JasonRivers / Docker-Nagios

Docker image for Nagios
MIT License

postfix username and password for AWS SES #153

Open aluminum-ice opened 11 months ago

aluminum-ice commented 11 months ago

Hi, I am familiar with Nagios but this is my first time running your Docker image. I see the env variable for setting the relay host when using AWS SES but not a way to add the necessary credentials. How do people enable this Docker image to use AWS SES to send alerts? Normally I create an authentication file /etc/postfix/sasl_passwd with the AWS SES credentials but I don't see a way of doing that.

I use the following env variable to properly configure main.cf:

MAIL_RELAY_HOST=email-smtp.us-east-1.amazonaws.com:587\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_security_options = noanonymous\nsmtp_use_tls = yes\nsmtp_tls_security_level = encrypt\nsmtp_tls_note_starttls_offer = yes\nsmtp_sasl_password_maps = hash:\/etc\/postfix\/sasl_passwd\nmyhostname=[HOSTNAME]\n

This approach does result in a warning, which isn't ideal, because I am overriding the value set above the 'relayhost=' line:

warning: /etc/postfix/main.cf, line 45: overriding earlier entry: smtp_tls_security_level=may

I redacted HOSTNAME above, but that also seems to be a problem because myhostname is already defined in the file, but it's a random string instead of taking the value of NAGIOS_FQDN, which is what I expected it to do.

How to create /etc/postfix/sasl_passwd and hash it using postmap eludes me... any help is appreciated. Right now I have to log into the container, create the file sasl_passwd in /etc/postfix and then run 'postmap -v hash:/etc/postfix/sasl_passwd && postfix reload' which is not ideal.

My goal is to use this image in a Kubernetes cluster.

kevingoad-arcfield commented 8 months ago

Two options:

This currently works for us:

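# Fetch the SMTP secret (a JSON string with username, password and relayhost keys).
SMTP_SECRET=$(aws secretsmanager get-secret-value --secret-id "<your_secret_name_here>" | jq -r '.SecretString')

# Quote the variable so the JSON is passed to jq unchanged.
SMTP_USERNAME=$(echo "$SMTP_SECRET" | jq -r '.username')
SMTP_PASSWORD=$(echo "$SMTP_SECRET" | jq -r '.password')
SMTP_RELAYHOST=$(echo "$SMTP_SECRET" | jq -r '.relayhost')

# Replace main.cf with the relay settings.
cat << EOF > /etc/postfix/main.cf
relayhost = [$SMTP_RELAYHOST]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
EOF

# Create the credentials file with mode 0600 before the secret is written into it.
install -m 0600 -o root -g root /dev/null /etc/postfix/sasl_passwd
cat << EOF > /etc/postfix/sasl_passwd
[$SMTP_RELAYHOST]:587 $SMTP_USERNAME:$SMTP_PASSWORD
EOF

# -p keeps the script re-runnable if the directory already exists.
mkdir -p /var/spool/postfix/hold
chown postfix /var/spool/postfix/hold

chown root:root /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
# Build the hashed lookup table (sasl_passwd.db) that main.cf points at.
postmap /etc/postfix/sasl_passwd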
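
For the Kubernetes case raised in this thread, one way to build sasl_passwd from a mounted Secret without logging into the container; this is an added example, not part of the thread or of the image's own scripts. The mount path /run/secrets/ses, its file names, the POSTFIX_DIR and RELAY variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example. SECRET_DIR is an assumed mount point for a Kubernetes Secret
# holding two files, "username" and "password"; RELAY is a sample SES endpoint.
SECRET_DIR="${SECRET_DIR:-/run/secrets/ses}"
POSTFIX_DIR="${POSTFIX_DIR:-/etc/postfix}"
# Brackets skip the MX lookup; the sasl_passwd key must equal relayhost exactly.
RELAY="${RELAY:-[email-smtp.us-east-1.amazonaws.com]:587}"

# Print one sasl_passwd line. Empty fields, whitespace and a ':' in the
# username are rejected: Postfix splits "user:password" at the first ':'.
sasl_entry() {  # usage: sasl_entry RELAY USER PASS
    case "$2" in ""|*[[:space:]]*|*:*) echo "bad username" >&2; return 1 ;; esac
    case "$3" in ""|*[[:space:]]*) echo "bad password" >&2; return 1 ;; esac
    printf '%s %s:%s\n' "$1" "$2" "$3"
}

# Write TARGET_DIR/sasl_passwd so that it is mode 0600 from the first byte.
write_sasl_passwd() {  # usage: write_sasl_passwd TARGET_DIR
    user=$(cat "$SECRET_DIR/username") || return 1
    pass=$(cat "$SECRET_DIR/password") || return 1
    line=$(sasl_entry "$RELAY" "$user" "$pass") || return 1
    ( umask 077 && rm -f "$1/sasl_passwd" && printf '%s\n' "$line" > "$1/sasl_passwd" )
}

# Configure Postfix. postconf -e rewrites an existing key in main.cf in place
# instead of appending a second definition of it.
apply() {
    write_sasl_passwd "$POSTFIX_DIR" || return 1
    postmap "hash:$POSTFIX_DIR/sasl_passwd" || return 1
    postconf -e "relayhost = $RELAY" \
        "smtp_sasl_auth_enable = yes" \
        "smtp_sasl_security_options = noanonymous" \
        "smtp_sasl_password_maps = hash:$POSTFIX_DIR/sasl_passwd" \
        "smtp_tls_security_level = encrypt"
}

# Nothing is changed unless the script is run with --apply inside the container.
if [ "${1:-}" = "--apply" ]; then apply; fi
```

If Postfix is already running when this is applied, follow it with `postfix reload`, as in the original post.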