Linux: Postfix with a remote SMTP relay host
This is a short guide on how to set up Postfix to use another server as an email relay. Most dynamic IP addresses assigned to broadband (home) networks are blacklisted. This is desired behaviour, as home users are expected to send through an email service rather than deliver mail directly. If you use a server or Linux box to send notifications from local services, you may find that such notifications are not delivered. Postfix configuration is flexible, and it can be configured to act as a "user" that authenticates to the relay host with a username and password. Once Postfix is authenticated on the relay host, it can send email through it. Here is an example of how to configure Postfix this way:
You should have Postfix running. It should be installed with SSL enabled. I don't cover the installation itself here.
In order to configure Postfix, set the following options in /etc/postfix/main.cf, either by editing the configuration file or via the postconf command:
- by editing /etc/postfix/main.cf:
    relayhost = mail.example.com:587
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
- via command:
    postconf -e 'relayhost = mail.example.com:587'
    postconf -e 'smtp_use_tls = yes'
    postconf -e 'smtp_sasl_auth_enable = yes'
    postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
    postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
Description of the configuration:
relayhost - DNS name (or IP address) of the remote server, with optional port, that the client connection goes to
smtp_use_tls - enable TLS/SSL for connections to remote servers
smtp_sasl_auth_enable - enable SASL authentication to the remote SMTP server (i.e. client login)
smtp_sasl_password_maps - map file holding the credentials
smtp_tls_CAfile - list of CA certificates to trust
Syntax for password file (
Once this file is in place, access to it should be restricted, because it holds the relay credentials in clear text. I recommend root:root ownership and mode 600:
    chown root:root /etc/postfix/sasl_passwd
    chmod 600 /etc/postfix/sasl_passwd
Postfix reads its map files in binary form, so before the restart it is necessary to convert the password file:
The last step is a restart or reload of Postfix:
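As an added check, not part of the original guide, the following script audits the result of the steps above: it verifies that the five relay settings are present in a main.cf-style file, and that the password map is owner-only, well-formed and has an up-to-date .db built by postmap. It assumes the standard Postfix map entry format "destination user:password" and takes both file paths as arguments, so it can also be run against copies.

```shell
#!/bin/sh
# Added audit script, not from the original guide. Assumes a main.cf-style
# "key = value" file and a password map in the standard Postfix form
# "destination user:password", one entry per line; both paths are arguments.

# check_main_cf FILE: report relay settings missing or differing from the
# values used above; returns 0 only when all of them are present.
check_main_cf() {
    cf=$1; rc=0
    for pair in 'smtp_use_tls|yes' 'smtp_sasl_auth_enable|yes' \
        'smtp_sasl_password_maps|hash:/etc/postfix/sasl_passwd' \
        'smtp_tls_CAfile|/etc/ssl/certs/ca-certificates.crt'; do
        key=${pair%%|*}; want=${pair#*|}
        got=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$cf" | tail -n 1)
        [ "$got" = "$want" ] || { echo "$key: want '$want', got '${got:-<unset>}'"; rc=1; }
    done
    relay=$(sed -n 's/^[[:space:]]*relayhost[[:space:]]*=[[:space:]]*//p' "$cf" | tail -n 1)
    [ -n "$relay" ] || { echo "relayhost: unset"; rc=1; }
    return $rc
}

# check_password_file FILE: the map must be readable only by its owner, every
# entry must look like "destination user:password", and the compiled FILE.db
# (built by postmap) must exist and be at least as new as FILE, otherwise
# Postfix is still using stale credentials or none at all.
check_password_file() {
    f=$1; rc=0
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "$f: mode $mode, want -rw-------"; rc=1; }
    bad=$(grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
        | grep -Evc '^[^[:space:]]+[[:space:]]+[^[:space:]:]+:[^[:space:]]+[[:space:]]*$' || :)
    [ "${bad:-0}" -eq 0 ] || { echo "$f: $bad malformed line(s)"; rc=1; }
    if [ ! -f "$f.db" ]; then
        echo "$f.db: missing, run postmap $f"; rc=1
    elif [ "$f" -nt "$f.db" ]; then
        echo "$f.db: older than $f, rerun postmap $f"; rc=1
    fi
    return $rc
}

# Run directly as: sh audit.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
if [ $# -eq 2 ]; then
    check_main_cf "$1"; a=$?
    check_password_file "$2"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "relay configuration looks sane"
fi
```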
Sender email rewrite
If the relay host is configured properly and you are using client connection credentials, there is still one problem. The email service provider should refuse to relay messages whose sender details and envelope information do not match the authenticated user. For example, if your email account is email@example.com, then mail from firstname.lastname@example.org should be rejected. The reason is simple: clients should use their own email address, not someone else's.
Rewriting the sender or recipient address is really simple with Postfix, but there is one catch. If you rewrite all source addresses, the postmaster address is rewritten too. On a delivery error, Postfix tries to return the email to its source, which is now the rewritten address. Because the error message is handled in the same way, its origin is rewritten as well, and the email gets stuck in a bounce loop. To prevent this there are two possibilities.
Static rewrite of sender and recipient:
    sender_canonical_maps = static:email@example.com
    recipient_canonical_maps = static:firstname.lastname@example.org
Each message will be rewritten to match one "source" address and delivered to one specific recipient. This is a good option if there is a single recipient for all emails generated on the system. For example, I am using this configuration on my media PC: if there is some kind of problem, I would like to see it in my mailbox. Note that this also disables local delivery. If you would like to deliver notifications to several recipients depending on some condition, check the second option.
Regular expression rewrite rule:
Sender and recipient can also be rewritten using regular expressions or a simple key:value combination. During mail delivery Postfix examines the file line by line and, when a match is found, the address from that line is used. A table of type regexp is read by Postfix directly, so it is not necessary to create a binary representation with a command:
    sender_canonical_maps = regexp:/etc/postfix/sender_map
The content of the file has the following format:
Note: I don't recommend the following configuration.
    /.*/ email@example.com
or
    /.+/ firstname.lastname@example.org
Both of them also rewrite the postmaster address and the "empty" sender used for bounce messages. If you would like to use such a configuration, make sure that the system accounts (postmaster, double-bounce, root, etc.) are covered in the configuration so you do not end up with a bounce loop.
To ensure that the Postfix server is not misused, it is necessary to restrict access to it. A simple way to restrict access to local clients only is to set the following options:
    inet_interfaces = localhost
    mynetworks_style = host