# [Solved] Allow Postfix to send email to Gmail

## solamour

When I send an email from my gentoo box to my Gmail account, I get the following error message.

```
Sep  3 13:45:51 gentoo postfix/smtp[31886]: 8E2871E0798: to=<MY_GOOGLE_ID@gmail.com>, relay=alt1.gmail-smtp-in.l.google.com[209.85.200.26]:25, delay=11, delays=0.25/0.01/5.7/5.2, dsn=4.7.0, status=deferred (host alt1.gmail-smtp-in.l.google.com[209.85.200.26] said: 421-4.7.0 This message does not have authentication information or fails to pass 421-4.7.0 authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked. Please visit 421-4.7.0 https://support.google.com/mail/answer/81126#authentication for more 421 4.7.0 information. b79-v6si8427017itb.103 - gsmtp (in reply to end of DATA command))
```

Google doesn't want any random person off the street to send email to their users, so I guess I need to somehow prove I am indeed who I say I am. I couldn't quite understand what I was supposed to do even after reading the instructions multiple times.

My gentoo box gets its dynamic IP from the internet service provider, and I use https://www.noip.com/ to map the dynamic IP to something easier to remember.

Not sure if it's relevant or not, but I can send email from my Gmail account to my gentoo box. And if I reply, the mail does get delivered to Gmail; it's just the new email from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions.

__

sol

Last edited by solamour on Wed Sep 05, 2018 6:34 am; edited 1 time in total

----------

## Jaglover

Use your ISP mail server as a relay.

----------

## solamour

 *Jaglover wrote:*   

> Use your ISP mail server as a relay.

 

That was exactly what I've been doing, because it was the least complicated method. But then, the ISP changed the policy and asked $5/month for the email service. Being the cheapskate that I am, I didn't take the offer.

__

sol

Last edited by solamour on Tue Sep 04, 2018 1:11 am; edited 1 time in total

----------

## Jaglover

Well, I'm guessing they won't set up a reverse MX record for you, either.

----------

## khayyam

solamour ...

what are you using as the MTA on "gentoo box"? It's trivial to have the MTA authenticate with the relay via SASL. With postfix you would use 'sender_dependent_relayhost_maps', 'smtp_sasl_auth_enable', 'smtp_tls_policy_maps', and 'smtp_sasl_password_maps'. So, for example:

```
# /etc/postfix/main.cf
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_host
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_use_tls = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = /etc/ssl/certs
```

```
# /etc/postfix/tls_policy (keys must match the relay_host next-hop verbatim, brackets and port included)
[mail.foo.org]:587 encrypt
[smtp.gmail.com]:587 encrypt
```

```
# /etc/postfix/saslpass
solamour@foo.org solamour@foo.org:password123
solamour@gmail.com solamour@gmail.com:password123
```

```
# /etc/postfix/relay_host
solamour@foo.org [mail.foo.org]:587
solamour@gmail.com [smtp.gmail.com]:587
```

If your mail client is sending mail from solamour@foo.org it will be relayed to mail.foo.org, if solamour@gmail.com it will be relayed via mail.google.com ... both of which will authenticate via SASL.

EDIT: corrected tls_policy attribution.

HTH & best ... khay

Last edited by khayyam on Tue Sep 04, 2018 9:37 pm; edited 1 time in total

----------
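A consistency check for the three lookup tables in khayyam's post above, added here as an illustration (it is not code from the thread or from Postfix); the tables are constructed samples using the post's hostnames, and `parse_map`, `audit` and the `TLS_POLICY_*` names are made up for the example. Postfix looks up `smtp_tls_policy_maps` by the next-hop exactly as written, so a key without the square brackets never matches and the session falls back to the `main.cf` TLS default.

```python
# Constructed sample tables; hostnames follow the post, the password is a placeholder.
RELAY_HOST = """
solamour@foo.org    [mail.foo.org]:587
solamour@gmail.com  [smtp.gmail.com]:587
"""
SASLPASS = """
solamour@foo.org    solamour@foo.org:PLACEHOLDER
solamour@gmail.com  solamour@gmail.com:PLACEHOLDER
"""
TLS_POLICY_UNBRACKETED = """
mail.foo.org:587    encrypt
smtp.gmail.com:587  encrypt
"""
TLS_POLICY_VERBATIM = """
[mail.foo.org]:587    encrypt
[smtp.gmail.com]:587  encrypt
"""

# TLS policy levels that refuse delivery when TLS cannot be negotiated.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_map(text):
    """Parse the 'key value' source of a hash: table, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0]] = parts[1].strip()
    return table

def audit(relay_text, tls_text, sasl_text):
    """Return one finding per gap between relay_host, tls_policy and saslpass."""
    relays, tls, sasl = (parse_map(t) for t in (relay_text, tls_text, sasl_text))
    findings = []
    for sender, nexthop in relays.items():
        # tls_policy is searched with the next-hop as written, brackets and port included.
        level = tls.get(nexthop, "").split()[:1]
        if not level or level[0] not in MANDATORY:
            findings.append(f"TLS: {sender} -> {nexthop} has no mandatory-TLS policy entry")
        # With smtp_sender_dependent_authentication the sender is tried first, then the next-hop.
        if sender not in sasl and nexthop not in sasl:
            findings.append(f"SASL: {sender} -> {nexthop} has no credential")
    return findings

if __name__ == "__main__":
    for policy in (TLS_POLICY_UNBRACKETED, TLS_POLICY_VERBATIM):
        print(audit(RELAY_HOST, policy, SASLPASS) or "consistent")
```
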

## szatox

Sending mail from my postfix to google "Just works" ™

Something tells me you're doing something nasty there, like spoofing sender's address. You can't just use random MTAs as relays anymore, administrators already know that spammers will abuse open relays, and developers hard-code "sane defaults" that will block all email unless one of the below is the case:

- The message comes from a foreign domain and is addressed to a domain served by this MTA (AKA receiving email).

- User is authenticated and owns FROM address (AKA sending email).

- Email comes from an otherwise trusted source / whitelisted IP (Mail relay)

If none of those applies, any reasonably configured email server will reject that message to limit the amount of spam.

This message:

 *Quote:*   

>  This message does not have authentication information

 

screams DON'T SEND EMAIL FROM A DOMAIN OWNED BY _ME_

Bonus point: email servers tend to check if sender's IP address matches sender's domain, and often reject mail unless sender's domain's DNS server confirms you're allowed to send that mail.

----------

## Marlo

 *solamour wrote:*   

> ... it's just the new email from my gentoo box that are not delivered to Gmail. I'd appreciate any suggestions.

 

Your mail client is considered unsafe by Gmail. Your normal password will not be accepted.

You'll need to get an App password from Gmail. --> https://support.google.com/mail/answer/185833?hl=en

greetings

Ma.

----------

## solamour

 *khayyam wrote:*   

> ```
> mail.foo.org:587 encrypt
> ...
> ```

 

That must be copy/paste gone awry, no?

__

sol

----------

## khayyam

 *khayyam wrote:*   

> ```
> mail.foo.org:587 encrypt
> ...
> ```

 

 *solamour wrote:*   

> That must be copy/paste gone awry, no?

 

solamour ... a typo, the first should be '/etc/postfix/tls_policy' (corrected above).

best ... khay

----------

## solamour

After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account. It most likely is a smart idea to enable Google's 2-Step Verification and use the App Password (which will be used by Postfix only), but that didn't seem necessary. Or I already tried once, so perhaps Google knew my gentoo box and didn't ask again.

Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me.

I also found out that https://www.noip.com/ does provide SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), so I could have avoided all this trouble, but those are for the paying customers only. It might be well worth it for some people, but it's certainly way beyond what I need.

I ended up with the free service from https://sendgrid.com/. No particular reason other than their ample documentation and videos.

```
[/etc/postfix/main.cf]
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/saslpass
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
header_size_limit = 4096000
relayhost = [smtp.sendgrid.net]:465

[/etc/postfix/saslpass]
[smtp.sendgrid.net]:465 apikey:MY_SENDGRID_API_KEY
```

Thank you everyone for taking time to share your suggestions. Much appreciated.

__

sol

----------

## khayyam

 *solamour wrote:*   

> After much mucking around, I was able to configure Postfix to use Google's SMTP server to send the email from my gentoo box to my Gmail account.[...] Anyhow, that's all good, except that when I send email from the gentoo box to my Gmail account, "from:" field is always my Gmail account (and "bcc:" is also my Gmail account). This shouldn't be a problem for most people, but I do need to set "from:" to my gentoo box. Well, I'm using Google's SMTP server, so technically, "from:" is indeed my Gmail account, but all mails from my gentoo box showing up as from "me" just doesn't suit me.

 

solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood.

best ... khay

----------

## solamour

 *khayyam wrote:*   

> solamour ... what do you mean by "from my gentoo box to my Gmail account"? No authentication is required for this, anyone should be able to send email to your gmail account without authenticating. What (I thought) we're dealing with here is relaying via mail.google.com ... and so have the mail come from that account, mail server, etc. That is what the above relay_map is effectively doing, if the mail is from your gmail account then it is relayed via mail.google.com, otherwise not. Anyhow, it looks like all you need is to relay all mail, so it looks like I misunderstood.

 

I just re-read what I wrote, and I can certainly see I could have worded differently to avoid confusion.

It's true that everyone should be able to send email to my Gmail account without authentication, and that should include the email from my gentoo box. But when I tried sending email from my gentoo box (with no relaying whatsoever), I received the following error message.

```
This message does not have authentication information or fails to pass 421-4.7.0
authentication checks. To best protect our users from spam, the 421-4.7.0 message has been blocked.
```

It looks like Gmail is trying to filter out spam, so it allows emails from only verified (or at least, verifiable) sources. My gentoo box gets its dynamic IP from the ISP, so it might not be considered legit unless I configure SPF or DKIM.

The way I got around it up to recently was to use my ISP's SMTP, but then the ISP started asking for additional charges, so my search began. Using Gmail's SMTP did work, but all the mails from my gentoo box were marked as "from: solamour@gmail.com". When I switched to a different SMTP provider, all looked well.

Anyhow, I learned a few things that I didn't know before, and I thank everyone for taking time to respond.

__

sol

Last edited by solamour on Wed Sep 05, 2018 9:03 pm; edited 1 time in total

----------

## szatox

If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?

Why not send them directly to the recipient's email server?

----------

## solamour

 *szatox wrote:*   

> If you don't want your email to come from your gmail address, why do you even bother to send those emails via gmail's MTA?
> 
> Why not send them directly to the recipient's email server?

 

I do want to send email from me@my-dynamic-ip.net to solamour@gmail.com. If I send it directly, Gmail doesn't accept it. If I use Gmail's SMTP, the mail is "from: solamour@gmail.com" instead of "from: me@my-dynamic-ip.net". I'd still consider Gmail's SMTP option if I can somehow make the mail "from: me@my-dynamic-ip.net".

__

sol

Last edited by solamour on Wed Sep 05, 2018 11:15 pm; edited 1 time in total

----------

## Ant P.

You might want to consider switching dyndns providers to freedns.afraid.org, which lets you use SPF for free (it's a single TXT record, charging for that is pure profiteering).

----------

## szatox

Considering you have a dynamic IP, SPF is not the best idea.

However, you can still use DKIM (also a TXT record in DNS) and you can check your PTR after connecting to the internet and set the result as MTA's hostname.

Many servers check if your reverse DNS matches your machine name, and many servers will accept email if either SPF or DKIM check succeeds.

Obviously, the best way would be to get a cheap VPS with a static IP and a way to define PTR by yourself. I wouldn't be surprised if dynamic IP pools were simply banned due to (possibly) common abuse by malware running on millions of windows machines, routers and even fridges and smart TVs.

Logging in to your account negates that ban -> you use account's reputation instead of IP reputation at this point.

----------
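What a changing address does to an SPF record, the point the last two posts disagree on, as an added example that is not from any poster: a small evaluator for the `ip4`, `ip6`, `a` and `all` mechanisms (a subset of RFC 7208). The domain `gentoo.example.net`, the documentation-range addresses and the `a_records` dictionary standing in for DNS are all constructed for the example.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, client_ip, domain, a_records):
    """Evaluate the ip4, ip6, a and all mechanisms of an SPF record.

    A subset of RFC 7208; a_records (hostname -> addresses) stands in for DNS.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "a":
            addrs = a_records.get(arg or domain, [])
            matched = any(ip == ipaddress.ip_address(a) for a in addrs)
        else:
            continue  # mx, include, exists and modifiers are not modelled here
        if matched:
            return RESULT[qualifier]
    return "neutral"

def lease_change():
    """Constructed scenario: the ISP moves the host from the old to the new address."""
    domain, old, new = "gentoo.example.net", "203.0.113.7", "203.0.113.99"
    pinned, via_a = f"v=spf1 ip4:{old} -all", "v=spf1 a -all"
    return {
        "pinned, old lease": check_spf(pinned, old, domain, {}),
        "pinned, new lease": check_spf(pinned, new, domain, {}),
        "a, DNS not yet updated": check_spf(via_a, new, domain, {domain: [old]}),
        "a, DNS updated": check_spf(via_a, new, domain, {domain: [new]}),
    }

if __name__ == "__main__":
    for case, result in lease_change().items():
        print(f"{case}: {result}")
```

A `pass` here covers SPF only; the PTR match and the reputation of the address pool mentioned in the post above are separate checks on the receiving side.
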

