Postfix relay basics

Practical Linux guide: postfix relay basics without the usual guesswork.

14 min read Intermediate Updated 9 Jun 2026

Step-by-step guide

Work through each section in order. Stop when your issue is resolved — you do not need every step for every situation.

What you will achieve

Configure Postfix on Debian/Ubuntu to relay outbound mail through SMTP providers (SES, SendGrid, Gmail relay) — so cron and app mail actually deliver.

1) Install Postfix

sudo apt install postfix libsasl2-modules
# Internet Site or Satellite as prompted

2) Relay host and SASL

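# /etc/postfix/main.cf
relayhost = [smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# allow PLAIN/LOGIN inside the TLS session (the default also forbids plaintext mechanisms)
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt

# /etc/postfix/sasl_passwd (one line per relay: host, then username:password)
# [smtp.example.com]:587 username:password

# shell: lock down the credentials file, then build the lookup table
sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd*
sudo systemctl restart postfix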

3) Test

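# the mail command comes from the mailutils or bsd-mailx package
echo "test" | mail -s "relay test" you@example.com
# watch the delivery attempt and the relay's response
sudo tail -f /var/log/mail.log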

4) Verify

mailq
sudo postfix check

5) Sender canonical maps

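# /etc/postfix/canonical
root    alerts@example.com
@machine.local  @example.com

# shell: build the lookup table
sudo postmap /etc/postfix/canonical
# main.cf: canonical_maps = hash:/etc/postfix/canonical
# (canonical_maps rewrites sender and recipient addresses; sender_canonical_maps rewrites senders only)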

6) Restrict relay to localhost

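# /etc/postfix/main.cf (relay is limited to localhost only while mynetworks lists just loopback addresses)
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination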

7) OpenDKIM signing (optional)

Improve deliverability — pair with SPF and DMARC DNS records. Without DKIM, relay providers may still accept but Gmail scrutinises more.

Debugging mail queue

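# list the queue
sudo postqueue -p
# delete ALL queued mail (irreversible); to retry delivery instead, flush with: sudo postqueue -f
sudo postsuper -d ALL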

Flush deferred queue only after fixing relay auth — otherwise messages bounce repeatedly.

8) SPF record for relay domain

DNS TXT: v=spf1 include:sendgrid.net ~all — without SPF, relayed mail lands in spam regardless of Postfix config perfection.

Prerequisites

Relay provider credentials. Outbound TCP 587 open. Hostname matching PTR/rDNS if possible. SPF/DKIM DNS planned. Local apps or cron need mail only via localhost:25.

Test without spamming

swaks --to you@example.com --from server@example.com --server 127.0.0.1

myhostname and HELO

myhostname = mail.example.com

Must resolve publicly — mismatched HELO causes relay providers to reject mail as spam.

Null client configuration

Workstation relaying only outbound mail: set relayhost, leave mydestination empty (mydestination =) and set inet_interfaces = loopback-only. This prevents it from accidentally becoming an open relay.

TLS outbound cert verify

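# "encrypt" only forces TLS; "secure" (or "verify") also checks the relay's certificate against the CA file
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt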

Prevents MITM on relay path on untrusted networks.
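
As an added example (not part of the original guide), the shell function below audits `postconf -n` style output against the null client and TLS verification settings described above. The finding names and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Reads "name = value" lines
# (the format `postconf -n` prints) on stdin and prints one finding per line.
# Finding names and both samples are constructed for this example.
audit_relay_conf() {
    awk '
    {
        i = index($0, "=")
        if (i == 0) next
        k = substr($0, 1, i - 1); v = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        conf[k] = v; seen[k] = 1
    }
    END {
        # No relayhost: Postfix delivers directly instead of relaying.
        if (conf["relayhost"] == "") print "NO_RELAYHOST"
        # "encrypt" forces TLS but does not authenticate the relay certificate.
        lvl = conf["smtp_tls_security_level"]
        if (lvl !~ /^(verify|secure|fingerprint|dane-only)$/)
            print "RELAY_CERT_NOT_VERIFIED level=" (lvl == "" ? "unset" : lvl)
        # An unset inet_interfaces falls back to the default, "all".
        ifs = seen["inet_interfaces"] ? conf["inet_interfaces"] : "all"
        if (ifs !~ /^(loopback-only|localhost|127\.0\.0\.1)$/)
            print "LISTENS_BEYOND_LOOPBACK inet_interfaces=" ifs
        # A null client sets mydestination explicitly to empty.
        if (!seen["mydestination"] || conf["mydestination"] != "")
            print "LOCAL_DELIVERY_ENABLED"
    }'
}

# Constructed sample: the step 2 settings alone.
sample_step2() {
    cat <<'EOF'
relayhost = [smtp.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
EOF
}

# Constructed sample: null client with relay certificate verification.
sample_null_client() {
    sample_step2 | sed 's/= encrypt$/= secure/'
    printf '%s\n' 'inet_interfaces = loopback-only' 'mydestination ='
}

echo "step 2 only:";  sample_step2 | audit_relay_conf
echo "null client:";  sample_null_client | audit_relay_conf
```

On a live host, pipe `postconf -n` into `audit_relay_conf` instead of the samples.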

bounce handling

Monitor the bounce queue: a relay auth failure fills the queue with deferred mail. Alert on a mailq depth threshold via a cron job or Nagios plugin.

sender_dependent_relayhost_maps

Multiple domains, different relays: map each sender domain to a relay host for multi-tenant outbound mail from a single Postfix instance.

message_size_limit

message_size_limit = 52428800

50MB cap prevents accidental mail loop filling disk with giant attachment bounces from misconfigured app.

defer queue alert

mailq growing past 100 deferred messages: page on-call before the queue fills the disk partition holding /var/spool/postfix.

Reverse DNS alignment

Ensure PTR for server public IP matches myhostname — many relays reject or spam-folder mail when forward and reverse DNS disagree.

Loopback-only test

Verify relay with swaks --server 127.0.0.1 --to you@example.com before opening postfix to LAN — confirms relay auth without exposing misconfiguration externally.
