[TUTORIAL] Get Postfix to Send Notifications (Email) Externally

For those of you using zoho as smtp server I managed to get it working with the following:
/etc/postfix/main.cf
Code:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

myhostname=proxmox.domain.com

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, localhost
# relayhost =
mynetworks = 127.0.0.0/8
inet_interfaces = loopback-only
recipient_delimiter = +

compatibility_level = 2

relayhost = smtp.zoho.com:465
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/Entrust_Root_Certification_Authority.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s
sender_canonical_classes = envelope_sender, header_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks

/etc/postfix/sasl_passwd
smtp.zoho.com user@domain.com:PASSWD

/etc/postfix/sender_canonical
/.+/ user@domain.com

/etc/postfix/smtp_header_checks
/^From:.*/ REPLACE From: Proxmox alert <user@domain.com>

/etc/postfix/tls_policy
smtp.zoho.com:465 encrypt

Then run the following to apply the changes
Bash:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
postmap /etc/postfix/tls_policy
apt-get install libsasl2-modules
postfix reload && systemctl restart postfix.service

Thank you. This works perfectly over port 465. What would need to change to make it work over port 587 with STARTTLS besides just changing the ports in the setup above?

Just changing the ports doesn't work. The log says warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
 

Hi Peter,

Thanks for the info, as I'm trying to set up my email notification with Zoho. The one area I get stuck in is the failed authentication:

Code:
SASL authentication failed; server smtp.zoho.com[136.143.190.56] said: 535 Authentication Failed)

I'm using an app password and the from and to address is my account, but still having no luck. I was hoping you could point me in the right direction.

Thanks
 
I got a problem with the config on a fresh Proxmox ISO install. While msmtp works to directly send mail if I set it up, I can't pass the notifications using msmtp. So I tried again on a new install with the default postfix, but I always get this error message, with the config for port 465 or for port 587:

pve74 postfix/smtp[24277]: 75DFE40E1E: SASL authentication failed; server smtp.emailprovider.com[xx.xxx.xx.ip] said: 535 5.7.0 authentication failed

config added:

Code:
relayhost = smtp.providermail.com:465
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
# for 465: add tls_policy  3line:
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/Entrust_Root_Certification_Authority.pem
#smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_tls_session_cache_timeout = 3600s

and with or without the line: #mydestination = $myhostname, localhost.$mydomain, localhost, and with or without: default_transport = smtp

============
or with this one :
Code:
#mydestination = $myhostname, localhost.$mydomain, localhost
relayhost = [smtp.providermail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Do we just need to install libsasl2-modules, or something else?
*I didn't add a canonical file, as I'm not sure what to put inside the file and whether a postmap is needed too, and I didn't add a header file either.
 
I'm not sure I did this in the proxmox way but I couldn't get email to relay to me and some posts were dated or didn't work for me, so I did the following:

Gmail for example:

Change /etc/postfix/main.cf to include/change these lines:
Code:
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

#mydestination = $myhostname, localhost.$mydomain, localhost

Be sure there are no dupes as the main.cf may have smtp_sasl_security_options = {} , and relayhost = {}. Just delete or comment those lines.

Create an /etc/postfix/sasl_passwd file with:
Code:
[smtp.gmail.com]:587    testmehere@gmail.com:PASSWD

run
Code:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd

install for passwd support:
Code:
apt-get install libsasl2-modules

Restart service:
Code:
systemctl restart postfix.service

Test:
Code:
echo "Test mail from postfix" | mail -s "Test Postfix" test@test.com

Test from PVE:
Code:
echo "test" | /usr/bin/pvemailforward


Logs:
Code:
/var/log/mail.warn
is helpful as well as
Code:
/var/log/mail.info



Customize From:
This is nice so it's not from "root"

Create smtp_header_checks file, this changes all outgoing mail:
Code:
/^From:.*/ REPLACE From: HOSTNAME-alert <HOSTNAME-alert@something.com>

Add to main.cf:
Code:
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks

Don't forget to run postmap on the header file

#note. For pcre support you'll need to install apt install postfix-pcre and restart postfix service

This was exactly what I was looking for, thanks for putting it together for the community
 
I followed the instructions above, but it didn't work for me. Maybe I missed something.

relayhost = [smtp.mail.yahoo.com]:465
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

/etc/postfix/sasl_passwd file:
[smtp.mail.yahoo.com]:465 myemailaccount@yahoo.com:myYahooAppGeneratedPassword


When testing PVE:
echo "test" | /usr/bin/pvemailforward I receive an error "No such file or directory"

Also the logs also state "No such file or directory"
/var/log/mail.warn /var/log/mail.info
 
In 2023, testing with the PVE script should be done with:
Code:
echo "test" | /usr/bin/proxmox-mail-forward

Logging is now handled by systemd's journal.
Use the command journalctl to show the system log (including postfix messages).
To jump to the end of the log, press Shift+G.
 
Thanks. The tutorial was much appreciated. I've configured my servers to use a third party mail relay service.

I encountered one problem that was readily fixed:

postfix/smtp[1415]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)

I merely had to add these two lines into the main.cf, restart postfix, and after that, things worked as expected.

smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt

Thanks again.

Thank you very much, that solved my problem. I use a mail server via Mailu Docker container(s).
Here is my main.

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

myhostname=proxmox07.example01.at

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, localhost
#relayhost =
mynetworks = 127.0.0.0/8,192.168.13.0/24
inet_interfaces = loopback-only
recipient_delimiter = +

compatibility_level = 2

####################################################
relayhost = [example02.com]:465
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
inet_protocols = ipv4
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
#mydestination = $myhostname, localhost.$mydomain, localhost

and my sasl_passwd (I used an auth token - Authentifizierungs-Tokens in mailu-admin-gui - instead of the password):

[example02.com]:465 proxmoxtest@example02.com:3ba51059d223a4f086a671391e74bf71

If I changed the sasl_passwd file:
I also had the issue that the syslog (in PVE click on the node -> System -> Syslog) said that the sasl_passwd.db is older than the sasl_passwd file. I just deleted the sasl_passwd.db file, restarted postfix twice and sent a test mail after every restart. After that, the sasl_passwd.db file got recreated.
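
Added example, not part of any post in this thread: a shell lint for the relay-client problems reported above (wrapper mode on port 587 or missing on 465, opportunistic TLS, the sasl_passwd lookup key, file permissions, a stale sasl_passwd.db). The host smtp.example.com, the finding names and the functions cf_get, lint_relay and demo are constructed for illustration; GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Sample files are constructed; GNU stat is assumed.
# Per-destination overrides in smtp_tls_policy_maps are not evaluated.

# cf_get FILE KEY: last uncommented value of KEY (the last definition in main.cf wins)
cf_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# lint_relay MAIN_CF SASL_PASSWD: prints one finding per line, nothing when clean
lint_relay() (
  cf=$1; pw=$2
  relay=$(cf_get "$cf" relayhost)
  port=${relay##*:}
  host=${relay%:*}; host=${host#\[}; host=${host%\]}
  wrap=$(cf_get "$cf" smtp_tls_wrappermode)
  level=$(cf_get "$cf" smtp_tls_security_level)
  # Port 465 is implicit TLS, so Postfix needs wrapper mode there
  if [ "$port" = 465 ] && [ "$wrap" != yes ]; then echo "465-without-wrappermode"; fi
  # Port 587 is plaintext until STARTTLS; wrapper mode sends a TLS hello first,
  # which OpenSSL reports as "wrong version number"
  if [ "$port" = 587 ] && [ "$wrap" = yes ]; then echo "587-with-wrappermode"; fi
  # smtp_use_tls = yes alone is opportunistic: without STARTTLS on offer, mail and
  # the SASL login go out unencrypted
  case "$level" in
    encrypt|dane-only|fingerprint|verify|secure) ;;
    *) echo "tls-not-mandatory" ;;
  esac
  # Credentials are found by relayhost value or server hostname (host part used here)
  awk -v r="$relay" -v h="$host" '$1 == r || $1 == h { ok = 1 } END { exit !ok }' "$pw" \
    || echo "sasl-key-mismatch"
  # The file holds the relay password in cleartext: owner-only, as chmod 600 sets it
  [ "$(stat -c %a "$pw")" = 600 ] || echo "sasl-perms-not-600"
  # postmap must be re-run after each edit, or Postfix keeps using the old .db
  if [ ! -f "$pw.db" ] || [ "$pw" -nt "$pw.db" ]; then echo "sasl-db-stale"; fi
)

# Constructed sample: the port-465 settings moved to port 587, sasl_passwd edited afterwards
demo() (
  d=$(mktemp -d)
  printf '%s\n' '# relayhost =' 'relayhost = [smtp.example.com]:587' \
    'smtp_tls_wrappermode = yes' 'smtp_tls_security_level = encrypt' > "$d/main.cf"
  printf '%s\n' '[smtp.example.com]:465 user@example.com:PASSWD' > "$d/sasl_passwd"
  chmod 644 "$d/sasl_passwd"
  touch -t 202401010000 "$d/sasl_passwd.db"; touch -t 202401020000 "$d/sasl_passwd"
  lint_relay "$d/main.cf" "$d/sasl_passwd"
  rm -rf "$d"
)
demo
```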
 
I was a happy user of this tutorial. I recently discovered that with Proxmox 8.1 a new notification system has been implemented, which supports configuring an SMTP endpoint to send emails (rather than having to configure postfix to relay via a preferred SMTP endpoint).

So here's my journey in migrating to this new notification system.

First, "undo" what was done by this tutorial:
I was able to undo the changes in main.cf (in my case, I just restored the default main.cf provided with proxmox), and remove the sasl_passwd (and sasl_passwd.db) file, and restart the postfix service.

Then, configure the new notification system to use SMTP: via the GUI -> Datacenter -> Notifications I did the following:
- Add a new notification target of type SMTP. Configure all the parameters much like you had for the postfix relay
- Add a new notification matcher, matching all notifications (or define filters as required), but using the newly created SMTP notification target

A note about backup notifications: it appears that to make the transition smoother to the new notification infrastructure, backup notifications will use the legacy "sendmail" (that is: postfix) if you defined an explicit email address in the Datacenter -> Backup entries. So, to switch to the new notification system for backup notifications, you have to edit each of your backup jobs and:
- either make the "send email to" field blank (that's what I did -- I assume the Send email field has no effect since the new matcher is used)
- or select "Notification System" in the "Notification mode" field

Hope this helps!
 
Hi.
I've managed to get my "ve" installation working with alfredo's suggestion and it's sending notification mail.

On my pbs I followed seed's guide because I don't find any settings in the gui.

I keep getting mail with error:
"Undelivered mail returned to sender"
User (from mail) not authorized to send on behalf of (root@hostname).

Any suggestions?
 
It helped a lot! I was about to configure postfix manually, lucky for me I read your reply on the last page :)

I've sent a notification test and it worked via gmail smtp since I installed proxmox at home and I've got a residential IP address blocked by default.

This is how my setup looks like:
(for password, create a new app password here https://myaccount.google.com/u/0/apppasswords)

[Attached screenshot not preserved]
 
Don't forget to change the "Targets-to-notify" to your new SMTP mail address. By default mail-to-root (sendmail) is enabled and this will only work with a subscription. You can find this under Datacenter-Notifications-Notification Matchers, there modify the default-matcher and under the "Targets to notify" tab disable mail-to-root and enable your new mail address.
 
Hello everyone, I'm new. I followed the guide in all respects but I don't receive mail. What can it be?
 
Thanks for the screenshot. I could get it to work via the cli but not the gui. With the cli I used port 587 so naturally I tried the same port in the gui and I just couldn't figure out why it wouldn't work. Finally I noticed the different port number in your screenshot and BAM! it's working. Kudos.
 