

# Integrating Amazon SES with your existing email server
<a name="send-email-smtp-existing-server"></a>

If you currently administer your own email server, you can use the Amazon SES SMTP endpoint to send all of your outgoing email to Amazon SES. There is no need to modify your existing email clients and applications; the changeover to Amazon SES will be transparent to them.

Several mail transfer agents (MTAs) support sending email through SMTP relays. This section provides general guidance on how to configure some popular MTAs to send email using the Amazon SES SMTP interface.

The Amazon SES SMTP endpoint requires that all connections be encrypted using Transport Layer Security (TLS).

**Topics**
+ [Integrating Amazon SES with Postfix](postfix.md)
+ [Integrating Amazon SES with Sendmail](send-email-sendmail.md)
+ [Integrating Amazon SES with Microsoft Windows Server IIS SMTP](send-email-windows-server.md)

# Integrating Amazon SES with Postfix
<a name="postfix"></a>

Postfix is an alternative to the widely used Sendmail Message Transfer Agent (MTA). For information about Postfix, go to [http://www.postfix.org](http://www.postfix.org). The procedures in this topic will work with Linux, macOS, or Unix.

**Note**  
Postfix is a third-party application, and isn't developed or supported by Amazon Web Services. The procedures in this section are provided for informational purposes only, and are subject to change without notice.

## Prerequisites
<a name="send-email-postfix-prereqs"></a>

Before you complete the procedures in this section, you have to perform the following tasks:
+ Uninstall the Sendmail application if it's installed on your system. The procedure for completing this step varies depending on the operating system you use.
  **Important**  
  The following references to *sendmail* refer to the Postfix command `sendmail`, not to be confused with the Sendmail application.
+ Install Postfix. The procedure for completing this step varies depending on the operating system you use.
+ Install a SASL authentication package. The procedure for completing this step varies depending on the operating system you use. For example, if you use a RedHat-based system, you should install the `cyrus-sasl-plain` package. If you use a Debian- or Ubuntu-based system, you should install the `libsasl2-modules` package.
+ Verify an email address or domain to use for sending email. For more information, see [Creating an email address identity](creating-identities.md#verify-email-addresses-procedure).
+ If your account is still in the sandbox, you can only send email to verified email addresses. For more information, see [Request production access (Moving out of the Amazon SES sandbox)](request-production-access.md).

## Configuring Postfix
<a name="send-email-postfix"></a>

Complete the following procedures to configure your mail server to send email through Amazon SES using Postfix.

**To configure Postfix**

1. At the command line, type the following command:

   ```
   sudo postconf -e "relayhost = [email-smtp.us-west-2.amazonaws.com]:587" \
   "smtp_sasl_auth_enable = yes" \
   "smtp_sasl_security_options = noanonymous" \
   "smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd" \
   "smtp_use_tls = yes" \
   "smtp_tls_security_level = secure" \
   "smtp_tls_note_starttls_offer = yes"
   ```

   **Note**  
   If you use Amazon SES in an AWS Region other than US West (Oregon), replace *email-smtp.us-west-2.amazonaws.com* in the preceding command with the SMTP endpoint of the appropriate Region. For more information, see [Regions and Amazon SES](regions.md).

1. In a text editor, open the file `/etc/postfix/master.cf`. Search for the following entry:

   ```
   -o smtp_fallback_relay=
   ```

   If you find this entry, comment it out by placing a `#` (hash) character at the beginning of the line. Save and close the file.

   Otherwise, if this entry isn't present, continue to the next step.

1. In a text editor, open the file `/etc/postfix/sasl_passwd`. If the file doesn't already exist, create it.

1. Add the following line to `/etc/postfix/sasl_passwd`:

   ```
   [email-smtp.us-west-2.amazonaws.com]:587 SMTPUSERNAME:SMTPPASSWORD
   ```

   **Note**  
   Replace *SMTPUSERNAME* and *SMTPPASSWORD* with your SMTP sign-in credentials. Your SMTP sign-in credentials aren't the same as your AWS access key ID and secret access key. For more information about credentials, see [Obtaining Amazon SES SMTP credentials](smtp-credentials.md).  
   If you use Amazon SES in an AWS Region other than US West (Oregon), replace *email-smtp.us-west-2.amazonaws.com* in the preceding example with the SMTP endpoint of the appropriate Region. For more information, see [Regions and Amazon SES](regions.md).

   Save and close `sasl_passwd`.

1. At a command prompt, type the following command to create a hashmap database file containing your SMTP credentials:

   ```
   sudo postmap hash:/etc/postfix/sasl_passwd
   ```

1. (Optional) The `/etc/postfix/sasl_passwd` and `/etc/postfix/sasl_passwd.db` files you created in the previous steps aren't encrypted. Because these files contain your SMTP credentials, we recommend that you modify the files' ownership and permissions in order to restrict access to them. To restrict access to these files:

   1. At a command prompt, type the following command to change the ownership of the files:

      ```
      sudo chown root:root /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
      ```

   1. At a command prompt, type the following command to change the permissions of the files so that only the root user can read or write to them:

      ```
      sudo chmod 0600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
      ```

1. Tell Postfix where to find the CA certificate (needed to verify the Amazon SES server certificate). The command you use in this step varies based on your operating system.
   + If you use Amazon Linux, Red Hat Enterprise Linux, or a related distribution, type the following command: 

     ```
     sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'
     ```
   + If you use Ubuntu or a related distribution, type the following command:

     ```
     sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt'
     ```
   + If you use macOS, you can generate the certificate from your system keychain. To generate the certificate, type the following command at the command line:

     ```
     sudo security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee /etc/ssl/certs/ca-bundle.crt > /dev/null
     ```

     After you generate the certificate, type the following command:

     ```
     sudo postconf -e 'smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt'
     ```

1. Type the following command to start the Postfix server (or to reload the configuration settings if the server is already running):

   ```
   sudo postfix start; sudo postfix reload
   ```

1. Send a test email by typing the following at a command line, pressing Enter after each line. Replace *sender@example.com* with your From email address. The From address has to be verified for use with Amazon SES. Replace *recipient@example.com* with the destination address. If your account is still in the sandbox, the recipient address also has to be verified. The last line of the message has to contain a single period (.) with no other content.

   ```
   sendmail -f sender@example.com recipient@example.com
   From: Sender Name <sender@example.com>
   Subject: Amazon SES Test

   This message was sent using Amazon SES.
   .
   ```

1. Check the mailbox associated with the recipient address. If the email doesn't arrive, check your junk mail folder. If you still can't locate the email, check the mail log on the system that you used to send the email (typically located at `/var/log/maillog`) for more information.
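
One way to check the result of the procedure above, as an added example that is not part of the AWS documentation or of Postfix: the script audits saved `postconf -n` output and the credential files against the values used in these steps. The function names are hypothetical, and the expected owner uid defaults to 0 (root).

```shell
#!/bin/sh
# Added example: audit a Postfix relay setup against the settings used in the
# procedure above. Function names are hypothetical.

# Print the value of parameter $2 from `postconf -n` output saved in file $1.
postconf_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Succeed only if $1 is a regular file owned by uid $2 with no permission
# bits set for group or others.
is_private_file() {
    [ -f "$1" ] || return 1
    listing=$(ls -ldn "$1") || return 1
    case $(printf '%s\n' "$listing" | cut -c1-10) in
        -???------) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$listing" | awk '{ print $3 }')" = "$2" ]
}

finding() {
    printf 'FINDING: %s\n' "$1"
    findings=$((findings + 1))
}

# audit_postfix_relay CONF SASL_PASSWD [OWNER_UID]
# CONF is a file holding `postconf -n` output. Prints one line per finding
# and returns the number of findings (0 means the setup matches).
audit_postfix_relay() {
    conf=$1; secrets=$2; uid=${3:-0}; findings=0

    relay=$(postconf_value "$conf" relayhost)
    case $relay in
        "["*"]:587") ;;
        *) finding "relayhost '$relay' is not in the [host]:587 form" ;;
    esac

    [ "$(postconf_value "$conf" smtp_sasl_auth_enable)" = yes ] ||
        finding "smtp_sasl_auth_enable is not yes"

    # Mandatory TLS with certificate verification is what protects the
    # SASL credentials in transit.
    level=$(postconf_value "$conf" smtp_tls_security_level)
    [ "$level" = secure ] ||
        finding "smtp_tls_security_level is '$level', expected secure"

    cafile=$(postconf_value "$conf" smtp_tls_CAfile)
    [ -n "$cafile" ] && [ -r "$cafile" ] ||
        finding "smtp_tls_CAfile '$cafile' is unset or unreadable"

    # The lookup key in sasl_passwd has to be written exactly like relayhost.
    awk -v key="$relay" '$1 == key { ok = 1 } END { exit !ok }' "$secrets" ||
        finding "no sasl_passwd entry whose key equals relayhost"

    for f in "$secrets" "$secrets.db"; do
        is_private_file "$f" "$uid" ||
            finding "$f is missing, not owned by uid $uid, or open to group/others"
    done

    return "$findings"
}
```

Run it as root, for example `postconf -n > /tmp/postconf.txt` followed by `audit_postfix_relay /tmp/postconf.txt /etc/postfix/sasl_passwd`.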

## Advanced usage example
<a name="send-email-postfix-advanced"></a>

This example shows how to send an email that uses a [configuration set](using-configuration-sets.md), and that uses MIME-multipart encoding to send both a plain text and an HTML version of the message, along with an attachment. It also includes a [link tag](faqs-metrics.md#sending-metric-faqs-clicks-q5), which can be used for categorizing click events. The content of the email is specified in an external file, so that you do not have to manually type the commands in the Postfix session.

**To send a multipart MIME email using Postfix**

1. In a text editor, create a new file called `mime-email.txt`.

1. In the text file, paste the following content, replacing the sample values (such as *ConfigSet* and *sender@example.com*) with the appropriate values for your account:

   ```
   X-SES-CONFIGURATION-SET: ConfigSet
   From:Sender Name <sender@example.com>
   Subject:Amazon SES Test
   MIME-Version: 1.0
   Content-Type: multipart/mixed; boundary="YWVhZDFlY2QzMGQ2N2U0YTZmODU"
   
   --YWVhZDFlY2QzMGQ2N2U0YTZmODU
   Content-Type: multipart/alternative; boundary="3NjM0N2QwMTE4MWQ0ZTg2NTYxZQ"
   
   --3NjM0N2QwMTE4MWQ0ZTg2NTYxZQ
   Content-Type: text/plain; charset=UTF-8
   Content-Transfer-Encoding: quoted-printable
   
   Amazon SES Test
   
   This message was sent from Amazon SES using the SMTP interface.
   
   For more information, see:
   http://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-smtp.html
   
   --3NjM0N2QwMTE4MWQ0ZTg2NTYxZQ
   Content-Type: text/html; charset=UTF-8
   Content-Transfer-Encoding: quoted-printable
   
   <html>
     <head>
   </head>
     <body>
       <h1>Amazon SES Test</h1>
         <p>This message was sent from Amazon SES using the SMTP interface.</p>
         <p>For more information, see
         <a ses:tags="samplekey0:samplevalue0;samplekey1:samplevalue1;" 
         href="http://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-smtp.html">
         Using the Amazon SES SMTP Interface to Send Email</a> in the <em>Amazon SES
         Developer Guide</em>.</p>
     </body>
   </html>
   --3NjM0N2QwMTE4MWQ0ZTg2NTYxZQ--
   --YWVhZDFlY2QzMGQ2N2U0YTZmODU
   Content-Type: application/octet-stream
   MIME-Version: 1.0
   Content-Transfer-Encoding: base64
   Content-Disposition: attachment; filename="customers.txt"
   
   SUQsRmlyc3ROYW1lLExhc3ROYW1lLENvdW50cnkKMzQ4LEpvaG4sU3RpbGVzLENh
   bmFkYQo5MjM4OSxKaWUsTGl1LENoaW5hCjczNCxTaGlybGV5LFJvZHJpZ3VleixV
   bml0ZWQgU3RhdGVzCjI4OTMsQW5heWEsSXllbmdhcixJbmRpYQ==
   --YWVhZDFlY2QzMGQ2N2U0YTZmODU--
   ```

   Save and close the file.

1. At the command line, type the following command. Replace *sender@example.com* with your email address, and replace *recipient@example.com* with the recipient's email address.

   ```
   sendmail -f sender@example.com recipient@example.com < mime-email.txt
   ```

   If the command runs successfully, it exits without providing any output.

1. Check your inbox for the email. If the message wasn't delivered, check your system's mail log.

# Integrating Amazon SES with Sendmail
<a name="send-email-sendmail"></a>

Sendmail was released in the early 1980s, and has been continuously improved ever since. It's a flexible and configurable message transfer agent (MTA) with a large community of users. Sendmail was acquired by Proofpoint in 2013, but Proofpoint continues to offer an open source version of Sendmail. You can download the [open source version of Sendmail](https://www.proofpoint.com/us/open-source-email-solution) from the Proofpoint website, or through the package managers of most Linux distributions.

The procedure in this section shows you how to configure Sendmail to send email through Amazon SES. This procedure was tested on a server running Ubuntu 18.04.2 LTS.

**Note**  
Sendmail is a third-party application, and isn't developed or supported by Amazon Web Services. The procedures in this section are provided for informational purposes only, and are subject to change without notice.

## Prerequisites
<a name="send-email-sendmail-prerequisites"></a>

Before you complete the procedure in this section, you should complete the following steps:
+ Install the Sendmail package on your server. 
  **Note**  
  Depending on which operating system distribution you use, you might also need to install the following packages: `sendmail-cf`, `m4`, and `cyrus-sasl-plain`.
+ Verify an identity to use as your From address. For more information, see [Creating an email address identity](creating-identities.md#verify-email-addresses-procedure).

  If your account is in the Amazon SES sandbox, you must also verify the addresses that you send email to. For more information, see [Request production access (Moving out of the Amazon SES sandbox)](request-production-access.md).

If you're using Amazon SES to send email from an Amazon EC2 instance, you should also complete the following steps:
+ You may need to assign an Elastic IP Address to your Amazon EC2 instance in order for receiving email providers to accept your email. For more information, see [Amazon EC2 Elastic IP addresses](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html) in the *Amazon EC2 User Guide*.
+ Amazon Elastic Compute Cloud (Amazon EC2) restricts email traffic over port 25 by default. To avoid timeouts when sending email through the SMTP endpoint from Amazon EC2, you can request that these restrictions be removed. For more information, see [How do I remove the restriction on port 25 from my Amazon EC2 instance or AWS Lambda function?](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/) in the AWS Knowledge Center.

  Alternatively, you can modify the procedure in this section to use port 587 rather than port 25.

## Configuring Sendmail
<a name="send-email-sendmail-procedure"></a>

Complete the steps in this section to configure Sendmail to send email by using Amazon SES.

**Important**  
The procedure in this section assumes that you want to use Amazon SES in the US West (Oregon) AWS Region. If you want to use a different Region, replace all instances of *email-smtp.us-west-2.amazonaws.com* in this procedure with the SMTP endpoint of the desired Region. For a list of SMTP endpoint URLs for the AWS Regions where Amazon SES is available, see [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/general/latest/gr/rande.html#ses_region) in the *AWS General Reference*.

**To configure Sendmail**

1. In a file editor, open the file `/etc/mail/authinfo`. If the file doesn't exist, create it.

   Add the following line to */etc/mail/authinfo*:

   ```
   AuthInfo:email-smtp.us-west-2.amazonaws.com "U:root" "I:smtpUsername" "P:smtpPassword" "M:PLAIN"
   ```

   In the preceding example, make the following changes:
   + Replace *email-smtp.us-west-2.amazonaws.com* with the Amazon SES SMTP endpoint that you want to use.
   + Replace *smtpUsername* with your Amazon SES SMTP user name.
   + Replace *smtpPassword* with your Amazon SES SMTP password.

   **Note**  
   Your SMTP sign-in credentials are different from your AWS Access Key ID and Secret Access Key. For more information about obtaining your SMTP sign-in credentials, see [Obtaining Amazon SES SMTP credentials](smtp-credentials.md).

   When you finish, save `authinfo`.

1. At the command line, enter the following command to generate the `/etc/mail/authinfo.db` file:

   ```
   sudo sh -c 'makemap hash /etc/mail/authinfo.db < /etc/mail/authinfo'
   ```

1. At the command line, type the following command to add support for relaying to the Amazon SES SMTP endpoint.

   ```
   sudo sh -c 'echo "Connect:email-smtp.us-west-2.amazonaws.com RELAY" >> /etc/mail/access'
   ```

   In the preceding command, replace *email-smtp.us-west-2.amazonaws.com* with the address of the Amazon SES SMTP endpoint that you want to use.

1. At the command line, type the following command to regenerate */etc/mail/access.db*:

   ```
   sudo sh -c 'makemap hash /etc/mail/access.db < /etc/mail/access'
   ```

1. At the command line, type the following command to create backups of the `sendmail.cf` and `sendmail.mc` files:

   ```
   sudo sh -c 'cp /etc/mail/sendmail.cf /etc/mail/sendmail_cf.backup && cp /etc/mail/sendmail.mc /etc/mail/sendmail_mc.backup'
   ```

1. Add the following lines to the */etc/mail/sendmail.mc* file before any `MAILER()` definitions.

   ```
   define(`SMART_HOST', `email-smtp.us-west-2.amazonaws.com')dnl
   define(`RELAY_MAILER_ARGS', `TCP $h 25')dnl
   define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
   FEATURE(`authinfo', `hash -o /etc/mail/authinfo.db')dnl
   MASQUERADE_AS(`example.com')dnl
   FEATURE(masquerade_envelope)dnl
   FEATURE(masquerade_entire_domain)dnl
   ```

   In the preceding text, do the following:
   + Replace *email-smtp.us-west-2.amazonaws.com* with the Amazon SES SMTP endpoint that you want to use.
   + Replace *example.com* with the domain that you want to use to send email.

   When you finish, save the file.

   **Note**  
   Amazon EC2 restricts communications over port 25 by default. If you're using Sendmail in an Amazon EC2 instance, you should complete the [Request to Remove Email Sending Limitations](https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request).

1. At the command line, type the following command to make *sendmail.cf* writeable:

   ```
   sudo chmod 666 /etc/mail/sendmail.cf
   ```

1. At the command line, type the following command to regenerate *sendmail.cf*:

   ```
   sudo sh -c 'm4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf'
   ```

   **Note**  
   If you encounter errors such as "Command not found" and "No such file or directory," make sure that the `m4` and `sendmail-cf` packages are installed on your system.

1. At the command line, type the following command to reset the permissions of *sendmail.cf* to read only:

   ```
   sudo chmod 644 /etc/mail/sendmail.cf
   ```

1. At the command line, type the following command to restart Sendmail:

   ```
   sudo /etc/init.d/sendmail restart
   ```

   *Depending on the version of Linux or Sendmail, if the above doesn't work, try the following:*

   ```
   sudo service sendmail restart
   ```

1. Complete the following steps to send a test email:

   1. At the command line, enter the following command.

      ```
      /usr/sbin/sendmail -vf sender@example.com recipient@example.com
      ```

      Replace *sender@example.com* with your From email address. Replace *recipient@example.com* with the To address. When you finish, press Enter.

   1. Enter the following message content. Press Enter at the end of each line.

      ```
      From: sender@example.com
      To: recipient@example.com
      Subject: Amazon SES test email
      
      This is a test message sent from Amazon SES using Sendmail.
      ```

      When you finish entering the content of the email, press Ctrl+D to send it.

1. Check the recipient's email client for the email. If you can't find the email, check the junk mail folder. If you still can't find the email, check the Sendmail log on your mail server. The log is often located at */var/log/mail.log* or */var/log/maillog*.
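
A check for two easy mistakes in the procedure above, as an added example that is not part of the AWS documentation or of Sendmail: relay settings placed after the first `MAILER()` line, and a map source file edited without rerunning `makemap`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for the Sendmail relay procedure above.
# Function names are hypothetical.

# check_mc_order FILE
# Reports relay settings from the procedure that are missing from a
# sendmail.mc file or that appear after the first MAILER() line.
# The exit status is the number of problems found.
check_mc_order() {
    awk '
        /^MAILER\(/ && !mailer          { mailer = NR }
        # "." below matches the m4 opening quote (a backtick).
        /^define\(.SMART_HOST/          { seen["SMART_HOST"] = NR }
        /^define\(.RELAY_MAILER_ARGS/   { seen["RELAY_MAILER_ARGS"] = NR }
        /^define\(.confAUTH_MECHANISMS/ { seen["confAUTH_MECHANISMS"] = NR }
        /^FEATURE\(.authinfo/           { seen["FEATURE(authinfo)"] = NR }
        END {
            n = split("SMART_HOST RELAY_MAILER_ARGS confAUTH_MECHANISMS FEATURE(authinfo)", want, " ")
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) {
                    print "MISSING: " k
                    bad++
                } else if (mailer && seen[k] > mailer) {
                    print "AFTER MAILER(): " k " (line " seen[k] ")"
                    bad++
                }
            }
            exit bad + 0
        }' "$1"
}

# Succeed if the map database $1.db exists and is newer than its source $1.
map_is_current() {
    [ -f "$1.db" ] && [ -n "$(find "$1.db" -newer "$1" 2>/dev/null)" ]
}

# check_sendmail_relay MC_FILE MAP_SOURCE...
# Returns the total number of problems (0 means both checks passed).
check_sendmail_relay() {
    mc=$1; shift
    problems=0
    check_mc_order "$mc" || problems=$?
    for src in "$@"; do
        map_is_current "$src" || {
            printf 'STALE MAP: rerun makemap for %s\n' "$src"
            problems=$((problems + 1))
        }
    done
    return "$problems"
}
```

For the files in this procedure, the call is `check_sendmail_relay /etc/mail/sendmail.mc /etc/mail/authinfo /etc/mail/access`.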

# Integrating Amazon SES with Microsoft Windows Server IIS SMTP
<a name="send-email-windows-server"></a>

You can configure Microsoft Windows Server's IIS SMTP server to send email through Amazon SES. These instructions were written using Microsoft Windows Server 2022 on an Amazon EC2 instance. You can use the same configuration on Microsoft Windows Server 2016.

**Note**  
Windows Server is a third-party application, and isn't developed or supported by Amazon Web Services. The procedures in this section are provided for informational purposes only, and are subject to change without notice.

**To integrate the Microsoft Windows Server IIS SMTP server with Amazon SES**

1. First, set up Microsoft Windows Server 2022 using the following instructions.

   1. From the [Amazon EC2 management console](https://console.aws.amazon.com/ec2/home), launch a new Microsoft Windows Server 2022 Base Amazon EC2 instance.

   1. Connect to the instance and log into it using Remote Desktop by following the instructions in [Getting Started with Amazon EC2 Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EC2Win_GetStarted.html).

   1. Launch the Server Manager Dashboard.

   1. Install the **Web Server** role. Be sure to include the **IIS 10 Management Compatibility tools** (an option under the **Web Server** check box).

   1. Install the **SMTP Server** feature.

1. Next, configure the IIS SMTP service using the following instructions.

   1. Return to the Server Manager Dashboard.

   1. From the **Tools** menu, choose **Internet Information Services (IIS) 10.0 Manager**.

   1. Right-click **SMTP Virtual Server #1** and then select **Properties**.

   1. On the **Access** tab, under **Relay Restrictions**, choose **Relay**.

   1. In the **Relay Restrictions** dialog box, choose **Add**.

   1. Under **Single Computer**, enter **127.0.0.1** for the IP address. You have now granted access for this server to relay email to Amazon SES through the IIS SMTP service.

      In this procedure, we assume that your emails are generated on this server. If the application that generates the email runs on a separate server, you must grant relaying access for that server in IIS SMTP.

      **Note**  
      To extend the SMTP relay to private subnets, for **Relay Restrictions**, use **Single Computer** 127.0.0.1 and **Group of Computers** 172.1.1.0 - 255.255.255.0 (in the netmask section). For **Connection**, use **Single Computer** 127.0.0.1 and **Group of Computers** 172.1.1.0 - 255.255.255.0 (in the netmask section).

1. Finally, configure the server to send email through Amazon SES using the following instructions.

   1. Return to the **SMTP Virtual Server #1 Properties** dialog box and then choose the **Delivery** tab.

   1. On the **Delivery** tab, choose **Outbound Security**.

   1. Select **Basic Authentication** and then enter your Amazon SES SMTP credentials. You can obtain these credentials from the Amazon SES console using the procedure in [Obtaining Amazon SES SMTP credentials](smtp-credentials.md).

      **Important**  
      Your SMTP credentials are not the same as your AWS access key ID and secret access key. Do not attempt to use your AWS credentials to authenticate yourself against the SMTP endpoint. For more information about credentials, see [Types of Amazon SES credentials](send-email-concepts-credentials.md).

   1. Ensure that **TLS encryption** is selected.

   1. Return to the **Delivery** tab.

   1. Choose **Outbound Connections**.

   1. In the **Outbound Connections** dialog box, ensure that the port is 25 or 587. 

   1. Choose **Advanced**.

   1. For the **Smart host** name, enter the Amazon SES endpoint that you will use (for example, *email-smtp.us-west-2.amazonaws.com*). For a list of endpoint URLs for the AWS Regions where Amazon SES is available, see [Amazon Simple Email Service (Amazon SES)](https://docs.aws.amazon.com/general/latest/gr/rande.html#ses_region) in the *AWS General Reference*.

   1. Return to the Server Manager Dashboard.

   1. On the Server Manager Dashboard, right-click **SMTP Virtual Server #1** and then restart the service to pick up the new configuration.

   1. Send an email through this server. You can examine the message headers to confirm that it was delivered through Amazon SES.