Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users from sending mails to a particular group email id and allow only a few users, with smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with Postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

special catch-all processing

Hello List,

I have a question about the processing of catch-all addresses between different
versions.  I see a difference between postfix 3.1 and 3.3 which I can't
I have this scenario:

Using a virtual table I have a catch-all forward from a subdomain to a domain itself is also a forward to an external address.
Additionally there is a local mailbox ... at example dot com
Having this on a system with postfix 3.1 it is working like this:

A mail to a random address to the catch-all subdomain forwards all mail
to the external address.
A mail to ... at sub dot example

SMTPS Submission

Just want a quick sanity check on enabling smtps in

smtps inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_wrappermode=yes
  -o syslog_name=submit/smtps
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination,reject
  -o smtpd_helo_restriction

403 Forbidden on symbolic links - totally won't do it.

I have spent the past two hours trying to find the magic needed to get
my external drive symlink to be part of a friend's website. I've
never been able to do this in the past and have simply reinstalled
linux on larger and larger volumes as a solution to running out of
free space, but I'm simply too busy to deal with a reinstall this

I get a 403 Forbidden error at

I told it to follow symlinks in the sites-available files and it
should just work, but doesn't... What on earth is wrong?

ot: dkim "fail (message has been altered)" ?

I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: (amavisd-new);
dkim=pass (1024-bit key);
domainkeys=fail (1024-bit key)
reason="fail (message has been altered)"
header.from= ... at dossierinfotech dot

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?



Different SSL certificate per virtual domain

Hello All,
I've googled but a bit confused.
I have a server with an IP hosting two different virtual domains.
Both domains need to have their individual SSL certificate like and to download and send the same.
Is it possible in Postfix if I have only one public IP and achieve same?
Can you guide me to some links if possible.

re-route mails on demand during block of ip address


I'm running a pair of postfix servers in different data centers (different
IP networks) for outgoing-only delivery. Once in a while my providers /22
appear on public blacklists, so mails from my nodes also get rejected.

For this, I now have a third backup instance in another data center that is
not visible to my users and only fairly with dummy mails used to keep
reputation up and good. How to re-route traffic on demand with postfix in
case IP networks get blocked again?

How do others handle this?

Thank you.


Mail Delivery Status report

I am getting mail delivery status reports for every bcc email (that is, every email, since I use a bcc map to create a backup of all the mail).

I've looked through all the postfix files for any instance of sendmail -v, and have only found it as a comment in

# grep "sendmail -v" * address...) or for verbose mail delivery (sendmail -v address...).
recipient_bcc_maps = pcre:$config_directory/rbcc.pcre

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+151.${1}.${2}@<a local domain>

the MDSR is not really a pro

opendmarc.dat Permission denied issues

I'm trying to set up DKIM & DMARC, set it a few days ago, it seemed to be
working ok(?), well, I didn't notice errors

noticed today multiple "Permission denied" errors since last night, across
multiple domains

grep " Permission denied" /var/log/maillog | wc
1943 19430 200491

May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied

# grep AAADD4E821C9 /var/log/maillog
May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:[]
May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:

Urgent: Apache log is not rotating after the upgrade


We have upgraded Apache 2.2 to Apache 2.4.34 on a Red Hat Enterprise Linux Server release 6.10 (Santiago) server. After the upgrade the log is not rotating, and we also checked the log rotation config file, which looks good.

Can someone help me figure out the issue?

Below is the config details of log rotation policy.

transfer mailq


We are busy with a POC building a new vessel mail system for our fleet at sea.
In our office we now have two postfix servers running behind an F5 that has failover: when the primary mail server goes down the second one takes over.

So far so good, we test this and everything is OK.

Now I want to know if it's possible to transfer mail files that are queued on server A to server B to get sent when A goes down.

I would like to do this as follows

Create two folders on a nfs share

Server A writes his mails to folder A
Server B writes his mails to folder B

When server A crashes we copy/transfe

How to reject mails where from address and to address is myself.

Dear List,

Lot of SPAM mails are being received where from and to address is
myself and the mail has contents which are dirty/bad.

The original sender id will be different.

How to handle such mails.

Log revoked certificate information


I'm looking for a way to track users who are using a client certificate to log
in to Apache HTTPD. Especially, I wanted to know who is trying to use
revoked certificates to attempt login. Is there any possible way to log
some of the certificate information, such as the certificate's serial
number into the log so that whenever a revoked certificate is used, some
information about the specific certificate is logged instead of just
showing "certificate revoked" in error_log?



postfix as relay server: sasl auth


We have set up a postfix server that serves as a relay server between the office and our fleet.

The postfix gets its mails from the Exchange server onboard.
The restriction is set so that only mails from the IP of the Exchange server are accepted.

And this security rule works; from no other IP can mails be sent.

But our sec officer is worried: what if somebody gets into the VM running the Exchange server, or creates a VM that has the same IP as the Exchange server, then they can send mails without auth.

That's why I'm searching for a way to secure our postfix server with password and username.


URL question

I have a web site accessible by:

But users that use:

get a directory content of the files in directory bar.

What do I need to add so that those that use the shortcut of leaving off
.html still get the full web site.


Blacklist honeypot senders

I have an active email address that only receives spam (it is an address that wasn't used for years but I've recently reactivated to see just how much spam an unprotected decades-old account that hasn't accepted mail since 2006 would get).

Anyway, what I would like to do is somehow blacklist any IP that sends mail to that address for some period of time, configurable by me but not necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any match, that is fine).

I suspect that postfix might be able to do this through some sort of helo_access check?

How to write more complex transport rules

Hi All , Need some guidance on how we can configure transport rules which has
to route email based on both Sender and recipient domains .

Our transport_maps ( in my org ) have been simple and configured in
traditional fashion:

like receive email from

Domain1 >> smtp:Gateway1
Domain2 >> smtp:Gateway2

however we have got a situation where we had to route email based on both
Sender and recipient domain.

Reverse Proxy Configuration

Hi everyone, I am looking for some help configuring Apache Web Server as a
reverse proxy.

A little background: I have a Debian 9 (stretch) server at my home, running
Nextcloud on Apache2. I have a static IP from my ISP, and a domain I own is
pointed to it. I have forwarded ports 80 and 443 on my router to the LAN IP
of my Debian server. Everything is configured and working, and I can access
my Nextcloud instance at

What I would like – and tell me if I'm barking up the wrong tree here – is
a secure way of accessing different services on my home network from the

DKIM doubled, which one to remove?

following earlier advice here, I've finally tried to set DKIM

I think I'm getting there, but I've noticed it's doubling up[1], with amavis

which one should be bypassed, and, how to do so ?

thanks, V

content_filter = smtp-amavis:[]:10024
smtp-amavis_destination_recipient_limit = 1
smtpd_milters = inet:, inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# grep 711344531867 /var/log/maillog
May 24 15:15:08 geko postfix/smtpd[20479]: 711344531867:[]
May 24 15:15:09 geko pos

Rejecting mails from one server

Greetings, All!

Can't seem to grasp the origin of the issue.
If I send the mail to the same addresses myself, it is coming through, so is
much of the other mail traffic.

info@ is virtual, bulk of the mail coming its way, no problem.
vera@ is real local address.

If I grep similar entries in the log, they are all spam or obvious typos.
(Like "1info@...") But this domain seems correctly configured.

confirming proper headers

Hello, I have a project I have been working on where I need to send "201
Created" then "Location http://IPADDRESS/result".

I am setting headers in PHP and have checked in Wireshark and although I did
see 201 Created and Location http://IPADDRESS/result I was later informed
that the PHP code I was using needed to have a comma removed between 201
and Created. I then re-confirmed and see no difference.

My headers being set
header('HTTP/1.1 201 Created');
header('Location: http://localhost/eSCL/Scans', false);
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' .

On How to Insert a custom header on outgoing email

Hello Community

we were tasked at routing all outbound email from our mail relay postfix
server through an Anti-SPAM gateway and this introduces a requirement to
insert a custom header with a unique value ( shared by the Anti-SPAM vendor
) to let email relay through them.

so we want to insert a header

X-AUTH-TOKEN : xyz123

in every email leaving our postfix server.

Could any one of you please suggest how we can achieve this .

Need some advice - thread safe php module


I am porting some older web pages from Apache 2.4.6 to Apache 2.4.37 on Linux
and apparently need to find a thread-safe version of to use, since we're
running MPM.

* Does anyone know where I can download the apache thread safe php module?
* If not, can someone give me a clue about the configuration options I should use
to build a new version of PHP which contains the php module for Apache?

I have been unable to find a download for the php module, and building PHP is not
producing a php module either.


Jeffrey Cauhape - IT Professional III - Linux and Solaris

Control / Modify the HTTP Status Line

This is my first message on this user list, hope that's the right place for
my question.

I am using Apache for proxying a backend server.
The backend server may return, on some occasions, a 302 response code for
successful requests.
As I cannot alter the backend behavior nor the client's to consider such
302 responses as successful, I am looking for a way to manipulate the
response code on Apache.

While going through the options in and trying ways to alter data which is
sent back to clients I found two:
1. mod_substitute - to manipulate response body.

Configure failure on 5.x kernels?

I don't know if this is Gentoo specific.

Postscreen - fatal: btree:/var/db/postfix/postscreen_cache

Dear team,

I get this error messages in my logfile more frequently:

May 21 21:23:51 xxxx kernel: May 21 21:23:51 xxxx postfix/postscreen[77391]: fatal: btree:/var/db/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

Can you tell me what exactly goes wrong and how to solve this? Thanks.

Best regards,
Jos Chrispijn

-- With both feet on the ground you can't make any step forward

header_checks apply to headers of attached messages?

If I send a message as attachment, header_checks are applied to the
headers of the attachment also. Why does it happen? Can I turn it off?

Modify logs for delivery?

I may have asked this in the past, but if so it's been long enough I don't remember and can't find it in my mail archives.

Is there some way to modify what is logged from postfix/local and postfix/pipe so that the "status=sent" lines include the from address as well as the to address?

May 21 14:52:32 mail postfix/local[63216]: 457nyS31Y4zdrvK: to=< ... at covisp dot net>, orig_to=< ... at kreme dot com>, relay=local, delay=0.39, delays=0.34/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)

May 21 14:53:16 mail postfix/pipe[67313]: 457nzJ4gd7zdrvL: t

Tell LMTP who is original recipient?

For some time it has been possible to make postfix virtual tell an LDA who is
the original recipient, add x-original-to header. But not LMTP. This
creates problems in final delivery, one example is an autoreply vacation
program cannot check if a message was addressed directly to this user or
not, so many autoreplies are sent when it should not happen.

Feature request for this seems stalled, but in meantime, is there any

FYI, I use dovecot LMTP.

intermittent "cannot find your reverse hostname" for senders. Best workaround?

I run postfix 3.4.5.

I typically reject on unknown reverse hostname; it's a policy I'm comfortable with.

For a number of correspondents that use for outbound, I occasionally see failures crop up for the same sender, then just 'automagically' resolve.

E.g., for a single sender, here "them", in my logs

postfix.log:Apr 24 13:18:19 mx postfix/postscreen-internal/smtpd[6816]: NOQUEUE:[]
postfix.log:Apr 26 11:15:00 mx postfix/postscreen-internal/smtpd[18428]: NOQUEUE: client=mail-eopbgr790080.outb

Re: SNI support

Wietse Venema < ... at porcupine dot org> wrote ..
Oh, ok.

OT: Postscreen and scoring/blocking by ISP

Hi all,

I was looking through a few lists of RBLs and I’m not finding quite what I want.

I have quite a bit of my spam blocking working fairly well, but I’m seeing quite a bit of “snowshoe spam” from a few providers. Rather than look up their netblocks and outright block them, I’d like to incorporate them into the postscreen scoring process. As time goes on, I’m sure I’ll find others, but I do see ColoCrossing and Limestone Networks as pretty consistent sources.

Are there any RBLs that exclusively deal with blocking by netblock/owner that I’m missing?

Block spam at smtp time, but then still forward to users spam box

Good day Guys

Just want to check with the community.

My colleague has proposed that at smtp time, if a mail is deemed as
spam, the server issues a reject code, but then still accepts the mail
and forwards the mail to the user in case it's a false positive.

His logic is that the spammer does not build up a database.

Currently what we do is, if the score is between 5 and 15, just accept
and move the spam to the user's SPAM box.

SNI support


SNI support for smtp server and client is said to be there, from what i read in release notes from 3.4.0.

Disable milter(s) for recipients (IP/addresses)


Is there a way in postfix to disable milters for outgoing mail to
dedicated IPs, or better, dedicated recipient addresses?
I am just fed up from fixing DKIM signatures to a way that it is
insecure just to get mail accepted from several mailing list
implementations because they are munging headers to death.
And I don't want to get away from reject policy, too, because it is only
a problem with several mailing lists.
For postfix mailing list this is fine but munging headers like subject

Files POSTed are not saved, instead 404

Hi I am new to the list .

I posted this earlier but am afraid for lack of subject it was ignored.
Posting here again with update.

I have an issue which I believe to be an apache configuration issue

When I POST a file with CURL or android app I get 404 error however the
path exists.

As I understand it, I do not need a handler to POST and the file should

DKIM milter: adding a TXT record

Hey, guys. Might be a little bit off topic, but I'll throw it out

I'm working to implement DKIM and DMARC at this time (DMARC is next), and
I've got DKIM just about down except for one thing: the TXT record.
Bind doesn't seem to want to load the TXT record, despite that I've even
re-edited it per what I found at.
(Running 9.10.3.dfs in Debian Stable.) There doesn't seem to be a clue
as to what's going on at this point, so I'm a bit lost. Help?

-Dennis Carr

Hi I am new to the list .

I have an issue which I believe to be an apache configuration issue

When I POST a file with CURL or android app I get 404 error however the
path exists.

As I understand it, I do not need a handler to POST and the file should
appear. I am trying to replicate AirScan/eSCL Protocol

I have tried numerous solutions from modifying .htaccess, php.ini and

Thanks in advance for any advice .

Increasing Internal security

Hi All
We had an auditor do an internal pentest for our network. The result for our Postfix box was (my words): Although your SMTP server prevents relay in some circumstances, it still allows email from an empty domain. I am aware that the empty domain <> is needed for bounce messages. Is there a way to prevent an initial email out from an empty domain but still allow Postfix to use it internally for bounce messages?

Thanks and Regards

how to put geodata into $_SERVER for php-fpm using proxy_fcgid

Hello List,

we use latest apache 2.4.39 and various php-version connected with

previously we used mod_fastcgi to bind php-fpm to apache.  Watching a
phpinfo() in this scenario offered also complete geodata section in
mod_geoip is installed and mod_fastcgi put this into $_SERVER
Environment for phpfpm, so geodata was easy to use in scripts.

Now with new method using proxy_fcgid this geo-section is lost.  As an
alternative we could install geoip-extension for php.

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?

AWS timeout

Hello list,

Bit of a weird one here. I have hosts at AWS sending mail across a
Checkpoint VPN to my main private relay server (it basically serves to relay
mail to O365 for in house applications). The problem is that the sending
client never receives BYE from server after QUIT. The mail goes through and
is delivered ok. This is bad because our timeout is 300s and if you have
anything more than a small amount of mail to send, your connections waiting
to timeout build up at the client and cause problems with applications.

milter_header_checks don't forward the message to filter


The header is detected but it doesn't seem to forward the message to
the filter:

May 12 20:40:01 submitter1 postfix-y31/cleanup[32460]: 1B29DD5F7E66:
milter-header-filter: header X-Spam: Yes from[]; from=< ... at gmail dot com>
to=< ... at gmail dot com> proto=ESMTP helo=<>:

Any ideas?

Problem with logging


mail_version = 2.10.1

I have a serious problem with logging of postfix via rsyslog on one of my servers
on CentOS 7.

All I see in the log is

May 12 12:41:39 nimmini1 postfix/qmgr[19227]: E16FE20EA7: from=<a. ... at nimmini dot de>, size=2141, nrcpt=1 (queue active)
May 12 12:41:40 nimmini1 postfix/qmgr[19227]: E16FE20EA7: removed
May 12 12:44:33 nimmini1 postfix/qmgr[19227]: 067DE20F8B: from=< ... at nimmini dot de>, size=1562, nrcpt=1 (queue active)
May 12 12:44:46 nimmini1 postfix/qmgr[19227]: 067DE20F8B: removed
May 12 12:46:07 nimmini1 postgrey[2722]: action=pass, reason=client whitel

header_checks: From header not being changed in mail between local users

This is more a curiosity than a real need, but I was wondering why I can't
modify the "From" header when sending mails between local users.

It works perfectly when sending mail out (smtp_header_checks).
"sender_canonical_maps" with "local_header_rewrite_clients =
permit_mynetworks, permit_sasl_authenticated" works (though it only edits
the address, not the 'name' in the From)

Just in case something was interfering I reused the same file as with
smtp_header_checks and removed other options.
# postconf 'smtp_header_checks = ' 'sender_canonical_maps = '
'virtual_alias_maps = ' 'local_header_rew

Support for Proxy Protocol V2?

Hi curious if there are any plans for support for the proxy protocol v2?

mysql write support patch updated to 3.4.5

I have updated Stefan Jakobs' patch (see
;m=128714800025241 ) to apply to
postfix 3.4.5.


Trying to understand smtpd_recipient_restrictions order


I was under the impression, that smtpd_recipient_restrictions and other
restriction configuration items were being processed top to bottom.

I am running postfix 3.2.2 and as far as I can see my postfix is showing a
different behavior.

I have the following items in my config:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/
check_recipient_access proxy:mysql:/etc/postfix/

include full original message in bounce

Hi List,

searching the manual pages, the Internet and the postfix-users archives
gave me no answer to my question, so I post it here.

We have an application that sends out emails with attachments. These
attachments contain specific data not contained in the email body
accompanying the attachment.

mod_proxy_balancer / mod_proxy_http question - stick tables support based on url

Hi all,

I've got a question about:


Can balancing of apache httpd be configured to use stick tables to
balance requests (having HAProxy in mind)?

With HAProxy you could define something like:

stick-table type string len 256 size 1M expire 1h
stick on path,field(3,/) table mytable

I want to balance requests with httpd based on a part of the URL (no
cookies there) (/r/${balancePart}/...) and it should balance that in a
way that there are some preferred rules like:

Collecting Metrics from Apache Server

Hi all,

I'm investigating ways of collecting metrics from the Apache server.
Specifically, I'm trying to figure out a way to collect throughput
(req/sec) and the average latency. I have tried using mod_status, but it
only gives throughput. I'm thinking of using the following approach.

Current Approach:
1. Create a new Log Format including the request processing time.
2. Use Logstash to read Apache access logs.
3. Output the timestamp and request processing times to Elasticsearch

Additional debug information in log file.

Recently I had to switch the IP address of my postfix server from to

After changing the IP address at the server level and rebooting, I am now seeing the following in the logs.

Why am I getting Openssl library mismatch with mod_ldap??


I successfully built a FIPS openssl based mod_ssl for Apache 2.4.39.
Everything works great via SSL when I boot Apache, EXCEPT when I then
turn on mod_ldap/mod_authnz_ldap, THEN I get the below openssl library
version mismatch.

Virtual Mailbox Delivery with mixed address classes.


I am trying to wrap my head around the different address classes and how
to combine that with the virtual mailbox delivery system.

I currently have a mailserver that serves as final destination for a
domain, say which is configured as mydestination.

I have users on that domain (... at example dot com) which are getting mail
delivered via lmtp configured under mailbox_transport to a dovecot server.

There are some virtual users that have mailroutes such as ... at example dot net
-> user.



From what I have read, smtputf8 is enabled by default to 'yes' in
postfix version greater than 3.

I also read through the Postfix documentation, that just because it's
supported by Postfix, there are many subsystems (like Dovecot) that do

I wouldn't have even given it much thought, until today, some emails
(from one sender) were getting bounced back. If I read the logs
correctly, the emails were accepted by postfix, forwarded to Dovecot,
where they were rejected.

dns_lookup: Fix compilation with uClibc-ng

uClibc-ng does not have res_send or res_nsend.

dns_lookup: Fix compilation with uClibc-ng

uClibc-ng does not have res_send or res_nsend.
diff --git a/src/dns/dns_lookup.c b/src/dns/dns_lookup.c
index 1ea98b3..18073b4 100644
--- a/src/dns/dns_lookup.c
+++ b/src/dns/dns_lookup.c
@@ -311,9 +311,17 @@ typedef struct DNS_REPLY {
static int dns_res_query(const char *name, int class, int type,
unsigned char *answer, int anslen)
+ int len;
+#ifndef __UCLIBC__
+ len = res_query(name, class, type, an
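
Review bot: the "#ifndef __UCLIBC__" guard added at the top of dns_res_query() keys on which libc is in use, while the commit message says the actual problem is that res_send and res_nsend are missing. A build-time feature test for those two functions would cover any other libc that lacks them and would stop applying if uClibc-ng gains them. As far as the visible lines go, the res_query() call also sits in the #ifndef branch, that is, the one compiled when __UCLIBC__ is not defined, which reads as the opposite of what the commit message describes; please confirm the sense of the condition.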
