“Unverified email addresses” are actually verified

Hey @pineros,

Unfortunately this little bug crept into v1.6.0.

It does not affect email sending, it’s just an annoying incorrect message.

We’ll be releasing a bug fix soon.

-IJ

Thanks!

Fixed in v1.6.1

-IJ

Hello,

I am still experiencing this issue as well, using 1.6.5.

@deliciousbrains more info on this, am using 1.6.5. Looks like the plugin is trying to ses:ListEmailIdentities and ses:GetAccount on * instead of just the resource it needs That’s probably why the verification is failing.

This is from the debug.log:

[27-Aug-2023 16:49:14 UTC] WP Offload SES #203: There was an error attempting to receive your SES identities. (Error executing "ListEmailIdentities" on "https://email.us-east-1.amazonaws.com/v2/email/identities?PageSize=1000"; AWS HTTP error: Client error: `GET https://email.us-east-1.amazonaws.com/v2/email/
identities?PageSize=1000<code>resulted in a</code>403 Forbidden` response:
{"Message":"User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:ListEmailIdentities on re (truncated...)
 AccessDeniedException (client): User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:ListEmailIdentities on resource: * because no identity-based policy allows the ses:ListEmailIdentities action - {"Message":"User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:ListEmailIdentities on resource: * because no identity-based policy allows the ses:ListEmailIdentities action"})
[27-Aug-2023 16:49:14 UTC] WP Offload SES #208: There was an error attempting to retrieve your SES account details. (Error executing "GetAccount" on "https://email.us-east-1.amazonaws.com/v2/email/account"; AWS HTTP error: Client error: GET https://email.us-east-1.amazonaws.com/v2/email/account resulted in a 403 Forbidden response:
{"Message":"User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:GetAccount on resource: * (truncated...)
 AccessDeniedException (client): User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:GetAccount on resource: * because no identity-based policy allows the ses:GetAccount action - {"Message":"User: arn:aws:iam::1234567890:user/my-username is not authorized to perform: ses:GetAccount on resource: * because no identity-based policy allows the ses:GetAccount action"})

For example, the user I have has a policy that gives access to the domain. I don’t want to give this one website access to all of my SES accounts, that would be a security issue. ??

SES policy:

{
"Version": "2012-10-17",
"Statement": [
  {
    "Sid": "VisualEditor0",
	"Effect": "Allow",
	"Action": [
	"ses:VerifyEmailIdentity",
	"ses:GetSendQuota",
	"ses:SendRawEmail",
	"ses:DeleteIdentity",
	"ses:GetIdentityVerificationAttributes",
	"ses:ListIdentities",
	"ses:VerifyDomainIdentity",
	"ses:GetAccount",
	"ses:ListEmailIdentities"
  ],
  "Resource": "arn:aws:ses:us-east-1:1234567890:identity/myDomain.com"
  }
 ]
}

The other issue I’m running into is that I cannot even send e-mail if I rely on the domain to verify because of this issue, I must use the e-mail address in the resource above. Meaning, the above actually doesn’t even let me send emails, only this will work…

"Resource": "arn:aws:ses:us-east-1:1234567890:identity/[email protected]"

So what I’m doing right now is…

{
"Version": "2012-10-17",
"Statement": [
  {
    "Sid": "VisualEditor0",
	"Effect": "Allow",
	"Action": [
	"ses:VerifyEmailIdentity",
	"ses:GetSendQuota",
	"ses:SendRawEmail",
	"ses:DeleteIdentity",
	"ses:GetIdentityVerificationAttributes",
	"ses:ListIdentities",
	"ses:VerifyDomainIdentity",
	"ses:GetAccount",
	"ses:ListEmailIdentities"
  ],
  "Resource": [
	"arn:aws:ses:us-east-1:1234567890:identity/domain.com",
	"arn:aws:ses:us-east-1:1234567890:identity/[email protected]"
 ]
  }
 ]
}

Specifying both as I have verified both.

• This reply was modified 1 year, 3 months ago by asheroto.

Hey @asheroto,

Looks like our custom IAM policy doc was not up to date, sorry.

I’ve updated the Custom IAM Policy for Amazon SES doc: https://deliciousbrains.com/wp-offload-ses/doc/custom-iam-policy-for-amazon-ses/

You’ll see from the doc that you need to have separate sections when using a specific resource, something like follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IdentityManagement",
      "Effect": "Allow",
      "Action": [
        "ses:CreateEmailIdentity",
        "ses:DeleteEmailIdentity"
      ],
      "Resource": "arn:aws:ses:eu-west-2:123456789012:identity/example.com"
    },
    {
      "Sid": "SendEmail",
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "arn:aws:ses:eu-west-2:123456789012:identity/example.com"
    },
    {
      "Sid": "AccountLevel",
      "Effect": "Allow",
      "Action": [
        "ses:GetAccount",
        "ses:ListEmailIdentities"
      ],
      "Resource": "*"
    }
  ]
}

-IJ

Thanks so much for your reply.

I updated the policy and was able to get the error message in the logs to go away, however message at the top “We’ve noticed that emails are being sent from the following unverified email addresses” still appears, even though I am able to see the e-mail address in the “VERIFIED SENDERS” table and it says “SUCCESS”.

Any ideas?

Hi @asheroto ,

Please could you try closing that notification message to see if it still comes back? Let us know what how it goes for you.

Haha wow, that fixed it. It didn’t fix it the other day, but I think that’s when the permissions were broken, so I didn’t think to X out again. Thanks again for your help on that.