KumoMTA internal: failed to connect to any candidate hosts: tls policy is Required but STARTTLS

Getting this error on a new setup for Kumo that I did… I’m betting I missed something obvious, but I can’t figure it out…

Hey there @poised-goat, thanks for posting. Please read the “Troubleshooting” and “How to Ask for Help” buttons below. If you would like a 1:1 support session from the KumoMTA team, details are at the “Book a Support Session” button below.

It works fine to an aboutmy.email test (and even says TLS is fine), but when I try to send an email to a Gmail test I get this while running tailer:

```
tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"gmail-smtp-in.l.google.com.\", addr: 172.253.63.27 }:25, connect to ResolvedAddress { name: \"gmail-smtp-in.l.google.com.\", addr: 2607:f8b0:4004:c08::1b } port 25 and read initial banner: bind MYSENDINGIP for source:ip-1 failed: Invalid argument (os error 22) while attempting to connect to [2607:f8b0:4004:c08::1b]:25,
```

I’m wondering if it’s a version mismatch between the 2 Kumo servers…

My old config, which worked great, had this in shaping.lua:

```
  -- excerpt: tail of the file_names table, then the loops that append
  -- any extra_files and subscribed shaping URLs
    -- './assets/policy-extras/shaping.toml',
    '/opt/kumomta/share/policy-extras/shaping.toml',
  }
  if options.extra_files then
    for _, filename in ipairs(options.extra_files) do
      table.insert(file_names, filename)
    end
  end
  if options.subscribe then
    for _, url in ipairs(options.subscribe) do
      table.insert(
        file_names,
        string.format('%s/get_config_v1/shaping.toml', url)
      )
    end
  end
```

But the new config (which I think pulled in /share/policy-extras/shaping.lua during install) has this:

```
  -- excerpt: the default shaping.toml is now added only when
  -- no_default_files is not set
  local file_names = {}
  if not options.no_default_files then
    table.insert(file_names, '/opt/kumomta/share/policy-extras/shaping.toml')
  end

  if options.extra_files then
    for _, filename in ipairs(options.extra_files) do
      table.insert(file_names, filename)
    end
  end
  if options.subscribe then
    for _, url in ipairs(options.subscribe) do
      table.insert(
        file_names,
        string.format('%s/get_config_v1/shaping.toml', url)
      )
    end
  end
```

Can you put the full config in a gist?

And the output from `kumod --version`.

Please share the complete log line. Connection errors include a series of individual errors, and the part you shared is only a fragment.

I pulled that bit of the log from the systemd journal. Is there a better place to get it? Or are you saying don’t truncate it, since it’s the same message over and over?

I’ll try and find it when I get back to my desk

It’s a long line, and the entire line is relevant.

I’m sorry gents, my day really got away from me today

Please see attached (I think I scrubbed the personal identification stuff I was worried about)
message.txt (4.4 KB)

Here’s the init.lua: https://gist.github.com/TeddJohnson/d4bc0a0d5e1d0628883ee2efc6abb89d

And here’s the opt/kumomta/etc/share/policy-extras/shaping.lua: https://gist.github.com/TeddJohnson/9628520cf05051a4323564397d65f5b9

```
kumod 2024.06.10-84e84b89
```

Looking at the log line, you can split it on the commas to see the status of each individual connection attempt. Some are “Invalid argument” errors that occur when attempting to use IPv6 on a machine that doesn’t support it. Those are normal and can be ignored; I’ve filtered them out in the text below:

```
KumoMTA internal: failed to connect to any candidate hosts:
  tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"gmail-smtp-in.l.google.com.\", addr: 142.251.111.27 }:25,
  tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"alt1.gmail-smtp-in.l.google.com.\", addr: 209.85.202.27 }:25,
  tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"alt2.gmail-smtp-in.l.google.com.\", addr: 64.233.184.26 }:25,
  tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"alt3.gmail-smtp-in.l.google.com.\", addr: 142.250.27.26 }:25,
  tls policy is Required but STARTTLS is not advertised by ResolvedAddress { name: \"alt4.gmail-smtp-in.l.google.com.\", addr: 142.250.153.26 }:25,
```

That error message should be fairly clear: the destination domain is configured to require TLS (likely because `enable_mta_sts`, documented in the KumoMTA Docs, is enabled by default and Gmail’s policy requires it), but the destination host didn’t report STARTTLS in the EHLO response.

Is there some kind of firewall between your kumod instance and google that might be intercepting outbound port 25?

You might wish to try running `/opt/kumomta/sbin/kcli trace-smtp-client` while injecting a test message to Gmail, to see what is going on in the SMTP protocol responses.
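As an added example, not part of this thread and not KumoMTA's own code: a small Python triage script that does what the post above describes by hand. It splits the candidate list on ", " only outside the `ResolvedAddress { ... }` braces (those contain commas too, so a naive split would cut them), classifies each fragment, drops the IPv6 "Invalid argument" noise, and lists the MX hosts that did not advertise STARTTLS. It also extracts the keyword list from an EHLO reply of the kind `kcli trace-smtp-client` prints, so you can check for STARTTLS directly. The sample log line is assembled from fragments quoted in this thread; the `ResolvedAddress` regex is inferred from that quoted text, and the EHLO replies, the function names, the verdict labels and the host `mx.example.test` are constructed for illustration.

```python
"""Triage a KumoMTA 'failed to connect to any candidate hosts' log line.

Added example for this thread, not KumoMTA code: split the per-candidate
errors on ", " only outside the 'ResolvedAddress { ... }' braces (which also
contain commas), classify each, and drop the IPv6 bind noise.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

PREFIX = "failed to connect to any candidate hosts:"
# Quotes may appear as \" when the line was copied out of the systemd journal.
ADDR_RE = re.compile(r'ResolvedAddress \{ name: \\?"([^"\\]+)\\?", addr: ([^\s}]+) \}')


@dataclass
class Attempt:
    kind: str   # starttls_missing | ipv6_bind_einval | other
    host: str   # MX name from ResolvedAddress, "" if absent
    addr: str   # MX address from ResolvedAddress, "" if absent
    raw: str


def split_candidates(line: str) -> list[str]:
    """Split the joined error list on ', ' only outside { } braces."""
    idx = line.find(PREFIX)
    if idx < 0:
        raise ValueError("not a candidate-host failure line")
    body = line[idx + len(PREFIX):]
    parts, cur, depth, i = [], [], 0, 0
    while i < len(body):
        if depth == 0 and body.startswith(", ", i):
            parts.append("".join(cur))
            cur, i = [], i + 2
            continue
        depth += (body[i] == "{") - (body[i] == "}")
        cur.append(body[i])
        i += 1
    parts.append("".join(cur))
    return [p.strip(" ,") for p in parts if p.strip(" ,")]


def classify(fragment: str) -> Attempt:
    """Label one per-candidate error."""
    m = ADDR_RE.search(fragment)
    host, addr = (m.group(1), m.group(2)) if m else ("", "")
    if "STARTTLS is not advertised" in fragment:
        kind = "starttls_missing"
    elif "Invalid argument (os error 22)" in fragment and ":" in addr:
        kind = "ipv6_bind_einval"  # source bind failed for a v6 target: noise on a v4-only host
    else:
        kind = "other"
    return Attempt(kind, host, addr, fragment)


def triage(line: str) -> dict:
    """Per-kind counts, MX hosts lacking STARTTLS, and a heuristic verdict."""
    attempts = [classify(f) for f in split_candidates(line)]
    relevant = [a for a in attempts if a.kind != "ipv6_bind_einval"]
    missing = sorted({a.host for a in relevant if a.kind == "starttls_missing"})
    # Assumption, not a KumoMTA rule: a domain publishing an MTA-STS enforce policy
    # asserts its MXes offer TLS; if every MX we reached "lacks" STARTTLS, the
    # common factor is our own egress path (firewall/proxy), not the destination.
    if relevant and all(a.kind == "starttls_missing" for a in relevant):
        verdict = "starttls_missing_on_all_mx"
    else:
        verdict = "mixed" if relevant else "only_ipv6_noise"
    return {"counts": dict(Counter(a.kind for a in attempts)), "relevant": relevant,
            "missing_hosts": missing, "verdict": verdict}


def ehlo_extensions(reply: str) -> set[str]:
    """EHLO keywords from a 250-continued reply; the first 250 line is the greeting."""
    lines = [ln for ln in reply.splitlines() if ln[:4] in ("250-", "250 ")]
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


# Sample line assembled from fragments quoted in this thread (MYSENDINGIP is the
# poster's own placeholder for the real source address).
SAMPLE_LINE = (
    'KumoMTA internal: failed to connect to any candidate hosts: '
    'tls policy is Required but STARTTLS is not advertised by ResolvedAddress '
    '{ name: \\"gmail-smtp-in.l.google.com.\\", addr: 142.251.111.27 }:25, '
    'connect to ResolvedAddress { name: \\"gmail-smtp-in.l.google.com.\\", '
    'addr: 2607:f8b0:4004:c08::1b } port 25 and read initial banner: '
    'bind MYSENDINGIP for source:ip-1 failed: Invalid argument (os error 22) '
    'while attempting to connect to [2607:f8b0:4004:c08::1b]:25, '
    'tls policy is Required but STARTTLS is not advertised by ResolvedAddress '
    '{ name: \\"alt1.gmail-smtp-in.l.google.com.\\", addr: 209.85.202.27 }:25, '
)
# Constructed EHLO replies (not captured from Google); the second has STARTTLS stripped.
EHLO_OK = ("250-mx.example.test at your service, [192.0.2.10]\r\n"
           "250-SIZE 157286400\r\n250-8BITMIME\r\n250-STARTTLS\r\n"
           "250-ENHANCEDSTATUSCODES\r\n250 SMTPUTF8\r\n")
EHLO_STRIPPED = EHLO_OK.replace("250-STARTTLS\r\n", "")

if __name__ == "__main__":
    r = triage(SAMPLE_LINE)
    print(r["counts"], r["verdict"], r["missing_hosts"])
    print("STARTTLS in ok reply:", "STARTTLS" in ehlo_extensions(EHLO_OK),
          "| in stripped reply:", "STARTTLS" in ehlo_extensions(EHLO_STRIPPED))
```

The "all MX hosts" verdict is the point worth keeping in mind: a device on the sending side that rewrites the EHLO reply to remove STARTTLS is exactly the downgrade that a Required TLS policy exists to refuse, so KumoMTA failing the delivery rather than falling back to cleartext is the intended behaviour, and the fix belongs on the network path, not in the TLS policy.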

So the thought is that Gmail isn’t providing “STARTTLS” as an option.

(It’s just weird because AboutMy.Email works fine, and TLS is enabled there… so something’s amiss.)