Score:0

How to set up a Postfix relay server for Google Workspace (Gmail)?

al flag

There is a need to set up a relay server for the company's corporate mail. The need arose because some Google IPs are present on spam blocklists, which sometimes leads to messages ending up in spam. What exactly is needed? I want Gmail to send all outgoing mail through this relay server. However, I did not find any option in the Google Workspace control panel to specify credentials for authenticating to the server, only the host and port. Relaying must be limited to messages sent from the corporate domain. Please tell me how this can be done.

There is a VPS (Ubuntu 22.04) on Hetzner with Postfix (v3.6.4) running.

main.cf config:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version
# Debian specific: Specifying a file name will cause the first
# line of that file to be used as the name. The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
# appending .domain is the MUA's job.
append_dot_mydomain = no
# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h
readme_directory = no
# See www.postfix.org/COMPATIBILITY_README.html -- default to 3.6 on
# fresh installs.
compatibility_level = 3.6
# TLS parameters
smtpd_tls_cert_file=/etc/letsencrypt/live/example.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/example.com/privkey.pem
smtpd_tls_security_level=may
smtp_use_tls=yes
smtp_tls_CApath=/etc/ssl/certs
smtp_tls_security_level=may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
myhostname = mail.example.com
mydomain = mail.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = localhost.$mydomain, localhost, $myhostname
relayhost =
#relay_domains = gmail.com, google.com, mail.example.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

With these settings I get a "Relay access denied" error. This can be fixed by adding the subnets of Google's mail services to the "mynetworks =" line, but with that configuration it behaves like an open relay and there is a lot of spam from Google mail (thanks for explaining this point to me in the post: Postfix block spam email address).

Jun 20 08:49:19 mail postfix/smtpd[1444537]: NOQUEUE: reject: RCPT from mail-qk1-f200.google.com[209.85.222.200]: 554 5.7.1 : Relay access denied; from= to= proto=ESMTP helo=
Jun 20 08:49:19 mail postfix/smtpd[1444537]: disconnect from mail-qk1-f200.google.com[209.85.222.200] ehlo=2 starttls=1 mail=1 rcpt=0/1 bdat=0/1 quit=1 commands=5/7
ws flag
Don't do this. SMTP is hard. Google has teams of experts trying to ensure your deliverability. Even if you get relaying sorted you're going to have deliverability issues. You've not configured SPF verification. I don't know what your milter is doing, but you do at least need DKIM.
Tarik avatar
al flag
Thanks for your reply. When I limited relay access to Google's subnets, everything worked correctly: messages were delivered and passed all the necessary checks (SPF, DKIM, DMARC).
Score:1
in flag

The main problem is that when you configure what Google Workspace calls an outbound gateway you can't provide any "advanced" authentication.

The only mechanism available for the outbound gateway, your mail relay, is IP-based access control.

That means that you must configure Postfix to accept and forward email from all Google Workspace mail server IP addresses.

That requires you to retrieve (and possibly regularly update) the list of IP addresses used by Google for outbound mail, according to the procedure here: https://support.google.com/a/answer/60764

Retrieve the SPF record for the domain _spf.google.com:

nslookup -q=TXT _spf.google.com 8.8.8.8

This returns a list of the domains included in Google's SPF record, such as:

_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com

Look up the TXT records of those domains, one at a time:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8

That should result in something like:

Non-authoritative answer:
_netblocks3.google.com    text = "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

And those are the IP address ranges you will need to grant access to the relay functionality.
Yes, that will be a great many IP-address ranges and addresses.
No, in contrast to what the comments on your other post suggested, that doesn't make your server an open relay.

For Postfix that typically means adding them to the mynetworks = entry in main.cf and using the default or another appropriate smtpd_relay_restrictions:

mynetworks = 127.0.0.0/8 81.171.2.0/24 [::1]/128 [fe80::]/64 172.217.0.0/19  172.217.32.0/20 ... etc. etc. 
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination

Enforcing that mail is only relayed/forwarded when it has one of your own domains, example.com or example.co.uk, as the sender / From: requires an additional refinement:

Set up an access map:

 # /etc/postfix/access

 example.com      OK
 example.co.uk    OK

Run postmap /etc/postfix/access

and add check_sender_access hash:/etc/postfix/access to smtpd_relay_restrictions in main.cf:

 smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access, defer_unauth_destination
Tarik avatar
al flag
Thanks for your reply. I put the Google subnets back and also configured the access file as you indicated. At the moment everything is working and I will continue to monitor the server's behaviour. Previously, with this setting, there were many relays from Google mail. Do I understand correctly that setting up the /etc/postfix/access file will most likely solve this problem? I provided examples of such requests in the post I mentioned. I can't add them to the comment because the output is very large, sorry.
Tarik avatar
al flag
Unfortunately, setting up the /etc/postfix/access file did not restrict relaying from other domains. I sent mail via my relay server from another Google Workspace (and therefore another domain) and the message was relayed. Can you tell me how to solve this problem?
HBruijn avatar
in flag
:facepalm: - smtpd_relay_restrictions (and similar settings) are checked left to right and the first match resulting in an allow or deny is applied. I don't think you can, or at least I don't know how to, configure that two or more access controls need to be met concurrently.
Tarik avatar
al flag
This is sad :( In any case, thank you very much for your help, I will look for possible solutions :)
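The comment above is right that a restriction list stops at the first permit or reject, which is why check_sender_access placed after permit_mynetworks never runs for a Google client. What Postfix does offer is that an access(5) lookup result may itself be the name of a restriction, which Postfix then evaluates in place of OK/REJECT; chaining the two checks that way is the usual answer to "both conditions must hold". The fragment below is an added example, not part of HBruijn's answer or of the asker's configuration; the domains, file names and the three address ranges shown are placeholders.

```conf
# /etc/postfix/main.cf (fragment)

# Loopback plus Google's outbound ranges, generated from _spf.google.com.
# Only three ranges are shown here as placeholders; use the full current list.
mynetworks = 127.0.0.0/8 [::1]/128 172.217.0.0/19 172.217.32.0/20 209.85.128.0/17

# Relay only when BOTH hold: the envelope sender's domain is ours AND the
# client is in mynetworks. permit_mynetworks is deliberately absent from this
# list; it is reached only as the result of the sender lookup below, so a
# Google client with a foreign MAIL FROM falls through to the final reject.
smtpd_relay_restrictions =
    permit_sasl_authenticated,
    check_sender_access hash:/etc/postfix/relay_senders,
    reject_unauth_destination

# /etc/postfix/relay_senders   (then: postmap /etc/postfix/relay_senders)
# Key = envelope sender domain (any local part); value = the restriction to
# apply instead of a plain OK. Subdomains match because the default
# parent_domain_matches_subdomains includes smtpd_access_maps.
example.com      permit_mynetworks
example.co.uk    permit_mynetworks
```

Check the map before reloading: `postmap -q example.com hash:/etc/postfix/relay_senders` must print `permit_mynetworks`, and `postmap -q other.example hash:/etc/postfix/relay_senders` must print nothing. reject_unauth_destination is used rather than defer_unauth_destination so a message from the wrong domain gets a permanent 554 immediately instead of sitting in Google's retry queue for days. Two caveats a practitioner should keep in mind: the check is on the envelope sender (MAIL FROM), not the From: header, and any Gmail or Workspace account inside those ranges can put your domain in MAIL FROM, so this closes the "relay for any domain" hole the second comment describes but is not authentication; and because mynetworks is now wide, every other list in the posted main.cf that contains permit_mynetworks (smtpd_sender_restrictions there) trusts Google's ranges too. If that is unwanted, keep mynetworks at loopback, put the Google ranges in a cidr: table, and reference it through smtpd_restriction_classes (a restriction class is needed when the result carries a table argument such as check_client_access, so that Postfix can open the table before entering its chroot).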