Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

Configuration Syntax

I tried to implement RBL and postfwd. I placed everything in

smtpd_recipient_restrictions =
check_policy_service inet:

That worked, but it affected both the smtp and submission ports. I expected that, but it made it easier to test. However, I then needed to make the submission port work properly.

Returning an Error Response

When using virtual domains, is there a way to return a temp fail message for a specific user in a domain? I am not finding anything about that in the documentation.

Root certificate in `/etc/ssl/certs` not found

Dear Postfix users,

First I am sorry, for probably bringing up a topic, which has probably
discussed to end on this list, like [1], and in the end was probably a
user error. I’ll try to provide the information requested in [1]. Thank
you for your patience and help in advance.

The goal is to set up secure server certificate verification [2] for
messages sent to the domain [3].

How to fall back from `dane-only` to `secure`?

Dear Postfix folks,

There are several SMTP servers, where messages should only be sent over
a secure channel. But, the postmasters have set up the servers
differently. Some use CAs to sign their certificates and some DANE with
self-signed certificates.

To avoid maintaining two TLS policies, one where for
`smtp_tls_security_level` the value `secure` is specified, and another
with `dane-only` [1], and keeping an eye out, when SMTP switch to or
from DANE, is there a way to maintain one list?

something like smtp-limiter plugin for ISPConfig

Hi people,
I am looking for some plugin which is similar to smtp-limiter which is for
DirectAdmin. It would be nice if there would be any. If not, is there any
similar plugin which can be manage by the linux console?

don't use ADH in server-to-server


I have a setup where a MTA will forward mail to another node, based on
ldap configuration.
It works well, but it uses ADH

Received: from (unknown [])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by (Postfix) with ESMTPS id A96DF6C07D
for < ... at geekwu dot org>; Thu, 6 Jul 2017 01:52:53 +0200 (CEST)

I know I should not disable ADH on public interface, but I'd like to
prevent it on "private" interface (intra-cluster only), as "cluster"
nodes does communicate over Internet.


Apache configuration for multi-domain, multi-group access

This is a simplified Apache configuration that is intended to provide access to Subversion, for users that are members of either of two different ldap groups in two different domains: SVN_Group1 in Domain1 or SVN_Group2 in Domain2.

is there a RFC which suggests that the helo name should be DNS resolvable


is there a RFC or similar which suggests/requires that the helo name
should be DNS resolvable?



Service currently unavailable


i have the problem that all mails hang by postscreen. I think I be not
sure. I can not find a mistake in configuration. But local and from
outside hang all mails in postscreen and goes not through.

linker dependencies when making static build


I wonder if I'm building postfix wrong, but since it is configured to
build with gcc
and the mysql c connector seems to contain c++ code it finally fails to
link due to
lack of new and delete operators and some pthread stuff.
If I add -lstdc++ in the cmdline and -lpthread in the makedefs, it'll
link just fine.

make makefiles OPT='-static' 'CCARGS=-DHAS_MYSQL
'AUXLIBS_MYSQL=-L/data/libs/mysql_connector_install/lib/ -lmysqlclient
-lz -lm -lstdc++'

Maybe the above method is not the proper way of building postfix


Timeouts when submitting mail

We've set up two servers (ssd raid/64GB/fast dual cpu) with postmulti to
deliver the mail for our newsletter service (legitimate mail). Both servers
have 12 postfix instances running. Mails is injected from php scripts
running at a different server.

Lately we're seeing timeouts from the php scripts at busy moments. I've been
trying to debug this, but can't find the issue.


Is there a way to limit the amount of RAM being used without reducing
the number of servers/processes? Or is apache designed to just take as
must memory as it can and hold on to it?

Override global @catch-all alias

I have a global alias pointing to <a href="mailto: ... at example dot com"> ... at example dot com</a>, which
works fine, but when I add a real user, like <a href="mailto: ... at example dot com"> ... at example dot com</a>, the global
alias overrides the real entry in virtual_mailbox_maps (mysql). If I
remove the global alias from virtual_alias_maps then the
"real" mailbox entry in virtual_mailbox_maps works as expected.

