
I'm trying to use Amazon SES as an SMTP gateway for my EC2 Ubuntu 'precise' server, using different SES accounts for different originating e-mail domains. The postfix documentation seems to imply that is possible, but SES always claims I'm using the wrong credentials ("535 Authentication Credentials Invalid"). The credentials work if I route all e-mail via the relayhost directive to the same SES account.

Here's what I have.

main.cf (relevant sections):

relayhost =
sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_dependent_relayhost_map
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = regexp:/etc/postfix/smtp_sasl_password_map
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

sender_dependent_relayhost_map:

/.*@example\.com/   [email-smtp.us-east-1.amazonaws.com]:25

smtp_sasl_password_map:

/.*@example\.com/   AK...:34.../...

where AK... is the AWSAccessKeyId and 34.../... is the AWSSecretKey.

The error message in /var/log/mail.log is:

Aug 20 21:47:39 example postfix/smtp[18496]: DE1E14218D: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[23.23.139.32] said: 535 Authentication Credentials Invalid

Is there some way I can see what credentials it is attempting to use?

--

Update: To debug, I have replaced my regexp maps with mysql maps, and switched on SQL query logging. This way I can see how those maps are evaluated. It's sort of interesting. First, I'm getting:

SELECT host FROM sender_dependent_relayhost_map WHERE sender='foo@example.com'

If this returns localhost:11111, I can run netcat at that port, and get an incoming SMTP connection. So that part seems to be working fine.

Then, I'm getting repeated queries of the type:

SELECT userpass FROM smtp_sasl_password_map WHERE sender=...

first evaluated with 'foo@example.com', then (if not found) with '@example.com' (not something I found in the docs), and then, surprisingly, with the smtp server found from the previous sender_dependent_relayhost_map query, and finally with '<>' (presumably the global default).

But if I return 'AK...:34.../...' (the Amazon SES credential) from that second table, I still get the same authentication error from Amazon. So there is progress, but no resolution yet.

Johannes Ernst
    Yes this is possible. Just last week, I was part of a webinar hosted by Amazon on SES. One of the slides showed the Postfix config settings that you needed. Maybe you could contact Jenn Steele on the SES team and get a copy of the Powerpoint? – jamieb Aug 21 '12 at 05:57
  • Are you using the credentials created by [this process](http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SMTP.Credentials.html)? – mgorven Aug 21 '12 at 06:05
  • @mgorven: yes I am. They work when used with the default route setup that's described in Amazon's SES documentation. – Johannes Ernst Aug 21 '12 at 17:28
  • @jamieb: followed your suggestion. The slide in question seems to be the same as what's on the Amazon SES documentation site, which sets up a default route via SES. I've done that and it works. But what I'm trying to do here is to route differently based on sender e-mail domain, and that's where the problem occurs ... – Johannes Ernst Aug 21 '12 at 17:58

3 Answers


I'd suspect the regexp is somehow failing. You might try the following, which ties the user:pass to the relayhost.

/etc/postfix/sasl_pass

[email-smtp.us-east-1.amazonaws.com] AKAAAA:AAAAAAAAA

/etc/postfix/main.cf

smtp_sasl_password_maps = hash:/etc/postfix/sasl_pass

You'd of course need to run sudo postmap /etc/postfix/sasl_pass (or whatever file name you use).

Ramin
  • Thank you for writing the "user":pass in that format. It helped me realize that I should not be using my user, but instead the key. – Tyler Collier Jun 21 '13 at 17:15

For the sasl credentials in postfix where you have 'AK...:34.../...' you need to use SMTP username and password not an AWSAccessKeyId and AWSSecretKey.

See "Obtaining Your Amazon SES SMTP Credentials" at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html

Stew-au
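As an added debugging aid (not code from the question or any answer here), the following Python script simulates the map lookups the question's MySQL log showed and flags a credential whose password has the shape of a raw AWS secret key rather than an SES SMTP password, which is the mistake Stew-au's answer points at. The lookup order, the "40 characters vs. 44-character base64" length check and the regexp-table semantics are assumptions taken from the question and the linked SES docs; the key ID and secret are AWS's documented placeholder values, not real credentials.

```python
import re

# Constructed Postfix regexp: tables mirroring the question's two maps ("/pattern/ result",
# first match wins); the credential uses AWS's documented placeholder key ID and secret key.
RELAYHOST_MAP = r"/.*@example\.com/   [email-smtp.us-east-1.amazonaws.com]:25"
PASSWORD_MAP = r"/.*@example\.com/   AKIAIOSFODNN7EXAMPLE:wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def parse_regexp_table(text):
    """Parse '/pattern/ result' lines; Postfix regexp: matching is case-insensitive by default."""
    table = []
    for line in text.splitlines():
        m = re.match(r"^\s*/(.*?)/\s+(\S.*)$", line)
        if m and not line.lstrip().startswith("#"):
            table.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).strip()))
    return table

def lookup(table, key):
    for pattern, result in table:
        if pattern.search(key):  # unanchored, as Postfix applies the pattern to the key
            return result
    return None

def sasl_lookup_keys(sender, relayhost):
    """Assumed lookup order, taken from the SQL queries the question's update observed:
    full sender, then @domain, then the relayhost the first map returned, then '<>'."""
    domain = sender.split("@", 1)[1] if "@" in sender else ""
    return [sender, "@" + domain, relayhost, "<>"]

def resolve_credentials(sender, relayhost_map, password_map):
    """Return (relayhost, matched_key, user, password) as the simulated Postfix lookup resolves them."""
    relayhost = lookup(parse_regexp_table(relayhost_map), sender) or ""
    table = parse_regexp_table(password_map)
    for key in sasl_lookup_keys(sender, relayhost):
        cred = lookup(table, key) if key else None
        if cred is not None:
            user, _, password = cred.partition(":")
            return relayhost, key, user, password
    return relayhost, None, None, None

def looks_like_aws_secret_key(password):
    """Heuristic (assumption): an AWS secret access key is 40 characters, while the SES SMTP
    password derived from it is a 44-character base64 string; a 40-char value gets a 535 from SES."""
    return re.fullmatch(r"[A-Za-z0-9+/]{40}", password) is not None

if __name__ == "__main__":
    host, key, user, pw = resolve_credentials("foo@example.com", RELAYHOST_MAP, PASSWORD_MAP)
    print(f"relayhost={host} matched_key={key} user={user}")
    if pw and looks_like_aws_secret_key(pw):
        print("password looks like a raw AWS secret key; use the SES SMTP password instead")
```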

Important note. You MUST only have one SES SMTP account per region.

This wasn't always the case and we had two SMTP accounts. Refreshing the permissions recently wasn't working until I removed both accounts and recreated it.