Sending Emails from an Ubuntu VM on Oracle Cloud (OCI)
Sending Emails from an Ubuntu VM on Oracle Cloud (OCI)
A complete setup, troubleshooting, and email‑auth guide (with diagrams)
Sending emails from a cloud VM sounds trivial — until you try it on Oracle Cloud Infrastructure (OCI).
If you’ve ever seen emails bounce with 535 Authentication required, or worse, show status=sent but never arrive, this guide is for you.
In this post, we’ll cover:
- Why OCI blocks direct SMTP
- How OCI Email Delivery really works
- A correct Postfix + OCI setup (copy‑paste ready)
- Visual diagrams of the mail flow
- Common errors and how to debug them
- How to fix sender issues permanently
- SPF, DKIM, and DMARC (and why they matter)
1. The OCI SMTP Reality (Read This First)
OCI blocks direct outbound SMTP from compute instances:
- ❌ Port 25 is always blocked
- ❌ Running Postfix alone won’t work
Instead, OCI provides Email Delivery, a managed SMTP relay.
High‑level flow
1
2
3
4
+-------------+ +---------------------+ +-------------+
| Ubuntu VM | -----> | OCI Email Delivery | -----> | Recipient |
| (Postfix) | 587 | (SMTP Relay) | | (Gmail, etc) |
+-------------+ +---------------------+ +-------------+
Your VM authenticates to OCI, and OCI sends the email on your behalf.
2. Create OCI Email Delivery SMTP Credentials
In the OCI Console:
1
Email Delivery → SMTP Credentials → Create SMTP Credential
You’ll get:
- SMTP username
- SMTP password
Regional SMTP endpoint, e.g.
1
smtp.email.uk-london-1.oci.oraclecloud.com
⚠️ These credentials are not your OCI user password.
3. Install Postfix on Ubuntu
1
2
sudo apt update
sudo apt install postfix mailutils libsasl2-modules -y
During setup:
- Select Internet Site
- System mail name: anything (we’ll fix sender later)
4. Configure Postfix to Use OCI SMTP
Edit Postfix config:
1
sudo nano /etc/postfix/main.cf
Add or verify:
1
2
3
4
5
6
7
8
9
relayhost = [smtp.email.uk-london-1.oci.oraclecloud.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
5. Configure SMTP Credentials
Create credential file:
1
sudo nano /etc/postfix/sasl_passwd
⚠️ The hostname must match relayhost exactly:
1
[smtp.email.uk-london-1.oci.oraclecloud.com]:587 SMTP_USERNAME:SMTP_PASSWORD
Apply and secure:
1
2
3
sudo chmod 600 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo systemctl restart postfix
6. Test Email Sending
1
echo "Hello from OCI" | mail -s "OCI Test" your@gmail.com
Check logs:
1
sudo tail -f /var/log/mail.log
7. Understanding the Mail Flow (Diagram)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
[Local App / cron]
|
v
+-----------------+
| Postfix (VM) |
| - Rewrites From |
| - Authenticates |
+-----------------+
|
v (SMTP 587 + SASL + TLS)
+---------------------------+
| OCI Email Delivery |
| - Checks approved sender |
| - Applies DKIM |
+---------------------------+
|
v
[Internet Mail Servers]
If any step fails, mail is bounced or silently suppressed.
8. Common Error #1: 535 Authentication required
Log output
1
2
status=bounced
535 Authentication required
Causes
sasl_passwdkey mismatch- Forgot
postmap - Wrong SMTP credentials
- Missing
libsasl2-modules
Debug command (golden command)
1
sudo postmap -q "[smtp.email.uk-london-1.oci.oraclecloud.com]:587" /etc/postfix/sasl_passwd
If this returns nothing → Postfix can’t see your credentials.
9. Common Error #2: status=sent but Email Never Arrives
Why this happens
OCI requires approved sender addresses.
If Postfix sends mail as:
1
ubuntu@dev.internal.oraclevcn.com
OCI may accept SMTP but drop delivery silently.
10. Fix: Set a Default Approved Sender
Step 1: Approve sender in OCI
1
Email Delivery → Approved Senders
Example:
1
no-reply@yourdomain.com
Step 2: Rewrite sender in Postfix
Create generic map:
1
sudo nano /etc/postfix/generic
1
2
ubuntu@dev.internal.oraclevcn.com no-reply@yourdomain.com
ubuntu@dev no-reply@yourdomain.com
Enable it:
1
sudo nano /etc/postfix/main.cf
1
smtp_generic_maps = hash:/etc/postfix/generic
Apply:
1
2
sudo postmap /etc/postfix/generic
sudo systemctl restart postfix
11. SPF, DKIM, and DMARC (Deliverability Essentials)
Without these, your emails will land in spam or be rejected.
SPF (Sender Policy Framework)
Tells receivers who is allowed to send for your domain.
Add this TXT record to your DNS:
1
v=spf1 include:spf.email.uk-london-1.oci.oraclecloud.com ~all
Diagram:
1
Receiver → DNS → "Is OCI allowed to send for this domain?"
DKIM (DomainKeys Identified Mail)
OCI signs outgoing emails with a cryptographic signature.
Steps:
- Enable DKIM in OCI Email Delivery
- Add the provided CNAME records to DNS
Diagram:
1
Email → Signed by OCI → Receiver verifies DKIM via DNS
DMARC (Policy & Reporting)
Tells receivers what to do if SPF/DKIM fails.
Start with monitoring mode:
1
v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Later, tighten it:
1
2
p=quarantine
p=reject
Diagram:
1
2
3
SPF/DKIM fail?
|
+--> Follow DMARC policy
12. Troubleshooting Checklist
- Check logs:
sudo tail -f /var/log/mail.log - Verify Postfix config:
postconf -n Check SMTP connectivity:
1
nc -vz smtp.email.uk-london-1.oci.oraclecloud.com 587Check OCI suppression list:
1
Email Delivery → Suppressions
Final Thoughts
OCI Email Delivery is reliable and production‑grade, but the setup has sharp edges:
- Authentication must be exact
- Sender must be approved
- DNS auth (SPF/DKIM/DMARC) is non‑optional
Once configured properly, it works beautifully for:
- System alerts
- Cron jobs
- Application notifications
If this post saved you time, feel free to share it — and happy emailing 🚀