Get the most out of your Centmin Mod LEMP stack
Become a Member

Amazon AWS Cloudflare Postfix + Amazon SES + Cloudflare - Forward root mail safely-er

Discussion in 'Domains, DNS, Email & SSL Certificates' started by diy, Nov 5, 2019.

  1. diy

    diy Premium Member Premium Member

    Jan 14, 2019
    Local Time:
    4:33 PM
    nginx 1.17.x
    MariaDB 10.4.x
    Disclaimer: This method works for me and the following demonstrates how I chose to bullrush through it. :)
    I am not an expert with any of these softwares. In fact, I have a reputation for being overconfident and ignoring best practices, amongst numerous other admitted faults... such as talking too much. Please error check and correct as you see fit..? Share with us your own solutions if you wish. And have fun. :)

    As many of you already know, sending your web apps' transactional SMTP mail with Amazon SES while your server is behind Cloudflare prevents your hostname/IP from being discovered via (unset) rDNS strategy & no actual domain MX records. All that is required on Cloudflare are orange-cloud records. No rDNS or DNS ONLY MX are necessary because Amazon SES proxies those.

    But unless you have Postfix configured to forward your root mail to your inbox via Amazon SES as well, you either read your root mail in ssh login sessions, or you must grey-cloud (DNS Only) your actual server MX record. You must have rDNS properly configured too. Along with DKIM, SPF, DMARC etc., set up on your dime.

    This tutorial provides a quick & easy method for you to send your root mail via Postfix + Amazon SES + Cloudflare directly to your inbox without risk of uncloaking your server.

    In my case Postfix remained fresh, completely untouched since the day it was installed by the Centmin Mod installer. I am going to assume that yours is stock and untouched too.

    If you have not taken advantage of Amazon SES yet you can find useful advice and getting started links provided by @eva2000 here: Amazon AWS - Amazon AWS SES SMTP Transactional Email Info

    Additional sources credits:
    Integrating Amazon SES with Postfix - Amazon Simple Email Service
    How to add Amazon's X-SES-CONFIGURATION-SET:ConfigSet to a my postfix mail server?
    Forwarding email with postfix via AWS SES

    Assuming you already have Cloudflare + Amazon SES set up and working And assuming Postfix is completely stock begin by following the Postfix guide by Amazon via the first link above.

    As root user in ssh session type (correct the SES email-smtp.* regional server entry if your account differs):
    postconf -e "relayhost = []:587" \
    Then following the postconf prompts type each of the following lines and press enter following each:
    "smtp_sasl_auth_enable = yes" \
    "smtp_sasl_security_options = noanonymous" \
    "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
    "smtp_use_tls = yes" \
    "smtp_tls_security_level = encrypt" \
    "smtp_tls_note_starttls_offer = yes"
    Open /etc/postfix/ in your editor:
    nano /etc/postfix/
    Find and comment with a # (hash) the following line if it is uncommented (Otherwise proceed to the next step):
    -o smtp_fallback_relay= 
    Open/create the file:
    nano /etc/postfix/sasl_passwd

