Setting up mail forwarding with Postfix

Setting an MX DNS record

First of all, for a domain like @example.org to be able to receive mail, an MX record is needed.

I just added an MX record for example.org to mx.example.org, and a CNAME for mx.example.org to example.org, which finally resolves to my VPS.

Enabling mail forwarding

It’s relatively easy to set up mail forwarding with Postfix, as it’s capable of being both an SMTP client and an SMTP server.

Simply creating a virtual alias map at (e.g.) /etc/postfix/virtual with:

… and telling Postfix about that in main.cf:

… should work.

Also note that if Postfix detects that example.org is the same as your hostname, it may warn about that. To address this, remove example.org from mydestination in main.cf.

Enabling TLS

Well, this is where things get messy.

Being a project that started decades ago, Postfix comes with quite a few similar options, some of which are deprecated.

We’ll be editing /etc/postfix/main.cf:

There are also smtp_enforce_tls and smtpd_enforce_tls, but those are deprecated in favor of smtp[d]_tls_security_level. I’d like to stick to the newer one.
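One possible main.cf covering the forwarding and TLS settings discussed above, as an added example rather than the author's original configuration. The forwarding target, the certificate paths and the remaining mydestination value are assumptions.

```ini
# /etc/postfix/virtual (the alias map; placeholder addresses).
# After editing it, run: postmap /etc/postfix/virtual && postfix reload
#   me@example.org    someone@mailbox.example
#   @example.org      someone@mailbox.example

# /etc/postfix/main.cf
# Comments must sit on their own line: Postfix treats a trailing
# "# ..." after a value as part of the value.

# --- Forwarding ---
virtual_alias_domains = example.org
virtual_alias_maps = hash:/etc/postfix/virtual
# example.org must not be listed here as well (assumed remaining value).
mydestination = localhost.$mydomain, localhost

# --- Inbound: Postfix as SMTP server (smtpd_*) ---
# Placeholder certificate and key paths.
smtpd_tls_cert_file = /etc/ssl/example.org/fullchain.pem
smtpd_tls_key_file = /etc/ssl/example.org/privkey.pem
# encrypt = reject mail from clients that do not issue STARTTLS.
# may     = opportunistic TLS; senders that cannot negotiate TLS
#           still get through, in plaintext.
smtpd_tls_security_level = encrypt
# Log one summary line per TLS session, and record the negotiated
# protocol and cipher in the Received: header, so plaintext or
# failed handshakes are visible afterwards.
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

# --- Outbound: Postfix as SMTP client (smtp_*) ---
# encrypt = defer delivery when the next hop offers no STARTTLS.
# At this level the server certificate is not verified, so the
# session is encrypted but the peer is not authenticated.
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
```

Running `postconf -n` afterwards lists the non-default settings Postfix actually loaded, which makes leftover deprecated options easy to spot.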

Notes about @outlook.com

Microsoft is doing really badly at supporting STARTTLS. Sending mail from @outlook.com to Postfix configured as above always fails due to a failure in the TLS handshake. It looks like the issue has been known since 2015 but never got fixed, forcing MX servers to disable TLS for @outlook.com. Shame on them.

If that bothers you, you might want to follow instructions there. I’m not gonna do that at the moment, though.

Notes about security

It should be noted that even if we “enforce” TLS on the server side, it is still quite vulnerable in fact. STARTTLS may get stripped, and a MITM may forge certificates, as they’re sometimes not validated.

Personally, I think STARTTLS gives a somewhat false sense of security. But it’s still better than nothing.

A bonus

I actually received a mail from Cron Daemon on my VPS after enabling mail forwarding with Postfix (instead of using the DNS registrar’s) telling me about the jobs’ output, as Cron Daemon sends mail to root@[hostname], which is handled by Postfix. That’s really convenient.
