Postfix is silently discarding emails

In a special case Postfix (3.3.0 and 3.2.5 at least) will silently discard emails without logging
anything about it.

After moving to a new server a lot of mail was delivered to the luser_relay user, and when changing
this user to the main user of the system, all emails were lost with the only trace of them in the
maillog as one line of

postfix/qmgr[29592]: ACA2B201E3B00: removed

after received from amavisd.

The cause of this is the following:

The sequence of users in /etc/passwd had changed.

For historical reasons there are some users and groups in /etc/passwd and /etc/groups which

src/global/dict_mysql.c (postfix 3.2.0-5, 3.3.0 and current) to allow build against MySQL 8.x

From <a href="" title=""></a>
o MYSQL_OPT_SSL_VERIFY_SERVER_CERT (argument type: my_bool *)
This option is deprecated as of MySQL 5.7.11 and is removed in MySQL 8.0.

There are some issues in case postfix builds against mariadb or percona instead of
mysql, because both define MYSQL_VERSION_ID >= 50711 and only mariadb also

mariadb (10.2.13):
#define MYSQL_VERSION_ID 100212
#define MARIADB_VERSION_ID 100212

percona (5.7.20-18):
#define MY

Postfix documentation patches not merged


I sent an email to the list on August 22nd 2017 with some documentation
patches. They have not been merged yet. I can see my email in the
postfix-devel list archive. Is there something else I need to do to get
the patches merged?

Best regards,
-Sven Neuhaus

Writing a SMTP Extension


recently I got a project at university which includes an enhancement for Postfix. I read through the code already and tried to understand the various daemons. I feel a little lost because this is the first big open source project I am working on.

The project description states that I have to implement some SMTP extension which provides two features. (1) The owner of an SMTP account should be able to upload personal information in the vCard format onto his mail account after authentication.

doc: try to clarify owner- alias handling

First apologies if this is the wrong mailing list for
documentation patches.

This patch (based on the 3.2.4 sources) tries to improve the
documentation of the owner- alias handling.

OpenSSL fips mode

Hi all,

Attached please find a patch that adds a new configuration option to turn on OpenSSL FIPS mode (if supported by the installed version of OpenSSL lib).

Please feel free to modify the style/code and especially the documentation :)
and let me know of any required changes.

Kind regards,
Nik Kostaras


Documentation patches


there's a semicolon missing in the MILTER_README.html, breaking a HTML
After noticing that I went looking and found two more missing semicolons
in the SMTPD_ACCESS_README.html and some unescaped ampersands in

I've attached patches against postfix-3.3-20170730.

-Sven Neuhaus

BAD signature from "Wietse Venema <>"

I seem to be having some trouble checking the sigs on

$ gpg --verify postfix-3.2.2.tar.gz.gpg1 postfix-3.3-20170613.tar.gz
gpg: Signature made 2017-06-13T13:35:00 PDT using RSA key ID C12BCD99
gpg: Note: signatures using the MD5 algorithm are rejected
gpg: Can't check signature: bad public key

Oops, try again:

$ gpg --allow-weak-digest-algos --verify postfix-3.2.2.tar.gz.gpg1
gpg: Signature made 2017-06-13T13:35:00 PDT using RSA key ID C12BCD99
gpg: WARNING: digest algorithm MD5 is deprecated
gpg: please see <a href="" title=""></a>

smtp outbound proxy protocol support

Attached is a patch that configurably enables smtp to send a v1 PROXY
protocol string before HELO.

We have a specific use case where we want postfix to be able to specify the
sending IP to use to our network edges, and PROXY protocol seemed ideal for
this. We can just override the "source" ip to use in the protocol
string, and the edge proxy/firewall can SNAT using the provided IP. I
realize this is kind of an esoteric use case for PROXY protocol, but
figured I'd submit the patch for some eyes even if it's not considered
for merging upstream.

Verify.db and hitting address verification limit on postfix-3.1.4


Last week one of our clients got DDoS:ed very badly and I noticed that
"Too many address verification requests" get cached in the verify.db as
negative hits. I really think that is wrong. Only negative hits that
come from the next hop should be cached.

Disabling negative hit caching kind of "nullifies" the idea of the
cache, even though it can be used temporarily to solve this.

Mika Ilmaranta

Spelling fixes

Hello. I've been offering spelling fixes to many projects for a long time.
I can't find the right entry-point for this project

My changes are here:
<a href="" title=""></a>

My goal, of course, is for them to be accepted, so if there's a
license waiver I need to sign, just let me know.

140 files changed, 339 insertions(+), 339 deletions(-)
wc: 3148 18117 143025

I'm not particularly interested in sending a 140k patch by email. Most
lists do not accept them. That said, I can do so if that's requested.

postfix-pgsql to use connection string


I am using postfix-pgsql with ssl authentication. Therefore I need to
provide a connection string for postgres connections. A patch is
attached to do so.

See <a href="" title=""></a> for
more details.

Static code checker research worth investigating (Communications of the ACM, 03/2016, Vol. 59, No. 03, p. 99)

Interesting article in latest issue of subject titled:

"A Differential Approach to Undefined Behavior Detection"

which may describe procedures not used in other static analysis programs.

Article references the authors' website here:

<a href="" title=""></a>

which contains more info links and a link to the software on github here:

<a href="" title=""></a>

Best regards,


Enforcing minimum TLS versions in postfix

We're currently reviving the STARTTLS Everywhere
(<a href="" title=""></a>) project at EFF. Some
of the features it currently has:

* Know about a set of major email domains that are guaranteed to
support STARTTLS, and what mx domains they point to
* Know about the minimum TLS version that those domains are guaranteed
to support
* Preliminary integration with the letsencrypt python client, allowing
automated installation of a valid cert from Let's Encrypt

The code can currently transform all of the above into tweaks to a
postfix configuration.

question on non-printable characters in logging


Postfix will convert the non-printable characters into "?" before logging.
Is there any way to convert those non-printable characters to UTF8 instead
of replacing with "?" ? Otherwise it is not easy to dig out the sender or
msg-id if containing non-printable characters such as European characters.
Many thanks in advance.


RFE: postqueue top sender

Would it be possible to implement a new postqueue option that prints the top
senders currently in queue? Something like 'postqueue -t':

109 ... at example dot com
7 ... at example dot com
. ...

Of course I can do that with sort, awk, uniq etc.


smtpd_sender_login_maps and multiple lookup tables


This is perhaps old news, but couldn’t find anything related in the archives nor in the release notes.
So, just in case… ;-)

Up to now, I had :

smtpd_sender_login_maps = sqlite:db_sender_login_map
db_sender_login_map_dbpath = […]
db_sender_login_map_query = […]

submission_sender_restrictions =

submission inet n - n - - smtpd
-o smtpd_sender_restrictions=$submission_sender_restrictions

and everything seemed to be working as expected (Postfix 2.11.0 - 201401

RFE: Additional postqueue output format

The current postqueue output format is somewhat like this:

$ postqueue -p
----Queue ID----- --Size-- ---Arrival Time---- --Sender/Recipient------
3n97rq4vbmz1gT 2660 Tue Sep 8 03:18:03 dane-users- ... at sys4 dot de
(connect to some.server.tld[]:25: Connection refused)
... at server dot tld
(conversation with some.otherserver.tld[] timed out while receiving the initial server greeting)
rcpt@remote-destination.tld

I - at least I - find it hard to write scrip

multi IPv6 bindings but single IPv4 fallback in mixedmode possible??

Hi@ Developers

I have a setup in my for multiple IPv6 Addresses with SSL and
TLS configured and on my IPv6 Layer everything works as expected.
The Problem: Some of the Mailhosters don't accept IPv6 MTA's at this
time and so I need a fallback, but I have only 1 IPv4 Address in my Root
Server Webhosting Package.

Can I run IPv4 Virtualhosts on one single IPv4 address at the same time
while IPv6 instances are running normally side by side?

Right now I use a single IPv4 / virtual host smtp.mydomain.tld but
unfortunately in the received by header of Thunderbird and other Mail

Hi there

I am just a new postfix user/development interested person

TLS shake broken but openssl s_client succeed


I know there are several similar mail threads to discuss the TLS handshake
failure issue (such as:
<a href="" title=""></a>). However, my
situation is that I use same cipher list on posttls-finger and openssl
s_client, posttls-finger failed but openssl s_client succeeded.

The remote MTA is MS exchange 2003, and it supports RC4-MD5 cipher. On my
postfix machine, the openssl version is 1.0.1e.

I use this cipher list: 'ALL:+RC4:!3DES:@STRENGTH', the index of RC4-SHA is
77/78 in this list.

question on qmgr_transport_select()


I went thru the qmgr source code and found an odd logic, from the comments
we can know it will stop until we run out of "todo" entries. However the
implementation is:
if ((need -= MIN5af51743e4eef(queue->window - queue->busy_refcount,
queue->todo_refcount)) <= 0)

suppose if transport->pending is 1, so the value of need is 2 (pending+1),
queue->window is 5 by default(destination concurrent connection). Now there
is one todo entry and one busy entry, so min(queue->window -
queue->busy_refcount, queue->todo_refcount) is 1, which cause the
invalidation of if statement.

Postfix 3.0.1 dynamicmaps.c

dymap_init() reads /etc/postfix/ directory and we seem
to constantly get "warning: /etc/postfix/ directory
read error: No such file or directory".

Apr 21 16:41:47 foo7 postfix/qmgr[3538]: scan_dir_push: open
Apr 21 16:41:47 foo7 postfix/qmgr[3538]: scan_dir_next: skip .
Apr 21 16:41:47 foo7 postfix/qmgr[3538]: scan_dir_next: skip ..
Apr 21 16:41:47 foo7 postfix/qmgr[3538]: warning:
/etc/postfix/ directory read error: No such file or
Apr 21 16:41:47 foo7 postfix/qmgr[3538]: scan_dir_pop: close

missing include in allascii.c

We seem to be missing an #include <string.h> in allascii.c:

allascii.c: In function ‘allascii_len’:
allascii.c:51:8: warning: incompatible implicit declaration of built-in
function ‘strlen’
len = strlen(string);

--- src/util/allascii.c 2015-02-17 00:43:56.000000000 +0000
+++ src/util//allascii.c 2015-02-17 10:01:47.775727110 +0000
@@ -35,6 +35,7 @@

#include <sys_defs.h>
#include <ctype.h>
+#include <string.h>

/* Utility library. */
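
Review bot: The `+++` header names `src/util//allascii.c` with a doubled slash while the `---` header uses `src/util/allascii.c`; regenerate the diff so both paths match and the patch applies cleanly at any strip level. The added `#include <string.h>` is placed with the other system headers after `<ctype.h>`, which is the right group for the `strlen` declaration the compiler warning at allascii.c:51 asks for.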

Possible problem with dead code in src/postlog/postlog.c

Hello all,

This is my first post on the postfix-devel mailing list.

While investigating a problem with postlog.c in postfix release 2.6.6
seg faulting when invoked as "postlog -h", we discovered that the code
was trying to print a string called tag, but the tag variable had been
set to a null pointer at line 209:

tag = 0;

In later versions (I checked 2.10 and 3.1) of the postlog.c code, that
line has been removed, eliminating the seg fault problem, however the
code after the while loop (line 243 in 2.6.6, and still present in 3.1)
still seems to expect that the value of tag can

Defensive liveness testing of DNSBLs

Over on another list, people were grousing that it's impossible to
shut down a DNSBL because no matter what you do, clueless people with
dusty mail configurations will keep hammering on it. You can list
nothing, or list everything, or put in long delays, or return
delegations to name servers on nonexistent networks, or return text
records with obscene insults, but they will keep hammering.

smtpd xclient and sasl

We use postfix with dovecot as a sasl backend, and have run into a small
issue with the XCLIENT extension and SASL. smtpd_sasl_activate is
called only upon the initial connection to smtpd, and that sets the sasl
structure to using the socket's remote ip address. When XCLIENT is
used, a new ip address is specified but the sasl structure is not

Adding transactional capabilities to Postfix


I'm using Postfix few months (before I use qmail for 10+ years). It's a great
piece of software. Because I'm using it also on smtp relay, I want to add
some transactional capabilities.

The primary reason is "monitoring activity of our smtp relay users" and
actively disabling problem users in realtime.

The one approach is to calculate successful ratio of sending email. Some
kind of transaction log statistics.

My idea is pretty simple: for each smtp user (sasl user name) store
statistics/log for each simple delivery (based on queue id).

Cygwin port of postfix 2.11.3


just for info: I ported postfix 2.11.3 to Cygwin.

The patch:
<a href="" title=""></a>
Shouldn't break builds on other platforms. This was tested on Debian.

Binaries are available in the Cygwin net distribution:
<a href="" title=""></a>


Error building postfix-2.12-20141207

I am getting the following error when building postfix-2.12-20141207:

x86_64-pc-linux-gnu-gcc -I. -I../../include -DHAS_PCRE -DHAS_LDAP
-DUSE_TLS -DHAS_LMDB -DNO_NIS -DHAS_CDB -I/usr/include/cdb
-DSNAPSHOT -DDEF_SHLIB_DIR=\"/usr/lib64/postfix/\${mail_version}\"
-Wno-comment -I. -I../../include -DLINUX3 -c smtpd.c
smtpd.c:4678:22: error: ‘unimpl_cmd’ undeclared here (not in a function)
{SMTPD_CMD_AUTH, unimpl_cmd,},

tarball signature digest algorithm


while packaging postfix 2.11.1 I noticed that the corresponding pgp/gpg
signature is generated using the md5 digest algorithm. MD5 is now
disabled as an acceptable digest method for signatures for source
tarballs of openSUSE packages. Would it be possible to re-issue the
signature using a SHA-1 or any of the SHA-2 family?

Many thanks,
Andreas Stieger

beefing up Postfix macro processing

I've been looking into an old wish to make Postfix headers and (some
of the) Postfix logging configurable. But before that could happen,
the $name expansion logic needed to be extended because it is a bit

This week I added support for if-then-else logic in conditional
$name expansion and support for conditional expansions based
on the (in)equality of text strings. For example:

${{text1} == ${text2} ? {text3} : {text4}}

Where text1..text4 are subject to $name expansion. For the curious:
``${{text1} == ${text2}}'' evaluates to empty or "true".

Overriding earlier entry...


recently I noticed this warning about "overriding earlier entry". At
first I did not pay it much attention, but it became enough annoying
to look at it recently.

I am sending this email because I think that we need to do something
about it, and hope that this will help communicate valid ideas around.

Situation is a bit quirky, because of the following facts:
1. postfix manual clearly states: "When the same parameter is defined
multiple times, only the last instance is remembered."
2. Postfix uses almost no command line arguments

Re: [PATCH] smtpd_policy_service_(error_sleep_time|max_keepalive)

On 27.06.2014 15:31, ... at porcupine dot org wrote:



attached is a patch which adds the following configuration options
to postfix:


The first one will make the sleep(1) in attr_clnt_request configurable.
(line with comment /* XXX make configurable */)
In anvil_clnt.c and tls_mgr.c, where attr_clnt is also used, the current default 1 is used.
For check_policy_service (smtpd_check.c) the configuration parameter is used.

The second one will cause postfix to disconnect after the specified
amount of requests made over a policyd connection.
If set to 0 it will be dis

Patch: Unicode email support (RFC 6531, 6532, 6533)


at <a href="" title=""></a> you will find a
patch to add unicode email support to Postfix. The patch is relative to

I tried to append it to a list posting, but the result was too large for
the list, hence the URL.

A short overview of the RFCs: You can use naked UTF8 in localparts and
domain, and you can usually forget about quoted-printable. There's an
interlock to make sure that UTF8 messages are only ever sent to servers
that understand UTF8 addresses.


I can't compile and install Postfix 2.10.3 and above with pcre 8.35 on
Mac OS X 10.9.2. Postfix 2.10.2 works.

RFC: Verify concurrency limit


I'm one of the maintainers of multi-node spam checking service. We were
recently hit by DDoS attack. We received hundreds of emails per second,
all targeted to ... at single dot. Unfortunately
had "unknown receiver tarpit" feature enabled and we had (must have)
"reject_unverified_recipient" option enabled on our side. This resulted in
hundreds of verify probes per second, but client replied to less than
one per second. This resulted in a HUGE mail queue of verify probes plus
couple of real emails.

Ambiguous description on "reject_unknown_recipient_domain"


When I checked the description of "reject_unknown_recipient_domain" on
official portal: <a href="" title=""></a>, I found the
description is ambiguous with the implementation.

Below is the quote from portal:
*reject_unknown_recipient_domain* Reject the request when Postfix is not
final destination for the recipient domain, and the RCPT TO domain has 1) *no
DNS A or MX record* or 2) .......

From the description, if one domain has no DNS A record or no DNS MX
record, it will be rejected as unknown recipient domain, however, the
implementation is:
It will check MX record fi

What causes 550 Action not taken ?

I have a little server that pumps out spam to people who pay me for
it. (Yes, really.)

Looking at the logs, I'm seeing a lot of "550 Action not taken" at end
of data from recipient systems which I believe are running Postfix.
Can someone tell me what that means, so I can tell the recipients to
undo whatever they did to cause it?

The mail typically has a vast SpamAssassin score and often contains
viruses. Due to the volume it's common to have 20 open SMTP sessions
per recipient. The recipients use it to tune their spam filters, look
for phish campaigns, and the like.


TLS support


I've been looking at the current state of TLS support in postfix.
I notice that the documentation on the website says it will
support DANE in the 2.11 version.

DANE will make it possible for us to have mandatory encryption, so
I would like to see that we can get the best out of that.

So one thing I've noticed is that you currently only have settings
for dh512 and dh1024.

X-Original-To via XFORWARD?


on mailstores (read: Dovecot) we often would like to know X-Original-To in
order to apply SIEVE-Rules against the X-Original-To value.

Obviously it doesn't make sense to add that header and send it via SMTP/LMTP
if a message has more than one recipient. But what if we set

Would it then be safe and possible to forward X-Original-To via SMTP/LMTP?

Dovecot (or any other receiver) could use the information and add the header.


Patch: Support NOTIFY ESMTP parameter in SMFIR_ADDRCPT_PAR


The following patch adds support for setting the NOTIFY ESMTP parameter
via the SMFIR_ADDRCPT_PAR milter command, as per the milter spec
(previously, Postfix ignored all ESMTP parameters passed to this milter

The patch is simple and only touches two functions because most of the
required pieces were already there. All I needed to do was split the
argument list, parse the NOTIFY parameter (using the existing
dsn_notify_mask() function), and pass the result as the last argument to
cleanup_addr_bcc_dsn(), instead of always passing DEF_DSN_NOTIFY.

Patch: Expose custom data to postfix map lookups, and call for help

My organization has a requirement to expose a custom value to various
map lookups[1], such as the transport map. We wrote a patch to
accomplish this, and it has been working well in production for at least
a couple years, with postfix 2.8.2[4]. We have recently attempted to
port the patch to 2.10.2[5], but are experiencing some problems.

PATCH: Add support in dict_mysql.c for enabling SSL and reading from my.cnf files


The following patch adds support for using SSL when connecting to a
MySQL server and support for reading my.cnf files which can set other
connection related options.

New configuration parameters for SSL connections are -

tls_cert_file - File containing the client's public key.
tls_key_file - File containing the client's private key.
tls_CAfile - File containing the server's public key.
tls_CApath - Directory containing the server's public key.
tls_ciphers - A list of permissible ciphers to use for encryption.
tls_verify_cert - Verify that the name of th

Email Address length check


Why is there no length limitation on Email Address (there is max
length:320 on RFC: <a href="" title=""></a>)? Is there any plan
on it?
The workaround is to add such checking on PolicyD or Milter.


Patch to support multiple destination on transport


Currently Postfix doesn't support multiple destinations on transport (eg:
smtp: []:25, []:10025 this is not supported).
However Postfix supports multiple destinations on smtp_fallback_relay (eg:
smtp_fallback_relay = []:25, []:10025).
Now I have implemented this feature (support multiple destinations) based
on Postfix 2.8.8 (it's easy to add it on latest version).
My question is who I can contact to check whether/how I add my patch
on source code tree.
Many thanks in advance.

King Cao

limits for slow messages (patch)


attached is my first take on the problem we have discussed few weeks ago -
limiting amount of deferred messages in the active queue and limiting
amount of delivery agents used by presumably "slow" deferred messages.

The patch contains several incremental parts which show how I developed
this and which make it more readable at the same time.

The first half of the patch implements the active queue limit. Few

- The qmgr_loop() now always round robins the queues. The original version
stopped doing that when active queue was full and incoming mail kept
flowing in.

'reject_unknown_helo_hostname' shouldn't exist


Postfix's documentation quotes for 'reject_unknown_helo_hostname':
"Reject the request when the HELO or EHLO hostname has no DNS A or MX

Under '3.6 Domains' of RFC 2821 it says:

"Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs."

I have seen in Postfix's documentation that it caters for 'home-grown'
software for some attributes.

Bug in Postfix regarding the 'smtpd_helo_required' option


There is a bug in Postfix's 'smtpd_helo_required' option, with the
attribute 'reject_non_fqdn_helo_hostname'.

Postfix does not accept an address literal for a HELO or EHLO message,
and Postfix's documentation says a FQDN is required for a HELO or EHLO.

This is not RFC 2821 states under ' Extended HELLO (EHLO) or
HELLO (HELO)' that an address literal must be accepted.

Postfix documentation will also need to be updated with the correct

<a href="" title=""></a>

Also, my e-mail address was recently removed from the pos

Postfix and 'smtpd_helo_required'


Since I started using mailing-lists, my inbox has been attacked with
spam. At first it was not so bad, but now it's ridiculous and I have to act.

I am currently looking at using the 'smtpd_helo_required' parameter in
my main.cf configuration file.

I am someone that won't use a spam prevention method that could block a
legitimate e-mail, and as so, my way of fighting spam is by
protocol-compliance means only.

I wasn't sure if 'smtpd_helo_required' was suitable as I wasn't sure if
the SMTP 'HELO' message was a protocol requirement.

Separate transport for retried recipients


Some time ago I was setting up yet another postfix deployment, and I was
once again thinking about the case when (temporarily) undeliverable
recipients block most or all of the available delivery agents.

In enterprise environments this problem has been traditionally solved by
using the fallback_relay feature to pass these recipients to standalone
postfix server (or at least separate instance).

Draft design: Building email archival support into Postfix

This week I was asked to help out colleagues who were trying to
make Postfix work with some email archive system. I drafted up a
few solutions, one of which was adopted.

During this exercise I realized that this would be less painful if
Postfix had built-in support to create "archive-quality" copies of
email messages.

PATCH: MacOS X use select() instead of poll()

This patch implements the third solution that I described earlier:
use kqueue() for event handling, and use select() to enforce
read/write time limits.

This code will attempt to handle descriptors >=FD_SETSIZE, by
dup()ing them down if possible.

Postfix 2.10.0, Mac OS X 10.8.3 and kqueue

Since I needed to compile Postfix, I thought this could be the opportunity to check the state of kqueue on Mac OS X at the same time: the most recent thread I could find about those matters is the one that started with ... at postfix dot org/2007-03/msg00051.html.

This is with Postfix 2.10.0 on Mac OS X 10.8.3.

The change introduced in the makedefs file is:

--- makedefs.original 2013-02-04 02:33:13.000000000 +0100
+++ makedefs 2013-03-21 13:47:26.000000000 +0100
@@ -476,7 +476,11 @@

Mac OS X and setrlimit(2)


(Not sure whether the postfix-devel list is the right place for such matters; please let me know if another place, for example the postfix-users list, would be more suitable)

Starting with Mac OS X 10.5, the man page for setrlimit(2) comes with following compatibility section:

setrlimit() now returns with errno set to EINVAL in places that
historically succeeded. It no longer accepts "rlim_cur = RLIM_INFINITY"

Logging TLS level and used cipher in sent()

Hi All,

I'm looking for pointers how to get this information:
postfix/smtp[y]: Trusted TLS connection established to
mail.server.tld[x.x.x.x]:25: TLSv1 with cipher AES256-SHA (256/256 bits)

added to the log line that is generated by the sent() as now it's pretty
hard or time consuming to grep from logs if the recipient was encrypted
as that tls_client_start() doesn't log the queue ID.

Background: I'm using smtp_tls_policy_maps to enforce certain next hops
to use "encrypt" but for rest of the next-hops I'd like to produce
reports whether TLS was used/was available.

Toni Mattila

DANE, DNSSEC, GnuTLS, Postfix, Exim

When can we expect a Postfix release, that will support DANE
protocol ? so that it(postfix) can verify (using DANE & DNSSEC
protocols) the signed (and free) SSL/TLS certificates(cert) (or
fingerprints) which we can pre-add in TLSA, (CERT, HASTLS, etc) DNS
(DNSSEC) records, and then it(postfix) will use those(cert) for
secure (smtp) communication, and to verify SMTP servers.

Currently (Jan 12, 2013), the last+stable GnuTLS, now supports DANE,
(and as of right now, OpenSSL (or any openssl modules) yet does not
support DANE).

New feature: content filter rejects message but don't bounce


Postfix allows a content filter to be configured as part of the message
sending chain (via the content_filter parameter), and the content filter
can be a script which is invoked using the pipe delivery agent. Looking
at the pipe.c source code, it looks like the eval_command_status
function will always bounce or defer e-mail unless command_status is
PIPE_STAT_OK, in which case Postfix will log 2.0.0 (mail delivered via...)

The trouble is, a content filter may want to discard the e-mail (for
instance, if it is sure it's spam), yet not generate a bounce.

$myhostname passing through unresolved in ldap table queries

Hi all,

I've had an LDAP table in configured for a number of years containing the following filter, and this has worked fine. The filter matches all email addresses that should be delivered anywhere except for the local server:

ldapremote_query_filter = (&(|(mail=%s)(mailAlternateAddress=%s))(!(mailHost=$myhostname)))

I have since tried to update the LDAP table configuration to use separate files as recommended by the docs, for example ldap:/etc/postfix/, and after doing so delivery fails with a mail loop.
