Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

replace trailing new line character


I need to do some content filtering on my output. Currently, I've got
mod_sed to remove some xml nodes that I don't want going out. via:

OutputSed "/<nodeToRemove/d"

The final step is that the last line in the content contains a newline
character \n, but I need to remove that.

How can I easily remove the trailing new line character at the end of the


Bounce message length

I have Postfix currently running as an outbound relay for a Microsoft
Exchange system. It's working beautifully, but we are having issues
with bounce messages:

It appears bounce messages are trucated to <80 chars (more like 75
according to the tcpdump).

This means the error code and message are not handled correctly by

How to bounce malformed addresses ?

Hi everyone,

I run some mass-mailing servers with Postfix 2.11.3.

I have some messages being deferred because of malformed addresses like
"john. ... at gmail dot co" ("" instead of "").

These messages stays a few days in queue and get removed then.

But no bounce is returned to the sender !

I have bounces from others servers like "user does not exist" but never
bounces for such addresses.

Is it the way Postfix is supposed to run ? How can I do to get bounces
for these messages ?

Thank you a lot.


Forward SRS with postfix


Numerous users of my system use forward to external MTAs. From time to
time it causes some issues with SPF on those MTAs. SRS could resolve those.
I'm wondering if you could recommend any SRS software which nicely
integrates with postfix and doesn't interfere with canonicals (postsrsd

[*]I need to rewrite both senders' addresses (`MAIL FROM:' and `From:')
for all outgoing mail with canonicals before SRS is applied.

why still store the mails on the home directory of a user


I try to make mailboxes on /var/spool/mail/

So I changed the virtual part to this :

virtual_gid_maps = static:5000
virtual_mailbox_base = /var/spool/mail
virtual_mailbox_domains = /etc/postfix/vhosts
virtual_mailbox_maps = hash:/etc/postfix/vmaps
virtual_minimum_uid = 1000
virtual_uid_maps = static:5000

I restarted the postfix service and send a test mail to a user like this :

mailx <a href="mailto: ... at example dot com"> ... at example dot com</a>

now roelof is a system user and a virtual user.


Yet another help with a rewrite rule :).

Basically, I need to rewrite from:

<a href="http://host:8080/context/8/13806050/model/834/data/modelData/90791" title="http://host:8080/context/8/13806050/model/834/data/modelData/90791">http://host:8080/context/8/13806050/model/834/data/modelData/90791</a>


<a href="http://host:8080/context/8/13806050/model/834/data/modelData/90791/raw" title="http://host:8080/context/8/13806050/model/834/data/modelData/90791/raw">http://host:8080/context/8/13806050/model/834/data/modelData/90791/raw</a>

where the constants of the url are "model" "data" "modelData" The other
parts are wild cards that can be anything.

Any help on a rewrite rule would be most appreciated. my regex is rather


Query on cgidtimeout

Hi Yann,
I have a query wrt cgidscripttimeout in apache 2.4
There is simple cgi script which runs in loop printing the env
However low the value of cgidscripttimeout ts set to the script
doesnt seem to terminate, but executes completely.
Is there anything i am missing, pls advise.


lmtp delivery to cyrus / sub-addressing

Hi all,

a while ago I thought it was a good opportunity to restrict our cyrus
imapd access control by only allowing the admin user ("cyrus") and the
mailbox owner itself to post to a mailbox, e.g.

Before, "anyone" had the access right to post ("p") to mailboxes.

Now, when delivering directly to a folder using sub-addressing (e.g.
foo+ ... at domain dot example) postfix is unable to do so and the mail gets
delivered to the user's inbox, instead.

using isp domain as a virtual address for specific users

I'm treating the email addresses my isp has given me as virtual addresses.

I also have $mydestination $virtual_mailbox_domains.

Eg: Presently, when a local machine wants to send mail <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a>
to <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a>, the mail is sent to the $relayhost.

