How to Configure Postfix as Google Apps SMTP Relay on Google Compute Engine (GCE): A Complete Guide with Code Examples



When setting up Postfix to use Google's SMTP relay service (smtp-relay.google.com) on GCE, you need to meet specific authentication requirements. Unlike regular Gmail SMTP (smtp.gmail.com), the relay service has different authentication mechanisms:

  • IP-based authentication (recommended for GCE)
  • SMTP AUTH with TLS (alternative method)

Here's the complete /etc/postfix/main.cf configuration for IP-based authentication:


# Basic Postfix configuration
myhostname = yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = loopback-only
mydestination = $myhostname, localhost.$mydomain, localhost
relayhost = [smtp-relay.google.com]:587

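# TLS configuration
# smtp_tls_security_level supersedes the legacy smtp_use_tls (Postfix 2.3 and later);
# "encrypt" refuses to send if the relay does not offer STARTTLS
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt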

# Important for Google SMTP Relay
smtp_sasl_auth_enable = no
smtp_helo_name = yourdomain.com

Before proceeding, ensure your GCE instance's external IP is whitelisted in your Google Workspace admin console:


# Get your instance's external IP
curl ifconfig.me

The 550-5.7.1 invalid-credentials error typically occurs when:

  1. The sending domain doesn't match your Google Workspace domain
  2. The HELO/EHLO identifier is incorrect
  3. Your GCE IP isn't properly whitelisted

Solution: Verify these settings in your main.cf:


# Critical for domain matching
smtp_helo_name = your-exact-domain.com
myorigin = your-exact-domain.com

After making changes, test with:


# Reload Postfix
sudo systemctl reload postfix

# Send test email
echo "Test email body" | mail -s "Test Subject" recipient@example.com

# Check logs
tail -f /var/log/mail.log

If you prefer SMTP authentication instead of IP whitelisting:


# In main.cf
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

Create /etc/postfix/sasl_passwd:


[smtp-relay.google.com]:587 username@yourdomain.com:password

Then run:


sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd*
sudo systemctl reload postfix


When setting up Postfix to use Google's SMTP relay service (smtp-relay.google.com) on Google Compute Engine (GCE), many developers encounter the frustrating 550-5.7.1 error regarding invalid credentials. This typically indicates a mismatch between your server configuration and Google's security requirements.

For successful SMTP relay through Google Apps on GCE, you need to satisfy these technical prerequisites:

  • Proper HELO/EHLO identification matching your Google Apps domain
  • Correct IP whitelisting in Google Admin Console
  • Port 587 or 465 configuration (GCE blocks port 25)
  • Appropriate Postfix relayhost setting

Here's the working configuration for /etc/postfix/main.cf:

# Basic configuration
myhostname = yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = loopback-only

# Google SMTP Relay configuration
relayhost = [smtp-relay.google.com]:587
smtp_sasl_auth_enable = no
smtp_helo_name = yourdomain.com
smtpd_banner = $myhostname ESMTP $mail_name

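# Security settings
# "encrypt" makes STARTTLS mandatory; "may" would fall back to cleartext if the offer is stripped
smtp_tls_security_level = encrypt
smtp_tls_CApath = /etc/ssl/certs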

The error message reveals several key requirements from Google:

  1. Your server's outgoing IP must match the IP whitelisted in Google Admin Console
  2. The HELO/EHLO command must present a domain registered in your Google Apps
  3. Either SMTP AUTH or proper domain identification is mandatory

Ensure your domain is properly configured in Google Admin:

# Check your public IP
curl ifconfig.me

# Verify DNS settings
dig yourdomain.com MX
dig yourdomain.com TXT

For environments requiring more control, consider these additional settings:

# Restrict relay permissions
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

# Enable detailed logging
debug_peer_level = 2
debug_peer_list = smtp-relay.google.com

After applying changes, test with:

# Reload Postfix
sudo systemctl reload postfix

# Send test email
echo "Test email" | mail -s "Postfix Test" your@email.com

# Check logs in real-time
tail -f /var/log/mail.log

If you still encounter issues:

  • Error 550-5.7.1: Double-check your HELO name matches exactly with your Google Apps domain
  • Connection timeouts: Verify GCE firewall rules allow outbound traffic on port 587
  • Authentication prompts: You might need to enable SMTP AUTH if IP-based auth fails
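
The settings this guide depends on (relayhost, mandatory TLS, HELO name, and the SASL password file) can be checked before reloading Postfix. The script below is an added example, not part of the original guide or of Postfix; `conf_get` and `check_relay_conf` are hypothetical helper names, the sample config is constructed, and the parser assumes simple `name = value` lines.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Postfix tools): lint main.cf for the
# relay settings above. Limits: no $variable expansion, no continuation lines.

# Print the last value assigned to parameter $2 in file $1 (the last entry wins).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ || !/=/ { next }
        { k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
          gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
          if (k == key) val = v }
        END { print val }' "$1"
}

# Print one WARN line per problem; succeed only when there are none.
check_relay_conf() {
    f=$1 domain=$2 n=0
    warn() { echo "WARN: $*"; n=$((n + 1)); }
    case "$(conf_get "$f" relayhost)" in
        "[smtp-relay.google.com]:587" | "[smtp-relay.google.com]:465") ;;
        *) warn "relayhost should be [smtp-relay.google.com] on port 587 or 465" ;;
    esac
    case "$(conf_get "$f" smtp_tls_security_level)" in
        encrypt | verify | secure | fingerprint | dane-only) ;;
        *) warn "smtp_tls_security_level does not make TLS mandatory" ;;
    esac
    [ "$(conf_get "$f" smtp_helo_name)" = "$domain" ] ||
        warn "smtp_helo_name does not match $domain"
    if [ "$(conf_get "$f" smtp_sasl_auth_enable)" = yes ]; then
        map=$(conf_get "$f" smtp_sasl_password_maps)
        path=${map#*:}   # strip the lookup type, e.g. "hash:"
        if [ -z "$map" ] || [ ! -f "$path" ]; then
            warn "smtp_sasl_password_maps is unset or its file is missing"
        elif [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            warn "$path is accessible to group or others (expected mode 600)"
        fi
        case "$(conf_get "$f" smtp_sasl_security_options)" in
            *noanonymous*) ;;
            *) warn "smtp_sasl_security_options should include noanonymous" ;;
        esac
    fi
    [ "$n" -eq 0 ]
}

# Demo on a constructed config that uses opportunistic TLS.
demo=$(mktemp)
printf '%s\n' 'relayhost = [smtp-relay.google.com]:587' \
    'smtp_tls_security_level = may' 'smtp_helo_name = yourdomain.com' > "$demo"
check_relay_conf "$demo" yourdomain.com || true   # prints the TLS warning only
rm -f "$demo"
```

Run it as `check_relay_conf /etc/postfix/main.cf yourdomain.com`; it exits non-zero when any warning is printed.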