8.9 KiB
8.9 KiB
SES SNS Bounce Handling Setup (Optional)
⚠️ NOTICE: Bounce handling is optional and disabled by default.
This document describes how to configure AWS SES and SNS to handle email bounces automatically in the Mail List Manager.
Prerequisites:
- SES production access (not available in sandbox mode)
- Valid HTTPS domain for webhook endpoint
- Bounce handling must be enabled in configuration
Overview
The system can optionally use AWS Simple Notification Service (SNS) to receive real-time bounce notifications from AWS Simple Email Service (SES). When bounce handling is enabled and an email bounces:
- SES sends a notification to an SNS topic
- SNS forwards the notification to your webhook endpoint
- The API processes the notification and updates the database
- Members with hard bounces are automatically deactivated
- Bounce history is tracked and displayed in the UI
Bounce Status Types
- Clean: No bounces recorded
- Soft Bounce: Temporary delivery issues (e.g., mailbox full, temporary server issues)
- After 3 soft bounces, the member is marked with soft bounce status
- Hard Bounce: Permanent delivery failure (e.g., invalid email address, domain doesn't exist)
- Member is automatically deactivated and cannot receive emails
Setup Instructions
1. Enable Bounce Handling
First, enable bounce handling in your .env file:
# Enable SNS webhook bounce handling
ENABLE_SNS_WEBHOOKS=true
ENABLE_BOUNCE_HANDLING=true
Restart the API container after making this change:
sudo docker-compose restart api
2. Prerequisites
- AWS account with SES configured and verified
- Your Mail List Manager deployed and accessible via HTTPS (required for SNS webhook)
- Domain or subdomain for webhook (e.g.,
https://lists.yourdomain.com)
3. Create SNS Topic
- Log in to AWS Console and navigate to SNS
- Click "Create topic"
- Choose "Standard" topic type
- Name:
ses-bounce-notifications(or your preferred name) - Display name:
SES Bounce Notifications - Click "Create topic"
- Save the Topic ARN (you'll need it in step 4) arn:aws:sns:eu-west-2:827164363113:ses-bounces
4. Subscribe Your Webhook to SNS Topic
- In the SNS topic details, click "Create subscription"
- Protocol:
HTTPS - Endpoint:
https://yourdomain.com:8000/webhooks/sns- Replace
yourdomain.comwith your actual domain - The API must be accessible via HTTPS (SNS doesn't support HTTP)
- Replace
- Enable raw message delivery: Unchecked
- Click "Create subscription"
- The subscription will be in "PendingConfirmation" status
5. Confirm SNS Subscription
When you create the subscription, SNS will send a SubscriptionConfirmation request to your webhook endpoint. The Mail List Manager API automatically confirms this subscription.
- Check your API logs:
sudo docker-compose logs -f api - You should see a log entry indicating the subscription was confirmed
- In the AWS SNS console, refresh the subscriptions list
- The status should change from "PendingConfirmation" to "Confirmed"
6. Configure SES to Send Bounce Notifications
- Navigate to AWS SES console
- Go to "Configuration Sets" (or "Verified identities" > select your domain > "Notifications")
- For configuration sets:
- Create a new configuration set or select existing
- Add "Event destination"
- Event types: Select "Bounce" (and optionally "Complaint")
- Destination: SNS topic
- Select your SNS topic created in step 2
- For verified identities:
- Select your sending domain/email
- Click "Edit" in the "Notifications" section
- Bounce feedback: Select your SNS topic
- Include original headers: Enabled (optional)
- Click "Save changes"
7. Verify Setup
Test with a Bounce Simulator
AWS SES provides bounce simulator addresses:
# From inside Postfix container
docker-compose exec postfix bash
echo "Test bounce" | mail -s "Test" bounce@simulator.amazonses.com
Or send to your mailing list with a test recipient:
- Add
bounce@simulator.amazonses.comas a member - Subscribe to a test list
- Send an email to the list
Check the Results
- Wait a few minutes for SES to process and send the notification
- Check API logs:
sudo docker-compose logs api | grep -i bounce - Log in to the web UI
- Go to Members tab
- Find the test member and click the "Bounces" button
- You should see the bounce event recorded
8. Security Considerations
SNS Signature Verification
The webhook endpoint automatically verifies SNS message signatures to ensure notifications are genuine AWS messages. This prevents unauthorized parties from sending fake bounce notifications.
HTTPS Requirement
SNS requires HTTPS for webhooks. You'll need:
- Valid SSL/TLS certificate for your domain
- Reverse proxy (e.g., Nginx, Apache) in front of the API container
- Or use AWS API Gateway as a proxy
Example Nginx Configuration
server {
listen 443 ssl http2;
server_name lists.yourdomain.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
# Webhook endpoint
location /webhooks/sns {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Optional: proxy API for web UI
location /api {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
9. Managing Bounces in the UI
View Bounce Status
In the Members tab, bounced emails are indicated with:
- Warning badge showing bounce count
- Color-coded status (yellow for soft bounce, red for hard bounce)
- Last bounce timestamp
View Bounce History
- Click the "Bounces" button next to a member
- View detailed bounce history including:
- Bounce type (Permanent, Transient, Undetermined)
- Bounce subtype
- Diagnostic code from the receiving mail server
- Timestamp of each bounce
Reset Bounce Status
If a member's email has been corrected or verified:
- Open the bounce history modal
- Click "Reset Bounce Status"
- Confirm the action
- The member's bounce count is cleared and they can receive emails again
Note: Only users with write access (administrators and operators) can reset bounce status.
10. Monitoring and Maintenance
Check Bounce Logs
# View all bounces in database
sudo docker-compose exec mysql mysql -u maillist -p maillist -e "SELECT * FROM bounce_logs ORDER BY timestamp DESC LIMIT 20;"
# Count bounces by type
sudo docker-compose exec mysql mysql -u maillist -p maillist -e "SELECT bounce_type, COUNT(*) as count FROM bounce_logs GROUP BY bounce_type;"
# Find members with bounces
sudo docker-compose exec mysql mysql -u maillist -p maillist -e "SELECT name, email, bounce_count, bounce_status FROM members WHERE bounce_count > 0;"
API Health Check
# Check if webhook is accessible
curl -X POST https://yourdomain.com:8000/webhooks/sns \
-H "Content-Type: application/json" \
-d '{"Type":"test"}'
Clean Up Old Bounce Records
Periodically review and clean up old bounce records:
-- Delete bounce logs older than 90 days
DELETE FROM bounce_logs WHERE created_at < DATE_SUB(NOW(), INTERVAL 90 DAY);
Troubleshooting
SNS Subscription Not Confirming
- Ensure the API container is running and accessible via HTTPS
- Check API logs for errors
- Verify firewall rules allow HTTPS traffic to port 8000
- Test the endpoint manually:
curl https://yourdomain.com:8000/health
Bounces Not Being Recorded
- Verify SNS topic is receiving messages:
- Check SNS topic metrics in AWS Console
- Verify subscription is active:
- Check subscription status in SNS console
- Check API logs for webhook errors:
sudo docker-compose logs api | grep -i "sns\|bounce" - Test signature verification:
- Temporarily add debug logging to the webhook endpoint
Members Not Being Deactivated
- Check if bounce type is "Permanent"
- Review member's bounce_status in database:
sudo docker-compose exec mysql mysql -u maillist -p maillist -e "SELECT * FROM members WHERE email='problem@example.com';" - Verify bounce processing logic in API logs
SSL Certificate Issues
If using self-signed certificates, SNS will reject the webhook. You must use:
- Valid certificate from a trusted CA (Let's Encrypt, etc.)
- Or use AWS Certificate Manager with API Gateway