Sending Sudo Failed Password Alerts to Gmail
Introduction
An SMTP (Simple Mail Transfer Protocol) server is a computer or software application that sends and relays outgoing email messages according to the SMTP protocol.
Postfix is a mail transfer agent (MTA), an application used to send and receive email. It can be configured so that only local applications can use it to send email. This is useful when you need to regularly send email notifications from your apps, or have a lot of outbound traffic that a third-party email service provider won't allow. It's also a lighter alternative to running a full-blown SMTP server, while retaining the required functionality.
The goal is to configure a Linux system so that whenever a user enters an incorrect password with the sudo command, an email alert is automatically sent to a Gmail account. The following packages are used:
postfix is the program that actually sends the emails.
mailutils is used for testing emails from the terminal.
libsasl2-modules allows Postfix to log in to Gmail using authentication.
ca-certificates provides the trusted CA certificates that Postfix uses to check that the connection to Gmail is secure and trusted.
Requirements
- System
  - A Linux machine (Ubuntu/Debian recommended).
  - Internet access.
  - Root or sudo privileges.
- Software
  - postfix (Mail Transfer Agent).
  - mailutils (for testing mail delivery).
  - libsasl2-modules and ca-certificates (for authentication and TLS).
  - visudo (to edit the sudoers file safely).
  Install with:
  sudo apt update
  sudo apt install -y postfix mailutils libsasl2-modules ca-certificates
- Google Account
  - A Gmail account (e.g., your.email@gmail.com).
  - 2-Step Verification enabled.
  - A 16-character App Password generated from Google Account security settings.
Procedure
Step 1: Configure Postfix to Relay via Gmail
Edit /etc/postfix/main.cf and add:
relayhost = [smtp.gmail.com]:587
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
What each setting in the Postfix configuration file does:
relayhost = [smtp.gmail.com]:587 tells Postfix to send all outgoing emails through Gmail's SMTP server using port 587, which is the standard port for sending emails with authentication and TLS encryption.
smtp_use_tls = yes enables the use of TLS (Transport Layer Security) so that communication between your server and Gmail's server is encrypted. It is a legacy parameter: on Postfix 2.3 and later, smtp_tls_security_level takes precedence when both are set.
smtp_tls_security_level = encrypt makes encryption mandatory when communicating with the relayhost. If TLS cannot be negotiated, Postfix refuses to send the mail.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt specifies the file that contains the trusted certificate authorities which Postfix uses to validate Gmail's server certificate during TLS negotiation. Note that at the encrypt level Postfix does not reject a certificate that fails this validation; the verify and secure levels are the ones that make a trusted, matching certificate mandatory.
smtp_sasl_auth_enable = yes activates SASL authentication so Postfix can log into Gmail before sending mail.
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd points Postfix to the file that contains your Gmail credentials (email and app password). The hash: prefix means the file must be compiled into a hashed database format for Postfix to read efficiently.
smtp_sasl_security_options = noanonymous ensures that only authenticated sessions are allowed by ruling out SASL mechanisms that permit anonymous login to Gmail's SMTP server.
smtp_sasl_tls_security_options = noanonymous applies the same noanonymous restriction to SASL authentication performed inside TLS-encrypted sessions.
Step 2: Add Gmail Credentials
Create /etc/postfix/sasl/sasl_passwd:
[smtp.gmail.com]:587 your.email@gmail.com:APP_PASSWORD
Secure and enable it:
sudo chmod 600 /etc/postfix/sasl/sasl_passwd
sudo postmap /etc/postfix/sasl/sasl_passwd
sudo systemctl restart postfix
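sudo chmod 600 /etc/postfix/sasl/sasl_passwd locks the file so only its owner (root) can read or write it.
sudo postmap /etc/postfix/sasl/sasl_passwd converts the password file into the lookup database (sasl_passwd.db) that Postfix can use.
sudo systemctl restart postfix restarts Postfix so the new settings take effect.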
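A read-only check of the settings from Steps 1 and 2, as an added example that is not part of the original page. The function names cf_value, fail and audit_relay are made up for this illustration, the parser handles only single-line "parameter = value" entries, and the .db check assumes the hash: map type used above.

```shell
#!/bin/sh
# Added example: audit the relay settings from Steps 1 and 2 without changing them.
# cf_value, fail and audit_relay are illustrative names, not Postfix tools.

# Print a main.cf parameter (single-line entries only; the last assignment wins).
cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}

fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# Usage: audit_relay [MAIN_CF] [SASL_PASSWD]; returns the number of problems.
audit_relay() {
    cf=${1:-/etc/postfix/main.cf}
    pw=${2:-/etc/postfix/sasl/sasl_passwd}
    problems=0

    # Only these levels make TLS mandatory; "may" falls back to clear text.
    case $(cf_value "$cf" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) fail "smtp_tls_security_level does not make TLS mandatory" ;;
    esac
    [ "$(cf_value "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable is not yes"
    [ "$(cf_value "$cf" smtp_sasl_password_maps)" = "hash:$pw" ] ||
        fail "smtp_sasl_password_maps does not point at hash:$pw"
    case $(cf_value "$cf" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) fail "smtp_sasl_security_options lacks noanonymous" ;;
    esac

    # The App Password sits in clear text in the source file and in its .db.
    for f in "$pw" "$pw.db"; do
        if [ ! -f "$f" ]; then
            fail "$f is missing"
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            fail "$f is accessible to group or other; run chmod 600"
        fi
    done
    # A source file newer than its .db means postmap was not re-run after an edit.
    if [ -f "$pw.db" ] && [ "$pw" -nt "$pw.db" ]; then
        fail "$pw.db is older than $pw; re-run postmap"
    fi
    echo "$problems problem(s) found"
    return "$problems"
}
```

Source the file and call audit_relay with no arguments to check the paths used on this page; the return value is the number of failed checks.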
Step 3: Configure Sudoers
Edit sudoers with visudo:
sudo visudo
Add:
Defaults mailto = "your.email@gmail.com"
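# sudoers does not run shell commands, so $(hostname -f) is not expanded;
# replace host.example.com (placeholder) with the output of hostname -f
Defaults mailfrom = "sudo@host.example.com"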
Defaults mail_badpass
Defaults mailsub = "*** SECURITY: sudo failed on %h ***"
Save and exit.
Observation
- Clear cached sudo credentials:
  sudo -k
- Attempt to use sudo with the wrong password:
  sudo -v
  sudo -v refreshes or checks sudo credentials, and a wrong password here will trigger the email alert.
- Verify that an alert email arrives in the configured Gmail inbox (or Spam folder).
Result
The system successfully sends an email alert to the configured Gmail account whenever an incorrect sudo password is entered. This enhances system security by notifying the administrator of unauthorized or suspicious sudo attempts.