Testing Amazon SES SMTP with OpenSSL

Over the last few months, we have been using Amazon Simple Email Service (SES) as our default mail service at fluig Identity. Like any other SMTP service, AWS SES requires a username and password for authentication, but because SES is an AWS service, those credentials are derived from IAM credentials: the Access Key ID is the username, and the password is computed from the Secret Access Key with HMAC-SHA256.

This tutorial shows how to talk to the AWS SES SMTP interface through OpenSSL, so you can troubleshoot IAM problems before setting the credentials up in your application.

For this example, AKIAIOSFODNN7EXAMPLE will be our Access Key ID, wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY our Secret Access Key and noreply@malucelli.net the e-mail address registered and verified in AWS SES.

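To create the password, we sign the fixed string SendRawEmail with HMAC-SHA256, using the Secret Access Key as the key, then prepend the version byte 0x02 and base64-encode the result. The Python script below does this.

#!/usr/bin/env python

import base64, hmac, hashlib, sys

# HMAC-SHA256 over the fixed message "SendRawEmail", keyed with the Secret Access Key
signature = hmac.new(sys.argv[1].encode('utf-8'), b'SendRawEmail', digestmod=hashlib.sha256).digest()

# Prepend the version byte 0x02 and base64-encode the result
print(base64.b64encode(b'\x02' + signature).decode('ascii'))

Now run the script with the Secret Access Key as its argument, and it prints the password derived with HMAC-SHA256. With a real key, keep in mind that a command-line argument ends up in your shell history and is visible in the process list.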

$ python encode.py "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY"
AlRfBgIG4YXDUfEVX5UTIZKnYjvlGay7eQtqp1ifwd7Z

To communicate with the AWS SES SMTP interface, both the username and the password need to be encoded in base64, as you can see below.

$ echo -n "AKIAIOSFODNN7EXAMPLE" | base64
QUtJQUlPU0ZPRE5ON0VYQU1QTEU=

$ echo -n "AlRfBgIG4YXDUfEVX5UTIZKnYjvlGay7eQtqp1ifwd7Z" | base64
QWxSZkJnSUc0WVhEVWZFVlg1VVRJWktuWWp2bEdheTdlUXRxcDFpZndkN1o=

The communication also needs to use Transport Layer Security (TLS), so we will use openssl rather than telnet.

In the example below, we open an SMTP connection, authenticate with our encoded IAM credentials, and send a simple message to myself.

$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.us-east-1.amazonaws.com:587

HELO malucelli.net
AUTH LOGIN
QUtJQUlPU0ZPRE5ON0VYQU1QTEU=
QWxSZkJnSUc0WVhEVWZFVlg1VVRJWktuWWp2bEdheTdlUXRxcDFpZndkN1o=
MAIL FROM: <noreply@malucelli.net>
RCPT TO: <alexandre@malucelli.net>
DATA
Hi, this is a example mail.
.
QUIT
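
The derivation and encoding steps above in one script, as an added example rather than the author's code (function names are my own). It goes beyond the text by also implementing the Signature Version 4 chain from AWS's SES documentation for SMTP passwords (constants `11111111`, `ses`, `aws4_request`, version byte `0x04`), and by reading the version byte back from a password to tell which scheme produced it.

```python
import base64
import hashlib
import hmac


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password_v2(secret_key: str) -> str:
    """Scheme from the text: base64(0x02 || HMAC-SHA256(secret, "SendRawEmail"))."""
    digest = _hmac(secret_key.encode("utf-8"), "SendRawEmail")
    return base64.b64encode(b"\x02" + digest).decode("ascii")


def smtp_password_v4(secret_key: str, region: str) -> str:
    """Signature Version 4 chain from AWS's SES documentation (version byte 0x04)."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in ("11111111", region, "ses", "aws4_request", "SendRawEmail"):
        key = _hmac(key, part)
    return base64.b64encode(b"\x04" + key).decode("ascii")


def password_version(smtp_password: str) -> int:
    """Return the version byte after checking the 1 + 32 byte layout."""
    raw = base64.b64decode(smtp_password, validate=True)
    if len(raw) != 33:
        raise ValueError("expected 1 version byte + 32-byte HMAC-SHA256 digest")
    return raw[0]


def auth_login_lines(access_key_id: str, smtp_password: str) -> list:
    """The two base64 lines sent after AUTH LOGIN: username, then password."""
    return [base64.b64encode(v.encode("ascii")).decode("ascii")
            for v in (access_key_id, smtp_password)]


if __name__ == "__main__":
    # Example credentials from the text, not real keys.
    access_key = "AKIAIOSFODNN7EXAMPLE"
    secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY"
    for pw in (smtp_password_v2(secret), smtp_password_v4(secret, "us-east-1")):
        print("version", password_version(pw), *auth_login_lines(access_key, pw))
```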

This saved me time while we were implementing AWS SES, where I could test IAM credentials before setting them up in our applications. I hope this helps you as well.


Alexandre Guimarães Malucelli

Alexandre Guimarães Malucelli is a Site Reliability Engineer and a DevOps Engineer at TOTVS. His main goal is to help growing companies on how to scale their business at Amazon Web Services.