Apache on Mac Sierra 10.12.5

I followed this guide to install apache on Sierra 10.12.5:

<a href="" title=""></a> <>

And it worked locally for a while logged in using the same Mac user.

The only problem is I need this for dynamic dns and to have external global access.

Problem translating domain to UTF8 form


I'm using a fresh install of Postfix 3.2.2 and am seeing strange
warning messages in the log when mail bounces:

Jul 1 19:15:16 mail postfix/bounce[88353]: warning: midna_domain_to_utf8_create: Problem translating domain "" to UTF8 form: U_FILE_ACCESS_ERROR
Jul 1 19:15:16 mail postfix/bounce[88353]: warning: [built-in]:
conversion "myhostname" failed: input value: ""

Here's the output of postconf -Mf and postconf -n:

<a href="" title=""></a>

I've been using this same configuration for over a year, and
this problem appears to have app

Re: [users@httpd] Trouble using JEE IDE with apache tomcat on Macseseees saaswe

On my Mac 10.11.3 I've installed the Eclipse JEE IDE (Version: Neon.3
Release (4.6.3))
I also installed apache-tomcat 9 on my Mac, using the following commands :

sudo mkdir -p /usr/local
sudo mv ~/Downloads/apache-tomcat-9.0.0.M21 /usr/local
sudo rm-f /Library/Tomcat
sudo ln -s /usr/local/apache-tomcat-9.0.0.M21/ /Library/Tomcat
sudo chown -R roparzhhemon /Library/Tomcat
sudo chmod +x /Library/Tomcat/bin/*.sh

When I try "Run as server" on a minimal html file in JEE, I get the
error message :

Could not load the Tomcat server configuration at /Servers/Tomcat v9.0
at localhost


After installing the latest postfix I thought I’d look into postfwd.

1) is this the right place to ask about this package?

2) Is this package generally recommended or not?

3) It appears to me postfwd does largely what post screen would already do. Is that correct or am I missing something?

Mail Forwarding

I thought I had everything working, but something broke. What I need to do is to accept mail for local delivery for several users on a couple domains ( and one other) and relay mail for a number of users on domain ( to a variety of different locations. Each user could be on a different server. My tests seemed to work, but when adding in the full tables, it broke.

RAM output in server-status?

Apache 2.2.15

We have ExtendedStatus on

We have to toggle to “top” to try and catch RAM per httpd process. Is there some way to output RAM per process in server-status output?


Errors starting apachectl after installing 2.4.26

Good Afternoon,

I am new to Apache 2.4.x and needed some help with the error received when starting after successful configure/make/make install of Apache 2.4.26.
I have Apache 2.2.31 working for years now, trying to update to 2.4.x now. We are running this on AIX 5.3.

OT: Help implementing an alias with external addresses (LDAP)

Hi all,

I manage a postfix server for our company with only one mail domain All mailUser's are on a LDAP database as are mailGroup's,
transport tables, etc.

Where in the docs is the topic of check_*_access and unverified PTR/A DNS records covered?


I've read over several threads here in the mailing list archives and
have found authoritative answers from Viktor and Wietse re how Postfix
treats unverified PTR/A DNS records in relation to check_*_access
checks, but I believe I am overlooking where this is explicitly covered
in the documentation.


Trouble using JEE IDE with apache tomcat on Mac

On my Mac 10.11.3 I've installed the Eclipse JEE IDE (Version: Neon.3
Release (4.6.3))
I also installed apache-tomcat 9 on my Mac, using the following commands :

sudo mkdir -p /usr/local
sudo mv ~/Downloads/apache-tomcat-9.0.0.M21 /usr/local
sudo rm-f /Library/Tomcat
sudo ln -s /usr/local/apache-tomcat-9.0.0.M21/ /Library/Tomcat
sudo chown -R roparzhhemon /Library/Tomcat
sudo chmod +x /Library/Tomcat/bin/*.sh

When I try "Run as server" on a minimal html file in JEE, I get the following
error message :

Could not load the Tomcat server configuration at /Servers/Tomcat v9.0 Sever
at localhos

ownCloud / PHP-FPM problem after upgrade to 2.4.26

Hi all,

I've got a problem after upgrading to 2.4.26. Everything works fine
except my ownCloud instance.
I compile httpd by myself and used the exact same method for 2.4.26 as I
used for 2.4.25, where everything worked as expected. I noticed, that in
the current apr-util, theres no expat bundled anymore and manually
compiled it and expanded my configure to "--with-expat=...". Thats the
only difference to my working 2.4.25 compilation.

