aws-ses-relay
A Go SMTP front-end for Amazon SES that authenticates with an IAM role instead of static SMTP credentials or AWS secret keys. Apps and alerting tools speak plain SMTP; the relay forwards through the SES v2 API with an IP allowlist, sender and recipient filters, per-IP rate limiting, a send-quota guard, and Prometheus metrics.
About
aws-ses-relay is a small Go service that lets any SMTP-speaking client send mail through Amazon SES without handling AWS credentials itself. It listens for SMTP submission on port 1025 and forwards each message through the SES v2 API using the AWS default credential chain, so on EC2, ECS, or EKS it picks up the instance or task IAM role and needs no static SMTP username, password, or AWS secret key on the client side. Around that core it adds the controls you want before pointing production traffic at it: an IP/CIDR allowlist enforced when a connection is accepted, sender and recipient regular-expression filters, a per-IP token-bucket rate limiter, and a send-quota guard that polls the SES account limit and backs off before you hit the 24-hour cap. A separate admin port serves health, readiness, and Prometheus metrics. The published image is distroless and runs as a non-root user.