Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Webmin and DKIM

Good day everyone. Quick question and please forgive me if this is
redundant. I have a Postfix server running on CentOS7 and I use Webmin to
manage it. Is there a way for me to set up and configure DKIM using Webmin?
I have been searching Google and the only thing I could find was something
back from 2009 which says that it was not possible. Ten years later.. I'm
hoping that it is. Can someone please let me know if this is possible and
perhaps point me at the instructions? Thanks in advance.

postfix not resolving mDNS lookups (make it work in a LAN-without-internet)



Few days ago I thought it would be a great idea to send emails to others
in the same LAN (each participant having their own postfix server) and
without reaching Internet. Applications of this is: a dynamic during a
conference, a workshop, emergency situation (where Internet or
centralized server in the LAN is not working), etc.

In my first attempt I thought mDNS [1] is very fine for this, to make it
work in debian you have to install avahi-daemon [2].

Adding DKIM and DMARC

When adding DMARC and DKIM do I only need to add it to the domain that is hosting the mail server (MX)?

For example, if is defined as the MX for and, do I need to add the DMARC/DKIM records to’s DNS as well?

Segmentation fault in xsasl_dovecot_server.c

Dear List

while implementing the Dovecot SASL protocol in a custom server I
noticed that the `smtpd` process crashes with a segmentation fault if a
specific protocol error occurs.

To reproduce I downloaded Postfix 3.4.6 and compiled it with:

make makefiles CCARGS='-DUSE_SASL_AUTH \

After `make install` I added the following configuration options to

smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:localhost:2525
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain

and enabled `submi

ldap lookups timing out?

I am seeing a lot of Temporary lookup failure errors in the maillog. At first I thought it was an issue related to reverse DNS lookups as each of the sending servers had no reverse record in DNS (this is an internal only relay).
But when I added verbose logging, it appears to be related to LDAP lookups.

Most commonly, I get these errors:

warning: dict_ldap_connect: Unable to bind to server ldap:....

But also receive these:

maps_find: relay_recipient_maps: ... at mydomain dot com: search aborted

I can't find an exact solution for this in my searches.

server configuration error with non-ASCII records in passwd


I have upgraded debian 8 (postfix 2.11) to debian 9 (postfix 3.1) on a

Now, whenever user who has utf-8 character in /etc/passwd as part of their
username, has to receive mail, postfix outputs:

451 4.3.5 Server configuration error

there are many users who have utf-8 characters in their fullnames there.

changing smtputf8_autodetect_classes to all didn't seem to help.

What to configure (and how) to avoid this error?

I have LANG variable set to "C" because other values tend to change sorting

postfix with JMAP


will postfix get JMAP compatible in future?
see:


Default connection limiting?

I have group of user behind single WAN using my Postfix submission
service. Sometimes they can't connect but I don't know why. I thought
its cause that Postfix has default connection maximum from single IP
source, is this true?

* What is error/fail message in logs which I could find to verify I have
that problem?

* What is relevant postconf setting I will have read more about?

Thank you!

Sorry for non-list post

They just send to UDP 53 and quit. What I want to do is deny the packet
in my router, but always allow the important IP(s).

email not accepted

Mindspring/earthlink isn't accepting email from at least 2 Postfix
configs on Linux. It's worked well in the past, but quit working a few
days ago.

The log says their server timed out waiting for data after responding to
HELO. Traceroute shows a routing loop at their network.

I tried from a friend's place, and it went through. He uses Qmail on a
BSD. When he tried by hand with telnet. He got all the way through, and
the server accepted the mail for delivery, then said it'd timed out.

I wrote an expect script expecting 250s in the right places.

postfix with AWS S3


Does postfix have a plugin who can be integrated with AWS's S3 as object
storage? Coz for a large email service, the local disks are too limited.

thanks & regards,

What's with all the "l*.it" connections?


Kinda OT - as long as I didn't screw something up!

I'm just about ready to pull the trigger on moving our old Communigate mail system to a new, self-installed Postfix system.

It's been running in test for just a couple of users for a few weeks now and looks really good!

I got postscreen set up out in front. It's been doing its thing. LOTS of bad connections rejected.

