Why Configure Email Relay on Your VPS
Running email directly from your VPS sounds straightforward until you hit deliverability problems. IP reputation, blacklists, and spam filters can block your server's outbound mail before it reaches recipients.
Email relay solves this by routing your server's mail through established SMTP providers with better reputation.
This tutorial shows you how to set up Postfix email relay on Ubuntu VPS using popular providers like Gmail, AWS SES, and SendGrid. You'll configure authentication, test delivery, and troubleshoot common issues.
Prerequisites and Initial Setup
You need root access to your Ubuntu VPS and a working Postfix installation. Most Ubuntu systems include Postfix, but verify it's installed:
sudo systemctl status postfixIf Postfix isn't running, install it:
sudo apt update
sudo apt install postfixDuring installation, select "Internet Site" when prompted. Enter your server's hostname or domain name as the system mail name.
Back up your current Postfix configuration before making changes:
sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.backupConfigure Postfix for SMTP Relay
Open the main Postfix configuration file:
sudo nano /etc/postfix/main.cfAdd these lines to enable relay authentication. Replace any existing relayhost line:
# Enable SMTP relay
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yesThese settings configure Postfix to use TLS encryption and SASL authentication.
The password file location stores your SMTP credentials securely.
Create SMTP Authentication Credentials
Create the password file for your SMTP provider credentials:
sudo nano /etc/postfix/sasl_passwdAdd your SMTP provider details. For Gmail:
[smtp.gmail.com]:587 your-email@gmail.com:your-app-passwordFor AWS SES:
[email-smtp.us-east-1.amazonaws.com]:587 AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEYFor SendGrid:
[smtp.sendgrid.net]:587 apikey:SG.your-sendgrid-api-keySecure the password file and create the hash database:
sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwdThe postmap command creates a binary database file that Postfix uses for faster lookups.
Provider-Specific Configuration
Gmail SMTP Setup
Gmail requires app passwords for server authentication. Don't use your regular Gmail password.
Generate an app password from your Google Account security settings.
Update your main.cf relayhost setting:
relayhost = [smtp.gmail.com]:587Gmail works well for low-volume applications but has daily sending limits.
AWS SES Configuration
AWS SES offers better scalability for production applications.
Create SMTP credentials in the AWS SES console, not your regular AWS access keys.
Update the relayhost for your AWS region:
# US East (Virginia)
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
# US West (Oregon)
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
# Europe (Ireland)
relayhost = [email-smtp.eu-west-1.amazonaws.com]:587AWS SES requires domain verification before sending. Add your domain in the SES console and complete DNS verification.
SendGrid Setup
SendGrid uses API keys for authentication.
Create an API key with "Mail Send" permissions in your SendGrid dashboard.
Update your configuration:
relayhost = [smtp.sendgrid.net]:587SendGrid offers good deliverability and detailed analytics for transactional emails.
Configure TLS and Security Settings
Modern email providers require secure connections. Add these security settings to main.cf:
# TLS configuration
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scacheThese settings ensure Postfix validates SSL certificates and caches TLS sessions for better performance.
For production environments, consider these additional security options:
# Require TLS for all outbound mail
smtp_tls_security_level = encrypt
# Log TLS connections
smtp_tls_loglevel = 1Test Your Email Relay Configuration
Restart Postfix to apply your configuration changes:
sudo systemctl restart postfixCheck that Postfix started without errors:
sudo systemctl status postfix
sudo journalctl -u postfix -n 20Send a test email using the mail command:
echo "Test email via relay" | mail -s "Relay Test" recipient@example.comIf the mail command isn't available, install it:
sudo apt install mailutilsMonitor the mail queue to see if your message processes correctly:
sudo postqueue -pAn empty queue means your messages delivered successfully.
Check the Postfix logs for detailed information:
sudo tail -f /var/log/mail.logLook for successful authentication and delivery messages. SMTP relay authentication appears as "SASL authentication successful" in the logs.
Email services need reliable infrastructure and proper configuration. Our VPS hosting provides the stable platform you need for production email systems. Get dedicated resources and full root access to implement advanced mail configurations.
Troubleshoot Common Relay Issues
Authentication Failures
"Authentication failed" errors usually indicate incorrect credentials or security settings.
Verify your password file contains the right credentials:
sudo cat /etc/postfix/sasl_passwdRegenerate the hash database after credential changes:
sudo postmap /etc/postfix/sasl_passwdCheck that your SMTP provider allows the authentication method. Some providers require specific security options.
Connection Timeout Issues
Connection timeouts often indicate firewall or network problems.
Test direct connectivity to your SMTP provider:
telnet smtp.gmail.com 587If this fails, check your VPS firewall and network settings. Some providers block outbound SMTP on port 25 but allow 587.
TLS Certificate Problems
Certificate verification errors suggest CA certificate issues. Update your certificate store:
sudo apt update
sudo apt install ca-certificatesYou can temporarily bypass certificate verification for testing, but don't use this in production:
smtp_tls_security_level = mayMonitor and Maintain Your Email Relay
Set up log rotation to prevent mail logs from filling your disk:
sudo nano /etc/logrotate.d/postfixAdd this configuration:
/var/log/mail.log {
daily
rotate 7
compress
delaycompress
missingok
notifempty
sharedscripts
postrotate
systemctl reload postfix
endscript
}Monitor your relay usage to avoid hitting provider limits. Most SMTP services offer dashboards showing sending volumes and delivery rates.
Create a simple queue monitoring script:
#!/bin/bash
QUEUE_SIZE=$(postqueue -p | tail -n1 | cut -d' ' -f5)
if [ "$QUEUE_SIZE" -gt 100 ]; then
echo "High email queue: $QUEUE_SIZE messages" | mail -s "Queue Alert" admin@yourdomain.com
fiRun this script via cron to get alerts when mail queues back up unexpectedly.
Advanced Relay Configuration
For applications sending different types of email, you can configure multiple relay hosts using transport maps.
Create a transport file:
sudo nano /etc/postfix/transportDefine different routes:
marketing.example.com smtp:[smtp.sendgrid.net]:587
transactional.example.com smtp:[email-smtp.us-east-1.amazonaws.com]:587Enable transport maps in main.cf:
transport_maps = hash:/etc/postfix/transportGenerate the transport database:
sudo postmap /etc/postfix/transportThis setup lets you route different email types through different providers based on your specific needs and contracts.
Frequently Asked Questions
Can I use multiple SMTP relay providers simultaneously?
Yes, using transport maps. Configure different relay hosts for different domains or email types.
This provides redundancy and lets you optimize costs by using different providers for different purposes.
How do I handle relay authentication with two-factor authentication enabled?
Most SMTP providers require app passwords or API keys when 2FA is enabled on your account.
Don't use your regular login password. Generate provider-specific credentials through their security settings.
What happens if my relay provider is temporarily unavailable?
Postfix queues messages and retries delivery automatically.
Default retry intervals start at 5 minutes and increase up to several hours. Messages remain queued for 5 days by default before bouncing back to the sender.
Should I configure SPF and DKIM when using email relay?
Yes, especially for AWS SES and SendGrid. These providers support DKIM signing and require proper SPF records.
Set up SPF, DKIM, and DMARC to improve deliverability and prevent spoofing.
How can I test relay configuration without sending external emails?
Use Postfix's built-in testing tools. The postfix check command validates configuration syntax.
You can also send test emails to local accounts or use mail capture tools during development.
