How do I find the SMTP clients using deprecated TLS versions?

9 minute read
Content level: Advanced
1

How do I find the SMTP clients using deprecated TLS versions in order to upgrade the clients?

I received an email or Personal Health Dashboard (PHD) notification highlighting TLS 1.0 or 1.1 calls to the Amazon Simple Email Service (SES) SMTP interface. How do I find these SMTP Clients?

Short Description

In June 2022, Amazon announced that TLS 1.2 will become the minimum TLS version used for AWS Service Public endpoints. AWS sent PHD notifications to customers if they used TLS 1.0 or 1.1 to send an SMTP email message.

SES provides two endpoints you can use to send emails. Users can invoke the standard AWS API, or an SMTP interface. SMTP is the protocol that third party products expect to use. The PHD notifications or messages you received relates to the email messages sent via the SMTP interface.

In order to continue using SES uninterrupted, you need to identify and upgrade the client (OS and/or third party software) to a version that supports TLS 1.2+.

Resolution

SES recently added the ability to log information about the email messages you send. You will be configuring it to log the email messages sent (Sends). This new capability provides the following information:

  • TO email addresses
  • FROM email address
  • IP address of the SMTP client
  • TLS version
  • Timestamp

Note: SES will not log blocked messages. If you are using TLS Wrapper port 465 or port 2465, the SES Logs will not contain the TLS Version. You will be able to identify these clients, but you will not be able to tell which ones you need to upgrade. If you need to verify the TLS version of these clients, please contact AWS Support.

This article will show you to how to configure SES events to be delivered to Amazon Kinesis Data Firehose and Amazon Simple Storage Service (S3). Once your event information is in S3, you can use Amazon Athena to list the above metadata from these emails and identify the SMTP clients you need to upgrade.

Your solution will look like this:

High level architecture

Please note: SES events can be costly to stream to Kinesis Data Firehose. For more information see the pricing documentation. You may stream the logs for a short period of time then consider stopping SES Send Event streaming when you have enough information to make the needed changes.

Optionally, configure a SES VPC endpoint

Your SMTP clients are configured to use SES in one of 3 ways:

  1. In a public subnet
  2. In a private subnet with VPC endpoints
  3. In a private subnet with a NAT Gateway

If you have configuration 1 or 2, SES will log the address of your SMTP client. However if you have configuration 3, SES will log the address of the NAT Gateway.

Optional Step If you have configuration 3, and want to know the actual source IP, you can send email using a VPC endpoint. The VPC endpoint will allow SES to provide the private IP address of the SMTP client. A VPC endpoint will keep your traffic within the AWS network. VPC endpoints increase security and may help reduce cost. For more information, see the VPC pricing documentation. When using VPC endpoint instead of a NAT Gateway, you are not charged for NAT Gateway data processing.

If you do not want to configure a VPC Endpoint for SES, please skip to the next section to Send your SES events to S3.

You can create a VPC Endpoint for any VPC you suspect may have SMTP clients. To configure a VPC Endpoint:

  1. Navigate to VPC in the AWS Console
  2. Select Endpoints
  3. If you already have an SMTP endpoint for this VPC, skip to the Send your SES events to S3 section
  4. If you do not have an a VPC endpint for SMTP for this VPC, select Create Endpoint
  5. Select AWS Services for the service category
  6. Type smtp in the search bar
  7. Select the SMTP service
  8. Select the VPC that is sending the SMTP message. If you don’t know which VPC is sending SMTP traffic, repeat the process for all VPCs that have a NAT Gateway. If you miss any VPCs that send SMTP, the SMTP event logs will show a NAT gateway address.
  9. Open Additional Settings
  10. Uncheck *Enable DNS NameEnable DNS Name will allow you to direct traffic to the endpoint automatically. AWS immediately changes the DNS record of the public SMTP endpoint to point to the VPC endpoint. The VPC endpoint may take up to 60 seconds to be available which can cause connection errors. To prevent any impact, we temporarily disable this option and will enable it in a later step.
  11. Select all relevant subnets.
  12. Select security groups that may be sending SMTP traffic.
  13. Optional — add tags.
  14. Press Create Endpoint.

Creating a VPC Endpoint

  1. Wait for the endpoint to become available. This usually takes less than 1 minute. Status of the endpoint

  2. Select the endpoint and select Actions/ Modify Endpoint Settings. Modify Endpoint Settings

  3. Select Enable Private DNS Names and press Save Changes. Enable Private DNS Names

Send your SES events to S3

  1. This blog post explains how to configure SES to deliver events to S3. Follow Step 1 and Step 2.
  2. Take note of the S3 bucket that contains the SES events. You will need it in a future step.
  3. Stop before you get to Use Athena database to find the messages sent by the SMTP clients

Use Athena database to find the messages sent by the SMTP clients

Set up the Athena database

  1. If you have used Athena before and have an Athena database you’d like to use you can skip to step 6
  2. Navigate to Athena and click Launch Query Editor
  3. Configure an S3 bucket to hold the results if you have not already done so. If you do not see the prompt, you already have a results set configured. Skip to Step 4

