Postfix Relay

From Run Your Own

Purpose: To make an existing working Postfix email server work as a relay for another Postfix email server.

Note: This documentation assumes there is already a working Postfix server able to send and receive email via SASL authentication and with properly configured TLS.

Relay and Satellite configuration

Main Postfix relay server (relay.server.net)

  • Create user that will be used for the other Postfix server to authenticate itself:
adduser relay
  • Prevent ssh access for the user, in /etc/ssh/sshd_config, add:
DenyUsers relay
  • Test that the relay user can indeed send email
su relay
echo "Subject: this is a test" | /usr/sbin/sendmail -v some@where.nice
  • If all cool you can proceed :)

Postfix server(s) that need to have their email relayed (sat.server.net)

  • Install postfix as Satellite system so it can send emails to the relay server (if postfix was already installed and you need to reset the current config you can use `dpkg-reconfigure postfix`)
  • Set the FQDN of the server that needs to have its emails relayed:
sat.server.net
  • Give the FQDN of relay server:
[relay.server.net]:25
  • Rest of config is up to specific taste, but do not use address extension.
  • Configure Postfix to use the smarthost with TLS by adding the following to /etc/postfix/main.cf:
# relayhost should already be set (main.cf does not allow a comment after a value)
relayhost = [relay.server.net]:25
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
  • Create the file /etc/postfix/smtp_auth to specify the account created in previous section:
[relay.server.net]:25 relay:password
  • Prepare file for postfix to use it (if you change it you need to re-run postmap):
chmod 600 /etc/postfix/smtp_auth
postmap /etc/postfix/smtp_auth
  • restart Postfix:
service postfix restart
  • try to send a mail from the sat server:
echo "Subject: this is a test from sat" | /usr/sbin/sendmail -v some@where.nice

PRO tips

Running the relay on a different port

Sometimes the satellite server may be prevented from establishing an outgoing connection to the relay server on port 25 or on the submission port 587. The workaround is to make the relay also accept incoming connections on another, non-blocked port.

  • On the relay server, allow listening on port 12345: edit /etc/postfix/master.cf and, below the smtp entry, add:
12345 inet n - y - - smtpd
  • On the satellite server, edit /etc/postfix/main.cf and update the relay info:
relayhost = [relay.server.net]:12345
  • On the satellite server, edit /etc/postfix/smtp_auth and also update the relay info:
[relay.server.net]:12345 relay:password
postmap /etc/postfix/smtp_auth
  • Restart both Postfix servers:
service postfix restart
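
An added example (not part of the original page): a shell check for the satellite settings above and for the port change, where the key in smtp_auth must match relayhost exactly, port included. The function names, the directory argument and the sample files are constructed for illustration; it assumes one assignment per line in main.cf.

```shell
#!/bin/sh
# Added example: audit a satellite's Postfix config directory (normally /etc/postfix).

# Value of a main.cf parameter; the last assignment wins, as in Postfix.
cf_get() {  # $1 = path to main.cf, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

# Prints one line per problem and returns the number of problems found.
check_sat() {  # $1 = config directory
    cf=$1/main.cf; auth=$1/smtp_auth; bad=0
    relay=$(cf_get "$cf" relayhost)
    # main.cf has no trailing comments: text after '#' stays in the value.
    case $relay in *'#'*) fail "relayhost value contains '#': $relay" ;; esac
    [ "$(cf_get "$cf" smtp_tls_security_level)" = encrypt ] ||
        fail "smtp_tls_security_level is not 'encrypt'"
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable is not 'yes'"
    case $(cf_get "$cf" smtp_sasl_security_options) in
        *noanonymous*) ;; *) fail "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    # The lookup key must be the relayhost string, port included.
    awk -v k="$relay" '$1 == k { ok = 1 } END { exit !ok }' "$auth" ||
        fail "no smtp_auth entry for $relay"
    # The file holds a cleartext password: owner read/write only.
    [ "$(ls -ld "$auth" | cut -c1-10)" = "-rw-------" ] ||
        fail "smtp_auth is not mode 600"
    # Postfix reads smtp_auth.db, so postmap must run after every edit.
    { [ -f "$auth.db" ] && ! [ "$auth" -nt "$auth.db" ]; } ||
        fail "smtp_auth.db missing or older than smtp_auth"
    return "$bad"
}

# Constructed sample: the port was changed in main.cf but not in smtp_auth.
demo=$(mktemp -d)
cat > "$demo/main.cf" <<'EOF'
relayhost = [relay.server.net]:12345
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
smtp_sasl_security_options = noanonymous
EOF
echo '[relay.server.net]:25 relay:password' > "$demo/smtp_auth"
chmod 644 "$demo/smtp_auth"
check_sat "$demo" || echo "$? problem(s) found"
```

On a real satellite, run `check_sat /etc/postfix` as root so that smtp_auth is readable.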

Troubleshooting

  • If there are problems, the places to look for useful info are:
/var/log/mail.info  # on relay and sat servers
mail                # to check reports received by Postfix on sat when using sendmail