SMTP cannot send mails

[efelon]

Description

Synapse is on a host where I can use ssmtp to a machine "mail.lan" on port 25 without authentication to send mails successfully. If I use the same configuration with Synapse:

#account_threepid_delegates:
email:
  smtp_host: mail.lan
  notif_from: "Your Friendly %(app)s homeserver <noreply@mydomain.com>"

In element I get An error was encountered when sending the email (Status 500) instantaneously and in the logs I get the error below. It really is suspiciously fast, as if it is not doing a real connection attempt.

On mail.lan I don't see any connection attempts. It also doesn't matter if I use the FQDN or the IP address as smtp_host, or if I give the smtp_port and even if I try an external server with username and password. I tried various other things without changing the error message at all.

Has anybody a good hint for me?

Steps to reproduce

• setup smtp server in homeserver.yaml as in the description (port 25 no auth.)
• try to add an email address to any user using element

Homeserver

my own

Synapse Version

"python_version": "3.7.3", "server_version": "1.66.0"

Installation Method

pip (from PyPI)

Platform

• Linux 5.10.103-v7l+ #1529 SMP Tue Mar 8 12:24:00 GMT 2022 armv7l GNU/Linux
• Distributor ID: Raspbian
  Description: Raspbian GNU/Linux 10 (buster)
  Release: 10
  Codename: buster

Relevant log output

2022-09-01 07:09:08,872 - synapse.access.http.8008 - 410 - DEBUG - OPTIONS-7 - fd23::7763:5fd0:9184:3d94 - 8008 - Received request: OPTIONS /_matrix/client/r0/account/3pid/email/requestToken
2022-09-01 07:09:08,873 - synapse.access.http.8008 - 471 - DEBUG - OPTIONS-7 - fd23::7763:5fd0:9184:3d94 - 8008 - {None} Processed request: 0.001sec/-0.000sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 0B 204 "OPTIONS /_matrix/client/r0/account/3pid/email/requestToken HTTP/1.0" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Element/1.11.3 Chrome/102.0.5005.167 Electron/19.0.9 Safari/537.36" [0 dbevts]
2022-09-01 07:09:08,884 - synapse.access.http.8008 - 410 - DEBUG - POST-8 - fd23::7763:5fd0:9184:3d94 - 8008 - Received request: POST /_matrix/client/r0/account/3pid/email/requestToken
2022-09-01 07:09:08,888 - synapse.storage.txn - 691 - DEBUG - POST-8 - [TXN START] {get_user_id_by_threepid-2d}
2022-09-01 07:09:08,893 - synapse.storage.txn - 795 - DEBUG - POST-8 - [TXN END] {get_user_id_by_threepid-2d} 0.004706 sec
:2022-09-01 07:09:08,895 - synapse.storage.txn - 691 - DEBUG - POST-8 - [TXN START] {get_threepid_validation_session-2e}
2022-09-01 07:09:08,900 - synapse.storage.txn - 795 - DEBUG - POST-8 - [TXN END] {get_threepid_validation_session-2e} 0.004610 sec
2022-09-01 07:09:08,907 - synapse.handlers.send_email - 193 - INFO - POST-8 - Sending email to user@somewhere.org
2022-09-01 07:09:08,919 - synapse.metrics._gc - 118 - DEBUG - sentinel - Collecting gc 0
2022-09-01 07:09:08,934 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 5
2022-09-01 07:09:08,941 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 4
2022-09-01 07:09:08,947 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 3
2022-09-01 07:09:08,953 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 2
2022-09-01 07:09:08,959 - twisted - 274 - INFO - sentinel - SMTP Client retrying server. Retry: 1
2022-09-01 07:09:08,965 - synapse.handlers.identity - 396 - ERROR - POST-8 - Error sending threepid validation email to user@somewhere.org
Traceback (most recent call last):
  File "/opt/synapse/env/lib/python3.7/site-packages/synapse/handlers/identity.py", line 393, in send_threepid_validation
    await send_email_func(email_address, token, client_secret, session_id)
  File "/opt/synapse/env/lib/python3.7/site-packages/synapse/push/mailer.py", line 214, in send_add_threepid_mail
    template_vars,
  File "/opt/synapse/env/lib/python3.7/site-packages/synapse/push/mailer.py", line 332, in send_email
    text=plain_text,
  File "/opt/synapse/env/lib/python3.7/site-packages/synapse/handlers/send_email.py", line 207, in send_email
    force_tls=self._force_tls,
  File "/opt/synapse/env/lib/python3.7/site-packages/synapse/handlers/send_email.py", line 130, in _sendmail
    await make_deferred_yieldable(d)
twisted.internet.error.ConnectionRefusedError: Connection was refused by other side: 111: Connection refused.
2022-09-01 07:09:08,970 - synapse.http.server - 169 - INFO - POST-8 - <XForwardedForRequest at 0xb1e73750 method='POST' uri='/_matrix/client/r0/account/3pid/email/requestToken' clientproto='HTTP/1.0' site='8008'> SynapseError: 500 - An error was encountered when sending the email

