Have Postfix relay e-mail to GMail
May 10th, 2009
This post documents how I did set up Postfix 2.6 to relay all of its e-mail to GMail.
I used different sources to assemble what is described next. Worth mentioning are Getting Postfix to work on Ubuntu with Gmail, Gmail on Home Linux Box using Postfix and Fetchmail, Postfix Gmail SMTP Relay and finally Postfix TLS Support.
No client-side certificate, please
Some Web sites out there seem to insist on creating client-side certificates for Postfix when dealing with mail relaying to GMal. That is incorrect. Client-side certificates are not required when relaying mail to GMail. At the moment, GMail does only support user and password authentication, so trying to supply client-side certificates during the authentication phase might likely confuse the GMail SMTP servers and/or create problems.
Postfix main.cf main configuration file
The following configuration directives have to be added to a Postfix’s pristine main.cf configuration file. I added them at the end of the file:
# The e-mail sent will use this hostname as the e-mail origin. myhostname = my.dynamicdns.domain.name myorigin = $myhostname # Relay all e-mail via GMail. relayhost = [smtp.gmail.com]:587 # SASL authentication smtp_sasl_auth_enable=yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtp_sasl_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous # TLS smtp_tls_eccert_file = smtp_tls_eckey_file = smtp_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may smtp_tls_CAfile = /etc/postfix/cacert.pem # Trusted root CAs smtpd_tls_received_header = yes tls_random_source = dev:/dev/urandom smtpd_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may
Store authentication credentials
GMail MSA/SMTP servers require the sending user to authenticate using their standard GMail user name and password. This authentication data must be stored properly secured in the file /etc/postfix/sasl_passwd:
gmail-smtp.l.google.com user.name@gmail.com:password smtp.gmail.com user.name@gmail.com:password
Make sure the file is properly secured so that only the root user can dump its contents:
# chown root:root /etc/postfix/sasl_passwd # chmod 600 /etc/postfix/sasl_passwrd
Postfix requires the conversion of the plain-text file to a hashed table format. This is achieved by running:
# postmap /etc/postfix/sasl_passwd
This will create a filed named /etc/postfix/sasl_passwd.db.
Populate the list of trusted CA certificates
This is required because, by default, Postfix does not trust any CA out there. cacert.pem is just Postfix’s trusted CA root certificate store. Other software components, like Web browsers, use different stores, but this file is essentially equivalent to those.
GMail SSL/TLS certificates are signed by Thawte. Therefore, in order to get Postfix to be able to authenticate the GMail SMTP server, it is necessary to store Thawte’s root CA certificates somewhere. Else, when Postfix tries to foward a message to smtp.gmail.com the following errors are logged:
May 10 15:40:07 postfix postfix/smtp[10677]: certificate verification failed for smtp.gmail.com[72.14.221.111]:587: untrusted issuer /C=ZA /ST=Western Cape /L=Cape Town /O=Thawte Consulting cc /OU=Certification Services Division /CN=Thawte Premium Server CA /emailAddress=premium-server@thawte.com May 10 15:40:07 postfix postfix/smtp[10677]: warning: SASL authentication failure: No worthy mechs found
From a Ubuntu Linux box that had the ssl-cert package installed, I copied the certificates that correspond to Thawte’s CA to the Postfix machine. There, it’s just a matter of concatenating the multiple .pem files into just one file that Postfix will use: /etc/postfix/cacert.pem.
In order to generate cacert.pem from the individual Thawte certificates:
# cat {\
Thawte_Personal_Basic_CA,\
Thawte_Personal_Freemail_CA,\
Thawte_Personal_Premium_CA,\
Thawte_Premium_Server_CA,\
Thawte_Server_CA,\
Thawte_Time_Stamping_CA\
}.pem /etc/postfix/cacert.pem
Reload Postfix configuration
For example, by sending the SIGHUP signal to Postfix’s master process:
# pkill -1 master # tail /var/log/maillog May 10 15:58:42 postfix postfix/master[6921]: reload -- version 2.6-20090125, configuration /etc/postfix
Test
You can test by connecting port 25 of your Postfix machine or, as in my case, use the mail command:
# mail user.name@gmail.com Subject: Hola Este es un mensaje de prueba. .
Postfix should log some messages to /var/log/maillog that should be equivalent to the following ones:
May 10 15:58:52 postfix postfix/pickup[32213]: 1234567890: uid=0 from=<root> May 10 15:58:52 postfix postfix/cleanup[12716]: 1234567890: message id=<20090510135852.1234567890@my.dynamicdns.domain.name> May 10 15:58:52 postfix postfix/qmgr[8604]: 1234567890: from=<root@my.dynamicdns.domain.name>, size=323, nrcpt=1 (queue active) May 10 15:58:54 postfix postfix/smtp[32243]: 1234567890: to=<user.name@gmail.com>, relay=smtp.gmail.com[72.14.221.111]:587, delay=3.4, delays=1.1/0.21/0.76/1.3, dsn=2.0.0, status=sent (250 2.0.0 OK 1241963934 l12sm1383617fgb.4) May 10 15:58:54 postfix postfix/qmgr[8604]: 1234567890: removed
May 12th, 2009 at 5:32 AM
Felipe, thanks for your tip on not needing the client side certificate.
May 15th, 2009 at 11:03 PM
excuse me, i like if you will answer to my email
this method will let a private mail server to send email (through gmail) and let them sent to destination also if the destination server usually use the antispam method and usually don’t accept email from unknown relay server (my home server)?
September 25th, 2009 at 10:22 PM
Felipe.
This was a great piece of info. Thanks again for the information.
October 1st, 2009 at 10:33 AM
Thank you very much for this article! I copied your instructions almost verbatim and I succeeded on the first attempt.
By the way, I’m using debian etch. I found the Thawte .pem files in /etc/ssl/certs.
October 9th, 2009 at 7:52 PM
Thanks for the post. Helped me a lot. As a novice postfix user I did not recognised that the comments are not left out during the parsing. Dont simple just cut and paste the code above, do a little massage with the comments at the end of the line.
October 11th, 2009 at 6:55 AM
More interestingly, the narration frames the rewind as a question, explicitly asking how she got there and providing an answer through the narrative logic. ,
October 12th, 2009 at 3:12 AM
Really thanks a lot, finally it works after a lot of howtos
December 18th, 2009 at 8:52 PM
A pal encoraged me to look at this page, great post, fascinating read… keep up the good work!
March 7th, 2010 at 7:22 AM
Thanks for taking the time to write this up! Worked like a charm.
One thing, however, you might want to specify where the CRT files are located, I had to read through the comments to find out where they are. Then on the Ubuntu Karmic server I was configuring this on, the /etc/ssl/certs/*.pem files are just softlinks to the CRT files in /usr/share/ca-certificates/mozilla .
You didn’t mention that the ca-certificates package must be installed, it is only suggested by the ssl-cert package, so one might not necessarily have it installed ( I didn’t! )
Nothing major, thanks again!
March 7th, 2010 at 7:28 AM
[...] http://www.felipe-alfaro.org/blog/2009/05/10/have-postfix-relay-e-mail-to-gmail/ [...]
March 16th, 2010 at 10:04 PM
I have my mail server relaying through Gmail but I am still having problem with CA certificate here is my log can some one help. I did go through the steps mentioned about but I am still have certificate problem. funny thing is that email is being recieved when I send it.
postfix/smtp[5775]: certificate verification failed for smtp.gmail.com[74.125.127.109]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
April 15th, 2010 at 4:17 PM
This worked wonderfully.
Note: I’m using Ubuntu Karmic 9.10, the part of main.cf, I got errors. Tried entering carriage returns before the comments in the TLS part helped. Postfix complained about invalid TLS level, fatal errors. When I made the changes, it worked.
May 27th, 2010 at 1:05 PM
I had been trying to set Postfix with Gmail for three days when I found your ‘howto’. THIS was the one to make it all work. Thanks heaps, all the way from Thailand.
August 13th, 2010 at 3:18 PM
Nice article,very Good.
September 17th, 2010 at 11:04 PM
It is sweet that you wrote about this. I found you on yahoo and I had been searching for info about this. Nice site, thanks for the info.
May 15th, 2011 at 2:24 AM
Bravo!
June 16th, 2011 at 1:08 AM
One other thing is that an online business administration diploma is designed for individuals to be able to easily proceed to bachelor degree education. The 90 credit certification meets the lower bachelor education requirements so when you earn your current associate of arts in BA online, you may have access to the most up-to-date technologies within this field. Several reasons why students need to get their associate degree in business is because they’re interested in this area and want to get the general education necessary in advance of jumping in to a bachelor diploma program. Many thanks for the tips you really provide within your blog.
October 16th, 2011 at 6:14 AM
naturally like your web-site but you have to check the spelling on quite a few of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth nevertheless I’ll certainly come back again.
December 8th, 2011 at 8:49 AM
Great post. I was checking continuously this blog and I’m impressed! Very helpful info particularly the last part
I care for such information much. I was seeking this certain information for a very long time. Thank you and good luck.
December 8th, 2011 at 8:55 PM
I am speechless. This can be a fantastic blog and really partaking too. Nice work! That’s not likely a lot coming from an amateur blogger like me, but it surely’s all I might think after enjoying your posts. Nice grammar and vocabulary. Not like other blogs. You really know what you are speaking about too. A lot that you made me wish to read more. Your blog has change into a stepping stone for me, my fellow blogger. Thanks for the detailed journey. I actually enjoyed the 6 posts that I’ve learned so far.
December 25th, 2011 at 7:16 AM
hey there and thank you for your information – I’ve definitely picked up something new from right here. I did however expertise several technical points using this site, since I experienced to reload the web site lots of times previous to I could get it to load correctly. I had been wondering if your web host is OK? Not that I’m complaining, but slow loading instances times will often affect your placement in google and can damage your high-quality score if advertising and marketing with Adwords. Anyway I am adding this RSS to my e-mail and could look out for much more of your respective exciting content. Ensure that you update this again soon..
December 27th, 2011 at 1:32 PM
Its like you read my mind! You seem to know so much about this, like you wrote the book in it or something. I think that you can do with a few pics to drive the message home a bit, but instead of that, this is magnificent blog. An excellent read. I’ll certainly be back.
January 9th, 2012 at 12:35 PM
Piping is essentially a cross-linked polyethylene tubing. The basic material is subjected to several adapting processes whereby it is optimised for use within plumbing applications. More specifically, during these processes, the material is made more resistant to extreme temperatures, be they hot or cold. They are also made more resistant to deformations which can occur through extreme stress and exposure to acids or alkalines.
January 23rd, 2012 at 7:17 AM
Have you ever ever thought of including up additional movies to your weblog posts to hold the readers extra entertained? I imply I just read via the whole piece of writing of yours and it was very first-class but since I am extra of a visual learner,I discovered that to change into further useful nicely let me know how it seems! I love what you’re at all times up too. Such vivid work and reporting! Continue the great works guys I’ll add it to my blogroll.