HTTP Webhooks multiple messages

Hello KumoMTA team, I’m getting a weird issue with the webhooks.
This is what I have in my init config:

local log_hooks = require 'policy-extras.log_hooks'
log_hooks:new_json {
  name = "webhook",
  log_parameters = {
    headers = { 'Subject', 'X-CUSTOMER-ID', 'From', 'X-Tenant', 'Message-Id' },
    meta = { 'tenant', 'domain_id', 'customer_id', 'direction' }
  },
  queue_config = {
    retry_interval = "1m",
    max_retry_interval = "20m",
  },
  url = LOG_WEBHOOK_URL
}

Shaping:

["webhook.log_hook"]
connection_limit = 50
max_connection_rate = "10000/min"
mx_rollup = false

My CURL:

curl --user jobs:jobs2024 -H 'Content-Type: application/json' 'https://api.XXX.org/api/inject/v1' -d '{
"envelope_sender": "test@erlangjobs.com",
"content": {
    "text_body": "This is the plain text part",
    "html_body": "<p>This is the <b>HTML</b> part</p>",
    "from": {
        "email": "test@erlangjobs.com",
        "name": "Jobs"
    },
    "subject": "This is the subject",
    "reply_to": {
        "email": "test@erlangjobs.com",
        "name": "Help"
    }
},
"recipients": [
    {
        "email": "kazanlug@gmail.com"
    }
]
}'

This is my curl request, and I can see webhooks from this request, 2 messages: reception + delivered.
But after that I’m receiving about 5-10 webhooks with no data, about a Rejection event.

Events log:
https://play.svix.com/view/e_yLnpCs4aLn2Ia4R8eVTO7UJFIRy/2jcDMeFoahwwTOLcknoSod3WlbL

Is that expected? Thanks

It is if the host in question is misbehaving.

Please share the actual rejection event

@faithful-ostrich @passionate-grasshopp apologies, it was a character limit per message, and I shared the link, but it looks like the link is incorrect; just updated.
Example direct link:
https://play.svix.com/view/e_yLnpCs4aLn2Ia4R8eVTO7UJFIRy/2jcqbSPAwdXP2KEFlSt0pNrJ1hf

{
  "type": "Rejection",
  "id": "",
  "sender": "",
  "recipient": "",
  "queue": "",
  "site": "",
  "size": 0,
  "response": {
    "code": 504,
    "enhanced_code": {
      "class": 5,
      "subject": 5,
      "detail": 4
    },
    "content": "AUTH {sasl_mech} not supported",
    "command": null
  },
  "peer_address": {
    "name": "User",
    "addr": "94.141.120.143"
  },
  "timestamp": 1721678051,
  "created": 1721678051,
  "num_attempts": 0,
  "bounce_classification": "Uncategorized",
  "egress_pool": null,
  "egress_source": null,
  "feedback_report": null,
  "meta": {},
  "headers": {},
  "delivery_protocol": null,
  "reception_protocol": null,
  "nodeid": "eb2cef67-230c-45f6-bf4b-a09de355ed1c"
}

The error message seems pretty self-explanatory to me.

Hmm, sorry, I’m not following. To me it looks unrelated: my message was delivered with a success state, so why am I receiving about 5-10 messages with a rejection afterwards?

I also noticed that addr in these messages is sometimes different.

Reject is KumoMTA saying no to clients trying to inject.

Is your KMTA exposed to the public internet?

Yes, it’s exposed. Is that some sort of anti-pattern? Should I use only a trusted hosts option or something like that? The idea is to provide SMTP/API access to some companies.

You should use authorized hosts and/or authentication. That said, you’ll always have reject lines because random hosts can connect.

Even if they are rejected.

Reject lines are good. It means randos are not using your relay :). You’re welcome.

Try this:

Look at the section in the helper that allows Auth only for certain domains. That is only one way to do it.

# relay to anywhere, so long as the sender domain is auth-send.example.com
# and the connected peer has authenticated as any of the authorization identities
# listed below using SMTP AUTH
relay_from_authz = [ 'username1', 'username2' ]

Many thanks! I really appreciate your time and help!

Happy to

FWIW, rather than {sasl_mech} in that rejection log, the actual requested auth method should be shown. This is a minor bug that is fixed in the commit “smtp_server: fixup 'AUTH {sasl_mech} not supported' rejection message” (KumoCorp/kumomta@4596063 on GitHub), which I just pushed.
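
For the receiving side of the webhook, an added example (not from the thread and not KumoMTA code): it separates per-message events from connection-level Rejection records like the one quoted above and counts rejections per peer address. The sample records, the function names and the threshold of 3 are constructed assumptions.

```python
import json
from collections import Counter, defaultdict

def make_record(kind, msg_id="", addr="", code=250, content="OK"):
    """Build a constructed record with the fields used in the thread's payload."""
    return json.dumps({
        "type": kind, "id": msg_id,
        "response": {"code": code, "content": content},
        "peer_address": {"name": "User", "addr": addr},
    })

# Constructed sample input; addresses are documentation-range placeholders.
AUTH_MSG = "AUTH {sasl_mech} not supported"
SAMPLE = (
    [make_record("Reception", "msg-1", "192.0.2.10"),
     make_record("Delivery", "msg-1", "192.0.2.25")]
    + [make_record("Rejection", addr="203.0.113.7", code=504, content=AUTH_MSG)] * 3
    + [make_record("Rejection", addr="198.51.100.23", code=504, content=AUTH_MSG)]
)

def triage(lines):
    """Split records into per-message events and connection-level rejections."""
    message_events = defaultdict(list)  # message id -> event types in order seen
    rejections = Counter()              # (peer addr, code, content) -> count
    for line in lines:
        rec = json.loads(line)
        if rec.get("type") == "Rejection":
            # Rejections of unauthenticated clients carry no message id,
            # so the peer address is the only useful grouping key.
            peer = (rec.get("peer_address") or {}).get("addr") or "unknown"
            resp = rec.get("response") or {}
            rejections[(peer, resp.get("code"), resp.get("content"))] += 1
        elif rec.get("id"):
            message_events[rec["id"]].append(rec["type"])
    return dict(message_events), rejections

def noisy_peers(rejections, threshold=3):
    """Peers with at least `threshold` rejections (threshold is an assumption)."""
    per_peer = Counter()
    for (peer, _code, _content), count in rejections.items():
        per_peer[peer] += count
    return sorted(p for p, n in per_peer.items() if n >= threshold)

if __name__ == "__main__":
    events, rejected = triage(SAMPLE)
    print(events)
    print(noisy_peers(rejected))
```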