How to Set Up SMTP Relay Between 2 Postfix SMTP Servers on Ubuntu

Previously we discussed setting up Postfix SMTP relay with Mailjet, which is useful when you have to use a commercial SMTP relay service. This tutorial shows you how to set up SMTP relay between 2 Postfix SMTP servers on Ubuntu.

Use Case Scenario

Let’s say there are two servers: server A and server B. You have set up a full-featured mail server on server A with Postfix as the SMTP server. You can use it to send emails directly to recipients, because port 25 isn’t blocked.

Later you use server B to set up a website, which needs to send notification emails to users. You can set up another mail server on server B, but it’s a waste of time and hardware resources. A more sensible solution is to install Postfix SMTP server on server B and configure it to send emails via server A, which can relay emails from server B to the final recipients. Server A has built up its IP reputation, so you don’t have to build IP reputation for server B.

If you run WordPress on your own Linux server, I recommend you follow this tutorial to set up Postfix SMTP relay. This way, you can get rid of SMTP plugins in WordPress. WordPress plugins slow down your site and they can be vulnerable, such as the recent vulnerability found in the Easy WP SMTP plugin, which allows unauthorized users to modify WordPress options and execute malicious code. My site has been compromised once because of a vulnerability in a WordPress plugin, so I get rid of as many plugins as I can when I can implement the same function with the underlying operating system.

Without further ado, let’s get started.

Installing Postfix SMTP Server on Server B

First, let’s install Postfix SMTP server on server B with the following command. If Postfix is already running on server B, then skip installing Postfix, but you still need to install the libsasl2-modules package.

sudo apt install postfix libsasl2-modules

When you see the following message, press Enter to choose the second option: Internet Site.

Next, set the system mail name. For example, I enter my domain name www.linuxbabe.com. Note that you should not enter your main domain name like linuxbabe.com, because that will make server B a destination for your main domain name, which means emails generated on server B for [email protected] will be delivered to server B itself instead of server A.

Once Postfix SMTP server is installed on server B, let’s configure SMTP relay.

Postfix SMTP Relay via port 587

Edit the Postfix main configuration file on server B.

sudo nano /etc/postfix/main.cf

Find the following line.

relayhost =

By default, its value is not set. You need to set the hostname of server A (your mail server) as the relay host like below.

relayhost = mail.linuxbabe.com:587

Then add the following lines to the end of this file to configure SASL authentication. We specify that the /etc/postfix/sasl_passwd file contains the username and password.

# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000

Save and close the file. Next, you should create a dedicated email account on your mail server, so server B can use this email account to log in via port 587. After that, create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace these values with the hostname of your own mail server, the email account and password. Notice that there’s a colon between the email account and password.

mail.linuxbabe.com:587  [email protected]:password

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, the sasl_passwd and sasl_passwd.db files can be read by any user on the server. Change the permissions to 600 so only root can read and write these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
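
To confirm the result of the steps above, the following shell functions check that a credential file is private and that the main.cf settings do not let SASL authentication run over an unencrypted session. This is an added example, not part of the original tutorial; the function names are hypothetical, and it reads a main.cf-style file directly (continuation lines are not handled) so it can be tried on a copy.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Postfix tooling.

# cred_file_is_private FILE [OWNER_UID]
# Succeeds only if FILE exists, belongs to OWNER_UID (default 0, root)
# and grants nothing to group or others (e.g. mode 600).
cred_file_is_private() {
    file=$1
    owner=${2:-0}
    [ -f "$file" ] || return 1
    set -- $(stat -c '%a %u' "$file")   # GNU stat, as shipped on Ubuntu
    [ "$2" = "$owner" ] || return 1
    case $1 in
        *00|0) return 0 ;;
        *)     return 1 ;;
    esac
}

# maincf_value FILE NAME
# Prints the value assigned to NAME in a main.cf-style file. The last
# assignment wins, as in Postfix. On a live server,
# "postconf -h NAME" reports the effective value instead.
maincf_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            found = v
        }
        END { print found }' "$1"
}

# sasl_requires_tls FILE
# Fails when SASL auth is enabled but the TLS level still permits a
# cleartext session ("may", "dane", "none" or unset), because the
# relay password could then cross the network unencrypted.
sasl_requires_tls() {
    [ "$(maincf_value "$1" smtp_sasl_auth_enable)" = yes ] || return 0
    case "$(maincf_value "$1" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) return 0 ;;
        *) return 1 ;;
    esac
}
```

With the settings shown earlier (smtp_tls_security_level = may), sasl_requires_tls fails; it passes once the level is raised to encrypt, which requires that server A offers STARTTLS on port 587. Because postmap gives a new .db file the same group and other read permissions as its source file, running chmod on sasl_passwd before postmap avoids a window in which either file is world-readable.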

From now on, websites on server B can use Postfix to send emails, which will be relayed through your mail server. Note that many web applications provide two email-sending modes:

  • SMTP
  • Sendmail

SMTP usually refers to the SMTP relay function in the web application itself, and sendmail refers to using the SMTP server on the underlying operating system. You need to choose the sendmail option in order to use Postfix SMTP relay. If you installed an SMTP plugin on your WordPress site, remove the SMTP plugin and WordPress will use Postfix SMTP relay.

If You Have iRedMail on Server A

If you used iRedMail to set up the mail server on server A, then the iRedAPD policy daemon will likely reject email relayed from server B, because the sender is not the same as the SMTP authentication username. To solve this problem, we need to add the SMTP authentication username to the allowed list.

Edit the iRedAPD configuration file.

sudo nano /opt/iredapd/settings.py

Add the following line at the end of the file. Replace the email address as necessary.

ALLOWED_LOGIN_MISMATCH_SENDERS = ['[email protected]']

Save and close the file. Then restart iRedAPD for the change to take effect.

sudo systemctl restart iredapd

Preventing Spammers on Server B

By default, Postfix SMTP server listens on all active interfaces on the machine. Since the Postfix SMTP server on server B is only used for sending transactional emails to users, we can make it listen on localhost only, so bad actors can’t send spam to it.

Edit the Postfix main configuration file on server B.

sudo nano /etc/postfix/main.cf

Find the following line.

inet_interfaces = all

Change it to:

inet_interfaces = loopback-only

Save and close the file. Restart Postfix for the change to take effect.

sudo systemctl restart postfix

Setting the From Address, From Name and Return-Path

By default, the From address and From name are the same as the email account that is used to authenticate login, and the return-path will be something like [email protected]. You can set custom From address, From name and Return-Path in your web application.

Let’s use WordPress as an example. You can add the following lines to your WordPress theme’s functions.php file to override the default From address, From name and Return-Path. Replace the email address and sender name as necessary. You should create the From email address on your mail server to prevent sending failures.

// Function to change From email address
function wpb_sender_email( $original_email_address ) {
    return '[email protected]';
}

// Function to change sender name
function wpb_sender_name( $original_email_from ) {
    return 'LinuxBabe';
}

// Set return-path the same as From address
function fix_my_email_return_path( $phpmailer ) {
    $phpmailer->Sender = $phpmailer->From;
}

// Hooking up our functions to WordPress filters
add_filter( 'wp_mail_from', 'wpb_sender_email' );
add_filter( 'wp_mail_from_name', 'wpb_sender_name' );
add_action( 'phpmailer_init', 'fix_my_email_return_path' );

Save the file and you are done.

Checking Email Sender Score

Now you should go to https://www.mail-tester.com and send an email from the website on server B to the mail tester address. Check your sender score and see if SPF, DKIM and DMARC would pass. As you can see, I got a perfect score.

If There Are Multiple Websites on Server B

If you have multiple websites running on server B, then you need to use a different relay host for each domain name. Edit the Postfix main configuration file on server B.

sudo nano /etc/postfix/main.cf

Add the following line in the file, which tells Postfix that we want to use different relayhosts for each sender domain.

sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender

Then create the file.

sudo nano /etc/postfix/relay_by_sender

Add parameters like below. The left-hand side lists the sender domains. The right-hand side gives the hostname and port number of the mail server for each domain.

@domain1.com    mail.domain1.com:587
@domain2.com    mail.domain2.com:587

Save and close the file. Then edit the SASL authentication file.

sudo nano /etc/postfix/sasl_passwd

Add login credentials like below.

mail.domain1.com         [email protected]:password
mail.domain2.com         [email protected]:password

Save and close the file. Then create the hash db file.

sudo postmap /etc/postfix/relay_by_sender

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix SMTP server for the changes to take effect.

sudo systemctl restart postfix

From here on out, emails with domain1.com in the Envelope From address will be relayed via mail.domain1.com and emails with domain2.com in the Envelope From address will be relayed via mail.domain2.com. Emails with other domain names in the Envelope From address will be relayed via the host specified by the relayhost parameter.

mail.domain1.com and mail.domain2.com can point to the same IP address, which means the two domain names are using the same mail server. You can check one of the following tutorials to host multiple domains on a single mail server.

You can also host emails on different servers for the two domain names. If you have multiple WordPress sites on server B, you should also change each functions.php file in your WordPress themes to set custom From address and names for each domain name.

Removing Sensitive Information from Email Headers

By default, Postfix SMTP server will add a Received: email header, recording the IP address of server B, which can leak the IP address of your website (if it’s behind a CDN). You can tell Postfix to ignore it. Create a header check file on server A.

sudo nano /etc/postfix/header_checks

Put the following lines into the file.

/^Received:/            IGNORE

Save and close the file. Then edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following two lines at the end of the file.

header_checks = regexp:/etc/postfix/header_checks

Save and close the file. Then run the following command to rebuild hash table.

sudo postmap /etc/postfix/header_checks

Reload Postfix for the change to take effect.

sudo systemctl reload postfix

Now Postfix won’t include that sensitive information in email headers. Note that some folks may also like removing the MIME-Version header. I don’t recommend it, because this will cause DKIM verification failure.
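
The /^Received:/ rule above matches the Received: header of every message that server A processes, including mail arriving from other senders, not only the notifications from server B. The following added example (not part of the original tutorial) compares that rule with a narrower pattern over two constructed header samples; the hostnames, IP addresses and queue IDs are made up, and the narrow pattern assumes server B identifies itself as www.example.com.

```shell
#!/bin/sh
# Added example; hostnames, addresses and queue IDs are constructed.

# Join folded continuation lines so each header is one logical line,
# approximating the unit that header_checks patterns are applied to.
unfold_headers() {
    awk '/^[ \t]/ { sub(/^[ \t]+/, " "); buf = buf $0; next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }'
}

# ignored_count PATTERN: number of headers on stdin that an IGNORE
# rule with PATTERN would drop (regexp tables ignore case by default).
ignored_count() {
    unfold_headers | grep -Eic -- "$1" || true
}

# Notification mail submitted by server B (www.example.com).
sample_outbound() {
    cat <<'EOF'
Received: from www.example.com (unknown [203.0.113.10])
    by mail.example.com (Postfix) with ESMTPSA id 4AAA111
From: noreply@example.com
Subject: Password reset
EOF
}

# Mail arriving at server A from an unrelated external sender.
sample_inbound() {
    cat <<'EOF'
Received: from mx.sender.example (mx.sender.example [198.51.100.7])
    by mail.example.com (Postfix) with ESMTPS id 4BBB222
From: alice@sender.example
Subject: Hello
EOF
}

BROAD='^Received:'                           # the rule from this page
NARROW='^Received: from www\.example\.com '  # assumed HELO name of server B

for p in "$BROAD" "$NARROW"; do
    printf '%s outbound=%s inbound=%s\n' "$p" \
        "$(sample_outbound | ignored_count "$p")" \
        "$(sample_inbound | ignored_count "$p")"
done
```

The broad rule drops one header from each sample, while the narrow one drops only the hop that records server B, leaving the trace headers on inbound mail intact for troubleshooting. On server A, postmap -q "Received: from ..." regexp:/etc/postfix/header_checks shows which action the live table returns for a given header.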

Conclusion

I hope this tutorial helped you set up SMTP relay between 2 Postfix SMTP servers. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
