Birds Like Wires

Fix Postfix for Gmail on Snow Leopard

This is a quick and dirty method for getting Postfix (as built-in on Mac OS X v10.6) to send mail via Gmail.

My little home server is a tweaked Mac mini, but Snow Leopard is the last version of OS X that will work on it without even more hacking around (besides, it’s the best version of OS X Server, IMHO). I had a search around on the web and after combining a few different methods, came up with this to make it work.

Sort out Certificates

Google changed to using Equifax as their certificate signing authority some time ago, but Postfix doesn’t know about them. So, you need to add their certificate (and we’ll add Thawte at the same time, for good measure).

Start by creating a certificates directory:

sudo mkdir /etc/postfix/certs

Jump into it and create a file called Equifax_Secure_CA.pem, then copy the following into it:

Then you need to create the Thawte one as well. Call it Thawte_Premium_Server_CA.pem.

Once that’s done, do this to make sure Postfix can find the certificates:

sudo c_rehash /etc/postfix/certs

Thanks to Steve Jenkins for his blog post regarding the certificates. Foxed me for a while.

That’s the first bit. Now the second bit.

Configure Postfix

Now we need to tell Postfix to use the certificates we just added, as well as your details for Gmail and the location of the mail server. Using your favourite editor, edit /etc/postfix/main.cf. Have a search for relayhost and you’ll find a section called ‘INTERNET OR INTRANET’. Add the following configuration information under the commented-out relayhost entries.

relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_CApath = /etc/postfix/certs

Usernames and Passwords

That’s all well and good, but how does Postfix know how to log in? Well, in this case, it’s a password saved as clear text in a file. Yeah, I know – but in my case I’ve not dug any deeper, as this account is for the server alone and contains nothing interesting at all. If you’re going to do it this way, I recommend the same approach.

Store the username and password in /etc/postfix/sasl_passwd like this:

[smtp.gmail.com]:587 username@gmail.com:password

…and then:

sudo chmod 600 /etc/postfix/sasl_passwd

to add a modicum of security to the deal. At least it’s encrypted as it flies over the internet.

You then need to create the /etc/postfix/sasl_passwd.db password database using this:

sudo postmap /etc/postfix/sasl_passwd
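
A check of the setup so far, as an added example that is not part of the original post: smtp_use_tls = yes only makes TLS opportunistic, and the certificates in smtp_tls_CApath are only enforced once smtp_tls_security_level (Postfix 2.3 and later) is set to verify or secure. The function names and the sample files are constructed for illustration; for a real check, call audit_relay with /etc/postfix/main.cf and /etc/postfix/sasl_passwd as root.

```sh
#!/bin/sh
# Added example (not from the original post): audit a Postfix relay setup.
# Paths are arguments, so it can be run on copies instead of /etc/postfix.

# Print the last value assigned to PARAM in a main.cf-style file.
# Comment lines and indented continuation lines are skipped.
conf_value() {  # usage: conf_value FILE PARAM
    awk -v k="$2" '
        /^[ \t#]/ || !/=/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key) }
        key == k { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val) }
        END { print val }' "$1"
}

# True when FILE grants nothing to group or others (for example mode 600).
owner_only() {  # usage: owner_only FILE
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print one line per finding, nothing when the setup passes.
# Only smtp_tls_security_level is evaluated, not the legacy smtp_enforce_tls.
audit_relay() {  # usage: audit_relay MAIN_CF SASL_PASSWD
    level=$(conf_value "$1" smtp_tls_security_level)
    case "$level" in
        encrypt|fingerprint|verify|secure) ;;
        *) echo "TLS is optional (level '${level:-unset}'): mail is sent unencrypted if STARTTLS is not offered" ;;
    esac
    case "$level" in
        fingerprint|verify|secure) ;;
        *) echo "certificate not enforced (level '${level:-unset}'): an untrusted server certificate does not stop delivery" ;;
    esac
    for f in "$2" "$2.db"; do
        [ -e "$f" ] || continue
        owner_only "$f" || echo "credentials readable beyond the owner: $f"
    done
    return 0
}

# Constructed sample: settings from the post and a world-readable password file.
demo=$(mktemp -d /tmp/relay-audit.XXXXXX)
printf '%s\n' 'relayhost = [smtp.gmail.com]:587' 'smtp_use_tls = yes' \
    'smtp_tls_CApath = /etc/postfix/certs' > "$demo/main.cf"
echo '[smtp.gmail.com]:587 username@gmail.com:password' > "$demo/sasl_passwd"
chmod 644 "$demo/sasl_passwd"
audit_relay "$demo/main.cf" "$demo/sasl_passwd"
rm -rf "$demo"
```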

Using It

First of all, make sure Postfix has re-read all the changes.

sudo launchctl stop org.postfix.master
sudo launchctl start org.postfix.master

Then you should try a test email. Something like this should work:

ls -1 | mail -s "Subject" destination@somewhere.com -f username@gmail.com

That would send a listing of the current directory to destination@somewhere.com. Just make sure that the address you put after the -f switch is one that’s allowed to send mail with your Gmail account, otherwise not very much will happen.

If you encounter troubles, check the logfile:

tail /var/log/mail.log

Now you should be all set to email from the command line!

Footnote

Annoyingly, as I have just discovered, you may get the following error:

“The IP you’re using to send mail is not authorized”

This would appear to be the risk you take having a dynamic IP address as I do. The allocation of addresses by your ISP may not have permission to send mail through Gmail’s servers in this way. I don’t entirely understand it, as I can certainly send mail via Mail.app. I shall be on the lookout for a solution.