This scenario is good when <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a> is not one of my addresses.

However if <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a> is also one of my addresses, I want the mail
to be delivered by the same dovecot lda that is used for my

This reduces load on both our systems and stops internal mails leaking

If an email address

Override a transport configuration parameter with its own name


1. In, is it possible to override a transport configuration
parameter with its own name ? Like this :

transportname unix - - n - 1 smtp
-o transportname_destination_rate_delay=1s

If I can't, why ?

2. Can I use 'default_xxx' or 'smtp_xxx' ? Like this :

transportname unix - - n - 1 smtp
-o default_destination_rate_delay=1s



Multiple interfaces

*​​Ciao!How are you?*

*​​Problem:*I need 2 interfaces, because the fast ISP blocks 25 port, the
slower is open.

*​​I can telnet with the required interface:*telnet -b 25

*​The wrong is not working*​
​​root@server:/etc/postfix# telnet -b 25
*telnet: Unable to connect to remote host: Connection refused*

*Correct interface w​Works:*Trying
Connected to
Escape character is '^]'.
220 ESMTP q14s

Accept all mail on separate port

Hi all.

Due to the demise of the Sixxs project, which I was using to bypass the
ISP’s filtering of port 25 (in/out), I would like to open a "private" port
on postfix.
It’s a non-standard port and I will be filtering the src range at firewall
level so I’m pretty confident there will be no abuse.
I also want to avoid adding the subnet to mynetworks since I find it
easier to work on the firewall rather than the mail server.

I was able to have postfix listen on the new port but I realized all
sender and client restrictions are still being enforced despite passing a
<permit> directive:


Delivery to accounts of the same domain on two different servers

Hi all!

I am gradually migrating the accounts of a server (let's say to another server (let's say

In I'm using something like this:

Where /etc/postfix/virtual has something like this:

Feature request: MX rollup

This is a followup of the following request:
<a href="" title=""></a>

The feature I am asking for is implemented in PowerMTA with the name "MX
<a href="" title=""></a>

I guess that the matter is to create a daemon receiving MX information from
smtp clients and making them available to the scheduler.

Thanks in advance

header_checks and custom header fails to trigger


It's me again and the header_checks is driving me crazy

Mail comming from other mail system comes into postfix were header_checks is

The mail system adds a header :

route_gcgw: BE

This header is visible when the mail is received

I have a header_checks file where 'again' the if statement is not triggered

if /^route_gcgw: BE/
/^Received:.*test\.be/ WARN warningOOOtestdomainT
/^Received:.*testf\.be/ WARN warningOOOtestdomainF

I also tried

if /^route_gcgw:.*BE/


if /^route_gcgw:.*BE.*/

Nothing seems to be working.

What I'm a doing wrong here ?

tx All

Apache 2.4.25 with openssl 1.1.0e


I am trying to build httpd-2.4.25 with openssl-1.1.0e. But getting
error in SSLv2_Client_Method,
CRYPTO_malloc_init functions .

Whether anyone encountered the same problem?
Does apache-2.4.25 support openssl 1.1.0e?


Changing "mail from"


We have a few forwarders where we need to change the "mail from" during the
SMTP stage. Nothing else has to change and I know that spam would be seen as
coming from our mail server if we forward it. This last part is acceptable
for us. On the mail server that we want to retire this is done (but this is
Sendmail and difficult to maintain, so we want to switch to Postfix but
keeping this behavior).

Is it possible with Postfix to do this or do I need to look for a milter or
something else to do this?

Regards, Mark

New mail subdomain versus existing domain issues

I'm setting up a new server with the goal of using letsencrypt ‎versus my self signed cert. (I'm also going to try those SpamAssassin alternatives that require less RAM.) So I will run two VPS for a period as I debug the new server.

That said, is there any way to implement email going to both and That is I intend the email servers to be different.

