2

I have installed GitLab on a cloud VM and shortly after stood up a second VM as a postfix server with the same provider (Hetzner)

I first noticed a problem when I went back to the GitLab server to enable SMTP Email and nothing was being sent, not even any logs on the mail server to say a connection was attempted.

On the GitLab server

I tried to ping the mail server from gitlab and got back only a single response and no further responses not matter how long I wait.

root@gitlab:~# ping mail.simoncarr.co.uk
PING mail.simoncarr.co.uk(2a01:4f8:c2c:a992:: (2a01:4f8:c2c:a992::)) 56 data bytes

As you can see it is an IPV6 response. I don't remember doing anything other than enabling the ufw that would have impacted networking on gitlab.

I have turned off ufw on gitlab and the mail server, and get the same behaviour.

If I ping an external server I still get an IPV6 response, but I do at least get multiple responses.

root@gitlab:~# ping bbc.co.uk
PING bbc.co.uk(2a04:4e42:600::81 (2a04:4e42:600::81)) 56 data bytes
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=1 ttl=58 time=3.68 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=2 ttl=58 time=3.47 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=3 ttl=58 time=3.52 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=4 ttl=58 time=3.50 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=5 ttl=58 time=3.49 ms

On the mail server

If I ping the gitlab server, I get IPV4 response and they are repeated as you would expect.

PING gitlab.simoncarr.co.uk (168.119.124.76) 56(84) bytes of data.
64 bytes from static.76.124.119.168.clients.your-server.de (168.119.124.76): icmp_seq=1 ttl=58 time=0.878 ms
64 bytes from static.76.124.119.168.clients.your-server.de (168.119.124.76): icmp_seq=2 ttl=58 time=0.463 ms
64 bytes from static.76.124.119.168.clients.your-server.de (168.119.124.76): icmp_seq=3 ttl=58 time=0.353 ms
64 bytes from static.76.124.119.168.clients.your-server.de (168.119.124.76): icmp_seq=4 ttl=58 time=0.419 ms

If I ping an external server from the mail server, I again get an IPV6 response.

root@mail:~# ping bbc.co.uk
PING bbc.co.uk(2a04:4e42:600::81 (2a04:4e42:600::81)) 56 data bytes
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=1 ttl=58 time=6.68 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=2 ttl=58 time=6.24 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=3 ttl=58 time=6.23 ms
64 bytes from 2a04:4e42:600::81 (2a04:4e42:600::81): icmp_seq=4 ttl=58 time=6.16 ms

The only thing, that I have changed on the mail server, that is related to networking is to add reverse DNS addresses to both IPV4 and IPV6 addresses.

Getting back to my actual problem.

I want to be able to connect from GitLab server to my mail server to send SMTP email. Even with ufw disabled on both servers, GitLab is not communicating with the mail server. I can't help but think the issue is related to the behaviour I have described above.

HTTP web traffic to my GitLab server is working fine and my mail server is sending and receiving email fine, from mail clients and other SMTP servers.

PrestonDocks
  • 215
  • 3
  • 11
  • Modern versions of `ping` and `traceroute` prefer IPv6 to IPv4 when the user doesn't explicitly ask for a protocol and addresses for both protocols are available. It sounds like you haven't correctly set up IPv6 connectivity on one or both machines. – Michael Hampton Jan 31 '21 at 12:50
  • So, do I have to do something special to make IPV6 work? If so, would it better to just disable IPV6 (is that possible and is it advisable)? – PrestonDocks Jan 31 '21 at 13:02
  • @PrestonDocks: The IPv6 address of your mail server is wrong in the DNS: the correct address seems to be `2a01:4f8:c2c:a992::1` instead of `2a01:4f8:c2c:a992::0`. See my answer for details. – Esa Jokinen Jan 31 '21 at 13:05

1 Answers1

4

On suitable ways to debug your problem

When testing a service, it's always better to try and connect to the service instead of using ping. While ICMP echo might help in diagnosing some problems, it doesn't really tell much here, because there are too many reasons why it might respond or not, and it has less to do with the actual problem.

