Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

deleting from the corrupt queue

How does one delete from the corrupt queue?

address extension fails for mailman

I have a mailman3 installation and postfix. One problem arises when a new
subscriber replies to listname*+token* Postfix doesn't
match the email with postfix_lmtp, and instead rejects the mail as no local
user is found.From postfix log:What have I done wrong?

Backscatter questions


I recently configured Postfix 3.1.0 on a low-volume, Internet facing server. Mail operations are normal, but I had two questions regarding backscatter.

1. From what I understand, “backscatter” refers to e-mails such as non-delivery reports being sent back to the originator of a spam message. As the originator is often a forged address, the non-delivery reports is essentially junk data. Would this be a correct definition for the term ?

2. Is it possible to white-list the generation of non-delivery reports for some hosts and prevent generation for all others ?

RESOLVED: RE: wrong From: and Return Path: address

This problem turned out to be a DNS issue. The Postfix 3.1.0 machine's
virtual domain in the From: address was entered in DNS with a CNAME record
pointing to the gateway machine (because they are, indeed, the same

Keep Postfix running in the foreground


I am currently having trouble to get postfix running in a Docker Container.

Docker requires a Process to stay alive and in foreground at ID 1, if
not the container dies.

Is there any way to make it stay in the foreground, like it is possible
for instance with _/apachectl -DFOREGROUND/_ (Without scripts,
supervisor, ...)?

Many thanks for helpful replies in advance!

Copying IMAP messages instead of Forwarding?

Is there a method to use IMAP to move messages to another account on another server for which I have login credentials on delivery instead of simply forwarding? Or would this be a question for the Dovecot list?

I am trying to get around various spam checking and DKIM failures for a local user who uses gmail but whose address is on my server.

Bombarded With Spam

I inadvertently set open relay on my server sometime ago. I've fixed it
but I am now bombarded with spam messages. I'm seeing messages like:

6C5C41FCB3     5940 Sun Sep 24 11:10:12  <a href="mailto: ... at sfilc dot com"> ... at sfilc dot com</a>
(delivery temporarily suspended: lost connection with[] while sending RCPT TO)

That fill up my mailq. I've since blocked but I get others
with a domain.

How do I block or reject these messages?

Postscreen blocked Gmail?

I am playing around postscreen and I just saw this in my log:

Sep 21 13:31:39 iota postfix/postscreen[5855]: CONNECT from
[]:52393 to []:25
Sep 21 13:31:40 iota postfix/dnsblog[5857]: addr listed
by domain as
Sep 21 13:31:40 iota postfix/dnsblog[5858]: addr listed
by domain as
Sep 21 13:31:45 iota postfix/postscreen[5855]: DNSBL rank 2 for
Sep 21 13:31:45 iota postfix/postscreen[5855]: NOQUEUE: reject: RCPT
from []:52393: 550 5.7.1 Ser

Virtual domain hosting “catch all” e-mail address


I am currently configuring virtual domain hosting on Postfix 3.1.0 and have a question about the “Postfix Virtual Domain Hosting Howto” document [1].

Under “Postfix virtual ALIAS example: separate domains, UNIX system accounts” there is an example of the virtual file. On line 10 it states:

# jim

This is referred to as a “catch-all address”.

My question is: does this receive ALL e-mail to: or does it only receive e-mail that is addressed to virtual users that do not exist in the virtual file ?


[1] <a href="" title=""></a>

wrong From: and Return Path: address

I have a problem that seems to have started when I upgraded from Ubuntu
14.04/Postfix 2.11.0 to Ubuntu 16.04/Postfix 3.1.0. It involves the From:
and Return Path: addresses seen by recipients of mail sent from a virtual
domain on that machine.

Clients of Google, Yahoo, Rackspace, . see the From: and Return Path:
address as <user>@<virtual-domain>, which is correct.
Clients of one (rather large) email service provider see the From: and
Return Path: address as <user>@<gateway-hostname>, which is wrong.

The one email provider might have something wrong on their end.

Postfix Mailrules from diffrend Source Systems

Hi Postfix Guys,
I am an newby in Postfix and i have read some Posts like this
<a href="" title=""></a>
<a href="" title=""></a>
in the Forum but I can`t find any Solution for me.
I will use Postfix as Mailrelay to filter out Mails from three different
Source Systems to Forward to different eMail Recipients.

check_recipient_access after rewrite happens


During migration of an inherited mail system I have the situation that I
would like to reject certain recipient address _after_ they have been
rewritten through the virtual_alias_maps.

The old system had a spam sink where users could redirect certain local
parts. e.g. a user has a catchall account on his domain but
has burned <a href="mailto: ... at example dot com"> ... at example dot com</a> and it is full of spam.

mailbox_transport and Cyrus


I'm setting up a server with Postfix and Cyrus with about 100 mailboxes
and modest expected traffic, about 1,000-2,000 messages per day.

The file offers the options:

mailbox_transport = lmtp:unix:/var/imap/socket/lmtp
mailbox_transport = cyrus

Would you please explain the advantages/disadvantages of these choices?

Postfix mail logging stops and starts

​Hi All,

We are facing an issue where the mail logging stops
and starts at regular intervals without an intervention, there
is no error and the email system keeps working, but only
problem is we keep missing the logs between intervals
when there is no mail logging happening, please suggest.​


Mixing of address classes per domain


I have inherited an older postfix and sendmail system with a cyrus imapd.
My plan now is to migrate that to a postfix 3.x MTA with a dovecot imap
Pretty standard so far.

When trying to migrate the existing mail routing logic I did come accross
certain rules which are working correctly on the old system but where I am
having problems fitting them into the current address classes logic.

Local addresses are handled currently through a mailbox_transport =
lmtp:private/dovecot-lmtp entry.

using postfix as a smart relay for many servers

Hi, I'm using Postfix to relay from my internal network, through postfix,
to mandrill, on to the destination. The issue is that I have multiple
internal servers, but once it gets to mandrill they all look like one
because the instructions I found only allowed for one mandrill relay. I
found instructions how to use a different relay depending on the domain in
the to: field, but how do I have it select the smart relay based on the
application server sending the email? The way mandrill works is it
separates mail into queues based on the username and password provided.

Communication between Postfix and Dovecot LDA


I am trying to solve a problem with error mails clogging my queue on a
system with the following components:

Incoming mail -> Postfix -> DSpam -> reinjection back to postfix queue
-> Dovecot LDA

The system also handles outgoing mail for non-local users, for any mail
address not found in a table of local users, Postfix just tries to
deliver it according to the MX records.

However, the Postfix handling the incoming messages for local users
(before DSpam) has incomplete information whether the local delivery
will be successful.

Authenticating clients based on CA/CN-match


As far as I can tell, postfix can authenticate its clients using
certificates in two ways:

check_ccert_access (also permit_tls_clientcerts), which
authorizes clients based on the cert fingerprint;

permit_tls_all_clientcerts, which authorizes clients if they
present a cert signed by a specific CA;

We've been using the former for years, requiring us to manually
deploy the new fingerprints every two years.

New DANE SMTP monitoring and diagnostic utility

I am pleased to offer to the DANE user community a new monitoring
and diagnostic utility. This is a one-shot variant of my survey
code specialized for monitoring cron jobs and troubleshooting.

Code and instructions at <a href="" title=""></a>

While Haskell may be an unfamiliar programming development toolchain
for many of you, I hope that it will not be difficult to install it
for the purpose of compiling an existing project.

Bounce messages like gmail


Im looking about how to customize the bounce messages.

I follow this guide

<a href="" title=""></a>

And work fine, but i wanna customize it using HTML (like gmail), but i
cant foud how do that.

Something like this

<a href="" title=""></a>

How can i do a similar on postfix?

thanks and regards.

Reject bounces


I have a mail server running postfix that sends a lot of emails and gets
back a lot of bounces. These bounces a filling up my server and causing
additional load.

Is there any way on a postfix level to reject/not accept any type of bounce
that gets sent to the mail server?

Please let me know.

Accurate install guide for Postfix on Ubuntu 16.04 LTS

I apologize if this is the wrong place.
Ive tryed to look through the internet on how to setup my own email server -
the whole package, and ive been trying for the last few day and had nothing
but errors and confusion.
ive been trying postfix with dovecot on Ubuntu 16.04 LTS, running on a
virtual machine provided by oracle virtualbox.

Prevent local delivery for unix accounts


Is it possible to prevent local delivery for unix accounts below 1000
(system accounts)?

I have read <a href="" title=""></a> and
<a href="" title=""></a> without success.

My problem is that spammers trie to deliver mails to system accounts
like "www-data" with a usurped sender envelope and postfix bounces to
the usurped address : the mailbox directory cannot be created.



stop receiving mail but keep processing mail in queue

How would we set Postfix to stop accepting incoming mail yet keep processing any queued mail? We are migrating from RHEL6 physical to RHEL7 virtual. Postfix version 3.2.2.

Also, can we copy the queue over?


Larry M. Rosenbaum
Oak Ridge National Laboratory

Header_Checks non-exsiting field check


is there a way with header_checks to check if a field does not exist ?

We want to reject mails that do not include the field

But unable to find it ...

Any hekp pls


postfix/postfix-script[6735] error: unknown command: 'quiet-quick-start'

hi all, use systemd start postfix faild, here is detail:

my os is ubuntu-gnome 16.04.03, first I use apt install postfix and other
software, for some reason, I reinstalled it by complied source code, version
was postfix-3.2.2, installed successfully, but when use systemctl start
postfix, it failed

postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix; bad; vendor preset: enabled)
Drop-In: /run/systemd/generator/postfix.service.d
Active: failed (Result: exit-code) since 三 2017-09-13 09:13:09 CST; 8s

install postfix from source code, cannot start with systemd

first I install postfix use apt install postfix, everything goes right, can
use systemctl start postfix, but I want change some code, so I reinstall
postfix by compiling postfix, then use systemctl start postfix, it
complaint: I have googled, but failed to solve it.

Fail2ban integration questions

This is semi-hypothetical ...

I often see spews of failed connect attempts logged by postscreen:

Sep 12 11:13:09 minbar postfix/postscreen[9238]: CONNECT from
[]:54708 to []:25
Sep 12 11:13:09 minbar postfix/postscreen[9238]: PREGREET 14 after 0.12
from []:54708: EHLO ylmf-pc\r\n
Sep 12 11:13:10 minbar postfix/postscreen[9238]: HANGUP after 0.24 from
[]:54708 in tests after SMTP handshake
Sep 12 11:13:10 minbar postfix/postscreen[9238]: DISCONNECT
Sep 12 11:13:10 minbar postfix/postscreen[9238]: CONNECT from

Different certs on different interfaces

I have a running postfix 2.11.10 that binds to several interfaces, on
some of which I whish to enable TLS. I have a different certificate
for each interface; is that supported or I have to run two different

Thanks to everybody,


smtpd_discard_ehlo_keyword_address_maps support for hostnames

Hi all,

Postfix documentation mentions (for smtpd_discard_ehlo_keyword_address_maps):

“The tables are not searched by hostname for robustness reasons.”

Is it possible to describe what these reasons are? (performance related?)

Is it worth adding a new parameter that performs the same functionality on hostnames?

Increasing spam level to backup MX

Hi Friends,

activating a backup server I realized that some spammers using this
server to send spam to my relay_recipient_maps addresses. Spam is then
successfully forwarded to the main server.

Is there a parameter to prevent this type of action? A type check "do
not receive email if the main server is reachable...?

Or should I operate directly by SpamAssassin?

many many thanks


Letsencrypt tip

<html><head><meta http-equiv="Content-Security-Policy" content="script-src 'self'; img-src * cid: data:;"></head><body contenteditable="false"><div id="response_container_BBPPID" style="outline:none;font-size:initial;font-family:&quot;Calibri&quot;,&quot;Slate Pro&quot;,sans-serif,&quot;sans-serif&quot;" dir="auto"> <div name="BB10" id="BB10_response_div_BBPPID" dir="auto" style="width:100%;">As you know, letsencrypt certs can be automatically updated. However, you need to reload/restart Postfix/Dovecot to use the new cert. My email client insisted I had an expired cert.

how to use check file in

how to use parameters like
hash:/etc/postfix/recipient_access in, postfix will log fatal
error and process exit

Cannot send mail following upgrade to 3.1.4 - can't find user/alias info

I just upgraded my server from Debian old-stable (jessie) to stable
(stretch) - and with it came an update to Postfix 3.1.4.

(Quick note: I typically send from my workstation, 'shere-khan', by way
of an ssh tunnel. That domain name will pop up.)

Following the upgrade, I can't seem to process mail properly after
setting compatibility_level to 2.

outlook connect postfix use tls will fail,reject: RCPT from , 554 5.7.1,Client host rejected: Access denied

use outlook connect to postfix on ubuntu 16.04 will fail, it seemed tls
established, and can connect to imap success, but send test mail will fail,
if use roundcube without tls, can log imap and smtp, and send recevive mail
successfully,here is log:

Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: Anonymous TLS connection
established from unknown[]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
from here we can see tls established, but send mail will rejected by postfix

Sep 10 18:40:01 xiedeacc postfix/smtpd[5536]: NOQUEUE: reject: RCPT from
unknown[]: 554 5.

