PBX In A Flash: Send Email Using Gmail / Google Apps

Recently I’ve been experimenting with PBX in a Flash, a CentOS-based distro meant to make setting up Asterisk quick and easy. It comes with sendmail, which is fine if you don’t already have an email system set up. However, most of my clients use Google Apps for Business for email, so I wanted to integrate PIAF with existing Google Apps. I found a decent little tutorial aimed at Gmail users that helped me set up sendmail as an SMTP relay to Google Apps. It was missing a few bits and bobs and the English isn’t too good, so I thought I’d write my own guide, not only to remind me later but hopefully to provide a little clarity for others.

A big reason for using Google Apps was that until a few months ago the free version supported 50 users (now reduced to 10). 50 users is more than enough for most small to medium businesses, and saves everyone the headache of having to maintain enterprise level email services for an SMB. Who wants to keep on top of spam, anti-phishing, etc. when Google will do such a fantastic job for you? Especially given the amazing other tools that come along with it like Google Docs and Google Voice. However, this method will work just fine with a regular Gmail account as well; the only difference is that you use your Gmail email address instead of your Google Apps email address for authentication.

Without further ado, here are the steps I took using PIAF 1.7.5.6.2 based on CentOS 5.6 (32bit). All commands are run as root. Beware, your mileage may vary!

Check sendmail has SASL & TLS

Google Apps uses TLS for encryption and SASL for authentication. You’ll need to have a version of sendmail that was compiled with these options on your machine.

$ /usr/sbin/sendmail -d0.1 -bv root
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = pbx
(canonical domain name) $j = pbx.local
(subdomain name) $m = local
(node name) $k = pbx.local
========================================================
root... deliverable: mailer local, user root

Bonus, this version of PIAF’s sendmail is already compiled with TLS and SASL! Nothing needed to be done.

Check SASL is version 2.1.21 or higher

$ yum list | grep sasl
cyrus-sasl.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-lib.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-plain.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-devel.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-gssapi.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ldap.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-md5.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ntlm.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-sql.i386 2.1.22-5.el5_4.3 base

Excellent, PIAF is good to go for this as well!

Check that the SASL daemon is running as a service

On my machine, SASL wasn’t running as a service:

$ chkconfig --list saslauthd
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

However, this is easy to fix:

$ chkconfig saslauthd on
$ /sbin/service saslauthd start

Now when you check, SASL should be running:

$ chkconfig --list saslauthd
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Create SSL certificate

Using a secure channel requires a security certificate, so if you don’t have one already you’ll need to create one.

$ mkdir /usr/share/ssl
$ mkdir /usr/share/ssl/certs
$ cd /usr/share/ssl/certs
$ cp /etc/pki/tls/certs/ca-bundle.crt /usr/share/ssl/certs/
$ openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
….++++++
……………………++++++
writing new private key to 'deleteme.pem'
Enter PEM pass phrase: enter whatever passphrase you want here
Verifying - Enter PEM pass phrase: reenter the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com

Make sure you enter your own information for the country name, etc.

$ openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650

Generating a 1024 bit RSA private key
…………………………………………………++++++
……………………………………++++++
writing new private key to 'sendmail.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com

Great, the security cert should be generated!

Configure sendmail

Now we’ll create a new config file for the authentication information for the Google Apps account we’re going to use. Use your favourite text editor to create the file /etc/mail/authinfo with the following two lines of text:

AuthInfo:smtp.gmail.com "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"

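Next we need to hash the file and change the permissions to make it secure. The generated map, /etc/mail/authinfo.db, contains the same clear-text password as the source file, so lock down both.

$ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
$ chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db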

We’ll also need to modify the sendmail configuration to tell it where to find the certs, what host to use for relay, etc. With your text editor, open /etc/mail/sendmail.mc and search for the line containing MAILER(smtp)dnl. Just before this line, insert this text, then save and exit the text editor:

FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
define(`confAUTH_OPTIONS', `A')dnl

Now we need to update sendmail with the config file information and restart the sendmail service.

$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ service sendmail restart

To check that everything is working, run sendmail in address test mode. This will show the steps in parsing, and if there are any errors you’ll have to go back and verify the previous steps.

$ echo '/map authinfo AuthInfo:smtp.gmail.com' | /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> map_lookup: authinfo (AuthInfo:smtp.gmail.com) returns "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN" (0)
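
A pre-flight check for /etc/mail/authinfo, added here as an example and not part of the original guide: it flags typographic quotes, entries wrapped across lines, duplicate keys and loose permissions before makemap runs. The function name lint_authinfo and the sample account values are made up for illustration.

```shell
#!/bin/sh
# lint_authinfo FILE: print one finding per line; returns 0 if clean, 1 if not.
lint_authinfo() {
    f=$1; n=0; bad=0; seen=" "
    # The file holds the relay password in clear text: owner-only access.
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
        echo "permissions: group/other can access $f"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        [ -z "$line" ] && continue
        # Whatever survives deleting tab and printable ASCII is an 8-bit byte,
        # e.g. a typographic quote pasted from a web page.
        if [ -n "$(printf '%s' "$line" | LC_ALL=C tr -d '\11\40-\176')" ]; then
            echo "line $n: non-ASCII byte (curly quote?)"; bad=1
        fi
        # makemap folds keys to lower case; the key is the first field.
        key=$(printf '%s\n' "$line" | LC_ALL=C awk '{ print tolower($1) }')
        case $key in
            authinfo:*) ;;
            *) echo "line $n: does not start with AuthInfo: (wrapped entry?)"; bad=1 ;;
        esac
        # The key is not echoed: on a wrapped entry it contains the password.
        case $seen in
            *" $key "*) echo "line $n: duplicate key"; bad=1 ;;
        esac
        seen="$seen$key "
        case $line in
            *'"P:'*) ;;
            *) echo "line $n: no \"P:\" password token"; bad=1 ;;
        esac
    done < "$f"
    return "$bad"
}

# Constructed sample (placeholder account and password): the second entry
# carries typographic quotes, as happens when copying from a browser.
demo=$(mktemp) && chmod 600 "$demo"
printf '%s\n' \
  'AuthInfo:smtp.gmail.com "U:root" "I:user@example.com" "P:placeholder" "M:PLAIN"' \
  'AuthInfo:smtp.gmail.com:587 “U:root” “I:user@example.com” “P:placeholder” “M:PLAIN”' \
  > "$demo"
lint_authinfo "$demo" || echo "fix $demo before running makemap"
rm -f "$demo"
```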

Send a test email

Finally, the acid test: emailing via your sendmail Google Apps relay!

$ echo "This is a test" |
mail -s Test yourEmailAddress@yourDomain.com

If all has gone well, you should now be seeing your test email in your inbox.
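
To confirm that the test message actually left over a verified TLS session, the sendmail log can be checked; the following is an added example, not from the original guide. It assumes sendmail's default log format and the CentOS log location /var/log/maillog; check_relay_log, sample_log and the log lines are constructed for illustration.

```shell
#!/bin/sh
# check_relay_log [RELAY]: read sendmail log lines on stdin and print
# "<queue-id> <verdict>" for every delivery attempt to RELAY.
check_relay_log() {
    LC_ALL=C awk -v relay="${1:-smtp.gmail.com}" '
    # Both line types are written by the delivering process, so its pid
    # ("sendmail[4323]:") links a TLS handshake to the messages sent after it.
    !match($0, /sendmail\[[0-9]+\]:/) { next }
    { pid = substr($0, RSTART + 9, RLENGTH - 11) }
    /STARTTLS=client/ && index($0, "relay=" relay) {
        v = $0; sub(/.*verify=/, "", v); sub(/,.*/, "", v)
        verify[pid] = v     # OK means the server certificate verified
        next
    }
    / to=/ && index($0, "relay=" relay) {
        qid = $0; sub(/.*sendmail\[[0-9]+\]: /, "", qid); sub(/:.*/, "", qid)
        st = $0; sub(/.*stat=/, "", st); sub(/[ :(].*/, "", st)
        if (st != "Sent")              verdict = "not-delivered(" st ")"
        else if (!(pid in verify))     verdict = "sent-without-tls"
        else if (verify[pid] != "OK")  verdict = "sent-tls-unverified(" verify[pid] ")"
        else                           verdict = "sent-tls-verified"
        print qid, verdict
    }'
}

# Constructed log lines in sendmail format (addresses and ids are made up).
sample_log() {
cat <<'EOF'
Jun 26 10:15:02 pbx sendmail[4323]: STARTTLS=client, relay=smtp.gmail.com., version=TLSv1/SSLv3, verify=OK, cipher=RC4-SHA, bits=128/128
Jun 26 10:15:03 pbx sendmail[4323]: p5QGF1aa004321: to=user@example.com, ctladdr=root (0/0), delay=00:00:02, mailer=relay, pri=120045, relay=smtp.gmail.com. [192.0.2.10], dsn=2.0.0, stat=Sent (OK constructed)
Jun 26 10:20:11 pbx sendmail[4410]: STARTTLS=client, relay=smtp.gmail.com., version=TLSv1/SSLv3, verify=FAIL, cipher=RC4-SHA, bits=128/128
Jun 26 10:20:12 pbx sendmail[4410]: p5QGK2bb004408: to=user@example.com, ctladdr=root (0/0), delay=00:00:01, mailer=relay, pri=120045, relay=smtp.gmail.com. [192.0.2.10], dsn=2.0.0, stat=Sent (OK constructed)
Jun 26 10:25:40 pbx sendmail[4502]: p5QGM3cc004500: to=user@example.com, ctladdr=root (0/0), delay=00:01:00, mailer=relay, pri=120045, relay=smtp.gmail.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Connection timed out with smtp.gmail.com.
EOF
}

sample_log | check_relay_log   # on the PBX: check_relay_log < /var/log/maillog
```

A verdict of sent-tls-unverified means the message was still delivered but the server certificate did not verify, which points back at the confCACERT and confCACERT_PATH settings.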


Copyright Tyler Style 2015. All rights reserved.

Posted 2011-06-26 by Tyler in category "Technology", "Telecommunications"

About the Author

Totally a geek engineer type - I like to think, tinker and make things go BOOM! I'm also pretty introspective, and enjoy analyzing most things around me and talking about them (often to exasperation). I don't do much pop culture in general, and don't own a TV - give me lively debate with another inquiring mind instead any day of the week!

13 COMMENTS :

  1. By Yavor Tomov on

    Thanks for the great post.

    Watch when you copy and paste the text before the “MAILER(smtp)dnl”. Make sure the quotes are correct.

  2. By Brian on

    Hi and thanks in advance. I have several questions

    (1) You post the following output twice “writing new private key to ‘deleteme.pem’” I, of course, actually see either “writing new private key to ‘cakey.pem'” or “writing new private key to ‘sendmail.pem'”. If you are suggesting that the output files be deleted, when is that to occur?

    (2) There are several email address entry fields. One is “Email Address []:none@none.com” and one is “AuthInfo:smtp.gmail.com “U:root” “I:AppAccountEmailAddress” “. Clearly the latter is the gmail address. Is the former also? On a Debian Asterisk/FreePBX installation I had used Gmail as the SMTP server, but I want Asterisk to send the email to a non-gmail address. I was assuming “none@none.com” would/could be that “other” address. Am I incorrect?

    (3) I get to the step to hash — “hash the file and change the permissions to make it secure” — and I receive the following error:

    root@pbx:/usr/share/ssl/certs $ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
    makemap: /etc/mail/authinfo: line 4: key p:{thekeyinquestion}: duplicate key

    What is the Key that is being duplicated? I see at least 3 different passwords/keys involved here:

    When you "-keyout cakey.pem -out cacert.pem"
    When you "-keyout sendmail.pem -out sendmail.pem"
    and the PW for the relevant gmail account (which is what I would be using)

    (and a 4th, if there is some checking being done against the root password)

    1. By Tyler Style on

      Wow, quite the list! Let’s see if I can clear those questions up for you:

      (1) You post the following output twice “writing new private key to ‘deleteme.pem’” I, of course, actually see either “writing new private key to ‘cakey.pem’” or “writing new private key to ‘sendmail.pem’”. If you are suggesting that the output files be deleted, when is that to occur?

      The second command output should be writing new private key to ‘sendmail.pem’. Copy/paste error. I’ve corrected it 🙂 The “deleteme.pem” file can indeed be deleted when you’re done both commands, it’s an interim file.

      (2) There are several email address entry fields. One is “Email Address []:none@none.com” and one is “AuthInfo:smtp.gmail.com “U:root” “I:AppAccountEmailAddress” “. Clearly the latter is the gmail address. Is the former also? On a Debian Asterisk/FreePBX installation I had used Gmail as the SMTP server, but I want Asterisk to send the email to a non-gmail address. I was assuming “none@none.com” would/could be that “other” address. Am I incorrect?

      “none@none.com” is highlighted to indicate that you should replace it with your own value, just like all the other highlighted text. It doesn’t matter what you put in here, actually, as it’s just used for the self-generated SSL cert. If someone decides to inspect the cert, they’ll see that email address in it; it’s there solely to provide contact info. Nothing to do with configuring Asterisk.

      (3) I get to the step to hash — “hash the file and change the permissions to make it secure” — and I receive the following error:

      root@pbx:/usr/share/ssl/certs $ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
      makemap: /etc/mail/authinfo: line 4: key p:{thekeyinquestion}: duplicate key

      /etc/mail/authinfo should only have two lines, one for AuthInfo:smtp.gmail.com and one for AuthInfo:smtp.gmail.com:587. If it has four, you have not created it correctly. Edit it or delete it and try again.

      The “key” has nothing to do with the previous cert steps; it’s referring to the hashing key (ie, the gmail account information).

  3. By Stefan on

    Thanks for the great post, didn't think I would be able to get sendmail to work because my ISP (SBC) blocks outgoing port 25 so this is the perfect work around.  I did create another Gmail account just for this relay purpose so as not to "clutter up" my standard Gmail account.
    Worked great with PBX in a Flash "purple" install (iso 20624).  I did, however, have a few issues.  (Disclaimer – I am a Windows guy so this is my first attempt at the Linux world) Posting in case it helps someone else with limited Linux experience.
    I used VI as my editor and the copy/paste function from your sample files to my files always changed the quote symbol to a period.  So make sure you manually fix that prior to saving the file in VI. There may be another way, I just don't know what it is!
    When creating the AuthInfo file make sure to enter it as only 2 lines and not the four that it shows in the example.  Four lines won't work and comes up with an error when trying to send the test. Brian above also had this issue, just wanted to save you some time and trouble by mentioning again!
    I am sure that the experienced Linux guys know this, just not obvious to a Windows guy.

    1. By Tyler Style on

      Hey Stefan, glad you found it useful.  Sounds like whatever you’re using for SSH is causing your problems.  I favour putty myself.

      And the Authinfo isn’t actually on four lines, it’s just that the browser formatting introduces a line wrap 🙂  If you copy/pasted it, sounds like your copy/paste inserted the wrap as a line break instead. I added some text to make it explicit that it’s two lines of text, regardless.

      1. By albanyeye on

        Awesome write up!
        Thanks a lot!
        Changing the sender from root is as simple as adding username in authinfo? and adding user to sendmail trusted users? Can there be multiple users including root ?
        Mxtoolbox says my email server does not have TLS. Can’t be true, right?

        1. By Tyler Style on

          Thanks for the compliment 🙂

          I’ve not tried relaying for multiple users, as I’ve only ever cared about root on my PIAF box. However, I don’t see any reason why not.

          As for MXtoolbox reporting that your email server doesn’t have TLS, I couldn’t possibly comment meaningfully with so little info.

  4. By Frego on

    Wow, what a great article! Everything went fine for me up until I pasted in the text for /etc/mail/sendmail.mc (got an error on the m4 line). I think your closing quote should be the single tick near the enter key not the back tick. I made that change and then was able to get past the macro m4 line. But when I attempt to run sendmail in address text mode I get:

    root@pbx:/usr/share/ssl/certs $ echo ‘/map authinfo AuthInfo:smtp.gmail.com’ | /usr/sbin/sendmail -bt
    ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
    Enter
    > 8-bit character in mailbox address "authinfo AuthInfo:smtp.gmail.comb??"
    > root@pbx:/usr/share/ssl/certs $

    So it looks like it’s finding an invalid character on the authinfo line in the /etc/mail/sendmail.mc.

    Any idea which ticks are supposed to be which in that??

  5. By Frego on

    OK… I got it. The quotes on the /etc/mail/authinfo for the credentials was also wrong. Great guide! Could only be improved by using the code tag to fix those pesky quotes. Thanks for the info!

    1. By Tyler Style on

      Bah… sometimes WP can be most annoying. I originally entered those with HTML escape codes, but then WP converted them into characters, and then later converted them into “curly” quotes. Fie upon it! I’ve put <code> tags around them now. Thanks for the heads up, and I’m glad you found it helpful!

  6. By James Mills on

    Thank you! This worked perfectly! I normally use esmtp which is much simpler to configure for use with an external SMTP relay host. Thanks again! –James
