Postfix - MX records and receiving emails

So far, we have prepared the Slice, installed postfix and had a quick look at the postfix main.cf file.

From that solid base, we can send mail and we know it all works according to plan. Now we can move on to receiving emails. To do that, we need to create the correct MX records and open port 25 in our iptables firewall.


Single domain

Remember that at this stage we are dealing with a single domain. In the example articles I am using the domain 'demoslice.com'. You would, of course, replace that with your main domain.

MX records

Although there are existing articles on creating MX records (see here), let's have a quick run through of what we need.

Keeping with traditional naming conventions, we need a subdomain named 'mail' (thus giving mail.demoslice.com) and an MX record for demoslice.com pointing to that subdomain.

Please refer to the article shown above for details of how to add the records to the DNS panel in the Slicemanager. However the two records will look like this when being created:

A Record

[Screenshot: A record for demoslice.com]

MX Record

[Screenshot: MX record for demoslice.com]

You may note I entered the figure '10' in the Auxiliary information section when adding the MX record.

It is possible to have multiple MX records and have multiple mail servers for your mail. A sending server works out which one to use based on this figure: the lower the number, the higher the priority.

I entered '10' as I don't know what the future will hold. I may set up a 'super' mail server and want to give that one a higher MX priority. As such, when I created records for the 'super' mail server I would enter '0'.

A little 'future proofing' never does any harm.

Dig

Once the records have been created they can be checked using the 'dig' command.

The moment the records have been created, you can check them on the nameserver itself. This saves waiting for the records to propagate only to find you made a mistake.

So, to check the 'mail' subdomain is correctly entered on the Slicehost nameserver:

dig mail.demoslice.com @dns1.stabletransit.com

The section we are looking for is:

;; ANSWER SECTION:
mail.demoslice.com.     86400   IN      A       208.75.84.20

Looks good.

Now we can check the MX record for the demoslice.com domain:

dig demoslice.com MX @dns1.stabletransit.com

The answer:

;; ANSWER SECTION:
demoslice.com.          86400   IN      MX      10 mail.demoslice.com.

Again, that is correct.
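
The priority rule and the two dig checks above can be combined into one test: take the MX target with the lowest number and confirm it has an A record. This is an added example, not part of the original article; the 'super' host and its 192.0.2.25 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: choose the mail exchanger a sender would try first.
# Input: answer lines in the format dig prints ("name ttl IN type data").

# Constructed sample. The 'super' host and 192.0.2.25 are hypothetical.
SAMPLE_ANSWERS='demoslice.com.        86400 IN MX 10 mail.demoslice.com.
demoslice.com.        86400 IN MX 0 super.demoslice.com.
mail.demoslice.com.   86400 IN A  208.75.84.20
super.demoslice.com.  86400 IN A  192.0.2.25'

# mx_by_priority DOMAIN: print "preference host", lowest preference first.
mx_by_priority() {
    awk -v d="$1." '$1 == d && $4 == "MX" { print $5, $6 }' | sort -n -k1,1
}

# a_record HOST: print the address(es) published for HOST (with trailing dot).
a_record() {
    awk -v h="$1" '$1 == h && $4 == "A" { print $5 }'
}

# preferred_mx DOMAIN: read answers on stdin, print "host address" for the
# best-priority MX target that also has an A record. Returns 1 if none does.
preferred_mx() {
    answers=$(cat)
    for host in $(printf '%s\n' "$answers" | mx_by_priority "$1" | awk '{ print $2 }'); do
        addr=$(printf '%s\n' "$answers" | a_record "$host" | head -n 1)
        if [ -n "$addr" ]; then
            printf '%s %s\n' "$host" "$addr"
            return 0
        fi
        echo "warning: MX target $host has no A record" >&2
    done
    return 1
}

printf '%s\n' "$SAMPLE_ANSWERS" | preferred_mx demoslice.com
# Live use, with the commands from this article:
# { dig demoslice.com MX @dns1.stabletransit.com
#   dig mail.demoslice.com @dns1.stabletransit.com; } | preferred_mx demoslice.com
```

A warning on stderr means an MX record points at a name with no A record, which is the mistake the dig checks are meant to catch before the records propagate.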

Iptables

When we set up the Slice we created a simple firewall using an iptables script (please see the Slice setup article for details).

The common port for receiving mail is port 25 and the base setup didn't have that port open.

If you tried to send mail to the domain you would get an undeliverable notification.

Using the same files from the Slice setup article, let's open the iptables test file:

sudo nano /etc/iptables.test.rules

To open port 25, we need to add the following just after the 'Allows all outbound traffic' entry:

# Allows postfix to accept incoming connections
-A INPUT -p tcp --dport 25 -j ACCEPT

Note the line starting with the '#' is not compulsory but I find commenting a file makes for much easier administration at a later date when you have no idea what you entered.

Once done and saved, we need to make the new rule set active:

sudo iptables-restore < /etc/iptables.test.rules

The port will now be open but it's always good practice to check something so important:

sudo iptables -L

Amongst the output is the new line:

ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp

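So now we can accept SMTP connections. The port is listed as 'smtp' rather than 25 because 'iptables -L' shows the service name for the default mail port (25).

To save the final configuration to the script that is executed on a reboot, you need to be root rather than just use sudo (the '>' redirection is performed by your own shell, not by sudo):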

sudo -i

The command is:

iptables-save > /etc/iptables.up.rules

Once done, exit root:

exit

Done. We now have the correct port open in our iptables firewall.
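
iptables evaluates a chain from top to bottom, which is why the new rule goes where the article says rather than at the end of the file. The following added example (not from the original article) checks a rules file for that; the sample rules are constructed and assume the INPUT chain ends with a catch-all REJECT or DROP, which this page does not show.

```shell
#!/bin/sh
# Added example: confirm the port 25 rule is not shadowed in a rules file.
# Reads iptables-restore format on stdin. Prints ok, shadowed or missing.
check_smtp_rule() {
    awk '
        $1 == "-A" && $2 == "INPUT" {
            n++
            # First unconditional "-A INPUT -j REJECT" or "-j DROP" ends the chain.
            if (!blocked && $3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) blocked = n
            # The rule from this article (iptables-save adds "-m tcp", still matches).
            if (!smtp && /-p tcp/ && /--dport 25( |$)/ && /-j ACCEPT/) smtp = n
        }
        END {
            if (!smtp)                     { print "missing";  exit 2 }
            if (blocked && blocked < smtp) { print "shadowed"; exit 1 }
            print "ok"
        }'
}

# Constructed rules files; only the two port 25 lines come from this article.
GOOD_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
-A OUTPUT -j ACCEPT
# Allows postfix to accept incoming connections
-A INPUT -p tcp --dport 25 -j ACCEPT
-A INPUT -j REJECT
COMMIT'

# Same rules with the new lines appended after the catch-all by mistake.
SHADOWED_RULES='*filter
-A INPUT -i lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -j REJECT
# Allows postfix to accept incoming connections
-A INPUT -p tcp --dport 25 -j ACCEPT
COMMIT'

printf '%s\n' "$GOOD_RULES" | check_smtp_rule
printf '%s\n' "$SHADOWED_RULES" | check_smtp_rule || true
```

To check the real file before loading it, run check_smtp_rule < /etc/iptables.test.rules.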

Complete

Now we have the Slice set up to receive mail for our domain.

The next article will look at the telnet package to conduct some final tests on the setup to ensure postfix is sending the correct identification details. We'll also take a look at checking the email from the command line (future articles will look at pop and imap access).

Summary

Setting the Slice to receive email for our domain requires the correct DNS entries and an open port in our iptables firewall.

Once done, the Slice can receive email.

PickledOnion

Article Comments:

Ralph Haygood commented Sun Aug 03 23:04:23 UTC 2008:

Your timing is perfect. I came here today specifically to find out how to configure my slice's IP tables for receiving email. Thanks very much.

hasakanyol commented Tue Aug 05 02:08:13 UTC 2008:

Will there be a multi-domain mail configuration guide too?

PickledOnion commented Tue Aug 05 09:57:50 UTC 2008:

Hi,

As mentioned several times in the mail articles and the comments:

there will be articles on multi-domains.

PickledOnion

Jonny commented Thu Aug 07 22:36:43 UTC 2008:

@PickledOnion - Thank you for all the time you put into making these guides. They are excellent!

Glen commented Fri Sep 05 13:00:51 UTC 2008:

Really great! Looking forward to the multi-domain stuff.

Dmitry commented Fri Oct 10 17:34:58 UTC 2008:

This article does not appear under http://articles.slicehost.com/email

Please add it there, if I did not notice it earlier, I could have spent quite some time behind the firewall. :)

PickledOnion commented Mon Oct 13 12:30:44 UTC 2008:

Dmitry,

Thanks for noting that. I have added it to the email list. I am not sure how I forgot to add it but thanks for the note!

PickledOnion

Duncan Gough commented Tue Dec 23 12:56:50 UTC 2008:

Note that I found this command didn't really work:

dig demoslice.com MX @ns1.slicehost.net

But this one did:

dig @ns1.slicehost.net mynewdomain.com MX

(taken from http://articles.slicehost.com/2007/10/25/create-a-mail-exchange-mx-record instead)

Seneca commented Wed Feb 04 02:02:44 UTC 2009:

I use google for my e-mail services. However, my application needs to receive e-mails. Do I need to create the A and MX records as per this article to be able to do that? Sorry, I am a little bit confused here.

Neelam commented Sat Feb 21 09:17:58 UTC 2009:

My postfix is not responding from telnet but mailx is working locally. I am not able to send mail from outside (like from gmail, yahoomail). Please suggest something.

mcebisi viki commented Sat Mar 14 12:17:00 UTC 2009:

That's good, nothing I can say.

Jeff Schwab commented Wed Apr 08 23:13:07 UTC 2009:

Outstanding tutorial, as usual. I did have a problem with some forms of address no longer working; in particular, "mail demo" no longer worked. The problem was fixed by changing main.cf:

mydestination = $myhostname localhost.$mydomain localhost $mydomain www.$mydomain

That's per the Postfix documentation: http://www.postfix.org/BASICCONFIGURATIONREADME.html

I'm guessing the problem was that I had more A records than demosite.com. The Postfix site specifically cautions that you have to make sure to include all possible names for your host. (What do people do about globbed hostnames, e.g. *?)

Randy Schmidt commented Mon Jun 29 01:24:22 UTC 2009:

Hi! Thanks for the great articles! I was wondering how I would set it up so that the mail for some email addresses would go to Google Apps but the rest would go to the slice? Do I have to set up some kind of relay?

Thank you!

I want to host email for multiple domains commented Sun Aug 02 23:12:10 UTC 2009:

Hahah, when are we going to get an article about hosting email for multiple domains? 2010?

PickledOnion commented Mon Aug 03 12:24:20 UTC 2009:

With regard to the comment about hosting email for multiple domains - perhaps you could look at the email articles? (look under 'Servers' and then 'Email').

You will find a complete series on hosting email for multiple domains.

Thanks, PickledOnion

Mark commented Sun Nov 15 22:58:06 UTC 2009:

Hi. Is there a way to make a "catch all" account that will catch all the emails sent which do not have an email address created for them? I am getting a lot of errors in my syslog saying that people are trying to send to email addresses that are not there. Thanks

wulabs commented Sun Dec 06 04:34:44 UTC 2009:

Hi

We set this up to process inbound emails to a specific email address. Is there a way to also setup so we can use Google Apps to catch the rest of email addresses? Maybe a filter that redirects all uncaught received email to google apps?
