Need Help Configuring Postfix Restrictions

Hi, I have installed Postfix 2.11.3 on Debian Jessie. Everything works fine. I would like to restrict local users from sending mail to a particular group email id and allow only a few users, with smtpd_restriction_classes and smtpd_recipient_restrictions, following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with Postfix 2.9 installed on Wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up SASL, Postfix 2.7, Dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened, or rather overtightened, several postfix limits, in what
seemed like a good idea at the time...

I noticed this warning now; this user is on a dynamic IP, so I can't add his
IP to an exception:

Going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

postfix issue with ecc certificates


I'm using Postfix 3.3. I am attempting to send mail from a remote
Android phone running AquaMail Pro, which does support ECC
certificates of secp-256. So I got an ECC cert pair from Let's Encrypt
and installed it.

TLS not offered by host

When connecting to a server that does not offer TLS (or the right level) does postfix log (or can it) the level of security that was offered?

status=deferred (TLS is required, but was not offered by host

(I get very few of these (two servers in the last week), but I'd like to be able to tell the admin of the server what low-level security they are offering).

my smtp_tls* settings:
smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_security_level = encrypt


tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression

Rate Limiting users from different IPs

Hello all,
To overcome scams due to compromised accounts, we are currently using a
beautiful piece of software.

However we have a few issues. Generally spammers don't put a lot of
people in cc or bcc; they send individual mails to a lot of users. This
software counts people in cc or bcc also. This blocks the HR or admin
people sending out announcements or notifications also.

So it needs to be fine tuned as below.

1. Allow a specific subnet of trusted networks to send without restrictions.

Timeout while connecting to postfix via php socket

Good morning all.

I'm facing a strange problem with PHP sockets and Postfix:

1) I have a Postfix machine that runs very well for sending/receiving
emails to/from outside (via Outlook)

2) I'm working on a CRM software that connects to this Postfix via the PHP
socket_connect function. Well, now:

a. all socket connections to this Postfix from a machine outside my
cloud network are OK (I can connect and interact with SMTP)

b. when I try to connect to Postfix with the same script used in 1) but
installed on a machine on the "same cloud network".

please help, getting desperate


I have a question regarding the pipe, when being used to contact the LDA
(in my case, Dovecot).

My virtual users are in LDAP, but they have their own UID and GID. Since
I don't want to do a setuid script for the LDA (and obviously the LDA
needs to run with the correct permissions to be able to affect the
target user's mailbox files), is there a way to use the whole record
object from the LDAP query (which contains the uidNumber and gidNumber
attributes) and use some kind of substitution in the when
specifying the user=UID:GID parameter?

bounced posts go to spam


I have a simple relay for sending emails from internal scanners and a
voicemail system.

Rewrite header From:


My mail server received unsolicited emails with a header From: similar to 'Heidi <info>'.

Users perceive that the email comes from our company, as the header From: has been rewritten to 'Heidi < ... at host dot domain.tld>'.


myorigin = $mydomain
mydomain = host.domain.tld


append_at_myorigin = yes
local_header_rewrite_clients = permit_inet_interfaces

Is there a way to block incoming e-mails whose 'Header From:' does not specify a valid email address?



dnsblog and host or domain not found

I have a postfix-3.3.1 running on a fedora28 system and frequently see
warnings such as these in my logs:

Jul 26 10:42:09 mail03 postfix/dnsblog[3949]: warning: dnsblog_query:
lookup error for DNS query Host
or domain name not found. Name service error for type=A: Host not found, try

That indeed doesn't exist, but
the other postfix systems I have don't appear to log these warnings as

Fall back to relay after a 5XX reply from destination?


I've been running a small volume Postfix mail server on a fixed IP for
15+ years or so.

Recently, my provider forced me from ADSL (being phased out here) to
VDSL, and I now find myself sending mail from a "dynamic" IP address...

As expected, some destinations refuse to accept my outgoing mail with a
550 (usually with a "you're blacklisted" message on top of it).

So, I am now looking for some magic that would make Postfix:

a) first attempt to deliver outgoing mail straight to the destination MX
(as it does now), and,

b) if that fails with a "550 Bad IP" (or equivalent), fall back

Switching final delivery from Postfix to Dovecot


After using local filters (on Thunderbird) for a long time I'm trying to
get Dovecot / Sieve filtering working.  I think I'm almost there but
can't get Postfix to allow Dovecot to do the final delivery, which is (I
believe) the only thing stopping things working.

