How to confirm that SMTP SES connections are using TLSv1.2

0

I recently received the below (greatly abbreviated) email, informing me of TLS 1.0 or TLS 1.1 usage on my account. Whilst I have made what I believe to be the necessary changes on a test environment to upgrade to TLS 1.2, I have been unable to determine how to use AWS to confirm that these changes have been successful. The below email suggests to me that there should be some area where I can check the TLS versions used for SMTP Messages sent, however all my current attempts of CloudWatch, CloudTrail (as recommended in the longer non abbreviated email) etc. have been unsuccessful with this.

Any advice would be greatly appreciated.

"Please see the following for further details on the TLS 1.0 or TLS 1.1 connections detected from your account to SES using Simple Mail Transfer Protocol (SMTP) to between July 16, 2023 and July 30, 2023. We are unable to provide UserAgent for these connections because it is part of the HTTP protocol, but is not part of SMTP connections.

Region | Event | Message ID | Source IP | TLS Version eu-west-1 | SMTP Message|010201896f70e64e-a3b64f36-b7ed-41da-97b7-5afe5a74249b-000000 | (IP Removed) | TLSv1 |"

3 個答案
1
已接受的答案

Install a network packet analyzer on your server e.g. Wireshark 4.0.7 freeware. Create a filter so you only see tcp port 587 traffic. The output from the packet analyzer will tell you the TLS protocol version being used.

See the accepted answer on the same question I posted on 07/26/2023.

How to verify TLS version used with .NET application to SES via SMTP

InTech
已回答 1 年前
profile picture
專家
已審閱 1 年前
  • Thanks InTech, I was able to determine my fix worked correctly after analysing the packets using WireShark installed to the EC2 instance, and seeing the change of TLSv1 to TLSv1.2.

  • Tom: Glad I could help. Cheers!

  • Thanks Intech for advicing tcpdump : confirmed 100% as i had already figured out it was a way to go, documented here https://repost.aws/questions/QUZFigKzbuSomj0WkWlB6vjA/how-to-upgrade-tls-used-by-mta-towards-ses-on-linux

    Quick detail: i spotted a "DOWNGRD" marker in the dumped handshake initial phase. Therefore simulated openssl connect w/ forced versions : marker is gone for any 1.2 or over. So i've tested several MTA configs from a test VM. At some point i managed to obtain connection without marker. Finally replicated the result config on my prod Cloud.

    Hope it's over :)

0

I have the exact same issue and i got no equivalent of WireShark on my debian pure CLI server. Therefore i tried to PAINFULLY set log chain (summoning many services : SES, CloudTrail, SNS, Lambda, CloudWatch, S3, IAM) hoping i'll see some TLS metrics for SMTP links ... After hours of hellish setup, documentation not being super clear nor flexible enough for various needs, i managed to obtain stacks of logs but NOTHING i need to verify TLS 1.2. I used Lake, Insights, direct log watch, various filters and queries adviced, no way out of this maze so far. I mean, simple connection logging on SES should be a very basic feature obtainable in few clicks. Hours of interface fight brought no result. Yet, Amazon sends me mails asking to upgrade and their support cannot give me more infos on which version TLS was used during my tests. It's a pity circle run.

已回答 1 年前
  • I share your sentiment that AWS has "fallen down" on this one and issued an admittedly legitimate mandate but without providing any self-service tools whatsoever on their end to truly help us resolve the issue.

    If you have root privileges on the Debain pure CLI server, you may want to consider installing a network monitoring tool that works on Linux O/S's. I did a quick online search for "network packet analyzer for debian pure CLI server" and found what hopefully is a good starting point for you at GeeksforGeeks with links to various network monitoring tools. Many of the offerings are command line/text based. The article is titled "Linux - Network Monitoring Tools": https://www.geeksforgeeks.org/linux-network-monitoring-tools/

    I also found some information about tcpdump that might be a useful tool for you. Many Linux distributions ship with the tcpdump tool or you can search for a site where you can download it. The tcpdump tool can capture packets from a specific port using the following example command : tcp -i eth0 port 587. The tcpdump tool saves the dump file in pcap format that can be viewed by a tcpdump command or the Wireshark network protocol analyzer if you have access to a Windows based system and can install Wireshark there for the purposes of analyzing the dump file. See https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/ as a starting point.

    Hope this is somewhat helpful.

-1

You can follow article : https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

Try using CloudWatch Log Insights , it will give you details. below is the sample query. You need to select corresponding CloduWatch logs group that is specific to your services. Below result will give connection TLSv1.1 connection. For 1.2, just modify parameters inside IN clause.


filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by userIdentity.accountId, recipientAccountId, eventSource, eventName, awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent
| sort eventSource, eventName, awsRegion, tlsDetails.tlsVersion

I hope this gives you an idea to find records.

profile picture
Vikas
已回答 1 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南