Email delivery fails when responding to calendar invites

I'm having issues with Sogo responding to Calendar invites. I chatted with support briefly about his but am hoping someone in the community might have already solved this. I'm using SendGrid to relay emails. All regular emails both from SoGo and any other IMAP client work. I also confirmed Sending calendar invites via dding a calendar event in SoGo, correctly sends those invites. Only when responding to the calendar invite (Accept/Reject/Tentative) does SendGrid reject sending the message with an error:

Hi. This is the Mailer program at mail.domain.net.

I'm afraid I wasn't able to deliver your message
    "Accepted invitation: "test 2""
to the following addresses.

This is a permanent error; I've given up. Sorry it didn't work out.

Intended Recipients: <abc.123@gmail.com>
Failure Reason: Error: 550 The from address does not match a verified Sender Identity. Mail cannot be sent until this error is resolved. Visit https://sendgrid.com/docs/for-developers/sending-email/sender-identity/ to see the Sender Identity requirements

I have also confirmed sending invite responses from my phone also fails. That's connected to SoGo as well. I will admit, I don't know how these calendar apps choose to send mail, but however it is, it is in some way different than regular mail.

Support suggested that SendGrid isn't configured correctly, while very don't know what's wrong...cause every other app and domain I have works, it's only SoGo that's breaking...which to me suggests an issue with SoGo. However, in the name of trying things I authenticated the mail.domain.net domain on SendGrid just in case, this didn't help.

I will now add some mail logs from Cloudron showing successful and rejected mailing attempts, there are some minor differences, but I honestly don't understand how those could affect sending.

First, Logs from a successful email being sent to a 3rd party.

Queuing Log:

{
  "ts": 1665503392076,
  "type": "queued",
  "direction": "outbound",
  "uuid": "00278735-6322-474A-81E9-8F457E544792.1",
  "messageId": "<21-63459080-d-620c9e00@260959258>",
  "mailFrom": "<alex@domain.net>",
  "spamStatus": null,
  "rcptTo": [
    "<abc.123@gmail.com>"
  ],
  "remote": {
    "ip": "172.18.16.1",
    "port": 53624,
    "host": "01c1a130-00e5-491a-929d-c4fd612c2a63.cloudron",
    "info": "01c1a130-00e5-491a-929d-c4fd612c2a63.cloudron",
    "closed": false,
    "is_private": true,
    "is_local": false
  },
  "authUser": "alex@domain.net",
  "message": "Message Queued (00278735-6322-474A-81E9-8F457E544792.1)"
}

Successful delivery:

{
  "ts": 1665503392715,
  "type": "delivered",
  "direction": "outbound",
  "uuid": "00278735-6322-474A-81E9-8F457E544792.1.1",
  "messageId": "<21-63459080-d-620c9e00@260959258>",
  "mailFrom": "<alex@domain.net>",
  "spamStatus": null,
  "rcptTo": [
    "<abc.123@gmail.com>"
  ],
  "server": {
    "host": "smtp.sendgrid.net",
    "ip": "52.89.19.245",
    "port": 587
  },
  "response": "Ok: queued as IzMRJMtySiCKDtlwwXICRA"
}

Next Mail logs from the unsuccessful calendar response:
Queuing log:

{
  "ts": 1665503626494,
  "type": "queued",
  "direction": "outbound",
  "uuid": "59D7277F-8CF3-4FA7-BAD4-AC539A54CD0B.1",
  "messageId": "<21-63459180-11-620c9e00@260959324>",
  "mailFrom": "<alex@domain.net>",
  "spamStatus": null,
  "rcptTo": [
    "<abc.123@gmail.com>"
  ],
  "remote": {
    "ip": "172.18.16.1",
    "port": 35900,
    "host": "01c1a130-00e5-491a-929d-c4fd612c2a63.cloudron",
    "info": "01c1a130-00e5-491a-929d-c4fd612c2a63.cloudron",
    "closed": false,
    "is_private": true,
    "is_local": false
  },
  "authUser": "alex@domain.net",
  "message": "Message Queued (59D7277F-8CF3-4FA7-BAD4-AC539A54CD0B.1)"
}

bounce Log:

