
I have a company intranet site programmed in Rails on an EC2 instance running OpenVPN. I'm using the basic email configuration for Rails, similar to the one described in the Rails guide:

config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
  :address              => "smtp.gmail.com",
  :port                 => 587,
  :domain               => 'baci.lindsaar.net',
  :user_name            => '<username>',
  :password             => '<password>',
  :authentication       => 'plain',
  :enable_starttls_auto => true  }

The only real difference being that it points to our Microsoft Online server instead of Gmail. Anyhow, if I kill the OpenVPN process, the mail sends fine. Obviously this is not a good solution. How should I configure OpenVPN to allow the outgoing email?

I'm the programmer of the intranet site, not the sysadmin who configured the OpenVPN so I'm a little unsure of where to begin or what to check.

blastula
  • Is it possible to check with the sysadmin who configured OpenVPN to see if he is blocking the ports you need or anything of that sort? – JonLim Jan 26 '11 at 19:48

1 Answer


This sounds like a push redirect-gateway routing problem.

One of the options you can set in your OpenVPN is to force the client to use the OpenVPN server as its default gateway, the practical upshot of which is that all internet traffic from the client has to traverse the OpenVPN and exit to the internet from there.

This means that your VPN client's internet traffic is now affected by how the OpenVPN server is talking to the internet.

What in particular I've seen is that the OpenVPN network uses a private network internally, and the server is directly on the internet; however the server doesn't have any NAT rules which mask the source IP of the client. Which means the packets you are sending to Microsoft Online have a source IP of the client's OpenVPN IP address -- meaning Microsoft Online has no way to send answering packets back to you.

You can check this with traceroute when your OpenVPN client is active. Run a command like:

traceroute -n smtp.gmail.com

...and see what the next-hop IP address is. If it is your OpenVPN server, you have the push redirect-gateway option set.

Alternatively, if your OpenVPN server is behind a firewall, check the firewall for rules which either explicitly prevent (or fail to permit, depending on your firewall flavor) connections to the target port.

You can also try to telnet to the target port you are trying to reach; in your example:

telnet smtp.gmail.com 587

...and sometimes the error you get back from that can tell you what the firewall is doing with your connection attempt.

David Mackintosh
  • Thanks for this great post, it's very informative. This is beginning to look like a DNS issue perhaps. The traceroute times out and the telnet attempt reports: Temporary failure in name resolution smtp.mail.microsoftonline.com: Host name lookup failure. Thanks for your good ideas! – blastula Jan 27 '11 at 15:17
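The checks the answer walks through, as an added shell example that is not part of the question or the answer. It reads the routing table to tell whether a pushed redirect-gateway is in effect (OpenVPN's `def1` form does not replace the default route; it adds `0.0.0.0/1` and `128.0.0.0/1`, which win by longest prefix), then checks name resolution before the TCP port, since the comment above shows the lookup failing before anything else. The interface names `tun0`/`eth0`, the `10.8.0.0/24` tunnel subnet and the SMTP host are assumptions; the MASQUERADE rule at the end is the server-side NAT the answer describes as missing, not something taken from the poster's server.

```shell
#!/bin/sh
# Diagnose whether outbound SMTP is being pulled through an OpenVPN tunnel.
# Assumed names: tun0/eth0, the 10.8.0.0/24 tunnel subnet and the SMTP host.

# Print the device of the 0.0.0.0/0 default route; expects `ip -4 route` on stdin.
default_route_dev() {
    awk '$1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Print the device carrying the redirect-gateway def1 half-routes, if present.
# These two /1 routes beat the real default route by longest-prefix match.
def1_route_dev() {
    awk '$1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
            for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Return 0 when the route table (passed as one argument) sends internet
# traffic out of a tun/tap device, i.e. the VPN server is the next hop.
routes_via_vpn() {
    dev=$(printf '%s\n' "$1" | def1_route_dev)
    if [ -z "$dev" ]; then
        dev=$(printf '%s\n' "$1" | default_route_dev)
    fi
    case "$dev" in
        tun*|tap*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Server-side fix from the answer: NAT the tunnel subnet out of the public
# interface so replies to the client's private source IP can come back.
# Subnet and interface are assumptions; adjust to the server's real values.
print_server_nat_fix() {
    cat <<'EOF'
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
EOF
}

# Live diagnosis, only when invoked as:  sh smtp_vpn_check.sh --live
if [ "${1:-}" = "--live" ]; then
    host=${SMTP_HOST:-smtp.mail.microsoftonline.com}   # assumed target host
    port=${SMTP_PORT:-587}
    routes=$(ip -4 route)
    if routes_via_vpn "$routes"; then
        echo "internet traffic leaves via the tunnel: redirect-gateway is in effect"
        echo "if the server lacks NAT for the tunnel subnet, it needs:"
        print_server_nat_fix
    else
        echo "default route is not via the tunnel"
    fi
    # DNS first: a name that does not resolve makes traceroute/telnet fail early.
    if getent hosts "$host" >/dev/null 2>&1; then
        echo "$host resolves"
    else
        echo "$host does not resolve (name lookup failure, not a port block)"
    fi
    if command -v nc >/dev/null 2>&1; then
        if nc -z -w 5 "$host" "$port" 2>/dev/null; then
            echo "tcp/$port on $host is reachable"
        else
            echo "tcp/$port on $host is blocked or unreachable"
        fi
    fi
fi
```

Run it with `--live` on the EC2 box while the tunnel is up and again after stopping OpenVPN; a result that flips from "via the tunnel" plus a lookup failure to "resolves" and "reachable" points at the pushed route (and whatever DNS the tunnel leaves you with), not at the Rails mailer settings.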