Postfix configuration alternative to gmail relay


#1

After a bit of wailing and gnashing of teeth, I got gmail working to relay my email from my freePBX server but I am not comfortable with the way I had to configure gmail to allow a “less secure app”

Is there a good alternative to using gmail or what can I do to use my own smtp server?


#2

I’m thinking of doing this with AWS SES


#3

I switched over to AWS SES. Configuration was a little tricky but it works well.


(Itzik) #4

If you don’t mind, please share the config to help future forum visitors. Thank you


#5

The doco from AWS is very clear. Just need to create a verified identity. In my case, I created a domain identity, which creates three CNAME records for DKIM. If you're using Route 53, it may add the records to your zone file. That was the tricky part.

You need to create a sasl_passwd.db file and refer to that in the main.cf file.

The sasl_passwd file will contain the smtp endpoint on port 587 with the username and password you set up in the AWS SES console. You then run postmap on that file to create the hashed sasl_passwd.db file.

I’ll send my main.cf later. I need to see if there is anything I need to redact.


#6

One thing I noticed after switching to AWS was that I’m getting many more fail2ban emails than I was when I was using Gmail as the relay. AWS seems more reliable.


#7

I’m not going to share my complete /etc/postfix/main.cf file but here are the pertinent lines to get it to work with AWS.

AWS documentation is here: https://docs.aws.amazon.com/ses/latest/dg/Welcome.html

Of course you will need an AWS account to use SES.

relayhost = email-smtp.us-east-2.amazonaws.com:587

This points to the SMTP server in the AWS Ohio region. Read AWS documentation. Identities are region specific.

smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd

The sasl_passwd file is actually sasl_passwd.db, but main.cf always adds the .db, so don’t append it here or it will look for sasl_passwd.db.db.

smtp_tls_CAfile = /etc/asterisk/keys/freepbx.vietfeir.com.crt

This is where letsencrypt puts the CA file for TLS. AWS is happy to use it for TLS.

Here is the sasl_passwd file with identity redacted:

email-smtp.us-east-2.amazonaws.com:587 userid:password

Note: the SMTP server name must match the relayhost.

When you create your domain identity, it will create 3 CNAME records which you will put in your zone file. I used AWS Route 53 for my DNS server so it added them automatically.
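The two pitfalls this post calls out (the ".db.db" lookup when the map path is written with its suffix, and the sasl_passwd key not matching relayhost) are easy to check before restarting Postfix. The script below is an added example, not the poster's code or anything from FreePBX or AWS; the sample main.cf and sasl_passwd texts are constructed, the credentials are placeholders, and the smtp_sasl_auth_enable and smtp_tls_security_level lines are assumed additions that the thread's "pertinent lines" omit.

```python
"""Sanity-check a Postfix -> AWS SES relay configuration before restarting Postfix.

Checks: smtp_sasl_password_maps must not end in ".db" (postmap appends it),
the host:port key in sasl_passwd must match relayhost, SASL auth must be on,
and TLS must be mandatory so the SMTP credentials never travel in cleartext.
"""

# Constructed sample mirroring the lines shared in the thread (plus two assumed lines).
SAMPLE_MAIN_CF = """\
relayhost = email-smtp.us-east-2.amazonaws.com:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_tls_security_level = encrypt
"""

# Placeholder credentials, not real SES SMTP credentials.
SAMPLE_SASL_PASSWD = "email-smtp.us-east-2.amazonaws.com:587 userid:password\n"


def parse_main_cf(text):
    """Return {parameter: value} for 'name = value' lines, ignoring '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params


def parse_sasl_passwd(text):
    """Return {'host:port': 'user:pass'} from a sasl_passwd source table."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not line.lstrip().startswith("#"):
            table[parts[0]] = parts[1]
    return table


def check_relay_config(main_cf_text, sasl_text):
    """Return a list of problems found; an empty list means the config is consistent."""
    cf = parse_main_cf(main_cf_text)
    creds = parse_sasl_passwd(sasl_text)
    problems = []
    relayhost = cf.get("relayhost", "")
    bare_host = relayhost.strip("[]").rsplit(":", 1)[0].strip("[]")  # fallback lookup key
    if not relayhost:
        problems.append("relayhost is not set")
    if cf.get("smtp_sasl_password_maps", "").endswith(".db"):
        problems.append("smtp_sasl_password_maps must not end in .db (postmap appends it)")
    if relayhost and relayhost not in creds and bare_host not in creds:
        problems.append(f"no sasl_passwd entry for relayhost {relayhost}")
    if cf.get("smtp_sasl_auth_enable", "no") != "yes":
        problems.append("smtp_sasl_auth_enable must be yes for SES to accept the login")
    if cf.get("smtp_tls_security_level", "") not in ("encrypt", "secure"):
        problems.append("smtp_tls_security_level should be encrypt (SES on 587 uses STARTTLS)")
    return problems
```

Run it against the real files with `check_relay_config(open('/etc/postfix/main.cf').read(), open('/etc/postfix/sasl/sasl_passwd').read())`, and remember to re-run postmap whenever sasl_passwd changes.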