Vendor Connection via Proxy to SNI Server response 403 Forbidden

Hi Everyone,

There are few posts going around and I was wondering if any one had some advice or experienced a similar issues

Current Apache Version: httpd-2.4.12


- External Vendor WebServer enables SNI check
- I currently connect to vendor via proxy (from Http to Https)
- I disable ssl checks on the certificate
- Each time we make a connection I’m returned 403, the reason is the vendor enables SNI check and within the Client Hello (SSL Handshake) packet we set ServerName from vHost “”

Basic config

<VirtualHost *:*>

ServerName Internal-site.

Kerberos authentication exclusion by IP address

Apache 2.4.6

My site is behind an F5 load balancer. Apache sees all requests coming from The F5 sends the X-Forwarded-For header containing the actual client IP address. I need to attempt Kerberos auth for the entire site (<Location />) for internal (X-Forwarded-For header is users. This is working just fine. Apache should not even attempt Kerberos for external (X-Forwarded-For header is anything but users. It _can_ attempt it as long as the user does not see indication that Kerberos auth failed (which it always will for external users).

non_smtpd_milters and canonical_maps - what goes first?


I'm reading <a href="" title=""></a> and I'm still not
quite sure. Both are performed by cleanup. What determines the order:
which goes first and which goes then? I can't find any variable
determining this... :-( Is it pre-defined (what order?). Can I force
changing the order?

Best regards,

using postfix mta with ldap

Good morning,

I am attempting to build a postfix mta server to act as a mail router based
on ldap queries to route users to one of two mail environments we have that
are on the same domain, but different providers. I have been unsuccessful in
finding a proper way of setting this up in postfix and was hoping that
someone else has run through a similar setup. Any information appreciated.

Sending e-mails using postdrop - possible ?

Hi All,

I have a MongoDB with a set of e-mails that I want to send. I want to be able to track their delivery / bounce / delayed status - plus link any replies back to the original e-mail.

I have already written a c++ service to handle incoming e-mails (by piping the incoming e-mails to my app) - which is still under development, but meeting that side of my needs.

Now I'm onto the actual sending side.

What is configuration

i need redirect my apache for use cups and i need use Directory
/var/www/html/jasmine with another application. What is a configuration
correct? in apache show "Not Found" for directory of Jasmine, if i remove
proxy pass directory jasmine work.

<VirtualHost *:80>

ProxyPreserveHost Off
ProxyPass / <a href="http://localhost:631/" title="http://localhost:631/">http://localhost:631/</a>
ProxyPassReverse / <a href="http://localhost:631/" title="http://localhost:631/">http://localhost:631/</a>


<VirtualHost *:80>

<Directory "/var/www/html/jasmine">
Require all granted


Analog log file analyzer for Apache logs

Has anyone used these more recent versions (C:Amie) for Apache logs?

<a href="" title=""></a>


telnet hangs when I enable sasl


I have this in my :

smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes

in my sasl2 config file I have this :

pwcheck_method = auxprop
auxprop_plugin = sasldb
mech_list = plain login cram-md5 digest-md5 ntlm

but when I do telnet 25 and I do then ehlo locahost I see now respons
at all.

When I disable the smtpd_sasl_auth_enable_line telnet works but I do not see the
auth headers back.

What can be the culprit here


Transport Maps Clarification/Debugging

I have a Postfix server which receives mail for EXAMPLE.COM
(bogasified); for for specific addresses I need to send that mail to
another SMTP server. So transform_maps!

I have "transport_maps = hash://map-path" and If I "postmap -q
<a href="mailto: ... at EXAMPLE dot COM"> ... at EXAMPLE dot COM</a> hash://map-path" it returns "smtp:[other.smtp.server]".

However when I send a message through the server ... it is still
delivered using the local transport.

I have cranked up the debugging level for the host I am sending the
test from.

Access map matches sub domain with empty parent_domain_matches_subdomains

I'm using Postfix 3.2.0 from the FreeBSD ports collection

I experienced that access maps matches sub domains, even though
parent_domain_matches_subdomains is set to an empty value.

