AWS SES IAM policy restricting recipients does not work the way I expected



I am using AWS Simple Email Service (SES), but I want a very strict restriction policy. I want to set up a policy that

  • can only send email to the domain (mydomain)
  • from a specific email address (internal@mydomain.com)
  • using a specific configuration set (internalonly)

I have tried the entry below, but it does not restrict the recipients. I can't see what I am doing wrong.

I have been chewing on this for several days and need help. Can anyone point me in the right direction?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:999999999:identity/internal@mydomain.com",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "internal@mydomain.com"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": "*@mydomain.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:99999999999:configuration-set/internalonly",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "internal@mydomain.com"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": "*@mydomain.com"
                }
            }
        }
    ]
}

After applying the policy, I tested it using the details here: https://docs.aws.amazon.com/ses/latest/dg/send-email-smtp-client-command-line.html

Sample test file ses-internal.txt

EHLO mydomain.com
AUTH LOGIN
Base64EncodedSMTPUserName
Base64EncodedSMTPPassword
MAIL FROM: internal@mydomain.com
RCPT TO: internal@mydomain.com
DATA
X-SES-CONFIGURATION-SET: internalonly
From: PM Access <internal@mydomain.com>
To: luke@otherdomain.com
Subject: Amazon SES SMTP Test to luke
This message was sent using the Amazon SES SMTP interface.
.
QUIT

Test: this is where it should have blocked me from sending to luke@otherdomain.com

% openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.<region>.amazonaws.com:587 < ses-internal.txt
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.<region>.amazonaws.com
verify return:1
250 Ok
250-email-smtp.amazonaws.com
250-8BITMIME
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
334 VXNlcm5hbWU6
334 UGFzc3dvcmQ6
235 Authentication successful.
250 Ok
250 Ok
354 End data with <CR><LF>.<CR><LF>
250 Ok 01020184133e8041-ba607190-5bf0-4610-9280-bbc38b9cb074-000000
451 4.4.2 Timeout waiting for data from client.

Many thanks to @baduker for the suggestion

After more reading, I found the errors. A) "ses:Recipients" should be an array. B) There was a schoolboy SMTP error in the test file I was using: the "To:" field is part of the document, and the "RCPT TO" field is the real recipient.

Here is the complete solution

  1. The correct IAM rule:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:999999999999:identity/internal@mydomain.com",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "internal@mydomain.com"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": [
                        "*@mydomain.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "arn:aws:ses:eu-west-1:999999999999:configuration-set/internalonly",
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "internal@mydomain.com"
                },
                "ForAllValues:StringLike": {
                    "ses:Recipients": [
                        "*@mydomain.com"
                    ]
                }
            }
        }
    ]
}
  2. The correct test file
EHLO propertymonitor.com
AUTH LOGIN
Base64EncodedSMTPUserName
Base64EncodedSMTPPassword
MAIL FROM: internal@mydomain.com
RCPT TO: luke@otherdomain.com
DATA
X-SES-CONFIGURATION-SET: internalonly
From: PM Access <internal@propertymonitor.com>
Subject: Amazon SES SMTP Test to luke
This message was sent using the Amazon SES SMTP interface.
.
QUIT
  3. Command:
openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:587 < ses-internal-fail.txt
  4. Running it gives the desired result:
depth=4 C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
verify return:1
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify return:1
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok
250-email-smtp.amazonaws.com
250-8BITMIME
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
334 XXXXXX
334 YYYYYY
235 Authentication successful.
250 Ok
250 Ok
354 End data with <CR><LF>.<CR><LF>
554 Access denied: User `arn:aws:iam::999999999:user/ses-internal-user' is not authorized to perform `ses:SendRawEmail' on resource `arn:aws:ses:eu-west-1:999999999:identity/internal@mydomain.com'
451 4.4.2 Timeout waiting for data from client.
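To make the two findings above concrete (ses:Recipients is checked with ForAllValues:StringLike, and it is the SMTP envelope RCPT TO addresses, not the To: header inside DATA, that populate it), here is an added example that is not part of the original question or answer and is not AWS's policy engine. It is a simplified model: it parses a command-line SMTP test file like the ones above, builds the request context, and applies the StringLike / ForAllValues:StringLike conditions of the corrected policy. Assumptions are marked in the code: the account id is a placeholder, ses:FromAddress is taken from MAIL FROM for the purpose of the model, and the two SMTP scripts are constructed to mirror the original and corrected test files.

```python
"""Simplified model of the IAM evaluation behind the corrected SES policy.
Added example, not AWS code and not the asker's own. Demonstrates that only
the envelope recipients (RCPT TO) reach the ses:Recipients condition and how
ForAllValues:StringLike decides once they do."""
import fnmatch
import re

ACCOUNT = "999999999999"  # placeholder account id (assumption)
IDENTITY_ARN = f"arn:aws:ses:eu-west-1:{ACCOUNT}:identity/internal@mydomain.com"

# The corrected policy from the answer, reduced to the identity statement.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ses:SendRawEmail",
        "Resource": IDENTITY_ARN,
        "Condition": {
            "StringLike": {"ses:FromAddress": "internal@mydomain.com"},
            "ForAllValues:StringLike": {"ses:Recipients": ["*@mydomain.com"]},
        },
    }],
}

# Constructed SMTP scripts mirroring the original and corrected test files.
ORIGINAL_TEST = """\
MAIL FROM: internal@mydomain.com
RCPT TO: internal@mydomain.com
DATA
From: PM Access <internal@mydomain.com>
To: luke@otherdomain.com
Subject: test
.
QUIT
"""
FIXED_TEST = ORIGINAL_TEST.replace("RCPT TO: internal@mydomain.com",
                                   "RCPT TO: luke@otherdomain.com")


def parse_smtp_script(script):
    """Split an SMTP test file into the envelope (MAIL FROM / RCPT TO) and
    the To: header inside DATA; only the envelope reaches the IAM check."""
    env = {"mail_from": None, "rcpt_to": [], "header_to": []}
    in_data = False
    for raw in script.splitlines():
        line = raw.strip()
        if in_data:
            if line == ".":
                in_data = False  # end of the message body
            elif line.lower().startswith("to:"):
                env["header_to"].append(line[3:].strip())
            continue
        m = re.match(r"(MAIL FROM|RCPT TO):\s*<?([^>\s]+)>?", line, re.I)
        if m:
            if m.group(1).upper() == "MAIL FROM":
                env["mail_from"] = m.group(2)
            else:
                env["rcpt_to"].append(m.group(2))
        elif line.upper() == "DATA":
            in_data = True
    return env


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM StringLike wildcards (* and ?) map onto fnmatch; compare case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def condition_holds(condition, ctx):
    """Evaluate the subset of IAM condition operators used on this page."""
    for operator, tests in condition.items():
        for key, patterns in tests.items():
            values = _as_list(ctx.get(key, []))
            if operator == "StringLike":
                ok = len(values) == 1 and _matches(values[0], patterns)
            elif operator == "ForAllValues:StringLike":
                # Every request value must match a pattern; an empty set passes vacuously.
                ok = all(_matches(v, patterns) for v in values)
            elif operator == "ForAnyValue:StringLike":
                ok = any(_matches(v, patterns) for v in values)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Explicit Deny wins; otherwise at least one Allow statement must match."""
    decision = False
    for stmt in policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if not condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision


def evaluate_script(script, policy=POLICY):
    """Would the session be accepted under the policy? (Model only; the
    MAIL FROM -> ses:FromAddress mapping is an assumption of this model.)"""
    env = parse_smtp_script(script)
    ctx = {
        "ses:FromAddress": [env["mail_from"]] if env["mail_from"] else [],
        "ses:Recipients": env["rcpt_to"],
    }
    return is_allowed(policy, "ses:SendRawEmail", IDENTITY_ARN, ctx)


if __name__ == "__main__":
    for name, script in (("original", ORIGINAL_TEST), ("fixed", FIXED_TEST)):
        env = parse_smtp_script(script)
        verdict = "allowed" if evaluate_script(script) else "DENIED"
        print(f"{name}: RCPT TO={env['rcpt_to']} To:={env['header_to']} -> {verdict}")
```

Run stand-alone, the original script is allowed (its only envelope recipient is internal@mydomain.com, so the external address in the To: header never enters the evaluation), while the corrected script, whose RCPT TO is luke@otherdomain.com, is denied. Adding a second RCPT TO outside the domain to the original script is also denied, which is the ForAllValues behaviour the policy relies on.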

Could you try this policy and see whether the recipients are restricted?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AuthorizeAWS",
            "Effect": "Allow",
            "Resource": "arn:aws:ses:eu-west-1:999999999999:identity/internal@mydomain.com",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Condition": {
                "StringLike": {
                    "ses:FromAddress": "internal@mydomain.com"
                }
            }
        },
        {
            "Sid": "AuthorizeInternal",
            "Effect": "Allow",
            "Resource": "arn:aws:ses:eu-west-1:999999999999:identity/internal@mydomain.com",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail"
            ],
            "Condition": {
                "ForAllValues:StringLike": {
                    "ses:Recipients": "*@mydomain.com"
                }
            }
        }
    ]
}

Also, note that to use a configuration set when sending an email, you must pass the configuration set's name in the email's headers.
