Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Postfix as backup MX

I've been running my own Postfix (Dovecot, MySQL, Rspamd) server thanks
to these instructions for more than
a year without any issues.

I'm using a paid service (Mail Reflector) to handle the times my server
is down or (initially) to get my mail server up and running.

I'd like to set up another server as a backup and while there are some "How
To" out there, they seem to be 'ignoring' spam and/or security issues.

Could I just use the same approach I used when setting up my current
server with the exception of the following:


Suggestions for less spam


I would like some suggestions on how to get less spam, I will paste my
configuration at the end of the mail.

Maybe somebody with a nice setup could post his/her setup?

As you can see, I am experimenting with reject_unknown_client_hostname.
What's your opinion about that setting?

I've never used greylisting.

multi-instance postfix with opendkim

I have 2 multi-instance postfix on one server. if for each instance it will
be different. For example:

for the instance1 the main:

for the instance2 the main:

For this I need to make a few configuration files /etc/opendkim.conf or do
different SOCKET = "inet: 8891 @ localhost" in /etc/default/opendkim or
something else? Or are there any guides for multi-instance postfix with
opendkim? thanks.

postfix multi-instances use the same port 25

I have two instances on one postfix server. The two instances each have their own IP
and domain setting. The default instance is "postfix". The second instance is
"postfix1" created by using command "postmulti -I post1 -G outgoing -e

Error 46 with TLS


I have a problem with my postfix server, I can't connect with TLS, I have
this error:

Sep 21 10:40:32 jolly postfix/smtpd[23341]: warning: TLS library
problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert
certificate unknown:../ssl/record/rec_layer_s3.c:1536:SSL alert number 46:

Connection works fine without TLS.

I use a let's encrypt certificate. My server is a debian Buster

Thanks for help


trouble with multiple-instance postfix and dovecot

I recently had trouble with building a multi-instance postfix. The target
environment is a multi-IP server. I need to install the dovecot feature on
the multi-instance postfix, but now I only know how to use the default ip
address to authenticate with smtp, but I don't know how to add smtp
authentication to new instances.
Is there any guides of multiple-instance postfix with dovecot?
After searching for a huge amount of data, I still can't solve it. Can you
help me? thanks.

Suggestions for submission protection

I have what seems to be a reasonably stable and functional filter
protecting my port 25 SMTP interface to the outside world. However, most
filters (including postscreen) state they are not intended for use
between MUAs and the MTA. Therefore my 587 submission port does not have
additional filters beyond TLS & SASL AUTH.

I'm seeing some higher levels of attempted logins from various sources.
Are there any automated filters that are suggested? Or do I simply add a
check_client_a_access and reference a manually maintained blacklist?

Still getting strange 550 error..

I get this for several accounts/servers (note I've masked the host and ip):

host[ip.ip.ip.ip] said: 550
Access denied - Invalid HELO name (See RFC2821 (in reply to MAIL
FROM command)


transport map from ldap

Hi All.

I would like the transport_maps to be driven from an ldap lookup
but I am unsure of the format it should be returning

I have the following config

and my /etc/postfix/ looks like this

This returns the output when doing a postmap vq

but is that correct for a transport_map

why still host its email on Verizon Yahoo


Though this is a little OT, I was curious: since Verizon bought
Yahoo a long time ago, why does ATT still host its customer email accounts on
the Yahoo platform? We know ATT and Verizon are commercial competitors.

Thanks for any comments.

Refuse mail from hosts with closed port 25


How can I refuse mail from hosts who don't have an open port 25?

What do you think from such a check?

Is there more needed? E.g. a list of exceptions for some big providers?

I've investigated why somebody did not receive mail from a virtual
machine, and I found out her provider ( refuses all mail from
a host that does not have port 25 open. I have many problems with spam
and I would like to reduce it.

4xx when host not found


I'm running postfix with spamassassin as a relay (before-queue). The host is
connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA: to=<info@>,
relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4, status=bounced
(Host or domain name not found.

4xx if host not found


I'm running postfix with spamassassin as a relay (before-queue). The
host is connected via OpenVPN. If the tunnel is down mails bounce:

Sep 16 06:08:09 h2786452 postfix-in/smtp[12937]: 194853E04AA:
to=<info@>, relay=none, delay=0.01, delays=0.01/0/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found.

