Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

hostnames in postscreen_access_list


I was recently trying to whitelist a client hostname that frequently
changes ip.

From the documentation check_client_access restriction for use with
smtpd allows to specify access table lookups which contains hostnames.

postscreen_access_list does not seem to allow hostnames in lookup tables.

Is my understanding correct? Is there a reason why hostnames should not
be supported in postscreen_access_list lookup tables?



Is this behavior an open relay or not ?

Hi people, suppose my domain is "".

My email users are as this: <a href="mailto: ... at company dot com"> ... at company dot com</a>

Is normal that I can send a mail from <a href="mailto: ... at company dot com"> ... at company dot com</a> to
<a href="mailto: ... at company dot com"> ... at company dot com</a>, from a public IP not belonging to my company?

In my case, I am at home and I execute:

$ telnet 25
mail from: <a href="mailto: ... at company dot com"> ... at company dot com</a>
rcpt to: ... at company dot com

and finally the message arrives to may Inbox.

Because I suppose that the normal behavior is sending mail from local
address just from an internal IP...not from external.

Thanks a lot, regards!!!

DKIM on submission


currently I enable OpenDKIM vi :

# OpenDKIM
smtpd_milters = inet:
non_smtpd_milters = $smtpd_milters
milter_default_action = accept

Since that server is both MX and Submission for the mailbox domain I am
tempted to instead define those parameters via

-o key=value

in for the smtps / submission service.

Is that advisable or is it not a good idea?

I realize it would mean mail sent by the host itself via sendmail
command is not DKIM signed but I'm not really worried about that.

It appears that when e-mail is sent from a user t

cisco pix TLS is required, but was not offere STARTTLS issue

Dear Users,

we trying to deliver mail to remote party with enforced encrcyption.

63FFB80805: TLS is required, but was not offered by host

But looks like, remote device is announcing TLS and can handle it:

# telnet 25
Connected to
Escape character is '^]'.
220 ****************
ehlo test
250-SIZE 52428800
220 Go ahead with TLS

But the minus "-" is missing in STARTTLS correct?

Is there a known workaround available?

Maybe some rewrite-voodoo?

Thank you.

Convert quoted-printable headers


I have a program (SOGo), installed on my mail server, that send emails
using the quoted-printable encoding for From/To headers.

Unfortunately, none of the email clients I use seems to display them

Is there any reason for that ?
is a header missing:

Source of the message:

a lot of spam or something?

I have a lot of line like below in log file:
2FEBF13C3F4 16366 Thu Nov 22 12:28:36 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (in reply to RCPT TO command))
<a href="mailto:www- ... at allegro dot pl">www- ... at allegro dot pl</a>

251AD13C3C6 16391 Thu Nov 22 13:48:10 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (in reply to RCPT TO command))
<a href="mailto:www- ... at allegro dot pl">www- ... at allegro dot pl</a>

2BC6013C3E3 16360 Thu Nov 22 10:58:11 MAILER-DAEMON
(host[] said: 450 4.7.1 : Recipient
address rejected: Ratelimit (i

IP address

Hi all,

We have installed postscreen on our mail servers, with a table lookup to a postgres database. The lookup also records the client details (IP address), and we have a basic Java front end with lookups to maxmind to get location information. The tools allows us to block by CIDR, and monitor connection over time to identify various forms of attacks. It has been an eye opener.

where is the fqdn coming from


I'm using Postfix 3.3.1-1+b1 (Debian testing).

I'm testing out the default for myhostname and am a little confused as to
where it is getting its value.

hostname is being appended to the From name

I'm trying to understand why this is happening and how to prevent it. I
have a relay where if an email is sent to it with just a name in the
Header From, then the server's hostname is added to the end of it. For
example, if I telnet to the server and send an email with "From:Test",
then I'll get an email from ... at hostname dot

spf and dmarc settings

Hello! I have mail-related question. What will happen if I set SPF to "soft
fail" but in DMARC I set "strict" to SPF Identifier Alignment - the "aspf"

A bit stuck compiling Postfix on Mac Mojave.

