| Kyle's Postfix FAQ |
The following Frequently Asked Questions come primarily from the Postfix mailing list. Information about the list is available from the official Postfix web site.
This is a much expanded version of the FAQ in the Appendix of Postfix: The Definitive Guide, and it is continuing to grow. If you have any questions, comments, or suggestions for this page please send them to me at <kdent@seaglass.com>.
Last modified: Mon Jan 19 20:53:21 20041. How do I unsubscribe from the Postfix mailing list?
Send a request to <majordomo@postfix.org> with the words "unsubscribe postfix-users" in the body of the message. Your message should look like this:
To: <majordomo@postfix.org> From: <you@yourdomain.com> Subject: unsubscribe postfix-users
2. I sent a message to the list that did not get answered. Lots of other questions are answered. Did I do something wrong?
In fact, very seldom do questions go unanswered on the Postfix mailing list. It's a relatively generous list. But to make sure that your questions are answered and that you provide enough information, here are some basic rules for submissions:
Do not send a general, "It's not working..." message. Explain the details of your problem. As you draft your message to the list, think of it as if you are proving that you have a problem. Show relevant log entries, configuration information, and any other details about your environment that you think might be a factor.
Always send the output of postconf -n. Even if you think it's not necessary for your problem, there may be some piece of information that will enable list experts to answer your question immediately based on your configuration. Some list members won't bother with a question that doesn't include enough information to answer.
Send plain text messages. Some list members use email clients that don't render HTML and won't even read messages in HTML.
3. How do I change the banner Postfix uses when greeting connecting clients?
Set the parameter smtpd_banner. By default, it's set as:
smtpd_banner = $myhostname ESMTP $mail_name
4. When Postfix sends a bounce message, it tells the sender, "For further assistance, please send mail to <postmaster>" But I want it to include my domain name in the address, e.g. <postmaster@example.com>. How can I do that?
The idea behind this is that people who receive this notification should contact their own local postmasters, since they may very well be the ones who have to deal with the problem. If you really want to change it, you have to modify the source code.
5. How do I modify the source code?
If you have to ask, don't do it. Live with it or find somebody who knows C to make the change for you.
6. Which is better mbox- or Maildir-style mailboxes?
It depends on your situation. One critical point is that if your mail store is mounted over NFS, don't use mbox. Otherwise, mbox is almost universally supported, but might be susceptible to file locking problems when multiple programs need access to the mail file. The maildir format eliminates file locking issues, but might not scale adequately on your system for users who keep very large numbers of messages on your server.
As far as performance considerations, it depends again. With maildir, accessing a particular message and deleting is probably quicker, but with mbox appending new messages to the end of the mail file probably wins out. From the Postfix point-of-view, it doesn't really matter. You can let other factors such as your choice of POP/IMAP server drive the decision.
7. Is there some kind of 'include' directive for main.cf?
No. Most administrators with complex configurations create a Makefile that will cat the necessary files together. If you have other regular administrative tasks, add them to your Makefile too. Your Makefile can have an entry something like this:
main.cf: file1 file2 file3
cat file1 file2 file3 > main.cf.new
mv main.cf.new main.cf
Then type make main.cf to rebuild your configuration file.
8. How can I get confirmation of mail deliveries?
This is not currently available in Postfix.
9. What's the best way to have an automated reply sent whenever a particular address receives an email message?
Almost all versions of Unix include the vacation program that serves this very purpose.
10. How can I add or append a disclaimer (or other text) to the bottom of every email that gets sent from my mail server?
By design this is not implemented in Postfix directly. It's not the job of an MTA, and it's not as simple a problem as it seems because of MIME and digital signatures. MIME messages have a structure that can be very complex. Digital signatures attest to the fact that a signed message has not been modified. Adding a footer to the bottom of a message, breaks both of these. Some people add short text to the headers of email messages, but the text is not likely to be seen by most users. The real solution is to configure your clients to do add whatever text is required.
Having said that, it is possible to configure a content filter that appends the text for you. Follow the directions for configuring Postfix to work with a content filter. Your filter should be MIME aware, and you should be aware that digital signatures will no longer work.
11. How can I save a copy of every message?
Specify an address in the always_bcc parameter. It will receive copies of all messages.
12. How can I enable quotas or size limits on users' mailboxes?
This is not really a function of Postfix, although if you are using mbox-style mailboxes, you may achieve what you're looking for with the mailbox_size_limit parameter. Be aware that if you use maildir style mailboxes this parameter only limits the size of individual mail files and not the size of the entire mailbox.
