Setting up a Google Relay host using Postfix on Fedora 19.

When I set up my Amahi Home Server a few years ago, one of the things that I wanted to do was be able to send the logs and other emails that normally go to the root account to my gmail account. This way, I could quickly scan the information without having to actively log into the server. My options were to either register my own domain name and go through the steps to set up MX records and servers, or to relay it through another gmail account. I chose the second, since I already have the accounts, and registering and hosting the domain costs money (plus I’m already given a .yourhda.com domain with Amahi).

When I started to set up the relay, it took a while. I ended up finding quite a few sites on the Internet with different methods of configuring the relay (most of which didn’t work right). When I reinstalled my Amahi Server this past weekend (upgrading it to their latest version), I forgot to save the postfix configurations, so I had to redo them. Thankfully it was a simple matter this time. I’ve only done this on Fedora 14/19, but I’m pretty sure the steps will be similar, if not the same, for an Ubuntu based distribution. All of these steps are being done as the root (superuser) account. If you’re using your administrator account, you’ll have to precede each command with sudo.

Creating your Relay

If you haven’t done so already, you need to install postfix first.

yum install postfix

Next you need to open the /etc/postfix/main.cf file in your favorite editor (I use nano, but you can use whatever you prefer).

nano /etc/postfix/main.cf

At the bottom, add the following lines:

# sets gmail as relay
relayhost = [smtp.gmail.com]:587

# use tls
smtp_use_tls=yes

# use sasl when authenticating to foreign SMTP servers
smtp_sasl_auth_enable = yes

# path to password map file
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# list of CAs to trust when verifying server certificate
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# eliminates default security options which are incompatible with gmail
smtp_sasl_security_options =

Next you’ll have to edit (or create) the sasl_passwd file that’s used in the postfix configuration above:

nano /etc/postfix/sasl_passwd

The format of this file is this:

[smtp.gmail.com]:587 username:password

After creating this file, you need to run the postmap command to create the hash of the password file and then make sure that postfix owns the files (as they are created by root originally).

postmap /etc/postfix/sasl_passwd

and

chown postfix /etc/postfix/sasl_passwd*

Finally reload postfix using this command:

/etc/init.d/postfix reload

Testing your configurations

If everything worked correctly, you should be able to test your mail setup by sending an email from the command line.  There are multiple methods for this, but I’ll show you two of them here.

The first method uses the mail command (you should be able to do this as either root or a regular user). Replace youruser@emaildomain.com with your intended recipient’s email address.

mail -s "Subject: Test email from linux server" youruser@emaildomain.com

The editor will open up, so you can type a message in the body. You’ll use CTRL+D to exit this editor.

Next, if you want to CC anyone, you can add their email addresses, and/or press CTRL+D to exit this portion.

The email should send. Check your inbox (and spam folders) to see if it’s arrived. If not, you can check /var/log/maillog (or in /var/log/mail) to find out what’s wrong.

The second method uses the echo command to send everything to the mail command for you.

echo "Enter the body part of the email" | mail -s "Subject: Test email from linux server" youruser@emaildomain.com

If you want to CC someone else into the email, the format of the command is

echo "Enter the body part of the email" | mail -s "Subject: Test email from linux server" -c seconduser@emaildomain.com youruser@emaildomain.com

Forwarding the root emails to your relay

Now this is all pointless unless you make sure that all emails destined for the root mailbox get forwarded to your external account. You could do this a number of ways (such as configuring each application that might send an email to your root to send them to the external account also), but the two easiest ways are to create a .forward file, or create an alias.

Creating a .forward file:

nano /root/.forward

Add the email address that you want to forward the emails to and save the file.

youruser@emaildomain.com

Note that this will bypass the root mailbox altogether. If you want root to continue to receive the emails, you have to add root to the file with the following format

\root

youruser@emaildomain.com

Editing the aliases file and adding the root alias

nano /etc/aliases

Then add the following entry (replacing youruser@emaildomain.com with your external email address)

root: youruser@emaildomain.com

Finally run the newaliases command to make sure you’re using the updated version of /etc/aliases.

newaliases

With that, you should be set up. Now anytime an application sends a message to root, you’ll receive it on your external email account as well. Please note that you’ll still need to log in and clean out the root mail account occasionally, as the messages are still being sent there.

 

Troubleshooting and Updates for Fedora 19

If you run into any issues with postfix, check /var/log/maillog for problems. The easiest way to do this is with cat /var/log/maillog | tail, and then attempt to resend the email that you used to test the configuration.

If gmail rejects your email with something similar to “530 5.7.0 Must issue a STARTTLS command first.” (and you have the smtp_use_tls=yes setting in your main.cf file), you need to do the following things:

In main.cf, add the following line

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

then create a tls_policy file in /etc/postfix that has the following line

[smtp.gmail.com]:587 encrypt

Then run postmap /etc/postfix/tls_policy to create the hash of the file.

If you run into a warning or error similar to “warning: TLS library problem: 25188:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('/etc/ssl/certs/ca-certificates.crt','r'):”, you need to change the smtp_tls_CAfile line in main.cf to use ca-bundle.crt. This is because Fedora 19 doesn’t have the ca-certificates.crt file anymore. It uses ca-bundle.crt instead. Something to note here is that after you fix the certificate issue, the email will send. So if you’re testing your configuration, you’ll end up with multiple test emails.
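
The checks below are an added example, not part of the original post: a shell audit of the settings this page configures. It flags a relay where TLS is only optional (smtp_use_tls=yes without the tls_policy entry, which matters because the emptied smtp_sasl_security_options allows plaintext logins), a missing smtp_tls_CAfile, and a sasl_passwd or sasl_passwd.db that group or other users can read. The function names are made up for the example.

```shell
#!/bin/sh
# Added example: audit a Postfix relay setup like the one on this page.
# Function names are made up for this example; continuation lines in
# main.cf are not handled.

# Value of main.cf parameter $2 in file $1 (the last definition wins).
cf_get() {
    sed -n -e 's/[[:space:]]*$//' \
        -e "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# True if TLS to the relay is mandatory, either globally or through the
# smtp_tls_policy_maps entry for the relayhost.
tls_enforced() {
    levels='encrypt|dane-only|fingerprint|verify|secure'
    cf_get "$1" smtp_tls_security_level | grep -Eqx "$levels" && return 0
    map=$(cf_get "$1" smtp_tls_policy_maps)
    relay=$(cf_get "$1" relayhost)
    [ -n "$map" ] && [ -n "$relay" ] || return 1
    awk -v r="$relay" -v l="^($levels)\$" '$1 == r && $2 ~ l { ok = 1 }
        END { exit !ok }' "${map#*:}" 2>/dev/null
}

# True if file $1 exists and has no group/other permission bits set.
secret_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Print findings for main.cf $1 and password file $2; return their count.
audit_relay() {
    findings=0
    if ! tls_enforced "$1"; then
        echo "WARN: TLS to the relay is optional, so the SASL login is not guaranteed to be encrypted"
        findings=$((findings + 1))
    fi
    ca=$(cf_get "$1" smtp_tls_CAfile)
    if [ -z "$ca" ] || [ ! -r "$ca" ]; then
        echo "WARN: smtp_tls_CAfile '$ca' is missing or unreadable"
        findings=$((findings + 1))
    fi
    for f in "$2" "$2.db"; do
        if ! secret_private "$f"; then
            echo "WARN: $f is missing or readable by group/other"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

Run it as audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd; the return value is the number of findings.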