Unable to send email using SMTP connection

I use this configuration line for my SMTP server:

    connection_uri: smtps://<username>:<password>@mail.gmx.net:587/?skip_ssl_verify=false
    from_address: [email protected]

I get the following error message:

    level=error msg=Unable to send email using SMTP connection. audience=application error=map[message:tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config] [email protected] service_name=kratos service_version= smtp_server=mail.gmx.net:587 smtp_ssl_enabled=true

Any idea why it doesn’t work? Should I inform Kratos about SSL certificates that I have?

Hey there, it’s unfortunately not possible to disable ssl verify for domains that aren’t localhost!

Thanks for the reply. According to my understanding, since skip_ssl_verify is set to false, I am stating that I don’t wish to disable the SSL verification. Did I get it wrong?

If I set it to true, then I get the following error:

    level=error msg=Unable to send email using SMTP connection. audience=application error=map[message:tls: first record does not look like a TLS handshake] [email protected] service_name=kratos service_version= smtp_server=mail.gmx.net:587 smtp_ssl_enabled=true

By going over the docs, skip_ssl_verify seems relevant for self-signed certificates. Therefore my last message is probably irrelevant.
Since I’m using Nginx, in which I configure the SSL certificates, my current guess is that the communication to the SMTP server should go through that Nginx server, but is it possible to configure this in Kratos? @hackerman (sorry to nag on this)

Hey, yes you’re right - it’s disabled (I misread it as true). I assume you’re not using NGINX to proxy the SMTP server though, right?

Correct. I will need to look into how this can be done.

I mean GMX should support SMTPS by default without the need to proxy it with Nginx?

It indeed supports it. And so, if I understand correctly so far, the problem is caused by the fact that the outgoing SMTPS communication from the Kratos service to the GMX service is not done on top of SSL. I’m baffled as to why that is. Am I supposed to provide my own SSL certificate, or is it a problem with the GMX server? Unfortunately, I don’t know enough about this.

No, it should just be enough to use smtps://<username>:<password>@mail.gmx.net:587 (make sure 587 is actually the port at GMX which does do TLS). It’s also important to check what type of TLS GMX supports; if it’s a really old version, it might be rejected by the Golang mail library because it’s insecure.

Thanks for the info. I tried to use another SMTP server (sendgrid.com), but I get the same error. Is there perhaps an SMTP service provider (preferably a free one) with which you know/believe this works?

So we use mailgun where this works normally. Our config looks like this (we actually use smtp and not smtps - it might be a bug in Kratos…):

    courier:
      smtp:
        connection_uri: "smtp://postmaster%40**:***@smtp.mailgun.org:587"

It works! I’m really happy :grinning: Thanks a lot!

To summarize: indeed changing from smtps to smtp solved the problem, and now it works for both gmx.net and sendgrid.com.

Congratulations! I created an issue to track this ( https://github.com/ory/kratos/issues/781 ) - imo it should not fail with smtps!
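
Added example (not part of the thread and not Kratos code): a small Go program that reproduces both error strings quoted above with `crypto/tls`. It assumes the server on the port greets in cleartext and expects STARTTLS afterwards, as submission ports conventionally do; the local listener, `mail.example.test`, `startPlainSMTP` and `probe` are constructed for the demonstration.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"time"
)

// startPlainSMTP is a constructed stand-in for a STARTTLS-style submission port:
// it greets in cleartext. mail.example.test is a made-up hostname.
func startPlainSMTP() net.Listener {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			fmt.Fprint(c, "220 mail.example.test ESMTP\r\n")
			io.Copy(io.Discard, c) // hold open until the client hangs up
			c.Close()
		}
	}()
	return ln
}

// probe connects like an smtps:// client (cfg != nil: TLS handshake right after
// connect) or like an smtp:// client (cfg == nil: read the cleartext greeting).
func probe(addr string, cfg *tls.Config) (string, error) {
	raw, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return "", err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(2 * time.Second))
	if cfg != nil {
		return "", tls.Client(raw, cfg).Handshake()
	}
	return bufio.NewReader(raw).ReadString('\n')
}

func main() {
	ln := startPlainSMTP()
	defer ln.Close()
	for _, cfg := range []*tls.Config{{}, {ServerName: "mail.example.test"}, nil} {
		fmt.Println(probe(ln.Addr().String(), cfg))
	}
}
```

The empty `tls.Config` fails before any bytes are sent; once `ServerName` is set, the handshake fails because the first bytes received are the `220` greeting rather than a TLS record, while the cleartext probe reads that greeting normally.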