Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Current ideas on DKIM signing ?


Am currently refreshing my perimeter mail infrastructure.

The current state of affairs of DKIM signing looks pretty miserable!

DKIMProxy seems to be abandonware since 2010

OpenDKIM seems to be going the way of abandonware too (last release in 2015 and the bug tracker filling up).

I've had a quick search on github for DKIM but can't find much of interest.

We all know what software is like, you have to keep it fed and watered otherwise it starts growing bugs (or worse). I'm not too keen on using software of 2015 vintage.

What is everybody using these days ?

Visual Studio 2019

Here we go with the new Visual Studio 2019 download with APR 1.7 and
the warning fix from Ylavic

We call it now VS16, and it is backward compatible with VC14 and VC15

See the details at <a href="" title=""></a>

Good news that dsw/dsp conversion is still fully supported and is not

Strange responses


I operate my site with httpd 2.4.39 with ssl option.

Yesterday, strange responses were observed.

My site received the following abuse requests.  Except the following
requests, the httpd return 404 error to obvious abuse requets.

GF 3.3, unsupported dictionary type: mysql

I'm trying to migrate server to new vm, installed postfix* from GF (1)

but, after copying over get this:

Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql
Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql

postconf shows no mysql

Centos 6

daemon started -- version 3.3.3, configuration /etc/postfix

Linux 2.6.32-754.10.1.el6.x86_64 #1 SMP Tue Jan 15 17:07:28 UTC 2019
x86_64 x86_64 x86_64 GNU/Linux

what did I do wrong ?

# yum shell --enablerepo=gf-plus
Loaded plugins: fast

Question about configure not answered in documentation

I am guessing the answer to my question is probably "no", but I'm hoping
someone here has a silver bullet.

We are finally getting our act together and updating our Apache server instances.
Our chosen way to do this is as follows:

The /apps directory holds application software distributions, suche as

/apps/apache (this is a symbolic link to the current distribuiton)

We keep the DocumentRoot directory outside of the distribution tree because
when we want to update the server, we don't want to have to copy the HTML
and cgi file

SPF and Greylisting


policyd-spf and postgrey are implemented and working.

With exim, I was able to check the spf result and greylist upon receiving a
certain result. I'm using Mail_From_pass_restriction = mfrom_passed_spf in

Is there any way I can defer or greylist based on an spf result of Softfail?



selective 550 Reject for missing sender PTRs?

I've got a legitimate sender, FedEx, sending expected, automated emails, that's got a missing RDNS PTR record on their sending host.

Error while build apache 2.4.39 using CMake on Window machine

Hi Team,

While building apache 2.4.39 using CMake command, I face below issue

CMake Error at CMakeLists.txt:761 (ADD_LIBRARY):
Cannot find source file:


Tried extensions .c .C .c++ .cc .cpp .cxx .m .M .mm .h .hh .h++ .hm .hpp
.hxx .in .txx

CMake Error: CMake can not determine linker language for target: mod_http2
CMake Error: Cannot determine link language for target "mod_http2".
CMake Error:
Error evaluating generator expression:


TARGET_PDB_FILE is not supported by the target linker.

Can someone please help me

Re: Postfix and smfi_setmlreply() milter command resulting in SMTP protocol breakage.

Hi John,

True. But considering that Net::Milter also does the right thing, it seems like
a good conclusion that Postfix was doing line folding.

But you are right, it is good to verify.

Apache httpd 2.4.39 has a problem while rpmbuid



    CentOS Linux release 7.6.1810 (Core)
    kernel version: 3.10.0-957.10.1.el7.x86_64

I met a trouble during rpmbuild.

RPM buid error:
A installed, but not contained in the package ,file was found:
(The message was given in Japanese, so the above text was translated one.)

I found the following module statement was missing in httpd.spec.

Then, I could rpmbuild successfully using the changed spec file with the
above line.

Thank you all contributors to this project for this im

CVE-2019-0211 - Apache 2.2


i have still a bunch of apache 2.2 servers. ;(
Is apache 2.2 exploitable by CVE-2019-0211 ?
Description says that first affected version is 2.4.17, but may be 2.2
was not analyzed.


