We want to send mails which are authenticated by a mail server, but the application can only send mails to a unauthenticated mail server. We achieve this end result of authenticated mails, by using postfix (a mail relay/forwarding tool ).
What is Postfix? Its a mail server program written by "Wietse Zweitze Venema" that started life at IBM Research as an alternative to the most popular linux "Sendmail" tool. Now he works at Google, and continues to support Postfix.
Postfix attempts to be fast, easy to setup, and secure. After using postfix you may feel that it's just a sendmail tool, but from inside its completely different. Most Linux OS would have postfix installed by default, if not you can install it using yum or apt-get based on your OS. Before setting up postfix make sure you also have the mail tool installed. Lets try to go through the flow we want to achieve.
Configuration Steps (RedHat):
1. Install the tools
yum update && yum install postfix mailx
2. Setup Gmail Authentication
Create or modify a credentials file which will be used by Postfix to establish authentication with GMail or any other mail server.
Add your credentials to a file (these are the details of the "mail from" user)
echo "[smtp.gmail.com]:587 starkadmin@gmail.com:password" >/etc/postfix/sasl_passwd
3. Secure this credentials file
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
4. Create the security configurations file and secure it
echo "smtp.gmail.com:587 encrypt" >/etc/postfix/tls_policy
postmap /etc/postfix/tls_policy
postmap /etc/postfix/tls_policy
5. Fetch the remote server's signer certificate
Note: Its a one line command
echo -n | openssl s_client -connect gmail.com:443 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >/etc/postfix/cacert.pem
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >/etc/postfix/cacert.pem
6. Create the mail re-write policy file
The file /etc/postfix/smtp_header_checks contains rules to be used to rewrite the headers of the emails about to be sent.
This is the most important file in our case as it rewrites the sender so that it always matches our GMail account, starkadmin@gmail.com
No more 'Relaying disallowed' errors!
echo "/^From:.*/ REPLACE From:starkdmin@gmail.com" > /etc/postfix/smtp_header_checks
7. Configure postfix
Edit postfix configuration file /etc/postfix/main.cf with following values:
relayhost = smtp.gmail.com:587
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_password
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_use_tls = yes
smtp_tls_CAfile = /etc/postfix/cacert.pem
8. Enable IMAP for gmail user's (eg: starkadmin@gmail.com) account.
9. Restart postfix service and send a sample mail
service restart postfix
10. Enable "Less Secure Apps" In GMail
By default, only the most secure sign-ins, such as logging in to GMail on the web, are allowed for your GMail account. To permit relay requests, log in to your GMail account and turn on Allow less secure apps. For more information, review the Google Support document
"Allowing less secure apps to access your account."
11. All DONE
Let's send a test mail to confirm all our efforts...
echo "This mail is generated by the configuration steps from 'http://www.cubicrace.com'" | mail -s "Postfix configuration" "piyush@cubicrace.com"
Troubleshooting
For postfix log, see /var/log/maillog
Still not working, try this ...
In the file /etc/postfix/master.cf, I uncommented this line:
smtps inet n - - - - smtpd
Thinking to automate this ?
Here's a script to do all the above steps in a ONE single script !
http://www.cubicrace.com/2017/11/automate-script-postfix-setup.html
0 comments:
Post a Comment