matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Synapse cannot send mail to local Postfix server using STARTTLS #14934

Open nike4613 opened 1 year ago

nike4613 commented 1 year ago

Description

When I make Synapse try to send an email (e.g. by adding one to my account in the Element UI), it reports an internal error, with the attached error in the logs (duplicated 5 times, with the Retry: line counting down from 5).

Steps to reproduce

Homeserver

cirr.com

Synapse Version

1.75.0

Installation Method

Debian packages from packages.matrix.org

Database

PostgreSQL. Single server, no porting, no backups.

Workers

Single process

Platform

Debian 5.10.127-1 VPS

Configuration

No response

Relevant log output

2023-01-29 21:47:03,886 - twisted - 274 - CRITICAL - sentinel - Error during info_callback
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/twisted/protocols/tls.py", line 314, in dataReceived
    self._checkHandshakeStatus()
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/twisted/protocols/tls.py", line 237, in _checkHandshakeStatus
    self._tlsConnection.do_handshake()
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/OpenSSL/SSL.py", line 2074, in do_handshake
    result = _lib.SSL_do_handshake(self._ssl)
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/OpenSSL/SSL.py", line 1336, in wrapper
    callback(Connection._reverse_mapping[ssl], where, return_code)
--- <exception caught here> ---
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/twisted/internet/_sslverify.py", line 1064, in infoCallback
    return wrapped(connection, where, ret)
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/twisted/internet/_sslverify.py", line 1174, in _identityVerifyingInfoCallback
    verifyHostname(connection, self._hostnameASCII)
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/pyopenssl.py", line 48, in verify_hostname
    verify_service_identity(
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/_common.py", line 48, in verify_service_identity
    matches = _find_matches(cert_patterns, obligatory_ids) + _find_matches(
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/_common.py", line 88, in _find_matches
    if sid.verify(cid):
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/_common.py", line 284, in verify
    return _hostname_matches(pattern.pattern, self.hostname)
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/_common.py", line 398, in _hostname_matches
    actual_head, actual_tail = actual_hostname.split(b".", 1)
builtins.ValueError: not enough values to unpack (expected 2, got 1)

2023-01-29 21:47:03,889 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 3

Anything else that would be useful to know?

The target mail server is a Postfix server configured to only accept TLS. I do not have issues sending mail through this server from any other application; I am able to send mail using Thunderbird, and my Nextcloud instance is able to send mail through it.

H-Shay commented 1 year ago

Thanks for reporting. Can you share how you have configured synapse for sending email?

nike4613 commented 1 year ago

With comments removed:

email:
  smtp_host: localhost
  smtp_port: 587
  require_transport_security: false
  enable_tls: true

Note: I have tried with require_transport_security set to both true and false with no difference. Disabling enable_tls causes failures because Postfix is configured to require TLS.

squahtx commented 1 year ago

  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/service_identity/_common.py", line 398, in _hostname_matches
    actual_head, actual_tail = actual_hostname.split(b".", 1)

That error happens when a hostname has no . in it.

Could you post the public part of the mail server's certificate too? In particular, what's the subject field of the certificate?
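As an added example (not Synapse's or service_identity's code), here is a wildcard hostname matcher in the spirit of RFC 6125 that treats a dotless hostname such as `localhost` as "no match" instead of raising, and a helper that reports which certificate name, if any, covers a hostname. It assumes plain ASCII names (no IDNA handling) and only the names already mentioned in this thread.

```python
# Added example, not service_identity's or Synapse's implementation.
from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Simplified RFC 6125 section 6.4.3 rules:
      * comparison is case-insensitive and ignores a trailing dot;
      * a pattern without '*' must match exactly;
      * a wildcard may only be the entire left-most label ("*.example.com");
      * the wildcard matches exactly one non-empty label, so a dotless
        hostname or the bare domain never matches a wildcard.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    pat_head, sep, pat_tail = pattern.partition(".")
    # Reject "mail.*.com", "ma*l.example.com" and a bare "*".
    if pat_head != "*" or not sep or "*" in pat_tail:
        return False

    # This is the case that raised ValueError in the traceback above:
    # a hostname with no dot cannot be unpacked into (head, tail), and
    # cannot be covered by "*.something" in any case, so answer False.
    host_head, sep, host_tail = hostname.partition(".")
    if not sep:
        return False

    return bool(host_head) and host_tail == pat_tail


def first_matching_pattern(
    cert_patterns: Iterable[str], hostname: str
) -> Optional[str]:
    """Return the first certificate name covering `hostname`, or None.

    None is the "verification failed" outcome that makes a TLS client
    abort the connection rather than continue with an unverified peer.
    """
    for pattern in cert_patterns:
        if hostname_matches(pattern, hostname):
            return pattern
    return None
```

With the certificate from this thread (`*.cirr.com`), `localhost` and `localhost.` yield no match (so the client aborts, as in the second log excerpt), while a full name under `cirr.com` does.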

squahtx commented 1 year ago

That error happens when a hostname has no . in it.

Can you try changing the Synapse config to smtp_host: localhost., with a trailing .?

nike4613 commented 1 year ago

Could you post the public part of the mail server's certificate too? In particular, what's the subject field of the certificate?

CN = *.cirr.com

Can you try changing the Synapse config to smtp_host: localhost., with a trailing .?

This results in a different error in the log:

2023-01-31 13:42:30,925 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 5
2023-01-31 13:42:30,977 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 4
2023-01-31 13:42:31,030 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 3
2023-01-31 13:42:31,080 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 2
2023-01-31 13:42:31,136 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 1
2023-01-31 13:42:31,185 - synapse.handlers.identity - 395 - ERROR - POST-425 - Error sending threepid validation email to <redacted>
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/synapse/handlers/identity.py", line 393, in send_threepid_validation
    await send_email_func(email_address, token, client_secret, session_id)
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/synapse/push/mailer.py", line 210, in send_add_threepid_mail
    await self.send_email(
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/synapse/push/mailer.py", line 327, in send_email
    await self.send_email_handler.send_email(
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/synapse/handlers/send_email.py", line 208, in send_email
    await self._sendmail(
  File "/opt/venvs/matrix-synapse/lib/python3.9/site-packages/synapse/handlers/send_email.py", line 130, in _sendmail
    await make_deferred_yieldable(d)
twisted.internet.error.ConnectionAborted: Connection was aborted locally using ITCPTransport.abortConnection.

nike4613 commented 1 year ago

Can you try changing the Synapse config to smtp_host: localhost., with a trailing .?

It looks like changing the smtp_host to use the full domain name of the server works though. This strikes me as a somewhat unhelpful requirement, given that the two servers are running on the same physical machine.

Notably, it seems like doing this only works when sending mail to local recipients. It seems like because it's connecting via the full domain, Postfix isn't recognizing it as local and as such is refusing to act as a relay like it should be.