Ajouter le SMTP de Gmail en SmartHost avec Postfix sous Ubuntu Server
Voici un petit tuto permettant d’utiliser le smtp de gmail en smarthost (relay) avec le serveur de messagerie Postfix sur la distribution Ubuntu Server, ici une 9.10.
Bien sur, vous devez avoir au préalable votre serveur Postfix d’installé.
Il vous faut générer un certificat SSL pour votre serveur
Aller dans votre $HOME
root@votrehostname:~#cd ~
Puis générer le nouveau certificat :
Création du fichier « Certificate Authority »
$ /usr/lib/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 1024 bit RSA private key ........................................++++++ .............................................................................................++++++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:FR State or Province Name (full name) [Some-State]:Nord Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]:Votre Organisation Organizational Unit Name (eg, section) []: Common Name (eg, YOUR name) []:votrehostname Email Address []:test@gmail.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: c4:22:ea:51:7c:ba:68:9b Validity Not Before: Apr 12 09:52:02 2010 GMT Not After : Apr 11 09:52:02 2013 GMT Subject: countryName = FR stateOrProvinceName = Nord organizationName = Votre Organisation commonName = votrehostname emailAddress = test@gmail.com X509v3 extensions: X509v3 Subject Key Identifier: 72:94:AE:2C:47:9E:A2:6E:28:6B:1A:68:51:E5:5A:3D:93:86:8C:95 X509v3 Authority Key Identifier: keyid:72:94:AE:2C:47:9E:A2:6E:28:6B:1A:68:51:E5:5A:3D:93:86:8C:95 DirName:/C=FR/ST=Nord/O=Votre Organisation/CN=votrehostname/emailAddress=test@gmail.com serial:C4:22:EA:51:7C:BA:68:9B X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Apr 11 09:52:02 2013 GMT (1095 days) Write out database with 1 new entries Data Base Updated
Générer le certificat Serveur :
root@votrehostname:~# openssl req -new -nodes -subj '/CN=votrehostname/O=Votre Organisation/C=FR/ST=Nord/emailAddress=test@gmail.com' -keyout FOO-key.pem -out FOO-req.pem -days 3650 Generating a 1024 bit RSA private key ................................++++++ .++++++ writing new private key to 'FOO-key.pem' -----
Vous constaterez bien sur que j’utilise les valeurs données plus haut.
Signer le certificat :
root@votrehostname:~# openssl ca -out FOO-cert.pem -infiles FOO-req.pem Using configuration from /usr/lib/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: c4:22:ea:51:7c:ba:68:9c Validity Not Before: Apr 12 09:57:23 2010 GMT Not After : Apr 12 09:57:23 2011 GMT Subject: countryName = FR stateOrProvinceName = Nord organizationName = Votre Organisation commonName = votrehostname emailAddress = test@gmail.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: D8:65:D7:DA:68:6C:34:00:14:63:98:B0:BD:C9:9D:67:A0:04:74:2E X509v3 Authority Key Identifier: keyid:72:94:AE:2C:47:9E:A2:6E:28:6B:1A:68:51:E5:5A:3D:93:86:8C:95 Certificate is to be certified until Apr 12 09:57:23 2011 GMT (365 days) Sign the certificate? [y/n]:<strong>y</strong> 1 out of 1 certificate requests certified, commit? [y/n]<strong>y</strong> Write out database with 1 new entries Data Base Updated
Copier les certificats dans votre dossier postfix :
root@votrehostname:~# mkdir /etc/postfix/certif root@votrehostname:~# cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix/certif root@votrehostname:~# chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/certif/cacert.pem root@votrehostname:~# chmod 400 /etc/postfix/certif/FOO-key.pem
Gmail utilise un certificat Thawte Premium Server CA.
Il vous faut l’ajouter dans le fichier :
root@votrehostname:~# cat /etc/ssl/certs/Thawte_Premium_Server_CA.pem >> /etc/postfix/certif/cacert.pem
Si vous ne faites pas ça, vous aurez le message suivant :
Server certificate not trusted
Attention il semblerait que Gmail a changé de certificat, je m’en suis rendu compte le 27 Mai 2010.
Il n’utilise plus un certicat Thawte mais Equifax
J’ai rencontré ce message d’erreur :
May 23 06:53:21 hostname postfix/smtp[20658]: certificate verification failed for smtp.gmail.com[209.85.229.109]:587: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
Pour palier à ce problème, il suffit d’ajouter le bon certificat :
root@votrehostname:~# cat /etc/ssl/certs/Equifax_Secure_CA.pem >> /etc/postfix/cacert.pem
Configuration du serveur Postfix :
Pour cela, il faut modifier le fichier /etc/postfix/main.cf
## TLS Settings # smtp_tls_CAfile = /etc/postfix/certif/cacert.pem smtp_tls_cert_file = /etc/postfix/certif/FOO-cert.pem smtp_tls_key_file = /etc/postfix/certif/FOO-key.pem smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache smtp_use_tls = yes smtpd_tls_CAfile = /etc/postfix/certif/cacert.pem smtpd_tls_cert_file = /etc/postfix/certif/FOO-cert.pem smtpd_tls_key_file = /etc/postfix/certif/FOO-key.pem smtpd_tls_received_header = yes smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache smtpd_use_tls = yes tls_random_source = dev:/dev/urandom # ## SASL Settings # This is going in to THIS server smtpd_sasl_auth_enable = no smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd smtpd_sasl_local_domain = $myhostname smtp_sasl_security_options = noanonymous #smtp_sasl_security_options = smtp_sasl_tls_security_options = noanonymous smtpd_sasl_application_name = smtpd relayhost = [smtp.gmail.com]:587 transport_maps = hash:/etc/postfix/transport
Ajouter dans le fichier /etc/postfix/transport
gmail.com smtp:[smtp.gmail.com]:587
Ajouter dans le fichier /etc/postfix/sasl_passwd
[smtp.gmail.com]:587 test@gmail.com:password
Puis :
postmap sasl_passwd postmap transport /etc/init.d/postfix restart
Voilà, votre serveur est configuré
Nettoyer la création de certificat :
root@votrehostname:~# cd ~ rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/
Tester l’envoie de mail :
J’ai pour habitude de tester l’envoie de mail via telnet :
root@votrehostname:/etc/postfix# telnet localhost 25 Trying ::1... Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. 220 hostname ESMTP Postfix (Ubuntu) <strong>EHLO test@gmail.com</strong> 250-hostname 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-ETRN 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN <strong>MAIL FROM:test@gmail.com</strong> 250 2.1.0 Ok <strong>RCPT TO:test@gmail.com</strong> 250 2.1.5 Ok <strong>DATA</strong> 354 End data with <CR><LF>.<CR><LF> <strong>Subject:test</strong> <strong>test envoi de mail</strong> <strong>.</strong> 250 2.0.0 Ok: queued as 9D381812 <strong>quit</strong> 221 2.0.0 Bye Connection closed by foreign host.
Ce qui est en gras est a renseigner par vos soins bien sur 
Pour vérifier, faite un petit
mailq
ou
postqueue -pEt vérifier dans le fichier /var/log/mail.log que vous n’avez pas d’erreur.
A noter : La flèche utilisée pour illustrer cet article est sous licence libre, mais je ne sais pas laquelle et a été trouvée sur icones.pro
tags :