I'm curious about one group though.

build failure with glibc-2.30

glibc-2.30 removed RES_INSECURE1, RES_INSECURE2 and RES_USE_INET6
symbols[1] resulting in:

dns_str_resflags.c:55:13: warning: RES_AAONLY is deprecated
| ^~~~~~~~~~~~~~~~~
dns_str_resflags.c:57:13: warning: RES_PRIMARY is deprecated
| ^~~~~~~~~~~~~~~~~~~
dns_str_resflags.c:63:22: error: ‘RES_INSECURE1’ undeclared here (not in a function); did you mean ‘RES_RECURSE’?
| ^~~~~~~~~~~~~

default outgoing encoding


if MUA lacks to set encoding, where for postfix to setup the default
content encoding (for example, utf8) for outgoing messages?


postfix milter body chunk length


I was wondering why the transfer of a 100mb mail to my milter
application was slow, i found the bottleneck in the body chunk transfer.

The maximum packet length seems to be fixed to 64k, it would be great if
we could make that configurable in postfix (uint32 is possible).

best regards,

Matthias Schneider

Postfix for three domains on one host

I want to use my single VPS for three distinct domains. Simple for
webservers. I would also want to be able to send and receive email on
the three domains using Postfix. I understand there is postfix-multi.
Everything I have read so far uses separate IP addresses for this
scenario. Most VPS providers are loath to assign more than one or at
most two IPV4 address to a VPS, due to the global shortage. I have been
unable to get three at Linode.

Not just subdomains, but quite distinct ones.

SSL communication between MTAs


My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

How to enforce the peer MTA send messages only to 465 port for better
secure communication?

Can I just shutdown port 25?


Worthy of a warning?

Are logs like the following really worthy of a warning log level?

postfix/submit/smtpd[84385]: warning: hostname does not resolve to address hostname nor servname provided, or not known
postfix/smtps/smtpd[96068]: warning: hostname does not resolve to address hostname nor servname provided, or not known

Looking for actual problems I have to sift through thousands of these (well, I simply grep -v resolve, but still…

postfix 2.6.6 "stuck queue"

Hey guys, I just took over some postfix gateways (my primary MTA is exim,
so getting used to a few differences), and ran into an issue that I'm not
quite sure how to solve. Unfortunately using an old postfix version
(2.6.6), I do want to get that upgraded and up to date but won't be able to
do that in the near future due to other business priorities at the moment.
Anyway, I'm seeing mail sit in the active queue (picked up by qmgr, but
not sent to smtp) for 20-40 mins.

Domain cannot be found?

Aug 14 09:25:41 mail postfix/smtpd[44179]: NOQUEUE: reject: RCPT from unknown[]: 550 5.7.25 Client host rejected: cannot find your hostname, []; from=<*munged*@*mybak*> to=< ... at covisp dot net> proto=ESMTP helo=<>

Sender IP reverse lookup rejected


One of our users reported a rejected email with the error code and message

Remote-MTA: dns;
Diagnostic-Code: smtp; 550 Sender IP reverse lookup rejected

We handle several domains with different outgoing smtp settings at
multiple mail gateways:

# /etc/postfix/
wignersmtp unix - - y - - smtp
-o smtp_bind_address=
-o smtp_bind_address6=2001:738:5001::56
-o syslog_name=postfix-wigner-smtp

# /etc/postfix/
default_transport = kfkismtp

CAfile problem with OpenSSL-1.1.1c


I recently upgraded my systems to have full openssl-1.1.1c support. After upgrading my mail-server, I realized that I had problems with trusting server certificates. I checked that the server still uses /etc/ssl/certs/ca-certificates.crt, but for some reason Postfix can not work with this file anymore.

check IP before permit_sasl_authenticated

I'd like to block certain IP's from attempting to authenticate on my submission port.

This is what I have now:
#port 587
submission inet n - n - - smtpd
-o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-o smtpd_sasl_auth_enable=yes

Is it possible to configure to use an access list before the permit_sasl_authenticated?

Where the access file contains:
# 550 reject 550 reject

Is this right?

Weird behavior with postfix and dovecot-lmtp

Hi all,

I’ve posed this question to the dovecot mailing list as well, but I’m asking here also because I think this more likely something that I’ve missed or misconfigured in postfix than dovecot.

