Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

different message_size_limit per smtpd


My goal is to allow different message size on MX and submission.
As message_size_limit is a cleanup option, this is my (non working) setup
based on <a href="" title=""></a>
message_size_limit = 5120000
# define a separate cleanup service
submission-cleanup unix n - - - 0 cleanup
-o syslog_name=postfix/submission
-o message_size_limit=40000000

# MX smtpd use default cleanup with size=5 MB
smtp inet n - - - - smtp

Postfix VRFY

Hi folks,

i have just installed postfix on Debian 10 and want to test "SMTP VRFY

i have noticed that postfix only probing a mail to vrfy the recipient.

Is there any another way as probing mail delivery?
at this point we use a custom script ( we want only "default-tools")

by reject_unverified_sender:
would it not be better to check sending server? like accept connection
on port 25 not whole sender? this way dont work with mailing list ( it
would but its produce many mail probing)

Kind regards
Philipp Ewald

Canonicals and SRS


Due to SPF restrictions I'm interested in SRS address rewriting. For
this purpose I'm using postsrsd (do you have any better solution?).

Survey about the Relevance of Open Source Research

Dear all,

I'm conducting a Survey about the Relevance of Open Source Research as part of my Bachelor’s dissertation in Computer Science at the University Of Brasília (Brazil) and I kindly ask you to participate in it.

The study aims at identifying, through a systematic literature mapping, works on the Software Engineering literature that are focused on the Open Source model, and latter conduct the present Survey with developers and researchers that are related to the Open Source Community.

milter_default_action=accept not honored

Running postfix-2.10.1-7.0.1 on a fully updated CentOS 7.7 box.

may we suggest ICANN not run that many new tlds?

in the coming future, everything is a TLD, the cat, the dog, the pig,
the rose, the coffee, the wine, the bike ...
that would be terrible for domain based validation.
we have already too many TLDs today.
may we suggest ICANN not open a new TLD anymore?


relay based on sender and destination


I have a mail server relaying for different domains and using a
transport map to deliver local domains.

Now I need the following:

* Mail from and to to be relayed through
* the rest of mails, to be deliver or relayed according to transport_maps

I have found the sender_dependent_relayhost_maps but with this I
can only check the sender but not the destination.

Any idea?

how to setup storage for two different MX in different locations


We plan to setup two postfix as MX servers.
One is in west location, such as CA state.
Another is in east location, such as NYC.

The question is, how to make storage shared by two MX servers?
The messages should be stored in one place, such as webmail/IMAP could
read all messages directly from this location.

Thanks for any suggestion.


Relay attempt questions

Below is a postmaster notification about a relay attempt.

Page display on default html page

I have created a default html site that is displayed when visitors typed
in a domain that I own, but for which I haven't yet created a website for.

As this default site has a domain name that is not the name that a
visitor typed in, I would like to disply that domain name on its index
page like

'You requested'

<a href="" title=""></a>

'but unfortunately it doesn't have a site page yet'

Can someone tell me how I can do something like this without java script?


Client host rejected


I try to run postfix, rspamd and dovecot.

ReverseProxy for UserDir

Dear All,

My self Ninad. I am novice user of apache httpd and linux.

I  have an intranet web server ( with UserDir configured on
it. I am able to access it with following urls without any issue from my
LAN network.

Here "a", "x.y", and "p_q" are users on server. |

Now there is another httpd server which is connected to the internet 
( and I want to reverse proxy only for userDir hosted on 
my intranet server (

Non-ASCII bytes in email header and similar

Looking for protocol expertise that some here might have …

I understand that email header content should contain 7-bit ASCII-only.
However, as an implementor of email software such as a milter, how do I
best deal with non-conforming input?

Say I receive a header line in my milter that isn’t ASCII-only, what is
the most sensible (standards-compatible?) decoding I should apply –
Latin1? UTF-8? What works best with real email traffic?

Please ignore if this is completely off-topic here. Thank you.

IP addresses in helo

Is it safe (or mostly safe) to simply block attempts to deliver mail with a helo that is only an IP address? (I am talking about only on postfix/stmpd and obviously not on postfix/submit or related).

I have about 50,000 NOQUEUE reject from "helo=<[]>" over the last week, for example. I see very few otherwise, and all are obviously spam with return addresses like <a href="mailto:account-security- ... at 091773 dot com">account-security- ... at 091773 dot com</a> or <a href="mailto: ... at 0904 dot ru"> ... at 0904 dot ru</a>.

Hiding Spamhaus key from replies


I currently use postscreen with postscreen_dbl_sites pointing to my
instance of With postscreen_dnsbl_reply_map I hide the
secret key from the server responses.

Now, I also have/had "reject_rbl_client" a part of my

Vague error message - SASL plain authentication failed:


Postfix is giving me a very unhelpful message of just "SASL plain authentication failed:".

So I'm clueless as to where to start troubleshooting.

Dovecot config is as follows (I have tried both tcp and socket, both return the same vague error) :

ssl = no
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
mode = 0660
user = postfix
group = postfix
inet_listener {
inet_listener {

postconf -n is below:

Postconf -n

alias_database =
alias_maps =
authorized_submit_users =

User unknown in virtual mailbox table problem

This is probably off-topic, but maybe slightly related. I can open a
support ticket with Gandi, but something's definitely amiss with their
support system these days, as I have two open tickets with them for
other things directly related to their service which have not yet even
been assigned numbers, so I thought I'd try here first.

I've re-initialized my Postfix setup. I can send mail, but probably
because of a DNS misconfiguration cannot receive anything.

My DNS records look like the following.

SCRAM-SHA-***(-PLUS) supports

Hello all,

Good news, Cyrus SASL now supports:
-> <a href="" title=""></a>
-> <a href="" title=""></a>

It is possible to add "compatibility" with?

I see on the github, a lot of informations about old unsecure passwords: CRAM-MD5 and DIGEST-MD5, please note that:
- CRAM-MD5: <a href="" title=""></a> CRAM-M

Trouble filtering incoming mail

Hi all,

I am having some trouble with filtering incoming mail. First, I do not
understand certain "access denied" actions. Second, I cannot get
filtering by sender domain to work correctly.

Relevant configuration snippets see below.


lots of connections that make no sense


I am wondering what is the purpose of connections like these:

postfix/smtpd[5147]: connect from unknown[]
postfix/smtpd[5147]: disconnect from unknown[] ehlo=1
auth=0/1 rset=1 quit=1 commands=3/4

I have lots of these in my logs, from different IP addresses.

What is the goal of these agents ? I mean, they don't try to do
anything. They don't try to deliver spam, they don't try to use my
postfix as relay.

Re: mime header check false positive

thankyou very much

it worked.


On 11/14/2019 12:56 PM, Rajesh M wrote:

mime header check false positive


i am trying to block bad mime attachments (bat com exe etc) at the smtp level itself.

i used this guide
<a href="" title=""></a>

/name=[^>]*\.(bat|com|exe|dll|vbs)/ REJECT

however the above rules scans the entire file name instead of just the file extension resulting in false positives, for example

.scr and .com present within filenames gets wrongly rejected

* name="strace.Scripting-with-the-xss.pdf.txt"
* filename="BOOKING.COM: Hotel 342802.PDF"

is there any working sample which somebody could share that blocks bad file attachments wit

apache dead pids

We are running apache in our environment with the version 2.4.27

apachectl -v
Server version: Apache/2.4.27 (Red Hat)
Server built: Jun 6 2018 13:30:38

over period of time I see httpd pids lying around holding memory and not
serving any more requests as I see no LISTEN attached to that pid.
ps -ef | grep httpd | wc -l
lsof -i | grep LISTEN | grep httpd
In this scenario I see 42 dead pids on one of our node,

<IfModule mpm_worker_module>
ServerLimit 100
StartServers 5
ThreadsPerChild 32
MinSpareThreads 160
MaxSpareThreads 320
MaxRequestWorkers 3200

Apache 2.4.41 checking env variable value

Hi Experts,

I want to check the value of an environment variable which is already set.

<Directory />
AllowOverride None
Require env XYZ == 'SUCCESS' || expr "%{REQUEST_URI} == '/xyz/register/register.rq'"

Here I want to check the variable is 'SUCCESS'. What is the correct syntax to check the value of the env variable.

