Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Using server variables in CustomLog Directives

I have a server application, and for security reasons I'm trying to prevent
requests, which provide 'username' and 'password' as query parameters, from
being logged (providing these parameters as query parameters is a user
mistake, but still...)

I've tried this way:

SetEnvIf QUERY_STRING "username.*password|password.*username" dontlog
CustomLog logs/my_log common env=!dontlog

But the unwanted requests were still being printed to the log.

Excursus Retry 451 452 Strategies


Imagine a mail envelope contains many recipients. The server accepts the first recipients and rejects the last
recipients, meaning “Too many recipients in this transaction”.

RFC 821 specifies the reply code 452 as “Insufficient storage”, which RFC 5821 amends, by stating that 452 can mean also
too many recipients in this transaction.

RFC 3463 defines enhanced status code 4.5.3 stating “Too many recipients”. RFC 5248 attaches the ESC 4.5.3 to reply
code 451, stating that changing this binding requires a specification, and there is no such specification.

sender_dependent_relayhost_maps problem

Dear all,

I am confronted with a problem in a mail-cluster of internal, external,
and a 3rd party postfix setup.

For simplicity I’ll reduce the setup to:

MX-I (internal mail relay, user authentication, .., also LMTP delivery)
MX-E (external mail relay, incoming/outgoing)
MX-3 (3rd party mail setup)

The setup itself has been running fine like this for years; the cluster
uses external (LDAP) lookups for mail routing and delivery.

Now a user needed to authenticate outgoing email to MX-3.

documentation dead link


May I allude to the dead link
and others.

Have a good afternoon!


smtpd - high memory usage


I have a hobby server that does a little bit of everything, including
1) receiving email via Postfix as a backup MX,
2) receiving ~70k IPv6 routes via BGP.

The problem I'm having is that when all ~70k routes are loaded into
the kernel (Linux), this somehow causes high memory usage in Postfix
"smtpd" processes -- as soon as the first client connects, I get a
smtpd process that's around ~130 MB (compared to the more usual ~13 MB
when BGP is down).

Possible inconsistencies in the parsing of lookup table names and other oddities

Hello to everyone.

I've been trying to write a small parser to parse Postfix lookup table
calls for a piece of code I am developing.

I have taken a look at the source code and then resorted to postmap -q
invocations to empirically test the descriptions at .

I am writing since testing out possible table values for the inline table
has left me a bit stumped, since the results I get do not seem to match the
description I read.
Or, at least in a few cases, the description seems to mislead about what's
actually accepted.

Firstly, I haven't found around

Postfix+cyrus imap integration with active directory

Dear Experts

Currently I am using Postfix+cyrus imap with openldap as authentication

Is it possible to use Active Directory as authentication backend for postfix
and cyrus ?

Can I manage users mailboxes in Active directory ?

Bilal Ahmad

Network Administrator

LMTP Relayhost


is it possible to configure a LMTP only server as relayhost= in postfix?

I'd like to relay all mails to my local lmtp server

Best Regards,


Building new mail server

My existing mail server is running Centos 4 (yes, VERY old -- which is a
testament as to the continuing quality of Postfix), with port 25 exposed
to the whole wide world. Everything else is restricted by an IPTABLES
firewall and TCPwrapper. I was going to wait for CentOS 8 to be
released and get some run time by early adopters, but my poor mail
server is starting to show signs of wearing out and I may have to pull
the trigger sooner.

My question for the user community is this: any gotchas in bringing up
Postfix on Centos 7.6.1810 from the Red Hat distribution?

Question respecting the headers?

I am sure that the message associated with the header extract
reproduced below is fraudulent.

Installation and configuration problem Postfix / Dovecot Debian Buster


I am trying to install and configure Postfix / Dovecot on Debian Buster.
Note that the following procedure I used for the last time on a 8.6 and that
it worked very well.
I have no idea of the blockage and what has changed since.
I searched several days but I could not find my answer.

Here are my configuration files:




here is the following error:

In the file /etc/dovecot/dovecot.conf
I added :

But I still have some mistakes that I do not understand:

If I do a telnet:

I've done a lot of research in r

AH02968: Can't check pipelined data

I am running 2.4.37. For certain requests (HTTP/1.1), I am receiving the following debug level message in the error log, “AH02968: Can't check pipelined data”. This causes the response to hang until the configured keepalive timeout. Any ideas on what may be causing this?


