AWS - SES Not send e-mail - SUBNET - amazon-web-services

I currently have a backend running in a container (ECS), this backend has a SES service for sending e-mail (user password recovery).
I implemented this same scenario using SUBNET for my backend, but sending e-mail is no longer working.
In both my old scenario (without using a subnet) and localhost, sending the email works perfectly.
I did a ping test from the container and got a timeout answer:

In this case it looks like you have the wrong address, you have
email-smtp.us-east-1.amazonaws.com (email-smtp) defined on your endpoint, and
email.us-east-1.amazonaws.com (email) in your ping.
Remember that a Ping may not respond if ICMP is not allowed through.
For a wider answer to this question, you have 2 options:
Make sure that you have an Internet Gateway configured correctly on your Subnet, and that the security group added to your ECS host allows outgoing traffic to port 25 (this is throttled by AWS), 587 or 2587, depending on what you are using to talk to SES: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html
Create an SES VPC Endpoint on your subnet, then direct all of your SES requests to this new endpoint/IP Address: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-set-up-vpc-endpoints.html
If any of these are not working, check:
You are not in SES Sandbox mode (raise a support request)
You are not being throttled on port 25 from your host (use port 587 or raise a support request)
You can connect to the internet from your EC2/ECS instance
Port 587 is enabled on your security group
The URL Address is correct (email-smtp.us-east-1.amazonaws.com)
The IAM Role on your EC2/ECS Host (or IAM User) is enabled for SES Sending.
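An added diagnostic, not part of the answer above, that runs the parts of this checklist you can verify from inside the ECS task or host: it derives the email-smtp hostname for a region, flags the email.<region> API hostname the question pinged by mistake, and tests TCP reachability on the SMTP ports instead of relying on ICMP. The region and ports are assumptions; invoke it with a region argument.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the original answer). Run from the ECS task / EC2 host
# whose egress you are debugging, e.g.:  ./ses_diag.sh us-east-1

# Build the SES SMTP hostname for a region (the "email-smtp." form the answer names).
ses_smtp_host() { printf 'email-smtp.%s.amazonaws.com\n' "$1"; }

# Return 0 for an SES SMTP endpoint, 1 for the SES API endpoint (email.<region>...)
# that the question pinged instead of the SMTP one, 2 for anything else.
classify_ses_host() {
  case "$1" in
    email-smtp.*.amazonaws.com) return 0 ;;
    email.*.amazonaws.com)      return 1 ;;
    *)                          return 2 ;;
  esac
}

# TCP reachability with a timeout. Unlike ICMP ping (which the answer notes may be
# filtered), a refused or timed-out TCP connect points at the real problem.
tcp_check() {
  host=$1; port=$2
  if timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null; then
    echo "open    $host:$port"
  else
    echo "BLOCKED $host:$port (security group / NACL / no IGW or NAT; for 25, EC2 throttling)"
  fi
}

ses_diag() {
  region=$1
  host=$(ses_smtp_host "$region")
  rc=0; classify_ses_host "$host" || rc=$?
  [ "$rc" -eq 0 ] || echo "warning: $host is not an SES SMTP hostname"
  echo "DNS: $(getent hosts "$host" || echo "no A record for $host")"
  for port in 25 587 2587 465 2465; do tcp_check "$host" "$port"; done
}

# Only runs when a region is passed, so the functions can be sourced on their own.
if [ "$#" -gt 0 ]; then ses_diag "$@"; fi
```

If every port reports BLOCKED while DNS resolves, the subnet's route to an Internet Gateway, NAT or SES VPC endpoint is the first thing to check; if only 25 is blocked, use 587 as the answer suggests.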

Related

Application Loadbalancer authenticate with Cognito Internal 500 Error

I have an AWS Cognito User Pool configured to talk to a SAML IDP and thats working fine, the SAML Assertion from the IDP to
https://XXXX.auth.eu-west-1.amazoncognito.com/saml2/idpresponse
works fine.
A request is then made to target group such as
https://xxxxxx:443/oauth2/idpresponse?code=2f6aab53-ad64....&state=.....
which is based on the settings in Cognito's App Client Settings (via the call back URL), and I am getting an internal server error.
HTTP/2.0 500 Internal Server Error
server: awselb/2.0
I have traced the logs and extracted the salient elements:
ELB Status Code: 500
Actions Executed: Authenticate
Lambda Reason Error AuthTokenEpRequestTimeout
I am guessing that the Cognito ALB authenticate process uses Lambda as part of its internal process maybe to build the X-AMZN-OIDC* headers before forwarding to the Target Group.
Our application is not using Lambda, and the Cognito Client App has no triggers enabled (i.e., where you can customize the workflow); we have no customization on the workflow process.
So there seems to be some internal error during the authentication process; I can't see where this timeout AuthTokenEpRequestTimeout could be fixed.
Anyone have ideas why this issue might happen or pointers to help resolve?
I just want to clarify a little about the AWS:
Load Balancer is internet facing.
We allow internet traffic on port 443 and port 80.
We have no outbound restrictions.
We can see that the SAML assertion is working fine.
In my case the issue related to the outbound rules on the Application Load Balancer. I had to ensure that port 443 was allowed in outbound mode.
Verify that the security groups for your load balancer and the network ACLs for your VPC allow outbound access to these endpoints. Verify that your VPC has internet access. If you have an internal-facing load balancer, use a NAT gateway to enable internet access.

How to send email to AWS SES from GCP vm instance

I have a requirement where GCP VM instance which is behind a squid proxy and NAT gateway should be able to send emails to AWS SES.
SES: email-smtp.eu-west-1.amazonaws.com
As far as I know, GCP has port 25 blocked, and after referring to a few articles on Stack Overflow, it seems Squid does not support SMTP either.
Can someone please help if they have worked on a similar thing before?
Thanks
Max
Use port 587. As per AWS SES and GCP documentation port 587 is without any restriction.
Option 1, AWS SES HTTP API:
If the email sending application could support sending emails via AWS SES with the use of their HTTP API instead of the SMTP protocol, you could allow that regional HTTPS endpoint in the outbound firewall (Squid in your case.)
The advantages of this approach address your concerns on bypassing the proxy by going through Cloud NAT directly, and maintaining restrictions on traffic originating from the source subnet.
Option 2, AWS SES SMTP over TLS:
Configure the application to connect with AWS SES SMTP endpoints on port 465 or 2465 while using TLS. This is also called SMTPS (where the trailing S stands for SSL/TLS, just like in HTTPS.) This is documented under TLS Wrapper in AWS' documentation.
Since Squid is primarily a proxy for HTTP, you will be better off replacing it with an outbound firewall that supports filtering traffic by FQDNs for SSL/TLS connections wrapping any protocol within (in this case, SMTP wrapped in TLS). These are typically called NGFW and are available from the GCP marketplace on a free trial. One advantage of using these is that the applications don't need explicit proxy settings for connecting to the Internet, as the operation is completely transparent.
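As an added example (not from the answer above), a probe that performs the handshake in the TLS-wrapper (SMTPS) mode on 465/2465 and the STARTTLS mode on 25/587/2587 with openssl s_client, so you can see which mode your egress path permits and whether the SES certificate verifies end to end. The hostname is the one from the question; the ports follow the SES documentation the answer cites.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer). Usage from the GCP VM:
#   ./ses_tls_probe.sh email-smtp.eu-west-1.amazonaws.com 465

# SES offers STARTTLS on 25/587/2587 and a TLS wrapper (SMTPS) on 465/2465.
tls_mode_for_port() {
  case "$1" in
    465|2465)    echo wrapper ;;
    25|587|2587) echo starttls ;;
    *)           echo unknown; return 1 ;;
  esac
}

# Run the handshake and report whether the server certificate verified against the
# system trust store. A verify failure on a path that is "open" usually means a
# TLS-intercepting proxy or NGFW is re-signing the connection.
ses_tls_probe() {
  host=$1; port=$2
  mode=$(tls_mode_for_port "$port") || { echo "unsupported port $port"; return 1; }
  extra=""
  [ "$mode" = starttls ] && extra="-starttls smtp"
  # Optional: to test through an HTTP proxy, add "-proxy squid-host:3128" below.
  # Note that Squid's stock config only allows CONNECT to port 443 (acl SSL_ports),
  # which is why SMTPS through an unmodified Squid normally fails.
  # shellcheck disable=SC2086
  out=$(echo QUIT | timeout 10 openssl s_client -connect "$host:$port" $extra 2>&1 || true)
  if printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo "OK      $host:$port ($mode) certificate verified"
  else
    echo "FAILED  $host:$port ($mode)"
    printf '%s\n' "$out" | grep -E 'Verify return code|connect:|errno|refused' | head -3
  fi
}

if [ "$#" -eq 2 ]; then ses_tls_probe "$@"; fi
```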

"A statement of the security measures and mechanisms you will be implementing" AWS (Unblock port 25)

I tried to unblock port 25 on my ec2 instance so I could send emails and I was asked to provide this:
A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (Spam)
What does this mean, like what is an example of those security measures? I have no idea what I'm supposed to respond to with that. All I plan on doing is sending emails to verify email accounts and change passwords for user accounts on my website.
AWS actually restricts access to this port for security reasons. The suggestion is to try using another port if you can (for example, SES works over port 587 as well).
You can, however, request that this restriction be removed; to do this you will need to follow these steps:
First, create a corresponding DNS A record:
If you're using Amazon Route 53 as your DNS service, either create a new resource record set that includes an A record, or update your existing resource record set to include a new A record.
If you're using a service other than Amazon Route 53, ask your DNS provider to create an A record for you.
Then, request AWS to remove the port 25 restriction on your instance:
Sign in with your AWS account, and open the Request to Remove Email Sending Limitations form.
In the Use Case Description field, provide a description of your use case.
(Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound emails as well as any reverse DNS records that AWS needs to associate with the Elastic IP addresses. With this information, AWS can reduce the occurrences of emails sent from the Elastic IP addresses being marked as spam.
Choose Submit.

Connect Classic ELB to EC2 Tomcat with Client Authentication

How to connect an ELB HTTPS to an EC2 HTTPS Tomcat
Setup:
Classic ELB:
SSL CA Signed Certificate
EC2 Tomcat:
Keystore - Self Signed
Trust Store - Imported a certificate from
Salesforce
Client Auth = True
Additional Notes:
It is working if clientAuth='false'
Infrastructure Overview:
Salesforce -> SSL ELB -> SSL EC2
As the SSL certificate is deployed on the ELB, it will terminate the connection with the client on the ELB, decrypt the requests and then send them to the backend instances. That's why the request works with clientAuth = false.
If you just need authentication per Salesforce certificate (depends on your security policies), set security groups such that traffic is allowed on the ELB only on port 443 and clientAuth = false, as the ELB has already made sure that the connection with the client is encrypted.
In case, you need additional security, you can follow the instructions here to setup authentication with back-end instances as well.
Hope it helps.
I got this working by using TCP in both the Health check and the listener.

How do I use Gmail SMTP with port 587 on AWS EC2?

I have used Gmail SMTP service with port 587 on the local server and it's working fine.
But it's not working on an AWS EC2 instance. So I added SMTP rules to the EC2 instance security group inbound rules (see below image), but the SMTP port cannot be edited.
Now the issue is that my domain does not have secure connections configured. Gmail does not offer port 25 on an unsecured connection.
So, is there any way to use SMTP on an unsecured connection with port 25, or any other way?
I have fixed the issue as of now for a development server. Please note it's not the correct way for a production site.
For sending an email from AWS EC2 using Gmail SMTP service please follow below steps.
Edit security group of your EC2 Instance.
Edit inbound rules of the security group.
Add 587 port in inbound rules. See below image.
You need to set your instance inbound rules for incoming mail and outbound for sending.
After that, you can send email using 587 SMTP port from AWS EC2.
Please read this article. https://support.google.com/accounts/answer/6010255?hl=en
https://myaccount.google.com/lesssecureapps
Because of the spam abuse that has historically been sent from people using EC2 instances, virtually ALL popular mail providers block the receipt of email from EC2 instances. The world of email and anti-spam measures is part-technical, part-political. For this reason, AWS offers Amazon Simple Email Service.
Step to fix it-
Go to google account setting and Turn on Two-step verification.
Now generate an app password for the app you want to send mail.
Use the generated password for the app in SMTP with the same Email.
That's it.
To send email from C# hosted on Amazon EC2, make sure you have two things done.
Use following setting in your Web.config
<mailSettings>
  <smtp deliveryMethod="Network" from="<from email goes here>">
    <!-- Gmail SMTP with STARTTLS on 587; the password attribute was missing its closing quote -->
    <network host="smtp.gmail.com" port="587" enableSsl="true" userName="email id goes here" password="<password goes here>" />
  </smtp>
</mailSettings>
Log in to the above Gmail account from the Amazon EC2 instance. If you do not log in, then Gmail blocks the email being sent from code for security reasons.
According to Google's documentation, you can use the G Suite SMTP relay service through port 25. You can read more information here:
https://support.google.com/a/answer/176600?hl=en
and here:
https://support.google.com/a/answer/2956491
Hope this helps!