Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

Policy-based aliases

Dear Community,

I need Policy-based aliases - the aliases that would be different for
different sender/recipient pairs.

For example if ... at somedomain dot com writes to ... at mydomain dot com, the
recipient address will expand to ... at mydomain dot com and ... at mydomain dot com.

But if ... at otherdomain dot com writes to ... at mydomain dot com, the
recipient address will expand to ... at mydomain dot com and ... at mydomain dot com.

Is it possible in Postfix?

Deny rcpt alert notification


I have an idea to avoid sending spam from my server, Is it possible to
create a blocking rule so that when it is sent to a recipient, the mail
is discarded and an alert arrives via email?

My question is because I have represented cases where the computer is
infected with virus to my client and send spam from the email account.


Duplicate mails in mailq / always_bcc

Hi list,

I am experiencing an issue with my postfix setup.

The desired results:
We use an appliance that archives all mails (incoming and outgoing) - due to laws that have been enforced here in Germany.
The documentation of the appliance states, that the should be updated with the following lines, which has been done

In addition to that, in the transport_maps the IP and domain name of the appliance needs to be listed, which - again - has been done
bcc-domain.local smtp:[192.168.N.NN]:1025


Regarding ciphers


I did struggle a lot to understand and deploy a secure cipher list that
and would not complain on, so
I came up with this:

smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3

Kill off one user's active sessions


We have a few scripts in place to handle (outgoing) spam outbreaks.

This works well, but we struggle a bit with one scenario where the
username and password are in the wild, and the spammer connects to the
email server and sends multiple emails through the same connection.

Because even if we lock the account, the session is still active so they
can spam until the connection is terminated.

The same scenario occurs if a botnet has set up multiple connections,
but the server is laggy or whatever so they've authenticated, but
haven't gotten to the "DATA" part of the SMTP dialogue yet (BTW:

Rejecting mail from a domain to specific user

Is it possible to reject a mail from a specific domain to a specific user?

Obviously, there are other ways to deal with this, but I have a case where I’d prefer to reject the mail before it is received but I do not want to block the domain for other users.

Need clarification about Content-Type on email


I need some clarification about Content-Type on an email.

Who does fix the Content-Type of an email?
The mail client?

Postfix TLS crash on MacOS 10.13 (High Sierra)


I recently upgraded a Mac server to 10.13 (High Sierra). This server
has been running for about 5 years and hosts Postfix. After upgrading the
OS I upgraded:
1. dovecot to
2. openssl to 1.1.0g
3. pcre to 8.41
4. postfix to 3.2.4

Everything appears to compile and work except TLS on Postfix. It crashes
with the same error
every few minutes.

Rewrite the To: header?

Is there a feature I can use to rewrite the To: header, of "virtual
alias domain" mail, with the result of the following lookup, *after*
smtpd_milters are applied?

SELECT ' ... at example dot com' FROM my_table WHERE sender = '%s'

Or do I need to use a milter of my own for this?

recipient_canonical_maps and recipient_canonical_classes seem pretty
close! I can exclude the From: header and the envelope_recipient from
being rewritten, but they're applied *before* smtpd_milters.

Backup mx relay got rejected due to SPF


I just built a postfix mail server( with PostfixAdmin,
SPF and DKIM.,etc. It works very well. Now I try to use the new built
server as the backup mail server of another server (,
so I add a backup domain in PostfixAdmin and setup DNS accordingly.
Later there is an email came with destination to ... at othermx dot com, the
relay attempt got rejected at because of SPF.

So what is the solution here? Should I add the to's SPF record and make it trust it?

Postfix now in Slackware-current

Slackware Linux has switched to the Postfix MTA as its default MTA as
of an update to the development version today.

"Default MTA" in Slackware terms means "the only MTA". Sendmail
8.15.2 has been moved out of the main distro into "extra" packages,
and a new libmilter package has been created therefrom, for Postfix
milter support.

