DevHeads.net

Postings by LuKreme

Rejecting mail based on a Milter results

The spamass-milter is not rejecting mail that scores above the number set in the -r flag for the milter (confirmed by other people this is a bug in spamass-milter).

Is there something I can do in postfix to reject mails that the Milter logs like:

spamd: result: Y 18

Where “18” is something I set like “>=10”?

Seems a long shot, but it is unlikely anyone is working on spamass-milter at this point.

Receiving mail from a host without a valid rDNS

I have a mail host that I want to receive mail from that does not have a valid rDNS (it recently moved and their ISP is comcast and it seems to be taking a stupidly long time). Anyway, I first tried this:

check_sender_access pcre:$config_directory/sender_access.pcre

/@name.of.host/ OK

This did not work.

Adding perl-cgi in apache 2.4

I need to enable perl-cgi for a specific directory local to a single site.

Header change

Switching to dovecot LMTP appears to have changed the information in the received header:

Here’s what the received header used to look like:

Received: from [10.0.5.3] (c-71-229-144-93.hsd1.co.comcast.net [71.229.144.93])
    by mail.covisp.net (Postfix) with ESMTPS id B67B8118AD59
    for < ... at kreme dot com>; Sun, 16 Aug 2009 22:19:02 -0600 (MDT)

As opposed to now:

Received: from darth.lan (c-73-14.161.160.hsd1.co.comcast.net [73.14.161.160])
    by mail.covisp.net(Postfix 3.4.5/8.13.0) with SMTP id unknown;
    Sun, 16 Jun 2019 15:26:32 -0600
    (envelope-from < ... at kreme dot com>)

The first

smtpd_recipient_restrictions

Since I have moved all local users to virtual users and switched dovecot to lmtp from lda, I was able to add reject_unverified_recipient to my restrictions, and it occurred to me maybe some of the other restrictions could be eliminated.

Do reject_non_fqdn_recipient and reject_unauth_destination do anything that isn’t done with the check for unverified recipient?

smtpd_recipient_restrictions = reject_unauth_destination
    reject_non_fqdn_sender
    reject_non_fqdn_recipient
    reject_unknown_recipient_domain
    reject_unknown_sender_domain
    reject_unlisted_recipient
    reject_unliste

Virtual users and local users in the same domain?

Given that I have two users, ... at example dot com and ... at example dot com who are currently both local users and given that mydomain=example.com, is it possible to configure postfix such that one of them is in the mysql database and one is still local?

SMTPS Submission

Just want a quick sanity check on enabling smtps in master.cf:

smtps inet n - n - - smtpd
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_wrappermode=yes
    -o syslog_name=submit/smtps
    -o smtpd_sasl_type=dovecot
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_path=private/auth
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
    -o smtpd_helo_restriction

Mail Delivery Status report

I am getting mail delivery status reports for every bcc email (that is, every email, since I use a bcc map to create a backup of all the mail).

I've looked through all the postfix files for any instance of sendmail -v, and have only found it as a comment in bounce.cf.default

/usr/local/etc/postfix
# grep "sendmail -v" *
bounce.cf.default:# address...) or for verbose mail delivery (sendmail -v address...).

main.cf:
recipient_bcc_maps = pcre:$config_directory/rbcc.pcre

rbcc.pcre:
if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+151.${1}.${2}@<a local domain>
endif

the MDSR is not really a pro

Blacklist honeypot senders

I have an active email address that only receives spam (it is an address that wasn't used for years but I've recently reactivated to see just how much spam an unprotected decades old account that hasn't accepted mail since 2006 would get).

Anyway, what I would like to do is somehow blacklist any IP that sends mail to that address for some period of time, configurable by me but not necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any match, that is fine).

I suspect that postfix might be able to do this through some sort of helo_access check?

Modify logs for delivery?

I may have asked this in the past, but if so it's been long enough I don't remember and can't find it in my mail archives.

Is there some way to modify what is logged from postfix/local and postfix/pipe so that the "status=sent" lines include the from address as well as the to address?

May 21 14:52:32 mail postfix/local[63216]: 457nyS31Y4zdrvK: to=< ... at covisp dot net>, orig_to=< ... at kreme dot com>, relay=local, delay=0.39, delays=0.34/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)

May 21 14:53:16 mail postfix/pipe[67313]: 457nzJ4gd7zdrvL: t

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking some way to add most of Asia and Eastern Europe to postscreen checks would be useful?

Sporadic, repeated connections from aws

I've had the following in my fqrdns.pcre checks for quite a while:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (amazonaws.com)

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Am I right in blocking these connections?

unable to find user

I am using postfix => spamass-milter => SpamAssassin and I get occasional errors like these.

spamd: handle_user (userdir) unable to find user: 'virtualuser'

For example, if I have a virtual user "john" who redirects to the local user jsmith, I get that error with the username of "john" while mail to jsmith goes through fine.

