Comments (6)
Is there anything else I could inspect/debug here from Haraka's perspective?
If you're making those connections from your AWS instance, that's a good indication that it's working "right now." Other things to check would be looking in the logs for the connection attempts to those servers. Are there long gaps in the connection log timestamps? Is DNS lookup inordinately slow? Are they publishing IPv6 records and you have a stack with broken IPv6 causing long delays? Etc...
from haraka.
Your steps to reproduce aren't sufficient for anyone to help you. Help us and help yourself by doing some debugging:
- verify that you can resolve the DNS for these problematic domains on your AWS instances
- verify that you can connect to the remote MXs from your AWS instances (ex: openssl s_client -connect mx1.hostinger.in)
I'd wager $0.05 that this problem is due to DNS or connectivity (IPv6 or incompatible TLS versions).
@msimerson I did some additional debugging, thanks to your pointers.
$ dig MX parkview.co.in +short
0 mail.parkview.co.in.
$ dig MX madinfotech.com +short
10 madinfotech.com.
0 mail.madinfotech.com.
$ dig MX knowtrichy.com +short
0 mail.knowtrichy.com.
For these mail servers, I am unable to reach the remote MXs:
$ openssl s_client -connect mail.knowtrichy.com
140688271476032:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140688271476032:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
$ openssl s_client -connect mail.madinfotech.com
140234593715520:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140234593715520:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
$ openssl s_client -connect mail.parkview.co.in
140637943125312:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140637943125312:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111
Does this look like a case where the upstream mail servers have incompatible/unsupported TLS versions? Thanks for your help!
Sorry, that openssl client wasn't quite a complete example. Since mail servers use STARTTLS to upgrade the connection on port 25, you have to tell openssl that.
# openssl s_client -connect mail.knowtrichy.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = knowtrichy.com
verify return:1
---
Certificate chain
0 s:CN = knowtrichy.com
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = knowtrichy.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4908 bytes and written 480 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 71173BC86AEE22F5AA73773D4DFA261ED96ADDB8845B758A13261B827CDA3F1E
Session-ID-ctx:
Master-Key: 5C309C69475686BDE41D2DF15DC166F5C129949DEA80BF9F738D97669AFA5619BE1B778F33A8D8566D2280A886744C5D
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1686637756
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
250 HELP
EHLO mail.simerson.net
250-sh200.bigrock.com Hello mail.simerson.net [66.128.51.162]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh200.bigrock.com closing connection
closed
Ah, noted. The connection and login attempt seem to be fine, I guess, ruling out connectivity issues. Is there anything else I could inspect/debug here from Haraka's perspective?
250 HELP
EHLO reportsmailer.zerodha.net
250-sh200.bigrock.com Hello reportsmailer.zerodha.net [3.108.85.51]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh200.bigrock.com closing connection
closed
---
250 HELP
EHLO reportsmailer.zerodha.net
250-sh110.webhostingservices.com Hello reportsmailer.zerodha.net [3.108.85.51]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh110.webhostingservices.com closing connection
closed
I found some more logs and I think the root cause is "socket timeout waiting on connect", which is getting logged consistently in all such failure cases:
{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (6)\n","stream":"stdout","time":"2023-06-13T09:29:38.438100552Z"}
{"log":"[INFO] [-] [core] [outbound] [outbound::25:69.16.243.32:undefined:50] dispense() clients=1 available=0\n","stream":"stdout","time":"2023-06-13T09:29:38.438149503Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 2ECD6A7D-BFA0-4EA6-A9A4-6C428DF641B6 for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:29:38.661406381Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:29:43.661179771Z"}
{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (2)\n","stream":"stdout","time":"2023-06-13T09:30:48.534278434Z"}
{"log":"[INFO] [-] [core] [outbound] [outbound::25:69.16.243.32:undefined:50] dispense() clients=1 available=0\n","stream":"stdout","time":"2023-06-13T09:30:48.534315335Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 6B3548AC-78F0-44DC-A98D-9E082F87782B for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:30:48.755820112Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:30:53.75672182Z"}
When I tried to connect to the remote MX in this case, I noticed that there was a delay of 30-40 seconds from the AWS EC2 instance, but from another network (local machine) I was able to connect instantly.
$ openssl s_client -connect shadeindia.com:25 -starttls smtp
CONNECTED(00000003)
It's stuck on this for ~30s before I could see the 250 HELP command and proceed to send an EHLO.
Thanks a lot for your help, I guess I'll raise this with our AWS support team.
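As an added example (not Haraka's own code, and not posted by anyone in this thread), the script below correlates Haraka's JSON-wrapped outbound log lines to measure how long each connect attempt ran before "socket timeout waiting on connect" was logged, per destination MX; the sample lines are constructed from the ones quoted above. Setting that gap beside the ~30 s delay observed by hand from the EC2 instance shows why every retry fails the same way.

```javascript
// Added example, not Haraka code. Assumes the docker-style JSON log format
// quoted in the thread and one in-flight connect per destination (pool "clients=1").

// Constructed sample, copied in shape from the lines quoted above.
const SAMPLE_LOG = [
  '{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (6)\\n","stream":"stdout","time":"2023-06-13T09:29:38.438100552Z"}',
  '{"log":"[INFO] [-] [core] [outbound] acquired socket 2ECD6A7D-BFA0-4EA6-A9A4-6C428DF641B6 for outbound::25:69.16.243.32:undefined:50\\n","stream":"stdout","time":"2023-06-13T09:29:38.661406381Z"}',
  '{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\\n","stream":"stdout","time":"2023-06-13T09:29:43.661179771Z"}',
  '{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (2)\\n","stream":"stdout","time":"2023-06-13T09:30:48.534278434Z"}',
  '{"log":"[INFO] [-] [core] [outbound] acquired socket 6B3548AC-78F0-44DC-A98D-9E082F87782B for outbound::25:69.16.243.32:undefined:50\\n","stream":"stdout","time":"2023-06-13T09:30:48.755820112Z"}',
  '{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\\n","stream":"stdout","time":"2023-06-13T09:30:53.75672182Z"}',
].join('\n');

// Docker timestamps carry nanoseconds; Date.parse only guarantees millisecond
// fractions, so truncate the fraction before parsing.
function parseTime(iso) {
  const ms = Date.parse(iso.replace(/(\.\d{3})\d*Z$/, '$1Z'));
  if (Number.isNaN(ms)) throw new Error(`bad timestamp: ${iso}`);
  return ms;
}

const ACQUIRED = /acquired socket \S+ for outbound::(\d+):([\d.]+):/;
const FAILED = /Ongoing connection failed to ([\d.]+):(\d+) : (.+)$/;

// Returns { "ip:port": { failures, connectMs: [...], reasons: { reason: n } } }.
function analyzeOutboundLog(text) {
  const pending = new Map();   // dest -> ms at which a socket was handed out
  const perDest = new Map();
  for (const raw of text.split('\n')) {
    if (!raw.trim()) continue;
    const { log, time } = JSON.parse(raw);
    const msg = log.trimEnd();  // the log field keeps its trailing newline
    const ts = parseTime(time);
    let m;
    if ((m = ACQUIRED.exec(msg))) {
      pending.set(`${m[2]}:${m[1]}`, ts);
    } else if ((m = FAILED.exec(msg))) {
      const dest = `${m[1]}:${m[2]}`;
      const stat = perDest.get(dest) || { failures: 0, connectMs: [], reasons: {} };
      stat.failures += 1;
      stat.reasons[m[3]] = (stat.reasons[m[3]] || 0) + 1;
      if (pending.has(dest)) {  // gap = how long Haraka waited on this connect
        stat.connectMs.push(ts - pending.get(dest));
        pending.delete(dest);
      }
      perDest.set(dest, stat);
    }
  }
  return Object.fromEntries(perDest);
}

console.log(JSON.stringify(analyzeOutboundLog(SAMPLE_LOG), null, 2));
```

Feed it a real Haraka container log with the same line shapes and the connectMs list shows the connect budget each attempt was given; a destination that needs ~30 s to accept a TCP connection, as measured with openssl above, can never complete inside it.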