Have Postfix relay e-mail to GMail

This post documents how I did set up Postfix 2.6 to relay all of its e-mail to GMail.

I used different sources to assemble what is described next. Worth mentioning are Getting Postfix to work on Ubuntu with Gmail, Gmail on Home Linux Box using Postfix and Fetchmail, Postfix Gmail SMTP Relay and finally Postfix TLS Support.

No client-side certificate, please

Some Web sites out there seem to insist on creating client-side certificates for Postfix when dealing with mail relaying to GMal. That is incorrect. Client-side certificates are not required when relaying mail to GMail. At the moment, GMail does only support user and password authentication, so trying to supply client-side certificates during the authentication phase might likely confuse the GMail SMTP servers and/or create problems.

Postfix main.cf main configuration file

The following configuration directives have to be added to a Postfix’s pristine main.cf configuration file. I added them at the end of the file:

# The e-mail sent will use this hostname as the e-mail origin.
myhostname = my.dynamicdns.domain.name
myorigin = $myhostname

# Relay all e-mail via GMail.
relayhost = [smtp.gmail.com]:587

# SASL authentication
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous

# TLS
smtp_tls_eccert_file =
smtp_tls_eckey_file =
smtp_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may
smtp_tls_CAfile = /etc/postfix/cacert.pem # Trusted root CAs
smtpd_tls_received_header = yes
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may # http://www.postfix.org/TLS_README.html#client_tls_may

Store authentication credentials

GMail MSA/SMTP servers require the sending user to authenticate using their standard GMail user name and password. This authentication data must be stored properly secured in the file /etc/postfix/sasl_passwd:

gmail-smtp.l.google.com user.name@gmail.com:password
smtp.gmail.com user.name@gmail.com:password

Make sure the file is properly secured so that only the root user can dump its contents:

# chown root:root /etc/postfix/sasl_passwd
# chmod 600 /etc/postfix/sasl_passwrd

Postfix requires the conversion of the plain-text file to a hashed table format. This is achieved by running:

# postmap /etc/postfix/sasl_passwd

This will create a filed named /etc/postfix/sasl_passwd.db.

Populate the list of trusted CA certificates

This is required because, by default, Postfix does not trust any CA out there. cacert.pem is just Postfix’s trusted CA root certificate store. Other software components, like Web browsers, use different stores, but this file is essentially equivalent to those.

GMail SSL/TLS certificates are signed by Thawte. Therefore, in order to get Postfix to be able to authenticate the GMail SMTP server, it is necessary to store Thawte’s root CA certificates somewhere. Else, when Postfix tries to foward a message to smtp.gmail.com the following errors are logged:

May 10 15:40:07 postfix postfix/smtp[10677]: certificate verification failed
  for smtp.gmail.com[72.14.221.111]:587: untrusted issuer
  /C=ZA
  /ST=Western Cape
  /L=Cape Town
  /O=Thawte Consulting cc
  /OU=Certification Services Division
  /CN=Thawte Premium Server CA
  /emailAddress=premium-server@thawte.com
May 10 15:40:07 postfix postfix/smtp[10677]: warning: SASL authentication failure:
  No worthy mechs found

From a Ubuntu Linux box that had the ssl-cert package installed, I copied the certificates that correspond to Thawte’s CA to the Postfix machine. There, it’s just a matter of concatenating the multiple .pem files into just one file that Postfix will use: /etc/postfix/cacert.pem.

