Useful commands and hints

In case of fast sending, spam problems, etc.: always check the mailq! It is stored in /var/lib/courier/msgs and /var/lib/courier/msgq. You can delete all pending outgoing mail (and lose it) by deleting these folders after stopping courier-mta.

mailq displays a list of all messages that have not been delivered yet:


delete a message from mailq - cancelmsg sends an error mail to the user!:

cancelmsg msgID

Delete ALL messages from mailq - soft version - cancelmsg sends an error mail to the user!

for i in $(mailq | grep -E '^[0-9]' | awk '{print $1}'); do echo "Dropping message $i..."; cancelmsg "$i"; done

Brutal way:

/etc/init.d/courier-mta stop
/etc/init.d/courier-mta-ssl stop
cd /var/lib/courier
mv msgs msgserror
mv msgq msgqerror
mkdir msgs
mkdir msgq
chown courier:courier msgs
chown courier:courier msgq

/etc/init.d/courier-mta start 
/etc/init.d/courier-mta-ssl start 

better scripts:

generate, check and activate aliases:

 makealiases; makealiases -chk; courier flush

find relay errors:

 grep "error,relay"  /var/log/mail.log|less
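Added example (not part of the original notes): a shell function that goes one step beyond the grep above and counts the error,relay lines per client address and SMTP code, so a single host that keeps getting relay denials stands out. The log lines in sample_log are constructed in the shape of the 513 entry shown under "outbound authentication" on this page; the addresses are documentation ranges and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the original notes.
# Counts Courier "error,relay" log lines per client address and SMTP code.

# Reads syslog lines on stdin, prints "count relay code", busiest first.
relay_summary() {
    awk '
    /courieresmtpd: error,relay=/ {
        line = $0
        sub(/.*error,relay=/, "", line)   # strip syslog prefix
        relay = line
        sub(/,.*/, "", relay)             # client address ends at first comma
        code = "???"                      # placeholder if no reply code is found
        if (match(line, /: [0-9][0-9][0-9] /)) { code = substr(line, RSTART + 2, 3) }
        count[relay " " code]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (documentation addresses), not real log data.
sample_log() {
    cat <<'EOF'
Apr  3 15:20:01 mail courieresmtpd: started,ip=[::ffff:192.0.2.10]
Apr  3 15:20:02 mail courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<x@example.net>: 513 Relaying denied.
Apr  3 15:20:05 mail courieresmtpd: error,relay=::ffff:192.0.2.10,from=<a@example.org>,to=<y@example.net>: 513 Relaying denied.
Apr  3 15:21:10 mail courieresmtpd: error,relay=::ffff:198.51.100.7,from=<b@example.org>,to=<z@example.net>: 513 Relaying denied.
Apr  3 15:22:40 mail courieresmtpd: error,relay=::ffff:192.0.2.10,from=<c@example.org>,to=<x@example.net>: 513 Relaying denied.
EOF
}

# Usage: sh relay-summary.sh /var/log/mail.log   (no argument: run on the sample)
if [ -n "${1:-}" ]; then
    relay_summary < "$1"
else
    sample_log | relay_summary
fi
```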

config tricks

SSL Certificates


All config files use these two variables, so I set them to the same cert files in all configs:

Private key, cert, intermediate cert and root cert(s) combined in one file. The order is unclear. I had the private key first for many years, but the documentation speaks about putting the cert first:

cat [intermediate.crt] > 

This contains the intermediate certs - I use the ca-bundle provided by the cert dealer. This seems to be only used by eSMTP - IMAP and POP work without it.



openssl s_client -starttls imap -connect

SMTP error after cert install: “no cipher suites found”: might have been a problem with gnutls, which was fixed by updating (2018.01). The cert order is irrelevant and an old TLS_TRUSTCERTS works, too.

disable sslv2 and insecure ciphers


set the following in /etc/courier/imapd-ssl, pop3d-ssl, esmtpd, esmtpd-ssl, courierd:


and additionally this in /etc/courier/imapd-ssl, pop3d-ssl



there are two ways to configure forwarding of all mails:

1. use $HOME/.courier to set up $HOME/.forward for one account

|| dotforward
| /usr/bin/maildrop

2. NOT TESTED: use /etc/courier/courierd to set up “dotforward” for all accounts

| /usr/bin/maildrop"

Put the addresses to forward to in $HOME/.forward.

Slow Connections

Disable ident lookups with the TCPDOPTS option -noidentlookup for imap, pop, esmtp. Without it, the server performs an ident lookup and then waits for the timeout.

If SMTP sending is slow, e.g. in webmail, add “-noidentlookup” to /etc/courier/esmtpd's TCPDOPTS

Bugs & Fixes

outbound authentication

 courieresmtpd: error,relay=::ffff:9x.2x6.7x.1x5,from=<mymail@m<>,
 to=<>: 513 Relaying denied.

outbound authentication must be checked within the email client!

(This is the second method if pop-before-smtp fails.)

Please make sure that “Server requires authentication” is enabled in your email client.

554 error - blacklisted :(

important DNS / reverse DNS rules:

  1. The mail server software uses a sensible DNS name for outgoing mail, e.g. servername.domain.tld
  2. Set the A / AAAA record, e.g. servername.domain.tld ⇒ IP
  3. Have the provider set the PTR (reverse DNS) record, e.g. IP ⇒ servername.domain.tld
  4. Set the MX record, e.g. MX1 PRIO 10 = servername.domain.tld
  5. Set the DNS TXT / SPF record, e.g. v=spf1 mx -all
  6. Set up an abuse@domain alias
  7. check blacklists!

556 Address unavailable error

There have been too many errors sending to this local address, so courier disables it for 2 hours to avoid backscatter.

This should show (all) 556 blocked addresses, but does not work:

courier show all | <email>

This releases the lock, so the address becomes available (maybe restart courier):

courier clear all | <email>


DNSBL AHBL is dead

DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in

remove it from /usr/share/spamassassin/


if someone sends spam, the address can get a high POSITIVE ranking which leads to spam

remove an address from spam - must be run as root in root's folder:

  • copy auto-whitelist to /root/.spamassassin/auto-whitelist
  • spamassassin –
  • check: sa-awl /root/.spamassassin/auto-whitelist | grep
  • copy /root/.spamassassin/auto-whitelist back to user dir

check all auto-whitelists:

for i in /home/*; do echo "$i"; sa-awl "$i/.spamassassin/auto-whitelist" | grep example; done


Some useful Plugins and Settings:

We use these:

  • RelayCountry
  • local DNS Resolver to avoid getting blacklisted by blacklists for too many DNS queries
Last modified: 2018/04/03 15:27