Ubuntu Postfix Configuration for AWS SES

As part of my CheckMK configuration I needed to be able to send outgoing email for alerts. I was already using AWS SES (Simple Email Service) as a method to send email, via SMTP for this WordPress site so decided to continue using it for CheckMK.

Amazon SES

I’m not going into the detail of configuring AWS SES as Amazon have their own guides on how to get this working along with removing your account from the testing sandbox to allow sending to any address rather than just those that are registered. This post is to show how I managed to get it working with Ubuntu and Postfix.


Postfix Installation

Ensure the hostname of the server is set correctly. As this configuration was for my CheckMK server I set that as the hostname:

sudo hostnamectl set-hostname checkmk.shank.land

Installation of Postfix is very simple and can be achieved with just the following line:

sudo apt install mailutils

During the installation of mailutils, you will be presented with a screen similar to the following:

Postfix Config
Postfix Config

You will be asked a number of question through this configuration. In my scenario the answers were:

  • Mail Configuration: Satellite system
  • Mailname: shank.land (your domain name rather than the hostname)
  • SMTP Relay Host: email-smtp.eu-west-1.amazonaws.com:587

The Postfix configuration file (/etc/postfix/main.cf) now needs to be configured with all of the remaining AWS SES specific details:

sudo vim /etc/postfix/main.cf

Add the following into the configuration:

smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

The AWS SES credentials need to be added to the sasl_passwd file:

sudo vim /etc/postfix/sasl_passwd
email-smtp.eu-west-1.amazonaws.com:587 <username>:<password>

The sasl_passwd file needs to be secured so that only root can read it due to containing the AWS SES username and password:

sudo chown root:root /etc/postfix/sasl_passwd
sudo chmod 0600 /etc/postfix/sasl_passwd

A hashmap database now needs to be created from the sasl_passwd file we have edited and secured:

sudo postmap hash:/etc/postfix/sasl_passwd

Again, set the security on the hashmap database so that only root can read:

sudo chown root:root /etc/postfix/sasl_passwd.db
sudo chmod 0600 /etc/postfix/sasl_passwd.db

Tell Postfix where the CA certificate is for the encrypted AWS SES connection:

sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'

Finally, restart Postfix to ensure there are no errors and the new configuration is applied:

sudo service postfix restart

The following can be used to test all the changes:

echo test | mail -s "Test Message" -a "From: sender@example.com" recipient@example.com

You should have now received a test email but if not, you can run the following to see if there are any obvious issues listed:

tail -f /var/log/mail.log



sudo service postfix restart

The following can be used to test all the changes:

echo test | mail -s "Test Message" -a "From: sender@example.com" recipient@example.com

You should have now received a test email but if not, you can run the following to see if there are any obvious issues listed:

tail -f /var/log/mail.log


References

Leave a Reply

Your email address will not be published. Required fields are marked *