This is my make script.

make -f Makefile.init dynamicmaps=yes CCARGS='-DHAS_MYSQL -I/usr/local/include/mysql -I/usr/local/include -I/usr/local/include/openssl -I/usr/local/include/gnutls -DUSE_TLS -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -I/Applications/ -DDEF_SERVER_SASL_TYPE=\"dovecot\" -DHAS_PCRE -I/usr/local/include -DEF_COMMAND_DIR=\"/usr/local/sbin\" -DEF_CONGIG_DIR=\"/usr/local/etc/postfix\" -DEF_DAEMON_DIR=\"/usr/local/libexec/postfix\" -DEF_DATA_DIR=\"/var/lib/postfix\" -DEF_MAILQ_PATH=\"/usr/loc

how block specific ip address in Postfix

Hello. I saw in logs that some non existent mailbox from client domain
hosted on google tries send some mail to existing mailbox in this same
domain. Non existent mailbox is used from IP's:
and both are blacklisted.
I need to block these IP addresses in Postfix and also I would like to add
more blacklists to Postfix.

OpenPec Addon domain grabbed

Dear website maintainer,

The domain got grabbed and in my opinion the link on should be changed to
<a href="" title=""></a>

Thank you,

avoid external emails that the from=< and the to=< are the same user

Lately we are receiving spam mails that apparently the mail from the and
the to is the same. How is it possible to avoid this?. I have configured
postfix to avoid the relay of emails and to be able to send mail through
my postfix is necessary the auth , these emails are sent externally from
several ips and seeing the logs of those emails are not authenticated

Este mensaje y todos los archivos adjuntos son confidenciales y de uso exclusivo por parte
de su/sus destinatario/s.

rejecting 'nested' from address ?

a user started getting many spam/malware with like 'nested' from:

<" ... at cinkmedia dot comgeranc">

<" ... at cinkmedia dot">

I'm waiting for a full header from him, can anything be done in Postfix ?
or where ? to reject/block ?


Rejecting based on From is...not rejecting

Heya. Postfix 3.1.8 on Debian Stable.

I'm trying to use /etc/postfix/sender_access to pretty much reject
anything showing as 'From: *' as there's a plethora of spam
coming from that domain - and it's not rejecting. Suffice it to say, I
seem to be doing it wrong.

In sender_access, I have:


...and the reference to this file in is:

smtpd_sender_restrictions =
check_sender_access hash:/etc/postfix/sender_access,

...what'd I miss?

If needed I can stick the files up on a pastebin.

-Dennis Carr

Postscreen usually rejects based on DNSBLs. Good enough? Lower overhead options?

I see countless Postscreen rejections of this type

Nov 14 13:28:58 mx postfix/postscreen[11068]: CONNECT from []:19243 to [#.#.#.#]:25
Nov 14 13:28:58 mx postfix/dnsblog[11069]: addr listed by domain as
Nov 14 13:28:58 mx postfix/dnsblog[11072]: addr listed by domain as
Nov 14 13:28:58 mx postfix/dnsblog[11071]: addr listed by domain as
Nov 14 13:29:04 mx postfix/postscreen[11068]: DNSBL rank 9 for []:19243
Nov 14 13:29:05 mx postfix/postscr

OT: features / test criteria for email filtering/security product

I'm looking at Votiro, Proofpoint & Israel email security products
to reduce spam, emails from bad reputation IP, emails with
malicious attachments & URL.

What are the features/criteria to assess or look out for?

Esp if I'm on O365.

a) can link to SpamHaus, RBL etc to get bad reputation IP?
b) offers CDR, sandboxing?
c) can claw back malicious emails from users' mailbox once
Sandboxing completed analysis that an email or attachmt
is malicious (Proofpoint has one such product)
d) can withstand email blasting (eg: 80000/minute)
e) ... help add on ...

postqueue: warning: unix_trigger: write to public/qmgr: Broken pipe


postfix + postsrsd + clamav + spamassassin + dovecot

Everything seems to work OK. No changes done recently (used to work for
a long long time). No error messages in logs. Some mails are delivered
correctly and immediately. Outgoing mail - OK. The problems are:

1. About 20-50 mails shown by a `mailq'
2. Some mails are delivered veeeeeery sloooowly (I cannot find
differences between "bad" and "good" mails)

Milter header order

I have milter chain opendkim->opendmarc->amavisd-milter for incoming
external mail. Postfix 3.1.0 from Ubuntu 16.04.5.

As I understand, the correct positioning of milter inserted internal headers
would be above postfix's own.

address with illegal extension


We have discovered that our maillog file has numerous occurrences of
this sort of error report:

postfix/local[92211]: warning: A7F5413745E: address with illegal
extension: sysadmin+root/cron/transfers/imanet

This error does not prevent the correct delivery of messages into

Compiler error on 3.3.1. Mac Mojave

It’s almost through the build but failing on this.