  1. Create an Athena Database by typing CREATE DATABASE ses_messages into the query window and pressing Run.

  1. Select the SES database in the left panel

  1. Create a table based on the SES data.
    1. Copy the SQL below into the query editor
    2. Update the last line with your AWS account number that owns the S3 bucket
    3. Press Run
    4. The query should execute within a second or two
CREATE EXTERNAL TABLE ses_events (
eventType string,
complaint struct < arrivaldate: string,
complainedrecipients: array < struct < emailaddress: string >>,
complaintfeedbacktype: string,
feedbackid: string,
`timestamp`: string,
useragent: string >,
bounce struct < bouncedrecipients: array < struct < action: string,
diagnosticcode: string,
emailaddress: string,
status: string >>,
bouncesubtype: string,
bouncetype: string,
feedbackid: string,
reportingmta: string,
`timestamp`: string >,
mail struct < timestamp: string,
source: string,
sourcearn: string,
sendingaccountid: string,
messageid: string,
destination: string,
headerstruncated: boolean,
headers: array < struct < name: string,
value: string >>,
commonheaders: struct < `from`: array < string >,
`to`: array < string >,
messageid: string,
subject: string >,
tags: struct < ses_source_tls_version: string,
ses_operation: string,
ses_configurationset: string,
ses_source_ip: string,
ses_outgoing_ip: string,
ses_from_domain: string,
ses_caller_identity: string >>,
send string,
delivery struct < processingtimemillis: int,
recipients: array < string >,
reportingmta: string,
smtpresponse: string,
`timestamp`: string >,
open struct < ipaddress: string,
`timestamp`: string,
userAgent: string >,
reject struct < reason: string >,
click struct < ipAddress: string,
`timestamp`: string,
userAgent: string,
link: string >
)
ROW FORMAT SERDE 'org.openx.data.jsonserde.JsonSerDe'
WITH SERDEPROPERTIES (
'mapping.ses_caller_identity' = 'ses:caller-identity',
'mapping.ses_configurationset' = 'ses:configuration-set',
'mapping.ses_from_domain' = 'ses:from-domain',
'mapping.ses_operation' = 'ses:opeation',
'mapping.ses_outgoing_ip' = 'ses:outgoing-ip',
'mapping.ses_recipient_isp' = 'ses:recipient-isp',
'mapping.ses_source_ip' = 'ses:source-ip',
'mapping.ses_source_tls_version' = 'ses:source-tls-version'
)
LOCATION 's3://aws-s3-ses-analytics-<YOUR-ACCOUNT-ID>/'
  1. Use Athena to find the messages you sent using deprecated TLS versions
    1. Copy the SQL below into the Query editor
    2. Update the query to the dates you are interested in. The example looks for messages between Oct 1 and the end of the 2023.
    3. Press Run
SELECT mail.timestamp, mail.commonheaders.to To, mail.commonheaders."from"[1] "From", mail.tags.ses_source_ip SourceIP, mail.tags.ses_source_tls_version TLSVersion
FROM ses_events
WHERE eventtype='Send' and mail.tags.ses_source_tls_version IN ( '["TLSv1"]', '["TLSv1.1"]')
AND mail.timestamp BETWEEN '2023-10-01' and '2024-01-01'
ORDER BY timestamp DESC

  1. The query results show one line for each message sent with deprecated TLS versions
    1. Time the message was sent
    2. To email addresses
    3. From email address
    4. SourceIP address has 3 options:
      1. SMTP Client is in a public subnet: IP of the SMTP client
      2. SES VPC Endpoint and the SMTP client in a private subnet: IP of the SMTP client
      3. Without SES VPC endpoint and SMTP Client sits behind a NAT gateway: the IP will be the one of the NAT gateway.

Cleanup

SES Events

As mentioned above, SES events can be costly to stream to Kinesis Data Firehose. For more information see the pricing documentation. You may want to update the default configuration set to not stream send events.

  1. Click on the name of the destination you created

Find the event destination

  1. Edit the Event Types

Edit the Event Types

  1. Uncheck Sends

Uncheck Sends

  1. Press Save Changes

Kinesis Data Firehose

Kinesis Data Firehose charges by the number of bytes sent. You will not incur additional charges if you do not send SES events. You can leave Kinesis Firehose configured in case you need the logs again.

VPC Endpoints

You can review how VPC endpoints increase security and help reduce cost to decide whether you should keep the VPC endpoints.

S3

You can configure a lifecycle policy to delete old logs or move them to a cheaper storage tier. You can keep the bucket in place in case you need to look at logs again.

Athena Athena only incurs charges when you execute queries. You may decide to leave your database configured should you ever need to look at logs again.

Conclusion

Once you have identified the source of your TLS 1.0 / 1.1 traffic, the next step is to upgrade the client and or the OS it runs on. You can find more information about how to upgrade the OS in our blog post. Refer to your SMTP client documentation for information how to upgrade it to use TLS 1.2.

For additional assistance, please open a support case, create a re:Post question, or contact your Technical Account Manager if you have Enterprise Support.

Article co-authors:

3 Comments

This article helped me to see logs of emails sent, but the events that I can see in S3 don't contain the TLS version (there are tags with source-ip, from-domain, etc. but not source-tls-version). Any ideas?

Thierry
replied 7 months ago

Did your query include

mail.tags.ses_source_tls_version TLSVersion

which pulls the TLS version out of the logs?

profile picture
replied 7 months ago

Thanks Andy for your answer. I don't do any query for the moment, I just look at the object in the S3 (see https://aws.amazon.com/fr/blogs/messaging-and-targeting/analyzing-amazon-ses-event-data-with-aws-analytics-services/, step 2, number 13). I download the json, and there is no mention of TLS version.

Thierry
replied 7 months ago