Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

FYI: Logging mail on Postfix 3.4 and Mojave (OSX 10.11)

This streams in real time, and works ok:
log stream --predicate '(process == "smtpd") || (process == "smtp")' --info

gratefully accepted from the Apple user community.

Since 3.4 upgrade, no incoming mail to server is allowed in?

Well, I can't see what's happening here. 3.4 isn't presenting me with
mail.logs on the Mac. Mojave.
Internally, I can send mail to myself, but I now no longer get mail from

Sending to myself
/usr/sbin/sendmail -bv <my address> works.

3.4 postmap throwing Segmentation:11

I’ve just installed 3.4 and postmap connected to MySQL is throwing a
Segmentation Fault:11 on completion of a query. The query appears successful
but the error aborts it I think.

Configuring redirects from http to https

I have the following configuration file covering two virtual hosts:

# http redirect
<VirtualHost aaa.bbb.ccc.ddd:80>
ServerName <a href="" title=""></a>
ServerAlias *
Redirect "/" ""

<Virtualhost *:80>
ServerName <a href="" title=""></a>
ServerAlias *
Redirect / <a href="" title=""></a>

# https versions
<VirtualHost aaa.bbb.ccc.ddd:443>
ServerAdmin . . .
ServerName <a href="" title=""></a> <>
ServerAlias . . .
. .

This is done by ensuring that the web server can write to these locations.

I want to set up a folder so that I can use a plugin in wordpress, the
instructions work up to the point where I get this direction, but I
don't know how to ensure that the apache instance has write access to
the folder. I have admin rights. Suggestions? Reference?



OT: SMTP auth, 2FA, Outlook


Is there a way to setup 2FA in SMTP auth (with postfix) when the client is
Outlook? It seems it does not support either GSSAPI (Kerberos) or client
cert auth.

Is there any way to get a working 2FA with Outlook in a non MS

Thanks any tips!

Best regards,

The Require Directives


My environment is RHEL7 and apache 2.4.6

I am looking for the seemingly tricky combination of directives
(Require, RequireAll, RequireAny...) that will allow me to deny access
to an entire domain except for, say, one particular host.

For instance, how do deny access to
except for

Is this even possible? I have tried every combination of
authorization containers that I can think of, each of which so far is
either too restrictive or too weak.

Any ideas or suggestions for a good tutorial (believe me, I have searched)!!
Thanks in advance!
-- Bill

Upgraded to 3.4 today. All logging has Stopped?

I upgraded to and installed 3.4 today. It appears to be running, but all logging has stopped. The last entry in the log file was at the exact time I started the new version.

I’m also having trouble with the Mail program but that’s another story. Which is why I’m trying contact via my iPad.

Local mail, via sendmail seems to be working as does mail going off site again via sendmail. But no logging.
I haven’t changed my nor the in ages now, so what’s changed I wonder.

Before I actually type 'make upgrade"....

I have a clean compile of 3.4, and have various directories set, based on /usr/local generally.

These are the same as the existing installation that is running fine.

possibly stupid question

it may be a silly question but.Which option is appropriate to reject
emails from ip without ip resolved

smtp_fallback_relay TLS with authentication - possible?

Greetings, All!

I'm trying to set delivery on a new server, but hit a roadblock.

The premise is this:
1. All delivery should be handled directly, but…
2. Some of our clients are rejecting mail using particularly idiotic RBL,
3. I have a relay server that usually works ok, although slower, but…

forwarding mail like before queue filtering to remote mta


is there a way to keep an smtp session open and do before queue filtering
AND final delivery to remote mta? do only sent 250 if we have already
received 250. if not send temp error.

we would like to only accept mails if we can deliver them at the same time.
a local queue is not wanted due to privacy reasons.



Trying to configure clamav-milter with postfix-current-3.4.20181105,5 under FreeBSD 11.2-RELEASE, but I’ve missed something since no mail is actually getting processed by ClamAV-milter, including the EICAR test mails which sail through without triggering anything.

I’ve tried to provide everything that could be relevant (mostly in an effort to re-examine everything) but at this point I’m stumped.

smtpd_milters =

# sockstat | grep milter
root spamass-mi 24145 4 stream /var/run/spamass-milter.sock
clamav cla

queue "manipulation"


I have a little mailserver (MailMan).
It works fine, except for yahoo subscribers.

