AWS SES
Amazon Simple Email Service (SES) can be used to send outbound email from an EC2 instance. Several steps are involved to fully enable outbound mail.
- Sign up
- Verify sending address
- Send a test message
- Request production access
- Configuration of MTA (postfix is used in the article)
The steps documented here are taken directly from the SES website. If you require a more in-depth explanation of the steps (or SES in general), please visit the SES website.
It should be noted that one of the most common failure points is having a from: address in your message that is not a verified address. Various applications may auto-designate an email address when sending, e.g. myapp@mydomain.org. This goes for the message's headers as well as the SES command line utilities. SES will require a great deal of debugging... Postfix's sender_canonical functionality can help resolve most of this headache.
Sign Up
Signing up is by far the easiest step. Simply log in to AWS and then navigate to the SES page. Click the "Sign Up" link and follow the instructions. Once sign up is complete, you should receive an email at your designated email address.
Email Address Verification
Before you can send your first message, Amazon SES requires that you verify your email address. This is to confirm that you own the email address, and to prevent others from using it. The SES API should already be installed on your EC2 instance. The SES API scripts require your AWS Access Key ID and AWS Secret Key. If you do not already have your Access Key ID and Secret (and/or if you do not have the required file created), see AWS Credentials for details.
The script /opt/aws/bin/ses-verify-email-address.pl should be in root's path. Run this script to validate your email address.
]# ses-verify-email-address.pl -k /opt/aws/creds/AWS-Credentials -v my.email@domain.com
]#
No output should be generated, except errors. If all goes well, you should receive an email from no-reply-aws@amazonaws.com. Simply click the link provided in the body of the message to verify your email address. This will enable you to send email to only the verified address (sandbox mode).
Send a Test Message
Once your email address has been verified, you can send a test message from your EC2 instance to the verified email address. Keep in mind you may only send mail to verified addresses until you receive production access.
]# cat > message.txt <<EOF
> This is a message sent using Amazon SES.
> EOF
]# ses-send-email.pl \
     -k /opt/aws/creds/AWS-Credentials \
     -s "Test message from ec2 instance" \
     -f my.email@domain.com my.email@domain.com < message.txt
]#
If everything functioned correctly, you should receive a test message.
Request Production Access
To be able to send email to any outbound address, you must request production access. From the SES website, click the "Request Production Access" link and fill out the form.
Configure MTA
While you're waiting for production access, you may configure your MTA to send outbound mail through Amazon SES. This article assumes your EC2 instance will utilize postfix. Documentation for other MTAs can be found at [1].
Install Postfix
]# yum -y install postfix
...
]# yum -y remove sendmail
...
]# rm -f /var/log/mail/statistics.rpmsave
master.cf
The following two lines need to be added to /etc/postfix/master.cf
aws-email unix - n n - - pipe
  flags=R user=ec2-user argv=/opt/aws/bin/ses-send-email.pl -r -k /opt/aws/creds/AWS-Credentials -e https://email.us-east-1.amazonaws.com -f my.email@domain.com ${recipient}
- The flags line must begin with one whitespace character.
- The user field should be a non-root user to run the ses-send-email.pl script as.
- The -f parameter should be the verified email address above.
main.cf
Add the following two lines to /etc/postfix/main.cf
default_transport = aws-email
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sender_canonical
Sender Canonical Maps are used to rewrite the from: field of mail sent from local accounts (such as root) to the SES verified email address. Create the file /etc/postfix/sender_canonical and add one or more mappings:
root@my-ec2.example.org my.email@domain.com
Next, run postmap /etc/postfix/sender_canonical to hash the tables.
]# postmap /etc/postfix/sender_canonical
]#
Reload postfix
Either reload (postfix reload) or restart postfix to enable the configuration.
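Since an unverified from: address is the most common failure, the check below confirms that the -f address in the aws-email entry of master.cf and the right-hand side of every sender_canonical mapping both equal the verified address. It is an added example, not part of the original article or the SES tools; the function names and the sample files it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check for the SES sender address across Postfix files.
# Function names and the sample files below are constructed for illustration.

# Print the address following -f in the named master.cf service entry.
# Continuation lines must start with whitespace; a line starting in column 1
# begins a new service, so an unindented "flags=" line yields no result.
transport_sender() {  # $1 = master.cf path, $2 = service name
    awk -v svc="$2" '
        /^[ \t]*#/  { next }
        /^[^ \t]/   { in_svc = ($1 == svc) }
        in_svc      { for (i = 1; i < NF; i++) if ($i == "-f") { print $(i + 1); exit } }
    ' "$1"
}

# Print every left-hand address in sender_canonical that is not rewritten to $2.
bad_canonical() {  # $1 = sender_canonical path, $2 = verified address
    awk -v ok="$2" '!/^[ \t]*(#|$)/ && $2 != ok { print $1 }' "$1"
}

check_ses_sender() {  # $1 = master.cf, $2 = sender_canonical, $3 = verified address
    sender=$(transport_sender "$1" aws-email)
    if [ "$sender" != "$3" ]; then
        echo "master.cf: aws-email -f is '${sender:-not found}', expected '$3'"
        return 1
    fi
    bad=$(bad_canonical "$2" "$3")
    if [ -n "$bad" ]; then
        echo "sender_canonical: not mapped to '$3': $bad"
        return 1
    fi
    echo "ok"
}

# Constructed sample files mirroring the entries shown on this page.
demo=$(mktemp -d)
printf '%s\n' 'aws-email unix - n n - - pipe' \
    '  flags=R user=ec2-user argv=/opt/aws/bin/ses-send-email.pl -r -k /opt/aws/creds/AWS-Credentials -e https://email.us-east-1.amazonaws.com -f my.email@domain.com ${recipient}' \
    > "$demo/master.cf"
printf '%s\n' 'root@my-ec2.example.org my.email@domain.com' > "$demo/sender_canonical"
check_ses_sender "$demo/master.cf" "$demo/sender_canonical" my.email@domain.com
rm -rf "$demo"
```

On a real host, pass /etc/postfix/master.cf, /etc/postfix/sender_canonical and your verified address to check_ses_sender instead of the sample files.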
Configure PHP
If you intend to send email from PHP, you will need to update the directive sendmail_path to force sendmail (postfix) to fix up the outgoing messages as if they are coming from your verified email address:
;; /etc/php.ini
;; ...
sendmail_path = /usr/sbin/sendmail -t -i -f my.email@domain.com -r my.email@domain.com
;; ...

