2009-10-15

Using Gmail with Postfix on Ubuntu

Postfix is a dependency of mdadm, but it took me a couple of separate attempts to get it configured to use Gmail as its SMTP relay. There are a lot of good Postfix tutorials out there, but this post will detail the steps I took for my particular situation. I'm currently running Ubuntu 11.10 Server 64-bit, so I needed mdadm to be able to send me notification emails, and I already had CA and server certs for Apache and ProFTP, so I'll skip those steps here.
I started out by following Ubuntu's community documentation on Postfix, which had some good information on generic configuration (I recommend using Maildir), but I ended up following a blog post by Mark Sanborn, because it focuses on using Gmail. I borrow heavily from that post, so I thank Mark for his work, but the post itself misses a couple of things that caused me trouble. Several comments to that post provided solutions, so I include those corrections.
If you need to generate certs, I suggest you follow steps 1-3 from Mark Sanborn's post. In my example, however, the CA cert is /etc/ssl/certs/cacert.pem, the server cert is /etc/ssl/certs/hierax.crt, and the server key is /etc/ssl/private/hierax.key. The /etc/ssl tree is a more appropriate location for their storage when you have multiple applications sharing certs.
  1. Install the Postfix package.
    The Postfix package is built with, and so depends on, the encryption library packages necessary to use Gmail as an SMTP relay, so we just install postfix.
    sudo aptitude install postfix
    You'll have to do some initial setup during the installation; for an explanation, I suggest you read the Configuration section of the Ubuntu community documentation linked above.
  2. Install the SASL package.
    The libsasl2-modules package is required to use TLS, which Google requires.
    sudo aptitude install libsasl2-modules
    Most likely because I'm running the 64-bit version of Ubuntu 11.10 Server, the SASL modules were installed into /usr/lib/x86_64-linux-gnu/sasl2/, but Postfix expects them in /usr/lib/sasl2/, so I created symlinks:
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so /usr/lib/sasl2/libanonymous.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so /usr/lib/sasl2/libcrammd5.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so /usr/lib/sasl2/libdigestmd5.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so /usr/lib/sasl2/liblogin.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so /usr/lib/sasl2/libntlm.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libplain.so /usr/lib/sasl2/libplain.so
    sudo ln -s /usr/lib/x86_64-linux-gnu/sasl2/libsasldb.so /usr/lib/sasl2/libsasldb.so
  3. Bind Google's CA cert to ours.
    Ubuntu already comes with the Equifax Secure CA cert that Google uses (it used to be Thawte Premium Server CA), so we just have to append it to our CA cert. This command will have to be run as root.
    sudo su -
    cat /etc/ssl/certs/Equifax_Secure_CA.pem >> /etc/ssl/certs/cacert.pem
  4. Edit the Postfix configuration file.
    I can't guarantee that all of these parameters are necessary, as they're a combination of those from the two guides I linked above, but it works for me.
    #
    # TLS Settings
    #
    
    smtp_use_tls = yes
    smtp_tls_CAfile = /etc/ssl/certs/cacert.pem
    smtp_tls_cert_file = /etc/ssl/certs/hierax.crt
    smtp_tls_key_file = /etc/ssl/private/hierax.key
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = encrypt
    
    tls_random_source = dev:/dev/urandom
    
    #
    # SASL Settings
    #
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_sasl_tls_security_options = noanonymous
    
    broken_sasl_auth_clients = yes
    
    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport
    
  5. Set up the transport file.
    The following line goes into /etc/postfix/transport and tells Postfix to send all mail through Gmail; see the transport man page for more information.
    * smtp:[smtp.gmail.com]:587
    Next we turn the transport file into a lookup hash for Postfix; this will generate /etc/postfix/transport.db.
    sudo postmap /etc/postfix/transport
  6. Set up the SASL password file.
    The SASL password file we defined above as /etc/postfix/sasl_passwd stores login information for the SMTP server.
    [smtp.gmail.com]:587 <your_username>@gmail.com:<your_password>
    This file too has to be turned into a lookup hash; the resulting file is /etc/postfix/sasl_passwd.db.
    sudo postmap /etc/postfix/sasl_passwd
  7. Restart Postfix.
    sudo /etc/init.d/postfix restart
    You should see something like the following at the end of /var/log/mail.log:
    Oct 15 23:03:34 hierax postfix/master[4394]: terminating on signal 15
    Oct 15 23:03:35 hierax postfix/master[24450]: daemon started -- version 2.5.5, configuration /etc/postfix
  8. Test it out.
    You can test your configuration without actually sending an email; the -bv switch to sendmail just sends an email report to your local mailbox for testing.
    sendmail -bv <test email addr>
    You should see something like the following at the end of /var/log/mail.log:
    Oct 15 23:15:16 hierax postfix/smtp[24677]: AFD01BE2DE: to=<<test email addr>>, relay=smtp.gmail.com[74.125.93.109]:587, delay=1.5, delays=0.04/0.01/1.3/0.09, dsn=2.1.5, status=deliverable (250 2.1.5 OK 6sm1385198qwk.24)
So there you are. Again, thanks very much to Mark Sanborn for his post on this topic.
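
The sasl_passwd file from step 6 and its .db hash hold the Gmail password in readable form, and the relay only protects it in transit if the TLS and SASL settings from step 4 are actually in effect. The script below is an added example, not part of the original post or of Postfix: it checks those settings, the match between relayhost and the sasl_passwd key, and the file permissions. The function names (cf_get, is_private, audit_relay) are hypothetical, and a standard Linux userland is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Gmail relay setup.
# Both paths are arguments, so copies of the files can be checked as well.

# Value of a main.cf parameter; the last assignment wins, as in Postfix.
cf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# True only if the file exists and group/other have no permission bits.
is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Prints one line per finding; the exit status is the number of findings.
audit_relay() {
    cf=${1:-/etc/postfix/main.cf}
    pw=${2:-/etc/postfix/sasl_passwd}
    n=0

    # Anything below "encrypt" lets the session fall back to cleartext.
    level=$(cf_get "$cf" smtp_tls_security_level)
    case "$level" in
        encrypt|fingerprint|verify|secure|dane-only) ;;
        *) echo "TLS not mandatory: smtp_tls_security_level=${level:-unset}"
           n=$((n + 1)) ;;
    esac

    # noanonymous rules out SASL mechanisms that permit anonymous login.
    case " $(cf_get "$cf" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) echo "smtp_sasl_security_options lacks noanonymous"; n=$((n + 1)) ;;
    esac

    # The sasl_passwd key must equal relayhost exactly, brackets and port.
    relay=$(cf_get "$cf" relayhost)
    if [ -z "$relay" ] ||
       ! awk -v k="$relay" '$1 == k { ok = 1 } END { exit !ok }' "$pw"; then
        echo "no sasl_passwd entry for relayhost '$relay'"; n=$((n + 1))
    fi

    # Both files hold the Gmail password in recoverable form.
    for f in "$pw" "$pw.db"; do
        is_private "$f" || { echo "$f missing or open to group/other"; n=$((n + 1)); }
    done
    return "$n"
}
```

Source the file as root and call audit_relay with no arguments to check /etc/postfix/main.cf and /etc/postfix/sasl_passwd; if it reports the password files, chmod 600 on both fixes that. Note that the encrypt level used in step 4 encrypts the session without verifying Gmail's certificate; the verify and secure levels add that check against smtp_tls_CAfile.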
