Configure Postfix to use Gmail as a Mail Relay

If you have a Gmail account, you can configure your MTA to relay outgoing mail through Gmail. This gives you the benefit of Gmail's reliability and robust infrastructure, and provides you with a simple means of sending email from the command line.

In this tutorial, we will use Postfix as our MTA. Postfix is a free, open-source, actively maintained, and highly secure mail transfer agent.

At each step, we'll cover instructions specific to the following operating systems:

  • Debian 9
  • Ubuntu 18.04 LTS
  • CentOS 7
  • OpenSUSE Leap 15.0
  • Arch Linux 2019.03.01
  • FreeBSD 12.0

We will also install mailutils/mailx so that we can send a test email. Where necessary, we will install supplemental SASL libraries.

All commands beginning with # require root privileges.

1. Install Required Software

Debian, Ubuntu:

apt-get update && apt-get install postfix mailutils

When prompted for "General type of mail configuration," choose Internet Site.

When prompted for a "Mail name," choose a hostname to be used in mail headers as the origin of your emails. A fully-qualified domain name is preferred, but using your machine's simple hostname is OK. Regardless of what you enter here, your return address will appear to recipients as your Gmail address.

You may be prompted to set the "Root and postmaster mail recipient." Enter root, or another user who should receive mail subsystem notifications.

For any other prompts, you can choose the default values.

Fedora:

dnf update && dnf install postfix mailx

CentOS:

yum update && yum install postfix mailx cyrus-sasl cyrus-sasl-plain

OpenSUSE:

zypper update && zypper install postfix mailx cyrus-sasl

Arch Linux:

pacman -Sy postfix mailutils

FreeBSD:

Compile Postfix from the ports collection to incorporate support for SASL:

portsnap fetch extract update
cd /usr/ports/mail/postfix
make config

In the configuration dialogs, select SASL support. All other options can remain the same. Then:

make install clean

Mailx can be installed from the binary package:

pkg install mailx

2. Configure Gmail Authentication

Create or modify a password file which will be used by Postfix to establish authentication with Gmail. In the authentication information below, replace username with your Gmail username and password with your Gmail password. If you are using a custom Gmail Apps domain name, you may replace gmail.com with your Google Apps domain.

The password file will reside in the Postfix configuration directory. The file can be named whatever you like, but the recommended filename is sasl_passwd.

Debian, Ubuntu, Fedora, CentOS, OpenSUSE, Arch Linux:

Postfix configuration files reside in the directory /etc/postfix. Create or edit the password file:

nano /etc/postfix/sasl_passwd

Add the line:

[smtp.gmail.com]:587    [email protected]:password

Save and close the file. Your Gmail password is stored as plaintext, so make the file accessible only by root:

chmod 600 /etc/postfix/sasl_passwd

FreeBSD:

Postfix configuration files reside in the directory /usr/local/etc/postfix. Create or edit the password file:

nano /usr/local/etc/postfix/sasl_passwd

Add the line:

[smtp.gmail.com]:587    [email protected]:password

Save and close the file. Make it accessible only by root:

chmod 600 /usr/local/etc/postfix/sasl_passwd

3. Configure Postfix

There are six parameters which must be set in the Postfix configuration file main.cf. The parameters are:

relayhost, which specifies the mail relay host and port number. The host name will be enclosed in brackets to specify that no MX lookup is required.

smtp_use_tls, which enables (or disables) transport layer security.

smtp_sasl_auth_enable, which enables (or disables) SASL authentication.

smtp_sasl_security_options, which in the following configuration will be set to empty, to ensure that no Gmail-incompatible security options are used.

smtp_sasl_password_maps, which specifies the password file to use. This file will be compiled and hashed by postmap in a later step.

smtp_tls_CAfile, which specifies the list of certificate authorities to use when verifying server identity.

Debian, Ubuntu, Arch Linux:

Edit the main Postfix configuration file:

nano /etc/postfix/main.cf

Add or modify the following values:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Save and close the file.

Fedora, CentOS:

Edit the main Postfix configuration file:

nano /etc/postfix/main.cf

Add or modify the following values:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

Save and close the file.

OpenSUSE:

Edit the main Postfix configuration file:

nano /etc/postfix/main.cf

Add or modify the following values:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/ca-bundle.pem

Save and close the file.

