Setting up a relay host with Postfix

A relay host, also known as a smart host, is a server to which your server sends its e-mail first, before the mail is delivered to the actual recipient's server. As many users set up their own mail servers, some of those servers end up labeled as spam servers, and it becomes impossible to relay e-mail to recipients through them. It is therefore highly advisable to put a trusted relay host in between, which ensures the timely delivery of your e-mails and gives you the assurance that they will not be marked as spam.

In this article we will see how to configure Postfix to relay e-mail to another server: OVH's SMTP server. This assumes that you already have a domain name registered at OVH. An e-mail address must also be configured: an MX Plan 1 is sufficient. This offer is free when you buy a domain name.

Information and requirements

These elements are to be taken into consideration to follow this article:

Update the system

sudo dnf -y update

Install required utilities

sudo dnf -y install fail2ban-mail postfix mail-utils cyrus-sasl cyrus-sasl-plain cyrus-sasl-lib mailx whois

Configure Postfix

The file is located at /etc/postfix/main.cf. For existing options, modify them. For those that don’t exist, add them at the end of the file (mainly those that start with smtp_).

myhostname = domain.fr
myorigin = $myhostname
mydomain = $myhostname
mynetworks = 127.0.0.0/8 [::1]/128
inet_interfaces = all
mydestination = $myhostname, localhost
relayhost = ssl0.ovh.net:587
disable_dns_lookups = yes
smtp_sasl_auth_enable = yes
smtpd_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_generic_maps = hash:/etc/postfix/generic
append_dot_mydomain = yes

The option names are fairly self-explanatory; if one is not clear to you, the official documentation is always there to help. Make sure to replace domain.fr in myhostname = domain.fr with your domain name. Please note that port 587 is used. This is the submission port, used to relay outgoing mail to another mail server.

Create the password file

Copy the following snippet into /etc/postfix/sasl_passwd. Replace Password with the password for the e-mail address.

ssl0.ovh.net:587 contact@domain.fr:Password

Generate the password database

sudo postmap /etc/postfix/sasl_passwd

Set the correct permission

sudo chmod 600 /etc/postfix/sasl_passwd*
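
With smtp_sasl_mechanism_filter = login, the mailbox password is protected on the wire only by the mandatory TLS level and on disk only by the file mode set above. The script below is an added example, not part of the original article: it checks both for a given main.cf. The helper names get_param and audit_relay and the scratch-directory sample are constructed for illustration, and continuation lines in main.cf are not handled.

```shell
#!/bin/sh
# Added example: check that a Postfix relay config protects the SASL password.

# Print a main.cf parameter value (last assignment wins, as in Postfix).
get_param() {   # $1 = main.cf path, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Return 0 when TLS is mandatory and the password map is mode 600, else 1.
audit_relay() {   # $1 = main.cf path
    rc=0
    level=$(get_param "$1" smtp_tls_security_level)
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) ;;   # levels that refuse cleartext
        *) echo "FAIL: smtp_tls_security_level='$level' does not force TLS"; rc=1 ;;
    esac
    maps=$(get_param "$1" smtp_sasl_password_maps)
    file=${maps#*:}                     # drop the lookup type, e.g. "hash:"
    [ -e "$file" ] || { echo "FAIL: password map '$file' not found"; rc=1; }
    for f in "$file" "$file.db"; do     # source file and the postmap output
        [ -e "$f" ] || continue
        [ -n "$(find "$f" -prune -perm 600)" ] || { echo "FAIL: $f is not mode 600"; rc=1; }
    done
    return $rc
}

# Constructed sample: the page's relay settings in a scratch directory.
demo_dir=$(mktemp -d)
printf 'ssl0.ovh.net:587 contact@domain.fr:Password\n' > "$demo_dir/sasl_passwd"
chmod 600 "$demo_dir/sasl_passwd"
cat > "$demo_dir/main.cf" <<EOF
relayhost = ssl0.ovh.net:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$demo_dir/sasl_passwd
smtp_tls_security_level = encrypt
EOF
audit_relay "$demo_dir/main.cf" && echo "OK: relay credentials are protected"
```

On a real host, run audit_relay /etc/postfix/main.cf as root so the password files can be inspected.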

Create the address mapping file

Copy the following snippet into /etc/postfix/generic. Replace alert@domain.fr with the e-mail address through which you want to receive e-mails.

root	alert@domain.fr

Generate the address mapping database

sudo postmap /etc/postfix/generic

Set the correct permission

sudo chmod 600 /etc/postfix/generic

Test

You can test that everything works by sending an e-mail. Replace validemail@gmail.com with a valid e-mail address.

echo "E-mail's content" | mail -r "contact@domain.fr" -s "E-mail's subject" validemail@gmail.com

Use cases

Configure Fail2ban to send notifications

Configure Fail2ban

sudo dnf -y install fail2ban-server fail2ban-firewalld
sudo systemctl enable --now fail2ban

Copy the following snippet into /etc/fail2ban/jail.d/sshd.local.

[DEFAULT]
maxretry = 3
bantime = 86400
findtime = 3600
ignoreip = <IP address>

[sshd]
enabled = true

Directives’ explanation:

Modify these options in /etc/fail2ban/jail.conf.

destemail = validemail@gmail.com
sender = contact@domain.fr
mta = mail
action = %(action_mwl)s

As soon as Fail2ban bans an IP address, an e-mail is sent to validemail@gmail.com with many details such as logs, a WHOIS report…