Amazon SES 403 Forbidden

BackOffice

Hello,

I have an Amazon SES account out of sandbox with a 50 000 approved daily limit. I have searched this forum but was not able to find an appropriate solution.

Error:
Error executing "SetIdentityFeedbackForwardingEnabled" on "https://email.eu-west-1.amazonaws.com"; AWS HTTP error: Client error: `POST https://email.eu-west-1.amazonaws.com` resulted in a `403 Forbidden` response:
<ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
<Error>
<Type>Sender</Type>
<Code>SignatureDo (truncated...)
SignatureDoesNotMatch (client): The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. - <ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
</Error>
<RequestId>189be22f-e5c4-11e8-8461-5fda6e9205f0</RequestId>
</ErrorResponse>

I am using the Amazon SES Web API.
NTP is installed on the server and the IAM user has the permissions below:

- AdministratorAccess
- AmazonSESFullAccess
- AmazonCognitoPowerUser
- AmazonSNSFullAccess
- PowerUserAccess
 
@BackOffice - I can only give you hints based on the error we can see, which is:
Code:
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
</Error>
And generally, when the signature does not match, it is because of the time difference between the servers.

Other than this, I don't know what to advise you, maybe generate a new set of keys and see if that makes any difference.
 
Ok, so it is different. If I understand correctly, I need to sync my server time with my Amazon endpoint Europe (Ireland) time?
Please advise how to do so, because I am totally confused: Amazon is recommending to use chrony and their IP address rather than NTP (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-time.html)

I also searched Google and your forum for a relevant solution but was not able to find a guide or tutorial. I am using CentOS 7.
 
I don't know how to uninstall NTP on CentOS 7 and also the IP 169.254.169.123 mentioned on the page doesn't seem to work for me.

210 Number of sources = 5

.-- Source mode '^' = server, '=' = peer, '#' = local clock.
/ .- Source state '*' = current synced, '+' = combined , '-' = not combined,
| / '?' = unreachable, 'x' = time may be in error, '~' = time too variable.
|| .- xxxx [ yyyy ] +/- zzzz
|| Reachability register (octal) -. | xxxx = adjusted offset,
|| Log2(Polling interval) --. | | yyyy = measured offset,
|| \ | | zzzz = estimated error.
|| | | \
MS Name/IP address Stratum Poll Reach LastRx Last sample
===============================================================================
^? 169.254.169.123 0 8 0 - +0ns[ +0ns] +/- 0ns
^* stratum2-2.NTP.TechFak.N> 2 7 377 115 -1709us[-1514us] +/- 14ms
^- fra1.m-d.net 2 6 377 51 -1310us[-1310us] +/- 90ms
^+ ntp1.wtnet.de 2 7 377 114 +5271us[+5271us] +/- 21ms
^- time.sunrise.net 3 7 377 115 +1183us[+1378us] +/- 36ms

Since Sunday I have been trying to find the solution for my case.
 
Thank you, finally I have synced all the data and the time is exactly the same as on my Amazon endpoint Europe (Ireland), but I still get exactly the same error in my MailWizz interface.
 
Kindly assist on this one. I do understand that the issue seems not directly linked with MailWizz and it may seem out of your support scope.
But when I trace the issue on Google based on the error message, all the replies from other sources are pointing at wrong credentials or config and none of them points to time sync.

Therefore, can you kindly check if there is any issue in the API code by trying to submit Amazon credentials from your end (if needed I can share my credentials).

And also, in case I am doing something wrong or chrony is not the correct way of thinking time, more details about NTP from your side will be much appreciated.

Unfortunately, based on the quantities of my email database and budget, I can only afford Amazon SES at the moment, I really do depend on it.
 
Hello. This same problem started with me yesterday. Until now I am unable to find a solution. It was working normally until yesterday. Reputation is ok, no problem at all. With the existing API credential I am able to send confirmation emails but customers can't send campaigns. It returns an error saying the delivery server is temporarily stopped. When I tried to create a new API credential, with the same permissions as the current one, it returns the "403 Forbidden" error. I think this is not an isolated problem, Twisted. Maybe you should take action to check if everything is ok with the API. Please understand that Amazon announced yesterday the change of tax timing of their services. Maybe this has changed something within the API working process. Thank you.
 
@BackOffice / @Bruno - I am not sure there's anything I can particularly do. As far as we know, the issue is caused by desynchronized time on the servers vs what Amazon expects. Their solution is to install/set up ntp/chrony to make it work, that's something which is not related to MailWizz so that's where our help stops.
 
Hey Serban. Now I was able to validate the server but customers are still not able to send. It says the delivery server is temporarily disabled. Did you have this problem before? What can it be? Is there any way to track the communication between MailWizz and the Amazon servers using the API? To see what kind of error is returned, instead of the generic one from the client side.
 
Hey Serban. After a lot of research and tests I was able to find the problem. It's nothing related to the API, because the same issue with the message saying "The email delivery is temporarily disabled" was happening also with the PHPMail delivery server. To fix the issue I had to "reset" the sending quota of the customer. The problem here is that the customer quota usage was at 25%. This is happening to all the customers. Some customers have used 48%, others 8%. This doesn't make sense. This will mess up the customers' quota and will allow them to have free usage. Why did this happen, Serban?
 
*removed due to Serban recommendation.

@twisted1919 I just sent you an email to support@, please take a look on your side regarding the quota issue.

Thank you very much.
 
@BackOffice / @Bruno - I am not sure there's anything I can particularly do. As far as we know, the issue is caused by desynchronized time on the servers vs what Amazon expects. Their solution is to install/set up ntp/chrony to make it work, that's something which is not related to MailWizz so that's where our help stops.
The issue is that, as mentioned above, based on the error message from the MailWizz system I can't track any comments troubleshooting time synchronization issues. All the sources from Google are referring to wrong credentials, advising to check if there are any extra spaces in digits etc.

Since you already have support for the Amazon SES API, is it so hard to create one guide with full details on how to solve common issues like mine?

Can we also talk in more detail about this issue? Since you have experience with them, I believe it will be very easy for you to answer:
Do I need to just sync with NTP/Chrony or do I need to change the timezone as well?
In case I need to change the timezone, do I need to change the timezone on my server or in the script configuration as well?
Should the time match the Amazon USA server or do I need to sync it with the endpoint server time? (in my case Europe (Ireland))
Does the endpoint strictly need to be in my country or is it just for connection speed?
 
@BackOffice - I hear you, thing is that in 99% of the cases, the issue is wrong credentials, or good credentials but for the wrong geo zone. The remaining 1% is related to time sync. That's also what we can advise to fix, other than that, that's why Amazon offers support.

Do I need to just sync with NTP/Chrony or do I need to change the timezone as well?
Just sync, do not change the timezone.

In case I need to change the timezone, do I need to change the timezone on my server or in the script configuration as well?
No need for TZ changes.

Should the time match the Amazon USA server or do I need to sync it with the endpoint server time? (in my case Europe (Ireland))
No, the time on the server should stay UTC.

Does the endpoint strictly need to be in my country or is it just for connection speed?
It has to be closer to your server to have a lower latency.
 
Hello,
As a test I have changed my timezone to USA and I have received an error message linked to the time issue, which looks like the one below:

<Message>Signature not yet current: 20181121T000407Z is still later than 20181120T160908Z (20181120T160408Z + 5 min.)</Message>

After changing the timezone back to my server time I received the same error as in my first post, which means that the issue is not in the time, and not in the Key/Pass since I have checked it 100 times, I have even created new users and checked them again 100 times.
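
An added example, not part of the thread and not MailWizz or AWS SDK code: the Signature Version 4 key chain, showing that a different region or a stray space in the secret changes the signature even when the clock is right, plus a parser that reads the skew out of the "Signature not yet current" message quoted above. It assumes the client signs with SigV4 under the service name `ses`; the secret and request hash are constructed values, and `diagnose` with its whole-hour heuristic is a hypothetical helper.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta

def _h(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, amz_date, region, request_hash, service="ses"):
    """Derive the SigV4 signing key (secret -> date -> region -> service)
    and sign the string-to-sign; every input changes the result."""
    date = amz_date[:8]
    key = _h(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _h(key, part)
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])
    return _h(key, to_sign).hex()

TS = re.compile(r"\d{8}T\d{6}Z")

def skew_from_error(message: str) -> timedelta:
    """Signed time minus service time: the first timestamp in the message
    is the request's, the last (in parentheses) is the service's clock."""
    stamps = [datetime.strptime(s, "%Y%m%dT%H%M%SZ") for s in TS.findall(message)]
    if len(stamps) != 3:
        raise ValueError("not a SigV4 clock-skew message")
    return stamps[0] - stamps[2]

def diagnose(skew: timedelta, window=timedelta(minutes=5)) -> str:
    secs = skew.total_seconds()
    if abs(secs) <= window.total_seconds():
        return "clock within window: check secret, region, signing method"
    # Heuristic (assumption): an offset within a minute of whole hours points
    # at a timezone or hardware-clock setting rather than gradual drift.
    if abs(secs - round(secs / 3600) * 3600) <= 60:
        return f"timezone-like offset of {round(secs / 3600):+d} h"
    return f"clock drift of {secs:+.0f} s: fix NTP/chrony"

SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"  # constructed, not a real credential
REQ_HASH = hashlib.sha256(b"constructed canonical request").hexdigest()
ERR = ("Signature not yet current: 20181121T000407Z is still later than "
       "20181120T160908Z (20181120T160408Z + 5 min.)")  # text from the thread

if __name__ == "__main__":
    good = sigv4_signature(SECRET, "20181120T160408Z", "eu-west-1", REQ_HASH)
    print(good != sigv4_signature(SECRET, "20181120T160408Z", "us-east-1", REQ_HASH))
    print(good != sigv4_signature(SECRET + " ", "20181120T160408Z", "eu-west-1", REQ_HASH))
    print(diagnose(skew_from_error(ERR)))
```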
 