Outgoing email originating from Usermin (server) to external addresses is properly routing through Amazon SES (properly verified and production access)
Mail forwarding from Virtualmin or Usermin does not engage Amazon SES and attempts to route email directly, which failed because of port 25 being blocked.
When checking one of the blocked messages it looks like the outgoing email relay is EMPTY, versus when sending email from the server, it properly sets the relay to Amazon like below:
Outgoing email relay: email-smtp.us-east-1.amazonaws.com
In this case the forwards are to an external address from the server, not an internal address. The email arrives from an external address and is forwarded to a different external address.
The email arrives at the server properly, but when it attempts to forward to an address off the server it doesn't use the SES relay; it attempts to use a standard port 25 route. Port 25 outbound isn't allowed from OCI.
So you want to use outbound port 25 for some email but not through Amazon SES?
Is there an exception made for port 25 to Amazon SES or are you using another port, such as 465 or 587, to Amazon SES? I don't know what the usual way to configure use of Amazon SES is.
If the above is correct then you have two options.
Ask your service provider to lift the ban on outgoing port 25, stating you are committed to not sending spam.
Send Amazon SES exceptions to a mail relay or directly to the desired servers on another port
No, my expectation when configuring a cloud mail delivery provider, is that ALL outbound mail would use the cloud provider.
The problem is that all emails use the outbound SES relay EXCEPT forwarded mail. The automatic mail forwards do not engage the relay and instead select the default routing even when the templates are set to cloud delivery. It doesn't matter if it is set from the server admin side, or a user configured mail forwarding rule. It does not use the SES relay as expected.
If you want to send absolutely all outgoing email through Amazon SES then an alternative is to turn off Amazon SES within Virtualmin and directly configure Postfix.
Although it looks like a bug, technically I don't think it is one.
I would agree though the issue should be formally clarified by Virtualmin
Since virtualmin probably uses sender_dependent_relayhost_maps from Postfix for Amazon SES use and since this feature examines the From: header expecting domains of the virtual server, then using a virtual server to forward from another domain is not going to work without somehow including the forwarded domain in another map line. This is outside the scope of Virtualmin.
It looks like the best solution is to directly configure Postfix, as mentioned.
Another solution is to request Virtualmin add in an enhancement to its "Cloud Mail Delivery Provider" feature for an option to make cloud delivery the default relay, rather than depending on matching a sender, as now, to send by cloud.
@johnhe Thanks so much for all of the insights! I am hosting in Oracle OCI with no chance of 25 outbound. Thanks for the Amazon article, I am going to look into that as well but ultimately I think I will need to file a bug report or feature request it seems.
I understand the flow you are describing and can see how it's a potential complication to make it the default behavior. It may be something I just have to test forward. It's a new server so I have only deployed test domains thus far. Thanks for your assistance and guidance.
Not if Virtualmin adds in a separate feature called something like "Default Relay Host" for Webmin in addition to "Cloud Mail Delivery Providers" for Virtualmin.
"Cloud Mail Delivery Providers" only adds in exceptions to a default (if one exists). A proposed "Default Relay Host" for Webmin would add in a default. It is kind of odd this feature is not already in Webmin, given the mission of Webmin.
To set up a default only the following information is required: a username, a password, a host and a port number. For Amazon SES the Access Key, Secret Key and API region is used to extract this information, if necessary.
I know there are providers other than Amazon SES that welcome using port 587 to relay mail. Also, it would extend the range of providers easily available for Virtualmin users who could easily dump all email to another Virtualmin server they have elsewhere without outgoing port 25 firewalled off.
If Virtualmin allowed the username and password fields to be left empty then only a one line change is required to the relayhost= line in /etc/postfix/main.cf. In this case the other server needs to be configured to allow relaying from individual approved hosts on an approved port, which does not have to be port 25.
The port number for "Cloud Mail Delivery Provider" is not an issue. It is assumed to be port 587 for Amazon SES.
There are a number of issues with the Cloud Mail setting.
Only Amazon SES is offered
It is a PRO feature
It is opt in by virtual server only but can be set to be on through a template
It only works for email that is specifically from the domain of the virtual server. That is, it won't work for email forwarded through the virtual server that is from a different domain. This is the OT issue.
It does not set the default relayhost.
For the OT issue the best solution is to set the default relayhost instead and to allow any port 587 or 465 provider to be used. There is an option within Webmin to set relayhost. However it also requires a lot of other options to be set manually for relaying through ports 587 or 465. Kind of awkward and kind of begging for an added feature. It is not a "commercial use" of Webmin issue. It is a common problem brought on by banning outgoing port 25.
From a user experience perspective, a toggle that says something like "Route all mail through cloud provider" is more useful than a port. The problem is the system is attempting to use the local mailer, instead of engaging a full Postfix takeover.
My expectation, when setting up Cloud Delivery, would be that all mail would use the cloud gateway, negating the need for outbound port 25 communication. The toggle could set, and keep in sync, all of the Postfix plumbing to use the external relay for relay off the host device.
Yes, solve your problem with an option button, but also generalise the solution!
Expanding:
The port number is irrelevant to the user experience when manual settings are not required.
The problem at the moment is that your forwarding issue cannot be solved without manual settings due to the likely nature of the Postfix feature used (sender_dependent_relayhost_maps).
A solution is to add in an option to the Cloud email that states "Would you prefer for all email for all domains to use Amazon SES?".
But why stop at Amazon SES? Why not make it a general feature of Webmin to offer a choice to use port 587, 465 or 25, host as the default relayhost without having to enter unnecessary manual details, including port number? The minimum details for a general solution are host, choose port 587, 465 or 25 or enter an arbitrary port, username and password. Port 587 assumes starttls, port 465 ssl/tls, port 25 no assumptions or override. That is it. If Virtualmin wants they can allow extraction of port 587 details from Amazon keys as a PRO feature of Virtualmin
It is possible Virtualmin are loathe to offer general port 587/465 default relayhost solutions because of variations among providers causing a support headache.
In which case it is up to an admin to make manual Postfix adjustments following the recommendations of providers.
I don't see this as unreasonable.
In any case, for the particular OT issue right now, there appears to be little choice for a solution other than manual adjustments as recommended by Amazon because a sender_dependent_relayhost_maps solution does not cut it for their use case.
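Added example (not written by any poster in this thread, and not Virtualmin or Webmin code): a shell helper that prints the Postfix main.cf lines for the default-relayhost approach discussed above, following the port rules proposed in the thread (587 uses STARTTLS, 465 uses implicit TLS, 25 gets no override). The function name `relay_conf` and the `/etc/postfix/sasl_passwd` path are assumptions.

```shell
#!/bin/sh
# Added example, not Virtualmin/Webmin code. relay_conf is a hypothetical
# helper; the sasl_passwd path is an assumed location.

# relay_conf HOST PORT [yes|no]
# Prints main.cf settings that make HOST:PORT the default relay for all
# outbound mail, including forwards that match no sender-dependent map entry.
relay_conf() {
    host=$1 port=$2 auth=${3:-yes}
    # Accept only a plain hostname and a numeric port, so the output can
    # never carry extra main.cf directives.
    case $host in
        ''|*[!A-Za-z0-9.-]*) echo "invalid host: $host" >&2; return 2 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac

    # Brackets disable the MX lookup: deliver to the relay host itself.
    echo "relayhost = [$host]:$port"

    case $port in
        587) # submission port: require STARTTLS, no cleartext fallback
            echo "smtp_tls_security_level = encrypt" ;;
        465) # implicit TLS: the handshake starts before any SMTP command
            echo "smtp_tls_wrappermode = yes"
            echo "smtp_tls_security_level = encrypt" ;;
        *)   # port 25 (per the thread) or any other port (assumption):
             # no TLS override is emitted
            : ;;
    esac

    if [ "$auth" = yes ]; then
        # Credentials live in a root-only (mode 0600) map whose key must be
        # the same "[host]:port" string used for relayhost.
        echo "smtp_sasl_auth_enable = yes"
        echo "smtp_sasl_security_options = noanonymous"
        echo "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd"
    fi
}

# Relay host taken from the first post; port 587 as assumed in the thread.
relay_conf email-smtp.us-east-1.amazonaws.com 587
```

If `sender_dependent_relayhost_maps` entries remain in place, they still take precedence for senders they match; `relayhost` covers everything else. Passing `no` as the third argument gives the one-line, no-credentials case mentioned above.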