Have Postfix relay e-mail to GMail
8 Comments Published by Felipe Alfaro Solana May 10th, 2009 in PostfixThis post documents how I did set up Postfix 2.6 to relay all of its e-mail to GMail.
I used different sources to assemble what is described next. Worth mentioning are Getting Postfix to work on Ubuntu with Gmail, Gmail on Home Linux Box using Postfix and Fetchmail, Postfix Gmail SMTP Relay and finally Postfix TLS Support.
No client-side certificate, please
Some Web sites out there seem to insist on creating client-side certificates for Postfix when dealing with mail relaying to GMal. That is incorrect. Client-side certificates are not required when relaying mail to GMail. At the moment, GMail does only support user and password authentication, so trying to supply client-side certificates during the authentication phase might likely confuse the GMail SMTP servers and/or create problems.
Postfix main.cf main configuration file
The following configuration directives have to be added to a Postfix’s pristine main.cf configuration file. I added them at the end of the file:
# The e-mail sent will use this hostname as the e-mail origin. myhostname = my.dynamicdns.domain.name myorigin = $myhostname # Relay all e-mail via GMail. relayhost = [smtp.gmail.com]:587 # SASL authentication smtp_sasl_auth_enable=yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous # TLS smtp_tls_eccert_file = smtp_tls_eckey_file = smtp_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may smtp_tls_CAfile = /etc/postfix/cacert.pem # Trusted root CAs smtpd_tls_received_header = yes tls_random_source = dev:/dev/urandom smtpd_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may
Store authentication credentials
GMail MSA/SMTP servers require the sending user to authenticate using their standard GMail user name and password. This authentication data must be stored properly secured in the file /etc/postfix/sasl_passwd:
gmail-smtp.l.google.com user.name@gmail.com:password smtp.gmail.com user.name@gmail.com:password
Make sure the file is properly secured so that only the root user can dump its contents:
# chown root:root /etc/postfix/sasl_passwd # chmod 600 /etc/postfix/sasl_passwrd
Postfix requires the conversion of the plain-text file to a hashed table format. This is achieved by running:
# postmap /etc/postfix/sasl_passwd
This will create a filed named /etc/postfix/sasl_passwd.db.
Populate the list of trusted CA certificates
This is required because, by default, Postfix does not trust any CA out there. cacert.pem is just Postfix’s trusted CA root certificate store. Other software components, like Web browsers, use different stores, but this file is essentially equivalent to those.
GMail SSL/TLS certificates are signed by Thawte. Therefore, in order to get Postfix to be able to authenticate the GMail SMTP server, it is necessary to store Thawte’s root CA certificates somewhere. Else, when Postfix tries to foward a message to smtp.gmail.com the following errors are logged:
May 10 15:40:07 postfix postfix/smtp[10677]: certificate verification failed for smtp.gmail.com[72.14.221.111]:587: untrusted issuer /C=ZA /ST=Western Cape /L=Cape Town /O=Thawte Consulting cc /OU=Certification Services Division /CN=Thawte Premium Server CA /emailAddress=premium-server@thawte.com May 10 15:40:07 postfix postfix/smtp[10677]: warning: SASL authentication failure: No worthy mechs found
From a Ubuntu Linux box that had the ssl-cert package installed, I copied the certificates that correspond to Thawte’s CA to the Postfix machine. There, it’s just a matter of concatenating the multiple .pem files into just one file that Postfix will use: /etc/postfix/cacert.pem.
In order to generate cacert.pem from the individual Thawte certificates:
# cat {\
Thawte_Personal_Basic_CA,\
Thawte_Personal_Freemail_CA,\
Thawte_Personal_Premium_CA,\
Thawte_Premium_Server_CA,\
Thawte_Server_CA,\
Thawte_Time_Stamping_CA\
}.pem /etc/postfix/cacert.pem
Reload Postfix configuration
For example, by sending the SIGHUP signal to Postfix’s master process:
# pkill -1 master # tail /var/log/maillog May 10 15:58:42 postfix postfix/master[6921]: reload -- version 2.6-20090125, configuration /etc/postfix
Test
You can test by connecting port 25 of your Postfix machine or, as in my case, use the mail command:
# mail user.name@gmail.com Subject: Hola Este es un mensaje de prueba. .
Postfix should log some messages to /var/log/maillog that should be equivalent to the following ones:
May 10 15:58:52 postfix postfix/pickup[32213]: 1234567890: uid=0 from=<root> May 10 15:58:52 postfix postfix/cleanup[12716]: 1234567890: message id=<20090510135852.1234567890@my.dynamicdns.domain.name> May 10 15:58:52 postfix postfix/qmgr[8604]: 1234567890: from=<root@my.dynamicdns.domain.name>, size=323, nrcpt=1 (queue active) May 10 15:58:54 postfix postfix/smtp[32243]: 1234567890: to=<user.name@gmail.com>, relay=smtp.gmail.com[72.14.221.111]:587, delay=3.4, delays=1.1/0.21/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1241963934 l12sm1383617fgb.4) May 10 15:58:54 postfix postfix/qmgr[8604]: 1234567890: removed
Felipe, thanks for your tip on not needing the client side certificate.
excuse me, i like if you will answer to my email
this method will let a private mail server to send email (through gmail) and let them sent to destination also if the destination server usually use the antispam method and usually don’t accept email from unknown relay server (my home server)?
Felipe.
This was a great piece of info. Thanks again for the information.
Thank you very much for this article! I copied your instructions almost verbatim and I succeeded on the first attempt.
By the way, I’m using debian etch. I found the Thawte .pem files in /etc/ssl/certs.
Thanks for the post. Helped me a lot. As a novice postfix user I did not recognised that the comments are not left out during the parsing. Dont simple just cut and paste the code above, do a little massage with the comments at the end of the line.
More interestingly, the narration frames the rewind as a question, explicitly asking how she got there and providing an answer through the narrative logic. ,
Really thanks a lot, finally it works after a lot of howtos
A pal encoraged me to look at this page, great post, fascinating read… keep up the good work!