Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian jessie. Everything works fine. I would like to restrict local users from sending mail to a particular group email ID and allow only a few users, using smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mail to the group ID. I have the same restriction working fine with Postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up SASL, Postfix 2.7, Dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Relay attempt questions

Below is a postmaster notification about a relay attempt.

Client host rejected


I try to run postfix, rspamd and dovecot.

Non-ASCII bytes in email header and similar

Looking for protocol expertise that some here might have …

I understand that email header content should contain 7-bit ASCII-only.
However, as an implementor of email software such as a milter, how do I
best deal with non-conforming input?

Say I receive a header line in my milter that isn’t ASCII-only, what is
the most sensible (standards-compatible?) decoding I should apply –
Latin1? UTF-8? What works best with real email traffic?

Please ignore if this is completely off-topic here. Thank you.

IP addresses in helo

Is it safe (or mostly safe) to simply block attempts to deliver mail with a HELO that is only an IP address? (I am talking only about postfix/smtpd and obviously not about postfix/submit or related.)

I have about 50,000 NOQUEUE rejects from "helo=<[]>" over the last week, for example. I see very few otherwise, and all are obviously spam with return addresses like account-security- ... at 091773 dot com or ... at 0904 dot ru.

Hiding Spamhaus key from replies


I currently use postscreen with postscreen_dbl_sites pointing to my
instance of With postscreen_dnsbl_reply_map I hide the
secret key from the server responses.

Now, I also have/had "reject_rbl_client" a part of my

Vague error message - SASL plain authentication failed:


Postfix is giving me a very unhelpful message of just "SASL plain authentication failed:".

So I'm clueless as to where to start troubleshooting.

Dovecot config is as follows (I have tried both tcp and socket, both return the same vague error) :

ssl = no
service auth {
unix_listener /var/spool/postfix/private/dovecot-auth {
mode = 0660
user = postfix
group = postfix
inet_listener {
inet_listener {

postconf -n is below:

Postconf -n

alias_database =
alias_maps =
authorized_submit_users =

User unknown in virtual mailbox table problem

This is probably off-topic, but maybe slightly related. I can open a
support ticket with Gandi, but something's definitely amiss with their
support system these days, as I have two open tickets with them for
other things directly related to their service which have not yet even
been assigned numbers, so I thought I'd try here first.

I've re-initialized my Postfix setup. I can send mail, but probably
because of a DNS misconfiguration cannot receive anything.

My DNS records look like the following.

SCRAM-SHA-***(-PLUS) supports

Hello all,

Good news, Cyrus SASL now supports:

Is it possible to add "compatibility" with these?

I see on GitHub a lot of information about the old, insecure password mechanisms CRAM-MD5 and DIGEST-MD5; please note that:
- CRAM-MD5: CRAM-M

Trouble filtering incoming mail

Hi all,

I am having some trouble with filtering incoming mail. First, I do not
understand certain "access denied" actions. Second, I cannot get
filtering by sender domain to work correctly.

Relevant configuration snippets see below.


lots of connections that make no sense


I am wondering what is the purpose of connections like these:

postfix/smtpd[5147]: connect from unknown[]
postfix/smtpd[5147]: disconnect from unknown[] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4

I have lots of these in my logs, from different IP addresses.

What is the goal of these agents? I mean, they don't try to do anything. They don't try to deliver spam, they don't try to use my Postfix as a relay.

Re: mime header check false positive

Thank you very much.

It worked.


On 11/14/2019 12:56 PM, Rajesh M wrote:

mime header check false positive


I am trying to block bad MIME attachments (bat, com, exe, etc.) at the SMTP level itself.

I used this guide:

/name=[^>]*\.(bat|com|exe|dll|vbs)/ REJECT

However, the above rule scans the entire file name instead of just the file extension, resulting in false positives; for example,

.scr and .com present within filenames get wrongly rejected:

* name="strace.Scripting-with-the-xss.pdf.txt"
* filename="BOOKING.COM: Hotel 342802.PDF"

Is there any working sample which somebody could share that blocks bad file attachments wit

Postfix web interface for log analysis

Hi all,

Does any web interface exist for Postfix email log analysis? What I need is to see all the logs through a web interface and see reports of rejections, deferrals, bounces, successes, etc., with datetime and/or domain filters.

Thanks in advance for your guidance.

ldap and smtp relay domains

Hi folks, I have a Postfix server which can relay some messages with LDAP integration in transport_maps. It works well.

Now I have another feature to accomplish.

I want to keep this working for a specific domain, but for another domain I now want it not to relay via LDAP, only via SMTP.

How can I do this?

Many thanks.

Making Postfix know and use UNIX UIDs of local processes sending mail to localhost:25

Dear Postfix users,

I'm trying to set up email sending from local users on a shared webhosting server. There are hundreds of different domains, each having a unique UNIX UID, and they need SMTP service directly available on localhost:25, without any credential checking. At the same time, I need the service to permit/defer/deny an email and log all actions based on the UID and its current reputation.

To achieve this, I'd like to set up a Postfix+Linux-based outgoing mail server, possibly with some helper daemon.

disable proxymap


I would like to simplify my Postfix setup and disable components/services which I don't actually need.

I am not using chroot, and I don't need to "consolidate MySQL connections". So I believe I don't really need proxymap.

I tried disabling the service by commenting out the lines in

but that alone did not work, I got this error:

warning: connect #1 to subsystem private/proxymap: Connection refused

I noticed that the default local_recipient_maps references proxy.

postscreen with IP-ranges?


I'm using postscreen on a mailserver.

Unfortunately, this does not work with some bigger mail providers, since they send the mail from a random host in their mail server cluster, so postscreen sees a new IP for each retry and sometimes never accepts the mail.

Is there a way around this?
Is it possible to e.g. match against x.x.x.x/24 instead of the exact IP?


Sender verification for username@hostname style addresses

Hi all,

We have a setup where we have a relay server which in turn sends all
received mails through to another relay server (from a known anti-spam
vendor). We use Postfix 3.4.5 on Debian 10.

The important parts about our setup:

smtpd_sender_restrictions = reject_unknown_sender_domain
    reject_unverified_sender permit_mynetworks
relayhost = []:587

Since has a very strict sender verification
process we want to reject the same mails. Hence we enabled

postfix startup sequence


I am trying to understand the postfix startup sequence.

I am using postfix 3.4.5 on Debian.

/etc/init.d/postfix, the init script that is used to start Postfix, does not start master directly, but calls:

/usr/sbin/postfix quiet-quick-start

which in turn calls postfix-script.

reject mail if dns and rdns differ

Hello all!

Received: from ( [])

I would like to reject incoming email if dns- and rdns-entries differ.
Does this make sense and how could I achieve this?

Kind regards


built-in EDH parameters

Hello Developers,

Postfix comes, like much other software, with built-in DH parameters (file: src/tls/tls_dh.c).
The documentation also suggests one may want to generate one's own DH parameters.

Is that still the best solution? RFC 7919 offers a "Supported Groups Registry".


smtpd_tls_chain_files and EC PARAMETERS

Hi all,

As reported on 2019-11-08 on IRC, I have issues with ECC certificates in
smtpd_tls_chain_files, which don't happen with the older
smtpd_tls_eccert_file and smtpd_tls_eckey_file.

I use [0] to renew my certificates from Let's Encrypt; crontab extract:
@weekly /usr/local/sbin/ --renew --dns dns_ovh -d mail.domain.tld --keylength ec-256 --cert-file /usr/local/etc/ssl/mail.domain.tld/ecc.crt --key-file /usr/local/etc/ssl/mail.domain.tld/ecc.key --ca-file /usr/local/etc/ssl/mail.domain.tld/ --fullchain-file /usr/local/etc/ssl/mail.domain.tld/ecc.fullchain.cer

Problems with header checks


I’m using Debian 10 with postfix 3.4.5.

Trying to solve the problem with non-"Re" subjects, I have found a regex for header checks.

