Dec 06 2010

This time I’ll show you how to randomize the IP address used by your outbound SMTP. This can be done via a transport map. However, ordinary Postfix lookup tables store information as (key, value) pairs, so they can only return a static value. We need something that can manipulate the value (the right-hand side) of a lookup table in order to answer with a random transport.

The first thing that came to mind was tcp_table. A tcp_table lookup gives us the flexibility to run a tiny Perl script that randomizes the transport. That’s the basic idea.

OK, here’s the first part: create the Perl script. Note that this script only answers in a “catch-all” manner, so it randomizes the transport for all outgoing mail.

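# cd /etc/postfix
# vi
#!/usr/bin/perl -w
# author: Hari Hendaryanto <hari.h -at->

use strict;
use warnings;
use Sys::Syslog qw(:DEFAULT setlogsock);

# our transports array; each entry is defined below as a transport service
our @array = (
        'rotate1:',
        'rotate2:',
        'rotate3:',
        'rotate4:',
        'rotate5:',
);

# Initialize and open syslog.
# NOTE: the ident below is a placeholder; the original value is missing from this page.
openlog('transport-randomizer', 'pid', 'mail');

# Autoflush standard output.
select STDOUT; $|++;

while (<>) {
        # randomizing transports array
        my $random_smtp = int(rand(scalar(@array)));
        if (/^get\s(.+)$/i) {
                # tcp_table reply: "200 <value>" terminated by a newline
                print "200 $array[$random_smtp]\n";
                # log the chosen transport name rather than its array index
                syslog("info", "Using: %s Transport Service", $array[$random_smtp]);
                next;
        }
        # anything that is not a "get" request falls back to the default smtp transport
        print "200 smtp:\n";
}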

Make it executable

# chmod 755

Run the script via the Postfix spawn daemon service, defined in master.cf.

 inet  n       n       n       -       0      spawn
          user=nobody argv=/etc/postfix/

Add 5 smtp client services called rotate1, rotate2, rotate3, rotate4 and rotate5, each of which binds to its own IP address and has a unique syslog/helo name.

# random smtp
rotate1  unix -       -       n       -       -       smtp
          -o syslog_name=postfix-rotate1
          -o smtp_bind_address=

rotate2  unix -       -       n       -       -       smtp
          -o syslog_name=postfix-rotate2
          -o smtp_bind_address=

rotate3  unix -       -       n       -       -       smtp
          -o syslog_name=postfix-rotate3
          -o smtp_bind_address=

rotate4  unix -       -       n       -       -       smtp
          -o syslog_name=postfix-rotate4
          -o smtp_bind_address=

rotate5  unix -       -       n       -       -       smtp
          -o syslog_name=postfix-rotate5
          -o smtp_bind_address=

Before we actually implement our randomized transport, let’s make sure that the settings actually work.

Reload postfix

# postfix reload

Run this query a few times, and you’ll see the Perl script return a “random” transport answer.

# postmap -q "whatever" tcp:
# postmap -q "whatever" tcp:

And so on..

A note on “whatever”: since the script acts in “catch-all” mode, as I mentioned earlier, whatever the Postfix transport_maps client asks for is answered with values such as rotate1, rotate2, rotate3, rotate4 and rotate5, chosen at random.

Add these lines to main.cf

transport_maps = tcp:[]:2527 = 3600s

Reload Postfix.

That’s it. Example log lines look like these, which indicates that the randomizer is working.

Month date 12:26:53 host postfix-rotate1/smtp[4252]: A1CA68480A4: to=<>,[]:25], delay=3.6, delays=0.69/0.01/0.81/2, dsn=2.0.0, status=sent (250 ok dirdel)
Month date 12:27:06 host postfix-rotate5/smtp[4253]: 41C2E8480A4: to=<>,[]:25], delay=6, delays=0.14/0.01/0.85/5, dsn=2.0.0, status=sent (250 ok dirdel)
Month date 12:27:22 host postfix-rotate3/smtp[4277]: 4BA9F8480A4: to=<>,[]:25], delay=7.9, delays=0.85/0.02/0.61/6.4, dsn=2.0.0, status=sent (250 ok dirdel)
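
An added example (not part of the original post): a small Python parser that groups delivery lines like the ones above by smtp client instance, so an operator can audit which instance handled each queue ID and how its deliveries fared. The sample lines (dates, recipients, relays, addresses) and all function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the log excerpt above. Dates, recipients,
# relays and addresses are placeholders (example.com, 192.0.2.0/24).
SAMPLE_LOG = """\
Dec  6 12:26:53 host postfix-rotate1/smtp[4252]: A1CA68480A4: to=<a@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=3.6, delays=0.69/0.01/0.81/2, dsn=2.0.0, status=sent (250 ok dirdel)
Dec  6 12:27:06 host postfix-rotate5/smtp[4253]: 41C2E8480A4: to=<b@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=6, delays=0.14/0.01/0.85/5, dsn=2.0.0, status=sent (250 ok dirdel)
Dec  6 12:27:22 host postfix-rotate3/smtp[4277]: 4BA9F8480A4: to=<c@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=7.9, delays=0.85/0.02/0.61/6.4, dsn=2.0.0, status=sent (250 ok dirdel)
Dec  6 12:27:40 host postfix-rotate3/smtp[4277]: 5D0F18480A5: to=<d@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=2.1, delays=0.1/0/1/1, dsn=4.7.1, status=deferred (host mx.example.com[192.0.2.25] said: 451 4.7.1 try again later)
Dec  6 12:27:41 host postfix/qmgr[4100]: 5D0F18480A5: from=<sender@example.org>, size=1024, nrcpt=1 (queue active)
Dec  6 12:27:55 host postfix/smtp[4300]: 6E1A28480A6: to=<e@example.com>, relay=mx.example.com[192.0.2.25]:25, delay=1, delays=0.1/0/0.4/0.5, dsn=2.0.0, status=sent (250 ok)
"""

# The syslog_name (e.g. postfix-rotate1) precedes "/smtp"; the default instance is "postfix".
DELIVERY = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<instance>[\w.-]+)/smtp\[\d+\]:\s"
    r"(?P<qid>[0-9A-F]+):\sto=<(?P<rcpt>[^>]*)>,.*?\bdsn=(?P<dsn>[\d.]+),\s"
    r"status=(?P<status>\w+)"
)

def parse_deliveries(log_text):
    """Yield one dict per smtp client delivery attempt; other log lines are skipped."""
    for line in log_text.splitlines():
        m = DELIVERY.match(line)
        if m:
            yield m.groupdict()

def tally_by_instance(log_text):
    """Map each smtp client instance to a Counter of delivery statuses."""
    counts = defaultdict(Counter)
    for d in parse_deliveries(log_text):
        counts[d["instance"]][d["status"]] += 1
    return dict(counts)

def deferral_rate(counter):
    """Fraction of an instance's delivery attempts that were deferred."""
    total = sum(counter.values())
    return counter["deferred"] / total if total else 0.0

if __name__ == "__main__":
    for instance, c in sorted(tally_by_instance(SAMPLE_LOG).items()):
        print(f"{instance:18} {dict(c)} deferral_rate={deferral_rate(c):.2f}")
```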

I’m not taking any responsibility if the reader “misuses” this tutorial. The tutorial is provided as-is for experimental purposes.


  96 Responses to “Postfix Randomizing Outgoing IP Using TCP_TABLE And Perl”

  1. Hi Leenoux, thank you for a wonderful script.

    I am using it for over 2 years without issues but I have just noticed a strange behaviour/bug?

    It always uses the first MX record. When the recipient server replies with a 4xx code, then Postfix should try a different MX server, but it does not. It just queues the message and tries the same MX server again.

    Without this script it works fine.

    Do you know where the issue could be? What should I fix? Thank you

  2. I have a question about headers. The rotation may or may not be working. Part of my header says server3, but the ip addresses being shown is actually server1. No matter which hostname is shown, it always shows the same ip address. Server3 would be the address. Any thoughts? Here is the header.

    Authentication-Results:; spf=pass (sender IP is XX.XXX.XXX.9); dkim=pass; x-hmca=pass
    X-AUTH-Result: PASS
    X-SID-Result: PASS
    Received: from ([XX.XXX.XXX.9]) by with Microsoft SMTPSVC(6.0.3790.4900);
    Tue, 15 Apr 2014 15:12:07 -0700

  3. show me your configuration for ip XX.XXX.XXX.9 and (smtp_bind_address), don’t forget to check dns part, do server1 and server3 point to the right ip address (both A record and PTR record)?

  4. DNS is fine okay

    .9 is pointing to server1
    .11 is pointing to server3
    .12 is pointing to server4

    PTR records are all set up correctly too.

    Here is my minus some stuff

    smtp inet n - n - - smtpd
    #smtp inet n - - - 1 postscreen
    #smtpd pass - - - - - smtpd
    #dnsblog unix - - - - 0 dnsblog
    #tlsproxy unix - - - - 0 tlsproxy
    submission inet n - n - - smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    # -o milter_macro_daemon_name=ORIGINATING
    smtps inet n - n - - smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
    inet n - - - - smtpd
      -o content_filter=
      -o local_recipient_maps=
      -o relay_recipient_maps=
      -o smtpd_restriction_classes=
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=permit_mynetworks,reject
      -o mynetworks=
      -o strict_rfc821_envelopes=yes
      -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
    yahoo unix - - n - - smtp
      -o syslog_name=postfix-yahoo
    #random inet n n n - 0 spawn
      user=nobody argv=/etc/postfix/
    # random smtp
    rotate1 unix - - n - - smtp
      -o syslog_name=postfix-rotate1

    rotate2 unix - - n - - smtp
      -o syslog_name=postfix-rotate2

    rotate3 unix - - n - - smtp
      -o syslog_name=postfix-rotate3

  5. part is okay, still not clear your real configuration on DNS, you can check your A record and PTR record at least, let me know your real hostname so i can check it out from here.


  7. looks fine from here
    # dig a +short
    # dig -x +short
    # dig a +short
    # dig -x +short

    might be hotmail resolver, just give another try

  8. Thanks for a great script. I got it working. But there is one question. Please tell me, how do I make it so tough to bind to each (rigidly designate) IP-address separate address Mail-From. For example:
    rotate1 Mail-From –
    rotate1 Mail-From –
    rotate1 Mail-From –
    It is necessary for the proper email provider is authenticated when checking SPF, DKIM-recording. For each IP/domain, its separate SPF, DKIM-record.

  9. i’m not really sure, maybe you should check this postfix feature: sender_dependent_default_transport_maps

  10. Hi Leenoux, thanks for your amazing tutorials and scripts.

    I tried to apply this on zpanel/centos 6 without success. How can I update my Postfix to use tcp tables???

    thanks in advance cool dude!

  11. try download source package from here

  12. Hi!
    My program sends letters and mailing at the same address all mail-FROM (Return-Path:)
    To in headings incoming letters correctly formed DKIM signing, I need to replace the address of mail-FROM (Return-Path:) to the address from which you are sending.
    To this I added to each transport one line:

    rotate1 unix – n – smtp
    -o smtp_bind_address = hhh.hh.28.20
    -o smtp_helo_name =
    -o myhostname =
    -o syslog_name = postfix-rotate1
    -o sender_canonical_maps = hash :/ etc/postfix/

    rotate2 unix – n – smtp
    -o smtp_bind_address = hhh.hh.28.21
    -o smtp_helo_name =
    -o myhostname =
    -o syslog_name = postfix-rotate2
    -o sender_canonical_maps = hash :/ etc/postfix/

    rotate3 unix – n – smtp
    -o smtp_bind_address = hhh.hh.30.83
    -o smtp_helo_name =
    -o myhostname =
    -o syslog_name = postfix-rotate3

    Then I created 2 files
    @ @
    @ @
    # Postmap hash :/ etc / postfix / canonical_maps
    for each file,

    But it does not work! Could you tell me where is the error?

  13. I’m not sure if this site is still alive in 2020, but I have a question about the “catch-all” behavior with this script. Is it possible to use it in conjunction with a regular transport_maps table in order to define specific destinations for discard or relay to other smtp servers while allowing all non-matching messages to be fed to the script?

  14. well, it’s still alive. sure, go ahead, i’ll give my best shot to answer your question. i’m little bit rusty though 😀

  15. Good to hear, Hari! I’ll rephrase my question with an example. If I’m using the script on this page with an array of IP addresses, and the following defined in /etc/postfix/

    transport_maps = hash:/etc/postfix/transport, tcp:

    And, if I put the following in /etc/postfix/transport: smtp:[] #relay this user to another SMTP server

    everything will work just fine. The email address above will get relayed elsewhere and all other non-matching email will get a random transport entry via your script. However, if I put the following in /etc/postfix/transport: smtp:[] #send ALL email for to another SMTP server

    this does not work at all. This entry is ignored and email for follows the same path as all other email. Any ideas why the pattern matching doesn’t work here, and any suggestions to fix?


  16. can i see your, transport_maps part. AFAIK, i will put all catch-all and exclusion in tcp_tables perl script (need some modification).
