Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian Jessie. Everything works fine. I would like to restrict local users from sending mail to a particular group email id and allow only a few users, with smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with Postfix 2.9 installed on Wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up SASL, Postfix 2.7, Dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1

myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

Noticed now this warning; this user is on a dynamic IP, so I can't add his
IP to an exception:

Going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

httpd mod_cache_disk shared by two servers

I'm trying to get two servers using mod_cache_disk to share each other's
cached files.

I got them to use the same share and the same url > file mapping using the
CacheKeyBaseURL directive, but while I get cache hits as long as I hit the
same file on the same server, when I hit the file from the other server,
the cache entry gets cleaned up and recreated.

Apachectl configtest did not warn on a configuration error

While progressively disabling modules I don't need for my application, I found an issue with apachectl configtest returning Syntax OK, but the restart of httpd failing.

When I comment out:

LoadModule slotmem_shm_module modules/

And do a sudo apachectl configtest I get back "Syntax OK" but when I do a sudo apachectl restart I get back "Job for httpd.service failed because the control process exited with error code."


I have a new IP address of unknown quality (

I am therefore for the time being using an external smarthost.  But I
would like to test direct mail to various places by using a specific
sender address with no disturbance of other users.

So I have tried the following:

Which I h

Can't get X-Forwarded-For to be passed through to app with apache reverse proxy

I have tried everything and I can't get Apache (2.4.39) to pass the
X-Forwarded-For header to my tomcat (8.5) instance.

I have apache listening on port 8081 and bound to the public IP address as
a reverse proxy to a backend tomcat instance which is also bound to 8081
but on
My apache instance has the following modules loaded:

proxy_module (shared)
proxy_connect_module (shared)
proxy_ajp_module (shared)
proxy_http_module (shared)
proxy_wstunnel_module (shared)
remoteip_module (shared)

Here is my virtualhost stanza
<VirtualHost _default_:8081>
ProxyPreserveHost On

Apache-httpd 2.4.41 compiling/linking error


I am trying to cross-compile Apache-httpd along with APR and APR-util with the recommended versions below.

APR 1.7.0, released April 5, 2019 and APR-util 1.6.1, released October 22, 2017

Compilation fails with the error:

Making all in apr
Makefile:139: warning: undefined variable `LOCAL_LIBS'
/salim/test/obj/x86_64/apache-httpd/httpd-2.4.41/srclib/apr/build/ warning: undefined variable `EXTRA_SOURCE_DIRS'
Makefile:139: warning: undefined variable `LOCAL_LIBS'
libtool: compile: x86_64-montavista-linux-gnu-gcc -m64 -msse3 --sysroot /salim/test/distro/tmp/sysr

Postfix as backup MX

I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks
to these instructions for more than
a year without any issues.

I'm using a paid service (Mail Reflector) to handle the times my server
is down or (initially) to get my mail server up and running.

I'd like to set up another server as a backup and while there are some "How
To"s out there, they seem to be 'ignoring' spam and/or security issues.

Could I just use the same approach I used when setting up my current
server with the exception of the following:


Postfix stable release 3.4.7 and legacy releases 3.3.6, 3.2.11, and 3.1.14

[An on-line version of this announcement will be available at]

Fixed in Postfix 3.4:

* Robustness: the tlsproxy(8) daemon could go into a loop, logging
a flood of error messages. Problem reported by Andreas Schulze
after enabling SMTP/TLS connection reuse.

Fixed in all supported stable releases:

* Workaround: OpenSSL changed an SSL_Shutdown() non-error result
value into an error result value, causing logfile noise.

* Configuration: the new 'TLS fast shutdown' parameter name was
implemented incorrectly.

Suggestions for less spam


I would like some suggestions on how to get less spam, I will paste my
configuration at the end of the mail.

Maybe somebody with a nice setup could post his/her setup?

As you can see, I am experimenting with reject_unknown_client_hostname.
What's your opinion about that setting?

