Ingress endpoints
An ingress endpoint is the key infrastructure component in Mail Manager that receives, routes, and manages your email by utilizing policies and rules you configure to determine which emails should be rejected, which ones should be allowed, and which ones should be acted upon.
Each ingress endpoint has its own traffic policy to determine which emails to block or allow, and its own rule set to perform actions on the email you do allow in; therefore, by creating multiple ingress endpoints, you can delegate each one to manage and route specific types of email. This level of granularity will help you to build an email management system that's tailored to your business needs.
Prerequisite workflow to create an ingress endpoint
At the time of creating your ingress endpoint, you must assign it a traffic policy and a rule set that have already been created. Therefore, the workflow for creating an ingress endpoint should be in the following order:
- Start by creating a traffic policy to determine the email you want to block or allow. For details, see Creating traffic policies and policy statements in the SES console.
- Next, create a rule set to perform actions on the email you allow in. For details, see Creating rule sets and rules in the SES console.
- Finally, create your ingress endpoint and assign to it the traffic policy and rule set you just created, or any others you previously created.
Once you create your ingress endpoint, you must configure it with the environment you're using to receive email, whether that is an on-premises SMTP client or the DNS hosting for your domain. This is discussed below in Configuring your environment to use an ingress endpoint.
Configuring your environment to use an ingress endpoint
Using the "A" record
At the time you create an ingress endpoint, an "A" record for the endpoint is generated and its value is displayed on the ingress endpoint's summary screen in the SES console. How you use the value of this record depends on the type of endpoint you created and your use case:
- Open endpoint – Mail sent to your domain resolves directly to your ingress endpoint; no authentication is required, so any host that can reach the endpoint can deliver to it and the traffic policy is the only control over what is accepted.
  - Copy the value of the "A" record either directly into the SMTP configuration of an on-premises SMTP client or into an MX record for your domain in your DNS configuration.
  - Supported port: 25
  - Supports STARTTLS: Yes
- Authenticated endpoint – Mail sent to your domain has to come from authorized senders with whom you've shared your SMTP credentials, such as your on-premises email servers.
  - Copy the value of the "A" record directly into the SMTP configuration of an on-premises SMTP client, along with your user name and password.
  - Supported ports: 25, 587 (RFC 2476)
  - Supports STARTTLS: Yes
If you're using an MX record in your configuration, keep in mind that while every DNS provider has different procedures and interfaces for configuring records, the key pieces of information you need to put into your DNS settings are listed in the following example.
All email sent to recipient@marketing.example.com will go to your ingress endpoint because you entered the ingress endpoint's "A" record as the value for an MX record in your domain's DNS settings:
- Domain – marketing.example.com
- MX record value – 890123abcdef.ghijk.mail-manager-smtp.amazonaws.com (This is the "A" record value copied from your ingress endpoint.)
- Priority – 10
Any other MX record on the same domain is an alternative delivery path: sending servers fall back to it when the lowest-priority host is unreachable, and mail that arrives that way never passes through the endpoint's traffic policy or rule set. When you cut over, remove or retarget the old MX records rather than leaving them at a higher priority value.
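The following check, an added example that is not part of the original page, verifies that a domain's MX records deliver only to the ingress endpoint. It parses the output of `dig +short MX` (one `<preference> <host>.` line per record) and reports any record whose target is not the endpoint's "A" record hostname, because that record is a path around the traffic policy and rule set. The sample `dig` output and the `legacy-mx.example.com` host are constructed for the example; `dig_lookup` performs a live query and needs network access and the `dig` CLI.

```python
import re
import subprocess
from typing import Callable

# Constructed sample: what `dig +short MX marketing.example.com` would print if the
# DNS settings in the example above were applied. Not a real query result.
SAMPLE_DIG_OUTPUT = "10 890123abcdef.ghijk.mail-manager-smtp.amazonaws.com.\n"

# Constructed sample of a domain that still has an old MX record beside the endpoint.
SAMPLE_WITH_BYPASS = (
    "10 890123abcdef.ghijk.mail-manager-smtp.amazonaws.com.\n"
    "20 legacy-mx.example.com.\n"
)


def parse_mx(dig_output: str) -> list[tuple[int, str]]:
    """Parse `dig +short MX` lines into (preference, host) pairs.

    Hosts are lower-cased and the trailing dot removed so they compare cleanly
    with the value copied from the console. Non-record lines (warnings,
    comments) are ignored.
    """
    records = []
    for line in dig_output.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+?)\.?\s*$", line)
        if m:
            records.append((int(m.group(1)), m.group(2).lower()))
    return sorted(records)


def dig_lookup(domain: str) -> str:
    """Live MX lookup via the `dig` CLI (requires network access and dig)."""
    result = subprocess.run(
        ["dig", "+short", "MX", domain], capture_output=True, text=True, check=True
    )
    return result.stdout


def check_mx(
    domain: str, endpoint_host: str, lookup: Callable[[str], str] = dig_lookup
) -> list[str]:
    """Return a list of findings; an empty list means every MX record for the
    domain delivers to the ingress endpoint."""
    endpoint_host = endpoint_host.lower().rstrip(".")
    records = parse_mx(lookup(domain))
    findings = []
    if not records:
        return [f"{domain}: no MX records found; mail will not reach {endpoint_host}"]
    if all(host != endpoint_host for _, host in records):
        findings.append(f"{domain}: no MX record points at {endpoint_host}")
    for pref, host in records:
        if host != endpoint_host:
            # Senders fall back to this host when the endpoint is unreachable, and
            # the traffic policy and rule set never see mail delivered to it.
            findings.append(
                f"{domain}: MX {pref} {host} bypasses the ingress endpoint"
            )
    return findings


if __name__ == "__main__":
    for finding in check_mx("marketing.example.com", SAMPLE_DIG_OUTPUT.split()[1]):
        print(finding)
```

Run it against a real domain by calling `check_mx("marketing.example.com", "<A record value>")` with the default live lookup; an empty result is the pass condition.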
Connecting to the authenticated endpoint
Authorized senders with whom you've shared your SMTP credentials connect to your authenticated endpoint by supplying the username and password as follows:
- Username – the ingress endpoint ID, encoded in Base64. (See the console procedure below to learn how to find the ingress endpoint ID.)
- Password – the password set during ingress endpoint creation, encoded in Base64.
Base64 is an encoding, not encryption: with AUTH LOGIN or AUTH PLAIN, anyone who can observe the connection can recover the password, so the client should negotiate STARTTLS before issuing AUTH. Standard SMTP clients and libraries perform the Base64 encoding for you; you only need to do it yourself when scripting the exchange by hand.
The following example shows a typical SMTP AUTH server and client exchange establishing a connection:
S: 250 AUTH LOGIN PLAIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: SW5ncmVzc1BvaW50
S: 334 UGFzc3dvcmQ6
C: SW5ncmVzc1Bhc3N3b3Jk
S: 235 Authentication successful
This example contains the following properties:
- S means "Server", the SMTP server accepting messages.
- C means "Client", the SMTP client establishing the connection with the server and sending messages to it.
- 250 AUTH LOGIN PLAIN is the server's response listing the supported AUTH methods, AUTH LOGIN or AUTH PLAIN. The sender can choose either and send SMTP commands compliant with the SMTP Service Extension for Authentication specification, RFC 2554 (since obsoleted by RFC 4954). AUTH LOGIN is used here.
- 334 VXNlcm5hbWU6 – Server prompting for the username; the payload is "Username:" in Base64.
- SW5ncmVzc1BvaW50 – Client responding with the ingress endpoint ID in Base64 (here the placeholder IngressPoint; a real client sends the inp-... ID).
- 334 UGFzc3dvcmQ6 – Server prompting for the password; the payload is "Password:" in Base64.
- SW5ncmVzc1Bhc3N3b3Jk – Client responding with the ingress endpoint password in Base64 (here the placeholder IngressPassword).
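The following Python client, an added example that is not part of the original page, performs the exchange above against an authenticated endpoint. It refuses to send credentials unless the server offers STARTTLS, verifies the endpoint's certificate with the platform trust store, and lets `smtplib` do the Base64 encoding of the AUTH LOGIN/PLAIN exchange. The helper functions decode the server's `334` challenges and produce the Base64 client responses, which is what you need when driving the exchange by hand, for example inside `openssl s_client -starttls smtp`. The hostname, endpoint ID, password, addresses and message are placeholders; `IngressPoint` and `IngressPassword` are the same placeholders used in the transcript above.

```python
import base64
import smtplib
import ssl
from email.message import EmailMessage

# Placeholders matching the transcript above. A real client uses the ingress
# endpoint ID (inp-...) and the password chosen when the endpoint was created.
USERNAME = "IngressPoint"
PASSWORD = "IngressPassword"


def b64(text: str) -> str:
    """Base64-encode a string the way the AUTH LOGIN mechanism expects it."""
    return base64.b64encode(text.encode()).decode()


def decode_prompt(server_line: str) -> str:
    """Decode a '334 <base64>' AUTH challenge to its plain-text prompt."""
    code, _, payload = server_line.strip().partition(" ")
    if code != "334":
        raise ValueError(f"not an AUTH challenge: {server_line!r}")
    return base64.b64decode(payload).decode()


def auth_login_responses(username: str, password: str) -> tuple[str, str]:
    """The two lines the client sends in reply to the Username:/Password: prompts."""
    return b64(username), b64(password)


def send_via_ingress(host: str, endpoint_id: str, password: str,
                     msg: EmailMessage, port: int = 587) -> dict:
    """Deliver msg to an authenticated ingress endpoint over STARTTLS.

    host is the endpoint's "A" record value; port 587 (or 25) is what the
    authenticated endpoint supports. Returns smtplib's dict of refused
    recipients (empty on full success). Requires network access.
    """
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall through to AUTH on a plaintext session: Base64 is not
            # encryption and the password would be readable on the wire.
            raise RuntimeError("server did not offer STARTTLS; not sending credentials")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # capabilities are re-advertised after TLS; AUTH appears here
        if not smtp.has_extn("auth"):
            raise RuntimeError("server does not advertise AUTH after STARTTLS")
        # smtplib picks an advertised mechanism (PLAIN or LOGIN here) and
        # Base64-encodes the endpoint ID and password itself.
        smtp.login(endpoint_id, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Placeholder values; replace with your endpoint's "A" record, ID and password.
    message = EmailMessage()
    message["From"] = "sender@example.com"
    message["To"] = "recipient@marketing.example.com"
    message["Subject"] = "test via ingress endpoint"
    message.set_content("hello")
    print(auth_login_responses(USERNAME, PASSWORD))
    refused = send_via_ingress(
        "890123abcdef.ghijk.mail-manager-smtp.amazonaws.com",
        "inp-1abc2de3fghi4jkl5mnop6qr", "replace-me", message)
    print("refused recipients:", refused)
```

To drive the exchange manually, open `openssl s_client -starttls smtp -connect <A record value>:587`, send `EHLO` and `AUTH LOGIN`, and paste the two strings returned by `auth_login_responses` at the `Username:` and `Password:` prompts; a `235` reply confirms the credentials, and a `535` means the ID or password is wrong.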
The procedure in the next section will walk you through creating an ingress endpoint in the SES console.
Creating an ingress endpoint in the SES console
The following procedure shows you how to use the Ingress endpoints page in the SES console to create ingress endpoints and manage the ones you've already created.
To create and manage ingress endpoints using the console
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.
2. In the left navigation panel, choose Ingress endpoints under Mail Manager.
3. On the Ingress endpoints page, select Create ingress endpoint.
4. On the Create new ingress endpoint page, enter a unique name for your ingress endpoint.
5. Choose whether it will be an Open or Authenticated endpoint.
6. If you choose Authenticated, select either SMTP password and enter a password (to be shared with authorized senders), or Secret and select one of your secrets from Secret ARN. If you select a previously created secret, it must contain the policies indicated in the following steps for creating a new secret.
   You have the option to create a new secret by choosing Create new; the AWS Secrets Manager console will open, where you can continue to create the new secret:
   - Choose Other type of secret in Secret type.
   - In Key/value pair, enter password for the key and your actual password for the value.
     Note: For Key, you must enter exactly password (anything else will cause authentication to fail).
   - Select Add new key to create a KMS customer managed key (CMK) in Encryption key; the AWS KMS console will open.
   - Choose Create key on the Customer managed keys page.
   - Keep the default values on the Configure key page and select Next.
   - Enter a name for your key in Alias (optionally, you can add a description and tags), followed by Next.
   - Select any users (other than yourself) or roles you want to permit to administer the key in Key administrators, followed by Next.
   - Select any users (other than yourself) or roles you want to permit to use the key in Key users, followed by Next.
   - Copy and paste the KMS CMK policy into the Key policy JSON text editor at the "Statement" level, adding it as an additional statement separated by a comma. Replace the region and account number with your own.
   - Choose Finish.
   - Select your browser's tab where you have the AWS Secrets Manager Store a new secret page open and select the refresh icon (circular arrow) next to the Encryption key field, then click inside the field and select your newly created key.
   - Enter a name in the Secret name field on the Configure secret page.
   - Select Edit permissions in Resource permissions.
   - Copy and paste the Secrets resource policy into the Resource permissions JSON text editor and replace the region and account number with your own. (Be sure to delete any example code in the editor.)
   - Choose Save, followed by Next.
   - Optionally configure rotation, followed by Next.
   - Review and store your new secret by choosing Store.
   - Select your browser's tab where you have the SES Create new ingress endpoint page open and choose Refresh list, then select your newly created secret in Secret ARN.
7. Select a traffic policy to determine the email you want to block or allow.
8. Select a rule set containing the rule actions you want to perform on the email you allow in.
9. Select Create ingress endpoint.
10. In General details, "Provisioning" is displayed while your ingress endpoint is being created; refresh the page until "Active" is displayed and the ARecord field contains a value. Copy the "A" record value and paste it into your DNS configuration or your SMTP client as discussed in Configuring your environment to use an ingress endpoint.
11. Just above the General details container on the console, there is a large, unlabeled identifier prefixed by "inp" (also replicated in the breadcrumb trail at the top of the page), for example, inp-1abc2de3fghi4jkl5mnop6qr. This is the ingress endpoint ID; its value is used as the username to log in to your ingress server. (You'll need to share this with your authorized senders so they can connect to your endpoint.)
12. You can view and manage the ingress endpoints you've already created from the Ingress endpoints page. If there's an ingress endpoint you want to remove, select its radio button, followed by Delete.
13. To edit an ingress endpoint, select its name to open its summary page:
    - You can change the endpoint's active status by choosing Edit in General details, followed by Save changes.
    - You can select a different rule set or traffic policy by choosing Edit in either Rule set or Traffic policy, followed by Save changes.