Newsvine - Configuring [Ubuntu] Postfix and Gmail in 10+1 Easy Steps
Now we can go back to our Postfix configuration, make some changes to the main.cf file and create some other needed files. From this point on, everything we check is meant to make sure Postfix itself is operational and has nothing to do with the certificates we created above.
Check your computer's hostname by looking in the /etc/hostname file. If you are using another Linux distribution this file may live somewhere else (/etc/sysconfig/network or the like). To check the hostname file you can simply type $cat /etc/hostname and it will display the information in the terminal. Using this information, we want to make sure everything knows what the hostname is, so run the command $sudo hostname bob.com, replacing "bob.com" with whatever your hostname file says. This simply makes sure we are in a known state of wellness for the rest of the configuration.
Next move to the /etc/postfix directory, back up main.cf with $sudo cp main.cf main.cf.old and open up the main.cf file in your favorite text editor (I think HowTo writers are supposed to say vi to sound cool, but you can use gedit or nano if you like):
$sudo gedit main.cf
Copy the following lines to the bottom of your main.cf. Because they are at the bottom, they will override any settings with the same name made higher up in the file.
## Add these lines to the bottom on main.cf
## TLS Settings
# For no logs set = 0
smtp_tls_loglevel = 1
# smtp_enforce_tls = yes
# Above is commented because doing it site by site below
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
## SASL Settings
# This is for mail coming in to THIS server
smtpd_sasl_auth_enable = no
# We need this
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
## Gmail Relay
relayhost = [smtp.gmail.com]:587
## Good for Testing
# sender_bcc_maps = hash:/etc/postfix/bcc_table
# Disable DNS Lookups
disable_dns_lookups = yes
# Great New feature Address Mapping
# for example, map mchirico@localhost to firstname.lastname@example.org
smtp_generic_maps = hash:/etc/postfix/generic
transport_maps = hash:/etc/postfix/transport
One of the key entries in all of this is the GMAIL RELAY section. This is the setting that turns our Postfix system into a smarthost configuration, which is what we need to use Gmail's SMTP servers. More importantly, we are using port 587, which is not the standard SMTP port. This is why using Gmail to send our outgoing mail is beneficial... ISPs do not block this port. Also notice that we have what appear to be repeated lines for our certificates. If you look closely, however, one set starts with smtp and the other with smtpd. The smtpd lines configure Postfix as a server (mail coming in to us); the smtp lines configure it as a client (mail we send on to Gmail). Finally you can see a number of 'hash:' lines. The top of your config file will have some hash lines as well. Do not worry about those, since the initial setup took care of them. The hashes we refer to still need to be created. Let's go do that now.
Setting up the sasl_passwd file and its hash is necessary to log in to Gmail. Remaining in the /etc/postfix directory, issue the command:
$sudo gedit sasl_passwd
This creates a new file in /etc/postfix called sasl_passwd.
Place into that file the following:
The smtp info needs to remain, but you must change the email address and the password to match your own.
Next we need to make a hash file out of this. Enter $sudo postmap sasl_passwd
That is all we have to do to make the sasl_passwd. Equally exciting is that the other hash files are just as easy to make.
Next create the generic file and hash using the same methods in the last section with this inside:
Replace email@example.com with your username on your Linux box before the '@' sign and your hostname after it. Similarly, replace 'firstname.lastname@example.org' with your Gmail address.
Now we need to make the transport file and hash. This is the file that tells Postfix how to route the emails it gets.
Open a new text file called transport and enter into it:
# This sends mail to Gmail
# Except mail going to the tape and closet server
What this tells Postfix is to send all mail to Gmail except for two cases. On my network I have two other computers, one called comp1 and the other called comp2. I am telling Postfix to send email meant for those two computers directly to them.
Remember to make the hash for the transport file.
We now need to create the tls_per_site file and hash. This is possibly the most important file to create after the main.cf. This file will protect us from "man-in-the-middle" attacks by forcing a secure connection to the remote machine BEFORE we send any passwords.
Create the file tls_per_site and enter:
Replace my domains with your domains and make the hash with postmap... yada yada. The 'MUST' keyword tells Postfix to establish a secure connection with those domains before doing any password hanky panky. If you do not want to worry about your local network because it is small like mine and does not rely on wireless networking, then you can use the keyword MAY. Gmail is a MUST, however.
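As an added check of my own (not code from the article), the script below verifies the sasl_passwd file and hash from the earlier section and the tls_per_site file from this one, plus the relay lines in main.cf, against a constructed directory standing in for /etc/postfix. It assumes the usual `[smtp.gmail.com]:587 user:password` format for sasl_passwd and `smtp.gmail.com` as the tls_per_site lookup key; the sample contents and the `bob.com`/`comp1` names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article. The sasl_passwd line
# format and the "smtp.gmail.com MUST" lookup key are assumptions; the
# sample directory built by make_sample stands in for /etc/postfix.

# check_relay_dir DIR: print one line per problem found; return 0 if none.
check_relay_dir() {
  dir=$1; rc=0
  if [ ! -f "$dir/sasl_passwd" ]; then
    echo "sasl_passwd missing"; rc=1
  else
    # postmap must have been run, otherwise Postfix cannot open the map
    [ -f "$dir/sasl_passwd.db" ] || { echo "sasl_passwd.db missing: run postmap"; rc=1; }
    # the plaintext Gmail password must not be readable by group/other
    if [ "$(ls -ld "$dir/sasl_passwd" | cut -c5-10)" != "------" ]; then
      echo "sasl_passwd readable by group/other: chmod 600 it"; rc=1
    fi
  fi
  # TLS must be mandatory for Gmail or the password could go out in clear
  grep -Eq '^[[:space:]]*smtp\.gmail\.com[[:space:]]+MUST' "$dir/tls_per_site" 2>/dev/null \
    || { echo "tls_per_site has no 'smtp.gmail.com MUST' entry"; rc=1; }
  # main.cf must relay via Gmail on 587 and refuse anonymous SASL mechanisms
  grep -Eq '^relayhost[[:space:]]*=[[:space:]]*\[smtp\.gmail\.com\]:587' "$dir/main.cf" 2>/dev/null \
    || { echo "relayhost is not [smtp.gmail.com]:587"; rc=1; }
  grep -Eq '^smtp_sasl_security_options[[:space:]]*=.*noanonymous' "$dir/main.cf" 2>/dev/null \
    || { echo "smtp_sasl_security_options lacks noanonymous"; rc=1; }
  return $rc
}

# count_problems DIR: number of problem lines reported by check_relay_dir.
count_problems() {
  check_relay_dir "$1" | grep -c . || true
}

# make_sample: build a constructed /etc/postfix look-alike in a temp dir.
make_sample() {
  d=$(mktemp -d)
  printf 'relayhost = [smtp.gmail.com]:587\nsmtp_sasl_security_options = noanonymous\n' > "$d/main.cf"
  printf '[smtp.gmail.com]:587 you@gmail.com:PASSWORD_PLACEHOLDER\n' > "$d/sasl_passwd"
  : > "$d/sasl_passwd.db"   # stands in for the output of: postmap sasl_passwd
  chmod 600 "$d/sasl_passwd"
  printf 'smtp.gmail.com MUST\ncomp1.bob.com MAY\n' > "$d/tls_per_site"
  echo "$d"
}

sample=$(make_sample)
check_relay_dir "$sample" && echo "OK: $sample passes all checks"
rm -rf "$sample"
```

Postfix reads sasl_passwd only as root when running postmap, so mode 600 costs nothing and keeps the Gmail password away from other local users. On current Postfix releases smtp_tls_per_site and smtp_use_tls/smtp_enforce_tls are superseded by smtp_tls_policy_maps and smtp_tls_security_level, and the same rule applies there: the Gmail entry must require encryption before SASL is attempted.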
Step 10 + 1:
Open master.cf using $sudo gedit master.cf and find the line that reads relay unix - - n - - smtp. It will be a little way down. Beneath that line you will probably see a few settings that start with '-o'; we will be adding one more. Enter -o smtp_generic_maps= right below the relay line. This entry tells Postfix to send out your emails with your Gmail address as the originating address rather than your Ubuntu account and domain. Whenever you edit the master.cf file you need to reload Postfix. To do this simply issue the command
$sudo postfix reload
That is all there is to it. Make sure your Postfix server is started by typing $sudo postfix start. You should now have a working Postfix server that sends messages out through Gmail's SMTP servers. Test it out and make sure it works.
Note: If you check the mail.log file you might notice that your certificate is not validating with Gmail. I have not found a reason for this yet, but it does not seem to impede the function.
To fix the errors in your mail.log file follow These Instructions. However, replace Thawte_Premium_Server_CA.pem with Equifax_Secure_CA.pem.