- changed status to closed
Monit attempts to use IPv6 to send email when IPv6 is disabled
When IPv6 is disabled in the kernel, Monit still tries to use it when contacting the SMTP server, which causes this error:
Cannot create socket to [xxxxxxxx.yyyyyy.com]:1025 -- Cannot create socket to [2607:...:...:...::157]:1025 -- Address family not supported by protocol
Cannot open a connection to the mailserver xxxxxxxx.yyyyyy.com:1025 -- Address family not supported by protocol
Mail: Delivery failed -- no mail server is available
Alert handler failed, retry scheduled for next cycle
The SMTP server address resolves to both IPv4 and IPv6.
Ideally, if IPv6 is disabled, Monit should ignore AAAA (IPv6) DNS records and only use A (IPv4).
If this is not possible or difficult to implement, Monit should at least try A (IPv4) record if AAAA (IPv6) fails.
With the current behavior email delivery doesn’t work at all if Monit happens to receive AAAA record first. Not even sure if there are any workarounds apart from adding SMTP address to the hosts file.
Comments (5)
-
-
Account Deleted reporter The name resolves correctly:
```
Non-authoritative answer:
Name: xxxxxxxx.yyyyyy.com
Address: aaa.bbb.ccc.ddd <-- IPv4
Name: xxxxxxxx.yyyyyy.com
Address: 2607:...:...:...::157 <-- IPv6
```
This is what `getaddrinfo` returns for this address:
```
AddressFamily.AF_INET: 2, SocketKind.SOCK_STREAM: 1, aaa.bbb.ccc.ddd <-- IPv4
AddressFamily.AF_INET: 2, SocketKind.SOCK_DGRAM: 2, aaa.bbb.ccc.ddd <-- IPv4
AddressFamily.AF_INET: 2, SocketKind.SOCK_RAW: 3, 0, aaa.bbb.ccc.ddd <-- IPv4
AddressFamily.AF_INET6: 10, SocketKind.SOCK_STREAM: 1, 2607:...:...:...::157 <-- IPv6
AddressFamily.AF_INET6: 10, SocketKind.SOCK_DGRAM: 2, 2607:...:...:...::157 <-- IPv6
AddressFamily.AF_INET6: 10, SocketKind.SOCK_RAW: 3, 2607:...:...:...::157 <-- IPv6
```
Also, other apps (like `ssmtp`) can send emails without any problems to the same SMTP server, so whether bug or not, this is clearly specific to Monit.
I will investigate this issue further and post the results here.
Not sure why you closed the bug though, as the issue is not resolved.
-
- changed status to open
Opening the issue again, hoping for more debug info then. It was closed because this looks like a local configuration issue. FYI: I have added a debug statement during connect so you can see the actual error message and how many times Monit tries to connect. Please check out master and build Monit from source. To run Monit in debug mode and print debug messages to the console, start Monit like so:
monit -Iv
-
Account Deleted reporter So after some investigation it looks like the DNS resolution is indeed working as expected, but the real problem is in the missing log.
I added even more logs and re-compiled Monit, and it turns out that Monit actually first tries IPv4, but connection fails. However, no error message is logged at all for this failed attempt (unless running Monit with `-Iv` as you suggested), so when Monit goes to try next `addrinfo` record (which is IPv6) and fails, it looks from the logs like it never actually tried IPv4.
With extra logs I can see that first (IPv4) connection fails with `error:1408F10B:SSL routines:ssl3_get_record:wrong version number`, which is fine because the SMTP server only supports SSLV3 which Monit disables by default.
So my suggestion is to fix logging and log an error when the first connection error happens. Also, when trying next `addrinfo` it may be helpful to indicate this in logs, something like this would be nice:
```
Trying to create socket using next address record (2/2) ....
```
Also, I have a few questions about mailserver config, as I cannot find it in the documentation and not sure what is the right place to ask (but the questions somewhat related to this bug report anyway):
- Is there a way to explicitly tell Monit to use STARTTLS and LOGIN authentication? For example, my SMTP server supports PLAIN and LOGIN and they are reported as `AUTH=PLAIN LOGIN`, I obviously prefer to use LOGIN but Monit seems to always use `PLAIN` (probably because it comes first).
- Config for `MAILSERVER` has line `[using SSL [with options {...}]` but what is the exact format for ssl options? How can I tell Monit to only use obsolete SSLV3 for the mailserver? I tried `using SSL with options version SSLV3` but it doesn’t work.
-
- changed status to closed
> So after some investigation it looks like the DNS resolution is indeed working as expected, but the real problem is in the missing log.
I thought as much so added the debug statement. It can indeed be a problem that only the last error is logged, which might not indicate the root cause. Previously we logged all connection errors, but that was too much again. I think the current solution with debug output will have to suffice as a compromise.
This is not a support forum, but try
set mailserver localhost port 25 with username xxx and password yyy use SSL {version: SSLv3}
Both plain and login are supported, but plain has precedence and is tried first if the server declares it supports plain. There is no way to set preferred auth method.
Monit does try to connect to all addresses the name resolves to. If it cannot connect to IPv6 it will try the next address. Maybe there is something wrong with this name in DNS? If you only need IPv4 support, you should compile Monit without IPv6 support and this problem at least should go away.
./configure --without-ipv6
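
The connect loop discussed in this thread, as an added example that is not Monit's code: it walks the `getaddrinfo` records in order and logs every failed attempt, so an earlier IPv4 TLS error is not hidden behind the later IPv6 error. The records, the `fake_connector` stand-in and all function names are constructed for illustration.

```python
import errno
import socket

def resolve(host, port):
    # SOCK_STREAM avoids the duplicate DGRAM/RAW records; AI_ADDRCONFIG asks the
    # resolver to skip AAAA results when the host has no IPv6 address configured.
    return socket.getaddrinfo(host, port, type=socket.SOCK_STREAM,
                              flags=socket.AI_ADDRCONFIG)

def tcp_connect(family, socktype, proto, sockaddr, timeout):
    sock = socket.socket(family, socktype, proto)  # EAFNOSUPPORT is raised here
    try:
        sock.settimeout(timeout)
        sock.connect(sockaddr)
        return sock
    except OSError:
        sock.close()
        raise

def connect_any(records, connector=tcp_connect, timeout=5.0, log=print):
    """Try every record in order and log each failure, not only the last one."""
    failures = []
    for n, (family, socktype, proto, _name, sockaddr) in enumerate(records, 1):
        log(f"Trying address record ({n}/{len(records)}): {sockaddr[0]}:{sockaddr[1]}")
        try:
            return connector(family, socktype, proto, sockaddr, timeout), failures
        except OSError as exc:
            failures.append((sockaddr[0], str(exc)))
            log(f"Connection to {sockaddr[0]} failed: {exc}")
    return None, failures

# Constructed records (documentation addresses) and a stand-in connector that
# fails the way the thread describes: a TLS error on IPv4, then no IPv6 support.
SAMPLE = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 1025)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::157", 1025, 0, 0)),
]

def fake_connector(family, socktype, proto, sockaddr, timeout):
    if family == socket.AF_INET:
        raise OSError("wrong version number")
    raise OSError(errno.EAFNOSUPPORT, "Address family not supported by protocol")

def demo():
    lines = []
    sock, failures = connect_any(SAMPLE, fake_connector, log=lines.append)
    return sock, failures, lines

if __name__ == "__main__":
    print("\n".join(demo()[2]))
```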