How to Set up Postfix SMTP Relay on Ubuntu with Mailjet

This tutorial is going to show you how to set up Postfix SMTP relay with Mailjet on Ubuntu. Postfix is a popular open-source SMTP server. Previously I wrote an article how to easily set up a full-blown email server on Ubuntu with iRedMail, which helped a lot of readers run their own email server.

However, some readers told me that port 25 is blocked by hosting provider or ISP as a way to control email spam, so they couldn’t send email. Vultr would unblock port 25 if you ask them to, and ScalaHosting doesn’t block port 25 at all, so I recommend using ScalaHosting VPS Some other hosting providers or ISPs like DigitalOcean would refuse to unblock port 25.

SMTP Relay To The Rescue

You can bypass port 25 and send emails to outside world with SMTP relay because it uses port 587. With SMTP relay, your own email server doesn’t directly send email to the destination email address. Instead, there’s an intermediate mail server, otherwise known as smart host or relay host , that sends emails on your behalf. Your email server communicates with smart host on port 587, then the smart host talks with the recipient’s mail server on port 25.

SMTP relay can also help you get around anti-spam blacklists, if your IP address is blacklisted for whatever reason. The recipient’s mail server checks the smart host’s IP address against public anti-spam blacklists, instead of your server IP address and because SMTP relay services maintain good IP reputation, so your emails can get through IP blacklists.

Using Mailjet To Send 200 Emails Per Day For Free

There are several email service providers (ESP) that can act as smart host. Some charge a little fee, some offer free quotas every month. In this article, I’d like to show you how to use Mailjet, which is an email service providers that allows you to send 200 emails per day for free.

The nice thing about Mailjet is that it doesn’t require you to enter your credit card details when you use the free SMTP relay service. There are other ESPs that offer free quota every month but requires you to enter credit card details. (I know how frustrated it can be when you don’t have a credit card.) Mailjet is also easier to set up, compared to other ESPs.

Create an account at mailjet.com. Then on the dashboard, you can see the 3 things that you need to do.

  • Setting up SMTP
  • Managing sender addresses
  • setting up domain authentication (SPF and DKIM)

postfix smtp relay

Step 1: Setting up Postfix SMTP Relay on Ubuntu

First, let’s install Postfix SMTP server on Ubuntu with the following command. If Postfix is already running on your server, then skip installing Postfix, but you still need to install the libsasl2-modules package.

sudo apt install postfix libsasl2-modules

When you see the following message, press the Tab key and press Enter.

postfix relayhost authentication

Then choose the second option: Internet Site.

postfix relayhost configuration

Next, set the system mail name. For example, I enter my domain name linuxbabe.com.

postfix smarthost ubuntu

After Postfix is installed, open the configuration file.

sudo nano /etc/postfix/main.cf

Find the following line.

relayhost =

By default, its value is not set. You need to get this value from your mailjet account. In mailjet dashboard, click setup my SMTP.

set up postfix smtp relay with mailjet

You will see the SMTP server address and SMTP credentials.

postfix bypass port 25

In the Postfix config file, set the value of relayhost to in-v3.mailjet.com:587.

relayhost = in-v3.mailjet.com:587

Then add the following lines to the end of this file.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

Save and close the file. Then create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace api-key and secret-key with your real Mailjet API key and secret key.

in-v3.mailjet.com:587  api-key:secret-key

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, sasl_passwd and sasl_passwd.db file can be read by any user on the server.  Change the permission to 600 so only root can read and write to these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

From now on, Postfix will send emails via mailjet.

Step 2: Adding Sender Addresses

You need to add sender domain or sender address in order to send email via mailjet. In mailjet dashboard, click manage sender addresses. You can validate your entire domain or specific email addresses.

validate sender domain or sender address

Step 3: Setting up Domain Authentication

In this step, we need to set up SPF and DKIM record, which is strongly recommended if you want your emails to land in recipient’s inbox rather than spam folder.

  • SPF: Sender Policy Framework. This is a DNS record that specifies what IP addresses are allowed to send email from your domain.
  • DKIM: DomainKeys Identified Mail. Mailjet will digitally sign your emails with a private key. The DKIM record contains a public key that allows recipient’s email server to verify the signature.