So I have a „/etc/postfix/header_check.pcre” with:
/eSubject:\s*((RE|AW|Aw|Antw|Antwort|RES|SV):\s*)+(.*)$/ REPLACE Subject: Re: $3

header_checks = pcre:/etc/postfix/header_check.pcre

Now I have noticed that this isn't always working. Postfix logs when the rule is getting used.

qname-minimization-and-privacy breaks dnsbl in postfix

Can others confirm it?

_ is not an ip

Postfix with DKIM for a mail relay

Dear, my domain is "".

My cooperative mail server is an Exchange which does not implement DKIM at

But also I have a Postfix mail relay for the "" domain.

Is it possible to implement DKIM only in my Postfix server for all the outgoing mails??? Or, by doing this, would I affect the outgoing mails from my Exchange server because it sends mails without the DKIM mechanism???

Thanks a lot !!!


Disabling TLS 1.0/1.1, is it advisable?

Apple, Google, Microsoft, and Mozilla have all announced that they will
be deprecating TLS 1.0 and 1.1 in March 2020, in their web browsers.
Similarly, SSL Labs has announced that they will be downgrading web
server scores to a maximum of B, starting in January 2020, if that
webserver supports TLS 1.0/1.1.

Now, I know that what is good for web servers/browsers, isn't
necessarily the same for SMTP servers.

redirect HOLD queue to alternate MTA??

Hello Everyone:
      I am using OpenDKIM/OpenDMARC as some sort of anti-spam. OpenDMARC can handle DMARC p=none or p=reject without any problem. But if p=quarantine, OpenDMARC just lets the incoming mail go to the Postfix HOLD queue. Is it possible to let Postfix redirect incoming mail to an alternate MTA when it gets smfir_quarantine from the milter??

Warning on Connection time

reported a six-second connection time, with a total transaction time of nearly 9 seconds, so I dug into the

5XX vs 4XX

I have a few email addresses that were valid 15 years ago, but they have been invalid for 5+ years. We are rejecting them with a 450 message; my thought is "Let's tie up this spammer's computer just a little bit."

Good idea? Bad idea? Effective? Ineffective?

Dictionary attacks

What is the best way to protect against dictionary attacks in Postfix?

Exim has a rcpt_fail_count variable I use to drop connections with the following:

  drop  condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
        log_message    = Dictionary Attack Rejected (Began blocking after $rcpt_fail_count recipients failed). Ratelimit incremented.
        ratelimit      = 0 / 2h / strict / per_conn
        message        = Number of failed recipients exceeded.  Come back in a few hours.

I am switching from Exim to Postfix and looking for a mechanism to block
these attacks.

Re: Cannot sign with DKIM on same-server web and mail

To have DKIM applied to messages posted via pickup, you have to include the DKIM milter in non_smtpd_milters= . This parameter applies to messages posted via pickup, while smtpd_milters= applies to messages posted via an SMTP client.

But if you do that and run spamassassin as content filter, every message will be signed twice. That's why you have to run spamassassin as milter as well.

What am I missing? DNSBL on submission port?


I _know_ I am overlooking something, and I need a clue-bat.

I use postscreen on the SMTP (25) port and smtpd on the submission port; the latter requires authentication via Dovecot.

dual stack rbl

How will Postfix handle connections if recipient domains see an IP in an RBL blacklist? Will it keep trying again until all IPs of the recipient domain have been tried?

Does it make sense?

Will the first reject just win on a dual-stack IPv4/IPv6 hostname?

I ask this since I'd like to know what to do with that problem, if anything at all.

Cannot sign with DKIM on same-server web and mail

I've looked online for solutions to this problem (including postfix and
sendmail documentation) but with no luck so far.

I've been running a Postfix mail server for several years (currently Linux
Mint 18.1 (Ubuntu 16.4) with postfix 3.1.0) and implemented SPF, DKIM and
DMARC a few years ago. All works well for about two dozen domains.

I also have a Windows web server which sends out mail from web forms via the
mail server (using a local mail sender client) to the domains hosted on the
mail server through port 25.

Postfix ignores smtpd_tls_security_level = encrypt ?


I need a Postfix (3.3) installation to only accept mail sent after STARTTLS, so I've set smtpd_tls_security_level = encrypt in However, Postfix still allows sending mail without encryption.

Do the permit_mynetworks settings in smtpd_relay_restrictions and
smtpd_recipient_restrictions have an effect on the enforcement of TLS
encryption? Are hosts in mynetworks exempt from the smtpd_tls_security_level =
encrypt setting?

Thx and best regards

Avoidance of duplicate mails reg


We have migrated to a new domain. We also continue to receive mail on the old domain.

When a sender sends a mail to ... at xxx dot com (old domain), the mail is received and delivered to user abcd. When abcd replies to all (his From address will be ... at yyy dot com [new domain]), the mail is hence also sent to ... at xxx dot com [old domain]. So the sent mail is also received back by the same sender.

When the actual recipient receives the mail, he will have ... at xxx dot com and ... at yyy dot com in the address list.

"SPF no-mail record" clashing with reject_unknown_recipient_domain

Dear Postfix users, admins and gurus,

Today I was alerted to a new 'problem'.

postfix filter to encrypt incoming emails with public gpg key


When a new email arrives and it is not already encrypted, I would like to run it through a filter which would encrypt the message with my public GPG key, as if the original sender had sent the email encrypted.

Why do I want to do this? Why not ask the sender to send encrypted messages to start with?

Let's say my bank sends me emails. I cannot force my bank to use GPG encryption. I am happy they use email at all, instead of paper mail.

My email server is untrusted.

A blog post that I hope will help people, can the community help me improve it?

I created a blog post for something I needed to get done and figured out
how to do.


If the community has any pointers that would make this better, or
perhaps even a better way to accomplish it than what I came up with, I'm
open to constructive criticism.


Ambiguous logging of mail senders


Recently I stumbled across a log line like this:

Oct 25 10:34:59 hostname postfix/smtpd[12345]: NOQUEUE: reject: RCPT from client.example[]: 554 5.7.1 < ... at b dot com; ... at d dot com>: Relay access denied; from=< ... at example dot com> to=< ... at b dot com; ... at d dot com> proto=ESMTP

The important part is the "to=< ... at b dot com; ... at d dot com>". Parsing this to find out which part is the local-part and which is the domain isn't exactly trivial, either for me as a human or for a machine automatically parsing the log.

reject_unknown_sender_domain seems not to work


I am having trouble using reject_unknown_sender_domain.

OpenDKIM , Postfix , SpamAssassin, Amavisd-New, SPF and FreeBSD

I am trying to revive my OpenDKIM installation. I had it working but managed to break it when I updated my ports.

Re: block 'new style' TLDs ?

I've had the same problem for some time. I put the following into access_helo and header_checks.

block 'new style' TLDs ?

As of recently, I've started getting heaps of spam from all kinds of new domains, all ending in '.best'.

What's the best way to block that: block the entire '*.best'? How and where?

or ?


Using version 3.4.7.

Return-Path: < ... at resolutionwine dot best>
Received: from (unknown [])
by (Postfix) with ESMTP id B36914195027
for <vvvv>; Thu, 24 Oct 2019 06:53:21 +1100 (AEDT)
MIME-Version: 1.0

running a content_filter upon reinjection of a message with sendmail command

Here's what I want to do:
1. Email is received for an address I have set to forward emails; let's call it ... at example dot com.
2. Postfix pipes the email through a command, postforward, which in turn runs the email through postsrsd, to make SPF and such validate (especially when forwarding to an email address I don't host).
3. Postforward reinjects the email with sendmail, now with a return_path of <something>

Replace semicolon in recipient list

Hello Group,

I have configured Postfix as a relay to forward all messages to the AWS
SES mail service.

One sending application is sending mail with a From: header containing a
semicolon-separated list of addresses.

about MX hosts


I saw my ESP has two MX records pointing to just the same host. 21 IN MX 5 21 IN MX 10

Does this have any value or improvement?


anvil statistics logging


Can I disable the anvil statistics from being written to the logs?

