FreeBSD configure AWS SES with Postfix MTA

How do I integrate and configure Amazon/AWS SES with Postfix running on my FreeBSD Unix server?

Amazon Simple Email Service (SES) is a hosted email service for you to send and receive email using your email addresses and domains. Typically SES is used for sending bulk email or routing emails through cloud servers provided by AWS without hosting your own MTA. We can use Perl/Python/PHP APIs to send an email via SES. In this tutorial we are going to configure a FreeBSD server or jail running Postfix to route all outgoing emails via AWS SES.
Tutorial requirements
Requirements: FreeBSD with bash
Root privileges: Yes
Difficulty: Intermediate
Est. reading time: 10m

Procedure to configure AWS SES with Postfix

Before getting started with Amazon SES and Postfix for FreeBSD server, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download credentials too.

Step 1 – Disable Sendmail if enabled on FreeBSD

We need to use the sysrc command to safely edit system rc files. Let us disable sendmail, run:
## Make sure sendmail service stopped for Postfix ##
# service sendmail stop
## Disable sendmail service specific ##
# sysrc sendmail_enable="NO"
# sysrc sendmail_submit_enable="NO"
# sysrc sendmail_outbound_enable="NO"
# sysrc sendmail_msp_queue_enable="NO"

Also disable/remove sendmail server service specific cronjobs/tasks:
# vi /etc/periodic.conf
Append/modify as follows:

daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"

Save and close the file in vim/vi.

Step 2 – Installing postfix

Run the pkg command as follows to install Postfix MTA on FreeBSD Unix cloud server:
# pkg update
# pkg upgrade
# pkg search postfix
## filter sasl specific postfix package using the grep command ##
# pkg search postfix | grep sasl
## Install it ##
# pkg install postfix-sasl


Enable postfix at FreeBSD boot time:
# sysrc postfix_enable="YES"

postfix_enable:  -> YES

Make sure Postfix is activated in /usr/local/etc/mail/mailer.conf file as follows. Create a new directory using the mkdir command:
# mkdir -p /usr/local/etc/mail
Install the file using the install command:
# install -m 0644 /usr/local/share/postfix/mailer.conf.postfix /usr/local/etc/mail/mailer.conf

Step 3 – Configuring postfix for Amazon SES

Let us see how to configure Postfix as outgoing MTA using a smarthost based upon Amazon SES for FreeBSD. First, set SES zone:

# I am using US West (Oregon) 
# Feel free to replace MTA as per your AWS region 
SES_MTA="email-smtp.us-west-2.amazonaws.com"

Next run the postconf command to configure Postfix with Amazon SES:

postconf -e "relayhost = [${SES_MTA}]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"

Set up Amazon/AWS SES USERNAME and PASSWORD for Postfix MTA

Edit the /usr/local/etc/postfix/sasl_passwd file using a text editor such as vim, enter:
# vim /usr/local/etc/postfix/sasl_passwd
Append (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):
[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD
Save and close the file. First secure the file using the chmod command and then create a new database:
# chmod -v 0600 /usr/local/etc/postfix/sasl_passwd
/usr/local/etc/postfix/sasl_passw

At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:
# postmap -v hash:/usr/local/etc/postfix/sasl_passwd

postmap: name_mask: ipv4
postmap: name_mask: host
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: been_here: 127.0.0.1/32: 0
postmap: been_here: 192.168.2.236/32: 0
postmap: been_here: 10.8.0.2/32: 0
postmap: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32 
postmap: open hash /usr/local/etc/postfix/sasl_passwd
postmap: Compiled against Berkeley DB version 1

Configure CA certificate path for verification

The Postfix server needs to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run:
# postconf -e 'smtp_tls_CAfile = /etc/ssl/cert.pem'
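
A sanity check for the settings made in this step, as an added example that is not part of the original tutorial: it reads `postconf -n` output and reports on the relay, SASL and TLS parameters. At `smtp_tls_security_level = encrypt` Postfix insists on TLS but still delivers when the SES certificate fails the `smtp_tls_CAfile` check; the `verify` and `secure` levels make that check binding. The function names and the OK/WARN/FAIL labels are this example's own.

```shell
#!/bin/sh
# Added example: audit the SES relay settings this tutorial writes.
# Input: `postconf -n` output ("name = value" lines) on stdin.
# Output: one OK/WARN/FAIL finding per line; non-zero status on any FAIL.

# Value of parameter $1 in the settings text $2 (last assignment wins).
get_param() {
    printf '%s\n' "$2" | sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

audit_ses_relay() {
    conf=$(cat); rc=0
    case "$(get_param relayhost "$conf")" in
        "["*"]:"[0-9]*) echo "OK relayhost is [host]:port, so no MX lookup" ;;
        *) echo "FAIL relayhost should look like [host]:587"; rc=1 ;;
    esac
    if [ "$(get_param smtp_sasl_auth_enable "$conf")" = yes ]; then
        echo "OK SASL authentication enabled"
    else
        echo "FAIL smtp_sasl_auth_enable is not yes"; rc=1
    fi
    case "$(get_param smtp_sasl_security_options "$conf")" in
        *noanonymous*) echo "OK anonymous SASL mechanisms refused" ;;
        *) echo "FAIL smtp_sasl_security_options lacks noanonymous"; rc=1 ;;
    esac
    case "$(get_param smtp_tls_security_level "$conf")" in
        verify|secure) echo "OK TLS required, server certificate must verify" ;;
        encrypt) echo "WARN TLS required, but a bad certificate is accepted" ;;
        *) echo "FAIL TLS to the relay is not mandatory"; rc=1 ;;
    esac
    return "$rc"
}

# True when group and others have no permission bits on file $1
# (use on sasl_passwd and sasl_passwd.db, which hold the SMTP password).
creds_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed sample: the values set by the postconf -e command above.
TUTORIAL_CONF='relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt'

printf '%s\n' "$TUTORIAL_CONF" | audit_ses_relay
```

On the server, run `postconf -n | audit_ses_relay`, and `creds_private` on both /usr/local/etc/postfix/sasl_passwd and the sasl_passwd.db file that postmap creates.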

Start Postfix service

Use the service command:
# service postfix start
# service postfix status

postfix is running as pid 15935.

See Postfix log file

Use the cat command/tail command:
# tail -f /var/log/maillog

Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: name_mask: host
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: inet_addr_local: configured 3 IPv4 addresses
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 127.0.0.1/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 192.168.2.236/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: been_here: 10.8.0.2/32: 0
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: mynetworks_core: 127.0.0.1/32 192.168.2.236/32 10.8.0.2/32 
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: open hash /usr/local/etc/postfix/sasl_passwd
Aug 30 16:04:13 rsnapshot postfix/postmap[15781]: Compiled against Berkeley DB version 1
Aug 30 16:08:46 rsnapshot postfix/postfix-script[15933]: starting the Postfix mail system
Aug 30 16:08:46 rsnapshot postfix/master[15935]: daemon started -- version 3.5.4, configuration /usr/local/etc/postfix

Getting rid of alias database unavailable error

Run the newaliases command to rebuild the database for the mail aliases file called /etc/mail/aliases (softlinked /etc/aliases). We need to create a soft link with the ln command:
# cd /etc/
# ln -s mail/aliases.db
# newaliases -v
# ls -l /etc/aliases*

Step 4 – Test integration of Amazon SES with Postfix on FreeBSD server

Use the sendmail command as follows:
sendmail -f webmaster@cyberciti.biz webmaster@nixcraft.com
From: Vivek Gite <webmaster@cyberciti.biz>
Subject: Postfix email server integration with Amazon SES
This message was sent using Amazon SES on my FreeBSD Unix server
I hope this works out 👿
.


Here is my test email:

AWS SES with Postfix headers

Original Message

Message ID	<010101743efcd00e-462dbed6-5015-48bf-b74d-1f65305d7914-000000@us-west-2.amazonses.com>
Created at:	Sun, Aug 30, 2020 at 4:19 PM (Delivered after 1 second)
From:	Vivek Gite <webmaster@cyberciti.biz>
To:	webmaster@nixcraft.com
Subject:	Postfix email server integration with Amazon SES
SPF:	PASS with IP 54.240.27.116
DKIM:	'PASS' with domain cyberciti.biz
DMARC:	'PASS'

Make sure you set up correct SPF, DKIM and DMARC.

A note about system generated emails

Typically system-generated emails sent from the following addresses will be rejected by AWS SES as they are from an unauthenticated domain/email address. For example:
root@your-hostname
root@your-hostname-domain-dot-com
@freebsd-hostname.localdomain

Use the hostname command to list your host's names, then map each one to an address that SES accepts with smtp_generic_maps. For instance:

postconf -e 'smtp_generic_maps = hash:/usr/local/etc/postfix/generic'
echo "@$(hostname) webmaster@cyberciti.biz" >>/usr/local/etc/postfix/generic
echo "@$(hostname).localdomain webmaster@cyberciti.biz" >>/usr/local/etc/postfix/generic
# for AWS EC2 host add actual hostname too from /etc/hosts #
# echo "@ip-172-26-14-129.ec2.internal  webmaster@cyberciti.biz" >>/usr/local/etc/postfix/generic
postmap -v /usr/local/etc/postfix/generic
service postfix restart

See my page “Postfix masquerading or changing outgoing SMTP email or mail address” for more information.

Conclusion

In this tutorial, we learned how to use Postfix MTA with the Amazon SES cloud service on FreeBSD Unix operating systems. I tested the instructions on a FreeBSD 11.x/12.x server that sends many emails per day using Amazon SES with high email delivery rates. Please see the SES docs for more info.


4 comments
  • John Aug 31, 2020 @ 6:59

    Why install postfix-sasl instead of postfix?

  • Typical devops Sep 6, 2020 @ 21:06

    This was the easy part but my email still gets rejected as they are coming from a host like xyz.example.com? How can I tell SES to accept subdomains too?

    • EC2 freebsd admin Jan 26, 2021 @ 11:13

      You need to add those subdomains to AWS and verify them too. Otherwise AWS SES will reject those emails.
