My notes for spinning up a small Debian Linode server to act as an SMTP relay for my home network. (Note: you will have to engage with Linode support to enable mail ports for new accounts.)
Relay server configuration
Install postfix
sudo apt install postfix
Modify main.cf
sudo vim /etc/postfix/main.cf
Under TLS parameters, set the outbound TLS security level so that mail is sent over TLS whenever the receiving server supports it:
smtp_tls_security_level = may
I decided not to open up Postfix to the internet; instead, my relay has a WireGuard tunnel and Postfix is allowed to relay only from that VPN subnet.
Add your subnets and relay restrictions further down:
mynetworks = 127.0.0.0/8 <YOUR_SERVER_SUBNET>
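# check_relay_domains is obsolete (removed in Postfix 3.9); reject_unauth_destination replaces it
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination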
relay_domains = <MY_DOMAIN_NAME>
myhostname = <RELAYSERVER_HOSTNAME>
inet_interfaces = 127.0.0.1, <IP_OF_WIREGUARD_VPN_INTERFACE>
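A quick way to confirm the relay settings above stay locked down, as an added example that is not part of the original notes: this Python script parses main.cf text and reports any listener or trusted network outside loopback and the VPN subnet, a missing unauthorized-destination rule, or disabled outbound TLS. The 10.8.0.0/24 subnet, the sample configs and the function names are assumptions made for illustration.

```python
import ipaddress
import re

def parse_main_cf(text):
    """Parse main.cf text into a dict; indented lines continue the previous value."""
    params, key = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and key:
            params[key] += " " + line.strip()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            params[key] = value
    return params

def inside(entry, allowed):
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:  # "all", hostnames, table lookups: cannot be proven safe
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def audit_relay(text, vpn_subnet):
    """Return findings for a main.cf; an empty list means every check passed."""
    conf, findings = parse_main_cf(text), []
    allowed = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network(vpn_subnet)]
    values = lambda name, default="": [
        v for v in re.split(r"[,\s]+", conf.get(name, default)) if v]
    for name, default in (("inet_interfaces", "all"), ("mynetworks", "")):
        for entry in values(name, default):
            if not inside(entry, allowed):
                findings.append(f"{name}: {entry} is outside loopback and the VPN subnet")
    restrictions = values("smtpd_relay_restrictions")
    if "check_relay_domains" in restrictions:
        findings.append("smtpd_relay_restrictions: check_relay_domains is obsolete")
    if not {"reject_unauth_destination", "defer_unauth_destination"} & set(restrictions):
        findings.append("smtpd_relay_restrictions: no *_unauth_destination rule")
    if conf.get("smtp_tls_security_level", "") in ("", "none"):
        findings.append("smtp_tls_security_level: outbound TLS is not enabled")
    return findings

# Constructed samples using the placeholder VPN subnet 10.8.0.0/24 (an assumption).
GOOD = """\
smtp_tls_security_level = may
mynetworks = 127.0.0.0/8 10.8.0.0/24
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
inet_interfaces = 127.0.0.1, 10.8.0.1
"""
BAD = GOOD.replace("10.8.0.0/24", "0.0.0.0/0").replace("127.0.0.1, 10.8.0.1", "all")
print(audit_relay(BAD, "10.8.0.0/24"))
```

To audit a live server, pass the output of postconf -n to audit_relay instead of the sample text.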
Zimbra configuration
In the Zimbra admin panel, edit your mail server
Configure / Servers / your_mail_server
MTA section
Add the DNS name and port of the relay system next to “Relay MTA for external deliverability”
If it won’t let you save, saying ::1 is required, you can add ::1 to MTA Trusted networks, however, on my Zimbra server this broke postfix. The symptoms were e-mails hanging and not sending. To fix, log into the Zimbra mail server and run as the zimbra user:
zmprov ms YOUR_MAIL_DOMAIN_NAME zimbraMtaMyNetworks '127.0.0.1 192.168.0.0/16'
(Use the list of networks you had before, but excluding ::1.)
Then, issue postfix reload
That was it. A simple postfix SMTP relay which only accepts mail from my internal VPN (it doesn’t listen on the external interface at all.)
Troubleshooting
Relayed mail shows red unlock icon in Gmail (mail getting sent unencrypted)
Per postfix documentation I needed to enable secure transfer of mail by adding
smtp_tls_security_level = may
to main.cf
Mail does not send after adding ::1 to MTA Trusted Networks
Remove it via the CLI and reload postfix:
zmprov ms YOUR_MAIL_DOMAIN_NAME zimbraMtaMyNetworks '127.0.0.1 192.168.0.0/16'
(Use the list of networks you had before, but excluding ::1.)
postfix reload