iredapd /


  • iRedAPD is a simple Postfix policy server, written in Python, with plugin support.
  • iRedAPD listens on port 7777, runs as a low-privileged user (iredapd by default).
  • The latest iRedAPD works with OpenLDAP, MySQL/MariaDB and PostgreSQL backends.
  • License: GPL v3 (except file libs/, BSD style as mentioned in this file by file author).
  • Author: Zhang Huangbin <zhb at>.


  • iRedAPD is a sub-project of iRedMail project.
  • iRedAPD is installed and enabled in iRedMail by default, so you don’t need this tutorial if you already have iRedMail running. Standalone installation guide is
  • You can manage iRedAPD with iRedMail web admin panel - iRedAdmin-Pro.

Available plugins

Plugins are files placed under plugins/ directory, plugin name is file name without file extension .py. It's recommended to read comment lines in plugin source files to understand how it works and what it does.

Plugins for all backends

  • reject_sender_login_mismatch: Reject sender login mismatch (addresses in From: and SASL username). It will verify user alias addresses against SQL/LDAP database.

  • reject_null_sender: Reject message submitted by sasl authenticated user but specifying null sender in From: header (from=<> in Postfix log). RECOMMEND to enable this plugin.

    If your user's password was cracked by spammer, spammer can use this account to bypass smtp authentication, but with a null sender in From: header, throttling won't be triggered.

  • amavisd_wblist: Whitelist/blacklist for both inbound and outbound messages.

  • amavisd_message_size_limit: Check per-recipient message size limit stored in Amavisd database (column policy.message_size_limit), reject email if message size exceeded.

Plugins for OpenLDAP backend

  • ldap_maillist_access_policy: restrict who can send email to mail list.
  • ldap_force_change_password_in_days: force users to change password in days (default 90 days). User cannot send email before resetting password.

Plugins for MySQL/MariaDB and PostgreSQL backends

  • sql_alias_access_policy: restrict who can send email to mail alias.
  • sql_force_change_password_in_days: force users to change password in days (default 90 days). User cannot send email before resetting password.