Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

custom mail forwarder/relay program?

I need a way for Postfix to listen to SMTP (think smarthost) and then re-send all emails via HTTP POST operation. Is the correct way to tackle this (aside from telling them to go to hell) a transport definition using Pipe(8)? I've never done this before and it doesn't appear to be a very common scenario. Otherwise I could write a small Perl program that is launched via inetd, that would do the same even though it wouldn't be very efficient.

postfix p0f milter


I hope this isn't too off topic, but hopefully someone will have more
information on this than I do.

I've got a postfix with virtual mail users system going. I'm needing
to tighten my antispam setup. I'm wanting to integrate p0f into my
system, and am hoping there's a milter out there that will do it. My
goal is I've got postfix going on port 25 for incoming connections, so
I'm wanting the milter to passively scan that port and only if a
client makes a successful connection, i.e. is able to deliver mail,
p0f kicks off and scans the tcp/ip connection.



I'm quite new to postfix and have a question about a scenario I would
like to achieve.

I would like to accomplish the following:

1. User A has an email account like at a standard
E-Mail Provider
   1. He is either not able or willing to setup/use exchange or some
   other mail server to accomplish the given scenario!
   2. He is not able or willing to use some "Auto-BCC" Function (which
   Outlook only gets through a Plugin) because of mobile use with
   smartphone/tablet or E-Mail Programs that don't offer this function!

warning: hostname does not resolve to address

I'd appreciate your help with the following:

I'm looking after two servers on 2 different domains.

Delays in receiving mail

This is a small server with a few users that are all local. There are several domain names that point to this server, but all of them are just aliases for the main name. Received mail stops at the rcpt to: line. There is no OK that occurs until shortly after 3 minutes from that line being received. During that time ktrace shows multiple calls and sleeps for proxymap. After the 3+ minute delay, it issues the OK and then the rest proceeds normally. I suspect this is a configuration error since this server was just updated to 3.3.4 from an earlier version.

Duplicate spamd lines in Postfix log file


I hope someone can help with what is not a problem as such, but a query.

Duplicate spamd entries in log file - I think


I hope someone can help with what is not a problem as such, but a query. In
every Spamassassin (spamd) exchange there appears to be two lines that are
*almost* identical.

It's the util: setuid lines. As stated, all is well, but can someone tell me
why this is the case, and if there is an actual problem?

Many thanks


NDR when failed to forward mail to external address, now blacklisted on backscatterer

Hello all,

A shared hosting web server of a customer (running a Postfix with local
e-mail addresses and mailboxes) was blacklisted on backscatterer. The
relevant information from the backscatterer page pointed me to a moment in
time and I was able to check the logs from that given moment (+- 2mins).
I read through some backscatterer descriptions I found and verified that
Postfix does not send NDR for non-existing addresses/mailboxes.

But this scenario is slightly different.
An e-mail was sent to destination e-mail address on that shared hosting

How to validate alias/map files?

Hey all,

I'm using procedurally-generated alias files from a database, and
distributing them with puppet, and would like to have postalias check the
files for duplicate entries and/or other errors before I install them.
I'd like to use the same program used to install the DB, rather than
hacking a validator together with perl or something.

As an example, an empty left-hand


would be an error I want to catch. I want to catch duplicate items, as

Rejecting mail based on a Milter results

The spamass-milter is not rejecting mail that scores above the number set in the -r flag for the milter (confirmed by other people this is a bug in spamass-milter).

Is there something I can do in postfix to reject mails that the Milter logs like:

spamd: result: Y 18

Where “18” is a something I set like “>=10”?

Seems a long shot, but it is unlikely anyone is working on spamass-milter at this point.

mbox format?

Apparently, and much to my surprise, there is more than one mbox format.

I just now stumbled across this, because I am going to be (re-)writing
some small tools I have that do useful things with mail messages stored
in "mbox format":

In the above Wikipedia page, four different flavors of "mbox format"
are described: mboxo, mboxrd, mboxcl, and mboxcl2.

When Postfix hands a message to something... say a script invoked via
some ~/.forward file... which one of these four formats will the message
be in?

