My Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) is timing out. How do I resolve SMTP connectivity or timeout errors with Amazon SES?

SMTP can time out for the following reasons:

  • The email application is unable to establish a Transmission Control Protocol (TCP) connection.
  • The email application creates a TCP connection successfully, but there are issues with SSL/TLS negotiations (TLS wrapper on port 465 or 2465, or STARTTLS on port 25, 587, or 2587).
  • The TCP connection establishment and SSL/TLS negotiations are successful, but the Amazon SES server sends an SMTP 420/421 timeout error.

Troubleshoot the application's TCP connection

1.    Run telnet or netcat (nc) as follows.

Be sure to replace the regional endpoint with the Amazon SES endpoints you're using.

telnet example:

telnet email-smtp.us-east-1.amazonaws.com 587
telnet email-smtp.us-east-1.amazonaws.com 25
telnet email-smtp.us-east-1.amazonaws.com 465

nc example:

nc -vz email-smtp.us-east-1.amazonaws.com 587
nc -vz email-smtp.us-east-1.amazonaws.com 25
nc -vz email-smtp.us-east-1.amazonaws.com 465

2.    Note the output.

3.    If the connection times out, check your local firewall rules, routes, and access control lists (ACLs).

If you use an Amazon Elastic Compute Cloud (Amazon EC2) instance, check the associated instance's security groups, the subnet's network ACL, and the subnet's route table to be sure that the required rules and routes are configured. For more information, see Connecting to the Amazon SES SMTP Endpoint.

Note: By default, Amazon EC2 throttles traffic on SMTP port 25 for all instances. If you continue to receive timeout errors using SMTP port 25, you can request that the throttle be removed or you can change the port that is used for sending (for example, 587). For more information, see How do I remove the throttle on port 25 from my EC2 instance?

Example TCP connection troubleshooting

If an EC2 instance is trying to send outbound traffic on TCP port 25, 587, or 465, check the following:

  • Be sure that the security group outbound (egress) rules allow traffic to the SMTP server on TCP port 25, 587, or 465. For more information, see Security Group Rules.
  • Be sure that the network ACL outbound (egress) rules allow traffic to the SMTP server on TCP port 25. Also be sure that network ACL inbound (ingress) rules allow traffic from the SMTP server on TCP ports 1024-65535. For more information, see Network ACL Rules.
  • Be sure that the EC2 instance has internet connectivity. For more information, see Enabling Internet Access.

If an EC2 instance is receiving inbound traffic on TCP port 25, 587, or 465, check the following:

  • Be sure that the security group inbound (ingress) rules allow traffic from SMTP clients on TCP port 25, 587, or 465.
  • Be sure that the network ACL inbound (ingress) rules allow traffic from the SMTP clients on TCP port 25. Also be sure that network ACL outbound (egress) rules allow traffic to SMTP clients on TCP ports 1024-65535.
  • Be sure that the EC2 instance has internet connectivity. For more information, see Enabling Internet Access.

Troubleshoot SSL/TLS negotiations

If you're still experiencing connectivity or timeout issues after troubleshooting the TCP connection (see the first section), check if there are issues with SSL/TLS.

1.    Run the openssl command as follows from an EC2 Linux instance launched from an Amazon Linux Amazon Machine Image (AMI).

Be sure to replace the endpoint with the Amazon SES endpoints you're using.

openssl s_client -crlf -connect email-smtp.us-east-1.amazonaws.com:465 
openssl s_client -crlf -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:587

Note: If the location of the default CA bundle file has been modified, you might experience problems running these commands.

2.    Note the output. The expected responses for the commands in the previous step are SMTP 220 and SMTP 250.

Troubleshoot SMTP 420/421 timeout errors

If the TCP connection is established and SSL/TLS negotiations are successful but the Amazon SES server sends an SMTP 420/421 timeout error, this means that the connection was idle. This error typically only occurs when you try to send email manually using openssl.

Note: If you experience this error when using an email application, be sure to review the application's logic.

Create a test email as follows to improve manual SMTP testing.

1.    Create a test email message as follows.

Be sure to replace the email address with one for your domain name.

cat >message.txt <<EOF
From: Verified Address <example-user@example.com>
To: success@simulator.amazonses.com
Subject: Curl Test

This is a Test Email by CURL Agent.
EOF

Important: Be sure to leave an empty line after the Subject line.

2.    Note the output.

3.    Depending on the port you're using to send the email, run one of the following curl commands with your SMTP credentials (note that base64-encoding isn't required) as follows:

curl -v --mail-from 'verified_address@customersdomain.com' --mail-rcpt 'success@simulator.amazonses.com' --user 'SMTP-USERNAME:SMTP-SECRET-KEY' --ssl-reqd 'smtp://email-smtp.us-east-1.amazonaws.com:587' -T ./message.txt
curl -v --mail-from 'verified_address@customersdomain.com' --mail-rcpt 'success@simulator.amazonses.com' --user 'SMTP-USERNAME:SMTP-SECRET-KEY' --ssl-reqd 'smtp://email-smtp.us-east-1.amazonaws.com:25' -T ./message.txt
curl -v --mail-from 'verified_address@customersdomain.com' --mail-rcpt 'success@simulator.amazonses.com' --user 'SMTP-USERNAME:SMTP-SECRET-KEY' 'smtps://email-smtp.us-east-1.amazonaws.com:465' -T ./message.txt

4.    Note the output.

5.    If your SMTP credentials are valid, the test email is sent successfully.

If Postfix, IIS SMTP, or your custom application receives a 530/535 authentication error, review your application's configuration for errors.
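
The three checks above (TCP connect, SSL/TLS negotiation, SMTP reply) can be run in one pass to show which stage fails. The following is an added example, not code from AWS; the names probe and IMPLICIT_TLS_PORTS are hypothetical, and treating a socket error that occurs after a successful TCP connect as a TLS-stage failure is an assumption.

```python
import smtplib
import socket
import ssl

IMPLICIT_TLS_PORTS = {465, 2465}  # "TLS Wrapper" ports; others use STARTTLS


def probe(host, port, timeout=10):
    """Return (stage, detail) where stage is 'tcp', 'tls', 'smtp' or 'ok'."""
    # Stage 1: bare TCP connect, the same check as `nc -vz host port`.
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except OSError as exc:  # timed out, refused, unreachable, DNS failure
        return "tcp", repr(exc)

    # Stages 2 and 3: TLS with certificate and hostname verification, then EHLO.
    ctx = ssl.create_default_context()
    client = None
    try:
        if port in IMPLICIT_TLS_PORTS:
            client = smtplib.SMTP_SSL(host, port, local_hostname="localhost",
                                      timeout=timeout, context=ctx)
        else:
            client = smtplib.SMTP(host, port, local_hostname="localhost",
                                  timeout=timeout)
            client.starttls(context=ctx)
        code, reply = client.ehlo()
        return ("ok" if code == 250 else "smtp"), f"{code} {reply!r}"
    except smtplib.SMTPResponseException as exc:  # e.g. a 421 banner
        return "smtp", f"{exc.smtp_code} {exc.smtp_error!r}"
    except (smtplib.SMTPNotSupportedError, ssl.SSLError) as exc:
        return "tls", repr(exc)  # STARTTLS not offered, or handshake/cert failure
    except smtplib.SMTPServerDisconnected as exc:  # server dropped the session
        return "smtp", repr(exc)
    except OSError as exc:  # assumption: TCP was fine, so the handshake stalled
        return "tls", repr(exc)
    finally:
        if client is not None:
            client.close()


if __name__ == "__main__":
    for p in (587, 465):
        print(p, *probe("email-smtp.us-east-1.amazonaws.com", p))
```

A "tls" result that mentions certificate verification points at the CA bundle issue noted in the SSL/TLS section rather than at the network path.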



Published: 2018-09-26