Amazon EC2/SES SMTP Timeout
Amazon Simple Email Service (Amazon SES) Simple Mail Transfer Protocol (SMTP) is timing out. How do I resolve SMTP connectivity or timeout errors with Amazon SES?
Troubleshoot the application's TCP connection
1. Run the following telnet or netcat (nc) commands, replacing email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using:
telnet email-smtp.us-east-1.amazonaws.com 587 telnet email-smtp.us-east-1.amazonaws.com 25 telnet email-smtp.us-east-1.amazonaws.com 465 nc -vz email-smtp.us-east-1.amazonaws.com 587 nc -vz email-smtp.us-east-1.amazonaws.com 25 nc -vz email-smtp.us-east-1.amazonaws.com 465
2. Note the output.
If the connection is successful, then the telnet command returns an output similar to the following:
Trying 22.214.171.124... Connected to email-smtp.us-east-1.amazonaws.com. Escape character is '^]'. 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-A12BCD3EF example0mJncW410pSau
Note: If the connection is successful, then proceed to the Troubleshoot SSL/TLS negotiations section below.
If the connection times out, then the telnet command returns an output similar to the following:
Trying 126.96.36.199... telnet: connect to address 188.8.131.52: Connection timed out
Note: If the connection times out, then proceed to the next step.
3. Confirm that your local firewall rules, routes, and access control lists (ACLs) allow traffic on the SMTP port that you're using. Also, confirm that your sending application has access to the internet.
For example, if you're using an Amazon EC2 instance to send emails and connect to the SMTP endpoint, then verify the following:
- The security group outbound (egress) rules must allow traffic to the SMTP server on TCP port 25, 587, or 465.
- The network ACL outbound (egress) rules must allow traffic to the SMTP server on TCP port 25, 587, or 465.
- The network ACL inbound (ingress) rules must allow traffic from the SMTP server on TCP ports 1024-65535.
- The EC2 instance must have internet connectivity.
Troubleshoot SSL/TLS negotiations
If you're still having connectivity or timeout issues after troubleshooting the TCP connection, then check if there are problems with SSL/TLS.
1. From an Amazon EC2 Linux instance, run the openssl command, replacing email-smtp.us-east-1.amazonaws.com with the Amazon SES SMTP endpoint that you're using:
Note: For Amazon EC2 Windows instances, see Test your connection to the Amazon SES SMTP interface using the command line and choose the PowerShell tab.
openssl s_client -crlf -connect email-smtp.us-east-1.amazonaws.com:465 openssl s_client -crlf -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:587
Note: If you've modified the location of the default certificate authority (CA), you might experience problems running these commands. Be sure to identify the location of the default CA bundle file when you installed openssl.
2. Note the output. The expected responses are SMTP 220 and SMTP 250.
3. If you don't get the expected output, then check the following:
- Verify that the SSL/TLS certificate store is configured correctly.
- Confirm that your sending application has the correct path to the certificate.
- Verify that the Amazon SES certificate is installed on your server.
Click Here to Visit