Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

OT: dkim "fail (message has been altered)" ?

I'm attempting to implement dkim/dmarc, noticed that many spam messages
have like "fail (message has been altered)":

Authentication-Results: (amavisd-new);
dkim=pass (1024-bit key);
domainkeys=fail (1024-bit key)
reason="fail (message has been altered)"
header.from= ... at dossierinfotech dot

is that something that can be rejected/blocked in Postfix, and how? or
where should that be utilized ?

Different SSL certificate per virtual domain

Hello All,
I've googled but a bit confused.
I have a server with an IP hosting two different virtual domains.
Both domains need to have their individual SSL certificate like and to download and send the same.
Is it possible in Postfix if I have only one public IP and achieve same?
Can you guide me to some links if possible.

re-route mails on demand during block of ip address


I'm running a pair of postfix-servers in different data-centers (different
ip networks) for outgoing-only delivery. once in a while my provider's /22
appears on public blacklists, so mails from my nodes also get rejected.

For this, I have now a third backup-instance in another data center that is
not visible to my users and only fairly with dummy mails used to keep
reputation up and good. How to re-route traffic on demand with postfix in
case ip-networks get blocked again?

How do others handle this?

Thank you.


Mail Delivery Status report

I am getting mail delivery status reports for every bcc email (that is, every email, since I use a bcc map to create a backup of all the mail).

I've looked through all the postfix files for any instance of sendmail -v, and have only found it as a comment in

# grep "sendmail -v" * address...) or for verbose mail delivery (sendmail -v address...).
recipient_bcc_maps = pcre:$config_directory/rbcc.pcre

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+151.${1}.${2}@<a local domain>

the MDSR is not really a pro

opendmarc.dat Permission denied issues

I'm trying to setup DKIM & DMARC, set it few days ago, it seemed to be
working ok(?), well, I didn't notice errors

noticed today multiple "Permission denied" errors since last night, across
multiple domains

grep " Permission denied" /var/log/maillog | wc
1943 19430 200491

May 29 13:41:43 geko opendmarc[27677]: AAADD4E821C9:
/var/run/opendmarc.dat: fopen(): Permission denied

# grep AAADD4E821C9 /var/log/maillog
May 29 13:41:41 geko postfix/smtpd[30596]: AAADD4E821C9:[]
May 29 13:41:42 geko postfix/cleanup[30785]: AAADD4E821C9:

transfer mailq


We are busy with a POC building a new vessel mail system for our fleet at sea.
In our office we have now two postfix servers running behind a F5 that has failover: when the primary mail server goes down the second one takes over.

So far so good, we tested this and everything is ok.

Now I want to know if it's possible to transfer mail files that are queued on server A to server B to get sent when A goes down.

I would like to do this as follows

Create two folders on a nfs share

Server A writes his mails to folder A
Server B writes his mails to folder B

When server A crashes we copy/transfe

How to reject mails where from address and to address is myself.

Dear List,

Lot of SPAM mails are being received where from and to address is
myself and the mail has contents which are dirty/bad.

The original sender id will be different.

How to handle such mails?

postfix as relay server: sasl auth


We have setup a postfix server that serves as a relay server between the office and our fleet.

The postfix gets his mails from the exchange server onboard.
The restriction is set that only mails from the ip of the exchange are accepted.

And this security rule works, from no other ip mails can be send.

But our sec officer is worried what if somebody gets into the vm running the exchange server, or creates a vm that has the same ip as the exchange; then you can send mails without auth.

That's why I'm searching for a way to secure our postfix server with password and username.


Blacklist honeypot senders

I have an active email address that only receives spam (it is an address that wasn't used for years but I've recently reactivated to see just how much spam an unprotected decades old account that hasn't accepted mail since 2006 would get).

Anyway, what I would like to do is somehow blacklist any IP that sends mail to that address for some period of time, configurable by me but not necessarily dynamic. (That is, if I could specify 1 day or 3 hours for any match, that is fine).

I suspect that postfix might be able to do this through some sort of helo_access check?

How to write more complex transport rules

Hi All, need some guidance on how we can configure transport rules which have
to route email based on both Sender and recipient domains.

