
Postfix Mailtransport via SSH tunnel

Tobi Oetiker, 2010-03-18

The Issue

Every now and then I run into a situation where a site is cut off from its usual internet connection. Often it is quite simple to jury-rig a replacement internet connection, and quite quickly local access is fine again except for some loss in performance.

It gets a bit more complicated if there is a local mail server involved. The replacement internet link will in all likelihood not provide the same static IP as the original link, maybe not even a static IP at all.

Receive mail via SSH tunnel

If you have an off-site secondary mail server, the problem is pretty simple to solve. Create a reverse ssh tunnel from the primary (cut off) mail server to the secondary mail server.

primary$  ssh -f -o ServerAliveInterval=10 -R 12345:localhost:25 secondary sleep 31622400

On the secondary use a transport map to tell it of the new connection to the primary.

secondary# cat <<MAP >/etc/postfix/transport
   smtp:[]:12345
MAP
secondary# postmap /etc/postfix/transport

Make sure the transport map is listed in /etc/postfix/ of the secondary. And while you are at it, make sure mail does not bounce. This might be a good thing on the primary server as well.

transport_maps = hash:/etc/postfix/transport  
soft_bounce = yes

Finally restart postfix, and flush the queue. Beware of mail loops and refusals.

Send via SSH tunnel

Free port 25 access is becoming more and more of a problem, so if your backup link does not allow your mailserver to send mail out, you may want to do the sending via ssh tunnel as well.

primary$  ssh -f -o ServerAliveInterval=10 -L 54321:localhost:25 secondary sleep 31622400

Set up a transport map on the primary mail server, telling it to send all messages to the secondary for delivery.

primary# cat <<MAP >/etc/postfix/transport
   :
*             smtp:[]:54321
MAP
primary# postmap /etc/postfix/transport

Again make sure the transport map and soft bounces are active in the primaries and then restart postfix and flush the queue.
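
A pre-flight check for both setups above, as an added example that is not part of the original post: it confirms that the file named in transport_maps exists, that soft_bounce is on, and that every smtp next hop is a bracketed loopback address on the tunnel port. The sample main.cf and transport map are constructed, and the 127.0.0.1 next hop and the function names are assumptions.

```shell
#!/bin/sh
# Pre-flight lint for a tunnel-based Postfix transport setup. It reads the
# files directly so it runs without Postfix; on a live host
# `postconf -h transport_maps soft_bounce` reports the effective values.

# Print the value of one "name = value" setting from a main.cf-style file.
main_cf_value() {  # $1 = main.cf path, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Check main.cf ($1) and its transport map against the tunnel port ($2).
# Prints one line per problem; the exit status is the number of problems.
check_tunnel_transport() {
    problems=0
    map=$(main_cf_value "$1" transport_maps)
    src=${map#hash:}
    if [ "$(main_cf_value "$1" soft_bounce)" != "yes" ]; then
        echo "soft_bounce is not enabled, failed deliveries will bounce"
        problems=$((problems + 1))
    fi
    if [ -z "$src" ] || [ ! -f "$src" ]; then
        echo "transport_maps source '$src' not found (file name typo?)"
        return $((problems + 1))
    fi
    while read -r pattern nexthop; do
        case $pattern in ''|'#'*) continue ;; esac   # blanks and comments
        case $nexthop in
            "smtp:[127.0.0.1]:$2"|"smtp:[localhost]:$2") ;;  # tunnel endpoint
            smtp:*) # wrong port, non-loopback host, or unbracketed (MX lookup)
                echo "$pattern -> $nexthop is not the tunnel on port $2"
                problems=$((problems + 1)) ;;
        esac
    done < "$src"
    return "$problems"
}

# Constructed sample: catch-all map on the primary, written to a temp dir.
demo() {
    d=$(mktemp -d)
    printf '*\tsmtp:[127.0.0.1]:54321\n' > "$d/transport"
    printf 'transport_maps = hash:%s\nsoft_bounce = yes\n' "$d/transport" > "$d/main.cf"
    check_tunnel_transport "$d/main.cf" 54321 && echo "primary config OK"
    rm -rf "$d"
}
demo
```

On a live server, call it as `check_tunnel_transport /etc/postfix/main.cf 12345` on the secondary (or with 54321 on the primary) before restarting Postfix.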

