Configure sendmail to work with Gmail smtp relay

Ok this one was really a thinker. I spent at least 5 hours to get this to work and finally I was able to use Sendmail to relay through my Gmail account.

A little background:

I have a Linux VPS with CentOS installed. The only email MTA is the default Sendmail. Everything else is pretty much the standard CentOS 4 installation. I don’t intend to use this box as a mail server or any other type of email processor. What I was trying to do is to add some basic capability to send out email from the box using my existing email accounts hosted in Gmail. And I didn’t want to install any additional software such as Postfix for this.

That being said, let me continue to take you down the path that I have gone through, without the stumbling blocks.

My approach was basically: problem -> Google for solutions -> trouble shoot -> Google again. So I found a lot of useful content on the web during the process.

1. Check sendmail

Since gmail uses TLS, you will need to make sure your sendmail is compiled with TLS (for encryption) and SASL (for authentication). This is the command to use to check it:

/usr/sbin/sendmail -d0.1 -bv root

In my case, sendmail does have the necessary compilation flags so I was good. If yours doesn’t, you’ll need to re-compile sendmail and update the binary that is used to start the sendmail service, which is not covered here.

2. Upgrading Cyrus SASL

If your SASL installation doesn’t have the “plain” and “login” lib you will have authentication problem with Gmail. You can see why when you get to the sendmail configuration in the later steps. The common error in the /var/log/maillog is this:

AUTH=client, available mechanisms do not fulfill requirements

It was a vague error and I was so frustrated with it at one point I was ready to give up. However, this article about setting up Postfix with Gmail casted some light and helped me figured out the cause.

The problem is that SASL doesn’t have all the necessary plugins. The “login” and “plain” are the plugins necessary to talk to Gmail smtp. So I had to upgrade SASL to fix the problem. Here is what I did:

$ wget http://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.21.tar.gz
$ tar -xzf cyrus-sasl-2.1.21.tar.gz
$ cd cyrus-sasl-2.1.21
$ ./configure
$ make
$ make install

$ mv /usr/lib/sasl2 /usr/lib/sasl2.orig
$ ln -s /usr/local/lib/sasl2 /usr/lib/sasl2

Note: if you have issue installing Cyrus SASL around compiling digestmd5.c, it’s because your compiler is too new. Read here to find out how to patch it.

Since I just switched out the old sasl2 lib without recompiling sendmail, I was concerned sendmail would poop during runtime. Luckily that didn’t happen. Dynamic lib rocks!

3. Generate SSL certificate

I made a directory called certs under /etc/mail. Here are the commands that I used to generate the SSL certificates.

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650

Notice I made the certificates good for almost 10 years. I didn’t needed the cacert.pem to be exact.

I also copied /usr/share/ssl/ca-bundle.crt to /ect/mail/certs and included it in the sendmail configuration file. Other wise you’ll see some error like this:

unable to get local issuer certificate

The reason is that the ca bundle file has the Gmail certificate issuer. Although I read it somewhere that email still goes out with this error. Nonetheless, we don’t need to see this if we can fix it.

4. Configure sendmail

With the preparations above we are ready to configure sendmail. I found this tutorial very useful in terms of getting the correct sendmail configurations.

In summary, I have the /etc/mail/auth/client-info looks like this:

AuthInfo:smtp.gmail.com “U:root” “I:username@gmail.com” “P:password” “M:PLAIN”
AuthInfo:smtp.gmail.com:587 “U:root” “I:username@gmail.com” “P:password” “M:PLAIN”

If you use Gmail hosted email with your own domain name, you will have username@hostname.tld in there.

Make sure run:

$ makemap -r hash client-info.db < client-info

and chmod 600 on client info files.

