Set Up Postfix For Relaying Emails Through Another Mailserver

Version 1.0
Author: Falko Timme
Last edited 01/10/2007

This short guide shows how you can set up Postfix to relay emails through another mailserver. This can be useful if you run a Postfix mailserver in your local network and have a dynamic IP address because most dynamic IP addresses are blacklisted today. By relaying your emails through another mailserver that is hosted on a static IP address in a data center (e.g. your ISP's mailserver) you can prevent your emails from being categorized as spam.

There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

 

1 Preliminary Note

To configure relaying on your Postfix mailserver, you need a valid email account (with username and password) on another mailserver, provided that this mailserver uses SMTP-AUTH (which it should). This other mailserver should be hosted on a static IP address in some data center (e.g. your ISP's mailserver).

In this guide I use smtp.example.com as the remote mailserver on which I have a valid email account with the username someuser and the password howtoforge.

I assume you have already installed Postfix as I won't go into the details of installing Postfix here.

 

2 Configure Postfix For Relaying

To configure our Postfix server for relaying emails through smtp.example.com, we run

postconf -e 'relayhost = smtp.example.com'
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
postconf -e 'smtp_sasl_security_options ='

Our username (someuser) and password (howtoforge) for smtp.example.com must be stored in /etc/postfix/sasl_passwd, therefore we do this:

echo "smtp.example.com   someuser:howtoforge" > /etc/postfix/sasl_passwd

/etc/postfix/sasl_passwd must be owned by root, and no one else should have read access to that file, so we do this:

chown root:root /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd

Now we must convert /etc/postfix/sasl_passwd into a format that Postfix can read:

postmap /etc/postfix/sasl_passwd

This will create the file /etc/postfix/sasl_passwd.db.

All that is left to do is restart Postfix:

/etc/init.d/postfix restart

That's it. You can now test by sending emails over your mailserver and having a look at your mail log. You should see that all your emails are now passed on to smtp.example.com (except the ones that have a local recipient).
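
The four postconf commands above do not set smtp_tls_security_level and leave smtp_sasl_security_options empty, so the account password can be sent to the relay without TLS. The following check is an added example, not part of the original guide: it reads `name = value` lines as printed by `postconf -n` and flags those points, and adds a permission test for the password files. The helper names (get_param, audit_relay, secret_file_ok) and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: audit Postfix relay-client settings.
# Input is "name = value" lines on stdin, the format `postconf -n` prints.

# get_param NAME TEXT -> value of NAME (empty if unset or blank)
get_param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# audit_relay -> prints one WARN line per finding (hypothetical helper name)
audit_relay() {
    conf=$(cat)
    [ -n "$(get_param relayhost "$conf")" ] || echo "WARN: relayhost is not set"
    [ "$(get_param smtp_sasl_auth_enable "$conf")" = yes ] ||
        echo "WARN: smtp_sasl_auth_enable is not yes"
    # Only these levels make TLS mandatory; unset, none, may or dane do not.
    case "$(get_param smtp_tls_security_level "$conf")" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "WARN: smtp_tls_security_level does not enforce TLS" ;;
    esac
    # An empty option list, as set in the guide, also permits anonymous mechanisms.
    case ",$(get_param smtp_sasl_security_options "$conf" | tr ' ' ',')," in
        *,noanonymous,*) ;;
        *) echo "WARN: smtp_sasl_security_options lacks noanonymous" ;;
    esac
}

# secret_file_ok FILE -> true only if group and others have no permission bits
secret_file_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample 1: the four settings exactly as the guide sets them.
guide_conf() {
    printf '%s\n' 'relayhost = smtp.example.com' 'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options ='
}

# Constructed sample 2: same relay with mandatory TLS and no anonymous auth.
hardened_conf() {
    printf '%s\n' 'relayhost = smtp.example.com' 'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options = noanonymous' \
        'smtp_tls_security_level = encrypt'
}

guide_conf | audit_relay      # two findings
hardened_conf | audit_relay   # no findings
```

On a live host, pipe `postconf -n` into audit_relay and run secret_file_ok on /etc/postfix/sasl_passwd and /etc/postfix/sasl_passwd.db.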

 

3 Links

Comments

From: at: 2007-01-25 14:30:14

Hi! If you are interested in allowing relay based on verified tls client certificate, you could look at page http://www.iki.fi/petri.koistinen/postfix/postfix-tls-cacert.shtml

From: nandelbosc at: 2009-12-03 15:17:26

I've a question...

My postfix installation uses smtp.gmail.com as relay host, when I send an email using this server, the field "from" appears my gmail address instead of [email protected]

Is it possible to avoid this, so that the "from" field shows the email of a user in my domain?

From: at: 2009-09-03 21:03:58

Thank you for this excellent guide.  I used this method to set up a pair of external SMTP relays (one as fallback_relay).

Simon

From: neutrinodust at: 2010-01-12 01:17:14

Thank you so much. Your post saved me countless hours of head banging.

From: Martin at: 2010-04-04 16:51:37

This did it, followed your guide to the letter and now it works perfectly thru my (previously) blocked port 25 connection.

Keep up the good work

From: Desp at: 2011-01-15 10:57:29

Hi

I am having the same problem with Relay access denied. I can send and receive local and receive external but I can't send external from the box, getting the error Relay access denied. I tried many times to fix it but still can't, please give some help and advice!

This is how my main.cf looks like :

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = /usr/share/doc/postfix
# TLS parameters
smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
smtpd_tls_key_file = /etc/ssl/private/smtpd.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
myhostname = selman.us
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = selman.us, localhost
relayhost = smtp.selman.us
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
html_directory = /usr/share/doc/postfix/html
home_mailbox = Maildir/
mailbox_command =
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reje$
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

and this is my logs from the mail server :

Jan 15 11:51:42 trinity postfix/smtpd[17995]: connect from selman.us[213.112.127.168]
Jan 15 11:51:42 trinity postfix/smtpd[17995]: NOQUEUE: reject: RCPT from selman.us[213.112.127.168]: 554 5.7.1 <[email protected]>: Relay access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<selman.us>
Jan 15 11:51:42 trinity postfix/smtpd[17995]: lost connection after RCPT from selman.us[213.112.127.168]
Jan 15 11:51:42 trinity postfix/smtpd[17995]: disconnect from selman.us[213.112.127.168]

That's what I have in /etc/hosts:

92.168.1.64    trinity.selman.us       trinity    # Added by NetworkManager
127.0.0.1    localhost.localdomain    localhost
::1    trinity    localhost6.localdomain6    localhost6
127.0.1.1    trinity.selman.us    trinity
213.112.127.168    selman.us
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

####

Ports for mail are open ! and in my domain DNS I have set :

pop: pop.selman.us

smtp: smtp.selman.us

mail: mail.selman.us

imap: selman.us # cant run squirrelmail if I set to imap.selman.us

 

From: Willem at: 2011-07-12 11:44:56

Thank you very much for this explication. It worked fine for me. My mails finally arrive@destination. Before I read this wonderful advice, I read in the logs that my mails were refused by (practically) all email providers.

From: supermanwah at: 2012-08-13 20:03:45

After hamming around with multiple other mail clients and threads, this worked its magic quickly.  My only suggestion for others is to make sure sendmail is un-installed first if it was enabled prior to your postfix install.  

 sw

From: Carlitos at: 2013-07-05 08:50:05

check this out http://docs.homelinux.org/viewtopic.php?f=13&t=29 also very good tutorial with ldap check and content filter..

From: Eddlinux at: 2013-11-19 02:33:31

Falko Timme,

Thank you so much. It's working very well on my local network.

 Regards,

Edd

 

From: Roslyn Scott at: 2015-01-08 14:27:41

How To Setup Postfix With Zoho Mail On Ubuntu

Postfix SMTP client doesn’t work out of box with SSL/TLS (port 465), but with only the rather securer STARTTLS (port 587). Unfortunately Zoho email server doesn’t support STARTTLS. That’s the reason if you set “relayhost= smtp.zoho.com:465” in your Postfix main.cf file, you’ll get this error in /var/log/mail.log:

CLIENT wrappermode (port smtps/465) is unimplemented
instead, send to (port submission/587) with STARTTLS