Postfix user sender restriction

Hello all!

Today we want to restrict which destinations local users can send mail to!

1. First step

postconf -e 'smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/restricted_senders'
postconf -e 'smtpd_restriction_classes = local_only'
postconf -e 'local_only = check_recipient_access hash:/etc/postfix/local_domains, reject'

2. Step 2 Then create the file /etc/postfix/restricted_senders which looks similar to this one:        local_only       local_only

3. Final step Afterwards create /etc/postfix/local_domains which should look similar to this:                  OK                 OK             OK

After this, restart your Postfix server! Enjoy!
(Source: thanks, falko)

How to remove a lot of mail from mailq with a few CLI commands.


We have a lot of mail with errors like:

D7AF9121256 34341 Tue Nov 21 11:19:27 MAILER-DAEMON ……….

We want to remove them.

First command:

mailq | grep MAILER-DAEMON | awk '{ print $1 }' > /root/mailq-201711.txt

Here we catch the ID (like D7AF9121256) of each mail and save it in the file /root/mailq-201711.txt.

cat /root/mailq-201711.txt


Now we have to remove the character * from each ID, because otherwise we get an error in the next commands.
Open the file /root/mailq-201711.txt with vim and execute the command :1,$ s/*/<space>/g, where 1 is the first line and $ is the last line. Save the file and exit ( :wq ).

And now delete the mails from mailq with:

while read -r i; do postsuper -d "$i"; done </root/mailq-201711.txt

After reading each line, the loop deletes that ID with postsuper -d "$i" and reads the next line. Enjoy!
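
The same selection done in one pass, as an added example that is not part of the original post: awk accepts only queue header lines whose sender field is MAILER-DAEMON and strips the * (active queue) or ! (hold queue) marker, so the manual vim step is not needed. The function names and the sample listing are constructed for illustration.

```bash
# Constructed mailq listing (illustrative, not from a real server).
sample_mailq() {
cat <<'EOF'
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D7AF9121256*   34341 Tue Nov 21 11:19:27  MAILER-DAEMON
                                         user1@example.org

A1B2C3D4E5F     1200 Tue Nov 21 11:20:02  alice@example.org
(delivery temporarily suspended: bounce from MAILER-DAEMON pending)
                                         bob@example.net

3F00AB77C21!    5120 Tue Nov 21 11:25:40  MAILER-DAEMON
                                         user2@example.org

-- 40 Kbytes in 3 Requests.
EOF
}

# Read mailq output on stdin; print the queue ID of every message whose
# envelope sender is exactly $1.
queue_ids_from() {
    awk -v sender="$1" '
        # Header line: queue ID (optionally marked * or !), size,
        # four date fields, then the sender as field 7.
        NF == 7 && $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $7 == sender {
            id = $1
            sub(/[*!]$/, "", id)   # postsuper wants the bare ID
            print id
        }'
}

# Demo on the sample. A plain grep would also hit the "(delivery ..."
# reason line of the alice message and emit "(delivery" as an ID.
sample_mailq | queue_ids_from MAILER-DAEMON

# On a live server (not run here):
#   mailq | queue_ids_from MAILER-DAEMON | postsuper -d -
```

postsuper -d - reads the queue IDs from standard input, so the while loop is not needed either.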

Imapsync script, or how to move many email accounts easily.

Today I will post a script that shows you how to easily move many email accounts from an old mail server to a new server.
The story: We have many accounts and we know the details of every account (user and password).

The script

# Example for imapsync massive migration on Unix systems.
# Data is supposed to be in file.txt in the following format
# user001_1;password001_1;user001_2;password001_2
# Do not forget to put absolute path
# Separator is character semi-colon ; it can be changed
# by any character changing IFS=';'
# Each data line contains 4 columns, columns are
# parameters for --user1 --password1 --user2 --password2
# Replace the HOST1 and HOST2 placeholder values below
# with your own hostname values.
# This loop will also create a log file called
# LOG/log_${u2}_$NOW.txt for each account transfer
# where u2 is just a variable containing the user2
# account name, and NOW is the current date_time
# Note: file.txt holds plaintext passwords, so keep it readable by root only.
# --password1/--password2 are visible in the process list while imapsync
# runs; imapsync also accepts --passfile1/--passfile2.

HOST1="OLD_SERVER_HOSTNAME"   # placeholder: source IMAP server
HOST2="NEW_SERVER_HOSTNAME"   # placeholder: destination IMAP server

mkdir -p LOG
{ while IFS=';' read -r u1 p1 u2 p2
    do
         # Skip commented lines in file.txt
         { echo "$u1" | grep -E "^#" ; } > /dev/null && continue
         NOW=$(date +%Y_%m_%d_%H_%M_%S)
         echo syncing to user "$u2"
         imapsync --host1 "$HOST1" --addheader --user1 "$u1" --password1 "$p1" \
                  --host2 "$HOST2" --user2 "$u2" --password2 "$p2" \
                  > "LOG/log_${u2}_$NOW.txt" 2>&1
    done
} < /etc/rc.d/file.txt
### Do not forget to put absolute path to your file "file.txt" or whatever you name it.

Example for file.txt. (I put different examples of user and password.)


Hope this page will help you!

How to upgrade Postfixadmin from old version to new version.

Hello, we need now to upgrade from postfixadmin-2.3.5 to postfixadmin-3.0.2.

This document describes upgrading from an older PostfixAdmin version >= v1.5x on CentOS Linux.

1: Back up the database and files!

[root@mail html]# cp -p -R postfixadmin-2.3.5 postfixadmin-2.3.5-bkp
[root@mail html]# mysqldump -uroot -p --routines --single-transaction postfix > /root/work/postfix-sqldump.sql

2: Go to html directory

[root@mail html]# cd /var/www/html/

Get new archive

[root@mail html]# wget

Unarchive new Postfix Admin

[root@mail html]# tar -zxvf postfixadmin-3.0.2.tar.gz

3: Change permissions

[root@mail html]# cd /var/www/html/postfixadmin-3.0.2
[root@mail postfixadmin-3.0.2]# find -type f -print0 | xargs -0 chmod 640
[root@mail postfixadmin-3.0.2]# find -type f -print0 | xargs -0 chown root:apache
[root@mail postfixadmin-3.0.2]# chown -R apache. templates_c/

( if your Apache runs as user “apache” )

4: Configure

Check the file. There you can specify settings that are relevant to your setup.

Comparing with your previous using “diff” might save you some time.

You can use a config.local.php file to contain your local settings. These will override any defined in – and save some time when upgrading to a new version of PostfixAdmin 😉

5: Run setup.php

Go to your Apache vhost and change the path.

[root@mail html]# vim /etc/httpd/conf/httpd.conf

ServerPath /postfixadmin-3.0.2
DocumentRoot /var/www/html/postfixadmin-3.0.2
CustomLog /var/log/httpd/postfixadmin_access.log combined
ErrorLog /var/log/httpd/postfixadmin_error.log

Restart apache service:
[root@mail html]# service httpd restart

Now we run setup.php
I open a new tab in my browser and type

If it is OK, you should see something like this:

Postfix Admin Setup Checker

Running software:

  • PHP version 5.3.3
  • Apache

Checking for dependencies:

  • Magic Quotes: Disabled – OK
  • Depends on: presence – OK
  • Checking $CONF[‘configured’] – OK
  • Smarty template compile directory is writable – OK
  • Depends on: MySQL 3.23, 4.0 – OK
  • Depends on: MySQL 4.1 – OK
    (change the database_type to ‘mysqli’ in if you want to use MySQL)
  • Depends on: SQLite – OK
    (change the database_type to ‘sqlite’ in if you want to use SQLite)
  • Testing database connection – OK – mysql://postfix:xxxxx@localhost/postfix
  • Depends on: session – OK
  • Depends on: pcre – OK
  • Depends on: multibyte string – OK
  • Depends on: IMAP functions – OK

Everything seems fine… attempting to create/update database structure

Database is up to date

Since version 2.3, PostfixAdmin supports alias domains ($CONF[‘alias_domain’]).
If you want to use them, you have to add some queries to your postfix config – see POSTFIX_CONF for details.

This is all that is needed.

How to set up DMARC for your domain.

The Domain-based Message Authentication, Reporting and Conformance (DMARC) DNS record allows an email sender (which is already using DKIM, SPF or both) to indicate to a mail receiver one or more of the following:

Indicate the mechanisms the sender uses to authenticate its email (DKIM, SPF or both). Some of this functionality is already provided for separately within DKIM (the ADSP capability) and SPF (the pre field) but DMARC enables a comprehensive definition covering both systems.

Indicate comprehensively for DKIM, SPF or both how to handle mail that fails validity checks.

Optionally requests the receiver to send a feedback report (defined by the Abuse Report Format – RFC 5965 or the Incident Object Description Exchange Format – RFC 5070) which allows the mail sender to monitor and change its policies based on receiver feedback. Both individual and aggregate report formats are allowed. This capability is uniquely triggered by the DMARC RR.

DMARC can be viewed as a meta RR that describes the sender’s email policy, comprising DKIM or SPF or both, for any domain. While the draft RFC does not explicitly say anything about the ADSP feature of DKIM it does go out of its way to identify ADSP shortcomings. On balance it would probably be confusing, if not a serious mistake, to have both ADSP and DMARC RRs for any domain.

DMARC is defined by RFC 7489. The web site claims that more than 2 billion email accounts are covered by DMARC. RFC 7960 describes various methods by which, what it charmingly calls ‘indirect email flows’, can be prevented from wreaking untold havoc on email delivery to DMARC enabled recipients.

1. Single Domain Name using DKIM and SPF – Aggressive
Just add this line to your DNS zone:

_dmarc TXT ( "v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;")

If you do not want to be aggressive, change the policy p=reject; to p=none;
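
A check for the record above, as an added example that is not part of the original post: a small linter that applies the tag rules of RFC 7489 to one TXT value. The function name dmarc_lint is made up here; run on the record as printed on this page, it reports that no rua tag is present and that fo has no effect without ruf.

```bash
# Lint one DMARC TXT value. Prints one finding per line, or "ok".
dmarc_lint() {
    printf '%s\n' "$1" | awk '
    function flag(msg) { print msg; findings++ }
    function chk(k, re) {
        if ((k in tag) && tag[k] !~ re) flag("invalid " k "=" tag[k])
    }
    {
        n = split($0, parts, ";")
        for (i = 1; i <= n; i++) {
            t = parts[i]
            gsub(/[ \t]/, "", t)          # tags may be padded with spaces
            if (t == "") continue
            eq = index(t, "=")
            if (eq < 2) { flag("malformed tag: " t); continue }
            k = substr(t, 1, eq - 1)
            v = substr(t, eq + 1)
            if (++seen == 1 && (k != "v" || v != "DMARC1"))
                flag("v=DMARC1 must be the first tag")
            tag[k] = v
        }
        if (!("p" in tag)) flag("p is required")
        chk("p",     "^(none|quarantine|reject)$")
        chk("sp",    "^(none|quarantine|reject)$")
        chk("adkim", "^[rs]$")
        chk("aspf",  "^[rs]$")
        if (("pct" in tag) && (tag["pct"] !~ /^[0-9]+$/ || tag["pct"] + 0 > 100))
            flag("pct must be 0-100")
        # Reporting tags only matter when a report address is published.
        if (!("rua" in tag)) flag("no rua: aggregate reports are not requested")
        if (("fo" in tag) && !("ruf" in tag)) flag("fo is ignored without ruf")
        if (!findings) print "ok"
    }'
}

# The record as printed on this page:
dmarc_lint 'v=DMARC1;p=reject;sp=reject;pct=100; adkim=r;aspf=r;fo=1;ri=86400;'
```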


How to install DKIM with OpenDKIM and Postfix on CentOS 7

Hello, today we install DKIM on CentOS 7 with Postfix.

# yum install opendkim

Next step to do is to configure OpenDKIM.

# cp /etc/opendkim.conf /etc/opendkim.conf.orig
# vim /etc/opendkim.conf

Options should be like this:

PidFile    /var/run/opendkim/
Mode    sv
Syslog    yes
SyslogSuccess    yes
LogWhy    yes
UserID    opendkim:opendkim
Socket    inet:8891@localhost
Umask    002
Canonicalization    relaxed/relaxed
Selector    default
MinimumKeyBits 1024
KeyTable    refile:/etc/opendkim/KeyTable
SigningTable    refile:/etc/opendkim/SigningTable
ExternalIgnoreList    refile:/etc/opendkim/TrustedHosts
InternalHosts    refile:/etc/opendkim/TrustedHosts

Next step we have to edit /etc/opendkim/TrustedHosts

# vim /etc/opendkim/TrustedHosts

Now we edit /etc/opendkim/KeyTable

vim /etc/opendkim/KeyTable

Now OpenDKIM needs to know the relation between mail addresses and domains, so we should configure the SigningTable file.

vim /etc/opendkim/SigningTable


Now we generate one keypair for each domain

cd /etc/opendkim/keys
opendkim-genkey -D /etc/opendkim/keys/ -d -s

You will get:

[root@mail keys]# ls -l
total 8
-rw------- 1 root root 891 apr 25 22:02
-rw------- 1 root root 344 apr 25 22:02

We have to change private keys owner.

[root@mail keys]# chown -R opendkim. /etc/opendkim/keys/

Restart opendkim and enable

 systemctl restart opendkim.service
 systemctl enable opendkim.service

Integrate opendkim with postfix:

 vim /etc/postfix/

and append these lines

milter_default_action = accept
smtpd_milters = inet:

Finally, the most important step is to publish your public keys in DNS.


default._domainkey IN TXT ( "v=DKIM1; k=rsa; "
"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDh1hbzE5Ae83qLXL/DKAhTmOYXzLG3+RfdjG9nbv+zH/STABdYpU7kQKAs0M9X1bdIe8We8Bs//vKqqtgOB/j/jwcH+VMou3wBEULshzQK6qoBSb413qdGEnXIHUP3e9p4VttlebSp5w/3dLaOpNFNUMKz6Xb2Pa8xlxn5DgNrYQIDAQAB" ) ; ----- DKIM key for

Restart Postfix:

 systemctl restart postfix.service

How do we test if it works?

 dig TXT +short

P.S. in dns we start with default._domainkey IN TXT ……

Amavisd + SpamAssassin not working? No mail header X-Spam.

If you want Amavisd to insert X-Spam-* headers in each email, decrease the Amavisd setting $sa_tag_level_deflt (in the Amavisd config file) to a very low score, e.g. -999, then restart the Amavisd service:

$sa_tag_level_deflt  = -999;

That means Amavisd will insert X-Spam-Flag and other X-Spam-* headers when email score >= -999.

Do not forget to restart the Amavisd service.


[Solved] Error: virtual_mailbox_limit is smaller than message_size_limit

If you get this error in the Postfix mail log, we have a solution.

fatal: configuration error: mailbox_size_limit is smaller than message_size_limit

Show information about mailbox_size_limit and message_size_limit:

[root@email ~]# postconf -n | grep virtual_mailbox_limit
virtual_mailbox_limit = 51200000
[root@email ~]# postconf -n | grep message_size_limit
message_size_limit = 52928640

Now set a new value for virtual_mailbox_limit (bigger than message_size_limit) as follows:

postconf -e 'virtual_mailbox_limit = 102400000'

(Replace 102400000 with a value of your choice.)

As an alternative, you can disable virtual_mailbox_limit by setting it to 0:

postconf -e 'virtual_mailbox_limit = 0'

/etc/init.d/postfix restart