Postfix SMTP client: dealing with multiline EHLO response?

Hi all, first post on the list and I've spent some time searching the docs
for an answer.

One of my list members has his own SMTP server. He's configured it to return
a large multiline response to the initial EHLO from a client. Apparently
when my Postfix installation connects to him, it sits idly after the multiline
response and never goes on to issue further SMTP commands.

Is there a configuration setting that I've overlooked to allow the Postfix
client to deal with this situation? I'm running version 3.3.0 on Ubuntu server.

Many thanks for your suggestions, Warren

The Prefix Whois milter, with Postfix On FreeBSD?


Has anyone got the Prefix Whois milter going with Postfix on a FreeBSD
system? I'm having compilation difficulties. If anyone has this going
please let me know.


best practice lookup table performance - non hashed file


we're publishing lookup tables through our control git repo but hashing all
tables before committing them to git is cumbersome. What do you recommend?

several postfix servers are getting same lookup table from central

we're using it this way:

smtpd_sender_restrictions = check_sender_access

mail-addy or domain OK

with 600 entries so far.

I'm aware of

but none of them look simple. we like it plain and simple.

Receiving mail from a host without a valid rDNS

I have a mail host that I want to receive mail from that does not have a valid rDNS (it recently moved and their ISP is comcast and it seems to be taking a stupidly long time). Anyway, I first tried this:

check_sender_access pcre:$config_directory/sender_access.pcre

/ OK

This did not work.

Smtpd intruder


I introduced "smtpd_reject_unlisted_sender=yes" in to avoid
attempts to login to my smtpd.

This morning it looks like an unknown ip-number succeeded:

Jun 23 07:38:02 lunar postfix/smtpd[14806]: connect from
Jun 23 07:38:05 lunar amavis[15407]: starting.

dkim updating keys

Friendly Greetings,

I am going to update my email server's Dkim keys for the first time.

I can go to the original install instructions, and figure out how to
update them. What I can't find in that original tutorial is the

1. Do I delete/remove old key and references thereto? Namely, in the

2. Do I just create the new key, and update the key.table, and upload
the txt to my DNS?

3. Do I leave my old key information (including on the DNS) for a
"grace period" of a week or so?

Trying to figure this out with as little disruption as possible.

Thanks in advance.


havedane dns issues

Anybody on this list having contact to the maintainer / webmaster of ?
It's having dns issues when the TLSA record is queried with qname minimization
active (RFC 7186).
This is a bug in the dns server or dnssec signer and should be fixed.
Otherwise false negatives are generated!

See this dnsviz link for a description of what is wrong:

- tmolitor

Gave up on my ISP, trying to get GMail to work but get - host[] said: 530-5.5.1 Authentication Required.

In my previous post - "How to tell my ISP there's a problem" I wasn't
able to figure out the problem and CenturyLink is no help so I decided
to use my GMail account to send my messages from cron. However I've run
into a problem that I keep getting the message that's in the subject.
I've pasted the complete output of a test run below:

Here is my

I'm sure I have something just not right but I can't see what it is.

Thanks for any advice


Re: TLS 1.3 on postfix (fixed)

Apologies for multiple emails to this list for the same problem.

Some internet searches got me to the right solution.

One of the other posters was correct; it was a certificate issue. Reissued my cert on my postfix SMTP mail gateways.

All seems to be working now. Gmail defaults to TLS 1.2

I saw some posts that TLS 1.3 still has issues with OpenSSL v1.1.1 and postfix 3.3.x

I am using Ubuntu Linux and the latest postfix which is 3.3.0 unfortunately

Edward Ray

Re: disable TLS 1.3 on postfix (logs enclosed)

Jun 22 10:31:19 mailgate postfix/smtpd[7180]: setting up TLS connection from[]
Jun 22 10:31:19 mailgate postfix/smtpd[7180]:[]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS read client hello
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write server hello

disable TLS 1.3 on postfix

What is the correct procedure to disable TLS 1.3 negotiation on postfix?

