
AWS Guides: How to use Amazon SES with Postfix

If you have ever wondered how to use the Amazon SES SMTP endpoint with Postfix, this is the guide for you. This is going to be very close to what is in the documentation on the AWS website. I will cover some pain points that I have seen and run into while trying to implement this.

Below we will cover integration to SES with both STARTTLS and Secure Tunnel (STUNNEL).

To configure integration using STARTTLS

1. On your mail server, open the main.cf file. Depending on your OS, this file resides in the /etc/postfix folder.
2. Add the following lines to the main.cf file, modifying them to reflect your particular situation, and then save the file.

relayhost = email-smtp.us-east-1.amazonaws.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes

3. Edit the /etc/postfix/sasl_passwd file. If the file does not exist, create it. Add the following lines to the file, replacing USERNAME and PASSWORD with your SMTP user name and password. This is where it gets confusing: you need to create an SMTP user from the SES console at https://console.aws.amazon.com/ses/home?#smtp-settings, not from the IAM console, because the credentials are different. When you create the user there, you are presented with a window showing its SMTP credentials.

Please NOTE: These credentials are an example and are now invalid, please do not use them. 

email-smtp.us-east-1.amazonaws.com:25 USERNAME:PASSWORD
ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com:25 USERNAME:PASSWORD

So it would be something like:

email-smtp.us-east-1.amazonaws.com:25 AKIAICGIRMNGVGXWNKA:Aq+M1pekvR3yibnqFfYe1MAJGZ1NJ4yduxP0svMwRO5
ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com:25 AKIAICGIRMNGVGXWNKA:Aq+M1pekvR3yibnqFfYe1MAJGZ1NJ4yduxP0svMwRO5

4. Save the sasl_passwd file.
5. At a command prompt, issue the following command to create an encrypted file containing your SMTP credentials.

sudo postmap hash:/etc/postfix/sasl_passwd

6. Remove the /etc/postfix/sasl_passwd file.
7. Tell Postfix where to find the CA certificate (needed to verify the SES server certificate).

If running on the Amazon Linux AMI:

sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'

If running on Ubuntu Linux:

sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
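An added check, not part of the original guide or of the AWS documentation: postmap takes the first word of each line as the key and the rest of the line as the value, so two entries on one line become a single entry with the wrong password. The script below lints sasl_passwd before the postmap step and tests whether a credential file is group- or world-readable; the function names are hypothetical and the sample files are constructed from the guide's placeholder entries.

```shell
#!/bin/sh
# Added example: lint a Postfix sasl_passwd source file before running postmap.
H1=email-smtp.us-east-1.amazonaws.com:25                     # keys from the guide
H2=ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com:25
CRED=USERNAME:PASSWORD                                       # placeholder, not a secret

# Constructed samples: the guide's two entries on one line, and on two lines.
write_samples() {
    printf '%s %s %s %s\n' "$H1" "$CRED" "$H2" "$CRED" > "$1/one_line"
    printf '%s %s\n%s %s\n' "$H1" "$CRED" "$H2" "$CRED" > "$1/two_lines"
}

# lint_sasl_passwd FILE RELAYHOST
# Splits each line as postmap does (first word = key, rest of line = value),
# prints one finding per problem and returns non-zero if there was any.
lint_sasl_passwd() {
    awk -v relay="$2" '
        function report(msg) { printf "line %d: %s\n", NR, msg; bad = 1 }
        /^[ \t]*(#|$)/ { next }                      # comment or blank line
        /^[ \t]/ { report("leading whitespace continues the previous entry"); next }
        {
            key = $1; value = $0
            sub(/^[^ \t]+[ \t]*/, "", value)         # drop the key
            sub(/[ \t]+$/, "", value)                # drop trailing blanks
            if (key == relay) seen = 1
            if (value == "")            report(key " has no USERNAME:PASSWORD")
            else if (value ~ /[ \t]/)   report("value for " key " contains whitespace; use one entry per line")
            else if (index(value, ":") < 2) report("value for " key " is not USERNAME:PASSWORD")
        }
        END {
            # Assumption: the key is the relayhost value as written in main.cf, as in this guide.
            if (!seen) { print "no entry keyed by relayhost " relay; bad = 1 }
            exit bad + 0
        }' "$1"
}

# readable_by_others FILE: succeeds if group or world can read FILE.
# Run it on sasl_passwd and on sasl_passwd.db, which also holds the credentials.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Usage: sh lint.sh /etc/postfix/sasl_passwd "$(postconf -h relayhost)"
if [ "$#" -eq 2 ]; then lint_sasl_passwd "$1" "$2"; fi
```
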

To configure integration using a secure tunnel

To begin, you will need to set up a secure tunnel as described in Secure Tunnel. In the following procedure, we use port 2525 as the stunnel port. If you are using a different port, adjust the settings accordingly.

1. On your mail server, open the main.cf file. On many systems, this file resides in the /etc/postfix folder.

2. Add the following lines to the main.cf file, modifying them to reflect your particular situation, and then save the file.

relayhost = 127.0.0.1:2525
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

3. Edit the /etc/postfix/sasl_passwd file. If the file does not exist, create it. Add the following line to the file, replacing USERNAME and PASSWORD with your SMTP user name and password.

127.0.0.1:2525 USERNAME:PASSWORD

And another example of what it should look like:

127.0.0.1:2525 AKIAICGIRMNGVGXWNKA:Aq+M1pekvR3yibnqFfYe1MAJGZ1NJ4yduxP0svMwRO5

4. Save the sasl_passwd file.
5. At a command prompt, issue the following command to create an encrypted file containing your SMTP credentials.

sudo postmap hash:/etc/postfix/sasl_passwd

6. Remove the /etc/postfix/sasl_passwd file.
7. When you have finished updating the configuration, restart Postfix. At the command line, type the following command and press ENTER.

sudo /etc/init.d/postfix restart

Testing the implementation
You can test functionality with "mail -s test email@domain.com < mail.txt", with mail.txt containing:

Date: Thu Jan 11 08:41:54 2013
To: email@domain.com
Subject: The subject of the message
From: sender@email.com

Body of message goes here

You also need to make sure that you correctly flag the From address and set up your mail server correctly with a verified domain; otherwise you will get the error Email Address not verified. Also, if you do not get the credentials above right, you will end up with the following error:

Apr 16 05:26:33 domU-12-31-39-16-38-A6 postfix/smtp[1101]: CE19B421CD: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[50.19.243.215] said: 535 Authentication Credentials Invalid

 

If you’ve gotten this far without errors then I believe you are set! Let me know if you have any trouble with this guide and I will try and make any section clearer.


  • Tapan Kumar Thapa

    Many thanks for this information as it helped me to solve my username/password issue.

  • Stewart Howell

    Thanks for your post.

    The post indicates that the content to be pasted into /etc/postfix/sasl_passwd should be entered as 1 line. But this gave me authentication errors. Fixed by changing it to 2 lines, where the second line starts with “ses- “
