Postings by LuKreme

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Root user's sent mail

The root user sends out some periodic mails to users. These mails get placed in /root/sent (an mbox file) instead of in /root/Maildir/.Sent/ (a Maildir directory).

It’s not a big deal, but it makes clearing the mails periodically slightly more difficult.

The mails are sent via a crontab entry much like this:
<command> | mutt -e 'set content_type=text/html' -s "DMR $($YDAY)" <a href="mailto: ... at kreme dot com"> ... at kreme dot com</a> -b <a href="mailto: ... at kreme dot com"> ... at kreme dot com</a> = Maildir/

But I suspect the issue here is mutt and not postfix?

rsyslogd and postfix

This might be of use to others out there.


I changed my inet_interfaces setting this morning, and stopped and started postfix (postfix stop; postfix start)

# postconf -n inet_interfaces
inet_interfaces =,

But when I am trying to send emails to a certain company, I am getting an SPF error (even though my entire netblock is in the SPF settings) that claims I am connecting from a different IP (an IP that is assigned to the same physical machine as postfix) than specified in inet_interfaces.

status=bounced (host[] said: 550 5.7.1 < ... at synology dot com>: Recipient address rejected: Me

Read Only account

How would I configure a user so that they could only read mail and not send any mail (even to local users).

Not receiving messages from mail servers

I finally managed to isolate this. I have no been receiving mails from some mail servers and there's very little being logged. I obviously set some configuration that mucked things up.

TLS 1.3

Now that TLS 1.3 has been approved, what is the status of using it with Apache? Last I heard apache 2.4 couldn't build agains openssl 1.1, but that was a year ago.

Which user lookup wins?

When postfix checks for a local user it looks at any local user (like /home/fred), I assume by checking /etc/passwd or similar (I have local users who can receive mail who are not mentioned in any /etc/postfix/* file, so postfix knows about them from somewhere outside of postfix’s config file) and then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one “wins”?

Reducing logging

I may have asked this before, but if so I can't find the thread.

I'd like to either reduce the amount that postfix logs or redirect certain events to a secondary log file (that I can put on a shorter rotation than the full mail log).

Is there anyway to redirect, for example, post screen events to a different log file or the warning hostname does not resolve messages?

Suggestion on Redirect parsing

The syntax for redirect treats

Redirect / <a href="" title=""></a>

as a request to redirect, for example, index.html as ""

Since I can't think of any reason that this could possibly be desired, it seems the parser should understand that when only a FQDN is specified with a URL scheme, the final '/' is assumed.

this would still allow for <a href="" title=""></a> formats, etc, and would only apply to the specific format xxxx://FQDN

(Although I think even this syntax should assume a final / and that if the "append .

Setting up Apache 2.4 with Letsencrypt

I have dehydrate properly renewing certs from Let's Encrypt (which I am using successfully for mail authentication) and I ma trying to get them working for Apache 2.4, but no luck so far.

I created aliases in /usr/local/etc/apache24/ pointing to the files in /usr/local/etc/dehydrated/certs/domain.tld/fullchain.pem and privkey.pem

in httpd.conf I have:

LoadModule ssl_module libexec/apache24/

Include etc/apache24/extra/httpd-ssl.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Listen 443

Berkeley DB and new install

I know that the Berkeley DB still works in postfix if compiled with that option, but is it the best choice for a new install of postfix?

I have only a couple of tables that use it, but since I am moving entirely to a new machine and new compiles, I don't want to drag along an "old" format if I don't need to.

What other options are there for a virtual table in the form of

<a href="mailto: ... at localdomain dot tld"> ... at localdomain dot tld</a> <a href="mailto: ... at fred dot"> ... at fred dot</a>

or the similar alias table

user: otheruser

(alias is used entirely on my system to redirect mail to the root account from names like admin, daemon, etc)

I mean, I could m

postfix upgrade-configuration

Looking at Postfix 3.3 and upgrade-configuration I get:

Note: the following files or directories still exist but are
no longer part of Postfix:

/usr/local/etc/postfix/access /usr/local/etc/postfix/aliases
/usr/local/etc/postfix/canonical /usr/local/etc/postfix/generic
/usr/local/etc/postfix/relocated /usr/local/etc/postfix/transport

All well and good, but what has replaced them, especially virtual and alias which are a pretty basic part of my mail configuration for local users.

I looked around on for 3.3 info and didn't stu

Watching the logs turn round and round

I don't have a question, but I thought I'd share that I've found this extremely useful recently for watching the logs:

tail -f /var/log/maillog | grep -v -E '(cleanup|dnsblog|postscreen|qmgr|anvil))'

It narrows the log down to the data that I'm most interested in (smtp, dovecot, amazes, etc).

Rejecting mail dorm a domain to specific user

Is it possible to reject a mail from a specific domain to a specific user?

Obviously, there are other ways to deal with this, but I have a case where I’d prefer to reject the mail before it is received but I do not want to block the domain for other users.

Copying IMAP messages instead of Forwarding?

Is there a method to use IMAP to move messages to another account on another server for which I have login credentials on delivery instead of simply forwarding? Or would this be a question for the Dovecot list?

I am trying to get around various spam checking and DKIM failures for a local user who uses gmail but whose address is on my server.

OT lightweight IMAP client

Figured someone on the list would have an opinion on a very lightweight feature-poor IMAP client. It doesn't need to do much else but access a single IMAP account and be able to forward emails as attachments. Search would be good, but not required. Searching for queueIDs in the Received header would be fantastic.

Primary considerations are fast and as light on memory use as possible and usable from a Mac (command-line is fine). I know mutt can do IMAP but I don't think it can forward messages as attachments though I am probably wrong. Windows 10 might be useful, but not required.

Forward to gmail and DMARC

I forward mail to a gmail user, but there are a lot of bounces from gmail. I don't honestly care about the ones that google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, IFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

apache 2.4 and php on Freebsd

Is anyone running Apache 2.4 and mod_php (either 5.6 or 7.0)?

Despite many times building out of ports or manually, I cannot get apache to launch successfully with php enabled. Is there something else I can do to get php working?

I can get apache to load with mod_php56, but loading php pages results in filter_var errors despite filter being definitely installed.

# php -m | grep filter


After installing the latest postfix I thought I’d look into postfwd.

1) is this the right place to ask about this package?

2) Is this package generally recommended or not?

3) It appears to me postfwd does largely what post screen would already do. Is that correct or am I missing something?

Supported versions

I used to have a bookmark for a page that showed the currently supported versions of Postfix and (I think) when support ended for previous versions). I seem mohave lost the bookmark and I can’t fin the page on which makes me think it isn’t there.

I can get the information by going to <> and looking in specific announcements to see what (if any versions) were obsoleted.

Just as an example, I was trying to find when 2.6 support ended, and after going through he major releases I found it in the 2.10 release announcements.

BBC mapping

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+${1}.${2}@domain.tld

I currently have the above in recipient_bbc


recipient_bcc_maps = pcre:$config_directory/recipient_bcc.pcre

And this works perfectly and stores a copy of all email (sent and received) in a backup account that is set to delete messages after 7 days. This allows me to recover messages which people have deleted or accidentally marked as spam.

However, I would like to exclude a specific domain from this backup including all mail TO and FROM the domain.


I have an email account that belonged to someone who died recently. Rather than simply shutdown the account and bounce all future emails, the family would like some sort of automated messages for at least a few months saying something like “<Name> died in November, 2016.

DNSBLOG and whitelisted domains

Only hosts with scores that exceed the postscreen_dnsbl_threshold get logged with their scores, and not IPs that reach the postscreen_dnsbl_whitelist_threshold, is that correct?

I certainly don’t see anything like a DNSBL rank for whitelisted domains. Am I missing it?

New machine

I’m going to setup a new machine and move all the mail onto it. I’ll go with the latest FreeBSD (11.0-RELEASE currently).

more core dumps on apache 2.4

So, I installed roundcube via portmaster, which installed (upgraded) the following:

Nov 24 12:02:08 mail pkg-static: icu-58.1,1 installed
Nov 24 12:03:00 mail pkg-static: pecl-intl-3.0.0_7 installed
Nov 24 12:03:11 mail pkg-static: php56-ldap-5.6.27 installed
Nov 24 12:03:17 mail pkg-static: roundcube-1.2.2,1 installed

At this point I realized that curl had been installed without openssl support, so I reconfigured it and reinstalled it.

Nov 24 12:18:11 mail pkg-static: curl-7.51.0_1 deinstalled
Nov 24 12:23:56 mail pkg-static: curl-7.51.0_1 installed

And here, apache core dump immediately

postscreen logging

I am wondering what the various possible types of events postscreen logs. I checked man postsreen(8) but it doesn’t seem to give them.

I know there are PASS NEW, PASS OLD, CONNECT, DISCONNECT, HANGUP, NOQUEUE, COMMAND, cache, and DNSBL. Any others I am missing?

Are these documented in some other man page?

(Currently I’m interested int he difference between HANGUP and DISCONNECT and NOQUEUE and why sometimes hosts that connect thousands of times with high RBL scores don’t necessarily get HANGUP.)

apache 2.4 core dump on launch, no error logging

When launching apache 2.4 I get a core dump. Nothing is logged to the http-error log. I’ve tried rebuilding it to no avail.

Full encryption

While I know this would result in lost mail, would it be possible with postfix to setup a mail server that:

1) Only accepts encrypted connections
2) Only sends encrypted emails
3) Keeps mail encrypted throughout, including only writing encrypted blobs.

and is there a way to setup an IMAP server to read that encrypted mail and, again, only serve/accept encrypted mail.

I assume there is some metadata that must be unencrypted (to and From_, I’d guess), can the rest of the metadata be encrypted (Data, received, any other headers).

Again, I know this is not practical for a normal mail server, b

A script for generating a user Daily Mail Report

No idea if this will be of interest to anyone, but my users are finding it useful so I’m sharing. I’m sure this is not especially efficient, but it’s running for only a handful of users who are super paranoid about their email.