Re: Unable to send or receive from Gmail (temp solution)


!TLSv1.3 added to "main.conf" fixed the issue hopefully.

Will work on updating certificate later...

I figured TLS 1.3 might be the culprit from the logs.

Best practices link for postscreen

Does anyone have a best practices link for postscreen implementation?

Thank you

Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail.

Greylisting -- current recommendations?

I'm running Postfix 3.1.0 on an Ubuntu 16.04 LTS system.

I'm using Postfix's postscreen filtering, including
(with a large score) as one of my DNSBL sites, but it's not helping in
some cases because the spam sources are not showing up on Spamhaus at
the time I get e-mail from them -- only later on.

I'm wondering if it may be worthwhile for me to enable greylisting in
some form on my server.

Postfix (using haproxy) reporting inaccurate commands in log

Hi everyone,

I'm running postfix 3.2.3 on FreeBSD, with a separate submission service
receiving connections via haproxy and using the
smtpd_upstream_proxy_protocol=haproxy flag.

Unable to use pcre:


This is Debian 9, with a fresh install of postfix,
postfix-policyd-spf-python and postfix-pcre packages.
I am getting the following error:

root@elephant:/etc/postfix# postmap -q foo
postmap: warning: unsupported dictionary type: pcre (no/
No such file or directory)
postmap: fatal: unsupported dictionary type: pcre

Any help appreciated!

No logging possible from local pipe

I'm using local to invoke a piped command with an alias like:

http_forward: "|/usr/local/bin/..."

from inside that bash script I try to log with systemd-cat but this results
in "Failed to create stream fd: Permission denied"

I have tried to use postlog instead, but it just doesn't emit anything to

invoking postlog from the shell works fine, e.g "sudo runuser -u nobody --
/usr/sbin/postlog -t sometag <<< somemsg"

What's going on here?

Rejecting mail if LDAP lookup returns empty


We are setting up Postfix to be an on-premise mail lookup and forward service for a cloud-based mail filter service (ProofPoint). Our campus uses LDAP to route email from a public alias ( to an internal mailbox (e.g., or external destination such as yahoo or gmail.

The issue we are seeing is that the lookups are working just fine, but if an email is sent to a bogus public alias or a valid alias without a defined routing address in LDAP, Postfix then attempts to pass on the address to the next hop instead of failing the lookup and bouncing.

Add header based on subject

Hello everyone.

Is it possible to add a header based on a regex in a subject?

Best regards.


Problem setting a TLS verified connection


I'm trying to establish smtp_tls_security_level=verify connection with
just one domain. I set a tls_policy in which I set domain verify,
smtp_tls_security_level=may in When we try to perform some test
I can receive messages but it is not possible to send; I get a deferred 4.7.0
message. Any ideas?

Mails to gmail bouncing

I have a strange problem with mails to GMAIL.
A user sent out mails to 90 recipients, half of which are,
and those mostly bounced:

Jun 19 09:52:43 mail-cvk postfix/smtp[32063]: 45THH93PXyz1Z4Kq: to=<malgorzata. ... at gmail dot com>,[]:25, delay=4.8, delays=3.3/0.04/0.62/0.84, dsn=5.5.0, status=bounced (Protocol error: host[] said: 250 2.1.5 OK w9si551343wmd.47 - gsmtp (in reply to DATA command))
Jun 19 09:52:43 mail-cvk postfix/smtp[32063]: 45THH93PXyz1Z4Kq: to=<maxxxxxch. ... at gmail dot com>, relay=gma

Some mails just stay in Queue.

