Nav's Place: Nav's Home on the Interwebs

SMTP Relay Server with Gmail

This is a brief guide on installing an SMTP relay server on Fedora 12. I have taken these instructions from various sites and tried to merge them into one. These are the sites I used in my research:

Soup to Nuts
G-loaded Journal
Carlton’s Online Notebook

The commands and settings used in this guide are explained in more detail on those sites. If you want to know what the commands are for, please visit those sites.

Here is the guide:

Install postfix and remove sendmail

yum install postfix
yum remove sendmail

Check that postfix has been compiled with SASL and SSL support:

ldd `which postfix` | grep libsasl
ldd `which postfix` | grep libssl

They should hopefully return something like this:
# ldd `which postfix` | grep libsasl
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f646039a000)

# ldd `which postfix` | grep libssl
libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f0ed4b79000)

This should work for a base install of Fedora 12; if you do not see any output, you might need a different build of postfix.

Next we need to make sure that openssl and openssl-perl are both installed and up to date. These will be used to generate the SSL certificates.

yum install openssl openssl-perl

We need to make ourselves a Certificate Authority. You can skip this step if you already have certificates made.

Perform these actions as root (su):

mkdir -m 0755 /etc/pki_jungle

mkdir -m 0755 \
/etc/pki_jungle/myCA \
/etc/pki_jungle/myCA/private \
/etc/pki_jungle/myCA/certs \
/etc/pki_jungle/myCA/newcerts \
/etc/pki_jungle/myCA/crl

cp /etc/pki/tls/openssl.cnf /etc/pki_jungle/myCA/openssl.my.cnf

chmod 0600 /etc/pki_jungle/myCA/openssl.my.cnf

touch /etc/pki_jungle/myCA/index.txt

echo '01' > /etc/pki_jungle/myCA/serial

cd /etc/pki_jungle/myCA/

openssl req -config openssl.my.cnf -new -x509 -extensions v3_ca -keyout private/myca.key -out certs/myca.crt -days 1825

At this point you will be prompted for a passphrase; choose a strong one. Then fill in the certificate fields:

Country Name (2 letter code) [NZ]:ER
State or Province Name (full name) [Earth]:Earth
Locality Name (eg, city) []: Land
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority
Common Name (eg, your name or your server’s hostname) []:server.example.com
Email Address []:whatever@server.example.com

Once that is done, lock down the CA key:

chmod 0400 /etc/pki_jungle/myCA/private/myca.key

Next we need to edit openssl.my.cnf. I would recommend using something like WinSCP if you are not comfortable with command-line text editors.

Open /etc/pki_jungle/myCA/openssl.my.cnf and make the following changes:

[ CA_default ]
dir = . # <--CHANGE THIS
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no

new_certs_dir = $dir/newcerts

certificate = $dir/certs/myca.crt # <--CHANGE THIS
serial = $dir/serial
#crlnumber = $dir/crlnumber

crl = $dir/crl.pem
private_key = $dir/private/myca.key # <--CHANGE THIS
RANDFILE = $dir/private/.rand

x509_extensions = usr_cert

Next we need to create the server certificate:

cd /etc/pki_jungle/myCA/

openssl req -config openssl.my.cnf -new -nodes -keyout private/server.key -out server.csr -days 365

Fill out the fields as before:

Country Name (2 letter code) [NZ]:ER
State or Province Name (full name) [Earth]:Earth
Locality Name (eg, city) []: Land
Organization Name (eg, company) [My Company Ltd]:My Network
Organizational Unit Name (eg, section) []:My Certificate Authority
Common Name (eg, your name or your server’s hostname) []:server.example.com
Email Address []:whatever@server.example.com

The Common Name (CN) is the value that uniquely identifies your service, so be sure that you type it correctly.
When prompted for the extra attributes (challenge password, optional company name), just hit the [Enter] key.

chown root.root /etc/pki_jungle/myCA/private/server.key
chmod 0400 /etc/pki_jungle/myCA/private/server.key

cd /etc/pki_jungle/myCA/

openssl ca -config openssl.my.cnf -policy policy_anything -out certs/server.crt -infiles server.csr

Sign the request with your CA; you will be asked for the CA passphrase and to confirm the signing.

Download the Thawte root certificates from https://www.thawte.com/roots/index.html

Unzip the file and copy Thawte Roots\Thawte Personal Root Certificates\Thawte Personal Premium CA\Thawte Personal Premium CA.pem to /etc/pki_jungle/myCA/certs/. Make sure to remove all the spaces from the filename, so that it matches the path used in main.cf below.

You will need to create a file called sasl_passwd in the /etc/postfix directory.

Add the following line to sasl_passwd, substituting your own Gmail address and password:

[smtp.gmail.com]:587 user@gmail.com:password

After the file is created, run the following commands to build the lookup table and restrict access to the credentials:

postmap /etc/postfix/sasl_passwd

chown root.postfix /etc/postfix/sasl_passwd*

chmod 0640 /etc/postfix/sasl_passwd*

Next edit /etc/postfix/main.cf and add the following to the bottom of the file:

#### GMail SSL SMTP Relay
relayhost = [smtp.gmail.com]:587

#auth
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file = /etc/pki_jungle/myCA/private/server.key
smtp_tls_cert_file = /etc/pki_jungle/myCA/certs/server.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtp_tls_enforce_peername = no
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtp_tls_CAfile = /etc/pki_jungle/myCA/certs/ThawtePersonalPremiumCA.pem

While you have main.cf open you might want to change a few other settings as well. Uncomment them by removing the # character and fill in the values that suit your network:

myhostname = smtp.nav.local
mydomain = nav.local
myorigin = $mydomain
inet_interfaces = all
(Comment out inet_interfaces = localhost so it reads #inet_interfaces = localhost.)

Save the file.

On your fedora box go to System > Administration > Firewall

Tick the Mail (SMTP) box and click on apply.

Next, restart the postfix service by typing:

/etc/init.d/postfix restart

You should now be able to configure your mail client to use your server as an SMTP server. If you cannot send mail out, have a look at /var/log/maillog for details.
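The main.cf block above relies on the legacy smtp_use_tls / smtp_tls_enforce_peername parameters, and with smtp_tls_enforce_peername = no the relay will accept any certificate the server at smtp.gmail.com presents, so the Gmail password in sasl_passwd is only as safe as the network path. The following shell script is an added example, not part of the original post: it audits a main.cf for the relay-TLS settings that decide whether the relay host's certificate is verified, checks that sasl_passwd is not world-readable, and contrasts the guide's settings with a hardened copy that uses smtp_tls_security_level = secure (a real Postfix parameter, available since Postfix 2.3, which supersedes the legacy ones) and the Fedora system CA bundle. The sample configuration files, temp paths and the sasl_passwd contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit Postfix relay-TLS settings
# and sasl_passwd permissions. Sample configs and paths are constructed here.

# Print the last value assigned to parameter $2 in the main.cf-style file $1.
cf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if the relay host's certificate will be verified, 1 otherwise,
# printing one FINDING line per weakness found.
audit_relay_tls() {
    cf="$1"; rc=0
    level=$(cf_get "$cf" smtp_tls_security_level)
    if [ -z "$level" ]; then
        # Legacy mode: smtp_enforce_tls + smtp_tls_enforce_peername together
        # are what Postfix maps to the "secure" level.
        if [ "$(cf_get "$cf" smtp_enforce_tls)" != "yes" ]; then
            echo "FINDING: smtp_enforce_tls is not 'yes'; TLS is only opportunistic"; rc=1
        fi
        if [ "$(cf_get "$cf" smtp_tls_enforce_peername)" != "yes" ]; then
            echo "FINDING: smtp_tls_enforce_peername is not 'yes'; any certificate is accepted"; rc=1
        fi
    else
        case "$level" in
            verify|secure) ;;
            *) echo "FINDING: smtp_tls_security_level = $level; relay certificate is not verified"; rc=1 ;;
        esac
    fi
    if [ -z "$(cf_get "$cf" smtp_tls_CAfile)" ] && [ -z "$(cf_get "$cf" smtp_tls_CApath)" ]; then
        echo "FINDING: no smtp_tls_CAfile or smtp_tls_CApath; nothing to verify against"; rc=1
    fi
    return $rc
}

# Return 0 if the credentials file is not readable by "other", 1 otherwise.
audit_sasl_passwd() {
    f="$1"
    mode=$(stat -c %a "$f")          # GNU stat (Fedora); e.g. 640
    case "$mode" in
        *[1-7]) echo "FINDING: $f has mode $mode (world-accessible); use chmod 0600"; return 1 ;;
    esac
    return 0
}

# The TLS-relevant relay lines from the guide (constructed copy).
write_guide_config() {
    cat > "$1" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_enforce_peername = no
smtp_tls_CAfile = /etc/pki_jungle/myCA/certs/ThawtePersonalPremiumCA.pem
EOF
}

# The same relay with certificate and hostname verification enforced
# (assumed hardening; ca-bundle.crt is the Fedora system trust store).
write_hardened_config() {
    cat > "$1" <<'EOF'
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
EOF
}

main() {
    tmp=$(mktemp -d)
    write_guide_config "$tmp/guide.cf"
    write_hardened_config "$tmp/hardened.cf"
    echo "== guide settings =="
    audit_relay_tls "$tmp/guide.cf" || true
    echo "== hardened settings =="
    audit_relay_tls "$tmp/hardened.cf" && echo "OK: relay certificate and hostname are verified"
    # Constructed credentials file, first left world-readable, then fixed.
    printf '[smtp.gmail.com]:587 user@gmail.com:password\n' > "$tmp/sasl_passwd"
    chmod 0644 "$tmp/sasl_passwd"
    audit_sasl_passwd "$tmp/sasl_passwd" || true
    chmod 0600 "$tmp/sasl_passwd"
    audit_sasl_passwd "$tmp/sasl_passwd" && echo "OK: sasl_passwd is private"
    rm -rf "$tmp"
}
main
```

Run it against your real files with audit_relay_tls /etc/postfix/main.cf and audit_sasl_passwd /etc/postfix/sasl_passwd after sourcing the script. Note that once smtp_tls_security_level is set, Postfix ignores smtp_use_tls and smtp_tls_enforce_peername entirely, which is why the audit only consults the legacy parameters when the new one is absent.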