Sending to multiple recipients fails entirely if any of the RCPT is rejected (unknown domain)

The closest thread I could find for this is almost 10 years old:
that thread, my Postfix is somehow not handling the email properly as the
rejection done early on seems to result in setting the From to null / <> for
all other emails. I could reproduce every time I am sending an email to a
list of contacts containing 1 invalid address (bad domain). Main email
providers respond differently to it: - Googlemail blocks it and shouts
that "this message is not RFC 5322 compliant." - Mic

Migrating from Virtual domains to Postmulti setup


I have been using Postfix with Dovecot (lmtp/imaps) for a few years now for
5 domains with the virtual domains setup and self-signed certificates using
OpenSSL 1.0.x For spam/virus protection I use Postscreen, Spamassassin and
Clamav; I also use py-spfpolicyd, OpenDmarc, OpenDkim and Clamav.

Now I wish to move onto a postmulti setup with separate instances for
incoming, outgoing, and a null-client per domain. So that would mean 15
instances of Postfix in total under postmulti.

Postfix upgrade, possible issue


I would like to upgrade our mail server from Debian 9 to 10. The postfix
version on Debian 9 is 3.1.12 while on Debian 10 will be 3.4.5. Can I
encounter issues during the upgrade? Are there incompatible
configuration options between the two versions?

Issue with FastCGI module in Apache 2.4

I am upgrading apache version from 2.0 - 32 bit to 2.4 - 64 bit on Linux.

I am not able to convert the httpd.conf file to newer version.
Please help.
Especially I'm finding difficulty in migrating the variable 'FastCgiServer'

Httpd.conf in 2.0 version

<IfModule mod_fastcgi.c>
AddHandler fastcgi-script .fcgi

# Launch the FastCGI processes
FastCgiIpcDir /tmp
FastCgiServer /datlib/advantage/pc/envs/fo_b2_a/manager/bin/ -idle-timeout 300 -processes 3 -initial-env LD_LIBRARY_PATH

<VirtualHost *>
DocumentRoot /datlib/advantage/pc/envs/fo_b2_a/ma

any users of mod_pagespeed?


Do we have any users of mod_pagespeed with apache 2.4.x on a FreeBSD
system? I'm having no luck compiling it via system ports as one of
its dependencies or one of its dependencies' dependencies requires
opencv which is failing to stage properly. I am therefore stuck.

Any ideas?




I have setup

but if I send an email with MUTT email client or with 'echo "test" |
mail' ... at email dot de I get as email source

... at mail dot (the name of the mailserver).

For testing I have added the to the mydestination and the mx
entry is set up right.

I am wondering why the source email address is still not
' ... at mydomain dot de' but instead ' ... at mail dot'?


Occasional "%T / The time taken to serve the request, in seconds" inaccuracy in Apache/2.4.39 access_log ?


I am running Apache/2.4.39 on Linux.

I am using a custom log format, and have included "%T / The time taken to
serve the request, in seconds" in my LogFormat command.

I occasionally see a real outlier number for that %T -- say 10 seconds or
more -- for a page element that almost always takes less than 1 second.

This number is not backed up by my firewall logging or my other logging --
they always show a much more realistic and reasonable number for that exact
request (as per timestamp and requesting IP addy).

Is it possible that %T is occasionally inaccurate???

Sorry if this has a

encoding issue with header_checks Windows-1252


header_checks = regexp:/etc/postfix/headerstring
/^Subject: .*\[cleartext\].*/ FILTER cleartext:

And now, there is the following mail Subject that did not trigger the
above FILTER and I don't see why:


Any ideas?


Regex in ServerAlias


I try something like

ServerAlias (www\.)(example)\.(com|info|

I have done this and reloaded the config, no error is shown, but I do not see the
right page, only the default one.

Is there a way in Apache?

