Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

emails stuck in maildrop


I had misconfigured postfix + amavisd-new combo for a few minutes.

openssl 1.0.2 and TLS 1.3]

----- Forwarded message from Matt Caswell < ... at openssl dot org> -----

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101

On 11/09/18 14:58, The Doctor wrote:

DKIM signing of bounce back messages


I have a question regarding DKIM signing on Postfix bounce back messages.

I was tuning my Dovecot installation around quotas. I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota. The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.

Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.

postfix add warning message for all external incoming emails

Hello Friends,
I would like to make postfix add a warning message for all external
incoming emails - Something like this at the top of each mail.

WARNING: This email originated outside of our organization. Do not
click any links or open any attachments unless you recognize the
sender and know the content is safe

How is this possible in postfix?


postfix does not bounce instantly when remote party does not offer TLS


delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but
was not offered by host

seems to me like a permanent error - postfix sees it as a temporary one. I
would like to have instant bounce message for this case when TLS is not

sending postfix is configured 'encrypted' os no fallback is wanted.

smtp_tls_policy_maps on a per tls user basis


is there a way to specify on a per user basis (sasl authenticated user) if
TLS should be none or may or encrypted for a specific recipient domain?

I would like to have the user to decide if his mail to a specific domain
should be TLS encrypted and then maybe bounce back but let other users
mails to same destination domain go ahead with a may or none.

Host offered STARTTLS: [mxlb... without relation to destination domain

I like the option smtp_tls_note_starttls_offer = yes
but when a host is logged, it's hard to keep track to which recipient
domain that host belong without doing dns-lookups against all listed in

Can this be improved to maybe also list the appropriate recipient domain?

custom reject message for reject_sender_login_mismatch



smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/login_maps

rejects user with invalid mail from domain with

< ... at b dot c>: Sender address rejected: not owned by user abc; from=< ... at b dot c>
to=< ... at remote dot tld> proto=ESMTP helo=<[]>

How can i customize this reject message?

Thank you.


Custom oversize rejection notice

When someone sends an attachment via email that exceeds our limit, I'd like to return a custom error message directing them to our in-house web based file upload/download utility (similar to Dropbox in functionality). I've looked at the options, but I don't see an option to address message size. Is that a possibility?


why "allow_min_user = no"

Hello Wietse,

Could you explain me why "allow_min_user = no" ? Could we change to
= yes" ?

Thank you,Paul

What is Postfix telling me?

Starting shortly after midnight 20180906 our maillog file began to
record this sort of message pair every six minutes or so.

Sep 6 12:36:42 mx31 postgrey[85107]: action=pass, reason=client AWL,,
client_address=, sender= ... at airportcargo dot ca,

Sep 6 12:36:48 mx31 postfix-p25/smtpd[66636]: proxy-reject:
END-OF-MESSAGE: 451 4.5.0 Error in processing, id=29937-07, quar+notif
FAILED: mail_dispatch: no recognized protocol name: -2 at
/usr/local/sbin/amavisd line 9638.; from=< ... at airportcargo dot ca>

Heads up for Gentoo users: mail-mta/postfix-3.3.1-r1 has permissions problems

For anyone using Postfix on Gentoo, be aware that
mail-mta/postfix-3.3.1-r1 installs with many incorrect file permissions
that result in impaired functionality (specifically, postdrop won't
work). You may want to consider rolling back to 3.2.4 until the ebuild
is fixed. If you want to just fix the permissions, you'll need to do it
manually, because 'postfix set-permissions' isn't working correctly in
3.3.1-r1 either.

(See Gentoo bug #665280)

strict_rfc821_envelopes possibly broken on postfix-3.3.1

I was debugging issue with email system sending mail from in wrong

MAIL From: <a href="mailto: ... at domain dot tld"> ... at domain dot tld</a>

Adding <> to email address to (broken) software gui fixed smtp
sending, so this worked:

MAIL From: < ... at domain dot tld>

But I found out that strict_rfc821_envelope check should not be enabled
by default and verified same with postconf that it is not enabled.
Still postfix is behaving as strict_rfc821_envelopes would be enabled.

