Setting up mail forwarding with PostfixSetting an MX DNS record
First of all, for a domain like @example.org to be able to receive mails, an MX record is need.
I just added a MX record for example.org to mx.example.org, and a CNAME for mx.example.org to example.org, which finnally resolve to my VPS.
Enabling mail forwarding
It’s relatively easy to setup mail forwarding with Postfix as it’s capable of being both an SMTP client and an SMTP server.
Simply creating a virtual alias map at (e.g.) /etc/postfix/virtual with:
1 @example.org receiver@gmail.com
… and telling Postfix about that in main.cf:
1 virtual_alias_maps = hash:/etc/postfix/virtual
… should work.
But also note that if Postfix correctly detected example.org is the same as your hostname, it may warn about that. To address this, remove example.org from mydestination in main.cf.
Enabling TLS
Well this’s where things go messy.
Being a project that started tens of years ago, Postfix comes with quite a few similar options, some of them are often deprecated.
We’ll be editing /etc/postfix/main.cf:
12345678910111213 smtpd_tls_cert_file=/etc/path/to/cert.cersmtpd_tls_key_file=/etc/path/to/key.keysmtp_tls_security_level = encryptsmtpd_tls_security_level = encryptsmtp_tls_mandatory_ciphers = highsmtpd_tls_mandatory_ciphers = highsmtp_tls_mandatory_exclude_ciphers = aNULLsmtpd_tls_mandatory_exclude_ciphers = aNULLsmtp_tls_mandatory_protocols = TLSv1.2 TLSv1.3smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3smtpd_tls_eecdh_grade = strongsmtp_tls_CApath = /etc/path/to/CAcertssmtpd_tls_CApath = /etc/path/to/CAcerts
There’re also smtp_enforce_tls and smtpd_enforce_tls, but those are deprecated in favor of smtp[d]_tls_security_level. I’d like to stick to the newer one.
Notes about @outlook.com
Microsoft is really doing bad in supporting STARTTLS. Sending mails from @outlook.com to Postfix configured as above always fails due to failure in TLS handshake. It looks that the issue has been known since 2015 but never got fixed, forcing MX servers to disable TLS for @outlook.com. Shame to them.
If that bothers you, you might want to follow instructions there. I’m not gonna do that at the moment, though.
Notes about security
It should be noted that even we “enforce” TLS at the server side, it still quite vulnerable in fact. STARTTLS may get stripped, MITM may forge certificates as they’re sometimes not validated.
Personally I consider STARTTLS somewhat gives a false sense of security. But it still better than nothing.
A bonus
I actually received a mail from Cron Daemon on my VPS after enabling mail forwarding with Postfix (instead of using DNS registrar’s) telling me about the jobs’ output, as Cron Daemon is sending mail to root@[hostname], and handled by Postfix. That’s really convenient.
Setting an MX DNS record
First of all, for a domain like @example.org to be able to receive mails, an MX record is need.
I just added a MX record for example.org to mx.example.org, and a CNAME for mx.example.org to example.org, which finnally resolve to my VPS.
Enabling mail forwarding
It’s relatively easy to setup mail forwarding with Postfix as it’s capable of being both an SMTP client and an SMTP server.
Simply creating a virtual alias map at (e.g.) /etc/postfix/virtual with:
1 | @example.org receiver@gmail.com |
… and telling Postfix about that in main.cf:
1 | virtual_alias_maps = hash:/etc/postfix/virtual |
… should work.
But also note that if Postfix correctly detected example.org is the same as your hostname, it may warn about that. To address this, remove example.org from mydestination in main.cf.
Enabling TLS
Well this’s where things go messy.
Being a project that started tens of years ago, Postfix comes with quite a few similar options, some of them are often deprecated.
We’ll be editing /etc/postfix/main.cf:
1 2 3 4 5 6 7 8 9 10 11 12 13 | smtpd_tls_cert_file=/etc/path/to/cert.cer smtpd_tls_key_file=/etc/path/to/key.key smtp_tls_security_level = encrypt smtpd_tls_security_level = encrypt smtp_tls_mandatory_ciphers = high smtpd_tls_mandatory_ciphers = high smtp_tls_mandatory_exclude_ciphers = aNULL smtpd_tls_mandatory_exclude_ciphers = aNULL smtp_tls_mandatory_protocols = TLSv1.2 TLSv1.3 smtpd_tls_mandatory_protocols = TLSv1.2 TLSv1.3 smtpd_tls_eecdh_grade = strong smtp_tls_CApath = /etc/path/to/CAcerts smtpd_tls_CApath = /etc/path/to/CAcerts |
There’re also smtp_enforce_tls and smtpd_enforce_tls, but those are deprecated in favor of smtp[d]_tls_security_level. I’d like to stick to the newer one.
Notes about @outlook.com
Microsoft is really doing bad in supporting STARTTLS. Sending mails from @outlook.com to Postfix configured as above always fails due to failure in TLS handshake. It looks that the issue has been known since 2015 but never got fixed, forcing MX servers to disable TLS for @outlook.com. Shame to them.
If that bothers you, you might want to follow instructions there. I’m not gonna do that at the moment, though.
Notes about security
It should be noted that even we “enforce” TLS at the server side, it still quite vulnerable in fact. STARTTLS may get stripped, MITM may forge certificates as they’re sometimes not validated.
Personally I consider STARTTLS somewhat gives a false sense of security. But it still better than nothing.
A bonus
I actually received a mail from Cron Daemon on my VPS after enabling mail forwarding with Postfix (instead of using DNS registrar’s) telling me about the jobs’ output, as Cron Daemon is sending mail to root@[hostname], and handled by Postfix. That’s really convenient.