drewblas / aws-ses

Provides an easy ruby DSL & interface to AWS SES
MIT License

Deprecate signature v2 and signature v3 authentication #83

Open sleg-aws opened 3 years ago

sleg-aws commented 3 years ago

AWS SES is deprecating those 2 signing methods for authentication. The only method supported in the future will be signature v4.

makrmark commented 3 years ago

I'm getting this warning from AWS but I'm already running version 0.7.1 (the advice in email is to update to latest).

sleg-aws commented 3 years ago

The latest version doesn't have https://github.com/drewblas/aws-ses/pull/82 merged, so as long as the code path you're taking in this lib is relying on sigv2, you'll get notifications from AWS.

makrmark commented 3 years ago

So, sorry, but when is #82 going to be merged for release?

sleg-aws commented 3 years ago

You don't need #82 to use sigv4. #82 is making it the default, but you can already have sigv4 calls with the current version of the lib by explicitly picking sigv4 by specifying :signature_version => 4 when creating AWS::SES::Base.new.

makrmark commented 3 years ago

Okay great thanks for this advice. However when I implemented this I got an error:

[ActiveJob] [ActionMailer::DeliveryJob] [e917a956-2340-43e0-a51d-a6553fbe2323] Error performing ActionMailer::DeliveryJob (Job ID: e917a956-2340-43e0-a51d-a6553fbe2323) from Async(mailers) in 1515.03ms: AWS::SES::ResponseError (IncompleteSignature - Request must contain a signature that conforms to AWS standards):

My initializer:

Rails.application.reloader.to_prepare do
  ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base,
    access_key_id: ENV['AMAZON_ACCESS_ID'],
    secret_access_key: ENV['AMAZON_SECRET_KEY'],
    signature_version: 4
end

When I remove signature_version: 4 everything works again.

sleg-aws commented 3 years ago

You're getting this error because something is off when AWS compares the signature computed server-side versus the signature computed in this lib. Try providing the region as well, it's used for sigv4 signature calculation (in 'sig_v4_auth_signature'). I don't particularly know this lib or Ruby, but I guess the sigv4 implementation may not be properly handling this, or something else (timestamp?).
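Why the region matters for a SigV4 signature, as an added example that is not part of the original thread and is not code from the aws-ses gem: the sketch below follows the standard SigV4 key derivation and shows that a signature computed for one region does not verify against another. The helper names, the placeholder secret and the sample request are constructed for illustration.

```ruby
require "openssl"

def hmac(key, data)
  OpenSSL::HMAC.digest("SHA256", key, data)
end

# SigV4 signing key: date, region and service are folded in one HMAC at a time.
def sigv4_signing_key(secret, date, region, service)
  k_date    = hmac("AWS4#{secret}", date)
  k_region  = hmac(k_date, region)
  k_service = hmac(k_region, service)
  hmac(k_service, "aws4_request")
end

# Hex signature over the string-to-sign; the region also appears in the scope.
def sigv4_signature(secret:, amz_date:, region:, service:, canonical_request:)
  date  = amz_date[0, 8]
  scope = "#{date}/#{region}/#{service}/aws4_request"
  string_to_sign = ["AWS4-HMAC-SHA256", amz_date, scope,
                    OpenSSL::Digest::SHA256.hexdigest(canonical_request)].join("\n")
  key = sigv4_signing_key(secret, date, region, service)
  OpenSSL::HMAC.hexdigest("SHA256", key, string_to_sign)
end

# Conceptual service-side check: recompute with the endpoint's own region
# and compare in constant time.
def service_accepts?(client_sig, endpoint_region:, **request)
  expected = sigv4_signature(region: endpoint_region, **request)
  OpenSSL.secure_compare(expected, client_sig)
end

# Constructed sample request (placeholder secret, not a real credential).
SAMPLE = {
  secret: "EXAMPLE-SECRET-NOT-REAL",
  amz_date: "20210301T120000Z",
  service: "ses", # SigV4 signing name for SES
  canonical_request: [
    "POST", "/", "",
    "host:email.us-east-1.amazonaws.com", "x-amz-date:20210301T120000Z", "",
    "host;x-amz-date",
    OpenSSL::Digest::SHA256.hexdigest("Action=SendEmail")
  ].join("\n")
}.freeze

right = sigv4_signature(region: "us-east-1", **SAMPLE)
wrong = sigv4_signature(region: "eu-west-1", **SAMPLE)
puts "us-east-1 signer accepted: #{service_accepts?(right, endpoint_region: 'us-east-1', **SAMPLE)}"
puts "eu-west-1 signer accepted: #{service_accepts?(wrong, endpoint_region: 'us-east-1', **SAMPLE)}"
```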

makrmark commented 3 years ago

Sadly this is not working for me. I was anyway on the default domain for SES. I tried a number of variations including the below (I added region: 'us-east-1' out of desperation).

Rails.application.reloader.to_prepare do
    ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base,
      access_key_id: ENV['AMAZON_ACCESS_ID'],
      secret_access_key: ENV['AMAZON_SECRET_KEY'],
      signature_version: 4,
      region: 'us-east-1',
      server: 'email.us-east-1.amazonaws.com',
      message_id_domain: 'us-east-1.amazonses.com'
end

However I still get the error. Any idea why this is the case?

gustianyuza commented 3 years ago

I also get an error like this. Has anyone solved this problem?

volonterx commented 3 years ago

@svmax provided solution for this in next issue: https://github.com/drewblas/aws-ses/issues/78 Worked for me.

Tried @svmax PR #79 - seems to work now without the error! Hopefully the AWS warning emails will come to an end now.

For reference for other interested parties:

  • I've added signature_version 4 to the credentials:
 ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base, secrets...ses_credentials.merge(signature_version: 4)

And referenced the fork as a Gem:

# TODO: https://github.com/drewblas/aws-ses/pull/79
gem "aws-ses", git: "https://github.com/zebitex/aws-ses.git", ref: "78-sigv4-problem"

Until version >= 0.7.2 is released.

makrmark commented 3 years ago

Thanks @volonterx - looks like that is far more significant than just adding signature_version: 4 into the options. Before I go using it though when can we expect the formal release? The Amazon emails suggest previous versions are already deprecated and I'm "in breach" by not using V4.

> Amazon Simple Email Service (SES) had extended support for Signature Version 3 to February 28th, 2021. To continue to use Amazon SES, you must migrate to Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers.

volonterx commented 3 years ago

@makrmark, here https://github.com/drewblas/aws-ses/issues/78#issuecomment-811270479 @dnalbach said that @drewblas has had no activity on GitHub since November '20, so it is highly likely that it will never be released. He also suggested using the official aws-sdk-rails gem. You can find examples of working with SES here: https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/ses-example-send-email.html And it uses signature v4 by default.

If, as a temporary solution, you want to use the "78-sigv4-problem" PR, make sure you provide :signature_version and :region in settings.

> looks like that is far more significant than just adding signature_version: 4 into the options

Yeah, as I can see from #79 diff it has changes in structure and format of data that are not compatible with signature v3.

makrmark commented 3 years ago

Thanks @volonterx that's good advice - I updated to the official gem now and all appears fine. Will monitor for further messages from AWS :-)

dorianmariecom commented 3 years ago

thanks everyone, to summarize:

in Gemfile:

gem "aws-ses",
    github: "zebitex/aws-ses",
    branch: "78-sigv4-problem",
    require: "aws/ses"

in config/initializers/amazon_ses.rb:

Rails
  .application
  .reloader
  .to_prepare do
    ActionMailer::Base.add_delivery_method(
      :ses,
      AWS::SES::Base,
      access_key_id: ENV["AWS_ACCESS_KEY_ID"],
      secret_access_key: ENV["AWS_SECRET_ACCESS_KEY"],
      signature_version: 4,
      region: ENV["AWS_SES_REGION"]
    )
  end

(the to_prepare is for Zeitwerk)

hartator commented 3 years ago

Even simpler:

gem "aws-ses", github: "sertangulveren/aws-ses", require: "aws/ses"

@sertangulveren's branch works directly by just defaulting to signature version 4.

Maybe @sertangulveren can fork the gem to something like gem "aws-ses-v4" if @drewblas is not responsive? I don't mind forking it if @sertangulveren doesn't want to. That's too bad to lose that work, it fits so nicely in Rails. ❤️

sertangulveren commented 3 years ago

@hartator I published a version as you specified. It can be used as follows:

gem "aws-ses-v4", require: "aws/ses"

@drewblas can update the main repo later.

ilyazub commented 3 years ago

Switching to the official aws-sdk-rails fixed these errors (https://github.com/drewblas/aws-ses/issues/78#issuecomment-811270479). @dnalbach and @volonterx, thank you!

frommelmak commented 3 years ago

The gem aws-ses-v4 worked for me after uninstalling the original aws-ses gem. Thanks @sertangulveren!

gem uninstall aws-ses
gem install aws-ses-v4

johnnyshields commented 2 years ago

You may want to check out https://github.com/tablecheck/mail-ses. It uses the official AWS SDK under the hood.