OpenSUSE also requires that the Postfix master process configuration file master.cf be modified. Open it for editing:

nano /etc/postfix/master.cf

Locate the line which reads:

#tlsmgr unix - - n 1000? 1 tlsmg

Uncomment it, so it reads:

tlsmgr unix - - n 1000? 1 tlsmg

Save and close the file.

FreeBSD:

Edit the main Postfix configuration file:

nano /usr/local/etc/postfix/main.cf

Add or modify the following values:

relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/mail/certs/cacert.pem

Save and close the file.

4. Process Password File

Use postmap to compile and hash the contents of sasl_passwd. The results will be stored in your Postfix configuration directory in the file sasl_passwd.db.

Debian, Ubuntu, Fedora, CentOS, OpenSUSE, Arch Linux:

postmap /etc/postfix/sasl_passwd

FreeBSD:

postmap /usr/local/etc/postfix/sasl_passwd

5. Restart Postfix

Restart the Postfix service, putting your changes into effect.

Debian, Ubuntu, Fedora, CentOS, OpenSUSE, Arch Linux:

systemctl restart postfix.service

FreeBSD:

To start the Postfix service for this session only:

service postfix onestart

To start Postfix automatically when the system initializes, open /etc/rc.conf for editing:

nano /etc/rc.conf

Add the line:

postfix_enable=YES

Save and close the file. You may then run:

service postfix start

To start Postfix.

6. Enable "Less Secure Apps" In Gmail

By default, only the most secure sign-ins, such as logging in to Gmail on the web, are allowed for your Gmail account. To permit relay requests, log in to your Gmail account and turn on Allow less secure apps.

For more information, review the Google Support document "Allowing less secure apps to access your account."

7. Send A Test Email

Test your new configuration by sending an email using the mail command. Run:

mail -s "Test subject" [email protected]

You will be presented with a blank line (or a CC: field, which you can bypass by pressing Enter). Type the body of your message, pressing Enter for new lines. When you are finished composing the email, type CTRL-D to send it. To cancel the email, press CTRL-C twice.

To send a precomposed email, use the command:

mail -s "Subject Here" [email protected] < textfile

Where textfile is the name of a file containing the text to be sent.

Troubleshooting

If it's not working, check the logs for any Postfix errors:

Debian:

less /var/log/mail.log

Ubuntu, Fedora, CentOS, OpenSUSE, Arch Linux:

journalctl

FreeBSD:

less /var/log/maillog

If you receive authentication errors from Gmail, verify that Allow Less Secure Apps is turned on in your Gmail account settings, as specified in Step 6.

Verify that the password file sasl_passwd exists and that its contents are formatted correctly, as specified in Step 2. If you make any changes to the password file, make sure to repeat Steps 4 and 5 to hash the new password file and restart Postfix.

If you see any TLS errors, double check the configuration in main.cf as specified in Step 3. If you make any configuration changes, restart Postfix as specified in Step 5.

Share this page:

Suggested articles

62 Comment(s)

Add comment

Comments

By: sjau
Reply  

I tried this once a while back but I noticed that GMail replaces the sender automagically with the GMail email account you're relaying through. Is this still the case?

By: Karen
Reply  

For Ubuntu 14.04.x, do not use `systemctl restart postfix.service` but:

$ sudo service postfix restart

By: JS
Reply  

Is it possible to setup postfix, if I don't want to use Step 6: Allowing less secure apps to access your account?

By: BW
Reply  

See reply below from Scott Mullen

By: Ronan
Reply  

Thanks - great writeup.

For Debian, I also needed to install libsasl2-modules for it to send the mail out.

apt-get install libsasl2-modules

 

 

By: Vale
Reply  

Following this guide I ontain on Centos 7 server the error message "...remote host said 550 relay through this server without authentication.." and postfix don't send emails.Some helps?

By: melih
Reply  

I've tried on Debian 8, seems okay. Thank you.

By: ustoopia
Reply  

Can I perform these installation instructions after having installed ispconf3 on Ubuntu 16.04 ? Will it break anything important if I do?

I only run the server locally at the moment to test webs so I don't need the email setup, but at the same time I would like to receive important system messages.

By: Tim Ryan
Reply  

Worked like a charm, thank you.

