
Configuring Postfix to Use an External SMTP Server


Introduction

Relaying your email through an external SMTP provider (such as Gmail, SendGrid, or Amazon SES) can improve your email deliverability and reliability. This guide walks you through installing (if needed) and configuring Postfix to send email via an external SMTP server with secure authentication and TLS encryption.

Prerequisites

Before you begin, ensure you have the following details from your email provider:

  • SMTP server address (e.g., smtp.example.com)
  • SMTP port (587 for STARTTLS or 465 for implicit TLS)
  • A valid username and password for the SMTP account
  • (Optional) A CA certificate or chain file if required

Installation of Postfix

If Postfix is not already installed on your system, follow the instructions below based on your distribution:

Debian/Ubuntu

sudo apt-get update
sudo apt-get install -y mailutils postfix

During installation, select Internet Site when prompted and enter your system mail name (e.g., example.com).

CentOS / Fedora

sudo dnf install -y postfix mailx
# or
sudo yum install -y postfix mailx

Ensure Postfix is enabled and started using your system’s service manager.

1. Configure Postfix

1.1 Edit the Main Configuration File

Open the Postfix main configuration file (/etc/postfix/main.cf):

sudo nano /etc/postfix/main.cf

Add or update the following settings at the bottom of the file. Replace smtp.example.com and 587 with your provider’s settings:

/etc/postfix/main.cf
# Define the external SMTP relay (square brackets prevent MX lookups)
relayhost = [smtp.example.com]:587

# Enable SMTP authentication and specify the password file
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

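# Enable TLS encryption. "encrypt" makes TLS mandatory, so credentials are
# never sent in cleartext, but it does not verify the server certificate
# (the "verify" and "secure" levels do, using the CA file below).
# smtp_use_tls is the legacy switch that smtp_tls_security_level supersedes.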
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes

# (Optional) Specify the CA certificate file if required
# smtp_tls_CAfile = /etc/postfix/cacert.pem

Save and exit (press CTRL + X, press Y, then press ENTER)

1.2 Configure Optional CA Certificate

If your SMTP provider requires a specific CA certificate, copy it to /etc/postfix/cacert.pem:

sudo cp /path/to/your/provider-ca.pem /etc/postfix/cacert.pem

2. Create and Secure the SASL Password File

2.1 Create the Credentials File

Create the file /etc/postfix/sasl_passwd:

sudo nano /etc/postfix/sasl_passwd

Add the following line (replace with your SMTP details):

/etc/postfix/sasl_passwd
[smtp.example.com]:587 username:password

Save and exit (press CTRL + X, press Y, then press ENTER)

2.2 Secure the File and Generate the Hash Map

Set the correct file permissions to protect your credentials:

sudo chmod 600 /etc/postfix/sasl_passwd

Generate the Postfix lookup table:

sudo postmap /etc/postfix/sasl_passwd

3. Reload Postfix and Verify the Configuration

Reload Postfix to apply the changes:

sudo systemctl reload postfix

Alternatively, on older systems use:

sudo service postfix reload

Check the configuration syntax:

sudo postfix check
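
The settings from steps 1 to 3 can also be checked offline. The script below is an added example, not part of the original guide: it reads a main.cf and the SASL password file and reports a relayhost without brackets, a TLS level that does not force encryption, a port 465 relay without smtp_tls_wrappermode, and credential files accessible to group or other. The helper names mc_get and audit_relay and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: offline audit of the relay settings this guide configures.

# Print the effective value of a main.cf parameter (last assignment wins).
# Simplification: $variable expansion and continuation lines are not handled.
mc_get() {  # usage: mc_get FILE PARAM
    awk -v k="$2" '
        /^[ \t#]/ || !/=/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# Print one line per finding; return 0 when clean, 1 otherwise.
audit_relay() {  # usage: audit_relay MAIN_CF SASL_PASSWD
    cf=$1; pw=$2; bad=0
    relay=$(mc_get "$cf" relayhost)
    level=$(mc_get "$cf" smtp_tls_security_level)
    case $relay in
        "")     echo "relayhost is not set"; bad=1 ;;
        \[*\]*) ;;
        *)      echo "relayhost '$relay' lacks [], so MX lookups decide the destination"; bad=1 ;;
    esac
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "smtp_tls_security_level='$level' does not force TLS before AUTH"; bad=1 ;;
    esac
    # Port 465 is implicit TLS: Postfix (3.0 and later) needs wrapper mode for it.
    case $relay in
        *:465) [ "$(mc_get "$cf" smtp_tls_wrappermode)" = yes ] ||
                   { echo "port 465 relay without smtp_tls_wrappermode = yes"; bad=1; } ;;
    esac
    # Credentials and the postmap output must not be accessible to group/other.
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "$f is accessible to group or other"; bad=1; }
    done
    return $bad
}

# Constructed sample mirroring the settings above, checked in a scratch directory.
tmp=$(mktemp -d)
printf '%s\n' 'relayhost = [smtp.example.com]:587' \
    'smtp_tls_security_level = encrypt' > "$tmp/main.cf"
printf '%s\n' '[smtp.example.com]:587 username:password' > "$tmp/sasl_passwd"
chmod 600 "$tmp/sasl_passwd"
audit_relay "$tmp/main.cf" "$tmp/sasl_passwd" && echo "relay configuration looks sound"
rm -rf "$tmp"
```

On a real host, call audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd as root; postconf -n remains the authoritative view of the effective settings.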

4. Test Your Setup

Send a test email from the command line:

echo "This is a test email body." | mail -s "Test Email Subject" [email protected]

If the email does not arrive, check your mail logs. For example, on Debian/Ubuntu:

sudo tail -n 50 /var/log/mail.log

Or if your logs appear in syslog:

sudo tail -n 50 /var/log/syslog | grep postfix

Additional Considerations

  • Gmail Users: If using Gmail, you may need to create an App Password and enable two-factor authentication. Ensure SMTP relay is permitted in your account settings.
  • Missing CA Certificates: If you encounter errors such as cat: /etc/ssl/certs/thawte_Primary_Root_CA.pem: No such file or directory, verify the certificate path or download the certificate using wget.
  • Sender Address Verification: Errors like Sender verify failed indicate that the sender address (e.g., root@your_domain.com or [email protected]) is rejected. Use canonical mapping to rewrite the sender address to the valid email configured in your SASL settings.
  • Routing Local Domain Mail: If sending mail to addresses on your own domain, review the mydestination parameter in /etc/postfix/main.cf or set up virtual aliases to force external delivery. See this article for guidance.
  • IPv6 Connectivity Issues: Errors like Network is unreachable when connecting to an IPv6 address suggest your system may not have proper IPv6 connectivity. Consider disabling IPv6 in Postfix or configuring your network accordingly.
  • Security Modules: SELinux (RHEL/CentOS/Fedora) or AppArmor (Ubuntu) might require extra configuration adjustments.

Conclusion

You have now configured Postfix to relay email through an external SMTP server with secure authentication and TLS encryption. Test your configuration thoroughly and consult the logs for any issues. Happy emailing!


25 replies


  1. [root@mailserver postfix]# cat /etc/ssl/certs/thawte_Primary_Root_CA.pem | sudo tee -a /etc/postfix/cacert.pem
    cat: /etc/ssl/certs/thawte_Primary_Root_CA.pem: No such file or directory

  2. Mar 25 12:47:27 ubuntu postfix/smtp[5794]: E0DADC51F5: to=, relay=none, delay=2.1, delays=0.01/0.01/2.1/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[2404:6800:4003:c03::6c]:587: Network is unreachable)

  3. [root@mantisbt ssl]# cat /etc/ssl/certs/thawte_Primary_Root_CA.pem | sudo tee -a /etc/postfix/cacert.pem
    cat: /etc/ssl/certs/thawte_Primary_Root_CA.pem: No such file or directory

    1. What is your distribution of Linux?

      Also see if you can locate the cert

      locate thawte_Primary_Root_CA.pem

      1. I have the same issue, i.e. 257 certs in /etc/ssl/certs but no thawte_Primary_Root_CA.pem:

        “cat: /etc/ssl/certs/thawte_Primary_Root_CA.pem: No such file or directory.”

        I’m on Raspbian Buster, derivative of Debian 10. Locate drew a blank on “thawte_Primary_Root_CA.pem” as did find.

        Can I substitute another cert?

  4. Awesome! Thank you so much for this. I’ve been trying to find a simple solution to allow my home server to email me via SMTP and this worked on the initial try.

  5. Cannot send email, the following error occur:
    (Host or domain name not found. Name service error for name=mail.khmerdeliveryservices.com
    type=AAAA: Host found)

    I did set up A record and AAAA record for mail.khmerdeliveryservices.com correctly from my domain registrar.

    1. What have you got for relayhost in /etc/postfix/main.cf?

      According to a DNS scan for your domain, you are using Namecheap for mail, is that right?

  6. I’ve set this up with Mailgun so that WordPress comments will be emailed to my Gmail, however, I get this error in the log when I post a reply to someone.

    status=bounced (host smtp.mailgun.org[52.32.113.201] said: 550 5.1.0 Recipient rejected: <root@your_domain.co> (in reply to RCPT TO command))

    1. What is the email address in Mailgun? I assume it’s not root@your_domain.com and that’s why Mailgun is rejecting it. In that case, you will need to add a canonical map for postfix.

      For example, if your Mailgun email address is info@your_domain.com, your canonical map would be:

      root@your_domain.co info@your_domain.co

      Please see below comment on how to set up a canonical map.

  7. The syslog shows this error when trying to send a test. Using mailgun.

    status=bounced (host smtp.mailgun.org[34.237.7.101] said: 550 5.7.1 Relaying denied (in reply to RCPT TO command)

  8. When I do a test email, nothing comes in. The syslog says this:

    postfix/smtp[19504]: 1EDFD41921: to=, relay=server81.web-hosting.com[192.64.118.70]:587, delay=1.9, delays=0.04/0.05/1.7/0.18, dsn=5.0.0, status=bounced (host server81.web-hosting.com[192.64.118.70] said: 550-Verification failed for 550-The mail server could not deliver mail to myname@linuxserver. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries. 550 Sender verify failed (in reply to RCPT TO command))

    1. The problem is the from email address myname@linuxserver is invalid and the SMTP server is rejecting it.

      You will need to use a valid email address here, the same one you set up in sasl_passwd.

      To do this, we must do Postfix Address Rewriting.

      sudo nano /etc/postfix/main.cf

      Paste this to the bottom, save and exit.

      sender_canonical_maps = hash:/etc/postfix/canonical

      Edit this file

      sudo nano /etc/postfix/canonical

      Add in this file:

      myname@linuxserver [email protected]

      Where myname@linuxserver is what’s showing in the error log, and [email protected] is the email address of the account you’re trying to send email through.

      Save file and close.

      Now create the db file.

      sudo postmap hash:/etc/postfix/canonical

      Restart postfix service

      sudo service postfix restart

      Now try sending another test email

      echo "Test Email message body" | mail -s "Email test subject" [email protected]

      1. This works, I can send that test message. But when I try to send via PHP, nothing is received. Here is a new error.

        postfix/qmgr[20768]: 8AF5C41923: from=, size=1252, nrcpt=1 (queue active)
        postfix/local[20955]: 8AF5C41923: to=, relay=local, delay=0.04, delays=0.03/0.01/0/0.01, dsn=5.1.1, status=bounced (unknown user: "webmaster")

          1. OK I did that, now I have a different error when trying to send PHP mail.

            status=bounced (host server81.web-hosting.com[192.64.118.70] said: 550-Verification failed for  550-No Such User Here" 550 Sender verify failed (in reply to RCPT TO command))

          2. This address: [email protected] is being rejected by the SMTP server because it doesn’t exist. Remember, this SMTP server will only accept mail if the From email matches the account you are trying to send mail through.

            You will need to add another canonical map for [email protected].

            sudo nano /etc/postfix/canonical

            Add

            [email protected] [email protected]

            Where [email protected] is what’s showing in the error log, and [email protected] is the email address of the account you’re trying to send email through.

            Save file and close.

            Now create the db file.

            sudo postmap hash:/etc/postfix/canonical

            Restart postfix service

            sudo service postfix restart

            Now try sending another test email