Minimal Postfix Configuration for Outbound-Only Email Relay with Gmail Domains



Many sysadmins still running Sendmail face performance issues with its monolithic architecture. Postfix offers a modular, security-focused alternative with vastly better performance metrics. When you're already using Google Mail for Domains (or any cloud email service) for incoming mail, you only need Postfix as an outbound relay.

Here's the minimal /etc/postfix/main.cf setup for outbound-only operation:

# Basic identity
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain

# Critical restrictions
inet_interfaces = loopback-only
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
local_recipient_maps =
relayhost = [smtp.gmail.com]:587

For Gmail relay, you'll need SASL authentication. Add these to main.cf:

# SMTP relay authentication
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Create /etc/postfix/sasl_passwd:

[smtp.gmail.com]:587 your.email@gmail.com:your-app-password

Even with Postfix locked down, enforce network-level restrictions:

# iptables example for CentOS/RHEL (rules match in order: accept loopback before the drop)
iptables -A INPUT -i lo -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j DROP

# Alternative ufw commands for Ubuntu (first matching rule wins, so allow first)
ufw allow from 127.0.0.1 to any port 25 proto tcp
ufw deny 25/tcp

After postfix reload, verify with:

echo "Test email" | mail -s "Postfix Test" recipient@example.com
tail -f /var/log/mail.log  # Check for errors
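
A static check of main.cf against the settings above, as an added example that is not part of the original page: it parses the file by main.cf's own rules (comment lines, indented continuations, last definition wins) and reports any value that differs from the ones this page uses. The function names and the SAMPLE text are constructed for illustration; on a live host, `postconf -n` prints the effective non-default values from Postfix itself.

```python
import re

# Values this page sets for an outbound-only relay, and what each one is for.
REQUIRED = {
    "inet_interfaces": ("loopback-only", "keeps smtpd off external interfaces"),
    "smtp_sasl_auth_enable": ("yes", "enables login to the relay"),
    "smtp_sasl_security_options": ("noanonymous", "refuses anonymous SASL mechanisms"),
    "smtp_tls_security_level": ("encrypt", "refuses to send without TLS"),
}

def parse_main_cf(text):
    """Parse main.cf as Postfix does: '#' lines, indented continuations, last value wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are skipped, even inside a value
        if raw[0].isspace() and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def audit(text):
    """Return findings as strings; an empty list means the file matches the page."""
    params, findings = parse_main_cf(text), []
    for name, (want, purpose) in REQUIRED.items():
        got = params.get(name)
        if got != want:
            findings.append(f"{name} = {got!r}, page uses {want!r}: {purpose}")
    relay = params.get("relayhost", "")
    if not re.fullmatch(r"\[[^\]]+\]:\d+", relay):
        findings.append(f"relayhost = {relay!r}, expected the [host]:port form")
    return findings

# Constructed sample: lines appended later silently override the hardened values.
SAMPLE = """\
inet_interfaces = loopback-only
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
inet_interfaces = all
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```
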

For high-volume sending, adjust these in main.cf:

default_process_limit = 100
smtp_connect_timeout = 30s
smtp_destination_concurrency_limit = 20
smtp_destination_rate_delay = 1s

When migrating from sendmail to Postfix for outbound-only email delivery with Google Workspace handling incoming mail, we need to achieve three key objectives:

  • Disable all incoming mail reception
  • Configure proper outbound delivery
  • Maintain localhost trust for system messages

Here's the minimal main.cf configuration needed:

# Basic identity
myhostname = mail.yourdomain.com
myorigin = $myhostname

# Network interfaces (listen only on localhost)
inet_interfaces = loopback-only

# Disable local delivery: this host is not the final destination for any domain
mydestination =

# Outbound mail configuration
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Create /etc/postfix/sasl_passwd with your Gmail credentials:

[smtp.gmail.com]:587 your-email@gmail.com:your-password-or-app-password

Then secure and compile the file:

chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

To completely disable incoming mail:

# In master.cf: comment out the smtpd listener so nothing accepts SMTP connections.
# Local programs can still submit mail through the sendmail(1) command (pickup service).
#smtp      inet  n       -       n       -       -       smtpd

After applying changes with postfix reload, test with:

echo "Test message" | mail -s "Test Subject" recipient@example.com

Check logs with:

tail -f /var/log/mail.log

If messages get stuck in queue:

postqueue -p  # View queue
postsuper -r ALL  # Requeue all messages (held messages are released with -H instead)

For authentication errors, verify your Google account allows "less secure apps" or use App Passwords.