Sunday, 30 November 2008

Relay mail via Google SMTP or AuthSMTP with Postfix


A well-known problem with EC2 instances is sending mail reliably: the dynamic IP addresses of cloud hosts make them suspect to most spam countermeasures. The common workaround is to relay every outgoing message through an external SMTP server.

A natural choice is to use Google Apps for your domain and take advantage of their service, which is free up to 2000 messages per day and comes with all the Gmail goodies.
Jules Szemere has a good post (1) about how to do that with Postfix (note for Ubuntu users: the CA.sh script is in /usr/lib/ssl/misc).

Unfortunately, in my experience (and not only mine), messages from Google servers are also sometimes classified as spam. Perhaps switching to the premium edition would solve that; anyway, I followed the recommendation (2) from Paul Dowman (author of EC2 on Rails) and I'm using AuthSMTP. The minimum fee is lower than that of the Google Apps premium edition (though the cost per message is not) and it's actually reliable.

What I miss most with AuthSMTP is a copy of the message in the sent mail folder; I could always add a BCC field, but that wastes the service quota.
The ideal solution is to use Google for safe addresses that are unlikely to drop the message (especially those in BCC) and AuthSMTP otherwise. In practice we have to combine the configurations in (1) and (2) in a smart way. So, thanks to the suggestions of my trusty system administrator, in /etc/postfix/main.cf:

# route by recipient domain (see the transport table below)
transport_maps = hash:/etc/postfix/transport

# auth: one SASL username:password per relay host
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# tls: per-relay TLS policy and the client certificate presented to the relay
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_note_starttls_offer = yes
tls_random_source = dev:/dev/urandom
smtp_tls_scert_verifydepth = 5
smtp_tls_key_file = /etc/postfix/certs/postfixclient.key
smtp_tls_cert_file = /etc/postfix/certs/postfixclient.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_req_ccert = no
smtp_tls_enforce_peername = no

The maps referenced above then need to be created. transport_maps defines which relay server to use depending on the destination domain (the wildcard entry catches everything else):

gmail.com   :[smtp.gmail.com]:587
yahoo.com   :[smtp.gmail.com]:587
*           :[mail.authsmtp.com]

while smtp_tls_policy_maps defines the TLS policy to use with each relay server:

[mail.authsmtp.com]             none
[smtp.gmail.com]:587            may

Note what those two policy levels mean: none disables TLS to mail.authsmtp.com entirely, so the SASL credentials below travel in cleartext, while may is opportunistic (TLS only if the server offers STARTTLS, and without verifying its certificate). Postfix also accepts encrypt, verify and secure for destinations where a stronger guarantee is wanted.

Finally, in smtp_sasl_password_maps we specify both the Google and AuthSMTP credentials. All three files are compiled with postmap (e.g. postmap /etc/postfix/sasl_passwd), and sasl_passwd should be readable by root only, since it holds cleartext passwords:

gmail-smtp.l.google.com username@yourdomain.com:password
smtp.gmail.com username@yourdomain.com:password
mail.authsmtp.com username:password
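As an added check (example code written for this post, not part of the original), the script below parses the three tables above, constructed inline with placeholder credentials, and reports every relay destination that lacks a policy or credentials entry, or that would hand its SASL credentials to the relay under a policy weaker than encrypt:

```python
import re

# Constructed sample tables laid out like the post's (placeholder credentials).
TRANSPORT = """\
gmail.com   :[smtp.gmail.com]:587
yahoo.com   :[smtp.gmail.com]:587
*           :[mail.authsmtp.com]
"""
TLS_POLICY = """\
[mail.authsmtp.com]             none
[smtp.gmail.com]:587            may
"""
SASL_PASSWD = """\
smtp.gmail.com username@yourdomain.com:password
mail.authsmtp.com username:password
"""

# next-hop forms accepted: [host], [host]:port, host, host:port
NEXTHOP_RE = re.compile(r"^\[?([^\]:]+)\]?(?::(\d+))?$")


def parse_map(text):
    """Parse the source of a hash: table into {key: value}; skip blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def lint_relays(transport, tls_policy, sasl_passwd):
    """One finding per relay next-hop lacking a policy or credentials, or authenticating weakly."""
    policies, creds = parse_map(tls_policy), parse_map(sasl_passwd)
    # transport values are "transport:nexthop"; only the next-hop part matters here
    nexthops = {v.partition(":")[2] for v in parse_map(transport).values()}
    findings = []
    for nexthop in sorted(n for n in nexthops if n):
        host = NEXTHOP_RE.match(nexthop).group(1)
        policy = policies.get(nexthop)
        # credentials: next-hop key as written, then bare hostname (Postfix falls back to
        # the server's hostname; the configured name stands in for it in this check)
        has_creds = nexthop in creds or host in creds
        if policy is None:
            findings.append(f"{nexthop}: no smtp_tls_policy_maps entry, global default applies")
        if not has_creds:
            findings.append(f"{nexthop}: no smtp_sasl_password_maps entry, AUTH will not be attempted")
        elif policy == "none":
            findings.append(f"{nexthop}: SASL credentials sent without TLS (policy none)")
        elif policy == "may":
            findings.append(f"{nexthop}: opportunistic TLS, server certificate not verified (policy may)")
    return findings
```

Raising the two policies to encrypt (or secure, once CA verification is configured) clears both findings.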
Posted by Nicola Piccinini at 5:19 PM CET in devel/