solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Mon Sep 03, 2018 11:22 pm Post subject: [Solved] Allow Postfix to send email to Gmail |
|
|
When I send an email from my gentoo box to my Gmail account, I get the following error message.
Code: |
Sep 3 13:45:51 gentoo postfix/smtp[31886]: 8E2871E0798: to=<MY_GOOGLE_ID@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.200.26]:25, delay=11, delays=0.25/0.01/5.7/5.2, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[209.85.200.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. b79-v6si8427017itb.103 - gsmtp (in reply to end of DATA command))
|
Google doesn't want any random person off the street to send email to their users, so I guess I need to somehow prove I am indeed who I say I am. I couldn't quite understand what I was supposed to do even after reading the instructions multiple times.
My gentoo box gets its dynamic IP from the internet service provider, and I use https://www.noip.com/ to map the dynamic IP to something easier to remember.
Not sure if it's relevant or not, but I can send email from my Gmail account to my gentoo box. And if I reply, the mail does get delivered to Gmail; it's just the new emails from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions.
__
sol
Last edited by solamour on Wed Sep 05, 2018 6:34 am; edited 1 time in total |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Tue Sep 04, 2018 12:08 am Post subject: |
|
|
Jaglover wrote: | Use your ISP mail server as a relay. |
That was exactly what I've been doing, because it was the least complicated method. But then, the ISP changed the policy and asked $5/month for the email service. Being the cheapskate that I am, I didn't take the offer.
__
sol
Last edited by solamour on Tue Sep 04, 2018 1:11 am; edited 1 time in total |
Jaglover Watchman
Joined: 29 May 2005 Posts: 8291 Location: Saint Amant, Acadiana
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Tue Sep 04, 2018 10:46 am Post subject: |
|
|
solamour ...
what are you using as the MTA on "gentoo box"? It's trivial to have the MTA authenticate with the relay via SASL. With postfix you would use 'sender_dependent_relayhost_maps', 'smtp_sasl_auth_enable', 'smtp_tls_policy_maps', and 'smtp_sasl_password_maps'. So, for example:
/etc/postfix/main.cf: |
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_host
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = /etc/ssl/certs
|
/etc/postfix/tls_policy: |
[mail.foo.org]:587 encrypt
[smtp.gmail.com]:587 encrypt
|
/etc/postfix/saslpass: |
solamour@foo.org solamour@foo.org:password123
solamour@gmail.com solamour@gmail.com:password123
|
/etc/postfix/relay_host: |
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587
|
If your mail client is sending mail from solamour@foo.org it will be relayed to mail.foo.org, if solamour@gmail.com it will be relayed via mail.google.com ... both of which will authenticate via SASL.
EDIT: corrected tls_policy attribution.
HTH & best ... khay
Last edited by khayyam on Tue Sep 04, 2018 9:37 pm; edited 1 time in total |
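An added example, not part of khayyam's post or of Postfix itself: Postfix looks up smtp_tls_policy_maps by the next-hop exactly as the relay map writes it (square brackets and port included), and with sender-dependent authentication it looks up smtp_sasl_password_maps by sender and then by next-hop, so a key that differs only in brackets leaves that relay on the global TLS level without any error. The linter below cross-checks the three maps for this; its function names, finding codes and sample map contents are constructed for illustration.

```python
# Added example: lint Postfix SMTP-client maps for next-hop key mismatches.
# Hosts, addresses and secrets below are constructed placeholders.
MANDATORY_TLS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_map(text):
    """Parse postmap source text: first token is the key, the rest the value."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)
        table[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lint_relay(relay_text, tls_text, sasl_text):
    """Return (sender, nexthop, finding) tuples for every weak or missing entry."""
    relay, tls, sasl = (parse_map(t) for t in (relay_text, tls_text, sasl_text))
    findings = []
    for sender, nexthop in relay.items():
        policy = tls.get(nexthop, "").split()
        if not policy:
            # Same host without brackets is a near miss that Postfix will not match.
            bare = nexthop.replace("[", "").replace("]", "")
            code = "tls-key-mismatch" if bare in tls else "tls-missing"
            findings.append((sender, nexthop, code))
        elif policy[0] not in MANDATORY_TLS:
            findings.append((sender, nexthop, "tls-not-mandatory"))
        # With sender-dependent authentication the sender is tried before the next-hop.
        if sender not in sasl and nexthop not in sasl:
            findings.append((sender, nexthop, "sasl-missing"))
    return findings

RELAY = """\
user@example.org  [mail.example.org]:587
user@example.net  [smtp.example.net]:587
"""
TLS_WEAK = """\
# key lacks the brackets used in RELAY
mail.example.org:587    encrypt
[smtp.example.net]:587  may
"""
TLS_GOOD = "[mail.example.org]:587 encrypt\n[smtp.example.net]:587 encrypt\n"
SASL_PARTIAL = "user@example.org user@example.org:CONSTRUCTED-SECRET\n"
SASL_FULL = SASL_PARTIAL + "[smtp.example.net]:587 user@example.net:CONSTRUCTED-SECRET\n"

if __name__ == "__main__":
    for finding in lint_relay(RELAY, TLS_WEAK, SASL_PARTIAL):
        print(*finding)
```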
szatox Advocate
Joined: 27 Aug 2013 Posts: 3494
|
Posted: Tue Sep 04, 2018 6:26 pm Post subject: |
|
|
Sending mail from my postfix to google "Just works" ™
Something tells me you're doing something nasty there, like spoofing sender's address. You can't just use random MTAs as relays anymore, administrators already know that spammers will abuse open relays, and developers hard-code "sane defaults" that will block all email unless one of the below is the case:
- The message comes from a foreign domain and is addressed to a domain served by this MTA (AKA receiving email).
- User is authenticated and owns FROM address (AKA sending email).
- Email comes from an otherwise trusted source / whitelisted IP (Mail relay)
If neither of those applies, any reasonably configured email server will reject that message to limit the amount of spam.
This message:
Quote: | This message does not have authentication information |
screams DON'T SEND EMAIL FROM A DOMAIN OWNED BY _ME_
Bonus point: email servers tend to check if sender's IP address matches sender's domain, and often reject mail unless sender's domain's DNS server confirms you're allowed to send that mail. |
Marlo Veteran
Joined: 26 Jul 2003 Posts: 1591
|
Posted: Tue Sep 04, 2018 8:16 pm Post subject: Re: Q: Allow postfix to send email to Gmail |
|
|
solamour wrote: | ... it's just the new email from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions. |
Your mail client is considered unsafe by Gmail. Your normal password will not be accepted.
You'll need to get an App password from Gmail. --> https://support.google.com/mail/answer/185833?hl=en
greetings
Ma.
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Tue Sep 04, 2018 8:20 pm Post subject: |
|
|
khayyam wrote: |
/etc/postfix/relay_host: |
mail.foo.org:587 encrypt
smtp.gmail.com:587 encrypt
|
/etc/postfix/relay_host: |
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587
|
|
That must be copy/paste gone awry, no?
__
sol |
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Tue Sep 04, 2018 9:34 pm Post subject: |
|
|
khayyam wrote: |
/etc/postfix/relay_host: |
mail.foo.org:587 encrypt
smtp.gmail.com:587 encrypt
|
/etc/postfix/relay_host: |
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587
|
|
solamour wrote: | That must be copy/paste gone awry, no? |
solamour ... a typo, the first should be '/etc/postfix/tls_policy' (corrected above).
best ... khay |
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Wed Sep 05, 2018 6:34 am Post subject: |
|
|
After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account. It most likely is a smart idea to enable Google's 2-Step Verification and use the App Password (which will be used by Postfix only), but that didn't seem necessary. Or I already tried once, so perhaps Google knew my gentoo box and didn't ask again.
Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me.
I also found out that https://www.noip.com/ does provide SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), so I could have avoided all this trouble, but those are for the paying customers only. It might be well worth it for some people, but it's certainly way beyond what I need.
I ended up with the free service from https://sendgrid.com/. No particular reason other than their ample documentation and videos.
Code: |
[/etc/postfix/main.cf]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
header_size_limit = 4096000
relayhost = [smtp.sendgrid.net]:465
[/etc/postfix/saslpass]
[smtp.sendgrid.net]:465 apikey:MY_SENDGRID_API_KEY
|
Thank you everyone for taking time to share your suggestions. Much appreciated.
__
sol |
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Wed Sep 05, 2018 1:35 pm Post subject: |
|
|
solamour wrote: | After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account.[...] Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me. |
solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood.
best ... khay |
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Wed Sep 05, 2018 5:22 pm Post subject: |
|
|
khayyam wrote: | solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood. |
I just re-read what I wrote, and I can certainly see I could have worded it differently to avoid confusion.
It's true that everyone should be able to send email to my Gmail account without authentication, and that should include the email from my gentoo box. But when I tried sending email from my gentoo box (with no relaying whatsoever), I received the following error message.
Code: | This message does not have authentication information or fails to pass 421-4.7.0
authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. |
It looks like Gmail is trying to filter out spam, so it allows emails from only verified (or at least, verifiable) sources. My gentoo box gets its dynamic IP from the ISP, so it might not be considered as legit unless I configure SPF or DKIM.
The way I got around up to recently was to use my ISP's SMTP, but then the ISP started asking for additional charges, so my search began. Using Gmail's SMTP did work, but all the mails from my gentoo box were marked as "from: solamour@gmail.com". When I switched to a different SMTP provider, all looked well.
Anyhow, I learned a few things that I didn't know before, and I thank everyone for taking time to respond.
__
sol
Last edited by solamour on Wed Sep 05, 2018 9:03 pm; edited 1 time in total |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3494
|
Posted: Wed Sep 05, 2018 6:45 pm Post subject: |
|
|
If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?
Why not send them directly to the recipient's email server? |
solamour l33t
Joined: 21 Dec 2004 Posts: 726 Location: San Diego, CA
|
Posted: Wed Sep 05, 2018 9:10 pm Post subject: |
|
|
szatox wrote: | If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?
Why not send them directly to the recipient's email server? |
I do want to send email from me@my-dynamic-ip.net to solamour@gmail.com. If I send it directly, Gmail doesn't accept it. If I use Gmail's SMTP, the mail is "from: solamour@gmail.com" instead of "from: me@my-dynamic-ip.net". I'd still consider Gmail's SMTP option if I can somehow make the mail "from: me@my-dynamic-ip.net".
__
sol
Last edited by solamour on Wed Sep 05, 2018 11:15 pm; edited 1 time in total |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Wed Sep 05, 2018 10:58 pm Post subject: |
|
|
You might want to consider switching dyndns providers to freedns.afraid.org, which lets you use SPF for free (it's a single TXT record, charging for that is pure profiteering). |
szatox Advocate
Joined: 27 Aug 2013 Posts: 3494
|
Posted: Thu Sep 06, 2018 6:27 pm Post subject: |
|
|
Considering you have a dynamic IP, SPF is not the best idea.
However, you can still use DKIM (also a TXT record in DNS) and you can check your PTR after connecting to the internet and set the result as MTA's hostname.
Many servers check if your reverse DNS matches your machine name, and many servers will accept email if either SPF or DKIM check succeeds.
Obviously, the best way would be to get a cheap VPS with a static IP and a way to define PTR by yourself. I wouldn't be surprised if dynamic IP pools were simply banned due to (possibly) common abuse by malware running on millions of Windows machines, routers and even fridges and smart TVs.
Logging in to your account negates that ban -> you use account's reputation instead of IP reputation at this point. |