
I am trying to use SES to intercept an incoming email for a domain, do some processing and manipulation of the email with a lambda, then would like to continue sending the email to the final destination / original mail server.

For example:

  • Say I own mydomain.com
  • mydomain.com uses Google Mail services (GSuite)
  • I set the mydomain.com MX records to point to SES instead of GSuite
  • sender@notmydomain.com sends an email to receiver@mydomain.com
  • email is received by SES and is processed by lambda
  • lambda then sends the email to the original Gsuite mailserver
  • end result is receiver@mydomain.com receives an email in gmail from sender@notmydomain.com (possibly with some elements of the email redacted by the lambda)

The main issue here is that the mydomain.com MX record would then point to SES, so when the lambda sends the message, it would go to SES, not to the original mail server.

Is there a good way around this problem? Is there a better best practice relating to the use case above, intercepting and manipulating emails? I'm also unsure if "Inbound Mail Gateway" is the correct term to describe my use case.

andrsnn
  • Hi @andrsnn if the below answer helped resolve your problem please upvote and accept it. That's the ServerFault way to say *thanks* to people who spent their free time answering your question. Thanks! – MLu Nov 21 '18 at 00:14

1 Answer


To work around that, your Lambda will have to explicitly initiate an SMTP connection to the GSuite servers to deliver the email, and not use SES as the outbound relay.

So it will be:

[Internet] -> {DNS MX} -> [SES] -> [Lambda] -> {explicit SMTP} -> [Gsuite]
                                       ^
                                       |
                           {list of Gsuite servers}

In your case I would also decouple the Receiving Lambda from the SMTP sending. That way you'll be able to keep receiving emails even if the delivery to Gsuite is failing for some reason. For instance, something like this:

... [SES] -> [Receiving Lambda] -> [SQS queue] -> [Sending Lambda] -> {SMTP} ...

SQS will easily let you retry failed delivery attempts. Of course, also create an SQS DLQ (Dead Letter Queue) and some CloudWatch Alarms so you know when undelivered mails start piling up in your SQS queue or in the DLQ!

Having "hidden" SMTP servers is not uncommon; however, note that a determined sender may be able to figure out that you use Gsuite (e.g. from email responses) and can bypass your SES processing. Not sure if it's actually a problem in your case, but it's good to be aware of it.

Hope that helps :)

MLu
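The pipeline in the answer above (Receiving Lambda -> SQS -> Sending Lambda -> explicit SMTP to the upstream hosts), sketched as a Python example. This is added illustration code, not code from the question, the answer, or AWS. It assumes the SES receipt rule has stored the raw message in S3 and that the Receiving Lambda reads it from there; the upstream host list (`UPSTREAM_MX_HOSTS`), the stripped header (`X-Internal-Note`), and the marker header (`X-Gateway-Processed`) are all hypothetical placeholders. The SMTP client is injectable so the retry logic can be exercised without a network; the SQS response shape (`batchItemFailures`) is the partial-batch response a Lambda returns when the SQS trigger has `ReportBatchItemFailures` enabled.

```python
import base64
import email
import json
import os
import smtplib
from email import policy

# Hypothetical configuration (the page names no hosts): the domain's original
# GSuite MX hosts, comma-separated, i.e. the MX set that existed before SES.
UPSTREAM_MX_HOSTS = os.environ.get("UPSTREAM_MX_HOSTS", "mx-placeholder.example").split(",")
# Constructed example of a header the gateway strips before forwarding.
REDACT_HEADERS = ("X-Internal-Note",)
# Hypothetical marker header so downstream filters can recognise gateway-processed mail.
MARKER_HEADER = "X-Gateway-Processed"


def process_message(raw: bytes) -> bytes:
    """Parse the raw RFC 5322 message, drop the headers we do not forward,
    and stamp it with the marker header. Returns the re-serialised message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for name in REDACT_HEADERS:
        del msg[name]          # deleting an absent header is a no-op
    msg[MARKER_HEADER] = "ses-lambda"
    return msg.as_bytes()


def receiving_handler(raw: bytes, mail_from: str, recipients) -> str:
    """Receiving Lambda step: build the SQS message body (JSON) carrying the
    processed message plus the SMTP envelope. In a deployment, raw comes from
    the S3 object the receipt rule wrote (assumption) and the returned string
    goes to sqs.send_message(); both calls are left out so this runs offline."""
    body = {
        "mail_from": mail_from,
        "recipients": list(recipients),
        "raw_b64": base64.b64encode(process_message(raw)).decode("ascii"),
    }
    return json.dumps(body)


class TransientDeliveryError(Exception):
    """No upstream host accepted the message; safe to retry later via SQS."""


def deliver(raw: bytes, mail_from: str, recipients, hosts=UPSTREAM_MX_HOSTS,
            smtp_factory=smtplib.SMTP) -> str:
    """Sending Lambda step: explicit SMTP to the upstream hosts, trying each in
    order. Returns the host that accepted the message. smtp_factory is
    injectable so the logic can be tested with a fake client."""
    errors = []
    for host in hosts:
        try:
            with smtp_factory(host, 25, timeout=30) as conn:
                conn.starttls()  # opportunistic TLS towards the upstream server
                conn.sendmail(mail_from, list(recipients), raw)
            return host
        except (smtplib.SMTPException, OSError) as exc:
            errors.append(f"{host}: {exc}")
    raise TransientDeliveryError("; ".join(errors))


def sending_handler(event, context=None, smtp_factory=smtplib.SMTP) -> dict:
    """Lambda entry point for the SQS trigger. Every record that could not be
    delivered (or could not be parsed) is reported in batchItemFailures, so SQS
    redelivers just those records and moves them to the DLQ once
    maxReceiveCount is exceeded; successful records are deleted by SQS."""
    failures = []
    for record in event.get("Records", []):
        try:
            body = json.loads(record["body"])
            deliver(base64.b64decode(body["raw_b64"]), body["mail_from"],
                    body["recipients"], smtp_factory=smtp_factory)
        except (TransientDeliveryError, KeyError, ValueError) as exc:
            print(f"delivery failed for {record['messageId']}: {exc}")
            failures.append({"itemIdentifier": record["messageId"]})
    return {"batchItemFailures": failures}
```

On the bypass caveat in the answer: the marker header only helps the downstream mail service classify gateway-processed mail; anyone who delivers straight to the GSuite hosts can forge it, so it is not an enforcement control. Enforcement means the downstream service accepting inbound mail only from the gateway's source IPs, which is a setting on the mail service side and outside what this code can do. Keep the DLQ alarm from the answer: a record that fails to parse is reported as a failure here too, so malformed bodies end up in the DLQ rather than being silently dropped.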