Setting up a send-only SMTP server with Postfix on Ubuntu 24 is something most developers need to do when their applications need to send emails but don’t require full mail server functionality. This setup is particularly useful for web applications, automated notifications, and system alerts where you want reliable email delivery without the security overhead of handling incoming mail. You’ll learn how to install and configure Postfix specifically for outbound email delivery, secure it properly, and avoid the common pitfalls that can land your emails in spam folders.

Understanding Postfix in Send-Only Mode

Postfix is a modular mail transfer agent (MTA) that can be configured in various modes. In send-only mode, it handles outgoing mail exclusively while rejecting all incoming connections. This configuration reduces the attack surface significantly since you’re not running a full mail server that accepts external connections.

The key components in a send-only setup include:

• Master daemon (postfix) that manages all other processes
• Pickup daemon that handles locally submitted mail
• Cleanup daemon that processes and validates messages
• Queue manager that handles message routing
• SMTP client that delivers messages to remote servers

Unlike full mail servers, you won’t need the SMTP daemon listening on port 25 for incoming connections, which eliminates most security concerns related to mail servers.

Installation and Initial Setup

First, update your system and install Postfix. Ubuntu’s package manager will prompt you for configuration during installation:

sudo apt update && sudo apt upgrade -y
sudo apt install postfix mailutils -y

During installation, select “Internet Site” when prompted for the configuration type, then enter your fully qualified domain name (FQDN). If you miss this prompt, reconfigure it later:

sudo dpkg-reconfigure postfix

Verify the installation by checking the Postfix version and status:

postconf -d mail_version
sudo systemctl status postfix

Your main configuration file is located at /etc/postfix/main.cf. Before making changes, create a backup:

sudo cp /etc/postfix/main.cf /etc/postfix/main.cf.backup

Core Configuration for Send-Only Mode

Edit the main configuration file to implement send-only functionality:

sudo nano /etc/postfix/main.cf

Replace or add these essential settings:

# Basic settings
myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination = 

# Network and protocol settings
inet_protocols = ipv4
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128

# Disable local delivery
local_transport = error:local delivery is disabled

# Queue and size limits
message_size_limit = 26214400
mailbox_size_limit = 0

# Security settings
smtpd_banner = $myhostname ESMTP
disable_vrfy_command = yes
smtpd_helo_required = yes

The critical setting here is inet_interfaces = loopback-only, which prevents Postfix from accepting external connections. Setting mydestination = (empty) ensures no local delivery attempts.

For systems behind NAT or using cloud providers, add these settings to handle IP address resolution correctly:

# Cloud/NAT specific settings
smtp_address_preference = ipv4
smtp_bind_address = 0.0.0.0

Authentication and Relay Configuration

Most production environments require authenticated SMTP relay through providers like SendGrid, AWS SES, or Mailgun. Configure SASL authentication:

# SMTP relay settings
relayhost = [smtp.sendgrid.net]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Create the password file for your SMTP provider:

sudo nano /etc/postfix/sasl_passwd

Add your relay credentials:

[smtp.sendgrid.net]:587 apikey:your_sendgrid_api_key

Secure the file and create the hash database:

sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo systemctl restart postfix

Testing Your Configuration

Test local mail submission using the mail command:

echo "Test message body" | mail -s "Test Subject" recipient@example.com

Monitor the mail logs to verify delivery:

sudo tail -f /var/log/mail.log

For application testing, use a simple PHP or Python script:

# Python test
import smtplib
from email.mime.text import MIMEText

msg = MIMEText("Test message from Postfix")
msg['Subject'] = "Postfix Test"
msg['From'] = "noreply@yourdomain.com"
msg['To'] = "test@example.com"

smtp = smtplib.SMTP('localhost', 25)
smtp.send_message(msg)
smtp.quit()

Check the queue status and flush if needed:

postqueue -p
sudo postqueue -f

Performance and Security Optimization

Configure rate limiting and connection management to prevent abuse:

# Performance tuning
default_destination_concurrency_limit = 20
smtp_destination_concurrency_limit = 5
maximal_queue_lifetime = 1h
bounce_queue_lifetime = 1h

# Security enhancements
smtpd_client_restrictions = permit_mynetworks, reject
header_checks = regexp:/etc/postfix/header_checks

Create header checks to prevent information disclosure:

sudo nano /etc/postfix/header_checks

/^Received:.*with ESMTPSA/ REPLACE Received: from localhost
/^User-Agent:/ IGNORE
/^X-Originating-IP:/ IGNORE

Apply the changes:

sudo postmap /etc/postfix/header_checks
sudo systemctl reload postfix

Comparison with Alternative Solutions

Solution	Resource Usage	Configuration Complexity	Reliability	Best Use Case
Postfix (send-only)	Low (50-100MB RAM)	Medium	High	Production applications
msmtp	Very Low (5-10MB RAM)	Low	Medium	Simple scripts
Exim4	Medium (100-200MB RAM)	High	High	Complex routing needs
Direct SMTP libraries	Application dependent	Low	Application dependent	Single application use

Common Issues and Troubleshooting

The most frequent problems you’ll encounter include:

**Port 25 blocked by ISP**: Many providers block outbound port 25. Use submission port 587 with TLS:

relayhost = [smtp.provider.com]:587

**Emails marked as spam**: Implement SPF, DKIM, and DMARC records. For SPF, add this DNS TXT record:

v=spf1 include:sendgrid.net ~all

**Permission denied errors**: Check Postfix user permissions:

sudo chown -R postfix:postfix /var/spool/postfix
sudo chmod 755 /var/spool/postfix

**Queue buildup**: Monitor and clear stuck messages:

postqueue -p | grep -c "^[A-F0-9]"
sudo postsuper -d ALL deferred

**Authentication failures**: Verify SASL configuration:

sudo postconf -n | grep sasl
testsaslauthd -u username -p password -s smtp

Production Best Practices

Implement proper monitoring with log rotation and alerting:

sudo nano /etc/logrotate.d/postfix

/var/log/mail.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    create 644 syslog adm
    postrotate
        systemctl reload rsyslog
    endscript
}

Set up firewall rules to block unnecessary ports:

sudo ufw deny 25/tcp
sudo ufw allow out 587/tcp
sudo ufw allow out 465/tcp

For high-volume applications, consider implementing connection pooling and using persistent connections. Monitor key metrics like queue length, delivery times, and bounce rates.

Regular maintenance should include updating TLS certificates, monitoring blacklist status using tools like MXToolbox, and reviewing the official Postfix documentation for security updates.

This configuration provides a robust foundation for send-only email functionality while maintaining security and reliability. The setup scales well from small applications to high-volume systems when paired with appropriate infrastructure from providers offering VPS solutions or dedicated servers for enterprise requirements.

---

---

This article incorporates information and material from various online sources. We acknowledge and appreciate the work of all original authors, publishers, and websites. While every effort has been made to appropriately credit the source material, any unintentional oversight or omission does not constitute a copyright infringement. All trademarks, logos, and images mentioned are the property of their respective owners. If you believe that any content used in this article infringes upon your copyright, please contact us immediately for review and prompt action.

This article is intended for informational and educational purposes only and does not infringe on the rights of the copyright owners. If any copyrighted material has been used without proper credit or in violation of copyright laws, it is unintentional and we will rectify it promptly upon notification. Please note that the republishing, redistribution, or reproduction of part or all of the contents in any form is prohibited without express written permission from the author and website owner. For permissions or further inquiries, please contact us.