In a previous blog post, we covered how to Maintain AWS Security with AWS Keys Rotation, and in this post, I’ll discuss AWS SMTP relay.
To ensure optimal security, the objective is to minimize the number of access keys in use by leveraging EC2 instance roles or AWS STS.
In our accounts, the only remaining IAM users and keys were the ones used for SES SMTP. Therefore, we needed a way to either rotate those keys or remove them completely, and my preference was to remove them completely.
Current AWS SMTP Relay Installations
In most of our current deployments, the default is to install a local Postfix configured with the SES access keys. Your applications talk to the local Postfix over SMTP, and Postfix then relays the mail to SES, again over the SMTP protocol.
This is how this process looks:
New AWS SMTP Relay Architecture
To avoid stored credentials, we leveraged the EC2 instance role and wrote code that translates SMTP directly into SES API calls.
To let any of our applications send email without changing the application itself, we created a small SMTP server that turns each SMTP transaction into an SES API call. This is where our aws-smtp-relay project currently stands.
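The translation step described above, as an added Python sketch that is not the project's Java code: one SMTP transaction (envelope plus DATA) becomes one ses:SendRawEmail call, which is also the only action the instance role needs. `ses_client` is assumed to be a boto3 SES client, replaced here by a constructed fake so the example runs offline; in a real deployment boto3 picks up the instance role credentials on its own.

```python
"""SMTP transaction -> ses:SendRawEmail request (added example, not aws-smtp-relay code)."""
from email import message_from_bytes
from email.policy import default


def build_send_raw_email_request(mail_from, rcpt_tos, data):
    """Translate one SMTP transaction into SendRawEmail parameters.

    The SMTP envelope is authoritative: SES delivers to `Destinations` (from RCPT TO),
    not to whatever the To:/Cc: headers claim, and `Source` (from MAIL FROM) must be
    an identity verified in the account and region, or SES rejects the call.
    """
    if not rcpt_tos:
        raise ValueError("no RCPT TO recipients in this transaction")
    msg = message_from_bytes(data, policy=default)
    # Bcc recipients are already in the envelope; an MTA strips the header so the
    # hidden recipients are never transmitted inside the message itself.
    if "Bcc" in msg:
        del msg["Bcc"]
    return {
        "Source": mail_from,
        "Destinations": list(dict.fromkeys(rcpt_tos)),  # de-duplicate, keep order
        "RawMessage": {"Data": msg.as_bytes()},
    }


class _FakeSesClient:
    """Constructed stand-in for boto3's SES client; records calls instead of sending."""

    def __init__(self):
        self.calls = []

    def send_raw_email(self, **params):
        self.calls.append(params)
        return {"MessageId": "constructed-msg-%d" % len(self.calls)}


def relay(ses_client, mail_from, rcpt_tos, data):
    """What the relay does at end of DATA: exactly one API call per SMTP transaction."""
    response = ses_client.send_raw_email(**build_send_raw_email_request(mail_from, rcpt_tos, data))
    return response["MessageId"]


# Constructed sample transaction: duplicate recipient in the envelope, Bcc in the headers.
SAMPLE_FROM = "app@example.com"
SAMPLE_RCPTS = ["alice@example.org", "bob@example.org", "alice@example.org"]
SAMPLE_DATA = (b"From: App <app@example.com>\r\nTo: alice@example.org\r\n"
               b"Bcc: bob@example.org\r\nSubject: Test\r\n\r\nHello\r\n")

if __name__ == "__main__":
    print(relay(_FakeSesClient(), SAMPLE_FROM, SAMPLE_RCPTS, SAMPLE_DATA))
```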
The project is a small Java program that you can drop onto your server as a .jar and launch with the following:
java -jar aws-smtp-relay.jar
usage: aws-smtp-relay
-b,--bindAddress <arg> Address to listen to
-c,--configuration <arg> AWS SES configuration to use
-h,--help Display this help
-p,--port <arg> Port number to listen to
-r,--region <arg> AWS region to use
With help from Nuxeo contributor Damien Metzler and external contributors Morgan Christiansson and Wilfried Martinache, we finished a Docker packaging that enables you to integrate this in your containerized infrastructure.
The Docker image is available on Docker Hub, and you can simply run it with:
docker run -p 10025:10025 loopingz/aws-smtp-relay
Finally, add this statement to your instance role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    }
  ]
}
Et voilà!
This project can be found on GitHub: https://github.com/loopingz/aws-smtp-relay. Please feel free to give us feedback or to contribute.