In this article, I’ll show you how to set up Postfix as a send-only SMTP server on CentOS 8. I’ll first show you how to do it for a single domain, then you can apply the steps for multiple domains if you need to.
Use Case
You have a website/web application that needs to send transactional emails to users (such as password-reset email). Most likely, there’s no need for users to reply to these emails, or if they reply, the reply emails will be sent to your dedicated mail server. In this case, you can set up a send-only SMTP server on the web server using Postfix, which is a popular SMTP server software.
Prerequisites
In order to send emails from your server, port 25 (outbound) must be open. Many ISPs and hosting companies such as DigitalOcean block port 25 to control spam. I recommend using Hostwinds, because it doesn’t block port 25 (outbound). Once you have a Hostwinds server, install CentOS 8 on it, and follow the instructions below.
Setting up a Postfix send-only SMTP server for multiple domains isn’t difficult actually. First, we need to configure it for one domain, then set it up for multiple domains.
Step 1: Set Hostname and PTR Record
By default, Postfix uses your server’s hostname to identify itself when communicating with other SMTP servers. Some SMTP servers will reject your email if your hostname isn’t valid. You should set a fully qualified domain name (FQDN) like below.
sudo hostnamectl set-hostname mta1.yourdomain.com
To check the hostname of your server, run
hostname -f
You need to log out and log back in to see the hostname change at the command prompt. This hostname should have a DNS A record pointing to the IP address of your server.
Also, you need to set a PTR record (aka, pointer record), which maps an IP address to an FQDN. It’s the counterpart to the A record. Many SMTP servers will reject your email if your server’s IP address doesn’t have a PTR record.
Because you get the IP address from your hosting provider or ISP, not from your domain registrar, you must set the PTR record for your IP in the control panel of your hosting provider, or ask your ISP. For example, in Hostwinds, you can set the PTR record by clicking the Domains tab and clicking the Manage rDNS link. Although you can set the PTR record to any hostname, for best practice, you should use the FQDN you just set.
To see if your PTR record is set properly, run the following command. Replace 12.34.56.78 with your own IP address.
host 12.34.56.78
Note that if your server uses an IPv6 address, it’s also a good idea to add an AAAA record for your FQDN and set a PTR record for your IPv6 address.
Step 2: Install Postfix on CentOS 8
Run the following commands to install Postfix from the default CentOS 8 repository.
sudo dnf update
sudo dnf install postfix -y
Once it’s installed, start the Postfix SMTP server.
sudo systemctl start postfix
And enable auto-start at boot time.
sudo systemctl enable postfix
Step 3: Configure Postfix
Setting the Postfix hostname
By default, the Postfix SMTP server uses the OS’s hostname to identify itself when communicating with other SMTP servers. However, the OS hostname might change, so it’s a good practice to set the hostname directly in the Postfix configuration file with the following command.
sudo postconf -e "myhostname = mta1.yourdomain.com"
Setting $mydomain Parameter
The $mydomain parameter specifies the local internet domain name. The default is to use $myhostname minus the first component. You can display the current value of $mydomain with:
postconf mydomain
It should be your apex domain name, like
linuxbabe.com
If it’s not displaying your apex domain name, then set the $mydomain parameter with:
sudo postconf -e "mydomain = yourdomain.com"
Setting $myorigin Parameter
The $myorigin parameter specifies the default domain name that is appended to sender and recipient addresses that have no @domain part. The default is to use the value of $myhostname, as can be seen with:
postconf myorigin
Output:
myorigin = $myhostname
You can change its value to yourdomain.com.
sudo postconf -e "myorigin = yourdomain.com"
Restarting Postfix
Finally, we need to restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Step 4: Install and Configure OpenDKIM on CentOS 8
DKIM stands for DomainKeys Identified Mail. You can install OpenDKIM on your server and use it to add signatures to emails sent from your domain, with your private key. Receiving SMTP servers verify the signature by using the corresponding public key, which is published by you in the DNS. Adding a DKIM signature is a must if you want your emails to get into the recipient’s inbox.
Install OpenDKIM from the EPEL (Extra Packages for Enterprise Linux) repository.
sudo dnf install epel-release
sudo dnf install opendkim perl-Getopt-Long
Edit the OpenDKIM main configuration file.
sudo nano /etc/opendkim.conf
Find the following line.
Mode v
By default, OpenDKIM runs in verification mode (v), which will verify the DKIM signature of incoming email messages. We need to sign outgoing emails, so change this line to the following to enable signing mode.
Mode sv
Find the following line and comment it out, because we will use separate keys for each domain name.
KeyFile /etc/opendkim/keys/default.private
Next, find the following 4 lines and uncomment them.
# KeyTable /etc/opendkim/KeyTable
# SigningTable refile:/etc/opendkim/SigningTable
# ExternalIgnoreList refile:/etc/opendkim/TrustedHosts
# InternalHosts refile:/etc/opendkim/TrustedHosts
Save and close the file.
Create Signing Table, Key Table and Trusted Hosts File
Edit the signing table file.
sudo nano /etc/opendkim/SigningTable
Add the following line at the end of this file. This tells OpenDKIM that if a sender on your server is using a @your-domain.com address, then it should be signed with the private key identified by mta1._domainkey.your-domain.com.
*@your-domain.com mta1._domainkey.your-domain.com
mta1 is the DKIM selector. A domain name might have multiple DKIM keys. The DKIM selector allows you to choose a particular DKIM key. You can use whatever name for the DKIM selector. I think it’s convenient to use the leftmost part of the hostname as the DKIM selector. Save and close the file. Then edit the key table file.
sudo nano /etc/opendkim/KeyTable
Add the following line, which specifies the location of the DKIM private key.
mta1._domainkey.your-domain.com your-domain.com:mta1:/etc/opendkim/keys/your-domain.com/mta1.private
Save and close the file. Next, edit the trusted hosts file.
sudo nano /etc/opendkim/TrustedHosts
127.0.0.1 and ::1 are included in this file by default. Now add the following line. This tells OpenDKIM that if an email is coming from your own domain name, then OpenDKIM should not perform DKIM verification on the email.
*.your-domain.com
Save and close the file.
Generate Private/Public Keypair
Since DKIM is used to sign outgoing messages and verify incoming messages, you need to generate a private key to sign outgoing emails and a public key for receiving SMTP servers to verify the DKIM signature of your email. The public key will be published in DNS.
Create a separate folder for the domain.
sudo mkdir /etc/opendkim/keys/your-domain.com
Generate keys using the opendkim-genkey tool.
sudo opendkim-genkey -b 2048 -d your-domain.com -D /etc/opendkim/keys/your-domain.com -s mta1 -v
The above command will create 2048-bit keys. -d (domain) specifies the domain. -D (directory) specifies the directory where the keys will be stored. I use mta1 as the DKIM selector. Once the command is executed, the private key will be written to the mta1.private file and the public key will be written to the mta1.txt file.
By default, only root can read and write to the key files. Make opendkim the owner of the private key.
sudo chown opendkim:opendkim /etc/opendkim/keys/ -R
Publish Your Public Key in DNS Records
Display the public key
sudo cat /etc/opendkim/keys/your-domain.com/mta1.txt
The string after the p parameter is the public key.
In your DNS manager, create a TXT record and enter mta1._domainkey in the name field. Then go back to the terminal window, copy everything in the parentheses and paste it into the value field of the DNS record. You need to delete all double quotes and line breaks in the value field. If you don’t delete them, then the key test in the next step will probably fail.
Test DKIM Key
Enter the following command on your CentOS 8 server to test your key.
sudo opendkim-testkey -d your-domain.com -s mta1 -vvv
If everything is OK, you will see the key OK message.
opendkim-testkey: using default configfile /etc/opendkim.conf
opendkim-testkey: checking key 'mta1._domainkey.linuxbabe.com'
opendkim-testkey: key OK
If you see “Key not secure”, don’t panic. This is because DNSSEC isn’t enabled on your domain name. DNSSEC is a security standard for secure DNS query. Most domain names haven’t enabled DNSSEC. You can continue to follow this guide.
Now we can start the opendkim service.
sudo systemctl start opendkim
And enable auto-start at boot time.
sudo systemctl enable opendkim
OpenDKIM listens on 127.0.0.1:8891.
Step 5: Connect Postfix to OpenDKIM
Edit the Postfix main configuration file.
sudo nano /etc/postfix/main.cf
Add the following lines at the end of this file, so Postfix will be able to call OpenDKIM via the milter protocol. Note that you should use 127.0.0.1 as the address. Don’t use localhost.
# Milter configuration
# accept: if OpenDKIM is unreachable, mail is still delivered (unsigned)
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters
Save and close the file. Then add the postfix user to the opendkim group.
sudo gpasswd -a postfix opendkim
Restart the postfix service.
sudo systemctl restart postfix
Step 6: Create SPF DNS Record
An SPF (Sender Policy Framework) record specifies which hosts or IP addresses are allowed to send emails on behalf of a domain. In your DNS management interface, create a new TXT record like below. Use your own IPv4 address and IPv6 address of your server.
TXT @ v=spf1 mx ip4:12.34.56.78 ip6:2600:3c01::f03c:93d8:f2c6:78ad ~all
Step 7: Set the From Address, From Name and Return-Path
You can set a custom From address, From name and Return-Path in your website/web application. Let’s use WordPress as an example. You can add the following lines in your WordPress theme’s functions.php file to override the default From address, From name and return-path. Replace the returned values as necessary.
// Function to change From email address
function wpb_sender_email( $original_email_address ) {
    return '[email protected]';
}
// Function to change sender name
function wpb_sender_name( $original_email_from ) {
    return 'LinuxBabe';
}
// Set return-path the same as From address
function fix_my_email_return_path( $phpmailer ) {
    $phpmailer->Sender = $phpmailer->From;
}
// Hooking up our functions to WordPress filters
add_filter( 'wp_mail_from', 'wpb_sender_email' );
add_filter( 'wp_mail_from_name', 'wpb_sender_name' );
add_action( 'phpmailer_init', 'fix_my_email_return_path' );
Save the file and you are done.
Step 8: Enable TLS Encryption for Outgoing Emails
By default, Postfix doesn’t use TLS encryption when sending outgoing emails. To enable TLS encryption, open the /etc/postfix/main.cf file and add the following two lines at the end of this file.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
The first line enables TLS encryption for the Postfix SMTP client. The second line will log the TLS connection in the /var/log/maillog file, so you can check if TLS encryption is working. Save and close the file. Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Since Postfix doesn’t receive incoming emails, there’s no need to configure a valid TLS certificate for the Postfix SMTP daemon.
Step 9: Testing Sender Score
Now go to https://www.mail-tester.com. You will see a unique email address. Send an email from your website on the Postfix SMTP server to this address and then check your score. As you can see, I got a perfect score. In the test result, you should check if your PTR record, SPF and DKIM record are valid.
You can also open the /var/log/maillog file to check if TLS encryption is used. For example, the following line shows the connection to mail-tester.com is encrypted.
Anonymous TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
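Because smtp_tls_security_level = may is opportunistic, a message still goes out in plaintext when the receiving server does not offer STARTTLS. The following shell script is an added example, not part of the original tutorial: it summarises the TLS status logged for each relay and lists relays that accepted mail with no TLS line at all. It assumes smtp_tls_loglevel = 1, matches sessions by relay name rather than by process ID, and runs on constructed sample log lines (only the mail-tester.com TLS line comes from this page).

```shell
#!/bin/sh
# Added example: summarise outbound TLS use from Postfix smtp client logs.
# Assumes smtp_tls_loglevel = 1, as set in Step 8.

# Reads maillog text on stdin, prints "<relay> tls=<level|none> sent=<n>".
tls_report() {
    awk '
    / TLS connection established to / {
        # "... postfix/smtp[pid]: Anonymous TLS connection established to host[ip]:25: TLSv1.2 ..."
        for (i = 2; i + 4 <= NF; i++)
            if ($i == "TLS" && $(i + 1) == "connection") {
                relay = $(i + 4); sub(/:$/, "", relay)
                tls[relay] = $(i - 1)   # Anonymous, Untrusted, Trusted or Verified
            }
        next
    }
    /postfix\/smtp\[/ && /status=sent/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^relay=/) {
                relay = substr($i, 7); sub(/,$/, "", relay)
                sent[relay]++
            }
    }
    END {
        for (r in sent) {
            level = (r in tls) ? tls[r] : "none"
            print r, "tls=" level, "sent=" sent[r]
        }
    }' | LC_ALL=C sort
}

# Relays that accepted mail although no TLS session was logged for them.
plaintext_relays() {
    tls_report | awk '$2 == "tls=none" { print $1 }'
}

# Constructed sample in /var/log/maillog format (not real traffic).
sample_maillog() {
cat <<'EOF'
Oct  5 10:00:01 mta1 postfix/smtp[2101]: Anonymous TLS connection established to mail-tester.com[94.23.206.89]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
Oct  5 10:00:02 mta1 postfix/smtp[2101]: 4F1A2C0D3E: to=<test-abc@mail-tester.com>, relay=mail-tester.com[94.23.206.89]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct  5 10:03:10 mta1 postfix/smtp[2107]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Oct  5 10:03:11 mta1 postfix/smtp[2107]: 5A2B3D1E4F: to=<bob@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct  5 10:05:42 mta1 postfix/smtp[2110]: 6B3C4E2F5A: to=<carol@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct  5 10:06:15 mta1 postfix/smtp[2110]: 7C4D5F3A6B: to=<dave@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Oct  5 10:07:00 mta1 postfix/smtp[2112]: 8D5E6A4B7C: to=<erin@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
EOF
}

sample_maillog | tls_report
```

On a live server, feed the real log instead: sudo cat /var/log/maillog | tls_report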
What if Your Emails Are Still Being Marked as Spam?
I have more tips on email deliverability for you in this article: How to stop your emails being marked as spam. Although it will take some time and effort, your emails will eventually be placed in the inbox after applying these tips.
How to Configure Postfix Send-only SMTP Server For Multiple Domains
By default, Postfix allows you to use any domain name in the From header and return path address to send outgoing emails. If your server hosts multiple websites, you just need to create an SPF DNS record for your other domains, which is very easy to do, and configure OpenDKIM for your other domains.
To configure OpenDKIM for other domains, you need to add the other domains in the signing table, key table and trusted hosts file like below.
Signing table:
*@example.com mta1._domainkey.example.com
*@example.net mta1._domainkey.example.net
Key table:
mta1._domainkey.example.com example.com:mta1:/etc/opendkim/keys/example.com/mta1.private
mta1._domainkey.example.net example.net:mta1:/etc/opendkim/keys/example.net/mta1.private
Trusted hosts:
127.0.0.1
localhost
*.example.com
*.example.net
Then generate the DKIM private/public keypair for the other domains by following the same steps as mentioned above, and add the DKIM public key in DNS. Restart OpenDKIM and you are done. Don’t forget to test your sender score.
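With several domains it is easy to leave the signing table, the key table and the key files out of step. The following shell function is an added example, not part of the original tutorial: it checks that every SigningTable entry has a KeyTable entry and that every key file exists and is not accessible to group or other. The function name, the finding labels and the demo data (including the relative key paths) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: cross-check the OpenDKIM SigningTable and KeyTable
# before restarting the service.
# Usage: audit_dkim_tables /etc/opendkim/SigningTable /etc/opendkim/KeyTable
audit_dkim_tables() {
    signing=$1; keytable=$2

    # 1. Every key name used in the SigningTable must be defined in the KeyTable.
    awk '
        /^[ \t]*(#|$)/         { next }                  # comments, blank lines
        FILENAME == ARGV[1]    { defined[$1] = 1; next } # first file: KeyTable
        !($2 in defined)       { print "NO_KEYTABLE_ENTRY " $1 " -> " $2 }
    ' "$keytable" "$signing"

    # 2. For every KeyTable line "name domain:selector:path":
    awk '!/^[ \t]*(#|$)/ { split($2, f, ":"); print $1, f[1], f[2], f[3] }' "$keytable" |
    while read -r name domain selector path; do
        # Naming convention used in this article, not an OpenDKIM requirement.
        if [ "$name" != "${selector}._domainkey.${domain}" ]; then
            echo "NAME_MISMATCH $name ($domain:$selector)"
        fi
        if [ ! -f "$path" ]; then
            echo "NO_KEY_FILE $name $path"
        # Characters 5-10 of the ls mode string are the group and other bits.
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            echo "LOOSE_PERMS $name $path"
        fi
    done
    return 0
}

# Constructed demo data: two domains configured, a third only half added,
# and one key file left world-readable. Relative key paths are used only
# so the demo can run in a scratch directory.
demo_audit() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir -p keys/example.com keys/example.net
        : > keys/example.com/mta1.private; chmod 600 keys/example.com/mta1.private
        : > keys/example.net/mta1.private; chmod 644 keys/example.net/mta1.private
        cat > SigningTable <<'EOF'
*@example.com mta1._domainkey.example.com
*@example.net mta1._domainkey.example.net
*@example.org mta1._domainkey.example.org
EOF
        cat > KeyTable <<'EOF'
mta1._domainkey.example.com example.com:mta1:keys/example.com/mta1.private
mta1._domainkey.example.net example.net:mta1:keys/example.net/mta1.private
EOF
        audit_dkim_tables SigningTable KeyTable
    )
    rm -rf "$d"
}

demo_audit
```

An empty result means the two tables and the key files agree; run it with sudo on a real server so the key directory can be read.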
Troubleshooting
If your message is not signed and the DKIM check failed, you may want to check the postfix log (/var/log/maillog) to see what’s wrong in your configuration.
Sending Emails From Another Server
There are two ways to allow other servers to send emails through your send-only Postfix SMTP server.
- Use port 25 without SMTP authentication: This method requires that the other server doesn’t block port 25 (outbound).
- Use port 587 with SMTP authentication: If the other server blocks port 25 (outbound), you can use port 587.
Port 25 without SMTP Authentication
By default, Postfix on CentOS 8 listens on localhost only. You need to configure Postfix to listen on 0.0.0.0, so other servers can connect to the send-only Postfix SMTP server.
sudo postconf "inet_interfaces = all"
Then you need to add the IP address of the other server to the Postfix mynetworks parameter. Replace 12.34.56.78 with the real IP address. Hosts listed in mynetworks can relay mail through this server without authentication, so add only the address of the other server.
sudo postconf "$(postconf mynetworks) 12.34.56.78"
Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Run the following commands to open port 25 (inbound).
sudo firewall-cmd --permanent --add-port=25/tcp
sudo systemctl reload firewalld
Now you can configure SMTP clients to use mta1.yourdomain.com and port 25 to send emails. You don’t need to specify username/password in the SMTP client.
Port 587 with SMTP Authentication
Open port 587 and 80 in firewall.
sudo firewall-cmd --permanent --add-service={smtp-submission,http}
sudo systemctl reload firewalld
By default, Postfix on CentOS 8 listens on localhost only. You need to configure Postfix to listen on 0.0.0.0, so other servers can connect to the send-only Postfix SMTP server.
sudo postconf "inet_interfaces = all"
Then you need to enable the submission service of Postfix so that the email client can submit emails to the Postfix SMTP server. Edit the master.cf file.
sudo nano /etc/postfix/master.cf
In the submission section, uncomment or add the following lines. Please allow at least one whitespace (tab or spacebar) before each -o. In postfix configurations, a preceding whitespace character means that this line is a continuation of the previous line. (By default the submission section is commented out. You can copy the following lines and paste them into the file, so you don’t have to manually uncomment or add new text.)
submission inet n - y - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
The above configuration enables the submission daemon of Postfix and requires TLS encryption. Save and close the file. To enable SMTP authentication, we need to install Dovecot on the CentOS 8/RHEL 8 server.
sudo dnf install dovecot
Start Dovecot and enable auto-start at boot time.
sudo systemctl start dovecot
sudo systemctl enable dovecot
Edit the authentication config file.
sudo nano /etc/dovecot/conf.d/10-auth.conf
Uncomment the following line.
disable_plaintext_auth = yes
It will disable plaintext authentication when there’s no SSL/TLS encryption. And if you want to use the full email address ([email protected]) to login, add the following line in the file.
auth_username_format = %n
Otherwise, you can login with username only (without @your-domain.com). Next, find the following line.
auth_mechanisms = plain
This line only enables the PLAIN authentication mechanism. LOGIN is another authentication mechanism you probably want to add to support older email clients.
auth_mechanisms = plain login
Save and close the file. Then edit the following file.
sudo nano /etc/dovecot/conf.d/10-master.conf
Change the service auth section to the following so that Postfix can find the Dovecot authentication server.
service auth {
    unix_listener /var/spool/postfix/private/auth {
      mode = 0660
      user = postfix
      group = postfix
    }
}
Save and close the file. Restart Dovecot for the changes to take effect.
sudo systemctl restart dovecot
Next, we need to obtain a valid TLS certificate. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install the Let’s Encrypt client (certbot) on CentOS 8/RHEL 8 from the EPEL repository.
sudo dnf install certbot
Then use the standalone plugin to obtain a TLS certificate (assuming there’s no web server running on the Postfix SMTP server).
sudo certbot certonly --standalone --agree-tos --email [email protected] -d mta1.yourdomain.com
After a while, you should see the following lines which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.
Next, we need to run the following two commands to specify the location of the TLS certificate and private key in the Postfix configuration file. Your Let’s Encrypt certificate and private key are stored under the /etc/letsencrypt/live/mta1.your-domain.com/ directory.
sudo postconf "smtpd_tls_cert_file = /etc/letsencrypt/live/mta1.your-domain.com/fullchain.pem"
sudo postconf "smtpd_tls_key_file = /etc/letsencrypt/live/mta1.your-domain.com/privkey.pem"
Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Now you can configure SMTP clients to use mta1.yourdomain.com and port 587 to send emails. Use TLS encryption type and plain as authentication mode. You need to create an email account on the SMTP server. That’s very simple. Use the adduser command to add a user.
sudo adduser user1
Then set a password for this user.
sudo passwd user1
The email address will be [email protected].
Conclusion
I hope this tutorial helped you set up a Postfix send-only SMTP server on CentOS 8 for multiple domains. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.