In this session, I’ll demonstrate how to integrate Amazon SES with the Exim mail server software.

After migrating my mailserver to AWS, I had to ensure that SMTP is working on my mailserver EC2 instance. AWS blocks outbound traffic on port 25 (SMTP) of all EC2 instances by default. To send outbound traffic on port 25, you can request that this restriction be removed.

Another option is to leverage Amazon SES. Amazon SES is an email platform that provides an easy, cost-effective way for you to send and receive email using your own email addresses and domains.

AWS offers an SES free tier usage of up to 62000 messages per month, which is more than my low-traffic mail server handles in an entire year 😉

The first step to enable SES is to verify the mail domain by creating an SES identity in the AWS console. Part of creating a domain identity is configuring its DKIM-based verification. DomainKeys Identified Mail (DKIM) is an email authentication method that Amazon SES uses to verify domain ownership, and that receiving mail servers use to validate email authenticity.

  1. Sign in to the AWS Management Console https://console.aws.amazon.com/ses/.
  2. In the navigation pane, under Configuration, choose Verified identities.
  3. Choose Create identity.
  4. Under Identity details, select Domain as the type of identity.
  5. Enter the name of the domain or subdomain in the Domain field, e.g. heissler.at.
  6. Choose Create identity.

Now that we’ve created and configured our domain identity with DKIM, we must complete the verification process with our DNS provider. As I am using an AT TLD, as of May 2021, I cannot use Amazon Route 53, since AT TLDs are still not supported by this service. Instead, I’m adding the provided CNAME records for the heissler.at domain identity in the heissler.at zone at my DNS hoster, e.g.:

CNAME   xxx._domainkey.heissler.at xxx.dkim.amazonses.com
CNAME   xxx._domainkey.heissler.at xxx.dkim.amazonses.com
CNAME   xxx._domainkey.heissler.at xxx.dkim.amazonses.com

It can take up to 72 hours for changes to DNS settings to propagate. As soon as Amazon SES detects all of the required DKIM records in our domain’s DNS settings, the verification process is complete. The domain’s DKIM configuration appears as Successful and the Identity status appears as Verified.

The next step is to obtain SES SMTP credentials:

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.
  2. Choose Account dashboard in the left navigation pane – this will open the Account dashboard page.
  3. On the Account dashboard page, scroll down to the Simple Mail Transfer Protocol (SMTP) settings container and choose Create SMTP Credentials in the lower-left corner – the IAM console will open.
  4. For Create User for SMTP, type a name for your SMTP user in the IAM User Name field. Alternatively, you can use the default value that is provided in this field. When you finish, choose Create in the bottom-right corner.
  5. Expand Show User SMTP Security Credentials – your SMTP credentials are shown on the screen.
  6. Download these credentials by choosing Download Credentials or copy them and store them in a safe place, because you can’t view or save your credentials after you close this dialog box.
  7. Choose Close Window.

The last step is to connect an SMTP endpoint. In our case, this is our Exim mail server. The Amazon SES SMTP endpoint requires that all connections be encrypted using Transport Layer Security (TLS). AWS EC2 throttles email traffic over port 25 by default, thus to avoid timeouts when sending email through the SMTP endpoint from EC2, we configure the Exim mail server to send mails via submission port 587.

In the Exim configuration file /etc/exim4/exim4.conf, we add the following to the top of the routers section (after begin routers):

send_via_ses:
        driver = manualroute
        domains = ! +local_domains
        transport = ses_smtp
        route_list = * email-smtp.eu-central-1.amazonaws.com;

In the transports section, after the begin transports line, we add the following:

ses_smtp:
        driver = smtp
        port = 587
        hosts_require_auth = *
        hosts_require_tls = *

In the authenticators section, after the begin authenticators line, add the following (replace USERNAME with your SMTP user name, and PASSWORD with your SMTP password, both taken from the SES SMTP credentials created above):

ses_login:
        driver = plaintext
        public_name = LOGIN
        client_send = : USERNAME : PASSWORD

After saving the configuration, we enter the following command to restart Exim:

sudo systemctl restart exim4.service
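
Because exim4.conf now holds the SES SMTP password in client_send and the relay depends on hosts_require_tls and hosts_require_auth staying in place, it is worth linting the file after each edit. The script below is an added example, not part of the original setup; the function names block_opt, expect and check_ses_relay are hypothetical, and it assumes the block names used above (send_via_ses, ses_smtp).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the value of option $3 inside the "$2:" block of Exim config file $1.
block_opt() {
    awk -v blk="$2" -v opt="$3" '
        /^begin[ \t]/ { inblk = 0; next }
        /^[A-Za-z0-9_]+:[ \t]*$/ { sub(/:.*/, ""); inblk = ($0 == blk); next }
        inblk && (n = index($0, "=")) {
            key = substr($0, 1, n - 1); val = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == opt) { print val; exit }
        }' "$1"
}

# expect BLOCK OPTION VALUE: record a failure in $rc unless the option matches.
expect() {
    got=$(block_opt "$conf" "$1" "$2")
    [ "$got" = "$3" ] || { echo "FAIL: $1/$2 is '$got', want '$3'"; rc=1; }
}

# Return 0 only if mail is routed to ses_smtp, the transport uses port 587 and
# requires TLS and AUTH, and the password-bearing file is not world-readable.
check_ses_relay() {
    conf=$1; rc=0
    expect send_via_ses transport ses_smtp
    expect ses_smtp port 587
    expect ses_smtp hosts_require_tls '*'
    expect ses_smtp hosts_require_auth '*'
    case "$(ls -ldL "$conf")" in
        ???????r*) echo "FAIL: $conf holds client_send credentials and is world-readable"; rc=1 ;;
    esac
    return "$rc"
}

# With a path argument lint that file; otherwise lint a constructed sample
# that leaves out hosts_require_tls, which must be rejected.
if [ $# -gt 0 ]; then
    check_ses_relay "$1" && echo "OK: $1"
else
    demo=$(mktemp) && chmod 600 "$demo"
    printf '%s\n' 'begin routers' 'send_via_ses:' '  transport = ses_smtp' \
        'begin transports' 'ses_smtp:' '  port = 587' \
        '  hosts_require_auth = *' > "$demo"
    check_ses_relay "$demo" || echo "constructed sample rejected"
    rm -f "$demo"
fi
```

Run it with /etc/exim4/exim4.conf as the argument; it inspects only the settings named above and does not replace Exim's own configuration parsing.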

That’s all 🙂