How do I troubleshoot SMTP connectivity or timeout issues with Amazon SES?
Last updated: 2020-04-23
My Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) is timing out. How do I resolve SMTP connectivity or timeout errors with Amazon SES?
Timeout connections typically indicate that your client is unable to establish a TCP connection to the public Amazon SES endpoint. To resolve SMTP connectivity or timeout errors with Amazon SES, troubleshoot the following:
1. Troubleshoot the application's TCP connection.
2. If the TCP connection is successful, then troubleshoot the SSL/TLS negotiations.
Important: Amazon Elastic Compute Cloud (Amazon EC2) restricts Amazon Virtual Private Cloud (Amazon VPC) egress traffic on port 25 for all EC2 instances by default. If your application requires traffic on SMTP port 25, you can request to remove this restriction.
Troubleshoot the application's TCP connection
1. Run telnet or netcat (nc) commands, similar to the following:
Note: Be sure to replace the Regional endpoint with the Amazon SES endpoint that you're using.
telnet email-smtp.us-east-1.amazonaws.com 587 telnet email-smtp.us-east-1.amazonaws.com 25 telnet email-smtp.us-east-1.amazonaws.com 465
nc -vz email-smtp.us-east-1.amazonaws.com 587 nc -vz email-smtp.us-east-1.amazonaws.com 25 nc -vz email-smtp.us-east-1.amazonaws.com 465
2. Note the output. For example, if the connection is successful, then the telnet command returns an output similar to the following:
Trying 126.96.36.199... Connected to email-smtp.us-east-1.amazonaws.com. Escape character is '^]'. 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-A12BCD3EF example0mJncW410pSau
If the connection times out, then the telnet command returns an output similar to the following:
Trying 188.8.131.52... telnet: connect to address 184.108.40.206: Connection timed out
3. If the connection times out, confirm that your local firewall rules, routes, and access control lists (ACLs) allow traffic on the SMTP port that you're using. Additionally, confirm that your sending application has access to the internet.
For example, if you're using an Amazon EC2 instance to send emails and connect to the SMTP endpoint, then check the following:
- Be sure that the security group outbound (egress) rules allow traffic to the SMTP server on TCP port 25, 587, or 465.
- Be sure that the network ACL outbound (egress) rules allow traffic to the SMTP server on TCP port 25, 587, or 465. Additionally, confirm that network ACL inbound (ingress) rules allow traffic from the SMTP server on TCP ports 1024-65535.
- Be sure that the EC2 instance has internet connectivity.
Troubleshoot SSL/TLS negotiations
If you're still having connectivity or timeout issues after troubleshooting the TCP connection, then check if there are problems with SSL/TLS.
1. From an Amazon EC2 Linux instance, run the openssl command, similar to the following:
Note: Be sure to replace the endpoint with the Amazon SES endpoint that you're using.
openssl s_client -crlf -connect email-smtp.us-east-1.amazonaws.com:465 openssl s_client -crlf -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:587
Note: If the location of the default certificate authority (CA) bundle file has been modified, you might experience problems running these commands.
2. Note the output. The expected responses are SMTP 220 and SMTP 250.
3. If you don't get the expected output, then check the following:
- Be sure that the SSL/TLS certificate store is configured correctly.
- Be sure that your sending application has the correct path to the certificate.
- Be sure that the Amazon SES certificate is installed on your server.
Note: For instructions on testing whether you have the correct certificates installed, see the section About the Certificates in About the Amazon Trust Services Migration.