Thanks in advance,


Postfix web interface for log analysis

Hi all,

Is there any web interface exists for postfix email log analysis? What I
need is to see all the logs through web interface, see the reports of
rejection, deferred, bounces, success etc. w.r.t. datetime and/or domain
filter etc.

Thanks in advance for your guidance.

Remove Apache 2.4


I need to remove version 2.4 from my laptop as it is going to my daughter,
factory reset is not a possibility. I plan on reinstalling on my new laptop
when I get it.

I've read everything I can find on Google searches show how to
uninstall via application uninstalling which Apache doesn't have.

I would be very grateful for any assistance you can provide.

Thank you and good day.

ldap and smtp relay domains

Hi folks, i have a postfix server which can relay some messages with ldap
integration in transport_maps.
It works well.

Now I have another feature to accomplish.

I wanted to keep this working for a specific domain but
I wanted now for another domain not relay it by ldap only with smtp.

How can I do this?

Many thanks.

Making Postfix know and use UNIX UIDs of local processes sending mail to localhost:25

Dear Postfix users,

I'm trying to set up email sending from local users on a shared
webhosting server. There are hundreds of different domains, each having
unique UNIX UID and they need smtp service directly available on
localhost:25, without any credentials checking. At the same time, I need
the service to permit/defer/deny an email and log all actions based on
the UID and its current reputation.

To achieve this, I'd like to set up Postfix+Linux -based outgoing mail
server, possibly with some helper daemon.

disable proxymap


I would like to simplify my postfix setup, and disable
components/services which I don't actually need.

I am not using chroot, and I don't need to "consolidate mysql
connections". So I believe, I don't really need proxymap.

I tried disabling the service by commenting out the lines in

but that alone did not work, I got this error:

warning: connect #1 to subsystem private/proxymap: Connection refused

I noticed that the default local_recipient_maps references proxy.

postscreen with IP-ranges?


I'm using postscreen on a mailserver.

Unfortunately, this does not work with some bigger mail providers, since
they send the mail from a random host in their mail-server-cluster, so
postscreen sees a new IP for each retry, and so sometimes never accepts
the mail.

Is there a way around this?
Is it possible to e.g. match against x.x.x.x/24 instead of the exact IP?


Sender verification for username@hostname style addresses

Hi all,

We have a setup where we have a relay server which in turn sends all
received mails through to another relay server (from a known anti-spam
vendor). We use Postfix 3.4.5 on Debian 10.

The important parts about our setup:

smtpd_sender_restrictions = reject_unknown_sender_domain
reject_unverified_sender permit_mynetworks
relayhost = []:587

Since has a very strict sender verification
process we want to reject the same mails. Hence we enabled

postfix startup sequence


I am trying to understand the postfix startup sequence.

I am using postfix 3.4.5 on Debian.

/etc/init.d/postfix, the init script that is used to start postfix does
not start master directly, but calls:

/usr/sbin/postfix quiet-quick-start

which in turn calls postfix-script.

reject mail if dns and rdns differ

Hello all!

Received: from ( [])

I would like to reject incoming email if dns- and rdns-entries differ.
Does this make sense and how could I achieve this?

Kind regards


build in EDH parameters

Hello Developers,

postfix comes - like many other software - with build in DH Parameter (file: src/tls/tls_dh.c)
The documentation also suggest one may want to generate own DH parameters. (<a href="" title=""></a>)

Is that still the best solution? RFC 7919 (<a href="" title=""></a>) offer a "Supported Groups Registry"


smtpd_tls_chain_files and EC PARAMETERS

Hi all,

As reported on 2019-11-08 on IRC, I have issues with ECC certificates in
smtpd_tls_chain_files, which don't happen with the older
smtpd_tls_eccert_file and smtpd_tls_eckey_file.

