Last modified by Alexandru Pentilescu on 2025/02/09 14:17

From version 7.1
edited by Alexandru Pentilescu
on 2024/05/19 14:20
Change comment: There is no comment for this version
To version 10.1
edited by Alexandru Pentilescu
on 2024/05/19 14:41
Change comment: There is no comment for this version

Page properties
Content
... ... @@ -5,6 +5,8 @@
5 5  
6 6  But why do we even need an SMTP server in the first place? Well, we don't really need one but, at the end of the day, it's very handy to have one, nonetheless.
7 7  
8 +{{toc/}}
9 +
8 8  = How does email work?=
9 9  Email works on different levels but the general gist of it is that it all boils down to SMTP servers acting as the backbone of all email providers.
10 10  SMTP is a protocol that allows email servers to send an email from one another, either encrypted with TLS on port 25 using the STARTTLS command, or even in plaintext.
... ... @@ -81,6 +81,8 @@
81 81  Next is the "smtpd_relay_restrictions" which has a bunch of values assigned to it. The only one relevant to talk about is "permit_mynetworks", which informs Postfix that it's fine to relay any outgoing email from the IP addresses and hosts defined in the "mynetworks" variable, without having to authenticate them with user passwords.
82 82  Basically, this means that, as long as a service connects to port 25 of the current machine from an originating IP that's listed under "mynetworks" this means that Postfix will accept whatever email that service is trying to send and relay it over to its destination.
83 83  
86 +Please note though that the above configuration **still allows emails from external entities to be relayed through this server, as has happened recently to me when Gmail was sending spam through to my Postfix instance because it was trying to send an email to "pentilescu.com", a previous domain that I still own, the email wouldn't reach its destination because the SSL certificates were not configured for that specific domain anymore, the sending would get rejected, Google would automatically send a bounce email to the originator (i.e. my VPS) again, and this would cause the VPS to flood my inbox with these unwanted emails**, which can be abused by those with ill intents.
87 +
84 84  "mydestination = localhost" not sure about this one?
85 85  
86 86  "mynetworks" tells Postfix which machines are trusted. SMTP needs to trust sources of email before it can relay them. If you specify "permit_mynetworks" to "smtpd_relay_restrictions" then any machine whose IP is listed in this parameter can relay its email through this Postfix instance.
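Review bot: The added warning at line 86 contradicts the surrounding explanation of `permit_mynetworks` and should say which restriction it is really about: the unchanged context lines state that only hosts listed in `mynetworks` may relay, yet the new paragraph says the configuration "still allows emails from external entities to be relayed through this server". The incident it describes (Gmail bouncing mail back to the VPS for a domain the server no longer serves, producing a flood of bounces) is inbound delivery plus a bounce loop, not relaying by an outside host, so reword the sentence to say what Postfix is actually accepting and why. Splitting the single bolded sentence into two or three would also make the cause-and-effect chain readable.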
... ... @@ -118,7 +118,7 @@
118 118  
119 119  Finally, there's the "inet_interfaces" configuration parameter. This one specifies under which identities the current installation of Postfix will be assumed by the server. Postfix will accept all requests destined to any of these addresses as its own and will handle them.
120 120  
121 -In a docker configuration, assuming the services are using a "bridge" network driver, they will all have their own IP addresses in the aforementioned address space, and these addresses will be distinct from the proper address of the machine where Postfix is installed. As such, they need a target to resolve to reach the machine running Postfix. This target will be IP 172.16.0.1. When configuring each individual docker service, enter that IP as the IP of the SMTP server to use, as well as port 25, as its connection port. These should be the only parameters you should need to configure everything to work properly. 172.16.0.1 was a random address that I decided on. Really, it has no real relevance and can be changed to any private IPv4 address, whether in class B, C or A. The only point is that it should be reachable through this network driver.
125 +In a docker configuration, assuming the services are using a "bridge" network driver, they will all have their own IP addresses in the aforementioned address space, and these addresses will be distinct from the proper address of the machine where Postfix is installed. As such, they need a target to resolve to reach the machine running Postfix. This target will be IP 172.16.0.1. **IMPORTANT note: if you'll use TLS enabled in Postfix, please avoid using the raw IP address as mentioned here, as certain services like Nextcloud check the domain of the SMTP server against the TLS certificates being provided and, if they mismatch, it will reject the connection. This is why I added the "mail.transistor.one" hostname in there, as my TLS certificate is against all subdomains under *.transistor.one and, as such, can be verified successfully by it**. When configuring each individual docker service, enter that IP as the IP of the SMTP server to use, as well as port 25, as its connection port. These should be the only parameters you should need to configure everything to work properly. 172.16.0.1 was a random address that I decided on. Really, it has no real relevance and can be changed to any private IPv4 address, whether in class B, C or A. The only point is that it should be reachable through this network driver.
122 122  
123 123  = Instructing Postfix to relay emails through Google's servers, instead =
124 124  Assuming that running your own postfix server is a pain in the ass (especially since it's quite difficult to get DMARC or other authenticity mechanisms configured by yourself), a proper workaround for that is to simply rely on a third party emailing service to relay your emails for you.
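Review bot: The new IMPORTANT note tells the reader to avoid the raw IP address when TLS is enabled, but the very next (unchanged) sentence still instructs them to "enter that IP as the IP of the SMTP server to use", and the closing sentences still say the address "can be changed to any private IPv4 address"; update those to point at the hostname whenever TLS is in use. "I added the "mail.transistor.one" hostname in there" also does not say where the name was added (DNS, the containers' /etc/hosts, or a Postfix parameter), and for the advice to work that name must resolve to 172.16.0.1 from inside the bridge network; state both explicitly.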
... ... @@ -191,7 +191,36 @@
191 191  
192 192  Note, you need sudo privileges to read the mail.log file, as it is owned by the syslog user and it has restricted reading privileges.
193 193  
198 += Opening up port 587 for SMTP traffic =
199 +Certain services refuse to accept STARTTLS traffic on port 25, as is open, by default, on Postfix (looking at you, Gitea =__=). To account for them, we must open port 587 to attain this. To do so, we must open the master.cf configuration file (mine was under "/etc/postfix/master.cf") and add the following line:
194 194  
201 +{{code}}
202 +smtp inet n - y - - smtpd
203 +587 inet n - n - - smtpd
204 +{{/code}}
205 +
206 +The smtp line was already there. I only added the 587 line. This instructs Postfix to bind itself to the 587 port, such that, any services wanting to reach that port in order to start a STARTTLS connection, wil be able to do so.
207 +
208 +Once this is done, restart the Postfix daemon with a systemctl restart command and everything should almost be done. Almost.
209 +
210 +Ubuntu server also comes preinstalled with a firewall utility that will deny traffic towards its own port 587. This can be an impediment. As such, please allow traffic from your docker containers to be able to reach this port:
211 +
212 +{{code language="bash"}}
213 +sudo ufw allow from 172.16.0.0/16 to any port 587
214 +{{/code}}
215 +
216 +If you recall from above, 172.16.0.0/16 was the IP range we configured for our docker engine to use when assigning IPs to its container networks. So that command will effectively allow all traffic originating from docker containers to be explicitly allowed to reach the host's own 587 port, to be able to initiate a STARTTLS encrypted channel.
217 +
218 +While you're on it, you may also do
219 +
220 +{{code language="bash"}}
221 +sudo ufw status numbered
222 +sudo ufw delete <rule number for opening port 25>
223 +{{/code}}
224 +
225 +to delete the firewall rules that allow full access to port 25. This solved an issue where Google would spam my Gmail inbox with unnecessary garbage because it was trying to relay bounced email notifications to me, which was highly annoying to say the least.
226 +
227 +Please note, though, that
195 195  = Wrapping it up=
196 196  That's it! As soon as you finish editing the main configuration file, please remember to restart the Postfix service afterwards so that the changes can take effect immediately (or reboot the machine).
197 197
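Review bot: The new `587 inet n - n - - smtpd` entry in master.cf carries no `-o` overrides, so it is just a second copy of the port 25 smtpd with identical behaviour (STARTTLS stays optional and the same `smtpd_relay_restrictions` apply); if the intent is a submission port for the containers, add at least `-o smtpd_tls_security_level=encrypt` (plus the auth-related overrides if clients authenticate) so that port 587 actually enforces encryption rather than merely offering it. The line also sets the chroot column to `n` while the existing smtp line uses `y`; make that asymmetry deliberate or remove it. The section ends with the fragment "Please note, though, that" directly before the "Wrapping it up" heading, so the sentence was cut off and needs completing or deleting. Deleting the ufw rule for port 25 blocks all inbound SMTP from the internet, not only the bounce loop, so a reader who receives mail on this host would lose it; say so. Minor: "wil" at line 206.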