
I use Amazon SES to send transactional emails (using an SMTP connection) from my app and I want to improve the credentials security by restricting access from specific IPs.

I've created an IAM Policy for that and applied it to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "ses:SendRawEmail",
            "Resource": "*",
            "Condition": {
                "NotIpAddress": {
                    "aws:SourceIp": [
                        "1.2.3.4",
                        "5.6.7.8"
                    ]
                }
            }
        }
    ]
}

I also tried a broader version:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {
                "aws:SourceIp": [
                    "1.2.3.4",
                    "5.6.7.8"
                ]
            }
        }
    }
}

To my surprise, the user can still connect via SMTP from an unauthorized IP.

$mail = new \PHPMailer(true);

$mail->Host = SES_HOST;         // SES SMTP endpoint host
$mail->Port = SES_PORT;         // SMTP port of the SES endpoint
$mail->Username = SES_USERNAME; // SMTP account username
$mail->Password = SES_PASSWORD; // SMTP account password

...

if($mail->smtpConnect()) {
    echo 'WTF?';

    $mail->smtpClose();
}

I guess the IAM Policy restriction applies to the Amazon API, but not to direct SMTP connections. Am I wrong?

I looked for IP restrictions in the SES section of the Amazon web panel, but with no luck.

What am I missing?
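
Added example, not part of the original question: a local Python sketch of how the `Deny` + `NotIpAddress` condition in the policies above evaluates for a given action and request source IP. It models only the statement logic and does not show at which point of an SMTP session SES evaluates the policy; the function names and the 203.0.113.9 address are assumptions made for this example.

```python
import fnmatch
import ipaddress
import json

# First policy from the question, written as valid JSON (no trailing comma).
POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Deny",
   "Action": "ses:SendRawEmail",
   "Resource": "*",
   "Condition": {"NotIpAddress": {"aws:SourceIp": ["1.2.3.4", "5.6.7.8"]}}}]}
""")


def _as_list(value):
    """IAM accepts one value or a list for Statement, Action and condition values."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, source_ip):
    """Model only IpAddress / NotIpAddress on aws:SourceIp (all operators are ANDed)."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            raise ValueError(f"operator not modelled: {operator}")
        nets = [ipaddress.ip_network(cidr, strict=False)
                for cidr in _as_list(keys.get("aws:SourceIp", []))]
        in_list = any(ip in net for net in nets)
        if in_list != (operator == "IpAddress"):
            return False
    return True


def explicitly_denied(policy, action, source_ip):
    """True if a Deny statement matches the action and its condition holds."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                  for pattern in _as_list(stmt["Action"]))
        if hit and _condition_holds(stmt.get("Condition", {}), source_ip):
            return True
    return False


if __name__ == "__main__":
    for ip in ("1.2.3.4", "203.0.113.9"):  # second address is a constructed sample
        print(ip, "denied" if explicitly_denied(POLICY, "ses:SendRawEmail", ip) else "not denied")
```

A result of "not denied" only means no explicit deny matched; the request still needs an Allow from some other policy attached to the user.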