Throttling bursts of connections at postscreen? More to do here?

Every few hours I get bursts of these from random addresses -- always at "" (

Communicating with abuse@ is a lost cause. They're completely useless.

Is postscreen doing its "best" job here at reducing load?

OT lightweight IMAP client

Figured someone on the list would have an opinion on a very lightweight feature-poor IMAP client. It doesn't need to do much else but access a single IMAP account and be able to forward emails as attachments. Search would be good, but not required. Searching for queueIDs in the Received header would be fantastic.

Primary considerations are fast and as light on memory use as possible and usable from a Mac (command-line is fine). I know mutt can do IMAP but I don't think it can forward messages as attachments though I am probably wrong. Windows 10 might be useful, but not required.

RE: can't get server to start postfix --ISSUE RESOLVED

Hi again, thanks for the pointers everyone.

It was not a Postfix issue. I have no idea how it happened but permissions on / got changed some how.

This fixed the default Postfix install, and then I put my config in and we are running normally again.

root@mail2 ~]# ls -ld /

drw-------. 23 root root 4096 Sep 8 09:59 /

[root@mail2 ~]# chmod 555 /

[root@mail2 ~]# ls -ld /

dr-xr-xr-x. 23 root root 4096 Sep 8 09:59 /

Server was rebooted

[root@mail2 ~]# ps -ef | grep post

root 1821 1 0 10:15 ?

Postscreen exceptions and blacklisting


I have tried to whitelist some servers for postscreen, but I notice that
they continue to get blocked if they are blacklisted.

What I am doing wrong in whitelisting them?

How can I successfully whitelist them so that they are not blocked even
if they are blacklisted in a RBL/RSBL?

Here is a session with remote server (ours is

Aug 31 11:14:01 mailgw3 postfix/postscreen[6476]: CONNECT from
[]:50520 to []:25
Aug 31 11:14:02 mailgw3 postfix/dnsblog[6328]: addr
listed by domain as

Dupliacte messages from aliases

Hi list,

I have a postfix install on a debian 8 machine . I have some
distribution groups through
aliases and when a user sends a message to eg group1 which he is a
member and cc to group2
(which he might be a member or another member of group1 might be in )
they get the message twice.
Is there a way to avoid duplicate delivery on local defined alias

thanks and regards

Using a date in a bcc map

[This message bounced because the words "c h a n g e" and "a d d r e s s" were on the same line.]

I currently have recipient_bcc.pcre:

if !/backup.*@/
/^([^+_]*).*@(.*)/ backup+${1}.${2}@localdomain.tld

I would like to change
this to add a date field
to the backup address.

Chinese Spam

My server is being hit pretty hard by spam from China. Every email is from a different IP address. The only common item is the message id ends in Is there any way to block those with that ID?

-- Doug

can't get server to start postfix

All of a sudden postfix won't load ? where should I look next ? thanks.

I tried
[root@mail2 postfix]# service postfix start
Starting postfix: [ OK ]

Logs show
Sep 7 16:50:47 mail2 postfix/postfix-script[3214]: starting the Postfix mail system
Sep 7 16:50:47 mail2 postfix/master[3215]: fatal: open lock file /var/lib/postfix/master.lock: cannot open file: Permission denied

[root@mail2 postfix]# ls -l /var/lib/postfix/
total 0

We have a private cloud with all of the servers sending mail via mandrill,
and each app/server has its own key. We have a few legacy apps, for example
a .net 1.1 app, that can't send via TLS over 587 (and mandrill doesn't
support plan smtp over 25), so we set up a postfix server to do relay to
mandrill. I found how to use a different smart relay for different
destination domains, but not for different sending servers. In other words,
one server sending to gmail vs yahoo can use a different smart host.

