Emails not sending

Hi, I have trouble sending emails, even the test emails.It is not a problem with my provider, since it is not working with any provider.

Below are the results of ./bin/cake passbolt send_test_email --recipient=myworking@email.com

220] mail1.systemli.org ESMTP Postfix (Debian/GNU)
> EHLO localhost
[250] mail1.systemli.org
[250] PIPELINING
[250] SIZE 40960000
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
> STARTTLS
[220] 2.0.0 Ready to start TLS
> EHLO localhost
[250] mail1.systemli.org
[250] PIPELINING
[250] SIZE 40960000
[250] ETRN
[250] AUTH PLAIN
[250] AUTH=PLAIN
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING

A test email could not be sent.
Error: SMTP Error: 535 5.7.8 Error: authentication failed: Invalid authentication mechanism

I even tried echo QUIT | openssl s_client -starttls smtp -crlf -connect mail.systemli.org:587 which results in Verify return code: 0 (ok)

What could be the problem and how can I troubelshoot this?

Edit: healthcheck says everything is fine. This also does not work with my firewall disabled.

Ok, so I managed to send a mail with a different provider, that uses ssl only. Is there maybe something special I should put in my config to use STARTTLS?

Here are the only things I changed in the passbolt.php:

'host' => 'mail.systemli.org',
'port' => 587,
'username' => 'mymail@systemli.org',
'password' => 'mypass',
'tls' => true,

Did you see?
https://help.passbolt.com/configure/email/setup

I’m not sure what your issue is, but maybe did you try using SSL and not TLS?

I did, and I am sure the provider uses TLS, but out of desperation I also tried it with ssl://hostname and tls = null

nothing changed though. I will continue trying to manually connect to it via openssl.

OK, so I managed to connect to the smtp server with the right base64 command :slight_smile: This means, that the mailserver should be fine and accepting my username/password combo via STARTTLS and AUTH PLAIN. I think I should create a bug report, since I can connect to the server with 3 simple commands and my thunderbird never complained about the mail in the first place. This seems to be a problem with passbolt.

To recap, this is what I did to sucessfully authenticate to the server (from the the same machine that I want to run passbolt on). They are the same credentials that are in my passbolt config.

openssl s_client -starttls smtp -connect mail.systemli.org:587

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mail.systemli.org
verify return:1
---
Certificate chain
 0 s:CN = mail.systemli.org
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGbzCCBVegAwIBAgISBGHR1XwUmg1i7WGqRuGe4tv3MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA0MTAyMTIyMTRaFw0y
MDA3MDkyMTIyMTRaMBwxGjAYBgNVBAMTEW1haWwuc3lzdGVtbGkub3JnMIICIjAN
BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArt8YLgp6BWixjaSXFCr7Chk8iE6T
XIsakxCAuI9Jc1rokfiDEeAWTkkuWtfw10dT/FrPfWvS4kfSaB+TYgMK3E1caGsi
OhQC64znlMFGrCX1uMNynu8xlZ72+hddpB6aKp4UElDas+X0LQbLDmET+eA09mSr
R1mDiBhIGel/lx1bdBhm0aPahjyxiB2CiHW3z91A8olKBv07UGu7vmLfrDIZQX9i
dfvJKULqmURFfFPJVqFSbco4zHfd56uJ+4qrTY5lJwP9DKGQbqu9G42O6MYdLu0X
BKFEE4K4l/jn73ZmLKfRHbvJBZOfxbNRMeYstXjNo98gQS8eYHLTwl0p3de0Ee2p
/YiBZWb++8O34rU5gT0f/XCnuz/7k7gvNapLp2FReWzL+YGU0gen/GZU9VmTPFWL
7OGQN0R40ugwiTky6tqfle4315VRUHOKgWQkt0rXJgvGMRCOuxv+YBxnY3tAmRbL
g78yDNmisyIxQa8t3eVBPRZrRfO0zhxyrRtkhLn2SyacYFJ+mGpFzW9O7DekFg7M
6FrxDgGGQhZlNkYrCRMM/iuQZlqrUHhZFQV7P4je9dGgPgfjlPh+aZYjp9A1kcls
AscNZarnd/qmfTJPJGEWOEuTCn2hOFXOn+Or+Nbg1SvTk6pvi5vJO4WN2PeJyGFm
RwOEzbHHjNg/gzcCAwEAAaOCAnswggJ3MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU
5ssJNKJgFFKBAo7Um86p/GxXJV4wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl
7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5p
bnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5p
bnQteDMubGV0c2VuY3J5cHQub3JnLzAwBgNVHREEKTAnghFtYWlsLnN5c3RlbWxp
Lm9yZ4ISbWFpbDEuc3lzdGVtbGkub3JnMEwGA1UdIARFMEMwCAYGZ4EMAQIBMDcG
CysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5
cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHcAsh4FzIuizYogTodm+Su5
iiUgZ2va+nDnsklTLe+LkF4AAAFxZi+yagAABAMASDBGAiEAve69ssDIltgZhIlB
Rm5+XnAhJdL0/gXvwCD4wpr7CxYCIQCJSiMEeRSciiO8ThR5MeD5HD84bFX52TPl
icw3qjXYcQB2AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABcWYv
spgAAAQDAEcwRQIgeZQH7X3jI6SESmXvt0RKQBjNMzTGTge0ETEkr+0x7JACIQDL
xy4ULaiCZcDWPuWdAmy0xpW16z3ZEbBsujG9TM2PBzANBgkqhkiG9w0BAQsFAAOC
AQEAlVJpYiCRXvuk0SO6W4OXl2M/0Z1wHGCRPVJkv43Cihx+uU3sncP7MWM+5F9I
7XLn0tdTQ06hGXzLKIE01DKjsOxSfoEgQ8dcWGWsvAYPFsAjMZzPLAsDxA3PRG9M
+IS3ygf+f1dxdeKQlJkJRP/Suc0/9/eQ/E4Jxxvt6h/xLBs7hrodclrb2Ruwe2qr
TUdPnGMTy77r7vHo+XSW8mkKJtE80hoka4MC3MkmPKuiRdyW7A4vrXu3cz5Z+PJv
LkXf+prBk+Wrs+Vr8EoaVl0r5Cw1kWxRiByfUyPj4vPop+cWwU+e85jf8pFzQ/Cg
PZRE86fUH9Mz2m3k+yA87hCopw==
-----END CERTIFICATE-----
subject=CN = mail.systemli.org

