LEDE / OpenWRT: Relaying Mail to G Suite / Gmail With Postfix

by

Configure a device running LEDE to accept SMTP messages unauthenticated and relay them to a Gmail / G Suite SMTP server with credentials.

Configure a Gmail / G Suite Account

Direct access to google’s SMTP servers is rarely needed by the average user and less secure, so you will have to enable access to less secure apps. I HIGHLY recommend creating a new gmail account or user in your G Suite organization. Allow less secure apps: Gmail or G Suite.

Install Postfix

The postfix package will take up ~3.75MB of space on your device. If your device does not have enough internal storage, you may have to install packages to an external storage device.

Backup your existing configuration, copy it to a remote device, and delete it:
sysupgrade --create-backup ~/backup.tar.gz
scp ~/backup.tar.gz user@host:/path
rm ~/backup.tar.gz
Install and then stop postfix:
opkg upate
opkg install postfix
/etc/init.d/postfix stop

Configure Postfix

Create a file called /etc/postfix/sasl_passwd and add the following line to it. If you are using G Suite, replace gmail.com with your domain.
[smtp.gmail.com]:587	username@gmail.com:password
Edit the file /etc/postfix/main.cf
By default postfix listens on port 25 of all internal interfaces. Override that by adding:
inet_interfaces = ipaddress
Add the settings from the Gmail SMTP server section of this document.
relayhost = [smtp.gmail.com]:587                              
smtp_use_tls = yes                  
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options =

Postfix grants the ability to relay mail to clients defined in the variable mynetworks. By default /etc/postfix/main.cf contains the line mynetworks_style = subnet which causes postfix to define mynetworks as any subnet that postfix has an interface on, including the WAN.

To see what is currently in mynetworks, run:
postconf | grep mynetworks\ =
Manually defining mynetworks causes postfix to ignore mynetworks_style. Do so by adding the following line:
mynetworks = 192.168.1.1 192.168.2.0/24 192.168.0.0/16
Harden your system by adding the following line:
disable_vrfy_command = yes
Apply these changes by running:
/etc/init.d/postfix start

Backups

By default the password file we created (/etc/postfix/sasl_passwd) will not be backed up or preserved after a firmware upgrade.

To add it to manifest of files that will be backed up run:
echo '/etc/postfix/sasl_passwd' >> /etc/sysupgrade.conf

Troubleshooting

Show queued, delayed, and pending messages:
postqueue -p
Process queued mail:
postqueue -f
Delete all queued mail:
postsuper -d ALL

Leave a Comment