Sender-based relaying with Postfix


A lot of users of the Mailstation want to use it as a central mail gateway for their LAN clients. With dynamic external addresses (as most home users have) this causes a number of problems. The main one is that many providers use anti-spam solutions that treat a dynamic sender IP as a main criterion for spam. To do so, they use lists of networks that contain dynamic IPs.

How this is applied depends on the provider: some providers use a dynamic IP as the only criterion for spam, and some use a whole "army" of filters. This means a mail can be blocked at different stages of the mail process.

The easiest case is when a receiving server rejects such a mail directly during the SMTP dialog. This causes an error message to be sent to the sender, informing him/her about the problem. More problematic is the case when a spam filter catches a mail AFTER the sender has received the OK message from the SMTP server. In that case the sender does not receive any information that his/her mail has been blocked, or the reason for rejecting it. I use such lists as well, but I implemented those on my postfix server, so a sender will receive an immediate notification if a message has been blocked.

There are two different ways to reduce the chance of being caught as possible spam. The easiest one is to use external relay servers (with fixed IP addresses) to send mails. The mail then comes from a fixed IP, so lists based on dynamic IPs do not have a problem with it.

The second, more difficult, way is to send mails directly to the receiving server. This carries the risk that a mail is caught as spam. If you want to go this way, you have to check whether your IP is listed on blacklists. To do so you can use a page like 1) to check your IP against several lists. Sending mails directly (direct-mx) is only possible if your IP does not appear on most lists.

Pages for checking IPs

The rest of this page covers the relay way, as this mostly works without too much effort ;-)


There are several ways to use postfix to relay mail. One is to send all mail via the same relay server, regardless of sender or receiver. Further information can be found 2). The other way is to choose a particular relay server per mail, based on the sender address.

All mails via the same relay server

To achieve that the following value has to be set in


Here you define your global relay server. If you set this parameter, all mails to external recipients will be sent via that relay.

relayhost = mail.isp.tld
relayhost = mail.isp.tld:submission
relayhost = [mail.isp.tld]
relayhost = [mail.isp.tld]:submission

The examples above show four different ways of defining the relay server:

  1. Mail will be sent to MX-Host in DNS for mail.isp.tld on port 25
  2. Mail will be sent to MX-Host in DNS for mail.isp.tld on port 587
  3. Mail will be sent to the IP for a DNS request on mail.isp.tld on port 25 (A-Record)
  4. Mail will be sent to the IP for a DNS request on mail.isp.tld on port 587 (A-Record)

The examples above show why a mailserver should NOT be a CNAME record on another host. Mailservers normally only look for MX- or A-Records.

smtp_sasl_password_maps = hash:/opt/etc/postfix/sasl_passwd

Here you define the file which contains the login credentials for your relay servers. This file needs to be created by root and must be converted with postmap into a format that postfix can read.

mail.isp.tld      user@isp.tld:secret

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous

This activates SASL authentication and allows postfix to use non-secure login types such as login, which send passwords in plaintext.

smtp_use_tls = yes
smtp_tls_enforce_peername = no

These options allow the postfix SMTP client to connect to servers in a secure way (TLS/SSL). Otherwise the login credentials will be sent in plaintext.

One relay server per sender address

This allows different users to use the same relay server with different login credentials.

sender_dependent_relayhost_maps = hash:/opt/etc/postfix/sender_relay

In this file a particular relay host is "connected" to a defined sender address:

user@isp.tld   mail.isp.tld
foo@isp.tld    mail.isp.tld

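The credentials file (sasl_passwd) then uses the sender address as the lookup key:

user@isp.tld   user@isp.tld:secret
foo@isp.tld    foo@isp.tld:totalSecret

smtp_sender_dependent_authentication = yes

The last setting "activates" sender-dependent relaying: with it, postfix looks up the login credentials by sender address.
The following options from above apply to sender-based relaying as well: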

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_enforce_peername = no
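
As an added example (not part of the original page): a small Python lint that checks the three files above for two failure modes, senders whose credentials postfix would not find and plaintext SASL logins without mandatory TLS. It relies on documented Postfix behaviour: `smtp_use_tls = yes` is opportunistic, and `smtp_tls_security_level` (a parameter not shown on this page) is what makes TLS mandatory. The file contents are constructed from the page's snippets.

```python
# Added example: lint for the sender-dependent relay setup described on this page.
# Inputs are constructed samples modelled on the page's snippets (isp.tld is a placeholder).
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_table(text, sep=None):
    """Parse 'key value' map lines, or 'name = value' lines when sep='='."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(sep, 1)
            if len(parts) == 2:
                table[parts[0].strip()] = parts[1].strip()
    return table

def audit(main_cf, sender_relay, sasl_passwd):
    """Return a list of warnings for the three file contents (given as strings)."""
    cf = parse_table(main_cf, "=")
    relays, creds = parse_table(sender_relay), parse_table(sasl_passwd)
    findings = []
    per_sender = cf.get("smtp_sender_dependent_authentication") == "yes"
    for sender, relay in relays.items():
        # Postfix searches sasl_passwd by sender (only when per-sender auth is
        # enabled), then by remote host name or next-hop destination.
        host = relay.rsplit(":", 1)[0].strip("[]")  # assumes no IPv6 literal
        if not ((per_sender and sender in creds) or relay in creds or host in creds):
            findings.append(f"no SASL credentials for {sender} via {relay}")
    level = cf.get("smtp_tls_security_level")
    # When set, smtp_tls_security_level overrides the older smtp_enforce_tls.
    forced = level in MANDATORY_TLS if level else cf.get("smtp_enforce_tls") == "yes"
    opts = cf.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if cf.get("smtp_sasl_auth_enable") == "yes" and "noplaintext" not in opts and not forced:
        findings.append("plaintext SASL allowed while TLS is not mandatory")
    return findings

MAIN_CF = """
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_enforce_peername = no
"""
SENDER_RELAY = "user@isp.tld   mail.isp.tld\nfoo@isp.tld    mail.isp.tld\n"
SASL_PASSWD = "user@isp.tld   user@isp.tld:secret\nfoo@isp.tld    foo@isp.tld:totalSecret\n"

if __name__ == "__main__":
    for finding in audit(MAIN_CF, SENDER_RELAY, SASL_PASSWD):
        print("WARN:", finding)
```

With the page's settings the lint reports only the TLS warning; adding `smtp_tls_security_level = encrypt` to the configuration clears it.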