SMTP Credentials Guide
Generate SMTP credentials for your AWS SES infrastructure. Use with WordPress, Nodemailer, PHPMailer, or any SMTP-compatible system.
Generate SMTP credentials for legacy systems, WordPress, or any application that sends email over SMTP instead of the AWS SDK.
Most applications should use the Wraps SDK or the AWS SES API directly. SMTP credentials are for systems that only support the SMTP protocol:
- WordPress: WP Mail SMTP plugin or similar
- PHP applications: PHPMailer, SwiftMailer, Laravel Mail
- Nodemailer: Node.js SMTP transport
- Legacy systems: Any SMTP-compatible client or appliance
Before enabling SMTP credentials:
- `wraps email init`
- `wraps email status`
- `wraps --version`

Run the upgrade command and select Enable SMTP credentials:

```bash
wraps email upgrade
```

This creates a dedicated IAM user (wraps-email-smtp-user) with permission to send email via SES, then generates an access key and derives the SMTP password.
Save your credentials immediately
The SMTP password is derived from the IAM secret key and displayed once. It cannot be retrieved later. If you lose it, you'll need to rotate credentials.
After enabling SMTP, the CLI outputs your connection details. Store them as environment variables:
```
SMTP_HOST=email-smtp.us-east-1.amazonaws.com
SMTP_PORT=587
SMTP_USER=AKIA...
SMTP_PASS=BQADz...
```

| Setting | Value |
|---|---|
| Server | email-smtp.{region}.amazonaws.com |
| Port | 587 (STARTTLS) or 465 (TLS Wrapper) |
| Encryption | Required (TLS or STARTTLS) |
| Username | IAM access key ID (starts with AKIA) |
| Password | Derived SMTP password (base64 string, not your AWS secret key) |
SMTP password is not your AWS secret key
SES derives the SMTP password from your IAM secret access key using HMAC-SHA256. The CLI does this automatically. Never use your raw AWS secret key as the SMTP password.
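The derivation mentioned above, as an added example (not code from this page or from the Wraps CLI). It follows the HMAC-SHA256 chain AWS publishes for SES SMTP passwords; the fixed strings, the version byte, the function names and the sample secret are assumptions or constructed values, not taken from this page. Because the region is one of the signed inputs, a password derived for one region fails against another region's SMTP endpoint.

```python
import base64
import hashlib
import hmac

# Fixed inputs from AWS's published SES SMTP derivation (not from this page).
DATE, SERVICE, TERMINAL, MESSAGE = "11111111", "ses", "aws4_request", "SendRawEmail"
VERSION = b"\x04"


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_smtp_password(secret_access_key: str, region: str) -> str:
    """Chain HMAC-SHA256 over the fixed strings, prepend the version byte, base64."""
    key = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for part in (region, SERVICE, TERMINAL, MESSAGE):
        key = _sign(key, part)
    return base64.b64encode(VERSION + key).decode("ascii")


def classify_smtp_pass(candidate: str, secret_access_key: str, region: str) -> str:
    """Tell a correctly derived SMTP_PASS apart from common misconfigurations."""
    cand = candidate.encode("utf-8")
    if hmac.compare_digest(cand, secret_access_key.encode("utf-8")):
        return "raw-secret-key"  # the mistake the page warns about
    expected = derive_smtp_password(secret_access_key, region).encode("utf-8")
    if hmac.compare_digest(cand, expected):
        return "ok"
    return "mismatch"  # wrong region, rotated key, or a corrupted value


if __name__ == "__main__":
    # Constructed sample secret for illustration only; not a live key.
    secret = "ExampleSecretKeyConstructedForThisDemo00"
    pw = derive_smtp_password(secret, "us-east-1")
    print(len(pw), classify_smtp_pass(pw, secret, "us-east-1"))
    print(classify_smtp_pass(pw, secret, "eu-west-1"))
    print(classify_smtp_pass(secret, secret, "us-east-1"))
```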
```javascript
import nodemailer from "nodemailer";

const transport = nodemailer.createTransport({
  host: process.env.SMTP_HOST,
  port: 587,
  secure: false, // STARTTLS
  auth: {
    user: process.env.SMTP_USER,
    pass: process.env.SMTP_PASS,
  },
});

await transport.sendMail({
  from: "hello@yourdomain.com",
  to: "user@example.com",
  subject: "Hello from Wraps",
  html: "<h1>It works!</h1>",
});
```

```php
<?php
// PHPMailer
require 'vendor/autoload.php'; // assumes PHPMailer was installed with Composer

use PHPMailer\PHPMailer\PHPMailer;

$mail = new PHPMailer(true);
$mail->isSMTP();
$mail->Host = getenv('SMTP_HOST');
$mail->SMTPAuth = true;
$mail->Username = getenv('SMTP_USER');
$mail->Password = getenv('SMTP_PASS');
$mail->SMTPSecure = PHPMailer::ENCRYPTION_STARTTLS;
$mail->Port = 587;

$mail->setFrom('hello@yourdomain.com');
$mail->addAddress('user@example.com');
$mail->Subject = 'Hello from Wraps';
$mail->Body = '<h1>It works!</h1>';
$mail->isHTML(true);
$mail->send();
```

Install the WP Mail SMTP plugin, then configure under WP Mail SMTP → Settings:
```
# WP Mail SMTP plugin settings:
#
# Mailer: Other SMTP
# SMTP Host: email-smtp.{region}.amazonaws.com
# Encryption: TLS
# SMTP Port: 587
# Authentication: On
# Username: (your SMTP_USER)
# Password: (your SMTP_PASS)
```

If credentials are compromised or you need a fresh set, run the upgrade command again and select Manage SMTP credentials → Rotate credentials. This invalidates the old credentials immediately and generates new ones.

```bash
wraps email upgrade
```

To remove SMTP credentials entirely, select Disable SMTP credentials from the same menu. This deletes the IAM user and access keys.
Enabling SMTP credentials creates these resources in your AWS account:
| Resource | Name | Purpose |
|---|---|---|
| IAM User | wraps-email-smtp-user | Dedicated user for SMTP auth |
| IAM Policy | wraps-smtp-send-policy | Allows ses:SendRawEmail only |
| Access Key | Generated per user | Username + secret used to derive SMTP password |
The IAM user has a single permission: ses:SendRawEmail. It cannot read, delete, or modify any other AWS resources.
Move your SES account out of sandbox mode to send to any recipient.
Request production access
Add and verify additional sending domains for your SMTP setup.
Verify a domain