Emails not sending (sometimes)

Hello,

we have a problem with passbolt emails. Sometimes they are sent with no problem and sometimes they are not sent at all. I checked the email_queue table in the database and found some records and an error message.

How can I fix this? My SMTP server is TLS optional and I configured passbolt to use the TLS.

Thanks.

Hi @Milan We would need more information, if you can provide more. It basically comes down to:

  1. knowing what the requirements of your mail server are,
  2. making sure there is an SMTP connection made available to you
  3. and then ensuring your passbolt settings are suitable for that connection.

Making sure the passbolt host server can reliably resolve the domain of your mail server is also often needed.

Hi @garrett I am sending requested information:

  1. Yes, I know the requirements of our mail server because we are using the Exchange Online mail server. Basically there are three main methods for sending emails from an application (or device) to Exchange Online (M365): MS Documentation. We are using the third option, SMTP Relay Connector, because we want to send emails to external parties and we are using Azure AD MFA.
  2. Yes, it is available because this method and this configuration are working on other systems (and devices).
  3. We are using passbolt in docker compose and I checked the SMTP settings in the docker-compose.yml file multiple times; they are correct, as the MS documentation states.

Our DNS records are indeed pointed to our private DNS servers, but if our private DNS servers cannot resolve a name they forward the request to the Google DNS servers (8.8.8.8, 8.8.4.4).
In this scenario I think there is no problem with DNS resolving.

@Milan
I have not done this myself, but here are some thoughts.

You will either need to whitelist the IP address and use a username/password approach, or use a certificate. I'm not sure which of these would explain intermittent delivery, but if your passbolt host is not on a fixed IP address and its IP address changes and then does not qualify under the whitelisting, maybe this is why.

The use of a certificate is more difficult as I believe passbolt does not have this option documented for use (and it will likely require some modification of your config files), but you would maybe be looking to do something like this (stackoverflow) which addresses the connection itself, versus the encryption of the message content.

    'ssl' => [
        'verify_peer'  => true,
        'local_cert' => '/path/to/client_cert_and_key.pem'
    ]

The certificate is created on the M365 side of things, and installed for use on the passbolt host. Again, just thoughts based on your details provided. This would go under

    'EmailTransport' => [
        'default' => [
            ...here
        ]
    ]

@garrett
Our passbolt server has a static, public IP address which is configured in our SMTP Relay connector in the Exchange Online admin center. Also, this public static IP is configured in the DNS SPF record within our public (M365) domain.

Anyway, I will probably try to use a certificate instead of a static public IP address because I don't know what else I can do to fix this issue. I will keep trying to solve it.

Thank you.

@garrett Can I ask if passbolt supports and uses the TLS 1.2 protocol? If not, then TLS 1.0 or TLS 1.1 is used, which is blocked in M365 tenants, and this will be the problem.

@Milan I require TLS 1.2 on my mail server and have no problem with passbolt SMTP, so it's not that.

Please post your passbolt mail config settings (obfuscated), thanks.

@garrett My docker-compose.yml config:

@Milan I'm re-reading the M365 link you provided. I now believe the issue is that it will not permit username/password authentication. I was wrong when I gave the options above: it's either whitelisting by IP address in your tenant settings, or the requirement of a cert. If the IP address has been whitelisted, I think the username/password variables need to be removed, or each set to null. If one does not work, try the other.

And the EMAIL_DEFAULT_FROM must be a legit email or alias in your organization.

@garrett
I tried to remove the username and password fields but it is not working. I tried to set TLS to null and also to true but that did not help either. I will probably make an exception in the Azure AD MFA and set it to Option 1 - How to set up a multifunction device or application to send email using Microsoft 365 or Office 365 | Microsoft Docs - https://docs.microsoft.com/

Output from send_test_email

@garrett
This is the same config but in PowerShell running on my local machine, and it is working: emails are sent.

SMTP Relay is configured correctly, port 25 is open (not blocked; I know because I tried a TCP ping from the passbolt server). So in PowerShell it is working but in passbolt it does not. I assume that passbolt somehow cannot handle this type of email sending (SMTP Relay to Exchange Online). If I made a mistake somewhere I will be glad to find it, but I cannot see a difference between the passbolt configuration and the PowerShell configuration on my local machine.
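A small probe that checks the relay from the passbolt host the way this thread has been doing by hand (EHLO, STARTTLS, negotiated TLS version, whether AUTH is offered after STARTTLS). It is added here as an example and is not passbolt's own code; the relay name and the EHLO reply are constructed placeholders.

```python
# Probe an SMTP relay the way passbolt's transport would: EHLO, STARTTLS, TLS version, AUTH.
import smtplib
import ssl

# Rank TLS versions so "older than 1.2" does not depend on string ordering.
TLS_RANK = {"TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

# Constructed EHLO reply of an IP allow-listed relay (no AUTH); not real server output.
SAMPLE_RELAY_EHLO = """250-relay.example.invalid Hello [203.0.113.10]
250-SIZE 157286400
250-STARTTLS
250 SMTPUTF8"""


def parse_ehlo(reply: str) -> dict:
    """Map each advertised extension to its parameters; accepts raw "250-EXT" lines or smtplib's stripped form."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 0 is the greeting
        parts = (line[4:] if line[:3].isdigit() else line).split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps


def tls_ok(version) -> bool:
    return TLS_RANK.get(version, 0) >= TLS_RANK["TLSv1.2"]  # M365 rejects anything older


def assess(before: dict, version, after: dict) -> list:
    """Turn probe results into findings a passbolt admin can act on."""
    findings = []
    if "STARTTLS" not in before:
        findings.append("no STARTTLS: a client configured to require TLS cannot send")
    elif not tls_ok(version):
        findings.append(f"negotiated {version}: below TLS 1.2, rejected by M365")
    if "AUTH" not in after:
        findings.append("no AUTH offered: relay is IP allow-listed, send no username/password")
    return findings


def probe(host: str, port: int = 25, timeout: float = 10.0):
    """Live check: returns (caps before STARTTLS, negotiated TLS version or None, caps after)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # fail like a strict client would
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        before = parse_ehlo(smtp.ehlo()[1].decode("ascii", "replace"))
        if "STARTTLS" not in before:
            return before, None, before
        smtp.starttls(context=ctx)
        version = smtp.sock.version()
        after = parse_ehlo(smtp.ehlo()[1].decode("ascii", "replace"))
    return before, version, after
```

Run `assess(*probe("your-relay-host"))` from inside the passbolt container so the probe leaves from the same IP address the relay connector allow-lists; the findings tell you whether the TLS floor or the credentials are the mismatch.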

@Milan Can you show the docker-compose.yml again after your changes? In PowerShell are you passing the username and password?

@Milan I also read that this error you are showing from the passbolt test could be related to Azure AD being used, which may explain why your local machine is working fine.

@garrett In PowerShell it doesn't matter if I use the username and password or not. Emails are sent through the SMTP relay in both cases.

@Milan Then I would think the difference is the machines themselves, i.e. the whitelisted IP address.