Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Connecting to the Amazon SES SMTP Endpoint

The following table shows the Amazon SES SMTP endpoints for the regions in which Amazon SES is available.

Region name                    Region      SMTP endpoint
-----------------------------  ----------  ----------------------------------
US East (N. Virginia) Region   us-east-1   email-smtp.us-east-1.amazonaws.com
US West (Oregon) Region        us-west-2   email-smtp.us-west-2.amazonaws.com
EU (Ireland)                   eu-west-1   email-smtp.eu-west-1.amazonaws.com

The Amazon SES SMTP endpoint requires that all connections be encrypted using Transport Layer Security (TLS). (Note that TLS is often referred to by the name of its predecessor protocol, SSL.) Amazon SES supports two mechanisms for establishing a TLS-encrypted connection: STARTTLS and TLS Wrapper. Check the documentation for your software to determine whether it supports STARTTLS, TLS Wrapper, or both.

If your software does not support STARTTLS or TLS Wrapper, you can use the open source stunnel program to set up an encrypted connection (called a "secure tunnel"), then use the secure tunnel to connect to the Amazon SES SMTP endpoint.

Important

Elastic Compute Cloud (EC2) throttles email traffic over port 25 by default. To avoid timeouts when sending email through the SMTP endpoint from EC2, use a different port (587 or 2587) or fill out a Request to Remove Email Sending Limitations to remove the throttle.

STARTTLS

STARTTLS is a means of upgrading an unencrypted connection to an encrypted connection. There are versions of STARTTLS for a variety of protocols; the SMTP version is defined in RFC 3207.

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally.

TLS Wrapper

TLS Wrapper (also known as SMTPS or the Handshake Protocol) is a means of initiating an encrypted connection without first establishing an unencrypted connection. With TLS Wrapper, the Amazon SES SMTP endpoint does not perform TLS negotiation: it is the client's responsibility to connect to the endpoint using TLS, and to continue using TLS for the entire conversation. TLS Wrapper is an older protocol, but many clients still support it.

To set up a TLS Wrapper connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 465 or 2465. The server presents its certificate, the client issues an EHLO command, and the SMTP session proceeds normally.
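
The STARTTLS and TLS Wrapper sequences described above, written with Python's standard smtplib as an added example (not code from this guide). It refuses to continue when the server's EHLO reply does not list STARTTLS, so the session never falls back to cleartext. The function names, mode labels, and sample EHLO replies are constructed for illustration.

```python
import smtplib
import ssl

# Port numbers come from the page; the mode labels are names chosen for this example.
STARTTLS_PORTS = {25, 587, 2587}
TLS_WRAPPER_PORTS = {465, 2465}

# Constructed EHLO replies in the form smtplib returns them (reply codes removed).
SAMPLE_EHLO_OK = b"email-smtp.example\n8BITMIME\nSTARTTLS\nAUTH PLAIN LOGIN\nOk"
SAMPLE_EHLO_STRIPPED = b"email-smtp.example\n8BITMIME\nAUTH PLAIN LOGIN\nOk"


def tls_mode_for_port(port):
    """Map a port to the connection mechanism the page assigns to it."""
    if port in STARTTLS_PORTS:
        return "starttls"
    if port in TLS_WRAPPER_PORTS:
        return "tls-wrapper"
    raise ValueError(f"port {port} is not listed for the SMTP endpoint")


def advertises_starttls(ehlo_msg):
    """True if the EHLO reply lists the STARTTLS extension keyword."""
    # Line 0 is the server greeting; each later line is one keyword plus parameters.
    lines = ehlo_msg.decode("ascii", "replace").splitlines()[1:]
    return any(line.strip().split(" ")[0].upper() == "STARTTLS" for line in lines)


def open_encrypted_session(host, port, timeout=10):
    """Return an smtplib session that is already encrypted, or raise."""
    ctx = ssl.create_default_context()  # checks the certificate chain and host name
    if tls_mode_for_port(port) == "tls-wrapper":
        # TLS Wrapper: the TLS handshake happens before any SMTP command is sent.
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        smtp.ehlo()
        return smtp
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    code, msg = smtp.ehlo()
    if code != 250 or not advertises_starttls(msg):
        # Without the extension the session would stay in cleartext, so stop here.
        smtp.close()
        raise RuntimeError("STARTTLS not offered; not continuing unencrypted")
    smtp.starttls(context=ctx)
    smtp.ehlo()  # repeat EHLO over the encrypted connection, as described above
    return smtp
```

Authenticate and send mail only on the session object this function returns; a raised error means no encrypted channel was established.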

Secure Tunnel

If your software does not support STARTTLS or TLS Wrapper, you can set up a secure tunnel to allow your software to communicate with the Amazon SES SMTP endpoint. As this option is most commonly used by mail server administrators, details are given under Integrating Amazon SES with Your Existing Email Server.