Update TLS connections to 1.2 for SES using SMTP

0

Hi,

I received the email with subject '[UPDATE][ACTION REQUIRED] - Update your TLS connections to 1.2 for SES using SMTP to maintain AWS endpoint connectivity [AWS Account: 456548611263]'.

We are not sure what to do since our .net clients are querying to Amazon S3 directly (using these Nuget packages AWSSDK.Core and AWSSDK.S3), never to Amazon SES (we have setup to transfer from SES to S3 automatically).

We received in that mail some logs about the last connections but we dont know where that IP comes from and as I said we never connect to Amazon SES.

Please see the following for further details on the TLS 1.0 or TLS 1.1 connections detected from your account to SES using Simple Mail Transfer Protocol (SMTP) to between June 29, 2023 and July 10, 2023. We are unable to provide UserAgent for these connections because it is part of the HTTP protocol, but is not part of SMTP connections.

Region | Event | Message ID | Source IP | TLS Version
eu-west-1 | SMTP Message|0102018935cd729c-bb46dbfa-2c21-432b-b606-3ec89b67a838-000000 | 147.29.25.156 | TLSv1 | eu-west-1 | SMTP Message|01020189333a4693-998f1f50-0935-4ad7-bcaf-7449ad26ca97-000000 | 147.29.25.156 | TLSv1 | eu-west-1 | SMTP Message|0102018924b09c3b-01a1b1b4-127d-4786-9903-1fe403e5cc21-000000 | 147.29.25.156 | TLSv1 |

Could you help us pls?

Many thanks.

  • I too received this message, and I'm also not sure what changes need to be made if any.
    Our SES is just a place holder to forward non-reply email messages as notifications using our domain in Route53 to save us the cost of an email server.

    We utilize port 587 and the EnableSsl is set to true. According to the Amazon documentation it states:

    "To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally."

    So, I'm not manually setting any kind of "version" of TLS. Amazon is doing that all by itself when I set the port to 587 and invoke "EnableSsl" to true in my mySmtpClient settings if I'm reading this correctly.

    Basically I'm hoping that when Amazon changes the TLS requirements, they will simply create a different TLS version when I'm doing the exact same thing as now (no changes).

    Does this sound correct?

Juan
asked a year ago1193 views
3 Answers
0

AWS has recently implemented an update regarding the TLS requirement for all AWS service API endpoints. The minimum TLS version now required is TLS 1.2. https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

Based on the information you've given, it appears that Amazon SES has received SMTP traffic with TLSv1 from the source IP address 147.29.25.156. To avoid any disruptions, it is advised to update your SMTP clients behind the mentioned source IP address which is interacting with Amazon SES to support TLSv1.2 or later.

profile pictureAWS
Manas
answered a year ago
  • Hello.
    This answer appears to be the same text as the message in the email.

    Perhaps an example would help. Could you please direct us to a specific solution in for the situation BELOW if possible.

    C# .NET Framework 4.6.1

    using System.Net.Mail;

    //Example call to email service using (SmtpClient mySmtpClient = new SmtpClient()) { mySmtpClient.DeliveryMethod = SmtpDeliveryMethod.Network; mySmtpClient.UseDefaultCredentials = false; mySmtpClient.EnableSsl = true; mySmtpClient.Host = "email-smtp.us-east-2.amazonaws.com"; mySmtpClient.Port = 587; mySmtpClient.Credentials = new NetworkCredential(smtpAuth, smtpPass); }

    That's it. It sends the email through my SES using those credentials. Notice there is nothing there setting a version of TLS.
    I'm expecting Amazon SES to initialize the TLS negotiation based on the settings of my SMTP call. See that I've set enableSsl to true and the port to 587 as specified by the amazon documentation.

    Is there something I'm missing. Maybe I need to upgrade my version of .NET?

    Any help is greatly appreciated!!!

  • Updating your .NET framework alone may or may not resolve this issue. Because the version of TLS used by the SMTP client is also determined by the capabilities of the underlying operating system and the configuration of the sending server or application.

    Hence, you need to ensure that you are using a version of .NET Framework that supports TLS 1.2 first. However, the older versions of .NET framework may have limitations or compatibility issues when it comes to supporting newer versions of TLS. When you update your .NET framework, it typically includes updates to the underlying libraries and components that handle secure communications. These updates often include support for newer versions of TLS, including TLSv1.2.

    It looks like you are using .NET Framework 4.6.1 and according to the below Microsoft article, you need to use .NET Framework 4.7 or later versions on your apps for TLS 1.2 Reference: https://learn.microsoft.com/en-us/dotnet/framework/network-programming/tls

  • Hi, I received the same email, and I'm using java to connect and send mail via SES. As I know, java mail library version 1.6 supports tls 1.2. My application is running with jdk 1.7. Here is a piece of our code to prepare for sending mail:

    Properties props = System.getProperties();
    props.put("mail.transport.protocol", "smtp");
    props.put("mail.smtp.host", this.smtpHost);
    props.put("mail.smtp.port", this.smtpPort);
    props.put("mail.smtp.starttls.enable", "true");
    props.put("mail.smtp.auth", "true");
    

    I wonder if I have to specify tls version in my code to fix this, something likes:

    props.put("mail.smtp.ssl.protocols", "TLSv1.2");
    

    Or edit anything else? Thanks.

0

I received the same message from AWS. My client's .NET business applications also use SMTP to connect to Amazon SES to send transactional messages. NOTE: Amazon S3 is not in the mix for my client's use case.

My understanding is the following:

  • If you have not explicitly set a TLS version in your application code, then your applications will use the TLS version that is the server's default at the O/S level.
  • If you have explicitly set a TLS version in your application code, remove those lines of code and let the environment's TLS version default prevail.
  • Make sure TLS 1.2 is enabled in your environment. For a Windows server environment, see the following: https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-server

I have implemented the registry entries recommended by the link above. And our .NET code never explicitly set a TLS version. HTTP2 had been disabled at the server level a few years ago to solve some other issue, so that's why our SES messages indicate "TLSv1". HTTP2 has been re-enabled. However, I don't know how to verify that the messages in the Amazon SES message log (ie. the message entries in the email sent by AWS) are now indicating something other than TLSv1 ... I am assuming the entry will display "TLSv2" if TLS 1.2 was used to connect to Amazon SES?

InTech
answered a year ago
  • I mentioned elsewhere that I am checking the TLS version with packet captures. Not sure if that's an option for you.

0

I thought I'd share my solution in my particular case if anyone is facing a similar situation:

This was what I was doing to initiate an email to Amazon SES before I made any changes.

C# .NET Framework 4.6.1

using System.Net.Mail;

//Example call to email service
using (SmtpClient mySmtpClient = new SmtpClient())
{
    mySmtpClient.DeliveryMethod = SmtpDeliveryMethod.Network;
    mySmtpClient.UseDefaultCredentials = false;
    mySmtpClient.EnableSsl = true;
    mySmtpClient.Host = "email-smtp.us-east-2.amazonaws.com";
    mySmtpClient.Port = 587;
    mySmtpClient.Credentials = new NetworkCredential(smtpAuth, smtpPass);
} 

My solution was to first update to .NET version to 4.7.2. I also researched and found that SmtpClient is no longer recommended for emailing in .NET.
They recommended MailKit. I refactored all my email service calls to use MailKit instead so now a call looks like this:

            using (var mySmtpClient = new MailKit.Net.Smtp.SmtpClient())
            {
                if (smtpPort == 587)
                {
                    mySmtpClient.Connect(smtpClient, smtpPort, SecureSocketOptions.StartTls);
                    Console.WriteLine("client.SslProtocols = {0}", mySmtpClient.SslProtocols);
                }
                else
                {
                    mySmtpClient.Connect(smtpClient, smtpPort, true);
                }

                mySmtpClient.Authenticate(smtpAuth, smtpPass);

                mySmtpClient.Send(message);
                mySmtpClient.Disconnect(true);
        }

Note that in the console.write I get the following results:

"Tls12 | Tls13"

This verifies that it's establishing the StartTls correctly from my application...hopefully :)

answered a year ago
  • Thanks man, that's very helpful :)

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions