Posted on

AWS gMail Relay Setup

SMTP Relay Banner

After moving to a new AWS server I discovered that my mail configuration files were not configured as part of my backup service on my old server. In addition my new server is using sendmail instead of postfix for mail services. That mean re-learning and re-discovering how to setup mail relay through gmail.

Why Relay?

Cloud servers tend to be blacklisted. Sure enough, my IP address on the new server is on the Spamhaus PBL list. While Amazon allows for elastic IP addresses, a quasi-permanent IP address that acts like a static IP, which can be added to the whitelist on the Spamhaus PBL it is not the best option. Servers change, especially in the cloud. I find the best option is to route email through a trusted email service. I use Google Business Apps email accounts and have one setup just for this purpose. Now to configure sendmail to re-route all outbound mail from my server to my gmail account.

Configuring Amazon Linux

Here are my cheat-sheet notes about getting an Amazon Linux (RHEL flavor of Linux) box to use the default sendmail to push content through gmail.

Install packages needed.

# sudo su -
# yum install cyrus-sasl ca-certificates sendmail make

Create your certificates

This is needed for the TLS authentication.

</p>
# cd /etc/pki/tls/certs
# make sendmail.pem
# cd /etc/mail
# mkdir certs
# chmod 700 certs
# cd certs
# cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs/ca-bundle.crt
# cp /etc/pki/tls/certs/sendmail.pem /etc/mail/certs/sendmail.pm

Setup your authinfo file

The AuthInfo entries start with the relay server host name and port.

U = the AWS server user that will be the source of the email.

I = your gmail user name, if using business apps it is likely @yourdomain.com not @gmail.com

P = your gmail email password

M = the method of authentication, PLAIN will suffice

# cd /etc/mail
# vim gmail-auth

AuthInfo:smtp-relay.gmail.com "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:ec2-user" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"
AuthInfo:smtp-relay.gmail.com:587 "U:apache" "I:your-gmail-addy@gmail.com" "P:yourpassword" "M:PLAIN"

# chmod 600 gmail-auth
# makemap -r hash gmail-auth < gmail-auth

Configure Sendmail

Edit the sendmail.mc file and run make to turn it into a sendmail.cf configuration file.  Look for each of the entries noted in the sendmail.mc comments.  Uncomment the entries and/or change them as noted.    A couple of new lines will need to be added to the sendmail.mc file.   I add the new lines just before the MAILER(smpt)dnl line at the end of the file.

Most of these exist throughout the file and are commented out.   I uncommented the lines and modified them as needed so they appear near the comment blocks that explain what is going on:

# vim /etc/mail/sendmail.mc
define(`SMART_HOST', `smtp-relay.gmail.com')dnl
define(`confAUTH_OPTIONS', `A p')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/mail/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/sendmail.pem')dnl

Add these lines to the end of sendmail.mc just above the first MAILER()dnl entries:

</p>
<p style="padding-left: 30px;">define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl</p>
<p style="padding-left: 30px;">define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl</p>
<p style="padding-left: 30px;">FEATURE(`authinfo',`hash -o /etc/mail/gmail-auth.db')dnl</p>
<p style="padding-left: 30px;">

If you are using business apps you may need these settings to make the email come from your domain and to pass authentication based on your Gmail relay settings.    These are also in sendmail.mc:

MASQUERADE_AS(`charlestonsw.com')dnl
FEATURE(masquerade_envelope)dnl
FEATURE(masquerade_entire_domain)dnl
MASQUERADE_DOMAIN(localhost)dnl
MASQUERADE_DOMAIN(localhost.localdomain)dnl
MASQUERADE_DOMAIN(charlestonsw.com)dnl

Make the configuration-helper into a sendmail.mc file and restart sendmail:

# make
# service sendmail restart

Configure Gmail Services

This is for business apps users, you need to turn on relay.

Go to “manage this domain” for your business apps account.

Go to “Google Apps”.

Click on “Gmail”.

Click “advanced settings”.

Find the “SMTP relay service” entry.    Add a  new entry.

Only addresses in my domain, require SMTP, require TLS all need to be selected.

Give it a name.

Save.

Save again.

Posted on

Setting Up Stunnel On Linux

We need your help!


Cyber Sprocket is looking to qualify for a small business grant so we can continue our development efforts. We are working on a custom application builder platform so you can build custom mobile apps for your business. If we reach our 250-person goal have a better chance of being selected.

It is free and takes less than 2 minutes!

Go to www.missionsmallbusiness.com.
Click on the “Login and Vote” button.
Put “Cyber Sprocket” in the search box and click search.
When our name comes up click on the vote button.

 

And now on to our article…

 

Intro

This article was written while getting SMTP authentication working with AT&T Business Class DSL services.   The SMTP service requires authentication via a secure connection on port 465.   Other articles will get into further details, this article’s focus is on the stunnel part of the equation, which we use to wrap the standard sendmail/SMTP configuration.

