Closed erjoalgo closed 11 months ago
I appreciate how detailed the how-to guide to set up chasquid as an SMTP server from scratch is. However, I haven't been able to get the setup to work. My smtp-check passes successfully with chasquid running on the target server:
Thanks for reporting this! I think there could be a few things going on, so I'll reply part by part.
Yet I've tried with a variety of email clients, including a nodejs smtp client, but get errors like the following:
When sending without encryption to port 25:
Error: SMTP server does not support the LOGIN authentication mechanism at exports.SMTPClient.authLogin (.../node_modules/smtp-client/src/index.js:375:13) at send (.../smtp.js:51:11) at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
This is because chasquid does not allow clients to authenticate on a non-encrypted connection. It doesn't even advertise it until an encrypted connection is established, and that's why your client complains.
This is working as intended.
When submitting with security enabled to port 25:
[Error: 40B8AC55587F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:354: ] { library: 'SSL routines', reason: 'wrong version number', code: 'ERR_SSL_WRONG_VERSION_NUMBER' }
This seems like your client tried to negotiate TLS directly on port 25, which is not going to work. On ports 25 (smtp) and 587 (submission), the TLS negotiation is done after establishing a plaintext connection, using a mechanism called STARTTLS.
If you want to do a TLS connection from the beginning (which is a great idea), use port 465 ("submission over tls", also called "submissions" (note the final "s")).
When setting port 25 as the submission address instead of as the smtp server, I get a similar error:
This is not going to work well. Unfortunately the different ports have slightly different semantics.
I noticed what appears to be a warning, No submission+TLS addresses/listeners, No SMTP addresses/listeners, not sure if this is relevant since the process is indeed listening on the port specified in the chasquid.conf file.
chasquid expects 3 different listening ports configured in chasquid.conf: smtp_address, submission_address, and submission_over_tls_address.
You should set all 3. Unless you're doing something unusual, using the examples I linked to should work just fine.
- What am I missing to be able to actually use chasquid as my SMTP server?
Based on the above, I think you have two problems:
1) chasquid listening ports are misconfigured, fix that first, which should be a simple edit to the chasquid.conf file and make sure it has:
smtp_address: ":25"
submission_address: ":587"
submission_over_tls_address: ":465"
2) You need to tell the client that you're using to connect with "security enabled" on port 465, or use a client that can do STARTTLS negotiation on ports 25 or 587.
Let me know how it goes if you try these changes!
- Do you have any recommended client programs and steps to test the chasquid server email delivery? Would you consider enhancing the how-to guide to include this last but very important setup step?
This is a good suggestion, I think at least a generic note on how to configure clients can be useful to prevent confusion. I'll add something like that for sure.
chasquid should work with any reasonable client, and there's a lot of variation in what people use, but I can see if I find good generic links that I can include for people who want more detailed guides about setting up clients.
Thanks!
Thanks to your pointers I was able to get a little further, my SMTP client was able to talk to the submission_over_tls_address.
(As an aside, I also had some issues with misconfigured DNS records -- my mail.example.com was a CNAME pointing to example.com, so I was getting errors like:
Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: example.com.com. is not in the cert's altnames: DNS:mail.example.com.com
)
Now I am running into another error, Relay not allowed:
. sts.go:480 STSCache.Refresh /var/lib/chasquid/sts-cache: 1 entries
. sts.go:488 STSCache.Refresh /var/lib/chasquid/sts-cache: gmail.com: refreshing
_ server.go:207 Server listening on :25 (SMTP)
_ server.go:207 Server listening on :465 (submission+TLS)
. sts.go:498 STSCache.Refresh /var/lib/chasquid/sts-cache: gmail.com: fetched
. sts.go:504 STSCache.Refresh /var/lib/chasquid/sts-cache: gmail.com: stored
. sts.go:508 STSCache.Refresh /var/lib/chasquid/sts-cache: refresh done
. conn.go:164 SMTP.Conn 172.56.72.246:45446: Connected, mode: submission+TLS
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> EHLO mail.example.om
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 250 ssdnodes-81100 - Your hour of destiny has come.\n8BITMIME\nPIPELINING\nSMTPUTF8\nENHANCEDSTATUSCODES\nSIZE 52428800\nAUTH PLAIN\nHELP\n
. conn.go:200 SMTP.Conn 172.56.72.246:45446: -> AUTH <redacted>
. maillog.go:80 Authentication Incoming SMTP: 172.56.72.246:45446 auth succeeded for ealfonso@mail.example.om\n
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 235 2.7.0 Authentication successful
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> MAIL FROM:<ealfonso@example.om>
. conn.go:459 SMTP.Conn 172.56.72.246:45446: SPF did not pass, skipping security level check
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 250 2.1.5 You feel like you are being watched
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> RCPT TO:<erjoalgo@gmail.com>
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 250 2.1.5 You have an eerie feeling...