By: Scott Mullen
Reply  

Instead of enabling 'Less Secure Apps" In Gmail you can just use app passwords.  

https://support.google.com/accounts/answer/185833

By: rod
Reply  

Yes, I did this.: )

By: Carlo
Reply  

In Ubuntu, I think heirloom-mailx is better than mailutils, and heirloom-mailx in ubuntu = mailx in CentOS~

Sorry for my language!

By: Alcor
Reply  

Works in ubuntu server 14.10 LTS!!.

Very, very thanks.

By: Lukasz
Reply  

Thanks for this tutorial. It worked (Ubuntu 12.04)!

By: Tony
Reply  

Great tutorial done on Debian Jessie oa Raspberry PI and worked first up

By: newbridgeman
Reply  

Thanks for the tutorial. It was very easy to follow. I got mine working.

By: Jaques Viljoen
Reply  

Thanks very much for the clear and concise instructions :-)

I have tested the Ubuntu version for Raspbian Jessie on a Pi model B running nagios and I was able to get the test e-mail sent.

 

Regards

By: Amit khurchay
Reply  

I did same setting, there is no mail in gmail account.

By: mira
Reply  

Hello I made configuration on centos. Ok, but after I have send first email Gmail blocked my account because of "failure to comply with terms and conditions". Is this somethnig to do with settings or this way can be used anymore ?

By: Robin
Reply  

Hi, Great instructions.  I am on OpenSuse Leap 42.1 and every step in your instructions worked flawlessly.

Many thanks

By: Dan Ziemecki
Reply  

Awesome write-up.  Worked first time through.  Thanks!

By: Amit Khurchay
Reply  

Hi,

I had been installed postfix on my local server, but  dont know how to configure this?  Please help me I am using ubuntu 16.04 lts

 

By: Robert Klebe
Reply  

This article is GOLDEN. It WORKS. So happy. ^^

By: Mahita
Reply  

Awesome article.it saved my day

By: John
Reply  

i got an error saying "Invaild Email Address"

huh? Could it be "-" in email address?

By: Guybrush
Reply  

I had this error to avoid it do the following:# status=bounced (host smtp.gmail.com[74.125.206.109] said: 530 5.7.0 Must issue a STARTTLS command first. m201sm9925851wmd.15vi /etc/postfix/tls_policy# add linesmtp.gmail.com:587 encrypt#then runchown root:root /etc/postfix/tls_policy && chmod 600  /etc/postfix/tls_policypostmap /etc/postfix/tls_policysystemctl restart postfix

By: Mike R
Reply  

Thank you!  Works perfectly once I figured out how to read and solve a small issue :)

I used the wrong paths in the config file the first time (copied the FreeBSD config lines into my Raspbian config so paths were wrong.)  Once i did that, I noticed an error in the postfix log file regarding cert file cannot be found. For my Raspbian jesse, I left out the cert line in the postfix conf file:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Also had to turn on Allow less secure apps in Google.

All worked well after that!

Thanks!

By: Thomas
Reply  

I receive mails on my mailbox (gmail) however when someone try to contact me  the FROM  field instead of

  FROM: NAME + EMAIL SENDER

I have

  FROM: NAME + MY EMAIL

config: only postfix relay via smtp gmail 

Any idea ?

By: Max
Reply  

THANX A LOT! EVERYTHING WORKS WELL!

By: Daniel
Reply  

I have a question: It's known that the Google App service have certain limits per day. Are those limits affected by this method? 

By: David
Reply  

You saved my nec.

May the force be with you !!!

:)

By: Lado
Reply  

postfixt was bouncing outgoing mail saying "Must issue a STARTTLS command first". On https://askubuntu.com/questions/507514/ I found suggestion to use:  "mailsmtp_enforce_tls = yes" in main.cf instead "smtpd_use_tls=yes" as instructed above.

I did that, now it works like a charm.

Thank for great tutorial!

By: Neil
Reply  

Worked for Ubuntu 17.04. It took me F O R E V E R, and one reinstall, but finally got joy. Good luck.

By: shareef
Reply  

Hi,

all sent emails are in mail queue with:

TLS is required, but was not offered by host smtp.gmail.com[74.125.206.108])

 What to do?