Hello all,
I am seeing a peculiar problem in one of our servers. Some mails in the
queue stay there forever. Of course they are very few, just 20 or 30 in
a month.
Most of them are from MAILER-DAEMON

3291B6063914! 54880 Mon Jun 17 17:32:24 MAILER-DAEMON
... at datasoftcomnet dot com

2FF8A601819C! 29081 Mon Jun 17 18:44:24 MAILER-DAEMON
... at datasoftcomnet dot com


Milter vs. *_restrictions: evaluation order


I have a private (firewalled) outgoing-emails-only setup with
containing (among others):
smtpd_recipient_restrictions =
smtpd_milters =
[some local ip:port]

The (only) milter used replaces all recipients with a single,
hard-coded email address. The use is a production clone setup for an
application which sends emails. Production database contains real email
addresses to which we do not want to send any email from the clone

How to tell my ISP there's a problem

Apologies if the subject is vague however I'll attempt to explain
further. I run a cron job once a day that updates my Spamassassin
rules. Up until a couple of weeks ago I would get the output of that
cron job mailed to me. For some reason this is the only cron job output
that's not coming back. I've determined that size is not a factor since
some of my hourly logcheck messages are up to 400k if a restart has
taken place. Below is the output when it was working and the output
since then.

Stats recommendations?

I'm aware of the list of stats tools

Looking for experience/recommendations from users here.

grep's served me well enough for just a few servers.

As I switch to all/only Postfix at multiple locations, something easily
automated/deployed is of interest.
DIY is doable; I'd prefer a product/project that's still actively

I'm looking for as lightweight as possible.

I'm OK with just scheduled text/emailed reports; usually prefer them to
visual displays, whether static or dynamic/realtime, anyway.

What are folks here using & happy with?

5.7.1 issue relaying telnet, on same host


I'm trying to get a new mail server going. It's running in a FreeBSD
12.0 jail and it's postfix 3.4.5, and dovecot 2.3.6. The machine's ip
is i'm telnetting I'm on the host and telnetting to the
server on port 25 after rcpt I'm getting:

Jun 17 13:47:49 mail postfix/smtpd[29888]: NOQUEUE: reject: RCPT from
mail.example.local[]: 554 5.7.1 < ... at gmail dot com>: Relay
access denied; from=< ... at example dot com> to=< ... at gmail dot com> proto=ESMTP

I believe I've got a configuration issue with my *restrictions, I'd
appreciate any suggestions.

Header change

Switching to dovecot LMTP appears to have changed the information in the received header:

Here’s what the received header used to look like:

Received: from [] ( [])
by (Postfix) with ESMTPS id B67B8118AD59
for < ... at kreme dot com>; Sun, 16 Aug 2009 22:19:02 -0600 (MDT)

As opposed to now:

Received: from darth.lan ( [])
by 3.4.5/8.13.0) with SMTP id unknown;
Sun, 16 Jun 2019 15:26:32 -0600
(envelope-from < ... at kreme dot com>)

The first

Using always_bcc with FILTER action


We have a postfix instance that does internal routing based on headers. This
is implemented using header_checks like this:

/^header-A/ FILTER smtp:[]
/^header-B/ FILTER smtp:[]

Is it possible to send a copy of every email to a third server, say


Since I have moved all local users to virtual users and switched dovecot to lmtp from lda, I was able to add reject_unverified_recipient to my restrictions, and it occurred to me maybe some of the other restrictions could be eliminated.

Do reject_non_fqdn_recipient and reject_unauth_destination do anything that isn’t done with the check for unverified recipient?

smtpd_recipient_restrictions = reject_unauth_destination

authenticate o365 users with postfix without smtp auth


we are running a small smtp relay service with postfix for authenticated
users. Unfortunately office 365 does not offer any smtp authentication
mechanism when sending mails via connectors to smarthosts.

how could one protect smtp submission in another way?

without authentication, everyone from MS ip ranges with valid sender
address could relay through our service. I don't like to open our service
'blind' to MS ip ranges.

Ideas/Thoughts are very welcome.


'SERVFAIL' error on DNS 'TXT' lookup

Hi folks,

Lately when I am trying to send an email to a specific customer domain I
have below error.

host[customer-mx-server-ip] said: 450 4.7.1 <
... at customerdomain dot com>: Recipient address rejected: SPF-Result= 'SERVFAIL' error on DNS 'TXT' lookup of '' (in reply to RCPT TO command))

... at customerdomain dot com

I don't really understand the error but I tried to add an SPF record
("v=spf1 mx -all") to my dns domain but it didn't solve the issue.

Delay in qmgr


We have two servers with identical configuration running Postfix 2.6.6 on
Redhat 6.x.

One of the servers recently upgraded from Redhat 6.4 to Redhat 6.10. No
major changes are reported. Postfix configuration was unchanged.

On the upgraded server there is a strange delay in the active queue. The
messages are accepted, but they stay in the queue after delivery.

Getting Postfix to Honor SPF?

So how do you get postfix to honor (strictly) the SPF record in the DNS

Sorry if this is a dumb question, first post. :)


DANE with own CA

Hi, I already have a working DNSSEC with my own CA. Can I use DANE with
postfix or do I need a certificate from a known CA in order to do that?

Postfix LMTP to remote LMTP server


Been trying to set Postfix to deliver mail via LMTP to a remote LMTP server
which also supports the IMAP mailstore. This remote server is on the same

Postfix works fine by sending and receiving mail.

spoofing to my owndomain

Hi, I'm using Postfix MTA and I have set up SPF, DKIM, DMARC records of my domain.
Someone is spoofing my domain address like *@mydomain to my own domain users.
How can I block this using postfix?

Postfix update resulted in mails going to spam?


I recently upgraded my mail server OS (Debian 7 to Debian 9), and at the
same time got
the latest postfix package for Debian 9.

It is hosted in the cloud (Linode), and I completely rebuilt the
instance, rather than
doing an upgrade. The IP addresses (v4 and v6) are the same. The config
change (I use ansible to deploy both the software and config - no manual
steps required).

After the upgrade, I sent a test e-mail to my gmail account, and it went
to the
Junk folder.

Milter connection limit


I'm running into problems with OpenDKIM and a 1024 libmilter connection
limit (or port-reservation limit) during peak hours.

Is there any way to limit/throttle the number of connections made to a

Trying to resolve Client host rejected: Access denied errors

Hello everyone,

I am recently no longer able to send mail out from my postfix server. Receiving email works fine.

Postfix audit

Hi guys,

We're in an audit process here and this is giving us a headache.

Is there any way to log the MTA to MTA transactions one per file?

For example, client requests to send a message, the MTA says OK, sends
the message and keep a log of the MTA to MTA transaction.

Thanks in advance.



Virtual users and local users in the same domain?

Given that I have two users, ... at example dot com and ... at example dot com who are currently both local users and given that, is it possible to configure postfix such that one of them is in the mysql database and one is still local?

postfix aliases not functioning with dovecot LDA; want to forward to command

I'm trying to use postforward[1] to use SRS on a small percentage of my
users to send their mail to their personal Gmail accounts. (Postforward
is specified as a command to run in /etc/mail/aliases.) I had this
working until I switched to using Dovecot's LMTP client as the LDA
(wanted sieve support).
I now get errors from Dovecot that indicate /etc/mail/aliases aren't
getting triggered.

Basic question...

All, sorry for posting a basic question…

I’ve got an old box running as my mail server.
I want to bring up Postfix on my new box and not only have it as my secondary MX server, I’d like to have my mail from the first server replicated to the second server.

What’s the best/easiest way to do this?

It's for my SOHO, so it's a basic set up.




I'd very much like to move my (Postfix) mail server, which currently resides
on a (static IP) end-luser broadband line, to some VM in the cloud someplace,
and then use something like fetchmail to poll that periodically to pull
down all mail for my several domains and then have fetchmail re-inject
all of those mail messages into the local Postfix. The plan would be to
get all this running and then give up my local static IP here, exchanging
it for a dynamic one instead.

Regexp Postfix query doesn't stop at the first matching rule


I would be really thankful if someone could clarify it, please. It says the
following, "Postfix works as documented in regexp_table(5) and
pcre_table(5), i.e. each query stops at the first matching rule. Now the
following two rules are in conflict:

/^From:\s*assistant\@gmail\.com$/ REPLACE Subject: New Report.
/^Subject:\s*$/ REJECT Empty subjects fields are rejected.

It doesn't stop at the first matching rule where the subject is replaced.
Instead, it stops at the second matching rule where empty subject fields are