Postfix has been available in the user build script
repository for many years, but there were a few issues with that
package for me.

always_bcc on outgoing mail

I have always_bcc set on my postfix-3.1.4 system on fedora25 and it's
working fine for incoming email, but not outgoing.

Outgoing mail is sent via submission.

Mail Routing Question

I have a domain, say: for which I receive mail. Currently I have A records in DNS for and as well as a MX record for All three of them point to the same IP address which is where postfix is running. There is a political issue with the A record for and it "needs" to be changed to elsewhere. I somehow seem to recall that there are some MTAs that do not use the MX records, but only check the A records. Will changing the A record for cause the loss of some incoming mail?

-- Doug

postmap db

Hello list,

When e.g. I have an access file with:

domain.tld reject
baduser@ reject

Postfix will reject " ... at domain dot tld" and " ... at anydomain dot anytld".

When I want to test these db's using "postmap -q", postmap only tests
the "real" entries in the database. Is there a *simple CLI* way to test
the db like Postfix does? I mean a simpler tool than "swaks" that I use
now to test the db's.


OCSP stapling

Hi all,

I'd like to ask your view about OCSP Stapling in postfix.
Do you think that it adds value for certificate revocation without overcomplicating the code and slowing down the performance
(assuming that the stapling process and OCSP caching would be handled outside the scope of postfix)

Is it something that will be in the roadmap?

Many thanks,

Nik Kostaras

Is it compulsory for an outgoing smtp server to have FQDN.


My postfix server was rejecting emails from the following server. I
think it is because I am using "reject_unknown_helo_hostname".

Nov 15 13:20:13 mail postfix/smtpd[14663]: NOQUEUE: reject: RCPT from
unknown[]: 450 4.7.1 <>: Helo
command rejected: Host not found; from=<fromname@fromdomain>
to=<toname@todomain> proto=ESMTP helo=<>

From the helo, I can see

Header-Name: capitalization

I'm working on a milter that checks for certain headers. The RFCs specify
header names with specific capitalization. For example: "Message-ID". I
don't see anything in the RFCs that indicates that alternate capitalization
should be accepted, such as "Message-Id". But perhaps I missed it.

So, I wonder: is it safe to match ONLY on the exact capitalization specified
in the RFCs, or should header name matching be done in a case-insensitive



check_recipient_a_access DISCARD leads to 451 4.3.5 Server configuration error


As described in the subject, I tried to implement the new feature
I have encountered a strange error or maybe a bug.

The following settings result in a correct action followed by a "4.3.5
Server configuration error" response.
smtpd_recipient_restrictions =

# cat /etc/postfix/lookup/recipient_a_access DISCARD

# maillog
Nov 14 10:53:54 fallback postfix/smtpd[7187]: NOQUEUE: discard:

dns lookup problem


I am getting a dns lookup problem when I move a postfix server inside a docker container (the sole purpose of this internal server to deliver mail for the virtual addresses).

Finding why outbound mail is delayed

Running postfix-3.2.4 here on Slackware-14.2. I am a professional services
sole practitioner, not a professional system or network admin.

After several years having outbound mail forwarded through my ISP's mail
server I changed ISPs and now have a static IP address. The other recent change
here is replacing the old Netgear FVS318 router with a Ubiquiti EdgeRouter-X
fast enough to take advantage of the 15/5Mbps speeds of my fiber connection.

Since the end of last week I find many messages delayed 1-2 days; several
hundred are listed in logwatch's daily report.

Any plans to support setting ESMTP arguments with milter?


I would like to add DSN parameters to e-mails with milter.

If I set these with smfi_chgfrom and smfi_addrcpt_par, I get:
warning: 3ybBmq5Wxvz43: cleanup_chg_from: ignoring ESMTP arguments
"ret=hdrs envid=qid"

I've read and it misled me,
because I thought only 2.6 has these limitations, but checking
cleanup_milter.c it seems 3.2 does the same.

Is this hard to do in the postfix mailflow and are there any plans to
remove this limitation from milter?


Question about postscreen_cache.db


I have an admittedly basic question, but I have been trying to troubleshoot this for a while with no success.

