Postfix mailing fails


(Spaceboy Ross01) #1

I’ve been spending the last two days trying to get discourse to work. And I’m stuck now. The system log shows:

Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: connect from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: lost connection after EHLO from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: disconnect from unknown[172.17.0.2] ehlo=1 auth=0/1 commands=1/2
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<receipts@ellenroed.no>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS, session=<mXvcb7OAwqVt7ovc>
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<pink@ellenroed.no>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS: Disconnected, session=<hFncb7OA5KVt7ovc>
Jan 30 22:17:47 SpaceboyRoss01 dovecot: imap-login: Aborted login (auth failed, 3 attempts in 20 secs): user=<ellen@halvekongeriket.org>, method=PLAIN, rip=109.238.139.220, lip=91.229.143.141, TLS: Disconnected, session=<Plncb7OAHp1t7ovc>

/etc/postfix/main.cf:

myhostname = mail.bluelightos.org
myorigin = /etc/mailname
mydestination = mail.bluelightos.org, bluelightos.org, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_security_level=may
smtpd_tls_protocols = !SSLv2, !SSLv3
local_recipient_maps = proxy:unix:passwd.byname $alias_maps
home_mailbox = Maildir/
message_size_limit = 20480000
smtpd_recipient_restrictions = permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymou

(Jeff Atwood) #2

Looks like a networking problem to me?


(Spaceboy Ross01) #3

Running discourse-doctor said login worked but sending email failed.


(Jay Pfaffman) #4

Where is postfix running? On the host machine? Maybe docker cannot connect to it? But when it can, it’s a good bet that no one will accept mail from your server.

This is a docker/postfix problem, not a Discourse problem.


(Spaceboy Ross01) #5

Postfix is running on the local machine and it said connection established, you can see that in the logs I posted. I can even run sudo /var/discourse/launch enter and run telnet mail.bluelightos.org 587. The only issue is with discourse disconnecting immediately from the postfix server. You can see that it did that at this point in the logs:

Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: connect from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: lost connection after EHLO from unknown[172.17.0.2]
Jan 30 22:17:30 SpaceboyRoss01 postfix/submission/smtpd[31050]: disconnect from unknown[172.17.0.2] ehlo=1 auth=0/1 commands=1/2

There’s no way this can be a postfix/docker issue since I can connect to it from any mail client and the logs are saying that discourse is disconnecting.


(Jay Pfaffman) #6

When you connect from inside the container, are you able to get a response to an EHLO?


(Spaceboy Ross01) #7

Yes, I get an EHLO response when telnetting to the postfix server.


(Michael Brown) #8

I’d guess that Discourse connected and did not attempt authentication as it got told it needed to engage TLS before attempting to login.

Run the following (you’ll need wireshark installed) on your mail server as root to watch traffic while you attempt to send mail from Discourse:

tshark -T text -f 'port 587' -Y smtp

(You may need to add -i docker0)

I suspect you’ll get something like:

$ tshark -f 'port 587' -Y smtp
Capturing on 'eth0'
    4 0.100406403 192.0.2.42 → 198.51.100.96 SMTP 120 S: 220 kronos.titans.net ESMTP Postfix (Debian/GNU)
    6 8.328068861 198.51.100.96 → 192.0.2.42 SMTP 82 C: EHLO discourse
    8 8.328194320 192.0.2.42 → 198.51.100.96 SMTP 224 S: 250-kronos.titans.net | 250-PIPELINING | 250-SIZE 10240000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250-DSN | 250 SMTPUTF8
   10 11.465908653 198.51.100.96 → 192.0.2.42 SMTP 78 C: AUTH LOGIN
   11 11.465995385 192.0.2.42 → 198.51.100.96 SMTP 113 S: 530 5.7.0 Must issue a STARTTLS command first
   13 16.687879714 198.51.100.96 → 192.0.2.42 SMTP 72 C: QUIT
   14 16.688129320 192.0.2.42 → 198.51.100.96 SMTP 81 S: 221 2.0.0 Bye

:rotating_light: Do NOT post the contents of the AUTH PLAIN line - it’s your login and password in the clear :rotating_light:

If so, you’ll need to tell Discourse to use STARTTLS. Look for DISCOURSE_SMTP_ENABLE_START_TLS in your app.yml.


(Spaceboy Ross01) #9

I used a self-signed certificate for the mail server as I was told to do in the guide I used for setting up the mail server. And here are the tshark results:

Capturing on 'docker0'
    4 0.001618750 91.229.143.141 → 172.17.0.2   SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
    6 0.001750268   172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
    8 0.001864150 91.229.143.141 → 172.17.0.2   SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
    9 0.002067775   172.17.0.2 → 91.229.143.141 SMTP 123 C: AUTH PLAIN <<PASSWORD>>
   10 0.002168331 91.229.143.141 → 172.17.0.2   SMTP 113 S: 530 5.7.0 Must issue a STARTTLS command first

(Spaceboy Ross01) #10

I set DISCOURSE_SMTP_ENABLE_START_TLS to true and the output from wireshark looks like this, but I don’t receive an email and it’s not in spam:

Capturing on 'docker0'
    4 0.036247949 91.229.143.141 → 172.17.0.2   SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
    6 0.036453887   172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
    8 0.036583776 91.229.143.141 → 172.17.0.2   SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
    9 0.036780140   172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
   10 0.036851503 91.229.143.141 → 172.17.0.2   SMTP 96 S: 220 2.0.0 Ready to start TLS
   23 40.133784884 91.229.143.141 → 172.17.0.2   SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
   25 40.133912738   172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
   27 40.134027434 91.229.143.141 → 172.17.0.2   SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
   28 40.134171580   172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
   29 40.134387803 91.229.143.141 → 172.17.0.2   SMTP 96 S: 220 2.0.0 Ready to start TLS
   42 99.052843889 91.229.143.141 → 172.17.0.2   SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
   44 99.052931267   172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
   46 99.052994461 91.229.143.141 → 172.17.0.2   SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
   47 99.053099039   172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
   48 99.053141027 91.229.143.141 → 172.17.0.2   SMTP 96 S: 220 2.0.0 Ready to start TLS
   61 170.512192474 91.229.143.141 → 172.17.0.2   SMTP 106 S: 220 mail.bluelightos.org ESMTP Postfix
   63 170.512332886   172.17.0.2 → 91.229.143.141 SMTP 94 C: EHLO localhost.localdomain
   65 170.512412816 91.229.143.141 → 172.17.0.2   SMTP 209 S: 250-mail.bluelightos.org | 250-PIPELINING | 250-SIZE 20480000 | 250-VRFY | 250-ETRN | 250-STARTTLS | 250-ENHANCEDSTATUSCODES | 250-8BITMIME | 250 DSN
   66 170.512503835   172.17.0.2 → 91.229.143.141 SMTP 76 C: STARTTLS
   67 170.512554493 91.229.143.141 → 172.17.0.2   SMTP 96 S: 220 2.0.0 Ready to start TLS
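
The two captures above show two different patterns: AUTH sent before any TLS upgrade (post #9), and sessions that stop being readable right after the server accepts STARTTLS (post #10). The following is an added example, not part of the thread or of Discourse, that classifies each session in `tshark -T text` output; the function name, the finding labels and the sample capture are constructed for illustration.

```python
import re

# One line of `tshark -T text` output: frame, time, src → dst, SMTP, length, "C:"/"S:" payload.
LINE = re.compile(r"^\s*\d+\s+[\d.]+\s+\S+\s+→\s+\S+\s+SMTP\s+\d+\s+([CS]): (.*)$")

# Constructed sample (documentation addresses, credentials redacted), not a real capture.
SAMPLE = """\
    4 0.001 192.0.2.10 → 198.51.100.7 SMTP 106 S: 220 mail.example.org ESMTP Postfix
    6 0.002 198.51.100.7 → 192.0.2.10 SMTP 94 C: EHLO localhost.localdomain
    8 0.003 192.0.2.10 → 198.51.100.7 SMTP 150 S: 250-mail.example.org | 250-STARTTLS | 250 DSN
    9 0.004 198.51.100.7 → 192.0.2.10 SMTP 123 C: AUTH PLAIN <redacted>
   10 0.005 192.0.2.10 → 198.51.100.7 SMTP 113 S: 530 5.7.0 Must issue a STARTTLS command first
   23 40.10 192.0.2.10 → 198.51.100.7 SMTP 106 S: 220 mail.example.org ESMTP Postfix
   25 40.11 198.51.100.7 → 192.0.2.10 SMTP 94 C: EHLO localhost.localdomain
   27 40.12 192.0.2.10 → 198.51.100.7 SMTP 150 S: 250-mail.example.org | 250-STARTTLS | 250 DSN
   28 40.13 198.51.100.7 → 192.0.2.10 SMTP 76 C: STARTTLS
   29 40.14 192.0.2.10 → 198.51.100.7 SMTP 96 S: 220 2.0.0 Ready to start TLS
"""

def audit_smtp_capture(capture):
    """Return [(session_number, finding)] for each SMTP session in the capture.

    'cleartext-auth': the client sent AUTH before any TLS upgrade.
    'tls-upgrade':    the server accepted STARTTLS; what follows is not visible
                      to the smtp filter, so check the server logs for the outcome.
    'no-auth-seen':   neither of the above appeared.
    """
    results, session, state, starttls_pending = [], 0, None, False
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        side, text = m.groups()
        if side == "S" and starttls_pending:
            starttls_pending = False            # this line answers STARTTLS
            if text.startswith("220") and state != "cleartext-auth":
                state = "tls-upgrade"
        elif side == "S" and text.startswith("220"):
            if session:                         # a greeting opens a new session
                results.append((session, state))
            session, state = session + 1, "no-auth-seen"
        elif side == "C" and text.upper().startswith("STARTTLS"):
            starttls_pending = True
        elif side == "C" and text.upper().startswith("AUTH") and state != "tls-upgrade":
            state = "cleartext-auth"            # credentials crossed the wire unencrypted
    if session:
        results.append((session, state))
    return results

if __name__ == "__main__":
    for number, finding in audit_smtp_capture(SAMPLE):
        print(f"session {number}: {finding}")
```

A `cleartext-auth` finding means the password in that session should be treated as exposed on that network path and rotated once STARTTLS is working.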

(Michael Brown) #11

Are there logs from Discourse? I’m guessing that it’s rejecting the self-signed certificate.

If you set DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none, does it work?

I would recommend getting a free certificate from Let’s Encrypt for your mail server.


(Spaceboy Ross01) #12

I’ve never set up Let’s Encrypt but I know a guy who can help me with that so I’ll get the Let’s Encrypt setup tomorrow. Setting DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none doesn’t work. If there are logs for Discourse then I don’t know where they are.


(Spaceboy Ross01) #13

Switched to use a Let’s Encrypt certificate and it still doesn’t work. discourse-doctor says the login worked but it still fails to send the email.


(Jay Pfaffman) #14

Check the logs on the mail server. My guess is that it’s not sending because the host name isn’t what it accepts.


(Spaceboy Ross01) #15

The only error I’m getting is for dovecot and is Couldn't parse private ssl_key.


(Michael Brown) #16

… that would be a great place to start. If the SSL negotiation doesn’t complete, it can’t auth, so it can’t send.


(Spaceboy Ross01) #17

I tried using Yandex.Mail and I’m getting the same results: connects but fails to send email. So it seems like there’s a specific option I’m not enabling correctly even though I’m using the standard configs in the email section but with different email, password, and SMTP domain. I’m going to try rebuilding again to see if that’ll help.


(Spaceboy Ross01) #18

I found out that STARTTLS shouldn’t be used:

======================================== ERROR ========================================
                                    UNEXPECTED ERROR

530 5.7.7 Email sending without SSL/TLS encryption is not allowed. Please see: http://help.yandex.ru/mail/mail-clients/ssl.xml

What’s the option for SSL/TLS?
EDIT: I replaced discourse with phpBB and the mailing works, so I believe that Discourse has an issue with mailing.