[selfhosted] Forwarded email rejected by Amazon SES relayhost #471

Open
buxm opened this issue Jun 17, 2023 · 4 comments
buxm commented Jun 17, 2023

I am experiencing a weird behaviour with my self hosted Anonaddy (v0.14.1) configured to use Amazon SES as a relay host to send emails (since my cloud provider blocks outbound connections to port 25).
I correctly set up the domain I use with Anonaddy as a verified identity in Amazon SES.
Also I moved my Amazon SES account out of the sandbox, so that only the sender needs to be a verified identity, not the recipient.
At least with one sender (not with all senders) to my Anonaddy alias, I get the following failed delivery when Anonaddy tries to forward the email to my mailbox:
image
Essentially, it looks as if the email was forwarded to my mailbox using the original sender, instead of using the Anonaddy alias as a sender.
Anonaddy logs say:

Jun 17 22:07:52 amail postfix/smtpd[966]: 8B4B620078: client=localhost[127.0.0.1]
Jun 17 22:07:52 amail postfix/cleanup[958]: 8B4B620078: message-id=<[email protected]>
Jun 17 22:07:52 amail postfix/qmgr[904]: 8B4B620078: from=<[email protected]>, size=4836, nrcpt=1 (queue active)
Jun 17 22:07:53 amail postfix/smtp[967]: 8B4B620078: to=<[email protected]>, relay=email-smtp.eu-west-1.amazonaws.com[34.249.178.157]:587, delay=0.79, delays=0.13/0.05/0.32/0.29, dsn=5.0.0, status=bounced (host email-smtp.eu-west-1.amazonaws.com[34.249.178.157] said: 554 Message rejected: Email address is not verified. The following identities failed the check in region EU-WEST-1: [email protected] (in reply to end of DATA command))

This does not happen with all original senders. But it also does not happen (with the same senders at least) using email relay services other than Amazon SES.
However Amazon SES offers the best pricing/lack of limitation combination for my needs.

Do you have any idea how I could troubleshoot that?

Amazon says This error could apply to the "From", "Source", "Sender", or "Return-Path" address.
However I am struggling to check what was actually sent to the SES relay server.
I could contact Amazon support.
But I guess I would need to check first what was sent to their relay server and that it complies with what their documentation says in order for them to look into a possible issue on their side.

@NagaseYami

I have exactly the same issue as well, except for the sender being different.
Also using Amazon SES.

buxm commented Mar 17, 2024

The new Addy.io version (1.0.9) allows you to download the message in failed deliveries.
This enabled me to analyse the message and see that it contained a Sender: header containing the original sender email address.
According to this Amazon SES documentation page, it looks like SES checks the From, Source, Sender and Return-Path headers for verified identities.
In this case the Sender header containing the original email address clearly cannot be a verified identity, hence the rejection.
Apparently Amazon SES is therefore not 100% compatible with Addy.io, unless either Amazon SES enables the user to configure which headers to check for verified identities (which it doesn't seem to do right now), or Addy.io enables the user to strip off headers such as Sender from forwarded emails.

buxm commented Mar 17, 2024

I found this page that helped me solve the issue.
Essentially what I did was:

  1. add the following line to /etc/postfix/header_checks:
     /^Sender:/      IGNORE
  2. add the following lines to /etc/postfix/main.cf:
     mime_header_checks = regexp:/etc/postfix/header_checks
     header_checks = regexp:/etc/postfix/header_checks
  3. run the following commands:
     postmap /etc/postfix/header_checks
     postfix reload

This sorted my issue.
It would be handier if there were options to strip off headers in the Addy.io web app. Or if there were variables to do so in anonaddy/docker.
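
The check and the fix discussed in the two comments above, as an added example that is not part of the original thread or of Addy.io: it lists which identity headers of a downloaded failed-delivery message fall outside the verified domains, then approximates the `/^Sender:/ IGNORE` rule and checks again. The function names, the sample message and the `alias.example` / `shop.example` domains are hypothetical, and matching on exact domain is an assumption.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Of the addresses the thread lists, these are the ones carried as headers.
IDENTITY_HEADERS = ("From", "Sender", "Return-Path")

def unverified_identities(raw, verified_domains):
    """Return (header, address) pairs whose domain is not a verified identity."""
    msg = message_from_string(raw)
    verified = {d.lower() for d in verified_domains}
    hits = []
    for header in IDENTITY_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr and addr.rpartition("@")[2].lower() not in verified:
                hits.append((header, addr))
    return hits

def strip_ignored(raw, pattern=r"^Sender:"):
    """Approximate a header_checks IGNORE rule: drop matching header lines."""
    msg = message_from_string(raw)
    rx = re.compile(pattern, re.IGNORECASE)  # Postfix regexp tables ignore case by default
    kept = [(k, v) for k, v in msg.items() if not rx.search(f"{k}: {v}")]
    for name in set(msg.keys()):
        del msg[name]
    for k, v in kept:
        msg[k] = v
    return msg.as_string()

# Constructed sample of a forwarded message; all addresses are placeholders.
SAMPLE = """\
Return-Path: <bounces@alias.example>
From: "Shop via alias" <shop+news=shop.example@alias.example>
Sender: newsletter@shop.example
To: me@mailbox.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print("before:", unverified_identities(SAMPLE, {"alias.example"}))
    print("after: ", unverified_identities(strip_ignored(SAMPLE), {"alias.example"}))
```
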

@Bart1909

Thanks for the solution @buxm - I've added this manually to my postfix configuration inside the docker container. Hopefully this will prevent the issue.
