Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

lots of € From: (Majordomo Pseudo User)

body only contained € chars

only me that was made millionaire ? :=)

Apache 2.4.25 Reverse Proxy - Stop and Start

Dear All,
I am using Apache 2.4.25 as a reverse proxy server and my back-end server
is weblogic.
I have specified multiple virtual host with different port in httpd.conf

How do I stop and start individual port and virtual host via apachectl -k

Is there anyway you restart the specific port rather than complete apache.


Check out my Kickstarter

Hooray! I’m finally ready to launch my new
business, EndFirst, on Kickstarter! It has
been a tough, but rewarding nearly 2
years since I left Intel to start my own
company. My goal was to create an awesome
communication service at the best price on
the Internet. With your support, we can
finish our work and improve communication
for businesses and organizations around
the world! In order to get the word out,
I scoured all the emails I’ve sent or
received to find all of my music friends
and associates, work colleagues, neighbors,
church friends, and more.

unable to execute php-fpm properly

I am converting my web pages from mod_php to php-fpm, following the
directions found at:
Testing to date indicates that on this server all scripts work properly under mod_php.

Both of the following were tried within a <VirtualHost> container for the
default virtual host.

If I use the "simple" approach from the Wiki:

ProxyPass "/*.php/" "fcgi://" enablereuse=on

then the page SOURCE is displayed, PHP never executes. Adding a first line
of #! /path-to-php-executable doesn't accomplish anything.

Issues with Piped Logs


I have successfully implemented piped logs scenario.

The setting in httpd.conf looks as follows :

ErrorLog "| /usr/bin/tee -a /var/log/httpd/error_log | /usr/bin/java -cp
/usr/local/bin/CustomProducer/producer.jar stdin.producer.StdInProducer
/usr/local/bin/CustomProducer/config.json >> /var/log/producer_init.log

Apache successfully starts the process and logs are sent to the producer as
well which consumes it from stdin. This is an Apache Kafka command line
producer.

server-status interface

What is the new interface on this page?

Is all the previous interface information available?

Help with conditional ProxyPassMatch

Hi to all,

I want to make conditional forward proxy within Apache ,based on request
header if a given request header exists, I want to proxy the request, if
not, not proxy
and also I need to do this NOT with RewriteRule and [P] flags.

I can't find how to define conditional proxying based on some
environment variable or request header, to achieve the following:

<If RequestHeader - Some_Header == 1 >
ProxyPassMatch /

Any help would be strongly appreciated :)


cleanup writes incredibly slowly to disk (very slow mail delivery)

hi all

I've noticed that for sending big mails (10MB) it can take up to 30 min
until they are sent. So I investigated a bit into the problem. I
deactivated amavis and dkim, so they do not seem to be part of the problem.
What happens is, that as soon as I write a bigger e-mail, the system
load goes up from 0 to around 2.5 and when the mail is sent, goes back
to 0 again, but there is almost no cpu usage at all.

Malformed header "Content-Type: text/plain\t" with .el file


I am observing a behavior and don't really know how to make sense of
it. It may very well be that I hit a bug, but I wanted to ask for
feedback to confirm it.

When I download .el files (EMACS Lisp scripts) on an apache server I
get a very strange header back:
"Content-Type: text/plain\t"

Please note the "\t" at the end, which shouldn't be here.
I can reproduce this on different Gentoo systems, but not on Debian or

To reproduce:
* Put a .el script in the webroot, e.g.

Adding modules to apache

I am trying to configure Apache with freeRadius server. I am using
mod_auth_radius.c for the purpose. Now I want to load this module with
Apache. I tried apxs command to do this.
"apxs -c -i -a mod_auth_radius.c"
I got "apxs:Error: not found!."

How to overcome this issue. Is there any way of adding mod_auth_radius.C
module to Apache. I'm using apache2.4.20-r0
Operating system : yocto poky Linux kernel.


http/2 Misdirected Request

Apache 2.4.25


have an issue with http/2 and response "421 Misdirected Request".
I read this to inform about issues with multiple hosts and same

relay server - mass mailing tuning


in the next days our external service provider will push to our relay
server (Postfix) regularly ~300 000 - 500 000 E-mails with size 60-500kb.

