Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Error in 3.2.4 on startup, service not found (rspamd milter)


I am getting the following error messages when starting up postfix 3.2.4

2018-02-17T21:50:34.594521+01:00 ms2 postfix/cleanup[9220]: fatal:
host/service localhost/11332 not found: Name or service not known

2018-02-17T21:50:35.594843+01:00 ms2 postfix/pickup[8886]: warning:
maildrop/4612EA0DCA: error writing 90F5AA0EB0: queue file write error

2018-02-17T21:50:35.595321+01:00 ms2 postfix/master[8885]: warning:
process /usr/libexec/postfix/cleanup pid 9220 exit status 1

2018-02-17T21:50:35.595521+01:00 ms2 postfix/master[8885]: warning:
/usr/libexec/postfix/cleanup: bad command startup -

MTA-STS when?


Hopefully, I am not one of several who already has asked this question
before, but here it goes:

When does postfix plans to implement MTA-STS?

Add additional smtp port in postfix

Hello all,

I need to add an additional port for postfix to listen for incoming connections (port 2525). Most of the stuff I've seen on the Internet simply states to add the following in my

smtp inet n - n - - smtpd
2525 inet n - n - - smtpd

However, since I have postscreen enabled my

#smtp inet n - n - - smtpd

Line in my is commented out, so I'm thinking the config is different in my case. Can someone help with this?

Thanks a lot

append_at_myorigin problem


i'm having quite severe problems with append_at_myorigin - Postfix is
appending myorigin to sneder name if it contains a colon character and
is encoded into quoted-printable format, for example (generated by

This is rewritten to:

I tried to disable it with this but it doesn't work:
append_dot_mydomain = no
append_at_myorigin = no
local_header_rewrite_clients =

Postfix 2.11.3. Any hints?


General websites on e-mail administration that also cover Postfix ?


I was looking for some websites that covered e-mail administration in general and that also mentioned Postfix.

I checked the Postfix homepage [1] and on the link “Howtos and FAQs” there are two links at the bottom under the heading “General E-mail/System Administration”. Unfortunately the first link appears to be dead and the second link is more of a discussion of the C10K problem, which appears to be more of use to people writing software on the scale of Postfix.

Can anyone recommend any good sites that cover e-mail administration in general ?

temp avoiding RBL block with client_checks OK?

one of the users is waiting for an email from server currently listed on
<a href="" title=""></a>

chances are it might get fixed in 12 hours, or, maybe not

short of removing from my RBL checks, is there a way to
'bypass' this current predicament, and, allow mails from the IP/host?

can I simply put IP ? hostname ? both ? in /etc/postfix/client_checks ?

or is it /etc/postfix/sender_checks ? as so: OK OK


Testing Postfix-3.3....0-RC1


so far, the RC1 works.

How to best test from VM with port 25 closed by ISP


how can I best test postfix delivery from a local VM if port 25 is
blocked by ISP.
My only intention is to setup another VM and make a network between them
and then send mails between them.
Or is there any other solution how I could get postfix from a VM to the


sender AND recipient based routing

I have a requirement to deliver via 'X' when sender = 'A' /and/ recipient =
'B', else deliver via configured defaults.
I see how I could use sender_dependent_default_transport_maps to set nexthop
to 'X' when sender = 'A' but I still need to deal with the additional
condition that recipient = 'B'.
It's like I need multiple transport tables, dependent upon sender.
Is there any way to fulfill this requirement within the postfix framework?

Postfix queue

Lately I wrote in python postfix policy service that can do something for
me what I want.
Now I am thinking about next service butI don't know maybe it is not

That is my question:

There is posssible write some service similar to eg.

check_policy_service unix:private/policy-spf

It is possible to write some policy service that will be working with
postfix queue ?

I would like have policy service that will be able to write do data base
some information eg. when exactly message was sent, message ID, DSN if
soemthing goes wrong.

aquamail connecting to postfix


Does anyone have Android's aquamail app successfully connecting to a
Postfix server? If so, w hat settings did you use? I keep getting an
authentication denied error. I've tried for authentication choose
automatically, sasl plain, sasl login. For server security I've tried
ssl strict check, ssl accept any (both on port 465), and starttls
strict check and starttls accept any (port 587).


