Watchtower: Failed to send notification email: 504 5.7.4 Unrecognized authentication type

Created on 25 Mar 2020  路  13Comments  路  Source: containrrr/watchtower

trying to get e-mail notifications to work with the following config:

version: '3'

services:
   watchtower:
      container_name: watchtower
      restart: always
      image: containrrr/watchtower
      environment:
      - WATCHTOWER_NOTIFICATIONS=email
      - [email protected]
      - [email protected]
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=host.domain.tld
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=587
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_USER=email_username
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PASSWORD=email_password
      - WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2
      - TZ=America/New_York
      volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      command: --debug --interval 300 --cleanup --label-enable

However I'm getting the following error:
Failed to send notification email: 504 5.7.4 Unrecognized authentication type

I'm guessing this is a smtp auth TLS type of issue. I didn't see an option to set TLS or SSL in watchtower.

I would appreciate some help.

Medium Blocked Stale Question

Most helpful comment

Yep the following docker-compose config works for unauthenticated SMTP relay over 25:

environment:
      - WATCHTOWER_NOTIFICATIONS=email
      - [email protected]
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.domain.tld
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25
      - WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2

All 13 comments

Hi there! 馃憢馃徏 As you're new to this repo, we'd like to suggest that you read our code of conduct as well as our contribution guidelines. Thanks a bunch for opening your first issue! 馃檹

Out of curiosity: Does it work if you skip the TLS verification? --notification-email-server-tls-skip-verify

In docker-compose.yml file I added the following:

WATCHTOWER_NOTIFICATION_EMAIL_SERVER_TLS_SKIP_VERIFY=yes

but I'm still having the same problem

As @piksel stated in https://github.com/containrrr/watchtower/issues/492#issuecomment-608553364, watchtower uses the go smtp library, which does not allow plain auth over unsecure connections, unless to localhost.

Is the email provider you're trying to integrate with actually serving tls/ssl connections on the port you specified?

It certainly is:

$ openssl s_client -starttls smtp -connect host.domain.tld:587

CONNECTED(00000005)
...
---
No client certificate CA names sent
Peer signing digest: SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5863 bytes and written 529 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA256
    Session-ID: 781E000041ABDA51D0859E1E5503BBA6FD3B58A874465541E0AC319EFA81657B
    Session-ID-ctx:
    Master-Key: A46C9C59ACE7DE5BE098E18AE2A3DDB62F5F48A32882E8EB622A2E798F7D6171CEA785A1144653DAAAA0DA2F98400D35
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1585997102
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 CHUNKING


I'm not sure which provider @deeztek is using but this same issue occurs with Office365 / outlook.com's smtp mail server.

O365 is my provider also

Yep, it turns out that O365 doesn't support PLAIN authentication (which is what net/smtp supports):

250 SMTPUTF8
EHLO fnizhej
250-LO2P265CA0068.outlook.office365.com Hello [RE.DA.CT.ED]
250-SIZE 157286400
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH LOGIN XOAUTH2
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 SMTPUTF8

Found the following statement.
Not sure why they think that sending USER\r\nPASS\r\n is so much more secure than sending \0USER\0PASS\0

Since #470 was merged, this will be fixed when shoutrrr gains Office365 support.

Not clear on this, but does watchtower support smtp relay with no authentication over 25?

I think that should work, it's the PLAIN authentication method that refuses to send the credentials over an unencrypted channel. I have not tried it though.

Yep the following docker-compose config works for unauthenticated SMTP relay over 25:

environment:
      - WATCHTOWER_NOTIFICATIONS=email
      - [email protected]
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER=smtp.domain.tld
      - WATCHTOWER_NOTIFICATION_EMAIL_SERVER_PORT=25
      - WATCHTOWER_NOTIFICATION_EMAIL_DELAY=2

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Was this page helpful?
0 / 5 - 0 ratings