DigitalOcean Droplet - Mail config

Hi All,

Thanks to the community for this droplet - disclaimer, I’m not a sysadmin which is why I am using this install method.

I’m attempting to get droplet Version 3.7.3-1 Ubuntu 20.04 up and running and am having issues with the mail config.

I’ve confirmed with DO that mail is not blocked on my account. When attempting to setup SMTP and send a test email I get

Email could not be sent: stream_socket_client(): unable to connect to tcp://smtp.localhost:587 (Connection refused)

I’ve tried all manner of SMTP hosts, tried sending through Google SMTP and How To Install and Configure Postfix as a Send-Only SMTP Server on Ubuntu 18.04 | DigitalOcean without any luck.

When running nmap I get:

25/tcp closed smtp
465/tcp closed smtps
587/tcp closed submission

which makes me suspect there is no mail server configured in the default droplet (see disclaimer above).

I’m following the guide here: Passbolt Help | Install Passbolt CE Digital Ocean

If someone can point out the error of my ways that would be much appreciated.

Thanks in advance!

Hi @vivahume,

Welcome to the Passbolt Community :slight_smile:

We are going to have to do a little bit of debugging.

Can you run a health check and provide the results please ?
You can use the following command to provide the health check results.

su - www-data -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"

When you get that error, where does it come from ?
Could you specify if it comes from the terminal or the log files ?
Which SMTP hosts were you using, as that could mean the server you are trying to connect to might be blocking the port 587.

Your suspensions are correct, there is no mail server running or if there is a mail server the firewall might be blocking the ports.

Are you trying to run your own mail server or do you have a provider that you would like to use ?
According to the link you provided, I noticed the following:

Note : As of June 22, 2022, DigitalOcean is blocking SMTP for all new accounts. As a part of this new policy, we have partnered with SendGrid so our customers can still send emails with ease. You can learn more about this partnership and get started using SendGrid by checking out our DigitalOcean’s

If you are going to be running your own mail server you would need port 465,587 open for SSL/TLS connections.


1 Like

Hi @JamesBond ,

Thank-you & much appreciated for the assistance!

To answer your original questions:

When you get that error, where does it come from ?
Could you specify if it comes from the terminal or the log files ?

That error was displayed during the initial setup wizard on the mail config page (step 4) when attempting to send a test email. For now I am using localhost as the SMTP host. When I fallback to port 25 I get a mail was sent successfully message - but no email delivered (checked spam)

As an update, I did install mailutils so now when running nmap I get:

25/tcp  open   smtp
465/tcp closed smtps
587/tcp closed submission

As a sidebar - does the droplet come with a mailserver configured or is this something I should have to do?

At this point I am trying to run my own local server - I just need it to send outgoing. I’ve tried using ufw to open the other ports, but I suspect I’m not doing it correctly. I tried:

ufw allow Postfix
ufw allow "Postfix SMTPS"
ufw allow "Postfix Submission" 

But after these commands 465 & 587 still show closed via nmap (although maybe I need to reload a service)


healthcheck says:

    ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
 Healthcheck shell


 [PASS] PHP version 7.4.3.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in config/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check
 [HELP] The PHP directive `allow_url_fopen` must be enabled.


 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
 [HELP] Check the network configuration to allow this script to check for updates.
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 4 error(s) found. Hang in there!

That would mean you are trying to send it to an external email service and the mail server is not configured correctly to send to external emails. Which it would probably still be stuck in postfix mail log.

Passbolt does not provide any mail utilities or configurations, that is done by the user.

Unfortunately in your situation this might not work.

I would only recommend SysAdmin’s setup mail servers as it can be a pain to maintain as well as open security holes if it’s not configured correctly.

What I would recommend is using SendGrid, Google (Gmail SMTP) or any other secure email services for outgoing mail as it would be much more secure as they are dedicated mail servers and they continuously update and maintain the best security practices.

Are you the only person that would be using this passbolt instance, if you are then i would suggest using Gmail’s SMTP service.

Health Check Results:

There are a few issues you will need to fix:

  1. Setup your ssl certificates to match your hostname (fully qualified domain name)
  2. In your php.ini file, locate allow_url_fopen and enable it by setting it to 1
  3. Re-run Health Check and repost the results here.



Appreciate the advice.

I am hoping not to pay for an external service (sendGrid), so I will try some of the other suggestions.

After enabling allow_url_fopen I get all green on the health check.

Question - am I able to try to send the test emails again from the command line?

[edit - pls disregard, found the command]

Thanks again,

As a sidenote -

while running the healthcheck from the command line results in no errors, if I try to visit https://my.domain/healthcheck/status in the browser I get a 404; but https://my.domain/healthcheck resolves (and correctly reports that /healthcheck/status is unreachable)

Any idea why the discrepancy?

Gmail’s SMTP service is free, you can try that out. If you want.


The health check url is only meant to be used via the passbolt cake script. Any direct access to the page would result in a 404 not found error for security reasons.


The problem I run into with this is an SMTP timeout :face_with_diagonal_mouth:

Ok success.

For the record (ie. future me) - you can use the settings found here to setup SMTP through google service (use 587 not 465), but when it comes to the password DO NOT use your google account password. Instead follow the steps from Google to create a unique App password.

Thanks @JamesBond for your patience!

1 Like