FreeBSD configure AWS SES with Postfix MTA

How do I integrate and configure Amazon/AWS SES with Postfix running on my FreeBSD Unix server?

Amazon Simple Email Service (SES) is a hosted email service for sending and receiving email using your own email addresses and domains. SES is typically used for sending bulk email or routing email through AWS cloud servers without hosting your own MTA. We can use Perl/Python/PHP APIs to send an email via SES. In this tutorial we are going to configure a FreeBSD server or jail running Postfix to route all outgoing emails via AWS SES.
Tutorial requirements
Operating system/app:	FreeBSD with bash
Root privileges required:	Yes
Difficulty:	Intermediate
Estimated completion time:	10m

Procedure to configure AWS SES with Postfix

Before getting started with Amazon SES and Postfix for FreeBSD server, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download credentials too.

Step 1 – Disable Sendmail if enabled on FreeBSD

We need to use the sysrc command to safely edit system rc files. Let us disable sendmail, run:
## Make sure sendmail service stopped for Postfix ##
# service sendmail stop
## Disable sendmail service specific ##
# sysrc sendmail_enable="NO"
# sysrc sendmail_submit_enable="NO"
# sysrc sendmail_outbound_enable="NO"
# sysrc sendmail_msp_queue_enable="NO"

Also disable/remove sendmail server service specific cronjobs/tasks:
# vi /etc/periodic.conf
Append/modify as follows:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Save and close the file in vim/vi.

Step 2 – Installing postfix

Run the pkg command as follows to install Postfix MTA on FreeBSD Unix cloud server:
# pkg update
# pkg upgrade
# pkg search postfix
## filter sasl specific postfix package using the grep command ##
# pkg search postfix | grep sasl
## Install it ##
# pkg install postfix-sasl

Installing postfix on FreeBSD
Enable postfix at FreeBSD boot time:
# sysrc postfix_enable="YES"

postfix_enable:  -> YES

Make sure Postfix is activated in /usr/local/etc/mail/mailer.conf file as follows. Create a new directory using the mkdir command:
# mkdir -p /usr/local/etc/mail
Install the file using the install command:
# install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

Step 3 – Configuring postfix for Amazon SES

Let us see how to configure Postfix as outgoing MTA using a smarthost based upon Amazon SES for FreeBSD. First, set SES zone:

# I am using US West (Oregon) 
# Feel free to replace MTA as per your AWS region 
SES_MTA="email-smtp.us-west-2.amazonaws.com"

Next run the postconf command to configure Postfix with Amazon SES:

postconf -e "relayhost = [${SES_MTA}]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"

Set up Amazon/AWS SES USERNAME and PASSWORD for Postfix MTA

Edit the /usr/local/etc/postfix/sasl_passwd file using a text editor such as vim:
# vim /usr/local/etc/postfix/sasl_passwd
Append (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):
[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD
Save and close the file. First secure the file using the chmod command and then create a new database:
# chmod -v 0600 /usr/local/etc/postfix/sasl_passwd
/usr/local/etc/postfix/sasl_passw

At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:
# postmap -v hash:/usr/local/etc/postfix/sasl_passwd

postmap: name_mask: ipv4
postmap: name_mask: host
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: been_here: 127.0.0.1/32: 0
postmap: been_here: 192.168.2.236/32: 0
postmap: been_here: 10.8.0.2/32: 0
postmap: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32 
postmap: open hash /usr/local/etc/postfix/sasl_passwd
postmap: Compiled against Berkeley DB version 1

Configure CA certificate path for verification

The Postfix server needs to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run:
# postconf -e 'smtp_tls_CAfile = /etc/ssl/cert.pem'
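
An added check, not part of the original tutorial, for the settings made in Step 3 and in the CA file section above: a shell function that reads postconf -n style output and flags weak relay settings. It shows that at smtp_tls_security_level = encrypt Postfix requires TLS but does not enforce verification of the server certificate, so smtp_tls_CAfile only becomes binding at the verify or secure level. The function names get_param and audit_ses_relay are hypothetical, and the sample input is constructed from the values used on this page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit the Step 3 settings.
# Input:  "name = value" lines, as printed by `postconf -n`, on stdin.
# Output: one finding per line; return status 1 if any finding is FAIL.

get_param() {   # print the last value assigned to parameter $1 in $CONF
    printf '%s\n' "$CONF" |
        sed -n "s/^$1[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" |
        tail -n 1
}

audit_ses_relay() {
    CONF=$(cat); rc=0
    level=$(get_param smtp_tls_security_level)
    trust="$(get_param smtp_tls_CAfile)$(get_param smtp_tls_CApath)"

    case $(get_param relayhost) in
        \[*\]:*) echo "OK: relayhost is [host]:port, no MX lookup" ;;
        *) echo "WARN: relayhost is not in the [host]:port form used in Step 3" ;;
    esac
    [ "$(get_param smtp_sasl_auth_enable)" = yes ] ||
        { echo "FAIL: smtp_sasl_auth_enable is not yes"; rc=1; }
    case ",$(get_param smtp_sasl_security_options)," in
        *noanonymous*) ;;
        *) echo "FAIL: smtp_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    case $level in
        ''|none|may)
            echo "FAIL: TLS level below encrypt; SASL credentials may be sent without TLS"; rc=1 ;;
        encrypt)
            echo "WARN: level encrypt requires TLS but does not enforce certificate verification" ;;
        verify|secure)
            if [ -n "$trust" ]; then echo "OK: certificate verification enforced"
            else echo "FAIL: level $level set but no smtp_tls_CAfile or smtp_tls_CApath"; rc=1
            fi ;;
        *) echo "WARN: level '$level' is outside this check" ;;
    esac
    return $rc
}

# Constructed input: the values this tutorial sets with postconf -e.
audit_ses_relay <<'EOF'
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/cert.pem
EOF
```

On the server, the live settings can be piped in with postconf -n | audit_ses_relay after sourcing the function.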

Start Postfix service

Use the service command:
# service postfix start
# service postfix status

postfix is running as pid 15935.

See Postfix log file

Use the cat command/tail command:
# tail -f /var/log/maillog

Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: name_mask: host
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: inet_addr_local: configured 3 IPv4 addresses
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 127.0.0.1/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 192.168.2.236/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 10.8.0.2/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32 
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: open hash /usr/local/etc/postfix/sasl_passwd
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: Compiled against Berkeley DB version 1
Aug 30 16:08:46 rsnapshot postfix/postfix-script[15933]: starting the Postfix mail system
Aug 30 16:08:46 rsnapshot postfix/master[15935]: daemon started -- version 3.5.4, configuration /usr/local/etc/postfix

Step 4 – Test integration of Amazon SES with Postfix on FreeBSD server

Use the sendmail command as follows:
sendmail -f webmaster@cyberciti.biz webmaster@nixcraft.com
From: Vivek Gite <webmaster@cyberciti.biz>
Subject: Postfix email server integration with Amazon SES
This message was sent using Amazon SES on my FreeBSD Unix server
I hope this works out 👿
.

FreeBSD configure AWS SES with Postfix MTA and test it
Here is my test email:
FreeBSD Unix AWS SES Test email

AWS SES with Postfix headers

Original Message

Message ID	<010101743efcd00e-462dbed6-5015-48bf-b74d-1f65305d7914-000000@us-west-2.amazonses.com>
Created at:	Sun, Aug 30, 2020 at 4:19 PM (Delivered after 1 second)
From:	Vivek Gite <webmaster@cyberciti.biz>
To:	webmaster@nixcraft.com
Subject:	Postfix email server integration with Amazon SES
SPF:	PASS with IP 54.240.27.116
DKIM:	'PASS' with domain cyberciti.biz
DMARC:	'PASS'

Make sure you set up correct SPF, DKIM and DMARC.

A note about system generated emails

Typically, system-generated emails sent from the following addresses will be rejected by AWS SES because they come from an unauthenticated domain/email address. For example:
root@your-hostname
root@your-hostname-domain-dot-com
@freebsd-hostname.localdomain

To fix this problem, see my page “Postfix masquerading or changing outgoing SMTP email or mail address” for more information.

Conclusion

In this tutorial, we learned how to use Postfix MTA with Amazon SES cloud service running on FreeBSD Unix operating systems. I tested instructions on a FreeBSD 11.x/12.x server that sends many emails per day using Amazon SES with a high amount of email delivery rates. Please see SES docs here for more info.

3 comments
  • John Aug 31, 2020 @ 6:59

    Why install postfix-sasl instead of postfix?

  • Typical devops Sep 6, 2020 @ 21:06

    This was the easy part, but my email still gets rejected as they are coming from a host like xyz.example.com. How can I tell SES to accept subdomains too?
