Postings by Patrick Ben Koetter

Retiring oqmgr?

Configuring a new Postfix server I just ran across the commented entry for
oqmgr and I thought: It must have been ages since qmgr had been renamed to oqmgr and
it might be time to remove that entry from


HAPROXY protocol version?


I'm trying to find out which version (1,2) of the haproxy protocol Postfix
supports. I couldn't find any reference in the documentation nor in the src
files. Is there any and I missed it?



ANN: vim syntax highlighting for Postfix

vim comes with syntax highlighting for Postfix, but the syntax file is
outdated and doesn't cover LDAP and other drivers.

For those who like an up to date syntax highlighting that reflects your
Postfix installation take a look at <a href="" title=""></a>.

Christian (Rößner) took the time to create two scripts that will create syntax
files. The README tells how to install them. Worked out of the box for me.


ANN: savacli - Avira SAVAPI command-line client


I'd like to announce the release of savacli. It is a command-line client for
AVIRA's OEM Antivirus engine SAVAPI. You may download sources and documentation
at <a href="" title=""></a>.

The client 'savacli' was built in a project for a German company that wants to
remain anonymous. However they expressed a strong want to release savacli as
Open Source Software - a natural desire we hereby gladly follow. :)



For those who don't know AVIRA: AVIRA builds one of the
fastest and most effective AV-scanners on this planet.

postmulti woes: Invalid 'delete' option suggested as option in output

Erroneously I tried to use the option 'delete' instead of 'destroy' when I ran
the postmulti-command. My fault, but then the output - among many other
options - stated, I should use 'delete' instead of 'delete':

# postmulti -i postfix-test -e delete
postmulti: fatal: Invalid '-e' edit action 'delete'. Specify 'create', 'destroy', 'import', 'deport', 'enable', 'disable', 'assign', 'init' or 'delete'

This sounds like a bug to me. Some voice in the back of my head keeps telling
me 'delete' was replaced by 'destroy' during the development of multiple

postmulti woes

Yesterday I ran into a situation where I tried to create a new postfix
instance, but the *.proto files were missing (i.e. they were there, but in
the wrong place):

# postmulti -I postfix-test -e create
cp: cannot stat '/etc/postfix/': No such file or directory

Nevertheless the directories were created:

# ls -ld /etc/postfix-test/ /var/lib/postfix-test/ /var/spool/postfix-test/
drwxr-xr-x 3 root root 4096 24. Sep 08:39 /etc/postfix-test/
drwx------ 2 root root 4096 24. Sep 08:39 /var/lib/postfix-test/
drwxr-xr-x 2 root root 4096 24.

Postfix 3.x for RedHat/CentOS 7.x


is there anyone who knows a download location of Postfix 3.x packages for
RedHat/CentOS 7.x?



How do Milters and delays "a" play together?

The speed_adjust option for smtpd_proxy_options has a nice side effect. It
affects how Postfix logs delays "a" (a = time from message arrival to last
active queue entry). That's an important feature (to us), because we have SLAs
where the time spent within the MTA must not exceed a certain time.

If I don't enable speed_adjust Postfix will also account the time spent
receiving mail from e.g. slow sending clients. The sending speed is something
we can't control. But it influences the overall time a message seems to have
spent in Postfix.

MILTER_README: Update limitations?


I think the MILTER_README for Postfix 3.x and later should be updated to
reflect the recently added per-Milter settings documented in section
"Different settings for different Milter applications".

The update would remove the last item in the "Limitations" section at the end
of MILTER_README, which reads:

* Most Milter configuration options are global. Future Postfix versions may
support per-Milter timeouts, per-Milter error handling, etc.


Reporting problems to

Perhaps the list of recommendations could be expanded to recommend sending
"postconf -M" output along with "postconf -n". I'd expect this to complement
the overall picture.


ANN: The missing Cyrus SASL man pages

If you need to configure SMTP AUTH in Postfix you either have the choice to
use Cyrus SASL or Dovecot. Cyrus SASL is useful especially on boundary
filters, where you don't want to install Dovecot "just to get authentication".

But Cyrus SASL is a little underdocumented...

Long ago I began to write man pages for Cyrus SASL. During the recent x-mas
holidays I finally found time to finish them and put them online.

I hope they will be useful. Here's the page that links to all man pages:

<a href="" title=""></a>


smtpd_sasl_path ignores native DNS lookups?

Could it be smtpd_sasl_path ignores local (native) lookups even if I specified
native lookup for smtp/lmtp client like this in

smtp_host_lookup = native, dns
lmtp_host_lookup = native, dns

This works:
smtpd_sasl_path = inet:

Using a hostname set in /etc/hosts e.g.

Reverse DNS Failure Code

There's an RFC for "Email Authentication Status Codes"
out, which specifies a dedicated
status code "when an SMTP client's IP address failed a reverse DNS validation
check, contrary to local policy requirements" (see: 3.3. Reverse DNS Failure


Individual smtpd_tls_ask_ccert?

IIRC smtpd_tls_ask_ccert should not be enabled on publicly referenced MTAs,
because there are enough MTAs out there unable to handle client certificate
requests from a server they connect to.

If that is true, would it be possible to make smtpd_tls_ask_ccert client
dependent e.g. request a ccert when the client sends e.g. a specific HELO
hostname? ask_ccert ask_ccert


warning: dane configured, but no requisite library support


I am experiencing troubles enabling outbound DANE on a RHEL 6.5 system:

warning: dane configured, but no requisite library support

suggests, the underlying openssl library is too old. Viktor writes at least
openssl 1.0.0 would be required.

The machine in question runs OpenSSL 1.0.1e-fips. This is where I got stuck.
Could it be the openssl package has been built without DANE support?

posttls-finger: RFE


I am looking for a switch in posttls-finger to tell it where (read: nameserver)
to lookup TLSA RRs.

Problem is: I've updated my zone, but posttls-finger doesn't seem to 'see'
that because my local resolver has cached the DNS zone's information.

Is there an option I didn't see? A better way to handle this?


ca-constraint trust-anchor sha256 digests disabled

Viktor (I guess..),

having followed recent DANE discussions on terminology I have to agree it
isn't really intuitive and I've come to ask for help setting up a correct TLSA

I've used your tlsagen script to create a TLSA RR and updated the ZONE.

OT: amavisd-new-milter rpm

Has anyone seen a recent (>= 1.5.0) RHEL 6 RPM for amavisd-new-milter or a
src.rpm to work/build from?


ANN: automx 0.10 stable

We've just released automx 0.10. This release brings MacOS
and iOS support - it adds the capability to provision mail accounts on MacOS
and iOS devices.

MacOS and iOS-users simply need to point their web browser to an automx
webpage e.g. <a href="" title=""></a> (Testdomain), enter their login and - if
desired - password and automx will serve them a complete mail account profile.
Once the profile import has been confirmed the mailbox can be used

automx automates mail account provisioning, avoids configuration errors and
effectively reduces support costs.