Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

sender_dependent_relayhost_maps problem

Dear all,

I am confronted with a problem in a mail-cluster of internal, external,
and a 3rd party postfix setup.

For simplicity I’ll reduce the setup to:

MX-I (internal mail relay, user authentication, .., also LMTP delivery)
MX-E (external mail relay, incoming/outgoing)
MX-3 (3rd party mail setup)

The setup itself has been running fine like this for years; the cluster
uses external (LDAP) lookups for mail routing and delivery.

Now a user needed to authenticate outgoing email to MX-3.

documentation dead link


May I allude the dead link <a href="" title=""></a>
<a href="" title=""></a> and others.

Have a good afternoon!


smtpd - high memory usage


I have a hobby server that does a little bit of everything, including
1) receiving email via Postfix as a backup MX,
2) receiving ~70k IPv6 routes via BGP.

The problem I'm having is that when all ~70k routes are loaded into
the kernel (Linux), this somehow causes high memory usage in Postfix
"smtpd" processes -- as soon as the first client connects, I get a
smtpd process that's around ~130 MB (compared to the more usual ~13 MB
when BGP is down).

Possible inconsistencies in the parsing of lookup table names and other oddities

Hello to everyone.

I've been trying to write a small parser to parse Postfix lookup table
calls for a piece of code I am developing.

I have taken a look at the source code and then resorted to postmap -q
invocations to empirically test the descriptions at
<a href="" title=""></a> .

I am writing since testing out possible table values for the inline table
has left me a bit stumped, since the results I get do no seem to match the
description I read.
Or, at least in a few cases, the description seems to mislead about what's
actually accepted.

Firstly, I haven't found around

Postfix+cyrus imap integration with active directory

Dear Experts

Currently I am using Postfix+cyrus imap with openldap as authentication

Is it possible to use Active Directory as authentication backend for postfix
and cyrus ?

Can I manage users mailboxes in Active directory ?

Bilal Ahmad

Network Administrator

LMTP Relayhost


is it possible to configure a LMTP only server as relayhost= in postfix?

I'd like to relay all mails to my local lmtp server

Best Regards,


Building new mail server

My existing mail server is running Centos 4 (yes, VERY old -- which is a
testament as to the continuing quality of Postfix), with port 25 exposed
to the whole wide world. Everything else is restricted by an IPTABLES
firewall and TCPwrapper. I was going to wait for CentOS 8 to be
released and get some run time by early adopters, but my poor mail
server is starting to show signs of wearing out and I may have to pull
the trigger sooner.

My question for the user community is this: any gotchas in bringing up
Postfix on Centos 7.6.1810 from the Red Hat distribution?

Question respecting the headers?

I am sure that the message associated with the header extract
reproduced below is fraudulent.

Installation and configuration problem Postfix / Dovecot Debian Buster


I am trying to install and configure Postifx / Dovecot on Debian Buster.
Note that the following procedure I used for the last time on a 8.6 and that
it worked very well.
I have no idea of the blockage and what has changed since.
I searched several days but I could not find my answer.

Here are my configuration files:




here is the following error:

In the file /etc/dovecot/dovecot.conf
I added :

But I still have some mistakes that I do not understand:

If I do a telnet:

I've done a lot of research in r

Sending to multiple recipients fails entirely if any of the RCPT is rejected (unknown domain)

The closest thread I could find for this is almost 10 years old:
<a href="" title=""></a>
that thread, my Postfix is somehow not handling the email properly as the
rejection done early on seems to result in setting the From to null / <> for
all other emails.I could reproduce every time I am sending an email to a
list of contacts containing 1 invalid address (bad domain).Main email
providers respond differently to it: - Googlemail blocks it and shouts
that "this message is not RFC 5322 compliant." - Mic

Migrating from Virtual domains to Postmulti setup


I have been using Postfix with Dovecot (lmtp/imaps) for a few years now for
5 domains with the virtual domains setup and self-signed certificates using
OpenSSL 1.0.x For spam/virus protection I use Postscreen, Spamassassin and
Clamav; I also use py-spfpolicyd, OpenDmarc, OpenDkim and Clamav.