I've never used greylisting.

multi-instance postfix with opendkim

I have 2 Postfix instances (multi-instance) on one server. If it will be
different for each instance, for example:

for the instance1 the main:

for the instance2 the main:

For this, do I need to make a few configuration files /etc/opendkim.conf, or
different SOCKET = "inet: 8891 @ localhost" in /etc/default/opendkim, or
something else? Or are there any guides for multi-instance Postfix with
opendkim? Thanks.

a php initiation for GD question

Hi, I have a problem with getting the following in the Apache error log at startup.
It is the least crazy variant of obfuscating the
extension_dir = "C:/php/" of the php.ini file; all other variants of back/forward stroke combinations give all kinds of weird paths:
PHP Warning: PHP Startup: Unable to load dynamic library 'C:/php/php_gd2.dll' - Det g\xe5r inte att hitta den angivna modulen.\r\n in Unknown on line 0
The file php_gd2.dll is definitely in the C:\php dir (and also a copy in the C:\php\ext dir).
(further down in the php.ini I have the: extension=php_gd2.dll as I think approp

postfix multi-instances use the same port 25

I have two instances on one Postfix server. The two instances have their own IP
and domain settings. The default instance is "postfix", the second instance is
"postfix1", created by using the command "postmulti -I post1 -G outgoing -e

Error 46 with TLS


I have a problem with my Postfix server, I can't connect with TLS, I have
this error:

Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

Connection works fine without TLS.

I use a Let's Encrypt certificate. My server is a Debian Buster.

Thanks for help


trouble with multiple-instance postfix and dovecot

I recently had trouble with building a multi-instance postfix. The target
environment is a multi-IP server. I need to install the dovecot feature on
the multi-instance postfix, but now I only know how to use the default ip
address to authenticate with smtp, but I don't know how to add smtp
authentication to new instances.
Are there any guides for multiple-instance Postfix with Dovecot?
After searching for a huge amount of data, I still can't solve it. Can you
help me? thanks.

mod_cgi(d) vs mod_proxy_fcgi

Dearest Apache Gurus,

Do mod_cgi and mod_cgid have any sort of dependency relationship to mod_proxy_fcgi? I only want to use CGI as a means to execute PHP code so, mod_proxy, mod_proxy_fcgi and PHP-FPM sounds like the stack I need, but I wanted to confirm that “classic” mod_cgi(d) is not required, similar to how mod_php is not needed to support PHP-FPM. I don't see any relationship between them in the module documentation but I wanted to make sure I wasn't missing something.



mod_brotli vs / and / or / xor mod_deflate

Greetings Apache Gurus,

I am presently trying to form a content compression strategy for a new Apache 2.4 httpd server and have been looking at the mod_brotli and mod_deflate modules. The first thing I noticed about them, comparatively, is how very similar they are in terms of functionality, directives, etc.

Suggestions for submission protection

I have what seems to be a reasonably stable and functional filter
protecting my port 25 SMTP interface to the outside world. However, most
filters (including postscreen) state they are not intended for use
between MUAs and the MTA. Therefore my 587 submission port does not have
additional filters beyond TLS & SASL AUTH.

I'm seeing some higher levels of attempted logins from various sources.
Are there any automated filters that are suggested? Or do I simply add a
check_client_a_access and reference a manually maintained blacklist?

Still getting strange 550 error..

I get this for several accounts/servers (note I've masked the host and ip):

host[ip.ip.ip.ip] said: 550
Access denied - Invalid HELO name (See RFC2821 (in reply to MAIL
FROM command)


transport map from ldap

Hi All.

I would like the transport_maps to be driven from an LDAP lookup,
but I am unsure of the format it should be returning.

I have the following config

and my /etc/postfix/ looks like this

This returns the output when doing a postmap vq

But is that correct for a transport_map?

why still host its email on Verizon Yahoo


Though this is a little OT, I was curious: since Verizon bought Yahoo
a long time ago, why does AT&T still host its customer email accounts on the
Yahoo platform? We know AT&T and Verizon are commercial competitors.

Thanks for any comments.

Issue with 'Require expr' and pattern indents

Hi list,

I'm not sure if this may be a bug or a lack of understanding on my side.
I do access control for various <Location>'s like this:

<Location /some/path>
Require expr %{HTTP:X-SSL-Client} in { \
'/DC=com/CN=Fool me not', \
'/C=DE/O=MyCompany/CN=Some Dude' \
Require expr %{HTTP:X-SSL-Issuer} in { \
'/C=DE/CN=My Project ROOT_CA', \
'/DC=com/DC=Some Other/DC=Root CA' \

'%{HTTP:X-SSL-Client}' and '%{HTTP:X-SSL-Issuer}' are set upstream by a load balancer which

Refuse mail from hosts with closed port 25


How can I refuse mail from hosts that don't have an open port 25?

