How to get Sendgrid Inbound Parse Webhook working in rails app on production?

Question

I’m trying to build a rails app that will process inbound mail. I got the app to work on my localhost machine using the Rails conductor and action mailbox. When an email gets sent, I’m able to save the contents of the email. But I’m having difficulty getting it to work on a production environment…I’m not sure how to configure my domain and settings to get it to work.

I’ve been following the instructions here: https://edgeguides.rubyonrails.org/action_mailbox_basics.html#sendgrid and https://sendgrid.com/docs/for-developers/parsing-email/setting-up-the-inbound-parse-webhook/

I included this in my rails credentials:

action_mailbox: ingress_password: mypassword

I have set up an MX record on google domains:

parse.[mydomain].com



I pointed to a Hostname and URL.

https://actionmailbox:mypassword@parse.[mydomain].com/rails/action_mailbox/sendgrid/inbound_emails

I send an email from my email account to

parse@parse.[mydomain].com

but I’m not able to test or track what is happening to this email. I don’t receive an error message back to my email as a reply, so I think that’s a good sign but I’m not sure whether it’s being processed or how to troubleshoot. I even put a puts ‘test’ in my replies_mailbox.rb file but I don’t see anything in the console when I tail logs on production.

Any advice on what next steps I can take?

Answer 1

I spent two weeks on what seems like this same issue and found one possible answer that worked for me, crossposted in SendGrid's GH Issues: https://github.com/sendgrid/opensource/issues/22):

Problem:

• Localhost: my endpoint route was working correctly. I was able to receive and parse both SendGrid (through a local tunnel -- both cloudflare and localtunnel) and Postman POSTs.
• Production: my endpoint route was working fine when tested with Postman and when tested with SendGrid POSTs when sent to a cloudflare tunnel that pointed at my live site. However the SendGrid POSTs that were sent directly to my site seemed to fall into a black hole. They never made it. I did not have any agent blocks or any IPs blacklisted, so I wasn't sure what was going on.

Solution:

• After a lot of back and forth with the support team, I learned that SendGrid Inbound Parse seems to only support TLS 1.2... My site was using TLS 1.3. Local tunnels generated full backwards compatability SSL certs which is why the POSTs would work there, but not directly to my site.
• To identify if this is an issue for you, you can test your site at: https://www.ssllabs.com/ssltest/analyze.html ... once it is done, there will be a section that shows you what your site supports:
• If you don't have green for TLS 1.2, then you need to update your server to support this.

I used NGINX and CertBot. To update them:

• SSL into your server and use sudo NGINX -T to see what your current configuration is, and where it is.
• Open up that config with sudo /etc/nginx/snippets/ssl-params.conf (or whatever your actual path and preferred editors are.. and make sure to use the path from the -T call b/c you might end up updating the wrong config).
• Look for the line that says ssl_protocols.... you need to update it to read ssl_protocols TLSv1.3 TLSv1.2;
• You may also need to add specific ciphers and a path to a dhparam if you don't already have one generated and linked. This is what the relevant portion of my final file looks like:

ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

• Exit out, make sure your new config works with sudo service nginx configtest and then restart NGINX with sudo service nginx restart
• Test your site again on SSLLabs and make sure it supports TLS 1.2

I then sent another inbound parse to SenGrid and was able to confirm that it hit my site, was logged, and was processed.

Answer 2

When dealing with integration testing it's useful to split the issue into smaller ones, in order of email path

1. Check if mx dns record has propagated, usually when you edit your zone - other dns servers may still respond with old records until zone TTL passes (it is usually set to several hours), use some remote dns checker
2. Check sendgrid settings (including "Post the raw, full MIME message" which is expected by actionmailbox, so that sendgrid posts 'email' field)
3. Check if the email is being dropped by spam filter in sengrid
4. check if the request is present in your web server/reverse proxy logs (like nginx, if you use one)
5. Try mimicking sendgrid's request to check if your app is accepting it (and if it is in logs), rails only reads params[:email], other fields are not necessary:

   curl -X POST "https://actionmailbox:mypassword@parse.[mydomain].com/rails/action_mailbox/sendgrid/inbound_emails" \
        -F email="From: foo <abc@localhost>\nTo: bar <bca@localhost>\nSubject: test\nMIME-Version: 1.0\n\nTest!"
   

I'd start with #5, to be sure your app is accepting email correctly and has logs, and then go up.

PS. puts might not appear in logs in production (or not where you expect it to appear) depending on you logging setup. Better way is to use Rails.logger.info