Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

submission rate limit advice

I've tightened or rather overtightened several postfix limits, in what
seemed like a good idea at the time...

noticed now this warning, this user is on a dynamic IP, so can't add his
IP to exception:

going by the counter "Connection rate limit exceeded: 125", what values
should I alter?

Jan 31 14:01:09 geko postfix/smtpd[24223]: warning: Connection rate limit
exceeded: 124 from[] for
service submission
Jan 31 14:03:14 geko postfix/smtpd[24340]: warning: Connection rate limit
exceeded: 125 from[

Current ideas on DKIM signing ?


Am currently refreshing my perimeter mail infrastructure.

The current state of affairs of DKIM signing looks pretty miserable!

DKIMProxy seems to be abandonware since 2010

OpenDKIM seems to be going the way of abandonware too (last release in 2015 and the bug tracker filling up).

I've had a quick search on github for DKIM but can't find much of interest.

We all know what software is like, you have to keep it fed and watered otherwise it starts growing bugs (or worse). I'm not too keen on using software of 2015 vintage.

What is everybody using these days ?

GF 3.3, unsupported dictionary type: mysql

I'm trying to migrate server to new vm, installed postfix* from GF (1)

but, after copying over get this:

Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql
Apr 6 00:34:46 emu postfix/proxymap[15601]: error: unsupported dictionary
type: mysql

postconf shows no mysql

Centos 6

daemon started -- version 3.3.3, configuration /etc/postfix

Linux 2.6.32-754.10.1.el6.x86_64 #1 SMP Tue Jan 15 17:07:28 UTC 2019
x86_64 x86_64 x86_64 GNU/Linux

what did I do wrong ?

# yum shell --enablerepo=gf-plus
Loaded plugins: fast

SPF and Greylisting


policyd-spf and postgrey are implemented and working.

With exim, I was able to check the spf result and greylist upon receiving a
certain result. I'm using Mail_From_pass_restriction = mfrom_passed_spf in

Is there any way I can defer or greylist based on an spf result of Softfail?



selective 550 Reject for missing sender PTRs?

I've got a legitimate sender, FedEx, sending expected, automated emails, that's got a missing RDNS PTR record on their sending host.

Re: Postfix and smfi_setmlreply() milter command resulting in SMTP protocol breakage.

Hi John,

True. But considering that Net::Milter also does the right thing, it seems like
a good conclusion that Postfix was doing line folding.

But you are right, it is good to verify.

MAILER DAEMON email address question


I have configured postfix with local domains

mydestination = ldap:/etc/postfix/

and to check local recipients:

local_recipient_maps = ldap:/etc/postfix/

smtpd_relay_restrictions =

smtpd_recipient_restrictions =

There are no aliases:
alias_maps = hash:/etc/po

Rewriting recipient before routing the email

Hello again,

Is there an option to rewrite the final recipient, to remove some extra
characters, with some header checks, for the incoming emails.

This is what I want to achieve:

For instance, if postfix receives emails for <a href="mailto: ... at rodier dot me"> ... at rodier dot me</a>, the
final recipient would be rewritten as <a href="mailto: ... at rodier dot me"> ... at rodier dot me</a>, and an
additional header would be added, for instance, X-Valid-Date: 0304.

Maybe I can do this with recipient delimiter, but can I have more than
one character recipient delimiter in postfix?

The idea I have in mind, and the first tests are promising, is to allow
my users to register on w

problems follow with certain rules

following the instructions given to me place the access in front of the
rule that is not supported ips unresolved, and as I still have the same
problems I added a debug to that ip that interests me and among other
things in this debug I find this:
16:43:05 ns postfix / smtpd [28258]: generic_checks: name =
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_namadr_access: name
unknown addr
Apr 2 16:43:05 ns postfix / smtpd [28258]: check_domain_access: unknown
Apr 2 16:43:05 ns postfix / smtpd [28258]: maps_find: hash: / etc /
postfix / access: unknown: not

Bug report: problem with smtp_mx_address_limit = 0

According to the docs, the smtp_mx_address_limit parameter determines
"the maximal number of MX (mail exchanger) IP addresses that can result
from mail exchanger lookups, or zero (no limit)".

However, when setting it to zero, the SMTP client won't even attempt to
deliver to a server that has _both_ IPv4 _and_ IPv6 addresses.

Postfix and smfi_setmlreply() milter command resulting in SMTP protocol breakage.


I have a locally developed milter using the python-milter bindings which
seems to trigger a Postfix bug.

The milter in question uses the smfi_setmlreply() command to set a
multiline response as defined in rfc5321.

