535 5.7.8 Authentication failed - SMTP Error
-
Hello @webliska
Cloudron does enforce some rate limits as described in the documentation.- Email access (Port 25, 465, 587, 993, 4190) - 50 connections per second per IP/App.
- Email relay access - 500 connections per second per app.
- Email receive access - 50 connections per second per app.
So yes, you might have hit the rate limit.
You can check all rate limited entries when connect to your server via
sshandrootorsudoaccess with the following command:iptables -t filter -L CLOUDRON_RATELIMITYou could also view the
syslogand filter forIPTables RateLimitor watch the output in real time with:tail -f /var/log/syslog | grep -i 'IPTables RateLimit'You could try to simply restart the
cloudron-firewall.servicethat would also clear the rate limited table.
Suggested solution to clear all rate limited ips
systemctl restart cloudron-firewall.service -
Thank you!
I checked the logs but did not find anything here:
tail -f /var/log/syslog | grep -i 'IPTables RateLimit'
Also, I checked this:
iptables -t filter -L CLOUDRON_RATELIMIT confirms the rate limits are active.
So I went ahead and checked the logs with the IPs that the warmup services are using to connect, but did not find any logs of them in the /var/log/syslog
Also, one more thing, I confirmed with the Warmup service team about the connections limits per second and they toldme this:
If that´s the case, then it´s even more odd because we are not doing up to 50 connection attempts per second.So this also confirms that it's something odd.
Let me know.
Thanks!
Can you please let me know how to get this issue resolved?
I do not want to clear all rate-limited ips as this might also remove some unwanted users as well.
Is there a way to whitelist those IPs that I want?
Please help me with that.
Thanks!
-
@webliska said in 535 5.7.8 Authentication failed - SMTP Error:
Is there a way to whitelist those IPs that I want?
From the documentation. There is a Blacklist => https://docs.cloudron.io/networking/#blocklist
But also Trusted IPs, but I am unsure if the Trusted IPs feature is also whitelisting from rate limit.@staff can we get some insight about Trusted IPs?
Regarding the failing auth for smtp. I'd need the log / error message of why the auth failed to further analyze the issue.
But you can always test the credentials yourself with e.g. thunderbird. -
The credentials are all good and double tested multiple times.
What logs do you want, let me know.
@webliska
If the warmup provider gets SMTP: Authentication failed, a full error message from the client would be useful.
Also, the log frommy.DOMAIN.TLD/#/servicesmail service logs.
With a timestamp from the failed auth attempt and the log of the mail service we could find more details about why it is failing. -
Since Cloudron uses Haraka as the mailer.
There also further rate limiting factors from Haraka itself.
See => https://github.com/haraka/haraka-plugin-limit/blob/master/config/limit.iniExcerpt:
# limit number of connections per interval from IP/rDNS [rate_conn] enabled=true 127=0 172=0 default=60/1m ; Maximum number of recipients from an IP or host over an interval [rate_rcpt_host] enabled=true 127=0 172=0 ; 50 RCPT To: maximum in 5 minutes default=100/5mEditing these values out of the box is not possible.
So please reevaluate with your warmup provider if these rate limits also met. -
How do I send you the mail.log?
The full error code is the following: 535 5.7.8 Authentication failed
This indicates either an invalid SMTP username or password.
@webliska said in 535 5.7.8 Authentication failed - SMTP Error:
How do I send you the mail.log?
You can put the mail log into https://paste.cloudron.io/ and send the URL here or send me a private message in the forum.
