postfix relay thru gmail

NeptunEz · 04-23-2005, 08:28 AM

Hi.

Gmail is using tls for security reasons to auth smtp clients.

I with my postfix system to do the same and relay all mail thru gmail. Currently it's using my isp.smtp server ant the configuration is this:

Code:

# These are changed by postfix install script
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
sample_directory = /usr/share/doc/postfix-2.1.5/samples
html_directory = /usr/share/doc/postfix-2.1.5/html
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
command_directory = /usr/sbin
manpage_directory = /usr/share/man
daemon_directory = /usr/libexec/postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
queue_directory = /var/spool/postfix
mail_owner = postfix

# User configurable parameters
myorigin = neptune.degunino.net
myhostname = neptune.degunino.net
mydomain = degunino.net
mydestination = $myhostname, localhost
mynetworks_style = host
mynetworks=127.0.0.0/8
delay_warning_time = 1m
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Fedora Linux)
unknown_local_recipient_reject_code = 450
recipient_delimiter = +
owner_request_special = no
alias_maps = hash:/etc/aliases
sender_canonical_maps = hash:/etc/postfix/sender_canonical
relayhost = smtp.degunino.com
default_transport=smtp

# SASL SUPPORT FOR SERVERS
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Does anyone know how to add tls support?
Thx

mchirico · 05-05-2005, 07:23 PM

This article details the procedure:

http://souptonuts.sourceforge.net/postfix_tutorial.html

/etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_generic_maps = hash:/etc/postfix/generic

/etc/postfix/transport # Contents of /etc/postfix/transport # # This sends mail to Gmail gmail.com smtp:[smtp.gmail.com] # # Except mail going to the tape and closet server tape.squeezel.com relay:[tape.squeezel.com] closet.squeezel.com relay:[closet.squeezel.com]

/etc/postfix/generic # Note hostname is squeezel.squeezel.com chirico@squeezel.squeezel.com mchirico@gmail.com

/etc/postfix/sasl_passwd # Contents of sasl_passwd # [smtp.gmail.com] mchirico@gmail.com

a33w0r8

Fetchmail

I would strongly recommend using Fetchmail with the ``sslcertck'' option, after you verify and copy the certificates. See the tutorial for a complete step by step approach on how to do this.

#
#
# Sample /home/chirico/.fetchmailrc file for Gmail
#
# Check mail every 90 seconds
set daemon 90
set syslog
set postmaster chirico
#set bouncemail
#
# Google Gmail is mchirico but on computer it is chirico
# To keep mail on the server use the you would put keep at the end.
# user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs' keep
#
poll pop.gmail.com with proto POP3 and options no dns
user 'mchirico@gmail.com' with pass "pa33w0r8" is 'chirico' here options ssl sslcertck sslcertpath '/home/chirico/certs/.certs'
smtphost localhost
# You would use this to by-pass Postfix
# mda '/usr/bin/procmail -d %T'

Hope this helps. You might want to view the link, since some formatting was off on this post.

Regards,

Mike Chirico

IamDaniel · 06-01-2005, 07:37 PM

During setup,

Quote:

$ openssl s_client -connect smtp.gmail.com:995 -showcerts

returned partial of this within,

Quote:

...
Verify return code: 21 (unable to verify the first certificate)
...

but, I was able to sending mail and fetchmail without any problems...just don't know does it support encryptions or not...below is the log when I sending mail.

Quote:

postfix/smtp[4164]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
postfix/smtp[4164]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
postfix/smtp[4164]: certificate verification failed for smtp.gmail.com: num=21:unable to verify the first certificate
postfix/smtp[4164]: Server certificate could not be verified

How to fix this?

NeptunEz · 06-02-2005, 02:18 AM

Same shit with openssl s_client -connect

But
Jun 2 04:08:32 neptune postfix/qmgr[4274]: 93B40ACB96: removed
Jun 2 10:19:09 neptune postfix/pickup[23616]: 38D8CACBA1: uid=509 from=<lj>
Jun 2 10:19:09 neptune postfix/cleanup[24838]: 38D8CACBA1: message-id=<20050602061909.38D8CACBA1@neptune.degunino.net>
Jun 2 10:19:09 neptune postfix/qmgr[4274]: 38D8CACBA1: from=<lj@neptune.degunino.net>, size=1359, nrcpt=1 (queue active)
Jun 2 10:19:13 neptune postfix/smtp[24840]: 38D8CACBA1: to=<komissar.88@mail.ru>, relay=smtp.gmail.com[64.233.185.111], delay=4, status=sent (250 2.0.0 OK 1117693168 11sm369099wrl)

IamDaniel · 06-02-2005, 07:53 PM

mind to show me your openssl version ?

Quote:

$ openssl version

I was thinking need to upgrade to current......

NeptunEz · 06-02-2005, 07:57 PM

Quote:

Originally posted by IamDaniel
mind to show me your openssl version ?

OpenSSL 0.9.7a Feb 19 2003 (openssl-0.9.7a-42.1)
postfix-2.1.5-5

IamDaniel · 06-03-2005, 08:21 PM

shit...so it's not a package issues...
I have:

Quote:

$ openssl version
OpenSSL 0.9.7d 17 Mar 2004

and postfix-2.2.3...

gonna figureout what the hell goin' on...

again mind to show your:

Quote:

#postconf -n

and

Quote:

#ldd `which postfix`

thanks...again..

NeptunEz · 06-04-2005, 03:21 AM

mind that my openssl is the latest.
The major version on redhat systems is not as important as minor. And these builds often include latests patches of major versions from the vendor.

[neptune@neptune ~]$ rpm -q --info openssl
Name : openssl Relocations: (not relocatable)
Version : 0.9.7a Vendor: Red Hat, Inc.
Release : 42.1 Build Date: Fri 20 May 2005 07:18:47 PM MSD
Install Date: Sat 21 May 2005 11:50:41 PM MSD Build Host: bugs.build.redhat.com
Group : System Environment/Libraries Source RPM: openssl-0.9.7a-42.1.src.rpm
Size : 2564531 License: BSDish
Signature : DSA/SHA1, Fri 20 May 2005 08:00:44 PM MSD, Key ID b44269d04f2a6fd2
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.openssl.org/
Summary : The OpenSSL toolkit.
Description :
The OpenSSL toolkit provides support for secure communications between
machines. OpenSSL includes a certificate management tool and shared
libraries which provide various cryptographic algorithms and
protocols.

[neptune@neptune ~]$ rpm -q --info postfix
Name : postfix Relocations: (not relocatable)
Version : 2.1.5 Vendor: Red Hat, Inc.
Release : 5 Build Date: Fri 11 Feb 2005 04:56:09 PM MSK
Install Date: Sun 20 Mar 2005 07:12:47 PM MSK Build Host: bugs.build.redhat.com
Group : System Environment/Daemons Source RPM: postfix-2.1.5-5.src.rpm
Size : 6394469 License: IBM Public License
Signature : DSA/SHA1, Wed 16 Mar 2005 08:38:14 PM MSK, Key ID b44269d04f2a6fd2
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL : http://www.postfix.org
Summary : Postfix Mail Transport Agent
Description :
Postfix is a Mail Transport Agent (MTA), supporting LDAP, SMTP AUTH (SASL),
TLS and running in a chroot environment.

sure

[neptune@neptune ~]$ /usr/sbin/postconf -n
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
default_transport = smtp
delay_warning_time = 1m
html_directory = /usr/share/doc/postfix-2.1.5/html
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mydestination = $myhostname, localhost
mydomain = degunino.net
myhostname = neptune.degunino.net
mynetworks = 127.0.0.0/8
mynetworks_style = host
myorigin = neptune.degunino.net
newaliases_path = /usr/bin/newaliases.postfix
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.1.5/README_FILES
recipient_delimiter = +
relayhost = smtp.gmail.com
sample_directory = /usr/share/doc/postfix-2.1.5/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
smtp_tls_key_file = /etc/httpd/conf/ssl.key/server.key
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) (Fedora Linux)
smtpd_tls_CAfile = /etc/postfix/certs/ca.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
smtpd_tls_key_file = /etc/httpd/conf/ssl.key/server.key
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 450

[neptune@neptune ~]$ cat /etc/postfix/sasl_passwd
smtp.gmail.com neptune.bot@gmail.com:PASSWORD

[neptune@neptune ~]$ cat /etc/postfix/sender_canonical
neptune.bot neptune.bot@gmail.com

[neptune@neptune ~]$ ldd /usr/sbin/postfix
libldap-2.2.so.7 => /usr/lib/libldap-2.2.so.7 (0xb7f89000)
liblber-2.2.so.7 => /usr/lib/liblber-2.2.so.7 (0xb7f7d000)
libpcre.so.0 => /lib/libpcre.so.0 (0xb7f6b000)
libsasl2.so.2 => /usr/lib/libsasl2.so.2 (0xb7f57000)
libssl.so.4 => /lib/libssl.so.4 (0xb7f23000)
libcrypto.so.4 => /lib/libcrypto.so.4 (0xb7e3a000)
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb7e26000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7dc1000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7dbd000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb7d9c000)
libresolv.so.2 => /lib/libresolv.so.2 (0xb7d88000)
libdl.so.2 => /lib/libdl.so.2 (0xb7d84000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7d74000)
libdb-4.2.so => /lib/tls/i686/libdb-4.2.so (0xb7ca6000)
libnsl.so.1 => /lib/libnsl.so.1 (0xb7c8f000)
libc.so.6 => /lib/tls/libc.so.6 (0xb7b65000)
libcrypt.so.1 => /lib/libcrypt.so.1 (0xb7b37000)
/lib/ld-linux.so.2 (0xb7fd8000)
libpthread.so.0 => /lib/tls/libpthread.so.0 (0xb7b25000)

Good luck

IamDaniel · 06-08-2005, 07:20 PM

upon that, I had upgrade all to latest release/version:

Quote:

$ openssl version
OpenSSL 0.9.7g 11 Apr 2005

and postfix-2.2.3.

and turn on the

Quote:

smtp_tls_loglevel = 3

inside the /etc/postfix/main.cf.

