Configure Postfix with Gmail and Google Apps on Debian or Ubuntu
Postfix is a Mail Transfer Agent (MTA) that can act as an SMTP server or client to send or receive email. There are many reasons why you would want to configure Postfix to send email using Google Apps and Gmail. One reason is to avoid getting your mail flagged as spam if your current server’s IP has been added to a blacklist.
In this guide, you will learn how to install and configure a Postfix server on Debian or Ubuntu to send email through Gmail and Google Apps.
Before You Begin
- Update your system:
sudo apt-get update && sudo apt-get upgrade
- Use your web browser to confirm your email login credentials by logging in to Gmail.
Note
This guide is written for a non-root user. Commands that require elevated privileges are prefixed with sudo.
Install Postfix
In this section, you will install Postfix as well as libsasl2, a package which helps manage the Simple Authentication and Security Layer (SASL).
- Install Postfix and the libsasl2-modules package:
sudo apt-get install libsasl2-modules postfix
- During the Postfix installation, a prompt will appear asking for your General type of mail configuration. Select Internet Site.
- Enter the fully qualified name of your domain. In this example, fqdn.example.com.
- Once the installation is complete, confirm that the myhostname parameter is configured with your server’s FQDN:
- /etc/postfix/main.cf
myhostname = fqdn.example.com
Generate an App Password for Postfix
When Two-Factor Authentication (2FA) is enabled, Gmail is preconfigured to refuse connections from applications like Postfix that don’t provide the second step of authentication. While this is an important security measure that is designed to restrict unauthorized users from accessing your account, it hinders sending mail through some SMTP clients as you’re doing here. Follow these steps to configure Gmail to create a Postfix-specific password:
- Log in to your email, then click the following link: Manage your account access and security settings. Scroll down to “Password & sign-in method” and click 2-Step Verification. You may be asked for your password and a verification code before continuing. Ensure that 2-Step Verification is enabled.
- Click the following link to Generate an App password for Postfix.
- Click Select app and choose Other (custom name) from the dropdown. Enter “Postfix” and click Generate.
- The newly generated password will appear. Write it down or save it somewhere secure that you’ll be able to find easily in the next steps, then click Done.
Add Gmail Username and Password to Postfix
Usernames and passwords are stored in sasl_passwd in the /etc/postfix/sasl/ directory. In this section, you’ll add your email login credentials to this file and to Postfix.
- Open or create the /etc/postfix/sasl/sasl_passwd file and add the SMTP Host, username, and password information:
- /etc/postfix/sasl/sasl_passwd
[smtp.gmail.com]:587 [email protected]:password
- Create the hash db file for Postfix by running the postmap command:
sudo postmap /etc/postfix/sasl/sasl_passwd
If all went well, you should have a new file named sasl_passwd.db in the /etc/postfix/sasl/ directory.
Secure Your Postfix Hash Database and Email Password Files
The /etc/postfix/sasl/sasl_passwd and the /etc/postfix/sasl/sasl_passwd.db files created in the previous steps contain your SMTP credentials in plain text.
To restrict access to these files, change their permissions so that only the root user can read from or write to the file. Run the following commands to change the ownership to root and update the permissions for the two files:
sudo chown root:root /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl/sasl_passwd /etc/postfix/sasl/sasl_passwd.db
Configure the Postfix Relay Server
In this section, you will configure the /etc/postfix/main.cf file to use Gmail’s SMTP server.
- Find and modify relayhost in /etc/postfix/main.cf to match the following example:
- /etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
- At the end of the file, add the following parameters to enable authentication:
- /etc/postfix/main.cf
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
# Enable STARTTLS encryption
smtp_tls_security_level = encrypt
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
- Save your changes and close the file.
- Restart Postfix:
sudo systemctl restart postfix
Troubleshooting – Enable “Less secure apps” access
In some cases, Gmail might still block connections from what it calls “Less secure apps.” To enable access:
- Enable “Less secure apps” access. Select Turn on. A yellow “Updated” notice will appear at the top of the browser window and Gmail will automatically send a confirmation email.
- Test Postfix as shown in the following section. If your test emails don’t appear after a few minutes, disable captcha from new application login attempts and click Continue.
Test Postfix
Use Postfix’s sendmail implementation to send a test email. Enter lines similar to those shown below, and note that there is no prompt between lines until the . ends the process:
sendmail [email protected]
From: [email protected]
Subject: Test mail
This is a test email
.
Check the destination email account for the test email. Open syslog using the tail -f command to show changes as they appear live:
sudo tail -f /var/log/syslog
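An added example, not part of the original guide: a shell audit of the settings configured above, checking that relayhost is bracketed, SASL is enabled with noanonymous, TLS is mandatory, and each credential file is mode 600 and owned by root. The names cf_get, flag, audit_relay and EXPECT_UID and the sample files are assumptions made for illustration; the script assumes GNU stat and reads main.cf directly rather than through postconf.

```shell
#!/bin/sh
# Added example, not from the guide. Assumes GNU stat and one "name = value" per line.
# cf_get FILE NAME DEFAULT: last value assigned to NAME in FILE, else DEFAULT.
cf_get() {
    awk -v key="$2" -v last="$3" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (i == 0) next
          name = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (name == key) last = val }
        END { print last }' "$1"
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_relay MAIN_CF CRED_FILE...: print findings; exit status 0 only if none.
audit_relay() {
    cf=$1; shift; findings=0
    case $(cf_get "$cf" relayhost "") in
        \[*\]*) ;;
        *) flag "relayhost is not [host]:port, so MX lookups are not suppressed" ;;
    esac
    [ "$(cf_get "$cf" smtp_sasl_auth_enable no)" = yes ] ||
        flag "smtp_sasl_auth_enable is not yes"
    # Postfix default is "noplaintext, noanonymous"; an empty value drops both.
    case $(cf_get "$cf" smtp_sasl_security_options "noplaintext, noanonymous") in
        *noanonymous*) ;;
        *) flag "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    case $(cf_get "$cf" smtp_tls_security_level "") in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) flag "smtp_tls_security_level does not make TLS mandatory" ;;
    esac
    for f in "$@"; do   # sasl_passwd and sasl_passwd.db both hold the password
        perm=$(stat -c '%a %u' "$f" 2>/dev/null) || { flag "$f is missing"; continue; }
        [ "$perm" = "600 ${EXPECT_UID:-0}" ] ||
            flag "$f has mode/uid '$perm', expected '600 ${EXPECT_UID:-0}'"
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample (not a real server): empty SASL options, world-readable file.
demo=$(mktemp -d)
EXPECT_UID=$(id -u)   # demo files belong to the current user, not root
printf '%s\n' 'relayhost = [smtp.gmail.com]:587' 'smtp_sasl_auth_enable = yes' \
    'smtp_sasl_security_options =' 'smtp_tls_security_level = encrypt' > "$demo/main.cf"
: > "$demo/sasl_passwd"; chmod 644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf" "$demo/sasl_passwd" || true
rm -rf "$demo"
```

On a live host, drop the sample lines and call audit_relay with /etc/postfix/main.cf followed by the two files under /etc/postfix/sasl/, leaving EXPECT_UID unset so that root ownership is required.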
Without adding an extension, the best way is to add and configure Postfix for a Gmail account (Tested on Mac & Linux):
SASL Authentication
Connecting to the Gmail SMTP server requires both SSL and authentication. To set up authentication you will need to edit the /etc/postfix/sasl_passwd file.
sudo vim /etc/postfix/sasl_passwd
Update the contents to include the following. Note that enclosing hostnames with square brackets – [] – tells Postfix to avoid doing an MX lookup. Make sure to replace EMAIL with your email address, and PASSWORD with your Gmail password, properly escaping any colons in it.
[smtp.gmail.com]:587 [email protected]:PASSWORD
Use the postmap command to update the SASL credentials in Postfix:
sudo postmap /etc/postfix/sasl_passwd
Postfix Relay Configuration
Next we need to edit the Postfix configuration found in /etc/postfix/main.cf.
sudo vim /etc/postfix/main.cf
I was not able to route mail to the Gmail SMTP servers over IPv6, so force only IPv4 connections by searching for the inet_protocols key and updating the value.
inet_protocols = ipv4
If any of the following keys already exist in your configuration, comment them out, and include the following at the bottom of the config file.
# Gmail SMTP relay
relayhost = [smtp.gmail.com]:587
# Enable SASL authentication in the Postfix SMTP client.
# (smtpd_sasl_auth_enable governs the Postfix SMTP server, not the client relay.)
smtpd_sasl_auth_enable = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# An empty value removes the default restrictions (noplaintext, noanonymous).
smtp_sasl_security_options =
smtp_sasl_mechanism_filter = AUTH LOGIN
# Enable Transport Layer Security (TLS), i.e. SSL.
# (smtp_use_tls is the older setting; smtp_tls_security_level supersedes it.)
smtp_use_tls = yes
smtp_tls_security_level = encrypt
tls_random_source = dev:/dev/urandom
Restart Postfix & Test
Restart Postfix as root, then send a test email.
sudo postfix stop && sudo postfix start
date | mail -s "Test Email" [email protected]