Relaying Postfix SMTP via smtp.gmail.com

By | 2008/11/11

I’ve got a few servers in different places around the country and try to monitor them using the logwatch utility.  One problem that I’ve run into however is that a few of these servers are not able to send their logwatch emails to me, based on email restrictions by the ISPs.  I spent some time this afternoon researching what was required to have my servers authenticate to my gmail account and send me the mail that way.  This setup assumes Ubuntu 8.04 (or later) and Postfix.

Install the required packages

sudo aptitude install postfix libsasl2 ca-certificates libsasl2-modules

Configure Postfix

This tutorial will not outline how to configure your postfix server, but we’ll jump directly to the relayhost section.  You’ll want to add the following lines to your /etc/postfix/main.cf file:

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

The above lines are telling Postfix that you want to relay mail through gmail on a specific port, telling it to authenticate, and where to find the username and password.  The last three lines specify the authentication types supported, where the certificate authority file is and that it should use tls.

Define Username and Password

Next we’ll need to populate the sasl_passwd file.  Create the file /etc/postfix/sasl_passwd with the following contents:

[smtp.gmail.com]:587    user.name@gmail.com:password

This file should have restrictive permissions and then needs to be translated into a .db that Postfix will read.

sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd

At this point you can restart Postfix and it should work, however it will complain about not being able to authenticate the certificate.  To take care of this issue we’ll use the ca-certificate package we installed and tell it where it can validate the certificate.

cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem | sudo tee -a /etc/postfix/cacert.pem

Go ahead and reload postfix (sudo /etc/init.d/postfix reload) and you should be set.

50 thoughts on “Relaying Postfix SMTP via smtp.gmail.com

  1. lonnieolson.com/blog/

    I think you should mention that this setup is only good for a postfix server that will be serving only a single user. Gmail will save every outgoing message this way in the Sent Mail “folder” belonging to the user authenticated against in the sasl_passwd file.

    This is usually not desired by a multiuser mail relay. However, it could be a good method to archive all outgoing email in a small organization.

    Reply
  2. Hobbsee

    Things like msmtp and ssmtp are much lighter tools (either of them), and can be used to do the same things. Perhaps look into those?

    I’m using msmtp to go through the fastmail smtp servers (where I have an account), with no problems.

    Reply
  3. jadesro

    I tried using these instructions yesterday on a newly installed ubuntu server 8.10 but got tripped up by the very first command: “sudo aptitude install postfix libsasl2 ca-certificate” reported that libasal2 was no longer available (it suggested libasal2-2) and that there was no such thing as ca-certificate. Just me?

    Reply
  4. me.yahoo.com/a/krevSKMg2

    At least on debian testing I had to do:

    sudo apt-get install ca-certificates

    As for libsasl2, I use:

    $ apt-cache policy libsasl2
    libsasl2:
    Installed: 2.1.22.dfsg1-8
    Candidate: 2.1.22.dfsg1-8
    Version table:
    *** 2.1.22.dfsg1-8 0
    500 http://ftp.fr.debian.org stable/main Packages
    100 /var/lib/dpkg/status

    Reply
  5. kralph

    On Ubuntu 8.10 the package names have changed, as jadesro notes above. ca-certificates and libsasl2-2 are now the correct packages.

    Reply
  6. santosh

    i need smtp sever address for mailsoftwere
    plz help how to use &enable my smtp server
    mail me

    Reply
  7. donal whooley

    You are a genius. I’ve been struggling for 3 days to get sendmail or postfix to use SMTP but because I’m behind a residential dynamic IP address all emails get rejected with

    The IP you’re using to send mail is not authorized 550-5.7.1 to send email directly to our servers.

    Followed instructions exactly and it worked, except I already had sasl2 and ca.cerficiate installed. (Ubuntu 8.10 and postfix)

    Reply
  8. go2null

    Please fix ca-certificate to ca-certificates

    Reply
  9. Sureshkumar

    how can add 100 multiple users in the /etc/postfix/sasl_passwd…what is syntax
    already i was tried these syntax
    [smtp.gmail.com]:587 user1@gmail.com:user1
    [smtp.gmail.com]:587 user2@gmail.com:user2
    [smtp.gmail.com]:587 user3@gmail.com:user3

    [smtp.gmail.com]:587 usern@gmail.com:usern

    but it’s not working ………am waiting for your reply or if you please scrap my email id :krisuresh001@gmail.com

    Reply
  10. jack wooldridge

    I am a new computer user at 70 yrs old.My outgoing failed, because my “smtp” failed.
    What to do thank, JACK W.

