Setup Postfix with a remote SMTP relay host

Postfix config

Postfix config

any Linux distro

What You'll Need:
Postfix 2.2+
cyrus-sasl 2.1.19+
3rd party email account

Sending outgoing email thru a 3rd party SMTP relay service is a quick and easy alternative to setting up a full fledged local email server. Google Apps/Gmail, Yahoo, and many ISPs provide SMTP relaying for free. This guide will cover configuring Postfix on a CentOS server to relay outgoing email to a 3rd party.

Most Linux distros come with Sendmail already installed, and is usually the default mail client used by the running services. However, Postfix beats the crap out of Sendmail and is a complete, seamless replacement. Here's how I got it going on my CentOS box.


Install Postfix and cyrus-sasl with your application manager of choice. If you're compiling from source, be sure to make Postfix with the -DUSE_SASL_AUTH flag for SASL support and -DUSE_TLS for TLS support.

Note: CentOS 6+ now packages cyrus-sasl-plain separately, so if it's not specifically installed, you'll get a "Authentication failed: cannot SASL authenticate to server ...: no mechanism available" error.

$ yum install postfix cyrus-sasl cyrus-sasl-plain

Stop the sendmail service

$ /etc/init.d/sendmail stop

Remove sendmail from the startup runlevels

$ chkconfig --del sendmail

Typical Setup

Edit /etc/postfix/

# Set this to your server's fully qualified domain name.
# If you don't have a internet domain name,
# use the default or your email addy's domain - it'll keep
# postfix from generating warnings all the time in the logs
mydomain = local.domain
myhostname = host.local.domain

# Set this to your email provider's smtp server. 
# A lot of ISP's (ie. Cox) block the default port 25
# for home users to prevent spamming.  So we'll use port 80
relayhost = yourisp.smtp.servername:80

smtpd_sasl_auth_enable = yes
smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes

# optional: necessary if email provider uses load balancing and
# forwards emails to another smtp server
# for delivery (ie: -->
smtp_cname_overrides_servername = no

# optional: necessary if email provider
# requires passwords sent in clear text
smtp_sasl_security_options = noanonymous

There's roughly a 99.9% chance that your email provider's SMTP server requires authentication. We need to set that up with the username and password given by your email provider.

Add the following line to /etc/postfix/sasl_passwd

yourisp.smtp.servername:80 username:password

The above server hostname and port must exactly match the value for "relayhost" in /etc/postfix/

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sasl_passwd

Test the lookup table, if all is good then the following will return the specified username:password

$ postmap -q yourisp.smtp.servername:80 /etc/postfix/sasl_passwd

Make sure the sasl_passwd and sasl_passwd.db files are readable/writable only by root

$ chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Add postfix to be started at boot

$ chkconfig --add postfix

Fire up Postfix

$ /etc/init.d/postfix start

Test it out using sendmail alias from the command prompt

$ $ sendmail -t
Subject: Test 123
Postfix is good to go.

Gmail Setup

If you're attempting to relay mail using Gmail, then it will be necessary to use TLS with Postfix. You'll have to point Postfix at your server's trusted CA root certificate bundle, but luckily "...client-side certificates are not required when relaying mail to GMail".

First, double-check that Postfix was configured with SSL support (ie. ldd should return at least one line starting with libssl):
$ whereis -b postfix
postfix: /usr/sbin/postfix /etc/postfix /usr/libexec/postfix
$ ldd /usr/sbin/postfix
... => /lib/ (0x00111000)
Now we need to find your server's CA root certificate bundle, which is typically distributed with openssl. The bundle file is used by Postfix to verify Gmail's SSL certificate (signed by Thawte). On my CentOS server, this file was located at /etc/pki/tls/certs/ca-bundle.crt, but may be in a different location on your OS (ie. /etc/ssl/certs).
$ locate ca-bundle.crt
Edit /etc/postfix/ with the following values:
relayhost =