Best Regards,

Basic kind of question

I inherited a pair of postfix servers configured by someone else and I
think I've been a manager too long as I can't figure this one out because
I'm too rusty with postfix.
2 identical postfix servers that only accept mail from mynetworks (other
local servers in its /16) with various From domains that are NOT mydomain
which direct deliver to the recipients wherever they are in the world.
That all works fine. What doesn't work fine is if the recipient is *@ which IS mydomain to which delivery is not local, but the same

Postfix 3.4.5, openssl 1.1.x, and TLS 1.3?


I'm wanting to ensure my postfix configuration will work with TLS 1.3.
Any suggestions/howtos?


precedence and deny all


Do rules like

smtpd_client_restrictions = permit_mynetworks

include a 'deny all' at the end? Or should I if it should have an effect
write something like

smtpd_client_restrictions = permit_mynetworks, reject


Queue lifetime


If I have configured a maximum queue lifetime of 2 days and during a major
outage 2000 mails accumulate in the deferred queue, what happens to these
2000 mails if I increase the queue lifetime to 5 days and reload Postfix?
Does the new lifetime only apply to new mails or also to existing mails in
the queue?

Duplicate mail servers again

Is there an easy way for postfix receiving incoming mail
on server1 to simply mail a copy to an identical server2 for a duplicate
spool, or is that ridiculous?

Purpose is simply to have an emergency incoming spool that no one
ever looks at on a duplicate mail machine in case one dies totally.


SPF failure

I have mail from one specific domain (handled by Google) being rejected
by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
Permanent Error: Too many DNS lookups' — but it is not obvious to me
what the problem is, unless it's something to do with having five MX
forwarders to look up. Only this one domain seems to be affected. I
can SEND mail to them, but not RECEIVE mail from them.

postfix smtp auth with active directory

Hi ,

Is there any document for postfix smtp auth with active directory?
I have followed the below document.

I am getting an authentication failure while authenticating and the log says as below.

saslauthd[942406]: GSSAPI Error: Unspecified GSS failure.

postfix error in spf


I've got a postfix virtual domain setup in a freebsd jail. A separate
jail holds the webmail server. This is version 3.4.5 of Postfix. I've
got spf, and am trying to send out a test email.

Re: [users@httpd] Need Apache to return multiple error doc

Changing what an error return code points to should not affect your
server's ability to restart (even if there are errors in the
ErrorDocument itself).

Authdb NSS module


Upgrading manual tells that authdb NSS module was removed some time ago.

Can this change be reverted?
I'd like to use only as dovecot userdb source. It's also essential for me to enable files backend in nsswitch.conf so the system could use local user db. At the same time dovecot must not see local users at all. Authdb NSS module could help me there.
The other solution would be to use another instance of nsswitch.conf for dovecot authdb passwd module. Is it possible?


Sending bounce notification via a relayhost


I’d like to configure postfix to send bounce notification via another host:

I’ve tried to set up something like this:

-> smtp_header_checks = regexp:/etc/postfix/header_checks

in /etc/postfix/header_checks

but I have this log:
Jul 11 15:46:00 test-GL postfix/smtp[9049]: warning: unsupported command in smtp_header_checks map: FILTER

I’ve also tried sender_dependent_relayhost_maps, it didn’t work.

Is there any way to send bounce notification via a relay?

Thanks in advan

Need Apache to return multiple error doc

Hi all,
I have a requirement where I need to send different error docs for same
error code depending upon specific error returned by application.
For example, if application returns 400, it means error may be due to non
availability of query param or url doesn't have mandatory fields etc., and
depending upon this exact error, I need to send proper error doc with exact

Spoofing Emails to My Own Domain

Dear Experts,

I am facing a problem that someone is spoofing my domain address and sending
emails to my own domain users.

I have set valid SPF, DKIM, DMARC for my Mail server. How can I sort this
problem with postfix to stop this spoofing ?

If I filter emails based on SPF this also blocks many legitimate emails with
spf not set properly.

Bilal Ahmad

Network Administrator

How in blazes is this still getting through?

header_checks = pcre:/etc/postfix/smtp_header_checks


/^X-Clacks-Overhead:/ IGNORE
/^Content-Transfer-Encoding:/i PREPEND X-Clacks-Overhead: GNU Terry
Pratchett, Iain M.

how to use per-recipient table

Sorry for stupid me. I have read the document

and I understand " you can't specify a lookup table on the
right-hand side of a Postfix access table. This is because Postfix
needs to open lookup tables ahead of time"

now I want to restrict users who can send to " ... at example dot com" belongs to:

3. smtp-auth users

How can I configure it? I am lost in configuration parameters.
Thanks a lot for a hint!!

