Symfony Amazon SES Mailer does not work(Authentication issue) #36956

Closed
neok opened this issue May 25, 2020 · 19 comments

neok commented May 25, 2020

Symfony version(s) affected: Symfony 5.0.8

Description
Symfony Amazon SES mailer not sending emails.
Deprecated signature is used, we should migrate to Signature Version 4 signing process

Unable to send an email: The security token included in the request is invalid. (code 0).

Response from Amazon:

    +"Type": "Sender"
    +"Code": "InvalidClientTokenId"
    +"Message": "The security token included in the request is invalid."

It seems like they do not support V3 authentication anymore, or something else. I tried with multiple different credentials and it still does not work.

How to reproduce

    $email = (new Email())
        ->from('hello@mydomian.com')
        ->to(new Address('myemail@gmail.com'))
        ->subject('Thanks for signing up!')
        ->text('Hello')
        ->html('Hello');

    $this->mailer->send($email);

Config

framework:
    mailer:
        dsn: 'ses+api://KEY:SECRET@default?region=eu-central-1'

Possible Solution
Change Authentication to v4

Additional context
I tried to send emails with the Amazon PHP SDK:

    $this->client = new SesClient([
        'credentials' => [
            'key' => 'KEY',
            'secret' => 'SECRET'
        ],
        'version' => 'latest',
        'region'  => 'eu-central-1'
    ]);

It does work; they are using V4 authorization (for more than two years).

Member

stof commented May 25, 2020

Symfony 5.1 already includes a new implementation of the SES transport, which uses the v4 signature rather than the v2 one.

So I'm closing this issue as being already solved by the next Symfony version.

@stof stof closed this as completed May 25, 2020
Member

stof commented May 25, 2020

Note that support for the v2 signature depends on the region. Some newer regions support only v4.


lnorby commented Jul 17, 2020

I tried it with Symfony 5.1 and got the same error. I checked the source code and it seems to me that it still uses the v2 signature.

    $auth = sprintf('AWS3-HTTPS AWSAccessKeyId=%s,Algorithm=HmacSHA256,Signature=%s', $this->accessKey, $this->getSignature($date));

Author

neok commented Nov 12, 2020

If you are still facing this issue, you can fix it by installing a new lib (composer require async-aws/ses) and using ses+api.
But make sure to urlencode any special characters that you have in your secret key.

@ingfdoaguirre

> If you still facing this issue, you can fix it by installing a new lib composer require async-aws/ses
> and use ses+api
> But make sure to urlencode any special characters that you have in your secret key.

This is the best solution

@kundukundu

This worked for me:

    ses+smtp://$AWS_MAILER_USER:$WS_MAILER_PASSWORD@default?region=eu-west-1

using symfony/amazon-mailer, after urlencoding the password.

@719media

Since Symfony 4.4 is still the last LTS, shouldn't this issue be resolved for symfony/amazon-mailer 4.4?

@719media

Sorry to blow up the closed thread, but the reason I commented above is because amazon is currently phasing out signature 2 on SES by March 27 or so, so this current LTS 4.4 will NO LONGER WORK with ses, so I would think it should be fixed in 4.4

Member

fabpot commented Feb 25, 2021

Unfortunately, there is no way we can fix it in 4.4 as we never add a new feature in patch releases (and supporting this new feature is non-trivial anyway). So, the only possibilities I see here are to upgrade to a newer version of Symfony or to switch to another email provider (or maybe try to upgrade only symfony/amazon-mailer to 5.2).

@719media

OK.
I have upgraded ONLY symfony/amazon-mailer to 5.2, even though it seems iffy based on version pinning, it worked for my application. Thank you for the reply.

OskarStark added a commit to symfony/symfony-docs that referenced this issue Mar 16, 2021
This PR was merged into the 4.4 branch.

Discussion
----------

add a warning about Amazon SES signature

We need to warn users of Symfony 4.4 that they can't use symfony/amazon-mailer anymore.
They need to upgrade to 5.1 or newer.
See symfony/symfony#36956 (comment)

Commits
-------

518926f add a warning about Amazon SES signature
Contributor

garak commented May 6, 2021

Sorry to bump old issue, but I just hit this problem again (even if I have a similar configuration working).
So, is there something else I can check, after the following?

  • Symfony 4.4
  • symfony/amazon-mailer v5.2.0
  • async-aws/ses 1.4.0
  • properly configured env vars, with credentials checked in a smtp test tool, password urlencoded

The error is the infamous "The request signature we calculated does not match the signature you provided" if I use ses:// or ses+api:// prefix, or "535 Authentication Credentials Invalid" if I use ses+smtp://

The only difference I can see for config is that I have a transports key under framework.mailer (with a couple of named configurations, all pointing to configured env vars) instead of a dsn key. Can this be somehow relevant?

Member

derrabus commented May 6, 2021

@garak Can you please bump amazon-mailer to the latest 5.2 release?

Contributor

garak commented May 7, 2021

@derrabus thanks for your suggestion: tried with amazon-mailer 5.2.6, no luck :-(

Member

jderusse commented May 7, 2021

If you use DSN, could you please check that the credentials are encoded?

AWS often generates KEYs and SECRETs with special chars like + and /. When you copy-paste these credentials into the DSN (i.e. ses://mykey:my+secret@default), the + is url_decoded and interpreted as a space ( ); as a result, the credential used to sign the payload is invalid.
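
Added example (not part of the thread and not Symfony's code): a plain-PHP model of the decoding described in the comment above, using `parse_url()` and `urldecode()` on constructed credentials, to show why a raw `+` or `/` in the secret ends in a signature mismatch while the percent-encoded DSN does not. The helper names `credentialsFromDsn` and `buildSesDsn`, the sample key and secrets, and the string being signed are assumptions made for this illustration.

```php
<?php
// Added illustration: models the decode step with parse_url() + urldecode().
// It is not the Symfony Mailer source.

/** Recover [user, password] from a DSN; null when the userinfo cannot be parsed. */
function credentialsFromDsn(string $dsn): ?array
{
    $parts = parse_url($dsn);
    if ($parts === false || !isset($parts['user'], $parts['pass'])) {
        return null; // a raw "/" ends the authority part before the "@" is seen
    }
    return [urldecode($parts['user']), urldecode($parts['pass'])];
}

/** Build the DSN with every credential percent-encoded (hypothetical helper). */
function buildSesDsn(string $key, string $secret, string $region): string
{
    return sprintf('ses+api://%s:%s@default?region=%s',
        rawurlencode($key), rawurlencode($secret), rawurlencode($region));
}

// Constructed sample values, not real credentials.
$key     = 'AKIAEXAMPLEKEY';
$secrets = ['plus+inside+SECRET', 'slash/inside/SECRET'];
$payload = 'constructed-string-to-sign';

foreach ($secrets as $secret) {
    $dsns = [
        'raw'     => "ses+api://$key:$secret@default?region=eu-central-1",
        'encoded' => buildSesDsn($key, $secret, 'eu-central-1'),
    ];
    foreach ($dsns as $label => $dsn) {
        $creds     = credentialsFromDsn($dsn);
        $recovered = $creds[1] ?? null;
        // The HMAC only matches when the secret survived the round trip intact.
        $sigOk = $recovered !== null && hash_equals(
            hash_hmac('sha256', $payload, $secret),
            hash_hmac('sha256', $payload, $recovered)
        );
        printf("%-8s %-20s -> %-22s signature %s\n", $label, $secret,
            var_export($recovered, true), $sigOk ? 'matches' : 'MISMATCH');
    }
}
```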

Contributor

garak commented May 7, 2021

@jderusse already mentioned above: "password urlencoded"

Member

jderusse commented May 7, 2021

Having "535 Authentication Credentials Invalid" if I use ses+smtp:// makes me think this is related to the env var or credentials and not only the amazon-mailer bridge.

After using the SMTP transport in debug mode, the SentMessage object contains a debug property that should contain all the commands executed; maybe it can help to troubleshoot what's going on.

Contributor

garak commented May 7, 2021

I now tried again with ses+smtp://, but forcing region by appending ?region=eu-central-1. It's working for now, but I'm not sure if I can keep it like so (or if it's better using ses+api://).

@mpoiriert

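Just in case someone has an issue, this is what I am doing (in a pseudo-codish way).

    // HMAC-SHA256 of 'SendRawEmail' keyed with the shell variable SES_SECRET,
    // prefixed with the byte 0x02, then base64-encoded and URL-encoded.
    $SES_SECRET = urlencode(exec("(echo -n \"\x02\"; echo -n 'SendRawEmail' | openssl dgst -sha256 -hmac \${SES_SECRET} -binary) | openssl enc -base64"));

    // Plain SMTP DSN with both credentials URL-encoded.
    $MAILER_DSN = sprintf(
        'smtp://%s:%s@email-smtp.%s.amazonaws.com:587?encryption=tls&auth_mode=login',
        urlencode(getenv('SES_SMTP_ACCESS_KEY')),
        $SES_SECRET,
        getenv('REGION')
    );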

Since it's using simple smtp transport you don't need to install the symfony/amazon-mailer

There might be some things specific to our infra (I am not handling it) but this would give a decent starting point

@msklenica

> This worked for me: ses+smtp://$AWS_MAILER_USER:$WS_MAILER_PASSWORD@default?region=eu-west-1 using symfony/amazon-mailer and after urlencode the password.

The missing puzzle piece was to urlencode the password, as it contained the special char "/".

@xabbuh xabbuh added the Mailer label Mar 26, 2024