# your FQDN, or default value below
mydomain = local.domain

# your local machine name, or default value below
myhostname = host.local.domain
myorigin = $myhostname

smtpd_sasl_path = smtpd
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_type = cyrus
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous

smtp_use_tls  = yes
smtp_tls_CAfile = /path/to/your/ca-bundle.crt
smtp_sasl_tls_security_options = noanonymous
If you haven't already, add the following to /etc/postfix/sasl_passwd username:password

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sasl_passwd

Make sure the sasl_passwd and sasl_passwd.db files are readable/writable only by root

$ chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Restart postfix and send a test email
$ postfix reload
$ sendmail -t
Subject: Testing 123
Test relay thru Gmail

If this is a new Google email account, make sure to login to the gmail web interface with it first. You'll need to accept the Google TOS before you can send any email thru the account.

Note that Google places daily limits on the amount of emails and recipients.

Sending from multiple email accounts

Postfix 2.3+ can also be setup to authenticate, relay, and send from multiple email accounts (see Configuring Sender-Dependent SASL authentication). Postfix will lookup and relay to the appropriate host based on the sender address specified by the client. This can be configured using a per-sender relayhost file that maps each sender addresses to a relay provider. Clients must specify a sender address when composing an email so that Postfix can lookup the appropriate sender's relay host info.

Let's assume we'll be sending from two email accounts: (which uses and (which uses We'll first add them to the /etc/postfix/sasl_passwd, along with a default relay host and user ( which will be used as the sender in case a client omits the sender address or a matching sender address is not found:

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sasl_passwd

Next, add the senders and their providers to a new /etc/postfix/sender_relay file

Generate a postfix lookup table from the previous file

$ postmap hash:/etc/postfix/sender_relay

Make sure the all above files are readable/writable only by root

$ chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db /etc/postfix/sender_relay /etc/postfix/sender_relay.db

Next, add the following directives to /etc/postfix/ for multiple relay host support (this assumes you've already added the smtp_sasl_* directives mentioned earlier in this article)

# multiple sender relayhost maps
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sender_dependent_authentication = yes

Finally, reload Postfix and send some test messages

$ /etc/init.d/postfix reload
$ sendmail -tf ""
Test email should be from
$ sendmail -tf ""
This test email should be from

Note: the sendmail -f argument is required for Postfix to select the appropriate sender and relay host. Also, if the "From:" message header is omitted, Postfix will automatically set the NAME environment variable as the sender's display name (the correct sender relay host is still used). Use the -F argument to set a custom display name, or specify the "From:" message header (though this latter option seems to be buggy and is ignored).

A quick note about sending email from WordPress

At the current version of 3.6.1, WordPress does not set the sender on outgoing emails. So on a server configured to relay thru multiple outgoing email accounts, all outgoing WordPress emails will be sent via the default relay host (specified in /etc/postfix/sasl_passwd).

A quick fix is to set the Sender attribute of WordPress's phpmailer object. This can be done by adding the following code to your theme's functions.php file, which will set the sender as the address specified in the WordPress admin > General Settings > Email Address.

function phpmailer_set_sender_address($phpmailer){
    $phpmailer->Sender = get_option('admin_email');

add_action('phpmailer_init', 'phpmailer_set_sender_address', 10, 1);

Alternatively, the sender address could be hardcoded above instead of using the WordPress admin email.

Other notes

Anytime you change the /etc/postfix/sasl_passwd or /etc/postfix/sender_relay files, remember to rehash them and reload Postfix

$ postmap hash:/etc/postfix/sasl_passwd
$ postmap hash:/etc/postfix/sender_relay
$ /etc/init.d/postfix reload


Monitor postfix mail log in a separate session with the following command

$ tail -f /var/log/maillog

If the log is displaying the following error

(Authentication failed: cannot SASL authenticate to server ...: no mechanism available)

then set this variable in /etc/postfix/

smtp_sasl_security_options = noanonymous

If the log is displaying this error

553 Sorry, that domain isn't in my list of allowed rcpthosts. (in reply to RCPT TO command)

check your username and password in /etc/postfix/sasl_passwd. Your user name is usually your full email address. If you have to fix it, don't forget to use postmap to generate a new lookup table.


