Actually, there was one additional thing I had to do for AWS to use SES as my mail relay. The required postfix settings did not transfer.
Previous discourse:
For posterity, updated:
Using MiaB in AWS presents challenges with regards to trustworthiness. Many of the public (elasticIP) address ranges have been greylisted on several address lists. If you’re unlucky enough to have this problem, receiving ends may drop your email. This happened to me before.
AWS realises this and provides a service to forward emails. SES. They require that you update your DNS records with TXT to prove domain or email address ownership, and provide a dash to help you determine if your mail server is behaving correctly. The only catch is that you can directly receive inbound emails using MiaB, but when sending outside the box to the internet at large, you must use the SES forwarding service. Their servers are trusted. It’s way too easy for bad actors to stand up a fly-by-night mail spam server with AWS, and this is the resolution to help legit users, like me.
They require that you implement an SSL tunnel (stunnel) and provide SASL credentials for the forwarding device.
As such, the modifications for postfix’s main.cf are as follows:
relayhost = 127.0.0.1:2525
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd.db
apt-get install stunnel
The stunnel config is as follows:
ubuntu@ip-172-31-15-250:/media/OLD14/etc$ cat stunnel/stunnel.conf
[smtp-tls-wrapper]
accept = 127.0.0.1:2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465
delay = yes
#cert = /etc/stunnel/mail.pem
The SASL password generation is private, and per AWS user. It must be binary’d using postfix map:
/etc/postfix/sasl_passwd:
127.0.0.1:2525 AWSKEY:AWSSECRET
sudo postmap /etc/postfix/sasl_passwd
sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
sudo systemctl restart postfix
In order to start up stunnel automatically, the following is required:
/etc/default# more stunnel4
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003
# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""
# Change to one to enable ppp restart scripts
PPP_RESTART=0
/etc/init.d/stunnel4 start
/etc/init.d/stunnel4 status
Verify
send email to external domain (like @google etc)
check /var/log/mail.log for information on SASL failures
check AWS SES dashboard to see daily usage mails sent increase
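A consistency check for the three pieces above, added here as an example and not part of the original post or of Mail-in-a-Box: the sasl_passwd map key, the postfix relayhost and the stunnel accept address must agree character for character, otherwise postfix silently finds no credentials and the relay fails with the SASL errors mentioned in mail.log. The embedded file contents are constructed copies of the snippets in the post; the SES hostname and the AWSKEY:AWSSECRET placeholder are taken from it.

```python
"""Check that main.cf, stunnel.conf and sasl_passwd agree for the postfix -> stunnel -> SES relay."""

# Constructed sample inputs, copied from the configuration shown in the post.
MAIN_CF = """relayhost = 127.0.0.1:2525
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd.db
"""
STUNNEL_CONF = """[smtp-tls-wrapper]
accept = 127.0.0.1:2525
client = yes
connect = email-smtp.us-east-1.amazonaws.com:465
delay = yes
#cert = /etc/stunnel/mail.pem
"""
SASL_PASSWD = "127.0.0.1:2525 AWSKEY:AWSSECRET\n"  # placeholder credentials


def parse_kv(text):
    """Parse 'key = value' lines (main.cf / stunnel.conf); skip comments and [section] headers."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "[")) and "=" in line:
            k, _, v = line.partition("=")
            out[k.strip()] = v.strip()
    return out


def parse_sasl_passwd(text):
    """Map each 'host credentials' line of sasl_passwd to its credentials."""
    return {h.strip(): c.strip() for h, _, c in
            (l.partition(" ") for l in text.splitlines() if l.strip() and not l.startswith("#"))}


def sasl_mode_ok(mode):
    """True when the sasl_passwd file mode has no group/other bits (the chmod 0600 step)."""
    return (mode & 0o077) == 0


def check_relay(main_cf, stunnel_conf, sasl_passwd):
    """Return a list of problems; an empty list means the three files are consistent."""
    pf, st, creds = parse_kv(main_cf), parse_kv(stunnel_conf), parse_sasl_passwd(sasl_passwd)
    relay = pf.get("relayhost", "")
    problems = []
    if relay != st.get("accept"):
        problems.append(f"relayhost {relay!r} does not match stunnel accept {st.get('accept')!r}")
    if relay not in creds:  # postfix looks the key up verbatim, brackets included
        problems.append(f"no sasl_passwd entry keyed exactly {relay!r}; SES would reject unauthenticated mail")
    if pf.get("smtp_sasl_auth_enable") != "yes":
        problems.append("smtp_sasl_auth_enable is not 'yes'")
    if "noanonymous" not in pf.get("smtp_sasl_security_options", ""):
        problems.append("smtp_sasl_security_options lacks noanonymous")
    if st.get("client") != "yes" or not st.get("connect", "").endswith(":465"):
        problems.append("stunnel must be client = yes and connect to the TLS-wrapped SES port 465")
    return problems
```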