By using AWS re:Post, you agree to the AWS re:Post Terms of Use

535 Authentication Credentials Invalid - Help Please!

0

Hi,

I deleted the existing IAM User for SES SMTP from my account to create a new one.
After creating the new, I've retrieved the SMTP Username and SMTP Password (important: not the access key/secret, as some may ask) and configured my application. After that, I am only receiving "535 Authentication Credentials Invalid" message.

What I have already done:
-I've already seen the documentation.
-I've already searched on forums.
-I've already tried to delete/creating new SMTP credentials (about 5 times).
-I've borrowed another account's SMTP credentials that I manage to test in this application and this other account credentials worked fined on the installation that I am having issues (so it is not a software issue at my side)
-I've tried to manually talk SMTP to amazon's servers to put aside any application issues and still fails (see transcript bellow):

$ telnet email-smtp.us-east-1.amazonaws.com 2465
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-HTY7JINI1 lWd7UFpRFGnP8gGTMYou
EHLO myservername.domain
250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-AUTH PLAIN LOGIN
250 Ok
AUTH LOGIN
334 VXNlcm5hbWU6
base64_smtp_username
334 UGFzc3dvcmQ6
base64_smtp_password
535 Authentication Credentials Invalid
QUIT
221 Bye
Connection closed by foreign host.

My account is currently active and healthly and I am quite sure that there is something wrong at amazon's side.

Can somebody please help me?

asked 5 years ago8.9K views
5 Answers
2

For those that run into this thread via Google search, make sure you create the credentials via the SES console, and not the IAM console. I was attempted to rotate existing credentials for an individual user, and they continued to return authentication errors until I did it via SES instead. I could then see them via the IAM console as well, however I believe this method has additional back end calls that create the corresponding credentials in SES.

answered 3 years ago
  • @sandwormusmc1, how and where do you create the credentials via the SES console?

    As soon as I click "Create SMTP credentials" it opens up the IAM console.

    There is no other option other than IAM console to create a new user / credentials.

  • Look at the attached image to know which button to click: https://ibb.co/Y8ZyYdN

0

Hi pontomarket,

There are a few things to check.

First, how did you generate your credentials? SMTP credentials are region-specific, so if you used the console in another region (say us-west-1) to generate them, then they won't work in us-east-1.

Also, when you had the SMTP conversation via telnet, did you convert the credentials to base64 encoding first?

Thanks,

Brent @ AWS

AWS
answered 5 years ago
0

Hi Brent, thanks for your help!

Today I've found the following note on the documentation, which was exactly the first point you've mentioned. As I am a long time user for AWS SES in other accounts, I was using the same credentials for all regions and didn't know the specs had changed.

Here is the note transcription for anyone else who's facing the same issue:

Note

If you created SMTP credentials before January 10, 2019, your SMTP credentials might work in all AWS Regions where Amazon SES is available. However, credentials created after this date are created using the AWS Signature Version 4, and are unique to each Region.

For additional security, we recommend that you delete credentials that were created before this date, and replace them with newer, Region-specific credentials. You can delete older credentials by using the IAM console.

Edited by: pontomarket on Jan 6, 2020 6:34 PM

answered 5 years ago
0

I also "suffered" this issue and guess it was also related to the region. Just wondering if anyone can explain me how the h*** to find out or change the region a user or credentials are created for. I mean, looking at the IAM user lists how can I find out where it is registered to.

answered 3 years ago
0

Those who have come here after** rotating the IAM access key or after creating a new access key **for your existing SMTP IAM user. You cannot use the Secret Access Key generated after creating the Access key.

You must use the access key ID of the user and then derieve the SMTP password for that particular region as guided here: https://docs.aws.amazon.com/ses/latest/dg/smtp-credentials.html#smtp-credentials-convert

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions