How to Set up a Backup Email Server with Postfix on Ubuntu (Complete Guide)

This tutorial will be showing you how to set up a backup email server with Postfix on Ubuntu. A backup email server is often called a backup MX. MX stands for Mail Exchanger. Previously I wrote an article explaining how iRedMail can help you quickly run your own email server. Sometimes your email server can be offline, especially if you run email server at home instead of in a data center. You can set up a backup email server to receive and queue emails when your primary email server is down. The backup MX will relay queued emails to the primary when it’s back online.

Prerequisites

Since you’re going to set up a backup email server, you need a server with high uptime, so preferrably you should rent a virtual private server (VPS) in a data center. Make sure the server can send email on port 25. I set up my backup email server on a $5/month Linode instance because port 25 isn’t blocked on Linode. Once you have a VPS, install Ubuntu on it and follow the instructions below.

It’s assumed that your backup MX host isn’t a primary email server for any domains. It’s a good practice to separate the role of primary and secondary email servers on different hosts.

Creating DNS MX Record

The MX record specifies which host or hosts handle emails for a particular domain name. For example, the host that handles emails for linuxbabe.com is email.linuxbabe.com, which is the primary email server. You can query MX record with the dig utility.

dig MX +short linuxbabe.com

how to setup a backup email server

If someone with a Gmail account sends an email to [email protected], then Gmail server will query the MX record of linuxbabe.com. When it finds out that email.linuxbabe.com is responsible for accepting email, it then query the A record of email.linuxbabe.com to get the IP address, thus the email can be delivered.

To set up a backup email server, you need to create another MX record in your DNS manager. Enter @ in the Name field to represent the main domain name, then enter the hostname for the backup email server in the Value field. I named my backup email server mx2.linuxbabe.com.

backup mx server

Now I have two MX records for my domain name. Notice that there are two numbers at the beginning. They are called preference value or priority value. A small number has higher priority than a big number.

postfix backup mx server

A sending SMTP server will pick the email server with highest priority to deliver email. If that email server is unavailable, then the email server with second highest priority will be tried. You can set the preference vaule in your DNS manager. It can be any number between 0 and 65,356. Make sure the number for backup email server is bigger than that for primary email server. And don’t forget to create an A record for your backup MX.

Note: The hostname for MX record can not be an alias to another name. Also, It’s highly recommended that you use hostnames, rather than bare IP addresses for MX record.

Setting up Backup Email Server with Postfix on Ubuntu

We just need to install and configure Postfix SMTP server on the backup MX host. No other software is needed. Run the following commands to install Postfix on Ubuntu.

sudo apt update

sudo apt install postfix

When you see the following message, press the Tab key and press Enter.

redundant mail server

Then choose the second option: Internet Site.

secondary mail server

Next, enter the backup MX hostname for the system mail name. For example, I entered mx2.linuxbabe.com. Note that you cannot enter your main domain name here. That is to say, I must not enter linuxbabe.com for the system mail name.

postfix relay domains

After Postfix is installed, open the configuration file.

sudo nano /etc/postfix/main.cf

By default, /etc/postfix/main.cf file contains the following line.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Explanation:

  • Permit_mynetworks tells Postfix to relay emails from SMTP clients on its own network.
  • Permit_sasl_authenticated tells Postfix to relay emails from authenticated SMTP clients.
  • Defer_unauth_destination makes Postfix reject request from other SMTP clients if the recipient’s domain name is in neither $relay_domains nor $my_destination.

We need to add the relay_domains parameter, specifying the domain names, so that emails can be relayed to the primary email server when it’s back online.

relay_domains = linuxbabe.com

You can also specify multiple domain names if you want to make it as a backup MX host for multiple domain names.

relay_domains = linuxbabe.com, 2nd-domain.com

It’s recommended that you change the default value of myhostname to mx2.your-domain.com.

myhostname = mx2.linuxbabe.com

Make sure that the value of mydestination doesn’t include your main domain name, or your backup MX host will deliver emails to local system instead of relaying to the primary email server. The following values are fine.

mydestination = $myhostname, mx2.linuxbabe.com , localhost, localhost.localdomain, localhost

Postfix continues trying to deliver queued messages for the amount of time specified in the maximal_queue_lifetime parameter, which determines how long deferred messages stay in the queue before they are bounced back to the sender. The default value is 5 days, as can be seen with the command below.

postconf -d | grep maximal_queue_lifetime

output:

maximal_queue_lifetime = 5d

The SMTP protocol (RFC 2821) recommends that sending SMTP server should retry failed email delivery at least 4-5 days. So if you run a backup MX host, you probably want to extend the queue lifetime like 10 days. Add the following line at the end of main.cf file.

maximal_queue_lifetime = 10d

Save and close the file. Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix
Make sure that your firewall allows inbound connection to TCP port 25.

Relay Recipients

By default, Postfix on the backup MX host will accept any address that belongs to $relay_domains. If the primary email server tells the backup MX host that the recipient’s email address doesn’t exist, then the backup MX host must bounce the message to the original sender.

Spammers often send messages to made-up addresses, so your backup MX host will unnecessarily accept a lot of email that must be bounced. If the spammer use other people’s real address as the sender address, then the innocent person will get bounce emails from your server. Sometimes they think that you are a spammer.

It’s highly recommended that you maintain a list of valid recipient addresses on the backup MX host. In /etc/postfix/main.cf file, add the following line.

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Then you can specify valid recipient addresses in /etc/postfix/relay_recipients file like below.

[email protected]       OK
[email protected]       OK
[email protected]       OK

Obviously, manually adding recipient address is only viable for small email servers. For large email servers, this is time-consuming. Instead, you can perform real-time lookups using MySQL or LDAP, which will be discussed in a later tutorial.

Once you set relay_recipient_maps parameter, you must include email addresses for all domains that you provide backup service to. If you don’t know all valid email addresses for a domain, you can use a wildcard entry like below.

[email protected]       OK
[email protected]       OK
[email protected]       OK
@2nd-domain.com             OK

The last entry is a wildcard entry that allows any email address of the second domain.

Anti-Spam Filters

Spammers often target backup MX host to send email spam. So it’s important that you deploy anti-spam filters on both your primary and backup MX host. You can use my 6 tips to block email spam with Postfix. It’s worth mentioning that you need to make sure you backup MX host can get through the spam filters on the primary email server.

Enabling TLS Encryption

By default, Postfix does not encrypt connections from or to other email servers. It’s important that we enable TLS encryption so that emails won’t be snooped by a middle man listening on the network traffic. We can easily obtain a free TLS certificate from Let’s Encrypt. Issue the following commands to install Let’s Encrypt client (certbot) on Ubuntu server from official PPA.

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot

Now you can obtain a TLS certificate with one of three plugins (standalone, Apache, Nginx), depending on your server.

Obtaining TLS Certificate with the Standalone Plugin

If there’s no web server running on your backup MX host, then you can use the standalone plugin to obtain TLS certificate from Let’s Encrypt by executing the following command.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email your-email-address -d mx2.your-domain.com

Explanation:

  • certonly: Obtain a certificate but don’t install it.
  • --standalone: Use the standalone plugin to obtain a certificate
  • --preferred-challenges http: Perform http-01 challenge to validate our domain, which will use port 80. By default the standalone plugin will perform tls-sni challenge, which uses port 443.
  • --agree-tos: Agree to Let’s Encrypt terms of service.
  • --email: Email address is used for account registration and recovery.
  • -d: Specify your domain name.

As you can see the from the following screenshot, I successfully obtained the certificate.

postfix backup mx how to

Obtaining TLS Certificate with the Apache Plugin

If Apache web server is running on your backup MX host, you can use the Apache plugin to obtain TLS certificate. Run the following command to install the Apache plugin.

sudo apt install python3-certbot-apache

You need to have an Apache virtual host for mx2.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/apache2/sites-available/mx2.your-domain.com.conf

Then paste the following text into the file.

<VirtualHost *:80>        
        ServerName mx2.your-domain.com

        DocumentRoot /var/www/mx2.your-domain.com
</VirtualHost>

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mx2.your-domain.com

Set www-data (Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mx2.your-domain.com -R

Enable this virtual host.

sudo a2ensite mx2.your-domain.com.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --email your-email-address -d mx2.your-domain.com

You should see the following message which means the certificate is successfully obtained.

postfix backup mx tls encryption

Obtaining TLS Certificate with the Nginx Plugin

If Nginx web server is running on your backup MX host, you can use the Nginx plugin to obtain TLS certificate. Run the following command to install the Nginx plugin.

sudo apt install python3-certbot-nginx

You need to have a Nginx virtual host for mx2.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/nginx/conf.d/mx2.your-domain.com.conf

Next, paste the following text into the file.

server {
      listen 80;
      server_name mx2.your-domain.com;

      root /var/www/mx2.your-domain.com/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mx2.your-domain.com/

Set www-data (Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mx2.your-domain.com -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once virtual host is created and enabled, run the following command to obtain and install Let’s Encrypt certificate with Nginx plugin.

sudo certbot --nginx --agree-tos --redirect --hsts --email your-email-address -d mx2.your-domain.com

You should see the following which means the certificate is successfully obtained. You can also see the directory under which your cert is stored.

postfix backup mx tls encryption

Installing TLS Certificate in Postfix

Now we have obtained a valid TLS certificate, let’s install it in Postfix.

sudo nano /etc/postfix/main.cf

Find the TLS parameters section and the following two lines.

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Replace them with:

smtpd_tls_cert_file=/etc/letsencrypt/live/mx2.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mx2.your-domain.com/privkey.pem

Then add the following 3 lines, which enables TLS in Postfix SMTP server.

smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1
smtpd_tls_loglevel = 1

Save and close the file. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now Postfix SMTP server can use STARTTLS to establish encrypted connection with SMTP clients on port 25. Note that end user email client won’t communicate with a backup MX host, so there’s no need to enable submission service on port 587 or 465.

Enforce TLS Connection Between the Primary and the Backup

Since your primary email server is also configured with a valid Let’s Encrypt TLS certificate, we can enforce the backup MX host to use TLS when delivering emails to the primary email server. In /etc/postfix/main.cf file, add the following parameters, which will make Postfix SMTP client to always use TLS and also verify the remote server certificate using trusted root CA certificates in /etc/ssl/certs directory.

smtp_tls_security_level = verify
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1

Save and close the main.cf file. Then use the following command to create hash symbolic links.

Ubuntu 18.04: sudo openssl rehash /etc/ssl/certs

Ubuntu 16.04: sudo c_rehash /etc/ssl/certs

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now you can send an email from your backup MX host to your email address with the following command.

echo "hello" | sendmail [email protected]

After the message is sent, you can find the following text in /var/log/mail.log file.

Verified TLS connection established

If your backup MX host tries to establish TLS connection but can not verify the primary email server’s certificate, then the following message can be found.

Untrusted TLS connection established

How to Identify Relayed Email

You can recognize relayed email by looking at the email headers in your email client. For example, I shut down my primary email server,  then use my Gmail account to send an email to my domain email account. After a few minutes, I boot my primary email server up again. When chekcing the email headers, the client IP and HELO hostname belongs to my backup MX host, so I know it’s relayed via my backup MX host.

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=13.115.185.252; helo=mx2.linuxbabe.com; [email protected]; receiver=<UNKNOWN>

Notice that the SPF check result is Softfail, which means Gmail didn’t designate my backup MX host as being allowed to send emails on behalf of gmail.com, but if my backup MX host sends an email on behalf of gmail.com, the recipient’s SMTP server can accept it and mark it as Softfail.

I hope this tutorial helped you set up a backup email server with Postfix on Ubuntu. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.

Rate this tutorial
[Total: 0 Average: 0]

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • If my answer helped you, please consider supporting this site. Thanks :)