How to confirm that SMTP SES connections are using TLSv1.2

0

I recently received the below (greatly abbreviated) email, informing me of TLS 1.0 or TLS 1.1 usage on my account. Whilst I have made what I believe to be the necessary changes on a test environment to upgrade to TLS 1.2, I have been unable to determine how to use AWS to confirm that these changes have been successful. The below email suggests to me that there should be some area where I can check the TLS versions used for SMTP messages sent; however, all my attempts so far with CloudWatch, CloudTrail (as recommended in the longer, non-abbreviated email), etc. have been unsuccessful.

Any advice would be greatly appreciated.

"Please see the following for further details on the TLS 1.0 or TLS 1.1 connections detected from your account to SES using Simple Mail Transfer Protocol (SMTP) between July 16, 2023 and July 30, 2023. We are unable to provide UserAgent for these connections because it is part of the HTTP protocol, but is not part of SMTP connections.

| Region | Event | Message ID | Source IP | TLS Version |
|---|---|---|---|---|
| eu-west-1 | SMTP Message | 010201896f70e64e-a3b64f36-b7ed-41da-97b7-5afe5a74249b-000000 | (IP Removed) | TLSv1 |"

3 Answers
1
Accepted Answer

Install a network packet analyzer on your server e.g. Wireshark 4.0.7 freeware. Create a filter so you only see tcp port 587 traffic. The output from the packet analyzer will tell you the TLS protocol version being used.

See the accepted answer on the same question I posted on 07/26/2023.

How to verify TLS version used with .NET application to SES via SMTP

InTech
answered 9 months ago
reviewed 9 months ago
  • Thanks InTech, I was able to determine my fix worked correctly after analysing the packets using Wireshark installed on the EC2 instance, and seeing the change from TLSv1 to TLSv1.2.

  • Tom: Glad I could help. Cheers!

  • Thanks InTech for advising tcpdump: confirmed 100%, as I had already figured out it was the way to go, documented here https://repost.aws/questions/QUZFigKzbuSomj0WkWlB6vjA/how-to-upgrade-tls-used-by-mta-towards-ses-on-linux

    Quick detail: I spotted a "DOWNGRD" marker in the initial phase of the dumped handshake. Therefore I simulated openssl connections with forced versions: the marker is gone for any 1.2 or over. So I tested several MTA configs from a test VM. At some point I managed to obtain a connection without the marker. Finally I replicated the resulting config on my prod cloud.

    Hope it's over :)

0

I have the exact same issue and I have no equivalent of Wireshark on my Debian pure-CLI server. Therefore I tried to PAINFULLY set up a log chain (summoning many services: SES, CloudTrail, SNS, Lambda, CloudWatch, S3, IAM) hoping I'd see some TLS metrics for SMTP links ... After hours of hellish setup, the documentation being neither super clear nor flexible enough for various needs, I managed to obtain stacks of logs but NOTHING I need to verify TLS 1.2. I used Lake, Insights, direct log watch, and the various filters and queries advised; no way out of this maze so far. I mean, simple connection logging on SES should be a very basic feature obtainable in a few clicks. Hours of interface fighting brought no result. Yet Amazon sends me mails asking me to upgrade, and their support cannot give me more info on which TLS version was used during my tests. It's a pity circle run.

answered 7 months ago
  • I share your sentiment that AWS has "fallen down" on this one and issued an admittedly legitimate mandate but without providing any self-service tools whatsoever on their end to truly help us resolve the issue.

    If you have root privileges on the Debian pure-CLI server, you may want to consider installing a network monitoring tool that works on Linux OSes. I did a quick online search for "network packet analyzer for debian pure CLI server" and found what hopefully is a good starting point for you at GeeksforGeeks with links to various network monitoring tools. Many of the offerings are command line/text based. The article is titled "Linux - Network Monitoring Tools": https://www.geeksforgeeks.org/linux-network-monitoring-tools/

    I also found some information about tcpdump that might be a useful tool for you. Many Linux distributions ship with the tcpdump tool, or you can search for a site where you can download it. The tcpdump tool can capture packets from a specific port using the following example command: tcpdump -i eth0 port 587. The tcpdump tool saves the dump file in pcap format that can be viewed by a tcpdump command or by the Wireshark network protocol analyzer if you have access to a Windows-based system and can install Wireshark there for the purposes of analyzing the dump file. See https://www.tecmint.com/12-tcpdump-commands-a-network-sniffer-tool/ as a starting point.

    Hope this is somewhat helpful.
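Both the accepted answer and the tcpdump comment above come down to reading the negotiated TLS version out of the ServerHello in a port 587 capture, and the DOWNGRD comment depends on the RFC 8446 downgrade sentinel in ServerHello.random. The following is an added example, not code from any of the posters: it parses a TLS record carrying a ServerHello, reports the negotiated version (honouring the supported_versions extension that TLS 1.3 servers send), and flags the sentinel. The ServerHello bytes are constructed here rather than taken from a real SES capture; on a real capture you would feed it the payload of the server's first Handshake record.

```python
import struct

VERSION_NAMES = {0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
# RFC 8446 section 4.1.3: a TLS 1.3-capable server ends ServerHello.random with one of these
# when it negotiates a lower version, so a client can detect a downgrade.
DOWNGRADE_SENTINELS = {b"DOWNGRD\x01": "TLSv1.2", b"DOWNGRD\x00": "TLSv1.1 or below"}


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record (5-byte header) carrying a ServerHello handshake message."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a Handshake record carrying a ServerHello")
    body = record[9:]  # skip record header (5) and handshake header (4)
    legacy_version = struct.unpack("!H", body[:2])[0]
    random = body[2:34]
    pos = 34
    pos += 1 + body[pos]  # session_id length byte plus the session id itself
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3  # cipher suite (2) and compression method (1)
    negotiated = legacy_version
    if pos < len(body):  # extensions are optional in pre-1.3 ServerHellos
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if etype == 0x002B:  # supported_versions: the real selected version for TLS 1.3
                negotiated = struct.unpack("!H", body[pos:pos + 2])[0]
            pos += elen
    return {
        "version": VERSION_NAMES.get(negotiated, hex(negotiated)),
        "cipher_suite": cipher_suite,
        "downgrade_sentinel": DOWNGRADE_SENTINELS.get(random[-8:]),
        "meets_tls12": negotiated >= 0x0303,
    }


def build_server_hello(legacy_version: int, random_tail: bytes = b"\x00" * 8, selected: int = 0) -> bytes:
    """Constructed test vector (not a real SES capture): minimal ServerHello in a TLS record."""
    random = b"\x11" * 24 + random_tail
    exts = struct.pack("!HHH", 0x002B, 2, selected) if selected else b""
    body = struct.pack("!H", legacy_version) + random + b"\x00"  # empty session id
    body += struct.pack("!H", 0xC02F) + b"\x00"  # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, no compression
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake
```

The same check against a live endpoint is what `openssl s_client -starttls smtp` with a forced version shows; this parser just lets you answer the question from a saved pcap on a CLI-only box.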

-1

You can follow this article: https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints/

Try using CloudWatch Logs Insights; it will give you details. Below is a sample query. You need to select the corresponding CloudWatch log group that is specific to your services. The result below will give TLSv1 and TLSv1.1 connections. For 1.2, just modify the values inside the IN clause.


filter tlsDetails.tlsVersion in [ "TLSv1", "TLSv1.1" ]
| stats count(*) as numOutdatedTlsCalls by userIdentity.accountId, recipientAccountId, eventSource, eventName, awsRegion, tlsDetails.tlsVersion, tlsDetails.cipherSuite, userAgent
| sort eventSource, eventName, awsRegion, tlsDetails.tlsVersion

I hope this gives you an idea to find records.

Vikas
answered 9 months ago
