
Postfix is a Secure Mail Transfer Agent.


Installing and Configuring Postfix on Debian

apt install postfix          # the debconf dialog asks for the mail name and the server type
cat /var/log/mail.log        # check the log for startup errors
dpkg-reconfigure postfix     # re-run the configuration dialog if something went wrong
postfix reload               # apply configuration changes

Test the mailserver

telnet localhost 25

Connected to localhost.localdomain.
Escape character is '^]'.
220 ESMTP Postfix (Debian/GNU)

mail from:<>
rcpt to:<>
Subject: Hey my first email
This is my first email on debian postfix after installing configuring it.
It was easy.



Some useful commands

qshape deferred      # summarise the deferred queue by recipient domain and message age
postsuper -r ALL     # requeue all emails

Router, firewall and domain configuration

host -t MX yourdomain.tld        # the MX record must point at your mail host

host -t A mx1.yourdomain.tld     # and that host must resolve to your public IP address

anti-spam: smtp restrictions

smtpd_recipient_restrictions = reject_invalid_hostname,

smtpd_helo_restrictions = reject_invalid_helo_hostname,

anti-spam: Using RBL Lists

Insert this in your /etc/postfix/

smtpd_client_restrictions = reject_rbl_client

See what rbl is about: for pre 2.3 and for 2.3 and later

and avoid such blacklists

authenticated mail delivery

This subsection describes how to configure postfix to send authenticated emails using DKIM standard protocols.

ToDo document SPF and DMARC

Forward Emails

postconf -e "alias_maps = hash:/etc/aliases"

root: lucas


lucas: lucas


service postfix reload

Virtual Emails

postconf -e "virtual_alias_maps = hash:/etc/postfix/virtual"

vi /etc/postfix/virtual

someemail lucas

postmap /etc/postfix/virtual

service postfix reload


postconf -e "home_mailbox = Maildir/"
postconf -e "mailbox_command ="


vi /etc/Muttrc

set folder="~/Maildir"
set mask="!^\\.[^.]"
set mbox="~/Maildir"
set record="+.Sent"
set postponed="+.Drafts"
set spoolfile="~/Maildir"

Postfix and mailing lists

Mailman with Postfix

(!) The instructions below are WRONG! You should not and alias at the same time. Please read /etc/mailman/ instead.

apt install mailman

newlist mailman

/etc/init.d/mailman start

relay_domains =,

alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases

postconf -e "transport_maps = hash:/etc/postfix/transport"
postconf -e "mailman_destination_recipient_limit = 1"

mailman unix  -       n       n       -       -       pipe
   flags=FR user=list
   argv=/var/lib/mailman/bin/ ${nexthop} ${user}    mailman:

postmap /etc/postfix/transport

MTA = 'Postfix'

/etc/init.d/postfix reload
/etc/init.d/mailman restart

newlist list_name

Alias /pipermail/ /var/lib/mailman/archives/public/
Alias /images/mailman/ /usr/share/images/mailman/

Then you need to reload apache:

/etc/init.d/apache2 reload

Mailman Troubleshooting

Connection refused

Assuming your postfix is running and listening on localhost, another possible problem is that postfix is not configured to run in IPv6 mode, while your /etc/hosts file specifies ::1 as localhost. In that case mailman tries to send mail to ::1, where no postfix is listening, which results in a (111, 'connection refused') error.

Postfix and TLS/SSL

Adding TLS/SSL

There are three options for transferring data to Postfix (smtpd):

  1. Do not use TLS/SSL at all (only unencrypted connections are available).
  2. Use TLS/SSL if possible, and fall back to unencrypted connections otherwise.
  3. Only allow TLS/SSL (unencrypted connections are not available).

The second option (called STARTTLS) is recommended for general purpose mail servers. It provides a kind of "compatibility mode": secure data transfer is enabled but not enforced.

STARTTLS connections start unencrypted via the regular smtp port 25. If both sides agree the rest of the data transfer is encrypted, still using port 25.

Pure TLS/SSL uses its own port, usually smtps (465). See below.

Postfix version 2.3 and later employs the parameter smtpd_tls_security_level to control TLS encryption (valid values are none, may or encrypt).

Previously two parameters (smtpd_use_tls and smtpd_enforce_tls) were used. They can be unset. See also the Debian bug report 520936.

With the following commands TLS is enforced (no STARTTLS) and the old configuration parameters are reset to default values:

~# postconf -e smtpd_tls_security_level=encrypt
~# postconf -X smtpd_use_tls        # postconf -X removes a parameter from main.cf (Postfix 2.10 and later)
~# postconf -X smtpd_enforce_tls

Alternate TLS/SSL Ports

You may be interested in supporting the smtps and/or submission ports (see /etc/services) so that your mobile/remote users who may be on a system that blocks, filters or poorly proxies SMTP (port 25) traffic can still send mail through your server. Since these ports are not also used for MTA to MTA traffic, you can enforce extra restrictions such as requiring SSL/TLS.

We do this by modifying the file /etc/postfix/ to run additional smtpd services with special parameters on dedicated ports.


The submission port (587), covered in RFC 2476, is reserved for mail user agents (MUA)/ mail submission agents (MSA) to send email to a mail transfer agent (MTA).

In order to enable an additional service edit the file /etc/postfix/

In this example we disallow ETRN, require TLS and enable SASL Auth on the submission port.

submission inet n      -       -       -       -       smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_tls_security_level=encrypt
        -o smtpd_sasl_auth_enable=yes


The smtps (or ssmtp) port (465) is the equivalent of https. The secure layer is expected from the get-go and not an optional negotiated parameter after connecting.

Whether the port is named smtps or ssmtp depends on the contents of your /etc/services file. On Debian both names seem to be defined. The output of netstat -tl shows ssmtp.

In order to enable an additional service edit the file /etc/postfix/

On Debian there is already a prepared entry for smtps but commented out. Remove the "#" characters to enable it.

smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

Connections from Fetchmail to Postfix

It seems fetchmail is not able to set up a TLS connection to Postfix. (Not to be confused with fetchmail's capability to fetch mails via TLS connections.)

If Postfix is configured to only accept TLS connections (smtpd_tls_security_level=encrypt) fetchmail will fail with an error like "Must issue a STARTTLS command first".

One way to escape from this is to provide an unencrypted smtp service. Of course, this service should be available for a local fetchmail process only.

Edit /etc/postfix/ and add      inet  n       -       -       -       -       smtpd
    -o smtpd_tls_security_level=none

This will add an additional smtp service listening on port 40025 with TLS disabled but only accepting local connections.
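As an added audit example (not from this wiki page or from Postfix itself) covering the submission, smtps and loopback-only plaintext smtpd entries above: a small Python lint that parses master.cf service lines together with their -o overrides and flags user-facing ports that do not enforce TLS and SASL authentication, the obsolete smtpd_enforce_tls parameter, and a TLS-disabled smtpd that is not bound to a loopback address. The sample master.cf content, including the 127.0.0.1:40025 and 0.0.0.0:40026 service names, is constructed for the example.

```python
import re
# Constructed master.cf sample (not a real file) modelled on the submission,
# smtps and loopback-only plaintext smtpd entries described on this page.
SAMPLE_MASTER_CF = """\
submission inet  n  -  -  -  -  smtpd
        -o smtpd_etrn_restrictions=reject
        -o smtpd_enforce_tls=yes
        -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
127.0.0.1:40025 inet n  -  -  -  -  smtpd
    -o smtpd_tls_security_level=none
0.0.0.0:40026 inet n  -  -  -  -  smtpd
    -o smtpd_tls_security_level=none
"""
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
USER_PORTS = {"submission", "smtps", "ssmtp", "587", "465"}

def parse_master_cf(text):
    """One {name, type, command, opts} dict per service; indented lines carry -o overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                      # continuation line of the previous service
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and services:
                services[-1]["opts"][m.group(1)] = m.group(2)
        elif len(f := line.split()) >= 8:          # name type private unpriv chroot wakeup maxproc command
            services.append({"name": f[0], "type": f[1], "command": f[7], "opts": {}})
    return services

def audit_smtpd(services):
    """Return (service, finding) pairs for inbound smtpd listeners weaker than this page recommends."""
    findings = []
    for s in services:
        if s["type"] != "inet" or s["command"] != "smtpd":
            continue
        o, (host, _, port) = s["opts"], s["name"].rpartition(":")   # host is '' when not bound
        enforced = (o.get("smtpd_tls_security_level") == "encrypt" or o.get("smtpd_enforce_tls") == "yes"
                    or o.get("smtpd_tls_wrappermode") == "yes")
        if "smtpd_enforce_tls" in o:   # obsolete since Postfix 2.3, still honoured
            findings.append((s["name"], "use smtpd_tls_security_level=encrypt instead of smtpd_enforce_tls"))
        if port in USER_PORTS and not (enforced and o.get("smtpd_sasl_auth_enable") == "yes"):
            findings.append((s["name"], "submission port must enforce TLS and SASL auth"))
        if o.get("smtpd_tls_security_level") == "none" and host not in LOOPBACK:
            findings.append((s["name"], "plaintext smtpd reachable beyond loopback"))
    return findings
```

Run it against a real file with audit_smtpd(parse_master_cf(open("/etc/postfix/master.cf").read())); an empty list means every inbound smtpd matches the recommendations above.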

Fetchmail has to be configured accordingly via the option smtphost.

Edit /etc/fetchmailrc

# Server options
poll ...

# User options
user a ...
user b ...

The smtphost option is a so-called "user option". It must be added to every user section.

Alternatively fetchmail can be instructed to use an external TLS-capable program [1] to forward mails. This is not handled here, and if fetchmail and Postfix run on the same machine it does not make much sense anyway.

Sending With SSL

With the following commands Postfix is configured to use TLS for sending mail:

~# postconf -e smtp_tls_security_level=may
~# postconf -e smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt

Advanced options

SPF and multiple external ip addresses


I have some systems that are networked on an internal private ip address subnet ( For a few reasons I email reports and such to <user>@mail.internal where user is an address that is not valid for receiving mail via the external interfaces. These systems also share a public ip address subnet so they could email each other that way, but I'd prefer they didn't for local addresses. I have published SPF records for the public mail servers because all of our mail routes through those servers so if others care to check they can ignore email claiming to be from us but being delivered from other servers as per our SPF record.

Recently I have expanded the ip addresses these systems are using externally to support multiple instances of port-based services like https (adding :oddport doesn't impress the customers.) I could have expanded or added more liberal SPF record values, or added more forward and reverse DNS records but I wanted to stick with less ip addresses.

So to recap my system has:

By using the settings in /etc/postfix/, /etc/postfix/ and /etc/postfix/transport as outlined above I was able to get my outgoing smtp traffic to use my SPF published ip address once again.

Make SPF and multiple external ip addresses

If you want to publish SPF records while binding outgoing mail to one external IP address on a dual-homed system with multiple IP aliases, or have any other reason to run a multi-homed system with several IP addresses but want to limit Postfix to only two of them, try this.

 smtp      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=<spf published ip address>
 smtpinternal      unix  -       -       -       -       -       smtp
        -o smtp_bind_address=<internal ip address>

 transport_maps = hash:/etc/postfix/transport

 .internal smtpinternal:

Just run postmap /etc/postfix/transport, then invoke-rc.d postfix stop and invoke-rc.d postfix start, and you should be in business. Email to <user>@<system>.internal will be delivered via the internal interface/IP address; all other email will be delivered via the default methods, which means internet mail will go out via the SPF-published IP address.


Postfix and Sasl

See also

Please see Postfix/Tutorials

Debian-specific information

Upstream specific information

Other information


  [1] The so-called "lightweight" MTAs like msmtp or sSMTP.