Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

Question about logging mismatched DNS in submission server

Lately it looks like some zombie bot farm is connecting to submission
(and looks to do nothing except connect), causing many of these in the

Oct 28 06:15:35 mail postfix/smtpd[12941]: warning: hostname x.y.z does
not resolve to address Name or service not known

For submission service where clients often connect from dynamic IP
address ranges, maybe seeing these is not important - just noise, so I
am curious about why postfix is logging this. Does this mean client is
somehow attempting to send before (without) doing any AUTH?

Recipient address rejected: User unknown in local recipient table

Hello everyone.
I have configured a zimbra and a postfix different pc.

MacOS High Sierra (10.13) and Postfix relaying

Hi all,

I use postfix to relay e-mail to a Google Account, which has been working
flawlessly up until now.
I'm running out of options here.

Try dane and still got "Untrusted TLS connection..."


I am trying to setup dane on my mail server. But I never seen a
"Verified TLS connection..." in the log. I always got:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
established to[]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

My system is Postfix 3.2.3 on Centos 7.4
# postconf -d | grep mail_version
mail_version = 3.2.3
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1

DNSSEC has been setup and added TLSA record.

Minimun postfix

Hello everyone.
We have contracted a mail service and we want to make some changes.
The idea is to install zimbra on a local server of ours and that zimbra take
the mails of the postfix of the contracted service.
To test, we are installing a postfix locally on another server.
(ie zimbra and postfix are installed on different servers and will be
published accessible to the internet with different ip to simulate the
scenario we want).
I wanted to ask if you can give me a hand with the postfix configuration.
For now this is my file

smtpd_banner = $ myhostname ESMTP $ mail_name (Ubuntu)

relayhost GMAIL submission (port 587)

I have read several guides from the internet including the ones from
postfix forums. It would appear that several people have configured
their postfix environments to use GMAIL as a relayhost and to use port
587 for communication.

Currently my relay host is setup for my ISP's email server which I
presume is going to port 25.

header out working in local apache but not on development environment

I used this apache C function

* apr_table_addn(r->err_headers_out , "Remote-Proxy-User",
I can see the result in my chrome dev tool when I use it in an apache
running locally but It does not work in the development environment.
what could be the reason?
Thank you

Forward local user email or another local user

I have a service running that requires me to configure an SMTP user X
with password to send daily statistics to.

Cannot use a virtual alias user (and forward to the final user Y)
because I have to provide a password as well.

So I set up a dedicated user X account (with password) for this to be
used to pass through incoming email to the final user Y account (which I
didn't want to use for that SMTP action).

Can you tell me how I can force this to be done with Postfix directly?
I can solve it by some forward action once it arrives in the inbox of
user X, and forward it to user Y, but wou

Postfix, mailman, and aliases problem

Hi list,

I recently migrated our mailman server from an old SLES 11 box to Ubuntu 16.04.3 LTS, and installed Mailman from the Ubuntu repositories along with Postfix and other prerequisites. Mailman itself is working fine, but I have a handful of regular email aliases in /etc/aliases which do not receive mail, and when examining the logs, get bounced with a “User unknown” error. What did I screw up?

(I’ve checked my aliases and they’re good, and I’ve run the newaliases command numerous times).


unable to send email to domain

I have strange irritating problem. When I send emails from my server to any
email address to any domain they reach the target without any problem. But
when I try send to address in "" I got bounce:
< ... at hotmail dot com>: host[] said: 550 5.7.1
Unfortunately, messages from [ip_of_my_server] weren't sent. Please
your Internet service provider since part of their network is on our
list (AS3140).

header check question

I have a stand-alone mail server with postfix 2.10.1 (CentOS7) that also
has an anti spam setup.

For privacy reasons I added a header check to submission to change the
header on incoming mails from authenticated users so the anti spam won't
freak out about SPF etc. Because of roaming mobile clients I can't white
list senders like I would do normally in an enterprise setup where the
server would be a gateway.

Start apache with tomcat

Hi All,

I am using tomcat-7.0.82 and httpd-2.4.25.

Following are my configuration :

in server.xml

<!-- Define an AJP 1.3 Connector on port 8009 -->

<Connector port="5644" enableLookups="false" redirectPort="8443"
protocol="AJP/1.3" URIEncoding="UTF-8" />

in httpd.conf

Listen 5643

Loaded mod_proxy_ajp and mod_proxy

Include /home/ananya/apache-2.4.25/other/ajp.conf

in ajp.conf

ProxyRequests Off

<Proxy *>

Require all granted


ProxyPass / ajp://

ProxyPassReverse / ajp://

I started both tomcat and apache server.

Problems routing to lmtp


I have my email server, running postfix.

I have an lmtp server running in a docker on the same machine.

The docker container (mailman 3) writes the transport maps for mailing lists which I have defined in postfix they're written and defined as regex.

When I send an email to the list address, it bounces with unknown recipient. It's listing the attempted recipient as:

The lmtp address @ the servers fqdn.

Obviously it should take the email addressed to the lists virtual address and simply route it to the lmtp server.

Re: [users@httpd] RE: [ANNOUNCE] Apache HTTP Server 2.4.29 Released

I’m not sure if this is what is referred to in the Apache 2.4.29 announcement, but please note that the Apache Portable Runtime v1.6.3 release resolved memory safety issues I found in functions used within HTTP server. This was released in conjunction with 2.4.29.

Using HTTP server linked to prior versions of APR exposes the risks outlined in my email sent to this list on Monday.

Best Regards,

The 2.4.29 changes document doesn't reference any CVE articles, though the announcement indicates that this is a security release.

Postfix, clamav and Spamassasin - delete high scoring spam


I use Postfix, clamav and spamassain to figth the spam in my server.

I my custom_rules from spamassasin i add the following rule to give 100
points to emails that contain infected attachments.

priority CLAMAV -900
shortcircuit CLAMAV spam
score CLAMAV 200

my question is, can be removed automatically through postfix?



check_sasl_access duplicates


I've configured check_sasl_access to be a sql map, like so:


and that check_sasl_access.sql file has the regular database DBI bits,
and then the following query:

query = SELECT CONCAT("PREPEND X-User-ID: ", encrypt_user_id(mailboxes.user_id)) FROM mailboxes WHERE mailboxes.address = '%s';

this encrypt_user_id(mailboxes.user_id) is a stored procedure in the
database which allows me to create a hash of the sasl authenticated
user_id, with a secret, and returns a header value that helps us
identify users (esp.

Module per crypt/decrypt using base64 coding

HI all,

is there a module that does it? I want to see its source code?


why postfix duplicate files

Hi, I have found in my /etc/postfix directory list of duplicated files. I
attach .txt file with this list. I don't do anything with postfix from few
months. If it's not normal please tell me how fix it.

How can I detect if SSLEngine is ON?


I am using virtualmin to run my site, and there is no method to set an apache template separately for an ssl site. that i am aware of. I am asking them this right now.

Independently, my question to this list is “in the apache configuration, how do I tell if SSLEngine is set to ON”.

Troubleshooting "SSL_accept error" that happens with only one domain , (a UPS company)


My office receives email from UPS, since we're a customer.

One of the domains that UPS emails from is apparently "".

We're not getting those emails.

From the Postfix mail server's logs there's this for one of the 'misses'

mail postfix/postscreen[4531]: PASS NEW []:56785
mail postfix/postscreen-smtpd/smtpd[4537]: connect from[]
mail postfix/postscreen-smtpd/smtpd[4537]: SSL_accept error from[]: -1
mail postfix/postscreen-smtpd/smtpd[4537]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post

Virtual alias maps question


I added a test domain for my email address only.

[root@mta4 postfix]# postmap -q "angelo. ... at uconn dot edu" /etc/postfix/virtual
angelo. ... at test dot<mailto:angelo. ... at test dot>

[root@mta4 postfix]# more|grep virtual_alias_maps
#virtual_alias_maps = mysql:/etc/postfix/files/
virtual_alias_maps = hash:/etc/postfix/virtual mysql:/etc/postfix/files/ regexp:/etc/postfix/maps/huskygroups regexp:/etc/postfix/maps/subaddressing

From reading the docs, addresses are evaluated in the order listed, so for me it's Virtual, and then

Customize log message of postfix proxy?


I use a pre-queue content filter via postfix proxy feature. Works fine :-)
My "problem" is the logmessage that is generated into maillog upon
reject of this pre-queue filter which currently looks like this:

Oct 24 09:48:29 myhost postfix/smtpd[16393]: proxy-reject:
END-OF-MESSAGE: 550 test.exe: Dangerous attachment type (Microsoft
kbid=883260); from=<REDACTED> to=<REDACTED> proto=ESMTP

What I'm missing here is the ip address of the sending client which
triggered that reject.

rpmbuild of httpd-2.4.29


I have finished  rpmbuild of httpd-2.4.29 perfectly and installed it
successfully using the rpm.
Thank you all relative to this release.

CentOS 7.4
kernel: 3.10.0-693.5.2

Yours truly,
Kazuhiko Kohmoto

How do I configure two subversion repositories on one apache server?

Hi I have two svn repositories on the same apache server under two virtual
hosts on port 9000. Both hosts have their own certificates. The problem
is, when I try to try and do an svn up I get this error below.

Memory Safety Issues Handling SDBM

Apache HTTP Server security may be impacted by missing bounds checks in the SDBM implementation from APR prior to version 1.6.3 (released October 22, 2017) [1]. SDBM can be used in various parts of Apache HTTP Server including most notably for authentication and object caching.

ErrorDocument doesn't work with non-pathed (root) URL?

I've got a virtual server with Wordpress installed in it (base dir install). Apache 2.4.6 (latest for RHEL). Apps group has a requirement that their entire site be protected (only certain "users" can access), and so a complex RequireAny was set up. That has been working fine for some time.

Now, the application group would like to add a custom page for any 403 for people who do not meet the RequireAny requirements. I've added an ErrorDocument (pointing to a different vserver, since this site is otherwise protected from even serving a 403).

Apache HTTP Server 2.4.29 Released

Apache HTTP Server 2.4.29 Released

October 23, 2017

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.29 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases.

sendmail cannot read CDB tables

When I try to use a CDB table for authorized_submit_users with Postfix
3.1.6, the sendmail command exits with error "unsupported dictionary
type: cdb".

To reproduce:

# postconf -n
authorized_submit_users = cdb:/etc/postfix/authorized_users

# cat /etc/postfix/authorized_users
testuser OK

# postmap cdb:/etc/postfix/authorized_users
# ls -l /etc/postfix/authorized_users*
-rw-r--r-- 1 root root 12 Oct 23 14:34 /etc/postfix/authorized_users
-rw-r--r-- 1 root root 2082 Oct 23 14:54 /etc/postfix/authorized_users.cdb

# postconf -m | grep cdb

log in socket.c in APR

Hi All,

I want to add log statement in apr to check some function in apr. When I am
adding ap_log_perror in socket.c in apr, it is giving error..

Is there nay way to print logs of apr. please help.


Postfix -1 read errors

Hi all.
I’m a bit worried about the following read errors i see in my log lately. Mails still arrive and get sent fine, but what is going on with this? It doesn’t look good. Nothing has change on server side and i restarted all services (dovecot, postfix, saslauthd, sql ).

Maybe it’s a temporary iPhone thing (the device im using to read and send mails, not the first time that happened.

Compromised email server

I am not 100% sure however I suspect my email server has been compromised.

I am using Kolab.

I previously only logged inbound connections to my fw however I have
just tested logging outbound connections and I see multiple repeated
connections to a a few IPs on port 25.

The prime contender is which a google search reveals is
associated with ransomware.
<a href="" title=""></a>

I have checked the /var/log/mail.log file and can see the items being

Question regarding smtpd and log of “Untrusted TLS connection”


I currently have a Postfix 3.1.0 server with smtpd configured to use opportunistic TLS encryption:

smtpd_tls_security_level = may

In the documentation I have noted that even if STARTTLS is enabled, mail delivery will not be stopped even if the certificate at the other server is invalid or is a self-signed certificate.

Undefined Symbol Prevents from Loading

I am building Apache 2.4.28 on RedHat Linux 2.6.32-573.el6.x86_64 for use as a reverse proxy server, to upgrade from Apache 2.4.23.

How can I "reject_unverified_LOCAL_sender"?


I see a lot of spam entering that claims to have come from a local
domain, usually guessing a non-existent account. I've been looking for
a way to "reject_unverified_local_sender", by which I mean that the
sender address is verified iff it occurs in virtual_alias_domains (and
perhaps a few other lists).

