relayhost GMAIL submission (port 587)


sruckh
I have read several guides from the internet including the ones from
postfix forums.  It would appear that several people have configured
their postfix environments to use GMAIL as a relayhost and to use port
587 for communication.

Currently my relay host is set up for my ISP's email server which I
presume is going to port 25.  I would like to change this portion of the
postfix configuration to use GMAIL as my relayhost and use the
submission port (with authentication).

I have created /etc/postfix/sasl_passwd file:
[smtp.gmail.com]:587        [hidden email]:mypassword

I tried my normal google account and password and even created an "APP"
specific password (not having to use 2 Factor Authentication).

This file (along with the created .db file) has a mode of 0600 and
both files are owned by root:root.

I have run this command postmap hash:/etc/postfix/sasl_passwd

I have tried many different combinations of these settings in my
/etc/postfix/main.cf file.

#relayhost = [smtp.gmail.com]:587
#smtpd_sasl_auth_enable = yes
#smtp_use_tls = yes
#smtp_sasl_security_options = noanonymous
#smtp_sasl_tls_security_options = noanonymous
#smtp_tls_security_level = encrypt
#smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
#smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

Here is the output from 'postconf -n' : in a working state where email
is relayed through ISP's email address:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 3
debug_peer_list = smtp.gmail.com
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks.regexp
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 31457280
milter_default_action = accept
mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp
mydestination = $myhostname, localhost, localhost.localdomain
myhostname = myhostname.my.domain
mynetworks = 127.0.0.0/8 a.b.c.d/24
myorigin = my.domain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
proxy_read_maps = $local_recipient_maps $mydestination
$virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps
$virtual_mailbox_domains $relay_recipient_maps $relay_domains
$canonical_maps $sender_canonical_maps $recipient_canonical_maps
$relocated_maps $transport_maps $mynetworks
queue_directory = /var/spool/postfix
relayhost = [my.isp.email.address]
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
smtpd_recipient_restrictions = reject_invalid_hostname,
reject_unknown_recipient_domain, reject_unauth_pipelining,
permit_mynetworks, reject_unauth_destination, permit_sasl_authenticated,
check_policy_service unix:/var/spool/postfix/postgrey/socket,
reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net,
reject_rbl_client dnsbl.sorbs.net, reject_rbl_client cbl.abuseat.org,
reject_rbl_client b.barracudacentral.org, reject_rbl_client
dnsbl-1.uceprotect.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/pki/postfix/certs/my.domain.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps =
proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf,
mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000

This is the error that is being received:
Oct 25 17:44:11 hostname postfix/smtp[14188]: 17586F25:
to=<[hidden email]>, relay=smtp.gmail.com[74.125.28.108]:587,
delay=0.53, delays=0.1/0.03/0.35/0.05, dsn=5.5.1, status=bounced (host
smtp.gmail.com[74.125.28.108] said: 530-5.5.1 Authentication Required.
Learn more at 530 5.5.1  
https://support.google.com/mail/?p=WantAuthError x9sm7215456pfk.120 -
gsmtp (in reply to MAIL FROM command))

From what I can tell other people have had success with similar
configurations, but everything I have tried gives more or less the same
results.  I assume some of the other stuff like amavisd, or something
like that might be doing something funky.  I have tried every
combination of configurations I could think of and have not had success
and thought maybe someone from here can spot my error.

Thank You.

Re: relayhost GMAIL submission (port 587)

Viktor Dukhovni


> On Oct 26, 2017, at 12:12 PM, [hidden email] wrote:
>
> #relayhost = [smtp.gmail.com]:587
> #smtpd_sasl_auth_enable = yes

Look closely, that line has "smtpd_..." while all the ones below
have "smtp_...".  Check the docs.

> #smtp_use_tls = yes
> #smtp_sasl_security_options = noanonymous
> #smtp_sasl_tls_security_options = noanonymous
> #smtp_tls_security_level = encrypt
> #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> #smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

--
        Viktor.


Re: relayhost GMAIL submission (port 587)

Wietse Venema
Viktor Dukhovni:
>
>
> > On Oct 26, 2017, at 12:12 PM, [hidden email] wrote:
> >
> > #relayhost = [smtp.gmail.com]:587
> > #smtpd_sasl_auth_enable = yes
>
> Look closely, that line has "smtpd_..." while all the ones below
> have "smtp_...".  Check the docs.

You need to fix that, because Google does not enable SASL AUTH
over a PLAINTEXT connection (I just verified that).

        Wietse

> > #smtp_use_tls = yes
> > #smtp_sasl_security_options = noanonymous
> > #smtp_sasl_tls_security_options = noanonymous
> > #smtp_tls_security_level = encrypt
> > #smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> > #smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> > #smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
>
> --
> Viktor.
>
>

[SOLVED] relayhost GMAIL submission (port 587)

sruckh
On 2017-10-26 11:23, [hidden email] wrote:

> Viktor Dukhovni:
>>
>>
>> > On Oct 26, 2017, at 12:12 PM, [hidden email] wrote:
>> >
>> > #relayhost = [smtp.gmail.com]:587
>> > #smtpd_sasl_auth_enable = yes
>>
>> Look closely, that line has "smtpd_..." while all the ones below
>> have "smtp_...".  Check the docs.
>
> You need to fix that, because Google does not enable SASL AUTH
> over a PLAINTEXT connection (I just verified that).
>
> Wietse

Yep.  That was it.  Lack of knowledge of that setting certainly did not
help.  That setting has been in my postfix config for years.  I had it
grouped with other settings like, smtpd_sasl_type and smtpd_sasl_path,
so the "d" did not look odd next to those settings.  Plus, since my
non-authenticated configuration has worked I had no reason to assume
that setting was wrong.

Although, now that I have seen this in action, it does not work as I
expected.  Now, everything looks like it comes from my username@gmail
account rather than the account where the email originated (the server
running postfix).  This did not happen when using my ISP's email address
as the relayhost.

Thank you for taking the time to look and pointing out the problem!
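
Added example, not part of the original thread: a shell check for the two points raised in the replies (the client-side smtp_sasl_auth_enable versus the server-side smtpd_sasl_auth_enable, and TLS being enforced before AUTH), run over `postconf -n`-style output with one `name = value` per line. The function names and the sample settings are constructed for illustration; the parameter names are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint `postconf -n`-style output for the
# client-side settings an authenticated relay to [smtp.gmail.com]:587 needs.

# Print the value of parameter $1 from file $2 (last uncommented match wins).
get_param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Print one finding per line; the exit status is the number of findings.
check_relay_auth() {
    conf=$1 n=0
    if [ "$(get_param smtp_sasl_auth_enable "$conf")" != "yes" ]; then
        echo "smtp_sasl_auth_enable is not 'yes': the SMTP client will not send AUTH"
        n=$((n + 1))
        if [ "$(get_param smtpd_sasl_auth_enable "$conf")" = "yes" ]; then
            echo "note: smtpd_sasl_auth_enable only affects the inbound SMTP server"
        fi
    fi
    if [ -z "$(get_param smtp_sasl_password_maps "$conf")" ]; then
        echo "smtp_sasl_password_maps is empty: no credentials for the relayhost"
        n=$((n + 1))
    fi
    case "$(get_param smtp_tls_security_level "$conf")" in
        encrypt|dane-only|fingerprint|verify|secure) ;;  # levels that require TLS
        *) echo "smtp_tls_security_level does not enforce TLS before AUTH"
           n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: settings from the original post, uncommented as posted.
sample_broken() {
    cat <<'EOF'
relayhost = [smtp.gmail.com]:587
smtpd_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
EOF
}

# With a file argument, lint that file; otherwise lint the constructed sample.
tmp=$(mktemp); sample_broken > "$tmp"
check_relay_auth "${1:-$tmp}" || echo "findings: $?"
rm -f "$tmp"
```

To check a live configuration, save the output of `postconf -n` to a file and pass that file as the first argument.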