gsuite gmail smtp-relay from google compute engine

rickb asked:

Can’t get this to work. Been over all of the doc sites multiple times and scoured issues here and elsewhere, have tried to follow responses and I’m getting nowhere.

This is on a GCE, minimal server, Debian stretch with postfix and mail installed.

The log from a mail attempt spews out a bunch of stuff, but this seems to be the most salient message[]:587, delay=8471,
delays=8470/0.03/0.41/0.05, dsn=5.7.1,
status=bounced (host[] said: 550-5.7.1 Invalid credentials for relay [].
The IP address you've 550-5.7.1 registered in your G Suite SMTP Relay service doesn't match domain of 550-5.7.1 the account this email is being sent from.
If you are trying to relay 550-5.7.1 mail from a domain that isn't registered under your G Suite account 550-5.7.1 or has empty envelope-from, you must configure your mail server 550-5.7.1 either to use SMTP AUTH to identify the sending domain or to present 550-5.7.1 one of your domain names in the HELO or EHLO command.

The GCE Domain and the GSuite domain are the same.

So, my postfix looks like this:

# See /usr/share/postfix/ for a commented, more complete version

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# See -- default to 2 on
# fresh installs.
compatibility_level = 2

# TLS parameters
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
myhostname = <mydomain>
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = <mydomain>, localhost
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all

relayhost =
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = 
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_use_tls = yes

The contents of the mailname file is:


The contents of the sasl_passwd file are:

[]:587 <gmail-user-name>:<gmail-password>

The GSuite settings are:

From Website
Allowed senders: Only addresses in my domains
Only accept mail from the specified IP addresses: Yes
Allowed IP addresses: Website Server
Require SMTP Authentication: Yes
Require TLS encryption: Yes

The ‘Allow IP addresses’ is set to the external address of the GCE.

So, I’m stumped.

Any thoughts appreciated.

My answer:

You can’t authenticate with your personal Gmail account, it has to be an account tied to your G Suite domain.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.