Amazon SES: "Must issue a STARTTLS command first"

OK! We do a preliminary connection test using Net::SMTP to first try and diagnose some common problems, but that was never trying to use STARTTLS so it would always fail if that was in play.

I tried enabling it, but Net::SMTP in our container doesn’t work with that (I tested against my server and gmail, both failed). My server complained:

Jan 15 03:54:36 ralakrid postfix/submission/smtpd[2046]: connect from unknown[178.128.235.9]
Jan 15 03:54:36 ralakrid postfix/submission/smtpd[2046]: SSL_accept error from unknown[178.128.235.9]: -1
Jan 15 03:54:36 ralakrid postfix/submission/smtpd[2046]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
Jan 15 03:54:36 ralakrid postfix/submission/smtpd[2046]: lost connection after STARTTLS from unknown[178.128.235.9]
Jan 15 03:54:36 ralakrid postfix/submission/smtpd[2046]: disconnect from unknown[178.128.235.9] ehlo=1 starttls=0/1 commands=1/2

It isn’t really worth mucking about with Net::SMTP when this is the only place it’s used, so that error message is bypassed and we try using ActionMailer (which DOES reflect what Discourse will do) with this: https://github.com/discourse/discourse/pull/6883

5 Likes

Hey, @supermathie. So it looks like you’ve fixed the rake task so that discourse-doctor does not need to be updated for this. Thanks.

(And was it me who included a spurious j? I’ve spent too much time looking at history. I’ll try to let it go.)

3 Likes

:+1: Yep, that case just wasn’t handled in our rake task.

Nope, it leaked here.

2 Likes

Well, I can’t quite tell on mobile, but I’m thinking that it was me who submitted that PR. I thought that I’d tested all the paths though.

2 Likes

It’s a rather crude tool. It is resigned to help identify the most common problems for people who don’t know what bash is. If you can make aws work you’re not the target audience. Presumably you’d not be running it to test a site they wasn’t broken. :wink:

I have been trying to get AWS SES working for on a brand new discourse install for 2 days!

I’ve tried everything in the initial guide:

Discourse doctor also fails with 530 issue STARTTLS command.

My SES credentials are correct since I can send email from command line curl with the same settings, however discourse won’t send me my initial admin email.

 DISCOURSE_DEVELOPER_EMAILS: 'MYEMAIL'
 DISCOURSE_SMTP_ADDRESS: email-smtp.us-west-2.amazonaws.com
 DISCOURSE_SMTP_PORT: 587
 DISCOURSE_SMTP_USER_NAME: XXX
 DISCOURSE_SMTP_PASSWORD: "SESPASSWORD"

SES is not in sandbox. I can’t get the first initial email sent and can not login as admin. There are no errors in /var/discourse/shared/standalone/log/rails/production.log

Unless you change it, Discourse is sending from noreply@your.host.name. If SES won’t accept mail from that address, it won’t send. There’s a line at the end of app.yml where you can set it.

A fix is pending for this: Amazon SES: "Must issue a STARTTLS command first"

Do SES logs show that it accepted the email?

If you get into the rails console, you can Create Admin Account from Console and then follow up with testing the email setup.

3 Likes

Thank you!

I managed to login as admin and send test emails which all worked.

It was just the discourse doctor that was broken.

You shouldn’t go to the doctor if you’re not sick. :wink:

5 Likes

I have got this problem with aws ses (domain , dkim is verified)

==================== MAIL TEST ====================
For a robust test, get an address from http://www.mail-tester.com/
Sending mail to REDACTED  . . 
Testing sending to mydomain@gmail.com using AKI23AmyuserJLKJTT:1jFmypassword428t96Xh242e@email-smtp.eu-west-1.amazonaws.com:587.
SMTP server connection successful.
Sending to mydomain@gmail.com. . . 
Sending mail failed.

==================== DONE! ====================

How to fix this ?? I can send test mail from AWS site…

You seem to have hidden your domain but revealed the smtp username and password.

My guess is that you are sending from something like Discourse@forum.example.Com but the mail server is configured only for xxx@example.Com.

Thank you for Your answer.

No . The address of my forum is mymaindomain.com

1 Like
`root@ubuntu-s-1vcpu-2gb-fra1-01:/var/discourse# tail shared/standalone/log/rails/production.log`
  Rendering static/show.html.erb within layouts/crawler
  Rendered static/show.html.erb within layouts/crawler (3.4ms)
  Rendered layouts/_head.html.erb (1.9ms)
Completed 200 OK in 25ms (Views: 6.0ms | ActiveRecord: 12.1ms)
Creating scope :open. Overwriting existing method Poll.open.
Sent mail to mymail1@protonmail.com (1449.1ms)
Sent mail to mymail2@mailfence.com (1382.7ms)
**Job exception: 535 Authentication Credentials Invalid**


`./discourse-doctor`

==================== END DISK INFORMATION ====================

==================== MAIL TEST ====================
For a robust test, get an address from http://www.mail-tester.com/
Or just send a test message to yourself.
Email address for mail test? ('n' to skip) [mymail1@protonmail.com]: 
Sending mail to mymail1@protonmail.com. . . 
Testing sending to mymail1@protonmail.com using AKIAWmylogin:mypassword@email-smtp.eu-west-1.amazonaws.com:587.
SMTP server connection successful.
Sending to mymail1@protonmail.com. . . 
Sending mail failed.
Replacing: SMTP_PASSWORD
Replacing: LETSENCRYPT_ACCOUNT_EMAIL
Replacing: DEVELOPER_EMAILS
Replacing: DISCOURSE_DB_PASSWORD
Replacing: Sending mail to

==================== DONE! ====================

Looks like the smtp user /password are wrong?

has already tried it 10 times. Generates new passwords but still doesn’t work …

My domain is verified and lights up green
A test e-mails comes from any subaddress of my domain in aws console (for example mynewadres155@ mydomain.com.

So why in discourse doesn’t work ;/ ?

Do you have mailboxes on the domain too?

No. I have a domain on namecheap without mailboxes. Hosting is from DigitalOcean. Smtp from aws ses.

Btw my command telnet email-smtp.eu-west-1.amazonaws.com 587

shows this result

451 Timeout waiting for data from client.
Connection closed by foreign host.