Transport Relay

--------

Transport Maps via Third-Party Relay Host

Example

                                 --------------------------------------------

localhost                local:

localhost.abcd.com       local:

mail.abcd.com            local:

mail2.abcd.com          smtp:[100.30.157.100]

mail3.abcd.com          smtp:[200.30.127.200]

gmail.com              smtp:mail.relay.com:25

.gmail.com             smtp:mail.relay.com:25

*  relay:relay.host:587           #[ All mail ID locally delivered ]

abc.nl  relay:relay.host:587

eMail-Address@YOUR-DOMAIN.COM           smtp

YOUR-DOMAIN.COM                         smtp:[relay.host]

gmail.com smtp:[smtp.gmail.com]:587

gsuite.worldcm.net  smtp:[100.200.100.1]

otherdomain.com     :[smtp.otherdomain.com]

Example,

Gmail.com    :[mail.xyz.com]

                                   -----------------------------------

We can also have the following configuration, which means that emails sent to your own domain are delivered locally, emails sent to gmail.com are delivered normally by performing an MX lookup, and all other emails are delivered via the relay host.

your-domain.com       local

gmail.com             smtp

*                     relay:[mail.xyz.com]:587

                                   ---------------------------------

data/overrides/relay_hosts:

Relay all email sent from *@yetanotherdomain.com through Mailgun instead, relay *@example.com through mail.example.com, etc.

@yetanotherdomain.com     [smtp.mailgun.org]:587

@somegoogleappsdomain.com [smtp.gmail.com]:587

@example.com              [mail.example.com]:25

data/overrides/sasl_passwd:

credentials to use for remote smtp servers

[mail.example.com]:25  admin@example.com:passwordhere

[smtp.mailgun.org]:587 postmaster@yetanotherdomain.com:mailgunpasswordhere

[smtp.gmail.com]:587   username@gmail.com:passwordhere

---------------------------------------------------------

example.com        smtp:[192.168.23.56]:20025

oreilly.com        relay:[gateway.oreilly.com]

oreillynet.com     smtp

ora.com            maildrop

kdent@ora.com      error:no mail accepted for kdent

-------------------------------------------------

Configure your shared host as MX for subdomain.example.org. Then use transport_maps:

transport_maps = hash:/etc/postfix/transport

In /etc/postfix/transport put

subdomain.example.org smtp:[vps.relay.tld]

Then run postmap /etc/postfix/transport to update the lookup table in transport.db.

If you need credentials for the relay you can configure them in /etc/postfix/saslpass

vps.relay.tld username:password

and use postmap /etc/postfix/saslpass to create/update the lookup-table.

                                  --------------------------------X----------------------------------------

Postfix relayhost/transport with authentication

Example: Outbound SMTP with authentication

SMTP: smtp.somehost.com

Username: pank

Password: 8888

Edit /etc/postfix/sasl_passwd

smtp.somehost.com pank:8888

Edit main.cf, add

relayhost=smtp.somehost.com

smtp_sasl_auth_enable=yes

smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options=noanonymous

postmap /etc/postfix/sasl_passwd

postfix reload

                                  ----------------------------X-------------------------------

Open or create the /etc/postfix/sasl/sasl_passwd file and add the SMTP Host, username, and password information:

[smtp.gmail.com]:587 username@gmail.com:password

Use the password from the 3rd step.

Create the hash db file for Postfix by running the postmap command:

# postmap /etc/postfix/sasl/sasl_passwd

Run the following commands to change the ownership to root and update the permissions for the two files:

#  chown root:root /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db

# chmod 0600 /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db

Find and modify relayhost in /etc/postfix/main.cf to match the following example:

relayhost = [smtp.gmail.com]:587

Set this in the end of /etc/postfix/main.cf file:

# Enable SASL authentication

smtp_sasl_auth_enable = yes 

# Disallow methods that allow anonymous authentication 

smtp_sasl_security_options = noanonymous 

# Location of sasl_passwd 

smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd 

# Enable STARTTLS encryption 

smtp_tls_security_level = encrypt 

# Location of CA certificates 

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Restart Postfix:

# service postfix restart

  ----------------------------------X----------------------------------------------------

Make sure Postfix, the SASL authentication framework, and mailx are all installed.

yum -y install postfix cyrus-sasl-plain mailx

Postfix will need to be restarted before the SASL framework will be detected.

systemctl restart postfix

Postfix should also be set to start on boot.

systemctl enable postfix

Configure Postfix

Open /etc/postfix/main.cf (# vi /etc/postfix/main.cf) and add the following lines to the end of the file.

myhostname = hostname.example.com

relayhost = [smtp.gmail.com]:587

smtp_use_tls = yes

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

smtp_sasl_security_options = noanonymous

smtp_sasl_tls_security_options = noanonymous

The myhostname parameter is optional. If the hostname is not specified, Postfix will use the fully-qualified domain name of the Linux server.

Save the main.cf file and close the editor.

Configure Postfix SASL Credentials

The Gmail credentials must now be added for authentication. Create the /etc/postfix/sasl_passwd file (# vi /etc/postfix/sasl_passwd) and add the following line:

[smtp.gmail.com]:587 username:password

The username and password values must be replaced with valid Gmail credentials. The sasl_passwd file can now be saved and closed.

A Postfix lookup table must now be generated from the sasl_passwd text file by running the following command.

postmap /etc/postfix/sasl_passwd

Access to the sasl_passwd files should be restricted.

chown root:postfix /etc/postfix/sasl_passwd*

chmod 640 /etc/postfix/sasl_passwd*

Lastly, reload the Postfix configuration.

systemctl reload postfix

Test The Relay

Use the mail command to test the relay.

echo "This is a test." | mail -s "test message" user@example.net

The destination address should receive the test message.

                                                    -------------------X-----------------------

Postfix SMTP Relay via port 587

Edit the Postfix main configuration file on server B.

# vi /etc/postfix/main.cf

Find the following line.

relayhost =

By default, its value is not set. You need to set the hostname of server A (your mail server) as the relay host like below.

relayhost = mail.worldcm.net:587

Then add the following lines to the end of this file to configure SASL authentication. We specify that the /etc/postfix/sasl_passwd file contains the username and password.

# outbound relay configurations

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous

smtp_tls_security_level = may

header_size_limit = 4096000

Save and close the file. Next, you should create a dedicated email account on your mail server, so server B can use this email account to login via port 587. After that, create the /etc/postfix/sasl_passwd file.

vi /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace these values with the hostname of your own mail server, the email account and password. Notice that there’s a colon between the email account and password.

mail.worldcm.net:587  account@worldcm.net:password

Save and close the file. Then create the corresponding hash db file with postmap.

# postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

systemctl restart postfix

By default, the sasl_passwd and sasl_passwd.db files can be read by any user on the server. Change the permission to 600 so only root can read and write to these two files.

# chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

From now on, websites on server B can use Postfix to send emails, which will be relayed through your mail server. Note that many web applications provide two email-sending modes:

 Postfix Transport Map and Relayhost Map For Flexible Email Delivery

How to Use Postfix Transport Map

The transport map defines mappings from recipient address to transport method. By default, the value of the transport_maps parameter in Postfix is not set, as can be checked with:

postconf transport_maps

Sample output:

transport_maps =

iRedMail and Modoboa use a MySQL/MariaDB database to store transport maps. If you used iRedMail to set up your mail server, then the output should be like:

transport_maps = proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

If you used Modoboa to set up your mail server, then the output should be like:

transport_maps = proxy:mysql:/etc/postfix/sql-transport.cf proxy:mysql:/etc/postfix/sql-spliteddomains-transport.cf

The transport_maps parameter points to one or more transport lookup tables. You can edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

And set a value by adding the following line at the end of the file. The /etc/postfix/transport file will contain the lookup table.

transport_maps = hash:/etc/postfix/transport

If you use iRedMail, you can find the transport_maps parameter and set the value to

transport_maps =     hash:/etc/postfix/transport     proxy:mysql:/etc/postfix/mysql/transport_maps_user.cf     proxy:mysql:/etc/postfix/mysql/transport_maps_domain.cf

If you use Modoboa, you can find the transport_maps parameter and set the value to:

transport_maps =         hash:/etc/postfix/transport         proxy:mysql:/etc/postfix/sql-transport.cf         proxy:mysql:/etc/postfix/sql-spliteddomains-transport.cf

A lookup table can be a file, or take the form of MySQL/MariaDB database tables. Lookup tables are searched in the specified order until a match is found.

Save and close the Postfix main configuration file. Next, we need to create the lookup table file.

sudo nano /etc/postfix/transport

In this file, we can define mappings from recipient addresses to transport method. For example, I found that many .pl (Poland) domains are using a particular blacklist that blocks my mail server’s IP address. I can add the following line in this file so that emails sent to .pl domains will be relayed through Mailjet.

.pl                relay:[in-v3.mailjet.com]:587

Some people find that it’s hard to get into the inbox of Microsoft mailboxes (hotmail.com, outlook.com, etc). It’s very likely that your email will be put in the spam folder. Well, you can try using Mailjet to deliver emails to Microsoft mailbox users. Mailjet even allows you to see if the recipient opened or clicked links in your email. So I put the following lines in the file.

hotmail.com        relay:[in-v3.mailjet.com]:587

hotmail.co.uk      relay:[in-v3.mailjet.com]:587

hotmail.fr         relay:[in-v3.mailjet.com]:587

hotmail.de         relay:[in-v3.mailjet.com]:587

outlook.com        relay:[in-v3.mailjet.com]:587

outlook.de         relay:[in-v3.mailjet.com]:587

outlook.fr         relay:[in-v3.mailjet.com]:587

outlook.be         relay:[in-v3.mailjet.com]:587

outlook.in         relay:[in-v3.mailjet.com]:587

live.com           relay:[in-v3.mailjet.com]:587

If you want to use relay host to deliver emails to a particular recipient, but send emails directly to all other recipients in the same domain, then you can add a line like below.

someone@gmail.com  relay:[in-v3.mailjet.com]:587

If a certain SMTP server doesn’t use the default SMTP port 25, but uses a different port such as 2525 to receive incoming emails, you can add the following line.

example.com        smtp:[mail.example.com]:2525

It’s a good practice to add your own domain name in this file like below.

your-domain.com    local

This tells Postfix that emails sent to your own domain should be delivered locally. This is the default behavior for canonical domains. If your mail server has multiple virtual domains, you should add all of your virtual domains.

your-domain1.com         local

your-domain2.com         local

If you just put the following two lines in the file and don’t add other lines, all emails, excluding emails sent to your own domain, will be delivered via the relay host. The asterisk (*) is a wildcard character that represents any email address.

your-domain.com       local

*                     relay:[in-v3.mailjet.com]:587

We can also have the following configuration, which means that emails sent to your own domain are delivered locally, emails sent to gmail.com are delivered normally by performing an MX lookup, and all other emails are delivered via the relay host.

your-domain.com       local

gmail.com             smtp

*                     relay:[in-v3.mailjet.com]:587

Save and close the file. Then run the following command to build the index file.

sudo postmap /etc/postfix/transport

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix
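The lookup order that decides which transport entry applies to a recipient, as an added Python sketch (not Postfix code and not from the original notes). It follows the search order documented in transport(5): full address, domain, parent domains written with a leading dot, then `*`; a key written as `@domain` is not in that order and never matches. The sample table is constructed from entries shown above, and the function names are illustrative.

```python
def parse_transport(text):
    """Parse transport(5) source text into {key: result}."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1)
        key = parts[0].lower()            # postmap folds keys to lower case
        result = parts[1].strip() if len(parts) > 1 else ""
        table.setdefault(key, result)     # postmap keeps the first duplicate
    return table

def candidates(recipient, delimiter=""):
    """Yield lookup keys in transport(5) search order for one recipient."""
    addr = recipient.lower()
    local, _, domain = addr.rpartition("@")
    yield addr                                        # user+extension@domain
    if delimiter and delimiter in local:              # recipient_delimiter set
        yield local.split(delimiter, 1)[0] + "@" + domain
    yield domain                                      # exact domain
    labels = domain.split(".")
    for i in range(1, len(labels)):                   # .parent patterns
        yield "." + ".".join(labels[i:])
    yield "*"                                         # wildcard, tried last

def resolve(table, recipient, delimiter=""):
    """Return (matching key, result), or (None, None) for the default transport."""
    for key in candidates(recipient, delimiter):
        if key in table:
            return key, table[key]
    return None, None

def dead_keys(table):
    """Keys of the form @domain are never looked up in a transport map."""
    return sorted(k for k in table if k.startswith("@"))

# Constructed sample table (assumption: assembled from this page's entries).
SAMPLE = parse_transport("""\
your-domain.com         local
gmail.com               smtp
someone@gmail.com       relay:[in-v3.mailjet.com]:587
.pl                     relay:[in-v3.mailjet.com]:587
example.com             smtp:[mail.example.com]:2525
@subdomain.example.org  smtp:[vps.relay.tld]
*                       relay:[in-v3.mailjet.com]:587
""")

if __name__ == "__main__":
    for rcpt in ("someone@gmail.com", "other@gmail.com", "bob@mail.gmail.com",
                 "jan@firma.pl", "x@subdomain.example.org"):
        print(rcpt, "->", resolve(SAMPLE, rcpt))
    print("never matched:", dead_keys(SAMPLE))
```

On a live host, `postmap -q gmail.com hash:/etc/postfix/transport` queries one exact key only; it does not walk this search order.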

Sender Dependent Relay Maps

The transport map defines mappings from recipient address to transport method. If you want to define mappings from sender address to relay hosts, use the sender_dependent_relayhost_maps parameter. By default, its value is empty, as can be seen with:

postconf sender_dependent_relayhost_maps

Output:

sender_dependent_relayhost_maps =

iRedMail uses MySQL/MariaDB database to store sender dependent relayhost maps. If you used iRedMail to set up your mail server, then the output should be like:

sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

The sender_dependent_relayhost_maps parameter points to one or more lookup tables. You can edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

And set a value by adding the following line at the end of the file. The /etc/postfix/relay_by_sender file will contain the lookup table.

sender_dependent_relayhost_maps = hash:/etc/postfix/relay_by_sender

If you use iRedMail, you can find the sender_dependent_relayhost_maps parameter and set the value to

sender_dependent_relayhost_maps =     hash:/etc/postfix/relay_by_sender     proxy:mysql:/etc/postfix/mysql/sender_dependent_relayhost_maps.cf

A lookup table can be a file, or take the form of MySQL/MariaDB database tables. Lookup tables are searched in the specified order until a match is found.

Save and close the Postfix main configuration file. Next, we need to create the lookup table file.

sudo nano /etc/postfix/relay_by_sender

Add rules like the one below. This makes emails sent from user1@your-domain.com go out via the relay host specified on the right side.

user1@your-domain.com           [in-v3.mailjet.com]:587

Say you have a Linux server that hosts two websites, and each website has its own mail server running on a separate host. You can then add the following two lines to make each website use its own mail server.

@domain1.com                    [mail.domain1.com]:587

@domain2.com                    [mail.domain2.com]:587

Save and close the file. Then build the index file.

sudo postmap /etc/postfix/relay_by_sender

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Set Up SMTP Authentication

Now we need to set up SMTP authentication so that the Postfix SMTP client can use the relay host. Edit the Postfix main configuration file.

sudo nano /etc/postfix/main.cf

Add the following lines at the end of this file. The /etc/postfix/sasl_passwd file will contain the username and password.

# outbound relay configurations

smtp_sasl_auth_enable = yes

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_sasl_security_options = noanonymous

smtp_tls_security_level = may

header_size_limit = 4096000

If you have set the relayhost parameter, then I recommend giving it an empty value like below, because we are now using transport maps and sender dependent relayhost maps.

relayhost =

Save and close the file. Then create the /etc/postfix/sasl_passwd file.

sudo nano /etc/postfix/sasl_passwd

Add the SMTP relay host and SMTP credentials to this file like below. Replace api-key and secret-key with your real Mailjet API key and secret key.

in-v3.mailjet.com:587  api-key:secret-key

Save and close the file. Then create the corresponding hash db file with postmap.

sudo postmap /etc/postfix/sasl_passwd

Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

By default, the sasl_passwd and sasl_passwd.db files can be read by any user on the server. Change the permission to 600 so only root can read and write to these two files.

sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
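A check for the outbound relay settings above, as an added Python example (not part of the original notes or of Postfix). With `smtp_sasl_security_options = noanonymous` the PLAIN and LOGIN mechanisms are allowed, so it flags configurations where TLS is only opportunistic (`may`, or the legacy `smtp_use_tls = yes`) and reports password map files that other users can access; the sample configs are constructed from settings on this page and the function names are illustrative.

```python
import os
import stat

# Levels at which Postfix refuses to deliver unless the session is encrypted.
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Return {parameter: value}; handles comments, continuation lines, last-wins."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:    # continuation line
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def effective_tls_level(p):
    """smtp_tls_security_level wins; otherwise fall back to the legacy switches."""
    if p.get("smtp_tls_security_level"):
        return p["smtp_tls_security_level"]
    if p.get("smtp_enforce_tls") == "yes":
        return "encrypt"
    return "may" if p.get("smtp_use_tls") == "yes" else "none"

def audit_relay(main_cf_text):
    """List findings for an authenticated outbound relay configuration."""
    p = parse_main_cf(main_cf_text)
    if p.get("smtp_sasl_auth_enable") != "yes":
        return []
    findings = []
    level = effective_tls_level(p)
    # Postfix default is "noplaintext, noanonymous"; setting only noanonymous
    # permits PLAIN/LOGIN, so the channel itself must be protected.
    sasl_opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if level not in MANDATORY_TLS and "noplaintext" not in sasl_opts:
        findings.append(f"password may cross the network unencrypted (TLS level: {level})")
    return findings

def world_accessible(paths):
    """Return the existing paths that grant any permission to 'other'."""
    return [f for f in paths if os.path.exists(f) and os.stat(f).st_mode & stat.S_IRWXO]

# Constructed samples built from the settings shown on this page.
SERVER_B = """\
# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
"""
GMAIL = SERVER_B.replace("= may", "= encrypt")
LEGACY = SERVER_B.replace("smtp_tls_security_level = may", "smtp_use_tls = yes")

if __name__ == "__main__":
    for name, cfg in (("may", SERVER_B), ("encrypt", GMAIL), ("smtp_use_tls", LEGACY)):
        print(name, audit_relay(cfg) or "ok")
    print(world_accessible(["/etc/postfix/sasl_passwd", "/etc/postfix/sasl_passwd.db"]))
```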

Testing

Now you can send a test email to the recipients defined in transport maps, or send an email from the address specified in sender dependent relayhost maps. Then check the mail log (/var/log/mail.log or /var/log/maillog) to see if it’s working.

Note that if you are using a third-party SMTP relay service like Mailjet, then it’s likely that you are required to validate your domain name in your account and edit your SPF and DKIM records.

Troubleshooting

If your email wasn’t delivered and you found the following message in the mail log (/var/log/maillog),

Relay access denied (in reply to RCPT TO command))

then you might need to edit the /etc/postfix/sasl_passwd file and remove the port number after the hostname like below.

in-v3.mailjet.com    api-key:secret-key

Save and close the file. Then build the index file again.

sudo postmap /etc/postfix/sasl_passwd

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now you can flush the email queue (attempt to deliver the previous emails).

sudo postqueue -f

Bonus Tip: smtp_fallback_relay

You can specify a fallback relay host in Postfix. This way, if an SMTP destination can’t be reached (no MX record, no A record) or the primary relay host is offline, Postfix will use the fallback relay host.

Edit the main Postfix configuration file.

sudo nano /etc/postfix/main.cf

Add the following line in this file. Replace secondary.relayhost.com with the actual relayhost name. This relay host can be from Mailjet or any other SMTP relay services.

smtp_fallback_relay = [secondary.relayhost.com]:587

Save and close the file. Then you should edit the /etc/postfix/sasl_passwd file and add the SMTP credentials for the fallback relay host just like above. Finally, restart Postfix for the changes to take effect.

Note that if the SMTP destination is using greylisting to temporarily reject email messages, then your Postfix SMTP server will also use the fallback relay host.

------------