Issue sending emails from private subnet to SES through a VPC Endpoint on AWS Batch Job using Fargate

I was following this link, where it is explained how to set up a VPC endpoint for Amazon SES (https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html), but it is not working when I try to send emails from a Batch Job Docker container. If I execute the container locally, the container is able to send emails, so it seems to be a problem reaching "email-smtp.eu-west-1.amazonaws.com" from my container. I'm working in the eu-west-1 region; I just have a VPC with 3 subnets, and my security groups allow all traffic in the inbound and outbound rules (I set it that way just for testing). My container is implemented using .NET 8 and the client uses the SMTP protocol instead of HTTPS:

    using MailKit.Net.Smtp;   // MailKit's SmtpClient, not System.Net.Mail
    using MailKit.Security;   // SecureSocketOptions.StartTls
    using var smtp = new SmtpClient();
    await smtp.ConnectAsync("email-smtp.eu-west-1.amazonaws.com", 587, SecureSocketOptions.StartTls);

Following the previous link, it seems pretty easy, but I'm not able to make it work. Is it possible to use the SES SMTP VPC endpoint with Fargate, or does it only work for EC2? If it is possible, what am I missing or what am I doing wrong?

Thanks for your help!

2 answers

Accepted answer

It seems like the issue is that your container is not able to reach the Amazon SES SMTP endpoint due to being located within a private subnet in your VPC.

Make sure you have created a VPC endpoint for Amazon SES in the same VPC and subnets where your container is running. Refer to the AWS documentation on setting up VPC endpoints with Amazon SES for instructions.

Check that the security groups for your container allow outbound access to the SES SMTP endpoint on port 25. You may need to restrict this to just the SES endpoint address rather than allowing all traffic.

Try sending email from your container using the SES SMTP HTTPS endpoint instead of plain SMTP. This will avoid needing direct internet access. The AWS SDKs and libraries generally support both protocols.

As a test, try moving your container to a public subnet with a route to an internet gateway to confirm it can reach the SMTP endpoint when not going through the VPC.

Expert · answered 4 months ago
Expert · reviewed 3 months ago
  • Hi Giovanni, you saved my day! After changing my outbound rules to allow all traffic to just the SES endpoint address, it works (also changing the SmtpClient from MailKit to Microsoft System.Net.Mail).
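Before changing mail libraries it is worth proving that the task can actually reach the interface endpoint. The probe below is an added example, not code from the question or the answer above. It checks the two things an SES interface endpoint has to provide to a private subnet: with "Enable private DNS name" turned on, email-smtp.eu-west-1.amazonaws.com must resolve to the endpoint's ENI addresses inside the VPC CIDR rather than to public IPs, and a plain TCP connect on the port the client uses (587 here) must return a 220 banner, which proves the endpoint's security group admits the task's security group on that port and the task's egress rule allows it. A timeout at the TCP step is a security-group or network-ACL problem, not a TLS one. The VPC CIDR 10.0.0.0/16 is an assumption and must be replaced with the real one.

```csharp
// Added connectivity probe for an SES SMTP interface endpoint, to run inside the Fargate task.
// Not part of the original thread. The VPC CIDR below is an assumption.
using System;
using System.IO;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using System.Threading;
using System.Threading.Tasks;

static class SesEndpointProbe
{
    const string Host = "email-smtp.eu-west-1.amazonaws.com";
    const int Port = 587;                                   // the port the SmtpClient uses
    static readonly (byte[] Net, int Prefix) VpcCidr = ParseCidr("10.0.0.0/16"); // assumption

    static (byte[] Net, int Prefix) ParseCidr(string cidr)
    {
        var parts = cidr.Split('/');
        return (IPAddress.Parse(parts[0]).GetAddressBytes(), int.Parse(parts[1]));
    }

    // True when an IPv4 address falls inside the VPC CIDR, i.e. it is an endpoint ENI.
    static bool InVpc(IPAddress ip)
    {
        if (ip.AddressFamily != AddressFamily.InterNetwork) return false;
        var a = ip.GetAddressBytes();
        int fullBytes = VpcCidr.Prefix / 8, remBits = VpcCidr.Prefix % 8;
        for (int i = 0; i < fullBytes; i++)
            if (a[i] != VpcCidr.Net[i]) return false;
        if (remBits == 0) return true;
        int mask = (0xFF << (8 - remBits)) & 0xFF;
        return (a[fullBytes] & mask) == (VpcCidr.Net[fullBytes] & mask);
    }

    static async Task<int> Main()
    {
        // 1. DNS: private DNS on the endpoint makes the public SES name resolve to private
        //    addresses. Public addresses here mean the task is not using the endpoint at all.
        var addresses = await Dns.GetHostAddressesAsync(Host);
        foreach (var ip in addresses)
            Console.WriteLine($"{Host} -> {ip} ({(InVpc(ip) ? "inside VPC: endpoint ENI" : "PUBLIC: endpoint not in use")})");
        if (!addresses.Any(InVpc))
        {
            Console.WriteLine("Private DNS is not pointing at the endpoint; check the endpoint's private DNS setting and the VPC's enableDnsSupport/enableDnsHostnames.");
            return 1;
        }

        // 2. TCP + banner: this has nothing to do with certificates yet, so a failure here
        //    is the endpoint SG (inbound 587 from the task SG) or the task SG/NACL (outbound 587).
        using var client = new TcpClient();
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
        try
        {
            await client.ConnectAsync(Host, Port, cts.Token);
        }
        catch (Exception ex) when (ex is OperationCanceledException or SocketException)
        {
            Console.WriteLine($"TCP connect to {Host}:{Port} failed: {ex.Message}");
            return 2;
        }
        using var reader = new StreamReader(client.GetStream());
        var banner = await reader.ReadLineAsync();      // SES answers "220 email-smtp.amazonaws.com ESMTP ..."
        Console.WriteLine($"Banner: {banner}");
        return banner is not null && banner.StartsWith("220") ? 0 : 3;
    }
}
```

Run it as a one-off task in the same subnets and with the same security group as the Batch job; the exit code tells you which layer is failing (1 = DNS/endpoint association, 2 = security group or NACL, 3 = something other than SES answering). Once it returns 0, any remaining failure in the real client is a TLS issue, not a networking one, and the endpoint's security group can be tightened to inbound 587 from the task's security group only.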


Hi Giovanni Lauria, thank you for your prompt response. I truly appreciate your assistance. It seems you put me in the right direction: after changing my outbound rules to allow all traffic to just the SES endpoint address (port 587 because I'm using SMTP HTTPS), I've started to receive an error instead of a timeout:

    Unhandled exception. MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
    The server's SSL certificate could not be validated for the following reasons:
      • The server certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
      • An intermediate certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
    System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

Ernest
answered 4 months ago
  • I fixed it by switching from the MailKit SmtpClient to the Microsoft SmtpClient.
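The "unable to get certificate CRL" error above is not a broken certificate: MailKit checks certificate revocation by default (its CheckCertificateRevocation property is true), and a private subnet with no route to the CRL distribution points can never complete that check, so the chain comes back flagged RevocationStatusUnknown and OfflineRevocation. System.Net.Mail.SmtpClient does not perform a revocation check by default, which is why swapping libraries made the error disappear rather than fixing it. The code below is an added example, not code from the thread, that keeps MailKit and makes the decision explicit: the validation callback tolerates exactly the two unreachable-CRL statuses and nothing else, so a name mismatch, an untrusted issuer, or an expired or actually revoked certificate still aborts the handshake. The SES SMTP credentials and the sender and recipient addresses are placeholders (assumptions).

```csharp
// Added example: MailKit against the SES SMTP interface endpoint from a private subnet,
// handling the unreachable-CRL case without disabling certificate validation.
// Not code from the original thread; credentials and addresses are assumptions.
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

static class SesMailer
{
    // Accept the server certificate only when the sole problem is that revocation could not be
    // determined because the CRL/OCSP responder was unreachable from the private subnet.
    static bool ValidateSesCertificate(object sender, X509Certificate? certificate,
                                       X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // A missing certificate or a name that does not match the SES endpoint is rejected
        // outright: those are the errors an on-path attacker would produce.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || chain is null)
            return false;

        const X509ChainStatusFlags tolerated =
            X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;

        // Each chain status may carry several flags; strip the tolerated ones and require that
        // nothing remains (NoError is 0). An expired, untrusted or actually revoked certificate
        // leaves a non-zero flag behind and fails here.
        return chain.ChainStatus.All(s => (s.Status & ~tolerated) == X509ChainStatusFlags.NoError);
    }

    public static async Task SendAsync(string smtpUser, string smtpPassword)
    {
        using var smtp = new SmtpClient();

        // Option A (shown): keep revocation checking on and decide the unreachable-CRL case in the callback.
        smtp.CheckCertificateRevocation = true;
        smtp.ServerCertificateValidationCallback = ValidateSesCertificate;
        // Option B: smtp.CheckCertificateRevocation = false; skips the CRL fetch entirely, which is
        //           the behaviour the System.Net.Mail client gave for free. Chain and name are still verified.
        // Option C (preferable when the network allows it): give the subnet egress to the CRL
        //           distribution points named in the certificate chain and leave the defaults alone.

        // STARTTLS on 587; the SES interface endpoint also serves 25, 465, 2465 and 2587.
        await smtp.ConnectAsync("email-smtp.eu-west-1.amazonaws.com", 587, SecureSocketOptions.StartTls);
        await smtp.AuthenticateAsync(smtpUser, smtpPassword);   // SES SMTP credentials, not IAM access keys

        var message = new MimeMessage();
        message.From.Add(new MailboxAddress("Batch job", "noreply@example.com"));  // assumption: a verified SES identity
        message.To.Add(new MailboxAddress("Operator", "ops@example.com"));         // assumption
        message.Subject = "Batch job finished";
        message.Body = new TextPart("plain")
        {
            Text = "Sent from a private subnet through the SES SMTP interface endpoint."
        };

        await smtp.SendAsync(message);
        await smtp.DisconnectAsync(quit: true);
    }
}
```

Whichever option is chosen, it should be a deliberate setting in the code rather than a side effect of the library: with the callback above the job still fails closed on every certificate error except the one the network topology makes unavoidable, and the comment records why that exception exists.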