FWIW, port 465 gets standards-track blessing from RFC8314

<a href="" title=""></a>

The STARTTLS mechanism on port 587 is relatively widely deployed due
to the situation with port 465 (discussed in Section 7.3). This
differs from IMAP and POP services where Implicit TLS is more widely
deployed on servers than STARTTLS. It is desirable to migrate core
protocols used by MUA software to Implicit TLS over time, for
consistency as well as for the additional reasons discussed in
Appendix A.

IP ACL’s for smtpd port 25 and not submission


I currently use postscreen on my Postfix version 3.1.0 mail server. I implement IP ACL’s via it to ban malicious connections (generally from xDSL IP blocks), against smtpd running on port 25.

I have recently configured and turned on submission with SASL. With submission available, I don’t want to ban any particular xDSL IP blocks as clients that are travelling around the world may make use of Internet in cafes, hotels, etc.

Diffing man 5 postconf changes between releases


I currently use Postfix version 3.1.0. I know that there are announcements of feature changes between each release of Postfix via e-mail and I read these, but I was wondering if there was an easy way to see the changes to the configuration parameters between versions ?

For example, can I somehow diff the difference between man 5 postconf on version 3.1.0 and the current release of Postfix ?

t/s missing inbound mails with limited info

I've noticed I'm missing certain inbound emails addressed to me, the IT
support of sender is of limited help, as when I've asked for any rejection
notice or IP of sending server I was told "Please be informed that we
couldn't see failure/rejection notice from our end as we have received the
response from our transactional email provider which we are using in the

I was told 'we rectified the error', but, I don't think I'm getting these
emails, and, the sender is of no help with any info

looking at header of one email that I have received, they are using

Postfix lost connection after EHLO from


I am trying to figure out why my Postfix disconnect after EHLO command. A
customer is trying to email me something but Postfix disconnect: ( on the
customer side this is the bounced message "Remote Server returned '< #5.0.0 smtp; 554 Security violation. Email Session
ID:" )

your help is appreciated!

Feb 8 09:46:03 spring1 postfix/smtpd[47824]: connect from
Feb 8 09:46:03 spring1 postfix/smtpd[47824]: match_hostname:
smtpd_client_event_limit_exceptions: ~?

Designing a proper postfix/dovecot LMTP/LDAP layout

I want to replace old Sendmail server with new with Postfix. And although
I have read some documentation and howtos, I'm still disoriented in the
vast array of possibilities in Postfix itself and its interaction with
other pieces.

mail.log - verify_cache.db: No such file or directory


Last week I had problems with my mail server but now everything
has settled again. I have in my logs now the following error
message that I do not understand. As I've seen, this has
already been discussed a few times.

Please, how do I tackle this or how can I solve this!?

Re: Duplicate mails in mailq / always_bcc

This was one of the things I already tried without resolving the issue, as stated in my feedback mail:

Re: Duplicate mails in mailq / always_bcc

This is *only* the case with mails that later get deferred. Messages that are sucessfully sent to the appliance that archives the mails are only logged once, with the status "sent" obviously.
The recipients address in this and all other cases is always the appliances address ( ... at mailappliance dot local) .

Re: Duplicate mails in mailq / always_bcc


I did not change anything that I am not able to revert back to it's original settings.
I am not "blindly trying random changes" but implementing suggestions being made in this thread and / or I found elsewhere online when I searched for keywords like "postfix", "always_bcc", "content_filter" etc.

For the sake of keeping this mail readable, please refer to this link (<a href="" title=""></a>) , there you will find an excerpt of the maillog

Re: Duplicate mails in mailq / always_bcc

Hi list,

sorry for my belated reply.

First of all: thanks for the input to everyone suggesting where / what the error may be.

