1

I'm trying to send/receive emails on my AWS Ubuntu box. To do so, I'm following the instructions posted by Amazon here. (I skipped the section entitled "To configure integration using a secure tunnel")

However, I'm still unable to send any emails. When I try to send an email to my.user@gmail.com, it fails:

```
local_user@ip-172-XXX-XXX-XXX:~$ netcat mydomain.com 25
220 mydomain.com ESMTP Postfix (Ubuntu)
ehlo mydomain.com
250-mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: root@mydomain.com
250 2.1.0 Ok
rcpt to: my.user@gmail.com
454 4.7.1 <my.user@gmail.com>: Relay access denied
```

Here is what the log file shows:

```
$ sudo tail -F /var/log/mail.log
Oct 17 18:06:10 ip-172-XXX-XXX-XXX postfix/smtpd[22869]: warning: hostname ec2-54-XXX-XXX-XXX.us-west-2.compute.amazonaws.com does not resolve to address 54.XXX.XXX.XXX
Oct 17 18:06:10 ip-172-XXX-XXX-XXX postfix/smtpd[22869]: connect from unknown[54.XXX.XXX.XXX]
Oct 17 18:06:31 ip-172-XXX-XXX-XXX postfix/smtpd[22869]: NOQUEUE: reject: RCPT from unknown[54.XXX.XXX.XXX]: 454 4.7.1 <my.user@gmail.com>: Relay access denied; from=<root@mydomain.com> to=<my.user@gmail.com> proto=ESMTP helo=<mydomain.com>
```

How can I fix this? What is the problem? Please note that my EC2 is in AWS's US West (Oregon) region. But I have set the relay host to email-smtp.us-east-1.amazonaws.com:25 in the main.cf file. Is that the issue? I don't think it is.

My main.cf file is posted here

Saqib Ali

2 Answers

3

You've got a typo on your relayhost.

```
relayhost = email-smtp.us-east.amazonaws.com:25
```

should be

```
relayhost = email-smtp.us-east-1.amazonaws.com:25
```

TrackZero
  • I fixed my main.cf: https://gist.github.com/syedsaqibali/ddd5ec91665b9b20f42b But the problem persists just the same. – Saqib Ali Oct 17 '14 at 19:00
  • 1
    Did you restart the service? Also make sure your username & password are the gibberish-looking ones, (made up examples: AIAIIAAAKKKIAAL and the longer AOAOOAAALALALLALJD/AALSLLS8772), not an IAM username & password that you might have named & set a password for. – TrackZero Oct 17 '14 at 19:33
  • Yes. I restarted the service by doing this: `sudo /etc/init.d/postfix restart`. And my sasl_passwd file looks like this: **mail-smtp.us-east-1.amazonaws.com:25 ASADSGG77G65HH4I8U5A:AdYjKUrwf/K40/YsJ57/wPYTESfhHTqwsBnnYUIpoyt7** (I have munged it. But that's kinda what it looks like. I got the creds from AWS.) – Saqib Ali Oct 17 '14 at 19:58
  • 1
    ...I can't reply to the other answer under @sebix because my rep is too low...but if you followed the amazon config doc, you set up the sasl auth.... There's a footnote on that doc, you may need to add this line to /etc/postfix/sasl_passwd: ses-smtp-prod-335357831.us-east-1.elb.amazonaws.com:25 USERNAME:PASSWORD – TrackZero Oct 17 '14 at 20:00
  • 1
    here's the link to the doc...go all the way to the bottom: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-issues.html – TrackZero Oct 17 '14 at 20:04
  • I **replaced** the entry in my sasl_passwd file with this: `ses-smtp-us-west-2-prod-14896026.us-west-2.elb.amazonaws.com:25 USERNAME:PASSWORD`. Then I did `sudo postmap hash:/etc/postfix/sasl_passwd` and `sudo /etc/init.d/postfix restart`. Same issue. Do I have to use this relayserver in my main.cf file as well? – Saqib Ali Oct 17 '14 at 21:05
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/17962/discussion-between-saqib-ali-and-trackzero). – Saqib Ali Oct 17 '14 at 21:38
1

This is expected behavior. For unauthenticated incoming connections, mailservers accept only mails to local users. For authenticated users, this restriction is not valid (see your permit_sasl_authenticated in smtpd_relay_restrictions) and thus these users are allowed to relay mails (the mailserver delivers to the internet).

To allow a specific host without authentication, add it to the mynetworks parameter.


You are btw missing commas between the values of smtpd_relay_restrictions.

sebix
  • Thanks. I added the commas. When you say "To allow a specific host without authentication", does this mean the host I'm trying to send to (gmail.com)? Currently, my mynetworks setting is this: `mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128`. What should I change it to? – Saqib Ali Oct 17 '14 at 19:53
  • That depends on what you want. If you have some other servers running applications that send mails through this mailserver, put their IPs in `mynetworks`. If you want to allow some users using mail clients to send mails, use authentication. However, I recommend some basic knowledge of networking, SMTP and server administration in general before running a mailserver facing the public net! – sebix Oct 17 '14 at 19:56
  • I just want to automatically forward all emails that are sent to my.user@mydomain.com to my.user@gmail.com. But I guess I need it to be working through AWS SES. – Saqib Ali Oct 17 '14 at 21:08
  • The problem description you gave in the question does not match your new description of forwarding everything to gmail one bit. Please search the net on how to do this. I won't put any further effort into answering/commenting on this topic. – sebix Oct 18 '14 at 10:27
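
A simplified model of the relay check that the second answer describes, as an added example that is not part of the original thread and is not Postfix's own code. It re-evaluates the rejected `RCPT TO` from the question's log against the `mynetworks` value quoted in the comments; the restriction list (Postfix's stock `permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`), the `LOCAL_DOMAINS` set, and the documentation address `203.0.113.10` standing in for the masked client IP are assumptions.

```python
import ipaddress
import re

MYNETWORKS = "127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128"  # quoted in the comments above
LOCAL_DOMAINS = {"mydomain.com"}  # assumption: what mydestination covers
# Assumption: Postfix's stock smtpd_relay_restrictions, evaluated left to right.
RESTRICTIONS = ("permit_mynetworks", "permit_sasl_authenticated",
                "defer_unauth_destination")

# Constructed log line: the reject from the question, with a documentation
# address (203.0.113.10) in place of the masked client IP.
SAMPLE_LOG = ("Oct 17 18:06:31 host postfix/smtpd[22869]: NOQUEUE: reject: "
              "RCPT from unknown[203.0.113.10]: 454 4.7.1 <my.user@gmail.com>: "
              "Relay access denied; from=<root@mydomain.com> "
              "to=<my.user@gmail.com> proto=ESMTP helo=<mydomain.com>")

def parse_mynetworks(value):
    """Convert Postfix 'addr/len' and '[addr]/len' patterns to ip_network objects."""
    items = re.split(r"[,\s]+", value.strip())
    return [ipaddress.ip_network(i.replace("[", "").replace("]", "")) for i in items]

def relay_decision(client_ip, rcpt, sasl_authenticated=False):
    """Return (verdict, deciding_restriction) for one RCPT TO; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    domain = rcpt.rsplit("@", 1)[-1].lower()
    nets = parse_mynetworks(MYNETWORKS)
    for rule in RESTRICTIONS:
        if rule == "permit_mynetworks":
            if any(ip.version == n.version and ip in n for n in nets):
                return "permit", rule
        elif rule == "permit_sasl_authenticated":
            if sasl_authenticated:
                return "permit", rule
        elif rule == "defer_unauth_destination":
            if domain not in LOCAL_DOMAINS:
                return "454 4.7.1 Relay access denied", rule
    return "permit", "local destination"  # no relay restriction objected

def explain_reject(log_line):
    """Pull client IP and recipient out of a smtpd reject line and re-evaluate it."""
    m = re.search(r"RCPT from \S*\[([0-9a-fA-F.:]+)\].* to=<([^>]+)>", log_line)
    if not m:
        raise ValueError("not a smtpd RCPT reject line")
    return relay_decision(m.group(1), m.group(2))

if __name__ == "__main__":
    print(explain_reject(SAMPLE_LOG))                              # public IP, remote rcpt
    print(relay_decision("127.0.0.1", "my.user@gmail.com"))        # loopback client
    print(relay_decision("203.0.113.10", "my.user@mydomain.com"))  # local rcpt
```

The session in the question connected to `mydomain.com`, so smtpd saw the instance's public address rather than loopback, which is why `permit_mynetworks` did not match and the unauthenticated relay attempt was deferred.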