Digital Ocean, SendGrid, Netlfity - Register Admin account email not coming through

I am using Digital Ocean(hosting), SendGrid(SMTP), Netlify (Domain, DNS) to setup my open forum for my blog.

I got Domain, DNS part setup and was able to get to the registration page.

But the email never gets to the Developer email.

I tried the configurations below in nano containers/app.yml
DISCOURSE_HOSTNAME: ‘discourse.myblog.com
DISCOURSE_DEVELOPER_EMAILS: ‘adminEmail@gmail.com’

DISCOURSE_SMTP_ADDRESS: smtp.sendgrid.net
DISCOURSE_SMTP_PORT: 2525
DISCOURSE_SMTP_USER_NAME: {myusername}
DISCOURSE_SMTP_PASSWORD: XX.xxxx.xxxxxxxxx
DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

DISCOURSE_SMTP_ADDRESS: smtp.sendgrid.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: {myusername}
DISCOURSE_SMTP_PASSWORD: XX.xxxx.xxxxxxxxx
DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

DISCOURSE_SMTP_ADDRESS: smtp.sendgrid.net
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: apiKey
DISCOURSE_SMTP_PASSWORD: XX.xxxx.xxxxxxxxx
DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

DISCOURSE_SMTP_ADDRESS: smtp.sendgrid.net
DISCOURSE_SMTP_PORT: 25
DISCOURSE_SMTP_USER_NAME: {myusername}
DISCOURSE_SMTP_PASSWORD: XX.xxxx.xxxxxxxxx
DISCOURSE_SMTP_ENABLE_START_TLS: false           # (optional, default true)

DISCOURSE_SMTP_ADDRESS: smtp.sendgrid.net
DISCOURSE_SMTP_PORT: 25
DISCOURSE_SMTP_USER_NAME: {myusername}
DISCOURSE_SMTP_PASSWORD: XX.xxxx.xxxxxxxxx
DISCOURSE_SMTP_ENABLE_START_TLS: false           # (optional, default true)
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

When I run ./discourse-doctor and test sending an email, I get
535 Authentication failed: Bad username / password

It looks like you are using an API key as a username for sendgrid?

I tried both apiKey and my username (admin and teammate)
but still didn’t get it working.

AFAIK if you want to use an API key you need to use the username ‘apikey’ with the associated password. I can’t see anything on whether it’s case sensitive, but better to be safe.

You might want to reach out to DigitalOcean support, they’ve been known to block outbound SMTP to third party services on new accounts. Can you telnet to that port from the host?

1 Like

If not, use port 2525. You won’t have to wait for a ticket. I just use port 2525 by default. There is no downside.

I tried with 2525 as well…

I also just tried with apikey but not working…

Yes I tried to connect with telnet following this tutorial (https://sendgrid.com/docs/for-developers/sending-email/getting-started-smtp/)
And was able to succesfully connected
Screen Shot 2020-03-20 at 11.12.41 AM

@Stephen good idea that I will reach out to digital ocean for block outbound SMTP

There is no need for that because:

Are test messages showing up in your sendgrid logs?

To find out how to do that, you would ask the people at sendgrid

Okay I will get the log!

I think that there might be an issue with port being Filtered State

PORT     STATE    SERVICE
25/tcp   filtered smtp
587/tcp  filtered submission
2525/tcp filtered ms-v-worlds

Here is the message coming from Digital Ocean
Check whether you have opened Port-25 in the firewall. You can check with following command , nmap -p 25,465,587 “your Droplet’s IP address”

Sample nmap command:

nmap -p 25,465,587 142.93.189.227

Starting Nmap 7.70 ( [https://nmap.org](https://nmap.org/) ) at 2019-10-08 11:10 IST
Nmap scan report for [unms.adastratechnology.com](http://unms.adastratechnology.com/) (142.93.189.227)
Host is up (0.56s latency).
PORT STATE SERVICE
25/tcp closed smtp
465/tcp closed smtps
587/tcp closed submission

Here is the message from Digital ocean:

This will give you an idea of what is the current status of PORT 25. If it is in either Filtered state or closed state, you can open Cloud Firewall for PORT 25.

Here is our guide to common iptables commands: https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands#service-mail

The issue isn’t port 25 of your sever (i.e. inbound), it’s outbound traffic from your server to a remote host on port 587.

