Hi! I’m interested in processing incoming email on fly for a project of mine. I’m picturing the fly app handling smtp + email parsing, then sending messages to a separate http service for handling. This seems like a convenient way to run the smtp part, and lets me keep my http server behind cloudflare (compared to also handling smtp on that server and pointing an unproxyed mx record at it). I gave this a shot with the experimental config mentioned in Custom TCP ports but couldn’t seem to get anything through on port 25.
If that’s the case, I’d also be interested to hear your thoughts on how tls would work. I imagine I wouldn’t be able to use the tls handler because of starttls, so either I’d need to provision certs myself or somehow access the ones that fly provisions.
I think we should open the SMTP ports for inbound email processing. We’re about halfway done allowing all ports, but we can look at doing these early. This sounds like a cool app to me!
TLS is interesting, I honestly don’t know much about TLS for SMTP. Assuming mail servers do SNI properly, it may just work with our TLS handler. If that doesn’t work, you will need your own certs. We’ve had requests for API access to the certs we manage but haven’t tackled that yet.
Just gave it a try, it lets me deploy the application on port 25, but I’m unable to connect to it from the outside.
From my test machine: telnet {ip} 25 results in telnet: Unable to connect to remote host: Connection refused
Whereas: telnet gmail-smtp-in.l.google.com 25 actually connects, so I at least know the issue isn’t outbound filtering.
I had the app previously successfully accepting mail by deploying it on port 10000 and proxying port 25 traffic to it from another server, and it’s passing the tcp healthchecks. Could the inbound port be blocked somewhere on your end?
I looked into tls briefly. My understanding is that a typical expectation for mail servers is:
port 25: try to upgrade via starttls; server decides whether non-upgraded sessions are allowed
port 465: smtp over tls
port 587: like port 25, but require tls upgrading
The port 465 standard does seem like it could work if the port was available: I set up a tls handler on another port and got mail through with swaks --tls-sni myapp.fly.dev --tlsc .... That flag was only recently added to swaks, though, so I have no idea how common it is for mail clients to actually do sni.
Ports 25 and 587 seem like they would work if I managed certs myself. Conceptually it seems simple to have something periodically write certs to a fly secret, but I’m fuzzy on the details. Doing an acme http challenge from my app on fly seems hairy since I’d need to serve smtp and http from one image, right? Or maybe I could run something externally that uses a dns challenge? Access to the raw TLS certs via the Fly API would also solve this, I think.
I’d been meaning to set up cert-manager anyway, so I’ve now got that running outside of fly with dns challenges. I’m still working on the best way to deploy the certs.
I was planning to put the key + cert into secrets so that my external cron could run flyctl secrets set instead of a build/deploy. But, the cert (in pem format) turns out to be too big for that: it’s ~5kb and secrets are limited to 4kb. For now I’ve set it via an env var in flyctl deploy.
I think could avoid a build by finding the current image via fly’s registry and passing it to flyctl deploy --image, but that seems like a hassle. My best idea right now is to just chop up the cert into 4kb chunks and concat them at startup. Anyone got a better idea?
Just investigating this, and noticed that the client IP (eg 93.187.216.173) that connects on port 25 is the edge proxy IP (I assume anyway, since it’s always the same regardless of which client I actually connect from).
Is there an option to setup a SMTP handler, like the HTTP ones, that support the SMTP proxy functionality, so that we can get the real client IP ?
To close the loop here: I finally got back to this project and everything is working beautifully! The secrets limit has been raised, and now that all ports are allowed I can run on 25, 465, and 587.
In case it’s helpful for others working on smtp, here’s the relevant bits of my fly.toml:
[[services]]
internal_port = 25
protocol = "tcp"
[[services.ports]]
port = 25
[[services.ports]]
handlers = ["tls"]
port = 465
[[services.ports]]
port = 587
Thanks for all the improvements along the way! I’m really excited to cut traffic over from my old server.
I’d be interested in seeing your postfix config & dockerfile if you are able to share. I’m struggling right now with starttls specifically, and am wondering if you have solved that.
