Setting up postfix in OS X 10.14 (Mojave)

I wrote this post because there are lots of articles that describe how to set up postfix on OS X which recommend strange things, like disabling System Integrity Protection. I’ll show you how it can be achieved easily without any ugly hacks.

Here’s why you may want to use postfix on OS X:

if you are managing an OS X server (like in a build farm) and want to be able to send automated emails
if you use mutt or other mailer like mu4e and want a persistent outgoing mail queue that works offline
to write and debug scripts that use default system mailer

First thing you need to know about postfix in OS X is that it is already set up and running! If you open /System/Library/LaunchDaemons/com.apple.postfix.master.plist in your favorite editor, you can see that it is set up to restart every 60 seconds or so (the -e 60 argument). So it is started, runs for 60 seconds and then exits to be automatically respawned by launchd. This means that you don’t ever need to start or restart it yourself after you edit the configuration.

What confuses many people is that the Apple-flavored postfix doesn’t write logs into the places you expect it to (/var/log). This is because Apple rewrites some unix tools to use their own logging subsystem, and you just need to learn the proper incantation to filter through those logs. Theoretically you could do it with the tool called “Console”, but I didn’t have much luck with it. Instead I was successfully debugging problems with email delivery using this command in the terminal:

log stream --predicate '(process == "smtpd") || (process == "smtp") || (process == "master")' --info

Also, when you get to actually configuring postfix, you absolutely must make sure that your /etc/postfix/main.cf contains at least the following:

mail_owner=_postfix
setgid_group=_postdrop
myhostname=localhost.localdomain
compatibility_level = 2

The mail_owner and setgid_group must be like that because Apple has a bit different security model than regular unix.

The myhostname can be arbitrary, but it must be a fully-qualified domain name (with the domain part).

Without setting compatibility_level to 2 I just failed to make it work.

From here, you can proceed to configure postfix in any way you want.