The following Frequently Asked Questions come primarily from the Postfix mailing list. Information about the list is available from the official Postfix web site. This is a much expanded version of the FAQ in the Appendix of Postfix: The Definitive Guide, and it is continuing to grow. If you have any questions, comments, or suggestions for this page please send them to me at <kdent@seaglass.com>.

Questions are organized into the following categories:

*Postfix Mailing List *Compiling Postfix
*General Questions *Aliases
*Error and Warning Messages *Mail Queue
*Logging *DNS Issues
*Virtual Domains *UBE Blocking
*Anti-Virus

The entire FAQ is contained within this HTML file, so you can use your browser's Find function to search within the FAQ.


Last modified: Fri Oct 29 15:13:30 2004

Postfix Mailing List

1. How do I unsubscribe from the Postfix mailing list?
2. I sent a message to the list that did not get answered. Lots of other questions are answered. Did I do something wrong?

Compiling Postfix

3. When I execute make, I get lots of errors, like the following: gcc -Wmissing-prototypes -Wformat -g -o -I. -I../../Include -DLINUX2 -c ... How can I get around these errors?

General Questions

4. How do I change the banner Postfix uses when greeting connecting clients?
5. When Postfix sends a bounce message, it tells the sender, "For further assistance, please send mail to <postmaster>" But I want it to include my domain name in the address, e.g. <postmaster@example.com>. How can I do that?
6. How do I modify the source code?
7. Which is better mbox- or Maildir-style mailboxes?
8. Is there some kind of 'include' directive for main.cf?
9. How can I get confirmation of mail deliveries?
10. What's the best way to have an automated reply sent whenever a particular address receives an email message?
11. How can I add or append a disclaimer (or other text) to the bottom of every email that gets sent from my mail server?
12. How can I save a copy of every message?
13. How can I enable quotas or size limits on users' mailboxes?
14. Why do some addresses have my own domain name appended to them in the headers? For example, before I installed Postfix I might see a header like the following: To: billy Now it comes in as To: billy@mail.example.com
15. How can I tell if my Postfix was built with a particular feature? I got my copy of Postfix from a package and I want to know if it includes support for SASL and TLS.
16. How can I get Postfix to listen on a port other than 25?
17. What is the main difference between the 1.xx and 2.xx versions of Postfix?
18. Okay, but I'm mainly worried about my config files. How should I handle them when upgrading?
19. I have a few interfaces on my system. How can I get Postfix to bind to only one of them?
20. With Sendmail, I used to get a warning notice when a message couldn't be delivered for 4 hours or so. Can I get that with Postfix?
21. What's the difference between mailbox_transport and mailbox_command?
22. All of our internal systems relay through our mail gateway. Is there a way to remove or hide the hostnames and IP addresses of our internal systems from the messages headers before they go out?
23. How can I tell Postfix to forward all messages that are sent to non-existent mailboxes to a particular user?
24. Okay, how can I have Postfix initially accept all messages, but then bounce those that are addressed to non-existent users?
25. When I make changes to configuration files or lookup tables, do I have to reload Postfix?
26. According to my configuration Postfix should be replying with a permanent error code (554), but it keeps sending a temporary one (454). Why is it doing that?
27. I have a few users that travel regularly. How can I allow them to send mail through my server without creating an open relay? Can't I just tell Postfix to allow relaying when the sender address is from my domain?
28. I need to add some smtpd restrictions to my master.cf file, something like: -o smtpd_recipient_restrictions=check_recipient_access hash:/etc/postfix/recipient_access Any idea how I can do that with the space required between the check_recipient_access and the lookup table?
29. There seems to be a long delay whenever a client connects to my smtpd service. It can take as long as a minute from establishing a connection until Postfix sends the 220 banner. Any ideas on what might be causing this?
30. Is it possible to have Postfix running, but without the SMTPD server listening for outside connections?

Aliases

31. I have aliases where only the first address in the list receives messages. The others can receive mail fine when sent to them directly, but when they're part of an alias, their messages don't arrive.
32. If I have an alias like this, info: peter,heloise and somebody sends a message addressed to both info and peter, then peter receives the message twice. When I used Sendmail it detected the same mail going to the same user twice and prevented it. How can I do the same with Postfix?
33. I'm trying to test alias lists to see what addresses are expanded from particular lists. With other mail servers, I used the EXPN command to get a full recipient list, but it doesn't seem to work with Postfix.

Error and Warning Messages

34. I can't seem to receive messages. What does this error mean: "<test@example.com>: mail for example.com loops back to myself"?
35. Why am I getting messages like this in my log? Shouldn't all of these files be in /etc? warning: /var/spool/postfix/etc/services/services and /etc/services/services differ warning: /var/spool/postfix/etc/resolv.conf/resolv.conf and /etc/resolv.conf/resolv.conf differ warning: /var/spool/postfix/etc/hosts/hosts and /etc/hosts/hosts differ warning: /var/spool/postfix/etc/nsswitch.conf/nsswitch.conf and /etc/nsswitch.conf/nsswitch.conf differ
36. When mail arrives for an unknown user, Postfix rejects it with the message, "User unknown in (local|virtual|relay) recipient table." Is it possible to just say something like the user doesn't exist?
37. I'm getting postfix/smtp[18860]: fatal: unknown service: smtp/tcp What could be the problem?

