Configuring Ubuntu 11.04 To Send Mail via Google Apps
Bear Giles | May 10, 2011

Like many people I’ve abandoned running my own mail servers due to the sheer volume of spam and malware. Google Apps provides a nice solution – to the rest of the world I’m still running my own servers but Google deals with the spam, the sender authentication records, etc.
Aside: I can’t say too many good things about Google Apps. It is free for fewer than 10 users (according to a recent email) and for educational institutions, and only $50/user/year for the business version. You aren’t even forced to use the webmail interface – it supports both IMAP and POP, so you can use a traditional standalone mail application like Thunderbird or Evolution.
One big downside is that locally generated mail tended to get lost. I think of it as a jurisdictional issue – my mail server knows my domain and doesn’t think it needs to send the mail to another system. It handles my domain! There’s probably a simple solution to this but I’ve never taken the time to search for it.
Fortunately it’s easy with Ubuntu 11.04.
- Install postfix if it isn’t installed. When prompted for the configuration type, choose the ‘Satellite system’ option.
- Edit /etc/postfix/main.cf and add the following lines:
```
# comment out the following line - we want all mail to be forwarded
#mydestination = domain, hostname, localhost.localdomain, etc.
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_mechanism_filter = login
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_use_tls = yes
# the next few items force the use of TLS encryption on outbound email
smtp_tls_per_site = hash:/etc/postfix/tls_per_site
# this will allow postfix to talk to any site Firefox recognizes
#smtp_tls_CApath = /usr/share/ca-certificates/mozilla
# this is much more restrictive - it will recognize GA/gmail.
smtp_tls_CAfile = /usr/share/ca-certificates/mozilla/Equifax
```
- Create the /etc/postfix/sasl_passwd file and add your GA (or gmail) credentials. IMPORTANT: as far as GA (or gmail) is concerned, all of the mail sent from this system comes from you, so you will want to take a different approach if multiple people use this system! Specifically, you’ll want to look at setting up an ‘outbound gateway’ via Google Apps for Business or Education.
```
[smtp.gmail.com]:587 user@mydomain.com:password
```
- Create the /etc/postfix/tls_per_site file and specify that mail sent to GA (or gmail) MUST be encrypted. Using a per-site map (rather than a global policy) lets us apply different policies if we later add explicit ‘transport’ entries for other destinations.
```
[smtp.gmail.com]:587 MUST
```
- Create the hash files and change the permissions on the password files.
```
$ postmap /etc/postfix/sasl_passwd
$ chmod 0640 /etc/postfix/sasl_passwd*
$ postmap /etc/postfix/tls_per_site
```
- Make a small change in /etc/postfix/master.cf around line 36: set the chroot column (the fifth field) of the smtp and relay services to n instead of the default -.

```
smtp      unix  -       -       n       -       -       smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
```
- Add yourself to /etc/aliases.
```
# See man 5 aliases for format
postmaster: root
root: user@mydomain.com
```
- Verify that the configuration is okay, rebuild the alias database and restart the server.
```
$ sudo postfix check
$ sudo newaliases
$ sudo service postfix restart
```
Improving Security: Restricting Certificate Authorities
Adding TLS encryption is only half of the problem. We need to make sure that we’re actually talking to GA/gmail. For that we need to verify the GA/gmail certificate – in fact postfix will refuse to deliver the mail if it can’t verify the certificate of the remote system.
This is simple in concept but it requires us to trust the certificate authorities that sign these certificates. Firefox (and Debian/Ubuntu) vet them, but the nature of the current certificate authority architecture means that ANY CA can sign a certificate for ANY server. This means that some obscure CA in Unfreedonia, under government pressure, can sign a certificate for ‘smtp.gmail.com’ and postfix will accept it as long as that CA’s certificate is in the CApath.
We can improve the situation by specifying only the CA certificate that signed GA/gmail’s certificate. We can find it by looking at the postfix logs and with a bit of experimentation. I gave the appropriate CAfile above.
As an aside: we can’t delete the standard CAs in either Firefox or Chrome, but we can remove their permissions and so greatly reduce the number of CAs we trust. I blogged about this a few months ago.
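As an added example (not part of the original post), here is a small auditor for the relay configuration built up in the steps above and hardened in this section. It parses main.cf-style text and the tls_per_site map and reports settings that would weaken the relay: a mistyped or missing noanonymous SASL option, TLS not forced for the relayhost, or a broad smtp_tls_CApath used instead of a single smtp_tls_CAfile. The sample configuration is constructed inline and deliberately misspells one option so the check has something to catch.

```python
# Added example (not from the original post): audits a postfix relay
# configuration like the one above for weak settings.
import re

# Names postfix accepts in smtp_sasl_security_options (postconf(5)).
SASL_OPTIONS = {"noplaintext", "noactive", "nodictionary",
                "noanonymous", "forward_secrecy", "mutual_auth"}

def parse_kv(text):
    # Parses main.cf ('key = value') or a lookup table source ('key value').
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skip blanks and comments
            m = re.match(r"([^\s=]*)\s*=?\s*(.*)", line)
            entries[m.group(1)] = m.group(2).strip()
    return entries

def audit_relay(conf, per_site):
    """Return findings for the relay settings; an empty list means hardened."""
    findings = []
    relay = conf.get("relayhost", "")
    if conf.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not yes")
    for opt in ("smtp_sasl_security_options", "smtp_sasl_tls_security_options"):
        tokens = {t for t in re.split(r"[,\s]+", conf.get(opt, "")) if t}
        for bad in sorted(tokens - SASL_OPTIONS):  # typos silently weaken policy
            findings.append(f"{opt}: unrecognized option '{bad}'")
        if "noanonymous" not in tokens:
            findings.append(f"{opt} does not include noanonymous")
    if conf.get("smtp_use_tls") != "yes":
        findings.append("smtp_use_tls is not yes")
    if per_site.get(relay) != "MUST":  # relayhost must be keyed exactly as written
        findings.append(f"tls_per_site has no MUST entry for '{relay}'")
    if conf.get("smtp_tls_CApath") and not conf.get("smtp_tls_CAfile"):
        findings.append("smtp_tls_CApath trusts every bundled CA; use smtp_tls_CAfile")
    return findings

# Constructed sample: the post's settings with one deliberately mistyped option.
MAIN_CF = """\
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonyous
smtp_sasl_tls_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CAfile = /usr/share/ca-certificates/mozilla/Equifax
"""
TLS_PER_SITE = "[smtp.gmail.com]:587 MUST\n"

def audit_sample():
    return audit_relay(parse_kv(MAIN_CF), parse_kv(TLS_PER_SITE))
```

Running audit_sample() reports the misspelled option and the resulting missing noanonymous; after correcting it the audit returns an empty list.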