Opened 6 weeks ago

Last modified 12 days ago

#3184 reopened task

Discourse refuses mail (Relay access denied)

Reported by: strk Owned by: sac-tickets@…
Priority: normal Milestone: Unplanned
Component: SysAdmin/Discourse Keywords:
Cc:

Description

I've tried replying to a message received by Discourse triggered by a message to the new GFOSS-IT category and got back:

host discourse.osgeo.org[140.211.15.13] said: 454 4.7.1
<1XXXXf915599a60e598698687d@discourse.osgeo.org>:
Relay access denied (in reply to RCPT TO command)

I've anonymized the actual address, but there should be enough info to dig into the logs and I can give more detail in private if needed.

Does reply-by-email need to be enabled on a per-category basis or is this a new Discourse/Email issue?

Change History (12)

comment:1 by robe, 6 weeks ago

strk,

Yes it is by category. Usually we have it so that you have to be a member of the group to create or reply. You have not joined the GFOSS.it group.

Though it looks like it allows anyone to reply, but not sure if that holds for email. Can you try joining the GFOSS.it group and then try replying again?

comment:2 by strk, 6 weeks ago

I've now joined the group and re-sent the email, crafted by copying the same destination address and In-Reply-To headers, but the bounce back arrived after 5 days so I'm not sure if the destination address is still valid.

This is the thread I was replying to, my message is still not visible at the time of writing this comment: https://discourse.osgeo.org/t/un-messaggio-di-benvenuto-fissato-in-alto/28167

Looking at my SMTP logs it still shows relay denied:

May 13 18:02:33 hst.kbt.io postfix/smtp[1161618]: 5712E3C0006: to=<xxxe598698687d@…>, relay=discourse.osgeo.org[140.211.15.13]:25, delay=1.8, delays=0.34/0.07/1.2/0.26, dsn=4.7.1, status=deferred (host discourse.osgeo.org[140.211.15.13] said: 454 4.7.1 <xxxe598698687d@…>: Relay access denied (in reply to RCPT TO command))

comment:3 by strk, 6 weeks ago

Response code 454, from Discourse, is a request to retry. The response comes from postfix on osgeo9 and the mail never reaches Discourse service itself.

comment:4 by robe, 6 weeks ago

@strk,

We had discussed this before; here is the ticket, #3068, and it's still open.

Now I remember, yes the MX record for discourse.osgeo.org is set to meet.osgeo.org, which is IP 140.211.15.5.

So it seems for some reason your dns is trying to go thru 140.211.15.13 which explains why it never reaches discourse.osgeo.org and show in the mail logs there.

I'm trying to remember why I opted not to use the main web ip of osgeo9 (the main one) for discourse mail. But anyway I suspect

comment:5 by robe, 6 weeks ago

Submitted before I finished. Anyway I suspect the issue is your DNS is for some reason pulling an old cache and not using our DNS entry.

Before the issue was because I had the IP different when I started and changed it and the dns had not propagated, now I think it's just DNS cache issue on your side.

comment:6 by strk, 6 weeks ago

It is not just my side; even osgeo7 fails to find the MX record for discourse.osgeo.org. I do agree this is about #3068 *but* maybe we should avoid introducing a new MX just for the Discourse service and reuse what we have already? Or why do we need an MX at all? Can't we just forward port 25 of osgeo9 to the discourse service for the moment?

comment:7 by robe, 6 weeks ago

We need an MX to receive mail for discourse.

I remembered the reason I couldn't use the main osgeo9 IP is because it is being used for lxd proxy ports, and when I tried to NAT it, it didn't work cause it was used for proxy or I couldn't figure out how to do both proxy and NAT. Eventually I plan to change it to all NAT.

The issue with proxy, is unless a service supports it (such as nginx proxy pass), it can not see the true ip and resolve dns of the sending party. In these cases you need a natted IP and I already had to do NAT for jitsi cause it was using udp or some such thing that didn't work via proxy.

So I put the discourse.osgeo.org mail receiver under the only Natted ip meet.osgeo.org.

In an ideal world, we'd have the mail server, natted, and it would receive all the mail, and redirect to discourse, or we'd change discourse to use IMAP or POP which would be stored on the main mail server.

Note we are going to have the same battle with gitea.

comment:8 by strk, 5 weeks ago

Resolution: duplicate
Status: new → closed

I confirm that installing my own name server and restarting postfix finally gets aware of the MX (meet.osgeo.org) and delivers the email, so this ticket is really just a consequence of the bug reported in #3068

comment:9 by strk, 13 days ago

Resolution: duplicate
Status: closed → reopened

I'll actually re-open this because this is the most user-facing issue and it is good for it to stay open until fixed.

comment:10 by robe, 12 days ago

I tried running

host -t mx discourse.osgeo.org

on several different servers across several networks and it correctly returns for mx:

discourse.osgeo.org mail is handled by 1 meet.osgeo.osuosl.org.
discourse.osgeo.org mail is handled by 10 meet.osgeo.org.

meet.osgeo.osuosl.org really is the same as meet.osgeo.org, but the reverse pointer of the IP points to meet.osgeo.osuosl.org. meet.osgeo.osuosl.org I added today and it showed up immediately on all servers and some MX tools on the web I looked at.

@rduivenvoorde is having the same issue as strk did and strk thinks it's a cloudflare DNS issue.

I'm still not convinced it's a cloudflare dns issue.

comment:11 by rduivenvoorde, 12 days ago

@strk where are you placing cloudflare in this picture? On the osgeo.org side or on my internet provider side (freedom.nl)?

For what it is worth, on my laptop in my local network I get this:

[richard@west ~]$ host -t mx discourse.osgeo.org
discourse.osgeo.org mail is handled by 10 meet.osgeo.org.
discourse.osgeo.org mail is handled by 1 meet.osgeo.osuosl.org.
[richard@west ~]$ host -t mx meet.osgeo.org
meet.osgeo.org has no MX record
[richard@west ~]$ host meet.osgeo.org
meet.osgeo.org has address 140.211.15.5

I do not have access to a server in the freedom.nl zone/network

comment:12 by strk, 12 days ago

It's your SMTP server that needs to find the correct MX record for discourse.osgeo.org in order for mail to be delivered correctly. It looks like your local network resolves it fine. Mine does not.

Details of which other servers fail might be better reported in #3068
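
Added example (not part of the ticket thread and not any participant's code): a sending host that gets no MX answer falls back to the domain's own address record (RFC 5321, section 5.1), which is how mail for discourse.osgeo.org ends up at 140.211.15.13 and is refused. This Python sketch classifies a Postfix delivery line against the addresses reported in the ticket; the log line, the `PUBLISHED` table and the function name are constructed for illustration.

```python
import re

# Constructed sample modelled on the Postfix line quoted in comment:2;
# the recipient local part is a placeholder.
SAMPLE_LOG = (
    "May 13 18:02:33 hst.kbt.io postfix/smtp[1161618]: 5712E3C0006: "
    "to=<reply-token@discourse.osgeo.org>, "
    "relay=discourse.osgeo.org[140.211.15.13]:25, delay=1.8, "
    "dsn=4.7.1, status=deferred (host discourse.osgeo.org[140.211.15.13] "
    "said: 454 4.7.1 <reply-token@discourse.osgeo.org>: Relay access denied "
    "(in reply to RCPT TO command))"
)

# Addresses as reported in the ticket: the MX target meet.osgeo.org is
# 140.211.15.5, while the name discourse.osgeo.org itself is 140.211.15.13.
PUBLISHED = {
    "discourse.osgeo.org": {
        "mx_ips": {"140.211.15.5"},
        "a_ips": {"140.211.15.13"},
    }
}

LINE_RE = re.compile(
    r"to=<[^@>]+@(?P<domain>[^>]+)>, "
    r"relay=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+),"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

def classify(line, published=PUBLISHED):
    """Report whether a delivery attempt went to an MX host or the bare A record."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a Postfix smtp delivery line
    ref = published.get(m["domain"].lower())
    if ref is None:
        verdict = "no-reference-data"
    elif m["ip"] in ref["mx_ips"]:
        verdict = "mx"
    elif m["ip"] in ref["a_ips"]:
        # No MX was seen by the sender, so it used the implicit-MX fallback.
        verdict = "a-record-fallback"
    else:
        verdict = "unknown-relay"
    return {"domain": m["domain"], "relay_ip": m["ip"],
            "dsn": m["dsn"], "status": m["status"], "verdict": verdict}

if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```

An `a-record-fallback` verdict on the sending side points at the sender's resolver not returning the MX record, rather than at Discourse's per-category reply settings.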
