Amazon SES Web Api - SNS stuck in pending confirmation

[twisted1919]

@mwizz98 - this will require a bit more testing on our end before we can give a definitive answer, we'll try to work on this today.

 

[ghimes]

Hello,
Looks like the algorithm that the SNS Topic is using can be set when creating the SNS Topic. Which is happening here in the MW code: web/apps/common/models/DeliveryServerAmazonSesWebApi.php:309

So please change the the piece of code that comes after line 309 to this:

$result          = $this->getSnsClient()->createTopic([
'Name' => 'MWZSESHANDLER' . (int)$this->server_id,
 'Attributes' => [
'SignatureVersion' => \Aws\Sns\MessageValidator::SIGNATURE_VERSION_2
    ]
]);

What I did, was to add the Attributes key where we set the signature based on this docs: https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-sns-2010-03-31.html#createtopic

To test this, please remove the delivery server and try to re-validate it and re-do all the other steps that you did until now to check the signature.

Cosmin

 

[mwizz98]

It worked - we are almost there. I just did a test with new credentials and a new delivery server and it confirmed the subscription to the topic. The log is showing Algorithm: SHA256.

However, I sent a test campaign using the new delivery server to a couple of fake email addresses but the bounces do not show up in Mailwizz. They were processed successfully and show up in Amazon as bounces. And I checked Mailwizz crons, they are correctly set up.

I think maybe SHA1is used somewhere else in the code when it tries to get bounces/complaints or something like that.

Could you see where else this change might be needed? It looks like it is needed in the code that gets the bounces and the code that gets the complaints. Thank you.

 

[twisted1919]

@mwizz98 - the endpoint where bounces are sent and processed is the as the ione that confirms the subscription, in the DswhController in the processAmazonSes method.
After:

if ($message['Type'] !== 'Notification') {
            app()->end();
            return;
        }

You can add some deugging to see if those bounces are ever sent to your endpoint.

We're doing the same in our tests and will get back to you with more info.

It worked

Well, this is progress!

 

[mwizz98]

It's strange I added log statements all over the place and it looks like it's not receiving any notifications for bounces because it's not logging anything. I'll wait to hear what you find out. The subscription is set up with SHA256 and perhaps it tries to use a different signature version for bounces and fails, just a guess.

 

[ghimes]

We encountered also this issue with the bounces not being sent from AWS to MW. I think you should ask their support what is happening and why the bounces are not posted. A good start would be some logs inside AWS for those bounces notifications, but unfortunately we could not find any. Maybe you will have more luck, having an account with production access.

Cosmin

 

[twisted1919]

Just an update.

Today we ran a bunch of tests and we got proper results, we were able to get and process bounces when using v1 and v2 for signature version.
From next release, we included the ability to choose the version when creating delivery servers:

This should cover all edge cases.

 

[mwizz98]

That is great news - if you can, please test it on a Redhat 9 Linux OS too, like Rocky Linux 9. Version 2 will be very useful to people who use Redhat 9 Linux and its variants, which will only increase as people upgrade. All other operating systems will probably drop SHA1 too like Redhat did. It's good that you solved this before it became a big issue.

Could you tell me when the update will be released?

 

[twisted1919]

Could you tell me when the update will be released?

Next week at some point I believe. However, we can provide you the patch file in case you can't wait till then, just ask it via a support ticket

 

[mwizz98]

No worries, I will just wait for the release. Thank you for the excellent support.

 

[mwizz98]

Is the patch release coming out soon? Thanks!

 

[twisted1919]

It's been inluced in the latest release already available for download

 

[mwizz98]

I just updated to 2.4.6 and created a new delivery server using V2 signature and created a new access key in aws.

The subscription gets confirmed just fine.

I sent a few test campaigns to fake emails to test the bounces. The bounces show up in aws but not in Mailwizz.

It looks like the confirmation process is fixed, but not the part where it gets the bounces.

Could you look into it? Thanks.

 

[ghimes]

Hello,
Can you please check your MW Application logs to see if you get anything from AWS? If the message validation fails there should be something n the log.

 

[mwizz98]

I just doublechecked Mailwizz, and the bounces now appear. They took a long time to show up,

test #1

Email sent: 4/28/24, 1:02 AM
Bounce time: 4/28/24, 3:32 PM

test #2

Email sent: 4/28/24, 1:25 AM
Bounce received: 4/28/24, 4:52 PM

The delay is because of the nature of the bounce: smtp; 550 4.4.7 Message expired: unable to deliver in 840 minutes.<421 4.4.0 Unable to lookup DNS...

Mailwizz seems to be fine.

Thanks!