Mail server

Provides an MTA (Mail Transfer Agent) to process incoming and outgoing customer emails.


  • Postfix
  • policyd-weight
  • postgrey
  • AMaViS
  • SpamAssassin


  • Overrule/extend standard system aliases in /etc/mail/local-aliases.
  • There are various maps in /etc/mail that allow customizing mail delivery and access control. User-customizable maps include:
    • access-client
    • access-helo
    • access-recipient
    • access-sender
    • canonical
    • canonical.pcre
    • external-networks
    • local-aliases
    • relay-domains
    • transport
    • virtual-aliases
  • The host name announced in HELO can be set in /etc/postfix/myhostname. Please note that DNS records (forward/reverse) must be in place before changing this file.
  • Customizations to parameters can be written into /etc/postfix/main.d/ It is also OK to create new files in the form /etc/postfix/main.d/

Sending mail from applications

Mails should generally be injected via the submission port (587). Port 25 is reserved for incoming mail delivery. Specifically, delivery to port 25 may result in a temporary failure (4xx response codes) and must be retried. Mails submitted via port 587 are always spooled by the mail server.

By default, mails from localhost are accepted without authentication. To submit mails from other hosts, choose one of two options:

  1. Set SMTP AUTH credentials on the mail server using sudo saslpasswd2 {USERNAME} and let submission clients authenticate against the mail server (preferred).
  2. List IP addresses or CIDR networks in /etc/mail/external-networks. Mail submission from one of the listed addresses will proceed without authentication.

Forwarding mail to applications

Custom pipe transports are generated automatically for each service user following the naming scheme “user-username”. For example, if the service user webapp is defined, there is a pipe transport named user-webapp. It delivers mails by calling HOME/bin/deliver in the respective service users’ home directory.

Use /etc/mail/transport rules to forward mails to user-specific transports. For example, a transport line  user-webapp:

causes all mails sent to a virtual domain being piped into the executable ~webapp/bin/deliver. The local delivery script is called for every incoming mail with the parameters

$HOME/bin/deliver -f $sender $nexthop $recipient [$recipient ...]


Set user-USER_destination_recipient_limit = 1 in /etc/postfix/main.d/ to avoid delivery to multiple recipients.

All other aspects like local mail server names etc. must be configured by an administrator.

DNS Setup

Mail servers require a special DNS setup. Please check with our Support that the following conditions hold. Unclean DNS setups may cause bad anti-spam scorings on remote mail servers.

Mail server name (HELO name)

Each mail server must have a distinguished own name (HELO name) which configured as MX of the server’s virtual domains and known internally as myhostname. In the following examples, the mail server’s name is

DNS configuration:     MX 10

Local configuration:

$ cat /etc/postfix/myhostname

IP addresses

The forward and reverse resolution of the mail server’s frontend addresses must match exactly its HELO name.

DNS configuration:   AAAA    2a02:238:f030:1c2::10   A

2a02:238:f030:1c2::10 PTR           PTR

Postfix configuration:

smtp_bind_address =
smtp_bind_address6 = 2a02:238:f030:1c2::10


By default external mail servers have to pass greylisting when delivering mail for the first time. Service users may whitelist specific clients or recipients by setting a whiteliste rule in /etc/postfix/postgrey_whitelist_clients.local or /etc/postfix/postgrey_whitelist_recipients.local as described on the postgrey man page.

To put changes into effect, invoke sudo /etc/init.d/postgrey restart as service user.


  • To put changed postfix maps and aliases into effect, invoke sudo /etc/init.d/postfix reload as service user.
  • Use sudo saslpasswd2 to edit the Postfix authentication database as service user. (see saslpasswd2(8)). Note that the -f option is not allowed. Use sudo sasldblistusers2 to inspect the SASL authentication database.

If the Antivirus role is also present on the same VM, all mails are automatically scanned for viruses. If the antivirus role is not present, mails are only scanned for spam.


An extensive range on checks is provided by default, including:

  • process checks
  • port checks for SMTP
  • rejection checks for spam and virus mails
  • stale postfix maps