How To Configure AWS SES With Postfix MTA

Author: Vivek Gite. Last updated: July 16, 2024.

How do I configure Amazon SES with Postfix mail server to send email under a CentOS/RHEL/Fedora/Ubuntu/Debian Linux server?

Amazon Simple Email Service (SES) is a hosted email service for you to send and receive email using your email addresses and domains. Typically SES is used for sending bulk email or routing emails without hosting an MTA. We can use Perl/Python/PHP APIs to send an email via SES. Another option is to configure a Linux or Unix box running Postfix to route all outgoing emails via SES.

Tutorial requirements
Requirements: Ubuntu/Debian/RHEL/CentOS Linux with Postfix
Root privileges: Yes
Difficulty level: Intermediate
Est. reading time: 5 minutes

Table of contents
1. Remove sendmail
2. Install postfix
3. Configuring postfix for SES
4. Test postfix

Procedure to configure AWS SES with Postfix

Before getting started with Amazon SES and Postfix, you need to sign up for AWS, including SES. You need to verify your email address and other settings. Make sure you create a user for SES access and download the credentials too.

Step 1 - Uninstall Sendmail if installed

If sendmail is installed, remove it.
Debian/Ubuntu Linux users type the following apt command/apt-get command:

    $ sudo apt --purge remove sendmail

CentOS/RHEL users type the following yum command, or the dnf command on Fedora/CentOS/RHEL 8.x/9.x:

    $ sudo yum remove sendmail
    $ sudo dnf remove sendmail

Sample outputs from CentOS 8 server:

    Dependencies resolved.
     Package        Architecture   Version          Repository
    Removing:
     sendmail       x86_64         8.15.2-32.el8    @AppStream
    Removing unused dependencies:
     cyrus-sasl     x86_64         2.1.27-1.el8     @BaseOS
     procmail       x86_64         3.22-47.el8      @AppStream

    Transaction Summary
    Remove  3 Packages

    Freed space: 2.9 M
    Is this ok [y/N]: y

Step 2 - Install postfix

The procedure for installing Postfix on a CentOS/RHEL/Fedora Linux is as follows:

    $ sudo dnf install postfix   # <-- RHEL/CentOS 8.x/9.x or latest Fedora
    $ sudo yum install postfix   # <-- RHEL/CentOS v7.x/6.x

    Last metadata expiration check: 0:42:33 ago on Sat May 30 16:13:57 2020.
    Dependencies resolved.
     Package        Architecture   Version          Repository
    Installing:
     postfix        x86_64         2:3.3.1-9.el8    BaseOS

    Transaction Summary
    Install  1 Package

    Total download size: 1.5 M
    Installed size: 5.4 M
    Is this ok [y/N]:

If you are using a Debian or Ubuntu Linux, run:

    $ sudo apt install postfix

    Postfix Configuration

    Please select the mail server configuration type that best meets your needs.

    No configuration: Should be chosen to leave the current configuration unchanged.
    Internet site: Mail is sent and received directly using SMTP.
    Internet with smarthost: Mail is received directly using SMTP or by running a utility such as fetchmail. Outgoing mail is sent using a smarthost.
    Satellite system: All mail is sent to another machine, called a 'smarthost', for delivery.
    Local only: The only delivered mail is the mail for local users. There is no network.

    General type of mail configuration:
        Internet Site
        Internet with smarthost
        Satellite system
        Local only

Make sure you choose "No configuration" when prompted by apt. You can also select "Satellite system" and enter the SES SMTP address as follows when prompted:

    Postfix Configuration

    Please specify a domain, host, host:port, [address] or [address]:port. Use the form [destination] to turn off MX lookups. Leave this blank for no relay host.
    Do not specify more than one host.
    The relayhost parameter specifies the default host to send mail to when no entry is matched in the optional transport(5) table. When no relay host is given, mail is routed directly to the destination.

    SMTP relay host (blank for none):

    # I am using US West (Oregon)
    # Feel free to replace MTA as per your AWS region
    SES_MTA="email-smtp.us-west-2.amazonaws.com"

Debian/Ubuntu Linux users type the following cp command to create a new default config file for your MTA:

    $ sudo cp -v -i /etc/postfix/main.cf{.proto,}
    '/etc/postfix/main.cf.proto' -> '/etc/postfix/main.cf'

Next run the postconf command to configure Postfix with Amazon SES:

    sudo postconf -e "relayhost = [${SES_MTA}]:587" \
    "smtp_sasl_auth_enable = yes" \
    "smtp_sasl_security_options = noanonymous" \
    "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
    "smtp_use_tls = yes" \
    "smtp_tls_security_level = encrypt" \
    "smtp_tls_note_starttls_offer = yes"

Set up Amazon SES USERNAME and PASSWORD for MTA

Edit the /etc/postfix/sasl_passwd file using a text editor such as nano command/vim command, enter:

    $ sudo vim /etc/postfix/sasl_passwd
    ## or ##
    $ sudo nano /etc/postfix/sasl_passwd

Append the following as a single line (replace SMTP_USER and SMTP_PASSWORD as provided by AWS IAM/SES):

    [email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD

Save and close the file.
First secure the file using the chmod command and then create a new database:

    $ sudo chmod -v 0600 /etc/postfix/sasl_passwd
    mode of '/etc/postfix/sasl_passwd' changed from 0644 (rw-

At a Linux/Unix shell prompt, type the following postmap command to create a hashmap database for MTA credentials:

    $ sudo postmap -v hash:/etc/postfix/sasl_passwd

Dealing with setgid_group = error

You might get an error as follows:

    postmap: fatal: bad string length 0 < 1: setgid_group =

Make sure you comment out the following line in /etc/postfix/main.cf:

    #setgid_group =

Try again:

    $ sudo postmap hash:/etc/postfix/sasl_passwd

Securing files

Use the chown command and chmod command as follows:

    $ sudo chown -v root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    $ sudo chmod -v 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Configure CA certificate path for verification

The Postfix server needs to locate the CA certificate. Hence, to verify the Amazon SES server certificate, run any one of the following commands as per your Linux distro:

    ## CentOS/RHEL/Fedora Linux user ##
    $ sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'

    ## Debian/Ubuntu Linux ##
    $ sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'

Step 5 - Test configuration using the Linux/Unix CLI

Now that we have configured Postfix to use Amazon SES as a smarthost, it is time to start the Postfix server.
First enable the service, run the following systemctl command:

    $ sudo systemctl enable postfix

Start or restart Postfix:

    $ sudo systemctl start postfix
    OR
    $ sudo systemctl restart postfix

Verify that our Postfix MTA started without any errors:

    $ sudo systemctl status postfix

Outputs:

    ● postfix.service - Postfix Mail Transport Agent
         Loaded: loaded (/lib/systemd/system/postfix.service; enabled
         Active: active (exited) since Sat 2020-05-30 17:53:37 UTC; 2
        Process: 2758073 ExecStart=/bin/true (code=exited, status=0/S
       Main PID: 2758073 (code=exited, status=0/SUCCESS)

    May 30 17:53:37 ncbz01 systemd[1]: Starting Postfix Mail Transpor
    May 30 17:53:37 ncbz01 systemd[1]: Finished Postfix Mail Transpor

Test integration of Amazon SES with Postfix

Use the sendmail command as follows (type the command where the Postfix server is installed and replace [email protected] or webmaster@nixcraft.com with your actual email IDs):

    $ sendmail -f [email protected] [email protected]
    From: Vivek Gite
    Subject: Postfix email server integration with Amazon SES
    This message was sent using Amazon SES on my Ubuntu Linux server

We can also install the bsd-mailx package and test it as follows on a Debian or Ubuntu Linux using the apt command:

    $ sudo apt install bsd-mailx
    $ echo "This is a test email." \
      | mail -r [email protected] -s 'AWS SES test' webmaster@nixcraft.com

Dealing with postdrop message

You may see the following message on screen:

    postdrop: warning: unable to look up public/pickup: No such file or directory

To fix this message, run:

    $ sudo mkfifo /var/spool/postfix/public/pickup
    $ sudo systemctl restart postfix

View Postfix email log

Run the following tail command or grep command:

    $ sudo tail -f /var/log/mail.log
    $ sudo grep '[email protected]' /var/log/mail.log
    $ sudo grep '[email protected]' /var/log/maillog   #<-- centos/rhel

Sample outputs indicating the message was sent using Amazon SES from local Postfix running on an Ubuntu Linux server:

    May 30 18:10:49 ncbz01 postfix/pickup[2778085]: 4F5B2A41631: uid=1000 f
    May 30 18:10:49 ncbz01 postfix/cleanup[2777956]: 4F582A41631: message-id
    May 30 18:18:49 ncbz01 postfix/qmgr[2778086]: 4F582A41631: from=

    To: Webmaster
    Subject: Postfix email server integration with Amazon SES
    SPF: PASS with IP [email protected]
    DKIM: 'PASS' with domain cyberciti.biz
    DMARC: 'PASS'

Make sure you set up correct SPF, DKIM and DMARC.

A note about system generated emails

Typically, system-generated emails sent from the following addresses will be rejected by AWS SES as they are from an unauthenticated domain/email address:

    root@your-hostname
    root@your-hostname-domain-dot-com

To fix this problem, see my page "Postfix masquerading or changing outgoing SMTP email or mail address" for more information.

Conclusion

In this tutorial, we learned how to use Postfix MTA with the Amazon SES cloud service. I tested these instructions on CentOS/RHEL and Debian/Ubuntu servers that send over 100k emails per day using Amazon SES with a high email delivery rate. Please see the SES docs for more info.
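A way to audit the settings this tutorial configures before sending any mail, as an added shell example that is not part of the original article. The helper names get_param and audit_ses_relay are hypothetical, and the sample main.cf and sasl_passwd are constructed in a temporary directory with three deliberate mistakes.

```shell
#!/bin/sh
# Added example (hypothetical helpers): audit the relay settings from this tutorial.

# get_param FILE NAME: print the last value assigned to NAME in a main.cf-style file.
get_param() {
    awk -F= -v k="$2" '$1 ~ "^" k "[ \t]*$" {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0 }
        END { print v }' "$1"
}

# audit_ses_relay MAIN_CF SASL_PASSWD: print one finding per line, nothing when clean.
audit_ses_relay() {
    cf=$1; pw=$2
    relay=$(get_param "$cf" relayhost)
    case $relay in
        "["*"]:"*) ;;
        *) echo "relayhost: expected [host]:port" ;;
    esac
    [ "$(get_param "$cf" smtp_sasl_auth_enable)" = yes ] ||
        echo "smtp_sasl_auth_enable: must be yes"
    case $(get_param "$cf" smtp_sasl_security_options) in
        *noanonymous*) ;;
        *) echo "smtp_sasl_security_options: noanonymous missing" ;;
    esac
    # "encrypt" makes TLS mandatory; "verify"/"secure" also check the server
    # certificate against smtp_tls_CAfile. "may"/"none" allow a cleartext session.
    case $(get_param "$cf" smtp_tls_security_level) in
        encrypt|verify|secure) ;;
        *) echo "smtp_tls_security_level: TLS is not mandatory" ;;
    esac
    # The key in sasl_passwd must match the relayhost value exactly, on one line.
    awk -v r="$relay" '$1 == r && $2 ~ /:/ { ok = 1 } END { exit !ok }' "$pw" ||
        echo "sasl_passwd: no USER:PASSWORD entry keyed by $relay"
    [ "$(ls -ld "$pw" | cut -c1-10)" = "-rw-------" ] ||
        echo "sasl_passwd: mode is not 0600"
}

# Constructed sample input: opportunistic TLS, a key split by a stray space, mode 0644.
demo_dir=$(mktemp -d)
cat > "$demo_dir/main.cf" <<'EOF'
relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
EOF
echo '[email-smtp.us-west-2.amazonaws.com] :587 SMTP_USER:SMTP_PASSWORD' \
    > "$demo_dir/sasl_passwd"
chmod 0644 "$demo_dir/sasl_passwd"
audit_ses_relay "$demo_dir/main.cf" "$demo_dir/sasl_passwd"
```

On a real host, point audit_ses_relay at /etc/postfix/main.cf and /etc/postfix/sasl_passwd. It reads main.cf as plain "name = value" lines and does not follow continuation lines.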
14 comments

Robbie - Aug 19, 2020 @ 10:04
I work for a small business and we have set up our website using EC2 FreeBSD Unix host. We chose FreeBSD as we are already using macOS and FreeNAS server at work. Can you provide a step by step guide for FreeBSD ec2 server to send email using Postfix and SES?

Vivek Gite - Aug 30, 2020 @ 13:39
See FreeBSD and Postfix SES MTA specific tutorial https://www.cyberciti.biz/faq/freebsd-configure-aws-ses-with-postfix-mta/

Charles Obrien - Jun 25, 2021 @ 11:50
Thank you. Worked nicely on my RHEL 8 server sir.

Eli - Jul 4, 2021 @ 8:49
Hi
For some reason I am not able to install libsasl2-modules, all I am getting is this:

    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package libsal2-modules

Ubuntu 20.04 plesk obsidian, please any suggestion.
Thanks

Vivek Gite - Jul 4, 2021 @ 13:48
I don't use plesk obsidian, so chances are high that they have modified the system.

Jhoedram - Feb 5, 2022 @ 1:00
It works very well. However, I have a question about bounced emails, do they reach each email account or not? I think NO, because SES has a particular way of delivering these messages (bounce messages). Is that right friend or am I wrong?

Vivek Gite - Feb 5, 2022 @ 2:17
Yes, do check https://docs.aws.amazon.com/ses/latest/dg/receiving-email-action-bounce.html
HTH

scottwb - Jun 7, 2023 @ 5:35
Nailed it. This guide was excellent. I used it to setup for SendGrid instead of SES, and it worked great with just using SendGrid domain/port/credentials. Thanks for this.

Joti - Jul 31, 2023 @ 8:41
This is the most correct and precise solution which works in every server or application integrating Postfix. Thank you, you are cool!

Greg Atkinson - Feb 3, 2024 @ 22:51
Very helpful! One minor comment is that one of your lines reads:

    sudo systemctl restart posfix

It should be postfix (with a T)

Vivek Gite - Feb 4, 2024 @ 19:14
I fixed it. Thank you for the feedback!

Greg Atkinson - Feb 3, 2024 @ 23:34
This line was a little confusing to me. It displays as two lines on my screen, so I thought it was supposed to be two lines in the file. (I figured out later that it was just supposed to be one line).

    [email-smtp.us-west-2.amazonaws.com]:587 SMTP_USER:SMTP_PASSWORD

Paul Larwood - Mar 10, 2024 @ 3:19
Thanks for the guide. I was able to send email successfully from my EC2 instance running Fedora 39.

Rb24 - Jun 19, 2024 @ 11:57
Any tricks to get it running on AL2023? I've got a roadblock with even the simplest setup