Mailbox quotas are best enforced by the mail store itself, which might be done through normal operating system accounting or your POP/IMAP server configuration.
13. Why do some addresses have my own domain name appended to them in the headers. For example, before I installed Postfix I might see a header like the following:
To: billy
Now it comes in as
To: billy@mail.example.com
Postfix insists on fully qualified headers as required by the standards so it tries to fix incomplete addresses. The best solution is to make sure that your users specify correct addresses in their To: and From: headers. You should also reject messages without fully-qualified addresses received over the network by including the restriction reject_non_fqdn_recipient among your anti-spam rules. It is possible to turn off address completion by setting append_at_myorigin = no but that's likely to foul up other aspects of your system.
14. How can I tell if my Postfix was built with a particular feature? I got my copy of Postfix from a package and I want to know if it includes support for SASL and TLS.
One way to check what your SMTPD supports is to ask it. Try the following:
$ telnet mail.example.com 25 Trying 192.168.100.11... Connected to 192.168.100.11. Escape character is '^]'. 220 scallop.seaglass.com ESMTP Postfix EHLO localhost 250-scallop.seaglass.com 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-XVERP 250 8BITMIME quit
You type the emphasized lines. Use your own mail server hostname instead of mail.example.com, of course.
You might also be interested in the output of
$ postconf -m
which displays all supported lookup table types.
You can also check the libraries that have been compiled into your smtpd binary. Many platforms support a command to display the libraries such as ldd or elfdump.
15. How can I get Postfix to listen on a port other than 25?
Set the port in an smtpd entry in the master.cf file. You can change the existing smtpd entry or add an additional one depending on what you need.
An entry like the following causes Postfix to listen on port 10025:
10025 inet n - n - - smtpd
16. What is the main difference between the 1.xx and 2.xx versions of Postfix?
"See the RELEASE_NOTES files. It took me half a week to write them, and it would be a shame if people ignored them," Postfix author Wietse Venema.
Fair enough.
17. I have a few interfaces on my system. How can I get Postfix to bind to only one of them?
Specify the IP address of the interface(s) you want Postfix to use in the inet_interfaces parameter.
18. With Sendmail, I used to get a warning notice when a message couldn't be delivered for 4 hours or so. Can I get that with Postfix?
This is controlled by the delay_warning_time parameter. By default it's set to 0 for never.
19. What's the difference between mailbox_transport and mailbox_command?
The mailbox_transport parameter is set to a service from master.cf, while mailbox_command refers to an actual command on the mail server filesystem.
There are a few parameters that can affect mailbox delivery. The parameters in order of preference are mailbox_transport, mailbox_command_maps, mailbox_command, home_mailbox.
20. All of our internal systems relay through our mail gateway. Is there a way to remove or hide the hostnames and IP addresses of our internal systems from the messages headers before they go out?
Add header checks that match the header lines showing your internal systems and specify the IGNORE action for them.
/^received:.*192.168.144.32/ IGNORE
21. How can I tell Postfix to forward all messages that are sent to non-existent mailboxes to a particular user?
You can specify an address in the luser_relay parameter and disable local_recipient_maps.
luser_relay = info local_recipient_maps =
Be careful if you do this. With the prevalence of spam the address you specify is liable to catch a large amount of junk mail.
22. Okay, how can I have Postfix initially accept all messages, but then bounce those that are addressed to non-existent users?
Simply disabling local_recipient_maps does the trick. The SMTP server accepts everything, and only later does the local delivery agent discover that the user doesn't exist, so it bounces the message. You really don't want to do this. You will receive a large amount of junk for which your server will try to send bounce notices. Innocent souls whose addresses have been faked will be inundated with bogus bounce messages from your (and probably others') mail server.
23. When I make changes to configuration files or lookup tables, do I have to reload Postfix?
It depends on the type of file you are changing. Changes in files that Postfix reads into memory at startup require a reload. Examples of such files are main.cf, master.cf, and any lookup table using regular expressions. DB or DBM files are not read into memory and don't require reloading Postfix when they are changed.
24. According to my configuration Postfix should be replying with a permanent error code (554), but it keeps sending a temporary one (454). Why is it doing that?
You probably have soft_bounce = yes. Also, if there is a temporary DNS problem, Postfix automatically converts permanent errors to temporary ones.
25. I have a few users that travel regularly. How can I allow them to send mail through my server without creating an open relay? Can't I just tell Postfix to allow relaying when the sender address is from my domain?
