Issue sending emails from private subnet to SES through a VPC Endpoint on AWS Batch Job using Fargate

I was following this link, where it is explained how to set up a VPC endpoint for Amazon SES (https://docs.aws.amazon.com/ses/latest/dg/send-email-set-up-vpc-endpoints.html), but it is not working when I try to send emails from a Batch Job docker container. If I execute the container locally, the container is able to send emails, so it seems to be a problem reaching "email-smtp.eu-west-1.amazonaws.com" from my container. I'm working in the eu-west-1 region; I just have a VPC with 3 subnets, and my security groups allow all traffic in the inbound and outbound rules (I set it that way just for testing). My container is implemented using .NET 8 and the client uses SMTP instead of HTTPS:

    using MailKit.Net.Smtp;   // MailKit's SmtpClient
    using MailKit.Security;   // SecureSocketOptions

    using var smtp = new SmtpClient();
    await smtp.ConnectAsync("email-smtp.eu-west-1.amazonaws.com", 587, SecureSocketOptions.StartTls);

Following the previous link, it seems pretty easy, but I'm not able to make it work. Is it possible to use the SES SMTP VPC Endpoint from Fargate, or does it only work for EC2? If it is possible to use it, what am I missing or what am I doing wrong?

Thanks for your help!

2 Answers
Accepted Answer

It seems like the issue is that your container is not able to reach the Amazon SES SMTP endpoint due to being located within a private subnet in your VPC.

Make sure you have created a VPC endpoint for Amazon SES in the same VPC and subnets where your container is running. Refer to the AWS documentation on setting up VPC endpoints with Amazon SES for instructions.

Check that the security groups for your container allow outbound access to the SES SMTP endpoint on port 25. You may need to restrict this to just the SES endpoint address rather than allowing all traffic.

Try sending email from your container using the SES SMTP HTTPS endpoint instead of plain SMTP. This will avoid needing direct internet access. The AWS SDKs and libraries generally support both protocols.

As a test, try moving your container to a public subnet with a route to an internet gateway to confirm it can reach the SMTP endpoint when not going through the VPC.

EXPERT
answered 3 months ago
EXPERT
reviewed 2 months ago
  • Hi Giovanni, you saved my day! After changing my outbound rules to allow all traffic to just the SES endpoint address, it works (I also changed the SmtpClient from MailKit to Microsoft System.Net.Mail).

Hi Giovanni Lauria, thank you for your prompt response. I truly appreciate your assistance. It seems you pointed me in the right direction: after changing my outbound rules to allow all traffic to just the SES endpoint address (port 587 because I'm using SMTP HTTPS), I've started to receive an error instead of a timeout:

    Unhandled exception. MailKit.Security.SslHandshakeException: An error occurred while attempting to establish an SSL or TLS connection.
    The server's SSL certificate could not be validated for the following reasons:
      • The server certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
      • An intermediate certificate has the following errors:
        • unable to get certificate CRL
        • unable to get certificate CRL
    System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.

Ernest
answered 3 months ago
  • I fixed it by switching from MailKit SmtpClient to Microsoft SmtpClient
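The following is an added example, not code from the question, from either answer, or from MailKit itself. It ties the two answers together: it connects to the regional SES SMTP hostname on 587 with STARTTLS, as the question does, and it handles the "unable to get certificate CRL" failure from the second answer without abandoning MailKit. That failure happens because MailKit checks certificate revocation by default, and a revocation check fetches the CA's CRL over HTTP; a subnet whose only path out is the SES interface endpoint cannot reach the CRL distribution point, so the chain is reported as unverifiable even though the certificate itself is fine. System.Net.Mail's SmtpClient leaves revocation checking off unless ServicePointManager.CheckCertificateRevocationList is set, which is consistent with the client switch making the error disappear. Assumptions: the SES SMTP interface endpoint exists in the task's VPC with private DNS enabled, so that email-smtp.eu-west-1.amazonaws.com resolves to the endpoint's private addresses; the task's security group allows outbound TCP/587 to the endpoint; and the SES SMTP credentials and the `ISOLATED_SUBNET` flag are read from environment variables whose names are chosen here for illustration.

```csharp
using System;
using System.Net.Security;
using System.Threading.Tasks;
using MailKit.Net.Smtp;
using MailKit.Security;
using MimeKit;

// Added example; not from the original question, the answers, or MailKit's own docs.
public static class SesSmtpSender
{
    // Hostname and port from the question. With private DNS enabled on the VPC
    // endpoint this name resolves to the endpoint's private IPs, so no internet
    // route is needed for the SMTP session itself.
    private const string SesSmtpHost = "email-smtp.eu-west-1.amazonaws.com";
    private const int StartTlsPort = 587;

    public static async Task SendAsync(MimeMessage message, string smtpUser,
        string smtpPassword, bool revocationEndpointsReachable)
    {
        using var smtp = new SmtpClient();

        // MailKit checks certificate revocation by default. That check downloads
        // CRLs from the CA over HTTP, traffic the SES endpoint does not carry.
        // From an isolated subnet the download fails and MailKit reports
        // "unable to get certificate CRL" (the error in the second answer).
        // Disabling the check is a deliberate trade-off for subnets with no egress;
        // keep it on wherever the CRL distribution points are reachable.
        smtp.CheckCertificateRevocation = revocationEndpointsReachable;

        // Still fail closed on every other chain problem: name mismatch, untrusted
        // root, expired certificate. Never return true unconditionally here.
        smtp.ServerCertificateValidationCallback = (sender, certificate, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None)
                return true;
            Console.Error.WriteLine($"Rejecting certificate for {SesSmtpHost}: {errors}");
            return false;
        };

        await smtp.ConnectAsync(SesSmtpHost, StartTlsPort, SecureSocketOptions.StartTls);
        await smtp.AuthenticateAsync(smtpUser, smtpPassword);
        await smtp.SendAsync(message);
        await smtp.DisconnectAsync(true);
    }

    public static MimeMessage BuildMessage(string from, string to, string subject, string body)
    {
        var message = new MimeMessage();
        message.From.Add(MailboxAddress.Parse(from));
        message.To.Add(MailboxAddress.Parse(to));
        message.Subject = subject;
        message.Body = new TextPart("plain") { Text = body };
        return message;
    }

    public static async Task<int> Main()
    {
        // SES SMTP credentials are derived from an IAM user's access keys, not the
        // keys themselves. Environment variable names are an assumption of this example.
        var user = Environment.GetEnvironmentVariable("SES_SMTP_USER");
        var pass = Environment.GetEnvironmentVariable("SES_SMTP_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
        {
            Console.Error.WriteLine("SES_SMTP_USER / SES_SMTP_PASSWORD not set");
            return 2;
        }

        // Constructed sample message; the addresses stand in for verified SES identities.
        var message = BuildMessage("batch@example.com", "ops@example.com",
            "Batch job finished", "Sent from a Fargate task through the SES VPC endpoint.");

        // ISOLATED_SUBNET=1 means the task has no NAT gateway or internet route,
        // so CRL downloads cannot succeed and the revocation check must be skipped.
        var isolated = Environment.GetEnvironmentVariable("ISOLATED_SUBNET") == "1";

        try
        {
            await SendAsync(message, user, pass, revocationEndpointsReachable: !isolated);
            return 0;
        }
        catch (SslHandshakeException ex)
        {
            // Surface the chain errors rather than a bare timeout so the cause shows up in logs.
            Console.Error.WriteLine($"TLS handshake with SES failed: {ex.Message}");
            return 1;
        }
    }
}
```

Two checks worth doing before changing client code: resolve email-smtp.eu-west-1.amazonaws.com from inside the task and confirm it returns private VPC addresses (if it returns public ones, private DNS is not enabled on the endpoint and the traffic is trying to leave the VPC, which produces the timeout from the question), and confirm the port is one the SES endpoint actually serves (SES SMTP accepts 25, 465, 587, 2465 and 2587; the accepted answer's mention of port 25 is not a requirement, and 587 with STARTTLS as used in the question is fine). If the subnet is later given HTTP egress through a NAT gateway or proxy, set `ISOLATED_SUBNET` back to 0 so revocation checking is restored.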