One way to go could be to create a database of sender domains to
validate, enter my own domains in it, and use "external" access to my
own MTA and probing it. But that leads to cyclic probing!

easy DKIM question, at least i think it is...

Hi, i have a small DKIM question.

Block IP rcpt-to or block MX


Is it possible to create a list where the IP of certain recipients can
be blocked?

Here and example:

Oct 19 10:15:09 smtp01 postfix/smtpd[11048]: 5C28C20018459:
Oct 19 10:15:09 smtp01 postfix/cleanup[6836]: 5C28C20018459:
message-id=< ... at domain dot com>
Oct 19 10:15:09 smtp01 postfix/qmgr[3054]: 5C28C20018459:
from=< ... at domain dot com>, size=16981, nrcpt=1 (queue active)
Oct 19 10:15:25 smtp01 smht-101-41/smtp[7698]: 5C28C20018459:
to=< ... at hotmial dot com>,[]:25,
delay=16, delays=0.15/0/9.2/6.3, dsn=2.0.0, st

filter_readme nexthop lookup

Hi all, I'm trying to follow the FILTER_README howto for educational purpose.
As suggested I added the following line to my

smtp inet n - n - - smtpd
scan unix - - n - 2 smtp -o
smtp_send_xforward_command=yes -o disable_mime_output_conversion=yes -o

and the following directive to my

content_filter = scan:localhost:10025
receive_override_options = no_address_mappings

I entered the following command as proof of concept

while :; do cat <(echo '220 filtro.catorcio.tld ESMTP Postfix

disable receiving for particular email

Hi all. I would like to create "do not reply" email account. The simpliest
way is create an email account and disable receiving. Which option in
Postfix permit disable receiving for particular email?

weird error w procmail and spamassassin

I’m configuring a new mail server and I’ve set up postfix to call procmail which then calls spam assassin.

The problem is that spam assassin doesn’t seem to be getting hit.

I looked at the logs and I see postfix making a call to procmail but then nothing happens.

What am I missing?

What should I look for and how can I debug this further?


PS. This is set up the same way I have it on an earlier postfix/dovecot mail server on a different server.

Tailored filter


I run a small publishing company and for the sake of easing communication
between authors (who work in teams) I have provided each of them with a
local alias. Typically, mail sent to <firstname>.<lastname>@<mydomain> is
redirected to <firstname>.<lastname>, the usual email address of
the author.

I've been using this for 15+ years and it's been great. Unfortunately,
I'm losing the war against spam. In spite of careful configuration of
Postfix, the use of Postgrey and hand-drawn blacklists, too much spam
passes through.

SSL Session Timeout value



- My backend service is configured to TLS1.1 initially. Client support
all TLS versions.
- Upon sending a request SSL handshake happens like this.
*Client Hello TLS1.2 Server Hello TLS1.1*
- Then i configure backend service to TLS1.2
- Upon sending a request handshake fails.
*Client Hello TLS1.1 *(Due to previous session memory of 1.1 backend
service) And *connection fails*.

Full cache locking requested


In the Apache docs here:

<a href="" title=""></a>

it says: 'When a cached entry becomes stale'

It seems that this does not include the first call: the first uncached fragment is not protected by the cache lock, so all requests for the first fragment will hit the origin.

In the case of live video streaming players keep requesting the last (new) fragment as it is produced by an encoder.

Unfortunately, other caching tools (Nginx, Varnish) must be used as Apache itself cannot be used.

Is ‘full cache llocking’ something that has been discussed

noobie configuration problem

I want what must be a very common mail arrangement that I can seem to
make work...

I have a local network with a "fake" domain name (.home) with several
machines, each with postfix. I want any machine, say x.home, to be able
to send to any other other machine, say y.home, directly.

SSL hooks


I am looking at this file
<a href="" title=""></a>
and see that there are 3 hooks defined for handling SSL connections. Are
these available for modules/handlers to use?

Can my module register to thees hooks and manipulate SSL context?


Bounce message with transport_maps

Hi, I have a postfix using as a mail proxy.

Apache load module path


I have LoadModules configured under the default RedHat httpd directory.

