Need Help Configuring Postfix Restrictions

Hi i have installed postfix 2.11.3 on debian jessie.Everthing works fine. I would like to restrict local users to send mails to a particular group email id and allow only few users with smtpd_restriction_classes , smtpd_recipient_restrictions following this link <a href="" title=""></a> which is not working. All the users are still able to send mails to the group id. I have the same restriction working fine with postfix 2.9 installed on wheezy.

fatal: no SASL authentication mechanisms please help!

Trying to setup sasl, postfix 2.7, dovecot 1.29. The following is in mail.log
fatal: no SASL authentication mechanisms
warning: deliver_request_get: error receiving common attributes
warning: unexpected end-of-input from dovecot socket while reading input attribute name
warning: process /usr/lib/postfix/smtpd pid 20380 exit status 1
myorigin = /etc/mailname
queue_directory = /var/spool/postfix/

biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

lmtp delivery to cyrus / sub-addressing

Hi all,

a while ago I thought it was a good opportunity to restrict our cyrus
imapd access control by only allowing the admin user ("cyrus") and the
mailbox owner itself to post to a mailbox, e.g.

Before, "anyone" had the access right to post ("p") to mailboxes.

Now, when delivering directly to a folder using sub-addressing (e.g.
foo+ ... at domain dot example) postfix is unable to do so and the mail gets
delivered to the user's inbox, instead.

using isp domain as a virtual address for specific users

I'm treating the email addresses my isp has given me as virtual addresses.

I also have $mydestination $virtual_mailbox_domains.

Eg: Presently, when a local machine wants to send mail <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a>
to <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a>, the mail is sent to the $relayhost.

This scenario is good when <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a> is not one of my addresses.

However if <a href="mailto: ... at myisp dot com"> ... at myisp dot com</a> is also one of my addresses, I want the mail
to be delivered by the same dovecot lda that is used for my

This reduces load on both our systems and stops internal mails leaking

If an email address

Override a transport configuration parameter with its own name


1. In, is it possible to override a transport configuration
parameter with its own name ? Like this :

transportname unix - - n - 1 smtp
-o transportname_destination_rate_delay=1s

If I can't, why ?

2. Can I use 'default_xxx' or 'smtp_xxx' ? Like this :

transportname unix - - n - 1 smtp
-o default_destination_rate_delay=1s



Multiple interfaces

*​​Ciao!How are you?*

*​​Problem:*I need 2 interfaces, because the fast ISP blocks 25 port, the
slower is open.

*​​I can telnet with the required interface:*telnet -b 25

*​The wrong is not working*​
​​root@server:/etc/postfix# telnet -b 25
*telnet: Unable to connect to remote host: Connection refused*

*Correct interface w​Works:*Trying
Connected to
Escape character is '^]'.
220 ESMTP q14s

Accept all mail on separate port

Hi all.

Due to the demise of the Sixxs project, which I was using to bypass the
ISP’s filtering of port 25 (in/out), I would like to open a "private" port
on postfix.
It’s a non-standard port and I will be filtering the src range at firewall
level so I’m pretty confident there will be no abuse.
I also want to avoid adding the subnet to mynetworks since I find it
easier to work on the firewall rather than the mail server.

I was able to have postfix listen on the new port but I realized all
sender and client restrictions are still being enforced despite passing a
<permit> directive:


Delivery to accounts of the same domain on two different servers

Hi all!

I am gradually migrating the accounts of a server (let's say to another server (let's say

In I'm using something like this:

Where /etc/postfix/virtual has something like this:

Feature request: MX rollup

This is a followup of the following request:
<a href="" title=""></a>

The feature I am asking for is implemented in PowerMTA with the name "MX
<a href="" title=""></a>

I guess that the matter is to create a daemon receiving MX information from
smtp clients and making them available to the scheduler.

Thanks in advance

header_checks and custom header fails to trigger


It's me again and the header_checks is driving me crazy

Mail comming from other mail system comes into postfix were header_checks is

The mail system adds a header :

route_gcgw: BE

This header is visible when the mail is received

I have a header_checks file where 'again' the if statement is not triggered

if /^route_gcgw: BE/
/^Received:.*test\.be/ WARN warningOOOtestdomainT
/^Received:.*testf\.be/ WARN warningOOOtestdomainF

I also tried

if /^route_gcgw:.*BE/


if /^route_gcgw:.*BE.*/

Nothing seems to be working.

