Postings by =?iso-8859-1?Q?Christian_R=F6=DFner?=

Spool directories on ext4 with encryption


today I tried to use ext4 encryption for /var/spool/postfix*

1. Create static salt with:
head -c 16 /dev/urandom | xxd -p >~/tmp-salt.txt
echo 0x`cat ~/tmp-salt.txt` >~/.cryptoSalt

2. Adding key:
/usr/sbin/e4crypt add_key -S f:/root/.cryptoSalt

3. Stopping postfix
4. Create /var/spool/old
5. mv /var/spool/postfix* /var/spool/old/
6. mkdir -p /var/spool/postfix /var/spool/postfix-relay /var/spool/postfix-submission

7. Set policies:
e4crypt set_policy XXXXX /var/spool/postfix
e4crypt set_policy XXXXX /var/spool/postfix-relay
e4crypt set_policy XXXXX /var/spool/postfix-submission


Testing Postfix-3.3....0-RC1


so far, the RC1 works.

No milters have been used at around midnight


this morning I found a spam mail in my inbox, which normally should have been triggered by my spam milter. As I checked the headers, I found out that the milter service did not add any headers.

I checked the logs for the QID and found out that the milter was not even requested.

Sender dependent command_filter


does there exist some sender dependent command_filter?

I would like to activate NOTIFY=SUCCESS for some sender addresses and collect the results.

Based on this idea:

/^(RCPT\s+TO:.*)\bNOTIFY=\S+\b(.*)/ $1 NOTIFY=SUCCESS $2

Usecase for me:
- Development; The remote side sends automatically back all the headers and stuff.
- Knowing, when a mail has been sent. Some remote delay incoming mail.


‌Christian Rößner‌

log from= in postfix/smtp - or looking for unknown option


I have looked at man 5 postconf, if there exists an option to add the envelope sender to the postfix smtp client, but I didn'T find one.

If an account gets stolen and this account starts sending lots of mails, it often leads to RBLs. If you try to find the account that was compromised, a first command would be something like:

grep "postfix/smtp\[" mail.log | grep -i reject

which will only give you thousands of queue-IDs.



the more milters I use the more often I have to deal with certain hosts that do not need a milter processing.

Feature request for postscreen: "defer"

You are totally right. I created a new thread for this.

The idea is to give postscreen a "defer" option. At connect time, dynamic services can work with the IP address of a connecting client. In some cases, this can result in whitelisting, blacklisting or no decision.

Question for socketmap_table


I just looked into the socketmap_table man page. I try to understand several things:

First: Is it correct that request and response are not terminated by newline?

Second the respone:

OK <space> data
The requested data was found.

NOTFOUND <space>
The requested data was not found.

TEMP <space> reason

TIMEOUT <space> reason

PERM <space> reason
The request failed. The reason, if non-empty, is descriptive text.

Which of these return values do work with postscreen_access_list?

OT: ANN: rulestats - spamassassin and rspamd daily rule statistics


I was interested which spamassassin (including dspam) and rspamd rules are used in my mail system and I needed some statistical output. For this, I have written two little helper scripts that can be put into logrotate. They will produce reports for each filter.

<a href="" title=""></a>

The provided examples show reports for both filters.

Thanks for feedback. Have fun...


OT: ANN: S/MIME signing milter (for Postfix)


I developed a S/MIME signing milter that can be used with Postfix. It features a simple map file, where you can define email addresses and corresponding certs/keys. If a mail arrives, the milter checks the MAIL FROM address and looks up the map file. If it finds a record, it signs the mail with S/MIME.

The milter is written in C++ (14. Probably 11 will work as well).

I tested it on Mac OS X and Gentoo Linux. Readmes and Man-pages are included.

Is Postfix SMTPUTF8 compatible with milters?


just a short question:

If enabling smtputf8_enable feature in Postfix, is this compatible with milters? The most common library is libmilter and I have no idea, what exactly this Postfix feature means? By asking, I think about two callbacks in libmilter:

xxfi_header(SMFICTX *ctx, char *header_key, char *header_value)


xxfi_body(SMFICTX *ctx, unsigned char *bodyp, size_t body_len)

The first means to me: 7bit for keys and value of a header. The second 8 bit for body chunks (probably byte stream?).

Does this work together with SMTPUTF8 in Postfix?

Thanks in advance


Command pipelining between fully trusted Postfix servers


I searched allover the docs, but could not find information, if the smtp-client of Postfix can do the PIPELIING extension.

I have two Postfix instances on the same host. One is MX-out and the other one is a MSA for clients. The MSA uses dane-only, while the server has the fingerprint of the client. So I thought about the possibility to offer PIPELINING on the server side and to use it on the client side.

Is this possible?

Would this enhance throughput?



Why does SPF fail sometimes?


sorry, if this question might be a little off-topic, but I really do not understand some DMARC reports that I receive in conjunction to this mailing list and maybe someone can help me in digging down the problem:

<?xml version="1.0" encoding="UTF-8" ?>



simple question:

at which point adds Postfix the Return-Path header? Which component is doing that?

Is it also possible to see this header in a milter? In my tests on a submission connector, I do not get this header.

Background to my question: If I really want to do SPF/DKIM/DMARC checks at submission time, I could shoot myself in the feet, if I am not only checking for DMARC, but also having an own domain under DMARC policy. In that case, SPF would always fail. If I read the RFC for SPF correctly, SPF must use the Return-Path.

