Amazon SES with Mail Forwarding

SYSTEM INFORMATION
OS type and version: Ubuntu 24.04
Webmin version: 2.303
Virtualmin version: 7.30.8 Pro
Webserver version: NGINX

Incoming email is working properly.

Outgoing email originating from Usermin (server) to external addresses is properly routing through Amazon SES (properly verified and production access)

Mail forwarding from Virtualmin or Usermin does not engage Amazon SES and attempts to route email directly, which failed because of port 25 being blocked.

When checking one of the blocked messages, it looks like the outgoing email relay is EMPTY, whereas when sending email from the server it properly sets the relay to Amazon, like below:
Outgoing email relay email-smtp.us-east-1.amazonaws.com

Please advise.

If the ‘forwarded’ address is for local email delivery then port 25 is not used. Also port 25 cannot be blocked for local use anyway.

Check /etc/hostname and /etc/mailname are the same.

In this case the forwards are to an external address from the server, not an internal address. The email arrives from an external address and is forwarded to a different external address.

The email arrives at the server properly, but when it attempts to forward to an address off the server it doesn't use the SES relay; it attempts to use a standard port 25 route. Port 25 outbound isn't allowed from OCI.

So you want to use outbound port 25 for some email but not through Amazon SES?

Is there an exception made for port 25 to Amazon SES, or are you using another port, such as 465 or 587, to Amazon SES? I don't know what the usual way to configure use of Amazon SES is.

If the above is correct then you have two options.

  1. Ask your service provider to lift the ban on outgoing port 25, stating you are committed to not sending spam.

  2. Send Amazon SES exceptions to a mail relay or directly to the desired servers on another port

No, my expectation when configuring a cloud mail delivery provider, is that ALL outbound mail would use the cloud provider.

The problem is that all emails use the outbound SES relay EXCEPT forwarded mail. The automatic mail forwards do not engage the relay and instead select the default routing, even when the templates are set to cloud delivery. It doesn't matter if it is set from the server admin side or by a user-configured mail forwarding rule. It does not use the SES relay as expected.

OK so the templates are set to use SES relay.

Have you confirmed the virtual servers doing the forwarding are set to use Amazon SES rather than default routing?

If they have then your issue looks like a bug that should be raised on GitHub.

If you want to send absolutely all outgoing email through Amazon SES, then an alternative is to turn off Amazon SES within Virtualmin and directly configure Postfix.

There is a guide at Integrating Amazon SES with Postfix - Amazon Simple Email Service

Although it looks like a bug, technically I don’t think it is one.

I would agree though the issue should be formally clarified by Virtualmin

Since virtualmin probably uses sender_dependent_relayhost_maps from Postfix for Amazon SES use and since this feature examines the From: header expecting domains of the virtual server, then using a virtual server to forward from another domain is not going to work without somehow including the forwarded domain in another map line. This is outside the scope of Virtualmin.

It looks like the best solution is to directly configure Postfix, as mentioned.

Another solution is to request that Virtualmin add an enhancement to its ‘Cloud Mail Delivery Provider’ feature for an option to make cloud delivery the default relay, rather than depending on matching a sender, as now, to send by cloud.
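The behaviour described in the post above can be reproduced without a mail server. The script below is an added example (not from the thread and not Virtualmin code) that emulates the lookup Postfix performs for sender_dependent_relayhost_maps. Per postconf(5), the table is searched with the envelope sender address (MAIL FROM) and then with "@domain". Forwarding through aliases or .forward keeps the original envelope sender, so an external sender never matches a hosted domain, the global relayhost applies, and if that is empty Postfix delivers straight to the remote MX on port 25. The map contents, domains and sender addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread, not Virtualmin code): emulate the lookup
# Postfix performs for sender_dependent_relayhost_maps, to show why mail that
# is merely forwarded through a hosted domain misses the Amazon SES relay.
#
# postconf(5): the table is searched with the envelope sender address, then
# with "@domain". Forwarding via aliases or .forward keeps the ORIGINAL
# envelope sender, so an external sender never matches a hosted domain, the
# global relayhost applies, and if that is empty Postfix delivers straight to
# the remote MX on port 25 (blocked on OCI).

# Constructed map in the text form that postmap(1) compiles; domains are illustrative.
SENDER_RELAY_MAP='# envelope-sender key      relay
@example.com                [email-smtp.us-east-1.amazonaws.com]:587
@example.org                [email-smtp.us-east-1.amazonaws.com]:587
'

# lookup KEY: print the relay mapped to KEY, nothing if there is no entry.
lookup() {
    printf '%s\n' "$SENDER_RELAY_MAP" | awk -v k="$1" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank lines and comments
        $1 == k                            { print $2; exit }'
}

# pick_relay SENDER GLOBAL_RELAYHOST: the next hop Postfix would choose.
# Order: exact sender, then @domain, then the global relayhost.
# An empty result means direct MX delivery on port 25.
pick_relay() {
    sender=$1
    global=$2
    hit=$(lookup "$sender")
    [ -n "$hit" ] || hit=$(lookup "@${sender#*@}")
    [ -n "$hit" ] || hit=$global
    printf '%s\n' "$hit"
}

# describe_next_hop SENDER GLOBAL_RELAYHOST: readable verdict for one message.
describe_next_hop() {
    hop=$(pick_relay "$1" "$2")
    if [ -n "$hop" ]; then
        printf '%-28s -> relay via %s\n' "$1" "$hop"
    else
        printf '%-28s -> NO relay: direct MX delivery on port 25\n' "$1"
    fi
}

SES='[email-smtp.us-east-1.amazonaws.com]:587'

echo '# relayhost empty, SES only through the sender map (the thread situation):'
describe_next_hop bob@example.com ''             # originates from a hosted domain
describe_next_hop alice@external-sender.net ''   # forwarded; envelope sender is external

echo '# relayhost set to SES as the default (the fix discussed):'
describe_next_hop alice@external-sender.net "$SES"
```

On a live box the same experiment is `postmap -q alice@external-sender.net hash:/etc/postfix/sender_relay` (no output) against `postconf -h relayhost` (empty), which is exactly the "relay is EMPTY" symptom in the first post. Sender rewriting (SRS) changes the envelope sender on forward and would alter the lookup; without it, only a non-empty global relayhost covers forwarded mail.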

@johnhe Thanks so much for all of the insights! I am hosting in Oracle OCI with no chance of 25 outbound. Thanks for the Amazon article, I am going to look into that as well, but ultimately I think I will need to file a bug report or feature request, it seems.

I understand the flow you are describing and can see how it's a potential complication to make it the default behavior. It may be something I just have to test going forward. It's a new server so I have only deployed test domains thus far. Thanks for your assistance and guidance.

Not if Virtualmin adds in a separate feature called something like ‘Default Relay Host’ for Webmin in addition to ‘Cloud Mail Delivery Providers’ for Virtualmin.

‘Cloud Mail Delivery Providers’ only adds in exceptions to a default (if one exists). A proposed ‘Default Relay Host’ for Webmin would add in a default. It is kind of odd this feature is not already in Webmin, given the mission of Webmin.

To set up a default only the following information is required: a username, a password, a host and a port number. For Amazon SES the Access Key, Secret Key and API region is used to extract this information, if necessary.

I know there are providers other than Amazon SES that welcome using port 587 to relay mail. Also, it would extend the range of providers easily available for Virtualmin users, who could easily dump all email to another Virtualmin server they have elsewhere without outgoing port 25 firewalled off.

If Virtualmin allowed the username and password fields to be left empty, then only a one-line change is required to the relayhost= line in /etc/postfix/main.cf. In this case the other server needs to be configured to allow relaying from individual approved hosts on an approved port, which does not have to be port 25.

As opposed to the additional line changes required for port 587 use. Using the example link above from Integrating Amazon SES with Postfix - Amazon Simple Email Service, the additional line entries are:

relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = secure
smtp_tls_note_starttls_offer = yes

which also requires setup of /etc/postfix/sasl_passwd file.

Certificate files are already setup for you by Virtualmin, which are not even required for outgoing port 587 use.

Final comment. It is a pity port 587 use is still being encouraged instead of port 465.
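The fragment quoted above is only safe when all of its lines are present together, and the 587 versus 465 remark adds one more setting that is easy to miss. As an added example (not from the thread and not from Amazon's guide), the script below audits `postconf -n`-style text for the settings that decide whether every outbound message leaves through the submission relay and whether the credentials are protected: relayhost set, bracketed and carrying a port; SASL enabled with noanonymous and a password map; TLS mandatory (encrypt or secure) rather than opportunistic (may); and, for a 465 provider, smtp_tls_wrappermode = yes because 465 is implicit TLS while 587 is STARTTLS. The three sample configurations and the non-Amazon hostname are constructed for illustration; the CApath value is the one Ubuntu's Postfix package ships.

```sh
#!/bin/sh
# Added example (not from the thread or Amazon's guide): check the settings that
# decide whether EVERY outbound message leaves through the submission relay,
# over `postconf -n`-style text. Hostnames other than Amazon's and the three
# sample configs are constructed for illustration.

# cfg_get CONFIG_TEXT KEY: value of "KEY = value", empty if unset.
cfg_get() {
    printf '%s\n' "$1" | awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# audit_relay_config CONFIG_TEXT: one finding per line; no output means the
# relay is the default next hop for all senders and is used safely.
audit_relay_config() {
    cfg=$1
    relayhost=$(cfg_get "$cfg" relayhost)
    port=''
    case $relayhost in
        '')      echo "relayhost is empty: senders not matched by sender_dependent_relayhost_maps go direct to the remote MX on port 25" ;;
        \[*\]:*) port=${relayhost##*]:} ;;
        \[*\])   echo "relayhost '$relayhost' has no port: Postfix will connect on port 25" ;;
        *)       echo "relayhost '$relayhost' is not bracketed: Postfix does an MX lookup on it instead of connecting to the host" ;;
    esac
    wrapper=$(cfg_get "$cfg" smtp_tls_wrappermode)
    case $port in
        465) [ "$wrapper" = yes ] || echo "port 465 is implicit TLS: set smtp_tls_wrappermode = yes" ;;
        587) [ "$wrapper" != yes ] || echo "port 587 is STARTTLS: smtp_tls_wrappermode = yes breaks the handshake" ;;
    esac
    [ "$(cfg_get "$cfg" smtp_sasl_auth_enable)" = yes ] \
        || echo "smtp_sasl_auth_enable is not yes: the relay will reject unauthenticated submission"
    case " $(cfg_get "$cfg" smtp_sasl_security_options | tr ',' ' ') " in
        *' noanonymous '*) ;;
        *) echo "smtp_sasl_security_options lacks noanonymous: an anonymous mechanism could be chosen and no credentials sent" ;;
    esac
    [ -n "$(cfg_get "$cfg" smtp_sasl_password_maps)" ] \
        || echo "smtp_sasl_password_maps is unset: no credentials for the relay"
    level=$(cfg_get "$cfg" smtp_tls_security_level)
    case $level in
        encrypt|secure|verify|fingerprint|dane-only) ;;
        *) echo "smtp_tls_security_level is '${level:-unset}': TLS is optional, so SASL credentials may go out on a downgraded session" ;;
    esac
    case $level in
        secure|verify) [ -n "$(cfg_get "$cfg" smtp_tls_CAfile)$(cfg_get "$cfg" smtp_tls_CApath)" ] \
            || echo "smtp_tls_security_level = $level needs smtp_tls_CAfile or smtp_tls_CApath, otherwise every delivery is deferred" ;;
    esac
}

# count_findings CONFIG_TEXT: number of findings (0 = clean).
count_findings() {
    audit_relay_config "$1" | awk 'END { print NR }'
}

# Thread situation: SES only via the sender map, relayhost empty, TLS opportunistic.
WEAK_CFG='relayhost =
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = may'

# The Amazon 587 fragment quoted in the post, plus the CApath Ubuntu's Postfix package ships.
GOOD_CFG='relayhost = [email-smtp.us-west-2.amazonaws.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = secure
smtp_tls_note_starttls_offer = yes
smtp_tls_CApath = /etc/ssl/certs'

# A generic 465 provider (hostname made up) configured as if it were STARTTLS.
PORT465_CFG='relayhost = [smtp.relay-provider.example]:465
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_tls_security_level = encrypt'

echo "== thread state: $(count_findings "$WEAK_CFG") finding(s)";          audit_relay_config "$WEAK_CFG"
echo "== Amazon 587 fragment: $(count_findings "$GOOD_CFG") finding(s)";   audit_relay_config "$GOOD_CFG"
echo "== 465 without wrapper mode: $(count_findings "$PORT465_CFG") finding(s)"; audit_relay_config "$PORT465_CFG"
```

Run it against a real host with `audit_relay_config "$(postconf -n)"`. The one thing it cannot see is the mode of /etc/postfix/sasl_passwd and its .db: both hold the SES SMTP credentials and should be 0600 and owned by root, which `postmap` does not enforce for you.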

There is an option to set relayhost in webmin. I set it by directly editing /etc/postfix/main.cf.

This item is at Webmin, Servers, Postfix Mail Server, General Options, Other General Options

Would a port number option in the settings fix this?
It would be better to have a GUI setting for this rather than searching config files.

The port number for ‘Cloud Mail Delivery Provider’ is not an issue. It is assumed to be port 587 for Amazon SES.

There are a number of issues with the Cloud Mail setting.

  1. Only Amazon SES is offered
  2. It is a PRO feature
  3. It is opt in by virtual server only but can be set to be on through a template
  4. It only works for email that is specifically from the domain of the virtual server. That is, it won't work for email forwarded through the virtual server that is from a different domain. This is the OT issue.
  5. It does not set the default relayhost.

For the OT issue the best solution is to set the default relayhost instead and to allow any port 587 or 465 provider to be used. There is an option within Webmin to set relayhost. However it also requires a lot of other options to be set manually for relaying through ports 587 or 465. Kind of awkward and kind of begging for an added feature. It is not a ‘commercial use’ of webmin issue. It is a common problem brought on by banning outgoing port 25.


From a user experience perspective, a toggle that says something like “Route all mail through cloud provider” is more useful than a port. The problem is the system is attempting to use the local mailer instead of engaging a full Postfix takeover.

My expectation, when setting up Cloud Delivery, would be that all mail would use the cloud gateway negating the need for outbound port 25 communication. The toggle could set, and keep in sync, all of the postfix plumbing to use the external relay for relay off the host device.

Yes, solve your problem with an option button, but also generalise the solution!

Expanding:

The port number is irrelevant to the user experience when manual settings are not required.

The problem at the moment is that your forwarding issue cannot be solved without manual settings due to the likely nature of the Postfix feature used (sender_dependent_relayhost_maps).

A solution is to add in an option to the Cloud email that states “Would you prefer for all email for all domains to use Amazon SES?”.

But why stop at Amazon SES? Why not make it a general feature of Webmin to offer a choice to use a port 587, 465 or 25 host as the default relayhost without having to enter unnecessary manual details, including port number? The minimum details for a general solution are host, choose port 587, 465 or 25 or enter an arbitrary port, username and password. Port 587 assumes STARTTLS, port 465 SSL/TLS, port 25 no assumptions or override. That is it. If Virtualmin wants, they can allow extraction of port 587 details from Amazon keys as a PRO feature of Virtualmin.

It is possible Virtualmin are loath to offer general port 587/465 default relayhost solutions because of variations among providers causing a support headache.

In which case it is up to an admin to make manual Postfix adjustments following the recommendations of providers.

I don’t see this as unreasonable.

In any case, for the particular OT issue right now, there appears to be little choice for a solution other than manual adjustments as recommended by Amazon because a sender_dependent_relayhost_maps solution does not cut it for their use case.