this post was submitted on 11 Jun 2023
4 points (100.0% liked)

Lemmy Support

4645 readers
1 users here now

Support / questions about Lemmy.

Matrix Space: #lemmy-space

founded 5 years ago
MODERATORS
 

I cant get my email sending to work on my instance. After trying for hours, i wanted to ask for some support here since im quite stuck and dont understand.

I installed Lemmy using ansible so everything is set up in a very standard way - except email.

I want my instance to send email to an external smtp server (Fastmail) whenever there is a need to send an email (user registration, password reset, etc).

Currently the email settings in lemmy.hjson looks like this:

  email: {
    smtp_server: "postfix:25"
    smtp_login: "[email protected]"
    smtp_password: "fastmail_user_password_here"
    smtp_from_address: "[email protected]"
    tls_type: "tls"
  }

It seems like i need to have postfix:25 as the smtp server. What i really want is to put smtp.fastmail.com:465 here since thats what i want to use to send email. But that doesnt seem to work.

So I understand I need to send email through postfix, but then I wonder, how should the config look like to send emails to smtp.fastmail.com on port 465 (which is what they have on fastmail), with a specific username and password used on the fastmail server?

I think a lot of people are having issues with the email part of the setup, judging from the many reports of spinning buttons on user signup... this is a very likely reason, specially since there is no error message to the user.

Please help me sort this out, how should i configure this?

EDIT:

Ok after a lot of experiments and help from people below, this was the solution.

  email: {
    smtp_server: "smtp.fastmail.com:587"
    smtp_login: "[email protected]"
    smtp_password: "password"
    smtp_from_address: "[email protected]"
    tls_type: "starttls"
  }

Using this, email sending finally works. I couldnt use something else in the smtp_from_address. Which means my real email gets shown to users, so I will probably create another email address for this purpose completely.

Also specific to Hetzner instances, they dont block port 587 so you can use that with starttls.

top 25 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 1 year ago (1 children)

My instance had the same problem, the problem was that Hetzner (where I host my server) by default is not permitting outbound smtp ports. For me the solution was to use alternative port and even that a starttls alternative port which AWS SES luckily supports (that is what I am using for smtp server). Alternative would be also to just ask Hetzner to unblock the port (people have reported success with this method).

[–] [email protected] 1 points 1 year ago (3 children)

Actually it seems that port 587 is open (starttls) while port 465 (tls) is closed. I can connect to port 587 on my email server from my Hetzner instance (im also using them).

But how should the config look like to forward emails? How does your config look like?

[–] [email protected] 3 points 1 year ago

Btw, I do not use postfix

[–] [email protected] 3 points 1 year ago

if you use starttls, just use tls_type: "starttls" in your config

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

I was able to get Brevo working on Hetzner with the following block:

  email: {
    smtp_server: "smtp-relay.sendinblue.com:587"
    smtp_login: "your_email"
    smtp_password: "smtp_key"
    smtp_from_address: "your_email"
    tls_type: "starttls"
  }

Interestingly, it wasn't working when I gave up and went to bed. I happened to do something on the instance today and much to my surprise, an email came through. Maybe Brevo holds the emails/doesn't immediately allow SMTP?

if that hadn't worked, my next step was going to test sending email through the console as described in another comment.

[–] [email protected] 2 points 1 year ago (1 children)

following.... similar question!

[–] [email protected] 2 points 1 year ago (2 children)

I edited my original post with what actually worked for me in the end.

[–] [email protected] 2 points 1 year ago

Right on... Thank you. My VPS is blocking all smtp ports so I either have to get really creative or move hosts it's looking like. 😁

[–] [email protected] 1 points 1 year ago
[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Make sure you can connect from your server to ensure firewall rules, passwords, and SSL type are accurate.

openssl s_client -connect smtp.fastmail.com:465 -tls smtp

More directions here as you need to encode your username and password to login from the shell: https://www.stevenrombauts.be/2018/12/test-smtp-with-telnet-or-openssl/

You can replace postfix:25 with smtp.fastmail.com:465 in the config. Verify that you need tls and not starttls as the ssl type.

If this is docker then you need to ensure the container can route to their server and port. I don’t use docker so I can’t help you there but I think it’s something about internal vs external bridge.

[–] [email protected] 1 points 1 year ago (1 children)

This gets a connection:

openssl s_client -connect smtp.fastmail.com:587 -starttls smtp

So its open on port 587 to the email server, but I dont get any emails arriving there...

[–] [email protected] 1 points 1 year ago (1 children)

Did you try sending an email through OpenSSL using shell commands? Lemmy has no test email function so you need to be sure your credentials are correct.

It’s not uncommon for email servers to prevent you from sending as someone else even if you authenticate against your primary account. When using the OpenSSL shell commands it should end a successful test send with 250 ok queued or display an error like from not owned by primary account.

[–] [email protected] 1 points 1 year ago

I got as far as connecting and authenticating, that works fine with starttls and port 587. I didn't actually send an email though, maybe I should try that and put different things in the smtp_from field, if possible?

