Hey Folks,
I just spent the last couple of days doing a deep dive into using Swoosh with Amazon’s Simple Email Service; check out this troubleshooting post for a bit of background.
While doing so, I came to two different working solutions: one that sent emails by interacting with the AmazonSES API directly, and another that used Swoosh’s SMTP adapter and sent emails via AmazonSES’s SMTP endpoint. Both seemed to have their own pros and cons. I thought this would be a good discussion to have and I’m genuinely interested in seeing what the more popular choice is.
Swoosh.Adapters.AmazonSES
To use Swoosh’s AmazonSES adapter, the setup is somewhat simple. Your configuration is fairly straightforward and is as follows:

    config :app_name, AppName.Mailer,
      adapter: Swoosh.Adapters.AmazonSES,
      region: "us-east-2", # yours may be different
      access_key: "ROOT_AWS_ACCESS_KEY",
      secret: "ROOT_AWS_SECRET_KEY"

This is where the simplicity ends. Because you’re not using the standard SMTP adapter Swoosh.Adapters.SMTP, you need to enable an API client and add a few dependencies.
To enable an API client, first change this line in your config.exs from:

    config :swoosh, :api_client, false

to:

    config :swoosh, :api_client, Swoosh.ApiClient.Hackney
    # or
    config :swoosh, :api_client, Swoosh.ApiClient.Finch

Swoosh works well with both Finch and Hackney out of the box. The next step is to add your dependencies to mix.exs, fetch and restart the Phoenix server.

    defp deps do
      [
        {:gen_smtp, "~> 1.1.1"},
        {:hackney, "~> 1.18.0"} # or Finch
      ]
    end

You’ll also notice that you need to add gen_smtp; this is required for non-SMTP adapters as they require an SMTP client.
The Swoosh.Adapters.AmazonSES adapter has a very simple config but requires additional dependencies and, if you noticed, requires you to use and include your root admin AWS credentials. Because the Swoosh.Adapters.AmazonSES adapter interacts with the SES APIs directly, you need to use your root AWS access and secret key and you cannot use an SMTP user/credentials with limited access. I.e. if your Phoenix secrets are compromised, an attacker will have access to all of your AWS services, not just AmazonSES.
Swoosh.Adapters.SMTP
The config.exs has a couple more fields and is as follows:

    config :app_name, AppName.Mailer,
      adapter: Swoosh.Adapters.SMTP,
      relay: "email-smtp.us-east-2.amazonaws.com", # yours may be different
      username: "SMTP_AWS_ACCESS_KEY",
      password: "SMTP_AWS_SECRET_KEY",
      port: 25,
      retries: 2,
      no_mx_lookups: false

This should be all you need! Simply create an SMTP IAM user that has restricted access to the AmazonSES service and use those credentials as your username and password.
The Swoosh.Adapters.SMTP adapter is easier to use out of the box, has fewer additional dependencies and you can use SMTP credentials NOT your admin AWS credentials. However, this solution comes with all of the issues that SMTP has.
Conclusion
The Swoosh.Adapters.AmazonSES adapter has a fairly basic config.exs and I like that it directly interacts with the SES APIs. However, it creates a bit of a security issue as you have to have an admin-level AWS credential in your Phoenix secrets. This doc outlines which credentials should be used in each situation and further illustrates this issue. The Swoosh.Adapters.AmazonSES adapter also requires additional dependencies which might be confusing for those new to Phoenix or time consuming for those who just want something up and running as quickly as possible.
The Swoosh.Adapters.SMTP adapter has fewer dependencies and works right out of the box. It’s also not dependent on AmazonSES or a specific SMTP implementation. You can very quickly adapt it to work with another SMTP server. Also, when using it with AmazonSES you can use an IAM user/credentials that only has access to the AmazonSES service. However, you inevitably get all of the issues that come with SMTP. It’s an older protocol that’s showing its age and I’ve run into issues getting it to work with certain security protocols.
To be honest I’m a bit divided. I like interacting directly with the AmazonSES APIs but having to add admin credentials makes me a bit nervous. I like the simplicity of SMTP but, maybe I’m showing bias here, am not a fan of the protocol. It feels clunky, dated and restrictive in some situations. I’d love to hear everyone’s thoughts on this.
Also, if anyone has figured out how to use the Swoosh.Adapters.AmazonSES adapter without admin AWS credentials, please post here! I was unable to figure it out and after reading the doc linked above came to the conclusion you couldn’t. But I’d love to be wrong on this for obvious reasons.
Thanks,
Scott
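
Added example (not part of the original post and not taken from Swoosh's documentation): the SMTP adapter config from the post, moved to config/runtime.exs so the credentials are read from the environment at boot, and with STARTTLS, certificate verification and authentication made mandatory. The environment variable names are assumptions, and :public_key.cacerts_get/0 assumes OTP 25 or later.

```elixir
# config/runtime.exs
# Added example. SES_SMTP_RELAY, SES_SMTP_USERNAME and SES_SMTP_PASSWORD
# are assumed environment variable names, not something Swoosh defines.
import Config

if config_env() == :prod do
  # Region-specific SES SMTP endpoint, same default as in the post.
  relay = System.get_env("SES_SMTP_RELAY", "email-smtp.us-east-2.amazonaws.com")

  config :app_name, AppName.Mailer,
    adapter: Swoosh.Adapters.SMTP,
    relay: relay,
    # fetch_env!/1 raises at boot when a variable is missing, so the app
    # never starts with an empty credential and nothing secret is committed.
    username: System.fetch_env!("SES_SMTP_USERNAME"),
    password: System.fetch_env!("SES_SMTP_PASSWORD"),
    # 587 is the mail submission port; SES offers STARTTLS on it.
    port: 587,
    ssl: false,
    # gen_smtp defaults both options to :if_available, which falls back to
    # an unencrypted session when STARTTLS is not offered. :always makes
    # the delivery fail instead of sending the password in cleartext.
    tls: :always,
    auth: :always,
    tls_options: [
      versions: [:"tlsv1.2", :"tlsv1.3"],
      # Verify the server certificate against the OS trust store and
      # check that it was issued for the relay host name.
      verify: :verify_peer,
      cacerts: :public_key.cacerts_get(),
      server_name_indication: String.to_charlist(relay),
      customize_hostname_check: [
        match_fun: :public_key.pkix_verify_hostname_match_fun(:https)
      ]
    ],
    retries: 2,
    no_mx_lookups: false
end
```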