Postfix master.cf versus main.cf

I see a lot of the time that the same settings can be specified in both main.cf, and also in master.cf using the -o prefix.

My question is, does one override the other, and if so, which file is given priority if the same setting (with a different value) is found in both?

For instance, if

smtpd_tls_auth_only=yes

was specified in main.cf, but

-o smtpd_tls_auth_only=no 

was specified in master.cf, which one would postfix pay attention to?

Solution 1:

As documented,

-o name=value
                 Override  the  named  main.cf  configuration
                 parameter.

main.cf sets the default values used by all services defined in master.cf; -o options in master.cf can override these on a per-service basis.

Solution 2:

Basically settings in main.cf are valid and used globally unless they are overridden in master.cf for specific Postfix daemons (smtpd, trivial-rewrite, cleanup, pickup, ...). You may specify, for example, smtp_tls_security_level = may in main.cf and disable it for the submission port bound to localhost for the smtpd daemon:

localhost:submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=none

But for the submission port on an external IP address you may enforce encryption:

1.2.3.4:submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o ...

In certain situations you might have to override a global setting, for example when using Amavisd, address mappings (alias expansion, etc) need to be disabled when sending mail through the Amavisd smtpd daemon. Otherwise recipients might receive duplicate messages:

127.0.0.1:10025 inet    n       -       -       -       -       smtpd
  -o content_filter=
  -o ...
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
  -o ...

Of course, during regular operation, outside of Amavis, you want address mappings, so by default they are enabled in main.cf.