Setup Postfix with a remote SMTP relay host

  • by Tim White
  • posted 2009.11.11
  • 43 Comments
  • 43732 views
Postfix config

Platforms:
any Linux distro

What You'll Need:
Postfix 2.2+
cyrus-sasl 2.1.19+
3rd party email account

A typical email scenario: you're a developer, and you've got a development Linux box at home. You need to be able to send emails from your code or cron jobs, but you're too lazy to set up a full fledged email server on your LAN. Or you just want to use an email account provided by Google Apps, Yahoo, or your ISP.

Enter the Postfix.

Most Linux distros come with Sendmail already installed, and it is usually the default mail client used by the running services. However, Postfix beats the crap out of Sendmail and is a complete, seamless replacement. Here's how I got it going on my CentOS box.

Install

Install Postfix and cyrus-sasl with your application manager of choice. If you're compiling from source, be sure to make Postfix with the -DUSE_SASL_AUTH flag for SASL support and -DUSE_TLS for TLS support.

$ yum install postfix cyrus-sasl

Stop the sendmail service

$ /etc/init.d/sendmail stop

Remove sendmail from the startup runlevels

$ chkconfig --del sendmail

Typical Setup

Edit /etc/postfix/main.cf

# Set this to your server's fully qualified domain name.
# If you don't have an internet domain name,
# use the default or your email address's domain - it'll keep
# postfix from generating warnings all the time in the logs
mydomain = local.domain
myhostname = host.local.domain

# Set this to your email provider's smtp server.
# A lot of ISPs (e.g. Cox) block the default port 25
# for home users to prevent spamming.  So we'll use port 80
relayhost = yourisp.smtp.servername:80

# The smtpd_* parameters configure Postfix's own SMTP server;
# the smtp_* parameters configure the client that talks to the relay.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes

# optional: necessary if email provider uses load balancing and
# forwards emails to another smtp server
# for delivery (e.g. smtp.yahoo.com --> smtp.phx.1.yahoo.com)
smtp_cname_overrides_servername = no

# optional: necessary if email provider
# requires passwords sent in clear text.
# Without TLS (see the Gmail setup), the password then
# crosses the network unencrypted.
smtp_sasl_security_options = noanonymous

There's roughly a 99.9% chance that your email provider's SMTP server requires authentication. We need to set that up with the username and password given by your email provider.

Add the following line to /etc/postfix/sasl_passwd

yourisp.smtp.servername:80 username:password

The above server hostname and port must exactly match the value for "relayhost" in /etc/postfix/main.cf.

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sasl_passwd

Test the lookup table. If all is good, the following will return the specified username:password

$ postmap -q yourisp.smtp.servername:80 /etc/postfix/sasl_passwd

Make sure the sasl_passwd and sasl_passwd.db files are readable/writable only by root

$ chmod 600 /etc/postfix/sasl_passwd
$ chmod 600 /etc/postfix/sasl_passwd.db

Add postfix to be started at boot

$ chkconfig --add postfix

Fire up Postfix

$ /etc/init.d/postfix start

Test it out using sendmail alias from the command prompt

$ sendmail email@example.com
Postfix is good to go.
.

Gmail Setup

If you're attempting to relay mail using Gmail, then it will be necessary to use TLS with Postfix. You'll have to point Postfix at your server's trusted CA root certificate bundle, but luckily "...client-side certificates are not required when relaying mail to GMail".

First, double-check that Postfix was configured with SSL support (i.e. ldd should return at least one line starting with libssl):

$ whereis -b postfix
postfix: /usr/sbin/postfix /etc/postfix /usr/libexec/postfix
$ ldd /usr/sbin/postfix
...
libssl.so.6 => /lib/libssl.so.6 (0x00111000)
...

Now we need to find your server's CA root certificate bundle, which is typically distributed with openssl. The bundle file is used by Postfix to verify Gmail's SSL certificate (signed by Thawte). On my CentOS server, this file was located at /etc/pki/tls/certs/ca-bundle.crt, but it may be in a different location on your box (e.g. /etc/ssl/certs).

$ locate ca-bundle.crt
/etc/pki/tls/certs/ca-bundle.crt

Edit /etc/postfix/main.cf with the following values:

relayhost = smtp.gmail.com:587

# your FQDN, or default value below
mydomain = local.domain

# your local machine name, or default value below
myhostname = host.local.domain
myorigin = $myhostname

# SASL
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous

# TLS
# smtp_use_tls = yes is opportunistic: TLS is used when the server offers STARTTLS
smtp_use_tls = yes
smtp_tls_CAfile = /path/to/your/ca-bundle.crt
smtp_sasl_tls_security_options = noanonymous

If you haven't already, add the following to /etc/postfix/sasl_passwd

smtp.gmail.com:587 username:password

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sasl_passwd

Make sure the sasl_passwd and sasl_passwd.db files are readable/writable only by root

$ chmod 600 /etc/postfix/sasl_passwd
$ chmod 600 /etc/postfix/sasl_passwd.db

Restart postfix and send a test email

$ postfix reload
$ sendmail email@example.com
Test relay thru Gmail
.
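
The checks from both setups above (the sasl_passwd key matching relayhost exactly, mode 600 on both files, and TLS whenever plaintext passwords are allowed) can be scripted. This is an added example, not part of the original post; the function names get_param, audit_relay and make_sample and the sample files are made up for illustration, and main.cf continuation lines are not handled.

```shell
# Added example: offline audit of the relay settings described above.
# Simplification: main.cf continuation lines are not joined.

# Print the last value assigned to parameter $2 in main.cf file $1.
get_param() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            i = index($0, "="); if (i == 0) next
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == key) last = val
        }
        END { print last }' "$1"
}

# Audit main.cf ($1) against the plaintext sasl_passwd ($2).
# Prints one line per finding; the return status is the number of findings.
audit_relay() {
    local cf=$1 pw=$2 n=0 relay opts level f
    relay=$(get_param "$cf" relayhost)
    # 1. The lookup key must equal the relayhost value character for character.
    if ! awk -v r="$relay" '$1 == r { ok = 1 } END { exit !ok }' "$pw"; then
        echo "MISMATCH: no sasl_passwd entry keyed exactly '$relay'"; n=$((n + 1))
    fi
    # 2. The source file and the postmap output must both exist with mode 600.
    for f in "$pw" "$pw.db"; do
        if [ ! -e "$f" ]; then
            echo "MISSING: $f"; n=$((n + 1))
        elif [ -z "$(find "$f" -prune -perm 600 -print)" ]; then
            echo "PERMS: $f is not mode 600"; n=$((n + 1))
        fi
    done
    # 3. Plaintext mechanisms allowed while TLS is absent or only opportunistic.
    opts=$(get_param "$cf" smtp_sasl_security_options)
    level=$(get_param "$cf" smtp_tls_security_level)
    if [ -z "$level" ] && [ "$(get_param "$cf" smtp_enforce_tls)" = yes ]; then level=encrypt; fi
    case "$level" in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) case "$opts" in
               ""|*noplaintext*) ;;   # unset means the default, which has noplaintext
               *) echo "PLAINTEXT: plaintext auth allowed, TLS not mandatory"; n=$((n + 1)) ;;
           esac ;;
    esac
    return "$n"
}

# Constructed sample (not from a real system): bracketed relayhost, unbracketed
# sasl_passwd key, world-readable credentials, and postmap never run.
make_sample() {
    printf '%s\n' 'relayhost = [smtp.gmail.com]:587' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options = noanonymous' \
        'smtp_use_tls = yes' > "$1/main.cf"
    printf '%s\n' 'smtp.gmail.com:587 user@example.com:PLACEHOLDER' > "$1/sasl_passwd"
    chmod 644 "$1/sasl_passwd"
}

dir=$(mktemp -d)
make_sample "$dir"
audit_relay "$dir/main.cf" "$dir/sasl_passwd" || echo "findings: $?"
rm -rf "$dir"
```

On a live system, call audit_relay with /etc/postfix/main.cf and /etc/postfix/sasl_passwd as root; file ownership is not checked.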

Troubleshooting

Monitor postfix mail log in a separate session with the following command

$ tail -f /var/log/maillog

If the log is displaying the following error

(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)

then set this variable in /etc/postfix/main.cf

smtp_sasl_security_options = noanonymous

If the log is displaying this error

553 Sorry, that domain isn't in my list of allowed rcpthosts. (in reply to RCPT TO command)

check your username and password in /etc/postfix/sasl_passwd. Your user name is usually your full email address. If you have to fix it, don't forget to use postmap to generate a new lookup table.

Comments

  1. David Montalvo
    2009.11.18

    I'm getting the following response from smart host:

    550 relaying mail to gmail.com is not allowed

    What does that mean? I have asked my ISP to add my domain name to their list, what else could be the problem? Wrong local hostname? ...

    Thanks.

  2. @David Montalvo

    Have you tried enabling TLS with Postfix? I just added a new section to the post on configuring Postfix to relay with Gmail.

  3. Ed
    2009.12.02

    I'm getting "said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command)". When I manually email using telnet, it works.

    # telnet smtp.x.com 25
    Trying x.x.120.200...
    Connected to smtp.x.com (x.x.120.200).
    Escape character is '^]'.
    220
    EHLO
    250-exchange.x.net Hello [x.x.108.226]
    250-SIZE 52428800
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-XXXXXXXA
    250-AUTH LOGIN
    250-8BITMIME
    250-BINARYMIME
    250 XXXXXXXB
    AUTH LOGIN
    334 VXNlcm5hbWU6
    ZW1pc3lzdGVtQGVtaW1wx
    334 UGFzc3dvcmQ63
    SW1lOTg3NjU0MzIx3
    235 2.7.0 Authentication successful
    mail from: x@x.com
    250 2.1.0 Sender OK
    rcpt to: y@y.com
    250 2.1.5 Recipient OK
    data
    354 Start mail input; end with .
    Test001a
    .
    250 2.6.0 Queued mail for delivery

  4. @Ed - try enabling this in /etc/postfix/main.cf:

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous

    And make sure you've exactly specified your smtp.x.com:80 username:password in /etc/postfix/sasl_passwd and generated a postfix lookup table from it. smtp.x.com:80 needs to match exactly what you've specified in /etc/postfix/main.cf:


    $ postmap -q smtp.x.com:80 /etc/postfix/sasl_passwd

    Also, check if your email provider's smtp server accepts connections over port 80 (or whichever port you're using above).

  5. Ed
    2009.12.02

    I did some more digging. It seems Postfix Client is not authenticating into my smtp server. It goes immediately into "MAIL FROM:". Do you know why this is so? I configured my main.cf and sasl_passwd similarly as you.

    Dec 2 13:18:17 genre1 postfix/pickup[9038]: E231BE004D: uid=510 from=
    Dec 2 13:18:17 genre1 postfix/cleanup[9082]: E231BE004D: message-id=
    Dec 2 13:18:17 genre1 postfix/qmgr[9039]: E231BE004D: from=, size=496, nrcpt=1 (queue activex
    Dec 2 13:18:18 genre1 postfix/smtp[9084]: exchange.x.net[165.212.120.200]:25: HELO x.com
    Dec 2 13:18:18 genre1 postfix/smtp[9084]: exchange.x.net[165.212.120.200]:25: MAIL FROM:
    Dec 2 13:18:23 genre1 postfix/smtp[9084]: < exchange.x.net[165.212.120.200]:25: 530 5.7.1 Client was not authenticated

  6. Ed
    2009.12.02

    I think I figured out my solution: postfix seems to insist on applying the Cisco PIX workaround. I added this line in main.cf:
    smtp_pix_workarounds =
    So now the smtp server is recognized as ESMTP and EHLO is used by default. Email started flowing!

  7. @Ed - glad to hear you found a solution, thanks for posting it!

  8. 2010.01.27

    smart@smart:~$ sudo postfix stop
    postfix: fatal: relayhost parameter setting must not contain multiple values: smtpout.servername.net:3535 name@isp.com:passwd

    This is the correct information but, how should it be formatted?

  9. Wade Smart
    2010.01.27

    Never mind. I put the wrong information in the wrong place. :D

  10. @Wade - No problem, glad you got it working!

  11. Wade Smart
    2010.01.28

    I totally screwed something up and had to reinstall just to get it working again. I'm getting this error:

    fatal: valid hostname or network address required in server description: [smtpout.secureserver.net:465]

    The documentation says to put [ ] around it to keep mx lookup from happening. When I do not use [] I get this error:

    to=, relay=none, delay=1164, delays=1144/0.01/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=smtpout.secureserver.net type=MX: Host not found, try again)

    This is the setting I use in Thunderbird to connect.

  12. @Wade - sounds like you may have a DNS issue. Can you telnet into that host from the server? ie. Try:

    telnet smtpout.secureserver.net 465

    Also, I don't wrap host names in the brackets with postfix, never had much luck with it either :)

  13. Ryan Trumbull
    2010.04.14

    I'm having the same issue with GoDaddy's smtpout server. DNS lookup of smtpout.secureserver.net works fine, type=MX fails. I can telnet directly to smtpout.secureserver.net 25, but get the same "Host or domain name not found" in the mail.log.

  14. Ryan Trumbull
    2010.04.14

    @Wade: Working on the TLS/SSL check for GoDaddy, but keeping the port outside of the []'s works fine. For whatever reason, Godaddy/SecureServer doesn't maintain MX records in DNS. Encapsulating the smtpout.secureserver.net in []'s worked fine to start moving mail. Just don't make my mistake and put the wrong password in.. you'll get a 451 Internal Error

  15. 2010.04.29

    Great post - short and to the point. great work.

  16. [...] provider. Here's what you need to do to get postfix setup to use another smtp server (Thanks to http://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/ The instructions on this site worked great for [...]

  17. 2010.06.14

    Sorry people, can anyone help me? I compiled and installed postfix, and I'm using a relayhost that points to my ISP. But my "DNS server" is on the same server where postfix is installed, and Apache is running there with vhosts, so I have a domain that points to that server, and in the zone files of my domain I'm not using POP3 or IMAP on my server; my MX records point to Google Apps, to Google's MX servers. But when I try to send e-mail via sendmail to mail@mydomainonsameserver.com it does not deliver the mail to Google Apps at all; if I try to send to another e-mail address everything is fine, it delivers it. So finally I researched this problem on the Internet and found that I need to disable mail delivery to localhost. As I think, postfix understands that the domain points to the same server where postfix itself is, and tries to deliver the mail locally. But the zone file MX record, even for a domain on the same server, can point to another server outside. So I disabled local delivery in postfix, and the problem is not fixed. Does anyone have any ideas?

  18. depp
    2010.08.13

    I have a similar issue. I set up a postfix server with spam assassin to scan mails passing through my network. I intend to have users send mail from their respective mail client with e.g. smtp.gmail.com configured on the mail client through the postfix server, and the spam assassin will scan the mail and send it to smtp.gmail.com. I do not need to know the mail client's user password, neither does he need to know my postfix server FQDN address (hostname.example.com).

    thanks in anticipation

  19. Ash
    2010.12.17

    Hi,
    My problem is very complicated. I'm using Zimbra on a Deb5, which runs on postfix. I can send emails through my zimbra server, but I cannot send anything with attachments. It either says it cannot send because the request timed out, or sometimes it just sends out an error message saying it cannot be copied onto the sent folder on the server. I'm sure that it has nothing to do with proxy permissions because I can send any other email fine with just text in it and also less than 10 kB. I am using thunderbird client which cannot copy back to the server. I tried with different ports from 25, 465, 587 but nothing works for it. Does anyone have any idea what could be the problem?

    I have been working on it for the past three weeks ... just on this one problem.. it's tough to find something from nothing. I don't see anything in the logs and zimbra support is helpless.

  20. joe
    2011.01.12

    Hey
    Thanks for great post on postfix install/troubleshoot.

    I want to ask a question on limiting the queue to the 3rd party smtp server. How to do so?

    Thanks

  21. 2011.03.16

    Thank you very much. After trying other HowTos for hours I finally found yours. It works perfect.

  22. 2011.03.26

    Thank you, thank you! I was all over the Internet looking for a solution and this one did the trick! Thanks!!!

  23. Carlos
    2011.04.15

    Very simple, really a great job!!! thank you

  24. ken
    2011.06.23

    Great post! I have postfix up and sending emails through google. There is one problem... I can't send emails to the gmail.com domain. I get the following error:
    530-5.5.1 Authentication Required.

    I know it is authenticating because I can send emails to other domains and I see they are being sent through google.

  25. @ken - that's really weird. It almost sounds like postfix is attempting to authenticate with the recipient's gmail address.

  26. Dominique
    2011.06.27

    Great Tutorial, works like a charm. Thanks for the work. Just a small question. I tested the Gmail setup with a strange output.
    The sender mail account is being overridden by gmail, i.e. if I send a mail with the account dominique@mydomain.com it is being received as whateverrelaymailaccount@gmail.com
    What am I missing?

  27. @Dominique - I think you need to sign up for a Google Apps account and add google MX records to the DNS of your domain name. A plain gmail account won't be sufficient. This guy's tutorial came up on a quick google search.

  28. Ashok
    2011.08.02

    Thank you very much Tim, I worked perfect for me.

  29. [...] Remote SMTP on Linux [...]

  30. Kyle
    2011.09.13

    Great tutorial, but I am having problems still with Godaddy/secureserver.net. I got my system to connect with smtpout.secureserver.net, but now I'm getting a different error:

    Sep 13 11:10:32 homesrv postfix/smtp[19946]: 7C49D19C2167: to=, relay=smtpout.where.secureserver.net[173.201.193.101]:80, delay=836, delays=835/0.17/0.53/0.24, dsn=5.0.0, status=bounced (host smtpout.where.secureserver.net[173.201.193.101] said: 553 Sorry, that domain isn't in my list of allowed rcpthosts. (in reply to RCPT TO command))

  31. Astral
    2011.10.03

    Hello.

    I can't find ca-bundle.crt in my system. Is it normal (debian Squeeze) ?

    "locate" returns nothing.

    I've downloaded a ca-bundle.crt here https://www.startssl.com/certs/ but ca-bundle shouldn't be updated with system updates ?

    Thanks.

  32. Antonio
    2011.10.22

    Good article!!

    I'm having trouble sending my e-mails through GoDaddy... It looks like it doesn't work with TLS, but only SSL.

    My situation is that the messages reach the Postfix queue and stay in processing status for more than 5 minutes. Then, a temporary error message appears:

    lost connection with smtpout.secureserver.net[64.202.165.58] while receiving the initial server greeting

    The message stays in Queue "ad eternum"

    Any ideas? I think I have not been able to set up the SSL connection or mixed stuff with TLS.

    Any help?

  33. @Astral - I don't think Debian systems have a ca-bundle.crt file. Certs are instead stored in the /etc/ssl/certs directory, so instead of using this directive in main.cf:

    smtp_tls_CAfile = /path/to/your/ca-bundle.crt

    You'd use this one:

    smtp_tls_CApath = /etc/ssl/certs

  34. Dmitry
    2011.11.16

    In my case I need [] in:
    relayhost = [smtp.gmail.com]:587

  35. [...] http://www.zulius.com/how-to/set-up-postfix-with-a-remote-smtp-relay-host/ [...]

  36. 2011.11.22

    Worked great first try! Thanks for this article. For those who are using Ubuntu, the ca.crt file is what you're looking for. I used this and it's fine:

    /usr/share/ca-certificates/debconf.org/ca.crt

  37. 2011.12.03

    Thanks for the guide, it helped me get my Nagios setup on the road! I didn't know of the [host] trick, but I simply made a MX record on a unused subdomain.

    Note: Debian Lenny's SSL crt file is /etc/ssl/certs/ca-certificates.crt.

  38. i4o
    2011.12.09

    Worked for a while, but then google stopped receiving mail from postfix ( "suspicious activity on your account" ). I did create dedicated account for forwarding and didn't log in via browser.

  39. 2011.12.31

    GMail, ubuntu 11.10, Courier (not cyrus)
    Man I find mail server set-up to be arduous. But almost! first try your post resulted in success for me.
    I must reinforce your kindly and carefully noted Troubleshooting entry RE: (Authentication failed: cannot SASL authenticate to server ...: no mechanism available) and the fix given, FIX: smtp_sasl_security_options = noanonymous
    You see in my ubuntu setup the default was smtp_sasl_security_options = noplaintext, noanonymous
    Looks good? Result was the exact error you point out. Had to drop the noplaintext
    part and right away mail sent error free.
    NICE!! thank you!
    Also so others won't sweat like I did when the check for libssl failed, this set up works fine. Of course, that could be because I use the Courier Delivery Agent instead
    of cyrus. Note: smtp_sasl_type = cyrus on this machine. I thought that would not work. I did not install cyrus.
    For courier install I followed http://flurdy.com/docs/postfix/

  40. Vladimir
    2012.02.06

    @Ed, Tim

    Thank you, Tim, for this article, but Ed was Godsend. I spent several days looking for answer why my clearos postfix can't authenticate with ISP's smtp server. Ed found this:

    I think I figured out my solution: postfix seems to insist on applying the Cisco PIX workaround. I added this line in main.cf:
    smtp_pix_workarounds =
    So now the smtp server is recognized as ESMTP and EHLO is used by default. Email started flowing!

    Thanks, with all my heart

  41. 2012.02.07

    I'm running Ubuntu Server 10.4.3 that hosts our in-house repair software and needs to relay messages from a php form to our isp's smtp server. Everything previously ran on a win2003 server and everything worked normally. I have smtp= set in php.ini and installed postfix, sasl2-bin, and ran through all the steps on your tutorial and still nothing goes through. I tried both with and without :80 after the smtp server specified in relayhost. When I check /var/log/mail.log, I'm getting server postfix/smtp[...]: fatal: open database /etc/postfix/sasl_passwd.db: No such file or directory. Help! I'm no linux expert, but I'm learning on the fly :/

  42. @Matt - it sounds like you skipped running postmap on your plaintext /etc/postfix/sasl_passwd file, which creates the /etc/postfix/sasl_passwd.db file.

  43. 2012.02.07

    Thanks for the quick reply... everything is working now, what I ended up doing was purging postfix and reinstalling it, and choosing "no configuration" during install. I then added copied the default main.cf.debian to /etc/postfix/main.cf and added the lines you have in your setup. What's interesting is that when I used :80 on the smtp server, mail.log was showing the connections were refused, so I removed it and edited sasl_passwd and did the postmap thing again, and lo and behold, mail.log is now showing status=sent and I'm getting my test messages. Thanks!
