跳转至

Email listener security(电子邮件监听器安全机制)

Email listeners apply multiple layers of security validation to incoming emails before processing them.

Email authentication

All incoming emails must pass the following AWS SES authentication checks before they are accepted.

Check Description
SPF (Sender policy framework) Verifies that the sending server is authorized to send on behalf of the sender's domain.
DKIM (DomainKeys identified mail) Verifies that the email has not been tampered with in transit using cryptographic signatures.
DMARC (Domain-based message authentication) Verifies that the email aligns with the sender domain's published authentication policy.
Spam detection Scans the email for known spam indicators.
Virus scanning Scans email content and attachments for malware.

If any of these checks fail, the email is rejected and is not forwarded for processing.

Sender allowlist

Each email listener must be configured with a sender allowlist that controls which senders can deliver email to the listener. You can restrict access to the following:

  • Specific email addresses: Only emails from the listed addresses are accepted.
  • Entire domains: All emails from a given domain are accepted.

:::callout{theme="warning" title="Security"} By default, email listeners do not accept email from any sender. You must explicitly configure which senders are permitted before the listener will process any incoming email. :::

Attachment restrictions

To prevent the delivery of potentially malicious content, email listeners block certain MIME types by default. Blocked types include executable and script formats, such as:

  • Application executables (for example, .exe, .msi)
  • Shell scripts (for example, .sh, .bat)
  • JavaScript files

Size limits

Individual email messages, including all attachments, are limited to 40 MB. Emails exceeding this limit are rejected.


中文翻译

电子邮件监听器安全机制

电子邮件监听器在处理传入邮件前会应用多层安全验证。

邮件身份验证

所有传入邮件必须通过以下 AWS SES 身份验证检查后方可被接收。

检查项 说明
SPF(发件人策略框架) 验证发送服务器是否获得授权,可代表发件人域名发送邮件。
DKIM(域名密钥识别邮件) 使用加密签名验证邮件在传输过程中未被篡改。
DMARC(基于域名的消息认证) 验证邮件是否符合发件人域名已发布的认证策略。
垃圾邮件检测 扫描邮件中是否存在已知的垃圾邮件特征。
病毒扫描 扫描邮件内容及附件中的恶意软件。

若上述任何一项检查失败,该邮件将被拒绝,不会进入后续处理流程。

发件人白名单

每个电子邮件监听器必须配置发件人白名单,以控制哪些发件人可向该监听器投递邮件。您可限制以下范围的访问权限:

  • 特定电子邮件地址: 仅接受来自所列地址的邮件。
  • 整个域名: 接受来自指定域名的所有邮件。

:::callout{theme="warning" title="安全提示"} 默认情况下,电子邮件监听器不接受任何发件人的邮件。您必须明确配置允许的发件人,监听器才会处理传入的邮件。 :::

附件限制

为防止潜在恶意内容的投递,电子邮件监听器默认阻止某些 MIME 类型。被阻止的类型包括可执行文件和脚本格式,例如:

  • 应用程序可执行文件(例如 .exe.msi
  • Shell 脚本(例如 .sh.bat
  • JavaScript 文件

大小限制

单封电子邮件(包括所有附件)的大小限制为 40 MB。超过此限制的邮件将被拒绝。