Postfix setup on AWS EC2 using SMTP relay

On an EC2 instance the IP is dynamic, and if I want to use a third-party SMTP gateway such as sendgrid, what are the suggested values for the following fields?

myorigin
myhostname 
mydestination

Assume my instance hostname (FQDN) is

ip-12-34-56-78.us-west-2.compute.internal

And I don't have any other hostname mapped to this machine, as it is purely dynamic in nature; however, I can receive email at the address [email protected]

Update: I cannot use an Elastic IP since each region has only 5, and I want a solution that works without the use of a fixed IP.


Solution 1:

On ec2 instance, the IP is dynamic,

This is precisely what EC2 Elastic IPs are for. Nab an EIP, associate it with your server, and then you can point a proper DNS record to that EIP.

Solution 2:

I have a similar set up relaying via mailgun.

Firstly, you can get the public IP of an instance using:

http://169.254.169.254/latest/meta-data/public-ipv4

From within the instance, in my case I use orchestration (ie. Chef + OpsWorks) to automatically create a DNS record in Route53 for the instance on boot.

You could probably also use:

http://169.254.169.254/latest/meta-data/public-hostname

To get the instance host name, and then insert it into your postfix config.

I use servername.servers.mydomain.com (which is created automatically on boot) as the hostname, and mydomain and mydestination are empty.

I also had to create a transport file in /etc/postfix/transport with the following content:

*                smtp:smtp.mailgun.org

Solution 3:

First, most third-party SMTP gateway providers support using their service as an authenticated, encrypted relay host:

  • sendgrid documentation
  • Dyn documentation
  • AWS SES documentation
  • mailjet documentation
  • mailgun documentation
  • etc. etc. etc.

The key is, you shouldn't have to do access control using IP addresses or hostname. You use encryption (TLS) and authentication, so the SMTP provider should "trust" all mail coming from your local instance of postfix once it's setup to do auth. Most have ways of using sendmail as well.

As for the configuration values:

  • myorigin should definitely be example.com - what you want users to see your mail as coming from.
  • In my opinion, myhostname would be set to either:
    1. leave myhostname as the default, since it should not matter to your SMTP provider
    2. just hard-code myhostname to an arbitrary name e.g. aws-web.example.com for the same reason - it should not matter to your SMTP provider
  • mydestination should be left to be the default - you're not delivering any mail locally.

If you want to get really fancy you can also use the sender_dependent_relayhost_maps option.

Finally, you haven't described what you're using to send email from your EC2 instances. Depending on the language and library (I'm looking at you, php mail) your mail submission agent (MSA) might do hairy things to mangle your message, possibly ignoring the values set above. php mail is infamous because on most systems it tries to invoke the sendmail binary, which you have to work around explicitly to prevent the message from being sent as the user running the webserver (e.g. www-data or apache).

Solution 4:

sendgrid uses password-based authentication (config details for that below). It won't care about your IP, or the hostnames you use (myhostname, myorigin, etc).

The hostname your server presents to sendgrid in the HELO (or EHLO) greeting is likely to appear in mail headers. Some recipients' spam software may check it, so use something that does exist in public DNS and is not associated with a dodgy domain, but few systems will notice this stuff. Good to do it well, but not critical.

I have a configuration where I send mail through sendgrid for multiple domains, so postfix needs to know which sendgrid account to use for each sender domain. (and if it's not a known sender domain it sends via a local relay, without using sendgrid). This is not really what you asked for, but my guess is that the problem you think is about domain names and your shifting IP is actually about authentication with sendgrid.

main.cf:

relayhost = smtp.example.com
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

/etc/postfix/sender_relay:

@domain1.example.com       [smtp.sendgrid.net]:submission
@domain2.example.com       [smtp.sendgrid.net]:submission

/etc/postfix/sasl_passwd:

@domain1.example.com       sendgrid-user-1:Pa$$w0rd1
@domain2.example.com       sendgrid-user-2:Pa$$w0rd2
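An added worked example, not code from the question or from any of the answers above, that ties Solutions 2, 3 and 4 together: a POSIX shell script that reads the instance's public hostname from the metadata service using IMDSv2 (the session-token form of the 169.254.169.254 endpoint Solution 2 cites), renders the main.cf values with myhostname, myorigin and mydestination set the way Solution 3 recommends and the relay authenticated over mandatory, certificate-verified TLS, and generates the sender_relay and sasl_passwd tables from Solution 4 with owner-only permissions. The sender domains, the [smtp.sendgrid.net]:587 relay, the apikey:REPLACE_WITH_KEY placeholders and the Debian/Ubuntu CA bundle path are constructed assumptions; postconf -e and postmap are the standard Postfix tools.

```shell
#!/bin/sh
# Added example (not code from the question or answers). Renders a Postfix
# relay configuration for an EC2 instance whose public name changes on each
# boot. Constructed/assumed values: example.com and its sub-domains, the relay
# [smtp.sendgrid.net]:587, placeholder API keys, the Debian CA bundle path.

# Public hostname from the instance metadata service. Uses IMDSv2 (a session
# token obtained with PUT, then sent as a header) instead of the token-less GET
# in Solution 2, so a plain GET from a compromised web app is not enough.
imds_public_hostname() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
    -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
    "http://169.254.169.254/latest/meta-data/public-hostname"
}

# main.cf settings. $1 = EHLO name (myhostname), $2 = sender domain
# (myorigin), $3 = default relay in Postfix [host]:port syntax.
# apply_main_cf strips the comment lines, so every other line is "key = value".
render_main_cf() {
  cat <<EOF
myhostname = $1
myorigin = $2
# Postfix's own default: only local names, nothing is delivered for example.com here.
mydestination = \$myhostname, localhost.\$mydomain, localhost
inet_interfaces = loopback-only
relayhost = $3
# Trust comes from credentials, not from the instance's changing IP.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous
# Mandatory TLS, certificate verified against the bracketed relay name, so
# neither the password nor the mail ever crosses the wire in cleartext.
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
# Per-sender-domain relay and credentials, as in Solution 4.
smtp_sender_dependent_authentication = yes
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
EOF
}

# Constructed sender table: domain, relay, SASL credential (placeholders only).
SENDER_TABLE='domain1.example.com [smtp.sendgrid.net]:587 apikey:REPLACE_WITH_KEY_1
domain2.example.com [smtp.sendgrid.net]:587 apikey:REPLACE_WITH_KEY_2'

# sender_relay: "@domain<TAB>relay" lines for sender_dependent_relayhost_maps.
render_sender_relay() {
  printf '%s\n' "$SENDER_TABLE" | while read -r dom relay cred; do
    printf '@%s\t%s\n' "$dom" "$relay"
  done
}

# sasl_passwd: one entry per sender domain plus one keyed by the default relay
# ($1, credential $2), which Postfix uses for senders not in sender_relay.
render_sasl_passwd() {
  printf '%s\n' "$SENDER_TABLE" | while read -r dom relay cred; do
    printf '@%s\t%s\n' "$dom" "$cred"
  done
  printf '%s\t%s\n' "$1" "$2"
}

# Write both tables under $1 (/etc/postfix on a real host) readable by root
# only, then compile them; the plaintext file next to the .db must stay 0600.
install_maps() {
  dir=$1; relay=$2; cred=$3
  ( umask 077
    render_sender_relay > "$dir/sender_relay"
    render_sasl_passwd "$relay" "$cred" > "$dir/sasl_passwd" )
  postmap "$dir/sender_relay" "$dir/sasl_passwd"
}

# Apply the rendered settings with postconf -e, skipping comment lines.
apply_main_cf() {
  render_main_cf "$@" | grep -v '^#' | while IFS= read -r line; do
    postconf -e "$line"
  done
}

# Boot-time usage on the instance (not run here):
#   apply_main_cf "$(imds_public_hostname)" example.com '[smtp.sendgrid.net]:587'
#   install_maps /etc/postfix '[smtp.sendgrid.net]:587' 'apikey:REPLACE_WITH_KEY_1'
#   postfix reload
```

Because the EHLO name is re-read from the metadata service on every boot, the config follows the instance wherever its public IP lands, which is the property the question asks for without an Elastic IP. The security_level of secure (rather than may or encrypt) is what makes the relay refuse to hand the SASL password to anything that cannot present a certificate matching smtp.sendgrid.net.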