SMTP error: Must issue a STARTTLS command first

I am trying to configure Discourse 2.7.0.beta4 with the Mailersend SMTP service.

After running ./discourse-doctor I got the error below.

SMTP error: Must issue a STARTTLS command first

This is my current app.yml configuration regarding SMTP.

  DISCOURSE_SMTP_ADDRESS: 'smtp.mailersend.net'
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: username@subdomain.domain.org
  DISCOURSE_SMTP_PASSWORD: mypasswordhere
 #DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
 #DISCOURSE_SMTP_AUTHENTICATION: login
 #DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

I’ve already tried to uncomment and set DISCOURSE_SMTP_ENABLE_START_TLS explicitly as true, but the error remains. The same for DISCOURSE_SMTP_AUTHENTICATION: login.

After any change in the YML file I am restarting the system with this:

./launcher destroy app; ./launcher start app

Any tip about what is going on?

Thanks in advance!

I made some changes to discourse-setup recently and also a change to the rake task you’re using (that I think isn’t merged yet).

If you want to give me access to your server I’ll take a look.

2 Likes

As I mentioned via PM, I can’t give access to the server due to security concerns. But thanks very much to @pfaffman for your help and for trying to solve this issue.

Let me add more context to this issue: a previous admin installed Discourse with the Mailgun SMTP service, but it stopped working and I don’t have access to that account.

As I said, I am trying to configure it now with Mailersend. I have read this topic [1] and others about STARTTLS here in the forum, but I am not sure about how to implement the changes needed.

I tried this setting below as well, but the error remains:

DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none

If it is related to some recent update, maybe it is better to consider a downgrade then?

[1] Can't send email with certificate issue - #3 by supermathie

1 Like

Did you get this working?

No, I have decided to change to another mail service. Now it’s working fine with Mailjet.

1 Like

I’m experiencing a similar issue. Yesterday I debugged e-mail sending on a new Discourse instance for about three hours, without any success. I’m trying to send e-mail over Fastmail with STARTTLS on port 587. Other services are working with the same credentials.

I do not get the “Must issue a STARTTLS command first” error response with these settings:

DISCOURSE_SMTP_ADDRESS: 'smtp.fastmail.com'
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: 'myuser@fastmail.fm'
DISCOURSE_SMTP_PASSWORD: 'mypass'
DISCOURSE_SMTP_ENABLE_START_TLS: true

…followed by a ./launcher rebuild app. When I run ./discourse-doctor and send an e-mail, I get a 500 5.5.1 Invalid command error in response.

Today I started tracing the communication with tcpdump, and noticed that Discourse does not actually seem to use STARTTLS. Here’s what happens when I send a Grafana recovery email:

< 220 smtp.fastmail.com ESMTP ready
> EHLO 9b5ba1569f77
< 250-smtp.fastmail.com
< 250-PIPELINING
< 250-SIZE 71000000
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250 STARTTLS
> STARTTLS
< ...[encrypted]

But with Discourse, this happens:

< 220 smtp.fastmail.com ESMTP ready
> EHLO localhost
< 250-smtp.fastmail.com
< 250-PIPELINING
< 250-SIZE 71000000
< 250-ENHANCEDSTATUSCODES
< 250-8BITMIME
< 250 STARTTLS
> AUTH PLAIN [redacted]
< 500 5.5.1 Invalid command

So, it seems that Discourse is blasting my credentials through the internet in plain text, even though STARTTLS is enabled in the settings? Is this a bug?

I also noticed that when I run ./discourse-doctor, the “YML SETTINGS” summary at the top lists the following items:

==================== YML SETTINGS ====================
DISCOURSE_HOSTNAME=forum.[redacted]
SMTP_ADDRESS=smtp.fastmail.com
DEVELOPER_EMAILS=sysadmin@[redacted]
SMTP_PASSWORD=[redacted]
SMTP_PORT=587
SMTP_USER_NAME=[redacted]@fastmail.fm
LETSENCRYPT_ACCOUNT_EMAIL=

However, there is no mention of DISCOURSE_SMTP_ENABLE_START_TLS, even though it’s set in app.yml. Not sure if this issue is related.

2 Likes
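The check done by eye on the two tcpdump traces above can be automated. This is an added example, not code from the thread or from Discourse: the method name `audit_smtp`, the host names and the credentials are constructed, and the transcripts use the same `<` server / `>` client notation as the post.

```ruby
# Constructed transcripts in the thread's notation ("<" server, ">" client).
UPGRADED = <<~T
  < 220 smtp.example.test ESMTP ready
  > EHLO client.example.test
  < 250-smtp.example.test
  < 250 STARTTLS
  > STARTTLS
  < 220 2.0.0 Ready to start TLS
T

CLEARTEXT_AUTH = <<~T
  < 220 smtp.example.test ESMTP ready
  > EHLO localhost
  < 250-smtp.example.test
  < 250 STARTTLS
  > AUTH PLAIN #{["\0user@example.test\0not-a-real-password"].pack("m0")}
  < 500 5.5.1 Invalid command
T

# Returns one finding per AUTH or MAIL command the client sent while the
# session was still cleartext (i.e. before a STARTTLS the server accepted).
def audit_smtp(transcript)
  offered = false    # server advertised STARTTLS in its EHLO reply
  upgrading = false  # client sent STARTTLS, waiting for the server's answer
  findings = []
  transcript.each_line(chomp: true) do |line|
    dir, text = line.split(" ", 2)
    next if text.nil?
    if dir == "<"
      break if upgrading && text.start_with?("220") # TLS begins, rest is opaque
      upgrading = false
      offered = true if text.match?(/\A250[- ]STARTTLS\b/i)
    elsif dir == ">"
      verb = text[/\A\S+/].to_s.upcase
      upgrading = (verb == "STARTTLS")
      next unless %w[AUTH MAIL].include?(verb)
      finding = { verb: verb, starttls_offered: offered }
      # AUTH PLAIN is base64, not encryption: the username is recoverable.
      if (b64 = text[/\AAUTH PLAIN (\S+)/i, 1])
        finding[:user] = b64.unpack1("m").split("\0")[1]
      end
      findings << finding
    end
  end
  findings
end
```

A finding with `starttls_offered: true` is the case described in the post: the server advertised STARTTLS and the client authenticated without using it.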

Oh, this is weird. I created a user account manually (through rake admin:create) and then logged in, and suddenly e-mail notifications did work. However, sending through discourse-doctor still fails.

Maybe discourse-doctor is broken?

1 Like

Sorry. I know how frustrating that can be.

It’s possible. It does some stuff to try to debug what the issue is, so it may be that the logic it’s using is broken for your case…

There is also a rake task that likely would have been a better bet for you.

    rake emails:test[x@y.com]

Were you following Troubleshooting email on a new Discourse install?

2 Likes

I wasn’t aware of that command, that seems useful indeed! The result is the same though:

root@app:/var/www/discourse# rake emails:test redacted@example.com
Testing sending to  using smtp.fastmail.com:587, username:myuser@fastmail.fm with plain auth.
======================================== ERROR ========================================
                                    UNEXPECTED ERROR

500 5.5.1 Invalid command


====================================== SOLUTION =======================================
This is not a common error. No recommended solution exists!

Please report the exact error message above to https://meta.discourse.org/
(And a solution, if you find one!)
=======================================================================================

When I look at tcpdump, again I can see that it’s sending the AUTH PLAIN credentials in clear text without STARTTLS encryption.

I did look through that page, yes.

However, based on the tcpdump this looks like a bug in the diagnostics tools to me because STARTTLS is not being used even though the setting is enabled in app.yml. (The Discourse application itself does use STARTTLS. I assume that many email providers will allow non-encrypted email submission as well, so this issue will only arise if someone uses the diagnostics tools and uses a provider that does not accept unencrypted submission via SMTP.)

1 Like

Ah. It looks like that rake task is the same one that discourse-doctor calls. Sorry about that.

Maybe someone can take a look at how to make that rake task be more like the actual process, or at least not give up if its attempts to figure out what’s going on are hamfisted. A good first step would be to say “Well, XXX seems broken, but we’ll give it a try anyway…”

1 Like