Postfix – rewrite From address and add Reply-to header with primary address

My objective was a mail server with a single DKIM key that would serve as the outgoing mail server for contact forms … The idea is that you don't need multiple DKIM keys, because all mail is sent from a single domain; at the same time the server should add a Reply-To header with the primary (real) email address, so that when the recipient replies, the reply goes to the real mailbox.

The problem was rewriting the From header and adding the Reply-To header with the primary address at the same time. My first idea was two header_checks rules: the first would prepend a Reply-To with the primary address, the second would rewrite the From address with the new domain part. That doesn't work, because header_checks stops at the first pattern that matches a given header: only one action is applied per header, so a second rule for From is never reached.

I also wanted the local part (the user part before the @) to be kept and only the domain rewritten. I used a sender canonical map to rewrite the domain, but still no luck: the message headers still carried the old From address, so the message was not DKIM-signed because the From domain did not match the signing domain. What did the trick was adding local_header_rewrite_clients. By default Postfix only rewrites message headers for mail that originates on the local machine; this setting extends header rewriting to SASL-authenticated clients and to clients listed in mynetworks.

Here is the whole configuration:

main.cf:
### rewrite domain & add reply-to & rewrite message-id
local_header_rewrite_clients = permit_sasl_authenticated, permit_mynetworks
canonical_classes = envelope_sender, header_sender
canonical_maps = regexp:/etc/postfix/sender_canonical
header_checks = regexp:/etc/postfix/header_checks

header_checks:
/^From:\s*(.*<)?([^@]+)@([^>]+)>?/ PREPEND Reply-To: <${2}@${3}>
/^Message-Id:\s+<(.*?)@([^>]+)>/ REPLACE Message-Id: <${1}@newdomain.com>

sender_canonical:
/^<?([^@]+)@[^> ]+>?$/ ${1}@newdomain.com

DKIM SigningTable:
*@newdomain.com newdomain.com

Then point your application at the hostname of this mail server as its SMTP service (after a postfix reload). In my case the user has to authenticate. If you send mail from username@mydomain.com, a Reply-To header with that same address is added, From is replaced with username@newdomain.com, and the message is DKIM-signed for newdomain.com. If the end user replies to this mail, the Reply-To header is honoured and the reply is sent to the primary address username@mydomain.com and not to the non-existent username@newdomain.com. You can check the tables without sending mail: postmap -q "username@mydomain.com" regexp:/etc/postfix/sender_canonical should print username@newdomain.com, and postmap -q "From: username@mydomain.com" regexp:/etc/postfix/header_checks should print the PREPEND action with the Reply-To line. One caveat: because canonical_classes includes envelope_sender, the envelope sender (Return-Path) is rewritten as well, so bounces for these messages go to username@newdomain.com; make sure newdomain.com actually accepts and handles that mail, otherwise bounces are lost.
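To see what the three tables do to a message before touching a live server, here is an added simulation of the page's rewriting rules in Python. It is example code written for this page, not Postfix or the author's configuration; it applies the page's own regexp patterns in the order the page's result implies (header_checks see the original From address, then the From address is rewritten by the canonical map) and gates the canonical step on the client matching local_header_rewrite_clients, which is the failure mode the author hit. The domains, the sample message and the helper names are constructed for the example.

```python
import re

# Added simulation of the page's Postfix tables (example code, not Postfix itself).
# Assumption: "mydomain.com" / "newdomain.com" are the page's placeholder domains.
NEW_DOMAIN = "newdomain.com"

# header_checks table from the page; the first matching pattern wins per header.
# Postfix regexp: tables are case-insensitive by default, hence re.I.
HEADER_CHECKS = [
    (re.compile(r"^From:\s*(.*<)?([^@]+)@([^>]+)>?", re.I),
     "PREPEND", "Reply-To: <${2}@${3}>"),
    (re.compile(r"^Message-Id:\s+<(.*?)@([^>]+)>", re.I),
     "REPLACE", "Message-Id: <${1}@" + NEW_DOMAIN + ">"),
]

# sender_canonical table from the page, looked up with the bare address
# of From:/Sender: headers (header_sender class) and of the envelope sender.
CANONICAL = [
    (re.compile(r"^<?([^@]+)@[^> ]+>?$", re.I), "${1}@" + NEW_DOMAIN),
]

# An address inside a header value: optional <...> around user@domain.
ADDR_RE = re.compile(r"(<)?([^<>\s]+@[^<>\s]+)(>)?")


def expand(template, match):
    """Postfix-style ${N} substitution of capture groups."""
    return re.sub(r"\$\{(\d+)\}",
                  lambda g: match.group(int(g.group(1))) or "", template)


def apply_header_checks(headers):
    """Run each header through the table; stop at the first matching pattern."""
    out = []
    for line in headers:
        for pattern, action, text in HEADER_CHECKS:
            m = pattern.match(line)
            if m is None:
                continue
            if action == "PREPEND":      # new header goes in front, original kept
                out.append(expand(text, m))
                out.append(line)
            elif action == "REPLACE":    # original header replaced
                out.append(expand(text, m))
            break                        # no further patterns for this header
        else:
            out.append(line)
    return out


def canonical_address(addr):
    """Look up one bare address in the canonical table (first match wins)."""
    for pattern, repl in CANONICAL:
        m = pattern.match(addr)
        if m:
            return expand(repl, m)
    return addr


def apply_canonical(headers, client_is_local):
    """Rewrite From:/Sender: only when the client matches
    local_header_rewrite_clients; display names are kept."""
    if not client_is_local:
        return list(headers)
    out = []
    for line in headers:
        name, sep, value = line.partition(":")
        if name.strip().lower() in ("from", "sender"):
            value = ADDR_RE.sub(
                lambda m: (m.group(1) or "") + canonical_address(m.group(2))
                + (m.group(3) or ""), value)
        out.append(name + sep + value)
    return out


def rewrite_message(headers, client_is_local=True):
    """header_checks first, then canonical rewriting of From/Sender. The
    prepended Reply-To is not fed back through the canonical map, so it keeps
    the primary (original) address."""
    return apply_canonical(apply_header_checks(headers), client_is_local)


# Constructed sample message headers (not taken from the page).
SAMPLE = [
    "From: Alice Example <alice@mydomain.com>",
    "To: bob@example.net",
    "Message-Id: <20240101.abc123@mydomain.com>",
    "Subject: Contact form",
]

if __name__ == "__main__":
    print("\n".join(rewrite_message(SAMPLE)))
    print("---- client not matched by local_header_rewrite_clients ----")
    print("\n".join(rewrite_message(SAMPLE, client_is_local=False)))
```

Run with client_is_local=False and the output shows exactly the symptom from the text: Reply-To and Message-Id are rewritten (header_checks are not gated by local_header_rewrite_clients), but From still carries mydomain.com, so a signer keyed on newdomain.com finds nothing to sign.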

Slow email sending from cPanel SMTP

I received a few complaints from different people that sending email was really slow. This didn't make any sense, because no modifications had been made on the server.

After an hour I found that this was caused by the Exim setting "Delay SMTP Transaction". Quoting cPanel: The SMTP receiver will wait a few additional seconds for a connection when it detects spam messages in order to reduce inbound spam.

So it's another weapon against spam, but it makes sending slower as well.

You can disable this feature in Exim Configuration Manager -> ACL Options -> Introduce a delay into the SMTP transaction for unknown hosts and messages detected as spam.

Once it is disabled, sending email should be fast again. Bear in mind that this delay is a deliberate tarpit against spammers, so you are trading some inbound spam protection for faster sending.

CSF – whitelist user from SMTP_BLOCK

CSF has a great option, SMTP_BLOCK, which blocks outgoing SMTP connections for all users except root, exim and mailman. I had a problem with one user whose application used MailChimp for mass mailing; because of SMTP_BLOCK it wasn't working. Disabling SMTP_BLOCK globally is not recommended; instead you can whitelist the users that should be allowed to send directly.

Open the CSF configuration (csf.conf) and find SMTP_ALLOWUSER. Add the users that should be allowed, separated by commas. Don't forget to restart CSF (csf -r). Keep this list as short as possible: any process running as a whitelisted user, including a compromised web application, can then open outbound SMTP connections directly.

cPanel: Your server does not support the connection encryption type you have specified

If you get the message "Your server does not support the connection encryption type you have specified" when setting up an email account in Outlook, then chances are that your cPanel mail server has disabled an encryption protocol the client needs.

By default, cPanel disables all of these protocols: SSLv2, SSLv3, TLSv1 and TLSv1.1. SSLv2 and SSLv3 must stay disabled at all costs, but some older mail clients still cannot connect when TLS 1.1 or even TLS 1.0 is disabled.

To re-enable TLS 1.0 and TLS 1.1 in Exim, log in to WHM (the cPanel administrator interface) and go to Home -> Service Configuration -> Exim Configuration Manager. Select the second option (the Advanced Editor) so you can edit directives directly, and set Exim's openssl_options directive to this value, which disables only SSLv2 and SSLv3:

 openssl_options = +no_sslv2 +no_sslv3

Keep in mind that TLS 1.0 and TLS 1.1 are deprecated (RFC 8996) and have known weaknesses, so treat this as a temporary workaround for a legacy client and prefer updating the client to one that speaks TLS 1.2 or later. You can verify what the server accepts from the command line with openssl s_client -connect mail.example.com:465 -tls1_1 </dev/null (or -starttls smtp on port 587): a successful handshake prints the negotiated protocol, a refused one prints a handshake error.

malware acl condition: clamd: unable to send file body to socket (127.0.0.1)

If you see an error like this in your mail logs, then chances are that ClamAV cannot process attachments larger than the stream size limit set in its configuration. In that case the sender of a message with a large attachment gets a response like this, because Exim temporarily rejects the message (451), keeps retrying, and finally gives up:

[10.10.10.10] #<[10.10.10.10] #5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Default] 451-'Temporary local problem - please try later' (delivery attempts: 75)> #SMTP#

In your mail log you’ll see something like this:

+++ 1e248B-000NMy-T6 has not completed +++
1969-08-15 01:40:21 1e248B-000NMy-T6 malware acl condition: clamd : unable to send file body to socket (127.0.0.1)
1969-08-25 01:40:21 1e248B-000NMy-T6 H=some.hostname.com [1.1.1.1] X=TLSv1:RC4-SHA:128 CV=no F=<prvs=449d2f142=senders@email.com> temporarily rejected after DATA

To solve this, open the clamd configuration file (on my server /etc/clamav.conf; on most systems the setting lives in clamd.conf, e.g. /etc/clamd.conf or /etc/clamav/clamd.conf) and raise StreamMaxLength according to your needs. The default value is 25M. Keep the value in line with Exim's message_size_limit (50M by default): anything larger than StreamMaxLength but smaller than message_size_limit will be accepted by Exim and then tempfailed by the scanner, exactly as above. Resist the temptation to work around this by letting Exim accept mail when the scanner fails (defer_ok on the malware condition), since that delivers oversized messages unscanned.

Don't forget to restart clamd afterwards.

© 2025 geegkytuts.net