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> DATA
. conn.go:565 SMTP.Conn 172.56.72.246:45446: <- 354 You experience a strange sense of peace
. conn.go:582 SMTP.Conn 172.56.72.246:45446: -> ... 124 bytes of data
. conn.go:740 Hook.Post-DATA 172.56.72.246:45446: running
_ conn.go:792 Hook.Post-DATA 172.56.72.246:45446: error: error parsing post-data output: '/usr/bin/dkimsign\n'
_ conn.go:608 SMTP.Conn 172.56.72.246:45446: Queued from ealfonso@example.om to [erjoalgo@gmail.com] - ufa0rFWa52M
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 250 2.0.0 An invisible choir sings, and you are bathed in radiance...
_ queue.go:304 Queue.SendLoop ufa0rFWa52M: from ealfonso@example.om
. queue.go:347 Queue.SendLoop ufa0rFWa52M: erjoalgo@gmail.com sending
. smtp.go:64 Courier.SMTP erjoalgo@gmail.com: erjoalgo+fwd_from=ealfonso=example.om@gmail.com -> erjoalgo@gmail.com
. smtp.go:294 Courier.SMTP erjoalgo@gmail.com: MXs: [gmail-smtp-in.l.google.com. alt1.gmail-smtp-in.l.google.com. alt2.gmail-smtp-in.l.google.com. alt3.gmail-smtp-in.l.google.com. alt4.gmail-smtp-in.l.google.com.]
. sts.go:430 STSCache.Fetch gmail.com: cache hit: &{STSv1 enforce [gmail-smtp-in.l.google.com *.gmail-smtp-in.l.google.com] 24h0m0s}
. smtp.go:242 Courier.SMTP erjoalgo@gmail.com: got STS policy
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> QUIT
. smtp.go:177 Courier.SMTP erjoalgo@gmail.com: Secure - using TLS
. domaininfo.go:135 DomainInfo /var/lib/chasquid/domaininfo: gmail.com outgoing allowed: TLS_SECURE == TLS_SECURE
. smtp.go:202 Courier.SMTP erjoalgo@gmail.com: STS policy: connection is using valid TLS
_ smtp.go:220 Courier.SMTP erjoalgo@gmail.com: error: DATA closing 550 5.7.1 [1.2.3.4] Messages missing a valid messageId header are not\n5.7.1 accepted. bz25-20020a056a02061900b0055387ef9633si5886387pgb.804 - gsmtp
_ queue.go:355 Queue.SendLoop ufa0rFWa52M: error: erjoalgo@gmail.com permanent error: DATA closing 550 5.7.1 [1.2.3.4] Messages missing a valid messageId header are not\n5.7.1 accepted. bz25-20020a056a02061900b0055387ef9633si5886387pgb.804 - gsmtp
. queue.go:434 Queue.SendLoop ufa0rFWa52M: sending DSN
_ queue.go:462 Queue.SendLoop ufa0rFWa52M: queued DSN: bEH-o2zZlxg
_ queue.go:338 Queue.SendLoop ufa0rFWa52M: all done
_ queue.go:304 Queue.SendLoop bEH-o2zZlxg: from <>
. queue.go:347 Queue.SendLoop bEH-o2zZlxg: ealfonso@example.om sending
. smtp.go:64 Courier.SMTP ealfonso@example.om: <> -> ealfonso@example.om
. smtp.go:294 Courier.SMTP ealfonso@example.om: MXs: [mail.example.om.]
. sts.go:437 STSCache.Fetch example.om: failed to fetch: lookup _mta-sts.example.om on 8.8.8.8:53: no such host
. conn.go:164 SMTP.Conn 1.2.3.4:49136: Connected, mode: SMTP
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> EHLO ssdnodes-81100
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 250 ssdnodes-81100 - Your hour of destiny has come.\n8BITMIME\nPIPELINING\nSMTPUTF8\nENHANCEDSTATUSCODES\nSIZE 52428800\nSTARTTLS\nHELP\n
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> STARTTLS
. conn.go:866 SMTP.Conn 1.2.3.4:49136: <- 220 You experience a strange sense of peace
. conn.go:874 SMTP.Conn 1.2.3.4:49136: <> ... jump to TLS was successful
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> EHLO ssdnodes-81100
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 250 mail.example.om - Your hour of destiny has come.\n8BITMIME\nPIPELINING\nSMTPUTF8\nENHANCEDSTATUSCODES\nSIZE 52428800\nAUTH PLAIN\nHELP\n
. smtp.go:177 Courier.SMTP ealfonso@example.om: Secure - using TLS
. domaininfo.go:135 DomainInfo /var/lib/chasquid/domaininfo: example.om outgoing allowed: TLS_SECURE == TLS_SECURE
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> MAIL FROM:<> BODY=8BITMIME
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 250 2.1.5 You feel like you are being watched
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> RCPT TO:<ealfonso@example.om>
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 503 5.7.1 Relay not allowed
_ conn.go:251 SMTP.Conn 1.2.3.4:49136: error: RCPT failed: 503 5.7.1 Relay not allowed
_ smtp.go:206 Courier.SMTP ealfonso@example.om: error: MAIL+RCPT 503 5.7.1 Relay not allowed
_ queue.go:355 Queue.SendLoop bEH-o2zZlxg: error: ealfonso@example.om permanent error: MAIL+RCPT 503 5.7.1 Relay not allowed
_ conn.go:270 SMTP.Conn 1.2.3.4:49136: error: exiting with error: EOF
_ queue.go:338 Queue.SendLoop bEH-o2zZlxg: all done
. domaininfo.go:72 DomainInfo /var/lib/chasquid/domaininfo: loaded 2 domains
I haven't gotten a chance to try to understand what is going on but I wanted to update this bug in case this is related to chasquid misconfiguration.
Thanks to your pointers I was able to get a little further, my SMTP client was able to talk to the submission_over_tls_address.
Great!
Now I am running into another error, Relay not allowed:
. conn.go:164 SMTP.Conn 172.56.72.246:45446: Connected, mode: submission+TLS
. conn.go:202 SMTP.Conn 172.56.72.246:45446: -> EHLO mail.example.om
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 250 ssdnodes-81100 - Your hour of destiny has come.\n8BITMIME\nPIPELINING\nSMTPUTF8\nENHANCEDSTATUSCODES\nSIZE 52428800\nAUTH PLAIN\nHELP\n
. conn.go:200 SMTP.Conn 172.56.72.246:45446: -> AUTH <redacted>
. maillog.go:80 Authentication Incoming SMTP: 172.56.72.246:45446 auth succeeded for ealfonso@mail.example.om\n
. conn.go:247 SMTP.Conn 172.56.72.246:45446: <- 235 2.7.0 Authentication successful
Here you authenticated successfully.
_ conn.go:608 SMTP.Conn 172.56.72.246:45446: Queued from ealfonso@example.om to [erjoalgo@gmail.com] - ufa0rFWa52M
And sent an email from ealfonso@example.om to erjoalgo@gmail.com. So far, all is well.
I'm assuming the "example.om" domain is you doing some substitution, but it is correct.
queue.go:304 Queue.SendLoop ufa0rFWa52M: from ealfonso@example.om
smtp.go:220 Courier.SMTP erjoalgo@gmail.com: error: DATA closing 550 5.7.1 [1.2.3.4] Messages missing a valid messageId header are not\n5.7.1 accepted. bz25-20020a056a02061900b0055387ef9633si5886387pgb.804 - gsmtp
_ queue.go:355 Queue.SendLoop ufa0rFWa52M: error: erjoalgo@gmail.com permanent error: DATA closing 550 5.7.1 [1.2.3.4] Messages missing a valid messageId header are not\n5.7.1 accepted. bz25-20020a056a02061900b0055387ef9633si5886387pgb.804 - gsmtp
Here, gmail's SMTP server is rejecting your email.
