Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

How to start perl script using FCGID module


I am trying to run a perl script using fcgid module.
I have loaded mod_fcgid module.

I have created a directory in apache called fcgi-bin and added the below
snippet to my httpd.conf file.
<Directory '/home/ananya/apache-http-connector/apache-2.4.29/fcgi-bin/'>
AddHandler fcgid-script .pl
AllowOverride All
Options +Indexes +FollowSymLinks +ExecCGI
Require all granted

And have also added -
ScriptAlias /fcgi-bin/

My perl program is a simple hello world programme as follows-

print("Content-Type: tex

How to use fcgistarter in apache

Hi All,

I tried to run my perl on port 8070 and proxy my request to port using

I am using the following command
./fcgistarter -c /usr/bin/perl -p 8070

But none of the process gets started on port 8070.

Please help how to use fcgistarter, so that I can start python or perl on
some port and proxy request to it.


Feature request: More variables in smtpd_reject_footer

It would be nice if smtpd_reject_footer could include variables such as
the 4.x.x/5.x.x response code or even the full postfix error message,
this way one could make more helpful errors messages with more helpful


Help with SSL not working on Ubuntu 14.04


This is my first post to the group so testing the waters with an issue that
I am having. I run 4 Ubuntu servers, each controlled with Webmin and
Virtualmin. I am adding SSL to one of the sites but every time I visit the
<a href="" title=""></a> it gives me either one of the errors.



The Chrome one isn't very helpful but the Firefox error at least tells me
that it's an issue on the server.

question regarding virtual_alias_maps and virtual_mailboxes_map


i have a working setup, but since i want to expand the capabilities of
our system, i tampered with it and ran into an error at which i'm quite

excerpt from the settings:

# Valid virtual domains
virtual_mailbox_domains = proxy:hash:/etc/postfix/virtual_domains
virtual_alias_domains = proxy:hash:/etc/postfix/virtual_domains

/(btw postfix keeps complaining like this://
//Aug  8 11:54:15 rhyno postfix/trivial-rewrite[24427]: warning: do not
list domain in BOTH virtual_alias_domains and
//...but then how do i tell postfix that i need it to c

See a double-bounce mail generated by my postfix

I would like to be able to see an example of a double-bounce message
generated by my postfix (3.3.0) server. Can I get my postfix to send me
(say to an unrelated external mailbox) a double-bounce message?
Alternatively is there a way I can save, on the server, the double-bounce
message as and when it sends it to a third party?

Apache HTTPD not responding after running for several days

Hi all,

I'm using Apache HTTPD 2.4.29 and 2.4.33 on Solaris 10 and 11. These HTTPDs
were compiled from source with the latest APR, APR-util and PCRE.
Upon starting, the HTTPDs initially run fine. After running for several
days to 2 weeks, HTTPD would stop responding. It wouldn't accept any new
connections although the processes are running. In the whole period the
incoming traffic volumn is low.
When in the "not responding" situation, stopping and then starting the
HTTPD would workaround the issue temporarily.

The symptoms are:

is possible modify the source address based on the subject?

Is possible rewrite the sender address on a send mail when the subject
have some special expression?

By example: if i send an email from <a href="mailto: ... at domain dot com"> ... at domain dot com</a> with the word in
the subject UPDATES, so send the email like sended FROM
<a href="mailto: ... at domain dot com"> ... at domain dot com</a> ??????

can i do that with regrex?

<a href="" title=""></a>

Really and a little bit confused with that Readme.

Thanks in advance.

postfix issue with ecc certificates


I'm using Postfix 3.3. I am atempting to send mail from a remote
android phone running AquaMail Pro, which does support ECC
certificates of secp-256. So I got an ecc cert pair from letsencrypt
and installed it.

Apache 2.x version on QNX 6.X

Hello. Does anyone know what's the latest version of Apache that will run
on QNX 6.5? People have successfully compiled Apache 2.2, but current
version is 2.4. Thanks!

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt


tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Rate Limiting users from different IPs

Hello all,
To overcome scam due to compromised accounts,Currently we are using a
beautiful software <a href="" title=""></a>

However we have a few issues. Generally spammers dont put a lot of
peple in cc or bcc. they send individual mails to a lot of users. This
software counts people in cc or bcc also. This blocks the HR or admin
people sending out announcements or notifications also.

So it needs to be fine tuned as below.

1. Allow a specifc subnet of trusted networks to send without restrictions.

Timeout while connecting to postfix via php socket

Good morning all.

I'm facing with a strange problem with PHP sockets and POSTFIX:

1) I have a Postfix machine that runs very well for sending/receiving
emails to/from outside (via Outlook)

2) I'm working on a CRM software that connect to this Postfix via PHP
socket_connect function. Well, now:

a. all socket connection to this Postfix from a machine outside my
cloud network, are ok (I can connect and interact with smtp)

b. when try to connect to Postfix with the same script used in 1) but
installed on a machine on the "same cloud network".

IPv6 in mod_status scoreboard


I am currently using Apache 2.4.25 from Debian Stretch on our

balancer manager issue

using the built-in balancer-manager ui or curl to disable a balancer member
does not actually do anything.

command: /usr/bin/curl --silent --insecure -o /dev/null -XPOST '
https://localhost:443/balancer-manager?' -d
-d w=https://on1-lbmo01c.aue1t.internal -d
nonce=20e16be2-eb5f-42c0-b061-57af2968c7db -d w_status_D=1

after running the above command, the status of the member reflects as
changed, but traffic is still flowing to the host (as evidenced by tailing
log files on the balancer member).

LoadBalancer Status for balancer://

please help, getting desperate


i have a question regarding the pipe, when being used to contact the LDA
(in my case, dovecot).

my virtual users are in LDAP, but they have their own UID and GID. since
i don't want to do a setuid script for the LDA (and obviously the LDA
needs to run with the correct permissions to be able to affect the
target user's mailbox files), is there a way to use the whole record
object from the LDAP query (which contains the uidNumber and gidNumber
attributes) and use some kind of substitution in the when
specifying the user=UID:GID parameter?

apache 2.4 pfs and cipher configuration


I'm upgrading my apache configuration.

bounced posts go to spam


I have a simple relay for sending emails from internal scanners and a
voicemail system.

access control and Apache load balancing

Any suggestions on how to implement access control for ip address ranges to specific files on back end hosts when going thru Apache load balancer?

For example, you do not want external IPs to access "filename.php" on your backend hosts thru load balancer

Rewrite header From:


My mail server received unsollecited emails with header From: similar to 'Heidi <info>'.

Users perceive that email comes from our company as the header From: has been rewrite in 'Heidi < ... at host dot domain.tld>'.


myorigin = $mydomain
mydomain = host.domain.tld


append_at_myorigin = yes
local_header_rewrite_clients = permit_inet_interfaces

Is there a way to block incoming e-mails whose 'Header From:' does not specify valid email address?



dnsblog and host or domain not found

I have a postfix-3.3.1 running on a fedora28 system and frequently see
warnings such as these in my logs:

Jul 26 10:42:09 mail03 postfix/dnsblog[3949]: warning: dnsblog_query:
lookup error for DNS query Host
or domain name not found. Name service error for type=A: Host not found, try

That indeed doesn't exist, but
the other postfix systems I have don't appear to log these warnings as

Fall back to relay after a 5XX reply from destination?


I've been running a small volume Postfix mail server on a fixed IP for
15+ years or so.

Recently, my provider forced me from ADSL (being phased out here) to
VDSL, and I now find myself sending mail from a "dynamic" IP address...

As expected, some destinations refuse to accept my outgoing mail with a
550 (usually with a "you're blacklisted" message on top of it).

So, I am now looking for some magic that would make Postfix:

a) first attempt to deliver outgoing mail straight to the destination MX
(as it does now), and,

b) if that fails with a "550 Bad IP" (or equivalent), fall back

Switching final delivery from Postfix to Dovecot


After using local filters (on Thunderbird) for a long time I'm trying to
get Dovecot / Sieve filtering working.  I think I'm almost there but
can't get Postfix to allow Dovecot to do the final delivery, which is (I
believe) the only thing stopping things working.

