How to install the Sender Rewriting Scheme (SRS) on PostFix?


This page is about the installation of postsrsd which implements Sender Rewriting Scheme (SRS) for Postfix. It's mandatory if you forward emails via the alias functionality.



Autoconf process

  • Package
yum install -y cmake unzip curl 
  • Temporary installation directory
mkdir -p /tmp/srs
cd /tmp/srs
  • Download
curl -L -o
# or
  • Unzip
  • Install
cd postsrsd-master
# Optionally cmake you config (by default installed into /usr/lib)
make install




cat /etc/default/postsrsd
# Default settings for postsrsd

# Local domain name.
# Addresses are rewritten to originate from this domain. The default value
# is taken from `postconf -h mydomain` and probably okay.

# Exclude additional domains.
# You may list domains which shall not be subjected to address rewriting.
# If a domain name starts with a dot, it matches all subdomains, but not
# the domain itself. Separate multiple domains by space or comma.

# First separator character after SRS0 or SRS1.
# Can be one of: -+=

# Secret key to sign rewritten addresses.
# When postsrsd is installed for the first time, a random secret is generated
# and stored in /etc/postsrsd.secret. For most installations, that's just fine.

# Length of hash to be used in rewritten addresses

# Minimum length of hash to accept when validating return addresses.
# When increasing SRS_HASHLENGTH, set this to its previous value and
# wait for the duration of SRS return address validity (21 days) before
# increading this value as well.

# Local ports for TCP list.
# These ports are used to bind the TCP list for postfix. If you change
# these, you have to modify the postfix settings accordingly. The ports
# are bound to the loopback interface, and should never be exposed on
# the internet.

# Drop root privileges and run as another user after initialization.
# This is highly recommended as postsrsd handles untrusted input.

# Bind to this address

# Jail daemon in chroot environment


In the conf file

sender_canonical_maps = tcp:localhost:10001
sender_canonical_classes = envelope_sender
recipient_canonical_maps = tcp:localhost:10002
recipient_canonical_classes= envelope_recipient,header_recipient

where the below parameters are for adress rewrite:


systemctl enable postsrsd # to start it at boot
systemctl start postsrsd
systemctl restart postfix



Send an email to your provider and check the received message. For instance, for gmail

You should see:

  • the email rewrite
  • and the added Return Path
  • and a successful SPF test

Postsrsd Spf Pass


In the output of postsrsd, you should see the rewrite.

sudo systemctl status postsrsd
Jun 16 17:31:34 postsrsd[30592]: srs_forward: <[email protected]> rewritten as <[email protected]>

Documentation / Reference

Discover More
Spf Dns Zone
What is the Sender Policy Framework (SPF) in Email?

The Sender Policy Framework (SPF) is a framework that determines if the sender of a email transaction is valid. It's part of the email authentication framework with DKIM where the goal is to: prevent...
Postsrsd Spf Pass
What is the Sender Rewriting Scheme (SRS) in Email?

Sender Rewriting Scheme (SRS) is a process that rewrite the sender address: into It is mandatory in order to conform to the SPF scheme when the emails are forwarded. With SRS, an MTA can circumvent...

Share this page:
Follow us:
Task Runner