DigitalOcean has a history of blocking that, because sometimes people spin up new accounts to do Bad Things.

1 Like

Yes, I filled a support ticket and waiting for their response.

Do you think that it has anything to do with SendGrid?
@Stephen

Almost certainly not. We see a lot of new installs with outbound port issues on new accounts, there’s nothing specific to Sendgrid.

If you have a linux or Mac workstation you can test SMTP over 587 to Sendgrid independently by doing something like:

openssl s_client -starttls smtp -connect smtp.sendgrid.com:587

If it fails from your VPS and works from anywhere else then the problem is the outbound traffic from DO.

I just tested it from my Mac and it connects successfully.

1 Like

I ran this code in my mac (catalina)

I called openssl s_client -starttls smtp -connect smtp.sendgrid.net:587

got this return

CONNECTED(00000006)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.smtp.sendgrid.net
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.smtp.sendgrid.net
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGvzCCBaegAwIBAgIIR8KHdm5J8J0wDQYJKoZIhvcNAQELBQAwgbQxCzAJBgNV
BAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpTY290dHNkYWxlMRow
GAYDVQQKExFHb0RhZGR5LmNvbSwgSW5jLjEtMCsGA1UECxMkaHR0cDovL2NlcnRz
LmdvZGFkZHkuY29tL3JlcG9zaXRvcnkvMTMwMQYDVQQDEypHbyBEYWRkeSBTZWN1
cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IC0gRzIwHhcNMTgxMjI4MjAyMjIwWhcN
MjAxMjI4MjAyMjIwWjBBMSEwHwYDVQQLExhEb21haW4gQ29udHJvbCBWYWxpZGF0
ZWQxHDAaBgNVBAMMEyouc210cC5zZW5kZ3JpZC5uZXQwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC/xYdx1oyPHcE6EdH61RXJK9JYA9p9GOrYhJ6rVq2c
zpGR3/4EHwaZO/daZxvTn5p3LRBBW5KBBBNCLa0Vl84dLt6skUg3oWo17mim2ly1
AegTwN15/wxqq8Hf2G4Sr9g00zlBAEs2HeOyr3SxEvLCLscYtIKG7cD+CsUi0JT6
EeDXCVL04nJIheFh4h9TRcCook97yuqt7muySrarzekatOnpv4kuU8bk0uq4ym5K
NO4zRUiCRy7JXAC2KZ4+0qhSlPFACRvygdPxK5ICvQq8/ZPlRWVn3yrWnQ4kEekp
jDT4ucOpv8V/SxYmsBRqFD35ASDj6PZLYmJFb9XdzGCzAgMBAAGjggNFMIIDQTAM
BgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAOBgNV
HQ8BAf8EBAMCBaAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDovL2NybC5nb2RhZGR5
LmNvbS9nZGlnMnMxLTkwMS5jcmwwXQYDVR0gBFYwVDBIBgtghkgBhv1tAQcXATA5
MDcGCCsGAQUFBwIBFitodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3Jl
cG9zaXRvcnkvMAgGBmeBDAECATB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUHMAGG
GGh0dHA6Ly9vY3NwLmdvZGFkZHkuY29tLzBABggrBgEFBQcwAoY0aHR0cDovL2Nl
cnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5L2dkaWcyLmNydDAfBgNV
HSMEGDAWgBRAwr0njsw0gzCiM9f7bLPwtCyAzjAxBgNVHREEKjAoghMqLnNtdHAu
c2VuZGdyaWQubmV0ghFzbXRwLnNlbmRncmlkLm5ldDAdBgNVHQ4EFgQUqLajl4xR
pZ1YZD2l6KsTfcmd8t4wggF9BgorBgEEAdZ5AgQCBIIBbQSCAWkBZwB2AKS5CZC0
GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABZ/Z7aIYAAAQDAEcwRQIhAOhF
95cuap1qIlSVtRzNkaUbNHxpgj+RoBfxcSFgqlBZAiBNsRnVaIwWMBoR9s+a9YwC
neLWWN777jRjew5mv2DVbwB2AO5Lvbd1zmC64UJpH6vhnmajD35fsHLYgwDEe4l6
qP3LAAABZ/Z7bY8AAAQDAEcwRQIgJZMibCSMJDwTwEp64XSQQXCuYtKJDvhT7FwK
rxoyH6oCIQCz1HVQbPLwMOXQPBRQFtpYEb18JCVdzlh8+f0hITgC5gB1AF6nc/nf
VsDntTZIfdBJ4DJ6kZoMhKESEoQYdZaBcUVYAAABZ/Z7cugAAAQDAEYwRAIgQoxF
Fak6Aq9tVDo5BjaSl+90pZ8928SmDpA3XrQ7BrQCIHdOuigFbYK96gJ/GPaVNGqc
w5FKxw9Z8TnpjZH1GEC/MA0GCSqGSIb3DQEBCwUAA4IBAQBbBTL603nJ9H7ClsKR
g/XmFpGwQ4C5OftGmZ/Z/CG9iqOkLB2TPqdJ9NZRruMpWjnOnvDFoQ3NMSfDYdsn
25fzh30fx2+zIWW2IdKa1yO4A9tr3cxn4iINy/+dcNmF6tciGJtdBhZZgpyqhymu
kjuMCQRL17uVkLyrYA/+Ti5N02fzRchprOydiasnhHSdDM3HVZQOqjOvoB5omtuf
D1aldjrgW+TcILlnZxYvaqDPeMvUIZxQPzealRniQ7tmMOAgJfjZXxzuXatqXqw0
zbvQOiY2pSDn7WPxLbGafLAOFWIWhHtkEZMRC2n3WpupiZuC0pacmQeUgVY6Vabs
KU8W
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.smtp.sendgrid.net
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5002 bytes and written 357 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F315CBBB90B16A8F85D95F0CD18C07135A128B5FE6CE53D50C7CF81310B28732
    Session-ID-ctx: 
    Master-Key: E4C09CCC8AECB9C596D608B79E9A5360B88E2C31EB98C770E96A5037177F7F5D92B9CFA449B8ECA7AEA5D4CB873601D4
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - f7 61 88 44 b6 0d 7c ce-0c 35 b3 ba 33 03 ce 33   .a.D..|..5..3..3
    0010 - 95 99 62 e9 f9 ea 5e e6-00 f8 09 66 47 bd 28 cf   ..b...^....fG.(.
    0020 - 51 64 c5 76 3a ac b2 e2-ff 2a be 29 63 8c a8 d2   Qd.v:....*.)c...
    0030 - 76 2e ba 08 32 74 4a 4b-24 c8 69 ef 71 8e da e6   v...2tJK$.i.q...
    0040 - e3 dd c3 a8 19 84 02 c9-9e e7 7a 7a b8 b7 78 f3   ..........zz..x.
    0050 - 02 8c e6 ff 85 0e f5 4d-f3 5a 49 b1 22 40 12 ee   .......M.ZI."@..
    0060 - 7d d5 8c f4 d9 50 57 0a-c2 82 06 52 9e 64 89 fd   }....PW....R.d..
    0070 - 21 7b e4 f0 f3 e8 2c 61-09 a7 99 1f c8 7e c5 1b   !{....,a.....~..
    0080 - 23 fc 11 bc a7 8d 21 d6-05 6f 86 66 5b e9 2e 87   #.....!..o.f[...
    0090 - d0 98 8f b2 2b 7d 18 90-50 62 67 8f 77 8b c2 37   ....+}..Pbg.w..7

    Start Time: 1584738375
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
250 AUTH=PLAIN LOGIN

Right, and if you type EHLO and hit enter this should be the response:

250-smtp.sendgrid.net
250-8BITMIME
250-PIPELINING
250-SIZE 31457280
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN

Which proves you can connect to SendGrid. If that fails from the DO droplet then you have your answer.

I think that I got it conneced? so I think we are good with SendGrid

EHLO
250-smtp.sendgrid.net
250-8BITMIME
250-PIPELINING
250-SIZE 31457280
250-STARTTLS
250-AUTH PLAIN LOGIN
250 AUTH=PLAIN LOGIN

@Stephen Am still waiting to get a response back from digital ocean on how to unblock outbound email

Ok, so if you repeat that from droplet via SSH does it connect?

I’ve just checked from one of my droplets in DO and it behaves the same as port 587 is open.

If I was correct earlier, the connection should fail. If it fails then you’re waiting on the right thing - better to know for sure than to wait only to find the issue resided elsewhere!

You have demonstrated at least two different ways that outbound mail is not blocked by Digital Ocean.

I’m going to go out on a limb and suggest that you are not using the correct username and or password.

2 Likes