Now I wish to move onto a postmulti setup with separate instances for
incoming, outgoing, and a null-client per domain. So that would mean 15
instances of Postfix in total under postmulti.

Postfix upgrade, possible issue


I would to upgrade our mail server from Debian 9 to 10. The postfix
version on Debian 9 is 3.1.12 while on Debian 10 will be 3.4.5. Can I
encounter issue during the upgrade? Are there incompatible
configuration options between the two versions?



I have setup

but if I send an email with MUTT emai client or with 'echo "test" |
mail' <a href="mailto: ... at email dot de"> ... at email dot de</a> I get as email source

<a href="mailto: ... at mail dot"> ... at mail dot</a> (the name of the mailserver).

For testing I have added the to the mydestination and the mx
entry is set up right.

I am wondering why the source email adresse is still not
' ... at mydomain dot de' but instead ' ... at mail dot'?


encoding issue with header_checks Windows-1252


header_checks = regexp:/etc/postfix/headerstring
/^Subject: .*\[cleartext\].*/ FILTER cleartext:

And now, there is the following mail-Subject, that did not trigger the
above FILTER and i dont see why:


Any ideas?


Basic kind of question

I inherited a pair of postfix servers configured by someone else and I
think I've been a manager too long as I can't figure this one out because
I'm too rusty with postfix.
2 identical postfix servers that only accept mail from mynetworks (other
local servers in its /16) with various From domains that are NOT mydomain
which direct deliver to the recipients wherever they are in the world.
That all works fine. What doesn't work fine is if the recipient is *@ which IS mydomain to which delivery is not local, but the same

Postfix 3.4.5, openssl 1.1.x, and TLS 1.3?


I'm wanting to ensure my postfix configuration will work with TLS 1.3.
Any suggestions/howtos?


precedence and deny all


does rules like

smtpd_client_restrictions = permit_mynetworks

include a 'deny all' at the end? Or should I if it should have an effect
write something like

smtpd_client_restrictions = permit_mynetworks, recect


Queue lifetime


If I have configured a maximum queue lifetime of 2 days and during a major
outage 2000 mails accumulate in the deferred queue, what happens to these
2000 mails if I increase the queue lifetime to 5 days and reload Postfix?
Does the new lifetime only apply to new mails or also to existing mails in
the queue?

Duplicate mail servers again

Is there an easy way for postfix receiving incoming mail
on servier1 to simply mail a copy to an identical server2 for a duplicate
spool, or is that ridiculous.

Purpose is simply to have an emergency incoming spool that noone
ever looks at on a duplicate mail machine in case one dies totally.


SPF failure

I have mail from one specific domain (handled by Google) being rejected
by pypolicyd-spf because of an apparent DNS lookup problem — 'SPF
Permanent Error: Too many DNS lookups' — but it is not obvious to me
what the problem is, unless it's something to do with having five MX
forwarders to look up. Only this one domain seems to be affected. I
can SEND mail to them, but not RECEIVE mail from them.

postfix smtp auth with active directory

Hi ,

Is there any document for postfix smtp auth with active directory.
I have followed below document .
<a href="" title=""></a>

I am getting authentication failure while authenticating and logs says as below.

saslauthd[942406]: GSSAPI Error: Unspecified GSS failure.

postfix error in spf


I've got a postfix virtual domain setup in a freebsd jail. A separate
jail holds the webmail server. This is version 3.4.5 of Postfix. I've
got spf, and am trying to send out a test email.

Sending bounce notification via a relayhost


I’d like to configure postfix to send bounce notification via another host :

i’ve tried to setup something like this :

-> smtp_header_checks = regexp:/etc/postfix/header_checks

in /etc/postfix/header_checks

but i have this log :
Jul 11 15:46:00 test-GL postfix/smtp[9049]: warning: unsupported command in smtp_header_checks map: FILTER

I’ve also tried sender_dependent_relayhost_maps, it didn’t work.

is there any way to send bounce notification via a relay ?

Thanks in advan

Spoofing Emails to My Own Domain

Dear Experts,

I am facing a problem that someone is spoofing my domain address and sending
emails to my own domain users.

I have set valid SPF, DKIM, DMARC for my Mail server. How can I sort this
problem with postfix to stop this spoofing ?

If I filter emails based on SPF this also block many legitimate email with
spf not set properly.

Bilal Ahmad

Network Administrator

How in blazes is this still getting through?

header_checks = pcre:/etc/postfix/smtp_header_checks


/^X-Clacks-Overhead:/ IGNORE
/^Content-Transfer-Encoding:/i PREPEND X-Clacks-Overhead: GNU Terry
Pratchett, Iain M.

how to use per-recipient table

sorry for stupid me. I have read the document
<a href="" title=""></a>

and I understand " you can't specify a lookup table on the
right-hand side of a Postfix access table. This is because Postfix
needs to open lookup tables ahead of time"

now I want to restrict users who can send to " ... at example dot com" belongs to:

3. smtp-auth users

how can I config it? I lost in configuration parameters.
thanks a lot for hint!!

Ownership question

Currently running 3.4.5 on Slackware-14.2. After each upgrade I run 'postfix
set-permissions upgrade-configuration' then adjust ownerships as needed.

When I upgraded to 3.4.5 last weekend I found that when /var/spool/postfix
has of root.postfix the server would not start.

private/tlsmgr: No such file or directory

I've tried searching the internetz to no avail.

Bascially I'm setting up a secondary server.  Configs and SSL certs are all in place.

This is the error I'm seeing:

postfix/smtp[10175]: warning: connect to private/tlsmgr: No such file or directory                                        
postfix/smtp[10175]: warning: connect to private/tlsmgr: No such file or directory                                        
postfix/smtp[10175]:warning: problem talking to server private/tlsmgr: No such file or directory
postfix/smtp[10175]: warning: no entropy for TLS key generation: disabling TLS support


untrusted tls connection to google


I'm running postfix 3.4.5 and email sending/receiving is working. I am
however noticing an message:

Jul 2 14:59:44 mail postfix/smtp[14345]: Untrusted TLS connection
established to[]:25: TLSv1.3
with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256

I've googled and i've checked for the options smtpd_tls_CApath and
smtp_tls_CApath both of which are blank. My tls configuration is using
letsencrypt-generated certificates.

Is there a fix for this?


Multiple NIC Problem

I am occasionally using a VPN connection and while that connection is
up, postfix uses the wrong NIC to try to send email. When there is no
VPN connection, postfix uses the primary NIC named enp0s25. At the same
time there is another NIC named virbr0 created an used for VirtualBox.
In any case when the VPN is connected, the NIC is tun0 but instead of
using that or the primary NIC, postfix tries to use virbr0. How do I
configure postfix to use tun0, if it is up, otherwise enp0s25? TIA.

custom mail forwarder/relay program?

I need a way for Postfix to listen to SMTP (think smarthost) and then re-send all emails via HTTP POST operation. Is the correct way to tackle this (aside from telling them to go to hell) a transport definition using Pipe(8)? I've never done this before and it doesn't appear to be a very common scenario. Otherwise I could write a small Perl program that is launched via inetd, that would do the same even though it wouldn't be very efficient.

postfix p0f milter


I hope this isn't to off topic, but hopefully someone will have more
information on this than I do.

I've got a postfix with virtual mail users system going. I'm needing
to tighten my antispam setup.I'm wanting to integrate p0f in to my
system, and am hoping there's a milter out there that will do it. My
goal is I've got postfix going on port 25 for incoming connections, so
I'm wanting the milter to passively scan that port and only if a
client makes a successful connection, i.e. is able to deliver mail,
p0f kicks off and scans the tcp/ip connection.



im quite new to postfix and have a question about a scenario I would
like to achieve.