Here is partial of the maillog:

Quote:

....
postfix/smtp[7821]:certificate verification depth=0 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
postfix/smtp[7821]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
postfix/smtp[7821]: verify return: 0
postfix/smtp[7821]: certificate verification depth=0 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
postfix/smtp[7821]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
postfix/smtp[7821]: verify return: 0
postfix/smtp[7821]: certificate verification depth=0 subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
postfix/smtp[7821]: certificate verification failed for smtp.gmail.com: num=21:unable to verify the first certificate
postfix/smtp[7821]: verify return: 0
...

I suspect it's google issues, am I correct?

NeptunEz · 06-09-2005, 06:55 AM

Not quite sure...

is your cert ok? how did you make it

IamDaniel · 06-16-2005, 07:49 PM

Sorry for late reply, school exam around the corner...

Anyway, I had repeat over and over creating the certificate.

Here is how I create:

[quote]
root@darkstar:/etc/ssl/misc# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................................................................................... ............++++++
........++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporat

NeptunEz · 06-16-2005, 09:28 PM

do you have 3 files on output? I used httpd files + CAfile generated by openssl (I didnt find worknig CA.pl for my distro)
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
smtp_tls_key_file = /etc/httpd/conf/ssl.key/server.key

IamDaniel · 06-18-2005, 07:43 PM

Quote:

Originally posted by NeptunEz
do you have 3 files on output? I used httpd files + CAfile generated by openssl (I didnt find worknig CA.pl for my distro)
smtp_tls_CAfile = /etc/postfix/certs/ca.crt
smtp_tls_cert_file = /etc/httpd/conf/ssl.crt/server.crt
smtp_tls_key_file = /etc/httpd/conf/ssl.key/server.key

Sorry, my browser goin' insane...the posted message run out...

Here is another version,

Quote:

root@darkstar:/etc/ssl/misc# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................................................................................... ............++++++
........++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:MY
State or Province Name (full name) [Some-State]:Kedah
Locality Name (eg, city) []:Sungai Petani
Organization Name (eg, company) [Internet Widgits Pty Ltd]

arkstar Group
Organizational Unit Name (eg, section) []:blank here
Common Name (eg, YOUR name) []:foo.darkstar.my
Email Address []:blank here

Quote:

root@darkstar:/etc/ssl/misc# openssl req -new -nodes -subj '/CN=foo.darkstar.my/O=Darkstar Group/C=MY/ST=Kedah/L=Sungai Petani' \
-keyout FOO-key.pem -out FOO-req.pem -days 365
Generating a 1024 bit RSA private key
..........++++++
.......++++++
writing new private key to 'FOO-key.pem'
-----

Quote:

root@darkstar:/etc/ssl/misc# openssl ca -out FOO-cert.pem -infiles FOO-req.pem
...
Certificate is to be certified until May 27 10:45:01 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

My 'main.cf' file contains:

Quote:

# TLS Settings
#
smtp_tls_CAfile = /etc/postfix/certs/cacert.pem
smtp_tls_cert_file = /etc/postfix/certs/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/certs/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_loglevel = 3
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /etc/postfix/certs/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/certs/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_tls_loglevel = 3
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

## SASL Settings
# This is going in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd

## Gmail Relay
relayhost = [smtp.gmail.com]

## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table

# Disable DNS Lookups
disable_dns_lookups = yes
#
transport_maps = hash:/etc/postfix/transport

And the owner:group permission:

Quote:

root:root 0644 - cacert.pem
root:root 0644 - FOO-cert.pem
root:root 0400 - FOO-key.pem

Do I need to change the group to `postdrop'?

NeptunEz · 06-19-2005, 02:37 AM

i think you dont.
All seems ok.

Hmmmm. I didnt see that before

Jun 19 08:15:10 neptune postfix/smtp[15627]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 10:29:52 neptune postfix/smtp[23377]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:08:55 neptune postfix/smtp[25785]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:11:49 neptune postfix/smtp[26011]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:15:48 neptune postfix/smtp[26244]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:27:29 neptune postfix/smtp[26899]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:33:11 neptune postfix/smtp[27266]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com

IamDaniel · 06-19-2005, 07:54 PM

Quote:

Originally posted by NeptunEz
i think you dont.
All seems ok.

Hmmmm. I didnt see that before

Jun 19 08:15:10 neptune postfix/smtp[15627]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 10:29:52 neptune postfix/smtp[23377]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:08:55 neptune postfix/smtp[25785]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:11:49 neptune postfix/smtp[26011]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:15:48 neptune postfix/smtp[26244]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:27:29 neptune postfix/smtp[26899]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com
Jun 19 11:33:11 neptune postfix/smtp[27266]: certificate peer name verification failed for gmail-smtp.l.google.com: CommonName mis-match: smtp.gmail.com

Wow...what's that ?

Do you think it's ok for me to ignore the `warning & verification failed` issues? it seems to getting nowhere...