How to send Server Mails through Sendmail and Amazon SES (Ubuntu 20.04)

You must have an Amazon SES account with a verified email address.

Check whether the Sendmail packages are installed on your server:

dpkg -s sendmail 
dpkg -s sendmail-cf 
dpkg -s m4

To configure Sendmail to send email through the Amazon SES endpoint in US East (N. Virginia) using STARTTLS

1. Create or edit a file called /etc/mail/authinfo. Add the following line to the file, where:

• U:root—Do not modify.

• I:USERNAME—Replace with the Amazon SES username you obtained using the instructions in Obtaining Your Amazon SES SMTP Credentials. This is NOT the same as your AWS Access Key ID.

• P:PASSWORD—Replace with the Amazon SES password you obtained using the instructions in Obtaining Your Amazon SES SMTP Credentials. This is NOT the same as your AWS Secret Key.

• M:LOGIN—Replace with the method of authentication to use. For example, PLAIN, DIGEST-MD5, etc.

AuthInfo:email-smtp.us-east-1.amazonaws.com "U:root" "I:USERNAME" "P:PASSWORD" "M:LOGIN" 

If Sendmail cannot authenticate with the Amazon SES SMTP endpoint because the hostname does not match, try adding the additional line specified in Amazon SES SMTP Issues.

2. Save the authinfo file.

3. At a command prompt, type the following command to generate /etc/mail/authinfo.db:

sudo makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo 

4. Open the /etc/mail/access file and include support for relaying to the Amazon SES SMTP endpoint by adding the following line. If Sendmail cannot authenticate with the Amazon SES SMTP endpoint because the hostname does not match, try adding the additional line specified in Amazon SES SMTP Issues.

Connect:email-smtp.us-east-1.amazonaws.com RELAY 

Save the file.

5. At a command prompt, type the following command to regenerate /etc/mail/access.db:

sudo makemap hash /etc/mail/access.db < /etc/mail/access 
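Steps 1 to 5 as one script, added here as an example and not part of the original post. It writes the authinfo and access map sources for a given endpoint and SMTP credential, keeps the credential file readable by root only (the file holds the SES SMTP password), adds the RELAY line only once, and rebuilds the .db files when makemap is available. The fourth argument (output directory) is an addition for dry runs; the usage values are placeholders, not real credentials.

```shell
# Added example (not part of the original post): writes the authinfo and access
# map sources from steps 1-5 for a given endpoint and SMTP credential, keeps the
# credential file readable by root only, and rebuilds the .db files when
# makemap is installed. Pass a fourth argument to write somewhere other than
# /etc/mail (useful for a dry run).
write_ses_maps() {
    endpoint="$1"; user="$2"; pass="$3"; outdir="${4:-/etc/mail}"
    mkdir -p "$outdir"
    # The SMTP password lives in authinfo: create it without group/world bits.
    saved_umask=$(umask)
    umask 077
    printf 'AuthInfo:%s "U:root" "I:%s" "P:%s" "M:LOGIN"\n' \
        "$endpoint" "$user" "$pass" > "$outdir/authinfo"
    umask "$saved_umask"
    # access keeps whatever rules it already has; add the RELAY line only once.
    touch "$outdir/access"
    grep -q "^Connect:$endpoint RELAY" "$outdir/access" ||
        printf 'Connect:%s RELAY\n' "$endpoint" >> "$outdir/access"
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$outdir/authinfo.db" < "$outdir/authinfo"
        makemap hash "$outdir/access.db" < "$outdir/access"
    else
        echo "makemap not installed; install the packages listed at the top and run makemap by hand" >&2
    fi
}

# Usage (constructed placeholder values, not real credentials):
# write_ses_maps email-smtp.us-east-1.amazonaws.com SES_SMTP_USERNAME SES_SMTP_PASSWORD
```

Run it as root for the real /etc/mail, or with a scratch directory as the fourth argument to inspect what it would write first. Keeping authinfo at mode 600 matters because the file contains the SES SMTP password in clear text.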

6. Save a back-up copy of /etc/mail/sendmail.mc and /etc/mail/sendmail.cf.

7. Add the following group of lines to the /etc/mail/sendmail.mc file before any MAILER() definitions. If you add a FEATURE() line after a MAILER() definition, when you run m4 in a subsequent step, you will get the following error: "ERROR: FEATURE() should be before MAILER().":

Important: Be sure to use the ` character and the apostrophe exactly as shown.

define(`SMART_HOST', `email-smtp.us-east-1.amazonaws.com')dnl 
define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl 
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl 
FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl 
MASQUERADE_AS(`YOUR_DOMAIN')dnl 
FEATURE(masquerade_envelope)dnl 
FEATURE(masquerade_entire_domain)dnl 

8. In the text you just added to sendmail.mc, in the line that starts with MASQUERADE_AS, replace YOUR_DOMAIN with the domain name from which you are sending your email. By adding this masquerade, you are making email from this host appear to be sent from your domain. Otherwise, the email will appear as if the email is being sent from the host name of the mail server, and you may get an "Email address not verified" error when you try to send an email.

9. Save the sendmail.mc file.
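A pre-flight check for the edited sendmail.mc, added here as an example (not from the original post), to run before the m4 step: it fails when a FEATURE() or define() line sits after the first MAILER() line (the m4 error quoted in step 7), when MASQUERADE_AS still carries the YOUR_DOMAIN placeholder from step 8, or when no SMART_HOST is defined. The function name and return codes are this example's own.

```shell
# Added example (not part of the original post): sanity-checks an edited
# sendmail.mc before m4 is run. Returns 1 for FEATURE()/define() after
# MAILER(), 2 for a leftover YOUR_DOMAIN placeholder, 3 for no SMART_HOST.
check_sendmail_mc() {
    mc="$1"
    first_mailer=$(grep -n '^MAILER(' "$mc" | head -n 1 | cut -d: -f1)
    if [ -n "$first_mailer" ]; then
        # any FEATURE()/define() below the first MAILER() will make m4 fail
        late=$(awk -v m="$first_mailer" 'NR > m && /^(FEATURE|define)\(/ { print NR ": " $0 }' "$mc")
        if [ -n "$late" ]; then
            echo "FEATURE()/define() after MAILER() at line $first_mailer:" >&2
            echo "$late" >&2
            return 1
        fi
    fi
    if grep -qF "MASQUERADE_AS(\`YOUR_DOMAIN')" "$mc"; then
        echo "MASQUERADE_AS still uses the YOUR_DOMAIN placeholder" >&2
        return 2
    fi
    if ! grep -q 'SMART_HOST' "$mc"; then
        echo "no SMART_HOST defined; mail will not be relayed through SES" >&2
        return 3
    fi
    return 0
}

# Usage: check_sendmail_mc /etc/mail/sendmail.mc && sudo m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
```

Chaining it with && in front of the m4 command means a broken sendmail.mc never overwrites a working sendmail.cf.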

10. At a command prompt, type the following command to make sendmail.cf writeable:

sudo chmod 666 /etc/mail/sendmail.cf 

11. At a command prompt, type the following command to regenerate sendmail.cf:

sudo m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf 

Note: If you encounter errors such as "Command not found" and "No such file or directory," make sure you have installed the m4 and sendmail-cf packages as specified in the prerequisites section above.

12. At a command prompt, type the following command to reset the permissions of sendmail.cf to read only:

sudo chmod 644 /etc/mail/sendmail.cf 

13. At a command prompt, type the following command to restart Sendmail:

sudo /etc/init.d/sendmail restart 

14. Send a test email by doing the following:

1. At a command prompt, type the following. Note that you should replace from@example.com with your "From" email address, which you must have verified with Amazon SES. Replace to@example.com with your "To" address. If you have not yet applied for production access, the "To" address must also be verified.

sudo /usr/sbin/sendmail -f from@example.com to@example.com 

2. Press Enter. Type the body of the message, pressing Enter after each line.

3. When you are finished typing the email, press CTRL+D to send the email.

15. Check the recipient's email client for the email. If you cannot find the email, check the Junk folder in the recipient's email client. If you still cannot find the email, look at the Sendmail log on the mail server. The log is typically in /var/spool/mail/.

In the case of my Ubuntu server, the email log is at /var/log/mail.log

root@server /var/log # tail mail.log
Dec 23 10:35:42 sever sm-mta[18985]: 3BIHMM6O025833: to=, delay=4+16:13:20, xdelay=00:00:00, mailer=relay, pri=60870329, relay=email-smtp.ap-south-1.amazonaws.com., dsn=4.0.0, stat=Deferred
Dec 23 10:35:42 sever sm-mta[18985]: 3BIH7B7E015280: to=, delay=4+16:28:31, xdelay=00:00:00, mailer=relay, pri=60960316, relay=email-smtp.ap-south-1.amazonaws.com., dsn=4.0.0, stat=Deferred
Dec 23 10:35:42 server sm-mta[18985]: 3BIHEk4Y020496: to=, delay=4+16:20:56, xdelay=00:00:00, mailer=relay, pri=60960338, relay=email-smtp.ap-south-1.amazonaws.com., dsn=4.0.0, stat=Deferred
Dec 23 10:39:27 server sendmail[21677]: 3BN9dJoC021677: from=pqr@test.net, size=10, class=0, nrcpts=1, msgid=<202312230939.3BN9dJoC021677@xyz.com>, relay=root@localhost
Dec 23 10:39:28 server sm-mta[21768]: 3BN9dRvP021768: from=, size=282, class=0, nrcpts=1, msgid=<202312230939.3BN9dJoC021677@server.com>, proto=ESMTP, daemon=MTA-v4, relay=localhost.localdomain [127.0.0.1]
Dec 23 10:39:28 server sendmail[21677]: 3BN9dJoC021677: to=pqr@test.net, ctladdr=pqr@test.net (0/0), delay=00:00:09, xdelay=00:00:01, mailer=relay, pri=30010, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (3BN9dRvP021768 Message accepted for delivery)
Dec 23 10:39:28 server sm-mta[21770]: STARTTLS=client, relay=email-smtp.ap-south-1.amazonaws.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Dec 23 10:39:29 server sm-mta[21770]: 3BN9dRvP021768: AUTH=client, available mechanisms do not fulfill requirements
Dec 23 10:39:29 server sm-mta[21770]: AUTH=client, relay=email-smtp.ap-south-1.amazonaws.com., temporary failure, connection abort
Dec 23 10:39:29 server sm-mta[21770]: 3BN9dRvP021768: to=, delay=00:00:02, xdelay=00:00:01, mailer=relay, pri=120282, relay=email-smtp.ap-south-1.amazonaws.com. [13.126.76.118], dsn=4.0.0, stat=Deferred: Temporary AUTH failure
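A first triage pass over mail.log, added here as an example and not part of the original post. It counts what the SES relay deferred or accepted and flags the two relay-side conditions that stand out in the log above: the client TLS handshake ending with verify=FAIL and the SASL AUTH attempt failing. The sample lines are constructed for the example, modelled on the log above, with documentation addresses.

```shell
# Added example (not part of the original post): a first triage pass over
# mail.log for the relay host. Reads log lines on stdin; the relay host name
# is the first argument.
triage_mail_log() {
    relay="${1:-email-smtp}"
    awk -v relay="$relay" '
        # only lines that mention the SES relay host count as relay activity
        index($0, "relay=" relay) && /stat=Deferred/ { deferred++ }
        index($0, "relay=" relay) && /stat=Sent/     { sent++ }
        /STARTTLS=client/ && /verify=FAIL/            { tlsfail++ }
        /AUTH=client/ && /temporary failure/          { authfail++ }
        /available mechanisms do not fulfill requirements/ { nomech++ }
        END {
            printf "deferred=%d sent=%d tls_verify_fail=%d auth_fail=%d no_mechanism=%d\n",
                   deferred, sent, tlsfail, authfail, nomech
            if (nomech)  print "hint: no SASL mechanism sendmail can use; check libsasl2-modules and confAUTH_MECHANISMS"
            if (tlsfail) print "hint: verify=FAIL means the relay certificate was not verified, so the TLS session is encrypted but not authenticated"
        }'
}

# Constructed sample log (modelled on the post, not its actual lines).
sample_log() {
    cat <<'EOF'
Dec 23 10:35:42 server sm-mta[18985]: 3BIHMM6O025833: to=<a@example.com>, delay=4+16:13:20, mailer=relay, relay=email-smtp.ap-south-1.amazonaws.com., dsn=4.0.0, stat=Deferred
Dec 23 10:39:28 server sm-mta[21770]: STARTTLS=client, relay=email-smtp.ap-south-1.amazonaws.com., version=TLSv1.2, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Dec 23 10:39:29 server sm-mta[21770]: 3BN9dRvP021768: AUTH=client, available mechanisms do not fulfill requirements
Dec 23 10:39:29 server sm-mta[21770]: AUTH=client, relay=email-smtp.ap-south-1.amazonaws.com., temporary failure, connection abort
Dec 23 10:39:29 server sm-mta[21770]: 3BN9dRvP021768: to=<a@example.com>, mailer=relay, relay=email-smtp.ap-south-1.amazonaws.com. [192.0.2.10], dsn=4.0.0, stat=Deferred: Temporary AUTH failure
Dec 23 10:41:02 server sm-mta[21900]: 3BN9fAbC021900: to=<a@example.com>, mailer=relay, relay=email-smtp.ap-south-1.amazonaws.com. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
EOF
}

# Usage on a real server: triage_mail_log email-smtp.us-east-1.amazonaws.com < /var/log/mail.log
sample_log | triage_mail_log email-smtp.ap-south-1.amazonaws.com
```

The "available mechanisms do not fulfill requirements" line is the one that points at the missing libsasl2-modules package described at the end of the post; the verify=FAIL line is worth fixing separately even once mail flows, since without certificate verification sendmail cannot tell the SES endpoint from anything else answering on that port.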

Check whether the firewall is blocking outbound connections over the port you're trying to send email from.

Try the following command:

telnet email-smtp.us-east-1.amazonaws.com PORT

where PORT is the port you're trying to use (typically 25, 465, 587, or 2587).

If the connection is made, the following response is received.

root@server /var/log # telnet email-smtp.ap-south-1.amazonaws.com 25
Trying 65.1.8.173...
Connected to email-smtp.ap-south-1.amazonaws.com.
Escape character is '^]'.
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-Z84JC76C2 YYg9AiTpo0btbw0gtOnO
451 4.4.2 Timeout waiting for data from client.
Connection closed by foreign host.

For the TLS Wrapper (465) and STARTTLS (25) variants, use openssl instead of telnet:

openssl s_client -crlf -quiet -connect email-smtp.us-east-1.amazonaws.com:465
openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:25

If you cannot connect to the Amazon SES SMTP endpoint using telnet or openssl, then something in your network (for example, a firewall) is blocking outbound connections over the port you're trying to use.

root@server# ufw status
Status: active

To                         Action      From
--                         ------      ----
22222                      ALLOW       Anywhere
80                         ALLOW       Anywhere
22                         ALLOW       Anywhere
443                        ALLOW       Anywhere
25                         ALLOW       Anywhere
22222 (v6)                 ALLOW       Anywhere (v6)
80 (v6)                    ALLOW       Anywhere (v6)
22 (v6)                    ALLOW       Anywhere (v6)
443 (v6)                   ALLOW       Anywhere (v6)
25 (v6)                    ALLOW       Anywhere (v6)

If that works, and you are trying to connect to Amazon SES using TLS Wrapper or STARTTLS, try the openssl commands shown in Using the Command Line to Send Email Through the Amazon SES SMTP Interface.

As stated here and here, besides sasl2-bin there is also a need to install libsasl2-modules:

sudo apt-get install sasl2-bin libsasl2-modules

This solved the problem and the server was able to send mails through Amazon SES.
