FastMailWiki

ConfiguringPostfix


Configuring Postfix as a relay

This section gives the Postfix configuration needed to relay email through Fastmail's servers. Postfix must know a Fastmail username and password, but it can then send mail to any destination (not only to domains hosted at Fastmail).

This mode is appropriate for personal installations, where Postfix-via-Fastmail replaces the classical use of an ISP's outgoing mail servers.


Before You Start

  • These instructions have been tested on Fedora Core 10, Debian 7 and some Ubuntu versions. They should apply to all Linux versions that have Postfix; only the location of the configuration files may differ.
  • Postfix should already be installed. On install, Postfix often shows an interactive prompt. Many of its options are compatible with this guide, but the "satellite system" option with the relay host described below has been tested to work.
  • These instructions assume Postfix was built with SASL authentication and OpenSSL support (usually enabled by default on Linux).

Basic Setup

  • To let Postfix relay email through Fastmail's servers in Postfix client mode, add the following lines to the main Postfix configuration file.
  • On Ubuntu and Fedora this is /etc/postfix/main.cf. These lines tell Postfix to use SASL authentication and STARTTLS encryption (both required by Fastmail) and point it to the file that contains the username and password to use when sending email. The square brackets around the host name are required; they tell Postfix to connect to that host directly instead of looking up its MX records.
  • Note: Postfix does not support pure SSL/TLS over port 465 for sending, but it does support STARTTLS on port 587, which Fastmail also supports.


relayhost = [mail.messagingengine.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure

On Debian/Ubuntu (not sure about other distros), Postfix needs the following line to find the system's CA certificates and validate Fastmail's certificate.

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

If certificate validation keeps failing, you can make verification optional by changing smtp_tls_security_level from secure (above) to encrypt. This still uses TLS encryption (which Fastmail requires) but does not fail on an unverified certificate. Note that at the encrypt level the relay's identity is not checked before your password is sent to it, so fixing the CA file (see the section on certificate checking errors below) is preferable to downgrading.

smtp_tls_security_level = encrypt


  • Next, create the password map file with your favourite text editor (vi, gedit, emacs) at /etc/postfix/sasl_passwd, and put the following line in it:
[mail.messagingengine.com]:587 <username>#<domain>:<password>
  • Don't forget to replace <username> with your Fastmail username, <domain> with the domain of your Fastmail account (e.g. fastmail.fm, eml.cc, etc.), and <password> with your Fastmail password. The '#' seems to be important: using the regular '@' symbol caused authentication errors.
  • Now hash the file so Postfix will actually use it. Execute the following at a command prompt; it creates the sasl_passwd.db file that Postfix reads.
PROMPT> postmap hash:/etc/postfix/sasl_passwd

The password map file (/etc/postfix/sasl_passwd) contains your Fastmail password in plain text, and so does the sasl_passwd.db built from it. It is a good idea to restrict access to both files so only root can read them. Run the following as root at a command prompt:

PROMPT> chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
PROMPT> chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
  • At this point, you can restart Postfix and verify you can use it to send email through Fastmail's servers. Keep reading for some security tweaks.
postfix reload

For a quick check that Postfix is working, run:

echo "myemail@fastmail.fm" > ~/.forward
echo test | mail -s "hello from postfix" $USER

Then open your webmail for myemail@fastmail.fm. The mail is usually delivered within a second or two.
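As an added example (not part of the wiki page), a small Python audit of the main.cf directives recommended above: it parses main.cf syntax, including continuation lines, and flags the weak settings discussed in this section (a missing CA file, encrypt instead of secure, noplaintext, or no TLS at all). The parameter names are Postfix's own; the finding messages and the sample config are constructed here.

```python
import re
# Added example (not from the wiki): audit the main.cf relay directives recommended above.
VERIFYING_LEVELS = {"secure", "verify", "fingerprint", "dane-only"}  # levels that verify the relay's cert

def parse_main_cf(text):
    """Parse 'name = value' lines, skipping '#' comments and joining
    continuation lines (leading whitespace). Later settings win."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:  # continuation of the previous value
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:  # lines without '=' are malformed and skipped
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_relay_config(text):
    """Return a list of findings; an empty list means the config matches the page."""
    p, findings = parse_main_cf(text), []
    if not re.fullmatch(r"\[[^\]\s]+\]:587", p.get("relayhost", "")):
        findings.append("relayhost must be [host]:587 (brackets skip the MX lookup)")
    if p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes")
    if not p.get("smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is unset")
    opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous").replace(" ", "").split(",")
    if "noanonymous" not in opts:
        findings.append("smtp_sasl_security_options lacks noanonymous")
    if "noplaintext" in opts:
        findings.append("noplaintext disables PLAIN/LOGIN, the mechanisms Fastmail offers")
    level = p.get("smtp_tls_security_level", "none").lower()
    if level in VERIFYING_LEVELS:
        if not (p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
            findings.append("no smtp_tls_CAfile/CApath set (needed on Debian/Ubuntu)")
    elif level == "encrypt":
        findings.append("encrypt: TLS is forced but the relay's certificate is not verified")
    else:
        findings.append("level %s: the password may be sent without TLS" % level)
    return findings
# Constructed sample: the directives recommended on this page.
PAGE_CONFIG = """relayhost = [mail.messagingengine.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt"""
```

Run `audit_relay_config(open("/etc/postfix/main.cf").read())` on a host to list the findings for its real configuration.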

Generating and sending a certificate to Fastmail, for Postfix servers

This has been tested on a Fedora Core 10 system. A similar configuration should work on any Unix-like system. Note: the other sections of this article have been improved since the Fedora 10 days, and the quality of this section may not be up to par with the rest of the article. If someone finds this section to be of good quality, please remove this note and cite a newer OS version.

This mode is appropriate for server installations.

This section assumes you're running your own MSA, that is, that you administer a Postfix instance that delivers mail by connecting directly to the destination's MX servers. While this case typically requires no special configuration, there are various knobs that may be useful for better-than-average behaviour.

The directives below assume that the SSL certificates are installed in the folder /etc/postfix/ssl. SSL certificates issued for securing web servers will work. The certificates can be located in the Postfix folder or in another folder of your choice. The Postfix documentation says that certificates should be in PEM format; the internal format of a *.crt file is the same as a .pem file, the extension is merely a convention in this case, so there is no need to convert a *.crt file into a *.pem file.

The Postfix documentation mostly shows the server-side smtpd_tls_* directives. The client-side smtp_tls_* form shown below, which governs the connections Postfix makes to other servers, does indeed work.

You can obtain a certificate from a public certificate authority. The process to obtain a certificate is beyond the scope of this topic but the process is described at: http://www.cyberciti.biz/tips/postfix-smtp-ssl-certificate-csr-installation-guide.html

If you do not want the expense of a certificate from a public certificate authority, you can generate a self-signed certificate using OpenSSL. The difference between a self-signed certificate and a public certificate is that the authenticity of the self-signed certificate cannot be verified by a third-party certificate authority. With both types of certificate, however, the messages can be encrypted. Open a command shell or terminal and issue the following commands to create the self-signed certificate that you will need. In the examples below, "your.domain.com" would typically be the common name (a.k.a. web address or DNS address) of your server. However, this file name is merely a convention and the certificate files can have any legal file name.

# Become root
su root
# Make a folder to hold the certificates
mkdir /etc/postfix/ssl
# Generate your private key (*.key)
openssl genrsa -out /etc/postfix/ssl/your.domain.com.key 2048
# Generate your Certificate Signing Request (CSR)
openssl req -new -key /etc/postfix/ssl/your.domain.com.key -out /etc/postfix/ssl/your.domain.com.csr
# Generate the self-signed certificate (*.crt), valid for 1825 days
openssl x509 -req -days 1825 -in /etc/postfix/ssl/your.domain.com.csr -signkey /etc/postfix/ssl/your.domain.com.key -out /etc/postfix/ssl/your.domain.com.crt

In the case of your public certificate, the file that contains your certificate (*.crt) can also contain a chain of intermediate certificates leading back to the root certificate. The intermediate certificates are appended to the end of your certificate in the *.crt file.

# TLS (aka SSL) CONFIGURATION DIRECTIVES
smtp_tls_security_level = may
smtp_tls_key_file = /etc/postfix/ssl/your.domain.com.key
smtp_tls_cert_file = /etc/postfix/ssl/your.domain.com.crt
smtp_tls_CAfile = /etc/postfix/ssl/intermediate.crt
smtp_tls_loglevel = 1
tls_append_default_CA = yes
  • From a command prompt, enter the following to make Postfix reload main.cf:
postfix reload

At TLS log level 1, entries such as the following are written to the mail log (/var/log/maillog on Fedora):

Jun 30 12:07:52 localhost postfix/postfix-script[24211]: refreshing the Postfix mail system
Jun 30 12:07:52 localhost postfix/master[4374]: reload configuration /etc/postfix
Jun 30 12:08:15 localhost postfix/smtpd[24233]: connect from localhost.localdomain[127.0.0.1]
Jun 30 12:08:15 localhost postfix/smtpd[24233]: 16EA9582057: client=localhost.localdomain[127.0.0.1]
Jun 30 12:08:15 localhost postfix/cleanup[24237]: 16EA9582057: message-id=<1341076094.3451.50.camel@localhost.localdomain>
Jun 30 12:08:15 localhost postfix/qmgr[24215]: 16EA9582057: from=<fromaddress@pfastmail.fm>, size=618, nrcpt=1 (queue active)
Jun 30 12:08:15 localhost postfix/smtpd[24233]: disconnect from localhost.localdomain[127.0.0.1]
Jun 30 12:08:15 localhost postfix/smtp[24238]: setting up TLS connection to mail.messagingengine.com[66.111.4.51]:587
Jun 30 12:08:15 localhost postfix/smtp[24238]: Trusted TLS connection established to mail.messagingengine.com[66.111.4.51]:587: TLSv1 with cipher AES256-SHA (256/256 bits)
Jun 30 12:08:15 localhost postfix/smtp[24238]: 16EA9582057: to=<toaddress@domain.com>, relay=mail.messagingengine.com[66.111.4.51]:587, delay=0.74, delays=0.05/0.04/0.5/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ACEF68E01D8)
Jun 30 12:08:15 localhost postfix/qmgr[24215]: 16EA9582057: removed

Note that the configuration shown above makes Postfix use TLS when relaying to Fastmail (MTA-to-MTA relay). It is not sufficient if you want TLS between the email client and Postfix, for example when Postfix acts as an SMTP relay for email clients on your local area network; that requires the server-side smtpd_tls_* directives.

See http://www.postfix.org/TLS_README.html for background on configuring TLS in Postfix.

See http://blog.fastmail.fm/2009/04/16/opportunistic-ssltls-encryption-on-incoming-emails/

Background on certificate checking error

This section explains the certificate check failure behind the Debian fix given earlier.

If you get an error/warning like the one below in your Postfix logs:

Untrusted TLS connection established to mail.messagingengine.com[66.111.4.51]

this is a known problem with Postfix on Ubuntu/Debian, where it is not able to find the certificate files.

More details here:

http://giantdorks.org/alain/fix-for-postfix-untrusted-certificate-tls-error/

A summary of the solution copied from the above link:


The part that drove me nuts the last time I briefly looked into this, is that the CA cert it was complaining about was there, in "/etc/ssl/certs", along with many others, symlinked to "/usr/share/ca-certificates", but there just the same. All provided by the package ever so aptly named "ca-certificates". After scouring the web for a bit and coming across solutions that just seemed wrong, it finally dawned on me -- Postfix on Debian (and Ubuntu) runs chrooted by default. So of course it can't access the certs in "/etc"!

My first instinct was to just disable the chroot, which is done easily enough in master.cf, and be done with it. But that felt like a surrender, so I kept digging, then after a few more minutes, a perfect solution emerged.

The certs are actually already inside the chroot, all in one big file "/var/spool/postfix/etc/ssl/certs/ca-certificates.crt", all we have to do is tell Postfix to look there, which can be done by adding the following to "/etc/postfix/main.cf":

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Restart Postfix and the problem is solved. Yay.
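As an added example (not from the wiki or the linked blog), a Python parser for the "TLS connection established" lines shown in the log excerpt above; it flags sessions to the relay host that Postfix logged as Untrusted or Anonymous, which is what the certificate checking error in this section looks like in the log. The sample log lines are constructed, following the page's format.

```python
import re
# Added example (not from the wiki): classify the "TLS connection established" lines
# that Postfix logs at smtp_tls_loglevel = 1 and flag relay sessions whose certificate
# was not verified, i.e. the "Untrusted TLS connection" case discussed above.

TLS_SESSION = re.compile(
    r"\b(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established to "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?"
    r"(?::\s*(?P<proto>\S+) with cipher (?P<cipher>\S+))?"
)

def parse_tls_sessions(lines):
    """One dict per outbound (smtp client) TLS session; inbound smtpd lines say
    'established from' and are ignored. Port/proto/cipher are None if absent."""
    return [m.groupdict() for m in map(TLS_SESSION.search, lines) if m]

def unverified_relay_sessions(lines, relayhost="mail.messagingengine.com"):
    """Sessions to the relay whose certificate Postfix did not verify. The SASL
    password is sent over such a session to a peer that was never authenticated,
    so each hit deserves a look (wrong smtp_tls_CAfile, or a downgraded
    smtp_tls_security_level)."""
    return [s for s in parse_tls_sessions(lines)
            if s["host"] == relayhost and s["trust"] in ("Anonymous", "Untrusted")]

# Constructed sample log lines in the format shown on this page.
SAMPLE_LOG = [
    "Jun 30 12:08:15 localhost postfix/smtp[24238]: Trusted TLS connection established to "
    "mail.messagingengine.com[66.111.4.51]:587: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Jul  1 09:14:02 localhost postfix/smtp[25001]: Untrusted TLS connection established to "
    "mail.messagingengine.com[66.111.4.51]:587: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Jul  1 09:14:03 localhost postfix/smtpd[25004]: Anonymous TLS connection established "
    "from client.example[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)",
    "Jul  1 09:14:05 localhost postfix/qmgr[24215]: 16EA9582057: removed",
]
```

Feed it the lines of the mail log (for example `unverified_relay_sessions(open("/var/log/mail.log"))`) to see whether any relay session went out without the certificate being verified.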


Background on SASL security

Earlier, this setting was recommended:

smtp_sasl_security_options = noanonymous

The default is noplaintext, noanonymous. Dropping noplaintext can sound like a bad idea, but don't worry: Fastmail only offers plaintext SASL mechanisms (PLAIN/LOGIN), so with noplaintext set there would be no mechanism left to authenticate with. Instead of relying on a SASL mechanism to protect the password, we rely on the TLS session to encrypt it, which is why the TLS settings above must not be relaxed. This is all well and good, as described in [1]

Links
