to keep the main guide approximately clean, here’s some more comments


alternatives / more options

#smtpd_tls_security_level = may
#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

#smtp_tls_security_level = may
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

#both directions
#smtp_tls_enforce_peername = yes (default)

unverified_sender and its false-positives

we did NOT enable the unverified_sender feature as it is too restrictive – this prevents unreal addresses to send you messages. try to book a hotel or a flight with that and you will feel the pain. now in case you DO enable it,



unverified_sender_reject_code = 550
unverified_sender_reject_reason = Address verification failed
address_verify_map = proxy:btree:$data_directory/verify_cache
address_verify_cache_cleanup_interval = 72h

#unverified_sender_defer_code = 250 #Postfix 2.6 and later
#proxy_write_maps = $smtp_sasl_auth_cache_name $lmtp_sasl_auth_cache_name $address_verify_map $postscreen_cache_map

you will then need to deal with false-positives on the domains that do not pass through

vi /etc/postfix/client_access       OK

postmap /etc/postfix/sender_access


while starting Postfix

postfix/postfix-script: warning: group or other writable: /usr/lib/postfix/./sbin/lmtp

==> don’t give a fuck about it, it’s complaining about symlinks' rights which point to files with OKAY permissions.

in the logs

close database /var/lib/postfix/verify_cache.db: No such file or directory (possible Berkeley DB bug)

==> use proxy: in the address_verify_map statement as shown above.

you are triggering reject_unknown_client_hostname or reject_unknown_reverse_client_hostname while you’ve just updated client’s DNS records?

54 5.7.25 Client host rejected: cannot find your hostname, [x.x.x.x]

==> if something fails, it won’t re-check again for a certain time – restart postfix or alter address_verify_negative_cache (default: yes)


backup mx

Setting Up Postfix As A Backup MX

Configuring Postfix as backup MX host

Postfix as backup MX