I’ve been spending the last two days trying to get discourse to work. And I’m stuck now. The system log shows:
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: connect from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: lost connection after EHLO from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: disconnect from unknown[172.17.0.2] ehlo=1 auth=0/1 commands=1/2
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<receipts@ellenroed.no>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS, session=<mXvcb7OAwqVt7ovc>
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<pink@ellenroed.no>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS: Disconnected, session=<hFncb7OA5KVt7ovc>
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<ellen@halvekongeriket.org>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS: Disconnected, session=<Plncb7OAHp1t7ovc>
/etc/postfix/main.cf:
myhostname = mail.bluelightos.org
myorigin = /etc/mailname
mydestination = mail.bluelightos.org, bluelightos.org, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
home_mailbox = Maildir/
message_size_limit = 20480000
smtpd_recipient_restrictions = permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymou
Looks like a networking problem to me?
Running discourse-doctor said login worked but sending email failed.
2 Likes
pfaffman
January 31, 2019, 2:45am
4
Where is postfix running? On the host machine? Maybe docker cannot connect to it? But when it can, it’s a good bet that no one will accept mail from your server.
This is a docker/postfix problem, not a Discourse problem.
Postfix is running on the local machine and it said connection established, you can see that in the logs I posted. I can even run sudo /var/discourse/launch enter and run telnet mail.bluelightos.org 587. The only issue is with discourse disconnecting immediately from the postfix server. You can see that it did that at this point in the logs:
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: connect from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: lost connection after EHLO from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: disconnect from unknown[172.17.0.2] ehlo=1 auth=0/1 commands=1/2
There’s no way this can be a postfix/docker issue since I can connect to it from any mail client and the logs are saying that discourse is disconnecting.
pfaffman
January 31, 2019, 3:04am
6
When you connect from inside the container are you able to get a response from an ELHO?
Yes, I get an ELHO response when telnetting to the postfix server.
I’d guess that Discourse connected and did not attempt authentication as it got told it needed to engage TLS before attempting to login.
Run the following (you’ll need wireshark installed) on your mail server as root to watch traffic while you attempt to send mail from Discourse:
tshark -T text -f 'port 587' -Y smtp
(You may need to add -i docker0)
I suspect you’ll get something like:
$ tshark -f 'port 587' -Y smtp
Capturing on 'eth0'
4 0.100406403 192.0.2.42 → 198.51.100.96 SMTP 120 S: 220 kronos.titans.net ESMTP Postfix (Debian/GNU)
6 8.328068861 198.51.100.96 → 192.0.2.42 SMTP 82 C: EHLO discourse
8 8.328194320 192.0.2.42 → 198.51.100.96 SMTP 224 S: 250-kronos.titans.net | 250-PIPELINING | 250-SIZE 10240000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250-DSN | 250 SMTPUTF8
10 11.465908653 198.51.100.96 → 192.0.2.42 SMTP 78 C: AUTH LOGIN
11 11.465995385 192.0.2.42 → 198.51.100.96 SMTP 113 S: 530 5.7.0 Must issue a STARTTLS command first
13 16.687879714 198.51.100.96 → 192.0.2.42 SMTP 72 C: QUIT
14 16.688129320 192.0.2.42 → 198.51.100.96 SMTP 81 S: 221 2.0.0 Bye
AUTH PLAIN line - it’s your login and password in the clear
If so, you’ll need to tell Discourse to use STARTTLS. Look for DISCOURSE_SMTP_ENABLE_START_TLS in your app.yml.
3 Likes
I used a self signed certificate for the mail server as I was told to do in the guide I used for setting up the mail server. And here’s the tshark results:
Capturing on 'docker0'
4 0.001618750 91.229.143.141 → 172.17.0.2 SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
6 0.001750268 172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
8 0.001864150 91.229.143.141 → 172.17.0.2 SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
9 0.002067775 172.17.0.2 → 91.229.143.141 SMTP 123 C: AUTH PLAIN <<PASSWORD>>
10 0.002168331 91.229.143.141 → 172.17.0.2 SMTP 113 S: 530 5.7.0 Must issue a STARTTLS command first
I set DISCOURSE_SMTP_ENABLE_START_TLS to true and seeing the output from wireshark looks like this but I don’t receive an email and it’s not in spam:
Capturing on 'docker0'
4 0.036247949 91.229.143.141 → 172.17.0.2 SMTP 106 S: 220 mail.bluelightos.org ESMTP
Postfix
6 0.036453887 172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
8 0.036583776 91.229.143.141 → 172.17.0.2 SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
9 0.036780140 172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
10 0.036851503 91.229.143.141 → 172.17.0.2 SMTP 96 S: 220 2.0.0 Ready to start TLS
23 40.133784884 91.229.143.141 → 172.17.0.2 SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
25 40.133912738 172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
27 40.134027434 91.229.143.141 → 172.17.0.2 SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
28 40.134171580 172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
29 40.134387803 91.229.143.141 → 172.17.0.2 SMTP 96 S: 220 2.0.0 Ready to start TLS
42 99.052843889 91.229.143.141 → 172.17.0.2 SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
44 99.052931267 172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
46 99.052994461 91.229.143.141 → 172.17.0.2 SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
47 99.053099039 172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
48 99.053141027 91.229.143.141 → 172.17.0.2 SMTP 96 S: 220 2.0.0 Ready to start TLS
61 170.512192474 91.229.143.141 → 172.17.0.2 SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
63 170.512332886 172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
65 170.512412816 91.229.143.141 → 172.17.0.2 SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
66 170.512503835 172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
67 170.512554493 91.229.143.141 → 172.17.0.2 SMTP 96 S: 220 2.0.0 Ready to start TLS
supermathie
January 31, 2019, 5:20am
11
Are there logs from Discourse? I’m guessing that it’s rejecting the self-signed certificate.
If you set DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none, does it work?
I would recommend getting a free certificate from Let’s Encrypt for your mail server.
3 Likes
I’ve never setup Let’s Encrypt but I know a guy who can help me with that so I’ll get the Let’s Encrypt setup tomorrow. Setting DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none doesn’t work. If there’s logs for Discourse then I don’t know where they are.
Switched to use a Let’s Encrypt certificate and still doesn’t work. discourse-doctor says the login worked but fails to still send the email.
pfaffman
February 2, 2019, 2:35am
14
Check the logs on the mail server. My guess is that it’s not sending because the host name isn’t what it accepts.
1 Like
The only error I’m getting is for dovecot and is Couldn't parse private ssl_key.
supermathie
February 2, 2019, 4:35am
16
… that would be a great place to start. If the SSL negotiation doesn’t complete, it can’t auth, so it can’t send.
3 Likes
I tried using Yandex.Mail and I’m getting the same results: connects but fails to send email. So it seems like there’s a specific option I’m not enabling correctly even though I’m using the standard configs in the email section but with different email, password, and SMTP domain. I’m going to try rebuilding again to see if that’ll help.
I found out that STARTTLS shouldn’t be used:
======================================== ERROR ========================================
UNEXPECTED ERROR
530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: http://help.yandex.ru/mail/mail-clients/ssl.xml
What’s the option for SSL/TLS?
Do NOT post the contents of the