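# DO NOT EDIT THIS FILE. EDIT THE MAIN.CF FILE INSTEAD. THE STUFF
# HERE JUST SERVES AS AN EXAMPLE.
#
# This file contains example settings of Postfix configuration parameters
# that control the SMTP server program.
#
# Format note: one parameter per line. A "#" starts a comment only at
# the beginning of a line; anything after the "=" is part of the value.
# A line that starts with whitespace continues the previous line.

# REJECTING MAIL FOR UNKNOWN LOCAL USERS
#
# The local_recipient_maps parameter specifies optional lookup tables
# with all names or addresses of users that are local with respect
# to $mydestination and $inet_interfaces.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown local users. This parameter is defined by default.
#
# To turn off local recipient checking in the SMTP server, specify
# local_recipient_maps = (i.e. empty).
#
# With an empty setting the SMTP server accepts mail for any local-part
# and the message is bounced after the fact. Those bounces go to the
# (possibly forged) sender address, so an Internet-facing server should
# keep this parameter defined.
#
# The default setting assumes that you use the default Postfix local
# delivery agent for local delivery. You need to update the
# local_recipient_maps setting if:
#
# - You define $mydestination domain recipients in files other than
#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
#   For example, you define $mydestination domain recipients in
#   the $virtual_mailbox_maps files.
#
# - You redefine the local delivery agent in master.cf.
#
# - You redefine the "local_transport" setting in main.cf.
#
# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
#   feature of the Postfix local delivery agent (see sample-local.cf).
#
# Details are described in the LOCAL_RECIPIENT_README file.
#
# Beware: if the Postfix SMTP server runs chrooted, you probably have
# to access the passwd file via the proxymap service, in order to
# overcome chroot restrictions. The alternative, having a copy of
# the system passwd file in the chroot jail is just not practical.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify a bare username, an @domain.tld
# wild-card, or specify a user@domain.tld address.
#
#local_recipient_maps =
#local_recipient_maps = unix:passwd.byname $alias_maps
local_recipient_maps = proxy:unix:passwd.byname $alias_maps

# The unknown_local_recipient_reject_code specifies the SMTP server
# response code when a recipient domain matches $mydestination or
# $inet_interfaces, while $local_recipient_maps is non-empty and the
# recipient address or address local-part is not found.
#
# The default setting is 550 (reject mail) but it is safer to start
# with 450 (try again later) until you are certain that your
# local_recipient_maps settings are OK.
#
#unknown_local_recipient_reject_code = 450
unknown_local_recipient_reject_code = 550

# REJECTING UNKNOWN RELAY USERS
#
# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail for unknown relay users. This feature is off by default.
#
# The right-hand side of the lookup tables is conveniently ignored.
# In the left-hand side, specify an @domain.tld wild-card, or specify
# a user@domain.tld address.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

#
# SENDER ANTI-SPOOFING
#
# The smtpd_sender_login_maps parameter specifies the (SASL) login
# name that owns a sender (MAIL FROM) address.
#
# As described under smtpd_sender_restrictions below, these maps are
# used by the reject_sender_login_mismatch restriction. Defining the
# maps without listing that restriction does not reject anything.
#
# Specify zero or more maptype:mapname entries. Maps are created with
# postmap(1) or with equivalent means. The maps are searched in the
# specified order. Regexp tables are allowed.
#
# Each map entry specifies a sender address and the login name that
# owns the address. The search order is:
#
# 1) user@domain owner
#
#    This form has the highest precedence.
#
# 2) user owner
#
#    This matches user@site when site is equal to $myorigin, when site
#    is listed in $mydestination, or when it is listed in $inet_interfaces.
#
# 3) @domain owner
#
#    This matches every address in the specified domain, and has the
#    lowest precedence.
#
#smtpd_sender_login_maps =

#
# MISCELLANEOUS
#
# The disable_vrfy_command parameter allows you to disable the SMTP
# VRFY command. This stops some techniques used by spammers to harvest
# email addresses.
#
# The value shown below (no) leaves VRFY enabled; specify yes to turn
# the command off.
#
#disable_vrfy_command = no

# The smtpd_banner parameter specifies the text that follows the 220
# status code in the SMTP greeting banner. Some people like to see
# the mail version advertised. By default, Postfix shows no version.
#
# You MUST specify the $myhostname at the start of the text.
#
#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_banner = $myhostname ESMTP $mail_name

# The smtpd_etrn_restrictions parameter restricts what clients are
# allowed to issue the ETRN command.
#
# The Postfix ETRN command accepts only destinations that are eligible
# for the Postfix "fast flush" service. See the sample-flush.cf file
# for details.
#
# The default is to allow ETRN from any host. The following restrictions
# are available:
#
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   check_client_access maptype:mapname
#        look up client name, parent domains, client address,
#        or networks obtained by stripping octets.
#        Skip this lookup table if the result is DUNNO.
#        Reject the ETRN command if the result is REJECT text... or "[45]xx text"
#        Permit the ETRN command if the result is OK or all numerical.
#   reject_rbl_client domain.tld: reject if the reverse client network
#        address is listed in an A record under domain.tld.
#   reject_rhsbl_client domain.tld: reject if the client hostname is listed
#        in an A record under domain.tld.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#   warn_if_reject: next restriction logs a warning instead of rejecting.
#
# You may also list any helo or client restrictions here (see below).
#
# With the empty setting below, any client may issue ETRN. To limit the
# command to trusted clients, end the list with reject, for example:
# permit_mynetworks, reject
#
smtpd_etrn_restrictions =

# The smtpd_history_flush_threshold specifies how many lines the SMTP
# server command history is allowed to contain before it is flushed
# to postmaster upon receipt of EHLO, RSET, or end of DATA.
#
smtpd_history_flush_threshold = 100

# The smtpd_noop_commands parameter specifies a list of commands that
# the Postfix SMTP server replies to with "250 Ok", without doing any
# syntax checks and without changing state. This list overrides any
# commands built into the Postfix SMTP server.
#
smtpd_noop_commands =

# The smtpd_recipient_limit parameter restricts the number of recipients
# that the SMTP server accepts per message delivery.
#
smtpd_recipient_limit = 1000

# The smtpd_timeout parameter limits the time to send an SMTP server
# response and to receive an SMTP client request.
#
# Note: if you set SMTP timeouts to large values you must update the
# global ipc_timeout parameter as well. See sample-misc.cf for details.
#
# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks).
# The default time unit is s (seconds).
#
smtpd_timeout = 300s

# The strict_rfc821_envelopes configuration parameter controls whether
# the Postfix SMTP server requires that MAIL FROM and RCPT TO addresses
# are specified within <>, and that MAIL FROM and RCPT TO addresses
# do not contain RFC822-style comments or phrases. It's great to
# stop SPAM mailers. But it also trips up broken peecee clients.
#
# By default, Postfix SMTPD allows RFC822 syntax in MAIL FROM and RCPT TO.
#
strict_rfc821_envelopes = no

#
# TARPIT CONTROLS
#
# The smtpd_error_sleep_time parameter specifies the time in seconds
# the SMTP server waits before sending a 4xx or 5xx SMTP server error
# response. This prevents naive clients from going into an error -
# disconnect - connect - error loop.
#
smtpd_error_sleep_time = 1s

# The smtpd_soft_error_limit parameter specifies an error count lower
# limit. When an SMTP client has made this number of errors within
# a session, the server waits error_count seconds before responding
# to any client request.
#
smtpd_soft_error_limit = 10

# The smtpd_hard_error_limit parameter specifies an error count upper
# limit. The SMTP server disconnects after an SMTP client makes this
# number of errors within a session.
#
smtpd_hard_error_limit = 20

#
# UCE RESTRICTIONS
#
# The mynetworks parameter specifies the list of "trusted" SMTP
# clients that have more privileges than "strangers".
#
# In particular, "trusted" SMTP clients are allowed to relay mail
# through Postfix. See the smtpd_recipient_restrictions parameter
# in file sample-smtpd.cf.
#
# You can specify the list of "trusted" network addresses by hand
# or you can let Postfix do it for you (which is the default).
#
# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
# clients in the same IP subnetworks as the local machine.
#
# Because "trusted" clients may relay, "subnet" extends relay access
# to every host on the directly attached networks. On a shared or
# hosted network segment, specify "host" or an explicit mynetworks
# list instead.
#
# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
# clients in the same IP class A/B/C networks as the local machine.
# Don't do this with a dialup site - it would cause Postfix to "trust"
# your entire provider's network. Instead, specify an explicit
# mynetworks list by hand, as described below.
#
# Specify "mynetworks_style = host" when Postfix should "trust"
# only the local machine.
#
#mynetworks_style = class
mynetworks_style = subnet
#mynetworks_style = host

# Alternatively, you can specify the mynetworks list by hand, in
# which case Postfix ignores the mynetworks_style setting.
#
# Specify an explicit list of network/netmask patterns, where the
# mask specifies the number of bits in the network part of a host
# address.
#
# You can also specify the absolute pathname of a pattern file instead
# of listing the patterns here. Specify type:table for table-based lookups
# (the value on the table right-hand side is not used).
#
#mynetworks = 168.100.189.0/28, 127.0.0.0/8
#mynetworks = $config_directory/mynetworks
#mynetworks = hash:/etc/postfix/network_table

# The smtpd_client_restrictions parameter specifies optional restrictions
# on SMTP client host names and addresses.
#
# The default is to allow connections from any host. The following
# restrictions are available:
#
#   reject_unknown_client: reject the request if the client hostname is unknown.
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   check_client_access maptype:mapname
#        look up client name, parent domains, client address,
#        or networks obtained by stripping octets.
#        Skip this lookup table if the result is DUNNO.
#        Reject the SMTP client if the result is REJECT text... or "[45]xx text"
#        Discard the message if the result is DISCARD text...
#        Hold the message in the queue if the result is HOLD text...
#        Release mail "on hold" with the postsuper(1) command.
#        Filter the message if the result is FILTER transport:nexthop.
#        Permit the SMTP client if the result is OK or all numerical.
#   reject_rbl_client domain.tld: reject if the reversed client IP address
#        is listed in an A record under domain.tld.
#   reject_rhsbl_client domain.tld: reject if the client hostname is listed
#        in an A record under domain.tld.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#   warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# You may also list any helo, sender or recipient restrictions here.
# These will have effect only when smtpd_delay_reject=yes, so that all
# restrictions are evaluated at the time of the RCPT TO command.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
#smtpd_client_restrictions = permit_mynetworks, reject_unknown_client
smtpd_client_restrictions =

# The smtpd_helo_required parameter optionally turns on the requirement
# that SMTP clients must introduce themselves at the beginning of an
# SMTP session.
#
# The HELO restrictions below are evaluated only when a client sends
# HELO or EHLO. Specify yes here if you depend on
# smtpd_helo_restrictions, so that a client cannot avoid them by
# omitting the command.
#
#smtpd_helo_required = yes
smtpd_helo_required = no

# The smtpd_helo_restrictions parameter specifies optional restrictions
# on what SMTP clients can send in SMTP HELO and EHLO commands.
#
# The default is to permit everything. The following restrictions
# are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_invalid_hostname: reject HELO hostname with bad syntax.
#   reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
#   reject_non_fqdn_hostname: reject HELO hostname that is not in FQDN form
#   check_helo_access maptype:mapname
#        look up HELO hostname or parent domains.
#        Skip this lookup table if the result is DUNNO.
#        Reject the HELO command if the result is REJECT text... or "[45]xx text"
#        Discard the message if the result is DISCARD text...
#        Hold the message in the queue if the result is HOLD text...
#        Release mail "on hold" with the postsuper(1) command.
#        Filter the message if the result is FILTER transport:nexthop.
#        Permit the HELO command if the result is OK or all numerical.
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#   warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# You may also list any client, sender or recipient restrictions here.
# Sender and recipient restrictions will have effect only when
# smtpd_delay_reject=yes, so that all restrictions are evaluated at
# the time of the RCPT TO command.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
#smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname
#smtpd_helo_restrictions = permit_mynetworks, reject_unknown_hostname
smtpd_helo_restrictions =

# The smtpd_sender_restrictions parameter specifies optional restrictions
# on sender addresses that SMTP clients can send in MAIL FROM commands.
#
# The default is to permit any sender address. The following
# restrictions are available:
#
#   permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#   reject_rhsbl_sender domain.tld: reject sender domain name if it is listed
#        in an A record under domain.tld.
#   check_sender_access maptype:mapname
#        look up sender address, parent domain, or localpart@.
#        Skip this lookup table if the result is DUNNO.
#        Reject the sender if the result is REJECT text... or "[45]xx text"
#        Discard the message if the result is DISCARD text...
#        Hold the message in the queue if the result is HOLD text...
#        Release mail "on hold" with the postsuper(1) command.
#        Filter the message if the result is FILTER transport:nexthop.
#        Permit the sender if the result is OK or all numerical.
#   reject_sender_login_mismatch: reject if $smtpd_sender_login_maps specifies
#        a MAIL FROM address owner, but the client is not (SASL) logged in as
#        that MAIL FROM address owner; or if the client is (SASL) logged in, but
#        the client login name doesn't own the MAIL FROM address according to
#        $smtpd_sender_login_maps (see above).
#   reject_non_fqdn_sender: reject sender address that is not in FQDN form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#   warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# You may also list any helo, client or recipient restrictions here.
# Recipient restrictions will have effect only when smtpd_delay_reject=yes,
# so that all restrictions are evaluated at the time of the RCPT TO
# command.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
#smtpd_sender_restrictions = reject_unknown_sender_domain
#smtpd_sender_restrictions = reject_unknown_sender_domain, hash:/etc/postfix/access
smtpd_sender_restrictions =

# The smtpd_recipient_restrictions parameter specifies restrictions on
# recipient addresses that SMTP clients can send in RCPT TO commands.
#
# By default, Postfix relays mail
# - from "trusted" clients (IP address matches $mynetworks) to any destination,
# - from "untrusted" clients to destinations that match $relay_domains
#   or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# The following restrictions are available (* is part of default setting):
#
#  *permit_mynetworks: permit if the client address matches $mynetworks.
#   reject_unknown_sender_domain: reject sender domain without A or MX record.
#   reject_rhsbl_recipient domain.tld: reject recipient domain name if it is
#        listed in an A record under domain.tld.
#   permit_auth_destination: permit mail
#        - to destinations matching $inet_interfaces, $mydestination,
#          $virtual_alias_domains, or $virtual_mailbox_domains.
#        - to destinations matching $relay_domains or subdomain thereof,
#          except for addresses with sender-specified routing.
#   reject_unauth_destination: reject mail unless it is sent
#        - to destinations matching $inet_interfaces, $mydestination,
#          $virtual_alias_domains, or $virtual_mailbox_domains.
#        - to destinations matching $relay_domains or subdomain thereof,
#          except for addresses with sender-specified routing.
#   reject_unauth_pipelining: reject mail from improperly pipelining spamware
#   permit_mx_backup: accept mail for sites that list me as MX host.
#        Use the optional permit_mx_backup_networks parameter to also
#        require that the primary MX hosts match a list of network blocks.
#   reject_unknown_recipient_domain: reject domains without A or MX record.
#   check_recipient_access maptype:mapname
#        look up recipient address, parent domain, or localpart@.
#        Skip this lookup table if the result is DUNNO.
#        Reject the recipient if the result is REJECT text... or "[45]xx text"
#        Discard the message if the result is DISCARD text...
#        Hold the message in the queue if the result is HOLD text...
#        Release mail "on hold" with the postsuper(1) command.
#        Filter the message if the result is FILTER transport:nexthop.
#        Permit the recipient if the result is OK or all numerical.
#   reject_non_fqdn_recipient: reject recipient address that is not in FQDN form
#   reject: reject the request. Place this at the end of a restriction.
#   permit: permit the request. Place this at the end of a restriction.
#   warn_if_reject: next restriction logs a warning instead of rejecting.
#
# Restrictions are applied in the order as specified; the first
# restriction that matches wins.
#
# Because the first match wins, a permit-type restriction or an access
# table that returns OK, when listed before reject_unauth_destination,
# exempts the matching client or address from the relay check. Keep
# reject_unauth_destination ahead of any permit that is not limited
# to trusted clients.
#
# You may also list any helo, client or sender restrictions here.
#
# Specify a list of restrictions, separated by commas and/or whitespace.
# Continue long lines by starting the next line with whitespace.
#
# NOTE: YOU MUST SPECIFY AT LEAST ONE OF THE FOLLOWING RESTRICTIONS
# OTHERWISE POSTFIX REFUSES TO RECEIVE MAIL:
#        reject, defer, defer_if_permit, reject_unauth_destination
#
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination

#
# ADDITIONAL UCE CONTROLS
#
# The allow_untrusted_routing parameter controls if Postfix will
# forward mail with sender-specified routing (user[@%!]remote[@%!]site)
# from untrusted clients to destinations that are blessed by the
# relay_domains parameter.
#
# By default, untrusted clients are not allowed to specify routing.
# This closes a nasty open relay loophole where a backup MX host can
# be tricked into forwarding junk mail to a primary MX host which
# then spams it out to the world.
#
# This parameter also controls if non-local addresses with sender-specified
# routing can match Postfix access tables. By default, such addresses
# cannot match Postfix access tables, because the address is ambiguous.
#
allow_untrusted_routing = no

# The relay_domains parameter restricts what destination domains (and
# subdomains thereof) this system will relay mail to.
#
# These domains are routed to the delivery agent specified with the
# relay_transport parameter setting.
#
# By default, Postfix relays mail
# - from trusted clients whose IP address matches $mynetworks,
# - from any client to destinations that match $relay_domains or
#   subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# that Postfix is final destination for:
# - destinations that match $inet_interfaces,
# - destinations that match $mydestination
# - destinations that match $virtual_alias_domains,
# - destinations that match $virtual_mailbox_domains.
# These destinations do not need to be listed in $relay_domains.
#
# Specify a list of hosts or domains, /file/name patterns or type:name
# lookup tables, separated by commas and/or whitespace. Continue
# long lines by starting the next line with whitespace. A file name
# is replaced by its contents; a type:name table is matched when a
# (parent) domain appears as lookup key.
#
# NOTE: Postfix will not automatically forward mail for domains that
# list this system as their primary or backup MX host. See the
# permit_mx_backup restriction, in the description of the
# smtpd_recipient_restrictions parameter.
#
relay_domains = $mydestination

# The relay_recipient_maps parameter specifies optional lookup tables
# with all addresses in the domains that match $relay_domains.
#
# If this parameter is defined, then the SMTP server will reject
# mail to unknown relay users. This feature is off by default.
#
#relay_recipient_maps = hash:/etc/postfix/relay_recipients

#
# RESPONSE CODES
#
# The access_map_reject_code parameter specifies the SMTP server
# response code when a client violates an access map restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
access_map_reject_code = 550

# The default_rbl_reply parameter specifies the SMTP server response
# when an SMTP client request is rejected by a reject_rbl or reject_rhsbl
# restriction.
#
# The template is subject to exactly one level of $name substitution:
#
#   $client: client hostname and IP address, formatted as name[address].
#   $client_name: client hostname or unknown.
#   $client_address: client IP address.
#   $helo_name: hostname given in HELO or EHLO command or empty string.
#   $sender: sender address or <> in case of the null address.
#   $sender_name: sender address localpart or <> in case of the null address.
#   $sender_domain: sender address domain or empty string.
#   $recipient: recipient address or <> in case of the null address.
#   $recipient_name: recipient address localpart or <> in case of null address.
#   $recipient_domain: recipient address domain or empty string.
#   $rbl_what: the entity that is blacklisted (an IP address, a hostname,
#        a domain name, or an email address whose domain was blacklisted).
#   $rbl_reason: reason why $rbl_what is blacklisted or empty string.
#   $rbl_domain: RBL domain where $rbl_what is blacklisted.
#   $rbl_class: the blacklisted entity type: Client host, Helo command,
#        Sender address, or Recipient address.
#   $rbl_code: numerical server reply code, as specified with the
#        maps_rbl_reject_code configuration parameter.
#
# The smtpd_expansion_filter configuration parameter controls what
# characters may appear in $name expansions.
#
# Instead of $name you can also specify ${name} or $(name).
#
# Conditional expansion:
#
#   ${name?text} expands to `text' if $name is not empty.
#   ${name:text} expands to `text' if $name is empty.
#
default_rbl_reply = $rbl_code Service unavailable; $rbl_class [$rbl_what] blocked using $rbl_domain${rbl_reason?; $rbl_reason}

# The defer_code parameter specifies the SMTP server response code
# when an SMTP client request is rejected by the "defer" restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
defer_code = 450

# The invalid_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_invalid_hostname anti-UCE
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
invalid_hostname_reject_code = 501

# The maps_rbl_reject_code parameter specifies the SMTP server response
# when an SMTP client request is blocked by a reject_rbl or reject_rhsbl
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
maps_rbl_reject_code = 550

# The rbl_reply_maps parameter specifies tables with RBL response
# templates, indexed by RBL domain name. By default, Postfix uses
# the default template as specified with the default_rbl_reply
# configuration parameter. See there for a discussion of the syntax
# of RBL reply templates.
#
rbl_reply_maps =

# The reject_code parameter specifies the SMTP server response code
# when an SMTP client matches a reject restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
reject_code = 550

# The relay_domains_reject_code parameter specifies the SMTP server
# response when a client attempts to violate the mail relay policy.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
relay_domains_reject_code = 550

# The smtpd_expansion_filter parameter specifies what characters are
# allowed in $name expansions of RBL reply templates. Characters not
# in the allowed set are replaced by "_". Use C like escapes to
# specify special characters such as whitespace.
#
# The expanded values ($helo_name, $sender, $recipient and so on) are
# supplied by the remote client and are copied into the SMTP reply, so
# keep this set limited to printable characters.
#
# This parameter is not subjected to the usual main.cf macro expansion.
#
smtpd_expansion_filter = \t\40!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~

# The unknown_address_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_sender_domain
# or reject_unknown_recipient_domain restrictions.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_address_reject_code = 450

# The unknown_client_reject_code parameter specifies the SMTP server
# response when a client without address to name mapping violates
# the reject_unknown_client restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_client_reject_code = 450

# The unknown_hostname_reject_code parameter specifies the SMTP server
# response when a client violates the reject_unknown_hostname
# restriction.
#
# Do not change this unless you have a complete understanding of RFC 821.
#
unknown_hostname_reject_code = 450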