GMail, y u no accept SMTP AUTH from Exim? Plus: app-specific passwords for your Exim4 satellite.

First, let me start off by saying I don’t have an answer to why GMail throws a “530-5.5.1 Authentication Required. Learn more at http://support.google.com/mail/bin/answer.py?answer=14257”, specifically the “y u no.” I don’t know. But I combined several searches into a workaround that appears to be getting mail through, though it’s coming from my GMail username and not the username actually sending mail from the Exim4-equipped Debian box.

Why use GMail as an Exim4 smarthost in the first place?

The most likely use case for doing this is so you can use something like apticron, or otherwise get emails from sad scripts on your doorstop server sent to someplace where you’ll actually see them.  Thus, I’ll assume you don’t care that they appear to come from yourname@gmail.com rather than root@yourbox.localdomain or whatever.  (In my experience with non-gmail Exim “smarthost” setups, emails do appear to come from their proper source.)

There are a couple other reasons to use GMail as an Exim smarthost: maybe you don’t have another email provider yet (though you should, and fully non-US), or maybe you have a great email provider who doesn’t yet support app-specific passwords.

An accurate representation of your life if your real email gets pwned.

To me, app-specific passwords are GMail’s killer app in providing SMTP smarthost service to random Linux boxes that might get pwned eventually.

You do not want your real email password in /etc/exim4/passwd.client.  NO NO NO.  If you are doing that, stop it right now and either use GMail or another provider which supports app-specific passwords, or a throwaway account.  Why?  Because if that machine gets cracked and the cracker gets your real email password?  You’re done.  Game over, man.  Game over.

Best practice for using GMail as an Exim SMTP “smarthost”

  1. For each machine where you do this, set up an app-specific password in the Google account you want to use. You should make a different password for every machine so you can revoke passwords for decommissioned or hacked machines.
  2. Run dpkg-reconfigure exim4-config as root, and set it to be a “smarthost” using smtp.gmail.com::587 as the SMTP server.
  3. Edit /etc/exim4/passwd.client to contain the following (herein lies the magic workaround which I don’t care to research further to explain why it works):

    gmail-smtp.l.google.com:your.name@gmail.com:appspecificpasswd
    *.google.com:your.name@gmail.com:appspecificpasswd
    smtp.gmail.com:your.name@gmail.com:appspecificpasswd

  4. As root, service exim4 restart
  5. Then, you might want to do something to test it, like this 1970s command. Test this as a normal user AND as root, since root often has forwards set up in that dpkg-reconfigure step (or elsewhere, like ~/.forward) that you might need to work on separately.

    mail -s 'lol test subject' some@email.com

    Now, type some stuff, and to send the mail, enter a period by itself on a blank line (I told you it was 70s).

  6. The mail should go through. (If you have problems with root, or with scripts that mail root, sometimes so do I and maybe I’ll come back and update this post.)  Just be aware that greylisting and other anti-spam techniques may cause your mail, especially when Google and your own receiving email provider aren’t “accustomed” to seeing it from this source, to be delayed or marked as spam.  Be patient, and check the spam folder.
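
A way to check the result of steps 3 and 4 before relying on it, as an added example that is not part of the original post. The first function reports which login the file yields for a given server name (on Debian, exim4_passwd_client(5) says the key is the name Exim gets from reverse DNS for the server, which is the case the `*.google.com` line covers), and the second confirms the file is closed to other local users. The function names and the simplified matching (exact name, or a leading `*` meaning "ends with") are assumptions of this example, not Exim's own code.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the login of the first entry in FILE whose host field matches HOST.
# Handles the two key forms used above: an exact name, and "*suffix"
# (leading asterisk = "ends with"). First match wins; the secret is never printed.
passwd_client_login() {
    file=$1 host=$2
    while IFS=: read -r key login _secret; do
        case $key in
            ''|'#'*) continue ;;                    # blank line or comment
            '*'*)    suffix=${key#\*}
                     case $host in
                         *"$suffix") printf '%s\n' "$login"; return 0 ;;
                     esac ;;
            *)       if [ "$key" = "$host" ]; then
                         printf '%s\n' "$login"; return 0
                     fi ;;
        esac
    done < "$file"
    return 1                                        # no entry covers HOST
}

# Succeed only if FILE grants no read/write/execute bits to "other", so an
# unprivileged local account cannot read the app-specific password.
passwd_client_private() {
    [ -z "$(find "$1" -prune \( -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# Demo on a constructed sample file: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    printf '%s\n' '*.google.com:your.name@gmail.com:appspecificpasswd' > "$sample"
    chmod 640 "$sample"
    passwd_client_login "$sample" gmail-smtp.l.google.com   # your.name@gmail.com
    passwd_client_private "$sample" && echo "permissions ok"
    rm -f "$sample"
fi
```

On Debian the real file is normally owned by root with group Debian-exim and mode 640, so run the checks as root against /etc/exim4/passwd.client.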

 