Our transport_maps ( in my org ) have been simple and configured in
traditional fashion:

like receive email from

Domain1 >> smtp:Gateway1
Domain2 >> smtp:Gateway2

however we have got a situation where we had to route email based on both
Sender and recipient domain.

DKIM doubled, which one to remove?

following earlier advice here, I've finally tried to set DKIM

I think I'm getting there, but I've noticed it's doubling up[1], with amavis

which one should be bypassed, and, how to do so ?

thanks, V

content_filter = smtp-amavis:[]:10024
smtp-amavis_destination_recipient_limit = 1
smtpd_milters = inet:, inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

# grep 711344531867 /var/log/maillog
May 24 15:15:08 geko postfix/smtpd[20479]: 711344531867:[]
May 24 15:15:09 geko pos

Rejecting mails from one server

Greetings, All!

Can't seem to grasp the origin of the issue.
If I send the mail to the same addresses myself, it is coming through, so is
much of the other mail traffic.

info@ is virtual, bulk of the mail coming its way, no problem.
vera@ is real local address.

If I grep similar entries in the log, they are all spam or obvious typos.
(Like "1info@...") But this domain seems correctly configured.

On How to Insert a custom header on outgoing email

Hello Community

we were tasked at routing all outbound email from our mail relay postfix
server through an Anti-SPAM gateway and this introduces a requirement to
insert a custom header with a unique value (shared by the Anti-SPAM vendor)
to let email relay through them.

so we want to insert a header

X-AUTH-TOKEN : xyz123

in every email leaving our postfix server.

Could anyone of you please suggest how we can achieve this.

Configure failure on 5.x kernels?

I don't know if this is Gentoo specific.

Postscreen - fatal: btree:/var/db/postfix/postscreen_cache

Dear team,

I get this error messages in my logfile more frequently:

May 21 21:23:51 xxxx kernel: May 21 21:23:51 xxxx postfix/postscreen[77391]: fatal: btree:/var/db/postfix/postscreen_cache: unable to get exclusive lock: Resource temporarily unavailable

Can you tell me what exactly goes wrong and how to solve this? Thanks.

Best regards,
Jos Chrispijn

-- With both feet on the ground you can't make any step forward

header_checks apply to headers of attached messages?

If I send a message as attachment, header_checks are applied to the
headers of the attachment also. Why does it happen? Can I turn it off?

Modify logs for delivery?

I may have asked this in the past, but if so it's been long enough I don't remember and can't find it in my mail archives.

Is there some way to modify what is logged from postfix/local and postfix/pipe so that the "status=sent" lines include the from address as well as the to address?

May 21 14:52:32 mail postfix/local[63216]: 457nyS31Y4zdrvK: to=< ... at covisp dot net>, orig_to=< ... at kreme dot com>, relay=local, delay=0.39, delays=0.34/0.01/0/0.04, dsn=2.0.0, status=sent (delivered to command: /usr/local/bin/procmail -t -a $EXTENSION)

May 21 14:53:16 mail postfix/pipe[67313]: 457nzJ4gd7zdrvL: t

Tell LMTP who is original recipient?

For some time it is possible to make postfix virtual tell a LDA who is
the original recipient, add x-original-to header. But not LMTP. This
creates problems in final delivery, one example is autoreply vacation
program cannot check if message was addressed directly to this user or
not, so many autoreplies are sent when it should not happen.

Feature request for this seems stalled, but in meantime, is there any

FYI, I use dovecot LMTP.

intermittent "cannot find your reverse hostname" for senders. Best workaround?

I run postfix 3.4.5.

I typically reject on unknown reverse hostname; it's a policy I'm comfortable with.

For a number of correspondents that use for outbound, I occasionally see failures crop up for the same sender, then just 'automagically' resolve.

E.g., for a single sender, here "them", in my logs

postfix.log:Apr 24 13:18:19 mx postfix/postscreen-internal/smtpd[6816]: NOQUEUE:[]
postfix.log:Apr 26 11:15:00 mx postfix/postscreen-internal/smtpd[18428]: NOQUEUE: client=mail-eopbgr790080.outb

Re: SNI support

Wietse Venema < ... at porcupine dot org> wrote ..
Oh, ok.

OT: Postscreen and scoring/blocking by ISP

Hi all,

I was looking through a few lists of RBLs and I’m not finding quite what I want.

I have quite a bit of my spam blocking working fairly well, but I’m seeing quite a bit of “snowshoe spam” from a few providers. Rather than look up their netblocks and outright block them, I’d like to incorporate them into the postscreen scoring process. As time goes on, I’m sure I’ll find others, but I do see ColoCrossing and Limestone Networks as pretty consistent sources.

Are there any RBLs that exclusively deal with blocking by netblock/owner that I’m missing?

Block spam at smtp time, but then still forward to users spam box

Good day Guys

Just want to check with the community.

My colleague has proposed that at smtp time, if a mail is deemed as
spam, the server issues a reject code, but then to also accept the mail
and forward the mail to the user in case it's a false positive.

His logic is that the spammer does not build up a database.

Currently what we do is, if the score is between 5 and 15, just accept
and move the spam to the users SPAM box.

SNI support


SNI support for smtp server and client is said to be there, from what I read in release notes from 3.4.0.

Disable milter(s) for recipients (IP/addresses)


is there a way in postfix to disable milters for outgoing mail to
dedicated IPs, or better, dedicated recipient addresses?
I am just fed up from fixing DKIM signatures to a way that it is
insecure just to get mail accepted from several mailing list
implementations because they are munging headers to death.
And I don't want to get away from reject policy, too, because it is only
a problem with several mailing lists.
For postfix mailing list this is fine but munging headers like subject

DKIM milter: adding a TXT record

Hey, guys. Might be a little bit off topic, but I'll throw it out

I'm working to implement DKIM and DMARC at this time (DMARC is next), and
I've got DKIM just about down except for one thing: the TXT record.
Bind doesn't seem to want to load the TXT record, despite that I've even
re-edited it per what I found online.
(Running 9.10.3.dfs in Debian Stable.) There doesn't seem to be a clue
as to what's going on at this point, so I'm a bit lost. Help?

-Dennis Carr

Increasing Internal security

Hi All
We had an auditor do an internal pentest for our network. The result for our Postfix box was (my words): although your SMTP server prevents relay in some circumstances, it still allows email from an empty domain. I am aware that the empty domain <> is needed for bounce messages. Is there a way to prevent an initial email out from an empty domain but still allow Postfix to use it internally for bounce messages?

Thanks and Regards

GEO IP based restrictions?

Has anyone implemented geo based restrictions for postfix login connections, or is this something that needs to be done in dovecot?

I was thinking someway to add most of Asia and Eastern Europe to postscreen checks would be useful?

AWS timeout

Hello list,

Bit of a weird one here. I have hosts at AWS sending mail across a
Checkpoint VPN to my main private relay server (it basically serves to relay
mail to O365 for in house applications). The problem is that the sending
client never receives BYE from server after QUIT. The mail goes through and
is delivered ok. This is bad because our timeout is 300s and if you have
anything more than a small amount of mail to send, your connections waiting
to timeout build up at the client and cause problems with applications.

milter_header_checks don't forward the message to filter


The header is detected but it doesn't seem to forward the message to
the filter:

May 12 20:40:01 submitter1 postfix-y31/cleanup[32460]: 1B29DD5F7E66:
milter-header-filter: header X-Spam: Yes from[]; from=< ... at gmail dot com>
to=< ... at gmail dot com> proto=ESMTP helo=<>:

Any ideas?

Problem with logging


mail_version = 2.10.1

I have a serious problem with logging of postfix via rsyslog on one of my servers
on CentOS 7.

All I see in the log is

May 12 12:41:39 nimmini1 postfix/qmgr[19227]: E16FE20EA7: from=<a. ... at nimmini dot de>, size=2141, nrcpt=1 (queue active)
May 12 12:41:40 nimmini1 postfix/qmgr[19227]: E16FE20EA7: removed
May 12 12:44:33 nimmini1 postfix/qmgr[19227]: 067DE20F8B: from=< ... at nimmini dot de>, size=1562, nrcpt=1 (queue active)
May 12 12:44:46 nimmini1 postfix/qmgr[19227]: 067DE20F8B: removed
May 12 12:46:07 nimmini1 postgrey[2722]: action=pass, reason=client whitel

header_checks: From header not being changed in mail between local users

This is more a curiosity than a real need, but I was wondering why I can't
modify the "From" header when sending mails between local users.

