Use Postfix to get email from your Fedora system

Communication is key. Your computer might be trying to tell you something important. But if your mail transport agent (MTA) isn’t properly configured, you might not be getting the notifications. Postfix is a MTA that’s easy to configure and known for a strong security record. Follow these steps to ensure that email notifications sent from local services will get routed to your internet email account through the Postfix MTA.

Install packages

Use dnf to install the required packages (you configured sudo, right?):

$ sudo -i
# dnf install postfix mailx

If you previously had a different MTA configured, you may need to set Postfix to be the system default. Use the alternatives command to set your system default MTA:

$ sudo alternatives --config mta
There are 2 programs which provide 'mta'.
  Selection    Command
*+ 1           /usr/sbin/sendmail.sendmail
   2           /usr/sbin/sendmail.postfix
Enter to keep the current selection[+], or type selection number: 2

Create a password_maps file

You will need to create a Postfix lookup table entry containing the email address and password of the account that you want to use to for sending email:

# MY_EMAIL_ADDRESS=glb@gmail.com
# MY_EMAIL_PASSWORD=abcdefghijklmnop
# MY_SMTP_SERVER=smtp.gmail.com
# MY_SMTP_SERVER_PORT=587
# echo "[$MY_SMTP_SERVER]:$MY_SMTP_SERVER_PORT $MY_EMAIL_ADDRESS:$MY_EMAIL_PASSWORD" >> /etc/postfix/password_maps
# chmod 600 /etc/postfix/password_maps
# unset MY_EMAIL_PASSWORD
# history -c

If you are using a Gmail account, you’ll need to configure an “app password” for Postfix, rather than using your gmail password. See “Sign in using App Passwords” for instructions on configuring an app password.

Next, you must run the postmap command against the Postfix lookup table to create or update the hashed version of the file that Postfix actually uses:

# postmap /etc/postfix/password_maps

The hashed version will have the same file name but it will be suffixed with .db.

Update the main.cf file

Update Postfix’s main.cf configuration file to reference the Postfix lookup table you just created. Edit the file and add these lines.

relayhost = [smtp.gmail.com]:587
smtp_tls_security_level = verify
smtp_tls_mandatory_ciphers = high
smtp_tls_verify_cert_match = hostname
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/password_maps

The example assumes you’re using Gmail for the relayhost setting, but you can substitute the correct hostname and port for the mail host to which your system should hand off mail for sending.

For the most up-to-date details about the above configuration options, see the man page:

$ man postconf.5

Enable, start, and test Postfix

After you have updated the main.cf file, enable and start the Postfix service:

# systemctl enable --now postfix.service

You can then exit your sudo session as root using the exit command or Ctrl+D. You should now be able to test your configuration with the mail command:

$ echo 'It worked!' | mail -s "Test: $(date)" glb@gmail.com

Update services

If you have services like logwatch, mdadm, fail2ban, apcupsd or certwatch installed, you can now update their configurations so that their email notifications will go to your internet email address.

Optionally, you may want to configure all email that is sent to your local system’s root account to go to your internet email address. Add this line to the /etc/aliases file on your system (you’ll need to use sudo to edit this file, or switch to the root account first):

root: glb+root@gmail.com

Now run this command to re-read the aliases:

# newaliases
  • TIP: If you are using Gmail, you can add an alpha-numeric mark between your username and the @ symbol as demonstrated above to make it easier to identify and filter the email that you will receive from your computer(s).

Troubleshooting

View the mail queue:

$ mailq

Clear all email from the queues:

# postsuper -d ALL

Filter the configuration settings for interesting values:

$ postconf | grep "^relayhost\|^smtp_"

View the postfix/smtp logs:

$ journalctl --no-pager -t postfix/smtp

Reload postfix after making configuration changes:

$ systemctl reload postfix

Photo by Sharon McCutcheon on Unsplash.

FAQs and Guides For System Administrators Using Software

14 Comments

    • @Carl: When you’re talking about email, though, security is a real concern. It’s especially important if the system you’re using could trigger blacklisting or other side effects. Postfix has a good security stance and record (as well as longevity).