What do you think of such a check?

Is there more needed? E.g. a list of exceptions for some big providers?

I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider ( refuses all mail from
a host that does not have port 25 open. I have many problems with spam
and I would like to reduce it.

4xx when host not found


I'm running postfix with spamassassin as a relay (before-queue). The host is
connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=<info@>,
relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
(Host or domain name not found.

Apache 2.4.25 (Debian Stretch 9.11) reverse proxy load balancing


I am trying to set up reverse proxy load balancing using Apache.


What I want to achieve is:

HTTPS connection to my load balancer (which has an appropriate SSL certificate
for its own URL) forwarding requests on to (currently two) HTTPS back-end
servers (each of which also has an appropriate SSL certificate for its distinct

I can get things working fine if I use HTTP for the

Apache 2.4.6 - ErrorLog

In use of CentOS7 servers and the included apache, I'm moving to

It appears something related to ErrorLog has changed.
I'm using what I have always used:
ErrorLog "logs/error_log"

and I do see messages going to logs/error_log such as start/stop and
certain types of errors such as access denied, but something simple like
a file not found error is not getting logged outside of certain scripts
not being found associated with ScriptAlias definitions.

But just a request to https://'my_web_server'/no_such_file.html does not
get logged as not found as it used to in earlier apache.

Singapore Citizen Mr. Teo En Ming's Refugee Seeking Attempts, In The Search of a Substantially Better Life

In The Search of a Substantially Better Life

In reverse chronological order:

[1] Petition to the Government of Taiwan for Refugee Status, 5th
August 2019 Monday

Photo #1: At the building of the National Immigration Agency, Ministry
of the Interior, Taipei, Taiwan, 5th August 2019

Photo #2: Queue ticket no. 515 at the National Immigration Agency,
Ministry of the Interior, Taipei, Taiwan, 5th August 2019

Photo #3: Submission of documents/petition to the National Immigration
Agency, Ministry of the Interior, Taipei, Taiwan, 5th August 2019

Photos #4 and #5: Acknowledgement of Receipt (no.

Relay Though MTA

Hi All,

I have had a request in that is making my head hurt thinking of all the
moving parts, so I am asking for advice on the best way of doing the

We have domain, with MX records pointing to gsuite, domain is

I have now been asked to add to our internal mail systems (
zimbra, which uses Postfix) that also hosts our other and )

All external mail (i.e. leaving the company) goes from zimbra to a MTA
postfix relay in which we have a transport map that routes and to

lmtp deliver issues


Being in the process of trying to upgrade an old postfix 2 (with a
postfix 1) configuration to postfix 3, using compatibility_level = 3, I
am having a bit of a hard time getting lmtp up and running.

The logs read:

postfix/local[2856]: warning: connect #1 to subsystem private/lmpt: No
such file or directory

This error bears two riddles: First, the file
$queue_directory/private/lmpt does exist as a socket, with
postfix:postfix ownership.

However, there is nothing listening on the other side of the socket,
because, riddle no.

Change status code for "Host not found"


I'm running postfix as a relay connected via VPN. If the VPN is down
mails are rejected:

relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found. Name service error for
name=EXCHANGE01 type=AAAA: Host not found)

Is there a way to change the dsn to 4xx and deliver it when the VPN is
up again?

Thank you!

php5.2 with apache 2.2 not working

Hi, I have installed Apache 2.2 on Windows XP, which seems to work; accessed on localhost, I get the .html document hello content.
However, having installed php5.2, which seems fine from the Apache viewpoint, at least no errors, the <?php echo "xxx"; ?> included in the .html just vanishes;
there is no trace of the statement.
What could be wrong?
Thanks for hints.

Mail forwarding through a relay


I have a postfix-3.2.6 system that acts as a mail server and pop/imap using
dovecot for a small domain.

policyd v1 HRP (helo random db)


I don't know if it makes sense to add this to postscreen testing?

Will it be too expensive testing it and tracking it?

more complex IfDefine directives

IfDefine currently only takes one argument, and even that one is pretty

Sometimes this leads to complex configuration files, where IfDefine is
repeated over and over, often with the same content.

Is there a way to create more complex IfDefine clauses, perhaps linking
together multiple conditions, using logical operators?


EHLO restrictions and address literals


I have a question regarding restrictions I can place on EHLO in the smtpd_helo_restrictions parameter.