I would like to accomplish the following:

1. User A has an email account like <a href=""></a> at an standard
E-Mail Provider
1. He is either not able or willing to setup/use exchange or some
other mail server to accomplish the given scenario!
2. He is not able or willing to use some "Auto-BCC" Function (which
Outlook only gets through a Plugin) because of mobile use with
smartphone/tablet or E-Mail Programms that dont offer this function!

warning: hostname does not resolve to address

I'd appreciate you help with the following:

I'm looking after two server on 2 differents domains.

Delays in receiving mail

This is a small server with a few users that are all local. There are several domain names that point to this server, but all of them are just aliases for the main name. Received mail stops at the rcpt to: line. There is no OK that occurs until shortly after 3 minutes from that line being received. During that time ktrace shows multiple calls and sleeps for proxymap. After the 3+ minute delay, it issues the OK and then they rest proceeds normally. I suspect this is a configuration error since this server was just updated to 3.3.4 from an earlier version.

Duplicate spamd lines in Postfix log file


I hope someone can help with what is not a problem as such, but a query.

Duplicate spamd entries in log file - I think


I hope someone can help with what is not a problem as such, but a query. In
every Spamassassin (spamd) exchange there appears to be two lines that are
*almost* identicle.

It's the util: setuid lines. As stated, all is well, but can someone tell me
why this is the case, and if there is an actual problem?

Many thanks


NDR when failed to forward mail to external address, now blacklisted on backscatterer

Hello all,

A shared hosting web server of a customer (running a Postfix with local
e-mail addresses and mailboxes) was blacklisted on backscatterer. The
relevant information from the backscatterer page pointed me to a moment in
time and I was able to check the logs from that given moment (+- 2mins).
I read through some backscatterer descriptions I found and verified that
Postfix does not send NDR for non-existing addresses/mailboxes.

But this scenario is slightly different.
An e-mail was sent to destination e-mail address on that shared hosting

How to validate alias/map files?

Hey all,

I'm using procedurally-generated alias files from a database, and
distributing them with puppet, and would like to have postalias check the
files for duplicate entries and/or other errors before I install them.
I'd like to use the same program used to install the DB, rather than
hacking a validator together with perl or something.

As an example, an empty left-hand


would be an error I want to catch. I want to catch duplicate items, as

Rejecting mail based on a Milter results

The spamass-milter is not rejecting mail that scores above the number set in the -r flag for the milter (confirmed by other people this is a bug in spamass-milter).

Is there something I can do in postfix to reject mails that the Milter logs like:

spamd: result: Y 18

Where “18” is a something I set like “>=10”?

Seems a long shot, but it is unlikely anyone is working on spamass-milter at this point.

mbox format?

Apparently, and much to my surprise, there is more than one mbox format.

I just now stumbled across this, because I am going to be (re-)writing
some small tools I have that do useful things with mail messages stored
in "mbox format":

<a href="" title=""></a>

In the above Wikipedia page, four different flavors of "mbox format"
are described: mboxo, mboxrd, mboxcl, and mboxcl2.

When Postfix hands a message to something... say a script invoked via
some ~/.forward file... which one of these four formats will the message
be in?

Postfix SMTP client: dealing with multiline EHLO response?

Hi all, first post on the list and I've spent some time searching the docs
for an answer.

One of my list members has his own SMTP server. He's configured it to return
a large multiline response to the initial EHLO from a client. Apparently
when my Postfix installation connects to him, it sits idly after the multiline
response and never goes on to issue further SMTP commands.

Is there a configuration setting that I've overlooked to allow the Postfix
client to deal with this situation? I'm running version 3.3.0 on Ubuntu server.

Many thanks for your suggestions, Warren

The Prefix Whois milter, with Postfix On FreeBSD?


Has anyone got the Prefix Whois milter going with Postfix on a FreeBSD
system? I'm having compilation difficulties. If anyone has this going
please let me know.


best practice lookup table perormance - non hashed file


we're publishing lookup tables through our control git repo but hashing all
tables before commiting them to git is cumbersome. What do you recommend?

several postfix servers are getting same lookup table from central

we're using it this ways:

smtpd_sender_restrictions = check_sender_access

mail-addy or domain OK

with 600 entries so far.

