Always check out the original article at http://www.oraclequirks.com for latest comments, fixes and updates.
This is just a little reminder in case I forget (again) that the SMTP port on Amazon EC2 receives special attention due to the potential exploitation by spammers.
If you run multiple Apex instances on Amazon EC2, it may sound convenient to configure a single mail server for all instances. Ideally one should not even bother to set up a dedicated mail server and use Amazon Simple Mail Service, but unfortunately the service only accepts SSL connections which rules out the standard APEX_MAIL API.
It is also less than desirable, I guess, to maintain separate mail servers for each instance, therefore I consolidated the mail server on a micro instance that does almost only that job at a very reasonable price.
In order to allow the communication between two EC2 instances belonging to the same security group, normally it is sufficient to enable the inbound traffic for the whole EC2 security group instead of each and every IP address, resulting in a much shorter firewall rules list. For instance, if I have machine A and B and they both belong to a security group called default whose security group ID is SG-8ab12345, then I can configure this default security group to accept inbound connections on a whole range of ports for SG-8ab12345.
Unfortunately this simple and effective method doesn't apply to port 25 (or so it seems).
The fact is further complicated by the dynamic nature of the private IP addresses assigned to each machine at every start.
One way to work around the problem of dynamic IPs so far has been to use elastic IPs (public static IPs) which are internally resolved into private IPs but this technique works for all ports except port 25.
So, the only solution I know is to explicitly add each and every elastic IP address against port 25 in the relevant security group firewall rules.
In Apex terms it means that you need to specify the elastic IP of the mail server in the Manage Instance/Feature Configuration page, in the Apex administrator (INTERNAL) workspace.
If you later remove the rule for port 25 as I did accidentally this morning, the APEX_MAIL_LOG view will be cluttered with unsent messages reporting SMTP transient error: 421 Service not available in the MAIL_SEND_ERROR column.
The best news however is that just yesterday Amazon announced the preliminary availability of VPC (Amazon Virtual Private Cloud), a new type of service that addresses multi-tier application issues, so may be that we can finally say goodbye to all these workarounds and headaches and configure our own public and private subnets inside the Amazon EC2 network.