I'm trying to use Amazon SES as an SMTP gateway for my EC2 Ubuntu 'precise' server, using different SES accounts for different originating e-mail domains. The postfix documentation seems to imply that is possible, but SES always claims I'm using the wrong credentials ("535 Authentication Credentials Invalid"). The credentials work if I route all e-mail via the relayhost directive to the same SES account.
Here's what I have.
main.cf (relevant sections):

    relayhost =
    sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_dependent_relayhost_map
    smtp_sender_dependent_authentication = yes
    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options = noanonymous
    smtp_sasl_password_maps = regexp:/etc/postfix/smtp_sasl_password_map
    smtp_use_tls = yes
    smtp_tls_security_level = encrypt
    smtp_tls_note_starttls_offer = yes
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

sender_dependent_relayhost_map:

    /.*@example\.com/ [email-smtp.us-east-1.amazonaws.com]:25

smtp_sasl_password_map:

    /.*@example\.com/ AK...:34.../...
where AK... is the AWSAccessKeyId and 34.../... is the AWSSecretKey.
The error message in /var/log/mail.log is:

    Aug 20 21:47:39 example postfix/smtp[18496]: DE1E14218D: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[23.23.139.32] said: 535 Authentication Credentials Invalid
Is there some way I can see what credentials it is attempting to use?
--
Update: To debug, I have replaced my regexp maps with mysql maps, and switched on SQL query logging. This way I can see how those maps are evaluated. It's sort of interesting. First, I'm getting:
    SELECT host FROM sender_dependent_relayhost_map WHERE sender='foo@example.com'
If this returns localhost:11111, I can run netcat at that port, and get an incoming SMTP connection. So that part seems to be working fine.
Then, I'm getting repeated queries of the type:
    SELECT userpass FROM smtp_sasl_password_map WHERE sender=...

first evaluated with 'foo@example.com', then (if not found) with '@example.com' (not something I found in the docs), then, surprisingly, with the SMTP server found from the previous sender_dependent_relayhost_map query, and finally with '<>' (presumably the global default).
But if I return 'AK...:34.../...' (the Amazon SES credential) from that second table, I still get the same authentication error from Amazon. So there is progress, but no resolution yet.