
I've set up Amazon SES, verified my domain, and have been approved for Production mode. When an email from the outside world is sent to an address in my domain, my server forwards it back out to a Gmail account, but the forward is rejected by Amazon SES with the error:

Email address is not verified

For example, if someone from yahoo.com sends an email to me at "me@mydomain.com", and that email is then immediately forwarded to "me@gmail.com" because of an entry in /etc/aliases, SES is rejecting the email to gmail.com, even though "mydomain.com" is a verified domain. When I turn on detailed logging in Postfix for the connection to gmail.com, the email appears to be from yahoo.com and going to gmail.com -- neither of which are my domain. Is it complaining about the fact that the email is originally from yahoo.com? If that's the case, then am I not able to use SES when relaying mail from outside domains, through my domain, to another (gmail) domain?

It works fine, however, if I send an email originating from my domain and going to the gmail address.

Here's the line in /var/log/maillog where the SES server rejects the forward to gmail.com:

Apr 15 02:11:43 ip-10-194-190-140 postfix/smtp[10191]: 9013922528: to=<myaddress@gmail.com>, orig_to=<myaddress@mydomain.com>, relay=email-smtp.us-east-1.amazonaws.com[54.243.71.143]:25, delay=0.32, delays=0.01/0/0.11/0.2, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[54.243.71.143] said: 554 Message rejected: Email address is not verified. (in reply to end of DATA command))

And here are the lines I added to /etc/postfix/main.cf:

relayhost = email-smtp.us-east-1.amazonaws.com:25
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt

Followup question:

When this problem happens, where does the email end up? The email is being accepted by my Postfix server for "me@mydomain.com", but the forward to gmail.com is rejected by Amazon SES. But the email is not in the outgoing mail queue on my server, it's not in the mailbox for my account on my server, and it hasn't been bounced back to the original sender (at yahoo, in my example above). Where did it go?

masegaloeh
Russell G
  • So, I suspect that you're having the same issue that I'm currently having. What I want is an address like support@mysite.com which is in my aliases file and forwards to my personal email address. I have my personal email address verified, I have support@mysite.com verified, and I have the entire mysite.com verified. The problem is that there is no way to verify the sender, and when Postfix receives the mail (let's say from bruce@batman.com) addressed to support@mysite.com then it will try to forward that to my personal email address from bruce@batman.com, and Amazon SES will reject it. Postfix – bratsche Apr 22 '13 at 23:45
  • Yes, exactly the same problem. I'm beginning to think it's not possible because nobody seems to have a solution, either here or on the AWS forums: https://forums.aws.amazon.com/thread.jspa?messageID=443997 – Russell G Apr 23 '13 at 11:58
  • I think it's solvable. I've got another question open on ServerFault here: http://serverfault.com/questions/501722/conditionally-rewriting-from-and-reply-to-headers-in-postfix I've got the start of a potential solution on there, but I'm hoping someone with stronger Postfix-fu than I have will be able to help me get it working. – bratsche Apr 23 '13 at 15:08

1 Answer


Why does Amazon SES throw that error when sending email?

For example, you have verified your domain example.com. Now, someone@yahoo.com sends an email to myaccount@example.com. Postfix gladly accepts it and because of the alias file, postfix will forward it to otheraccount@gmail.com.

The problem is that Postfix uses someone@yahoo.com as the envelope sender in the SMTP transaction. This is the desired and default behavior of Postfix. The purpose is to not lose the sender information when Gmail receives that email from someone@yahoo.com. Unfortunately, Amazon SES only allows example.com as the envelope sender domain.

Solution

From the thread mentioned by the OP in a comment, there are some solutions for altering the envelope sender so that it passes the Amazon SES restriction. One possible solution is using sender_canonical_maps. By default, Postfix will rewrite the sender in both the envelope and the header. With proper configuration of sender_canonical_classes, Postfix will only rewrite the envelope one.

In /etc/postfix/main.cf, add

sender_canonical_maps = regexp:/etc/postfix/sender_canonical
sender_canonical_classes = envelope_sender

In /etc/postfix/sender_canonical, add

/.*/    mysenderaddress@example.com

The problem is that your original sender is unknown. One method to obtain the original is with a prepend action of check_sender_access, as suggested by the Postfix author.

In /etc/postfix/main.cf, add

smtpd_data_restrictions = check_sender_access pcre:/etc/postfix/sender_access

In /etc/postfix/sender_access, add

/(.*)/  prepend X-Envelope-From: <$1>

Those settings will add an X-Envelope-From header, which will contain the original sender email address.

When this problem happens, where does the email end up? Where did it go?

By default, Postfix will bounce this message to the original sender (the Yahoo address). You can trace it by following mail.log after the rejection. Of course, some Postfix setting could suppress the bounce message, or maybe Yahoo silently rejects it.

masegaloeh
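
Tracing what the answer describes, as an added example that is not part of the original answer: these shell functions find messages that SES refused with this error in a Postfix log, show the envelope sender Postfix used, and follow the resulting non-delivery notification by queue ID. The log lines are constructed sample data and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample log: hosts, PIDs, queue IDs, addresses and IPs are made up.
sample_log() {
cat <<'EOF'
Apr 15 02:11:43 mx postfix/qmgr[1201]: 9013922528: from=<someone@example.org>, size=1432, nrcpt=1 (queue active)
Apr 15 02:11:43 mx postfix/smtp[10191]: 9013922528: to=<me@example.net>, orig_to=<me@example.com>, relay=email-smtp.us-east-1.amazonaws.com[192.0.2.25]:25, delay=0.32, dsn=5.0.0, status=bounced (host email-smtp.us-east-1.amazonaws.com[192.0.2.25] said: 554 Message rejected: Email address is not verified. (in reply to end of DATA command))
Apr 15 02:11:43 mx postfix/bounce[10192]: 9013922528: sender non-delivery notification: A5F2E22529
Apr 15 02:11:43 mx postfix/qmgr[1201]: 9013922528: removed
Apr 15 02:11:43 mx postfix/qmgr[1201]: A5F2E22529: from=<>, size=3310, nrcpt=1 (queue active)
Apr 15 02:11:44 mx postfix/smtp[10193]: A5F2E22529: to=<someone@example.org>, relay=email-smtp.us-east-1.amazonaws.com[192.0.2.25]:25, delay=0.4, dsn=5.0.0, status=bounced (constructed reply text)
Apr 15 02:12:10 mx postfix/smtp[10200]: B7C1D2252A: to=<me@example.net>, relay=email-smtp.us-east-1.amazonaws.com[192.0.2.25]:25, delay=0.3, dsn=2.0.0, status=sent (250 Ok)
EOF
}

# Queue IDs whose delivery through the relay was refused with the SES error.
rejected_ids() {
  awk '/postfix\/smtp\[/ && /status=bounced/ && /Email address is not verified/ {
         id = $6; sub(/:$/, "", id); print id }' "$1" | sort -u
}

# Envelope sender that qmgr logged for queue ID $2.
envelope_from() {
  awk -v id="$2:" '$6 == id && /postfix\/qmgr\[/ && match($0, /from=<[^>]*>/) {
         print substr($0, RSTART + 6, RLENGTH - 7); exit }' "$1"
}

# Queue ID of the non-delivery notification generated for queue ID $2.
notification_id() {
  awk -v id="$2:" '$6 == id && /sender non-delivery notification:/ { print $NF; exit }' "$1"
}

# Last delivery status logged for queue ID $2 (sent, bounced, deferred, ...).
delivery_status() {
  awk -v id="$2:" '$6 == id && match($0, /status=[a-z]+/) {
         s = substr($0, RSTART + 7, RLENGTH - 7) } END { print s }' "$1"
}

# One line per rejected message: its sender and the fate of its bounce notice.
trace_rejections() {
  for id in $(rejected_ids "$1"); do
    n=$(notification_id "$1" "$id")
    st=none; [ -z "$n" ] || st=$(delivery_status "$1" "$n")
    echo "$id from=$(envelope_from "$1" "$id") notice=${n:-none} notice_status=$st"
  done
}

log=${1:-}
[ -n "$log" ] || { log=$(mktemp); sample_log > "$log"; }
trace_rejections "$log"
```

Pass the path of a real log as the first argument to run the trace against it instead of the sample; a from= value outside your verified domain on a rejected message is the envelope-sender mismatch the answer explains.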