Oct 29, 2014

How to configure Postfix with Google Apps Gmail

This guide is compatible with Postfix 2.9.6 on Ubuntu 12.04 and Google Apps Gmail as of October 2014.
# uname -a
Linux hostname 2.6.32-openvz-042stab090.5-amd64 #1 SMP Sat Jun 21 10:22:42 MSK 2014 i686 i686 i386 GNU/Linux

# cat /etc/issue
Ubuntu 12.04.5 LTS \n \l

# apt-cache policy postfix
postfix:
  Installed: 2.9.6-1~12.04.2
Only outgoing email is configured; mail is submitted by a trusted service on localhost over plain SMTP. This is the general case for websites that need to send notification emails such as registration confirmations, forgotten-password emails, event notifications, etc.

See General Notes section below for debugging tips.

Install Postfix

  1. Run in shell:
    apt-get install postfix
  2. During installation choose "Satellite system" for "General type of mail configuration" option and keep default values for remaining options

Most basic configuration

  1. Create Google Apps account
  2. Open Google Apps Admin console
  3. Go to Google Apps > Gmail > Advanced settings
  4. Scroll down to "SMTP relay service" and click "Configure"
  5. Type description for SMTP relay service
  6. In "Allowed Senders" select "Any addresses (not recommended)"
  7. In "Authentication" check "Only accept mail from the specified IP addresses" and add IP address of your Postfix host
  8. Click "Add setting"
  9. Click "Save Changes"
  10. Add this line to /etc/postfix/main.cf at Postfix host:
    relayhost = smtp-relay.gmail.com:25
  11. Restart (or reload) Postfix:
    service postfix restart
  12. Send test email from Postfix host:
    echo "Test mail from postfix" | mail -s "Test Postfix" myuser@gmail.com -- -f test@mydomain.com

Notes

  1. You can only send email from users of your domain, see test@mydomain.com in the last step. If you change the FROM address to something like test@test.com, your email will be rejected by the Google SMTP relay service and not delivered to the recipient. Sample message in /var/log/mail.log:
    < smtp-relay.gmail.com[64.233.161.28]:25: 550 5.7.0 Mail relay denied [x.x.x.x]. - gsmtp
  2. Email will also be rejected if an empty (<>) FROM address is supplied
  3. Note that the test user does not exist in your Google Apps account; at this stage the relay only checks the sender domain and the client IP address
  4. If you add smtp_helo_name = mydomain.com to /etc/postfix/main.cf you may send FROM user@anydomain.com (such emails go to Spam in GMail) and FROM empty <> (such emails go to the Updates tab in GMail).

Enable TLS

TLS will encrypt TCP traffic between your Postfix host and Google SMTP relay service (smtp-relay.gmail.com).
  1. Go to Google Apps > Gmail > Advanced settings
  2. Scroll down to "SMTP relay service" and click "Edit"
  3. Check "Require TLS encryption"
  4. Click "Save" and "Save changes"
  5. Add to /etc/postfix/main.cf at Postfix host (smtp_tls_security_level = secure makes Postfix verify the server certificate against the CA file and match its name to the relayhost; mail stays queued if verification fails):
    relayhost = smtp-relay.gmail.com:587
    smtp_use_tls = yes
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_security_level = secure
    smtp_tls_mandatory_protocols = TLSv1
    smtp_tls_mandatory_ciphers = high
    smtp_tls_secure_cert_match = nexthop
    
  6. Restart (or reload) Postfix:
    service postfix restart
  7. Send test email from Postfix host:
    echo "Test mail from postfix" | mail -s "Test Postfix" myuser@gmail.com -- -f test@mydomain.com

Notes

  1. Before this configuration you can see unencrypted SMTP traffic between your Postfix host and Google SMTP relay service with
    tcpdump -vv -x -X -i your_interface_ethX 'port 25'
  2. After this configuration you can see that SMTP traffic between your Postfix host and Google SMTP relay service is encrypted with
    tcpdump -vv -x -X -i your_interface_ethX 'port 587'
  3. If you do not configure TLS on Postfix then Google SMTP relay service will reject your email with
    < smtp-relay.gmail.com[64.233.161.28]:587: 550 5.7.1 Invalid credentials for relay [x.x.x.x]. - gsmtp
  4. smtp_tls_CAfile parameter points to a file with root CA certificates; the path may be different for your operating system (/etc/ssl/certs/ca-certificates.crt is for Ubuntu 12.04). See also smtp_tls_CApath. Without a usable CA file the "secure" level cannot verify the server certificate and no mail will be delivered.
  5. Consider this configuration snippet for educational purposes only. Note that listing a single protocol name in smtp_tls_mandatory_protocols (TLSv1 above) allows only TLS 1.0; the Postfix documentation recommends excluding old protocols (!SSLv2, !SSLv3) instead so that newer TLS versions stay available. Please refer to http://www.postfix.org/TLS_README.html and http://www.postfix.org/postconf.5.html#smtp_tls_security_level for production-ready security and encryption tuning.

Restrict allowed senders

  1. Create Google Apps user in your account with username "no-reply"
  2. Go to Google Apps > Gmail > Advanced settings
  3. Scroll down to "SMTP relay service" and click "Edit"
  4. In "Allowed Senders" select "Only registered Apps users in my domain"
  5. Click "Save" and "Save changes"

Notes

  1. Now you may send emails only FROM no-reply@mydomain.com or other registered user, otherwise
    < smtp-relay.gmail.com[64.233.161.28]:587: 550 5.7.1 Invalid credentials for relay [x.x.x.x]. - gsmtp
    
  2. On its own this adds little security: the relay still decides only on the envelope sender address, which any process that can submit mail to Postfix from your allowed IP address may set as it likes. Enable SASL (next section) as well.

Enable SASL

SASL adds password-based authentication: Postfix logs in to the Google SMTP relay service (smtp-relay.gmail.com) as a Google Apps user of your domain before sending.
  1. Go to Google Apps > Gmail > Advanced settings
  2. Scroll down to "SMTP relay service" and click "Edit"
  3. Check "Require SMTP Authentication"
  4. Click "Save" and "Save changes"
  5. Install SASL library modules (this is the key point on Ubuntu 12.04; without them you will get "SASL authentication failure: No worthy mechs found" and "SASL authentication failed; cannot authenticate to server smtp-relay.gmail.com[64.233.161.28]: no mechanism available" in /var/log/mail.log):
    apt-get install libsasl2-modules
  6. Add to /etc/postfix/main.cf at Postfix host (noplaintext in smtp_sasl_security_options keeps the PLAIN/LOGIN mechanisms off unless the session is TLS-protected, where smtp_sasl_tls_security_options applies instead):
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous, noplaintext
    smtp_sasl_tls_security_options = noanonymous
    
  7. Create /etc/postfix/sasl_passwd at Postfix host (replace PASSWORD with the password of your no-reply user; the user name is the full email address):
    smtp-relay.gmail.com:587 no-reply@mydomain.com:PASSWORD
  8. Change sasl_passwd permissions:
    chmod 400 /etc/postfix/sasl_passwd
  9. Generate /etc/postfix/sasl_passwd.db:
    postmap /etc/postfix/sasl_passwd
  10. Restart (or reload) Postfix:
    service postfix restart
  11. Send test email from Postfix host:
    echo "Test mail from postfix" | mail -s "Test Postfix" myuser@gmail.com -- -f test@mydomain.com

Notes

  1. Note that the host specification "smtp-relay.gmail.com:587" in /etc/postfix/sasl_passwd should be exactly equal to the value of the "relayhost" parameter in /etc/postfix/main.cf, otherwise Postfix will not find a match (if you use square brackets [] around the SMTP hostname, then use them in both files)
  2. Both /etc/postfix/sasl_passwd and the sasl_passwd.db that postmap generates hold the password in clear. Keep them owned by root and readable by root only; postmap creates the .db with your current umask, so restrict it the same way as the source file. The Postfix SMTP client opens the map as root before dropping privileges, so it can still read it.
  3. You may find more information on SASL configuration here: http://www.postfix.org/SASL_README.html
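As an added example (not code from the original post), the following script checks a main.cf and its sasl_passwd for the settings used in the Enable TLS and Enable SASL sections and for the relayhost/map-key mismatch described in Note 1, using only sh and awk so it can run before Postfix is restarted. It assumes POSIX sh, that the two file paths are given as arguments, and that the last occurrence of a parameter wins (as in Postfix); it does not check file ownership, which should be root.

```shell
#!/bin/sh
# relay_check.sh: added example, not code from the original post.
# Checks the "Enable TLS" and "Enable SASL" settings in a Postfix main.cf and
# the matching sasl_passwd file without needing Postfix installed, so it can
# run before "service postfix restart". Assumptions: POSIX sh + awk, the two
# file paths are passed as arguments, the last occurrence of a parameter wins
# (as Postfix does). File ownership (should be root) is not checked.

# pf_get FILE PARAM: print the effective value of PARAM in FILE ("" if unset).
# Skips comments, handles "key = value" and indented continuation lines.
pf_get() {
    awk -v p="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]/ { if (key == p) val = val " " $0; next }
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1); gsub(/[[:space:]]/, "", key)
            v = substr($0, i + 1);      gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (key == p) val = v
        }
        END { gsub(/[[:space:]]+/, " ", val); print val }
    ' "$1"
}

# check_relay_config MAIN_CF SASL_PASSWD: print one line per finding and
# return the number of findings (0 means the files match the guide).
check_relay_config() {
    main=$1; sasl=$2; n=0
    relay=$(pf_get "$main" relayhost)
    level=$(pf_get "$main" smtp_tls_security_level)
    cafile=$(pf_get "$main" smtp_tls_CAfile)
    capath=$(pf_get "$main" smtp_tls_CApath)
    sasl_on=$(pf_get "$main" smtp_sasl_auth_enable)
    opts=$(pf_get "$main" smtp_sasl_security_options)

    # TLS: submission port plus certificate verification, otherwise the
    # relay (and the SASL password) is exposed to an active attacker.
    case "$relay" in
        *smtp-relay.gmail.com*:587) ;;
        *) echo "relayhost='$relay': expected smtp-relay.gmail.com:587"; n=$((n + 1)) ;;
    esac
    case "$level" in
        secure|verify) ;;
        *) echo "smtp_tls_security_level='$level': use secure (or verify); may/encrypt never check the server certificate"; n=$((n + 1)) ;;
    esac
    if [ -z "$cafile" ] && [ -z "$capath" ]; then
        echo "no smtp_tls_CAfile or smtp_tls_CApath: certificate verification cannot succeed"; n=$((n + 1))
    elif [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "smtp_tls_CAfile='$cafile' is not readable on this host"; n=$((n + 1))
    fi

    # SASL: PLAIN/LOGIN send the password as-is, so allow them only inside TLS
    if [ "$sasl_on" = yes ]; then
        case "$opts" in
            *noplaintext*) ;;
            *) echo "smtp_sasl_security_options='$opts': add noplaintext so PLAIN/LOGIN are only offered under TLS"; n=$((n + 1)) ;;
        esac
        if [ ! -f "$sasl" ]; then
            echo "$sasl: missing"; n=$((n + 1))
        else
            # Note 1 of the SASL section: the map key must equal relayhost exactly
            key=$(grep -v '^[[:space:]]*#' "$sasl" | awk 'NF { print $1; exit }')
            [ "$key" = "$relay" ] || { echo "$sasl: key '$key' does not match relayhost '$relay'"; n=$((n + 1)); }
            # Both the source file and the postmap .db hold a cleartext password
            for f in "$sasl" "$sasl.db"; do
                [ -e "$f" ] || continue
                [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || { echo "$f: readable by group/other, chmod 600 it"; n=$((n + 1)); }
            done
        fi
    fi
    return $n
}

# Usage: sh relay_check.sh /etc/postfix/main.cf /etc/postfix/sasl_passwd
if [ $# -eq 2 ]; then
    check_relay_config "$1" "$2"
fi
```

The exit status is the number of findings, so the script can gate a deployment step; a clean run prints nothing. The key comparison is deliberately byte-for-byte, since Postfix looks the map up with the literal relayhost string, brackets included.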

General Notes

  1. Original Google instruction can be found here: Google Apps Admin console > Help (a question mark in the upper right corner) > SMTP relay service setting
  2. Blog posts I used http://mhawthorne.net/posts/postfix-configuring-gmail-as-relay.html and https://rtcamp.com/tutorials/linux/ubuntu-postfix-gmail-smtp/
  3. Postfix logs can be found in /var/log/mail.log
  4. Put these lines in /etc/postfix/main.cf for more verbose logging (remove them again afterwards, level 3 is very chatty):
    debug_peer_list=smtp-relay.gmail.com
    debug_peer_level=3
    
  5. Older guides refer to smtp.gmail.com instead of smtp-relay.gmail.com, which would also work, but Google appears to be moving to smtp-relay.gmail.com
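As an added example (not from the original post), here is a small triage pass over /var/log/mail.log that maps the Postfix and Google error strings quoted in the Notes of this guide to the section that fixes them. It assumes only POSIX sh and awk; the sample lines written by write_sample_log are constructed to look like Postfix 2.9 syslog output and were not taken from a real host.

```shell
#!/bin/sh
# mail_log_triage.sh: added example, not code from the original post.
# Summarises the Google relay replies and Postfix warnings quoted in this
# guide and points at the section that fixes each one.
# Assumptions: POSIX sh + awk; sample log lines below are constructed.

# triage_log FILE: print "category count -> fix" for every category seen.
# Returns 1 if any line needs action, 0 if the log shows only verified TLS
# sessions, delivered mail and unrelated lines.
triage_log() {
    awk '
        BEGIN {
            fix["relay_denied"]        = "sender not in your domain or host IP not allowed (Most basic configuration, Notes 1-2)"
            fix["invalid_credentials"] = "relay requires TLS or SMTP auth that the client did not offer, or sender is not a registered user (Enable TLS Note 3, Restrict allowed senders Note 1)"
            fix["no_sasl_mech"]        = "apt-get install libsasl2-modules (Enable SASL step 5)"
            fix["tls_not_verified"]    = "server certificate not verified: check smtp_tls_security_level = secure and smtp_tls_CAfile (Enable TLS)"
            fix["deferred"]            = "temporary failure, watch the next delivery attempt"
        }
        # Order matters: a bounced delivery line also carries the 550 text, so
        # the specific Google replies are matched before the status= fields.
        /550 5\.7\.0 Mail relay denied/                            { n["relay_denied"]++; next }
        /550 5\.7\.1 Invalid credentials for relay/                { n["invalid_credentials"]++; next }
        /No worthy mechs found|no mechanism available/             { n["no_sasl_mech"]++; next }
        /Verified TLS connection established/                      { n["tls_verified"]++; next }
        /(Trusted|Untrusted|Anonymous) TLS connection established/ { n["tls_not_verified"]++; next }
        /status=sent/                                              { n["sent"]++; next }
        /status=deferred/                                          { n["deferred"]++; next }
        END {
            bad = 0
            for (c in n) {
                printf "%s %d%s\n", c, n[c], ((c in fix) ? " -> " fix[c] : "")
                if (c in fix && c != "deferred") bad = 1
            }
            exit bad
        }
    ' "$1"
}

# write_sample_log FILE: constructed lines in Postfix 2.9 syslog style, one
# for each failure this guide mentions plus one verified, delivered message.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 29 12:00:01 host postfix/smtp[1234]: 1A2B3C4D5E: to=<myuser@gmail.com>, relay=smtp-relay.gmail.com[64.233.161.28]:25, delay=0.6, delays=0.1/0/0.2/0.3, dsn=5.7.0, status=bounced (host smtp-relay.gmail.com[64.233.161.28] said: 550 5.7.0 Mail relay denied [x.x.x.x]. - gsmtp (in reply to end of DATA command))
Oct 29 12:05:02 host postfix/smtp[1240]: 2B3C4D5E6F: to=<myuser@gmail.com>, relay=smtp-relay.gmail.com[64.233.161.28]:587, delay=0.5, delays=0.1/0/0.2/0.2, dsn=5.7.1, status=bounced (host smtp-relay.gmail.com[64.233.161.28] said: 550 5.7.1 Invalid credentials for relay [x.x.x.x]. - gsmtp (in reply to MAIL FROM command))
Oct 29 12:06:03 host postfix/smtp[1241]: warning: SASL authentication failure: No worthy mechs found
Oct 29 12:06:03 host postfix/smtp[1241]: 3C4D5E6F7A: SASL authentication failed; cannot authenticate to server smtp-relay.gmail.com[64.233.161.28]: no mechanism available
Oct 29 12:10:04 host postfix/smtp[1250]: Verified TLS connection established to smtp-relay.gmail.com[64.233.161.28]:587: TLSv1 with cipher AES128-SHA (128/128 bits)
Oct 29 12:10:05 host postfix/smtp[1250]: 4D5E6F7A8B: to=<myuser@gmail.com>, relay=smtp-relay.gmail.com[64.233.161.28]:587, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK 1414577405 abc123 - gsmtp)
EOF
}

# Usage: sh mail_log_triage.sh /var/log/mail.log   (no argument: run on the sample)
if [ $# -eq 1 ]; then
    triage_log "$1"
elif [ $# -eq 0 ] && [ -z "$MAIL_LOG_TRIAGE_QUIET" ]; then
    sample=$(mktemp) && write_sample_log "$sample" && triage_log "$sample"; rm -f "$sample"
fi
```

Run it against the sample without arguments to see all categories once, or point it at /var/log/mail.log after each section of this guide: a correct setup should end up with only "tls_verified" and "sent" lines. The "Verified" wording is what Postfix logs when the server certificate both chains to a trusted CA and matches the relayhost name, which is what smtp_tls_security_level = secure demands.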

2 comments:

  1. mail -f command doesn't work on Ubuntu 14.10
    Instead, you have to use:
    mail -s "Subject" -a "From: test@mydomain.com" recipient@gmail.com
