
I am looking to build a secure SMTP Listener behind an NLB using ECS to host the listener. The application will read incoming messages, extract the data and store it in durable storage.

The requirements are pretty straightforward:

  • The SMTP Listener must be listening on an encrypted connection
  • The SMTP Listener must have a static IP which the Client will forward SMTP Messages to

The second requirement is leading me to NLB which exposes a static IP. But I was curious, is this even a possible architecture?

  1. Could I use a simple TLS connection between client and my listener?
  2. Can I terminate the TLS connection on the NLB which would forward the request on HTTP?


  • Any reason you couldn't use AWS SES email receiving actions to automatically store the messages in S3 and optionally process them with a Lambda? – akerra Aug 01 '23 at 19:46
  • I've used an NLB in front of an SMTP server before, but I can't remember if we did TLS termination at the NLB or the server. You would definitely be able to use the NLB in TLS passthrough mode, where the TLS certificate is served by the backend server. – Mark B Aug 01 '23 at 19:52
  • @akerra SES is not an approved service in our organization unfortunately – Dorian McAllister Aug 01 '23 at 20:11
  • @MarkB did you install a certificate using ACM on your NLB? – Dorian McAllister Aug 01 '23 at 20:12
  • @DorianMcAllister that's the part I said I don't remember. But I think we did not. – Mark B Aug 01 '23 at 20:26

1 Answer


Yes it's possible, but your requirements are a little strange.

The SMTP Listener must be listening on an encrypted connection

OK, SMTPS is a thing. Nobody uses it and very few MTAs implement it, but it's simple enough to use stunnel or similar. Or do you mean at the end of a VPN connection? Either way you're going to need some funky stuff at the client end too.

Why not just use STARTTLS like normal people?

Can I terminate the TLS connection on the NLB which would forward the request on HTTP?

No, SMTP is not HTTP. You could use Lambda in the middle, or script something. But what's the point - you still need an MTA to terminate the SMTP traffic.

symcbean
  • Interesting. I wasn't aware of STARTTLS - I just did some reading and it sounds like a very plausible use case. Would you be able to share some Java/NodeJS-based server code examples I can peruse? – Dorian McAllister Aug 01 '23 at 20:21
  • All this software is available OFF THE SHELF. So are code samples. – symcbean Aug 01 '23 at 23:22