Configure Postfix as a relay through Amazon SES on Debian 12
SASL authentication, TLS, and the smtpd_relay restrictions that prevent open-relay accidents. The setup I keep paste-deploying onto small boxes.
The small servers I run don’t need a real outbound mail stack — they just need cron, app, and unattended-upgrades to send mail when something is wrong. Postfix as a satellite relay through Amazon SES is the boring choice. It takes about ten minutes and survives reboots without thinking.
Install Postfix
Debian’s installer asks you to pick a mail role during package install. Pick Satellite system.
$ apt update && apt install -y postfix libsasl2-modules ca-certificates
# When prompted:
# General type of mail configuration: Satellite system
# System mail name: your.hostname.tld
# SMTP relay host: email-smtp.eu-central-1.amazonaws.com:587
If you missed the prompts, run dpkg-reconfigure postfix to redo them.
Add SASL credentials
Get an SES SMTP user (from the SES console: SMTP settings → Create SMTP credentials). You’ll receive a username and password — both are different from your AWS access keys.
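# Create the file with mode 600 first, so the password is never world-readable
$ install -m 600 /dev/null /etc/postfix/sasl_passwd
$ echo "[email-smtp.eu-central-1.amazonaws.com]:587 SES_USERNAME:SES_PASSWORD" \
> /etc/postfix/sasl_passwd
$ chmod 600 /etc/postfix/sasl_passwd
$ postmap /etc/postfix/sasl_passwd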
Note
The compiled lookup table (/etc/postfix/sasl_passwd.db) is what Postfix actually reads. It holds the same credentials in clear text, so keep it unreadable to other users as well. If you ever edit sasl_passwd, re-run postmap, or Postfix will silently use the stale .db.
Configure Postfix
Edit /etc/postfix/main.cf and add (or update) these lines:
relayhost = [email-smtp.eu-central-1.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
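# smtp_use_tls is obsolete; smtp_tls_security_level overrides it.
# encrypt = TLS is mandatory, but the server certificate is not verified.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt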
header_size_limit = 4096000
Reload and test:
$ systemctl reload postfix
# The mail command comes from bsd-mailx or mailutils; install one if it is missing
$ echo "test from postfix" | mail -s "test" you@example.com
$ tail -f /var/log/mail.log
A successful send shows relay=email-smtp.../[…]:587, status=sent. A 535 Authentication Credentials Invalid means the SES username/password is wrong (regenerate from the SES console — make sure you’re in the right region).
Verify you’re not an open relay
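Critical sanity check: connect from another machine (not over the loopback) and try to relay a message:
$ telnet your.hostname.tld 25
# inside the session: HELO test, then MAIL FROM:... and a RCPT TO: for a domain this host does not handle
# Postfix should reject with "Relay access denied"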
If it accepts the relay, your mynetworks setting is wrong. Default Debian config restricts to 127.0.0.0/8 and [::1]/128, which is what you want.
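To re-check the settings above after a later edit, this added example (not part of the original post) audits the output of postconf -n for the relayhost, SASL, TLS and mynetworks values this page configures. The function names and the sample input are made up for the example.

```shell
# Added example (function names are made up here): audit the output of
# "postconf -n" for the relay settings this page configures.

# Print the value of parameter $1 from file $2 ("name = value" lines).
conf_get() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1
}

# Succeed only if every mynetworks entry ($1) is a loopback range.
mynetworks_is_loopback() (
    set -f                   # keep [::1]/128 from being expanded as a glob
    [ -n "$1" ] || exit 1    # not set: Postfix falls back to mynetworks_style
    for net in $(printf '%s' "$1" | tr ',' ' '); do
        case "$net" in
            127.*|'[::1]/128'|'[::ffff:127.'*) ;;
            *) exit 1 ;;
        esac
    done
    exit 0
)

# Print one FAIL line per problem in file $1; return 1 if there was any.
audit_relay_conf() {
    f=$1; bad=0
    fail() { echo "FAIL: $1"; bad=1; }
    case "$(conf_get relayhost "$f")" in
        '['*']':587) ;; *) fail "relayhost is not [host]:587" ;; esac
    [ "$(conf_get smtp_sasl_auth_enable "$f")" = yes ] || fail "SASL auth is off"
    case "$(conf_get smtp_sasl_security_options "$f")" in
        *noanonymous*) ;; *) fail "smtp_sasl_security_options lacks noanonymous" ;; esac
    case "$(conf_get smtp_tls_security_level "$f")" in
        encrypt|dane-only|fingerprint|verify|secure) ;; *) fail "TLS is not mandatory" ;; esac
    mynetworks_is_loopback "$(conf_get mynetworks "$f")" ||
        fail "mynetworks is unset or trusts non-loopback clients"
    return "$bad"
}

# Constructed sample of "postconf -n" output with two deliberate mistakes.
sample_bad_conf() {
    cat <<'EOF'
mynetworks = 127.0.0.0/8 [::1]/128 10.0.0.0/8
relayhost = [email-smtp.eu-central-1.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = may
EOF
}

if [ "$#" -ge 1 ]; then audit_relay_conf "$1"; fi
```

Save it under any name and pass it a file holding the output of postconf -n; it prints nothing and exits 0 when all five checks pass.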