I have quite short "anvil_rate_time_unit" (60s), and I have set some of
the "smtpd_client" rate limits to 10.

My log is basically flooded with these anvil statistics, which I am not
really interested in.

statistics: max connection rate 1/60s for
statistics: max connection count 1 for
statistics: max message rate 1/60s for
statistics: max recipient rate 1/60s
statistics: max cache size

Can I still use these limits but suppress the statistics?


Problem with new installation

I am running a copy of configurations from a running version 2
installation from Ubuntu 14.04, now alive as version 3 on Ubuntu 18.04.

I thought I'd be slick and port over all the user mailbox directories in
/var/mail/vmail, all the customized .cf's, and the MySQL database.

Change info message to warning

I'd like to change the DNS blacklist message from msg_info (logged in the main log file) to msg_warn (logged in the warning file). That is the second line in the log extract below.

I have:
a) looked through the postscreen source
b) grepped the distribution for NOQUEUE: and reject: piped through grep msg_info
and I can't find the code which generates that particular message.

Oct 22 13:13:31 postfix[8412]: Connect: Unknown []
Oct 22 13:13:32 postfix[8412]: NOQUEUE: reject: RCPT from unknown[300.301.302.303]: 510 5.7.1 Your IP address is blacklisted - send from a different ne

Rewrite From header from old to new style

I would like to rewrite an old-style header in a locally-generated
mail (say by cron under Ubuntu 19.04 and earlier) e.g.

to the new-style header e.g.

It must be done before milters so that it can be signed by the OpenDKIM milter after the header rewrite. canonical looks like the right tool, but the examples I have seen only show it working on an address, not the full header text.

I am using postfix 3.3.

Use of PERMIT in smtpd restriction lists

By (limited) experiment it seems to me that the action 'PERMIT' is
acceptable in access tables in smtpd restriction lists (e.g.

As far as I can tell it is undocumented in this context, but I think it is
synonymous with 'OK' i.e.

Unusual TLS setting logged by Postfix


I am aware that this is not Postfix's fault, but I found the following entry in one of my mail server's logs confusing. I am using Postfix 3.3.0:

Oct 21 06:09:51 server postfix/smtpd[31405]: Anonymous TLS connection established from unknown[]:33126: TLSv1 with cipher AES256-SHA (256/256 bits)

From what I gather, a TLS v1.0 connection was made with AES256 for the symmetric cipher and SHA-1 for integrity, but:

— There is neither DH/DHE/ECDHE at the start.

TCP maps security risks & mitigations; Trualias alias mapping

Hello everyone, and the 10 people who care.

Remove duplicate header 'MIME-Version'

Hello Group,

I have configured Postfix as a relay to forward all messages to the AWS
SES mail service.

SES bounces some messages with the following error:

status=bounced (host[] said: 554 Transaction failed: Duplicate header 'MIME-Version'. (in reply to end of DATA command))

These messages are sent by a scanner and I have no influence on the
scanner configuration.

Is there a way to remove the duplicate header in Postfix?

Alternatively, is it possible to remove the MIME-Version header(s)

Recipient address RESTRICTIONS are applied twice to the same e-mail with different parameters

Hi there,
The context is:
Ubuntu 19.10
postfix 3.4.7-1

in /etc/postfix/
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, permit_auth_destination

This setting should accept the e-mail sent to my domain from

Yet, I get in the log:

*>>> START Recipient address RESTRICTIONS <<<generic_checks:
mynetworks: <> ~?

how to add warning / banner in email body ?

Hi,

For identifying emails from the external world and spoofed emails, I am looking for a solution where we can add a notification/warning banner in the email body, like below.

"_This e-mail is received from external domain. Please review before
opening any attachment or link_"

This will help end users identify the risk when replying or clicking a URL.

Is there any milter or Postfix solution available where we can set a condition so that the above warning gets appended at the start of the email? Or is there any way to append a disclaimer at the start of the email?
