I run the Postfix mail server. I used to run Qmail, which is small, simple, and secure; but it’s also quirky, unmaintained, and arguably not RFC-compliant.

Postfix is modern and well-maintained, and the author, Wietse Venema, tends to write bug-free code. (Or so he says. ;-)

Configuring Postfix is reasonably straightforward, though there are a lot of options. The documentation is good and thorough.

However, I’m not here to laud Postfix or Wietse; I’m here to help solve the problem: how do I send my mail through Gmail’s SMTP server if I’m running Postfix on my machine?

Why would I want to do this in the first place? Why not use my ISP’s SMTP relay? I run Postfix on my laptop (running FreeBSD) and want to be able to send mail from wherever I am. If I’m using Gmail from a browser, there is no problem. But if I want to use mutt or to send mail from the command line (sometimes handy for sending the output of a script) I need the local SMTP daemon – Postfix – to be able to talk to an SMTP server that will be willing to relay mail for me. If I’m in a café, or at a friend’s, my settings will likely be wrong.

Because Gmail’s SMTP servers require authentication (to protect them from abuse by spammers) it’s possible for me to use them from anywhere. In contrast, most ISP’s SMTP servers only allow access from machines with IP addresses on their network. If you’re connected through someone else (at the café, say) you’re locked out.

So, how do we convince Postfix to relay outgoing mail through Gmail? Here’s what I did.

First I had to turn on POP access in my Gmail settings (on the web). This also turns on access (relaying) to their outgoing SMTP servers.

Then I had to make sure my Postfix was built with TLS and SASL support. I think I had to rebuild mine, but I don’t remember how I did it. I was using the FreeBSD ports tree, so I probably set some options in my /etc/make.conf. You’ll have to do it your way.

Once I had an up-to-snuff Postfix, I added the following lines to Postfix’s main.cf file:

  relayhost = [smtp.gmail.com]:587
  smtp_use_tls = yes
  smtp_sasl_auth_enable = yes
  smtp_sasl_password_maps = static:<gmail_username>:<gmail_password>
  smtp_sasl_security_options =

I ran “postfix reload” to get the new settings. I was able to send mail now, but in the log files I saw nasty messages for each mail sent that Postfix was unable to verify Gmail’s SSL certificate:

  Jun 11 15:29:35 stubb postfix/smtp[2098]: certificate verification failed for smtp.gmail.com: num=20:unable to get local issuer certificate
  Jun 11 15:29:35 stubb postfix/smtp[2098]: certificate verification failed for smtp.gmail.com: num=27:certificate not trusted
  Jun 11 15:29:35 stubb postfix/smtp[2098]: certificate verification failed for smtp.gmail.com: num=21:unable to verify the first certificate

It’s easy – but not trivial – to solve this problem. The first thing I did was turn on debugging of TLS so I could see what was going on. In main.cf:

  smtp_tls_loglevel = 1

With this turned on, I saw this:

  Jun 11 15:28:41 stubb postfix/smtp[2080]: Unverified: subject_CN=smtp.gmail.com, issuer=Thawte Premium Server CA

Aha! Now to find that Thawte cert...

I was able to download the Thawte root certificates by filling out their form that says I won’t somehow misuse the certs. Whatever. I got the file “thawte-roots.zip”, unzipped it, and copied the file

 Thawte Server Roots/ThawtePremiumServerCA.txt

to my Postfix configuration directory. Then I added

  smtp_tls_CAfile = <postfix>/ThawtePremiumServerCA.txt

to main.cf, and ran “postfix reload”. No more worrying error messages.