A few days ago I wrote a post about how to install and configure sSMTP, a simple and free alternative to Postfix and Sendmail which can be used to send e-mail through external SMTP services hosted by providers such as Gmail, Aruba, Yahoo and so on.
Although sSMTP is a great piece of software, those who prefer to set up the real deal will definitely benefit from this article, in which I'll explain how to set up and configure Postfix 3 - the latest installment of the most efficient, secure and widely used mail server, born as a (better) alternative to Sendmail.
Before proceeding, it's important to emphasize that this article will only explain how to send e-mail through an external SMTP service using Postfix, which is nothing more than 10% of what this awesome piece of software can actually do. If you need further info about Postfix and its features, I strongly suggest taking a look at the official Postfix documentation at postfix.org. Also, the instructions below are written for a CentOS / Fedora / RHEL Linux machine: although the tutorial will also work for any other distribution, Ubuntu and Debian users might have to slightly adapt some commands to their package managers.
Step 1: Check Postfix version
The first thing we should do is to check if Postfix is already installed within our system, and - in case it is - the installed version. This can easily be done by executing the following terminal command:
# postconf -d | grep mail_version
Regardless of how recent our CentOS version is, there's a high chance that we'll still have Postfix 2. Although that version can be good enough for most users, it has very limited capabilities when dealing with the deprecated SMTPS service, also known as SMTP over SSL (on TCP port 465). In short, this means that - whenever we try to connect to an SMTP server using that protocol - it will most likely fail with the following error message in the /var/log/maillog file:
CLIENT wrappermode (port smtps/465) is unimplemented
instead, send to (port submission/587) with STARTTLS
Unfortunately, this issue is not easy to overcome with Postfix 2, as the whole 2.x version tree does not natively support SMTP over SSL through TCP port 465. Our only chance to make the connection work is to either use TCP port 587 with STARTTLS - which is natively supported - or to forward the connection through Stunnel or other tools that can perform SSL tunneling of some sort.
Luckily enough, setting up an SSL tunnel is not the only option: we can also upgrade to Postfix 3, which features built-in SMTPS support thanks to its new TLS Wrapper Mode feature.
Step 2: Uninstall Postfix 2 / Sendmail / sSMTP
The next thing we have to do is to ensure that there isn't any other mail-sending software configured on our server, unless we really want to keep Postfix 3 alongside one (or more) of them. In case we don't, we can easily uninstall all of them with the following terminal commands:
# sudo yum remove postfix
# sudo yum remove ssmtp
# sudo yum remove sendmail
Although performing a yum remove is a required step for Postfix - assuming we want to install a newer version - we could also choose to systemctl disable and systemctl stop sSMTP and/or Sendmail instead of removing them. The only important thing to do here is to ensure that neither of them will be up and running, otherwise they will prevent our soon-to-be-installed Postfix 3 from working properly.
Step 3: Install Postfix 3
Now it's time to install Postfix 3. Its package name is postfix3; however, there's a high chance that - if we just attempt a sudo yum install postfix3 - we'll get something like this:
No package postfix3 available.
Unfortunately, the postfix3 package isn't (yet) included in the default CentOS 7 repositories. In order to install it, we have to add a third-party repository - such as Ghettoforge's - to our repo list. Again, in case we're not using CentOS, we can choose a different repo from the official Postfix Packages and Ports page.
To add the Ghettoforge repo to your YUM repository list, create a new /etc/yum.repos.d/gf.repo file using nano, vim or any other text editor and fill it with the following contents:
[gf]
name=Ghettoforge packages that won't overwrite core distro packages.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/gf/$basearch/mirrorlist
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
failovermethod=priority

[gf-plus]
name=Ghettoforge packages that will overwrite core distro packages.
mirrorlist=http://mirrorlist.ghettoforge.org/el/7/plus/$basearch/mirrorlist
# Please read http://ghettoforge.org/index.php/Usage *before* enabling this repository!
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-gf.el7
failovermethod=priority
Before using that repo we'll also have to download the RPM-GPG-KEY-gf.el7 file from the Ghettoforge Key Page and save it within our /etc/pki/rpm-gpg/ folder.
Once done, we'll be able to issue the sudo yum install postfix3 terminal command and have Postfix 3.3.2 (at the time of writing) installed in a few seconds. Don't forget to also execute sudo systemctl enable postfix to ensure that the service will start upon each boot.
Step 4: Postfix 3 Setup
Now that Postfix 3 is installed on our system, we just have to configure it to have our e-mail messages sent through the external SMTP service. The configuration involves three files:
- The /etc/postfix/master.cf file, where we need to enable the smtps support.
- The /etc/postfix/sasl_passwd file, which we have to create and fill with the login credentials to connect to our external SMTP server(s).
- The /etc/postfix/main.cf file, where we'll configure the service and tell it the SMTP service/account to use.
4.1: Enable SMTPS support
Open the /etc/postfix/master.cf file and uncomment (or add) the following lines to enable the smtps support:
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
4.2: Setup Connection Info
Open the /etc/postfix/sasl_passwd file, or create it if it doesn't exist yet, and add your external SMTP servers and their respective login credentials, one per line, using the following format:
[smtp.yoursmtp.com]:25 user:password
[smtps.aruba.it]:465 user:password
[smtp.google.com]:587 user:password
The square brackets are not mandatory: they just make Postfix skip the DNS MX lookup for these servers.
Once done, open a terminal window and type the following command to compile the password file into the lookup table that Postfix reads:
# sudo postmap /etc/postfix/sasl_passwd
The command will convert the plain-text connection info into a new /etc/postfix/sasl_passwd.db file. That file is an indexed lookup table rather than an encrypted store, so the credentials remain recoverable from it; before going further, it is wise - for security reasons - to restrict the permissions of both files in the following way:
# sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
# sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
4.3: Configure Postfix
It's now time to open the /etc/postfix/main.cf file and finalize the Postfix setup by adding / uncommenting the following parameters and configuring them in the following way:
# receive mail only from localhost (prevents spammers from using your SMTP service)
inet_interfaces = localhost
# Enable IPv4, and IPv6 if supported
inet_protocols = all
# Set the external SMTP service to connect to (login info must be present in the sasl_passwd.db file)
relayhost = [smtps.your_relay_host.com]:465
# enable SASL authentication
smtp_sasl_auth_enable = yes
# disallow methods that allow anonymous authentication.
smtp_sasl_security_options = noanonymous
# where to find sasl_passwd (the sasl_passwd.db file location)
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Enable STARTTLS encryption
# smtp_use_tls = yes
# TLS Security Level (encrypt = TLS is mandatory, but any server certificate is accepted)
smtp_tls_security_level = encrypt
# enable Wrapper mode
smtp_tls_wrappermode = yes
In case you have a public hostname you want to be shown in the Return-Path mail header, it wouldn't hurt to also set the myhostname and mydomain parameters in the following way:
myhostname = www.yourserverhostname.com
mydomain = yourserverhostname.com
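The checks below are an added example, not part of the original post or of Postfix: a small offline lint for the files edited in steps 4.2 and 4.3. The script name and the cf_get / audit_relay functions are made up for illustration, and main.cf is assumed to hold one name = value pair per line.

```shell
#!/bin/sh
# Added example (cf_get and audit_relay are made-up names): offline lint for
# the relay settings from steps 4.2 and 4.3. Usage: sh lint.sh MAIN_CF SASL_PASSWD
# Print the last value assigned to parameter $1 in main.cf file $2.
# Assumption: one "name = value" per line, no continuation lines.
cf_get() {
    awk -v k="$1" -F= '
        /^[ \t]*#/ { next }
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
        END { print v }' "$2"
}

# Print findings for main.cf $1 and sasl_passwd $2; return the FAIL count.
audit_relay() {
    sasl=$2; fails=0
    relay=$(cf_get relayhost "$1")
    wrap=$(cf_get smtp_tls_wrappermode "$1")
    level=$(cf_get smtp_tls_security_level "$1")
    fail() { echo "FAIL $*"; fails=$((fails + 1)); }

    # The password map is searched for the relayhost string exactly as written,
    # so "[host]:465" and "host:465" are different keys.
    awk -v k="$relay" '$1 == k && $2 ~ /:/ { ok = 1 } END { exit !ok }' "$sasl" ||
        fail "no user:password entry keyed '$relay' in $sasl"

    # Port 465 speaks TLS from the first byte; 587 upgrades with STARTTLS.
    case "${relay##*:}:$wrap" in
        465:yes|587:no|587:) ;;
        465:*)   fail "port 465 needs smtp_tls_wrappermode = yes" ;;
        587:yes) fail "port 587 expects STARTTLS, not wrapper mode" ;;
    esac

    # Credentials must never leave the host without TLS.
    case "$level" in
        verify|secure|fingerprint|dane-only) ;;
        encrypt) echo "WARN encrypt forces TLS but accepts any relay certificate" ;;
        *) fail "TLS is not mandatory (smtp_tls_security_level='$level')" ;;
    esac

    # sasl_passwd and its postmap output both hold the password in recoverable form.
    for f in "$sasl" "$sasl.db"; do
        [ ! -e "$f" ] || [ -n "$(find "$f" -prune -perm 600)" ] ||
            fail "$f is not mode 0600"
    done
    return "$fails"
}
if [ $# -eq 2 ]; then audit_relay "$1" "$2"; fi
```

A return value of 0 means no FAIL findings. The WARN line is expected with the settings shown above; the verify and secure levels are the ones that also check the relay's certificate.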
Step 5: Test run
We're ready for a test run to check that everything is working properly.
Before doing that, be sure to restart the Postfix service and reload the configuration by issuing the following commands:
# systemctl restart postfix
# postfix reload
Once done, we can send a test e-mail to a real e-mail address under our own control in the following way:
# sendmail [email protected]
From: sender@email.com
Subject: Postfix 3 Test

Hello there,
If you read this, it means that everything is working properly!
.
Right after that, we can check our mailbox and ensure that the e-mail has been sent.
Troubleshooting
In case you don't receive the e-mail, the best thing you can do is to check the postfix log file at the following path:
/var/log/maillog
And see what is going wrong. For example, if you find something like this:
status=bounced (unknown user: "target")
It probably means that you configured Postfix to use a myhostname and/or mydomain value that matches the domain part of target's e-mail address, thus making it look for a local target user instead of relaying the e-mail remotely. To fix that, replace these values or add a relay fallback that will tell Postfix what to do if there are no local users matching that name:
fallback_transport = relay
Right after that, restart postfix.
Conclusion
That's about it: I sincerely hope that this tutorial will help other System Administrators who wish to install Postfix on their systems!
Hello
This is what you say: “terminal command and have Postfix 3.3.2”, but in reality it is 3.2.4-1.gf.el7
Thanks,
Gabriel
Fixed! Thanks,
There is no need to manually create the gf.repo file, just install the gf-release package as shown at http://ghettoforge.org/index.php/Usage#How_can_I_use_the_packages_produced_by_this_project.3F
Attempting to remove the old postfix package may cause a number of dependencies to be removed as well. Better to use yum shell or yum swap to replace the MTA instead of remove and then install the new one, then the dependencies will remain in place. Instructions for using yum shell are at http://ghettoforge.org/index.php/Postfix3#Instructions_for_replacing_the_EL_stock_postfix_packages_with_the_postfix3_packages_in_GhettoForge
Enabling smtps (which BTW is now called “submissions”) is pointless unless you generate and assign a TLS certificate to your server. You can also or alternatively enable the submission port.
You’re telling everyone to use your relayhost? Are you going to provide everyone with your username and password to connect to the relayhost as well or is it an open relay? I would think that using a relayhost would be beyond the scope of this tutorial, but if wanted would be better included in its own sub-section.
The Return-Path is set from the envelope sender which in turn is set by the MUA, except for your test where you’re using the sendmail binary and not supplying an envelope sender in which case postfix has to supply one for you.
There’s no reason to issue a postfix reload after restarting the service, it’s redundant.
Using fallback_transport to fix a broken configuration is … wrong. Fix your broken configuration instead. It probably has something to do with your relayhost setting.
I’m sure there are other issues as well.