Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Integrating Amazon SES with Postfix

Postfix was created as an alternative to the widely used Sendmail MTA. For information about Postfix, go to http://www.postfix.org.

These instructions were tested on a 64-bit Amazon EC2 instance using the following Amazon Machine Image (AMI), which is based on Red Hat:

  • Amazon Linux AMI 2014.09.2 (HVM) (ami-146e2a7c).

To launch an Amazon EC2 instance, which includes selecting an AMI, see Amazon Machine Images (AMIs).

Prerequisites

Before you perform one of the following procedures, verify the following:

  • You have uninstalled Sendmail, unless you know how to switch between Sendmail and Postfix.

  • You have installed Postfix.

  • You are able to successfully send an email using Postfix without Amazon SES.

  • You have verified your "From" address and, if your account is still in the sandbox, you have also verified your "To" addresses. For more information, see Verifying Email Addresses in Amazon SES.

  • (Optional) If you are sending email through Amazon SES from an Amazon EC2 instance, you may need to assign an Elastic IP Address to your Amazon EC2 instance for the receiving ISP to accept your email. For more information, see Amazon EC2 Elastic IP Addresses.

  • (Optional) If you are sending email through Amazon SES from an Amazon EC2 instance, you can fill out a Request to Remove Email Sending Limitations to remove the additional sending limit restrictions that are applied to port 25 by default.

To configure integration with the Amazon SES US West (Oregon) endpoint using STARTTLS

  1. On your mail server, open the main.cf file. On many systems, this file resides in the /etc/postfix folder.

    Important

    These instructions assume that you want to use Amazon SES in the US West (Oregon) AWS region. If you want to use a different region, replace all instances of email-smtp.us-west-2.amazonaws.com in these instructions with the SMTP endpoint of the desired region. For a list of SMTP endpoints, see Regions and Amazon SES.

  2. Add the following lines to the main.cf file.

    
    relayhost = [email-smtp.us-west-2.amazonaws.com]:25
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
    smtp_use_tls = yes
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes

    Save and close the main.cf file.

  3. On your mail server, open the master.cf file. On many systems, this file resides in the /etc/postfix folder.

  4. Comment out the following line of the master.cf file by putting a # in front of it: -o smtp_fallback_relay=

    Save and close the master.cf file.

  5. Edit the /etc/postfix/sasl_passwd file. If the file does not exist, create it. Add the following lines to the file, replacing USERNAME and PASSWORD with your SMTP user name and password. If Postfix cannot authenticate with the Amazon SES SMTP endpoint because the hostname does not match, try adding the additional line specified in Amazon SES SMTP Issues.

    Important

    Use your SMTP user name and password, not your AWS access key ID and secret access key. Your SMTP credentials and your AWS credentials are not the same. For information about how to obtain your SMTP credentials, see Obtaining Your Amazon SES SMTP Credentials.

    [email-smtp.us-west-2.amazonaws.com]:25 USERNAME:PASSWORD

    Save and close the sasl_passwd file.

  6. At a command prompt, issue the following command to create a hashmap database file containing your SMTP credentials.

    sudo postmap hash:/etc/postfix/sasl_passwd

  7. (Optional but recommended) Remove the /etc/postfix/sasl_passwd file.

  8. (Optional but recommended) The /etc/postfix/sasl_passwd and /etc/postfix/sasl_passwd.db files you created in the previous steps are not encrypted. Because these files contain your SMTP credentials, it is a good idea to use the following commands to change the owner to root and set permissions to restrict access to the files as much as possible. (Note that if you deleted /etc/postfix/sasl_passwd in the previous step, you should omit it from the commands below.)

    sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

    sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

  9. Tell Postfix where to find the CA certificate (needed to verify the Amazon SES server certificate). You could use a self-signed certificate or you could use default certificates as follows:

    If running on the Amazon Linux AMI:

    sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'

    If running on Ubuntu Linux:

    sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'

  10. When you have finished updating the configuration, stop and start Postfix by typing the following at the command line:

    sudo postfix stop

    sudo postfix start

  11. Send a test email by typing the following at a command line, pressing Enter after each line. Note that you must replace from@example.com with your "From" email address, which you must have previously verified with Amazon SES. Replace to@example.com with your "To" address. If your account is still in the sandbox, the "To" address must also be verified. Also note that the final line is a single period.

    sendmail -f from@example.com to@example.com
    From: from@example.com
    Subject: Test
    This email was sent through Amazon SES!
    .

  12. Check your inbox for the email. If the message was not delivered, check your Junk box, and then check your system's mail log (typically /var/log/maillog) for errors. For example, you will get an "Email address not verified" error if you have not verified the "From" address that follows "-f" on the command line.

To configure integration using a secure tunnel

  1. To begin, you will need to set up a secure tunnel as described in Setting Up a Secure Tunnel to Connect to Amazon SES. In the following procedure, we use port 2525 as your stunnel port. If you are using a different port, adjust the settings below accordingly.

  2. On your mail server, open the main.cf file. On many systems, this file resides in the /etc/postfix folder.

  3. Add the following lines to the main.cf file.

    relayhost = 127.0.0.1:2525
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_tls_security_level = may
    smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

    Save and close the main.cf file.

  4. On your mail server, open the master.cf file. On many systems, this file resides in the /etc/postfix folder.

  5. Comment out the following line of the master.cf file by putting a # in front of it: -o smtp_fallback_relay=

    Save and close the master.cf file.

  6. Edit the /etc/postfix/sasl_passwd file. If the file does not exist, create it. Add the following line to the file, replacing USERNAME and PASSWORD with your SMTP user name and password.

    Important

    Use your SMTP user name and password, not your AWS access key ID and secret access key. Your SMTP credentials and your AWS credentials are not the same. For information about how to obtain your SMTP credentials, see Obtaining Your Amazon SES SMTP Credentials.

    127.0.0.1:2525 USERNAME:PASSWORD

    Save the sasl_passwd file.

  7. At a command prompt, issue the following command to create a hashmap database file containing your SMTP credentials.

    sudo postmap hash:/etc/postfix/sasl_passwd

  8. (Optional but recommended) Remove the /etc/postfix/sasl_passwd file.

  9. (Optional but recommended) The /etc/postfix/sasl_passwd and /etc/postfix/sasl_passwd.db files you created in the previous steps are not encrypted. Because these files contain your SMTP credentials, it is a good idea to use the following commands to change the owner to root and set permissions to restrict access to the files as much as possible. (Note that if you deleted /etc/postfix/sasl_passwd in the previous step, you should omit it from the commands below.)

    sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

    sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

  10. When you have finished updating the configuration, stop and start Postfix by typing the following at the command line:

    sudo postfix stop

    sudo postfix start

  11. Send a test email by typing the following at a command line, pressing Enter after each line. Note that you must replace from@example.com with your "From" email address, which you must have previously verified with Amazon SES. Replace to@example.com with your "To" address. If your account is still in the sandbox, the "To" address must also be verified. Also note that the final line is a single period.

    sendmail -f from@example.com to@example.com
    From: from@example.com
    Subject: Test
    This email was sent through Amazon SES!
    .

  12. Check your inbox for the email. If the message was not delivered, check your Junk box, and then check your system's mail log (typically /var/log/maillog) for errors. For example, you will get an "Email address not verified" error if you have not verified the "From" address that follows "-f" on the command line.
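
The checks below are an added example, not part of the AWS guide: a POSIX shell function that audits the settings both procedures above put in main.cf and the ownership and permissions of the sasl_passwd files. The names conf_get and audit_ses_relay are hypothetical, GNU stat is assumed, and the expected TLS level is passed in (encrypt for the STARTTLS procedure, may for the secure tunnel).

```shell
#!/bin/sh
# Added example: audit a Postfix-to-SES relay configuration (not AWS code).
# Input is a main.cf-style file of "name = value" lines; `postconf -n`
# prints the same format on a live host.

# conf_get FILE NAME -> last value assigned to NAME (later lines override)
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

# audit_ses_relay MAIN_CF TLS_LEVEL [OWNER_UID]
# OWNER_UID defaults to 0 (root), matching the chown step in the guide.
# Prints one FAIL line per finding and returns the number of findings.
audit_ses_relay() {
    cf=$1 want_tls=$2 owner=${3:-0} fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ "$(conf_get "$cf" smtp_sasl_auth_enable)" = yes ] ||
        fail "smtp_sasl_auth_enable is not yes"
    case " $(conf_get "$cf" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) fail "smtp_sasl_security_options lacks noanonymous" ;;
    esac
    [ "$(conf_get "$cf" smtp_tls_security_level)" = "$want_tls" ] ||
        fail "smtp_tls_security_level is not $want_tls"
    [ -n "$(conf_get "$cf" relayhost)" ] || fail "relayhost is not set"

    map=$(conf_get "$cf" smtp_sasl_password_maps)
    case $map in
        hash:/*) src=${map#hash:} ;;
        *) fail "smtp_sasl_password_maps is not a hash: map"; return "$fails" ;;
    esac
    [ -f "$src.db" ] || fail "$src.db missing (postmap not run)"
    # The plaintext source may have been removed; check whatever exists.
    for f in "$src" "$src.db"; do
        [ -e "$f" ] || continue
        set -- $(stat -c '%a %u' "$f")   # GNU stat: octal mode, owner uid
        [ "$1" = 600 ] || fail "$f has mode $1, expected 600"
        [ "$2" = "$owner" ] || fail "$f is owned by uid $2, expected $owner"
    done
    return "$fails"
}
```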