August 9, 2018

Using Google gmail for outbound smtp on macOS (High Sierra)

Topic

You might want to use Google Apps mail or Gmail as the outbound SMTP server on your Apple Macintosh computer. Postfix can be configured easily for this, and then scripts and applications can send mail from your Apple computer. There is no need to configure the server portion of SMTP (smtpd); just configure the smtp client. You do not need to create any certificates either. You can use the anonymous ciphers, but to properly validate the certificate Google presents in the TLS handshake you will need to add some root certificates. This post will show how to do it.

Create password File

First create /etc/postfix/relay_password with the server name, email account name and password as shown below. This configuration should work with Gmail accounts as well as with Google hosted personal domain email accounts. I use a personal domain email account. It also works with both Google smtp servers shown below. You will most likely need to preface all these commands with "sudo" to gain the needed privileges.

smtp.googlemail.com youremail@gmail.com:yourpassword
smtp.gmail.com youremail@googlehosteddomain.com:yourpassword

Then use postmap to create a .db file:

postmap /etc/postfix/relay_password

Make sure the map is OK with

postmap -q smtp.gmail.com /etc/postfix/relay_password

It should show the entry for that server.

Root Certificate Authority Certificates

The Mac needs the Google certificate authority roots to validate Google's TLS certificate. Google uses GlobalSign certificates, but it's probably best to get them all. The downside is that you have to manually update these certificates periodically. If you don't get the certificates you will get an "Untrusted" connection error in the logs from postfix.

Option 1

You can extract a single file with all the roots from the Mac keychain.

  • security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > apple-root-certs.pem
  • put the file in /etc/ssl/certs
  • use it in postfix with this main.cf line
  • smtp_tls_CAfile = /etc/ssl/certs/apple-root-certs.pem
Option 2

I found them in the Raspberry Pi Debian distribution in the /etc/ssl/certs directory. Tar them up and put them in /etc/ssl/certs on the Mac (note that the rehash loop and the Option 2 main.cf line below use /etc/postfix/certs; whichever directory you use, it must be the same in both places). You will need to "rehash" them for postfix to read them. It's probably a setting in postfix that requires the rehash, but I don't know where it is.

cd /etc/postfix/certs
# link each root as <subject-hash>.0 so OpenSSL can find it by hash (replaces c_rehash)
for file in *.crt; do ln -s "$file" "$(openssl x509 -hash -noout -in "$file")".0; done
That 'for' loop replaces the old openssl c_rehash command that got lost with LibreSSL I guess.

Configure postfix

Now you are ready to configure postfix. Add these lines to the bottom of /etc/postfix/main.cf. Postfix reads a line as a comment only when it begins with "#", so keep comments on their own lines rather than after a value.

# 2018-08-09
relayhost = smtp.googlemail.com:587
#
compatibility_level = 2
# auth
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_security_options = noanonymous
smtp_sasl_mechanism_filter = login auth
# tls
# "may" is opportunistic: an untrusted server certificate is logged but the mail
# is still sent; "secure" would make postfix refuse to send without a valid chain
smtp_tls_security_level = may
# choose one CA option and use only that line
# Option 1
smtp_tls_CAfile = /etc/ssl/certs/apple-root-certs.pem
# Option 2
#smtp_tls_CApath = /etc/postfix/certs
# one cache line is enough; if a parameter appears twice postfix uses the last value
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_loglevel = 1
tls_random_source = dev:/dev/urandom
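An added sanity check that is not part of the original post: this Python script parses a main.cf fragment and the relay_password file and reports the mistakes that are easy to make in this setup (a parameter set twice, a "####" comment that becomes part of the value, no password entry for the relayhost, both CA options set at once, and a security level of "may" that only logs an untrusted certificate). The sample inputs are constructed from the lines in this post.

```python
import re

# Constructed sample of the main.cf lines from this post, keeping two mistakes the
# checker should catch: an inline "####" comment and both CA options set at once.
SAMPLE_MAIN_CF = """\
relayhost = smtp.googlemail.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/apple-root-certs.pem  #### Option 1
smtp_tls_CApath = /etc/postfix/certs
smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""
SAMPLE_RELAY_PASSWORD = "smtp.googlemail.com youremail@gmail.com:yourpassword\n"

def parse_main_cf(text):
    """Return ({param: value}, [params set more than once]); only a line starting with '#' is a comment."""
    params, dupes = {}, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key in params:
            dupes.append(key)
        params[key] = value.strip()  # anything after the value stays in the value
    return params, dupes

def check_relay_config(main_cf, relay_password):
    """Return a list of findings; empty means the relay settings are consistent."""
    params, dupes = parse_main_cf(main_cf)
    findings = [f"{k}: set twice, only the last value is used" for k in dupes]
    findings += [f"{k}: value {v!r} contains '#' (inline comments are not stripped)"
                 for k, v in params.items() if "#" in v]
    if params.get("smtp_sasl_auth_enable") != "yes":
        findings.append("smtp_sasl_auth_enable is not 'yes': the client will not log in")
    # The password map key is the relayhost without the optional [ ] and :port.
    host = re.sub(r"^\[?([^\]:]+)\]?(:\d+)?$", r"\1", params.get("relayhost", ""))
    creds = dict(l.split(None, 1) for l in relay_password.splitlines() if len(l.split(None, 1)) == 2)
    if host not in creds:
        findings.append(f"relay_password has no entry for {host!r}")
    level = params.get("smtp_tls_security_level", "none")
    if level in ("may", "encrypt") and (params.get("smtp_tls_CAfile") or params.get("smtp_tls_CApath")):
        findings.append(f"smtp_tls_security_level={level}: an 'Untrusted' server certificate "
                        "is only logged, not rejected; use 'secure' to enforce the CA check")
    if params.get("smtp_tls_CAfile") and params.get("smtp_tls_CApath"):
        findings.append("both smtp_tls_CAfile and smtp_tls_CApath are set: use only one option")
    return findings
```

Run it on your own files with check_relay_config(open("/etc/postfix/main.cf").read(), open("/etc/postfix/relay_password").read()).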

Testing

Test by using /usr/bin/mail to send an email. Apple got rid of /var/log/mail.log. Now you have to use

sudo log stream --predicate '(process == "smtpd") || (process == "smtp")' --info

This gives you a live log window; run this command before sending the mail to view its progress. Launchd watches a directory and will start postfix when the test email is sent.

You may need to let postfix re-read the config files. Use launchctl, or sudo postfix stop followed by sudo postfix start, to stop and start the process.

Other

Another oddity of High Sierra is the duplication of the postfix launchd plist files in /System/Library/LaunchDaemons. It seems the new one is com.apple.postfix.master.plist and the older one is org.postfix.master.plist. I unloaded the older one with launchctl unload -w org.postfix.master.plist.

Many references were used to finally get this figured out. One of the best was imamba. High Sierra caused me to do more research at various places. The key to fixing High Sierra was this line: smtp_sasl_mechanism_filter = login auth.

This basically works on Raspberry Pi Debian also.

This is an updated version of an earlier post that got edited so much it was hard to follow.
