Ubuntu – What’s wrong with the postfix setup routing through Amazon/SES? (smtp_sender_dependent_authentication)

Tags: amazon-ses, postfix, Ubuntu

I'm trying to use Amazon SES as an SMTP gateway for my EC2 Ubuntu 'precise' server, using different SES accounts for different originating e-mail domains. The postfix documentation seems to imply that is possible, but SES always claims I'm using the wrong credentials ("535 Authentication Credentials Invalid"). The credentials work if I route all e-mail via the relayhost directive to the same SES account.

Here's what I have.

main.cf (relevant sections):

relayhost =
sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_dependent_relayhost_map
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = regexp:/etc/postfix/smtp_sasl_password_map
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

sender_dependent_relayhost_map:

/.*@example\.com/   [email-smtp.us-east-1.amazonaws.com]:25

smtp_sasl_password_map:

/.*@example\.com/   AK...:34.../...

where AK… is the AWSAccessKeyId and 34…/… is the AWSSecretKey.

The error message in /var/log/mail.log is:

Aug 20 21:47:39 example postfix/smtp[18496]: DE1E14218D: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[23.23.139.32] said: 535 Authentication Credentials Invalid

Is there some way I can see what credentials it is attempting to use?

Update: To debug, I have replaced my regexp maps with mysql maps, and switched on SQL query logging. This way I can see how those maps are evaluated. It's sort of interesting. First, I'm getting:

SELECT host FROM sender_dependent_relayhost_map WHERE sender='foo@example.com'

If this returns localhost:11111, I can run netcat at that port, and get an incoming SMTP connection. So that part seems to be working fine.

Then, I'm getting repeated queries of the type:

SELECT userpass FROM smtp_sasl_password_map WHERE sender=...

first evaluated with 'foo@example.com', then (if not found) with '@example.com' (not something I found in the docs), then, surprisingly, with the SMTP server found from the previous sender_dependent_relayhost_map query, and finally with '<>' (presumably the global default).

But if I return 'AK…:34…/…' (the Amazon SES credential) from that second table, I still get the same authentication error from Amazon. So there is progress, but no resolution yet.

Best Answer

I'd suspect the regexp is somehow failing. You might try the following, which ties the user:pass to the relayhost.

/etc/postfix/sasl_pass

[email-smtp.us-east-1.amazonaws.com] AKAAAA:AAAAAAAAA

/etc/postfix/main.cf

smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass

You'd of course need to run sudo postmap /etc/postfix/sasl_pass (or whatever file name you use).
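An added example, not from the question or the answer, that emulates the lookup sequence the question's SQL log revealed (sender, @domain, next-hop, '<>') against both map types on this page, the regexp map from the question and the hash map from the answer, so you can see which key would hit before touching Postfix. Map contents and credentials are constructed placeholders; the hash-key comparison assumes the password map is queried with the relayhost value exactly as written.

```python
import re

# Constructed stand-ins for the two password maps on this page; the
# credential values are placeholders, not real AWS keys.
REGEXP_PASSWORD_MAP = [  # regexp:/etc/postfix/smtp_sasl_password_map
    (r".*@example\.com", "AKIAEXAMPLE:placeholder/secret+key"),
]
HASH_PASSWORD_MAP = {  # hash:/etc/postfix/sasl_pass from the answer
    "[email-smtp.us-east-1.amazonaws.com]": "AKIAEXAMPLE:placeholder/secret+key",
}

def regexp_lookup(key, table):
    """regexp: table semantics: unanchored, case-insensitive, first match wins."""
    for pattern, value in table:
        if re.search(pattern, key, re.IGNORECASE):
            return value
    return None

def hash_lookup(key, table):
    """hash: table semantics: exact key, folded to lower case like postmap does."""
    return table.get(key.lower())

def lookup_keys(sender, nexthop):
    """Keys in the order the question's SQL log showed: full sender,
    @domain, the next-hop from the relayhost map, then '<>'."""
    keys = [sender]
    if "@" in sender:
        keys.append("@" + sender.split("@", 1)[1])
    keys.extend([nexthop, "<>"])
    return keys

def find_credentials(sender, nexthop, lookup):
    """Return (matched_key, 'user:pass') for the first key that hits,
    or (None, None); the same result as postmap -q on each key in turn."""
    for key in lookup_keys(sender, nexthop):
        value = lookup(key)
        if value is not None:
            return key, value
    return None, None

if __name__ == "__main__":
    nexthop = "[email-smtp.us-east-1.amazonaws.com]:25"  # relayhost map value
    print(find_credentials("foo@example.com", nexthop,
                           lambda k: regexp_lookup(k, REGEXP_PASSWORD_MAP)))
    # The answer's hash key carries no :25, so it matches only when the
    # relayhost map value is written the same way; compare the two.
    for nh in (nexthop, nexthop.rsplit(":", 1)[0]):
        print(nh, find_credentials("foo@example.com", nh,
                                   lambda k: hash_lookup(k, HASH_PASSWORD_MAP)))
```

Against a real Postfix, `postmap -q 'foo@example.com' regexp:/etc/postfix/smtp_sasl_password_map` (and likewise for each of the other keys) performs the same lookup the daemon does, which answers the question of which credentials it will send.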