Sending emails: Postfix using Fastmail (Rev: 05/31)

Sending emails: Postfix using Fastmail (Rev: 05/31)

Postfix is a free, open-source mail transfer agent (MTA) used to route and deliver email over the Internet. FastMail is a paid service that provides a secure, privacy-focused email provider supporting custom domains. This post details the setup instructions for using Postfix as a Send-Only SMTP server, using Fastmail, on a Ubuntu Linux 22.04 server.

Martial Martial
Mar 12, 2024
Guide Linux Ubuntu22 Ubuntu24 Postfix FastMail
Sending emails: Postfix using Fastmail (Rev: 05/31)
TABLE OF CONTENTS
Preamble
How to use this guide
Fastmail
Postfix
Setup
Fastmail email setup
Postfix setup
mailutils
Email Headers
Match local root user
Credentials
Postfix main configuration
Revision History
 
đź’ˇ
Instructions for a Linux host running Ubuntu 22.04 or 24.04 server to send emails using Postfix through Fastmail.
 
Revision: 20240531-0 (init: 20240312)
 
Postfix is a free, open-source mail transfer agent (MTA) that routes and delivers email over the Internet. FastMail is a paid service that provides a secure, privacy-focused email provider supporting custom domains. This post details the setup instructions for using Postfix as a Send-Only SMTP server, using Fastmail, on a Ubuntu Linux server host.
 

Preamble

How to use this guide

Our recommendation is to duplicate the content of this file and adapt it. Once you have obtained the source content, open it in an editor and perform a find and replace for the different values you will need to customize for your setup. This will allow you to copy/paste directly from the source file.
Values to adjust (in order of easier replacement): - [email protected], the email address set up in FastMail to send emails from. - host.example.com, the DNS name of your server (pointing to an unroutable private IP is fine) - [email protected] is the account owner of the FastMail account. - example.com is the domain from which we send emails. - [email protected], the destination email we will test sending to.

Fastmail

We will rely on fastmail.com to send emails. FastMail is an email service provider focusing on speed, privacy, and secure communication. It is a paid service for individuals and businesses that supports standard email protocols such as IMAP, SMTP, and CalDAV/CardDAV, making it compatible with many email clients and devices. FastMail offers robust support for custom domains, allowing users to personalize their email addresses with their own domain names. Users can create email addresses linked to their domain, such as [email protected]. More details on the above can be found at https://www.fastmail.help/hc/en-us/articles/360058753394-Custom-domains-with-Fastmail
Since setup differs, we will not cover the steps detailed in the URL above. We expect the domain’s MX points to Fastmail and that SPF and DKIM are correctly configured at your DNS. Fastmail has a valuable dashboard on its Domains page with checkmarks for those settings. Once properly configured, you will have “Your domain is correctly set up to send and receive mail!” on that domain’s dashboard on Fastmail.
We will use them to send emails from a user from the example.com domain using their outgoing SMTP services and app-specific passwords through Postfix.

Postfix

Postfix is a free and open-source mail transfer agent (MTA) that routes and delivers electronic mail. It is an alternative to the widely used Sendmail program and is designed to focus on security, ease of use, and efficient handling of large volumes of email. Postfix’s architecture is modular, which allows for flexibility and extensibility. It supports various mail protocols, including SMTP, and is highly configurable, enabling administrators to tailor its behavior to suit specific requirements. Due to its performance, security features, and simplicity in configuration, Postfix has become a popular choice for both small and large-scale mail systems.
We will use a “send-only” SMTP setup using Postfix to allow our server to send emails without the capability to receive incoming emails, which will enable us to send system notifications or any automated emails generated by scripts, applications, or monitoring tools.
Digital Ocean has an excellent primer on using Postfix (without Fastmail), see https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-postfix-as-a-send-only-smtp-server-on-ubuntu-22-04.

Setup

Fastmail email setup

Our Fastmail account is [email protected]. We will need this information later for the relay to work.
We will use the [email protected] email alias to send messages and adapt the domain and the email address as needed. Fastmail notes, “Every external program or app needs its own app password to access your information.” More details are available at https://www.fastmail.help/hc/en-us/articles/360058752854-App-passwords. The Fastmail “server name and ports” are detailed at https://www.fastmail.help/hc/en-us/articles/1500000278342-Server-names-and-ports. We will follow the instructions for SMTP on port 465.
From your Fastmail “Settings” dashboard, select Set Up -> My email address, then Add address, and then Create an Alias. Add [email protected], and on the next page, decide what you want to do “when a message is delivered to this address” and add a “Description.” You can also configure the “Advanced delivery preferences” and “Compose options” according to your needs.
From your Fastmail “Settings” dashboard, select Stay Secure -> Privacy & Security. In the Integrations tab, create a New App Password. Name it postfix and give it only SMTP access. Copy and store this “postfix smtp app password” in a password manager for future use, as “this is the password for your app. Spaces and capitals donʼt matter. For your security we wonʼt show this password again”.

