How can passbolt reference Root CA from organization for SMTP?

Apologies for resurrecting an old thread.

I’m currently deploying a Passbolt server internally and sending email via an internal smarthost server (Postfix), which has a certificate signed by our internal CA. (All corporate CAs are self-signed, if you will.)

So is there a way to add a root CA to the trust store that Passbolt uses so that TLS can be used for sending email? We’d like to use TLS also for internal email transport.

This even older post alludes to pointing to a root ca for email TLS verification. Passbolt SMTP TLS Problems - #9 by Gerold

But there are several files which reference EmailTransport:

user@host:~$ sudo grep EmailTransport /etc/ -R
grep: /etc/systemd/system/sysinit.target.wants/systemd-timesyncd.service: No such file or directory
grep: /etc/systemd/system/dbus-org.freedesktop.timesync1.service: No such file or directory
grep: /etc/alternatives/php-fpm.sock: No such device or address
/etc/passbolt/passbolt.default.php:    'EmailTransport' => [
/etc/passbolt/app.default.php:    'EmailTransport' => [
/etc/passbolt/bootstrap.php:Configure::write('EmailTransport.default.className', SmtpTransport::class);
/etc/passbolt/bootstrap.php:Configure::write('EmailTransport.Debug.className', DebugTransport::class);
/etc/passbolt/bootstrap.php:TransportFactory::setConfig(Configure::consume('EmailTransport'));
/etc/passbolt/app.php:    'EmailTransport' => [

So which one to change, would these edits survive Passbolt updates? Wouldn’t it be nice to expose this option in the GUI?

Hi @dmgeurts, welcome to the forum!

(I moved your question to a new thread.)

For internal email server scenarios, the email server has all the power to require whatever it wants. Does it require TLS? These days passbolt SMTP settings are handled in the app itself: Administration > Email server. The Use TLS option should be set to Yes.

Does your mail server establish the TLS connection using a self-signed cert? The issue that creates, which I think you are noticing, is whether that cert can be validated by other machines (your passbolt install, for example).

Assuming you have installed passbolt via the package, and the app is running on the OS and not a Docker container, you would be needing to add your org’s CA to the existing ssl ca-certificates folder. This is typically found in /etc/ssl/certs. Most of the listings in that directory are likely symlinked to a cert found somewhere else. But, it’s possible to simply add your cert there.

In postfix on the mail server, you will typically find the following settings in main.cf:

smtpd_tls_key_file = 
smtpd_tls_cert_file = 
smtpd_tls_CAfile = 
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

(The above settings are for Postfix versions lower than 3.6.)
ref: Postfix Configuration Parameters

Reference what is listed for the smtpd_tls_CAfile setting as that will be the cert you want to use.

The protocol settings will determine what protocol is permitted. The prior thread you posted in was confusing what is accommodated by passbolt vs what is required by the mail server. (If everything is internal, some may not need TLS at all, etc)

You won’t need to change anything in the source code, and you won’t need to disable host validation in config or anything like that. If your org’s CA cert is found in /etc/ssl/certs that should be enough when the handshake with the server occurs.

If you have concerns that the certs you are working with may not be complete or have all the required parts, please look at Passbolt Help | Troubleshoot SSL

Hope this helps

Edit: in addition to the post you referenced, feel free to try those settings. If it doesn’t work, post back with details of your OS, passbolt version, and provide your current config settings.
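As an added example (not code from the thread or from passbolt), the shell script below installs the organization root CA the Debian/Ubuntu way, so the entry in /etc/ssl/certs is a managed symlink that survives package updates, and then runs the same STARTTLS handshake against the smarthost and reads back openssl's verify return code. The CA file path, the `corp-root-ca` name and the smarthost host/port are assumed placeholders.

```shell
#!/bin/sh
# Added example: install an org root CA into the system trust store that a
# package-installed passbolt uses, then verify the smarthost's STARTTLS chain.
# Assumes Debian-style update-ca-certificates and the openssl CLI are present.
set -eu

# Read `openssl s_client` output on stdin and print the numeric verify return
# code (0 = chain verified). Prints -1 if no verify line is present, e.g. when
# the TCP connection or the STARTTLS negotiation failed before the handshake.
parse_verify_code() {
    code=$(sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${code:--1}"
}

# Install a PEM-encoded CA (path is a placeholder) through ca-certificates so
# the resulting /etc/ssl/certs symlink is regenerated rather than overwritten
# when the ca-certificates package is updated. Needs root.
install_org_ca() {
    ca_pem=$1                                      # e.g. /tmp/corp-root-ca.pem
    openssl x509 -in "$ca_pem" -noout >/dev/null   # refuse anything but a PEM cert
    cp "$ca_pem" /usr/local/share/ca-certificates/corp-root-ca.crt
    update-ca-certificates
}

# Perform the STARTTLS handshake passbolt's SMTP transport will perform, using
# the same system CA path, and report whether the server chain verifies.
# Use port 465 without -starttls if the smarthost uses implicit TLS instead.
check_smtp_tls() {
    host=$1; port=${2:-587}
    out=$(openssl s_client -starttls smtp -connect "$host:$port" \
          -servername "$host" -CApath /etc/ssl/certs </dev/null 2>&1 || true)
    code=$(printf '%s\n' "$out" | parse_verify_code)
    if [ "$code" = "0" ]; then
        echo "OK: $host:$port certificate chain verifies against /etc/ssl/certs"
        return 0
    fi
    echo "FAIL: openssl verify return code $code (expected 0)" >&2
    printf '%s\n' "$out" | grep -E 'depth=|verify error|Verify return' >&2 || true
    return 1
}

# Run the check only when explicitly asked, e.g.:
#   ./smtp-ca-check.sh --check smarthost.example.internal 587
if [ "${1:-}" = "--check" ]; then
    check_smtp_tls "$2" "${3:-587}"
fi
```

A verify return code of 20 ("unable to get local issuer certificate") is the signature of the CA not being in the trust store yet; after install_org_ca the same check should report 0.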