Here's my postconf -n output, I suspect it's the virtual stuff messing
things up.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:
daemon_directory = /usr/libexec/postfix

Flags question in

Hi, i have this in my master file.

autoreply unix - n n - - pipe
flags=DF user=nobody
argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $domain

everything is working as I want. Is there a flag or macro that can get me the localpart of the $original_recipient ?

so I want "angelo" from ... at uconn dot edu<mailto: ... at uconn dot edu>.

If not possible fine, just want to know.

Open Relay on local lan

Hi All
I have my postfix server up and running now for some time. Recently though,
auditors made a deal that the server is an open relay. It is true that on
the local lan it is. What's the best way to change this behavior? For
example, is there a way to configure postfix to accept mail from say two
domains, and but no other?


configuring mod_proxy_ftp for client ip logging

The mod_proxy_ftp module is working fine for me using release 2.4.25 to
send urls matching a pattern to a proftpd server running on the same
system. I have noticed that the source IP address in the ftpd log is the
same as the httpd running the mod_proxy_ftp module. Am I correct in
assuming that neither mod_remoteip nor any other configuration options of
httpd can cause httpd's ftp proxy module to spoof the IP address of the
client sending the request to httpd? Otherwise this works nicely but we
need the correct IP addresses in the proftpd log for metrics.

Missing 'Received' in header

I receive email through Postfix, then relay it on to my Domino server. In
my old Sendmail
setup the Received were in the header, now they are missing.

what's smtpd_tls_wrappermode 'non standart' ?

Hi all.

Does 'the non-standard "wrapper" mode' refer to SMTPS using port 465?

<a href="" title=""></a>

I think SMTPS using port 465 is 'standard' in RFC8314
<a href="" title=""></a>

Is SMTPS using port 465 called 'standard' ?

How to white list

I have whitelisted the ip in postscreen_access.cidr. I can see the
'whitelisted' for postscreen in log.
But it does not get past smtpd.

I do not want to remove reject_invalid_helo_hostname as this really opens
up more spam.

Commenting multi line option

I would like to know if comments may be used in this fashion.

AllowMethods and Allow header

Hi all,

The "Allow" header seems to be broken when using the AllowMethods directive.

Without AllowMethods, an OPTIONS request gives:

$ curl -X OPTIONS -i localhost/test
HTTP/1.1 200 OK
Server: Apache/2.4.33 (Debian)
Content-Length: 0

and a PUT request gives:

$ curl -X PUT -i localhost/test
HTTP/1.1 405 Method Not Allowed
Server: Apache/2.4.33 (Debian)
Content-Length: 225

All is well.

SPF + outside backup MX relay = redelivery failures: Help requested

I am running Postfix with opendkim, rspamd, pypolicyd-spf, and DMARC.
This is working fine for mail delivered directly to my domain. However,
if my net connection goes down and mail gets queued by my backup MX at
another domain (which I do not control), then when my connection comes
back up and the MX relay attempts to redeliver all the queued mail,
delivery fails due to SPF failures like this one, because the sender's
domain has not authorized my mail relay to send mail on its behalf.

Mail loop sending external domain

I have receiving working well. And if I send outgoing mail via telnet,
it works.
But if I send from my Domino server, I get a mail loop.

I have Domino server running on a Windows machine (called mailserver).
It's configured to send to Linux machine running Postfix (Called postfix).
Postfix machine is suppose to deliver to internet.


I am putting to together a config for both RH6 and RH7 systems. RH6 used Apache/2.2.15, RH7 uses Apache/2.4.6.

I understand that in 2.4.8 SSLCertificateChainFile is deprecated and the intermediates should be appended to the file that SSLCertificateFile points to.

Can 2.2 and < 2.4.8 work properly if the SSLCertificateChainFile in the config is NOT used and instead the intermediates are appended the file that SSLCertificateChainFile points to as you would in 2.4.8 and greater.

