Can Mail Manager also handle outbound email traffic?

0

I started using the SES Mail Manager, to see if it could replace our current remote e-mail gateway.

I checked a test domain, created a first ingress endpoint, configured the DNS as required. Incoming e-mails are delivered to an SMTP relay, and received correctly by the destination e-mail server.

So far, so good.

What is not clear to me, is whether Mail Manager can be used also as a sending system.

Reading the blog post: https://aws.amazon.com/blogs/messaging-and-targeting/mail-manager-amazon-ses-introduces-new-email-routing-and-archiving-features/

"Amazon Simple Email Service (SES) is a cloud-based email sending service provided by Amazon Web Services (AWS), handling both inbound AND OUTBOUND email traffic for your applications. It allows users TO SEND and receive email using SES's reliable and cost-effective infrastructure without having to provision email servers themselves."

In contrast, the documentation at: https://docs.aws.amazon.com/ses/latest/dg/eb.html

only talks about incoming email, and nowhere refers to outgoing email, i.e. how to configure and use Mail Manager to send mail.

Can you help me understand whether Mail Manager can also be used to centralise the sending of e-mails, and give me guidance on how to do this, or the necessary documentation?

Thank you in advance, Gabriele

asked a year ago · 706 views
4 Answers
0

Hi,

Yes, Mail-manager can handle outbound traffic as well. It's not really clear from the documentation but there is a "Send to internet" action that you can add to a rule set which allows you to send email out via SES. You will need to create an IAM role that can call SES to send mail and verify the identity to send mail to. Or have your account removed from Sandbox status.

Kind regards. Robin

AWS
EXPERT
answered a year ago
  • Are you sure? In "Get set up" screen it says that: A rule set is assigned to an ingress endpoint and contains rules that perform actions on email when rule conditions are met. It mentions "ingress" only, not "outgress".

0

Hi,

unfortunately I still haven't managed to configure Mail Manager correctly for sending.

  1. I have verified in SES a test identity, a second level domain.

  2. I created a traffic policy, with "Default action: Allow" and nothing else

  3. in IAM I created a policy called "MailManager_send-to-internet", authorising as IPs those of the e-mail servers that are to use MailManager as smart hosts.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:*:{MyAWSAccountId}:identity/*",
            "Condition": {
                "IpAddress": {
                    "aws:SourceIp": [
                    "123.123.123.123/32",
                    "123.123.123.124/32",
                    "123.123.123.125/32"
                    ]
                }
            }
        }
    ]
}
  4. in IAM I created a group called 'MailManager-users' and attached the newly created policy

  5. in IAM I created a new user called "MailManager-user01" and placed it in the "MailManager-users" group

  6. in Mail Manager I created an SMTP Relay

  7. in Mail Manager I created a set of rules:

    rule1) SMTPRelay action -> Relay resource name: {the name of the SMTP relay created}

    rule2) Send to internet -> IAM role: AWSServiceRoleForAmazonSES

I had already created an open ingress endpoint, but this procedure did not work. Since you told me about creating an authenticated ingress endpoint, I wanted to try it out by deactivating the open one and creating an authenticated one.

Unfortunately, it doesn't work that way either. On my e-mail server, I use:

- relay SMTP server (smart host): {ARecord of the ingress endpoint}
- port: 587 (or even 465)

but it fails to authenticate because the ingress endpoint does not respond and goes into timeout.

Where am I going wrong?

answered a year ago
  • Hi,

    Can you try port 25 for connecting to the ingress point?

    Robin

0

Thank you for your response. I guess the documentation on this is not that comprehensive yet, as it is a new feature. However, I would need some clarification, I am not an expert on AWS, I have only recently gotten into it.

If it really can be used for sending as well, I would like to configure my current email systems to use Mail Manager as a "smart host," but to do this I would like to know what SMTP parameters to use, and if I need to do anything in particular on the AWS side to make Mail Manager work this way.

Thank you once again for your help. Gabriele

answered a year ago
0

Hi,

This would be a very basic set-up where you can use Mail manager as a mail sending smart host. If you have not already done so, you will first need to verify your domain in the SES console and request production access. Without your domain verified you will not be able to send mail. Without production access your sending will be limited to recipients that are in the verified identities.

Once the domain set-up is done, the mail manager stack starts off with creating a Traffic policy and Rule set before you can create the Ingress point. You can create both of these resources to fit your needs. The traffic policy can allow all traffic as it will be an authenticated ingress point but feel free to set restrictions to secure the ingress point more strictly (for example, only accept traffic from your system's IP). For the Rule set you can create an empty rule set, as I will describe what rules you need later.

The Traffic policy and Rule set are required to create an Authenticated ingress point so select the one you just created during the creation (more details are in the docs). With the authenticated ingress point you can connect your system to that to route mail from your system into Mail manager.

For actually sending mail you will have to create a Rule in the Rule set with the "Send to internet" action. For this you will need a basic policy with permissions to allow sending mail for the desired identity. You can use the policy below, add your account ID and if you want you can restrict it to a single identity (replace the * after identity/ with the identity).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:*:{AWSAccountId}:identity/*"
        }
    ]
}

With the rule created you should be able to route mail through Mail manager and out to the internet. The rules allow for many more actions to fully manage your mail flow in a way that fits your needs.

Kind regards. Robin

AWS
EXPERT
answered a year ago
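
Added example (not part of the answer above and not AWS code): a small Python check that flags the wildcards in the policy from the answer and applies the suggested restriction to a single identity. Pinning the region as well goes one step beyond what the answer suggests; the account ID 111122223333, the region eu-west-1 and the identity example.com are constructed placeholders.

```python
import copy
import json

# The policy from the answer above; the account ID is a constructed placeholder.
ANSWER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["ses:SendEmail", "ses:SendRawEmail"],
    "Resource": "arn:aws:ses:*:111122223333:identity/*"
  }]
}
""")

def _as_list(value):  # IAM accepts a single value or a list
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (sid, finding) pairs for Allow statements wider than one SES identity."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if arn == "*":
                findings.append((sid, "any-resource"))
            elif len(parts) == 6 and parts[2] == "ses":
                if "*" in parts[3]:
                    findings.append((sid, "any-region"))
                if "*" in parts[5]:
                    findings.append((sid, "any-identity"))
    return findings

def scope_to_identity(policy, region, identity):
    """Return a copy with each SES identity ARN pinned to one region and identity."""
    scoped = copy.deepcopy(policy)
    for stmt in _as_list(scoped["Statement"]):
        pinned = []
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)
            if len(parts) == 6 and parts[2] == "ses" and parts[5].startswith("identity/"):
                parts[3], parts[5] = region, "identity/" + identity
            pinned.append(":".join(parts))
        if pinned:
            stmt["Resource"] = pinned[0] if len(pinned) == 1 else pinned
    return scoped
```

Running `audit` on the output of `scope_to_identity` returns an empty list, which makes it usable as a pre-deployment check on the role policy attached to the "Send to internet" rule.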