{
  "ts": 1665503626631,
  "type": "bounce",
  "direction": "outbound",
  "uuid": "59D7277F-8CF3-4FA7-BAD4-AC539A54CD0B.1.1",
  "messageId": "<21-63459180-11-620c9e00@260959324>",
  "mailFrom": "<alex@domain.net>",
  "spamStatus": null,
  "rcptTo": [
    "<abc.123@gmail.com>"
  ],
  "message": "550 The from address does not match a verified Sender Identity. Mail cannot be sent until this error is resolved. Visit https://sendgrid.com/docs/for-developers/sending-email/sender-identity/ to see the Sender Identity requirements",
  "mx": {
    "priority": 0,
    "exchange": "smtp.sendgrid.net",
    "port": 587,
    "auth_type": "plain",
    "auth_user": "apikey",
    "auth_pass": "an_api_key",
    "family": "A",
    "bind_helo": "mail.domain.net"
  }
}

The mailer daemon also provides "email headers" in the reject email, presumably of the email that is being rejected, again, to me all looks good, but

Received: (Haraka outbound); Tue, 11 Oct 2022 16:33:04 +0000
Authentication-Results: mail.domain.net;
	auth=pass (plain)
Received: from 01c1a130-00e5-491a-929d-c4fd612c2a63 (01c1a130-00e5-491a-929d-c4fd612c2a63.cloudron [172.18.16.1])
	by mail.domain.net (Haraka/2.8.28) with ESMTPA id 19568C7C-2C91-49DC-B44D-7365FB820E07.1
	envelope-from <alex@domain.net> (authenticated bits=0);
	Tue, 11 Oct 2022 16:33:04 +0000
From: =?utf-8?q?alex=40domain.net?= <alex@domain.net>
Content-Type: multipart/mixed; boundary="----=_=-_OpenGroupware_org_NGMime-34-1665505984.597003-5------"
MIME-Version: 1.0
Date: Tue, 11 Oct 2022 16:33:04 +0000
Subject: Accepted =?utf-8?q?invitation=3A?= "test3"
Message-ID: <22-63459b00-11-5014c880@149971544>
X-Sogo-Message-Type: calendar:invitation-reply
To: =?utf-8?q?abc.123=40gmail.com?= <abc.123@gmail.com>
DKIM-Signature: v=1;a=rsa-sha256;bh=54NCLA1YJ/EblvBtqz+0wt14xv9hjaaEZx90dGFvjPA=;c=relaxed/simple;d=domain.net;h=from:subject:date:message-id:to:mime-version;s=cloudron;b=1HIyB1PCMRYxCyM6vsx/mEybHPLeeETBgm1SvXPiPj2P4Puwyy9FjgMa/Z2GGLjBpMNnKQqETNnkNu5tw8Da6pE7ajwACyhy0S+fP2wsvhk9E5wRE7wr82hbS0sOKwzSPalh9kLBgXKymxuSmGzuqrDijc6C6Lo/B47V4=

Any help is greatly appreciated, not understanding how these messages are different, and what I need to do to fix. Thanks!

@mehdi said in Dedicated IP for App:

@moonmeister said in Dedicated IP for App:

cause Cloudron currently relies on domain for routing to containers

Actually, this is only for HTTP stuff : if you open a port for an app, everything that hits the server on that port should be redirected to the app. You should not need a dedicated IP for this. Actually, it would not change anything.

You're a genius! Thanks, so I had all the ports open and still couldn't figure out why this wasn't working. Long story short....the AdGuard panel displays your computer's IP address, not the servers...I had just assumed it was correct.

Maybe this can be fixed?