We have a medium sized cloud with 90% of servers sending via mandrill and each app/server having its own key. We have a few legacy apps, for example a .net 1.1 app, that won't send via TLS over 587, and mandrill doesn't support plan smtp over 25, so we set up a postfix server to do relay to mandrill via sasl authentication and a single mandrill key. I found how to use a different smart relay for different destination domains, but not for different sending servers.

bind smtpd to UNIX socket

Hello everybody.
I want to start the another smtpd process, binded to a UNIX socket, and
configure this smtpd with maximally relaxed policies.
I added a line to
lsmtp unix n y n - - smtpd -o smtpd_tls_security_level=none -o
mynetworks_style=host -o smtpd_relay_restrictions=permit_mynetworks
But when I try to send a mail, I get an error:
[root@vps3 ~]# socat UNIX:/var/spool/postfix/public/lsmtp -
220 ESMTP Postfix
EHLO test
250-SIZE 1000000000
250 DSN
MAIL FROM:< ... at xyz dot com>
250 2.1.0 Ok

postfix and multiple mandrill keys, based on sending server?

We have a medium sized cloud with 90% of servers sending via mandrill and each app/server having its own key. We have a few legacy apps, for example a .net 1.1 app, that won't send via TLS over 587, and mandrill doesn't support plan smtp over 25, so we set up a postfix server to do relay to mandrill via sasl authentication and a single mandrill key. I found how to use a different smart relay for different destination domains, but not for different sending servers.

Postfix and Maildrop Config

Hi there,

I#m trying to get Maildrop to work with postfix but:

- if I run it in direct mode
- it insists on a user as arg even I have truesed user enabled and
setuid bit is enabled

- if I run it in indirect mode
- I got told postfix/qmgr[1116]: warning: connect to transport
private/maildrop: Connection refused

I followed the docs here and have a ldap directory for my user

Since I noticed ppl don't really bother with less information I like to
point out that I'm totally new to the whole postfix thing so just trow
me a bone even you don't like t

openldap lookup error


I have configured postfix to work with openldap server for lookups. configurations are as below,




Restrict outgoing/submission to defined local or virtual users

Postfix 3.2.2, Centos7. All functioning as configured. I have a few local accounts, several virtual addresses delivered to those accounts, and some domains relayed, the latter do not submit mail through this box.

All local accounts send via TLS authentication on 587. Currently I don't think I have any restrictions on what an outbound address can be. I do have some aliases so I do not want to restrict to logon names only.

Is it possible to restrict outgoing mail to be from one of my "valid" local or virtual aliases?

unknown mime types for some websites' postfix-3.2.2.RELEASE_NOTES & postfix-3.2.2.HISTORY?

On the web site, when the links for ReleaseNotes or History are

<a href="" title=""></a>

<a href="" title=""></a>

When I click on one of these, the link doesn't open the page in the browser to read. Instead it tries to DL it as a ".BIN" filetype.

LDAP related "postconf: warning" with most recent build

% postconf -h queue_directory

gives me a lot of LDAP related warnings:

postconf: warning: ldap:/etc/postfix/ unused parameter: query_filter=(proxyAddresses=smtp:%s)
postconf: warning: ldap:/etc/postfix/ unused parameter: start_tls=yes
postconf: warning: ldap:/etc/postfix/ unused parameter: bind_pw=xxx
postconf: warning: ldap:/etc/postfix/ unused parameter: version=3
postconf: warning: ldap:/etc/postfix/ unused parameter: bind_dn=yyy
postconf: warning: ldap:/etc/postfix/ unused p

Specify DNSBL reject code in postscreen reply map?

I'm trying to understand reply maps' use.

fetch to and forward on one server - how?

hi fellas

Before I start tampering with stuff I thought - better ask

Having one postfix box which for local users forward to a
remote/external box(probably postfix too) - can I have that
same my postfix box fetch from that external server?
Would I have to use fetchmail(or similar) or postfix could
do it itself?

What I'm hoping is that some expert could say if there is a
potential to cause a disaster like some loop where fetchmail
or postfix will be retrieving from remote and also, by
misconfiguration, by misuse will be forwarding that
retrieved emails again to external serv

change myhostname

I changed myhostname in /etc/postfix/ from serwer-1.localdomain to but postconf -d shows something different from both
mentioned earlier -> s1.localdomain.
myorigin = /etc/mailname which includes -> serwer-1.localdomain
hostname -f returns

Question is why after changed myhostname it still is different and why it
is different from value which I set and which were before setup.

Re: What user should be specified for the opendikm -u UID option?

fyi, if you prefer a dedicated user approach, just need to make sure you're

groupdel opendkim
groupadd opendkim
useradd opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
usermod -a -G opendkim postfix

id opendkim
uid=5117(opendkim) gid=5117(opendkim) groups=5117(opendkim)
id postfix
uid=5001(postfix) gid=5001(postfix)

cat /etc/systemd/system/opendkim.service

Syndicate content