|« PreviousNext »|
|Did this page help you? Yes | No | Tell us about it...|
The Amazon SES SMTP endpoint (email-smtp.us-east-1.amazonaws.com) requires that all connections be encrypted using Transport Layer Security (TLS).
TLS is often referred to by the name of its predecessor protocol, SSL.
Amazon SES supports two mechanisms for establishing an encrypted connection: STARTTLS and TLS Wrapper. Check the documentation for your software to determine whether it supports STARTTLS, TLS Wrapper, or both.
If your software does not support STARTTLS or TLS Wrapper, you can use the open source stunnel program to set up an encrypted connection (called a "secure tunnel"), then use the secure tunnel to connect to the Amazon SES SMTP endpoint.
Elastic Compute Cloud (EC2) throttles email traffic over port 25 by default. To avoid timeouts when sending email through the SMTP endpoint from EC2, use a different port (587 or 2587) or fill out a Request to Remove Email Sending Limitations to remove the throttle.
STARTTLS is a means of upgrading an unencrypted connection to an encrypted connection. There are versions of STARTTLS for a variety of protocols; the SMTP version is defined in RFC 3207.
To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally.
TLS Wrapper (also known as SMTPS or the Handshake Protocol) is a means of initiating an encrypted connection without first establishing an unencrypted connection. With TLS Wrapper, the Amazon SES SMTP endpoint does not perform TLS negotiation: it is the client's responsibility to connect to the endpoint using TLS, and to continue using TLS for the entire conversation. TLS Wrapper is an older protocol, but many clients still support it.
To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.
If your software does not support STARTTLS or TLS Wrapper, you can set up a secure tunnel to allow your software to communicate with the Amazon SES SMTP endpoint. As this option is most commonly used by mail server administrators, details are given under Integrating Amazon SES with Your Existing Email Server.