Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with Postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Question about

I create a new account at and add my primary domain in their portal.

I also request them to add my outgoing SMTP IPs (I think they manually check it before add).

To query their database, do I have to ask them to add my resolver's IPs too?

It looks like they allow access from "unknown" IPs (test it with nslookup), but I want to make sure that registering resolver's IPs is not needed to avoid them block the requests made by my resolvers in the future.

Relay mail from virtual domains and issue when the sender and recipient is on same server

What I want to do:

I want to disable local delivery for e-mails from virtual domains / mailboxes when sender / recipient is on same server. I want these e-mails to pass through a relay.

My setup :

I have postfix and dovecot on and acts as relay for MX for points to so incoming e-mails go to this server. Outgoing e-mails for domains not hosted in go through the relay.

Certificate Replacement

I am needing to replace the certificate and key. Are they read and cached when postfix starts, or are they read during normal mail handling? In other words, can I replace the files or do I need to do a reload or restart of the service afterwards?

-- Doug

Postfix [Postfwd2 error]


In /var/log/maillog i see this error, which produce an excessive cpu usage

postfwd2/policy[4807]: warning: Complex regular subexpression recursion
limit (32766) exceeded at /opt/postfix/postfwd/sbin/postfwd2 line 1168,
<$fh> line 230.?

any ideas?


problem with sending emails from second IP

I have ovh public cloud server.

Blocking mail from all but one domain

I have a postfix-3.1.4 installation and have been given a request to
block all incoming mail from all but a single specific domain and
block all outgoing mail with the exception of only that same single
specific domain.

Mail is received by a relay server,, then forwarded
to a pop/imap server, on the same network. We wish
to reject all inbound mail with the exception of
from being received by

Subject Regular expression


I have a problem when locking with regular expressions

I need match

/^Subject: (Hello there(.*)|Hey man(.*))/ discard

The rule does not work!

the parameter. * is correct?

any ideas?

thanks for your help.

Emails from postfix are getting distorted/modified if it contains domain name

Hi All,

Recently we installed ssl certificates on our smtp postfix server which is
hosted on RHEL 6.9.

Problem we are facing is whenever the email are being sent from postfix
server the email gets modified when it encounters domain name with https
links. below is example:

original link :


Modified link which is received via email:

https://secure-cisco.wevdjkjdkfnfdfldkfne/ejkfejkfekekfsnsbbdgemmnd3565sd13d5ef/domaiddsjk5ef5ename/55%ccm/jkdfksf55%web

What could be the reason for the https links containing domain name to get


Is reject_unknown_{reverse_}client_hostname safe?


I have been using

smtpd_relay_restrictions =
warn_if_reject reject_unknown_client_hostname

for a long while in my configuration, where the warn_if_reject is there
because I thought that the more strict check could have blocked some
legitimate email.

Problem Postfix header from is empty (<>)

Hello, I use exim with relay connection to postfix (postfix is the mta

I use a autoreply in exim:

# Exim filter
if error_message then

if $message_headers contains ${local_part}\@${domain} then
  to ${reply_address}
  from "\"=?iso-8859-1?Q?Administraci=F3n_TRIXIE?=\"
  #reply_to $h_to:
  subject "Licencia de Vacaciones.

Substitute original address in virtual_alias_maps


If I have a virtual alias map like this:

@domain.tld ... at otherdomain dot tld ... at somedomain dot tld

Then all e-mails to domain.tld will be forwarded to the two given
addresses, right?

Fine. But then, I want those e-mails to be delivered to the original
recipient too. For example, if ... at domain dot tld receives an e-mail, I
want it to be delivered to 3 addresses: ... at otherdomain dot tld,
... at somedomain dot tld, and ... at domain dot tld itself. If I could
add the address to the list, it would be fine, but... it's a variable.
How can I substitute a variable there?

Postfix configuration


Sorry for my English, I'm French.

I have some doubts about my Postfix configuration.

I have a private mail server, at my home, allowing me to have my
personal e-mails ( )

My architecture is the following one (on Raspberry Pi with Raspbian):

- 1 mail server with Postfix, Dovecot, Amavis, Spamassassin, ClamAV

- 3 other servers, not mail servers

I can send and receive e-mails, from inside and outside without any

I use a SMTP relay (my provider SMTP).

I have a domain and the MX record is OK.

But I'm not sure about my Postfix configuration.

Re: Keep Postfix running in the foreground

:) I don't write the code, just reporting the bad news!

I think however the reasoning is as follows: clearly a user-mode process
can send a signal to init to force it to re-read its config, etc.
At the time that said process generates the signal with the kill system
call, it could be masked.

Re: Keep Postfix running in the foreground

Correct. The Linux kernel doesn't allow you to send a signal to pid 1
that would cause its termination. pid 1 is normally the init process,
and terminating it essentially renders the system useless.

Use of separate storage for mailboxes


I am facing one issue which is mostly about concepts. I have to be clear on
that to move forward. I have tried finding solutions about it but couldn't
find anything which talks about it.

We have a setup which includes postfix and dovecot. We are using lmtp and
delivery of mail is happening through dovecot. We want that delivery of
mail should happen in a separate node. I was able to achieve it through
lmtp by providing ip address and using port 24.

But now I have been asked to just try to deliver to a separate storage
medium and not node.


Hello everybody,

I was wondering if anybody could advise please, on what does this log entry
mean postfix/smtp/smtpd? I know postfix/smtp is to send mails out to the
world, postfix/smtpd stands for daemon that rules out deliveries for
incoming mail. What about postfix/smtp/smtpd? Is it something in between
incoming and outgoing messages? Does it perhaps mean that some clients try
to connect to my 465 port? If that is the case then do they try to send or
receive here? Would appreciate any pointers from experts. Many thanks in

domain email autoconfiguration


If anyone has autoconfiguration going with their email domain please
email me privately. I'd like to ask you some questions about your
setup. What do you use?


reduce logging of postscreen and dnsblog

is it possible to reduce logs from subject and still keeping logging for
new connection that are not cached in postscreen cache ?

checked logs today, i have more logs of bots than real users :/

makes it waste of log lines for content already logged :/

Avoid double scanning from MailScanner

Hi All,

The question on the following is: how can I enable MailScanner filtering
for both incoming and outgoing emails, without having double scans at
incoming emails and none at outgoing?

I have setup the following:

Incoming emails are delivered with SMTP to server -> then forwarded to
MailScanner -> then to the filter script -> then to UUCP -> then to
alternate postfix server.

The Mailscanner is invoked with header_checks through
header_checks = regexp:/etc/postfix/header_checks

cat /etc/postfix/header_checks
/^Received:/ HOLD

The filter is invoked with smtpd options from m

Any one could explain the reason why postfix record log "smtp_get: EOF", Thanks!

I have added the client IP into mynetworks, but smtp connection from the
specified account from the specified device always be lost, after data

Anyone could give me some suggestion?

thanks very much!

postfix log:
2018-03-28T09:56:31.619016+08:00 localhost postfix/smtpd[2197]: smtp_get:
2018-03-28T09:56:31.619019+08:00 localhost postfix/smtpd[2197]:
match_hostname: smtpd_client_event_limit_exceptions: unknown ~?

Does postfix reject spoofed senders?

Is there a reliable way to reject incoming mails with a spoofed e-mail


Forcing TLS 1.2 on submission


I am attempting to restrict the TLS protocol version used by my SMTP AUTH’d clients on the submission service.

In I have added the following to the submission service:

-o smtpd_tls_ciphers=high
-o smtpd_tls_exclude_ciphers=EXPORT,MEDIUM
-o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2

…however, when I test via the OpenSSL client:

openssl s_client -connect -starttls smtp -tls1

…it connects and negotiates TLS 1.0. It will also negotiate TLS 1.1 and TLS 1.2 on successive tests.

What am I doing wrong ?


- J

Bounced Messages -- LDA / Dovecot / Postfix

I am not totally even sure this is a Postfix issue, but since the error
is presented as "postfix" and I was not able to find answer elsewhere I
thought I would ask here.