Kind regards


Transport based on next hop


I have a trivial question, which could become a wish list feature.

There are three MTAs. First is a web server postfix instance that relates all mail to the second MTAS, a relay server, which can send mail directly to the world. This relay server and a third MTA are two postfix multi instances.

The relay server is for all kinds of other satellites (other machines with i.e. Cron and log heck messages), for some business customers, who want to send newsletters or mails with a little bit larger attachments.

Question for syntax in snapshot 20120921


I read the RELEASE_NOTES and tried to modiy one milter.

TLS client certificate


I hope my question is not off topic. I try to create a self signed certificate, which is signed by my own CA. I have created a pkcs12 file, which includes cert, key, and CA:

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -CAfile cacert.pem -chain -out croessner.p12

I have imported this file on Mac OS X. I explicitly have given a full trust to the CA certificate and hav moved it to „System“.

Postfix smtpd/tls segfault problem


yesterday I encountered a problem.

smtpd running chrooted


I just finished setting up Postfix to use sasl/external with auxprop
plugin ldapdb. So far, anything works like a charm.

SASL auxprop ldapdb result attribute


I want to have postfix do sasl with auxprop ldapdb and not with dovecot

Reason: I have a rnsMSDovecotEnable flag in ldap to disable imap/pop3
accounts. But this also would disable postfix as well, which I do not
want for accounts that just relay mail over postfix. I need to have this
"disable" flag, because iterate_query in dovecot shall not list accounts
that do not have an existing mailbox on the filesystem.



If I read correctly, these solutions are simple but only provide PLAIN
and LOGIN mechs.

vim syntax for 2.8.0


I have added all dnsblog*, tlsproxy*, postscreen* and main keywords to pfmain.vim (this file is taken from Ubuntu Lucid). If you like to have syntax highlighting for vi, put it under .vim/syntax/


relay question


sorry, if this question might sound a bit stupid, but if I specify relay_recipient_maps with all valid recipients that postfix should relay for, why does it need relay_domains set? As an example:

I have connected relay_domains to LDAP and have an object that returns all domains.

postscreen question


do you have nearer information on this:

Jan 1 06:35:00 mx postfix/postscreen[5599]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan 1 07:16:56 mx postfix/postscreen[6289]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan 1 07:19:59 mx postfix/postscreen[7574]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible Berkeley DB bug)
Jan 1 07:38:25 mx postfix/postscreen[7806]: close database /var/lib/postfix/ps_cache.db: No such file or directory (possible

PREPEND problems


I am a little bit stuck with prepending one and exactly one additional header to outgoing mails that are sent from local users. In fact I want to add a VBR-Info:- header for outgoing mails.

Local users use a seperate MSA port (own IP-socket in The socket is configured with smtpd_proxy_filter off and using content_filter. So the whole mails gets queued before giving it to amavis (in my setup).

Inside the MSA part, I first defined a check_sender_access rule and thought that would do the job. But today I saw that for _each_ To: address a header is prepended.

Understanding TLS


first of all, I am not an SSL expert, so I hope you could help me understanding something. I have Postfix configured as MSA/MTA with latest postfix experimental. On port 25 of the mx0.roessner-net, which is the main mail exchanger for other MTAs, I do not offer AUTH, but want to offer STARTTLS.

On the MSA side, the side to my clients, I wish to offer STARTTLS and AUTH.

Spamhaus DWL in postfix


I am interested in including the DWL feature from SpamHaus into postfix. First question:

Is there already a working mechanism to include this service and if not, how could this be done?

As far as I understood, DWL works in the way that a sender includes a VBR-Info:-Header. That can simply be done with client_sender_access and PREPEND, ok. But on the receiving side, it becomes a bit more complicated:

I use smtpd_recipient_restrictions for all of my tests. With DWL, this could become a problem, because the VBR-Header is sent in the DATA phase.

recipient limit in policy service


sorry to ask that, but I try to understand a problem that I found by writing a policy server.

OT: dns whitelisting with a postfix policy service


I have seen that several services on the internet started with DNS whitelists. So I was looking for a way on how to integrate it into Postfix. Blacklisting seems to be easy, but whitelisting not. So I was looking how to write a policy service. I have coded a python daemon called that currently can deal with spamhaus whitelists and lists as well. It is in early stage, but seems to work here.

Question to Wietse


sorry to use the list to contact you, but I tried to send you a mail off the list and it is not deliverable (yet):

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
5191D520B4 6013 Sat Oct 9 09:54:10 <a href=""></a>
(host[] said: 450 4.1.7 <>: Sender address rejected: unverified address: host[] said: 450 4.3.2 Service currently unavailable (in reply to RCPT TO command) (in reply to RCPT TO command))

proxy_smtpd_filter vs FILTER action


I have a problem that the smtpd_proxy_filter option has higher priority than a FILTER setting in an access table:

Sep 30 12:33:04 mx0 postfix/smtpd[5250]: warning: access table cidr:/etc/postfix/maps/client_access.cidr: with smtpd_proxy_filter specified, action FILTER is unavailable

What I need is a mechanism to re-route a mail to a different policy-bank in amavis, if a MTA-client is found in a whitelist:

smtp inet n - - - 1 postscreen
smtpd pass - - - - 10 smtpd
-o smtp_bind_address=
-o smtpd_prox