This post documents how I did set up Postfix 2.6 to relay all of its e-mail to GMail.

I used different sources to assemble what is described next. Worth mentioning are Getting Postfix to work on Ubuntu with Gmail, Gmail on Home Linux Box using Postfix and Fetchmail, Postfix Gmail SMTP Relay and finally Postfix TLS Support.

No client-side certificate, please

Some Web sites out there seem to insist on creating client-side certificates for Postfix when dealing with mail relaying to GMal. That is incorrect. Client-side certificates are not required when relaying mail to GMail. At the moment, GMail does only support user and password authentication, so trying to supply client-side certificates during the authentication phase might likely confuse the GMail SMTP servers and/or create problems.

Postfix main.cf main configuration file

The following configuration directives have to be added to a Postfix’s pristine main.cf configuration file. I added them at the end of the file:

# The e-mail sent will use this hostname as the e-mail origin.
myhostname = my.dynamicdns.domain.name
myorigin = $myhostname

# Relay all e-mail via GMail.
relayhost = [smtp.gmail.com]:587

# SASL authentication
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# TLS
smtp_tls_eccert_file =
smtp_tls_eckey_file =
smtp_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may
smtp_tls_CAfile = /etc/postfix/cacert.pem # Trusted root CAs
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may

Store authentication credentials

GMail MSA/SMTP servers require the sending user to authenticate using their standard GMail user name and password. This authentication data must be stored properly secured in the file /etc/postfix/sasl_passwd:

gmail-smtp.l.google.com user.name@gmail.com:password
smtp.gmail.com user.name@gmail.com:password

Make sure the file is properly secured so that only the root user can dump its contents:

# chown root:root /etc/postfix/sasl_passwd
# chmod 600 /etc/postfix/sasl_passwrd

Postfix requires the conversion of the plain-text file to a hashed table format. This is achieved by running:

# postmap /etc/postfix/sasl_passwd

This will create a filed named /etc/postfix/sasl_passwd.db.

Populate the list of trusted CA certificates

This is required because, by default, Postfix does not trust any CA out there. cacert.pem is just Postfix’s trusted CA root certificate store. Other software components, like Web browsers, use different stores, but this file is essentially equivalent to those.

GMail SSL/TLS certificates are signed by Thawte. Therefore, in order to get Postfix to be able to authenticate the GMail SMTP server, it is necessary to store Thawte’s root CA certificates somewhere. Else, when Postfix tries to foward a message to smtp.gmail.com the following errors are logged:

May 10 15:40:07 postfix postfix/smtp[10677]: certificate verification failed
  for smtp.gmail.com[72.14.221.111]:587: untrusted issuer
  /C=ZA
  /ST=Western Cape
  /L=Cape Town
  /O=Thawte Consulting cc
  /OU=Certification Services Division
  /CN=Thawte Premium Server CA
  /emailAddress=premium-server@thawte.com
May 10 15:40:07 postfix postfix/smtp[10677]: warning: SASL authentication failure:
  No worthy mechs found

From a Ubuntu Linux box that had the ssl-cert package installed, I copied the certificates that correspond to Thawte’s CA to the Postfix machine. There, it’s just a matter of concatenating the multiple .pem files into just one file that Postfix will use: /etc/postfix/cacert.pem.

In order to generate cacert.pem from the individual Thawte certificates:

# cat {\
  Thawte_Personal_Basic_CA,\
  Thawte_Personal_Freemail_CA,\
  Thawte_Personal_Premium_CA,\
  Thawte_Premium_Server_CA,\
  Thawte_Server_CA,\
  Thawte_Time_Stamping_CA\
}.pem /etc/postfix/cacert.pem

Reload Postfix configuration

For example, by sending the SIGHUP signal to Postfix’s master process:

# pkill -1 master
# tail /var/log/maillog
May 10 15:58:42 postfix postfix/master[6921]: reload
  -- version 2.6-20090125, configuration /etc/postfix

Test

You can test by connecting port 25 of your Postfix machine or, as in my case, use the mail command:

# mail user.name@gmail.com
Subject: Hola
Este es un mensaje de prueba.
.

Postfix should log some messages to /var/log/maillog that should be equivalent to the following ones:

May 10 15:58:52 postfix postfix/pickup[32213]: 1234567890: uid=0 from=<root>
May 10 15:58:52 postfix postfix/cleanup[12716]: 1234567890:
  message id=<20090510135852.1234567890@my.dynamicdns.domain.name>
May 10 15:58:52 postfix postfix/qmgr[8604]: 1234567890:
  from=<root@my.dynamicdns.domain.name>, size=323, nrcpt=1 (queue active)
May 10 15:58:54 postfix postfix/smtp[32243]: 1234567890:
  to=<user.name@gmail.com>,
  relay=smtp.gmail.com[72.14.221.111]:587,
  delay=3.4,
  delays=1.1/0.21/0.76/1.3,
  dsn=2.0.0,
  status=sent (250 2.0.0 OK 1241963934 l12sm1383617fgb.4)
May 10 15:58:54 postfix postfix/qmgr[8604]: 1234567890: removed

8 Comments to “Have Postfix relay e-mail to GMail”  

  1. 1 Hone

    Felipe, thanks for your tip on not needing the client side certificate.

  2. 2 ug

    excuse me, i like if you will answer to my email
    this method will let a private mail server to send email (through gmail) and let them sent to destination also if the destination server usually use the antispam method and usually don’t accept email from unknown relay server (my home server)?

  3. 3 Matthew

    Felipe.

    This was a great piece of info. Thanks again for the information.

  4. 4 Jeffrey Hunt

    Thank you very much for this article! I copied your instructions almost verbatim and I succeeded on the first attempt.

    By the way, I’m using debian etch. I found the Thawte .pem files in /etc/ssl/certs.

  5. 5 gyf

    Thanks for the post. Helped me a lot. As a novice postfix user I did not recognised that the comments are not left out during the parsing. Dont simple just cut and paste the code above, do a little massage with the comments at the end of the line.

  6. 6 Wolf83

    More interestingly, the narration frames the rewind as a question, explicitly asking how she got there and providing an answer through the narrative logic. ,

  7. 7 Rob

    Really thanks a lot, finally it works after a lot of howtos

  8. 8 Jeff Hall

    A pal encoraged me to look at this page, great post, fascinating read… keep up the good work!

Leave a Reply