authelia: GMail smtp notification incorrectly detects TLS support

I’ve tried to figure out what the actual problem is here but can’t say exactly where the cause is but I have SMTP notifications turned on and I’m using the gmail smtp-relay server over TLS on port 587 with an app password. When my authelia container is first created and I visit my auth page and click the link to register or the link to send an email for a password reset it almost always comes back with an error stating There was a problem initiating the registration process. In the docker logs it shows

level=info msg="Logging severity set to debug"
level=debug msg="Notifier SMTP client initializing TLS configuration"
level=info msg="Authelia is listening for non-TLS connections on 0.0.0.0:9091"
level=info msg="Access to https://mydomain.tld/ is not authorized to user , redirecting to https://auth.mydomain.tld?rd=https%3A%2F%2Fmydomain.tld%2F" method=GET path=/api/verify remote_ip=192.168.1.128
level=info msg="Access to https://stats.mydomain.tld/ is not authorized to user , redirecting to https://auth.mydomain.tld?rd=https%3A%2F%2Fstats.mydomain.tld%2F" method=GET path=/api/verify remote_ip=192.168.1.128
level=debug msg="Credentials validation of user myuser is ok" method=POST path=/api/firstfactor remote_ip=192.168.1.128
level=debug msg="Mark authentication attempt made by user myuser" method=POST path=/api/firstfactor remote_ip=192.168.1.128
level=debug msg="Required level for the URL https://stats.mydomain.tld/ is 2" method=POST path=/api/firstfactor remote_ip=192.168.1.128
level=warning msg="https://stats.mydomain.tld/ requires 2FA, cannot be redirected yet" method=POST path=/api/firstfactor remote_ip=192.168.1.128
level=debug msg="Sending an email to user myuser (myuser@email.com) to confirm identity for registering a device." method=POST path=/api/secondfactor/totp/identity/start remote_ip=192.168.1.128
level=debug msg="Notifier SMTP client attempting connection to smtp-relay.email.com:587"
level=debug msg="Notifier SMTP client connected successfully"
level=warning msg="Notifier SMTP client encountered error during cleanup: EOF"
level=error msg="Notifier SMTP server does not support TLS and it is required by default (see documentation if you want to disable this highly recommended requirement)" method=POST path=/api/secondfactor/totp/identity/start remote_ip=192.168.1.128 stack="github.com/authelia/authelia/internal/middlewares/authelia_context.go:64      (*AutheliaCtx).Error\ngithub.com/authelia/authelia/internal/middlewares/identity_verification.go:86 IdentityVerificationStart.func1\ngithub.com/authelia/authelia/internal/middlewares/require_first_factor.go:15  RequireFirstFactor.func1\ngithub.com/authelia/authelia/internal/middlewares/authelia_context.go:49      AutheliaMiddleware.func1.1\ngithub.com/fasthttp/router@v1.2.2/router.go:348                               (*Router).Handler\ngithub.com/authelia/authelia/internal/middlewares/log_request.go:14           LogRequestMiddleware.func1\ngithub.com/valyala/fasthttp@v1.14.0/server.go:2162                            (*Server).serveConn\ngithub.com/valyala/fasthttp@v1.14.0/workerpool.go:223                         (*workerPool).workerFunc\ngithub.com/valyala/fasthttp@v1.14.0/workerpool.go:195                         (*workerPool).getCh.func1\nruntime/asm_amd64.s:1373                                                      goexit"

I’m running version 4.20 of Authelia and this only happens once or twice the very first time I try and reset a password or register a device after the container is created. After the initial failure or two, it works and sends the email without even needing to restart the container or navigate away from the page

existing Authelia configuration

host: 0.0.0.0
port: 9091
log_level: debug

jwt_secret: "super-secret"

default_redirection_url: https://mydomain.tld

totp:
  issuer: mydomain

authentication_backend:
  file:
    path: /config/users.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 1024

access_control:
  default_policy: deny
  rules:
    - domain: "auth.mydomain.tld"
      policy: bypass

    - domain:
        - www.mydomain.tld
        - mydomain.tld
      resources:
        - "^/plugins/images/favicon/site.webmanifest$"
      policy: bypass

    - domain:
        - request.mydomain.tld
        - watch.mydomain.tld
        - www.mydomain.tld
        - mydomain.tld
      subject: group:users
      policy: two_factor

    - domain: "*.mydomain.tld"
      subject: group:admins
      policy: two_factor

session:
  name: mydomain_session
  secret: "super-long-secret"
  expiration: 7200
  inactivity: 3600
  domain: mydomain.tld
  remember_me_duration: 1M

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 12h

storage:
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: true
  smtp:
    username: myuser@mydomain.tld
    password: google app password
    host: smtp-relay.gmail.com
    port: 587
    sender: no-reply@mydomain.tld
    subject: "[2FA] {title}"
    disable_require_tls: false

About this issue

  • Original URL
  • State: closed
  • Created 4 years ago
  • Comments: 24 (19 by maintainers)

Most upvoted comments

Makes sense, probably would be helpful with the helm chart. It’s still in beta and people seem to regularly have issues. Thanks for the clarification!

+1
james-d-elliott on Jan 6, 2022

@nightah The different is that smtp-relay.gmail.com is a true smtp relay which allows you to send emails as someone else. For example, if I want to send an email to all my users as no-reply@mydomain.com I can do this with smtp-relay.gmail.com but not with smtp.gmail.com. With smtp.gmail.com I would need to send the email from my actual email address. Google also imposes more requirements and security around smtp-relay.gmail.com than it does with smtp.gmail.com since it’s a relay. Does that make sense?

EDIT: so for a temporary workaround, smtp.gmail.com will work but it exposes your real email address to your recipients so it’s not ideal but does work

+1
akusei on Oct 28, 2020

@wouterbouvy @nightah As a workaround for now, until this gets added, you can use the following postfix docker configuration. All it does is forward your mail from Authelia to gmail (gsuite) with the correct hostname. I’ve tested this and it works.

postfix:
  image: juanluisbaptiste/postfix:alpine
  container_name: postfix
  restart: unless-stopped
  expose:
    - 25
  environment:
    SMTP_SERVER: smtp-relay.gmail.com
    SMTP_PORT: 587
    SMTP_USERNAME: gmail_username
    SMTP_PASSWORD: gmail_password
    SERVER_HOSTNAME: yourdomain.com

And in the Authelia configuration.yml you would put this for the notifier

notifier:
  disable_startup_check: true
  smtp:
    host: postfix
    port: 25
    sender: from_email_address
    subject: "[2FA] {title}"
    disable_require_tls: true
+1
akusei on Oct 28, 2020

@akusei good find regarding the Google SMTP Relay limitation, for the record here’s an article with more detail including the following extract:

We recommend that you configure your mail server to present a unique identifier (such as your domain name or the name of your mail server) in the HELO or EHLO command in the SMTP relay connections your server makes to Google. Avoid using generic names such as “localhost” or “smtp-relay.gmail.com,” which can occasionally result in issues with DoS limits.

I think your suggestion is a sane one @akusei, perhaps we should just default to sending os.Hostname() which in the case of Docker will be a randomly generated hostname and can be also customised with the hostname option too. This should also carry a sane default for non-Docker based deployments. Thoughts @james-d-elliott?

+1
nightah on Oct 28, 2020

I also still have this same problem and diverted to smtp.gmail.com instead of smtp-relay.gmail.com as a workaround. Great find on the localhost @akusei

+1
wouterbouvy on Oct 27, 2020

@james-d-elliott This may need to be re-opened. Or would you prefer I create a new ticket?

+1
akusei on Oct 27, 2020

Turns out this is still a problem for gmail SMTP relay but I think I’ve figured out what the issue is. It appears Authelia is sending localhost as the hostname for the SMTP EHLO and HELO commands. Google doesn’t like this at all. I was able to reproduce the issue with an smtp command line testing tool and the issue was fixed when I told the tool to use my actual hostname/domain that google recognizes. Here’s a tcpdump of the traffic coming from Authelia going to the smtp relay.