  1. Configuring postfix is NOT easy. The only people that should attempt it are experts who know it all.

    • It’s not too hard to set up the simple configurations like this one. As a proof point, Greg figured it out for this article! You can do very complex things too, of course. Saying no one should do it sounds a lot like “no one should do Linux.” 😉

  2. Are there ways to do this? Not using postfix.

    Right now I get a message via Pushover that triggers a script in sshrc when I ssh into my box.

    Beyond that I’ve failed to find a good solution, or optional solution that passes system messages via other means, such as the mentioned solution, triggering a script that might send the information via an API.

    The solution above wasn’t easy to find might I add.

    For system messages Pushover might not be well suited, but I’d consider using Mailgun and their API.

    • Hi Dokter:

      Sorry, I haven’t really looked into alternatives beyond sendmail/postfix. The only alternative that comes to mind would be to use a sms gateway. I’ve never tried it though, so I really can’t vouch for how reliable it is.

  3. Guus Bonnema

    When running the commands you suggested, I got a warning from postmap:

    postmap: warning: /etc/postfix/password_maps, line 1: expected format: key whitespace value
    postmap: warning: /etc/postfix/password_maps, line 2: expected format: key whitespace value

    So I changed the layout to servername space emailname followed by the same line for password with the “:” replaced by a space. Of course this did not work (I should have used a keyword-value stuff as the message indicated). So when I used exactly what you said it worked.

    What is it with this message? Why do I get it? Why do I use a different layout (with [] and 🙂 to get it working?

    • This was a problem in the initial version but should be fixed now. Something got goofed up in the edits, because Greg’s original version was correct.

    • Hi Guus:

      Glad you figured it out and sorry that the directions weren’t exactly correct initially.

      The “key” in the password_maps file should match the value for “relayhost” in main.cf exactly (brackets and all).

      If you are still seeing warnings about the formatting of the password_maps file, you might want to open the file with a text editor and delete any extra lines that might be left over from previous attempts.

      The brackets around the relayhost address indicate that the address is for an SMTP server. Without the brackets the address is taken to be a domain name against which a MX record lookup should be done to find the address of the SMTP server. I think Google has patched their server in such a way that it might work without the brackets, but the MX mechanism has some limitations and you should probably use the brackets to get the best/nearest SMTP server. Google uses DNS to load balance their SMTP servers. You might be able to see it in action by running “nslookup smtp.gmail.com” several times consecutively.

      As for why the syntax is what it is, I doubt there is a really good reason for it. A separate setting like “do_mx_lookup = false” would certainly be easier to understand.

  4. GiP

    I don’t understand…

    I wanted to be able to use mail from my PC to send the results or errors from cron jobs and I did two things:
    install postfix
    enable postfix
    And it just works! I can use a
    mail -s “Cron job Log” myaddress <job.log
    from the script.
    Is all the other stuff really necessary?

    G

    • Hi GiP:

      That sort of auto-configuration is possible but, as I understand it, a couple of things are required that probably aren’t available in most people’s environment.

      In order for MTA auto-configuration to work, you need:

      A network administrator (or possibly a spambot) to configure option 69 on your DHCP server (or home router).
      A open mail relay on your network (a SMTP server that requires neither authentication nor encryption).

      If you are lucky enough that both the above conditions are met, then just turning the postfix service on will work. Unfortunately, I don’t think that is the case for most people, so they will have to explicitly configure Postfix to route their email through a mail server that they trust.

  5. GiP

    Hi,
    Thanks for the answer!

    I see, but I don’t have either… On the other hand, as I said, I don’t want to receive mail, just send, and for this it seems that postfix can act as SMTP and (at least) Gmail and my own provider accept the messages without problems.
    Well, Gmail has in the headers:
    ” best guess record for domain of gip@ designates as permitted sender)”.

    But it just works….

    Thanks again,
    GiP

  6. GiP

    Hi,
    my reply was somehow mangled by the system…
    The GM header should have been ” best guess record for domain of gip@ MYHOST designates MYIPADDRESS as permitted sender)”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: