fix: leverage Nodemailer error codes for better retry logic and UI messages

andris9 · andris9 · commit 0f3068abc4b6 · 2026-02-05T11:10:49.000+02:00
Add ENOAUTH and EOAUTH2 to SMTP error descriptions so OAuth2 failures
produce proper status objects. Discard non-retryable errors (EAUTH,
ENOAUTH, EOAUTH2, ETLS, EENVELOPE, EMESSAGE, EPROTOCOL) immediately in
the submit worker instead of retrying up to 10 times. Extend SMTP
verification switch statements with human-readable messages for six
additional error codes.
diff --git a/lib/email-client/message-builder.js b/lib/email-client/message-builder.js
@@ -467,7 +467,9 @@ const SMTP_ERROR_DESCRIPTIONS = {
     EDNS: settings => `EmailEngine failed to resolve DNS record for ${settings.host}`,
     ECONNECTION: settings => `EmailEngine failed to establish TCP connection against ${settings.host}`,
     EPROTOCOL: settings => `Unexpected response from ${settings.host}`,
-    EAUTH: () => 'Authentication failed'
+    EAUTH: () => 'Authentication failed',
+    ENOAUTH: () => 'Authentication credentials were not provided',
+    EOAUTH2: () => 'OAuth2 token generation or refresh failed'
 };
 
 /**
diff --git a/lib/routes-ui.js b/lib/routes-ui.js
@@ -4937,11 +4937,29 @@ ${Buffer.from(data.content, 'base64url').toString('base64')}
                             case 'EAUTH':
                                 verifyResult.smtp.error = request.app.gt.gettext('Invalid username or password');
                                 break;
+                            case 'ENOAUTH':
+                                verifyResult.smtp.error = request.app.gt.gettext('Authentication credentials were not provided');
+                                break;
+                            case 'EOAUTH2':
+                                verifyResult.smtp.error = request.app.gt.gettext('OAuth2 authentication failed');
+                                break;
+                            case 'ETLS':
+                                verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
+                                break;
                             case 'ESOCKET':
                                 if (/openssl/.test(verifyResult.smtp.error)) {
                                     verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
                                 }
                                 break;
+                            case 'ETIMEDOUT':
+                                verifyResult.smtp.error = request.app.gt.gettext('Connection timed out');
+                                break;
+                            case 'ECONNECTION':
+                                verifyResult.smtp.error = request.app.gt.gettext('Could not connect to server');
+                                break;
+                            case 'EPROTOCOL':
+                                verifyResult.smtp.error = request.app.gt.gettext('Unexpected server response');
+                                break;
                         }
                     }
                 }
diff --git a/lib/ui-routes/account-routes.js b/lib/ui-routes/account-routes.js
@@ -819,11 +819,29 @@ function init(args) {
                             case 'EAUTH':
                                 verifyResult.smtp.error = request.app.gt.gettext('Invalid username or password');
                                 break;
+                            case 'ENOAUTH':
+                                verifyResult.smtp.error = request.app.gt.gettext('Authentication credentials were not provided');
+                                break;
+                            case 'EOAUTH2':
+                                verifyResult.smtp.error = request.app.gt.gettext('OAuth2 authentication failed');
+                                break;
+                            case 'ETLS':
+                                verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
+                                break;
                             case 'ESOCKET':
                                 if (/openssl/.test(verifyResult.smtp.error)) {
                                     verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
                                 }
                                 break;
+                            case 'ETIMEDOUT':
+                                verifyResult.smtp.error = request.app.gt.gettext('Connection timed out');
+                                break;
+                            case 'ECONNECTION':
+                                verifyResult.smtp.error = request.app.gt.gettext('Could not connect to server');
+                                break;
+                            case 'EPROTOCOL':
+                                verifyResult.smtp.error = request.app.gt.gettext('Unexpected server response');
+                                break;
                         }
                     }
                 }
diff --git a/lib/ui-routes/admin-entities-routes.js b/lib/ui-routes/admin-entities-routes.js
@@ -2022,11 +2022,29 @@ return payload;`)
                             case 'EAUTH':
                                 verifyResult.smtp.error = request.app.gt.gettext('Invalid username or password');
                                 break;
+                            case 'ENOAUTH':
+                                verifyResult.smtp.error = request.app.gt.gettext('Authentication credentials were not provided');
+                                break;
+                            case 'EOAUTH2':
+                                verifyResult.smtp.error = request.app.gt.gettext('OAuth2 authentication failed');
+                                break;
+                            case 'ETLS':
+                                verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
+                                break;
                             case 'ESOCKET':
                                 if (/openssl/.test(verifyResult.smtp.error)) {
                                     verifyResult.smtp.error = request.app.gt.gettext('TLS protocol error');
                                 }
                                 break;
+                            case 'ETIMEDOUT':
+                                verifyResult.smtp.error = request.app.gt.gettext('Connection timed out');
+                                break;
+                            case 'ECONNECTION':
+                                verifyResult.smtp.error = request.app.gt.gettext('Could not connect to server');
+                                break;
+                            case 'EPROTOCOL':
+                                verifyResult.smtp.error = request.app.gt.gettext('Unexpected server response');
+                                break;
                         }
                     }
                 }
diff --git a/workers/submit.js b/workers/submit.js
@@ -295,7 +295,19 @@ const submitWorker = new Worker(
                 // ignore
             }
 
-            if (err.statusCode >= 500 && err.statusCode !== 503 && job.attemptsMade < job.opts.attempts) {
+            const NON_RETRYABLE_CODES = new Set([
+                'EAUTH', // authentication failed
+                'ENOAUTH', // no credentials provided
+                'EOAUTH2', // OAuth2 token failure
+                'ETLS', // TLS handshake failed
+                'EENVELOPE', // invalid sender/recipients
+                'EMESSAGE', // message content error
+                'EPROTOCOL' // SMTP protocol mismatch
+            ]);
+
+            const isPermanentSmtp = err.statusCode >= 500 && err.statusCode !== 503;
+            const isPermanentCode = NON_RETRYABLE_CODES.has(err.code);
+            if ((isPermanentSmtp || isPermanentCode) && job.attemptsMade < job.opts.attempts) {
                 try {
                     // do not retry after 5xx error (except 503 which is transient)
                     await job.discard();