Expose my server to internet


Out of curiosity, I just want to access my server over internet.
I have forwarded port 80.
I have got a free domain in NoIP.
In my router I've also configured the settings and successfully logged in.
But when I test whether my port 80 is accessible, it's not opened.
This is my home system, using Ubuntu 18.04. I've not enabled any firewall
by myself.

So just wanted to know whether should I configure anything in Apache httpd
to make port 80 accessible?

Thank you.

Ownership question

Currently running 3.4.5 on Slackware-14.2. After each upgrade I run 'postfix
set-permissions upgrade-configuration' then adjust ownerships as needed.

When I upgraded to 3.4.5 last weekend I found that when /var/spool/postfix
has of root.postfix the server would not start.

private/tlsmgr: No such file or directory

I've tried searching the internetz to no avail.

Basically I'm setting up a secondary server. Configs and SSL certs are all in place.

This is the error I'm seeing:

postfix/smtp[10175]: warning: connect to private/tlsmgr: No such file or directory                                        
postfix/smtp[10175]: warning: connect to private/tlsmgr: No such file or directory                                        
postfix/smtp[10175]:warning: problem talking to server private/tlsmgr: No such file or directory
postfix/smtp[10175]: warning: no entropy for TLS key generation: disabling TLS support


Postfix stable release 3.4.6 and legacy releases 3.3.5, 3.2.10, 3.1.13

[An on-line version of this announcement will be available at]

Fixed for all supported stable releases:

* Workaround for implementations that hang Postfix while shutting
down a TLS session, until Postfix times out. With
"tls_fast_shutdown_enable = yes" (the default), Postfix no
longer waits for the TLS peer to respond to a TLS 'close'
request. This is recommended with TLSv1.0 and later.

* Fixed a too-strict censoring filter that broke multiline Milter
responses for header/body events.

Looking for advice re getting mod_xml2enc for Apache 2.4.39


I built and have been using the 2.4.39 version of Apache for a while, and
been reasonably happy with it. However, I am porting some web pages
that require mod_proxy_html which in turn requires mod_xml2enc.

The problems are that I can’t seem to find mod_xml2enc anywhere,
and my 2.4.39 build environment got toasted.

Blocking particular URL/file patterns

apache 2.4.39
linux 4.12.14-lp151.28.7-default x86_64

Our site has been beset with numerous search engine queries for URLs that
have *never* existed on the site. They have the form:


where the digits are randomly changed. The search bots of Google and
Bing are the most prevalent producing 1000s of 404s per day. Not a
particular CPU burden, to be sure.

untrusted tls connection to google


I'm running postfix 3.4.5 and email sending/receiving is working. I am
however noticing a message:

Jul 2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection
established to[]:25: TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256

I've googled and I've checked for the options smtpd_tls_CApath and
smtp_tls_CApath both of which are blank. My tls configuration is using
letsencrypt-generated certificates.

Is there a fix for this?


Multiple NIC Problem

I am occasionally using a VPN connection and while that connection is
up, postfix uses the wrong NIC to try to send email. When there is no
VPN connection, postfix uses the primary NIC named enp0s25. At the same
time there is another NIC named virbr0 created and used for VirtualBox.
In any case when the VPN is connected, the NIC is tun0 but instead of
using that or the primary NIC, postfix tries to use virbr0. How do I
configure postfix to use tun0, if it is up, otherwise enp0s25? TIA.

custom mail forwarder/relay program?

I need a way for Postfix to listen to SMTP (think smarthost) and then re-send all emails via HTTP POST operation. Is the correct way to tackle this (aside from telling them to go to hell) a transport definition using Pipe(8)? I've never done this before and it doesn't appear to be a very common scenario. Otherwise I could write a small Perl program that is launched via inetd, that would do the same even though it wouldn't be very efficient.

postfix p0f milter


I hope this isn't too off topic, but hopefully someone will have more
information on this than I do.