As you can see in the error, it complains that your message is invalid because it does not have a Message-ID header. This is unrelated to chasquid (which is just passing your email along to gmail), it is something you need to fix on your client.
queue.go:462 Queue.SendLoop ufa0rFWa52M: queued DSN: bEH-o2zZlxg
queue.go:304 Queue.SendLoop bEH-o2zZlxg: from <>
Because chasquid accepted your mail, but could not deliver it to gmail (due to gmail rejecting it as mentioned above), chasquid generates a "Bounce message" (also known as DSN, Delivery Status Notification), which is an email it sends to you to let you know about the failed delivery. This is standard, and all mail servers behave this way.
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> MAIL FROM:<> BODY=8BITMIME
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 250 2.1.5 You feel like you are being watched
. conn.go:202 SMTP.Conn 1.2.3.4:49136: -> RCPT TO:<ealfonso@example.om>
. conn.go:247 SMTP.Conn 1.2.3.4:49136: <- 503 5.7.1 Relay not allowed
conn.go:251 SMTP.Conn 1.2.3.4:49136: error: RCPT failed: 503 5.7.1 Relay not allowed
smtp.go:206 Courier.SMTP ealfonso@example.om: error: MAIL+RCPT 503 5.7.1 Relay not allowed
_ queue.go:355 Queue.SendLoop bEH-o2zZlxg: error: ealfonso@example.om permanent error: MAIL+RCPT 503 5.7.1 Relay not allowed
When chasquid attempts to deliver that bounce message, it is rejected because "Relay not allowed".
I suspect this is due to a misconfiguration, because you did not tell your chasquid server it is responsible for example.om.
I think it's likely you told chasquid it is responsible for mail.example.om but not example.om. This is a misconfiguration.
If your server is mail.example.com but you want to receive messages for @example.com, you need to:
1. mail.example.com.
2. mail.example.com.
3. example.com, by mkdir -p /etc/chasquid/domains/example.com
I think you've done step 3 but with mail.example.com instead of example.com.
I hope this helps!
Thanks again! I hadn't noticed the first error related to the missing Message-ID header. I was able to successfully deliver to a non-gmail address, and to a gmail address after specifying the Message-Id (and strangely, sometimes this also worked without a Message-Id).
In case it is helpful to anyone, I used the following sample smtp client code to send the email:
const {SMTPClient} = require("smtp-client");
const uuid = require('uuid');

var spec = {
  from: "user@example.com",
  host: "mail.example.com",
  dest: "user@gmail.com",
  subject: "hola hola",
  port: 465,      // submission over TLS
  secure: true,   // TLS from the first byte, no STARTTLS needed on 465
  user: "user@example.com",
  password: 'REDACTED',
  contents: "email contents"
}

async function send( data ) {
  // log the spec without the password
  console.log("email spec: " + JSON.stringify({...data, password: "<redacted>"}, null, 4));
  let s = new SMTPClient({
    host: data.host,
    port: data.port,
    secure: data.secure
  });
  // Message-ID must be <unique@domain>; a blank line separates headers from the body
  const mime = (
`From: <${data.from}>
To: <${data.dest}>
Subject: ${data.subject}
Message-ID: <${uuid.v4()}@${data.from.split("@")[1]}>

${data.contents}`)
  await s.connect();
  await s.greet({hostname: data.host}); // runs EHLO command or HELO as a fallback
  var auths = await s.getAuthMechanisms();
  console.log("supported auths: " + JSON.stringify(auths, null, 4));
  await s.authPlain({username: data.user,
                     password: data.password}); // authenticates a user
  await s.mail({from: data.from}); // runs MAIL FROM command
  await s.rcpt({to: data.dest}); // runs RCPT TO command (run this multiple times to add more recipients)
  await s.data(mime); // runs DATA command and streams email source
  await s.quit(); // runs QUIT command
}

send(spec).catch(console.error);
Maybe we can close this issue and consider adding a brief troubleshooting guide at the end of the how-to at a future date?
Thanks, that sounds good to me!