Relay Though MTA

Hi All,

I have had a request in that is making my head hurt thinking of all the
moving parts, so i am asking for advice on the best way of doing the

We have domain, with MX records pointing to gsuite, domain is

I have now been asked to add to add to our internal mail systems (
zimbra, which uses postfix) that also hosts our other and )

All external mail (i.e. leaving the company) goes from zimbra to a MTA
postfix relay in which we have a transport map the routes and to

lmtp deliver issues


Being in the process of trying to upgrade an old postfix 2 (with a
postfix 1) configuration to postfix 3, using compatibility_level = 3, I
am having a bit a hard time getting lmtp up and running.

The logs read:

postfix/local[2856]: warning: connect #1 to subsystem private/lmpt: No
such file or directory

This error bears two riddles: First, the file
$queue_directory/private/lmpt does exist as a socket, with
postfix:postfix ownership.

However, there is nothing listening on the other side of the socket,
because, riddle no.

Change status code for "Host not found"


I'm running postfix as a relay connected via VPN. If the VPN is down
mails are rejected:

relay=none, delay=0.09, delays=0.06/0.02/0.01/0, dsn=5.4.4,
status=bounced (Host or domain name not found. Name service error for
name=EXCHANGE01 type=AAAA: Host not found)

Is there a way to change the dsn to 4xx and deliver it when the VPN is
up again?

Thank you!

Mail forwarding through a relay


I have a postfix-3.2.6 system that acts as a mail server and pop/imap using
dovecot for a small domain.

policyd v1 HRP (helo random db)

I don't know if it makes sense to add this to postscreen testing?

Will it be too expensive testing it and tracking it?

EHLO restrictions and address literals


I have a question regarding restrictions I can place on EHLO in the smtpd_helo_restrictions parameter.

I have a Postfix server that is Internet facing. I periodically receive e-mail where the other MTA sends a EHLO of an address literal.

Postfix, Amavis and DKIM body hashes

For quite some time, I have used OpenDKIM and lately dkimpy-milter to
sign messages entering Postfix via port 587:

# /etc/postfix/
submission inet n - n - - smtpd
  -o smtpd_milters=unix:/run/dkimpy-milter/socket
  -o content_filter=amavis:localhost:10124
amavis unix - - n - 2 smtp
  -o smtp_send_xforward_command=yes

It turns out that messages containing German umlauts (or other symbols
causing Thunderbird to use "Content-Type: text/plain; charset=utf-8")
result in Google MXs reporting the following:

ARC-Authentication-Results: i=1;;

Warning mail to sender when sending to hotmail

Hi there

We have our servers IPs at OVH IP address-space and from time to time,
when we send emails to a small, particular set of very-well-known
domains owned by one very large corporation, there are periods where our
customer's emails go, by default, to the SPAM folder no-matter-what.
Under those periods I'm thinking of activating the sending of a
complimentary warning to the sender to let the recipient know they
should check the SPAM folder and brief guidelines to add them to the
list of safe senders.

What should be the best approach to accomplish this?



message_size_limit, queue_minfree, and mail spool not on root directory

My mail spool is not on my root directory:

data_directory = /mnt/xvdb/var/lib/postfix
mail_spool_directory = /mnt/xvdb/var/spool/mail
queue_directory = /mnt/xvdb/var/spool/postfix
virtual_mailbox_base = /mnt/xvdb/var/spool/mail

However, it seems that the capacity of my root mount has some bearing
on the evaluation of Postfix's message_size_limit and queue_minfree. I
am getting "insufficient system storage" errors despite having enough
space in /mnt/xvdb. I have much less space available on /.

I found some relevant functions in Postfix: fsspace() and

Question regarding DNSBL behaviour


I have a question regarding DNSBL usage with the smtpd_client_restrictions parameter.

I have a server configured to check SpamHaus:
. . .
smtpd_client_restrictions = reject_rbl_client[2..11],
. . .

This has been working very well, although I noticed the following error in my syslog:

Sep 7 16:13:08 server postfix/smtpd[28363]: warning: RBL lookup error: Host or domain name not found.