Mail Queue

38. I have a whole bunch of mail queued up that I know I don't need. Is there any way to delete all of the queued messages?
39. I see strange differences between mailq and postqueue. My mailq command says there is nothing in the queue (/var/spool/mqueue is empty), but postqueue reports a lot of messages. How can that be?
40. How can I change how long messages stay in the queue before they expire and get bounced?
41. Is there a way to cause individual messages to be expired from the queue after some time? Or is there a way to have different queue lifetimes for different destinations?
42. I had a problem in my configuration. It's fixed now, but the system is still trying to deliver queued messages using the old, incorrect configuration. What do I have to do to make them use the new configuration?
43. I have a lot of mail in my queue that seems to originate from "MAILER-DAEMON" instead of an actual email address. Where is it coming from?

Logging

44. Where does Postfix log its information?
45. Is it possible to have Postfix log the subject of a message along with the other information like To and From addresses?
46. Is there some kind of debug or verbose logging option so that I can see exactly what happens with my mail?
47. My log doesn't seem to have any entries with the From address logged? What gives?
48. Are there any good programs to analyze Postfix log entries?
49. The way I use virus scanning, all messages are re-injected back into Postfix. This causes everything to be logged twice. Is there a way to configure Postfix not to log certain things?
50. My system time is correct but my mail log entries show a different time. What could be the problem?

DNS Issues

51. I get an error saying that the host cannot be found, but when I look up the host I get an answer. Why can't Postfix figure it out?
52. In my case, I'm doing host -t MX example.com. I get an answer, but Postfix complains with "Host not found, try again".
53. Postfix seems to be ignoring the MX record and trying to deliver directly to the A record system. Is this normal?

Virtual Domains

54. Is there any way I can have a virtual alias deliver a message to a program?
55. Is it possible to have global virtual aliases for addresses like postmaster, so that mail for postmaster at all of my domains can go to the same address?

UBE Blocking

56. Help! I think I'm an open relay. I see lots of messages in my log that look like this: Jun 20 06:38:46 scallop postfix/smtp[21383]: connect to mail.example.com[10.11.12.13]: Connection refused (port 25) Jun 20 06:38:46 scallop postfix/smtp[21383]: 79AA4234A9: to=<jenny796@example.com>, relay=none, delay=55262, status=deferred (connect to mail.example.com[10.11.12.13]: Connection refused) I don't know anything about the example.com domain. Should I be worried?
57. Help! I think I might be an open relay. How can I check?
58. Help! I'm definitely an open relay. I've been listed with various black lists and everything. I'm sure my Postfix configuration is correct. What could be causing my system to relay?
59. I get a lot of spam with a blank envelope sender address. How can I block these?
60. I have restrictions set up to block certain sender addresses. Why aren't messages from restricted senders blocked as soon as the client issues the MAIL FROM command?
61. Is there any way to know which entry for header_checks and body_checks caused a message to be rejected?
62. I get lots of mail for non-existent users that comes from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?
63. I added body and header checks to my configuration and set up the files with regular expressions to block certain subject lines and attachments, but when I test it, I can still send messages with subjects and attachments that should be blocked. What did I do wrong?
64. I added some body checks to my configuration that stop a lot of viruses. It mostly works well, but why is it that sometimes it doesn't seem to be used?
65. Using header_checks or body_checks can I make conditional comparisons? Something like, for example: /^to: joey/ AND /^subject: hot deals/ REJECT so that certain subjects are blocked only for certain users.
66. I'm using header_checks and body_checks to block spam, but some legitimate email is blocked by my checks. Is there any way to whitelist some mail so that the header and body checks are not applied?
67. Okay, but I just want to be able to receive my reports that include blocked strings from the logs. Is there no way to receive these?
68. I'm using one of the blacklists to block spam and it's working fine. Now one of our customers/partners has got themselves listed, so my mail server is dutifully rejecting their messages. Is there a way to allow just their messages but still use the blacklist?
69. How can I test the regular expressions I've created in my header_checks and body_checks?
70. If I block a domain with an access map like example.com REJECT No spam accepted Does that mean that subdomains like host.example.com are also blocked?
71. Do people generally have success with setting strict_7bit_headers = yes?
72. I have two MX hosts configured in my DNS. I have great spam checking set up on my first MX system, but I'm getting a lot of spam delivered directly to the backup MX even though the primary is available. Is there a way to force mail to the primary when it's up?

Anti-Virus

73. Can I block certain attachments based on the extension of the file name?

Postfix Mailing List

1. How do I unsubscribe from the Postfix mailing list?

Send a request to <majordomo@postfix.org> with the words "unsubscribe postfix-users" in the body of the message. Your message should look like this:

To: <majordomo@postfix.org>
From: <you@yourdomain.com>
Subject:

unsubscribe postfix-users

[Back][Top]


2. I sent a message to the list that did not get answered. Lots of other questions are answered. Did I do something wrong?

