Need Help Configuring Postfix Restrictions

Hi, I have installed postfix 2.11.3 on debian jessie. Everything works fine. I would like to restrict local users to send mails to a particular group email id and allow only a few users with smtpd_restriction_classes, smtpd_recipient_restrictions following this link, which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to set up sasl, postfix 2.7, dovecot 1.29. The following is in mail.log:
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

I noticed this warning now; this user is on a dynamic IP, so I can't add his
IP to an exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit exceeded: 124 from[] for service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit exceeded: 125 from[

Guidelines for headers in original message


What are the general guidelines for headers and their values that are shown
in the original message of an email? I'm particularly interested in the
'Received from: foo by bar'. Do people generally append the actual
servernames along with their IP addresses for all the hops? Or, do they
make the mails come out from a common relay server?

Also, if it's fine to make mails come from a common relay, is it a bad idea
to set $myhostname to foo.relay for all the mails from foo domain, instead
of showing all the hops? I've seen people put this as $myorigin.

gmail blocking 6to4 ipv6 addresses

Does gmail universally block 6to4 addresses, or is there something else I
am doing wrong?

Jun 07 23:32:14 postfix/smtp[19358]: 0695A2409C: to=< ... at gmail dot com>, orig_to=< ... at git dot icu>, relay=[2607:f8b0:400d:c08::1b]:25, delay=1.6, delays=0.12/0.07/0.84/0.56, dsn=5.7.1, status=bounced (host[2607:f8b0:400d:c08::1b] said: 550-5.7.1 [2002:c62e:c6c6::1] Our system has detected that this message does not 550-5.7.1 meet IPv6 sending guidelines regarding PTR records and authentication 550-5.7.1 .

sender_bcc_maps which use reply_to header ?

Hi !

I have a case I want to solve: a mail is sent from ... at example dot com with reply_to defined to ... at example dot com. I want to automatically BCC to ... at example dot com if reply_to is defined to ... at example dot com.

sender_bcc_maps uses the "from" header; I want the same with the reply_to header. It seems this doesn't exist.

What's the best solution to achieve this? Content filter?


local mail submission sendmail fails when loopback is down

Hello all,

TL;DR: `sendmail <address>` fails with `sendmail: fatal: could not find
any active network interfaces` if loopback interface is not up. Is this
expected behaviour?


I know applications can expect the loopback interface to be available.
However, strictly speaking, sendmail when invoked for local mail
submission shouldn't attempt to access the network, all it has to do is
drop the file into the maildrop directory.

reject_sender_login_mismatch exception


I have all users in an LDAP database and store users' aliases, virtuals,
canonicals, forwards etc as attributes. For that purpose using the
'reject_sender_login_mismatch' seems to be a simple and powerful
solution for increasing security and I'm using it. Excluding some e-mail
addresses from this restriction if necessary is not a problem. The
problem is:
I'd like to allow sending mail from some certain hosts as some certain
users without SASL authentication.

Valid examples for mynetworks file

Good day,

I am working on a migration from an IBM Domino SMTP server to Postfix. In Domino we had SMTP_allow documents with IP addresses of systems allowed for sending mails via this server.

Standard IP addresses are fine so I add them like: OK

As far as I understand, are *names* like allowed in the mynetworks file?
So this would be OK : OK

What about wildcards *? Would that also be OK or do I need to translate it into CIDR?

192.168.*.* OK
192.168.50.* OK

Thank you,

not adding message-id


I have an issue with a message-id automatically added when not present.

Postfix mail system:
postfix 25 (content-filter) --> AV 10026 --> postfix 10025

Summary of the problem:
When a message arrives at the postfix mail system, if it is not present, a message-id is added by the second postfix MTA (10025) while "always_add_missing_headers" is set to "no".
Note that this second MTA listens on the loopback interface (see below).

Jun 5 16:51:37 rhel62-agu-fe1 postfix/smtpd[3063]: C51FD40092: client=unknown[]
Jun 5 16:51:46 rhel62-agu-fe1 postfix/cleanup[3067]: C51F


I am trying to track a single email throughout the entire postfix process.
The idea is that when a customer calls us and says that a certain email
never reached them, we can quickly trace the email through the logs and see
that it died due to RBL, virus threshold, etc.

