ix-ai / smtp

This is an SMTP Docker container for sending emails. You can also relay emails to Gmail and Amazon SES.
MIT License

Can't access container from outside #3

Closed pavanfhw closed 3 years ago

pavanfhw commented 3 years ago

Hello, I'm trying to use your image in Kubernetes as a Gmail relay. I'm not able to connect to the container from outside, from another container. From inside the container it is working. I can use Python to run a simple script to connect and send a mail the way I intend to. But from outside I can't connect to the relay. I think I'm not configuring my environment variables correctly for this case. Can you advise on what variables and values I should use? I'm trying with RELAY_NETWORKS and/or RELAY_DOMAINS but with no success. I can allow all connections because the container is only exposed inside the Kubernetes cluster. To illustrate:

From inside

smtp.connect("email-relay", 587)
(220, 'email-relay ESMTP Exim 4.92 Wed, 03 Mar 2021 13:07:36 +0000')

From outside

smtp.connect("email-relay", 587)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/smtplib.py", line 317, in connect
    (code, msg) = self.getreply()
  File "/usr/lib/python2.7/smtplib.py", line 365, in getreply
    + str(e))
smtplib.SMTPServerDisconnected: Connection unexpectedly closed: timed out

tlex commented 3 years ago

While I don't use K8s, this looks to me like a network configuration problem. Basically, you need to tell K8s to permit the connection from your source container to the destination container. This error is a networking error, not an application error.

pavanfhw commented 3 years ago

I am able to do a curl request on port 587 to the relay container. Obviously it breaks, but the container logs it. So by this I assume the container is reachable from other containers in the cluster. Can you confirm this configuration should allow all incoming SMTP connections to the container? Should something be changed?

/etc/exim4/update-exim4.conf.conf:

dc_eximconfig_configtype='smarthost'
dc_other_hostnames=''
dc_local_interfaces='[0.0.0.0]:587 ; [::0]:587'
dc_readhost=''
dc_relay_domains='*'
dc_minimaldns='false'
dc_relay_nets='10.42.3.40/24:0.0.0.0/0'
dc_smarthost='smtp.gmail.com::587'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

tlex commented 3 years ago

The important part is dc_local_interfaces. I currently have it running on plain SMTP and this is my config:

dc_local_interfaces='[0.0.0.0]:25 ; [::0]:25'

You could give it a spin like that, to see how it works (without TLS); maybe you can narrow it down. As for RELAY_NETWORKS, I keep it on my infrastructure set to :192.168.0.0/16:172.16.0.0/12:10.0.0.0/8.

pavanfhw commented 3 years ago

@tlex Changing the port to 25 worked. Thank you! Can you help me understand why? I am not familiar with SMTP.

tlex commented 3 years ago

Basically, port 587 assumes TLS (and everything that comes with it: a certificate). For this to work as expected, the variables KEY_PATH and CERTIFICATE_PATH need to be set.

Now, it would probably make sense to test with Exim how it behaves if the port is set to 587 but there's no certificate there.

Thanks for your feedback, I'll close this now :-)
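
The thread turns on whether the failure was at the network layer or at the SMTP layer: curl could reach port 587, yet smtplib timed out waiting for the greeting. The probe below separates those stages. It is an added example, not code from the thread participants or the ix-ai/smtp project; `probe_smtp`, `start_listener` and the local test greetings are assumptions made for illustration.

```python
import socket
import threading


def probe_smtp(host, port, timeout=5.0):
    """Classify how far an SMTP connection gets.

    Returns one of:
      ("unreachable", detail)  TCP connect failed (routing, Service, NetworkPolicy, firewall)
      ("no_banner", detail)    TCP connected, but no greeting arrived in time
      ("closed", detail)       peer closed without sending a greeting
      ("banner", line)         server sent a greeting line (220 on success)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        sock.settimeout(timeout)
        try:
            data = sock.recv(512)
        except socket.timeout:
            return ("no_banner", "connected, no greeting within %.1fs" % timeout)
        except OSError as exc:
            return ("closed", str(exc))
    if not data:
        return ("closed", "peer closed before greeting")
    return ("banner", data.decode("ascii", "replace").splitlines()[0])


def start_listener(greeting):
    """Constructed local test server: sends `greeting`, or stays silent if None."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        if greeting:
            conn.sendall(greeting)
        threading.Event().wait(1.0)  # hold the connection open briefly
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_smtp("127.0.0.1", start_listener(b"220 email-relay ESMTP ready\r\n"), 0.5))
    print(probe_smtp("127.0.0.1", start_listener(None), 0.5))
```

Run from the client pod against the relay's service name and port, an `unreachable` result points at cluster networking, while `no_banner` means the TCP path works and the listener's own configuration is the place to look.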