First, you need Postfix compiled with SASL and SSL support.
To check, enter this command in your shell:
ldd /usr/lib/postfix/smtp
Here is the output:
linux-gate.so.1 => (0xffffe000)
libpostfix-master.so.1 => /usr/lib/libpostfix-master.so.1 (0xb7f43000)
libpostfix-tls.so.1 => /usr/lib/libpostfix-tls.so.1 (0xb7f38000)
libpostfix-dns.so.1 => /usr/lib/libpostfix-dns.so.1 (0xb7f33000)
libpostfix-global.so.1 => /usr/lib/libpostfix-global.so.1 (0xb7f0c000)
libpostfix-util.so.1 => /usr/lib/libpostfix-util.so.1 (0xb7ee6000)
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ea9000)
libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d7b000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7d67000)
libdb-4.3.so => /usr/lib/libdb-4.3.so (0xb7c8a000)
libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7c75000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7c62000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7b33000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7b30000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7b1b000)
/lib/ld-linux.so.2 (0xb7f59000)
If you don’t see libssl and libsasl, this won’t work, and you’ll need to recompile with support.
Generate a private key and a CSR for this server, then sign the CSR with your CA:
openssl genrsa -out itchy.key 1024
openssl req -new -key itchy.key -out itchy.csr
openssl ca -out itchy.pem -infiles itchy.csr
Now include these main.cf modifications:
relayhost = [smtp.gmail.com]:587
#auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/postfix/certs/itchy.key
smtp_tls_cert_file=/etc/postfix/certs/itchy.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtp_tls_enforce_peername = no
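Added example, not part of the original post: a shell check for the relay settings above that flags optional TLS, a disabled server-name check, a missing CA store, and a "#" fused onto a value (Postfix only treats "#" as a comment at the start of a line). The function names and finding labels are made up for this example; smtp_tls_security_level and smtp_enforce_tls are standard Postfix parameters that the post itself does not use.

```shell
#!/bin/sh
# Added example: audit the relay settings in a main.cf-style file.
# Not handled: continuation lines and smtp_tls_per_site tables.

# cf_get FILE KEY: print the last value assigned to KEY (later lines win).
cf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # only whole-line comments exist
        {
            i = index($0, "="); if (i == 0) next
            name = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) v = val
        }
        END { print v }' "$1"
}

# audit_relay_cf FILE: print one finding label per line, nothing if clean.
audit_relay_cf() {
    level=$(cf_get "$1" smtp_tls_security_level)
    enforce=$(cf_get "$1" smtp_enforce_tls)
    peer=$(cf_get "$1" smtp_tls_enforce_peername)
    maps=$(cf_get "$1" smtp_sasl_password_maps)
    ca=$(cf_get "$1" smtp_tls_CAfile)$(cf_get "$1" smtp_tls_CApath)
    if [ -z "$level" ]; then    # map the legacy booleans onto a level
        if [ "$enforce" != yes ]; then level=may   # smtp_use_tls is opportunistic
        elif [ "$peer" = no ]; then level=encrypt
        else level=verify; fi
    fi
    case $level in
        verify|secure) ;;
        encrypt) echo SERVER_NAME_NOT_VERIFIED ;;
        *) echo TLS_NOT_MANDATORY; echo SERVER_NAME_NOT_VERIFIED ;;
    esac
    [ -n "$ca" ] || echo NO_CA_STORE
    case $maps in *"#"*) echo HASH_SIGN_IN_VALUE ;; esac
    return 0
}

# Constructed sample: opportunistic TLS, name check off, "#" fused onto a value.
sample=$(mktemp)
cat > "$sample" <<'EOF'
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd#tls
smtp_use_tls = yes
smtp_tls_enforce_peername = no
EOF
audit_relay_cf "$sample"
rm -f "$sample"
```

An empty result means TLS is mandatory, the server name is checked, a CA store is set and the password map value is clean.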
Create the /etc/postfix/sasl_passwd file.
This is the format of the sasl_passwd file.
Copy this text, edit it with your account details, then highlight and copy the result.
gmail-smtp.l.google.com user@gmail.com:password
smtp.gmail.com user@gmail.com:password
Enter these commands line by line and press enter after each line.
vim /etc/postfix/sasl_passwd
a
ctrl + shift + v
esc
:wq
postmap /etc/postfix/sasl_passwd
/etc/init.d/postfix reload
That should work. Thanks to IMamba for the original.

26 Comments
good tutorial, thank you.
you might want to fix this line though:
smtp_tks_note_starttls_offer = yes
it should read
smtp_tls_note_starttls_offer = yes
instead (the typo is already there upstream)
cheers
Finally some useful information. I’ve been searching for 2 months. Tried countless other tutorials. This one finally did the trick.
Thank You…
Hi there,
does somebody know, what to write into sasl_passwd if my password contains a SPACE?
Thanks:
Andrzej
It should be the “+” symbol.
On my Ubuntu box, this command failed
openssl ca -out itchy.pem -infiles itchy.csr
because openssl is unable to find the CA private key. I think I need to create a CA first.
Thanks for a well written and very helpful tutorial.
Works well from most places but I think my workplace proxy is blocking access to googlemail on port 587.
Has anyone found a proxy tunnel solution?
I tried to create a certificate for a Gmail account but it showed an error, so could you go through the error and please send a reply.
I have mentioned my email ID, please scrap me…
#openssl ca -out itchy.pem -infiles itchy.csr
Using configuration from /usr/share/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
22719:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('./demoCA/private/cakey.pem','r')
22719:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load CA private key
On my Debian machine the command:
openssl ca -out itchy.pem -infiles itchy.csr
also failed. Since I’m thinking the same as a previous post (create CA) and I’m new to SSL and stuff, could someone show me how to do this?
Thanks in advance,
Eric
To address the problem raised by Sureshkumar, on a CentOS 5.1 system I did the following:
yum -y install openssl-perl
Run:
/etc/pki/tls/misc/CA.pl -newca
That will create the cakey.pem file in /etc/pki/CA/private
Then edit the file /etc/pki/tls/openssl.cnf and set
dir = /etc/pki/CA
You should be able to create a new CA with the scripts included in openssl:
$ /usr/local/ssl/misc/CA.pl -newca
Give it the appropriate name and enter appropriate info when prompted.
Tried it with Ubuntu 9.04. Works fine!
It works for me! (Ubuntu 8.04)
But to generate the CA: the file ca.pl was in /usr/lib/ssl/misc/
Thanks for this tutorial
Been working on this all day. This tutorial got me there! Whoot! Thank you!
This worked really well for me. Took a bit though since Arch Linux’s CA.pl has a hardcoded CA prefix of /etc/ssl. My openssl config was looking for root CA’s in ./demoCA/. Perhaps Arch package managers will fix that at some point. Until then, I just changed the CA.pl file to use ./demoCA as the prefix when creating all the required dirs for the root CA.
Thanks for this great walk through
Followed instructions but got a
530 5.7.0 Must issue a STARTTLS command first.
I checked for the tks typo but looks like it was fixed on the faq, so I dunno postfix.cf well enough to know what might have gone wrong
Where do i find postfix? I can not figure this out at all and am growing desperate.. days into trying to get mailpress to work.
Anyone?
Please?
Thanks man. Great tutorial
It works! Yeah!
I keep getting the following error in my mail.log
“smtp.gmail.com[74.125.93.109] said: 530-5.5.1 Authentication Required”
Any help with this?
I have a question, what is all the fuss about setting up a SMTP server that at the other end uses google’s SMTP to send mails?
why not use google’s SMTP service directly, without using postfix?
Alex
For me (CentOS) I had to use “ldd /usr/libexec/postfix/smtp” instead of “ldd /usr/lib/postfix/smtp” for it to work
Thank you. Great tutorial. Worked within minutes. I just added in main.cf
smtp_tls_CApath = /etc/ssl/certs
In mail.log I still see a minor: Nov 12 14:27:27 voice postfix/smtp[5081]: certificate verification failed for smtp.gmail.com[209.85.227.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Thank you. Great tutorial.
I just got this working on my Ubuntu 10.10 box with Postfix 2.7.1. This is all I have in the /etc/postfix/main.cf file.
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_loglevel = 1
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
—
% cat sasl_passwd
[smtp.gmail.com]:587 user@gmail.com:pass
—
% cat tls_per_site
smtp.gmail.com MUST
Thanks for everything!!
I got this working on Ubuntu 10.10 Cheers
Great article, thanks – still very useful today, despite being a few years old!
I found that simply relaying from a server containing a postfix install via google can work without having to create the SSL certs at all. I created the /etc/postfix/sasl_passwd file and added this to /etc/postfix/main.cf instead: -
relayhost = [smtp.gmail.com]:587
#auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_enforce_peername = no
Very easy as creating the cert was the fiddly bit – and one that I wished to automate, as I’m adding a profile for Amazon EC2 instances which will do this automatically when you start up a new instance (it is a pain to relay email from Amazon EC2 as it is generally not trusted).
Once written the profile will be here: http://www.practicalclouds.com/content/guide/gmailrelay (I’ll be sure to link back here)
Many thanks
Dave