While the almost totallity of subscribers receive their messages in less
then a hour, in my queue remains (often until expire of queue_lifetime),
with this messages:

(host[] said: 452 Too many recipients (in reply to RCPT TO command))
. .

Relay access denied

All goolging has not helped. I hope to find here the solution.
Thanks in advance for your help.


* Background:
Getting error message: Relay access denied
The following command works fine: telenet localhost 25
The following command cretes above mentioned error message when entering
"rcpt to: email_address"

* Setup:
CENTOS 7.5 home server.

Compile error on Mojave (Postfix 3.3.2): 'openssl/opensslv.h' file not found

I have installed OpenSSL v1.1.1 via Homebrew. I’m trying to install Postfix 3.3.2 but it always ends with:

cc -I.

Installing LetsEncrypt For Postfix and Dovecot


With Mozilla recently dropping support for all Symantec certs, our security cert now throws errors on Thunderbird clients. We’d like to install certbot on Centos 6, but I’m not sure if it’s going to interfere with Postfix (2.11) or Dovecot (2.2.18).

rewrite rules - MS Edge VS Firefox

hi guys

I have a few rewrite rules:

  ProxyPass         /SASStudio <a href="" title=""></a>
  ProxyPassReverse  /SASStudio <a href="" title=""></a>
  RedirectMatch     permanent ^/SASStudio$ /SASStudio

  ProxyPass         /SASInformationCenter
<a href="" title=""></a>
  ProxyPassReverse  /SASInformationCenter
<a href="" title=""></a>
  RedirectMatch     permanent ^/SASInformationCenter^ /SASInformationCenter

and Firefox gets to the side but MS Edge fails, stays on a blank page.

It's https to http, in case it might matter.

Would you have any s


Hi all,

I am trying to run a fast CGI program on apache using fcgistarter. I am
running the following command-
./fcgistarter -c <path of my fast CGI application> -p 1122 -N 1

However no process has started on this port. Is there any way of checking
if this is working properly?


hostnames in postscreen_access_list


I was recently trying to whitelist a client hostname that frequently
changes ip.

From the documentation check_client_access restriction for use with
smtpd allows to specify access table lookups which contains hostnames.

postscreen_access_list does not seem to allow hostnames in lookup tables.

Is my understanding correct? Is there a reason why hostnames should not
be supported in postscreen_access_list lookup tables?



Is this behavior an open relay or not ?

Hi people, suppose my domain is "".

My email users are as this: <a href="mailto: ... at company dot com"> ... at company dot com</a>

Is normal that I can send a mail from <a href="mailto: ... at company dot com"> ... at company dot com</a> to
<a href="mailto: ... at company dot com"> ... at company dot com</a>, from a public IP not belonging to my company?

In my case, I am at home and I execute:

$ telnet 25
mail from: <a href="mailto: ... at company dot com"> ... at company dot com</a>
rcpt to: ... at company dot com

and finally the message arrives to may Inbox.

Because I suppose that the normal behavior is sending mail from local
address just from an internal IP...not from external.

Thanks a lot, regards!!!

Postfix 3.3.2, 3.2.7, 3.1.10, 3.0.14

[An on-line version of this announcement will be available at]

Changes for all supported stable releases:

* Support for OpenSSL 1.1.1, and support for TLSv1.3-specific

- Updated Postfix TLS documentation examples for TLSv1.3.

DKIM on submission


currently I enable OpenDKIM vi :

# OpenDKIM
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Since that server is both MX and Submission for the mailbox domain I am
tempted to instead define those parameters via

-o key=value

in for the smtps / submission service.

Is that advisable or is it not a good idea?

I realize it would mean mail sent by the host itself via sendmail
command is not DKIM signed but I'm not really worried about that.

It appears that when e-mail is sent from a user t

cisco pix TLS is required, but was not offere STARTTLS issue

Dear Users,

we trying to deliver mail to remote party with enforced encrcyption.

63FFB80805: TLS is required, but was not offered by host

But looks like, remote device is announcing TLS and can handle it:

# telnet 25
Connected to
Escape character is '^]'.
220 ****************
ehlo test
250-SIZE 52428800
220 Go ahead with TLS

But the minus "-" is missing in STARTTLS correct?

Is there a known workaround available?

Maybe some rewrite-voodoo?

Thank you.

Convert quoted-printable headers


I have a program (SOGo), installed on my mail server, that send emails
using the quoted-printable encoding for From/To headers.

Unfortunately, none of the email clients I use seems to display them

Is there any reason for that ?
is a header missing:

Source of the message:

a lot of spam or something?

I have a lot of line like below in log file:
2FEBF13C3F4 16366 Thu Nov 22 12:28:36 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (in reply to RCPT TO command))
<a href="mailto:www- ... at allegro dot pl">www- ... at allegro dot pl</a>

251AD13C3C6 16391 Thu Nov 22 13:48:10 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (in reply to RCPT TO command))
<a href="mailto:www- ... at allegro dot pl">www- ... at allegro dot pl</a>

2BC6013C3E3 16360 Thu Nov 22 10:58:11 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (i

Using redis for caching Apache requests


I am trying to cache the requests coming on my Apache web server using the
mod_socache_redis module. After loading the module, I am sending a request
from Apache to my redis server in the following format-
SSLSessionCache redis://localhost:4321
4321 is the port on which the redis server has started.
However when I am checking the status of my redis server, there is no
update of the apache requests. Can anyone please guide me on how to go
about this? Particularly on how to set my request values onto the redis
cache directly from Apache.


IP address

Hi all,

We have installed postscreen on our mail servers, with a table lookup to a postgres database. The lookup also records the client details (IP address), and we have a basic Java front end with lookups to maxmind to get location information. The tools allows us to block by CIDR, and monitor connection over time to identify various forms of attacks. It has been an eye opener.

Graceful shutdown of apache


I am not able to shutdown apache gracefully if I am starting apache in
debug mode i:e (./httpd -X) with worker mpm. I am sending kill -term PID to
httpd process. wherease the same command is working with prefork.

How should I stop worker mpm if started in debug mode ?


where is the fqdn coming from


I'm using Postfix 3.3.1-1+b1 (Debian testing).

I'm testing out the default for myhostname and am a little confused as to
where it is getting its value.

Openssl-1.1.1 with apache-2.4.29


I am using openssl-1.1.1 with apache-2.4.29 so that I can use tlsv1.3 in my
server. I am able to build but when I am starting the server
with SSLProtocol TLSv1.3, server is not starting and giving the
error message "SSLProtocol: Illegal protocol 'TLSv1.3'

Does apache 2.4.29 supports openssl-1.1.1 for tlsv1.3 support ??


hostname is being appended to the From name

I'm trying to understand why this is happening and how to prevent it. I
have a relay where if an email is sent to it with just a name in the
Header From, then the server's hostname is added to the end of it. For
example, if I telnet to the server and send an email with "From:Test",
then I'll get an email from ... at hostname dot

spf and dmarc settings

Hello! I have mail-related question. What will happen if I set SPF to "soft
fail" but in DMARC I set "strict" to SPF Identifier Alignment - the "aspf"

A bit stuck compiling Postfix on Mac Mojave.

This is my make script.

make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/Applications/ -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include -DEF_COMMAND_DIR=\"/usr/local/sbin\" -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\" -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/loc

how block specific ip address in Postfix

Hello. I saw in logs that some non existent mailbox from client domain
hosted on google tries send some mail to existing mailbox in this same
domain. Non existent mailbox is used from IP's:
and both are blacklisted.
I need to block these IP addresses in Postfix and also I would like to add
more blacklists to Postfix.

OpenPec Addon domain grabbed

Dear website maintainer,

The domain got grabbed and in my opinion the link on should be changed to
<a href="" title=""></a>

Thank you,

avoid external emails that the from=< and the to=< are the same user

Lately we are receiving spam mails that apparently the mail from the and
the to is the same. How is it possible to avoid this?. I have configured
postfix to avoid the relay of emails and to be able to send mail through
my postfix is necessary the auth , these emails are sent externally from
several ips and seeing the logs of those emails are not authenticated

Este mensaje y todos los archivos adjuntos son confidenciales y de uso exclusivo por parte
de su/sus destinatario/s.

rejecting 'nested' from address ?

a user started getting many spam/malware with like 'nested' from:

<" ... at cinkmedia dot comgeranc">

<" ... at cinkmedia dot">

I'm waiting for a full header from him, can anything be done in Postfix ?
or where ? to reject/block ?


