[SOLVED] SES plugin failing with InvalidClientTokenId

Never mind, user error, see last post.

Not deleting any text, in case this thread helps others searching for answers. Read the settings screen closely!


I recently installed phpList 3.3.1 and immediately want to switch from using my Web host’s mail support to Amazon SES. I installed and activated the Amazon SES plugin (1.2.0+20170929), created a new IAM user, and copied the credentials to the plugin settings. I also added the relevant (Oregon) API endpoint to the plugin settings.

Trying to send a test message fails, always with InvalidClientTokenId errors like so:

MailSender http code: 403, result: HTTP/1.1 100 Continue HTTP/1.1 403 Forbidden x-amzn-RequestId: 8ea62136-d981-11e7-b621-ed8a74b2cdf4 Content-Type: text/xml Content-Length: 304 Date: Tue, 05 Dec 2017 06:00:12 GMT Connection: close Sender InvalidClientTokenId The security token included in the request is invalid 8ea62136-d981-11e7-b621-ed8a74b2cdf4 , curl error:

(Sorry, I don’t know a better way to share that here other than copying and pasting from System->Log of Events.)

I’ve tinkered with various permissions for the IAM user in AWS, including copying from an IAM user that I’ve successfully used before for sending mail through SES, but no matter what I do I always get the 403 error with InvalidClientTokenId being the apparent root cause. I did verify that there is no leading or trailing space in the credentials in the plugin settings. I also deleted the first IAM user that I created for this and created a new one, just to get a fresh start in case I’d done something wrong the first time, but still no change. Oh, also, I verified that the “from” email address I’m using in phpList is verified in SES.

I don’t think this is a bug, I’m assuming I have something configured wrong, but I don’t know where to look/what to adjust. As with much of AWS, SES is non-trivial to configure, but at this point I don’t know if I’ve done something wrong in AWS, in phpList, or in the plugin.

@Crenel84 I think that this is the area where you create a new access key within IAM


It might be an idea to create a new access key with a new secret key.

Thank you, I gave that a try. Same result. I also deleted and re-added the identity policy giving the relevant IAM user (with the new keys) SendEmail and SendRawEmail permissions for the verified email address I’m using as the “from” address. Same result.

Apparently it’s time to take a break because Comcast keeps dumping my connection. :unamused: Hard to debug what you can’t access!

Took a new approach. I have an existing IAM user (not an actual person, just a specific subset of permissions and keys) that I’m already using to send email in other ways, albeit via SMTP. I figured I would try adding a new set of keys to that user, instead of having a new user just for phpList. Alas, same result - 403 error with “InvalidClientTokenId The security token included in the request is invalid” at the heart of it.

So, I set up a new IAM user to try one more fresh start but, again, got nowhere. For some reason AWS is rejecting what is being sent to it, but I can find nothing on the AWS side that would indicate a problem. All I see on that side is that the phpList-only IAM user has never accessed anything, i.e., all of the calls are failing and – as far as AWS is concerned – that identity has never been used in any manner.

I think this is a dead end for me. I might try to set up phpList directly to use SES via SMTP, although the API seemed like the correct or more elegant solution than SMTP. If that doesn’t work, I’m going to have to ditch phpList entirely – not fun after sinking so many hours into it, but I’m way behind on the project this was supposed to support and I can’t keep monkeying around with it feeling like I’m half blind as I muddle with various settings.

Or maybe it’s all a “PEBKAC” error. Argh…

So… other things present the Access ID key first and the secret key second, and I originally tried configuring this when I was low on sleep, so I totally missed that the plugin prompts for the secret key first and the ID key second.

Switched the values, everything appears to be working normally. Sorry for the waste of time/forum space.

I have just changed the order of the two fields on the Settings page. That won’t help you now but might stop someone else making a similar mistake in the future.

1 Like