Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

A blog post that I hope will help people, can the community help me improve it?

I created a blog post for something I needed to get done and figured out
how to do.

If the community has any pointers that would make this better, or
perhaps even a better way to accomplish it than what I came up with, I'm
open to constructive criticism.


Ambiguous logging of mail senders


recently I stumbled across a log line like this:

Oct 25 10:34:59 hostname postfix/smtpd[12345]: NOQUEUE: reject: RCPT
from client.example[]: 554 5.7.1 < ... at b dot com; ... at d dot com>: Relay access
denied; from=< ... at example dot com> to=< ... at b dot com; ... at d dot com> proto=ESMTP

The important part is the "to=< ... at b dot com; ... at d dot com>". Parsing this to find
out which part is the local-part and which is the domain isn't exactly
trivial, both for me as a human or for a machine automatically parsing
the log.

reject_unknown_sender_domain seems not to work


I am having trouble using reject_unknown_sender_domain.

OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

I am trying to revive my OpenDKIM installation. I had it working but managed to break it when I updated my ports.

Re: block 'new style' TLDs ?

I've had the same problem for some time. I put the following into access_helo and header_checks.

block 'new style' TLDs ?

as of recently started getting heaps of spam from all kind of new domains
all ending in '.best'

what's the best way to block that, block entire '*.best' ?
how and where ?

or ?


using version 3.4.7

Return-Path: < ... at resolutionwine dot best>
Received: from (unknown [])
by (Postfix) with ESMTP id B36914195027
for <vvvv>; Thu, 24 Oct 2019 06:53:21 +1100 (AEDT)
MIME-Version: 1.0

running a content_filter upon reinjection of a message with sendmail command

Here's what I want to do:
1. Email is received for an address I have set to forward emails, let's call it ... at example dot com.
2. Postfix pipes the email through a command postforward, which in turn runs the email through postsrsd, to make spf and such validate (especially when forwarding to an email address I don't host).
3. Postforward reinjects the email with sendmail, now with a return_path of <something>

Replace semicolon in recipient list

Hello Group,

I have configured Postfix as a relay to forward all messages to the AWS
SES mail service.

One sending application is sending mail with a From: header containing a
semicolon-separated list of addresses.

about MX hosts


I saw my ESP has two MX records pointing to just the same host. 21 IN MX 5 21 IN MX 10

Does this have any value improvement?


anvil statistics logging


can I disable the anvil statistics from being written to the logs ?

I have quite short "anvil_rate_time_unit" (60s), and I have set some of
the "smtpd_client" rate limits to 10.

My log is basically flooded with these anvil statistics, which I am not
really interested in.

statistics: max connection rate 1/60s for
statistics: max connection count 1 for
statistics: max message rate 1/60s for
statistics: max recipient rate 1/60s
statistics: max cache size

Can I still use these limits, but suppress the statistics ?


Problem with new installation

I am running a copy of configurations from a running version 2
installation from Ubuntu 14.04, now alive as version 3 on Ubuntu 18.04.

I thought I'd be slick and port over all the user mailbox directories in
/var/mail/vmail, all the customized .cf's, and the MySQL database.

Change info message to warning

I'd like to change the DNS blacklist message from msg_info (logged in the main log file) to msg_warn (logged in the warning file.) That is the second line in the log extract below.

I have:
a) looked through the postscreen source
b) grepped the distribution for NOQUEUE: and reject: piped through grep msg_info
and I can't find the code which generates that particular message

Oct 22 13:13:31 postfix[8412]: Connect: Unknown []
Oct 22 13:13:32 postfix[8412]: NOQUEUE: reject: RCPT from unknown[300.301.302.303]: 510 5.7.1 Your IP address is blacklisted - send from a different ne

Rewrite From header from old to new style

I would like to rewrite an old-style header in a locally-generated
mail (say by cron under Ubuntu 19.04 and earlier) e.g.

to the new-style header e.g.

It must be done before milters so that it can be signed by opendkim
milter after the header rewrite. canonical looks like the right tool
but the examples I have seen only show it working on an address not
the full header text.

I am using postfix 3.3.

