Postings by mrobti

postwhite? (why not?)

Asking for opinions about postwhite.
<a href="" title=""></a>

Below is the default whitelist domains. It's nice idea, but what about
the time when spammers got hold of 10.000 hotmail accounts?

OTOH this is only for postscreen and not whitelisted your antispam
engine so seems like a good idea.

postscreen_dnsbl_whitelist_threshold and SORBS and Google

Right now and for at least the last 24hours+ gmail IPs are on SORBS.
Good, I don't mind. However, it's causing Gmail to hit after-220 deep
protocol tests in postscreen and this causes long delays because Gmail
rotates sending IPs.

I scroe 2 points.

Deprecated? smtpd_tls_session_cache_database

I thought I had read somewhere that modern versions of Postfix you
shouldn't set up smtpd_tls_session_cache_database but I can't see
anything in the docs now.

Reading docs still it seems smtpd_tls_session_cache_database can be
useful. What is behavior when its empty(default)?

Whitelist some clients from helo restrictions

I use reject_unknown_helo_hostname even though it rejects legitimate
mail, it also catches a reasonable amount of bad things.

I want to whitelist some clients of course.

CAA records using PowerDNS from EPEL

PowerDNS supports CAA records beginning with version 4.0, but the pdns
package in EPEL for most recent centos versions is stuck at around
version 3.4 (3.4.11 is what I have).

Do I have no other choice but to manually compile and maintain my own
pdns installation? I prefer to avoid this but I need up-to-date

Perhaps there is a PowerDNS specific work-around? Maybe the EPEL
maintainers backported CAA record support?

Thank you for any assistance.

Question about logging mismatched DNS in submission server

Lately it looks like some zombie bot farm is connecting to submission
(and looks to do nothing except connect), causing many of these in the

Oct 28 06:15:35 mail postfix/smtpd[12941]: warning: hostname x.y.z does
not resolve to address Name or service not known

For submission service where clients often connect from dynamic IP
address ranges, maybe seeing these is not important - just noise, so I
am curious about why postfix is logging this. Does this mean client is
somehow attempting to send before (without) doing any AUTH?

How to fake Per-Recipient Data Responses (PRDR)?

Hello, short of Per-Recipient Data Responses (PRDR) becoming standard,
may I ask how administrators are faking it? I understand you can
temp-fail all but the first rcpt-to, but how to do this in Postfix? Does
it require a custom milter? Surely there must be a published solution

Outgoing rate limit based on number of bad recipients

Has anyone done something like this for Postfix who is willing to share?

Rate limit outgoing mail based on the number of bad recipients as a more
intelligent rule that won't impact regular users (intended to stop abuse
of compromised accounts).

<a href="" title=""></a>
<a href="" title=""></a>

reject_unknown_client_hostname allowing slight mismatch

I have reject_unknown_client_hostname in smtpd_client_restrictions.
Some clients are able to pass this restriction with accompanying warning
when the hostname does not point to the IP address of the client.

Testing reject_unknown_client_hostname

Hello, in Postfix v3.1 I'm having a hard time getting
reject_unknown_client_hostname to bounce test messages.

I set an external host's Postfix myhostname to be purposefully
incorrect, like and sent a message to the test
system. If I have reject_unknown_helo_hostname enabled, it will reject
such messages.

Bypass restrictions for postmaster/abuse

Hello all,

Is there a best practices for exempting the postmaster/abuse address
from certain smtpd_mumble_restrictions?

For example, we see some small businesses who have trouble getting past
reject_unknown_helo_hostname and reject_unknown_client_hostname and if
we reach out to them, we need to allow their reply to our postmaster
address to get delivered, obviously bypassing the checks that originally
caused the rejections.

I think each organization will have restrictions that they deem
important enough to place even before exemptions for postmaster, but I'd
like to learn what other

DNS problem (

Last few days, I'm seeing large amount of failures in a log file for
domains using

to=< ... at example dot com>, relay=none, delay=13190, delays=13187/0.08/2.2/0,
dsn=4.4.3, status=deferred (Host or domain name not found.

When is .forward handled?

I was recently surprised to see .forward file in user's home dir being
honoured in a context where mail is set to be delivered via LMTP to
dovecot for final delivery. A response I got on the dovecot list implied
that the MTA is responsible for this.

Does Postfix handle .forward just before it hands the message off using
LMTP? How does this work? I wouldn't have expected this unless Postfix
was doing the actual delivery, though it's not unwelcome - it's a mildly
helpful feature but I want to understand how it works.

How does envelope change?

I'd like to understand the differences in the envelope fields at points
where external filtering can happen:

* content_filter when receive_override_options=no_address_mappings (sent
to filter via SMTP)

* content_filter when address mappings have occurred (sent to filter via

* in the delivery agent (given to delivery agent via LMTP)

How would a content filter see the envelope fields in these cases? What
fields change? Can adding a X-Original-To header help the delivery agent
see the message as originally received?

Best place to filter spam (x-original-to, no_address_mappings)


I am looking at a system where SpamAssassin is called out from the
delivery agent. I know there will be a difference here in terms of the
envelope information but I'm not familiar enough to know the pitfalls of
this versus calling SA from the postfix content_filter.

Specifically, I believe it's recommended to call SA in context of
receive_override_options=no_address_mappings but this wouldn't be the
case when we are in the delivery agent I think.

Understanding reject_unknown_(recipient|sender)_domain


Reading the postconf explanation of reject_unknown_recipient_domain and
reject_unknown_sender_domain, I'm having trouble understanding where
these find their use.

For incoming mail: The first test criteria for both is that Postfix not
be the final destination for the recipient/sender domain, so when
Postfix is not set up with a catchall and rejects unknown users, am I
correct to think there is no use for these here?

Likewise for outgoing messages: The criteria for the domain needing to
have valid, well formed MX -- even without reject_unknown_sender_domain,
Postfix won't be able

Effects of very large message_size_limit?

Hi, I'm wondering what the downside of setting a large
message_size_limit are?

By "large" I mean 30MB, 40MB, 50MB

I think sendmail has a default of no restriction for message size - that
seems crazy, but maybe I don't understand the risks well enough.