aliases(5) or UNIX password database.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

For safety reasons, this feature does not allow $number substitutions in regular expression maps.

This feature is available in Postfix 2.3 and later.

fast_flush_domains (default: $relay_domains)

Optional list of destinations that are eligible for per-destination logfiles with mail that is queued to those destinations.

By default, Postfix maintains "fast flush" logfiles only for destinations that the Postfix SMTP server is willing to relay to (i.e. the default is: "fast_flush_domains = $relay_domains"; see the relay_domains parameter in the postconf(5) manual).

Specify a list of hosts or domains, "/file/name" patterns or "type:table" lookup tables, separated by commas and/or whitespace. Continue long lines by starting the next line with whitespace. A "/file/name" pattern is replaced by its contents; a "type:table" lookup table is matched when the domain or its parent domain appears as lookup key.

Specify "fast_flush_domains =" (i.e., empty) to disable the feature altogether.

fast_flush_purge_time (default: 7d)

The time after which an empty per-destination "fast flush" logfile is deleted.

You can specify the time as a number, or as a number followed by a letter that indicates the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit is days.

fast_flush_refresh_time (default: 12h)

The time after which a non-empty but unread per-destination "fast flush" logfile needs to be refreshed. The contents of a logfile are refreshed by requesting delivery of all messages listed in the logfile.

You can specify the time as a number, or as a number followed by a letter that indicates the time unit: s=seconds, m=minutes, h=hours, d=days, w=weeks. The default time unit is hours.

fault_injection_code (default: 0)

Force specific internal tests to fail, to test the handling of errors that are difficult to reproduce otherwise.

flush_service_name (default: flush)

The name of the flush(8) service. This service maintains per-destination logfiles with the queue file names of mail that is queued for those destinations.

This feature is available in Postfix 2.0 and later.

fork_attempts (default: 5)

The maximal number of attempts to fork() a child process.

fork_delay (default: 1s)

The delay between attempts to fork() a child process.

Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is s (seconds).

forward_expansion_filter (default: see "postconf -d" output)

Restrict the characters that the local(8) delivery agent allows in $name expansions of $forward_path. Characters outside the allowed set are replaced by underscores.

forward_path (default: see "postconf -d" output)

The local(8) delivery agent search list for finding a .forward file with user-specified delivery methods. The first file that is found is used.

The following $name expansions are done on forward_path before the search actually happens. The result of $name expansion is filtered with the character set that is specified with the forward_expansion_filter parameter.

$user
The recipient's username.
$shell
The recipient's login shell pathname.
$home
The recipient's home directory.
$recipient
The full recipient address.
$extension
The optional recipient address extension.
$domain
The recipient domain.
$local
The entire recipient localpart.
$recipient_delimiter
The system-wide recipient address extension delimiter.
${name?value}
Expands to value when $name is non-empty.
${name:value}
Expands to value when $name is empty.

Instead of $name you can also specify ${name} or $(name).

Examples:

forward_path = /var/forward/$user
forward_path =
    /var/forward/$user/.forward$recipient_delimiter$extension,
    /var/forward/$user/.forward
frozen_delivered_to (default: yes)

Update the local(8) delivery agent's idea of the Delivered-To: address (see prepend_delivered_header) only once, at the start of a delivery attempt; do not update the Delivered-To: address while expanding aliases or .forward files.

This feature is available in Postfix 2.3 and later. With older Postfix releases, the behavior is as if this parameter is set to "no". The old setting can be expensive with deeply nested aliases or .forward files. When an alias or .forward file changes the Delivered-To: address, it ties up one queue file and one cleanup process instance while mail is being forwarded.

hash_queue_depth (default: 1)

The number of subdirectory levels for queue directories listed with the hash_queue_names parameter.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".

hash_queue_names (default: deferred, defer)

The names of queue directories that are split across multiple subdirectory levels.

Before Postfix version 2.2, the default list of hashed queues was significantly larger. Claims about improvements in file system technology suggest that hashing of the incoming and active queues is no longer needed. Fewer hashed directories speed up the time needed to restart Postfix.

After changing the hash_queue_names or hash_queue_depth parameter, execute the command "postfix reload".

header_address_token_limit (default: 10240)

The maximal number of address tokens are allowed in an address message header. Information that exceeds the limit is discarded. The limit is enforced by the cleanup(8) server.

header_checks (default: empty)

Optional lookup tables for content inspection of primary non-MIME message headers, as specified in the header_checks(5) manual page.

header_size_limit (default: 102400)

The maximal amount of memory in bytes for storing a message header. If a header is larger, the excess is discarded. The limit is enforced by the cleanup(8) server.

helpful_warnings (default: yes)

Log warnings about problematic configuration settings, and provide helpful suggestions.

This feature is available in Postfix 2.0 and later.

home_mailbox (default: empty)

Optional pathname of a mailbox file relative to a local(8) user's home directory.

Specify a pathname ending in "/" for qmail-style delivery.

The precedence of local(8) delivery features from high to low is: aliases, .forward files, mailbox_transport_maps, mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox, mail_spool_directory, fallback_transport_maps, fallback_transport and luser_relay.

