Make send test email command recipient parameter mandatory instead of sending test email to no-reply@passbolt.com

Hi All,

I just noticed that passbolt sends the cli test email to no-reply@passbolt.com even though a from email has been set in /etc/passbolt/passbolt.php

         ____                  __          ____  
        / __ \____  _____ ____/ /_  ____  / / /_ 
       / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
      / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
     /_/    \__,_/____/____/_.___/\____/_/\__/   

     Open source password manager for teams
    -------------------------------------------------------------------------------
     Debug email shell
    -------------------------------------------------------------------------------
    Email configuration
    -------------------------------------------------------------------------------
    Host: smtp.domain.com
    Port: 587
    Username: no-reply@mydomain.com
    Password: *********
    TLS: true
    Sending email from: Passbolt | xxxxxx <no-reply@mydomain.com>
    Sending email to: no-reply@passbolt.com
    -------------------------------------------------------------------------------
    Trace
    [220] mx.mydomain.com SMTP Server ready November 3, 2022  PM PDT
    > EHLO localhost
    [250] mx.mydomain.com Hello localhost (ipx.xxx.xxx.xxx (ipx.xxx.xxx.xxx))
    [250] STARTTLS
    [250] SIZE 53477376
    > STARTTLS
    [220] Ready to start TLS.
    > EHLO localhost
    [250] mx.mydomain.com Hello localhost (ipx.xxx.xxx.xxx (ipx.xxx.xxx.xxx))
    [235] Authentication Successful
    > MAIL FROM:<*****>
    [250] Sender <*****> OK
    > RCPT TO:<no-reply@passbolt.com>
    [250] Recipient <no-reply@passbolt.com> OK
    > DATA
    [354] Ok Send data ending with <CRLF>.<CRLF>
    > From: "Pasbolt Title" <*****>
    To: no-reply@passbolt.com
    Date: Thu, 03 Nov 2022 time +0000
    Message-ID: <xxxxxxxxxxxxxxxxxxxxx@vault>
    Subject: Passbolt test email
    MIME-Version: 1.0
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit

    Congratulations!
    If you receive this email, it means that your passbolt smtp configuration is working fine.

    .
    [250] Message received
    > QUIT
    The message has been successfully sent!

This is extremely concerning when it comes to security. :thinking:

How is the email security for no-reply@passbolt.com handled?
Is the data deleted or stored for viewing purposes?
Are there any terms attached to sending data to no-reply@passbolt.com?

Regards,
Bond

Found the source:

location: /usr/share/php/passbolt/src/Command/SendTestEmailCommand.php

line: 143 - 157

    /**
     * Get recipient email address.
     *
     * Falls back to no-reply@passbolt.com when --recipient is not given,
     * so the test email leaves the server even without a recipient.
     *
     * @param \Cake\Console\Arguments $args Arguments.
     * @return string
     */
    protected function getRecipient(Arguments $args): string
    {
        // Value of the optional --recipient=<address> CLI option (null when absent).
        $recipient = $args->getOption('recipient');
        if (!is_string($recipient) || empty($recipient)) {
            // No usable recipient given: default to passbolt's no-reply address.
            $recipient = 'no-reply@passbolt.com';
        }

        return $recipient;
    }

How come passbolt does not check for a valid admin user (userID == 1) before sending a test mail to no-reply@passbolt.com?

Regards,
Bond

What is the security risk? Maybe a privacy issue if you don’t want passbolt to know your email address? Someone else will have to answer about the no-reply email account.

The command is supposed to include a --recipient=address parameter if you want it to go to a particular address. The from only sets where it will say it’s from. I do think it’s misleading (prone to misunderstanding) if the response language is suggesting the user should receive the email when it was actually sent to the no-reply at passbolt account. That could be changed for clarification.

However, the connection worked so it has value in that regard.

I’m not following this part, can you explain more:

> The command requires root/webserver user to run if file permissions are set properly.

> How come passbolt does not check for a valid admin user (userID == 1) before sending a test mail to [no-reply@passbolt.com](mailto:no-reply@passbolt.com)?

This is because this command can be used before any user is installed (e.g. for example the send test email during the webinstaller).

The no-reply@passbolt.com doesn’t exist, it will just bounce. You can try it yourself by sending an email to this address. We do not read these messages.

We could change this command to make the recipient option mandatory though.

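What making the recipient option mandatory could look like, as an added example that is not passbolt's code: the same method shape as the snippet above, but it refuses to run without a syntactically valid `--recipient` instead of defaulting to no-reply@passbolt.com. The `Arguments` class is CakePHP's as in the original snippet; the function name and the exception messages are my own.

```php
<?php
declare(strict_types=1);

use Cake\Console\Arguments;

/**
 * Get the recipient email address for the test email.
 *
 * Unlike the shipped getRecipient(), this version never substitutes a
 * default address: a missing or malformed --recipient aborts the command
 * before any SMTP connection is opened, so no message (and no Received:
 * headers carrying the server's addresses) leaves the host unintentionally.
 *
 * @param \Cake\Console\Arguments $args Parsed CLI arguments.
 * @return string Validated recipient address.
 * @throws \InvalidArgumentException When --recipient is absent or invalid.
 */
function getRecipientStrict(Arguments $args): string
{
    $recipient = $args->getOption('recipient');

    // Absent option or empty/whitespace-only value: fail instead of defaulting.
    if (!is_string($recipient) || trim($recipient) === '') {
        throw new \InvalidArgumentException(
            'The --recipient option is mandatory, e.g. --recipient=admin@example.com'
        );
    }

    $recipient = trim($recipient);

    // Reject values that are not a single syntactically valid address
    // (e.g. "a@b.com,c@d.com" or a bare hostname) so the check cannot be
    // bypassed by passing junk that the mail layer might still accept.
    if (filter_var($recipient, FILTER_VALIDATE_EMAIL) === false) {
        throw new \InvalidArgumentException(
            sprintf('"%s" is not a valid email address for --recipient', $recipient)
        );
    }

    return $recipient;
}
```

Inside the actual command class the exception would typically be turned into `$io->error(...)` plus a non-zero exit code, and the web installer's test-email step would need the same mandatory-recipient rule.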

The security risk would be the leaking of Public IPs to the no-reply email. In each email sent the mail headers contain all the information of the client → server → recipient and it can be viewed by the recipient.

It’s a security/privacy risk for the user end if the no-reply emails are viewed and mail headers are checked. In that way passbolt could locate private server ips that have passbolt installations.

I have tried sending to the no-reply email, that’s how I noticed this. I was messing around with the cli interface and sent a test email. I saw the success response but I never received the email. Then I did the second try with --verbose enabled.

That’s when I saw a private IP of mine (mail headers) and had to make a few switches lol. Never leaked an IP like that before, which was funny and concerning at the same time.

No harm, no foul as you did say that the email does not exist and simply bounces.

I think personally that changing it for both the webInstaller and cli interface to require a recipient, would be a good idea for the client side end.

Regards,
Bond

If you hadn’t tried sending to the no-reply email, what would be the risk then?

Also, hiding local/client ip addresses is configurable in postfix, not sure what mail server you are using.

I only noticed it from testing the cli send_test_email, there should not be a risk to passbolt due to this. In my case I leaked my server IP running the test command without the recipient. Privacy/security risk on the clients end not passbolt itself, although Remy has noted that the no-reply email does not exist and just bounces. So that’s a plus :slight_smile:

Maybe a notification would have stopped me from sending the test email.

Personally, I have not looked for security flaws, since passbolt has had a security audit in 2021 (if I’m not mistaken).

If I do find actual security flaws etc., that will be sent directly to the passbolt team (security@passbolt.com) in order to avoid in-the-wild attacks on passbolt. Don’t think it would be wise to post on the forum. This was a minor issue that does not lead to a security breach so it’s acceptable.

In my case, I need the IP in order to determine who sent mail from where etc.

Regards,
Bond

The IP of the sending user wouldn’t be hidden from the mail server, only hidden from the recipient of the outgoing message. We can remove things from the headers like this: email - Remove/hide client sender ip from postfix? - Server Fault

Public IPs can’t really be leaked because they are public, but this helps with the local ones. The recipient’s mail server would still have the public IP of your mail server to run verifications so it won’t cause any problems there.