  1. David Montalvo

    Im getting the following response from smart host:

    550 relaying mail to is not allowed

    What does that mean? I have asked my ISP to add my domain name to their list, what else could be the problem? Wrong local hostname? ...


  2. @David Montalvo

    Have you tried enabling TLS with Postfix? I just added a new section to the post on configuring Postfix to relay with Gmail.

  3. Ed

    I'm getting "said: 530 5.7.1 Client was not authenticated (in reply to MAIL FROM command)". When I manually email using telnet, it works.

    # telnet 25
    Trying x.x.120.200...
    Connected to (x.x.120.200).
    Escape character is '^]'.
    EHLO Hello [x.x.108.226]
    250-SIZE 52428800
    250-AUTH LOGIN
    250 XXXXXXXB
    334 VXNlcm5hbWU6
    334 UGFzc3dvcmQ63
    235 2.7.0 Authentication successful
    mail from:
    250 2.1.0 Sender OK
    rcpt to:
    250 2.1.5 Recipient OK
    354 Start mail input; end with .
    250 2.6.0 Queued mail for delivery

  4. @Ed - try enabling this in /etc/postfix/

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous

    And make sure you've exactly specified your username:password in /etc/postfix/sasl_passwd and generated a postfix lookup table from it. needs to match exactly what you've specified in /etc/postfix/

    $ postmap -q /etc/postfix/sasl_passwd

    Also, check if your email provider's smtp server accepts connections over port 80 (or whichever port you're using above).

  5. Ed

    I did some more digging. It seems Postfix Client is not authenticating into my smtp server. It goes immediately into "MAIL FROM:". Do you know why this is so? I configured my and sasl_passwd similarly as you.

    Dec 2 13:18:17 genre1 postfix/pickup[9038]: E231BE004D: uid=510 from=
    Dec 2 13:18:17 genre1 postfix/cleanup[9082]: E231BE004D: message-id=
    Dec 2 13:18:17 genre1 postfix/qmgr[9039]: E231BE004D: from=, size=496, nrcpt=1 (queue activex
    Dec 2 13:18:18 genre1 postfix/smtp[9084]:[]:25: HELO
    Dec 2 13:18:18 genre1 postfix/smtp[9084]:[]:25: MAIL FROM:
    Dec 2 13:18:23 genre1 postfix/smtp[9084]: <[]:25: 530 5.7.1 Client was not authenticated

  6. Ed

    I think I figured out my solution: postfix seems to insist on applying the Cisco PIX workaround. I added this line in
    smtp_pix_workarounds =
    So now the smtp server is recognized as ESMTP and EHLO is used by default. Email started flowing!

  7. @Ed - glad to hear you found a solution, thanks for posting it!

  8. smart@smart:~$ sudo postfix stop
    postfix: fatal: relayhost parameter setting must not contain multiple values:

    This is the correct information but, how should it be formatted?

  9. Wade Smart

    Never mind. I put the wrong information in the wrong place. :D

  10. @Wade - No problem, glad you got it working!

  11. Wade Smart

    I totally screwed something up and had to reinstall just to get it working again. Im getting this error:

    fatal: valid hostname or network address required in server description: []

    The documentation says to put [ ] around it to keep mx lookup from happening. When I do not use [] I get this error:

    to=, relay=none, delay=1164, delays=1144/0.01/20/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for type=MX: Host not found, try again)

    This is the setting I use in Thunderbird to connect.

  12. @Wade - sounds like you may have a DNS issue. Can you telnet into that host from the server? ie. Try:

    telnet 465

    Also, I don't wrap host names in the brackets with postfix, never had much luck with it either :)

  13. Ryan Trumbull

    I'm having the same issue with GoDaddy's smtpout server. DNS lookup of works fine, type=MX fails. I can telnet directly to 25, but get the same "Host or domain name not found" in the mail.log.