I have a Postfix server that is Internet facing. I periodically receive e-mail where the other MTA sends an EHLO of an address literal.

compiling http-2.4.41 on linux variants

I am trying to compile http-2.4.41 and it works on Fedora 29 and CentOS 7, but
on CentOS 6 and Ubuntu 18 the compile generates the following error:

/usr/local/apache2/build-1/libtool --silent --mode=compile gcc
-std=gnu99  -g -O2 -pthread      -DLINUX -D_REENTRANT -D_GNU_SOURCE    

Postfix, Amavis and DKIM body hashes

For quite some time, I have used OpenDKIM and lately dkimpy-milter to
sign messages entering Postfix via port 587:

# /etc/postfix/
submission inet n - n - - smtpd
-o smtpd_milters=unix:/run/dkimpy-milter/socket
-o content_filter=amavis:localhost:10124
amavis unix - - n - 2 smtp
-o smtp_send_xforward_command=yes

It turns out that messages containing German umlauts (or other symbols
causing Thunderbird to use "Content-Type: text/plain; charset=utf-8")
result in Google MXs reporting the following:

ARC-Authentication-Results: i=1;;

Warning mail to sender when sending to hotmail

Hi there

We have our servers IPs at OVH IP address-space and from time to time,
when we send emails to a small, particular set of very-well-known
domains owned by one very large corporation, there are periods where our
customer's emails go, by default, to the SPAM folder no-matter-what.
Under those periods I'm thinking of activating the sending of a
complimentary warning to the sender to let the recipient know they
should check the SPAM folder and brief guidelines to add them to the
list of safe senders.

What should be the best approach to accomplish this?



message_size_limit, queue_minfree, and mail spool not on root directory

My mail spool is not on my root directory:

data_directory = /mnt/xvdb/var/lib/postfix
mail_spool_directory = /mnt/xvdb/var/spool/mail
queue_directory = /mnt/xvdb/var/spool/postfix
virtual_mailbox_base = /mnt/xvdb/var/spool/mail

However, it seems that the capacity of my root mount has some bearing
on the evaluation of Postfix's message_size_limit and queue_minfree. I
am getting "insufficient system storage" errors despite having enough
space in /mnt/xvdb. I have much less space available on /.

I found some relevant functions in Postfix: fsspace() and

Question regarding DNSBL behaviour


I have a question regarding DNSBL usage with the smtpd_client_restrictions parameter.

I have a server configured to check SpamHaus:
. . .
smtpd_client_restrictions = reject_rbl_client[2..11],
. . .

This has been working very well, although I noticed the following error in my syslog:

Sep 7 16:13:08 server postfix/smtpd[28363]: warning: RBL lookup error: Host or domain name not found.

Qualys Full Standard Community Scan, Requires Login not qualys SSL Labs quick scan, Causes 100% CPU - 2.4.37 & 2.4.38 w/openssl_1.1.1a and 2.4.41 w/openssl-1.1.1c

Our production Apache httpd 2.4.37 server running with OpenSSL 1.1.1a has been getting hit with Qualys scans like clockwork and every time our CPU goes to 100% and after more scans to 200% CPU. After reading the bug reports I upgraded to 2.4.38, which made no difference.

Modifying Headers Programmatically

I have an app that runs on frontend- and backend-servers. Customers login to the frontend-server and the same credentials are used for various apps available on the backend-servers. From within their session on the frontend-server, they select an app on the backend server, whereupon they automatically log into the backend-server app, using the same credentials. (Easy enough, so far).

For better security, I do not want to store username/password in the browser, but rather I'd like to store them on the frontend-server.

protect apache to stop work if logdir is missing


I need the web server to continue working if the user has deleted the
log directory.
I wrote a small patch. Are there any obvious errors in it that disrupt
the operation of the web server or lead to a memory / pointer leak?


Hello Postfix team,

Can you add support?

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

Can you add support for?

I add SC

Change smtps to submissions in

Hi there,

Currently IANA has assigned 465/tcp to urd and submissions and dropped support for smtps,
thus I suggest changing smtps to submissions in the default

I checked Linux Distributions I have access to:
- Arch Linux uses submissions
- Scientific Linux 7.6 uses smtps (alias)
- Ubuntu 16.04.6, 18.04.3 uses smtps,ssmtp (alias)
- Ubuntu 19.04 uses submissions and ssmtp,smtps (alias)


Can postfix/pipe run external programs under a random UID?


One of the arguments of pipe(8) is "user=", which instructs it to run an
external program under the specified user. For example, the following snippet will
run faxmail(1) under the user faxmail:
fax unix - n n - 1 pipe
flags= user=faxmail argv=/usr/bin/faxmail -d -n ${user}

Is it possible to have Postfix select a user at random from some list of
preallocated UIDs/usernames? (I'm looking for ways to isolate different
instances of the same command.)


tlsproxy failed / flooded log


Today I enabled smtp_tls_connection_reuse on some production server.
After approx.

issues with MTA's timestamp


I found that if a peer MTA's timestamp is too different from my end, the
messages may not be displayed.

For example, when you try to sign up to an Apache project's mailing list,
like this page:

The response message's (for the user to confirm) timestamp is 12 hours ahead
of me.

Thus some email servers won't display the response messages correctly
(or even no response messages appear in the inbox).

At least GMX's mail servers have this issue, and anyone
can test for it.

Can you give some suggestion?


username specification for email system


Is there a username specification for email systems?
It seems most special characters like ".", "-", "+", "_", "#", "$" are
permitted in the username part.
And even ... at domain dot com is right (like my sender account).
So I was confused.


I have been customizing all error pages in my Apache project. Everything
seemed to be ok until 403 Error (Forbidden) appeared. When you send a
special character through the URL (such as a blank space or an asterisk),
the custom error page is not loaded. If 403 error is caused by another
reason (not special chars) this error does not appear and the custom error
page is loaded correctly.

X-Forwarded-For and If directive

I am certain I'm missing something important about the <If> directive and the -ipmatch operator when used in conjunction with %{HTTP:X-Forwarded-For}.
Please permit me to illustrate the problem by way of example:
<If "%{HTTP:X-Forwarded-For} -ipmatch ''">
LogMessage "Got IP match [%{HTTP:X-Forwarded-For}]"
LogMessage "No IP match [%{HTTP:X-Forwarded-For}]"
produces the following log output:
[Wed Sep 04 17:57:03.611095 2019] [log_debug:info] [pid 11134] [client] No IP match []
Clearly X-Forwarded-For has the value '',

deal with google mailboxes


As a mailing list server, how does Postfix deal with Google's mailbox

For example, all mailboxes below are indeed the same one:

... at gmail dot com
user. ... at gmail dot com
username+ ... at gmail dot com
... at googlemail dot com

Can the list server know them and treat them as just one?


OWASP Apache 2.4 Security Cheatsheet Feedback

I am trying to create an Apache2 security cheatsheet for OWASP.

I am using a monolithic Apache2.conf file (purely for presentation
purposes) to show every single security config I can think of that can be

Any suggestions are welcome. I'm sure the document is missing things / has
errors currently.



Dan Ehrlich

Make postfix reject 8bit (non ASCII) 'mail from' address

Dear List

We use Postfix / Dovecot on our email platform.

Lately I have started seeing more and more emails being accepted by
postfix, but then rejected by the local delivery agent dovecot with:

500 5.5.2 Invalid command
syntax (in reply to MAIL FROM command)

Looking at the headers, I see that the envelope sender contains 8 bit
characters, AFAIK against the RFC. Example:

<Aloï ... at netfacilprovedor dot>

We use Postfix 3 but have NOT enabled SMTPUTF8 support.

maildir unread msg count: client vs. server


This isn't really a postfix specific issue, but I'm hoping someone here has the answer.

I'm trying to monitor per user unread msg count in a server side maildir based mail store.

I can see that the tmp/ and new/ dirs stay empty, so I tried to count unread emails with:

ls -1 /home/vmail/domain/user/.maildir/cur/ | grep ':2,$' | wc -l

Thus counting the number of filenames that end with :2, having no other flags appended.

However this is giving me a count that is less than the number of unread mail messages shown in the IMAP client (thunderbird).

Could anyone say why the server side

Problem with /etc/aliases

I have a problem with Postfix, which ignores the /etc/aliases file.

My postfix configuration file is

TLS Session tickets and PFS

The Recommended Mozilla SSL configuration has TLS session tickets
disabled; see the configuration for server-version=2.4.39 and config=intermediate.

The docs say:

TLS session tickets are enabled by default. Using them without
restarting the web server with an appropriate frequency (e.g.