It works perfectly when sending mail out (smtp_header_checks).
"sender_canonical_maps" with "local_header_rewrite_clients =
permit_mynetworks, permit_sasl_authenticated" works (though it only edits
the address, not the 'name' in the From)

Just in case something was interfering I reused the same file as with
smtp_header_checks and removed other options.
# postconf 'smtp_header_checks = ' 'sender_canonical_maps = '
'virtual_alias_maps = ' 'local_header_rew

Support for Proxy Protocol V2?

Hi curious if there are any plans for support for the proxy protocol v2?

mysql write support patch updated to 3.4.5

I have updated Stefan Jakobs' patch (see ;m=128714800025241) to apply to
postfix 3.4.5.

Trying to understand smtpd_recipient_restrictions order


I was under the impression, that smtpd_recipient_restrictions and other
restriction configuration items were being processed top to bottom.

I am running postfix 3.2.2 and as far as I can see my postfix is showing a
different behavior.

I have the following items in my config:

smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/
check_recipient_access proxy:mysql:/etc/postfix/

include full original message in bounce

Hi List,

searching the manual pages, the Internet and the postfix-users archives
gave me no answer to my question, so I post it here.

We have an application that sends out emails with attachments. These
attachments contain specific data not contained in the email body
accompanying the attachment.

Additional debug information in log file.

Recently I had to switch the IP address of my postfix server from to

After changing the IP address at the server level and rebooting, I am now seeing the following in the logs.

Virtual Mailbox Delivery with mixed address classes.


I am trying to wrap my head around the different address classes and how
to combine that with the virtual mailbox delivery system.

I currently have a mailserver that serves as final destination for a
domain, say which is configured as mydestination.

I have users on that domain ( ... at example dot com) which are getting mail
delivered via lmtp configured under mailbox_transport to a dovecot server.

There are some virtual users that have mailroutes such as ... at example dot net
-> user.



From what I have read, smtputf8 is enabled by default to 'yes' in
postfix version greater than 3.

I also read through the Postfix documentation, that just because it's
supported by Postfix, there are many subsystems (like Dovecot) that do

I wouldn't have even given it much thought, until today, some emails
(from one sender) were getting bounced back. If I read the logs
correctly, the emails were accepted by postfix, forwarded to Dovecot,
where they were rejected.

Blacklistd interaction

I am struggling to find some info about how postfix collaborates with
blacklistd but can't seem to find much. I assume this is only login
based so far (works REALLY great BTW). Besides the false logins, the
question I have is if it is possible to use blacklistd with postscreen
also (I assume it has no interaction???) and if there are any plans to
expand support up to that point.


External command delivery in alias file


I'm struggling with external command delivery in a simple /etc/aliases file:


The email bounces with <|/usr/local/bin/deliver_scan. ... at antipoul dot fr>
(expanded from < ... at antipoul dot fr>): unknown user:

I enabled verbosity in trivial-rewrite and cleanup, and it seems that
cleanup does the lookup in the /etc/aliases file, and after that, it
appends $my_origin.

I experienced this behavior with either an authenticated client or an
external sender.

And, of course, commands should be allowed:

# postconf -f | grep 'allow'

tlsproxy without port-220 tests?


does it make sense to run tlsproxy when post-220 tests are not run?

limiting content_filter concurrency (ask for advice)


I use amavisd-new as content filter on a few mailservers.

amavisfeed unix - - n - 5 lmtp

servers have different number of CPUs and I'd like to avoid overloading them
with too many mails being checked in parallel.

I can limit those by configuring "maxproc" in or
amavisfeed_destination_concurrency_limit in

Any recommendations for using either one?

gmail using sasl auth? (Non postfix question)

I hope you guys don't mind me asking here about a non Postfix issue.

I find this in the logs of our mail relay server.

Pix workaround should be (partially?) disabled when DANE is in use


Postfix by default enables the pix workaround for a server after a message
has been queued for more than 500s.

