Configuring exim for Amazon mail – Debian, Exim4 and AWS SES

I’ve been working on creating a sample infrastructure on Amazon.  I’m choosing to use the Debian AMI, mostly because all my servers for a number of years have been Debian, and I’m familiar with it.  I wanted to install the logcheck package so I could get notifications, and in turn I wanted those messages to be mailed to me on my home mail address so I could review them.

Mail on AWS is sent using Amazon SES.  There are instructions in the Amazon documentation for configuring exim, and I found different instructions around the net, but in general they resulted in all local mail also being delivered via SES.  This is a problem for me as I haven’t configured any mail receipt for this domain, so lots of mail went into the aether, as well as being generally inefficient to send local mail out via SES.  Finally, some of the configurations appeared to be pushing usernames and passwords into the exim config file, which I didn’t like much.

I managed to navigate my way to a more standard exim4 configuration that works; this post documents how to achieve that.

Firstly, install exim on your machine.  In my case, I actually wanted logcheck, which had a dependency on exim, so I did:

sudo aptitude install logcheck

Next, get some AWS configuration.  You need to create an SES account, validate your domain, and you should get some SES credentials.  These are an smtp_username and an smtp_password.  You should also find, in the smtp settings, an smtp server name.

Next, configure your exim setup using

sudo dpkg-reconfigure exim4-config

In this you want to setup:

  • mail sent by smarthost, received via SMTP or fetchmail
  • your fully qualified domain name (e.g. example.com)
  • 127.0.0.1   for listen address
  • your fully qualified domain name (e.g. example.com) for final destination
  • no relay servers
  • your AWS SES smtp server as outgoing smarthost.  Importantly, don’t use the default port of 25, as 25 is unencrypted, and exim4 won’t send passwords over unencrypted connections without messing around.  So, for example, you might have “email-smtp.us-west-2.amazonaws.com::587”
  • Accept defaults for everything else

Create a file /etc/exim4/passwd.client.  This will give exim4 the logon credentials.  Importantly, the Amazon SMTP endpoint resolves to a different server name each time (via the load balancer), so you can’t just put your smtp server name in here; you need a wildcard pattern.  Your format should be something like:

# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
*.amazonaws.com:<smtp_username>:<smtp_password>

Obviously replacing <smtp_username> with your username, and <smtp_password> with your password.

Finally, check that you have a /etc/aliases file that collates all your e-mail to a single account, and add a .forward file in the ~/ directory of that account.  In my case, I have a default Debian AMI, so my main user is admin.  In /home/admin/.forward I have a single line, which is my home e-mail address.  This file needs to be chmod 0400.
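The steps above leave three things that are easy to get subtly wrong: the passwd.client entry (its field layout and the fact that it holds a secret), the smarthost port, and the .forward file. The script below is an added example, not code from the original post or from the exim4 package; it checks each of them against what the post specifies. The file paths, the SMTP_USERNAME_PLACEHOLDER/SMTP_PASSWORD_PLACEHOLDER values and the you@example.com address are constructed placeholders, and the demo writes everything into a temporary directory rather than touching /etc/exim4.

```shell
#!/bin/sh
# Added checks for the three files this setup depends on. Constructed
# example, not part of the original post; paths and placeholder
# credentials are assumptions.

# mode_of FILE: print the octal permission bits (GNU stat, BSD stat fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_passwd_client FILE
# 0 when FILE is not readable by others and every non-comment line has
# exactly three colon-separated fields: host pattern, login, password.
check_passwd_client() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(mode_of "$file")
    case "$mode" in
        *[1-7]) echo "$file is readable by others (mode $mode)" >&2; return 1 ;;
    esac
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' |
        awk -F: 'NF != 3 { bad = 1; print "malformed line: " $0 > "/dev/stderr" }
                 END { exit bad }'
}

# check_smarthost SPEC
# SPEC is the dc_smarthost value, host or host::port. 0 only for 587 or 465;
# a bare host means exim's default port 25, which the post says to avoid.
check_smarthost() {
    port=${1##*::}
    [ "$port" != "$1" ] || port=25
    case "$port" in
        587|465) return 0 ;;
        *) echo "smarthost port $port: use host::587 or host::465" >&2; return 1 ;;
    esac
}

# check_forward FILE
# 0 when the .forward file is mode 0400 and holds exactly one non-blank line.
check_forward() {
    file="$1"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(mode_of "$file")
    [ "$mode" = "400" ] || { echo "$file should be mode 0400, is $mode" >&2; return 1; }
    lines=$(grep -c '[^[:space:]]' "$file" || true)
    [ "$lines" -eq 1 ] || { echo "$file should hold one address, has $lines lines" >&2; return 1; }
}

# demo: build the files in a temp dir with placeholder values and run the checks
demo() {
    tmp=$(mktemp -d)
    printf '# client credentials (placeholders)\n*.amazonaws.com:SMTP_USERNAME_PLACEHOLDER:SMTP_PASSWORD_PLACEHOLDER\n' \
        > "$tmp/passwd.client"
    chmod 0640 "$tmp/passwd.client"
    printf 'you@example.com\n' > "$tmp/.forward"
    chmod 0400 "$tmp/.forward"
    check_passwd_client "$tmp/passwd.client" && echo "passwd.client ok"
    check_smarthost 'email-smtp.us-west-2.amazonaws.com::587' && echo "smarthost ok"
    check_forward "$tmp/.forward" && echo ".forward ok"
    rm -rf "$tmp"
}

demo
```

To run it against the real files, call check_passwd_client /etc/exim4/passwd.client, check_smarthost with the dc_smarthost value from /etc/exim4/update-exim4.conf.conf, and check_forward /home/admin/.forward (or whichever account /etc/aliases collates to). The permission check on passwd.client only refuses modes that grant "other" any bits, on the assumption that the file stays root-owned with group read for the exim daemon's group, as Debian's exim4 packaging sets it up; the field check treats a colon inside the password as a malformed line, so a password containing one needs a manual look.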

Useful debugging techniques I found along the way (for when you have difficulties):

  1. The key exim4 log is /var/log/exim4/mainlog.  Many things are in here.
  2. You can get more information on what’s going on by stopping exim, and then running it manually from the command line.  Refer to the exim documentation for the options; I used both exim -v and exim -d to work out what it was doing.  Wikipedia provides a summary of what you should be seeing in the interaction with the smtp server.


2 thoughts on “Configuring exim for Amazon mail – Debian, Exim4 and AWS SES”

  1. If you use Amazon SES, where you can send email with an SMTP server, why do you configure it with exim?
    What are the benefits of this integration?
    If you use only Amazon SES, does it work the same?
    Does EXIM allow you something that Amazon SES does not?

  2. The advantage was that I could then deliver mail locally for local mail – so mail that originated on my domain would be served locally rather than pushed out via SES.