Ideally, I'd like to be able to get or set a unique message ID and then be
able to match that ID in the logfiles to see what the outcome of a specific
email was. Is there a way to trace a single email through everything
postfix does to it?


Question regarding postfix, postfwd and spam


I would like to have some help regarding this issue/scenario:

We have a "central" smtp-relay for (almost) all our servers.

progress with TLS connection reuse

Postfix TLS connection reuse will improve delivery performance,
especially for sites that punish clients that send one message per
connection. This feature is evolving in a 'non-production' Postfix
release, currently postfix-3.4-20180603-nonprod.

Instead of changing how Postfix schedules deliveries, this builds
on the Postfix connection caching infrastructure that already exists
for plaintext connections.

Emails from localhost


I'm seeing a lot of emails coming from a local IP address trying to send messages to non-existing accounts. Sending accounts are valid and even authenticated. They all try to send messages to the domain matching the sending one. For example:

... at example dot org -> ... at example dot org
... at example dot net -> ... at example dot net

and so on. support@* is valid, user@* is not. In logs they are coming
from inet_interfaces address set in

possibilities to release a mail

Hello Together

I ask myself if it is possible to view on the console, with a postfix command, which mails are held back, the status of mail traffic, and so on (not mail.log) for different reasons - blacklisted, spam, or score - and to release this mail to resend a blacklisted mail.

In the meantime I do these steps with ASSP, but I see postfix is so stable that I don't think no possibilities exist. And I don't want to play with 2 or 3 tools if these possibilities exist with Postfix.

Please kindly let me view and understand this aspect; thanks for discussing this possible aspect.



Emails from local users - with no accounts.

I think I've a config issue.

I have some accounts:
... at example dot com
... at example dot com

I have noticed in the logs that spam is getting through as:

* ... at example dot com* sent to -> ... at example dot com

May 27 22:00:05 server amavis[12839]: (12839-13) Passed CLEAN {RelayedInbound}, [] [X.X.X.X] < ... at example dot com> -> < ... at example dot com>, Message-ID: < ... at dcsgaakl01 dot>, mail_id: aUZXib5w4tLp, Hits: -0.028, size: 1675, queued_as: 56B11204D5, 822 ms

* ... at example dot com* shouldn't be able to send to a local user

advice on postscreen setup / exception / dnsbls

I've recently updated Postfix from 2.1, and, enabled postscreen, all's
working well, though, just picked up a false positive:

several users inbound mail blocked with

I have like:

# grep
postscreen_dnsbl_sites =*5,*2,*2,*2,

as this is a server, should I whitelist ? or

smtp_bind_address and inet_interfaces


we have exactly one non-loopback address in inet_interfaces. In this case the address is also used as smtp_bind_address.

can we still configure postfix to send from any address?

...maybe smtp_bind_address= ?

many le ssl certs assigned to postfix

I have a server created based on the Perfect Server tutorial for Ubuntu 16.04. Is it possible to assign to postfix/dovecot as many Let's Encrypt ssl certs as possible?

Same sender, same sasl user

Hello people
I'm trying to set up sender must be the same sasl user authentication, but I don't care where the connection comes from or is going.
I'd like only to prevent fake sender. I've tried 'smtp_sender_dependent_authentication = yes', but I think that is not enough.
Some tip?


problem on a relay server


I am working on a relay server, but it isn't functional.

my is :

but I've these errors in logs:

did I miss something or did I do something wrong?


Patrice G

Log Messages

I am running a mail server that has a few local recipients and a bunch of forwarded recipients for one domain. All is working properly. However, there are some log messages that I find confusing. The server receives many message delivery attempts where the user is not included in the virtual_alias_maps. All but one of them receive log messages like

Recipient address rejected: unverified address

That makes sense. However, one of them receives

Recipient address rejected: User unknown in virtual alias table

I don't see what is different for this particular user.

Question about disabling SSLv2 and SSLv3 and Opportunistic TLS

Hello all

I have opportunistic TLS (offering STARTTLS) configured in my
file. I have been tasked to disable SSLv2 and SSLv3 as well as disable
medium strength ciphers (to use high strength ones instead) in my postfix
server. If I was to add the following to my


will this be enough to disable medium strength ciphers as well as disable
SSLv2/v3? Or will I need more?

