Lab Notes

Things I want to remember how to do.

Production Mail server for AS

August 18, 2013

In the past I have detailed how I set up a mail server for development application servers. Today I want to explain how to set up a mail server for a production application server, or one that should interact with real-life mail systems.

The goal for this configuration is to create a mail server that only allows connections from localhost and can relay mail from localhost to other, real mail domains.

In this example I have configured the application server to send mail from a subdomain, mail.example.com. In the examples I am using 93.184.216.119 as the public IP for mail.example.com. You should replace these with your own values.

Once again we are working on a CentOS 6 installation. Postfix was already installed.

  1. Configure postfix
    1. Make the following configuration changes to /etc/postfix/main.cf:
      myhostname = mail.example.com
      # Use the public IP of mail.example.com
      proxy_interfaces = 93.184.216.119
      # Only accept mail from localhost
      mynetworks_style = host
      # Never forward mail from strangers
      relay_domains =

      See the postfix documentation at http://www.postfix.org/BASIC_CONFIGURATION_README.html if you need more information about any of these.

    2. Refresh postfix using the following commands:
      postfix reload
      service postfix restart
  2. Next configure your application server to use localhost as the mail server. Refer to your application server documentation for details.
  3. Configure your router and/or firewall
    1. Configure the router to use public IP 93.184.216.119 when the application server machine accesses the internet on port 25.
    2. If necessary, configure your router so that the application server is allowed to connect to your internal company mail server on port 25. This was necessary in my case because the application server and the company mail server were on separate subnets (DMZ-type configuration).
  4. Configure DNS
    1. Make sure the MX records for the domain include mail.example.com, which in this case resolves to 93.184.216.119.
    2. If an SPF record for the domain does not already exist, add one by creating a TXT record containing v=spf1 mx -all.

      If you already have an SPF record, you’ll have to figure out whether it needs to be modified to accommodate the new server. You can test it by sending mail to a Gmail account from the application server and then viewing the raw source of the email: Gmail will have added headers to the mail indicating whether SPF passed or not. You can also use an online SPF validator. If you need to tweak the record, refer to the documentation at http://www.openspf.org/.
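As an added example that is not part of the original notes, here is a Python script that covers two of the checks above: it parses the relay-relevant settings out of main.cf and flags anything that would leave the box relaying for hosts other than localhost, and it evaluates an SPF record against the sending IP the way a receiving system would (for the mx, a, ip4 and all mechanisms only, which is all the record in step 4 uses) and reads the verdict back out of a Received-SPF header. The main.cf text, the DNS answers and the mail headers are constructed inline so it runs without a network; the function names are my own, not Postfix's.

```python
"""Post-configuration checks for an outbound-only Postfix relay (added example)."""
import ipaddress
import re

# Constructed stand-in for the relevant lines of /etc/postfix/main.cf.
SAMPLE_MAIN_CF = """\
myhostname = mail.example.com
# Use the public IP of mail.example.com
proxy_interfaces = 93.184.216.119
# Only accept mail from localhost
mynetworks_style = host
# Never forward mail from strangers
relay_domains =
"""

def parse_main_cf(text):
    """Parse Postfix 'key = value' lines into a dict.
    Comments and blank lines are skipped; indented continuation lines are
    appended to the previous key's value, as Postfix itself does."""
    settings, last_key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last_key:
            settings[last_key] = (settings[last_key] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            continue
        last_key = key.strip()
        settings[last_key] = value.strip()
    return settings

def audit_relay_settings(settings):
    """Return a list of findings; an empty list means the localhost-only
    relay posture from step 1 is in place."""
    findings = []
    if not settings.get("myhostname"):
        findings.append("myhostname is not set; use the server's public mail name")
    if settings.get("mynetworks_style") != "host" and "mynetworks" not in settings:
        findings.append("mynetworks_style should be 'host' (or mynetworks limited to loopback)")
    if settings.get("relay_domains", ""):
        findings.append("relay_domains is non-empty: %r" % settings["relay_domains"])
    return findings

# Constructed DNS answers standing in for real lookups (no network access here).
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["93.184.216.119"],
}

def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])

def check_spf(domain, sender_ip):
    """Minimal SPF evaluator for the mx, a, ip4 and all mechanisms.
    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    CIDR suffixes on a/mx and the include/exists/ptr mechanisms are not handled."""
    records = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"          # no policy published for the domain
    if len(records) > 1:
        return "permerror"     # more than one v=spf1 record is invalid
    ip = ipaddress.ip_address(sender_ip)
    verdicts = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in verdicts:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in lookup(arg or domain, "A")
        elif name == "mx":
            matched = any(str(ip) in lookup(mx, "A") for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"
        if matched:
            return verdicts[qualifier]
    return "neutral"           # no mechanism matched and no 'all' term

# Constructed excerpt of headers a receiving system adds to the raw message.
SAMPLE_HEADERS = """\
Received-SPF: pass (receiver.test: domain of app@example.com designates 93.184.216.119 as permitted sender) client-ip=93.184.216.119;
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=app@example.com
"""

def spf_result_from_headers(raw):
    """Pull the SPF verdict out of a Received-SPF header, or None if absent."""
    m = re.search(r"^Received-SPF:\s*(\w+)", raw, re.M | re.I)
    return m.group(1).lower() if m else None

if __name__ == "__main__":
    print("main.cf findings:", audit_relay_settings(parse_main_cf(SAMPLE_MAIN_CF)))
    print("SPF for 93.184.216.119:", check_spf("example.com", "93.184.216.119"))
    print("SPF for 198.51.100.7:", check_spf("example.com", "198.51.100.7"))
    print("Header verdict:", spf_result_from_headers(SAMPLE_HEADERS))
```

To use it against a real server, read /etc/postfix/main.cf into parse_main_cf and replace the DNS table with real TXT, MX and A lookups; the evaluator then tells you, before any mail leaves, whether the public IP from step 3 will pass the record from step 4.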

At this point you should have a production application server happily sending mail to any address.