SMTP server to relay emails via AWS SES API using IAM roles.
AWS SES provides both an API and an SMTP interface to send emails.
The SMTP interface is useful for applications that must use SMTP to send emails, but it requires providing a set of SES SMTP Credentials.
For security reasons, using IAM roles is preferable, but only possible with the SES API and not the SMTP interface.
This is where this project comes into play, as it provides an SMTP interface that relays emails via SES API using IAM roles.
This repository provides a sample Dockerfile to build and run the project in a container environment.
A prebuilt Docker image is also available on Docker Hub:
docker pull blueimp/aws-smtp-relay
The aws-smtp-relay binary can be installed from source via go get:
go get github.com/blueimp/aws-smtp-relay
By default, aws-smtp-relay listens on port 1025 on all interfaces when started without arguments:
aws-smtp-relay
Available options can be listed the following way:
aws-smtp-relay --help
Usage of aws-smtp-relay:
  -a string
        TCP listen address (default ":1025")
  -c string
        TLS cert file
  -h string
        Server hostname
  -k string
        TLS key file
  -n string
        SMTP service name (default "AWS SMTP Relay")
  -s    Require TLS via STARTTLS extension
  -t    Listen for incoming TLS connections only
Edit the openssl config file and change localhost to your server hostname.
Generate a self-signed certificate with a passphrase encrypted key:
openssl req -new -x509 -config tls/openssl.conf -days 24855 \
-out tls/default.crt \
-keyout /dev/stdout |
openssl rsa -aes256 -out tls/default.key
Please note:
Encrypted key files are only supported if they contain a DEK-Info header, stating the encryption method used.
The openssl req command does not create this header if encryption is enabled, which is why we pipe the unencrypted key output to the openssl rsa command, which outputs an encrypted key file with the required DEK-Info header.
The key file passphrase must be provided as TLS_KEY_PASS environment variable:
TLS_KEY_PASS=$PASSPHRASE aws-smtp-relay -c tls/default.crt -k tls/default.key
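To check a generated key file against the DEK-Info requirement described above before deploying it, the following added example (not code from this project) uses Go's standard library legacy PEM functions. The names LoadLegacyEncryptedKey and SampleEncryptedKey are hypothetical, and the sample key and passphrase are constructed at run time.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// LoadLegacyEncryptedKey (hypothetical helper, not aws-smtp-relay's loader)
// decrypts a PEM key that carries a DEK-Info header and rejects any other.
func LoadLegacyEncryptedKey(pemBytes []byte, passphrase string) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if _, ok := block.Headers["DEK-Info"]; !ok {
		return nil, fmt.Errorf("%q block has no DEK-Info header", block.Type)
	}
	der, err := x509.DecryptPEMBlock(block, []byte(passphrase))
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	key, err := x509.ParsePKCS1PrivateKey(der) // catches a wrong passphrase that passed the padding check
	if err != nil {
		return nil, fmt.Errorf("parse after decrypt: %w", err)
	}
	return key, nil
}

// SampleEncryptedKey builds a constructed RSA key PEM with Proc-Type and DEK-Info headers.
func SampleEncryptedKey(passphrase string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key), []byte(passphrase), x509.PEMCipherAES256)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

func main() {
	pemBytes, _ := SampleEncryptedKey("constructed-passphrase")
	_, err := LoadLegacyEncryptedKey(pemBytes, "constructed-passphrase")
	fmt.Println("load error:", err)
}
```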
The AWS_REGION must be set to configure the AWS SDK, e.g. by executing the following command before starting aws-smtp-relay:
export AWS_REGION=eu-west-1
On EC2 or ECS, security credentials for the IAM role are automatically retrieved:
Requests are logged in JSON format to stdout with an empty Error property:
{
  "Time": "2018-04-18T15:08:42.4388893Z",
  "IP": "172.17.0.1",
  "From": "alice@example.org",
  "To": [
    "bob@example.org"
  ],
  "Error": ""
}
Errors are logged in the same format to stderr, with the Error property set:
{
  "Time": "2018-04-18T15:08:42.4388893Z",
  "IP": "172.17.0.1",
  "From": "alice@example.org",
  "To": [
    "bob@example.org"
  ],
  "Error": "MissingRegion: could not find region configuration"
}
First, clone the project via go get and then switch into its source directory:
go get github.com/blueimp/aws-smtp-relay
cd "$GOPATH/src/github.com/blueimp/aws-smtp-relay"
Please note:
This project relies on vgo for automatic dependency resolution.
To use the original go tool instead, export the following environment variable:
export GO_CLI=go
And install the project dependencies:
go get ./...
To build the project, run Make in the repository directory, which creates the aws-smtp-relay binary:
make
All components come with unit tests, which can be executed the following way:
make test
Sending mails can also be tested with the provided mail shell script:
echo TEXT | ./mail.sh -p 1025 -f alice@example.org -t bob@example.org
See also Testing Amazon SES Email Sending.
The binary can also be built and installed in $GOPATH/bin/ with the following command:
make install
The uninstall command removes the binary from $GOPATH/bin/:
make uninstall
To remove any build artifacts, run the following:
make clean
Includes the smtpd package by Mark Hale.
Released under the MIT license.