Roots Discourse

Sendgrid - unable to connect - port 587

Got an error connecting to Sendgrid:

Jan 25 08:33:42 domain sSMTP[16424]: Unable to connect to "smtp.sendgrid.net" port 587.

I did a check and saw that port is not open:

# netstat -ntlp | grep LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1500/nginx -g daemo
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      1343/memcached  
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1500/nginx -g daemo
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      23307/sshd      
tcp6       0      0 :::443                  :::*                    LISTEN      1500/nginx -g daemo
tcp6       0      0 :::3306                 :::*                    LISTEN      1618/mysqld     
tcp6       0      0 :::80                   :::*                    LISTEN      1500/nginx -g daemo

I did not see anything on the need to open the port in the Trellis documentation though, and I think we did receive registration emails before. Only lately WooCommerce purchase confirmations and so on arrive really late. How do you normally open up a port on Trellis? I think I should add a rule to trellis/group_vars/all/security.yml but could use some help with it…

I added

- type: dport_accept
  dport: [587]
  protocol: tcp
- type: dport_accept
  dport: [587]
  protocol: udp

to group_vars/all/security.yaml and re-provisioned. But when I checked the ports that were open again I did not see port 587 listed…

PS How can I just run that role or task? Would be way faster…

Just ran:

ansible-playbook server.yml --tags "ferm,ssmtp, mail" -e env=production

and I saw:

TASK [ferm : ensure iptables INPUT rules are added] ******************************
ok: [xxx.xxx.xxx.xxx] => (item={u'dport': [u'http', u'https'], u'type': u'dport_accept', u'filename': u'nginx_accept'})
ok: [xxx.xxx.xxx.xxx] => (item={u'dport': [u'ssh'], u'type': u'dport_accept', u'saddr': [u'82.194.37.130']})
ok: [xxx.xxx.xxx.xxx] => (item={u'dport': [u'ssh'], u'seconds': 300, u'hits': 20, u'type': u'dport_limit'})
changed: [xxx.xxx.xxx.xxx] => (item={u'dport': [587], u'protocol': u'tcp', u'type': u'dport_accept'})
changed: [xxx.xxx.xxx.xxx] => (item={u'dport': [587], u'protocol': u'udp', u'type': u'dport_accept'})

So the security.yaml changes do seem to work. Just did not see it running a netstat -ntlp | grep LISTEN. Also nmap states 587 is not open:

nmap xxx.xxx.xxx.xxx

Starting Nmap 7.40 ( https://nmap.org ) at 2018-01-26 16:51 +03
Nmap scan report for xxx.xxx.xxx.xxx
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 13.93 seconds

Strange…

:thinking: so those ports are for incoming requests. Your SMTP requests to Sendgrid are outgoing. You won’t see a port open listening for connections for those.

roots.io uses Mailgun on port 587 and we didn’t need to do anything for security.

I suggest trying to connect manually via Telnet on your server to try and see if it really can’t connect.

3 Likes

Are you getting any 504 or 502 errors by chance?

I think this issue might be related to my recent issue: 504 Time-out - upstream timed out

If I were you, I’d download the Sendgrid Wordpress Plugin. So far using the API keys seems to fix the issue. I’ll probably stick with this fix rather than debug the port issue.

1 Like

Yeah, clearly need to learn some more here. Felt kinda silly there. I tried telnet from the Trellis Digital Ocean server itself after I removed these unnecessary port changes:

telnet smtp.sendgrid.net 587
Trying 108.168.183.160...
telnet: Unable to connect to remote host: Connection timed out

so got the same kind of time-out issue. From my own Mac I did get connected.

telnet smtp.sendgrid.net 587
Trying 159.122.219.43...
Connected to smtp.sendgrid.net.
Escape character is '^]'.
220 SG ESMTP service ready at ismtpd0002p1lon1.sendgrid.net

Oddly enough, different IPs from both locations, but perhaps that is related to from where you telnet in. So from the server I could not and from my box I could.

Update
See https://www.digitalocean.com/community/questions/outgoing-connections-on-port-25-587-143-blocked-over-ipv6 . On ipv6 port 587 seems to be blocked on several DO regions when ipv6 is used. Solutions offered there did not do the trick though.

I added the SendGrid WordPress Plugin to try the api. But when I went to settings things went all haywire. The settings page kept on reloading. Perhaps because wp mail is being used by other plugins… I mean they said if that was the case you would not be able to use the plugin. Not sure what plugin would be using it… Perhaps WooCommerce, AccessAlly or another. This is taking a lot more work than I anticipated…
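The thread's two findings (outbound SMTP needs no listening port, and port 587 can be blocked for one address family only) can be checked in one pass by connecting to every resolved address of the relay separately. This is an added example, not code from the thread or from Trellis; `probe_outbound` and `summarize` are hypothetical names, and the fallback sample uses constructed documentation addresses.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def probe_outbound(host, port, timeout=5.0):
    """Attempt one outbound TCP connect per resolved address of host:port."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [{"family": "n/a", "address": host, "ok": False, "detail": f"DNS: {exc}"}]
    results = []
    for family, socktype, proto, _name, sockaddr in infos:
        if family not in FAMILIES:
            continue
        entry = {"family": FAMILIES[family], "address": sockaddr[0], "ok": False, "detail": ""}
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)  # outbound: nothing has to LISTEN locally
                entry["ok"] = True
                try:  # an SMTP server speaks first, with a 220 greeting
                    entry["detail"] = sock.recv(512).decode("ascii", "replace").strip()
                except socket.timeout:
                    entry["detail"] = "connected, no banner before timeout"
        except OSError as exc:  # timed out, refused, network unreachable, ...
            entry["detail"] = f"{type(exc).__name__}: {exc}"
        results.append(entry)
    return results

def summarize(results):
    """Collapse per-address results into a per-family verdict string."""
    reach = {}
    for r in results:
        reach[r["family"]] = reach.get(r["family"], False) or r["ok"]
    if not any(reach.values()):
        return "unreachable"
    if all(reach.values()):
        return "reachable"
    return "blocked over " + "/".join(sorted(f for f, ok in reach.items() if not ok))

if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. python3 probe.py smtp.sendgrid.net 587
        found = probe_outbound(sys.argv[1], int(sys.argv[2]))
    else:  # constructed sample (documentation addresses), not real measurements
        found = [{"family": "IPv4", "address": "192.0.2.10", "ok": True, "detail": "220 ready"},
                 {"family": "IPv6", "address": "2001:db8::10", "ok": False, "detail": "timeout"}]
    for r in found:
        print(r["family"], r["address"], "OK" if r["ok"] else "FAIL", r["detail"])
    print("verdict:", summarize(found))
```

Run it on the server itself with the relay host and port as arguments; a verdict of "blocked over IPv6" matches the DigitalOcean behaviour linked above, while "unreachable" points at an egress block on every family.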

I have Woocommerce on my install, and it’s working via API now. I changed mail.yml to default. Sorry, I thought it would work straight out for you like it did for me. Hopefully you can figure it out soon. I was convinced our issues are related but possibly not.

If you have the option of downgrading to ipv4, here’s a thread I’d done on that a couple years back: Composer.lock & Packagist Issues

Well I tried to add details once again in Chrome instead of Safari and there I did not have the issue. So added api key and email sender details. Now I wonder… How can I do a quick api test @masoninthesis ?

Update: Never mind that. Test was built in and things do seem to work when testing :slight_smile:

great man! :metal:

Yeah I’m gonna stick w/ the plugin now that I know about it. Anything to simplify things.

Wow that’s pretty awful on DO’s part :frowning:

Glad you got the workaround figured out.