Postfix Configuration Priority: master.cf vs. main.cf – Which Overrides?



In Postfix, both main.cf and master.cf serve as configuration files, but they operate at different levels. The main.cf file contains global settings, while master.cf defines the individual services, and each service entry can carry its own parameter values through the -o option.

When the same parameter appears in both files, Postfix follows this rule:

master.cf (-o options) OVERRIDE main.cf settings

This means service-specific configurations in master.cf take precedence over global settings in main.cf.

Consider this scenario:

# In main.cf:
smtpd_tls_auth_only = yes

# In master.cf service definition:
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=no

Result: The smtp service will use smtpd_tls_auth_only=no despite the global setting, so on that service SASL authentication is no longer restricted to TLS-encrypted sessions.

Use main.cf when:

  • You want settings to apply globally to all services
  • Maintaining consistency across all Postfix components

Use master.cf -o options when:

  • You need service-specific exceptions
  • Different services require different behaviors
  • Testing configurations without affecting global settings

To verify which value is actually being used:

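postconf -n  # Shows parameters explicitly set in main.cf
postconf -M  # Shows master.cf service definitions
postconf smtpd_tls_auth_only  # Shows the main.cf (or built-in default) value; -o overrides are not applied
postconf -P smtp/inet/smtpd_tls_auth_only  # Shows the -o override for the smtp/inet service, if any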

1. Document overrides clearly in both files with comments

# Overrides main.cf setting - see ticket #1234
-o smtpd_tls_auth_only=no

2. Prefer main.cf for most settings to maintain clarity

3. Use master.cf overrides sparingly for special cases

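You can keep service-specific values in main.cf as user-defined parameters (here the hypothetical name mua_tls_auth_only) and reference them from master.cf with $name:

smtpd_tls_auth_only = yes
mua_tls_auth_only = no
# The master.cf service entry then refers to the main.cf value:
  -o smtpd_tls_auth_only=$mua_tls_auth_only

This provides more granular control while keeping the values themselves out of master.cf.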


In Postfix administration, we often encounter situations where the same parameter appears in both main.cf (the primary configuration file) and master.cf (service-specific configurations using -o parameters). Understanding their interaction is crucial for proper mail server management.

Postfix follows this evaluation order when processing configurations:

1. Built-in defaults
2. main.cf settings
3. master.cf -o parameters (highest precedence)

The -o parameters in master.cf always override equivalent settings in main.cf. This design allows service-specific customization while maintaining global defaults.

Given your example:

# In main.cf:
smtpd_tls_auth_only=yes

# In master.cf service entry:
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_auth_only=no

The final effective value will be no for this SMTP service, while other services without -o overrides would still use yes from main.cf.

Use main.cf when:

  • Setting global defaults for all services
  • Configuring parameters used by multiple services
  • Defining core mail system behavior

Use master.cf -o when:

  • Needing service-specific exceptions
  • Running multiple instances with different configurations
  • Testing new settings without affecting production services

Here's a practical multi-instance setup example:

# main.cf (global defaults)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.pem
smtpd_tls_key_file = /etc/ssl/private/mail.key

# master.cf (service overrides)
submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_cert_file=/etc/ssl/certs/submission.pem

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt

To verify effective parameters:

postconf -n  # Shows parameters explicitly set in main.cf
postconf -M  # Shows master.cf service definitions
postconf -P  # Shows master.cf -o parameter settings as service/type/parameter=value

For service-specific verification:

postconf -P smtp/inet  # Shows the -o parameters set on the smtp/inet service
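
The precedence described above can also be reviewed offline. The following is an added example, not part of the original page: it parses constructed main.cf and master.cf text and lists every service whose -o option changes a main.cf value. The sample files and function names are assumptions, and only the "-o name=value" form is handled.

```python
# Constructed sample files that mirror the page's examples.
MAIN_CF = """\
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_auth_only=no
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
pickup     unix  n  -  n  60 1  pickup
"""

def logical_lines(text):
    """Drop blank/comment lines; a line starting with whitespace continues the previous one."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """main.cf as {parameter: value}; a later assignment replaces an earlier one."""
    return {n.strip(): v.strip() for n, _, v in (l.partition("=") for l in logical_lines(text))}

def parse_master(text):
    """master.cf as {"service/type": {parameter: value}} from '-o name=value' arguments."""
    services = {}
    for line in logical_lines(text):
        f = line.split()
        args = f[8:]  # f[0:7] are the service columns, f[7] is the command name
        pairs = [a for flag, a in zip(args, args[1:]) if flag == "-o" and "=" in a]
        services[f"{f[0]}/{f[1]}"] = dict(a.split("=", 1) for a in pairs)
    return services

def divergent_overrides(main_text, master_text):
    """Rows (service, parameter, main.cf value, effective value) where -o changes the global value."""
    main = parse_main(main_text)
    return [(svc, name, main.get(name, "<default>"), value)
            for svc, params in parse_master(master_text).items()
            for name, value in params.items()
            if value != main.get(name)]

if __name__ == "__main__": print(*divergent_overrides(MAIN_CF, MASTER_CF), sep="\n")
```

Overrides that repeat the main.cf value, such as the submission entry's smtpd_tls_auth_only=yes, are left out, so the output is the list of places where a service departs from the global policy.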