MAILER DAEMON email address question


I have configured postfix with local domains

mydestination = ldap:/etc/postfix/

and to check local recipients:

local_recipient_maps = ldap:/etc/postfix/

smtpd_relay_restrictions =

smtpd_recipient_restrictions =

There are no aliases:
alias_maps = hash:/etc/po

Rewriting recipient before routing the email

Hello again,

Is there an option to rewrite the final recipient, to remove some extra
characters, with some header checks, for the incoming emails.

This is what I want to achieve:

For instance, if postfix receives emails for <a href="mailto: ... at rodier dot me"> ... at rodier dot me</a>, the
final recipient would be rewritten as <a href="mailto: ... at rodier dot me"> ... at rodier dot me</a>, and an
additional header would be added, for instance, X-Valid-Date: 0304.

Maybe I can do this with recipient delimiter, but can I have more than
one character recipient delimiter in postfix?

The idea I have in mind, and the first tests are promising, is to allow
my users to register on w

Apache Timeouts, fastcgi, etc settings recommendations for Wordpress site servers?


If you have servers with dozens of standalone installations of Wordpress, what settings are typically changed from the Apache/Fastcgi/PHP defaults with regards to timeouts, execution time, etc.

On occasion when users are updating the application, we get a timeout error in Apache, and no one can access any PHP driven content. Regular html works ok. Only a reboot of the server seems to remedy it.

problems follow with certain rules

following the instructions given to me place the access in front of the
rule that is not supported ips unresolved, and as I still have the same
problems I added a debug to that ip that interests me and among other
things in this debug I find this:
16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access: name
unknown addr
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access: unknown
Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc /
postfix / access: unknown: not

3rd party authentication - mod_auth_openidc

We're investigating the use of mod_auth_openidc<> for our applications that require 3rd party authentication (Facebook, Google, & etc). Does anyone have experience with this module? If so, has it proven to be reliable/stable?

Jay Leggett
Software Engineer
Lenovo United States

[Phone](919) 237-8165
[Email] ... at lenovo dot com<mailto: ... at lenovo dot com>


Bug report: problem with smtp_mx_address_limit = 0

According to the docs, the smtp_mx_address_limit parameter determines
"the maximal number of MX (mail exchanger) IP addresses that can result
from mail exchanger lookups, or zero (no limit)".

However, when setting it to zero, the SMTP client won't even attempt to
deliver to a server that has _both_ IPv4 _and_ IPv6 addresses.

Postfix and smfi_setmlreply() milter command resulting in SMTP protocol breakage.


I have a locally developed milter using the python-milter bindings which
seems to trigger a Postfix bug.

The milter in question uses the smfi_setmlreply() command to set a
multiline response as defined in rfc5321.

Multiline replies should result in the smtpd replying with something like
the following to e.g.

RE: nfs as storage for mail queue

Found a solution to my problem in archive

<a href="" title=""></a>

thanks Witse

Met vriendelijke groeten
Kind regards
De Petter Mattheas
Technical support engineer - projects team
IT-Department Jan De Nul Dredging N.V.
T +32 (0)53 73 95 53
F +32 (0)53 21 00 31<>


Can somebody help me?

So I have setup the nfs share on a windows se

Authentication attempts for addresses

Not sure if this is a Dovecot or Postfix issue we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql( ... at com dot au, unknown user (given password: someone123)

Also <a href="mailto: ... at com dot au"> ... at com dot au</a> etc.

They are coming through on port 465.

Obviously my domain is not ‘’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.



Remove user agent information in the email header


I would like to delete automatically User-Agent or X-Mailer information
in the headers of outgoing emails.

I have tried the header_checks, and it works, but with all emails, even
those received.

Can you tell me how to proceed, please?


nfs as storage for mail queue


Can somebody help me?

So I have setup the nfs share on a windows server 2016 with nfs server role.

Security is set on the device ip of the postfix server read-write with allow root access.

In the main conf of postfix I have set the queue to the right dir

queue_directory = /mnt/mail

fstab is set as: /mnt/mail nfs defaults 0 0

When I start the postfix service it writes all the folder structure on the share but fails to start with error.

● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor pre

Ubuntu 18.04 /etc/aliases

i just did install postfix in Ubuntu 18.04 by `sudo apt-get install
postfix'. then just did type `cat /etc/aliases'.
#+BEGIN_SRC: text
(bionic)soyeomul@localhost:~$ cat /etc/aliases
# See man 5 aliases for format
postmaster: root

by the way there is no MAILER-DAEMON thing. is that normal state?

mod_cache_disk: AH00708: Cannot open data file

Hi all,

I have a apache-2.4.34 system on fedora28 and have set up disk caching
using "CacheQuickHandler off" to go through apache before being fetched
from the cache and having some problems.

[Mon Apr 01 14:16:48.908257 2019] [cache_disk:error] [pid 5955:tid
140305609242368] (2)No such file or directory: [client] AH00708: Cannot open data file /

Could this be caused by a configuration error?

CacheQuickHandler off
CacheLock on
CacheLockPath /tmp/mod_cache-lock
CacheLockMaxAge 5

Alias and local delivery issues (Edited)


I have an alias system that I need to deliver some mail via relay, and some locally for PAM accounts.

Alias and local delivery issues


I have an alias system that I need to deliver some mail via relay, and some locally for PAM accounts.

Postfix stable release 3.4.5 and legacy releases 3.3.4, 3.2.9, 3.1.12

[An on-line version of this announcement will be available at]

This update fixes 5+ year old bugs, and provides a Postfix 3.4 fix
for sites that depend on undocumented behavior.

Changes for all supported stable releases:

* Starting with Postfix 3.0, LMTP connections over UNIX-domain
sockets were cached but not reused. Therefore, idle cached
connections could exhaust LMTP server resources, resulting in
two-second pauses between email deliveries.

Postfix 3.4.4 compile problems on Solaris 11


Attempting to compile Postfix 3.4.4 on Solaris 11 with GCC 7.3.0, but I
am getting the following error when running "make makefiles":

Combining SSL and basic user (group) authentication

Dear all,

I’m trying to figure out how I can give access to documents by combining SSL and basic user authentication. The following is from my httpd config:

<Directory "${WEBAPPS_ROOT}/test/user">
AllowOverride None
Options None

AuthType Basic
AuthName "Test User"
AuthBasicProvider dbd
AuthDBDUserPWQuery "select human.get_user_password(%s);"
AuthzDBDQuery "select human.get_user_groups(%s);"

Require ssl
Require dbd-group user

The “Require ssl” denies access to the document for normal http:// connections which is what I want.

How to use the new server TLS SNI feature (3.4.x)


I've noticed the release of the new SNI feature in Postfix 3.4, but I
cannot get a successful setup. My last attempt was to
use tls_server_sni_maps, but I'm not sure about the correct format (I've
tried encoding the certificate as base64 according to the documentation).

For reference, what I'm trying is to have a main certificate for the mail
server and another certificate (letsencrypt) for a specific domain.

Thank you,

Apache httpd 2.4.39 GA for Windows


See <a href="" title=""></a>


This release is primarily a bug fix & stability release, several http2
bugs fixed,
and a new module mod_socache_redis.



how to check email delivered via MX backup host

When I try to block spam from repeaters, via access.db,
firewall, ... the first thing that happens is the blocked
mail gets delivered via my MX backup host. Mail received
by this route does not seem to be checked against the
access database.

Is there something I'm not turning on to enable checks
of mail received via the MX backup host?


close_notify packet being sent back to client an no response.

Hello, we are having a hard time tracking down why a very small number of our apache connections have close_notify packet sent back to the clients after the request is received and not a http response.

unknown tls_ssl_options value "tlsext_padding"


postfix-3.4.4 linked with openssl-1.1.1b

$ postconf tls_ssl_options
tls_ssl_options = no_compression, tlsext_padding

produce such log:
Mar 30 21:04:12 danube postfix/smtpd[9075]: warning: unknown tls_ssl_options value "tlsext_padding" in "no_compression, tlsext_padding"

while it does make no sense, I placed all options [1] and still get only errors regarding tlsext_padding:
Mar 30 21:10:48 danube postfix/smtpd[9222]: warning: unknown tls_ssl_options value "TLSEXT_PADDING" in "ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, NO_TICKET, NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGO

Postfix and dovecot High avaliability

Hello, list,

I'm doing research for our company's email system, user would use
MUA(outlook or foxmail, and mobile phone client) so I have a few questions.

