
Supabase SMTP Integration Issue with Gmail - Solution Proposal #22296

Closed
@saschTa

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

SMTP Service degraded

I set up a custom SMTP service (Gmail Workspace relay) with Supabase projects a while ago.
Everything worked flawlessly, but since last week (21st of March 2024) sending out magic links and verification emails has been timing out.

In Discord similar issues pop up.

Auth Logs just show:
info: /magiclink | request started

EdgeAPI Logs show this response error by POST /auth/v1/magiclink:

{
...
  "origin_time": 60127,
  "status_code": 504
}

To Reproduce

Configure gmail smtp relay service

Supabase Config

  • use smtp-relay.gmail.com:465 as host
  • use an admin account of workspace with 2fa enabled and create app password for said account
  • use email of this account as user in supabase smtp config
  • use app password as password
  • use custom smtp server in supabase
  • use any sender email from your domain

Gcloud Workspace:

  • enable smtp relay service in google workspace and force tls.
  • Don't enforce IPs
  • allow sending from emails in your domain
  • create app password in your account settings

Supabase Emails

  • trigger a magic link or try to login with email verification on

Expected behavior

Emails should be sent successfully, as they were before the 21st of March.
Emails work with the exact same credential configuration using telnet or openssl.

Solution Proposal

Issue

So I dug through the Supabase auth code and found the culprit:

  • The Gmail Workspace relay service does not accept HELO localhost!
  • gomail, used in mailme, uses its default dialer, which in turn uses localhost as the HELO message, and Gmail rejects it: gomail default

Example gmail relay with localhost:

220 smtp-relay.gmail.com ESMTP m17-20020a5d6a11000000b0033e55077fd9sm4288wru.69 - gsmtp
helo localhost
421-4.7.0 Try again later, closing connection. (EHLO)
421-4.7.0  For more information, go to
421 4.7.0  https://support.google.com/a/answer/3221692 m17-20020a5d6a11000000b0033e55077fd9sm4288wru.69 - gsmtp
read:errno=0

Solution Proposal

mailme should do something along these lines:

	dial := gomail.NewPlainDialer(m.Host, m.Port, m.User, m.Pass)
	// Send an explicit HELO name instead of gomail's default "localhost".
	dial.LocalName = m.Host
	return dial.DialAndSend(mail)

GoMail PR

There is a gomail PR that aims to fix rejections caused by the default localhost HELO message, but I think supabase / supabase/auth should make sure not to rely on defaults here.
go mail fix pr

Additional context

I created a ticket with Google as well on this issue. Trying manual telnet to the SMTP relay service works fine with the same credentials provided to Supabase and a basic setup.
Google advised me that the IP of the Supabase instance was not blocked, so something must be wrong with the current implementation of the SMTP service at Supabase, which I mentioned above.
Here is a working example using openssl with the same credentials used for Supabase. Only the HELO message is not localhost.

openssl s_client -connect smtp-relay.gmail.com:465 -crlf
CONNECTED(00000005)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp-relay.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp-relay.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
{CERT}
subject=CN = smtp-relay.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4306 bytes and written 402 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
{SSL INFO}
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
{SSL INFO}
---
read R BLOCK
220 smtp-relay.gmail.com ESMTP cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
HELO smtp-relay.gmail.com        
250 smtp-relay.gmail.com at your service
auth login
334 VXNlcm5hbWU6
{email of workspace user base64 encoded}
334 UGFzc3dvcmQ6
{App Password of workspace user base64 encoded}
235 2.7.0 Accepted
mail from:<{email in domain}>
250 2.1.0 OK cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
rcpt to:<{some other email}>
250 2.1.5 OK cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
data
354  Go ahead cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
This is a test.
.
250 2.0.0 OK  1711554331 cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
quit
221 2.0.0 closing connection cm22-20020a170906f59600b00a4df3dcc089sm75400ejd.153 - gsmtp
read:errno=0
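
The failure mode described in this issue, reproduced offline as an added example (not code from the issue, Supabase or gomail): Go's standard `net/smtp` client, which also greets as `localhost` unless `Hello` is called, talks to a stub relay first with the default name and then with an explicit one. The stub `fakeRelay`, the `ProbeHelo` helper and the `example.test` hostnames are constructed for illustration; the stub models only the 421 reply shown in the first transcript.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/smtp"
	"strings"
)

// fakeRelay is a constructed stand-in for the relay behaviour in the issue:
// EHLO/HELO "localhost" gets 421, any other name gets 250. Unlike the real relay
// it stays open after 421, so net/smtp's automatic HELO retry also sees the 421.
func fakeRelay(conn net.Conn) {
	defer conn.Close()
	fmt.Fprint(conn, "220 relay.example.test ESMTP\r\n")
	for sc := bufio.NewScanner(conn); sc.Scan(); {
		f := strings.Fields(strings.ToUpper(sc.Text()))
		switch {
		case len(f) == 2 && (f[0] == "EHLO" || f[0] == "HELO") && f[1] != "LOCALHOST":
			fmt.Fprint(conn, "250 relay.example.test at your service\r\n")
		case len(f) > 0 && f[0] == "QUIT":
			fmt.Fprint(conn, "221 2.0.0 closing connection\r\n")
			return
		default: // localhost greeting, or a command this stub does not model
			fmt.Fprint(conn, "421 4.7.0 Try again later, closing connection.\r\n")
		}
	}
}

// ProbeHelo greets the stand-in relay as localName and returns the relay's verdict.
func ProbeHelo(localName string) error {
	client, server := net.Pipe() // in-memory connection, no network needed
	go fakeRelay(server)
	c, err := smtp.NewClient(client, "relay.example.test")
	if err != nil {
		return err
	}
	defer c.Close()
	if err = c.Hello(localName); err == nil {
		err = c.Quit()
	}
	return err
}

func main() {
	fmt.Println(ProbeHelo("localhost"), "|", ProbeHelo("mail.example.test"))
}
```

The same probe, pointed at a real relay instead of the stub, separates a rejected greeting from a credential or IP problem before any mail is queued.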

Labels: auth, bug