Sometime you need just to allow system tools (i.e. cron) to send mail to the hostmaster. Setting up (and maintaining) a smtp server like sendmail, Postfix or Exim is too much. What you need is nullmailer, a sendmail/qmail/etc replacement MTA for hosts which relay to a fixed set of smart relays.

Here are some notes about how to setup nullmailer to use Amazon SES (Simple Email Service). This guide applies to Ubuntu boxes, but you can easily adapt it to other Linux flavors.

WARNING: this article refers to nullmailer BEFORE version 1.11 such as installed in UBUNTU 10.04 and 12.04.
Infact old versions of nullmailer do not support ssl, that's mandatory for SES. If you are running nullmailer 1.11 or later this article is useless because you can simply install nullmailer (i.e.sudo apt-get install nullmailer) and then put the string
<your_amazon_ses_smtp_host> smtp --ssl --port=465 --user=YOURAMAZON_SES_USENAME --pass=YOUR_AMAZON_SES_PASSWORDinto /etc/nullmaile/remotes file.

I assume that you already know how to setup an Amazon Simple Email Service account and how to test it in the sandbox . This means that you have signed the service, verified and tested at least a couple of e-mail address using Amazon Management Console facility. If this is not your case, please refer to this guide.

To begin, you will need to set up a secure tunnel using stunnel package. In the following procedure, we use port 2525 as your stunnel port. If you are using a different port, modify the settings that you actually use accordingly.

First install stunnel package.

sudo apt-get install stunnel

Edit /etc/default/stunnel4, change ENABLED=0 to ENABLED=1

Edit /etc/stunnel/stunnel.conf as shown in the example below:

sslVersion = SSLv3
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
pid = /
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
accept =
connect =

Start up stunnel

sudo /etc/init.d/stunnel4 start

Verify that the Amazon smtp tunnel is listening on the local server.

netstat -an | grep -iw LISTEN
tcp localhost:2525* LISTEN

Now install and configure nullmailer package

sudo apt-get -y install nullmailer

Edit /etc/nullmailer/adminaddr . It should contain just a line with your verified Amazon SES address. This address will be used to dispatch to an external address,  mails adressed to local user (i.e. root@localhost): nullmailer ignores /etc/aliases.

Edit /etc/nullmailer/remotes and replace all with the following line, replacing USERNAME and PASSWORD with your SES SMTP user name and password:

localhost smtp --port=2525 --user=USERNAME --pass=PASSWORD

Now test the configuration:

sendmail -f "senderverifiedaddress" -F "YOUR FULL NAME" destinationfiedaddress
From: senderverifiedaddress
To: destinationfiedaddress
Body ot the message..

Remember always to include To: destination in the header of the message because the sendmail emulation (installed by nullmailer), when the message has no To or Cc fields, appends to the message header the field: Cc: recipient list not shown: ; this seams hurting Amazon SES smtp interface (smtp: Failed: 554 Transaction failed: User name is missing: 'recipient list not shown: ;').

Remember that, according with SES rules, the sender must be a verified address. The destination could be unverified only if production access is enabled for your SES account.

You can set the nullmailer "From" address via environment variables .

Usually you can set environment variables in the crontab.

5 0 * * * /usr/local/bin/

Check for errors in /var/logs/mail.* syslog files. For debuging purpose,  you can also edit messages in /var/spool/nullmailer/queue.

Note that nullmailer, by default, try to send queued message every 60 sec. You can increase it to 15 minutes typing:

echo "900" > /etc/nullmailer/pausetime

#  Paul K Moore  note:


Thanks for the taking the time to write this up, it was very helpful. 

A minor tweak I made to your configuration was to have stunnel listen on the loopback address, rather than 'all' addresses, as follows:

accept =

That at least keeps the tunnels away from any external connectivity.

As an aside, the adminaddr is where all 'local' mail is sent. This means that if you set the FQDN to, all local addresses and any destination in that domain will be routed to the adminaddr. This may / may not be what you want.

For example, forwarding root (local) to adminaddr is useful, forwarding Questo indirizzo email è protetto dagli spambots. È necessario abilitare JavaScript per vederlo. to adminaddr is less so. Just one to watch out for.

@panticz also has some interesting pre-configuration steps here ( which I found useful.

Thanks again for posting