Different server/IP - no more connection? - mailgun

I'm using Mailgun through my local installation of Mautic. It used to connect correctly. Today however I got this error message: Unable to connect with TLS encryption Log data: ++ Starting Swift_SmtpTransport << 220-node6237.myfcloud.com ESMTP Exim 4.95 #2 Tue, 12 Apr 2022 13:38:14 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. >> EHLO dashboard.nsking.ee << 250-node6237.myfcloud.com Hello dashboard.nsking.ee [194.233.160.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP >> STARTTLS << 220 TLS go ahead !! Unable to connect with TLS encryption (code: 0) ++ Starting Swift_SmtpTransport << 220-node6237.myfcloud.com ESMTP Exim 4.95 #2 Tue, 12 Apr 2022 13:38:14 +0000 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail. >> EHLO dashboard.nsking.ee << 250-node6237.myfcloud.com Hello dashboard.nsking.ee [194.233.160.33] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP >> STARTTLS << 220 TLS go ahead !! Unable to connect with TLS encryption (code: 0)
What is the cause of it? Keep in mind, nothing has changed in our installation except the server name and the IP.
I tried to change to SSL and I got this error:
Connection could not be established with host smtp.mailgun.org :stream_socket_client(): Peer certificate CN=node6237.myfcloud.com' did not match expected CN=smtp.mailgun.org' Log data: ++ Starting Swift_SmtpTransport !! Connection could not be established with host smtp.mailgun.org :stream_socket_client(): Peer certificate CN=node6237.myfcloud.com' did not match expected CN=smtp.mailgun.org' (code: 0)
++ Starting Swift_SmtpTransport !! Connection could not be established with host smtp.mailgun.org :stream_socket_client(): Peer certificate CN=node6237.myfcloud.com' did not match expected CN=smtp.mailgun.org' (code: 0)

