There are situations where relaying outbound mail through Gmail is useful: an internal mail server on a dynamic IP address (whose mail many receivers reject outright), or a single server hosting an application with a contact form and a mail daemon listening only on localhost. In those cases Postfix can relay its SMTP traffic to the Gmail servers via smtp.gmail.com, authenticating with a valid Google account over SASL. It is easy to set up, but a few rules have to be configured for Postfix to talk to the Gmail SMTP servers.
– Edit the Postfix configuration:
# vi /etc/postfix/main.cf

# TLS parameters
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Relay host configuration
relayhost = [smtp.gmail.com]:587

# SASL configuration
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = plain
smtp_sasl_tls_security_options = noanonymous
– Add the relay account used to send the mail (with a current Google account this has to be an app password generated under 2-Step Verification, not the account password), then build the lookup table. The file holds the credential in clear text, so restrict it to root (chmod 600 on sasl_passwd and on the generated sasl_passwd.db):
# vi /etc/postfix/sasl_passwd
[smtp.gmail.com]:587 [email protected]:Password
# postmap /etc/postfix/sasl_passwd
– Configuration that forces TLS with the Gmail SMTP server. The encrypt level makes TLS mandatory but does not verify the server certificate; if you want the certificate checked as well, use the secure level instead and point smtp_tls_CAfile at the system CA bundle:
# vi /etc/postfix/tls_policy
[smtp.gmail.com]:587 encrypt
# postmap /etc/postfix/tls_policy
– Restart the Postfix service:
# /etc/init.d/postfix restart
– If mail is not going out and mail.log shows the following error:
Mar 29 15:10:36 www postfix/smtp[6927]: 7B39F1232BC: SASL authentication failed; cannot authenticate to server smtp.gmail.com[173.194.70.108]: no mechanism available
Probably the SASL client plugins are missing: install the package libsasl2-modules (Debian/Ubuntu; on CentOS/RHEL the equivalent package is cyrus-sasl-plain) and restart Postfix again.
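Before restarting, it is worth checking that the three pieces above agree with each other. The shell script below is an added example and not part of the original post: it reads relayhost from main.cf, confirms that exactly that string is the lookup key in sasl_passwd and tls_policy (the key must match character for character, brackets and port included, otherwise Postfix finds no credentials and no TLS policy for the relay and sends the mail unauthenticated), confirms that postmap has been run on both files, and confirms that the password file is not readable by group or other. The directory is passed as an argument; the sample files it builds for the dry run are constructed in a temporary directory with a placeholder account, and on a real host you would call check_relay_config /etc/postfix.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a Postfix-to-Gmail relay setup.
# Assumed: the Postfix configuration directory is passed as an argument (/etc/postfix on a real host).

check_relay_config() {
    dir="$1"
    status=0
    # relayhost as configured in main.cf, e.g. "[smtp.gmail.com]:587"
    relayhost=$(sed -n 's/^relayhost[[:space:]]*=[[:space:]]*//p' "$dir/main.cf" 2>/dev/null | tail -n 1)
    if [ -z "$relayhost" ]; then
        echo "FAIL: no relayhost in $dir/main.cf"
        return 1
    fi
    for f in sasl_passwd tls_policy; do
        # The .db file only exists once postmap has been run on the source file.
        if [ ! -f "$dir/$f.db" ]; then
            echo "FAIL: $dir/$f.db missing, run: postmap $dir/$f"
            status=1
        fi
        # Literal (not regex) match of the relayhost key at the start of a line, followed by whitespace.
        if ! awk -v key="$relayhost" \
               'index($0, key) == 1 && substr($0, length(key) + 1, 1) ~ /[ \t]/ { found = 1 }
                END { exit !found }' "$dir/$f" 2>/dev/null; then
            echo "FAIL: $dir/$f has no entry keyed exactly \"$relayhost\""
            status=1
        fi
    done
    for f in sasl_passwd sasl_passwd.db; do
        # Characters 5-10 of "ls -l" output are the group and other permission bits.
        if [ -f "$dir/$f" ] && [ "$(ls -l "$dir/$f" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $dir/$f is readable by group/other, run: chmod 600 $dir/$f"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: $dir relay configuration is consistent"
    return "$status"
}

# Constructed sample configuration for a dry run: placeholder account, no real credentials.
# $2 is the lookup key written into sasl_passwd and tls_policy, so a mismatch can be simulated.
make_sample_config() {
    dir="$1"
    key="$2"
    mkdir -p "$dir"
    cat > "$dir/main.cf" <<EOF
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$dir/sasl_passwd
smtp_tls_policy_maps = hash:$dir/tls_policy
EOF
    printf '%s relay-account@example.com:app-password\n' "$key" > "$dir/sasl_passwd"
    printf '%s encrypt\n' "$key" > "$dir/tls_policy"
    : > "$dir/sasl_passwd.db"     # stands in for the postmap output
    : > "$dir/tls_policy.db"
    chmod 600 "$dir/sasl_passwd" "$dir/sasl_passwd.db"
}

demo() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp/good" '[smtp.gmail.com]:587'
    check_relay_config "$tmp/good" || echo "unexpected failure"
    # Typical mistake: key without brackets and port, plus a world-readable password file.
    make_sample_config "$tmp/bad" 'smtp.gmail.com'
    chmod 644 "$tmp/bad/sasl_passwd"
    if check_relay_config "$tmp/bad"; then echo "unexpected pass"; fi
    rm -rf "$tmp"
}
demo
# On a live host: check_relay_config /etc/postfix
```

The checks deliberately read the source files rather than querying Postfix, so the script also works on a staging copy of the directory. On the live host, postconf -n shows the settings Postfix actually picked up from main.cf.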
Brilliant. Worked perfectly after trying a billion other ways of doing it. CentOS 6.4 BTW.
Thanks!!
Thanks for the info. This will let me kill my ISP email account because the only thing I was using it for was for outbound email access on my centos / postfix box.
Just a reminder: open tcp port 587 for INPUT and OUTPUT in iptables and any other upstream firewalls you might have. Depending on the situation (LOCALHOST only, for example) you can close down port 25.
iptables -A OUTPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzz {your postfix server IP] -dport 587
iptables -A INPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzz {your postfix server IP] -dport 587
You might not need the INPUT rule, but I would include it to start with. Identifying the source IP address (-s) will help to limit (but not eliminate) mail server relay takeover attempts.
D’oh. Homer moment on the iptables rules. Try this instead:
iptables -A OUTPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzzz {your postfix server IP} --dport 587 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -s wwww.xxxx.yyyy.zzzz {your postfix server IP} --dport 587 -j ACCEPT