Set Up Postfix For Relaying Emails Through Another Mailserver

Version 1.0
Author: Falko Timme

This short guide shows how you can set up Postfix to relay emails through another mailserver. This can be useful if you run a Postfix mailserver in your local network and have a dynamic IP address because most dynamic IP addresses are blacklisted today. By relaying your emails through another mailserver that is hosted on a static IP address in a data center (e.g. your ISP's mailserver) you can prevent your emails from being categorized as spam.

There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

To configure relaying on your Postfix mailserver, you need a valid email account (with username and password) on another mailserver (provided that this mailserver makes use of SMTP-AUTH (which it should do)). This other mailserver should be hosted on a static IP address in some data center (e.g. your ISP's mailserver).

In this guide I use smtp.example.com as the remote mailserver on which I have a valid email account with the username someuser and the password howtoforge.

I assume you have already installed Postfix as I won't go into the details of installing Postfix here.

 

2 Configure Postfix For Relaying

To configure our Postfix server for relaying emails through smtp.example.com, we run

postconf -e 'relayhost = smtp.example.com'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
postconf -e 'smtp_sasl_security_options ='

Our username (someuser) and password (howtoforge) for smtp.example.com must be stored in /etc/postfix/sasl_passwd, therefore we do this:

echo "smtp.example.com   someuser:howtoforge" > /etc/postfix/sasl_passwd

/etc/postfix/sasl_passwd must be owned by root, and noone else should have read access to that file, so we do this:

chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd

Now we must convert /etc/postfix/sasl_passwd into a format that Postfix can read:

postmap /etc/postfix/sasl_passwd

This will create the file /etc/postfix/sasl_passwd.db.

All that is left to do is restart Postfix:

/etc/init.d/postfix restart

That's it. You can now test by sending emails over your mailserver and having a look at your mail log. You should see that all your emails are now passed on to smtp.example.com (except the ones that have a local recipient).

 

Share this page:

12 Comment(s)

Add comment

Comments

From:

Hi! If you are interested in allowing relay based on verfied tls client certificate, you could look at page http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml

From: nandelbosc

I've  a question...

My postfix installation uses smtp.gmail.com as relay host, when I send an email using this server, the field "from" appears my gmail address instead of [email protected]

 It's possible to avoid this, and appears in field from the email of a user in my domain?

From:

Thank you for this excellent guide.  I used this method to set up a pair of external SMTP relays (one as fallback_relay).

Simon

From: neutrinodust

Thank you so much. Your post saved me countless hours of head banging.

From: Martin

This did it , followed your guide to the letter and now it work perfectly thru my (previously) blocked port 25 connection.

 Keep up the good work

From: Desp

Hi

I am having same problem with Relay access denied . I can send and recive local and recive external but I cant send external from the box getting the error Relay access denied . I tried many times to fix it but still cant please give some help and advice! 

This is how my main.cf looks like :

 smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = selman.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = selman.us, localhost
relayhost = smtp.selman.us
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reje$
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

and this is my logs from the mail server :

Jan 15 11:51:42 trinity postfix/smtpd[17995]: connect from selman.us[213.112.127.168]
Jan 15 11:51:42 trinity postfix/smtpd[17995]: NOQUEUE: reject: RCPT from selman.us[213.112.127.168]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<selman.us>
Jan 15 11:51:42 trinity postfix/smtpd[17995]: lost connection after RCPT from selman.us[213.112.127.168]
Jan 15 11:51:42 trinity postfix/smtpd[17995]: disconnect from selman.us[213.112.127.168]

Thats what I have in /etc/hosts:

92.168.1.64    trinity.selman.us       trinity    # Added by NetworkManager
127.0.0.1    localhost.localdomain    localhost
::1    trinity    localhost6.localdomain6    localhost6
127.0.1.1    trinity.selman.us    trinity
213.112.127.168    selman.us
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

####

Ports for mail are open ! and in my domain DNS I have set :

pop: pop.selman.us

smtp: smtp.selman.us

mail: mail.selman.us

imap: selman.us # cant run squirrelmail if I set to imap.selman.us

 

From: Willem

Thank you very much for this explication. It worked fine for me. My mails finally [email protected] Before I read this wonderful advice, I read in the logs that my mails where refused by (pratically) all email providers.

From: supermanwah

After hamming around with multiple other mail clients and threads, this worked its magic quickly.  My only suggestion for others is to make sure sendmail is un-installed first if it was enabled prior to your postfix install.  

 sw

From: Carlitos

check this out http://docs.homelinux.org/viewtopic.php?f=13&t=29 also very good tutorial with ldap check and content filter..

From: Eddlinux

Falko Timme,

Thank you so much. It's working very well on my local network.

 Regards,

Edd

 

From: Roslyn Scott

How To Setup Postfix With Zoho Mail On Ubuntu

Postfix SMTP client doesn’t work out of box with SSL/TLS (port 465), but with only the rather securer STARTTLS (port 587). Unfortunately Zoho email server doesn’t support STARTTLS. That’s the reason if you set “relayhost= smtp.zoho.com:465? in your Postfix main.cf file, you’ll get this error in /var/log/mail.log:

CLIENT wrappermode (port smtps/465) is unimplemented instead, send to (port submission/587) with STARTTLS 1 2 CLIENT wrappermode (port smtps/465) is unimplemented instead, send to (port submission/587) with STARTTLS

From: tudor

Is it possible to configure postfix to use amazon ses and sendgrid (for specified domains/email addresses ) - BOTH on the same server? For example when seeing email from domain domain.with.amazonses.smtp.com to use relayhost amazon ses and when seeing email from domain domain.with.sendgrid.smtp.com to use relayhost sendgrid and for local localhost?