Configuring[Ubuntu] Postfix and Gmail in 10+1 Easy Steps

So, yesterday I was cruising around rent-a-coder to see what I could see, and there I find this fellow who is looking for a PHP coder to do a mail form that will send images to cell phones. I thought to myself "hey, I could do that.. I just have to set up my machine to allow me to test it out". No problem right? BZZT... My wonderful ISP blocks the outbound e-mail (Port 25) so unless I want to send it through their server I am stuck. Now enters gmail. It is possible to easily set up any email program to use gmail as the SMTP server so I figured it would be no problem to set postfix up to do the same. BZZT... I was 0 for 2.

Here we go....

---------------------------------------------------------

Step 1:

Make sure our system is up to date. Open up a terminal window. You will see a '$' at the left. This is the prompt where you type the commands and in all my command from this point on it will be the left most character. After the first command it will ask you for your password. This should be the password you use to log into your machine. Non-Ubuntu machines will normally use the root user's password, which was determined during the installation of the operating system.

$sudo apt-get update
$sudo apt-get upgrade

Step 2:

We now need to install the tools used to make the connection happen. Gmail requires authentication using a password so we have to make sure to install all the necessary tools. Some questions will pop up while the system installs Postfix, just hit tab and enter for now.

$sudo apt-get install postfix libsasl2 sasl2-bin libsasl2-modules libdb3-util procmail

The previous command installs Postfix (our mail server program) adds sasl and tsl support for postfix (required for postfix to do the encrypted authentication needed by gmail) and procmail which is the Mail Delivery Agent that Postfix uses to rout the email coming into it.

Step 3:

Next we have to reconfigure Postfix so that the configuration file is set up correctly for us. You will be prompted with a series of questions which we will go over here. The answers are in bold.

If you have a domain name (bob.com, or some Dynamic DNS service domain name) for your network, you may put that in place of server1.example.com just make sure it matches what ever you list as your computer in /etc/hosts. Similarly, if you will be using this machine to rout e-mail from other machines on the network, make sure to add those machine names to the answer to "destinations" question and put your network IP (usually 192.168.1.0 check those first 3 numbers using ifconfig in the terminal to be sure though) in at the "local network" question

General type of configuration? Internet Site
Where should mail for root go? NONE
Mail name?server1.example.com
Other destinations to accept mail for? (blank for none)server1.example.com, localhost.example.com, localhost
Force synchronous updates on mail queue? No
Local networks? 127.0.0.0/8
Use procmail for local delivery? Yes
Mailbox size limit?0
Local address extension character? +
Internet protocols to use? all

Step 4:

Now we will run some commands that will put a few more tidbits of info in the file before we add the meat later on. Due to the constraints of the web, that first command may be on two lines.

$sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
$sudo postconf -e 'inet_interfaces = all'
$sudo postconf -e 'broken_sasl_auth_clients = yes'
$sudo echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
$sudo echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

The last two commands allow Postfix to authenticate users connecting to it.

Step 5:

Before we enter into our configuration file, we have to create a certificate to use when contacting gmail. This certificate is a way for systems on the internet to identify that you really are the person or network that sent the message. Verisign issues these for companies, and they cost a lot of money because financial transactions require more stringent verification than what we will be doing. For our needs, we will make our own.

The first step is to create a Certificate Authority file. Both the server certificate and public key will be built using this file. To start the Certificate Authority generation script In Ubuntu, type:

$sudo /usr/lib/ssl/misc/CA.pl -newca

For other Linux versions the ssl directory may be located in /usr/local/ or /usr/share. Poke around if you cannot launch the CA.pl file using any of those paths.

Once you launch the script you should see this:

CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
...................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:

At this point you will have to pick a password that you will need to remember in order to generate the remainder of the files, as well as any other files you might want to make for yourself later on using this CA (pgp keys, apache ssl keys, etc). It will ask you to verify this password to make sure you typed it correctly.

Following the initial creation of the CA file, it will ask you some questions to uniquely identify this certificate. This is what you should see:

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

You can make up all this info, but make sure you can remember it as you will need to know it later on. All you need to fill in is the country code, the state (if you are from the US), your city, and the organization name (if it is a multi word name, use underscores for spaces). When you see it ask for your common name, just enter the domain name you used in the postfix configuration (it does not matter what you enter really as long as you enter something), Finally, enter an e-mail when it asks. Everything else can be left blank. This is what you should see on the screen:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Pennsylvania]:Michigan
Locality Name (eg, city) []:Detroit
Organization Name (eg, company) []:BMS_Industries

If you screw up, you can re-run the CA.pl script but make sure to delete the demoCA directory which will be located in the directory you are doing all this work.

Now that we have created a Certificate Authority file we can make the server certificate and the public key used in the authentication process. To make the server certificate run this command replacing the information in the single quotes with the information you put into your CA file:

$sudo openssl req -new -nodes -subj '/CN=squeezel.squeezel.com/O=BMS_Industries/C=US/ST=Michigan/L=Detroit/emailAddress=BMS@newsvine.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650

CN is the place you put the common name you used, O is the organization name, C is the country, ST is the state, L is the city, emailAddress is... well.. the email address you used. Make sure you enter those items in EXACTLY the way you did above or your key will not authenticate.

What this command does is it creates a certificate key file called FOO-key.pem and a req file called FOO-req.pem. The second file will be used to create the certificate file we will need.

To create the certificate file we issue the command:

$sudo openssl ca -out FOO-cert.pem -infiles FOO-req.pem

This create a signed certificate file that will be used to verify your identity as the originating server. Simply answer yes to the prompts that follow.

