We have been using Thunderbird to access a number of AWS-Workmail accounts. It can be a bit tricky to set-up, but once done it has been fine.
Recently we have received warnings from Amazon that the SMTP portion will soon require "Signature Version 4" instead of the current "Signature Version 2" which apparently we are using via Thunderbird.
Anyone know what this may mean to us? Will we just not be able to send email via Thunderbird?
Thunderbird and AWS-Workmail
-
tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Thunderbird and AWS-Workmail
"Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key. These two keys are commonly referred to as your security credentials."
I don't understand how that would effect Thunderbird since it uses the SMTP protocol over a secure connection to send a message to a SMTP server, not HTTP to a URL such as https://alias.awsapps.com/mail. Can you provide more detail, such as the full text of the warning?
Are you using a configuration similar to that described in https://docs.aws.amazon.com/workmail/la ... _IMAP.html ?
I don't understand how that would effect Thunderbird since it uses the SMTP protocol over a secure connection to send a message to a SMTP server, not HTTP to a URL such as https://alias.awsapps.com/mail. Can you provide more detail, such as the full text of the warning?
Are you using a configuration similar to that described in https://docs.aws.amazon.com/workmail/la ... _IMAP.html ?
-
quenton89
- Posts: 2
- Joined: February 16th, 2021, 6:14 am
Re: Thunderbird and AWS-Workmail
Thank you for the reply - I used a method of connection (from Thunderbird) that I found on some forum a few years ago, I will check it against the amazon link you provided above. I am an application developer (retired), and did not have much to do with internet communications.
The email we got from amazon was ... (sorry if its a bit lengthy) ...
------------
Hello,
If you have already migrated your credentials from Signature Version 2 to Signature Version 4, you can ignore this communication.
We have observed Signature Version 2 requests (on an Amazon SES SMTP endpoint) originating from your account over the last week. Please note that Amazon Simple Email Service (SES) is working on an infrastructure upgrade with improved security controls. As a result, Signature Version 2 is being deprecated in favor of Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers by using a signing key instead of your secret access key.
Amazon SES customers who are currently using Signature Version 2 must migrate to Signature Version 4 by March 26, 2021. Beginning March 27 2021, requests using Signature Version 2 will be progressively throttled in Amazon SES.
To migrate to Signature Version 4, please replace your existing SMTP credentials using the appropriate procedure relative to your setup:
* If you generated your SMTP credentials using the SES Console, simply create new credentials and replace your existing credentials with the new ones.
* If you derived your SMTP credentials from your AWS credentials, make sure you are using the Signature Version 4 algorithm. If you rely on a library to do this conversion, check if the library has a newer release that uses Signature Version 4 algorithm and migrate to it. Otherwise, you will need to either derive the credentials from another library that uses Signature Version 4 algorithm or generate credentials using the SES console.
To learn more about how to generate your Amazon SES SMTP credentials, please refer[1].
If you have any questions, please contact AWS Premium Support [2].
[1] https://docs.aws.amazon.com/ses/latest/ ... tials.html
[2] https://aws.amazon.com/support
Sincerely,
Amazon Web Services
The email we got from amazon was ... (sorry if its a bit lengthy) ...
------------
Hello,
If you have already migrated your credentials from Signature Version 2 to Signature Version 4, you can ignore this communication.
We have observed Signature Version 2 requests (on an Amazon SES SMTP endpoint) originating from your account over the last week. Please note that Amazon Simple Email Service (SES) is working on an infrastructure upgrade with improved security controls. As a result, Signature Version 2 is being deprecated in favor of Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers by using a signing key instead of your secret access key.
Amazon SES customers who are currently using Signature Version 2 must migrate to Signature Version 4 by March 26, 2021. Beginning March 27 2021, requests using Signature Version 2 will be progressively throttled in Amazon SES.
To migrate to Signature Version 4, please replace your existing SMTP credentials using the appropriate procedure relative to your setup:
* If you generated your SMTP credentials using the SES Console, simply create new credentials and replace your existing credentials with the new ones.
* If you derived your SMTP credentials from your AWS credentials, make sure you are using the Signature Version 4 algorithm. If you rely on a library to do this conversion, check if the library has a newer release that uses Signature Version 4 algorithm and migrate to it. Otherwise, you will need to either derive the credentials from another library that uses Signature Version 4 algorithm or generate credentials using the SES console.
To learn more about how to generate your Amazon SES SMTP credentials, please refer[1].
If you have any questions, please contact AWS Premium Support [2].
[1] https://docs.aws.amazon.com/ses/latest/ ... tials.html
[2] https://aws.amazon.com/support
Sincerely,
Amazon Web Services
-
tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Thunderbird and AWS-Workmail
It sounds like you need to generate new credentials using the SES Console, delete the saved password for the AWS-Workmail SMTP server, exit and restart Thunderbird (since the deleted password was still in memory) and when prompted for the password enter it and check the checkbox to have the password manager save it.
https://docs.aws.amazon.com/ses/latest/ ... tials.html
https://docs.aws.amazon.com/ses/latest/ ... tials.html
It sort of sounds like you have IAM credentials for the IMAP account and SES SMTP credentials for the SMTP server (which is unusual because most email providers use the same credentials for both servers) . But I have no experience with AWS-Workmail so I could be completely mistaken.
https://docs.aws.amazon.com/ses/latest/ ... tials.html
https://docs.aws.amazon.com/ses/latest/ ... tials.html
It sort of sounds like you have IAM credentials for the IMAP account and SES SMTP credentials for the SMTP server (which is unusual because most email providers use the same credentials for both servers) . But I have no experience with AWS-Workmail so I could be completely mistaken.