Mail being delayed for 5 minutes in active queue before being relayed

Hi there,

I've set up a mail server that should be relaying messages to a different
cluster of Postfix boxes. When I attempt to send a message to the first box,
mail sits in the active queue for 5 minutes before being (successfully)
relayed to the cluster of Postfix boxes, where it is then delivered correctly.
I'm trying to figure out why this is and have it relay immediately (as

*My box I'm attempting to relay FROM is on:

*Here's my (sanitized) postconf -n:*

Thanks for your help.

Problem with virtual_alias_maps and backscatter


I got 2 domains, let's call them and and I want them to share the same mail addresses. So ... at example dot org and ... at example dot com should always reach the same destination.

The mail system consists of 2 MX hosts and a single backend MTA that
forwards all mails to my imap server.

How to setup a mailbox clone

I understand how a MX relay works and how to implement it in postfix, but
what I am looking to do is create a clone of all the mailboxes on our
system to another system. So is one server setup like a MX backup relay and
then there is some switch or option that I don't know or do I just setup
'virtual_alias_maps' in on both systems to save a copy of the email
and forward it to the other?

new strangeness with O365

Hi, wanted to ask if anyone has this issue and how they deal with it?

My work email is on O365 and we just turned ATP and EOP on, so emails with URLs are being rewritten. That is fine, but my issue is with plain text emails from this list.
When they come in I get the rewritten hyperlink in the email instead of the URL that was posted in the email. You are supposed to hover the mouse over the URL and then see the link below.
This big mess below is supposed to just be
http:// www.

postfix 3.3.0 and vda quota patch


it seems that the "postfix vda" patch that brings quota support for virtual maildirs is not updated / not maintained anymore. There is no patch for

I used that patch to create a custom mailserver on ubuntu 10.04 and 14.04, but 18.04 uses postfix 3.3.0 and I'm stuck.

Is there any way to achieve the same result (maildirsize quota and overquota reply) without the vda patch at this point?

Thank you,
Roberto S.

Testing new server

I have an old machine I'm in the process of retiring, and want to test its
replacement. To do so, I'd like to send a copy of all locally-delivered
mail from the old machine to the new one to have it processed there.

Postfix does not authenticate to relayhost


I run two postfix servers. One on my server, which just runs fine and is used to send mail directly. The other one on my local machine, which should relay mail to the other one.

Problem when I send a mail


When I send a mail with roundcube from my computer I find this message in my maillog:

UNKNOWN[]_ is my box IP

My computer is in the same LAN as my mailserver (home network).

I think I have a bad configuration somewhere, postfix or server network.

I take any suggestion.


check rcpt to, from and destination in one session - nested smtpd_restriction_classes?


postfix is configured as a relay server. Other systems relay with postfix. Here I want to allow, for a specific group of hosts, when they use a specific mail from address, only a few specific destination domains. Other hosts should not be bothered.

transport_maps and lookups reason


I have 'transport_maps = mysql:/etc/postfix/' in configuration and want to understand the reason for every db lookup, as I have some actions in the mysql server based on query count. Please explain

When sending a single email these lookups are made:

1. "*"
2. "source@email"
3. "destination@email"
4. "destination@email"

Especially, what directives cause lookups on the "mail from" address, and why is the destination address looked up twice?

I have a single mysql inclusion in configuration.

postfix 3.3.0


OT: Risks & mitigations of allowing an external sender to send to us (with sender 'same domain' as us)

There is an external app server (that is our service provider) that we want
to blast emails to a team/department in our organization (email domain @
but these emails will have the sender to be in same domain as us ie

What are the risks of permitting such bypass (ie disable Norelay) in our
(it's MS Exchange) & if we have to permit it, what mitigations we can put
in place?


Question regarding OpenDKIM milter with Postfix 3.1.0


I apologize for asking a question that is only tangentially related to Postfix, however the OpenDKIM mailing lists do not appear to be accessible.

I am using Postfix 3.1.0 and OpenDKIM 2.10.3.

postfix PTR Lookup internals

Hello everybody!

I see the following *maillog* records when new mail comes to the server

connect from unknown []

But that IP address is a GMail IP and it has a valid PTR-record which points to *
<>* My is here

*resolv.conf* content for Postfix listed below

# Generated by NetworkManager
nameserver [hosting_dns_servers_here]
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed belo

can 554 bounce be made soft, for retries?


is it possible to config the sending postfix to retry the delivery to one specific target mailserver as if it was a soft-bounce? Unfortunately the target very often shows a full mailbox.

May 14 15:26:21 mailrouter postfix/smtp[8044]: [ID 197553] 2B6FC248FC: to=< ... at usersdomain dot tld>,[]:25, delay=1, delays=0.16/0.01/0.52/0.31, dsn=5.2.2, status=bounced (host[] said: 554 5.2.2 Delivery failed: mailbox is full (quota exceeded) (in reply to end of DATA command))

thanks much!

Lookup tables


In the online documentation for access tables, it says:

Subnetworks are matched by repeatedly truncating
the last ".octet" from the remote IPv4 host address
string until a match is found in the access table, or
until further truncation is not possible.

This is supposedly subject only to the restriction that the table is an
indexed file "such as DB or DBM".

I have the following client_access table:
5.188.9 REJECT WebShield Network trying to hack Dovecot 2018-05-10 - test

SASL LOGIN authentication failed

In these log lines, what is "UGFzc3dvcmQ6"?

May 12 07:52:07 mail submit-tls/smtpd[32670]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 17:05:14 mail submit-tls/smtpd[87898]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
May 12 18:21:36 mail submit-tls/smtpd[65165]: warning:[]: SASL LOGIN authentication failed: UGFzc3dvcmQ6

real life reasons not to use reject_unknown_client_hostname

The documentation[1] and several e-mails here mention that
reject_unknown_client_hostname can reject legitimate e-mails.

What exactly are these scenarios? When do they occur in real life? Are
there really legitimate mail servers that don't have a reverse DNS
record that resolves to their IP?

I would like to know so that I can decide whether I should care and
whether I can use this option for my setup.

Toss load-balancer health checks, but BCC everything else (always_bcc, check_sender_access and 'smtpd_delay_reject = yes')

My apologies if I overlooked an answer somewhere, but I checked the docs
and performed a brief search of the archives before asking and didn't
spot the answer.


BCC everything EXCEPT for health check emails generated by our HAProxy

I originally tried following the directions provided by Victor Duchovni
(see link below), but I evidently didn't follow along well enough to
replicate the results.

I seem to have found a combination of settings which accomplishes my
goal and have listed them below.

SpamAssassin score below 5


I am using postfix and running multiple instances. I am using SPF, DKIM and DMARC. However when I test using mail-tester, it shows a SpamAssassin score of -5.2.

Has anyone worked around this problem?

The famous spam filter SpamAssassin. Score: -5.2.
A score below -5 is considered spam.
-0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
This negative score will become positive if the signature is validated. See
immediately below.
0.1 DKIM_VALID Message has at least one valid DKIM or DK signature

DKIM appears twice


Please, I don't understand why my DKIM result appears twice?

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mail;
t=1525915627; bh=o/rYrKxw/+ndhuZDfXCm7/KqiRRQm1XdBuvSJRaf+S8=;

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mail;


verify mail from after authentication


I would like to verify the mail from address after authentication.

I set up LDAP authentication for my users, which works very well.

Ptr DNS and domains


if I want to use several domains on my Postfix server, does every domain need a unique PTR DNS entry to a unique IP, or is it enough to set $myhostname to the main domain?

smtp_helo_name = $myhostname
smtpd_proxy_ehlo = $myhostname




I have got a really strange issue with my transport table:

I use a regexp transport table, which contains about 100 entries.

When sending an email to a specific address: ... at bla dot

I get following error:

postfix/qmgr[12390]: warning: connect to transport
private/???????????????????????????????? smtp: No such file or directory

All other entries from transport table work...

The entry in transport table:

/^.* smtp:[]

Log connection time on smtpd disconnect


I recently had to analyse slow/long held connections on postfix servers. Parsing the logs for connect/disconnect lines can take some time if you have a lot of logs. So I patched the smtpd to log the connection time with the disconnect stats:

May 9 10:30:07 server01 postfix/smtpd[1234]: disconnect from[] ehlo=1 mail=1 rcpt=0/1 commands=2/3

(connection took 13 seconds)

Would this be useful for others too and should it be considered for inclusion in postfix?


