Configuring Postfix with SES

Recently I configured Postfix to send Nagios email alerts and was not able to find any tutorials that just worked.  Here is mine.

Please note that my focus during this project was only on sending emails. If you follow this tutorial I cannot guarantee that receiving email will work.

I will assume you have:

  • A vanilla Ubuntu 16.04 Amazon EC2 instance with port 25 exposed
  • Amazon SES SMTP credentials (username and password)
  • Two email addresses validated through SES (one to send emails and one to receive)
  • Basic shell skills and the ability to edit files in the terminal

Let’s begin!

    1. SSH in to the EC2 instance and install postfix by running:
      sudo apt-get install postfix
      A pink configuration screen should appear. Follow along with the configuration screens by selecting:

      • Satellite System
      • Leave mail name as the default
      • Enter the server name found in SES/SMTP settings for the SMTP relay host
      • Leave the rest of the configuration options to the default values

 

    2. Add the following to the end of /etc/postfix/main.cf:

      smtp_sasl_auth_enable = yes
      smtp_sasl_security_options = noanonymous
      smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
      smtp_use_tls = yes
      smtp_tls_security_level = encrypt
      smtp_tls_note_starttls_offer = yes
      smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

 

    3. Create /etc/postfix/sasl_passwd and add one line to it:
      SERVER USERNAME:PASSWORD
      Where SERVER is the relay host from step one and USERNAME and PASSWORD are your SES SMTP credentials.

 

    4. Run:

      sudo chown root:root /etc/postfix/sasl_passwd
      sudo chmod 0600 /etc/postfix/sasl_passwd
      sudo postmap hash:/etc/postfix/sasl_passwd
      sudo chown root:root /etc/postfix/sasl_passwd.db
      sudo chmod 0600 /etc/postfix/sasl_passwd.db
      sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
      sudo service postfix restart

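      The chown and chmod commands are not required to make it work, but they are security best practice: sasl_passwd and sasl_passwd.db hold the SES SMTP credentials in plain text, so only root should be able to read them.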

 

    5. Install mailutils with:
      sudo apt-get install mailutils

 

    6. To send a test email run:
      echo test | mail -s "test message" -a "From: sender@example.com" recipient@example.com
      with the sender and recipient email addresses replaced with your verified email addresses. An email should appear in the recipient mailbox! Be sure to check the spam folder.

If the test email does not appear, check /var/log/mail.log for errors. If you get a bounce due to an email address not being verified, check the spelling of sender and receiver addresses and make sure they appear as verified on the SES/email addresses page.
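
A quick audit of the settings from step 2 and the file permissions from step 4, as an added example that is not part of the original tutorial. The function names are hypothetical, and main.cf is parsed in a simplified way (continuation lines are ignored).

```sh
#!/bin/sh
# Added example (not from the original post): audit the settings from step 2
# and the credential-file permissions from step 4. Needs GNU stat (Ubuntu).

# Print the last value assigned to KEY in main.cf-style FILE (the last
# assignment wins). Simplified: continuation lines are ignored; on a live
# host `postconf -h KEY` is the authoritative answer.
cf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeed only if FILE exists, belongs to OWNER and grants nothing to group
# or other (for example mode 600 or 400).
check_secret() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    owner=$(stat -c '%U' "$1"); mode=$(stat -c '%a' "$1")
    case "$mode" in ?00) ;; *) echo "LOOSE   $1 (mode $mode)"; return 1 ;; esac
    [ "$owner" = "$2" ] || { echo "OWNER   $1 ($owner, expected $2)"; return 1; }
}

# Succeed only if SASL auth is on, anonymous mechanisms are refused and TLS
# is mandatory rather than opportunistic.
check_main_cf() {
    rc=0
    [ "$(cf_value "$1" smtp_sasl_auth_enable)" = yes ] || { echo "SASL auth disabled"; rc=1; }
    case " $(cf_value "$1" smtp_sasl_security_options | tr ',' ' ') " in
        *" noanonymous "*) ;;
        *) echo "noanonymous not set"; rc=1 ;;
    esac
    case "$(cf_value "$1" smtp_tls_security_level)" in
        encrypt|verify|secure|fingerprint|dane-only) ;;
        *) echo "TLS not enforced"; rc=1 ;;
    esac
    return $rc
}

# audit_postfix_ses DIR [OWNER]: check DIR/main.cf plus the password map it
# names and the .db file that postmap built from it.
audit_postfix_ses() {
    bad=0; want=${2:-root}
    check_main_cf "$1/main.cf" || bad=1
    map=$(cf_value "$1/main.cf" smtp_sasl_password_maps)
    map=${map#*:}    # drop the "hash:" lookup-type prefix
    check_secret "$map" "$want" || bad=1
    check_secret "$map.db" "$want" || bad=1
    return $bad
}
```

After step 4, source the file and run `audit_postfix_ses /etc/postfix` as root; it prints one line per finding and returns non-zero if anything is off.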

Although the above should work correctly, the first time I attempted the Postfix configuration it kept sending emails from the root email address (ubuntu@example.com). To solve this problem I had to map one email address to another before it was sent to SES.

    1. Add the following line to /etc/postfix/main.cf:
      smtp_generic_maps = hash:/etc/postfix/generic

 

  2. Create a file named /etc/postfix/generic containing:

    ubuntu@example.com   new_email@example.com

  3. Perform the same security and hashing steps for /etc/postfix/generic as for the sasl_passwd file in step 4.

Because we installed mailutils, configuring Nagios to send email alerts was simple and only required adding
-r sender@example.com
to the notify-host-by-email and the notify-service-by-email commands in /etc/nagios3/commands.cfg.

For further information, the above is a combination of http://www.tothenew.com/blog/configuring-nagiospostfix-to-use-aws-ses-as-relay/ and http://semi-legitimate.com/blog/item/how-to-rewrite-outgoing-address-in-postfix.