  14. Ryan Trumbull

    @Wade: Working on the TLS/SSL check for GoDaddy, but keep the port outside of the []'s works fine. For whatever reason, Godaddy/SecureServer doesn't maintain MX records in DNS. Encapsulated the in []'s worked fine to start moving mail. Just don't make my mistake and put the wrong password in.. you'll get a 451 Internal Error

  15. Great post - short and to the point. great work.

  16. [...] provider. Here's what you need to do to get postfix setup to use another smtp server (Thanks to The instructions on this site worked great for [...]

  17. sorry people can anyone help me. i compiled and install postfix, and i using relayhost that point to my ISP. but my "DNS server" is on the same server where is installed postfix. and there is running apache with vhosts so i have domain that point to that server and in zonefiles of my domain i'm not using POP3 or IMAP on my server my MX records points to Google Apps, to google's MX servers. But when i try send E-mail via sendmail to it not deliver mail to Google Apps totally, if i try to send to another E-mail everything fine it deliver it. so finally i done research this problem in Internet. And find that need to disable deliver mail to localhost. as i think postfix understand that the domain point to the same server where postfix have itself. and try to deliver mail local. but zonefile MX recod even the domain on same server can point to another server outside. So i disabled localdelivery in postfix. and problem not fixed. Do anyone have eny ideas?

  18. depp

    I have a similar issue. I setup a postfix server with spam assassin to scan mails passing through my network. I intend to have uses send mail from their respective mail client with e.g. configured on the mail client through the postfix server and the spam assassin will scan the mail and send it to I do not need to know the mail clients user password niether does he need to no my postfix server FQDN address(

    thanks in anticipation

  19. Ash

    My problem is very complicated. I'm using Zimbra on a Deb5, which runs on postfix. I can send emails through my zimbra server, but i cannot send anything with attachments. It either says, it cannot send becuase request timed out, or sometimes it just sends out error message saying cannot be copied onto sent folder on the server. I'm sure that it has nothing to do with proxy permissions because i can send any other email fine with just text in it and also less than 10 kB. I am using thunderbird client which cannot copy back to the server. I tried with different ports from 25, 465,587 but nothing works for it. Does anyone have any idea what could be problem.

    I am working on it from past three weeks ... just on this one problem.. its tough for to find something from nothing. i dont see anything in the logs and zimbra support is helpless.

  20. joe

    Thanks for great post on postfix install/troubleshoot.

    I want to ask the question on the limiting the que to the 3rd party smtp server? How to do so?


  21. Thank you very much. After trying other HowTos for hours I finally found yours. It works perfect.

  22. Thank you, thank you! I was all over the Internet looking for a solution and this one did the trick! Thanks!!!

  23. Carlos

    Very simple, really a great job!!! thank you

  24. ken

    Great post! I have postfix up and sending emails through google. There is one problem... I can't send emails to the domain. I get the following error:
    530-5.5.1 Authentication Required.

    I know it is authenticating because I can send emails to other domains and I see they are being sent through google.

  25. @ken - that's really weird. It almost sounds like postfix is attempting to authenticate with the recipient's gmail address.

  26. Dominique

    Great Tutorial, works like a charm. Thanks for the work. Just a small question. I tested the Gmail setup with a strange output.
    The sender mail account is being overridden by gmail, i.e. if I send a mail with the account it is being received as
    What am I missing?

  27. @Dominique - I think you need to sign up for a Google Apps account and add google MX records to the DNS of your domain name. A plain gmail account won't be sufficient. This guy's tutorial came up on a quick google search.

  28. Ashok

    Thank you very much Tim, I worked perfect for me.

  29. [...] Remote SMTP on Linux [...]