Emphatically not. Spammers know to use your domain when trying to relay mail through your server. If your users have static IP addresses add them to your mynetworks parameter. Assuming they don't have static IP addresses, the easiest option is to see if they can use the SMTP server of the ISP they're connecting through. If none of these options are available, you will have to look into SMTP AUTH or one of the pop-before-smtp solutions.
26. I have aliases where only the first address in the list receives messages. The others can receive mail fine when sent to them directly, but when they're part of an alias, their messages don't arrive.
If you are using an external program for delivery, it might not handle more than one address at a time. Such is the case with maildrop, for example. To make sure that Postfix passes messages for delivery one at a time, set the transport_destination_recipient_limit parameter in main.cf to one. transport is the name of the transport method making the deliveries. If you are using maildrop, the parameter looks like the following.
maildrop_destination_recipient_limit = 1
27. If I have an alias like this,
info: peter,heloise
and somebody sends a message addressed to both info and peter, then peter receives the message twice. When I used Sendmail it detected the same mail going to the same user twice and prevented it. How can I do the same with Postfix?
You can't. The architecture of Postfix is such that detecting duplicates like this is too costly. It's the trade-off between a multi-component system with a high level of security and performance, and a monolithic one that can easily detect those duplications.
28. I'm trying to test alias lists to see what addresses are expanded from particular lists. With other mail servers, I used the EXPN command to get a full recipient list, but it doesn't seem to work with Postfix.
Postfix does not support EXPN. Because of Postfix's architecture and security design, the unprivileged SMTP server doesn't know anything about local aliases. It's the privileged local delivery agent that actually expands aliases at the point of delivery. If you use a mailing list manager, it most likely has a command to tell you who is on the list, or you may have to check the aliases file on the mail server system.
29. I can't seem to receive messages. What does this error mean: "<test@example.com>: mail for example.com loops back to myself"?
Postfix reports this error when a DNS reply points to your mail server, but Postfix has not been configured to accept mail for the domain. Postfix accepts mail for domains listed in mydestination, relay_domains, virtual_mailbox_domains, virtual_alias_domains, and domains that resolve to IP addresses listed in inet_interfaces and proxy_interfaces. Your domain must be listed in one of these parameters.
30. Why am I getting messages like this in my log? Shouldn't all of these files be in /etc?
warning: /var/spool/postfix/etc/services/services and /etc/services/services differ warning: /var/spool/postfix/etc/resolv.conf/resolv.conf and /etc/resolv.conf/resolv.conf differ warning: /var/spool/postfix/etc/hosts/hosts and /etc/hosts/hosts differ warning: /var/spool/postfix/etc/nsswitch.conf/nsswitch.conf and /etc/nsswitch.conf/nsswitch.conf differ
When Postfix components run within a chroot, their view of your file system is limited to subdirectories below the directory specified in queue_directory (default: /var/spool/postfix). Some system resources must be copied into the chrooted directory, and Postfix checks that the system versions are in sync with those in your chroot.
31. When mail arrives for an unknown user, Postfix rejects it with the message, "User uknown in (local|virtual|relay) recipient table." Is it possible to just say something like the user doesn't exist?
The idea here is to give you as the administrator good information about how to solve a problem. You can set
show_user_unknown_table_name = no
to have the message simply say "User unknown."
32. I have a whole bunch of mail queued up that I know I don't need. Is there any way to delete all of the queued messages?
# postsuper -d ALL
Note that the word ALL must be all capital letters, and that executing this command deletes all of the mail in your queue.
33. I see strange differences between mailq and postqueue. My mailq command says there is nothing in the queue (/var/spool/mqueue is empty), but postqueue reports alot of messages. How can that be?
Your mailq is from Sendmail. Somehow your Postfix installation is fouled up. Postfix installs a replacement mailq command. You need to fix your Postfix installation.
34. Is there a way to cause individual messages to be expired from the queue after some time? Or is there a way to have different queue lifetimes for different destinations?
There is no explicit expire option for queue files. The queue manager controls the expiration of messages based on how long they've been around. It's not possible to have different queue times for different destinations because queued messages may have multiple recipients.
35. I had a problem in my configuration. It's fixed now, but the system is still trying to deliver queued messages using the old, incorrect configuration. What do I have to do to make them use the new configuration?
You have to requeue the messages with the postsuper -r command.
36. Where does Postfix log its information?
Postfix logs messages to your system's syslogd daemon. Check your system documentation to find the actual log file.
37. Is it possible to have Postfix log the subject of a message along with the other information like To and From addresses?
You can get the subject logged by adding an entry to your header_checks file that always matches the Subject: header and uses a result of 'WARN.'