I use [0] to renew my certificates from let's encrypt: crontab extract:
@weekly /usr/local/sbin/ --renew --dns dns_ovh -d mail.domain.tld --keylength ec-256 --cert-file /usr/local/etc/ssl/mail.domain.tld/ecc.crt --key-file /usr/local/etc/ssl/mail.domain.tld/ecc.key --ca-file /usr/local/etc/ssl/mail.domain.tld/ --fullchain-file /usr/local/etc/ssl/mail.domain.tld/ecc.fullchain.cer

git push to apache produces return code 22


I'm trying to run git on FreeBSD with Apache 2.4 as the web server. My
issue is I can pull/clone from the repo via remote:

git clone <a href="" title=""></a>

This works fine.

Conditional LoadModule

Hi all,

I am attempting to conditionally load a module based on a previously set variable (which is, incidentally, contained in another file and included at the beginning of httpd.conf):

* spec_includes.conf

* httpd.conf
Include conf/spec_includes.conf
<If "${ENABLELDAP} == 1">
LoadModule authnz_sspi_module modules/

However this does not seem to be working, the module always ends up being loaded.
The value is correctly initialized (httpd.exe -S) :

Define: E

Problems with header checks


I’m using Debian 10 with postfix 3.4.5.

Trying to solve the problem with non-Re subjects I have found a regex for
header checks.

So I have a „/etc/postfix/header_check.pcre” with:
/eSubject:\s*((RE|AW|Aw|Antw|Antwort|RES|SV):\s*)+(.*)$/ REPLACE Subject: Re: $3

header_checks = pcre:/etc/postfix/header_check.pcre

Now I have noticed that this isn’t always working. Postfix logs if the
rule is getting used.

qname-minimization-and-privacy breaks dnsbl in postfix

can other confirm it ?

_ is not an ip

Nonprofit seeks advanced assistance with proxypass and rewrites


Our nonprofit works with people who lack Internet access in developing countries and U.S. prisons. We have created an offline solution that contains snapshots of over 3,600 Web sites on a 8TB hard drive that, when attached to their local area network, looks and acts just like the Internet. This solution has been adopted by over 2,000 universities, hospitals, prisons, and libraries around the world that serve millions of users.

<a href="" title=""></a>

The core of this innovation has been Apache.

Postfix with DKIM for a mail relay

Dear, my domain is "".

My cooperative mail server is an Exchange which does not implement DKIM at

But also I have a Postfix mail relay for the "" domain.

Is it possible to implement DKIM only in my Postfix server for all the
outgoing mails ??? Or doing this I affect the outgoing mails
from my Exchange server because it sends mails withouth DKIM
mechanism ???

Thanks a lot !!!


Disabling TLS 1.0/1.1, is it advisable?

Apple, Google, Microsoft, and Mozilla have all announced that they will
be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.
Similarly, SSL Labs has announced that they will be downgrading web
server scores to a maximum of B, starting in January 2020, if that
webserver supports TLS 1.0/1.1.

Now, I know that what is good for web servers/browsers, isn't
necessarily the same for SMTP servers.

redirect HOLD queue to alternate MTA??

Hello Everyone:
      I am using OpenDKIM/OpenDMARC as some sort of anti spam. The
OpenDMARC could handle DMARC p=none or p=reject without any problem. But
if p=quarantine,OpenDMARC just let the incoming mail goes to Postfix
HOLD queue. Is it possible to let Postfix redirect incoming mail
alternate MTA when it got smfir_quarantine by milter??

Re: [users@httpd] Apache 2.4.41 checking env variable error

You can try like below,

SetEnvIf %{XYZ} "SUCCESS" xyz_env

Require env xyz_env


Apache 2.4.41 checking env variable error

Hi Apache experts,

We are in the process of upgrading apache for linux from 2.2 to 2.4.41.
We have a SSLRequire access control directive in the httpd configuration file as below
<Directory />
Options FollowSymLinks
AllowOverride None
SSLRequire %{XYZ} == "SUCCESS" || %{REQUEST_URI} == "/xyz/register/register.rq"

The above works fine with 2.2.

issues downloading zip files


I'm throwing this out there hoping someone can help me. I've got a
friend who has some zip files he periodically puts on his server to
download, monthly. Last month and this month some users including
myself had issues downloading them. For me the problem came at
approximately 64% of the file it timed out. This happened with both
IE, chrome on a desktop, and Android browser on Oreo.