What I'm a doing wrong here ?

tx All

Changing "mail from"


We have a few forwarders where we need to change the "mail from" during the
SMTP stage. Nothing else has to change and I know that spam would be seen as
coming from our mail server if we forward it. This last part is acceptable
for us. On the mail server that we want to retire this is done (but this is
Sendmail and difficult to maintain, so we want to switch to Postfix but
keeping this behavior).

Is it possible with Postfix to do this or do I need to look for a milter or
something else to do this?

Regards, Mark

New mail subdomain versus existing domain issues

I'm setting up a new server with the goal of using letsencrypt ‎versus my self signed cert. (I'm also going to try those SpamAssassin alternatives that require less RAM.) So I will run two VPS for a period as I debug the new server.

That said, is there any way to implement email going to both and That is I intend the email servers to be different.

non_smtpd_milters and canonical_maps - what goes first?


I'm reading <a href="" title=""></a> and I'm still not
quite sure. Both are performed by cleanup. What determines the order:
which goes first and which goes then? I can't find any variable
determining this... :-( Is it pre-defined (what order?). Can I force
changing the order?

Best regards,

using postfix mta with ldap

Good morning,

I am attempting to build a postfix mta server to act as a mail router based
on ldap queries to route users to one of two mail environments we have that
are on the same domain, but different providers. I have been unsuccessful in
finding a proper way of setting this up in postfix and was hoping that
someone else has run through a similar setup. Any information appreciated.

Sending e-mails using postdrop - possible ?

Hi All,

I have a MongoDB with a set of e-mails that I want to send. I want to be able to track their delivery / bounce / delayed status - plus link any replies back to the original e-mail.

I have already written a c++ service to handle incoming e-mails (by piping the incoming e-mails to my app) - which is still under development, but meeting that side of my needs.

Now I'm onto the actual sending side.

telnet hangs when I enable sasl


I have this in my :

smtpd_sasl_path = smtpd
smtpd_sasl_auth_enable = yes

in my sasl2 config file I have this :

pwcheck_method = auxprop
auxprop_plugin = sasldb
mech_list = plain login cram-md5 digest-md5 ntlm

but when I do telnet 25 and I do then ehlo locahost I see now respons
at all.

When I disable the smtpd_sasl_auth_enable_line telnet works but I do not see the
auth headers back.

What can be the culprit here


Transport Maps Clarification/Debugging

I have a Postfix server which receives mail for EXAMPLE.COM
(bogasified); for for specific addresses I need to send that mail to
another SMTP server. So transform_maps!

I have "transport_maps = hash://map-path" and If I "postmap -q
<a href="mailto: ... at EXAMPLE dot COM"> ... at EXAMPLE dot COM</a> hash://map-path" it returns "smtp:[other.smtp.server]".

However when I send a message through the server ... it is still
delivered using the local transport.

I have cranked up the debugging level for the host I am sending the
test from.

Access map matches sub domain with empty parent_domain_matches_subdomains

I'm using Postfix 3.2.0 from the FreeBSD ports collection

I experienced that access maps matches sub domains, even though
parent_domain_matches_subdomains is set to an empty value.

What did I miss?

disconnect after connect

Hello everyone,

I'm setting up a relay host that is going to do some rewrite for domain name consolidation from o365 , I am having some communication problem with connection from o365 basically( if needed I can show debug level 3 of those and tcpdump ) :

May 31 11:19:55 public59 postfix/smtpd[3480]: connect from[]
May 31 11:19:55 public59 postfix/smtpd[3480]: setting up TLS connection from[]
May 31 11:19:55 public59 postfix/smtpd[3480]: Anony

connect() no file or directory


<meta http-equiv="content-type" content="text/html; charset=utf-8">
<body text="#000000" bgcolor="#FFFFFF">
Hello, <br>
I did all the steps from this page :
<a class="moz-txt-link-freetext" href=""></a><br>
postconf -a gives cyrus and dovecot <br>
postconf -A gives me only cyrus. <br>
So it followed the cyrus steps on Centos 7. <br>
but as soon as I do :  <br>

Header_Checks & empty Return-Path expression


I'm trying to accomplish the following :

If the return-path is <> ( empty ) then do the following ;

if domain is or route via ; if domain
is then route via

if /^Return-Path:\s**$/
/(^From:.*robbya\.be|^From:.*robbyb\.be)/ FILTER smtp:[]
/^From:.*robbyc\.be/ FILTER smtp:[]

This works but throws a warning :

/cleanup[64212]: warning: pcre map /etc/xxx/mime_header_checks, line 1:
error in regex at offset 16: nothing to repeat
/cleanup[64212]: warning: pcre map /etc/xxx/mime_

Spam Quarantine Folder

Firstly I am unsure if this question is related to Postfix,
Spamassasin, Amavasid..

