Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with Postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Blocking phishing attempts with double domains

I have been receiving a lot of phishing attempt e-mails lately that have a
"from" address like this:
valid. ... at mydomain dot comaccounting

This appears to be an attempt to fool anyone who isn't paying close
attention into clicking one of the links in the message since it appears
to come from a valid user inside my domain.

I am wondering if there is any way that I can stop messages with "from"
addresses like this.

server hw sizing

Does any document exist for hardware sizing for a Postfix server?
For example, I need something like: for 500000 emails per day, where the top is
100 emails per second, the minimal server configuration is ..

Thank you for help Roman

Can I do this with Postfix? Equal prioritization of email delivery from different users


we have a configuration where several bulk-mail users are sharing the
same email server.

For example:

When the first user1 sends out their bulk we have 1000x emails in queue.

Now one minute later user2 sends also out 1000 emails.

However from my experience the emails of user2 only will be sent out
after the emails of user1 are done.

Is there a way to have Postfix send the emails of the two users in equal

0 length robot.txt

This is probably a coincidence, but I had one of my hosted sites (with no php code anywhere, and certainly no .php files) returning a script error on load instead of showing the non-php webpage:

[proxy_fcgi:error] [pid 88148] [client xx.xx.xx.xx:63137] AH01071: Got error 'Primary script unknown\n’

And it would display a blank page for a few seconds, then “File Not Found” would appear.

check if envelope from and from is the same


we're running a small smtp send only service for authenticated users only.
Even though we only accept allowed combinations of authenticated user and
pre-defined envelope from addresses with access_maps, some smartasses
started to spoof From: addresses so we got bad reputation at receiver sites.

Is this a good idea to check if envelope from and from matches and if so,
howto do it in postfix?

thank you


Remove .php extension but still pass it to PHP-FPM

We would like to strip select .php extensions within a web site but still have them passed to PHP-FPM when they are clicked on.

Any help would be appreciated

Authenticating 'From' header to match envelope

Hi list,

I'm having an issue with my Postfix configuration: Currently I've it set
up so that one authentication SASL login (e.g., ... at foo dot com) supports
multiple virtual email addresses (e.g., ... at foo dot com but also
... at foo dot com, ... at foo dot com).

Once authenticated with ... at foo dot com, the envelope sender ("MAIL FROM")
is restricted to only the permissible variants.

However, as I've now painfully found out, when in Thunderbird someone
uses the "Custom From Address" feature, it doesn't change the envelope
sender, but only the actual "From" header field.

MaxSpareThreads not being honored

Could anyone tell me why Apache is not killing processes containing nothing
but idle threads and whose aggregate total exceeds MaxSpareThreads? Here are
some specs:

Server Version: Apache/2.4.35 (Unix) OpenSSL/1.0.2l
Server MPM: event

All MPM Event settings are default with the exception of MaxSpareThreads
which is set to 100. This means ServerLimit = 16 and ThreadsPerChild = 25.
According to mod_status, I have 16 total processes containing 399 idle

smptd_tls_security_level = encrypt


Running Postfix 2.10.1.

I am setting up an internal mail relay to receive mail from other
internal clients.  I have a requirement that all email be received via
TLS only.

I have configured TLS using our internal PKI and set the appropriate
settings in and mail is being received via TLS according to the

I have set smptd_tls_security_level = encrypt.  According to the

encrypt: Mandatory TLS encryption: announce STARTTLS support to remote
SMTP clients, and require that clients use TLS encryption.

However, the server is still willing to accept non

System User Authentication mod_authnz_external

Hi All ,

I am trying for system user authentication for my web page.

Below is the config i am using,

LoadModule authn_core_module modules/
LoadModule unixd_module modules/
LoadModule authz_core_module modules/
LoadModule authnz_external_module modules/
LoadModule auth_basic_module modules/
LoadModule authz_user_module modules/

DefineExternalAuth pwauth pipe /usr/bin/pwauth

<Location />
AuthType Basic
AuthName "Authentication Required"
AuthBasicProvider external

postfix functional testing


we have pretty complicated setup. when we change something, we can break
something else.
however, we can describe "what must work".

is there a way of describing configuration testing like

Ilya Shipitsin

pickup performance


Looking for some hints on a performance problem I have with Postfix and looping mail through a content filter and it slowly feeding back out via the maildrop.

It would seem that the pickup process is trickle feeding the maildrop back into the active queue. I'm conscious that pickup is single threaded, but for comparison, on reboot of the match Postfix will seemingly take the maildrop items real fast and smtp send them out.

macOS X, Operation not permitted - rename sendmail

I’ve just tried to install Postfix 3.3.1 on macOS X 10.13.6 High Sierra.

Sudo make install finishes with:

Updating /usr/sbin/sendmail...
mv: rename /Users/jlbrown/Downloads/postfix-3.3.1/junk to /usr/sbin/sendmail: Operation not permitted
make: *** [install] Error 1

My make command was:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/o

Invalid address is accepted by postfix

After reading it seems that a valid local-part address is :

/The local-part of the email address may use any of these ASCII characters:

*) uppercase and lowercase Latin letters A to Z and a to z;
digits 0 to 9;
special characters !#$%&'*+-/=?^_`{|}~;

*) dot ., provided that it is not the first or last character unless
quoted, and provided also that it does not appear consecutively unless
quoted (e.g.

set-permissions fails: how to fix and/or manual set correct permissions?

-> minimal: no SElinux, no appArmor, readme_directory = no, etc.

environment: root user name is renamed
# postconf -n
command_directory = /opt/sbin
compatibility_level = 2
config_directory = /opt/etc/postfix
daemon_directory = /opt/libexec/postfix
data_directory = /opt/var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_database_type = cdb
inet_protocols = ipv4
mail_spool_directory = /opt/var/mail
manpage_directory = no
myhostname =
mynetworks =,

Can't enable SASL authentication


I'm wondering if anyone here can help me with a problem that I'm having.
I've run into an issue where I cannot enable SASL authentication.

My configuration is as follows:
* Slackware 64-bit 14.2
* cyrus-sasl 2.1.26 (recompiled with LDAP support)
* postfix 3.3.1 (with LDAP support and cyrus-sasl support)

My contains:
cyrus_sasl_config_path = /etc/sasl2
smtpd_sasl_auth_enable = yes

postconf -d produces:
cyrus_sasl_config_path =
smtpd_sasl_auth_enable = no

Has anyone run into this? If so, how did you fix this?

Redirect vhost, with Wordpress

Hi, I need help.
I deployed a WordPress website in my httpd lab environment, and this website
redirects my requests to the default website. I changed this website's name
from tiblog.domain to blog.domain. I changed the database (WordPress) but my
website does not work.

tracker / pull requests / source control ?


I analyzed postfix using cppcheck and I would like to submit patches.
how can I do that ?

[src/milter/milter.c:778] -> [src/milter/milter.c:805]: (warning) Either
the condition 'milters!=0' is redundant or there is possible null pointer
dereference: milters.
[src/milter/test-milter.c:549]: (warning) sscanf() without field width
limits can crash with huge input data.
[src/posttls-finger/posttls-finger.c:878]: (warning) Redundant assignment
of 'stream' to itself.
[src/smtp/smtp_sasl_auth_cache.c:212]: (warning) sscanf() without field
width limits can crash with huge input data.

any api to read logs ?


we use automation to send messages.
from the automation point of view it is nice to know what happened to

I think about the following

1) automation send email via smtp --> id of message
2) automation ask postfix via (rest) api "hey, tell me history of message
id ..."

any suggestion ?

Ilya Shipitsin

Step-by-Step Tutorial: How to Setup Your Own e-Commerce Online Store using WooCommerce 3.4.5, Wordpress 4.9.8, and CentOS 1805 (LAMP) in Amazon AWS Cloud

Good morning from Singapore,

You can read my step-by-step tutorial on How to Setup Your Own e-Commerce Online Store using WooCommerce 3.4.5, Wordpress 4.9.8, and CentOS 1805 (LAMP) in Amazon AWS Cloud at any one of my two redundant blogs. My blogs were configured in RAID 1 mirroring array.


Thanks for reading!

Updating to php 7.0 and having apache still work?

Once again I have tried, and failed, to move from php 5.6 to php 7.0 (using postmaster under FreeBSD 11.3-RELEASE). The results are largely the same, php pages don’t load either "Primary script unknown” or complaints about filter(0 (which is built in to both php56 and php70).

I’m sure this is all my doing.

So… is there a decent document or how-to or step-by-step on how to update the php under apache without everything in apache breaking?

(php itself works fine, it’s the integration with apache 2.24 that I keep managing to FUBAR. Currently on apache 2.4.35)

Connect mod_lbmethod_heartbeat to Tomcat

Hey all,

I'm new to server configurations and Apache, so I apologize if this is
overly simplistic or an inappropriate place to ask this question.