Related

Postfix: Mailgun not triggered within same domain

The Configs
We did the usual main.cf (postfix) relay/sasl entries:
# Amavisd + SpamAssassin + ClamAV
#
content_filter = smtp-amavis:[127.0.0.1]:10024
# Concurrency per recipient limit.
smtp-amavis_destination_recipient_limit = 1
relayhost = [smtp.mailgun.org]:587
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = static:login#domain.com:password
smtp_sasl_security_options = noanonymous
This actually works perfectly fine, and mail deliveries are properly logged under Mailgun too.
The Problem
If we send an email within our domain, it's not triggering Mailgun. Means: if JohnDoe#ourXYZDomain.com sends an email to JaneDoe#ourXYZDomain, it is delivered via postfix. If JohnDoe#ourXYZDomain.com sends an email to JohnDoe#someOtherDomain.com, it is delivered and logged via Mailgun smtp.
The Analysis
Mails within same domain are sent and no errors are thrown. When looking into header of received email, it shows that postfix didn't even bother using Mailgun. See localhost [127.0.0.1] in line 6:
Subject:test - 00:11
Contact photo
From johndoe#ourXYZDomain.com Date Mon 00:11
Return-Path: <johndoe#ourXYZDomain.com>
Delivered-To: janedoe#ourXYZDomain.com
Received: from mail.ourXYZDomain.com (localhost [127.0.0.1])
by mail.ourXYZDomain.com (Postfix) with ESMTP id 49KwDw97hggXdtN
for <janedoe#ourXYZDomain.com>; Sun, 10 May 2020 20:11:12 +0000 (UTC)
Authentication-Results: mail.ourXYZDomain.com (amavisd-new); dkim=pass
reason="pass (just generated, assumed good)"
header.d=ourXYZDomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=
ourXYZDomain.com; h=user-agent:message-id:subject:subject
:to:from:from:date:date:content-transfer-encoding:content-type
:content-type:mime-version; s=dkim; t=1589141471; x=1591733472;
bh=WonWKNs0MVBQ4Md9bT3TQ0-----=; b=1lp9qX-----YE
HQwrRVwjLjcPcP/jkjhgjghgfWisfODNZ5xHnQto5Xa
D6/Wj8fAEpwiu8uG5Ujhugz778gjNZ8UhFXtJf2aK
1B8iZembDuiIsjg6fKj6snRjA=
X-Virus-Scanned: amavisd-new at mail.ourXYZDomain.com
Received: from mail.ourXYZDomain.com ([127.0.0.1])
by mail.ourXYZDomain.com (mail.ourXYZDomain.com [127.0.0.1]) (amavisd-new, port 10026)
with ESMTP id xzds0121548c for <janedoe#ourXYZDomain.com>;
Sun, 10 May 2020 20:11:11 +0000 (UTC)
Received: from _ (localhost [127.0.0.1])
by mail.ourXYZDomain.com (Postfix) with ESMTPSA id 49KwDv54101252XdtL
for <janedoe#ourXYZDomain.com>; Sun, 10 May 2020 20:11:11 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII;
format=flowed
Content-Transfer-Encoding: 7bit
Date: Mon, 11 May 2020 00:11:11 +0400
From: johndoe#ourXYZDomain.com
To: janedoe#ourXYZDomain.com
Subject: test - 00:11
Message-ID: <1003f6125a2ff654101214#ourXYZDomain.com>
X-Sender: johndoe#ourXYZDomain.com
We have no explanation for this behaviour. Maybe we missed something?
Thank you for any hint
When You send mail from one $mydomain virtual mailbox to another $mydomain virtual mailbox postfix will not relay it to Mailgun and transport it locally.
You need to create multiple instances of Postfix where one instance will relay all mails to Mailgun without local delivery and second instance will listen 25 port for income mail and will deliver it to virtual boxes.
Explanation of this solution You can find there: http://www.postfix.org/MULTI_INSTANCE_README.html
Mailgun is one of many Mail Relay service mostly used to relay mails to outside networks. Mail relay is the process of transferring an email from one server to another for delivery. For example, if you work for Company A and send an email to someone at Company B, you connect to your company's SMTP server which then relays your email to the server owned by Company B.
To send mail on same network you do not need a relayhost. Mails here are deliver locally by postfix to other user's account. Local mails depend on "myorigin" "mydestination" mynetworks" settings in main.cf. The following mailhost configuration is an example which will make things clear to you.
/etc/postfix/main.cf:
myorigin = $mydomain
mydestination = $myhostname localhost.$mydomain localhost $mydomain
mynetworks = 127.0.0.0/8 10.0.0.0/24
relayhost = [smtp.mailgun.org]:587
# Optional: forward all non-local mail to firewall
#relayhost = [firewall.example.com]
You can find more information in following link
Postfix Standard Configuration Examples

AWS SES still uses from #us-west-2.amazonses.com

Domain is fully verified but sometimes we did get FROM 0101016efadf82da-b7e07022-37ba-4cae-aa6c-780052992485-000000#us-west-2.amazonses.com instead of using FROM from our domain this is log can you show me what could be possible the reason ?
<< 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-XTDLI25GD
>> EHLO [IP]
<< 250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
>> STARTTLS
<< 220 Ready to start TLS
>> EHLO [IP]
<< 250-email-smtp.amazonaws.com
250-8BITMIME
250-SIZE 10485760
250-STARTTLS
250-AUTH PLAIN LOGIN
250 Ok
>> AUTH LOGIN
<< 334 val
>> val
<< 334 val
>> Qk8=
<< 235 Authentication successful.
++ Swift_SmtpTransport started
>> MAIL FROM:<12345#example.com>
<< 250 Ok
>> RCPT TO:<500500500#msg.fi.google.com>
<< 250 Ok
>> DATA
<< 354 End data with <CR><LF>.<CR><LF>
>>
.
<< 250 Ok
First to understand, there are two things in SMTP:
Mailfrom (Envelope From): It's a SMTP command
From header (thats something you see in Outlook)
SES always changes Mailfrom address to message-id#amazonses.com or messageid#us-west-2.amazonses.com (if region used other than us-east-1).
SES does that so you can always pass in SPF. SPF check happens on mailfrom domain which is now us-west-2.amazonses.com and Amazon publishes the TXT/SPF record for it so you don't need to configure it your domain.
AWS SES provides an option to use custom mail from where you can use your own mailfrom but in this case you would need to publish a TXT record so SPF can be passed.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/mail-from.html
Generally, you don't see Mailfrom in outlook or any webmail. The reason you're seeing it because in your telnet test, you're not adding from header. Try below test: (Add DATA command after "rcpt to" and add below line)
>> MAIL FROM:<12345#example.com>
<< 250 Ok
>> RCPT TO:<500500500#msg.fi.google.com>
Data
From: 12345#example.com
To: 500500500#msg.fi.google.com
Subject: Test
.
Once you add the From header, you should be able to see correct address in outlook or webmail.

