Learn how Amazon Simple Email Service (Amazon SES) just got simpler with Simple Mail Transfer Protocol (SMTP) support. Amazon SES is AWS’s highly scalable and cost-effective bulk and transactional email-sending service for businesses and developers.
You will learn how to:
• Create your Amazon SES SMTP credentials
• Discover and use SMTP settings
• Configure SMTP and Amazon SES with some common programs
Hello, and welcome to our webinar on using SMTP with Amazon Simple Email Service. I’m Jenn Steele, and I’m the product marketing manager for Amazon SES.
Today we have a simple agenda. To make sure we’re all on the same page, I’ll go through a brief overview of Amazon SES and how to get started. Then we’ll jump into using SMTP with Amazon SES. We’ll go through creating credentials in detail, and then we’ll look at a few examples of how you might use it.
What is Amazon Simple Email Service?Amazon SES is a highly scalable and cost-effective bulk and transactional email-sending service for businesses and developers. Amazon SES eliminates the complexity and expense of building an in-house email solution or licensing, installing, and operating a third-party email service. The service integrates with other AWS services, making it easy to send emails from applications being hosted on services such as Amazon EC2, and is an easy-to-use web service that lets you send email and maximize your business’s deliverability – the proportion of email that is delivered to the inbox.
Let’s take a look at how SES works. A client application acting as an email sender makes a request to Amazon SES to send email to one or more recipients.If the request is valid, Amazon SES composes an email message based on the request parameters and then queues it for delivery.The message is routed over the Internet to the recipient's Internet service provider (ISP). The ISP then delivers the message to the recipient's inbox.
If the recipient's email address does not exist, the ISP sends a bounce notification to Amazon SES. The service then forwards the notification to the sender.
A recipient who does not want to receive the message can register a complaint with the ISP by clicking their spam button. The ISP sends the complaint to Amazon SES, which then forwards it to the sender.
I wanted to take a minute to talk about Amazon SES Pricing. We have a flat rate of ten cents per thousand email messages. We do charge for data transfer out, but your first gig each month is free.
If you choose to send email with attachments, the attachments are billed separately at twelve cents per gig.And like many AWS services, we do have a free tier. If you are an Amazon EC2 user, you can send two thousand messages each day for free when you call SES from your EC2 instance directly or through AWS elastic beanstalk.
First, you need to sign up for AWS, if you don’t already have an account. You can get started with any of our services in a matter of minutes.
When you first have an AWS account, you’ll be in the SES Sandbox, where you can only send to or from verified email addresses, and you have a testing quota of 200 messages per day. Really, this is where you’re making sure you can get set up. You know you’re in the sandbox by the big yellow box at the top of this window here in your management console, or if your sending quota is only 200 emails per 24 hour period.In order to test SES, you first need to verify an email address. You should note that Amazon SES has a limit of 100 verified email addresses – these are the only addresses that can be used to send email. As I said before, while you’re in the sandbox, you can also only send TO these verified addresses. Once you have production access, you can only send from a verified address, but you can send to any email address in the world. We’ll review how to get production access in a bit.To start the process, click on the “Verify a New Sender” button, and enter the email address you want to verify in the dialog box that appears.
Then you go to the inbox for the address you’re verifying and find the verification email. Click on the URL or copy and paste it into your browser in order to verify the email address. You’ll get to a thank-you page telling you that you’re ready to start using that email address with SES!If it’s been a long time since you sent that address the verification email, you might get an error message when you try to click the link. If that’s the case, just go back into the management console and re-enter that email address for verification.If it has been an hour since you requested that your email address be verified and you have not received your email, there are two things that we have found are common culprits. The first is that you should check your spam folder. The second is that you should make sure that the email address you’re trying to verify is able to accept external email.