What I tried so far:
1) reducing the MTU all the way down to 1400 - no change, error still persists.
2) sniffing the connection: nothing suspicious, one or two RST flags in a bunch of 1800 packets
3) Uncomment the filters we use, to rule them out as an error cause: this was partly successful; with every filter uncommented the error still persists
4) deactivate the tcp_window_scaling -> the problem still persists
5) removed the comment from this line:
relay unix

Upgrade unbound resolver to 1.6.8 if used for DANE

If you're using unbound as your local DNSSEC-validating
resolver and have enabled DANE, an issue is resolved in
unbound 1.6.8 where NSEC records for wildcards could be
misused for invalid denial-of-existence proofs. See:

<a href="" title=""></a>
<a href="" title=""></a>

The first article mentions that the same issue affected
PowerDNS and Dnsmasq. So if you're using one of those,
you might also need to update.

Question regarding smtpd DNS resolution


I had a question about Postfix’s smtpd DNS resolution.

In my logs (generally from spam sources), I see the following:

Feb 4 15:05:46 server postfix/smptd[718]: warning: hostname does not resolve to address Name or service not known

Does this mean that:

1. smtpd receives a connection from an smtp client and does a reverse DNS lookup
2. smtpd performs a forward DNS lookup on the result and compares the resulting IP address to the initial IP
3. If the IP addresses don’t match it reports this error


Trying to get VERP working with Majordomo

I have had a Majordomo configuration working for years (with help from
this list getting the aliases configured).

Postfix upgrade breaks emails accounts from Mac OS X


I apologize if tht has already been posted, but I could not find any

I recently upgraded my postfix server from 2.11.6 to 3.2.3_1.

Postfix server runs on a FreeBSD OS.

Achieving trusted TLS connection

Hi all,

I've read what Postfix documentation I can find on the subject, and I
don't understand why I'm seeing untrusted connections rather than
trusted.  I'm using an account at for testing purposes, they
use DNSSEC / DANE for there server (as do I), and I see a verified
connection when sending email to their server, but returned connections
are untrusted.

This is what's logged when TLS logging is set to 2 -

Jan 31 17:53:31 indium postfix/smtpd[30307]: setting up TLS connection
Jan 31 17:53:31 indium postfix/smtpd[30307]:[80.24

Connection reusing with port 465 or 587


I'm using Postfix inside Google Cloud Compute Engine with outbound
port 25 blocked by default and I want to use Postfix to relay email
from my org.

I've setup both SSL and TLS modes successfully (diff installations)
but the problem is that I generate an unique email for each of the
1000 recipients and sending this causes a DoS alert on Gmail after
about 50 consecutive emails.

Their support advice to reuse the connection to send more than 1 email
per connection, but as per the documentation TLS / 587 is not
supported for connection caching.

What about SMTPS on port 465?.

multi instance postfix with 2 IP address and 2 sending domains


I have configured server to support 2 sending IP addresses with
corresponding 2 sending domains. DKIM, SPF, reverse hostname works
correct, primary and secondary instances are setup with corresponding
myhostname and smtp_helo_name. smtp_bind_address also configured correct
on both instances. But for some reason Gmail or Microsoft Outlook
detecting second domain as spam but first one working well. How to debug
this? I can provide any details if needed.

Best regards,

Email and information helpfull to have in the headers/logs for police enquiries


We participated in some police enquiries about emails sent to blackmail people and get the source IP. The ISP answered
that they use proxy systems and they requires IP+port to be able to track the source. We just helped the case but it
sparkle the idea that i better start to log the tcp port as well on my servers logs.

In postfix the IP is logged but not the TCP port.

Duplicate email troubleshooting


I'm running into an issue with a mailbox that also has aliases assigned to it.

e.g. <a href="mailto: ... at domain dot net"> ... at domain dot net</a> <mailto: ... at domain dot net> has alias <a href="mailto: ... at domain dot net"> ... at domain dot net</a>, <mailto: ... at domain dot net,> <a href="mailto: ... at otherdomain dot net"> ... at otherdomain dot net</a>, <mailto: ... at otherdomain dot net,>and <a href="mailto: ... at otherdomain dot net"> ... at otherdomain dot net</a> <mailto: ... at otherdomain dot net>
What's weird is user1 and user2 are getting duplicate emails, but I don't have this problem with other users set up in a similar fashion.

