~2 min read • Updated Jan 27, 2026
1. What is iRedAPD?
iRedAPD is a Policy Server for Postfix. It:
- Does NOT scan email content
- Does NOT detect spam
- Does NOT inspect attachments
Its only job is to decide whether an SMTP action is allowed or denied.
2. iRedAPD in iRedMail Architecture
Client / Internet
↓
Postfix
↓ (policy check)
iRedAPD ← decision-making
↓
Amavis / Queue
iRedAPD communicates directly with Postfix.
3. Core Responsibilities of iRedAPD
1️⃣ Rate Limiting
- Limits number of emails per hour/day
- Prevents outbound spam bursts
2️⃣ Sender Restrictions
- Prevents sending from forged addresses
- Enforces sender login matching
3️⃣ Recipient Restrictions
- Prevents abuse toward a specific recipient
4️⃣ Greylisting (optional)
- Reduces automated spam
4. Components of iRedAPD
- iredapd (daemon) — main Python service
- Backend database — MariaDB/MySQL or PostgreSQL
5. Important iRedAPD Paths
| Path | Description |
|---|---|
| /opt/iredapd/ | Main program directory |
| /opt/iredapd/settings.py | Configuration file |
| /etc/postfix/main.cf | Postfix policy integration |
| /var/log/iredapd/ | Logs |
6. Connecting iRedAPD to Postfix
In main.cf:
smtpd_recipient_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
check_policy_service inet:127.0.0.1:7777
Default port: 7777
7. Key Settings in settings.py
Path:
/opt/iredapd/settings.py
7.1 Enable/Disable Plugins
plugins = [
'reject_null_sender',
'reject_sender_login_mismatch',
'throttle',
]
7.2 Rate Limiting (critical)
THROTTLE_SENDER = {
'inbound': (60, 3600),
'outbound': (200, 3600),
}
This means: 200 outbound emails per hour.
7.3 Prevent Sender Spoofing
REJECT_SENDER_LOGIN_MISMATCH = True
8. Logs & Debugging
View logs:
tail -f /var/log/iredapd/iredapd.log
Example log:
REJECT Throttled sender
9. Security Best Practices
- Always configure rate limits
- Outbound limits should be stricter than inbound
- Enable greylisting only if your SMTP server is strong enough
- Ensure iRedAPD is always running
10. Common Issues
Email not sending
- Rate limit too low
- Incorrect plugin enabled
Server blacklisted
- iRedAPD disabled
- Outbound unlimited
11. iRedAPD vs Rspamd (Policy Layer)
| Feature | iRedAPD | Rspamd |
|---|---|---|
| Rate limiting | ✅ | ✅ |
| Greylisting | ✅ | ❌ |
| Simplicity | ✅ | ❌ |
| Modern features | ❌ | ✅ |
Conclusion
iRedAPD is the first line of defense before emails enter the Postfix queue. If misconfigured, it can cause major delivery issues; if configured correctly, it provides stability, protection, and peace of mind. It prevents spoofing, controls outbound traffic, and ensures your mail server stays healthy and trusted.
Written & researched by Dr. Shahin Siami