Configuring postfix as a relay for GMail
For the domain this blog is running on I have a separate GMail account, and I wanted my server to relay all email there. I searched quite a lot for detailed information on how to set up postfix correctly but could not find any; all the information was scattered across different blogs, websites and forums. I have just achieved the target and I thought I would share what I learned.
All commands below were executed under the root account. If the account used is not root, use sudo and make sure the account is a sudoer.
Confirm that openssl is installed and if not, install it (on my Ubuntu 8.10 it was installed by default). If a CA certificate has not been generated before, it is time to do it now. On Ubuntu it is nothing more than running the following command from the terminal:
[source lang='bash']
/usr/share/ssl/misc/CA.sh -newca
[/source]
If an error is returned, it may mean that the CA.sh script lives somewhere else. To find it, simply execute the following:
[source lang='bash']
find / -name 'CA.sh'
[/source]
and run the first command again with the correct CA.sh path. While generating the CA certificate the script will ask some questions; just follow the instructions, it is a really short and painless process.
The next step is to install postfix.
[source lang='bash']
apt-get install postfix
[/source]
Answer the questions using the default options; it appears that in most cases they are fine. Just make sure the first question is answered with the Satellite system option.
To make sure this process is going to work, postfix must be configured with SASL and TLS support; on Ubuntu it was by default, indeed. It can be verified with the following command:
[source lang='bash']
ldd /usr/lib/postfix/smtp
[/source]
Look for a line starting with libssl. I bet it will be there. BUT if not, postfix must be reconfigured with SASL and TLS. Here is just one of the many articles I found showing how to do it: Setup Email Services on Ubuntu Using Postfix (TLS+SASL).
Once postfix is running:
[source lang='bash']
cd /etc/postfix
mkdir certs
cd certs
# generate the server key and a certificate signing request
# (1024-bit RSA as in the original setup; 2048 bits or more is the current recommendation)
openssl genrsa -out itchy.key 1024
openssl req -new -key itchy.key -out itchy.csr
# sign the request with the CA created by CA.sh; openssl ca uses the CA directory
# named in openssl.cnf (./demoCA by default, relative to the current directory),
# so run this from the directory where CA.sh -newca was run
openssl ca -out itchy.pem -infiles itchy.csr
# main.cf lives in /etc/postfix, not in the certs directory
nano /etc/postfix/main.cf
[/source]
To search for a string in nano use CTRL+W. Look for the myhostname key. I have a mx.gruchalski.com value but gruchalski.com would work just fine. The next important bit is the mydestination key. I have changed it to smtp.gmail.com and I will explain why in a second. The last key to change is relayhost. Set it to [smtp.gmail.com]:587. At the end of the file add the following lines:
[source lang='bash']
# auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
# tls
smtp_use_tls=yes
smtp_sasl_security_options=noanonymous
smtp_sasl_tls_security_options=noanonymous
smtp_tls_note_starttls_offer=yes
tls_random_source=dev:/dev/urandom
smtp_tls_scert_verifydepth=5
smtp_tls_key_file=/etc/postfix/certs/itchy.key
smtp_tls_cert_file=/etc/postfix/certs/itchy.pem
smtpd_tls_ask_ccert=yes
smtpd_tls_req_ccert=no
# with this setting the name in the relay's certificate is not checked, so TLS is opportunistic only
smtp_tls_enforce_peername=no
[/source]
CTRL+O to save and CTRL+X to exit.
At this point /etc/postfix/sasl_passwd file does not exist yet, so:
[source lang='bash']
nano /etc/postfix/sasl_passwd
[/source]
Add these two lines:
[source lang='bash']
# format: relay-hostname user:password (both keys map to the same GMail credentials)
# the password is stored in clear text, so keep this file and its .db readable by root only
gmail-smtp.l.google.com user@gmail.com:password
smtp.gmail.com user@gmail.com:password
[/source]
Make sure that the correct credentials are set. Save, exit the file and execute:
[source lang='bash']
postmap /etc/postfix/sasl_passwd
/etc/init.d/postfix reload
apt-get install mailutils
[/source]
It is time to test postfix, that is why I installed mailutils.
[source lang='bash']
echo "Testing relay from terminal" | mail -s "Test relay" to@email -f from@email
[/source]
Well, the -f option is not going to work here anyway, but it does not break anything either :) If the email did not arrive, please check /var/log/mail.log for details.
And now an explanation of why the mydestination key was changed. Let’s say my server name is funkyserver.com and from the terminal or the Apache web server I am sending an email to d’oh@funkyserver.com. But I have a d’oh user on the server as well. Postfix is going to think: oh, hang on mate, my name is funkyserver.com and you are sending an email to a user who BELONGS TO ME! I am so smart, I am not going to send it via GMail, I will just drop it into the /var/mail/d’oh mailbox! That email will not appear in GMail. By changing mydestination I am telling postfix: do not try to be smart, dude, just send it to the outside world and let the others decide what to do with it.
The last thing to make sure of is that the correct real name is set for the www-data account (used by Apache). When an email sent by Apache is received it will have www-data-real-name <gmail@email> in the From field. By changing it to WordPress, for example, recipients will see WordPress <gmail@email> instead of www-data <gmail@email>.
What about iptables and security? To make sure no one is going to use postfix as an open relay if it is incorrectly configured, just execute:
[source lang='bash']
# SMTP is TCP port 25; port 110 is POP3 and has nothing to do with relaying.
# A Satellite system install already binds postfix to loopback only (inet_interfaces=loopback-only),
# so this rule is a second line of defence, not the only one.
iptables -I INPUT -p tcp --dport 25 -i eth0 -j DROP
[/source]
and save iptables rules.
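The firewall rule is the outer layer; the inner one is Postfix's own listener configuration. The script below is an added example, not code from the original post: it reads main.cf-style "key = value" lines (for instance the output of postconf inet_interfaces mynetworks) and fails if Postfix listens beyond loopback or trusts a non-loopback network in mynetworks, the two settings that turn a relay box into an open relay. The loopback entries it accepts are the Debian/Ubuntu defaults (127.0.0.0/8, [::ffff:127.0.0.0]/104, [::1]/128); the 192.0.2.0/24 network in the constructed sample is a documentation range, not a real one.

```shell
#!/bin/sh
# Added example (not from the original post): audit whether this Postfix
# instance could be reached, and used as a relay, from outside the host.
set -eu

# Read "key = value" lines on stdin. Exit 0 when inet_interfaces is loopback
# only and every mynetworks entry is a loopback range; otherwise print one
# finding per problem and exit 1. A missing inet_interfaces means the Postfix
# default "all", which is reported as a finding.
relay_exposure() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*inet_interfaces[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); ifaces = $0 }
        /^[ \t]*mynetworks[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); nets = $0 }
        END {
            bad = 0
            if (ifaces != "loopback-only" && ifaces != "127.0.0.1") {
                print "inet_interfaces=" (ifaces == "" ? "all (default)" : ifaces) ": SMTP reachable beyond loopback"
                bad = 1
            }
            n = split(nets, entry, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                if (entry[i] == "") continue
                if (entry[i] !~ /^(127\.0\.0\.0\/8|127\.0\.0\.1|\[::1\]\/128|\[::ffff:127\.0\.0\.0\]\/104)$/) {
                    print "mynetworks entry " entry[i] ": clients on this network may relay without authentication"
                    bad = 1
                }
            }
            exit bad
        }'
}

if command -v postconf >/dev/null 2>&1; then
    # Live check: postconf prints the two values as "key = value" lines.
    postconf inet_interfaces mynetworks | relay_exposure && echo "listener confined to loopback"
else
    # No Postfix on this machine: demonstrate on constructed values, first the
    # Ubuntu satellite defaults, then a misconfiguration that exposes the relay.
    printf 'inet_interfaces = loopback-only\nmynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128\n' \
        | relay_exposure && echo "sample 1: confined to loopback"
    printf 'inet_interfaces = all\nmynetworks = 127.0.0.0/8 192.0.2.0/24\n' \
        | relay_exposure || echo "sample 2: exposed"
fi
```

Run it as root on the server after the install and again after any main.cf change; a non-zero exit with findings printed means the iptables rule is doing all the work.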
June 9th, 2009 at 7:38 pm
informative post, thank you for your time.