Postfix
Chapter 78: Postfix Mail Server
Comprehensive Postfix Configuration
Why This Matters in DevOps/SRE
Email infrastructure is critical for business communication and transactional emails. As a DevOps/SRE, you’ll configure Postfix for sending emails, set up relay hosts, manage spam filtering, implement DKIM/DMARC, and troubleshoot email delivery issues. Email is one of the hardest services to get right.
POSTFIX IN DEVOPS OPERATIONS

Email delivery flow:
    App → Postfix → Relay (AWS SES/SendGrid) → Internet → Recipient

DevOps tasks:
- Transactional emails: password resets, order confirmations
- Email relay: Forward through SES, SendGrid, Mailgun
- SPF/DKIM/DMARC: Authenticate emails
- Monitoring: Queue depth, delivery rates, bounce rates

Common issues:
- Emails going to spam
- Blacklisting
- SPF/DKIM failures
- Queue buildup

Real-world DevOps scenarios:
- AWS SES relay: Forward all mail through SES for deliverability
- Transactional email: Sending password resets from application
- Email authentication: SPF, DKIM, DMARC setup for domain
- Monitoring: Alerting on queue buildup
78.1 Postfix Architecture
Postfix Components

Postfix is modular:

    smtpd      SMTP server daemon
    smtp       SMTP client
    local      Local delivery agent
    virtual    Virtual alias delivery
    bounce     Delivery status notifications
    cleanup    Message canonicalization
    qmgr       Queue manager
    pickup     Mail pickup from queue
    tlsmgr     TLS management
    anvil      Connection tracking
    spawn      Spawn external commands

Mail flow:

    Internet → smtpd → cleanup → qmgr → local/smtp

78.2 Installation

# Install
sudo apt install postfix postfix-ldap postfix-pcre   # Debian/Ubuntu
sudo yum install postfix                             # RHEL/CentOS
sudo pacman -S postfix                               # Arch

# Start service
sudo systemctl enable --now postfix

78.3 Configuration
main.cf

# Identity
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost, localhost.$mydomain, $mydomain

# Network
inet_interfaces = all
inet_protocols = ipv4
mynetworks = 127.0.0.0/8, 10.0.0.0/8
# mynetworks_style is ignored when mynetworks is set explicitly
mynetworks_style = subnet

# Mailbox
home_mailbox = Maildir/
mailbox_command =

# Security
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_recipient_restrictions = permit_sasl_authenticated, reject

# TLS (the snakeoil pair is self-signed; use a CA-issued certificate in production)
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_security_level = may

# Outbound TLS
smtp_tls_security_level = may

# Size limits (main.cf does not support comments after a value, so notes go on their own lines)
# 50MB
message_size_limit = 52428800
# 1GB
mailbox_size_limit = 1073741824

# Logging
maillog_file = /var/log/postfix.log

# Virtual domains
virtual_alias_domains = hash:/etc/postfix/virtual
virtual_alias_maps = hash:/etc/postfix/virtual

master.cf

# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes

pickup    unix  n       -       y       60      1       pickup
cleanup   unix  n       -       y       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       y       1000?   1       tlsmgr
rewrite   unix  -       -       y       -       -       trivial-rewrite
bounce    unix  -       -       y       -       0       bounce
defer     unix  -       -       y       -       0       bounce
trace     unix  -       -       y       -       0       bounce
verify    unix  -       -       y       -       1       verify
flush     unix  n       -       y       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       y       -       -       smtp
relay     unix  -       -       y       -       -       smtp
showq     unix  n       -       y       -       -       showq
error     unix  -       -       y       -       -       error
retry     unix  -       -       y       -       -       error
discard   unix  -       -       y       -       -       discard
lmtp      unix  -       -       y       -       -       lmtp
anvil     unix  -       -       y       -       1       anvil
scache    unix  -       -       y       -       1       scache
postlog   unix-dgram n  -       n       -       1       postlogd

78.4 Virtual Domains

# virtual alias domains must be listed in main.cf as virtual_alias_domains

# Format: address or @domain    target
user@example.com    actualuser
@example.com        catchall@example.com

# Generate database
sudo postmap /etc/postfix/virtual
sudo postfix reload

78.5 Management Commands

# Test configuration
sudo postfix check

# Start/Stop/Reload
sudo systemctl start postfix
sudo systemctl stop postfix
sudo systemctl reload postfix
sudo postfix reload

# Queue management
mailq                 # List queue
postqueue -p          # Same as mailq
postsuper -d ALL      # Delete all mail
postsuper -d <ID>     # Delete specific
postsuper -r ALL      # Requeue all
postsuper -r <ID>     # Requeue specific

# Flush queue
postfix flush

# View mail log
tail -f /var/log/mail.log
tail -f /var/log/postfix/postfix.log

78.6 Interview Questions
Basic Questions
- What is Postfix?
  - Mail transfer agent (MTA)
- What are the main components?
  - smtpd, smtp, local, qmgr
- What is the difference between smtpd and smtp?
  - smtpd: server, smtp: client
- How do you check mail queue?
  - mailq or postqueue -p
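
Building on the queue commands in 78.5, the following added example (not part of the original chapter) turns `postqueue -p` output into per-state counts and a threshold check for a monitoring system. The function names, the threshold argument and the sample queue listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `postqueue -p` output (not from a real server).
sample_queue() {
    cat <<'EOF'
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Mon Jan  6 10:00:01  app@example.com
                                         user1@example.net

F6A7B8C9D0     2345 Mon Jan  6 10:01:02  app@example.com
(connect to mx.example.net[192.0.2.10]:25: Connection timed out)
                                         user2@example.net

0A1B2C3D4E!    3456 Mon Jan  6 10:02:03  app@example.com
                                         user3@example.net

-- 6 Kbytes in 3 Requests.
EOF
}

# queue_stats: read `postqueue -p` output on stdin and count entries.
# An entry line starts with a queue ID, optionally followed by a status
# character: "*" = active queue, "!" = hold queue. Anything else
# (including "#", forced expiry) is counted as waiting.
queue_stats() {
    awk '
        /^[0-9A-Za-z]+[*!#]? +[0-9]+ / {
            total++
            if ($1 ~ /\*$/) active++
            else if ($1 ~ /!$/) hold++
            else waiting++
        }
        END { printf "total=%d active=%d hold=%d waiting=%d\n",
                     total, active, hold, waiting }'
}

# check_queue THRESHOLD: return 0 when the queue holds at most THRESHOLD
# messages, 2 (the usual "critical" status for monitoring plugins) otherwise.
check_queue() {
    threshold=$1
    stats=$(queue_stats)
    total=${stats#total=}; total=${total%% *}
    if [ "$total" -gt "$threshold" ]; then
        echo "CRITICAL: $stats (threshold $threshold)"
        return 2
    fi
    echo "OK: $stats"
}

sample_queue | check_queue 100
```

On a live host the input comes from the real command: `postqueue -p | check_queue 100`.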
Common Mistakes & Anti-Patterns
1. Not Using Relay Host
❌ WRONG: Direct delivery to internet

# Sending directly
mydestination = $myhostname, localhost.$mydomain, localhost
# Emails might be rejected!

✅ CORRECT: Use relay host

# Use SES or email service
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
smtp_sasl_auth_enable = yes
# Credentials for the relay; example path, keep it mode 600 and build it with postmap
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = no

2. Not Configuring SPF/DKIM
❌ WRONG: Emails go to spam

# No authentication
# SPF not configured
# DKIM not signed
# Emails marked as spam!

✅ CORRECT: Configure email authentication

# SPF: Add TXT record
v=spf1 include:_spf.aws.amazon.com ~all

# DKIM: Sign emails with DKIM selector
# (configure in relay service or OpenDKIM)

3. Open Relay
❌ WRONG: Server used for spam

# DON'T do this!
mynetworks = 0.0.0.0/0
# Anyone can relay!

✅ CORRECT: Restrict relay

# Only allow local/subnet
mynetworks = 127.0.0.0/8 10.0.0.0/8

# Or use authentication
smtpd_sasl_auth_enable = yes
smtpd_sasl_tls_security_options = noanonymous

4. Not Monitoring Queue
❌ WRONG: Queue buildup unnoticed

# Not checking queue
# Messages pile up
# Users complain about not receiving email

✅ CORRECT: Monitor queue

# Add to monitoring: count queue-ID lines (prints 0 when the queue is empty)
postqueue -p | grep -c '^[0-9A-F]'
# Alert if > 100 messages

5. Wrong Permissions
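❌ WRONG: Security issues

# Wrong permissions
chmod 777 /var/spool/postfix
# Security vulnerability!

✅ CORRECT: Proper permissions

# The queue directory is owned by root, and its subdirectories have their own
# owners and modes (maildrop and public use the postdrop group), so a blanket
# chown/chmod breaks mail submission. Let Postfix restore the expected values:
sudo postfix set-permissions
sudo postfix check

Summary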
Quick Reference

Commands:

    sudo postfix check     Test config
    sudo postfix reload    Reload config
    mailq                  View queue
    postsuper -d ALL       Clear queue

Main config:   /etc/postfix/main.cf
Daemon config: /etc/postfix/master.cf
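
Common Mistakes 1 and 3 above can be checked mechanically. The following is an added example, not part of the original chapter: a shell function that audits `postconf -n` output for a /0 entry in mynetworks, a relayhost without mandatory TLS or a password map, and SASL on smtpd without smtpd_tls_auth_only. The function name, the finding labels and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Constructed `postconf -n` output ("name = value"); not from a real host.
sample_conf() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8, 0.0.0.0/0
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
EOF
}

# audit_postconf: read `postconf -n` output on stdin, print one finding per
# line, and return 1 if anything was flagged (0 if the settings pass).
audit_postconf() {
    awk '
    {   # split on the first "=" only, then trim both sides
        i = index($0, "="); if (i == 0) next
        name = substr($0, 1, i - 1); val = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[name] = val
    }
    END {
        # Mistake 3: a /0 entry in mynetworks trusts every client to relay
        n = split(conf["mynetworks"], nets, /[ ,]+/)
        for (k = 1; k <= n; k++)
            if (nets[k] ~ /\/0$/) { print "OPEN_RELAY mynetworks trusts " nets[k]; bad = 1 }
        if (conf["relayhost"] != "") {
            # Mistake 1: relay credentials need mandatory TLS and a password map
            if (conf["smtp_tls_security_level"] !~ /^(encrypt|dane-only|fingerprint|verify|secure)$/) {
                print "RELAY_TLS smtp_tls_security_level does not enforce TLS"; bad = 1 }
            if (conf["smtp_sasl_auth_enable"] == "yes" && conf["smtp_sasl_password_maps"] == "") {
                print "RELAY_AUTH smtp_sasl_password_maps is not set"; bad = 1 }
        }
        # SASL on smtpd without smtpd_tls_auth_only offers AUTH before STARTTLS
        if (conf["smtpd_sasl_auth_enable"] == "yes" && conf["smtpd_tls_auth_only"] != "yes") {
            print "PLAINTEXT_AUTH smtpd_tls_auth_only is not yes"; bad = 1 }
        exit bad + 0
    }'
}

sample_conf | audit_postconf || echo "settings above need fixing"
```

On a live host, run it as `postconf -n | audit_postconf` after every change to main.cf; the non-zero exit status makes it usable as a deployment gate.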