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Similar, I'm assuming gmail is a no go? I feel like theoretically it should work but it's not. However, this may be because I'm using elest.io -> docker, but something's fucked up with my domain's SSL and it's signed by itself. It gives the browser a big huge 'ol unsecured warning, so I would assume that because that's messed up it's causing gmail to not accept it? I've opened a ticket with them, so eventually maybe I can figure out if that's the case, I've never had a problem pointing namecheap domains to anything before.

It says this, but I assure you, the password is correct.

lemmy_server::api_routes_websocket: email_send_failed: permanent error (535): 5.7.8 Username and Password not accepted. Learn more at5.7.8  https://support.google.com/mail/?p=BadCredentials [long chain of numbers and letters I'm not sure matter] - gsmtp

The settings

  # Email sending configuration. All options except login/password are mandatory
  email: {
    # Hostname and port of the smtp server
    smtp_server: "smtp.gmail.com:587"
    smtp_login: "[email protected]"
    smtp_password: "[the password]"
    # Address to send emails from, eg "[email protected]"
    smtp_from_address: "[email protected]"
    # Whether or not smtp connections should use tls. Can be none, tls, or starttls
    tls_type: "tls"
  }

I also did start stattls and that didn't work. Tried swapping ports around, nope.

edit: fixed the ssl issue with elest.io, they just had a configuration wrong, but tbf lemmy support was added literally yesterday

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Hi there! Going to take a minute to read through your post, as I banged my head against a the SMTP setup wall for several hours.


Edit ah, ansible, not Docker. Could still be the same issue though. Look in your lemmy backend instance logs for any timeout errors. If you see any, it means your lemmy backend can’t make any outgoing calls and you need to fix that.

Your email setup looks fine, but if your lemmy instance can’t make outgoing calls (federation won’t work either).

Are you sure that’s the right port? Usually SMTP port 25 is blocked by most providers, and a different port is used.

[–] [email protected] 1 points 1 year ago (1 children)

Federation works fine, the only thing that doesnt is the email sending for some reason. :/

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago) (1 children)

Can you check lemmy and postfix logs?

Postfix logs are in /var/log/mail.log

[–] [email protected] 2 points 1 year ago (1 children)

I checked the logs for postfix (since I use docker I can just do "docker logs") but no errors.

It all silently fails. I guess it has to do with email servers dropping the emails. I will look into using some other email server, maybe on aws if that works for other people.

But I have verified that I can connect to the email server with starttls, and even base64 encoded my username and password and did an interactive "Auth login" session with the email server. All was fine, I was authenticated.

So probably something with the reply from, maybe.. Very confusing.

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

You are hosting your own postfix, right? Most mail servers will just outright reject your messages. You can add your site's certs to postfix, so that your mail is not clear text, and that would allow some to go through (but gmail would still block all of them).

What I ended up doing was signing up for brevo.com and their free tier allows 300 mail messages every 24 hours. Another option would be to use gmail's smtp relay, which I think allows 300 - 500 emails per day, or something long those lines.

brevo.com is actually pretty nice as it gives you stats on mail click throughs, etc.

[–] [email protected] 1 points 1 year ago (1 children)

Mine works fine sending to my SMTP TLS port.

Are you hosting your instance in a cloud provider? Some may block outgoing SMTP ports as a spam-prevention measure. Other instance admins have reported Digital Ocean as one of those providers.

[–] [email protected] 1 points 1 year ago (1 children)

yeah they block 465 but not 587, so i can connect to it with starttls. But dont get any emails, so something else is wrong....

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I'm not sure about fastmail, but on my email provider, the "from" address has to be valid and assigned to the login account. Most reputable providers enforce this to prevent email spoofing. It is also required so DKIM signing and SFP records can be validated.

Is your [email protected] address valid in your fastmail account? If not, then try setting the "from" address to the address you use to log in.

[–] [email protected] 1 points 1 year ago (1 children)

No the fastmail account doesnt know anything about the lemmy.today address, so this could be an issue. And I dont have any DKIM or SFP records in my DNS. I could add that though, maybe thats a good next step?

But i tried to put the email I log in with as the "noreply" address, and I still dont any emails.

At least the signup page doesnt freeze up anymore, since it seemingly can talk to the email server, but no emails arrive. I also cant find anything in the logs about errors... i do "docker compose logs -n 100" to get the last 100 rows from each container but no errors there.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

From Lemmy's perspective, it's probably sending the email out just fine.

Many, if not most, providers will silently drop messages that it thinks have spoofed "from" addresses. If not the sending provider, then the recipient email server.

Long story short, if your "from" address is not linked to your login address, then it's probably going to be considered spoofed and treated as spam by at least one email server in the chain.

Edit: yeah, if your from address is under a domain where you have control of DNS, try adding fastmail to your SPF record. ~~You'd also need to add a DKIM record to provide their public signing key~~. Most providers also expect a DMARC record and policy for the "from" domain, too. Been a good while since I last set up a 3rd party to send under one of our domains, but I think that's all we had to do on our end.

[–] [email protected] 1 points 1 year ago

Yep I think so too. I turned off emails now but will try to figure something out later. Thanks for your help!

load more comments
view more: next ›