I don't have any more details on there setup, does anyone have an idea
as to what might be going on?

How to convert mod_jk to mod_proxy_ajp on CentOS?

I had a CentOS 7.7 with Tomcat 8.5.9 and mod_jk working fine, but after updating to the latest Cpanel, which required installing EasyApache 4, mod_jk no longer works (appears it is not compatible with EasyApache 4).

I believe my next best option (correct me if wrong) is installing mod_proxy_ajp. Can someone summarize what I need to do to get mod_proxy_ajp installed and working in place of mod_jk?

I'm a newbie, so please be explicit.

Warning on Connection time

<a href="" title=""></a> reported a six second connection
time, with total transaction time of nearly 9 seconds, so I dug into the

5XX vs 4XX

I have a few email addresses that were valid 15 years ago, but they have
been invalid for 5+ years, we are rejecting them with a 450 message, my
thought is "Let's tie up this spammer's computer just a little bit"

Good idea? Bad idea? Effective? Ineffective?

Dictionary attacks

What is the best way to protect against dictionary attacks in Postfix?

Exim has a rcpt_fail_count variable I use to drop connections with the
  drop  condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
    log_message    = Dictionary Attack Rejected (Began blocking after
$rcpt_fail_count recipients failed). Ratelimit incremented.
    ratelimit      = 0 / 2h / strict / per_conn
    message        = Number of failed recipients exceeded.  Come back
in a few hours.

I am switching from Exim to Postfix and looking for a mechanism to block
these attacks.

Re: Cannot sign with DKIM on same-server web and mail

To have DKIM applied to messages posted via pickup, you have to include DKIM milter in non_smtpd_milters= . This parameter applies to messages posted via pickup, while smtpd_milters= applies to messages posted via SMTP client.

But if you do that and run spamassassin as content filter, every message will be signed twice. That's why you have to run spamassassin as milter as well.

What am I missing? DNSBL on submission port?


I _know_ I am overlooking something, and I need a clue-bat.

I use postscreen on the SMTP (25) port and smptd on the submission
port; the latter requires authentication via dovecot.

dual stack rbl

how will postfix handle connections if recipient domains see ip in rbl
blacklist, will it be trying agin until all ips on recipient domain is
tryed ?

does it make sense ?

will first reject just win on dual stack ipv4 / ipv6 hostname ?

i ask this since i like to know what to do with that problem, if at all

Cannot sign with DKIM on same-server web and mail

I've looked online for solutions to this problem (including postfix and
sendmail documentation) but with no luck so far.

I've been running a Postfix mail server for several years (currently Linux
Mint 18.1 (Ubuntu 16.4) with postfix 3.1.0) and implemented SPF, DKIM and
DMARC a few years ago. All works well for about two dozen domains.

I also have a Windows web server which sends out mail from web forms via the
mail server (using a local mail sender client) to the domains hosted on the
mail server through port 25.

Postfix ignores smtpd_tls_security_level = encrypt ?


I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
so I've set smtpd_tls_security_level = encrypt in However, Postfix
still allows sending mails withouth encryption.

Do the permit_mynetworks settings in smtpd_relay_restrictions and
smtpd_recipient_restrictions have an effect on the enforcement of TLS
encryption? Are hosts in mynetworks exempt from the smtpd_tls_security_level =
encrypt setting?

Thx and best regards

Avoidance of duplicate mails reg


We have migrated to a new domain We also continue to receive
mails on old domain

When a sender sends a mail to <a href="mailto: ... at xxx dot com"> ... at xxx dot com</a> (old domain), mail is
received and delivered to user abcd. Abcd when he replies to all (his
from email address will be <a href="mailto: ... at yyy dot com"> ... at yyy dot com</a> [new domain], and hence, mail
is also sent to <a href="mailto: ... at xxx dot com"> ... at xxx dot com</a> [old domain]. So, the sent mail is also
received back to the same sender.

When the actual recipient receives the mail, he will have <a href="mailto: ... at xxx dot com"> ... at xxx dot com</a>
and <a href="mailto: ... at yyy dot com"> ... at yyy dot com</a> in the address list.

Syndicate content