Does Amazon SES Signature Version 4 break phpList?

bLight · April 4, 2021, 3:17pm

Hi, I’ve recently received this eMail from Amazon after previously (successfully) using PHP List with the “AWS_ACCESSKEYID/AWS_SECRETKEY/AWS_POSTURL” configuration parameters:

Amazon Simple Email Service (SES) had extended support for Signature Version 3 to February 28th, 2021. To continue to use Amazon SES, you must migrate to Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers.

We have identified that, between 2021-03-22 and 2021-03-29, your AWS account [REDACTED] used Signature Version 3 to call Amazon SES APIs in the eu-west-1 Region.

Your Signature Version 3 requests were identified to be originating from:
- IAM Users: arn:aws:iam::[REDACTED]:user/[REDACTED]
- IPs: [REDACTED]
- User Agents: phpList (phpList version 3.5.2, https://www.phplist.com/)

Your Signature Version 3 requests were identified to be using the following SES actions:
- APIs: SendRawEmail

Example Request ID using Signature Version 3: [REDACTED]

You can identify API requests that use Signature Version 3 by looking at the request headers. Requests that use the Signature Version 3 resemble the following example (note the "AWS3"):
X-Amzn-Authorization: AWS3-HTTPS AWSAccessKeyId=[REDACTED],Algorithm=HMACSHA256,Signature=[REDACTED] ...

To move to Signature Version 4:
- If you are self-signing your requests, refer to our documentation for Authenticating requests to the Amazon SES API [1] and creating a canonical request for Signature Version 4 [2].
- If you are not self-signing your requests, simply update your SDK/CLI to the latest version.

The Amazon SES team will update the request information weekly and will stop notifications once we identify that Signature Version 3 is no longer being used from your account.

[1] https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html
[2] https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

Sincerely,
Amazon Web Services

What does this eMail mean in my context, do I need to supply new values for the phpList config parameters from Amazon or is phpList’s SES functionality broken by this change?

Anything else I should know?

duncanc · April 4, 2021, 4:27pm

@bLight I think you are right about the core phplist functionality. That uses the version 3 signature.

You should install the Amazon SES plugin instead, which does use the version 4 signature.
See https://resources.phplist.com/plugin/amazonses

bLight · April 4, 2021, 4:34pm

Thank you, I will check out the plugin.

Any idea if/when v4 sig support is coming to the core phplist functionality? I would prefer to use core functionality.