Wednesday, May 6, 2015

Enabling OpenBSD 6.1 OpenSMTPd to relay mail via Google's GMail (TLS+AUTH)

Just about every ISP blocks outbound mail, except mail that's forwarded via TLS.  Naturally, I have my own domain(s), and since their mail is hosted by Google, I give my firewall an account on one particular domain to send eMail as it pleases.  I've always taken it for granted that this "just works" until I was configuring it for someone else's firewall and stumbled on a bit of an issue, so I thought I might simply describe the entire process here for those who wish to enable it for themselves.

First, we'll need a basic OpenSMTPd configuration.  Start with /etc/mail/secrets, where you'll need to enter your gmail account and password.  The first field ("googlemail") is a label that the relay rule below refers to; the second is the account name and password, separated by a colon.

echo 'googlemail openbsduser@gmail.com:openbsdgmailpassword' >> /etc/mail/secrets
chown root:_smtpd /etc/mail/secrets
chmod 640 /etc/mail/secrets
makemap /etc/mail/secrets

Next, you'll need to log into your gmail account, navigate to the following URL and "Turn on" less secure apps.

https://www.google.com/settings/security/lesssecureapps

Google will warn you that the sky is crashing, but honestly, this is a dedicated account strictly for /sending/ mail from your firewall. Right? .....

Edit your /etc/mail/smtpd.conf file and add the following lines:

table secrets db:/etc/mail/secrets.db
accept for any relay via tls+auth://googlemail@smtp.googlemail.com:587 auth <secrets>

Restart OpenSMTPd:

/etc/rc.d/smtpd restart
smtpd(ok)
smtpd(ok)

Now try sending a message.  Until a route is enabled, it will likely fail.  This may take a few minutes, but once you see 'smtp-out: Enabling route [] <->' in the log, it's likely good to go.

echo "Testing mail from t5220." | mail -s "Mail test from T5220" testuser@testdomain.com

Here's the /var/log/maillog from my test:

May  6 03:28:19 t5220 smtpd[23090]: smtp-out: Enabling route [] <-> 173.194.77.108 (ob-in-f108.1e100.net)
May  6 03:28:21 t5220 smtpd[23090]: smtp-out: Enabling route [] <-> 173.194.77.109 (ob-in-f109.1e100.net)
May  6 03:29:05 t5220 smtpd[23090]: smtp-in: New session 5c9e377d25bc3344 from host t5220.local [local]
May  6 03:29:05 t5220 smtpd[23090]: smtp-in: Accepted message 6f338ef3 on session 5c9e377d25bc3344: from=, to=, size=201, ndest=1, proto=ESMTP
May  6 03:29:05 t5220 smtpd[23090]: smtp-in: Closing session 5c9e377d25bc3344
May  6 03:29:05 t5220 smtpd[23090]: smtp-out: Connecting to tls://173.194.77.108:587 (ob-in-f108.1e100.net) on session 5c9e37803c19815b...
May  6 03:29:05 t5220 smtpd[23090]: smtp-out: Connected on session 5c9e37803c19815b
May  6 03:29:05 t5220 smtpd[23090]: smtp-out: Started TLS on session 5c9e37803c19815b: version=TLSv1/SSLv3, cipher=ECDHE-RSA-AES128-GCM-SHA256, bits=128
May  6 03:29:06 t5220 smtpd[23090]: smtp-out: Server certificate verification succeeded on session 5c9e37803c19815b
May  6 03:29:08 t5220 smtpd[23090]: relay: Ok for 6f338ef3fa99c038: session=5c9e37803c19815b, from=, to=, rcpt=<->, source=172.16.18.5, relay=173.194.77.108 (ob-in-f108.1e100.net), delay=3s, stat=250 2.0.0 OK 1430900948 ek11sm590095oeb.6 - gsmtp
May  6 03:29:18 t5220 smtpd[23090]: smtp-out: Closing session 5c9e37803c19815b: 1 message sent.

Let me know if you have other providers you use with a configuration like this, I'd be interested to know how yours works.

2 comments:

  1. Don't just add the two lines to the bottom of smtpd.conf; make sure to remove the "accept from local for any relay" line if you have it, as that will cause smtpd to deliver the mail itself instead of through the relay.

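The steps in the post and the pitfall raised in the comment can be checked mechanically before restarting smtpd. The following script is an example added for this page; it is not the post author's script and not part of OpenSMTPd. It assumes GNU stat (-c) or BSD stat (-f) is available and that the secrets file uses the "label user:password" layout shown above; it checks the secrets file's mode and layout and lists any "accept ... relay" rule that has no "via", which is exactly the rule the commenter says must go. Ownership (root:_smtpd) is not checked because chown needs root. All sample files are constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Sanity checks for the Gmail relay setup described in the post. Example added
# for this page, not the author's script and not part of OpenSMTPd.
# Assumptions: GNU stat (-c) or BSD stat (-f); secrets laid out as
# "label user:password". Ownership is not checked (chown needs root).

# Return 1 if the secrets file is readable, writable or executable by "other";
# modes such as 640 or 600 pass.
check_secrets_mode() {
    f="$1"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *[1-7]) echo "$f: mode $mode is world-accessible, use chmod 640" >&2; return 1 ;;
    esac
}

# Return 1 if any non-comment line is not "label user:password". Only the first
# whitespace run separates the label from the credentials, so a password
# containing spaces is still accepted.
check_secrets_format() {
    f="$1"; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        label=${line%%[[:space:]]*}
        rest=${line#"$label"}
        rest=${rest#"${rest%%[![:space:]]*}"}   # trim leading whitespace
        if [ -z "$label" ] || [ -z "$rest" ] || [ "${rest#*:}" = "$rest" ]; then
            echo "$f: malformed line: $line" >&2; bad=1
        fi
    done < "$f"
    return "$bad"
}

# Print every "accept ... relay" rule that lacks "via" (such a rule makes smtpd
# deliver mail itself rather than through the Gmail relay, as the comment on
# the post warns) and return 1; return 0 when none are present.
find_direct_relay_rules() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*accept[[:space:]].*[[:space:]]relay([[:space:]]|$)' \
      | grep -vE '[[:space:]]via[[:space:]]' && return 1
    return 0
}

# Constructed sample files (not real credentials) in a temp dir; paths are
# exported as globals so the checks can be exercised offline.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)

    GOOD_SECRETS="$SAMPLE_DIR/secrets"
    printf '%s\n' 'googlemail openbsduser@gmail.com:openbsdgmailpassword' > "$GOOD_SECRETS"
    chmod 640 "$GOOD_SECRETS"

    BAD_SECRETS="$SAMPLE_DIR/secrets.bad"     # world-readable and missing the ':'
    printf '%s\n' 'googlemail openbsduser@gmail.com openbsdgmailpassword' > "$BAD_SECRETS"
    chmod 644 "$BAD_SECRETS"

    # smtpd.conf as the comment warns against: default local relay rule left in.
    BAD_CONF="$SAMPLE_DIR/smtpd.conf.bad"
    cat > "$BAD_CONF" <<'EOF'
listen on lo0
table aliases db:/etc/mail/aliases.db
accept for local alias <aliases> deliver to mbox
accept from local for any relay
table secrets db:/etc/mail/secrets.db
accept for any relay via tls+auth://googlemail@smtp.googlemail.com:587 auth <secrets>
EOF
    # Corrected copy: only the "relay via" rule remains.
    GOOD_CONF="$SAMPLE_DIR/smtpd.conf"
    grep -v '^accept from local for any relay$' "$BAD_CONF" > "$GOOD_CONF"
}

# Run all three checks; 0 means the relay setup looks sane.
run_checks() {
    check_secrets_mode "$1" && check_secrets_format "$1" && find_direct_relay_rules "$2"
}

make_samples
if run_checks "$GOOD_SECRETS" "$GOOD_CONF"; then
    echo "corrected samples: relay config looks sane"
fi
run_checks "$BAD_SECRETS" "$BAD_CONF" || echo "bad samples: problems found, as expected"
```

On a real system, run `run_checks /etc/mail/secrets /etc/mail/smtpd.conf` instead of the constructed samples; a non-zero exit with the offending line on stderr tells you what to fix before the restart.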