I wanted to take a moment to review the limitations of the sandbox, since that’s where we’ve been working thus far.You have a tiny quota – you can only send 200 messages per day.You can only send one message per second.You can only send from or to verified email addresses – basically, you can only email yourself.The sandbox is here so that you can run a proof-of-concept. It’s a testing environment. The production environment looks different, as we’ll see on our next slide.
When you’re in the production environment, your quota will be 10,000 messages per day and will continue to rise as you send your production email through SES.You will also see your TPS continue to rise as well, although you start at five.And while you can still only send FROM verified email addresses, you can send TO any email address in the world.
You will need to request production access in order to see the benefits we saw on our last slide. Again, you can see that you do not have production access as long as you only have a 200 message per day quota and you have a big yellow box at the top of your Management Console. To request production access, click on the “Request Production Access” button.
Clicking this button will take you to the Amazon SES Production Access form. Please fill it out completely. Production access requests take up to one business day to process, and if our team has any questions for you, we’ll get in contact with you. Please note that we will be looking at production access for the account you’re currently logged into. If you have multiple AWS accounts, make sure you’re logged into the correct one before filling out this form. Once we have processed your request, we will send you email confirmation to the primary email address of that AWS account. However, if you do not regularly check that account, there is a way to easily tell whether you have production access – just check the Management Console. A quota of more than 200 messages per day means that your production access has been granted.
As you can see in this view, you have moved up to a Production quota, and the big yellow box asking you to Request Production Access or Verify a New Sender is gone. When your Management Console looks like this screen shot, you can send email to any email address – no recipient verification necessary. You’ll still need to verify any new sender address through the same process we looked at before.Once you have Production Access, you should start sending your production email through SES. By sending as much of your production email as you can through SES, you’ll find that your sending quota will increase naturally.
Let’s move on to SMTP.Onceyou have production access, you’ll need to generate your SMTP credentials. Please note that you can generate SMTP credentials while you’re in the sandbox as well. To start the process – whether you’re in the sandbox or in production mode, log into your AWS Management Console, go to the Amazon SES tab, and click on SMTP Settings on the left.
When you get to the SMTP settings page, click on the “Create My SMTP Credentials” button. You may have to scroll down a bit to find it.
A dialog box will appear that will allow you to create your SMTP user. You can use the suggested user name, or – even better – you can create a username that is consistent with your internal naming policies. Amazon SES uses AWS Identity and Access Management (IAM) to manage SMTP credentials. The IAM user name is case sensitive and may contain only alphanumeric characters and the following symbols: +_=,.@-SMTP credentials consist of a username and a password. When you click the Create button, SMTP credentials will be generated for you.
You’ll see this dialog box next if your credentials are created successfully. Please note that this is the ONLY time that your SMTP credentials will be available – if you misplace them, you’ll have to generate a new user. If you click the Download Credentials button, you can download the credentials as a CSV file. Alternately, you can click Show User SMTP Security Credentials.
After clicking that, your SMTP Security Credentials will display. You can copy and paste them from this window. If you’re like me, you’ll both download them and copy and paste them – I’ve always preferred the belt and suspenders method. Once you’re finished, you can close the dialog box by clicking the Close Window button.
After you’ve created your SMTP credentials, you’ll be returned to the SMTP Settings page on the SES tab of the AWS Management Console. You use the credentials you just created in conjunction with <click> the settings on this page in order to configure your systems to use SMTP with Amazon SES.The server name is email-smtp.us-east-1.amazonaws.com, you’ll want to use port 465, use TLS, and use your SMTP credentials that you just generated for authentication.
I wanted to take a moment to talk about how Amazon SES uses Transport Layer Security, or TLS. OurSMTP endpoint requires that all connections be encrypted using TLS (Transport Layer Security). The SMTP endpoint uses TLS wrapper mode, which requires that SMTP clients will initiate the connection using TLS encryption. Wrapper mode means that the Amazon SES SMTP endpoint does not perform STARTTLS negotiation: it is the client's responsibility to connect to the endpoint using TLS, and to continue using TLS for the entire conversation.Again, at this time, Amazon SES does not support STARTTLS negotiation. If your system does not support TLS wrapper mode, you can use stunnel (http://www.stunnel.org) or a similar program to set up a secure tunnel.
