I've moved a cluster from SendGrid to Amazon SES via the Smart Host setting. It works, but only after a Postfix hack on the app server that I'd rather not need.
Setup: app1 (application role) on Enhance
Smart Host = SES SMTP. Around 50 sender domains verified in SES with Custom MAIL FROM Domains (bounce.<domain>) and DKIM via DNS.
Every send was rejected:
554 Message rejected: Email address is not verified ... <unix_user>@enhance-app1.localdomain
myhostname on the app server is enhance-app1.localdomain, myorigin = $myhostname, so PHP mail() ends up with envelope MAIL FROM <user>@enhance-app1.localdomain.
SES strictly checks that envelope against verified identities, doesn't match, rejects.
Fix I'm using: smtp_generic_maps = hash:/etc/postfix/generic with one line, @enhance-app1.localdomain noreply@mydomain.io. mydomain.io is a verified SES identity.
SES then rewrites the outbound envelope to bounce.<domain> as expected via Custom MAIL FROM Domain.
Works end-to-end, DMARC aligned, no "via amazonses.com".
The problem: Enhance regenerates main.cf and wipes that line on agent updates. I've got a systemd path-unit watchdog that re-applies it, but there's a race window where bounces could happen silently.
Is there an Enhance-supported way to set the envelope MAIL FROM (or myorigin, or any equivalent) for outbound when using SES? Or — could the Smart Host UI gain a "MAIL FROM rewrite" option so this works without per-server hacks? Curious how others on SES are running this.
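
Added example, not part of the original post and not Enhance's or the poster's own code: an idempotent check-and-repair for the two settings described above (the `smtp_generic_maps` line in main.cf and the generic map entry), of the kind a path-unit watchdog could call. The function name, the `--apply` switch and the syslog tag are hypothetical; it assumes `smtp_generic_maps` is a single-line setting and that the live files sit in /etc/postfix.

```shell
#!/bin/sh
# Added example: idempotent check-and-repair for the rewrite described in the post.
# Assumes smtp_generic_maps is a single-line setting in main.cf.
WANT_MAPS='hash:/etc/postfix/generic'

# ensure_generic_rewrite MAIN_CF GENERIC_FILE LOCAL_DOMAIN VERIFIED_SENDER
# Prints "ok" if both settings were intact, "repaired" if either was restored.
ensure_generic_rewrite() {
    main_cf=$1; generic=$2; key="@$3"; sender=$4; changed=0

    # Postfix uses the last assignment of a parameter, so compare that one.
    current=$(sed -n 's/^smtp_generic_maps[[:space:]]*=[[:space:]]*//p' "$main_cf" 2>/dev/null | tail -n 1)
    if [ "$current" != "$WANT_MAPS" ]; then
        tmp=$(mktemp) || return 1
        # Drop stale assignments, then append the wanted one.
        grep -v '^smtp_generic_maps[[:space:]]*=' "$main_cf" > "$tmp" || true
        printf 'smtp_generic_maps = %s\n' "$WANT_MAPS" >> "$tmp"
        cat "$tmp" > "$main_cf"   # overwrite in place to keep owner and mode
        rm -f "$tmp"
        changed=1
    fi

    # The generic map must send the local domain to the verified sender.
    if ! awk -v k="$key" -v v="$sender" '$1 == k && $2 == v { f = 1 } END { exit !f }' "$generic" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        # Keep other entries, replace any entry for the same key.
        if [ -f "$generic" ]; then awk -v k="$key" '$1 != k' "$generic" > "$tmp"; fi
        printf '%s %s\n' "$key" "$sender" >> "$tmp"
        cat "$tmp" > "$generic"
        rm -f "$tmp"
        changed=1
    fi

    if [ "$changed" -eq 1 ]; then echo repaired; else echo ok; fi
}

# Touch the live config only when called with --apply (values are the post's).
if [ "${1:-}" = "--apply" ]; then
    state=$(ensure_generic_rewrite /etc/postfix/main.cf /etc/postfix/generic \
        enhance-app1.localdomain noreply@mydomain.io)
    if [ "$state" = "repaired" ]; then
        logger -t postfix-generic-guard "smtp_generic_maps drift repaired"
        postmap /etc/postfix/generic && postfix reload
    fi
fi
```

Each repair leaves a syslog line, so the times at which main.cf was regenerated can be compared against SES rejections in the mail log.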