Essential lines in my sendmail.mc

FEATURE(`authinfo’,`hash /etc/mail/auth/client-info.db’)dnl
define(`SMART_HOST’,`smtp.gmail.com’)dnl
define(`RELAY_MAILER_ARGS’, `TCP $h 587′)
define(`ESMTP_MAILER_ARGS’, `TCP $h 587′)

define(`CERT_DIR’, `/etc/mail/certs’)
define(`confCACERT_PATH’, `CERT_DIR’)
define(`confCACERT’, `CERT_DIR/ca-bundle.crt’)
define(`confCRL’, `CERT_DIR/ca-bundle.crt’)
define(`confSERVER_CERT’, `CERT_DIR/sendmail.pem’)
define(`confSERVER_KEY’, `CERT_DIR/sendmail.pem’)
define(`confCLIENT_CERT’, `CERT_DIR/sendmail.pem’)
define(`confCLIENT_KEY’, `CERT_DIR/sendmail.pem’)

define(`confAUTH_MECHANISMS’, `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)

NOTE: Be aware that smart-quotes used in the code examples will not be recognised if pasted into your files! Ensure replacing smart-quotes by regular quotes (see comments below for further detail). – thanks Johnny for the suggestion.

The certificate files are generated/copied from the previous step. I’m no sendmail expert so the configuration lines may not be perfect. But it works. Let me know if you have better settings.

One tip I found very useful is to use the debugging feature. You can set a high log level in the sendmail.mc to see at which step sendmail choked and for what reason.

Also, make sure run “make” or m4 every time you touch the sendmail.mc.

m4 sendmail.mc > sendmail.cf

So that’s pretty much it. I restart the sendmail service and out goes my email.

UPDATE:

Recently I installed Sendmail on a brand new VPS and had hard time get the authentication working. It turned out saslauthd was not running. So a note for new system is to make sure saslauthd has to be up and running (better use chkconfig to make sure it starts up at run level 3) in order to get Sendmail authentication working. This may help resolve some issues in the comments.

This entry was posted in server setup. Bookmark the permalink.

56 Responses to Configure sendmail to work with Gmail smtp relay

  1. mav3 says:

    hi folks,

    iam getting this error, any idea?

    m4:sendmail.mc:176: Warning: excess arguments to builtin `define’ ignored
    m4:sendmail.mc:176: cannot open `/usr/share/sendmail-cf/feature/’authinfo’.m4′: No such file or directory
    *** ERROR: MAILER(smtp) already included

    My config

    FEATURE(‘authinfo’,’hash /etc/mail/client-info.db’)dnl
    define(‘SMART_HOST’,’smtp.gmail.com’)dnl
    define(‘RELAY_MAILER_ARGS’, ‘TCP $h 587?)
    define(‘ESMTP_MAILER_ARGS’, ‘TCP $h 587?)
    define(‘CERT_DIR’, ‘/etc/mail/certs’)
    define(‘confCACERT_PATH’, ‘CERT_DIR’)
    define(‘confCACERT’, ‘CERT_DIR/ca-bundle.crt’)
    define(‘confCRL’, ‘CERT_DIR/ca-bundle.crt’)
    define(‘confSERVER_CERT’, ‘CERT_DIR/sendmail.pem’)
    define(‘confSERVER_KEY’, ‘CERT_DIR/sendmail.pem’)
    define(‘confCLIENT_CERT’, ‘CERT_DIR/sendmail.pem’)
    define(‘confCLIENT_KEY’, ‘CERT_DIR/sendmail.pem’)
    define(‘confAUTH_MECHANISMS’, ‘EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)
    TRUST_AUTH_MECH(‘EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN’)

  2. Pingback: Gmail SMTP? sendmail ???? ???? « Help Work

  3. Pingback: Setup sendmail (notifications) for GMAIL SMTP « darryn van tonder

  4. Marco says:

    Thank you, thank you, thank you for your tutorial. I have discovered another caveat though.