Is this a bug in postfix?

Patch: eliminate postfix-script warnings about symlinks


Running Postfix 3.3.1 under Linux, postfix-script produces pointless
warnings if/when there are symbolic links in or below $config_directory.

1. I installed (CA root) certificates in a subdir of /etc/postfix and
rehash with "openssl rehash <subdir>.

postscreen error with 3.4-20180903

with new snapshot 3.4-20180903

(probably related to error just reported with "postfix" command)

postscreen_reject_footer = \c; Contact <a href="mailto: ... at vbhcs dot org"> ... at vbhcs dot org</a> for
assistance. Include this data: servertime=($localtime)
client=([$client_address]:$client_port) server=($server_name)

Sep 4 13:46:46 mgate3 postfix/postscreen[8656]: fatal: open
dictionary: expecting "type:name" form instead of "\c;"

-- Noel Jones

error with 3.4-20180903 postfix command

Using the new 3.4-20180903 snapshot.

postscreen_reject_footer = \c; Contact <a href="mailto: ... at example dot com"> ... at example dot com</a> for
assistance. Include this data: servertime=($localtime)
client=([$client_address]:$client_port) server=($server_name) (postscr

run "postfix reload"

postconf: warning: /etc/postfix/ undefined parameter: localtime
postconf: warning: /etc/postfix/ undefined parameter:
postconf: warning: /etc/postfix/ undefined parameter:
postconf: warning: /etc/postfix/ undefined parameter:

-- Noel Jones

multiple/simultaneous virtual_transports?


I currently host three virtual domains with a postfix instance.

Postsuper remote


I would like to know if there is a command line tool for managing many
postfix servers from a central server. I have 4 servers running postfix
and I would like to manage the mail queues from one single machine.

Thanks in advance,

Postscreen vs. BDAT

Today a fellow postmaster (using Exim) called me, they were having problems sending
mail to

Postfwd question

I know, I know, it's offtopic since it'S not entirely postfix per se,
but I am at my wit's end here.

I'm trying to implement a (I think) simple ratelimiting feature:

* during our business hours 400 Mails per sender from internat host
* otherwise 100

Some of my limits work, others don't trigger at all:

# these are exceptions for high volume senders.

mydestination, subdomains and local delivery

Hi all,

I'm running postfix for a domain, e.g, "". Its intended
purpose is to receive mail for that domain and relay mail for authenticated
users (e.g., to gmail), otherwise reject mail.

In, I have set "mydestination =". When sending mail
to a certain user on that domain (<a href="mailto: ... at testdomain dot com"> ... at testdomain dot com</a>), the mail gets
delivered locally (no outbound connection). However, if I'm sending mail to
<a href="mailto: ... at subdomain dot"> ... at subdomain dot</a>, postfix tried to relay the mail to an
outbound server (namely that from my ISP).

Postfix invoking content filter for each recipient


I have been using Postfix 2.6.6 on CentOS 6 which I have configured
with an 'After-queue content filter'. The filter gets invoked when an
email is received by Postfix. The content filter does some processing
and pass on the message to another server from where the message is
sent to the recipients.

Recently I built version 2.11.11 and configured it to use the same
content filter. However, now Postfix is invoking the content filter
for each of the recipient. I would like it to invoke the filter once
per message and not per recipient.

Want to be sure i am not throttling user.

Hi, i am troubleshooting a client complaint.
This user "wellness"

Aug 28 10:22:27 mail5 postfix/smtpd[7534]: EE46E2FB: client=unknown[], sasl_method=LOGIN, sasl_username=wellness

Some user feedback :
On Friday I sent a batch of 436 and it took 11 minutes to send
This morning I sent a batch of 725 and it took 1 hour and 21 minutes

Do any of my settings throttle their ability to send to my postfix server ?

I think it is the client they use.

block sender/receiver pairs


I need to block certain combinations of sender/receiver on a postfix
MTA. What would be the best way?



