Postfix

What Is It?

Postfix is an open-source Mail Transfer Agent (MTA) that routes and delivers email. It is the default MTA on many Linux distributions and handles SMTP communication between mail servers.

Installation

dnf install postfix

Key Files and Directories

Path                     Purpose
/etc/postfix/main.cf     Main configuration
/etc/postfix/master.cf   Service definitions
/var/log/maillog         Mail log
/var/spool/mail/         Local mailboxes

Default Ports

Port  Protocol  Purpose
25    TCP       SMTP — server-to-server mail relay
465   TCP       SMTPS — implicit TLS (legacy)
587   TCP       Submission — authenticated client mail sending

Configuration

Postfix configuration is split across two main files:

  • /etc/postfix/main.cf — primary settings (hostname, domain, network restrictions, delivery)
  • /etc/postfix/master.cf — service definitions (which daemons run, on which ports, with which options)

Minimal Working Configuration

Key settings in /etc/postfix/main.cf for a functional mail server:

# Server identity
myhostname = mail.example.sysadm.ee
# mydomain is derived automatically from myhostname
myorigin = $mydomain

# Listen on all interfaces
inet_interfaces = all
inet_protocols = ipv4

# Accept mail for these destinations
mydestination = mail.example.sysadm.ee,
    localhost.example.sysadm.ee,
    localhost,
    example.sysadm.ee

# Trust only the local machine (prevents open relay)
mynetworks_style = host

# Hand incoming mail to Dovecot via LMTP
mailbox_transport = lmtp:unix:private/dovecot-lmtp

Submission port (587) configuration in /etc/postfix/master.cf — allows authenticated clients to send mail:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

This enables SASL authentication via Dovecot on the submission port, allowing only authenticated users to relay mail.

Important Directives

myhostname
The FQDN of the mail server. Should match the DNS A record for your mail subdomain (e.g. mail.example.sysadm.ee).
mydomain
Derived automatically by stripping the first component from $myhostname. Do not set manually unless needed.
myorigin
The domain appended to outbound mail addresses. Typically set to $mydomain so emails appear as user@example.sysadm.ee rather than user@mail.example.sysadm.ee.
inet_interfaces
Which network interfaces Postfix listens on. Set to all for a public mail server, loopback-only for local-only delivery.
mydestination
List of domains this server considers "local" — mail for these domains is delivered to local mailboxes rather than forwarded.
mynetworks_style
Set to host to trust only the local machine. Prevents open relay.
relayhost
If set, all outbound mail is forwarded through this host. Leave empty for direct delivery.
mailbox_transport
Defines how local mail is delivered. Set to lmtp:unix:private/dovecot-lmtp to hand delivery to Dovecot.

Common Commands

# Install
sudo dnf install postfix

# Start now and enable at boot
systemctl start postfix
systemctl enable postfix

# Restart after configuration changes
systemctl restart postfix

# View active (non-default) configuration
postconf -n

# View default values
postconf -d

# Check a specific parameter
postconf myhostname

# View the mail queue
mailq

# Flush the mail queue (retry delivery)
postfix flush

# Send a test email from the command line
echo "Test body" | sendmail user@example.sysadm.ee

# Send with subject
echo -e "Subject: Test\n\nHello" | sendmail user@example.sysadm.ee

Logging and Debugging

All mail-related events are logged to /var/log/maillog. Each log entry shows:

  • Queue ID — tracks a message through the system
  • Sender and recipient addresses
  • Relay used for delivery
  • Status (sent, bounced, deferred)
  • Delay and size information

Example successful delivery:

Mar 14 08:35:38 vm postfix/local[2440731]: EA7172402742: to=<root@vm.sysadm.ee>,
  relay=local, delay=0.02, status=sent (delivered to mailbox)
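
The fields listed above can be pulled out of the log programmatically to find messages that never reached status=sent. The following is an added example, not part of the original page or of Postfix; the function names are hypothetical and the sample entries are constructed.

```python
import re

# Constructed sample in the maillog format shown above: the first entry is the
# page's example on one line; the other queue IDs, hosts and addresses are made up.
SAMPLE_LOG = """\
Mar 14 08:35:38 vm postfix/local[2440731]: EA7172402742: to=<root@vm.sysadm.ee>, relay=local, delay=0.02, status=sent (delivered to mailbox)
Mar 14 08:36:02 vm postfix/smtp[2440800]: 1B2C3D4E5F60: to=<alice@example.org>, relay=none, delay=30, status=deferred (connect to mx.example.org[192.0.2.10]:25: Connection timed out)
Mar 14 08:36:40 vm postfix/smtp[2440811]: 7A8B9C0D1E2F: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.3, status=bounced (host mx.example.net[198.51.100.7] said: 550 5.1.1 User unknown)
Mar 14 08:41:02 vm postfix/smtp[2440900]: 1B2C3D4E5F60: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=330, status=sent (250 2.0.0 Ok)
Mar 14 08:41:03 vm postfix/qmgr[1201]: 1B2C3D4E5F60: removed
"""

# Assumes the default short (hexadecimal) queue IDs; "NOQUEUE:" lines are skipped.
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ postfix/([\w/-]+)\[\d+\]: ([0-9A-F]+): (.*)$")
STATUS_RE = re.compile(r"status=(\w+)(?: \((.*)\))?\s*$")
FIELD_RE = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+)")

def parse_delivery(line):
    """Return the fields of one delivery attempt, or None for any other line."""
    m = LINE_RE.match(line)
    s = STATUS_RE.search(m.group(3)) if m else None
    if not s:
        return None  # "removed", "from=<...>", "message-id=..." and similar
    daemon, qid, rest = m.groups()
    # Read key=value pairs only from the text before status=, so the remote
    # server's reply quoted in parentheses is never parsed as fields.
    fields = dict(FIELD_RE.findall(rest[:s.start()]))
    return {"qid": qid, "daemon": daemon, "to": fields.get("to", "").strip("<>"),
            "relay": fields.get("relay"), "delay": float(fields.get("delay", 0)),
            "status": s.group(1), "reason": s.group(2)}

def delivery_summary(log_text):
    """Map (queue ID, recipient) to its latest attempt plus an attempt count."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec:
            key = (rec["qid"], rec["to"])
            rec["attempts"] = summary.get(key, {}).get("attempts", 0) + 1
            summary[key] = rec
    return summary

def undelivered(summary):
    """List (queue ID, recipient, status) where the latest status is not 'sent'."""
    return sorted((q, to, r["status"]) for (q, to), r in summary.items() if r["status"] != "sent")

if __name__ == "__main__":
    for row in undelivered(delivery_summary(SAMPLE_LOG)):
        print(*row)
```

A message that was deferred and later delivered under the same queue ID is counted as sent, because only the latest attempt per recipient decides the result.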

Troubleshooting checklist:

  1. systemctl status postfix — is the service running?
  2. tail -f /var/log/maillog — watch mail flow in real time
  3. postconf -n — verify configuration values
  4. mailq — are messages stuck in the queue?
  5. ss -tulpn | grep :25 — is Postfix listening?
  6. dig -t MX example.sysadm.ee — does DNS resolve correctly?

Security Considerations

  • Prevent open relay: Never set mynetworks to a broad range or leave relayhost misconfigured. Use mynetworks_style = host and require SASL authentication on the submission port.
  • Use submission port (587) for clients: Port 25 should only accept mail from other servers. Client mail submission should go through port 587 with authentication.
  • SASL via Dovecot: Postfix delegates authentication to Dovecot through a UNIX socket (private/auth). This avoids duplicating user databases.
  • TLS encryption: In production, configure TLS on both port 25 (opportunistic, via STARTTLS) and port 587 (required for submission). Without TLS, credentials on port 587 are sent in plaintext.
  • Firewall: Open ports 25 (SMTP) and 587 (submission) in both firewalld and cloud security groups. Port 25 must be open for your server to receive mail from other servers.
  • Reverse DNS (PTR): Many mail servers reject mail from IPs without valid reverse DNS. Ensure your PTR record matches your myhostname.
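
The relay, SASL and TLS points above can be checked against a configuration before it goes live. The following is an added example, not part of the original page or of Postfix: the function names are hypothetical, the inputs are constructed, and treating smtpd_tls_security_level=encrypt or smtpd_tls_auth_only=yes as "TLS enforced" is this example's assumption.

```python
import ipaddress

# Constructed inputs: a deliberately broad mynetworks in `postconf -n` form,
# and a trimmed copy of the submission entry shown earlier (no TLS option).
MAIN_CF = "mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8\nmynetworks_style = host\n"
MASTER_CF = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def parse_main(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    pairs = (line.partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if v.strip()}

def service_overrides(text, service="submission"):
    """Collect '-o name=value' overrides (one per line) of a master.cf service."""
    opts, inside = {}, False
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank and comment lines do not end a service entry
        if not line[0].isspace():
            inside = parts[0] == service  # a new service entry starts here
        elif inside and parts[0] == "-o" and len(parts) == 2:
            name, _, value = parts[1].partition("=")
            opts[name.strip()] = value.strip()
    return opts

def audit(main_cf, master_cf):
    """Return findings for the relay and submission rules listed above."""
    main, findings = parse_main(main_cf), []
    sub = {**main, **service_overrides(master_cf)}  # -o overrides main.cf values
    if "mynetworks" in main:  # an explicit mynetworks overrides mynetworks_style
        for item in main["mynetworks"].replace(",", " ").split():
            try:
                net = ipaddress.ip_network(item.replace("[", "").replace("]", ""), strict=False)
                if not net.is_loopback:
                    findings.append(f"mynetworks: {net} ({net.num_addresses} addresses) is trusted to relay")
            except ValueError:
                findings.append(f"mynetworks: review non-CIDR entry {item}")
    elif main.get("mynetworks_style") != "host":
        findings.append("mynetworks_style is not set to host")
    relay = sub.get("smtpd_relay_restrictions", "").replace(" ", "").split(",")
    if sub.get("smtpd_sasl_auth_enable") != "yes" or relay[-1] != "reject" or "permit_mynetworks" in relay:
        findings.append("submission: relay is not limited to SASL-authenticated clients")
    if sub.get("smtpd_tls_security_level") != "encrypt" and sub.get("smtpd_tls_auth_only") != "yes":
        findings.append("submission: TLS is not enforced before AUTH")
    return findings
```

On the constructed inputs, audit(MAIN_CF, MASTER_CF) reports the 10.0.0.0/8 entry and the missing TLS requirement on the submission service.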

Further Reading

  • Concepts: Email
  • SOPs: Mail Server Management