External system provider has a SMTP server farm, so it will send messages
from ~20 IP`s to our single Postfix instance.

My question is, do I need to tune anything in our Postfix relay to receive
and transport such a big amount of messages in single session ?

What kind of settings should I setup to keep performance on the optimal
level and to avoid situation with too many connections etc.etc.

Could You please advise here ?

Thanks in advance

Postfix error message to Postmaster

We continue to receive messages addressed to Postmaster from our MX
host. All appear to be related to a single original transmission.
The issue seems to be some sort of time-out with the Amavis proxy.

Disabling SMTPUTF8 per destination

My system is configured with default SMTPUTF8 settings, i.e.:

root@rincewind:~ # postconf -d | grep utf8
smtputf8_autodetect_classes = sendmail, verify
smtputf8_enable = ${{$compatibility_level} < {1} ?

Postfix TLS/SSL with wildcard SSL certificate


I have a wildcard SSL certificate file in pfx format (Include private key
export from Windows Server). I'm a little confused with smtpd_tls_cert_file,
smtpd_tls_key_file settings. How can I prepare these cert_file and
key_file files with openssl command. Actually I know how I create private
key file but, I don't understand clearly tls_cert_file format

thanks in advance.

Apache substitute issue


I am facing 2 issues with Apache mod_proxy and substitute.

1. I have a substitute like say:
Substitute "s/http/https/ni"
It works perfectly fine when I do curl. But on browser, it somehow doesn't
seem to apply the substitute, it still remains http. What could be the
reason, how to debug this?


Obsolete NSA exploit for Postfix 2.0 - 2.2

A recent twitter post reveals the existence of an exploit for Postfix,
in a collection of what appear to be NSA tools.

This is an exploit for Postfix 2.0 - 2.2, for a bug that was fixed
11 years ago in Postfix 2.2.11 and later.

There was a memory corruption bug in a Postfix workaround for a
Sendmail bug (CERT advisory CA-2003-07, remote buffer overflow when
message headers contain lots of comment text before an email address).

Technical details: the Postfix strip_address() function, which
removes large comments from a mail header,

Apache fails to process a particular user-agent

Hi List - newbie so please be gentle!

I am trying to get a LAMP server (Ubuntu
14.02/PHP5.6/Mysql/CodeIgniter2.2) installation to process a callback
from "WebPurify(callback)" user-agent.

I can see the callback in the access log.

If I paste the callback string into my browser everything works fine and
CI re-routes the URL to the appropriate controller/method and I get my
DB update.

But at the moment I cannot get it to work under the covers.

Recommended way to pause postfix local delivery while taking snapshot for backup

Is there a best/recommended way to pause postfix local deliveries so that I
can take an LVM snapshot of the local mails for backup purposes? The pause
only has to be momentary, while the snapshot is taken, but the files need
to be in a consistent state. If anyone also knows the way to pause Dovecot
imap/pop3 similarly (as this could also be accessing the same files), that
would be helpful too.

Authentication BEFORE proxying

Hi All.

If I setup the following in a virtual-host,

Listen 9001
<VirtualHost *:9001>
DocumentRoot /var/www/html

<Directory "/var/www/html">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /home/f5a6b457ba0d416cb4847bb3c4c6e6b6/.htpasswd
Require valid-user

ProxyPass /
ProxyPassReverse /


ProxyPass and ProxyPassReverse not working for URLs other than /

Hi All.

When I have the following configuration :

<VirtualHost *:80>
ProxyPass /
ProxyPassReverse /

and I type in the browser, the page is successfully proxied
to the forwarded port 9000, and the to-and-fro interaction is perfect.

However, if I use,

<VirtualHost *:80>
ProxyPass /9000/

How is processed?

I seem to have things running, now I am cleaning up my test setup before
building the new production server.

I perhaps got a little too fancy on modifying After I worked
out other packages like dovecot and roundcubemail, I started rethinking
how I alter for my needs. It comes down to a couple questions:

I am working on the basis that this file is processed sequentially.

connecting to mysql socket

I solved my mysql access problem with dovecot; turned out it was trying
a tcp connection and mysql is not listening on tcp. Fixed that to use

So this got me digging into how postfix was successfully accessing
mysql. I see in my various .cf files that access mysql that I have:

host= localhost

And reading the docs (what read the docs?), this tells postfix to
connect to mysql via the default UNIX domain socket. How does it know
what the file handle is? It seems to be working...