Sending mail from a local address to gmail, I’d expect it to be forwarded through the configured relay host (the IMAP server doesn’t have direct internet accesss, only the relay box.):

I’ve got postfix setup to use dovecot-lmtp for (virtual) user delivery, and things to users or aliases that Dovecot knows about now get delivered correctly.

Format of ip address in /etc/postfix/access

Hi all,
Sorry for double posting (if done) as I could not locate my sent mail
while sending through my mobile.

I am curious what is the format of IP addresses in /etc/postfix/access.
i.e. will it understand instead of the common ?


OT: Omni Directional hostnames

Sorry for the OT post, but I'm stumped and hope someone here can enlighten me.

When sending to a mimecast users, our mailserver timed out with.

Postfix: Variable meanings table

Can someone tell me how I can get the meaning of these variables
(ehlo..commands) in the postfix log?
1) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo= 2 starttls= 1 mail=1
rcpt=1 data=1 quit=1 commands=7
2) disconnect from xxxx.xxxx.xx [99.99.999.99] ehlo=2 starttls=1 mail=1
rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

Thank you very much!!

Postfix log


I upgraded Debian from version 9 to 10 and consequently postfix 3.1.12
to 3.4.5. I'm checking log with multitail in real time and with the new
postfix version, I've a strange behavior. When the logs rotate, postfix
continues to write in the old file renamed mail.log.1 instead of the
new mail.log.

RE: sasl config confusion postfix 2.10.1-- FIXED

Sorry for the noise,

I changed it to

relayhost = []:587
smtp_fallback_relay = []:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/nexus_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes

and ran

yum install cyrus-sasl-plain

and it works fine now.
Case closed.


... at uconn dot edu
University of Connecticut, ITS, SSG, Server Systems

transport_maps not taking on

Postfix 3.1.0, set up with virtual domains and users in a database via
virtual_ directives in
rspamd set up as a milter
-> everything works just fine.

I have one server where the client wants to get mail delivered to his
Exchange server remotely instead.

sasl config confusion postfix 2.10.1

Hi, I added this to

relayhost = []:587
smtp_fallback_relay = []:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/nexus_passwd
smtp_sasl_security_options =

I added this to
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o milter_macro_daemon_name=ORIGINATING

I reloaded postfix
And see this in logs

[root@production0 alf02013]# grep 89C1F121242FF /var/log/maillog
Aug 7 12:27:28 production0

Postfix not using LMTP Transport in map


I have a Postfix + PostfixAdmin + Dovecot + Mailman3 install. My longer
logs and configuration files are pasted here:

Virtual aliases and domains are managed by PostfixAdmin, but stored and
confirmed by Dovecot. Postfix uses dovecot-lmtp to connect, confirm users,
and transmit mail to local users.

I am now attempting to install Mailman3. I have setup Mailman3 to receive
messages via my mailman3-lmtp.

Is it possible to run postfix in a container (e.g. docker, red-hot)?

Simple question:

Is it possible to run postfix in a container (e.g. docker, red-hot)?

I’m looking into a new platform for my postfix as my current platform (macOS High Sierra + Server with Apple-provided postfix) is end-of-life. I must either get postfix to run on macOS Mojave natively, or get it to run on some other platform. For other platforms, I am looking into platforms that will self-update (a bit like macOS) such as RedHat Fedora Core to minimise maintenance efforts.

Forwarding mail through a gateway


I have a postfix-3.2.6 with fedora30 configured as an imap system for a
subdomain that also relays mail for a few thousand users. Many users simply
create a ~/.forward entry that forwards their mail through the system to a
GMail account.

I believe this has created some issues with reputation, as the mail from
remote addresses appear to be coming from this system without
authorization. The MX for this host is a few other postfix relays at the
top-level for this domain.

Post-upgrade script finds wrong version

I'm migrating to a new desktop as my server/workstation. Postfix-3.3.2 was
installed so I just upgraded to -3.4.6. When I ran postfix set-permissions
upgrade-configuration it returned
chown: cannot access '/usr/doc/postfix-3.3.1/README_FILES': No such file or

I cannot find the set-permissions script so I can fix the version error.
What is the proper way to resolve this issue?



dynamically prepend a header in received emails

Hello all,

Is there a way to prepend a header in the received emails, according to
the FROM and TO email address, with a script?

