Postfix MX MTA Server

This page assumes familiarity with the terminology defined on the main Mail Server Page.

This page assumes you have configured Unbound as a local DNSSEC caching resolver as described on the Unbound Page.

This page assumes you followed the Postfix Common Configuration Topics guidelines.


An MX (Mail eXchange) MTA is an MTA server that specifically listens on TCP Port 25 and accepts SMTP connections from MTA clients with mail to be delivered to a user at a mailbox domain the MX server accepts mail for. It is usually listed in the DNS MX record for the mailbox domain it accepts messages for. In a few cases, when it is running on the same host that the mailbox domain resolves to, there will not be an MX record but that is considered to be very bad practice.

It is strongly recommended that MX servers support TLS 1.2 however it is not required unless the server advertises MTA-STS compliance. To be RFC compliant however, they must accept plain text connections. They are the only type of MTA that must accept plain text connections.

For many organizations, the primary MX server is on the same host as the MDA and also shares the duty of the Submission server. For very high volume systems that is often not the case. Administrators of such high volume systems will not be reading this page, they will have an engineer who designed their system telling them how to administer it.

An SMTP server running Postfix is capable of being an MX server for more than one mailbox domain. Again that is beyond the scope of this document.

It is a really good idea to have a secondary MX server located at a geographically different hosting facility that can accept mail in the event the primary MX server can not be reached. The secondary MX server will act as a proxy to the primary MX server and deliver it to the primary MX server when it becomes available again.

TCP Port 25 and the Linux Firewall

An MX must listen for incoming connections on TCP Port 25.

The default LibreLAMP configuration for Postfix is not listening on the public interfaces. This must be changed or it will not be able to receive mail:

[root@host ~]# postconf -e "inet_interfaces = all"
[root@host ~]# postfix reload

Once you have done that, if you are running the the Linux firewall daemon, poke a hole in it. Assuming you are using the default public zone:

[root@host ~]# firewall-cmd --permanent --zone=public --add-port=25/tcp
[root@host ~]# firewall-cmd --reload

The mydestination and mynetworks_style Parameters