Running an SMTP Relay for Home Lab Notifications
Every service in your homelab wants to send you notifications. Proxmox warns about ZFS scrub results. Grafana fires alert emails. Nextcloud sends sharing notifications. Cron jobs report failures. But most of these services don't know how to deliver email on their own — they expect a local SMTP server or relay to handle it.
Without a central SMTP relay, you end up configuring SMTP credentials in every single service. Change your email password? Update it in twenty places. Want to switch from Gmail to Fastmail? Touch every config. And some services — like basic cron jobs — only know how to pipe mail to a local sendmail command.
A local SMTP relay solves this. All your services point to one internal mail server, which handles authentication, TLS, and delivery to your actual email provider. Configure once, use everywhere.

Architecture Overview
The setup is straightforward:
- Your services send mail to localhost:25 or mailrelay.lan:25 (no authentication needed for internal traffic)
- The relay accepts mail from your trusted network
- The relay authenticates with an external SMTP provider (Gmail, Fastmail, Amazon SES, etc.) and forwards the mail
- You receive the notification in your inbox
For services that aren't email-native (you'd rather get a Discord ping than an email), Mailrise sits between your relay and notification platforms, converting SMTP messages into webhooks.
Option 1: msmtp (Simplest)
If you just need a system-wide sendmail replacement on a single machine, msmtp is the lightest option. It's not a server — it's a command-line SMTP client that replaces /usr/sbin/sendmail.
Installation
```bash
# Debian/Ubuntu
sudo apt install msmtp msmtp-mta

# Fedora/RHEL
sudo dnf install msmtp
```
The msmtp-mta package creates a symlink from /usr/sbin/sendmail to msmtp, so cron jobs and other tools that call sendmail will use it automatically.
Configuration
```
# /etc/msmtprc
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log

# Your email provider
account default
host smtp.fastmail.com
port 587
from [email protected]
user [email protected]
password your-app-specific-password
```
Set restrictive permissions since the file contains credentials:
```bash
sudo chmod 600 /etc/msmtprc
```
Testing
```bash
echo "Subject: Test from homelab" | msmtp [email protected]

# Or with a body
printf "Subject: Disk Alert\n\nZFS pool degraded on nas01." | msmtp [email protected]
```
Cron Integration
With msmtp-mta installed, cron automatically uses it. Set the recipient in your crontab:
```
# /etc/crontab or user crontab
[email protected]
0 2 * * * root /usr/local/bin/backup.sh
```
Any cron job that produces output will email it to you.
Option 2: Postfix Relay (Multi-Service)
When multiple machines need to send mail, run Postfix as a network relay that all your servers and containers can use.
Installation
```bash
sudo apt install postfix libsasl2-modules   # Debian/Ubuntu
sudo dnf install postfix cyrus-sasl-plain   # Fedora/RHEL
```
During installation, select "Satellite system", or skip the prompt and configure it manually as shown below.
Configuration
```
# /etc/postfix/main.cf

# Basic identity
myhostname = mail.homelab.lan
mydomain = homelab.lan
myorigin = $mydomain

# Only relay mail — don't accept for local delivery from the network
mydestination = $myhostname, localhost
inet_interfaces = all
mynetworks = 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

# Relay through external SMTP provider
relayhost = [smtp.fastmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Rewrite the sender address (optional — forces all mail to come from one address)
smtp_generic_maps = hash:/etc/postfix/generic

# Size limits
message_size_limit = 10240000
```
SMTP Credentials
```
# /etc/postfix/sasl_passwd
[smtp.fastmail.com]:587 [email protected]:your-app-specific-password
```

```bash
# Generate the hash database and lock down permissions
sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
```
Sender Rewriting
Some SMTP providers reject mail if the "From" address doesn't match your account. Rewrite all senders:
```
# /etc/postfix/generic
[email protected] [email protected]
[email protected] [email protected]
[email protected] [email protected]
@homelab.lan [email protected]
```

```bash
sudo postmap /etc/postfix/generic
sudo systemctl restart postfix
```
Testing
```bash
# Send a test email
echo "Test from Postfix relay" | mail -s "Homelab Test" [email protected]

# Check the mail queue
mailq

# View logs
sudo journalctl -u postfix -f
```
Docker Integration
Point your Docker containers at the Postfix relay. Most services have SMTP settings in their config:
```yaml
# Example: Grafana pointing to the relay
environment:
  GF_SMTP_ENABLED: "true"
  GF_SMTP_HOST: "10.0.0.5:25"
  GF_SMTP_FROM_ADDRESS: "[email protected]"
  GF_SMTP_SKIP_VERIFY: "false"
```
Since the relay is on your trusted network and handles authentication with the external provider, your services don't need SMTP credentials.
Option 3: Mailrise (SMTP to Webhooks)
Mailrise accepts SMTP messages and routes them to notification services via Apprise — including Discord, Slack, Telegram, Pushover, Gotify, and dozens more. It's perfect when a service only supports email notifications but you'd rather get a ping on Discord.
Docker Compose
```yaml
services:
  mailrise:
    image: yoryan/mailrise:latest
    container_name: mailrise
    restart: unless-stopped
    ports:
      - "8025:8025"
    volumes:
      - ./mailrise.conf:/etc/mailrise.conf:ro
```
Configuration
```yaml
# mailrise.conf
configs:
  discord-alerts:
    urls:
      - discord://webhook_id/webhook_token
  slack-ops:
    urls:
      - slack://token_a/token_b/token_c/#ops-channel
  pushover-urgent:
    urls:
      - pover://user_key@app_token
  email-backup:
    urls:
      - mailto://user:[email protected]:587/[email protected]&[email protected]
```
Services send email to addresses like [email protected], and Mailrise routes them to the corresponding notification channel.
Combining with Postfix
You can run Postfix as the primary relay and route specific recipients through Mailrise:
```
# /etc/postfix/transport
[email protected] smtp:[localhost]:8025
[email protected] smtp:[localhost]:8025
* smtp:[smtp.fastmail.com]:587
```

```bash
sudo postmap /etc/postfix/transport
# Add to main.cf:
# transport_maps = hash:/etc/postfix/transport
```
Now [email protected] goes to your email, but [email protected] goes to Discord.
Choosing an External SMTP Provider
| Provider | Free Tier | Cost | Notes |
|---|---|---|---|
| Gmail | 500/day | Free | Requires app-specific password. May flag automated mail as suspicious. |
| Fastmail | None | $5/mo | Reliable, supports app-specific passwords natively. |
| Amazon SES | 3,000/mo (EC2) | $0.10/1,000 | Best for high volume. Requires domain verification. |
| Mailgun | 100/day | $0.80/1,000 | Developer-friendly API. Good deliverability. |
| Brevo (Sendinblue) | 300/day | Free | Generous free tier for homelab use. |
| Resend | 100/day | Free | Modern API, good developer experience. |
For a homelab, the free tier of Brevo or a Gmail app password is usually sufficient. If you already pay for Fastmail or a similar provider, use that.
Monitoring Your Relay
A dead mail relay means silent failures — services break and you never know. Monitor it:
```bash
# Check Postfix queue size (should be near zero)
mailq | tail -1
```

```yaml
# Prometheus: use postfix_exporter
# Alertmanager rule for queue backup:
- alert: PostfixQueueBackup
  expr: postfix_queue_length > 10
  for: 15m
  labels:
    severity: warning
  annotations:
    summary: "Postfix queue has {{ $value }} messages"
```
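An added example, not part of the original article: a Python summary of `postqueue -j` output (the JSON queue listing in Postfix 3.1 and later) that applies the same thresholds as the rule above and reports why mail is stuck. The sample queue entries and the function names are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample of `postqueue -j` output: one JSON object per line.
# Addresses, queue IDs, timestamps and reason text are made up.
SAMPLE = "\n".join(json.dumps(m) for m in [
    {"queue_name": "deferred", "queue_id": "4F1A2B3C4D", "arrival_time": 1700000000,
     "recipients": [{"address": "you@example.com",
                     "delay_reason": "SASL authentication failed"}]},
    {"queue_name": "deferred", "queue_id": "5A6B7C8D9E", "arrival_time": 1700001800,
     "recipients": [{"address": "you@example.com",
                     "delay_reason": "SASL authentication failed"}]},
    {"queue_name": "active", "queue_id": "6C7D8E9F0A", "arrival_time": 1700003590,
     "recipients": [{"address": "you@example.com"}]},
])


def summarize_queue(jsonl, now):
    """Count queued messages, the oldest age in seconds, and delay reasons."""
    queued, oldest, reasons = 0, 0, Counter()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        msg = json.loads(line)
        queued += 1
        oldest = max(oldest, now - msg["arrival_time"])
        for rcpt in msg.get("recipients", []):
            if rcpt.get("delay_reason"):
                reasons[rcpt["delay_reason"]] += 1
    return {"queued": queued, "oldest_seconds": oldest, "reasons": reasons}


def queue_alerts(summary, max_queued=10, max_age=15 * 60):
    """Apply the page's thresholds: more than 10 messages, 15 minutes."""
    alerts = []
    if summary["queued"] > max_queued:
        alerts.append(f"{summary['queued']} messages queued")
    if summary["oldest_seconds"] > max_age:
        top = summary["reasons"].most_common(1)
        why = top[0][0] if top else "no delay reason recorded"
        alerts.append(f"oldest message waiting {summary['oldest_seconds']}s: {why}")
    return alerts


if __name__ == "__main__":
    print(queue_alerts(summarize_queue(SAMPLE, now=1700003600)))
```

On the relay host, pass the output of `postqueue -j` and the current Unix time to `summarize_queue` instead of the sample.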
Test your relay regularly. A cron job that sends a daily test email through the relay gives you confidence it's working:
```bash
#!/bin/bash
# /etc/cron.daily/test-mail-relay
echo "Mail relay heartbeat: $(date)" | mail -s "Homelab Mail Relay OK" [email protected]
```
Security Considerations
- Restrict relay access: Only accept mail from your trusted network (the mynetworks setting in Postfix). An open relay will be abused for spam within hours.
- Use app-specific passwords: Never use your main email password. Generate a dedicated app password for the relay.
- TLS is mandatory: Always use smtp_tls_security_level = encrypt to ensure credentials are never sent in plaintext.
- Rate limiting: Most providers have sending limits. If you're triggering hundreds of alerts, you'll get throttled or banned. Use Mailrise to route high-volume alerts to Discord or Slack instead.
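An added example (not from the original article or from the Postfix project): a Python check that reads main.cf text and flags mynetworks entries outside loopback and private ranges, and a smtp_tls_security_level that does not enforce TLS toward the relayhost. The function names, the IPv6 ranges and the WEAK sample are assumptions made for illustration.

```python
import ipaddress

# Loopback and private ranges: the page's IPv4 mynetworks, plus IPv6
# equivalents that are an assumption added for this example.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]
# smtp_tls_security_level values that refuse to deliver without TLS.
TLS_ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf text into a dict, joining indented continuation lines."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:  # continuation of the previous value
            params[last] += " " + raw.strip()
        elif "=" in raw:
            last, value = (part.strip() for part in raw.split("=", 1))
            params[last] = value
    return params

def audit_relay(text):
    """Return findings for the trust and TLS settings of a relay main.cf."""
    cfg, findings = parse_main_cf(text), []
    for entry in cfg.get("mynetworks", "").replace(",", " ").split():
        literal = entry.replace("[", "").replace("]", "")  # [::1]/128 form
        try:
            net = ipaddress.ip_network(literal, strict=False)
        except ValueError:  # file path, type:table lookup or exclusion
            findings.append(f"mynetworks: review '{entry}' by hand")
            continue
        if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
            findings.append(f"mynetworks: {entry} reaches beyond private ranges")
    level = cfg.get("smtp_tls_security_level", "")
    if cfg.get("relayhost") and level not in TLS_ENFORCING:
        findings.append(f"smtp_tls_security_level '{level}' does not enforce TLS")
    return findings

# Constructed sample: the page's settings with two deliberate weaknesses.
WEAK = """
mynetworks = 127.0.0.0/8, 192.168.0.0/16,
    0.0.0.0/0
relayhost = [smtp.fastmail.com]:587
smtp_tls_security_level = may
"""

if __name__ == "__main__":
    print("\n".join(audit_relay(WEAK)))
```

Run it against the real file with `audit_relay(open("/etc/postfix/main.cf").read())`; an empty list means neither check fired.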
A working SMTP relay is one of those foundational pieces that makes everything else in your homelab better. Set it up once, point all your services at it, and stop wondering whether you missed an alert because the notification never made it out.