Thursday, February 17, 2011

Gotcha of the Day: EC2 + Postfix + Amazon Simple E-mail Service - Getting all three to play nice

I was delighted to see that Amazon's Simple E-mail Service has instructions for integrating with Postfix. In theory, this means you can configure Postfix once, and then all services on the system - be it cron, /bin/mail or PHP, will automagically work with SES.

Alas, I ended up tripping over one key part of the process. Whenever I attempted to send mail both from a verified user and to a verified user, I got an error from Amazon saying I was using an invalid address.

To debug this, I created my own little dummy mail delivery script like so:

!/bin/bash

##
## Debug script
##
LOG=/tmp/debug.log

echo "---------------------------------------------" >> $LOG
date >> $LOG
echo $* >> $LOG
echo >> $LOG
cat >> $LOG

I then wired this into postfix by changing /etc/postfix/master.cf to say:

aws-email  unix  -       n       n       -       -       pipe
  flags=R user=mail argv=/etc/postfix/ses/bin/debug-send-email.sh -r -k /etc/postfix/creds -e https://email.us-east-1.amazonaws.com -f ${sender} ${recipient}

Sending e-mail then dumped the command and output to /tmp/debug.log.

I realized that while the From: header was correct, the command line value of ${sender} was using the internal hostname provided by amazon. Something like:

  apache@domU-12-38-82-88.compute-1.internal

Amazon was obviously choking on that address.

But how to convince postfix to rewrite that address? Turns out, it's not so tricky after all. After much experimenting, I found that sender_canonical_maps would do the trick nicely.

I created a new config file: /etc/postfix/sender_canonical with:

 /(.*?)@(.*)/   $1@realdomain.com

And then added it to my main.cf with:

  sender_canonical_maps = regexp:/etc/postfix/sender_canonical

Now, when postfix receives e-mail from foo@invalid.internal it rewrites it correctly to foo@realhost.com and passes that to Amazon. Sure, I needed to verify apache@realhost.com, but once that was out of the way, I was all set.

Consider me a happy camper.

5 comments:

  1. Hey Ben, thank you for the help on this. I was hitting my head on the wall trying to figure out why my SES emails weren't getting sent. This fix worked like a charm. Thanx!

    ReplyDelete
  2. So glad this helpful.

    -Ben

    ReplyDelete
  3. Thanks for this - really helpful. Do you know if there's a way to get postfix to honour the From: portion of the email rather than the Received From?

    ReplyDelete
  4. >> Do you know if there's a way to get postfix to honour the From: portion of the email rather than the Received From?

    I'm sorry, but I don't.

    Glad the article was helpful, though.

    ReplyDelete
  5. Anonymous10:58 AM

    Thank you so much.
    Ben, do you know if is possible use multiples verified Amazon SES emails via MTA? Because your solution shows always same email at FROM field.

    Thank again

    ReplyDelete