postfix username and password for AWS SES #153

aluminum-ice opened this issue Oct 16, 2023 · 1 comment

aluminum-ice commented Oct 16, 2023

Hi, I am familiar with Nagios but this is my first time running your docker image. I see the env variable for setting the relay host when using AWS SES but not a way to add the necessary credentials? How do people enable this docker image to use AWS SES to send alerts? Normally I create an authentication file /etc/postfix/sasl_passwd with the AWS SES credentials but I don't see a way of doing that?

I use the following env variable to properly configure main.cf:

MAIL_RELAY_HOST=email-smtp.us-east-1.amazonaws.com:587\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_security_options = noanonymous\nsmtp_use_tls = yes\nsmtp_tls_security_level = encrypt\nsmtp_tls_note_starttls_offer = yes\nsmtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd\nmyhostname=[HOSTNAME]\n

This approach does result in a warning, which isn't ideal because I am overriding the value set above the 'relayhost=' line:

warning: /etc/postfix/main.cf, line 45: overriding earlier entry: smtp_tls_security_level=may

I redacted HOSTNAME above but that also seems a problem because the myhostname is defined already in the file but it's a random string instead of taking the value of NAGIOS_FQDN which is what I expected it to do.

How to create /etc/postfix/sasl_passwd and hash it using postmap eludes me... any help is appreciated. Right now I have to log into the container, create the file sasl_passwd in /etc/postfix and then run 'postmap -v hash:/etc/postfix/sasl_passwd && postfix reload' which is not ideal.

My goal is to use this image in a kubernetes cluster.

@kevingoad-arcfield

Two options:

  • Assuming you are running in AWS, modify your task role to add ses:SendEmail permissions, and modify/add a command definition to send via the awscli (this is probably better, but I haven't gotten around to it yet)
  • Continue to send via SMTP, and add this to start_nagios (we pull creds from a secret, since our credential generation is a separate managed process).

This currently works for us:

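# Fetch the SMTP credentials (JSON with username, password, relayhost) from Secrets Manager
SMTP_SECRET=$(aws secretsmanager get-secret-value --secret-id "<your_secret_name_here>" | jq -r '.SecretString')

# Quote the variable so the shell does not word-split or glob-expand the secret
SMTP_USERNAME=$(echo "$SMTP_SECRET" | jq -r '.username')
SMTP_PASSWORD=$(echo "$SMTP_SECRET" | jq -r '.password')
SMTP_RELAYHOST=$(echo "$SMTP_SECRET" | jq -r '.relayhost')

# Replace main.cf with a relay-only configuration that authenticates over TLS
cat << EOF > /etc/postfix/main.cf
relayhost = [$SMTP_RELAYHOST]:587
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noanonymous
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
EOF

# Credentials for the relay host, keyed exactly as relayhost is written above
cat << EOF > /etc/postfix/sasl_passwd
[$SMTP_RELAYHOST]:587 $SMTP_USERNAME:$SMTP_PASSWORD
EOF

# -p: do not fail when the directory already exists (e.g. on container restart)
mkdir -p /var/spool/postfix/hold
chown postfix /var/spool/postfix/hold

# Restrict the credential file to root before building the lookup table from it
chown root:root /etc/postfix/sasl_passwd
chmod 0600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd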
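
Added example (not part of either comment or of the image's own scripts): a start-up helper that builds /etc/postfix/sasl_passwd from environment variables, for instance ones injected from a Kubernetes Secret, and creates the file with mode 0600 from the start rather than tightening it afterwards. The function names and the environment variable names (SMTP_RELAYHOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD) are assumptions.

```shell
#!/bin/sh
# Added example; function and variable names are assumptions, not the image's own.

# write_sasl_passwd FILE HOST PORT USER PASS
# Writes the single map entry "[HOST]:PORT USER:PASS" with mode 0600.
write_sasl_passwd() {
    file=$1 host=$2 port=$3 user=$4 pass=$5
    # Reject empty fields and whitespace/newlines that would split the map entry.
    for v in "$host" "$port" "$user" "$pass"; do
        case $v in
            ''|*[[:space:]]*) echo "sasl_passwd: empty or whitespace in a field" >&2
                              return 1 ;;
        esac
    done
    # The value is username:password, so a ':' in the username would be ambiguous.
    case $user in *:*) echo "sasl_passwd: ':' in username" >&2; return 1 ;; esac
    (
        umask 077                              # never readable by group/other
        tmp=$(mktemp "$file.XXXXXX") || exit 1
        printf '[%s]:%s %s:%s\n' "$host" "$port" "$user" "$pass" > "$tmp" &&
            mv -f "$tmp" "$file"               # atomic replace of the old map
    ) || return 1
}

# check_sasl_perms FILE: succeed only if FILE is a regular file with mode 0600.
check_sasl_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Entrypoint part: runs only when credentials are present in the environment
# (assumed names, e.g. injected from a Kubernetes Secret via secretKeyRef).
if [ -n "${SMTP_USERNAME:-}" ] && [ -n "${SMTP_PASSWORD:-}" ]; then
    f=/etc/postfix/sasl_passwd
    write_sasl_passwd "$f" "${SMTP_RELAYHOST:?unset}" "${SMTP_PORT:-587}" \
        "$SMTP_USERNAME" "$SMTP_PASSWORD" &&
        check_sasl_perms "$f" &&
        postmap "hash:$f"                      # builds sasl_passwd.db beside it
fi
```

Passing the credentials as arguments to a shell function keeps them out of the process list, because no external command receives them on its command line.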