I am using Kolab for email and almost everything is working well with
spam being partially filtered.

My problem is when spam is moved to quarentine is it moved to
<a href="" title=""></a>

As each user has an individual "Spam" email folder I would like spam
emails to be moved to the individual user's spam folder instead where
the individual user can then review them.


I have researc

Is there any documentation on the binary format of the mail files under /var/spool/postfix/ ?

Posfix keeps mails in a binary format in folders under /var/spool/postfix, at
least by default.

I want to write some tools for searching and filtering by the meta data of a
large number (hundreds of thousands) of emails under
/var/spool/postfix/deferred. Among other things, I want to find all queue
IDs of mails sent from specific IP adresses so that they can be deleted.

I'm having some problems understanding the binary format of the files
though. It seems that the envelope records starts with the bytes "\x41\x16"
and ends at the bytes "\x4d\x00".

smtp_tls-security_level .may/dane/encrypt

I currently use "smtp_tls_security_level = dane" but recent discussion
have made me wonder if I should change that. Maybe encrypt.

john A

Can this SASL configuration be improved

In my I have:
# SASL stuff
smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext, noanonymous
smtpd_sasl_auth_enable = no
# Because of POODLE vulnerability

​Is this

removing private data from headers

Hi all,

since three days I'm trying to remove my internal and external IP from the
Message header when I'm sending mails. But no solution has worked so far.

What I did:
created a new service in

header-cleanup unix n – – – 0 cleanup
-o syslog_name=postfix/header-cleanup
-o header_checks=pcre:/etc/postfix/header-cleanup.pcre

added to submission service:
-o cleanup_service_name=header-cleanup

created the file:
/^\s*Received/ IGNORE

Doenst work, the Received headers are still in there.

Any ideas ?


Postfix and FUSE: Function not implemented

To avoid running out of room on my mail server, I mounted a storage bucket
using FUSE and created a user with this as its home directory. To avoid
permissions issues, I used the arguments "allow_other" and
"default_permissions" and made sure my user owned its home directory.

Multiple recipients in BCC will not relay if it contains one bad email address.

Hi Everyone first time posting, I am hoping you can help me. We have an issue
when an email sent to multiple emails via BCC is deleted if an invalid email
address is in the list. The email is discarded all together and I don't see
any logs other then the bounces. They need to send via BCC for privacy to
other vendors. We need to bounce the back emails and continue to send to all
the valid recipients.

I have attached the postconf in this thread.

Running Postfix version 2.7.0 postconf.txt

Relay access denied

I have a Google Compute VM that I would like to use as a mail server.
<> However, outgoing ports 25, 465, and 587 are blocked
so I must use a third-party mail service. I followed the instructions for
Mailjet <>, but I changed inet_interfaces to all.

Issue with SASL authentication

Hi all!

Maybe this question is not 100% about Postfix, but it is related.

Why am I accepting this email?

The following is in my logs. I have no server called and no
user called aida.wanda. I don't see anything in that looks like
a wild card entry. Can anyone suggest why I would be accepting this
message in the first place?

TLS warning

Hi All

Should this TLS warning worry me?

cheers -- Rick


smtpd (total: 1)

1 TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTE...


May 23 11:35:42 myHostName postfix/smtpd[6619]: connect from[]

May 23 11:35:43 myHostName postfix/smtpd[6619]: SSL_accept error from[]: 0

May 23 11:35:43 myHostName postfix/smtpd[6619]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c

scan_dir_push: open directory defer: Permission denied

I went from an openSUSE system to a Debian 9 system.

I tried to copy and adapt my old config for the new system.

When running:
postfix check
I get:
postsuper: fatal: scan_dir_push: open directory defer: Permission denied

What could be the problem?

I already tried:
postfix -c /etc/postfix set-permissions

But that did not solve the problem.

Reject any sender having the word "welcome" in the email address.


I would like to block any sender having the word "welcome" in the email

I know this can be done with header_checks, I just need the syntax to add
this rule.

<a href="mailto: ... at domain dot com"> ... at domain dot com</a>
<a href="mailto:now- ... at otherdomain dot com">now- ... at otherdomain dot com</a>
<a href="mailto: ... at olddomain dot com"> ... at olddomain dot com</a>
<a href="mailto:welcome. ... at olddomain dot com">welcome. ... at olddomain dot com</a>
<a href="mailto: ... at newdomain dot com"> ... at newdomain dot com</a>


Feasible to encrypt the virtual_mailbox_base directory with ecryptfs?

Has anyone tried to do this? Was it feasible?

