Sunday, April 14, 2013

Mountain Lion: Getting Postfix to work with outbound Google SMTP authentication

Problem

Recently I upgraded to Mountain Lion, and getting some things like Postfix to work out of the box has been a chore. Normally when you configure Outlook or Thunderbird email, you must provide separate settings for sending and receiving email. Generally you'll see imap.myisp.com for reading mail and smtp.myisp.com for sending. The standard mail port is 25, but with the exploitation of open mail relays and spamming, you'll need to configure some sort of authentication and/or encryption when transmitting your message.

Just for giggles, I tried to send a quick message via the builtin text mail program, and here's what I saw:

$ mail ladiesman@gmail.com
Subject: Testing
blah blah blah
.
EOT


In /var/log/mail.log:

Apr 13 23:53:37 poly.ftrdhcpuser.net postfix/smtp[23687]: connect to alt1.gmail-smtp-in.l.google.com[2607:f8b0:400d:c02::1a]:25: No route to host


This happens because gmail.com has an MX record (MX records specify other machines for mail delivery options):

$ nslookup
> set q=mx
> gmail.com
Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
gmail.com mail exchanger = 5 gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 10 alt1.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 20 alt2.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 30 alt3.gmail-smtp-in.l.google.com.
gmail.com mail exchanger = 40 alt4.gmail-smtp-in.l.google.com.

And Google likely doesn't allow port 25 mail transmission for security purposes, so trying to telnet to port 25 of any of these hosts results in a timeout.

Getting Postfix to Run at Boot

MacOS uses this annoying launchctl tool rather than the old Bourne-shell based /etc/rc system we remember from our UNIX days. It's more powerful and uses noisy XML files. Anyway, to understand the various settings you will want to take a look at the manpage for it via: man 5 launchd.plist.

At any rate, here are the contents of my /System/Library/LaunchDaemons/org.postfix.master.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>Label</key>
        <string>org.postfix.master</string>
        <key>Program</key>
        <string>/usr/libexec/postfix/master</string>
        <key>ProgramArguments</key>
        <array>
                <string>master</string>
        </array>
        <key>QueueDirectories</key>
        <array>
                <string>/Library/Server/Mail/Data/spool</string>
        </array>
        <key>AbandonProcessGroup</key>
        <true/>
        <key>RunAtLoad</key>
        <true/>
</dict>
</plist>


The key components to note here are the removal of the -e 60 that was there in the command-line for Postfix master or Postfix will exit after that specified amount of time and won't continue to deliver email. Also you will want the RunAtLoad setting enabled so that it launches at the time you load the file

$ sudo launchctl load /System/Library/LaunchDaemons/org.postfix.master.plist

Note that there are many examples floating around on the Internet using the OnDemand switch. According to the documentation, this has been deprecated, and I couldn't get it to work right by setting it to false anyway. If you want to dial in the behavior, they have a new KeepAlive switch for that. There are a couple of caveats with this plist file. If you try to stop Postfix using sudo postfix stop, launchctl will re-launch it automatically on your behalf. For fatal configuration problems, this will cause a re-launch loop until you unload the plist file. The problem is that if you relinquish control from launchctl and try to manually start/stop Postfix, you lose the process tracking feature of the tool.

Postfix Settings

Most of the settings that others provided were helpful, but there was one that cost me hours of aggravation. I'm hoping that by providing the correction I may save someone else the same pain. Postconf -n will show you the explicit settings you've put into main.cf. Here are the relevant ones for this problem.

relayhost = smtp.gmail.com:587
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =
smtp_tls_security_level = encrypt
smtp_use_tls = yes

You don't have to use the generic maps, but what this does is give you is the ability to rewrite the from address to be your gmail address. Here's an example I snarfed by searching:

clint@poly.local ladiesman@gmail.com
@poly.local      ladiesman@gmail.com

The sasl_passwd should look like:

smtp.gmail.com ladiesman@gmail.com:<Googlepassword>

Remember to regenerate your databases using sudo postmap <mapfile> after you've edited sasl_passwd or generic.

NOTE: The relayhost specifies port 587, but the sasl_passwd does NOT. This is important. At first I followed all the instructions online saying that it needs to match exactly what you put in the relayhost. This is WRONG. Postfix refused to use SASL authentication until I tried this. I had stmp.gmail.com:587. I also tried using square brackets around the hostname to avoid MX lookups. I was up until 3am trying to debug this.

Also bear in mind that if you have enabled 2-step verification, you will need to use an application-specific password rather than your regular Google password.

Credits

Thanks to the following articles which helped me along this journey:

http://slashusr.wordpress.com/2012/02/14/enabling-postfix-for-outbound-relay-via-gmail-on-os-x-lion-11/
http://benjaminrojas.net/configuring-postfix-to-send-mail-from-mac-os-x-mountain-lion/

Feedback


Please leave a comment if you have any feedback, thanks...

9 comments:

  1. This does not do anything for 10.8 Server, with gmail account as explained.
    mail() still not sending anything.
    same error "No route to host"

    ReplyDelete
  2. Thanks, I was keeping searching, I always add auth error because I let the "<" in the passwd and the port number! Thanks you so much for your time!

    ReplyDelete
  3. Thanks so much for your big note! I found your post after at least two hours of postfix troubleshooting, and it was the port number in ssl_passwd that was my issue.

    ReplyDelete
  4. I spent about 4 hours this evening getting this working, and your config and note about the sasl_passwd not matching the relay line are what finally did it. Thanks so much

    ReplyDelete
  5. According to the stackoverflow, we also need setting in main.cf:

    smtp_sasl_mechanism_filter = plain

    ReplyDelete
    Replies
    1. Hi:

      I already had this set to plain. I'm not quite sure why I left it out of my settings when I pasted in the article.

      Thanks,

      -Clint

      Delete
  6. http://stackoverflow.com/questions/26447316/mac-os-x-10-10-yosemite-postfix-sasl-authentication-failed the settings was referred in this page.

    ReplyDelete
  7. I apologize for not responding to anyone. I did not have notifications enabled and I'm not sure how to turn them on yet.

    I just thought I would update that I'm currently on Sierra 10.12.3, and most of my settings have migrated through a few OS updates. The postfix settings are still there, but I haven't updated a plist file to run Postfix as a daemon because newer versions of MacOS have System Integrity Protection (SIP) and you have to disable it through a reboot to modify files in areas like: /System/Library/LaunchDaemons/

    So, while outbound email works OK, I would not be able to receive mail in this manner.

    ReplyDelete