When using Postfix as an SMTP relay for Amazon SES, WordPress often generates dynamic Envelope From addresses (Return-Path) based on the sender's email or website domain. SES strictly requires verified sender addresses in the Envelope From field, causing rejection errors like:
454 4.7.1 : Client host rejected: Sender address verification failed
Modify /etc/postfix/main.cf to enforce a static sender address:
# Force envelope sender for all outgoing mail
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
default_transport = smtp
smtp_sasl_auth_enable = yes
smtp_sender_dependent_authentication = yes
Create /etc/postfix/sender_canonical with:
/.*/ myemail@mydomain.com
After reloading Postfix (postfix reload), test with:
echo "Test" | mail -s "Envelope Test" recipient@example.com
Check the logs for successful delivery:
tail -f /var/log/mail.log | grep status=sent
For Amazon SES, ensure your IAM policy includes the ses:SendRawEmail permission and the sender address is verified in the SES console. The Postfix SASL configuration should match your SES SMTP credentials.
# /etc/postfix/sasl_passwd
[email-smtp.us-west-2.amazonaws.com]:587 SMTP_USERNAME:SMTP_PASSWORD
# Set permissions and update Postfix
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
If you need different From headers while maintaining a consistent envelope sender, use:
# /etc/postfix/header_checks
/^From:.*/ REPLACE From: "Display Name" <noreply@mydomain.com>
This preserves your static Envelope From while allowing customized display headers.
When running a WordPress site on a Linux server using Postfix with Amazon SES as the SMTP relay, you might encounter rejection notices like this:
554 Message rejected: Email address is not verified.
This typically occurs when WordPress plugins or PHP mail() functions send emails with unpredictable envelope sender addresses. Amazon SES strictly requires all sending addresses to be verified.
To enforce a consistent envelope sender address in Postfix, we'll modify the main configuration file:
# Edit the Postfix main configuration file
sudo nano /etc/postfix/main.cf
Add or modify these parameters:
smtp_generic_maps = hash:/etc/postfix/generic
sender_canonical_maps = hash:/etc/postfix/generic
smtp_header_checks = regexp:/etc/postfix/header_checks
Create the generic mapping file to rewrite envelope senders:
sudo nano /etc/postfix/generic
Add these contents (replace with your actual domain):
@localhost myemail@mydomain.com
@hostname myemail@mydomain.com
@(none) myemail@mydomain.com
Create a header checks file to catch remaining cases:
sudo nano /etc/postfix/header_checks
Add this pattern:
/^From:.*/ REPLACE From: myemail@mydomain.com
After making these changes, run these commands:
sudo postmap /etc/postfix/generic
sudo postfix reload
Verify your setup with this command:
echo "Test email body" | mail -s "Test Subject" recipient@example.com
Check the mail logs to confirm the envelope sender:
sudo tail -f /var/log/mail.log
You should see your configured email address as the envelope sender in the logs.
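To make the log check above repeatable, here is an added example (not part of the original page) that scans Postfix log lines and lists every queued message whose envelope sender differs from the verified address. The function names and the sample log lines are constructed for illustration. The qmgr from= field shows the sender as queued, after sender_canonical_maps has been applied; rewriting done by smtp_generic_maps happens at delivery time and does not appear there.

```shell
#!/bin/sh
# Added example (not from the original page): flag queued messages whose
# envelope sender is not the verified SES identity.

# Print "QUEUEID <sender>" for each qmgr log line read from stdin whose
# from=<...> differs from the address given as $1 (case-insensitive compare).
# unverified_senders is a hypothetical helper name.
unverified_senders() {
    awk -v want="$1" '
        /postfix\/qmgr\[/ && match($0, /[0-9A-Za-z]+: from=<[^>]*>/) {
            rec  = substr($0, RSTART, RLENGTH)   # "QUEUEID: from=<addr>"
            i    = index(rec, ": from=<")
            qid  = substr(rec, 1, i - 1)
            addr = substr(rec, i + 8, length(rec) - i - 8)
            if (tolower(addr) != tolower(want))
                printf "%s <%s>\n", qid, addr
        }'
}

# Constructed sample log lines (hostname, PIDs and queue IDs are made up).
sample_log() {
    cat <<'EOF'
Mar  3 10:15:01 web01 postfix/qmgr[1234]: 4F2A1C0B7D: from=<myemail@mydomain.com>, size=612, nrcpt=1 (queue active)
Mar  3 10:15:02 web01 postfix/smtp[1301]: 4F2A1C0B7D: to=<recipient@example.com>, status=sent (250 Ok)
Mar  3 10:16:40 web01 postfix/qmgr[1234]: 9B3D77E210: from=<www-data@web01.localdomain>, size=845, nrcpt=1 (queue active)
Mar  3 10:16:41 web01 postfix/smtp[1302]: 9B3D77E210: to=<recipient@example.com>, status=bounced (554 Message rejected: Email address is not verified.)
EOF
}

# Lists only the message that kept an unrewritten sender.
sample_log | unverified_senders "myemail@mydomain.com"
```

On a live server, feed the real log instead of the sample, for example unverified_senders myemail@mydomain.com < /var/log/mail.log. Any line it prints is a message that bypassed the rewrite and that SES will reject.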
If you're using SASL authentication with Amazon SES, you can also force the sender address through the SASL configuration:
sudo nano /etc/postfix/sasl_passwd
Add your SES credentials with the fixed sender:
[email-smtp.us-west-2.amazonaws.com]:587 myemail@mydomain.com:your-ses-smtp-password
Remember that with Amazon SES:
- Your envelope sender (Return-Path) must be a verified email
- The From header can be different but should still pass SPF/DKIM checks
- SES has sending limits that apply per verified identity