chatgpt

Gotcha—two goals: (1) get Postfix+Dovecot working on Debian 13, and (2) stop deliverability problems from your dynamic IP by sending “from yourdomain.com” through Gmail.

Short answer: yes, you can make Postfix hand off all outbound mail to Google so recipients see From: you@yourdomain.com and the mail is authenticated properly. The clean way is Google Workspace’s SMTP relay; you keep IMAP/POP (Dovecot) and incoming MX wherever they are, but route outgoing through Google. Key points:

It works with dynamic IPs if you use the “Require SMTP authentication” option in Google’s SMTP relay (no fixed IP needed). Google Help

You’ll point Postfix to smtp-relay.gmail.com:587 (TLS). Google Help

Publish the right DNS records so shops trust your mail: SPF (include Google), DKIM (Google signs as your domain), and DMARC. Google Help +2 Google Help +2

Note: Google is phasing out password-based logins for apps; for SMTP relay with “Require SMTP Authentication,” plan on OAuth rather than a plain username/password. If you can’t use OAuth, you can instead allow by IPs—but that’s tough with a dynamic IP. Google Help

What this looks like, end to end

In Google Workspace (Admin): Apps → Google Workspace → Gmail → Routing → SMTP relay service → Allowed senders = “Only addresses in my domains” and tick Require SMTP authentication → Require TLS. Google Help

DNS for yourdomain.com:

SPF: v=spf1 include:_spf.google.com ~all (or merge with your other senders). Google Help

DKIM: generate in Admin Console and publish the TXT record, then turn on signing. Google Help

DMARC: start relaxed, e.g. v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com and tighten later. Google Help

In Postfix (concept): Set a relayhost to Google and enable TLS+SASL. (I’ll give you the exact main.cf lines and the auth method that fits your setup—OAuth vs. IP—once you confirm your Gmail plan.)

Why this fixes the “shop refuses mail” problem: recipients evaluate Google’s IPs and your domain’s SPF/DKIM/DMARC. Mail is delivered as yourdomain.com, signed by your domain, but carried by Google’s infrastructure, which avoids blocks against dynamic IPs. Google Help +2 Google Help +2

One caveat about regular (free) Gmail via smtp.gmail.com: it can work with Postfix, but DKIM typically signs as gmail.com (not yourdomain), sending limits are low, and alignment/“via gmail.com” issues can hurt deliverability. For consistent business mail, the Workspace SMTP relay is the right tool.