postfix config for outgoing smarthost with TLS authentication

this is a short how-to to get your postfix mailserver to send outgoing mail via a smarthost that requires TLS authentication:

create a password file with the following contents:

echo " username:password" > /etc/postfix/smarthost_password
chmod 600 /etc/postfix/smarthost_password
postmap /etc/postfix/smarthost_password


nano /etc/postfix/

and add / modify these lines:

relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smarthost_password
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

also make sure you're not creating an open relay server for everybody to use. for example, limiting your acceptable mail networks to localhost only is a good starting point (in as well):

mynetworks = [::ffff:]/104 [::1]/128

make sure the necessary SASL mechanism libraries (used for the authentication) are installed:

apt install libsasl2-modules

now check your new config and reload it:

postfix check 
postfix reload 
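
the settings from the steps above can also be checked with a small script. this is an added example, not part of the original how-to: `cf_get` and `audit_smarthost` are hypothetical helper names, the path of the postfix config file is passed as the argument, and `stat -c` as found on GNU/busybox systems is assumed.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes GNU/busybox `stat -c`.

# Print the last value assigned to key $2 in config file $1
# (continuation lines are not handled).
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Print one line per finding; exit status is the number of findings.
# The body runs in a subshell so `set -f` and `fail` do not leak to the caller.
audit_smarthost() (
    cf=$1; bad=0
    set -f    # entries such as [::1]/128 must not be treated as glob patterns
    fail() { echo "FAIL: $*"; bad=$((bad + 1)); }

    [ -n "$(cf_get "$cf" relayhost)" ] || fail "relayhost is empty"
    [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = yes ] || fail "smtp_sasl_auth_enable is not yes"
    case " $(cf_get "$cf" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) fail "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    # Levels that refuse to deliver without TLS; none/may would allow plaintext.
    case "$(cf_get "$cf" smtp_tls_security_level)" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) fail "smtp_tls_security_level does not enforce TLS" ;;
    esac
    for net in $(cf_get "$cf" mynetworks | tr ',' ' '); do
        case "$net" in
            127.*|"[::1]"*|"[::ffff:127."*) ;;
            *) fail "mynetworks entry $net is wider than localhost" ;;
        esac
    done
    # The password map and the .db built by postmap must be owner-only.
    pw=$(cf_get "$cf" smtp_sasl_password_maps); pw=${pw#*:}
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        case "$(stat -c %a "$f")" in
            *00|0) ;;
            *) fail "$f is accessible by group or others" ;;
        esac
    done
    exit "$bad"
)

if [ "$#" -gt 0 ]; then audit_smarthost "$1"; fi
```

an exit status of 0 means none of the checks failed; any other value is the number of FAIL lines printed.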

monitor your mail logs and send a test message to see what happens:

tail -f /var/log/mail.* 

in another terminal:

echo "this is a test " | mail -s test

in many cases, the sender domain of such a system is an internal domain and will be rejected by many spam filters. for that reason it may be necessary to rewrite the from address to an actual valid email address.

to do that we can use sender_canonical_maps on postfix. Add the following line to /etc/postfix/

sender_canonical_maps = hash:/etc/postfix/canonical

and create a map in /etc/postfix/canonical that looks something like this:

@myserver.local   valid@email.address

instead of @myserver.local which will basically rewrite any local email address, we can also use a username like root if that better suits our needs.

finally use postmap to create the hash map and reload the config once more:

postmap /etc/postfix/canonical
postfix check 
postfix reload  
  • Last modified: 14.10.2020 18:31
  • by Pascal Suter