By /
Postfix to Mailcow

Build a Modern Mail Relay: A Step-by-Step Guide to Integrating Postfix with Mailcow

In today’s digital world, ensuring your emails reach their destination is more critical than ever. Whether you’re sending transactional emails from a web application or running a newsletter, having your messages land in the spam folder is a recipe for disaster. A robust and properly configured mail relay is the key to maximizing deliverability and protecting your sender reputation.

This guide will walk you through building a modern, secure, and efficient mail relay using the powerful combination of Postfix and Mailcow. We’ll set up a centralized smarthost with Mailcow to handle all outgoing mail, and configure a Postfix server to securely relay messages through it. By the end of this tutorial, you’ll have a professional-grade email setup that will significantly improve your email deliverability.

Why a Modern Mail Relay?

Before we dive in, let’s quickly cover the benefits of this setup:

  • Improved Deliverability: By using a dedicated smarthost with proper authentication (SPF, DKIM, and DMARC), you’ll build a strong sender reputation and reduce the chances of your emails being marked as spam.
  • Centralized Management: All your outgoing mail is managed and monitored from a single, user-friendly interface (Mailcow).
  • Enhanced Security: Authenticated relaying ensures that only authorized servers can send email through your smarthost, preventing abuse and protecting your reputation.

The Setup: An Overview

Our setup consists of two main components:

  1. The Smarthost: A server running Mailcow, a modern and easy-to-use mail server suite. This will be our centralized mail relay.
  2. The Source Server: A server running Postfix, which will be configured to send all its outgoing mail to the Mailcow smarthost.

Ready to get started? Let’s begin with the Mailcow configuration.

Part 1: Configuring the Mailcow Smarthost

First, we need to set up Mailcow to accept and relay emails for our domain. These steps are all done within the Mailcow UI.

1. Add and Configure the Domain

  1. Log in to your Mailcow UI and navigate to E-Mail > Configuration > Domains.
  2. Click Add domain and enter the domain you want to relay (e.g., yourdomain.com).
  3. Here’s the important part: check both the Relay this domain and Relay all recipients boxes. This tells Mailcow to act as a relay for this domain and to accept mail for any recipient at that domain.
  4. For the DKIM selector, we’ll use sh as a convention for “Smart Host”.
  5. Click Add domain and restart SOGo.

2. Update DNS Records

Now that Mailcow is configured, we need to update our domain’s DNS records to authorize Mailcow to send emails on our behalf.

  1. Edit the domain you just added in Mailcow and go to the DNS tab.

  2. You’ll see a DKIM public key for the sh._domainkey record. Copy this value.

  3. In your DNS provider’s management console, create a new TXT record with the name sh._domainkey and paste the copied DKIM key.

  4. Next, you need to update your SPF record to include the IP address of your Mailcow server. For this guide, we’ll use 111.222.333.444. Your SPF record should look something like this:

    v=spf1 mx a ip4:111.222.333.444 ~all

3. Add a Relay Mailbox

We need to create a dedicated mailbox that our Postfix server will use to authenticate with Mailcow.

  1. In Mailcow, go to E-Mail > Configuration > Mailboxes and click Add mailbox.
  2. A good convention is to use relay as the username (e.g., relay@yourdomain.com).
  3. Use the built-in password generator to create a strong, secure password. You’ll need this password for the Postfix configuration, so save it somewhere safe.
  4. Under Allowed protocols for direct user access, select only SMTP. This mailbox is only for relaying, so it doesn’t need access to IMAP or POP3.
  5. Click Add.

4. Configure Mailbox Permissions

Finally, we need to adjust the permissions for our new relay mailbox.

  1. Edit the mailbox you just created and go to the Sender tab.
  2. Under Allow to send as, make sure that both {username}@{domainName} and Disable sender check from {DomainName} (+ Aliases) are selected. This is a crucial step that allows the server to relay emails for any user at your domain.
  3. Go to the Security tab and double-check that only SMTP is selected under Allowed protocols for direct user access.
  4. Click Save changes.

That’s it for the Mailcow side of things! Now, let’s configure our Postfix server to talk to our new smarthost.

Part 2: Configuring the Postfix Source Server

Now we’ll switch over to the source server and configure Postfix to use our Mailcow smarthost. This involves editing a few configuration files.

1. Configure main.cf for Sender-Dependent Relaying

First, we’ll edit the main Postfix configuration file, /etc/postfix/main.cf, to enable sender-dependent relaying. This allows us to specify our Mailcow smarthost for our domain.

Add the following lines to your main.cf file:

# Setup Sender Dependent domain (SDD) to make domains use a smarthost
sender_dependent_relayhost_maps = hash:/etc/postfix/sdd_relayhost_maps
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
# Optional: force TLS encryption to relay hosts
smtp_tls_security_level = may

2. Configure sdd_relayhost_maps

Next, we’ll create the /etc/postfix/sdd_relayhost_maps file to tell Postfix which domains to relay through our smarthost.

Create the file and add the following line, replacing yourdomain.com with your domain and smarthost.example.com with your Mailcow server’s address:

@yourdomain.com  [smarthost.example.com]:587

The square brackets [] tell Postfix to connect directly to the host, and :587 specifies the submission port.

3. Configure sasl_passwd

Now, we need to provide Postfix with the credentials for our relay mailbox in Mailcow. Create the /etc/postfix/sasl_passwd file and add the following line:

[smarthost.example.com]:587        relay@yourdomain.com:your-password

Replace smarthost.example.com with your Mailcow server’s address, relay@yourdomain.com with your relay mailbox username, and your-password with the password you generated earlier.

For security, it’s crucial to restrict the permissions of this file:

sudo chmod 600 /etc/postfix/sasl_passwd

4. Create Hash Databases and Reload Postfix

Finally, we need to create the hash database files that Postfix uses and then reload the service to apply the changes:

sudo postmap /etc/postfix/sdd_relayhost_maps
sudo postmap /etc/postfix/sasl_passwd
sudo postfix reload

Part 3: Verification – Don’t Skip This!

Configuration is complete, but we’re not done yet! We need to verify that everything is working as expected.

Mail Log Monitoring

Check your Postfix mail logs (/var/log/maillog or /var/log/mail.log) for entries that show emails being relayed through your smarthost. You should see lines containing relay=smarthost.example.com... status=sent.

Email Deliverability Testing

The best way to test your setup is to use an email testing service. These services will analyze your email for proper SPF, DKIM, and DMARC configuration and give you a deliverability score.

  • mail-tester.com: Visit https://www.mail-tester.com/, get a unique email address, and send an email to it from your domain. You should aim for a 10/10 score.
  • port25.com: Send an email to check-auth@verifier.port25.com. You’ll receive a reply with a detailed report on your email authentication status. Look for “pass” on the SPF and DKIM checks.

Conclusion

Congratulations! You’ve successfully built a modern, secure, and efficient mail relay with Postfix and Mailcow. By centralizing your outgoing mail and implementing proper authentication, you’ve taken a significant step towards improving your email deliverability and protecting your sender reputation.

We’d love to hear your experiences with this setup. If you have any questions or suggestions, feel free to drop a comment below!

Related Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top