7

What are the steps to set up postfix as an SMTP relay that uses the Google Apps SMTP relay? There are a bunch of tutorials on the web that explain how to use the smtp.gmail.com gateway with SASL authentication, but I could not find a working configuration for the Google Apps relay smtp-relay.google.com as described here, especially one that is specific to Google Compute.

I have set up the SMTP relay service with 'Only addresses in my domains' as described here and verified that the IP is in fact the one I connect from.

I know that Google compute does not allow Port 25 as outgoing port as described here.

I am using debian linux or a debian derivative.

I have set up postfix as detailed in the docs, but all I get in the mail.log is:

postfix/smtp[720]: send attr reason = host smtp-relay.gmail.com[66.102.1.28] said: 
550-5.7.1 Invalid credentials for relay [104.155.78.1]. The IP address you've
550-5.7.1 registered in Google Apps SMTP Relay service doesn't match domain of 
550-5.7.1 the accountthis email is being sent from. If you are trying to relay 
550-5.7.1 mail from a domain that isn't registered under your Googles Apps 
550-5.7.1 account or has empty envelope-from, you must configure your mail 
550-5.7.1 server either to use SMTP AUTH to identify the sending domain or to 
550-5.7.1 present one of your domain names in the HELO or EHLO command. For 
550-5.7.1 more information, please visit 
550 5.7.1  https://support.google.com/a/answer/6140680#invalidcred kg2sm505213wjb.4 - gsmtp (in reply to MAIL FROM command)
konqi

2 Answers

9

Install postfix with apt-get install postfix. When asked select "satellite system" or the option with smarthost. Accept the defaults of everything else for now.

Edit your main.cf according to the following file:

/etc/postfix/main.cf

# a file which should contain the google apps domain
myorigin = /etc/mailname
# if your google apps domain is in mydestination, remove it, or postfix will attempt to deliver your mail locally
mydestination = ...., localhost

# Google Apps Relay SMTP, must use port 587 because 25 is blocked
relayhost = [smtp-relay.gmail.com]:587

# Force ehlo behavior
smtp_always_send_ehlo = yes
smtp_helo_name = <yourappsdomainhere>

# Enable TLS
smtp_use_tls=yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# limit smtp to loopback interface & compute engine doesn't support ipv6
inet_interfaces = loopback-only
inet_protocols = ipv4

# These lines can be used, if the result is not as expected
# debug_peer_list = smtp-relay.gmail.com
# debug_peer_level = 2

Restart postfix with service postfix restart. All should be good.

This may not be the cleanest of all solutions, but it works for me.

konqi
  • This has worked for me half. I am now able to send mail from my command line with `echo "body of your email" | mail -s "This is a Subject" -a "From: me@mydomain.com" recipient@elsewhere.com`, but when I am trying to send mail with PHP mail() function, I get a message in my mail.log file which says: "Invalid credentials for relay". Do you know how to fix this? – Robbert Aug 30 '16 at 10:12
  • Hm, make sure that you can send email via the `sendmail` command from the CLI. Then check your php.ini; PHP should send mail via sendmail. Check whether PHP sends email with a correct sender address (meaning the sender must be compliant with the allowed senders that you configured in your Google Apps cpanel). – konqi Aug 30 '16 at 11:03
  • Thanks for your quick comment. I searched further and found the "better" way of doing it. The way with the authentication. If you are interested, I could share the summary I wrote about it. – Robbert Aug 31 '16 at 08:02
  • I'd say that depends on your solution. This question is about the SMTP relay functionality. If you authenticate as a regular user the solution is quite simple and also much more restricted. If you have a different approach using the smtp relay I'd be very interested in your solution. – konqi Aug 31 '16 at 08:24
  • Check my answer, hopefully it is helpful for you! – Robbert Aug 31 '16 at 08:57
  • I get this error: "The IP address you've 550-5.7.1 registered in your G Suite SMTP Relay service doesn't match domain of 550-5.7.1 the account this email is being sent from. If you are trying to relay 550-5.7.1 mail from a domain that isn't registered under your G Suite account 550-5.7.1 or has empty envelope-from, you must configure your mail server 550-5.7.1 either to use SMTP AUTH to identify the sending domain or to present 550-5.7.1 one of your domain names in the HELO or EHLO command." – Snowball Nov 22 '17 at 11:04
  • 1
    My emails were sent from something like "user@Server.localdomain". I created a "/etc/postfix/generic" file that mapped "users@Server.localdomain" to "user@domain.com" (the one I have configured within G Suite) and added a line containing "smtp_generic_maps = hash:/etc/postfix/generic" to my postfix configuration file, and after running "sudo postmap /etc/postfix/generic" and "sudo service postfix restart" it worked. – Snowball Nov 22 '17 at 11:14
1

I have searched the internet for a few days to find the solution which you and I were looking for.

Be sure you have set the SMTP relay settings under Apps > Google Apps > Gmail > Advanced settings in your Google Apps account as follows:

Google Apps SMTP relay service settings

Be sure you have installed postfix and libsasl2-modules.

sudo apt-get update
sudo apt-get install postfix
sudo apt-get install libsasl2-modules

Postfix configuration

During the Postfix configuration set the following settings:

  • General type of mail configuration: Internet with smarthost.
  • Mail name: example.com (fully qualified domain name)
  • Relay host: [smtp.gmail.com]:587

Your /etc/postfix/main.cf file should look like this:

myhostname = yourdomain.com
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

myorigin = /etc/mailname
mydestination = yourdomain.com

relayhost = [smtp.gmail.com]:587
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

# Use IPv4 protocol
inet_protocols = ipv4

# enable SASL authentication 
smtp_sasl_auth_enable = yes

# disallow methods that allow anonymous authentication. 
smtp_sasl_security_options = noanonymous

# where to find sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd

# Enable STARTTLS encryption 
smtp_use_tls = yes

# where to find CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Create a /etc/postfix/sasl/passwd file and add your Google Apps username and password as follows:

[smtp.gmail.com]:587 you@yourdomain.com:yourpassword

Now create the hash db file for Postfix by running the postmap command:

sudo postmap /etc/postfix/sasl/passwd

Secure your Password and Hash Database files so that only root could read and write them:

sudo chown root:root /etc/postfix/sasl/passwd /etc/postfix/sasl/passwd.db
sudo chmod 0600 /etc/postfix/sasl/passwd /etc/postfix/sasl/passwd.db

Restart Postfix by:

sudo /etc/init.d/postfix restart

If you have installed mailutils you could test sending mails by:

echo "body of your email" | mail -s "This is a Subject" -a "From: you@yourdomain.com" receiver@otherdomain.com

If your mail is not received, check your mail.log file for any error messages:

sudo tail -f /var/log/mail.log

I have written a more detailed article: http://dev.robbertvermeulen.com/postfix-google-apps-smtp-relay-google-compute-engine/

kasperd
Robbert
  • 1
    I'm not sure you're actually using the SMTP relay. It looks like you're simply using SMTP with user authentication (something I wanted to avoid in my setup). You could test it by removing the relay settings in the cpanel and see if it still works - it shouldn't, but if I'm right it will. – konqi Aug 31 '16 at 13:04
  • I confirm what @konqi said. You are using the Gmail SMTP server (smtp.gmail.com) and not the G Suite SMTP relay (smtp-relay.gmail.com). You can see the difference [here in Gmail documentation](https://support.google.com/a/answer/176600?hl=en). – maxime_039 Jul 13 '17 at 07:00
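
An added example, not part of either answer: a shell audit of a main.cf for the points this thread turns on, namely relay host versus user SMTP host, the HELO name needed for IP-based relay, and whether TLS is mandatory before SASL credentials are sent (`smtp_use_tls = yes` only enables opportunistic TLS). The function names, finding codes and example.com are assumptions made for illustration.

```shell
# Added example, not from the answers. example.com is a placeholder domain.
# conf_get FILE KEY: print the last value assigned to KEY (the last one wins).
# Simplification: continuation lines are not joined; the configs above have none.
conf_get() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        { i = index($0, "="); if (!i) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
          if (key == k) v = val }
        END { print v }' "$1"
}

# audit_relay_conf FILE DOMAIN: print one finding code per line, or OK.
audit_relay_conf() {
    f=$1; domain=$2; n=0
    relay=$(conf_get "$f" relayhost)
    sasl=$(conf_get "$f" smtp_sasl_auth_enable)
    opts=$(conf_get "$f" smtp_sasl_security_options)
    level=$(conf_get "$f" smtp_tls_security_level)
    helo=$(conf_get "$f" smtp_helo_name)
    helo=${helo:-$(conf_get "$f" myhostname)}   # Postfix falls back to $myhostname
    # The relay service and the per-user SMTP server are different hosts.
    case $relay in
        "[smtp-relay.gmail.com]:587") ;;
        "[smtp.gmail.com]:587") echo USER_SMTP_NOT_RELAY; n=1 ;;
        *) echo UNEXPECTED_RELAYHOST; n=1 ;;
    esac
    # With no SMTP AUTH, the relay identifies the sender by the HELO/EHLO name.
    if [ "$sasl" != yes ] && [ "$helo" != "$domain" ]; then echo HELO_NOT_DOMAIN; n=1; fi
    # Only these levels refuse cleartext (legacy smtp_enforce_tls is not examined).
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo TLS_NOT_MANDATORY; n=1
           # Default SASL options include noplaintext; overriding them drops it.
           case "$sasl:${opts:-noplaintext}" in
               yes:*noplaintext*) ;;
               yes:*) echo SASL_PLAINTEXT_WITHOUT_TLS_POSSIBLE ;;
           esac ;;
    esac
    if [ "$n" -eq 0 ]; then echo OK; fi
}

# Constructed sample mirroring the relay settings of the first answer.
t=$(mktemp)
printf '%s\n' 'relayhost = [smtp-relay.gmail.com]:587' \
    'smtp_helo_name = example.com' 'smtp_use_tls=yes' > "$t"
audit_relay_conf "$t" example.com; rm -f "$t"
```

On a live host, the output of `postconf -n` can be saved to a file and passed as FILE, since it uses the same `key = value` form.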