Recently I've been experimenting with PBX in a Flash (PIAF), a CentOS-based distro meant to make setting up Asterisk quick and easy. It comes with sendmail, which is fine if you don't already have an email system set up. However, most of my clients use Google Apps for Business for email, so I wanted to integrate PIAF with their existing Google Apps accounts. I found a decent little tutorial aimed at Gmail users that helped me set up sendmail as an SMTP relay to Google Apps. It was missing a few bits and bobs and the English isn't too good, so I thought I'd write my own guide, not only to remind myself later but hopefully to provide a little clarity for others.
A big reason for using Google Apps was that until a few months ago the free version supported 50 users (now reduced to 10). 50 users is more than enough for most small to medium businesses, and saves everyone the headache of having to maintain enterprise-level email services for an SMB. Who wants to keep on top of spam, anti-phishing, etc. when Google will do such a fantastic job for you? Especially given the other amazing tools that come along with it, like Google Docs and Google Voice. However, this method will work just fine with a regular Gmail account as well; the only difference is that you use your Gmail email address instead of your Google Apps email address for authentication.
Without further ado, here are the steps I took using PIAF 1.7.5.6.2 based on CentOS 5.6 (32bit). All commands are run as root. Beware, your mileage may vary!
Check sendmail has SASL & TLS
Google Apps uses TLS for encryption and SASL for authentication, so you need a sendmail build on your machine that was compiled with both options. Running sendmail -d0.1 -bv root prints the version and the compile-time options:
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = pbx
(canonical domain name) $j = pbx.local
(subdomain name) $m = local
(node name) $k = pbx.local
========================================================
root... deliverable: mailer local, user root
Bonus: this version of PIAF's sendmail is already compiled with TLS and SASL (note STARTTLS and SASLv2 in the list above)! Nothing needed to be done.
Check SASL is version 2.1.21 or higher
cyrus-sasl.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-lib.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-plain.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-devel.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-gssapi.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ldap.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-md5.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ntlm.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-sql.i386 2.1.22-5.el5_4.3 base
Excellent, PIAF is good to go for this as well!
Check that the SASL daemon is running as a service
On my machine, saslauthd wasn't enabled as a service; chkconfig --list saslauthd showed it off in every runlevel:
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
However, this is easy to fix. Start the daemon now and enable it in runlevels 2-5 so it also comes back after a reboot (the runlevel change is what the chkconfig output below reflects):
$ /sbin/service saslauthd start
$ /sbin/chkconfig saslauthd on
Now when you check, SASL should be running:
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Create SSL certificate
Using a secure channel (STARTTLS) requires a certificate and key, so if you don't have one already you'll need to create one.
$ mkdir /usr/share/ssl/certs
$ cd /usr/share/ssl/certs
$ cp /etc/pki/tls/certs/ca-bundle.crt /usr/share/ssl/certs/
$ openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
....++++++
........................++++++
writing new private key to 'deleteme.pem'
Enter PEM pass phrase: enter whatever passphrase you want here
Verifying - Enter PEM pass phrase: reenter the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com
Make sure you enter your own information for the country name, etc.
$ openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650
Generating a 1024 bit RSA private key
.........................................++++++
..............................++++++
writing new private key to 'sendmail.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com
Great, the security cert should be generated! You can confirm the subject and validity period of the combined key/cert file with openssl x509 -noout -subject -dates -in /usr/share/ssl/certs/sendmail.pem.
Configure sendmail
Now we'll create a new config file holding the authentication details for the Google Apps account we're going to use. With your favourite text editor, create the file /etc/mail/authinfo with the following two lines, one keyed on the host alone and one on host:port (replace the AppAccount placeholders with your own account's address and password, and use plain ASCII double quotes):
AuthInfo:smtp.gmail.com "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"
Next we need to build the hashed map that sendmail actually reads, and lock down the permissions on both files, since they hold the account password in clear text:
$ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
$ chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db
We'll also need to modify the sendmail configuration to tell it where to find the certs, what host to use for relay, etc. With your text editor, open /etc/mail/sendmail.mc and search for the line containing MAILER(smtp)dnl. Just before this line, insert the following text, then save and exit the text editor. Note the m4 quoting: a backtick opens each string and a plain single quote closes it; curly quotes picked up from copy/paste will break the build.
define(`SMART_HOST', `smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')dnl
define(`ESMTP_MAILER_ARGS', `TCP $h 587')dnl
define(`confCACERT_PATH', `/usr/share/ssl/certs')dnl
define(`confCACERT', `/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/usr/share/ssl/certs/sendmail.pem')dnl
define(`confSERVER_KEY', `/usr/share/ssl/certs/sendmail.pem')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_OPTIONS', `A')dnl
dnl The authinfo feature declares the map that the AuthInfo lookup uses;
dnl without it sendmail never consults /etc/mail/authinfo.db.
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
Now we need to rebuild sendmail.cf from the modified sendmail.mc and restart the sendmail service. On CentOS the sendmail init script regenerates /etc/mail/sendmail.cf on start when sendmail.mc is newer, provided the sendmail-cf package is installed:
$ service sendmail restart
To check that sendmail can find the credentials, run it in address test mode with sendmail -bt and look up the authinfo map at the > prompt. This shows the map lookup step by step; if there are any errors you'll have to go back and verify the previous steps.
$ sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> /map authinfo AuthInfo:smtp.gmail.com
map_lookup: authinfo (AuthInfo:smtp.gmail.com) returns "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN" (0)
Send a test email
Finally, the acid test: send a message through your sendmail Google Apps relay, for example with the mail command, to an address you can check. Follow /var/log/maillog while it goes out: a relay=smtp.gmail.com entry ending in stat=Sent means the handoff worked, and authentication or TLS failures are logged there too.
If all has gone well, you should now be seeing your test email in your inbox.
Thanks for the great post.
Watch when you copy and paste the text before the "MAILER(smtp)dnl". Make sure the quotes are correct.
Hi, and thanks in advance. I have several questions:
(1) You post the following output twice: "writing new private key to 'deleteme.pem'". I, of course, actually see either "writing new private key to 'cakey.pem'" or "writing new private key to 'sendmail.pem'". If you are suggesting that the output files be deleted, when is that to occur?
(2) There are several email address entry fields. One is "Email Address []:none@none.com" and one is "AuthInfo:smtp.gmail.com "U:root" "I:AppAccountEmailAddress" ". Clearly the latter is the gmail address. Is the former also? On a Debian Asterisk/FreePBX installation I had used Gmail as the SMTP server, but I want Asterisk to send the email to a non-gmail address. I was assuming "none@none.com" would/could be that "other" address. Am I incorrect?
(3) I get to the step to hash ("hash the file and change the permissions to make it secure") and I receive the following error:
root@pbx:/usr/share/ssl/certs $ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
makemap: /etc/mail/authinfo: line 4: key p:{thekeyinquestion}: duplicate key
What is the Key that is being duplicated? I see at least 3 different passwords/keys involved here:
When you "-keyout cakey.pem -out cacert.pem"
When you "-keyout sendmail.pem -out sendmail.pem"
and the PW for the relevant gmail account (which is what I would be using)
(and a 4th, if there is some checking being done against the root password)
Wow, quite the list! Let’s see if I can clear those questions up for you:
The second command output should be "writing new private key to 'sendmail.pem'". Copy/paste error; I've corrected it.
The "deleteme.pem" file can indeed be deleted once you've run both commands; it's an interim file.
“none@none.com” is highlighted to indicate that you should replace it with your own value, just like all the other highlighted text. It doesn’t matter what you put in here, actually, as it’s just used for the self-generated SSL cert. If someone decides to inspect the cert, they’ll see that email address in it; it’s there solely to provide contact info. Nothing to do with configuring Asterisk.
/etc/mail/authinfo should only have two lines, one for AuthInfo:smtp.gmail.com and one for AuthInfo:smtp.gmail.com:587. If it has four, you have not created it correctly. Edit it or delete it and try again.
The "key" has nothing to do with the previous cert steps; it's referring to the hashing key (i.e., the gmail account information).
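As an added example, not code from the original post or its comments, here is a small Python checker for /etc/mail/authinfo that catches the problems raised in the Configure sendmail step and in this thread: curly quotes left by copy/paste, the duplicate key that makemap rejects, a relay host that lacks either the host-only or the host:port entry, and a file that is not mode 0600. The SAMPLE_BAD contents and the relay@example.com address are constructed for illustration.

```python
import os
import re

# One entry: AuthInfo:host[:port] then quoted fields; sendmail's tags are U (user),
# I (auth id), P (password, or P= for base64), M (mechanisms), R (realm).
_ENTRY = re.compile(r'^AuthInfo:(?P<host>[A-Za-z0-9.-]+)(?::(?P<port>\d+))?'
                    r'\s+(?P<fields>(?:"[UIPMR][:=][^"]*"\s*)+)$')
_FIELD = re.compile(r'"([UIPMR])[:=]([^"]*)"')
_SMART_QUOTES = '\u201c\u201d\u2018\u2019\u2032'   # “ ” ‘ ’ ′ left by copy/paste
# Constructed sample: curly quotes on line 1, line 3 repeats line 2's key, and
# no host-only AuthInfo:smtp.gmail.com entry accompanies the :587 one.
SAMPLE_BAD = ('AuthInfo:smtp.gmail.com:587 \u201cU:root\u201d \u201cI:relay@example.com\u201d \u201cP:secret\u201d \u201cM:PLAIN\u201d\n'
              'AuthInfo:smtp.gmail.com:587 "U:root" "I:relay@example.com" "P:secret" "M:PLAIN"\n'
              'AuthInfo:smtp.gmail.com:587 "U:root" "I:relay@example.com" "P:secret" "M:PLAIN"\n')


def check_authinfo_text(text):
    """Return a list of findings for the text of an /etc/mail/authinfo file."""
    findings, seen, hosts = [], {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if any(c in line for c in _SMART_QUOTES):
            findings.append(f'line {lineno}: typographic quotes, use plain ASCII "')
            continue
        m = _ENTRY.match(line)
        if not m:
            findings.append(f'line {lineno}: not a valid AuthInfo entry')
            continue
        key = f"AuthInfo:{m['host']}" + (f":{m['port']}" if m['port'] else '')
        if key in seen:   # the same condition makemap rejects as "duplicate key"
            findings.append(f'line {lineno}: duplicate key {key} (first on line {seen[key]})')
        seen[key] = lineno
        hosts.setdefault(m['host'], set()).add(m['port'])
        missing = [tag for tag in 'UIP' if tag not in dict(_FIELD.findall(m['fields']))]
        if missing:
            findings.append(f'line {lineno}: missing field(s) {missing}')
    # The post keeps both the host-only and the host:port entry for each relay host.
    for host, ports in hosts.items():
        if None not in ports or ports == {None}:
            findings.append(f'{host}: need both AuthInfo:{host} and AuthInfo:{host}:PORT')
    return findings


def check_authinfo_file(path):
    # Content checks plus the 0600 mode the clear-text relay password needs.
    with open(path, encoding='utf-8') as fh:
        findings = check_authinfo_text(fh.read())
    if os.stat(path).st_mode & 0o077:
        findings.append(f'{path}: group/world readable, chmod 600')
    return findings
```

Run check_authinfo_file('/etc/mail/authinfo') as root before invoking makemap; an empty list means the file is ready to hash.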
Thank you for this! Worked like a charm!