Passbolt self hosted does not send password recovery email only from administrator

Hello friends!

I use the passbolt in my own structure and I have a very serious problem.

When I try to recover the password of the primary user, who holds all passwords and groups, the recovery email does not arrive in the inbox.

The recovery email usually arrives to the other users of my instance.

Has anyone been through this or have any idea how to solve it?

I have already managed to recover the password of this user several times, but this time the recovery email does not arrive.

I am desperate because this user is the administrator of all passwords and groups in my instance.


Hi @angelogelaskoctbz

Without knowing the issue of why your email is not being either delivered or received, you could attempt to manually begin the recovery through these two steps:

Step 1: Get the recovery token from the database with this SQL command:
select user_id, token from authentication_tokens where user_id = (select id from users where username = '') and type = 'recover' order by created DESC;

Replace with your email of record. Take the first one on the list of results.

Step 2: Build URL with user_id and token:

I’m experiencing the very same problem using passbolt-ce-server 3.6.0 (natively on Debian)

cake passbolt send_test_email successfully send emails (using localhost:25 which point to msmtpd), but recovery emails are not sent by Passbolt (no trace of even an attempt of sending them).

And still, tokens are created in the DB, eg:

| id                                   | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f | active | created             | modified            | type     | data |
| 51b5b94a-6317-4f4b-8c2b-bfcbd505cc55 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-07-01 00:45:54 | 2022-07-01 00:45:54 | recover  | NULL |
| d016b670-bf5f-4ff2-b326-4e3e9b094060 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-07-01 00:19:37 | 2022-07-01 00:19:37 | recover  | NULL |
| 2743e292-2761-4368-88ab-0b1885af3f58 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-07-01 00:14:31 | 2022-07-01 00:14:31 | recover  | NULL |
| 77862da0-1359-4a05-8090-dc9262534466 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-06-30 23:58:44 | 2022-06-30 23:58:44 | recover  | NULL |
| 2b233ecc-c845-446b-af2c-0136f6cd5f18 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-06-30 12:45:27 | 2022-06-30 12:45:27 | recover  | NULL |
| 32da1dba-46c2-4cbf-b60b-2a57a9728e37 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-06-30 12:43:47 | 2022-06-30 12:43:47 | recover  | NULL |
| c357572e-c410-4614-88c9-95ccf9c8694b | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-06-30 12:39:35 | 2022-06-30 12:39:35 | recover  | NULL |
| c35e05f7-e4e4-4550-a8fc-582487ed2886 | foobar | 7474b79a-4626-4e39-a828-532c8b9c658f |      1 | 2022-06-30 11:56:04 | 2022-06-30 11:56:04 | recover  | NULL |

I tried to enable debug (/etc/passbolt/passbolt.php, "debug" => true, ...) but no /var/log/passbolt/debug.log even though owner/perms are correct and the error.log works, but does not provide any information)

How could I further debug the recovery email process and its state?

Thank you!

Hi @drzraf in the Administration/EmailNotifications section of the app do have you the second option enabled as show here:

Also: Passbolt Help | Why are my emails not being sent?
There are other possible reasons for this, like no CRON running, etc.

  1. I couldn’t access the backend (without launching mysql as suggested previously).
  2. In the administration, the notification are on (btw, I’d expect th admin to always recovery notifications independently of this setting)
    Screenshot from 2022-07-01 22-19-45
  3. I read Passbolt Help | Why are my emails not being sent? but none of the causes mentioned seems adequate.

How/where could I check the email where actually enqueued so that if it’s a cron problem, I should be able to find traces of pending/unsent emails somewhere in the DB or the FS ?

@drzraf Regarding CRON jobs on the current package install with debian, #3 in the email troubleshooting link above explains you should be able to find a job configured at /etc/cron.d/passbolt-ce-server which runs every minute and on my Ubuntu install appears in syslog and looks like:

Jul  1 23:00:01 pubweb60 CRON[334776]: (www-data) CMD ($PASSBOLT_BASE_DIR/bin/cron)

You mentioned you are sending to localhost at port 25…so I would guess (without knowing more about your email configuration) that your messages might be stored in the local mail queue.

Your /var/log/mail.log would have messages regarding outgoing emails and if there are none there, you might want to look for a file in /var/mail/ which would contain messages for a server user like www-data that were received locally.

Also, how is your healthcheck report?

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
 Healthcheck shell        


 [PASS] PHP version 7.4.28.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [FAIL] Debug mode is on.
 [HELP] Set debug = false; in config/passbolt.php
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://xxxx
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate


 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.6.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 [FAIL] 1 error(s) found. Hang in there!

I tried enabling debug, but:

ll /var/log/passbolt/
-rw-r--r-- 1 www-data www-data    0  1 juil. 02:51 cli-error.log
-rw-r--r-- 1 www-data www-data    0  1 juil. 02:51 debug.log
-rw-r----- 1 www-data www-data    0  4 juil. 00:00 error.log
-rw-r----- 1 www-data www-data 1989  3 juil. 14:24 error.log.1  ## Just a couple of 404 / MissingRouteException

Regarding cron, it runs, indeed, every minute and it’s unlikely to be an issue with sendmail because I don’t see even an attempt to run anything mail-related. That’s why I want to know whether passbolt actually even tried.

If email are sent by bin/cron, it means that passbolt creates and store sent intents somewhere inside the DB or the filesystem (a queue). Could you help me find them? My guess is that the bug lays inside PHP which does not actually call sendmail() even though it shows “Check your inbox”.

@drzraf Look for a db table called email_queue.