In mailjet dashboard, click setup domain authentication. By default, SPF status and DKIM status are both in error. Click manage button and follow the instructions to add SPF and DKIM records.

smtp relay set up SPF and DKIM

After SPF and DKIM records are created, wait a few moments and refresh the mailjet web page. Your new DNS records can take some time to propagate on the Internet, depending on your DNS hosting service. If SPF and DKIM records are set up correctly and propagation is complete, mailjet would tell you that SPF and DKIM record are good.

mailjet spf dkim

Sending Test Email

Now we can send a test email with mailx command like below.

sudo apt install bsd-mailx

echo "this is a test email." | mailx -r from-address -s hello to-address

You can also send a test email from your webmail client or desktop mail client. It is also a good idea to test your email score at https://www.mail-tester.com. As you can see, I got a perfect score.

spam test result

Troubleshooting

If your email wasn’t delivered and you found the following message in the mail log (/var/log/mail.log),

Relay access denied (in reply to RCPT TO command))

then you might need to edit the /etc/postfix/sasl_passwd file and remove the port number after the hostname like below.

in-v3.mailjet.com    api-key:secret-key

Save and close the file. Then build the index file again.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now you can flush the email queue (attempt to deliver the previous emails).

sudo postqueue -f

Adding Additional Domains

If you set up a mail server on a new machine for a new domain name, and you want to set up SMTP relay for this new domain name, then follow the same steps:

  • Configure Postfix SMTP relay settings,
  • Validate the new domain name in Mailjet dashboard
  • Set up SPF and DKIM verifications

Wrapping Up

That’s it! I hope this tutorial helped you set up Postfix SMTP relay on Ubuntu to bypass port 25 or IP blacklists. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.

Rate this tutorial
[Total: 6 Average: 5]

44 Responses to “How to Set up Postfix SMTP Relay on Ubuntu with Mailjet

  • PhilMDev
    5 years ago

    I just wanted to comment on Digital Ocean. I used your wonderful (and very complete) tutorial on iRedMail on a DO droplet. I had no problems sending and receiving emails. And, in fact, it’s still running today.

    Thank you for continuing this great series!

    PhilMDev

    • Xiao Guo-An (Admin)
      5 years ago

      Well, I guess some people are just unlucky with DO. Good to know iRedMail works for you.

      • Carno Mercado
        4 years ago

        my sendinblue.com free account allows me to send 300 emails a day. I sent email via my own postfix, any email that bounces is sent via sendinblue smtp server. I set it up as a fallback_relay

        • Luciano Gonçalves
          3 years ago

          Boa tarde. Como você fez a configuração no Postfix usando fallback_relay e Sendinblue? Você poderia me passar as alterações no main.cf do Posfix? Desde já agradeço.

    • Xiao Guo-An (Admin)
      5 years ago

      Update: I created a droplet on DigitalOcean and finished iRedMail installation. I can not send email directly. Port 25 is blocked. DO refused to lift port restriction.

  • Philip Miller
    5 years ago

    iRedMail is a great program. But not for the faint of heart. It is not easy to install or maintain. But it allows you to have total control of your own private server. The only program that supports true POP3, SMTP. Every other server or ISP or service is subject to hacking and theft. Google is watching you.

    That latest version closes port 25. Why does that matter when you can program only port 465 and 587? All email should be secure to the extent that is possible.

    • Xiao Guo-An (Admin)
      5 years ago

      In my humble opinion, using iRedMail is a lot easier than manually setting up email server from scratch. It takes care of the heavy lifting so you don’t need to learn all the ins and outs of email server.

  • Philip Miller
    5 years ago

    There is no doubt that setting up a private email server is extremely complex. And that iRedMail is probably the best choice. But be under no illusion that it is easy. Some will say it is easy others such as myself have found it very successful. But only after multiple attempts. And updating is not an easy, straightforward task.

    There is nothing like a private email server, as you control everything. No one is stealing your mail. If carefully constructed his hack proof.

    • Xiao Guo-An (Admin)
      5 years ago

      Often times, someone says something is easy because he/she expects others to already know something. I guess I need to improve on explaining technologies.

  • JStargazer
    5 years ago

    I think running your own private email server is a great way of keeping your email more private. And iRedmain is great for that. But I have found one small problem when you are self-hosting (at home) and that is when your server goes down, or you have a power outage, or you lose your Internet connection (using ADSL).

    I have heard that you can host a small email server in the cloud (say on AWS for example) and when your self-hosted email server comes back on-line it will download any email sitting in your cloud server. The cloud server is acting like a temporary email holding server.
    How would you do this with iRedMail as your self-hosted email server?

    • Xiao Guo-An (Admin)
      5 years ago

      RFC 2821 says a sender SMTP server should retry a failed email delivery at least 4-5 days. After checking mail logs over a long period of time, I found many standard-compliant SMTP server did retry at least 4-5 days. So the chance of losing incoming email is super low.

      Of course you can set up a secondary email server to accept and queue the messages. I will look into this and create a new tutorial.

    • Xiao Guo-An (Admin)
      5 years ago
  • Hello,
    Thank you for your great tutorial,
    I have a question what if I want to rollback and want to not use relay,
    and use the normal or previous setting before doing relay.
    Many Thanks

    • Xiao Guo An (Admin)
      5 years ago

      Just open the /etc/postfix/main.cf file and remove what you added from this article. Then reload Postfix.

  • Boudewijn
    5 years ago

    Hi Linuxbabe,

    Thank you for your clear howto’s, I read some with interest over the months.

    Could you give me a pointer? I am not quite sure what I need to install/configure.

    The situation:
    * At home I run some servers. My ISP offers multiple fixed IPv4’s, besides a range of IPv6. No ports are blocked, so I can run a mailserver with no problem.
    * I configure homeservers (Yunohost) for the friends of my children. Their ISP’s often block port 25, so they can not have a fully functional mailserver.
    * Third party smarthosts could enable their mailserver, but I don’t like to force some (commercial) 3rd party on those families.

    I guess I can configure my own mailserver as relay/smarthost for their mailservers. In case of postfix, should I accomplish that via the ‘mynetworks = …’ configuration, and enter their domain names there? So that, if my domain is boudewijn.org, and their domain is linuxbabe.net, I would configure my postfix with ‘mynetworks=boudewijn.org,linuxbabe.net’ ?

    In that case, does the mailserver at boudewijn.org have the same role as mailjet in your tutorial? I probably have to tell my DNS the same as well, so that mail from linuxbabe.net being sent through boudewijn.org got DKIM signed?

    Thanks in advance, keep up the nice tutorials!

    Boudewijn

    • Xiao Guo An (Admin)
      5 years ago

      In your Postfix SMTP server, you can add the IP address or hostname of the friends of your children to the mynetworks parameter. Then on their mail server, add relayhost = mail.bouderwijn.org:25. Restart Postfix and your mail server will be able to relay emails.

      They should configure their SPF record to allow your mail server to send mail on their behalf. DKIM signing can be done on their mail server.

    • Xiao Guo An (Admin)
      5 years ago

      Never mind my previous answer. It’s for email relay via port 25.

      To relay email via port 587, you need to create a dedicated email account on your mail server. Then on the friends of your children’s mail server, add the relayhost parameter in Postifx like in this article. Replace

      in-v3.mailjet.com:587  api-key:secret-key

      with the hostname of your mail server and the username and password of the dedicated email account.

      They should configure their SPF record to allow your mail server to send mail on their behalf. If DKIM signing has already been set up on their mail server, you do not need to do anything about DKIM on your mail server.

      • Boudewijn
        5 years ago

        Hi Guo An,

        Sorry for not checking back earlier!

        Thank you for your detailed reply and clarification. I will let you know once it is running!

        Best regards,

        Boudewijn

  • Hi Xiao

    Great tutorial. I was just wondering is it possible to import emails from Microsoft Exchange 2003 Server into this setup?

    if so how would I go about it?

    Thanks
    Mark

    • Xiao Guoan (Admin)
      4 years ago

      I have never administrated Microsoft Exchange mail server.

  • Mårten Behm
    4 years ago

    I have a problem getting this to work. I think it might have something to do with my ddns provider dynu.com. Anyway, my /var/mail/mail.log says:

      status=deferred (SASL authentication failed; server in.mailjet.com[104.199.96.85] said: 535 5.7.8 Error: authentication failed: cmVhbG09IiIsbm9uY2U9IjFSNVZMVWRhTTVlL2JsNWJmdmhVeWc9PSIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=)
     

    Are there any clues to be extracted from that?
    Also, coming back to dynu.com, I can’t manage to set DomainKeys/DKIM correctly according to mailjet. It doesn’t accept my txt entry, although I did all that I could to enter it on one single line without returns anywhere.

    • Xiao Guoan (Admin)
      4 years ago

      SASL Authentication failure indicates your username or password is wrong. It has nothing to do with your DDNS provider.

      Maybe you need to wait DNS propagation so Mailjet can detect your DKIM record.

  • I followed this tutorial to the latter. However, I am not able to send a test email to the link you specified. There is no error I am getting on my end.

    Actually, I got this error at first

    postdrop: warning: unable to look up public/pickup: No such file or directory

    Fixed it using this

     mkfifo /var/spool/postfix/public/pickup 

    What could I have done wrong?

  • Hey Thanks for the tutorial. It’s really helpful. I am now able to send an email to other providers but I am not able to receive an email.

    • Xiao Guoan (Admin)
      4 years ago

      iRedMail and Modoboa by default enable greylisting, which will delay incoming email messages.

      • Nevermind. Don’t know what was the issue. Earlier I hosted it GCP but because of Port 25 blocking and relayhost. I decided to host it on vultr as you suggested. Now Everything is working fine. It will be great if you can write a blog on Netdata monitoring. Once again Thank you so much for this awesome blog.

        • Nirmal
          4 years ago

          Hello It’s already configured. I am able to access it with https://mail.my-domain.com/netdata.

    • Xiao Guoan (Admin)
      4 years ago

      Yes, iRedMail automatically installs netdata on your server.

  • According to mailjet their service is only for transactional and campaign relay only. You should make that very clear in your article. They will block you if you decide to use it for any other purpose.

  • Considering you are setting up to relay your entire mail server. The obvious

  • Marton Baksa
    4 years ago

    Hey!
    Love the article. How would I do this if I have multiple domains on the same iredmail install?
    Thank you,
    Marton

  • RS BARI
    4 years ago

    When I setup domain authentication,
    “We detected that your domain has an existing SPF record but it does not allow us yet.”

    I try to click Force Refresh:

    Your SPF record is missing.
    

    Need your help. Thank you

    • RS BARI
      4 years ago

      On this step:
      Step 3: Setting up Domain Authentication

  • Caleb Sturges
    4 years ago

    Before I set this relay up I was getting a 10/10 score on the spam test. I had to delete my old DKIM which I set up using one of your other posts for iRedMail Server and replace it in Cloudflare with mailjet._domainkey.americankulak.org to get mail jet working. But once I deleted my old DKIM the test started to return 6.9 out of ten saying for DKIM failed because “We were not able to retrieve your public key.” https://www.mail-tester.com/test-0lnmzrcrr

    • Xiao Guoan (Admin)
      4 years ago

      You don’t need to delete the old DKIM record. Add it back.

  • Donald Ferris
    3 years ago

    Thanks for this great tutorial!

    To me, the (SPF/DKIM) instructions on mailjet aren’t clear. Set up SPF says, “Add this record in your DNS zone:” — I’m not sure exactly what that means. I created a new TXT record, used mydomain.com (for Name) and copied/pasted the “IN TXT” value supplied into the Content field. I did the same for DKIM. Is that all I need to do? I did it a while ago and I keep clicking “Force Refresh” on the Mailjet page but it keeps showing errors so I’m guessing there’s more to it.

  • Jayant Chakraborty
    3 years ago

    Thank you for this tutorial
    Last bit of this puzzle now how we can use email client with this postfix server?

  • Thank you SO MUCH! I am still relatively new to the Linux scene (after dealing with Windows and then HPE NonStop) – and the tutorial was perfectly done! 🙂

    The mail setup and then the mail relay was especially helpful and easy to read/follow!

  • Thank you. Another great tutorial, works as described.

    However, mail-tester.com reports that SpamAssassin gives the email -0.249 HEADER_FROM_DIFFERENT_DOMAINS. I assume this is because the bounce address ending @bnc3.mailjet.com is different to the from address ending [email protected].

    Mail-tester.com still gives me an overall 9.9, but Gmail doesn’t appear to like this as any emails sent to Gmail accounts are not received despite mail.log showing they’ve been delivered.

    Is there any way to make the bounce address match the from email address the same?

    Many thanks, Steve.

  • William Lau
    3 years ago

    Thanks for your great tutorial. And I have a question, can I remove the list unsubscribe header from the email I send? The unsubscribe button appears in every email I send. And I found it is because of this header. But I think it only appears when I use relay smtp. How can or should I remove it? Thanks.

    • Xiao Guoan (Admin)
      3 years ago

      If the list-unsubscribe header is added by Mailjet, I don’t think you can remove it. As a matter of fact, I never remove this header from my newsletter.

  • I am getting “Relay access denied” when I try to route external connections through, is there a way to allow any network to relay through it. I know that could be a security issue but it is behind a firewall and I am not worried about it.
    Thanks!

  • Trey Roberts
    2 years ago

    This was 1000% better than the documentation on MailJet. Google has similar documentation for SendGrid but it’s subtly different than what you laid out here. Thanks a million!

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.

The maximum upload file size: 2 MB. You can upload: image. Links to YouTube, Facebook, Twitter and other services inserted in the comment text will be automatically embedded. Drop file here