Help finding docs

Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[N/A] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue

Health check
/usr/share/php/passbolt$ sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.2.18.
 [PASS] PHP version is 8.1 or above.
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://crtyrdpw.org
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (4.8.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.
 [PASS] The database schema up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 31 tables found.
 [PASS] Some default content is present.

 [PASS] No error found. Nice one sparky!

Although this post was provoked by my experience trying to fix a health check warning, it isn’t about fixing the config so much as it is about finding the docs that would tell me how to fix the config.

After installing the AWS AMI version and setting up TLS and SMTP, my Passbolt instance is functionally working. But when I run the healthcheck it returns a few warnings, including this:

[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.

This instance is publicly available on the Internet so validating the MX records seems like an essential setting. Following the Help lines, I go find the passbolt.php file. It doesn’t have the setting I need so I track down the defaults file and copy just the one setting over, plus its containing array element, into passbolt.php thus:

// Email settings
'email' => [
    // Additional email validation settings
    'validate' => [
        'mx' => filter_var(env('PASSBOLT_EMAIL_VALIDATE_MX', true), FILTER_VALIDATE_BOOLEAN),
    ],
],

I restart nginx but the healthcheck doesn’t report it as changed. When I go looking for the docs that tell me what to restart, I stumble upon a command to restart FPM so I try that. No change. Is there some other process to restart? Can’t find anything that explains these files or what uses them so I punt and reboot the server. Still. No. Change. Arrrrgh!

The HELP lines mention an environment variable so I look for that in the docs and find this page with a notice that reads “These are available for use with both the Docker installation and the Helm installation”. Hmmm…I’m not using either of those. Do these apply to any other installation? Doesn’t say. Well, I don’t have any users yet so I’ll just set it and see what happens. Let me see where and how these are set…wait, what? There’s no mention of that on the page.

As a rule, the docs are authoritative so I always try there first. Failing that I go to the forum to see if anyone else had this issue and fixed it. In this case I did find a few posts where updating the file worked so I know I’m on the right track, but the posts lacked the context to diagnose it when the recommended change has no effect.

Obviously, I’d LOVE to get my MX records validating. But more importantly, I’d love to be able to investigate and diagnose issues myself. So I have to ask…

Where is the doc that explains the settings in the config files, allowable values for each, and what to bounce after making changes? I’ve searched the Developer docs, the Hosting docs, and the Admin docs with no luck. Given the critical nature of these files it seems unlikely such a doc would not exist, so I am assuming the problem here is me dropping the ball on finding it. Any pointers appreciated.

(And in the off chance such a doc does not exist, I’d love some tips on how to get MX validation working. )

Thanks – T.Rob

Hmmm…I thought this was going to be an easy one. Theoretically, warnings surfaced in the health check have docs on how to remediate, right?

Hey @tdotrob welcome to the forum!

This check is actually related to verification of the domain names of email addresses of the users you create in your passbolt instance. So if you have this check set to false you can create obviously fake email addresses, such as me@somefakedomain.local where if you set this to true it will verify the MX record of the domain and not allow you to create accounts with fake domains.

To fix this make sure you are under the passbolt heading and then you pretty much nailed the format:

'passbolt' => [
  'email' => [
    'validate' => [
      'mx' => true
    ]
  ],
]

Just be careful that you don’t have this under the Email configuration heading, as that is in regards to your SMTP server and this is in regards to a passbolt feature. So, not under this section:

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'localhost',
            'port' => 25,
            'username' => 'user',
            'password' => 'secret',
            // Is this a secure connection? true if yes, null if no.
            'tls' => null,
            //'timeout' => 30,
            //'client' => null,
            //'url' => null,
        ],
    ],
    'Email' => [
        'default' => [
            // Defines the default name and email of the sender of the emails.
            'from' => ['passbolt@your_organization.com' => 'Passbolt'],
            //'charset' => 'utf-8',
            //'headerCharset' => 'utf-8',
        ],
    ],
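As an added example (not code from this thread or from the passbolt project), the following stand-alone PHP script puts the two placements side by side: the top-level 'email' array from the first post, which the application never reads, and the same setting nested under the 'passbolt' key next to the SMTP transport sections. It also reads an actual config file by the same key path. The `env()` function is a stand-in for CakePHP's helper so the script runs with plain `php`; the `/etc/passbolt/passbolt.php` path is the one named in the healthcheck output above, and the script assumes that file, like the shipped template, simply returns the config array.

```php
<?php
// Added example, not from the thread or the passbolt project.
// Shows why the MX validation setting must sit under the 'passbolt' key
// and checks a config file by the same key path the application uses.

declare(strict_types=1);

// Stand-in for CakePHP's env() helper so this file runs on its own.
function env(string $key, mixed $default = null): mixed
{
    $value = getenv($key);
    return $value === false ? $default : $value;
}

// Wrong placement (what the first post did): 'email' at the top level.
// Nothing in passbolt looks at $config['email'], so this has no effect.
$misplaced = [
    'email' => [
        'validate' => [
            'mx' => filter_var(env('PASSBOLT_EMAIL_VALIDATE_MX', true), FILTER_VALIDATE_BOOLEAN),
        ],
    ],
];

// Correct placement: nested under 'passbolt', beside (not inside) the SMTP
// transport sections, which describe the mail server and are unrelated.
$correct = [
    'EmailTransport' => [
        'default' => [
            'host' => 'localhost',
            'port' => 25,
            'tls' => null,
        ],
    ],
    'passbolt' => [
        'email' => [
            'validate' => [
                'mx' => true,
            ],
        ],
    ],
];

// Reads the flag the way the application does: by the full key path.
// A missing key counts as "off", which is what the healthcheck warns about.
function mxValidationEnabled(array $config): bool
{
    return (bool)($config['passbolt']['email']['validate']['mx'] ?? false);
}

// Loads a passbolt.php that returns its config array and reports the flag.
// Returns null when the file cannot be read or does not return an array.
function mxValidationFromFile(string $path): ?bool
{
    if (!is_readable($path)) {
        return null;
    }
    $config = require $path;
    return is_array($config) ? mxValidationEnabled($config) : null;
}

var_dump(mxValidationEnabled($misplaced));
var_dump(mxValidationEnabled($correct));

// Optional: point the script at a real file (path from the thread, or argv[1]).
$file = $argv[1] ?? '/etc/passbolt/passbolt.php';
$fromFile = mxValidationFromFile($file);
echo $file, ': ',
    $fromFile === null ? 'not readable or does not return an array'
                       : ($fromFile ? 'MX validation on' : 'MX validation off'),
    PHP_EOL;
```

Run it as `php check-mx.php` (or `php check-mx.php /path/to/passbolt.php`); the first two dumps come out false and true respectively, which is the whole point of the nesting. Because `bin/cake passbolt healthcheck` starts a fresh PHP process that loads the config file each time, re-running the healthcheck after editing the file is the quickest confirmation that the key landed in the right place.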

Thanks, that did the trick!