I have recently upgraded from Apache 2.2 to 2.4 and am looking into
changing the proxy method used by the server from the basic mod_proxy
to mod_lbmethod_heartbeat in mod_proxy_balancer.

virtual host

This is my first attempt to set up a virtual host with apache24 on a FreeBSD
11.2 machine, and it is not working out so well.

Assuming a site name of, I tried to configure a simple vhost.

<VirtualHost *:80>
ServerAdmin ... at example dot net
DocumentRoot "/usr/local/www/testdir"
ServerAlias
ErrorLog "/var/log/stem.error.log"
CustomLog "/var/log/stem.access.log" common

AcceptPathInfo On

<Directory "/usr/local/www/testdir/">
AllowOverride all
Order Allow,Deny
Allow from all
# For Apac

403 error upon upgrade

Two days ago I upgraded my SUSE server. It serves three websites as virtual sites. All of the sites run php.

rejecting mail on Envelope RCPT != to a header recipient

Hi all,

for certain envelope recipients, I'd like to subsequently go on to check
if we have any matching Recipient headers (TO: CC: etc) and reject the
email if none exist (preferably before the sending MTA completes the

I understand that this needs to be done after the DATA phase - so using
a before queue filter?

The docs seem to indicate that I wont have access to the To: stuff at
that stage - is that true?

pointers appreciated


Get request of large file size greater than 100KB

Hi All,

I am trying to access a large file (GET request). This is
working properly if the size of the file is less than 52KB. But a size greater than
52KB is giving me error 4022.

I have debugged and come to know that writev function can write maximum
upto 52KB only. Therefore I changed the default value of
THRESOLD_MAX_BUFFER to 42KB so that my writev will not reach to 52KB.
THRESOLD_MAX_BUFFER to 42KB helps me to solve the issue for PUT request.

But in get request while accessing large file, size of brigade crosses
52KB. As 52KB is greater than THRESOLD_MAX_BUFFER(42KB).

Apache httpd 2.4.35 was installed successfully to CentOS 7.5 using rpm



    CentOS Linux release 7.5.1804 (Core)
    kernel version: kernel-3.10.0-862.11.6.el7

I have installed the newly released Apache httpd 2.4.35 on the above 
platform through rpmbuild successfully with no problem.

Thank you all contributors to this project for this beautiful work.

Thank you.

Yours truly,
Kazuhiko Kohmoto

Problem connecting any IPs to my postfix server

There are some ips that when wanting to connect with my postfix it is
impossible to do so when connecting in the same second they disconnect
without sending any data
for example:

Sep 26 21:20:47 ns postfix/smtpd[4679]: connect from []
Sep 26 21:20:47 ns postfix/smtpd[4679]: disconnect from []

This is my postconf -n configuration

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no

DNS lookups in check_policy_service configuration line.

Postfix version 2.10.1

I'm adding a check_policy_service for some quota checking, with the
following arguments


If I configure the line like this in it fails with the
following message
fatal: host/service not found: Device or
resource busy

If I on the other hand configure it with an IP address it works

check_policy_service inet:

The dns name resolves in the OS.

Is it now allowed to use fqdn's in the check_policy_service statement
or is there a setting i'm failing to find that

Auto-indexing of directory

Hi All,

I want to see the content of directory. I am able to access particular file
of the directory but when I am accessing whole directory then my process is
getting killed. Response is 200 for both the cases.

mod_authz_host partial IP addresses not effective

I have Apache 2.2 on Mac OS X 10.6.8
Used to display a directory list.
I’m trying to restrict access with several partial IP addresses.
I’m expecting IP’s in defined to be denied access, yet i’m still able to display all directories from IP’s not specified, and still seeing access log of unauthorised IP’s

httpd.conf I have the mod_authz_host module enabled.

Under document Root Directory I have added the rules.
The directives look correct based on the documentation but i’m failing to understand why they are not effective.