LoadModule proxy_module /usr/lib64/httpd/modules/mod_proxy.

I would like the modules to be changed to another

Should I just update the new modules path in the httpd.conf file and
restart httpd?

Please let me know if it is correct. Are there any additional steps

Virtual Domains/ Users

My mail server will receive mail for 3 domains with 6 users, and the MUA
will be on another machine on The Internets.

I'm seeing conflicting info on setting this up.  The simplest recipe is
<a href="" title=""></a>


bcc emails to two addresses


I have a mail server running postfix, and another server running an email
archive software
which can talk smtp.

Postfix is configured to pass a copy of each emails to the archive, using
always_bcc = someuser@archive

When an email is received it's copied to the archive properly, so far, so

Now the problem: I have several customers and domains hosted on the mail
When customer1 sends an email to customer2, then the email appears only in
archive (it's a multitenant solution).

I've managed to narrow the issue, and it seems that the problem is that the
archive i

URI query string in a post method

Hello All,
I have an application where the client is sending a post method / form to
an apache reverse proxy and the request contains a uri query string.
Apache is throwing a 400 bad request on this. is there a way to tell
apache to ignore a malformed post method? I understand you cannot rewrite
it as they would lose their post data.

thx in advance,

PSA: US government to set DMARC to reject

<a href="" title=""></a>

Binding Operational Directive 18-01 enforces some basic email security, notably with DMARC set to reject. Perhaps this will set a trend. Not necessarily for DMARC settings, but at least more servers will be set up properly not to be rejected.

how to include ssl lib when running apxs

I am compiling my apache c module using this

sudo apxs -i -a -c mod_ex.c

now I need to use the lib openssl

what should I use to include this lib,

I tried with adding this option:

-I /usr/include/openssl

but it still seems that it does find some function.

Please how shall I do to include it?

Feature Request: deduplication with multiple X-Original-To values


Postfix currently allows two modes of operation when a message arrives
at the target more than once:

1. With recipient deduplication, but no X-Original-To


Jessie - Stretch to jump on Postfix 3.x

Hello Together

I'am running with Debain Jessie 8.9, i play with the ideea upgrade the
system 8.9 ->Stretch.

Please existing here any complication, or/after the upgrade i need to
reconfigure the hole mailserver?

I see that Stretch are armed with Postfix 3.x

I know this are not a specific Postfix question, but i am intressed to hear
your expiriences!



posttls-finger / DANE failure


This MTA is a dual stack postfix machine, which also has a dual stack
resolver running.

When testing DANE to a remove IPv4 only MTA, i see an attempt to lookup
a non-existent AAAA record by posttls-finger.

Question regarding Postfix virtual domains and SPF


I have two questions regarding using SPF when I am using Postfix with virtual domain hosting.

I currently have an SPF record in my DNS: TXT “v=spf1 ip4: ip6:1:2:3::4/128 ?all”

I virtually host a domain (in this example case,, that is set to forward mail to recipients on Gmail.

Self-Generating Postfix Key & Cert?

Anyone have handy the openssl commands to generate my own key and cert
for Postfix?

What is the upper limit allowed for smtp_line_length_limit?

Yes, I understand that setting smtp_line_length_limit above 998 is not

I agree that for most Postfix installations, where mail is relayed to
the outside world, this recommendation is your best bet for email
deliverability because lines longer than 1000 violates RFC 5321. I
totally agree with this if your Postfix installation is sending outbound

I manage several gateway mail servers that only accept inbound email and
deliver to internal servers. Lately we've been seeing more and more
DKIM signed messages. Most make it though these gateway servers without

OpenDKIM SOCK path on Debian Jessie

Hi Friends,

I've set on (Debian Jessie, Posfix 2.11.3-1, Opendkim 2.9.2-2)


and on /etc/postfix/

smtpd_milters = unix:/var/run/opendkim/opendkim.sock
non_smtpd_milters = unix:/var/run/opendkim/opendkim.sock

(on opendkim "local" and on posfix "unix" socket)

Apparently all works fine:

systemctl status -l opendkim
● opendkim.service - LSB: Start the OpenDKIM service
Loaded: loaded (/etc/init.d/opendkim)
Active: active (running) since lun 2017-10-16 18:27:39 CEST; 2min 31s

Syndicate content