Before this fix became the primary setup on my Ubuntu 8.xx server, I went through a long journey, which I summarize here in my own guide. One of the problems in those days was that server-side mail-out (PHP mail()) was not working. I remember it working wonderfully out of the box with web-based SquirrelMail, but after some time that was no longer the case, not even from client-side mail apps such as Thunderbird or Evolution. My server simply would not let me send mail, no matter what: timeouts and "unreachable" all the time. Outbound SMTP on port 25 from a residential dynamic IP is the killer: even if you check that the port is open to the public, you never expect it to be blocked at the far end as part of spam prevention. Gmail accepts mail on port 587, the message-submission port, instead of port 25, and I have yet to monitor the performance.
The main reason I am releasing this guide is that most of the guides I found were not straightforward; the road was quite bumpy when I followed them. Somehow I managed to get it working in slightly more than a day, with a closed solution rather than an open-ended situation, for other people like me who are searching around. I rely on online sources of income. Please consider donating from the heart, as we have been on the same trip. This guide serves as a boat to take you to your desired location, and it is knowledge I dedicate to the open-source community. The decision is yours.
Postfix must be built with TLS and SASL2 support (the Ubuntu package is). If the packages are not installed yet, install them together with the system CA bundle:
: sudo aptitude install postfix libsasl2-2 ca-certificates libsasl2-modules
Before the TLS session can be established, Postfix needs the certificate authority that signed Gmail's server certificate (Thawte Premium Server CA, as of January 2010) in its CA file. This guide also creates its own CA with OpenSSL and uses it to issue a certificate for the Postfix server itself; Gmail's CA is appended to that CA file afterwards. Do these steps:
: cd ~
: /usr/lib/ssl/misc/CA.pl -newca
If you mess up the first CA, remove ~/demoCA and try again. If OpenSSL complains that it is "unable to write 'random state'", ~/.rnd is owned by another user (typically root, after openssl was run with sudo); give it back to the user you are working as (superadmin here stands for that account):
: sudo chown superadmin:superadmin ~/.rnd
The -newca run asks for a pass phrase for the new CA key (cakey.pem) and then for the CA's distinguished name. Example answers, with the defaults shown in brackets:
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
Country Name (2 letter code) [US]:US
State or Province Name (full name) [Los Angeles]:Los Angeles
Locality Name (eg, city) []:Los Angeles
Organization Name (eg, company) []:Airkayu
Common Name (eg, YOUR name) []:Mark
Email Address []:username@gmail.com
Next, create the server key and certificate request and sign the request with the new CA. The CN should be your mail server's host name (domain.com is a placeholder). Note that openssl req ignores -days unless -x509 is given, so the validity period must be passed to openssl ca, which otherwise uses default_days from openssl.cnf:
: openssl req -new -nodes -subj '/CN=domain.com/O=Airkayu/C=US/ST=Los Angeles/L=Los Angeles/emailAddress=username@gmail.com' -keyout FOO-key.pem -out FOO-req.pem
: openssl ca -days 3650 -out FOO-cert.pem -infiles FOO-req.pem
Install the files into /etc/postfix (root-owned, so use sudo) and restrict the private key:
: sudo cp demoCA/cacert.pem FOO-key.pem FOO-cert.pem /etc/postfix
: sudo chmod 644 /etc/postfix/FOO-cert.pem /etc/postfix/cacert.pem
: sudo chmod 400 /etc/postfix/FOO-key.pem
Gmail's CA certificate (not a fingerprint) must be appended to the end of /etc/postfix/cacert.pem:
-----BEGIN CERTIFICATE-----
(base64 certificate body, copied from the Thawte file named below)
-----END CERTIFICATE-----
The original is published at www.thawte.com/roots as 'ThawtePremiumServerCA_b64.txt'. You can skip this step if you only want to fix the mail-out problem: with smtp_use_tls = yes, TLS is opportunistic and Postfix still delivers when it cannot verify the peer, but it then logs the session as "Untrusted TLS connection" instead of "Trusted"; verification is only enforced with smtp_tls_security_level = verify or secure. If the appended certificate does not match Gmail's chain exactly, the error is visible in the mail log.
: sudo sh -c 'cat ThawtePremiumServerCA_b64.txt >> /etc/postfix/cacert.pem'
Open /etc/postfix/main.cf and append the following lines at the end of the file.
## TLS Settings
#
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_cert_file = /etc/postfix/FOO-cert.pem
smtp_tls_key_file = /etc/postfix/FOO-key.pem
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_use_tls = yes
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_cert_file = /etc/postfix/FOO-cert.pem
smtpd_tls_key_file = /etc/postfix/FOO-key.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_session_cache
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
#
## SASL Settings
# Inbound AUTH to THIS server is not needed (this box only relays out)
smtpd_sasl_auth_enable = no
# Outbound: authenticate to Gmail as an SMTP client
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtpd_sasl_local_domain = $myhostname
smtp_sasl_security_options = noanonymous
#smtp_sasl_security_options =
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_application_name = smtpd
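The same TLS/SASL section with the client-side settings tightened, as an added example that is not part of the original guide. It assumes Postfix 2.3 or later (which understands smtp_tls_security_level) and the system CA bundle that the ca-certificates package installed at the start; each weak line from the guide is shown commented out above its replacement.

```ini
# Added example, not from the original guide. Assumes Postfix 2.3+ and the
# ca-certificates package (installed in the first step of the guide).

# Weak: smtp_use_tls = yes is the pre-2.3 spelling of security level "may":
# TLS is optional, and a failed STARTTLS falls back to a cleartext session.
# smtp_use_tls = yes
# "secure" requires TLS, verifies the server certificate against the CA file
# and checks that its name matches the nexthop (smtp.gmail.com). If you only
# want to guarantee encryption without certificate checks, use "encrypt".
smtp_tls_security_level = secure

# Weak: a home-made cacert.pem that has to be hand-patched with Gmail's CA.
# Use the system trust store instead and log the verification result, so
# "Trusted"/"Untrusted TLS connection" lines appear in mail.log.
# smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Weak: noanonymous alone still permits PLAIN/LOGIN over a cleartext session,
# which would send the Gmail password in the clear if TLS were not in use.
# Forbid plaintext mechanisms unless TLS is up; the TLS-specific option list
# must still allow them because Gmail only offers PLAIN and LOGIN.
# smtp_sasl_security_options = noanonymous
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous

# Not needed for Gmail: it never asks the client for a certificate, so the
# smtp_tls_cert_file / smtp_tls_key_file settings can be dropped from the
# client side (they remain useful for smtpd if you accept inbound TLS).

# The transport map in the guide only redirects mail addressed to gmail.com.
# Port 25 is blocked for every destination, so relay everything through Gmail:
relayhost = [smtp.gmail.com]:587
```

With relayhost set, the transport map and transport_maps setting are no longer required; the sasl_passwd key must still be written exactly as `[smtp.gmail.com]:587` so the password lookup matches the relay destination.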
Create /etc/postfix/transport (or edit it if it already exists) with the lines below. Postfix only consults this map if main.cf points at it, so also add transport_maps = hash:/etc/postfix/transport to main.cf. Note that this routes only mail addressed to gmail.com recipients through Gmail; mail to every other domain is still sent directly on the blocked port 25. To push all outbound mail through Gmail, set relayhost = [smtp.gmail.com]:587 in main.cf instead of using the transport map.
# Contents of /etc/postfix/transport
#
# This sends mail for gmail.com recipients to Gmail's submission port
gmail.com smtp:[smtp.gmail.com]:587
#
Create /etc/postfix/sasl_passwd. The key must match the destination exactly as written in the transport map (brackets and port included). The file holds your Gmail password in clear text, so it must be owned by root and readable by nobody else; postmap writes a sasl_passwd.db next to it that needs the same protection.
#contents of sasl_passwd
#
[smtp.gmail.com]:587 username@gmail.com:password
: sudo chown root:root /etc/postfix/sasl_passwd
: sudo chmod 400 /etc/postfix/sasl_passwd
: sudo postmap /etc/postfix/sasl_passwd
: sudo chmod 400 /etc/postfix/sasl_passwd.db
: sudo chmod 400 /etc/postfix/transport
: sudo postmap /etc/postfix/transport
: sudo /etc/init.d/postfix restart
Finally, remove the working copies from your home directory. Removing demoCA/ also deletes the CA's private key, so keep that directory if you intend to issue more certificates from this CA later.
: cd ~
: rm FOO-req.pem FOO-cert.pem FOO-key.pem && rm -r demoCA/
-== The end ==-
How do I check whether my mail re-routing works or not?
Send a real test message, or just verify that the address is deliverable, then look at the last lines of the mail log:
: echo test | sendmail username@gmail.com
: sendmail -bv username@gmail.com
: tail /var/log/mail.log
Look at the status= field of each postfix/smtp line. status=sent (with Gmail's 250 2.0.0 OK) means the relay works; sendmail -bv reports status=deliverable instead. status=deferred with "Connection timed out" on port 25 means the mail is still going out directly rather than through Gmail (check transport_maps or relayhost); status=bounced with a 530 or 535 reply from smtp.gmail.com means the SASL login was rejected; "Relay access denied" means the receiving server refused to relay for you. A line saying "Untrusted TLS connection" means TLS is up but Gmail's CA is not in smtp_tls_CAfile.
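A small script that sorts the postfix/smtp lines from the mail log into the outcomes described above, as an added example that is not part of the original guide. The sample log lines are constructed to mimic the Postfix 2.x format (queue IDs, recipients and the 192.0.2.0/24 documentation addresses are made up); run it against a real log with `sudo tail -n 50 /var/log/mail.log | relay_summary`.

```shell
#!/bin/sh
# Added example, not from the original guide: classify postfix/smtp log lines
# so the result of the Gmail relay test is obvious at a glance.

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG='Jan 10 12:00:01 host postfix/smtp[1234]: Trusted TLS connection established to smtp.gmail.com[192.0.2.1]:587: TLSv1 with cipher AES128-SHA (128/128 bits)
Jan 10 12:00:02 host postfix/smtp[1234]: ABC123: to=<username@gmail.com>, relay=smtp.gmail.com[192.0.2.1]:587, delay=1.2, delays=0.1/0.2/0.5/0.4, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:05:00 host postfix/smtp[1300]: DEF456: to=<someone@example.org>, relay=none, delay=120, delays=0/0/120/0, dsn=4.4.1, status=deferred (connect to mail.example.org[192.0.2.10]:25: Connection timed out)
Jan 10 12:06:00 host postfix/smtp[1301]: GHI789: to=<someone@example.org>, relay=smtp.gmail.com[192.0.2.1]:587, delay=2, delays=0.1/0.2/1/0.7, dsn=5.5.1, status=bounced (host smtp.gmail.com[192.0.2.1] said: 530 5.5.1 Authentication Required (in reply to MAIL FROM command))
Jan 10 12:07:00 host postfix/smtp[1302]: Untrusted TLS connection established to smtp.gmail.com[192.0.2.1]:587: TLSv1 with cipher AES128-SHA (128/128 bits)'

# classify_line LINE: print one verdict for a single log line.
# Order matters: "Untrusted" must be tested before "Trusted", since the
# latter is a substring of the former.
classify_line() {
    case "$1" in
        *"status=sent"*)                                   echo sent ;;
        *"status=deliverable"*)                            echo deliverable ;;
        *"status=deferred"*":25: Connection timed out"*)   echo port25_blocked ;;
        *"status=deferred"*)                               echo deferred ;;
        *"status=bounced"*" 530 "*|*"status=bounced"*" 535 "*) echo auth_failed ;;
        *"status=bounced"*)                                echo bounced ;;
        *"Untrusted TLS connection established"*)          echo tls_unverified ;;
        *"Trusted TLS connection established"*|*"Verified TLS connection established"*) echo tls_ok ;;
        *)                                                 echo other ;;
    esac
}

# relay_summary: read log lines on stdin, print delivery counters.
# port25_blocked is counted as deferred because Postfix will keep retrying it.
relay_summary() {
    sent=0; deferred=0; auth=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            sent)                    sent=$((sent + 1)) ;;
            deferred|port25_blocked) deferred=$((deferred + 1)) ;;
            auth_failed)             auth=$((auth + 1)) ;;
        esac
    done
    echo "sent=$sent deferred=$deferred auth_failed=$auth"
}

# Usage on the constructed sample: one verdict per line, then the totals.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%-15s %s\n' "$(classify_line "$line")" "${line#*postfix/smtp*: }"
done
printf '%s\n' "$SAMPLE_LOG" | relay_summary
```

A verdict of port25_blocked after the setup means the message never went to Gmail at all, which points at a missing transport_maps or relayhost entry rather than at TLS or SASL.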