What did I miss?

disconnect after connect

Hello everyone,

I'm setting up a relay host that is going to do some rewrite for domain name consolidation from o365 , I am having some communication problem with connection from o365 basically( if needed I can show debug level 3 of those and tcpdump ) :

May 31 11:19:55 public59 postfix/smtpd[3480]: connect from[]
May 31 11:19:55 public59 postfix/smtpd[3480]: setting up TLS connection from[]
May 31 11:19:55 public59 postfix/smtpd[3480]: Anony

Trouble updating PHP version on MAMP on Mac

I'm trying to update the PHP version used in the built-in MAMP on my Mac,
as indicated at
<a href="" title=""></a>.

After obediently completing all the steps, the "CLI" version is
updated allright :
the output of php- v in my terminal is

PHP 7.1.4 (cli) (built: May 6 2017 10:02:00) ( NTS )
Copyright (c) 1997-2017 The PHP Group
Zend Engine v3.1.0, Copyright (c) 1998-2017 Zend Technologies
with Zend OPcache v7.1.4, Copyright (c) 1999-2017, by Zend Technologies
with Xdebug v2.5.3, Copyright (c) 2002-2017, by Derick Rethans

But I look at t

connect() no file or directory


<meta http-equiv="content-type" content="text/html; charset=utf-8">
<body text="#000000" bgcolor="#FFFFFF">
Hello, <br>
I did all the steps from this page :
<a class="moz-txt-link-freetext" href=""></a><br>
postconf -a gives cyrus and dovecot <br>
postconf -A gives me only cyrus. <br>
So it followed the cyrus steps on Centos 7. <br>
but as soon as I do :  <br>

Header_Checks & empty Return-Path expression


I'm trying to accomplish the following :

If the return-path is <> ( empty ) then do the following ;

if domain is or route via ; if domain
is then route via

if /^Return-Path:\s**$/
/(^From:.*robbya\.be|^From:.*robbyb\.be)/ FILTER smtp:[]
/^From:.*robbyc\.be/ FILTER smtp:[]

This works but throws a warning :

/cleanup[64212]: warning: pcre map /etc/xxx/mime_header_checks, line 1:
error in regex at offset 16: nothing to repeat
/cleanup[64212]: warning: pcre map /etc/xxx/mime_

Spam Quarantine Folder

Firstly I am unsure if this question is related to Postfix,
Spamassasin, Amavasid..

I am using Kolab for email and almost everything is working well with
spam being partially filtered.

My problem is when spam is moved to quarentine is it moved to
<a href="" title=""></a>

As each user has an individual "Spam" email folder I would like spam
emails to be moved to the individual user's spam folder instead where
the individual user can then review them.


I have researc

Is there any documentation on the binary format of the mail files under /var/spool/postfix/ ?

Posfix keeps mails in a binary format in folders under /var/spool/postfix, at
least by default.

I want to write some tools for searching and filtering by the meta data of a
large number (hundreds of thousands) of emails under
/var/spool/postfix/deferred. Among other things, I want to find all queue
IDs of mails sent from specific IP adresses so that they can be deleted.

I'm having some problems understanding the binary format of the files
though. It seems that the envelope records starts with the bytes "\x41\x16"
and ends at the bytes "\x4d\x00".

smtp_tls-security_level .may/dane/encrypt

I currently use "smtp_tls_security_level = dane" but recent discussion
have made me wonder if I should change that. Maybe encrypt.

john A

Server Side Includes question

1) Is it possible to auto add a footer to all web pages on a server, including all virtual hosts sites pages, with a Server Sides Includes, without editing any of the pages?

2) Is it possible to accomplish adding a javascript to the bottom of all pages on a server, including virtual hosts, automatically via Apache, without touching any of the sites pages?
If so, how?


