This post documents how I set up Postfix 2.6 to relay all of its e-mail to GMail.

I used different sources to assemble what is described next. Worth mentioning are Getting Postfix to work on Ubuntu with Gmail, Gmail on Home Linux Box using Postfix and Fetchmail, Postfix Gmail SMTP Relay and finally Postfix TLS Support.

No client-side certificate, please

Some Web sites out there insist on creating client-side certificates for Postfix when relaying mail to GMail. That is incorrect. Client-side certificates are not required when relaying mail to GMail. At the moment, GMail only supports user and password authentication, so supplying client-side certificates during the authentication phase is likely to confuse the GMail SMTP servers and/or create problems.

Postfix main.cf main configuration file

The following configuration directives have to be added to Postfix’s pristine main.cf configuration file. I added them at the end of the file:

# The e-mail sent will use this hostname as the e-mail origin.
myhostname = my.dynamicdns.domain.name
myorigin = $myhostname

# Relay all e-mail via GMail.
relayhost = [smtp.gmail.com]:587

# SASL authentication
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# TLS
# Comments must sit on their own line: Postfix does not strip text after a value.
smtp_tls_eccert_file =
smtp_tls_eckey_file =
# http://www.postfix.org/TLS_README.html#client_tls_may
smtp_tls_security_level = may
# Trusted root CAs
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
# http://www.postfix.org/TLS_README.html#client_tls_may
smtpd_tls_security_level = may
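
Postfix treats "#" as a comment only when it is the first non-blank character of a line, and at the "may" level TLS is opportunistic, so the SASL login is not tied to an encrypted session. The following lint for both conditions is an added example, not part of the original post; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a Postfix main.cf for trailing comments and for SASL
# relay credentials that are not tied to mandatory TLS.

# Constructed sample with trailing comments after two values.
sample_main_cf() {
    cat <<'EOF'
# Relay all e-mail via GMail.
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable=yes
smtp_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may
smtp_tls_CAfile = /etc/postfix/cacert.pem # Trusted root CAs
EOF
}

# lint_main_cf FILE: print one finding per line, return 1 if any were found.
lint_main_cf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^[ \t]*(#|$)/ { next }    # Postfix skips these: "#" is first non-blank
    /^[ \t]/ { val[name] = val[name] " " trim($0); next }   # continuation line
    {
        eq = index($0, "=")
        if (eq == 0) next
        name = trim(substr($0, 1, eq - 1))
        val[name] = trim(substr($0, eq + 1))
        if (!(name in at)) order[++n] = name
        at[name] = NR
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (val[k] ~ /(^|[ \t])#/) {
                printf "line %d: %s: text after \"#\" is part of the value\n", at[k], k
                bad = 1
            }
        }
        # Levels that make TLS mandatory for the outgoing SMTP client.
        lvl = val["smtp_tls_security_level"]
        sub(/[ \t]*#.*/, "", lvl)
        if (val["smtp_sasl_auth_enable"] == "yes" && lvl !~ /^(encrypt|fingerprint|verify|secure)$/) {
            printf "smtp_tls_security_level=%s: SASL login can proceed without TLS\n", lvl
            bad = 1
        }
        exit bad + 0
    }' "$1"
}
```

Run it as lint_main_cf /etc/postfix/main.cf after editing; a clean file prints nothing and returns 0.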

Store authentication credentials

GMail MSA/SMTP servers require the sending user to authenticate using their standard GMail user name and password. This authentication data must be stored, properly secured, in the file /etc/postfix/sasl_passwd:

gmail-smtp.l.google.com user.name@gmail.com:password
smtp.gmail.com user.name@gmail.com:password

Make sure the file is properly secured so that only the root user can dump its contents:

# chown root:root /etc/postfix/sasl_passwd
# chmod 600 /etc/postfix/sasl_passwd

Postfix requires the conversion of the plain-text file to a hashed table format. This is achieved by running:

# postmap /etc/postfix/sasl_passwd

This will create a file named /etc/postfix/sasl_passwd.db.
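
The generated sasl_passwd.db holds the same credentials as the plain-text file, so both need the same ownership and mode. The following check is an added example, not part of the original post; the function names are hypothetical, and the optional uid argument exists only so the check can be tried on files not owned by root.

```shell
#!/bin/sh
# Added example: audit the SASL credential files used by smtp_sasl_password_maps.

# check_secret FILE [UID]: succeed only if FILE exists, is owned by UID
# (default 0, root) and grants nothing to group or other.
check_secret() {
    path=$1 want_uid=${2:-0}
    [ -f "$path" ] || { echo "$path: missing"; return 1; }
    # ls -ln prints the mode string in field 1 and the numeric owner in field 3.
    set -- $(ls -ln -- "$path")
    ok=0
    [ "$3" = "$want_uid" ] || { echo "$path: owner uid $3, expected $want_uid"; ok=1; }
    case $1 in
        ????------*) ;;   # no group/other bits set, e.g. -rw-------
        *) echo "$path: mode $1 lets group or other access it"; ok=1 ;;
    esac
    return $ok
}

# audit_sasl_maps [BASE] [UID]: check the plain-text file and its .db table.
audit_sasl_maps() {
    base=${1:-/etc/postfix/sasl_passwd} rc=0
    for f in "$base" "$base.db"; do
        check_secret "$f" "${2:-0}" || rc=1
    done
    return $rc
}
```

Run audit_sasl_maps as root after postmap; it prints one line per problem and returns 1 if either file is missing, has the wrong owner, or is accessible to group or other.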

Populate the list of trusted CA certificates

This is required because, by default, Postfix does not trust any CA out there. cacert.pem is just Postfix’s trusted CA root certificate store. Other software components, like Web browsers, use different stores, but this file is essentially equivalent to those.

GMail SSL/TLS certificates are signed by Thawte. Therefore, in order to get Postfix to be able to authenticate the GMail SMTP server, it is necessary to store Thawte’s root CA certificates somewhere. Otherwise, when Postfix tries to forward a message to smtp.gmail.com, the following errors are logged:

May 10 15:40:07 postfix postfix/smtp[10677]: certificate verification failed
  for smtp.gmail.com[72.14.221.111]:587: untrusted issuer
  /C=ZA
  /ST=Western Cape
  /L=Cape Town
  /O=Thawte Consulting cc
  /OU=Certification Services Division
  /CN=Thawte Premium Server CA
  /emailAddress=premium-server@thawte.com
May 10 15:40:07 postfix postfix/smtp[10677]: warning: SASL authentication failure:
  No worthy mechs found

From an Ubuntu Linux box that had the ssl-cert package installed, I copied the certificates that correspond to Thawte’s CA to the Postfix machine. There, it’s just a matter of concatenating the multiple .pem files into just one file that Postfix will use: /etc/postfix/cacert.pem.

In order to generate cacert.pem from the individual Thawte certificates:

# cat \
  Thawte_Personal_Basic_CA.pem \
  Thawte_Personal_Freemail_CA.pem \
  Thawte_Personal_Premium_CA.pem \
  Thawte_Premium_Server_CA.pem \
  Thawte_Server_CA.pem \
  Thawte_Time_Stamping_CA.pem \
  > /etc/postfix/cacert.pem

Reload Postfix configuration

For example, by sending the SIGHUP signal to Postfix’s master process:

# pkill -1 master
# tail /var/log/maillog
May 10 15:58:42 postfix postfix/master[6921]: reload
  -- version 2.6-20090125, configuration /etc/postfix

Test

You can test by connecting to port 25 of your Postfix machine or, as in my case, by using the mail command:

# mail user.name@gmail.com
Subject: Hola
Este es un mensaje de prueba.
.

Postfix should log some messages to /var/log/maillog that should be equivalent to the following ones:

May 10 15:58:52 postfix postfix/pickup[32213]: 1234567890: uid=0 from=<root>
May 10 15:58:52 postfix postfix/cleanup[12716]: 1234567890:
  message id=<20090510135852.1234567890@my.dynamicdns.domain.name>
May 10 15:58:52 postfix postfix/qmgr[8604]: 1234567890:
  from=<root@my.dynamicdns.domain.name>, size=323, nrcpt=1 (queue active)
May 10 15:58:54 postfix postfix/smtp[32243]: 1234567890:
  to=<user.name@gmail.com>,
  relay=smtp.gmail.com[72.14.221.111]:587,
  delay=3.4,
  delays=1.1/0.21/0.76/1.3,
  dsn=2.0.0,
  status=sent (250 2.0.0 OK 1241963934 l12sm1383617fgb.4)
May 10 15:58:54 postfix postfix/qmgr[8604]: 1234567890: removed

14 Responses to “Have Postfix relay e-mail to GMail”

  1. Hone Says:

    Felipe, thanks for your tip on not needing the client side certificate.

  2. ug Says:

    Excuse me, I would like it if you would answer to my email.
    Will this method let a private mail server send email (through gmail) and have it delivered to the destination even if the destination server uses antispam methods and usually doesn’t accept email from an unknown relay server (my home server)?

  3. Matthew Says:

    Felipe.

    This was a great piece of info. Thanks again for the information.

  4. Jeffrey Hunt Says:

    Thank you very much for this article! I copied your instructions almost verbatim and I succeeded on the first attempt.

    By the way, I’m using debian etch. I found the Thawte .pem files in /etc/ssl/certs.

  5. gyf Says:

    Thanks for the post. Helped me a lot. As a novice postfix user I did not recognise that the comments are not left out during the parsing. Don’t simply cut and paste the code above; do a little massage with the comments at the end of the line.

  6. Wolf83 Says:

    More interestingly, the narration frames the rewind as a question, explicitly asking how she got there and providing an answer through the narrative logic.

  7. Rob Says:

    Really thanks a lot, finally it works after a lot of howtos

  8. Jeff Hall Says:

    A pal encouraged me to look at this page, great post, fascinating read… keep up the good work!

  9. Jeffrey Robbins Says:

    Thanks for taking the time to write this up! Worked like a charm.

    One thing, however, you might want to specify where the CRT files are located, I had to read through the comments to find out where they are. Then on the Ubuntu Karmic server I was configuring this on, the /etc/ssl/certs/*.pem files are just softlinks to the CRT files in /usr/share/ca-certificates/mozilla .

    You didn’t mention that the ca-certificates package must be installed, it is only suggested by the ssl-cert package, so one might not necessarily have it installed ( I didn’t! )

    Nothing major, thanks again!

  10. Great post on relaying Postfix through Gmail « Jeff.Robbins.ws Says:

    [...] http://www.felipe-alfaro.org/blog/2009/05/10/have-postfix-relay-e-mail-to-gmail/ [...]

  11. JC Beasley Says:

    I have my mail server relaying through Gmail but I am still having a problem with the CA certificate. Here is my log, can someone help? I did go through the steps mentioned above but I am still having a certificate problem. Funny thing is that email is being received when I send it.
    postfix/smtp[5775]: certificate verification failed for smtp.gmail.com[74.125.127.109]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

  12. samakv Says:

    This worked wonderfully.

    Note: I’m using Ubuntu Karmic 9.10; with the main.cf part, I got errors. Entering carriage returns before the comments in the TLS part helped. Postfix complained about invalid TLS level, fatal errors. When I made the changes, it worked.

  13. Georges Says:

    I had been trying to set Postfix with Gmail for three days when I found your ‘howto’. THIS was the one to make it all work. Thanks heaps, all the way from Thailand.

  14. Converter Says:

    Nice article, very good.