Hello Postfix team,

Can you add support?

"When using the SASL SCRAM mechanism, the SCRAM-SHA-256-PLUS variant SHOULD be preferred over the SCRAM-SHA-256 variant, and SHA-256 variants [RFC7677] SHOULD be preferred over SHA-1 variants [RFC5802]".

Can you add support for?
-- since 2015-11-02
-- since 2019-06-21:

I add SC

Change smtps to submissions in

Hi there,

currently the IANA assigned 465/tcp to urd and submissions and dropped support for smtps
thus I suggest to change smtps to submissions in the default

I checked Linux Distributions I have access to:
- Arch Linux uses submissions
- Scientific Linux 7.6 uses smtps (alias)
- Ubuntu 16.04.6, 18.04.3 uses smtps,ssmtp (alias)
- Ubuntu 19.04 uses submissions and ssmtp,smtps (alias)


Can postfix/pipe run external programs under a random UID?


One of the arguments of pipe(8) is "user=" that instructs it to run an
external program under the specified user. For example, the following snippet will
run faxmail(1) under the user faxmail:
fax unix - n n - 1 pipe
  flags= user=faxmail argv=/usr/bin/faxmail -d -n ${user}

Is it possible to have postfix select user at random from some list of
preallocated UIDs/usernames? (I'm looking for ways to isolate different
instances of the same command)


tlsproxy failed / flooded log


today I enabled smtp_tls_connection_reuse on some production server.
after approx.

issues with MTA's timestamp


I found if peer MTA's timestamp is too much different from my end, the
messages may not be displayed.

for example, when you try to sign up to apache projects' mailing list,
like one of this page:

The response message's (for user to confirm) timestamp is 12 hours ahead
of me.

Thus some email servers won't display the response messages correctly
(even no response messages appear in the inbox).

At least GMX's mail servers have this issue, as well as anyone
can test for it.

Can you give some suggestion?


username specification for email system


Is there the username specification for email system?
It seems most special characters like ".", "-", "+", "_", "#", "$" are
permitted in the username part.
And even ... at domain dot com is right (like my sender account).
So I was confused.


deal with google mailboxes


As a mailing list server, how does postfix deal with google's mailbox

For example, all mailboxes below are indeed the same one:

... at gmail dot com
user. ... at gmail dot com
username+ ... at gmail dot com
... at googlemail dot com

Can list server know them and treat them as just one?


Make postfix reject 8bit (non ASCII) 'mail from' address

Dear List

We use Postfix / Dovecot on our email platform.

Lately I have started seeing more and more emails being accepted by
postfix, but then rejected by the local delivery agent dovecot with:

500 5.5.2 Invalid command
syntax (in reply to MAIL FROM command)

Looking at the headers, I see that the envelope sender contains 8 bit
characters, AFAIK against valid RFC. Example:

<Aloï ... at netfacilprovedor dot>

We use Postfix 3 but have NOT enabled SMTPUTF8 support.

maildir unread msg count: client .vs server


This isn't really a postfix specific issue, but I'm hoping someone here has the answer.

I'm trying to monitor per user unread msg count in a server side maildir based mail store.

I can see that the tmp/ and new/ dirs stay empty, so I tried to count unread emails with:

ls -1 /home/vmail/domain/user/.maildir/cur/ | grep ':2,$' | wc -l

Thus counting the number of filenames that end with :2, having no other flags appended.

However this is giving me a count that is less than the number of unread mail messages shown in the IMAP client (thunderbird).

Could anyone say why the server side

Problem with /etc/aliases

I have problem with postfix, which ignore /etc/aliases file.

My postfix configuration file is

Postfix MX resolving issue on a chrooted setup


I’ve been trying to setup postfix 3.4.6 ( <> package) with dovecot, mailscanner and the mailwatch frontend on a centos 7 (cloudlinux 7.6) server.
Everything appears to work properly except that, when I set up smtp and lmtp as chrooted and try to send mail, a curious name resolution error happens. The exact error is as follows:

unable to look up host Device or resource busy

This is particularly strange considering that to identify the MX of my domain, it was able to read its zone.

about MTA's 4xx response code

I know postfix returns 4xx Response Code for Temporarily Deferred, as below:

[Status: Error, Address: < ... at chinabuckets dot com>, ResponseCode 421, 4.7.0
Temporarily Deferred]

Message will be retried for 4 more day(s)

I don't like that every MTA returns this 4xx code; that would delay the
incoming messages a lot.