In your DNS, you have:

;; ANSWER SECTION:
simoncarr.co.uk.        14400   IN      MX      11 mail.simoncarr.co.uk.

;; ADDITIONAL SECTION:
mail.simoncarr.co.uk.   14400   IN      AAAA    2a01:4f8:c2c:a992::
mail.simoncarr.co.uk.   14400   IN      A       188.34.201.61

This means your mail server is advertised to have both IPv6 and IPv4 connectivity, but neither answers on the SMTP port 25:

$ nc 188.34.201.61 25 -vvv
nc: connect to 188.34.201.61 port 25 (tcp) failed: Connection timed out

$ nc 2a01:4f8:c2c:a992:: 25 -vvv
nc: connect to 2a01:4f8:c2c:a992:: port 25 (tcp) failed: Connection timed out

However, the IPv4 address answers on ports 465 (smtps, RFC 8314) and 587 (submission, RFC 6409), but the IPv6 address doesn't:

$ nc 188.34.201.61 465 -vvv
Connection to 188.34.201.61 465 port [tcp/submissions] succeeded!

$ nc 188.34.201.61 587 -vvv
Connection to 188.34.201.61 587 port [tcp/submission] succeeded!
220 mail.simoncarr.co.uk ESMTP Postfix (Ubuntu)

$ nc 2a01:4f8:c2c:a992:: 465 -vvv
nc: connect to 2a01:4f8:c2c:a992:: port 465 (tcp) failed: Connection timed out

$ nc 2a01:4f8:c2c:a992:: 587 -vvv
nc: connect to 2a01:4f8:c2c:a992:: port 587 (tcp) failed: Connection timed out

Knowing you have disabled the firewall, this suggests you either have wrong IPv6 address in your DNS or that the mail server doesn't have IPv6 connectivity altogether. Normally you could use ifconfig on the mail server to figure this out, but I got lucky as my first guess got right:

$ nc 2a01:4f8:c2c:a992::1 587 -vvv
Connection to 2a01:4f8:c2c:a992::1 587 port [tcp/submission] succeeded!
220 mail.simoncarr.co.uk ESMTP Postfix (Ubuntu)

How to fix your problems

  1. Change the AAAA record in your DNS. It should probably be (notice the additional 1):

    mail.simoncarr.co.uk.   14400   IN      AAAA    2a01:4f8:c2c:a992::1

  2. Fix your mail server. For incoming mail you need to have the SMTP server listening on TCP port 25. If you can connect to this port from the server itself, you might need to ask the service provider whether hosting mail servers are allowed or not. It's typical to block port 25 on connections not used for delivering mail as a way to fight SPAM from compromised computers.

Community
  • 1
Esa Jokinen
  • 46,944
  • 3
  • 83
  • 129
  • Thank you so much for the detailed response. Reading through it, I have learned a lot. I will make a start by adding the `1` to the IPV6 in DNS. With regard to port 25, I was led to believe that was only for insecure connections, do I need to open port 25? Thank you again. – PrestonDocks Jan 31 '21 at 13:07
  • @PrestonDocks You only need to open port 25 to receive mail from the rest of the Internet. – Michael Hampton Jan 31 '21 at 13:09
  • 1
    Mail is delivered between MTAs only through port `25/tcp`. The ports `465` and `587` are intended for mail *submission* i.e. for clients, as described in the linked RFC documents. Port `25` (like `587`) can accept both unencrypted and encrypted connections using `STARTTLS`. – Esa Jokinen Jan 31 '21 at 13:10
  • Of course, thank you. It's a while since I touched networking and mail servers, I did use to know that. I started at 7.30am yesterday and gave up at 3.30am this morning. My brain is still a bit of a fog. – PrestonDocks Jan 31 '21 at 13:15
  • 1
    It seems you have already fixed both these problems, and your mail server isn't an open relay, either. This is a good start. Welcome back to the world of networking! – Esa Jokinen Jan 31 '21 at 13:18
  • What a brilliant support community. Many thanks for all the prompt and concise help. Still struggling with getting email to send from Gitlab, but GitLab is now at least connecting to the mail server, so I think I just have to check my SMTP connection settings. – PrestonDocks Jan 31 '21 at 13:34