Now I’ll go through two examples of how to implement SMTP with Amazon SES. First I’ll walk through setting it up with Microsoft Outlook 2010 – this example should give you guidance for configuring it with any software that can send via SMTP. Then we’ll take a look at Postfix, which is less graphically interesting, but will also allow me to show you how Stunnel works as well.
This is an example of how to configure a program with a graphical user interface to use SMTP with Amazon SES. I’m going to use Microsoft Outlook 2010 for this example, but the same basic principles would apply to similar programs like Jira and the like. Go to the file menu, click on Account Settings, and choose Account Settings…
In the Account Settings window, click on New.
In the Add New Account dialog box, make sure E-mail Account is selected, and click Next.
In the next window, select Manually configure server settings or additional server types and then click Next.
On the Choose Service window, choose Internet E-Mail and then click Next.
On the Internet E-mail settings form, fill in the following fields:-for Your Name, type the friendly name from which you’ll be sending the emails-for E-mail Address, put in the email address from which emails will be sent. Please note that this must be a verified email address.-for Account Type, select IMAP or POP3, depending on what your incoming mail server is. If you do not have an incoming mail server, select IMAP-for Incoming Mail server, put in your incoming mail server. Note that Amazon SES does NOT provide incoming mail servers – only outgoing. Outlook requires that you fill in this field, so if you don’t have an incoming mail server, type the word none into this field. -in the Outgoing mail server field, type in email-smtp.us-east-1.amazonaws.com – this is the same value you should have on your SMTP Settings page in your console.-in the User Name blank type the word “none”, because we’ll be configuring your credentials in a bit.Then click on the More Settings button.
In the Internet E-mail Settings window that appears, click on Outgoing Server.<click> Make sure “my outgoing server requires authentication” is selected. <click> Then select “log on using” and put your SMTP user name and password in the available spaces. Make sure you’re using the SMTP credentials that you generated in the AWS management console using the steps that we walked through earlier. <click> Then make sure that “remember password” is checked-off.<click> Once you’ve finished here, click on the Advanced tab.
Here on the advanced tab, you’ll want to fill out the following fields. <click> For Outgoing server, enter port 465. <click> Then select SSL as the type of encrypted connection. If you need to fill in any settings for your incoming mail server, do that as well. <click> When you’re finished with that, click the OK button.
This will take you back to the Internet E-mail Settings screen. You’ll want to test your configuration by clicking the Test Account Settings button. This lets you test your setup by having Outlook send an email through Amazon SES. <click> If the test message that Outlook sends through Amazon SES arrives successfully, click the Next button.
This will take you to the congratulations screen. You’re now ready to send email through Amazon SES with Outlook, and you can click the Finish button to exit.
Now let’s talk about using Amazon SES SMTP with Postfix. I’ll first talk about using Stunnel in order to set up TLS wrapper mode, and then we’ll talk about the Postfix configuration itself.
Not every application might be directly compatible with the SMTP interface’s strong TLS encryption requirement. If that’s the case, you can use Stunnel, which provides a local plaintext/vanilla SMTP interface for your application, and handles encrypted communication with Amazon SES under the covers.You should also note that Stunnel can be used whenever you need STARTTLS and it’s not natively supported.
Go to www.stunnel.org, and download and install STunnel.
Open the /etc/stunnel/stunnel.conf file. If the file does not exist, create it. Add these lines to configure the secure tunnel. For the accept line, specify a port number that is outside the range of reserved ports and is not currently being used. For this example, we will use port 2525 for this purpose, but you can use a different port. Then save the file.
