E-Mail

Thu Feb 14 20:30:43 2013 by Eric Hokanson
Modified Fri Feb 15 03:32:51 2013

E-mail with SES

Sending e-mail is simple; making sure it gets delivered is really hard.  Amazon actually submits all their public EC2 IPs to all the major e-mail blacklists out there, so if you try to send e-mail directly from your server it won't get delivered to most inboxes.  While it is possible to have Amazon unblacklist your IP, unless you plan on blasting out more than 10,000 e-mails on the first day, it is much better to just let Amazon do the e-mailing.  Amazon calls it their Simple Email Service (SES) and if you have at least one EC2 instance then it's totally free.  Initially the service is in a sandbox mode to prevent spammers from abusing it.  You'll be required to verify your e-mail address or domain before you get full access.  This is where using Route 53 really comes in handy.  With just a few clicks SES can automatically insert the verification records into your DNS hosted zones.  Once verification is done SES can also automatically create SPF and DKIM DNS record sets, which will significantly reduce the chance that your e-mail is sent to a user's SPAM folder.  To send mail you will need to generate an SMTP credential set that is separate from your IAM credentials.  You may then configure your apps to use that login and password combo to send mail.

Inbound E-mail

Of course SES only covers sending e-mail, so how do you receive it?  Let's start by creating a new user to receive e-mail.  Sure, we could just use the root or ec2-user accounts, but they have godlike privileges and we want to minimize our risk.  You can create a new user on the command line with the following commands:

sudo useradd bob

sudo passwd bob

Now that we have a user ready to receive e-mail, let's go ahead and configure the sendmail server, which just happens to come already deployed on Amazon Linux instances.  Start by installing a few additional packages:

sudo yum install sendmail-cf spamassassin

As the name implies, SpamAssassin is a free, industry-leading SPAM filter.  You'll definitely want to use it if you choose to receive e-mail.  It ships well configured and automatically integrates into sendmail.  It can also periodically download and install improved rule sets when running as a daemon, so don't forget to start it:

sudo service spamassassin start

sudo chkconfig spamassassin on

Now that we have a way to identify SPAM, let's configure the sendmail server to receive e-mail.

Configuring sendmail is about as fun as pulling your fingernails out, but luckily for this setup we only need to edit a couple of lines.  Sendmail configuration files are actually binary, so we must edit some config text files, which themselves are in a cryptic format, and then compile them.  By default sendmail won't listen on external interfaces, so let's edit the main sendmail config at /etc/mail/sendmail.mc:

Find:

DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl

and replace it with:

DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

We also need to route all our e-mail to the new user we created above.  To do this we need to edit the /etc/aliases file.  Uncomment the last line of the file and replace the fake user marc with the real user you created above, like so:

root:    bob

Now that we've edited the plain text configs we need to compile them into the sendmail binary format.  Head to the /etc/mail directory and then run:

sudo ./make

Finally, let's restart sendmail to apply the new configuration:

sudo service sendmail restart

To ensure your e-mail gets delivered to the right place you'll need to add an MX record in your DNS zone.  If you're using Route 53 it's as simple as creating a new record set, selecting MX from the type drop-down, and following the example below the value box.  The final step is to open the EC2 dashboard and edit your security group to allow TCP port 25.  Your server is now ready to receive e-mail.  If you plan on reading your e-mail through a terminal or web interface on the server then no further configuration is required.  If you plan on sending e-mail remotely or through lots of different applications then let's do some further configuration.

Simple and Remote E-mail Sending

Wouldn't it be nice to send e-mail with SES through sendmail so we don't have to reconfigure every application?  This is such a common configuration that Amazon has written a very helpful guide on the subject (follow the top STARTTLS guide).  That's all there is to it.

Now that we've simplified sending, what about using a remote application to send e-mail?  For obvious security and anti-spam reasons, sendmail doesn't allow relaying e-mail from an outside address.  Open your /etc/mail/sendmail.mc file again, find the following lines, and remove the dnl tag in front of them to enable them, like so:

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl

You may already have confAUTH_MECHANISMS configured from the Amazon guide above, so feel free to replace it.  Then, just like before, you'll need to compile your sendmail config and restart the server.  Finally, to authenticate you'll need to run the SASL daemon:
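The sendmail.mc edits from the two sections above (dropping the loopback-only restriction on the smtp listener and uncommenting the two AUTH lines) together with the /etc/aliases change, as an added example that is not part of the original post: a POSIX shell script that applies them with sed to a given file and checks the result before you run ./make.  The function names, the scratch-directory dry run and the miniature sample files it constructs are my own assumptions; the stock lines inside them are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: apply the sendmail.mc and
# /etc/aliases edits described above with sed, then verify them before ./make.
# Assumes the stock Amazon Linux file layout quoted in the post; each function
# takes a file path, so it can be dry-run on a copy before touching /etc/mail.

# Step 1: drop "Addr=127.0.0.1" from the smtp DAEMON_OPTIONS line so sendmail
# listens on all interfaces; the commented submission-port line is untouched.
open_smtp_port() {   # $1 = sendmail.mc
    sed '/^DAEMON_OPTIONS(.*Port=smtp,/s/,Addr=127\.0\.0\.1,/,/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Step 2: strip the leading "dnl " (m4 comment marker) from the two AUTH lines.
enable_smtp_auth() {   # $1 = sendmail.mc
    sed 's/^dnl \(TRUST_AUTH_MECH(\)/\1/; s/^dnl \(define(`confAUTH_MECHANISMS\)/\1/' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 3: deliver root's mail to the unprivileged user instead of the placeholder.
set_root_alias() {   # $1 = aliases file, $2 = user name
    sed "s/^#root:[[:space:]]*marc\$/root:    $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Returns 0 only when all three edits are in place; run it before ./make.
check_config() {   # $1 = sendmail.mc, $2 = aliases file, $3 = user name
    grep -q "^DAEMON_OPTIONS(.*Port=smtp, Name=MTA')dnl" "$1" &&
    ! grep -q '^DAEMON_OPTIONS(.*Addr=127\.0\.0\.1' "$1" &&
    grep -q '^TRUST_AUTH_MECH(' "$1" &&
    grep -q '^define(`confAUTH_MECHANISMS' "$1" &&
    grep -q "^root:[[:space:]]*$3\$" "$2"
}

# Dry run against constructed copies of the stock files (not the real /etc files).
demo_on_copies() {   # $1 = scratch directory
    cat > "$1/sendmail.mc" <<'EOF'
dnl TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
dnl define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl
DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
EOF
    printf 'postmaster:\troot\n#root:\t\tmarc\n' > "$1/aliases"
    open_smtp_port "$1/sendmail.mc" && enable_smtp_auth "$1/sendmail.mc" &&
    set_root_alias "$1/aliases" bob &&
    check_config "$1/sendmail.mc" "$1/aliases" bob
}
```

On the real server you would source the file and run the three edit functions against /etc/mail/sendmail.mc and /etc/aliases, then check_config, then cd /etc/mail and sudo ./make as the post describes.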

sudo service saslauthd start

sudo chkconfig saslauthd on

Now you should be ready to send e-mail remotely.  Just configure your e-mail program to connect to port 25 and use the login credentials for the bob user you set up above.  Of course SMTP is only for sending, so how do you receive it?  For that you'll need an IMAP server.

Reading E-mail Through IMAP

To retrieve e-mail with your favorite e-mail client we'll set up an IMAP/POP server called dovecot.  Let's install it:

sudo yum install dovecot

We'll make a quick config change to the /etc/dovecot/conf.d/10-mail.conf file.  Find the mail_location line and change it to:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

I also like to turn off all the other protocols except for IMAP in the /etc/dovecot/dovecot.conf file.  Find the protocols line and set it to:

protocols = imap

Now let's start the service and make sure it runs on boot:

sudo service dovecot start

sudo chkconfig dovecot on

Finally, in order to access the server you'll need to make one last trip to the EC2 Dashboard, where you'll need to open up the IMAP port (143) in your server's security group.  Now you should be able to log in with the user you created and read their e-mail with your favorite IMAP-compatible reader.

If you intend on sending and receiving lots of e-mail remotely you should look into using SSL.  Without it, anyone can eavesdrop on your login and password.

I hope you enjoyed this guide and if you screw up, don't worry.  Just terminate (delete) your instance and start over.  You can do this as often as you like without penalty!