Use of PERMIT in smtpd restriction lists

By (limited) experiment it seems to me that the action 'PERMIT' is
acceptable in access tables in smtpd restriction lists (e.g.

As far as I can tell it is undocumented in this context, but I think it is
synonymous with 'OK' i.e.

Unusual TLS setting logged by Postfix


I am aware that this is not an error on Postfix’s fault, but I found the following entry in one of mail server’s logs confusing. I am using Postfix 3.3.0:

Oct 21 06:09:51 server postfix/smtpd[31405]: Anonymous TLS connection established from unknown[]:33126: TLSv1 with cipher AES256-SHA (256/256 bits)

From what I gather, a TLS v1.0 connection was made with AES256 for the symmetric cipher and SHA-1 for integrity, but:

— There is neither DH/DHE/ECDHE at the start.

TCP maps security risks & mitigations; Trualias alias mapping

Hello everyone, and the 10 people who care.

Remove duplicate header 'MIME-Version'

Hello Group,

I have configured Postfix as a relay to forward all messages to the AWS
SES mail service.

SES bounces some messages with the following error:

status=bounced (host[]
said: 554 Transaction failed: Duplicate header 'MIME-Version'. (in reply
to end of DATA command))

These messages are sent by a scanner and I have no influence on the
scanner configuration.

Is there a way to remove the duplicate header in Postfix?

Alternatively, is it possible to remove the MIME-Version header(s)

Recipient address RESTRICTIONS are applied twice to the same e-mail with different parameters

Hi there,
The context is:
Ubuntu 19.10
postfix 3.4.7-1

in /etc/postfix/
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, permit_auth_destination

This setting should accept the e-mail sent to my domain from

Yet, I get in the log:

*>>> START Recipient address RESTRICTIONS <<<generic_checks:
mynetworks: <> ~?

how to add warning / banner in email body ?

Hi,

For identifying external world & spoof emails, I am looking for
solution where we can add notification / warning banner in email body
like below.

"_This e-mail is received from external domain. Please review before
opening any attachment or link_"

This will help end user to identify risk while reply or URL click.

Is there any milter or postfix solution available where we can set
condition and then above warning will get append at the starting of
email?
or is there any way to append disclaimer at the starting of email?

Recipient address rejected: Service is unavailable (try later)

I am using Postfix as a filter, it is protecting end-users on Office
365, Google Apps and a cPanel server.

We are seeing quite a few "Recipient address rejected: Service is
unavailable (try later)" messages in mail.log.

The email will be accepted at 8:47, rejected at 8:51, then accepted
again at 9am

Any idea what's going on - and how to resolve the issue? Thursday, I
deleted /var/lib/postfix/verify_cache.db, it doesn't seem probable that
it's corrupted again.

Could someone, i.e. Viktor, please contact me regarding TCP maps?

I'm working on something, I've seen Viktor on some relevant changes. I
would like to discuss TCP maps, security implications, etc. Viktor
should know I'm one of the 50 kooks who care from dns-ops.

Thanks in advance...

Postfix: The Definitive Guide


I have the "Postfix: The Definitive Guide" book. I like the way it is
written and since Wietse wrote a foreword, I assume it has his "blessing".

But the book is from 2003. Is this still relevant today ? How much has
postfix changed since then ?

I could not find any more recent edition

thank you,

base64 encoded emails


I would like to ask what the Postfix community thinks about base64
encoded emails.

What is the legitimate reason to use base64 encoded emails ?

Seems to me, it is only being used by spammers to complicate body_checks

Would it be crazy to want to configure Postfix to not accept base64 ?

I believe email should be plaintext. I don't like HTML emails either. If
somebody feels that his message needs fancy formatting, he should send
it as pdf attachment.

Per User Relay to From Old to New Postfix


Our organization is deploying a new upgraded Postfix server and we're
looking for various options to migrate users from the old to the new. 
One possibility, we hope, is to do it on a per user basis rather than
doing it all at once for a whole domain (which is also viable, but seems
to result in more downtime for users until IT staff can make their
rounds to their computers).  I have done some reading of documentation,
but I'm not clear on whether using relay_recipient_maps is an option, or
perhaps the transport_maps directive.

So, is this possible in Postfix, to relay emai

How to hold a specific recipient

Hello everyone,

I read a lot of emails on this ML and on the web without finding the
solution, or I do something wrong.

I just want that all emails to a specific recipient are put on hold.

I thought this would work, but it doesn't :

* :
o smtpd_relay_restrictions = check_recipient_access
hash:/etc/postfix/recipient_access permit_mynetworks
permit_sasl_authenticated defer_unauth_destination
* /etc/postfix/recipient_access :
o ... at domain dot ch        HOLD
* postmap /etc/postfix/recipient_access

Thanks in advance a lot for any hint or help !


Possible to enforce 4XX error upon dns lookups which result in NXDomain?

Hi list

I wonder if the following idea is somehow "do-able" in postfix. We have
a fallback postfix instance which gets all mails that our scanners could
not send to our customers target server. Now the fallback tries to
submit those msg to our customers. Sometimes our customers do not know
how to manage dns and delete an important record (like the a-rec for the
target server).

Postfix is not open relay but send spam

Hi everyone,

I have a problem with postfix.

I use OBM as a mail server (postfix + cyrus + ldap, etc...).

Virtual Users not getting populated in verify_cache

One of everyone's favorite topics:

I added "virtual_alias_maps = hash:/etc/postfix/virtual" to

Then I added " ... at katy dot net ... at katy dot net" to /etc/postfix/virtual

/etc/postfix/ includes:
relay_domains = hash:/etc/pmg/domains
transport_maps = hash:/etc/pmg/transport
smtpd_recipient_restrictions =
        check_recipient_access  regexp:/etc/postfix/rcptaccess
check_sender_access  regexp:/etc/postfix/senderaccess
check_client_access  cidr:/etc/postfix/clientaccess check_policy_se

Centos 7 turn on pypolicyd-spf


I install via yum pypolicyd-spf in Centos 7.

Paquetes instalados
Nombre        : pypolicyd-spf
Arquitectura        : noarch
Versión     : 1.3.2
Lanzamiento     : 5.el7
Tamaño        : 105 k
Repositorio        : installed
Desde el repositorio   : epel
Resumen     : SPF Policy Server for Postfix (Python implementation)
URL         : <a href="" title=""></a>
Licencia     : ASL 2.0
Descripción :pypolicyd-spf is a Postfix policy engine for Sender Policy
Framework (SPF)
           : checking.

Block Email with Same Address in To & From

Dear All,
I want to block all emails having same address in To and From header.
Any solution plz

Sent from my Samsung Galaxy smartphone.

postscreen_pipelining_enable vs. Exim / BDAT

I've started noticing messages like these in my logs and the logs on in recent months:

Oct 13 00:58:21 rincewind postfix/postscreen[76460]: COMMAND PIPELINING
from []:59818 after BDAT: DKIM-Sig
nature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;;\r\n\t s=mail; h=Content-
Oct 13 17:12:51 rincewind postfix/postscreen[60205]: COMMAND PIPELINING
from []:37464 after BDAT: Received: from ([] helo=[])\r\n\tby with
Oct 13 17:12:59 rincewind postfix/postscreen[60205]: COMMAN

Postfix on a dynamic DNS server not receiving a handful of emails

This may sound rather vague, so I do apologise. I have my "own" email
server, which runs my own domain and seems to work absolutely fine the vast
majority of the time. I have a problem at the moment, specifically with
Epic Games - who are claiming that they are sending me password reset emails
- but I am never receiving them.

Trying to understand error message in logs

Hi, I am building new server RHEL7 and Postfix 2.10

The log file is constantly outputting this...

Oct 11 11:15:08 mail6 postfix/master[3266]: warning: process /usr/libexec/postfix/smtpd pid 18008 exit status 1
Oct 11 11:15:08 mail6 postfix/master[3266]: warning: /usr/libexec/postfix/smtpd: bad command startup -- throttling
Oct 11 11:16:08 mail6 postfix/submission/smtpd[18091]: fatal: open lock file pid/inet.submission: cannot open file: Permission denied
Oct 11 11:16:09 mail6 postfix/master[3266]: warning: process /usr/libexec/postfix/smtpd pid 18091 exit status 1
Oct 11 11:16:09 mail6 postf

Respecting MTA-STS

If we want to try and respect MTA-STS, when doing STARTTLS, the sender
needs to send the right information in the TLS SNI (Server Name
Indication) extension.