Betfair API'ing Certificate login using C++ boost SSL Sockets

Firstly, thanks for coming here. I'm trying to login with betfair using a certificate login using boost's ssl sockets however, once I send my http login POST, I receive the message CERT_AUTH_REQUIRED. On the betfair website it says this means "Certificate required or certificate present but could not authenticate with it".
I am able to connect, handshake and send/receive data. However, I just can't seem to login with my code. I've tested the exact certificates using curl without any problems.
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=IE; ST=Leinster; L=Dublin; O=Paddy Power Betfair Public Limi
ted Company; OU=IT Networks; CN=betfair.com
* start date: Sep 11 05:50:38 2018 GMT
* expire date: Sep 11 05:59:00 2020 GMT
* issuer: C=US; O=HydrantID (Avalanche Cloud Corporation); CN=HydrantID S
SL ICA G2
* SSL certificate verify result: self signed certificate in certificate c
hain (19), continuing anyway.
> POST /api/certlogin HTTP/1.1
> Host: identitysso-cert.betfair.com
> User-Agent: curl/7.46.0
> Accept: */*
> X-Application: AOxcQMZwVN3jOsLZ4
> Content-Length: 41
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 41 out of 41 bytes
< HTTP/1.1 200 OK
< Content-Type: text/plain;charset=ISO-8859-1
< Content-Length: 87
< Date: Wed, 06 Mar 2019 11:09:35 GMT
<
{"sessionToken":"ZFbyo3HeAh07UFTHzhhGjOyQFeX2MKdHHHHtAm2S7FXw=","loginStatus":"SU
CCESS"}* Connection #0 to host identitysso-cert.betfair.com left intact
I have further tested these certificates with python code that also works.
My C++ code is below. I've tried sending incorrect passwords which result in the status from server INVALID_USERNAME_OR_PASSWORD instead.
boost::asio::ssl::context ctx(boost::asio::ssl::context::tlsv12);
// load certificates
ctx.load_verify_file(cert_filename.c_str());
// ctx.use_private_key_file(private_filename.c_str(), boost::asio::ssl::context::pem);
ctx.use_rsa_private_key_file(private_filename.c_str(), boost::asio::ssl::context::pem);
mSocket.reset(new boost::asio::ssl::stream<tcp::socket>(mIoService, ctx));
mSocket->set_verify_mode(boost::asio::ssl::verify_peer);
mSocket->set_verify_callback(
boost::bind(&BetfairSession::VerifyCertificate, this, _1, _2));
tcp::resolver resolver(mIoService);
tcp::resolver::query query("identitysso-cert.betfair.com", port);
tcp::resolver::iterator endpointIter = resolver.resolve(query);
Many thanks in advance :)
I think you are confusing the client certificate and the CA List.
This:
ctx.load_verify_file(cert_filename.c_str());
Is loading a list of CA certificates to verify the server certificate against.
You can find a example of this list here:
http://curl.haxx.se/ca/cacert.pem
You also need to setup the certificate to use for the SSL connection, you do this with the "use_certificate_chain_file" method.
e.g.
ctx.use_certificate_chain_file(cert_filename.c_str());

ASP.NET Core + Amazon SES: The remote certificate is invalid according to the validation procedure