Should I force it with:

host = unix:/var/lib/mysql/mysql.sock


Check mail from and helo domain

I have problems with the relay

Mail from: ... at yahoo dot es
Rcpt to: ... at mydomain dot com

Sends it

What I want to do is check the mail from match helo


I want to install mod_wsgi statically in apache-2.4.25. It has multiple .c
files to link. That's why it becomes complex. Is there any easy way to add
third party module statically which has multiple .c files.


Odd Date in http2 header

I just enabled http2 on our server and tested using curl. The test page is
a static html page with nothing but some random characters on it, and no
css or other secondary accesses.

The protocol line is set to allow http2
Protocols h2 h2c http/1.1

Everything seems to work with the exception of the date. The first file
following is the result of a curl head request BEFORE activating mod_http2
and the second one is after doing so.

One certificate per port

Hi all,

I wonder if it is possible to have one cert per port postfix is serving
on, eg one for 25 and one for 587.

Background of this:
for user interaction (mainly on port 587) I would like to use my signed
letsencrypt cert which changes fairly often.
For interaction of servers I would like to use DANE, and so a long-lived
self-signed certificate would be beneficial to not break during
automated renewal and avoid frequent rollovers.

I hope my assumptions are correct.
Feedback much appreciated.

Thank you in advance

Postfix impatient with mysql?

It seems postfix is impatient with connecting with mysql, as I see in
maillog entries like:

Apr 6 11:48:30 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 5 seconds
before retry
Apr 6 11:48:35 z9m9z dovecot: dict: Error: mysql(localhost): Connect
failed to database (postfix): Can't connect to local MySQL server
through socket '/var/lib/mysql/mysql.sock' (13) - waiting for 25 seconds
before retry

I suspect it does connect eventually.

Quick DANE / self-signed question

I *think* the answer to this is that I am fine.

Last year I only used CA issued certificates.

This year, I am wanting to move to self-signed for SMTP and for
infrastructure domains that are not intended for the public where DANE
can validate. I am convinced DANE does a better job at validating a host
is who it says it is than CA certs do.

I just updated one of my mail servers to self-signed. The signed
certificate expires in few weeks so I can switch back if I did something

That gives a red flag for Unknown Authority.

configured HTTP(80) on the standard HTTPS(443) port!

I just noticed the following in error_log on httpd startup:

[Tue Apr 04 21:20:43.030519 2017] [ssl:warn] [pid 15521] AH01916: Init:
( You configured HTTP(80) on the standard
HTTPS(443) port!
[Tue Apr 04 21:20:43.030759 2017] [ssl:warn] [pid 15521] AH02292: Init:
Name-based SSL virtual hosts only work for clients with TLS server name
indication support (RFC 4366)

What does this mean?

One of my .conf files is:

# cat 00-init.conf
ServerAdmin
<VirtualHost *:80>
<Directory "/var/www/html">


New 2.4 server on Centos; first attempt to connect via TLS and get:

An error occurred during a connection to
SSL received a record that exceeded the maximum permissible length.

my conf file has:

SSLEngine On

4 -rw-------. 1 root root 1395 Mar 22 11:14


4 -rw-r-----.

Piping ssl error logs to a program


I am writing messages to error_log file as well as sending to std out.

The setting looks like

ErrorLog "| /usr/bin/tee -a /var/log/httpd/error_log | java -cp
producer.jar stdin.producer.StdInProducer /CustomProducer/config.json

Now I want to do similar thing for ssl error logs. What is the setting that
controls this which is similar ErrorLog above ?

