Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

Flood 0.4 status? (was: flood 0.4 was never signed for?)

What's our position on this? Is it time to declare flood abandoned?

Are there any users of this tool who want to contribute to maintaining it?

Offhand, I expect it does not support TLS/SNI. Nor HTTP/2.

If abandoned, we can simply remove <a href="http://www.a.o/dist/httpd/flood" title="www.a.o/dist/httpd/flood">www.a.o/dist/httpd/flood</a>
to resolve Daniel's issue.

sasl auth LOGIN / PLAIN


Just a small question: we currently use posfix with sasl authentication,
and folowing many docs, we have enabled PLAIN and LOGIN authentication.

However, googling leads me to believe that LOGIN is mostly used by
Outlook Express, and that most (or all?) modern clients support the
PLAIN mechanism.

I also noticed that most failed authentication attempts are done using

Now, assuming that most of these failed authentications are simply
username/password guessing...

Custom HELO/EHLO response


When a postfix server replies to the HELO/EHLO command, the response
starts with this line:

However, when Exim or other server replies, the first line contains
additional information: Hello [],
pleased to meet you

I would like to know if there is a way to customize this reply in
Postfix, specifically, if there is a way to include the information
about the sender IP and reverse DNS name as in the second reply via
modifying Postfix configuration, and if it is possible, then I would
like to know

mail archiving with bcc to a local user account: any security issues?

I tried to follow the instructions in several links detailing how to use
the always bcc method to archive mail sent through my mail server. However,
I couldn't get the no-home user with a /var Maildir directory to work.

I did get it to work by using a local user as bcc and all the mail goes to
that account fine (the name I picked isn't ideal so I plan to change it

My question is: is that any less secure than the no-home methods?



majordomo postfix 2.10.1 No recipient addresses found in message header

Dear Mailing-List,

i was running the latest Version of Majordomo (1.94.5) successful on
CentOS 6.x with postfix 2.6 (2.6.6-8.el6.x86_64.rpm) for years.

Since i installed CentOS 7.x with postfix 2.10 (2.10.1-6.el7.x86_64.rpm)
majordomo isn't working any more (sendmail-error).

"No recipient addresses found in message header"

Majordomo-Logfile tells:
Sep 01 10:42:35 majordomo[29232] {My Name
<my. ... at agilolfinger dot de>} ABORT ... at agilolfinger dot de: My Name
<my. ... at agilolfinger dot de> is not a valid return address.

BUT: this address is working an can be used from e.g.

relay host & client throttling

Dear postfix community,

I got a few servers all running postfix 2.11.x
Then I got my main mail server and all other servers use this as relayhost.

authentication to relayhost is done via sasl auth and all is working
fine and as expected ;)

but let's say I do a fail2ban restart on one of the servers lots of
fail2ban notify emails will get send via the relayhost
resulting in the relayhost throttling down the other server

which is actually not a big thing as the mails stay in the queue for a
bit and get send later.

But is there an option in postfix to say: no worries! trust that client.

MX backup doesn't queue

Hi friends,
on a Debian Jessie and Postfix 2.11.x,

where DNS configuration seem fine, infact if I shutdonwn the primary
email server, the correspondence is delivered to the second correctly.
where SERVER1 is "the.backed-up.domain.tld"
where SERVER2 is "the backup MX)

My point is to understand why Postfix (on MX backup) store email into
mailbox and does not queue them.

It seems to me that the essential parameter is:

/relay_domains = . . .

MPM Modules Rule of Thumb

Hi All,

I've been scouring the internet for best practices or heuristics for
specifying parameter values of the MPM directives. My server seems to lock
up regardless of the values I enter. Are there "rules of thumb" for each
MPM type (prefork, worker, event)?


rejecting mail for unknown recipients

It's not clear to me about mail from the internet to non-local
addresses being automatically rejected unless they are explicitly
listed in the aliases file.

I think the docs mean that I don't have to worry about rejecting mail
from the internet sending to unknown user names.

using libmilter for header injection

I need to add some headers in mail to satisfy gmail and it looks like using
libmilter may be the way to go unless someone suggests otherwise.

I don't see any specific mailing lists for libmilter assistance. Is it fair
to ask here or go elsewhere? If elsewhere, where, then?



fast postfix smtp only

Hi, is it possible to create a fast smtp server only?

This is my scenario:

a customer have 2 sites: "site1" and "site2" , but only one mail server
that reside in "site2", with TLS sasl and all the user defined on it.

The connection of site1 is low.

