Deploy Postfix Gmail relay with Ansible on Raspberry Pi

Why would we want to do this?

The virtualization servers at work are running VMware ESXi, with vCenter Server Appliance (VCSA) as our bridge to using cool, free tools like Packer and Terraform to automate my interactions with virtual resources.

A downside we discovered is VCSA's lack of support for SMTP that requires auth, which Google requires when you send mail through them.

Postfix can handle the anonymous request from VCSA and send it out to Gmail with the provided creds.

How do I get started?

Since we wanted to get an email whenever there was an issue with the virtualization servers, it made sense to host this service on its own hardware.

I am going to be hosting this service using a Raspberry Pi 3 model B running Raspbian Stretch, and configuring it from my host using Ansible. This detail is not critical for following this guide. Any Debian-derived OS (like Ubuntu) that Ansible supports will work for hosting.

You just need to make sure SSH is turned on, and that you have the IP address. (The default username/pass on RasPis is pi/raspberry)

At minimum, you need the following tools installed on your host:

Download this helpful role for installing Postfix. At the time of this writing, it was the best public Postfix Ansible role, because its documentation had examples of how to configure the deployment as a Gmail relay. Very straightforward.

If you install this role in your Ansible client's roles_path, then you can use the example playbook, which I slightly modified (and annotated) from the ansible-postfix README.

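Example Ansible playbook

- name: Setup basic raspberry pi host as SMTP relay (Raspbian)
  # Placeholder: the inventory host or group of your Raspberry Pi
  hosts: raspberrypi
  # The role installs and configures packages, so it needs root
  become: true
  roles:
    # Placeholder: the name the Postfix role was installed under
    - postfix
  vars:
    # Gmail's SMTP server, which the relay forwards mail to
    postfix_relayhost: smtp.gmail.com
    postfix_mynetworks:
        # This is the IPv4 localhost loopback subnet
        - '127.0.0.0/8'
        # This is the IPv4 mapped IPv6 localhost loopback subnet
        - '[::ffff:127.0.0.0]/104'
        # This is the IPv6 localhost loopback address
        - '[::1]/128'
        # This is the local private network subnet, like the IPv4 address space from your home router
        # This addition allows other hosts on the network to send mail through this relay!
        # Placeholder: replace with your own LAN subnet
        - '192.168.1.0/24'
    postfix_smtpd_relay_restrictions:
        # This says to permit requests if the client is in the $mynetworks whitelist
        - permit_mynetworks
        # This says relay the request if client is authenticated to the smtp server
        - permit_sasl_authenticated
        # This says to reject the request unless it knows about the destination (the domain)
        - reject_unauth_destination

        ## Lastly, I believe the order of these restrictions matters, so this last one must catch the rest of the garbage requests

    postfix_smtp_tls_cafile: /etc/ssl/certs/ca-certificates.crt
    postfix_relaytls: true
    # Placeholder: the Gmail address the relay authenticates as
    postfix_sasl_user: 'your-account@gmail.com'
    postfix_sasl_password: 'apppasswordgeneratedgarbage'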
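
A check to run against the deployed relay, added here as an example (it is not part of the original post or of the role): it reads `postconf -n` style output and reports mynetworks entries outside loopback or private ranges, and a relay-restriction list where an unconditional permit precedes the final reject. The sample text and the 192.168.1.0/24 subnet are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Ranges a relay may reasonably trust: loopback, RFC 1918, IPv6 unique-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7")]
CATCH_ALL = {"reject_unauth_destination", "defer_unauth_destination"}

# Constructed `postconf -n` excerpt; 192.168.1.0/24 is a placeholder LAN subnet.
SAMPLE = """\
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.1.0/24
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""

def parse_postconf(text):
    """Return {parameter: [values]} from 'name = a b' or 'name = a, b' lines."""
    params = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and not name.lstrip().startswith("#"):
            params[name.strip()] = value.replace(",", " ").split()
    return params

def to_network(entry):
    """Parse a mynetworks entry; Postfix writes IPv6 as '[addr]/len'."""
    net = ipaddress.ip_network(entry.replace("[", "").replace("]", ""), strict=False)
    mapped = net.network_address.ipv4_mapped if net.version == 6 else None
    if mapped is not None and net.prefixlen >= 96:
        # Judge an IPv4-mapped entry by the IPv4 network it embeds.
        net = ipaddress.ip_network(f"{mapped}/{net.prefixlen - 96}", strict=False)
    return net

def audit_relay(text):
    """Return findings that would let untrusted clients relay through this host."""
    params, findings = parse_postconf(text), []
    for entry in params.get("mynetworks", []):
        net = to_network(entry)
        if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            findings.append(f"mynetworks: {entry} is not loopback or private")
    rules = params.get("smtpd_relay_restrictions", [])
    stop = next((i for i, r in enumerate(rules) if r in CATCH_ALL), None)
    if stop is None:
        findings.append("smtpd_relay_restrictions: no reject_unauth_destination")
    elif "permit" in rules[:stop]:
        findings.append("smtpd_relay_restrictions: bare permit precedes the reject")
    return findings

if __name__ == "__main__":
    print(audit_relay(SAMPLE) or "no findings")
```

On the Pi, feed it the real settings by passing the output of `postconf -n` to `audit_relay` in place of `SAMPLE`.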

Some additional notes

Test the configuration

Here is how to send a test email from the Raspberry Pi using mail (recipient@example.com is a placeholder for your own address):

pi@raspberrypi:~ $ echo "Hello world, it's ya boi, RaspberryPi" | mail -s "[SMTP proxy] Hello World" recipient@example.com