Can this SASL configuration be improved

In my I have:
# SASL stuff
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_auth_enable = no
# Because of POODLE vulnerability

​Is this

apache in proxy mode introduces extra delay for sockjs in xhr poll mode

I need to handle users disconnecting from my sockjs application  running in xhr-polling mode . When I connect to localhost, everything works as expected. When I put apache between nodejs and browser, I get ~20 sec delay between closed browser and disconnect event inside nodejs. My apache proxy config is following:
ProxyPass <a href="" title=""></a>
ProxyPassReverse <a href="" title=""></a>
The rest of the file is default, you can see it  here .

adding footer to all web pages

If we wanted to add a Google Analytics footer to all pages on our server, meaning all virtual hosts, what is the best way to do that via Apache without having to touch the individual web sites?

'found' mod_proxy_html and mod_ssl


I did eventually figure out that these modules were created (or not)
by the configure script. Is this true of all of the modules supported
by Apache that aren't core functionality?

Jeff Cauhape
IT Professional III
Department of Employment, Training and Rehabilitation
Phone 1-775-684-3804
Email: <a href="mailto: ... at nvdetr dot org"> ... at nvdetr dot org</a>

removing private data from headers

Hi all,

since three days I'm trying to remove my internal and external IP from the
Message header when I'm sending mails. But no solution has worked so far.

What I did:
created a new service in

header-cleanup unix n – – – 0 cleanup
-o syslog_name=postfix/header-cleanup
-o header_checks=pcre:/etc/postfix/header-cleanup.pcre

added to submission service:
-o cleanup_service_name=header-cleanup

created the file:
/^\s*Received/ IGNORE

Doenst work, the Received headers are still in there.

Any ideas ?


Postfix and FUSE: Function not implemented

To avoid running out of room on my mail server, I mounted a storage bucket
using FUSE and created a user with this as its home directory. To avoid
permissions issues, I used the arguments "allow_other" and
"default_permissions" and made sure my user owned its home directory.

Multiple recipients in BCC will not relay if it contains one bad email address.

Hi Everyone first time posting, I am hoping you can help me. We have an issue
when an email sent to multiple emails via BCC is deleted if an invalid email
address is in the list. The email is discarded all together and I don't see
any logs other then the bounces. They need to send via BCC for privacy to
other vendors. We need to bounce the back emails and continue to send to all
the valid recipients.

I have attached the postconf in this thread.

Running Postfix version 2.7.0 postconf.txt

Relay access denied

I have a Google Compute VM that I would like to use as a mail server.
<> However, outgoing ports 25, 465, and 587 are blocked
so I must use a third-party mail service. I followed the instructions for
Mailjet <>, but I changed inet_interfaces to all.

Issue with SASL authentication

Hi all!

Maybe this question is not 100% about Postfix, but it is related.

Building httpd2.4.25 on powerpc-ibm-aix7.1.0.0

I have been trying to install/compile Apache Subversion 1.9.5 with HTTPD-2.2.32, and it's been failing consistently.
Someone mentioned that Subversion1.9.5 may not have been fully tested with HTTPD2.2.x. So I decided to install httpd-2.4.25 on the same machine and give it a try.
Except that I am getting errors when building httpd-2.2.32.
Config command line is as follows:
It was created by configure, which was
generated by GNU Autoconf 2.69.

Why am I accepting this email?

The following is in my logs. I have no server called and no
user called aida.wanda. I don't see anything in that looks like
a wild card entry. Can anyone suggest why I would be accepting this
message in the first place?

