How to configure SES webhooks to receive bounce notifications without session authentication?

Open ermoi opened this issue 1 month ago • 0 comments

Hi team, I'm trying to configure AWS SES webhooks in Listmonk v5.1.0 to automatically process bounces and complaints, but I'm encountering an authentication issue with the webhook endpoint.

Environment

  • Listmonk version: 5.1.0
  • Deployment: Docker container
  • Reverse proxy: Nginx
  • Database: PostgreSQL

Current Configuration

Enabled via Web UI:

  • ✅ Bounces: Enabled
  • ✅ SES: Enabled
  • ✅ Webhooks: Enabled

Database settings:

    bounce.enabled = true
    bounce.ses_enabled = true
    bounce.webhooks_enabled = true

No [bounce] section in config.toml - all configuration was done through the web interface.

Problem

When AWS SNS tries to confirm the HTTPS subscription to the webhook endpoint, it fails because Listmonk returns:

    curl -X POST http://localhost:9000/webhooks/bounce \
      -H "Content-Type: application/json" \
      -d '{"Type": "Notification"}' -v

Response:

    < HTTP/1.1 403 Forbidden
    < Content-Type: application/json
    {"message":"invalid session"}

The /webhooks/bounce endpoint requires web session authentication, which AWS SNS cannot provide.

What I've Tried

Tested different endpoints:

  • /webhooks/bounce → 403 Forbidden ("invalid session")
  • /webhooks/service/ses → 404 Not Found

Questions

  1. Is there a public/unauthenticated webhook endpoint for external services like AWS SNS to POST notifications without web session cookies?

  2. What's the correct way to configure SES webhooks in v5.x? Should it be done via:

  • config.toml file?
  • Database settings table?
  • Web UI (and if so, where)?
  3. What's the expected endpoint URL that AWS SNS should use?
  • /webhooks/bounce
  • /api/webhooks/bounce
  • /webhooks/service/ses
  • Something else?
  4. Does the webhook endpoint require authentication? If so:
  • What type? (Basic Auth, Token, API Key?)
  • How do I configure it?
  • How does AWS SNS provide credentials?

Expected Behavior (https://listmonk.app/docs/bounces/)

AWS SNS should be able to:

  • Confirm the HTTPS subscription by POSTing to the webhook endpoint
  • Send bounce/complaint notifications without authentication errors
  • Have Listmonk automatically process these events and update subscriber status

AWS SNS Configuration

For reference, SNS will send:

  • Protocol: HTTPS
  • Endpoint: https://mailing.andalucia.org/webhooks/bounce or https://mailing.andalucia.org/webhooks/service/ses
  • Content-Type: text/plain; charset=UTF-8 or application/json
  • Headers: x-amz-sns-message-type, x-amz-sns-message-id, etc.

ermoi · Dec 03 '25 07:12
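
Added example, not part of the issue and not listmonk's own code: SNS cannot present a session cookie, so a receiver for the POSTs described above usually authenticates the message itself through its signature. This Go code takes the JSON envelope SNS sends (JSON even under `text/plain`), rejects a `SigningCertURL` that is not an HTTPS SNS host, and builds the string the `Signature` field covers; the function name `canonical` and all sample values are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// snsMsg is the SNS JSON envelope; SNS posts it with Content-Type text/plain.
type snsMsg struct {
	Type, MessageId, TopicArn, Subject, Message, Timestamp string
	Token, SubscribeURL, SigningCertURL, Signature         string
}
var certHost = regexp.MustCompile(`^sns\.[a-z0-9-]+\.amazonaws\.com(\.cn)?$`)

// canonical checks the signing cert location and returns the signed string.
func canonical(body []byte) (string, error) {
	var m snsMsg
	if err := json.Unmarshal(body, &m); err != nil {
		return "", err
	}
	u, err := url.Parse(m.SigningCertURL)
	if err != nil || u.Scheme != "https" || !certHost.MatchString(u.Hostname()) {
		return "", fmt.Errorf("untrusted SigningCertURL %q", m.SigningCertURL)
	}
	var kv []string
	switch m.Type {
	case "Notification":
		kv = []string{"Message", m.Message, "MessageId", m.MessageId}
		if m.Subject != "" { // Subject is signed only when present
			kv = append(kv, "Subject", m.Subject)
		}
		kv = append(kv, "Timestamp", m.Timestamp, "TopicArn", m.TopicArn, "Type", m.Type)
	case "SubscriptionConfirmation", "UnsubscribeConfirmation":
		kv = []string{"Message", m.Message, "MessageId", m.MessageId, "SubscribeURL", m.SubscribeURL,
			"Timestamp", m.Timestamp, "Token", m.Token, "TopicArn", m.TopicArn, "Type", m.Type}
	default:
		return "", fmt.Errorf("unexpected SNS Type %q", m.Type)
	}
	return strings.Join(kv, "\n") + "\n", nil
}

func main() {
	// Constructed sample body, not a captured SNS message.
	body := `{"Type":"Notification","MessageId":"m-1","TopicArn":"arn:aws:sns:eu-west-1:000000000000:example","Message":"{}","Timestamp":"2025-12-03T07:12:00.000Z","SigningCertURL":"https://sns.eu-west-1.amazonaws.com/example.pem"}`
	fmt.Println(canonical([]byte(body)))
}
```

The remaining step, which needs network access, is fetching the certificate from `SigningCertURL` and verifying the base64-decoded `Signature` over this string with its RSA public key.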