I’ve been working on creating a sample infrastructure on Amazon. I’m choosing to use the Debian AMI, mostly because all my servers for a number of years have been Debian, and I’m familiar with it. I wanted to install the logcheck package so I could get notifications, and in turn I wanted those messages to be mailed to me on my home mail address so I could review them.
Mail on AWS is sent using Amazon SES. There are instructions in the Amazon documentation for configuring exim, and I found different instructions around the net, but in general they resulted in all local mail also being delivered via SES. This is a problem for me as I haven’t configured any mail receipt for this domain, so lots of mail went into the aether, as well as being generally inefficient to send local mail out via SES. Finally, some of the configurations appeared to be pushing usernames and passwords into the exim config file, which I didn’t like much.
I managed to navigate my way to a more standard exim4 configuration that works; this post documents how to achieve it.
Firstly, install exim on your machine. In my case, I actually wanted logcheck, which had a dependency on exim, so I did:
sudo aptitude install logcheck
Next, get some AWS configuration. You need to create an SES account, validate your domain, and you should get some SES credentials. These are an smtp_username and an smtp_password. You should also find, in the smtp settings, an smtp server name.
Next, configure your exim setup using
sudo dpkg-reconfigure exim4-config
In this you want to set up:
- mail sent by smarthost, received via SMTP or fetchmail
- your fully qualified domain name (e.g. example.com)
- 127.0.0.1 for listen address
- your fully qualified domain name (e.g. example.com) for final destination
- no relay servers
- your AWS SES smtp server as outgoing smarthost. Importantly, don’t use the default port of 25, as 25 is unencrypted, and exim4 won’t send passwords over unencrypted connections without messing around. So, for example, you might have “email-smtp.us-west-2.amazonaws.com::587”
- Accept defaults for everything else
Create a file /etc/exim4/passwd.client. This will give exim4 the logon credentials. Importantly, amazon will resolve to a different server name each time (via the load balancer), so you can’t just put your smtp server name in here. Your format should be something like:
# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
*.amazonaws.com:<smtp_username>:<smtp_password>
Obviously replacing <smtp_username> with your username, and <smtp_password> with your password.
Finally, check that you have a /etc/aliases file that collates all your e-mail to a single account, and add a .forward file in the ~/ directory of that account. In my case, I have a default Debian AMI, so my main user is admin. In /home/admin/.forward I have a single line, which is my home e-mail address. This file needs to be chmod 0400.
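As an added example (not part of the original post), this POSIX shell script models the passwd.client host lookup exim4 performs when it authenticates to the smarthost, so you can see why the host-specific entry fails for the load-balanced name and the *.amazonaws.com wildcard does not; it also checks the smarthost spec carries a non-25 port. The lb-backend-1234 hostname is a constructed placeholder, not a real AWS endpoint.

```shell
#!/bin/sh
# Added example, not from the original post: models exim4's passwd.client
# lookup (wildlsearch-style: a leading "*" matches any prefix). Constructed
# hostnames only; the <smtp_*> placeholders stand in for real credentials.
passwd_client_matches() {
    pattern=$1; host=$2
    case "$host" in
        $pattern) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the username from the first passwd.client line whose host pattern
# matches $2 (comments and blank lines skipped); return 1 if none matches.
lookup_credentials() {
    file=$1; host=$2
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        pattern=${line%%:*}
        if passwd_client_matches "$pattern" "$host"; then
            rest=${line#*:}; printf '%s\n' "${rest%%:*}"; return 0
        fi
    done < "$file"
    return 1
}

# The smarthost spec must carry an explicit port other than 25 ("host::587").
smarthost_port_ok() {
    port=${1##*::}
    [ "$port" != "$1" ] && [ "$port" != "25" ]
}

show_lookups() {
    for host in email-smtp.us-west-2.amazonaws.com \
                lb-backend-1234.us-west-2.amazonaws.com; do
        if user=$(lookup_credentials "$1" "$host"); then
            echo "$host -> AUTH as $user"
        else
            echo "$host -> no passwd.client entry, AUTH would fail"
        fi
    done
}

tmp=$(mktemp)
printf '%s\n' '# constructed sample: host-specific entry only' \
    'email-smtp.us-west-2.amazonaws.com:<smtp_username>:<smtp_password>' > "$tmp"
show_lookups "$tmp"          # the load-balanced backend name gets no match
echo '*.amazonaws.com:<smtp_username>:<smtp_password>' >> "$tmp"
show_lookups "$tmp"          # now both names resolve to credentials
rm -f "$tmp"
smarthost_port_ok 'email-smtp.us-west-2.amazonaws.com::587' && echo 'smarthost port ok'
```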
Useful debugging techniques I found along the way (for when you have difficulties):
- The key exim4 log is /var/log/exim4/mainlog. Many things are in here
- You can get more information on what’s going on by stopping exim and then running it manually from the command line. Refer to the exim instructions; I used both exim -v and exim -d to work out what it was doing. Wikipedia provides a summary of what you should be seeing in the interaction with the smtp server.