New SMTP server protocol support: CHUNKING

Postfix snapshot 20180826 introduces server support for RFC 3030
CHUNKING (the BDAT command) without BINARYMIME, in both smtpd(8)
and postscreen(8).

Impact on existing configurations:
- There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
smtpd_milters, or for postscreen settings, except for the additional
option to suppress the SMTP server's CHUNKING service announcement,
for example, with:

smtpd_discard_ehlo_keywords = chunking

- There are no changes in the Postfix queue file content, no changes

Looking for an 'easy' postfix log file analysis tool

Hello there ;)

I'm looking for a simple, clean & easy logfile analysis tool for postfix

I'm runing postfix 3.2 on an opensuse box

I found a listing here: <a href="" title=""></a>

already had a look at mailgraph as it looked promising with the
graphical charts.
but while trying to setup it had a problem parsing the postfix log entries.

Error: the entry is not in syslog format

as far as I remember the box running postfix is using the rsyslog daemon

then also had a look at AWStats but here the perl
script wasn't able to parse the postfix log en

Reject mails coming from mailservers whos reverse DNS resolution match a certain pattern

my bank ing-diba is using a marketing company to spam me.

How does smtp_destination_concurrency_limit and smtp_destination_rate_delay relate?


Is I set:

smtp_destination_concurrency_limit = 2
smtp_destination_rate_delay = 1s

and send several messages to the same domain will each connection send
one message and wait 1 second (so I would have 2 messages delivered
per second, one from each connection) or both connections to the same
destination domain coordinate themselves and I would have only one
message delivered per second to the destination domain?


Rodrigo Severo

In transport_destination_concurrency_limit what does "destination" means exactly?


Trying to deal with a destination server that is really picky about
the speed I deliver messages to it.

In a setting like transport_destination_concurrency_limit what does
destination means exactly?

My doubt exists because I have more than one email address destination
domain that have the same MX records.

Connections from "unknown"


I noticed something interesting in my logs today. I am running Postfix 3.3.1:

Aug 24 21:09:25 server postfix/submission/smtpd[10256]: connect from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: lost connection after CONNECT from unknown[unknown]:unknown
Aug 24 21:09:25 server postfix/submission/smtpd[10256]: disconnect from unknown[unknown]:unknown commands=0/0

It is clear that this was a bad connection, but under what circumstances does Postfix consider a remote connection’s address as “unknown” ?

Mailing lists in the wild

I am developing a milter application to enforce certain properties of
both header From and envelop From fields of emails, both outgoing and
incoming to my server.

While reading through recent traffic on this list I realized that my
current rules were too strict and would break basically all mailling

POSTFIX - Lookup tables usage


I have some difficulties to understand how lookup tables are used in
From my own usage, I know two usages
A) Single column.
You query with a parameter. If the parameter is found in the table you get a
non null value ( index value for example ). Depending of your usage you
decide what to do with the result ( stop or continue )
B) Two columns
You query with a parameter.

Is that spoofing - General question


Postfix on a local network without a real internet domain name.
The mail server is on a specific computer.
Outbound mail are delivery by using a relay [] using tls on
port 465
Local mail stay on the server
Less than 40 users

In a company, a linux user (userA) need to send an email to a colleague
(userB), but he can't use his own computer and ask a colleague (userC) if he
can use his computer.

rewrite/masquerade configuration

SUSE Linux Enterprise Server 11
mail_version = 2.9.4

Our ERP recently was migrated from a HPUX/sendmail server to a SUSE/postfix server. I'm trying to get postfix configure to handle from/reply-to the way we want to do.

We have two 'domain' that the ERP can generate emails from, the first is for students (<a href="mailto: ... at student dot"> ... at student dot</a>) and the second is staff/faculty (<a href="mailto: ... at college dot edu"> ... at college dot edu</a>).

We can't have emails say they are from the server (<a href="mailto: ... at server dot"> ... at server dot</a>), this needs to be changed to <a href="mailto: ... at college dot edu"> ... at college dot edu</a>.

We also have a couple users accounts that need to stay local i.e.

