I tried to unblock port 25 on my ec2 instance so I could send emails and I was asked to provide this:

A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (Spam)

What does this mean, like what is an example of those security measures? I have no idea what I'm supposed to respond to with that. All I plan on doing is sending emails to verify email accounts and change passwords for user accounts on my website.

SirSpeciam
  • Have you considered using a service rather than have a local `sendmail` type process? Amazon has SES, Sendgrid, Gmail, etc. all have services that don't require you to be the sender. In all likelihood the vast majority of your emails will end up in spam folders because your EC2 is not on an approved sender list. See [this post](https://stackoverflow.com/questions/712392/send-email-using-the-gmail-smtp-server-from-a-php-page#2748837) for an example with GMail. – stdunbar Jun 18 '20 at 16:10

1 Answer

AWS actually restricts access to this port for security reasons. The suggestion is to try using another port if you can (for example, SES works over port 587 as well).

You can, however, request that this restriction be removed. To do this, you will need to do the following steps:

First, create a corresponding DNS A record:

  • If you're using Amazon Route 53 as your DNS service, either create a new resource record set that includes an A record, or update your existing resource record set to include a new A record.
  • If you're using a service other than Amazon Route 53, ask your DNS provider to create an A record for you.

Then, request AWS to remove the port 25 restriction on your instance:

  1. Sign in with your AWS account, and open the Request to Remove Email Sending Limitations form.
  2. In the Use Case Description field, provide a description of your use case.
  3. (Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound emails as well as any reverse DNS records that AWS needs to associate with the Elastic IP addresses. With this information, AWS can reduce the occurrences of emails sent from the Elastic IP addresses being marked as spam.
  4. Choose Submit.
Chris Williams
  • This is exactly what I did, and I got the response that I need to provide `A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (Spam)`. Also, it is impossible for me to force smtp to use any other port than port 25 and thus why I need to unblock it. I've changed php.ini settings, and postfix's settings and still no luck. – SirSpeciam Jun 18 '20 at 15:54
  • Provide information to ensure no one is going to be able to log in to your server to send spam basically. I.e. private instance, ssh key is restricted. That type of thing is what they are requesting – Chris Williams Jun 18 '20 at 16:01
  • I mean, I do not intend on letting anyone go into my ec2 instance. What do you mean by a restricted ssh key? I just have it saved on my computer to hop on the server. I'm sorry if I sound really stupid, I don't know that much about security. – SirSpeciam Jun 18 '20 at 16:32
  • Basically the AWS support team want to ensure that you have locked down your instance. So for example your security permissions for SSH/RDP are locked down to IP address ranges that you control. Additionally the pem key is restricted to a subset of people. Ideally the instance would be behind a load balancer too to distance between client and server. – Chris Williams Jun 18 '20 at 16:34
  • I do have a load balancer, and I'm the only one working on the ec2 instance so I'm the only one with the pem key. Could you explain further on the ip address range for ssh? Could I just set it to my ip therefore only a few select people can use ssh to get in? – SirSpeciam Jun 18 '20 at 16:37
  • Yes so things like setting the security group to restrict to your IP range is one of those measures. AWS just want to validate that you have not got an instance that could become compromised by a third party. You will also need to explain to them why your app cannot use another port for SMTP – Chris Williams Jun 18 '20 at 16:38
  • Okay thanks! I shall do that soon, and I’ll accept this as an answer due to the help from the comments. – SirSpeciam Jun 18 '20 at 16:47
  • No problem glad I could help, let me know if you need any additional support :) – Chris Williams Jun 18 '20 at 16:49
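
The comments above name restricting SSH/RDP in the security group to IP ranges you control as one of the measures AWS wants to see. The following is an added example, not part of the original thread: it checks security-group data in the shape returned by `aws ec2 describe-security-groups` and reports any rule that lets a source outside your own ranges reach SSH or RDP. The function name, group IDs, addresses and trusted range are assumptions made for the illustration.

```python
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

def exposed_admin_rules(security_groups, trusted_cidrs):
    """Return (group_id, service, cidr) for each ingress rule that lets a
    source outside trusted_cidrs reach SSH or RDP."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            # IpProtocol "-1" means all traffic and carries no port range.
            lo = 0 if proto == "-1" else perm.get("FromPort", 0)
            hi = 65535 if proto == "-1" else perm.get("ToPort", 65535)
            services = [n for p, n in ADMIN_PORTS.items() if lo <= p <= hi]
            if not services:
                continue
            # Only CIDR sources are checked; rules that reference another
            # security group (UserIdGroupPairs) are out of scope here.
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                ok = any(net.version == t.version and net.subnet_of(t)
                         for t in trusted)
                if not ok:
                    findings += [(group["GroupId"], s, cidr) for s in services]
    return findings

# Constructed sample in the shape of the "SecurityGroups" list from
# `aws ec2 describe-security-groups`; IDs and addresses are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example0web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-0example0all", "IpPermissions": [
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
TRUSTED = ["203.0.113.0/24"]  # assumed admin range (documentation prefix)

if __name__ == "__main__":
    for group_id, service, cidr in exposed_admin_rules(SAMPLE_GROUPS, TRUSTED):
        print(f"{group_id}: {service} reachable from {cidr}")
```

An empty result is the state to describe in the statement to AWS; any line printed is a rule to tighten first.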