### Anything else that would be useful to know?

- I had no success on https://matrix.to/#/#synapse:matrix.org
- setup works including federation
- registration closed
- email feature was not used before
- ssmtp on the same host works with the same settings
- `account_threepid_delegates:` is empty
- mail.lan has A and AAAA records (not the same as #7720)
- clients coming in via IPv4 and IPv6

[squahtx]

Are smtp_port or force_tls specified in the email config?
When force_tls is on, Synapse uses port 465 instead of 25.

Is Synapse containerized? I'm assuming not since pip was used.

What do curl -v mail.lan:25 -4 and curl -v mail.lan:25 -6 print when run on the same machine as Synapse? Do they successfully connect?

Is mail.lan listening on both IPv4 and IPv6? What does sudo netstat -plnt on that machine show?

Are there any firewalls that might block traffic?

If possible, it may be helpful to take a packet capture to find out what synapse is trying to connect to.

[efelon]

Are smtp_port or force_tls specified in the email config?

They are not present. I tried it also with them being 25 and false.

Is Synapse containerized?

No only a venv directly on the host.

curl -v mail.lan:25 -4 and curl -v mail.lan:25 -6

[...]
* Expire in 1 ms for 1 (transfer 0xda5950)
* Expire in 2 ms for 1 (transfer 0xda5950)
*   Trying 192.168.23.22...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0xda5950)
* Connected to mail.lan (192.168.23.22) port 25 (#0)
> GET / HTTP/1.1
> Host: mail.lan:25
> User-Agent: curl/7.64.0
> Accept: */*
>
220 mail.mydomain.com ESMTP NO UCE
221 2.7.0 Error: I can break rules, too. Goodbye.
* Closing connection 0

It's the same for -6 only with a IPv6 address.

sudo netstat -plnt on mail.lan

tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      10897/master
tcp6       0      0 :::25                   :::*                    LISTEN      10897/master

filtered with grep 25

Are there any firewalls that might block traffic?

ufw is running on mail.lan, but not blocking. (ssmtp is working from synapse.lan to mail.lan)
ssmtp config: root:synapse@mydomain.eu:mail.lan:25
test command: echo "Subject: sendmail test" | sendmail -v user@mydomain.de (also working with sudo -u synapse ...):

[<-] 220 mail.mydomain.eu ESMTP NO UCE
[->] HELO mydomain.eu
[<-] 250 mail.mydomain.eu
[->] MAIL FROM:<synapse@mydomain.eu>
[<-] 250 2.1.0 Ok
[->] RCPT TO:<user@mydomain.de>
[<-] 250 2.1.5 Ok
[->] DATA
[<-] 354 End data with <CR><LF>.<CR><LF>
[->] Received: by mydomain.eu (sSMTP sendmail emulation); Thu, 01 Sep 2022 17:15:20 +0200
[->] From: "root" <synapse@mydomain.eu>
[->] Date: Thu, 01 Sep 2022 17:15:20 +0200
[->] Subject: sendmail test
[->]
[->] .
[<-] 250 2.0.0 Ok: queued as 67FBD72037B
[->] QUIT
[<-] 221 2.0.0 Bye

it may be helpful to take a packet capture to find out what synapse is trying to connect to.