I recently discovered that delivery of bounced messages is not working.
Of course as no messages were being delivered I thought everything was

Anyway, I am seeing this error in my maillog file:

Mar 29 10:48:09 firewall postfix/pipe[9089]: 19565807:
to=< ... at my dot domain>, relay=dovecot, delay=0.11,
delays=0.02/0.01/0/0.08, dsn=5.3.0, status=bounced (command line usage

550 Messages should have one or no Message-ID headers, not 2.

Dear list,

I sent out a newsletter (J!website with Acyba component) some times a month
Since two weeks (cannot remember the exact date) I get this message back
via Postfix after sending out the newsletter.

I am thinking of the newsletter component (Acyba) in combination with
the phpmailer of my hosting provider.
Would that be an option?

MailEnable: Message could not be delivered to some recipients.
The following recipient(s) could not be reached:
     Recipient: [SMTP: ... at somedomain dot com]
     Reason: 550 Messages should have one or no Message-ID headers, not 2.


difference between /var/spool/postfix/etc/hosts and /etc/hosts


On Debian, I am running postfix. I changed my IP ldap server in /etc/hosts
but /var/spool/postfix/etc/hosts is different. What should I do to make
postfix using the new IP ldap?


Suppressing (some) bounce messages

I run a gateway that delivers mail to a few different places, including
two Exchange servers. Now, some users on one of the Exchange systems
have managed to block certain senders, in a way that makes Exchange
reject such messages with "554 5.1.0 Sender denied". The Exchange admins
are trying to figure this out; in MOST cases blocking a sender results
in messages being placed in a Junk folder, which is the behaviour we
want. But sometimes, this happens.

generic rewrites not working for local

I'd like to use postfix to rewrite the "from" address on all my outgoing emails.

However, smtp_generic_maps/lmtp_generic_maps does not seem to work
with mail coming locally from my machine (from cron jobs, from a local
MUA, etc.).

Is there a way to rewrite mails from local?

problem confirming delivery of a deferred message in PostFix logs

We have recently begun using PostFix to replace one of our legacy systems. For the most part, the system appears to be running fine under load. Recently we have begun seeing some sporadic delivery errors.

monitoring outgoing emails

Hi people. Do you know is there any tool/plugin for monitoring outgoing
emails from server with postfix? Maybe postfix has this feature?

Postfix & logrotate

This problem is not strictly related to Postfix, but I'm going crazy
trying to solve it. I've a postfix mail server on Debian 9.

Postfix - catchall

Hi Everyone,

I'm facing a problem with the way postfix handle my catchall.

I am running Postfix 2.10.1 with Cyrus 2.4.17.
I use virtual_mailbox and virtual_alias to handle mailboxes. Everything works fine with users.
I would like to implement a catchall mailbox (I know it's not a good idea, but this is essential in my business) BUT only for alias that do not already exist.
Everything is flat file.

If I send a mail to ... at mail dot domain.tld, this mail goes to user1 mailbox.

clamav as a milter

Hello all,

Has anyone suffered performance loss when using clamav as a milter for

I would like to scan archives and emails with attachments. Is there any
other way to do than using a milter?

Thanks for your advice.


SSL_accept error on just one of several similar servers

I have several Postfix servers with virtually identical configurations.
That is, they have their own hostnames, IP addresses, etc. But the rest of and and various *_access, etc. files are the same.

I recently started having a problem with SSL_accept errors on just one of
the machines. Several people report (including me) that from the same
Thunderbird client, we can connect to all of the other servers and send a
message. But when we try to connect and send to the one server, it fails.

The Thunderbird client displays: "Sending of the message failed.

Is it possible to have Postfix mark debug_peer_list messages as "debug" syslog severity?

I'm trying to troubleshoot some occasional HAProxy health check
failures. HAProxy logs the health check failures and Postfix logs "lost
connection after RCPT" messages without a whole lot of other detail. I
learned Postfix's debug_peer_list and debug_peer_level options and have
added the IP Address used by HAProxy to the debug_peer_list setting.

I see that no matter the debug_peer_level chosen, this increases the log
levels significantly.

SASL login and Mail From field mismatch

Hello everyone !

I'm trying to achieve a simple thing. When a user logs in via SASL and sends mail, I want postfix to check that SASL login
is identical to MAIL FROM field.

As I can see, I can do that with 'reject_sender_login_mismatch', but usage of this option implies usage of
The problem is that I use MS AD as user list provider, so firstly, I thought about some tricky filter to achieve this,
but I can't think up something workable.