Here's my postconf -n output; I suspect it's the virtual stuff messing
things up.

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:
daemon_directory = /usr/libexec/postfix

Flags question in

Hi, I have this in my master file.

autoreply unix - n n - - pipe
  flags=DF user=nobody
  argv=/usr/local/bin/angelo $sender $recipient $original_recipient $user $domain

everything is working as I want. Is there a flag or macro that can get me the localpart of the $original_recipient ?

So I want "angelo" from ... at uconn dot edu.

If not possible fine, just want to know.

Open Relay on local lan

Hi All
I have my postfix server up and running now for some time. Recently though,
auditors made a deal that the server is an open relay. It is true that on
the local lan it is. What's the best way to change this behavior? For
example, is there a way to configure postfix to accept mail from say two
domains, but no other?


Missing 'Received' in header

I receive email through Postfix, then relay it on to my Domino server. In
my old Sendmail setup the Received lines were in the header; now they are
missing.

what's smtpd_tls_wrappermode 'non standard'?

Hi all.

Does 'the non-standard "wrapper" mode' refer to SMTPS using port 465?

I think SMTPS using port 465 is 'standard' in RFC 8314.

Is SMTPS using port 465 called 'standard'?

How to white list

I have whitelisted the IP in postscreen_access.cidr. I can see the
'whitelisted' for postscreen in the log.
But it does not get past smtpd.

I do not want to remove reject_invalid_helo_hostname as this really opens
up more spam.

Commenting multi line option

I would like to know if comments may be used in this fashion.

SPF + outside backup MX relay = redelivery failures: Help requested

I am running Postfix with opendkim, rspamd, pypolicyd-spf, and DMARC.
This is working fine for mail delivered directly to my domain. However,
if my net connection goes down and mail gets queued by my backup MX at
another domain (which I do not control), then when my connection comes
back up and the MX relay attempts to redeliver all the queued mail,
delivery fails due to SPF failures like this one, because the sender's
domain has not authorized my mail relay to send mail on its behalf.

Mail loop sending external domain

I have receiving working well. And if I send outgoing mail via telnet,
it works.
But if I send from my Domino server, I get a mail loop.

I have a Domino server running on a Windows machine (called mailserver).
It's configured to send to a Linux machine running Postfix (called postfix).
The Postfix machine is supposed to deliver to the internet.

Avoiding sending backscatter

Hello everyone,

I have a postfix server (with amavis and clamav) that receives emails for
other domains. When it gets a mail for a non-existent email, it accepts it
anyway because it doesn't have the list of valid email addresses.

In other words, I'm generating backscatter and I want to avoid it.

One solution could be to never return a mail delivery notification for
external email, but I think that's not recommended, isn't it?

I'm already discarding all emails with viruses and using blacklists.

Does anybody know any other solution?

Thanks in advance,
-- Diego.

Email architecture

Hey all,

I was wondering if someone knows of a good tutorial or design document
describing how to set up postfix, dovecot (or something else) and other
tools to create a good and secure email architecture, i.e.

- how to configure postfix in a DMZ to relay incoming emails to a dovecot
(or similar) server.
- how to configure postfix in a secure network to receive emails from users
and forward them to a DMZ server
- how to configure a postfix server in a DMZ for outbound SMTP traffic.

But also more in general, what are the best practices for designing an
email environment for a serious busine

grep in Postfix logfiles


I'm looking for a search tool to analyze Postfix logfiles. It should be
something like a multiline grep application which is able to show all
lines which are related to one incoming mail. Mainly I want to search
for the sender and the recipient at the same time. E.g. something like this:

mailgrep "from=<local1@domain1>.*to=<local2@domain2>" /var/log/mail.log

I assume that I'm not the first Postfix user with this requirement. But
I couldn't find a suitable tool. Does somebody know an adequate
application or do I have to write it myself?


DANE-TA(2) private CAs and SHA-1

By using DANE-TA(2) TLSA records you can associate your SMTP server
with either a public or private (your own) issuer CA. This can
simplify the management of TLSA records of multiple MX hosts by
using a CNAME to a common location where you publish the shared CA
key hash.

Some care needs to be taken to make sure that certificate chains
issued by a private CA can be successfully validated by correctly
configured DANE TLS clients.


haproxy protocol ipv6 support?

I've been successfully using Postfix 3.3.1 behind an HAProxy for a few
weeks now, and while this is a minor complaint, I just wondered if it
was known.

I have dual-stack ipv4/v6 support enabled and as a result most of my
mail that comes from Google comes from an ipv6 address.

The IP address is not parsed properly, I think, in the haproxy protocol,
and I suspect that was fixed in send-proxy-v2, which I believe Postfix
doesn't support.

TLS1.3 only


postfix-3.3.1 + openssl-1.1.1pre8

For fun I tried to disable all TLS protocol versions other than TLS1.3:

submission.local inet n - - - - smtpd
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2

but I'm still able to connect using TLS1.2

$ openssl version
OpenSSL 1.1.1-pre8 (beta) 20 Jun 2018

$ openssl s_client -connect submission.local:587 -starttls smtp -tls1_2
Start Time: 1531425453
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
Shouldn't that fail like this one?

$ openssl

RE: new strangeness with O365 [OT] --TESTING

I'm conducting a test to see if the URL rewrite issue is better, for me anyway.

SMTP access restriction lists


I intend to protect some internal email distribution lists in a way
which is described here:

<a href="" title=""></a>

I would need to add "check_recipient_access ..." to the parameter
"smtpd_recipient_restrictions". The actual value of this parameter in is:

smtpd_recipient_restrictions =

"smtpd_relay_restrictions" is not explicitly defined in

postfix cleanup process dropping messages

My postfix servers remain pretty busy throughout the day, getting around
100 - 200 mails / second.

I have seen that for every 100k mails around 20 mails disappear from
the queue.
From the mail logs, I can see smtpd accepting the connection, creating a
queue-id and then cleanup picking it up.
But nothing after that, no qmgr lines, no discard etc.

If I enable cleanup in debug mode I can see errors like this (esp.
cleanup_flush: status 1)

How do I debug this further ?

Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]: open incoming/6262B115F
Jul 12 18:20:35 smtpbp1 smtpbp1/cleanup[9121]:

mail for ... loops back to myself

I suspect the answer to this is going to be "Well, don't do that then." but I may as well ask...

I have a VM that's running two services. One of them is a vanilla postfix smarthost - it accepts mail on port 587 and relays it out to the world.

The other is an unrelated smtp server that listens for inbound email on port 25. They use unrelated domains and hostnames, but are both on the same IP address.

If I try and send mail via the smarthost to the inbound smtp server, Postfix rejects the attempt with "mail for <the destination domain> loops back to myself".

How to autoreply with "Undelivered Mail Returned to Sender" unknown user for


Let's say that I do have a user "user" on my system, but I would like
for emails sent to "user+ ... at domain dot org" to bounce back the
"Undelivered mail" message with something like:

<user+ ... at domain dot org>: unknown user: "user+doesnotexist"

How would I do this? I naively tried adding

user+doesnotexist: doesnoteixst

to my /etc/aliases file, but it was still delivered to my user account.

Thanks for any help.


Disable SSL/TLS renegotiation

Hello postfix-users,

While checking the SSL configuration of a Postfix server, I noticed that
so-called "Client-initiated secure renegotiation" is available in
Postfix by default.
You can verify it with the following openssl command and press "R" once the
connection is successfully established:

openssl s_client -connect <hostname/IP>:25 -starttls smtp

250 DSN
depth=2 C = US, O = XXX, OU = ..., CN = XXX Root CA
verify return:1
depth=1 C = US, O = XXX, OU = ..., CN = XXX Server CA
verify return:1
depth=0 C = XX, ST = XXX, L = XXX, O = XX, CN = XXX
verify return:

check_client_access not blocking /8 /16 /24 etc.

I'm curious to know what I've done wrong with my client checks file.

I can reject a specific IP but it won't reject when I use net blocks...

STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of

Trouble Postfix ClamSMTP - Help


Please, I have now been troubleshooting for 2 days about my problem with
ClamSMTP and Postfix; after writing to the ClamAV mailing list, the people
there are not helping and I'm standing still.

Setting per user/domain smtpd_recipient_limit

Is it possible to set smtpd_recipient_limit via maps?

We have multiple domains and the need to remove such a limitation on a domain or user basis.


Making relay_access_denied permanent?


I was wondering why the following error is returned as tempfail:

Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: connect from[]
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: NOQUEUE: reject: RCPT
from[]: 454 4.7.1
< ... at gmail dot com>: Relay access denied;
from=< ... at jpkessler dot de> to=< ... at gmail dot com> proto=ESMTP
Jul  8 09:49:03 mx3 postfix-cluster/smtpd[3420]: lost connection after
RCPT from[

FreeBSD-11 (Jail) Saslauthd rimap authentication fails

I seem to have a configuration issue with respect to sender
authentication. On the Postfix-3.3.0 host I can do this:

[root@mx32 ~]# testsaslauthd -u testuser -p testuser-password #
expires 20180703
0: OK "Success."

However, when I try to send an email through this Postfix service from
a remote Squirrelmail instance using that same username and password
it fails saslauth in postfix:

[root@mx32 ~]# grep 'Jul 3 12:57:' /var/log/maillog
. .

Long-running cron job emails appearing in queue with large delay value


When a long-running (24hr) cron job runs with log output sent to STDOUT,
it's emailed in the standard way but the resulting email appears in the
queue with a delay value of ~86000 seconds. Our monitoring system,
depending on timing, occasionally spots these and raises an alert about
a potential delivery issue.

Is there any way of tweaking postfix so that it starts the clock only
once the sendmail/postdrop process has received the entire mail from the
cron job?


Server side S/MIME EFail (partial) Mitigation


I read carefully the technical paper about the exfiltration attack (efail) on decrypted S/MIME or PGP content.

<a href="" title=""></a> <>
<a href="" title=""></a> <>

According to my understanding, sanitizing text/html content to a certain extent in the mail body should mitigate the attack.

smtp_address_preference default


According to [1], since 2.8 Postfix uses ipv6 as the default for
smtp_address_preference. But as stated in the doc, it is unsafe when only
IPv6 connectivity is broken, so the safe variant would be any.

Wouldn't it be an alternative that smtp_address_preference could be set
to "ipv6, ipv4" or "ipv4, ipv6" instead of any?

Kind regards


may not be appropriate question but figured what the hay... -- Dovecot

Hi, based on the commands below, anyone know why I would get these errors?

Jun 29 12:05:02 mail2 dovecot: imap-login: Login: user=<cec-support-comment>, method=PLAIN, rip=, lip=, mpid=6752, TLS
Jun 29 12:05:02 mail2 dovecot: imap(cec-support-comment): Error: user cec-support-comment: Initialization failed: Initializing mail storage from mail_location setting failed: mkdir(/home/cec_support_comment/mail) failed: Permission denied (euid=593(cec-support-comment) egid=594(cec-support-comment) missing +w perm: /home, euid is not dir owner)

Back story, user wanted names to h

RE: Can postfix send encrypted but not authenticated emails ? -- FIXED

Hi, I only needed to add one setting and all the deferred test emails on O365 started flowing into my inbox.

RAN vi /etc/postfix/
# -ALF 2018-06-28
smtpd_tls_security_level = may
RAN service postfix reload

Case closed, thanks.


ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

<a href="mailto: ... at uconn dot edu"> ... at uconn dot edu</a>
University of Connecticut,  ITS, SSG, Server Systems

Reject unknown users, even when sent from 'mydomain'

I have a LAN behind a firewall with port 25 forwarded to a machine running
postfix. That machine sends email on to a Domino server. However, I am
using a VM for testing and I cannot change the forwarded port. So I am
doing it all from the postfix machine. I use the command below to send an
email to an unknown user (from the command line). But it delivers it to
Domino anyway. I have only one user defined in the /etc/postfix/aliases
file. Do I have the right configuration to reject unknown users?

Defer mail instead of bounce

I have email relays that relay/filter email between the internet and our
internal network. I must use the DNS servers we maintain and those
servers use a DNS blacklisting service. The problem I'm having is that
when a legitimate domain is blacklisted, I see log messages like the
ones below and the email is bounced. In the situation that brought this
up, both the sender and recipient domain were blocked so the bounce went
nowhere. Since these blacklistings are temporary, maybe several hours,
I'd like to defer this mail and have postfix try again later.

Can postfix send encrypted but not authenticated emails ?

Hi, I have been reading the online docs for TLS_README.html and SASL_README.html but am still having trouble deducing if I can get Postfix 2.6 to accept email over port 587 without giving Postfix a username and password.

My current understanding of how my server deals with mail is traffic on port 25 with no username and password needed is only allowed from on-campus, and traffic on ports 465 and 587 is allowed when you provide a username and password, and postfix encrypts the email.

I would like to change it so postfix will accept email without a username and password, specifically from Offic

Can an ISP partially block traffic over port 25?


I have a very strange issue with a mail server located in the main
company office. For the last five weeks we have been experiencing
problems delivering emails to some domains stored on and
other servers.

how to restrict subnets to send only to specific domains


I have to set up Postfix so that clients or printers from subnets like or specific IP addresses like are allowed to
send mails to every destination.

