I thought I'd be clever and add amavis/spamassassin/clamav to my working Postfix installation. I got it working and then made a change. Walked away, had a beer, then found out I'd mucked up. This is what's happening now
Oct 2 22:01:59 wilma postfix/smtpd[1048101]: Anonymous TLS connection established from mail-pf1-f172.google.com[209.85.210.172]: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Oct 2 22:01:59 wilma postfix/smtpd[1048101]: warning: connect to private/policy: Connection refused
Oct 2 22:01:59 wilma postfix/smtpd[1048101]: warning: problem talking to server private/policy: Connection refused
Oct 2 22:02:00 wilma postfix/smtpd[1048101]: warning: connect to private/policy: Connection refused
Oct 2 22:02:00 wilma postfix/smtpd[1048101]: warning: problem talking to server private/policy: Connection refused
Oct 2 22:02:00 wilma postfix/smtpd[1048101]: NOQUEUE: reject: RCPT from mail-pf1-f172.google.com[209.85.210.172]: 451 4.3.5 <[email protected]>: Recipient address rejected: Server configuration problem; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<mail-pf1-f172.google.com>
Oct 2 22:02:02 wilma postfix/smtpd[1048101]: disconnect from mail-pf1-f172.google.com[209.85.210.172] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7
I've searched Google high and low looking for an answer, it seems that "451 4.3.5" is a generic error thing.
Here is master.cf …
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
smtp-amavis unix - - n - 2 smtp -o syslog_name=postfix/amavis -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n - n - - smtpd -o syslog_name=postfix/10025 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
main.cf is
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
default_privs = mail
delay_warning_time = 4
header_checks = regexp:/etc/postfix/regexp_table
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/virtual
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 3221225472
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25971520
mydestination = $myhostname, localhost.$mydomain, $mydomain, lists.$mydomain
mydomain = mike-mac.gen.nz
myhostname = mail.mike-mac.gen.nz
mynetworks = 192.168.1.0/24 192.168.3.0/24 webmail.mike-mac.gen.nz localhost.localdomain localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
reject_code = 550
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_hard_error_limit = 4
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, check_policy_service unix:private/policy, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/Email_cert/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/Email_cert/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
strict_mailbox_ownership = no
tls_random_source = dev:/dev/urandom
undisclosed_recipients_header = To: NotSayingWhoGetsThis:;
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:12
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = hash:/etc/postfix/vmaildomains
virtual_mailbox_limit = 2147483648
virtual_mailbox_maps = hash:/etc/postfix/vmailbox,hash:/etc/postfix/virtual-user-map-family.kiwi.nz,hash:/etc/postfix/virtual-user-map-coders.kiwi.nz,hash:/etc/postfix/virtual-user-map-mak.co.nz,hash:/etc/postfix/virtual-user-map-lessonplans.kiwi.nz
virtual_minimum_uid = 1
virtual_transport = virtual
virtual_uid_maps = static:8`
The running daemons are
systemctl status postfix postgrey amavis spamassassin clamav-freshclam
● postfix.service - Postfix Mail Transport Agent
Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
Active: active (exited) since Sat 2021-10-02 21:58:34 NZDT; 29min ago
Process: 1047688 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 1047688 (code=exited, status=0/SUCCESS)
Oct 02 21:58:34 wilma systemd[1]: Starting Postfix Mail Transport Agent...
Oct 02 21:58:34 wilma systemd[1]: Finished Postfix Mail Transport Agent.
● postgrey.service - LSB: Start/stop the postgrey daemon
Loaded: loaded (/etc/init.d/postgrey; generated)
Active: active (running) since Sat 2021-10-02 21:58:34 NZDT; 29min ago
Docs: man:systemd-sysv-generator(8)
Process: 1047510 ExecStart=/etc/init.d/postgrey start (code=exited, status=0/SUCCESS)
Tasks: 1 (limit: 17839)
Memory: 18.7M
CGroup: /system.slice/postgrey.service
└─1039871 postgrey --pidfile=/var/run/postgrey.pid --daemonize --inet=10023
Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 194.7.234.142/32
Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 194.7.234.143/32
Oct 02 21:58:34 wilma postgrey[1047518]: whitelisted: 213.143.66.210/32
Oct 02 21:58:34 wilma postgrey[1047518]: Pid_file "/var/run/postgrey.pid" already exists. Overwriting!