If anyone has any advice on how to correct this, I’d appreciate it.


mod_proxy_wstunnel intermittent empty response

I am running httpd-2.4.6 on CentOS7.

use cookie value as auth username


I'm trying to use an authz_dbd query to authorize based on the value
of a cookie (ie. if PHPSESSID cookie is set, a db query can test if it
should be authorized). It seems the only parameter AUTHzDBDQuery will
supply to the sql query is the username in place of %s; this could work
if I could set what REMOTE_USER should be prior to the query running,
but I haven't found a way to do so. Eg.

mod_ldap and Basic Auth

I have finally moved to Apache Httpd 2.4 from 2.2 and I am having issues getting our basic authentication to our ldap for some very specific areas. Below is what our 2.2 configuration used and worked just fine and the new 2.4 config that is not working. When I use the 2.4 it prompts for username and password but throws a Internal Server Error after submitting.

Devendra Fadnavis: Clean drinking municipal water for North West Virar residents


I just signed the petition "Devendra Fadnavis: Clean drinking municipal
water for North West Virar residents" and wanted to see if you could help
by adding your name.

Our goal is to reach 224 signatures and we need more support. You can read
more and sign the petition here:



TLS: Migrate from *encrypt* to *verify* for specific domain

Dear Postfix folks,

Currently, our `/etc/postfix/tls_policy` looks like below to force
encryption when sending messages to other servers in our organization. encrypt encrypt

We want to improve that. Unfortunately, DANE is not an option as the DFN
does not support that, and a lot of German research organizations and
institutes use that for receiving messages.

We do not have control over the other servers, but want to migrate to
*verify* [1].

Can you recommend a strategy how to do that?

empty MAIL FROM and check_sender_access


I'm using smtpd_sender_restrictions = check_sender_access

to make sure, my senders only send out with pre-defined and allowed domains.

Now i noticed, that if my users acknowledge "read confirmations" in
clients, mails in the following form arrive at postfix:

from=<> to=< ... at customer dot tld> proto=ESMTP helo=<W8PPCN130916>

and will be rejected as empty mail from is not allowed by

Howto deal with that?

tls_process_client_certificate:certificate verify failed - when using a PSS Signed intermediat


we use a Clientauth configuration for a location without problems for many

Ubuntu 16.04.5 LTS
Apache 2.4.18-2ubuntu3.9
openssl 1.0.2g-1ubuntu4.13

Now we upgraded Apache to use HTTP2

Ubuntu 16.04.5 LTS
Apache 2.4.34-1
openssl 1.1.0h-2.0

Apache Conf:

SSLEngine on
SSLVerifyDepth 2
SSLProxyEngine on
SSLProtocol -All +TLSv1.2 +TLSv1.1


postfix on local network - smtpd_sender_restrictions problem


I am testing sender address syntax with :

smtpd_sender_restrictions = check_sender_access
pcre:/etc/postfix/sender_syntax.pcre, reject

And the file /etc/postfix/sender_syntax.pcre contains :

/^([a-zA-Z0-9.\-_]+)@troll-hathor.nwk$/ OK

/^\@/ REJECT 510 Invalid address format.

/[!%\@].*\@/ REJECT 511 This server disallows weird address syntax.

/.*/ REJECT You can't send E-Mails from this server.

When I test the lookup table with :
postmap -q ... at example dot ... at example dot com

I got this :
REJECT 511 This server disallows weir

Postfix 3.1 -> Postfix 3.3

Hello All,

I'm attempting to configure Postfix 3.3 on a freshly-installed Ubuntu 18.04 LTS
system. The system will do nothing more than relay mail (for status and
summary e-mails) to my main mail server. The same configuration works using
Postfix 3.1. What am I missing?

Rewrite with proxy adds document root

I have this config included via Include conf.d/myconfig/*.conf within my virtualhost.

<Location "/requested-uri">
ProxyAddHeaders off
RewriteEngine on
RewriteCond %{QUERY_STRING} ^123 [NC]
RequestHeader set "X-API-KEY" "proxied"
RewriteRule (.*) "https://${HOST}$1" [QSD,P,L]
But the above rule is also proxying the /var/www/html which is the document root. I have no idea why as this is not added via .htaccess

So if you curl for example /requested-uri/123/index.html the proxied path would look /var/www/html/requested-uri/123/index.html

Any ideas why ?

Thanks a lot !

spf dkim authentication-failure


Since last week I get these messages every time I send any email; I can't
find my mistake.

Please can you point me to the right place that I need to look at, or what
my trouble is here.

opendkim[714]: 8D328402FC: DKIM-Signature field added (s=mail,

What is postscreen_dnsbl_reply_map use for?

