Passbolt CE Docker rootless :: Invitation emails are not received

Hi everyone,

I have installed Passbolt CE using Docker Rootless.

Everything seems to be working regarding the SMTP configuration:

  • The test emails are sent successfully.

  • Notification emails (e.g., when a folder is shared) are also working fine.

However, users do not receive “invitation” emails. I don’t see any errors in the GUI, the logs, or the database. It seems like the invitation emails are stuck in the queue. But they are processed because I see the status changed.

Thanks for your help!

$ ./cake version
5.2.9
$ ./cake passbolt healthcheck

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell
 If you want to have more information about the different checks, please take a look at the documentation: https://www.passbolt.com/docs/admin/server-maintenance/passbolt-api-status/.                                                      
-------------------------------------------------------------------------------

 Environment

 [INFO] Linux 13c0fb742908 6.8.0-101-generic #101-Ubuntu SMP PREEMPT_DYNAMIC Mon Feb  9 10:15:05 UTC 2026 x86_64 GNU/Linux
 [PASS] PHP version 8.4.16.
 [PASS] PHP version is 8.2 or above.
 [PASS] 64-bit architecture system detected.
 [INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory /var/log/passbolt/ and its content are writable.
 [WARN] System clock and NTP service information cannot be found.
 [HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to http://192.168.2.20:8686
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chown -Rf root:www-data /etc/passbolt/jwt/
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.key
 [HELP] sudo chmod 640 /etc/passbolt/jwt/jwt.pem
 [PASS] A valid JWT key pair was found.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (5.9.0).
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [FAIL] App.fullBaseUrl is not set to HTTPS.
 [HELP] Check App.fullBaseUrl url scheme in /etc/passbolt/passbolt.php.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 35 tables found.
 [PASS] Some default content is present.
 [PASS] The database version is supported.

 Metadata

 [PASS] The server is able to decrypt the metadata private key.
 [PASS] Active metadata key found or not required.
 [PASS] The server has access to the metadata keys or does not require access to it.
 [PASS] The server metadata private key is valid.

 [FAIL] 3 error(s) found. Hang in there!

**Checklist**
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

Hi Christophe, hope you’re doing well.

I just wanted to ask a few questions first:

Which SMTP server are you using?

Did you enable the notifications in the passbolt interface? See below.

Hope this helps.

Cheers

Thomas

Hi !

Thanks for your answer.
I use the OVH SMTP server: ssl://ssl0.ovh.net
All notifications are checked.

Christophe

Okay, thank you for the information. First, can you send an email in the shell like below?

Did you try to check and follow this troubleshooting guide? It could be for many reasons; the most common ones are:

  • The cron job to send email is missing
  • Email notifications are disabled in the config

Let me know once you have checked the documentation and if it’s still not working.

Hope this helps

thomas

Hi,

I have already checked the troubleshooting guide.
I have also seen a lot of messages on the forum saying that the invitation message was not sent, but none of the solutions worked.
Here is the test send mail result:

$ ./cake passbolt send_test_email --recipient=*************************

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

Open source password manager for teams

Debug email shell

Email configuration

Host: ssl://ssl0.ovh.net

Port: 465
Username: *************************
Password: *********
TLS: false
Sending email from: *************************
Sending email to: *************************

Trace
[220] GARM-103G005 Tuesday, March 10, 2026
EHLO ssl0.ovh.net
[250] OVH SMTP PROXY Hello
[250] SIZE 104857600
[250] ENHANCEDSTATUSCODES
[250] AUTH LOGIN PLAIN
[250] AUTH=LOGIN PLAIN
[250] 8BITMIME
AUTH PLAIN *****
[235] 2.7.0 Authentication successful
MAIL FROM:<>
[250] 2.1.0 Ok
RCPT TO:
****************************
[250] 2.1.5 Ok
DATA
[354] OK
From:*** ************************* <>
To: *************************
Date: Tue, 10 Mar 2026 12:48:03 +0000
Message-ID: c621c32a0c254fa5a07c59cf18890b90@13c0fb742908
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Congratulations!
If you receive this email, it means that your passbolt smtp configuration is working fine.

.
[250] 2.0.0 Ok: 937 bytes queued as 9BB94C03C8
QUIT
The message has been successfully sent!

I

Okay, thank you for the reply.

If your SMTP server is still not working, I need you to provide me with more information:

Can you show me your email queue entries to see what error you got?

Are you using a self-signed certificate?

Your ENV variables in your docker-compose.yaml

And your logs in /var/www/passbolt/error.log or /var/passbolt/error.log

I will help you until you can send emails 🙂
Thanks

thomas


G’day Christophe,

Since your test emails and folder sharing notifications work fine, the cron job and SMTP configuration are clearly functioning. The issue is specific to invitation emails. A few things to check:

1. Check the email queue for errors on invitation emails

./cake passbolt show_queued_emails --failed

Also check the full queue to see the status of the invitation entries:

./cake passbolt show_queued_emails --limit 50

If the invitation emails show errors, that will point to the cause.

2. Try manually processing the queue

./cake passbolt email_digest send

Watch the output for any errors. This forces immediate processing and will show you if something fails.

3. Check App.fullBaseUrl

Your healthcheck shows App.fullBaseUrl is set to http://192.168.2.20:8686. Invitation emails contain a registration link using this URL. Some SMTP providers (including OVH) may flag or silently drop emails containing links to private/non-routable IP addresses. If possible, try setting App.fullBaseUrl to a proper hostname or public URL instead.

4. Verify the invitation notification is enabled

Check that the environment variable PASSBOLT_EMAIL_SEND_USER_CREATE is not set to 0, or verify in Administration > Email Notifications that “When a new user is invited” is ticked.

The most likely culprit is point 3: the private IP in the registration link may be causing OVH to silently reject or filter the invitation emails, while simpler notification emails (like folder sharing) pass through fine because their content is less likely to trigger filtering.

Let us know what show_queued_emails reveals.

Cheers
Gareth

Here is the queue:

I don’t have a certificate. I don’t have /var/passbolt/error.log, nor /var/www/passbolt/error.log.

Hi!

Thanks for your help.
Here are some answers:

$ ./cake passbolt show_queued_emails --failed

     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

Open source password manager for teams

List of queued emails:
No records found.

  1. For ./cake passbolt email_digest send, I don’t get any result.

  2. I need more time for this one.

  3. When I try to display the env var PASSBOLT_EMAIL_SEND_USER_CREATE, I get nothing. In the DB it seems to be OK:

Hi,

I think I solved the issue by adding time synchronization. Also, in the meantime, I switched to using the URI instead of an IP address.

But I just found another issue. Each new user has a warning “missing metadata key”. Can it be due to a bad configuration, since my previous config used an IP address?
After fixing this, will I need to apply a fix like this: https://community.passbolt.com/t/the-server-metadata-private-key-is-not-valid-unable-to-validate-metadata-private-key-id-uuid-cleartext-data/13666/4 ?

And in the health status I have this:

Hi,

I successfully fixed the metadata private key issue with the solution from https://community.passbolt.com/t/the-server-metadata-private-key-is-not-valid-unable-to-validate-metadata-private-key-id-uuid-cleartext-data/13666/4

Christophe
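
Added example (not part of the original thread and not passbolt's own code): a small parser for the `./cake passbolt healthcheck` output format shown in the first post. It pulls out each FAIL/WARN with its HELP lines and flags a base URL that is plain HTTP or an IP literal, which covers the clock/NTP warning and the IP-based `App.fullBaseUrl` that were changed before the invitations went through. The names `triage` and `base_url_risks` are chosen here, and the sample is a condensed excerpt of the posted output.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ITEM = re.compile(r"^\s*\[(PASS|FAIL|WARN|INFO|HELP)\]\s+(.*)$")
BASE_URL = re.compile(r"Full base url is set to (\S+)")
# Condensed excerpt of the healthcheck output posted in this thread (blank lines dropped).
SAMPLE = """\
 Environment
 [WARN] System clock and NTP service information cannot be found.
 [HELP] See `timedatectl | grep -i -A 1 clock`.
 Core config
 [PASS] Full base url is set to http://192.168.2.20:8686
 JWT Authentication
 [FAIL] The /etc/passbolt/jwt/ directory should not be writable.
 [HELP] You can try:
 [HELP] sudo chmod 750 /etc/passbolt/jwt/
"""

def triage(text):
    """Return (findings, base_url): FAIL/WARN items with their HELP lines, per section."""
    findings, section, current = [], None, None
    for line in text.splitlines():
        m = ITEM.match(line)
        if not m:
            if line.strip() and not line.strip().startswith("-"):
                section = line.strip()  # bare text line = section heading
            continue
        level, msg = m.groups()
        if level == "HELP" and current:
            current["help"].append(msg)  # remediation hint for the last finding
        elif level in ("FAIL", "WARN"):
            current = {"section": section, "level": level, "msg": msg, "help": []}
            findings.append(current)
        elif level != "HELP":
            current = None  # PASS/INFO ends the previous finding
    url = BASE_URL.search(text)
    return findings, url.group(1) if url else None

def base_url_risks(url):
    """Flag a base URL that is not HTTPS or whose host is an IP literal."""
    risks = [] if urlsplit(url).scheme == "https" else ["not-https"]
    try:
        ip = ipaddress.ip_address(urlsplit(url).hostname or "")
        risks.append("private-ip" if ip.is_private else "ip-literal")
    except ValueError:
        pass  # host is a DNS name, nothing to flag
    return risks
```

To run it against a live instance, pipe the healthcheck output from the container into a script that calls `triage(sys.stdin.read())`.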
