Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

smptd_tls_security_level = encrypt


Running Postfix 2.10.1.

I am setting up an internal mail relay to receive mail from other
internal clients.  I have a requirement that all email be received via
TLS only.

I have configured TLS using our internal PKI and set the appropriate
settings in and mail is being received via TLS according to the

I have set smptd_tls_security_level = encrypt.  According to the

encrypt: Mandatory TLS encryption: announce STARTTLS support to remote
SMTP clients, and require that clients use TLS encryption.

However, the server is still willing to accept non

postfix functional testing


we have pretty complicated setup. when we change something, we can break
something else.
however, we can describe "what must work".

is there a way of describing configuration testing like
<a href="" title=""></a>

Ilya Shipitsin

pickup performance


Looking for some hints on a performance problem i have with postfix and looping mail through a content filter and it slowly feedback back out via the maildrop.

It would seem that pickup process is trickle feeding the maildrop back into the active queue. I conscious that pickup is single thread but for comparison on reboot of the match postfix will seemingly take the maildrop items real fast and smtp send them out.

macOS X, Operation not permitted - rename sendmail

I’ve just tired to install Postfix 3.3.1 on macOS X 10.13.6 High Sierra.

Sudo make install finishes with:

Updating /usr/sbin/sendmail...
mv: rename /Users/jlbrown/Downloads/postfix-3.3.1/junk to /usr/sbin/sendmail: Operation not permitted
make: *** [install] Error 1

My make command was:

make -f Makefile.init makefiles CCARGS='-DUSE_TLS -DUSE_SASL_AUTH \
-DDEF_SERVER_SASL_TYPE=\"dovecot\" \
-DDEF_COMMAND_DIR=\"/usr/local/sbin\" \
-DDEF_CONFIG_DIR=\"/usr/local/etc/postfix\" \
-DDEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" \
-DHAS_PCRE -I/usr/local/opt//include \
-DHAS_SSL -I/usr/local/opt/o

Invalid address is accepted by postfix

After reading it seems that a valid local-part address is :

/The local-part of the email address may use any of these ASCII characters:

*) uppercase and lowercase Latin letters A to Z and a to z;
digits 0 to 9;
special characters !#$%&'*+-/=?^_`{|}~;

*) dot ., provided that it is not the first or last character unless
quoted, and provided also that it does not appear consecutively unless
quoted (e.g.

set-permissions fails: how to fix and/or manual set correct permissions?

-> minimal: no SElinux, no appArmor, readme_directory = no, etc.

environment: root user name is renamed
# postconf -n
command_directory = /opt/sbin
compatibility_level = 2
config_directory = /opt/etc/postfix
daemon_directory = /opt/libexec/postfix
data_directory = /opt/var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
default_database_type = cdb
inet_protocols = ipv4
mail_spool_directory = /opt/var/mail
manpage_directory = no
myhostname =
mynetworks =,

Can't enable SASL authentication


I'm wondering if anyone here can help me with a problem that I'm having.
I've run into an issue where I cannot enable SASL authentication.

My configuration is as follows:
* Slackware 64-bit 14.2
* cyrus-sasl 2.1.26 (recompiled with LDAP support)
* postfix 3.3.1 (with LDAP support and cyrus-sasl support)

My contains:
cyrus_sasl_config_path = /etc/sasl2
smtpd_sasl_auth_enable = yes

postconf -d produces:
cyrus_sasl_config_path =
smtpd_sasl_auth_enable = no

Has anyone run into this? If so, how did you fix this?

any api to read logs ?


we use automation to send messages.
from the automation point of view it is nice to know what happened to

I think about the following

1) automation send email via smtp --> id of message
2) automation ask postfix via (rest) api "hey, tell me history of message
id ..."

any suggestion ?

Ilya Shipitsin

rejecting mail on Envelope RCPT != to a header recipient

Hi all,

for certain envelope recipients, I'd like to subsequently go on to check
if we have any matching Recipient headers (TO: CC: etc) and reject the
email if none exist (preferably before the sending MTA completes the

I understand that this needs to be done after the DATA phase - so using
a before queue filter?

The docs seem to indicate that I wont have access to the To: stuff at
that stage - is that true?

pointers appreciated


Problem connecting any ips to mi postfix server

There are some ips that when wanting to connect with my postfix it is
impossible to do so when connecting in the same second they disconnect
without sending any data
for example:

Sep 26 21:20:47 ns postfix / smtpd [4679]: connect from []
Sep 26 21:20:47 ns postfix / smtpd [4679]: disconnect from []

This is my postconf -n configuration

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
allow_untrusted_routing = yes
append_dot_mydomain = no
biff = no

DNS lookups in check_policy_service configuretion line.

