My Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) is timing out.
Short description
You experience connection timeout issues when your client can't establish a TCP connection to the public Amazon SES endpoint. To resolve SMTP connectivity or timeout errors with Amazon SES, first troubleshoot the application's TCP connection. If the TCP connection is successful, then troubleshoot the SSL/TLS negotiations.
By default, Amazon Elastic Compute Cloud (Amazon EC2) restricts Amazon Virtual Private Cloud (Amazon VPC) egress traffic on port 25 for all Amazon EC2 instances. For applications that require traffic on SMTP port 25, you can request to remove this restriction. Or, use SMTP connections on port 587 (STARTTLS) and port 465 (TLS Wrapper) that don't have the same default restrictions that port 25 has.
Resolution
Troubleshoot the application's TCP connection
Complete the following steps:
1. Run the following telnet commands:
telnet email-smtp.us-east-1.amazonaws.com 587
telnet email-smtp.us-east-1.amazonaws.com 25
telnet email-smtp.us-east-1.amazonaws.com 465
Note: Replace email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using.
-or-
Run the following netcat (nc) commands:
nc -vz email-smtp.us-east-1.amazonaws.com 587
nc -vz email-smtp.us-east-1.amazonaws.com 25
nc -vz email-smtp.us-east-1.amazonaws.com 465
-or-
In Windows PowerShell, run the following command to connect to the Amazon SES SMTP server:
Test-NetConnection -Port 587 -ComputerName email-smtp.us-west-2.amazonaws.com
2. Note the output. If the connection is successful, then proceed to the Troubleshoot SSL/TLS negotiations section. If the connection is unsuccessful, then proceed to step 3.
If your connection is successful, then the telnet command returns an output that's similar to the following:
Trying 35.170.126.22...
Connected to email-smtp.us-east-1.amazonaws.com.
Escape character is '^]'.
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-A12BCD3EF example0mJncW410pSau
If your connection times out, then the telnet command returns an output that's similar to the following:
Trying 18.232.32.150...
telnet: connect to address 18.232.32.150: Connection timed out
If your connection is successful, then the Test-NetConnection command returns an output that's similar to the following:
ComputerName : email-smtp.us-west-2.amazonaws.com
RemoteAddress : 198.51.100.126
RemotePort : 587
InterfaceAlias : Ethernet
SourceAddress : 203.0.113.46
TcpTestSucceeded : True
If the connection times out, then the Test-NetConnection command returns an output that's similar to the following:
WARNING: Ping to 52.39.11.136 failed with status: TimedOut
ComputerName : email-smtp.us-west-2.amazonaws.com
RemoteAddress : 35.155.47.104
RemotePort : 587
InterfaceAlias : Ethernet 2
SourceAddress : 10.0.0.140
PingSucceeded : False
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : False
3. For unsuccessful connections, confirm that your local firewall rules, routes, and network access control lists (network ACLs) allow traffic on the SMTP port that you're using. Also, confirm that your sending application has access to the internet.
For example, if you're using an EC2 instance to send emails and connect to the SMTP endpoint, then verify the following:
Troubleshoot SSL/TLS negotiations
If your TCP connection is successful but you're still experiencing connectivity or timeout issues, then complete the following steps to check for issues with SSL/TLS:
1. Connect to the Amazon SES SMTP server.
For an EC2 Linux instance, run the following command:
openssl s_client -crlf -connect email-smtp.us-east-1.amazonaws.com:465
Note: Replace email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using.
For an EC2 Windows instance, see the PowerShell tab in Testing your connection to the Amazon SES SMTP interface using the command line.
2. To check for SSL issues, run the following command:
openssl s_client -crlf -quiet -connect email-smtp.us-west-2.amazonaws.com:465
If the connection is successful, then you get an SMTP 220 response that's similar to the following:
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.us-west-2.amazonaws.com
verify return:1
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-VCSHDP1YZ A1b2C3d4E5f6G7h8I9j0
3. To check for TLS issues, run the following command:
openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.us-west-2.amazonaws.com:587
If the connection is successful, then you get an SMTP 250 response that's similar to the following:
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.us-west-2.amazonaws.com
verify return:1
250 Ok
4. If you don't get an SMTP 220 response for SSL or an SMTP 250 response for TLS, then verify the following:
You correctly configured the SSL/TLS certificate store.
Your sending application has the correct path to the certificate.
You installed the Amazon SES certificate on your server.
Note: To verify whether you installed the correct certificates, see the About the certificates section in About the Amazon Trust Services migration.
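The two stages above, combined into one triage script. This is an added example, not part of the original article or AWS tooling. The function names, verdict strings, and the smtp.example.test sample are assumptions. The check for `verify error:` goes one step beyond the commands above, because `openssl s_client` continues past a failed certificate check by default and can still show an SMTP reply when the certificate store is misconfigured.

```shell
#!/bin/sh
# Added example: staged triage for an SES SMTP endpoint (TCP first, then TLS).

# classify_tls MODE: read `openssl s_client -quiet` output on stdin and print
# a verdict. MODE is "wrapper" (port 465) or "starttls" (port 587).
classify_tls() (
  out=$(cat)
  want='^250 '
  if [ "$1" = wrapper ]; then want='^220 '; fi
  # s_client continues after a failed chain check by default, so a verify
  # error must be caught before any SMTP reply is trusted.
  if printf '%s\n' "$out" | grep -q 'verify error:'; then
    echo cert-verify-failed
  elif printf '%s\n' "$out" | grep -Eq "$want"; then
    echo tls-ok
  else
    echo tls-failed
  fi
)

# probe HOST PORT MODE: stage 1 is a TCP connect, stage 2 the TLS negotiation.
probe() (
  host=$1 port=$2 mode=$3 extra=
  if ! nc -z -w 5 "$host" "$port" 2>/dev/null; then
    echo tcp-failed   # check firewall rules, routes and network ACLs
    exit 0
  fi
  if [ "$mode" = starttls ]; then extra='-starttls smtp'; fi
  # QUIT ends the SMTP session; timeout bounds a stalled handshake.
  # $extra is left unquoted on purpose so it splits into two arguments.
  printf 'QUIT\r\n' | timeout 15 openssl s_client -crlf -quiet \
    $extra -connect "$host:$port" 2>&1 | classify_tls "$mode"
)

# Constructed sample: a chain that fails verification against the local store.
SAMPLE_UNTRUSTED='depth=0 CN = smtp.example.test
verify error:num=20:unable to get local issuer certificate
verify return:1
220 smtp.example.test ESMTP'

# Live run only when a host argument is given; otherwise classify the sample.
if [ "$#" -ge 1 ]; then
  for spec in 587:starttls 465:wrapper; do
    echo "$1:${spec%%:*} $(probe "$1" "${spec%%:*}" "${spec##*:}")"
  done
else
  echo "sample: $(printf '%s\n' "$SAMPLE_UNTRUSTED" | classify_tls wrapper)"
fi
```

Pass the SES SMTP endpoint as the first argument to probe ports 587 and 465. A `cert-verify-failed` verdict points at the certificate store items in the last step rather than at the network path.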
Related information
Using the Amazon SES SMTP interface to send email