I'm aware of <a href="" title=""></a>

but none of them look simple. we like it plain and simple.

Receiving mail from a host without a valid rDNS

I have a mail host that I want to receive mail from that dies not have a valid rDNS (it recently moved and their ISP is comcast and it seems to be taking a stupidly long time). Anyway, I first tried this:

check_sender_access pcre:$config_directory/sender_access.pcre

/ OK

This did not work.

Smptd intruder


I introduced "smtpd_reject_unlisted_sender=yes" in to avoid
attempts to login to my smtpd.

This morning it looks like an unknown ip-number succeded:

Jun 23 07:38:02 lunar postfix/smtpd[14806]: connect from
Jun 23 07:38:05 lunar amavis[15407]: starting.

dkim updating keys

Friendly Greetings,

I am going to update my email server's Dkim keys for the first time.

I can go to the original install instructions, and figure out how to
update them. What I can't find in that original tutorial is the

1. Do I delete/remove old key and references thereto? Namely, in the

2. Do I just create the new key, and update the key.table, and upload
the txt to my DNS?

3. Do I leave my old key information (including on the DNS) for a
"grace period" of a week or so?

Trying to figure this out with as little disruption as possible.

Thanks in advance.


havedane dns issues

Anybody on this list having contact to the maintainer / webmaster of ?
It's having dns issues when the TLSA record is queried with qname minimization
active (RFC 7186).
This is a bug in the dns server or dnssec signer and should be fixed.
Otherwise false negatives are generated!

See this dnsviz link for a description of what is wrong: <a href="" title=""></a>

- tmolitor

Gave up on my ISP, trying to get GMail to work but get - host[] said: 530-5.5.1 Authentication Required.

In my previous post - "How to tell my ISP there's a problem" I wasn't
able to figure out the problem and CenturyLink is no help so I decided
to use my GMail account to send my messages from cron. However I've run
into a problem that I keep getting the message that's in the subject.
I've pasted the complete output of a test run below:

<a href="" title=""></a>

Here is my

<a href="" title=""></a>

I'm sure I have something just not right but I can't see what it is.

Thanks for any advise


Re: TLS 1.3 on postfix (fixed)

Apologies for multiple emails to this list for the same problem.

Some internet searches got me to the right solution.

One of the other posters was correct; it was a certificate issue. Reissued my cert on my postfix SMTP mail gateways.

All seems to be working now. Gmail defaults to TLS 1.2

I saw some posts that TLS 1.3 still has issues with OpenSSL v1.1.1 and postfix 3.3.x

I am using Ubuntu Linux and the latest postfix which is 3.3.0 unfortunately

Edward Ray

Re: disable TLS 1.3 on postfix (logs enclosed)

Jun 22 10:31:19 mailgate postfix/smtpd[7180]: setting up TLS connection from[]
Jun 22 10:31:19 mailgate postfix/smtpd[7180]:[]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:before SSL initialization
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS read client hello
Jun 22 10:31:19 mailgate postfix/smtpd[7180]: SSL_accept:SSLv3/TLS write server hello

disable TLS 1.3 on postfix

What is the correct procedure to disable TLS 1.3 negotiation on postfix?

Re: Unable to send or receive from Gmail (temp solution)


!TLSv1.3 added to "main.conf" fixed the issue hopefully.

Will work on updating certificate later...

I figured TLS 1.3 might be the culprit from the logs.

Best practices link for postscreen

Does anyone have best practices link for postscreen implementation.

Thank you

Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail.

Greylisting -- current recommendations?

I'm running Postfix 3.1.0 on an Ubuntu 16.04 LTS system.

II'm using Postfix's postscreen filtering, including
(with a large score) as one of my DNSBL sites, but it's not helping in
some cases because the spam sources are not showing up on Spamhaus at
the time I get e-mail from them -- only later on.

I'm wondering if it may be worthwhile for me to enable greylisting in
some form on my server.

Syndicate content