On the other hand, is there any way to send ssl_error_log sent to error_log
file as well as ssl_error_log file at the same time ?

smtpd_recipient_restrictions with ldap


I’m using following rules in

smtpd_recipient_restrictions = permit_mynetworks, check_recipient_access regexp:/opt/trend/imss/postfix/etc/postfix/access, reject_unauth_pipelining, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, ldap:ldaprfx, reject

where ldaprfx is configured with

ldaprfx_server_host = xx
ldaprfx_search_base = dc=cgprouter
ldaprfx_query_filter = mail=%s
ldaprfx_result_attribute = mail
ldaprfx_result_scope = one
ldaprfx_result_format = OK %s
ldaprfx_version = 3

I see not existent mail correctly denied with 4

file attachments for the domain only, and virtual mailbox size


I've got two issues. The first is I'm blocking file attachments in the
mime_headers file below. I'd like to allow those attachments but only
for hosts within the domain, so for example ... at example dot com can send
... at example dot com a word document.

The second issue is I'm running virtual users out of a mysql database.
I'd like to ensure that each virtual user's mailbox is no larger than
250MB in size.



Postfix for bulk email and TLS


Does anyone in postfix mailing list have experience using Postfix software for sending bulk emails with TLS encryption? Can you share your experience with me? The amount of bulk email is quite large, normally for marketing purpose. In the past we have been using sendmail bundled with CentOS 6 OS for a few years already. But we need to upgrade our system and one new requirement is to use TLS. So I’m planning on using recent CentOS 7 operating system. But as I look at its repository, postfix and openssl appear to be old versions.

- xinhuan

postfix uses A record for MX less domains

Hi everyone,

i'm having a curious issue with our postfix instance.

It seems it is sending emails to a domain's A record when no MX is found.

Is that standard? If so, can i disable this somewhere?

connect to[]:25: Connection refused
to=< ... at bikinibottom dot com>, relay=none, delay=407,
delays=407/0.01/0.15/0, dsn=4.4.1, status=deferred (connect to[]:25: Connection refused)

# dig mx

# dig a

Lock down backuppc to an ip, and to ensure that an htpassword is presented

Good day Guys

I'm trying to ensure a 'belt and braces' security solution for my backuppc.

What I'm trying to do is ensure that I lock down backuppc to an ip, and
to ensure that an htpassword is presented.

Please could someone review my config, for htpasswd is presented in my
browser, but 'Require ip' is not working / blocking.

If someone could assist, it would be appreciated.


Brent Clark

how to remove string "[MASSMAIL]" from the subject ?


will it be possible to remove string [MASSMAIL] from outgoing E-mails ?

I would like to have some thing like this.

Unfortunately Mailman is adding this string to some of my mailing lists and I
do not know how to change it, maybe it will be possible to rewrite it with
Postfix ?

Thanks in advance for any support.



need help with setting LDAP search domains

Hi -

I have set up LDAP search queries for delivering mail. The queries appear to
be working correctly however, when checking the LDAP logs I am seeing
queries for any domain that mail is sent. (In the logs, it also appears that
the queries are being re-run, after the completion of a successful query,
with different portions of the original email address as search data.)

From what I have read, setting the /domain/ in the LDAP table should be what
I need but I can't seem to get it to work.

Send header apache to java (jboss) through ajp

Hi everyone,

I need to send header content “*X-Client-Cert*” from Apache Web Server
to a java application
deployed in Jboss, through AJP protocol.

With directive below, in Apache Virtual Host, i check Header reach Jboss
but application not found because can’t read public certificate client:

*RequestHeader set X-Client-Cert "%{SSL_CLIENT_CERT}s"*

When capture traffic in Jboss host with tcpdump i notice this trace:

*[truncated] X-Client-Cert: ——BEGIN

The Header name is sent!!

DH parameter selection on httpd 2.2


I'm running httpd 2.2.31 on Amazon Linux, and the docs for
SSLCertificateFile say:

Beginning with version 2.2.30, mod_ssl makes use of standardized DH
parameters with prime lengths of 2048, 3072, 4096, 6144 and 8192 bits
(from RFC 3526), and hands them out to clients based on the length of
the certificate's RSA/DSA key.

I have a 4096-bit RSA key and yet I'm not getting a 100% on SSL Labs'
SSL testing tool.

Issue with proxy to IIS

We are running Apache 2.4.18 with mod_proxy and recently moved a backend site from a Weblogic server to an IIS server, and now we are facing intermittent issues when users connect.

message_size_limit - how to configure on multiple instances ?


I have a serious Problem. On my server I have 2 postfix instances.

