Troubleshoot email on a new Discourse install

You just installed Discourse via the install guide, but email doesn’t seem to work. Unfortunately this means you can’t log in as an admin to finalize the install. :cry: Let’s troubleshootize!

Try the doctor :woman_health_worker:

If you run ./discourse-doctor it will check several ways that your mail configuration might be broken, and offer advice. Try that first.

Did you enter email settings correctly?

The simplest way is to run ./discourse-setup again. Did you enter everything correctly?

You can also double check the settings in your containers/app.yml file. A valid email section looks like this:

DISCOURSE_DEVELOPER_EMAILS: 'name@example.com'
DISCOURSE_SMTP_ADDRESS: smtp.mailgun.org
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: postmaster@discourse.example.com
DISCOURSE_SMTP_PASSWORD: aUd34cdWKCu6CTjfoH7ykk

Closely examine all values for correctness. Note that it all aligns, there are no leading # characters, and there are single quotes around the developer email field.

If you had any errors in your app.yml and made changes , you MUST rebuild the container for those changes to take effect!

cd /var/discourse/
./launcher rebuild app

Well, you don’t always need to rebuild

Doing a rebuild will often fix things that seem broken, but it takes a while. There are times when a full rebuild is not necessary; the above is usually the best advice, but If you change just SMTP settings, you can do just this to apply them without doing a full rebuild:

cd /var/discourse
./launcher destroy app
./launcher start app

Are your SMTP connections being blocked?

To confirm that your server can indeed contact the email server, issue this command:

telnet smtp.mailgun.org 587

If you can’t connect this way, you’re almost certainly blocked. (And if you do get connected, the escape character for SMTP is ctrl+], then use quit to exit telnet.)

If this happens, first try port 2525, and if that fails, contact your cloud provider support and confirm that your email connections are not being blocked.

What do the Discourse logs say?

From the command line, issue this command:

cd /var/discourse
tail shared/standalone/log/rails/production.log

This will show the last few lines of the log. Look for anything mail related. If you need to view the fuller logs, try

more shared/standalone/log/rails/production.log

To page through the complete log by pressing space. Look closely for any email related messages.

What do your email provider logs say?

Assuming there are no errors in the Discourse logs, or your Discourse mail configuration, the emails probably went out. The question, is what did your email provider do with them?

Most email providers have a log viewing function. Check the logs for your email domain and see what happened with the incoming emails.

Did you properly set up DKIM and SPF records for your domain?

You must enter those crucial DNS records for DKIM and SPF, otherwise your emails may arrive only sporadically, if at all.

Is the email domain correct?

The default email from address is based on the install domain plus subdomain, so if your URL is discourse.example.com it will be:

noreply@discourse.example.com

But if your mail provider is expecting:

noreply@example.com

… you may have problems! To get around this, edit and uncomment this line in app.yml

## If you want to set the 'From' email address for your first registration, uncomment and change:
#- exec: rails r "SiteSetting.notification_email='noreply@example.com'"
## After getting the first signup email, re-comment the line. It only needs to run once.

You’ll need to issue a rebuild after uncommenting the above line and setting the from email address as required.

You can also change this from the command line, if needed:

./launcher enter app
rails r "SiteSetting.notification_email = 'discourse@yoursite.com'"
exit

If using Mailgun – have you activated your domain and provided credit card info?

If you are using Mailgun, after you enter your DKIM and SPF records, you must visit https://mailgun.com/app/domains/YOUR.DISCOURSE.DOMAIN.com and click the “Check DNS Records Now” button. At the top of that page you should see “State ACTIVE” (in a calming green). If it says “State Unverified” (in a scary warning-yellow) Mailgun will not accept mail.

Mailgun now requires a credit card in order to deliver mail (other than to you). If your mailgun logs have a message about “free accounts,” this is your problem.

Other mail services have similar requirements.

Are you using an IP address as the mail domain?

This does not work in our experience. You must use a domain name when sending email, not an IP address like 192.168.1.1.