/^subject:/ WARN
38. Is there some kind of debug or verbose logging option so that I can see exactly what happens with my mail?
You can increase logging for a particular component by adding one or more -v options to the component's entry in your master.cf.
smtp inet n - n - - smtpd -v
You can also get additional information on transactions with a particular site by adding the site's name to the debug_peer_list parameter in main.cf. Then adjust debug_peer_level to get the amount of information you need.
debug_peer_list = example.com debug_peer_level = 2
39. My log doesn't seem to have any entries with the From address logged? What gives?
The From address is logged by the queue manager. If you run qmgr chrooted, you must have a syslog socket below /var/spool/postfix. See your system's syslog documentation.
40. Are there any good programs to analyze Postfix log entries?
See Logfile analysis on the Postfix home page.
41. The way I use virus scanning, all messages are reinjected back into Postfix. This causes everything to be logged twice. Is there a way to configure Postfix not to log certain things?
You don't really want to limit what Postfix logs. It logs all kinds of information that you might need sometime. Instead, Unix is rich with tools that let you manipulate, filter, and otherwise get the exact information you are looking for. If, for example, the second injection of a message includes relay=vscan, filter those lines out when you perform your log analysis.
$ grep -v "relay=vscan" maillog > analyze_log
42. My system time is correct but my mail log entries show a different time. What could be the problem?
You're running within a chroot. Make sure that whatever files your system uses to determine the TIMEZONE are below your chroot.
43. I get an error saying that the host cannot be found, but when I look up the host I get an answer. Why can't Postfix figure it out?
Postfix (like all MTAs) delivers mail to a mail exchanger (MX). When you're checking the DNS for a domain, be sure to look up the MX records.
44. In my case, I'm doing host -t MX example.com. I get an answer, but Postfix complains with "Host not found, try again".
Your Postfix is probably running within a chroot. Make sure you have all the necessary files withinin the chroot. Particularly common is a missing or incorrect resolv.conf. Be sure to check permissions on all necessary files to make sure that the postfix account can read them.
45. Postfix seems to be ignoring the MX record and trying to deliver directly to the A record system. Is this normal?
It's normal if you have disable_dns_lookups = yes specified in main.cf. You might also have a transport map specified in brackets, in which case Postfix delivers directly to the system in brackets.
example.com smtp:[mail.example.com]
46. Is there any way I can have a virtual alias deliver a message to a program?
Not directly. You have to use a virtual alias to rewrite the address to something that is delivered to a pipe transport or a local address on the system.
47. Help! I think I'm an open relay. I see lots of messages in my log that look like this:
May 20 06:38:46 mailr postfix/smtp[21383]: connect to mail.example.com[10.11.12.13]: Connection refused (port 25) May 20 06:38:46 mailr postfix/smtp[21383]: 79AA4234A9: to=<jenny796@example.com>, relay=none, delay=55262, status=deferred (connect to mail.example.com[10.11.12.13]: Connection refused)
I don't know anything about the example.com domain. Should I be worried?
Relax. That's most likely just a bounce notice that Postfix is trying to send for a bogus message that could not be delivered on your system. No doubt you have entries earlier in your logs for a message from jenny796@example.com that could not be delivered. You may not be an open relay, but you should configure your system not to accept messages for non-existent users. See information on local_recipient_maps.
48. Help! I think I might be an open relay. How can I check?
If you have access to a system outside of your network, use it to try to deliver a message through your system to an external address. From the outside system, set an email client to use your system as its SMTP server. Then try sending a message to an address that your system does not handle mail for. If it is delivered, then you're running an open relay.
49. Help! I'm definitely an open relay. I've been listed with various black lists and everything. I'm sure my Postfix configuration is correct. What could be causing my system to relay?
If you have a gateway machine like a firewall, router, or another mail system between the Internet and your Postfix system, the combination might be causing your network to relay mail freely. If the gateway system's IP address is in your mynetworks parameter, and it's configured to pass all mail to your Postfix system, it has carte blanche to relay anything. Removing the gateway system from your mynetworks parameter should fix it.
50. I get a lot of spam with a blank envelope sender address. How can I block these?
You don't want to block messages based on the fact that they have a null return path. Accepting null envelope addresses is required by the standards. The technique is used to prevent looping of error notifications. You'll have to identify the spam by some other means.
51. I have restrictions set up to block certain sender addresses. Why aren't messages from restricted senders blocked as soon as the client issues the MAIL FROM command?
