This tutorial shows you how to set up a backup email server with Postfix on Ubuntu. A backup email server is often called a backup MX; MX stands for Mail Exchanger. Previously I wrote an article explaining how iRedMail can help you quickly run your own email server. Sometimes your email server is offline, especially if you run the email server at home instead of in a data center. A backup email server receives and queues emails while your primary email server is down, and relays the queued emails to the primary once it is back online.

Prerequisites

Since you’re going to set up a backup email server, you need a host with high uptime, so preferably you should rent a virtual private server (VPS) in a data center. Make sure the provider allows the server to make outbound connections on TCP port 25, because the backup MX must deliver queued mail to the primary over SMTP. I set up my backup email server on a $4.49/month Hostwinds VPS instance. Once you have a VPS, install Ubuntu on it and follow the instructions below.

It’s assumed that your backup MX host isn’t a primary email server for any domains. It’s a good practice to separate the role of primary and secondary email servers on different hosts.

Creating DNS MX Record

The MX record specifies which host or hosts handle email for a domain name. For example, the host that handles email for linuxbabe.com is email.linuxbabe.com, which is the primary email server. You can query the MX records with the dig utility (+short prints just the record data).

dig MX +short linuxbabe.com

If someone with a Gmail account sends an email to [email protected], the Gmail server first queries the MX record of linuxbabe.com. When it finds that email.linuxbabe.com is responsible for accepting email, it queries the A record of email.linuxbabe.com to get the IP address, and then delivers the email to that host on port 25.

To set up a backup email server, you need to create another MX record in your DNS manager. Enter @ in the Name field to represent the main domain name, then enter the hostname for the backup email server in the Value field. I named my backup email server mx2.linuxbabe.com.

After the new record propagates, dig shows two MX records for the domain. Each record begins with a number, called the preference value or priority value. A smaller number means a higher priority.

A sending SMTP server first tries the email server with the highest priority (the lowest number). If that server is unavailable, it tries the server with the next highest priority. You can set the preference value in your DNS manager; it can be any number between 0 and 65,535. Make sure the number for the backup email server is bigger than the number for the primary email server. And don’t forget to create an A record for your backup MX hostname.

Note: The hostname in an MX record must not be an alias (CNAME) to another name (RFC 2181, section 10.3). Also, use hostnames rather than bare IP addresses in MX records; RFC 5321 requires a domain name there.
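To make the preference rule concrete, here is an added Python example (not part of the original tutorial) that parses the output format of dig MX +short, orders the hosts the way a sending server tries them, and checks the two rules above: the backup’s number must be larger than the primary’s, and MX targets must be hostnames. The dig output is constructed from the hostnames used in this tutorial; a real check would feed it the actual command output.

```python
import ipaddress
import random

# Constructed sample of what `dig MX +short` prints for a domain that has a
# primary and a backup MX. The hostnames are the ones used in this tutorial;
# dig returns records in no particular order.
SAMPLE_DIG_OUTPUT = """\
20 mx2.linuxbabe.com.
10 email.linuxbabe.com.
"""


def parse_mx(dig_output):
    """Turn `dig MX +short` lines into (preference, hostname) pairs."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pref, host = line.split(None, 1)
        # dig prints fully-qualified names with a trailing dot; normalise.
        records.append((int(pref), host.rstrip(".").lower()))
    return records


def delivery_order(records, rng=random):
    """Order the hosts the way a sending SMTP server tries them (RFC 5321
    section 5.1): lowest preference first, equal preferences in random order."""
    by_pref = {}
    for pref, host in records:
        by_pref.setdefault(pref, []).append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def check_mx(records, primary, backup):
    """Return the problems with an MX set for the given primary/backup pair."""
    problems = []
    prefs = {host: pref for pref, host in records}
    for host in (primary, backup):
        if host not in prefs:
            problems.append(f"no MX record points at {host}")
        try:
            ipaddress.ip_address(host)
            problems.append(f"{host} is a bare IP address, not a hostname")
        except ValueError:
            pass  # a hostname, as an MX target must be
    for pref, host in records:
        if not 0 <= pref <= 65535:
            problems.append(f"preference {pref} for {host} is outside 0..65535")
    if primary in prefs and backup in prefs and prefs[backup] <= prefs[primary]:
        problems.append("the backup's preference must be larger than the primary's")
    return problems


if __name__ == "__main__":
    records = parse_mx(SAMPLE_DIG_OUTPUT)
    print("try in order:", delivery_order(records))
    print("problems:", check_mx(records, "email.linuxbabe.com", "mx2.linuxbabe.com"))
```

Run it against real output with `dig MX +short your-domain.com | python3 check_mx.py` after replacing the constant with `sys.stdin.read()`; the CNAME rule cannot be checked from +short output alone, since dig resolves the alias for you.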

Setting up Backup Email Server with Postfix on Ubuntu

We just need to install and configure Postfix SMTP server on the backup MX host. No other software is needed. Run the following commands to install Postfix on Ubuntu.

sudo apt update

sudo apt install postfix

When the configuration dialog appears, press the Tab key to select Ok, then press Enter.

Then choose the second option: Internet Site.

Next, enter the backup MX hostname for the system mail name. For example, I entered mx2.linuxbabe.com. Do not enter your main domain name here: Debian’s Postfix packaging puts the system mail name into mydestination, so entering linuxbabe.com would make the backup MX treat mail for the domain as local mail instead of relaying it. That is to say, I must not enter linuxbabe.com for the system mail name.

After Postfix is installed, open the configuration file.

sudo nano /etc/postfix/main.cf

By default, /etc/postfix/main.cf file contains the following line.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination

Explanation:

  • permit_mynetworks tells Postfix to relay emails from SMTP clients whose IP address is listed in $mynetworks.
  • permit_sasl_authenticated tells Postfix to relay emails from SMTP clients that have authenticated with SASL.
  • defer_unauth_destination makes Postfix reject requests from all other SMTP clients with a temporary (4xx) error if the recipient’s domain is in neither $relay_domains nor $mydestination; reject_unauth_destination does the same with a permanent (5xx) error. Either one is what keeps the host from being an open relay.

We need to add the relay_domains parameter, specifying the domain names, so that emails can be relayed to the primary email server when it’s back online.

relay_domains = linuxbabe.com

You can also specify multiple domain names if you want to make it as a backup MX host for multiple domain names.

relay_domains = linuxbabe.com, 2nd-domain.com

It’s recommended that you change the default value of myhostname to mx2.your-domain.com.

myhostname = mx2.linuxbabe.com

Make sure that the value of mydestination doesn’t include your main domain name, or your backup MX host will deliver emails for it to the local system instead of relaying them to the primary email server. The following value is fine.

mydestination = $myhostname, mx2.linuxbabe.com, localhost.localdomain, localhost

Postfix continues trying to deliver queued messages for the amount of time specified in the maximal_queue_lifetime parameter, which determines how long deferred messages stay in the queue before they are bounced back to the sender. The default value is 5 days, as can be seen with the command below.

postconf -d | grep maximal_queue_lifetime

output:

maximal_queue_lifetime = 5d

The SMTP specification (RFC 5321, section 4.5.4.1, which replaced RFC 2821) recommends that a sending SMTP server retry failed deliveries for at least 4 to 5 days. If you run a backup MX host, you probably want to extend the queue lifetime to something like 10 days, so that the primary can be down for longer than a sender would have waited. Add the following line at the end of the main.cf file. (bounce_queue_lifetime separately limits how long bounce messages stay queued; its default is also 5d.)

maximal_queue_lifetime = 10d

Save and close the file. Then restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Make sure that your firewall allows inbound connections to TCP port 25 (on Ubuntu with ufw: sudo ufw allow 25/tcp).
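The settings above are easy to get subtly wrong, so here is an added Python example (my own, not from the tutorial or the Postfix project) that parses main.cf-style text and flags the mistakes this section warns about: a relay domain that is also in mydestination, a system mail name equal to the domain, missing defer/reject_unauth_destination, and a queue lifetime that was never raised above the 5d default. Both configuration fragments are constructed; the parser understands only name = value lines and plain $name references, not the full Postfix syntax.

```python
import re

# Constructed main.cf fragments, not copied from any real host. The first has
# the mistakes this section warns about; the second has the settings it ends
# with. Only `name = value` lines and plain $name references are understood.
WEAK_MAIN_CF = """\
myhostname = linuxbabe.com
mydestination = $myhostname, linuxbabe.com, localhost.localdomain, localhost
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
relay_domains = linuxbabe.com
"""

FIXED_MAIN_CF = """\
myhostname = mx2.linuxbabe.com
mydestination = $myhostname, mx2.linuxbabe.com, localhost.localdomain, localhost
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
relay_domains = linuxbabe.com, 2nd-domain.com
maximal_queue_lifetime = 10d
"""

TIME_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_main_cf(text):
    """Parse `name = value` lines (the last assignment wins, as in Postfix) and
    expand $name references against the parsed values."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()

    def expand(value):
        return re.sub(r"\$(\w+)", lambda m: expand(params.get(m.group(1), "")), value)

    return {name: expand(value) for name, value in params.items()}


def split_list(value):
    """Postfix lists are separated by commas and/or whitespace."""
    return [item.lower() for item in re.split(r"[,\s]+", value) if item]


def lifetime_seconds(value, default_unit="d"):
    """Convert a Postfix time value such as 10d, 12h or 300 (days if bare)."""
    match = re.fullmatch(r"(\d+)\s*([smhdw]?)", value.strip())
    if not match:
        raise ValueError(f"not a Postfix time value: {value!r}")
    return int(match.group(1)) * TIME_UNITS[match.group(2) or default_unit]


def audit_backup_mx(params):
    """Return the problems a backup MX main.cf must not have."""
    problems = []
    relay_domains = split_list(params.get("relay_domains", ""))
    mydestination = split_list(params.get("mydestination", ""))
    restrictions = split_list(params.get("smtpd_relay_restrictions", ""))
    myhostname = params.get("myhostname", "").lower()

    if not relay_domains:
        problems.append("relay_domains is empty, so the host relays for no domain")
    for domain in relay_domains:
        if domain in mydestination:
            problems.append(f"{domain} is in both relay_domains and mydestination; "
                            "mail for it would be delivered locally, not relayed")
    if myhostname in relay_domains:
        problems.append("myhostname equals a relay domain; it must be a host such as mx2.<domain>")
    if not {"defer_unauth_destination", "reject_unauth_destination"} & set(restrictions):
        problems.append("smtpd_relay_restrictions has neither defer_unauth_destination "
                        "nor reject_unauth_destination")
    # Postfix's compiled-in default is 5d; a backup MX should hold mail longer.
    if lifetime_seconds(params.get("maximal_queue_lifetime", "5d")) <= 5 * 86400:
        problems.append("maximal_queue_lifetime is not above the 5d default")
    return problems


if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(label, audit_backup_mx(parse_main_cf(text)) or ["no problems"])
```

On a live host, feed it the effective configuration rather than the file (`postconf -n` prints every non-default setting in the same name = value form), so values inherited from the Debian defaults are included.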

Relay Recipients

By default, Postfix on the backup MX host accepts mail for any address in $relay_domains. If the primary email server later tells the backup MX host that the recipient’s address doesn’t exist, the backup MX host has to bounce the message to the original sender.

Spammers often send messages to made-up addresses, so your backup MX host would accept a lot of email that it then has to bounce. If the spammer forges a real person’s address as the sender, that innocent person receives bounce emails from your server (this is called backscatter), may conclude that you are the spammer, and your server’s IP address can end up on blocklists.

It’s highly recommended that you maintain a list of valid recipient addresses on the backup MX host, so that unknown recipients are rejected at RCPT TO time rather than bounced later. In the /etc/postfix/main.cf file, add the following line.

relay_recipient_maps = hash:/etc/postfix/relay_recipients

Then list the valid recipient addresses in the /etc/postfix/relay_recipients file, one per line, like below. After editing the file, build the lookup table with sudo postmap /etc/postfix/relay_recipients and reload Postfix; Postfix reads the generated .db file, not the text file.

[email protected]       OK
[email protected]       OK
[email protected]       OK

Obviously, manually adding recipient address is only viable for small email servers. For large email servers, this is time-consuming. Instead, you can perform real-time lookups using MySQL or LDAP, which will be discussed in a later tutorial.

Once you set the relay_recipient_maps parameter, you must include email addresses for all domains that you provide backup service to, because any address in a relay domain that is missing from the table is rejected. If you don’t know all valid email addresses for a domain, you can use a wildcard entry like below, at the cost of bringing back the backscatter problem for that domain.

[email protected]       OK
[email protected]       OK
[email protected]       OK
@2nd-domain.com             OK

The last entry is a wildcard entry that allows any email address of the second domain.
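The following added Python example (not part of the original tutorial) emulates how Postfix consults relay_recipient_maps so you can see what changes once the table exists: the full address is tried first, then the address with a +extension stripped (assuming recipient_delimiter is set to +), then the @domain wildcard. The table contents, addresses and SMTP reply strings are constructed for the example; the reply texts approximate Postfix’s wording.

```python
# Constructed relay_recipients table in the two-column format postmap reads;
# the addresses are made up for this example.
RELAY_RECIPIENTS = """\
alice@linuxbabe.com        OK
bob@linuxbabe.com          OK
@2nd-domain.com            OK
"""
RELAY_DOMAINS = {"linuxbabe.com", "2nd-domain.com"}


def load_table(text):
    """Read `key value` lines the way postmap does (comments and blanks skipped)."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected `key value`, got {line!r}")
        table[parts[0].lower()] = parts[1]
    return table


def lookup_recipient(table, address, delimiter="+"):
    """Emulate the relay_recipient_maps lookup order: the full address, the
    address with its +extension stripped (assumes recipient_delimiter = +),
    then the @domain wildcard. Returns the matching key or None."""
    address = address.lower()
    local, _, domain = address.rpartition("@")
    candidates = [address]
    if delimiter and delimiter in local:
        candidates.append(local.split(delimiter, 1)[0] + "@" + domain)
    candidates.append("@" + domain)
    for key in candidates:
        if key in table:
            return key
    return None


def rcpt_to_reply(address, relay_domains, table=None):
    """Approximate Postfix's RCPT TO reply on a backup MX that uses
    defer_unauth_destination. With table=None (no relay_recipient_maps) every
    address in a relay domain is accepted and bad ones bounce later."""
    domain = address.rpartition("@")[2].lower()
    if domain not in relay_domains:
        return "454 4.7.1 Relay access denied"
    if table is not None and lookup_recipient(table, address) is None:
        return "550 5.1.1 Recipient address rejected: User unknown in relay recipient table"
    return "250 2.1.5 Ok"


if __name__ == "__main__":
    table = load_table(RELAY_RECIPIENTS)
    for rcpt in ("alice+news@linuxbabe.com", "nobody@linuxbabe.com",
                 "anyone@2nd-domain.com", "someone@example.org"):
        print(f"{rcpt:28} without map: {rcpt_to_reply(rcpt, RELAY_DOMAINS)[:3]}  "
              f"with map: {rcpt_to_reply(rcpt, RELAY_DOMAINS, table)[:3]}")
```

The made-up address nobody@linuxbabe.com is the interesting row: without the map it gets 250 and becomes a bounce later; with the map it is refused during the SMTP dialogue, so no bounce is ever generated. The wildcard domain behaves like the no-map case.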

Anti-Spam Filters

Spammers often target backup MX hosts, which tend to be less protected than the primary. So it’s important that you deploy anti-spam filters on both your primary and backup MX host. You can use my 6 tips to block email spam with Postfix. It’s worth mentioning that you need to make sure your backup MX host can get through the spam filters on the primary email server, for example by whitelisting the backup’s IP address there: relayed mail arrives at the primary from the backup’s IP address, so SPF checks run on the primary will not pass for it, and greylisting would delay it a second time.

Enabling TLS Encryption

By default, Postfix does not encrypt connections from or to other email servers. It’s important that we enable TLS encryption so that emails can’t be read by someone listening on the network. We can easily obtain a free TLS certificate from Let’s Encrypt. The following commands install the Let’s Encrypt client (certbot) on Ubuntu from the certbot PPA. Note that the certbot project has since retired this PPA; on current Ubuntu releases, install the certbot package from the Ubuntu repository or via the snap that the certbot project now recommends, and skip the add-apt-repository step.

sudo apt install software-properties-common
sudo add-apt-repository ppa:certbot/certbot
sudo apt update
sudo apt install certbot

Now you can obtain a TLS certificate with one of three plugins (standalone, Apache, Nginx), depending on your server.

Obtaining TLS Certificate with the Standalone Plugin

If there’s no web server running on your backup MX host, then you can use the standalone plugin to obtain TLS certificate from Let’s Encrypt by executing the following command.

sudo certbot certonly --standalone --preferred-challenges http --agree-tos --email your-email-address -d mx2.your-domain.com

Explanation:

  • certonly: Obtain a certificate but don’t install it.
  • --standalone: Use the standalone plugin to obtain a certificate
  • --preferred-challenges http: Perform the http-01 challenge to validate our domain, which uses port 80, so port 80 must be reachable from the Internet. Older certbot releases defaulted the standalone plugin to the tls-sni-01 challenge on port 443; Let’s Encrypt has since retired that challenge, so current releases use http-01 anyway and the flag is harmless.
  • --agree-tos: Agree to Let’s Encrypt terms of service.
  • --email: Email address is used for account registration and recovery.
  • -d: Specify your domain name.

When the command succeeds, certbot reports that the certificate was obtained and stores it under /etc/letsencrypt/live/mx2.your-domain.com/.

Obtaining TLS Certificate with the Apache Plugin

If Apache web server is running on your backup MX host, you can use the Apache plugin to obtain TLS certificate. Run the following command to install the Apache plugin.

sudo apt install python3-certbot-apache

You need to have an Apache virtual host for mx2.your-domain.com before obtaining Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/apache2/sites-available/mx2.your-domain.com.conf

Then paste the following text into the file.

<VirtualHost *:80>
        ServerName mx2.your-domain.com

        DocumentRoot /var/www/mx2.your-domain.com
</VirtualHost>

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mx2.your-domain.com

Set www-data (Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mx2.your-domain.com -R

Enable this virtual host.

sudo a2ensite mx2.your-domain.com.conf

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt TLS certificate.

sudo certbot --apache --agree-tos --redirect --hsts --email your-email-address -d mx2.your-domain.com

When the command succeeds, certbot reports that the certificate was obtained and installed into the Apache virtual host.

Obtaining TLS Certificate with the Nginx Plugin

If Nginx web server is running on your backup MX host, you can use the Nginx plugin to obtain TLS certificate. Run the following command to install the Nginx plugin.

sudo apt install python3-certbot-nginx

You need to have an Nginx virtual host (server block) for mx2.your-domain.com before obtaining the Let’s Encrypt TLS certificate. Create the virtual host file:

sudo nano /etc/nginx/conf.d/mx2.your-domain.com.conf

Next, paste the following text into the file.

server {
      listen 80;
      server_name mx2.your-domain.com;

      root /var/www/mx2.your-domain.com/;

      location ~ /.well-known/acme-challenge {
         allow all;
      }
}

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/mx2.your-domain.com/

Set www-data (Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/mx2.your-domain.com -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once virtual host is created and enabled, run the following command to obtain and install Let’s Encrypt certificate with Nginx plugin.

sudo certbot --nginx --agree-tos --redirect --hsts --email your-email-address -d mx2.your-domain.com

When the command succeeds, certbot reports that the certificate was obtained and shows the directory under /etc/letsencrypt/live/ where it is stored.

Installing TLS Certificate in Postfix

Now we have obtained a valid TLS certificate, let’s install it in Postfix.

sudo nano /etc/postfix/main.cf

Find the TLS parameters section and the following two lines.

smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key

Replace them with:

smtpd_tls_cert_file=/etc/letsencrypt/live/mx2.your-domain.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mx2.your-domain.com/privkey.pem

Then add the following 3 lines (or adjust them, if Ubuntu’s default main.cf already has them), which enable opportunistic TLS in the Postfix SMTP server. The may level means TLS is offered but not required, which is the right setting for port 25 because some sending servers still don’t use it.

smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_loglevel = 1

Caveat: with opportunistic TLS, a sender that only supports a protocol version you exclude does not fail; it falls back to cleartext, which is worse than an old TLS version. Exclude protocols here only if you accept receiving from such senders unencrypted; the stricter place for protocol restrictions is smtpd_tls_mandatory_protocols, which applies where TLS is required.

Save and close the file. Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now Postfix SMTP server can use STARTTLS to establish encrypted connection with SMTP clients on port 25. Note that end user email client won’t communicate with a backup MX host, so there’s no need to enable submission service on port 587 or 465.

Enforce TLS Connection Between the Primary and the Backup

Since your primary email server is also configured with a valid Let’s Encrypt TLS certificate, we can make the backup MX host require TLS when delivering emails to the primary email server. In the /etc/postfix/main.cf file, add the following parameters, which make the Postfix SMTP client always use TLS and verify the remote server’s certificate against the trusted root CA certificates in the /etc/ssl/certs directory. Two caveats before you do this globally. First, these settings apply to every outbound delivery from the backup MX, including bounces to arbitrary sender domains; delivery to any destination whose certificate doesn’t verify is deferred and eventually bounced. If that is not what you want, keep the global smtp_tls_security_level at may and put the verify policy for your own domains in smtp_tls_policy_maps instead. Second, if the primary’s certificate expires, the backup holds its mail until maximal_queue_lifetime runs out, so monitor certificate renewal on the primary. Note also that matching on hostname trusts the MX hostname obtained from an unauthenticated DNS lookup; the secure level, which matches the next-hop domain name instead, avoids that.

smtp_tls_security_level = verify
smtp_tls_verify_cert_match = hostname, nexthop, dot-nexthop
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1

Save and close the main.cf file. Postfix looks up CA certificates in $smtp_tls_CApath by the hash of their subject name, so the directory needs hash-named symbolic links. Ubuntu’s ca-certificates package already maintains them in /etc/ssl/certs, but you can regenerate them with the following command.

Ubuntu 18.04: sudo openssl rehash /etc/ssl/certs

Ubuntu 16.04: sudo c_rehash /etc/ssl/certs

Restart Postfix for the changes to take effect.

sudo systemctl restart postfix

Now you can send an email from your backup MX host to your email address with the following command.

echo "hello" | sendmail [email protected]

After the message is sent, you can find the following text in /var/log/mail.log file.

Verified TLS connection established

If your backup MX host establishes a TLS connection but cannot verify the primary email server’s certificate, the following message is logged instead. Because the security level is verify, the message is then deferred rather than delivered (Postfix also logs that the server certificate was not verified).

Untrusted TLS connection established

How to Identify Relayed Email

You can recognize relayed email by looking at the email headers in your email client. For example, I shut down my primary email server, then used my Gmail account to send an email to my domain email account. After a few minutes, I booted my primary email server up again. When checking the email headers, the client IP and HELO hostname belong to my backup MX host, so I know it was relayed via my backup MX host.

Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=13.115.185.252; helo=mx2.linuxbabe.com; [email protected]; receiver=

Notice that the SPF check result is Softfail: gmail.com’s SPF record ends in ~all, so a message with a gmail.com sender arriving from my backup MX’s IP address is a soft failure rather than a hard one. The recipient’s SMTP server may still accept it and mark it Softfail. This is exactly why the primary should exempt the backup MX from its SPF-based filtering, as mentioned in the anti-spam section: every relayed message arrives at the primary from the backup’s IP address and fails the sender domain’s SPF policy there.
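Both of the checks above, reading the TLS outcome in mail.log and spotting relayed mail from the Received-SPF header, are easy to script. The following added Python example (mine, not the tutorial’s) parses constructed mail.log lines in Postfix’s format and a constructed Received-SPF header; the hostnames, IP addresses and queue IDs in the sample data are made up.

```python
import re

# Constructed Postfix log lines in the format mail.log uses on Ubuntu. Hostnames
# and addresses are documentation values, not from a real server.
SAMPLE_LOG = """\
Jan 10 09:00:01 mx2 postfix/smtp[1201]: Verified TLS connection established to email.linuxbabe.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:00:05 mx2 postfix/smtpd[1210]: Anonymous TLS connection established from sender.example.net[192.0.2.44]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 10 09:01:12 mx2 postfix/smtp[1225]: Untrusted TLS connection established to email.linuxbabe.com[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:02:40 mx2 postfix/smtp[1230]: 4F3A1C0012: to=<alice@linuxbabe.com>, relay=email.linuxbabe.com[203.0.113.10]:25, delay=1.2, delays=0.1/0/0.8/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1A2B3C)
"""

# Constructed Received-SPF header of the kind the primary adds to relayed mail.
SAMPLE_HEADER = ("Received-SPF: Softfail (mailfrom) identity=mailfrom; "
                 "client-ip=198.51.100.25; helo=mx2.linuxbabe.com; "
                 "envelope-from=someone@gmail.com; receiver=")

TLS_LINE = re.compile(
    r"postfix/(?P<daemon>smtpd?)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>to|from) (?P<peer>\S+?)\[(?P<ip>[0-9a-fA-F.:]+)\](?::\d+)?: "
    r"(?P<protocol>TLSv[\d.]+) with cipher (?P<cipher>\S+)")


def tls_events(log_text):
    """Extract every TLS handshake Postfix logged, inbound (smtpd) or outbound (smtp)."""
    events = []
    for line in log_text.splitlines():
        match = TLS_LINE.search(line)
        if match:
            events.append(match.groupdict())
    return events


def unverified_to_primary(events, primary_host):
    """Outbound handshakes to the primary whose certificate did not verify. With
    smtp_tls_security_level = verify these deliveries are deferred, not sent."""
    return [e for e in events
            if e["direction"] == "to" and e["peer"] == primary_host and e["trust"] != "Verified"]


def parse_received_spf(header):
    """Return (result, fields) from a Received-SPF header such as the one above."""
    body = re.sub(r"^Received-SPF:\s*", "", header.strip())
    result = body.split(None, 1)[0]
    fields = {k: v for k, v in re.findall(r"([\w-]+)=([^;\s]*)", body)}
    return result, fields


def relayed_via_backup(header, backup_hosts, backup_ips):
    """True when the message reached the primary through one of our backup MXs."""
    _, fields = parse_received_spf(header)
    return (fields.get("helo", "").lower() in backup_hosts
            or fields.get("client-ip") in backup_ips)


if __name__ == "__main__":
    events = tls_events(SAMPLE_LOG)
    for e in events:
        print(e["daemon"], e["trust"], e["direction"], e["peer"], e["protocol"])
    print("unverified to primary:", len(unverified_to_primary(events, "email.linuxbabe.com")))
    print("relayed via backup:", relayed_via_backup(SAMPLE_HEADER,
                                                    {"mx2.linuxbabe.com"}, {"198.51.100.25"}))
```

The HELO name in the header is whatever the connecting host claimed, so the client-ip match is the one to trust; the helo match is kept only as a convenience for reading logs by eye.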

I hope this tutorial helped you set up a backup email server with Postfix on Ubuntu. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care.
