Enabling Postfix on OSX as a Relay: Revisited

Postfix on OSX: Revisited

A few years back, I had written a post on enabling the Postfix MTA as a relay server on OSX, which was quite well received. The article was originally written for OS X Lion, though it remained valid for OSX Mountain Lion, and more recently on
OSX Mavericks as well.

However, things have changed on the OS since the last two versions, which warrants a revisit of the instructions, and a refresh of some of the steps. While the old set of instructions still work, there are changes needed that will keep the configuration future-proof.

The key changes since the article was posted (in February 2012) are:

  1. The launchd configuration has changed somewhat, and a few elements of the launchctl plist file are now deprecated. The old configuration in the org.postfix.master.plist needs to be refreshed
  2. The old configuration depended on local mail-drop in the Postfix queues for the MTA daemon to be started. While this is quite correct (this is Unix, after all), there is another common scenario where the daemon is launched when a client connects to the SMTP ports (default port 25) on the
    local machine.

The Updated launchd Configuration

We would like to retain running the daemon on a mail-drop in the queue, but also enable running the MTA when a connection is made to the SMTP port (default 25). The updated org.postfix.master.plist configuration file listed below does this for us.

In addition, the redundant and deprecated plist tags have also been removed.

You can replace the existing copy with this version as a drop-in replacement at /System/Library/LaunchDaemons/ by using the following shell commands in Terminal.app (assuming you have downloaded the new version at ~/Desktop):

$ cd /System/Library/LaunchDaemons/
$ sudo cp org.postfix.master.plist org.postfix.master.plist.old
$ sudo cp ~/Desktop/org.postfix.master.plist .

The actual configuration file:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.postfix.master</string>
        <key>ProgramArguments</key>
        <array>
            <string>/usr/libexec/postfix/master</string>
            <string>-e</string>
            <string>60</string>
        </array>
        <key>Sockets</key>
        <dict>
            <key>Listeners</key>
            <dict>
                <key>SockServiceName</key>
                <string>smtp</string>
                <key>SockType</key>
                <string>stream</string>
            </dict>
        </dict>
        <key>QueueDirectories</key>
        <array>
            <string>/var/spool/postfix/maildrop</string>
        </array>
        <key>AbandonProcessGroup</key>
        <true/>
    </dict>
    </plist>

Once the file has been copied into the correct location (perhaps by using sudo), we need to reload the configuration into launchd:

$ cd /System/Library/LaunchDaemons/
$ sudo launchctl unload org.postfix.master.plist
$ sudo launchctl load -w org.postfix.master.plist

This should be sufficient to reload the new configuration.

Testing out the configuration

We can test the changes via the shell itself by trying to connect via telnet to the smtp port and trying out a few basic SMTP commands (HELO for checking a response, and QUIT to logout of the SMTP session):

$ cd ~                                  # Lets get back to $HOME directory
$ mail &lt;your_id&gt;                        # Send yourself an email to check mail-drop
$ telnet localhost smtp                 # Now lets telnet into the server
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 localhost.local ESMTP Postfix
HELO
501 Syntax: HELO hostname
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

In the sample SMTP session above, the third line (starting with “220” response) indicates that the Postfix MTA is running, and is ready for accepting mail drops via the SMTP port (as opposed to the mail-drop via the mail command).

About these ads

10 Comments on “Enabling Postfix on OSX as a Relay: Revisited”

  1. […] on Dec 21, 2013: I have posted an update to the launchd setup for postfix. You should still read through this post, as most of the setup […]

  2. Philip says:

    First off, thanks for the walkthrough. Works like a charm for me to test email scripts locally i spite of Comcast blocking port 25. :-|

    However, I do want to point out a typo in the updated plist here; it gave me a brief roadblock until I found out how to check the syntax with plutil. On line 5, the element isn’t closed properly:

    Label

    should be

    Label

    Thanks again for the tutorial!

  3. Awesome. Works like a charm.

  4. BLD says:

    Everything works except getting the SMTP server to respond on port 25. Strangely, it works as described when I telnet via 127.0.0.1 to port 25 but not via localhost or an external interface. The telnet connection is opened in all cases — it’s just that I only get the ESMTP server prompts and responses on the 127.0.0.1 interface.

    I don’t have any firewall enabled (and I don’t think it would connect at all if that were the issue). This seems to be some issue within Postfix itself.

    • BLD says:

      The problem was I needed the following line in my main.cf:

      inet_interfaces = $myhostname, localhost

      The default or explicit ‘inet_interfaces = all” did not work because my MacPro has two NICs. When I tried “inet_interfaces = all” Postfix would fail to start with error messages about failing to bind to 0.0.0.0:25. Go figure.

  5. With Yosemite I had to edit /etc/postfix/main.cf and add this beneath the other sasl options:

    smtp_sasl_mechanism_filter = plain

    • You’ll know if you need the above if you see lines like this in mail.log:

      postfix/smtp[5351]: Untrusted TLS connection established to smtp.gmail.com[173.194.79.108]:587: TLSv1 with cipher RC4-SHA (128/128 bits)

      postfix/smtp[5351]: 7EC2A29B0B8: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.79.108]: generic failure


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 67 other followers