Postings by Dominic Raferd

Local delivery to mbox / inode issue

I am using incrond to monitor an mbox file (in /var/mail) for changes, but
it is failing to trigger when postfix adds an incoming mail to the file.
(It triggers fine however if I touch the file.)

I may be barking up the wrong tree but I wonder if this is because instead
of merely appending to the existing mbox file, postfix/local rewrites the
file so that its inode changes (which I know breaks incrond's ability to
monitor a file).

See a double-bounce mail generated by my postfix

I would like to be able to see an example of a double-bounce message
generated by my postfix (3.3.0) server. Can I get my postfix to send me
(say to an unrelated external mailbox) a double-bounce message?
Alternatively is there a way I can save, on the server, the double-bounce
message as and when it sends it to a third party?

454 4.7.1 Relay access denied

Checking my logs I see that some senders are trying to fake our domain
and use our server to send mails to third parties masquerading as one
of our own domains (without authenticating first).

They are stopped by smtpd with response 'Relay access denied', but
instead of 5xx permanent rejection smtpd gives 454 4.7.1 temporary
rejection, which surely encourages them to keep trying. Why is this,
and can I change it?

warning: TLS library problem - messages in log

I have always received a number of warning messages (from
postfix/smtpd) stating 'TLS library problem' in my mail logs and I
think they are always followed by a dropped incoming connection. I
have hitherto assumed that they reflect a badly-configured (probably
spamming) foreign client/host, but the messages could be read as
implying an internal problem on my mailserver.

Shell script to remote test AUTH with STARTTLS at postfix/dovecot server

I regularly test my remote mail servers (which use postfix - with
dovecot for authentication) to check they are live and functioning,
including that they are responding correctly to authorised login with

I currently use this (sorry about line breaks, the original is on one line):

timeout 20 /bin/bash -c "{ time (sleep 2; echo \"EHLO $(hostname
-f)\"; sleep 0.3; echo -n \"AUTH PLAIN \"; printf '%s\0%s\0%s'
\"$USERNAME\" \"$USERNAME\" \"$PASSWORD\"|base64; sleep 0.3; echo
\"QUIT\"; sleep 2; exit) | openssl s_client -connect $MX -starttls
smtp 2>/dev/null >${TMPF}0; } 2>${TMPF}2"


Response to sender when mail is put to hold queue

I don't know what response is given to the sending client when postfix
puts an incoming mail into the hold queue, say because of an access
table HOLD action.

At the time of actioning the hold, is sender told the mail has been
delivered (250), or something else - or is no response given at all?

Is there an attempt to give any info back to original sender when the
mail is finally released for delivery, or deleted - which may of
course be much later? (I do not allow DSN requests from strangers, if
this makes any difference.)

bounce notify class

I want to turn off the the bounce error class to reduce clutter in my
postmaster mailbox, but don't want to miss something important.

The bounce error class is defined (
<a href="" title=""></a>) as: 'Send the
postmaster copies of the headers of bounced mail, and send transcripts of
SMTP sessions when Postfix rejects mail.'

I understand the second of these (and receive many of them, which I don't
want) but not the first (and don't seem to receive any).

What are 'copies of the headers of bounced mail' - would this be mail that
has been bounced by Postfix (not int

How to bounce a queued mail

We occasionally get emails in our postfix queue that can never be delivered
but which are held in the queue for a week before postfix bounces them
(example: sender has typed instead of I realise this
delay is the correct behaviour, but how can I - by exception - bounce a
queued mail immediately, with notification back to sender?

Recommended way to pause postfix local delivery while taking snapshot for backup

Is there a best/recommended way to pause postfix local deliveries so that I
can take an LVM snapshot of the local mails for backup purposes? The pause
only has to be momentary, while the snapshot is taken, but the files need
to be in a consistent state. If anyone also knows the way to pause Dovecot
imap/pop3 similarly (as this could also be accessing the same files), that
would be helpful too.

double bounce messages 'from'

One of the few remaining issues on my postfix server is that
double-bounce messages don't come from the 'right' envelope sender.

I would like it to be <a href="mailto: ... at mydomain dot tld"> ... at mydomain dot tld</a>, or (better)
double_bounce+ ... at mydomain dot tld. Instead it is
<a href="mailto: ... at vps3456789 dot mydomain.tld"> ... at vps3456789 dot mydomain.tld</a>. In other words the domain part
of the sender address contains a sub-domain. This breaks our spf and
is untidy; and it doesn't happen with other mail messages created on
the server (e.g. by cron), which come from <a href="mailto: ... at mydomain dot tld"> ... at mydomain dot tld</a>. Is
this fixable?

Response from gmail at end of transmisssion not passed to smtp_delivery_status_filter

I am puzzling over why postfix fails to pass a response from gmail at
the end of an outgoing transmission through to

I am trying to trap a transient failure code response from gmail and
replace it with a permanent code and to do this I am using
smtp_delivery_status_filter=pcre:/etc/postfix/smtp_dsn_filter. To
debug it I am running smtp with -v.

I give two real-life (obfuscated) examples below which happened
seconds apart.

Delay re-sending message following onward rejection

Is there a way to delay re-sending a message following an onward
rejection? I am getting occasional messages back from an onward server
(gmail) about a bad email; within a second we remove the bad email
from the queue and block the originator's ip.

Access table lookup not as expected

Obviously I am being thick but can someone explain why this does not
work as I would expect.

smtpd ... SSL_accept error from ... lost connection

In general my postfix mail server is working well, it is receiving
emails with optional STARTTLS. But I am occasionally seeing an error
message like this in the log:

2016-12-11 00:32:19 dl1 postfix/smtpd[13665]: SSL_accept error from
unknown[]: lost connection

The connection giving rise to the error is never from one of our
machines/users. Should I be worried about it? Does it indicate some
bad configuration on my side?


Retry onward server on transient error before using fallback relay

I'm using Postfix 3.1.0. If a message is rejected by an onward server
with a transient error message (e.g.

After smtps rejection, fails falling back to smtp (TLS) (Postfix 3.1.0)

I am using Postfix 3.1.0 and following instructions at
<a href="" title=""></a>
<>to set up for
sending some (recipient dependent) emails via smtps (whereas others go
over TLS to a different relay server). This uses the transport_maps
settings <>, a transport file (hashed) and
special routing (relay-smtps) <>.

This works - when the onward smtps server accepts the emails.

After smtps rejection, fails falling back to smtp (TLS) (Postfix 3.1.0)

I am using Postfix 3.1.0 and following instructions at
<a href="" title=""></a> to set up for sending
some (recipient dependent) emails via smtps (whereas others go over TLS to
a different relay server). This uses the transport_maps settings in,
a transport file (hashed) and special routing (relay-smtps) in

This works - when the onward smtps server accepts the emails. However in my
case this doesn't always happen - basically they sometimes block when we
are over quota.