Send Mail Postfix through Gmail's SMTP on a Ubuntu LTS ServerWritten by Mark Sanborn: Oct 1, 2007
After looking on the internet for awhile I finally found a decent guide on how to setup Gmail SMTP through postifx; however, after following the guide I found that it left parts out or things didn’t work quite the same on a Ubuntu server. This guide is intended to get Gmail’s SMTP set up through postifx on a LTS Ubuntu server quickly and without too much information about other operating systems; although, you could probably adapt the guide to work on other systems.
Google’s Gmail service requires the protocols TLS and SASL2 to be built into Postfix. Luckily this is already done on the Ubuntu LTS Server.
In order to communicate with google we need to have Gmail’s certificate authority and we need to generate our own Certificate Authority (CA).
Step 1: Create a Certificate Authority
Since we will be creating temporary files and will want to delete them later, Change the directory to your home directory so we don’t forget to delete them later and leave what I call “mouse turds” laying around.
Create the CA
$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate … Generating a 1024 bit RSA private key …….++++++ ……………….++++++ writing new private key to ‘./demoCA/private/cakey.pem’ Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
Country Name (2 letter code) [US]:US State or Province Name (full name) [New York]:New York Locality Name (eg, city) :New York Organization Name (eg, company) :Sanborn_Widgets
Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :Mark Email Address :email@example.com
Please enter the following ‘extra’ attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok
Step 2: Create a Server Certificate
Since these values have to match with the CA you just created. You may want to keep that output of what you just did to reference it for the next command. You can do this by opening another console or virtual terminal and switch back and forth between them.
openssl req -new -nodes -subj '/CN=domain.com/O=Sanborn_Widgets/C=US/ST=New York/L=New York/emailAddressfirstname.lastname@example.org' -keyout FOO-key.pem -out FOO-req.pem -days 3650
Step 3: Sign the Certificate
openssl ca -out FOO-cert.pem -infiles FOO-req.pem
Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok
Then press y for anything else it asks.
Step 4: Copy the certificates to the Postfix folder
cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
chmod 400 /etc/postfix/FOO-key.pem
Gmail uses the Thawte Premium Server CA. You need to add this to the end of /etc/postfix/cacert.pem
If you do not trust me or don’t feel comfortable copying CA certs from me you can get it from www.thawte.com/roots and download all of the certs from them. The file is called, ‘ThawtePremiumServerCA_b64.txt’.
The following code would put it in cacert.pem from the ThawtePremiumServerCA_b64.txt
cat ThawtePremiumServerCA_b64.txt >>cacert.pem
If you want to understand how this command works I recommend checking out, Getting Familiar with the Linux Command Line.
Step 5: Add these lines to the bottom of /etc/postfix/main.cf
Note: When I first added these lines I had a space in front of the first line which would give me errors when trying to run postfix. The only problem was the error was misleading saying there was something wrong with the line above steering me into the wrong direction and I ended up trouble shooting something that wasn’t broke. So make sure you have copied these lines exactly into the bottom of main.cf without and spaces in front of any of the lines.
`## TLS Settings # smtp_tls_CAfile = /etc/postfix/cacert.pem smtp_tls_cert_file = /etc/postfix/FOO-cert.pem smtp_tls_key_file = /etc/postfix/FOO-key.pem smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache smtp_use_tls = yes smtpd_tls_CAfile = /etc/postfix/cacert.pem smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem smtpd_tls_key_file = /etc/postfix/FOO-key.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache smtpd_use_tls = yes tls_random_source = dev:/dev/urandom #
This is going in to THIS server
smtpd_sasl_auth_enable = no
We need this
smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtpd_sasl_local_domain = $myhostname smtp_sasl_security_options = noanonymous #smtp_sasl_security_options = smtp_sasl_tls_security_options = noanonymous smtpd_sasl_application_name = smtpd`
Step 7: Create the transport file
`# Contents of /etc/postfix/transport #
This sends mail to Gmail
gmail.com smtp:[smtp.gmail.com]:587 #`
Step 8: Create the SASL password
Replace username/password with your actual username and password.
#contents of sasl_passwd
Step 9: Hash the password and transport files
postmap sasl_passwd && postmap transport
Step 10: Restart the postfix server and clean up
Enter the following command as root to restart postfix:
Go to your home directory where you made the temporary .pem files in step 1.
Clean up the mouse turds! :)
rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/
Does it work?
Send a test email to yourself, replace username with your actual username. Note this is a test and it only tests to see if it WOULD send. You will not get an email in your Gmail inbox.
sendmail -bv email@example.com
Check to see if it went
cat /var/log/mail.log | tail
If everything went ok you will see something like this in the log
Oct 1 12:22:04 localhost postfix/smtp: 671AD676BF: to=, relay=smtp.gmail.com[126.96.36.199], delay=3, status=deliverable (delivery via smtp.gmail.com[188.8.131.52]: 250 2.1.5 OK)
If it didn’t work out you will see this in the log
Oct 1 12:21:57 localhost postfix/local: 4E5BA676BF: to=, orig_to=, relay=local, delay=0, status=undeliverable (delivery via local: unknown user: "user")
After issuing the sendmail command you can check to see if it worked by checking your local email with any email client. I used mutt.
You can also check the email queue with
And deleting all messages in queue with
postsuper -d ALL
If all goes well you should know have a working outgoing email server through Gmail’s SMTP. Now you can write scripts on your server to alert you of all sorts of things happening on your server.
Need to print shipping labels on your site?
Checkout my product RocketShipIt for simple easy-to-use developer tools for UPS™ FedEx™ USPS™ and more.