If you have scripts or other services that run as root that need to send to outside email addresses, via postfix, without being root@hostname, this is what you need to do:
- sudo vi /etc/postfix/generic
- sudo vi /etc/postfix/main.cf
smtp_generic_maps = hash:/etc/postfix/generic
- sudo postmap /etc/postfix/generic
- sudo systemctl restart postfix
Done! Now root will send as firstname.lastname@example.org instead. Substitute whatever you want for email@example.com
Recently, emails sent from my Postfix mail server to my Gmail account were getting tagged as ‘insecure’. Come to find out, they were no longer sending with TLS. They were defaulting back to open SMTP over port 25. Why? Because Debian’s ca-certificates.crt had updated and that removed the CA needed to make my site’s certificate valid – and I use that same certificate to encrypt my TLS SMTP traffic.
First, to diagnose the problem, I forced TLS in my main.cf and turned on TLS logging with the following settings:
I then restarted Postfix with:
sudo service postfix restart
After restarting, Postfix provides the following error in its logs when attempting to send email:
TLS is required, but our TLS engine is unavailable
Earlier in the log file, it indicates a failure to load the CA file that validates the cert and key files. So, here’s the solution:
- Make sure your cert and CA files are located in /etc/ssl/certs
- Run the following command: sudo update-ca-certificates –fresh
- Then go to your Postfix main.cf and verify the following lines are there (and comment out any conflicting lines):
- Restart the Postfix service again.
- Send an email to an @gmail.com address – you should no longer see the unlocked icon under the sender information.