• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Using Amazon SES for Plesk customer sites email

gbotica

Regular Pleskian
Hi,

I use Plesk Onyx on CentOS with the External SMTP Server option (MSMTP) to send all Plesk (notifications etc) and customer website emails (generated from customer websites) via Mailgun.

This has worked well for many months. Deliver-ability is usually very good and the from field in email clients looks like:

John Doe | johndoe.com <[email protected]> via mail.mypleskserver.com

I have been trying to switch this set up over to AWS SES. But I can't get SES to work the same that MailGun does. Set up is OK and I can send email from Plesk Panel etc, but any email generated from a Plesk customer site now logs:

Code:
... [email protected] [email protected] smtpstatus=554 smtpmsg='554 Message rejected: Email address is not verified. The following identities failed the check in region US-WEST-2: "John Doe | johndoe.com" <[email protected]>' errormsg='the server did not accept the mail' exitcode=EX_UNAVAILABLE

When I use Mailgun, it works perfectly:

Code:
... [email protected] [email protected] mailsize=60612 smtpstatus=250 smtpmsg='250 Great success' exitcode=EX_OK

I'm not sure why Mailgun is happy to pass through email from customer sites, but SES wants each sender to be individually verified? That would make SES useless for a shared web server environment?

All DNS settings are in place and verified in the SES console etc.

Is anyone successfully using SES for Plesk customer website email?

Any help on how / if this can work would be appreciated.

Thank you!
 
Last edited:
It's been a while since I've worked with AWS SES, but from what I remember you do have to authenticate at least every domain in SES you like to send email from. I believe this can be done by adding a DNS record to the DNS zone of the domain. The cool thing about AWS (imho) is that you can automate everything. If you combine the AWS API with the Plesk API or CLI you can automate the domain the SES authentication.
 
Last edited:
Thanks for replying.

I've started using Mailgun since yesterday, however not with MSMTP but relaying in postfix. (as not all domains on the server need the mails send through Mailgun)

Just in case someone is looking for a solution for this scenario and possibly also for AWS SES, I'll post how I did it:

Creating the files sasl_passwd and relay_map:
Code:
touch /etc/postfix/sasl_passwd
touch /etc/postfix/relay_map
chmod 600 /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/relay_map

In sasl_passwd:
Code:
smtp.eu.mailgun.org postmaster@DOMAIN_A.TLD:MAILGUN_PASS
relay.DOMAIN_B.TLD postmaster@DOMAIN_B.TLD:MAILGUN_PASS

In rely_map:
Code:
@DOMAIN_A.TLD [smtp.eu.mailgun.org]:587
@DOMAIN_B.TLDe [relay.DOMAIN_B.TLD]:587

Here's the trick for DOMAIN_B.TLD: I added a CNAME record relay.DOMAIN_B.TLD to smtp.eu.mailgun.org (check for your own smtp host to use)
Otherwise, postfix will complain about duplicate entries. (I did the same for domain C, D, ...)

Now edit postfix's main.cf to include:
Code:
sender_dependent_relayhost_maps = hash:/etc/postfix/relay_map
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = AUTH LOGIN
smtpd_relay_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    defer_unauth_destination

Postmap the 2 files you've made:
Code:
postmap /etc/postfix/sasl_passwd
postmap /etc/postfix/relay_map

And finally, reload postfix:
Code:
systemctl reload postfix

Not sure if this is the correct approach but it seems to be working.
Postfix relays the e-mails from the domains mentioned in relay_map and takes the correct authentication line from sasl_passwd.
 
Last edited:
It's been a while since I've worked with AWS SES, but from what I remember you do have to authenticate at least every domain in SES you like to send email from. I believe this can be done by adding a DNS record to the DNS zone of the domain. The cool thing about AWS (imho) is that you can automate everything. If you combine the AWS API with the Plesk API or CLI you can automate the domain the SES authentication.
Hey buddy,

Reviving this old post. Do you have any resources or links on how to integrate AWS Cli using this method?

Thanks in advance.
Jimmy
 
Back
Top