If you really want to go on with an IP address, try mail settings similar to these:

DISCOURSE_SMTP_ADDRESS: 172.17.0.1         # e.g. use internal docker IP here
DISCOURSE_SMTP_PORT: 587
DISCOURSE_SMTP_USER_NAME: "YOUR-SMTP-USER-NAME"
DISCOURSE_SMTP_PASSWORD: "YOUR-SMTP-PASSWORD"
DISCOURSE_SMTP_ENABLE_START_TLS: true     # (optional, default true)
DISCOURSE_SMTP_OPENSSL_VERIFY_MODE: none
DISCOURSE_SMTP_DOMAIN: example.com

Need to log in without receiving a registration email?

We don’t recommend this, because your email is still broken, and you have a broken Discourse until email is working. But if you absolutely must log in as admin with email broken, here’s what to do:

cd /var/discourse
./launcher enter app
rake admin:create

And answer the prompts. It takes a few seconds before they appear. When it asks for the password, you will not be able to see what you type. That is why it makes you type it twice.

Email smtp port selection (Using 465?)

The ability to be able to AUTH using ‘telnet’ is extremely important in your first steps of email troubleshooting.

Port 465 (SMTP over SSL) is largely deprecated in favor of STARTTLS on 25. You may need to try alternate ports such as port 2525 or port 587 (Mail Submission) when things do not seem to work as expected.

Command Line SMTP tests for experienced sysadmins

If you’re comfortable with the command line, these might help diagnose network or certificate problems. If these do not seem “easy-to-follow” then you should please ignore this section.

See also Test SMTP Authentication and StartTLS.

Office 365 Tweaks

If you’re using Office 365, be sure to include these (the first line is what you are likely missing):

DISCOURSE_SMTP_AUTHENTICATION: login
DISCOURSE_SMTP_ENABLE_START_TLS: true
DISCOURSE_SMTP_PORT: 587

and set the correct notification_email (which is likely different from your forum hostname).

Email still doesn’t work! What next?

Anything else I forgot here? Feel free to edit this.


Debug issues with first connection to smtp server from inside the Discourse container

1. Enter your container:

./launcher enter app

2. Check dns resolving for your smtp server name via getent hosts:

(dig, nslookup, ping etc. are not installed inside the container.)

getent hosts your.smtp.server

Result on success:

# IPv4
123.123.123.123 your.smtp.server

# IPv6
2001:db8:0:0:0:ff00:42:8329 your.smtp.server

3. Try to open a connection to your smtp server via openssl:

(telnet, nc etc. are not installed inside the container.)

Fiddle with some different settings until you succeed with a connection.

openssl s_client -connect your.smtp.server:465
openssl s_client -connect your.smtp.server:587 -starttls smtp

# IPv4
openssl s_client -connect 172.17.0.123:465
openssl s_client -connect 172.17.0.123:587 -starttls smtp

# IPv6
openssl s_client -6 -connect "[2001:db8:0:0:0:ff00:42:8329]:465"
openssl s_client -6 -connect "[2001:db8:0:0:0:ff00:42:8329]:587" -starttls smtp

See: How to check SMTP connection → Step 3: Checking SMTP Connection Over TLS Using Openssl

4. Use your found working connection settings with Discourse.

:rocket:

Bonus: show Discourse IP from inside docker container

( ifconfig , ip etc. are not installed inside the container.)

hostname -I

Result like:

172.17.0.2
55 Likes

Is this up to date information? It did not work for me; I had to rebuild the app after changing the SMTP port.

2 Likes

If discourse-doctor tells the connection to port 587 failed, but the openssl s_client -connect your.smtp.server:587 -starttls smtp works fine, try this, both commands should takes the same amount of time:

time openssl s_client -starttls smtp -connect your.smtp.server:587 </dev/null > /dev/null

docker run --rm discourse/base:2.0.20231023-1945 bash -c 'time openssl s_client -starttls smtp -connect your.smtp.server:587 </dev/null' > /dev/null

If docker version is far longer, you may have a wrong configuration in your /etc/docker/daemon.json file. You may try to put google nameserver in first place :

{
  "dns": ["8.8.8.8", "ww.xx.yy.zz", "ww.xx.yy.za"]
}

port 2525 works for mailjet.
587 failed.

1 Like

I edited the OP to suggest using port 2525. It’s your hosting service that blocks the port. Because of that, many mail services also support 2525.

1 Like

hey, just wanted to add a note about this;

Mailgun now requires a credit card in order to deliver mail (other than to you). If your mailgun logs have a message about “free accounts,” this is your problem.

