Using Gmail as a Postfix relay on Ubuntu 16.04 for GitLab

A mini-adventure

This post assumes you have the packages postfix and mailutils installed and you're using Ubuntu 16.04 bc I don't know if it's the same in other distros. ¯\_(ツ)_/¯

Recently I installed GitLab at home. It uses Postfix to send you mail. I didn't really want to go through the hassle of setting up a fully decked-out mail server. Anyway, here's how I set up Gmail as a relay.

We know that their SMTP server is at smtp.gmail.com. SMTP's default port is 25, but my ISP is probably blocking it. I can verify that using telnet.

Checking if port 25 is blocked:

btamayo@gitlab:~$ telnet smtp.gmail.com 25  
Trying 108.177.98.109...  
^C

It's blocked. Try 587.

btamayo@gitlab:~$ telnet smtp.gmail.com 587  
Trying 74.125.28.108...  
Connected to gmail-smtp-msa.l.google.com.  
Escape character is '^]'.  
220 smtp.gmail.com ESMTP b6sm53626027pfe.85 - gsmtp  

Success.

Here's a good summary on the history of SMTP ports (this is the material I like reading because reasons).

Here's an interesting (but long) debugging thread that reminded me that ISPs are shady as hell:

By stripping out [STARTTLS], these ISPs prevent the email servers from successfully encrypting their conversation, and by default the servers will proceed to send email unencrypted. [...] Unfortunately, this causes collateral damage: the sending server will proceed to transmit plaintext email over the public Internet, where it is subject to eavesdropping and interception. [src via the EFF]

💡 More links on privacy and ISPs and technical details in the Goodies Section at the end.

IMPORTANT DETOUR:

If you're going to use Gmail as a relay server, you most definitely should not use your main email address unless you're 100% sure of what you're doing and the security implications behind it (which I am no expert in). Create a separate account for this. Secure it with a good password, but do not send anything that contains sensitive or personal data to/from this address.

Unless you're using a G Suite account, you may need to turn on Less Secure Apps (Gmail Help Article) (G Suite users use this link) for the relay Gmail account. I'm gonna call it myrelaygmail@gmail.com. Sign in to the account on gmail.com once and clear any CAPTCHAs or verification steps.

Okay, back:

For the following sections just remember two things:

  1. Prompt starting with $ is non-root sudo user
  2. Prompt starting with # is root

We now have a new Gmail account at myrelaygmail@gmail.com.

Edit /etc/postfix/main.cf and add the following lines to the bottom ensuring no duplicate or overriding keys:

relayhost = [smtp.gmail.com]:587
# Postfix defaults this to "no"; without it the client never sends AUTH to Gmail
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/cacert.pem
# "encrypt" makes STARTTLS mandatory; the obsolete smtp_use_tls = yes only made it opportunistic
smtp_tls_security_level = encrypt

Cool. Now, even though this will be encrypted over TLS, I want to stress here that you should most definitely use a new, separate account that you just made for this.

This still isn't going to work on its own. We still need to validate the CA cert and give Postfix the Gmail account's credentials.

Create or edit /etc/postfix/sasl_passwd to have the following contents (replace myrelaygmail@gmail.com with the email address you created) and replace password with its password:

/etc/postfix/sasl_passwd:

[smtp.gmail.com]:587    myrelaygmail@gmail.com:password

Secure the file (0600 works too) then use postmap to hash it:

# chmod 400 /etc/postfix/sasl_passwd
# postmap /etc/postfix/sasl_passwd

The last part is to validate their CA cert. We can use GlobalSign's root cert, which is already on our machine. There are other ways of obtaining a valid cert if needed¹. In our config we specified smtp_tls_CAfile = /etc/postfix/cacert.pem.

# cat /etc/ssl/certs/GlobalSign_Root_CA.pem | tee -a /etc/postfix/cacert.pem

Restart the service and test it:

# service postfix restart
# echo "Hello World" | mail -s "Test Message" mytestemail@gmail.com

Check the logs (could be in mail*.log or syslog; mine was in syslog):

Feb 19 14:43:36 gitlab postfix/smtp[14917]: A1D012609B8: to=<mytestemail@gmail.com>, relay=smtp.gmail.com[74.125.28.109]:587, delay=1.3, delays=0.01/0/0.55/0.71, dsn=2.0.0, status=sent (250 2.0.0 OK 1519080216 o135sm64453540pfg.45 - gsmtp)  

250 2.0.0 OK
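The steps above (main.cf settings, sasl_passwd, postmap, CA file, restart, test mail, log check) as one script. This is an added example, not code from the original post: the RELAY_USER/RELAY_PASS environment variables, the --apply/--verify flags and the function names are my own, and it assumes the log is in /var/log/syslog as it was here. It uses Postfix's own postconf -e to set keys in place (so re-running never creates the duplicate keys the post warns about), locks down both sasl_passwd and the sasl_passwd.db that postmap writes, and reads the delivery status and the TLS trust level back out of the log. With no arguments it changes nothing, so the helper functions can be sourced and tested on their own.

```shell
#!/bin/sh
# Added example, not part of the original post: renders, applies and verifies
# the Gmail relay setup described above. Assumptions: RELAY_USER and RELAY_PASS
# come from the environment (nothing is hard-coded), the log is /var/log/syslog
# as in the post, and "--apply" runs as root on the GitLab box.
# With no arguments the script changes nothing, so the helpers can be sourced.

RELAY="[smtp.gmail.com]:587"
SASL_FILE="/etc/postfix/sasl_passwd"
CA_FILE="/etc/postfix/cacert.pem"
LOG="/var/log/syslog"

# main.cf settings. smtp_sasl_auth_enable defaults to "no", and without it the
# client never sends AUTH. "encrypt" makes STARTTLS mandatory, so the password
# is never handed to a middlebox that strips STARTTLS (the EFF case quoted above).
render_main_cf() {
    cat <<EOF
relayhost = $RELAY
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$SASL_FILE
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = $CA_FILE
EOF
}

# One lookup-table line; the key must match relayhost exactly, brackets included.
sasl_passwd_line() {
    printf '%s    %s:%s\n' "$RELAY" "$1" "$2"
}

# 0 only if nobody but the owner can read the file (mode 400 or 600).
# postmap writes sasl_passwd.db next to the source: check both, owned by root.
secret_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# Pull the status= word out of a postfix/smtp log line (sent, deferred, bounced).
log_status() {
    printf '%s\n' "$1" | sed -n 's/.*status=\([a-z]*\).*/\1/p'
}

# Classify the "TLS connection established" line Postfix logs for the relay.
# "Untrusted" means TLS was used but the cert did not chain to smtp_tls_CAfile;
# only the "secure"/"verify" levels refuse to deliver in that case.
tls_trust() {
    case "$1" in
        *"Untrusted TLS connection established"*) echo Untrusted ;;
        *"Verified TLS connection established"*)  echo Verified ;;
        *"Trusted TLS connection established"*)   echo Trusted ;;
        *"Anonymous TLS connection established"*) echo Anonymous ;;
        *)                                        echo none ;;
    esac
}

apply() {
    [ "$(id -u)" -eq 0 ] || { echo "--apply must run as root" >&2; return 1; }
    [ -n "$RELAY_USER" ] && [ -n "$RELAY_PASS" ] || {
        echo "set RELAY_USER and RELAY_PASS in the environment" >&2; return 1; }
    # postconf -e rewrites a key in place, so re-running never duplicates keys
    # (what the post warns about when appending to main.cf by hand).
    render_main_cf | while IFS= read -r line; do postconf -e "$line"; done
    ( umask 077
      sasl_passwd_line "$RELAY_USER" "$RELAY_PASS" > "$SASL_FILE"
      postmap "$SASL_FILE"
      chmod 400 "$SASL_FILE" "$SASL_FILE.db" )
    # same GlobalSign root the post appends; only add it once
    [ -s "$CA_FILE" ] || cat /etc/ssl/certs/GlobalSign_Root_CA.pem > "$CA_FILE"
    service postfix restart
    for f in "$SASL_FILE" "$SASL_FILE.db"; do
        secret_perms_ok "$f" || echo "WARNING: $f is readable by other users" >&2
    done
}

# Send a test message, then read back the two lines that matter from the log.
verify() {
    echo "Hello World" | mail -s "Test Message" "$1"
    sleep 5
    grep 'postfix/smtp\[' "$LOG" | tail -n 2 | while IFS= read -r line; do
        echo "tls=$(tls_trust "$line") status=$(log_status "$line")"
    done
}

case "${1:-}" in
    --apply)  apply ;;
    --verify) verify "$2" ;;
esac
```

Run it as `sudo env RELAY_USER=myrelaygmail@gmail.com RELAY_PASS='...' sh relay.sh --apply`, then `sudo sh relay.sh --verify mytestemail@gmail.com`; you want to see `tls=Trusted status=sent`. `tls=Untrusted` with `status=sent` means mail went out over TLS but Gmail's chain did not match the root in cacert.pem; pointing smtp_tls_CAfile at Ubuntu's full bundle, /etc/ssl/certs/ca-certificates.crt, is the usual fix, and only then is it worth raising smtp_tls_security_level to secure so a bad cert actually blocks delivery.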

Mistakes? Grammar/spelling? Comments? You can always @ me on Twitter!


✨ GOODIES SECTION 🌈

For the extra nerdy/awesome/bored/nice of you all.

On smtp_tls_CAfile:

If you open the main.cf file, there's this line:

...
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.
...

You can see the doc via:

$ sudo apt-get install postfix-doc
$ zless /usr/share/doc/postfix/TLS_README.gz

(That's right. zless and zmore to less and more .gz files. 😎)

You'll find that it says:

If you want the Postfix SMTP client to accept remote SMTP server certificates  
issued by these CAs, append the root certificate to $smtp_tls_CAfile or install  
it in the $smtp_tls_CApath directory.  

There's also a copy on the internet which, yes, I realized after I did all the steps above. It was 2am.

Footnotes:

Further reading on Gmail and SMTP:

🔗 ISPs are shady:

A post on Computerworld explaining in pretty good technical detail the security implications of xfinity/comcast shenanigans with xfinity wifi. It also refers to:

Fun blogs & links & tools!

  1. Postfix's TLS_README
  2. SSL-Tools Mailserver Test
  3. How SMTP Works with relaying
  4. Check TLS

More things you can do with Postfix:

   postalias(1), create/update/query alias database
   postcat(1), examine Postfix queue file
   postconf(1), Postfix configuration utility
   postfix(1), Postfix control program
   postfix-tls(1), Postfix TLS management
   postkick(1), trigger Postfix daemon
   postlock(1), Postfix-compatible locking
   postlog(1), Postfix-compatible logging
   postmap(1), Postfix lookup table manager
   postmulti(1), Postfix multi-instance manager
   postqueue(1), Postfix mail queue control
   postsuper(1), Postfix housekeeping
   mailq(1), Sendmail compatibility interface
   newaliases(1), Sendmail compatibility interface
   sendmail(1), Sendmail compatibility interface