00:31:26.339712 IP (tos 0x0, ttl 128, id 44057, offset 0, flags [none], proto TCP (6), length 97)
    74.125.137.28.submission > 192.168.111.128.60332: Flags [P.], cksum 0xcf98 (correct), seq 1:58, ack 1, win 64240, length 57
	0x0000:  4500 0061 ac19 0000 8006 8abb 4a7d 891c  E..a........J}..
	0x0010:  c0a8 6f80 024b ebac 409d 1a6b d928 322e  ..o..K..@..k.(2.
	0x0020:  5018 faf0 cf98 0000 3232 3020 736d 7470  P.......220.smtp
	0x0030:  2d72 656c 6179 2e67 6d61 696c 2e63 6f6d  -relay.gmail.com
	0x0040:  2045 534d 5450 206e 3236 736d 3130 3435  .ESMTP.n26sm1045
	0x0050:  3030 6f74 662e 3620 2d20 6773 6d74 700d  00otf.6.-.gsmtp.
	0x0060:  0a                                       .
00:31:26.339759 IP (tos 0x0, ttl 63, id 1698, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.111.128.60332 > 74.125.137.28.submission: Flags [.], cksum 0x03dd (incorrect -> 0x5cca), seq 1, ack 58, win 64183, length 0
	0x0000:  4500 0028 06a2 4000 3f06 316c c0a8 6f80  E..(..@.?.1l..o.
	0x0010:  4a7d 891c ebac 024b d928 322e 409d 1aa4  J}.....K.(2.@...
	0x0020:  5010 fab7 03dd 0000                      P.......
00:31:26.339881 IP (tos 0x0, ttl 63, id 1699, offset 0, flags [DF], proto TCP (6), length 56)
    192.168.111.128.60332 > 74.125.137.28.submission: Flags [P.], cksum 0x03ed (incorrect -> 0xf0f0), seq 1:17, ack 58, win 64183, length 16
	0x0000:  4500 0038 06a3 4000 3f06 315b c0a8 6f80  E..8..@.?.1[..o.
	0x0010:  4a7d 891c ebac 024b d928 322e 409d 1aa4  J}.....K.(2.@...
	0x0020:  5018 fab7 03ed 0000 4548 4c4f 206c 6f63  P.......EHLO.loc
	0x0030:  616c 686f 7374 0d0a                      alhost..
00:31:26.340031 IP (tos 0x0, ttl 128, id 44058, offset 0, flags [none], proto TCP (6), length 40)
    74.125.137.28.submission > 192.168.111.128.60332: Flags [.], cksum 0x5c81 (correct), seq 58, ack 17, win 64240, length 0
	0x0000:  4500 0028 ac1a 0000 8006 8af3 4a7d 891c  E..(........J}..
	0x0010:  c0a8 6f80 024b ebac 409d 1aa4 d928 323e  ..o..K..@....(2>
	0x0020:  5010 faf0 5c81 0000 0000 0000 0000       P...\.........
00:31:26.396425 IP (tos 0x0, ttl 128, id 44059, offset 0, flags [none], proto TCP (6), length 120)
    74.125.137.28.submission > 192.168.111.128.60332: Flags [FP.], cksum 0x0752 (correct), seq 58:138, ack 17, win 64240, length 80
	0x0000:  4500 0078 ac1b 0000 8006 8aa2 4a7d 891c  E..x........J}..
	0x0010:  c0a8 6f80 024b ebac 409d 1aa4 d928 323e  ..o..K..@....(2>
	0x0020:  5019 faf0 0752 0000 3432 3120 342e 372e  P....R..421.4.7.
	0x0030:  3020 5472 7920 6167 6169 6e20 6c61 7465  0.Try.again.late
	0x0040:  722c 2063 6c6f 7369 6e67 2063 6f6e 6e65  r,.closing.conne
	0x0050:  6374 696f 6e2e 2028 4548 4c4f 2920 6e32  ction..(EHLO).n2
	0x0060:  3673 6d31 3034 3530 306f 7466 2e36 202d  6sm104500otf.6.-
	0x0070:  2067 736d 7470 0d0a                      .gsmtp..

It’s not pretty to look at, sorry. If you can read through that, you’ll see Authelia sending localhost. Is there a way to change what hostname Authelia will send? I tried setting hostname on the container but that doesn’t work.

+1
akusei on Oct 27, 2020
Read more comments on GitHub
← authelia: forwardauth with traefik 2.0 doesn't appear to work
authelia: High memory usage in docker w/ file-based user database →