By default Postfix does not reject clients until after it receives the RCPT TO command. The reason is that some SMTP clients do not recognize that they have been rejected, and they keep trying to send the message, causing connections to last longer than they should and a log full of warning messages. Another advantage to the default is that you get complete information about the connecting client before rejecting the message. You can change the default behavior by setting smtpd_delay_reject = no.
52. Is there any way to know which entry for header_checks and body_checks caused a message to be rejected?
Not really. Most people include a unique marker on the RHS to identify their rules. You can do something as simple as numbering your rules. For example,
/freehotsex/ REJECT Message content rejected [182]
will log "Message content rejected [182]" when this rule is used to reject a message.
53. I get lots of mail for non-existent users that come from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?
In the first place, make sure that you do not accept messages for non-existent users. Be sure that you're using local_recipient_maps or relay_recipient_maps as appropriate for your situation. You might also want to include the restriction rule reject_unknown_sender_domain among your smtpd restrictions.
54. I added body and header checks to my configuration and set up the files with regular expressions to block certain subject lines and attachements, but when I test it, I can still send messages with subjects and attachements that should be blocked. What did I do wrong?
Did you restart Postfix? Also, you should test your regular expressions with postmap to make sure they do what you expect them to.
Be aware that encoded messages (base64, etc.) will not be blocked although they'll appear normally in most email clients. Look for the header Content-Transfer-Encoding: to see whether the message originally arrived encoded.
55. I added some body checks to my configuration to stop a lot of viruses. It mostly works well, but why is it that sometimes it doesn't seem to be used?
The messages that pass through are probably using base64 or another encoding. See the previous question.
56. I'm using header_checks and body_checks to block spam, but some legitimate email is blocked by my checks. Is there any way to whitelist some mail so that the header and body checks are not applied?
No. Header and body checks are applied to every message and should be used for simple checks that can easily be applied to all mail. If you need anything more sophisticated, you should set up a content filter that has the smarts you need.
57. Okay, but I just want to be able to receive my reports that include blocked strings from the logs. Is there no way to receive these?
You could encode (base64, etc.) the report to get it past the checks, or compress it and send it as an attachment.
58. I'm using one of the blacklists to block spam and it's working fine. Now one of our customers/partners has got themselves listed, so my mail server is dutifully rejecting their messages. Is there a way to allow just their messages but still use the blacklist?
You can create a whitelist that will accept messages from certain addresses or domains.
# # main.cf # smtpd_sender_restriction = hash:/etc/postfix/whitelist reject_rbl_client dnsbl.njabl.org ...
# # whitelist # @customer_domain.com OK
Make sure the whitelist check occurs before the reject_rbl_client check.
59. How can I test the regular expressions I've created in my header_checks and body_checks?
Use the postmap command. You can specify a string representing one line of a message:
$ postmap -q "Content-Type:..." regexp:/etc/header_checks
Or redirect a file with the contents of a message to test a whole message:
$ postmap -q - regexp:/etc/body_checks < msg_file
There are a couple differences to be aware of when using postmap versus when Postfix actually checks a message. The postmap command doesn't understand header lines that span multiple lines, and postmap does not know the difference between header lines and body lines. Also, if you are testing regexp maps that use /.../i for case-sensitive matching, postmap needs the -f option.
60. If I block a domain with an access map like
example.com REJECT No spam accepted
Does that mean that subdomains like host.example.com are also blocked?
It depends on your setting for parent_domain_matches_subdomains. If it includes "smtpd_access_maps," then yes subdomains are blocked. If you don't want this set parent_domain_matches_subdomains without "smtpd_access_maps."
parent_domain_matches_subdomains =
debug_peer_list,fast_flush_domains,mynetworks,
permit_mx_backup_networks,qmqpd_authorized_clients,
relay_domains
You can still block subdomains on specific domains by adding an entry that starts with a period.
example.com REJECT No spam accepted .example.com REJECT No spam accepted
This achieves the same effect, even after you remove "smtpd_access_maps" from parent_domain_matches_subdomains.
61. Can I block certain attachments based on the extension of the file name?
Yes, you can achieve limited virus blocking with header_checks. Configure a check that will reject messages with attachments that have executable or otherwise dangerous extensions. Here's a check to get you started (regexp version):
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|pif)/ REJECT We cannot accept executable attachments
and in pcre:
/^content-(type|disposition):.*name\s*=.*\.(exe|pif)/ REJECT We cannot accept executable attachments
You should add in as many dangerous extensions as you need for your users' platform(s) in addition to "exe" and "pif" (hint: there are alot for Windows). You're better off with an actual virus scanning package.