AWS SES: "Email address is not verified" error with Postfix relay

Why does Amazon SES throw that error when sending email?

For example, you have verified your domain example.com. Now, [email protected] sends an email to [email protected]. Postfix gladly accepts it and, because of the alias file, Postfix will forward it to [email protected].

The problem is that Postfix uses [email protected] as the envelope sender in the SMTP transaction. This is the desired and default behavior of Postfix. The purpose is to not lose the sender information when Gmail receives that email from [email protected]. Unfortunately, Amazon SES only allows example.com as the envelope sender domain.

Solution

From the thread mentioned by OP in a comment, there are some solutions to alter the envelope sender so that it passes the Amazon SES restriction. One possible solution is using sender_canonical_maps. By default, Postfix will rewrite the sender in both the envelope and the header. With proper configuration of sender_canonical_classes, Postfix will only rewrite the envelope one.

In /etc/postfix/main.cf, add

sender_canonical_maps = regexp:/etc/postfix/sender_canonical
sender_canonical_classes = envelope_sender

In /etc/postfix/sender_canonical, add

/.*/    [email protected]

The problem is that your original sender is unknown. One method to obtain the original is with a prepend action of check_sender_access, as suggested by the Postfix author.

In /etc/postfix/main.cf, add

smtpd_data_restrictions = check_sender_access pcre:/etc/postfix/sender_access

In /etc/postfix/sender_access, add

/(.*)/  prepend X-Envelope-From: <$1>

Those settings will add an X-Envelope-From header, which will contain the original sender email address.

When this problem happens, where does the email end up? Where did it go?

By default, Postfix will bounce this message to the original sender (the Yahoo address). You can trace it by following mail.log after the rejection. Of course, some Postfix setting could suppress the bounce message, or maybe Yahoo silently rejects it.
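
The combined effect of the sender_access and sender_canonical settings above can be modelled in a few lines. This is an added example, not Postfix code and not part of the original answer: the addresses alice@yahoo.example and relay@example.com, the sample message and the ses_accepts check are constructed assumptions, and header rewriting is simplified to a bare address.

```python
import re
from email import message_from_string

# Constructed stand-ins for the two map files; addresses are placeholders.
SENDER_ACCESS = [(re.compile(r"(.*)"), r"X-Envelope-From: <\1>")]  # prepend action
SENDER_CANONICAL = [(re.compile(r".*"), "relay@example.com")]

# Constructed sample message as received from the remote sender.
SAMPLE = "From: alice@yahoo.example\nTo: info@example.com\nSubject: hello\n\nbody\n"

def first_match(table, key):
    """Return (match, result) for the first matching rule, like a regexp/pcre table."""
    for pattern, result in table:
        m = pattern.search(key)
        if m:
            return m, result
    return None, None

def relay(envelope_from, raw_message, classes=("envelope_sender",)):
    """Model the two steps: prepend at SMTP time, then canonical rewriting."""
    msg = message_from_string(raw_message)
    # Step 1: check_sender_access sees the sender exactly as given in MAIL FROM,
    # so the prepended header records the original address.
    m, action = first_match(SENDER_ACCESS, envelope_from)
    prepended = m.expand(action) if m else None
    # Step 2: sender_canonical_maps, limited by sender_canonical_classes.
    _, new_sender = first_match(SENDER_CANONICAL, envelope_from)
    if new_sender and "envelope_sender" in classes:
        envelope_from = new_sender
    if new_sender and "header_sender" in classes:
        msg.replace_header("From", new_sender)  # simplified: bare address only
    headers = [f"{k}: {v}" for k, v in msg.items()]
    if prepended:
        headers.insert(0, prepended)
    return envelope_from, headers

def ses_accepts(envelope_from, verified_domains=("example.com",)):
    """Model of the restriction described above: envelope domain must be verified."""
    return envelope_from.rsplit("@", 1)[-1].lower() in verified_domains

if __name__ == "__main__":
    for classes in (("envelope_sender",), ("envelope_sender", "header_sender")):
        env, hdrs = relay("alice@yahoo.example", SAMPLE, classes)
        print(classes, "->", env, ses_accepts(env))
        print("\n".join(hdrs), "\n")
```

With only envelope_sender in the classes, the From: header keeps the original address while the envelope sender passes the SES check; adding header_sender (the default includes it) also replaces the From: header.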