Postfix as outbound relay(s)

and masquerading internal hosts


Note the difference between a relay and an MSA. We’re considering that the first one can still listen on port 25/tcp (with STARTTLS enforced) while the latter would only listen on 465/tcp (SSL-only). The following guide is for setting up a relay, not a SASL submission agent.


We need it to be able to talk outbound on the public network to other MXes, and those may well check that we have a valid IPREV (the PTR of our source address resolving back to our name). You absolutely need to make sure that you’ve got a matching public A and PTR record for $myhostname.


See Install Postfix for the details; otherwise, on Ubuntu, it’s as simple as

apt install postfix bsd-mailx


mv -i /etc/postfix/ /etc/postfix/
grep -vE '^#|^$' /etc/postfix/ > /etc/postfix/
vi /etc/postfix/

myhostname, myorigin and mydestination should already be defined correctly

smtpd_banner = $myhostname ESMTP

mynetworks =,

in case this is a host with both public and internal interfaces, and you want to listen on the internal one only

#not CIDR networks but the addresses of the interfaces to bind to
inet_interfaces =, x.x.x.x
#mynetworks_style = subnet

and thereafter, check that you are listening on the internal interface only

netstat -lntup

netstat -an -f inet
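As an added check (example code, not from the original page), here is a small Python script that parses `netstat -lntup` style output and reports SMTP listeners bound to anything other than loopback or the internal interface. The sample output is constructed and 10.0.0.5 is a placeholder for the internal address; a wildcard bind such as `0.0.0.0` or `::` is always flagged, since it exposes the relay on every interface, the public one included.

```python
import re

# Constructed `netstat -lntup` style output (not captured from a real host);
# 10.0.0.5 stands in for the internal interface address.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:25             0.0.0.0:*               LISTEN      1234/master
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1234/master
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp6       0      0 :::25                   :::*                    LISTEN      1234/master
"""

WILDCARDS = {"0.0.0.0", "::"}

def smtp_listeners(netstat_text, port=25):
    """Local addresses on which a TCP socket listens on the given port."""
    binds = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        host, _, listen_port = fields[3].rpartition(":")   # "10.0.0.5:25" or ":::25"
        if listen_port.isdigit() and int(listen_port) == port:
            binds.append(host)
    return binds

def exposed_listeners(netstat_text, allowed, port=25):
    """SMTP binds outside the allowed internal/loopback set.
    A wildcard (0.0.0.0 or ::) means every interface, public ones included."""
    return [h for h in smtp_listeners(netstat_text, port)
            if h in WILDCARDS or h not in allowed]

if __name__ == "__main__":
    bad = exposed_listeners(NETSTAT_OUTPUT, {"127.0.0.1", "10.0.0.5"})
    print("exposed SMTP listeners:", bad or "none")
```

On a real host, feed it the output of `netstat -lntup` (or `netstat -an -f inet` on BSD) and the set of addresses you put in inet_interfaces.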

in case it’s not already enabled by default, listen on port 25/tcp, with or without chroot (the fifth column of master.cf)

mv -i /etc/postfix/ /etc/postfix/
grep -vE '^#|^$' /etc/postfix/ > /etc/postfix/
vi /etc/postfix/

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       n       -       -       smtpd


as a client

More hardening is welcome for validating remote MXes, e.g. eventually enforcing outbound STARTTLS. On the client side you are already fine with a self-signed certificate.

If that is enough for you and you don’t have the snakeoil certificate available, here’s a one-liner to generate a self-signed one

cd /etc/ssl/
#cd /etc/openssl/
openssl req -x509 -newkey rsa:2048 -out selfsign.crt -keyout selfsign.key -nodes -sha256 -days 9999

vi /etc/postfix/

smtpd_tls_cert_file = /etc/ssl/selfsign.crt
smtpd_tls_key_file = /etc/ssl/selfsign.key

as a server

You might also want to secure your internal network against SMTP/STARTTLS interception: eventually enforce inbound STARTTLS too, and set up a valid certificate for that matter.


Masquerading internal hosts changes the simple relaying scenario altogether. You may now have to actually receive mail bounces, which makes the host an actual MX (even without a dedicated DNS record), not just a relay. Hence a valid IPREV and a publicly resolvable $myhostname are no longer enough: you also need to take care of $myorigin and $mydestination.

We need an origin and a destination so that mail bounces end up somewhere while avoiding mail loops.

vi /etc/postfix/

smtpd_banner = relay for internal hosts
myhostname =
mydomain =
myorigin =
mydestination =

and do something like NAT for sender addresses (Return-Path)

masquerade_domains =
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical.regexp
#recipient_canonical_maps = hash:/etc/postfix/recipient_canonical

Dynamically, for any internal host and domain (the Received headers and the message data will still let you know which server originally sent the message)

vi /etc/postfix/sender_canonical.regexp


Note this has a mild security implication: any internal host, be it mallory, may use that relay and the return path will be yours.
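As an added illustration (example code, not the page’s own table, whose contents are not reproduced above): a Python model of how a regexp: sender_canonical table rewrites the envelope and header senders, using constructed placeholder domains. It also shows the narrower table the note above argues for, where only named hosts get the relay’s return path and an unknown internal host keeps its own address.

```python
import re

# Constructed tables with placeholder domains (not the page's sender_canonical.regexp).
# Broad rule: any user on any host under the internal zone gets the relay's domain.
BROAD_TABLE = r"""
/^([^@]+)@[^@]+\.internal\.example$/    ${1}@relay.example
"""
# Narrow rule: only the named hosts are masqueraded; an unknown internal host
# keeps its own address instead of inheriting the relay's return path.
STRICT_TABLE = r"""
/^([^@]+)@(web1|db1)\.internal\.example$/    ${1}@relay.example
"""

def load_regexp_table(text):
    """Parse a Postfix regexp: table into (compiled pattern, result) pairs, in order.
    Matching is case-insensitive unless a rule carries the 'i' flag, as in Postfix."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+?)/([imx]*)\s+(\S+)$", line)
        if m is None:
            raise ValueError("cannot parse rule: " + line)
        pattern, flags, result = m.groups()
        rules.append((re.compile(pattern, 0 if "i" in flags else re.IGNORECASE), result))
    return rules

def rewrite_address(addr, rules):
    """Return the address rewritten by the first matching rule ($1/${1}/$(1) expanded),
    or unchanged when no rule matches."""
    for pattern, result in rules:
        m = pattern.match(addr)
        if m:
            return re.sub(r"\$(?:\{(\d)\}|\((\d)\)|(\d))",
                          lambda s: m.group(int(s.group(1) or s.group(2) or s.group(3))),
                          result)
    return addr

def masquerade(envelope_from, headers, table_text):
    """Model sender_canonical_classes = envelope_sender, header_sender:
    rewrite the envelope sender plus the From: and Sender: headers."""
    rules = load_regexp_table(table_text)
    new_headers = dict(headers)
    for h in ("From", "Sender"):
        if h in new_headers:
            new_headers[h] = rewrite_address(new_headers[h], rules)
    return rewrite_address(envelope_from, rules), new_headers
```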


Even in the case of masquerading, where we might receive mail bounces, we don’t really want to host any messages locally. Check your mail aliases and apply them

vi /etc/aliases

#vi /etc/mail/aliases



Ubuntu (deals with chroot on its own)

postfix check
systemctl restart postfix

anywhere else

postfix check
service postfix restart


To hand mail over to a next-hop relay on port 25, use a transport map

mv /etc/postfix/transport /etc/postfix/transport.dist
vi /etc/postfix/transport

relay:[]:25

postmap /etc/postfix/transport
vi /etc/postfix/

transport_maps = hash:/etc/postfix/transport

postfix check
postfix reload


Send messages from hosts on your LAN or from your MUA

date | mail -s `hostname` root

and meanwhile check the logs on all the hosts on the way: source, relay and eventually destination

tail -F /var/log/maillog
#tail -F /var/log/mail.log




Alternatively, w/ generic maps (smtp_generic_maps only rewrites addresses in mail leaving through the SMTP client)

vi /etc/postfix/

smtp_generic_maps = hash:/etc/postfix/generic

vi /etc/postfix/generic


postmap /etc/postfix/generic
ls -lF /etc/postfix/generic.db

or w/ canonical maps (canonical_maps rewrites both envelope and header addresses of all mail passing through cleanup)

vi /etc/postfix/

canonical_maps = hash:/etc/postfix/canonical

vi /etc/postfix/canonical


postmap /etc/postfix/canonical
ls -lF /etc/postfix/canonical.db