Setting up a cloud Virtual Private Server (VPS) to send emails can be a challenging task. One common hurdle is the fact that many cloud hosting providers block outbound email connections, preventing the VPS from directly sending emails. In this blog post, we will explore how to overcome this issue and configure a cloud VPS to send emails using the popular email server software, Postfix.
Email alerts and notifications play a crucial role in monitoring the health and performance of applications and servers. By setting up email notifications on a VPS, system administrators can receive real-time updates about critical events, server failures, security breaches, and other important system information.
Postfix Configuration
When configuring a cloud VPS to send emails, we want to ensure that all email appears to come from a designated relay account. By utilizing the suggested Postfix configuration, we can rewrite the sender address to a generic one, masking the actual sender’s identity and providing a unified appearance for all outgoing emails.
It is also important to prevent the VPS from sending email to external domains indiscriminately to avoid potential abuse or misuse of the server. The configuration settings below help enforce this restriction by blocking external email transmission, ensuring that the VPS remains focused on internal email traffic only, which enhances security and maintains a controlled email environment.
While there are many ways in which Postfix can be configured to achieve this, here is my recommended way. The following is the entire contents of the /etc/postfix/main.cf configuration file:
compatibility_level = 3.6
inet_interfaces = loopback-only
mydomain = example.com
smtp_generic_maps = static:user@$mydomain
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
transport_maps = static:smtp:[mail.example.com]:587
We also need to specify a username and password in /etc/postfix/sasl_passwd:
[mail.example.com]:587 [email protected]:password
With this configuration we achieve the following:
- All email will be sent through mail.example.com on port 587, which is the default email submission port.
- Connections to mail.example.com will be encrypted using TLS and authenticated with the username and password specified in /etc/postfix/sasl_passwd.
- All email sent will appear to come from user@example.com and any local email destination will also be redirected to user@example.com. For example, a cronjob running as root will send an email From: user@example.com and To: user@example.com.
- Emails to any non-local domains will be rejected and user@example.com will receive a copy of the error message.
Breaking Down the Configuration
compatibility_level = 3.6
This setting specifies the default version level for Postfix’s configuration. In this particular example, we indicate our preference for using the configuration defaults intended for Postfix version 3.6 and above. By explicitly setting this parameter, we can rely on known and safe configuration defaults.
inet_interfaces = loopback-only
We don’t want to accept email externally, so we make the SMTP daemon listen only locally.
mydomain = example.com
mydomain sets the domain name that Postfix treats as its own when sending emails. Replace this with your own domain name.
smtp_generic_maps = static:user@$mydomain
This parameter is used to rewrite the sender address to a generic address when sending external emails. In this case, we specify that any sender and recipient address is rewritten to our own domain. When relaying email from end users, most email servers will refuse emails if the email address does not match the account’s email address. By default Postfix will use our VPS’s hostname as the email address (for example [email protected]) and with this setting we can override that to user@example.com. It is also possible to override individual email addresses or to override only specific addresses.
This example would send email from or to root as sysadmin@example.com while email from or to user would be sent and received as otheruser@example.com:
smtp_generic_maps = inline:{{root=sysadmin@$mydomain},{user=otheruser@$mydomain}}
Instead of specifying the mapping directly in the configuration file, you can use an external file:
smtp_generic_maps = hash:/etc/postfix/generic
Then create a file /etc/postfix/generic with the following contents:
root [email protected]
user [email protected]
* example.com
smtp_sasl_auth_enable = yes
Enabling this setting ensures that the VPS can authenticate itself before sending emails through the relay server.
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
This parameter specifies the location of the file containing the credentials (username and password) for authenticating with the remote SMTP server. In this case, the file is located at /etc/postfix/sasl_passwd. You would need to create this file and populate it with the appropriate credentials. After creating the file, we need to create a hash with the command postmap /etc/postfix/sasl_passwd. Both the file and the generated /etc/postfix/sasl_passwd.db contain the password in clear text, so they should be readable by root only.
smtp_sasl_tls_security_options = noanonymous
This setting excludes anonymous SASL mechanisms on TLS-encrypted sessions, so the client will not fall back to an anonymous login when talking to our relay.
smtp_tls_security_level = encrypt
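This configures the TLS security level for outgoing SMTP connections. We set it to encrypt to make TLS mandatory: if the relay does not offer STARTTLS, Postfix will not send the email in the clear. The encrypt level does not verify the relay's certificate; the stricter verify and secure levels do.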
transport_maps = static:smtp:[mail.example.com]:587
This parameter ensures that all emails, including those that would normally be delivered locally, are forwarded to the specified mail server. In this example we use the smtp transport to forward email to a remote SMTP server located at mail.example.com on port 587.
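One way to check that a deployed main.cf still has the properties described above is a small audit script. This is an added example, not part of the original post: the helper names and the weak sample configuration are constructed for illustration, and the loopback-only check is deliberately strict.

```python
import os

TLS_MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf text: skip '#' lines, join indented continuation lines."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def audit(params):
    """Return findings; an empty list means the relay-only properties hold."""
    findings = []
    if params.get("inet_interfaces") != "loopback-only":
        findings.append("inet_interfaces: SMTP daemon may listen beyond loopback")
    if params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable: relay authentication is off")
    if params.get("smtp_tls_security_level") not in TLS_MANDATORY:
        findings.append("smtp_tls_security_level: TLS to the relay is not mandatory")
    opts = params.get("smtp_sasl_tls_security_options")
    if opts is not None and "noanonymous" not in opts.replace(",", " ").split():
        findings.append("smtp_sasl_tls_security_options: anonymous SASL allowed")
    for entry in params.get("smtp_sasl_password_maps", "").replace(",", " ").split():
        kind, _, path = entry.partition(":")
        # hash: maps are compiled by postmap into <path>.db; both hold the password
        for f in (path, path + ".db") if kind == "hash" else (path,):
            if os.path.exists(f) and os.stat(f).st_mode & 0o077:
                findings.append(f"{f}: accessible by group/other, chmod 600")
    return findings

# Constructed input: a deliberately weak main.cf, not taken from the post.
WEAK = """\
inet_interfaces = all
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtp_sasl_tls_security_options =
    noplaintext
"""

if __name__ == "__main__":
    print("\n".join(audit(parse_main_cf(WEAK))))
```

Run against the configuration from this post it reports nothing, provided /etc/postfix/sasl_passwd and its .db file are mode 600.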
Conclusion
Configuring a cloud VPS to send email can be a challenge due to email blocking by hosting providers. However, by configuring Postfix with the suggested settings mentioned above, you can overcome this issue and enable your VPS to send emails. Remember to customize the configuration based on your specific setup, including replacing the domain name, SMTP server details, and providing the necessary authentication credentials. By following these steps, you can ensure smooth email delivery from your cloud VPS.