Mutiple IP/Multiple SSL

Cannot determine if it's possible to run multiple SSL with individual IP/SSL site on same server(ubuntu). We run multiple domains and would like to stack these SSL sites if it's possible.
No issue multihoming the NIC, no issue multiple domains/server on port 80 - only issue is apache finding the correct SSL cert.

Avoiding sending backscatter

Hello everyone,

I have a postfix server (with amavis and clamav) that receives emails for
other domains. When it gets a mail for a non-existent email, it accepts it
anyways because it doesn't have the list of valid email addresses.

In other words, I'm generating backscatter and I want to avoid it.

One solution could be to never return a mail delivery notification for
external email, but I think that's not recommended, isn't it?

I'm already discarding all emails with viruses and using blacklists.

Does anybody knows any other solution?

Thanks in advance,
-- Diego.

Email architecture

Hey all,

I was wondering if someone knows about a good tutorial or design document
describing how to setup postfix, dovecot (or something else) and other
tools to create a good and secure email architecture, i.e.

- how to configure postfix in a DMZ to relay incoming emails to a dovecot
(or similar) server.
- how to configure postifx in a secure network to receive emails from users
and forward it to a DMZ server
- how to configure a postfix server in a DMZ for outbound SMTP traffic.

But also more in general, what are the best practices for designing an
email environment for a serious busine

httpd-2.4.34 successfully intalled via rpm on CentOS 7.5


I am pleased to inform you I installed httpd-2.4.34 through building
rpms on CentOS 7.5 successfully.

Thank you all for developing this nice application.

Thank you.

Yours truly,
Kazuhiko Kohmoto

"Permissions" lost after upgrade to 2.4.33

opensuse LEAP 15
linux 4.12.14-lp150.11-default x86_64
apache2 2.4.33

After the upgrade from v2.4.23 to v2.4.33, https requests yield error
Access forbidden!
You don't have permission to access the requested directory. There is
either no index document or the directory is read-protected.

Neither of the stated reasons are true.

Apache2 does not start after OS upgrade

opensuse LEAP 15
linux 4.12.14-lp150.11-default x86_64
apache2 2.4.33

On opensuse v42.3 apache2 v2.4.23 worked fine. On opensuse 15.0 apache2
v2.4.33 refuses to start.

Below is all of the info I could find regarding its failure to start.
The bit about "unit configuration" seems helpful, if only I knew what it

The part about "<whatever>_module is already loaded, skipping" was
listed in LEAP 42.3 as well.

Compile issue with apr-iconv


I was trying to compile Apache and hence included apr, apr-util and
apr-iconv. I am on AIX. I have used --with-apriconv=relative path. My
'make' fails with error 'cannot find library' I see a file but not Any help in this regard is


grep in Postfix logfiles


I'm looking for a search tool to analyze Postfix logfiles. It should be
something like a multiline grep application which is able to show all
lines, which are related to one incoming mail. Mainly I want to search
for the sender and the recipient at the same time. E.g. something like that:

mailgrep "from=<local1@domain1>.*to=<local2@domain2>" /var/log/mail.log

I assume, that I'm not the first Postfix user with this requirement. But
I couldn't find a suitable tool. Does somebody know an adequate
application or do I have to write it for my own?


DANE-TA(2) private CAs and SHA-1

By using DANE-TA(2) TLSA records you can associate your SMTP server
with a either a public or private (your own) issuer CA. This can
simplify the management of TLSA records of multiple MX hosts by
using a CNAME to a common location where you publish the shared CA
key hash.

Some care needs to be take to make sure that certificate chains
issued by a private CA can be successfully validated by correctly
configured DANE TLS clients.


haproxy protocol ipv6 support?

I've been successfully using Postfix 3.3.1 behind an Haproxy for a few
weeks now, and while this is a minor complaint, I just wondered if it
was known.

I have dual-stack ipv4/v6 support enabled and as a result most of my
mail that comes from Google comes from an ipv6 address.

The IP address is not parsed properly I think in the haproxy protocol,
and I suspect that was fixed in send-proxy-v2 which I believe Postfix
doesn't support.