Examples:

home_mailbox = Mailbox
home_mailbox = Maildir/
hopcount_limit (default: 50)

The maximal number of Received: message headers that is allowed in the primary message headers. A message that exceeds the limit is bounced, in order to stop a mailer loop.

html_directory (default: see "postconf -d" output)

The location of Postfix HTML files that describe how to build, configure or operate a specific Postfix subsystem or feature.

ignore_mx_lookup_error (default: no)

Ignore DNS MX lookups that produce no response. By default, the Postfix SMTP client defers delivery and tries again after some delay. This behavior is required by the SMTP standard.

Specify "ignore_mx_lookup_error = yes" to force a DNS A record lookup instead. This violates the SMTP standard and can result in mis-delivery of mail.

import_environment (default: see "postconf -d" output)

The list of environment parameters that a Postfix process will import from a non-Postfix parent process. Examples of relevant parameters:

TZ
Needed for sane time keeping on most System-V-ish systems.
DISPLAY
Needed for debugging Postfix daemons with an X-windows debugger.
XAUTHORITY
Needed for debugging Postfix daemons with an X-windows debugger.
MAIL_CONFIG
Needed to make "postfix -c" work.

Specify a list of names and/or name=value pairs, separated by whitespace or comma. The name=value form is supported with Postfix version 2.1 and later.

in_flow_delay (default: 1s)

Time to pause before accepting a new message, when the message arrival rate exceeds the message delivery rate. This feature is turned on by default (it's disabled on SCO UNIX due to an SCO bug).

With the default 100 SMTP server process limit, "in_flow_delay = 1s" limits the mail inflow to 100 messages per second above the number of messages delivered per second.

Specify 0 to disable the feature. Valid delays are 0..10.

inet_interfaces (default: all)

The network interface addresses that this mail system receives mail on. Specify "all" to receive mail on all network interfaces (default), and "loopback-only" to receive mail on loopback network interfaces only (Postfix version 2.2 and later). The parameter also controls delivery of mail to [email protected][ip.address].

Note 1: you need to stop and start Postfix when this parameter changes.

Note 2: address information may be enclosed inside [], but this form is not recommended here.

When inet_interfaces specifies just one IPv4 and/or IPv6 address that is not a loopback address, the Postfix SMTP client will use this address as the IP source address for outbound mail. Support for IPv6 is available in Postfix version 2.2 and later.

On a multi-homed firewall with separate Postfix instances listening on the "inside" and "outside" interfaces, this can prevent each instance from being able to reach servers on the "other side" of the firewall. Setting smtp_bind_address to 0.0.0.0 avoids the potential problem for IPv4, and setting smtp_bind_address6 to :: solves the problem for IPv6.

A better solution for multi-homed firewalls is to leave inet_interfaces at the default value and instead use explicit IP addresses in the master.cf SMTP server definitions. This preserves the Postfix SMTP client's loop detection, by ensuring that each side of the firewall knows that the other IP address is still the same host. Setting $inet_interfaces to a single IPv4 and/or IPV6 address is primarily useful with virtual hosting of domains on secondary IP addresses, when each IP address serves a different domain (and has a different $myhostname setting).

See also the proxy_interfaces parameter, for network addresses that are forwarded to Postfix by way of a proxy or address translator.

Examples:

inet_interfaces = all (DEFAULT)
inet_interfaces = loopback-only (Postfix version 2.2 and later)
inet_interfaces = 127.0.0.1
inet_interfaces = 127.0.0.1, [::1] (Postfix version 2.2 and later)
inet_interfaces = 192.168.1.2, 127.0.0.1
inet_protocols (default: ipv4)

The Internet protocols Postfix will attempt to use when making or accepting connections. Specify one or more of "ipv4" or "ipv6", separated by whitespace or commas. The form "all" is equivalent to "ipv4, ipv6" or "ipv4", depending on whether the operating system implements IPv6.

This feature is available in Postfix 2.2 and later.

Note: you MUST stop and start Postfix after changing this parameter.

On systems that pre-date IPV6_V6ONLY support (RFC 3493), an IPv6 server will also accept IPv4 connections, even when IPv4 is turned off with the inet_protocols parameter. On systems with IPV6_V6ONLY support, Postfix will use separate server sockets for IPv6 and IPv4, and each will accept only connections for the corresponding protocol.

When IPv4 support is enabled via the inet_protocols parameter, Postfix will to DNS type A record lookups, and will convert IPv4-in-IPv6 client IP addresses (::ffff:1.2.3.4) to their original IPv4 form (1.2.3.4). The latter is needed on hosts that pre-date IPV6_V6ONLY support (RFC 3493).

When IPv6 support is enabled via the inet_protocols parameter, Postfix will do DNS type AAAA record lookups.

When both IPv4 and IPv6 support are enabled, the Postfix SMTP client will attempt to connect via IPv6 before attempting to use IPv4.

Examples:

inet_protocols = ipv4 (DEFAULT)
inet_protocols = all
inet_protocols = ipv6
inet_protocols = ipv4, ipv6
initial_destination_concurrency (default: 5)