    Add the following line to /etc/postfix/sasl_passwd. Replace SMTPUSERNAME and SMTPPASSWORD with your SMTP username and password. correct the SES email-smtp.* regional server entry if your account differs:
    Save and close sasl_passwd. CTRL + o, CTRL + x then type the following command to create a hashmap database file containing your SMTP credentials:
    postmap hash:/etc/postfix/sasl_passwd
    Type the following to change the ownership and the permissions of those two files that were created:
    chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
    Tell Postfix where to find the CA certificate:
    postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'
    Reload Postfix:
    postfix reload
    Send a test email by typing the following at a command line, pressing Enter after each line. Replace [email protected] with your From email address. The From address has to be verified for use with Amazon SES. Replace [email protected] with the destination address. If your account is still in the sandbox, the recipient address also has to be verified. Finally, the final line of the message has to contain a single period (.) with no other content.
    sendmail -f [email protected] [email protected]
    From: Sender Name <[email protected]>
    Subject: Amazon SES Test                
    This message was sent using Amazon SES.                
    Check the mailbox associated with the recipient address. If the email doesn't arrive, check your junk mail folder. If you still can't locate the email, check the mail log:
    tail -25 /var/log/maillog
    Now were gonna begin to set up some mail header rewrites by creating 2 lines that append to your /etc/postfix/
    { echo '#AmazonSES Header Addresses Rewrites'; echo "smtp_header_checks = pcre:/etc/postfix/ses-configuration-set"; } > /etc/postfix/
    Create and populate the file with your SES configset name. Replace each email address listed between the <> with your own SES verified email(s). The "REPLACE From: <>" instance MUST contain your SES verified sending address, which is likely the same sending address that you use to send SES SMTP email from your web app. The "REPLACE Delivered-To: <>" and the "REPLACE To: <>" instances can be another of your SES verified email addresses (or another of your Domain addresses if you have verified at the domain level) Or those last two can be your SES verified sending address as well. Your choice, Amazon isn't looking... my example shows that I chose to enter a separate SES verified [email protected] address for those last two:
    { echo "/^From:(.*)/ REPLACE From: <[email protected]>"; echo "/^Delivered-To:(.*)/ REPLACE Delivered-To: <[email protected]>"; echo "/^To:(.*)/ REPLACE To: <[email protected]>"; } > /etc/postfix/ses-configuration-set
    Lets not forget to define the Envelope Sender:
    { echo '#AmazonSES Envelope Address Rewrite'; echo "sender_canonical_maps = pcre:/etc/postfix/sender_canonical"; echo "sender_canonical_classes = envelope_sender"; } > /etc/postfix/
    And create & populate that file. Again replace the email address in the line below with your SES verified sending address, same as in your web app SMTP config:
    echo "/.*/    [email protected]"; > /etc/postfix/sender_canonical
    Postmap & reload:
    postmap -q - pcre:/etc/postfix/ses-configuration-set < /etc/postfix/ses-configuration-set
    postmap -q - pcre:/etc/postfix/sender_canonical < /etc/postfix/sender_canonical
    postfix reload
    Final step: Enter/edit the email address(es) in the root user's ~/.forward file that you want to receive all of your root user emails.
    nano ~/.forward
    If more than one enter them all on a single line separated by commas (,) like so:
    You can test your config quickly by exiting su and logging back in via su, or logging out then logging back in if you logged in as root. You should receive an email containing "lfd on SU login alert - Successful login from....." on the subject line. Inspect the header to verify that nothing else exists that could compromise the secrecy and security of your server.

    I would show ya how to filter your ($hostname) from the root email subject line and replace it with if I knew how. Perhaps you might help us figure that final piece of puzzle out...? :)
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Local Time:
    7:33 AM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    Yeah Postfix relay using Amazon SES is recommended if you are behind Cloudflare and need to hide your IP address. And you're linked guide is basically how to do it too Integrating Amazon SES with Postfix - Amazon Simple Email Service :)

    Thanks for sharing your write up :)

    some of it can be rewritten for last part to just
    Code (Text):
    { echo "/^From:(.*)/ REPLACE From: <[email protected]>"; echo "/^Delivered-To:(.*)/ REPLACE Delivered-To: <[email protected]>"; echo "/^To:(.*)/ REPLACE To: <[email protected]>"; } > /etc/postfix/ses-configuration-set
    echo "/.*/    [email protected]"; > /etc/postfix/sender_canonical
    postconf -e 'smtp_header_checks = pcre:/etc/postfix/ses-configuration-set'
    postconf -e 'sender_canonical_maps = pcre:/etc/postfix/sender_canonical'
    postconf -e 'sender_canonical_classes = envelope_sender'
    postmap pcre:/etc/postfix/ses-configuration-set
    postmap pcre:/etc/postfix/sender_canonical
    postfix reload

    though i believe you don't need to run postmap pcre commands for pcre regex files
    Last edited: Nov 5, 2019
    • Agree Agree x 1