Closed Divide-By-0 closed 1 year ago
That's truly bizarre — that's just a normal TCP connect with nothing special about it. This feels like some kind of configuration error for your network or firewall. Maybe DNS lookup is slow? Does it work if you try to connect using the IP directly?
Hmm yeah I'm not sure. It works perfectly on my local laptop. On the ec2 server, nslookup imap.gmail.com
completes immediately, openssl s_client -connect imap.gmail.com:993
hangs, and traceroute -p 993 imap.gmail.com
seems to go slowly and hit the hop max. ip route
seems fine.
$ nslookup imap.gmail.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: imap.gmail.com
Address: 142.250.101.108
Name: imap.gmail.com
Address: 142.250.101.109
Name: imap.gmail.com
Address: 2607:f8b0:4023:c0b::6d
Name: imap.gmail.com
Address: 2607:f8b0:4023:c0b::6c
$ traceroute -p 993 imap.gmail.com
traceroute to imap.gmail.com (142.250.101.108), 30 hops max, 60 byte packets
1 * * *
2 240.0.176.3 (240.0.176.3) 0.229 ms 0.221 ms *
3 240.0.176.23 (240.0.176.23) 0.220 ms 0.212 ms *
4 * 242.2.45.97 (242.2.45.97) 0.423 ms 242.2.44.193 (242.2.44.193) 0.519 ms
5 52.93.47.89 (52.93.47.89) 2.611 ms 241.0.6.130 (241.0.6.130) 0.191 ms 241.0.6.128 (241.0.6.128) 0.399 ms
6 52.93.237.248 (52.93.237.248) 2.632 ms 240.0.176.26 (240.0.176.26) 0.192 ms 54.240.242.66 (54.240.242.66) 1.713 ms
7 242.2.45.97 (242.2.45.97) 0.420 ms 242.2.45.193 (242.2.45.193) 0.358 ms 15.230.28.68 (15.230.28.68) 2.360 ms
8 52.93.237.211 (52.93.237.211) 1.464 ms 52.93.47.83 (52.93.47.83) 2.018 ms 74.125.118.78 (74.125.118.78) 1.811 ms
9 * * *
10 * 15.230.28.16 (15.230.28.16) 1.438 ms *
11 * 74.125.51.220 (74.125.51.220) 3.735 ms 72.14.203.108 (72.14.203.108) 3.422 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
$ ip route
default via 172.31.0.1 dev ens5 proto dhcp src 172.31.7.227 metric 100
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.31.0.0/20 dev ens5 proto kernel scope link src 172.31.7.227 metric 100
172.31.0.1 dev ens5 proto dhcp scope link src 172.31.7.227 metric 100
172.31.0.2 dev ens5 proto dhcp scope link src 172.31.7.227 metric 100
The iptables seem open enough
$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
...
Waiting for the openssl connection gives me this:
$ openssl s_client -connect imap.gmail.com:993
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = imap.gmail.com
verify return:1
---
Certificate chain
0 s:CN = imap.gmail.com
i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Apr 3 08:23:54 2023 GMT; NotAfter: Jun 26 08:23:53 2023 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = imap.gmail.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4292 bytes and written 396 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 9E7EBDE7DCBE92D7A995E3B619F512260FA6D66CE57986E3837B55F6633A6792
Session-ID-ctx:
Resumption PSK: A1B98CB7AB0649AF38AAD9F17405E895BB29DF1A116383AF6F575514179904EE80882DEC4FBDF19401C181DFCF2DFC5A
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 172800 (seconds)
TLS session ticket:
0000 - 02 56 7e 61 b9 5a
...
Start Time: 1682294873
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
* OK Gimap ready for requests from 54.<redacted> z5mb35023069oct
The fact that openssl s_client
also hangs suggests this isn't actually a problem with the imap
crate. Unfortunately I also don't have much of an idea of what else it can be, sorry!
On my EC2 server, Rust IMAP takes about 3 minutes to initially connect to
imap.gmail.com
, but the SMTP connection happens instantly. Also, it frequently drops connection after maybe 5-10 more minutes with "Connection Lost". Any idea what might be causing this?It stalls on the second line with port 993.
The specific library line it hangs on is