Hostperl

Configure Postfix Mail Relay Authentication on Ubuntu VPS

By Raman Kumar

Updated on Jun 8, 2026

Understanding Mail Relay Authentication for VPS Email

Mail relay authentication lets your Ubuntu VPS send email through external SMTP servers instead of directly from your server's IP. This solves deliverability problems that hit most VPS installations hard. Major email providers routinely block or filter messages from unknown server IPs.

Your VPS authenticates with established services like Gmail, SendGrid, or Mailgun using credentials. These services have proven sender reputations and much higher delivery rates than typical VPS addresses.

This tutorial shows you how to configure Postfix mail relay authentication, secure the connection with TLS, and test that everything works. Your emails will skip spam folders and reach inboxes reliably.

Prerequisites and System Requirements

Before starting, make sure your Ubuntu VPS has:

  • Ubuntu 20.04 or newer with root or sudo access
  • Postfix already installed (install with apt install postfix)
  • External SMTP service credentials (Gmail, SendGrid, Mailgun, etc.)
  • Basic familiarity with text editors like nano or vim

Check if Postfix is running:

systemctl status postfix

If it's not active, start it:

sudo systemctl start postfix
sudo systemctl enable postfix

Hostperl VPS hosting comes with Postfix pre-configured for basic operation. You'll still need relay authentication for optimal deliverability.

Setting Up SMTP Relay Credentials

Create a secure credentials file for Postfix SMTP authentication. This file contains sensitive login information, so permissions matter.

Create the SASL password file:

sudo nano /etc/postfix/sasl_passwd

Add your relay server and credentials in this format:

[smtp.gmail.com]:587 username@gmail.com:app_password
[smtp.sendgrid.net]:587 apikey:your_sendgrid_api_key
[smtp.mailgun.org]:587 postmaster@your-domain.com:mailgun_password

Use the line matching your SMTP provider. Gmail needs app-specific passwords, not regular account passwords. SendGrid uses "apikey" as the username with your API key as the password.

Secure the credentials file:

sudo chmod 600 /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd

Create the Postfix database from your credentials:

sudo postmap /etc/postfix/sasl_passwd

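This generates /etc/postfix/sasl_passwd.db, which Postfix reads for authentication. postmap gives the new file the same group and other read permissions as its source file, so run it after the chmod above, and rerun it whenever you edit sasl_passwd.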

Configuring Postfix Main Settings

Edit the main Postfix configuration to enable relay authentication:

sudo nano /etc/postfix/main.cf

Add these relay settings at the end:

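# SMTP Relay Configuration
relayhost = [smtp.gmail.com]:587
# smtp_tls_security_level below supersedes the deprecated smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# noanonymous still permits plaintext mechanisms (PLAIN/LOGIN), so TLS must stay mandatory
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes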

Replace [smtp.gmail.com]:587 with your SMTP provider. Popular options:

  • SendGrid: [smtp.sendgrid.net]:587
  • Mailgun: [smtp.mailgun.org]:587
  • Amazon SES: [email-smtp.region.amazonaws.com]:587

The smtp_tls_security_level = encrypt setting forces TLS encryption for all outbound mail. This protects your credentials and content.

Save and reload Postfix:

sudo systemctl reload postfix

Installing Required SASL Authentication Packages

Ubuntu VPS installations often lack SASL libraries Postfix needs for relay authentication. Install them:

sudo apt update
sudo apt install libsasl2-modules

Some distributions also need the plain text authentication module:

sudo apt install libsasl2-modules-db

Restart Postfix to load the SASL modules:

sudo systemctl restart postfix

Verify Postfix recognizes your SASL configuration:

sudo postconf | grep sasl

You should see your SASL settings in the output. If missing, check your main.cf syntax and reload.
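A stricter check than reading the grep output, added here as an example that is not part of the original tutorial: it audits a Postfix configuration directory for the settings and file permissions used above. The function names and the directory argument are assumptions, and main.cf is parsed directly with a simplified parser rather than through postconf.

```bash
#!/usr/bin/env bash
# Added example: audit the relay settings from this tutorial.
# Usage: audit_relay /etc/postfix   (run as root; returns 1 on any FAIL)

# Print the last value assigned to a parameter in main.cf. Simplified parser:
# skips comments and continuation lines, which these settings do not use.
main_cf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]/ { next }
        { eq = index($0, "="); if (!eq) next
          k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k) }
        k == key { v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); val = v }
        END { print val }' "$1"
}

audit_relay() {
    local dir="$1" rc=0 f mode level
    # Credentials and the postmap output must not be accessible to group/other.
    for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
        if [ ! -e "$f" ]; then echo "FAIL $f missing"; rc=1; continue; fi
        mode=$(stat -c '%a' "$f")
        if [ $(( 0$mode & 077 )) -ne 0 ]; then echo "FAIL $f mode $mode"; rc=1; fi
    done
    [ "$(main_cf_get "$dir/main.cf" smtp_sasl_auth_enable)" = yes ] ||
        { echo "FAIL smtp_sasl_auth_enable is not yes"; rc=1; }
    case "$(main_cf_get "$dir/main.cf" smtp_sasl_security_options)" in
        *noanonymous*) ;;
        *) echo "FAIL smtp_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    level=$(main_cf_get "$dir/main.cf" smtp_tls_security_level)
    case "$level" in
        verify|secure|fingerprint|dane-only) ;;
        encrypt) echo "WARN TLS is mandatory but the relay certificate is not verified" ;;
        *) echo "FAIL smtp_tls_security_level='$level' permits cleartext SASL"; rc=1 ;;
    esac
    return "$rc"
}
```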

Testing Your Mail Relay Setup

Test authentication by sending a command-line message:

echo "Test message from VPS relay" | mail -s "Relay Test" your-email@example.com

Install the mail command if needed:

sudo apt install mailutils

Monitor logs to verify successful authentication:

sudo tail -f /var/log/mail.log

Successful authentication shows:

postfix/smtp[12345]: ABCD1234: SASL authentication succeeded
postfix/smtp[12345]: ABCD1234: to=<recipient@example.com>, relay=smtp.gmail.com[74.125.136.108]:587, status=sent

Authentication failures appear as:

postfix/smtp[12345]: SASL authentication failed; server smtp.gmail.com said: 535-5.7.8 Username and Password not accepted

If you see errors, check the credentials in /etc/postfix/sasl_passwd, then regenerate the database with postmap.

Advanced Relay Security Configuration

Add security enhancements to /etc/postfix/main.cf:

# Enhanced TLS Configuration
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, SRP, DSS, AECDH, ADH

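These settings point Postfix at the system CA bundle it uses to verify relay server certificates and exclude weak ciphers. Verification against that bundle is only enforced when smtp_tls_security_level is set to verify or secure; at the encrypt level configured earlier, TLS is mandatory but the relay's certificate is not checked.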

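For multi-domain servers, configure sender-dependent relay hosts so that each sender domain or address uses its own provider. Every relay listed here also needs a matching entry in /etc/postfix/sasl_passwd.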

sudo nano /etc/postfix/sender_relay

Add domain-specific mappings:

@domain1.com     [smtp.gmail.com]:587
@domain2.com     [smtp.sendgrid.net]:587
user@domain3.com [smtp.mailgun.org]:587

Update main.cf:

sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay

Create the database and reload:

sudo postmap /etc/postfix/sender_relay
sudo systemctl reload postfix
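The Postfix documentation requires the sasl_passwd key to use the same form, brackets and port included, as the relay destination. The following added example, which is not part of the original tutorial, lists every relay named in main.cf or sender_relay that lacks such a key; the function name and directory argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example: find relays that have no credentials of matching form.
# Usage: relays_without_credentials /etc/postfix   (run as root)

# Prints every relay named in main.cf (relayhost) or sender_relay that has no
# key of exactly the same form in sasl_passwd. No output means full coverage.
relays_without_credentials() {
    local dir="$1" relay
    {
        awk -F= '/^relayhost[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2 }' "$dir/main.cf"
        if [ -f "$dir/sender_relay" ]; then
            # Right-hand side of each non-comment, non-blank mapping line.
            awk '!/^[ \t]*(#|$)/ { print $2 }' "$dir/sender_relay"
        fi
    } | sort -u | while read -r relay; do
        [ -n "$relay" ] || continue
        # Compare as strings: "[host]:587" and "host:587" are different keys.
        awk -v r="$relay" '!/^[ \t]*(#|$)/ && $1 == r { hit = 1 } END { exit !hit }' \
            "$dir/sasl_passwd" || echo "$relay"
    done
}
```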

Troubleshooting Common Authentication Issues

When relay authentication fails, check these problems:

Wrong credentials format: Gmail requires app passwords, not account passwords. Generate one in Google Account security settings. SendGrid uses "apikey" as username.

Missing SASL modules: Install libsasl2-modules if you see "no worthy mechs found" errors.

Blocked SMTP ports: Test connectivity:

telnet smtp.gmail.com 587

Connection timeouts indicate firewall or network policy blocks.

TLS certificate issues: Update certificates:

sudo apt update && sudo apt install --only-upgrade ca-certificates

For detailed debugging, enable verbose TLS logging:

# Add to main.cf
smtp_tls_loglevel = 1

Watch /var/log/mail.log for TLS negotiation details after reloading Postfix.

Monitoring and Maintaining Your Relay Configuration

Set up log rotation to prevent disk space issues:

sudo nano /etc/logrotate.d/postfix

Add this configuration:

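# Ubuntu's /etc/logrotate.d/rsyslog already lists /var/log/mail.log; remove it
# there first, because logrotate rejects a log file that is listed twice.
/var/log/mail.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    # mail.log lists sender and recipient addresses: keep it unreadable to other
    # users, and owned by the account rsyslog writes as on Ubuntu
    create 640 syslog adm
    postrotate
        # rsyslog, not Postfix, holds mail.log open; tell it to reopen the file
        /usr/lib/rsyslog/rsyslog-rotate
    endscript
}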

Create a monitoring script for relay status:

#!/bin/bash
echo "=== Relay Authentication Summary ==="
grep "SASL authentication" /var/log/mail.log | tail -20
echo "=== Recent Delivery Status ==="
grep "status=sent" /var/log/mail.log | tail -10

Save as /usr/local/bin/mail-status.sh and make executable:

sudo chmod +x /usr/local/bin/mail-status.sh

Run periodically to verify your relay works correctly.
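A variant of the status script that produces counts and an exit status, so cron or a monitoring agent can act on the result. This is an added example, not part of the original tutorial: the function names are assumptions, and the sample lines are constructed from the log formats shown earlier on this page.

```bash
#!/usr/bin/env bash
# Added example: count relay outcomes instead of eyeballing grep output.
# Usage: sudo cat /var/log/mail.log | relay_summary

# Constructed sample lines in the format shown earlier on this page.
sample_log() {
cat <<'EOF'
postfix/smtp[12345]: ABCD1234: to=<recipient@example.com>, relay=smtp.gmail.com[74.125.136.108]:587, status=sent
postfix/smtp[12346]: SASL authentication failed; server smtp.gmail.com said: 535-5.7.8 Username and Password not accepted
postfix/smtp[12346]: ABCD1235: to=<recipient@example.com>, relay=smtp.gmail.com[74.125.136.108]:587, status=deferred
postfix/smtp[12347]: ABCD1236: to=<other@example.com>, relay=smtp.gmail.com[74.125.136.108]:587, status=sent
postfix/qmgr[900]: ABCD1236: removed
EOF
}

# Read log lines on stdin and print a one-line summary.
relay_summary() {
    awk '
        !/postfix\/smtp\[/ { next }   # only the outbound SMTP client
        /SASL authentication failed/ { auth_failed++ }
        match($0, /status=[a-z]+/) { n[substr($0, RSTART + 7, RLENGTH - 7)]++ }
        END { printf "auth_failed=%d sent=%d deferred=%d bounced=%d\n",
                     auth_failed, n["sent"], n["deferred"], n["bounced"] }'
}

# Exit status for cron or a monitoring agent: 0 healthy, 1 needs attention.
relay_healthy() {
    relay_summary | grep -q '^auth_failed=0 .* deferred=0 bounced=0$'
}
```

A rising deferred count with auth_failed=0 usually points at the provider or the network rather than at the credentials.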

Need reliable VPS hosting for your mail server? Hostperl VPS hosting provides the stable platform and support you need for email infrastructure. Our team helps with complex Postfix configurations and ensures your mail relay authentication works from day one.

Frequently Asked Questions

Can I use multiple SMTP relays simultaneously?

Yes, configure sender-dependent relaying in /etc/postfix/sender_relay to route different domains through different SMTP providers based on sender address.

Why does Gmail reject my VPS mail relay authentication?

Gmail requires app-specific passwords, not regular account passwords. Enable 2FA on your Google account, then generate an app password in Security settings for Postfix.

How do I switch from one SMTP provider to another?

Update the relay host in /etc/postfix/main.cf, modify credentials in /etc/postfix/sasl_passwd, run postmap to rebuild the database, then reload Postfix.

What happens if my SMTP relay service goes down?

Postfix queues messages and retries delivery according to your queue settings. Configure fallback relays using transport maps for better reliability during outages.

Should I use port 587 or 465 for SMTP relay?

Use port 587 with STARTTLS for modern SMTP relay authentication. Port 465 (SMTPS) works but has less provider support and requires different TLS configuration.