Letsencrypt Certificate SymLink

Using MiaB in AWS presents challenges with regards to trustworthiness. Many of the public (elasticIP) address ranges have been greylisted on several address lists. If you’re unlucky enough to have this problem, receiving ends may drop your email. This happened to me before.

AWS realises this and provides a service to forward emails. SES. They require that you update your DNS records with TXT to prove domain or email address ownership, and provide a dash to help you determine if your mail server is behaving correctly. The only catch is that you can directly receive inbound emails using MiaB, but when sending outside the box to the internet at large, you must use the SES forwarding service. Their servers are trusted. It’s way too easy for bad actors to stand up a fly-by-night mail spam server with AWS, and this is the resolution to help legit users, like me.

They require that you implement an SSL tunnel (stunnel) and provide SASL credentials for the forwarding device.

As such, the modifications for postfix’s main.cf are as follows:

relayhost = 127.0.0.1:2525
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

The stunnel config is as follows:

ubuntu@ip-172-31-15-250:/media/OLD14/etc$ cat stunnel/stunnel.conf
[smtp-tls-wrapper]
accept = 2525
client = yes
# or whatever endpoint they tell you to use (stunnel does not treat text after a value as a comment, so keep it on its own line)
connect = email-smtp.us-east-1.amazonaws.com:465
delay = yes
#cert = /etc/stunnel/mail.pem

The SASL password generation is private, and per AWS user. It must be binary’d using postfix map:

/etc/postfix/sasl_passwd:

127.0.0.1:2525 AWSKEY:AWSSECRET

In order to startup stunnel automatically, it is required:

/etc/default# more stunnel4
# /etc/default/stunnel
# Julien LEMOINE <speedblue@debian.org>
# September 2003

# Change to one to enable stunnel automatic startup
ENABLED=1
FILES="/etc/stunnel/*.conf"
OPTIONS=""

# Change to one to enable ppp restart scripts
PPP_RESTART=0
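The whole relay setup above (Postfix relayhost, stunnel wrapper, SASL map, stunnel4 autostart) as one added shell script, not code from the original post or from Mail-in-a-Box. It writes the files into a staging root so it can be dry-run without touching the box, and then checks the points that commonly break this setup: the credentials file must be mode 600, its lookup key must equal relayhost exactly, stunnel must listen where relayhost points, and stunnel4 must be enabled. Names `write_ses_relay`, `check_ses_relay`, `ROOT` and `SES_HOST` are assumptions of this example; `AWSKEY`/`AWSSECRET` are placeholders for the SMTP credentials SES issues.

```shell
#!/bin/sh
# Added example, not from the original post: lay down the Postfix/stunnel/SASL
# files described above under ROOT ("/" on the real box, a temp dir for a dry
# run) and check the invariants that usually break this relay. Assumed names:
# write_ses_relay, check_ses_relay, ROOT, SES_HOST; AWSKEY/AWSSECRET are placeholders.
set -eu
ROOT="${ROOT:-/tmp/miab-ses-staging}"
SES_HOST="${SES_HOST:-email-smtp.us-east-1.amazonaws.com}"  # use the endpoint SES shows you

write_ses_relay() {   # $1 = SMTP username (AWSKEY), $2 = SMTP password (AWSSECRET)
    mkdir -p "$ROOT/etc/postfix" "$ROOT/etc/stunnel" "$ROOT/etc/default"
    # Postfix settings from the post; on the real box apply them with postconf -e.
    printf '%s\n' 'relayhost = 127.0.0.1:2525' 'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_security_options = noanonymous' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        > "$ROOT/etc/postfix/main.cf.ses"
    # stunnel: TLS-wrap the loopback relay port to SES port 465. Bind 127.0.0.1 so
    # the port is not reachable from the network; comments must be on their own line.
    cat > "$ROOT/etc/stunnel/stunnel.conf" <<EOF
[smtp-tls-wrapper]
accept = 127.0.0.1:2525
client = yes
connect = $SES_HOST:465
delay = yes
EOF
    # Credentials: key must equal relayhost exactly, file mode 600. Afterwards run
    # "postmap hash:/etc/postfix/sasl_passwd" and chmod 600 the resulting .db too.
    ( umask 077; printf '127.0.0.1:2525 %s:%s\n' "$1" "$2" > "$ROOT/etc/postfix/sasl_passwd" )
    chmod 600 "$ROOT/etc/postfix/sasl_passwd"
    # Start stunnel4 at boot (/etc/default/stunnel4 from the post).
    printf '%s\n' 'ENABLED=1' 'FILES="/etc/stunnel/*.conf"' 'OPTIONS=""' 'PPP_RESTART=0' \
        > "$ROOT/etc/default/stunnel4"
}

check_ses_relay() {   # returns 0 only if all four invariants hold
    pw="$ROOT/etc/postfix/sasl_passwd"
    relay=$(sed -n 's/^relayhost = //p' "$ROOT/etc/postfix/main.cf.ses")
    [ "$(ls -ld "$pw" | cut -c1-10)" = "-rw-------" ] \
        || { echo "sasl_passwd must be mode 600 (it holds the SES secret)" >&2; return 1; }
    [ "$(cut -d' ' -f1 "$pw")" = "$relay" ] \
        || { echo "sasl_passwd key must equal relayhost ($relay) or no AUTH is sent" >&2; return 1; }
    grep -q "^accept = $relay\$" "$ROOT/etc/stunnel/stunnel.conf" \
        || { echo "stunnel accept must match relayhost" >&2; return 1; }
    grep -q '^ENABLED=1$' "$ROOT/etc/default/stunnel4" \
        || { echo "stunnel4 is not enabled at boot" >&2; return 1; }
}

# Usage (dry run): ROOT=/tmp/ses-staging sh ses-relay.sh AWSKEY AWSSECRET
if [ "$#" -eq 2 ]; then write_ses_relay "$1" "$2" && check_ses_relay; fi
```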