Postfix SSL GMail SMTP Relay on Fedora (or CentOS)
The original directions for this came from here. I’ve only modified them for a clean build of a Fedora-based server or box. They should work for Ubuntu, SUSE, etc. if you have created a Certificate Authority already.
Make sure you’ve installed postfix and removed sendmail:
# yum install postfix
# yum remove sendmail
Make sure postfix has been built with the necessary dependencies (both commands below should return something; if not, you will need a different version of postfix):
# ldd `which postfix` | grep libsasl
# ldd `which postfix` | grep libssl
Make sure openssl and openssl-perl are installed so we can generate certificates and create SSL connections to GMail:
# yum install openssl openssl-perl
Next, create a Certificate Authority (if you don’t already have one):
# cd /etc/pki/tls/misc
# ./CA.pl -newca
You will be prompted for the file name (just hit Enter). Then you will be asked for a PEM pass phrase, which you need to remember. You can fill out the Country Name, State or Province Name, Locality Name, Organization Name, and Organizational Unit Name to your liking (or take the defaults). You need to remember the Organization Name (if you changed it) as it must match one in a key we create later. For the Common Name, fill in “CA” (without quotes). Take defaults for everything else and when prompted to enter the pass phrase you need to enter the same one you did above.
Create a client key that is sent to GMail to start the SSL encryption:
# cd /etc/pki/tls
# mkdir gmail_relay
# cd gmail_relay
# openssl genrsa -out server.key 1024
# openssl req -new -key server.key -out server.csr
# openssl ca -out server.pem -infiles server.csr
The second openssl command above will prompt you for the Country, State, Locality, etc. parameters again. The only value that has to match what was entered for the Certificate Authority is the Organization Name. For the Common Name you should put your server name (fully qualified preferred, but it does not really matter). The last command will prompt you for the CA pass phrase that you used earlier. When asked if you want to sign the certificate, say yes. Also, when asked if you want to commit it, say yes.
Add the following to the bottom of the file /etc/postfix/main.cf. The last setting for any option is the one that is used, so anything above this will not affect these final settings:
#### GMail SSL SMTP Relay
relayhost = [smtp.gmail.com]:587
#auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/pki/tls/gmail_relay/server.key
smtp_tls_cert_file=/etc/pki/tls/gmail_relay/server.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtp_tls_enforce_peername = no
Create the /etc/postfix/sasl_passwd file with your GMail login credentials. Each line holds the lookup key (the relay host name), then whitespace, then user:password, like below:
gmail-smtp.l.google.com user@gmail.com:password
smtp.gmail.com user@gmail.com:password
Create sasl_passwd DB file
There is one more thing to do before Postfix can use this file. A plaintext file can't be read as fast as a database, and Postfix requires this file to be a database because it doesn't want to spend a lot of time looking the credentials up when it needs to get its job done.
We create a sasl_passwd.db with the help of postmap:
[root@mail postfix]# postmap hash:/etc/postfix/sasl_passwd
Obviously, you need to change user to your username and password to your GMail password (and re-run postmap whenever you edit the file).
Protect the files with your GMail login data:
# chmod o-r /etc/postfix/sasl_passwd
# chmod o-r /etc/postfix/sasl_passwd.db
# chown postfix /etc/postfix/sasl_passwd
# chown postfix /etc/postfix/sasl_passwd.db
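As an added sanity check (my own example, not part of the original post), this POSIX shell function inspects a sasl_passwd source file before you run postmap: every non-comment line must have the form "lookup-key user:password" and the file must not be world-readable. The function name and the constructed sample files in the usage are assumptions, not anything from Postfix itself.

```shell
#!/bin/sh
# check_sasl_passwd FILE
# Prints each problem found and returns 0 when the file is clean, 1 otherwise.
# Hypothetical helper, added here as an example; not part of Postfix.
check_sasl_passwd() {
    f="$1"
    rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }

    # Column 8 of 'ls -l' is the "other read" bit; 'chmod o-r' clears it.
    if [ "$(ls -ld "$f" | cut -c8)" = "r" ]; then
        echo "$f: world-readable (run: chmod o-r $f)"
        rc=1
    fi

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments

        # Split on the first run of whitespace: key, then credential.
        key=${line%%[[:space:]]*}
        cred=${line#*[[:space:]]}
        cred=${cred#"${cred%%[![:space:]]*}"}       # drop leading whitespace
        if [ "$key" = "$line" ] || [ -z "$cred" ]; then
            echo "$f:$lineno: expected '<host> <user>:<password>'"
            rc=1
            continue
        fi

        # The credential must be user:password; a missing ':' is the
        # classic copy/paste mistake and makes SASL auth fail silently.
        case "$cred" in
            *:*) ;;
            *) echo "$f:$lineno: credential '$cred' has no ':' between user and password"
               rc=1 ;;
        esac
    done < "$f"
    return $rc
}

# Stand-alone use: sh check.sh /etc/postfix/sasl_passwd
if [ "$#" -gt 0 ]; then
    check_sasl_passwd "$1"
fi
```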
Finally, install the SASL PLAIN mechanism (Postfix needs it to log in to GMail) and restart postfix:
# yum install cyrus-sasl-plain
# /etc/init.d/postfix restart