Postfix as your outbound mailserver with central signature logic — sounds complex but is set up in under 30 minutes.
Concept
Postfix gets a relayhost. Outbound mail is submitted via SMTP to smtp.signaturehub.de:587, where it is authenticated, has the signature injected, and is forwarded. A marker header prevents loops.
Step 1: SASL credentials in /etc/postfix/sasl_passwd
[smtp.signaturehub.de]:587 tenant-abc123:s3cr3tP4ssw0rd!
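Secure the file with chmod 600, then convert it to a hash map with postmap /etc/postfix/sasl_passwd. The resulting sasl_passwd.db contains the same credentials and needs the same protection.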
Step 2: extend main.cf
relayhost = [smtp.signaturehub.de]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login,plain
smtp_tls_security_level = encrypt
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
Plesk specifics
Plesk manages parts of the Postfix configuration itself, so set the relay under Tools & Settings → Mail Server Settings → Mail relay: enter the smart host and enable SMTP AUTH. For multi-customer Plesk servers, use a separate SignatureHub tenant per customer domain via the reseller programme.
DKIM strategy
- Pass-through (default): SignatureHub modifies the mail and routes it back to your outbound MTA, which applies the DKIM signature.
- Sign-at-hub: SignatureHub signs with your DKIM private key.
- No-DKIM: for internal routes only.
Common pitfalls
- Forgot postmap — Postfix reads only the .db file.
- Permissions — sasl_passwd must be 600.
- Broken SPF — add include:_spf.signaturehub.de to your sender domain's SPF TXT record.
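A preflight for the first two pitfalls, as an added example (not part of the original guide or of SignatureHub's tooling): it checks the mode of sasl_passwd, whether the .db map exists, is private and is current, and that main.cf makes TLS mandatory before SASL credentials are sent. The function names and the script name in the usage comment are hypothetical, and main.cf is read as simple one-line name = value assignments.

```shell
#!/bin/sh
# Added example: preflight for the relay setup. Function names are hypothetical.

# check_sasl_map FILE: returns 0 if FILE is mode 600 and FILE.db is present,
# private and not older than FILE; prints one FAIL line per finding.
check_sasl_map() {
    src=$1; db="$1.db"; rc=0
    [ -f "$src" ] || { echo "FAIL: $src not found"; return 1; }
    mode=$(ls -ld "$src" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "FAIL: $src is $mode, expected -rw------- (chmod 600)"; rc=1
    fi
    if [ ! -f "$db" ]; then
        echo "FAIL: $db missing, run: postmap $src"; rc=1
    else
        # The .db holds the same password, so group/other need no access.
        if [ "$(ls -ld "$db" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $db is accessible to group or other"; rc=1
        fi
        # Source edited after the last postmap: Postfix still uses the old map.
        if [ -n "$(find "$src" -newer "$db")" ]; then
            echo "FAIL: $src is newer than $db, rerun postmap"; rc=1
        fi
    fi
    return $rc
}

# conf_value FILE NAME: last single-line "NAME = value" in FILE (assumption:
# no continuation lines; on a live host `postconf -h NAME` is authoritative).
conf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_relay_conf FILE: login/plain send the password base64-encoded only, so
# TLS must be mandatory. "encrypt" enforces TLS; "verify"/"secure" also
# validate the server certificate.
check_relay_conf() {
    rc=0
    case $(conf_value "$1" smtp_tls_security_level) in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) echo "FAIL: smtp_tls_security_level does not enforce TLS"; rc=1 ;;
    esac
    [ "$(conf_value "$1" smtp_sasl_auth_enable)" = "yes" ] ||
        { echo "FAIL: smtp_sasl_auth_enable is not yes"; rc=1; }
    return $rc
}

# Usage (hypothetical script name): sh preflight.sh /etc/postfix/sasl_passwd /etc/postfix/main.cf
if [ "$#" -eq 2 ]; then
    check_sasl_map "$1"; a=$?
    check_relay_conf "$2"; b=$?
    exit $((a | b))
fi
```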
Verification
Send a test mail to Gmail or mail-tester.com and check the Authentication-Results header of the received message for dkim=pass, spf=pass and dmarc=pass.