How to install and configure Postfix on CentOS?

I like DigitalOcean’s tutorials about setting up servers and VPSes, which are usually easy to understand and, if not (like this Postfix tutorial), at least work!

I composed a tutorial about setting up sendmail. In that tutorial, you can see I had a lot of trouble making sendmail work, so I think this time I should try Postfix, which is said to be more advanced than sendmail and easier to use. But frankly speaking, I do not think the concepts in Postfix are easier to understand than those in sendmail. In fact, they use the same set of concepts. But with the guidance of DigitalOcean’s tutorial, the configuration work is indeed simpler than with sendmail. The point is that you need not understand the complex concepts involved. All you need to do is copy and paste the code provided in the tutorial and change the domain name to your real domain name.

Install postfix

This also installs the cyrus-sasl package as a dependency.

Configure Postfix

vi /etc/postfix/ to use the following configuration:

Do not worry much about the meaning of every parameter. Just replace in the configuration file with your own domain name. Note that this file is composed of logical lines of the form parameter=value. A logical line can span several physical lines: every physical line that starts with whitespace continues the preceding logical line. So, in the above configuration, the debugger_command logical line consists of 3 physical lines and the smtpd_recipient_restrictions logical line consists of more physical lines. If you omit the whitespace at the beginning, you may encounter syntax errors.
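An added example (not part of the original tutorial and not Postfix's own code): a small Python parser that joins physical lines into logical lines by the rule above and flags a continuation that has lost its leading whitespace. The sample configuration is constructed for illustration, and the names parse_logical_lines and SAMPLE are hypothetical.

```python
# Added example: join main.cf physical lines into logical lines and flag
# continuations that lost their leading whitespace.
# parse_logical_lines and SAMPLE are illustrative names, not Postfix APIs.

def parse_logical_lines(text):
    """Return (params, problems) for main.cf-style text."""
    logical = []    # [first_line_number, joined_text] per logical line
    problems = []   # (line_number, message)
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue                          # blank and comment lines are ignored
        if raw[0] in " \t":                   # leading whitespace: continuation
            if logical:
                logical[-1][1] += " " + stripped
            else:
                problems.append((lineno, "continuation with nothing to continue"))
        else:
            logical.append([lineno, stripped])

    params = {}
    for lineno, body in logical:
        name, sep, value = body.partition("=")
        if not sep:
            problems.append((lineno, "no '=': continuation without leading whitespace?"))
            continue
        params[name.strip()] = " ".join(value.split())
    return params, problems

# Constructed sample: the last restriction has lost its indentation.
SAMPLE = """\
debugger_command =
\t PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
\t ddd $daemon_directory/$process_name $process_id & sleep 5
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
reject_unauth_destination
"""

if __name__ == "__main__":
    params, problems = parse_logical_lines(SAMPLE)
    print(params["smtpd_recipient_restrictions"])
    for lineno, message in problems:
        print(f"line {lineno}: {message}")
```

A continuation that itself contains "=" (such as the PATH= line) would parse as a separate parameter if its indentation were lost, so unexpected parameter names deserve the same attention as the flagged lines.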

Create Postmap

vi /etc/postfix/virtual to add an email:   admin\


Set up Cyrus

vi /etc/sasl2/smtpd.conf

After editing, the file should contain the following content:

Postfix smtpd is linked against the Cyrus SASL library and uses it to authenticate SMTP clients. The configuration file name “smtpd.conf” and its location, /etc/sasl2/, are not arbitrary. When you set smtpd_sasl_application_name to “smtpd” in, Postfix passes “smtpd” to the Cyrus SASL library at authentication time. The library then knows the configuration file is smtpd.conf and looks for it in /etc/sasl2/. The configuration file tells the Cyrus SASL library how to do the authentication. It can communicate with an independent process (service), saslauthd, to do the authentication. It can also use a plugin (like the above example). The plugin is part of the Cyrus SASL library code and thus part of the smtpd process; no independent process is involved. There are advantages and disadvantages to the plugin mechanism compared with saslauthd. The cost is apparently reduced by using an in-process plugin. But since smtpd runs as the user postfix, it cannot access resources that need root privileges, while saslauthd runs as root and can access sensitive files like /etc/shadow to do the authentication.

vi /etc/imapd.conf

This file has nothing to do with Postfix; it is the configuration file for cyrus-imapd. Remember to replace with your own domain name.


Start Postfix service

Using netstat -antp, you will see that the process “master” (the control process of Postfix) is listening on port 25.


Install a mail client to send emails


Enable SMTPS for postfix

Now you can send mails using the mail command. But the configuration above is far from perfect for a real production environment. We’ll add more configuration to make a real email system. First, we will add SSL support to Postfix. By default, Postfix listens on port 25 to receive emails from peer MTAs or email clients. The messages transported via port 25 are not encrypted and are easy to sniff or even tamper with. Some email clients can use the STARTTLS command to switch to encrypted communication on port 25, but old email clients do not support STARTTLS. Here we use SMTPS to implement the encrypted communication. SMTPS uses port 465 to receive packets over SSL. To enable SMTPS in Postfix, edit /etc/postfix/ to un-comment the line:

Restart Postfix and you will find that the process “master” is now listening on port 25 as well as port 465.

You can use openssl to connect to the server via port 465. But openssl will quit during the SSL handshake, complaining “no peer certificate available”. You should modify the settings in /etc/postfix/ to add TLS support:

smtps.crt and smtps.key are the server certificate and server key. You can generate the two files according to this guide. Alternatively, you can get the certificate and the key file through Let’s Encrypt, because you need a domain name to send emails and that domain name can be used to get a free SSL certificate. In a CentOS 7 and Apache environment, you can get the files with the following steps:

  1. set up an http website for the domain
  2. enable EPEL repo:
  3. install certbot:
  4. get a certificate for the domain( and

The certificate is in /etc/letsencrypt/live/, and the key is in /etc/letsencrypt/live/ You need to modify to point to them. Note that the suffix is .pem, not .crt and .key, which does not matter.

However, after adding the SSL setting parameters, openssl still exits with the same error (“SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol”…). You should un-comment the following line in

Now, you should see the server certificate during the handshake in the openssl command, although it complains “unable to verify the first certificate” because I issued the server certificate myself rather than getting it from a real CA. This is a good sign that the TLS settings for Postfix are OK. The bad news is that openssl still quits after the SSL handshake.


Config SASL authentication

By checking the Postfix log file, /var/log/maillog, you will see the following error messages:

This is because we have not installed any SASL authentication package, although we have installed the cyrus-sasl package. For simplicity, here we only add one SASL authentication package: cyrus-sasl-plain.

This time the openssl command does not exit and stops at the line:

Openssl waits for us to input commands. If you try to send an email, you will fail after you input the “rcpt to:” command. The error is “Relay access denied”. This is caused by the smtpd_recipient_restrictions setting in We do not allow email relay for unauthorized people. You need to complete the authentication before sending an email.

If you follow the instructions in the guide to submit your login credentials, you will get the error:

Error: authentication failed: authentication failure

Meanwhile, you will see the following errors in /var/log/maillog:

This is because we’ve not set up Cyrus correctly for authentication. Remember we specified the authentication method as “pwcheck_method: auxprop” in the “set up Cyrus” step? This authentication method uses a database file to store user accounts that are independent of the Linux system accounts. You need to create that database and add user accounts in that database. You can follow this guide to do this.

Now you should be able to complete the auth command and send emails in openssl.
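What the PLAIN mechanism provided by cyrus-sasl-plain actually sends in the auth command, as an added example that is not from the original post. The function names and the credentials are constructed for illustration.

```python
# Added example: the SASL PLAIN message (RFC 4616) as carried by SMTP AUTH.
# Function names and credentials are illustrative and constructed.
import base64

def encode_auth_plain(authcid, password, authzid=""):
    """Return the base64 argument for 'AUTH PLAIN': authzid NUL authcid NUL passwd."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL separates the fields and cannot appear inside one")
    if not authcid or not password:
        raise ValueError("authcid and password must be non-empty")
    raw = "\x00".join((authzid, authcid, password)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def decode_auth_plain(token):
    """Recover (authzid, authcid, password) from the token: base64 is not encryption."""
    raw = base64.b64decode(token, validate=True)
    parts = raw.split(b"\x00")
    if len(parts) != 3 or not parts[1] or not parts[2]:
        raise ValueError("not a well-formed PLAIN message")
    return tuple(p.decode("utf-8") for p in parts)

if __name__ == "__main__":
    token = encode_auth_plain("test", "test")      # constructed credentials
    print("AUTH PLAIN", token)
    print(decode_auth_plain(token))
```

Because the token decodes this easily, PLAIN credentials should only travel inside the TLS session configured above; Postfix's smtpd_tls_auth_only = yes keeps AUTH from being offered on unencrypted connections.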

Occasionally, you may forget the password for a user account. How can you see the password of a user in /etc/sasldb2? Unfortunately, I cannot figure out how to recover the password. /etc/sasldb2 is a binary file, something like /etc/shadow. You cannot see the password in it. But I have a way to change the password. First, list the user accounts in /etc/sasldb2 using sasldblistusers2. The command’s output looks like: userPassword

But userPassword is not the real password for the user To change the password, use “saslpasswd2”

Please refer to the post for sasl management.



Receive emails using Cyrus-IMAP

At this point, you can send emails using the Postfix system without a problem. However, for receiving emails, there is more configuration to be done.

First, you should change the following line in


Otherwise, you will get the following error:

That is because according to smtpd_recipient_restrictions, only emails to are accepted, emails to are rejected.

Even if you change the “mydestination” variable, there is still an error:


You should start the service cyrus-imapd:


Postfix will talk with this service to deliver received emails to the mailbox.

cyrus-imapd will save the emails in /var/spool/imap (specified by the partition-default parameter in /etc/imapd.conf). Every email address has a directory under /var/spool/imap. Every email is saved as a file like 1., 2., 3.,…. Note that even if there is no account in /etc/sasldb2, the emails Postfix receives are still saved in /var/spool/imap, because for email destined to the server Postfix controls, no authentication is required. But if you, as an email client, want to retrieve emails from the system using cyrus-imap, you will be asked to pass the authentication. In our example, cyrus-imapd uses /etc/sasldb2 for authentication (sasl_pwcheck_method: auxprop). Thus we need to add an account in /etc/sasldb2 to retrieve emails associated with that account. For example, if you want to get the emails to, you need to add a user named “” as follows:

If you use an email client such as Outlook, you need to input the account information in the “receiving server’s account name” and “receiving server’s password” fields. The account name is “”, not “admin”.


Postfix management commands:

delete emails from message queue:

delete deferred emails:

Check emails in message queue:
