How to Set Up Postfix SMTP Relay on Debian with Mailjet
This tutorial is going to show you how to set up Postfix SMTP relay with Mailjet on Debian. Postfix is a popular open-source SMTP server. Previously I wrote an article on how to quickly set up your own email server on Debian with Modoboa, which helped a lot of readers run their own email server.
However, some readers told me that port 25 is blocked by their hosting provider or ISP as a way to control email spam, so they couldn’t send email. Vultr would unblock port 25 if you ask them to, and ScalaHosting doesn’t block port 25 at all, so I recommend using ScalaHosting VPS. Some other hosting providers or ISPs like DigitalOcean would not unblock port 25, so what can you do to bypass this blocking if you can’t or don’t want to change your hosting provider?
SMTP Relay To The Rescue
You can bypass port 25 and send email to the outside world with SMTP relay because it uses port 587. With SMTP relay, your own email server doesn’t send email directly to the destination email address. Instead, there’s an intermediate mail server, otherwise known as a smart host or relay host, that sends email on your behalf. Your email server communicates with the smart host on port 587, then the smart host talks with the recipient’s mail server on port 25.
SMTP relay can also help you get around anti-spam blacklists if your IP address is blacklisted for whatever reason. The recipient’s mail server checks the smart host’s IP address against public anti-spam blacklists instead of your server’s IP address, and because SMTP relay services maintain good IP reputation, your emails can get through IP blacklists.
Using Mailjet To Send 200 Emails Per Day For Free
There are several email service providers (ESPs) that can act as a smart host. Some charge a small fee, some offer free quotas every month. In this article, I’d like to show you how to use Mailjet, which is an email service provider that allows you to send 200 emails per day for free.
The nice thing about Mailjet is that it doesn’t require you to enter your credit card details when you use the free SMTP relay service. There are other ESPs that offer a free quota every month but require you to enter credit card details. (I know how frustrating it can be when you don’t have a credit card.) Mailjet is also easier to set up, compared to other ESPs.
Create an account at mailjet.com. Then on the dashboard, you can see the 3 things that you need to do.
- Setting up SMTP
- Managing sender addresses
- Setting up domain authentication (SPF and DKIM)
Step 1: Setting up Postfix SMTP Relay on Debian
First, let’s install the Postfix SMTP server on Debian with the following command. If Postfix is already running on your server, then skip installing Postfix, but you still need to install the libsasl2-modules package.
sudo apt install postfix libsasl2-modules
When you see the following message, press the Tab key and press Enter.
Then choose the second option: Internet Site.
Next, set the system mail name. For example, I enter my domain name linuxbabe.com.
After Postfix is installed, open the configuration file.
sudo nano /etc/postfix/main.cf
Find the following line.
relayhost =
By default, its value is not set. You need to get this value from your Mailjet account. In the Mailjet dashboard, click setup my SMTP.
You will see the SMTP server address and SMTP credentials.
In the Postfix config file, set the value of relayhost to in-v3.mailjet.com:587.
relayhost = in-v3.mailjet.com:587
Then add the following lines to the end of this file.
# outbound relay configurations
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
header_size_limit = 4096000
Save and close the file. Then create the /etc/postfix/sasl_passwd file.
sudo nano /etc/postfix/sasl_passwd
Add the SMTP relay host and SMTP credentials to this file like below. Replace api-key and secret-key with your real Mailjet API key and secret key.
in-v3.mailjet.com:587 api-key:secret-key
Save and close the file. Then create the corresponding hash db file with postmap.
sudo postmap /etc/postfix/sasl_passwd
Now you should have a file /etc/postfix/sasl_passwd.db. Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
By default, the sasl_passwd and sasl_passwd.db files can be read by any user on the server. Change the permission to 600 so only root can read and write to these two files.
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
From now on, Postfix will send emails via Mailjet.
Step 2: Adding Sender Addresses
You need to add a sender domain or sender address in order to send email via Mailjet. In the Mailjet dashboard, click manage sender addresses. You can validate your entire domain or specific email addresses.
Step 3: Setting up Domain Authentication
In this step, we need to set up SPF and DKIM records, which is strongly recommended if you want your emails to land in the recipient’s inbox rather than the spam folder.
- SPF: Sender Policy Framework. This is a DNS record that specifies what IP addresses are allowed to send email from your domain.
- DKIM: DomainKeys Identified Mail. Mailjet will digitally sign your emails with a private key. The DKIM record contains a public key that allows recipient’s email server to verify the signature.
In the Mailjet dashboard, click setup domain authentication. By default, SPF status and DKIM status are both in error. Click the manage button and follow the instructions to add SPF and DKIM records.
After the SPF and DKIM records are created, wait a few moments and refresh the Mailjet web page. Your new DNS records can take some time to propagate on the Internet, depending on your DNS hosting service. If the SPF and DKIM records are set up correctly and propagation is complete, Mailjet will tell you that the SPF and DKIM records are good.
Sending Test Email
Now we can send a test email with the mailx command like below.
sudo apt install bsd-mailx
echo "this is a test email." | mailx -r from-address -s hello to-address
You can also send a test email from your webmail client or desktop mail client. It is also a good idea to test your email score at https://www.mail-tester.com. As you can see, I got a perfect score.
Troubleshooting
If your email wasn’t delivered and you found the following message in the mail log (/var/log/mail.log),
Relay access denied (in reply to RCPT TO command))
then you might need to edit the /etc/postfix/sasl_passwd file and remove the port number after the hostname like below.
in-v3.mailjet.com api-key:secret-key
Save and close the file. Then build the index file again.
sudo postmap /etc/postfix/sasl_passwd
Restart Postfix for the changes to take effect.
sudo systemctl restart postfix
Now you can flush the email queue (attempt to deliver the previous emails).
sudo postqueue -f
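The audit script below is an added example, not part of the original tutorial. It checks a main.cf and sasl_passwd pair against the settings from Step 1 and the key form from Troubleshooting, and it flags smtp_tls_security_level = may, which lets the SASL login go out in cleartext when STARTTLS is not offered. The function names conf_get and audit_relay and the temporary sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a Postfix relay setup.

# conf_get FILE KEY: print the last value assigned to KEY in a main.cf-style file.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        { name = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", name) }
        name == k { v = substr($0, index($0, "=") + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", v); found = v }
        END { print found }' "$1"
}

# audit_relay MAIN_CF SASL_PASSWD: print one finding per line; no output means clean.
audit_relay() {
    cf=$1; pw=$2
    relay=$(conf_get "$cf" relayhost)
    [ -n "$relay" ] || echo "FAIL relayhost is not set"
    [ "$(conf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        echo "FAIL smtp_sasl_auth_enable is not yes"
    # "may" is opportunistic TLS: if STARTTLS is not offered, the session stays in
    # cleartext, and "noanonymous" alone still permits a plaintext SASL login.
    case $(conf_get "$cf" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "WARN smtp_tls_security_level does not enforce TLS" ;;
    esac
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        # Characters 5-10 of the ls mode string are the group and other bits.
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            echo "FAIL $f is accessible to group or other"
    done
    # Accept the two key forms this tutorial uses: relayhost as written,
    # or the same host without the port (the Troubleshooting variant).
    key=$(awk '!/^[ \t]*(#|$)/ { print $1; exit }' "$pw")
    [ "$key" = "$relay" ] || [ "$key" = "${relay%:*}" ] ||
        echo "FAIL sasl_passwd key '$key' does not match relayhost '$relay'"
}

# Constructed sample input: the tutorial's settings with placeholder credentials.
demo=$(mktemp -d)
printf '%s\n' 'relayhost = in-v3.mailjet.com:587' 'smtp_sasl_auth_enable = yes' \
    'smtp_sasl_security_options = noanonymous' 'smtp_tls_security_level = may' \
    > "$demo/main.cf"
printf '%s\n' 'in-v3.mailjet.com:587 api-key:secret-key' > "$demo/sasl_passwd"
chmod 0644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf" "$demo/sasl_passwd"
```

On a real server, call audit_relay with /etc/postfix/main.cf and /etc/postfix/sasl_passwd as root; setting smtp_tls_security_level = encrypt clears the warning.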
Adding Additional Domains
If you set up a mail server on a new machine for a new domain name, and you want to set up SMTP relay for this new domain name, then follow the same steps:
- Configure Postfix SMTP relay settings
- Validate the new domain name in the Mailjet dashboard
- Set up SPF and DKIM verifications
Wrapping Up
That’s it! I hope this tutorial helped you set up Postfix SMTP relay on Debian to bypass port 25 or IP blacklists. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.
Having already set up the mail server according to your three-part tutorial series, what do I do with the SPF and DKIM on my own server? Mail-tester complains that I have double set-ups, as far as I understood. More specifically, it complains that I have more than one DKIM signature in my message. But maybe they are both from my own server. I am still very much a beginner at this. I suppose I will have to uninstall and reinstall several times to gradually get it to work better.
I should also say that I am using dynu.com as SMTP relay provider, and not Mailjet, since they are my DDNS provider and more. Also Mailjet and dynu didn’t play well when I followed this tutorial.
The SMTP relay will add a DKIM signature to your emails, so you don’t have to sign emails with OpenDKIM. The following line in /etc/opendkim.conf enables both the signing mode and verification mode.
You can change it to:
So OpenDKIM won’t sign your emails on your mail server but only verify incoming emails.
Hello,
I love your tutorials which helped me pass through the spams, thank you !
Just a question : with this setup, do I have to setup DMARC ?
Thank you again !
SMTP relay doesn’t require you to change anything in your DMARC setup. You only need to create a DMARC DNS record. If you already have DMARC DNS record, there’s no need to change anything.
Ok thanks a lot !
hello, again thank you so much
I just tried this on Debian 10
but /etc/postfix/main.cf doesn’t seem to have a line relayhost = anymore
I just added the line relayhost = in-v3.mailjet.com:587
and continued as per tutorial and it seemed to work?
was I just lucky?
Your configuration isn’t wrong.
thank you Xiao, it is definitely working via mailjet;
not sure, has the /etc/postfix/main.cf file changed since this tutorial? or is it – sorry I forgot to mention – that I set up iRedMail first and then was following this tutorial. I couldn’t find the line relayhost =
btw, if you use Namecheap, there was no problem setting up SPF, but trying to set up the DomainKeys/DKIM I kept getting errors and needed to contact Namecheap support. They wrote if ‘ the record is for any subdomain, there is no need to indicate the root domain in Host field as well. So you need to change the host for TXT record from [using your example]
mailjet._domainkey.linuxbabe.com. to
mailjet._domainkey.
with a full stop at the end; and remove the domain name; obviously this is on Namecheap.
Yes, iRedMail might have changed the default configuration in the /etc/postfix/main.cf file, but it doesn’t really matter.
You can follow the tutorial below to create DNS records in NameCheap.
How to Create DNS Records in NameCheap