Undefined symbols for architecture x86_64:
"_db_create", referenced from:
import-atom in libpostfix-util.dylib
"_db_env_create", referenced from:
import-atom in libpostfix-util.dylib
"_db_version", referenced from:
import-atom in libpostfix-util.dylib
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)
make: *** [master] Error 1
make: *** [update] Error 1
make: *** [update] Error 2

My Make script is this:

make -f Makefile.init dynamicmaps=ye

Error on make of the latest 3.3.1 source at dict_db.c

Hi, I can see what the error message says . But I confess at this moment, I’m at a loss as to how to fix it?
Where is it looking for this db?

-DMACOSX -c dict_db.c
dict_db.c:758:2: error: "Unsupported Berkeley DB version"
#error "Unsupported Berkeley DB version"
1 error generated.
make: *** [dict_db.o] Error 1
make: *** [update] Error 1
make: *** [update] Error 2

How do I turn on logging for postfix on mac

I have been asked how I turn on /var/log/mail.log for postfix on a Mac running Mohave.

I have it running on mine, but it always has - but I can’t remember if I had to do anything special to turn it on.
The person asking has no /var/log/mail.log at all and now I’m curious.


what does it mean?

I have domain deployed on the server with dns zone where
are configured google MX servers like, (and few more). Mailboxes are not on my server, all
email things are deployed on google. Yesterday I saw in log the message:

9FBE713D05F 1564 Tue Nov 6 06:34:55 <a href=""></a>
(host[] said: 421-4.7.0 [
15] Our system has detected that this message is 421-4.7.0 suspicious due
to the nature of the content and/or the links within.

Regenerating DHparams

Is there any recommended schedule for regenerating DHparams for Postfix? I
could not find anything specific about it.

looking for any options to better deal with mail looping

Hi, I have a domain that has MX point to O365 and then O365 relays mail to Postfix server.
Currently, Postfix does a lookup in a MySql table to know where to relay the email to, AFA next hop. If not found in table Postfix looks up MX and relays the email.

I want to know if there is a more graceful way of dealing with mail loops caused by sending to invalid addresses ?


A. TO: ... at test dot<mailto: ... at test dot> -> O365 -> postfix -> relay to destination server [cuz found in table]


Name Service error but resolver is working

On our IMAP service host I am seeing messages in the mailq similar to
the following:

50DFB12B2F7 7501 Tue Nov 6 17:22:42 MAILER-DAEMON
(delivery temporarily suspended: Host or domain name not found. Name
service error for type=MX: Host not found, try

Postfix on the IMAP host is configured to route outgoing mail through
MX31. And mail is flowing in and out of the IMAP system. Most things
are being delivered.

smtpd_delay_reject with rspamd milter

I'm having trouble with access_maps kicking in after an upgrade from a
Postfix 2.something to Postfix 3.1. on Ubuntu 14.06 and using postscreen
and rspamd milter.

After some testing I'm not sure yet, but it looks like the recommended
smtpd_delay_reject = yes in connection with having the access_map checks
listed in the smtpd_recipient_restrictions is the cause of this.

Strange issue

Mail service is working except for delivery to a single host, which is
reporting a strange error:

postfix/smtp[13722]: 629D7A7DF9: to=< ... at kpbsd dot>,
relay=none, delay=1099, delays=1097/0/1.5/0, dsn=4.4.3, status=deferred
(Host or domain name not found.

TLS X.509 certificate hygiene...

I've recently come across an interoperability problem between my
DANE survey scan engine and some STARTTLS implementations on remote
SMTP servers.

RFC 5321 address quoting for policy delegation protocol


Is there a reason why Postfix omits quoting the localpart (when that
would normally be necessary according to RFC 5321) of sender and
recipient addresses passed to a policy delegation service (in this case
Dovecot quota-status)?

So for:

RCPT TO:<"John Doe">

the following line (among others) is sent to the policy service:

recipient=John <a href="mailto: ... at example dot com"> ... at example dot com</a>

Other example:

RCPT TO:<"user@detail">


recipient=user@ ... at example dot com

Summarizing, postfix uses invalid addresses (at least in terms of RFC
5321) when communicating with a policy delegation ser

sender_dependent_relayhost_maps with different credentials for same relayhost


i have:
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth

more /etc/postfix/relayhost_maps []:587 []:587

more /etc/postfix/smtp_auth
[]:587 mydomain:mydomainpass

How can i specify different credentials for same relayhost?

mails from should be relayed through 1und1 but with its own

Thank you.


postfix relay aunthentication error

I have setup Postfix to relay emails to our exchange 2016 server, but get an
error when i try to send:

Nov 5 15:35:00 GC-NAGIOS postfix/smtp[9093]: 3FA883E2A2D:
to=<my. ... at mymail dot>,[]:25,
delay=1100, delays=1095/0.01/5/0, dsn=4.7.3, status=deferred (SASL
authentication failed; server[] said: 535 5.7.3
Authentication unsuccessful)

The username and password are correct so i don't know why it wont
authenticate with the mail server, i have checked it is in the right format
(username:password), i don't know if there is anyth

what does these log lines mean?