Is it possible to create a postfix smtp only server that reside on "site1".

My purpose is to "make" sending mail faster from "site1", on mail client

Is it possible to use TLS/sasl with this smtp server (site1) only?

Build apache without mpm


By which configuration I can build apache without threaded> I dont want to
sue mpm.


Milter order?

*TL;DR* - my milter works, but I want it to operate /after/
smtpd_helo_restrictions, smtpd_recipient_restrictions, and
smtpd_client_restrictions have done their magic because it's logging
information from spam that gets filtered out by those guys (and also by

Here's my config line:

smtpd_milters = unix:/var/run/spamass/spamass.sock
unix:/var/run/opendkim/opendkim.sock local:/var/run/mcdbcache/mcdb.sock


We are caching the to and from fields for a CRM system.

Outgoing rate limit based on number of bad recipients

Has anyone done something like this for Postfix who is willing to share?

Rate limit outgoing mail based on the number of bad recipients as a more
intelligent rule that won't impact regular users (intended to stop abuse
of compromised accounts).

<a href="" title=""></a>
<a href="" title=""></a>

no-cache header setting for 1 file

Hi team,

can you please help me in setting a single no-cache header for an single
file noImageIcon.jpg so that everytime its being accessed request should
go to the webserver to check for file.

currently we have setting like below:-

<LocationMatch /store.*/jawr/jawrTmp/>
CookieTracking off
FileETag None
Header Set Cache-Control "max-age=28800, s-maxage=28800, private"
Header unset Last-Modified
# need to remove these
Header unset Pragma
Header unset Expires

<LocationMatch /store.*/jawr/cssSprites/>
CookieTracking off
FileETag None
Header Set Cache-Control "max-age=28800,

451 4.3.5 Server configuration error

Hi, I'm getting such message logged after the warning: unknown smtpd
restriction: "milter_default_action"

All incoming mail is rejected.

What I'm trying to achieve is to get dkim validation working,
following this guide
<a href="" title=""></a>

regards in advance

cleanup(8) man page


I think that the description in this man page is confusing since cleanup
does not *always* insert missing headers (message-id etc).

The cleanup(8) daemon always performs the following transformations:

o Insert missing message headers: (Resent-) From:,

We hit this here :)

Thanks, Best regards.

sender_access question


This is the first time I have configured sender_access blacklisting -
although it works fine - i.e. the specific email address I have chosen to
blacklist get's their email blocked with /var/log/messages noting it as
"Sender address rejected:access denied". I notice that after an hour has
gone by- the email is attempted to be delivered again. Maybe I have missed
a subtlety here but I thought a REJECT would immediately return the message
to the sender but that doesn't appear to be the case.

ProxyPass, root "/" directory and DirectoryIndex


During the setup of an Apache (2.4.18) proxy pass, I noticed that when requesting the root “/“, Apache assumes that the resource asked is /index.html. In our test environment the machine beg the proxy by default serves index.php I found out the way to change is by tweaking the DirectoryIndex on the proxy pass.

However, we’d like to tell the proxy to simply forward the request to the machine behind it as is, that is, if requested “/“ pass that to the machine behind.

Am I missing something? How can I accomplish that?




Marfeel Solutions S.L.

MPM_Worker main process

Hi folks,

I have my apache-2.4.25 with worker mpm. For testing, I have killed the
master/main process and send simultaneous requests from apache j-meter and
my apache serves all the requests. What I have observed is that even with
loads number of worker threads are same, it means I lost forking
capability because of main process.

My query is without Master process, what functionalities will I loose?


mitigating gmail spam traps: how does one add the required headers?8

Gmail has a list of steps recommended to minimize spam identification,
particularly mail sent as bulk mail (as from mailing lists).

One of the recommendations is to use DKIM and that is clearly explained on
the postfix website.

The other steps are fairly straight forward, also, but how does one add the
various headers they recommend? I assume it's via a filter, but which one
and how is it done?



RHS item separators in alias and virtual lists: comma or space okay?

It's clear that list items in can be comma or space separated. Is
that also true for alias and virtual lists?



mod_rewrite + proxy + unix socket results in 400 bad request


I'm trying to configure a virtual host that, based on the host name,
forwards the request on a backend server listening on an unix socket.

My apache version is 2.4.18 as shipped by Ubuntu 16.04

The configuration I've tried so far is:

<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
LogLevel trace2

UseCanonicalName Off

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.+)\
RewriteRule "(.*)" "unix:/home/user/%1/server.sock|$1 [P,NE]

ErrorLog ${APACHE_LOG_DIR}/error.log

Feature request: References header in postfix bounce messages


Please consider adding option for including References header in postfix
bounce messages.