I am trying to send email using ASP.NET Core, MailKit and Amazon SES:
using (SmtpClient client = new SmtpClient(new ProtocolLogger("smtp.log"))) {
client.Connect("email-smtp.us-east-1.amazonaws.com", 587, SecureSocketOptions.StartTls);
client.Authenticate("myusername", "mypassword");
await client.SendAsync(message);
client.Disconnect(true);
}
I keep getting the error "The remote certificate is invalid according to the validation procedure.".
And the log file shows:
Connected to smtp://email-smtp.us-east-1.amazonaws.com:587/?starttls=always
S: 220 email-smtp.amazonaws.com ESMTP SimpleEmailService-1737464811 qt5bXhIgVseJaHPspjp4
C: EHLO [127.0.0.1]
S: 250-email-smtp.amazonaws.com
S: 250-8BITMIME
S: 250-SIZE 10485760
S: 250-STARTTLS
S: 250-AUTH PLAIN LOGIN
S: 250 Ok
C: STARTTLS
S: 220 Ready to start TLS
What am I missing?
You need to provide your own client.ServerCertificateValidationCallback method to verify the server certificate. It can be as simple as always returning true or it can check the fingerprint against a known fingerprint for the server or any number of other possibilities.
For more information, see http://www.mimekit.org/docs/html/P_MailKit_MailService_ServerCertificateValidationCallback.htm

using wsock32 to send email with gmail and startTLS

Hello and good evening to you,
This topic has been sort of a trouble to me and to many, suppose i want to send EMail in a C++ program to use smtp and StartTLS , what do i do, i culled a simple source code from google and i saw this code from here
http://www.drdobbs.com/sending-e-mail-using-smtp-and-winsock/184416591
now i want to use google mail and it uses authentication for smtp and also startTLS how do i do this
the sourcecode i saw looks like this
#pragma comment(lib, "wsock32.lib")
#include <windows.h>
#include "MailMessage.h"
int main(int argc, char **argv)
{
MailMessage mail("A Sender",
"someone#someplace.com",
"mail.someplace.com");
mail.To("A Recipient",
"you#yourplace.com");
mail.Subject("Sample message");
mail.Body("Plain text body",
"<HTML><BODY>\r\n"
" <H2>HTML Body</H2>\r\n"
"</BODY></HTML>""\r\n");
mail.Attach("C:\\Attach.txt");
const char *result =
mail.Send().data();
if (result[0] == '\0')
result = "Success";
MessageBox(NULL, result, "Result",
MB_ICONINFORMATION|MB_OK);
return 0;
}
After connecting to the server and issuing a EHLO (not HELO) command, if the server's reply includes the STARTTLS capability then you can issue a STARTTLS command at any time to create a secure session with the server. Upon receiving a successful STARTTLS reply, you need to send and complete an SSL/TLS handshake. Once the session has been created, you can continue sending your SMTP commands and receiving SMTP replies, starting with a new EHLO command (as the server's capabilities can change after the connection is secured). You have to encrypt your commands and decrypt the replies as you go. The communication would look like this (this example assumes an Application-Specific password has been configured in GMail if two-step verification is enabled):
S: 220 smtp.gmail.com ESMTP dg12sm55710335pac.47 - gsmtp
C: EHLO <hostname>
S: 250-smtp.gmail.com at your service, [<ip address>]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-STARTTLS
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-CHUNKING
S: 250 SMTPUTF8
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C/S: (Exchange SSL/TLS handshake)
C/S: (Everything from here on is now encrypted)
C: EHLO <hostname>
S: 250-smtp.gmail.com at your service, [<ip address>]
S: 250-SIZE 35882577
S: 250-8BITMIME
S: 250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH
S: 250-ENHANCEDSTATUSCODES
S: 250-PIPELINING
S: 250-CHUNKING
S: 250 SMTPUTF8
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: (Send base64 encoded username)
S: 334 UGFzc3dvcmQ6
C: (Send base64 encoded password)
S: 235 2.7.0 Accepted
C: (Send email as needed)
C: QUIT
S: 221 2.0.0 closing connection m1sm91929700pfi.27 - gsmtp
Now, how you actually handle the encryption is up to you. You can use a library like OpenSSL, or you can use Microsoft's Crypto/SChannel API. There are plenty of online tutorials and books on how to use them with sockets.