In some situations it’s needed if you have an internal mail server with a dynamic IP address, or simply one server hosting an application that have one form contact for example and a mail daemon listening in localhost, it can be very useful relay smtp traffic to the gmail servers, using smtp.gmail.com, and using a valid account autheticating via SASL. It’s very easy to implement but you have to configure some rules to talk with the gmail smtp servers.

postfix_gmail_smarthost

– Edit postfix configuration:

# vi /etc/postfix/main.cf

#TLS parameters
 smtpd_use_tls=yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 smtp_tls_note_starttls_offer = yes
 smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

#Relay host configuration
 relayhost = [smtp.gmail.com]:587

# SASL Configuration
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_mechanism_filter = plain
 smtp_sasl_tls_security_options = noanonymous

– Add relay user to send the mail:

# vi /etc/postfix/sasl_passwd

 [smtp.gmail.com]:587 [email protected]:Password

# postmap /etc/postfix/sasl_passwd

– Config to force the use of ssl with the gmail smtp server:

 # vi /etc/postfix/tls_policy

[smtp.gmail.com]:587 encrypt

# postmap /etc/postfix/tls_policy

– Restart postfix service:

 # /etc/init.d/postfix restart

– If you have problems with mail traffic and see in mail.log file the next error:

Mar 29 15:10:36 www postfix/smtp[6927]: 7B39F1232BC: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.70.108]: no mechanism available

Probably you need to install the package libsasl2-modules and restart postfix again.

Postfix SMTP Relay to smtp.gmail.com
Tagged on:         

4 thoughts on “Postfix SMTP Relay to smtp.gmail.com

  • April 23, 2013 at 22:06
    Permalink

    Brilliant. Worked perfectly after trying a billion other ways of doing it. CentOS 6.4 BTW.

    Thanks!!

    Reply
  • June 4, 2013 at 19:14
    Permalink

    Thanks for the info. This will let me kill my ISP email account because the only thing I was using it for was for outbound email access on my centos / postfix box.

    Just a reminder: open tcp port 587 for INPUT and OUTPUT in iptables and any other upstream firewalls you might have. Depending on the situation (LOCALHOST only, for example) you can close down port 25.

    iptables -A OUTPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzz {your postfix server IP] -dport 587
    iptables -A INPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzz {your postfix server IP] -dport 587

    You might not need the INPUT rule, but I would include it to start with. Identifying the source IP address (-s) will help to limit (but not eliminate) mail server relay takeover attempts.

    Reply
  • June 4, 2013 at 19:25
    Permalink

    D’oh. Homer moment on the iptables rules. Try this instead:

    iptables -A OUTPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzzz {your postfix server IP} -dport 587 -j ACCEPT
    iptables -A INPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzzz {your postfix server IP} -dport 587 -j ACCEPT

    Reply
  • Pingback: CiberSeguridad by Elcos

Leave a Reply

Follow

Get every new post delivered to your Inbox

Join other followers: