Postfix Gmail – Solve unencrypted mail which is not secure
To transform this:
Into this:
We need to configure our Postfix service with TLS.
1 Get your free Let's Encrypt certificate (the --standalone authenticator binds port 80 itself, so no web server may be listening there while it runs):
certbot certonly --standalone -d mail.example.com
2 Configure Postfix with the following commands. Certbot names the certificate directory after the first domain given in step 1 (mail.example.com), so the empty path segment in the first two commands must be filled with that domain:
sudo postconf -e 'smtpd_tls_cert_file = /etc/letsencrypt/live//fullchain.pem'
sudo postconf -e 'smtpd_tls_key_file = /etc/letsencrypt/live//privkey.pem'
sudo postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
sudo postconf -e 'smtp_tls_security_level = may'
sudo postconf -e 'smtpd_tls_security_level = may'
sudo postconf -e 'smtp_tls_note_starttls_offer = yes'
sudo postconf -e 'smtpd_tls_loglevel = 1'
sudo postconf -e 'smtpd_tls_received_header = yes'
3 Edit /etc/postfix/master.cf and uncomment the following lines. This enables the submission service (port 587), which, unlike port 25, requires TLS (smtpd_tls_security_level=encrypt) and only relays for authenticated clients:
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
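Before restarting, it is worth checking that the parameters from step 2 actually landed in main.cf. The script below is an added example, not part of the original post: it audits a snapshot of `postconf -n` output for the TLS settings the steps above configure, flagging a missing certificate path, the "live//" form that results when the domain was not filled in, and a security level of "none". SAMPLE_CONFIG is constructed so the script runs offline; on a real host call `audit_tls_config "$(postconf -n)"`.

```shell
#!/bin/sh
# Added example, not from the original post: audit a `postconf -n` snapshot for
# the TLS parameters configured in step 2. SAMPLE_CONFIG is constructed here so
# the script runs offline; on a real host use: audit_tls_config "$(postconf -n)"
SAMPLE_CONFIG='smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.com/privkey.pem
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes'

# Print the value of parameter $1 from "name = value" text on stdin.
get_param() {
    awk -v key="$1" -F' = ' '$1 == key { print $2 }'
}

# Audit the config text in $1. Prints one finding per parameter and returns
# non-zero if any check fails.
audit_tls_config() {
    cfg=$1
    rc=0
    # Certificate and key must be set, and the path must not contain an empty
    # segment (the "live//" form left behind when the domain was not filled in).
    for key in smtpd_tls_cert_file smtpd_tls_key_file; do
        val=$(printf '%s\n' "$cfg" | get_param "$key")
        if [ -z "$val" ]; then
            echo "MISSING $key"; rc=1
        elif printf '%s' "$val" | grep -q '//'; then
            echo "BAD     $key has an empty path segment: $val"; rc=1
        else
            echo "OK      $key = $val"
        fi
    done
    # Both directions must at least offer TLS; "none" or unset means plaintext.
    for key in smtp_tls_security_level smtpd_tls_security_level; do
        val=$(printf '%s\n' "$cfg" | get_param "$key")
        case "$val" in
            ""|none) echo "BAD     $key = '${val:-unset}' (TLS disabled)"; rc=1 ;;
            *)       echo "OK      $key = $val" ;;
        esac
    done
    return $rc
}

audit_tls_config "$SAMPLE_CONFIG"
```

The check is deliberately conservative: "may" passes because it is what the tutorial sets, but remember that "may" is opportunistic TLS and falls back to clear text when the other side does not offer STARTTLS.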
Optional: create or update your mail redirections
1 Edit /etc/postfix/virtual and add your redirections as follows:
account@your.domain your_mail@gmail.com
Note: leave out the mailbox part to match every mailbox in the domain:
@your.domain your_mail@gmail.com
Mail to any account in your domain is then redirected to the your_mail inbox at Gmail.
2 Run the following command to compile /etc/postfix/virtual into a hash lookup table for Postfix:
postmap /etc/postfix/virtual
3 Tell Postfix which domain is aliased and where the table lives:
postconf -e 'virtual_alias_domains = your.domain'
postconf -e 'virtual_alias_maps = hash:/etc/postfix/virtual'
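When a map contains both a specific entry and an @domain catch-all, it helps to know which one wins. The script below is an added example, not part of the original post or of Postfix: it emulates the lookup order documented in virtual(5), where the exact user@domain entry takes precedence over the @domain catch-all, so you can predict where a recipient lands before reloading. VIRTUAL_MAP is a constructed stand-in for /etc/postfix/virtual.

```shell
#!/bin/sh
# Added example, not from the original post: emulate the virtual_alias_maps
# lookup so you can predict where a recipient lands before reloading Postfix.
# VIRTUAL_MAP is a constructed stand-in for /etc/postfix/virtual.
VIRTUAL_MAP='postmaster@your.domain admin_mail@gmail.com
@your.domain your_mail@gmail.com'

# Resolve recipient $1 against map text $2, following the order virtual(5)
# documents for address lookups: the exact user@domain entry wins over the
# @domain catch-all. Prints the target, or the address itself when nothing
# matches. (Real Postfix also tries user+extension@domain and the bare user
# for local domains, and expands results recursively; omitted here.)
resolve_alias() {
    addr=$1
    map=$2
    domain="@${addr#*@}"
    printf '%s\n' "$map" | awk -v addr="$addr" -v dom="$domain" '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        $1 == addr     { exact = $2 }
        $1 == dom      { catchall = $2 }
        END {
            if (exact != "")         print exact
            else if (catchall != "") print catchall
            else                     print addr
        }'
}

resolve_alias postmaster@your.domain "$VIRTUAL_MAP"   # admin_mail@gmail.com
resolve_alias sales@your.domain "$VIRTUAL_MAP"        # your_mail@gmail.com
```

On the real host, `postmap -q account@your.domain hash:/etc/postfix/virtual` queries one exact key in the compiled table; it does not walk the fallback order, which is why the emulation above is useful for reasoning about catch-alls.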
Ready to test it?
As always, after configuring the service, restart it:
service postfix restart
To see what is going on with your service while you are testing, follow the log:
tail -f /var/log/maillog
If you see something like this:
Jan 20 23:34:18 coddns postfix/smtpd[14690]: connect from mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtpd[14690]: Anonymous TLS connection established from mail-lj1-f172.google.com[209.85.208.172]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtpd[14690]: 6BB0627A4E7: client=mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/cleanup[14694]: 6BB0627A4E7: message-id=<XXXXXXXXXXXXXXXXXXXXXXXXX@mail.gmail.com>
Jan 20 23:34:18 coddns postfix/qmgr[4908]: 6BB0627A4E7: from=<XXXXXX@gmail.com>, size=5266, nrcpt=1 (queue active)
Jan 20 23:34:18 coddns postfix/smtpd[14690]: disconnect from mail-lj1-f172.google.com[209.85.208.172]
Jan 20 23:34:18 coddns postfix/smtp[14695]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.206.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtp[14695]: 6BB0627A4E7: to=<YYYYYYYY@gmail.com>, orig_to=<XXXXX@your.domain>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=0.5, delays=0.1/0.01/0.19/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK 1579559658 x17si33087706wrr.148 - gsmtp)
Jan 20 23:34:18 coddns postfix/qmgr[4908]: 6BB0627A4E7: removed
If you see status=sent in the log, you've got it! The two TLS lines deserve a closer look: "Anonymous TLS connection established from" means Gmail's server connected to you over TLS without presenting a client certificate, and "Untrusted TLS connection established to" means your Postfix encrypted the outbound session to Gmail but, with smtp_tls_security_level = may (opportunistic TLS), did not verify the peer's certificate. Opportunistic TLS only protects against passive eavesdropping; a relay that refuses STARTTLS still receives the message in clear text, so watch for deliveries that are not preceded by a "TLS connection established" line.
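Reading the log by eye works for one test message, but over a busy day it is easier to let a script tell you which deliveries went out encrypted. The following is an added example, not part of the original post: it reads syslog-format Postfix lines and prints, per delivery attempt, the queue id, the status and the TLS trust level from the "TLS connection established" line the same smtp(8) process logged just before, or "plaintext" when there was none. SAMPLE_LOG is a constructed excerpt modelled on the lines above (the second delivery, to a made-up legacy relay, is there to show the plaintext case).

```shell
#!/bin/sh
# Added example, not from the original post: summarise outbound deliveries in
# the mail log and show whether each one went out over TLS. SAMPLE_LOG is a
# constructed excerpt modelled on the tutorial's log; on a real host run
#   tls_delivery_report < /var/log/maillog
SAMPLE_LOG='Jan 20 23:34:18 coddns postfix/smtpd[14690]: Anonymous TLS connection established from mail-lj1-f172.google.com[209.85.208.172]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtp[14695]: Untrusted TLS connection established to gmail-smtp-in.l.google.com[74.125.206.26]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jan 20 23:34:18 coddns postfix/smtp[14695]: 6BB0627A4E7: to=<YYYYYYYY@gmail.com>, orig_to=<XXXXX@your.domain>, relay=gmail-smtp-in.l.google.com[74.125.206.26]:25, delay=0.5, delays=0.1/0.01/0.19/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 20 23:35:02 coddns postfix/smtp[14701]: 7CC1138B5F8: to=<someone@legacy.example>, relay=mx.legacy.example[192.0.2.10]:25, delay=0.3, delays=0.1/0.01/0.1/0.1, dsn=2.0.0, status=sent (250 OK)'

# Read syslog-format Postfix lines on stdin and print, per delivery attempt,
# "QUEUEID status=... tls=Untrusted|Trusted|Verified|Anonymous|plaintext".
# The TLS level comes from the "TLS connection established" line that the
# same smtp(8) process logged just before the delivery; a delivery with no
# such line went out in clear text.
tls_delivery_report() {
    awk '
        # Only the smtp client process matters here; smtpd lines are inbound.
        match($0, /postfix\/smtp\[[0-9]+\]/) {
            pid = substr($0, RSTART, RLENGTH)
            if ($0 ~ /TLS connection established to/) {
                # Text after "postfix/smtp[pid]: " starts with the trust level.
                rest = substr($0, index($0, pid) + length(pid) + 2)
                split(rest, w, " ")
                tls[pid] = w[1]
                next
            }
            if (match($0, /status=[a-z]+/)) {
                status = substr($0, RSTART, RLENGTH)
                qid = $6
                sub(/:$/, "", qid)
                printf "%s %s tls=%s\n", qid, status, (pid in tls) ? tls[pid] : "plaintext"
                # Forget the session so a later plaintext delivery by the same
                # process is not mislabelled (conservative for cached connections).
                delete tls[pid]
            }
        }'
}

printf '%s\n' "$SAMPLE_LOG" | tls_delivery_report
```

Because the session is forgotten after each delivery, a process that reuses one cached TLS connection for several messages will report the later ones as plaintext; that errs towards false alarms rather than missed clear-text deliveries, which is the right direction for a check like this.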