macOS Postfix Relay
macOS ships with Postfix, a battle-tested mail transfer agent, pre-installed but disabled by default. You can configure Postfix as a smart-host relay: Xenocept (and any other app on your Mac) hands a message to Postfix on localhost, Postfix authenticates against your real email provider, and delivers it.
This is useful when:
- You want a single SMTP endpoint to point all apps at, regardless of which real provider relays the mail.
- You want to keep your email-provider app password out of every application’s config (Postfix is the only thing that knows it).
- Your real provider is being awkward about direct SMTP from an app and you’d rather authenticate from a tool like Postfix that’s been around forever.
Heads Up
You’ll be editing system config files in /etc/postfix/ and using sudo. You don’t strictly need to be a sysadmin to do this, but if sudo, vi, and editing config files aren’t comfortable territory, the per-provider guides in this section are the easier path.
1. Pick a Relay Provider
Postfix doesn’t send mail directly to recipients — it hands off to an upstream SMTP server (a “smart host”). Any of the providers in this section works. The most common choices:
| Provider | Host & port | See |
|---|---|---|
| Gmail | smtp.gmail.com:587 | Gmail for App Password setup |
| iCloud | smtp.mail.me.com:587 | iCloud for App-Specific Password setup |
| Fastmail | smtp.fastmail.com:465 | Fastmail |
| Outlook.com | smtp-mail.outlook.com:587 | Microsoft |
Get an app password from your provider following its guide. You’ll plug that password into Postfix in step 3.
2. Edit /etc/postfix/main.cf
Open a Terminal and edit the main Postfix config:
sudo vi /etc/postfix/main.cf
Add (or update) these lines at the bottom — adjust the relay host/port for your provider:
# Use your provider as the smart host.
relayhost = [smtp.gmail.com]:587
# Enable SASL auth and TLS for the outbound relay.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/cert.pem
The square brackets around the hostname tell Postfix not to perform MX lookups — important when relaying through a smart host.
iCloud / Fastmail port 465. If your provider uses implicit-TLS port 465 instead of STARTTLS port 587, set
smtp_tls_wrappermode = yesalongside the other TLS lines.
3. Add the Relay Credentials
Create the password map:
sudo vi /etc/postfix/sasl_passwd
Add one line in this format — replace the values with yours:
[smtp.gmail.com]:587 [email protected]:YOUR-APP-PASSWORD
(Use your provider’s host, port, username, and the app password you generated. Not your regular account password.)
Save and exit. Then build the hash database Postfix uses for lookups:
sudo postmap /etc/postfix/sasl_passwd
You should see a new /etc/postfix/sasl_passwd.db appear.
For safety, tighten the permissions so the password file is only readable by root:
sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
4. (Optional) Rewrite the From Address
Many providers will reject mail whose From address doesn’t match the authenticated user. If your local Mac account is wyatt, mail sent from the Mac defaults to [email protected] — which Gmail/iCloud/etc. will refuse to relay.
Map the local user to your real email address. Edit a generic table:
sudo vi /etc/postfix/generic
Add a line like:
[email protected] [email protected]
(Replace wyatt and your-mac-hostname.local with your real local account / hostname, and the right-hand side with your relay username.)
Build the hash and tell Postfix to use it:
sudo postmap /etc/postfix/generic
Then, back in /etc/postfix/main.cf, add:
smtp_generic_maps = hash:/etc/postfix/generic
5. Start / Reload Postfix
Start the Postfix service:
sudo postfix start
(If it’s already running from a previous setup, use sudo postfix reload to pick up the new config.)
To check Postfix is listening:
sudo lsof -iTCP -sTCP:LISTEN -P | grep master
You should see Postfix’s master daemon listening on port 25 (the local SMTP port).
6. Test From the Command Line
Before pointing Xenocept at the local relay, confirm end-to-end:
echo "Test message body" | mail -s "Postfix test" [email protected]
If everything is wired up, the message arrives in your inbox. If it doesn’t, check Postfix’s queue and logs:
mailq
sudo tail -F /var/log/mail.log
The log makes it pretty clear when authentication fails or TLS is misconfigured.
7. Configure the Email Destination in Xenocept
Open the Xenocept Settings UI → Destinations → New Destination → Email. Fill in:
| Field | Value |
|---|---|
| SMTP Host | 127.0.0.1 |
| SMTP Port | 25 |
| Security | None (or STARTTLS if you’ve configured Postfix to require it locally) |
| Username | leave blank (Postfix accepts local mail without auth on 127.0.0.1 by default) |
| Password | leave blank |
| From | The email address you mapped in step 4 (so the provider accepts the From header) |
| To | Where you want sessions delivered |
Save the destination and submit a test session. Xenocept hands the message to Postfix on localhost; Postfix relays it through your provider; your provider delivers it.
When This Is Worth It
Skip Postfix unless one of these applies:
- You have multiple apps on your Mac that all need to send mail and you’d rather configure provider credentials in one place.
- You want sending centralized so you can change providers without touching every app.
- You’re already comfortable in
/etc/postfix/and want the flexibility.
For the single-app case (“just get Xenocept to email me”), it’s faster and simpler to configure the Email destination directly against your provider. The per-provider guides cover that path.