Is it possible to send the user name to the milter after virtual maps have been applied?

apache service unavailable

Due to a large blizzard, we lost power for some period of time today, and the server's UPS didn't hold out. After the power was back, https responds to all attempts to connect with

"The service is not available. Please try again later."

displayed in the browser.

Nothing shows up in the httpd-error.log, but httpd-access.log looks odd.

ClamAV-milter

Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually getting processed by ClamAV-milter, including the EICAR test mails which sail through without triggering anything.

I’ve tried to provide everything that could be relevant (mostly in an effort to re-examine everything) but at this point I’m stumped.

smtpd_milters =
    unix:/var/run/spamass-milter.sock,
    unix:/var/run/clamav/clmilter.sock

# sockstat | grep milter
root spamass-mi 24145 4 stream /var/run/spamass-milter.sock
clamav cla

0 length robot.txt

This is probably a coincidence, but I had one of my hosted sites (with no php code anywhere, and certainly no .php files) returning a script error on load instead of showing the non-php webpage:

[proxy_fcgi:error] [pid 88148] [client xx.xx.xx.xx:63137] AH01071: Got error 'Primary script unknown\n'

And it would display a blank page for a few seconds, then “File Not Found” would appear.

Updating to php 7.0 and having apache still work?

Once again I have tried, and failed, to move from php 5.6 to php 7.0 (using postmaster under FreeBSD 11.3-RELEASE). The results are largely the same: php pages don’t load, with either “Primary script unknown” or complaints about filter() (which is built in to both php56 and php70).

I’m sure this is all my doing.

So… is there a decent document or how-to or step-by-step on how to update the php under apache without everything in apache breaking?

(php itself works fine, it’s the integration with apache 2.24 that I keep managing to FUBAR. Currently on apache 2.4.35)

Reverse proxy

If I have a secondary web service running on www.example.com:8000 and I want to create a reverse proxy on port 8001, how do I prevent users from connecting to <IP>:8000 anyway?

DocumentRoot in ProxyPass?

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000${DocumentRoot}$1

(that is, not have to repeat the information that is already in the configuration)

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt

and

tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Apache 2.4 and DirectoryIndex and htaccess

I have a working webroot, and it has an index.php file.

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning: vps1590651.vs.webtropia-customer.com[62.141.41.104]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning: ma350.mars.fastwebserver.de[193.111.198.88]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning: vps1590646.vs.webtropia-customer.com[62.141.41.114]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

Root user's sent mail

The root user sends out some periodic mails to users. These mails get placed in /root/sent (an mbox file) instead of in /root/Maildir/.Sent/ (a Maildir directory).

It’s not a big deal, but it makes clearing the mails periodically slightly more difficult.

The mails are sent via a crontab entry much like this:
<command> | mutt -e 'set content_type=text/html' -s "DMR $($YDAY)" ... at kreme dot com -b ... at kreme dot com

main.cf:home_mailbox = Maildir/

But I suspect the issue here is mutt and not postfix?

rsyslogd and postfix

This might be of use to others out there.

inet_interfaces

I changed my inet_interfaces setting this morning, and stopped and started postfix (postfix stop; postfix start).

# postconf -n inet_interfaces
inet_interfaces = 127.0.0.1, 65.121.55.42

But when I am trying to send emails to a certain company, I am getting an SPF error (even though my entire netblock is in the SPF settings) that claims I am connecting from a different IP (an IP that is assigned to the same physical machine as postfix) than specified in inet_interfaces.

status=bounced (host mail.synology.com[59.124.61.242] said: 550 5.7.1 < ... at synology dot com>: Recipient address rejected: Me

Read Only account

How would I configure a user so that they could only read mail and not send any mail (even to local users)?

Not receiving messages from mail servers

I finally managed to isolate this. I have not been receiving mails from some mail servers and there's very little being logged. I obviously set some configuration that mucked things up.

TLS 1.3

Now that TLS 1.3 has been approved, what is the status of using it with Apache? Last I heard apache 2.4 couldn't build against openssl 1.1, but that was a year ago.

Which user lookup wins?

When postfix checks for a local user it looks at any local user (like /home/fred), I assume by checking /etc/passwd or similar (I have local users who can receive mail who are not mentioned in any /etc/postfix/* file, so postfix knows about them from somewhere outside of postfix’s config file) and then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one “wins”?

Reducing logging

I may have asked this before, but if so I can't find the thread.

I'd like to either reduce the amount that postfix logs or redirect certain events to a secondary log file (that I can put on a shorter rotation than the full mail log).

Is there any way to redirect, for example, postscreen events to a different log file, or the "warning hostname does not resolve" messages?