Unable to send email using SMTP connection

I use this configuration line for my SMTP server:

connection_uri: smtps://<username>:<password>@mail.gmx.net:587/?skip_ssl_verify=false
from_address: [email protected]

I get the following error message:

level=error msg=Unable to send email using SMTP connection. audience=application error=map[message:tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config] [email protected] service_name=kratos service_version= smtp_server=mail.gmx.net:587 smtp_ssl_enabled=true

Any idea why it doesn’t work? Should I inform Kratos about SSL certificates that I have?

Hey there, it’s unfortunately not possible to disable ssl verify for domains that aren’t localhost!

Thanks for the reply. According to my understanding, since skip_ssl_verify is set to false, then I state that I don’t wish to disable the SSL verification. Did I get it wrong?

If I set it to true, then I get the following error:

level=error msg=Unable to send email using SMTP connection. audience=application error=map[message:tls: first record does not look like a TLS handshake] [email protected] service_name=kratos service_version= smtp_server=mail.gmx.net:587 smtp_ssl_enabled=true

By going over the docs, skip_ssl_verify seems relevant for self-signed certificates. Therefore my last message is probably irrelevant.
Since I’m using Nginx, in which I configure the SSL certificates, my current guess is that the communication to the SMTP server should go through that Nginx server, but is it possible to configure this in Kratos? @hackerman (sorry to nag on this)

Hey, yes you’re right - it’s disabled (I misread it as true). I assume you’re not using NGINX to proxy the SMTP server though, right?

Correct. I will need to look into how this can be done.

I mean GMX should support SMTPS by default without the need to proxy it with NGinx?

It indeed supports it. And so, if I understand correctly so far, the problem is caused due to the fact that the outgoing SMTPS communication from the Kratos service to the GMX service is done not on top of SSL. I’m baffled why is it so. Am I supposed to provide my own SSL certificate, or is it a problem with the GMX server? Unfortunately, I don’t know enough about this.

No, it should just be enough to use smtps://<username>:<password>@mail.gmx.net:587 (make sure 587 is actually the port at gmx which does do TLS). It’s also important to check what type of TLS gmx supports, if it’s a really old version it might be rejected by the Golang mail library because it’s insecure.

Thanks for the info. I tried to use another smtp server (sendgrid.com), but I get the same error. Is there perhaps an smtp service provider (preferably a free one) in which you know/believe this works?

So we use mailgun where this works normally. Our config looks like this (we actually use smtp and not smtps - it might be a bug in Kratos…):

        connection_uri: "smtp://postmaster%40**:***@smtp.mailgun.org:587"

It works! I’m really happy :grinning: Thanks a lot!

To summarize: indeed changing from smtps to smtp solved the problem, and now it works for both gmx.net and sendgrid.com.

1 Like

Congratulations! I created an issue to track this ( https://github.com/ory/kratos/issues/781 ) - imo it should not fail with smtps!