TLS1.3 only


postfix-3.3.1 + openssl-1.1.1pre8

For fun I tried to disable all TLS protocol versions other then TLS1.3
submission.local inet n - - - - smtpd
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2

but I'm still able to connect using TLS1.2

$ openssl version
OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018

$ openssl s_client -connect submission.local:587 -starttls smtp -tls1_2
Start Time: 1531425453
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
Shouldn't that fail like this one?

$ openssl

RE: new strangeness with O365 [OT] --TESTING

I'm conducting a test to see if the URL rewrite issue is better, for me anyway.

SMTP access restriction lists


I intend to protect some internal email distribution lists in a way,
which is described here:

<a href="" title=""></a>

I would need to add "check_recipient_access ..." to the parameter
"smtpd_recipient_restrictions". The actual value of this parameter in is:

smtpd_recipient_restrictions =

"smtpd_relay_restrictions" is not explicitly defined in

postfix cleanup process dropping messages

My postfix servers remain pretty busy throughout the day getting around
100 - 200 mails / second

I have seen that for every 100 k mails around 20 mails disappear from
the queue.
From maillogs , I can see smtpd accepting the connection , creating a
queue-id and then cleanup picking it up.
But nothing after that , no qmgr lines no discard etc

If I enable cleanup in  debug mode I can see  errors like this  ( esp
cleanup_flush: status 1 )

How do I debug this further ?

Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: open incoming/6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]:

mail for ... loops back to myself

I suspect the answer to this is going to be "Well, don't do that then." but I may as well ask...

I have a VM that's running two services. One of them is a vanilla postfix smarthost - it accepts mail on port 587 and relays it out to the world.

The other is an unrelated smtp server that listens for inbound email on port 25. They use unrelated domains and hostnames, but are both on the same IP address.

If I try and send mail via the smarthost to the inbound smtp server the postfix rejects the attempt with "mail for <the destination domain> loops back to myself".


Hi Im an oldie, who once installed an Apache server, now I was on to make a new installation BUT OHHHH,
things have become so complexity, so inflated, I can make no sense of what to download, or from where........

How to autoreply with "Undelivered Mail Returned to Sender" unknown user for


Let's say that I do have a user "user" on my system, but I would like
for emails sent to "user+ ... at domain dot org" to bounce back the
"Undelivered mail" message with something like:

<user+ ... at domain dot org>: unknown user: "user+doesnotexist"

How would I do this? I naively tried adding

user+doesnotexist: doesnoteixst

to my /etc/aliases file, but it was still delivered to my user account.

Thanks for any help.


Disable SSL/TLS renegotiation

Hello postfix-users,

While checking the SSL configuration of a Postfix server, I noticed that
so-called "Client-initiated secure renegotiation" is available at
Postfix by default.
You can verify it with following openssl command and press "R" once the
connection is successfully established:

openssl s_client -connect <hostname/IP>:25 -starttls smtp

250 DSN
depth=2 C = US, O = XXX, OU = <a href="" title=""></a>, CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = <a href="" title=""></a>, CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return:

check_client_access not blocking /8 /16 /24 etc.

I'm curious to know what I've done wrong with my client checks file.

I can reject a specific IP but it won't reject when I use net blocks...

STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of

SSL-Settings for Healthchecks (mod_proxy_balancer)

Hello all apache-users!
I'm trying to set up load-balancing to backends which use different SSL/TLS settings.
I'm using version 2.4.33 of apache.
According to documentation it should be possible to set SSLProxy* directives inside a <Proxy> section.

Register now for ApacheCon and save $250

Greetings, Apache software enthusiasts!

(You’re getting this because you’re on one or more dev@ or users@ lists
for some Apache Software Foundation project.)

ApacheCon North America, in Montreal, is now just 80 days away, and
early bird prices end in just two weeks - on July 21. Prices will be
going up from $550 to $800 so register NOW to save $250, at
<a href="" title=""></a>

And don’t forget to reserve your hotel room. We have negotiated a
special rate and the room block closes August 24.

Syndicate content