Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian Jessie. Everything works fine. I would like to restrict local users from sending mail to a particular group email ID and allow only a few users, using smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mail to the group ID. I have the same restriction working fine with Postfix 2.9 installed on Wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up SASL with Postfix 2.7 and Dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

Why is there no `reject_rbl_sender` restriction?


Why is there no `reject_rbl_sender` restriction? It probably does not
make as much sense as `reject_rbl_client`, but it would help me in my
spam battle.


I'm trying to get to know, if there is a chance to see in Milter, that the
"NOTIFY=xxx,yyy,zzz" was specified by a client at rcpt to command like


If there is a chance, where should I find it? Is it supposed to be seen
in some of those params available in an "envelope recipient filter"?

Still, none of those macro params has given me the NOTIFY param; I
can see just the recipient address.

Best regards

Does reject_non_fqdn_helo_hostname violate RFC?


I was investigating a rejected e-mail that was sent with the following
error message:

NOQUEUE: reject: RCPT from unknown[]: 504 5.5.2
<taiwangun-1>: Helo command rejected: need fully-qualified hostname;
from=< ... at tajeb dot> to=< ... at mydomain dot> proto=ESMTP

It was rejected, because I have reject_non_fqdn_hostname set in my
postfix. Sending HELO (not EHLO) with a non-fqdn hostname seems wrong
and I wanted to find specific RFC that governs that.
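An added example, not code from the thread or from Postfix: a classifier that treats a HELO/EHLO argument the way the reject_non_fqdn_helo_hostname documentation describes, accepting an RFC 5321 address literal or a hostname of at least two syntactically valid labels and answering everything else with the 504 5.5.2 reply seen in the log above. The label syntax, the length limits and the rule that an all-numeric top-level label is not a hostname are my assumptions taken from RFC 1123/5321, not Postfix's own valid_hostname() code, so treat the verdicts as an approximation of what smtpd does.

```python
import ipaddress
import re

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen, 1-63 chars.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')


def is_address_literal(arg):
    """RFC 5321 address literal: [192.0.2.1] or [IPv6:2001:db8::1]."""
    if not (arg.startswith('[') and arg.endswith(']')):
        return False
    inner = arg[1:-1]
    try:
        if inner.lower().startswith('ipv6:'):
            return ipaddress.ip_address(inner[5:]).version == 6
        return ipaddress.ip_address(inner).version == 4
    except ValueError:
        return False


def is_fqdn(arg):
    """Fully-qualified domain name: at least two valid labels, and a top-level
    label that is not all digits (RFC 1123 section 2.1 rules out dotted quads)."""
    if not arg or len(arg) > 253:
        return False
    labels = arg.split('.')
    if len(labels) < 2:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def helo_verdict(arg):
    """Approximation of reject_non_fqdn_helo_hostname: DUNNO (let later
    restrictions decide) for an FQDN or address literal, otherwise the
    504 5.5.2 reply seen in the log above."""
    if is_address_literal(arg) or is_fqdn(arg):
        return 'DUNNO'
    return '504 5.5.2 <%s>: Helo command rejected: need fully-qualified hostname' % arg


if __name__ == '__main__':
    for sample in ('mail.example.com', '[192.0.2.1]', '[IPv6:2001:db8::1]',
                   'taiwangun-1', '192.0.2.1', '-bad.example.com'):
        print('%-22s %s' % (sample, helo_verdict(sample)))
```

A bare dotted quad without brackets is rejected on purpose: RFC 5321 only allows an IP address in HELO as a bracketed address literal, and the all-numeric top label rule catches it.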

TLS loglevel in between =1 & =2 ?



I get ALL of this in my logs

Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:before SSL initialization
Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:before SSL initialization
Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:SSLv3/TLS read client hello
Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:SSLv3/TLS write server hello
Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:SSLv3/TLS write certificate
Aug 2 03:19:26 maryland postfix/handoff/smtpd[40383]: SSL_accept:SSL

Does SHA1 deprecation apply for Mac=SHA1 in Postfix cipherlist?

SHA1 cert signing is (being) deprecated


So SHA1-signed certs < BAD!

Does that apply at all for ciphers using Mac=SHA1?

I don't *think* it does. And I don't find anything that says it does.

Is it possible to suppress NDR/Delayed delivery messages generated by messages to a particular RCPT?

Hello list

First of all: I know suppressing NDR/Delay Delivery Notifications is not
a "good" thing as they can be helpful.
But I have a case where I really need to suppress them :-)

My mail system consists of two Postfix instances (mx and scanner) and
the mailbox servers where scanners deliver via LMTP.
The mail flow is

outside world (smtp) --> mx (smtp) --> scanner (lmtp) --> mailbox

Now I have several spamtrap addresses and catch-alls which are aliased
by mx to the same RCPT address ... at example dot tld
This address does trigger some dovecot-sieve scripts on mbox upon
receiving msg via lmtp.

postfix-tls error


I have enabled TLS in 2 Postfix servers (MTA1, MTA2). When I try to send
mail from a simple Java client to the server it is working fine. TLS negotiation
happened properly.

SMTP connection reuse with TLS

Hi, I was curious if there are any plans for postfix to eventually
support SMTP connection reuse with STARTTLS.

We were using postfix to deliver bulk mail (email newsletters) to a mail
relay. When TLS was disabled, Postfix was able to open up multiple
connections to the relay and reuse these connections for some period of
time, maintaining a high send rate with minimal RTT due to TCP connection.

After enabling TLS, postfix delivery was much slower, and packet capture
revealed the connection reset after each message was delivered.

Postscreen and reject_rhsbl

I'm using postfix-3.1.4 on fedora. I've just noticed I've configured
both postscreen to use spamhaus and other RBLs as well as have
configured the reject_rhsbl_* options.

Specify VPN for postfix

Can anyone tell me how to point Postfix to a VPN connection? I have
set up a VPN listening in the background on my Ubuntu and I want to point
Postfix to that listening port whenever Postfix tries to connect to the


still use "aNULL:!aNULL:" in Postfix default cipherlists when tls policy is mandatory, == encrypt?

I'm reading about ciphers.


"why use "aNULL:!aNULL:" in Postfix default cipherlists?"

It talks about using anonymous ciphers when TLS policy is opportunistic == may.

I get that.

If instead you use MANDATORY tls policy, == encrypt, do you need to redefine the cipherlist to REMOVE that "aNull:-aNull"?


MX backup server: auto sync databases user and domains

Hi friends,
I would like to know how to automate the users and domains list between primary
and backup MX server, where the primary (and secondary) mail server uses
MySQL for each user and domain list (and so create an MX backup server that
does not become a "backscatter mail" source!)

I've seen this dated tutorial, made for Gentoo:

And I would like to know if it is possible to adapt this tutorial to a
Debian Jessie environment.

Many thanks!

fixing CONNECT-then-immediate-DISCONNECT from some senders?

I run Postfix 3.3.

My inbound mail is working great, except for a few 'newsletters' I sign up for.

From a few "legit" newsletter senders, i.e. those that I opt-in with, I get


pairs in my logs.

receive_override_options with 2 cleanups

Postfix 3.2.2

Post upgrade, I'm revisiting my configuration to be sure I'm taking advantage of current features relative to my old server.

I'm still using 2 cleanup services , pre-cleanup before the content_filter and the regular cleanup after-filter.

I was using Patrick Koetter's current postfix-amavisd readme as a reference.

verification levels and Milter


postfix smtp server may classify incoming TLS sessions as anonymous, untrusted and trusted.

Is it possible to access this information from within a milter?

I did not find such functionality documented,
so I expect "not documented -> not implemented", but I would like to be sure. Maybe I've overlooked it...


Restricting the scope of "success" notifications

Hello, our system is sometimes under attack of spammers using
"NOTIFY=SUCCESS" param in "rcpt to: " header.

no sasl listener on 587 clients can't send mail

I can't get postfix to listen on 587 so clients can't send mail

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name.

Attempting to whitelist sender domain with DUNNO result

I suppose it was out of ignorance, but I've used 'OK' in the past to
accept mail from specific domains that are blacklisted by Spamhaus or
have partial DNS records.

Recently I came across several threads here that noted how this was a
bad idea. Looking over the Postfix documentation I seemed to find
confirmation of that. As a result, I've attempted to start using 'DUNNO'
for whitelisting sender domains instead of 'OK'.

trying to hunt down meaning of warning in log file

Hi, I run RHEL6.9, postfix 2.6.6, and openssl 1.0.1e-57.el6.

I found this in the logs

Jul 28 08:39:32 mail6 postfix/smtpd[22622]: connect from[]

Jul 28 08:39:32 mail6 postfix/smtpd[22622]: SSL_accept error from[]: -1

Jul 28 08:39:32 mail6 postfix/smtpd[22622]: warning: TLS library problem: 22622:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:s3_pkt.c:486:

Jul 28 08:39:32 mail6 postfix/smtpd[22622]: lost connection after CONNECT from[]

Jul 28 08:39:

Deciphering maillog transaction that resulted in reply to spammer

Postfix 3.2.2, Centos7, amavisd, clamav

Upgrading my server, and recently migrated one of my older domains that gets
more spam. When checking my mail queue I saw a few deferred messages to
addresses that alarmed me. I had a moment of panic thinking maybe I had
configured something allowing a relay. Looked and decided I was OK there
but I want to understand what caused these deferred messages. I figure I
have something set wrong that allowed it in the first place. I *think* it's
a bounce where I would not want a bounce.

Can someone help me follow/decode this sample transaction?

List posting question

I'm trying to post: a question, a copy of 20 lines or so of a maillog, and
the output of postconf -n .

The list does not seem to be accepting it. Maybe because the log has some
IP's and and address of a spammer? What should I do to sanitize it so it
will post? Not sure what's triggering the block. I tried posting it from
my server and from as well. Nabble stays at "...not accepted

Thanks, Scott

Change gateway on bounce

Hey guys,

I have been thinking if postfix has capability to forward a bounced email to another server. I know I can relay emails using transport but can I relay (retry) an email from a different server? Let's say the target server says 'blacklisted' and I'd just forward that email to another server so it's sent out from there?

Strange behavior Postfix 3.1.4 address verification


first the logs:

Jul 27 12:52:46 mail postfix/smtpd[4341]: connect from
Jul 27 12:52:46 mail postfix/smtpd[4341]: Anonymous TLS connection
established from itexchange16.itbspa.local[]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 27 12:52:46 mail postfix/cleanup[4345]: 3xJ82Q6ycVzyp9:
message-id=< ... at mail dot>
Jul 27 12:52:46 mail postfix/qmgr[4150]: 3xJ82Q6ycVzyp9:
from=<double- ... at itbspa dot de>, size=221, nrcpt=1 (queue active)
Jul 27 12:52:47 mail postfix/smtp[4346]: Untrusted TLS connec

Migrating 2.11 to 3.2


We are moving to a new (virtual) server (from CentOS 5 with Postfix
2.11.6 to CentOS 7 with Postfix 3.2.2).

I have moved the original configuration to the new server and Postfix
won't start; I am getting:

# systemctl status postfix
postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled;
vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2017-07-27 12:25:14
EEST; 12min ago
Process: 21895 ExecStart=/usr/sbin/postfix start (code=exited,
Process: 21893 ExecStartPre=/usr/libe

DNS records, mail servers, and domains

I have been soliciting help from this list for some time now in the process
of planning my new single-server, multi-domain web and mail server, with
domains 'domain1.tld1' through 'domainN.tldN'.

I have been experimenting with Lets Encrypt clients with mixed success,
and, as of this morning, think I have all the bugs worked out for all my



I maintain multiple postfix servers with LMTP content filter set up.
last week we started receiving much spam that requests NOTIFY=SUCCESS
which results in many queued DSNs.

I got the idea of avoiding notifications when they reach a particular spam score.

My problem is that on (at least) one of the servers, Postfix sends mail to the
filter with SUCCESS stripped off the NOTIFY= parameter, and sends the bounce as the
mail gets delivered to the LMTP filter. This way the filter is not able to
suppress notifications.

Xforward with amavisd

Firstly here is the relevant config:

content_filter = amavisfeed:[]:10024

smtp inet n - n - - smtpd -o

smtp-amavis unix - - - - 2 smtp
-o smtp_data_done_timeout=1200
-o disable_dns_lookups=yes
-o smtp_send_xforward_command=yes
inet n - - - - smtpd
-o content_filter=
-o strict_rfc821_envelopes=yes

This postfix server is a relay host which passes mail to a

Protecting mail addresses using check_sasl_access


Since Postfix is now (since v2.11) providing more extensive sasl access
restrictions, we are considering using the following model to protect
particular addresses so that only specific users can send mail to them:

allowed_list1= check_sasl_access

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/protected_destinations


Use 1 TLS certificate for multiple domains

I'm running Postfix with MailScanner as a spamfilter for multiple
Is it possible to create a TLS configuration to force encryption for a set
of domains with one 1 SSL certificate for the FQDN of the mailserver?
The MX-records of the hosted domains are pointing to my mailserver and my
mailserver is forwarding the mail to the destination mailserver of the
Does the SSL certificate need to contain the domainnames of the destination
Or is the FQDN of the active mailserver enough for good encryption?

Thanks in advance.

Using two content filter

Hi, today I have a policyd configured in my postfix server like:

smtpd_sender_restrictions = check_policy_service inet: reject_sender_login_mismatch
smtpd_end_of_data_restrictions = check_policy_service inet:

Today I need a content filter to modify my message; I created it using a shell script and Python, and configured it like:

submission inet n - - - - smtpd -o smtpd_sasl_auth_enable=yes
-o content_filter=altermime
altermime unix - n n - - pipe
flags=Rq user=altermime

What's a better error code than 554 to get a sending server to stop retrying?

I have a milter set up to REJECT on some body content.

It works like it should and REJECTS with the message

Jul 25 14:41:13 mariner postfix/handoff/smtpd[56542]: proxy-reject: END-OF-MESSAGE: 554 5.7.1 id=12969-07 - Rejected by next-hop MTA on relaying, from MTA(smtp:[]:16002): 554 5.7.1 BANNED CONTENT; from=< ... at send dot> to=< ... at MYDOMAIN dot COM> proto=ESMTP helo=<>

I've tested it by sending 'bad' email to myself from gmail. Seems to work as advertised.

The mailers on are for an otherwise fairly respectable domain.

Which header check & reject method to use?


I'm getting Postfix setup to deal with "bad headers".

Looks like there's a bunch of ways to do it.

Three I'm looking at are

1) Postfix's built in headers check
2) A milter that'll check for & reject headers
3) Amavisd's built in header handling

I can actually get all three to work pretty much the way I want.

Is there any reason to use one over the other if they're all doing it PreQueue?

Is it more efficient to use a separate milter than to use Postfix's built in stuff?


postscreen log summary

Anyone have or know of a log parser/tool that includes postscreen logs? I
don't think Jim's pflogsum includes any type of postscreen data.

Would be nice to have some reporting that included how much I'm potentially
preventing vs. processing.

Thanks, Scott

Enforce TLS to MX


Isn't it possible to enforce TLS outbound to an MX?
In the example below, if isn't offering TLS the email is
sent unencrypted!?
Enforcing TLS to a domain is working as expected.

[] encrypt
[] encrypt


alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
append_dot_mydomain = no
authorized_submit_users = root
canonical_classes = envelope_sender, envelope_recipient
canonical_maps = regexp:/etc/postfix-mx1/canonical
compatibility_level = 2
config_directory = /usr/local/postfix/

case sensitiv: relay_recipients ?

I'm using Postfix 3.1.4 and Debian 9. I want to use relay_recipients,
where the valid e-mail addresses are. The entry for my address is
firstname. ... at mydomain dot eu (all in lowercase). When I write to
firstname. ... at mydomain dot eu everything works.

gratuitous failure on host address bits not zero

In ./src/util/cidr_match.c there is this bit of code:

/*
 * Sanity check: all host address bits must be zero.
 */
for (np = ip->net_bytes, mp = ip->mask_bytes;
     np < ip->net_bytes + ip->addr_byte_count; np++, mp++) {
    if (*np & ~(*mp)) {
        mask_addr(ip->net_bytes, ip->addr_byte_count, ip->mask_shift);
        if (inet_ntop(ip->addr_family, ip->net_bytes, hostaddr.buf,
                      sizeof(hostaddr.buf)) == 0)
            msg_fatal("inet_ntop: %m");
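An added example, not Postfix code: a small Python reader for a cidr: table that applies the same sanity check to every pattern. With strict=True, the ipaddress module refuses a pattern whose host bits are not all zero; the reader then masks the pattern to its network, as mask_addr() does in the C code above, and records a warning that carries the masked form so the operator can see what the entry actually matches. The table contents are constructed, and the lookup uses the first-match rule of Postfix cidr: tables.

```python
import ipaddress

# Constructed cidr: table in Postfix's "pattern action" form (documentation
# address ranges). The second entry has host bits set, which is the case the
# sanity check in cidr_match.c is about.
SAMPLE_TABLE = """\
# networks that may relay
192.0.2.0/24        OK
203.0.113.5/24      permit_mynetworks
2001:db8::/32       OK
10.0.0.1            REJECT not a public client
"""


def parse_cidr_table(text):
    """Return a list of (network, action, warning) in file order.
    A pattern with non-zero host bits is masked to its network, as mask_addr()
    does above, and the masked form is reported in the warning. A pattern that
    is not an address at all raises ValueError from the strict=False call."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError('line %d: expected "pattern action"' % lineno)
        pattern, action = parts
        try:
            net = ipaddress.ip_network(pattern, strict=True)
            warning = None
        except ValueError:
            net = ipaddress.ip_network(pattern, strict=False)
            warning = ('line %d: non-null host address bits in %s, masked to %s'
                       % (lineno, pattern, net))
        entries.append((net, action, warning))
    return entries


def lookup(entries, address):
    """First matching entry wins, as with Postfix cidr: tables; None if no match."""
    addr = ipaddress.ip_address(address)
    for net, action, _ in entries:
        if addr.version == net.version and addr in net:
            return action
    return None


if __name__ == '__main__':
    table = parse_cidr_table(SAMPLE_TABLE)
    for _, _, warning in table:
        if warning:
            print('warning:', warning)
    for client in ('192.0.2.77', '203.0.113.200', '2001:db8:1::1', '10.0.0.2'):
        print(client, '->', lookup(table, client))
```

The point of reporting the masked form is that 203.0.113.5/24 silently means 203.0.113.0/24: a client at 203.0.113.200 matches an entry that looks, to a reader of the file, as if it were about one host.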

LDAP: "unused parameter: start_tls=yes"?

postconf complains:
/usr/sbin/postconf: warning: ldap:/etc/postfix/ unused parameter: start_tls=yes

according to the documentation:

STARTTLS can be turned on with the start_tls parameter:
start_tls = yes
Both forms require LDAP protocol version 3, which has to be set explicitly with:
version = 3

I'm using:

=== snip ===
server_host =
search_base = dc=laborberlin,dc=intern
version = 3

bind_dn = CN=somecn
bind_pw = secret

query_filter = (proxyAddresses=smtp:%s)
result_attribute = mail


smtp_pix_workaround_threshold_time not working correctly?

In my log I found this:

Jul 21 07:23:09 mail-cvk postfix/smtp[7329]: 3xDK0Z6RBRz1Z1wy: enabling PIX workarounds: disable_esmtp delay_dotcrlf for[]:25

According to the documentation:

"By default, the workaround is turned off for mail that is queued for
less than 500 seconds.

problem with mails

I have mailbox on server configured with postfix.

Clear postscreen whitelist cache

Is it possible to inspect or clear postscreen's whitelist cache?

postdrop hangs until reboot: warning: mail_queue_enter: create file maildrop/...: Permission denied


FYI, I've just reported the following bugs in the Debian BTS
for postfix 3.2.2:


In summary, there's one problem that is hardly reproducible,
and an incorrect error message.

When I tried to send a mail with mutt (via the usual
"/usr/sbin/sendmail -oem -oi" command), it was hanging, and ps showed
that it was due to postdrop, which was hanging. There was no such
problem when I sent a mail 20 minutes before.

Setting up multiple transport mappings for fallback relay mailserver

Hi guys,

I'm using Postfix 3.0.4-1 with Postfix Admin GUI (with MySQL backend).
My mailserver is a spamfiltering server for multiple domains.
I would like to configure an extra transport mapping so when mail to can't be delivered to it should be sent to
Is this possible and how?

Thanks in advance!

Internal IP range bypass filters

I have a bunch of servers that send internal network only emails and
reports, e.g. logwatch data, etc. All servers are configured to use a
simple local postfix instance that delivers mail to my primary postfix
server, specified thus:

relayhost = []

That works fine, email hits that server on port 25 and is accepted
because the addresses are in mynetworks of postfix listening on But at the moment it is then processed through ->
amavisd lmtp / spamassassin -> Postfix on port 10025 -> delivered.

Sender dependent relay: Reject unknown senders

Hello, list!

My setup is this: I use postfix to relay mail to external SMTP servers
(of ISP, employer etc.) according to sender_dependent_relayhost_maps.
This works with multiple "From: " identities set by various MUAs. Local
delivery to dovecot is also set up for mail from cron etc.

postscreen fail2ban filter

As I watch the bots and spammers hammer my server with connection attempts,
I figured I might as well stop them even closer to the front door when they
try repeatedly.

I have fail2ban running already and once I enabled postscreen it didn't seem
to have much to do anymore.

My primary question is: Can I filter on the DISCONNECT log line for bad
connections (and only bad connections), or do some "good" connections also
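An added example, not from either thread, serving both the "postscreen log summary" question above and the fail2ban question here: a Python parser that groups postscreen log lines by client session (IP and port), counts the test outcomes, and lists the clients whose session failed a test. The sample log lines are constructed in the layout postscreen uses for its CONNECT, PASS OLD/NEW, PREGREET, DNSBL, HANGUP, NOQUEUE and DISCONNECT events, with documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of postscreen log lines in the layout Postfix uses for the
# CONNECT / PASS / PREGREET / DNSBL / HANGUP / NOQUEUE / DISCONNECT events.
# The addresses are documentation ranges; the sessions are invented.
SAMPLE_LOG = """\
Jul 30 10:00:01 mx postscreen[2001]: CONNECT from [192.0.2.10]:4000 to [198.51.100.1]:25
Jul 30 10:00:01 mx postscreen[2001]: PASS OLD [192.0.2.10]:4000
Jul 30 10:00:02 mx postscreen[2001]: DISCONNECT [192.0.2.10]:4000
Jul 30 10:00:03 mx postscreen[2001]: CONNECT from [203.0.113.7]:5000 to [198.51.100.1]:25
Jul 30 10:00:03 mx postscreen[2001]: PREGREET 11 after 0.1 from [203.0.113.7]:5000: EHLO spam\\r\\n
Jul 30 10:00:04 mx postscreen[2001]: DNSBL rank 3 for [203.0.113.7]:5000
Jul 30 10:00:05 mx postscreen[2001]: NOQUEUE: reject: RCPT from [203.0.113.7]:5000: 550 5.7.1 Service unavailable; client [203.0.113.7] blocked using zen.spamhaus.org; from=<a@example.net>, to=<b@example.org>, proto=ESMTP, helo=<spam>
Jul 30 10:00:05 mx postscreen[2001]: DISCONNECT [203.0.113.7]:5000
Jul 30 10:00:06 mx postscreen[2001]: CONNECT from [192.0.2.20]:6000 to [198.51.100.1]:25
Jul 30 10:00:06 mx postscreen[2001]: PASS NEW [192.0.2.20]:6000
Jul 30 10:00:07 mx postscreen[2001]: DISCONNECT [192.0.2.20]:6000
Jul 30 10:00:08 mx postscreen[2001]: CONNECT from [203.0.113.9]:7000 to [198.51.100.1]:25
Jul 30 10:00:09 mx postscreen[2001]: HANGUP after 0.5 from [203.0.113.9]:7000 in tests before SMTP handshake
Jul 30 10:00:09 mx postscreen[2001]: DISCONNECT [203.0.113.9]:7000
"""

EVENT_RE = re.compile(
    r'postscreen\[\d+\]: '
    r'(?P<event>CONNECT|PASS OLD|PASS NEW|WHITELISTED|BLACKLISTED|PREGREET|'
    r'DNSBL|HANGUP|NOQUEUE|DISCONNECT)\b.*?\[(?P<client>[0-9A-Fa-f.:]+)\]:(?P<port>\d+)'
)

# Events that mean a test failed or the client was rejected in this session.
BAD_EVENTS = {'PREGREET', 'DNSBL', 'HANGUP', 'NOQUEUE', 'BLACKLISTED'}


def parse_sessions(text):
    """Group events by (client IP, client port), in first-seen order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            sessions[(m.group('client'), int(m.group('port')))].append(m.group('event'))
    return list(sessions.items())


def summarize(text):
    """Per-event counts plus how many sessions passed versus failed a test."""
    counts = Counter()
    for _, events in parse_sessions(text):
        counts['connections'] += 1
        for event in events:
            if event not in ('CONNECT', 'DISCONNECT'):
                counts[event] += 1
        if any(event in BAD_EVENTS for event in events):
            counts['failed'] += 1
        elif any(event in ('PASS OLD', 'PASS NEW', 'WHITELISTED') for event in events):
            counts['passed'] += 1
    return counts


def ban_candidates(text):
    """Client IPs worth feeding to fail2ban: sessions with a failed test.
    DISCONNECT alone is useless for this, because postscreen logs it for
    every session, good or bad."""
    return sorted({ip for (ip, _), events in parse_sessions(text)
                   if any(event in BAD_EVENTS for event in events)})


if __name__ == '__main__':
    for key, value in sorted(summarize(SAMPLE_LOG).items()):
        print('%-12s %d' % (key, value))
    print('ban candidates:', ', '.join(ban_candidates(SAMPLE_LOG)))
```

For the fail2ban question the lesson is in ban_candidates(): since fail2ban matches one line at a time and DISCONNECT is logged for passed sessions too, a working filter keys on the PREGREET, HANGUP, DNSBL and NOQUEUE lines instead. Keying sessions on IP and port is good enough for a summary but will merge two sessions if a client reuses a source port later in the same log.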

postscreen dnsbl AND smtpd_recipient_restrictions rbl?

I'm converting to use postscreen.

OT - smartmontools

Pardon the OT post, but looking for comments on smartmontools and GSmartControl, disk monitoring software. Off list only replies are fine with me.

Log entries for one email

The following log entries have me confused. An email was received. The mail from address is shown, but I don't see the rcpt to address unless it is the "<>" shown in the one entry. However, I believe that should generate a bounce, but it does not appear to have done so.

Mailing list manager recommendation?

I need an mailing list manager (MLM) and plan to eventually use GNU Mailman
3 (MM3). Until its installation process is easier, I would like to use an
interim MLM that is easiest to install.

Block forged addresses

Hi all,

I was wondering what choices are there to block forged sender email

I was thinking SPF could assist.
The other option I saw is reject_sender_login_mismatch in postfix.

Do you have any other suggestion?

Many thanx

postfix mail parsing


I have installed Postfix 2.10 from source code. We are sending mail to the
Postfix server with custom headers. Based on those headers, some actions
need to be taken at the mail server. For that purpose I'm customizing the Postfix
source code.

In the cleanup process, I'm able to parse all the custom headers, but in the qmgr
process I'm not able to do that. In qmgr_active.c I have used the
"attr_scan0_string" function to read header data from the active queue file.
After reading the header data into a string, I'm printing the string value
using the msg_info function.

With this I'm able to see all the header details.

Forward to gmail and DMARC

I forward mail to a Gmail user, but there are a lot of bounces from Gmail. I don't honestly care about the ones that Google says are spam, but recently I'm also getting DMARC failures on Facebook mails.

Again, not critical, but a bit annoying.

The only thing that I can think to do is disable the forwarding and tell the user to grab mail via POP3, but that means enabling POP3 which I'd rather not do. Gmail does not, AFAIK, allow you to combine your mail with another IMAP account.

Any other ideas?

reject_unknown_client_hostname allowing slight mismatch

I have reject_unknown_client_hostname in smtpd_client_restrictions.
Some clients are able to pass this restriction with accompanying warning
when the hostname does not point to the IP address of the client.
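An added example, not from the thread and not Postfix code, showing the three conditions that postconf(5) lists for reject_unknown_client_hostname (no PTR record, PTR name with no address record, or address mismatch) next to the single condition checked by reject_unknown_reverse_client_hostname. The resolver is a constructed in-memory stub with documentation addresses; a real check would query DNS, and in Postfix the reply code for an "unknown" client is set by unknown_client_reject_code (default 450), not hard-wired as here.

```python
import ipaddress

# Constructed stub resolver data (assumption: a real check queries DNS; these
# are documentation-range addresses and example names, not real hosts).
PTR_RECORDS = {
    '192.0.2.10': 'mail.example.org',   # forward and reverse agree
    '192.0.2.11': 'mail.example.org',   # PTR names a host that resolves to a different IP
    '192.0.2.12': 'ghost.example.net',  # PTR names a host with no A/AAAA record
}
ADDRESS_RECORDS = {
    'mail.example.org': ['192.0.2.10', '2001:db8::10'],
}


def ptr_lookup(ip):
    return PTR_RECORDS.get(ip)


def addr_lookup(name):
    return ADDRESS_RECORDS.get(name, [])


def classify_client(ip, ptr=ptr_lookup, addr=addr_lookup):
    """Return ('ok', name) when reverse and forward mapping agree, else
    ('unknown', reason). The three failure conditions are the ones postconf(5)
    lists for reject_unknown_client_hostname: no PTR, PTR name has no address
    record, or the address records do not include the client IP."""
    name = ptr(ip)
    if name is None:
        return 'unknown', 'no PTR record for %s' % ip
    addresses = addr(name)
    if not addresses:
        return 'unknown', '%s has no address record' % name
    if ipaddress.ip_address(ip) not in {ipaddress.ip_address(a) for a in addresses}:
        return 'unknown', '%s does not resolve to %s' % (name, ip)
    return 'ok', name


def reject_unknown_client_hostname(ip):
    """Strict check: any of the three failures rejects."""
    verdict, _ = classify_client(ip)
    return 'REJECT' if verdict == 'unknown' else 'DUNNO'


def reject_unknown_reverse_client_hostname(ip):
    """Lenient check: only a missing PTR record rejects, so a forward
    mismatch like 192.0.2.11 passes here but not in the strict check."""
    return 'REJECT' if ptr_lookup(ip) is None else 'DUNNO'


if __name__ == '__main__':
    for ip in ('192.0.2.10', '192.0.2.11', '192.0.2.12', '192.0.2.13'):
        print(ip, classify_client(ip),
              'strict=%s' % reject_unknown_client_hostname(ip),
              'reverse-only=%s' % reject_unknown_reverse_client_hostname(ip))
```

The mismatch case (192.0.2.11) is the one to compare against the log: a client whose PTR name resolves elsewhere is "unknown" to the strict restriction even though it has a reverse name, while the reverse-only restriction lets it through.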

UnTrusted CN presented

Wondering if anyone knows if it's possible to log the certificate CN presented when Postfix logs "Untrusted TLS connection established from..."

Postfix logs the 'Untrusted' event well, but I'd like to know if you can see the CN of the certificate presented by the other party.


Postfix 3.2.0 - Sending to all MX records

Firstly, apologies if I haven't included all of the relevant information in
this initial post. Please let me know if I have missed anything.

I am currently running Postfix 3.2.0 and have a problem relating to MX
records and deferred messages. What I have identified is, if a domain our
server is trying to send to has an MX record which returns no response, the
message is deferred. Every time Postfix attempts to redeliver this message,
it uses the same lowest priority MX record.

I have found examples in our mail queue which are deferred with the reason
"unknown mail transport error".

SMTP Authentication without Encryption


The SMTP server of my ISP requires authentication (user/password), but
I do not want to use SASL and SSL/TLS.
Is it possible to have a plain text/unencrypted connection but still use
authentication? I tried various settings in but without
success. I do not manage to get authentication without encryption.

Thanks & best regards,
