
AWS gMail Relay Setup


After moving to a new AWS server I discovered that my mail configuration files were not configured as part of my backup service on my old server. In addition, my new server is using sendmail instead of postfix for mail services. That meant re-learning and re-discovering how to set up mail relay through gmail.

Why Relay?

Cloud servers tend to be blacklisted. Sure enough, my IP address on the new server is on the Spamhaus PBL list. While Amazon allows for elastic IP addresses, a quasi-permanent IP address that acts like a static IP, which can be added to the whitelist on the Spamhaus PBL, it is not the best option. Servers change, especially in the cloud. I find the best option is to route email through a trusted email service. I use Google Business Apps email accounts and have one set up just for this purpose. Now to configure sendmail to re-route all outbound mail from my server to my gmail account.

Configuring Amazon Linux

Here are my cheat-sheet notes about getting an Amazon Linux (RHEL flavor of Linux) box to use the default sendmail to push content through gmail.

Install packages needed.

# sudo su -
# yum install cyrus-sasl ca-certificates sendmail make

Create your certificates

This is needed for the TLS authentication.

# cd /etc/pki/tls/certs
# make sendmail.pem
# cd /etc/mail
# mkdir certs
# chmod 700 certs
# cd certs
# cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs/ca-bundle.crt
# cp /etc/pki/tls/certs/sendmail.pem /etc/mail/certs/sendmail.pem

Setup your authinfo file

The AuthInfo entries start with the relay server host name and port.

U = the AWS server user that will be the source of the email.

I = your gmail user name, if using business apps it is likely @yourdomain.com not @gmail.com

P = your gmail email password

M = the method of authentication, PLAIN will suffice

# cd /etc/mail
# vim gmail-auth

AuthInfo:smtp-relay.gmail.com "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"

# chmod 600 gmail-auth
# makemap -r hash gmail-auth < gmail-auth
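
The compiled gmail-auth.db holds the same password as the text file, but only the text file is given mode 600 above. The following check is an added example, not part of the original notes: it verifies that both files are private and that every entry carries the four fields listed above (the function names are this example's own).

```shell
#!/bin/sh
# Added example: audit a sendmail authinfo file and its compiled map.
# Usage: audit_authinfo /etc/mail/gmail-auth

# Succeeds if the file grants nothing to group or other.
private_mode() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints one finding per line; returns 0 only when there are none.
audit_authinfo() {
    src=$1
    findings=0
    # The .db map stores the password in clear text too, so check both files.
    for f in "$src" "$src.db"; do
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; findings=$((findings + 1))
        elif ! private_mode "$f"; then
            echo "PERMS $f is readable by group/other"; findings=$((findings + 1))
        fi
    done
    [ -r "$src" ] || return 1
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in
            ''|'#'*) continue ;;            # blank line or comment
            AuthInfo:*) ;;
            *) echo "SYNTAX line $n: entry does not start with AuthInfo:"
               findings=$((findings + 1)); continue ;;
        esac
        # This page's entries carry U, I, P and M; flag any that is absent or empty.
        for key in U I P M; do
            if ! printf '%s\n' "$line" | grep -q "\"$key:[^\"]"; then
                echo "FIELD line $n: missing or empty \"$key:\" value"
                findings=$((findings + 1))
            fi
        done
    done < "$src"
    [ "$findings" -eq 0 ]
}
```

If it reports PERMS for gmail-auth.db, `chmod 600 gmail-auth.db` in /etc/mail brings the map in line with the text file.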

Configure Sendmail

Edit the sendmail.mc file and run make to turn it into a sendmail.cf configuration file. Look for each of the entries noted in the sendmail.mc comments. Uncomment the entries and/or change them as noted. A couple of new lines will need to be added to the sendmail.mc file. I add the new lines just before the MAILER(smtp)dnl line at the end of the file.

Most of these exist throughout the file and are commented out. I uncommented the lines and modified them as needed so they appear near the comment blocks that explain what is going on:

# vim /etc/mail/sendmail.mc
define(`SMART_HOST', `smtp-relay.gmail.com')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl

Add these lines to the end of sendmail.mc just above the first MAILER()dnl entries:

define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
FEATURE(`authinfo',`hash -o /etc/mail/gmail-auth.db')dnl

If you are using business apps you may need these settings to make the email come from your domain and to pass authentication based on your Gmail relay settings. These are also in sendmail.mc:

MASQUERADE_AS(`charlestonsw.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(charlestonsw.com)dnl

Run make to turn sendmail.mc into the sendmail.cf file and restart sendmail:

# make
# service sendmail restart
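
A path in sendmail.mc that does not match a file on disk is an easy mistake in this setup, for example a certificate copied under a slightly different name. The added check below (not part of the original notes; the function names are this example's own) reads the active TLS defines from a sendmail.mc and reports any that point at a missing file, plus a server key that group or other can read.

```shell
#!/bin/sh
# Added example: verify that the TLS files named in a sendmail.mc exist.
# Usage: check_mc_paths /etc/mail/sendmail.mc

# Succeeds if the file grants nothing to group or other.
private_mode() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Prints "name path" for every active (not dnl-commented) TLS define.
# \140 and \047 are the m4 quote characters ` and '.
mc_tls_paths() {
    awk 'BEGIN { FS = "[\140\047]" }
         $1 == "define(" && $2 ~ /^conf(CACERT_PATH|CACERT|SERVER_CERT|SERVER_KEY)$/ {
             print $2, $4
         }' "$1"
}

# Prints one finding per line; returns 0 when there are none.
check_mc_paths() {
    report=$(mc_tls_paths "$1" | while read -r name path; do
        if [ ! -e "$path" ]; then
            echo "MISSING $name -> $path"
        elif [ "$name" = confSERVER_KEY ] && ! private_mode "$path"; then
            # sendmail treats a group- or world-readable key file as unsafe
            echo "PERMS $name -> $path is readable by group/other"
        fi
    done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```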

Configure Gmail Services

This is for business apps users: you need to turn on relay.

Go to “manage this domain” for your business apps account.

Go to “Google Apps”.

Click on “Gmail”.

Click “advanced settings”.

Find the “SMTP relay service” entry. Add a new entry.

Only addresses in my domain, require SMTP, require TLS all need to be selected.

Give it a name.

Save.

Save again.


Google Spam Filter FAIL

My favorite tech company has fallen off their pedestal and their new-found ego is going to give them a big ugly black eye.   The tech community is quickly becoming disenchanted with the ways of Google, thanks in a big way to the ultimate FAIL of the Google Spam Filter.    It turns out that Google decided the previously intelligent spam filter was not intelligent enough.   Obviously they decided that it needed to think more like a human.  And by more human-like we mean MAKING MISTAKES.  And big ones at that.

We started to realize about 3 weeks back (Last week of April, 2011) that some client emails were not showing up.   We assumed it was just an errant send from the other end.  You know, HUMAN ERROR.  Well it turns out that we had become so accustomed to Google’s spam filter being nearly flawless that we never thought to even check our spam folder.

Well we should have. There were not only the missing client emails in the spam folder, but dozens… literally dozens… of other legitimate emails in there. Sales leads. Customers trying to contact us, and a LOT of customers complaining about not getting their product license. Hmmm… that’s odd. We normally get one complaint/month about a license not going out. A robot sends those out for us automatically when someone purchases a product. But for some reason a half-dozen clients in less than a week did not get their license.

Then a client complained we never gave them a project update. We did. We sent MANY updates. They were PISSED. I resent the message. They didn’t get them. Then the lightbulb went off… “did you check your spam folder?”. Turns out the client is using gmail and YES, ALL of our messages are in their spam folder. That was odd. We are on their contact list & they are on ours. Yet Google spammed us.

Then we went and looked at all the complaints about not getting a license.  Guess what?  ALL gmail people. Every one.    Then we noticed that any of our employees, customers, or clients that use gmail were not only getting legitimate messages put in the spam folder but that blatant spam was getting into their inbox much more frequently than before.

We are pretty damn certain that Google changed the spam filter across the board. Luckily we have a paid Google mail account so we have support. Or so we thought. It turns out our contact refuses to admit they changed anything. He has not said that they did NOT change anything, but after more than a week of back-and-forth he has pointed the finger at us EVERY TIME. We have literally had to change or explain over a half-dozen settings, like why our MX records are on our server, the fact that the spam filter is turned off on our server, the fact that our gmail account allows for relay and incoming email from our email server IP. Every time we tell him “GOOGLE CHANGED THE SPAM FORMULA” we get another “did you check <blah>” answer.

Obviously Google didn’t do anything wrong.  There is no way they changed the formula, right?

Well HUNDREDS of posts on the Internet are creating a buzz that says otherwise.  Maybe we are wrong, but something smells of Google having just opened a can of rotten spam and they are going to have a bitch of a time getting that one back in the can.

Follow The Story Online

Twitter #GMAILFAIL

Google Spam Filter