 

Thanks and Regards,

By: Joshua S
Reply  

Thank you so very much for this great tutorial.  I got it working on Ubuntu 17.10 Budgie.  I placed the file: sasl_passwd in /etc/postfix/sasl/ instead of /etc/postfix/.  Also, tailing the logs (tail -f /etc/mail.*) was very helpful in helping to diagnose any issues I had.  I made the hostname to the email address username and I had to re-run postfix install a couple of times before I got it working (dpkg-reconfigure postfix). I also set to IPv4 only instead of All during postfix setup.

By: Michael
Reply  

You do not need to do step 6. Step 6. Should be setting an app password then instead of using your regular password in sasl_passwd, you use the app password provided by gmail. Voila it works no need to turn on lesser secured apps choice.

By: Edison
Reply  

Thanks, this really worked for me. In my case allow less secure apps is not an option since I work with very sensitive stuff.

 

By: hajro
Reply  

Thanks, it's the only one working tutorial I've found.

By: Elicia Nesmith
Reply  

I liked your article. Did you know that Google has introduced Gmail Go? Go not only takes up significantly less space on your phone, but uses less data than the standard Gmail app.

By: bamboo092
Reply  

Under Debian 9 stretch, it is mandatory to replace in main.cf addendum "smtp_sasl_security_options =" by

"smtp_sasl_security_options = noanonymous", in order that poxtfix works well with the SMTP of Google.

By: shashi
Reply  

Worked great. Thanks very much.

 

Only downside is it won't send email to itself.. any ideas on a fix for that?

By: Nuno Catarino
Reply  

Opensuse rocks 100%

THX

By: Doug
Reply  

I tried this on a Ubuntu 18.x server... and it worked perfect the first time... Thanks for a clear and accurate writeup. I used 'systemctl restart postfix.service' and it seemed to work on this version of Ubuntu.... 

By: PBSLuvr
Reply  

echo "To echo an earlier compliment: This article is GOLDEN! Thank you." | mail -s "The Joys of Community Support" [email protected]

By: andy
Reply  

I have recently rebuilt my Ubuntu 18.04 server. Previously I had used your instructions to successfully enable the gmail replay but now it fails. I get errors relating to CPAN and as it cannot find the perl script Makefile.PL. Is this issue know and if so are there any solutions?

By: Barry Compton
Reply  

 On Fedora 30 - I was getting (SASL authentication failed; cannot authenticate to server smtp.gmail.com[108.177.8.108]: invalid parameter supplied)

I added smtp_sasl_mechanism_filter = plain  to  /etc/postfix/main.cf   and it is working fine now.

By: Angry Monkey
Reply  

Great article! I signed up so I could post the following feedback in the hopes I save some people some time.

The following took place on a CentOS 7.6.1810 server, kernel 3.10.0-957.21.3, Postfix version postfix-2.10.1-7

Long story short, this article exactly as described was not working. I enabled verbose logging with the following in main.cf

debug_peer_level = 10

Afterwards, I saw the following in /var/log/maillog when sending a test email:

 

connect to smtp.gmail.com[2607:f8b0:400d:c09::6c]:587: Network is unreachable

Jun 23 14:05:59 server postfix/smtp[104589]: 3B54DCD8268C: to=<[email protected]>, relay=none, delay=0.32, delays=0.02/0.04/0.27/0, dsn=4.4.1, status=deferred (connect to smtp.gmail.com[2607:f8b0:400d:c09::6c]:587: Network is unreachable)

Jun 23 14:06:33 server postfix/postfix-script[104637]: stopping the Postfix mail system

I remembered that my ISP still does not offer IPv6 functionality at all. I specified Postfix to use only IPv4 with the following in main.cf

inet_protocols = ipv4

I restarted Postfix and it started working properly.

By: Lalit
Reply  

/etc/ssl/certs/ca-certificates.crt

How this generate, or where it come from???

By: Leandro Alves
Reply  

Thank you very much.

   

By: J
Reply  

I have a two internet connections.Both internet connections use have dynamic IPs.

When I am using the primary internet connection, emails get sent out and work perfectly. When I use the secondary, here is the log (the log is very edited because I dont know if the information is sensible or not)

 

 

Oct 15 14:12:56 hostname postfix/smtp[ ]:  : to=<[email protected]>, relay=smtp.gmail.com[74.125.193.108]:587, delay=1.2, delays=0/0/1.2/0, dsn=4.7.14, status=deferred (SASL authentication failed; server smtp.gmail.com[74.125.193.108] said: 534-5.7.14 > Please?534-5.7.14 log in via your web browser and then try again.?534-5.7.14  Learn more at?534 5.7.14  https://support.google.com/mail/answer/78754 - gsmtp)

 

If I switch back to the primary WAN, it instantly works again.

 

I have checked my firewall as well and it is not a firewall issue.

 

 

By: NelP
Reply  

Would you be able to provide reference links or any books which allowed you to put together this configuration? I am struggling to find comprehensive materials that explain the various options.

 

By: Alex
Reply  

How do I send emails using my Postfix with relay?

By: Don Hirst
Reply  

Google is moving away from application passwords and requiring use of OAuth.  Is there any (hopefully relatively simple) way to revise the process you describe here to use that type of authentication?  Thanks.

By: Parker Johnson
Reply  

I managed to get this working from a centos 8 VM running in azure.

I needed to add the following to main.cf

inet_protocols = ipv4

relayhost = [smtp.gmail.com]:587

smtp_use_tls = yes

smtp_sasl_auth_enable = yes

smtp_sasl_security_options =

smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

 

After that I was getting the "SASL authentication failed" error messages so...Then I followed the step "Generate an app Password for Postfix" here (I didn't follow any of the other steps): https://www.linode.com/docs/email/email-services/configure-postfix-to-send-mail-using-gmail-and-google-apps-on-debian-or-ubuntu/#generate-an-app-password-for-postfix

 

Then I put the app password in /etc/postfix/sasl_passwd like so:

[smtp.gmail.com]:587 <username>@gmail.com:xxxxxxxxxxxxxxxx   (where x is your 16 char app password)

postmap /etc/postfix/sasl_passwd

systemctl restart postfix.service

 

By: Aravinda
Reply  

Great... Worked for me (Fedora OS). Finally got a working solution out of hundreds of web resources. Thank you author for sharing this valuble information.

By: khaled
Reply  

thank u so much <3 <3 <3

By: hassan
Reply  

Feb 28 16:50:18 hassan postfix/master[46992]: warning: process /usr/lib/postfix/sbin/tlsmg pid 47017 exit status 1Feb 28 16:50:18 hassan postfix/master[46992]: warning: /usr/lib/postfix/sbin/tlsmg: bad command startup -- throttlingFeb 28 16:50:57 hassan postfix/master[46992]: warning: unix_trigger_event: read timeout for service private/tlsmgrFeb 28 16:51:18 hassan master[47029]: fatal: master_spawn: exec /usr/lib/postfix/sbin/tlsmg: No such file or directoryFeb 28 16:51:19 hassan postfix/master[46992]: warning: process /usr/lib/postfix/sbin/tlsmg pid 47029 exit status 1Feb 28 16:51:19 hassan postfix/master[46992]: warning: /usr/lib/postfix/sbin/tlsmg: bad command startup -- throttling

By: Wimpers
Reply  

Works!

I did however needed to change smtp_tls_CAfile to /etc/ssl/certs/ca-certificates.crt

And it seems to work with the password and the 16 digit code you can generate.

By: yogo
Reply  

hi, 

i got error like below

localhost postfix/smtp[4330]: connect to smtp.gmail.com[142.251.10.108]:587: Connection timed out

any suggest

 

By: JVB
Reply  

Great directions.  I had a clean rasbian install and I had to add one things to make it work.  And since Goggle is not going to allow lower account security as of 5/22 so I'll reiterate what another poster wrote.

Rather than putting in your google account password in step 2, create an App password as outlined here and put that in as the password instead

https://support.google.com/accounts/answer/185833

Then you can ingore step 6

After step 5, do the following

sudo apt-get install libsasl2-modules

After this works perfectly for me on raspbian!

 

By: ElLocoRando
Reply  

Just wanted to mention - now that less secure apps are disabled, you have to go to account.google.com, enable 2-factor authentication, and create "App passwords". Use that password as your password in the sasl_password file.

By: Tom Green
Reply  

Sjau asked a question regarding rewriting the from: header to the gmail address instead of the originating mail address.  I have noticed that this is currently happening (12/27/22).  I haven't found any articles to fix this.  Has anyone come up with a solution?