Thursday, August 6, 2015

How to Configure Sendmail to Work with Gmail SMTP Relay on CentOS 7

I was trying to set up notifications on my home Nagios server. However, I couldn't get sendmail to send an email because I don't have a static IP with my home internet connection. Every time I restart my modem, my external IP changes, and it seems to be blacklisted, so I couldn't send any emails to my iCloud account.

The solution was simple. All I had to do was configure sendmail to relay all my mail through Google's SMTP servers. However, configuring this wasn't as smooth as I thought. There were dependency requirements and, after almost giving up, I got this to work! Here's how...

Installing Sendmail

Install sendmail with yum (sendmail-cf is needed to configure sendmail):

yum install sendmail sendmail-cf

The sendmail-cf package installed by the command above is what provides the files for configuring sendmail.

Additional Packages

Then install the cyrus-sasl-plain package.

yum install cyrus-sasl-plain.x86_64

If your SASL installation doesn’t have the “plain” and “login” libraries, you will have authentication problems with Gmail. You will see why when you get to the sendmail configuration in the later steps. The common error in /var/log/maillog is this:

AUTH=client, available mechanisms do not fulfill requirements

This took me a really long time to debug, because this error message isn't very clear.

 

 Creating Certificates


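Then go to the /etc/mail directory and create a directory called certs inside it.

Generate the cakey.pem private key and the sendmail.pem certificate by running the following two commands inside that certs directory (the sendmail configuration further down expects sendmail.pem there).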

openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650

Enter the appropriate information when you're generating the certificates, such as your name, organization and email address.

I also copied /etc/pki/tls/certs/ca-bundle.crt to /etc/mail/certs and included it in the sendmail configuration file.

cp /etc/pki/tls/certs/ca-bundle.crt /etc/mail/certs

Otherwise you’ll see an error like this:

unable to get local issuer certificate

The reason is that the CA bundle file contains the issuer of Gmail's certificate. I did read somewhere that email still goes out with this error. Nonetheless, we don’t need to see it if we can fix it.

 

Configuring Gmail Authentication


My /etc/mail/auth/client-info file looks like the following. It stores the authentication details for my Gmail account. (Create a directory called auth inside /etc/mail to keep this file separate from other files.)

AuthInfo:smtp.gmail.com "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:username@gmail.com" "P:password" "M:PLAIN"

If you use Gmail hosted email with your own domain name, you will have username@hostname.tld in there.

Make sure to run:

makemap -r hash /etc/mail/auth/client-info.db < /etc/mail/auth/client-info

and run chmod 600 on both client-info files (client-info and client-info.db), since they hold your Gmail password unencrypted.

 

 Sendmail Configuration


Now open the /etc/mail/sendmail.mc file.

Add the following lines after the "dnl # be sent out through an external mail server:" line:

FEATURE(`authinfo',`hash /etc/mail/auth/client-info.db')dnl
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')

define(`CERT_DIR', `/etc/mail/certs')
define(`confCACERT_PATH', `CERT_DIR')
define(`confCACERT', `CERT_DIR/ca-bundle.crt')
define(`confCRL', `CERT_DIR/ca-bundle.crt')
define(`confSERVER_CERT', `CERT_DIR/sendmail.pem')
define(`confSERVER_KEY', `CERT_DIR/sendmail.pem')
define(`confCLIENT_CERT', `CERT_DIR/sendmail.pem')
define(`confCLIENT_KEY', `CERT_DIR/sendmail.pem')

define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')

Build sendmail.cf from sendmail.mc. From the /etc/mail directory, use the following command:

m4 sendmail.mc > sendmail.cf

Now restart sendmail.

systemctl restart sendmail

Send a test email using the following command:

echo "Subject: test" | /usr/lib/sendmail -v youremail@yourdomain.com

For debugging, look at the /var/log/maillog file.
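
A read-only pre-flight check for the setup above, added here as an example (it is not part of the original post): it reads the authinfo map path out of sendmail.mc and confirms that the compiled map and its plain-text source both exist and are closed to group and other, which catches a FEATURE line that points at a file makemap never built. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: read-only pre-flight check for the Gmail relay setup.
# Function names are made up for this example.

# Print the map file named in FEATURE(`authinfo', `hash ...') inside file $1.
authinfo_map() {
    sed -n "s/^FEATURE(\`authinfo', *\`hash \([^']*\)').*/\1/p" "$1" | head -n 1
}

# Succeed only if $1 is a regular file with no group/other permission bits.
private_file() {
    [ -f "$1" ] || { echo "MISSING: $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other columns of the mode
    [ "$perms" = "------" ] || { echo "TOO OPEN: $1 (run chmod 600)"; return 1; }
}

# Check the compiled map and its text source named by sendmail.mc ($1).
check_relay_auth() {
    map=$(authinfo_map "$1")
    [ -n "$map" ] || { echo "no FEATURE(authinfo) hash map in $1"; return 1; }
    case $map in *.db) ;; *) map=$map.db ;; esac   # sendmail appends .db itself
    rc=0
    private_file "$map" || rc=1          # output of makemap
    private_file "${map%.db}" || rc=1    # plain-text AuthInfo source
    [ "$rc" -eq 0 ] && echo "OK: $map"
    return "$rc"
}

# Run as: sh check.sh /etc/mail/sendmail.mc
[ $# -eq 0 ] || check_relay_auth "$1"
```

Run it before restarting sendmail; a MISSING line means the path in sendmail.mc and the path given to makemap disagree.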

 

 Additional Information


To empty your mail queue run the following command,

rm -rf /var/spool/mqueue/*

To delete all mail for root, run the following command,

cat /dev/null > /var/spool/mail/root

When I was doing this configuration, I found this article to be greatly helpful.
