Postfix FAQ
The following Frequently Asked Questions come primarily from the Postfix mailing list. Information about the list is available from the official Postfix web site. This is a much expanded version of the FAQ in the Appendix of Postfix: The Definitive Guide, and it is continuing to grow. If you have any questions, comments, or suggestions for this page please send them to me at <kdent@seaglass.com>.
Questions are organized into the following categories:
- Postfix Mailing List
- Compiling Postfix
- General Questions
- Aliases
- Error and Warning Messages
- Mail Queue
- Logging
- DNS Issues
- Virtual Domains
- UBE Blocking
- Anti-Virus
The entire FAQ is contained within this HTML file, so you can use your browser's Find function to search within the FAQ.
Last modified: Fri Oct 29 15:13:30 2004
Postfix Mailing List
1. How do I unsubscribe from the Postfix mailing list?
Send a request to <majordomo@postfix.org> with the words "unsubscribe postfix-users" in the body of the message. Your message should look like this:
To: <majordomo@postfix.org>
From: <you@yourdomain.com>
Subject: unsubscribe postfix-users
2. I sent a message to the list that did not get answered. Lots of other questions are answered. Did I do something wrong?
In fact, very seldom do questions go unanswered on the Postfix mailing list. It's a relatively generous list. But to make sure that your questions are answered and that you provide enough information, here are some basic rules for submissions:
- Do not send a general, "It's not working..." message. Explain the details of your problem. As you draft your message to the list, think of it as if you are proving that you have a problem. Show relevant log entries, configuration information, and any other details about your environment that you think might be a factor.
- Always send the output of postconf -n. Even if you think it's not necessary for your problem, there may be some piece of information that will enable list experts to answer your question immediately based on your configuration. Some list members won't bother with a question that doesn't include enough information to answer.
- Send plain text messages. Some list members use email clients that don't render HTML and won't even read messages in HTML.
- Don't hijack an existing thread with a new question. Start a new message and type in the address, or store it in your address book if it's too much to type.
Compiling Postfix
3. When I execute make, I get lots of errors, like the following:
gcc -Wmissing-prototypes -Wformat -g -o -I. -I../../Include -DLINUX2 -c ...
How can I get around these errors?
Those are not errors. The '-Wmissing-prototypes' string is a directive to the compiler telling it to print a warning if a global function is defined without a previous prototype declaration. The lines you see are the normal output from the build process.
General Questions
4. How do I change the banner Postfix uses when greeting connecting clients?
Set the parameter smtpd_banner. By default, it's set as:
smtpd_banner = $myhostname ESMTP $mail_name
You normally should not change the banner. If you do, the initial "$myhostname ESMTP" is required by the standards and should definitely be left as is.
5. When Postfix sends a bounce message, it tells the sender, "For further assistance, please send mail to <postmaster>." But I want it to include my domain name in the address, e.g. <postmaster@example.com>. How can I do that?
The idea behind this is that people who receive this notification should contact their own local postmasters, since they may very well be the ones who have to deal with the problem. If you really want to change it, you have to modify the source code.
6. How do I modify the source code?
If you have to ask, don't do it. Live with it or find somebody who knows C to make the change for you.
7. Which is better, mbox- or Maildir-style mailboxes?
It depends on your situation. One critical point is that if your mail store is mounted over NFS, don't use mbox. Otherwise, mbox is almost universally supported, but might be susceptible to file locking problems when multiple programs need access to the mail file. The maildir format eliminates file locking issues, but might not scale adequately on your system for users who keep very large numbers of messages on your server.
As far as performance considerations, it depends again. With maildir, accessing a particular message and deleting is probably quicker, but with mbox appending new messages to the end of the mail file probably wins out. From the Postfix point-of-view, it doesn't really matter. You can let other factors such as your choice of POP/IMAP server drive the decision. All else being equal, you should probably choose maildir.
8. Is there some kind of 'include' directive for main.cf?
No. Most administrators with complex configurations create a Makefile that will cat the necessary files together. If you have other regular administrative tasks, add them to your Makefile too. Your Makefile can have an entry something like this:
main.cf: file1 file2 file3
	cat file1 file2 file3 > main.cf.new
	mv main.cf.new main.cf
The two recipe lines must begin with a tab character, as make requires.
Then type make main.cf to rebuild your configuration file.
9. How can I get confirmation of mail deliveries?
This is not currently available in Postfix.
10. What's the best way to have an automated reply sent whenever a particular address receives an email message?
Almost all versions of Unix include the vacation program, which serves this very purpose.
11. How can I add or append a disclaimer (or other text) to the bottom of every email that gets sent from my mail server?
By design this is not implemented in Postfix directly. It's not the job of an MTA, and it's not as simple a problem as it seems because of MIME and digital signatures. MIME messages have a structure that can be very complex. Digital signatures attest to the fact that a signed message has not been modified. Adding a footer to the bottom of a message breaks both of these. Some people add short text to the headers of email messages, but the text is not likely to be seen by most users. The real solution is to configure your clients to add whatever text is required.
Having said that, it is possible to configure a content filter that appends the text for you. Follow the directions for configuring Postfix to work with a content filter. Your filter should be MIME aware, and you should be aware that digital signatures will no longer work.
12. How can I save a copy of every message?
Specify an address in the always_bcc parameter. It will receive copies of all messages. After version 2.1 (and earlier snapshot versions), you can also use sender_bcc_maps and recipient_bcc_maps to save messages for specific users only.
13. How can I enable quotas or size limits on users' mailboxes?
This is not really a function of Postfix, although if you are using mbox-style mailboxes, you may achieve what you're looking for with the mailbox_size_limit parameter. Be aware that if you use maildir style mailboxes this parameter only limits the size of individual mail files and not the size of the entire mailbox.
Mailbox quotas are best enforced by the mail store itself, which might be done through normal operating system accounting or your IMAP server configuration. Be aware that if your IMAP server receives messages over LMTP, over-quota situations won't be discovered until after Postfix has accepted the message, so it will have to be bounced. If you want to reject mail for users over their quotas, you'll have to use an access table listing users who are over their quotas.
14. Why do some addresses have my own domain name appended to them in the headers? For example, before I installed Postfix I might see a header like the following:
To: billy
Now it comes in as
To: billy@mail.example.com
Postfix insists on fully qualified headers as required by the standards, so it tries to fix incomplete addresses. It is possible to turn off address completion by setting append_at_myorigin = no but that's likely to foul up other aspects of your system.
The best solution is to make sure that your users specify correct and complete addresses in their To: and From: headers. Then be sure to reject any messages without fully-qualified addresses by including the restriction reject_non_fqdn_recipient among your anti-spam rules.
15. How can I tell if my Postfix was built with a particular feature? I got my copy of Postfix from a package and I want to know if it includes support for SASL and TLS.
One way to check what your SMTPD supports is to ask it. Try the following:
$ telnet mail.example.com 25
Trying 192.168.100.11...
Connected to 192.168.100.11.
Escape character is '^]'.
220 scallop.seaglass.com ESMTP Postfix
EHLO localhost
250-scallop.seaglass.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-XVERP
250 8BITMIME
quit
You type the EHLO localhost and quit lines; everything else is the server's response. Use your own mail server hostname instead of mail.example.com, of course. In this output the 250-STARTTLS line shows that TLS support is built in; a server with SASL authentication enabled would also list a 250-AUTH line.
You might also be interested in the output of
$ postconf -m
which displays all supported lookup table types.
You can also check the libraries that have been compiled into your smtpd binary. Many platforms support a command to display the libraries such as ldd or elfdump.
And finally, Simon Mudd maintains a utility called postfinger, which can be used to find out a lot of good information about your installation of Postfix.
16. How can I get Postfix to listen on a port other than 25?
Set the port in an smtpd entry in the master.cf file. You can change the existing smtpd entry or add an additional one depending on what you need.
An entry like the following causes Postfix to listen on port 10025:
10025 inet n - n - - smtpd
17. What is the main difference between the 1.xx and 2.xx versions of Postfix?
“See the RELEASE_NOTES files. It took me half a week to write them, and it would be a shame if people ignored them,” Postfix author, Wietse Venema.
Fair enough.
18. Okay, but I'm mainly worried about my config files. How should I handle them when upgrading?
Make a backup, of course, before upgrading, but the command make upgrade automatically updates your existing config files. Don't try to use your old files as they were when going from 1.0 to 2.0.
The upgrade has a couple of compatibility tweaks that you probably want to change once you're on the new version. Set local_recipient_maps to an appropriate map or use the default setting, and change unknown_local_recipient_reject_code to a permanent error (554).
19. I have a few interfaces on my system. How can I get Postfix to bind to only one of them?
Specify the IP address of the interface(s) you want Postfix to use in the inet_interfaces parameter.
20. With Sendmail, I used to get a warning notice when a message couldn't be delivered for 4 hours or so. Can I get that with Postfix?
This is controlled by the delay_warning_time parameter. By default it's set to 0 for never.
21. What's the difference between mailbox_transport and mailbox_command?
The mailbox_transport parameter is set to a service from master.cf, while mailbox_command refers to an actual command on the mail server filesystem.
There are a few parameters that can affect mailbox delivery. The parameters in order of preference are mailbox_transport, mailbox_command_maps, mailbox_command, and home_mailbox. When a user is not found on the system, the parameters fallback_transport and then luser_relay come into play.
22. All of our internal systems relay through our mail gateway. Is there a way to remove or hide the hostnames and IP addresses of our internal systems from the messages headers before they go out?
Add header checks that match the header lines showing your internal systems and specify the IGNORE action for them.
/^received:.*192\.168\.144\.32/ IGNORE
23. How can I tell Postfix to forward all messages that are sent to non-existent mailboxes to a particular user?
You can specify an address in the luser_relay parameter and disable local_recipient_maps.
luser_relay = info
local_recipient_maps =
Be careful if you do this. With the prevalence of spam the address you specify is liable to catch a large amount of junk mail.
24. Okay, how can I have Postfix initially accept all messages, but then bounce those that are addressed to non-existent users?
Simply disabling local_recipient_maps does the trick. The SMTP server accepts everything, and only later does the local delivery agent discover that the user doesn't exist, so it bounces the message. You really don't want to do this. You will receive a large amount of junk for which your server will try to send bounce notices. Innocent souls whose addresses have been faked will be inundated with bogus bounce messages from your (and probably others') mail server.
25. When I make changes to configuration files or lookup tables, do I have to reload Postfix?
It depends on the type of file you are changing.
Easy answer: Changes in files that Postfix reads into memory at startup require a reload for your changes to go into effect immediately. Examples of such files are main.cf, master.cf, and any lookup table using regular expressions. DB or DBM files are not read into memory and don't require reloading Postfix when they are changed. Note that with changes to the inet_interfaces parameter, a reload is not sufficient. You must stop and then start Postfix in this case.
Complete answer: Since most Postfix daemons are short-lived, your new settings are actually recognized automatically as those daemons expire and new ones are launched. However, longer running daemons such as pickup, qmgr, and possibly trivial-rewrite will not detect changes to main.cf, so changes to parameters used by these daemons require that you reload Postfix. Changes to master.cf always require a reload. Note that with changes to the inet_interfaces parameter, a reload is not sufficient. You must stop and then start Postfix in this case.
Special thanks to Vi[ck]tor Duchovni for information in this answer.
26. According to my configuration Postfix should be replying with a permanent error code (554), but it keeps sending a temporary one (454). Why is it doing that?
You probably have soft_bounce = yes. Also, if there is a temporary DNS problem, Postfix automatically converts permanent errors to temporary ones.
27. I have a few users that travel regularly. How can I allow them to send mail through my server without creating an open relay? Can't I just tell Postfix to allow relaying when the sender address is from my domain?
Emphatically not. Spammers know to use your domain when trying to relay mail through your server. If your users have static IP addresses add them to your mynetworks parameter. Assuming they don't have static IP addresses, the easiest option is to see if they can use the SMTP server of the ISP they're connecting through. If none of these options are available, you will have to look into SMTP AUTH or one of the pop-before-smtp solutions.
28. I need to add some smtpd restrictions to my master.cf file, something like:
-o smtpd_recipient_restrictions=check_recipient_access hash:/etc/postfix/recipient_access
Any idea how I can do that with the space required between the check_recipient_access and the lookup table?
You can use a comma instead of a space:
... -o smtpd_recipient_restrictions=check_recipient_access,hash:/etc/postfix/recipient_access
Another option is to define a variable in main.cf with all the restrictions you need, then use the variable in master.cf:
#
# main.cf
#
...
other_restrictions = check_recipient_access hash:/etc/postfix/recipient_access reject_unknown_recipient_domain ...

#
# master.cf
#
...
    -o smtpd_recipient_restrictions=$other_restrictions
29. There seems to be a long delay whenever a client connects to my smtpd service. It can take as long as a minute from establishing a connection until Postfix sends the 220 banner. Any ideas on what might be causing this?
This delay is almost always due to the DNS resolver on your server. When a client connects, Postfix tries to look up the hostname for the connecting client's IP address. If your resolver is not configured correctly or your DNS server is slow to respond, you will see a delay. You should run a caching-only DNS server on the same system as your Postfix server.
The most common reason for a misconfigured resolver is that your smtpd service is running in a chroot, and you don't have all of the necessary configuration files within the chroot compartment.
30. Is it possible to have Postfix running, but without the SMTPD server listening for outside connections?
Yes, comment out the smtpd line in your master.cf file.
#smtp inet n - n - - smtpd
Aliases
31. I have aliases where only the first address in the list receives messages. The others can receive mail fine when sent to them directly, but when they're part of an alias, their messages don't arrive.
If you are using an external program for delivery, it might not handle more than one address at a time. Such is the case with maildrop, for example. To make sure that Postfix passes messages for delivery one at a time, set the transport_destination_recipient_limit parameter in main.cf to one, where transport is the name of the transport method making the deliveries. If you are using maildrop, the parameter looks like the following:
maildrop_destination_recipient_limit = 1
32. If I have an alias like this,
info: peter,heloise
and somebody sends a message addressed to both info and peter, then peter receives the message twice. When I used Sendmail it detected the same mail going to the same user twice and prevented it. How can I do the same with Postfix?
You can't. The architecture of Postfix is such that detecting duplicates like this is too costly. It's the trade-off between a multi-component system with a high level of security and performance, and a monolithic one that can easily detect those duplications.
33. I'm trying to test alias lists to see what addresses are expanded from particular lists. With other mail servers, I used the EXPN command to get a full recipient list, but it doesn't seem to work with Postfix.
Postfix does not support EXPN. Because of Postfix's architecture and security design, the unprivileged SMTP server doesn't know anything about local aliases. It's the privileged local delivery agent that actually expands aliases at the point of delivery. If you use a mailing list manager, it most likely has a command to tell you who is on the list, or you may have to check the aliases file on the mail server system.
Error and Warning Messages
34. I can't seem to receive messages. What does this error mean: "<test@example.com>: mail for example.com loops back to myself"?
Postfix reports this error when a DNS reply points to your mail server, but Postfix hasn't been configured to deal with messages addressed to the domain. Postfix accepts mail for domains listed in mydestination, relay_domains, virtual_mailbox_domains, virtual_alias_domains, and domains that resolve to IP addresses listed in inet_interfaces and proxy_interfaces. The domain must be listed in one of these parameters.
35. Why am I getting messages like this in my log? Shouldn't all of these files be in /etc?
warning: /var/spool/postfix/etc/services/services and /etc/services/services differ
warning: /var/spool/postfix/etc/resolv.conf/resolv.conf and /etc/resolv.conf/resolv.conf differ
warning: /var/spool/postfix/etc/hosts/hosts and /etc/hosts/hosts differ
warning: /var/spool/postfix/etc/nsswitch.conf/nsswitch.conf and /etc/nsswitch.conf/nsswitch.conf differ
When Postfix components run within a chroot, their view of your file system is limited to subdirectories below the directory specified in queue_directory (default: /var/spool/postfix). Some system resources must be copied into the chrooted directory, and Postfix checks that the system versions are in sync with those in your chroot.
36. When mail arrives for an unknown user, Postfix rejects it with the message, "User unknown in (local|virtual|relay) recipient table." Is it possible to just say something like the user doesn't exist?
The idea here is to give you as the administrator good information about how to solve a problem. You can set
show_user_unknown_table_name = no
to have the message simply say "User unknown."
37. I'm getting
postfix/smtp[18860]: fatal: unknown service: smtp/tcp
What could be the problem?
Most likely you are missing or have an unreadable /var/spool/postfix/etc/services.
Mail Queue
38. I have a whole bunch of mail queued up that I know I don't need. Is there any way to delete all of the queued messages?
# postsuper -d ALL
Note that the word ALL must be all capital letters, and that executing this command deletes all of the mail in your queue.
39. I see strange differences between mailq and postqueue. My mailq command says there is nothing in the queue (/var/spool/mqueue is empty), but postqueue reports a lot of messages. How can that be?
Your mailq is from Sendmail. Somehow your Postfix installation is fouled up. Postfix installs a replacement mailq command. You need to fix your Postfix installation. The problem might be simple like the Sendmail mailq is in the path before the Postfix mailq (in which case, rename the Sendmail one to mailq.sendmail, for example) or your Postfix installation might not have completed successfully.
40. How can I change how long messages stay in the queue before they expire and get bounced?
The maximal_queue_lifetime parameter determines how long a message should stay in the queue before it is deemed undeliverable. The default is five days (5d).
41. Is there a way to cause individual messages to be expired from the queue after some time? Or is there a way to have different queue lifetimes for different destinations?
There is no explicit expire option for queue files. The queue manager controls the expiration of messages based on how long they've been around and the value of maximal_queue_lifetime (see previous question). It's not possible to have different queue times for different destinations because queued messages may have multiple recipients and therefore no single destination.
Also, later versions of Postfix introduced the bounce_queue_lifetime parameter, so you can shorten the time that non-deliverable non-delivery notifications stay in your queue.
42. I had a problem in my configuration. It's fixed now, but the system is still trying to deliver queued messages using the old, incorrect configuration. What do I have to do to make them use the new configuration?
You have to requeue the messages with the postsuper -r command.
43. I have a lot of mail in my queue that seems to originate from "MAILER-DAEMON" instead of an actual email address. Where is it coming from?
Those are bounce messages from your server that cannot be delivered to original senders of previously undeliverable mail. Most often this happens when your server is accepting messages for non-existent users. See a related question.
If you are already rejecting messages for non-existent users, this might be caused by one of your own users infected with a virus. Check your logs to see where the original messages are coming from.
Logging
44. Where does Postfix log its information?
Postfix logs messages to your system's syslogd daemon. Check your system documentation to find the actual log file.
45. Is it possible to have Postfix log the subject of a message along with the other information like To and From addresses?
You can get the subject logged by adding an entry to your header_checks file that always matches the Subject: header and uses a result of 'WARN.'
/^subject:/ WARN
46. Is there some kind of debug or verbose logging option so that I can see exactly what happens with my mail?
You can increase logging for a particular component by adding one or more -v options to the component's entry in your master.cf.
smtp inet n - n - - smtpd -v
You can also get additional information on transactions with a particular site by adding the site's name to the debug_peer_list parameter in main.cf. Then adjust debug_peer_level to get the amount of information you need.
debug_peer_list = example.com
debug_peer_level = 2
47. My log doesn't seem to have any entries with the From address logged? What gives?
The From address is logged by the queue manager. If you run qmgr chrooted, you must have a syslog socket below /var/spool/postfix. Some platforms have a syslogd daemon that allows you to specify additional sockets when it starts up. Others will be a bit trickier to get working within the chroot. See your system's syslog documentation.
48. Are there any good programs to analyze Postfix log entries?
See Logfile analysis on the Postfix home page.
49. The way I use virus scanning, all messages are re-injected back into Postfix. This causes everything to be logged twice. Is there a way to configure Postfix not to log certain things?
You don't really want to limit what Postfix logs. It logs all kinds of information that you might need sometime. Instead, Unix is rich with tools that let you manipulate, filter, and otherwise get the exact information you are looking for. If, for example, the second injection of a message includes relay=vscan, filter those lines out when you perform your log analysis.
$ grep -v "relay=vscan" maillog > analyze_log
50. My system time is correct but my mail log entries show a different time. What could be the problem?
You're running within a chroot. Make sure that whatever files your system uses to determine the TIMEZONE are below your chroot.
DNS Issues
51. I get an error saying that the host cannot be found, but when I look up the host I get an answer. Why can't Postfix figure it out?
Postfix (like all MTAs) delivers mail to a mail exchanger (MX). When you're checking the DNS for a domain, be sure to look up the MX records.
52. In my case, I'm doing host -t MX example.com. I get an answer, but Postfix complains with "Host not found, try again".
Your Postfix is probably running within a chroot. Make sure you have all the necessary files within the chroot. Particularly common is a missing or incorrect resolv.conf. Be sure to check permissions on all necessary files to make sure that the postfix account can read them.
53. Postfix seems to be ignoring the MX record and trying to deliver directly to the A record system. Is this normal?
It's normal if you have disable_dns_lookups = yes specified in main.cf. You might also have a transport map specified in brackets, in which case Postfix delivers directly to the system in brackets.
example.com smtp:[mail.example.com]
Virtual Domains
54. Is there any way I can have a virtual alias deliver a message to a program?
Not directly. You have to use a virtual alias to rewrite the address to something that is delivered to a pipe transport or a local address on the system.
55. Is it possible to have global virtual aliases for addresses like postmaster, so that mail for postmaster at all of my domains can go to the same address?
In a word, no. We can only recommend that the processes and scripts you use to add new domains include the steps to create the aliases you need.
UBE Blocking
56. Help! I think I'm an open relay. I see lots of messages in my log that look like this:
Jun 20 06:38:46 scallop postfix/smtp[21383]: connect to mail.example.com[10.11.12.13]: Connection refused (port 25)
Jun 20 06:38:46 scallop postfix/smtp[21383]: 79AA4234A9: to=<jenny796@example.com>, relay=none, delay=55262, status=deferred (connect to mail.example.com[10.11.12.13]: Connection refused)
I don't know anything about the example.com domain. Should I be worried?
Relax. That's most likely just a bounce notice that Postfix is trying to send for a bogus message that could not be delivered on your system. No doubt you have entries earlier in your logs for a message from jenny796@example.com that could not be delivered. You may not be an open relay, but you should configure your system not to accept messages for non-existent users. See information on local_recipient_maps.
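As an added example (not part of the FAQ), here is a small Python parser for maillog lines of the shape quoted above. It applies the grep -v "relay=vscan" idea from question 49 while parsing, and flags queue ids whose sender is the null address (from=<>, which is how the MAILER-DAEMON bounce notices of question 43 appear in the log) and whose deliveries keep deferring with relay=none; the log lines, queue ids and hosts are constructed from the excerpt in this question.

```python
import re
from collections import defaultdict

# Shape of a Postfix syslog line (see the excerpt in question 56):
#   Mon DD HH:MM:SS host postfix/<daemon>[<pid>]: [<queue id>: ]<key=value, ...> [(<note>)]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>[0-9A-F]{6,}): )?(?P<rest>.*)$"
)

# Constructed sample log, modelled on the FAQ's excerpt: a bounce notice
# (from=<>) that cannot be delivered, and a normal message that passes
# through a scanner (relay=vscan) before its real delivery.
SAMPLE_LOG = [
    "Jun 20 06:38:46 scallop postfix/smtp[21383]: connect to mail.example.com[10.11.12.13]: Connection refused (port 25)",
    "Jun 20 06:38:46 scallop postfix/smtp[21383]: 79AA4234A9: to=<jenny796@example.com>, relay=none, delay=55262, status=deferred (connect to mail.example.com[10.11.12.13]: Connection refused)",
    "Jun 20 06:38:50 scallop postfix/qmgr[1203]: 79AA4234A9: from=<>, size=2311, nrcpt=1 (queue active)",
    "Jun 20 06:39:01 scallop postfix/smtp[21390]: 1B2C3D4E5F: to=<alice@example.net>, relay=vscan, delay=1, status=sent (250 ok)",
    "Jun 20 06:39:02 scallop postfix/smtp[21391]: 1B2C3D4E5F: to=<alice@example.net>, relay=mx.example.net[192.0.2.25], delay=2, status=sent (250 2.0.0 Ok: queued)",
]


def parse_kv(rest):
    """Split 'to=<a@b>, relay=none, status=deferred (reason)' into a dict
    plus the trailing parenthesised note. Angle brackets are stripped, so
    the null sender from=<> becomes an empty string."""
    text, _, note = rest.partition(" (")
    fields = {}
    for item in text.split(", "):
        key, sep, value = item.partition("=")
        if sep:
            fields[key] = value.strip("<>")
    return fields, note.rstrip(")")


def parse_line(line):
    """Return the fixed fields, the queue id (None for lines such as
    'connect to ...: Connection refused') and the key=value pairs."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["fields"], rec["note"] = parse_kv(rec.pop("rest"))
    return rec


def analyze(lines, drop_relays=("vscan",)):
    """Group delivery attempts per queue id and flag stuck bounce notices.

    Lines whose relay= is in drop_relays are skipped while parsing, which is
    the grep -v "relay=vscan" idea from question 49. A queue id whose sender
    is the null address is a notice Postfix generated itself; if its attempts
    defer with relay=none, the notice is going nowhere (question 56).
    """
    queue = defaultdict(lambda: {"sender": None, "attempts": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qid"] is None:
            continue                                  # nothing to attribute
        f = rec["fields"]
        if f.get("relay") in drop_relays:
            continue                                  # re-injection via scanner
        entry = queue[rec["qid"]]
        if "from" in f:
            entry["sender"] = f["from"]
        if "to" in f:
            entry["attempts"].append((f["to"], f.get("relay"), f.get("status"), rec["note"]))
    stuck = [qid for qid, e in queue.items()
             if e["sender"] == "" and any(relay == "none" and status == "deferred"
                                          for _, relay, status, _ in e["attempts"])]
    return dict(queue), stuck


if __name__ == "__main__":
    queue, stuck = analyze(SAMPLE_LOG)
    for qid in stuck:                                 # prints 79AA4234A9
        to, _, _, note = queue[qid]["attempts"][0]
        print(f"{qid}: undeliverable bounce notice for <{to}>: {note}")
```

Running it over a real maillog is a matter of replacing SAMPLE_LOG with the file's lines; a long list of stuck queue ids is the signal that the server is accepting mail for users who do not exist.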
57. Help! I think I might be an open relay. How can I check?
If you have access to a system outside of your network, use it to try to deliver a message through your system to an external address. From the outside system, set an email client to use your system as its SMTP server. Then try sending a message to an address that your system does not handle mail for. If it is delivered, then you're running an open relay.
58. Help! I'm definitely an open relay. I've been listed with various black lists and everything. I'm sure my Postfix configuration is correct. What could be causing my system to relay?
If you have a gateway machine like a firewall, router, or another mail system between the Internet and your Postfix system, the combination might be causing your network to relay mail freely. If the gateway system's IP address is in your mynetworks parameter, and it's configured to pass all mail to your Postfix system, it has carte blanche to relay anything. Removing the gateway system from your mynetworks parameter should fix it.
59. I get a lot of spam with a blank envelope sender address. How can I block these?
You don't want to block messages based on the fact that they have a null return path. Accepting null envelope addresses is required by the standards. The technique is used to prevent looping of error notifications. You'll have to identify the spam by some other means.
60. I have restrictions set up to block certain sender addresses. Why aren't messages from restricted senders blocked as soon as the client issues the MAIL FROM command?
By default Postfix does not reject clients until after it receives the RCPT TO command. The reason is that some SMTP clients do not recognize that they have been rejected, and they keep trying to send the message, causing connections to last longer than they should and a log full of warning messages. Another advantage to the default is that you get complete information about the connecting client before rejecting the message. You can change the default behavior by setting smtpd_delay_reject = no.
61. Is there any way to know which entry for header_checks and body_checks caused a message to be rejected?
Not really. Most people include a unique marker on the RHS to identify their rules. You can do something as simple as numbering your rules. For example,
/freehotsex/ REJECT Message content rejected [182]
will log "Message content rejected [182]" when this rule is used to reject a message.
62. I get lots of mail for non-existent users that comes from servers that don't respond, so my queue is always full while it tries to deliver bounce notifications to these non-existent servers. How can I prevent this?
You must not accept messages for non-existent users. Since From addresses are usually forged, your system will be bouncing messages to people who never sent them. You must configure Postfix to reject them without accepting them into the queue. Set local_recipient_maps or relay_recipient_maps as appropriate for your situation. You might also want to include the restriction rule reject_unknown_sender_domain among your smtpd restrictions. See LOCAL_RECIPIENT_README for more information.
63. I added body and header checks to my configuration and set up the files with regular expressions to block certain subject lines and attachments, but when I test it, I can still send messages with subjects and attachments that should be blocked. What did I do wrong?
Did you restart Postfix? Also, you should test your regular expressions with postmap to make sure they do what you expect them to.
Be aware that encoded messages (base64, etc.) will not be blocked although they'll appear normally in most email clients. Look for the header Content-Transfer-Encoding: to see whether the message originally arrived encoded.
64. I added some body checks to my configuration that stop a lot of viruses. It mostly works well, but why is it that sometimes it doesn't seem to be used?
The messages that pass through are probably using base64 or another encoding. See the previous question.
65. Using header_checks or body_checks can I make conditional comparisons? Something like, for example:
/^to: joey/ AND /^subject: hot deals/ REJECT
so that certain subjects are blocked only for certain users.
This won't work because Postfix header and body checks can only consider one logical message line at a time. They're meant for simple checks. If you need anything more sophisticated, you should set up a content filter that has the smarts you need.
66. I'm using header_checks and body_checks to block spam, but some legitimate email is blocked by my checks. Is there any way to whitelist some mail so that the header and body checks are not applied?
No. Header and body checks are applied to every message and should be used for simple checks that can easily be applied to all mail. If you need anything more sophisticated, you should set up a content filter that has the smarts you need. However, if you just want to disable content checks for your own users, see the How-To "Turning Off Body and Header Checks for Internal Users."
If you want to create your own content filter, you can certainly do that, but there are many spam-blocking tools already available such as SpamAssassin or Bogofilter. These tools generally allow you to specify whitelisting rules. See "Virus/SPAM content filters" on the Postfix Add-on Software page.
See Also:
- Postfix Content Inspection (www.postfix.org)
- Postfix Built-in Content Inspection (www.postfix.org)
- Postfix After-Queue Content Filter (www.postfix.org)
- Postfix: The Definitive Guide pp. 144-147, 174-182
67. Okay, but I just want to be able to receive my reports that include blocked strings from the logs. Is there no way to receive these?
You could encode (base64, etc.) the report to get it past the checks, or compress it and send it as an attachment.
68. I'm using one of the blacklists to block spam and it's working fine. Now one of our customers/partners has got themselves listed, so my mail server is dutifully rejecting their messages. Is there a way to allow just their messages but still use the blacklist?
You can create a whitelist that will accept messages from certain addresses or domains. For example:
#
# main.cf
#
smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    ...
    check_sender_access hash:/etc/postfix/whitelist
    reject_rbl_client dnsbl.njabl.org
    ...

#
# whitelist
#
@customer_domain.com    OK
Make sure the whitelist check occurs before the reject_rbl_client check. Remember that email addresses are easily faked. Whenever you add whitelisting to your configuration be very careful that you don't expose your server to open relaying. Make sure that your whitelisting occurs after reject_unauth_destination (or another rejection restriction).
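To see why the order matters, here is an added example (not from the FAQ and not Postfix code) that models how Postfix walks an smtpd_recipient_restrictions list: each restriction answers OK, REJECT or DUNNO, the first OK or REJECT decides, DUNNO hands over to the next restriction, and an exhausted list permits. The restriction names are the real Postfix ones, but their bodies are stand-ins, and the network, domains, whitelist contents and DNSBL listing are all constructed for the demonstration.

```python
# Added example, not from the FAQ or from Postfix: a simplified model of the
# way Postfix evaluates smtpd_recipient_restrictions, used to show that a
# check_sender_access whitelist placed before reject_unauth_destination turns
# the server into a relay for anyone who forges a whitelisted sender.

MYNETWORKS_PREFIX = "192.168.1."          # stands in for mynetworks = 192.168.1.0/24 (constructed)
MYDESTINATION = {"example.com"}           # domains we deliver locally (constructed)
WHITELISTED_SENDER_DOMAINS = {"customer_domain.com"}   # models the FAQ's whitelist entry
DNSBL_LISTED = {"203.0.113.5"}            # client IPs our pretend DNSBL lists (constructed)


def _domain(address):
    return address.rsplit("@", 1)[1].lower()


def permit_mynetworks(s):
    return "OK" if s["client_ip"].startswith(MYNETWORKS_PREFIX) else "DUNNO"


def reject_unauth_destination(s):
    # Reject unless the recipient domain is one this server accepts mail for.
    return "DUNNO" if _domain(s["rcpt"]) in MYDESTINATION else "REJECT"


def check_sender_access(s):
    # Models "check_sender_access hash:/etc/postfix/whitelist".
    return "OK" if _domain(s["sender"]) in WHITELISTED_SENDER_DOMAINS else "DUNNO"


def reject_rbl_client(s):
    return "REJECT" if s["client_ip"] in DNSBL_LISTED else "DUNNO"


def evaluate(restrictions, session):
    """Decision for one RCPT TO under the given restriction order."""
    for restriction in restrictions:
        verdict = restriction(session)
        if verdict != "DUNNO":
            return verdict
    return "OK"            # Postfix's implicit permit at the end of the list


# The FAQ's order: the whitelist comes after reject_unauth_destination.
SAFE_ORDER = [permit_mynetworks, reject_unauth_destination,
              check_sender_access, reject_rbl_client]
# The mistake the FAQ warns about: the whitelist comes first.
OPEN_RELAY_ORDER = [permit_mynetworks, check_sender_access,
                    reject_unauth_destination, reject_rbl_client]


def relay_attempt():
    """Constructed session: a DNSBL-listed client forges a whitelisted
    sender and addresses a domain this server is not responsible for."""
    return {"client_ip": "203.0.113.5",
            "sender": "someone@customer_domain.com",
            "rcpt": "victim@elsewhere.net"}


def whitelisted_delivery():
    """Constructed session: the case the whitelist is for, the listed
    customer writing to one of our own users."""
    return {"client_ip": "203.0.113.5",
            "sender": "someone@customer_domain.com",
            "rcpt": "user@example.com"}


if __name__ == "__main__":
    for label, order in (("safe order", SAFE_ORDER), ("whitelist first", OPEN_RELAY_ORDER)):
        print(label, "- relay attempt:", evaluate(order, relay_attempt()),
              "| customer mail:", evaluate(order, whitelisted_delivery()))
```

With the FAQ's order the forged relay attempt is rejected by reject_unauth_destination before the whitelist is ever consulted, while the customer's mail to a local user still gets past the DNSBL check; with the whitelist moved in front of reject_unauth_destination the same forged session is accepted for relaying.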
69. How can I test the regular expressions I've created in my header_checks and body_checks?
Use the postmap command. You can specify a string representing one line of a message:
$ postmap -q "Content-Type:..." regexp:/etc/header_checks
Or redirect a file with the contents of a message to test a whole message:
$ postmap -q - regexp:/etc/body_checks < msg_file
There are a couple of differences to be aware of when using postmap versus when Postfix actually checks a message. The postmap command doesn't understand header lines that span multiple lines, and postmap does not know the difference between header lines and body lines. Also, if you are testing regexp maps that use /.../i for case-sensitive matching, postmap needs the -f option so that it does not fold the lookup key to lowercase.
70. If I block a domain with an access map like
example.com REJECT No spam accepted
Does that mean that subdomains like host.example.com are also blocked?
It depends on your setting for parent_domain_matches_subdomains. If it includes "smtpd_access_maps," then yes, subdomains are blocked. If you don't want this, set parent_domain_matches_subdomains without "smtpd_access_maps":
parent_domain_matches_subdomains = debug_peer_list, fast_flush_domains, mynetworks,
    permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains
You can still block subdomains on specific domains by adding an entry that starts with a period.
example.com     REJECT No spam accepted
.example.com    REJECT No spam accepted
This achieves the same effect, even after you remove "smtpd_access_maps" from parent_domain_matches_subdomains.
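The lookup order behind this answer, as an added example (not from the FAQ and not Postfix code): the model below looks up the full domain name first and then each parent domain, as a bare parent when "smtpd_access_maps" is in parent_domain_matches_subdomains and as a dot-prefixed parent when it is not. The access table contents are constructed; the ".example.com" entry is the one the answer suggests.

```python
# Added example, not Postfix code: a model of how a domain name is looked up
# in an access map, with and without "smtpd_access_maps" in
# parent_domain_matches_subdomains.  Table contents are constructed.

# The FAQ's original table: only the bare domain.
ACCESS_MAP = {
    "example.com": "REJECT No spam accepted",
}

# The table the FAQ suggests when subdomain matching is turned off.
ACCESS_MAP_DOTTED = {
    "example.com": "REJECT No spam accepted",
    ".example.com": "REJECT No spam accepted",
}


def lookup_domain(name, table, match_subdomains):
    """Return (matched_key, action) or None.

    The full name is tried first.  Then every parent domain is tried, down
    to the top-level label: as "parent" when match_subdomains is True
    (smtpd_access_maps listed in parent_domain_matches_subdomains), and as
    ".parent" when it is False.
    """
    name = name.lower().rstrip(".")
    if name in table:
        return name, table[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        key = parent if match_subdomains else "." + parent
        if key in table:
            return key, table[key]
    return None


def is_rejected(name, table, match_subdomains):
    """True when the lookup yields a REJECT action."""
    hit = lookup_domain(name, table, match_subdomains)
    return hit is not None and hit[1].upper().startswith("REJECT")


if __name__ == "__main__":
    for flag in (True, False):
        for table_name, table in (("bare only", ACCESS_MAP), ("with .example.com", ACCESS_MAP_DOTTED)):
            print(f"subdomain matching {flag!s:5} / {table_name:18}:",
                  "host.example.com ->", lookup_domain("host.example.com", table, flag))
```

The case that usually surprises people is the second one: with "smtpd_access_maps" removed, the bare "example.com" entry no longer catches host.example.com, but it also never catches a look-alike such as notexample.com in either mode, because the match is on whole labels, not substrings.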
71. Do people generally have success with setting strict_7bit_headers = yes?
That parameter tends to be quite strict and rejects a lot of mail. If you just want to block messages with lots of garbage characters in the header, try the following regexp check in your header_checks map:
/[^[:print:]]{7}/ REJECT Your mailer is not RFC 2047 compliant
This will block messages with at least seven consecutive non-printable characters in a single header line.
72. I have two MX hosts configured in my DNS. I have great spam checking set up on my first MX system, but I'm getting a lot of spam delivered directly to the backup MX even though the primary is available. Is there a way to force mail to the primary when it's up?
There's no way to force spammers to deliver anywhere. If you run a secondary MX system, make sure that it's configured with exactly the same UBE checks or it will let spam through. If you can't configure it the same for some reason, just eliminate it. Many sites now operate with a single mail exchanger for this very reason. Since legitimate messages are normally retried for a matter of days, you will only lose mail if your mail server goes down for an extended period of time.
Anti-Virus
73. Can I block certain attachments based on the extension of the file name?
Yes, you can achieve limited virus blocking with header_checks. Configure a check that will reject messages with attachments that have executable or otherwise dangerous extensions. Here's a check to get you started (regexp version):
/^content-(type|disposition):.*name[[:space:]]*=.*\.(exe|pif)/ REJECT We cannot accept executable attachments
and in pcre:
/^content-(type|disposition):.*name\s*=.*\.(exe|pif)/ REJECT We cannot accept executable attachments
You should add in as many dangerous extensions as you need for your users' platform(s) in addition to "exe" and "pif" (hint: there are a lot for Windows). You're better off with an actual virus scanning package.
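To see the attachment check from this question and the encoding caveat from questions 63 and 64 in action, here is an added example (not from the FAQ and not Postfix code). It models header_checks and body_checks as Postfix applies them, one line at a time, on a message constructed with Python's email library: the extension pattern fires on the attachment's Content-Disposition line, a plain-text body containing the question 61 pattern is caught, and the same body sent base64-encoded slips past the raw-line check until it is decoded. The patterns are written in Python re syntax, which is close to the pcre form above; the sender, recipient, attachment bytes and body text are all constructed.

```python
import re
from email.message import EmailMessage

# Added example, not from the FAQ or from Postfix: a line-at-a-time model of
# header_checks and body_checks.  The message, addresses and attachment
# bytes are constructed for the demonstration.

# The pcre check from question 73, in Python re syntax.
ATTACHMENT_CHECK = re.compile(
    r"^content-(type|disposition):.*name\s*=.*\.(exe|pif)", re.IGNORECASE)
# The body pattern from question 61.
BODY_CHECK = re.compile(r"freehotsex", re.IGNORECASE)


def build_message(body_text, attach_name="invoice.exe", cte="7bit"):
    """Constructed sample: a text body plus one small binary attachment.
    cte selects the Content-Transfer-Encoding of the text part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "user@example.com"
    msg["Subject"] = "weekly report"
    msg.set_content(body_text, cte=cte)
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg


def header_line_matches(line, pattern=ATTACHMENT_CHECK):
    """One header line, the way postmap -q tests it."""
    return pattern.search(line) is not None


def header_check_hits(msg, pattern=ATTACHMENT_CHECK):
    """Run the pattern over every header line of every MIME part.  Postfix
    uses header_checks for the message header and mime_header_checks for
    part headers; this model treats both alike."""
    hits = []
    for part in msg.walk():
        for name, value in part.items():
            line = f"{name}: {value}"
            if pattern.search(line):
                hits.append(line)
    return hits


def body_check_hits(msg, pattern=BODY_CHECK, decoded=False):
    """Run the pattern line by line over each non-multipart body part,
    either on the lines as transmitted (what body_checks sees) or after
    undoing the transfer encoding (what the recipient's client shows)."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if decoded:
            text = part.get_payload(decode=True).decode("utf-8", "replace")
        else:
            text = part.get_payload()
        for line in text.splitlines():
            if pattern.search(line):
                hits.append(line)
    return hits


BODY = "Visit freehotsex dot example for the blocked-string report.\n"   # constructed


def demo():
    """Return hit counts for (plain body, base64 body as sent, base64 body decoded)."""
    plain = build_message(BODY, cte="7bit")
    encoded = build_message(BODY, cte="base64")
    return (len(body_check_hits(plain)),
            len(body_check_hits(encoded)),
            len(body_check_hits(encoded, decoded=True)))


if __name__ == "__main__":
    print("header hits:", header_check_hits(build_message(BODY)))
    print("body hits (plain, base64 raw, base64 decoded):", demo())
```

The header check sees the attachment regardless of how the body is encoded, because MIME part headers are never transfer-encoded; the body check only sees the base64 lines, which is why an encoded message sails through and why the FAQ suggests that route for sending your own log reports.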