Postfix inet_interfaces Explained: Key Differences Between “all” vs “loopback-only” Settings


The inet_interfaces parameter in Postfix determines which network interfaces the SMTP server will listen on for incoming mail. This is a crucial security and configuration setting that affects how your mail server interacts with other systems.

When Postfix starts, it binds to specific network interfaces based on the inet_interfaces value in main.cf. The parameter accepts:

  • IP addresses (e.g., 192.168.1.100)
  • Hostnames (resolved at startup)
  • Special values like all or loopback-only

Here's what each setting actually does:


# Listens on ALL available network interfaces (DEFAULT)
inet_interfaces = all

# Restricts to localhost only (127.0.0.1 and ::1)
inet_interfaces = loopback-only

When to use 'all':

  • Mail server receiving external connections
  • Multi-homed servers with multiple IPs
  • When using Postfix as an SMTP gateway

When to use 'loopback-only':

  • Local development environments
  • When Postfix only needs to communicate with local apps
  • Security hardening for internal-only mail processing

For a secure internal mail relay:


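# /etc/postfix/main.cf
# With loopback-only, only processes on this host can connect. Hosts in
# 192.168.1.0/24 cannot reach the listener unless Postfix also listens on a
# LAN address (e.g., 192.168.1.100).
inet_interfaces = loopback-only
mynetworks = 127.0.0.0/8, 192.168.1.0/24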

For a public-facing mail server:


# /etc/postfix/main.cf
inet_interfaces = all
mynetworks = 127.0.0.0/8

Check active Postfix listeners:


sudo ss -tulnp | grep master

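After configuration changes, always reload Postfix. A change to inet_interfaces is the exception: Postfix has to be stopped and started before the new listen addresses take effect.


sudo systemctl reload postfix
# After changing inet_interfaces, do a full stop/start instead:
sudo systemctl restart postfix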

The inet_interfaces parameter in Postfix determines which network interfaces the mail server will listen on for incoming SMTP connections. This is a critical security and functionality setting that affects how your mail server interacts with other systems.

By default, Postfix typically comes configured with:

inet_interfaces = all

This means Postfix will listen on all available network interfaces (eth0, eth1, lo, etc.). However, in many deployment scenarios, you might want to restrict this to:

inet_interfaces = loopback-only

which limits Postfix to listening only on the local loopback interface (127.0.0.1, plus ::1 when IPv6 is enabled).

When using all:

  • Postfix accepts mail from external networks
  • Your server becomes visible to the outside world on port 25
  • You must implement proper security measures

When using loopback-only:

  • Postfix only accepts mail from local processes
  • Ideal for servers that only send mail (not receiving)
  • Common setup for web servers that need to send notifications

Here's how to properly set these values in main.cf:

# For a mail server that should receive external mail:
inet_interfaces = all
# or specify particular addresses (IP addresses or hostnames,
# not device names such as eth0):
inet_interfaces = 127.0.0.1, 192.168.1.100

# For a send-only mail server:
inet_interfaces = loopback-only
# or, for the IPv4 loopback address only:
inet_interfaces = 127.0.0.1

Using inet_interfaces = all exposes your server to potential attacks if not properly secured. Always combine this with:

# Accept SMTP connections only from clients in mynetworks; reject all others
smtpd_client_restrictions = permit_mynetworks, reject
mynetworks = 127.0.0.0/8, 192.168.1.0/24

For send-only servers, loopback-only is generally safer as it prevents external connections entirely.

After changing this setting, verify with:

postfix check
# inet_interfaces only takes effect after a full stop and start, not a reload
postfix stop
postfix start
netstat -tulnp | grep :25

You should see Postfix only listening on the interfaces you specified.
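
The listener check above can be turned into a pass/fail test for a host that is meant to be loopback-only. The script below is an added example, not part of the original article; the function names and the embedded `ss -tln` samples are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SMTP listeners that are reachable from off-host.
# Input: `ss -tln` output on stdin. Output: one non-loopback address per line.
exposed_smtp_listeners() {
    awk '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            port = parts[n]
            if (port != "25") next
            addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
            # 127.0.0.0/8 and ::1 are only reachable from the host itself
            if (addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Succeeds only when every port-25 listener is bound to loopback.
smtp_is_loopback_only() {
    [ -z "$(exposed_smtp_listeners)" ]
}

# Constructed sample: port 25 still bound to the wildcard addresses,
# e.g. because a change to loopback-only has not taken effect yet.
sample_stale() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
LISTEN 0      100             [::]:25           [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

# Constructed sample: port 25 bound to loopback addresses only.
sample_hardened() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      100            [::1]:25           [::]:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}

# Demo on the constructed samples; on a real host: ss -tln | exposed_smtp_listeners
sample_stale | exposed_smtp_listeners | sed 's/^/exposed on port 25: /'
sample_hardened | smtp_is_loopback_only && echo "hardened sample: loopback only"
```

On a live system, pipe `ss -tln` into `smtp_is_loopback_only` after restarting Postfix and treat a non-zero exit status as a failed hardening check.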