13

It says here...

Amazon EC2 imposes default sending limits on email sent via port 25 and throttles outbound connections if you attempt to exceed those limits. To remove these limits, submit a Request to Remove Email Sending Limitations. You can also connect to Amazon SES via port 465 or port 587, neither of which is throttled.

Why doesn't it throttle ports 465 and 587? Why doesn't everyone use these ports instead of 25 and avoid the throttling issue altogether?

Rodrigo M
Ian Warburton
  • 3
    A small PS, the title of this question and the content don't match, the quote is about EC2 imposing limits on port 25 (I'd change it but it would need authorising so I'll leave it to someone else!) – Michael B Jan 09 '16 at 15:13
  • So the limits only come into play when sending from EC2? – Ian Warburton Jan 09 '16 at 15:26
  • No you can send from anywhere with the proper credentials. The limits are global. – Rodrigo M Jan 09 '16 at 15:51
  • 2
    Within an AWS context, EC2 is the only place that you could *openly* send email from; for that reason the limits only apply to EC2. Once you send mail into SES, then they have more explicit message limits that are ramped up as you prove yourself as a non-spammer. – Michael B Jan 09 '16 at 16:03

2 Answers

21

This is an anti-spam measure.

Without this restriction you could create a new Amazon account, fire up an EC2 machine and send a few million spam messages before anything could be done. By throttling the connection, it makes that scenario unavailable to new user accounts.

465/587 are authenticated ports, and it specifically mentions Amazon Simple Email Service (SES), which is specifically designed for bulk sending email and is tuned to detect use by spammers.

Edited to add SES information

When you first sign up for SES you are placed in a sandbox. This will place the following restrictions upon your account.

  • You can only send mail to the Amazon SES mailbox simulator and to verified email addresses and domains
  • You can only send mail from verified email addresses and domains.
  • You can send a maximum of 200 messages per 24-hour period.
  • Amazon SES can accept a maximum of one message from your account per second.

This basically means that if you want to use SES in a production scenario, you need to request a sending limit raise, because you can only send to / from accounts that you have explicitly verified. You can do this either from the console or by raising a support ticket.

You will then have a new sending limit applied and a daily quota. For instance on my dev account I have a 50,000 per day daily quota and 14/second sending limit.

If I were to attempt to send more than 14 messages per second over SMTP (regardless of port), I would get this SMTP error message: "454 Throttling failure: Maximum sending rate exceeded". If I tried to send more than 50,000 messages, I would receive "454 Throttling failure: Daily message quota exceeded".

In order to understand how throttling works, you need to think about the process that is occurring.

When you connect to SES over SMTP (on any port) you pass your credentials; AWS will check the limits on your account and start counting against your limits. At that point you are an authenticated user coming over an authenticated endpoint (you cannot send via SES anonymously. You can receive email in SES, but there are no incoming email limits applied, apart from message size). In that context you can see that throttling a particular port would be entirely pointless.

The only AWS service to have default throttling on port 25 is EC2.

The ONLY time that SES will throttle your messages is when you exceed your allowed limits.

Those limits can never be removed; they can only be increased (albeit increased to reasonably insane numbers).

Those limits will grow over time; if you are diligent in your use of SES and your handling of blocked / bounced messages, your numbers will increase.

So, in summary.

  • SES does not throttle port 25, port 465 or port 587.
  • SES will only rate limit messages based on your quotas.
  • SES rate limits apply entirely independently of TCP port numbers.
Michael B
  • Great answer. Sorry for asking here, I can find a lot of information about what SES is, but not why it is needed when EC2 throttling can be removed? Is it because you hold the responsibility of not getting blacklisted when using EC2 - whereas through SES, worst case you will be blacklisted by SES and not the "world" (and can have that resolved?) – Jeppe May 17 '20 at 12:18
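The two 454 replies quoted in the answer above call for different client behaviour, shown here as an added example that is not part of the original answers or AWS code. `classify`, `FakeSes`, `SimClock` and `send_all` are hypothetical names, and `FakeSes` is a constructed stand-in for the endpoint using a simulated clock so the block runs offline.

```python
# Added example: reply strings are the two 454 errors quoted in the answer.
RATE = "Throttling failure: Maximum sending rate exceeded"
QUOTA = "Throttling failure: Daily message quota exceeded"

def classify(code, text):
    """Decide what a sender should do with an SMTP reply."""
    if code == 250:
        return "ok"
    if code == 454 and "Maximum sending rate exceeded" in text:
        return "retry"   # per-second limit: back off, then resend
    if code == 454 and "Daily message quota exceeded" in text:
        return "stop"    # 24-hour quota: retrying today cannot succeed
    return "fail"

class FakeSes:
    """Constructed stand-in: counts per account, never per TCP port."""
    def __init__(self, max_rate, daily_quota):
        self.max_rate, self.daily_quota = max_rate, daily_quota
        self.sent_today, self.second, self.in_second = 0, -1, 0
    def send(self, now):
        if self.sent_today >= self.daily_quota:
            return 454, QUOTA
        if int(now) != self.second:           # new one-second window
            self.second, self.in_second = int(now), 0
        if self.in_second >= self.max_rate:
            return 454, RATE
        self.in_second += 1
        self.sent_today += 1
        return 250, "Ok"

class SimClock:
    """Simulated time so the example runs instantly and deterministically."""
    def __init__(self): self.t = 0.0
    def now(self): return self.t
    def sleep(self, s): self.t += s

def send_all(n, server, clock, max_retries=5):
    sent = retries = 0
    for _ in range(n):
        delay = 0.25
        for _attempt in range(max_retries + 1):
            action = classify(*server.send(clock.now()))
            if action == "ok":
                sent += 1
                break
            if action != "retry":
                return {"sent": sent, "retries": retries, "stopped": action}
            retries += 1
            clock.sleep(delay)                # exponential backoff
            delay *= 2
        else:
            return {"sent": sent, "retries": retries, "stopped": "retries exhausted"}
    return {"sent": sent, "retries": retries, "stopped": None}
```

With Python's `smtplib`, the same `classify` can be fed from a caught `SMTPResponseException` via its `smtp_code` and decoded `smtp_error` attributes.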
3

To be clear on SES sending limits, you have to understand there are two types of limits: Maximum Send Rate and Sending Quota.

Apart from these limits, port 25 sending rate is throttled by default - but that throttle can be removed.

Maximum Send Rate

The maximum number of emails that Amazon SES can accept from your account per second.

Sending Quotas

The maximum number of emails that you can send in a 24-hour period. All new SES accounts are set up in a sandbox, and have a default Sending quota of 200 emails per 24-hour period. You can request this limit be raised, based on your needs and actual usage patterns.

To answer your questions directly:

Why doesn't it throttle ports 465 and 587?

Default rate limits are enforced on port 25, as this is the common sending port. This leads to a lot of spam being sent on this port. To prevent this, AWS EC2 throttles port 25 by default. Ports 465 and 587 are less well known, and are not subject to as much spam abuse.

Why doesn't everyone use these ports instead of 25 and avoid the throttling issue altogether?

They can/should if their software allows use of those ports. Some legacy applications can only use port 25. In those cases, you can request the throttle be removed.

In summary regarding SES sending limits:

  • Ports TCP/465 and TCP/587 are not throttled
  • Port 25 is throttled by default, but it can be removed by request.
  • The Per Day Sending Quotas limits of your SES account always apply
  • The Per Second Maximum Send Rate limits of your SES account always apply
Rodrigo M
  • I've had emails failing to send via 25 even with restrictions removed. I've switched to 465. I'm hoping that will make a difference. The Maximum Send Rate has been 14 per second. I thought this would be sufficient. – Ian Warburton Jan 09 '16 at 17:15
  • 7
    This is incorrect, SES does not throttle port 25, EC2 does, there is no reason for SES to do so as you're authenticating. However if you send into SES via EC2 you're port 25 from the outbound EC2 network – Michael B Jan 09 '16 at 17:49
  • @Michael B - Sorry to disagree with you, but those are definitely SES limits, *not* EC2 limits. SES is the service in question not EC2. EC2 instances do not have any way/reason of throttling SMTP port 25 sending by default. Additionally you can send via SES from *any* computer in the world, outside of EC2. Again SES would limit those messages per your account limits. I verified this information with AWS resources, forums, my own account, and their technical support to be sure. If you have any reference to how EC2 is throttling port 25, kindly provide it. I would be glad to update my answer. – Rodrigo M Jan 09 '16 at 18:08
  • 2
    Well, there are two SO questions [here](http://stackoverflow.com/questions/26311747/aws-ec2-email-sending-limit-when-using-third-party-smtp-server) and [here](http://stackoverflow.com/questions/5124128/amazon-ec2-mail-limit-reached-while-using-external-smtp-server-to-send-emails) an aws [forum post](https://forums.aws.amazon.com/message.jspa?messageID=399480) an [AWS blog](https://forums.aws.amazon.com/message.jspa?messageID=399480) and of course there is the second paragraph of this question "EC2 imposes default sending limits on email sent via port 25 and throttles outbound connections" – Michael B Jan 09 '16 at 18:15
  • 2
    Sorry @RodrigoM but you are definitely incorrect. From the link in the question: *"Amazon EC2 imposes default sending limits on email sent via port 25 and throttles outbound connections if you attempt to exceed those limits."* **The EC2 network infrastructure throttles outbound TCP 25 regardless of destination**, not just to SES, but the throttle impacts SES, hence the mention in the SES documentation. – Michael - sqlbot Jan 09 '16 at 18:19
  • and it makes absolutely no sense for SES to "port 25 sending rate is throttled by default" because at that side as long as you are within your message quotas the sending aspect is entirely Amazon's responsibility. There is no ability to specify what port SES Sends on! – Michael B Jan 09 '16 at 18:19
  • Users sometimes conflate the terms AWS, EC2 and services like SES. – Rodrigo M Jan 09 '16 at 18:20
  • 2
    @RodrigoM then it should be up to those of us who have the knowledge to correct their confusion. Else those who come to this question in future and continue to breed that confusion forward. SES and EC2 are very different services, with very different network requirements. – Michael B Jan 09 '16 at 18:25
  • @IanWarburton - back to the question. Are you getting "Throttling - Maximum sending rate exceeded" errors? Could you be blowing past the 14 per second account limit? – Rodrigo M Jan 09 '16 at 18:44
  • @RodrigoM I don't think so. I'm getting this error... http://stackoverflow.com/questions/4333068/asp-cdo-message-1-error-80040213-the-transport-failed-to-connect-to-the-server – Ian Warburton Jan 09 '16 at 19:59
  • That does not appear to be a rate limit issue? – Rodrigo M Jan 09 '16 at 20:52
  • @Michael B - I stand corrected. The port 25 rate limit is EC2 enforced. It is however, not enforced for on-premise instances using SES on port 25. I find it interesting this rate limit is only applied to EC2 instances. AWS seems to "trust" on-premise instances more in this regard. I have clarified my post to reflect this. See http://docs.aws.amazon.com/ses/latest/DeveloperGuide/limits.html#limits-ec2. My updated post is correct in every respect. If you feel I have missed anything, please let me know. – Rodrigo M Jan 09 '16 at 21:18
  • 2
    EC2 port 25 throttling limits apply because AWS care about having their IPs blacklisted. They care considerably less about your on prem IPs being blacklisted. Port 25 throttling is simply a blanket policy on the egress of the EC2 network. All you seem to have changed in your post is switching SES for EC2 in one location. Your updated post is still wrong in almost every respect. This is a bad answer. I have updated mine with correct information. – Michael B Jan 09 '16 at 22:24