1. How to setup high availability for postfix and dovect? Does common
method like HAproxy or Nginx proxy apply them?

domain-specific virtual_alias_maps file


I'm setting up a new site that is going to handle all a mailing list
(with mailman, on its own domain and a few aliases

Is the limitation on password text in a file for smtp_sasl_password_maps


I faced with strange problem with my postfix configuration. I use the postfix as SMTP client to send emails from my host. Recently I changed the password on external email-server, updated file that stores passwords and now I see SASL authentication failures in log.

Recipient address rejected: User unknown in local recipient table


I'm new to postfix, and I use postfix + dovecot, and I add MX/A/PTR.

I use Mariadb as Dovecot passdb and Cyrus SASL Authentication.

And I configure email client (MUA) and try to send email to another user
in the same domain, it says,

"Recipient address rejected: User unknown in local recipient table"

I can read literally this user does not exist on this machine.

timed out while receiving the initial server greeting when sending to CPanel exim addresses

Hi All,

Cpanel environments have a artifical (“tar pitting”) delay in their smtp transaction when receiving email.

Cpanel’s exim config has a “delay = 20secs”.

Re: [users@httpd] Re: Apache web server devouring resources

No PHP on the system at all. The web server was down for 15-20 minutes so anything in the queue should have cleared, right?

Darryl Baker (he/him/his)

Apache web server devouring resources

I had an incident yesterday where the Apache web server host had a load average of over 170 and was performing very slowly. Stopping the web server did fix the issue but when I restarted the daemons the load started to increase very quickly. I ended up having to reboot the system to fix the issue. I don’t like that one bit, this is a Linux system not a Windows server. (Editorial remark: I have found that systems need reboots to fix stuff much more frequently since the adoption of systemd) I have been asked to do a root cause analysis, but I have not found anything as of yet.

mod_echo configuration


I am new on this mailing list and I hope to find an answer on my apache2
configuration problem.

My OS : Linux openSUSE 15.2 64 bit
Apache : apache2 2.4.33 standard install
   browser url : local host --> It works!

I try to use apache as a echo server for telnet.

reading <a href="" title=""></a>
"It provides a simple echo server.

Debug log level configuration

I want to configure postfix such that I get log level 4 for specific ip or
domain. And for rest of the cases it should give logs of log level 1
What I tried is :
debug_peer_level = 4
debug_peer_list = <ip-address>

In this case postfix is not providing all debug logs.(May be providing log
level 2 logs)

I was expecting that I will get debug logs of level 4 as we get when we set
smtp_tls_loglevel = 4 <This option gives debug logs for all I want it only
for specific ip or host>

Kindly suggest configuration ? feasibility ?

SASL configuration issue

postfix 3.3.1
opensuse 15.0 (linux )

AFAICT the configuration on this computer is the same as that on
another where postfix works just fine. Obviously, something is different.
The report of a mystery error is not much help.
I cannot determine the failure.

Does Apache do a "graceful" automatically over time?

As always, a "thank you" to everyone that works on Apache.

Some background and resultant question ...

We had made some changes in the afternoon to some virtual host configs that we intended to implement the next morning with a graceful restart of Apache.

That was going to be coordinated with a restart of php-fm which had to be done before the graceful of Apache

Anyway, the next morning the sites utilizing PHP were getting a 503 error before we restarted anything.

Postfix benchmark: bug or performance regression ?

Hi all!

We used to have postfix 2.6.11 in our systems, which was then updated with no
problems to 3.3.2.
However, during a benchmark, we realized 3.3.2 was 5 times slower than the
version before.

permit_tls_clientcerts with CN matching


we need to authenticate a SMTP client connection base on the CN of the
(trusted) client certificate. The client is not under our control
(O365 connector), so we will get no notification if the key
fingerprint will change. As far as i can see Postfix is only able to
use certificate fingerprints to allow relaying, not the CN string, no?

