smtpd - Postfix SMTP server
smtpd [generic Postfix daemon options]
The SMTP server accepts network connection requests and performs zero or more SMTP transactions
per connection. Each received message is piped through the cleanup(8) daemon, and
is placed into the incoming queue as one single queue file. For this mode of operation,
the program expects to be run from the master(8) process manager.
Alternatively, the SMTP server takes an established connection on standard input and
deposits messages directly into the maildrop queue. In this so-called stand-alone mode,
the SMTP server can accept mail even while the mail system is not running.
The SMTP server implements a variety of policies for connection requests, and for parameters
given to HELO, ETRN, MAIL FROM, VRFY and RCPT TO commands. They are detailed below
and in the main.cf configuration file.
The SMTP server is moderately security-sensitive. It talks to SMTP clients and to DNS
servers on the network. The SMTP server can be run chrooted at fixed low privilege.
RFC 821 (SMTP protocol)
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
RFC 1854 (SMTP Pipelining)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
Problems and transactions are logged to syslogd(8).
Depending on the setting of the notify_classes parameter, the postmaster is notified of
bounces, protocol problems, policy violations, and of other trouble.
The following main.cf parameters are especially relevant to this program. See the Postfix
main.cf file for syntax details and for default values. Use the postfix reload command
after a configuration change.
Disallow non-RFC 821 style addresses in SMTP commands. For example, the
RFC822-style address forms with comments that Sendmail allows.
Support older Microsoft clients that mis-implement the AUTH protocol, and that
expect an EHLO response of "250 AUTH=list" instead of "250 AUTH list".
List of commands that are treated as NOOP (no operation) commands, without any
parameter syntax checking and without any state change. This list overrides
built-in command definitions.
Content inspection controls
The name of a mail delivery transport that filters mail and that either bounces
mail or re-injects the result back into Postfix. This parameter uses the same
syntax as the right-hand side of a Postfix transport table.
Enable per-session authentication as per RFC 2554 (SASL). This functionality is
available only when explicitly selected at program build time and explicitly
enabled at runtime.
The name of the local authentication realm.
Zero or more of the following.
Disallow authentication methods that use plaintext passwords.
Disallow authentication methods that are vulnerable to non-dictionary active
Disallow authentication methods that are vulnerable to passive dictionary
Disallow anonymous logins.
Maps that specify the SASL login name that owns a MAIL FROM sender address. Used by
the reject_sender_login_mismatch sender anti-spoofing restriction.
Address to send a copy of each message that enters the system.
Location of Postfix support commands (default: $program_directory).
Increment in verbose logging level when a remote host matches a pattern in the
List of domain or network patterns. When a remote host matches a pattern, increase
the verbose logging level by the amount specified in the debug_peer_level parame-
The default VERP delimiter characters that are used when the XVERP command is
specified without explicit delimiters.
Recipient of protocol/policy/resource/software error notices.
Limit the number of Received: message headers.
List of maps with user names that are local to $myorigin or $inet_interfaces. If
this parameter is defined, then the SMTP server rejects mail for unknown local
List of error classes. Of special interest are:
policy When a client violates any policy, mail a transcript of the entire SMTP
session to the postmaster.
When a client violates the SMTP protocol or issues an unimplemented command,
mail a transcript of the entire SMTP session to the postmaster.
Text that follows the 220 status code in the SMTP greeting banner.
Restrict the number of recipients that the SMTP server accepts per message deliv-
Limit the time to send a server response and to receive a client request.
Change hard (5xx) reject responses into soft (4xx) reject responses. This can be
useful for testing purposes.
The characters that Postfix accepts as VERP delimiter characters.
Limit the amount of memory in bytes used for the handling of partial input lines.
Limit the total size in bytes of a message, including on-disk storage for envelope
Minimal amount of free space in bytes in the queue file system for the SMTP server
to accept any mail at all.
Flush the command history to postmaster after receipt of RSET etc. only if the
number of history lines exceeds the given threshold.
Time to wait in seconds before sending a 4xx or 5xx server error response.
When an SMTP client has made this number of errors, wait error_count seconds before
responding to any client request.
Disconnect after a client has made this number of errors.
Limit the number of times a client can issue a junk command such as NOOP, VRFY,
ETRN or RSET in one SMTP session before it is penalized with tarpit delays.
UCE control restrictions
List of Postfix features that use domain.tld patterns to match sub.domain.tld (as
opposed to requiring .domain.tld patterns).
Restrict what clients may connect to this mail system.
Require that clients introduce themselves at the beginning of an SMTP session.
Restrict what client hostnames are allowed in HELO and EHLO commands.
Restrict what sender addresses are allowed in MAIL FROM commands.
Restrict what recipient addresses are allowed in RCPT TO commands.
Restrict what domain names can be used in ETRN commands, and what clients may issue
Allow untrusted clients to specify addresses with sender-specified routing.
Enabling this opens up nasty relay loopholes involving trusted backup MX hosts.
Declares the name of zero or more parameters that contain a list of UCE
restrictions. The names of these parameters can then be used instead of the restriction
lists that they represent.
The lookup key to be used in SMTPD access tables instead of the null sender
address. A null sender address cannot be looked up.
List of DNS domains that publish the addresses of blacklisted hosts.
Only domains whose primary MX hosts match the listed networks are eligible for the
Restrict what domains or networks this mail system will relay mail from or to.
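An added example, not part of the Postfix distribution: a small auditor that parses main.cf text and checks the SASL security options, the reject_sender_login_mismatch anti-spoofing restriction and the sender-specified routing setting described above. The parameter names used (smtpd_sasl_auth_enable, smtpd_sasl_security_options, smtpd_sender_login_maps, allow_untrusted_routing) are the standard Postfix main.cf names, which this copy of the page does not show next to their descriptions; the sample configuration is constructed, and an unset option list is assumed to mean the default noanonymous.

```python
import re

def parse_main_cf(text):
    """Parse main.cf text into {name: value}; the last definition of a name wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored
        if raw[0].isspace():  # leading whitespace continues the logical line
            if name is not None:
                params[name] += " " + raw.strip()
            continue
        key, sep, value = raw.partition("=")
        name = (key.strip() or None) if sep else None
        if name:
            params[name] = value.strip()
    return params

def as_list(value):  # list values are split on commas and/or whitespace
    return [item for item in re.split(r"[,\s]+", value or "") if item]

def audit(text):
    """Return findings for the SASL, anti-spoofing and routing settings."""
    p, findings = parse_main_cf(text), []
    if p.get("smtpd_sasl_auth_enable", "no").lower() == "yes":
        # Assumption: an unset option list means the Postfix default, noanonymous.
        opts = as_list(p.get("smtpd_sasl_security_options", "noanonymous"))
        if "noanonymous" not in opts:
            findings.append("sasl: anonymous logins are not disallowed")
        if "noplaintext" not in opts:
            findings.append("sasl: plaintext password methods are not disallowed")
    uses_mismatch = any("reject_sender_login_mismatch" in as_list(v) for v in p.values())
    if uses_mismatch and not p.get("smtpd_sender_login_maps"):
        findings.append("spoofing: reject_sender_login_mismatch has no login maps")
    if p.get("allow_untrusted_routing", "no").lower() == "yes":
        findings.append("relay: sender-specified routing allowed for untrusted clients")
    return findings

# Constructed sample configuration, not taken from a real system.
SAMPLE = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_sender_restrictions =
    reject_sender_login_mismatch,
    permit
allow_untrusted_routing = yes
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The restriction name is searched for in every parameter value, so it is also found when it sits in a named restriction list rather than directly in a sender restriction.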
UCE control responses
Server response when a client violates an access database restriction.
Server response when a client violates the reject_invalid_hostname restriction.
Server response when a client violates the maps_rbl_domains restriction.
Response code when the client matches a reject restriction.
Server response when a client attempts to violate the mail relay policy.
Server response when a client violates the reject_unknown_address restriction.
Server response when a client without address to name mapping violates the
Server response when a client violates the reject_unknown_hostname restriction.
cleanup(8) message canonicalization
master(8) process manager
syslogd(8) system logging
The Secure Mailer license must be distributed with this software.
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA