Configure Gmail SMTP Server

From WiDirect

This document describes how to configure the WiClient and WiDirect to use Gmail as an SMTP relay. A Google account is required; creating a dedicated account for the WiDirect or WiClient is recommended. Be sure the Gmail account has SMTP access enabled for remote mail sending.


Install packages

Run the command below to install necessary packages:

sudo yum install 'cyrus-sasl*' openssl openssl-perl mailx

Create CA certificate

su -
cd /etc/pki/tls/misc
./CA.pl -newca

Be very careful to enter the correct values when running the ./CA.pl script; it is not immediately clear how to restart the process if a field is entered incorrectly. Press Enter when asked for the file name. Enter a pass phrase when asked (the pass phrase cannot be blank). The "challenge password" must be blank. You will be prompted for the pass phrase again towards the end of the process. Enter valid information in all the fields, and CA for the common name. The organization used must match the organization used later. Example output:


[root@ip-10-185-46-87 misc]# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
...................................+++
..+++
writing new private key to '/etc/pki/CA/private/cakey.pem'
Enter PEM pass phrase: (Required - Enter some text here)
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Maryland
Locality Name (eg, city) [Default City]:Annapolis
Organization Name (eg, company) [Default Company Ltd]:AllCity Wireless
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:CA
Email Address []:enteremail@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:6f:67:4b:76:27:7c:56
        Validity
            Not Before: Nov 14 14:56:09 2013 GMT
            Not After : Nov 13 14:56:09 2016 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = AllCity Wireless
            commonName                = CA
            emailAddress              = dveasey@allcitywireless.com
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                BC:40:0D:E6:97:99:0B:CB:E3:0E:81:EC:6A:86:3D:C4:1B:60:4C:5C
            X509v3 Authority Key Identifier:
                keyid:BC:40:0D:E6:97:99:0B:CB:E3:0E:81:EC:6A:86:3D:C4:1B:60:4C:5C

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Nov 13 14:56:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Create connection key and certificate

Run the following commands to create a key and certificate to use when connecting to the SMTP server. You may be asked for information while running some of the commands. Most should be the same as what was entered above, but the common name should be updated to be the server's hostname.

 cd /etc/pki/tls
 mkdir gmail_relay
 cd gmail_relay
 openssl genrsa -out server.key 1024
 openssl req -new -key server.key -out server.csr
 openssl ca -out server.pem -infiles server.csr

Enter y when asked to sign the certificate and again when asked to commit it. Example output from the commands above:

[root@ip-10-185-46-87 gmail_relay]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Maryland
Locality Name (eg, city) [Default City]:Annapolis
Organization Name (eg, company) [Default Company Ltd]:AllCity Wireless
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:ec2-54-204-152-94.compute-1.amazonaws.com
Email Address []:enteremailhere@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ip-10-185-46-87 gmail_relay]#
[root@ip-10-185-46-87 gmail_relay]# ls
server.csr  server.key
[root@ip-10-185-46-87 gmail_relay]# openssl ca -out server.pem -infiles server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c4:6f:67:4b:76:27:7c:57
        Validity
            Not Before: Nov 14 15:00:36 2013 GMT
            Not After : Nov 14 15:00:36 2014 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = Maryland
            organizationName          = AllCity Wireless
            commonName                = ec2-54-204-152-94.compute-1.amazonaws.com
            emailAddress              = veasey.awi@gmail.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                CF:EE:72:48:8C:FE:34:D9:55:DD:F2:B9:1F:0E:AE:46:EC:5D:1C:AB
            X509v3 Authority Key Identifier:
                keyid:BC:40:0D:E6:97:99:0B:CB:E3:0E:81:EC:6A:86:3D:C4:1B:60:4C:5C

Certificate is to be certified until Nov 14 15:00:36 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Configure mail relay settings

The following text should be added to the end of the /etc/postfix/main.cf file.


#### GMail SSL SMTP Relay
relayhost = [smtp.gmail.com]:587
#auth
smtp_sasl_auth_enable=yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

#tls
smtp_use_tls = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file=/etc/pki/tls/gmail_relay/server.key
smtp_tls_cert_file=/etc/pki/tls/gmail_relay/server.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert =no
smtp_tls_enforce_peername = no

Edit the "/etc/postfix/sasl_passwd" file and add the following text. Be sure to substitute in the correct username and password.

gmail-smtp.l.google.com user@gmail.com:password
smtp.gmail.com user@gmail.com:password

Run these commands:

chown postfix /etc/postfix
postmap /etc/postfix/sasl_passwd
chmod o-r /etc/postfix/sasl_passwd
chmod o-r /etc/postfix/sasl_passwd.db
chown postfix /etc/postfix/sasl_passwd
chown postfix /etc/postfix/sasl_passwd.db
service postfix reload
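The sasl_passwd file and its postmap .db hold the Gmail password in clear text, so the chmod/chown steps above are what keep it from other local users. The script below is an added example, not part of the WiDirect page: it checks that both files are no longer world-readable and that main.cf carries the relayhost and SASL settings listed above. The directory is a parameter, so the demo at the end runs against a constructed copy under mktemp (placeholder password, no real credentials) rather than /etc/postfix; point `audit_relay` at /etc/postfix to check a live install.

```shell
#!/bin/sh
# Added example, not part of the WiDirect page: audit the relay setup after the
# chown/postmap/chmod steps. Checks that sasl_passwd and its .db are not
# world-readable and that main.cf carries the relayhost and SASL settings from
# the page. The directory is a parameter so the demo runs on a constructed copy.

# Return 0 if "others" cannot read the file, 1 if they can or it is missing.
not_world_readable() {
  [ -e "$1" ] || return 1
  mode=$(ls -ld "$1" | cut -c1-10)      # e.g. -rw-r-----
  case "$mode" in
    ???????r??) return 1 ;;             # 8th character is the other-read bit
    *) return 0 ;;
  esac
}

# Print the value of a Postfix parameter from a main.cf-style file: comment
# lines are skipped, whitespace around '=' is ignored, the last definition wins.
cf_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    index($0, "=") == 0 { next }
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v); val = v
      } }
    END { print val }' "$1"
}

# Audit one config directory: one line per finding, return value = problem count.
audit_relay() {
  dir=$1; cf=$1/main.cf; problems=0
  for f in "$dir/sasl_passwd" "$dir/sasl_passwd.db"; do
    if not_world_readable "$f"; then
      echo "ok: $f is not world-readable"
    else
      echo "PROBLEM: $f is missing or world-readable"; problems=$((problems + 1))
    fi
  done
  [ "$(cf_get "$cf" relayhost)" = "[smtp.gmail.com]:587" ] \
    || { echo "PROBLEM: relayhost is not [smtp.gmail.com]:587"; problems=$((problems + 1)); }
  [ "$(cf_get "$cf" smtp_sasl_auth_enable)" = "yes" ] \
    || { echo "PROBLEM: smtp_sasl_auth_enable is not yes"; problems=$((problems + 1)); }
  case "$(cf_get "$cf" smtp_sasl_security_options)" in
    *noanonymous*) ;;
    *) echo "PROBLEM: smtp_sasl_security_options lacks noanonymous"; problems=$((problems + 1)) ;;
  esac
  # Informational only: with this setting Postfix does not check the relay's certificate name.
  [ "$(cf_get "$cf" smtp_tls_enforce_peername)" = "no" ] \
    && echo "note: smtp_tls_enforce_peername = no, relay certificate name is not verified"
  return $problems
}

# Demo on a constructed copy (placeholder password, no real credentials):
# first with the loose mode an editor may leave behind, then after chmod o-r.
demo_audit() {
  tmp=$(mktemp -d)
  printf 'relayhost = [smtp.gmail.com]:587\nsmtp_sasl_auth_enable=yes\nsmtp_sasl_security_options = noanonymous\n' > "$tmp/main.cf"
  printf 'smtp.gmail.com user@gmail.com:PLACEHOLDER-PASSWORD\n' > "$tmp/sasl_passwd"
  : > "$tmp/sasl_passwd.db"                   # stands in for the postmap output
  chmod 644 "$tmp/sasl_passwd" "$tmp/sasl_passwd.db"
  before=0; audit_relay "$tmp" || before=$?
  chmod o-r "$tmp/sasl_passwd" "$tmp/sasl_passwd.db"
  after=0; audit_relay "$tmp" || after=$?
  rm -rf "$tmp"
  echo "$before $after"                        # problem count before and after chmod o-r
}

demo_audit
```

The mode check reads the `ls -ld` permission string rather than `stat`, whose flags differ between GNU and BSD; the last line of the demo prints `2 0`, the two world-readable files before `chmod o-r` and none afterwards.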


Send test message

Test that emails are sent by running this command, substituting in the correct email address:

echo "Test message" | mail -s "Test message" enteremail@domain.com


View error log

If there are any errors, check the mail log to see what is being reported. This command shows the most recent entries:

tail -n 20 /var/log/maillog
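Reading 20 raw lines is enough for one test message, but a relay that has been running for a while needs a quick way to separate successful deliveries from deferrals and from SASL authentication failures, which is how a wrong sasl_passwd entry or a Gmail account that has not allowed SMTP access shows up in the log. The script below is an added example, not part of the WiDirect page: it summarises a Postfix log by delivery status and lists the queue IDs that failed authentication. The sample log it runs on is constructed (hostnames, addresses and queue IDs are made up); pass /var/log/maillog instead to summarise a live system.

```shell
#!/bin/sh
# Added example, not part of the WiDirect page: summarise Postfix relay log
# lines by delivery status and pick out SASL authentication failures.
# Works on any log file in Postfix's default format, e.g. /var/log/maillog.

# Print "sent=N deferred=N bounced=N authfail=N" for the given log file.
# The authfail pattern is anchored on ": SASL" so the separate "SASL
# authentication failed" line is counted once, not again when the same text
# is repeated inside the "status=deferred (...)" reason.
summarize_maillog() {
  awk '
    /status=sent/                  { sent++ }
    /status=deferred/              { deferred++ }
    /status=bounced/               { bounced++ }
    /: SASL authentication failed/ { authfail++ }
    END { printf "sent=%d deferred=%d bounced=%d authfail=%d\n", sent, deferred, bounced, authfail }
  ' "$1"
}

# Print the Postfix queue IDs that failed SASL auth, one per line, so each
# message can be inspected with "postqueue -p" or "postcat -q <id>".
# Field 6 of a Postfix log line is the queue ID followed by a colon.
sasl_failed_queue_ids() {
  awk '/: SASL authentication failed/ { id = $6; sub(/:$/, "", id); print id }' "$1" | sort -u
}

# Constructed sample log (not real traffic): one delivery, one SASL failure
# with its deferral line, and one bounce for an unknown recipient.
write_sample_log() {
  cat > "$1" <<'EOF'
Nov 14 15:05:01 relay postfix/smtp[2101]: 3C1A2B0F1: to=<ops@example.net>, relay=smtp.gmail.com[203.0.113.10]:587, delay=1.1, delays=0.05/0.01/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Nov 14 15:06:12 relay postfix/smtp[2102]: 4D2B3C1A2: SASL authentication failed; server smtp.gmail.com[203.0.113.10] said: 535-5.7.8 Username and Password not accepted
Nov 14 15:06:12 relay postfix/smtp[2102]: 4D2B3C1A2: to=<ops@example.net>, relay=smtp.gmail.com[203.0.113.10]:587, delay=0.9, delays=0.02/0.01/0.5/0.4, dsn=4.7.8, status=deferred (SASL authentication failed; server smtp.gmail.com[203.0.113.10] said: 535-5.7.8 Username and Password not accepted)
Nov 14 15:07:30 relay postfix/smtp[2103]: 5E3C4D2B3: to=<nobody@example.net>, relay=smtp.gmail.com[203.0.113.10]:587, delay=1.3, delays=0.05/0.01/0.7/0.5, dsn=5.1.1, status=bounced (host smtp.gmail.com[203.0.113.10] said: 550-5.1.1 The email account that you tried to reach does not exist)
EOF
}

# Run both reports over the constructed sample.
demo_maillog() {
  f=$(mktemp)
  write_sample_log "$f"
  summarize_maillog "$f"
  sasl_failed_queue_ids "$f"
  rm -f "$f"
}

demo_maillog
```

On the sample the summary line is `sent=1 deferred=1 bounced=1 authfail=1` and the single failing queue ID is `4D2B3C1A2`; a deferral whose reason is a SASL failure will be retried until the queue lifetime expires, so fixing the sasl_passwd entry and re-running `postmap` clears it.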


Additional Gmail options

You may need to visit http://www.google.com/accounts/DisplayUnlockCaptcha and login with the Gmail account for the WiDirect/WiClient.


Sources

http://blog.christian-stankowic.de/?p=5317&lang=en

http://carlton.oriley.net/blog/?p=31

http://serverfault.com/questions/240767/postmap-fatal-open-database-etc-postfix-sasl-passwd-db-permission-denied