<a href="" title=""></a>

The 500 second threshold is (probably) only triggered when the server greeting
in the SMTP Dialog is replaced by stars, which is still done (by default) by
newer Cisco ASAs, that at least support ESMTP and in the case we ran into this
also let the STARTTLS pass properly.

Link for experimental postfix-3.5-20190418


is this the right link for the latest experimental release? I can't seem
to get it to work.

Sporadic, repeated connections from aws

I've had the following in my fqrdns.pcre checks for quite awhile:

/^ec2(-[12]?[0-9]{1,2}){4}\.compute-[0-9]\.amazonaws\.com$/ REJECT Generic - Please relay via ISP (

And I have noticed that I frequently get a series of 50 or more connection attempts from some aws server out there in a burst (50+ connections in a few minutes).

Fine, everything is working as it should with my settings, the connection is dropped right away (although the REJECT is not logged).

Am I right in blocking these connections?

postfix and MTA-STS


one way to implement MTA-STS in postfix is a server that generates responses
that smtp_tls_policy_maps can consume.

unable to find user

I am using postfix => spamass-milter => SpamAssassin and I get occasional errors like these.

spamd: handle_user (userdir) unable to find user: 'virtualuser'

For example, if I have a virtual user "john" who redirects to the local user jsmith, I get that error with the username of "john" while mail to jsmith goes through fine.

Is it possible to send the user name to the milter after virtual maps have been applied?

Inserting a Text inside body message


I would like to know if Postfix can insert a text inside the body of a
message before sending it.

I have done my research in this forum and the closest post I have seen
similar to my problem is this
but it was 10 years old post so maybe now there are much more relevant
in my searching for the solution the relevant answer that I found is using
content filter or using milter application (which I don't know a thing
because I only heard and search postfix for 2 days) I found mimedefang which
is milter applicati

How "safe" is reject_unknown_helo_hostname?

I have been looking at the configuration parameter
"reject_unknown_helo_hostname", with a view to using it to resist spam.

I know it is reasonably safe to reject an incoming email on an invalid or
non-fqdn HELO hostname, but *UNKNOWN?*

I don't receive a sufficient corpus of email to make a reasoned judgment.

Your comments would be appreciated.

Allen C

Route unknown user to new domain

Hello. I'm using postfix + dovecot for my domain, but I want
that any missing local users change the mail to and go
to my relay host. I have configured luser in postfix but when I send a
mail to an unknown user it is not working. I'm using LDA with dovecot.

Sent from my Samsung Galaxy smartphone.

sieve commands


Am trying to setup some server side rules using sieve.

It seems to work for junk/spamassassin.

My question is, using the fileinto command...and I want to send it into
a subdirectory, would I use a . or a /?

fileinto: "admin.postfix";


fileinto: "admin/postfix";

assuming there is a folder in my mailbox named admin, and
subdirectories within it.


postscreen pregreet still testing dnsbl

will it not make sense to not drop dnsbl rbl when it's a pregreet ip that
is dropped?

I see postfix doing rbl test even for pregreet users trying, is this
just using cache results?

Apr 21 11:21:10 localhost postfix/postscreen[27441]: CONNECT from
[]:53055 to []:25
Apr 21 11:21:10 localhost postfix/dnsblog[27442]: addr
listed by domain as
Apr 21 11:21:10 localhost postfix/dnsblog[27442]: addr
listed by domain as
Apr 21 11:21:10 localhost postfix/postscreen[27441]: PREGREET 16 afte

Testing new server

I've setup a new server - and it *was* working fine...but then I enabled
a few more settings... I was attempting to make happy
(and I'm glad I did - it exposed some stupid mistakes on my part).

I'm able to send without issue and receive from most other servers. But
in particular, Google & Outlook seem unable to connect via TLS. It
looks like the initial handshakes are fine...but then nothing happens.

If anyone wants to test - please try sending to the address "pubtest at".

Thank you.

unknown tls certificate problem: EVP_MD_size:message digest is null


I am using a letsencrypt tls cert and whenever I receive email, I get
the following error. Is this a problem with my certificate? Or with
the configuration or something??

postfix/smtpd[526]: warning: TLS library problem:
error:060A209F:digital envelope routines:EVP_MD_size:message digest is

I have tried to search google for this error, but I haven't been able
to find anything. Can anybody explain it or knows what it means?
