Here's how I configured Postfix to relay mail from firstname.lastname@example.org through
smtp-relay.gmail.com:587 using the credentials set up for email@example.com
on Google Apps.
There are three parts to this: making Postfix relay mail based on the
sender address, teaching it to authenticate to gmail, and configuring
gmail to accept the relayed mail.
I created /etc/postfix/relay_hosts with the following contents:
Then I ran «postmap /etc/postfix/relay_hosts» and set
(Postfix was already configured to send outgoing mail directly, so mail
from any senders not listed in this map would be handled as before.)
SMTP SASL authentication
I created /etc/postfix/sasl_passwords (mode 0600) with the following
Update, 2020: Google now offers a facility to generate
for your account. You should generate and use a unique app password in
the file above, instead of using your main Google account password.
Then I ran «postmap /etc/postfix/sasl_passwords» and added the following
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
That enables SMTP AUTH in the Postfix SMTP client and tells Postfix
where to look up the username and password for a domain.
Gmail will accept SMTP AUTH only in a TLS session, so
TLS client support
must be configured in Postfix (which means setting
to "may"). But even once that's done, gmail advertises only the
following authentication mechanisms:
250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
I didn't want to worry about OAUTH, so I was left with PLAIN was the
only reasonable choice. Postfix will not use plaintext authentication
mechanisms by default, so I also had to remove "noplaintext" from the
default value for
As an additional precaution, I also set
to change the default TLS policy from "may" to "encrypt" for
When I tried to send mail through the relay, Postfix wasn't able to
SASL authentication failure: No worthy mechs found
SASL authentication failed; cannot authenticate to server smtp-relay.gmail.com[126.96.36.199]: no mechanism available
Google considers password authentication to be “less secure”, and you
must explicitly allow it on the
less secure apps settings page.
but I took the path of least resistance here. (You may not need to
enable this if you use an
to authenticate, as suggested above.)
I did that and tried again, only for mail to bounce with this error:
Invalid credentials for relay [188.8.131.52]. The IP address you've
registered in your G Suite SMTP Relay service doesn't match domain of
the account this email is being sent from. If you are trying to relay
mail from a domain that isn't registered under your G Suite account
or has empty envelope-from, you must configure your mail server
either to use SMTP AUTH to identify the sending domain or to present
one of your domain names in the HELO or EHLO command. For more
information, please visit https://support.google.com/a/answer/6140680#invalidcred
This message is misleading, as I found out by using openssl's s_client
to establish a TLS session and then authenticating by hand. SMTP AUTH
succeeded, but MAIL FROM was subsequently rejected.
I followed the
link in the message,
which led me to the
SMTP relay service
The Google Apps admin console doesn't use sensible URLs, but I followed
the breadcrumb trail to an “Advanced settings” page where I was able to
edit the SMTP relay service settings to set “Allowed senders” to “Only
addresses in my domains”, as well as to “Require SMTP authentication”
and “Require TLS encryption”. Remember to “Save” the changes.
The error I got was because the “Only accept mail from specified IP
addresses” option was checked for this particular domain. I could have
added the IP address of my server to the list, but SMTP authentication
was what was I wanted to use anyway.