Configure Postfix to Use Gmail SMTP on CentOS 8

Welcome to our tutorial on how to configure Postfix to use Gmail SMTP on CentOS 8 to relay mails. Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail. Postfix MTA can be configured to relay mails through an external SMTP servers such as Gmail SMTP server for a reliable mail delivery.

Configuring Postfix to Use Gmail SMTP on CentOS 8

Install Postfix on CentOS 8

You can install Postfix by installing the postfix package itself or via the mailutils package which installs along with it.

dnf install postfix

Install SASL on CentOS 8

SASL (Simple Authentication and Security Layer) provides a mechanism of authenticating users using their username and password. The implementation of SASL is provided Cyrus SASL library which can be installed on a CentOS 8 system by running the command below;

dnf install cyrus-sasl-plain 

Install Mail Command on CentOS 8

Mail command on CentOS 8 is provided by mailx package.

dnf install mailx

Configuring Postfix to Use Gmail SMTP Relay

Postfix is now installed with the default configuration. You can view Postfix configuration values using the postconf command;

postconf

To make further configuration changes, edit the main Postfix configuration file, /etc/postfix/main.cf and make any necessary changes as needed.

Set the Postfix Relay server

Postfix can be configured to deliver mails indirectly via a relay host. A relay host can be defined on a Postfix configuration file using the relayhost parameter.

By default, the value of the relayhost parameter is empty. This configures Postfix is to try to deliver mail directly to the Internet, which is usually not desirable.

According to Postfix configuration, different values can be set for the relayhost parameter;

• On an intranet, you can specify your organizational domain name. If your internal DNS uses no MX records, specify the name of the intranet gateway host instead.
• In the case of SMTP or LMTP delivery, specify one or more destinations in the form of a domain name, hostname, hostname:port, [hostname]:port, [hostaddress] or [hostaddress]:port, separated by comma or whitespace. The form [hostname] turns off MX lookups.

In our case, we are setting Postfix relay to Gmail SMTP servers. Hence, open the Postfix main configuration file;

vim /etc/postfix/main.cf

Under the Intranet/Internet section, find the, relayhost =, lines and set its value to Gmail SMTP domain name as shown below;

...
#relayhost = $mydomain
#relayhost = [gateway.my.domain]
#relayhost = [mailserver.isp.tld]
#relayhost = uucphost
#relayhost = [an.ip.add.ress]
relayhost = [smtp.gmail.com]:587

Configure Postfix SASL Authentication

According to Postfix:

• SMTP servers need to decide whether an SMTP client is authorized to send mail to remote destinations, or only to destinations that the server itself is responsible for.
• Usually, SMTP servers accept mail to remote destinations when the client’s IP address is in the “same network” as the server’s IP address.
• SMTP clients outside the SMTP server’s network need a different way to get “same network” privileges. To address this need, Postfix supports SASL authentication. With this, a remote SMTP client can authenticate to the Postfix SMTP server, and the Postfix SMTP client can authenticate to a remote SMTP server.
• Once a client is authenticated, a server can give it “same network” privileges.

To enable SASL server authentication, you need to;

• Enable SMTP client-side authentication by setting the value of smtp_sasl_auth_enable to yes.
  
  smtp_sasl_auth_enable = yes
  
• Configure the Postfix SMTP client to send username and password information to the mail gateway server. This can be done by defining the path to sasl_passwd as using the smtp_sasl_password_maps parameter.
  
  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
  
• Enforce STARTTLS encryption for outgoing SMTP to ensure that connection to the remote smtp server will be encrypted using the smtp_tls_security_level parameter.
  
  smtp_tls_security_level = encrypt
  
• Define the Postfix SMTP client SASL security options. This be zero or more of the following options;
  • noplaintext: Disallow methods that use plaintext passwords.
  • noactive: Disallow methods subject to active (non-dictionary) attack.
  • nodictionary: Disallow methods subject to passive (dictionary) attack.
  • noanonymous: Disallow methods that allow anonymous authentication.
  • mutual_auth: Only allow methods that provide mutual authentication.
    
    smtp_sasl_security_options = noanonymous

These configs can be updated on Postfix configuration file (See the highlighted lines);

...
relayhost = [smtp.gmail.com]:587
...
#
...
# SASL authentication
# change may to encrypt.
smtp_tls_security_level = encrypt
meta_directory = /etc/postfix
shlib_directory = /usr/lib64/postfix
# Added these lines
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Save and exit the configurtion file.

Set the SMTP SASL Credentials

As per our configurations above, the SASL credentials database file is set to /etc/postfix/sasl_passwd.

You should define the SMTP credentials in the format;

# destination                   credentials
[smtp.domain.name]              username:password

As shown below;

vim /etc/postfix/sasl_passwd

[smtp.gmail.com]:587 [email protected]:password

Replace the userid@gmail and password with your Gmail account credentials.

Note:

• If you specify the “[” and “]” in the relayhost destination, you must as well use the same format in the smtp_sasl_password_maps file.
• If you specify a non-default TCP Port (such as “:submission” or “:587“) in the relayhost destination, you must as well use the same form in the smtp_sasl_password_maps file.

Secure the SASL Password File

The credentials are set in plaintext. To protect access to the file by other users, make the file read+write only for root.

chown root:root /etc/postfix/sasl_passwd
chmod go-rwx /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd

Create SASL Password DB file

Postfix requires that the sasl_passwd file to be a database such that it can be read faster. Use postmap command to convert the file into a database, sasl_passwd.db.

postmap /etc/postfix/sasl_passwd

This will assign the same ownership and permissions to the database file as set for the sasl_passwd file above.

ls -l /etc/postfix/sasl_passwd*

-rw-------. 1 root root 56 Dec 2 22:02 /etc/postfix/sasl_passwd
-rw-------. 1 root root 12288 Dec 2 22:03 /etc/postfix/sasl_passwd.db

Check Postfix Configuration

Run the postfix check command to check the Postfix configuration for any error. Any error should printed on the output.

postfix check

You can ignore the warning, postfix/postfix-script: warning: symlink leaves directory: /etc/postfix/./makedefs.out.

Start and enable Postfix to run on system boot;

systemctl enable --now  postfix

To check the status;

systemctl status postfix

● postfix.service - Postfix Mail Transport Agent
   Loaded: loaded (/usr/lib/systemd/system/postfix.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-12-02 22:04:20 EAT; 6s ago
  Process: 3653 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
  Process: 3651 ExecStartPre=/usr/libexec/postfix/chroot-update (code=exited, status=0/SUCCESS)
  Process: 3647 ExecStartPre=/usr/libexec/postfix/aliasesdb (code=exited, status=0/SUCCESS)
 Main PID: 3721 (master)
    Tasks: 3 (limit: 5027)
   Memory: 5.6M
   CGroup: /system.slice/postfix.service
           ├─3721 /usr/libexec/postfix/master -w
           ├─3722 pickup -l -t unix -u
           └─3723 qmgr -l -t unix -u

Dec 02 22:04:19 centos8.kifarunix-demo.com systemd[1]: Starting Postfix Mail Transport Agent...
Dec 02 22:04:20 centos8.kifarunix-demo.com postfix/master[3721]: daemon started -- version 3.3.1, configuration /etc/postfix
Dec 02 22:04:20 centos8.kifarunix-demo.com systemd[1]: Started Postfix Mail Transport Agent.

Send a Test Mail to Verify Postfix Gmail SMTP Relay

Once you are done with the configuration, you can try to send a test mail to verify that Gmail SMTP relay works fine. You can use mail client or any other for this purpose.

echo "Test Postfix Gmail SMTP Relay" | mail -s "Postfix Gmail SMTP Relay" [email protected]

You can tail the logs to check the delivery status;

tail /var/log/mail.log

If you get the error;

...status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.133.108] said: 535-5.7.8 Username and Password not accepted.

You need to login to the account you used for the SASL authentication and enable Less secure app access.

NOTE that the use of less secure app access has been deprecated. See how you can use App password as an alternative in the guide below;

Configure Postfix to Use Gmail App Passwords

After that, retry to sent the test mail and check the logs and hurray, our test mail is delivered, status=sent.

...
Dec  2 22:04:56 ceph-admin postfix/qmgr[3723]: 46993C35EAC: from=<[email protected]>, size=513, nrcpt=1 (queue active)
Dec  2 22:05:00 ceph-admin postfix/smtp[3732]: 46993C35EAC: to=<[email protected]>, relay=smtp.gmail.com[108.177.127.109]:587, delay=4, delays=0.47/0.33/2/1.2, dsn=2.0.0, status=sent (250 2.0.0 OK  1606935899 f18sm554842edt.60 - gsmtp)
...

And that is how easy it is to configure Postfix to use Gmail as an SMTP relay host. That marks the end of our guide on how to install and configure Postfix to use Gmail SMTP relay host on CentOS 8.

Read more about Postfix Configuration on;

Postfix Basic Configuration

Related Tutorials

Configure Postfix to Use Gmail SMTP on Ubuntu 20.04

Configure Nagios Email Notification Using Gmail

Configure Sendmail to Use Gmail Relay on Ubuntu 18.04/Debian 10/9

Encrypt Emails using Enigmail on Thunderbird

Configure Postfix to Use Gmail SMTP on Ubuntu 18.04