What is the meaning of `postscreen_dnsbl_reply_map` in postscreen (postfix) ?
I've read from documentation:

And from manual:

Apache crashes with: AH03104: apr_thread_create


Apache has been randomly crashing (for a few months now) and I cannot seem
to understand why. I cannot replicate the crash even when hitting the server
with 4,000 requests @ a concurrency of 500. This is a production server and
I am willing to compensate someone for their efforts resolving this.

IP address used by Apache reverse proxy?

How do I find the IP address?

Would it be possible to use that IP address with a subdomain name on a virtual host configuration? I want to use the free subdomain I got from . - the largest free subdomain network offers you a free subdomain for your website.

BCC to a local account

I am trying to bcc all mail to a particular user (currently
... at lereta dot com) to a local account (mrcar).

I tried to setting an entry in recipient_bcc_maps:

/mrctest\ mrcar

but that just returns "status=deferred (unknown mail transport error)"

I also tried

/mrctest\ ... at mx02 dot

with the same result.

Is this even possible? If it is how can I make it work.

Apache PHP-FPM unix domain sockets questions

After looking at the documentation on and I have a few questions ...

1. I have seen examples of both "ProxyPassMatch" and "SetHandler" used to implement Unix Domain Sockets. Which is better?

2. On the wiki page it says "Using too many sockets will cause apache to give a (99)Cannot assign requested address: error"

If PHP-FPM is configured to use "ondemand" does this help avoid that problem?

3. If "ondemand" is used in PHP-FPM, is it still advisable to tweak /proc/sys/net/ipv4/tcp_tw_reuse?


Not sure if i have a DNS or Postfix issue ?

Hi, not sure if i am looking in the wrong place:
If you want my postconf I can get it.

User sends email to ling- ... at listserv dot with client.

Reverse proxy

If I have a secondary web service running on and I want to create a reverse proxy on port 8001, how do I prevent users from connecting to <IP>:8000 anyway?

REMOTE_USER is not available at the time of external function call in httpd RewriteMap

I am trying to set HTTP basic auth header for an user which is already
authenticated by external application. For doing that, we have to set
base64 encoded of "username:dummy" where password is any dummy value. In
ssl config, REMOTE_USER is getting captured properly in RequestHeader(Line
5) but not in RewriteRule (Line 3). In line 3, I tried with REMOTE_USER,
LA-U:REMOTE_USER, HTTP:REMOTE_USER. But all these variables are null.

Vacation transport ignored

Good day Guys

I'm trying to get vacationing going as per the link

Please can I ask if someone could please peer review my setup.

It's almost like postfix is ignoring the transport.

root@mail ~ # postconf |grep transport_maps
address_verify_sender_dependent_default_transport_maps =
address_verify_transport_maps = $transport_maps
empty_address_default_transport_maps_lookup_key = <>
fallback_transport_maps =
mailbox_transport_maps =
proxy_read_maps = $local_recipient_m

Address verification for a single domain

Hello everyone,

In order to avoid sending backscattering I'm going to implement
Address Verification (reject_unverified_recipient). Can I skip it for
one domain? If I configure postfix like this:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/no_reject_unverified_recipient

And in /etc/postfix/no_reject_unverified_recipient:

domain.tdl OK

I won't have the rbls check for that domain. I would like to skip just
the reject_unverified_recipient check. Is it possible?


DocumentRoot in ProxyPass?

Is it possible to do something along these lines in the apache.conf files?

DocumentRoot /usr/local/www/roundcube/
ProxyPassMatch ^/(.*\.php)$ fcgi://${DocumnetRoot}$1

(that is, not have to repeat the information that is already in the configuration)

Reverse Proxy and Virtual Host

Hi again.

I'm attaching my httpd.conf file here; please read it and tell me if I did it correctly. I start the Apache HTTP Web Server as a service and then try to navigate to the virtual host URL, but I get MS Edge's error page about it not being able to reach the page.

Apache httpd reverse proxy returns SSL_ERROR_RX_RECORD_TOO_LONG when HTTP redirects to HTTPS

Dear all,

I am setting up an Apache v2.4 httpd reverse proxy for another server
hosting Atlassian Confluence.

The proxy's private IP address is, its public IP address is, and a DNS A record maps the public IP to

There is a NAT in place:
- ->
- ->
which is necessary because the proxy's public IP address is used also
for other services.

Name resolution on the proxy is done via /etc/hosts, which maps to, the private IP of the Confluence

Here's /

Compiling 2.4.34 on linux against a non system openssl version


With gcc 4.3.x and apache 2.2.x I could compile apache against a non
system version
of openssl.