I'm not sure if this is possible but I'd like to be able add a second IP to my cloudron instance and add it to a specific App. My specific use case is for Ad guard. many devices (Windows, macOS) don't support DNS over HTTP so I want to be able to give them an IP address. But it seems this doesn't work cause Cloudron currently relies on domain for routing to containers. Anyway, if this better for Feature Requests please move it, but I thought I'd ask if it was possible. Thanks!

@moonmeister said in PhotoPrism - Personal Photo Management powered by Go and Google TensorFlow:

UPDATE: photoprism folks informed me they tried compiling ffmpeg for 20.04 but it was a huge nightmare and they gave up. A 20.10 21.04 base image sounds much easier if y'all can provide that.

@nebulon is this possible?

@robi Cause it's dynamically compiled. I'm not sure about statically compiling it but it's something I will look into doing.

UPDATE: Static binaries are not an option.

@nebulon so photoprism is running on 20.10 due to bugs in some dependencies on 20.04. Is it possible to get a 20.10 base image or do I need to figure out backport those dependencies?

See https://github.com/photoprism/photoprism/issues/1284#issuecomment-841406953 for context.

UPDATE: photoprism folks informed me they tried compiling ffmpeg for 20.04 but it was a huge nightmare and they gave up. A 20.10 21.04 base image sounds much easier if y'all can provide that.

@nebulon As to tensorflow...I just modified their production Dockerfile. I assume it works as of yet.

@nebulon Yes, If you checkout my GitHub issue on the PhotoPrism I address that issue. Basically, PhotoPrism doesn't release builds, they release a docker image. That image is built on Ubuntu 12.10. To make the build compatible with 12.04 I had to rebuild their dev image which is what that image is. Before I duplicated all that I was waiting to see if they had any feedback to optimize the process.

Okay, I decided to take a crack at packaging this and was surprisingly successful.

I've detailed some of the more technical things over on the PhotoPrism Github: https://github.com/photoprism/photoprism/issues/1284

For anyone who wants to expriment the docker image is moonmeister/cloudron-photoprism:0.1.3 and the configs can be found here https://github.com/moonmeister/photoprism/tree/feat/cloudron-image/docker/cloudron

PLEASE NOTE: "Working" is currently defined as "You can log in". Basic features like, uploading photos are still broken.

@girish I'm currious what you need when this is all working to publish. Meaning, do you need a dedicated repo with the manifest and Dockerfiles and all associated info? Can this be anywhere or does it need to be in the cloudron gitlab? Or can this stuff live in the PhotoPrism repository in a subfolder?

I think that's everything I have for now. Anything else I should know? thanks.

I've had a problem with various LDAP configs being contradictory in whether they require an email or username. My password manager, and I suppose any, can't know when to do one or the other short of duplicating the username and password for each site...which seems ridiculous.

Anyway, in WordPress I was able to modify the LDAP filter config:

Orginal: (username=%s)

Modified: (mail=%s)

This has worked well but seems to revert every time the app is restarted.

Ideally it'd be nice if apps could more consistently use email for login but that's probably a big ask that might be fraught with issues. I'd just be happy if the modified config was permanent. Is there anything that can be done about this? Thanks.

@girish will do

@nebulon I'd be interested in sponsoring this to happen. Not sure how much $$ that'd be but if you or someone else is interested please let me know.

Just ran across this tool: https://www.mail-tester.com

Could be super helpful for folks.

https://answers.microsoft.com/en-us/outlook_com/forum/all/how-to-request-to-whitelist-a-domain-on-microsoft/3b6e2b4c-32e9-4e76-af38-dd0982e526b6

Has good info on solving Microsoft specific problems.

@andxclfor I've run into this as well. Though I get an undeliverable error usually. Basically, Microsoft uses a very broad blacklist that adds entire subnets to the list if there is one bad actor on the subnet. So I get blocked because someone else on DO is being bad.

Looks like there is a an official Joplin server. https://discourse.joplinapp.org/t/joplin-server-pre-release-is-now-available/13605

It'd be nice to see that combined with the web app for cloudron.

