Gentoo Forums
[Solved] Allow Postfix to send email to Gmail
solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Mon Sep 03, 2018 11:22 pm    Post subject: [Solved] Allow Postfix to send email to Gmail

When I send an email from my gentoo box to my Gmail account, I get the following error message.
Code:
Sep  3 13:45:51 gentoo postfix/smtp[31886]: 8E2871E0798: to=<MY_GOOGLE_ID@gmail.com>, relay=alt1.gmail-smtp-
in.l.google.com[209.85.200.26]:25, delay=11, delays=0.25/0.01/5.7/5.2, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-
in.l.google.com[209.85.200.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0
authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0
https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. b79-v6si8427017itb.103 -
gsmtp (in reply to end of DATA command))


Google doesn't want any random person off the street to send email to their users, so I guess I need to somehow prove I am indeed who I say I am. I couldn't quite understand what I was supposed to do even after reading the instructions multiple times.

My gentoo box gets its dynamic IP from the internet service provider, and I use https://www.noip.com/ to map the dynamic IP to something easier to remember.

Not sure if it's relevant or not, but I can send email from my Gmail account to my gentoo box. And if I reply, the mail does get delivered to Gmail; it's just the new emails from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions.
__
sol


Last edited by solamour on Wed Sep 05, 2018 6:34 am; edited 1 time in total

Jaglover
Watchman

Joined: 29 May 2005
Posts: 6958
Location: Saint Amant, Acadiana

Posted: Mon Sep 03, 2018 11:59 pm

Use your ISP mail server as a relay.
_________________
Please learn how to denote units correctly!

solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Tue Sep 04, 2018 12:08 am

Jaglover wrote:
Use your ISP mail server as a relay.


That was exactly what I've been doing, because it was the least complicated method. But then, the ISP changed the policy and asked $5/month for the email service. Being the cheapskate that I am, I didn't take the offer.
__
sol


Last edited by solamour on Tue Sep 04, 2018 1:11 am; edited 1 time in total

Jaglover
Watchman

Joined: 29 May 2005
Posts: 6958
Location: Saint Amant, Acadiana

Posted: Tue Sep 04, 2018 12:46 am

Well, I'm guessing they won't set up a reverse MX record for you, either.
_________________
Please learn how to denote units correctly!

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Tue Sep 04, 2018 10:46 am

solamour ...

what are you using as the MTA on "gentoo box"? It's trivial to have the MTA authenticate with the relay via SASL. With postfix you would use 'sender_dependent_relayhost_maps', 'smtp_sasl_auth_enable', 'smtp_tls_policy_maps', and 'smtp_sasl_password_maps'. So, for example:

/etc/postfix/main.cf:
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_host
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = /etc/ssl/certs

/etc/postfix/tls_policy:
# keys must match the next-hop exactly as written in relay_host (brackets and port included)
[mail.foo.org]:587 encrypt
[smtp.gmail.com]:587 encrypt

/etc/postfix/saslpass:
solamour@foo.org solamour@foo.org:password123
solamour@gmail.com solamour@gmail.com:password123

/etc/postfix/relay_host:
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587

If your mail client is sending mail from solamour@foo.org it will be relayed to mail.foo.org, if solamour@gmail.com it will be relayed via mail.google.com ... both of which will authenticate via SASL.

EDIT: corrected tls_policy attribution.

HTH & best ... khay


Last edited by khayyam on Tue Sep 04, 2018 9:37 pm; edited 1 time in total
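
A consistency check for the three lookup tables in the post above, as an added example that is not part of khayyam's post: it flags relay_host next-hops whose tls_policy key does not match verbatim or does not enforce TLS, and senders with no saslpass entry. The sample tables are constructed, and `parse_table` and `lint` are hypothetical helper names.

```python
# Added example (not from the thread): lint sender-dependent relay tables.
# Constructed sample tables; hosts mirror the post, secrets are placeholders.
RELAY_HOST = """\
solamour@foo.org   [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587
"""
TLS_POLICY = """\
# key lacks the brackets used in relay_host, so the lookup never matches it
mail.foo.org:587      encrypt
[smtp.gmail.com]:587  may
"""
SASLPASS = """\
solamour@foo.org solamour@foo.org:PLACEHOLDER
"""
# Policy levels that refuse to deliver (and so to send AUTH) without TLS.
ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_table(text):
    """Parse 'key value' lines; '#' starts a comment, leading space continues a line."""
    entries, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            entries[last] += " " + raw.strip()
            continue
        parts = raw.split(None, 1)
        last = parts[0]
        entries[last] = parts[1].strip() if len(parts) > 1 else ""
    return entries

def lint(relay_text, tls_text, sasl_text):
    """Return (sender, problem) pairs for next-hops lacking enforced TLS or credentials."""
    relay, tls, sasl = (parse_table(t) for t in (relay_text, tls_text, sasl_text))
    findings = []
    for sender, nexthop in relay.items():
        policy = tls.get(nexthop)  # key is the next-hop verbatim, brackets and port included
        level = (policy.split() or ["none"])[0] if policy is not None else None
        if level is None:
            bare = nexthop.replace("[", "").replace("]", "")
            hint = " (unbracketed key %r will not match)" % bare if bare in tls else ""
            findings.append((sender, "no TLS policy for %s%s" % (nexthop, hint)))
        elif level not in ENFORCING:
            findings.append((sender, "TLS level %r for %s is not enforced" % (level, nexthop)))
        # with smtp_sender_dependent_authentication the lookup is by sender, then by next-hop
        if sender not in sasl and nexthop not in sasl:
            findings.append((sender, "no SASL credential for sender or %s" % nexthop))
    return findings

if __name__ == "__main__":
    for sender, problem in lint(RELAY_HOST, TLS_POLICY, SASLPASS):
        print("%-20s %s" % (sender, problem))
```

With `smtp_sasl_security_options = noanonymous` plaintext mechanisms stay allowed, so a next-hop without an enforced TLS level is where the relay password can cross the wire unencrypted.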

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1717

Posted: Tue Sep 04, 2018 6:26 pm

Sending mail from my postfix to google "Just works" ™

Something tells me you're doing something nasty there, like spoofing sender's address. You can't just use random MTAs as relays anymore, administrators already know that spammers will abuse open relays, and developers hard-code "sane defaults" that will block all email unless one of the below is the case:
- The message comes from a foreign domain and is addressed to a domain served by this MTA (AKA receiving email).
- User is authenticated and owns FROM address (AKA sending email).
- Email comes from an otherwise trusted source / whitelisted IP (Mail relay)

If neither of those applies, any reasonably configured email server will reject that message to limit the amount of spam.
This message:
Quote:
This message does not have authentication information

screams DON'T SEND EMAIL FROM A DOMAIN OWNED BY _ME_

Bonus point: email servers tend to check if sender's IP address matches sender's domain, and often reject mail unless sender's domain's DNS server confirms you're allowed to send that mail.

Marlo
Veteran

Joined: 26 Jul 2003
Posts: 1407

Posted: Tue Sep 04, 2018 8:16 pm    Post subject: Re: Q: Allow postfix to send email to Gmail

solamour wrote:
... it's just the new emails from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions.


Your mail client is considered unsafe by Gmail. Your normal password will not be accepted.
You'll need to get an App password from Gmail. --> https://support.google.com/mail/answer/185833?hl=en

greetings
Ma.
_________________
Thank you for your attention, interest and support.
------------------------------------------------------------------
http://radio.garden/

solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Tue Sep 04, 2018 8:20 pm

khayyam wrote:

/etc/postfix/relay_host:
mail.foo.org:587 encrypt
smtp.gmail.com:587 encrypt

/etc/postfix/relay_host:
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587



That must be copy/paste gone awry, no?
__
sol

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Tue Sep 04, 2018 9:34 pm

khayyam wrote:
/etc/postfix/relay_host:
mail.foo.org:587 encrypt
smtp.gmail.com:587 encrypt

/etc/postfix/relay_host:
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587

solamour wrote:
That must be copy/paste gone awry, no?

solamour ... a typo, the first should be '/etc/postfix/tls_policy' (corrected above).

best ... khay

solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Wed Sep 05, 2018 6:34 am

After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account. It most likely is a smart idea to enable Google's 2-Step Verification and use the App Password (which will be used by Postfix only), but that didn't seem necessary. Or I already tried once, so perhaps Google knew my gentoo box and didn't ask again.

Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me.

I also found out that https://www.noip.com/ does provide SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), so I could have avoided all this trouble, but those are for the paying customers only. It might be well worth it for some people, but it's certainly way beyond what I need.

I ended up with the free service from https://sendgrid.com/. No particular reason other than their ample documentation and videos.

Code:

[/etc/postfix/main.cf]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
header_size_limit = 4096000
relayhost = [smtp.sendgrid.net]:465

[/etc/postfix/saslpass]
[smtp.sendgrid.net]:465 apikey:MY_SENDGRID_API_KEY


Thank you everyone for taking the time to share your suggestions. Much appreciated.
__
sol

khayyam
Watchman

Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

Posted: Wed Sep 05, 2018 1:35 pm

solamour wrote:
After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account.[...] Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me.

solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood.

best ... khay

solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Wed Sep 05, 2018 5:22 pm

khayyam wrote:
solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood.


I just re-read what I wrote, and I can certainly see I could have worded it differently to avoid confusion.

It's true that everyone should be able to send email to my Gmail account without authentication, and that should include the email from my gentoo box. But when I tried sending email from my gentoo box (with no relaying whatsoever), I received the following error message.

Code:
This message does not have authentication information or fails to pass 421-4.7.0
authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked.


It looks like Gmail is trying to filter out spam, so it allows emails from only verified (or at least, verifiable) sources. My gentoo box gets its dynamic IP from the ISP, so it might not be considered as legit unless I configure SPF or DKIM.

The way I got around it until recently was to use my ISP's SMTP, but then the ISP started asking for additional charges, so my search began. Using Gmail's SMTP did work, but all the mails from my gentoo box were marked as "from: solamour@gmail.com". When I switched to a different SMTP provider, all looked well.

Anyhow, I learned a few things that I didn't know before, and I thank everyone for taking time to respond.
__
sol


Last edited by solamour on Wed Sep 05, 2018 9:03 pm; edited 1 time in total

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1717

Posted: Wed Sep 05, 2018 6:45 pm

If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?
Why not send them directly to the recipient's email server?

solamour
l33t

Joined: 21 Dec 2004
Posts: 623
Location: San Diego, CA

Posted: Wed Sep 05, 2018 9:10 pm

szatox wrote:
If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?
Why not send them directly to the recipient's email server?


I do want to send email from me@my-dynamic-ip.net to solamour@gmail.com. If I send it directly, Gmail doesn't accept it. If I use Gmail's SMTP, the mail is "from: solamour@gmail.com" instead of "from: me@my-dynamic-ip.net". I'd still consider Gmail's SMTP option if I can somehow make the mail "from: me@my-dynamic-ip.net".
__
sol


Last edited by solamour on Wed Sep 05, 2018 11:15 pm; edited 1 time in total

Ant P.
Watchman

Joined: 18 Apr 2009
Posts: 5592

Posted: Wed Sep 05, 2018 10:58 pm

You might want to consider switching dyndns providers to freedns.afraid.org, which lets you use SPF for free (it's a single TXT record, charging for that is pure profiteering).

szatox
Veteran

Joined: 27 Aug 2013
Posts: 1717

Posted: Thu Sep 06, 2018 6:27 pm

Considering you have a dynamic IP, SPF is not the best idea.
However, you can still use DKIM (also a TXT record in DNS) and you can check your PTR after connecting to the internet and set the result as MTA's hostname.
Many servers check if your reverse DNS matches your machine name, and many servers will accept email if either SPF or DKIM check succeeds.
Obviously, the best way would be to get a cheap VPS with a static IP and a way to define PTR by yourself. I wouldn't be surprised if dynamic IP pools were simply banned due to (possibly) common abuse by malware running on millions of windows machines, routers and even fridges and smart TVs.

Logging in to your account negates that ban -> you use account's reputation instead of IP reputation at this point.
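
The SPF trade-off raised in the last two posts, as an added example that is not part of either post: a receiver-side evaluation of the `ip4`/`ip6`/`all` terms of an SPF record, run for the same host before and after its address changes. The records and addresses are constructed (documentation range), and `spf_ip_check` and `lease_change` are hypothetical helper names.

```python
# Added example (not from the thread): a pinned SPF record versus a dynamic IP.
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_ip_check(record, client_ip):
    """Evaluate the ip4/ip6/all terms of one SPF record left to right (RFC 7208 order).

    Terms that need DNS (a, mx, include, ...) raise ValueError rather than being guessed.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULT else ("+", term)
        name, _, arg = mech.lower().partition(":")
        if name == "all":
            return RESULT[qualifier]
        if name not in ("ip4", "ip6") or not arg:
            raise ValueError("term not handled offline: " + term)
        net = ipaddress.ip_network(arg, strict=False)
        if net.version == ip.version and ip in net:
            return RESULT[qualifier]
    return "neutral"  # no term matched and the record has no 'all'

def lease_change(record, old_ip, new_ip):
    """SPF result for the same host before and after the ISP hands out a new address."""
    return spf_ip_check(record, old_ip), spf_ip_check(record, new_ip)

# Constructed records for a domain such as my-dynamic-ip.net.
PINNED = "v=spf1 ip4:203.0.113.17 -all"   # authorises only the address held when published
POOL = "v=spf1 ip4:203.0.113.0/24 ~all"   # survives a renewal, but authorises the whole pool

if __name__ == "__main__":
    for label, rec in (("pinned", PINNED), ("pool", POOL)):
        print(label, lease_change(rec, "203.0.113.17", "203.0.113.80"))
    # any other host in the same pool also passes the wide record
    print("neighbour", spf_ip_check(POOL, "203.0.113.200"))
```

The pinned record turns into a hard fail as soon as the lease changes unless the TXT record is updated together with the A record, while the pool-wide record passes for every host in that range.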

All times are GMT