Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users from sending mail to a particular group email ID and allow only a few users, with smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mail to the group ID. I have the same restriction working fine with Postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Is it possible to simulate mod_ssl crl checks by hand?


Question: How do I craft an `openssl verify` command to test
validating the client's ssl cert in a way that mimics what apache is
actually doing based on the configuration directives in use?

I have been looking through the source code, but it's been over 25
years since I studied Kernighan and Ritchie in college and I'm
struggling to follow it through.

My assumption has been that `SSLCARevocationCheck chain` is equivalent
to `openssl verify -crl_check_all` whereas `SSLCARevocationCheck leaf`
is equivalent to `openssl verify -crl_check`, but this seems to be
complicated by the SSLCARevocationPat

best practice for HA cluster


Which work method do you guys prefer for ha with postfix?

2 postfix nodes with f5 load balancer active passive and shared storage for the queue
How can you share config between active and passive?

Need a conditional rewrite/redirect rule

I don't write conditional rewrite rules often but this is a case where I need one.

Problems invoking amavis from postfix

I am building a new system on CentOS7 that has postfix 2.10.1 and
amavis-new 2.11.1

I am working from my notes of 2 years ago when I last did this
successfully so either something has changed since then (quite likely),
or I am missing something from my notes (also quite likely).

For I run:

postconf -e 'content_filter = amavis:[]:10024'

Then I append to the default (working from my understanding
that the last instruction in encountered is the one applied,
rather than trying to edit what is there):


Stopping acceptance from unowned networks address as from my domains

I got this email, which I thought I set up postfix to block

From ... at mrbrklyn dot com Wed Feb 6 06:26:12 2019
Return-Path: < ... at mrbrklyn dot com>
X-Original-To: ... at mrbrklyn dot com
Delivered-To: ... at mrbrklyn dot com
Received: from ( [])
by (Postfix) with ESMTP id BE463161132
for < ... at mrbrklyn dot com>; Wed, 6 Feb 2019 06:25:50 -0500 (EST)
Received: from ( by ( with Microsoft SMTP Server id; Wed,
6 Feb 2019 15:3

How to fix HTTP 100-continue from client HTTP 417 error in Apache 2.4.10?


I am using Apache 2.4.10 server on Debian 8.11.

I am having the following issue: the request sender is sending "Expect:
100-Continue" in the header.

Reference URL suggesting the fix =

How to fix this issue? Thanks.


403 Forbidden Error on Apache 2.4

Dear All,
Our site is a public site and there is no restriction at any level. We are
using Apache on top of a Java-based CMS (Tomcat Server).
Recently we upgraded Apache from 2.2.21 to 2.4.25. Wherever Order
allow,deny & Allow from all appeared, we changed it to Require all
granted, but only the root page loads without any issue. We are getting a 403
Forbidden message on the rest of the pages.

SMTP_HELO_NAME can cause Blacklist triggers

I learned the hard way that if you don't set $myhostname to a FQDN you can quickly end up on a black list despite having valid SPF records.
The documentation is IMO insufficiently clear that $myhostname MUST be fully qualified and that Postfix will NOT tack on $mydomain if no 'dots' are detected.

Sure, this could be chalked up to "stupid admin error" but doesn't it make sense to either warn about a short $myhostname during server startup and/or add code to smtp_proto.c before calling smtp_chat_cmd(session, "EHLO %s", var_smtp_helo_name) that if 2 dots are not found in $myhostname to automatic

Question about order of execution

apache 2.4.38
linux 2.26.32 x86_64

We have de-commissioned a domain,, and have added
Redirects to point to the new locations for its information.
We recently received a query that a visitor's browser was complaining
about how unsafe was, what with an expired SSL
certificate and all. I am unclear how they got to the old site at all.

My question is: Does the certificate validation occur before or after
processing <.htaccess>?

----[ .htaccess ]----
Options +ExecCGI
# 20180722 jmm: De-commissioned.

Mysql and postfix mail queue

hello you all

Can I set a mysql database for the mails that are in the mail queue to get
sent? and map that database to two postfix servers that are behind a F5 load
balancer set active passive?

so if active goes down the second one still could send the mails in the

or should we every time transfer the flat mail files from one host to the
other if active server fails?

AH01630: client denied by server configuration

I have googled around and the obvious reasons for this..

I am working on a new setup with postfixadmin ver 3.2 on Centos7-armv7
with SElinux enforcing.

