Amazon Simple Email Service (SES) is a hosted email service that lets you send and receive email using your own email addresses and domains. SES is typically used for sending bulk email or for routing email through cloud servers provided by AWS without hosting your own MTA. We can use Perl/Python/PHP APIs to send an email via SES. In this tutorial we are going to configure a FreeBSD server or jail running Postfix to route all outgoing email via AWS SES.
Tutorial requirements | |
---|---|
Operating system/app | FreeBSD with bash |
Root privileges required | Yes |
Difficulty | Intermediate |
Estimated completion time | 10m |
Procedure to configure AWS SES with Postfix
Before getting started with Amazon SES and Postfix for FreeBSD server, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download credentials too.
Step 1 – Disable Sendmail if enabled on FreeBSD
We need to use the sysrc command to safely edit system rc files. Let us disable sendmail, run:
## Make sure sendmail service stopped for Postfix ##
# service sendmail stop
## Disable sendmail service specific ##
# sysrc sendmail_enable="NO"
# sysrc sendmail_submit_enable="NO"
# sysrc sendmail_outbound_enable="NO"
# sysrc sendmail_msp_queue_enable="NO"
Also disable/remove sendmail server service specific cronjobs/tasks:
# vi /etc/periodic.conf
Append/modify as follows:
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Save and close the file in vim/vi.
Step 2 – Installing postfix
Run the pkg command as follows to install Postfix MTA on FreeBSD Unix cloud server:
# pkg update
# pkg upgrade
# pkg search postfix
## filter sasl specific postfix package using the grep command ##
# pkg search postfix | grep sasl
## Install it ##
# pkg install postfix-sasl
Enable postfix at FreeBSD boot time:
# sysrc postfix_enable="YES"
postfix_enable: -> YES
Make sure Postfix is activated in /usr/local/etc/mail/mailer.conf file as follows. Create a new directory using the mkdir command:
# mkdir -p /usr/local/etc/mail
Install the file using the install command:
# install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf
Step 3 – Configuring postfix for Amazon SES
Let us see how to configure Postfix as outgoing MTA using a smarthost based upon Amazon SES for FreeBSD. First, set SES zone:
# I am using US West (Oregon)
# Feel free to replace MTA as per your AWS region
SES_MTA="email-smtp.us-west-2.amazonaws.com"
Next run the postconf command to configure Postfix with Amazon SES:
postconf -e "relayhost = [${SES_MTA}]:587" \
    "smtp_sasl_auth_enable = yes" \
    "smtp_sasl_security_options = noanonymous" \
    "smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd" \
    "smtp_use_tls = yes" \
    "smtp_tls_security_level = encrypt" \
    "smtp_tls_note_starttls_offer = yes"
Set up Amazon/AWS SES USERNAME and PASSWORD for Postfix MTA
Edit the /usr/local/etc/postfix/sasl_passwd file using a text editor such as nano or vim:
# vim /usr/local/etc/postfix/sasl_passwd
Append (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):
[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD
Save and close the file. First secure the file using the chmod command, then create a new database:
# chmod -v 0600 /usr/local/etc/postfix/sasl_passwd
/usr/local/etc/postfix/sasl_passw
At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:
# postmap -v hash:/usr/local/etc/postfix/sasl_passwd
postmap: name_mask: ipv4
postmap: name_mask: host
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: been_here: 127.0.0.1/32: 0
postmap: been_here: 192.168.2.236/32: 0
postmap: been_here: 10.8.0.2/32: 0
postmap: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32
postmap: open hash /usr/local/etc/postfix/sasl_passwd
postmap: Compiled against Berkeley DB version 1
Configure CA certificate path for verification
The Postfix server needs to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run:
# postconf -e 'smtp_tls_CAfile = /etc/ssl/cert.pem'
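A quick audit of the settings made in this step, as an added example that is not part of the original tutorial: it checks that relayhost matches the sasl_passwd lookup key, that TLS is enforced before credentials are sent, and that the credentials file is owner-only. It also flags that the `encrypt` level enforces TLS without verifying the server certificate; only levels such as `verify` or `secure` use smtp_tls_CAfile to reject a peer. The function names `get_param`, `audit_relay` and `demo` are hypothetical, and the input is assumed to be saved `postconf` output in `name = value` form.

```shell
# Added example, not part of the tutorial: audit the Step 3 relay settings.
# Usage: audit_relay <saved `postconf name...` output> <path to sasl_passwd>
get_param() {  # value of parameter $1 in file $2 (empty if absent)
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}
# Print one finding per line; return 1 if any FAIL was reported.
audit_relay() {
    conf=$1 passwd=$2 rc=0
    relay=$(get_param relayhost "$conf")
    case $relay in
        \[*\]:*) ;;  # bracketed host with explicit port, as in the tutorial
        *) echo "FAIL: relayhost '$relay' is not in [host]:port form"; rc=1 ;;
    esac
    # The sasl_passwd lookup key has to match relayhost exactly.
    awk -v k="$relay" 'NF && $1 == k { ok = 1 } END { exit !ok }' "$passwd" ||
        { echo "FAIL: no sasl_passwd entry for '$relay'"; rc=1; }
    [ "$(get_param smtp_sasl_auth_enable "$conf")" = yes ] ||
        { echo "FAIL: smtp_sasl_auth_enable is not yes"; rc=1; }
    case $(get_param smtp_sasl_security_options "$conf") in
        *noanonymous*) ;;
        *) echo "FAIL: smtp_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    level=$(get_param smtp_tls_security_level "$conf")
    case $level in
        verify|secure|fingerprint|dane-only) ;;
        encrypt) echo "WARN: TLS level encrypt does not verify the server certificate" ;;
        *) echo "FAIL: smtp_tls_security_level '${level:-unset}' is not a TLS-enforcing level"; rc=1 ;;
    esac
    # sasl_passwd and the .db built by postmap must be owner-only.
    for f in "$passwd" "$passwd.db"; do
        [ -e "$f" ] || continue
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "FAIL: $f is accessible to group/other"; rc=1; }
    done
    return $rc
}

# Constructed sample: the tutorial's settings, with sasl_passwd left at 0644.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'relayhost = [email-smtp.us-west-2.amazonaws.com]:587' \
        'smtp_sasl_auth_enable = yes' 'smtp_sasl_security_options = noanonymous' \
        'smtp_tls_security_level = encrypt' > "$d/main.cf"
    echo '[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD' > "$d/sasl_passwd"
    chmod 0644 "$d/sasl_passwd"
    audit_relay "$d/main.cf" "$d/sasl_passwd" || echo "=> fix the FAIL lines above"
    rm -rf "$d"
}
demo
```

On a live host, save the output of `postconf relayhost smtp_sasl_auth_enable smtp_sasl_security_options smtp_tls_security_level` to a file and pass it together with /usr/local/etc/postfix/sasl_passwd.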
Start Postfix service
Use the service command:
# service postfix start
# service postfix status
postfix is running as pid 15935.
See Postfix log file
Use the cat command/tail command:
# tail -f /var/log/maillog
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: name_mask: host
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: inet_addr_local: configured 3 IPv4 addresses
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 127.0.0.1/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 192.168.2.236/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 10.8.0.2/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: open hash /usr/local/etc/postfix/sasl_passwd
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: Compiled against Berkeley DB version 1
Aug 30 16:08:46 rsnapshot postfix/postfix-script[15933]: starting the Postfix mail system
Aug 30 16:08:46 rsnapshot postfix/master[15935]: daemon started -- version 3.5.4, configuration /usr/local/etc/postfix
Step 4 – Test integration of Amazon SES with Postfix on FreeBSD server
Use the sendmail command as follows:
sendmail -f webmaster@cyberciti.biz webmaster@nixcraft.com
From: Vivek Gite <webmaster@cyberciti.biz>
Subject: Postfix email server integration with Amazon SES
This message was sent using Amazon SES on my FreeBSD Unix server
I hope this works out 👿
.
Here is my test email:
AWS SES with Postfix headers
Original Message
Message ID: <010101743efcd00e-462dbed6-5015-48bf-b74d-1f65305d7914-000000@us-west-2.amazonses.com>
Created at: Sun, Aug 30, 2020 at 4:19 PM (Delivered after 1 second)
From: Vivek Gite <webmaster@cyberciti.biz>
To: webmaster@nixcraft.com
Subject: Postfix email server integration with Amazon SES
SPF: PASS with IP 54.240.27.116
DKIM: 'PASS' with domain cyberciti.biz
DMARC: 'PASS'
Make sure you set up correct SPF, DKIM and DMARC.
A note about system generated emails
Typically, system-generated emails sent from the following addresses will be rejected by AWS SES because they come from an unauthenticated domain or email address. For example:
root@your-hostname
root@your-hostname-domain-dot-com
@freebsd-hostname.localdomain
To fix this problem, see my page “Postfix masquerading or changing outgoing SMTP email or mail address” for more information.
Conclusion
In this tutorial, we learned how to use Postfix MTA with the Amazon SES cloud service on FreeBSD Unix operating systems. I tested these instructions on a FreeBSD 11.x/12.x server that sends many emails per day using Amazon SES with a high email delivery rate. Please see SES docs here for more info.
Why install postfix-sasl instead of postfix?
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols: https://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer. Hence it is needed with AWS SES or 3rd party SMTP for auth purposes along with TLS.
This was the easy part, but my email still gets rejected as it is coming from a host like xyz.example.com. How can I tell SES to accept subdomains too?