Multiline replies should result in the smtpd replying with something like
the following to e.g.

RE: nfs as storage for mail queue

Found a solution to my problem in archive

<a href="" title=""></a>

thanks Witse

Met vriendelijke groeten
Kind regards
De Petter Mattheas
Technical support engineer - projects team
IT-Department Jan De Nul Dredging N.V.
T +32 (0)53 73 95 53
F +32 (0)53 21 00 31<>


Can somebody help me?

So I have setup the nfs share on a windows se

Authentication attempts for addresses

Not sure if this is a Dovecot or Postfix issue we use Dovecot for authentication for Postfix. Mailboxes are stored in MySQL.

Have noticed this today:

auth-worker(42777): Info: sql( ... at com dot au, unknown user (given password: someone123)

Also <a href="mailto: ... at com dot au"> ... at com dot au</a> etc.

They are coming through on port 465.

Obviously my domain is not ‘’ - how can I stop these attempts from even being considered?

I did update to Postfix 3.4.5 yesterday. Running Dovecot 2.3.5.



Remove user agent information in the email header


I would like to delete automatically User-Agent or X-Mailer information
in the headers of outgoing emails.

I have tried the header_checks, and it works, but with all emails, even
those received.

Can you tell me how to proceed, please?


nfs as storage for mail queue


Can somebody help me?

So I have setup the nfs share on a windows server 2016 with nfs server role.

Security is set on the device ip of the postfix server read-write with allow root access.

In the main conf of postfix I have set the queue to the right dir

queue_directory = /mnt/mail

fstab is set as: /mnt/mail nfs defaults 0 0

When I start the postfix service it writes all the folder structure on the share but fails to start with error.

● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; vendor pre

Ubuntu 18.04 /etc/aliases

i just did install postfix in Ubuntu 18.04 by `sudo apt-get install
postfix'. then just did type `cat /etc/aliases'.
#+BEGIN_SRC: text
(bionic)soyeomul@localhost:~$ cat /etc/aliases
# See man 5 aliases for format
postmaster: root

by the way there is no MAILER-DAEMON thing. is that normal state?

Alias and local delivery issues (Edited)


I have an alias system that I need to deliver some mail via relay, and some locally for PAM accounts.

Alias and local delivery issues


I have an alias system that I need to deliver some mail via relay, and some locally for PAM accounts.

Postfix 3.4.4 compile problems on Solaris 11


Attempting to compile Postfix 3.4.4 on Solaris 11 with GCC 7.3.0, but I
am getting the following error when running "make makefiles":

How to use the new server TLS SNI feature (3.4.x)


I've noticed the release of the new SNI feature in Postfix 3.4, but I
cannot get a successful setup. My last attempt was to
use tls_server_sni_maps, but I'm not sure about the correct format (I've
tried encoding the certificate as base64 according to the documentation).

For reference, what I'm trying is to have a main certificate for the mail
server and another certificate (letsencrypt) for a specific domain.

Thank you,

how to check email delivered via MX backup host

When I try to block spam from repeaters, via access.db,
firewall, ... the first thing that happens is the blocked
mail gets delivered via my MX backup host. Mail received
by this route does not seem to be checked against the
access database.

Is there something I'm not turning on to enable checks
of mail received via the MX backup host?


unknown tls_ssl_options value "tlsext_padding"


postfix-3.4.4 linked with openssl-1.1.1b

$ postconf tls_ssl_options
tls_ssl_options = no_compression, tlsext_padding

produce such log:
Mar 30 21:04:12 danube postfix/smtpd[9075]: warning: unknown tls_ssl_options value "tlsext_padding" in "no_compression, tlsext_padding"

while it does make no sense, I placed all options [1] and still get only errors regarding tlsext_padding:
Mar 30 21:10:48 danube postfix/smtpd[9222]: warning: unknown tls_ssl_options value "TLSEXT_PADDING" in "ENABLE_MIDDLEBOX_COMPAT, LEGACY_SERVER_CONNECT, NO_TICKET, NO_RENEGOTIATION, NO_SESSION_RESUMPTION_ON_RENEGO

Postfix and dovecot High avaliability

Hello, list,

I'm doing research for our company's email system, user would use
MUA(outlook or foxmail, and mobile phone client) so I have a few questions.

1. How to setup high availability for postfix and dovect? Does common
method like HAproxy or Nginx proxy apply them?

domain-specific virtual_alias_maps file


I'm setting up a new site that is going to handle all a mailing list
(with mailman, on its own domain and a few aliases

Is the limitation on password text in a file for smtp_sasl_password_maps


I faced with strange problem with my postfix configuration. I use the postfix as SMTP client to send emails from my host. Recently I changed the password on external email-server, updated file that stores passwords and now I see SASL authentication failures in log.