Ok. I just collected all information from above, installed tcpdump, and started the capture. But then it worked!
After 3 days of having the same error. I think I'm loosing my mind. I definitely did not change anything on mail.lan.
If I can reproduce the error again I will follow up here.😩

[squahtx]

It's good to hear that things are working for you now. If it happens again and it can be tracked down to an issue in Synapse, please feel free to file a new issue.

[efelon]

@squahtx I hope you don't mind if I investigate here a little more. It would be nice to get your opinion before creating a new issue, if necessary.

Analysis

As stated in the manual:

enable_tls: By default, if the server supports TLS, it will be used, and the server must present a certificate that is valid for 'smtp_host'. If this option is set to false, TLS will not be used.

So my mailserver rejects the TLS requests, which looks like this #6211 issue, which then leads to the ip from synapse being banned by fail2ban.

After allowing TLS1.0 again sending is possible:
Anonymous TLS connection established from synapse.lan[192.168.23.20]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Workaround

After reading through #6211, which is closed, I still don't know what to do about the TLS1.0 problem?

In my case of no authentication, plain connection and fail2ban on the mail server, I needed to add

enable_tls: false

to my config to prevent TLS connection attempts all together, which is not ideal but it works.

Config giving the error stated above

email:
  smtp_host: "mail.lan"
  notif_from: "Your Friendly %(app)s homeserver <noreply@mydomain.com>"

Error because of TLS1.0

mail.log on mail.lan

mail postfix/smtpd[29149]: connect from synapse.lan[192.168.23.20]
mail postfix/smtpd[29149]: SSL_accept error from synapse.lan[192.168.23.20]: -1
mail postfix/smtpd[29149]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1686:
mail postfix/smtpd[29149]: lost connection after STARTTLS from synapse.lan[192.168.23.20]
mail postfix/smtpd[29149]: disconnect from synapse.lan[192.168.23.20] ehlo=1 starttls=0/1 commands=1/2

repeats 6 times

[richvdh]

After reading through #6211, which is closed, I still don't know what to do about the TLS1.0 problem?

#6211 was closed because Synapse should no longer use TLS1.0 for SMTP connections. I am somewhat surprised it is doing so. Can you get a tcpdump?

[richvdh]

sorry, can you get a raw dump with tcpdump -n -s0 -w dump.pcap port 25

[efelon]

Here it is: dump.zip

[richvdh]

thanks. Yes, that's certainly a TLS 1.0 handshake.

I can only imagine this must be something to do with the library versions installed on your Synapse server. Are you using a virtualenv? Do you have up-to-date versions of Twisted, pyOpenSSL and cryptography?

[efelon]

Are you using a virtualenv?

Yes. I installed it around December 2020. And upgrade synapse via:

pip install --upgrade pip
pip install --upgrade matrix-synapse

Do you have up-to-date versions of Twisted, pyOpenSSL and cryptography?

pip 22.2.2 from /opt/synapse/env/lib/python3.7/site-packages/pip (python 3.7)

Name: Twisted
Version: 20.3.0
Summary: An asynchronous networking framework written in Python
Home-page: https://twistedmatrix.com/
Author: Twisted Matrix Laboratories
Author-email: twisted-python@twistedmatrix.com
License: MIT
Location: /opt/synapse/env/lib/python3.7/site-packages
Requires: attrs, Automat, constantly, hyperlink, incremental, PyHamcrest, zope.interface
Required-by: matrix-synapse, treq
---
Name: pyOpenSSL
Version: 20.0.1
Summary: Python wrapper module around the OpenSSL library
Home-page: https://pyopenssl.org/
Author: The pyOpenSSL developers
Author-email: cryptography-dev@python.org
License: Apache License, Version 2.0
Location: /opt/synapse/env/lib/python3.7/site-packages
Requires: cryptography, six
Required-by: matrix-synapse
---
Name: cryptography
Version: 3.4.7
Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Home-page: https://github.com/pyca/cryptography
Author: The Python Cryptographic Authority and individual contributors
Author-email: cryptography-dev@python.org
License: BSD or Apache License, Version 2.0
Location: /opt/synapse/env/lib/python3.7/site-packages
Requires: cffi
Required-by: matrix-synapse, pyOpenSSL, service-identity

I though that all dependencies will update according to what synapse requires?

