Postfix Integration

Configure SecZim to work with standalone Postfix mail servers.

Overview

SecZim integrates with Postfix as a policy delegation server. Postfix queries SecZim for every email, and SecZim decides whether to accept, reject, or defer the message based on your policies.

Automatic Setup

The SecZim installer automatically configures Postfix integration. This guide is for manual setup or troubleshooting.

Configuration

SecZim uses the Postfix policy delegation protocol on port 10031.

main.cf Settings

Add SecZim to your recipient restrictions:

# /etc/postfix/main.cf
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_policy_service inet:127.0.0.1:10031

For Outbound (Submission Port)

To also check outbound mail on port 587, add to master.cf:

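# /etc/postfix/master.cf
# The braces let the -o value contain spaces (Postfix 3.0 and later);
# without them, master.cf splits the value at the space after check_policy_service.
submission inet n - n - - smtpd
  -o { smtpd_relay_restrictions = permit_sasl_authenticated, check_policy_service inet:127.0.0.1:10031, reject }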

Apply Changes

# Reload Postfix configuration
sudo postfix reload

# Verify configuration
postconf smtpd_recipient_restrictions

Test the Integration

Verify SecZim is responding to policy queries:

# Test policy server connection
telnet 127.0.0.1 10031

# Send a test query
request=smtpd_access_policy
sender=test@example.com
recipient=user@yourdomain.com

# Press Enter twice, expect: action=DUNNO or action=OK

Postfix Variables

SecZim receives these variables from Postfix for each email:

  • sender - Envelope sender address
  • recipient - Envelope recipient address
  • client_address - Connecting IP address
  • client_name - Reverse DNS of client
  • helo_name - HELO/EHLO hostname
  • sasl_username - Authenticated user (if any)
  • ccert_subject - Client certificate (if TLS)
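
The manual telnet test and the variable list above, scripted as an added example (not part of SecZim or Postfix; the function names and sample values are constructed for illustration). It sends the attributes in the policy delegation format and returns the action, and it refuses values containing line breaks, which would otherwise inject extra attributes into the request.

```python
import socket

def build_request(attrs):
    """Serialize attributes as name=value lines, terminated by an empty line."""
    lines = ["request=smtpd_access_policy"]
    for name, value in attrs.items():
        # One attribute per line: a line break in a value, or '=' in a name,
        # would change what the policy server parses.
        if any(c in name for c in "=\r\n") or any(c in value for c in "\r\n"):
            raise ValueError(f"invalid attribute: {name!r}")
        lines.append(f"{name}={value}")
    return ("\n".join(lines) + "\n\n").encode()

def parse_response(data):
    """Return the text after 'action=' from a policy reply."""
    for line in data.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("no action= line in policy reply")

def query(attrs, host="127.0.0.1", port=10031, timeout=5.0):
    """Send one policy query and return the action string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(attrs))
        buf = b""
        # The reply ends with an empty line, like the request.
        while b"\n\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_response(buf)

# Constructed sample values (documentation address range and example domains).
SAMPLE = {
    "sender": "test@example.com",
    "recipient": "user@yourdomain.com",
    "client_address": "192.0.2.10",
    "client_name": "mail.example.com",
    "helo_name": "mail.example.com",
    "sasl_username": "",
}

if __name__ == "__main__":
    print(query(SAMPLE))
```

Run it on the mail server itself, since the policy service listens on 127.0.0.1.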

Troubleshooting

Policy Server Not Responding

# Check if SecZim daemon is running
sudo systemctl status seczim-daemon

# Check if port 10031 is listening
ss -tlnp | grep 10031

# View daemon logs
sudo journalctl -u seczim-daemon -f

Emails Being Rejected

  • Check the SecZim dashboard for recent blocked emails
  • Review your policies - a restrictive policy may be triggering
  • Check RBL settings if legitimate senders are blocked

Postfix Errors

# Check Postfix logs
sudo tail -f /var/log/mail.log

# Verify configuration syntax
postfix check

Important

If SecZim is unavailable, Postfix will temporarily defer emails (4xx response). Ensure the SecZim daemon is set to start automatically on boot.