New debian server: install postfix from src or package?

I’m in the process of setting up a new server and want postfix.

My question is: should I install from source or use the debian packages?

I have installed from source before, but I would like to ease my maintenance
burden as much as I can, but without sacrificing security.


Best regards,


Yahoo blocking emails from Postfix

I have an issue with email sending speeds on postfix. the email to yahoo are
getting throttled and getting suspended temporarily. I edited the
configuration to slower down the speeds and add a delay. This works fine
with email sending at delay but i have a problem here. the mails which are
there in deferred or retry queue, when they are sent, they are sent a very
high speed and throttles the connection.

header_checks UTF8 discard


i create this rule to block phishing intent

/^Subject: =?UTF-8?B?U3UgY3VlbnRhIHNlIGVuY3VlbnRyYSBlbiByZXZpc2nDs24u?=/

but not work

any ideas?


why is smtpd_recipient_restrictions ignored..?

Hi all,

This postfix 2.9.6 from wheezy. I have added to

and /etc/postfix/blacklisted_domains contains just one line:

I postmapped the file and restarted postfix.


Configure many users accounts.

Dears, I have a question.

In my environment I write a script, this need sending mails from 3 accounts
... at gmail dot com, ... at gmail dot com and ... at gmail dot com; in my
postfix file config I have configure only ... at gmail dot com and all mail
output from ... at gmail dot com, setting default.
How I send mails across mutt (script command) and configure this 3 relays

postfix 2.6.6 / always_add_missing_headers behavior question


I'm confused by the docs at , to wit:
"Always add (Resent-) From:, To:, Date: or Message-ID: headers when not present. Postfix 2.6 and later add these headers only when clients match the local_header_rewrite_clients parameter setting.

Howto configure Postfix to relay messages from a specific email address


Let's say my domain is We have a bunch of servers that are
authorised to use our SMTP server to relay their mail to the outside with
something like :


So far, so good.

Now I have a sister organisation with domain that operates a
web app that needs to send mail through our Postfix server and I want to
relay mails sent from this web app provided the messages sender meets a
specific email address (say ... at example2 dot com).

How can I do that in ?

Shell script to remote test AUTH with STARTTLS at postfix/dovecot server

I regularly test my remote mail servers (which use postfix - with
dovecot for authentication) to check they are live and functioning,
including that they are responding correctly to authorised login with

I currently use this (sorry about line breaks, the original is on one line):

timeout 20 /bin/bash -c "{ time (sleep 2; echo \"EHLO $(hostname
-f)\"; sleep 0.3; echo -n \"AUTH PLAIN \"; printf '%s\0%s\0%s'
\"$USERNAME\" \"$USERNAME\" \"$PASSWORD\"|base64; sleep 0.3; echo
\"QUIT\"; sleep 2; exit) | openssl s_client -connect $MX -starttls
smtp 2>/dev/null >${TMPF}0; } 2>${TMPF}2"


Strange errors in mail.warn log

How to avoid getting strange records in the mail.warn file?
I started to receive it after Debian upgrade from jessie to stretch and
postfix upgrade from 2.11.3 to 3.1.8.

repeated relay attempts

Just checking if I have things set up correctly. I'm returning a 554
code (rejected relay) yet the attempts keep coming.

Recording of DANE talk at ICANN61

[ Also posted to dane- ... at sys4 dot de, please pardon the duplication if
you're reading both lists. I'm planning to also post to exim-users
and ... at ietf dot org ]

I gave a talk about DANE for SMTP at the ICANN61 conference last week.
Audio and slides are available, but not a synchronized recording so if
you want to follow along you'll need to figure out the slide transitions
from the context of the audio. I was promised 45 minutes, had too much
material even for that, but only got 35 minutes, and yet managed to get
to most of the key points.

Which user lookup wins?

When postfix checks for a local user it looks at any local user (like /home/fred), I assume by checking /etc/passwd or similar (I have local users who can receive mail who are not mentioned in any /etc/postfix/* file, so postfix knows about them from somewhere outside of postfix’s config file) and then it also checks for virtual_mailbox_domains and virtual_alias_maps, yes?

