Smokes your problems, coughs fresh air.

Tag: postfix

Sending mail from a NATed host with Postfix

When sending mail from a host behind NAT, you will run into trouble when the “From” says “root@host.localdomain”, because receiving servers will refuse that domain.

I’m not quite sure why, but setting myorigin used to be enough. Now I need to do this in

# For when you have a host behind NAT that is refusing to 
# use as specified as origin.
# You can test with: 
# postmap -q "fubar@hostname.somelocaldomain" regexp:/etc/postfix/sender_canonical
sender_canonical_maps = regexp:/etc/postfix/sender_canonical

And in sender_canonical:

/^(.*@)host.*$/     ${1}

Or more generic:

/^(.*@.*\.)company$/     ${1}

And as usual, I use a relay host.

Postfix, SASL and rimap: making sure the domain is not stripped from the user name

When you want to use your IMAP account as authentication for Postfix, you can set the SASL mechanism to “rimap”. However, by default, it will not supply the realm (domain) and therefore will authenticate with an incomplete username (john instead of

To fix that, you need to add “-r” to the options in /etc/default/saslauthd (in Debian based distro’s):

OPTIONS="-r -c -m /var/run/saslauthd"

Setting up a postfix fallback MX

These are some short stepts and pointers to setup a postfix fallback MX. It does not describe postfix basics, nor how to install Mailscanner (a necessisity, because spammers like sending spam to fallback MX’s because they’re usually not as well protected).

First, postfix has a special transport, called ‘relay’, which is the same as SMTP, except that it doesn’t send to the backup MX. In this case, that means it doesn’t send to itself, avoiding loops. The relay transport is the default for all the domains you specify in the relay_domains parameter.

Should the machine have a relayhost defined, you need to disable that for each of the domains you’re a backup MX for. You can do that with transport_maps. In my case, the transport_maps is hash:/etc/postfix/transport_maps. That is a key-value file on which you run ‘postmap’ after you’ve edited it. In it, specify this (the comments explain it):

# When you specify a transport without nexthop, it resets the relay to the
# recipient domain (see man 5 transport). And, when the transport is relay,
# postfix will not relay to the backup MX, to prevent loops back to itself. So,
# because this host has a default relayhost, use the folowwing when you want to
# specify a domain for which we are backup MX: 
#            relay 

The next step you want to do is take measures to prevent mails to non-existent users piling up in the queue. Because spam is sent to the backup MX all the time, it will relay it to the primary, which rejects it. Your backup host will then bounce all kinds of spam mails…

To fix that, we instruct postfix to use recipient address verification. This causes it to probe the primary host to check the address exists (and caches that info) before relaying.

To enable it, do this:

smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient
unverified_recipient_reject_reason = Address lookup failed
# Prevent caching non-existent users, to prevent delivery failures when new users are unknown still.
address_verify_negative_cache = no
# Setting to 550 to make a reject a fatal error, not a defer.
unverified_recipient_reject_code = 550
# The point of a backup MX is to accept mail when the primary is down, so setting this prevents incoming mail being deferred when the address probe cannot be done.
# TODO: find out how to actually implement it, because it doesn't work; permit it not a valid option here.
#unverified_recipient_tempfail_action = permit 

The reject_unknown_recipient_domain prevents probes to domains that don’t exist.

Some extra options, not strictly related to being a backup MX:

smtpd_sender_restrictions = reject_unknown_sender_domain, reject_unknown_helo_hostname
unknown_address_reject_code = 550
# Override the default of 5 days, because the point of a backup MX is to keep it around for a while.
maximal_queue_lifetime = 21d

Adding SPF support to Postfix

(Hmm, this suggests the python version might be better).


aptitude -P install postfix-policyd-spf-perl

Add this to (but perhaps change the path to the script):

policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

Add this to, directly below/after reject_unauth_destination (if you do it before, you are an open relay):

check_policy_service unix:private/policy


smtpd_recipient_restrictions = permit_mynetworks,
  check_policy_service unix:private/policy

The source article has stuff about testing.

Working with a postfix mail queue

Some useful commands when working with a postfix mailqueue:

  • “postsuper -r ALL”. Requeues all messages.
  • “postcat [file]”. Views queue files in /var/spool/bla.
  • “postqueue”. Deal with queue.
This one is to remove all messages with a certain recipient:
mailq | tail -n +2 | grep -v '^ *(' | awk  'BEGIN { RS = "" }  { if ($8 == "" && $9 == "") print $1 } ' | tr -d '*!' | postsuper -d -

I believe there were more, but I can’t remember them. Wish I had blogged earlier…

Enabling authentication and SSL for Postfix on Debian

I used this document as main source. This blogpost is also useful.

First install libsasl2 and configure it. Enable it in /etc/default/sasl.

First make the sasl config file in /etc/postfix/sasl which says:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Then configure the ssl paramters in postfix (the following is deprecated. See aforementioned official postfix docs for good way):

# According to official docs, this should be in one pem file.
# This should be smtp_tls_security_level = may, because use_tls is deprecated.
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
# I don't know if this one is also needed.
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
# When TLS encryption is optional in the Postfix SMTP server, do not announce or accept SASL authentication over unencrypted connections. 

Then enable the three smtps lines in

smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

Then you need to do some hacking to get the jailed postfix to access /var/run/saslauthd:

rm -r /var/run/saslauthd/
mkdir -p /var/spool/postfix/var/run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /var/run
chgrp sasl /var/spool/postfix/var/run/saslauthd
# Add user postfix to group sasl
adduser postfix sasl

Then you should be good to go. Start all daemons.

Configuring fetchmail to deliver to Zimbra with custom header added

I needed to fetch mail from a POP3 account and deliver it to a Zimbra account. Because I’m doing this for multiple POP3 accounts, I want to add a header which I can use in Zimbra to filter. This is what we made:

poll server user "user" pass "secret" mda "formail -A 'X-Zimbra-To:'| /opt/zimbra/postfix/sbin/sendmail -i -t"

The -i tells sendmail to ignore a single dot on a line, because that would normally mean end of mail. The -t is “to” (not the header “To:“).

It is a bit unclear why postfix delivers locally to Zimbra, since doing mail routes through an external SMTP server, which is configured in Zimbra to be used as MTA for outgoing mail. It is configured as ‘webmail MTA’.

Set proper origin domain for Zimbra server

(This turned out not to be how I fixed it. I just configured exim and /etc/mailname as I do always and that fixed it. However, exim does not run as the SMTP server listening on port 25, that is the postfix installed by Zimbra. I don’t know how and if this exim configuration conflicts with zimbra.)

I have a zimbra server fooled into thinking it hosts a particular domain. Part of the fooling involves setting a different SMTP server than localhost for all outgoing mail. Luckily, Zimbra can do that.

The downside of that is that when you send mail to “root”, the other SMTP server qualifies it with its domain and the mail appears to be coming from the wrong server.

To fix it, specify this in the /opt/zimbra/postfix/conf/

myorigin =

This seems to work without caveats. However, I don’t know if zimbra overwrites this config file at some point.

As always, pick a domain that exists, otherwise a lot of mailservers won’t accept it. You don’t even need an MX record, A or CNAME if enough.

© 2024 BigSmoke

Theme by Anders NorenUp ↑