Sender app (i.e. ticket processing suff like OTRS) will be happy to use
it to automatically merge bounce message to the same thread as original
message which may save time in bigger setups.

Similar request:

<a href="" title=""></a>

Problems with Http11NioProtocol and proxy server


we've build a web application with JSF 2.1 and RichFaces 4.5.13.Final
running on JBoss EAP 6.4.12.

Suggested version for upgrade

I'm using Postfix 2.7.1 for some years now on our systems, built around our XStreamOS / illumos distro.
I'm considering to upgrade Postfix to a more recent version.
What is the best upgrade path I should choose?
Should I really consider to upgrade directly to latest (3.2.2) or maybe start by upgrading to 2.11.x?
What is my best option, keeping all my current configuration files untouched as a start?
Thanks for any help!
Sonicle S.r.l.
<a href="" title=""></a>
<a href="" title=""></a>
Quantum Mechanics :
<a href="" title=""></a>

''AH00288: scoreboard is full, not at MaxRequestWorkers'

Some malicious persons are flooding our server ( Server
Version: Apache/2.4.27 (cPanel) OpenSSL/1.0.2k mod_bwlimited/1.4
Server MPM: worker Server Built: Aug 17 2017 00:51:40 ) with bogus
traffic. It's been going down every few hours, often posting AH00288
errors first.
What does this error mean? Any suggestions for preventing

showing an recipient that doesn't receive the mail


    when composing an email, can I assign the header value "To" in a
way that it is shown by the email client but ignored by postfix?

    I've created a php-cronjob for a customer, that fetches mails from
an imap box (mta is postfix), recomposes them and forwards them to a
list of recipients. Mostly like a mailing list would do. Now the
customer doesn't want the final recipients to see their own addresses in
the to-field. Instead he wants the from- and the to-field of the mail to
seem unchanged.

Lists and spam prevention / use of Reply-To:


I've been studying SPF, DKIM, DMARC and a bit of ARC.

Can send but not receive

My remote postfix installation can send but not receive, and I'm sure
I have a bad setting somewhere. When sending to the remote server,
from my personal gmail account I finally get a response from gmail as
shown in the attached file.

I can put my, in a github gist if there is any
interest. My mail logs are not interesting at all, at least to me,
but I am happy to put one or more of them on github, too.



postfix log in mysql

Hi postfixers,

We have spam filter servers for our down, 5 of them to be exact. we use
amavisd, bitdefender & clamav for spam and virus filter.

we have a self help portal done in php/mysql for users to manage
whitelist/blacklist etc, now i want to allow users to check there email
logs to they can find if any wanted email is blocked,

so the question is, how can i log postfix to a mysql db where i can write
an interface for users to search for email and see what did the
blocking, such as rbl, amavis etc ?

antispam gateway rejecting unknown mailbox


I have a postfix server with antispam milter and policy daemons
forwarding messages to various distinct remote servers. It works very
well, all messages for the configured domains are forwarded using smtp /
lmtp transport to each server.

My ideia is keep the minimal configuration for each domain: domain
settings and the transport maps.

Postfix MX backup doesn't send to primary server

Hi friends,
I'm wondering about an Postfix MX backup server correct configuration.
I'm working on Debian Jessie and Postfix 2.11.x.

If I shut down the primary server, the MX backup receive the mail
correctly and mail goes into mailbox 'INBOX'.
The problem is that if I try to look into the postfix queue this is

postqueue -p
Mail queue is empty

and of course the message is not delivered to the main server!

I have recently approached Postfix and I would need help debugging this

These are the setups of the two different servers:

SERVER1: <a href="" title=""></a>

Issue with libaprutil after compiling Apache


I'm trying to start Apache 2.2 after compiling it on Synology NAS. There
were no errors during compile and make phases. When I try to start it I
get following error:

/usr/local/apache2/bin/apachectl start
/usr/local/apache2/bin/httpd: error while loading shared libraries:
/usr/local/apache2/lib/ internal error

Any idea how I can try to solve that?

