Postfix — host system-mail relay to SendGrid
How the bare-metal hosts relay system mail — cron output, pg-maintenance
(VACUUM / pg_repack) reports, logwatch digests, ZED pool alerts, and root
mail — out through SendGrid. This is not application mail: the Rails app
sends directly to smtp.sendgrid.net; this relay carries only host/OS mail.
Provisioned automatically — don’t hand-configure it
Section titled “Provisioned automatically — don’t hand-configure it”Postfix is set up by
infra/terraform/files/provision-host.sh,
applied at boot by cloud-init and re-applied idempotently by the
heatwave-host-config Terraform workspace (the TFC agent SSHes in and re-runs
the script). There is no manual satellite-relay wizard to click through — change
the variable and re-run the host-config apply.
It installs postfix mailutils libsasl2-modules logwatch, configures postfix as
a send-only satellite of [smtp.sendgrid.net]:587 (overridable via
SMTP_RELAYHOST), and aliases root → sysadmin@warmlyyours.com.
What it configures
Section titled “What it configures”# postconf -e … (set programmatically, not by editing main.cf by hand)relayhost = [smtp.sendgrid.net]:587smtp_tls_security_level = encryptsmtp_sasl_auth_enable = yessmtp_sasl_password_maps = static:apikey:<SendGrid send-only API key from 1Password>smtp_sasl_security_options = noanonymoussmtp_sasl_tls_security_options = noanonymousheader_size_limit = 4096000The API key is passed to provision-host.sh as SENDGRID_API_KEY (never
committed); root mail routing is /etc/aliases → newaliases.
Critical gotcha — libsasl2-modules
Section titled “Critical gotcha — libsasl2-modules”libsasl2-modules must be installed, or SMTP-client SASL auth to SendGrid
fails with SASL authentication failure: No worthy mechs found and mail stays
deferred in the queue. Minimal Ubuntu images omit it; the Chicago box
(chi-latitude-heatwave-02) hit exactly this on 2026-06-07. provision-host.sh
now installs it, but if you ever see deferred system mail, check this first:
apt-get install -y libsasl2-modulessystemctl restart postfix && postqueue -fVerify
Section titled “Verify”echo "test body" | mail -s "test subject" you@warmlyyours.compostqueue -p # empty = delivered; entries = deferred/failedSee also
Section titled “See also”README_CLOUDFLARED.md— the sameprovision-host.sh/ host-config Terraform path provisions the tunnel and the other host services (pg-maintenance,logwatch, ZED).- SendGrid’s postfix guide: https://docs.sendgrid.com/for-developers/sending-email/postfix