Configure Postfix to Relay Mail to an External SMTP Server on CentOS 7

The benefit of having two Postfix servers relaying email to an external SMTP server is redundancy.

This article is part of the Homelab Project with KVM, Katello and Puppet series.

Homelab

We have two CentOS 7 (minimal) servers installed which we want to configure as follows:

admin1.hl.local (10.11.1.2) – will be configured as a Postfix relay
admin2.hl.local (10.11.1.3) – will be configured as a Postfix relay

Both servers have SELinux set to enforcing mode.

See the image below to identify the homelab part this article applies to.

Software

Software used in this article:

  1. CentOS 7
  2. Postfix 2.10

Install Postfix

Note that this section applies to both servers.

Install Postfix and ensure that the service is enabled:

# yum install postfix cyrus-sasl-plain
# systemctl enable postfix

In case Sendmail is installed, remove it:

# yum remove -y sendmail*

Allow inbount firewall traffic:

# iptables -A INPUT -s 10.11.1.0/24 -p tcp -m state --state NEW --dport 25 -j ACCEPT

Configure Postfix Server as a Relay

Note that this section applies to both servers. Open /etc/postfix/main.cf for editing and configure the following:

smtpd_banner = $myhostname ESMTP
inet_interfaces = all
inet_protocols = ipv4

mynetworks = 127.0.0.0/8, 10.11.1.0/24
relayhost = [mail.example.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes

Create a new file /etc/postfix/sasl_passwd and add the authentication details of the external SMTP server:

[mail.example.com]:587 [email protected]:passwd

Prevent non-root access:

# chmod 0600 /etc/postfix/sasl_passwd

Create a database file:

# postmap /etc/postfix/sasl_passwd

Check configuration and restart Postfix service:

# postfix check
# systemctl restart postfix

Configure Postfix on a Null Client

When we configure other homelab servers to us Postfix to relay emails via admin1 and admin2, we can have a fallback relay defined (taken from the Postfix configuration file /etc/postfix/main.cf that’s on the Katello server):

relayhost = [admin1.hl.local]
fallback_relay = [admin2.hl.local]

This gives us redundancy in a way so that if one of the SMTP relays is down, we can send emails out via the second one.

Here is an example taken from our Katello server when both relays are operational:

[katello]# echo test|mailx -s TEST [email protected]
Feb 18 18:09:52 katello postfix/pickup[23067]: 328C73D94: uid=0 from=<root>
Feb 18 18:09:52 katello postfix/cleanup[23089]: 328C73D94: message-id=<[email protected]>
Feb 18 18:09:52 katello postfix/qmgr[23068]: 328C73D94: from=<[email protected]>, size=421, nrcpt=1 (queue active)
Feb 18 18:09:52 katello postfix/smtp[23091]: 328C73D94: to=<[email protected]>, relay=admin1.hl.local[10.11.1.2]:25, delay=0.13, delays=0.04/0.02/0.03/0.03, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4A557532)
Feb 18 18:09:52 katello postfix/qmgr[23068]: 328C73D94: removed

We see that email was relayed via admin1. Now, if the admin1 server was down, the email would get relayed via admin2:

Feb 18 18:11:17 katello postfix/pickup[23067]: A81993D96: uid=0 from=<root>
Feb 18 18:11:17 katello postfix/cleanup[23089]: A81993D96: message-id=<[email protected]>
Feb 18 18:11:17 katello postfix/qmgr[23068]: A81993D96: from=<[email protected]>, size=421, nrcpt=1 (queue active)
Feb 18 18:11:17 katello postfix/smtp[23091]: connect to admin1.hl.local[10.11.1.2]:25: Connection refused
Feb 18 18:11:17 katello postfix/smtp[23091]: A81993D96: to=<[email protected]>, relay=admin2.hl.local[10.11.1.3]:25, delay=0.2, delays=0.01/0/0.08/0.11, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as C9F614D6)
Feb 18 18:11:17 katello postfix/qmgr[23068]: A81993D96: removed

Leave a Reply

Your email address will not be published. Required fields are marked *