Now the problem:

ownCloud uses ocs as API to do different things. One is maintaining the
folder shares.

redirect vs. rewrite

I'm using apache 2.4. What is the difference between these lines?

Redirect permanent / <a href="" title=""></a>
RewriteRule ^/?(.*)$1 [R,L]

They both redirect.


Finding lost e-mails collected during misconfiguration.


Glad to be back here again. I migrated my server to a Raspberry PI and
away from my aging EeePC netbook that was running Ubuntu Server. I am
virtual hosting email across a few domains I own using MariaDB to store
the virtual aliases and virtual user's information. Ultimately, e-mail
is read within Squirrelmail.

I have to admit, it took a risky path towards configuring (I blindly
copied the configuration files for Dovecot/Postfix from the old machine).
Both packages on Raspbian were a downgrade to a lower version number. It
didn't work.

Access control by root CA of the client certificate


In our reverse proxy, we have a virtual host serving
​more than one Location.

Both locations require client cert
​ SSLCACertificateFile includes all root CAs trusted by both locations.

in Location2 I would like to allow access only to
​certificates where
the chain is:

​ \_
​ \_​
ROOT_CA (issuer's
​ <-- can I access this with SSLRequire?​


​is ​
there a way to
​control access by the root CA that is on top of the chain?

I tried SSLRequire but it seems I can't access the root cert, only the

Ownership question: version 3.2.2

I just upgraded postfix from 3.1.2 to 3.2.2.

rpmbuild of httpd-2.4.26 on CentOS 7


I tried "rpmbuild -tb --clean httpd-2.4.26.tar.bz2" but rpmbuild failed
with error telling " was compiled but not included in
the package".

The error seems the one I met in the case of httpd-2.4.25.

I modified spec file to add the line
"%{_libdir}/httpd/modules/" and then tried "rpmbuild
-bb --clean rpmbuild/SPECS/httpd.spec".

Limit the damage of a hacked sender acount

I had a couple of accounts with too simple passwords hacked. And obviously
my mail server is entirely too efficient - I think about 50k spams got
blasted out before I caught it (because we got in the DNSBL's).

Separate from improving the password security - what can I do to limit the
damage a compromised account can cause? Without receiving user complaints
about not being able to send the latest cute kitty pictures to their whole

Are there per-sender limits that can/should be applied?

phishing / spoofing question with 404

My apologies for posting this question if it has already been hashed out
before. I figured I should post this question here then just an arbitrary
bug report.

My question relates to a recent penetration test that reported a content
spoofing finding against that the root cause was simply the Apache default
404 response code. This appears to just be the generic nature of the 404
message that it returns the response of what the user input was and while
there is quite a bit from OWASP on the content spoofing topic I wasnt sure
if this is truly a bug or up for interpretation.

Problems building httpd-2.4.26 with apr-1.6.2 and apr-util-1.6.0


first post to this lists. Please be friendly :-)

For some years now I have been building httpd-2.4.x with apr and apr-util
the same way without problems:

- unload httpd archive
- unload apr-xxx into HTTPD/scrlib and rename to apr
- unload apr-util-yyy into HTTPD/srclib and rename to apr-util
- ./configure
- make
- be happy

This works fine up to httpd-2.4.26+apr-1.5.2+apr-util-1.5.4.

No I discovered that there are new apr versions available. So I tried the
above procedure with apr-1.6.2 and apr-util-1.6.0 (maybe a mistake to try
something.0 :-).

SMTP session failure: 501 5.1.7 - how to solve it ?

