PBX in a Flash is a CentOS based distro meant to make setting up Asterisk quick and easy. It comes with sendmail, which is fine if you don't already have an email system set up. However, most of my clients use Google Apps for Business for email and so I wanted to integrate PIAF with existing Google Apps. I found a decent little tutorial aimed at Gmail users that helped me set up sendmail as an SMTP relay to Google Apps. It was missing a few bits and bobs and the English isn't too good so I thought I'd write my own guide based on the tutorial and my own experience.

A big reason for using Google Apps was that until a few months ago the free version supported 50 users (now reduced to 10). 50 users is more than enough for most small to medium businesses, and saves everyone the headache of having to maintain enterprise level email services for an SMB. Who wants to keep on top of spam, anti-phishing, etc. when Google will do such a fantastic job for you? Especially given the amazing other tools that come along with it like Google Docs and Google Voice. However, this method will work just fine with a regular Gmail account as well; the only difference is that you use your Gmail email address instead of your Google Apps email address for authentication.

Without further ado, here are the steps I took using PIAF 1.7.5.6.2 based on CentOS 5.6 (32bit). All commands are run as root. Beware, your mileage may vary!

Check sendmail has SASL & TLS

Google Apps uses TLS for encryption and SASL for authentication. You'll need to have a version of sendmail that was compiled with these options on your machine.

$ /usr/sbin/sendmail -d0.1 -bv root
Version 8.13.8
Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX
MATCHGECOS MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6
NETUNIX NEWDB NIS PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
TCPWRAPPERS USERDB USE_LDAP_INIT
============ SYSTEM IDENTITY (after readcf) ============
(short domain name) $w = pbx
(canonical domain name) $j = pbx.local
(subdomain name) $m = local
(node name) $k = pbx.local
========================================================
root... deliverable: mailer local, user root

 

Bonus, this version of PIAF’s sendmail is already compiled with TLS and SASL! Nothing needed to be done.

Check SASL is version 2.1.21 or higher

$ yum list | grep sasl
cyrus-sasl.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-lib.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-plain.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-devel.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-gssapi.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ldap.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-md5.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-ntlm.i386 2.1.22-5.el5_4.3 base
cyrus-sasl-sql.i386 2.1.22-5.el5_4.3 base

 

Excellent, PIAF is good to go for this as well!
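
The two prerequisite checks above can be scripted instead of read by eye. This is an added example, not part of the original tutorial; the function names are hypothetical and the sample input is constructed to resemble the output shown above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, sample data is constructed.

# Reads `sendmail -d0.1 -bv root` output on stdin; succeeds if the
# "Compiled with:" list (it wraps over several lines) contains option $1.
has_compile_option() {
    awk -v want="$1" '
        /Compiled with:/  { inlist = 1; sub(/.*Compiled with:/, "") }
        /SYSTEM IDENTITY/ { inlist = 0 }
        inlist { for (i = 1; i <= NF; i++) if ($i == want) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Reads `yum list` output on stdin; prints the version of the installed
# cyrus-sasl package with the release suffix (after "-") stripped.
installed_sasl_version() {
    awk '$1 ~ /^cyrus-sasl\./ && $3 == "installed" { sub(/-.*/, "", $2); print $2; exit }'
}

# Succeeds if dotted version $1 >= $2, comparing each component numerically.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# $1 = sendmail debug output, $2 = yum list output.
preflight() {
    for opt in SASLv2 STARTTLS; do
        printf '%s\n' "$1" | has_compile_option "$opt" ||
            { echo "sendmail lacks $opt"; return 1; }
    done
    v=$(printf '%s\n' "$2" | installed_sasl_version)
    [ -n "$v" ] && version_ge "$v" 2.1.21 ||
        { echo "cyrus-sasl ${v:-missing} is older than 2.1.21"; return 1; }
    echo "ok: SASLv2 + STARTTLS, cyrus-sasl $v"
}

# Constructed sample input, modelled on the output shown in the guide.
SAMPLE_SENDMAIL='Version 8.13.8
 Compiled with: DNSMAP HESIOD LOG MAP_REGEX
                MILTER PIPELINING SASLv2 SCANF SOCKETMAP STARTTLS
                TCPWRAPPERS USERDB
============ SYSTEM IDENTITY (after readcf) ============'
SAMPLE_YUM='cyrus-sasl.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-lib.i386 2.1.22-5.el5_4.3 installed
cyrus-sasl-md5.i386 2.1.22-5.el5_4.3 base'

preflight "$SAMPLE_SENDMAIL" "$SAMPLE_YUM"
# On a live box: preflight "$(/usr/sbin/sendmail -d0.1 -bv root 2>&1)" "$(yum list)"
```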

Check that the SASL daemon is running as a service

On my machine, SASL wasn’t running as a service:

$ chkconfig --list saslauthd
saslauthd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

 

However, this is easy to fix:

$ chkconfig saslauthd on
$ /sbin/service saslauthd start

 

Now when you check, SASL should be running:

$ chkconfig --list saslauthd
saslauthd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

 

Create SSL certificate

Using a secure channel requires a security certificate, so if you don’t have one already you’ll need to create one.

$ mkdir /usr/share/ssl
$ mkdir /usr/share/ssl/certs
$ cd /usr/share/ssl/certs
$ cp /etc/pki/tls/certs/ca-bundle.crt /usr/share/ssl/certs/
$ openssl req -new -x509 -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
….++++++
……………………++++++
writing new private key to 'deleteme.pem'
Enter PEM pass phrase: enter whatever passphrase you want here
Verifying - Enter PEM pass phrase: reenter the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com

 

Make sure you enter your own information for the country name, etc.

$ openssl req -nodes -new -x509 -keyout sendmail.pem -out sendmail.pem -days 3650

Generating a 1024 bit RSA private key
…………………………………………………++++++
……………………………………++++++
writing new private key to 'sendmail.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CA]:
State or Province Name (full name) [Alberta]:
Locality Name (eg, city) [Edmonton]:
Organization Name (eg, company) [MySolutions IT]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:nirdvana.com
Email Address []:none@none.com

Great, the security cert should be generated!

Configure sendmail

Now we’ll create a new config file for the authentication information for the Google Apps account we’re going to use. Use your favourite text editor to create the file /etc/mail/authinfo with the following text:

AuthInfo:smtp.gmail.com "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"
AuthInfo:smtp.gmail.com:587 "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN"

 

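Next we need to build the hash map database (/etc/mail/authinfo.db) from this file and restrict the permissions. "Hash" here refers to the map type, not to hashing the password: both the text file and the .db file contain the password in clear text, so lock down both.

$ makemap hash /etc/mail/authinfo < /etc/mail/authinfo
$ chmod 600 /etc/mail/authinfo /etc/mail/authinfo.db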
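
At this point three files from this guide hold secrets: /etc/mail/authinfo and the /etc/mail/authinfo.db map built from it (both carry the relay password), and sendmail.pem, whose private key was written unencrypted because of -nodes. The following audit is an added example, not part of the original tutorial; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: function names are hypothetical; paths are the guide's own.

# Returns 0 if FILE grants nothing to group or others,
# 1 if it is readable/writable beyond its owner, 2 if it does not exist.
secret_file_ok() {
    [ -f "$1" ] || return 2
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Prints one line per file; the return value is the number of files
# that are missing or exposed (0 means everything is locked down).
audit_secret_files() {
    bad=0
    for f in "$@"; do
        rc=0
        secret_file_ok "$f" || rc=$?
        case $rc in
            0) echo "ok       $f" ;;
            2) echo "missing  $f"; bad=$((bad + 1)) ;;
            *) echo "EXPOSED  $f ($(ls -ld "$f" | cut -c1-10)): chmod 600 it"
               bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Usage on the PBX, as root:
#   audit_secret_files /etc/mail/authinfo /etc/mail/authinfo.db \
#       /usr/share/ssl/certs/sendmail.pem
```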

 

We'll also need to modify the sendmail configuration to tell it where to find the certs, what host to use for relay, etc. With your text editor, open /etc/mail/sendmail.mc and search for the line containing MAILER(smtp)dnl. Just before this line, insert this text, save and exit the text editor:

FEATURE(`authinfo',`hash /etc/mail/authinfo.db')
define(`SMART_HOST',`smtp.gmail.com')dnl
define(`RELAY_MAILER_ARGS', `TCP $h 587')
define(`ESMTP_MAILER_ARGS', `TCP $h 587')
define(`confCACERT_PATH',`/usr/share/ssl/certs')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')
define(`confAUTH_OPTIONS', `A')dnl

Now we need to update sendmail with the config file information and restart the sendmail service.

$ m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
$ service sendmail restart

 

To check that everything is working, run sendmail in address test mode. This will show the steps in parsing, and if there are any errors you'll have to go back and verify the previous steps.

$ echo '/map authinfo AuthInfo:smtp.gmail.com' | /usr/sbin/sendmail -bt
ADDRESS TEST MODE (ruleset 3 NOT automatically invoked)
Enter <ruleset> <address>
> map_lookup: authinfo (AuthInfo:smtp.gmail.com) returns "U:root" "I:AppAccountEmailAddress" "P:AppAccountPassword" "M:PLAIN" (0)

 

Send a test email

Finally, the acid test: emailing via your sendmail Google Apps relay!

$ echo "This is a test" | mail -s Test yourEmailAddress@yourDomain.com

If all has gone well, you should now be seeing your test email in your inbox. 