    If you are using a *brand new* Gmail account you may get the following error in /var/log/maillog:

    relay=smtp.gmail.com, dsn=5.0.0, stat=Service unavailable

    One cause for this error is that you have to log-in at least once into your Gmail account from your browser! This is due to the fact that Google needs you to accept the terms of service.

    After spending half a day tweaking my sendmail configuration I finally bothered to read a “Delivery Status Notification” that bounced back and it was right there in front of my eyes:

    —– Transcript of session follows —–
    … while talking to smtp.gmail.com:
    >>> AUTH dialogue
    <<< 535-5.7.1 Please log in with your web browser and then try again. Learn more
    at
    <<< 535 5.7.1 https://mail.google.com/support/bin/answer.py?answer=78754 cv10sm1
    20709067igc.0

    It never hurts to double check every part of your system!

  5. Thanks-a-mundo for the post.Really thank you! Wonderful.

  6. Sameer says:

    Hello. I need your help to get this working.I have followed this guide. I am struck here. I am unable to figure it out. Thanks in advance.
    # sendmail -v user@gmail.com
    test mail
    .
    user@gmail.com… Connecting to [127.0.0.1] via relay…
    220 mailserver ESMTP Sendmail 8.14.4/8.14.4/Debian-2ubuntu1; Thu, 9 Feb 2012 23:35:34 +0530; (No UCE/UBE) logging access from: domain.com(OK)-domain.com [127.0.0.1]
    >>> EHLO domain.com
    250-mailserver Hello domain.com [127.0.0.1], pleased to meet you
    250-ENHANCEDSTATUSCODES
    250-PIPELINING
    250-EXPN
    250-VERB
    250-8BITMIME
    250-SIZE
    250-DSN
    250-ETRN
    250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
    250-DELIVERBY
    250 HELP
    >>> VERB
    250 2.0.0 Verbose mode
    >>> MAIL From: SIZE=7 AUTH=root@domain.com
    250 2.1.0 … Sender ok
    >>> RCPT To:
    >>> DATA
    250 2.1.5 … Recipient ok
    354 Enter mail, end with “.” on a line by itself
    >>> .
    050 … Connecting to smtp.gmail.com via relay…
    050 220 mx.google.com ESMTP r9sm5865836pbi.6
    050 >>> EHLO mailserver
    050 250-mx.google.com at your service, [144.16.79.25]
    050 250-SIZE 35882577
    050 250-8BITMIME
    050 250-STARTTLS
    050 250 ENHANCEDSTATUSCODES
    050 >>> STARTTLS
    050 220 2.0.0 Ready to start TLS
    050 >>> EHLO mailserver
    050 250-mx.google.com at your service, [144.16.79.25]
    050 250-SIZE 35882577
    050 250-8BITMIME
    050 250-AUTH LOGIN PLAIN XOAUTH
    050 250 ENHANCEDSTATUSCODES
    050 >>> MAIL From: SIZE=285 AUTH=
    050 530-5.5.1 Authentication Required. Learn more at
    050 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 r9sm5865836pbi.6
    050 … Using cached ESMTP connection to smtp.gmail.com via relay…
    050 >>> RSET
    050 250 2.1.5 Flushed r9sm5865836pbi.6
    050 >>> MAIL From:
    050 530-5.5.1 Authentication Required. Learn more at
    050 530 5.5.1 http://support.google.com/mail/bin/answer.py?answer=14257 r9sm5865836pbi.6
    050 MAILER-DAEMON… aliased to postmaster
    050 postmaster… aliased to root
    050 postmaster… aliased to root
    050 root… Connecting to local…
    050 root… Deferred: local mailer (/usr/sbin/sensible-mda) exited with EX_TEMPFAIL
    250 2.0.0 q19I5Y90018775 Message accepted for delivery
    user@gmail.com… Sent (q19I5Y90018775 Message accepted for delivery)
    Closing connection to [127.0.0.1]
    >>> QUIT
    221 2.0.0 mailserver closing connection

Comments are closed.