I’m installing on Ubuntu 20.4 with Docker. So far so good. I’ve managed to install it properly and I can log in to my account with no problems. The only problem is that I cannot send emails.
I would like to connect to the SMTP relay server of our Gmail domain and receive the emails from ‘passbolt@mydomain.com’. In our organization, we have no authentication and we authorize connections with an IP whitelist.
We use neither TLS nor SMTP authentication on our SMTP relay server.
I tried to debug using telnet and I could send emails to any email address on my domain.
Does anyone know how to configure it properly?
Port 587 is a TLS port; I think the relay is using port 25 or 2525 (not sure). Can you confirm the env variable EMAIL_TRANSPORT_DEFAULT_PORT is using the expected port (25) before executing the email testing command?
Something like env |grep EMAIL_TRANSPORT_DEFAULT_PORT
Have you configured the smtp relay to not use TLS and whitelisted a range of ip addresses? Otherwise it looks like you should use EMAIL_TRANSPORT_DEFAULT_TLS=true, point to port 587 and use credentials such as username and password.
Yes, my IP is whitelisted and I can send email with telnet using port 25.
root@e25057e20791:/var/www/passbolt# telnet smtp-relay.gmail.com 25
Trying 74.125.193.28...
Connected to smtp-relay.gmail.com.
Escape character is '^]'.
220 smtp-relay.gmail.com ESMTP d18sm357648wrw.11 - gsmtp
HELO mydomainname.com
250 smtp-relay.gmail.com at your service
MAIL FROM: <passbolt@mydomain.com>
250 2.1.0 OK d18sm357648wrw.11 - gsmtp
RCPT TO: <myuser@mydomain.com>
250 2.1.5 OK d18sm357648wrw.11 - gsmtp
DATA
354 Go ahead d18sm357648wrw.11 - gsmtp
test
.
250 2.0.0 OK 1605525972 d18sm357648wrw.11 - gsmtp
QUIT
221 2.0.0 closing connection d18sm357648wrw.11 - gsmtp
Connection closed by foreign host.
Maybe the Passbolt email sender forces the use of credentials (even if they are empty) and that’s why my SMTP relay server is rejecting the connections?
Is there a way to flag this as a bug to see if the developers can fix it?
I’d really like to send emails without having to authenticate to the SMTP server.
I have this same issue and found out that the EHLO command is misconfigured, sending “EHLO localhost” instead of the public IP allowed in my G Suite environment.
For a while, I’ve edited the file [passbolt dir]/vendor/cakephp/src/Mailer/Transport/SmtpTransport.php as follows, just changing the variable {$host} in lines 234 and 238 to the public IP allowed, and it works fine. Keep in mind that I didn’t change the variable value; I replaced it with “EHLO [myIP]”, since this variable is used in other script contexts.
@csbertran Since you were showing that a manual HELO of your domain was working, it may be an issue of what domain your sending server is declaring.
When reading this https://support.google.com/a/answer/2956491 it appears in #6 that the Allowed senders section must note the IP address, in addition to #7 where you can limit by IP address. When I read this, your server should also have a hostname (or mailname) of your approved domain.
@heitorcmj try changing the hostname of your server. Understandably we discourage the modification of source code in the dependent libraries, but it helps that you are showing what needs to change for it to work.
EDIT: can you clarify again which IP you’re changing the {host} variable to? The sending server’s public IP?
I have not set this up on a Google domain, so these are general thoughts:
It’s more a matter of how email is received than the restriction settings we are reviewing.
A server’s declared hostname is commonly checked against IP addresses. Maybe the Passbolt machine is internal-only and not public-facing and when Google tries to verify the domain it cannot. Hard to know, because this information was not provided yet. Using the IP address with a HELO command still has to be checked against the actual IP address from where the request is being made.
“Step-2” on the link above is to set the on-premises relay to point to Google. This thread however is treating a Passbolt machine as a relay. In the Configuration section of Step-2 it says:
We recommend that you configure your mail server to present a unique identifier (such as your domain name or the name of your mail server) in the HELO or EHLO command in the SMTP relay connections your server makes to Google. Avoid using generic names such as “localhost” or “smtp-relay.gmail.com,” which can occasionally result in issues with DoS limits.
So, my thought is that although the IP address is used for restriction, the declared domain (hostname) of the server is also being considered.
In my own mail server that I run, I have domain restrictions. The connecting servers can have credentials but my mail server will still not accept the connection if they do not present a whitelisted domain. In the case of an internal-only machine, this is even more relevant because my mail server cannot resolve its domain through normal means.
So in addition to a whitelisted domain, I also must note the IP address it has or else it gets flagged as incorrectly resolved.
Thank you so much for your effort to fix this issue.
Google says “we recommend… a unique identifier in the HELO or EHLO…” but, at least as of now, it’s a requirement. I made the changes you suggested to set up the FQDN and in addition I published it on my DNS (since it’s just internal) for some possible query made by Google, but it doesn’t work.
Reviewing the script SmtpTransport.php, I realized that the variable $host is set in line 34 as “localhost”. So no matter the FQDN, this script always forms the command with “EHLO localhost” and I can’t find a way to configure it on Passbolt.
Another approach to this would be to configure Sendmail, Postfix, etc locally on the server, include the settings in the Gmail relay documentation, and send all Passbolt mail to the local mail service which then is the relay to Gmail.
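The EHLO identity discussed in this thread can be checked without touching the relay. The following is an added example (not code from the thread, Passbolt or CakePHP): it runs a throwaway SMTP sink on loopback and records the name a client announces. The hostname passbolt.example.com and all function names are assumptions, and Python's smtplib stands in for the mail client.

```python
import smtplib
import socket
import threading


def capture_helo_name(client, timeout=5.0):
    """Run a one-shot SMTP sink on 127.0.0.1 and return the name the client
    announces in EHLO/HELO. `client` is called with (host, port)."""
    srv = socket.create_server(("127.0.0.1", 0))  # ephemeral port
    srv.settimeout(timeout)
    host, port = srv.getsockname()
    seen = {}

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(timeout)
        with conn, conn.makefile("rb") as rfile:
            def reply(text):
                conn.sendall(text.encode("ascii") + b"\r\n")
            reply("220 sink.test ESMTP constructed test server")
            for raw in rfile:
                line = raw.decode("ascii", "replace").strip()
                verb, _, arg = line.partition(" ")
                verb = verb.upper()
                if verb in ("EHLO", "HELO"):
                    seen["name"] = arg      # the identity a relay would see
                    reply("250 sink.test")
                elif verb == "QUIT":
                    reply("221 bye")
                    break
                else:
                    reply("250 OK")

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        client(host, port)
    finally:
        worker.join(timeout)
        srv.close()
    return seen.get("name")


def smtplib_client(helo_name):
    """Build a client that connects and announces `helo_name` in EHLO."""
    def run(host, port):
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=5) as s:
            s.ehlo()
    return run
```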