Howto configure Centos 5 + sendmail as a simple SMTP relay for Gmail

Discussion in 'Server Operation' started by peterpallesen, Jul 12, 2011.

  1. peterpallesen

    peterpallesen New Member

    If you use your own domain with gmail some mail clients display your email address as "[email protected] on behalf of [email protected]". To avoid this Google allow you to use your own sendmail to relay outgoing mail. The longer explanation is here

    I have a VPS server with plain Centos 5.5 - the basic install, including sendmail and saslauth that I'd like to use for this purpose.

    There's a lot of howtos explaining howto setup a fully fledged mail system with dovecot or whatever, but I just need the most basic sendmail for this purpose.

    I've set everything up and sendmail is now listening on the various optional ports:

    Code:
    # netstat -ptan | grep sendmail
    tcp        0      0 0.0.0.0:587                 0.0.0.0:*                   LISTEN      12270/sendmail: acc
    tcp        0      0 0.0.0.0:465                 0.0.0.0:*                   LISTEN      12270/sendmail: acc
    tcp        0      0 0.0.0.0:25                  0.0.0.0:*                   LISTEN      12270/sendmail: acc
    


    I'm pretty sure everything is setup right, including certificates (how can I verify they are ok?). I've created a standard Linux user (useradd) for authentication - that ought to work with PAM right? So why can't I authenticate with this user?

    Code:
    # grep -v ^dnl /etc/mail/sendmail.mc
    divert(-1)dnl
    include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
    VERSIONID(`setup for linux')dnl
    OSTYPE(`linux')dnl
    define(`confLOG_LEVEL', `90')dnl
    define(`confDEF_USER_ID', ``8:12'')dnl
    define(`confTO_CONNECT', `1m')dnl
    define(`confTRY_NULL_MX_LIST', `True')dnl
    define(`confDONT_PROBE_INTERFACES', `True')dnl
    define(`PROCMAIL_MAILER_PATH', `/usr/bin/procmail')dnl
    define(`ALIAS_FILE', `/etc/aliases')dnl
    define(`STATUS_FILE', `/var/log/mail/statistics')dnl
    define(`UUCP_MAILER_MAX', `2000000')dnl
    define(`confUSERDB_SPEC', `/etc/mail/userdb.db')dnl
    define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
    define(`confAUTH_OPTIONS', `A p')dnl
    TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
    define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
    define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
    define(`confSERVER_CERT', `/etc/pki/tls/certs/sendmail.pem')dnl
    define(`confSERVER_KEY', `/etc/pki/tls/certs/sendmail.pem')dnl
    define(`confTO_IDENT', `0')dnl
    FEATURE(`no_default_msa', `dnl')dnl
    FEATURE(`smrsh', `/usr/sbin/smrsh')dnl
    FEATURE(`mailertable', `hash -o /etc/mail/mailertable.db')dnl
    FEATURE(`virtusertable', `hash -o /etc/mail/virtusertable.db')dnl
    FEATURE(redirect)dnl
    FEATURE(always_add_domain)dnl
    FEATURE(use_cw_file)dnl
    FEATURE(use_ct_file)dnl
    FEATURE(local_procmail, `', `procmail -t -Y -a $h -d $u')dnl
    FEATURE(`access_db', `hash -T<TMPF> -o /etc/mail/access.db')dnl
    FEATURE(`blacklist_recipients')dnl
    EXPOSED_USER(`root')dnl
    DAEMON_OPTIONS(`Port=smtp,Name=MTA')dnl
    DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
    DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl
    FEATURE(`accept_unresolvable_domains')dnl
    LOCAL_DOMAIN(`localhost.localdomain')dnl
    MAILER(smtp)dnl
    MAILER(procmail)dnl
    
    But when I add my server to Gmail they say: "We are having trouble authenticating with your other mail service. Please try a different port or connection option. If you continue to experience difficulties, please contact your other email provider for further instructions.", and when I look in the logfile I get following:

    Code:
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-vpsxxx.xxx.net Hello mail-vw0-f44.google.com [209.85.212.44], pleased to meet you
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-ENHANCEDSTATUSCODES
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-PIPELINING
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-8BITMIME
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-SIZE
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-DSN
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-AUTH EXTERNAL
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250-DELIVERBY
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 250 HELP
    Jul 12 07:23:02 localhost sendmail[30074]: STARTTLS=read, info: fds=7/4, err=2
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: <-- QUIT
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: --- 221 2.0.0 vpsxxx.xxx.net closing connection
    Jul 12 07:23:02 localhost sendmail[30074]: STARTTLS=server, SSL_shutdown not done
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: in background, pid=30074
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: mail-vw0-f44.google.com [209.85.212.44] did not issue MAIL/EXPN/VRFY/ETRN during connection to MSA
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: dropenvelope, e_flags=0x4001, OpMode=d, pid=30074
    Jul 12 07:23:02 localhost sendmail[30074]: p6C7N2qv030074: unlock
    Jul 12 07:23:02 localhost sendmail[30074]: NOQUEUE: finis, pid=30074
    
    Any idea what I'm doing wrong here?

    I mean, obviously there's a problem with that STARTTLS thing, but what? It is certainly supported by the server:

    Code:
    # telnet localhost 25
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 vpsxxx.xxx.net ESMTP Sendmail 8.13.8/8.13.8; Tue, 12 Jul 2011 09:57:12 GMT
    ehlo there
    250-vpsxxx.xxx.net Hello localhost.localdomain [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-STARTTLS
    250-DELIVERBY
    250 HELP
    
    
     
    Last edited: Jul 12, 2011
  2. peterpallesen

    peterpallesen New Member

    Oh well. At least I'm not the only one who don't know ... :eek:
     
  3. falko

    falko Super Moderator Howtoforge Staff

    The problem is that you use Sendmail which is really hard to configure - you need to be a real expert to do this. It is years ago that I last worked with Sendmail (using Postfix instead).
     
  4. peterpallesen

    peterpallesen New Member

    Hm, actually I'm quite comfortable with Sendmail (even if I hit a snag this time) but unfamiliar with Postfix. Any howto you can recommend with Postfix proving this solution? Any searches for Postfix and Gmail comes up with a stack of solutions for the opposite problem (using gmail's smtp servers to relay mail).
     
  5. peterpallesen

    peterpallesen New Member

    Ok, so I removed sendmail and installed postfix, that was easy enough, but didn't bring me any further than before.

    The thing is, as I explained in the first post, this is supposed to be an outgoing relay for Gmail only, in order to get rid of the "send on behalf of" annoyance in Gmail. Many howto's discuss how to setup postfix with dovecot or cyrus-imap, but as there will not be any incoming mail to this server I don't want to have this unnecessary software installed.

    I have cyrus-sasl installed and it is (default) configured to use pam. This is fine with me as pam is supposed to be able to handle authentication through /etc/password (/etc/shadow) - but I can't find anywhere explaining how to configure this to work.
     
  6. falko

    falko Super Moderator Howtoforge Staff

  7. peterpallesen

    peterpallesen New Member

    Thanks but that again address the opposite of what I need.

    This explains how to relay your own mail through Google's smtp server.

    I want to route Gmail through my own server as explained in my first post.
     
  8. peterpallesen

    peterpallesen New Member

    I'm still trying to setup this mailserver to act as a mail relay for Gmail.

    There must be at least 10,000 howto's on the internet explaining how to relay your outgoing mail through gmail. I can see how this could be handy for those with a Linux on a PC with dynamic IP where they need a "real" smtp server to relay the outgoing mail, but I have the opposite problem. I want to avoid Gmails "sent on behalf of" which frankly is lame, and relay my outgoing mail through my vps server.

    I changed to postfix as recommended, as I was advised that sendmail was too complicated, but I frankly don't see postfix being any less complicated than sendmail.

    I have both setup as simple mail servers, able to handle outgoing mail originating on the server (i.e. through web forms etc) and it is correctly blocking relaying of mail that shouldn't be relayed.

    What I need is a simple howto explaining how to configure standard saslauth (using the standard cyrus saslauth as it comes with Centos) so that I can relay my gmail through my own smtp server.

    There are bits and pieces everywhere but it's like trying to watch a large painting through a toilet paper roll.
     
  9. peterpallesen

    peterpallesen New Member

    Here is one that seems to make an attempt.

    It appears to be from 2004.

    19 pages, with arrows, highlights, boxes, cross-references and written by a German (I don't have a problem with Germans but they tend to be a tad verbose and this one is certainly no exception)

    The first 9 pages goes with small talk about why we want to do this, and how to compile sendmail and saslauth from scratch. Have these guys not heard of yum?

    Finally on page 11 we start getting a little meat - http://postfix.state-of-mind.de/patrick.koetter/smtpauth/postfix_configuration.html - but check it out, endless yatter with multicolored boxes adding to the confusion.

    How about just explaining in simple text what you need to add to which files and then let that be it?
     
  10. peterpallesen

    peterpallesen New Member

    Here's another, slightly better one: http://thomer.com/howtos/postfix_sasl.html. It's only from 2009 but alas, was made for Debian.

    But, alas, it doesn't work either. For a start it doesn't even listen on port 587 (TLS).
     
  11. falko

    falko Super Moderator Howtoforge Staff

    I've added this to my To-Do list, so I might try to write a tutorial about this topic.
     
  12. peterpallesen

    peterpallesen New Member

    Sounds good. Looking forward to that. I feel a little lost here.
     

Share This Page