postfix SMTP Gateway

Author: Jackson Chen

Configure postfix as SMTP Gateway

Basic Postfix Configuration

By default, Postfix does not accept network connections from any host other than the local host. Perform the following steps as root to enable mail delivery for other hosts on the network:

  1. Edit the /etc/postfix/main.cf file with a text editor, such as vi.
  2. Uncomment the mydomain line by removing the hash sign (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
  3. Uncomment the myorigin = $mydomain line.
  4. Uncomment the myhostname line, and replace host.domain.tld with the host name for the machine.
  5. Uncomment the mydestination = $myhostname, localhost.$myhostname, localhost.$mydomain line.
  6. Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
  7. Uncomment the inet_interfaces = all line.
  8. Comment the inet_interfaces = localhost line.
  9. Restart the postfix service. Once these steps are complete, the host accepts outside emails for delivery.

Postfix has a large assortment of configuration options. One of the best ways to learn how to configure Postfix is to read the comments within the /etc/postfix/main.cf configuration file. Additional resources including information about Postfix configuration, SpamAssassin integration, or detailed descriptions of the /etc/postfix/main.cf parameters are available online at http://www.postfix.org/.

configure postfix as SMTP gateway

https://tuxfixer.com/configure-postfix-smtp-relay-smart-host-on-centos-8/

  1. Install postfix
     # dnf install postfix
  2. Update configuration
Edit the /etc/postfix/main.cf configuration file and update the relevant lines below (main.cf does not allow trailing comments, so the notes are given as comment lines above each setting):

meta_directory = /etc/postfix
# update with the RHEL SMTP server hostname
myhostname = chronos
# update with its local domain
mydomain = tuxfixer.com
local_transport = error: this is a null client
myorigin = $myhostname.$mydomain
# list of trusted network addresses that can relay through this MTA;
# add the hosts whose email this gateway should accept
mynetworks = 127.0.0.0/8 [::1]/128
# update with the next hop; the brackets suppress the MX lookup
relayhost = [ssl0.ovh.net]
disable_dns_lookups = yes

# SASL authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:admin@tuxfixer.com:mypassword
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

To check whether Postfix is already installed on RPM-based distros, use this command:

$ rpm -qa | grep postfix

Install the Postfix RPM with the following (on yum-based distros):

$ yum install -y postfix

After Postfix is installed, start the service and enable it so that it comes back after a reboot, open port 25 in the firewall and confirm that Postfix is listening (a rule added with --permanent only takes effect in the running firewall after firewall-cmd --reload):

$ systemctl enable --now postfix
$ systemctl start postfix
$ firewall-cmd --add-service smtp --permanent
$ netstat -plnt | grep :25

Configuring Postfix

After Postfix is installed, you can start configuring the service to your liking. All of the options you need for the service are located in /etc/postfix. The main configuration file for the Postfix service is located at /etc/postfix/main.cf. Within the configuration file, there are many options that you can add, some of them more common than others.

myhostname declares the mail server’s hostname. Hostnames normally have prefixes in them, like this:

myhostname = mail.sinisterriot.com

mydomain declares the domain that is actually handling mail, like this:

mydomain = sinisterriot.com

mail_spool_directory declares the directory where mailbox files are placed, like so:

mail_spool_directory = /var/mail

mynetworks declares a list of trusted remote SMTP servers that can relay through the server, like this:

mynetworks = 127.0.0.0/8, 168.100.189.0/28

The list provided with mynetworks should only contain local network IP addresses, or network/netmask patterns that are separated by commas or whitespace. It’s important to only use local network addresses to avoid unauthorized users using your mail server for malicious activity, resulting in your server and addresses being blacklisted.

Configure the relay host for mail delivery to the external or required mail server:

relayhost = [smtp.nexthop.local]
    or
        relayhost = [1.2.3.4]
        relayhost = smtp.nexthop.local      # without brackets Postfix does an MX lookup for the next hop
        relayhost = smtp.nexthop.local:587  # submission port; TLS itself is controlled by smtp_tls_security_level, not by the port

Note:
If we are to use TLS and SASL authentication for email delivery, the following configuration is required (smtp_use_tls = yes is the obsolete spelling of smtp_tls_security_level = may, which only offers TLS opportunistically; use smtp_tls_security_level = encrypt to require it):
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = hash:/<path-2-password-file>
        Where
            the password file contains one line per relay host: the relayhost value exactly as written in main.cf (brackets and port included), then the login name and password separated by a colon

then run
    postmap /<path-2-password-file>     # rebuilds the .db file; rerun after every edit, and keep the file readable by root only
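Added example (not from the page or from tuxfixer): a shell script that builds the SASL password map referred to both in the static: example above and in the hash:/<path-2-password-file> note, keeping the credentials out of the world-readable main.cf. The relay host smtp.relay.example, port 587 and the credentials are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): store the relay credentials in a
# root-only hash: table instead of a static: map inside main.cf (main.cf is
# world-readable). Relay host, port and credentials are placeholder values.
set -eu

# write_sasl_passwd MAPFILE RELAYHOST PORT USER PASSWORD
# The lookup key must match the relayhost value exactly, brackets and port
# included; the value is login:password.
write_sasl_passwd() {
    mapf=$1; relay=$2; port=$3; user=$4; pass=$5
    ( umask 077; printf '[%s]:%s %s:%s\n' "$relay" "$port" "$user" "$pass" > "$mapf" )
    chmod 600 "$mapf"         # the file holds a secret: root read/write only
    echo "$mapf"
}

# relay_settings MAPFILE RELAYHOST PORT
# Prints the main.cf settings that go with the map, one per line.
relay_settings() {
    mapf=$1; relay=$2; port=$3
    cat <<EOF
relayhost = [$relay]:$port
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$mapf
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
EOF
}

# apply_relay_settings MAPFILE RELAYHOST PORT
# Compiles the map (producing MAPFILE.db) and applies the settings with
# postconf -e; skipped on hosts without Postfix so the script stays runnable.
apply_relay_settings() {
    if ! command -v postmap >/dev/null 2>&1; then
        echo "postmap not found; settings not applied" >&2
        return 0
    fi
    postmap "hash:$1"                           # rerun after every edit of the map
    relay_settings "$1" "$2" "$3" | while IFS= read -r line; do postconf -e "$line"; done
    postfix reload
}

# Demo against a temporary file with constructed placeholder credentials.
demo_map=$(write_sasl_passwd "$(mktemp -d)/sasl_passwd" smtp.relay.example 587 relayuser 'Pl4ceholder')
cat "$demo_map"
relay_settings "$demo_map" smtp.relay.example 587
```

On a real gateway, call apply_relay_settings with the map written to /etc/postfix/sasl_passwd as root; the .db file postmap produces inherits the need for restrictive permissions.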

Testing Postfix

First, I recommend testing whether you can send an email to a local recipient. If successful, you can proceed to a remote recipient. I prefer to use the telnet command to test my mail server:

$ telnet mail.sinisterriot.com 25

Add the HELO command to tell the server which domain you are coming from:

HELO sinisterriot.com

Next is the sender. This ID can be added with the MAIL FROM command:

MAIL FROM: somewhere@sinisterriot.com

This entry is followed by the recipient, and you can add more than one by using the RCPT TO command multiple times:

RCPT TO: someone@sinisterriot.com

Finally, we can add the content of the message. To reach the content mode, we add the prefix DATA on a line by itself, followed by the Subject line, and the body message. Listed below is an example:

DATA
Subject: This is a test message
Hello,
This is a test message
.

In order to finish the message body and close it, you need to add a single period (.) or dot on a line by itself. Once this process is complete, the server will attempt to send the email with the information you provided. The code response will notify you if the email was successful or not. Once done, use the quit command to close the mailing window.

In any regard, check the mail logs for errors. They are located in /var/log/maillog by default, but this location can be changed. As a system administrator, checking error logs is a good habit to have. This practice is great for troubleshooting and gives us insight that helps identify and fix an issue faster. Deciphering mail logs is an important part of admin work as well, as each part of the log tells us what is important. In my past years, knowing these parts has helped me write scripts for specific requests while only needing to redact or leave out parts of the mail logs.
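As an added example (not part of the original page), a small shell script that triages Postfix log lines the way this section describes: it counts sent, bounced and deferred deliveries and lists the clients whose RCPT commands smtpd rejected. The log lines are constructed samples in the postfix/smtp and postfix/smtpd format; point the functions at /var/log/maillog for real data.

```shell
#!/bin/sh
# Added example (not from the original page): summarise delivery results from
# a Postfix mail log. SAMPLE_LOG holds constructed lines; replace it with
# /var/log/maillog on a real gateway.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 mail postfix/smtpd[2101]: connect from client.lab.example[192.0.2.10]
Mar  3 10:01:12 mail postfix/smtpd[2101]: 7F2A1C0B3E: client=client.lab.example[192.0.2.10]
Mar  3 10:01:13 mail postfix/smtp[2105]: 7F2A1C0B3E: to=<someone@example.com>, relay=smtp.relay.example[203.0.113.5]:587, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Mar  3 10:02:40 mail postfix/smtp[2105]: 8A0B2D1C4F: to=<nobody@invalid.example>, relay=none, delay=0.4, delays=0.1/0/0.3/0, dsn=5.4.4, status=bounced (Host or domain name not found)
Mar  3 10:03:05 mail postfix/smtp[2106]: 9B1C3E2D5A: to=<later@example.com>, relay=smtp.relay.example[203.0.113.5]:587, delay=30, delays=0.1/0/30/0, dsn=4.4.2, status=deferred (lost connection with smtp.relay.example[203.0.113.5] while receiving the initial server greeting)
Mar  3 10:04:18 mail postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@other.example>: Relay access denied; from=<spam@other.example> to=<victim@other.example> proto=ESMTP helo=<x>
EOF

# count_status LOGFILE STATUS -> number of deliveries logged with status=STATUS
count_status() {
    grep -c "status=$2 " "$1" || true        # grep -c exits 1 on zero matches but still prints 0
}

# rejected_clients LOGFILE -> unique client addresses behind smtpd "NOQUEUE: reject" lines
# (relay attempts and unknown recipients show up here, not in the delivery status)
rejected_clients() {
    sed -n 's/.*postfix\/smtpd\[[0-9]*\]: NOQUEUE: reject: RCPT from [^[]*\[\([^]]*\)\].*/\1/p' "$1" | sort -u
}

# report LOGFILE -> one line per delivery status plus the reject sources
report() {
    for s in sent bounced deferred; do
        printf '%s=%s\n' "$s" "$(count_status "$1" "$s")"
    done
    printf 'rejected_from=%s\n' "$(rejected_clients "$1" | tr '\n' ' ')"
}

report "$SAMPLE_LOG"
```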

Securing Postfix

Securing your services is just as important as setting them up. Data is safer in transit over an encrypted connection than over an unprotected one. Next, we will cover how to secure our newly configured mail server by enabling Transport Layer Security (TLS) for the SMTP server.

First, you need to generate the private key and the Certificate Signing Request (CSR). You can do this via the openssl command:

$ openssl req -nodes -newkey rsa:2048 -keyout privatekey.key -out mail.csr

Then sign the request with the same private key, which produces a self-signed certificate valid for 365 days, and copy the key and certificate to the /etc/postfix directory (the key file must stay readable by root only):

$ openssl x509 -req -days 365 -in mail.csr -signkey privatekey.key -out secure.crt
$ cp {privatekey.key,secure.crt} /etc/postfix

Note the difference between the two kinds of certificate. A certificate issued by a Certificate Authority (CA) is signed by a party the connecting clients already trust, so they can verify that they are talking to the genuine mail server and that the private key belongs to it. A self-signed certificate, like the one produced by the -signkey step above, is signed only by its own key: it still encrypts the session, but clients cannot verify the server's identity, which leaves the connection open to impersonation unless the certificate is explicitly trusted on each client. It's always better to go with a CA-signed certificate for a server reachable from the internet.

Once this process is complete, add the TLS options to the Postfix config file. smtpd_* parameters apply to Postfix as an SMTP server (inbound connections), smtp_* to Postfix as an SMTP client (outbound connections); smtpd_use_tls = yes is the obsolete spelling of smtpd_tls_security_level = may:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/secure.crt
smtpd_tls_key_file = /etc/postfix/privatekey.key
smtp_tls_security_level = may

Next, restart the service to put the new options into effect:

$ systemctl restart postfix

Now you have a functioning email server that offers TLS on both inbound and outbound connections.

Configure postfix to accept emails sent to required domains

https://www.postfix.org/SMTPD_ACCESS_README.html

Method 1. We can configure postfix to accept emails that are sent to the required email domains.
# In main.cf

smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  reject_unknown_reverse_client_hostname,
  reject_unknown_client_hostname,
  check_client_access hash:/etc/postfix/whitelist,
  reject

# In /etc/postfix/whitelist
my.whitelisted.tld OK
    Change my.whitelisted.tld to the domain you want to allow. Note that check_client_access matches the connecting client's hostname or address, not the recipient; to allow by recipient domain, use check_recipient_access with the same table.

then run the following commands to rebuild the table and restart postfix:
    postmap /etc/postfix/whitelist
    service postfix restart

Note:
It's better to also use reject_unauth_pipelining in smtpd_data_restrictions; it rejects clients that send SMTP commands before the server has answered, which legitimate mail clients do not do:
    smtpd_data_restrictions = reject_unauth_pipelining


# Only deliver to the required relay domains (mail for every other destination is discarded)
Add the following line to /etc/postfix/main.cf:

transport_maps = hash:/etc/postfix/transport

# Add the new file /etc/postfix/transport with this content:
.example.com   :
example.com    :
*              discard:

Replace example.com with the domain your mail server should still send mail to.
If you don't care about sub-domains, remove the first line.

Method 2 (alternative). Create an access table /etc/postfix/access with the following content (example.com being the domain you want to allow mail to be sent to):
# Create /etc/postfix/access
example.com    OK

# You can also allow only some specific addresses:
user1@example.com    OK
user2@example.com    OK

# Don't forget to hash the file after editing it with postmap(1):
    postmap /etc/postfix/access

# Now put the following recipient restrictions in your main.cf
# (a bare type:table entry here is shorthand for check_recipient_access):

smtpd_recipient_restrictions =
    hash:/etc/postfix/access
    reject

# and reload Postfix:
    postfix reload
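Added example (not from the original page or from Postfix itself): a simplified emulation of the access(5) lookup order Postfix applies to a recipient address against an access table like the one above, useful for reasoning about why a recipient is accepted or rejected before the table is loaded. It assumes the default parent_domain_matches_subdomains, which includes smtpd_access_maps; the table contents are constructed, and with Postfix installed postmap -q is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original page): emulate how Postfix matches a
# recipient against an access table so the table can be sanity-checked.
# Authoritative check on a real host: postmap -q user@example.com hash:/etc/postfix/access
set -eu

ACCESS_TABLE=$(mktemp)
cat > "$ACCESS_TABLE" <<'EOF'
# constructed sample table; OK = accept, anything else here is a rejection
example.com             OK
user1@partner.example   OK
noreply@                REJECT no mail for automated senders
EOF

# lookup TABLE KEY -> prints the action for KEY, or nothing if the key is absent
lookup() {
    awk -v key="$2" '$0 !~ /^#/ && NF >= 2 && $1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# access_decision TABLE ADDRESS
# Lookup order for a recipient address (with the default
# parent_domain_matches_subdomains, a bare "example.com" also matches subdomains):
#   1. user@domain   2. domain, then each parent domain   3. user@
access_decision() {
    table=$1; addr=$2
    user=${addr%@*}; domain=${addr#*@}
    r=$(lookup "$table" "$addr");       [ -n "$r" ] && { echo "$r"; return; }
    d=$domain
    while [ -n "$d" ]; do
        r=$(lookup "$table" "$d");      [ -n "$r" ] && { echo "$r"; return; }
        case $d in *.*) d=${d#*.} ;; *) d= ;; esac
    done
    r=$(lookup "$table" "$user@");      [ -n "$r" ] && { echo "$r"; return; }
    echo "DUNNO"    # no match: Postfix moves on to the next restriction (above: reject)
}

for a in someone@example.com someone@mail.example.com user1@partner.example \
         user2@partner.example noreply@example.com noreply@other.example; do
    printf '%-28s %s\n' "$a" "$(access_decision "$ACCESS_TABLE" "$a")"
done
```

The run shows that noreply@example.com is accepted: the domain match wins before the user@ pattern is consulted, so a sender-based rejection must be placed where it is reached first.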

How to update /etc/postfix/main.cf from the command line

# Run the postconf command to update the configuration; postconf -e edits
# main.cf in place and replaces an existing setting of the same name
postconf -e 'relayhost = [smtp.lab.com]'
postconf -e 'myorigin = lab.com'
postconf -e 'mydestination = ""'
    # "" here means the postfix system will not accept email for delivery to localhost

Troubleshooting

postqueue -p    # Check mail queue
postqueue -f    # flush mail queue