4

Can't get this to work. Been over all of the doc sites multiple times and scoured issues here and elsewhere, have tried to follow responses and I'm getting nowhere.

This is on a GCE, minimal server, Debian stretch with postfix and mail installed.

The log from a mail attempt spews out a bunch of stuff, but this seems to be the most salient message:

```
relay=smtp-relay.gmail.com[74.125.124.28]:587, delay=8471,
delays=8470/0.03/0.41/0.05, dsn=5.7.1,
status=bounced (host smtp-relay.gmail.com[74.125.124.28] said: 550-5.7.1 Invalid credentials for relay [34.66.70.41].
The IP address you've 550-5.7.1 registered in your G Suite SMTP Relay service doesn't match domain of 550-5.7.1 the account this email is being sent from.
If you are trying to relay 550-5.7.1 mail from a domain that isn't registered under your G Suite account 550-5.7.1 or has empty envelope-from, you must configure your mail server 550-5.7.1 either to use SMTP AUTH to identify the sending domain or to present 550-5.7.1 one of your domain names in the HELO or EHLO command.
```

The GCE Domain and the GSuite domain are the same.

So, my postfix main.cf looks like this:

```
# See /usr/share/postfix/main.cf.dist for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = <mydomain>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = <mydomain>, localhost
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

relayhost = smtp-relay.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = 
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes
```

The contents of the mailname file are:

<mydomain>

The contents of the sasl_passwd file are:

[smtp.gmail.com]:587 <gmail-user-name>:<gmail-password>

The GSuite settings are:


From Website
Allowed senders: Only addresses in my domains
Only accept mail from the specified IP addresses: Yes
Allowed IP addresses: Website Server
Require SMTP Authentication: Yes
Require TLS encryption: Yes

The 'Allow IP addresses' is set to the external address of the GCE.

So, I'm stumped.

Any thoughts appreciated.

rickb
  • Interesting development -- this is a WordPress site and my intent was to install and configure postfix to handle back-end mail. I stumbled upon a WP plugin called 'Post SMTP Mailer' that apparently runs its own connection. It discovered the e-mail configuration pretty much on its own (that I was using gmail, port 587, etc), I provided the exact same credentials I did in the postfix configuration, and it worked like butter. – rickb May 28 '19 at 20:57
  • So, that's good - the original motivation was to be able to send mail via WordPress forms, and that is happening. I'd still like to get the postfix configuration right, though, in case I want to be able to send mails from other than WordPress. – rickb May 28 '19 at 20:58
  • Hmmm. Just noticed the configuration is not specifying a HELO/EHLO parameter (although I *am* presumably using smtp authentication...). I had done the HELO/EHLO parameter in prior attempts, but looks like it may have been dropped in subsequent retries. I'll add it and see if it changes anything. – rickb May 28 '19 at 21:04
  • You could try swaks - ```echo "Hello world" | swaks -4 --server localhost --from user@your.gce.domain.com --to user@example.com --h-Subject "Test message" --body -``` – ALex_hha Jun 04 '19 at 09:49
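
The `main.cf` in the question sets `relayhost = smtp-relay.gmail.com:587`, while the `sasl_passwd` entry is keyed `[smtp.gmail.com]:587`. Postfix's SMTP client looks up `smtp_sasl_password_maps` by the remote hostname or by the next-hop written in the same form as `relayhost`, and does not attempt authentication when no entry is found. The following check is an added example, not part of the original post; the file contents are constructed from the post's excerpts with its placeholders, and the function names are hypothetical.

```python
import re

def parse_main_cf(text):
    """Return {parameter: value} from main.cf text; comments skipped, continuations joined."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:        # indented line continues the previous parameter
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def parse_sasl_passwd(text):
    """Return the lookup key (first field) of every sasl_passwd entry."""
    return [l.split()[0] for l in text.splitlines() if l.strip() and not l.startswith("#")]

def lookup_keys(relayhost):
    """Keys that can match: the next-hop exactly as written, and the bare hostname."""
    host = re.sub(r":\w+$", "", relayhost).strip("[]")
    return [relayhost, host]

def check(main_cf, sasl_passwd):
    """Return a list of findings; an empty list means a credential entry will be found."""
    p = parse_main_cf(main_cf)
    relay = p.get("relayhost", "")
    findings = []
    if p.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes'")
    keys = parse_sasl_passwd(sasl_passwd)
    if relay and not set(lookup_keys(relay)) & set(keys):
        findings.append(f"no sasl_passwd entry for {relay!r}; file has {keys}")
    return findings

# Constructed sample input, taken from the relay-related lines of the post.
MAIN_CF = """\
relayhost = smtp-relay.gmail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""
AS_POSTED = "[smtp.gmail.com]:587 <gmail-user-name>:<gmail-password>\n"
MATCHING = "smtp-relay.gmail.com:587 <gmail-user-name>:<gmail-password>\n"

if __name__ == "__main__":
    for label, passwd in (("as posted", AS_POSTED), ("matching key", MATCHING)):
        print(label, "->", check(MAIN_CF, passwd) or "ok")
```

After `sasl_passwd` is edited, the `hash:` table has to be rebuilt with `postmap /etc/postfix/sasl_passwd` before Postfix sees the change.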

4 Answers

1

You can't authenticate with your personal Gmail account, it has to be an account tied to your G Suite domain.

Michael Hampton
  • 1
    Don't understand. I have a domain registered via GSuite and that is the domain name I'm using. When I log into GSuite, I have to log in with an e-mail and password, the domain of the email is the domain that is registered with GSuite. When I say 'gmail-user-name' that's the name that I sign into GSuite or gmail and when I say 'gmail-password', that is the password I use to sign into GSuite or gmail. I'm not sure what is the distinction or what other credentials I would use in that place. – rickb May 28 '19 at 14:45
0

After many frustrating hours getting the above error message and thinking the problem was in my postfix configuration file, I discovered it was actually that the PTR record my hosting company (DigitalOcean) created was broken in that the IP address I had been allocated didn't match my chosen domain name.

Long story short, Google's SMTP relay service won't work unless reverse lookup of your domain name and IP is set up correctly. For DigitalOcean, that involved the completely unintuitive and undocumented process of clicking on your droplet's name, which turns it into an editable box, and replacing it with your domain name.

joeblog
0

Per design, Port 25 is always blocked and cannot be used, even through an SMTP relay using G Suite.

Google Compute Engine allows outbound connections on all ports but port 25, which is blocked because of the risk of abuse. All other ports are open, including ports 587 and 465.

This is fully documented in the "Sending Email from an Instance" article.

Products such as SendGrid, Mailgun and Mailjet offer a free tier for Compute Engine customers to set up and send emails through their servers. I really recommend that you review the referenced document and implement the email solution that meets your expectations according to your solution.

  • 2
    I presume this is a canned response. If you look at the configuration details I posted, you would see I'm specifying port 587, not 25. I've been over the document several times and would dispute that it is 'fully documented'. If it were, I would have gotten my direction from the document and not had to post this query. – rickb May 28 '19 at 20:51
0

I was taking a look at all the configuration settings you posted and they look pretty vanilla to me. What I see at this moment that could be a problem here is this line:

Allowed IP addresses: Website Server 

Maybe you have to use the IP address instead of the name of the instance. The documentation states that an IP address/range must be used. Make the change and post the results.

Alex6Zam