Postfix mail server (outbound) Configure Postfix on a HolyCloud VPS for application mail (notifications, forms) with authentication and basic anti-spam. ~14 min read Advanced #postfix #mail #smtp #postfix Postfix mail server (outbound) Configuring Postfix as an outbound relay (MTA) on a HolyCloud Linux VPS lets your applications send email (alerts, password resets). Full inbound mail and deliverability require DNS (SPF, DKIM, DMARC) and a clean IP reputation — often difficult on new VPS IPs. Prerequisites HolyCloud VPS with FQDN hostname (mail.example.com → VPS IP) DNS records: A for mail.example.com, PTR/rDNS (request alignment from HolyCloud if possible) Ports 25 (SMTP) and 587 (submission) — verify they are not blocked outbound on your plan sudo access Tip: For production, an external relay (Brevo, Mailgun, Amazon SES) often improves deliverability. This guide remains useful for controlled direct sending. Step 1: Installation sudo apt update sudo apt install -y postfix mailutils libsasl2-modules During the Postfix dialog, choose Internet Site and machine name mail.example.com. Step 2: Minimal configuration /etc/postfix/main.cf sudo postconf -e "myhostname = mail.example.com" sudo postconf -e "mydomain = example.com" sudo postconf -e "myorigin = \$mydomain" sudo postconf -e "inet_interfaces = all" sudo postconf -e "inet_protocols = ipv4" sudo postconf -e "mydestination = localhost" sudo postconf -e "relayhost =" sudo postconf -e "smtpd_banner = \$myhostname ESMTP" Limit sending to local users and SASL for apps: sudo postconf -e "smtpd_tls_security_level = may" sudo postconf -e "smtp_tls_security_level = may" Step 3: Submission authentication (port 587) sudo nano /etc/postfix/master.cf Uncomment and adapt: submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o milter_macro_daemon_name=ORIGINATING For simple sending without mailboxes, use a system user and sendmail: echo "Test depuis VPS HolyCloud" | mail -s "Test Postfix" [email protected] Step 4: SPF, DKIM, DMARC SPF (TXT record on example.com): v=spf1 ip4:IP_PUBLIQUE_VPS_HOLYCLOUD -all DKIM with OpenDKIM: sudo apt install -y opendkim opendkim-tools sudo mkdir -p /etc/opendkim/keys/example.com sudo opendkim-genkey -b 2048 -d example.com -D /etc/opendkim/keys/example.com -s default -v sudo chown -R opendkim:opendkim /etc/opendkim Publish default.txt content as TXT default._domainkey.example.com. Link Postfix to OpenDKIM (/etc/opendkim.conf, inet socket, milter in main.cf). DMARC (TXT _dmarc.example.com): v=DMARC1; p=quarantine; rua=mailto:[email protected] Step 5: Anti-relay restrictions sudo postconf -e "smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination" sudo postconf -e "mynetworks = 127.0.0.0/8 [::1]/128" Never leave the HolyCloud VPS as an open relay. Step 6: Logs and queue sudo systemctl restart postfix sudo systemctl enable postfix mailq sudo tail -f /var/log/mail.log SMTP test: swaks --to [email protected] --from [email protected] --server 127.0.0.1 --port 25 (sudo apt install swaks if needed.) Verification sudo postfix check sudo postconf -n dig +short TXT example.com dig +short -x IP_PUBLIQUE_VPS_HOLYCLOUD Send a test message to mail-tester.com and fix the score. HolyCloud support Mail queued, no outbound: port 25 blocked — contact HolyCloud support or use relayhost to a third-party SMTP (port 587) Spam / rejection: missing PTR, incorrect DKIM/SPF, new IP listed HolyCloud support: mail.log excerpt, postconf -n, VPS IP and SPF/DKIM DNS records Continue reading Previous article Optimize PHP-FPM Read Next article Python 3 and virtual environments Read
FR