AWS ses medium security documentation change
Summary
Added note requiring public SMTP endpoints for SES SMTP relay and updated recipient verification examples
Security assessment
The change explicitly mandates public SMTP endpoints (private endpoints not supported) and emphasizes credential requirements. This clarifies security configuration requirements to prevent misconfigurations that could lead to unauthorized access or delivery failures.
Diff
diff --git a/ses/latest/dg/eb-relay.md b/ses/latest/dg/eb-relay.md index 15c60a730..671a1b4c5 100644 --- a//ses/latest/dg/eb-relay.md +++ b//ses/latest/dg/eb-relay.md @@ -17 +17,5 @@ When your ingress endpoint receives email, it uses a traffic policy to determine -For example, you could use the _SMTPRelay action_ to send email from your ingress endpoint to your on-premise Microsoft Exchange Server. You would set up your Exchange server to have a public SMTP endpoint that can only be accessed using certain credentials. When you create the SMTP relay, you enter the server name, port, and credentials of your Exchange server and give your SMTP relay a unique name, say, "RelayToMyExchangeServer". Then, you create a rule in your ingress endpoint's rule set that says, "When _From address_ contains _'gmail.com'_ , then perform _SMTPRelay action_ using the SMTP relay called _RelayToMyExchangeServer_ ". +For example, you could use the _SMTPRelay action_ to send email from your ingress endpoint to your on-premise Microsoft Exchange Server. You would set up your Exchange server to have a _public_ SMTP endpoint that can only be accessed using certain credentials. When you create the SMTP relay, you enter the server name, port, and credentials of your Exchange server and give your SMTP relay a unique name, say, "RelayToMyExchangeServer". Then, you create a rule in your ingress endpoint's rule set that says, "When _From address_ contains _'gmail.com'_ , then perform _SMTPRelay action_ using the SMTP relay called _RelayToMyExchangeServer_ ". + +###### Note + +All SMTP endpoints you configure with Amazon SES SMTP relay must be public as private SMTP endpoints are not supported. @@ -54 +58 @@ To help illustrate this, we have provided examples of how to configure Google Wo -Ensure that the domains of your intended recipient destinations are SES verified domain identities. For example, if you want to deliver email to recipients [email protected]_ and [email protected]_ , both the _example.com_ and _acme.com_ domains need to be verified in SES. If a recipient domain is not verified, SES will not attempt to deliver the email to the public SMTP server. For more information, see [Creating and verifying identities in Amazon SES](./creating-identities.html). +Ensure that your intended recipient destinations are SES verified email identities. For example, if you want to deliver email to recipients [email protected]_ , [email protected]_ , [email protected]_ , and [email protected]_ , then we'd recommend that you verify the `example.com` and `acme.com` domains in SES. If a recipient destination is not verified, SES will not attempt to deliver the email to the public SMTP server. @@ -77 +81 @@ Outbound - 3. Setup authentication for your SMTP server by selecting one of your secrets from **Secret ARN**. _If you select a previously created secret, it must contain the policies indicated in the following steps for creating a new secret._ + 3. Setup authentication for your public SMTP server by selecting one of your secrets from **Secret ARN**. _If you select a previously created secret, it must contain the policies indicated in the following steps for creating a new secret._