Correct tls settings

I am running Postfix mail_version = 3.5-20190922, with OpenSSL 1.1.1d
on a FreeBSD 11 machine. I am just wondering what the recommended
settings are for the following items:


I have seen several recommendations on line, and I just want to make
sure I am using the proper ones.


how to get statistics about inbound/outbound messages

As the subject stated, how can I get the statistics on the numbers of
inbound/outbound messages every day from Postfix?

Thanks & regards.

Split Domain MTA relay access denied

Hi All,

We have a split domain with a MTA relay in the middle, the domain is

MAILTO without SIZE=


I have a Postfix set up to relay the messages to an Exchange server.

It declines the mails with,08D7265A6F30DBE4,12,,,*,Tarpit
for '0.00:00:05' due to '550 5.7.61 SMTP; Anonymous client does not have
permissions to send as this sender',

It works manually with telnet

I suspect it is because Postfix send in the Envelope address for some
reason the SIZE=423 with it

MAIL FROM:< ... at someurl dot de> SIZE=434,

How can I disable the sending of the SIZE parameter?



Morning List,

If default_destination_rate_delay = 0s this affects incoming and
outgoing queue processing...

I'm trying to set the MTA (external emails) to send only at 5 second
intervals would that be smtpd_destination_rate_delay = 5s?

Curious because smtpd_ and default_ have the same effect.


Encrypt outgoing emails.


We are not getting our emails stuck in the spam folders of gmail but they are saying our emails are not encrypted.

The emails received show a "red padlock" and when you click on the pad lock it says we are not encrypting our emails.

I thought I have the correct settings to encrypt our outgoing emails, but I see the following errors in my log files.


Oct 4 10:03:05 posta postfix/smtpd[29824]: [ID 947731 mail.crit] fatal: unexpected command-line argument: !SSLv3,
Oct 4 10:03:06 posta postfix/master[27581]: [ID 947731 mail.warning] warning: process /

How to make Postfix use hostnames from /etc/hosts ?

As I have trouble with sending emails to Gmail (I wrote about it in a
different thread), I try to configure Postfix to send mail to Gmail via a
different mail server as a relay.

Is this a good smtpd restrictions set?

I am revisiting my config and my config was made a long time ago (before relay_restrictions)

Would this be a good restrictions set? I think it is but I’m not 100% certain if this is efficient for instance. For instance, I am blocking reject_non_fqdn_recipient in smtpd_recipient_restrictions without the permit_mynetworks and such first. Isn’t it then not more efficient to do that at the start of smtpd_relay_restrictions? And I also wonder if it isn’t better to remove permit_mynetworks from smtpd_relay_restrictions so that if a device has broken into my network (e.g.

How to avoid being classified as spam by Google?


I hope this is not too off-topic, but I figure this is the best
mailing list because we're probably not in this boat alone, wherein
we're annoyed (very) and a bit helpless about Google. I have to ask
here, because Google of course doesn't care about us.

We operate several postfix mailservers with hundreds of users, and
the rate at which these users find their emails spamfiled on the
side of Gmail recipients is increasing.

And yet, we're doing everything we can! SPF is configured, DMARC is
configured, DKIM works.

Only logging from a connection when an unrelated error is forced in

Using postfix 3.4.6 on macOS. Using maillog as syslog is broken on macOS.

The postfix server is running on, dovecot and other parts of the mail setup not yet. I am connecting from on port 25, using telnet. I’m issuing an HELO and a VRFY (turned on temporarily in

Limiting mail relay


I am trying to understand how I am being a mail relay for (what I believe)
are unauthorized users. I have the following postfix config set -

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authentication,

mynetworks_style = subnet

However, an account seemingly seems to be used as a relay. The user is
complaining about seeing tons of MAIL REJECT messages.


