back to phpList.org

Amazon SES new endpoint

I have a working phplist configuration which uses amazon-ses plugin and delivers mail without any issue for the api endpoint:
Europe (Ireland) eu-west-1 email.eu-west-1.amazonaws.com

However when I try with new api endpoint, it always fails:
Asia Pacific (Mumbai) ap-south-1 email.ap-south-1.amazonaws.com

I get the following error: InvalidClientTokenId The security token included in the request is invalid.

All necessary things are done for ap-south-1 endpoint, such as domain and email verification, moved away from sandbox.

Tried with different access id and secret, in every case eu-west-1 is working and ap-south-1 fails.

Asia Pacific (Mumbai) API endpoint is newly available SES endpoint.

Anybody face similar problems and any known workarounds?

1 Like

@andrewcv I get the same error trying to send on two new regions using the same access key and secret key

https://email.eu-west-2.amazonaws.com/
and
https://email.ap-south-1.amazonaws.com/

but does work for the original region

https://email.us-east-1.amazonaws.com/

@danwaterloo Dan, do you know the steps to be able to send from a different region?

I believe your access key and secret key are only authorized for one region at a time. I would suggest to generate a new access key and secret key for the other regions…
I.e. I am authorized to send from us-west-1, but the keys to do that do not work for other regions. You need to setup new keys authorizations to send from other regions.

@danwaterloo thanks for the response. I have tried creating a new access key but sending fails for both of the “new” regions. From what I can see access keys are independent of regions.

Oddly, I also verified my domain with another region us-west-2 (Oregon) and sending works for that region with the same access key and secret key. Maybe my account is limited to the US regions but I cannot see that mentioned anywhere.

@andrewcv @danwaterloo I think that the problem is with the version of the AWS signature that the code uses. It uses version 2, and the new regions require version 4

https://docs.aws.amazon.com/general/latest/gr/signature-version-2.html

Hi @duncanc, Thanks for figuring this out…

Dan

@andrewcv @danwaterloo There is a new release, 1.3.0, of the plugin that uses AWS signature version 4, instead of version 2. That works for me with the “new” regions as well as the old ones.

You can update the Amazon SES plugin on the Manage Plugins page but you also need to update Common Plugin as well to version 3.12.0. Or you can continue using your currently installed plugins if you want to.

There is an additional field on the Settings page for the region, e.g. ap-south-1.