Apache 2.2 Reinstall After a Crash Not Working With Perl and MySQL

I’ve had Apache 2.2 running on Windows Server 2012 for several years. The
host hardware is a dedicated server. The Apache server suddenly crashed and
would not restart. Not being able to determine why, I reinstalled the
software and it now can be stopped and started. Apache was previously
hosting several websites (using the Vhost include) and a MySQL database
was/is on the Windows server. CGI programs are PERL and all worked prior to
the Apache reinstall.

JWT Authentication behind an apache2 proxy


I am using a Java application with JWT authentication through an
Authorization header with Bearer syntax.

I want to know how to configure Apache2 to transmit the Authorization
header to the Java application while proxying the request.

Thank you,


Stupid question time - VirtualHost

My usage of Apache has been pretty plain vanilla, and now I am required to
add a virtual host to a system, and I'm wondering what I'm doing wrong.

Google blocking...again...

I'm about at my wits end with Google.

A couple of weeks ago, we had a user account get compromised.

multi smtp for a sub domain

Can somebody help me with this problem? We want to send out to our vessels on sea by ssh connections and a direct vpn, so we want to create for each * 2 smtp routes: one will be our vpn, the other the ssh vpn. Can somebody tell me where I can configure this or how I can configure this?

multi smtp relay

Can somebody help me with this problem? We want to send out to our vessels on
sea by ssh connections and a direct vpn, so we want to create for each
* 2 smtp routes: one will be our vpn, the other the ssh vpn. Can
somebody tell me where I can configure this or how I can configure this? This
will need to be done for 80 vessels on the server, so I know I will need the
transport map, but as I see it I can only enter one smtp relay host there

Forwarded mail problem

Dear all,

I am having some problems forwarding some emails to Gmail addresses.
Sometimes the emails are bounced because:

This message does not have authentication information or fails to pass
550-5.7.1 authentication checks. To best protect our users from spam,
the 550-5.7.1 message has been blocked. Please visit 550-5.7.1
550 5.7.1 information. k11si3359248wrp.39 - gsmtp (in reply to end of
DATA command))

I'm sure that these emails aren't spam.

Can someone explain to me why? Is there some misconfiguration in my mail

downgrading from postfix-3.4 fails - unix-dgram

Downgrading from postfix-3.4 fails with:

Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtp.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/smtpd.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/spawn.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/tlsproxy.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/tlsmgr.8...
Updating /var/tmp/portage/mail-mta/postfix-3.3.2/image//usr/share/man/man8/trace.8...
Updating /var/tmp/portage/mail-mt

Crash in mod_ssl after 2.4.29

Hello -

I have a simple ssl reverse proxy set up that has been working for years up through 2.4.29. When upgrading to 2.4.38, it now crashes periodically.

Support of "\"-like aliases feature?

Recently I rolled out a transition from sendmail to postfix. I've been very
happy with the changes except for one feature, which was supported by
sendmail but I'm not sure what to do about it in postfix.

This is the use of a backslash before a username in the aliases file. A
backslash inhibits further alias expanding. I have found it useful in
certain cases to stop mail loops.

Is there an equivalent feature supported by postfix?

Thanks in advance,


Blocked by

Even though this is not a postfix specific issue I was hoping someone in the community could help with this issue.

We recently changed IP addresses as we purchased a /24 to use as we plan to move Internet service providers in the near future.

Once we did this we now get the following from when trying to send email to anyone on their system.

... at yahoo dot com [mailto: ... at yahoo dot com]: host[] said: 553 5.7.2
[TSS09] All messages from x.x.x.x will be permanently deferred;
Retrying will NOT succeed.

disable logging of header_checks FILTER action


smtp_header_checks = pcre:/etc/postfix/header_chk

/^Subject: .*test.*/ FILTER test:

Postfix then logs:

Jan 30 12:44:16 mx2 postfix/cleanup[19243]: 096B95EAE2: filter: header

How to disable logging of these events? I simply do not want to have
sensitive information (subject) in postfix logs.


Sender address rejected, but I didn't ask it to be checked.


I have been using postfix for many years. So far whenever I had a problem,
Google or the documentation helped out.
However today I got stuck and have no idea what to do.
This is a new machine, fresh Debian stretch install.
I am trying to use postfix with virtual users, Dovecot imap and
authentication. I have not used virtual users in the past, so maybe there is
some rookie mistake somewhere.

I have set up postfix, the machine can receive and send emails. I have set
up dovecot, I can log in and read the emails that I received.

WAMP64 Apache2.4 & PHP 5.2?

I'm running a very recent version of WAMP x64.  I inherited an 'ancient'
php app that requires php 5.2 and no higher.   I went through the
process of adding php 5.2 to WAMP, and I copied php5apache2_4.dll from
php 5.6 folder and did the other things in the instructions to add a php
version to WAMP.  But now apache won't start and says it can't find the
php5apache2_4.dll file.

I've seen several posts about this error message, but they all reference
different versions.  And I know the dll is good since it works fine on
php 5.6.

My question is...

Rethinking the Postfix release schedule

I'm reconsidering the once-per-year schedule for stable releases.
Basically, a Postfix stable release freezes development at a point
in time, forever. Primarily, this is good for stability.

* In this day and age it seems archaic to have to wait for up to a
year before useful code can be deployed in a stable release.

* The once-per-year schedule makes development a race to get things
into the upcoming release, so that it does not have to wait for
another year.

There is a downside to less than a year between stable releases:
the support time window will become less than four years.

Use of ProxyPassReverse

Hi all,

I am trying to connect my Apache webserver with my backend tomcat server. I
am using ProxyPass to do the same. Is there a need to put ProxyPassReverse
also along with it? I am not able to understand the working functionality
of the two in depth. Could someone please elaborate on the same .


Segmentation fault when built with openssl 1.1.1


I have an issue with version httpd 2.4.38 when it is built with openssl
1.1.1 and mod_cluster
There are repeated error messages in error.log:

AH00052: child pid xxxx exit signal Segmentation fault (11)

These error messages are suppressed when mod_ssl is disabled

Built on Linux 3.10.0-693.1.1.el7.x86_64

httpd server built with:


smtp_tls_security_level = dane but have encrypt as fallback


we would like to go the next step, enable smtp_tls_security_level = dane.
Currently we have encrypt site-wide.

But in cases where remote sites do not have published key material, the
fallback is may with dane, which is a step back in terms of security and
not wanted.

How can we specify:

1, Always use at least encrypt
2, When TLSA-records are found and valid, use only this to encrypt
3, When no TLSA-records are found or the ones found can not be used, fall
back to encrypt, if not possible, fail.


address_verify_negative_refresh_time = 30m is ignored


we have

address_verify_negative_refresh_time = 30m active
(root@mx2:/var/lib/postfix# postconf -n | grep verify
address_verify_negative_refresh_time = 30m)

but the verify behavior is strange.

Jan 23 21:15:21 mx2 postfix/postscreen[Jan 25 15:31:14 mx2
postfix/smtpd[10119]: NOQUEUE: reject: RCPT from[]: 550 5.1.1
< ... at domain dot tld: Recipient address rejected: undeliverable
address: host IP[IP] said: 550 5.1.1 < ... at domain dot tld: Recipient
address rejected: User unknown in virtual mailbox table (in reply to
RCPT TO command); from=<no_reply_supp

Scalability: Single Server with Multiple SSL cert and keys

Hi all,
I have one server and it is serving multiple websites:
and thousands of such websites and domains.

Each website has its own SSL certificate.
I made entry for each private key (SSLCertificateKeyFile), Certificate
(SSLCertificateFile), and CA Certificate (SSLCACertificateFile) of the
above in VirtualHost for each website.
But as the number of websites is in the thousands, it's slow and this is not
Can anyone suggest a scalable way to implement this scenario?
Thanks in advance

RequestReadTimeout not being overridden in VirtualHost

I am running Apache HTTP 2.4.34 (built from source on RHEL6.10).

RequestReadTimeout is being set at the Server level:
RequestReadTimeout header=5-10,MinRate=500 body=5-20,MinRate=500

I'm attempting to override RequestReadTimeout for a VirtualHost, I have
tried completely de-restricting it inside the VirtualHost with:
RequestReadTimeout header=0 body=0
and have also tried upping the body restriction in the VirtualHost:
RequestReadTimeout header=5-10,MinRate=500 body=5-120,MinRate=500

Neither of these changes is working as I'd expected, and file uploads are
still timing out (4

Can I use If condition against custom header name that my request is passing in Apache 2.4

We are using Apache 2.4.12, I’m working to set a host in header based on header value passed in my request, was wondering if I can use IF statement to get the same, Request hitting my Apache server is having a header with header name “X-Proxy” and header value is Set to “Torbit”.

When this request with that header name hits my Apache I need to perform below action.

flat down postfix to simple local sendmail forwarder

Ok, so the title isn't really helpful, so I try to explain it:

I want to use Apache James as my primary MTA (please don't ask why -
just take it as given). Major issue: james doesn't have a local sendmail
command replacement. So I've looked up apache james doc which is heavily
outdated. Also, I'm running opensuse 15.0 which uses full postfix instead
of sendmail.

