How to enable inbound TLS (STARTTLS) in Postfix with a CA-signed certificate (Let's Encrypt)

Most of the time Postfix is configured with a self-signed certificate, which works well because MTAs mostly do not validate certificates. A CA-signed certificate is still useful for applications or mailbox users that connect to a central MTA to submit email.

You can either buy an SSL certificate from your provider or use free certificates (these need to be renewed every 3 months). In this guide, I will use a Let's Encrypt certificate for my MX host.

I use the letsencrypt utility to manage certificates for my domains; the command below generates a standalone certificate for my host.

letsencrypt certonly --standalone -d

The output:

- Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:


vim /etc/postfix/

Replace the following lines:


with the following Let's Encrypt certificate paths:


Reload postfix

systemctl reload postfix.service

You can verify certificate validation using See below test results after configuring for

Postfix inbound TLS with letsencrypt

How to include Gmail’s Feedback-ID header in DKIM signature

Feedback-ID is an additional header required by the Gmail Feedback Loop in order to see aggregated data in Google Postmaster Tools. Gmail requires it to be included in the DKIM-Signature. The following guide explains how to configure this in OpenDKIM:

Edit opendkim.conf

vim /etc/opendkim.conf

Add the following line :

SignHeaders Feedback-ID

Reload opendkim:

systemctl reload opendkim.service

Reload postfix :

systemctl reload postfix.service

Send a test email with swaks to Gmail:

swaks --from --to --h-Feedback-ID 123:asd:123 --server

My test mail results :

dkim=pass header.s=key1 header.b=oY1NVInb;
spf=pass ( domain of designates as permitted sender);
dmarc=pass (p=REJECT sp=REJECT dis=NONE)
Date: Sun, 12 Nov 2017 11:04:42 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=key1; t=1510484682;       
bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; h=From:Feedback-ID:From;     
Subject: test Sun, 12 Nov 2017 11:04:42 +0000
Message-Id: <>
X-Mailer: swaks v20170101.0
Feedback-ID: 123:asd:123

This is a test mailing
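The DKIM-Signature in the test result above lists the signed headers in its h= tag (From:Feedback-ID:From, where the repeated From comes from OversignHeaders). The following added example, which is not part of the original post, parses that tag list so you can confirm from a received message that Feedback-ID is actually covered by the signature; the sample value is the DKIM-Signature shown above, folded onto one line.

```python
"""Check that a DKIM-Signature header covers the Feedback-ID header."""
import re

# Sample taken from the test mail shown on this page, folded onto one line
# (the page's copy has an empty tag between c= and s=, which the parser skips).
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple;; s=key1; t=1510484682; "
    "bh=ecGWgWCJeWxJFeM0urOVWP+KOlqqvsQYKOpYUP8nk7I=; h=From:Feedback-ID:From;"
)


def parse_dkim_tags(value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list).

    Folding whitespace inside values is removed, and empty elements produced by
    a trailing or doubled ';' are ignored.
    """
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, raw = item.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", raw)
    return tags


def signed_headers(value: str) -> list:
    """Return the header names listed in the h= tag, in order, case preserved."""
    h = parse_dkim_tags(value).get("h", "")
    return [name for name in h.split(":") if name]


def covers_header(value: str, header: str) -> bool:
    """True if the header name is part of the signed header list (case-insensitive)."""
    return header.lower() in {name.lower() for name in signed_headers(value)}


def oversigned_headers(value: str) -> list:
    """Headers listed more than once in h=, i.e. oversigned like OpenDKIM's OversignHeaders."""
    names = [name.lower() for name in signed_headers(value)]
    return sorted({n for n in names if names.count(n) > 1})


if __name__ == "__main__":
    print("signed:", signed_headers(SAMPLE_DKIM_SIGNATURE))
    print("Feedback-ID covered:", covers_header(SAMPLE_DKIM_SIGNATURE, "Feedback-ID"))
    print("oversigned:", oversigned_headers(SAMPLE_DKIM_SIGNATURE))
```

Run it against the DKIM-Signature of a message received at Gmail (show original); if Feedback-ID is missing from h=, the SignHeaders line was not picked up, which usually means opendkim was not reloaded or the header was absent from the message when it was signed.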

421 4.5.1 No more messages on this connection is an ISP from Denmark. As per the postmaster guidelines, the mail servers do not accept more than 3 messages per connection; if you attempt to send more, you will get the following error message:

421 4.5.1 No more messages on this connection, see

The following quick how-to explains how to configure Postfix to limit the number of messages per SMTP connection / session to Danish domains which are hosted by

Note: The following configurations worked on Postfix 3.2.3.

Add the following to /etc/postfix/

# transport
transport_maps = hash:/etc/postfix/transport
teledk_initial_destination_concurrency = 3
teledk_destination_concurrency_limit = 3

Add the following to /etc/postfix/transport

teledk:
teledk:
.tele.d teledk:
teledk:
teledk:
teledk:
teledk:

You can add more domains by reviewing the logs; these are some of the common domains. “” refers to any subdomain.

Add the following to /etc/postfix/

teledk unix    -       -       n       -       -       smtp

Update lookup table

postmap hash:/etc/postfix/transport

Reload Postfix

systemctl reload postfix
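The transport map above routes mail for each listed domain, and for any subdomain of the dotted entry, through the dedicated teledk transport. This added example (not from the original post) reproduces Postfix's transport_maps lookup order for an address so you can see which entry a recipient will hit; the domains in the map are constructed and stand in for the ISP's real domains, which are not preserved on this page.

```python
"""Resolve a recipient against a Postfix transport(5)-style map."""

# Constructed map: example.invalid and other.test are placeholders, not the
# real domains from the how-to.
SAMPLE_TRANSPORT_MAP = """
# pattern              transport:nexthop
example.invalid        teledk:
.example.invalid       teledk:
mail.example.invalid   teledk:
other.test             smtp:[relay.other.test]
"""


def parse_transport_map(text: str) -> dict:
    """Parse 'pattern transport:nexthop' lines; '#' comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # An empty result is allowed in transport(5) and means "use the default".
        table[parts[0].lower()] = parts[1].strip() if len(parts) == 2 else ""
    return table


def lookup_transport(table: dict, address: str):
    """Mimic the transport_maps lookup order when transport_maps is not listed in
    parent_domain_matches_subdomains: the full address, then the domain itself,
    then each parent domain with a leading dot, most specific first.
    Returns the transport:nexthop string, or None when nothing matches."""
    address = address.lower()
    _, _, domain = address.rpartition("@")
    if address in table:
        return table[address]
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])   # .example.invalid, then .invalid
        if parent in table:
            return table[parent]
    return None


if __name__ == "__main__":
    table = parse_transport_map(SAMPLE_TRANSPORT_MAP)
    for rcpt in ("bob@mail.example.invalid", "bob@deep.sub.example.invalid",
                 "bob@other.test", "bob@example.com"):
        print(rcpt, "->", lookup_transport(table, rcpt))
```

Note that the domain itself does not match its own dotted entry (example.invalid does not match .example.invalid), which is why the how-to lists both forms. Also keep in mind that the destination concurrency settings shown above cap how many parallel deliveries Postfix makes to a destination; the number of messages sent over one cached connection is governed separately by Postfix's smtp_connection_reuse_count_limit, which can be set for the teledk transport with a -o override in master.cf.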

How to configure Postfix with SMTP-AUTH over SASL2 with authentication against PAM in Ubuntu

I would like to submit emails to Postfix using SMTP authentication, and I will authenticate my SMTP users against PAM.

Install sasl2:

apt-get install sasl2-bin

Add the following to /etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: PLAIN LOGIN

Create a copy of saslauthd's config file as /etc/default/saslauthd-postfix so that this copy is used for Postfix:

cp /etc/default/saslauthd /etc/default/saslauthd-postfix

Update the following in /etc/default/saslauthd-postfix:

OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd"

Since saslauthd's socket now lives inside the Postfix chroot, it is good to symlink the default location to it:

rm -rf /run/saslauthd
ln -s /var/spool/postfix/var/run/saslauthd /run/saslauthd

Create required subdirectories:

dpkg-statoverride --add root sasl 710 /var/spool/postfix/var/run/saslauthd

Set up proper permissions by adding postfix to the ‘sasl’ group:

adduser postfix sasl

Restart saslauthd service

systemctl restart saslauthd.service

Add the following directives to /etc/postfix/

smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

Restart postfix service

systemctl restart postfix.service

Create linux user

useradd postmaster

Test authentication using the ‘swaks’ mailing utility:

swaks --from --to --tls --auth LOGIN --auth-user --auth-password 123pass --server
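The directives above enable the PLAIN and LOGIN mechanisms, which transmit the password itself, so they belong only on a TLS-protected session; the inbound STARTTLS section at the top of this page supplies that. The following added example, not part of the original post, audits a main.cf fragment for both the inbound TLS settings and the SMTP-AUTH settings from this section, reporting the weak combination beside a corrected one. The directive names are real Postfix parameters; the certificate paths and host name in the hardened fragment are constructed.

```python
"""Audit a Postfix main.cf fragment for inbound TLS and SMTP-AUTH settings."""

# The SASL directives from this page, as a constructed main.cf fragment;
# no smtpd_tls_* settings are present, so the audit has findings.
WEAK_MAIN_CF = """
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_sasl_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
"""

# Same fragment plus STARTTLS and smtpd_tls_auth_only, so that PLAIN/LOGIN is
# only offered after the session is encrypted. Paths are constructed examples
# following the Let's Encrypt live/ directory layout.
HARDENED_MAIN_CF = WEAK_MAIN_CF + """
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.invalid/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.invalid/privkey.pem
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
"""


def parse_main_cf(text: str) -> dict:
    """Parse 'name = value' lines: later settings override earlier ones,
    indented lines continue the previous value, '#' lines are comments."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and current:
            params[current] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_submission_settings(text: str) -> list:
    """Return a list of findings; an empty list means the fragment looks sound."""
    p = parse_main_cf(text)
    findings = []
    if p.get("smtpd_tls_security_level", "none") in ("", "none"):
        findings.append("inbound STARTTLS is off: set smtpd_tls_security_level = may")
    for key in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if key not in p:
            findings.append(f"{key} is not set; Postfix cannot offer STARTTLS without it")
    if p.get("smtpd_sasl_auth_enable") == "yes":
        if p.get("smtpd_tls_auth_only") != "yes":
            findings.append("smtpd_tls_auth_only is not yes: PLAIN/LOGIN credentials may travel in clear text")
        opts = {o.strip() for o in p.get("smtpd_sasl_security_options", "").split(",")}
        if "noanonymous" not in opts:
            findings.append("smtpd_sasl_security_options should include noanonymous")
    restrictions = [r.strip() for r in p.get("smtpd_recipient_restrictions", "").split(",") if r.strip()]
    if "reject_unauth_destination" not in restrictions:
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay risk)")
    elif ("permit_sasl_authenticated" in restrictions and
          restrictions.index("permit_sasl_authenticated") > restrictions.index("reject_unauth_destination")):
        findings.append("permit_sasl_authenticated comes after reject_unauth_destination, so authenticated users cannot relay")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(label, audit_submission_settings(cfg) or "no findings")
```

On a live system, feed it the output of postconf -n (which prints the explicitly set parameters in the same name = value form) rather than reading main.cf directly, so that values from postconf -e edits and overrides are included.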

How to configure OpenDKIM with Postfix

In this how-to, you will find out how we configured OpenDKIM and Postfix (3.1.0) to sign our emails with DKIM. I will not talk about what DKIM is, or about settings like hash algorithms, DKIM identity, selectors, etc.

Install OpenDKIM and tools.

apt-get install opendkim opendkim-tools

Add the following settings to /etc/opendkim.conf after the “UserID” directive.

# Map AuthorDomains to RSA keys
KeyTable /etc/dkimkeys/rsakeys.table
SigningTable refile:/etc/dkimkeys/signingdomains.table

# "simple" recommended by DKIMCore
Canonicalization simple

Mode sv
SubDomains no
AutoRestart yes
AutoRestartRate 10/1M
Background yes
DNSTimeout 5
SignatureAlgorithm rsa-sha256
OversignHeaders From

Generate RSA key for

cd /etc/dkimkeys/
opendkim-genkey --bits=1024 --selector=key1 --append-domain

It will create two files: “key1.private”, which is for the server side, and “key1.txt”, which contains the following DNS record that needs to be created in the zone. You can look up my existing record with dig TXT +short

IN TXT ( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVgaYb2qaO92yF1DuoSIWybPgiwQ3dfjN1XhzstnEqfi/GroqtN87BrjEr9BGTTiisocbMZOtfErgfCSq+sCjHohEySdngfnxPUqLYqco+Xe3RlESYngKFU9YUUKXE9OcT3dt3v921h1pZ9BJwQ2RyJ+xANYR5DivfRT2gPCdIWwIDAQAB" )  ; ----- DKIM key key1 for

mv key1.private

Add RSAkey reference to KeyTable file in /etc/dkimkeys/rsakeys.table


Add AuthorDomain and RSAKey reference in /etc/dkimkeys/signingdomains.table

* postfixdkim

“*” says that any local-part at the domain should be signed with this key. “postfixdkim” is the reference to the RSA key in the KeyTable.

Connect OpenDKIM to Postfix. Since Postfix runs in a chroot jail, it is better to keep the OpenDKIM socket inside the Postfix spool directory as well.

mkdir /var/spool/postfix/opendkim

Update opendkim.sock path to new location in /etc/default/opendkim


Configure opendkim in /etc/postfix/

# Connect OpenDKIM
milter_default_action = accept
milter_protocol = 6
smtpd_milters = local:/opendkim/opendkim.sock
non_smtpd_milters = local:/opendkim/opendkim.sock

Set up proper permissions.

chown -R opendkim:opendkim /etc/opendkim.conf /etc/dkimkeys
chown opendkim:postfix /var/spool/postfix/opendkim

Restart opendkim and postfix

systemctl restart opendkim.service
systemctl restart postfix.service
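The key1.txt record above publishes the RSA public key as a base64 SubjectPublicKeyInfo in the p= tag. This added example, which is not part of the original post, parses that record in the BIND-style form opendkim-genkey writes, decodes the DER just far enough to read the modulus, and reports the key size, so you can check what a domain actually publishes before and after a key rotation. The record embedded below is the one shown on this page; the record name was not preserved there and is not needed for the check.

```python
"""Parse a DKIM TXT record and report the RSA key size it publishes."""
import base64

# The key1.txt record from this page (name label omitted, as on the page).
PAGE_RECORD = (
    '( "v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDVgaYb2qaO92yF1Duo'
    'SIWybPgiwQ3dfjN1XhzstnEqfi/GroqtN87BrjEr9BGTTiisocbMZOtfErgfCSq+sCjHohEySd'
    'ngfnxPUqLYqco+Xe3RlESYngKFU9YUUKXE9OcT3dt3v921h1pZ9BJwQ2RyJ+xANYR5DivfRT2g'
    'PCdIWwIDAQAB" )  ; ----- DKIM key key1 for'
)


def parse_dkim_record(rdata: str) -> dict:
    """Return the tag=value pairs of a DKIM key record.

    Accepts either bare rdata or the BIND form from opendkim-genkey: the
    trailing ';' comment after ')' is dropped, parentheses removed, and quoted
    string segments concatenated (as a resolver does) before splitting tags."""
    if ")" in rdata:
        rdata = rdata[: rdata.rindex(")")]
    rdata = rdata.replace("(", "").replace(")", "")
    if '"' in rdata:
        rdata = "".join(rdata.split('"')[1::2])
    tags = {}
    for item in rdata.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())
    return tags


def _der_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value; returns (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(p_b64: str) -> int:
    """Key size of the RSA SubjectPublicKeyInfo carried in a DKIM p= tag."""
    der = base64.b64decode(p_b64 + "=" * (-len(p_b64) % 4))
    tag, spki, _ = _der_tlv(der, 0)         # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _alg, pos = _der_tlv(spki, 0)        # AlgorithmIdentifier (rsaEncryption)
    tag, bits, _ = _der_tlv(spki, pos)      # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_pub, _ = _der_tlv(bits[1:], 0)   # skip unused-bits byte; RSAPublicKey SEQUENCE
    tag, modulus, _ = _der_tlv(rsa_pub, 0)  # INTEGER modulus (may carry a leading 0x00)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def audit_dkim_record(rdata: str) -> dict:
    """Summarise a DKIM record: version, key type, RSA size and advisory notes."""
    tags = parse_dkim_record(rdata)
    result = {"version_ok": tags.get("v", "DKIM1") == "DKIM1",
              "key_type": tags.get("k", "rsa"), "bits": None, "notes": []}
    if not tags.get("p"):
        result["notes"].append("empty p= tag: RFC 6376 treats this key as revoked")
    elif result["key_type"] == "rsa":
        result["bits"] = rsa_modulus_bits(tags["p"])
        if result["bits"] < 1024:
            result["notes"].append("below the 1024-bit minimum required by RFC 8301; verifiers will ignore it")
        elif result["bits"] < 2048:
            result["notes"].append("RFC 8301 recommends at least 2048-bit RSA; regenerate with --bits=2048")
    return result


if __name__ == "__main__":
    print(audit_dkim_record(PAGE_RECORD))
```

To audit a live domain, pass the output of dig +short TXT for the selector._domainkey name straight into audit_dkim_record; the quoting that dig prints is handled the same way as the key1.txt form.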

How to send emails over IPv4 with Postfix

The “inet_protocols” directive configures which protocols Postfix uses to accept or make network connections. It also controls which DNS lookups Postfix performs.

On Ubuntu 16.10, we found Postfix (3.1.0) was configured to use both IPv6 and IPv4. See below:

inet_protocols = all        (enable IPv4, and IPv6 if supported)

IPv6 is always tried first and, when it fails, Postfix tries to deliver the email over IPv4. You can reconfigure it to listen on IPv4 addresses only:

vim /etc/postfix/

Replace “all” with “ipv4”

inet_protocols = ipv4

Restart postfix

systemctl restart postfix.service

How to enable Outbound Opportunistic TLS in Postfix

Most ISPs like Gmail, Hotmail and Yahoo now support server-side TLS. ESPs like Sendgrid, Sparkpost and Mailchimp have also enabled outbound TLS in their MTAs.

You can either force Postfix to always use TLS, or (the recommended way) use ‘Opportunistic TLS’, so that Postfix uses TLS when the recipient domain supports it and otherwise falls back to a non-TLS connection.

vim /etc/postfix/

Add the following after the “smtp_banner” settings.

smtp_tls_security_level = may

Reload Postfix

systemctl reload postfix.service

Verify logs for errors.

tail -f /var/log/mail.log

Expected output:

Nov 26 13:21:54 console postfix/postfix-script[9285]: refreshing the Postfix mail system
Nov 26 13:21:54 console postfix/master[2323]: reload -- version 3.1.0, configuration /etc/postfix
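With security level "may", the reload lines above only confirm the setting took effect; whether a given delivery actually used TLS shows up in the per-connection lines that postfix/smtp logs afterwards. The following added example, not part of the original post, attributes each status=sent delivery in mail.log to the TLS state Postfix logged for that relay (Trusted, Untrusted, Anonymous, Verified, or none), so that silent plaintext fallbacks become visible. The log lines embedded in it are constructed in Postfix's format with made-up hosts and addresses.

```python
"""Attribute Postfix smtp(8) deliveries in mail.log to the TLS level used."""
import re
from collections import Counter

# Constructed sample in Postfix's log format (hosts, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Nov 26 13:22:10 console postfix/smtp[9301]: Trusted TLS connection established to mx.example.invalid[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Nov 26 13:22:10 console postfix/smtp[9301]: 0A1B2C3D4E: to=<alice@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 26 13:22:12 console postfix/smtp[9302]: Untrusted TLS connection established to mx.example.test[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Nov 26 13:22:12 console postfix/smtp[9302]: 0A1B2C3D4F: to=<bob@example.test>, relay=mx.example.test[198.51.100.7]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 26 13:22:15 console postfix/smtp[9303]: 0A1B2C3D50: to=<carol@plain.test>, relay=mx.plain.test[203.0.113.5]:25, delay=0.4, delays=0.1/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# "<level> TLS connection established to host[ip]:port:" as logged by postfix/smtp
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (Trusted|Untrusted|Anonymous|Verified) TLS connection established to (\S+\]:\d+):")
# the delivery record: "<queue id>: to=<rcpt>, relay=host[ip]:port, ... status=<status>"
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>, relay=([^,]+),.*status=(\w+)")


def classify_deliveries(lines):
    """Return (queue_id, recipient, relay, tls_level) for every status=sent delivery.

    A delivery inherits the most recent "TLS connection established" line logged
    by the same smtp(8) process for the same relay; with no such line the
    session ran in plain text, which security level "may" silently permits.
    """
    tls_state = {}
    results = []
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            pid, level, relay = m.groups()
            tls_state[(pid, relay)] = level.lower()
            continue
        m = SENT_RE.search(line)
        if m and m.group(5) == "sent":
            pid, qid, rcpt, relay, _ = m.groups()
            results.append((qid, rcpt, relay, tls_state.get((pid, relay), "plaintext")))
    return results


def tls_summary(lines) -> dict:
    """Count sent deliveries per TLS level, e.g. {'trusted': 1, 'untrusted': 1, 'plaintext': 1}."""
    return dict(Counter(level for *_, level in classify_deliveries(lines)))


if __name__ == "__main__":
    for qid, rcpt, relay, level in classify_deliveries(SAMPLE_LOG.splitlines()):
        print(f"{qid} -> {rcpt} via {relay}: {level}")
    print(tls_summary(SAMPLE_LOG.splitlines()))
```

Run it over /var/log/mail.log after the reload. "Untrusted" means the connection was encrypted but the server certificate was not verified, and "plaintext" means the remote side did not offer STARTTLS (or the handshake failed and Postfix retried without TLS); neither is an error under "may". For domains where you need verification, Postfix's smtp_tls_policy_maps lets you raise the level (for example to secure or dane) per destination while keeping "may" as the default.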