How to configure Postfix relayhost to send email using an external SMTPS server on port 465

UPDATED for Debian 10

The SMTPS protocol (SMTP over SSL) has been depreciated by the end of 1998 with the introduction of STARTTLS and the IANA has reassigned the SMTPS port 465 for Source-Specific Multicast audio and video. The SMTPS protocol is only in use nowadays for backwards compatibility for mail servers that do not support ESMTP and for cheap shared hosting solution like the one proposed by OVH in France.

The motivation to configure Postfix as a send only client for smtps came about when I switched my NextcloudPi instance to a Odroid HC2 box. I used to generate a report of the server in HTML with deblan-report ( and I wanted to automate this operation and receive the report by mail.

The OVH service required for authentication the use of port 465 to submit an email for delivery.

let’s go:

server debian 10 (Buster)
Postfix version > 3.0
server.smtp.relay = for OVH
FQDN such as
email such as


#sudo -s

note the name for port #465 (smtps) from the details of the reserved ports on your system

#vi /etc/services
submissions for debian 10

verify that TCP port #465 is not listing state on

#netstat -tlpn
check running service by PID

verify firewall filtering

#ping server.smtp.relay

Set FQDN (

#vi /etc/hostname
#here’s where you put the server’s host name

activate hostname

#hostname -F /etc/hostname

#vi /etc/hosts
#heres you put the local Network IP of the server and the domain name
192.168.1.x servername

Set your server description here:

#vi /etc/machine-info
PRETTY_HOSTNAME=“MyServer” “HC2cloud”


#hostname -s

#hostname -d

#hostname - f
show the FQDN to use in the postfix’s configuration file

#hostname -i




is Postfix deamon active ?

#systemctl is-active Postfix

and whitch Posfix version i’am running ?

#postconf -d | grep mail_version

install Postfix, a mail client and pluggable authentication modules

#apt update
#apt install mailutils libsasl2-modules
#dpkg-reconfigure postfix (or #apt install postfix )

<ok> (Esc or Tab)
Internet Site
All default

Configuration files :
configuration in the file as shown:

Replace the myhostname (myhostname = [FQDN]), mydomain (mydomain =, relayhost variables to match your own configuration:

#vi /etc/postfix/

#See /usr/share/postfix/ for a commented, more complete version
#Debian specific: Specifying a file name will cause the first
#line of that file to be used as the name. The Debian default
#is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no
#appending .domain is the MUA’s job.
append_dot_mydomain = no
#Uncomment the next line to generate “delayed mail” warnings
#delay_warning_time = 4h
readme_directory = no
#See – default to 2 on
#fresh installs.
compatibility_level = 2
#TLS parameters
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
#information on enabling SSL in the smtp client.
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname =
myorigin = $mydomain
mydomain =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost
relayhost = [server.smtp.relay]:465
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = loopback-only
inet_protocols = all
fallback_transport = relay

Create an auth file for login on your smtps host relay: (login = name or
such as[server.smtp.relay]:465

#touch /etc/postfix/sasl_passwd
#echo “[server.smtp.relay]:465 login:password” > /etc/postfix/sasl_passwd

Secure your login information :

#chown root:root /etc/postfix/sasl_passwd*
#chmod 600 /etc/postfix/sasl_passwd*

configuration in the file as shown :
Enable port 465 (smtps) in postfix mail server and remplace smtps by the service allocated to port 465 by editing (find and remove # for these parameters).

vi /etc/postfix/

#smtps inet n - y - - smtpd
smtps inet n - - - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_reject_unlisted_recipient=no
#-o smtpd_client_restrictions=$mua_client_restrictions
#-o smtpd_helo_restrictions=$mua_helo_restrictions
#-o smtpd_sender_restrictions=$mua_sender_restrictions
-o smtpd_recipient_restrictions=
#-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING

After all configurations are in place, restart Postfix daemon to apply changes:
to build the necessary DB file

#postmap /etc/postfix/sasl_passwd

to reload configuration

#systemctl restart postfix

and verify if the service is running:

#systemctl status postfix*

verify that TCP port 465 is listing state on

#netstat -tulpn | grep :465

#postfix check

#postconf -n
command in order to dump Postfix configuration file and check eventual errors


#comm -23 <(postconf -n) <(postconf -d)
Replace “-23” with “-12” to show settings that duplicate built-in defaults.


#echo “Test mail from postfix” | mail -s “Test Postfix”


#tail -f /var/log/mail.log or cat /var/log/mail.log
#vi /var/log/mail.err (logging errors only)
#journalctl -u postfix


#postsuper -d ALL “-d ALL” to remove all messages; for example, specify “-d ALL deferred” to delete all mail in the deferred queue.

#postsuper -p Purge old temporary files that are left over after system or software crashes.


bibliography :