Postfix with Google Apps SMTP relay (Google Compute Engine)

After setting up my first Compute Engine instance on the Google Cloud platform, I discovered that Google Compute Engine does not allow you to send outbound e-mail over ports 25, 465 and 587. You need a third-party service like Google Apps, Mandrill or Sendgrid to do the job. I chose Google Apps, because I already have a Google Apps account and my website is also running on Google Cloud.

There are lots of articles and tutorials on the internet about configuring Postfix with Google Apps as SMTP relay service. I have searched for 4 days to find out how to do it the best way.

Important when you have a multiple domain Google Apps account

  • You can only set the configurations below when you are logged in as the top level Google Apps domain.
  • Be sure you connect the domain you want to use to your Google Apps account.
  • Be sure you create an e-mail address and password specifically for that domain. For example, when you have Postfix running on the domain example.com, create an e-mail address like info@example.com and use these details for configuring your Postfix server. I say this because I used the top-level e-mail address of my Google Apps account for configuring my Postfix server authentication for a long time, and this will give you authentication problems, so your mail server will not work.

Configuring Google Apps admin settings

First, let's get started with configuring the Google Apps admin settings side. This is the information which was the most unclear for me in all the articles that I have read in the last 4 days.

  1. Log in to your Google Apps account.
  2. Go to Apps > Google Apps > Gmail > Advanced settings.
  3. Scroll down to SMTP relay service.
  4. Add a new service and enter the settings as shown in the image below.

[Image: google-smtp-relay-settings]

You have now successfully added an SMTP relay service that allows your domains, in combination with your Google Apps account authentication (which we will configure on the server side later), to send e-mails.

Configuring Postfix (server side)

First, update the apt package lists:

sudo apt-get update

Then install the Postfix mail server:

sudo apt-get install postfix

During the installation of Postfix you need to configure the following things:

  1. General type of mail configuration: Internet with smarthost.
  2. Mail name: example.com (fully qualified domain name)
  3. Relay host: [smtp.gmail.com]:587

After finishing the Postfix installation, you need to install libsasl2-modules. This is for handling the SASL authentication with Google Apps later.

sudo apt-get install libsasl2-modules

The last package worth installing is mailutils, so you can easily test whether sending mail works.

sudo apt-get install mailutils

It is now important that your /etc/postfix/main.cf file looks like this:

myhostname = yourdomain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = /etc/mailname
mydestination = yourdomain.com

relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Use ipv4 protocol
inet_protocols = ipv4

# enable SASL authentication 
smtp_sasl_auth_enable = yes

# disallow methods that allow anonymous authentication. 
smtp_sasl_security_options = noanonymous

# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

# Enable STARTTLS encryption 
smtp_use_tls = yes

# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Most important is that myhostname and mydestination are set to your domain name and that inet_protocols is set to “ipv4”. Also make sure that your domain name is in the /etc/mailname file.

Now that your main.cf file is configured correctly, we need to configure the SASL files for the authentication with Google Apps.

Create a /etc/postfix/sasl/passwd file and add your Google Apps username and password as follows:

[smtp.gmail.com]:587 you@yourdomain.com:yourpassword

Now create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl/passwd

Secure your password and hash database files so that only root can read and write them:

sudo chown root:root /etc/postfix/sasl/passwd /etc/postfix/sasl/passwd.db
sudo chmod 0600 /etc/postfix/sasl/passwd /etc/postfix/sasl/passwd.db

Restart Postfix:

sudo /etc/init.d/postfix restart

And try sending a mail with:

echo "body of your email" | mail -s "This is a Subject" -a "From: you@yourdomain.com" receiver@otherdomain.com

If your mail is not received, check your mail.log file for any error messages:

sudo tail -f /var/log/mail.log
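
The following audit script is an added example, not part of the original post. It checks three things this setup depends on: that TLS is mandatory before the SASL login (smtp_use_tls = yes is only opportunistic, the same as smtp_tls_security_level = may), that the password map has an entry keyed by the exact relayhost string, and that the password files are not group- or world-accessible. The function names cf_get and audit_relay and the sample files are constructed for illustration; stat -c assumes GNU coreutils, as on Debian.

```shell
#!/bin/sh
# Added example: audit the Postfix relay-client settings described on this page.

# cf_get FILE PARAM: print the effective (last) value of PARAM in a main.cf-style file.
cf_get() {
    awk -v p="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments, blank lines
        /^[ \t]/ { if (cur == p) val = val " " $0; next }  # continuation line
        { cur = $0; sub(/[ \t]*=.*/, "", cur)
          if (cur == p) { val = $0; sub(/^[^=]*=[ \t]*/, "", val) } }
        END { gsub(/[ \t]+/, " ", val); sub(/ $/, "", val); print val }' "$1"
}

# audit_relay MAIN_CF SASL_PASSWD: print one finding per line; no output means clean.
audit_relay() {
    cf=$1; pw=$2
    level=$(cf_get "$cf" smtp_tls_security_level)
    if [ -z "$level" ]; then                 # fall back to the legacy parameters
        if [ "$(cf_get "$cf" smtp_enforce_tls)" = yes ]; then level=encrypt
        elif [ "$(cf_get "$cf" smtp_use_tls)" = yes ]; then level=may
        else level=none; fi
    fi
    case $level in
        encrypt|verify|secure|fingerprint|dane-only) ;;   # TLS is mandatory
        *) echo "TLS: level '$level' does not require TLS, so the session can run in cleartext" ;;
    esac
    relay=$(cf_get "$cf" relayhost)
    # Assumed check: the map entry is keyed by the relayhost string, brackets and port included.
    if ! awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pw"; then
        echo "SASL: no entry keyed '$relay' in $pw"
    fi
    for f in "$pw" "$pw.db"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f")              # GNU stat, as on Debian
        case $mode in *00) ;; *) echo "PERM: $f is mode $mode, expected 600" ;; esac
    done
    return 0
}

# Constructed sample input: client-side lines from the main.cf above, world-readable passwd.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'relayhost = [smtp.gmail.com]:587' 'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_security_options = noanonymous' 'smtp_use_tls = yes' > "$d/main.cf"
    echo '[smtp.gmail.com]:587 you@yourdomain.com:yourpassword' > "$d/passwd"
    chmod 0644 "$d/passwd"
    audit_relay "$d/main.cf" "$d/passwd"
    rm -rf "$d"
}
demo
```

On the server, run it as audit_relay /etc/postfix/main.cf /etc/postfix/sasl/passwd. Adding smtp_tls_security_level = encrypt to main.cf clears the TLS finding.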

Resources