I have enabled postscreen(8) on Postfix 3.1 and receive a warning in mail.log:

“close database /var/spool/postfix/var/lib/postscreen_cache.db: No such file or directory (possible Berkeley DB bug)”

A quick Google of this returns that this is caused on Debian systems that run Postfix in a jail (which matches my system).

Mac Server 5.4 Mail Service TLS Error

Mac Mini, 10.13 High Sierra running Mac Server 5.4. From a Mac client,
specifying "Use TLS/SSL" in SMTP settings works just fine when sending out

Postscreen: whitelist domain

I have postscreen setup according to the how-to. I use the following
configuration for the access list. As I understand it, I can only add IP
addresses or ranges to this list. Is it possible to whitelist the domain
name in the from address?

postscreen_access_list = permit_mynetworks,

Helo rejected


My user doesn't receive mail from a real sender because our mail server
rejects the Helo command:

NOQUEUE: reject: RCPT from[]: 450 4.7.1
<NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not found; from=< ... at xxx dot xxx.xx> to=< ... at xxx dot xxx.xx> proto=ESMTP
Nov 8 17:55:46 genio postfix/smtpd[3667]: disconnect from[] ehlo=1 mail=1
rcpt=0/1 rset=1 quit=1 commands=4/5

Is there a way to receive these mails?


Virtual mailbox domains vs relay domains

Hey all,

I've been reading the tutorial on and it uses the
variable 'virtual_mailbox_domains' to list all the domains
Postfix/Dovecot needs to receive emails for. Of course this also means
you need to change the 'virtual_transport' setting to use
LMTP/dovecot-lda to deliver the email to Dovecot - instead of using
'virtual' to store the email on your local drive.

Prioritize header checks

Hi list

I have a content filter running in prequeue mode to which postfix talks
via smtpd_proxy_filter.
Runs fine, but ;-) it seems to me that postfix header checks are
evaluated after the msg has been processed by the content filter.

Is it somehow possible to tell postfix to run those checks **before**
msg is passed to the content filter?



Wrong mysql syntax

I try to setup a debian/Mysql/Postfix/dovecot server
Here is the error I got in mail.log.

guidance on data persistence?


When moving postfix to docker, I run into the issue that when the
containers go away postfix queued mail will get lost unless I made an
effort to persist on the host.

A naive attempt to simply map an empty folder on the host as
`/var/spool/postfix` on the container does not work, because postfix
expects some empty folders there.

My first question is that given a postfix installation, is there a command
I can run to initialize the directory tree to be saved on a persisted
volume which is to be mounted in the container?

There may be a way to pre-create this folder structure on the host

PCRE on Received Header


I would like to re-write the Received header on some messages being
sent using ESMTPSA through my mail server.

Server with postfix, exim, clamav, spamassassin....amavis is recommended??


I use this scenario

exim ==> relay to ==> postfix

clamav ==> antivirus

spamassassin ==> antispam

Is using amavis recommended??

Does it bring benefits?



iOS Connection Problems


We’re running Postfix 2.11.1 and have been having ongoing intermittent problems with iOS devices connecting to the SMTP service, or so it seems. Sometimes, iOS devices don’t even seem to connect at all and they have to be restarted in order to connect. This is intermittent on some devices. Some devices don’t seem to have any problems, one in particular has it constantly. E.g. we have a newer iPhone with the latest iOS and it’s constantly needing to be restarted in order to send mail.

bounce notify class

I want to turn off the bounce error class to reduce clutter in my
postmaster mailbox, but don't want to miss something important.

The bounce error class is defined as: 'Send the
postmaster copies of the headers of bounced mail, and send transcripts of
SMTP sessions when Postfix rejects mail.'

I understand the second of these (and receive many of them, which I don't
want) but not the first (and don't seem to receive any).

What are 'copies of the headers of bounced mail' - would this be mail that
has been bounced by Postfix (not int

Question about message_drop_headers and DKIM


I have a question regarding the message_drop_headers configuration parameter.

