How to configure your Postfix server to relay email through Amazon Simple Email Service (SES)

Amazon recently announced SMTP support for the Amazon Simple Email Service (SES), which is very cool. Now you can configure your server to send email through it regardless of what platform your site is built on (my previous post was only relevant to PHP servers). There are three main things you need to do to configure your Postfix server to relay email through SES: verify a sender email address, create an IAM user for SMTP, and configure your server to use SES.

Verify a sender email address

  1. In the SES section of the AWS Management Console, click on “Verified Senders”.
  2. Then click on the “Verify a New Sender” button.
  3. Enter the Sender’s Email Address and click “Submit”.
  4. Then you’ll see the confirmation message.
  5. Go to that email account and click on the link Amazon will email to you to confirm the address.

Create IAM Credentials

  1. In the SES section of the AWS Management Console, click on “SMTP Settings”.
  2. Click on the button “Create My SMTP Credentials”.
  3. Choose a User Name and click “Create”.
  4. Save the SMTP Username and SMTP Password that are displayed. We’ll need them when we’re configuring the server.

Configure the server

Now for the fun part. Here I assume you’re running Postfix as the MTA on your server.

  1. Install stunnel:
    apt-get install stunnel
  2. Add these lines to /etc/stunnel/stunnel.conf and make sure it starts properly (you may have to edit /etc/default/stunnel so that it starts automatically on boot):
    [smtp-tls-wrapper]
    accept = 127.0.0.1:1125
    client = yes
    connect = email-smtp.us-east-1.amazonaws.com:465
  3. Add this line to /etc/postfix/sender_dependent_relayhost:
    [email protected]  127.0.0.1:1125
  4. Generate the hashfile with this command:
    postmap /etc/postfix/sender_dependent_relayhost
  5. Add this line to /etc/postfix/password:
    127.0.0.1:1125 <your SMTP Username>:<your SMTP Password>
  6. Fix the permissions on /etc/postfix/password:
    chown root:root /etc/postfix/password
    chmod 600 /etc/postfix/password
  7. Generate the hashfile with this command:
    postmap /etc/postfix/password
  8. Add these lines to /etc/postfix/main.cf:
    sender_dependent_relayhost_maps = hash:/etc/postfix/sender_dependent_relayhost
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/password
    smtp_sasl_security_options =
  9. Load the new configuration with this command:
    postfix reload

Additional Notes

After setting it up, look closely at the mail logs on your server to verify that messages are being delivered properly. As I found through testing, in certain misconfigurations your email will not be delivered and will not remain in the queue on the server. The mail logs are the only place that will indicate that delivery is failing.

If you need to add other senders in the future, edit /etc/postfix/sender_dependent_relayhost accordingly, then run:
    postmap /etc/postfix/sender_dependent_relayhost
    postfix reload

The reason for using sender_dependent_relayhost is that you want to specify which email gets sent through SES. If you try to send all email from the server through SES, you’ll probably have some end up going into a black hole. When I was testing this before using sender_dependent_relayhost, I didn’t have my root@ email address verified, so emails ended up bouncing back, then bouncing into oblivion never to be seen again (because it would try to relay email to root@ through SES too).
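
The log check and the sender-dependent routing described in these notes, as an added example that is not part of the original post: it groups Postfix delivery lines by whether they went through the stunnel listener (127.0.0.1:1125), to another host, or nowhere, and lists every delivery that was not sent. The sample log lines are constructed, and the script assumes the traditional syslog timestamp layout (queue ID in the sixth field).

```shell
#!/bin/sh
# Added example: classify Postfix deliveries by relay path and status.
# SES_RELAY is how Postfix logs the stunnel listener configured in this guide.
SES_RELAY='127.0.0.1[127.0.0.1]:1125'

# Constructed sample log lines (hosts, queue IDs and addresses are made up).
sample_log() {
cat <<'EOF'
Jan 10 12:00:01 web1 postfix/smtp[2101]: 3F2A1C0012: to=<alice@example.org>, relay=127.0.0.1[127.0.0.1]:1125, delay=1.4, delays=0.1/0/0.6/0.7, dsn=2.0.0, status=sent (250 Ok)
Jan 10 12:00:05 web1 postfix/smtp[2101]: 3F2A1C0013: to=<bob@example.org>, relay=127.0.0.1[127.0.0.1]:1125, delay=0.9, delays=0.1/0/0.4/0.4, dsn=5.0.0, status=bounced (host 127.0.0.1[127.0.0.1] said: 554 Message rejected: Email address is not verified.)
Jan 10 12:00:09 web1 postfix/smtp[2102]: 3F2A1C0014: to=<carol@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=2.1, delays=0.1/0/1.0/1.0, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 12:00:12 web1 postfix/smtp[2103]: 3F2A1C0015: to=<dave@example.org>, relay=none, delay=0.2, delays=0.1/0/0.1/0, dsn=4.4.1, status=deferred (connect to 127.0.0.1[127.0.0.1]:1125: Connection refused)
Jan 10 12:00:15 web1 postfix/qmgr[900]: 3F2A1C0016: from=<app@example.com>, size=812, nrcpt=1 (queue active)
EOF
}

# Reads a mail log on stdin; prints "<path> <status> <count>", sorted.
# path: "ses" (via the tunnel), "direct" (another host), "none" (no connection).
relay_summary() {
  awk -v ses="$SES_RELAY" '
    /postfix\/smtp\[[0-9]+\]:/ && match($0, /relay=[^,]+/) {
      relay = substr($0, RSTART + 6, RLENGTH - 6)
      if (!match($0, /status=[a-z]+/)) next
      status = substr($0, RSTART + 7, RLENGTH - 7)
      path = (relay == ses) ? "ses" : ((relay == "none") ? "none" : "direct")
      count[path " " status]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Prints "<queue-id> <recipient> <status>" for every delivery not marked sent.
undelivered() {
  awk '
    /postfix\/smtp\[[0-9]+\]:/ && match($0, /status=[a-z]+/) {
      status = substr($0, RSTART + 7, RLENGTH - 7)
      if (status == "sent") next
      if (!match($0, /to=<[^>]*>/)) next
      rcpt = substr($0, RSTART + 4, RLENGTH - 5)
      qid = $6; sub(/:$/, "", qid)
      print qid, rcpt, status
    }'
}

# Stand-alone run on the sample; on a server, feed the real log on stdin.
sample_log | relay_summary
sample_log | undelivered
```

A "direct sent" count for a sender that should be going through SES means its entry in sender_dependent_relayhost is not matching; "none deferred" with a connection error to port 1125 points at stunnel rather than Postfix.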

http://www.millcreeksys.com/how-to-configure-your-postfix-server-to-relay-email-through-amazon-simple-email-service-ses/

18 thoughts on “How to configure your Postfix server to relay email through Amazon Simple Email Service (SES)”

  1. You don’t need to follow the steps in “configure the server”. It works out of the box.

    1. Hi Daniel, I’m not quite sure what you mean.
      If you don’t follow the steps in “configure the server”, Postfix won’t utilize SES to send out email; it will just send email out directly.

  2. Note that the “libsasl2-modules” package needs to be installed, otherwise you’ll probably get the following error in your mail.log:

    SASL authentication failed; cannot authenticate to server email-smtp.us-east-1.amazonaws.com[107.22.186.214]: no mechanism available

  3. Hi Michael,
    Do you know where I can find instructions like this for qmail? The Amazon documentation site has integration instructions for Postfix, Exim, and Sendmail, but not qmail. I set up the stunnel and verified that was working, but how do I tell qmail to use the stunnel port or point to the Amazon server? I don’t think the smtproute control file will do it because I need to set a password somewhere.
    Thanks,
    Robert

    1. Well, you can always uninstall qmail and install postfix (just kidding)
      I haven’t used qmail in a long while, but this thread may help you out. It looks like it might be complicated, but it should work.

  4. Hello,

    I am actually trying your method, but sending speed is too slow. Is there any way to send at least 1,000 emails per minute?

    Thanks.

  5. You know, I’ve already done this. I’ve tuned Postfix and it is not working at all; it seems to be slower. I am now using the Perl script from Amazon SES with Postfix, which seems to be working a little bit faster.

    Maybe, I need to improve it, because Amazon allows me to send more than 5,000 emails per minute, and I am actually sending 2,000 emails per minute.

    Anyway, thank you for your help!

    1. Hi Carlos,

      This may be obvious, but do you have a beefy enough of an instance to churn that much mail out per minute? Suffice to say a t1.micro, even without other services running may find itself starved of RAM and CPU. Virtualized instances (in my experience) are lucky to have up to 50% of their allotted resources available at any given time.

      If you’re finding this isn’t the case, you might want to try depending on a tmpfs ram disk to bypass ec2 storage completely for email processing. If the instance is reading mail from a file before sending, that can be a looooot of IO for ec2 storage. Check the normal culprits (top, strace, etc) and see if the bottleneck is actually postfix, or your instance.

  6. Michael, this is a fantastic article and very helpful! There is no way I could have gotten it working without this information. Two thumbs way up.

    I am unsure why this is happening, but even when I change my “from:” headers in the php mail function, the email that I receive always says that it is from “[email protected]”. I would imagine that is because I haven’t configured something appropriately, but I am novice enough at postfix that I don’t know what.

    Any ideas of things that I might try?

    Regards

  7. Hi Michael,

    This is great. Thanks for your help.

    Now that SES supports verified domains do you think you could update this guide to help us relay mail through SES for an entire domain rather than single addresses? I have tried to do this myself using the relay_transport setting but haven’t been able to get it working. Using wildcards like *@verifieddomain.com in the sender file doesn’t work either unfortunately.

    Thanks in advance!

    Oliver
