How to Use Postfix to Send Email with Mandrill

Authentication for Postfix

Before you get started, make sure that you have a SASL authentication package like cyrus or libsasl. You can install them using one of these commands:

For Debian, Ubuntu, etc:

$ apt-get install libsasl2-modules

For CentOS, Fedora, RedHat:

$ yum install cyrus-sasl-plain

If you don't have one of these packages, or if you're getting a "no mechanism found" error, you may need to update the authentication package or package dependencies.

Check Your Hostname

To properly relay the mail, your hostname needs to be a fully-qualified domain name. The default specifies the local machine as the hostname, which may not be a FQDN. You can check by running:

$ hostname -f

If this outputs a FQDN, you're all set. Otherwise, you need to add a myhostname or mydomain parameter to your main.cf file.

Store Authentication Information for Mandrill

If you already have a file in /etc/postfix/ for SASL passwords, open that file. If not, create a file in /etc/postfix/ with a name like sasl_passwd (or something else descriptive). On a new line, add these values (replacing USERNAME with your account username, and API_KEY with an active API key for your Mandrill account):

[smtp.mandrillapp.com] USERNAME:API_KEY

After you save this file, you should chmod it so that only root can read or write the file:

$ chmod 600 /etc/postfix/sasl_passwd

Anytime you change your credentials, save the file and then postmap it:

$ postmap /etc/postfix/sasl_passwd

Set Up Postfix to Relay Through Mandrill

In your Postfix configuration file, typically /etc/postfix/main.cf, add or adjust these options:

# enable SASL authentication
smtp_sasl_auth_enable = yes
# tell Postfix where the credentials are stored
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd 
smtp_sasl_security_options = noanonymous
# use STARTTLS for encryption
smtp_use_tls = yes 
relayhost = [smtp.mandrillapp.com]

After saving the configuration, reload or restart Postfix.

When you use TLS for encryption, you may need to add extra parameters so that Postfix knows where to find the certificate bundles on your system.

Relay only certain emails through Mandrill

The configuration options shown earlier will relay all mail being sent for your Postfix server through Mandrill. If you only want emails being sent from sender@yourdomain.com and sender1@sub.yourdomain.com relayed through Mandrill, remove the relayhost parameter value, and add the sender_dependent_relayhost_maps parameter:

relayhost = 
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps

Then add this to /etc/postfix/relayhost_maps:

sender@yourdomain.com       [smtp.mandrillapp.com]
sender1@sub.yourdomain.com  [smtp.mandrillapp.com]

Add extra lines if you want emails for other senders relayed through specific relayhosts (and make sure to modify your sasl_passwd file so that it has a line for each relayhost being used).

Postmap that file:

$ postmap /etc/postfix/relayhost_maps

Reload or restart Postfix.
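
The checks below are an added example, not part of the original guide or of Mandrill's or Postfix's own tooling: a shell function that audits the files configured above for the mistakes these steps are prone to (a sasl_passwd key that does not match relayhost exactly, a credentials file readable by other users, a relay hop in relayhost_maps without credentials, and TLS that is only opportunistic). The function names and finding labels are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. It reads the files directly so it
# runs offline; on a live host `postconf -h NAME` prints the effective value.

# Print the last value assigned to parameter $2 in main.cf-style file $1.
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed if credentials file $1 has a line whose lookup key is exactly $2.
has_cred() {
    awk -v k="$2" '$1 == k { found = 1 } END { exit !found }' "$1"
}

# audit_relay MAIN_CF SASL_PASSWD [RELAYHOST_MAPS]
# Prints one finding per line and nothing when the setup passes every check.
audit_relay() {
    [ "$(cf_get "$1" smtp_sasl_auth_enable)" = yes ] || echo "sasl-disabled"
    # chmod 600: characters 5-10 of the mode string are the group/other bits.
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] || echo "passwd-readable-by-others"
    # The lookup key must equal the next hop as written, brackets included.
    relay=$(cf_get "$1" relayhost)
    { [ -z "$relay" ] || has_cred "$2" "$relay"; } || echo "no-credentials:$relay"
    if [ -n "${3:-}" ]; then
        awk '!/^#/ && NF >= 2 { print $2 }' "$3" | sort -u | while read -r hop; do
            has_cred "$2" "$hop" || echo "no-credentials:$hop"
        done
    fi
    # smtp_use_tls = yes is opportunistic: if STARTTLS is not offered, the session
    # and the SASL login continue in cleartext. The levels below refuse to do that.
    case $(cf_get "$1" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "tls-not-mandatory" ;;
    esac
}

# Constructed sample files: the page's settings, with two deliberate mistakes.
demo=$(mktemp -d)
printf '%s\n' 'smtp_sasl_auth_enable = yes' 'smtp_use_tls = yes' \
    'relayhost = [smtp.mandrillapp.com]' > "$demo/main.cf"
# Mistake 1: key lacks the brackets used in relayhost. Mistake 2: mode 644.
printf '%s\n' 'smtp.mandrillapp.com USERNAME:API_KEY' > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf" "$demo/sasl_passwd"
rm -rf "$demo"
```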

Send a Test Email With Postfix

Send a test email using sendmail or another command-line mail client:

$ sendmail RECIPIENT@domain.com
From: you@yourdomain.com
Subject: Testing from Postfix
This is a test email
.

Take a look at the Postfix logs to see the status of the email:

$ tail -f /var/log/syslog

Routing Loops

If Postfix is accepting and relaying mail, make sure that you've configured all your local domains in Postfix so that Postfix doesn't try to relay those through Mandrill (which can result in a mailing loop). Use the mydestination parameter in /etc/postfix/main.cf so Postfix doesn't relay those emails through Mandrill:

mydestination = localhost.localdomain, localhost, mydomain.com, mydomain.net 
# make sure to list any domains that Postfix should use for local delivery

Note

You'll need to add SPF and DKIM records and verify ownership of your sending domains before you can send email through your account. Mandrill will not send any email from unverified domains or domains without valid SPF and DKIM records, including public domains like gmail.com, yahoo.com, and more.

A message that is rejected with the reject reason unsigned indicates that the sending domain hasn't been properly set up, and that your account is unable to send and authenticate email from that domain.

Learn more about SPF and DKIM and domain verification, or manage sending domains in your Mandrill account.