Before You Begin
This tutorial shows you how to install and set up the Postfix email server software on an Oracle Linux 8 system to enable you to send messages within your network.
Postfix is a Mail Transfer Agent (MTA) server that was developed as a replacement for the sendmail server, the default MTA on many older Linux systems. Because of its modular pipeline-based architecture, Postfix is vesatile and integrates easily with many other services, such as spam and anti-virus processing, as well as with message store software, such as the Dovecot IMAP and POP server.
This tutorial describes how to set up and configure Postfix to function primarily as a Simple Mail Transfer Protocol (SMTP) server.
What Do You Need?
Any system with Oracle Linux 8 installed.
Set the server hostname
Set the full server domain and IP address in the
/etc/hosts file, for example:
You can also change your hostname by using the hostnamectl command:
$ sudo hostnamectl set-hostname server1.example.com
Note that if you change the system's hostname, you should revise the
/etc/hosts file accordingly.
Install the postfix package.
$ sudo dnf install postfix
Open TCP port 25 for the firewall to enable emails to be sent over SMTP.
$ sudo firewall-cmd --zone=public --add-service=smtp --permanent $ sudo firewall-cmd --reload
sendmailpackage is installed on the system, remove it to prevent any interference with the normal operation of Postfix.
$ sudo dnf remove sendmail $ sudo alternatives --set mta /usr/sbin/sendmail.postfix
Enable and start the
$ sudo systemctl enable --now postfix
Set your configuration in the
/etc/postfix/main.cffile, for example:
myhostname = server1.example.com mydomain = example.com myorigin = $mydomain inet_interfaces = all inet_protocols = all mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain mynetworks = 192.168.1.0/24, 127.0.0.0/8 home_mailbox = mail/
$ sudo systemctl restart postfix
Configure Postfix for STARTTLS
As a bare minimum to secure the service, configure Postfix to support STARTTLS to perform TLS/SSL verification and encryption over an SMTP connection. Using STARTTLS helps to protect the integrity of your communications.
Oracle strongly recommends using a TLS/SSL certificate that has been signed by an external Certficate Authority (CA). See https://docs.oracle.com/en/operating-systems/oracle-linux/certmanage/ for more information.
If you already have a working SSL certificate, update your configuration in the
/etc/postfix/main.cffile, for example:
tls_random_source=dev:/dev/urandom # SMTPD TLS configuration for incoming connections smtpd_use_tls = yes smtpd_tls_cert_file = /etc/pki/tls/certs/mydomain.example.com.crt smtpd_tls_key_file = /etc/pki/tls/private/mydomain.example.com.key smtpd_tls_security_level = yes # SMTP TLS configuration for outgoing connections smtp_use_tls = yes smtp_tls_cert_file = /etc/pki/tls/certs/mydomain.example.com.crt smtp_tls_key_file = /etc/pki/tls/private/mydomain.example.com.key smtp_tls_security_level = yes
postfixservice to apply your changes:
$ sudo systemctl restart postfix
Configure Postfix as a Mail Submission Agent
A Mail Submission Agent (MSA) accepts mail from a Mail User Agent (MUA) or an email client application. Although most client applications can use a standard SMTP service directly, many SMTP servers are configured to perform validation, verification, and other anti-spam functions on this interface. An MSA is usually configured to perform authentication and reject non-authenticated connections that are not originating from a permitted network. Therefore, MSAs are nearly always also configured to use Transport Layer Security (TLS) to protect communications between client and server. This separation of functions can limit the amount of intensive processing of email for authenticated clients, as well as control who is able to send mail from of the Simple Mail Transfer Protocol (SMTP) server.
In this task, a legacy SMTPS service is also configured to handle mail connections from much older MUAs. Configuring this interface is optional and most modern mail clients no longer use SMTPS. Also, note that the default Cyrus SASL library is used for authentication, as this library is already linked with Postfix. Many implementations prefer to configure the Dovecot SASL implementation because it offers more flexibility and also comes with IMAP and POP3 services.
Install the Cyrus SASL authentication daemon.
$ sudo dnf install cyrus-sasl
Enable and start the SASL authentication service.
$ sudo systemctl enable --now saslauthd
/etc/postfix/main.cffile to configure some of the restriction parameters that you would apply for a typical MSA. Usually, this configuration would limit traffic to particular networks or force authentication. For example, add the following lines to the end of the file.
smtpd_restriction_classes = mua_sender_restrictions, mua_client_restrictions, mua_helo_restrictions mua_client_restrictions = permit_sasl_authenticated, reject mua_sender_restrictions = permit_sasl_authenticated, reject mua_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit
/etc/postfix/master.cffile to enable the
smtpsand submission services. The default configuration provides commented out entries for these services; it is sufficient to enable the lines for these services so that the entries read as follows:
submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_tls_auth_only=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_reject_unlisted_recipient=no -o smtpd_client_restrictions=$mua_client_restrictions -o smtpd_helo_restrictions=$mua_helo_restrictions -o smtpd_sender_restrictions=$mua_sender_restrictions -o smtpd_recipient_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING
Create additional firewall rules for SMTPS and SMTP-Submission. Note that SMTPS listens on TCP port 465, while SMTP-Submission listens on TCP port 587.
$ sudo firewall-cmd --permanent --add-service=smtps $ sudo firewall-cmd --permanent --add-service=smtp-submission $ sudo firewall-cmd --reload
postfixservice to apply your changes.
$ sudo systemctl restart postfix
Send emails with Postfix
mailxcommand-line email client.
$ sudo dnf install mailx
Send a test email to an administrator address.
$ echo "External email" | mailx -r email@example.com -s "Test email subject" firstname.lastname@example.org
You can now configure other services that are running on Oracle Linux 8 to send notification emails.
If Postfix emails are not being received, troubleshoot the service as follows:
- Check the spam folder on your email client and add the sender email address to your "Safe Senders" list.
- Test your local configuration by sending an email to a local user on the same server as
the Postfix service.
For example, the user
oraclewould have the email address
email@example.com. Any emails that the
oracleuser receives from Postfix are saved as a message in plain text format in the
- Verify whether messages are currently stuck in the Postfix message queue:
$ sudo mailq
$ sudo tail -f /var/log/maillog
Want to Learn More?
Oracle Linux: Install the Postfix Email Server
Copyright © 2020, Oracle and/or its affiliates.
This tutorial shows you how to install and set up the Postfix email server software on an Oracle Linux 8 system so that you are able to send messages from inside your own network.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs) and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government end users are "commercial computer software" or "commercial computer software documentation" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use, reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/or adaptation of i) Oracle programs (including any operating system, integrated software, any programs embedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oracle computer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in the license contained in the applicable contract. The terms governing the U.S. Government's use of Oracle cloud services are defined by the applicable contract for such services. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc, and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.