Rejecting based on From is...not rejecting

Heya. Postfix 3.1.8 on Debian Stable.

I'm trying to use /etc/postfix/sender_access to pretty much reject
anything showing as 'From: *' as there's a plethora of spam
coming from that domain - and it's not rejecting. Suffice it to say, I
seem to be doing it wrong.

In sender_access, I have:


...and the reference to this file in is:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access,

...what'd I miss?

If needed I can stick the files up on a pastebin.

-Dennis Carr

Postscreen usually rejects based on DNSBLs. Good enough? Lower overhead options?

I see countless Postscreen rejections of this type

Nov 14 13:28:58 mx postfix/postscreen[11068]: CONNECT from []:19243 to [#.#.#.#]:25
Nov 14 13:28:58 mx postfix/dnsblog[11069]: addr listed by domain as
Nov 14 13:28:58 mx postfix/dnsblog[11072]: addr listed by domain as
Nov 14 13:28:58 mx postfix/dnsblog[11071]: addr listed by domain as
Nov 14 13:29:04 mx postfix/postscreen[11068]: DNSBL rank 9 for []:19243
Nov 14 13:29:05 mx postfix/postscr

RFE: DANE functions + log

Recently I have been struggling with configuring DANE and DNSSEC for a domain, for which my DNS is


Linux Fedora 28
BIND 9.12.3
Postfix 3.3.1

smtp_tls_dane_insecure_mx_policy = dane
smtp_tls_security_level = dane
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
smtp_dns_support_level = dnssec
smtp_host_lookup = native, dns

DNSSEC is not the problem, but there are issues in setting up DANE in postfix, hvis could be

1) logging

More informative logging of what is happening, when smtp is trying to establ

Cleanup in apache

Hi All,

I am using apache-2.4.25 and apr-1.5.2.
When I am using mod_autoindex for indexing of icons directory, after
serving the request the process gets crashed.

I debugged and checked that it was getting crashed
from apr_pool_cleanup_kill ().
The line which causes the crash is "c->data == data && c->plain_cleanup_fn
== cleanup_f".

Please help me out the reason or this crash. Does anybody had this issue


OT: features / test criteria for email filtering/security product

I'm looking at Votiro, Proofpoint & Israel email security products
to reduce spam, emails from bad reputation IP, emails with
malicious attachments & URL.

What are the features/criteria to assess or look out for?

Esp if I'm on O365.

a) can link to SpamHaus, RBL etc to get bad reputation IP?
b) offers CDR, sandboxing?
c) can claw back malicious emails from users' mailbox once
Sandboxing completed analysis that an email or attachmt
is malicious (Proofpoint has one such product)
d) can withstand email blasting (eg: 80000/minute)
e) ... help add on ...

Apache 2.4 how to exclude certain GET requests from log using SetEnvIf

Hello to Apache Community,
I spent time with Apache docs and Google but did not find any real example for that.

I want to exclude from logging many unnecessary lines like that - - [27/Oct/2018:14:07:19 -0500] "GET HTTP/1.1" 200 3412 "" "Mozilla/5.0 (Windows NT 10.0; rv:56.0) Gecko/20100101 Firefox/56.0"

I tried
SetEnvIf Request_Method GET "^/maxtop\.php$" dontlog
SetEnvIf Request_Method "GET(.*)/maxtop\.php$" dontlog
...but no success.