The man page states that it:

“[specifies] names of message headers that the cleanup(8) daemon will
remove after applying header_checks(5) and *BEFORE* invoking Milter

Checking man 8 cleanup I note this relates to:

“...inbound mail...inserting into incoming mail queue...”

On the smtpd(8) server process, I have OpenDKIM configured to run as a Milter.

Removal or obfuscation of mail_name


I was reading about the mail_name parameter in

I was wondering (and I know the gains would be minor given that this falls into security through obscurity), is there anything to gain by either removing this or specifying something false ?

Is there any third-party servers or tools in the e-mail ecosystem that would depend on this being “Postfix” ?


- J

it's working as i want??

Hi to all.
I have two servers, in one Zimbra and in another Postfix.

I want that zimbra use that postfix to send and receive.

block domains with all variants of tld


We need to block some incoming emails from certain domains.
How to write rules to block a domain with all its variants of tld?
If we want to block the example domain we write the rules like this REJECT REJECT REJECT

How to write one rule to express all tlds? something like

exemple*.** REJECT



Proper way to deliver email messages to gmail


could someone tell, in his opinion, which would be the right way to
deliver remote messages to gmail? Looking at this [1] URL looks like
the only way available is through port 25. If i wanted my Postfix to
communicate through 465 or 587 it would need a user/pass but it looks
weird to me. I mean, should an MTA really need an account for each
other MTA where to deliver email messages? Of course not.

smtp-sink on ipv4 and ipv6?


postfix usually listen on both protocols if contain "inet_protocols = all" and myhostname is setup properly.
May I expect that also for smtp-sink?

$ host has address has IPv6 address 2001:db8::25

$ smtp-sink &

now I've only a listener on 2001:db8::25 but not on, but I would like smtp-sink listen on ipv4 AND ipv6.
is that possible?


ldap query and custom error response - broken

Hi -

I have postfix configured to deliver emails based on custom LDAP queries. One of these queries issues a custom error response.

If an email is received from an upstream server and in the initial lookup, the custom error response is generated, the custom error response is returned properly.

Emails are not passed to Amavis after redirection by header check

I have an issue with the postfix configuration. Amavis is configured and
running fine when emails are received directly to clients but when an email
is forwarded by a header check rule, the mail is send straight to the
alternative email mailbox without having the email scanned by Amavis.

Does anyone have a clue?

Conditional sender rewrite based on recipient address


I'm running Postfix 2.9.6 and I'm trying to do a conditional sender
rewrite based on recipient address.

Question about relay_domains parameter


I currently have my server configured to perform virtual domain hosting. It forwards mail addressed to addresses for my virtual domain (ex:, to Gmail accounts.

Mail —> ... at example dot com —> ... at gmail dot com

I was reading more about the relay_domains parameter in “man 5 postconf”. It states:

“[specifies] destination domains (and subdomains thereof) this system
will relay mail *TO*”

I note that on Postfix 3.0 and later (my server is Postfix 3.1.0), this value defaults to an empty value.

greeted me with my own hostname (mail for loops back to myself)

Hi to all.
Please help......
I'm going crazy (I try a lot of things and nothing). I can send mails but I
can't receive.

This is the design:

local network
(zimbra ( --------- (postfix (
in different machines (yes, I know that zimbra has postfix, but I want to
configure postfix on a different machine), so I don't have users on the postfix
machine to receive mails.

How to financially support Postfix project?

Dear Postfix folks,

Looking at the Postfix Web site [1], I couldn’t find any information if
Postfix needs financial support to ensure the maintenance and
improvement of the code.

As the background, a lot of public organizations use Postfix in their
infrastructure, and, as for example with OpenSSL, they do not pay
anything for it, but they expect that it is maintained and improved.
This is a fatal attitude in my opinion. Additionally, the administrators
normally do not need training or support, as a lot of them are quite
capable, and know their way around Postfix.

bounce_template_file with content type HTML

How can I specify the content of bounce messages as HTML in

Relay access denied

I'm having trouble configuring postfix.

Restricting From:


tl;dr: Is there really no way in postfix to restrict what "From" headers
a user may specify?

For outgoing mail, we would like to restrict the "From" header to match
the address users SASL authenticate with, or is configured as an alias
in their account. We have setup smtpd_sender_login_maps to use a SQL map
and configured smtpd_sender_restrictions to have the configuration
option reject_authenticated_sender_login_mismatch before
permit_sasl_authenticated. This works as expected.

However the problem is that the envelope "From" is being restricted, not
the header "From".

Eliminating backscatter


One of my mail servers (Postfix 3.1.0), is configured to perform virtual domain hosting. It forwards mail to the virtual domain to mailboxes of users on Gmail.

I can see in my mail log that spam with forged origin addresses sometimes comes into my server that is addressed to virtual domain addresses. My server rejects some of this spam and then generates a non-delivery e-mail to the origin address of the spam.


(Apologies if this is a duplicate post. I sent the first one before I
confirmed my list membership and I don't see it in the online archives so I
am assuming it wasn't sent)

Hi postfix-users. I am the author of the swaks SMTP tool. A user pointed
out to me recently that swaks, postfix, xclient, and starttls don't play
well together.

If a user requests both STARTTLS and XCLIENT, swaks attempts XCLIENT

Question about default_destination_concurrency_limit


I had a question regarding the parameter “default_destination_concurrency_limit”. The man page (man 5 postconf), states it is: “The default maximal number of parallel deliveries to the same destination.” and that this applies to the smtp(8) delivery agent.

This got me wondering . . . how would one adjust this parameter ? I am thinking it is only through benchmarking trial and error, as a number of factors would seem to affect this (server load, bandwidth, etc.).

directing logs to remote syslog with any local syslog instance

I had successfully used postfix for years and now I am trying to recreate
postfix clusters in docker and in particular interested in how I can direct
all postfix logs from a container to other places.

I do not find in postfix configuration how one can achieve this without any
local syslog daemon.

Question about logging mismatched DNS in submission server

Lately it looks like some zombie bot farm is connecting to submission
(and looks to do nothing except connect), causing many of these in the

Oct 28 06:15:35 mail postfix/smtpd[12941]: warning: hostname x.y.z does
not resolve to address Name or service not known

For submission service where clients often connect from dynamic IP
address ranges, maybe seeing these is not important - just noise, so I
am curious about why postfix is logging this. Does this mean client is
somehow attempting to send before (without) doing any AUTH?

Recipient address rejected: User unknown in local recipient table

Hello everyone.
I have configured a zimbra and a postfix different pc.

MacOS High Sierra (10.13) and Postfix relaying

Hi all,

I use postfix to relay e-mail to a Google Account, which has been working
flawlessly up until now.
I'm running out of options here.

Try dane and still got "Untrusted TLS connection..."


I am trying to setup dane on my mail server. But I never seen a
"Verified TLS connection..." in the log. I always got:
Oct 26 13:52:23 cac postfix/smtp[18165]: Untrusted TLS connection
established to[]:25: TLSv1.2
with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

My system is Postfix 3.2.3 on Centos 7.4
# postconf -d | grep mail_version
mail_version = 3.2.3
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtp_tls_loglevel = 1

DNSSEC has been setup and added TLSA record.

Minimum postfix

Hello everyone.
We have contracted a mail service and we want to make some changes.
The idea is to install zimbra on a local server of ours and that zimbra take
the mails of the postfix of the contracted service.
To test, we are installing a postfix locally on another server.
(ie zimbra and postfix are installed on different servers and will be
published accessible to the internet with different ip to simulate the
scenario we want).
I wanted to ask if you can give me a hand with the postfix configuration.
For now this is my file

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

relayhost GMAIL submission (port 587)

I have read several guides from the internet including the ones from
postfix forums. It would appear that several people have configured
their postfix environments to use GMAIL as a relayhost and to use port
587 for communication.

Currently my relay host is setup for my ISP's email server which I
presume is going to port 25.