    Reply
  11. Alexe Russkin

    Thanks! Thanks! Thanks! Thanks! Thanks! Thanks! :)

    In Mandriva 2009 have no ca-certificate.
    We must to install rootcerts:

    # urpmi rootcerts

    And add them:

    # cat /etc/pki/tls/cert.pem | tee -a /etc/postfix/cacert.pem

    Reply
  12. Joe Lencioni

    I have followed your instructions, and I can’t seem to quite get things to work. I am running Ubuntu 8.10 and whenever I send an email to my email address, I get an “Undelivered Mail Returned to Sender” error email with the following error: “relay access denied (in reply to RCPT TO command)” or “Relay access denied (state 14).”

    In mail.log I see errors like this one:

    NOQUEUE: reject: RCPT from mail.domain.com[###.###.###.###]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=

    Any thoughts on what I’m doing incorrectly?

    Reply
  13. rupert

    Please use:
    $ sudo aptitude install postfix libsasl2-2 ca-certificates libsasl2-modules
    on Ubuntu.

    Reply
  14. ubestos

    thank you for this how to! It worked excellent with little changes on Ubuntu 9.10 but the Idea is right.

    Reply
  15. Anoop

    Hi,

    I would like to have a scenario where local mails (or as specified in /etc/postfix/transport file) are delivered within server and rest are delivered through relayhost. If I use transport file, “relayhost = ” is left to empty.

    So, how can I use above information togther with transport feature in order to route certain emails locally as defined in transport file and rest using relayhost with ssl authorization (gmail account).
    thanks,

    Reply
  16. eric g

    i’ve tried many diffrent tutorials, this one worked like a charm!

    many thanks!

    Reply
  17. Florian Löffler

    This worked great on my Ubuntu 10.04 installation. Now I can finally sent SMART and mdadm mails from my home server.
    Thx for the great writeup!

    Reply
  18. John

    Gmail now uses certificate from Equifax

    Use this instead of the Thawte certs

    cat /etc/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem

    Reply
  19. papukaija

    Thanks John for the info about Gmail’s new certificate.

    Reply
  20. Alex

    Thanks for an excellent tutorial – it worked exactly as described on my Ubuntu 10.04 installation

    Reply
  21. trooper

    Thank you! Worked on my Ubuntu 10.10 server installation. How to change the “From” in the notifications? Email shows root as the sender.

    Thanks.

    @ techo

    Reply
  22. sergey

    Hi guys

    I see a lot of people succeeded … but apparently I’m unlucky one. Please help.
    I have the following configuration in /etc/postfix/main.cf

    root@nas:/etc/postfix# postconf -n
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    default_transport = smtp
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    mailbox_command =
    mailbox_size_limit = 0
    mydestination = localhost.localdomain, localhost, nas.NAME.no-ip.com
    myhostname = nas.NAME.no-ip.com
    mynetworks = 127.0.0.0/8, 172.19.3.0/24
    myorigin = /etc/mailname
    readme_directory = no
    recipient_delimiter = +
    relay_transport = smtp
    relayhost = [smtp.gmail.com]:587
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options =
    smtp_tls_CAfile = /etc/postfix/cacert.pem
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_authenticated_header = no
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    smtpd_sender_restrictions =
    smtpd_tls_CAfile = /etc/postfix/cacert.pem
    smtpd_tls_auth_only = no
    smtpd_tls_cert_file = /etc/ssl/certs/smtpd.crt
    smtpd_tls_key_file = /etc/ssl/private/smtpd.key
    smtpd_tls_loglevel = 4
    smtpd_tls_mandatory_ciphers = medium
    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_use_tls = yes
    tls_random_source = dev:/dev/urandom

    If I’m trying to telnet to port 25 I’m getting AUTH options
    user@nas:~$ telnet localhost 25
    Trying ::1…
    Connected to localhost.
    Escape character is ‘^]’.
    220 nas.NAME.no-ip.com ESMTP Postfix (Ubuntu)
    ehlo localhost
    250-nas.NAME.no-ip.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH LOGIN PLAIN
    250-AUTH=LOGIN PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    quit
    221 2.0.0 Bye
    Connection closed by foreign host.

    I have helper gmail account to relay all my messages set

    root@nas:/etc/postfix# cat sasl_passwd
    [smtp.gmail.com]:587 USER@gmail.com:PASSWORD

    These are permitions on the files I have in /etc/postfix
    root@nas:/etc/postfix# ls -l
    total 92
    -rw-r–r– 1 root root 1143 2010-12-19 21:37 cacert.pem
    -rw-r–r– 1 root root 318 2010-12-02 22:40 dynamicmaps.cf
    -rw-r–r– 1 root root 2217 2010-12-19 21:47 main.cf
    -rw-r–r– 1 root root 5301 2010-12-02 22:40 master.cf
    -rw-r–r– 1 root root 18992 2010-06-22 10:28 postfix-files
    -rwxr-xr-x 1 root root 8729 2010-06-22 10:28 postfix-script
    -rwxr-xr-x 1 root root 24256 2010-06-22 10:28 post-install
    drwxr-xr-x 2 root root 4096 2010-12-19 16:47 sasl
    -r——– 1 root root 58 2010-12-19 19:51 sasl_passwd
    -rw——- 1 root root 12288 2010-12-19 21:53 sasl_passwd.db

    when I’m trying to send email
    echo “test email” | mail -s “Hello” USER2@gmail.com

    log file looks like this

    root@nas:/etc/postfix# cat /var/log/mail.log | tail -n 20
    Dec 19 22:36:50 nas postfix/master[2637]: terminating on signal 15
    Dec 19 22:37:27 nas postfix/master[2783]: daemon started — version 2.7.1, configuration /etc/postfix
    Dec 19 22:39:09 nas postfix/pickup[2785]: E93EC174C1C8: uid=1000 from=
    Dec 19 22:39:09 nas postfix/cleanup[2805]: E93EC174C1C8: message-id=
    Dec 19 22:39:10 nas postfix/qmgr[2786]: E93EC174C1C8: from=, size=325, nrcpt=1 (queue active)
    Dec 19 22:39:10 nas postfix/tlsmgr[2808]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
    Dec 19 22:39:10 nas postfix/tlsmgr[2808]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
    Dec 19 22:39:10 nas postfix/smtp[2807]: E93EC174C1C8: to=, relay=smtp.gmail.com[74.125.79.109]:587, delay=0.9, delays=0.14/0.13/0.59/0.04, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.79.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 b52sm2306539eei.13 (in reply to MAIL FROM command))
    Dec 19 22:39:10 nas postfix/cleanup[2805]: EA42D174C1CE: message-id=
    Dec 19 22:39:11 nas postfix/bounce[2809]: E93EC174C1C8: sender non-delivery notification: EA42D174C1CE
    Dec 19 22:39:11 nas postfix/qmgr[2786]: EA42D174C1CE: from=, size=2511, nrcpt=1 (queue active)
    Dec 19 22:39:11 nas postfix/qmgr[2786]: E93EC174C1C8: removed
    Dec 19 22:39:11 nas postfix/cleanup[2805]: 0AE67174C0D1: message-id=
    Dec 19 22:39:11 nas postfix/qmgr[2786]: 0AE67174C0D1: from=, size=2656, nrcpt=1 (queue active)
    Dec 19 22:39:11 nas postfix/local[2810]: EA42D174C1CE: to=, relay=local, delay=0.16, delays=0.07/0.02/0/0.07, dsn=2.0.0, status=sent (forwarded as 0AE67174C0D1)
    Dec 19 22:39:11 nas postfix/qmgr[2786]: EA42D174C1CE: removed
    Dec 19 22:39:11 nas postfix/smtp[2807]: 0AE67174C0D1: to=, orig_to=, relay=smtp.gmail.com[74.125.79.109]:587, delay=0.68, delays=0.07/0/0.57/0.04, dsn=5.5.1, status=bounced (host smtp.gmail.com[74.125.79.109] said: 530-5.5.1 Authentication Required. Learn more at 530 5.5.1 http://mail.google.com/support/bin/answer.py?answer=14257 t5sm2305993eeh.14 (in reply to MAIL FROM command))
    Dec 19 22:39:11 nas postfix/qmgr[2786]: 0AE67174C0D1: removed

    What I’m doing wrong????
    Please share you /etc/postfix/main.cf files?

    Kind regards,

    Sergey

    Reply
  23. Michael M

    I just got this working on my Ubuntu 10.10 box with Postfix 2.7.1. This is all I have in the /etc/postfix/main.cf file.

    relayhost = [smtp.gmail.com]:587
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_loglevel = 1
    smtp_tls_per_site = hash:/etc/postfix/tls_per_site
    smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

    % cat sasl_passwd
    [smtp.gmail.com]:587 user@gmail.com:pass

    % cat tls_per_site
    smtp.gmail.com MUST

    Reply
  24. Alex Little

    Thanks for posting this. I’m running Ubuntu 10.10 with postfix 2.7.1 and now have it working well (using the configuration for main.cf posted by Michael M above).

    Cheers.

    Reply
  25. Chris

    My Ubuntu 10.10 configuration follows.

    /etc/postfix/main.cf file:

    relayhost = [smtp.gmail.com]:587
    smtp_use_tls = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous
    smtp_tls_CAfile = /etc/ssl/certs/Equifax_Secure_CA.pem

    /etc/postfix/sasl_passwd:

    [smtp.gmail.com]:587 user@gmail.com:pass

    /etc/postfix/tsl_per_side:

    smtp.gmail.com MUST

    Reply
  26. Mihai Lazarescu

    Works just fine on Fedora 14 using the distribution CA
    certificate:

    yum install ca-certificates
    cp /etc/pki/tls/cert.pem /etc/postfix/cacert.pem

    Thanks!

    Reply
  27. Alex

    Ubuntu 10.10

    For thoes who have just installed postfix for the first time, you’ll also need to do


    mkfifo /var/spool/postfix/public/pickup

    And restart – I know its not directly related to the post above, but thought I’d put it in here for completeness

    Reply
  28. Alex

    @ Alex

    Oh and don’t forget to

    sudo postmap sasl_passwd
    sudo postmap tls_per_site

    Again, unrelated, but HTH someone

    Reply
  29. mrreload

    Using the same config as Micheal M but I get “lost connection with smtp.gmail.com[74.125.93.109] while receiving the initial server greeting”
    Does anyone have any idea how to resolve this?

    Reply
  30. Francesc Rosàs

    Just found that instead of creating /etc/postfix/cacert.pem you can simply use

    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

    At first I tried to use this

    smtp_tls_CApath = /etc/ssl/certs

    don’t know why but it didn’t work.

    BTW, it has the advantage that you don’t have to do anything when Google changes its certificates :)

    Reply
  31. Rob Izor

    I had a LOT of trouble getting gmail smtp to work on Debian Lenny. I had untrusted certificate problems which I thought were rectified by adding the latest Equifax certificate. But I kept getting a warning:

    warning: SASL authentication failure
    no mechanism found

    blah, blah. At this point I was no longer getting the untrusted logs in mail.log.

    So I eventually found this link:
    http://serverfault.com/questions/211749/sending-mail-from-postfix-via-gmail-unable-to-get-local-issuer-certificate-cert

    apt-get install libsasl2-modules

    And like MAGIC, it started sending my email to gmail smtp server!!! Hopefully this helps others find this solution faster!

    Reply
  32. sandip

    Hey, i am final year engg. student. My project is “Knowledge discvovery in corporate email”.

    I will have two computer(gmail user and server) in internet network resembling corporate network.
    I am postfix mail server on second computer.

    It has 3 steps:
    1. intercept employee email
    2. Perform processing on email body content at server using python.
    3. If content is not revealing any company secrets , forward it to gmail server.
    4. If found guilty , raise alert on server and do not forward email.

    Please , let me know how to do following:

    –> postfix server listen to other computer in network
    –> is any certificate required to forward message to gmail smtp server. If yes, Is it free and how to obtain certificate.

    My email addr is : sandy_patel91yahoo.in

    Reply
  33. arazortech

    Thanks for the article! worked perfectly. After struggling with sendmail, this was like a breath of fresh air.

    Reply
  34. Bernd Leuenroth

    worked fine with “Ubuntu 12.04.1 LTS” and postfix 2.9.3 – many thanks :-)

    Reply
  35. caibbor

    installed postfix with “local” settings (from the ncurses install menu), configured as per this guide, attempted to send a mail with the ‘sendmail’ program and:

    postdrop: warning: unable to look up public/pickup: No such file or directory

    Reply
  36. kira

    for me it only started working after adding to /etc/postfix/main.cf
    transport_maps = hash:/etc/postfix/transport

    and running
    touch /etc/postfix/transport
    postmap /etc/postfix/transport
    echo “message content” | mail -s “mail subject” user@domain.com

    Reply
  37. bunga

    are you sure to use []???
    mine doesn’t work
    [smtp.gmail.com]:port or smtp.gmail.com:port?
    thanx

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *