Postings by J Doe

EHLO restrictions and address literals


I have a question regarding restrictions I can place on EHLO in the smtpd_helo_restrictions parameter.

I have a Postfix server that is Internet facing. I periodically receive e-mail where the other MTA sends an EHLO of an address literal.

Question regarding DNSBL behaviour


I have a question regarding DNSBL usage with the smtpd_client_restrictions parameter.

I have a server configured to check SpamHaus:
. . .
smtpd_client_restrictions = reject_rbl_client[2..11],
. . .

This has been working very well, although I noticed the following error in my syslog:

Sep 7 16:13:08 server postfix/smtpd[28363]: warning: RBL lookup error: Host or domain name not found.

DKIM signing of bounce back messages


I have a question regarding DKIM signing on Postfix bounce back messages.

I was tuning my Dovecot installation around quotas. I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota. The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.

Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.

Connections from "unknown"


I noticed something interesting in my logs today. I am running Postfix 3.3.1:

Aug 24 21:09:25 server postfix/submission/smtpd[10256]: connect from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: lost connection after CONNECT from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: disconnect from unknown[unknown]:unknown commands=0/0

It is clear that this was a bad connection, but under what circumstances does Postfix consider a remote connection’s address as “unknown” ?

Best place for DNSBL restrictions


I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:

postscreen_dnsbl_sites =
postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBLs and specify filters and weighting. While looking at various samples of
using DNSBLs, I came back to an old question - where should I implement DNSBL restrictions ?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.

Question regarding OpenDKIM milter with Postfix 3.1.0


I apologize for asking a question that is only tangentially related to Postfix, however the OpenDKIM mailing lists do not appear to be accessible.

I am using Postfix 3.1.0 and OpenDKIM 2.10.3.

Postfix, milters and quarantine actions


I had some questions regarding milters in general, with the questions initially focused on the OpenDKIM milter (version 2.10.3), on Postfix 3.1.0.

In man 5 opendkim.conf, under the CaptureUnknownErrors parameter, it specifies:

When set, and on systems where MTA quarantine is available, the
filter will request quarantine of a message that results in an internal
error or resource exhaustion.

My questions are:

1. Is this supported on Postfix 3.1.0 and later ?


Forcing TLS 1.2 on submission


I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d clients on the submission service.

In I have added the following to the submission service:

-o smtpd_tls_ciphers=high
-o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

…however, when I test via the OpenSSL client:

openssl s_client -connect -starttls smtp -tls1

…it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS 1.2 on successive tests.

What am I doing wrong ?


- J

Question regarding 8BITMIME / BINARYMIME


I have a question regarding 8BITMIME.

I know Postfix supports 8BITMIME and does not support BINARYMIME, but I am wondering why both 8BITMIME and BINARYMIME are ESMTP extensions. It would appear that 8BITMIME solves the same problem as BINARYMIME (allow 8-bit encoding of MIME), so why wasn’t BINARYMIME made obsolete in the RFCs ?

Also - because 8BITMIME seems to solve the problem without CHUNKING, is that why Postfix supports it over BINARYMIME ?


- J

Removing trace records on submission MSA


I have a question in regards to removing some trace records when providing submission on Postfix 3.1.x and later.

While reading RFC 6409 (“Message Submission for Mail”), I note that the RFC observes that:

“Even when submitted messages are complete, local site policy may dictate that the message text be
examined or modified in some way, e.g., to conceal local name or address spaces.”

By this I take it that I could remove perhaps the initial trace message that returns information about internal addresses
and network names.



I have been reading about the ESMTP CHUNKING extension (RFC 3030), after noticing that both Hotmail and Gmail advertise it on EHLO.

ETRN use and Postfix configuration


I read the “Postfix ETRN Howto” [1] as well as man 5 postconf with regards to:



Question regarding VRFY


I read in both the Postfix man file (man 5 postconf), and the SMTP RFC (5321), that VRFY can be disabled on a site-by-site basis.

I disabled this on my server for port 25 but am wondering if I should leave this enabled on my Postfix instance that provides submission (587) ?

General websites on e-mail administration that also cover Postfix ?


I was looking for some websites that covered e-mail administration in general and that also mentioned Postfix.

I checked the Postfix homepage [1] and on the link “Howtos and FAQs” there are two links at the bottom under the heading “General E-mail/System Administration”. Unfortunately the first link appears to be dead and the second link is more of a discussion of the C10K problem, which appears to be more of use to people writing software on the scale of Postfix.

Can anyone recommend any good sites that cover e-mail administration in general ?

IP ACLs for smtpd port 25 and not submission


I currently use postscreen on my Postfix version 3.1.0 mail server. I implement IP ACLs via it to ban malicious connections (generally from xDSL IP blocks), against smtpd running on port 25.

I have recently configured and turned on submission with SASL. With submission available, I don’t want to ban any particular xDSL IP blocks as clients that are travelling around the world may make use of Internet in cafes, hotels, etc.