Add UTF8 support in PostgreSQL lookup table interface

Hi Guys,

The dictionary interface to Postgresql found in src/global/dict_pgsql.c
does not support UTF8. It explicitly telles the database that Postfix will
send LATIN1.

With SMTPUTF8 support now in place, Postfix may try to look up addresses
with UTF8 in the local part in PostgreSQL virtual mailbox maps.

Sunch lookups now fail as the UTF8 sent by Postfix is taken as LATIN1 by

Postfix in Docker

Hello guys,

In order to keep my container applications to a minimum, i'm trying to slim them down.
One part of this is removing all unnecessary components.

I am running Postfix 3.3.1 on Alpine Linux 3.8 in Docker.
Is there some way to get postfix (with start-fg) to log to the console -without- having a syslog-ng running?
I see it requires /dev/log, but simply symlinking that to /dev/stdout doesn't seem to help.
Any help is appreciated.
Thank you.


documentation issue

<a href="" title=""></a> contains this:

To enable multiple deliveries per TLS connection, specify:

smtp_tls_connection_reuse = yes

However, that does not appear to be a valid postfix option.

Change "Return-Path" header on relayed mails

Some background:

We have an Exchange 2013 server that do not seems capable of setting a Return-Path header when a user has Autoreply on.

For example, I am mailing " ... at company dot com" and that user has an Autoreply/OOTO on his/her account, exchange sends an Autoreply back without an "Return-Path" header which causes it to be classified as spam - because it is technically spoofed.

GSSAPI and Success as a error code


I've been trying to setup GSSAPI in postfix via cyrus-sasl. The service
principal is configured and so is sasl2/smtpd.conf. All I get from the
postfix log file is that the GSSAPI auth failed and that the minor error
code was Success.

Success as an error code doesn't leave much to go on. log_level: 7 did
nothing to produce more verbose output.

How do I debug this? Is there a configuration flag to bring out trace
information? Perhaps postfix can be recompiled with some kind of SASL debug

Restrict sender to domain/s

I have a number of authenticated senders I would like to restrict to
certain recipient domains.

I.e. user " ... at example dot org" should only be able to send emails to
domains "" and "".
Recipient/s with any other domain (e.g. " ... at gmail dot com") should be

If this possible at all, what do I need to look at?


Does anyone have any good tips/tricks/guides for tuning MySQL/MariaDB for use with Postfix?

Hi all,

We've been using Postfix for years with good results, but in recent
years have moved to a load-balanced HAProxy front-end with multiple
backend relay nodes.

address verify

HI All
I am trying to implement the address_verify_map on my postfix email
gateway. I created a verify directory in /usr/local/etc/postfix and added
address_verify_map = btree:/usr/local/etc/postfix/verify
in Then I reloaded postfix. Shouldn't postfix create a db file in
there? I am still seeing it empty. Not sure what else I should do. Any help
would be appreciated.

Exempting submission from RBL lookups.

[ You really must start a new thread when posting on a new topic.
DO NOT reply to a previous message, that breaks message threading.

iOS Mail Client Not Copying to Sent Folder


We have many iOS clients, some report that they’re having problems with iOS mail copying messages to their Sent folder. This happens 2 - 3 times per day, and the phone just says Sending and the client never knows if it sends. Client says apparently email DOES go out, but there is no recording of it. This is usually on our LAN.

We’re not sure if this is solved via Postfix or Dovecot, or maybe something else, so I’m posting this message on both forums as a start.

Spool directories on ext4 with encryption


today I tried to use ext4 encryption for /var/spool/postfix*

1. Create static salt with:
head -c 16 /dev/urandom | xxd -p >~/tmp-salt.txt
echo 0x`cat ~/tmp-salt.txt` >~/.cryptoSalt

2. Adding key:
/usr/sbin/e4crypt add_key -S f:/root/.cryptoSalt

3. Stopping postfix
4. Create /var/spool/old
5. mv /var/spool/postfix* /var/spool/old/
6. mkdir -p /var/spool/postfix /var/spool/postfix-relay /var/spool/postfix-submission

7. Set policies:
e4crypt set_policy XXXXX /var/spool/postfix
e4crypt set_policy XXXXX /var/spool/postfix-relay
e4crypt set_policy XXXXX /var/spool/postfix-submission


Postfix 3.3.1 - Warning: mysql: ...... unused parameter: user

I upgraded to Postfix 3.3.1 from 2.x.x two days ago. I keep seeing the
following warnings:

This is repeated for the other files: and

I don't see any warnings for the file: even though it is
similiar to the above files.