In order to generate cacert.pem from the individual Thawte certificates:

# cat {
  Thawte_Personal_Basic_CA,
  Thawte_Personal_Freemail_CA,
  Thawte_Personal_Premium_CA,
  Thawte_Premium_Server_CA,
  Thawte_Server_CA,
  Thawte_Time_Stamping_CA
}.pem /etc/postfix/cacert.pem

Reload Postfix configuration

For example, by sending the SIGHUP signal to Postfix’s master process:

# pkill -1 master
# tail /var/log/maillog
May 10 15:58:42 postfix postfix/master[6921]: reload
  -- version 2.6-20090125, configuration /etc/postfix

Test

You can test by connecting port 25 of your Postfix machine or, as in my case, use the mail command:

# mail user.name@gmail.com
Subject: Hola
Este es un mensaje de prueba.
.

Postfix should log some messages to /var/log/maillog that should be equivalent to the following ones:

May 10 15:58:52 postfix postfix/pickup[32213]: 1234567890: uid=0 from=<root>
May 10 15:58:52 postfix postfix/cleanup[12716]: 1234567890:
  message id=<20090510135852.1234567890@my.dynamicdns.domain.name>
May 10 15:58:52 postfix postfix/qmgr[8604]: 1234567890:
  from=<root@my.dynamicdns.domain.name>, size=323, nrcpt=1 (queue active)
May 10 15:58:54 postfix postfix/smtp[32243]: 1234567890:
  to=<user.name@gmail.com>,
  relay=smtp.gmail.com[72.14.221.111]:587,
  delay=3.4,
  delays=1.1/0.21/0.76/1.3,
  dsn=2.0.0,
  status=sent (250 2.0.0 OK 1241963934 l12sm1383617fgb.4)
May 10 15:58:54 postfix postfix/qmgr[8604]: 1234567890: removed
Advertisements

58 thoughts on “Have Postfix relay e-mail to GMail

  1. excuse me, i like if you will answer to my email
    this method will let a private mail server to send email (through gmail) and let them sent to destination also if the destination server usually use the antispam method and usually don’t accept email from unknown relay server (my home server)?

  2. Thank you very much for this article! I copied your instructions almost verbatim and I succeeded on the first attempt.

    By the way, I’m using debian etch. I found the Thawte .pem files in /etc/ssl/certs.

  3. Thanks for the post. Helped me a lot. As a novice postfix user I did not recognised that the comments are not left out during the parsing. Dont simple just cut and paste the code above, do a little massage with the comments at the end of the line.

  4. More interestingly, the narration frames the rewind as a question, explicitly asking how she got there and providing an answer through the narrative logic. ,

  5. Thanks for taking the time to write this up! Worked like a charm.

    One thing, however, you might want to specify where the CRT files are located, I had to read through the comments to find out where they are. Then on the Ubuntu Karmic server I was configuring this on, the /etc/ssl/certs/*.pem files are just softlinks to the CRT files in /usr/share/ca-certificates/mozilla .

    You didn’t mention that the ca-certificates package must be installed, it is only suggested by the ssl-cert package, so one might not necessarily have it installed ( I didn’t! )

    Nothing major, thanks again!

  6. Pingback: Great post on relaying Postfix through Gmail « Jeff.Robbins.ws

  7. I have my mail server relaying through Gmail but I am still having problem with CA certificate here is my log can some one help. I did go through the steps mentioned about but I am still have certificate problem. funny thing is that email is being recieved when I send it.
    postfix/smtp[5775]: certificate verification failed for smtp.gmail.com[74.125.127.109]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

  8. This worked wonderfully.

    Note: I’m using Ubuntu Karmic 9.10, the part of main.cf, I got errors. Tried entering carriage returns before the comments in the TLS part helped. Postfix complained about invalid TLS level, fatal errors. When I made the changes, it worked.

  9. I had been trying to set Postfix with Gmail for three days when I found your ‘howto’. THIS was the one to make it all work. Thanks heaps, all the way from Thailand.

  10. It is sweet that you wrote about this. I found you on yahoo and I had been searching for info about this. Nice site, thanks for the info.

  11. One other thing is that an online business administration diploma is designed for individuals to be able to easily proceed to bachelor degree education. The 90 credit certification meets the lower bachelor education requirements so when you earn your current associate of arts in BA online, you may have access to the most up-to-date technologies within this field. Several reasons why students need to get their associate degree in business is because they’re interested in this area and want to get the general education necessary in advance of jumping in to a bachelor diploma program. Many thanks for the tips you really provide within your blog.

  12. naturally like your web-site but you have to check the spelling on quite a few of your posts. A number of them are rife with spelling problems and I find it very bothersome to tell the truth nevertheless I’ll certainly come back again.

  13. Great post. I was checking continuously this blog and I’m impressed! Very helpful info particularly the last part 🙂 I care for such information much. I was seeking this certain information for a very long time. Thank you and good luck.

  14. I am speechless. This can be a fantastic blog and really partaking too. Nice work! That’s not likely a lot coming from an amateur blogger like me, but it surely’s all I might think after enjoying your posts. Nice grammar and vocabulary. Not like other blogs. You really know what you are speaking about too. A lot that you made me wish to read more. Your blog has change into a stepping stone for me, my fellow blogger. Thanks for the detailed journey. I actually enjoyed the 6 posts that I’ve learned so far.

  15. hey there and thank you for your information – I’ve definitely picked up something new from right here. I did however expertise several technical points using this site, since I experienced to reload the web site lots of times previous to I could get it to load correctly. I had been wondering if your web host is OK? Not that I’m complaining, but slow loading instances times will often affect your placement in google and can damage your high-quality score if advertising and marketing with Adwords. Anyway I am adding this RSS to my e-mail and could look out for much more of your respective exciting content. Ensure that you update this again soon..

  16. Its like you read my mind! You seem to know so much about this, like you wrote the book in it or something. I think that you can do with a few pics to drive the message home a bit, but instead of that, this is magnificent blog. An excellent read. I’ll certainly be back.

  17. Piping is essentially a cross-linked polyethylene tubing. The basic material is subjected to several adapting processes whereby it is optimised for use within plumbing applications. More specifically, during these processes, the material is made more resistant to extreme temperatures, be they hot or cold. They are also made more resistant to deformations which can occur through extreme stress and exposure to acids or alkalines.

  18. Have you ever ever thought of including up additional movies to your weblog posts to hold the readers extra entertained? I imply I just read via the whole piece of writing of yours and it was very first-class but since I am extra of a visual learner,I discovered that to change into further useful nicely let me know how it seems! I love what you’re at all times up too. Such vivid work and reporting! Continue the great works guys I’ll add it to my blogroll.

  19. Thanks for this blog. Thats all I can say. You most definitely have made this weblog into something thats eye opening and important. You clearly know so much concerning the topic, youve lined so many bases. Great stuff from this part of the internet. Again, thanks for this blog.

  20. Hi! This is Anta from Top Liquidation Sales: http://TopLiquidationSales.com I wasn’t sure about the easiest way to get in touch with you so I’ll just post here. We are bulk liquidators and closeout managers. Do you have any goods/inventory that you must sell ASAP? Just feel free to contact me at support [at] topliquidationsales.com because I can probably buy it from you in less than 72 hours. We mostly specialize in below wholesale closeouts however and require a minimum of 1,000 units. We have very good connections because we have been in the industry for many years. Do NOT sit on your distressed merchandise. Call or email us today.

  21. Good website on-line! predilection the seventh heaven you may have on scheme here. Please run on the turning into occurring besides I consign equal skookum tumtum to go to terribly frequently.

  22. Simply want to say your article is as astounding. The clearness in your post is simply cool and i could assume you are an expert on this subject. Well with your permission let me to grab your feed to keep updated with forthcoming post. Thanks a million and please continue the gratifying work.

  23. Just want to say your article is as amazing. The clarity in your post is simply great and i could assume you’re an expert on this subject. Well with your permission let me to grab your RSS feed to keep up to date with forthcoming post. Thanks a million and please keep up the gratifying work.

  24. Magnificent web site. Lots of useful information here. I am sending it to some friends ans also sharing in delicious. And obviously, thanks for your effort!

  25. I saw a lot of website but I conceive this one contains something extra in it. “The object of war is not to die for your country but to make the other bastard die for his.” by George Smith Patton, Jr..