Additional info
CentOS 7.5
Server version: Apache/2.4.6 (CentOS)
LogFormat "%h %l

Preserve Authorization header in load balacing


I have a stock httpd server on a CentOS 7 machine. I have added a file to the conf.d directory with the following contents :

<Proxy balancer://django>
BalancerMember <a href="http://django1" title="http://django1">http://django1</a> ping=5 disablereuse=on retry=5 ttl=120
BalancerMember <a href="http://django2" title="http://django2">http://django2</a> ping=5 disablereuse=on retry=5 ttl=120
BalancerMember <a href="http://django3" title="http://django3">http://django3</a> ping=5 disablereuse=on retry=5 ttl=120

So I have a load balancer to three machines.

postqueue: warning: unix_trigger: write to public/qmgr: Broken pipe


postfix + postsrsd + clamav + spamassassin + dovecot

Everything seems to work OK. No changes done recently (used to work for
a long long time). No error messages in logs. Some mails are delivered
correctly and immediately. Outgoing mail - OK. The problems are:

1. About 20-50 mails shown by a `mailq'
2. Some mails are delivered veeeeeery sloooowly (I cannot find
differences between "bad" and "good" mails)

Internal Server Error - strange characters "ę" and "ł"

Hi all,

I have a server with some software on called "EPrints". When uploading some
data via am EPrints form I get an "Internal Server Error" upon submission
and the data is not submitted.

I have found that the slightly unusual characters "ę" and "ł" cause this.
When they are both removed from the form, it all works as expected. I
suspect it's a server issue rather than an EPrints/software issue, but I am
an Apache novice.

Has anybody came across this before and is able to offer advice?

Permanently cache reverse-proxy results

The reverse-proxy receives the client's HTTP GET request, then:

1. Retrieves gzipped content from a back-end server
2. Inflates content
3. Performs many substitutions across various resources (JS, HTML, CSS, etc)
4. Deflates resulting content

URGENT: Apache HTTP Migration from 1.3 to 2.0 UNIX Solaris

Dear Team,

I have installed and set up httpd 2.0.65 version of apache server on
Solaris 11 and is running good and fine without the module.
I have compiled the module on httpd 2.0.65 with APR 0.9.20
and APR-UTIL 0.9.19.

Milter header order

I have milter chain opendkim->opendmarc->amavisd-milter for incoming
external mail. Postfix 3.1.0 from Ubuntu 16.04.5.

As I understand, the correct positioning of milter inserted internal headers
would be above postfix's own.

RewriteMap prg: How to pass value from Python3 script back to Apache24?


using Rewrite Map with MapType prg in Apache 2.4, I'm having trouble
passing the value back to Apache.

The log says "map lookup OK", but the value is empty.

On Stackoverflow and others, I found and tried out some examples, which
in some cases where quite old, so probably written for older versions.

The following is what I extracted from the more current hints I could find.

RewriteEngine On
RewriteMap extrw "prg:/opt/"
RewriteRule "^(.*)" "${extrw:%{REQUEST_URI}}"

import sys
while True:
newValue = "/index.html" # plac

address with illegal extension


We have discovered that our maillog file has numerous occurrences of
this sort of error report:

postfix/local[92211]: warning: A7F5413745E: address with illegal
extension: sysadmin+root/cron/transfers/imanet

This error does not prevent the correct delivery of messages into

Compiler error on 3.3.1. Mac Mojave

It’s almost through the build but failing on this.

Undefined symbols for architecture x86_64:
"_db_create", referenced from:
import-atom in libpostfix-util.dylib
"_db_env_create", referenced from:
import-atom in libpostfix-util.dylib
"_db_version", referenced from:
import-atom in libpostfix-util.dylib
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [master] Error 1
make: *** [update] Error 1
make: *** [update] Error 2

My Make script is this:

make -f Makefile.init dynamicmaps=ye

Error on make of the latest 3.3.1 source at dict_db.c

Hi, I can see what the error message says . But I confess at this moment, I’m at a loss as to how to fix it?
Where is it looking for this db?

-DMACOSX -c dict_db.c
dict_db.c:758:2: error: "Unsupported Berkeley DB version"
#error "Unsupported Berkeley DB version"
1 error generated.
make: *** [dict_db.o] Error 1
make: *** [update] Error 1
make: *** [update] Error 2

How do I turn on logging for postfix on mac

I have been asked how I turn on /var/log/mail.log for postfix on a Mac running Mohave.

I have it running on mine, but it always has - but I can’t remember if I had to do anything special to turn it on.
The person asking has no /var/log/mail.log at all and now I’m curious.


Syndicate content