I have done this with this:

smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
mynetworks = [::ffff:]/104 [::1]/128

In the txt file are the specific mail addresses.

Now I have to restrict some subnets to send mails only to domains like or

I found


Hi all,

I was reading Postfix documentation and found this configuration parameter.

disable_vrfy_command (default: no)
Disable the SMTP VRFY command. This stops some techniques used to harvest email addresses.

I am not a native English speaker, so I am a bit confused by the sentence above. So, if the value is set to 'no', it stops some techniques used to harvest email addresses. Is that correct? The parameter itself has "disable" in its name, so it looks like a double negative.

Sorry for this silly question but I would really appreciate it if anyone could help me.

error when attempting to send a message


I'm running Postfix 3.3.1 with rspamd as an anti-spam solution.

Header has unknown for IP address


I don’t believe my Postfix install is doing the PTR lookups, or it broke in some way.

I have this enabled:
# postconf |grep smtpd_peername_lookup
smtpd_peername_lookup = yes

and my DNS can resolve the name:
# host domain name pointer

But the headers give unknown:
Received: from (unknown [])
by (Postfix) with ESMTPS id BA9143C
for < ... at example dot com>; Wed, 27 Jun 2018 15:48:44 +0000 (UTC)

How could I debug/enable this? What was missed in the config?

Many thanks, S.

Need to understand mynetworks_style more

In our live system, I have firewall forwarding port 25 to mail server.
That mail server then delivers mail to Domino server.

I am testing on a VM, and I have this much configured and working within
our LAN.

I am unclear as to delivery restrictions. The default for
mynetworks_style is subnet, so email will be accepted from any machine on
Does this restrict email coming in from internet? Since I can't test with
live system, I can't forward port 25 to VM for testing.

My goal:
I am migrating from Sendmail.

What is postfix telling me to do?

I am configuring a new Postfix-3.3.0 service to act as one of our
public MX providers. The address of this new MX service has been
published in our DNS but with a lower precedence (higher priority
number) than our active MX service.

Naturally enough there are countless spam bots regularly hitting the
low priority MX services and so when I activate Postfix for testing we
get numerous opportunistic connections.

New EFF certbot plugin for Postfix

The EFF announced a certbot plugin for Postfix today, which
is still in beta. A couple of things to keep in mind:

* If you've already deployed DANE, this stands a good chance
of breaking your DANE TLSA records. For the moment do not
deploy this if you have inbound DANE.

* Do consider sharing any substantive experience (issues you
had to resolve that may save others grief).

unable to get smtpd_recipient_restrictions to work

I have set up postfix using virtualmin on ubuntu 16.04.
Have set up DKIM, MX, SPF etc.
For webmail have set up roundcube and rainloop.
SSL is set up using let's encrypt.
Everything works great for emails.

Now we need to restrict some users to be able to send local emails only.
For this I found this link
and followed the steps for "Restricting what users can send mail to off-site".

I have tried all options and searched all options online but none of it
seems to work for this.

Here's content from my file


Blocking TLDs with check_sender_access


I have a check_sender_access restriction that blocks many TLDs like
.red and .space. Problem is that we have one legitimate .red customer
(what was he thinking?) that needs to send us mail.

performance question


for a period of time we need to route ~ 2.000 mail addresses to our old
I would add those addresses into the transport file like

<a href="mailto: ... at domain dot com"> ... at domain dot com</a>
<a href="mailto: ... at domain dot com"> ... at domain dot com</a>

Will the larger transport file now affect the performance of the Postfix
server ?

Best place for DNSBL restrictions


I manage a small mail server and have been using Spamcop as a DNSBL via postscreen:

postscreen_dnsbl_sites =
postscreen_dnsbl_action = drop

After reading RFC 5782 “DNS Blacklists and Whitelists”, I decided to add some more
DNSBLs and specify filters and weighting. While looking at various samples of
using DNSBLs, I came back to an old question: where should I implement DNSBL restrictions?

On this list I seem to recall that using a DNSBL via postscreen is discouraged.

Specific recipient restrictions

Hi list,

I have a few users who use a metered mobile connection and I need them to
have restrictions on monthly volume used and on each message size, different
from my normal recipients. E.g. normal users can send or receive up to 10MB
messages, but for them I need to have a much lower restriction. Is it possible
to achieve this through some add-on?

I would appreciate any direction to look at.

thanks in advance