In fact, very seldom do questions go unanswered on the Postfix mailing list. It's a relatively generous list. But to make sure that your questions are answered and that you provide enough information, here are some basic rules for submissions:

  1. Do not send a general, "It's not working..." message. Explain the details of your problem. As you draft your message to the list, think of it as if you are proving that you have a problem. Show relevant log entries, configuration information, and any other details about your environment that you think might be a factor.

  2. Always send the output of postconf -n. Even if you think it's not necessary for your problem, there may be some piece of information that will enable list experts to answer your question immediately based on your configuration. Some list members won't bother with a question that doesn't include enough information to answer.

  3. Send plain text messages. Some list members use email clients that don't render HTML and won't even read messages in HTML.

  4. Don't hijack an existing thread with a new question. Start a new message and type in the address, or store it in your address book if it's too much to type.

[Back][Top]


Compiling Postfix

3. When I execute make, I get lots of errors, like the following:

gcc  -Wmissing-prototypes -Wformat -g -o -I.  -I../../Include -DLINUX2 -c ...

How can I get around these errors?

Those are not errors. The 'missing-prototypes' string is directive to the compiler telling it to print a warning if a global function is defined without a previous prototype declaration. The lines you see are the normal output from the build process.

[Back][Top]


General Questions

4. How do I change the banner Postfix uses when greeting connecting clients?

Set the parameter smtpd_banner. By default, it's set as:

smtpd_banner = $myhostname ESMTP $mail_name

You normally should not change the banner. If you do, the initial "$myhostname ESMTP" is required by the standards and should definitely be left as is.

[Back][Top]


5. When Postfix sends a bounce message, it tells the sender, "For further assistance, please send mail to <postmaster>" But I want it to include my domain name in the address, e.g. <postmaster@example.com>. How can I do that?

The idea behind this is that people who receive this notification should contact their own local postmasters, since they may very well be the ones who have to deal with the problem. If you really want to change it, you have to modify the source code.

[Back][Top]


6. How do I modify the source code?

If you have to ask, don't do it. Live with it or find somebody who knows C to make the change for you.

[Back][Top]


7. Which is better mbox- or Maildir-style mailboxes?

It depends on your situation. One critical point is that if your mail store is mounted over NFS, don't use mbox. Otherwise, mbox is almost universally supported, but might be susceptible to file locking problems when multiple programs need access to the mail file. The maildir format eliminates file locking issues, but might not scale adequately on your system for users who keep very large numbers of messages on your server.

As far as performance considerations, it depends again. With maildir, accessing a particular message and deleting is probably quicker, but with mbox appending new messages to the end of the mail file probably wins out. From the Postfix point-of-view, it doesn't really matter. You can let other factors such as your choice of POP/IMAP server drive the decision. All else being equal, you should probably choose maildir.

[Back][Top]


8. Is there some kind of 'include' directive for main.cf?

No. Most administrators with complex configurations create a Makefile that will cat the necessary files together. If you have other regular administrative tasks, add them to your Makefile too. Your Makefile can have an entry something like this:

main.cf: file1 file2 file3
        cat file1 file2 file3 > main.cf.new
        mv main.cf.new main.cf

Then type make main.cf to rebuild your configuration file.

[Back][Top]


9. How can I get confirmation of mail deliveries?

This is not currently available in Postfix.

[Back][Top]


10. What's the best way to have an automated reply sent whenever a particular address receives an email message?

Almost all versions of Unix include the vacation program, which serves this very purpose.

[Back][Top]


11. How can I add or append a disclaimer (or other text) to the bottom of every email that gets sent from my mail server?

By design this is not implemented in Postfix directly. It's not the job of an MTA, and it's not as simple a problem as it seems because of MIME and digital signatures. MIME messages have a structure that can be very complex. Digital signatures attest to the fact that a signed message has not been modified. Adding a footer to the bottom of a message, breaks both of these. Some people add short text to the headers of email messages, but the text is not likely to be seen by most users. The real solution is to configure your clients to add whatever text is required.

Having said that, it is possible to configure a content filter that appends the text for you. Follow the directions for configuring Postfix to work with a content filter. Your filter should be MIME aware, and you should be aware that digital signatures will no longer work.

[Back][Top]


12. How can I save a copy of every message?

Specify an address in the always_bcc parameter. It will receive copies of all messages. After version 2.1 (and earlier snapshot versions), you can also use sender_bcc_maps and recipient_bcc_maps to save messages for specific users only.

[Back][Top]


13. How can I enable quotas or size limits on users' mailboxes?

This is not really a function of Postfix, although if you are using mbox-style mailboxes, you may achieve what you're looking for with the mailbox_size_limit parameter. Be aware that if you use maildir style mailboxes this parameter only limits the size of individual mail files and not the size of the entire mailbox.

Mailbox quotas are best enforced by the mail store itself, which might be done through normal operating system accounting or your IMAP server configuration. Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.

[Back][Top]


14. Why do some addresses have my own domain name appended to them in the headers? For example, before I installed Postfix I might see a header like the following:

To: billy

Now it comes in as

To: billy@mail.example.com

Postfix insists on fully qualified headers as required by the standards, so it tries to fix incomplete addresses. It is possible to turn off address completion by setting append_at_myorigin = no but that's likely to foul up other aspects of your system.

