Raspberry Pi Email Server Part 1: Postfix

This is the first part of a five part tutorial that will show you how to install a full featured email server on your Raspberry Pi. This tutorial covers Postfix, the Mail Transfer Agent.

The parts are:
The Introduction & Contents Page (read first)
Raspberry Pi Email Server Part 1: Postfix
Raspberry Pi Email Server Part 2: Dovecot
Raspberry Pi Email Server Part 3: Squirrelmail
Raspberry Pi Email Server Part 4: Spam Detection with Spamassassin
Raspberry Pi Email Server Part 5: Spam Sorting with LMTP & Sieve

Installing Postfix

Note: While you are setting up the mail server on the Pi, it’s a good idea to turn off port forwarding rules for email to the Pi in your router’s firewall. If you don’t have any port forwarding rules now, that’s great, don’t worry – I’ll prompt you to set them up later.

First, log into your Pi with an SSH session and install postfix:

sudo apt-get update
sudo apt-get install postfix

You will see a menu with some choices. Select “Internet Site” and then set the mail name to your domain name, not including www. (e.g. samhobbs.co.uk).

The setup script will then do some automatic configuration for you. The output will look something like this:

Selecting previously unselected package postfix.                                              
(Reading database ... 67653 files and directories currently installed.)                       
Unpacking postfix (from .../postfix_2.9.6-2_armhf.deb) ...                                    
Processing triggers for man-db ...
Setting up postfix (2.9.6-2) ...
Adding group `postfix' (GID XXX) ...
Done.
Adding system user `postfix' (UID XXX) ...
Adding new user `postfix' (UID XXX) with group `postfix' ...
Not creating home directory `/var/spool/postfix'.
Creating /etc/postfix/dynamicmaps.cf
Adding tcp map entry to /etc/postfix/dynamicmaps.cf
Adding sqlite map entry to /etc/postfix/dynamicmaps.cf
Adding group `postdrop' (GID XXX) ...
Done.
setting myhostname: samhobbs
setting alias maps
setting alias database
changing /etc/mailname to samhobbs.co.uk
setting myorigin
setting destinations: samhobbs.co.uk, samhobbs, localhost.localdomain, localhost
setting relayhost: 
setting mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
setting mailbox_size_limit: 0
setting recipient_delimiter: +
setting inet_interfaces: all
/etc/aliases does not exist, creating it.
WARNING: /etc/aliases exists, but does not have a root alias.

You can edit all of this later.

You may also get some warnings like this:

postmulti: warning: inet_protocols: disabling IPv6 name/address support: Address family not supported by protocol

IPv6 is a new type of IP address that was introduced because we’re running out of the “old” IPv4 addresses. Not many ISPs support IPv6 yet, so you probably don’t need it. Unless you fix the warning, you’ll see it every time.

Change directory into the postfix configuration folder:

cd /etc/postfix/

Edit /etc/postfix/main.cf with your favourite command line text editor (e.g. sudo nano main.cf) and add inet_protocols = ipv4 to the end of the file.

Now is also a good time to check that your hostname is specified properly in /etc/postfix/main.cf. The setup script takes the hostname of the server and uses that, but it may not be in the right format, i.e. “samhobbs” instead of “samhobbs.co.uk”. Find the line that begins myhostname = and make sure it is your fully qualified domain name. This is important because your server will use this to talk to other mail servers, and some will reject your emails if you don’t use a fully qualified domain name to say hi! This is covered in more detail in the helo access restrictions later.

Restart postfix and you shouldn’t see the warnings any more:

sudo service postfix restart

Testing and Configuration

Before you start, it’s probably worth backing up the configuration files in their current state. This way, you’ll have something to compare to if you’re ever trying to work out which bits were defaults and which bits you changed yourself:

cd /etc/postfix
sudo cp main.cf main.cf.BAK
sudo cp master.cf master.cf.BAK

Mailbox Setup

There are a couple of different types of mailbox you can use; I’ve chosen to use a “Maildir” rather than “mbox” configuration. For users with “real” UNIX accounts on the system (like the one you’re using to log in), Maildir creates a folder in the user’s home directory and places emails inside it, one file for each email.

I prefer this to the alternatives, because it’s easier to see and understand: you can rummage around in your home folder and see all your emails as individual files.

To tell Postfix to use the Maildir format, add the following lines to /etc/postfix/main.cf:

home_mailbox = Maildir/
mailbox_command =

If there's already a line with mailbox_command, comment it out by adding a # at the start of the line.

We also need to create the mail directory and its subfolders for existing users, and add some things to /etc/skel (the template for new users) so that if you create a new account this will be done automatically.

These commands are part of Dovecot, so first we need to install it:

sudo apt-get update
sudo apt-get install dovecot-common dovecot-imapd

You will get a lot of output: some other dovecot packages will automatically be installed and the config files will be created. You will also see some errors – don’t worry about those for now, I’ll explain how to deal with them in part 2, later.

Now we can create those mail folders. Run the following commands to create the template files:

sudo maildirmake.dovecot /etc/skel/Maildir
sudo maildirmake.dovecot /etc/skel/Maildir/.Drafts
sudo maildirmake.dovecot /etc/skel/Maildir/.Sent
sudo maildirmake.dovecot /etc/skel/Maildir/.Spam
sudo maildirmake.dovecot /etc/skel/Maildir/.Trash
sudo maildirmake.dovecot /etc/skel/Maildir/.Templates

Next, copy the files over to existing users’ home directories, and change the ownership and permissions for privacy (replace USER with the username you are doing this for, and repeat for all existing usernames):

sudo cp -r /etc/skel/Maildir /home/USER/
sudo chown -R USER:USER /home/USER/Maildir
sudo chmod -R 700 /home/USER/Maildir

Initial Testing

Now, the best way to test Postfix during configuration is to use Telnet, because it is such a simple way of communicating between programs and there’s less to go wrong and get confused about.

First, install telnet:

sudo apt-get install telnet

Now, still inside the SSH session to your pi, type this command. It will connect you to port 25 on the Pi:

telnet localhost 25

You can now test sending an email using SMTP. Here are the steps:

  1. send an ehlo command to tell the server who you are, and it will tell you its capabilities
  2. use the mail from command to say who the email is from. If you are sending it from an address that exists on the server, you needn’t include the domain name (i.e. user instead of user@yourdomain.com)
  3. use the rcpt to command to tell the server where to send the email
  4. Use the data command to tell the server that you’re about to start giving it the message you want to send
  5. Type Subject: YOUR SUBJECT then enter to set a subject
  6. Type the body of your email. Once you’re done, press ENTER, then ., then ENTER again.
  7. Type quit to exit

Here’s an example:

telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo foobar
250-samhobbs.co.uk
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: me        
250 2.1.0 Ok
rcpt to: me@outsideemail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test
This is a test email
.
250 2.0.0 Ok: queued as A639C3EE6D
quit 
221 2.0.0 Bye

Some Access Restrictions

Add the following to /etc/postfix/main.cf to restrict who can send emails to external mail servers:

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination

Reload postfix:

sudo service postfix reload

In the smtpd_recipient_restrictions block above:

  • Line 1 begins the list of restrictions.
  • Line 2 permits users who have authenticated with Simple Authentication and Security Layer (SASL) to send email to any destination (this is part of the Dovecot config in Part 2, later).
  • Line 3 will let users send emails to any destination if they have connected from an IP address defined in mynetworks.
  • Line 4 will reject the email if none of the above conditions have been met unless the “rcpt to” address is one of the addresses that your server is accepting email to (as defined in main.cf with the mydestination parameter).

In its present state, the email server will allow you to send external emails because the connection is originating from the Pi itself (you are logged in via SSH) and not an unknown computer. Addresses of “trusted” computers are listed under the mynetworks setting in main.cf, e.g.

mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

Try sending an external email again, using telnet as before. You should be able to do so without any issues.

Now we want to see what kind of response someone would get if they were connecting from outside of the IP range defined in mynetworks, to make sure the Pi won’t allow everyone to send outgoing emails from your server. To simulate this we can comment out permit_mynetworks under smtpd_recipient_restrictions:

smtpd_recipient_restrictions =
        permit_sasl_authenticated,
#       permit_mynetworks,
        reject_unauth_destination

Now reload the postfix configuration:

sudo service postfix reload

This will let you see what kind of response you would get if you weren’t sending the email from mynetworks. Try sending again, and you should receive an error “554: Relay access denied”:

admin@samhobbs /etc/postfix $ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 samhobbs.co.uk ESMTP Postfix (Debian/GNU)
ehlo samhobbs.co.uk
250-samhobbs
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: USER
250 2.1.0 Ok
rcpt to: me@externalemail.com
554 5.7.1 <me@externalemail.com>: Relay access denied
quit
221 2.0.0 Bye
Connection closed by foreign host.

Perfect. Leave permit_mynetworks commented out in your smtpd_recipient_restrictions (you'll see why in part 2).
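
To make the first-match-wins behaviour of smtpd_recipient_restrictions concrete, here is an added example (not part of the original tutorial and not Postfix's own code) that parses main.cf-style text and walks the list for one RCPT TO. It models only the three restrictions used above; example.org, example.net and the 203.0.113.9 client are placeholder assumptions.

```python
import ipaddress

# Only the three restrictions used in this tutorial are modelled; real Postfix
# knows many more, so "not recognised" here means "not handled by this sketch".
KNOWN = {"permit_sasl_authenticated", "permit_mynetworks", "reject_unauth_destination"}

# Constructed sample settings; example.org stands in for your own domain.
BASE = """\
mydestination = example.org, localhost.localdomain, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
"""
WITH_MYNETWORKS = BASE + """\
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        permit_mynetworks,
        reject_unauth_destination
"""
WITHOUT_MYNETWORKS = BASE + """\
smtpd_recipient_restrictions =
        permit_sasl_authenticated,
#       permit_mynetworks,
        reject_unauth_destination
"""


def parse_main_cf(text):
    """Return {parameter: value}; indented lines continue the previous one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped, even inside a list
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation before any parameter: %r" % raw)
            params[current] += " " + raw.strip()
        else:
            name, sep, value = raw.partition("=")
            if not sep:
                raise ValueError("missing '=': %r" % raw)
            current = name.strip()
            params[current] = value.strip()
    return params


def split_list(value):
    """List values are separated by commas and/or whitespace."""
    return value.replace(",", " ").split()


def in_mynetworks(client_ip, mynetworks):
    ip = ipaddress.ip_address(client_ip)
    for entry in split_list(mynetworks):
        # Postfix writes IPv6 networks as [addr]/len; drop the brackets.
        net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
        if ip in net:
            return True
    return False


def rcpt_decision(params, client_ip, rcpt, sasl_authenticated=False):
    """Walk the list in order; the first restriction that decides wins."""
    _, at, domain = rcpt.rpartition("@")
    local = {d.lower() for d in split_list(params.get("mydestination", ""))}
    # Simplification: only mydestination counts as "ours" (no relay_domains
    # or virtual domains), and an address without a domain is treated as local.
    is_ours = (not at) or domain.lower() in local
    for name in split_list(params.get("smtpd_recipient_restrictions", "")):
        if name not in KNOWN:
            raise ValueError("restriction not recognised (typo?): " + name)
        if name == "permit_sasl_authenticated" and sasl_authenticated:
            return 250, name
        if name == "permit_mynetworks" and in_mynetworks(client_ip, params.get("mynetworks", "")):
            return 250, name
        if name == "reject_unauth_destination" and not is_ours:
            return 554, "Relay access denied"
    return 250, "end of list"


if __name__ == "__main__":
    for label, text in (("with permit_mynetworks", WITH_MYNETWORKS),
                        ("without permit_mynetworks", WITHOUT_MYNETWORKS)):
        cfg = parse_main_cf(text)
        for client, rcpt, auth in (("127.0.0.1", "me@example.net", False),
                                   ("127.0.0.1", "me@example.net", True),
                                   ("203.0.113.9", "sam@example.org", False)):
            print(label, client, rcpt, "sasl" if auth else "no-sasl",
                  rcpt_decision(cfg, client, rcpt, auth))
```

With permit_mynetworks commented out, the localhost session is only allowed to reach external recipients once it has authenticated, which is the 554 response shown in the telnet session above.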

Helo access restrictions

Helo access restrictions can be a very useful way of blocking spam.

Note that we’re not talking about unauthorised people being able to send email outside your network any more (that’s taken care of with the smtpd_recipient_restrictions); we’re now talking about stopping spammers from sending incoming mail to your email address.

Spammers try to conceal their identity so that they don’t end up on block lists, so they rarely use helo hostnames that could identify them – these hostnames are written to the mail log files. As a result, they often make up a random string or use an IP address instead of a domain name.

Luckily, these are easily taken care of.

Add the following to /etc/postfix/main.cf:

smtpd_helo_required = yes
smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname

In this block:

  • Line 1 requires people and programs to identify themselves when they send email, using the helo or ehlo commands I mentioned earlier.
  • Line 2 starts the list of restrictions.
  • Line 3 accepts any old rubbish in the ehlo if it comes from an IP address defined in mynetworks. If the connection isn’t connecting from an IP address in mynetworks, then the helo hostname is checked against the rest of the list.
  • Line 4 accepts any helo hostname if the client is authenticated with SASL (I added this to the tutorial recently after troubleshooting problems some people had in the comments – it allows you to connect from any network and still send messages through your Pi. Mobiles will usually work without this because most providers pass mail through their own proxies, so your Pi receives a connection from the proxy – which has a valid hostname – and not from the mobile, which may be called something like “android-b627cfe2efea7e67”).
  • Line 5 rejects connection attempts when the HELO hostname syntax is invalid.
  • Line 6 rejects non-fully qualified domain names (for example, foobar instead of foobar.com). This will also block those random strings, e.g. “kjhrsbvks”.
  • Line 7 rejects the helo hostname if that domain doesn’t have a valid DNS A or MX record. For example, someone spamming you could make up a domain like theflyingspaghettimonster.com. If that domain doesn’t actually exist and have the right records, then your server won’t accept it as a hostname, and the email will be rejected.

If the helo hostname gets past line 7 and hasn’t been denied, it is accepted. You’d be surprised how much spam these helo access restrictions will block on their own (looking through my log files, I can see numerous spam scripts that have attempted to ehlo with my IP address), but there’s an extra step we can add in here to help:

Blocking people claiming to be your domain name

Many spammers try to send email to you after helo’ing with your own domain name. Since postfix doesn’t check whether or not they’re lying about their helo hostname, this will usually work.

But, since we’ve put permit_mynetworks at the top of the list, anyone actually sending an email from your domain will be accepted already. Anyone using your hostname who isn’t in mynetworks is an imposter.

So, add one more line to the end of the restrictions list:

smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        check_helo_access hash:/etc/postfix/helo_access

That last line checks a file for custom rules you’ve built in. Create the file:

sudo nano /etc/postfix/helo_access

Add the following lines, edited for your domain:

samhobbs.co.uk          REJECT          Get lost - you're lying about who you are
mail.samhobbs.co.uk      REJECT          Get lost - you're lying about who you are

Now tell postfix to map the file, and restart postfix:

sudo postmap /etc/postfix/helo_access
sudo service postfix restart

Now anyone who tries to ehlo with one of the hostnames you defined in that file gets rejected, and sees the “get lost” message. Your legitimate servers won’t have that problem, because they will already have been accepted higher up the list.

Neat, right? I found that little nugget of wisdom at unixwiz.net.
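
Once these rules are live, you can see how much they catch by tallying the rejections in /var/log/mail.log. The following is an added example, not from the original tutorial: it summarises “Helo command rejected” lines from log text, using sample lines constructed for illustration, with example.org standing in for your own domain.

```python
import ipaddress
import re
from collections import Counter

# Log lines constructed for this example, in the shape Postfix's smtpd uses
# for rejections. All hosts and addresses are placeholders, and example.org
# stands in for your own domain.
SAMPLE_LOG = """\
Nov 20 16:29:58 pi postfix/smtpd[2100]: connect from unknown[203.0.113.7]
Nov 20 16:30:01 pi postfix/smtpd[2100]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 504 5.5.2 <kjhrsbvks>: Helo command rejected: need fully-qualified hostname; from=<a@sender.example> to=<sam@example.org> proto=ESMTP helo=<kjhrsbvks>
Nov 20 16:31:12 pi postfix/smtpd[2100]: NOQUEUE: reject: RCPT from unknown[203.0.113.7]: 450 4.7.1 <no-such-host.example>: Helo command rejected: Host not found; from=<a@sender.example> to=<sam@example.org> proto=ESMTP helo=<no-such-host.example>
Nov 20 16:40:45 pi postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <example.org>: Helo command rejected: Get lost - you're lying about who you are; from=<b@sender.example> to=<sam@example.org> proto=ESMTP helo=<example.org>
Nov 20 16:52:09 pi postfix/smtpd[2111]: NOQUEUE: reject: RCPT from unknown[198.51.100.40]: 554 5.7.1 <mail.example.org>: Helo command rejected: Get lost - you're lying about who you are; from=<c@sender.example> to=<sam@example.org> proto=ESMTP helo=<mail.example.org>
Nov 20 17:03:30 pi postfix/smtpd[2115]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 501 5.5.2 <192.0.2.10>: Helo command rejected: Invalid name; from=<d@sender.example> to=<sam@example.org> proto=ESMTP helo=<192.0.2.10>
Nov 20 17:10:02 pi postfix/smtpd[2119]: NOQUEUE: reject: RCPT from unknown[198.51.100.23]: 554 5.7.1 <me@example.net>: Relay access denied; from=<b@sender.example> to=<me@example.net> proto=ESMTP helo=<mail.example.net>
"""

HELO_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: \w+ from [^\[\s]+\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<helo>[^>]*)>: Helo command rejected: (?P<reason>[^;]+);"
)


def helo_rejections(log_text):
    """Yield (client_ip, smtp_code, helo_name, reason) for each HELO rejection."""
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if m:
            yield m["ip"], int(m["code"]), m["helo"], m["reason"].strip()


def classify_helo(helo, own_names):
    """Sort a HELO name into the categories discussed in this section."""
    name = helo.strip("[]").rstrip(".").lower()
    if name.startswith("ipv6:"):  # address literal such as [IPv6:2001:db8::1]
        name = name[5:]
    if name in own_names:
        return "own-name"
    try:
        ipaddress.ip_address(name)
        return "ip-address"
    except ValueError:
        pass
    return "not-fqdn" if "." not in name else "other"


def summarise(log_text, own_names):
    """Return (Counter of HELO kinds, sorted client IPs that claimed our names)."""
    own = {n.lower() for n in own_names}
    kinds, impostors = Counter(), set()
    for ip, _code, helo, _reason in helo_rejections(log_text):
        kind = classify_helo(helo, own)
        kinds[kind] += 1
        if kind == "own-name":
            impostors.add(ip)
    return kinds, sorted(impostors)


if __name__ == "__main__":
    kinds, impostors = summarise(SAMPLE_LOG, {"example.org", "mail.example.org"})
    for kind, count in kinds.most_common():
        print(f"{count:3d}  {kind}")
    print("clients claiming our hostname:", ", ".join(impostors))
```

To run it against real data, pass the contents of /var/log/mail.log and your own hostnames (the ones listed in helo_access) to summarise().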

Moving on…

We’re almost done with Postfix now, although there are a few bits of configuration that we’ll want to do once we’ve set up SASL with Dovecot, which I’ve chosen to lump in with the Dovecot tutorial.

In Raspberry Pi Email Server Part 2: Dovecot, we’ll set up Dovecot to provide SASL authentication and IMAP capability.

Please leave a comment if you’re having trouble with anything in this tutorial, and I’ll try and help you out!

Comments

I tried to get back on to telnet but get

pi@MC_RPi3B_2:~ $ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
pi@MC_RPi3B_2:~ $

Thanks for the reply Sam,

I get this

pi@MC_RPi3B_2:~ $ sudo service postfix status
● postfix.service - LSB: Postfix Mail Transport Agent
Loaded: loaded (/etc/init.d/postfix)
Drop-In: /run/systemd/generator/postfix.service.d
└─50-postfix-$mail-transport-agent.conf
Active: active (exited) since Sun 2017-11-19 17:15:55 UTC; 15h ago
Process: 706 ExecStart=/etc/init.d/postfix start (code=exited, status=0/SUCCES S)

Nov 19 17:15:54 MC_RPi3B_2 systemd[1]: Starting LSB: Postfix Mail Transport.....
Nov 19 17:15:54 MC_RPi3B_2 postmulti[711]: fatal: /etc/postfix/main.cf, line..."
Nov 19 17:15:55 MC_RPi3B_2 postfix[706]: Starting Postfix Mail Transport Age....
Nov 19 17:15:55 MC_RPi3B_2 systemd[1]: Started LSB: Postfix Mail Transport ...t.
Hint: Some lines were ellipsized, use -l to show in full.
pi@MC_RPi3B_2:~ $ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused
pi@MC_RPi3B_2:~ $

Yep, looks like you have a syntax error/typo in main.cf, if you look in /var/log/mail.log (or /var/log/mail.err) you should find a good hint for where to look - postfix is pretty good at giving useful error messages.

If you want to do it the systemd way, you can use this command:

sudo journalctl -u postfix

Sam

Sorry for the torrent of questions :)

I looked in the logs and nothing points to a failure, but I didn't receive the mails. Checked spam etc. So I tried a few things
Should myhostname=www.domain.com or myhostname=domain.com?

OK, I found this little bad boy in my mail.log
status=bounced (host eforward1.registrar-servers.com[162.255.118.61] said: 550 relay not permitted!
Do I need to set something up on my host?

Yeah - that works now, I think, as I get the same as in the example and all the commands work and items are appearing in the mail.log.

I have looked around and it seems Virgin Media don't block port 25 - read that it could be my host so changed the relay to VM smtp to see if that worked but still get the 550 error.

Are you hosting on a VPS?

I can't really help you with things that are specific to your VPS - every VPS provider's setup is a bit different and the guide was written for people hosting at home.

Sam

I may be explaining it wrong.

I have followed your guide to the point where I am testing Postfix. I have done this on my RPi Model 3B and am signed up and have my own domain name.

Doing some reading online I found that this 550 could have something to do with
-A loop in the return email /this is not the case
-ISP blocking port 25 /this does not seem to be the case from what I have read
-An IP range on a black list /can't confirm this but my IP is static.
-The domain host not allowing relays. /this is what I think my issue is.

So I was looking for a way around this.

When you said you thought the problem was that the domain host didn't allow relays, I assumed you meant your VPS provider was forcing you to use a relay and the outgoing email was failing because you didn't authenticate. If you are hosting at home, that is good because it's what I expected when I wrote the tutorial.

Let's say you are talking to my server and you want to send an email to a destination that is not in mydestinations (i.e. not a *.samhobbs.co.uk address), in this case you are asking my server to relay that email on to the server responsible for the destination address. If you are sending an email to a destination in mydestinations, that is not relaying. You normally have to authenticate when you are relaying, to prove that you have permission to send email to external accounts (to prevent spam).

I can't work out where your problem is, because you haven't said which test you are failing on - there are multiple tests at different stages of the tutorial, where the configuration is different in each step. Are you testing sending email to your own server, or to an external server? Please copy the full telnet session.

Sam

Thanks for the help with this - really appreciate it;

This is the test - it's under your heading "Initial Testing"

pi@MC_RPi3B_2:~ $ telnet localhost 25
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 www.madcarbon.tech ESMTP Postfix (Raspbian)
ehlo me
250-www.madcarbon.tech
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: me
250 2.1.0 Ok
rcpt to: dbarrett114@hotmail.co.uk
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: test
This is a test email
.
250 2.0.0 Ok: queued as F114D229D9
quit
221 2.0.0 Bye
Connection closed by foreign host.
pi@MC_RPi3B_2:~ $

main.cf
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = www.madcarbon.tech
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = MC_RPi3B_2, localhost.localdomain, localhost
relayhost = madcarbon.tech
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/
mailbox_command =

mail.log
Nov 20 16:27:58 MC_RPi3B_2 postfix/master[2026]: daemon started -- version 2.11.3, configuration /etc/postfix
Nov 20 16:28:03 MC_RPi3B_2 postfix/smtpd[2033]: connect from localhost[127.0.0.1]
Nov 20 16:28:24 MC_RPi3B_2 postfix/smtpd[2033]: AB13222B70: client=localhost[127.0.0.1]
Nov 20 16:28:40 MC_RPi3B_2 postfix/cleanup[2037]: AB13222B70: message-id=<20171120162824.AB13222B70@www.madcarbon.tech>
Nov 20 16:28:40 MC_RPi3B_2 postfix/qmgr[2031]: AB13222B70: from=, size=354, nrcpt=1 (queue active)
Nov 20 16:28:42 MC_RPi3B_2 postfix/smtpd[2033]: disconnect from localhost[127.0.0.1]
Nov 20 16:28:45 MC_RPi3B_2 postfix/smtp[2039]: 3006A22BB3: to=, relay=eforward2.registrar-servers.com[162.255.118.62]:25, delay=2.2, delays=0.010.01/0/1.4/0.74, dsn=5.0.0, status=bounced (host eforward2.registrar-servers.com[162.255.118.62] said: 550 relay not permitted! (in reply to RCPT TO command))
Nov 20 16:28:43 MC_RPi3B_2 postfix/cleanup[2037]: 3006A22BB3: message-id=<20171120162843.3006A22BB3@www.madcarbon.tech>
Nov 20 16:28:43 MC_RPi3B_2 postfix/bounce[2040]: AB13222B70: sender non-delivery notification: 3006A22BB3
Nov 20 16:28:43 MC_RPi3B_2 postfix/qmgr[2031]: 3006A22BB3: from=<>, size=2318, nrcpt=1 (queue active)
Nov 20 16:28:43 MC_RPi3B_2 postfix/qmgr[2031]: AB13222B70: removed
Nov 20 16:28:45 MC_RPi3B_2 postfix/smtp[2039]: 3006A22BB3: to=, relay=eforward2.registrar-servers.com[162.255.118.62]:25, delay=2.2, delays=30/0.02/1.4/0.75, dsn=5.0.0, status=bounced (host eforward2.registrar-servers.com[162.255.118.62] said: 550 relay not permitted! (in reply to RCPT TO command))
Nov 20 16:28:45 MC_RPi3B_2 postfix/qmgr[2031]: 3006A22BB3: removed

From your config:

relayhost = madcarbon.tech

What made you put that in there (it's not in the tutorial)? You are telling postfix that you want to relay all of your outgoing email through a 3rd party server. In this case, the server is rejecting your email. Looks like the server is namecheap's default mail server or something - probably because you don't have an MX record yet?

Also, you probably want:

myhostname = madcarbon.tech

Instead of www. - unless you are already running a web server that serves content on http://madcarbon.tech on a different IP address using this domain name, in which case I would recommend using mail.madcarbon.tech for your home server.

You should also have:

mydestination=madcarbon.tech

or your server won't know that it is the final destination for mails to your domain (*@madcarbon.tech).

There are quite a few odd things in your config - did you select different options in the postfix configuration wizard?

Sam

I made the change you said and I GOT MAIL :)

Thanks so much, I know I have been a pain. I thought I selected the same options that you had on the tutorial.

Time to carry on with the install.

Thanks again for putting up with me!

I have gone through everything for setup according to what is listed here and for dovecot but can't send or receive emails. I **can** send an email to myself from myself but nothing external. I have ports 25, 465, 143, and 993 forwarded in my router to my server.

**What I can do**

If I use the following:

telnet localhost 25
helo xxx.com (replacing xxx with my domain name)
mail from:eric@xxx.com
rcpt to:eric@xxx.com
data
Subject: Test
Test Body
.

Then if I use:

telnet localhost 143
a login eric password
b select inbox

It lists that I have emails, as it says 2 EXISTS, indicating it received an email. This is great but only from itself.

I can also login to telnet using telnet xx.xxx.xxx.xx 143 (using my external IP address which shows the ports are being forwarded no problem) or telnet xx.xxx.xxx.xx 25

**Problem**

If I try to either send to my gmail or yahoo email addresses using a similar method to above, it queues fine but never sends. Also if I send from either my yahoo or gmail ones, I never receive anything in the inbox.

Upon sending an email to my gmail address, when I look in

/var/log/mail.log

I see:

connect to alt1.gmail.smtp.in.l.google.com[74.125.192.26]:25: Connection timed out

and under

/var/log/mail.err

nothing is listed so no internal errors..

Upon sending an email from my gmail account to this webaccount, I never receive anything either. Am I missing something? I would think my telnet connections show that my port is being forwarded properly to allow me to connect at all.

As I am sure it has to do something with my main.cf file, here is what I have in it (changing my domain to xxx.com for this question):

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Raspbian)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
defer_unauth_destination
myhostname = xxx.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = xxx.com, raspberrypi, eric, localhost.localdomain,
localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
#inet_protocols = all
inet_protocols = ipv4
home_mailbox = Maildir/
mailbox_command =
smtpd_recipient_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destinaion

smtpd_helo_required = yes
smtpd_helo_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_unknown_helo_hostname,
check_helo_access hash:/etc/postfix/helo_access
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes

See if you can connect to my server...

telnet samhobbs.co.uk 25

If your ISP is blocking port 25 then the connection should time out.

Sam

Sorry for the delay of myself due to the holiday weekend.

It appears my ISP must be blocking then, as it does time out trying to telnet to your server. Are there any recommendations or will the email probably not work for sending to other providers since they will be looking on 25 as well? I mostly just want to use POP forwarding long term anyways, using gmail as my actual email interface with just my domain name as an address that forwards to it... Maybe this is still possible? Thank you by the way for all of your help and your quick responses!

If your ISP is blocking port 25 and you can't remove the block by asking them, or buying a static IP address, then you need to configure your server to relay all outgoing email through your ISP's email server. Every ISP's relay is slightly different - some require authentication and the port numbers aren't always the same. Since I've never had to do this it's not something I can help you with, sorry.

See if you can remove the ISP firewall restrictions by getting a static IP address.

Sam

That document is giving you settings for your ISP's email server, it's not relevant to your own server's connection settings unless you intend to use your ISP's mail server as a relay.

Sam

Also, can't I simply use a port other than 25 if I am only using my domain name to forward all my email to a gmail address anyways? Some have suggested to use port 26 instead.

Yes, that would be relaying through Gmail - I don't really understand why you would want to do that (isn't the point to avoid 3rd parties scraping your email for metadata?).

If you want to go down that road, I can't help you (as I said earlier, each relay's settings are different).

Sam

Hey Sam,

Great support in the comments, was a bit worried when I saw how old the article was but then I found updates for Stretch and saw you’re still answering comments so thought I’d reach out.

Essentially, I’m unable to send emails via telnet. I’ve SSH to my pi, from iPad, all of which is connected to iPhone hotspot.

Depending on what I RCPT TO I’m getting these types of errors:


Dec 8 19:45:12 sutton_cloud postfix/smtp[2904]: 46E7463CE1: to=, relay=hotmail-com.olc.protection.outlook.com[104.47.38.33]:25, delay=34, delays=31/0.04/3.1/0.72, dsn=5.7.1, status=bounced (host hotmail-com.olc.protection.outlook.com[104.47.38.33] said: 550 5.7.1 Service unavailable, Client host [92.40.249.191] blocked using Spamhaus. To request removal from this list see http://www.spamhaus.org/lookup.lasso (AS3130). [BL2NAM02FT027.eop-nam02.prod.protection.outlook.com] (in reply to MAIL FROM command))
Dec 8 19:45:12 sutton_cloud postfix/smtp[2904]: 46E7463CE1: lost connection with hotmail-com.olc.protection.outlook.com[104.47.38.33] while sending RCPT TO

I ignored my tests and followed the guide most the way through part 2 to see if any of anti-spam measures you describe helped, but still no luck.

I did notice that the Dovecot install will install Dovecot-core, not Dovecot-Common. Is this an issue? Or, is my hotspot IP to blame, and if so, what can I do about it?

Cheers,
Nick

Hi Nick,

I think your hotspot IP is the problem, people won't expect a legitimate mail server to be running on a mobile device so I'm not surprised it's blocked - ISPs sometimes label whole blocks of IP addresses as residential or similar, so that the various spam lists can block them. People with dynamic home IP addresses often have the same problem.

Sam

Hey Sam.

Spot on, I was working whilst away from home and now it’s behind a regular network it’s behaving much more as expected!

Your articles are great! I’ve followed the email one all the way through and got everything working with SPAM filtering as well. Also got the SSL cert sorted this morning too! Great work on the articles, they are really good.

One question: there seem to be a lot of user-specific instructions. Now I’ve got things up and running, what is the best way of adding new users? Specifically, adding a new email address to take account of the SPAM functionality?

How do I send you beer funds?

Cheers,
Nick

Good stuff :)

You can add new users in the same way as we added the testmail account, and the Maildir folders should all be set up using the template files in /etc/skel.

Come to think of it, you could add the sieve file to /etc/skel and then it would be there for every new user too - I hadn't thought of that.

Note that the new users are system users, so in theory creating a login for them gives them SSH access too. If you require publickey auth (password auth disabled) then they won't be able to SSH in though. Just something to think about.

Sam
