
I have been trying to configure my Amazon EC2 instance (running Ubuntu 20.04) to send mail via Amazon SES. I have various settings I've borrowed from an earlier (successful) configuration to prevent any local mail delivery on this machine and to make sure all outgoing mail is coming from a single sender address. For some reason, postfix refuses to send the mail. The errors always look like this (I have redacted identifiable domains etc):

May 11 21:24:43 ip-172-30-2-193 postfix/pickup[3918]: 256D03EEA0: uid=1001 from=<noreply@mydomain.com>
May 11 21:24:43 ip-172-30-2-193 postfix/cleanup[3928]: 256D03EEA0: message-id=<20200511212443.256D03EEA0@www.mydomain.com>
May 11 21:24:43 ip-172-30-2-193 postfix/qmgr[3919]: 256D03EEA0: from=<noreply@mydomain.com>, size=723, nrcpt=1 (queue active)
May 11 21:24:43 ip-172-30-2-193 postfix/smtp[3921]: 256D03EEA0: to=<example-email@gmail.com>, relay=none, delay=14, delays=14/0/0/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=email-smtp.us-east-1.amazonaws.com type=A: Host not found, try again)

Here is my postconf:

command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
html_directory = no
inet_interfaces = loopback-only
inet_protocols = ipv4
local_transport = error:local delivery is disabled
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, envelope_recipient, header_sender, header_recipient
masquerade_domains = $mydomain
mydestination =
mydomain = mydomain.com
myhostname = www.mydomain.com
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
readme_directory = /usr/share/doc/postfix
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
sample_directory = /usr/share/doc/postfix/examples
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
smtp_generic_maps = hash:/etc/postfix/generic
smtp_sasl_auth_enable = yes
smtp_sasl_mechanism_filter = plain
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = secure
smtpd_banner = $myhostname ESMTP $mail_name
unknown_local_recipient_reject_code = 550

The file /etc/postfix/sasl_passwd is root:root and 640 and looks like this:

# NOTE: these are credentials for IAM User [REDACTED]
[email-smtp.us-east-1.amazonaws.com]:587 XXXXXXXXXXXXXXXXXXXXX:YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY

where the XXX... and YYY... are credentials that currently work from an older server.

I have seen a variety of posts on this forum addressing this type of error, but the solutions they suggest don't solve my problem:

  • network connection problem -- I can telnet without any problem from this server to email-smtp.us-east-1.amazonaws.com on both port 25 and 587
  • attempting ipv6 transport - I specifically set inet_protocols to ipv4.
  • presence/absence of square brackets around email-smtp.us-east-1.amazonaws.com -- I have tried setting relayhost with and without square brackets and have always taken care to re-hash the sasl_passwd file. If I put the brackets in, the error says type=A: Host not found, try again. If I take the brackets out, it says type=MX: Host not found, try again. This is the only difference.
  • DNS not resolving and/or resolv.conf not readable -- A dig email-smtp.us-east-1.amazonaws.com command always yields about half a dozen AWS addresses. The file /etc/resolv.conf is world-readable. I have not tried copying or symlinking this file anywhere.
  • bad relay host or missing credentials - all mail should be routed through Amazon SES, which is what I have relayhost set to, and the file /etc/postfix/sasl_passwd is owned/readable by root and the credentials it contains match relayhost in main.cf and also work on another, older server.
S. Imp

1 Answer

I was able to resolve it by telling Postfix to use Google DNS, right after installing Postfix:

echo 'nameserver 8.8.8.8' >> /var/spool/postfix/etc/resolv.conf
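
The answer edits the resolv.conf copy under /var/spool/postfix rather than /etc/resolv.conf. As an added example (not part of the original answer), this script compares the nameservers in the two files so a missing or stale copy is visible before mail is deferred; it assumes the smtp client runs chrooted under Postfix's queue_directory, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare the resolver config Postfix sees inside its chroot
# with the system one. Assumes the smtp client is chrooted under
# queue_directory (e.g. /var/spool/postfix); function names are hypothetical.

# Print the nameserver addresses from a resolv.conf-style file, sorted.
nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$1" | sort -u
}

# resolv_drift SYSTEM_FILE CHROOT_FILE
# Returns 0 when both files list the same nameservers, 1 when they differ,
# 2 when the chroot copy is missing, unreadable, or has no nameserver line.
resolv_drift() {
    sys_file=$1
    chroot_file=$2
    if [ ! -r "$chroot_file" ]; then
        echo "chroot copy missing or unreadable: $chroot_file"
        return 2
    fi
    sys_ns=$(nameservers "$sys_file")
    chroot_ns=$(nameservers "$chroot_file")
    if [ -z "$chroot_ns" ]; then
        echo "no nameserver entries in $chroot_file"
        return 2
    fi
    if [ "$sys_ns" = "$chroot_ns" ]; then
        echo "in sync: $(echo "$chroot_ns" | tr '\n' ' ')"
        return 0
    fi
    echo "drift: system=[$(echo "$sys_ns" | tr '\n' ' ')]" \
         "chroot=[$(echo "$chroot_ns" | tr '\n' ' ')]"
    return 1
}

# Run against the live system only when asked: sh check_resolv.sh --check
if [ "${1:-}" = "--check" ]; then
    queue_dir=$(postconf -h queue_directory)
    resolv_drift /etc/resolv.conf "$queue_dir/etc/resolv.conf"
fi
```

A result of 1 or 2 means the chrooted Postfix processes may be resolving names differently from dig and telnet run in a normal shell.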