Diffing man 5 postconf changes between releases


I currently use Postfix version 3.1.0. I know that there are announcements of feature changes between each release of Postfix via e-mail and I read these, but I was wondering if there was an easy way to see the changes to the configuration parameters between versions ?

For example, can I somehow diff the difference between man 5 postconf on version 3.1.0 and the current release of Postfix ?

Question regarding smtpd DNS resolution


I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname does not resolve to address Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error


submission configuration in


I was wondering about a configuration parameter listed with the default submission configuration in

One of the parameters that overrides the settings in “milter_macro_daemon_name” is set to “ORIGINATING” instead of the default value in

Why is this done ?


- J

Request for feedback on SMTPD restrictions


I have a basic SMTP server set up with what I believe to be good smtpd_*_restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions.

Question regarding SASL auth only over TLS in SMTP server


I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

A more sophisticated policy . . .

Cyrus vs Dovecot for SASL AUTH and IMAP


I am looking to use either Cyrus or Dovecot for both SASL authentication and IMAP. While Postfix 3.1.0 supports both, I was wondering which to prefer if security is my most important deciding factor ? Does one have a better track record than the other ?


- J

Questions about auto replying in VIRTUAL_README


I have two questions about the “Autoreplies” section in the VIRTUAL_README [1].

If I was setting up auto replies for the virtually hosted domain of “”, would the correct configuration be:

virtual_alias_maps = hash:/etc/postfix/virtual
transport_maps = hash:/etc/postfix/transport

... at example dot com ... at example dot com,
... at example dot ... at autoreply dot

/etc/postfix/transport autoreply:

autoreply unix - n n - - pipe

Questions regarding elliptic curve support


I had two short questions regarding Postfix’s elliptic curve support for the SMTP server.

1. Under the man documentation for: tls_eecdh_strong_curve the documentation states “...approximately 128-bit security...”. Is that saying that it is equivalent to 128-bit RSA or it provides an elliptic curve key size of nearly 128 bits ?

2. To make use of elliptic curve encryption a TLS certificate must have been made with support for elliptic curves, correct ? A TLS certificate using RSA keys will not work ?


- J

Minor grammar mistake in man 5 postconf


I noticed a very small grammatical error under: man 5 postconf

Under the configuration parameter: tls_dane_digest_agility under the “maybe” option, the second last sentence states:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will disabled.”

This should be changed to:

“When this constraint is violated, or any of the digest records are malformed,
digest algorithm agility will *BE* disabled”

- J

TLS session tickets versus TLS session cache


I have noticed in the Postfix documentation (man 5 postconf), that the smtpd_tls_session_cache_database parameter notes:

“As of Postfix 2.11 the preferred mechanism for session resumption is RFC 5077 TLS session tickets...for Postfix >= 2.11 this parameter should generally be left empty”

I note that this text is NOT in the smtp_tls_session_cache_database parameter notes.

For Postfix version 2.11 and later, should BOTH smtp_tls_session_cache_database and smtpd_tls_session_cache_database be left empty to use session tickets, instead, or is that only for the SMTP SERVER ?


- J

Question regarding smtpd_recipient_restrictions


I have a basic question regarding the smtpd_recipient_restrictions parameter.

From what I understand, these are restrictions applied to the SMTP RCPT TO command.

In the case of a server that receives mail for a domain and also allows clients to send mail through it (via AUTH’d clients), does smtpd_recipient_restrictions apply to recipients at the domain or to recipients of mail sent by the AUTH’d clients or both ?

So, as an example, if the server handles mail for, do the restrictions apply to:

1. Recipients at (example: ... at example dot com is recipient)


Distinction between next-hop and nexthop ?


I was reading the documentation for the smtp_tls_verify_cert_match parameter in man 5 postconf and noted under the “nexthop” strategy that both next-hop and nexthop are specified.


“Match against the next-hop domain...”

“When MX lookups are not suppressed, this is the original nexthop domain...”

Up until this point, I had been viewing them as interchangeable, but are they in fact referring to two different things/terms ?


- J

Question regarding use of amavisd-new


I was wondering if fellow Postfix users would still recommend using amavisd-new when integrating AV (ClamAV), and spam filtering (SpamAssassin) ?

The site I have this in mind for receives a moderate amount of e-mail per day.

This appears to be the most mentioned configuration via web searches, but I was wondering if this still held true for 2017/2018 (amavisd-new’s last release was 2016/04/26) ?


- J

Question about CAs for the smtp client


I have a question regarding specifying where the list of trusted CAs is in regards to the smtp client.

In man 5 postconf, I can see there are two configuration parameters regarding this:


The documentation (as I understand it), notes that:

1. smtp_tls_CAfile

— Specifies the file that contains CA certs of root CAs trusted to sign either remote SMTP server certificates or intermediate CA certificates


Determine if Ubuntu 17.10 (desktop) is using Wayland


If I recall correctly, Ubuntu 17.10 (desktop version), uses Wayland if the computer’s hardware supports it. Is there an easy way for me to determine on a running 17.10 machine if Wayland is being used or if the OS is falling back to X ?


- J