I have a list of email addresses in a text file, which has to be
different for each user.

Is there an option, for instance in header_checks, to use something
like pcre:/etc/postfix/$recipient/

Or maybe an SQLite database would be enough. With a custom SQL query, I
should be able to return the header to add, but how?

Otherwise, I will start writing a custom milter.

Thanks for your help.

How to bypass / overcome mynetwork restriction

Hello all ,

We are trying to configure a relay server which should accept email from any system within our enterprise and our enterprise is spread across cloud and onprem , which makes it hard for us to get the list of all the subnets that we have to include under 'mynetworks' for the system to accept email for relay , wondering if there is a way to let postfix allow email from any where .

We wish to use ldap lookup against the recipient upon acceptance using the smtpd_recipient_restrictions.

Best Regards, VB.

MAILER-DAEMON and double-bounce sender domain


I have mail server named "" that handles mail in
"" (virtual) domain. I use postfix 3.4.6 for this server.
When something wrong happens, mail is dropped to postmaster with
"double- ... at mx dot" envelope sender and
"MAILER- ... at mx dot" in the "From" header, which leads to
SPF failure and spam filter triggering, because is not
intended for using as ordinary mail domain.

So I tried to change myorigin, but this not help.

combine a milter and a before-queue content filter

Is it possible to use milters in combination with a before-queue content filter?
What does the content filter see if the milter indicates a message should be rejected?

thank you.

Rob Maidment

Chief Architect

[Telephone] +44 118 903 8657



1310 Waterside | Arlington Business Park | Theale | Berkshire | RG7 4SA | United Kingdom

Adaptive Security & Data Loss Prevention solutions for email, web, cloud apps and endpoint.

smtp relay based on recipient domain

Hi, is there any way how to configure postfix to relay e-mails for particular
subdomain to different SMTP server. May be there is another way how to solve
my problem. So I described situation below.

We have domain And have mailserver with postfix configured. All
e-mails from our servers and user mail clients goes trough this server. Now
we need to use "2N VoiceBlue Next" gateway to change some e-mails to sms.
The gateway has hostname and has SMTP access.

Excursus Retry 451 452 Strategies


imagine, a mail envelope contains many recipients, The server accepts the first recipients and rejects the last
recipients, meaning “Too many recipients in this transaction”.

RFC 821 specifies the reply code 452 as “Insufficient storage”, which RFC 5821 amends, by stating that 452 can mean also
too many recipients in this transaction.

RFC 3463 defines enhanced status code 4.5.3 stating “Too many recipients”. RFC 5248 attaches the ESC 4.5.3 to reply
code 451, stating that changing this binding requires a specification, and there is no such specification.

sender_dependent_relayhost_maps problem

Dear all,

I am confronted with a problem in a mail-cluster of internal, external,
and a 3rd party postfix setup.

For simplicity I’ll reduce the setup to:

MX-I (internal mail relay, user authentication, .., also LMTP delivery)
MX-E (external mail relay, incoming/outgoing)
MX-3 (3rd party mail setup)

The setup itself has been running fine like this for years; the cluster
uses external (LDAP) lookups for mail routing and delivery.

Now a user needed to authenticate outgoing email to MX-3.

documentation dead link


May I allude the dead link
and others.

Have a good afternoon!


smtpd - high memory usage


I have a hobby server that does a little bit of everything, including
1) receiving email via Postfix as a backup MX,
2) receiving ~70k IPv6 routes via BGP.

The problem I'm having is that when all ~70k routes are loaded into
the kernel (Linux), this somehow causes high memory usage in Postfix
"smtpd" processes -- as soon as the first client connects, I get a
smtpd process that's around ~130 MB (compared to the more usual ~13 MB
when BGP is down).

Possible inconsistencies in the parsing of lookup table names and other oddities

Hello to everyone.

I've been trying to write a small parser to parse Postfix lookup table
calls for a piece of code I am developing.

I have taken a look at the source code and then resorted to postmap -q
invocations to empirically test the descriptions at
.

I am writing since testing out possible table values for the inline table
has left me a bit stumped, since the results I get do not seem to match the
description I read.
Or, at least in a few cases, the description seems to mislead about what's
actually accepted.

Firstly, I haven't found around

Postfix+cyrus imap integration with active directory

Dear Experts

Currently I am using Postfix+cyrus imap with openldap as authentication

Is it possible to use Active Directory as authentication backend for postfix
and cyrus ?

Can I manage users mailboxes in Active directory ?

Bilal Ahmad

Network Administrator

LMTP Relayhost


is it possible to configure a LMTP only server as relayhost= in postfix?

I'd like to relay all mails to my local lmtp server

Best Regards,


Building new mail server

My existing mail server is running Centos 4 (yes, VERY old -- which is a
testament as to the continuing quality of Postfix), with port 25 exposed
to the whole wide world. Everything else is restricted by an IPTABLES
firewall and TCPwrapper. I was going to wait for CentOS 8 to be
released and get some run time by early adopters, but my poor mail
server is starting to show signs of wearing out and I may have to pull
the trigger sooner.

My question for the user community is this: any gotchas in bringing up
Postfix on Centos 7.6.1810 from the Red Hat distribution?

Question respecting the headers?

I am sure that the message associated with the header extract
reproduced below is fraudulent.

Installation and configuration problem Postfix / Dovecot Debian Buster


I am trying to install and configure Postfix / Dovecot on Debian Buster.
Note that the following procedure I used for the last time on a 8.6 and that
it worked very well.
I have no idea of the blockage and what has changed since.
I searched several days but I could not find my answer.

Here are my configuration files:




here is the following error:

In the file /etc/dovecot/dovecot.conf
I added :

But I still have some mistakes that I do not understand:

If I do a telnet:

I've done a lot of research in r

Sending to multiple recipients fails entirely if any of the RCPT is rejected (unknown domain)

The closest thread I could find for this is almost 10 years old:
that thread, my Postfix is somehow not handling the email properly as the
rejection done early on seems to result in setting the From to null / <> for
all other emails. I could reproduce every time I am sending an email to a
list of contacts containing 1 invalid address (bad domain). Main email
providers respond differently to it: - Googlemail blocks it and shouts
that "this message is not RFC 5322 compliant." - Mic

Migrating from Virtual domains to Postmulti setup


I have been using Postfix with Dovecot (lmtp/imaps) for a few years now for
5 domains with the virtual domains setup and self-signed certificates using
OpenSSL 1.0.x. For spam/virus protection I use Postscreen, Spamassassin and
Clamav; I also use py-spfpolicyd, OpenDmarc, OpenDkim and Clamav.

Now I wish to move onto a postmulti setup with separate instances for
incoming, outgoing, and a null-client per domain. So that would mean 15
instances of Postfix in total under postmulti.

Postfix upgrade, possible issue


I would like to upgrade our mail server from Debian 9 to 10. The postfix
version on Debian 9 is 3.1.12 while on Debian 10 will be 3.4.5. Can I
encounter issue during the upgrade? Are there incompatible
configuration options between the two versions?



I have setup

but if I send an email with MUTT email client or with 'echo "test" |
mail' ... at email dot de I get as email source

... at mail dot (the name of the mailserver).

For testing I have added the to the mydestination and the mx
entry is set up right.

I am wondering why the source email address is still not
' ... at mydomain dot de' but instead ' ... at mail dot'?


encoding issue with header_checks Windows-1252


header_checks = regexp:/etc/postfix/headerstring
/^Subject: .*\[cleartext\].*/ FILTER cleartext:

And now, there is the following mail-Subject, that did not trigger the
above FILTER and I don't see why:


Any ideas?


Basic kind of question

I inherited a pair of postfix servers configured by someone else and I
think I've been a manager too long as I can't figure this one out because
I'm too rusty with postfix.
2 identical postfix servers that only accept mail from mynetworks (other
local servers in its /16) with various From domains that are NOT mydomain
which direct deliver to the recipients wherever they are in the world.
That all works fine. What doesn't work fine is if the recipient is *@ which IS mydomain to which delivery is not local, but the same