Oct 02 21:58:34 wilma postgrey[1047583]: Process Backgrounded
Oct 02 21:58:34 wilma systemd[1]: Started LSB: Start/stop the postgrey daemon.
Oct 02 21:58:34 wilma postgrey[1047510]: ...done.
Oct 02 21:58:34 wilma postgrey[1047583]: 2021/10/02-21:58:34 postgrey (type Net::Server::Multiplex) starting! pid(1047583)
Oct 02 21:58:34 wilma postgrey[1047583]: Resolved [localhost]:10023 to [127.0.0.1]:10023, IPv4
Oct 02 21:58:34 wilma postgrey[1047583]: Binding to TCP port 10023 on host 127.0.0.1 with IPv4
● amavis.service - LSB: Starts amavisd-new mailfilter
Loaded: loaded (/etc/init.d/amavis; generated)
Active: active (running) since Sat 2021-10-02 21:58:35 NZDT; 29min ago
Docs: man:systemd-sysv-generator(8)
Process: 1047562 ExecStart=/etc/init.d/amavis start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 17839)
Memory: 160.8M
CGroup: /system.slice/amavis.service
├─1047705 /usr/sbin/amavisd-new (master)
├─1047714 /usr/sbin/amavisd-new (virgin child)
└─1047715 /usr/sbin/amavisd-new (virgin child)
Oct 02 21:58:35 wilma amavis[1047705]: No ext program for .zoo, tried: zoo
Oct 02 21:58:35 wilma amavis[1047705]: No ext program for .doc, tried: ripole
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for .F
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for .doc
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for .lrz
Oct 02 21:58:35 wilma amavis[1047705]: No decoder for .zoo
Oct 02 21:58:35 wilma amavis[1047562]: Starting amavisd: amavisd-new.
Oct 02 21:58:35 wilma amavis[1047705]: Using primary internal av scanner code for ClamAV-clamd
Oct 02 21:58:35 wilma systemd[1]: Started LSB: Starts amavisd-new mailfilter.
Oct 02 21:58:35 wilma amavis[1047705]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
● spamassassin.service - Perl-based spam filter using text analysis
Loaded: loaded (/lib/systemd/system/spamassassin.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-10-02 21:58:36 NZDT; 29min ago
Process: 1047534 ExecStart=/usr/sbin/spamd -d --pidfile=/run/spamd.pid $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 1047641 (spamd)
Tasks: 3 (limit: 17839)
Memory: 109.2M
CGroup: /system.slice/spamassassin.service
├─1047641 /usr/bin/perl -T -w /usr/sbin/spamd -d --pidfile=/run/spamd.pid --create-prefs --max-children 5 --username >
├─1047711 spamd child
└─1047712 spamd child
Oct 02 21:58:33 wilma systemd[1]: Starting Perl-based spam filter using text analysis...
Oct 02 21:58:36 wilma systemd[1]: Started Perl-based spam filter using text analysis.
● clamav-freshclam.service - ClamAV virus database updater
Loaded: loaded (/lib/systemd/system/clamav-freshclam.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-10-02 16:08:46 NZDT; 6h ago
Docs: man:freshclam(1)
man:freshclam.conf(5)
https://www.clamav.net/documents
Main PID: 990816 (freshclam)
Tasks: 1 (limit: 17839)
Memory: 227.4M
CGroup: /system.slice/clamav-freshclam.service
└─990816 /usr/bin/freshclam -d --foreground=true
Oct 02 21:09:46 wilma freshclam[990816]: Sat Oct 2 21:09:46 2021 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, >
Oct 02 21:09:46 wilma freshclam[990816]: Sat Oct 2 21:09:46 2021 -> bytecode.cld database is up-to-date (version: 333, sigs: 92, >
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> Received signal: wake up
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> ClamAV update process started at Sat Oct 2 22:09:46 2021
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> ^Your ClamAV installation is OUTDATED!