  26. Definitely believe that which you said. Your favorite justification seemed to be on the web the simplest thing to be aware of. I say to you, I certainly get annoyed while people think about worries that they plainly don’t know about. You managed to hit the nail upon the top and also defined out the whole thing without having side-effects , people could take a signal. Will likely be back to get more. Thanks

  27. I just could not depart your web site prior to suggesting that I actually enjoyed the standard information a person provide for your visitors? Is going to be back often to check up on new posts

  28. I not too long ago got here throughout your weblog and have been reading along. I believed I would leave my first comment. I don’t know what to say except that I’ve enjoyed reading. Nice weblog, I’ll maintain visiting this blog very often.

  29. I would like to show some appreciation to this writer for rescuing me from this particular challenge. Just after looking through the the web and getting recommendations which are not helpful, I was thinking my life was done. Existing minus the strategies to the problems you have solved all through your good post is a serious case, and the ones which may have in a wrong way damaged my entire career if I hadn’t discovered your site. Your own personal ability and kindness in taking care of all things was excellent. I don’t know what I would have done if I had not discovered such a point like this. I am able to now look forward to my future. Thanks a lot very much for this professional and sensible help. I will not be reluctant to refer your site to anybody who needs to have guidance about this subject matter.

  30. The two of us truly like this post.It seems like you’ve put lots of efort into your blog and human race wants way more like this these days. i haven’t got a big deal in retort,i simply wished to tell properly done.fantastic article.I never think of that.

  31. I wish i may write the way you do sometimes. I am definitely going to take pointers on how you write and apply it to my own. Thanks for all of your onerous work!

  32. very helpful data for me.As a result of i am new in blogging and i’m in want of good tutorials like your post. Nice to visit right here, and remember to go to our blog too and give me extra spirit to proceed my running a blog actions

  33. Thanks a lot. In Ubuntu 12 LTS, the cert is just thawte_Primary_Root_CA.pem (at /etc/ssl/certs) and cp thawte_Primary_Root_CA.pem /etc/postfix/cacert.pem

    was sufficient.

  34. It is a great site therefore We’ve bookmarked your website and definately will take one more examine yet one more day to give it a appropriate browse right after i can give this far more hours.

  35. This can be a brief publish to state, very simply, thanks a ton. I’ve had an opportunity to make amends for this submit and the comments right this moment and I’m really grateful for understanding the content material of this blog

  36. I’ve read several good stuff here. Definitely worth bookmarking for revisiting. I wonder how much effort you put to make such a wonderful informative web site.

  37. My brother suggested I might like this website. He
    was totally right. This post truly made my day. You cann’t imagine simply how much time I had spent
    for this info! Thanks!

  38. hey there and thank you for your information – I have certainly picked up
    anything new from right here. I did however expertise several technical points using this web site,
    since I experienced to reload the web site many times previous to I could get it to load correctly.
    I had been wondering if your web hosting is OK? Not
    that I’m complaining, but sluggish loading instances times will sometimes affect your placement in google and can damage your high quality score if advertising
    and marketing with Adwords. Anyway I am adding this RSS to my
    e-mail and can look out for much more of your respective intriguing content.

    Make sure you update this again very soon.

  39. Thanks a bunch for sharing this with all people you really understand what you are speaking about!

    Bookmarked. Please additionally discuss with my web site =).
    We may have a link alternate agreement between us

  40. Hi, for all time i used to check blog posts here in the early hours in the daylight,
    as i enjoy to find out more and more.

  41. Hey there I am so thrilled I found your site, I really found you
    by mistake, while I was researching on Askjeeve for something else,
    Regardless I am here now and would just like to say
    thanks a lot for a fantastic post and a all
    round entertaining blog (I also love the theme/design), I
    don’t have time to browse it all at the moment but I have bookmarked it and also added your RSS feeds, so when I have time I will be back to read
    a great deal more, Please do keep up the superb jo.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s