Restriction class not working


I have a fairly simple setup for my mail server running Ubuntu 16.04.

domain bl

I just added

smtpd_sender_restrictions =
[...further checks...]

This works fine. But if mail is sent from an ip which was already in the
postscreen cache database before activating the DBL check, the DBL check
is skipped, although this DBL check is made at the next hop AFAIUI.
Removing the ip from the cache makes the DBL check work again for that
particular ip.

Is this behaviour correct or did I make a config error somewhere?


split up mail

Hello list,

For a few reasons I use an outgoing postfix as smarthost. The source
mailserver is an exchange. Before the postfix server was in use,
sending mail to a bunch of recipients at a domain which is hosted by was no problem.

Why my host tekes relay mail??


mydomain =
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
mail.$mydomain, www.$mydomain, ftp.$mydomain
relay_domains = $mydestination

I'm wondering why after telnet connection to port 25 the host accepts
any `RCPT TO:' addresses ending with `' (for example:
` ... at 1 dot') and then tries to forward it. I thought
that only those explicitly listed above would be accepted. Which
parameter may be missing / responsible for it? How can I debug or change it?

Thanks a lot!
Best regards

Ok to put private network in mynetworks?


I run a docker container on my server.

Why does reject_unknown_reverse_client_hostname reject this mail?

Hello list

recently I setup rDNS rejects for postfix via

in smtpd_client_restrictions in

After that I saw in the logs that mails from the ntp mailinglist get rejected

I checked their rDNS on the same machine that rejected them and found

Can I disable a milter for authenticated senders?

Hi guys. I'm not sure if this is a possibility, but is there a way to
disable a milter from scanning a message from an authenticated sender? I
may have asked this before, but I'm not sure if I asked the correct
questions. I'm using the SNF-milter and it scans all incoming and outgoing
messages on all outbound ports which I think is a Postfix setting because
there is nowhere to specify this in the milter itself.

OT? - Blocking attachments

This may not be a Postfix problem, but bearing in mind the recent events
this forum may have some good ideas.

After the recent rasomeware attacks we are considering the idea of
blocking all attachments. I am not sure of the best way of doing this,
but several ideas have been put forward:

1. block all email with attachments - a little too drastic for some as
there are legit reasons for attachments.
block all email that is in any format that can hide executable code.
2. rename attachments so that they will not/cannot be executed/run by
just opening them.

Domain Relay Question


I have been using postfix for a long time to relay email in a backup or
filtering role.
DomainX mail to Postfix1, no response deliver to Postfix2.

MX weighting control the delivery from the sending servers to Postfix1 or

Now, in my transport file I have:
domainx smtp:[mailserver]

in DNS mailserver has 2 IP numbers and when delivering to IP1 it may fail
because of something on the client side and at that point we simply queue,
however we would like to deliver it to IP2 at that point.

What is my best approach to accomplish this.


** Note: mailserver only reccei

remove multi line config entry with sed


In postfix configuration files we have

keyword = value
keyword2 = some value
keyword3 = multi physical line
single logical line
keyword4 = also
multi line
stil keyword4
keyword5 = foo

I want to remove keyword4 with sed(1).

At <a href="" title=""></a>
is this
You can use the following:

sed '/{START-TAG/{:a;N;/END-TAG}/!ba};/ID: 222/d' data.txt


/{START-TAG/ { # Match '{START-TAG'
:a # Create label a
N # Read next line into pattern space

Running a transport action only as a catch-all

Dear all,

Is there a way that I can specify that a transport rule should only be
carried out as a "catch all" for email addresses that are not otherwise
delivered locally?

Normally I would avoid a catch-all for the obvious reasons, but we're
undertaking a migration, and for a short period we want to have the
Postfix server relay to another MX server any messages that it has no
specific action for (and that it would otherwise normally reject).

I realise I could individually specify all the local addresses in the
transport file for local delivery, and have the remainder relayed, but
there are

smtpd_*_rate_limit and anvil time unit

We are considering using smtpd_client_message_rate_limit on our central (internal) mail servers to protect against mail floods when some departmental server goes crazy. Since normal mail from any particular client sometimes comes in bursts, I am considering increasing anvil_rate_time_unit. Are there any side effects to increasing this parameter? I am thinking about 10 minutes instead of 1 minute.

We are running Postfix 3.2.0 on RHEL6.


