Why am I getting time out errors when sending emails from Amazon ECS container?

Question

I have a Spring Boot API which has a service to send emails. This service works when I'm running the app locally or with a simple docker-compose inside an EC2 instance. However when I moved the app to Amazon ECS, it stopped working.

The error:

org.springframework.mail.MailSendException: Mail server connection failed; nested exception is
com.sun.mail.util.MailConnectException: Couldn't connect to host, port: email-smtp.us-east-
1.amazonaws.com, 587; timeout -1;

My application.yml (mail section):

spring:
    mail:
    host: ${MAIL_HOST}
    port: ${MAIL_PORT:587}
    username: ${MAIL_USER}
    password: ${MAIL_PASSWORD}
    properties:
      mail:
        smtp:
          auth: true
          starttls.enable: true

I've already tried to open the tcp port 587 in my security group, but it didn't work too.

More info about ECS:
I'm using ECS with EC2 launch type and an Application Load Balancer sitting in front of it.

Answer 1

Figured it out!

The formula to the problem:

problem = (ECS with EC2 launch type) + (Task definition with awsvpc network mode) + (public subnet) + (not reading the AWS manual)^999   

As stated in the Running a Task Using the EC2 Launch Type Guide

Only private subnets are supported for the awsvpc network mode. Because tasks do not receive public IP addresses, a NAT gateway is required for outbound internet access, and inbound internet traffic should be routed through a load balancer.

To deal with the problem I updated my task definition to use bridge network mode.

Ps: I'm not concerned about running multiple containers in the same instance though.

Answer 2

TL;DR

• Look at the docs here and decide how you want to access outbound services, either with a public su.net + inte.net gateway or with a private su.net + NAT.
• Go in the security groups of your service and add outbound rules for the port you want.

Here is a similar question to the problem .

My similar problem and how I solved it

I came up with a similar problem, where I was getting timeout errors from a ECS service and it took my a while to fix it, so I decided to post this answer for future readers.

First of all, you need to do one of the 2 ways to have outbound traffic (send requests, like email, from inside of you container to the outside, like external services on the inte.net) from Amazon Elastic Container Service - Connecting to the inte.net (Networking Outbound)

For my case, I was using ECS Fargate, and the Using a public su.net and inte.net gateway was already done in the process to setup Fargate.
In case that's not done, or you are using something different (EC2 instances), one thing you will need to do is create a public or private su.net and to understand more about it, you can check this answer .

So after that, I thought that everything was done and should work, but there's one thing missing that I didn't know.

You need to enable outbound routing, in security groups, for the port you want to use.
This question helped me a lot and probably have your answer.

For me, I wanted to enable SMTPS (Port 465), so what I did was

• Go in the Security Group used by my ECS container
• Go into Outbound Rules
• Add rule for SMTPS (it automatically add port 465)

And it worked.