Here's what I want to do. I have an Ubuntu box (Edgy-Eft) at home, and I want to be able to send out email, and I want to use gmail as my relayhost. There are several sites online that explain bits of how to do this, and Mike Chirico's is particularly good. I used his tutorial as a starting point, but I noticed I had to do a few things differently to get it working on my own system, so I'm documenting the differences.
Disclaimer: Different about my setup is that I am using the Ubuntu packages, whereas Chirico's tutorial has you compile the packages yourself. There's nothing wrong with doing that, in fact, it's probably good for your soul, but I'd prefer to make use of the Ubuntu package manager as much as possible. Further, I'm not interested in using fetchmail, so I've done nothing with that.
The first thing I did was install postfix.
# apt-get install postfixI told the configuration script that I was installing for an internet site. Happily, debian/ubuntu's postfix comes with TLS and SASL compiled in.
Generate Your CertificatesIn order to connect to gmail, you need a certificate. Here's what happened when I generated my certificate.
# /usr/lib/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key .....................++++++ .........................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Illinois Locality Name (eg, city) :Chicago Organization Name (eg, company) [Internet Widgits Pty Ltd]:Prancing Tarantula Organizational Unit Name (eg, section) : Common Name (eg, YOUR name) :Mattox Beckman Email Address :firstname.lastname@example.org Please enter the following 'extra' attributes to be sent with your certificate request A challenge password : An optional company name : Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: d5:0c:4b:bb:48:17:c3:b0 Validity Not Before: Jan 4 22:42:34 2007 GMT Not After : Jan 3 22:42:34 2010 GMT Subject: countryName = US stateOrProvinceName = Illinois organizationName = Prancing Tarantula commonName = Mattox Beckman emailAddress = email@example.com X509v3 extensions: X509v3 Subject Key Identifier: 33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92 X509v3 Authority Key Identifier: keyid:33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92 DirName:/C=US/ST=Illinois/O=Prancing Tarantula/CN=Mattox Beckman/emailAddressfirstname.lastname@example.org serial:D5:0C:4B:BB:48:17:C3:B0 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Jan 3 22:42:34 2010 GMT (1095 days) Write out database with 1 new entries Data Base UpdatedNow generate a private key...
# openssl req -new -nodes -subj '/CN=prancingtarantula.net/O=Prancing Tarantula/C=US/ST=Illinois/L=Chicago/emailAddressemail@example.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650 Generating a 1024 bit RSA private key .........................................++++++ ....++++++ writing new private key to 'FOO-key.pem' -----And sign it...
# openssl ca -out FOO-cert.pem -infiles FOO-req.pem Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: d5:0c:4b:bb:48:17:c3:b1 Validity Not Before: Jan 4 22:48:47 2007 GMT Not After : Jan 4 22:48:47 2008 GMT Subject: countryName = US stateOrProvinceName = Illinois organizationName = Prancing Tarantula commonName = prancingtarantula.net emailAddress = firstname.lastname@example.org X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 16:B2:33:D3:E7:E9:4D:2B:76:71:5D:D7:EC:AF:47:22:FA:38:AB:54 X509v3 Authority Key Identifier: keyid:33:0A:41:44:07:7D:0F:4C:10:B8:8C:4A:89:8C:CC:0E:18:EF:CA:92 Certificate is to be certified until Jan 4 22:48:47 2008 GMT (365 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base UpdatedNow I copied them to the /etc/postfix directory.
# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix # chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem # chmod 400 /etc/postfix/FOO-key.pemOne difference from the tutorial: when running postfix, you may get warnings like this one:
Jan 4 17:21:59 calvin postfix/smtp: setting up TLS connection to smtp.gmail.com Jan 4 17:21:59 calvin postfix/smtp: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate Jan 4 17:21:59 calvin postfix/smtp: SSL_connect error to smtp.gmail.com: -1I've copied them in so people searching for them will find this. These warnings are because postfix doesn't know where to find the Thawte certificate that gmail used to sign its own certificate. Ubuntu includes it in its ssl package. You need to append it to the cacert.pem file you generated earlier.
cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> cacert.pem
TransportTo cause the mail to be routed, you need a transport file. Here's mine:
# Contents of /etc/postfix/transport # # This sends mail to Gmail * smtp:[smtp.gmail.com]:587Different from the tutorial is the specification of port 587. If you leave that off, postfix will attempt to connect to port 25, which is blocked by many ISPs now. If you get a timeout error in your log file, that's what's happening. The Gmail help pages say you should be able to use port 465 also, but that times out for me as well. You'll have to add another line if you expect to receive mail at your machine.
SASLYou now need to set the SASL passwords. My file looks like this one:
# Contents of sasl_passwd # [smtp.gmail.com]:587 email@example.com:passwordOf course, replace password and the email address with something appropriate for your system. Again, note the 587... if you leave that off, you will get very confusing log messages like this one:
Jan 4 18:20:30 calvin postfix/smtp: 49D438A6F: to=This will be very frustrating because you will see the passwords are there, but they just aren't being used. Be sure to hash the files:
, orig_to= , relay=smtp.gmail.com[18.104.22.168]:587, delay=7661, delays=7660/0.1/0.19/0.03, dsn=5.5.1, status=bounced (host smtp.gmail.com[22.214.171.124] said: 530 5.5.1 Authentication Required 16sm56842404nzo (in reply to MAIL FROM command))
# postmap sasl_passwd # postmap transport