I signed up this week (July 2024) and so far, its working without having to add a credit card, using the base free tier. Based on what I have seen in old forum threads, it seems like they have been flip-flopping on this policy, and their free tiers usage and limitations, perhaps

1 Like

Wow. That’s crazy and very different from how things have been for as long as I can remember.

It’s been very hard for people to figure out how to get changed to the pay-as-you-go plan and not sign up for some fairly expensive monthly plan.

Have you sent to users other than yourself?

1 Like

Yes, I have sent to users, and its working. Only hitch, is that for some reason AOL email addresses are blocking my emails, but I dont think that is MailGun’s fault. I am just as surprised as you :slight_smile:

update: seems that the reason some emails are getting blocked, is because the IP used to send the free emails from MailGun is shared, so it has been reported as “Spam” by some email platforms such as AOL, Yahoo Mail, and others. Seems like everyone who is not using Gmail is seeing bounced or rejected email delivery.

1 Like

Can you please explain how to check the settings in our containers/app.yml file? Us noobs don’t know how to do these things without explicit instruction. lol

If you don’t know how to use a tool like nano, then run discourse-setup again. After it’s saved the changes, you can control-c and then

./launcher destroy app;./launcher start app
1 Like

ok, but how do I check the settings in my containers/app.yml file so I can look at the email section and verify the data is correct?

If you don’t like my answer you can Google “nano”.

Arguably the OP should say something about nano, though, as I said, if you don’t know what it is then just running discourse-setup again is what to do, as it reads the values in the file and you can’t screw up the formatting

Oh I see what you mean now. When you run the destroy then start commands, it displays the data I need once it’s complete. My apologies! :slight_smile:

1 Like

I ran the doctor and got an error that says SMTPAuthenticationError. The doctor then says this is not a common error and they have no suggestions on how to fix it. If this happens, make sure to double check your SMTP username and password, as the Discourse setup process doesn’t tell you if it’s wrong, it just doesn’t work (doesn’t send emails) and leaves you stumped. Some things I did that helped was SSH into my server using Ubuntu instead of LISH (because I am using Linode) because LISH is terribly buggy and doesn’t support copy/paste. I then redid the setup process and copy/pasted everything this time instead of typing out 100 character passwords, lol. Anyways, I hope this helps some of my fellow noobs out there!

Your username or password is bad.

Not sure why I didn’t manage to fix that, but the error is pretty self explanatory.

It could be that you copy/pasted it wrong. It could be that it has characters that need to be escaped.

I use Brevo as my notification email sender, yet every single notification sent was rejected due to an error occurrence. I found a message in Brevo stating that “Sending has been rejected because the sender you used is not valid. Validate your sender or authenticate your domain”. Because of this, my forum cannot function at all. I’m wondering how to troubleshoot this - what kind of sender do I need? Thanks a lot!!!

For sender address can be set to mail subdomain you are using to send mail, such as mail@domain_address.

To authenticate subdomain + sender there are a few steps for that they have a guide here:

Hi Discourse people!

I have fought for several days with setting the emails parameters with port 465, and the solution is not here nor in any post I read on the forum (and I have really dug).

Of course it is a matter of what your mail server accepts. In my case, only 465 over TLS.

The two required config lines to add in app.yml are:

DISCOURSE_SMTP_FORCE_TLS: true
DISCOURSE_SMTP_ENABLE_START_TLS: false
Some details

Default settings resulted in a Net::ReadTimeout error when trying a test email with discourse-doctor. Sending test emails from within the container work fine with e.g. curl, exactly as in this post which led me to half of the solution: Cannot send email - problem with port 465 - #10 by schungx

I could only find out about the second setting after looking at app.yml content and modifying this parameter. I have the feeling that most programs (eg. Thunderbird) implicitly set the correct protocol when selecting port 465, so maybe Discourse should? This seems to be really standard, also as highlighted here:

(link to full post)

So I would really vouch for updating the section of this guide about port 465 or make discourse-setup automatically choose the best setting.

1 Like

Normally i dont comment on stuff, but that was actually helpfull!
Thanks man, the maintainer of the discourse absolutly should include this setting in the default config, i mean it was tedious to setup theirs software, still i have nothing to crictise accept that in such big project some information is not fast available and somebody should “deep into”.
OK works for me!