Postfix mit Smarthost


This article is meant to give an example to get your own Linux server ready to send mails by himself without configure a whole mail environment. This is suitable to send notification mails containing some infos about the status or errors.
This is not an advisory to create a complete mail server.

1. Create password maps file

(it assigns username/passwords to specified mail servers). You can choose any name, let's say it is /etc/postfix/relay_passwd. It's content should be as follows: USERNAME:PASSWORD 

Note: Replace USERNAME and PASSWORD with your DNS EXIT mail relay username and PASSWORD.

2. Set proper permissions for that file

# chown root:root /etc/postfix/relay_passwd  
# chmod 600 /etc/postfix/relay_passwd     

3. Create hash from maps file

(remember to do it each time you change your maps file)

#  postmap /etc/postfix/relay_passwd   

4. Configure your /etc/postfix/

a) Without encryption but with authentication

relayhost = []
smtp_fallback_relay = []
smtp_sasl_auth_enable = yes  
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd  
smtp_sasl_security_options =  noanonymous

Note: If your ISP blocks outgoing port 25. You can choose to use alternative SMTP ports by appending the port at the end:

relayhost = []:26


b) With encryption and authentication

relayhost = []:465
### Note:the line in relay_passwd has to contain the full relayhost name; here: "[]:465"
smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd  
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes
smtp_enforce_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
inet_interfaces = all
## if only ipv4 available use only this:
# inet_protocols = ipv4
## otherwise allow all protocols 
inet_protocols = all
## allow only mails sent by this host, otherwise add more networks, separated by blanks
## example: [fe80::]/16
mynetworks = [::ffff:]/104 [::1]/128

When using tls then create your own certificate, either by creating an official one or an self-signed:

# cd /etc/ssl/private/
# openssl genrsa -out selfmail.key 2048
# openssl req -new -key selfmail.key -out selfmail.csr
# openssl x509 -req -days 3650 -in selfmail.csr -out selfmail.cert -signkey selfmail.key

Using tls needs the tlsmanager in the ensure that this line is active:

tlsmgr    unix  -       -       n       1000?   1       tlsmgr


5. Reload or restart your postfix

# /etc/init.d/postfix restart


Other notes about postfix:

If the above settings don't work, you need to make sure the SASL support (smtp authentication) is compiled into Postfix. To do so, you may need to upgrade to latest version of Postfix.


Adding IMAP support

If you like to add a simple way to access the emails stored for a user on this host, you may add Dovecot. If done so, you can also use this as a kind of "relay station" in order to store all mails from an official mail account outside on this host.


Installing Dovecot

First you have to install the software which ist able to give access to the locally stored mails. For this example I will use dovecot:

apt-get install aptitude dovecot-imapd

Beware: Postfix stores mails by default in mbox format in /usr/spool/mail, but dovecot only works with the maildir format, stored in the user directory on the local host. For this, We have to tell postfix to use dovecot to store mails in the proper way:
Add this line to file /etc/postfix/

mailbox_command = /usr/lib/dovecot/dovecot-lda -f "$SENDER" -a "$RECIPIENT"

After restarting postfix, mails will be stored in /home//mail


Configuring Dovecot

a)Set local PAM authentication in file /etc/dovecot/conf.d/10-auth.conf

auth_mechanisms = plain
!include auth-system.conf.ext

Please look into the file auth-system.conf.ext if the local authentication ist configured properly


b) Set encryption: Since there will be already a sutable key/certificate pair for postfix in the same server, we can reuse them here in file /etc/dovecot/conf.d/10-ssl.conf:

ssl = yes
ssl_cert = </etc/ssl/private/selfmail.cert
ssl_key = </etc/ssl/private/selfmail.key

Prease beware of the brackets "<" it will not work without!


Using Fetchmail

You can import Mail from a Mailserver outsite in order to get them accessable on the local system. In this way you can build a local quasi-Mailserver with the advantage to hold all mails on the local system and treat it just the same way like a "real" mailserver.

First of all install fetchmail

apt-get install fetchmail


We assume now, the local mailserver should get new mails from the distant server every 5 minutes by using imap with ssl. For this a file /etc/fetchmailrc must be created containing this:

set postmaster "<local_user>"
set bouncemail
set no spambounce
set properties ""
set syslog
set daemon 300

poll  protocol imap service 993:
     username "<foreign_user>" password "<foreigen_password>" is "<local_user>" here options keep ssl


At last you have to make sure that the fetchmail daemons is activated. In Debian based systems have a look into /etc/default/fetchmail.