Postfix setup

Although unlikely to occur with the header fixes, we invite you to set up the server’s hostname as a Fully Qualified Domain Main (FQDN). To do so, sudo nano /etc/hostname and replace the value with host.example.com. If your host is not publicly accessible (on a private network), add host.example.com in /etc/hosts with the local IP so the host can find itself and not attempt to do a DNS lookup. A reboot is recommended, but you can also sudo hostname host.example.com until the next reboot.

mailutils

Install the required tools (including postfix) and adapt example.com to your domain.
sudo apt-get update
sudo apt-get install mailutils
# during this step, you will be prompted to select the mail configuration that best matches your needs. 
# Select "Internet Site" as per the following dialogue: 
# "if a mail address on the local host is [email protected], the correct value for this option would be example.org"
# As such, give it example.com
If you made an entry error at this point, run sudo dpkg-reconfigure postfix. We will manually modify the configuration next.

Email Headers

We need to create a couple of files, which we will require later, so the headers of any emails relayed are sent from an authorized email on your FastMail account.
  • sudo nano /etc/postfix/header_check and add the following
/From:.*/ REPLACE From: [email protected]
  • sudo nano /etc/postfix/sender_canonical_maps and add the following
/.+/    [email protected]

Match local root user

Let’s ensure that emails to root will function, given that it will try to contact [email protected]. Edit a new file sudo nano /etc/postfix/recipient_canonical and add to it:
[email protected] [email protected]
Then create the file hash to be used later: 
sudo postmap /etc/postfix/recipient_canonical
Note: This was added to support sending emails when performing “Unattended Upgrades” (as root,) following details found in this post https://askubuntu.com/a/599513

Credentials

sudo nano /etc/postfix/sasl/fastmail with the below content, adapting the “postfix smtp app password” generated earlier.
Note that we use the FastMail account itself, not the email alias we created:
[smtp.fastmail.com]:465 [email protected]:apppassword
Make it only readable by the root user, using sudo chmod 400 /etc/postfix/sasl/fastmail
Tell postfix to use the credentials using its lookup table management utility to create a /etc/postfix/sasl/fastmail.db file:
sudo postmap /etc/postfix/sasl/fastmail

Postfix main configuration

sudo nano /etc/postfix/main.cf and:
  • modify myhostname to have our domain information (the DNS entry does not need to exist, but an unroutable network/private IP in your DNS will also work):
myhostname = host.example.com
  • empty the mydestination field so that all emails sent out are sent through the relay:
mydestination =
  • find the inet_interfaces and make it loopback-only so that our postfix does not listen on any other active network interface:
inet_interfaces = loopback-only
  • optionally, make it use IPv4 only by modifying inet_protocols
inet_protocols = ipv4
  • Comment the earlier smtp_tls_security_level and relayhost lines to avoid warnings, then add the following to the end of the file:
relayhost = [smtp.fastmail.com]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/fastmail
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
The/etc/postfix/sasl/fastmail file we created earlier is referenced. Additional details on TLS for postfix can be found at https://www.postfix.org/TLS_README.html. Because we are not using port 587 (Fastmail recommends using port 465 for SMTP), we are using the wrappermode.
  • Add the following lines to make use of the header modification files we created earlier
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps =  regexp:/etc/postfix/sender_canonical_maps
smtp_header_checks = regexp:/etc/postfix/header_check
recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
  • Save the file, then reload postfix with its new configuration
sudo /etc/init.d/postfix reload
# content and subject
echo "Test mail content" | mail -s "Postfix Subject" [email protected]
You can check for errors using tail -n 30 /var/log/syslog. If all went well, you should have an entry with a status=sent value and looking similar to (###-ing variable content)
postfix/smtp[###]: ###: to=<[email protected]>, relay=smtp.fastmail.com[###.###.###.###]:465, delay=###, delays=###/###/###/###, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ### ### via ###)
The real confirmation is the reception of the email sent by [email protected] at your [email protected] email.

Revision History

  • 20240531-0: Added support for sending root emails when also using “Unattended Upgrades.”
  • 20240523-0: Confirmed working on Ubuntu 24.04
  • 20240512-0: Migration to Notion
  • 20240312-0: local network clarification
  • 20240302-1: Added links to the introduction section.
  • 20240302-0: Introduction e
 
Martial
Martial

Related Posts

Ubuntu 24.04 VPS Hardening (Rev: 06/22)
Guide Ubuntu24 VPS Security

Ubuntu 24.04 VPS Hardening (Rev: 06/22)
Martial Martial
Jun 16, 2024

Hosting on a VPS is a great option to run a blogging service, but installing services that might expose ports needs to be done with some precaution (or not at all if the service is only to be used by the server itself).

Post-Steps: Ubuntu 24.04 Desktop (Rev: 07/30)
Ubuntu24

Post-Steps: Ubuntu 24.04 Desktop (Rev: 07/30)
Martial Martial
May 25, 2024

This is a more opinionated post than usual: I live on the command line on Linux. As such, I perform a few extra steps after a fresh installation to get to a “usable” system.

Setting up NVIDIA docker & podman (Ubuntu 24.04, Rev: 06/27)
Guide Linux Ubuntu24 NVIDIA Docker Podman

Setting up NVIDIA docker & podman (Ubuntu 24.04, Rev: 06/27)
Martial Martial
Apr 24, 2024

Instructions for a Linux host running Ubuntu 24.04 to install the Nvidia runtime for docker and podman.