Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
How do I troubleshoot SMTP connectivity or timeout issues with Amazon SES?
My Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) is timing out.
Short description
You experience connection timeout issues when your client can't establish a TCP connection to the public Amazon SES endpoint. To resolve SMTP connectivity or timeout errors with Amazon SES, first troubleshoot the application's TCP connection. If the TCP connection is successful, then troubleshoot the SSL/TLS negotiations.
By default, Amazon Elastic Compute Cloud (Amazon EC2) restricts Amazon Virtual Private Cloud (Amazon VPC) egress traffic on port 25 for all Amazon EC2 instances. For applications that require traffic on SMTP port 25, you can request to remove this restriction. Or, use SMTP connections on port 587 (STARTTLS) and port 465 (TLS Wrapper) that don't have the same default restrictions that port 25 has.
Resolution
Troubleshoot the application's TCP connection
Complete the following steps:
-
Run the following telnet commands:
telnet email-smtp.us-east-1.amazonaws.com 587 telnet email-smtp.us-east-1.amazonaws.com 25 telnet email-smtp.us-east-1.amazonaws.com 465Note: Replace email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using.
-or-Run the following netcat (nc) commands:
nc -vz email-smtp.us-east-1.amazonaws.com 587 nc -vz email-smtp.us-east-1.amazonaws.com 25 nc -vz email-smtp.us-east-1.amazonaws.com 465-or-
In Windows PowerShell, run the following command to connect to the Amazon SES SMTP server:
Test-NetConnection -Port 587 --ComputerName email-smtp.us-west-2.amazonaws.com -
Note the output. If the connection is successful, then proceed to the Troubleshoot SSL/TLS negotiations section. If the connection is unsuccessful, then proceed to step 3. If your connection is successful, then the telnet command returns an output that's similar to the following:
Trying 35.170.126.22... Connected to email-smtp.us-east-1.amazonaws.com. Escape character is '^]'. 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-A12BCD3EF example0mJncW410pSauIf your connection times out, then the telnet command returns an output that's similar to the following:
Trying 18.232.32.150... telnet: connect to address 18.232.32.150: Connection timed outIf your connection is successful, then the Test-NetConnection command returns an output that's similar to the following:
ComputerName : email-smtp.us-west-2.amazonaws.com RemoteAddress : 198.51.100.126 RemotePort : 587 InterfaceAlias : Ethernet SourceAddress : 203.0.113.46 TcpTestSucceeded : TrueIf the connection times out, then the Test-NetConnection command returns an that's output similar to the following:
WARNING: Ping to 52.39.11.136 failed with status: TimedOut ComputerName : email-smtp.us-west-2.amazonaws.com RemoteAddress : 35.155.47.104 RemotePort : 587 InterfaceAlias : Ethernet 2 SourceAddress : 10.0.0.140 PingSucceeded : False PingReplyDetails (RTT) : 0 ms TcpTestSucceeded : False -
For unsuccessful connections, confirm that your local firewall rules, routes, and network access control lists (network ACLs) allow traffic on the SMTP port that you're using. Also, confirm that your sending application has access to the internet.
For example, if you're using an EC2 instance to send emails and connect to the SMTP endpoint, then verify the following:
- The security group outbound rules allow traffic to the SMTP server on TCP port 25, 587, or 465.
- The network ACL outbound rules allow traffic to the SMTP server on TCP port 25, 587, or 465.
- The network ACL inbound rules allow traffic from the SMTP server on TCP ports 1024-65535.
- The instance has internet connectivity.
Troubleshoot SSL/TLS negotiations
If your TCP connection is successful but you're still experiencing connectivity or timeout issues, then complete the following steps to check for issues with SSL/TLS:
-
Connect to the Amazon SES SMTP server.
For an EC2 Linux instance, run the following command:openssl s_client -crlf -connect email-smtp.us-east-1.amazonaws.com:465Note: Replace email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using.
For an EC2 Windows instance, see the PowerShell tab in Testing your connection to the Amazon SES SMTP interface using the command line. -
To check for SSL issues, run the following command:
openssl s_client -crlf -quiet -connect email-smtp.us-west-2.amazonaws.com:465If the connection is successful, then you get an SMTP 220 response that's similar to the following:
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon verify return:1 depth=0 CN = email-smtp.us-west-2.amazonaws.com verify return:1 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-VCSHDP1YZ A1b2C3d4E5f6G7h8I9j0 -
To check for TLS issues, run the following command:
openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.us-west-2.amazonaws.com:587If the connection is successful, then you get an SMTP 250 response that's similar to the following:
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon verify return:1 depth=0 CN = email-smtp.us-west-2.amazonaws.com verify return:1 250 Ok -
If you don't get an SMTP 220 response for SSL or an SMTP 250 response for TLS, then verify the following:
You correctly configured the SSL/TLS certificate store.
Your sending application has the correct path to the certificate.
You installed the Amazon SES certificate on your server.
Note: To verify whether you installed the correct certificates, see the About the certificates section in About the Amazon Trust Services migration.
Related information
Relevant content
- AWS OFFICIALUpdated 2 months ago