In This Article

  • An example stunnel config file for talking to AT&T SMTP servers on port 465 (SMTPS)
  • Testing the connection to AT&T SMTPS is working via telnet
  • Getting stunnel running on system boot.

Our Environment

  • CentOS release 5.2
  • stunnel 4.15-2

We assume you have stunnel and telnet installed.  If not, research the yum install commands for CentOS.  You will also need superuser access to update the running services on your box.

Setting up stunnel

Stunnel will allow you to listen for data connections on a local port and redirect that traffic through an SSH wrapper to another system.  In our case we are using stunnel to listen on port 2525 on our local server, wrap the communication in ssh and send it along to our local AT&T SMTP Server at smtp.att.yahoo.com on port 465 (aka SMTPS).

Install

To do this you will need stunnel installed.   If yum is configured properly and the remote yum servers are online you can try this:

# yum install stunnel

Configure

You will then need to create or edit the stunnel configuration file and setup the AT&T SMTPS redirect.  Your config file should look like this (your remote SMTPS server may have a different URL, check with your ISP):

client=yes
[rev-smtps]
accept=127.0.0.1:2525
connect=smtp.att.yahoo.com:smtps

Test

Run stunnel in a detached daemon mode:

# stunnel &

Then telnet in to localhost port 2525, which should SSH wrap the connection to the AT&T SMTP Server

# telnet 127.0.0.1 2525

You should see something like this:

[root@dev xinetd.d]# telnet localhost 2525
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 smtp104.sbc.mail.re3.yahoo.com ESMTP
EHLO
250-smtp104.sbc.mail.re3.yahoo.com
250-AUTH LOGIN PLAIN XYMCOOKIE
250-PIPELINING
250 8BITMIME
quit

Connection closed by foreign host.

Stop the test process by killing the detached process.  Find the process ID with ps and kill it.

# ps -ef | grep stunnel

You should see something like this:

root      6181     1  0 11:37 ?        00:00:00 stunnel
root     10698  3626  0 14:11 pts/0    00:00:00 grep stunnel

Kill the process.

# kill <pid>

Starting up stunnel on boot.

stunnel can be started by using the simple # stunnel & command via a shell script that runs at startup.  This method allows for session caching and generally improves performance over an xinetd controlled session.

Configure

Create /etc/init.d/stunnel:

#!/bin/bash#
#       /etc/rc.d/init.d/stunnel
#
# Starts the stunnel daemon
#
# Source function library.
. /etc/init.d/functions
test -x /usr/sbin/stunnel || exit 0
RETVAL=0
#
#       See how we were called.
#
prog="stunnel"
start() {
    # Check if stunnel is already running
    if [ ! -f /var/lock/subsys/stunnel ]; then
    echo -n $"Starting $prog: "
    daemon /usr/sbin/stunnel
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/stunnel
    echo
    fi
    return $RETVAL
}
stop() {
    echo -n $"Stopping $prog: "
    killproc /usr/sbin/stunnel
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/stunnel
    echo
    return $RETVAL
}
restart() {
    stop
    start
}
reload() {
    restart
}
status_at() {
    status /usr/sbin/atd
}
case "$1" in
start)
    start
    ;;
stop)
    stop
    ;;
reload|restart)
    restart
    ;;
condrestart)
    if [ -f /var/lock/subsys/atd ]; then
    restart
    fi
    ;;status)
    status_at
    ;;
*)
    echo $"Usage: $0 {start|stop|restart|condrestart|status}"
    exit 1
esac
exit $?
exit $RETVAL

Set the stunnel script to run at startup level 3:

# ln -s /etc/init.d/stunnel /etc/rc3.d/S58stunnel

Test

Run the same telnet test to port 2525 on localhost as noted above.  Don’t kill the process when you are done.

Running via xinetd

xinetd runs various port listening services through a single program (xinet) that runs as a daemon.  Since our box (and most RHEL variants) runs xinetd by default, we simply need to create our configuration file for stunnel and put it in the xinet.d directory & restart the xinetd process.  This is NOT the recommended method for running stunnel.

Install

If xinetd is not installed and running on your system (it should be) then grab it with yum

# yum install xinetd

Configure

Create a new stunnel configuration file in the /etc/xinetd.d directory.

# description: stunnel listner to map local ports to outside ports
service stunnel
{
    disable         = no
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    port            = 2525
    server          = /usr/sbin/stunnel
}

You can learn more about xinetd configuration files here:
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-tcpwrappers-xinetd-config.html

You will also need to change your stunnel config file as the accept port is now handled by xinetd.  You can learn more via the stunnel manual by using # man stunnel at your linux prompt.

The new stunnel.conf file:

client=yes
connect=smtp.att.yahoo.com:smtps

Test

#service xinetd restart
#telnet 127.0.0.1 2525

You should see the same results as the stunnel test above.