Digital Ocean is blocking outgoing mail!


(Jay Pfaffman) #9

Something is blocking the connection. File a ticket with mailgun (with your host’s ip number) and perhaps with your hosting provider. Say that your can’t connect and that the connection times out.

Now that your have exposed your password you should change it (or maybe you did before sharing it).

If you get a solution, please let me know. It might help with my clients similarly mysterious problem.

Perhaps your host has been blacklisted. Find the ticket with mailgun, then search for blacklist checkers and see if your host is on one.


#10

@pfaffman
Sure - I will be contacting Mailgun on this right away.

I will be updating my progress here.


#11

@pfaffman

I tried telnet for SendinBlue also - it didn’t work for SendinBlue either. I’m using DigitalOcean Droplet - with Ubuntu OS (Docker setup). Are you sure telnet is supposed to work? I checked firewall - there is no firewall setup at OS side.

Little more background about my problem
The reason I’m trying to switch from SendinBlue to a different provider is because - they have recently reduced my sending limit. They have made it to 5 per hour from 300 per hour. I’ve created a ticket with them to look into this - this is not the first time their system is acting weird. But this time, I don’t want to stick with them again - I’m going to switch. Now, due to this - in my dashboard I can see “TONS and TONS of pending email jobs”

Now, I’m starting to think

  1. Is it the pending jobs that is causing issues here?

#12

Screenshot of Sidekiq:

(listting pending email jobs etc)


(Jay Pfaffman) #13

That’s all consistent with outgoing mail ports being blocked.

Digital ocean has some new firewall stuff that is controlled from the web interface, not at the os level. I’m wondering if it’s somehow enabled,or if it was enabled on that ip and then you got assigned the same ip, the mail ports are still filtered, but you’ve had this droplet for a while, right?


#14

@pfaffman
I think that is a GOOD idea.

This guy had a similar issue here:

His issue was that:
The host had blocked SMTP (just like you’ve posted above)

So, let me check - in DO- if SMTP is blocked by them or not.


#15

@pfaffman
Yes - I’ve had this droplet for 4+ months now.


#16

@pfaffman

Its not blocked at DO end:

All - outgoing ports - “both UDP+TCP” - allowed.


(Jay Pfaffman) #17

File a ticket with DO. That’s what I’m doing.


#18

@pfaffman
Sure.

ALSO:

Something that is really weird is this:

When I checked in admin panel, I can see that the last email was sent like 23 hours ago.
(When I checked in SendinBlue logs - I can see - emails were sent very recently too (max 5 an hour).


(Jay Pfaffman) #19

The admin panel might think that mail Discourse tried to send was sent.

It may be that Discourse queued mail for the old SendinBlue server and will continue trying to send it there even though you’ve changed. I don’t know for sure, though, and that does seem strange. Also, if SendinBlue is still receiving mail from Discourse, then the “all smtp ports are blocked” hypothesis doesn’t hold.


#20

Yes I don’t think SMTP is blocked.
Because - I can see from the SendinBlue logs that - emails were sent very recently.


(Jay Pfaffman) #21

The telnet that you show that never connects shows that something is blocking SMTP connections.

I don’t have an explanation for how the other mail got sent recently.

I just filed a ticket with Digital Ocean.


#22

Thanks @pfaffman
I also just logged a ticket with DO.


#23

@pfaffman
You are a GENIUS!!!
Like you said yesterday - yes - SMTP was blocked by Digital Ocean - I contacted them - they unblocked it - and now 1)telnet works 2)Test email also works.


(Jay Pfaffman) #24

I’m elated that digital ocean is silently breaking things in a way that is hard to diagnose and requires human intervention to resolve. That’s fantastic.

Did they say anything about why?


#25

First response from Digital Ocean:

Second response from Digital Ocean:


(Jay Pfaffman) #26

Oh. Sigh. Spammers have ruined something else. It looks like Digital Ocean is going to be blocking out bound SMTP ports by default. It’s annoying as hell, but, I’m afraid, the responsible thing for them to do.

The solution, for mailgun, at least, is to use port 2525. This doesn’t require removing the SMTP block, and should you site get hacked, it won’t be able to send spam.

I’m changing my standard install script to use that port. Hey, @codinghorror, I think that I’ll also make discourse-setup use port 2525 for mailgun by default (and check to see if that’ll also work for sendgrid, and sparkpost). This problem is difficult to diagnose, and is going to cause a bunch of people confusion in the near future.

I’m changing the subject of this thread to be more descriptive. (Subject was: There was a problem sending the test email. Please double-check your mail settings, verify that your host is not blocking mail connections, and try again)


Proposed changes to discourse-setup because Digital Ocean blocks outbound smtp
(Jay Pfaffman) #28

It’s easy enough to test the connection to the smtp port selected during installation is open.


(Matt Palmer) #29

To curb a recent increase in abuse and SPAM, we have an initial SMTP block on new accounts created in certain contexts.

  1. It’s not recent, you’ve been doing it for years.
  2. It’s “spam”, not “SPAM”. “SPAM” is a registered trademark of Hormel.
  3. SMTP runs on port 25. Port 587 is submission, a whole other thing.

we comply fully with the CAN-SPAM Act

There are no provisions of the CAN-SPAM Act which require service providers to proactively block TCP ports.

this says that you may not send bulk email unless you maintain a double-authorized list of subscribed members including IP addresses and relevant contact information.

  1. “double-authorized list” is gibberish.
  2. The CAN-SPAM act doesn’t say anything like that; if it did, spam cannons like Mail-a-kimp would have been shut down years ago because they sure as hell don’t perform confirmed opt-in on the mailing lists they send to. Even if it did say that, though, DigitalOcean isn’t the mail sender, so IT’S IRRELEVANT.

Now I’m going to have to have a bex and a good lie down. I’ve gotten all worked up.