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> ^Local version: 0.103.2 Recommended version: 0.103.3
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> DON'T PANIC! Read https://www.clamav.net/documents/upgrading->
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> daily.cvd database is up-to-date (version: 26309, sigs: 19380>
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> main.cvd database is up-to-date (version: 62, sigs: 6647427, >
Oct 02 22:09:46 wilma freshclam[990816]: Sat Oct 2 22:09:46 2021 -> bytecode.cld database is up-to-date (version: 333, sigs: 92,
I realise my biggest mistake was one of stupidity, I should have taken backups of the main and master.cf files before starting. Having said that, can anyone see what I can't ?
postconf -n
access_map_reject_code = 550
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
content_filter = smtp-amavis:[127.0.0.1]:10024
data_directory = /var/lib/postfix
debug_peer_level = 1
debug_peer_list =
default_privs = mail
delay_warning_time = 4
header_checks = regexp:/etc/postfix/regexp_table
html_directory = no
in_flow_delay = 1s
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps = unix:passwd.byname $alias_maps
local_transport = local
mail_owner = postfix
mail_spool_directory = /var/virtual
mailbox_command = /usr/bin/procmail -a "$EXTENSION"
mailbox_size_limit = 3221225472
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 25971520
mydestination = $myhostname, localhost.$mydomain, $mydomain, lists.$mydomain
mydomain = mike-mac.gen.nz
myhostname = mail.mike-mac.gen.nz
mynetworks = 192.168.1.0/24 192.168.3.0/24 webmail.mike-mac.gen.nz localhost.localdomain localhost
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.0.13/README_FILES
receive_override_options = no_address_mappings
recipient_delimiter = +
reject_code = 550
sample_directory = /usr/share/doc/postfix-2.0.13/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtpd_hard_error_limit = 4
smtpd_helo_required = no
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access
smtpd_proxy_options = speed_adjust
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, check_policy_service unix:private/policy, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client cbl.abuseat.org
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 2
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/Email_cert/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/Email_cert/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
strict_mailbox_ownership = no
tls_random_source = dev:/dev/urandom
undisclosed_recipients_header = To: NotSayingWhoGetsThis:;
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_gid_maps = static:12
virtual_mailbox_base = /var/virtual
virtual_mailbox_domains = hash:/etc/postfix/vmaildomains
virtual_mailbox_limit = 2147483648
virtual_mailbox_maps = hash:/etc/postfix/vmailbox,hash:/etc/postfix/virtual-user-map-family.kiwi.nz,hash:/etc/postfix/virtual-user-map-coders.kiwi.nz,hash:/etc/postfix/virtual-user-map-mak.co.nz,hash:/etc/postfix/virtual-user-map-lessonplans.kiwi.nz
virtual_minimum_uid = 1
virtual_transport = virtual
virtual_uid_maps = static:8
postconf -M
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
smtp-amavis unix - - n - 2 smtp -o syslog_name=postfix/amavis -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes -o max_use=20 -o smtp_tls_security_level=none
127.0.0.1:10025 inet n - n - - smtpd -o syslog_name=postfix/10025 -o content_filter= -o mynetworks_style=host -o mynetworks=127.0.0.0/8 -o local_recipient_maps= -o relay_recipient_maps= -o strict_rfc821_envelopes=yes -o smtp_tls_security_level=none -o smtpd_tls_security_level=none -o smtpd_restriction_classes= -o smtpd_delay_reject=no -o smtpd_client_restrictions=permit_mynetworks,reject -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o smtpd_end_of_data_restrictions= -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_count_limit=0 -o smtpd_client_connection_rate_limit=0 -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings
Best Answer
Postfix cannot process mail because your
smtpd_recipient_restrictions
configuration instructs tocheck_policy_service
, but the referenced policy service cannot be queried (likely, because it is no longer started).That setting specifies a UNIX socket path relative to the chroot (i.e.
/var/spool/postfix/private
), but neither does the name say what this is, nor does yourmaster.cf
contain a line that would make postfix start such policy service to listen on that socket.Since your
postconf -M
dump does not mention it.. you may have unintentionally deleted a line in yourmaster.cf
that was supposed start it. If it was started by other means, it would not likely be placed into theprivate
directory.Did you setup any additional mail filters, like rate limiting, SPF or temporary deferrals ("greylisting")? If my guess is correct and this was previously configured in your
master.cf
, all you have to do isunix:private/policy
is queried.You may find useful information on what was previously listening on that UNIX socket by investigating file ownership, or searching for logs mentioning
private/policy
but predating your recent changes.