Broken LAMPS; Missing Pieces – Email
As we dive deeper into our LAMPS / WordPress setup, we find a missing piece. Namely, the ability to send emails to deliver WAF alerts, password resets, and all sorts of annoyances. Personally, I regard systems capable of sending automated emails with disfavor as I have seen these types of systems configured in many levels of competency and as such suborned and abused in many ways. One supposes this means I must provide a more substantial configuration to avoid those abuses.
In Ubuntu 20.04, the standard and installed package for this function is Postfix. So we shall configure said package using Gmail as our smart host. (NO, I am not opening my webserver to the various SMTP ports and their attendant vulnerabilities.)
We shall begin by setting our postfix main.cf to a default configuration with the following commands:
```bash
# As always, let's check for package updates and apply them
sudo apt-get update && sudo apt-get upgrade
# Install postfix and sasl
sudo apt-get install libsasl2-modules postfix mailutils
```
We are now presented with the basic postfix installation and configuration screens:
We shall select Internet Site and ok.
And we shall provide our Fully Qualified Domain Name (FQDN). (One should use your own host-name. You DID DNS it, right?)
At this point the installation shall continue to modify various files and systems settings in an automated fashion, after which we can begin to add Gmail as a relay (Smart) host.
Let us begin by configuring authentication for the Gmail system. We will edit/create the file /etc/postfix/sasl_passwd and add our credentials there.
```
# Configure Credentials
sudo nano /etc/postfix/sasl_passwd

# Add this line to the file:
[smtp.gmail.com]:587 email@example.com:password

# Exit and Save; then set permissions
sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd
# We will use this file to create a hash file later in our install
```
Once we have our credentials in place, we shall configure the postfix main.cf file to use Gmail as a relay host. We have six parameters that need to be touched/created:
- relayhost, which specifies the mail relay host and port number. The hostname will be enclosed in brackets to specify that no MX lookup is required.
- smtp_use_tls, which enables (or disables) transport layer security.
- smtp_sasl_auth_enable, which enables (or disables) SASL authentication.
- smtp_sasl_security_options, which in the following configuration will be set to empty, to ensure that no Gmail-incompatible security options are used.
- smtp_sasl_password_maps, which specifies the password file to use. This file will be compiled and hashed by postmap in a later step.
- smtp_tls_CAfile, which specifies the list of certificate authorities to use when verifying server identity.
```
# configure /etc/postfix/main.cf
sudo nano /etc/postfix/main.cf

# Set (or add) these parameters in the file:
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Save and close the file
```
We will now need to create the hash file for /etc/postfix/sasl_passwd.
```bash
# Create postfix map / hash file for /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
```
At this point postfix is configured, and we are ready to restart and test.
```bash
# Restart Postfix to read the new configs
sudo systemctl restart postfix.service
# And send a test message
mail -s "Test subject" firstname.lastname@example.org
# Enter any CCs
# Enter some text, perhaps:
# Test email from hostname at date and time
# Press Control-D to send
```
One may need to configure your Gmail account to relay messages from your instance. For more information, review the Google Support document “Allowing less secure apps to access your account.” This leads one to the comment(s):
- DO NOT USE YOUR GMAIL ADMIN ACCOUNT FOR THIS
- Do create a separate Gmail address/account for handling relayed alerts and messages
Comments on troubleshooting. (Yes, we can assume all will not go as planned.)
Examine /var/log/mail.log for errors; if one receives authentication errors from Gmail, verify the Gmail username/password and configuration. Check the /etc/postfix/sasl_passwd for proper credentials, whitespace, and format.
If one receives TLS errors, check the main.cf configuration as noted above; if one has followed the instructions, it should CLOSELY resemble the stanza shown above. Correct any defects and restart postfix, thence test again.
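As an added example (not part of the original post), here is a small shell audit of the finished relay setup that reads the main.cf parameters listed above and checks that a credential file is private. It goes slightly beyond the post by flagging two documented Postfix behaviours: `smtp_use_tls = yes` is opportunistic TLS (superseded by `smtp_tls_security_level`), and an empty `smtp_sasl_security_options` also permits anonymous mechanisms. The function names `conf_get`, `audit_relay` and `secret_is_private` are invented here, and the script assumes GNU `stat` and single-line `name = value` entries.

```bash
# Added example (not from the original post): audit the relay settings above.
# Assumes single-line "name = value" entries; function names are this example's own.
conf_get() {  # print effective value of parameter $2 in file $1 (last one wins)
  awk -v k="$2" '
    /^#/ || /^[ \t]/ { next }              # skip comments and continuation lines
    { key = $0; sub(/[ \t]*=.*/, "", key) }
    key == k { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v) }
    END { print v }' "$1"
}

# Print one finding per line; return 0 only when nothing is flagged WARN.
# The obsolete smtp_enforce_tls parameter is not considered.
audit_relay() {
  local cf="$1" rc=0 level opts relay
  level=$(conf_get "$cf" smtp_tls_security_level)
  opts=$(conf_get "$cf" smtp_sasl_security_options | tr ' \t' ',,')
  relay=$(conf_get "$cf" relayhost)
  case "$level" in
    encrypt|verify|secure|fingerprint|dane-only) echo "OK   tls: mandatory ($level)" ;;
    "") echo "WARN tls: smtp_use_tls='$(conf_get "$cf" smtp_use_tls)' is at best opportunistic;" \
             "set smtp_tls_security_level = encrypt"; rc=1 ;;
    *)  echo "WARN tls: level '$level' does not require TLS"; rc=1 ;;
  esac
  case ",$opts," in
    *,noanonymous,*) echo "OK   sasl: anonymous mechanisms refused" ;;
    *) echo "WARN sasl: options '$opts' allow anonymous; use noanonymous"; rc=1 ;;
  esac
  case "$relay" in
    \[*\]:*) echo "OK   relayhost: $relay (no MX lookup)" ;;
    *) echo "WARN relayhost: '$relay' is not in [host]:port form"; rc=1 ;;
  esac
  return "$rc"
}

# Return 0 when $1 grants nothing to group/other (the post's chmod 600).
secret_is_private() {
  local mode; mode=$(stat -c '%a' "$1") || return 2
  case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: four of the post's main.cf lines, written to a temp file.
sample=$(mktemp)
printf '%s\n' 'relayhost = [smtp.gmail.com]:587' 'smtp_use_tls = yes' \
  'smtp_sasl_auth_enable = yes' 'smtp_sasl_security_options =' > "$sample"
audit_relay "$sample" || echo "=> review the WARN lines"
secret_is_private "$sample" && echo "OK   perms: sample file is private"
rm -f "$sample"
```

On the server, run `audit_relay /etc/postfix/main.cf`, and run `secret_is_private` against both /etc/postfix/sasl_passwd and the sasl_passwd.db file that postmap generates from it, since both hold the password.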