To activate the tunnel, go to a command prompt and type in sudostunnel /etc/stunnel/stunnel.confNext we want to verify that the tunnel has been created. At your command prompt, type in telnet localhost 2525, or whatever port you specified in the stunnel.conf file. If you cannot establish the telnet connection, you should check to make sure the settings in the stunnel.conf file are correct.If you’ve been successful, you can move on to your server configuration.
For Postfix configuration, I’m assuming that you already have a mail server set up. Postfix doesn’t natively support the TLS wrapper mode, so make sure you’ve already set up Stunnel. Open the /etc/postfix/main.cf file and add the lines that you see here. Again, we’re using port 2525 as the Stunnel port, but you’ll have to use whatever port you used in your Stunnel configuration.
Now we’re going to create an encrypted file containing your Amazon SES SMTP credentials. First edit the /etc/postfix/sasl_passwd file. If the file does not exist, create it. Add the following line to the file, replacing USERNAME and PASSWORD with your SMTP user name and password – these are the same credentials I showed you how to create using the SES tab of the AWS Management Console. Save that file.To encrypt the file, type sudopostmap hash:/etc/postfix/sasl_passwd at a command prompt. Then remove the /etc/postfix/sasl_passwd file.Finally, restart postfix by typing the command to restart it at a command prompt. The command might not be exactly the same as this one for your server.You should be able to send email via Amazon SES at this point. If you cannot, you should make sure that port 465 isn’t blocked on your firewall, and you can do that by trying to telnet to email-smtp.us-east-1.amazonaws.com:465.
Next I wanted to talk about the support resources we have available for you. I’ll briefly go through our documentation, our forums, and our extended access form.
We have three different resources in our documentation for you, and you can get to these via the “Documentation” link on the SES home page, which is at aws.amazon.com/ses/.The first is the Amazon Simple Email Service Getting Started Guide. This guide will walk you through the getting started steps that I showed you earlier in this webinar in a little more detail.The second is the Amazon Simple Email Service Developer Guide. This guide gives you all of the detail you will need in order to set up your system to send email through Amazon SES. The third is the Amazon Simple Email Service API Reference. This reference contains all of the Amazon SES API calls, parameters, and data types you can use.
I particularly enjoy the Amazon SES forum, which you can get to via the “Community Forum” link on the SES page or through your management console. Here you’ll find all of our product and feature announcements, but that’s not what I find most interesting. Here is where SES users ask and answer questions about the service. You’ll also find almost every member of the Amazon SES team on here quite often, answering people’s questions.We read every single post on here, whether or not we answer, and we take your questions, concerns, and suggestions very seriously.
The final resource I wanted to discuss was how you increase your sending limits. As I mentioned earlier in the presentation, if you send production email through SES after you gain production access, your quota should naturally increase to meet your business needs. Sometimes, however, there are business events that make natural ramping impractical. To handle those cases please click on the “Request Increased Sending Limits” link in the Management Console.
This will take you to the Amazon SES Extended Access Request Form. We use the information you enter into this form to make sure that you have the quota you need for your business.Please fill out this form completely and let us know why you will need a manual quota increase and to what level. You might have a big launch coming up or your Facebook game is showing the signs of going viral. Please try to give us a good idea of exactly what your quota will need to be so that we can make sure we put you in the correct tier.Note that this request usually takes one business day to process, so you will want to plan ahead. If we require more information in order to process your request, someone will get in touch with you. Please note that we will advise you of your request results in an email that will be sent to the email address associated with that AWS account.
You can always check your quota through the Management Console or through the GetSendStatistics API call. In the Console, you can see your quota, how much of it you have used, and your maximum send rate. When your quota is increased either naturally or via a manual adjustment, you can see it right here.
And that’s using SMTP with Amazon SES. We tried to build the features that we thought you would find most useful, and your initial feedback has been great. If you want to tell us what you think or request any features, please visit our forums and tell us! Your input directly influences our product development – we love our customers and want to make sure that we’re developing features to meet your needs.