
Comments (6)

msimerson commented on May 28, 2024

Is there anything else I could inspect/debug here from Haraka's perspective?

If you're making those connections from your AWS instance, that's a good indication that it's working "right now." Other things to check would be looking in the logs for the connection attempts to those servers. Are there long gaps in the connection log timestamps? Is DNS lookup inordinately slow? Are they publishing IPv6 records and you have a stack with broken IPv6 causing long delays? Etc...

from haraka.

msimerson commented on May 28, 2024

Your steps to reproduce aren't sufficient for anyone to help you. Help us and help yourself by doing some debugging:

  • verify that you can resolve the DNS for these problematic domains on your AWS instances
  • verify that you can connect to the remote MXs from your AWS instances (ex: openssl s_client -connect mx1.hostinger.in)

I'd wager $0.05 that this problem is due to DNS or connectivity (IPv6 or incompatible TLS versions).


mr-karan commented on May 28, 2024

@msimerson I did some additional debugging, thanks to your pointers.

$ dig MX parkview.co.in +short
0 mail.parkview.co.in.

$ dig MX madinfotech.com +short
10 madinfotech.com.
0 mail.madinfotech.com.

$ dig MX knowtrichy.com +short
0 mail.knowtrichy.com.

For these mail servers, I am unable to reach the remote MXs:

$ openssl s_client -connect mail.knowtrichy.com 
140688271476032:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140688271476032:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

$ openssl s_client -connect mail.madinfotech.com 
140234593715520:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140234593715520:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

$ openssl s_client -connect mail.parkview.co.in 
140637943125312:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140637943125312:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Does this look like a case where the upstream mail servers have incompatible/non-supported TLS versions? Thanks for your help!


msimerson commented on May 28, 2024

Sorry, that openssl client wasn't quite a complete example. Since mail servers use STARTTLS to upgrade the connection on port 25, you have to tell openssl that.

# openssl s_client -connect mail.knowtrichy.com:25 -starttls smtp
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = knowtrichy.com
verify return:1
---
Certificate chain
 0 s:CN = knowtrichy.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = knowtrichy.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4908 bytes and written 480 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 71173BC86AEE22F5AA73773D4DFA261ED96ADDB8845B758A13261B827CDA3F1E
    Session-ID-ctx: 
    Master-Key: 5C309C69475686BDE41D2DF15DC166F5C129949DEA80BF9F738D97669AFA5619BE1B778F33A8D8566D2280A886744C5D
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1686637756
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 HELP
EHLO mail.simerson.net
250-sh200.bigrock.com Hello mail.simerson.net [66.128.51.162]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh200.bigrock.com closing connection
closed


mr-karan commented on May 28, 2024

Ah, noted. The connection and login attempt seem to be fine, I guess, ruling out the connectivity issues. Is there anything else I could inspect/debug here from Haraka's perspective?

250 HELP
EHLO reportsmailer.zerodha.net
250-sh200.bigrock.com Hello reportsmailer.zerodha.net [3.108.85.51]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh200.bigrock.com closing connection
closed
---
250 HELP
EHLO reportsmailer.zerodha.net
250-sh110.webhostingservices.com Hello reportsmailer.zerodha.net [3.108.85.51]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250 HELP
quit
221 sh110.webhostingservices.com closing connection
closed


mr-karan commented on May 28, 2024

I found some more logs and I think the root cause is "socket timeout waiting on connect", which is getting logged consistently in all such failure cases:

{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (6)\n","stream":"stdout","time":"2023-06-13T09:29:38.438100552Z"}
{"log":"[INFO] [-] [core] [outbound] [outbound::25:69.16.243.32:undefined:50] dispense() clients=1 available=0\n","stream":"stdout","time":"2023-06-13T09:29:38.438149503Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 2ECD6A7D-BFA0-4EA6-A9A4-6C428DF641B6 for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:29:38.661406381Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:29:43.661179771Z"}
{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (2)\n","stream":"stdout","time":"2023-06-13T09:30:48.534278434Z"}
{"log":"[INFO] [-] [core] [outbound] [outbound::25:69.16.243.32:undefined:50] dispense() clients=1 available=0\n","stream":"stdout","time":"2023-06-13T09:30:48.534315335Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 6B3548AC-78F0-44DC-A98D-9E082F87782B for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:30:48.755820112Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:30:53.75672182Z"}

When I tried to connect to the remote MX in this case, I could notice that there is a delay of 30-40 seconds from the AWS EC2 instance, but from another network (local machine) I was able to connect instantly.

$ openssl s_client -connect shadeindia.com:25 -starttls smtp
CONNECTED(00000003)

It's stuck on this for ~30s before I could see 250 HELP command and proceed to send an EHLO.

Thanks a lot for your help, I guess I'll raise this with our AWS support team.
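
The timestamp check suggested earlier in the thread ("Are there long gaps in the connection log timestamps?"), applied to the Docker JSON log lines quoted above. This is an added example, not part of the original thread and not Haraka's own code; the function names and the IPv4-only matching are assumptions of the example.

```javascript
// Added example: how long did each outbound attempt wait before it failed?
// SAMPLE_LOG reuses six of the Docker JSON lines quoted above (dispense() lines omitted).
const SAMPLE_LOG = String.raw`
{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (6)\n","stream":"stdout","time":"2023-06-13T09:29:38.438100552Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 2ECD6A7D-BFA0-4EA6-A9A4-6C428DF641B6 for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:29:38.661406381Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:29:43.661179771Z"}
{"log":"[INFO] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Attempting to deliver to: 69.16.243.32:25 (0) (2)\n","stream":"stdout","time":"2023-06-13T09:30:48.534278434Z"}
{"log":"[INFO] [-] [core] [outbound] acquired socket 6B3548AC-78F0-44DC-A98D-9E082F87782B for outbound::25:69.16.243.32:undefined:50\n","stream":"stdout","time":"2023-06-13T09:30:48.755820112Z"}
{"log":"[ERROR] [246AEE98-F8C2-4F27-A465-B4B2ABEC421F.53.1] [outbound] Ongoing connection failed to 69.16.243.32:25 : socket timeout waiting on connect\n","stream":"stdout","time":"2023-06-13T09:30:53.75672182Z"}
`;

// Docker timestamps carry nanoseconds; keep milliseconds so Date.parse is exact.
const toMs = (t) => Date.parse(t.replace(/(\.\d{3})\d*Z$/, '$1Z'));

// Pair each "acquired socket" line with the next failure for the same IPv4 address.
function connectWaits(text) {
  const acquiredAt = new Map(); // destination IP -> ms timestamp of socket acquisition
  const failures = [];
  for (const line of text.split('\n')) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; } // skip blank/non-JSON lines
    const msg = entry.log || '';
    const t = toMs(entry.time || '');
    let m;
    if ((m = msg.match(/acquired socket \S+ for outbound::\d+:([^:]+):/))) {
      acquiredAt.set(m[1], t);
    } else if ((m = msg.match(/connection failed to ([^:]+):(\d+) : (.+?)\s*$/))) {
      const [, ip, port, reason] = m;
      const start = acquiredAt.get(ip);
      const waitMs = start === undefined ? null : t - start;
      failures.push({ ip, port: Number(port), reason, at: entry.time, waitMs });
      acquiredAt.delete(ip);
    }
  }
  return failures;
}

// Group failures by destination and reason to show how consistent the wait is.
function summarize(failures) {
  const out = {};
  for (const f of failures) {
    const key = `${f.ip}:${f.port} ${f.reason}`;
    const s = out[key] || (out[key] = { count: 0, minMs: Infinity, maxMs: 0 });
    s.count += 1;
    if (f.waitMs !== null) { s.minMs = Math.min(s.minMs, f.waitMs); s.maxMs = Math.max(s.maxMs, f.waitMs); }
  }
  return out;
}

console.log(summarize(connectWaits(SAMPLE_LOG)));
```

On the quoted lines, both attempts fail about 5 seconds after the socket is acquired.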