I have in mail.log file lines like below:

Nov 5 10:14:31 s1 postfix/smtpd[27320]: NOQUEUE: filter: RCPT from[]: < ... at pomagam dot online>:
Sender address triggers FILTER amavis:[]:10024;
from=< ... at pomagam dot online> to=< ... at skpkrakow dot pl> proto=ESMTP
Nov 5 10:14:31 s1 postfix/smtpd[27320]: NOQUEUE: reject: RCPT from[]: 454 4.7.1
< ... at skpkrakow dot pl>: Relay access denied;
from=< ... at pomagam dot online> to=< ... at skpkrakow dot pl> proto=ESMTP

faking a test message to a milter?

I'm starting to work on writing my own outbound milter for a Postfix instance.

While working on it, I'll want to test with message submissions "to" it.

Is there a good example of manually submitting a robust -- i.e., exactly as from a running, Postfix instance -- message example to a milter?

Without a Postfix instance around, just 'echo' a message to the milter listener?

A better way to do secure SMTP

Maybe better, I do not know. I do not know right place to recommend
this, I hope it is not too out of place here.

Opportunistic TLS is a concept I do not like. DANE fixes the issues for
system admins willing to implement DNSSEC and add a TLSA record but it
seems many are not, so MTA-STS was invented.

MTA-STS has the same flaw as opportunistic TLS.

postfix 2.6.6 configure IPV6 relayhost

I'm trying to configure a GNU server rel 6 to send mail to a remote mail-host.

lost connection after data


Our users try to get e-mail from, but we have error like
below. It seems same IP address with different mx records.

Postscreen newb questions

Hi, i am learning/testing Postscreen on Postfix 2.10.1
I read the man page and need a little help understanding this :

This program should not be used on SMTP ports that receive mail from end-user clients (MUAs). In a typical
deployment, postscreen(8) handles the MX service on TCP port 25, while MUA clients submit mail via the
submission service on TCP port 587 which requires client authentication.

Postscreen blacklist question

As a new user (postfix as well as postscreen) I monitor maillog to get a
feel for how things work.

Today I noticed a site trying to AUTH from unknown (and I happen to know
there is no possibly valid user at that address).

I decided to try out blacklisting:

*postscreen_access.cidr: reject*

Postscreen at once acknowledged the blacklisting but does not (yet?) block:

Oct 31 12:45:00 hermes postfix/postscreen[7300]: CONNECT from
[]:58505 to []:25
Oct 31 12:45:00 hermes postfix/postscreen[7300]: *BLACKLISTED*
Oct 31 12:45:01 herm

how to specify approved senders for recipient?

I want to setup a method by which only senders which are in a defined
list can send a message to a given recipient.

Something like the following (in pseudo code)

accept if sender <allowed_senders> and recipient <protected_mailboxes>

The idea being that each recipient will have their own whitelist, and
only messages from those addresses on the whitelist will be approved. I
get how to generate each list of addresses, what I'm missing is how I
combine them into a accept if statement, if you will. Doable? How?

Thank you,


Multiple delivery of queued message to local alias

Hello all,
For the past week I have been puzzled with the following case .
In local aliases I have defined an alias
alias1: user1, user2, user3
User2 is overquota and messages destined to user2 are deferred.
When a message is sent to alias1 it is delivered to user1 and user3,
deferred for user2 and put in queue with user2 AND alias as recipients !!!

"postqueue -p" looks like this (pseudo anonymized)

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
B09367FF67 475 Fri Oct 26 17:19:13 <a href="mailto: ... at aueb dot gr"> ... at aueb dot gr</a>
(temporary failure.

Puzzling error: Mailbox file "too large"

One of my daughters cannot receive mail because Postfix apparently
thinks her mailbox file is too large:

Oct 28 16:05:31 minbar postfix/local[4960]: 4EF344037B962:
to=< ... at caerllewys dot net>, relay=local, delay=5.6,
delays=5.5/0.01/0/0.01, dsn=5.2.2, status=bounced (cannot update mailbox
/var/spool/mail/valkyrie for user valkyrie. error writing message: File
too large)

The file is only 50MB and contains just under a thousand messages. That
doesn't seem fatally oversized to me.

myorigin isn't appended to local senders

Hello everyone,

first some environment notes: I have a Vagrant VM provided by VirtualBox running Solaris 11.3 and OpenCSW postfix 2.9.4.

Thank you Wietse, supporters and contributors for Postfix

We just noticed once again, that postfix is so well designed in a way, that
often we did not even think of "corner cases" that are already handled by
default in a way, that is in most cases exactly how is should be setup.

Just picking a random setup - relaying mails to external relayhosts by
sender domain but having the option to define individual transport ways.
This is awesome to give the user/administrator a way to do a very fine
grained mail routing.

We're a "small" postfix uers (< 100.000 mails / month) but are very happy
with postfix.

Thank you.


Mailer-Daemon Domain Part


I'm not sure if i got myself confused but here is what I'd like/have to

If an internal user is sending an email and postfix receives a bounce, the
Mailer-daemon should have the hostname as domain part. I know that I can use
$myhostname to set $myorigin for that.

But I'm not sure if that affects anything that postfix may send to external
recipients. (that should continue to use $mydomain).

Thanks for clarification

OT: Sender header vs DKIM

Hi all,

This is offtopic in regards to postfix but I bring it up because of the last
few emails I've sent to the postfix mailing list.

I was originally signing all the headers mentioned in rfc6376 section 5.4,
whether they existed or not and mails to postfix mailing list failed because of
the added List-* headers. I fixed that up so that it will only sign those
headers when they exist.

TLSv1.2 only for auth connection


First of all, I apologize for my bad english.

I use postfix-3.3.1 and openssl-1.0.2.

Actual ssl config : tlsv1.0 minimum is set for smtp and smtpd. tlsv1.2
minimum is set for submission/starttls.

My goal : All auth connections must be done with tlsv1.2 minimum. Others
connections can be done with tlsv1.0 minimum.

If I use tlsv1.2 minimum everywhere, I can't send/receive mail to/from
mail provider still using tlsv1.0 so I had to set tlsv1.0 minimum.

how set postfix server as non-functional

Hi. I heard that having a non-functional server as the primary MX is a
well-known trick to reduce the amount of incoming spam, as most software
used by spammers will only ever try the highest-priority MX. How to do this?

sender_dependent_relayhost_maps failover

Is it possible to configure sender_dependent_relayhost_maps with
failover hosts, probably with priorities?

Enabling TLSv1.2 support in postfix 2.8.2


Currently my mail setup is using TLSv1 to connect to O365. Now that O365
has announced dropping their support for TLSv1, TLSv1.1, how to enable
support for TLSv1.2 in postfix 2.8.2?

My openssl version is OpenSSL 1.0.1e-fips 11 Feb 2013

It should also support TLSv1, TLSv1.1 for older clients/servers but higher
level should always be TLSv1.2

How to achieve this?

I changed the below configs,

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3

But that doesn't work. Still the connection is established using TLSv1.

Thank you.

Selective bounce notice


I am aware of the bounce_notice_recipient option but I only want it to
function for a certain domain. Or, even better, mail that originated
from a particular server.

To explain, we have a number of customers with dedicated servers and all
is channelled through the same Postfix instance. One wants a copy of all
their bounces. The only thing I have to go on is that the mail
originated on their server.

Can anybody think of a way to do this (or something like it)?


Multiple sasl configuration


I am currently managing a server that is used to send emails for multiple domains.

The currently look like this:

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first

# line of that file to be used as the name.  The Debian default

# is /etc/mailname.

#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

biff = no

# appending .domain is the MUA's job.

append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings


Make upgrade doesn't copy new binaries

Hello, I have compiled 3.3.1 from sources with a few extra options, on OpenBSD 6.3.
I run make upgrade because I have an existing installation (from packages) whose configuration I want to keep.
I run make upgrade as root, it prints a lot but no errors as far as I can tell. I have run postfix stop as root prior to the make upgrade command.
The binaries are not replaced, and in the maillog postfix logs 3.3.0 when I start using postfix start.

Any pointers on where to start looking?


How to allow bounces to authenticaded users

I have a rather convoluted multi-instance setup that mostly works to my
liking, with spam-filters, hand-off to mailman, dkim-signing and
whatnot. One problem is that mis-typed outgoing addresses (host part)
from my local, authenticated users end up deferred (450) and not bounced
back to the sender.

Syndicate content