Postfix Mail Relay Setup on RHEL / Rocky 9 & 10

This setup configures a Postfix relay so that system mail (e.g., from root, cron jobs, or applications) is forwarded through an external SMTP provider (e.g., Easyname).
It also forwards local root mail to a real external address.


1. Install required packages

sudo dnf install -y postfix cyrus-sasl-plain s-nail

Enable and start Postfix:

sudo systemctl enable --now postfix

2. Configure Postfix for relay

Edit /etc/postfix/main.cf and add/modify the following:

# Listen on all interfaces
inet_interfaces = all
inet_protocols = all

# Networks allowed to send mail without authentication
# (narrow these ranges to the subnets you actually use)
mynetworks = 127.0.0.0/8 192.168.0.0/16 10.0.0.0/8

# Relay host (Easyname SMTP)
relayhost = [smtp.easyname.com]:587

# SASL authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# smtp_use_tls is the legacy switch; smtp_tls_security_level below takes precedence
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

# Rewrite local mail to appear from your domain
myorigin = yourdomain.com

3. Store SMTP credentials

Create /etc/postfix/sasl_passwd with your Easyname login:

[smtp.easyname.com]:587 user2jx8:password2938

Secure and compile the map:

sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

On RHEL/Rocky 9+, Postfix uses LMDB (not hash).
This will create /etc/postfix/sasl_passwd.lmdb.


4. Forward root/system mail

Edit /etc/aliases and add:

root: yourname@yourdomain.com

Rebuild aliases:

sudo newaliases

Fix for SELinux on RHEL9+

If you see permission issues with /etc/aliases.lmdb, move it under /etc/postfix/:

sudo cp -a /etc/aliases /etc/postfix/aliases
sudo postconf -e "alias_maps = lmdb:/etc/postfix/aliases"
sudo postconf -e "alias_database = lmdb:/etc/postfix/aliases"
sudo newaliases
sudo restorecon -Rv /etc/postfix

5. Test sending mail

Send a test message:

echo "This is a test mail" | mail -s "Postfix relay test" root

Check logs:

journalctl -u postfix -n 50

You should see something like:

status=sent (250 OK id=...)

6. Hardening & sanity checks

  • Verify you are not an open relay. main.cf should contain: smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
  • Make sure only LAN hosts in mynetworks are allowed to send.
  • Set up SPF, DKIM, and DMARC for your domain in DNS for better deliverability.
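
The first two checks above, plus the TLS requirement from step 2, as an added example that is not part of the original guide: a POSIX shell function that reads `postconf` output on stdin and reports findings. The function names and the /24 threshold (MIN_PREFIX) are assumptions of this example; IPv6 ranges and table lookups in mynetworks are skipped.

```shell
#!/bin/sh
# Added example: audit relay-relevant settings read from `postconf` output.
# Live use: postconf | audit_relay        (exit status 0 = no findings)
MIN_PREFIX=${MIN_PREFIX:-24}   # assumption: a LAN range is a /24 or smaller

# Print the value of parameter $1 from "name = value" lines in file $2.
param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

report() { echo "FINDING: $*"; findings=$((findings + 1)); }

audit_relay() {
    conf=$(mktemp) || return 2
    cat > "$conf"
    findings=0

    # 1. Open-relay guard: a restriction list must refuse foreign destinations.
    relay=$(param smtpd_relay_restrictions "$conf")
    rcpt=$(param smtpd_recipient_restrictions "$conf")
    case "$relay $rcpt" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) report "no reject_unauth_destination in smtpd restrictions" ;;
    esac

    # 2. Every mynetworks range may relay without authentication.
    for net in $(param mynetworks "$conf" | tr ',' ' '); do
        case "$net" in
            127.*|*[!0-9./]*) continue ;;  # loopback, IPv6, table lookups
            */*) bits=${net#*/} ;;
            *) bits=32 ;;
        esac
        if [ "$bits" -lt "$MIN_PREFIX" ]; then
            report "mynetworks $net is broader than /$MIN_PREFIX"
        fi
    done

    # 3. SASL PLAIN credentials require mandatory TLS to the relayhost.
    level=$(param smtp_tls_security_level "$conf")
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) report "smtp_tls_security_level '$level' does not enforce TLS" ;;
    esac

    rm -f "$conf"
    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}
```

Fed the main.cf values from step 2, it flags 10.0.0.0/8 and 192.168.0.0/16 as ranges to narrow.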
