Monday, July 08, 2013

Relaying mail through gmail from CentOS

The Issue

While having some emails sent from my server is handy, I do not want to handle all of the Postfix and DNS (MX records) work involved in managing a real mail server.
Since I have a Gmail account, I can have Postfix relay mail (send it through an external server) using that account. In the early internet days, relaying was open: any mail server could ask another mail server to handle its mail. Now, for security reasons (spam, anybody?), this is no longer the case, so the configuration is a bit more complicated.

The Solution

Just append the following lines to /etc/postfix/

relayhost = []:587 
smtp_sasl_auth_enable = yes 
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/postfix/$hostname.pem
smtp_use_tls = yes
smtp_tls_loglevel = 1
smtp_tls_per_site = hash:/etc/postfix/tls_per_site

Append the following to /etc/postfix/sasl/passwd (create the file if it is not already there).


Now, change the permissions of the newly created file:

chmod 600 /etc/postfix/sasl/passwd

After that, you have to create the db file (binary) used by postfix with:

postmap /etc/postfix/sasl/passwd

The Certificate

For all of this to work correctly, a certificate needs to be exchanged (for authentication purposes) between your server and Gmail's.
So we create a new certificate (the cacert.pem referenced in the file) with the following steps:

cd /etc/pki/tls/certs

make $hostname.pem 

You will be asked some questions (leave them blank). After that, you will find a new file (hostname.pem), which is to be copied to /etc/postfix:

cp $hostname.pem /etc/postfix/$hostname.pem

Final Touches

Change permissions on sensitive files

chmod o-r /etc/postfix/sasl/passwd
chmod o-r /etc/postfix/sasl/passwd.db
chown postfix /etc/postfix/sasl/passwd
chown postfix /etc/postfix/sasl/passwd.db

Restart Postfix

/etc/init.d/postfix restart
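
A check for the configuration lines and the file permissions above, as an added example that is not part of the original post: the shell function below lints a Postfix configuration file for misspelled stmp_ parameter names, two settings run together on one line, and a password map file (or its .db) that is missing or accessible to group/other. The function names and finding messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): lint a Postfix relay config.
# Usage: check_relay_conf <postfix-config-file>
# Prints one finding per line; returns 0 when clean, 1 otherwise.
# Simplification: continuation lines (leading whitespace) are not joined.

# Value of parameter $2 in file $1; the last assignment wins.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

note() { echo "$1"; rc=1; }

check_relay_conf() {
    conf=$1; rc=0

    # "stmp_" is a typo for "smtp_". Postfix does not reject unknown
    # parameter names, so the misspelled setting is never applied.
    for n in $(sed -n 's/^\(stmp_[A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$conf"); do
        note "misspelled parameter: $n"
    done

    # Two "name = value" pairs on one line: the second pair becomes part
    # of the first value instead of a setting of its own.
    fused='^[A-Za-z0-9_]+[[:space:]]*=.*[[:space:]][a-z][A-Za-z0-9_]*[[:space:]]*='
    for ln in $(grep -nE "$fused" "$conf" | cut -d: -f1); do
        note "line $ln: two settings fused on one line"
    done

    # The file named by smtp_sasl_password_maps, and the .db that postmap
    # builds from it, must exist and grant nothing to group or other.
    map=$(conf_get "$conf" smtp_sasl_password_maps)
    pw=${map#hash:}; pw=${pw%% *}
    if [ -z "$pw" ]; then
        note "smtp_sasl_password_maps is not set"
    else
        for f in "$pw" "$pw.db"; do
            if [ ! -f "$f" ]; then
                note "missing: $f"
            elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
                note "group/other access: $f"
            fi
        done
    fi
    return $rc
}
```

Source the script and run check_relay_conf on the Postfix configuration file after editing it; no output and exit status 0 mean none of the three problems were found.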