Larry M. Rosenbaum
Oak Ridge National Laboratory

always_bcc only after reinjection from amavis


i have a server which relays mail to our content filter server
[amavis/spamassassin/etc], via:


and returns, via:

# reinjection from content filter
inet n - - - - smtpd
-o syslog_name=postfix/smtp-reinject-internal
-o smtpd_banner=${smtpd_reinjection_banner}
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_res



Is there any way of having in the log the debugging info for the

I have been using for a test smtp -v in, but this is producing
an enormous quantity of data, and policyd_spf -d in fails with

My target is to have a first impression after the installation, and then
collect the policyd_spf answers to verify the efficieny of SPF for my
sites (currently I see a lot of DONNO even for Google)



Problems with aliases

I have a situation that is most likely a problem with my understanding of postfix and not a code problem. I am getting ready to take over a domain name for mail service. A number of new addresses in that domain need to be forwarded to other mail servers. I setup postfix to do that and it worked fine. However, there is still some time before I actually take over the domain. In the meantime I was entering some of the addresses and forwarding addresses into the vmail alias file. Each entry was preceded by "# ". My understanding was that lines starting with a # would be ignored.

connection results

My boss wants me to write a plugin that will capture the send results from
the remote server when email is delivered or instantly bounced.

Messages like:

550-5.1.1 The email account that you tried to reach does not exist. Please
try\n550-5.1.1 double-checking the recipient's email address for typos
or\n550-5.1.1 unnecessary spaces.

Restarting milter application

Hi All,

I have a question about the correct way to restart a milter application.

I'm using postfix 2.6.6 with a milter application that was built using
sendmail's libmilter (8.14.7). The problem I'm having is when I need to
restart the milter application (due to a config change for example), I send
it a SIGTERM and then start it up again.

However, an smtpd instance that was running which was already connected to
milter will not try to connect to the milter after the milter has been

SPF best practices


I know this topic is not really postfix related but advice would
nevertheless be appreciated.

I'm adding a second mail server to my setup, my domains are
spf-protected by this simple entry:

v=spf1 mx -all

If I add second DNS A entry for my MX server will this still work or do
I have to list ips individually? Or should I create multiple MX entries?
The reason I don't want to do that in the first place is that there are
a lot of domains and I'd have to set the entries manually.


Sanity check - of my postfix setup.

I am trying to debug a problem with my mail system. I think the problem
is with Dovecot, or Thunderbird.

However, just to make sure i am not missing something really stupid
could I get a check on my postfix setup.


John A

multiple actions, SPF to skip greylist

Hi there,

I am open to suggestions but for now I am running Postfix 2.11.3
(Debian Stable), Postgrey 1.35 and postfix-policyd-spf-python 2.0.1,
joined together with

smtpd_recipient_restrictions = (...)
check_policy_service unix:private/policyd-spf
# postgrey
check_policy_service inet:

I not yet very familiar with the many details of Postfix but if I am
not mistaken a policy service can only return 1 action (AFAIK this is
still the case in 3.x, too!? cf. [1]).

So, policyd-spf is bound to either PREPEND a header _or_ send an OK.

Messages now rejected when previously accepted

I posted a message using an account that has been active for several
years. It was rejected with the results shown below.
I cannot send ANYTHING to the mailing list, or the majordomo address;
ALL messages are rejected with equal certainty.

I see the error message. I do not understand why the HELO command was

Spurious (?) LDAP log messages

opensuse v42.2
linux 4.4.62-18.6-default x86_64
postfix 2.11.8-1.4

We recently upgraded our system from opensuse 42.1 to 42.2.

Forged FROM Adresses deny based on actual user?

Lately I have been getting SPAM mails that mimic our typical adress (i.e.
user@domain) Ideally, the postfix server should only accept mail from
ACTUAL users (or aliases to users) on the server.

Is there a config change that can accomplish this easily? Seems like it
should be the default.

If the user does not exist, do not accept mail from them regardless of



Problem with spam and some connections not using my smtpd_recipient_restrictions


I have a problem with spam. Some connections do not seem to run my
smtpd_recipient_restrictions and therefore let spam into my system.
Specifically my rbl checks. I have 2 logs from the same postfix
system. One you can see the rbl checks being done and one where it
doesn't run and therefore lets spam in. I have put the listings on a
test server to keep this email a resonable size. See the URL's for the


Sharing a domain with Exchange


My first post to a mailing list, I am sure this is a simple thing that I am overlooking, but even a two week old case with RHEL and I am not hitting on the answer. Please help if you can/want.


Single postfix server and an exchange 2013 server. The company is wanting to keep the same domain across both systems. I am using ldap lookups for virtual domains, this is working great. Internet bound email is also working great. I attempted using an ldap transport lookup keying off a group (the idea is a user not in the group relay to the exchange FE for internal routing).

Syndicate content