Dear Colleagues,

I have a problem with my Postfix/Mailman configuration.

Message not retransmitted immediately after opportunistic TLS handshake failure

Hi all,

In one of my tests I'm configuring Postfix client (smtp) to use opportunistic TLS with TLSv1.2 protocol only and the next MTA (server side) to use opportunistic TLS with TLSv1.1 only,
to see the behaviour of Postfix after a failed handshake.
As expected the TLS handshake fails, but Postfix moves the message to deferred queue rather than retrying immediately in plaintext.

What is the reason of the timeout between the incoming_arrival and active_arrival (var_min_backoff_time) of a message, before the message is allowed to be immediately retransmitted?

Many thanks,

Nik Kostaras


sender_dependent_default_transport_maps ignored ?


I have a fairly (at least to me) complex mail system based on postfix
2.11.2 where our users entering e-mails are forwarded to amavis to be
DKIM signed then forwarded back to postfix for the final delivery.

Lately, I wanted to have mails sent from ` ... at asmodee dot net` to
be relayed by our ESP, so I added the following

/etc/postfix/sender_transport_maps: sendgrid:[]:587

Unfortunately this is not applied.

Here are the important bits of my config:
# incoming from Amavis DKIM signature proce

determine transport based on sender and receiver

I try to get a setup like to following ready:

1. I have multiple ip postfix should be able to send mails to other MTA
2. I setup different transport in each with a smtp_bind_address corresponding to a single ip
so far, so good! that setup already works

But now I need to handle slow ISPs like yahoo etc.

reload specific vhost configuration

Hi everyone,

I was wondering, how hard would it be for apache to be able to reload one specific vhost configuration file ?
I'm not a developer, but I would like to have your point of view about this subject.

I know, it's possible to configure dynamic vhost , using specific pattern in the vhost configuration .

How mpm_workers work

Hi all,

In my configuration for mpm_worker, I set following datas

Case 1)

StartServer 3
ThreadPerChild 25
MinSpareThreads 75

In this case, when I start apache I found 5 servers start.

Case 2)

StartServer 6
ThreadPerChild 25
MinSpareThreads 150

In this case, when I start apache I found 8 servers start.

Case 3)

StartServer 1
ThreadPerChild 25
MinSpareThreads 25

In this case, when I start apache I found 3 servers start.

My Query is why two extra server is starting.
Can I change serverlimit?


Mod_ Backtrace in apache-2.4.25


Can mod_backtrace is available to support apache-2.4.25. I want to support
it on HPE Non-stop.
If no then order module which can work as backtrace.


Apache 2.4 and letsencrypt challenge setup issue?


I'm trying to get letsencrypt certificates working with
security/acme-client on FreeBSD 10.3, which I like much better than
the python certbot client.

That being said I'm having a problem where authentication is failing,
account keys are created, and from the output below it looks like the
tokens are being successfully generated, not retrieved.

htaccess help

Good Evening,
I'm trying to create a rule with the following scenario ...

Mail delivery failed : returning message to sender

This message was created automatically by mail delivery software at Junk Email Filter.

The message from "Wietse Venema [Masked]" <> is being returned by server on Tue, 20 Jun 2017 16:22:06 -0700

A message that you sent could not be delivered to all of its recipients.

NOTE: And this is important - Junk Email Filter is a front end spam filtering service. We accept email for our customers, filter it, and pass the good email on.

propagate_unmatched_extensions broken with virtual aliases in postfix 3.2?


there seems to be a regression after upgrading from postfix 3.1.4 to 3.2.2 on arch linux. I'm using virtual aliases with

recipient_delimiter = .
propagate_unmatched_extensions = canonical, virtual

For a given virtual mapping

<a href="mailto: ... at example dot tld"> ... at example dot tld</a> => <a href="mailto: ... at domain dot tld"> ... at domain dot tld</a>

postfix 3.1 will map <a href="mailto:foobar. ... at example dot tld">foobar. ... at example dot tld</a> to <a href="mailto:user. ... at domain dot tld">user. ... at domain dot tld</a>.

