smtpd(8) - NetBSD Manual Pages

SMTPD(8)                                                              SMTPD(8)




NAME
smtpd - Postfix SMTP server
SYNOPSIS
smtpd [generic Postfix daemon options]
DESCRIPTION
The SMTP server accepts network connection requests and performs zero or more SMTP transactions per connection. Each received message is piped through the cleanup(8) daemon, and is placed into the incoming queue as one single queue file. For this mode of operation, the program expects to be run from the master(8) process manager.

Alternatively, the SMTP server takes an established connection on standard input and deposits messages directly into the maildrop queue. In this so-called stand-alone mode, the SMTP server can accept mail even while the mail system is not running.

The SMTP server implements a variety of policies for connection requests, and for parameters given to HELO, ETRN, MAIL FROM, VRFY and RCPT TO commands. They are detailed below and in the main.cf configuration file.
SECURITY
The SMTP server is moderately security-sensitive. It talks to SMTP clients and to DNS servers on the network. The SMTP server can be run chrooted at fixed low privilege.
STANDARDS
RFC 821 (SMTP protocol)
RFC 1123 (Host requirements)
RFC 1652 (8bit-MIME transport)
RFC 1869 (SMTP service extensions)
RFC 1870 (Message Size Declaration)
RFC 1985 (ETRN command)
RFC 2554 (AUTH command)
RFC 2821 (SMTP protocol)
RFC 2920 (SMTP Pipelining)
DIAGNOSTICS
Problems and transactions are logged to syslogd(8).

Depending on the setting of the notify_classes parameter, the postmaster is notified of bounces, protocol problems, policy violations, and of other trouble.
CONFIGURATION PARAMETERS
The following main.cf parameters are especially relevant to this program. See the Postfix main.cf file for syntax details and for default values. Use the postfix reload command after a configuration change.

Compatibility controls

strict_rfc821_envelopes
    Disallow non-RFC 821 style addresses in SMTP commands. For example, the RFC822-style address forms with comments that Sendmail allows.
broken_sasl_auth_clients
    Support Microsoft clients that implement an older version of the AUTH protocol, and that expect an EHLO response of "250 AUTH=list" instead of "250 AUTH list".
smtpd_noop_commands
    List of commands that are treated as NOOP (no operation) commands, without any parameter syntax checking and without any state change. This list overrides built-in command definitions.

Content inspection controls

content_filter
    The name of a mail delivery transport that filters mail and that either bounces mail or re-injects the result back into Postfix. This parameter uses the same syntax as the right-hand side of a Postfix transport table.

Authentication controls

smtpd_sasl_auth_enable
    Enable per-session authentication as per RFC 2554 (SASL). This functionality is available only when explicitly selected at program build time and explicitly enabled at runtime.
smtpd_sasl_local_domain
    The name of the local authentication realm.
smtpd_sasl_security_options
    Zero or more of the following.
    noplaintext
        Disallow authentication methods that use plaintext passwords.
    noactive
        Disallow authentication methods that are vulnerable to non-dictionary active attacks.
    nodictionary
        Disallow authentication methods that are vulnerable to passive dictionary attack.
    noanonymous
        Disallow anonymous logins.
smtpd_sender_login_maps
    Maps that specify the SASL login name that owns a MAIL FROM sender address. Used by the reject_sender_login_mismatch sender anti-spoofing restriction.

Miscellaneous

always_bcc
    Address to send a copy of each message that enters the system.
authorized_verp_clients
    Hostnames, domain names and/or addresses of clients that are authorized to use the XVERP extension.
debug_peer_level
    Increment in verbose logging level when a remote host matches a pattern in the debug_peer_list parameter.
debug_peer_list
    List of domain or network patterns. When a remote host matches a pattern, increase the verbose logging level by the amount specified in the debug_peer_level parameter.
default_verp_delimiters
    The default VERP delimiter characters that are used when the XVERP command is specified without explicit delimiters.
error_notice_recipient
    Recipient of protocol/policy/resource/software error notices.
hopcount_limit
    Limit the number of Received: message headers.
notify_classes
    List of error classes. Of special interest are:
    policy
        When a client violates any policy, mail a transcript of the entire SMTP session to the postmaster.
    protocol
        When a client violates the SMTP protocol or issues an unimplemented command, mail a transcript of the entire SMTP session to the postmaster.
smtpd_banner
    Text that follows the 220 status code in the SMTP greeting banner.
smtpd_expansion_filter
    Controls what characters are allowed in $name expansion of rbl template responses and other text.
smtpd_recipient_limit
    Restrict the number of recipients that the SMTP server accepts per message delivery.
smtpd_timeout
    Limit the time to send a server response and to receive a client request.
soft_bounce
    Change hard (5xx) reject responses into soft (4xx) reject responses. This can be useful for testing purposes.
verp_delimiter_filter
    The characters that Postfix accepts as VERP delimiter characters.

Known versus unknown recipients

show_user_unknown_table_name
    Whether or not to reveal the table name in the "User unknown" responses. The extra detail makes troubleshooting easier but also reveals information that is nobody else's business.
unknown_local_recipient_reject_code
    The response code when a client specifies a recipient whose domain matches $mydestination or $inet_interfaces, while $local_recipient_maps is non-empty and does not list the recipient address or address local-part.
unknown_relay_recipient_reject_code
    The response code when a client specifies a recipient whose domain matches $relay_domains, while $relay_recipient_maps is non-empty and does not list the recipient address.
unknown_virtual_alias_reject_code
    The response code when a client specifies a recipient whose domain matches $virtual_alias_domains, while the recipient is not listed in $virtual_alias_maps.
unknown_virtual_mailbox_reject_code
    The response code when a client specifies a recipient whose domain matches $virtual_mailbox_domains, while the recipient is not listed in $virtual_mailbox_maps.

Resource controls

line_length_limit
    Limit the amount of memory in bytes used for the handling of partial input lines.
message_size_limit
    Limit the total size in bytes of a message, including on-disk storage for envelope information.
queue_minfree
    Minimal amount of free space in bytes in the queue file system for the SMTP server to accept any mail at all.
smtpd_history_flush_threshold
    Flush the command history to postmaster after receipt of RSET etc. only if the number of history lines exceeds the given threshold.

Tarpitting

smtpd_error_sleep_time
    Time to wait in seconds before sending a 4xx or 5xx server error response.
smtpd_soft_error_limit
    When an SMTP client has made this number of errors, wait error_count seconds before responding to any client request.
smtpd_hard_error_limit
    Disconnect after a client has made this number of errors.
smtpd_junk_command_limit
    Limit the number of times a client can issue a junk command such as NOOP, VRFY, ETRN or RSET in one SMTP session before it is penalized with tarpit delays.

UCE control restrictions

parent_domain_matches_subdomains
    List of Postfix features that use domain.tld patterns to match sub.domain.tld (as opposed to requiring .domain.tld patterns).
smtpd_client_restrictions
    Restrict what clients may connect to this mail system.
smtpd_helo_required
    Require that clients introduce themselves at the beginning of an SMTP session.
smtpd_helo_restrictions
    Restrict what client hostnames are allowed in HELO and EHLO commands.
smtpd_sender_restrictions
    Restrict what sender addresses are allowed in MAIL FROM commands.
smtpd_recipient_restrictions
    Restrict what recipient addresses are allowed in RCPT TO commands.
smtpd_etrn_restrictions
    Restrict what domain names can be used in ETRN commands, and what clients may issue ETRN commands.
smtpd_data_restrictions
    Restrictions on the DATA command. Currently, the only restriction that makes sense here is reject_unauth_pipelining.
allow_untrusted_routing
    Allow untrusted clients to specify addresses with sender-specified routing. Enabling this opens up nasty relay loopholes involving trusted backup MX hosts.
smtpd_restriction_classes
    Declares the name of zero or more parameters that contain a list of UCE restrictions. The names of these parameters can then be used instead of the restriction lists that they represent.
smtpd_null_access_lookup_key
    The lookup key to be used in SMTPD access tables instead of the null sender address. A null sender address cannot be looked up.
maps_rbl_domains (deprecated)
    List of DNS domains that publish the addresses of blacklisted hosts. This is used with the deprecated reject_maps_rbl restriction.
permit_mx_backup_networks
    Only domains whose primary MX hosts match the listed networks are eligible for the permit_mx_backup feature.
relay_domains
    Restrict what domains this mail system will relay mail to. The domains are routed to the delivery agent specified with the relay_transport setting.

UCE control responses

access_map_reject_code
    Response code when a client violates an access database restriction.
default_rbl_reply
    Default template reply when a request is RBL blacklisted. This template is used by the reject_rbl_* and reject_rhsbl_* restrictions. See also: rbl_reply_maps and smtpd_expansion_filter.
defer_code
    Response code when a client request is rejected by the defer restriction.
invalid_hostname_reject_code
    Response code when a client violates the reject_invalid_hostname restriction.
maps_rbl_reject_code
    Response code when a request is RBL blacklisted.
rbl_reply_maps
    Table with template responses for RBL blacklisted requests, indexed by RBL domain name. These templates are used by the reject_rbl_* and reject_rhsbl_* restrictions. See also: default_rbl_reply and smtpd_expansion_filter.
reject_code
    Response code when the client matches a reject restriction.
relay_domains_reject_code
    Response code when a client attempts to violate the mail relay policy.
unknown_address_reject_code
    Response code when a client violates the reject_unknown_address restriction.
unknown_client_reject_code
    Response code when a client without address to name mapping violates the reject_unknown_client restriction.
unknown_hostname_reject_code
    Response code when a client violates the reject_unknown_hostname restriction.
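
The following is an added example, not part of the original manual page or of Postfix: it parses main.cf text and flags explicit settings of parameters that this page describes as risky or as depending on another setting. The sample configuration and the map path hash:/etc/postfix/sender_login are constructed; only values set explicitly are checked and no defaults are assumed.

```python
# Added example; the main.cf text below is constructed, not from a real host.
SAMPLE_MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noplaintext
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_unknown_address
allow_untrusted_routing = yes
show_user_unknown_table_name = yes
soft_bounce = no
"""
RISKY_IF_YES = {  # parameter -> consequence as described in smtpd(8)
    "allow_untrusted_routing": "untrusted clients may use sender-specified routing",
    "show_user_unknown_table_name": "table name revealed in 'User unknown' replies",
    "soft_bounce": "hard (5xx) rejects are sent as soft (4xx) rejects",
}
def parse_main_cf(text):
    """Return {name: value}; a line starting with whitespace continues the previous one."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0].isspace():              # continuation line
            if name:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        name = key.strip() if sep else None
        if name:
            params[name] = value.strip()  # a later setting overrides an earlier one
    return params

def words(value): return value.replace(",", " ").split()

def audit(params):
    """Return (parameter, reason) pairs for risky settings that are set explicitly."""
    yes = lambda n: params.get(n, "").lower() == "yes"
    out = [(n, why) for n, why in RISKY_IF_YES.items() if yes(n)]
    if yes("smtpd_sasl_auth_enable"):
        opts = params.get("smtpd_sasl_security_options")
        if opts is not None and "noanonymous" not in words(opts):
            out.append(("smtpd_sasl_security_options", "noanonymous not listed"))
        used = any("reject_sender_login_mismatch" in words(v) for v in params.values())
        if "smtpd_sender_login_maps" in params and not used:
            out.append(("smtpd_sender_login_maps", "reject_sender_login_mismatch not used"))
    return out

if __name__ == "__main__":
    print(audit(parse_main_cf(SAMPLE_MAIN_CF)))
```

The login-map check looks for reject_sender_login_mismatch in every parameter value, so a restriction placed in another restriction list or in a class named by smtpd_restriction_classes also counts as used.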
SEE ALSO
trivial-rewrite(8) address resolver
cleanup(8) message canonicalization
master(8) process manager
syslogd(8) system logging
LICENSE
The Secure Mailer license must be distributed with this software.
AUTHOR(S)
Wietse Venema
IBM T.J. Watson Research
P.O. Box 704
Yorktown Heights, NY 10598, USA
