Using Gmail as a Postfix relay on Ubuntu 16.04 for GitLab
A mini-adventure
This post assumes you have the packages postfix
and mailutils
installed and you're using Ubuntu 16.04 bc I don't know if it's the same in other distros. ¯\(ツ)/¯
Recently I installed GitLab at home. It uses Postfix to send you mail. I didn't really want to go through the hassle of setting up a fully decked-out mail server. Anyway, here's how I set up Gmail as a relay.
We know that their SMTP server is at smtp.gmail.com. SMTP's default port is 25, but my ISP is probably blocking it. I can verify that using telnet
.
Checking if port 25 is blocked:
btamayo@gitlab:~$ telnet smtp.gmail.com 25
Trying 108.177.98.109...
^C
It's blocked. Try 587.
btamayo@gitlab:~$ telnet smtp.gmail.com 587
Trying 74.125.28.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP b6sm53626027pfe.85 - gsmtp
Success.
Here's an interesting (but long) debugging thread that reminded me that ISPs are shady as hell:
By stripping out [STARTTLS], these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. [...] Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. [src via the EFF]
💡 More links on privacy and ISPs and technical details in the Goodies Section at the end.
IMPORTANT DETOUR:
If you're going to use Gmail as a relay server, you most definitely should not use your main email address unless you're 100% sure of what you're doing and the security implications behind it (which I am no expert in). Create a separate account for this. Secure it with a good password, but do not send anything that contains sensitive or personal data to/from this address.
Unless you're using a G Suite account, You may need to turn on Less Secure Apps (Gmail Help Article) (G-Suite Users use this link) for the relay gmail account. I'm gonna call it myrelaygmail@gmail.com
. Sign in to the account on gmail.com once and clear any CAPTCHAs or verification steps.
Okay, back:
For the following sections just remember two things:
- Prompt starting with $ is non-root sudo user
- Prompt starting with # is root
We now have a new gmail account now at myrelaygmail@gmail.com.
Edit /etc/postfix/main.cf
and add the following lines to the bottom ensuring no duplicate or overriding keys:
relayhost = [smtp.gmail.com]:587
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
Cool. Now, even though this will be encrypted over TLS, I want to stress here that you should most definitely use a new, separate account that you just made for this.
So this isn't going to work still. We still need to validate the CA cert and provide Postfix access to the Gmail account.
Create or edit /etc/postfix/sasl_passwd
to have the following contents (replace myrelaygmail@gmail.com with the email address you created) and replace password
with its password:
/etc/postfix/sasl_passwd
:
[smtp.gmail.com]:587 myrelaygmail@gmail.com:password
Secure the file (0600
works too) then use postmap
to hash it:
# chmod 400 /etc/postfix/sasl_passwd
# postmap /etc/postfix/sasl_passwd
Last part is to validate their CA cert. We can use GlobalSign's cert, which is already in our machine. However, there are other ways of obtaining a valid cert if needed1. In our config we had specified smtp_tls_CAfile = /etc/postfix/cacert.pem
.
# cat /etc/ssl/certs/GlobalSign_Root_CA.pem | tee -a /etc/postfix/cacert.pem
Restart the service and test it:
# service postfix restart
# echo "Hello World" | mail -s "Test Message" mytestemail@gmail.com
Check the logs (could be in mail*.log, or syslog, mine was in syslog:
Feb 19 14:43:36 gitlab postfix/smtp[14917]: A1D012609B8: to=<mytestemail@gmail.com>, relay=smtp.gmail.com[74.125.28.109]:587, delay=1.3, delays=0.01/0/0.55/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1519080216 o135sm64453540pfg.45 - gsmtp)
250 2.0.0 OK
Mistakes? Grammar/spelling? Comments? You can always @ me on Twitter!
✨ GOODIES SECTION 🌈
On smtp_tls_CAfile
:
If you open the main.cf
file, there's this line:
...
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
...
You can see the doc via:
$ sudo apt-get install postfix-doc
$ zless /usr/share/doc/postfix/TLS_README.gz
(That's right. zless and zmore to less
and more
.gz
files. 😎)
You'll find that it says:
If you want the Postfix SMTP client to accept remote SMTP server certificates
issued by these CAs, append the root certificate to $smtp_tls_CAfile or install
it in the $smtp_tls_CApath directory.
There's also a copy on the internet which, yes, I realized out after I did all the steps above. It was 2am.
Footnotes:
Further reading on Gmail and SMTP:
- Google KB: Less secure apps
- Google KB: Send email from a printer, scanner, or app
- Google KB: SMTP relay: Route outgoing non-Gmail messages through Google
🔗 ISPs are shady:
A post on Computerworld explaining in pretty good technical detail the security implications of xfinity/comcast shenanigans with xfinity wifi. It also refers to:
- Ars Technica + NPR's joint experiment
- SF Gate: Comcast sued for turning home Wi-Fi routers into public hotspots
Fun blogs & links & tools!
More things you can do with Postfix:
postalias(1), create/update/query alias database
postcat(1), examine Postfix queue file
postconf(1), Postfix configuration utility
postfix(1), Postfix control program
postfix-tls(1), Postfix TLS management
postkick(1), trigger Postfix daemon
postlock(1), Postfix-compatible locking
postlog(1), Postfix-compatible logging
postmap(1), Postfix lookup table manager
postmulti(1), Postfix multi-instance manager
postqueue(1), Postfix mail queue control
postsuper(1), Postfix housekeeping
mailq(1), Sendmail compatibility interface
newaliases(1), Sendmail compatibility interface
sendmail(1), Sendmail compatibility interface