On RHEL 7, Postfix is used as the mail service.
We are going to deploy Postfix on a null client. A null client is a machine that can only send mail. It receives no mail from the network, and it does not deliver any mail locally. We use a RHEL 7.0 virtual machine in this article.
Please check this post if you need to configure Postfix as a gateway.
Configure Postfix on a Null Client
The postfix package should be installed by default. If it is not, install it:
# yum install -y postfix
Ensure the service is enabled on boot:
# systemctl enable postfix
Now, I saw some people adding a firewalld rule to allow incoming traffic for an smtp service. This is normally required for a central SMTP server, but makes little to no sense when talking about a null client. A null client cannot receive emails from outside, therefore no firewall configuration is required.
Only a few parameters are important for setting up an environment where email can be forwarded to a central mail server.
The following file has quite a few Postfix configuration examples:
# less /usr/share/doc/postfix-2.10.1/README_FILES/STANDARD_CONFIGURATION_README
Check the “Postfix on a null client” section for more info.
Open the file /etc/postfix/main.cf for editing, and add the following:
myhostname = srv1.rhce.local
mydomain = rhce.local
myorigin = $mydomain
relayhost = [10.8.8.70]
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128
local_transport = error: local delivery disabled
The relayhost prevents mail from getting stuck on the null client if it is turned off while some remote destination is unreachable.
The loopback-only value of inet_interfaces tells Postfix not to accept mail from the network. Only messages that originate from the 127.0.0.0/8 network and the [::1]/128 network are forwarded to the relay host by the null client.
We prevent the local null client from sorting any mail into mailboxes by setting the local_transport parameter. We also disable local mail delivery by leaving mydestination empty. All mail goes to the mail server as specified in relayhost. Note that we can also use a DNS name for the relayhost, as well as turn off MX lookups by putting a record in square brackets.
Check for syntax errors:
# postfix check
Restart the service:
# systemctl restart postfix
Send a test email to the root user:
# echo test | mailx -s Test root
Check /var/log/maillog:
postfix/pickup[2636]: 3DF9920832: uid=0 from=<root>
postfix/cleanup[2668]: 3DF9920832: message-id=<[email protected]>
postfix/qmgr[2637]: 3DF9920832: from=<[email protected]>, size=416, nrcpt=1 (queue active)
postfix/smtp[2670]: 3DF9920832: to=<[email protected]>, orig_to=<root>, relay=10.8.8.70[10.8.8.70]:25, delay=0.36, delays=0.3/0/0/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 5794EC3287)
postfix/qmgr[2637]: 3DF9920832: removed
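As an added example (not part of the original article), the following POSIX shell check parses a main.cf and flags deviations from the null-client settings above, including the case where mydestination is absent rather than empty. The function names get_param, fail and audit_null_client and the sample file are constructed for illustration.

```sh
#!/bin/sh
# get_param FILE NAME: print the effective value; exit 1 if NAME is never set.
# Handles '#' comments, whitespace-led continuation lines, and last-wins.
get_param() {
    awk -v want="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (name != "") val[name] = val[name] " " $0; next }
        { eq = index($0, "="); if (!eq) { name = ""; next }
          name = substr($0, 1, eq - 1); gsub(/[ \t]/, "", name)
          val[name] = substr($0, eq + 1) }
        END { if (!(want in val)) exit 1
              v = val[want]; gsub(/^[ \t]+|[ \t]+$/, "", v); print v }
    ' "$1"
}

fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# audit_null_client FILE: print findings; return the number of failed checks.
audit_null_client() {
    f=$1; fails=0
    [ "$(get_param "$f" inet_interfaces)" = "loopback-only" ] ||
        fail "inet_interfaces is not loopback-only: port 25 may be reachable from the network"
    # An absent mydestination falls back to the built-in default, which
    # includes $myhostname, so it must be present AND empty.
    md=$(get_param "$f" mydestination) && [ -z "$md" ] ||
        fail "mydestination must be set to an empty value"
    case "$(get_param "$f" local_transport)" in error:*) ;; *) fail "local_transport does not use error:" ;; esac
    [ -n "$(get_param "$f" relayhost)" ] || fail "relayhost is not set"
    set -f   # keep [::1]/128 from being expanded as a glob pattern
    for net in $(get_param "$f" mynetworks | tr ',' ' '); do
        case $net in 127.0.0.0/8|'[::1]/128') ;; *) fail "mynetworks trusts non-loopback network $net" ;; esac
    done
    set +f
    return "$fails"
}

# Demo on a constructed file: the settings above plus one extra trusted network.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
relayhost = [10.8.8.70]
inet_interfaces = loopback-only
mydestination =
mynetworks = 127.0.0.0/8 [::1]/128,
    10.8.8.0/24
local_transport = error: local delivery disabled
EOF
audit_null_client "$tmp" && echo "OK" || echo "$? check(s) failed"
rm -f "$tmp"
```

On a live host, compare the result with `postconf -n`, which prints the non-default settings Postfix actually loaded.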
Configure Postfix as a Central Mail Server for a Domain
To test email delivery, we can use a FreeIPA server that we set up some time ago, and configure it as a central mail server for our rhce.local domain.
The following /etc/postfix/main.cf configuration should do the job:
myhostname = ipa.rhce.local
mydomain = rhce.local
myorigin = rhce.local
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
The mydestination parameter specifies the list of domains that the server considers itself the final destination for.
Configure firewall and restart the Postfix service:
# firewall-cmd --add-service=smtp --permanent
# firewall-cmd --reload
It is useful to know that we can delete all messages from the email queue with postsuper:
# postsuper -d ALL
Hello,
How do I figure out which IP is the relayhost in Exam?
Relayhost meaning the main server right?
Regards!
I don’t use Exim anymore, but I believe that I had a route_list configured to relay emails. Relayhost means the next server where you want to forward emails to, it may be the main server, or it may be just another relay.
I have noticed that a null client doesn’t require smtp to be enabled on the firewall, which makes sense since no one is connecting to the server …
You are right, and that’s exactly what I mentioned in the blog post.
Hi Tomas, will I fail the exam if I don’t set the local_transport = error: local delivery disabled ?
I honestly don’t know.
Hi, if the exam explicitly says that you have to configure the local_transport and you don’t, then you failed, but if the exam doesn’t require it, then it is ok.
If that’s the case then you would obviously fail at this particular exam task, but I seriously doubt that making such a mistake would cause you to fail the whole exam. To drop a few points? Yes. To fail the exam? Highly unlikely.
Hey Tomas, what about user-based security for SMTP? Are different smtpd_*_restrictions the exam objective?
And what about mapping: virtual, relocated, transport…?
I appreciate you may have questions, but any exam objective related question is best raised directly with RedHat.
You need to know smtpd_client_restrictions. Please take a look here, I’ve covered Postfix as well.
The configuration given here for the ipa server results in mail delivery errors due to NIS failures. For example, you will see the following error in the mail logs.
May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: warning: lookup [email protected], NIS domain rhce.local, map mail.aliases: internal yp server or client error
May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: warning: nis:mail.aliases lookup error for “[email protected]”
May 12 10:51:19 ipa.rhce.local postfix/smtpd[21492]: NOQUEUE: reject: RCPT from srv1.rhce.local[10.8.8.71]: 451 4.3.0 : Temporary lookup failure; from= to= proto=ESMTP helo=
To fix this the /etc/postfix/main.cf file should have a line added as follows.
alias_maps = hash:/etc/aliases
I’d also suggest setting inet_protocols to “all” as you are instructed to give the VM an IPv6 address along with IPv4.
Thanks, yes, I have this directive configured on my server.
mail server : ipa.example.local ( with two ipa users u1 , u2 )
null client ( client.example.local ) ( local users u3, u4 )
null client ( client1.example.local ) ( local users u5, u6 )
can we send email from client.example.local to user u5 or u6 ,, i.e. send email to local users who are not on email server ?
I’m not sure on what you mean by saying that “users are not on email server”, but you can send emails to users who have mailboxes. If users u5 and u6 have mailboxes, then the mail server should be able to deliver email.
to rephrase,
mail server : ipa.example.local ( with two ipa users u1 , u2 )
null client ( client.example.local ) ( local users u3, u4 )
null client ( client1.example.local ) ( local users u5, u6 )
when i send emails from null client to ( two ipa users u1 , u2 ) >>>> it’s successful.
but when i send email from ( client.example.local ) to ( client1.example.local ) ( local users u5, u6 ) , mail is delivered but mail box is empty on client1.example.local …
as per my understanding , we cant only send email to users whose accounts are created on mail server . ipa.example.local — in this case ( and they are not local users )
and we can not send email to users on { client.example.local , and client1.example.local } — users on these systems are local users.
Please correct me if i am wrong
I hope i have clarified my question
You cannot send emails from client.example.local to client1.example.local as both are null clients and neither of them can receive emails. A null client can only send mail, it cannot receive mail from your network. That’s the reason why the mailbox on client1.example.local is empty.
Do we need to setup postfix on Server1 and Server2?
Yes, if you want email to work.
Hi Tomas,
My environment is host with two virtual machines
host.example.com, vm1.example.com, vm2.example.com.
My question is how to configure postfix on vm2 (vm2.example.com) so that mail destined for host
(host.example.com) from localhost for user robert have to receive mail on vm2 (vm2.example.com)
You can use relayhost and mydomain to configure Postfix to relay emails.
Hello, Tomas!
I think there’s small typo in “Configure Postfix on a Null Client” section. You list parameters from main.cf to be changed. In case of IPv6 in use, I think it should be:
(…)
mynetworks = 127.0.0.0/8 [::1]/128
(…)
Whereas your example is missing ‘1’ in IPv6 loopback address. (” [::]/128 “).
Best Regards,
Lukasz
You are right, thanks very much! I’ve updated the article.
Hi, I found one question about relayhost.
“All messages not addressed @srv1.rhce.local or @localhost[.localdomain] should be forwarded to the SMTP server”
this mean I must write this domains in mydestination ?
Yes, the mydestination parameter specifies what domains the machine will deliver locally.
Hi Tomas
I have a small issue here.
I have three machine lab setup
serv1.rhce.local = 10.8.8.50
serv2.rhce.local = 10.8.8.51
ipa.rhce.local = 10.8.8.2
i added following lines in main.conf file on serv2 machine
myhostname = serv2.rhce.local
mydomain = rhce.local
myorigin = $mydomain
relayhost = [10.8.8.2] <———- ipa ip
inet_interfaces = loopback-only
mydestination =
mynetworks= 127.0.0.0/8, [::1]/128
local_transport = error:local mail delivery is disabled
when i try "echo test | mailx -s Test root" in maillog it is showing.
Mar 10 12:48:26 serv2 postfix/pickup[6417]: 348EF22A419B: uid=0 from=
Mar 10 12:48:26 serv2 postfix/cleanup[6516]: 348EF22A419B: message-id=
Mar 10 12:48:26 serv2 postfix/qmgr[6418]: 348EF22A419B: from=, size=422, nrcpt=1 (queue active)
Mar 10 12:48:26 serv2 postfix/smtp[6488]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
Mar 10 12:48:26 serv2 postfix/smtp[6488]: 348EF22A419B: to=, orig_to=, relay=none, delay=0.11, delays=0.1/0/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)
Mar 10 12:51:58 serv2 postfix/qmgr[6418]: 632B622A4199: from=, size=422, nrcpt=1 (queue active)
Mar 10 12:51:58 serv2 postfix/qmgr[6418]: 6AF8422A419A: from=, size=422, nrcpt=1 (queue active)
Mar 10 12:51:58 serv2 postfix/smtp[6629]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
Mar 10 12:51:58 serv2 postfix/smtp[6630]: connect to 10.8.8.2[10.8.8.2]:25: Connection refused
Mar 10 12:51:58 serv2 postfix/smtp[6629]: 632B622A4199: to=, orig_to=, relay=none, delay=597, delays=597/0.09/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)
Mar 10 12:51:58 serv2 postfix/smtp[6630]: 6AF8422A419A: to=, orig_to=, relay=none, delay=459, delays=459/0.08/0/0, dsn=4.4.1, status=deferred (connect to 10.8.8.2[10.8.8.2]:25: Connection refused)
And on serv1 when i run command “postconf -d myhostname” it shows “serv1.localdomain” instead of “serv1.rhce.local” when on serv2 it is showing “serv2.rhce.local”
It looks like your SMTP relay is refusing connections. Make sure that the Postfix service is running, and that firewall is configured to allow traffic.
For the second issue, re-configure myhostname variable with the correct value and restart the service.
Yes postfix is enabled and service running on relay [IPA-Server] and SMTP service + port 25/tcp is also added in firewall. But still same issue.
Can you telnet into 10.8.8.2:25 from serv2?
Did the telnet from serv2 –> IPA:25 connection refused
Trying 10.8.8.2…
telnet: connect to address 10.8.8.2: Connection refused
On IPA server rules are allowed on port 25 and even added smtp service
public (default, active)
interfaces: enp0s3
sources:
services: dhcpv6-client dns smtp ssh
ports: 443/tcp 80/tcp 88/udp 464/udp 88/tcp 25/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.8.8.50" masquerade
——————————————–
[root@ipa (~)]$ > firewall-cmd --list-all --zone=dmz
dmz (active)
interfaces: enp0s8
sources:
services: dns iscsi-target smtp ssh
ports: 443/tcp 80/tcp 88/udp 464/udp 88/tcp 25/tcp 123/udp 389/tcp 53/tcp 53/udp 636/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
And smtp service is running on IPA server
If you cannot telnet into the port then it’s likely a firewall issue. Disable firewall on the IPA server and try telneting again. If that works, then it’s the firewall on the IPA server.
You seem to have different firewalld zones configured. What’s the output from:
Also, what’s the output from:
Stopped firewalld service
And then did telnet on 25 and same connection refused
Postfix is listening on port 25
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1793/master
tcp6 0 0 ::1:25 :::* LISTEN 1793/master
Yes i made two zones Public and DMZ and port and service is allowed on both Zones
dmz
interfaces: enp0s8
public
interfaces: enp0s3
And public zone is default
You’ve configured Postfix to listen on localhost only. This is not going to work if you want to use it as a relay. Change this:
inet_interfaces = all
Then restart Postfix, and try again.
Thanks Tomas, it helped. Yes, you are right, I forgot to configure the Postfix server to listen on all interfaces.
But after doing all things, when i again send the test message in logs it showed that “connection timed out” on null client (serv2) so i added 10.8.8.0/24 “mynetworks = 127.0.0.0/8, [::1]/128, 10.8.8.0/24” and restarted the postfix service and again send the message. This time no error. below are the logs.
Mar 17 10:40:09 serv2 postfix/pickup[2881]: 0FDDB22730A0: uid=0 from=
Mar 17 10:40:09 serv2 postfix/cleanup[2911]: 0FDDB22730A0: message-id=
Mar 17 10:40:09 serv2 postfix/qmgr[2882]: 0FDDB22730A0: from=, size=439, nrcpt=1 (queue active)
Mar 17 10:40:09 serv2 postfix/smtp[2897]: 0FDDB22730A0: to=, relay=10.8.8.2[10.8.8.2]:25, delay=0.17, delays=0.13/0/0.01/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 70FD644BC683)
Mar 17 10:40:09 serv2 postfix/qmgr[2882]: 0FDDB22730A0: removed
And by using postcat -vq “ID” it showed it is available in queue
D3FCE4533719 2612 Sun Mar 17 10:44:59 MAILER-DAEMON
(connect to serv2.rhce.local[10.8.8.51]:25: Connection refused)
[email protected]
Great, I see from the logs that the message status is status=sent. Well done sorting it out!
hi i am having problem
Apr 18 16:17:44 ipaserver postfix/pickup[70129]: 0B0E611ABD2A: uid=0 from=
Apr 18 16:17:44 ipaserver postfix/cleanup[70142]: 0B0E611ABD2A: message-id=
Apr 18 16:17:44 ipaserver postfix/qmgr[70130]: 0B0E611ABD2A: from=, size=441, nrcpt=1 (queue active)
Apr 18 16:17:44 ipaserver postfix/smtp[70133]: warning: relayhost configuration problem
Apr 18 16:17:44 ipaserver postfix/smtp[70133]: 0B0E611ABD2A: to=, orig_to=, relay=none, delay=0.21, delays=0.2/0/0/0, dsn=4.3.5, status=deferred (mail for 127.0.0.1 loops back to myself)
why its getting into deferred
The error would suggest that you are using 127.0.0.1 as a mail relay.
in my system, the relay-host address has to be written as IP address, not as server name (FQDN hostname) into square brackets in order for the mail to be delivered; I use Linux CentOS Linux release 7.6.1810 (Core) with kernel 3.10.0-957.10.1.el7.x86_64; in other words,
relayhost = [server.example.com] does NOT work
relayhost = 192.168.189.140 works
Does the FQDN resolve to the same IP address as per your example?
Thanks for this, this little tutorial saved me a lot of time and trouble!
No worries, you’re welcome.
Can I view the mail in the second system ,it was sent from first system . The first system is the NIS Server and the second system is the NIS client. I sent mail from one NIS User to other NIS User. And I logged as NIS recipient User in second system. But I can’t view the mail I sent in the recipient User.
I am getting below error while trying to send email , Server is RHEL 7 and postfix is configured properly
Can you please help me with solution for it.
root@xxxxxxxPROD # echo "Subject: sendmail test" | sendmail -v [email protected]
[email protected]… Connecting to [127.0.0.1] via relay…
[email protected]… Deferred: Connection refused by [127.0.0.1]
root@xxxxxxxPROD #
root@xxxx PROD # netstat -nltp | grep :25
root@xxx PROD #
root@xxxx PROD # telnet localhost 25
Trying 127.0.0.1…
telnet: connect to address 127.0.0.1: Connection refused
Trying ::1…
telnet: connect to address ::1: No route to host
root@xxxx PROD #
Hi, there is no service listening on port 25, therefore your Postfix is most likely misconfigured.