remedial mail server concepts

sneakyimp

I'm in the process of setting up a server in the cloud (Amazon EC2) and, because the address space of these cloud servers blocked by most spam filters, I need for all outgoing mail to be sent by some other machine. Also, for various reasons such as limited disk space and the fact that no one will ever check email on this machine, I would like to make sure that mail is never delivered to any local mailboxes on this machine. I.e., all mail for root or root@localhost or root@whatever will be sent instead to root@mydomain.com.

I have tried a variety of settings using postfix and trying to route everything through Amazon SES using a perl script they provide but have encountered problems. In particular, these two problems:
every sender (process/person/whatever) that wants to send mail via perl script must have their email address "verified" by the Amazon SES system. This requires me to receive a registration email and click a link for each and every different sending email on my server. this hassle is a show-stopper
bounce notifications (which I have managed to steer to an external domain rather than being delivered locally) fail to be delivered by Amazon SES due to an "illegal content type" error:

Oct 13 16:56:50 domU-12-31-39-02-82-53 postfix/pipe[7712]: 080BC20396: to=<root@example.com>, relay=aws-email, delay=0.62, delays=0.06/0/0/0.56, dsn=5.3.0, status=bounced (Command died with status 1: "/usr/src/bin/ses-send-email.pl". Command output: Illegal content type 'message/delivery-status'. <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">   <Error>     <Type>Sender</Type>     <Code>InvalidParameterValue</Code>     <Message>Illegal content type 'message/delivery-status'.</Message>   </Error>   <RequestId>f31709af-1944-11e2-afd8-4306477b7a3c</RequestId> </ErrorResponse> )

I believe that one can set up an SMTP access point through Amazon SES and am considering that approach, but I'm not really sure how to set up my server such that ALL mail will go through this SMTP server -- meaning emails intended for root, emails sent from PHP scripts, emails sent by any user or process. I think that such a configuration might be possible using postfix, but the documentation is sprawling and I haven't managed to figure out where the access credentials -- one user/pass for the entire server -- might go. Someone suggested a null client like msmtp or esmtp, but I'm not sure I can eliminate local mail delivery with those or not.

Has anyone done something like this before? I'd very much appreciate some help figuring this out. I've been tweaking postfix and trying stuff but still haven't sorted this.

laserlight

sneakyimp wrote:
I'm in the process of setting up a server in the cloud (Amazon EC2) and, because the address space of these cloud servers blocked by most spam filters, I need for all outgoing mail to be sent by some other machine.

I did the integration for email campaigns with MailChimp for my company and happened to check back their API documentation recently to find that they now have this service named Mandrill for transactional emails that is free for up to 12000 emails a month. Maybe this would work for you?

sneakyimp

Goodness am I grateful for a response on this. It's been rough going. It's hard to find help on postfix configuration.

I've seen Mandrill before. Finding a mail delivery service is not my primary problem. Amazon SES is designed to accomplish the same purpose as Mandrill, doesn't require me to create a yet another account, and is likely to enjoy low latency connections to EC2 services. The problem I have is rather one of how to configure the sending of mail on my server (the MTA???). After yet another long stretch of trial-and-error, I have managed to configure postfix so that
a) local mail delivery appears to be entirely disabled
b) email with a local address (e.g., root, root@localhost, etc) gets changed into a particular domain (e.g., root@example.com)
c) all mail is delivered by making a TLS connection to an SMTP gateway of Amazon SES

This feels like a triumph and yet I still have one problem. Amazon SES requires mail senders to be "verified" which involves clicking a link in an email sent to a particular email address. Because I have bothered to verify user1@example.com, Amazon SES works brilliantly when I login to my server via ssh as user1 and send a mail message using these commands:

user1@domain:~$ sendmail -t
To: somerone@gmail.com
Subject: Test Email

sent via SES!
.

If, however, I login as user2 on my server and try the same above, Amazon SES bounces the mail because I have not yet bothered to verify user2@example.com:

Amazon SES SMTP Gateway wrote:
status=bounced (host email-smtp.us-east-1.amazonaws.com[23.23.156.241] said: 554 Message rejected: Email address is not verified. (in reply to end of DATA command))

One of today's sobering realizations is that I don't really understand the relationship between postfix and sendmail. I understand (perhaps incorrectly) that postfix is a more modern replacement for the original sendmail MTA but the fact that a sendmail command exists on my server (probably postfix mimicking sendmail) and the many references to sendmail when folks talk about PHP mail sort of muddies the waters for me.

The issue I am trying to solve today is how to avoid having to "verify" every single sender of mail -- users and various processes like fail2ban or cron jobs, etc. -- that might want to send mail from this server. It is my intention to make a machine image of this server that I can use whenever I need to create a new website or bring a server online for some reason. Verifying a bunch of new addresses every time sounds like a pain. I'm wondering:
1) What aspect of a given email message is examined by the Amazon SES gateway to determine the "sender"? Is it one of the commands issued during the SMTP session? A mail header?
2) Is it possible to configure postfix to make all outgoing mail have one single sender such that Amazon SES accepts the outgoing mail for delivery?
3) If there's not some magic postfix trick, I will have to attempt to visit each mail-sending process and alter their configuration -- are these processes going to be configurable such that this problem can be fixed?
4) Might I be able to establish some envelope sender that solves this problem?

I'm not sure what this means, but I was able to send email through the gateway with sendmail while logged in as user2 by specifying user1 as sender with the -f flag:

user2@domain:/home/user2$ sendmail -tf user1@example.com

If anyone could provide advice or suggestions about how I might get to the bottom of this, I'd be most grateful.