Configuring Postfix on AlmaLinux VPS with port 25 outbound blocked

smtp port 25
Configuring an AlmaLinux VPS server to send and receive emails when port 25 outbound is blocked for outgoing traffic and securing the server with Let’s Encrypt certificates can be achieved through the following steps:

Step 1: Set Up an Alternative Port for SMTP (Outgoing)

Since port 25 is blocked for outgoing traffic, you’ll need to use an alternative port for SMTP. Common alternatives are port 587 (submission port) and port 465 (SMTPS). For this guide, we’ll use port 587.

  1. Install Postfix: If you haven’t already, install Postfix on your AlmaLinux server:
   sudo yum install postfix
  1. Edit the Postfix Configuration File: Open the main configuration file for Postfix:
   sudo nano /etc/postfix/main.cf
  1. Update the Configuration: Add or update the following lines to configure Postfix to use port 587:
   smtpd_tls_security_level = encrypt
   smtpd_sasl_auth_enable = yes
   smtpd_client_restrictions = permit_sasl_authenticated,reject
   submission inet n - y - - smtpd
  1. Restart Postfix: Apply the changes by restarting Postfix:
   sudo systemctl restart postfix

Step 2: Configure Firewall to Allow Port 587 (Outgoing)

  1. Open Port 587: Use firewalld to open port 587:
   sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
   sudo firewall-cmd --reload

Step 3: Set Up SendPulse for Email Relay (Outgoing)

To send emails via a relay SMTP server using SendPulse, follow these steps:

  1. Sign Up for SendPulse: Create an account on SendPulse and navigate to the SMTP settings.
  2. Copy SMTP Credentials: Obtain your SMTP server address, port, login, and password from SendPulse.
  3. Configure Your Email Client: Use the SMTP credentials to configure your email client or application to send emails through SendPulse.

Step 4: Configure Postfix to Receive Emails (Incoming)

Since port 25 is open for incoming traffic, you can use it to receive emails.

  1. Edit the Postfix Configuration File: Open the main configuration file for Postfix:
   sudo nano /etc/postfix/main.cf
  1. Update the Configuration: Add or update the following lines to configure Postfix to receive emails on port 25:
   myhostname = yourdomain.com
   mydomain = yourdomain.com
   myorigin = $mydomain
   inet_interfaces = all
   mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
  1. Restart Postfix: Apply the changes by restarting Postfix:
   sudo systemctl restart postfix

Step 5: Configure Firewall to Allow Port 25 (Incoming)

  1. Open Port 25: Use firewalld to open port 25 for incoming traffic:
   sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
   sudo firewall-cmd --reload

Step 6: Enable TLS for Encrypted Connections with Let’s Encrypt

To encrypt your email communications, we will use Let’s Encrypt certificates.

  1. Install Certbot: Certbot is a tool that automates the process of obtaining and installing Let’s Encrypt certificates:
   sudo yum install epel-release
   sudo yum install certbot
  1. Obtain a Certificate: Run Certbot to obtain a certificate for your domain:
   sudo certbot certonly --standalone -d yourdomain.com
  1. Configure Postfix to Use Let’s Encrypt Certificates: Open the main configuration file for Postfix:
   sudo nano /etc/postfix/main.cf
  1. Update Postfix Configuration: Add the following lines to enable TLS using Let’s Encrypt certificates:
   smtpd_tls_cert_file = /etc/letsencrypt/live/yourdomain.com/fullchain.pem
   smtpd_tls_key_file = /etc/letsencrypt/live/yourdomain.com/privkey.pem
   smtpd_tls_CAfile = /etc/letsencrypt/live/yourdomain.com/chain.pem
   smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
   smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
   smtpd_tls_security_level = may
   smtp_tls_note_starttls_offer = yes
   smtpd_tls_loglevel = 1
  1. Restart Postfix: Apply the changes by restarting Postfix:
   sudo systemctl restart postfix

Step 7: Enable SASL Authentication

To prevent unauthorized users from sending emails through your server, enable SASL authentication:

  1. Install Cyrus SASL: If not already installed, install Cyrus SASL:
   sudo yum install cyrus-sasl-plain
  1. Edit the Postfix Configuration File: Open the main configuration file for Postfix:
   sudo nano /etc/postfix/main.cf
  1. Update the Configuration: Add the following lines to enable SASL authentication:
   smtpd_sasl_auth_enable = yes
   smtpd_sasl_security_options = noanonymous
   broken_sasl_auth_clients = yes
   smtpd_sasl_local_domain = $myhostname
   smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
  1. Restart Postfix: Apply the changes by restarting Postfix:
   sudo systemctl restart postfix

Step 8: Configure Firewall Rules

Ensure your firewall rules are configured to allow only necessary ports:

  1. Open Required Ports: Use firewalld to allow necessary ports (25 for incoming, 587 for outgoing, 465 if using SMTPS):
   sudo firewall-cmd --zone=public --add-port=25/tcp --permanent
   sudo firewall-cmd --zone=public --add-port=587/tcp --permanent
   sudo firewall-cmd --zone=public --add-port=465/tcp --permanent
   sudo firewall-cmd --reload

Step 9: Configure Spam and Malware Protection

To protect your email server from spam and malware, use tools like SpamAssassin and ClamAV:

  1. Install SpamAssassin and ClamAV:
   sudo yum install spamassassin clamav
  1. Enable and Start SpamAssassin:
   sudo systemctl enable spamassassin
   sudo systemctl start spamassassin
  1. Enable and Start ClamAV:
   sudo systemctl enable clamd@scan
   sudo systemctl start clamd@scan

Step 10: Regularly Update Your System

Keep your system and software up to date to protect against vulnerabilities:

  1. Update System Packages:
   sudo yum update -y

Step 11: Monitor Server Logs

Regularly monitor your server logs to detect and respond to suspicious activity:

  1. Check Mail Logs:
   sudo tail -f /var/log/mail.log

Step 12: Set Up a Cron Job for Certificate Renewal

Let’s Encrypt certificates are valid for 90 days, so you need to set up a cron job to renew them automatically:

  1. Edit the Crontab: Open the crontab file:
   crontab -e
  1. Add a Renewal Command: Add the following line to renew the certificate automatically:
   0 3 * * * /usr/bin/certbot renew --quiet
  1. Save and Exit: Save the crontab file and exit the editor.

By following these steps, you can configure, secure, and use Let’s Encrypt certificates for your AlmaLinux VPS email server, ensuring that your email communications are encrypted and protected.

Want to install a web console to manage Postfix ? Read this article