
Postfix is a lightweight (compared to sendmail), easy to configure mail server. It is free (as in freedom) software.


apt-get install postfix sasl2-bin libsasl2-modules dovecot-imapd

Note that the installation will remove an existing Sendmail installation!

Dovecot is the IMAP server that will cooperate with our Postfix installation.

Using SASL

On the Debian Wiki you can find a nice article about using SASL with Postfix on Debian. There, a chroot environment is used for added security.

Using encryption

Unencrypted logins to your mail server should not be used anymore. Your mail server should also send mail to other servers over a transport-encrypted connection, so we are going to use TLS.

Edit /etc/postfix/main.cf:

# TLS parameters
tls_random_source = dev:/dev/urandom

Please note that /dev/urandom does not provide the same quality of entropy as /dev/random. But on virtual servers /dev/random often cannot provide a steady enough stream to be used as a random source for large amounts of data that must be encrypted.

There are two sets of configuration options that control the behavior for incoming mail (prefix smtpd_) and outgoing mail (prefix smtp_). This is a pitfall if you do not look at the configuration closely.

Define the TLS parameters for incoming mail:

# TLS for incoming mail (postfix is receiver)
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/
smtpd_tls_key_file = /etc/letsencrypt/live/
smtpd_tls_CAfile = /etc/letsencrypt/live/
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# 128 bit strength and above
smtpd_tls_mandatory_ciphers = medium

Define the TLS parameters for outgoing mail:

# TLS for outgoing mail (postfix is sender)
smtp_tls_security_level = may
smtp_tls_cert_file = /etc/letsencrypt/live/
smtp_tls_key_file = /etc/letsencrypt/live/
smtp_tls_CAfile = /etc/letsencrypt/live/
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes

You might be tempted to set smtp_tls_security_level = encrypt, but this might be too restrictive since you cannot guarantee that mail clients that you do not control offer TLS. You might lose emails.
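
The smtpd_/smtp_ pitfall above can be checked mechanically. The following is an added example, not part of the original page: the function name audit_tls_conf and the finding labels are made up for illustration, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): audit a main.cf-style file for
# the TLS pitfalls discussed above. Prints one finding per line.
audit_tls_conf() {
    awk '
    /^[ \t]*(#|$)/ { next }   # whole-line comment or blank line
    /^[ \t]/       { next }   # continuation line, not needed for these checks
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
        val  = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        # main.cf has no trailing comments: text after "#" stays in the value
        if (val ~ /[ \t]#/) print "inline-comment:" name
        conf[name] = val      # a later assignment overrides an earlier one
    }
    END {
        # smtpd_ = Postfix receives, smtp_ = Postfix sends; check both directions
        if (conf["smtpd_tls_security_level"] == "" || conf["smtpd_tls_security_level"] == "none")
            print "no-tls-incoming"
        if (conf["smtp_tls_security_level"] == "" || conf["smtp_tls_security_level"] == "none")
            print "no-tls-outgoing"
        if (conf["smtpd_tls_auth_only"] != "yes")
            print "auth-without-tls-allowed"
    }' "$1"
}

# Constructed sample: only the smtpd_ half is configured, plus a trailing comment.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# TLS parameters
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_ciphers = medium # 128 bit strength and above
EOF
findings=$(audit_tls_conf "$sample")
rm -f "$sample"
printf '%s\n' "$findings"
```

On a live host the same function can be pointed at /etc/postfix/main.cf directly.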

Configuring Postfix

Adding an alias

To add an alias, add a line like the following to /etc/aliases:

  <mail recipient without domain> : <user account>


  john.doe : johndoe
  support : johndoe
  info : janedoe

Then you have to tell Postfix to re-read the aliases table:

postalias /etc/aliases

Beware of servers with multiple IP addresses

When I added a new virtual IP address to my server, unfortunately the virtual network device had a lower number, so that Postfix quietly took this device's IP address for sending messages. The problem was that my domain pointed to the old IP address. Other mail servers which did a reverse DNS lookup did not accept messages from my server anymore.

To specifically bind Postfix to a certain IP address add the following line to the

  inet_interfaces = <IP address>

Migrating to a new server

The following section describes a way to migrate a Postfix setup and the mailboxes from one server to a different one on Debian Linux.

You can check the Postfix version number with the following command:

postconf -d | grep 'mail_version *='

On both machines create a temporary directory under the /root directory. This makes sure no other users can read the files while we work on the migration.

mkdir /root/tmp

To make the migration easier we set an environment variable on the source host.

export TARGET_HOST='<hostname>'

Migrating the configuration files

If you are migrating to the exact same version of Postfix and the helper applications, copying the configuration files is an option. Otherwise you should spend the extra time to check if the configuration options are still the same or if you have to merge the settings into the new config file structure.

On the source host, pack the configuration files and copy them to the new machine.

tar czvf /root/tmp/postfix-config.tar.gz /etc/postfix /etc/aliases
scp /root/tmp/postfix-config.tar.gz ${TARGET_HOST}:/root/tmp

On the destination machine unpack and install the configuration files:

cd /root/tmp
tar xzvf postfix-config.tar.gz
cp /root/tmp/etc/aliases /etc/
cp -r /root/tmp/etc/postfix/s*l /etc/postfix/

Compare the main configuration files. Write down what you have to merge. Copy only if you have written down what you need to adapt.

cp /root/tmp/etc/postfix/ /etc/postfix/
postalias /etc/aliases

Check the following options in /etc/postfix/ and change them where necessary:

  1. mydestination
  2. myhost
  3. inet_interfaces

Migrating the user mailboxes

Unless you plan to migrate the whole home directories, you can just copy the mailboxes.

Shut down the mail servers on both machines. We do not want to risk copying mailboxes while a write operation might occur.

service postfix stop

Now put the mailboxes into an archive and move them to the new machine.

tar -czvf /root/tmp/user_mailboxes.tar.gz /home/*/mail
scp /root/tmp/user_mailboxes.tar.gz ${TARGET_HOST}:/root/tmp

Create the empty user directories if you did not already do that.

adduser <username>

Unpack the mailboxes on the destination machine:

cd / && tar -xzvf /root/tmp/user_mailboxes.tar.gz

Copy the mail under /var/mail:

tar -czvf /root/tmp/var_mailboxes.tar.gz /var/mail
scp /root/tmp/var_mailboxes.tar.gz ${TARGET_HOST}:/root/tmp

Check if there is something in the mail spool directory. If yes, migrate it in the same way as the user mailboxes.

du -h /var/spool/mail

Unpack the mail for /var/mail on the destination machine:

cd / && tar -xzvf /root/tmp/var_mailboxes.tar.gz
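
Because the archives above are unpacked as root with / as the working directory, it is worth checking them on the destination first. The following is an added example, not part of the original page: the function names are made up for illustration, and it assumes the mailbox layout used on this page (home/<user>/mail and var/mail).

```shell
#!/bin/sh
# Added example (not from the original page): check a mailbox archive on the
# destination before unpacking it as root in /.
# Assumption: mailboxes live under home/<user>/mail or var/mail, as on this page.

# Source host: record a checksum next to the archive; copy both files over.
seal_archive() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# Print every member outside the expected mailbox trees or containing "..".
# Only member paths are checked; symlink targets are not inspected.
unexpected_members() {
    tar -tzf "$1" | awk '{
        p = $0; sub("^[.]?/+", "", p)          # drop a leading "./" or "/"
        if (p ~ "(^|/)[.][.](/|$)")      { print; next }
        if (p ~ "^home/[^/]+/mail(/|$)") next
        if (p ~ "^var/mail(/|$)")        next
        print
    }'
}

# Destination host: 0 = safe to unpack, 1 = checksum mismatch (truncated or
# altered transfer), 2 = archive holds paths that are not mailboxes.
verify_archive() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" ) >/dev/null 2>&1 || return 1
    [ -z "$(unexpected_members "$1")" ] || return 2
}

# Usage on the destination:
#   verify_archive /root/tmp/user_mailboxes.tar.gz && (cd / && tar -xzf /root/tmp/user_mailboxes.tar.gz)
```

The checksum file has to be copied with scp alongside the archive; it detects a damaged transfer, while the path check catches an archive that would write outside the mailbox directories.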


Root gets mail from cron complaining about sendmail

If you get the following mails regularly

Cron <smmsp@yourserver> test -x /etc/init.d/sendmail && /usr/share/sendmail/sendmail cron-msp

Then sendmail was not properly uninstalled during the installation of Postfix.

Remove the offending packages:

sudo apt-get --purge remove sendmail-base sendmail-cf sendmail-doc

Rejected email relaying due to DNS reverse lookup issues with Amazon AWS EC2 Elastic IPs

An Elastic IP is an Amazon AWS feature that allows you to keep a fixed IP address and migrate it to a different compute node instance when necessary.

When you set up an email server on an EC2 instance, though, you will face the problem that the reverse DNS lookup for your Elastic IP address shows an Amazon subdomain. Some mail providers (e.g. GMX) do not accept that and reject your emails.

To fix this you have to fill out a form in the support section of your AWS root account:


postfix.txt · Last modified: 2016/02/21 12:21 by sebastian