I've got a postfix with virtual mail users system going. I'm needing
to tighten my antispam setup. I'm wanting to integrate p0f in to my
system, and am hoping there's a milter out there that will do it. My
goal is I've got postfix going on port 25 for incoming connections, so
I'm wanting the milter to passively scan that port and only if a
client makes a successful connection, i.e. is able to deliver mail,
p0f kicks off and scans the tcp/ip connection.



I'm quite new to postfix and have a question about a scenario I would
like to achieve.

I would like to accomplish the following:

1. User A has an email account like at a standard
E-Mail Provider
1. He is either not able or willing to setup/use exchange or some
other mail server to accomplish the given scenario!
2. He is not able or willing to use some "Auto-BCC" Function (which
Outlook only gets through a Plugin) because of mobile use with
smartphone/tablet or E-Mail programs that don't offer this function!

warning: hostname does not resolve to address

I'd appreciate your help with the following:

I'm looking after two servers on 2 different domains.

Delays in receiving mail

This is a small server with a few users that are all local. There are several domain names that point to this server, but all of them are just aliases for the main name. Received mail stops at the rcpt to: line. There is no OK that occurs until shortly after 3 minutes from that line being received. During that time ktrace shows multiple calls and sleeps for proxymap. After the 3+ minute delay, it issues the OK and then the rest proceeds normally. I suspect this is a configuration error since this server was just updated to 3.3.4 from an earlier version.

Duplicate spamd lines in Postfix log file


I hope someone can help with what is not a problem as such, but a query.

Duplicate spamd entries in log file - I think


I hope someone can help with what is not a problem as such, but a query. In
every Spamassassin (spamd) exchange there appears to be two lines that are
*almost* identical.

It's the util: setuid lines. As stated, all is well, but can someone tell me
why this is the case, and if there is an actual problem?

Many thanks


NDR when failed to forward mail to external address, now blacklisted on backscatterer

Hello all,

A shared hosting web server of a customer (running a Postfix with local
e-mail addresses and mailboxes) was blacklisted on backscatterer. The
relevant information from the backscatterer page pointed me to a moment in
time and I was able to check the logs from that given moment (+- 2mins).
I read through some backscatterer descriptions I found and verified that
Postfix does not send NDR for non-existing addresses/mailboxes.

But this scenario is slightly different.
An e-mail was sent to destination e-mail address on that shared hosting

How to validate alias/map files?

Hey all,

I'm using procedurally-generated alias files from a database, and
distributing them with puppet, and would like to have postalias check the
files for duplicate entries and/or other errors before I install them.
I'd like to use the same program used to install the DB, rather than
hacking a validator together with perl or something.

As an example, an empty left-hand


would be an error I want to catch. I want to catch duplicate items, as


Hello, to this day I didn't find the answer to the following question:

RewriteRule ^that-and-that$ talent\.php\?id=(.+)[E=BREAK:1,L]
RewriteCond %{ENV:REDIRECT_BREAK} !^1$
RewriteCond %{QUERY_STRING} ^id=([0-9]+)$ [NC]

RewriteRule ^this\.php$ /that-and-that [QSD,R=301,L]

This code works actually but it doesn't display the right product. I found
my php var_dump display this info ...["QUERY_STRING"]=> string(20)
"id=(.+)[E=BREAK:1,L]. ...

Rejecting mail based on a Milter results

The spamass-milter is not rejecting mail that scores above the number set in the -r flag for the milter (confirmed by other people this is a bug in spamass-milter).

Is there something I can do in postfix to reject mails that the Milter logs like:

spamd: result: Y 18

Where “18” is a something I set like “>=10”?

Seems a long shot, but it is unlikely anyone is working on spamass-milter at this point.

mbox format?

Apparently, and much to my surprise, there is more than one mbox format.

I just now stumbled across this, because I am going to be (re-)writing
some small tools I have that do useful things with mail messages stored
in "mbox format":

In the above Wikipedia page, four different flavors of "mbox format"
are described: mboxo, mboxrd, mboxcl, and mboxcl2.

When Postfix hands a message to something... say a script invoked via
some ~/.forward file... which one of these four formats will the message
be in?