LDAP maps and query_filters:

Hi all,

I am using the following version of postfix on CentOS7 as shipped by the distro:


I am trying to convert this configuration into the new per-file LDAP configuration, and I have run into a problem:

virtual_mailbox_domains = ldap:acceptdomains
acceptdomains_server_host = localhost
acceptdomains_server_port = 389
acceptdomains_bind = yes
acceptdomains_search_base = ...
acceptdomains_query_filter = (&(associatedDomain=%s)(!(associatedDomain=$myhostname)))
acceptdomains_result_attribute = associatedDomain

The “myhostname” value is interpolated correctly as de

Fresh start for a postfix setup: how best to do a clean "start over" without a new installation?

I am fooling around with various configuration settings for my postfix
installation and would like to be able to clean out all existing mail and
the existing configuration.

Is there any single command to do that? Or do I have to manually delete

I want the system to (1) start with empty queues and (2) no knowledge of
the previous configuration.

Is there any danger to the start-over method regarding external mail
servers which may been senders of mail that wasn't initially received for
some reason?

Is there any danger to the existing system if I do a start-over?

Many thanks.


Safari Can't Connect to the Server after Install of OS 10.12.6

Updated Mac OS 10.9.5 (Mavericks) to 10.12.6 (Sierra). Apache was recognizing localhost before update. Also had a user level directory working at <a href="http://localhost/~myusername/" title="http://localhost/~myusername/">http://localhost/~myusername/</a> <http://localhost/~myusername/> Google search found this to be a known problem with Sierra, so attempted to edit /private/etc/apache2/httpd.conf per suggestions.

Skip dot inside body

Hi, when I try send a message with a mail client and inside in the body a put a "." the postfix send message incomplete, exemple:

data message:

"see this example is


my name is Miguel"

When thunderbird send this message to postfix(587), the recipient receive only the first phrase.

What can I do to skip this?


Websockets not working with Apache proxypass, keep getting 400.

Distribution : Debian server. 3.2.0-4-amd64 #1 SMP Debian 3.2.73-2+deb7u2
x86_64 GNU/Linux
Server version: Apache/2.2.22 (Debian)

Hello friends,

I am working on integrating Websocket based functionality into our
Spring-MVC application.

AH00894: declining URL fcgi

Not sure if this is our problem, but after setting log level to debug we noticed this in the error_log. Not sure how to interpret what is happening. It looks like the fcgi connection to php-fpm is being declined initially, then it is successful. But I am not sure. Is this refusing to execute the php command?

Honouring the DNS ttl in proxy-pass


We’re trying to set a bunch of Apaches 2.4.18 to proxy pass the requests it receives to our partner's upstream server. Our partner uses Amazon’s Elastic Load Balancing and thus the only we know about their servers is its DNS names.

The TTL of the DNS records is 60 seconds and I’d like to know if Apache can honour that ttl, keeping the connection alive as long as the DNS record is valid and then requesting the translation when the TTL has expired.

Using mod_proxy DisableReuse = on forces opening a new connection every time a resource is needed upstream.

Prefix Apache Traces with Part of the Url

Hello list,

I try to customize my apache logs.

currently I have this setting:

LogFormat "%<U %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%<U %h %l %u %t \"%r\" %>s %b" common

resulting in this log format:

/iDM/iDM.php - - [23/Aug/2017:11:20:18 +0200] "POST /iDM/iDM.php HTTP/1.1" 401 -
/iAPI/db - - [23/Aug/2017:11:21:08 +0200] "GET /iAPI/db HTTP/1.1" 200 175

What i like to have is something where only part of the URL String is prefixed for
every entry.

Postscreen temporary whitelist

Is there any way of reducing the TTL of the postscreen temporary whitelist?

I am having problems with spammers repeatedly getting through postscreen
with a "PASS OLD" result.

While I can't stop them trying, at least I can cost them time by making
them run the full postscreen gauntlet more frequently...

Many thanks

Allen C

smtp_helo_name not changing.


I am trying to change smtp_helo_name in our email server(postfix 2.6.6) to
match with the one in mx record.

I have specified the value as the one given below in, and reloaded
the postfix. However telnet still shows the hostname as helo name. I could
change the smtp_banner, but not smtp_helo_name.

smtp_helo_name =

Any help on achieving this would be highly appreciated.

Postfix and postman smtp plugin for wordpress

This is a long shot, but does anyone have any experience with setting up the postman smtp plugin with postfix?

I can only send mails through without smtps or starttls (none). It seems to login with UNKNOWN and I get a "cannot open socket message" in the postman output when sending a test email.

Other clients work fine with SSL/TLS.

Sent from my iPhone

Best way to setup auto configure for mail clients

Does anyone know how to setup postfix in such a way so that clients can "auto configure" (you just fill in the email address and password and it guesses the settings)

I apologise if this is not a postfix thing perse.

