DigitalOcean Droplet - Mail config

Hi All,

Thanks to the community for this droplet - disclaimer, I’m not a sysadmin which is why I am using this install method.

I’m attempting to get droplet Version 3.7.3-1 Ubuntu 20.04 up and running and am having issues with the mail config.

I’ve confirmed with DO that mail is not blocked on my account. When attempting to setup SMTP and send a test email I get

Email could not be sent: stream_socket_client(): unable to connect to tcp://smtp.localhost:587 (Connection refused)

I’ve tried all manner of SMTP hosts, tried sending through Google SMTP, and followed the DigitalOcean guide “How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 18.04”, without any luck.

When running nmap I get:

PORT    STATE  SERVICE
25/tcp  closed smtp
465/tcp closed smtps
587/tcp closed submission

which makes me suspect there is no mail server configured in the default droplet (see disclaimer above).

I’m following the guide here: Passbolt Help, “Install Passbolt CE Digital Ocean”.

If someone can point out the error of my ways that would be much appreciated.

Thanks in advance!

Hi @vivahume,

Welcome to the Passbolt Community :)

We are going to have to do a little bit of debugging.

Can you run a health check and provide the results, please?
You can use the following command to provide the health check results.

su - www-data -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

When you get that error, where does it come from?
Could you specify whether it comes from the terminal or the log files?
Which SMTP hosts were you using? The server you are trying to connect to might be blocking port 587.

Your suspicions are correct: either there is no mail server running or, if there is one, the firewall might be blocking the ports.

Are you trying to run your own mail server, or do you have a provider that you would like to use?
According to the link you provided, I noticed the following:

Note : As of June 22, 2022, DigitalOcean is blocking SMTP for all new accounts. As a part of this new policy, we have partnered with SendGrid so our customers can still send emails with ease. You can learn more about this partnership and get started using SendGrid by checking out our DigitalOcean’s

If you are going to be running your own mail server, you would need ports 465 and 587 open for SSL/TLS connections.

Regards,
Bond

1 Like

Hi @JamesBond ,

Thank-you & much appreciated for the assistance!

To answer your original questions:

When you get that error, where does it come from?
Could you specify whether it comes from the terminal or the log files?

That error was displayed during the initial setup wizard on the mail config page (step 4) when attempting to send a test email. For now I am using localhost as the SMTP host. When I fall back to port 25 I get a “mail was sent successfully” message, but no email is delivered (checked spam).

As an update, I did install mailutils so now when running nmap I get:

PORT    STATE  SERVICE
25/tcp  open   smtp
465/tcp closed smtps
587/tcp closed submission

As a sidebar - does the droplet come with a mailserver configured or is this something I should have to do?

At this point I am trying to run my own local server - I just need it to send outgoing. I’ve tried using ufw to open the other ports, but I suspect I’m not doing it correctly. I tried:

ufw allow Postfix
ufw allow "Postfix SMTPS"
ufw allow "Postfix Submission" 

But after these commands 465 & 587 still show closed via nmap (although maybe I need to reload a service)

Thanks,

healthcheck says:

    ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://mydomain.name
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] The PHP directive `allow_url_fopen` must be enabled.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
 [HELP] Check the network configuration to allow this script to check for updates.
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!
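The healthcheck output above is plain text with one [PASS]/[FAIL]/[WARN] line per check and [HELP] hints under the failing ones. The following is an added example, not part of the thread or of Passbolt itself: a small parser that turns that output into records, attaches each [HELP] line to the check it follows, and derives a monitoring-style exit code, so the command can be run from cron or an agent and alert only on real problems. The SAMPLE text is constructed from the output posted above; the "No error found" wording for an all-green tally is an assumption about the tool's output.

```python
"""Parse `cake passbolt healthcheck` text output into structured results.

Added example for this thread; it is not part of Passbolt. Pipe the real
output into it on the host:

  su - www-data -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck" \
      | python3 parse_healthcheck.py
"""
import re
import sys
from dataclasses import dataclass, field

STATUS_RE = re.compile(r"^\s*\[(PASS|FAIL|WARN|HELP)\]\s*(.*\S)\s*$")
# Final tally printed by the healthcheck; it is not a check in itself.
# (The "No error found" all-green wording is assumed, not taken from the thread.)
SUMMARY_RE = re.compile(r"^\s*\[(?:PASS|FAIL)\]\s*(?:\d+ error\(s\) found|No error found)")


@dataclass
class Check:
    section: str
    status: str                                    # PASS, FAIL or WARN
    message: str
    help: list[str] = field(default_factory=list)  # [HELP] lines that followed it


def parse_healthcheck(text: str) -> list[Check]:
    checks: list[Check] = []
    section = ""
    for raw in text.splitlines():
        if SUMMARY_RE.match(raw):
            continue
        m = STATUS_RE.match(raw)
        if m is None:
            # Untagged, non-decorative lines are section headings ("Core config");
            # the ASCII banner and "----" rules contain / \ _ | or start with "-".
            stripped = raw.strip()
            if stripped and not stripped.startswith("-") and not set(stripped) & set("/\\_|"):
                section = stripped
            continue
        status, message = m.groups()
        if status == "HELP":
            # Hints belong to the most recent failing or warning check.
            if checks and checks[-1].status != "PASS":
                checks[-1].help.append(message)
            continue
        checks.append(Check(section, status, message))
    return checks


def summarize(checks) -> dict:
    counts = {"PASS": 0, "FAIL": 0, "WARN": 0}
    for c in checks:
        counts[c.status] += 1
    return counts


def problems(checks) -> list:
    """FAIL first, then WARN, each with its help text, for a report or alert."""
    order = {"FAIL": 0, "WARN": 1}
    return sorted((c for c in checks if c.status != "PASS"), key=lambda c: order[c.status])


def exit_code(checks) -> int:
    """Nagios-style: 2 on any FAIL, 1 on WARN only, 0 when all green."""
    counts = summarize(checks)
    if counts["FAIL"]:
        return 2
    if counts["WARN"]:
        return 1
    return 0


# Constructed sample, trimmed from the healthcheck output posted above.
SAMPLE = """\
 Core config

 [PASS] Debug mode is off.
 [PASS] Full base url is set to https://mydomain.name
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] The PHP directive `allow_url_fopen` must be enabled.

 [FAIL] 3 error(s) found. Hang in there!
"""

if __name__ == "__main__":
    # Read real output from a pipe; fall back to the constructed SAMPLE when run interactively.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    results = parse_healthcheck(text)
    for c in problems(results):
        print(f"[{c.status}] {c.section}: {c.message}")
        for h in c.help:
            print(f"       help: {h}")
    sys.exit(exit_code(results))
```

On the output above this would report the fullBaseUrl reachability failure with its two hints, the two certificate failures, and the self-signed warning (carrying the `allow_url_fopen` hint), and exit 2.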

That would mean you are trying to send to an external email address and the mail server is not configured correctly to send to external emails. The message is probably still stuck in the Postfix mail log.

Passbolt does not provide any mail utilities or configurations, that is done by the user.

Unfortunately in your situation this might not work.

I would only recommend that sysadmins set up mail servers, as they can be a pain to maintain and can open security holes if not configured correctly.

What I would recommend is using SendGrid, Google (Gmail SMTP) or any other secure email service for outgoing mail, as it would be much more secure: they are dedicated mail servers and they continuously update and maintain best security practices.

Are you the only person who would be using this Passbolt instance? If you are, then I would suggest using Gmail’s SMTP service.

Health Check Results:

There are a few issues you will need to fix:

  1. Set up your SSL certificates to match your hostname (fully qualified domain name)
  2. In your php.ini file, locate allow_url_fopen and enable it by setting it to 1
  3. Re-run Health Check and repost the results here.

Regards,
Bond

2 Likes

Appreciate the advice.

I am hoping not to pay for an external service (SendGrid), so I will try some of the other suggestions.

After enabling allow_url_fopen I get all green on the health check.

Question - am I able to try to send the test emails again from the command line?

[edit - pls disregard, found the command]

Thanks again,

As a sidenote -

while running the healthcheck from the command line results in no errors, if I try to visit https://my.domain/healthcheck/status in the browser I get a 404; but https://my.domain/healthcheck resolves (and correctly reports that /healthcheck/status is unreachable)

Any idea why the discrepancy?

Gmail’s SMTP service is free; you can try that out if you want.

Cool.

The health check URL is only meant to be used via the Passbolt cake script. Any direct access to the page results in a 404 Not Found error, for security reasons.

Regards
Bond

The problem I run into with this is an SMTP timeout :-/

Ok success.

For the record (i.e. future me): you can use the settings found here to set up SMTP through Google’s service (use 587, not 465), but when it comes to the password DO NOT use your Google account password. Instead follow the steps from Google to create a unique App password.

Thanks @JamesBond for your patience!

1 Like
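The working configuration the thread ends on is Gmail submission on port 587, STARTTLS, authenticated with an app password rather than the account password. The following is an added example, not part of the thread or of Passbolt: a test-mail sender that enforces exactly those points (refuses cleartext port 25 for a credentialed login, verifies the server certificate and hostname, upgrades to TLS before sending credentials, reads the app password from the environment). It also accepts 465 with implicit TLS, since Gmail documents both; the poster found 587 worked for them. The environment variable names SMTP_USER and SMTP_APP_PASSWORD are invented for this example, and RecordingSMTP is a stand-in client so the logic can be exercised with no network.

```python
"""Send a Passbolt-style test mail over SMTP submission with TLS and an app password.

Added example for this thread, not part of Passbolt. Assumptions (invented here):
credentials come from SMTP_USER / SMTP_APP_PASSWORD, and the SMTP client class
is injectable so RecordingSMTP can replace smtplib for an offline dry run.
"""
import os
import smtplib
import ssl
from email.message import EmailMessage


def tls_mode(port: int) -> str:
    """587 is submission with STARTTLS, 465 is implicit TLS (SMTPS); anything
    else, including cleartext port 25, is refused because we are about to log in."""
    if port == 587:
        return "starttls"
    if port == 465:
        return "implicit"
    raise ValueError(f"port {port} not allowed: use 587 (STARTTLS) or 465 (implicit TLS)")


def load_credentials(env=os.environ):
    """App password, never the Google account password; fail loudly if missing."""
    user, password = env.get("SMTP_USER"), env.get("SMTP_APP_PASSWORD")
    if not user or not password:
        raise RuntimeError("set SMTP_USER and SMTP_APP_PASSWORD in the environment")
    return user, password


def build_test_message(sender: str, recipient: str) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "Passbolt SMTP test"
    msg.set_content("If you can read this, outbound SMTP from the Passbolt host works.")
    return msg


def send_test_mail(host, port, username, password, recipient,
                   smtp_cls=smtplib.SMTP, smtp_ssl_cls=smtplib.SMTP_SSL, timeout=10):
    """Returns the TLS mode used; raises on a bad port, TLS failure or auth failure."""
    mode = tls_mode(port)
    ctx = ssl.create_default_context()   # verifies the certificate chain and hostname
    msg = build_test_message(username, recipient)
    if mode == "implicit":
        conn = smtp_ssl_cls(host, port, timeout=timeout, context=ctx)
    else:
        conn = smtp_cls(host, port, timeout=timeout)
    with conn as smtp:
        if mode == "starttls":
            smtp.starttls(context=ctx)   # upgrade before any credentials are sent
        smtp.login(username, password)
        smtp.send_message(msg)
    return mode


class RecordingSMTP:
    """Stand-in for smtplib.SMTP / SMTP_SSL: records the call sequence, sends nothing."""
    last = None

    def __init__(self, host, port, timeout=None, context=None):
        self.calls = [("connect", host, port, context is not None)]
        RecordingSMTP.last = self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.calls.append(("quit",))
        return False

    def starttls(self, context=None):
        if context is None:
            raise RuntimeError("STARTTLS without an SSL context would skip verification")
        self.calls.append(("starttls",))

    def login(self, user, password):
        self.calls.append(("login", user))

    def send_message(self, msg):
        self.calls.append(("send", msg["To"]))


if __name__ == "__main__":
    import sys
    user, app_password = load_credentials()
    to = sys.argv[1] if len(sys.argv) > 1 else user
    print("sent via", send_test_mail("smtp.gmail.com", 587, user, app_password, to))
```

Run it as `SMTP_USER=you@gmail.com SMTP_APP_PASSWORD=... python3 smtp_test.py recipient@example.com`; a certificate or hostname mismatch surfaces as an `ssl.SSLError` before any credential leaves the host, and an `SMTPAuthenticationError` on a correct app password usually means the account still has the Google-side prerequisites for app passwords unmet.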