How to configure AWS SES with Postfix MTA

How do I configure Amazon SES With Postfix mail server to send email under a CentOS/RHEL/Fedora/Ubuntu/Debian Linux server?

Amazon Simple Email Service (SES) is a hosted email service for you to send and receive email using your email addresses and domains. Typically, SES is used for sending bulk email or routing email without hosting an MTA. We can use Perl/Python/PHP APIs to send an email via SES. Another option is to configure a Linux or Unix box running Postfix to route all outgoing emails via SES.

Tutorial requirements
Operating system/app: Ubuntu/Debian/RHEL/CentOS Linux
Root privileges required: Yes
Difficulty: Intermediate
Estimated completion time: 10m

Procedure to configure AWS SES with Postfix

Before getting started with Amazon SES and Postfix, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download credentials too.

Step 1 – Uninstall Sendmail if installed

If sendmail is installed, remove it. Debian/Ubuntu Linux users type the following apt command/apt-get command:
$ sudo apt --purge remove sendmail
CentOS/RHEL users type the following yum command, or the dnf command on Fedora/CentOS/RHEL 8.x:
$ sudo yum remove sendmail
$ sudo dnf remove sendmail

Sample outputs from CentOS 8 server:

Dependencies resolved.
===============================================================================
 Package           Architecture  Version               Repository         Size
===============================================================================
Removing:
 sendmail          x86_64        8.15.2-32.el8         @AppStream        2.4 M
Removing unused dependencies:
 cyrus-sasl        x86_64        2.1.27-1.el8          @BaseOS           160 k
 procmail          x86_64        3.22-47.el8           @AppStream        369 k
 
Transaction Summary
===============================================================================
Remove  3 Packages
 
Freed space: 2.9 M
Is this ok [y/N]: y

Step 2 – Install postfix

The procedure for installing Postfix on a CentOS/RHEL/Fedora Linux is as follows:
$ sudo dnf install postfix # <-- RHEL/CentOS 8.x or latest Fedora
$ sudo yum install postfix # <-- RHEL/CentOS v7.x/6.x

Last metadata expiration check: 0:42:33 ago on Sat May 30 16:13:57 2020.
Dependencies resolved.
===============================================================================
 Package          Architecture    Version                Repository       Size
===============================================================================
Installing:
 postfix          x86_64          2:3.3.1-9.el8          BaseOS          1.5 M
 
Transaction Summary
===============================================================================
Install  1 Package
 
Total download size: 1.5 M
Installed size: 5.4 M
Is this ok [y/N]:

If you are using a Debian or Ubuntu Linux, run:
$ sudo apt install postfix

Make sure you choose “No configuration” when prompted by apt.

You can also select “Satellite system” and enter the SES SMTP address when prompted.

Step 3 – SASL authentication package

SASL stands for Simple Authentication and Security Layer. It is a method for adding authentication and security support to connection-based protocols. You need to install a SASL authentication package. For example, if you use a CentOS/RHEL/Fedora Linux, you should install the cyrus-sasl-plain package:
$ sudo dnf install cyrus-sasl-plain # <-- RHEL/CentOS 8.x or latest Fedora
$ sudo yum install cyrus-sasl-plain # <-- RHEL/CentOS v7.x/6.x

Last metadata expiration check: 0:57:13 ago on Sat May 30 16:13:57 2020.
Dependencies resolved.
===============================================================================
 Package                 Architecture  Version             Repository     Size
===============================================================================
Installing:
 cyrus-sasl-plain        x86_64        2.1.27-1.el8        BaseOS         47 k
 
Transaction Summary
===============================================================================
Install  1 Package
 
Total download size: 47 k
Installed size: 46 k
Is this ok [y/N]: y

If you use a Debian or Ubuntu-based Linux system, you should install the libsasl2-modules package as follows:
$ sudo apt install libsasl2-modules

Step 4 – Configuring postfix for Amazon SES

Let us see how to configure Postfix as an outgoing MTA using a smarthost based upon Amazon SES. First, set a shell variable for the SES SMTP endpoint of your region:

# I am using US West (Oregon) 
# Feel free to replace MTA as per your AWS region 
SES_MTA="email-smtp.us-west-2.amazonaws.com"

Debian/Ubuntu Linux users type the following cp command to create a new default config file for your MTA:
$ sudo cp -v -i /etc/postfix/main.cf{.proto,}
'/etc/postfix/main.cf.proto' -> '/etc/postfix/main.cf'

Next run the postconf command to configure Postfix with Amazon SES:

sudo postconf -e "relayhost = [${SES_MTA}]:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes"

Set up Amazon SES USERNAME and PASSWORD for MTA

Edit the /etc/postfix/sasl_passwd file using a text editor such as the nano command/vim command, enter:
$ sudo vim /etc/postfix/sasl_passwd
## or ##
$ sudo nano /etc/postfix/sasl_passwd

Append (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):
[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD
Save and close the file. First secure the file using the chmod command and then create a new database:
$ sudo chmod -v 0600 /etc/postfix/sasl_passwd
mode of '/etc/postfix/sasl_passwd' changed from 0644 (rw-r--r--) to 0600 (rw-------)

At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:
$ sudo postmap -v hash:/etc/postfix/sasl_passwd

Dealing with setgid_group = error

You might get an error as follows:
postmap: fatal: bad string length 0 < 1: setgid_group =
Make sure you comment out the following line in /etc/postfix/main.cf:
#setgid_group =
Try again:
$ sudo postmap hash:/etc/postfix/sasl_passwd

Securing files

Use the chown command and chmod command as follows:
$ sudo chown -v root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
$ sudo chmod -v 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Configure CA certificate path for verification

The Postfix server needs to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run any one of the following commands as per your Linux distro:
## CentOS/RHEL/Fedora Linux user ##
$ sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'
## Debian/Ubuntu Linux ##
$ sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
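
One way to check the result of Step 4 before starting Postfix, as an added example that is not part of the original tutorial. The function names cf_get and audit_ses_relay are hypothetical, main.cf is read with a simplified one-parameter-per-line parser, and stat is assumed to support -c (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example, not from the tutorial. Simplified main.cf parser: one
# "name = value" per line, no continuation lines. Assumes stat(1) has -c.

# cf_get <main.cf> <name>: print the last uncommented value of a parameter.
cf_get() {
    awk -F= -v k="$2" '
        /^[ \t]*#/ { next }
        { n = $1; gsub(/[ \t]/, "", n) }
        n == k { v = substr($0, index($0, "=") + 1)
                 gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { print v }' "$1"
}

# audit_ses_relay <dir>: print one FAIL line per problem; exit status is the
# number of problems (0 = clean). The ( ) body keeps its variables local.
audit_ses_relay() (
    cf=$1/main.cf pw=$1/sasl_passwd fails=0
    fail() { echo "FAIL $*"; fails=$((fails + 1)); }
    relay=$(cf_get "$cf" relayhost)
    level=$(cf_get "$cf" smtp_tls_security_level)

    # [host]:port as in the tutorial; the brackets turn off MX lookups.
    printf '%s\n' "$relay" | grep -Eq '^\[[^]]+]:[0-9]+$' ||
        fail "relayhost '$relay' is not in [host]:port form"

    # Below "encrypt" the SASL login can end up on a cleartext session.
    case $level in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) fail "smtp_tls_security_level='$level' does not enforce TLS" ;;
    esac

    # sasl_passwd is keyed on the relayhost string: changing the region in
    # only one of the two files leaves no entry under the configured key.
    awk -v k="$relay" '$1 == k { ok = 1 } END { exit !ok }' "$pw" 2>/dev/null ||
        fail "no sasl_passwd entry keyed on '$relay'"

    # Credential file and compiled map: owner-only, as the tutorial sets.
    for f in "$pw" "$pw.db"; do
        mode=$(stat -c %a "$f" 2>/dev/null) || mode=missing
        case $mode in
            [0-7]00) ;;
            *) fail "$f has mode $mode, expected 0600" ;;
        esac
    done
    exit "$fails"
)
```

Run it as root against the live configuration with `audit_ses_relay /etc/postfix`; it only reads files and changes nothing.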

Step 5 - Test configuration using the Linux/Unix CLI

Now that we have configured Postfix to use Amazon SES as a smarthost, it is time to start the Postfix server. First enable the service by running the following systemctl command:
$ sudo systemctl enable postfix
Start or restart the Postfix:
$ sudo systemctl start postfix
OR
$ sudo systemctl restart postfix
Verify that our Postfix MTA started without any errors:
$ sudo systemctl status postfix

 postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/lib/systemd/system/postfix.service; enabled; vendor preset: enabled)
     Active: active (exited) since Sat 2020-05-30 17:53:37 UTC; 2s ago
    Process: 2758073 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
   Main PID: 2758073 (code=exited, status=0/SUCCESS)

May 30 17:53:37 ncbz01 systemd[1]: Starting Postfix Mail Transport Agent...
May 30 17:53:37 ncbz01 systemd[1]: Finished Postfix Mail Transport Agent.

Test integration of Amazon SES with Postfix

Use the sendmail command as follows:
sendmail -f webmaster@cyberciti.biz webmaster@nixcraft.com
From: Vivek Gite <webmaster@cyberciti.biz>
Subject: Postfix email server integration with Amazon SES
This message was sent using Amazon SES on my Ubuntu Linux server
.

We can also install the bsd-mailx package and test it as follows:
$ sudo apt install bsd-mailx
$ echo "This is a test email." \
| mail -r webmaster@cyberciti.biz -s 'AWS SES test' webmaster@nixcraft.com

Dealing with postdrop message

You may see the following message on screen:
postdrop: warning: unable to look up public/pickup: No such file or directory
To fix this message, run:
$ sudo mkfifo /var/spool/postfix/public/pickup
$ sudo systemctl restart postfix

View Postfix email log

Run the following tail command or grep command:
$ sudo tail -f /var/log/mail.log
$ sudo grep 'webmaster@nixcraft.com' /var/log/mail.log
$ sudo grep 'webmaster@nixcraft.com' /var/log/maillog ## centos/rhel ##

Sample outputs indicating the message was sent using Amazon SES from the local Postfix running on an Ubuntu Linux server:

May 30 18:10:49 ncbz01 postfix/pickup[2770085]: 4F5B2A41631: uid=1000 from=<webmaster@cyberciti.biz>
May 30 18:10:49 ncbz01 postfix/cleanup[2777956]: 4F5B2A41631: message-id=<20200530181049.4F5B2A41631@ncbz01.localdomain>
May 30 18:10:49 ncbz01 postfix/qmgr[2770086]: 4F5B2A41631: from=<webmaster@cyberciti.biz>, size=419, nrcpt=1 (queue active)
May 30 18:10:50 ncbz01 postfix/smtp[2777958]: 4F5B2A41631: to=<webmaster@nixcraft.com>, relay=email-smtp.us-west-2.amazonaws.com[34.216.173.41]:587, delay=7.7, delays=6.5/0.01/0.74/0.46, dsn=2.0.0, status=sent (250 Ok 0101017266c78163-2701b997-ab08-4fa1-ab16-e782a9262962-000000)
May 30 18:10:50 ncbz01 postfix/qmgr[2770086]: 4F5B2A41631: removed

Here is what the recipient sees in their mailbox:

AWS SES with Postfix headers

Original Message

Message ID:	<0101017266c78163-2701b997-ab08-4fa1-ab16-e782a9262962-000000@us-west-2.amazonses.com>
Created at:	Sat, May 30, 2020 at 11:40 PM (Delivered after 1 second)
From:	Vivek Gite <webmaster@cyberciti.biz>
To:	Webmaster <webmaster@nixcraft.com>
Subject:	Postfix email server integration with Amazon SES
SPF:	PASS with IP 54.240.27.192
DKIM:	'PASS' with domain cyberciti.biz
DMARC:	'PASS'

Make sure you set up correct SPF, DKIM and DMARC.

A note about system generated emails

Typically, system-generated emails sent from the following addresses will be rejected by AWS SES as they are from an unauthenticated domain/email address:
root@your-hostname
root@your-hostname-domain-dot-com

To fix this problem, see my page "Postfix masquerading or changing outgoing SMTP email or mail address" for more information.
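
An added example, not part of the original tutorial, that turns the log check above and this note on rejected system-generated mail into a report of deliveries that did not go out through SES with status=sent. The function names relay_report and sample_log are hypothetical, the classic syslog line layout from the page's log is assumed, and the two AAAA... log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial. Assumes the syslog layout shown in
# the page's log: month day time host program[pid]: queue-id: fields...

# relay_report <relay-host> [logfile...]: for every postfix/smtp delivery
# line print "flag qid rcpt relay dsn status"; flag is "ok" only when the
# message was sent through <relay-host>. Exit status = number of CHECK lines.
relay_report() {
    want=$1; shift
    awk -v want="$want" '
        $5 ~ /^postfix\/smtp\[/ && / status=/ {
            qid = $6; sub(/:$/, "", qid)
            to = relay = dsn = status = "?"
            for (i = 7; i <= NF; i++) {
                f = $i; sub(/,$/, "", f)
                if (f ~ /^to=</)    { to = substr(f, 5, length(f) - 5) }
                if (f ~ /^relay=/)  { relay = substr(f, 7); sub(/\[.*/, "", relay) }
                if (f ~ /^dsn=/)    { dsn = substr(f, 5) }
                if (f ~ /^status=/) { status = substr(f, 8); break }
            }
            flag = (status == "sent" && relay == want) ? "ok" : "CHECK"
            if (flag == "CHECK") bad++
            print flag, qid, to, relay, dsn, status
        }
        END { exit bad + 0 }' "$@"
}

# Sample input: the first two lines come from the page's log; the AAAA...
# lines are constructed (a rejected sender and a delivery that bypassed SES).
sample_log() {
    cat <<'EOF'
May 30 18:10:50 ncbz01 postfix/smtp[2777958]: 4F5B2A41631: to=<webmaster@nixcraft.com>, relay=email-smtp.us-west-2.amazonaws.com[34.216.173.41]:587, delay=7.7, delays=6.5/0.01/0.74/0.46, dsn=2.0.0, status=sent (250 Ok 0101017266c78163-2701b997-ab08-4fa1-ab16-e782a9262962-000000)
May 30 18:10:50 ncbz01 postfix/qmgr[2770086]: 4F5B2A41631: removed
May 30 18:12:03 ncbz01 postfix/smtp[2777958]: AAAA0000001: to=<webmaster@nixcraft.com>, relay=email-smtp.us-west-2.amazonaws.com[34.216.173.41]:587, delay=1.2, delays=0.02/0/0.7/0.48, dsn=5.0.0, status=bounced (host email-smtp.us-west-2.amazonaws.com[34.216.173.41] said: 554 Message rejected: Email address is not verified. (in reply to end of DATA command))
May 30 18:12:09 ncbz01 postfix/smtp[2777961]: AAAA0000002: to=<ops@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.9, delays=0.02/0/0.5/0.38, dsn=2.0.0, status=sent (250 2.0.0 Ok)
EOF
}
```

Try it with `sample_log | relay_report email-smtp.us-west-2.amazonaws.com`, or pass /var/log/mail.log (or /var/log/maillog on CentOS/RHEL) as the second argument.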

Conclusion

In this tutorial, we learned how to use Postfix MTA with the Amazon SES cloud service. I tested instructions on a CentOS/RHEL and Debian/Ubuntu server that sends over 100k emails per day using Amazon SES with high email delivery rates. Please see the SES docs for more info.
