Visits: 2629
BE SURE!!! to back up your ec2 as an image from in the AWS Web UI console.
The Best way to have a completely secure Postfix server tnat can use ses, is to install our simple to install EC2 including Roundcube WebMail. Check it out AWS Marketplace: Mail Server on Linux Postfix using MySQL for tons of users (amazon.com)
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html?icmpid=docs_ses_console
sudo postconf -e “relayhost = [email-smtp.us-west-2.amazonaws.com]:587” \
“smtp_sasl_auth_enable = yes” \
“smtp_sasl_security_options = noanonymous” \
“smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd” \
“smtp_use_tls = yes” \
“smtp_tls_security_level = encrypt” \
“smtp_tls_note_starttls_offer = yes”
Lines got connect using postconf
In a text editor, open the file /etc/postfix/sasl_passwd. If the file doesn’t already exist, create it.
Add the following line to /etc/postfix/sasl_passwd:
[email-smtp.us-west-2.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
At a command prompt, type the following command to create a hashmap database file containing your SMTP credentials:
sudo postmap hash:/etc/postfix/sasl_passwd
email-smtp.us-east-2.amazonaws.com
SMTP Username:
LongNAME
SMTP Password:
CONFUSINGPassword
Add the following line to /etc/postfix/sasl_passwd:
email-smtp.us-west-2.amazonaws.com:587 LONGSECRET
The postconf command was combining the last line of the previous main.cf with one of the lines in the command below. This is because the main.cf did not have a line ending at the end of the file.
docker exec -it postfix postconf -e “relayhost = email-smtp.us-east-2.amazonaws.com:587” \
“smtp_sasl_auth_enable = yes” \
“smtp_sasl_security_options = noanonymous” \
“smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd” \
“smtp_use_tls = yes” \
“smtp_tls_security_level = encrypt” \
“smtp_tls_note_starttls_offer = yes” ### THis line got smushed by postconf
The smushed line looked like this
smtpd_tls_auth_only = yessmtp_tls_note_starttls_offer = yes
the first half of the line is not part of the postconf command
Ask permission
You need to request from AWS to allow you to send emails via SES. They apporve you as long as it’s clear that you wont send spam.
Quota details – Sending quota | AWS Service Quotas (amazon.com)
It is best to use SES to send emails, however the server is setup to send emails too.
In order to send email via SES you need to get permission as well as to add the addresses and domains.
See:
Integrating Amazon SES with Postfix – Amazon Simple Email Service
when running postconf the last line without line ending gets combined with one of the lines in the postconf command
“`
docker exec -it postfix postconf -e \
“relayhost = email-smtp.us-east-1.amazonaws.com:587” \
“smtp_sasl_auth_enable = yes” \
“smtp_sasl_security_options = noanonymous” \
“smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd” \
“smtp_use_tls = yes” \
“smtp_tls_security_level = encrypt” \
“smtp_tls_note_starttls_offer = yes”
“`
the above would end up looking like
`
smtpd_tls_auth_only = yes
inet_protocols = ipv4smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = encrypt
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
relayhost = email-smtp.us-east-1.amazonaws.com:587
smtp_sasl_auth_enable = yes
`
The line starting with inet_protocols got combined
The line starting with inet_protocols got combined
The solution was to add the last line to the postconf command , then it worked.
```
docker exec -it postfix postconf -e \
"inet_protocols = ipv4" \
"relayhost = email-smtp.us-east-1.amazonaws.com:587" \
"smtp_sasl_auth_enable = yes" \
"smtp_sasl_security_options = noanonymous" \
"smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
"smtp_use_tls = yes" \
"smtp_tls_security_level = encrypt" \
"smtp_tls_note_starttls_offer = yes" Instructions to add aws ses support to postfix, based on:
http://www.postfix.org/SASL_README.html
To make this possible, Postfix supports per-sender SASL passwords and per-sender relay hosts. In the example below, the Postfix SMTP client will search the SASL password file by sender address before it searches that same file by destination. Likewise, the Postfix trivial-rewrite(8) daemon will search the per-sender relayhost file, and use the default relayhost setting only as a final resort.
/etc/postfix/main.cf: smtp_sender_dependent_authentication = yes sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay smtp_sasl_auth_enable = yes smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd relayhost = [mail.isp.example] # Alternative form: # relayhost = [mail.isp.example]:submission
/etc/postfix/sasl_passwd:
# Per-sender authentication; see also /etc/postfix/sender_relay.
user1@example.com username1:password1
user2@example.net username2:password2
# Login information for the default relayhost.
[mail.isp.example] username:password
# Alternative form:
# [mail.isp.example]:submission username:password
/etc/postfix/sender_relay:
# Per-sender provider; see also /etc/postfix/sasl_passwd.
user1@example.com [mail.example.com]:submission
user2@example.net [mail.example.net]
http://www.postfix.org/postconf.5.html
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html