Outgoing Mail Server

On each server, a local Postfix instance runs as the MTA and delivers mail originating on the server to its destination.

Tip

Instead of using the local mail server, we recommend configuring your application to send mail by SMTP directly via an existing, external mail server.

This way, you can use a mail server (e.g. your company’s mail server) where SPF, DKIM and other settings are already configured and monitored.

Also, this is the most robust setup to reliably send mail out from your server - and through the spam filters on the receiving side.

SPF Policy

To explicitly allow your web server to send mails from a particular domain, you need to add an SPF policy as a TXT record to your DNS zone:

example.com.              3600     IN      TXT     "v=spf1 mx a:<fqdn-or-smarthost> -all"

Warning

Make sure to include all other required systems as well. This example covers only the server behind the domain’s MX record and the web server with the mentioned hostname.
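To illustrate the warning above, here is an added Python example (not part of the platform's own tooling) that evaluates the example policy against three senders. The host names, IP addresses and the in-memory DNS table are constructed for the example, and only the mx, a, ip4, ip6 and all mechanisms are handled.

```python
import ipaddress

# Constructed DNS data: hypothetical hosts on documentation address ranges.
DNS = {
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("web01.example.com", "A"): ["192.0.2.20"],
}
RECORD = "v=spf1 mx a:web01.example.com -all"  # the page's policy, placeholder filled in
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def addresses(host):
    """A and AAAA addresses of host, taken from the constructed table."""
    found = DNS.get((host, "A"), []) + DNS.get((host, "AAAA"), [])
    return [ipaddress.ip_address(a) for a in found]


def check_spf(record, domain, sender_ip):
    """Evaluate the mx, a, ip4, ip6 and all mechanisms for sender_ip."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in addresses(arg or domain)
        elif name == "mx":
            hosts = DNS.get((arg or domain, "MX"), [])
            matched = any(ip in addresses(h) for h in hosts)
        else:
            raise ValueError(f"mechanism not handled in this example: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"  # no mechanism matched and there is no "all" term


if __name__ == "__main__":
    senders = {"mail server": "192.0.2.10", "web server": "192.0.2.20",
               "other system, not in policy": "198.51.100.7"}
    for label, addr in senders.items():
        print(f"{label:28} {addr:14} {check_spf(RECORD, 'example.com', addr)}")
```

A system that sends for the domain but is missing from the record ends at the -all term and gets the result fail.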

Note

Depending on your company’s guidelines, it might be forbidden to send mails directly out to the internet. Instead, outgoing mails might have to be routed through a central smarthost / mail relay server for compliance reasons.

Configuration Options

Warning

Any change can have unintended consequences. Please make sure to plan and test carefully. Ask us for advice if you’re in doubt.

Trusted Networks

postfix::mynetworks (default: empty)

  • list of additional, trusted remote SMTP clients that have more privileges than strangers

  • see the Postfix documentation for details

Note

127.0.0.0/8 [::1]/128 is always prepended

Smarthost / Relay Host

postfix::relayhost (default: empty)

  • next-hop destination of non-local mail (i.e. instead of trying to deliver directly to the MX host of the recipient domain, all mails are sent to this host, which relays them to the destination)

  • see the Postfix documentation for details

Authentication on Smarthost

In case your smarthost requires authentication prior to accepting mails for relaying, you can configure a password map:

postfix::smtp_sasl_password_maps (default: empty)

  • see the Postfix documentation for details

Fallback SMTP Relay

postfix::smtp_fallback_relay (default: empty)

  • optional list of relay hosts for SMTP destinations that can’t be found or that are unreachable

  • see the Postfix documentation for details

Interface IP addresses

postfix::inet_interfaces (default: loopback-only (localhost Port 25))

  • network interface addresses that this mail system receives mail on

  • see the Postfix documentation for details

Message size limit

postfix::message_size_limit (default: 25600000 (25MB))

  • the maximum size in bytes of a message, including envelope information

  • see the Postfix documentation for details

Monitoring

postfix::monitoring (default: true)

  • whether our external monitoring will check the health of the mail service on this particular server

Custom certificate

postfix::smtpd_tls_cert_file (default: empty)

postfix::smtpd_tls_key_file (default: empty)

  • path to a TLS certificate / key pair used for incoming SMTP connections

SMTPUTF8 support

postfix::smtputf8_enable (default: yes)

  • Enable preliminary SMTPUTF8 support for the protocols described in RFC 6531 to 6533

  • see the Postfix documentation for details

Example Configuration

All Postfix-related configuration is set within the Custom JSON Server Level Configuration:

{
  "postfix::relayhost": "example.net"
}

Microsoft Blocklist

If the IP address is on their blocklist, emails to Microsoft (especially towards outlook.com addresses) are rejected with one of the following messages:

550 5.7.1 Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your
Internet service provider since part of their network is on our block list (S3140).

S3140 means that the sending IP is completely blocked and not allowed to send mails to Microsoft mail servers.

550 5.7.1 Unfortunately, messages from [x.x.x.x] weren't sent. Please contact your
Internet service provider since part of their network is on our block list (S3150).

S3150 means that the sending IP address is rate-limited and temporarily not allowed to submit mails.

Both situations stem from how Microsoft’s systems see and qualify the sending IP address reputation. From the outside it’s often hard or even impossible to figure out why an IP is being blocked or rate-limited.
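To find out which of the two codes a server is hitting, the rejections can be counted from the mail log. The following Python example is added here and is not part of the platform's tooling; the log lines are constructed, abridged entries in Postfix's usual layout, with hypothetical host names and documentation IP addresses.

```python
import re
from collections import Counter

# Meaning of the two codes as described in this section.
CODES = {"S3140": "blocked", "S3150": "rate-limited"}

# Matches a Postfix smtp client entry whose remote reply carries a block list code.
REJECT = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]+)>,.*"
    r"messages from \[(?P<ip>[^\]]+)\] weren't sent\..*"
    r"block list \((?P<code>S\d+)\)"
)

# Constructed sample log lines (hypothetical hosts, documentation IP ranges).
SAMPLE_LOG = """\
Mar  3 10:15:02 web01 postfix/smtp[2211]: 4A1B2C3D4E: to=<alice@outlook.com>, relay=mx.example.net[203.0.113.5]:25, delay=1.2, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.1 Unfortunately, messages from [192.0.2.20] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3140).)
Mar  3 10:15:09 web01 postfix/smtp[2212]: 5B2C3D4E5F: to=<bob@example.org>, relay=mail.example.org[203.0.113.9]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
Mar  3 10:16:40 web01 postfix/smtp[2215]: 6C3D4E5F60: to=<carol@outlook.com>, relay=mx.example.net[203.0.113.5]:25, delay=0.9, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.1 Unfortunately, messages from [192.0.2.20] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150).)
Mar  3 10:17:01 web01 postfix/smtp[2216]: 7D4E5F6071: to=<dave@outlook.com>, relay=mx.example.net[203.0.113.5]:25, delay=1.0, dsn=5.7.1, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.1 Unfortunately, messages from [192.0.2.20] weren't sent. Please contact your Internet service provider since part of their network is on our block list (S3150).)
"""


def blocklist_rejections(log_text):
    """Count block list rejections per (sending IP, code)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m and m["code"] in CODES:
            hits[(m["ip"], m["code"])] += 1
    return hits


def summarize(hits):
    """One line per sending IP and code, with the code's meaning."""
    return [f"{ip} {code} ({CODES[code]}): {n} rejected"
            for (ip, code), n in sorted(hits.items())]


if __name__ == "__main__":
    print("\n".join(summarize(blocklist_rejections(SAMPLE_LOG))))
```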

Tip

Before requesting unblocking, make sure that sending emails from the server and domain is configured correctly (SPF, DMARC etc). You can use tools such as mail-tester to check this.

To request a delisting and thus unblocking of the sending IP address, use the Microsoft OLC (Outlook Consumer) support portal. A Microsoft account is required for this.

Usually, Microsoft communicates their decision within 24 hours with a (strangely worded) automated response. If the decision was negative, reply to their e-mail and ask for a review and the IP address will normally be unblocked within the next 24 hours.