This is an interesting one. In my ASP.NET (.NET 8) app with Identity authentication, I have an implementation of IEmailSender<AppUser> (we'll call it IdentityEmailService). The IdentityEmailService is registered with a transient scope and only depends on singletons. Internally, it uses MailKit to send email via anonymous SMTP relay. The SMTP request is validated via IP address, so no certificate is needed.
I have a DebugController that I use in conjunction with Postman to test the SendEmailConfirmationLink method of the IdentityEmailService.
If I trigger the SendEmailConfirmationLink function via the debug controller, everything works fine. However, if I hit an Identity endpoint that triggers the same SendEmailConfirmationLink function, then I get an error from the relay server:
5.7.64 TenantAttribution; Relay Access Denied [ValidationStatus of '' is EmptyCertificate]
IdentityEmailService is definitely being used for both calls. Also, the MailKit SmtpClient looks the same (if I put a breakpoint and compare the properties of both clients just before calling the send function).
The only difference I can think of is that the Identity library invokes the service outside of any DI scope, whereas the DebugController does have a scope, but since the service only depends on singletons, I don't see how it would change anything.
Figured it out. It was because the SMTP server was apparently configured to only allow outbound recipients for certain domains. My two tests used different recipient addresses, one of which was a Gmail address, which apparently is disallowed.