NULL pointer deref in pcf_check_dbms_client() with unreadable map file



we got a bug report (1753470) where postconf was crashing if had a map pointing to a file that the user couldn't read.

ubuntu@bionic-postfix:~$ l /etc/postfix/
-rw-r----- 1 root root 169 May 7 14:08 /etc/postfix/

ubuntu@bionic-postfix:~$ cat /etc/postfix/
cat: /etc/postfix/ Permission denied

ubuntu@bionic-postfix:~$ postconf
Segmentation fault (core dumped)


gdb shows the crash is in vstream_fileno(fp):
Program received signal SIGSEGV, S

Can't seem to allow relay from IP


I am attempting to allow mail relay from a specific IP address but can't
seem to make it work correctly.

Gmail discard my emails

I have a small postfix server with the following data:
- 6 email accounts
- 2 users (my wife and me).
- No spam or UCE ever.
- Fixed IP
- SSL certificate from certbot.
- SPF records are OK.
- Not blacklisted
- Email politics published (required by hotmail)

All works, but the problem is when I send to gmail.

not able to telnet on port 25 for second instances

The smtp service is not working for other instances of postfix.

It is only running on the main instance. Using nmap, I found that smtp is stopped for the other service.

Zimbra Red Hat repositories

People, I want to add the Zimbra repositories to my current Red Hat
server, and I can't find them anywhere.

Please can you give me the official Zimbra repos for Red Hat?

Special thanks

trigger script at login

is it possible to trigger a script to run when a user logs in to send an email? Ideally the script would also have access to username, IP address and user agent?

Postfix Multiple Instances Load Balance

Hi All

I have a CentOS server with 4 public IPs. I want to configure multiple
instances of postfix on those 4 IPs.

I have created multiple instances

multi_instance_directories = /etc/postfix-1 /etc/postfix-2 /etc/postfix-3

/etc/postfix/ will have 1 IP while the above 3 will have the rest of the

I want to know, once I have configured all the IPs, and when I send email using the main postfix IP, would the emails be rotated and sent across the 4 IPs, sort of load balanced, or not.

Source of spam


I have a postfix mail server on the same server as my website. This website has a form for contacting me. Mail is sent to ... at my dot (delivered locally) and it is then forwarded to my gmail account (postfixadmin setup). I'm receiving spam sent to this address and I'm trying to find out what the entry point is for these

Delays in writing to INBOX

Hello all,
I am seeing consistent delays in writing to disk (my System redhat 7.2
using GFS2 file system cluster)

May 4 10:03:34 mail1 postfix/lmtp[11662]: E4EB75048C19: to=< ... at xyz dot com>,[private/dovecot-lmtp], delay=50, delays=0.02/0/0/50, dsn=2.0.0, status=sent (250 2.0.0 < ... at xyz dot com> IIt4Ejji61o3LgAAuUaIWw Saved)

during major bursts of receiving, mailq delays go up to 600+ also.

GFS2 writing is OK. Not as great as XFS but OK.

Central filtering postfix relay


We are using postfix as a central email relay that forwards to an external
provider for trusted sending to our customers. Centralising this relay is a
must to limit the distribution of sasl creds required for sending to our
external provider. We have several products, each with dev, staging and
production environments and each with their own defined Class A address
ranges (

Only accept "MAIL FROM:" one specific domain - REJECT all others


I’m trying to set up an internal postfix mail server for a very specific use for a client. They need to REJECT all mail that is attempted to be sent with a MAIL FROM: value of anything other than an address at “” (for this example).

Reliably identify email forwarded from inside to outside


What would be the best way to identify email which is forwarded to
external addresses by .forward, procmail or sieve rules?

We have control over the mail gateways which handle all incoming-outgoing
traffic, but no real access to the internal servers where the forward
rules may be entered.

Add a specific header (e.g. X-Delivered-To) to the incoming email (it
could be deleted, but let's ignore the possibility) and check it in the
outgoing ones? What are the possibilities for false positives and

Root user's sent mail

The root user sends out some periodic mails to users. These mails get placed in /root/sent (an mbox file) instead of in /root/Maildir/.Sent/ (a Maildir directory).

It’s not a big deal, but it makes clearing the mails periodically slightly more difficult.

The mails are sent via a crontab entry much like this:
<command> | mutt -e 'set content_type=text/html' -s "DMR $($YDAY)" ... at kreme dot com -b ... at kreme dot com = Maildir/

But I suspect the issue here is mutt and not postfix?