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3868 bytes and written 422 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: FB7CF9BC41D4F455C1B364E63E36B67331A796AB0FCFAD0C729852F9F41CE33A
    Session-ID-ctx: 
    Resumption PSK: 72341A5625DD998D121419EA935B3D28846B2F2E4A3E731E60A7C5BC488B0AC090FBDEDF42615E491ED87566295B48E7
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 9a a2 b4 1f b2 b1 7f 13-82 fc ba 3f 32 ce 7e 0d   ...........?2.~.
    0010 - 14 be 26 a3 de df 5d d9-1e 77 6a 00 2a d0 ae 6f   ..&...]..wj.*..o
    0020 - 51 02 27 9d 5a 10 81 9d-17 7d 82 2b 9f de f0 8b   Q.'.Z....}.+....
    0030 - 33 0c 73 3e 40 20 af 75-79 50 ce 17 5d 7b 4d 3f   3.s>@ .uyP..]{M?
    0040 - 90 fb e7 63 c9 17 d5 55-e1 f9 67 fb ed 08 49 81   ...c...U..g...I.
    0050 - 65 a1 20 b4 8c de 50 13-40 eb 4c 3b fb 9a a3 a9   e. ...P.@.L;....
    0060 - 60 16 ba 40 59 c8 b7 e0-78 ef 3c f4 fc 56 3e d5   `..@Y...x.<..V>.
    0070 - 0a 00 3b fb 65 b3 67 c3-33 11 7c 70 90 43 04 e9   ..;.e.g.3.|p.C..
    0080 - 14 70 41 a6 e5 5d 8c 3a-e5 d3 a0 68 4f 8f 7e 84   .pA..].:...hO.~.
    0090 - 59 31 2d 67 c4 40 aa 00-06 ca 37 c6 b8 71 83 c4   Y1-g.@....7..q..
    00a0 - 60 91 cd 33 6b 15 74 e2-0a 5c 49 ac 75 8c 35 2e   `..3k.t..\I.u.5.
    00b0 - b2 be 28 8f 8f 0f 1b 9c-16 9c 56 4f 92 1a 4f ea   ..(.......VO..O.
    00c0 - 6f 17 ca 49 53 ce 21 a0-75 6a 6d 78 49 64 9c 3f   o..IS.!.ujmxId.?

    Start Time: 1590242316
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

EHLO there
250-mail1.systemli.org
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-AUTH PLAIN
250-AUTH=PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH PLAIN
334 
base64encoded \0user\0password
235 2.7.0 Authentication successful

Can you share your postfix configuration? Maybe someone with more experience can find some hint there.

I created an issue and am continuing the discussion there: