Configure Postfix on RHEL 7 to Forward All Email to a Central Mail Server

On RHEL 7, Postfix is used as the mail service. 

We are going to deploy Postfix on a null client. A null client is a machine that can only send mail. It receives no mail from the network, and it does not deliver any mail locally. We use a RHEL 7.0 virtual machine in this article.

Please check this post if you need to configure Postfix as a gateway.

Configure Postfix on a Null Client

The postfix package should be installed by default. If it is not, install it:

# yum install -y postfix

Ensure the service is enabled on boot:

# systemctl enable postfix

Now, I have seen some people add a firewalld rule to allow incoming traffic for the smtp service. This is normally required for a central SMTP server, but makes little to no sense for a null client: a null client cannot receive email from outside, therefore no firewall configuration is required.

Only a few parameters are important for setting up an environment where email can be forwarded to a central mail server.

The following file contains quite a few Postfix configuration examples:

# less /usr/share/doc/postfix-2.10.1/README_FILES/STANDARD_CONFIGURATION_README

Check the “Postfix on a null client” section for more info.

Open the file /etc/postfix/main.cf for editing, and add the following:

myhostname = srv1.rhce.local
mydomain = rhce.local
myorigin = $mydomain
relayhost = [10.8.8.70]
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128
local_transport = error: local delivery disabled

The relayhost prevents mail from getting stuck on the null client if it is turned off while some remote destination is unreachable.

Setting inet_interfaces to loopback-only tells Postfix not to accept mail from the network. Only messages that originate from the 127.0.0.0/8 network and the [::1]/128 network (mynetworks) are forwarded to the relay host by the null client.

We prevent the null client from sorting any mail into local mailboxes by setting the local_transport parameter to an error transport. We also disable local mail delivery by leaving mydestination empty. All mail goes to the mail server specified in relayhost. Note that we can also use a DNS name for the relayhost, and that putting the name or address in square brackets turns off MX lookups.
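As an added example (not code from the article), the following Python checker parses a main.cf fragment, expands $name references, and reports any setting that would let a supposed null client listen on the network, accept mail as a final destination or deliver to local mailboxes. The embedded configuration is a constructed copy of the fragment above; the function names are my own.

```python
import re

# Constructed copy of the article's null-client main.cf fragment (sample input).
NULL_CLIENT_CF = """\
myhostname = srv1.rhce.local
mydomain = rhce.local
myorigin = $mydomain
relayhost = [10.8.8.70]
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128
local_transport = error: local delivery disabled
"""
LOOPBACK_NETS = {"127.0.0.0/8", "[::1]/128"}  # the only networks a null client should trust

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comments, continuation
    lines that start with whitespace, and $name / ${name} expansion."""
    cfg, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last is not None:  # continuation of the previous value
            cfg[last] = (cfg[last] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        cfg[last] = value.strip()
    for name, value in cfg.items():  # expand references to other parameters
        cfg[name] = re.sub(r"\$\{?(\w+)\}?", lambda m: cfg.get(m.group(1), ""), value)
    return cfg

def null_client_issues(cfg):
    """Return findings for anything that would let this host accept or deliver mail."""
    issues = []
    if cfg.get("inet_interfaces", "all") != "loopback-only":
        issues.append("inet_interfaces is not loopback-only: smtpd is reachable from the network")
    if cfg.get("mydestination", "$myhostname") != "":
        issues.append("mydestination is not empty: host accepts mail as final destination")
    if not cfg.get("relayhost"):
        issues.append("relayhost is unset: mail is delivered directly instead of relayed")
    if not cfg.get("local_transport", "local").startswith("error:"):
        issues.append("local_transport is not an error transport: local mailboxes are deliverable")
    extra = set(cfg.get("mynetworks", "").replace(",", " ").split()) - LOOPBACK_NETS
    if extra:
        issues.append("mynetworks trusts non-loopback networks: " + ", ".join(sorted(extra)))
    return issues
```

Running null_client_issues(parse_main_cf(NULL_CLIENT_CF)) returns an empty list for the article's fragment; widening inet_interfaces to all or adding a LAN range to mynetworks produces one finding each.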

Check for syntax errors:

# postfix check

Restart the service:

# systemctl restart postfix

Send a test email to the root user:

# echo test | mailx -s Test root

Check /var/log/maillog:

postfix/pickup[2636]: 3DF9920832: uid=0 from=<root>
postfix/cleanup[2668]: 3DF9920832: message-id=<[email protected]>
postfix/qmgr[2637]: 3DF9920832: from=<[email protected]>, size=416, nrcpt=1 (queue active)
postfix/smtp[2670]: 3DF9920832: to=<[email protected]>, orig_to=<root>, relay=10.8.8.70[10.8.8.70]:25, delay=0.36, delays=0.3/0/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5794EC3287)
postfix/qmgr[2637]: 3DF9920832: removed

Configure Postfix as a Central Mail Server for a Domain

To test email delivery, we can use a FreeIPA server that we set up some time ago, and configure it as a central mail server for our rhce.local domain.

The following /etc/postfix/main.cf configuration should do the job:

myhostname = ipa.rhce.local
mydomain = rhce.local
myorigin = rhce.local
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

The mydestination parameter specifies the list of domains that the server considers itself the final destination for.

Open the smtp service in the firewall, and restart the Postfix service after editing main.cf:

# firewall-cmd --add-service=smtp --permanent
# firewall-cmd --reload

Useful to know: all messages can be deleted from the mail queue with postsuper:

# postsuper -d ALL

43 thoughts on “Configure Postfix on RHEL 7 to Forward All Email to a Central Mail Server”

  1. Hello,
    How do I figure out which IP is the relayhost in Exam?

    Relayhost meaning the main server right?

    Regards!

    • I don’t use Exim anymore, but I believe that I had a route_list configured to relay emails. Relayhost means the next server where you want to forward emails to, it may be the main server, or it may be just another relay.

  2. I have noticed that a null client doesn’t require smtp to be enabled on the firewall, which makes sense since no one is connecting to the server …

  3. Hi Tomas, will I fail the exam if I don’t set local_transport = error: local delivery disabled ?

    • Hi, if the exam explicitly says that you have to configure the local_transport and you don’t, then you failed, but if the exam doesn’t require it, then it is ok.

    • If that’s the case then you would obviously fail at this particular exam task, but I seriously doubt that making such a mistake would cause you to fail the whole exam. To drop a few points? Yes. To fail the exam? Highly unlikely.

  4. Hey Tomas, what about user-based security for SMTP? Are different smtpd_*_restrictions the exam objective?
    And what about mapping: virtual, relocated, transport…?

    • I appreciate you may have questions, but any exam objective related question is best raised directly with RedHat.

      You need to know smtpd_client_restrictions. Please take a look here, I’ve covered Postfix as well.

  5. The configuration given here for the ipa server results in mail delivery errors due to NIS failures. For example, you will see the following error in the mail logs.

    May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: warning: lookup [email protected], NIS domain rhce.local, map mail.aliases: internal yp server or client error
    May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: warning: nis:mail.aliases lookup error for “[email protected]
    May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: NOQUEUE: reject: RCPT from srv1.rhce.local[10.8.8.71]: 451 4.3.0 : Temporary lookup failure; from= to= proto=ESMTP helo=

    To fix this the /etc/postfix/main.cf file should have a line added as follows.

    alias_maps = hash:/etc/aliases

    I’d also suggest setting inet_protocols to “all” as you are instructed to give the VM an IPv6 address along with IPv4.

  6. mail server : ipa.example.local ( with two ipa users u1 , u2 )
    null client ( client.example.local ) ( local users u3, u4 )
    null client ( client1.example.local ) ( local users u5, u6 )

    Can we send email from client.example.local to user u5 or u6, i.e. send email to local users who are not on the email server?

    • I’m not sure on what you mean by saying that “users are not on email server”, but you can send emails to users who have mailboxes. If users u5 and u6 have mailboxes, then the mail server should be able to deliver email.

  7. to rephrase,
    mail server : ipa.example.local ( with two ipa users u1 , u2 )
    null client ( client.example.local ) ( local users u3, u4 )
    null client ( client1.example.local ) ( local users u5, u6 )

    When I send emails from a null client to the two IPA users u1, u2, it is successful.
    But when I send email from client.example.local to client1.example.local (local users u5, u6), the mail is delivered but the mailbox is empty on client1.example.local …

    As per my understanding, we can only send email to users whose accounts are created on the mail server, ipa.example.local in this case (and they are not local users),
    and we can not send email to users on {client.example.local and client1.example.local}; users on these systems are local users.
    Please correct me if I am wrong.

    I hope I have clarified my question.

    • You cannot send emails from client.example.local to client1.example.local as both are null clients and neither of them can receive emails. A null client can only send mail, it cannot receive mail from your network. That’s the reason why the mailbox on client1.example.local is empty.

  8. Hi Tomas,
    My environment is a host with two virtual machines:
    host.example.com, vm1.example.com, vm2.example.com.
    My question is how to configure Postfix on vm2 (vm2.example.com) so that mail destined for the host
    (host.example.com) from localhost for user robert is received on vm2 (vm2.example.com).

  9. Hello, Tomas!

    I think there’s a small typo in the “Configure Postfix on a Null Client” section. You list parameters from main.cf to be changed. In case IPv6 is in use, I think it should be:
    (…)
    mynetworks = 127.0.0.0/8 [::1]/128
    (…)

    Whereas your example is missing ‘1’ in IPv6 loopback address. (” [::]/128 “).

    Best Regards,
    Lukasz

  10. Hi, I found one question about relayhost.
    “All messages not addressed @srv1.rhce.local or @localhost[.localdomain] should be forwarded to the SMTP server”
    Does this mean I must write these domains in mydestination?

  11. Hi Tomas

    I have a small issue here.

    I have a three-machine lab setup:

    serv1.rhce.local = 10.8.8.50
    serv2.rhce.local = 10.8.8.51
    ipa.rhce.local = 10.8.8.2

    I added the following lines in the main.conf file on the serv2 machine:

    myhostname = serv2.rhce.local
    mydomain = rhce.local
    myorigin = $mydomain
    relayhost = [10.8.8.2] <———- ipa ip
    inet_interfaces = loopback-only
    mydestination =
    mynetworks= 127.0.0.0/8, [::1]/128
    local_transport = error:local mail delivery is disabled

    When I try "echo test | mailx -s Test root", maillog shows:

    Mar 10 12:48:26 serv2 postfix/pickup[6417]: 348EF22A419B: uid=0 from=
    Mar 10 12:48:26 serv2 postfix/cleanup[6516]: 348EF22A419B: message-id=
    Mar 10 12:48:26 serv2 postfix/qmgr[6418]: 348EF22A419B: from=, size=422, nrcpt=1 (queue active)
    Mar 10 12:48:26 serv2 postfix/smtp[6488]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
    Mar 10 12:48:26 serv2 postfix/smtp[6488]: 348EF22A419B: to=, orig_to=, relay=none, delay=0.11, delays=0.1/0/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)
    Mar 10 12:51:58 serv2 postfix/qmgr[6418]: 632B622A4199: from=, size=422, nrcpt=1 (queue active)
    Mar 10 12:51:58 serv2 postfix/qmgr[6418]: 6AF8422A419A: from=, size=422, nrcpt=1 (queue active)
    Mar 10 12:51:58 serv2 postfix/smtp[6629]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
    Mar 10 12:51:58 serv2 postfix/smtp[6630]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
    Mar 10 12:51:58 serv2 postfix/smtp[6629]: 632B622A4199: to=, orig_to=, relay=none, delay=597, delays=597/0.09/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)
    Mar 10 12:51:58 serv2 postfix/smtp[6630]: 6AF8422A419A: to=, orig_to=, relay=none, delay=459, delays=459/0.08/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)

    And on serv1, when I run the command “postconf -d myhostname” it shows “serv1.localdomain” instead of “serv1.rhce.local”, while on serv2 it shows “serv2.rhce.local”.

    • It looks like your SMTP relay is refusing connections. Make sure that the Postfix service is running, and that the firewall is configured to allow traffic.

      For the second issue, re-configure myhostname variable with the correct value and restart the service.

    • Yes, Postfix is enabled and the service is running on the relay [IPA-Server], and the SMTP service + port 25/tcp is also added in the firewall. But still the same issue.

    • Did the telnet from serv2 -> IPA:25, connection refused:

      Trying 10.8.8.2…
      telnet: connect to address 10.8.8.2: Connection refused

      On IPA server rules are allowed on port 25 and even added smtp service

      public (default, active)
      interfaces: enp0s3
      sources:
      services: dhcpv6-client dns smtp ssh
      ports: 443/tcp 80/tcp 88/udp 464/udp 88/tcp 25/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
      rule family="ipv4" source address="10.8.8.50" masquerade

      ——————————————–

      [root@ipa (~)]$ > firewall-cmd --list-all --zone=dmz
      dmz (active)
      interfaces: enp0s8
      sources:
      services: dns iscsi-target smtp ssh
      ports: 443/tcp 80/tcp 88/udp 464/udp 88/tcp 25/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

      And smtp service is running on IPA server

    • If you cannot telnet into the port then it’s likely a firewall issue. Disable firewall on the IPA server and try telneting again. If that works, then it’s the firewall on the IPA server.

      You seem to have different firewalld zones configured. What’s the output from:

      # firewall-cmd --get-active-zones
      # firewall-cmd --get-default-zone

      Also, what’s the output from:

      # netstat -nltp|grep :25

    • Stopped the firewalld service

      And then did telnet on 25, and the same connection refused.

      Postfix is listening on port 25
      tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1793/master
      tcp6 0 0 ::1:25 :::* LISTEN 1793/master

      Yes, I made two zones, public and dmz, and the port and service are allowed on both zones:

      dmz
      interfaces: enp0s8
      public
      interfaces: enp0s3
      And public zone is default

    • You’ve configured Postfix to listen on localhost only. This is not going to work if you want to use it as a relay. Change this to inet_interfaces = all, restart Postfix, and then try again.

  12. Thanks Tomas, it helped. Yes, you are right, I forgot to configure the Postfix server to listen on all interfaces.

    But after doing all that, when I sent the test message again, the logs showed “connection timed out” on the null client (serv2), so I added 10.8.8.0/24 (“mynetworks = 127.0.0.0/8, [::1]/128, 10.8.8.0/24”), restarted the postfix service and sent the message again. This time no error. Below are the logs.

    Mar 17 10:40:09 serv2 postfix/pickup[2881]: 0FDDB22730A0: uid=0 from=
    Mar 17 10:40:09 serv2 postfix/cleanup[2911]: 0FDDB22730A0: message-id=
    Mar 17 10:40:09 serv2 postfix/qmgr[2882]: 0FDDB22730A0: from=, size=439, nrcpt=1 (queue active)
    Mar 17 10:40:09 serv2 postfix/smtp[2897]: 0FDDB22730A0: to=, relay=10.8.8.2[10.8.8.2]:25, delay=0.17, delays=0.13/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 70FD644BC683)
    Mar 17 10:40:09 serv2 postfix/qmgr[2882]: 0FDDB22730A0: removed

    And by using postcat -vq "ID" it showed it is available in the queue:

    D3FCE4533719 2612 Sun Mar 17 10:44:59 MAILER-DAEMON
    (connect to serv2.rhce.local[10.8.8.51]:25: Connection refused)
    [email protected]

  13. Hi, I am having a problem:

    Apr 18 16:17:44 ipaserver postfix/pickup[70129]: 0B0E611ABD2A: uid=0 from=
    Apr 18 16:17:44 ipaserver postfix/cleanup[70142]: 0B0E611ABD2A: message-id=
    Apr 18 16:17:44 ipaserver postfix/qmgr[70130]: 0B0E611ABD2A: from=, size=441, nrcpt=1 (queue active)
    Apr 18 16:17:44 ipaserver postfix/smtp[70133]: warning: relayhost configuration problem
    Apr 18 16:17:44 ipaserver postfix/smtp[70133]: 0B0E611ABD2A: to=, orig_to=, relay=none, delay=0.21, delays=0.2/0/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)

    Why is it getting deferred?

  14. In my system, the relay-host address has to be written as an IP address, not as a server name (FQDN hostname) in square brackets, in order for the mail to be delivered; I use CentOS Linux release 7.6.1810 (Core) with kernel 3.10.0-957.10.1.el7.x86_64; in other words,

    relayhost = [server.example.com] does NOT work
    relayhost = 192.168.189.140 works

  15. Can I view the mail in the second system that was sent from the first system? The first system is the NIS server and the second system is the NIS client. I sent mail from one NIS user to another NIS user, and I logged in as the NIS recipient user on the second system. But I can’t view the mail I sent as the recipient user.

  16. I am getting the below error while trying to send email. The server is RHEL 7 and Postfix is configured properly.
    Can you please help me with a solution for it?

    root@xxxxxxxPROD # echo "Subject: sendmail test" | sendmail -v [email protected]
    [email protected]… Connecting to [127.0.0.1] via relay…
    [email protected]… Deferred: Connection refused by [127.0.0.1]
    root@xxxxxxxPROD #

    root@xxxx PROD # netstat -nltp | grep :25
    root@xxx PROD #
    root@xxxx PROD # telnet localhost 25
    Trying 127.0.0.1…
    telnet: connect to address 127.0.0.1: Connection refused
    Trying ::1…
    telnet: connect to address ::1: No route to host
    root@xxxx PROD #