TLS warning

Hi All

Should this TLS warning worry me?

cheers -- Rick


smtpd (total: 1)

1 TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTE...


May 23 11:35:42 myHostName postfix/smtpd[6619]: connect from[]

May 23 11:35:43 myHostName postfix/smtpd[6619]: SSL_accept error from[]: 0

May 23 11:35:43 myHostName postfix/smtpd[6619]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c

compiling apache on ubuntu

hi all!

i try to compile Apache 2.2.32 on:

VERSION="16.04.2 LTS (Xenial Xerus)"
PRETTY_NAME="Ubuntu 16.04.2 LTS"

this is my configure:

./configure --enable-rewrite --enable-vhost-alias --enable-so
--enable-ssl --enable-deflate --enable-headers

i get this error on "make":

network_io/unix/sockaddr.c: In function ‘find_addresses’:
network_io/unix/sockaddr.c:518:20: error: storage size of ‘hs’ i

Rewrite REMOTE_USER environment variable

I am involved in migrating a legacy site, using Apache authentication and cgi
scripts, to a CMS based site which uses its own access control.

The legacy site used membership numbers as the user name, but the CMS site uses
zero padded versions of those numbers. So a user logging in to the legacy site
would enter 10123, but 00010123 on the CMS site.

scan_dir_push: open directory defer: Permission denied

I went from an openSUSE system to a Debian 9 system.

I tried to copy and adapt my old config for the new system.

When running:
postfix check
I get:
postsuper: fatal: scan_dir_push: open directory defer: Permission denied

What could be the problem?

I already tried:
postfix -c /etc/postfix set-permissions

But that did not solve the problem.

no return nor action of program

Dear list,

I am using an 64bit ArchLinux with gcc 6.3.1 and compiled apache 2.4.25.
This is done as part of the apache-tools package from AUR [0].
As you can see we apply a patch for openssl1.1, since AL switched to
that version recently.

Reject any sender having the word "welcome" in the email address.


I would like to block any sender having the word "welcome" in the email

I know this can be done with header_checks, I just need the syntax to add
this rule.

<a href="mailto: ... at domain dot com"> ... at domain dot com</a>
<a href="mailto:now- ... at otherdomain dot com">now- ... at otherdomain dot com</a>
<a href="mailto: ... at olddomain dot com"> ... at olddomain dot com</a>
<a href="mailto:welcome. ... at olddomain dot com">welcome. ... at olddomain dot com</a>
<a href="mailto: ... at newdomain dot com"> ... at newdomain dot com</a>


Apache 2.2.32 request header parsing and RFC7230 compliance

RFC7230 section 3.2.6 (<a href="" title=""></a> ) defines a HTTP header field as:

header-field = field-name ":" OWS field-value OWS
field-name = token
token = 1*tchar
tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*"
/ "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
; any VCHAR, except delimiters

I believe Apache 2.2.32 fails to comply with the above definition for a single character request header.

Apache HTTP Server - 2.4.15-mod_prefork module

Any help how do I explicitly install and enable mod_prefork module for
Apache 2.4.15 proxy.

When I installed Apache proxy, chose mod_modules to all, but prefork is
not installed, cannot see it in modules folder.

Please help.


http/2 vs. Headername

Apache 2.4.25


i have a small .htaccess with following content to view Foldercontents:
Options +Indexes
Headername /foo/bar.htm
This is working by http, but fails in https if browser uses http/2.
Firefox: Secure Connection Failed

I dont see **any error in my logs, http/2 Browsers just stop loading.
When disabling http/2, also https is working.
What to do now?


Feasible to encrypt the virtual_mailbox_base directory with ecryptfs?

Has anyone tried to do this? Was it feasible?

Suggestion/Question about HTTP & HTTPS configurations


I am a user of Apache in the sense that I install it, configure it and run
it to host sites...I'm hoping this is the correct list to send this to.

Anyway, I recently did my first "from scratch" Apache install, build and
configuration in a cloud server (I had always used cPanel & WHM before).

My suggestion is that Apache should "assume" that port 80 for HTTP and port
443 for HTTPS and that they both serve the same content.

I'm not suggesting people shouldn't be able to customize it, but adding
duplicate and redundant directives for each Virtual Host for HTTP and HTTPS
seems unneeded.

Syndicate content