Hey guys... I'm looking mostly for kubernetes advice/help, but of course I'd prefer the advice to support using pulumi. I have an asp.net core web application that is trying to send SMTP but it is failing. I think that my app can't talk using SMTP out of the container/pod and so it can't connect to the external email provider (ProofPoint). Any ideas on Kubernetes configuration that will be executed in Pulumi? My google-fu is failing, so I'm hoping I can find some guidance here.
do you have any error message? Generally, all outbound ports will work in k8s in default setups, but it's very possible it's getting blocked by something externally
Thanks for your thoughts Lee. Here is what I've found so far. This picture is what led me to believe it was the SMTP provider (ProofPoint).
I found these in the nginx ingress controller pod in the logs
[Apr 13, 2020 11:06:49 AM GMT-6]
2020/04/13 17:06:49 [error] 35#35: *3067368 upstream timed out (110: Connection timed out) while reading response header from upstream, client:, server: auth.<snipped>.com, request: "POST /Manage/SendVerificationEmail HTTP/2.0", upstream: "<>", host: "auth.<snipped>.com"
[Apr 13, 2020 11:06:49 AM GMT-6] - - [13/Apr/2020:17:06:49 +0000] "POST /Manage/SendVerificationEmail HTTP/2.0" 504 173 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0" 405 60.407 [default-<snipped>-identity-sts-svc-80] [] 0 60.004 504 57dd3ac17974fbce71f247782d6f52ce
Mucking around with ports and config, I eventually get this from nginx as well.
I put a dnsutils sidecar in the pod and tried to ping proofpoint from within the pod. This might be due to the k8s Services not being set up correctly as well. I'm flailing a little. This eventually did 30 rows of
* * *
And my current egress network policy for k8s
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-network-policy
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - {}
This may be a problem with proofpoint. We're going to try something else today.
By trying a different SMTP (not ProofPoint) we are getting failure to authenticate messages from that server, so this is progress. It isn't the k8s egress policy. Thanks for helping!
looks like you went through most of the troubleshooting steps I would have recommended, glad I could be of some help! I had a quick search, and it seems proofpoint needs you to add your outbound address to allowed IPs: https://help.proofpoint.com/Proofpoint_Essentials/Unable_to_send_emails_through_Proofpoint_Essentials_outbound_relay_feature. Which would explain the connection timed out message
@billowy-army-68599 Thanks for your remote rubber duck debugging 😄 In the end, we sorted the authentication issues and created an account for the service to email from directly on O365. We do have a ticket in with ProofPoint to try and sort this out, but that may be a while, so we just forged ahead. So in the end, it was a Proofpoint problem and not a k8s problem, especially with my very liberal egress policy, which I'll work to dial back over time.