Finally copy the certificate files to /etc/postfix and give them the needed permissions:

$sudo cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
$sudo chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
$sudo chmod 400 /etc/postfix/FOO-key.pem

Step 6:

Now we can go back to our postfix configuration and make some changes to the main.cf file and create some other needed files. From this point out, all the things we are checking are meant to make sure Postfix itself is operational and has nothing to do with the certificates we created above.

Check your computer's hostname by looking in the /etc/hostname file. If you are using another Linux system this may be different (/etc/sysconfig/network or the like). To check the hostname file you can simple type $cat /etc/hostname and it will display the information in the terminal. Using this information, we want to make sure everything knows what the hostname is so run the command $sudo hostname bob.com replacing "bob.com" with what ever your hostname file says. This simply makes sure we are in a known state off wellness for the rest of the configuration.

Next move to the /etc/postfix directory, back up main.cf $sudo mv main.cf main.cf.old and open up the main.cf file in your favorite text editor (I think HowTo writers are suppose to say vi to sound cool but you can use gedit or nano if you like):

$sudo gedit main.cf

Copy the following lines to the bottom of your main.cf. Being at the bottom, it will override any settings made at the top that have the same name.

## Add these lines to the bottom on main.cf
##
##


## TLS Settings
#
# For no logs set = 0
smtp_tls_loglevel = 1
#
# smtp_enforce_tls = yes
# Above is commented because doing it site by site below
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd


## Gmail Relay
relayhost = [smtp.gmail.com]:587

## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table

# Disable DNS Lookups
disable_dns_lookups = yes
#
# Great New feature Address Mapping
# for example may mchirico@localhost to mchirico@gmail.com
smtp_generic_maps = hash:/etc/postfix/generic
#
#
transport_maps = hash:/etc/postfix/transport

One of the key entries in this stuff is the GMAIL RELAY section. This is the setting that turns our postfix system into a smarthost configuration. This is what we need to use use gmail's SMTP servers. More importantly. we are using port 587 which is not the SMTP port. This is why using gmail to send our outgoing mail is beneficial... ISPs do not block this port. Also notice that we have what appears to be repeated lines for our certificates. If you look closely however, one is smtp the other is smtpd. One is the configuration for the service, the other is the configuration for the client. Finally you can see a number of 'hash:' lines. The top of your config file will have some hash lines as well. Do not worry about those since the initial setup took care of those. The hashes we refer to need to be created still. Lets go do that now.

Step 7:

Setting up the sasl_passwd file and hash is necessary to log into gmail. Remaining in the /etc/postfix directory issue the command:

$sudo gedit sasl_passwd

This creates a new file in /etc/postfix called sasl_passwd.

Place into that file the following:

[smtp.gmail.com]:587 bms@gmail.com:password

The smtp info needs to remain, but you must change the email address and the password to match your own.

Next we need to make a hash file out of this. Enter $sudo postmap sasl_passwd

That is all we have to do to make the sasl_passwd. Equally exciting is that the other hash files are just as easy to make.

Step 8:

Next create the generic file and hash using the same methods in the last section with this inside:

bms@squeezel.bob.com bms@gmail.com

replace bms@bob.com with your username on your linux box before the '@' sign and your hostname after the '@'. Similarly, replace 'bms@gmail.com' with your gmail address.

Step 9:

Now we need to make the transport file and hash. This is the file that tells postfix how to rout emails it gets.

Open a new text file called transport and enter into it:

# This sends mail to Gmail
gmail.com smtp:[smtp.gmail.com]:587
#
# Except mail going to the tape and closet server
comp1.bob.com relay:[comp1.bob.com]
comp2.bob.com relay:[comp2.bob.com]

What this tells postfix is to send all mail to gmail except for two cases. On my network I have two other computers. One called comp1 the other called comp2. I am telling postfix to send email meant for those two computers directly to them.

Remember to make the hash for the transport file.

Step 10:

We now need to create the tls_per_site file and hash. This is possibly the most important file to create after the main.cf. This file will protect us from "man-in-the-middle" attacks by forcing a secure connection to the remote machine BEFORE we send any passwords.

Create the file tls_per_site and enter:

smtp.gmail.com MUST
comp1.bob.com MUST
comp2.bob.com MUST
p>

Replacing my domains with your domains and making the hash with postmap.. yada yada. The 'MUST' keyword tells postfix to establish a secure connection with those domains before doing any password hanky panky. If you do not want to worry about your local network because it is small like mine and does not rely on wireless networking, then you can use the keyword MAY. Gmail is a MUST however.

Step 10 + 1:

Open master.cf using $sudo gedit master.cf and find the line that reads relay unix - - n - - smtp. It will be a little ways down. Beneath that line, you will probably see a few settings that start with '-o', we will be adding one more. Enter -o smtp_generic_maps= right below the relay line. This entry tells postfix to send out your emails with your gmail address as the originating address rather than your Ubuntu account and domain. When ever you edit the master.cf file you need to reload postfix. To do this simply issue the command
$sudo postfix reload.

That is all there is to it. Make sure your postfix server is started by typing $sudo postfix start. You should now have a working postfix server that sends messages out through gmail's smtp servers. Test it out and make sure it works.

Note: If you check the mail.log file you might notice that your certificate is not validating with gmail. I have not found a reason for this yet but it doe snot seem to impede the function

To fix the errors in you mail.log file follow These Instructions. However, replace Thawte_Premium_Server_CA.pem with Equifax_Secure_CA.pem

If you are experiencing any problems, please read through the comments section. Many problems have been asked and answered and the solution may exist there.

Back To Top