If a user lookup matches in BOTH locations due to a misconfiguration, which one “wins”?

Spammer rejected, but resends every 10 minutes. Any way to prevent this

I'm getting hit every 10 minutes from this spammer. As you can see I am
rejecting the message. I wonder if the offending email server doesn't
know the message is being rejected?

Mar 13 23:28:58 centos-1gb-sfo1-01 postfix/smtpd[22153]: NOQUEUE:
reject: RCPT from unknown[]: 450 4.7.1 Client host
rejected: cannot find your reverse hostname, [];
from=< ... at tradepro dot net> to=< ... at lazygranch dot com> proto=ESMTP

question about envelope from.

I'm reading through RFCs but the following is still not clear for me.
E-mail is rejected based on the envelope-from address from a mail-daemon with postfix + postfix-policyd-spf
I saw the following in the postfix logs.

Question regarding 8BITMIME / BINARYMIME


I have a question regarding 8BITMIME.

I know Postfix supports 8BITMIME and does not support BINARYMIME, but I am wondering why both 8BITMIME and BINARYMIME are ESMTP extensions. It would appear that 8BITMIME solves the same problem as BINARYMIME (allow 8-bit encoding of MIME), so why wasn’t BINARYMIME made obsolete in the RFC’s ?

Also - because 8BITMIME seems to solve the problem without CHUNKING, is that why Postfix supports it over BINARYMIME ?


- J

Reducing logging

I may have asked this before, but if so I can't find the thread.

I'd like to either reduce the amount that postfix logs or redirect certain events to a secondary log file (that I can put on a shorter rotation than the full mail log).

Is there anyway to redirect, for example, post screen events to a different log file or the warning hostname does not resolve messages?

Can't connect to server / migrating to iptables

I run my mail server on CENTOS 7. The server is modem/router and as such has
two NICs; internal and external.
Since migrating to iptables, I cannot access the mail server anymore; nor
telnet, neither web client.
My webserver works just fine. I can't find an error message in
/var/log/maillog or /var/log/messages.

I'd appreciate if somebody could go through the lines underneath and tell me
if I am missing a port or has some other idea why this is not working.

NOQUEUE: reject: RCPT from

I have only changed the DNSBL now it will come back with "NOQUEUE: reject

Mar 12 14:49:53 mail postfix/smtpd[5425]: disconnect from

Mar 12 14:49:54 mail postfix/smtp[5428]: 759654071A:
to=<*>,[135]:25, delay=1.1,
delays=0.1/0/0.68/0.27, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as

Mar 12 14:49:54 mail postfix/qmgr[5408]: 759654071A: removed

Mar 12 14:49:55 mail postfix/postscreen[5446]: CONNECT from [IP]:4458 to

Mar 12 14:49:55 mail postfix/dnsblog[5451]: addr IP listed by domain

Postfix - Amavis erroneous SPAM

Deal, a software that control an hardware has to send alarm mail when
something happens. Starting from two weeks ago, the alarms stops to be
sent and checking in the mail server logs I see the following message:

Mar 12 09:03:57 mailserver amavis[14797]: (14797-01) Blocked SPAM
{DiscardedOpenRelay,Quarantined}, [150.217.XXX.XXX]:3685 [150.217.XXX.XXX] <mail@mydomain> ->
<mail@externaldomain>, quarantine: M/spam-M9145UbnjoSh.gz, Queue-ID: CB9E3837E0F, Message-ID:
<5E7A686C7FD740989C918BF83AAEECF3@6204eng1>, mail_id: M9145UbnjoSh,
Hits: 6.57, size: 639, 551 ms

The alarms are blocked as SPAM.

how does relay_domains=$mydestination work?


out of curiosity: the compatibility readme documents "backwards-compatible
default setting relay_domains=$mydestination" and that the empty value
"default value has changed from "$mydestination" to the empty value. This

under which circumstances can this cause an error?
if the domain is in "mydestination", it should be treated as local.

is it related to the parent_domain_matches_subdomains setting?


I was just taking a look through my postfix configuration and noticed
that I have a "check_policy_service" for postgrey a greylisting service.

Is greylisting still considered worthwhile or should I drop it?


John A

ping, please ignore

End-to-end verification. My last post was not distributed to the list.