The best solution is to make sure that your users specify correct and complete addresses in their To: and From: headers. Then be sure to reject any messages without fully-qualified addresses by including the restriction reject_non_fqdn_recipient among your anti-spam rules.

[Back][Top]


15. How can I tell if my Postfix was built with a particular feature? I got my copy of Postfix from a package and I want to know if it includes support for SASL and TLS.

One way to check what your SMTPD supports is to ask it. Try the following:

$ telnet mail.example.com 25
Trying 192.168.100.11...
Connected to 192.168.100.11.
Escape character is '^]'.
220 scallop.seaglass.com ESMTP Postfix
EHLO localhost
250-scallop.seaglass.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
quit

You type the emphasized lines. Use your own mail server hostname instead of mail.example.com, of course.

You might also be interested in the output of

$ postconf -m

which displays all supported lookup table types.

You can also check the libraries that have been compiled into your smtpd binary. Many platforms support a command to display the libraries such as ldd or elfdump.

And finally, Simon Mudd maintains a utility called postfinger, which can be used to find out a lot of good information about your installation of Postfix.

[Back][Top]


16. How can I get Postfix to listen on a port other than 25?

Set the port in an smtpd entry in the master.cf file. You can change the existing smtpd entry or add an additional one depending on what you need.

An entry like the following causes Postfix to listen on port 10025:

10025      inet  n     -     n     -     -     smtpd

[Back][Top]


17. What is the main difference between the 1.xx and 2.xx versions of Postfix?

“See the RELEASE_NOTES files. It took me half a week to write them, and it would be a shame if people ignored them,” Postfix author, Wietse Venema.

Fair enough.

[Back][Top]


18. Okay, but I'm mainly worried about my config files. How should I handle them when upgrading?

Make a backup, of course, before upgrading, but the command make upgrade automatically updates your existing config files. Don't try to use your old files as they were when going from 1.0 to 2.0.

The upgrade has a couple of compatibility tweaks that you probably want to change once you're on the new version. Set local_recipient_maps to an appropriate map or use the default setting, and change unknown_local_recipient_reject_code to a permanent error (554).

[Back][Top]


19. I have a few interfaces on my system. How can I get Postfix to bind to only one of them?

Specify the IP address of the interface(s) you want Postfix to use in the inet_interfaces parameter.

[Back][Top]


20. With Sendmail, I used to get a warning notice when a message couldn't be delivered for 4 hours or so. Can I get that with Postfix?

This is controlled by the delay_warning_time parameter. By default it's set to 0 for never.

[Back][Top]


21. What's the difference between mailbox_transport and mailbox_command?

The mailbox_transport parameter is set to a service from master.cf, while mailbox_command refers to an actual command on the mail server filesystem.

There are a few parameters that can affect mailbox delivery. The parameters in order of preference are mailbox_transport, mailbox_command_maps, mailbox_command, and home_mailbox. When a user is not found on the system, the parameters fallback_transport and then luser_relay come into play.

[Back][Top]


22. All of our internal systems relay through our mail gateway. Is there a way to remove or hide the hostnames and IP addresses of our internal systems from the messages headers before they go out?

Add header checks that match the header lines showing your internal systems and specify the IGNORE action for them.

/^received:.*192\.168\.144\.32/     IGNORE

[Back][Top]


23. How can I tell Postfix to forward all messages that are sent to non-existent mailboxes to a particular user?

You can specify an address in the luser_relay parameter and disable local_recipient_maps.

luser_relay = info
local_recipient_maps =

Be careful if you do this. With the prevalence of spam the address you specify is liable to catch a large amount of junk mail.

[Back][Top]


24. Okay, how can I have Postfix initially accept all messages, but then bounce those that are addressed to non-existent users?

Simply disabling local_recipient_maps does the trick. The SMTP server accepts everything, and only later does the local delivery agent discover that the user doesn't exist, so it bounces the message. You really don't want to do this. You will receive a large amount of junk for which your server will try to send bounce notices. Innocent souls whose addresses have been faked will be inundated with bogus bounce messages from your (and probably others') mail server.

[Back][Top]


25. When I make changes to configuration files or lookup tables, do I have to reload Postfix?

It depends on the type of file you are changing.

Easy answer: Changes in files that Postfix reads into memory at startup require a reload for your changes to go into effect immediately. Examples of such files are main.cf, master.cf, and any lookup table using regular expressions. DB or DBM files are not read into memory and don't require reloading Postfix when they are changed. Note that with changes to the inet_interfaces parameter, a reload is not sufficient. You must stop and then start Postfix in this case.

Complete answer: Since most Postfix daemons are short-lived, your new settings are actually recognized automatically as those daemons expire and new ones are launched. However, longer running daemons such as pickup, qmgr, and possibly trivial-rewrite will not detect changes to main.cf, so changes to parameters used by these daemons require that you reload Postfix. Changes to master.cf always require a reload. Note that with changes to the inet_interfaces parameter, a reload is not sufficient. You must stop and then start Postfix in this case.