I’m setting up a new postfix based on sources (via MacPorts) and master has this configuration snippet:

smtp inet n - y - 1 postscreen
smtpd pass - - y - - smtpd
-o receive_override_options=no_address_mappings
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy

My certificates live outside the chroot jail, but I expected tlsproxy to handle it (and it is not chrooted).

Blocking an address from submission mail

How would I go about blocking mail to a valid address if it is sent from a user on my postfix mail server.

For example, let’s say I have ... at example dot com and that address is only for people outside to send mail to, so when a local user or a user in virtual.

warning: hostname does not resolve to address

I am getting several warnings a day of the form

postfix/smtpd[6969]: warning: hostname domain does not resolve to address ip
postfix/smtpd[10614]: warning: hostname domain does not resolve to
address ip: Name or service not known

My question is, why are these logged with syslog priority warning/4?

Deriving from <a href="" title=""></a>
they are mostly for explaining the hostname string unknown in the
So from my view they have no importance by themselves.

I mainly ask because it clutters loganalysis, e.g.


Do I really have to whitelist all the IPs of in postgrey?

Oct 2 10:57:28 bitclusive1 postfix/smtpd[20061]: NOQUEUE: reject: RCPT from[]: 450 4.2.0 <a. ... at bitclusive dot de>: Recipient address rejected: Greylisted for 60 seconds; from=<bounces+SRS=6CNNV= ... at senpluspluseop dot> to=<a. ... at bitclusive dot de> proto=ESMTP helo=<>

Kind regards


Specifying certificates in

I have been running postfix for several years. The latest certificate has
almost run out so I switched to letsencrypt. Whilst installing the
certificate and key in it occurred to me to wonder if I wasn't
over-specifying their use. I have checked around the web and found nothing
like my setup for

Sending mail to Gmail users via Gmail server?

as Gmail is often putting e-mails from me into recipients' Spam folder, and
there seems to be no solution for this (I tried everything to no avail), I'm
considering an idea of sending e-mail to Gmail users via Gmail server, with
help of a Gmail account specially created for that purpose. (If that doesn't
help then - I guess - nothing helps :( ).

I have a few questions regarding how to configure this in Postfix.

1) It's obvious that Postfix has to authenticate to Google SMTP server to
submit mail through it (with credentials of that specially-created Gmail

Is there a version 2.11 or higher of postfix supporting cyrus ?

I have tried to install postfix which support cyrus by using source code but
failed. when "postconf -a" can not support cyrus. Is there a version 2.11
or higher of postfix supporting cyrus ? tks.

Connection reuse and tlsproxy


I started to deploy TLS connection reuse on some non trivial outbound
gateway setups.

First I was hit by a non obvious configuration behavior:
On my gateway I have:

If I switch to TLS session reuse with

I get:
tlsproxy: warning: TLS service is requested, but disabled with
tlsproxy_tls_security_level or tlsproxy_use_tls
smtp: warning: private/tlsproxy service role "client" is not available.

By default tlsproxy_tls_security_level=$smtpd_tls_security_level
I overwrite it with tlsproxy_tls_securi

copy of mails with specific From-field


how can I put copies of outgoing mails with specific From-fields in the
outgoing-folder of a specific user?

Best regards

Prevent sender address spoofing


I am using postfix 3.1.12 in a network which does not currently accept
sending mail from outside.

However some spammers change the From header in the data section and
use an internal address.

The problem is that if I use header_checks to reject my domain, it's
applied globally so mail from within the local network is rejected as

Since there is no check_data_access method, I tried to do something

In :

header_checks =

smtpd_restriction_classes = anti_spoofing

anti_spoofing =
check_client_access cidr:/etc/postfix/localnets.c

dovecot lmtp and virtual_mailbox_maps

Good afternoon.

Dovecot is relaying mails to users that do not exist in the
virtual_mailbox_maps to the dovecot lmtp. I'm using dovecot's lmtp to
deliver mails for a virtual domain.

How to pass "no_milters" option to pickup daemon?

Hello All,
I am using spamassassin with my postfix setup in form of "simple
content filter", as described here:
<a href="" title=""></a> . That means, smtp
server has the option "-o content_filter=spamassassin" defined in
file, and also a service named "spamassassin", which calls the filter
script, is defined in file.

This works fine except for one thing.