Sent from my iPhone

verifying per site TLS policy -- maps override?


I just want to make sure I understand per-site domain policy maps' priority.

If I set up an outbound postfix instance with

-o smtp_tls_security_level=may
-o smtp_tls_policy_maps=lmdb:/etc/postfix/tls_policy_outbound

the way that works is that both are used, right?

In other words, the DEFAULT policy will =may, and will be OVERRIDDEN by matches in tls_policy_outbound?


Documentation patches


there's a semicolon missing in the MILTER_README.html, breaking a HTML
After noticing that I went looking and found two more missing semicolons
in the SMTPD_ACCESS_README.html and some unescaped ampersands in

I've attached patches against postfix-3.3-20170730.

-Sven Neuhaus

RewriteRule: Pattern matching and grouping part of the URL expands to its local filesystem path

Hello everybody,

I’ve checking all kinds of sources of information so far without success, I hope I didn’t miss anything.

I have a very simple RewriteRule which should take the requested resource part. What I want to achieve is to prepend an string before that matched path. Something like:

RewriteRule ^(.*)$ http://myserver/special_path/$1 [R=301]

I’d say that should take the requested resource path and redirect the client to a new location. It does work in some places, but I’d like to use under a conditional <If>.

no response from postfix on submission port (or 465)

It's open, but i just don't get any welcome message.

[ec2-user@www postfix]$ telnet localhost 587
Connected to localhost.
Escape character is '^]'.


Aug 21 22:29:01 www postfix/smtpd[26978]: initializing the server-side TLS engine
Aug 21 22:29:01 www postfix/smtpd[26978]: connect from<>[]
Aug 21 22:29:01 www postfix/smtpd[26978]: setting up TLS connection from<>[]
Aug 21 22:29:01 www postfix/smtpd[26978]:<

two duplicate instances httpd pid conflict issues


I am doing some experiments,
first I create separate instances by duplicating (copying) an existing
running instances. (apache 2.0x .. on solaris 10).

I update the instance parameters (such as server root), take out the site
When do apachectl start

I have
httpd (pid 3074) already running ...

I need to stop the older instance in order to let the new goes up

Have you guys seen it before?
Can you please help?

Thanks and regards,

Re: Is it possibl to map sender only in generic table?

Finally ,I found generic table does not work, but canonical table works fine:
local_header_rewrite_clients = static:all ### This config is important.

Can not find virtual alias with postmap


I have a problem with my virtual alias map. The file looks like this:

<a href="mailto:admin- ... at cs dot">admin- ... at cs dot</a> <a href=""></a>
<a href="mailto:admin- ... at cs dot">admin- ... at cs dot</a> <a href=""></a>

When I build the db file with "postmap virtual_alias" and then query
with "postmap -q <address> virtual_alias", I get a very peculiar
behaviour in that the lookup works just fine for <a href="mailto:admin- ... at cs dot">admin- ... at cs dot</a>,
but not for <a href="mailto:admin- ... at cs dot">admin- ... at cs dot</a>.

Any suggestions would be welcome.

Thanks in advance

Is it possibl to map sender only in generic table?

I have configed SASL client authentication with Exchange 2010.
I want map sender only, not recipient, in generic table.
Is it possible?

This e-mail and its attachments contain confidential information from TD Tech Ltd., which is intended only for the person or entity whose address is listed above.

User Auth type in apache-2.4.25

Hi ,

I have user and group in my httpd.config. I want to use user in Auth type
instead of basic or digest. so that whenever customer try to open
directory, promt will ask to enter username and password and customer can
enter "user" as username and password.

Is there any option to achieve this or I need to write my own module for


How to change Postfix config dir without recompilation


As I understand from the documentation to change default config dir I
need to use DEF_CONFIG_DIR flag and recompile.
What is the reason to not support ability to change it (cmd param?)
without recomppilation?

Apache httpd 2.4.27 SSL

Dear Team,
I have installed httpd 2.4.27 with SSL and while trying to verify the file the below error appear but the server can be started
normally and accessible through https:

AH00526: Syntax error on line 52 of
Invalid command 'SSLCipherSuite', perhaps misspelled or defined by a module
not included in the server configuration

After deep troublshooting, the httpd-ssl file will be veified correctly
'Syntax Ok' if we moved all the configuration of loading the modules from
httpd.conf to httpd-ssl.conf (eg.

Syndicate content