This post assumes you have postfix and mailutils installed and that you're on Ubuntu 16.04, because I don't know if it's the same in other distros. ¯\_(ツ)_/¯
Recently I installed GitLab at home. It uses Postfix to send you mail. I didn't really want to go through the hassle of setting up a fully decked-out mail server. Anyway, here's how I set up Gmail as a relay.
We know that Gmail's SMTP server is at smtp.gmail.com. SMTP's default port is 25, but my ISP is probably blocking it. I can check that with telnet:

```
btamayo@gitlab:~$ telnet smtp.gmail.com 25
Trying 220.127.116.11...
^C
```
It hangs on connect, so it's blocked. Try 587, the mail submission port:

```
btamayo@gitlab:~$ telnet smtp.gmail.com 587
Trying 18.104.22.168...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP b6sm53626027pfe.85 - gsmtp
```
Here's an interesting (but long) debugging thread that reminded me that ISPs are shady as hell:
By stripping out [STARTTLS], these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. [...] Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. [src via the EFF]
💡 More links on privacy and ISPs and technical details in the Goodies Section at the end.
If you're going to use Gmail as a relay, you most definitely should not use your main email address unless you're 100% sure of what you're doing and of the security implications (which I am no expert in). Create a separate account for this. Secure it with a good password, but do not send anything that contains sensitive or personal data to/from this address. Keep in mind that this account's password will sit in the clear in /etc/postfix/sasl_passwd on the GitLab box, so anyone who gets root there gets the account.
Unless you're using a G Suite account, you may need to turn on Less Secure Apps (Gmail Help Article; G Suite users use this link) for the relay Gmail account. (Google has since retired the Less Secure Apps setting; the current equivalent is an app password on an account with 2-Step Verification turned on.) I'm gonna call it [email protected]. Sign in to the account on gmail.com once and clear any CAPTCHAs or verification steps.
For the following sections just remember two things:
- Prompt starting with $ is non-root sudo user
- Prompt starting with # is root
We now have a new Gmail account at [email protected]. Edit /etc/postfix/main.cf and add the following lines at the bottom, making sure none of these keys already appear earlier in the file (Postfix keeps the last value it sees, so a duplicate silently wins):

```
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_security_level = encrypt
```

Two notes on that block. smtp_sasl_auth_enable defaults to no, so without it Postfix never logs in and Gmail refuses to relay; it has to be there. And smtp_tls_security_level = encrypt replaces the older smtp_use_tls = yes: the old setting is opportunistic, meaning Postfix quietly falls back to plaintext if the server doesn't advertise STARTTLS, which is exactly the ISP stripping scenario quoted above. With encrypt, delivery fails instead of leaking. The square brackets around smtp.gmail.com tell Postfix to skip the MX lookup and connect to that host directly.
Cool. Now, even though this will be encrypted over TLS, I want to stress here that you should most definitely use a new, separate account that you just made for this.
This won't work yet. Postfix still needs the account's credentials, and we still need to give it a CA certificate to check Gmail's certificate against.
Create or edit /etc/postfix/sasl_passwd with the following contents (replace [email protected] with the address you created and password with its password):

```
[smtp.gmail.com]:587 [email protected]:password
```

The left-hand side must match relayhost exactly, brackets and port included, otherwise the lookup misses and Postfix connects without authenticating.
Lock the file down so only root can read it (0600 works too), then use postmap to build the lookup table:

```
# chmod 400 /etc/postfix/sasl_passwd
# postmap /etc/postfix/sasl_passwd
```

postmap writes /etc/postfix/sasl_passwd.db next to it; check that the .db isn't readable by other users either (ls -l /etc/postfix/sasl_passwd*), since it holds the same password. "hash" here means a Berkeley DB index, not a password hash: the password is stored in the clear in both files.
Last part is the CA cert, so Postfix has something to check Gmail's certificate chain against. We can use GlobalSign's root, which is already on the machine. There are other ways of obtaining a valid cert if needed. In our config we specified smtp_tls_CAfile = /etc/postfix/cacert.pem, so append the root to that file:

```
# cat /etc/ssl/certs/GlobalSign_Root_CA.pem | tee -a /etc/postfix/cacert.pem
```

Two caveats. Google has changed the root its chain ends in more than once, so a single hand-picked root can stop matching; pointing smtp_tls_CAfile at the distro bundle (/etc/ssl/certs/ca-certificates.crt on Ubuntu) is more robust. And at security level encrypt Postfix only logs whether the chain verified ("Trusted" versus "Untrusted TLS connection established" in the mail log); it does not refuse to send on a mismatch. If you want a bad certificate to actually block delivery, use smtp_tls_security_level = secure, which also checks that the certificate's name matches smtp.gmail.com.
Restart the service and test it:

```
# service postfix restart
# echo "Hello World" | mail -s "Test Message" [email protected]
```

Check the logs (could be in mail*.log or syslog; mine was in syslog):

```
Feb 19 14:43:36 gitlab postfix/smtp: A1D012609B8: to=<[email protected]>, relay=smtp.gmail.com[22.214.171.124]:587, delay=1.3, delays=0.01/0/0.55/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1519080216 o135sm64453540pfg.45 - gsmtp)
```

The 250 2.0.0 OK at the end is Gmail accepting the message. A few lines above it there should also be a "Trusted TLS connection established to smtp.gmail.com..." entry from postfix/smtp; if it says "Untrusted", the session was encrypted but Gmail's certificate did not chain to anything in your smtp_tls_CAfile. If instead the message bounces with a 5xx from Gmail mentioning authentication, check that the key in sasl_passwd matches relayhost exactly and that smtp_sasl_auth_enable is yes.
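As an added example (mine, not code from the original post or from Postfix), here is a small bash audit script that reads a main.cf and flags the things above that bite in practice: a missing smtp_sasl_auth_enable, an opportunistic-only TLS setting (smtp_use_tls = yes with no smtp_tls_security_level = encrypt), a relayhost that won't match the sasl_passwd key format, and a sasl_passwd or sasl_passwd.db that other users can read. The script name, the cf_get/private_file/audit_relay_config function names and the simplified key = value parsing are my assumptions; it ignores Postfix's indented continuation lines and $variable expansion.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: audit a Postfix main.cf for the
# Gmail-relay settings that matter, and check the credential file permissions.
# Assumes one "key = value" per line starting in column 0 (indented
# continuation lines are ignored, $variables are not expanded) and that the
# password map is a "hash:/path" map.
# Usage: bash postfix-relay-audit.sh /etc/postfix/main.cf
set -u

# cf_get FILE KEY: print KEY's value. Like Postfix, the last definition wins.
cf_get() {
  awk -v k="$2" '
    /^[ \t]*#/ { next }                             # comment line
    /^[A-Za-z_0-9]+[ \t]*=/ {
      i = index($0, "=")
      name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
      if (name != k) next
      val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      last = val
    }
    END { print last }' "$1"
}

# private_file FILE: succeed only if FILE has no group/other permission bits.
private_file() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_relay_config FILE: print one line per finding; return 0 when clean.
audit_relay_config() {
  local file=$1 rc=0 v maps pw f

  # [host] skips the MX lookup; 587/465 are the submission ports. This exact
  # string is also the lookup key Postfix uses in sasl_passwd.
  v=$(cf_get "$file" relayhost)
  case "$v" in
    \[*\]:587|\[*\]:465) ;;
    *) echo "relayhost: expected [smtp.gmail.com]:587 style, got '${v:-unset}'"; rc=1 ;;
  esac

  v=$(cf_get "$file" smtp_sasl_auth_enable)
  [ "$v" = yes ] || { echo "smtp_sasl_auth_enable: must be yes (default is no, so Postfix never logs in)"; rc=1; }

  # smtp_use_tls = yes (or level "may") is opportunistic: a stripped STARTTLS
  # silently becomes plaintext. Only encrypt/secure/verify make TLS mandatory.
  v=$(cf_get "$file" smtp_tls_security_level)
  case "$v" in
    encrypt|secure|verify) ;;
    *) echo "smtp_tls_security_level: '${v:-unset}' leaves TLS optional; use encrypt or secure"; rc=1 ;;
  esac

  v=$(cf_get "$file" smtp_sasl_security_options | tr -d ' ')
  case ",$v," in
    *,noanonymous,*) ;;
    *) echo "smtp_sasl_security_options: should include noanonymous"; rc=1 ;;
  esac

  maps=$(cf_get "$file" smtp_sasl_password_maps)
  if [ -z "$maps" ]; then
    echo "smtp_sasl_password_maps: unset"; rc=1
  else
    pw=${maps#hash:}
    # sasl_passwd holds the password in the clear, and so does the .db postmap builds
    for f in "$pw" "$pw.db"; do
      [ -e "$f" ] || continue
      private_file "$f" || { echo "$f: readable by group/other ($(ls -ld "$f" | cut -c1-10))"; rc=1; }
    done
  fi
  return $rc
}

# Only runs when a file is given on the command line.
if [ -n "${1:-}" ]; then
  audit_relay_config "$1" && echo "$1: relay settings look sane"
fi
```

Run it as bash postfix-relay-audit.sh /etc/postfix/main.cf, or on the output of postconf -n saved to a file (that output already has duplicate keys resolved). A clean config prints the "look sane" line and exits 0; anything else exits 1 with one line per problem.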
Mistakes? Grammar/spelling? Comments? You can always @ me on Twitter!
✨ GOODIES SECTION 🌈
If you open the main.cf file, there's this comment:

```
...
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
...
```
You can see the doc via:

```
$ sudo apt-get install postfix-doc
$ zless /usr/share/doc/postfix/TLS_README.gz
```

(That's right, zless and zmore work directly on .gz files. 😎)
You'll find that it says:
If you want the Postfix SMTP client to accept remote SMTP server certificates issued by these CAs, append the root certificate to $smtp_tls_CAfile or install it in the $smtp_tls_CApath directory.
There's also a copy on the internet (http://www.postfix.org/TLS_README.html), which, yes, I realized after I did all the steps above. It was 2am.
Further reading on Gmail and SMTP:
- Google KB: Less secure apps
- Google KB: Send email from a printer, scanner, or app
- Google KB: SMTP relay: Route outgoing non-Gmail messages through Google
🔗 ISPs are shady:
A post on Computerworld explaining in pretty good technical detail the security implications of xfinity/comcast shenanigans with xfinity wifi. It also refers to:
- Ars Technica + NPR's joint experiment
- SF Gate: Comcast sued for turning home Wi-Fi routers into public hotspots
Fun blogs & links & tools!
More things you can do with Postfix:
- postalias(1), create/update/query alias database
- postcat(1), examine Postfix queue file
- postconf(1), Postfix configuration utility
- postfix(1), Postfix control program
- postfix-tls(1), Postfix TLS management
- postkick(1), trigger Postfix daemon
- postlock(1), Postfix-compatible locking
- postlog(1), Postfix-compatible logging
- postmap(1), Postfix lookup table manager
- postmulti(1), Postfix multi-instance manager
- postqueue(1), Postfix mail queue control
- postsuper(1), Postfix housekeeping
- mailq(1), Sendmail compatibility interface
- newaliases(1), Sendmail compatibility interface
- sendmail(1), Sendmail compatibility interface