
Monica Mailer no longer working, tries to force TLS?

Open mikekay1 opened this issue 1 year ago • 19 comments

Describe the bug: Used to work with an internal mail server; now I get an error and it hasn't been sending reminders since :(

Screenshots: What I am seeing in the front end: [image]

Docker Compose: [image]

Which version are you using:

  • selfhosted latest 4.0.0

mikekay1 avatar Aug 25 '23 03:08 mikekay1

Apparently this is a known change. It is not a bug. By default Symfony Mailer does peer verification for security reasons. I guess it is a matter of adding a certificate to your SMTP server. It's what I will be doing, as it really is for security. The fact my server is only available to particular containers is unimportant. Forcing security like this isn't a bad thing.

ciphermenial avatar Aug 28 '23 02:08 ciphermenial

Hi thanks for the response.

I have a cert; just internally it fails root trust, externally it resolves fine. I only let specific IPs use the relay. Going external involves some setup in and around resolving external domains, then hairpin NAT back in before out through the gateway, which is not quite working 100% from my docker server.

I will start there I suppose; no way to force no SSL/TLS, right?

mikekay1 avatar Aug 29 '23 15:08 mikekay1

It does not look like there is an easy way to force no TLS. I have switched to using an SMTP service (SMTP2Go) since I only need a small amount of outbound email.

ciphermenial avatar Aug 30 '23 00:08 ciphermenial

Ah okay, well, any way to ignore the cert check? Again, it's self-signed, so I won't be installing a CA internally just to get my Exchange server to correctly trust the self-signed cert IIS created. I think this is kind of a huge oversight for internal servers :(

mikekay1 avatar Aug 31 '23 16:08 mikekay1

If I am correct, this would be the verify_peer flag; is there any way to supply this hint from Docker using env parameters?

mikekay1 avatar Aug 31 '23 16:08 mikekay1

This has been a hassle; I have literally spent over 48 hours trying to get this to work with Exchange. Are there any plans to have this communicate over EWS protocols? Being 100% honest, ports 25/465/587 won't be around forever; all mail servers are slowly migrating to mail over HTTPS/Outlook Anywhere/etc.

mikekay1 avatar Aug 31 '23 20:08 mikekay1

> Ah okay, well, any way to ignore the cert check? Again, it's self-signed, so I won't be installing a CA internally just to get my Exchange server to correctly trust the self-signed cert IIS created. I think this is kind of a huge oversight for internal servers :(

You could install the root certificate from your IIS server. That should work.

ciphermenial avatar Sep 01 '23 22:09 ciphermenial

> This has been a hassle; I have literally spent over 48 hours trying to get this to work with Exchange. Are there any plans to have this communicate over EWS protocols? Being 100% honest, ports 25/465/587 won't be around forever; all mail servers are slowly migrating to mail over HTTPS/Outlook Anywhere/etc.

Email federates over port 25 (SMTP). That isn't going anywhere. 465 and 587 are for client to server connection and not for email host to host.

ciphermenial avatar Sep 01 '23 22:09 ciphermenial

> > Ah okay, well, any way to ignore the cert check? Again, it's self-signed, so I won't be installing a CA internally just to get my Exchange server to correctly trust the self-signed cert IIS created. I think this is kind of a huge oversight for internal servers :(

> You could install the root certificate from your IIS server. That should work.

That would require putting it into the Docker container, and every time I rebuild, doing it again. I like using SSL termination at the proxy for this exact reason!

mikekay1 avatar Sep 03 '23 13:09 mikekay1

> > This has been a hassle; I have literally spent over 48 hours trying to get this to work with Exchange. Are there any plans to have this communicate over EWS protocols? Being 100% honest, ports 25/465/587 won't be around forever; all mail servers are slowly migrating to mail over HTTPS/Outlook Anywhere/etc.

> Email federates over port 25 (SMTP). That isn't going anywhere. 465 and 587 are for client to server connection and not for email host to host.

Correct about 25, forgot about server to server. But clients are starting to use HTTPS over 443 as it's open on all clients usually.

Any way to put the ssl_verify_peer into the Docker image as an env? So I don't have to SSH in, install nano and edit mail.php every time I docker-compose up?

Thanks!

mikekay1 avatar Sep 03 '23 13:09 mikekay1

So email is working when I try to add a user, but today it failed to notify me about a birthday with a yearly reminder, and it was working 2 days ago. Doesn't it email the day of? Or is it just 7 days prior?

mikekay1 avatar Sep 05 '23 19:09 mikekay1

Hi, I had this too. I had to solve this by bind mounting my Linux host /etc/ssl/certs and /usr/local/share/ca-certificates, and then I could send an email. I was using self-signed also.

I was surprised about this, as standards say that an email exchange should downgrade to unencrypted as a last resort.

Then I could send a test email.

jcurl avatar Oct 24 '23 16:10 jcurl
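The trust-store route jcurl describes, and the "I have to redo it every rebuild" complaint earlier in the thread, can be scripted. The following is an added example written for this thread, not code from Monica or from any participant. It assumes the Monica container is Debian-based (the php:*-apache layout, with /usr/local/share/ca-certificates and update-ca-certificates) and that the internal CA, or the self-signed server certificate itself (which is its own CA), is available as a PEM file. It keeps verify_peer on and instead makes the signing certificate trusted, which is what the "install the root certificate" advice above amounts to.

```shell
#!/bin/sh
# install_internal_ca.sh - added example for this thread (not Monica's code).
# Makes a private or self-signed CA trusted inside a Debian-based container
# (the Monica image follows the php:*-apache layout), so that PHP/Symfony
# Mailer can verify the SMTP server certificate with verify_peer left ON.
#
# Assumptions: the CA (or the self-signed server cert, which is its own CA)
# is a PEM file; the target uses the Debian ca-certificates layout
# (/usr/local/share/ca-certificates + update-ca-certificates); run as root.

# is_pem_cert FILE -> success if FILE holds at least one PEM certificate block
is_pem_cert() {
    [ -f "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# install_internal_ca CA_FILE [ROOT]
# Copies CA_FILE to ROOT/usr/local/share/ca-certificates/monica-internal-ca.crt
# and, when ROOT is empty (the live filesystem) and update-ca-certificates is
# available, regenerates /etc/ssl/certs so OpenSSL, and therefore PHP, trusts
# the CA. ROOT exists only for dry runs. Prints the destination path; fails on
# input that is not a PEM certificate.
install_internal_ca() {
    ca_file=$1
    root=${2:-}
    if ! is_pem_cert "$ca_file"; then
        echo "install_internal_ca: '$ca_file' is not a PEM certificate" >&2
        return 1
    fi
    dest_dir="$root/usr/local/share/ca-certificates"
    dest="$dest_dir/monica-internal-ca.crt"   # the .crt suffix is required
    mkdir -p "$dest_dir"
    cp "$ca_file" "$dest"
    chmod 0644 "$dest"
    if [ -z "$root" ] && command -v update-ca-certificates >/dev/null 2>&1; then
        update-ca-certificates >/dev/null
    fi
    echo "$dest"
}

# Run the install only when executed directly with a CA path as argument.
case "${0##*/}" in
    install_internal_ca.sh)
        if [ $# -ge 1 ]; then
            install_internal_ca "$1"
        fi
        ;;
esac
```

Run it as root inside the container after copying the script and the .crt in (for example with docker compose cp followed by docker compose exec -u root), or, so that a rebuild does not lose it, bake the same two steps into a short Dockerfile layered on the Monica image: COPY the .crt into /usr/local/share/ca-certificates/ and RUN update-ca-certificates. Either way mail.php stays untouched: PHP's OpenSSL reads the regenerated /etc/ssl/certs bundle, and peer verification now succeeds because the issuer is trusted rather than because checking was switched off.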

It's still not working:

  • set verify_peer flag (any way to do this from the env file?)
  • testing an add user and seeing they get the email works fine
  • there is no emailing out of reminders, which makes the whole application a lot less applicable for my use case
  • this is the only application out of hundreds that I run that is facing this issue. Can I switch to another mailer? This one is broken and provides very little testing; at least we should have a "send a test email" in the admin panel

Let me know if I can provide more information about my deployment,

mikekay1 avatar Nov 24 '23 14:11 mikekay1

@mikekay1 are you using redis as your QUEUE_CONNECTION ?

vnghia avatar Nov 26 '23 12:11 vnghia

> @mikekay1 are you using redis as your QUEUE_CONNECTION ?

Hello @vnghia ,

Can you elaborate on where that is? I don't believe I have specified that variable in my docker compose.

I have just the app and the db in my compose.

I missed a client's birthday and am now making up for it; I thought I could just check the main page every now and then. Long story short, that doesn't work; I need the emails.

mikekay1 avatar Feb 20 '24 16:02 mikekay1

I looked into the issue further. I am not using a cron container; I am using Supervisor, which has cron integrated. So to answer your question: neither redis nor async for QUEUE_CONNECTION.

mikekay1 avatar Feb 20 '24 16:02 mikekay1

Can we just expose the

        "allow_self_signed" => true,
        "verify_peer" => false,

so I can enable it from the docker compose or in an env file? I think it's ridiculous that a mailer forces TLS internally, and does a horrible job at that. I should be able to use a self-signed cert that is not verified by a peer. As long as it's encrypted it's fine; it doesn't have to match internal IPs or intranet web addresses.

mikekay1 avatar Feb 21 '24 14:02 mikekay1

Reopening -- I have a Let's Encrypt certificate that matches the domain, and I'm still receiving the error:

STARTTLS: stream_socket_enable_crypto()

mikekay1 avatar Apr 12 '24 03:04 mikekay1
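A quick way to see why PHP's stream_socket_enable_crypto() rejects the STARTTLS handshake is to repeat the same check with openssl s_client against the host, port and name that MAIL_HOST/MAIL_PORT point at, and read the "Verify return code". The script below is an added example for this thread, not code from Monica or from any participant; it assumes OpenSSL 1.1.0 or newer (for -starttls smtp and -verify_hostname) and that the SMTP server is reachable from wherever it runs. The hint table maps the common X509 verify codes to what to change. With a certificate that verifies fine from outside, two things commonly still fail peer verification even though "TLS is working": MAIL_HOST being an internal IP or short name that is not in the certificate's SAN (code 62), and the server not sending its intermediate chain (codes 20/21).

```shell
#!/bin/sh
# smtp_tls_probe.sh - added example for this thread (not Monica's code).
# Reproduces the STARTTLS certificate check that PHP/Symfony Mailer performs,
# using openssl s_client, and turns the X509 verify result into a remediation
# hint. Assumes OpenSSL >= 1.1.0 (-starttls smtp, -verify_hostname).

# verify_code_from_output: read s_client output on stdin and print the numeric
# "Verify return code" (the last one seen), or nothing if none is present.
verify_code_from_output() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# explain_verify_code CODE: map common X509_V_ERR_* values to what to fix.
explain_verify_code() {
    case "$1" in
        0)     echo "ok: chain and hostname verified; if PHP still fails, check MAIL_PORT/MAIL_ENCRYPTION and that MAIL_HOST is this same name" ;;
        10)    echo "certificate expired: renew the server certificate" ;;
        18|19) echo "self-signed certificate: install the signing CA (or the cert itself) in the container trust store and keep verify_peer on" ;;
        20|21) echo "issuer not found / chain incomplete: the server must send its intermediates, or trust the issuing CA locally" ;;
        62)    echo "hostname mismatch: MAIL_HOST must be a DNS name listed in the certificate's SAN; an internal IP or short name will not match" ;;
        "")    echo "no verify result: the handshake or STARTTLS itself failed (wrong port, STARTTLS not offered, or connection refused)" ;;
        *)     echo "verify error $1: see 'man openssl-verify' for X509_V_ERR code $1" ;;
    esac
}

# probe_smtp_tls HOST PORT NAME [CAFILE]
# HOST/PORT are what MAIL_HOST/MAIL_PORT point at; NAME is the hostname the
# certificate must match (normally identical to HOST). CAFILE optionally adds
# a private CA, mirroring what the container would trust after installing it.
probe_smtp_tls() {
    host=$1; port=$2; name=$3; cafile=${4:-}
    set -- -connect "$host:$port" -starttls smtp -servername "$name" -verify_hostname "$name"
    if [ -n "$cafile" ]; then
        set -- "$@" -CAfile "$cafile"
    fi
    # </dev/null ends the session right after the handshake; 2>&1 keeps the
    # "verify error:" lines, which s_client may print on stderr.
    openssl s_client "$@" </dev/null 2>&1
}

# diagnose_smtp_tls HOST PORT NAME [CAFILE]: run the probe, show the chain
# verification lines, and print the hint for the resulting verify code.
diagnose_smtp_tls() {
    out=$(probe_smtp_tls "$@")
    code=$(printf '%s\n' "$out" | verify_code_from_output)
    printf '%s\n' "$out" | grep -E '^(depth=|verify error:|verify return:)' || true
    echo "verify code: ${code:-none} -> $(explain_verify_code "$code")"
}

# Example (hypothetical names): diagnose_smtp_tls mail.example.internal 587 mail.example.com /path/to/internal-ca.crt
```

Run the diagnosis from the Docker host first and then from inside the container (docker compose exec); if only the container fails, the difference is the trust store, not the server. The NAME argument is worth varying on purpose: probing with the external DNS name and then with the internal IP or short name shows directly whether a code 62 is what the mailer is hitting, in which case the fix is to point MAIL_HOST at a name the certificate carries rather than to disable verification.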

Still don't get why this awesome application is at the mercy of a horrible mailer... TLS is working fine and I have no idea why I am getting this error with just this container:

[image]

mikekay1 avatar Apr 22 '24 17:04 mikekay1