I looked in the documentation (man pages and HTML readme files) and can't
find the answer. I have been using this setup since 2009 without a problem.
Is there a new database paradigm (connection style/template/method) that we
should switch too?

The documentation has not changed.

New to Postfix. 3 questions about security functions.


I'm starting the process of moving my mail from a hosted service to my own.

message-id logging broken by utf8?

I noticed a mail that broke logging syntax:

Aug 14 15:29:57 X postfix/cleanup[11962]: 41qYP05TZCz5xY9:

I guess the message-id contains non-ascii chars that break logging, or
something, is there any way to fix this or is it a bug?

mail_version = 3.3.1


"Recipient address rejected: User unknown in virtual mailbox table" and mydomain conf line

Hi people!

I have a problem with sending emails and I of course try dig.

Could somebody check my Postscreen setup?

Hi all,

I'm trying out Postscreen after having used Postgrey for some time.  The
reason for the switch is that Postgrey can cause emails from Google etc.
to take a long time to come through due to the large number of IP
addresses they use (and I don't want to whitelist the GMail addresses).

Here's the changes I've made, they're all default from the manual, and I
include the Postscreen logs, I was expecting more, but had been
receiving emails from the same GMail address so it was possibly already
whitelisted.  Note:  These are only the changes I've made.

smtp      inet  n       - 

Postfix and getmail, how to tell postfix to receive only specific adresses of a virtual domain?

Postfix 3.3.0, on OpenSuse 15.0

Hi to all,

my first post, as a list newbie :-)

I'm using postfix, along with dovecot, for about two years now, on my VPS.
virtual_mailbox_domains for virtual domains of recipients, virtual_mailbox_maps for recipient's addresses.

Blocking spammers who spoof From: addresses from my domain

Hi all,

A silly question, I did have a look around but I'm just struggling to
find the appropriate keywords to get a definitive answer.

We have a problem where some smart-arse spammers/phishers are spoofing
the From address, specifying our domain as their from address. In one
case, the person in question uses my personal address in the From, To
and Return-Path.

Timed out while sending end of data -- message may be sent more than once


I got this strange problem with postfix 3.1.0.
I got this one server that doesn't get all the mails, queued for it. Some mails gets the error in subject.
And if I do a tcpdump on the tcp stream I see this everytime:

(the content has been wiped for some information)
220 [794178adb94846f8975ac93c9a320e4a] SMTP Version: 21:18:18 12.

Feature request: More variables in smtpd_reject_footer

It would be nice if smtpd_reject_footer could include variables such as
the 4.x.x/5.x.x response code or even the full postfix error message,
this way one could make more helpful errors messages with more helpful


question regarding virtual_alias_maps and virtual_mailboxes_map


i have a working setup, but since i want to expand the capabilities of
our system, i tampered with it and ran into an error at which i'm quite

excerpt from the settings:

# Valid virtual domains
virtual_mailbox_domains = proxy:hash:/etc/postfix/virtual_domains
virtual_alias_domains = proxy:hash:/etc/postfix/virtual_domains

/(btw postfix keeps complaining like this://
//Aug  8 11:54:15 rhyno postfix/trivial-rewrite[24427]: warning: do not
list domain in BOTH virtual_alias_domains and
//...but then how do i tell postfix that i need it to c

See a double-bounce mail generated by my postfix

I would like to be able to see an example of a double-bounce message
generated by my postfix (3.3.0) server. Can I get my postfix to send me
(say to an unrelated external mailbox) a double-bounce message?
Alternatively is there a way I can save, on the server, the double-bounce
message as and when it sends it to a third party?

Syndicate content