Postfix version 2.10.1

I'm adding a check_policy_service for some quota checking, with the
following arguments


If i configure the line like this in it fails with the
following message
fatal: host/service not found: Device or
resource busy

If i on the other hand configure it with an ip address it work

check_policy_service inet:

The dns name resolves in the OS.

Is it now allowed to use fqdn's in the check_policy_service statement
or is there a setting i'm failing to find that

Devendra Fadnavis: Clean drinking municipal water for North West Virar residents


I just signed the petition "Devendra Fadnavis: Clean drinking municipal
water for North West Virar residents" and wanted to see if you could help
by adding your name.

Our goal is to reach 224 signatures and we need more support. You can read
more and sign the petition here:

<a href="" title=""></a>


TLS: Migrate from *encrypt* to *verify* for specific domain

Dear Postfix folks,

Currently, our `/etc/postfix/tls_policy` looks like below to force
encryption when sending messages to other servers in our organization. encrypt encrypt

We want to improve that. Unfortunately, DANE is not an option as the DFN
does not support that, and a lot of German research organizations and
institutes use that for receiving messages.

We do not have control over the other servers, but want to migrate to
*verify* [1].

Can you recommend a strategy how to do that?

empty MAIL FROM and check_sender_access


I'm using smtpd_sender_restrictions = check_sender_access

to make sure, my senders only send out with pre-defined and allowed domains.

Now i noticed, that if my users acknowledge "read confirmations" in
clients, mails in the following form arrive at postfix:

from=<> to=< ... at customer dot tld> proto=ESMTP helo=<W8PPCN130916>

and will be rejected as empty mail from is not allowed by

Howto deal with that?

postfix on loxcal network - smtpd_sender_restrictions problem


I am testing sender address syntax with :

smtpd_sender_restrictions = check_sender_access
pcre:/etc/postfix/sender_syntax.pcre, reject

And the file /etc/postfix/sender_syntax.pcre contains :

/^([a-zA-Z0-9.\-_]+)@troll-hathor.nwk$/ OK

/^\@/ REJECT 510 Invalid address format.

/[!%\@].*\@/ REJECT 511 This server disallows weird address syntax.

/.*/ REJECT You can't send E-Mails from this server.

When I test the lookup table with :
postmap -q ... at example dot ... at example dot com

I got this :
REJECT 511 This server disallows weir

Postfix 3.1 -> Postfix 3.3

Hello All,

I'm attempting to configure Postfix 3.3 on a freshly-installed Ubuntu 18.04 LTS
system. The system will do nothing more than relay mail (for status and
summary e-mails) to my main mail server. The same configuration works using
Postfix 3.1. What am I missing?

spf dkim authentication-failure


Since last week i become everytime this messages if send any Email, i don't
find me mistake

Please can you give me the right search way that i need to view.. Or what
are here me trouble.

opendkim[714]: 8D328402FC: DKIM-Signature field added (s=mail,

What is postscreen_dnsbl_reply_map use for?

What is the meaning of `postscreen_dnsbl_reply_map` in postscreen (postfix) ?
I've read from documentation:

And from manual:

BCC to a local account

I am trying to bcc all mail to a prticular user (currently
<a href="mailto: ... at lereta dot com"> ... at lereta dot com</a>) to a local account (mrcar).

I tried to setting an entry in recipient_bcc_maps:

/mrctest\ mrcar

but that just returns "status=deferred (unknown mail transport error)"

I also tried

/mrctest\ <a href="mailto: ... at mx02 dot"> ... at mx02 dot</a>

with the same result.

Is this even possible? If it is how can I make it work.

Not sure if i have a DNS or Postfix issue ?

Hi, not sure if i am looking in the wrong place:
If you want my postconf I can get it.

User sends email to <a href="mailto:ling- ... at listserv dot">ling- ... at listserv dot</a> with client.

Vacation transport ignored

Good day Guys

Im trying to get vacationing going as per the link

<a href="" title=""></a>

Please can I ask if someone could please peer review my setup.

