Emails are not sent to Google emails

Good morning. First of all, I would like to apologize if I’m repeating a posted issue; I searched the forum for a problem like mine but couldn’t find one, even though there are some email issues posted.
My issue is related to sending emails to external users not hosted on the same machine as the Passbolt server. The emails are sent correctly, as all logs and checks say, but they are lost on the way to the mailboxes.
This was working in the past, but I can’t remember whether it stopped working after an update or before migrating from the CE to the Pro version, because normally I don’t use an external email.

I have installed Passbolt Pro v3.7.1 from source code on my server running Debian 10, Apache/2.4.38 and PHP v8.0.22. Here is my healthcheck command output:

      ____                  __          ____
     / __ \____  _____ ____/ /_  ____  / / /_
    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
  /_/    \__,_/____/____/_.___/\____/_/\__/
 
  Open source password manager for teams
 -------------------------------------------------------------------------------
  Healthcheck shell
 -------------------------------------------------------------------------------
 
  Environment
 
  [PASS] PHP version 8.0.22.
  [PASS] PCRE compiled with unicode support.
  [PASS] The temporary directory and its content are writable and not executable.
  [PASS] The logs directory and its content are writable.
  [PASS] GD or Imagick extension is installed.
  [PASS] Intl extension is installed.
  [PASS] Mbstring extension is installed.
 
  Config files
 
  [PASS] The application config file is present
  [PASS] The passbolt config file is present
 
  Core config
 
  [PASS] Debug mode is off.
  [PASS] Cache is working.
  [PASS] Unique value set for security.salt
  [PASS] Full base url is set to https://passbolt.domain.co
  [PASS] App.fullBaseUrl validation OK.
  [PASS] /healthcheck/status is reachable.
 
  SSL Certificate
 
  [PASS] SSL peer certificate validates
  [PASS] Hostname is matching in SSL certificate.
  [PASS] Not using a self-signed certificate
 
  Database
 
  [PASS] The application is able to connect to the database
  [PASS] 44 tables found
  [PASS] Some default content is present
  [PASS] The database schema up to date.
 
  GPG Configuration
 
  [PASS] PHP GPG Module is installed and loaded.
  [PASS] The environment variable GNUPGHOME is set to /home/passbolt/.gnupg.
  [PASS] The directory /home/passbolt/.gnupg containing the keyring is writable by the webserver user.
  [PASS] The server OpenPGP key is not the default one
  [PASS] The public key file is defined in config/passbolt.php and readable.
  [PASS] The private key file is defined in config/passbolt.php and readable.
  [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
  [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
  [PASS] There is a valid email id defined for the server key.
  [PASS] The public key can be used to encrypt a message.
  [PASS] The private key can be used to sign a message.
  [PASS] The public and private keys can be used to encrypt and sign a message.
  [PASS] The private key can be used to decrypt a message.
  [PASS] The private key can be used to decrypt and verify a message.
  [PASS] The public key can be used to verify a signature.
  [PASS] The server public key format is Gopengpg compatible.
  [PASS] The server private key format is Gopengpg compatible.
 
  Application configuration
 
  [PASS] Using latest passbolt version (3.7.1).
  [PASS] Passbolt is configured to force SSL use.
  [PASS] App.fullBaseUrl is set to HTTPS.
  [PASS] Selenium API endpoints are disabled.
  [PASS] Search engine robots are told not to index content.
  [PASS] Registration is closed, only administrators can add users.
  [PASS] Serving the compiled version of the javascript app
  [PASS] All email notifications will be sent.
 
  JWT Authentication
 
  [PASS] The JWT Authentication plugin is enabled
  [PASS] The /home/passbolt/public_html/config/jwt/ directory is not writable.
  [PASS] A valid JWT key pair was found
 
  [PASS] No error found. Nice one sparky!

As I found in other posts and at Passbolt Help | Why are my emails not being sent?, I tried to send test emails to my own address hosted on the same server (this account is able to send and receive emails without problems) and to an external address. The result inside the server is the same for both, but when checking the mailboxes I only received the one for the internal address. Here are the tests:

Internal email address:

 root@server:~# sudo -H -u passbolt bash -c "/home/passbolt/public_html/bin/cake passbolt send_test_email --recipient=test@domain.co"
 
      ____                  __          ____
     / __ \____  _____ ____/ /_  ____  / / /_
    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
  /_/    \__,_/____/____/_.___/\____/_/\__/
 
  Open source password manager for teams
 -------------------------------------------------------------------------------
  Debug email shell
 -------------------------------------------------------------------------------
 Email configuration
 -------------------------------------------------------------------------------
 Host: localhost
 Port: 25
 Username: pbt@passbolt.domain.co
 Password: *********
 TLS: false
 Sending email from: Passbolt <pbt@passbolt.domain.co>
 Sending email to: test@domain.co
 -------------------------------------------------------------------------------
 Trace
 [220] server.domain.co ESMTP Postfix (Debian/GNU)
 > EHLO passbolt.domain.co
 [250] server.domain.co
 [250] PIPELINING
 [250] SIZE 52428800
 [250] VRFY
 [250] ETRN
 [250] STARTTLS
 [250] AUTH PLAIN LOGIN
 [250] AUTH=PLAIN LOGIN
 [250] ENHANCEDSTATUSCODES
 [250] 8BITMIME
 [250] DSN
 [250] SMTPUTF8
 [250] CHUNKING
 > AUTH PLAIN AHBidEBwYnQuZGllZ29zci5lcwB5LHprRDZxO2xHYzNIQ1Mp
 [235] 2.7.0 Authentication successful
 > MAIL FROM:<*****>
 [250] 2.1.0 Ok
 > RCPT TO:<test@domain.co>
 [250] 2.1.5 Ok
 > DATA
 [354] End data with <CR><LF>.<CR><LF>
 > From: Passbolt <*****>
 To: test@domain.co
 Date: Fri, 09 Sep 2022 07:26:54 +0000
 Message-ID: <cc70f16cd8cf4a1bbaaf5e2fcd469e06@server.domain.co>
 Subject: Passbolt test email
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Congratulations!
 If you receive this email, it means that your passbolt smtp configuration is working fine.
 
 
 
 
 .
 [250] 2.0.0 Ok: queued as 04E598298A
 > QUIT
 The message has been successfully sent!

External email address:

 root@server:~# sudo -H -u passbolt bash -c "/home/passbolt/public_html/bin/cake passbolt send_test_email --recipient=external@gmail.com"
 
      ____                  __          ____
     / __ \____  _____ ____/ /_  ____  / / /_
    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
  /_/    \__,_/____/____/_.___/\____/_/\__/
 
  Open source password manager for teams
 -------------------------------------------------------------------------------
  Debug email shell
 -------------------------------------------------------------------------------
 Email configuration
 -------------------------------------------------------------------------------
 Host: localhost
 Port: 25
 Username: pbt@passbolt.domain.co
 Password: *********
 TLS: false
 Sending email from: Passbolt <pbt@passbolt.domain.co>
 Sending email to: external@gmail.com
 -------------------------------------------------------------------------------
 Trace
 [220] server.domain.co ESMTP Postfix (Debian/GNU)
 > EHLO passbolt.domain.co
 [250] server.domain.co
 [250] PIPELINING
 [250] SIZE 52428800
 [250] VRFY
 [250] ETRN
 [250] STARTTLS
 [250] AUTH PLAIN LOGIN
 [250] AUTH=PLAIN LOGIN
 [250] ENHANCEDSTATUSCODES
 [250] 8BITMIME
 [250] DSN
 [250] SMTPUTF8
 [250] CHUNKING
 > AUTH PLAIN AHBidEBwYnQuZGllZ29zci5lcwB5LHprRDZxO2xHYzNIQ1Mp
 [235] 2.7.0 Authentication successful
 > MAIL FROM:<*****>
 [250] 2.1.0 Ok
 > RCPT TO:<external@gmail.com>
 [250] 2.1.5 Ok
 > DATA
 [354] End data with <CR><LF>.<CR><LF>
 > From: Passbolt <*****>
 To: external@gmail.com
 Date: Fri, 09 Sep 2022 07:28:06 +0000
 Message-ID: <5708db7cee6241edb469fad51a955c43@server.domain.co>
 Subject: Passbolt test email
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 
 Congratulations!
 If you receive this email, it means that your passbolt smtp configuration is working fine.
 
 
 
 
 .
 [250] 2.0.0 Ok: queued as 247B48298A
 > QUIT
 The message has been successfully sent!

I also checked the cron service journal:

 root@server:~# sudo journalctl -fu cron.service
 -- Logs begin at Fri 2022-09-09 05:21:18 CEST. --
 Sep 09 09:27:01 server.domain.co CRON[30383]: (passbolt) CMD (/home/passbolt/public_html/bin/cake EmailQueue.sender >> /var/log/passbolt-email.log 2>&1)
 Sep 09 09:27:01 server.domain.co CRON[30385]: (passbolt) CMD (/home/passbolt/public_html/bin/cron >> /var/log/passbolt.log)
 Sep 09 09:27:02 server.domain.co CRON[30382]: pam_unix(cron:session): session closed for user passbolt
 Sep 09 09:27:02 server.domain.co CRON[30381]: pam_unix(cron:session): session closed for user passbolt
 Sep 09 09:28:01 server.domain.co CRON[30424]: pam_unix(cron:session): session opened for user passbolt by (uid=0)
 Sep 09 09:28:01 server.domain.co CRON[30426]: (passbolt) CMD (/home/passbolt/public_html/bin/cake EmailQueue.sender >> /var/log/passbolt-email.log 2>&1)
 Sep 09 09:28:01 server.domain.co CRON[30425]: pam_unix(cron:session): session opened for user passbolt by (uid=0)
 Sep 09 09:28:01 server.domain.co CRON[30427]: (passbolt) CMD (/home/passbolt/public_html/bin/cron >> /var/log/passbolt.log)
 Sep 09 09:28:01 server.domain.co CRON[30425]: pam_unix(cron:session): session closed for user passbolt
 Sep 09 09:28:01 server.domain.co CRON[30424]: pam_unix(cron:session): session closed for user passbolt

And the passbolt log:

 root@server:~# tail /var/log/passbolt.log
 Email 399 was sent
 Email 400 was sent
 Email 401 was sent
 Email 402 was sent
 Email 403 was sent
 Email 404 was sent
 Email 405 was sent
 Email 406 was sent
 Email 407 was sent
 Email 408 was sent

This is the SMTP config at ~/config/passbolt.php:

     // Email configuration.
     'EmailTransport' => [
         'default' => [
             'host' => 'localhost',
             'port' => 25,
             'username' => 'pbt@passbolt.domain.co',
             'password' => 'password',
             // Is this a secure connection? true if yes, null if no.
             'tls' => null,
             //'timeout' => 30,
             'client' => 'passbolt.domain.co',
             //'url' => null,
         ],
     ],
     'Email' => [
         'default' => [
             // Defines the default name and email of the sender of the emails.
             'from' => ['pbt@passbolt.domain.co' => 'Passbolt'],
             //'charset' => 'utf-8',
             //'headerCharset' => 'utf-8',
         ],
     ],

Do you have any idea why it is not working?
If you need more information, do not hesitate to ask for it.

@Termindiego25 if the emails are sent correctly from passbolt’s perspective, you should check the logs further down the line, like the logs on your SMTP server / relays, etc. It’s possible, for example, that the emails are bouncing down the line for multiple reasons (DNS issues, spam filtering issues, SMTP server configuration issues, etc.).

I have checked /var/log/mail.log and the email seems to be blocked by Google:

root@server:~# tail /var/log/mail.log
Sep  9 09:58:43 server postfix/qmgr[1094]: AD11182724: from=<pbt@passbolt.domain.co>, size=648, nrcpt=1 (queue active)
Sep  9 09:58:43 server postfix/smtpd[3261]: disconnect from localhost[127.0.0.1] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Sep  9 09:58:44 server postfix/smtp[3265]: connect to gmail-smtp-in.l.google.com[2a00:1450:4010:c08::1a]:25: Cannot assign requested address
Sep  9 09:58:44 server postfix/smtp[3265]: AD11182724: to=<external@gmail.com>, relay=gmail-smtp-in.l.google.com[64.233.165.26]:25, delay=0.99, delays=0.11/0.01/0.45/0.41, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[64.233.165.26] said: 550-5.7.1 [161.97.163.96      12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1  https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1  for more information. h20-20020a2ea494000000b0026bdc89e6e4si548830lji.75 - gsmtp (in reply to end of DATA command))
Sep  9 09:58:44 server postfix/cleanup[3264]: AA63682991: message-id=<20220909075844.AA63682991@server.domain.co>
Sep  9 09:58:44 server postfix/bounce[3266]: AD11182724: sender non-delivery notification: AA63682991
Sep  9 09:58:44 server postfix/qmgr[1094]: AA63682991: from=<>, size=4044, nrcpt=1 (queue active)

I also tried to send a test to a Microsoft account and it was delivered correctly, so I have to check why Google is blocking my emails when it was fine in the past.
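The posts above show Passbolt reporting "Email N was sent" and an SMTP `250 ... queued as` reply while the final outcome only appears in the Postfix log. As an added example (not part of the original thread), this Python sketch extracts the final delivery status per queue ID from `mail.log`-style lines; the function names and the sample lines (documentation domains and addresses) are constructed, and it assumes Postfix's default short uppercase-hex queue IDs.

```python
import re

# Constructed sample in Postfix syslog format (not the poster's log).
SAMPLE_LOG = """\
Sep  9 10:00:01 mx postfix/qmgr[1094]: 1A2B3C4D5E: from=<app@sub.example.org>, size=648, nrcpt=1 (queue active)
Sep  9 10:00:02 mx postfix/smtp[3265]: 1A2B3C4D5E: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=0.99, delays=0.11/0.01/0.45/0.41, dsn=5.7.1, status=bounced (host mx.example.net[192.0.2.25] said: 550-5.7.1 message blocked (in reply to end of DATA command))
Sep  9 10:00:02 mx postfix/bounce[3266]: 1A2B3C4D5E: sender non-delivery notification: 6F7A8B9C0D
Sep  9 10:00:02 mx postfix/qmgr[1094]: 6F7A8B9C0D: from=<>, size=4044, nrcpt=1 (queue active)
Sep  9 10:01:01 mx postfix/qmgr[1094]: 2B3C4D5E6F: from=<app@sub.example.org>, size=650, nrcpt=1 (queue active)
Sep  9 10:01:02 mx postfix/local[3270]: 2B3C4D5E6F: to=<test@example.org>, relay=local, delay=0.05, delays=0.03/0.01/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
"""

# "postfix/<service>[pid]: <QUEUEID>: <rest>"; lines without a queue ID are skipped.
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)")
FROM = re.compile(r"from=<(?P<sender>[^>]*)>")
DELIVERY = re.compile(
    r"to=<(?P<rcpt>[^>]*)>, .*?relay=(?P<relay>[^,]+), .*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reply>.*)\)$"
)

def delivery_outcomes(log_text):
    """Return one dict per delivery attempt, joined to the envelope sender."""
    senders, outcomes = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m["qid"], m["rest"]
        f = FROM.match(rest)
        if f:                      # qmgr line: remember who sent this queue ID
            senders[qid] = f["sender"]
            continue
        d = DELIVERY.match(rest)
        if d:                      # smtp/local/lmtp line: final status for one recipient
            outcomes.append({"qid": qid, "sender": senders.get(qid), **d.groupdict()})
    return outcomes

def failures(log_text):
    """Deliveries whose status is anything other than 'sent' (bounced, deferred, ...)."""
    return [o for o in delivery_outcomes(log_text) if o["status"] != "sent"]

if __name__ == "__main__":
    for o in failures(SAMPLE_LOG):
        print(o["qid"], o["sender"], "->", o["rcpt"], o["status"], o["dsn"], o["reply"])
```

The queue ID printed here is the same one the application sees in the `queued as` reply, so a bounce can be tied back to a specific test email.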

@Termindiego25 How are you sending it from the server? I see the settings are for passbolt to deliver it locally first, so that makes your server a mail server when it sends mail out. It would need to pass muster for spf and dkim.

EDIT: just noticed postfix in the logs. Google is picky but I don’t have any problems with them on my mail server. PTR is set for my ip (that’s one people disregard but it really makes a huge difference), SPF and DKIM. I’ve never had any issues.

In the past, I configured SPF, DKIM and DMARC for my domain, but I don’t know if something changed for Google.
I tried to send an email from the internal email to the Google account and it delivers correctly, so maybe there is something wrong with the mail configuration on Passbolt.

Maybe check on mxtoolbox[.]com to see if you are on any blacklists.

Assuming it’s a public facing server (sending mail it should be) try adding in /etc/hosts a line where your server ip address has the domain name the mail is sent out with. This is to attempt to send out with something other than localhost for the sending domain.

I found on mxtoolbox.com that my IP is blacklisted at UCEPROTECTL3 because the provider where I have the server has other IPs doing spam and they blacklisted a range of IPs.
I’m going to contact my provider to try to solve this.

It’s a bit strange because I can send emails with my normal account but Passbolt emails are blocked from the same IP.
I’m not sure the blacklist is the main reason, but it is something to solve, of course.

The logs are showing the email is being sent from localhost 127.0.0.1 but this does not allow Gmail to verify the domain SPF and DKIM settings. This is a common point of failure. Are you able to notice a difference in the mail headers when comparing the email which is successfully received by Gmail from the same domain?

Maybe I am mistaken about the localhost. The headers on a successful email would help, and compare that to the queued email which is delayed and still on the server. Maybe in /var/spool/mqueue.

If you change localhost to passbolt.domain.co in the host field, that may help. The server should know its own domain, and the header may change as a result.

I changed the host setting as you suggested and I also added an SPF record for the subdomain that the Passbolt server is serving (I had just the SPF record for the domain).
Now it seems to work; Google is not blocking my emails.

Thank you all for your ideas to solve my problem.
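The last post mentions having an SPF record only for the parent domain while the sender address was on a subdomain. As an added example (not part of the original thread), this Python sketch shows why that matters: SPF is looked up at the exact envelope-sender domain and a parent's record is not inherited. The zone data, names and `check_spf` function are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT data keyed by exact owner name (documentation names and addresses).
ZONE_BEFORE = {"example.org": ["v=spf1 ip4:192.0.2.10 -all"]}
ZONE_AFTER = {**ZONE_BEFORE, "app.example.org": ["v=spf1 ip4:192.0.2.10 -all"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(zone, mail_from, client_ip):
    """Evaluate SPF for the MAIL FROM domain against the connecting IP.

    Hypothetical helper: `zone` stands in for DNS TXT lookups.
    """
    domain = mail_from.rsplit("@", 1)[-1].lower()
    # Lookup is at the exact domain only; there is no fallback to the parent.
    records = [r for r in zone.get(domain, []) if r.split()[0].lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"         # more than one SPF record is an error
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        name, _, value = mech.partition(":")
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        if ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"               # nothing matched and no 'all' term

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        for sender in ("user@example.org", "app@app.example.org"):
            print(label, sender, check_spf(zone, sender, "192.0.2.10"))
```

The poster changed the host setting at the same time, so this illustrates only the SPF part of the fix.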