Postings by J Doe

Postfix, milters and quarantine actions


I had some questions regarding milters in general, with the questions initially focused on the OpenDKIM milter (version 2.10.3), on Postfix 3.1.0

In man 5 opendkim.conf, under the CaptureUnknownErrors parameter, it specifies:

When set, and on systems where MTA quarantine is available, the
filter will request quarantine of a message that results in an internal
error or resource exhaustion.

My questions are:

1. Is this supported on Postfix 3.1.0 and later ?


Forcing TLS 1.2 on submission


I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d clients on the submission service.

In I have added the following to the submission service:

-o smtpd_tls_ciphers=high
-o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

…however, when I test via the OpenSSL client:

openssl s_client -connect -starttls smtp -tls1

…it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS 1.2 on successive tests.

What am I doing wrong ?


- J
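
A probe for the question above, as an added example that is not part of the original posting or of Postfix. One check worth making first: postconf(5) says `smtpd_tls_protocols` governs opportunistic TLS only; when the submission service runs with `smtpd_tls_security_level=encrypt`, the list that applies is `smtpd_tls_mandatory_protocols` (and likewise `smtpd_tls_mandatory_ciphers`). The script below parses a Postfix protocol list with the documented semantics, then performs EHLO/STARTTLS against the server with the client pinned to one protocol version at a time, and reports which versions the server accepted against what the list should permit. The host, port and default list are assumptions; the `SECLEVEL=0` cipher string is only there so that a modern OpenSSL client is itself willing to offer TLS 1.0 and 1.1, and it is skipped where the keyword is unsupported.

```python
"""STARTTLS protocol probe for an SMTP submission service.

Added example, not from the original posting.  Needs Python 3.7+ for
ssl.TLSVersion.  Host, port and the configured protocol list below are
assumptions; pass your own on the command line.
"""
import socket
import ssl
import sys

# Protocol names Postfix accepts in its protocol lists
# (TLSv1.3 only with Postfix 3.4+ built against OpenSSL 1.1.1+).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def postfix_protocols(plist):
    """Return the set of protocols a Postfix protocol list permits.

    Semantics of smtpd_tls_protocols / smtpd_tls_mandatory_protocols:
    a leading "!" excludes a protocol, and if any protocol is listed
    without "!", everything not listed is excluded as well.  So the
    mixed list from the posting reduces to {"TLSv1.2"}.
    """
    include, exclude = set(), set()
    for tok in plist.replace(":", ",").replace(" ", ",").split(","):
        if not tok:
            continue
        name = tok.lstrip("!")
        if name not in KNOWN:
            raise ValueError("unknown protocol name: %r" % tok)
        (exclude if tok.startswith("!") else include).add(name)
    allowed = include if include else set(KNOWN)
    return allowed - exclude


def read_reply(f):
    """Read one SMTP reply, multi-line or not; return (code, [text lines])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError("malformed SMTP reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


# Client-side pin for each probe: minimum and maximum version set equal.
PIN = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def starttls_probe(host, port, version, timeout=10.0):
    """EHLO, STARTTLS, then a handshake pinned to one protocol version.

    Returns the version the server negotiated, or None if the handshake
    failed (the server refused that version).  Certificate verification
    is disabled deliberately: this tests protocol policy, not the chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = PIN[version]
    ctx.maximum_version = PIN[version]
    try:  # modern OpenSSL refuses TLS 1.0/1.1 at its default security level
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL / older OpenSSL: no SECLEVEL keyword
    with socket.create_connection((host, port), timeout) as sock:
        f = sock.makefile("rb")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError("no 220 greeting, got %d" % code)
        sock.sendall(b"EHLO probe.invalid\r\n")
        code, caps = read_reply(f)
        if code != 250 or "STARTTLS" not in caps:
            raise RuntimeError("server does not advertise STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(f)
        if code != 220:
            raise RuntimeError("STARTTLS refused with %d" % code)
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError:
            return None
        negotiated = tls.version()
        tls.sendall(b"QUIT\r\n")
        return negotiated


def policy_check(plist, observed):
    """Versions whose observed outcome contradicts the configured list."""
    allowed = postfix_protocols(plist)
    return sorted(v for v, negotiated in observed.items()
                  if (negotiated is not None) != (v in allowed))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    configured = (sys.argv[3] if len(sys.argv) > 3
                  else "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2")
    results = {v: starttls_probe(host, port, v) for v in PIN}
    for v, negotiated in results.items():
        print("%-8s %s" % (v, negotiated or "refused"))
    print("policy violations:", policy_check(configured, results) or "none")
```

Run it as `python3 probe.py mail.example.com 587 '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2'`; any version listed under "policy violations" is one the server accepted although the list excludes it (or refused although the list allows it), which is exactly the TLS 1.0 result described in the posting.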

Question regarding 8BITMIME / BINARYMIME


I have a question regarding 8BITMIME.

I know Postfix supports 8BITMIME and does not support BINARYMIME, but I am wondering why both 8BITMIME and BINARYMIME are ESMTP extensions. It would appear that 8BITMIME solves the same problem as BINARYMIME (allow 8-bit encoding of MIME), so why wasn’t BINARYMIME made obsolete in the RFCs ?

Also - because 8BITMIME seems to solve the problem without CHUNKING, is that why Postfix supports it over BINARYMIME ?


- J

Removing trace records on submission MSA


I have a question in regards to removing some trace records when providing submission on Postfix 3.1.x and later.

While reading RFC 6409 (“Message Submission for Mail”), I note that the RFC observes that:

“Even when submitted messages are complete, local site policy may dictate that the message text be
examined or modified in some way, e.g., to conceal local name or address spaces.”

By this I take it that I could remove perhaps the initial trace message that returns information about internal addresses
and network names.



I have been reading about the ESMTP CHUNKING extension (RFC 3030), after noticing that both Hotmail and Gmail advertise it on EHLO.

ETRN use and Postfix configuration


I read the “Postfix ETRN Howto” [1] as well as man 5 postconf with regards to:



Question regarding VRFY


I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587) ?

General websites on e-mail administration that also cover Postfix ?


I was looking for some websites that covered e-mail administration in general and that also mentioned Postfix.

I checked the Postfix homepage [1] and on the link “Howtos and FAQs” there are two links at the bottom under the heading “General E-mail/System Administration”. Unfortunately the first link appears to be dead and the second link is more of a discussion of the C10K problem, which appears to be more of use to people writing software on the scale of Postfix.

Can anyone recommend any good sites that cover e-mail administration in general ?

IP ACLs for smtpd port 25 and not submission


I currently use postscreen on my Postfix version 3.1.0 mail server. I implement IP ACLs via it to ban malicious connections (generally from xDSL IP blocks), against smtpd running on port 25.

I have recently configured and turned on submission with SASL. With submission available, I don’t want to ban any particular xDSL IP blocks as clients that are travelling around the world may make use of Internet in cafes, hotels, etc.

Diffing man 5 postconf changes between releases


I currently use Postfix version 3.1.0. I know that there are announcements of feature changes between each release of Postfix via e-mail and I read these, but I was wondering if there was an easy way to see the changes to the configuration parameters between versions ?

For example, can I somehow diff the difference between man 5 postconf on version 3.1.0 and the current release of Postfix ?
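
One way to do exactly that, as an added example that is not part of the posting or of Postfix: dump the built-in defaults with `postconf -d` on each installation and diff the two dumps as parameter sets rather than as text, so that added, removed and changed parameters are reported separately. The two dumps embedded below are constructed samples; the parameter names are real, but the values are illustrative and are not the actual defaults of any Postfix release.

```python
"""Diff Postfix parameter defaults between two releases using `postconf -d`
dumps.  Added example, not from the posting.  OLD_DUMP/NEW_DUMP are
constructed samples: the names are real parameters, the values are not the
actual defaults of any Postfix version.
"""
import sys


def parse_postconf(text):
    """Parse postconf output ("name = value" per line) into a dict.

    Handles empty values ("name =") and indented continuation lines.
    """
    params = {}
    last = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:
            params[last] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("not a parameter line: %r" % line)
        last = name.strip()
        params[last] = value.strip()
    return params


def diff_params(old, new):
    """Added/removed parameter names and changed defaults as (old, new)."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": {k: (old[k], new[k]) for k in sorted(common) if old[k] != new[k]},
    }


def report(diff):
    """Human-readable summary, one line per difference."""
    lines = ["+ %s (new parameter)" % k for k in diff["added"]]
    lines += ["- %s (removed)" % k for k in diff["removed"]]
    lines += ["~ %s: %r -> %r" % (k, o, n) for k, (o, n) in diff["changed"].items()]
    return "\n".join(lines) or "no differences"


def diff_dumps(old_text, new_text):
    """Parse two postconf dumps and diff them."""
    return diff_params(parse_postconf(old_text), parse_postconf(new_text))


# Constructed samples standing in for `postconf -d` output of two releases.
OLD_DUMP = """\
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
"""
NEW_DUMP = """\
smtpd_tls_chain_files =
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
"""


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. postconf-3.1.0.txt postconf-3.x.txt
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(report(diff_dumps(a.read(), b.read())))
    else:
        print(report(diff_dumps(OLD_DUMP, NEW_DUMP)))
```

Produce the inputs on each machine with `postconf -d > postconf-$(postconf -h mail_version).txt` (`-d` prints the built-in defaults, `-n` only what main.cf overrides), then run the script on the two files. The text of postconf(5) itself also marks newer parameters with "This feature is available in Postfix x.y and later", which is the other place to look for what changed.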

Question regarding smtpd DNS resolution


I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smtpd[718]: warning: hostname does not resolve to address Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error
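
The check described in the three steps above is forward-confirmed reverse DNS (FCrDNS). The following is an added example, not part of the posting or of Postfix: it implements the PTR lookup, the forward lookup on the PTR name, and the comparison with the client address, producing the client name an MTA would then use ("unknown" on any failure) and a status in the wording of the warning quoted above. The `FAKE_*` tables are constructed so the logic runs offline; `system_ptr`/`system_addr` use the real resolver. It also maps the outcomes onto the two smtpd restrictions that act on them: `reject_unknown_reverse_client_hostname` rejects only when there is no PTR record, while `reject_unknown_client_hostname` also rejects when the forward lookup fails or does not return the client address.

```python
"""Forward-confirmed reverse DNS (FCrDNS), the check behind the Postfix
warning "hostname ... does not resolve to address ...".

Added example, not from the posting.  The FAKE_* tables are constructed
so the logic runs offline; system_ptr/system_addr use the real resolver.
"""
import socket
import sys


def fcrdns(ip, ptr_lookup, addr_lookup):
    """Name a client the way an MTA does: PTR, then forward, then compare.

    ptr_lookup(ip)    -> list of PTR names, or raises LookupError
    addr_lookup(name) -> list of A/AAAA addresses, or raises LookupError
    Returns (client_name, status).  client_name is "unknown" whenever any
    step fails, which is what Postfix then logs as the client name.
    """
    try:
        names = ptr_lookup(ip)
    except LookupError:
        names = []
    if not names:
        return "unknown", "no PTR record"
    name = names[0]
    try:
        addrs = addr_lookup(name)
    except LookupError:
        return "unknown", ("hostname %s does not resolve to address %s: "
                           "Name or service not known" % (name, ip))
    if ip in addrs:
        return name, "ok"
    return "unknown", "hostname %s does not resolve to address %s" % (name, ip)


def would_reject(status, restriction):
    """Whether a given smtpd_client_restrictions entry rejects this status.

    reject_unknown_reverse_client_hostname fires only when the PTR lookup
    yields nothing; reject_unknown_client_hostname also fires when the
    forward lookup fails or does not contain the client address.
    """
    if restriction == "reject_unknown_reverse_client_hostname":
        return status == "no PTR record"
    if restriction == "reject_unknown_client_hostname":
        return status != "ok"
    raise ValueError("unsupported restriction: %s" % restriction)


# --- real resolver ---------------------------------------------------------
def system_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror) as exc:
        raise LookupError(str(exc))


def system_addr(name):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror as exc:
        raise LookupError(str(exc))


# --- constructed DNS table for offline demonstration -----------------------
FAKE_PTR = {
    "192.0.2.10": ["mail.example.com"],        # proper FCrDNS
    "192.0.2.11": ["dsl-11.isp.example.net"],  # PTR name points elsewhere
    "192.0.2.12": ["stale.example.org"],       # PTR name has no A record
}
FAKE_ADDR = {
    "mail.example.com": ["192.0.2.10"],
    "dsl-11.isp.example.net": ["198.51.100.7"],
}


def fake_ptr(ip):
    if ip not in FAKE_PTR:
        raise LookupError("Unknown host")
    return FAKE_PTR[ip]


def fake_addr(name):
    if name not in FAKE_ADDR:
        raise LookupError("Name or service not known")
    return FAKE_ADDR[name]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check of one address
        print(fcrdns(sys.argv[1], system_ptr, system_addr))
    else:
        for ip in sorted(FAKE_PTR) + ["192.0.2.13"]:
            name, status = fcrdns(ip, fake_ptr, fake_addr)
            print("%-12s client=%-22s %s" % (ip, name, status))
```

Running it without arguments walks the constructed table and shows the four outcomes (match, mismatch, forward failure, no PTR); `python3 fcrdns.py 192.0.2.10` performs the live check against the system resolver for one address.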


submission configuration in


I was wondering about a configuration parameter listed with the default submission configuration in

One of the parameters that overrides the settings in “milter_macro_daemon_name” is set to “ORIGINATING” instead of the default value in

Why is this done ?


- J

Request for feedback on SMTPD restrictions


I have a basic SMTP server set up with what I believe to be good smtpd_*_restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions.

Question regarding SASL auth only over TLS in SMTP server


I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

A more sophisticated policy . . .

Cyrus vs Dovecot for SASL AUTH and IMAP


I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP. While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor ? Does one have a better track record than the other ?


- J

Questions about auto replying in VIRTUAL_README


I have two questions about the “Autoreplies” section in the VIRTUAL_README [1].

If I was setting up auto replies for the virtually hosted domain of “”, would the correct configuration be:

virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

... at example dot com ... at example dot com,
... at example dot ... at autoreply dot

/etc/postfix/transport autoreply:

autoreply unix - n n - - pipe

Questions regarding elliptic curve support


I had two short questions regarding Postfix’s elliptic curve support for the SMTP server.

1. Under the man documentation for: tls_eecdh_strong_curve the documentation states “...approximately 128-bit security...”. Is that saying that it is equivalent to 128-bit RSA or it provides an elliptic curve key size of nearly 128-bits ?

2. To make use of elliptic curve encryption a TLS certificate must have been made with support for elliptic curves, correct ? A TLS certificate using RSA keys will not work ?


- J
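
On the “128-bit security” wording, as an added note that is not part of the posting: the figure is an attack-cost estimate, not a key length. The best generic attack on the elliptic-curve discrete logarithm problem (Pollard rho) on a curve whose group order $n$ is a 256-bit prime costs on the order of

$$\sqrt{n} \approx 2^{256/2} = 2^{128}$$

group operations, so a 256-bit curve such as prime256v1 (the default for tls_eecdh_strong_curve) gives roughly 128 bits of security; the RSA modulus usually quoted for the same level is 3072 bits, not 128 (NIST SP 800-57 Part 1). The same estimate for the 384-bit curve secp384r1 (the tls_eecdh_ultra_curve default) gives $\sqrt{2^{384}} = 2^{192}$, i.e. about 192-bit security. On the second question: ECDHE key agreement does not require an EC certificate. With an RSA certificate the server signs its ephemeral EC key-exchange parameters with the RSA key (the ECDHE-RSA cipher suites), so the curve setting applies to RSA-certified servers as well.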

Minor grammar mistake in man 5 postconf


I noticed a very small grammatical error under: man 5 postconf

Under the configuration parameter: tls_dane_digest_agility under the “maybe” option, the second last sentence states:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will disabled.”

This should be changed to:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will *BE* disabled”

- J

TLS session tickets versus TLS session cache


I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER ?


- J

Question regarding smtpd_recipient_restrictions


I have a basic question regarding the smtpd_recipient_restrictions parameter.

From what I understand, these are restrictions applied to the SMTP RCPT TO command.

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipient_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both ?

So, as an example, if the server handles mail for, do the restrictions apply to:

1. Recipients at (example: ... at example dot com is recipient)


Distinction between next-hop and nexthop ?


I was reading the documentation for the smtp_tls_verify_cert_match parameter in man 5 postconf and noted under the “nexthop” strategy that both next-hop and nexthop are specified.


“Match against the next-hop domain...”

“When MX lookups are not suppressed, this is the original nexthop domain...”

Up until this point, I had been viewing them as interchangeable, but are they in fact referring to two different things/terms ?


- J

Question regarding use of amavisd-new


I was wondering if fellow Postfix users would still recommend using amavisd-new when integrating AV (ClamAV), and spam filtering (SpamAssassin) ?

The site I have this in mind for receives a moderate amount of e-mail per day.

This appears to be the most mentioned configuration via web searches, but I was wondering if this still held true for 2017/2018 (amavisd-new’s last release was 2016/04/26) ?


- J

Question about CAs for the smtp client


I have a question regarding specifying where the list of trusted CAs are in regards to the smtp client.

In man 5 postconf, I can see there are two configuration parameters regarding this:


The documentation (as I understand it), notes that:

1. smtp_tls_CAfile

— Specifies file that contains CA certs of root CA’s trusted to sign either remote SMTP server certificates or intermediate CA certificates


Determine if Ubuntu 17.10 (desktop) is using Wayland


If I recall correctly, Ubuntu 17.10 (desktop version), uses Wayland if the computer’s hardware supports it. Is there an easy way for me to determine on a running 17.10 machine if Wayland is being used or if the OS is falling back to X ?


- J

Question regarding smtp_per_record_deadline parameter


I currently have a server that is configured as a mail forwarding domain [1]. Using as an example:

virtual_alias_domains =
virtual_alias_maps = hash:/etc/postfix/virtual

... at example dot com users-gmail- ... at gmail dot com

As such, the SMTP client is used to forward the messages to each user’s existing Gmail addresses.

I was reading more about the smtp client parameters and read about smtp_per_record_deadline.

Question about postscreen_cache.db


I have an admittedly basic question, but I have been trying to troubleshoot this for a while with no success.

I have enabled postscreen(8) on Postfix 3.1 and receive a warning in mail.log:

“close database /var/spool/postfix/var/lib/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)”

A quick Google of this returns that this is caused on Debian systems that run Postfix in a jail (which matches my system).

Question about message_drop_headers and DKIM


I have a question regarding the message_drop_headers configuration parameter.

The man page states that it:

“[specifies] names of message headers that the cleanup(8) daemon will
remove after applying header_checks(5) and *BEFORE* invoking Milter

Checking man 8 cleanup I note this relates to:

“...inbound mail...inserting into incoming mail queue...”

On the smtpd(8) server process, I have OpenDKIM configured to run as a Milter.

Removal or obfuscation of mail_name


I was reading about the mail_name parameter in

I was wondering (and I know the gains would be minor given that this falls into security through obscurity), is there anything to gain by either removing this or specifying something false ?

Is there any third-party servers or tools in the e-mail ecosystem that would depend on this being “Postfix” ?


- J

Question about relay_domains parameter


I currently have my server configured to perform virtual domain hosting. It forwards mail addressed to addresses for my virtual domain (ex:, to Gmail accounts.

Mail —> ... at example dot com —> ... at gmail dot com

I was reading more about the relay_domains parameter in “man 5 postconf”. It states:

“[specifies] destination domains (and subdomains thereof) this system
will relay mail *TO*”

I note that on Postfix 3.0 and later (my server is Postfix 3.1.0), this value defaults to an empty value.

Eliminating backscatter


One of my mail servers (Postfix 3.1.0), is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.

I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses. My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.