I'm trying to use Amazon SES as an SMTP gateway for my EC2 Ubuntu 'precise' server, using different SES accounts for different originating e-mail domains. The postfix documentation seems to imply that is possible, but SES always claims I'm using the wrong credentials ("535 Authentication Credentials Invalid"). The credentials work if I route all e-mail via the relayhost directive to the same SES account.
Here's what I have.
main.cf (relevant sections):
relayhost =
sender_dependent_relayhost_maps = regexp:/etc/postfix/sender_dependent_relayhost_map
smtp_sender_dependent_authentication = yes
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = regexp:/etc/postfix/smtp_sasl_password_map
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
sender_dependent_relayhost_map:
/.*@example\.com/ [email-smtp.us-east-1.amazonaws.com]:25
smtp_sasl_password_map:
/.*@example\.com/ AK...:34.../...
where AK... is the AWSAccessKeyId and 34.../... is the AWSSecretKey.
The error message in /var/log/mail.log is:
Aug 20 21:47:39 example postfix/smtp[18496]: DE1E14218D: SASL authentication failed; server email-smtp.us-east-1.amazonaws.com[23.23.139.32] said: 535 Authentication Credentials Invalid
Is there some way I can see what credentials it is attempting to use?
--
Update: To debug, I have replaced my regexp maps with mysql maps, and switched on SQL query logging. This way I can see how those maps are evaluated. It's sort of interesting. First, I'm getting:
SELECT host FROM sender_dependent_relayhost_map WHERE sender='[email protected]'
If this returns localhost:11111, I can run netcat at that port, and get an incoming SMTP connection. So that part seems to be working fine.
Then, I'm getting repeated queries of the type:
SELECT userpass FROM smtp_sasl_password_map WHERE sender=...
first evaluated with '[email protected]', then (if not found) with '@example.com' (not something I found in the docs), then, surprisingly, with the SMTP server found from the previous sender_dependent_relayhost_map query, and finally with '<>' (presumably the global default).
But if I return 'AK...:34.../...' (the Amazon SES credential) from that second table, I still get the same authentication error from Amazon. So there is progress, but no resolution yet.
I'd suspect the regexp is somehow failing. You might try the following, which ties the user:pass to the relayhost.
/etc/postfix/sasl_pass
/etc/postfix/main.cf
You'd of course need to run sudo postmap /etc/postfix/sasl_pass (or whatever name you use for the file).
For the sasl credentials in postfix where you have 'AK...:34.../...' you need to use SMTP username and password not an AWSAccessKeyId and AWSSecretKey.
See "Obtaining Your Amazon SES SMTP Credentials" at http://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-credentials.html
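The answer above says the map must hold SES SMTP credentials, not the raw IAM access key and secret. AWS documents a keyed derivation that turns a secret access key into the SMTP password (the current version-4 scheme, which also folds in the region); the script below is an added example, not the answerer's code or a Postfix or AWS tool, that implements that documented derivation, checks that a map value has the shape of an SMTP password rather than a raw secret, and emits a regexp-map line in the same form as the question's smtp_sasl_password_map. The credentials in it are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constants fixed by the AWS-documented version-4 derivation; do not change them.
_DATE = "11111111"
_SERVICE = "ses"
_TERMINAL = "aws4_request"
_MESSAGE = "SendRawEmail"
_VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def ses_smtp_password(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password from an IAM secret access key.

    The result (not the raw secret) is what belongs in smtp_sasl_password_maps;
    the SMTP user name is the matching access key ID.
    """
    key = _sign(("AWS4" + secret_access_key).encode("utf-8"), _DATE)
    for part in (region, _SERVICE, _TERMINAL, _MESSAGE):
        key = _sign(key, part)
    return base64.b64encode(bytes([_VERSION]) + key).decode("ascii")


def looks_like_smtp_password(value: str) -> bool:
    """Shape check for a map value: base64 of 1 version byte + 32-byte HMAC."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return False
    return len(raw) == 33 and raw[0] == _VERSION


def postfix_map_entry(domain: str, access_key_id: str,
                      secret_access_key: str, region: str) -> str:
    """One regexp-map line keyed on the sender domain, as in the question."""
    password = ses_smtp_password(secret_access_key, region)
    pattern = "/.*@" + domain.replace(".", r"\.") + "/"
    return f"{pattern} {access_key_id}:{password}"


if __name__ == "__main__":
    # Constructed placeholder credentials, not real AWS keys.
    print(postfix_map_entry("example.com", "AKIAPLACEHOLDER0000",
                            "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                            "us-east-1"))
```

Keep the resulting map file readable by root only, as the Postfix SASL documentation recommends, since it holds live relay credentials.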
Important note. You MUST only have one SES SMTP account per region.
This wasn't always the case and we had two SMTP accounts. Refreshing the permissions recently wasn't working until I removed both accounts and recreated it.