Unfortunately, I couldn't find any way to disable smtp-server but keep
rest of postfix running so it will take mails from sendmail command and
process its queue.

Regexps not unicode-compatible


When I use regexp from GNU tools, such as emacs or grep, which I
think use the GNU libc, regexps support pretty well, depending on
locale settings, all unicode, so with french locale [a-z] will
match « ç », and with C locale, [а-ю] will match « д » (or any
original cyrillic letter contained in all cyrillic languages, I
guess). [[:alnum:]] will correctly base on unicode class to
determine if a given codepoint is a letter or not, and will
support all languages.

However, I noticed that in apache these last ones won’t work and
will only support ascii. Why such a restriction?

500 Internal Server Error with no log entries

I'm running Apache v2.4.27 X64 for serving PHP files and it was running
fine until today that I'm seeing `500 Internal Server Error`.

Surprisingly nothing noticeable is logged in either the PHP error log file or
Apache's. I attempted to set `LogLevel warn trace8` and found this:

[Wed Jan 23 12:06:58.344368 2019] [fcgid:warn] [pid 13700:tid 1180] (OS
109)The pipe has been ended.

Apache httpd 2.4.38 was installed successfully to CentOS 7.6 using rpm



    CentOS Linux release 7.6.1810 (Core)
    kernel version: kernel-3.10.0-957.1.3.el7.x86_64

I have installed the newly released Apache httpd 2.4.38 on the above 
platform through rpmbuilding successfully with no problems.

Thank you all contributors to this project for this excellent work.

Thank you.

Yours truly,
Kazuhiko Kohmoto

Apache Fake Story?

Is this true?


Was this security vulnerability really treated with such disregard by Apache HTTPD devs?

I am aware the work that they do is free, but I contribute to plenty of open source for free and take the responsibility very seriously.

This is extremely disturbing and we should all be concerned.

If there was an oversight I made or this story changed please respond and correct me and I apologize in advance.

Reverse proxy stalling forever


I’m trying to make Jitsi Meet work. Initially it worked, but since the
while it didn’t.

Fixing open relay problem

I've been running Postfix for many years now (so thanks to Wietse and all
the others who have put in hard work to make it such a great mail system)
and recently I built a new mail server and copied most of the config files
from the old one.

After a couple of months, I began to notice that it appeared to be getting
used (infrequently) as an open relay, despite my attempts to lock it down
so that couldn't happen. Then, the problem got worse.

Postfix logging without syslogd

postfix-3.4-20190121-nonprod-logger has lightly-tested code for
logging to file without using syslogd.

Changing the imaps port-number

I am trying to change the imaps port-number to a non-standard port (9999)
since it seems that is intercepting the standard imaps
port number and repeated emails requesting that they stop have been ignored.

This is only an issue when I am trying to access my personal mail server
when I am away from home.

I currently have the following configured in 10-master.conf -

service imap-login {
  inet_listener imap {
    address =, ::1
    port = 143
  }
  inet_listener imaps {
    port = 9999
  }
  process_min_avail = 3
  service_count = 0
  vsz_limit = 1 G
}

But I do

Trying to debug postfix 'unknown mail transport error'

FreeBSD 11.2, Postfix 3.3.2, Dovecot 2.3.4

Random user verification failures are occurring and I am not sure why.

Here's an example -

From /var/log/maillog:


Jan 21 12:20:41 ns postfix/smtpd[31736]: NOQUEUE: reject: RCPT from[]: 450 4.1.1 < ... at mahan dot org>:
Recipient address rejected: unverified address: unknown mail transport
error; from=<
bounce-299_HTML-404541337-2436561-7222883- ... at bounce dot>
to=< ... at mahan dot org> proto=ESMTP helo=<>
Jan 21 12:20:41 ns dovecot: lmtp(31763): Conn

Re: Forwarding received mail through AWS SES

On 2019-01-20 14:40, John Stoffel wrote:
The insane reason is phishing spam, and DO ignoring abuse notices.

And this is not an appropriate subject for the Postfix mailing list.

Windows Apache httpd 2.4.38 GA available

Apache httpd 2.4.38 GA available, see



Postfix is wrongly marking CA certificate expired

Randomly postfix is marking this as expired certificate and after some time
marking certificate as valid.
I have verified that the certificate is not expired by taking a pcap. Let me know
if there is any known defect in postfix of this sort.

