Discourse doctor parsing SMTP credentials not working (+ admin registration email not working)

Well, to start off, this is production, and I can’t get the first registration email to send.

I am sure my SMTP settings are correct.
I am able to ping and telnet my mail server with the port used, but as soon as I do “EHLO mailserver” the connection is closed by the foreign host.

At the tail of my logs, it says:

  Rendering layouts/email_template.html.erb
  Rendered layouts/email_template.html.erb (Duration: 0.2ms | Allocations: 32)
Delivered mail f3853b94-b772-48c2-b1b7-a78bbcbfc5c1@discourse.mywebsite.com (60177.6ms)
Job exception: Net::ReadTimeout

And I tried ensuring my SMTP settings were correct so I ran /var/discourse/discourse-doctor, but it cannot validate my settings. It says:

==================== YML SETTINGS ====================
awk: not an option: --field-separator=:
DISCOURSE_HOSTNAME=
awk: not an option: --field-separator=:
SMTP_ADDRESS=
awk: not an option: --field-separator=:
DEVELOPER_EMAILS=
awk: not an option: --field-separator=:
SMTP_PASSWORD=
awk: not an option: --field-separator=:
SMTP_PORT=
awk: not an option: --field-separator=:
SMTP_USER_NAME=
awk: not an option: --field-separator=:
LETSENCRYPT_ACCOUNT_EMAIL=

But my YAML (./containers/app.yml) seems perfectly formatted.

  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: mail.redacted.com
  DISCOURSE_SMTP_PORT: 465
  DISCOURSE_SMTP_USER_NAME: redacted@redacted.com
  DISCOURSE_SMTP_PASSWORD: "redacted"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  LETSENCRYPT_ACCOUNT_EMAIL: redacted@redacted.com

That sounds like something that needs to be solved. That’s consistent with the network error you described.

My guess is that special characters on your password are confusing Discourse-doctor.


This address does not seem like an SMTP address.
I guess this “mail.redacted.com” is the HTTP address.
I think you need to check it.

@irwinstar, I removed the actual mail server for the sake of not exposing my mail server on a public forum. But I can guarantee it is correct because I copied the settings from my mail client (working) and also compared them to my actual mail server’s SMTP settings.

Thank you for your offer to help. I think the issue is SPF/DKIM records so I’m trying to fix those.

Nonetheless, discourse-doctor still should be parsing it correctly. Not sure what’s going on there, since I didn’t edit the file myself in vim/nano. To be clear, the YAML was generated using discourse-setup.

And I think Discourse does not support the protocol on 465 now. If your mail server supports 587, you can change it to 587 instead.
Unfortunately, my mail server cannot use 587, so I added a mail proxy outside Discourse.


@irwinstar, This is extremely important information if this is correct, and would explain why my email setup isn’t working. Do you have a source for this information?

I’m not sure about it, but I tried 465 a few times.
Finally, I used this “hieulq/mailproxy” docker image as a mail proxy,
and use this app.yml setting for Discourse.
This usage seems bad, but it works.
I tried to find a mail plugin today, but I did not find one.

  DISCOURSE_SMTP_ADDRESS: x.x.x.x
  DISCOURSE_SMTP_PORT: 2525
  DISCOURSE_SMTP_AUTHENTICATION: none
  DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
  DISCOURSE_SMTP_ENABLE_START_TLS: false

Hey @simbleau

My experience is that SendGrid works well (port 587).

You can also test with SendGrid for free!


Appreciate the suggestions.

I’m trying to avoid purchasing any cloud mail servers, or using proxies (because if I wanted a dirty solution I’d just rake an admin account at this point) when I already have a mail server on hostgator.

I’m sure the SPF records are set for my discourse server’s IP. I’m really just trying to validate the DKIM records now.

If someone can confirm 465 is not allowed, that would be fantastic news as it would stop me from going too far down the rabbit hole of a non-issue. 465 was an issue, noted in the post below.

I’ve made some leeway on the installation.

Using port 587 I can successfully telnet an entire email and authenticate fine. So I switched.

Now, when the email gets sent, I am receiving the following error:

Delivered mail d86b48cc-b0f4-4df3-8960-ab5ff96613a0@discourse.imbleau.com (251.0ms)
Job exception: hostname "mail.redacted.com" does not match the server certificate

But what I have noticed is that this is no longer a connection timeout (triggered after 60 whole seconds), but rather, this is a different exception received in 250ms.

This is probably because I’ve used an email which is system@discourse.redacted.com, but this email internally uses mail.redacted.com as the email server.

I’m not sure how to fix this, honestly. I tried the following:

./launcher enter app
rails r "SiteSetting.notification_email = 'system@mail.redacted.com'"
exit

and rebuilding, so as to use it just this once. Still to no avail. The same error.

FIXED THE EMAIL ISSUE! (discourse-doctor still parses incorrectly)

I researched a bit more about Ruby and why this error was happening behind the scenes, which led me to this Stack Overflow issue.

This was the culprit. The solution involved changing the SSL negotiation, which gave me the intuition to turn this setting off in the app.yml file:

DISCOURSE_SMTP_ENABLE_START_TLS: false # (optional, default true)

Afterwards, SUCCESS!

That will disable TLS encryption, while the “only” issue is that you are using an incorrect hostname, i.e. the mail server is presenting a certificate which says something else than mail.redacted.com. Many email servers tend to be known by multiple different hostnames, you only need to find out which one it is using for its certificate.

You could try to find out which hostname it says it is and adjust your configuration accordingly.

echo | openssl s_client -connect mail.redacted.com:587 -starttls smtp -servername mail.redacted.com 2>/dev/null |openssl x509 -noout -subject

If that does not work, you can leave TLS encryption enabled and ONLY disable certificate verification:

DISCOURSE_SMTP_ENABLE_START_TLS: true
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: false
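The hostname check described above can be scripted, so that candidate names are tested against the certificate before verification is switched off. This is an added example, not part of the original post: it builds a throwaway certificate with constructed names (web01.example.net, *.hosting.example.net), the function names are hypothetical, and it assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example; the certificate and all hostnames are constructed.
# For a live server, first save the certificate that the s_client command
# above prints (pipe it through "openssl x509 -outform PEM > cert.pem").

# Build a throwaway self-signed certificate whose names do NOT include the
# "mail." host, mimicking a server that presents a different name.
make_sample_cert() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=web01.example.net" \
    -addext "subjectAltName=DNS:web01.example.net,DNS:*.hosting.example.net" \
    >/dev/null 2>&1
  echo "$dir/cert.pem"
}

# Succeeds only if the PEM certificate in $1 is valid for hostname $2.
# The printed verdict is matched, not the exit status of openssl.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# List every DNS name in the subjectAltName extension, one per line.
# Clients verify against these names, not only the subject CN.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/^ *DNS://p'
}
```

Any name for which `cert_matches_host` succeeds, and which resolves to the same mail server, is a candidate for `DISCOURSE_SMTP_ADDRESS` with certificate verification left on.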

Thanks @RGJ! Weirdly enough, it’s saying the CN is one of my subdomains, completely unrelated to mail. That’s worth investigating. Thank you for the guidance.

All of your users will have the same information.

If you’ll share with me privately your app.yml I’ll see if I can figure out what’s confusing discourse-doctor.

Sent. Take a crack at it.

Oh. The problem is that you have some version of awk other than GNU awk and the --field-separator option is called something else in your awk.

What version of awk do you have? What OS are you running?


man awk is telling me Version 1.3.4 2019-12-31 MAWK(1)

cat /etc/os-release tells me:

~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

Would you try editing discourse-doctor and replacing --field-separator with -F?

It looks like that will solve the problem. If you’ll confirm, I’ll submit a PR.


That partially worked. The error went away but it stopped returning anything.

==================== YML SETTINGS ====================
DISCOURSE_HOSTNAME=
SMTP_ADDRESS=
DEVELOPER_EMAILS=
SMTP_PASSWORD=
SMTP_PORT=
SMTP_USER_NAME=
LETSENCRYPT_ACCOUNT_EMAIL=

I solved it.

In discourse-doctor, change line 213 to the following:

  read_config_result=$(echo $config_line | awk  -F ":" '{print $2}')

This works because mawk hates -F=":", instead it literally demands a space instead like -F ":". :roll_eyes:

Opened a PR: Changed awk config command to be more cross platform by simbleau · Pull Request #513 · discourse/discourse_docker · GitHub

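An added example (not the code from the PR or from discourse-doctor) that puts the `print $2` form beside one that splits on the first colon only, because `print $2` truncates any value that itself contains `:`, such as a password. The sample YAML and the helper names are constructed for illustration; both forms use `-F` with a separate argument, which POSIX awk specifies.

```shell
#!/bin/sh
# Added example; sample_yml, read_config_naive and read_config are hypothetical.

# Constructed sample in the shape of containers/app.yml (values are made up).
sample_yml() {
cat <<'EOF'
  DISCOURSE_HOSTNAME: 'discourse.example.com'
  DISCOURSE_SMTP_ADDRESS: mail.example.com
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_PASSWORD: "pa:ss:word"
  #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
EOF
}

# Form from the thread: field 2 only, so a value containing ':' is cut short
# and the leading space and opening quote are kept.
read_config_naive() {
  sample_yml | grep "^  $1:" | awk -F ":" '{print $2}'
}

# Portable form: match the key exactly, skip commented-out settings, and take
# everything after the FIRST colon, then trim whitespace and matching quotes.
read_config() {
  sample_yml | awk -F ':' -v key="$1" '
    $1 ~ /^[ \t]*#/ { next }
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key {
      v = substr($0, index($0, ":") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (v ~ /^".*"$/ || v ~ /^'\''.*'\''$/) v = substr(v, 2, length(v) - 2)
      print v
      exit
    }'
}
```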