operations error using ldap for MTA

Setting up a Postfix MTA to use ldap and I am getting an error when testing:

The command and the results:

postmap -vq "EMAILADDRESS" ldap:/etc/postfix/

postmap: name_mask: all

postmap: inet_addr_local: configured 2 IPv4 addresses

postmap: inet_addr_local: configured 2 IPv6 addresses

postmap: dict_ldap_open: Using LDAP source /etc/postfix/

postmap: cfg_get_str: /etc/postfix/ server_host = LDAP

postmap: cfg_get_int: /etc/postfix/ server_port = 389

postmap: cfg_get_int: /etc/postfix/ version =

forensic logs with virtual hosts

Is there some global way to utilize mod_log_forensic with virtual hosts without having to add “ForensicLog logfilepathname” to every virtual host config?

CVE-2017-7679: mod_mime buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.

2.2.x users should either apply the patch available at
<a href="" title=""></a>
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

The Apache HTTP Server security team would like to thank ChenQin and
Hanno Böck for reporting

CVE-2017-7668: ap_find_token buffer overread

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.32
httpd 2.4.24 (unreleased)
httpd 2.4.25

The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string.

CVE-2017-3169: mod_ssl null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.

2.2.x users should either apply the patch available at
<a href="" title=""></a>
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

The Apache HTTP Server security team would like to thank Vasil

CVE-2017-3167: ap_get_basic_auth_pw authentication bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.2.0 to 2.2.32
httpd 2.4.0 to 2.4.25

Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being

2.2.x users should either apply the patch available at
<a href="" title=""></a>
or upgrade in the future to 2.2.33, which is currently unreleased.

2.4.x users should upgrade to 2.4.26.

Third-party module writers SHOULD use ap_get_basic_auth_comp

check_forensic script on Red Hat?

Does check_forensic still exist?

I am not finding it.

CVE-2017-7659: mod_http2 null pointer dereference

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
httpd 2.4.24 (unreleased)
httpd 2.4.25

A maliciously constructed HTTP/2 request could cause mod_http2 to
dereference a NULL pointer and crash the server process.

2.4.25 users of mod_http2 should upgrade to 2.4.26.

The Apache HTTP Server security team would like to thank Robert Święcki
for reporting this issue.

<a href="" title=""></a>

Apache HTTP Server 2.4.26 Released

Apache HTTP Server 2.4.26 Released

June 19, 2017

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.26 of the Apache
HTTP Server ("Apache"). This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases.

apache2 mod_rewrite memleak


We detect memleak in apache2 with mod_rewrite

steps for repeat:

create directory structure
└── categories
└── test
└── .htaccess

cat ./categories/.htaccess

RewriteEngine On
RewriteBase /categories/
RewriteRule "^(.*)\ (.*)$" "$1-$2" [R=301,N,QSA]

after it sent request to apache
curl -H "Host:"
<a href="" title=""></a>

apache eating all memory and we got this in strace output
{st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0

AllowOverride - Mis-behaving Default


According to the documentation[1], the default for `AllowOverride` is
`None`, and when `AllowOverride` is set to `None`, .htaccess files are
not read at all.

When I set `AllowOverride` to `None` explicitly, I find that is the
behaviour I see, but when I don't specify it at all, the .htaccess file
is still read and I receive a ".htaccess: [...] not allowed here" error.

Fix check for file descriptor passing

On a musl-based system, postfix incorrectly assumes that file descriptor
passing is not available, because of this line in sys_defs.h:

It builds fine, but when used with a milter or the postscreen daemon, it
will fail at runtime with this error:

See also [1] and [2].

[1] - <a href="" title=""></a>

Mod_proxy_http2 - got a 503

Hello all

We are trying to use the mod_proxy_http2 of httpd.

New 2.4 configuration, need sanity and security check


I'm doing a config rewrite. I'm using apache 2.4. If someone who does
security could give my setup a check from a security perspective i'd
appreciate it.

I'm also wondering in particular about my cache setup and virtual

Syndicate content