Reverse Proxy (Port Forwarding for just the port used in ProxyPass, or what?)

If I want to put my app behind Apache's reverse proxy, do I need to set up port forwarding for just the port that I set for the reverse proxy in ProxyPass directive, or do I also have to do it for the one Apache is listening on?

Also, I got a free DynDNS from and I'm serving my app on port 5501 on it, but is there no way I can use a URL where specifying the port number isn't a requirement? The URL is .

Transport type - piping to Perl. How can I specify path to Perl?

I have Postfix Admin’s Vacation setup and would like to use the Perl at /usr/local/bin/perl rather than /usr/bin/perl.

I have:

vacation unix - n n - - pipe
flags=DRhu user=_vacation argv="/usr/local/bin/perl /var/spool/vacation/" -f ${sender} -- ${recipient}

But log shows:

2019-01-21 15:48:09.726114+1100 localhost pipe[8806]: 8A484E5F63E: to=< ... at autoreply dot>, orig_to=< ... at bordo dot>, relay=vacation, delay=0.25, delays=0.21/0.02/0/0.03, dsn=4.3.0, status=deferred (temporary fail

Port Forwarding Help?

I'm not sure if this is okay to ask here, but I'll try anyway.

I tried to set up port forwarding but the port is still coming up as closed when I check on (it says "Connection timed out"). And while I can get to my router's settings using my Default Gateway IP address, trying to do so with my computer's own private IP address doesn't work for some reason (all I see is a blank page--the login form doesn't come up either).

I asked here as well: .

unsuccessful build of postfix 3.3.2 on solaris (sparc) with sunstudio compiler

Hi postfix-users,

today I have the pleasure to update some sparc machines, that haven't
been touched for more than 2.5 years :/

The systems use sunstudio compiler. Openssl, bind, ... went fine but
now, as it comes to postfix, I'm failing.

Forwarding received mail through AWS SES


I use Debian 9 on AWS EC2. If mail is sent directly from EC2 host then
some mail service provider such as Gmail rejects receiving it. So I set up
so that mail is sent through AWS SES with following steps.

1. Obtain SES SMTP credential according to following document
2. Verify domain with SES according to following document

spam with double at (fake@domain1@domain2)


My server is crying with a spam problem. we are receiving a lot of
fake messages with virus attached.

The messages are coming from an account like
... at mydomain dot ... at spammerdomain dot com with content very similar
to the messages sent by our real contacts.

How can I block that? I'm trying with amavisd-new and postgrey but they don't work.

Maybe I can use some regexp?

thanks a lot

logfile support for MacOS

I'm implementing logfile support for Postfix on MacOS, because not
providing results in a bad experience.

This is a retrofit workaround, therefore it will have limitations
that do not exist with the default syslog-based implementation.

- The logfile pathname is configured in, and therefore the
logfile cannot contain information from programs that fail before
they finish processing and command-line options.

- The logfile is written by a new postlogd daemon.

bypassing localhost as NoProxy within mod_proxy ProxyRemote

Hi all,
I am setting up an HTTP(s)_PROXY in *.conf at the side of httpd.conf and it works.
However, although I have tried NoProxy for localhost, it still tried to use the proxy for localhost:19000 and fails the request of course.
Please advise, here is the snippet of configuration relevant I think but please let me know any more info, versions are latest, apache httpd 2.4.37, is there a separate version for mod_proxy which I can provide?

ProxyRemote "*" "http://proxy:3128"
NoProxy "localhost" "" ""

Thank you very much,

Technical Leader

Question on how to deal with bad recipient address


I have a blackbox UPS that sends this email when I look at it with postcat

*** MESSAGE CONTENTS deferred/B/BFE60169 ***
regular_text: Received: from ( [])
regular_text: by (Postfix) with ESMTP id BFE60169
regular_text: for <g. ... at nsd dot org>; Wed, 16 Jan 2019
15:24:32 -0800 (PST)
regular_text: Subject: TMS MDF ALARM USHA Test Message
regular_text: From: < ... at nsd dot org>
regular_text: To:
g. ... at nsd dot org<g. ... at nsd dot org>

Notice that there is no space between nsd,org and <g.emergen...> When I

detecting TLS issues in delivery - Cannot start TLS: handshake failure


How can the following error be detected so that an instant bounce/reject will
be sent to the sender?

-- 880 Kbytes in 3 Requests.
root@mx1:~# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A97288008B 776694 Sun Jan 13 13:14:29 sender@sender
(Cannot start TLS: handshake

Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
error:141A318A:SSL routines:tls_process_ske_dhe