I've tried to debug this, read the threads, pore over the logs, and do due diligence on this, but I'm stumped.

send specific NDR message for users in certain OU


The question can perhaps be made more generic like this:

Can postfix generate a *specific* NDR (or an autoreply) for accounts
that meet a specific criterium, such as:
- user account was found under OU=to-delete,CN=company...
contrary to the regular location CN=Users,CN=company...

We would like to move to-be-deleted users to this container, before
actually deleting them.

python-policyd-spf doesn't check mail from my own domain

I've installed the opendmarc milter. I'm not rejecting mail from it at
the moment. I've noticed that if I send myself a message, the
policyd-spf milter isn't run. That in turn causes mail I send myself to
fail in opendmarc. Any ideas?

The various email verifiers do show that my email passes spf.

It is easy enough just to whitelist your own domains from opendmarc,
but that would allow spoofed email to get through.

Server will send spam


Since today me Email Server will be send a lot of rubish, and i dont know

please can any one give me here any little Help!

I have a lot of "Mail Delivery System <MAILER- ... at nmail dot>" error

and i dont see from where this mails will come and why me Server this email

will be send!

me Server will be run now over 1 Year without any problems, today....

Upgrade to -3.2.5: permissions question

I just upgraded from 3.2.4 to 3.2.5 and ensured that /usr/sbin/postdrop
and /usr/sbin/postqueue were set gid:

-rwxr-sr-x 1 root root 13888 Jan 28 08:58 /usr/sbin/postdrop*
-rwxr-sr-x 1 root root 18012 Jan 28 08:58 /usr/sbin/postqueue*

Yet, when I start postfix I see these messages:

Jan 28 09:31:55 salmo postfix/postfix-script[16119]: warning: not owned by
group postdrop: /usr/sbin/postqueue
Jan 28 09:31:55 salmo postfix/postfix-script[16120]: warning: not owned by
group postdrop: /usr/sbin/postdrop
Jan 28 09:31:55 salmo postfix/postfix-script[16124]: starting the Postfix mail


Hi list,

I'm trying to eliminate a problem with duplicate emails in alias expansion
and I have seen that some (local generated and SMTP also) messages don't
have the
Message-ID header .

TCP_TABLE Request Format

Hi all,

Could someone clarify the following passage from the TCP_TABLE manual:

Each request specifies a command, a lookup key, and possibly a lookup

Look up data under the specified key.

This request is currently not implemented.

What does the "... and possibly a lookup result." part mean? Does this
mean that, possibly, a request could look like this?:

get SPACE key SPACE lookup_result NEWLINE

Kind regards,

Configure Postfix for High Volume


I have single mail server that send relatively large amounts of emails at
least 3 times a day ranging from 15K to 50K each time ..

80% of emails are going to one domain owned by my company *(Domain1)*..

Don't send "sender non-delivery notification" to one sender

Is it possible to exempt one sender from receiving non-delivery
notifications? We have a DMARC policy that forces DKIM headers on all mail
and when Postfix sends a non-delivery notification to this bulk mail sender
(a fake e-mail alias) it fails because of our DMARC policy.

I have set notify_classes= to not receive any e-mails about errors/bounces
but it looks like the non-delivery notifications still occur.

How could I block one sender from receiving those notifications?


Domain is spam sender reject


I'm trying to understand where this message is coming from.

enable automatic stress-adaptive behavior


Now my Postfix run with empty value stress= :
$ ps auxw | grep smtpd
postfix 26176 0.0 0.0 92072 4812 ?

warning: TLS library problem

routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Should I be blocking some encryption method? I thought openssl dropped
support for the hackable protocols.

mass mailing management web interface recomendation

I would like to ask what is the best web gui to manage mass mailing with
Any advices greatly appreciated.


Postfix sometimes does not write all the data to maillog


Sometimes when server is busy Postfix does not write all the data to
maillog. I see difference between data from maillog and content of file
with data in format: Date --From email --To email

It's seems that drops some info before writing to maillog i.e. maillog
does not contain every activity that Postfix does.

Maybe need to add some parameter in to force logging all info to

Response to sender when mail is put to hold queue

I don't know what response is given to the sending client when postfix
puts an incoming mail into the hold queue, say because of an access
table HOLD action.

At the time of actioning the hold, is sender told the mail has been
delivered (250), or something else - or is no response given at all?

Is there an attempt to give any info back to original sender when the
mail is finally released for delivery, or deleted - which may of
course be much later? (I do not allow DSN requests from strangers, if
this makes any difference.)

removing postgrey - reconfigring postix

I have been using postgrey for some time, but recently I have seen some
posting that indicate that this is not the "best" way of spam control.

Is there a write up of how to setup up postscreen for maximum spam control.


John A

using two different sending domains and IP addresses on one postfix server


I am configuring postfix send only mail server with 2x sending domain
lets say and I have configured almost
all the pieces and
sender_dependent_default_transport_maps in

4.7.0 too many connections from Tbird client

one of the users reported getting on TBird client:

"Alert an error occurred when sending mail: the mail server sent incorrect
greeting 4.7.0 error too many connections from"

# grep '' /var/log/maillog | wc
1349 24838 304573

I've tried
# grep 'too many' /var/log/maillog
Jan 23 22:13:24 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from []:64523: too many connections
Jan 23 23:32:43 geko postfix/postscreen[14348]: NOQUEUE: reject: CONNECT
from []:55473: too many connections
Jan 24 06:42:00 geko postfix/postscreen[3426

submission configuration in


I was wondering about a configuration parameter listed with the default submission configuration in

One of the parameters that overrides the settings in “milter_macro_daemon_name” is set to “ORIGINATING” instead of the default value in

Why is this done ?


- J

Self-signed TLS certificates

Hi all,

Apologies if this has been discussed before, but currently I use
self-signed certificates on my Postfix servers for TLS negotiation, I'm
doing this mainly to keep the costs down.  As far as I'm aware I don't
have any problems sending / receiving email to / from the major
providers, but could that change in the future?  Could the likes of
Google start insisting on a chain of trust for mail delivery?

I see wildcard SSL certificates are coming down in price, I use SSL on
one or two websites and am starting to consider one of these to cover
everything I do.  Am I right in assuming a stan

Request for feedback on SMTPD restrictions


I have a basic SMTP server set up with what I believe to be good smtpd_*_ restrictions, but I was wondering if anyone could provide any insight on how to improve them or if I have been redundant in the restrictions.

canonical based on login name

hi list

I run a webservice (and a mail service). All websites run under the same
UID of <a href="mailto: ... at webserver dot"> ... at webserver dot</a>. I know, not ideal, but i cannot
change that bit. Problem is that if one site gets hacked, user apache
starts sending spam with no way to figure out which website is
misbehaving. Thus we are going to enforce websites to use SASL-auth.

Now the remaining problem is that ,even with SMTP-auth, the MAIL FROM
username sometimes is still apache.

Question regarding SASL auth only over TLS in SMTP server


I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

A more sophisticated policy . . .

Relay via command-line MTA instead of 'relayhost' SMTP server?

I'm trying to figure out how to set up an SMTP server that accepts
incoming mail and relays it by invoking a command-line MTA
(e.g. /usr/bin/sendmail or equivalent) instead of connecting to a
'smarthost' SMTP server.

Can Postfix do that?

Debian Stretch reboot problem

Does anyone know a robust workaround for the bug in Debian Stretch whereby on reboot Postfix services do not fully start, and mail is not accepted? It’s recorded as bug#877992 but there seems to have been no solution through a number of upgrades.

It’s especially a nuisance right now with reboots needed to apply Meltdown fixes! Otherwise, the server would probably run for a long time without needing reboot.

Best regards, Martin

Postfix using all CPU after nightly mail submission


We use a Postfix installation on Debian 9 in our network to serve as a
send-only SMTP server for a very large application in our school district.
This application does not have its own built-in SMTP server and requires a
relay to send notification e-mails to students, teachers, and parents
topping out at around 10,000 e-mails per day.

Setup SquirreMail with Virtual Host

Dear, i have a problem in config vhost squirremail.
I'm following the steps in the tutorial [
br/postfix-squirrelmail-outlook/] .

Syndicate content