On the master instance I have changed message size limit from 10Mb to 30Mb.
Unfortunately postconf shows still 10MB.

problem with released spam getting bounced

Hi all,

We're running postfix-2.6.6-6.el6_5.x86_64 on RHEL 6.6 and running
into a problem where emails that have been released from our outside
spam protection company, *, are getting
rejected with messages like this:

Mar 26 06:00:56 mailhost postfix/smtpd[2270]: connect from[]
Mar 26 06:00:56 mailhost postfix/smtpd[2270]: 51235A07D1:[]
Mar 26 06:00:56 mailhost postfix/cleanup[2279]: 51235A07D1: message-id=<1490445496218.20153

Another yahoo problem


I have a problem with getting mails from yahoo, only from yahoo but now
from all servers.
here is the log:

Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from
[]:33591 in tests after SMTP handshake
Mar 30 13:48

Apache Builds on Linux

Preface this with new to this subject but:

We have always used an apache instance that was a bundled solution, such as IBM version, and now want to build our own.

No milters have been used at around midnight


this morning I found a spam mail in my inbox, which normally should have been triggered by my spam milter. As I checked the headers, I found out that the milter service did not add any headers.

I checked the logs for the QID and found out that the milter was not even requested.

What is preferred PHP interface?

Reading several sources there is conflicting information as to what is the
preferred way to implement PHP scripts.

using tee to feed logs to executable


I am using

*ErrorLog* *"| /usr/bin/tee -a /var/log/httpd/error_log | java

I also want the same program to consume ssl_error_log. Is it possible to
do that using similar syntax ?

Queue ID availability for milters on multi-message connections/sessions?

I came across a bit of an information-passing glitch on a system that
uses a milter (MIMEDefang) to glue together complex filter policies.

MIMEDefang is configured to log sender, first recipient, Message-ID (if
any), and the queue ID, along with some filter result data, for each

This works just fine for messages sent on their own connection.

However, if a remote system sends more than one message during a
connection/session, the queue IDs of the second and further messages are
not passed to/retrieved by the milter; instead they're logged as

advice books (electronic ones better) for Postfix.

Hi people:
I'm looking to buy/download your recommended books (I prefer electronic ones to avoid paper) of Postfix;
From novice to TopGun ones.


When to use mandatory TLS ("encrypt", ...)

You use mandatory TLS when all your mail is sent to a small set of
relay hosts that are known to support TLS. If these have usable
certificates you can verify, you should consider using "secure" to
guard against active attacks, otherwise use "encrypt".

Advice smtp-->mailhub+alias --> corporate mailhubs.

Hi people:
I feel in need to receive advice from you.
My main experience came from sendmail on Solaris 10 and Solaris 11.

We have this site with Solaris, CentOS, Ubuntu and Windows (with SMTP service) servers.

At first, every server was a SMTP server, but now we want that every box send email to a pair of postfix servers as mailhubs.

Recent upsurge of spam messages rate


this is not strictly Postfix related, but I don't know how to get in
contact with a similar crowd of experienced folks. Please direct me to a
more suitable mailing list, if one exists.

In the last two weeks I've seen an upsurge of the rate to which spam
messages are delivered to my domain inboxes. Nothing is changed in my
quite standard configuration, thus I guess that spammers found a way to
circumvent the basic protections I have in place. Did anyone notice
something similar?

why strict_hostname_check treats '+' invalid character

In apache 2.4.25, there is a new function in vhost.c, strict_hostname_check

I currently get a 400 response if I send a request like the following:
http://abc+def:8088/test/auth.cgi
Based on the log, '+' is not a valid character.

I checked the history and found it comes from the following commit:

Does anyone know why strict_hostname_check implements the following
* for the host name in the URL or Host header:
- if a

Feature request: delay smtpd client connection response until queue item is removed


Normal smtpd client connection handling (after DATA) would be "Queued as

I would like to request a feature where the smtpd response is delayed
until the mail is completely actually handled (ie: removed from queue)
(of course not by default).

It would be (for example) only for trusted networks and be configured
with something like this:
* smtpd_delay_data_response = yes
* smtpd_max_delay_data_response = 60 (seconds)
* some parameters to limit this for specific connections (eg: client
connections or sender classes or similar)

The smtpd would then reply like this:
* T