Have i missed something or is this not considered a valid use case?



difference between setting up an alias in virtual_alias_maps and virtual_mailbox_maps?

What is the difference between setting up an alias in virtual_alias_maps
and virtual_mailbox_maps?

I can make alias@domain point to a mailbox by pairing it with the path
to the maildir in virtual_mailbox_maps but it seems if I do that the
alias can only point to one mailbox not multiple.


user@domain     /path/to/user@domain/

alias@domain    /path/to/user@domain/

this works OK but if I was to do

user1@domain     /path/to/user1@domain/

user2@domain     /path/to/user2@domain/

alias@domain    /path/to/user1@domain/

alias@domain    /path/to/user2@domain/

this doesnt work.

nfs as mailq storage?


Is there a way for postfix to store its mailq on a nfs share?

And what do i need to change to make it store the q over there.

The nfs share is mounted to the postfix server in the fstab config file.

Case for this is, we are using postfix in a poc case for are vessel mail as= a relay host.

So when we have sat communication mail leaves the vessel on the spot, but w= hen we have not sat comm mail has to stay in queue until sat comes back.

Thing is when are vessel is in voyage on the ocean there are places where t= here is no coverage and mails get for long time in queue.


SPF Temperrors - minor thing


My SPF record appears to be in order, using the SPF query tool at
kitterman dot com.

Also, I do not appear to have any problems receiving or sending emails,
outside of this minor temperror message.

However, the header kind of irks me, since it always returns the
following header.

Received-SPF: Temperror(mailfrom)

But, I would like to receive this

Received-SPF: Pass (sender SPF authorized)

my domain is little-beak at com

I have included all my files below, also in case anyone is in the mood
to help a brother out.

What's new in log file parsers? Anything better than pflogsumm?

I'm looking for a postfix log file parser that can provide the number of
messages delivered,
broken down by sending domain, and per hour counts on a daily basis.

I have looked at pflogsumm, but it seems a bit dated, and isn't as flexible
as I had hoped.

Can someone suggest any alternatives?

Bypass landing page based upon cookie


Apache 2.4.27
OS: RHEL 7.6

We're using httpd as a reverse proxy to 3 back end application servers. We
have a landing page for users to select their geographical region.
Everything works as expected with the current setup, however, we'd like
users to not have to re-select their region on return visits.

So, ideally we set a cookie (or two) and use mod_rewrite to direct requests
that have the cookie(s) in place.

I have not been able to get this working as I am not that familiar with
what I need to be redirecting on.

reject_unknown_reverse_client_hostname query

I have the follosing restrictions in

smtpd_client_restrictions = permit_mynetworks,
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, check_policy_service
unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining,
reject_unknown_recipient_domain, reject_rbl_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_desti

Relay Access Denied

Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running Postfix as a mail server.

My LAN has a 192.168.x.x range. I’m getting that error when an app I’m developing, is trying to send an email out through this email server to the internet. A gmail address specifically.

$queue_directory/private permissions


I am running postfix (3.3.0-1ubuntu0.2) confined by Apparmor and I
noticed the tlsproxy process is apparently trying to connect to tlsmgr's
Unix socket while still running as root.

Since tlsmgr's socket is stored under $queue_directory/private that has
perms set to 0700 and owned by postfix:root, the tlsproxy process needs
to override the DAC checks using the CAP_DAC_READ_SEARCH capability.

I can think of 2 ways to workaround this.

I don't realize why this email was not delivered

To make it simple please take a look at
<a href="" title=""></a>
Thank you

SPF setup Temperror


Dovecot 2.2.27
Postfix 3.1.9

I had SPF setup proper, originally. Then, it stopped working properly
after some other configuration changes, as I tried to go through and
eliminate errors.

Here is my header information.

Received-SPF: Temperror (mailfrom) identity=mailfrom;
 envelope-from=bounces+9243903-ab61-me=example. ... at em8306 dot emailtester.o
 receiver= ... at example dot com 

My two questions:

1. The Temperror. How do I turn that into a pass?

Syndicate content