Its almost like postfix is ignoring the transport.

root@mail ~ # postconf |grep transport_maps
address_verify_sender_dependent_default_transport_maps =
address_verify_transport_maps = $transport_maps
empty_address_default_transport_maps_lookup_key = <>
fallback_transport_maps =
mailbox_transport_maps =
proxy_read_maps = $local_recipient_m

Address verification for a single domain

Hello everyone,

In order to avoid sending backscattering I'm going to implement
Address Verification (reject_unverified_recipient). Can I skip it for
one domain? If I configure postfix like this:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/no_reject_unverified_recipient

And in /etc/postfix/no_reject_unverified_recipient:

domain.tdl OK

I won't have the rbls check for that domain. I would like to skip just
the reject_unverified_recipient check. Is it possible?


How to make Postfix filter spam for entries in virtual?

My postfix installation is working correctly (delivery via dovecot, spam
filtering via amavis - spamassasin).

I have some aliases in virtual, eg:

<a href="mailto: ... at mydomain dot com"> ... at mydomain dot com</a> johnDoe

However, for the emails that match an entry in virtual, amavis is not
filtering for spam (resulting in lots of spam reaching my inbox).

How can the configuration be changed so that the emails that match virtual
entries are also filtered for spam?

You can find my file here

Thank you in advance for your help!


best practice anti virus integration & custom reject messages


I like the clean and easy milter way and having clamd this way integrated
in postfix. But i can not use custom reject message in case clamd detects

postfix/cleanup[4292]: BD6BA80ACA: milter-reject: END-OF-MESSAGE from
(...): 5.7.1 Command rejected; from=<me> to=<recipient> proto=ESMTP
helo=<my internal mailserver>

This message lacks basic information - virus detected.

smtp_delivery_status_filters seems to not work in this case.

delay all email to a defined sender list

Hi List,

It happened just one time too many today, in a rushed moment
sending the wrong email to the wrong person.

Is it possible to exclusively delay sending mail to specific
recipients that appear on in a list?

This way I suspected such an error of an email to one the special
recipients, then I could still delete the email from the queue.


reject_unverified_recipient and /ect/aliases delay/issue


we use reject_unverified_recipient and have

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases

after changes in aliases and issuing postalias /etc/aliases

verify_cache.db seems to get corrupted or at least not updated properly as
new/updated entries do not get correctly verified and postfix logs:

close database /var/lib/postfix/verify_cache.db: No such file or directory
only a postfix stop, rm verify_cache* , postfix start helps.

are there known limitations?

FW: RE: Double-Bounce

In order of messages.  ( i got 11 message for 1 postfix list mail ). 
I only see this these when .
1) someone tries to mail out of my domainname.
2) when i mail the postfix list.
I never figured this out, why this happens at the postfix list.


Hi all!  I am getting messages in my logs where postfix is doing its
double-bounce email thing.  I am trying to send email to an email server
sitting behind my mail filter appliance (eFA) which routes emails to my
main mail server on my network after scanning inbound messages.

It seems messages get through to one of the users on my mail server,
just not to me, which generates the double-bounce@ email which is
totally annoying.

dnsblog and "Name service error"

Hi, I've been experiencing these weird "Name service error" problems
for a month or so and can't figure out what's causing them.

Sep 13 10:04:59 mail03 postfix/dnsblog[30902]: warning: dnsblog_query:
lookup error for DNS query Host
or domain name not found. Name service error for type=A: Host not found, try
Sep 13 10:04:59 mail03 postfix/dnsblog[30920]: warning: dnsblog_query:
lookup error for DNS query Host
or domain name not found.

Stop sasl mail submission on port 25

Hello dear Postfix users,
I am managing a postfix server (version 2.5.5), but I did not installed it.
This server accept mail submission on port 25 after sasl authentication... I
would like to stop it, because this is a security issue.

emails stuck in maildrop


I had misconfigured postfix + amavisd-new combo for a few minutes.

openssl 1.0.2 and TLS 1.3]

----- Forwarded message from Matt Caswell < ... at openssl dot org> -----

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101

On 11/09/18 14:58, The Doctor wrote:

DKIM signing of bounce back messages


I have a question regarding DKIM signing on Postfix bounce back messages.

I was tuning my Dovecot installation around quotas. I sent a test message from Hotmail to a test account on my server to test generation of a bounce back when a user exceeds their quota. The message was successfully generated and then relayed via Postfix back to the Hotmail account, but I noticed the bounce back message went into the Hotmail junk folder.