[richvdh]

Name: Twisted
Version: 20.3.0

This is the problem. #6211 was a bug in Twisted, fixed in Twisted 21.2.0. Upgrade Twisted and I think the problem will go away.

I though that all dependencies will update according to what synapse requires?

What synapse requires, yes, but Synapse doesn't require anything in Twisted 21.2. #13315 is related here.

[efelon]

This is the problem. #6211 was a bug in Twisted, fixed in Twisted 21.2.0. Upgrade Twisted and I think the problem will go away.

Ok, I will do this.

What synapse requires, yes, but Synapse doesn't require anything in Twisted 21.2. #13315 is related here.

Well, I read the ticket and was not aware of that problem with pip. Especially because during pip install --upgrade matrix-synapse following outputs suggest otherwise:

Requirement already satisfied: Twisted[tls]>=18.9.0 in /opt/synapse/env/lib/python3.7/site-packages (from matrix-synapse) (20.3.0)
Requirement already satisfied: pyOpenSSL>=16.0.0 in /opt/synapse/env/lib/python3.7/site-packages (from matrix-synapse) (20.0.1)
Requirement already satisfied: cryptography>=3.4.7 in /opt/synapse/env/lib/python3.7/site-packages (from matrix-synapse) (3.4.7)

So there is the pyproject.toml, and with the change in 1.66 to remove delegates, having the email settings work in the homeserver.yaml is even more important. Which, as seen in here, requires Twisted at some higher version.

I do get that maintaining the latest versions in that file can be troublesome. But for me the installation method with pip is the easiest one, because I don't use docker on small single board computers like raspberry pi.

Let me quote you from #11581 and refer to the "useful to us" part. Which would be given here? (I hope I'm not way out of context with the quote):

Sounds like we'd probably be fine bumping these dependencies then - but if there's nothing that's particularly useful to us in them, we shouldn't do so just for the sake of it.

[richvdh]

Our policy is not to force a dependency on particular versions of underlying libraries just to resolve some esoteric problem that will hit a tiny minority of users. The reason for this is to make it possible for Linux distributions to package Synapse.

This is not the place to debate that policy; I have already pointed you to the issue where we are discussing potential alternatives. If you have good ideas, feel free to weigh in there.

I'll close this issue since we have identified that it was caused by your use of an old version of Twisted.

[richvdh]

Duplicate of #6211

[efelon]

This is not the place to debate that policy; I have already pointed you to the issue where we are discussing potential alternatives. If you have good ideas, feel free to weigh in there.

Of course, I agree. It was never my intention to start a discussion here.

Just to follow up and conclude what I did to make it work in the end:

1. Following one suggestion from Installing as a module from PyPI leaves installations vulnerable to bugs in dependencies #13315, I installed a new virtual environment which pulls in all the latest packages. I had to manually install bcrypt 3.2.2, because since version 4 they need a quite recent version of the rust compiler (didn't have the time to go there as well).
2. Then I ran into the bug reported at Obscure exceptions when TLS cert on SMTP server is untrusted #9566, which I could easily solve by stating the correct FQDN in the synapse configuration. Previously I only configured the local domain name (smtp_host: "mail.lan"), which is not inside the TLS certificate. smtp_host: "mail.mydomain.com" did the trick.

Now I can send mails using these synapse email settings:

email:
  smtp_host: "mail.mydomain.com"
  smtp_port: 25
  enable_tls: true
  notif_from: "Your Friendly %(app)s homeserver <noreply@mydomain.com>"

Many thanks @richvdh for your time and great help.