Send Mail Postfix through Gmail’s SMTP on a Ubuntu LTS Server

After looking around the internet for a while I finally found a decent guide on how to set up Gmail SMTP through Postfix; however, after following the guide I found that it left parts out, or things didn’t work quite the same on an Ubuntu server. This guide is intended to get Gmail’s SMTP set up through Postfix on an LTS Ubuntu server quickly and without too much information about other operating systems, although you could probably adapt the guide to work on other systems.

Google’s Gmail service requires the protocols TLS and SASL2 to be built into Postfix. Luckily this is already done on the Ubuntu LTS Server.

In order to communicate with Google we need the certificate of Gmail’s Certificate Authority (CA), and we need to generate our own CA.

Step 1: Create a Certificate Authority

Since we will be creating temporary files and will want to delete them later, change to your home directory so we don’t forget to delete them and leave what I call “mouse turds” lying around.
cd ~

Create the CA
$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
…….++++++
……………….++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:US
State or Province Name (full name) [New York]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) []:Sanborn_Widgets
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mark
Email Address []:username@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

Step 2: Create a Server Certificate

These values have to match the CA you just created, so you may want to keep the output of the previous command for reference when you run the next one. You can do this by opening another console or virtual terminal and switching back and forth between them.

openssl req -new -nodes -subj '/CN=domain.com/O=Sanborn_Widgets/C=US/ST=New York/L=New York/emailAddress=username@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650

Step 3: Sign the Certificate

# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok

Then press y for anything else it asks.

Step 4: Copy the certificates to the Postfix folder

# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
# chmod 400 /etc/postfix/FOO-key.pem

Gmail uses the Thawte Premium Server CA. You need to append its certificate to the end of /etc/postfix/cacert.pem.


Alternative Method

If you do not trust me or don’t feel comfortable copying CA certs from me, you can go to www.thawte.com/roots and download all of the certs from them. The file is called ‘ThawtePremiumServerCA_b64.txt’.

The following command appends ThawtePremiumServerCA_b64.txt to cacert.pem:

cat ThawtePremiumServerCA_b64.txt >>cacert.pem

If you want to understand how this command works, I recommend checking out Getting Familiar with the Linux Command Line.

Step 5: Add these lines to the bottom of /etc/postfix/main.cf

Note: When I first added these lines I had a space in front of the first line, which gave me errors when trying to run Postfix. The only problem was that the error was misleading, saying there was something wrong with the line above, which steered me in the wrong direction, and I ended up troubleshooting something that wasn’t broken. So make sure you have copied these lines exactly into the bottom of main.cf without any spaces in front of any of the lines.

## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
#
## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
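
Postfix reads a line that starts with whitespace as a continuation of the previous setting, so an indented line in main.cf is merged into the one above it. The following shell function is an added example, not part of the original guide: it flags such lines, reports settings the relay depends on that are absent (a misspelled name such as smtp_tls_CA_file shows up as a missing smtp_tls_CAfile), and notes that smtp_use_tls = yes leaves TLS optional. The function names and the sample file are constructed for illustration, and the smtp_tls_security_level check is an addition to the settings listed above.

```shell
#!/bin/sh
# Added example, not from the original guide. The sample main.cf is constructed.

# lint_main_cf FILE: print one finding per line; no output means no findings.
lint_main_cf() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines are ignored
    /^[ \t]/ {                          # indented text continues the setting above
        printf "line %d: leading whitespace, read as continuation of line %d\n", NR, prev
        next
    }
    {
        prev = NR
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", name)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        conf[name] = val
    }
    END {
        # Without one of these, mail is never routed to [smtp.gmail.com]:587.
        if (!("relayhost" in conf) && !("transport_maps" in conf))
            print "missing: relayhost or transport_maps"
        if (!("smtp_tls_CAfile" in conf))
            print "missing: smtp_tls_CAfile"
        if (!("smtp_sasl_password_maps" in conf))
            print "missing: smtp_sasl_password_maps"
        # smtp_use_tls = yes is opportunistic; only these levels make TLS mandatory.
        if (conf["smtp_tls_security_level"] !~ /^(encrypt|dane-only|fingerprint|verify|secure)$/)
            print "weak: TLS not mandatory, set smtp_tls_security_level = encrypt"
    }' "$1"
}

# demo_lint: run the linter over a constructed main.cf fragment.
demo_lint() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample, not a real server configuration
myhostname = localhost
 smtp_use_tls = yes
smtp_tls_CA_file = /etc/postfix/cacert.pem
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
    lint_main_cf "$f"
    rm -f "$f"
}

demo_lint
```

On a live server, postconf -n prints the settings as Postfix actually parsed them, which is a quick cross-check against the file.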

Step 7: Create the transport file

# Contents of /etc/postfix/transport
#
# This sends mail to Gmail
gmail.com smtp:[smtp.gmail.com]:587
#

Step 8: Create the SASL password

Replace username/password with your actual username and password.

#contents of sasl_passwd
#
[smtp.gmail.com]:587 username@gmail.com:password

Step 9: Hash the password and transport files

postmap sasl_passwd && postmap transport
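
The sasl_passwd file from Step 8 holds the Gmail password in clear text, and so does the sasl_passwd.db that postmap writes beside it, so both should be accessible to their owner only, like FOO-key.pem in Step 4. The following is an added example, not part of the original guide: one function writes the entry with mode 0600 before the password is stored, and one lists credential or key files that group or other can access. The function names, the temporary directory and the password are constructed; on the server the directory would be /etc/postfix.

```shell
#!/bin/sh
# Added example, not from the original guide. Directory and password are constructed.

# write_sasl_passwd DIR RELAY USER: read the password from stdin (so it never
# appears in argv or shell history) and store the map entry with mode 0600.
write_sasl_passwd() {
    (
        umask 077                      # new files are created owner-only
        IFS= read -r pw || exit 1
        : > "$1/sasl_passwd" || exit 1
        chmod 600 "$1/sasl_passwd"     # also tightens a pre-existing file
        printf '%s %s:%s\n' "$2" "$3" "$pw" >> "$1/sasl_passwd"
    )
}

# audit_postfix_secrets DIR: print mode and path of every credential or private
# key file that group or other can access. No output means all are private.
audit_postfix_secrets() {
    for f in "$1"/sasl_passwd "$1"/sasl_passwd.db "$1"/*-key.pem; do
        [ -f "$f" ] || continue
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            -???------) ;;             # owner-only, nothing to report
            *) printf '%s %s\n' "$mode" "$f" ;;
        esac
    done
}

# demo_secrets: constructed directory with one file left world-readable.
demo_secrets() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-password' |
        write_sasl_passwd "$d" '[smtp.gmail.com]:587' 'username@gmail.com'
    cp "$d/sasl_passwd" "$d/sasl_passwd.db"   # stand-in for postmap output
    chmod 644 "$d/sasl_passwd.db"
    : > "$d/FOO-key.pem"; chmod 400 "$d/FOO-key.pem"
    audit_postfix_secrets "$d" | sed "s|$d/||"
    rm -rf "$d"
}

demo_secrets
```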

Step 10: Restart the postfix server and clean up

Enter the following command as root to restart postfix:
/etc/init.d/postfix restart

Go to your home directory where you made the temporary .pem files in step 1.
cd ~

Clean up the mouse turds! :)
rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/

Does it work?

Send a test email to yourself, replacing username with your actual username. Note that this is a test and it only checks whether the message WOULD be sent. You will not get an email in your Gmail inbox.
sendmail -bv username@gmail.com

Check to see if it went:
cat /var/log/mail.log | tail

If everything went ok you will see something like this in the log
Oct 1 12:22:04 localhost postfix/smtp[21389]: 671AD676BF: to=, relay=smtp.gmail.com[123.233.169.109], delay=3, status=deliverable (delivery via smtp.gmail.com[123.233.169.109]: 250 2.1.5 OK)

If it didn’t work out you will see this in the log
Oct 1 12:21:57 localhost postfix/local[21381]: 4E5BA676BF: to=, orig_to=, relay=local, delay=0, status=undeliverable (delivery via local: unknown user: "user")

Alternative Method

After issuing the sendmail command you can check to see if it worked by checking your local email with any email client. I used mutt.

You can also check the email queue with
postqueue -p

And delete all messages in the queue with
postsuper -d ALL

If all goes well you should now have a working outgoing email server through Gmail’s SMTP. Now you can write scripts on your server to alert you of all sorts of things happening on your server.




52 Responses to "Send Mail Postfix through Gmail's SMTP on a Ubuntu LTS Server"
  1. [...] the Valentine Angles looked down on me and guided me to this site  , but whatever the case Postfix is working! I’m giving the author a trackback even though this [...]

  2. Fabrizio Durante on March 26th, 2008

    Thank you very much. It works fine. Bye Bye

  3. Daiji on June 1st, 2008

    Sigh. I’ve been looking all over the net, but still not getting anywhere. I’m getting messages like this (machine name changed). I tried using the technique described here, looked at the souptonuts article, on the prancing tarantula blog, on the honewatson blog, using ca-certificates… all to no avail. Any ideas? I am using Gutsy.

    Jun 1 08:33:54 my-desktop postfix/smtp[27774]: certificate verification failed for smtp.gmail.com[74.125.45.111]:587: untrusted issuer /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    Jun 1 08:33:54 my-desktop postfix/smtp[27774]: B0A47CCFA6: Server certificate not trusted

  4. Daiji on June 1st, 2008

    argh. ignore me. I accidentally typed smtp_tls_CA_file instead of smtp_tls_CAfile . Must’ve been too tired to notice until just now.

  5. [...] Send Mail Postfix Through Gmail’s SMTP On A Ubuntu LTS Server, an implementation on Ubuntu. [...]

  6. Andrew on July 4th, 2008

    THANK YOU. This worked perfectly. I wish I could donate money to you :P

  7. Richard on July 7th, 2008

    Worked a treat. Thanks so much!

  8. My Blog is Now 1 Year Old on July 8th, 2008

    [...] Send Mail Postfix through Gmail’s SMTP on a Ubuntu LTS Server [...]

  9. stefan on August 25th, 2008

    my password was not sent to gmail using the sasl_passwd example. when leaving out the brackets it worked.

    *example

    does not work:
    [smtp.gmail.com]:587 username@gmail.com:password

    works fine:
    smtp.gmail.com:587 username@gmail.com:password

    Thanks for a great guide!

  10. stefan on August 27th, 2008

    haha fun! i messed with the config files, had forgotten about the bracket-issue and just found my own comment here again by nothing but fortune.

    it must be karma!!

  11. Mark Sanborn on August 27th, 2008

    Stefan, did you find your own comment in Google or just remember this site?

  12. Andy S on August 27th, 2008

    Two evenings later… success!!! I had to add these lines to main.cf:

    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport

  13. Fabio on September 18th, 2008

    Thanks, this really helped me. The best explanation I found, and I’ve seen quite a few.

  14. Murilo Fujita on October 12th, 2008

    Anybody can say a comment about an error in the following command?

    cat /var/log/mail.log | tail

    cannot load RSA certificate and key data

    What do I need to work the MTA?
    Thanks a lot!

  15. David Murdoch on November 16th, 2008

    Thanks for this help. Together with
    http://fletcherpenney.net/2008/08/using_gmail_and_postfix

    this articles worked very well in setting up and configuring Pine for postfix/smtp and gmail on a Suse 10.3 system.

    Best wishes,

    David Murdoch

  16. Marcin on January 5th, 2009

    Thanks for help, unfortunately I get an error message
    Final-Recipient: rfc822; xxxxxx@gmail.com
    Action: undeliverable
    Status: 5.7.0
    Remote-MTA: dns; smtp.gmail.com
    Diagnostic-Code: smtp; 530 5.7.0 Must issue a STARTTLS command first.
    27sm17947422ugp.25
    any ideas?

  17. Mark Sanborn on January 5th, 2009

    hmm, Off the top of my head I am not sure what is wrong. Did you follow everything correctly?

  18. Paul on January 12th, 2009

    Hey Marcin,
    You must have generated your certificates incorrectly. I ran into the same issue and assumed I generated the certificates incorrectly. After I went through the process again it worked perfectly. Thanks Mark for the great tutorial

  19. Facundo on February 22nd, 2009

    Thank you very much!!!! It was really helpful!!!

  20. Graeme Nelson on February 27th, 2009

    Thank you for this step by step guide. It worked perfectly.

  21. Romanmm on March 11th, 2009

    Very-very useful article. Perfect step by step guide! Don’t forget about this row in main.cf:

    transport_maps = hash:/etc/postfix/transport

    and all will work.

    Recommendation for troubleshooting — add one more row to main.cf:

    smtp_tls_loglevel = 2 # by default 0

    and you will get many additional messages in /var/log/mail.log. Don’t forget to comment it when all will work.

    First time I read it when I installed Postfix my first time for Nagios to send the notifications. Postfix by default send mails to internal Exchange w/o any problem but send to my private gmail was a problem. I read the article but couldn’t setup the Postfix because of my little knowledge of it.
    Second time I’ve returned here after I’ve read “The book of Postfix” and now my eyes are open and I’ve setup my server for sending to Gmail easily.

    Thanks a lot!

  22. Herman on March 16th, 2009

    Worked for me w/o a problem. Thanks!

  23. Andrew on March 24th, 2009

    A couple of misc notes --

    a) You might want to be a little more explicit and say “you must create two files, sasl_passwd and transport, in the /etc/postfix directory”.

    b) AFAIK, postmap must be run as root. So it’s more like —

    sudo postmap sasl_passwd && sudo postmap transport

  24. PureLove on April 21st, 2009

    # sendmail -bv xxxx@gmail.com
    xxxxx@gmail.com… deliverable: mailer esmtp, host gmail.com., user xxxxx@gmail.com

    Any idea on this?

  25. PureLove on April 21st, 2009

    Seemed to me that it’s working, not sure why I don’t get the same output as yours, but the above is confirmed to work as well as an output that I posted in the above comment. :)

    Thanks for this great guide, now I can spam everyone? :P Just kiddin, have a great day and thanks Mark

  26. Dermot on May 1st, 2009

    can you help I have followed each of your steps but still have this error email from gmail:

    host smtp.gmail.com[216.239.59.109] said:
    530-5.5.1 Authentication Required.

    I have the correct user name and password in the sasl file but it does not seem to work still I get a response from gmail.

  27. Dermot on May 1st, 2009

    I re-created the files and it has finally worked thank you so much. I have one question the emails ‘from’ is my gmail account and not the account of my server so from is @gmail.com and not @tomred.net.

  28. Dan on May 8th, 2009

    Thanks!

    This worked great on Ubuntu 9.04 with Postfix from the Repos. I had some trouble a couple times.

    Take the steps carefully. And if something is wrong, read the comments. I did have to make these changes:

    sudo postmap sasl_passwd && sudo postmap transport

    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport

    Awesome!

  29. Jim on May 15th, 2009

    all right, ignore the above, i screwed up your instructions. everything works now, thanks a million I had no luck with prior attempts to route outgoing mail through gmail.

  30. bryan on May 28th, 2009

    Thank you! This is the only postfix/gmail tutorial that worked for me.

  31. Brock on May 29th, 2009

    this rocks. I would have never figured this one out – and I’ve gone through many manuals trying to do so. The only thing I had to add was what Andy S said:

    relayhost = [smtp.gmail.com]:587

    Working perfectly now.

  32. Hemant on June 4th, 2009

    Thanks dude !!
    Like @bryan this is the only postfix/gmail tutorial that worked for me.

  33. Mark Sanborn on June 4th, 2009

    Thank you guys for the kind comments!

  34. George SHafer on June 11th, 2009

    Thanks Mark. Well written.

    Just had to add to main.cf:

    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport

    as Andy S. had mentioned earlier.

    Thanks — You saved me a ton of time !

  35. Burk on June 15th, 2009

    Ubuntu 9.04 postfix/gmail … Working.

    1. placed sasl_passwd files into /etc/postfix/sasl/ directory.

    2. used the brackets i.e.:
    [smtp.gmail.com]:587 username@gmail.com:password

    3. changed main.cf
    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

    Thank you all contributors..

  36. First! on June 21st, 2009

    Thanks for the tutorial… also got it working with Ubuntu 9.04 postfix/gmail. I had to add the two lines as above (to main.cf):

    relayhost = [smtp.gmail.com]:587
    transport_maps = hash:/etc/postfix/transport

    I also had to play around with permissions to make main.cf readable (while the password files need only be visible by root):

    sudo chmod og+rx /etc/postfix
    sudo chmod 600 /etc/postfix/sasl_passwd*

    Finally, I had a warning like:

    warning: unable to look up public/pickup: No such file or directory

    so I used:

    sudo mkfifo /var/spool/postfix/public/pickup
    sudo /etc/init.d/postfix restart

    Thanks again!

  37. First! on June 21st, 2009

    Forgot to mention:

    When I was generating my certificate (and signing it), I was getting this warning:

    unable to write ‘random state’.

    Apparently there is a random seed file somewhere that I needed root privileges to access.

  38. Send Mail with Gmail and sSMTP on June 29th, 2009

    [...] Sometimes we want to enable our servers/desktops to be able to send email without setting up a full featured mail server or configuring postfix to route through Gmail. [...]

  39. Mathieu Malaterre on July 3rd, 2009

    Just because I do not trust you ;) I did use the default debian certificate:

    $ cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> cacert.pem

    Otherwise everything worked out perfectly, thanks !

  40. G. Lopez on July 3rd, 2009

    dude … thanks! this saved me :)

  41. VoiDeT on July 4th, 2009

    Worked perfectly for me!
    Thanks a lot :D
    As another user, i also used:
    http://fletcherpenney.net/2008/08/using_gmail_and_postfix

  42. Namae on July 17th, 2009

    The sudo postmap password && transport don’t work for me, I did it with two separate orders

    sudo postmap password
    sudo postmap transport

    and fixed

  43. Michael Tsang on August 2nd, 2009

    It finally WORKED on a Karmic system! I’d read a few tutorials before but none worked.

  44. Matt on August 2nd, 2009

    Thanks, this seems to have worked fine.

    I don’t like that my password is visible in sasl_passwd and sasl_passwd.db, but I changed permissions as suggested by First! above and at least only root can see it now.

    Thanks again.

  45. Chris on August 24th, 2009

    FYI — Google recently changed the certificate you’ll need to use. I wasn’t able to get this to work until I followed the steps outlined here:

    http://www.google.com/support/forum/p/gmail/thread?tid=7e4a679f5917149e&hl=en

  46. F-3000 on September 1st, 2009

    I had to add (only) “relayhost = [smtp.gmail.com]:587” as Andy S suggested to get this to work. Otherwise postfix tried to use port 25, which is blocked by some ISPs (including mine).

    Other than that, all went well with these instructions.

  47. realpaid on October 2nd, 2009

    Miraculous!

    Just wanted to add that this recipe works great for sending mail through Google Apps SMTP too – and you’ll even keep a copy in your sent mail!

    You just need to change the login in sasl_passwd:

    [smtp.gmail.com]:587 username@yourdomain.com:password

  48. Rob Fisher on December 14th, 2009

    Great stuff! Thanks to you and commenter Andy S on August 27th, 2008 I had this working in no time on Karmic.

  49. Anuraag on January 10th, 2010

    Thanks so much Mark! These worked like a charm for me.

  50. pieter vijfvinkel on January 17th, 2010

    Thank you very much Mark! It worked exactly how you described it. Running on Ubuntu 8.04.

  51. Cory on February 12th, 2010

    Just what I was looking for and worked as described. Thanks.

  52. Andy Moorhouse on February 13th, 2010

    Thanks a lot Mark, that is excellent, works fine on Ubuntu 9.10 minimal(-ish) server.