Inspecting the message I saw that I was not DKIM signing messages generated by Postfix or via sendmail.

postfix add warning message for all external incoming emails

Hello Friends,
I would like to make postfix add a warning message for all external
incoming emails - Something like this at the top of each mail.

WARNING: This email originated outside of our organization. Do not
click any links or open any attachments unless you recognize the
sender and know the content is safe

How is this possible in postfix?


postfix does not bounce instantly when remote party does not offer TLS


delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but
was not offered by host

seems to me like a permanent error - postfix sees it as a temporary one. I
would like to have instant bounce message for this case when TLS is not

sending postfix is configured 'encrypted' os no fallback is wanted.

smtp_tls_policy_maps on a per tls user basis


is there a way to specify on a per user basis (sasl authenticated user) if
TLS should be none or may or encrypted for a specific recipient domain?

I would like to have the user to decide if his mail to a specific domain
should be TLS encrypted and then maybe bounce back but let other users
mails to same destination domain go ahead with a may or none.

Host offered STARTTLS: [mxlb... without relation to destination domain

I like the option smtp_tls_note_starttls_offer = yes
but when a host is logged, it's hard to keep track to which recipient
domain that host belong without doing dns-lookups against all listed in

Can this be improved to maybe also list the appropriate recipient domain?

custom reject message for reject_sender_login_mismatch



smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch
smtpd_sender_login_maps = hash:/etc/postfix/login_maps

rejects user with invalid mail from domain with

< ... at b dot c>: Sender address rejected: not owned by user abc; from=< ... at b dot c>
to=< ... at remote dot tld> proto=ESMTP helo=<[]>

How can i customize this reject message?

Thank you.


Custom oversize rejection notice

When someone sends an attachment via email that exceeds our limit, I'd like to return a custom error message directing them to our in-house web based file upload/download utility (similar to Dropbox in functionality). I've looked at the options, but I don't see an option to address message size. Is that a possibility?


why "allow_min_user = no"

Hello Wietse,

Could you explain me why "allow_min_user = no" ? Could we change to
= yes" ?

Thank you,Paul

What is Postfix telling me?

Starting shortly after midnight 20180906 our maillog file began to
record this sort of message pair every six minutes or so.

Sep 6 12:36:42 mx31 postgrey[85107]: action=pass, reason=client AWL,,
client_address=, sender= ... at airportcargo dot ca,

Sep 6 12:36:48 mx31 postfix-p25/smtpd[66636]: proxy-reject:
END-OF-MESSAGE: 451 4.5.0 Error in processing, id=29937-07, quar+notif
FAILED: mail_dispatch: no recognized protocol name: -2 at
/usr/local/sbin/amavisd line 9638.; from=< ... at airportcargo dot ca>

Heads up for Gentoo users: mail-mta/postfix-3.3.1-r1 has permissions problems

For anyone using Postfix on Gentoo, be aware that
mail-mta/postfix-3.3.1-r1 installs with many incorrect file permissions
that result in impaired functionality (specifically, postdrop won't
work). You may want to consider rolling back to 3.2.4 until the ebuild
is fixed. If you want to just fix the permissions, you'll need to do it
manually, because 'postfix set-permissions' isn't working correctly in
3.3.1-r1 either.

(See Gentoo bug #665280)

strict_rfc821_envelopes possibly broken on postfix-3.3.1

I was debugging issue with email system sending mail from in wrong

MAIL From: <a href="mailto: ... at domain dot tld"> ... at domain dot tld</a>

Adding <> to email address to (broken) software gui fixed smtp
sending, so this worked:

MAIL From: < ... at domain dot tld>

But I found out that strict_rfc821_envelope check should not be enabled
by default and verified same with postconf that it is not enabled.
Still postfix is behaving as strict_rfc821_envelopes would be enabled.

Is this a bug in postfix?

Patch: eliminate postfix-script warnings about symlinks


Running Postfix 3.3.1 under Linux, postfix-script produces pointless
warnings if/when there are symbolic links in or below $config_directory.

1. I installed (CA root) certificates in a subdir of /etc/postfix and
rehash with "openssl rehash <subdir>.

postscreen error with 3.4-20180903

with new snapshot 3.4-20180903

(probably related to error just reported with "postfix" command)

postscreen_reject_footer = \c; Contact <a href="mailto: ... at vbhcs dot org"> ... at vbhcs dot org</a> for
assistance. Include this data: servertime=($localtime)
client=([$client_address]:$client_port) server=($server_name)

Sep 4 13:46:46 mgate3 postfix/postscreen[8656]: fatal: open
dictionary: expecting "type:name" form instead of "\c;"

-- Noel Jones

error with 3.4-20180903 postfix command

Using the new 3.4-20180903 snapshot.

postscreen_reject_footer = \c; Contact <a href="mailto: ... at example dot com"> ... at example dot com</a> for
assistance. Include this data: servertime=($localtime)
client=([$client_address]:$client_port) server=($server_name) (postscr

run "postfix reload"

postconf: warning: /etc/postfix/ undefined parameter: localtime
postconf: warning: /etc/postfix/ undefined parameter:
postconf: warning: /etc/postfix/ undefined parameter:
postconf: warning: /etc/postfix/ undefined parameter:

-- Noel Jones

multiple/simultaneous virtual_transports?


I currently host three virtual domains with a postfix instance.

Postsuper remote


I would like to know if there is a command line tool for managing many
postfix servers from a central server. I have 4 servers running postfix
and I would like to manage the mail queues from one single machine.

Thanks in advance,

Postscreen vs. BDAT

Today a fellow postmaster (using Exim) called me, they were having problems sending
mail to

Postfwd question

I know, I know, it's offtopic since it'S not entirely postfix per se,
but I am at my wit's end here.

I'm trying to implement a (I think) simple ratelimiting feature:

* during our business hours 400 Mails per sender from internat host
* otherwise 100

Some of my limits work, others don't trigger at all:

# these are exceptions for high volume senders.

mydestination, subdomains and local delivery

Hi all,

I'm running postfix for a domain, e.g, "". Its intended
purpose is to receive mail for that domain and relay mail for authenticated
users (e.g., to gmail), otherwise reject mail.

In, I have set "mydestination =". When sending mail
to a certain user on that domain (<a href="mailto: ... at testdomain dot com"> ... at testdomain dot com</a>), the mail gets
delivered locally (no outbound connection). However, if I'm sending mail to
<a href="mailto: ... at subdomain dot"> ... at subdomain dot</a>, postfix tried to relay the mail to an
outbound server (namely that from my ISP).

Postfix invoking content filter for each recipient


I have been using Postfix 2.6.6 on CentOS 6 which I have configured
with an 'After-queue content filter'. The filter gets invoked when an
email is received by Postfix. The content filter does some processing
and pass on the message to another server from where the message is
sent to the recipients.

Recently I built version 2.11.11 and configured it to use the same
content filter. However, now Postfix is invoking the content filter
for each of the recipient. I would like it to invoke the filter once
per message and not per recipient.

Want to be sure i am not throttling user.

Hi, i am troubleshooting a client complaint.
This user "wellness"

Aug 28 10:22:27 mail5 postfix/smtpd[7534]: EE46E2FB: client=unknown[], sasl_method=LOGIN, sasl_username=wellness

Some user feedback :
On Friday I sent a batch of 436 and it took 11 minutes to send
This morning I sent a batch of 725 and it took 1 hour and 21 minutes

Do any of my settings throttle their ability to send to my postfix server ?

I think it is the client they use.

block sender/receiver pairs


I need to block certain combinations of sender/receiver on a postfix
MTA. What would be the best way?



New SMTP server protocol support: CHUNKING

Postfix snapshot 20180826 introduces server support for RFC 3030
CHUNKING (the BDAT command) without BINARYMIME, in both smtpd(8)
and postscreen(8).

Impact on existing configurations:
- There are no changes for smtpd_mumble_restrictions, smtpd_proxy_filter,
smtpd_milters, or for postscreen settings, except for the additional
option to suppress the SMTP server's CHUNKING service announcement,
for example, with:

smtpd_discard_ehlo_keywords = chunking

- There are no changes in the Postfix queue file content, no changes

Looking for an 'easy' postfix log file analysis tool

Hello there ;)

I'm looking for a simple, clean & easy logfile analysis tool for postfix

I'm runing postfix 3.2 on an opensuse box

I found a listing here: <a href="" title=""></a>

already had a look at mailgraph as it looked promising with the
graphical charts.
but while trying to setup it had a problem parsing the postfix log entries.

Error: the entry is not in syslog format

as far as I remember the box running postfix is using the rsyslog daemon

then also had a look at AWStats but here the perl
script wasn't able to parse the postfix log en

Syndicate content