Special thanks to Vi[ck]tor Duchovni for information in this answer.

[Back][Top]


26. According to my configuration Postfix should be replying with a permanent error code (554), but it keeps sending a temporary one (454). Why is it doing that?

You probably have soft_bounce = yes. Also, if there is a temporary DNS problem, Postfix automatically converts permanent errors to temporary ones.

[Back][Top]


27. I have a few users that travel regularly. How can I allow them to send mail through my server without creating an open relay? Can't I just tell Postfix to allow relaying when the sender address is from my domain?

Emphatically not. Spammers know to use your domain when trying to relay mail through your server. If your users have static IP addresses add them to your mynetworks parameter. Assuming they don't have static IP addresses, the easiest option is to see if they can use the SMTP server of the ISP they're connecting through. If none of these options are available, you will have to look into SMTP AUTH or one of the pop-before-smtp solutions.

[Back][Top]


28. I need to add some smtpd restrictions to my master.cf file, something like:

-o smtpd_recipient_restrictions=check_recipient_access hash:/etc/postfix/recipient_access

Any idea how I can do that with the space required between the check_recipient_access and the lookup table?

You can use a comma instead of a space:

...
-o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/recipient_access

Another option is to define a variable in main.cf with all the restrictions you need, then use the variable in master.cf:

#
# main.cf
#
...
other_restrictions = 
      check_recipient_access hash:/etc/postfix/recipient_access
      reject_unknown_recipient_domain
      ...

#
# master.cf
#
...
-o smtpd_recipient_restrictions=$other_restrictions

[Back][Top]


29. There seems to be a long delay whenever a client connects to my smtpd service. It can take as long as a minute from establishing a connection until Postfix sends the 220 banner. Any ideas on what might be causing this?

This delay is almost always due to the DNS resolver on your server. When a client connects, Postfix tries to look up the hostname for the connecting client's IP address. If your resolver is not configured correctly or your DNS server is slow to respond, you will see a delay. You should run a caching-only DNS server on the same system as your Postfix server.

The most common reason for a misconfigured resolver is that your smtpd service is running in a chroot, and you don't have all of the necessary configuration files within the chroot compartment.

[Back][Top]


30. Is it possible to have Postfix running, but without the SMTPD server listening for outside connections?

Yes, comment out the smtpd line in your master.cf file.

#smtp      inet  n       -       n       -       -       smtpd

[Back][Top]


Aliases

31. I have aliases where only the first address in the list receives messages. The others can receive mail fine when sent to them directly, but when they're part of an alias, their messages don't arrive.

If you are using an external program for delivery, it might not handle more than one address at a time. Such is the case with maildrop, for example. To make sure that Postfix passes messages for delivery one at a time, set the transport_destination_recipient_limit parameter in main.cf to one. transport is the name of the transport method making the deliveries. If you are using maildrop, the parameter looks like the following:

maildrop_destination_recipient_limit = 1

[Back][Top]


32. If I have an alias like this,

info:     peter,heloise

and somebody sends a message addressed to both info and peter, then peter receives the message twice. When I used Sendmail it detected the same mail going to the same user twice and prevented it. How can I do the same with Postfix?

You can't. The architecture of Postfix is such that detecting duplicates like this is too costly. It's the trade-off between a multi-component system with a high level of security and performance, and a monolithic one that can easily detect those duplications.

[Back][Top]


33. I'm trying to test alias lists to see what addresses are expanded from particular lists. With other mail servers, I used the EXPN command to get a full recipient list, but it doesn't seem to work with Postfix.

Postfix does not support EXPN. Because of Postfix's architecture and security design, the unprivileged SMTP server doesn't know anything about local aliases. It's the privileged local delivery agent that actually expands aliases at the point of delivery. If you use a mailing list manager, it most likely has a command to tell you who is on the list, or you may have to check the aliases file on the mail server system.

[Back][Top]


Error and Warning Messages

34. I can't seem to receive messages. What does this error mean: "<test@example.com>: mail for example.com loops back to myself"?

Postfix reports this error when a DNS reply points to your mail server, but Postfix hasn't been configured to deal with messages addressed to the domain. Postfix accepts mail for domains listed in mydestination, relay_domains, virtual_mailbox_domains, virtual_alias_domains, and domains that resolve to IP addresses listed in inet_interfaces and proxy_interfaces. The domain must be listed in one of these parameters.

[Back][Top]


35. Why am I getting messages like this in my log? Shouldn't all of these files be in /etc?

warning: /var/spool/postfix/etc/services/services and /etc/services/services differ
warning: /var/spool/postfix/etc/resolv.conf/resolv.conf and /etc/resolv.conf/resolv.conf differ
warning: /var/spool/postfix/etc/hosts/hosts and /etc/hosts/hosts differ
warning: /var/spool/postfix/etc/nsswitch.conf/nsswitch.conf and /etc/nsswitch.conf/nsswitch.conf differ

When Postfix components run within a chroot, their view of your file system is limited to subdirectories below the directory specified in queue_directory (default: /var/spool/postfix). Some system resources must be copied into the chrooted directory, and Postfix checks that the system versions are in sync with those in your chroot.

