Amazon SES Web Api - SNS stuck in pending confirmation

Looks like the algorithm that the SNS Topic is using can be set when creating the SNS Topic. Which is happening here in the MW code: web/apps/common/models/DeliveryServerAmazonSesWebApi.php:309

So please change the the piece of code that comes after line 309 to this:

$result          = $this->getSnsClient()->createTopic([
'Name' => 'MWZSESHANDLER' . (int)$this->server_id,
 'Attributes' => [
'SignatureVersion' => \Aws\Sns\MessageValidator::SIGNATURE_VERSION_2

What I did, was to add the Attributes key where we set the signature based on this docs:

To test this, please remove the delivery server and try to re-validate it and re-do all the other steps that you did until now to check the signature.

It worked - we are almost there. I just did a test with new credentials and a new delivery server and it confirmed the subscription to the topic. The log is showing Algorithm: SHA256.

However, I sent a test campaign using the new delivery server to a couple of fake email addresses but the bounces do not show up in Mailwizz. They were processed successfully and show up in Amazon as bounces. And I checked Mailwizz crons, they are correctly set up.

I think maybe SHA1is used somewhere else in the code when it tries to get bounces/complaints or something like that.

Could you see where else this change might be needed? It looks like it is needed in the code that gets the bounces and the code that gets the complaints. Thank you.
Last edited:
@mwizz98 - the endpoint where bounces are sent and processed is the as the ione that confirms the subscription, in the DswhController in the processAmazonSes method.
if ($message['Type'] !== 'Notification') {
You can add some deugging to see if those bounces are ever sent to your endpoint.

We're doing the same in our tests and will get back to you with more info.

It worked
Well, this is progress!
It's strange I added log statements all over the place and it looks like it's not receiving any notifications for bounces because it's not logging anything. I'll wait to hear what you find out. The subscription is set up with SHA256 and perhaps it tries to use a different signature version for bounces and fails, just a guess.
We encountered also this issue with the bounces not being sent from AWS to MW. I think you should ask their support what is happening and why the bounces are not posted. A good start would be some logs inside AWS for those bounces notifications, but unfortunately we could not find any. Maybe you will have more luck, having an account with production access.

Just an update.

Today we ran a bunch of tests and we got proper results, we were able to get and process bounces when using v1 and v2 for signature version.
From next release, we included the ability to choose the version when creating delivery servers:
Screenshot 2024-03-25 at 12.01.06.png
This should cover all edge cases.
That is great news - if you can, please test it on a Redhat 9 Linux OS too, like Rocky Linux 9. Version 2 will be very useful to people who use Redhat 9 Linux and its variants, which will only increase as people upgrade. All other operating systems will probably drop SHA1 too like Redhat did. It's good that you solved this before it became a big issue.

Could you tell me when the update will be released?