@girish Just when I thought I understood DNS I learn about negative caching. Not sure if this was the issue, but it is possible. Thanks.

@girish Thanks

When I created a second site on my WP Multi-site setup it had no SMTP config in the new mail plugin(SMTP Mailer). I tried to configure it by copy paste but short of opening up the db or retrieving it from the env var via copy paste I had no way of accessing the SMTP password. Meaning if it ever changed mail would not send. I tried to see if I could setup the config globally but an old discussion confirmed it wasn't possible.

I switched back to WP Mail SMTP and saw it couldn't be configured via the Network UI without the PRO version. But after some digging I confirmed Setting the config via wp_config.php variables works just fine.

define( 'WPMS_ON', true ); // True turns on the whole constants support and usage, false turns it off.

define( 'WPMS_MAIL_FROM', getenv('CLOUDRON_MAIL_FROM') );
define( 'WPMS_MAIL_FROM_FORCE', true ); // True turns it on, false turns it off.
//define( 'WPMS_MAIL_FROM_NAME', 'From Name' );
define( 'WPMS_MAIL_FROM_NAME_FORCE', true ); // True turns it on, false turns it off.
define( 'WPMS_MAILER', 'smtp' ); // Possible values: 'mail', 'smtpcom', 'sendinblue', 'mailgun', 'sendgrid', 'gmail', 'smtp'.
define( 'WPMS_SET_RETURN_PATH', true ); // Sets $phpmailer->Sender if true, relevant only for Other SMTP mailer.

define( 'WPMS_SMTP_HOST', getenv('CLOUDRON_MAIL_SMTP_SERVER')); // The SMTP mail host.
define( 'WPMS_SMTP_PORT', getenv('CLOUDRON_MAIL_SMTP_PORT') ); // The SMTP server port number.
define( 'WPMS_SSL', '' ); // Possible values '', 'ssl', 'tls' - note TLS is not STARTTLS.
define( 'WPMS_SMTP_AUTH', true ); // True turns it on, false turns it off.
define( 'WPMS_SMTP_USER', getenv('CLOUDRON_MAIL_SMTP_USERNAME') ); // SMTP authentication username, only used if WPMS_SMTP_AUTH is true.
define( 'WPMS_SMTP_PASS', getenv('CLOUDRON_MAIL_SMTP_PASSWORD') ); // SMTP authentication password, only used if WPMS_SMTP_AUTH is true.
define( 'WPMS_SMTP_AUTOTLS', true ); // True turns it on, false turns it off.

This config means everything is configured across all sites in the install and each site can individually set the"From Name".

This seems like a much better default for the multi-site setup. The only thing that's not ideal is it'd be nice to be able to allow sending from different from address, including different domains configured in cloudron. username and password doesn't have to change but allowing different from address would be nice.

@girish Just read why you switched the plugin to SMTP Mailer...is there a solution I haven't found that can be used with that plugin?

I was just working on multi-site WP Setup and had an issue with not being able to reach a site I created. I had setup the wildcard alias, I confirmed it made it to my DNS provider (gandi.net). nslookup confirmed the lookup was failing.

$ nslookup gg.api.domain.net
Server:  UnKnown
Address:  2001:4888:24:ff00:223:d::

*** UnKnown can't find gg.api.domain.net: Non-existent domain

I randomly did a different subdomain and got an interesting result...it worked.

$ nslookup blah.api.domain.net
Server:  UnKnown
Address:  2001:4888:24:ff00:223:d::

Non-authoritative answer:
Name:    blah.api.domain.net
Address:  167.99.168.xxx

This mad me wonder if the 2 letter domain was causing the issue. I changed the subdomain in the WP Network panel to something longer, and everything started working.

I'm not sure if this is a Gandi limitation, a DNS limitation, or something else. But in-case others ran across this issue, I thought I'd give folks a heads up.

This would be great.