FreeBSD configure AWS SES with Postfix MTA

See all FreeBSD related FAQ
How do I integrate and configure Amazon/AWS SES with Postfix running on my FreeBSD Unix server?

Amazon Simple Email Service (SES) is a hosted email service for you to send and receive email using your email addresses and domains. Typically SES used for sending bulk email or routing emails without hosting MTA with help of cloud servers provided by AWS. We can use Perl/Python/PHP APIs to send an email via SES. In this tutorial we are going to configure FreeBSD server or jail running Postfix to route all outgoing emails via AWS SES.
Tutorial requirements
RequirementsFreeBSD with bash
Root privileges Yes
Difficulty level Intermediate
Category Mail Server
Prerequisites AWS SES
OS compatibility FreeBSD Jails Unix
Est. reading time 6 minutes

Procedure to configure AWS SES with Postfix

Before getting started with Amazon SES and Postfix for FreeBSD server, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download credentials too.

Step 1 – Disable Sendmail if enabled on FreeBSD

We need to use the sysrc command to safely edit system rc files. Let us disable sendmail, run:
## Make sure sendmail service stopped for Postfix ##
# service sendmail stop
## Disable sendmail service specific ##
# sysrc sendmail_enable="NO"
# sysrc sendmail_submit_enable="NO"
# sysrc sendmail_outbound_enable="NO"
# sysrc sendmail_msp_queue_enable="NO"

Also disable/remove sendmail server service specific cronjobs/tasks:
# vi /etc/periodic.conf
Append/modify as follows:


Save and close the file in vim/vi.

Step 2 – Installing postfix

Run the pkg command as follows to install Postfix MTA on FreeBSD Unix cloud server:
# pkg update
# pkg upgrade
# pkg search postfix
## filter sasl specific postifx package using the grep command ##
# pkg search postfix | grep sasl
## Install it ##
# pkg install postfix-sasl

Installing postfix on FreeBSD
Enable postfix at FreeBSD boot time:
# sysrc postfix_enable="YES"

postfix_enable:  -> YES

Make sure Postfix is activated in /usr/local/etc/mail/mailer.conf file as follows. Create a new directory using the mkdir command:
# mkdir -p /usr/local/etc/mail
Install the file using the install command:
# install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

Step 3 – Configuring postfix for Amazon SES

Let us see how to configure Postfix as outgoing MTA using a smarthost based upon Amazon SES for FreeBSD. First, set SES zone:

# I am using US West (Oregon) 
# Feel free to replace MTA as per your AWS region 

Next run the postconf command to configure Postfix with Amazon SES:

postconf -e "relayhost = [${SES_MTA}]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"

Set up Amazon/AWS SES USERNAME and PASSWORD for Postfix MTA

Edit the /usr/local/etc/postfix/sasl_passwd using a text editor such as nano command/vim command, enter:
# vim /usr/local/etc/postfix/sasl_passwd
Append (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):
Save and close the file. First secure file using the chmod command and then create a new database:
# chmod -v 0600 /usr/local/etc/postfix/sasl_passwd

At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:
# postmap -v hash:/usr/local/etc/postfix/sasl_passwd
Here is what I see:

postmap: name_mask: ipv4
postmap: name_mask: host
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: been_here: 0
postmap: been_here: 0
postmap: been_here: 0
postmap: mynetworks_core: 
postmap: open hash /usr/local/etc/postfix/sasl_passwd
postmap: Compiled against Berkeley DB version 1

Configure CA certificate path for verification

Postfix server need to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run:
# postconf -e 'smtp_tls_CAfile = /etc/ssl/cert.pem'

Start Postfix service

Use the service command:
# service postfix start
# service postfix status


postfix is running as pid 15935.

See Postfix log file

Use the cat command/tail command:
# tail -f /var/log/maillog
Sample log entries:

Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: name_mask: host
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: inet_addr_local: configured 3 IPv4 addresses
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: mynetworks_core: 
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: open hash /usr/local/etc/postfix/sasl_passwd
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: Compiled against Berkeley DB version 1
Aug 30 16:08:46 rsnapshot postfix/postfix-script[15933]: starting the Postfix mail system
Aug 30 16:08:46 rsnapshot postfix/master[15935]: daemon started -- version 3.5.4, configuration /usr/local/etc/postfix

Getting rid of alias database unavailable error

Run the newaliases command to rebuild the data base for the mail aliases file called /etc/mail/aliases (softlinked /etc/aliases). We need to create soft link with ln command and cd command:
# cd /etc/
# ln -s mail/aliases.db
# newaliases -v
# ls -l /etc/aliases*

Step 4 – Test integration of Amazon SES with Postfix on FreeBSD server

Use the sendmail command as follows:
$ sendmail -f
From: Vivek Gite <>
Subject: Postfix email server integration with Amazon SES
This message was sent using Amazon SES on my FreeBSD Unix server
I hope this works out 👿

FreeBSD configure AWS SES with Postfix MTA and test it
Here is my test email:
FreeBSD Unix AWS SES Test email

AWS SES with Postfix headers

Original Message

Message ID	<>
Created at:	Sun, Aug 30, 2020 at 4:19 PM (Delivered after 1 second)
From:	Vivek Gite <>
Subject:	Postfix email server integration with Amazon SES
SPF:	PASS with IP Learn more
DKIM:	'PASS' with domain Learn more
DMARC:	'PASS' Learn more

Make sure you set up correct SPF, DKIM and DMARC.

A note about system generated emails

Typically system-generated emails sent from the following address will be rejected by AWS SES as they are from unauthenticated domain/email address. For example:

Use the hostname command to create a list of your hostname. For instance:

postconf -e 'smtp_generic_maps = hash:/usr/local/etc/postfix/generic'
echo "@$(hostname)" >>/usr/local/etc/postfix/generic
echo "@$(hostname).localdomain" >>/usr/local/etc/postfix/generic
# for AWS EC2 host add actual hostname too from /etc/hosts #
# echo "@ip-172-26-14-129.ec2.internal" >>/usr/local/etc/postfix/generic
postmap -v /usr/local/etc/postfix/generic
service postfix restart

See my page “Postfix masquerading or changing outgoing SMTP email or mail address” for more information.


In this tutorial, we learned how to use Postfix MTA with Amazon SES cloud service running on FreeBSD Unix operating systems. I tested instructions on a FreeBSD 11.x/12.x server that send many emails per day using Amazon SES with a high amount of email delivery rates. Please see SES docs here for more info.

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

4 comments… add one
  • John Aug 31, 2020 @ 6:59

    Why install postfix-sasl instead of postfix?

  • Typical devops Sep 6, 2020 @ 21:06

    This was easy part but my email still gets rejected as they are coming from host like How can i tell ses to accept sub domains too?

    • EC2 freebsd admin Jan 26, 2021 @ 11:13

      You need to add those subdomains to aws and verify it too. Otherwise AWS SES will reject those email.

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.