Recipient address rejected: User unknown in local recipient table


I'm new to postfix, and I use postfix + dovecot, and I add MX/A/PTR.

I use Mariadb as Dovecot passdb and Cyrus SASL Authentication.

And I configure email client (MUA) and try to send email to another user
in the same domain, it says,

"Recipient address rejected: User unknown in local recipient table"

I can read literally this user does not exist on this machine.

timed out while receiving the initial server greeting when sending to CPanel exim addresses

Hi All,

Cpanel environments have a artifical (“tar pitting”) delay in their smtp transaction when receiving email.

Cpanel’s exim config has a “delay = 20secs”.

Debug log level configuration

I want to configure postfix such that I get log level 4 for specific ip or
domain. And for rest of the cases it should give logs of log level 1
What I tried is :
debug_peer_level = 4
debug_peer_list = <ip-address>

In this case postfix is not providing all debug logs.(May be providing log
level 2 logs)

I was expecting that I will get debug logs of level 4 as we get when we set
smtp_tls_loglevel = 4 <This option gives debug logs for all I want it only
for specific ip or host>

Kindly suggest configuration ? feasibility ?

SASL configuration issue

postfix 3.3.1
opensuse 15.0 (linux )

AFAICT the configuration on this computer is the same as that on
another where postfix works just fine. Obviously, something is different.
The report of a mystery error is not much help.
I cannot determine the failure.

Postfix benchmark: bug or performance regression ?

Hi all!

We used to have postfix 2.6.11 in our systems, which was then updated with no
problems to 3.3.2.
However, during a benchmark, we realized 3.3.2 was 5 times slower than the
version before.

permit_tls_clientcerts with CN matching


we need to authenticate a SMTP client connection base on the CN of the
(trusted) client certificate. The client is not under our control
(O365 connector), so we will get no notification if the key
fingerprint will change. As far as i can see Postfix is only able to
use certificate fingerprints to allow relaying, not the CN string, no?

Have i missed something or is this not considered a valid use case?



difference between setting up an alias in virtual_alias_maps and virtual_mailbox_maps?

What is the difference between setting up an alias in virtual_alias_maps
and virtual_mailbox_maps?

I can make alias@domain point to a mailbox by pairing it with the path
to the maildir in virtual_mailbox_maps but it seems if I do that the
alias can only point to one mailbox not multiple.


user@domain     /path/to/user@domain/

alias@domain    /path/to/user@domain/

this works OK but if I was to do

user1@domain     /path/to/user1@domain/

user2@domain     /path/to/user2@domain/

alias@domain    /path/to/user1@domain/

alias@domain    /path/to/user2@domain/

this doesnt work.

nfs as mailq storage?


Is there a way for postfix to store its mailq on a nfs share?

And what do i need to change to make it store the q over there.

The nfs share is mounted to the postfix server in the fstab config file.

Case for this is, we are using postfix in a poc case for are vessel mail as= a relay host.

So when we have sat communication mail leaves the vessel on the spot, but w= hen we have not sat comm mail has to stay in queue until sat comes back.

Thing is when are vessel is in voyage on the ocean there are places where t= here is no coverage and mails get for long time in queue.


SPF Temperrors - minor thing


My SPF record appears to be in order, using the SPF query tool at
kitterman dot com.

Also, I do not appear to have any problems receiving or sending emails,
outside of this minor temperror message.

However, the header kind of irks me, since it always returns the
following header.

Received-SPF: Temperror(mailfrom)

But, I would like to receive this

Received-SPF: Pass (sender SPF authorized)

my domain is little-beak at com

I have included all my files below, also in case anyone is in the mood
to help a brother out.

What's new in log file parsers? Anything better than pflogsumm?

I'm looking for a postfix log file parser that can provide the number of
messages delivered,
broken down by sending domain, and per hour counts on a daily basis.

I have looked at pflogsumm, but it seems a bit dated, and isn't as flexible
as I had hoped.

Can someone suggest any alternatives?

reject_unknown_reverse_client_hostname query

I have the follosing restrictions in

smtpd_client_restrictions = permit_mynetworks,
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_non_fqdn_hostname,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_invalid_hostname, check_policy_service
unix:/var/spool/postfix/postgrey/socket, reject_unauth_pipelining,
reject_unknown_recipient_domain, reject_rbl_client
smtpd_relay_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_desti

Relay Access Denied

Hi folks.

I’m on a LAN, with a mail server on OS X Server Mountain Lion. It’s running Postfix as a mail server.

My LAN has a 192.168.x.x range. I’m getting that error when an app I’m developing, is trying to send an email out through this email server to the internet. A gmail address specifically.

$queue_directory/private permissions


I am running postfix (3.3.0-1ubuntu0.2) confined by Apparmor and I
noticed the tlsproxy process is apparently trying to connect to tlsmgr's
Unix socket while still running as root.

Since tlsmgr's socket is stored under $queue_directory/private that has
perms set to 0700 and owned by postfix:root, the tlsproxy process needs
to override the DAC checks using the CAP_DAC_READ_SEARCH capability.

I can think of 2 ways to workaround this.

I don't realize why this email was not delivered

To make it simple please take a look at
<a href="" title=""></a>
Thank you

SPF setup Temperror


Dovecot 2.2.27
Postfix 3.1.9

I had SPF setup proper, originally. Then, it stopped working properly
after some other configuration changes, as I tried to go through and
eliminate errors.

Here is my header information.

Received-SPF: Temperror (mailfrom) identity=mailfrom;
 envelope-from=bounces+9243903-ab61-me=example. ... at em8306 dot emailtester.o
 receiver= ... at example dot com 

My two questions:

1. The Temperror. How do I turn that into a pass?

SSL_CTX_set_mode(client_ctx, SSL_MODE_RELEASE_BUFFERS);


Could someone please have a look at this RPM patch:

<a href="" title=""></a>

I'm currently trying to update the RPM to 3.4.4 and I'd like to know
whether the above makes sense or whether it might even cause issues
especially with the new TLS connection handling in 3.4.x.

(Personally I hate obscure package patches anyway...)

Ciao, Michael.

Postfix hooking Dovecot quota (correct syntax)

Hi Friends,
on Debian Stretch, Postfix 3.1.9 and Dovecot 2.2.27 I'm enabling user
Following this tutorial (suggested from Dovecot mailing list):
<a href="" title=""></a>
it is suggested to add in ""

smtpd_recipient_restrictions =

I've a doubt: is it correct the space between "[..]service"
and "inet[..]"?

I've run:

postconf smtpd_recipient_restrictions=check_policy_service

obtaining the error:

postconf: fatal: missing '=' after attribute

pishing from ME

Hi everyone:
I have a small mail server with fewer emails account, The server is:

Today i receive a pishing email Words more or less say that i was hacked, that
he know my passwords blah blah blah and i must pay on bit_coins.

Postfix Active: active (exited) - (code=exited, status=0/SUCCESS)

Hi Friends,
on a VPS Debian Stretch, Postfix 3.1.9-0, Dovecot 2.2.27-3, rspamd
1.8.3-1, Clamav 0.100.2, postfix-mysql 3.1.9-0, dovecot-mysql 2.2.27-3

running "systemctl -l status postfix" obtain:

● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor
preset: enabled)
Active: active (exited) since Thu 2019-03-21 22:04:46 CET; 18h ago
Process: 4453 ExecReload=/bin/true (code=exited, status=0/SUCCESS)
Process: 4644 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 4644 (code=exited, status=0/SUCCESS)

Add Header only if sent via sendmail

<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>Hello,</div>


<div>I am looking for a simple way to add a header if and only if&nbsp;mail is sent locally via sendmail (mail/mailx) command.</div>

<div>We need to know who/what sent an email.&nbsp; We already get the client&#39;s IP address if sent using smtp&nbsp;via smtpd_client_restrictions, but if it is not sent via smtp I have no clue how to add a header except using header_checks that adds this header for all mails.</div>

<div>Any (simple)&nbsp;ideas?</div>



documentation of mnaillog_file


<a href="" title=""></a> say
"A non-empty value selects logging to syslogd"

I think it should say
"A empty value selects logging to syslogd"


Release from HOLD

Hi guys,

I had a failure in one of our postfix routines that sent all messages to HOLD.

Now, I'm trying to release from HOLD using 'postsuper -H ALL'.

The thing is that all messages are being deferred (mail transport unavailable).

So, is there a way to check current message transport and maybe move
to another one?

Thanks a lot.



Maildirs in AWS EFS?


AWS released one month ago a EFS system with administered life cycle,
which means that files not accessed in the last 30 days are moved to a
lower cost storage tier. Currently I hold my e-mail, delivered to
Maildir++ folders by postfix and retrieved with Dovecot, in standard EBS
volumes. This has the disadvantage that I need to allocate more than
enough space to ensure that the volume won't get filled too soon. And
this costs. Changing to standard EFS wasn't an option, since it's way
more expensive than EBS.

Permanent store of incoming mail.

Pointers to RTFM

Running Centos 7.x, latest postfix.

What is the best way to keep a permanent store for
incgoing e-mail. Doesn't have to be forever. 1 year perhaps.

Presently rsyncing main server:/home to backup server:/home without
--delete, so copied mail just accrues in cur and new. rsync runs
every two hours.

Cons, its slow, cpu intensive and does not get all mail if it is
deleted or .forwarded before rsync runs every 2 hours.

A double delivery system would be fine, mail comes in and is auto
forwarded to an identical server.

Understanding the importance of submission

Dear postfix,

I don't seem to get the idea of submission, I know I must be wrong, b/c
so many articles out there preach to use a different port for
submission, but I hope to find some argument in your replies that will
make me change my mind.
If I understand correctly, submission is a means for mail server admins
to enforce some policies on port 587 w/o interfering with mail relay
which occurs on port 25. These policies are mainly :

1/ Force TLS on all incoming connexions
2/ Force users to authenticate

While 1/ can't be enforced on port 25, 2/ can be enforced for relay,

Docker Postfix logging


since i don't want to mount /dev/log into a postfix container, i created
a small tool in golang to create a syslog unix socket and print all logs
to stdout,
the command `postfix start-fg` is wrapped.

Just want to share this with the community:

<a href="" title=""></a>

Best Regards

Matthias Schneider

"Chunk exceeds message size limit"


i am running postfix 3.4.1-1 (from debian sid).

i recently noticed that mails from multiple senders (most importantly google mail)
are being rejected with:
postfix logs:
this happens regardless of the actual message size,
even a one-line plaintext message is rejected.

/etc/postfix/ has:
header_size_limit = 4096000
message_size_limit = 0

downgrading to 3.3.2 fixed the issue.

i found th

How to retrieve queue_id after submission

Hi team,

I may have asked this years ago, but I can't find it in my email. I have a need to retrieve the queue_id of emails submitted at time of submission when issuing submissions with the -G option. I can see that there is a queue_id on all of the output specified in -vv.

~OT: status/replacement of "DMARC, DKIM and SPF Test System at NIST" ?

The list of DMARC et al deployment tools

<a href="" title=""></a>


"DMARC, DKIM and SPF Test System at NIST"
<a href="" title=""></a>

as one of available tests.

afaict, it's the only (?) test site that provides simple checks of
*inbound* to locally-deployed, Postfix-integrated authentication
services; e.g.,

bad-spf - Ask for a message that will fail SPF checks. A reply (sent to
the MAIL FROM address) will be sent from the test system. This reply
will have a spoofed MAIL FROM address, that will result in a failed SPF

transport_maps for autoreply

Im trying to configure Postifx to pass mail to a custom Python script
which performs an out of office autoreply function.

The server has virtual mailboxes only no local unix accounts.

I have set Postfix to send mail to the script if there is an entry in
transport_maps. If a user sets up an autoreply for their mail box an
appropriate entry is put in transport_maps

However it appears to be impossible using this method to then have the
Python script re-submit the message using the sendmail command for
delivery into the mailbox.

Howto reject only one recipient and not drop entire email?


My goal is to prevent our system from sending email to addresses that
for sure does not work, and attempt to send only email that has a
chance of being delivered.

I have this in my Postfix configuration:

smtpd_recipient_restrictions =
check_recipient_access hash:/etc/postfix/recipient_access

And recipient_access contents: reject

If somebody sends email to <a href="mailto: ... at example dot com"> ... at example dot com</a> the email is rejected as

Disable spamassassin scan in there is a virtual for the recipient


I have the standard, commonly mentioned spamassassin configuration for

spamassassin unix - n n - - pipe
user=nobody argv=/usr/bin/vendor_perl/spamc -e /usr/sbin/sendmail -oi
-f ${sender} -- ${recipient}
I'm wondering if it is possible to enable s

intermittent sasl auth fails?

I have a user with TBird saying they get ocassional error when trying to
send with SASL AUTH, looking at log, I see this;

Mar 17 22:10:44 postfix/smtpd[11975]: connect from[111.222.333.444]
Mar 17 22:10:45 postfix/smtpd[11975]: Anonymous TLS connection established
from[111.222.333.444]: TLSv1.2 with
cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 17 22:10:47 postfix/smtpd[11975]: warning:[111.222.333.444]: SASL PLAIN
authentication failed:
Mar 17 22:10:53 postfix/smtpd[11975]: warnin

Syndicate content