  30. Kyle

    Great tutorial, but I am having problems still with Godaddy/ I got my system to connect with, but now I'm getting a different error:

    Sep 13 11:10:32 homesrv postfix/smtp[19946]: 7C49D19C2167: to=,[]:80, delay=836, delays=835/0.17/0.53/0.24, dsn=5.0.0, status=bounced (host[] said: 553 Sorry, that domain isn't in my list of allowed rcpthosts. (in reply to RCPT TO command))

  31. Astral


    I can't find ca-bundle.crt in my system. Is it normal (debian Squeeze) ?

    "locate" returns nothing.

    I've downloaded a ca-bundle.crt here but ca-bundle shoudn't be updated with system updates ?


  32. Antonio

    Good article!!

    I'm having trouble to send my e-mails trhough GoDaddy... It looks like doesn't works with TLS, but only SSL.

    My situation is that the messages reaches the Postfix Queue and stay processing status for more than 5 minutes. Then, a temporary error message apears:

    lost connection with[] while receiving the initial server greeting

    The message stays in Queue "ad eternum"

    Any ideas? I think I have not been able to set up the SSL connection or mixed stuff with TLS.

    Any help?

  33. @Astral - I don't think Debian systems have a ca-bundle.crt file. Certs are instead stored in the /etc/ssl/certs directory, so instead of using this directive in

    smtp_tls_CAfile = /path/to/your/ca-bundle.crt

    You'd use this one:

    smtp_tls_CApath = /etc/ssl/certs

  34. Dmitry

    In my case I need [] in:
    relayhost = []:587

  35. [...] Share this:TwitterFacebookDiggRedditLike this:LikeBe the first to like this post. [...]

  36. Worked great first try! Thanks for this article. For those who are using Ubuntu, the ca.crt file is what you're looking for. I used this and it's fine:


  37. Thanks for the guide, it helped me get my Nagios setup on the road! I didn't know of the [host] trick, but I simply made a MX record on a unused subdomain.

    Note: Debian Lenny's SSL crt file is /etc/ssl/certs/ca-certificates.crt.

  38. i4o

    Worked for a while, but then google stopped receiving mail from postfix ( "suspicious activity on your account" ). I did create dedicated account for forwarding and didn't log in via browser.

  39. GMail, ubuntu 11.10, Courier (not cyrus)
    Man I find mail server set-up to be arduous. But almost! first try your post resulted in success for me.
    I must reinforce your kindly and carefully noted Troubleshooting entry RE: (Authentication failed: cannot SASL authenticate to server ...: no mechanism available) and the fix given, FIX: smtp_sasl_security_options = noanonymous
    You see in my ubuntu setup the default was smtp_sasl_security_options = noplaintext, noanonymous
    Looks good? Result was the exact error you point out. Had the drop the noplaintext
    part and right away mail sent error free.
    NICE!! thank you!
    Also so others won't sweat like I did when the check for libssl failed, this set up works fine. Of course, that could be because I use the Courier Delivery Agent instead
    of cyrus. Note: smtp_sasl_type = cyrus on this machine. I thought that would not work. I did not install cyrus.
    For courier install I followed

  40. Vladimir

    @Ed, Tim

    Thank you, Tim, for this article, but Ed was Godsend. I spent several days looking for answer why my clearos postfix can't authenticate with ISP's smtp server. Ed found this:

    I think I figured out my solution: postfix seems to insist on applying the Cisco PIX workaround. I added this line in
    smtp_pix_workarounds =
    So now the smtp server is recognized as ESMTP and EHLO is used by default. Email started flowing!

    Thanks, with all my hart

  41. I'm running Ubuntu Server 10.4.3 that hosts our in-house repair software and needs to relay messages from a php form to our isp's smtp server. Everything previously ran on a win2003 server and everything worked normally. I have smtp= set in php.ini and installed postfix, sasl2-bin, and ran through all the steps on your tutorial and still nothing goes through. I tried both with and without :80 after the smtp server specified in relayhost. When I check /var/log/mail.log, I'm getting server postfix/smtp[...]: fatal: open database /etc/postfix/sasl_passwd.db: No such file or directory. Help! I'm no linux expert, but I'm learning on the fly :/

  42. @Matt - it sounds like you skipped running postmap on your plaintext /etc/postfix/sasl_passwd file, which creates the /etc/postfix/sasl_passwd.db file.

