Monit attempts to use IPv6 to send email when IPv6 is disabled

Issue #833 closed
Former user created an issue

When IPv6 is disabled in the kernel, Monit still tries to use it when contacting the SMTP server, which causes an error:

Cannot create socket to [xxxxxxxx.yyyyyy.com]:1025 -- Cannot create socket to [2607:...:...:...::157]:1025 -- Address family not supported by protocol
Cannot open a connection to the mailserver xxxxxxxx.yyyyyy.com:1025 -- Address family not supported by protocol
Mail: Delivery failed -- no mail server is available
Alert handler failed, retry scheduled for next cycle

The SMTP server address resolves to both IPv4 and IPv6.

Ideally, if IPv6 is disabled, Monit should ignore AAAA (IPv6) DNS records and only use A (IPv4).

If this is not possible or difficult to implement, Monit should at least try A (IPv4) record if AAAA (IPv6) fails.

With the current behavior email delivery doesn’t work at all if Monit happens to receive AAAA record first. Not even sure if there are any workarounds apart from adding SMTP address to the hosts file.

Comments (5)

  1. Former user Account Deleted reporter

    The name resolves correctly:

    Non-authoritative answer:
    Name:   xxxxxxxx.yyyyyy.com
    Address: aaa.bbb.ccc.ddd        <-- IPv4
    Name:   xxxxxxxx.yyyyyy.com
    Address: 2607:...:...:...::157  <-- IPv6
    

    This is what `getaddrinfo` returns for this address:

    AddressFamily.AF_INET: 2, SocketKind.SOCK_STREAM: 1, aaa.bbb.ccc.ddd          <-- IPv4
    AddressFamily.AF_INET: 2, SocketKind.SOCK_DGRAM: 2, aaa.bbb.ccc.ddd           <-- IPv4
    AddressFamily.AF_INET: 2, SocketKind.SOCK_RAW: 3, 0, aaa.bbb.ccc.ddd          <-- IPv4
    AddressFamily.AF_INET6: 10, SocketKind.SOCK_STREAM: 1, 2607:...:...:...::157  <-- IPv6
    AddressFamily.AF_INET6: 10, SocketKind.SOCK_DGRAM: 2, 2607:...:...:...::157   <-- IPv6
    AddressFamily.AF_INET6: 10, SocketKind.SOCK_RAW: 3, 2607:...:...:...::157     <-- IPv6
    

    Also, other apps (like ssmtp) can send emails without any problems to the same SMTP server, so whether bug or not, this is clearly specific to Monit.

    I will investigate this issue further and post the results here.

    Not sure why you closed the bug though, as the issue is not resolved.

  2. hauk
    • changed status to open

    Opening the issue again, hoping for more debug info then. It was closed because this looks like a local configuration issue. FYI: I have added a debug statement during connect so you can see the actual error message and how many times Monit tries to connect. Please check out master and build Monit from source. To run Monit in debug mode and print debug messages to the console, start Monit like so: `monit -Iv`

  3. Former user Account Deleted reporter

    So after some investigation it looks like the DNS resolution is indeed working as expected, but the real problem is in the missing log.

    I added even more logs and re-compiled Monit, and it turns out that Monit actually first tries IPv4, but connection fails. However, no error message is logged at all for this failed attempt (unless running Monit with -Iv as you suggested), so when Monit goes to try next addrinfo record (which is IPv6) and fails, it looks from the logs like it never actually tried IPv4.

    With extra logs I can see that first (IPv4) connection fails with error:1408F10B:SSL routines:ssl3_get_record:wrong version number, which is fine because the SMTP server only supports SSLV3 which Monit disables by default.

    So my suggestion is to fix logging and log an error when the first connection error happens. Also, when trying next addrinfo it may be helpful to indicate this in logs, something like this would be nice:

    Trying to create socket using next address record (2/2) ....
    

    Also, I have a few questions about mailserver config, as I cannot find it in the documentation and not sure what is the right place to ask (but the questions somewhat related to this bug report anyway):

    • Is there a way to explicitly tell Monit to use STARTTLS and LOGIN authentication? For example, my SMTP server supports PLAIN and LOGIN and they are reported as AUTH=PLAIN LOGIN, I obviously prefer to use LOGIN but Monit seems to always use PLAIN (probably because it comes first).
    • Config for MAILSERVER has line `[using SSL [with options {...}]` but what is the exact format for ssl options? How can I tell Monit to only use obsolete SSLV3 for the mailserver? I tried using SSL with options version SSLV3 but it doesn’t work.

  4. hauk

    So after some investigation it looks like the DNS resolution is indeed working as expected, but the real problem is in the missing log.

    I thought as much so added the debug statement. It can indeed be a problem that only the last error is logged, which might not indicate the root cause. Previously we logged all connection errors, but that was too much again. I think the current solution with debug output will have to suffice as a compromise.

    This is not a support forum, but try

    set mailserver localhost port 25
        with username xxx and password yyy
        use SSL {version: SSLv3}
    

    Both plain and login are supported, but plain has precedence and is tried first if the server declares it supports plain. There is no way to set a preferred auth method.
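
The logging gap discussed in this thread, as an added example that is not Monit's code or part of any comment above: a connect loop over `getaddrinfo` records that keeps one line per failed attempt, so the first failure is not hidden by the last. The names `connect_any`, `connect_fn`, `stub_connect` and `demo` are hypothetical, and the stub's errors and two-record list are constructed (the IPv4 error stands in for the TLS failure the reporter found).

```c
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical connector: returns a descriptor >= 0, or -1 with errno set. */
typedef int (*connect_fn)(const struct addrinfo *ai);

/* Try every record from getaddrinfo(); append one line per failed attempt
 * to `report` so the first (root-cause) error is not lost. */
int connect_any(const struct addrinfo *list, connect_fn try_connect,
                char *report, size_t size)
{
    int total = 0, n = 0;
    size_t used = 0;
    for (const struct addrinfo *ai = list; ai; ai = ai->ai_next) total++;
    if (size > 0) report[0] = '\0';
    for (const struct addrinfo *ai = list; ai; ai = ai->ai_next) {
        int fd = try_connect(ai);
        if (fd >= 0) return fd;
        int err = errno;  /* save before snprintf can change it */
        n++;
        if (used < size) {  /* stop appending once the buffer is full */
            int w = snprintf(report + used, size - used,
                             "address record (%d/%d) %s: %s\n", n, total,
                             ai->ai_family == AF_INET6 ? "IPv6" : "IPv4",
                             strerror(err));
            if (w > 0) used += (size_t)w;
        }
    }
    return -1;  /* every record failed; report holds all the reasons */
}

/* Constructed stub: IPv4 is refused, IPv6 is unsupported on this host. */
static int stub_connect(const struct addrinfo *ai)
{
    errno = ai->ai_family == AF_INET6 ? EAFNOSUPPORT : ECONNREFUSED;
    return -1;
}

/* Constructed two-record list in the order the reporter saw: A, then AAAA. */
int demo(char *report, size_t size)
{
    struct addrinfo v6 = { .ai_family = AF_INET6, .ai_socktype = SOCK_STREAM };
    struct addrinfo v4 = { .ai_family = AF_INET, .ai_socktype = SOCK_STREAM,
                           .ai_next = &v6 };
    return connect_any(&v4, stub_connect, report, size);
}
```
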