What do you think of this? Should the RFC reconsider and disable the 4xx code?


Webmin and DKIM

Good day everyone. Quick question and please forgive me if this is
redundant. I have a Postfix server running on CentOS7 and I use Webmin to
manage it. Is there a way for me to set up and configure DKIM using Webmin?
I have been searching Google and the only thing I could find was something
back from 2009 which says that it was not possible. Ten years later.. I'm
hoping that it is. Can someone please let me know if this is possible and
perhaps point me at the instructions? Thanks in advance.

postfix not resolving mDNS lookups (make it work in a LAN-without-internet)



Few days ago I thought it would be a great idea to send emails to others
in the same LAN (each participant having their own postfix server) and
without reaching Internet. Applications of this is: a dynamic during a
conference, a workshop, emergency situation (where Internet or
centralized server in the LAN is not working), etc.

In my first attempt I thought mDNS [1] is very fine for this, to make it
work in debian you have to install avahi-daemon [2].

Adding DKIM and DMARC

When adding DMARC and DKIM do I only need to add it to the domain that is hosting the mail server (MX)?

For example, if is defined as the MX for and, do I need to add the DMARC/DKIM records to’s DNS as well?

Segmentation fault in xsasl_dovecot_server.c

Dear List

while implementing the Dovecot SASL protocol in a custom server I
noticed that the `smtpd` process crashes with a segmentation fault if a
specific protocol error occurs.

To reproduce I downloaded Postfix 3.4.6 and compiled it with:

make makefiles CCARGS='-DUSE_SASL_AUTH \

After `make install` I added the following configuration options to

smtpd_sasl_type = dovecot
smtpd_sasl_path = inet:localhost:2525
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $mydomain

and enabled `submi

ldap lookups timing out?

I am seeing a lot of Temporary lookup failure errors in the maillog. At first I thought it was an issue related to reverse DNS lookups as each of the sending servers had no reverse record in DNS (this is an internal only relay).
But when I added verbose logging, it appears to be related to LDAP lookups.

Most commonly, I get these errors:

warning: dict_ldap_connect: Unable to bind to server ldap:....

But also receive these:

maps_find: relay_recipient_maps: ... at mydomain dot com: search aborted

I can't find an exact solution for this in my searches.

server configuration error with non-ASCII records in passwd


I have upgraded debian 8 (postfix 2.11) to debian 9 (postfix 3.1) on a

Now, whenever user who has utf-8 character in /etc/passwd as part of their
username, has to receive mail, postfix outputs:

451 4.3.5 Server configuration error

there are many users who have utf-8 characters in their fullnames there.

changing smtputf8_autodetect_classes to all didn't seem to help.

What to configure (and how) to avoid this error?

I have LANG variable set to "C" because other values tend to change sorting

postfix with JMAP


will postfix get JMAP compatible in future?

Default connection limiting?

I have a group of users behind a single WAN using my Postfix submission
service. Sometimes they can't connect but I don't know why. I thought
it's because Postfix has a default connection maximum from a single IP
source, is this true?

* What is error/fail message in logs which I could find to verify I have
that problem?

* What is relevant postconf setting I will have read more about?

Thank you!

Sorry for non-list post

They just send to UDP 53 and quit. What I want to do is deny the packet
in my router, but always allow the important IP(s).

email not accepted

Mindspring/Earthlink isn't accepting email from at least 2 Postfix
configs on Linux. It's worked well in the past, but quit working a few
days ago.

The log says their server timed out waiting for data after responding to
HELO. Traceroute shows a routing loop at their network.

I tried from a friend's place, and it went through. He uses Qmail on a
BSD. When he tried by hand with telnet. He got all the way through, and
the server accepted the mail for delivery, then said it'd timed out.

I wrote an expect script expecting 250s in the right places.

postfix with AWS S3


Does postfix have a plugin that can be integrated with AWS's S3 as object
storage? Coz for a large email service, the local disks are too limited.

thanks & regards,

What's with all the "l*.it" connections?


Kinda OT - as long as I didn't screw something up!

I'm just about ready to pull the trigger on moving our old Communigate mail system to a new, self-installed Postfix system.

It's been running in test for just a couple of users for a few weeks now and looks really good!

I got postscreen set up out in front. It's been doing its thing. LOTS of bad connections rejected.

I'm curious about one group though.

build failure with glibc-2.30

glibc-2.30 removed RES_INSECURE1, RES_INSECURE2 and RES_USE_INET6
symbols[1] resulting in:

dns_str_resflags.c:55:13: warning: RES_AAONLY is deprecated
| ^~~~~~~~~~~~~~~~~
dns_str_resflags.c:57:13: warning: RES_PRIMARY is deprecated
| ^~~~~~~~~~~~~~~~~~~
dns_str_resflags.c:63:22: error: ‘RES_INSECURE1’ undeclared here (not in a function); did you mean ‘RES_RECURSE’?
| ^~~~~~~~~~~~~

default outgoing encoding


if MUA lacks to set encoding, where for postfix to setup the default
content encoding (for example, utf8) for outgoing messages?


postfix milter body chunk length


I was wondering why the transfer of a 100mb mail to my milter
application was slow, i found the bottleneck in the body chunk transfer.

The maximum packet length seems to be fixed to 64k, it would be great if
we could make that configurable in postfix (uint32 is possible).

best regards,

Matthias Schneider

Postfix for three domains on one host

I want to use my single VPS for three distinct domains. Simple for
webservers. I would also want to be able to send and receive email on
the three domains using Postfix. I understand there is postfix-multi.
Everything I have read so far uses separate IP addresses for this
scenario. Most VPS providers are loath to assign more than one or at
most two IPV4 address to a VPS, due to the global shortage. I have been
unable to get three at Linode.

Not just subdomains, but quite distinct ones.

SSL communication between MTAs


My MTA (postfix) has both 25 (non-SSL) and 465 (SSL) ports enabled.

How to enforce the peer MTA send messages only to 465 port for better
secure communication?

Can I just shutdown port 25?


Worthy of a warning?

Are logs like the following really worthy of a warning log level?

postfix/submit/smtpd[84385]: warning: hostname does not resolve to address hostname nor servname provided, or not known
postfix/smtps/smtpd[96068]: warning: hostname does not resolve to address hostname nor servname provided, or not known

Looking for actual problems I have to sift through thousands of these (well, I simply grep -v resolve, but still…

postfix 2.6.6 "stuck queue"

Hey guys, I just took over some postfix gateways (my primary MTA is exim,
so getting used to a few differences), and ran into an issue that I'm not
quite sure how to solve. Unfortunately using an old postfix version
(2.6.6), I do want to get that upgraded and up to date but won't be able to
do that in the near future due to other business priorities at the moment.
Anyway, I'm seeing mail sit in the active queue (picked up by qmgr, but
not sent to smtp) for 20-40 mins.

Domain cannot be found?

Aug 14 09:25:41 mail postfix/smtpd[44179]: NOQUEUE: reject: RCPT from unknown[]: 550 5.7.25 Client host rejected: cannot find your hostname, []; from=<*munged*@*mybak*> to=< ... at covisp dot net> proto=ESMTP helo=<>

Sender IP reverse lookup rejected


One of our users reported a rejected email with the error code and message

Remote-MTA: dns;
Diagnostic-Code: smtp; 550 Sender IP reverse lookup rejected

We handle several domains with different outgoing smtp settings at
multiple mail gateways:

# /etc/postfix/
wignersmtp unix - - y - - smtp
  -o smtp_bind_address=
  -o smtp_bind_address6=2001:738:5001::56
  -o syslog_name=postfix-wigner-smtp

# /etc/postfix/
default_transport = kfkismtp

CAfile problem with OpenSSL-1.1.1c


I recently upgraded my systems to have full openssl-1.1.1c support. After upgrading my mail-server, I realized that I had problems with trusting server certificates. I checked that the server still uses /etc/ssl/certs/ca-certificates.crt, but for some reason Postfix can not work with this file anymore.