[Back][Top]


36. When mail arrives for an unknown user, Postfix rejects it with the message, "User unknown in (local|virtual|relay) recipient table." Is it possible to just say something like the user doesn't exist?

The idea here is to give you as the administrator good information about how to solve a problem. You can set

show_user_unknown_table_name = no

to have the message simply say "User unknown."

[Back][Top]


37. I'm getting

postfix/smtp[18860]: fatal: unknown service: smtp/tcp

What could be the problem?

Most likely you are missing or have an unreadable /var/spool/postfix/etc/services.

[Back][Top]


Mail Queue

38. I have a whole bunch of mail queued up that I know I don't need. Is there any way to delete all of the queued messages?

# postsuper -d ALL

Note that the word ALL must be all capital letters, and that executing this command deletes all of the mail in your queue.

[Back][Top]


39. I see strange differences between mailq and postqueue. My mailq command says there is nothing in the queue (/var/spool/mqueue is empty), but postqueue reports a lot of messages. How can that be?

Your mailq is from Sendmail. Somehow your Postfix installation is fouled up. Postfix installs a replacement mailq command. You need to fix your Postfix installation. The problem might be simple like the Sendmail mailq is in the path before the Postfix mailq (in which case, rename the Sendmail one to mailq.sendmail, for example) or your Postfix installation might not have completed successfully.

[Back][Top]


40. How can I change how long messages stay in the queue before they expire and get bounced?

The maximal_queue_lifetime parameter determines how long a message should stay in the queue before it is deemed undeliverable. The default is five days (5d).

[Back][Top]


41. Is there a way to cause individual messages to be expired from the queue after some time? Or is there a way to have different queue lifetimes for different destinations?

There is no explicit expire option for queue files. The queue manager controls the expiration of messages based on how long they've been around and the value of maximal_queue_lifetime (see previous question). It's not possible to have different queue times for different destinations because queued messages may have multiple recipients and therefore no single destination.

Also, later versions of Postfix introduced the bounce_queue_lifetime parameter, so you can shorten the time that non-deliverable non-delivery notifications stay in your queue.

[Back][Top]


42. I had a problem in my configuration. It's fixed now, but the system is still trying to deliver queued messages using the old, incorrect configuration. What do I have to do to make them use the new configuration?

You have to requeue the messages with the postsuper -r command.

[Back][Top]


43. I have a lot of mail in my queue that seems to originate from "MAILER-DAEMON" instead of an actual email address. Where is it coming from?

Those are bounce messages from your server that cannot be delivered to original senders of previously undeliverable mail. Most often this happens when your server is accepting messages for non-existent users. See a related question.

If you are already rejecting messages for non-existent users, this might be caused by one of your own users infected with a virus. Check your logs to see where the original messages are coming from.

[Back][Top]


Logging

44. Where does Postfix log its information?

Postfix logs messages to your system's syslogd daemon. Check your system documentation to find the actual log file.

[Back][Top]


45. Is it possible to have Postfix log the subject of a message along with the other information like To and From addresses?

You can get the subject logged by adding an entry to your header_checks file that always matches the Subject: header and uses a result of 'WARN.'

/^subject:/      WARN

[Back][Top]


46. Is there some kind of debug or verbose logging option so that I can see exactly what happens with my mail?

You can increase logging for a particular component by adding one or more -v options to the component's entry in your master.cf.

smtp      inet  n     -    n    -     -     smtpd -v

You can also get additional information on transactions with a particular site by adding the site's name to the debug_peer_list parameter in main.cf. Then adjust debug_peer_level to get the amount of information you need.

debug_peer_list = example.com
debug_peer_level = 2

[Back][Top]


47. My log doesn't seem to have any entries with the From address logged? What gives?

The From address is logged by the queue manager. If you run qmgr chrooted, you must have a syslog socket below /var/spool/postfix. Some platforms have a syslogd daemon that allows you to specify additional sockets when it starts up. Others will be a bit trickier to get working within the chroot. See your system's syslog documentation.

[Back][Top]


48. Are there any good programs to analyze Postfix log entries?

See Logfile analysis on the Postfix home page.

[Back][Top]


49. The way I use virus scanning, all messages are re-injected back into Postfix. This causes everything to be logged twice. Is there a way to configure Postfix not to log certain things?

You don't really want to limit what Postfix logs. It logs all kinds of information that you might need sometime. Instead, Unix is rich with tools that let you manipulate, filter, and otherwise get the exact information you are looking for. If, for example, the second injection of a message includes relay=vscan, filter those lines out when you perform your log analysis.

$ grep -v "relay=vscan" maillog > analyze_log

[Back][Top]


50. My system time is correct but my mail log entries show a different time. What could be the problem?

You're running within a chroot. Make sure that whatever files your system uses to determine the TIMEZONE are below your chroot.

[Back][Top]


DNS Issues

51. I get an error saying that the host cannot be found, but when I look up the host I get an answer. Why can't Postfix figure it out?

Postfix (like all MTAs) delivers mail to a mail exchanger (MX). When you're checking the DNS for a domain, be sure to look up the MX records.

[Back][Top]


52. In my case, I'm doing host -t MX example.com. I get an answer, but Postfix complains with "Host not found, try again".

Your Postfix is probably running within a chroot. Make sure you have all the necessary files within the chroot. Particularly common is a missing or incorrect resolv.conf. Be sure to check permissions on all necessary files to make sure that the postfix account can read them.

[Back][Top]


53. Postfix seems to be ignoring the MX record and trying to deliver directly to the A record system. Is this normal?

It's normal if you have disable_dns_lookups = yes specified in main.cf. You might also have a transport map specified in brackets, in which case Postfix delivers directly to the system in brackets.

example.com     smtp:[mail.example.com]

[Back][Top]


Virtual Domains

54. Is there any way I can have a virtual alias deliver a message to a program?

Not directly. You have to use a virtual alias to rewrite the address to something that is delivered to a pipe transport or a local address on the system.

[Back][Top]


55. Is it possible to have global virtual aliases for addresses like postmaster, so that mail for postmaster at all of my domains can go to the same address?

In a word, no. We can only recommend that your processes and scripts to add new domains should include the steps to create the aliases you need.

[Back][Top]


UBE Blocking

56. Help! I think I'm an open relay. I see lots of messages in my log that look like this:

Jun 20 06:38:46 scallop postfix/smtp[21383]: connect to 
mail.example.com[10.11.12.13]: Connection refused (port 25)
Jun 20 06:38:46 scallop postfix/smtp[21383]: 79AA4234A9: 
to=<jenny796@example.com>, relay=none, delay=55262, 
status=deferred (connect to mail.example.com[10.11.12.13]:
Connection refused)

I don't know anything about the example.com domain. Should I be worried?

Relax. That's most likely just a bounce notice that Postfix is trying to send for a bogus message that could not be delivered on your system. No doubt you have entries earlier in your logs for a message from jenny796@example.com that could not be delivered. You may not be an open relay, but you should configure your system not to accept messages for non-existent users. See information on local_recipient_maps.

[Back][Top]


57. Help! I think I might be an open relay. How can I check?

If you have access to a system outside of your network, use it to try to deliver a message through your system to an external address. From the outside system, set an email client to use your system as its SMTP server. Then try sending a message to an address that your system does not handle mail for. If it is delivered, then you're running an open relay.

[Back][Top]


58. Help! I'm definitely an open relay. I've been listed with various black lists and everything. I'm sure my Postfix configuration is correct. What could be causing my system to relay?

If you have a gateway machine like a firewall, router, or another mail system between the Internet and your Postfix system, the combination might be causing your network to relay mail freely. If the gateway system's IP address is in your mynetworks parameter, and it's configured to pass all mail to your Postfix system, it has carte blanche to relay anything. Removing the gateway system from your mynetworks parameter should fix it.

[Back][Top]


59. I get a lot of spam with a blank envelope sender address. How can I block these?

You don't want to block messages based on the fact that they have a null return path. Accepting null envelope addresses is required by the standards. The technique is used to prevent looping of error notifications. You'll have to identify the spam by some other means.

[Back][Top]


60. I have restrictions set up to block certain sender addresses. Why aren't messages from restricted senders blocked as soon as the client issues the MAIL FROM command?

By default Postfix does not reject clients until after it receives the RCPT TO command. The reason is that some SMTP clients do not recognize that they have been rejected, and they keep trying to send the message, causing connections to last longer than they should and a log full of warning messages. Another advantage to the default is that you get complete information about the connecting client before rejecting the message. You can change the default behavior by setting smtpd_delay_reject = no.

[Back][Top]


61. Is there any way to know which entry for header_checks and body_checks caused a message to be rejected?

Not really. Most people include a unique marker on the RHS to identify their rules. You can do something as simple as numbering your rules. For example,

/freehotsex/    REJECT Message content rejected [182]

will log "Message content rejected [182]" when this rule is used to reject a message.

[Back][Top]


62. I get lots of mail for non-existent users that comes from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?

You must not accept messages for non-existent users. Since From addresses are usually forged, your system will be bouncing messages to people who never sent them. You must configure Postfix to reject them without accepting them into the queue. Set local_recipient_maps or relay_recipient_maps as appropriate for your situation. You might also want to include the restriction rule reject_unknown_sender_domain among your smtpd restrictions. See LOCAL_RECIPIENT_README for more information.

[Back][Top]


63. I added body and header checks to my configuration and set up the files with regular expressions to block certain subject lines and attachments, but when I test it, I can still send messages with subjects and attachments that should be blocked. What did I do wrong?

Did you restart Postfix? Also, you should test your regular expressions with postmap to make sure they do what you expect them to.

Be aware that encoded messages (base64, etc.) will not be blocked although they'll appear normally in most email clients. Look for the header Content-Transfer-Encoding: to see whether the message originally arrived encoded.

[Back][Top]


64. I added some body checks to my configuration that stop a lot of viruses. It mostly works well, but why is it that sometimes it doesn't seem to be used?

The messages that pass through are probably using base64 or another encoding. See the previous question.

[Back][Top]


65. Using header_checks or body_checks can I make conditional comparisons? Something like, for example:

/^to: joey/ AND /^subject: hot deals/      REJECT

so that certain subjects are blocked only for certain users.

This won't work because Postfix header and body checks can only consider one logical message line at a time. They're meant for simple checks. If you need anything more sophisticated, you should set up a content filter that has the smarts you need.

[Back][Top]


66. I'm using header_checks and body_checks to block spam, but some legitimate email is blocked by my checks. Is there any way to whitelist some mail so that the header and body checks are not applied?

No. Header and body checks are applied to every message and should be used for simple checks that can easily be applied to all mail. If you need anything more sophisticated, you should set up a content filter that has the smarts you need. However, if you just want to disable content checks for your own users, see the How-To " Turning Off Body and Header Checks for Internal Users."

If you want to create your own content filter, you can certainly do that, but there are many spam-blocking tools already available such as SpamAssassin or Bogofilter. These tools generally allow you to specifiy whitelisting rules. See "Virus/SPAM content filters" on the Postfix Add-on Software page.

See Also:

[Back][Top]


67. Okay, but I just want to be able to receive my reports that include blocked strings from the logs. Is there no way to receive these?

You could encode (base64, etc.) the report to get it past the checks, or compress it and send it as an attachment.

[Back][Top]


68. I'm using one of the blacklists to block spam and it's working fine. Now one of our customers/partners has got themselves listed, so my mail server is dutifully rejecting their messages. Is there a way to allow just their messages but still use the blacklist?

You can create a whitelist that will accept messages from certain addresses or domains. For example:

#
# main.cf
#
smtpd_recipient_restrictions =
	permit_mynetworks
	reject_unauth_destination
	...
	check_sender_access hash:/etc/postfix/whitelist 
	reject_rbl_client dnsbl.njabl.org
	...

#
# whitelist
#
@customer_domain.com	OK

Make sure the whitelist check occurs before the reject_rbl_client check. Remember that email addresses are easily faked. Whenever you add whitelisting to your configuration be very careful that you don't expose your server to open relaying. Make sure that your whitelisting occurs after reject_unauth_destination (or another rejection restriction).

[Back][Top]


69. How can I test the regular expressions I've created in my header_checks and body_checks?

Use the postmap command. You can specify a string representing one line of a message:

$ postmap -q "Content-Type:..." regexp:/etc/header_checks

Or redirect a file with the contents of a message to test a whole message:

$ postmap -q - regexp:/etc/body_checks < msg_file

There are a couple differences to be aware of when using postmap versus when Postfix actually checks a message. The postmap command doesn't understand header lines that span multiple lines, and postmap does not know the difference between header lines and body lines. Also, if you are testing regexp maps that use /.../i for case-sensitive matching, postmap needs the -f option.

[Back][Top]


70. If I block a domain with an access map like

example.com     REJECT No spam accepted

Does that mean that subdomains like host.example.com are also blocked?

It depends on your setting for parent_domain_matches_subdomains. If it includes "smtpd_access_maps," then yes subdomains are blocked. If you don't want this set parent_domain_matches_subdomains without "smtpd_access_maps."

parent_domain_matches_subdomains =
      debug_peer_list,fast_flush_domains,mynetworks,
      permit_mx_backup_networks,qmqpd_authorized_clients,
      relay_domains

You can still block subdomains on specific domains by adding an entry that starts with a period.

example.com      REJECT No spam accepted
.example.com     REJECT No spam accepted

This achieves the same effect, even after you remove "smtpd_access_maps" from parent_domain_matches_subdomains.

[Back][Top]


71. Do people generally have success with setting strict_7bit_headers = yes?

That parameter tends to be quite strict and rejects a lot of mail. If you just want to block messages with lots of garbage characters in the header, try the following regexp check in your header_checks map:

/[^[:print:]]{7}/  REJECT Your mailer is not RFC 2047 compliant

This will block messages with at least seven non-printable characters in a header.

[Back][Top]


72. I have two MX hosts configured in my DNS. I have great spam checking set up on my first MX system, but I'm getting a lot of spam delivered directly to the backup MX even though the primary is available. Is there a way to force mail to the primary when it's up?

There's no way to force spammers to deliver anywhere. If you run a secondary MX system, make sure that it's configured with exactly the same UBE checks or it will let spam through. If you can't configure it the same for some reason, just eliminate it. Many sites now operate with a single mail exchanger for this very reason. Since legitimate messages are normally retried for a matter of days, you will only lose mail if your mail server goes down for an extended period of time.

[Back][Top]


Anti-Virus

73. Can I block certain attachments based on the extension of the file name?

Yes, you can achieve limited virus blocking with header_checks. Configure a check that will reject messages with attachments that have executable or otherwise dangerous extensions. Here's a check to get you started (regexp version):

/^content-(type|disposition):.*name*=.*\.(exe|pif)/    REJECT We cannot accept executable attachments

and in pcre:

/^content-(type|disposition):.*name\s*=.*\.(exe|pif)/    REJECT We cannot accept executable attachments

You should add in as many dangerous extensions as you need for your users' platform(s) in addition to "exe" and "pif" (hint: there are a lot for Windows). You're better off with an actual virus scanning package.