Make send test email command recipient parameter mandatory instead of sending test email to

Hi All,

I just noticed that passbolt sends the cli test email to even though a from email has been set in /etc/passbolt/passbolt.php

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
 Debug email shell
Email configuration
Port: 587
Password: *********
TLS: true
Sending email from: Passbolt | xxxxxx <>
Sending email to:
[220] SMTP Server ready November 3, 2022  PM PDT
> EHLO localhost
[250] Hello localhost ( (
[250] SIZE 53477376
[220] Ready to start TLS.
> EHLO localhost
[250] Hello localhost ( (
[235] Authentication Successful
> MAIL FROM:<*****>
[250] Sender <*****> OK
> RCPT TO:<>
[250] Recipient <> OK
[354] Ok Send data ending with <CRLF>.<CRLF>
> From: "Pasbolt Title" <*****>
Date: Thu, 03 Nov 2022 time +0000
Message-ID: <xxxxxxxxxxxxxxxxxxxxx@vault>
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If you receive this email, it means that your passbolt smtp configuration is working fine.

[250] Message received
The message has been successfully sent!

This is extremely concerning when it comes to security. :thinking:

How is the email security for handled ?
Is the data deleted or stored for viewing purposes ?
Are there any terms attached to sending data to ?


Found the source:

location: /usr/share/php/passbolt/src/Command/SendTestEmailCommand.php

line: 143 - 157

     * Get recipient email address.
     * @param \Cake\Console\Arguments $args Arguments.
     * @return string
    protected function getRecipient(Arguments $args): string
        $recipient = $args->getOption('recipient');
        if (!is_string($recipient) || empty($recipient)) {
            $recipient = '';

        return $recipient;

How come passbolt does not check for a valid admin user (userID == 1) before sending a test mail to


What is the security risk? Maybe a privacy issue if you don’t want passbolt to know your email address? Someone else will have to answer about the no-reply email account.

The command is supposed to include a --recipient=address parameter if you want it to go to a particular address. The from only sets where it will say it’s from. I do think it’s misleading (prone to misunderstanding) if the response language is suggesting the user should receive the email when it was actually sent to the no-reply at passbolt account. That could be changed for clarification.

However, the connection worked so it has value in that regard.

I’m not following this part, can you explain more:

The command requires root/webserver user to run if file permissions are set properly.

How come passbolt does not check for a valid admin user (userID == 1) before sending a test mail to [](

This is because this command can be used before any user is installed (e.g. for example the send test email during the webinstaller).

The doesn’t exist, it will just bounce. You can try it yourself by sending an email to this address. We do not read this messages.

We could change this command to make the recipient option mandatory though.

1 Like

The security risk would be the leaking of Public IPs to the no-reply email. In each email sent the mail headers container all the information of the client → sever → recipient and it can be viewed by the recipient.

It’s a security/privacy risk for the user end if the no-reply emails are viewed and mail headers are checked. In that way passbolt could locate private server ips that have passbolt installations.

I have tried sending to the no-reply email, that’s how noticed this. I was messing around with the cli interface and sent a test email. I saw the success response but i never received the email. Then I did the second try with --verbose enabled.

That’s when i saw a private IP of mine (mail headers) and had to make a few switches lol. Never leaked an IP like that before, which was funny and concerning at the same time.

No harm, no foul as you did say that the email does not exist and simply bounces.

I think personally that changing it for both the webInstaller and cli interface to require a recipient, would be a good idea for the client side end.


If you hadn’t tried sending to the no-reply email, what would be the risk then?

Also, hiding local/client ip addresses is configurable in postfix, not sure what mail server you are using.

I only noticed it from testing the cli send_test_email, there should not be a risk to passbolt due to this. In my case I leaked my server IP running the test command without the recipient. Privacy/security risk on the clients end not passbolt itself, although Remy has noted that the no-reply email does not exist and just bounces. So that’s a plus :slight_smile:

Maybe a notification would have stopped me from sending the test email.

Personally, i have not looked for security flaws, since passbolt has had a security audit in 2021.(if i’m not mistaken)

If I do find actual security flaws etc, that will be sent directly to passbolt team ( in order to avoid passbolt in the wild attacks. Don’t think it would be wise to post on the forum. This was a minor issue that does not lead to a security breach so it’s acceptable.

In my case, I need the IP in order to determine who sent mail from where etc.


The IP of the sending user wouldn’t be hidden from the mail server, only hidden from the recipient of the outgoing message. We can remove things from the headers like this: email - Remove/hide client sender ip from postfix? - Server Fault

Public IPs can’t really be leaked because they are public, but this helps with the local ones. The recipient’s mail server would still have the public IP of your mail server to run verifications so it won’t cause any problems there.