Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Setting Up a Secure Tunnel to Connect to Amazon SES

The Amazon SES SMTP endpoint requires that all connections be encrypted using Transport Layer Security (TLS). If you want to use TLS Wrapper to connect to the Amazon SES SMTP endpoint, but your MTA does not support TLS Wrapper, you can set up a "secure tunnel" to provide TLS Wrapper support. One way to do this is by using the open source stunnel program. Note that stunnel is intended to be used for port 465, the SSL port, only.


Some MTAs have native support for TLS Wrapper, while others do not. Check the documentation for your mail server to determine whether it supports TLS Wrapper. If it supports TLS Wrapper, then you do not need to set up a secure tunnel.

These instructions were tested on a 64-bit Amazon EC2 instance using the following Amazon Machine Image (AMI), which is based on Red Hat:

  • Amazon Linux AMI 2014.09.2 (HVM) (ami-146e2a7c).

To launch an Amazon EC2 instance, which includes selecting an AMI, see Amazon Machine Images (AMIs).

To set up a secure tunnel to the Amazon SES US West (Oregon) endpoint using stunnel

  1. Download and install the stunnel software. For information, go to

  2. If you are using Ubuntu Linux, stunnel may require a certificate. To generate the certificate, go to the /etc/stunnel directory and at a command prompt, type the following:

    sudo openssl req -new -out mail.pem -keyout mail.pem -nodes -x509 -days 365
  3. Open or create a file called /etc/stunnel/stunnel.conf.

  4. To configure the secure tunnel, add the following lines to stunnel.conf. For the accept line, specify a port number that is outside the range of reserved ports and is not currently being used. For this example, we will use port 2525 for this purpose.

    These instructions assume that you want to use Amazon SES in the US West (Oregon) AWS region. If you want to use a different region, replace the instance of in these instructions with the SMTP endpoint of the desired region. For a list of SMTP endpoints, see Regions and Amazon SES.


    Be sure to include delay = yes, which delays the DNS look-up until it is needed. Otherwise, the stunnel connection may fail.

    [smtp-tls-wrapper] accept = 2525 client = yes connect = delay = yes
  5. If you are using stunnel version 4.36 or lower, add this additional line to stunnel.conf:

    sslVersion = TLSv1
  6. If you are using Ubuntu Linux, add this additional line to stunnel.conf:

    cert = /etc/stunnel/mail.pem
  7. Save stunnel.conf.

  8. At a command prompt, issue the following command to start stunnel:

    sudo stunnel /etc/stunnel/stunnel.conf

  9. At a command prompt, type the following command to verify that the tunnel has been created. We are using port 2525 for this example; if you have specified a different port number, modify the command accordingly.

    telnet localhost 2525