Authentication for Postfix
Before you get started, make sure that you have a SASL authentication package like cyrus or libsasl. You can install them using one of these commands:
For Debian, Ubuntu, etc:
$ apt-get install libsasl2-modules
For CentOS, Fedora, RedHat:
$ yum install cyrus-sasl-plain
If you don't have one of these packages, or if you're getting a no mechanism found error, you may need to update the authentication package or package dependencies.
Check Your Hostname
To properly relay the mail, your hostname needs to be a fully-qualified domain name. The default specifies the local machine as the hostname, which may not be a FQDN. You can check by running:
$ hostname -f
If this outputs a FQDN, you're all set. Otherwise, you need to add a myhostname or mydomain parameter to your main.cf file.
Store Authentication Information for Transactional Email
If you already have a file in /etc/postfix/ for SASL passwords, open that file. If not, create a file with a name like sasl_passwd (or something else descriptive in /etc/postfix/). On a new line, add these values (replacing USERNAME with your account username, and API_KEY with an active API key for your Transactional Email account):
[smtp.mandrillapp.com] USERNAME:API_KEY
After you save this file, chmod it so that only root can read or write it:
$ chmod 600 /etc/postfix/sasl_passwd
Anytime you change your credentials, save the file and then postmap it:
$ postmap /etc/postfix/sasl_passwd
Set Up Postfix to Relay Through Transactional Email
In your Postfix configuration file, typically /etc/postfix/main.cf, add or adjust these options:
# enable SASL authentication
smtp_sasl_auth_enable = yes
# tell Postfix where the credentials are stored
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# use STARTTLS for encryption
smtp_use_tls = yes
relayhost = [smtp.mandrillapp.com]
After saving the configuration, reload or restart Postfix.
When you use TLS for encryption, you may need to add extra parameters so that Postfix knows where to find the certificate bundles on your system.
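The credential file and relay settings above can be checked with a short script. This is an added example, not part of the original guide: the function names cf_get, file_mode and audit_relay are hypothetical, and the mandatory-TLS check is this example's own addition rather than a setting the guide lists. The relayhost lookup check is skipped when relayhost is empty.

```shell
#!/bin/sh
# Added example: audits copies of main.cf and sasl_passwd; function names are illustrative.

# Effective value of a main.cf parameter (the last assignment wins).
cf_get() {  # cf_get FILE PARAM
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_relay() {  # audit_relay MAIN_CF SASL_PASSWD
    cf=$1; pw=$2; rc=0
    # postmap writes sasl_passwd.db beside the source; it holds the same secret.
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        m=$(file_mode "$f")
        case $m in
            600|400) ;;
            *) echo "PERMS: $f is mode $m, expected 600"; rc=1 ;;
        esac
    done
    # The lookup key must match relayhost exactly, brackets included.
    rh=$(cf_get "$cf" relayhost)
    if [ -n "$rh" ] && ! awk -v k="$rh" '$1 == k { hit = 1 } END { exit !hit }' "$pw"; then
        echo "LOOKUP: no sasl_passwd entry keyed $rh"; rc=1
    fi
    # smtp_use_tls = yes is opportunistic: without a STARTTLS offer the session,
    # AUTH included, proceeds in cleartext. A mandatory level prevents that.
    case $(cf_get "$cf" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "TLS: smtp_tls_security_level is not a mandatory level"; rc=1 ;;
    esac
    return $rc
}

# Constructed demo: the page's settings, with the credential file left at mode 644.
d=$(mktemp -d)
printf '%s\n' 'smtp_sasl_auth_enable = yes' 'smtp_sasl_security_options = noanonymous' \
    'smtp_use_tls = yes' 'relayhost = [smtp.mandrillapp.com]' > "$d/main.cf"
printf '%s\n' '[smtp.mandrillapp.com] USERNAME:API_KEY' > "$d/sasl_passwd"
chmod 644 "$d/sasl_passwd"
audit_relay "$d/main.cf" "$d/sasl_passwd" || true
rm -rf "$d"
```

With the settings exactly as listed in the guide, the TLS finding remains until smtp_tls_security_level = encrypt (or a stricter level) is added to main.cf.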
Relay only certain emails through Transactional Email
The configuration options shown earlier will relay all mail being sent for your Postfix server through Transactional Email. If you only want emails being sent from sender@yourdomain.com and sender1@sub.yourdomain.com relayed through Transactional Email, remove the relayhost parameter value, and add the sender_dependent_relayhost_maps parameter:
relayhost =
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_maps
Then add this to /etc/postfix/relayhost_maps:
sender@yourdomain.com [smtp.mandrillapp.com]
sender1@sub.yourdomain.com [smtp.mandrillapp.com]
Add extra lines if you want emails for other senders relayed through specific relayhosts, and make sure to modify your sasl_passwd file so that it has a line for each relayhost being used.
Postmap that file:
$ postmap /etc/postfix/relayhost_maps
Reload or restart Postfix.
Send a Test Email With Postfix
Send a test email using sendmail or another command-line mail client:
$ sendmail RECIPIENT@domain.com
From: you@yourdomain.com
Subject: Testing from Postfix
This is a test email
.
Take a look at the Postfix logs to see the status of the email:
$ tail -f /var/log/syslog
Routing Loops
If Postfix is accepting and relaying mail, make sure that you've configured all your local domains in Postfix so that Postfix doesn't try to relay those through Transactional Email (which can result in a mailing loop). Use the mydestination parameter in /etc/postfix/main.cf so Postfix doesn't relay those emails through Mandrill:
mydestination = localhost.localdomain, localhost, mydomain.com, mydomain.net
# make sure to list any domains that Postfix should use for local delivery
Note
You'll need to add SPF and DKIM records and verify ownership of your sending domains before you can send email through your account. Transactional Email will not send any email from unverified domains or domains without valid SPF and DKIM records, including public domains like gmail.com, yahoo.com, and more.
A message that is rejected with the reject reason unsigned indicates that the sending domain hasn't been properly set up, and that your account is unable to send and authenticate email from that domain.
Learn more about SPF and DKIM and domain verification, or manage sending domains in your Transactional Email account.