  43. Thanks for the quick reply... everything is working now, what I ended up doing was purging postfix and reinstalling it, and choosing "no configuration" during install. I then added copied the default to /etc/postfix/ and added the lines you have in your setup. What's interesting is that when I used :80 on the smtp server, mail.log was showing the connections were refused, so I removed it and edited sasl_passwd and did the postmap thing again, and lo and behold, mail.log is now showing status=sent and I'm getting my test messages. Thanks!

  44. Rudger

    What is your "email addy" ?

  45. @Rudger: Email address.

  46. Norberto

    I am running CentOS 6.2, after the settings for gmail account, gives the following error:
    RCPT TO : : Relay access denied.

  47. Gavin Adams

    Nice clear and concise post. I haven't dealt with postfix and gmail in a couple years, so good to find an article on this!

  48. Hello everybody,

    I got something that may help in case you encounter this error with GMAIL relaying. I configured my postfix on centos 6.2 as mentionned in this tuto but postfix was keeping saying :

    [...][] said: 530-5.5.1 Authentication Required[...]

    I read the postfix doc and this little line kept my attention ( :

    This same error message will also be logged when the or modules are not installed in the /usr/lib/sasl2 directory.

    I remembered that gmail uses TLS/SSL but the password must be transmitted in plain text.

    Just install the package cyrus-sasl-plain and yatta ! I am now able to have an internal smtp with no authentication which relays mail to gmail using a specific user account.
    There is still a drawback : it seems that google replaces the sender mail address by the one contained into the account used to connect to google smtp.

    Anyway, thanks for the tuto, it has really helped me.

  49. [...] [...]

  50. Nel

    Thank you so much for this article!

    Just wanted to point out that in I had to specify relay_host as
    relayhost = []:587
    and in sasl_passwd I also had to specify the server as []:587
    to get it working.

  51. If you experience the postfix error "No mechanism" to gmail account.

    Then install the following:
    yum install cyrus-sasl-plain

    Kind Regards Alex

  52. Antonio

    @Alex Hansen
    Thank you Alex for the last solution about installing cyrus-sasl-plain. It worked also for me.
    Thanks also you Tim, for the great howto!

  53. [...] the mailx command and php mail() processing.  Pretty cool I think.  Mostly thanks to the doc at this web page.  Thank you Mr. White. This entry was posted in Linux by Tom Brennan. Bookmark the [...]

  54. Dave

    Thanks for your work! In the maillog, I see the error, that the system can't authenticate against the mail-host. But there is a wrong value in the Log. It seems, that postfix tries to authenticate against "", but all my values in the and also the sasl_passwd have the correct hostname "".

    I can resolve from the system.

    Any idea?

    Thank you!

  55. Brian

    When I run the postmap -q command I get an error that my googleju has not helped with:

    erver postfix # postmap -qv []:587 /etc/postfix/sasl_passwd
    postmap: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol
    postmap: fatal: unsupported dictionary type: []


  56. I drove myself absolutely batty with the same problem Ed had. Postfix was simply skipping the authentication and going straight to MAIL FROM. The PIX fix didn't help.

    I finally put:

    debug_peer_list =

    into my, ran "postfix reload", and could see the problem right away. I had used brackets around the hostname in for the relayhost entry, but for the name of the server in the passwords file (smtp_sasl_password_maps), I didn't, and that made the difference.

    So, make sure the server is specified exactly the same (brackets or no brackets, port number) in and your password map file.

  57. thx for helping me out with your docu :)

  58. […] An excellent write up covering the set up on CentOS: […]

  59. Thank you worked a treat and kept some pressure off me :)

  60. Ben Chapman

    Thanks! This was very useful.


  61. Harold

    The information found here was very useful.
    Thank You

Leave a Comment