Passbolt SMTP TLS Problems

Hi Folks, I was successful in installing and running Passbolt on Ubuntu 20.04; also the https URL in my internal network is working great with a self-signed certificate from my Windows CA. The issue I have is that Passbolt is not sending e-mails.

I already set up the e-mail configuration in passbolt.php, but first of all I'm using an internal SMTP relay server on port 25 with anonymous access, so there is no need for a user.

If I am using the command

./bin/cake passbolt send_test_email --recipient=mymail@mail.com

I'm getting the following error:

A test email could not be sent.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

My passbolt.php configuration is the following for email:

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'relayserver',
            'port' => 25,
            'username' => null,
            'password' => null,
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
        ],
    ],

Can someone help me please, because I'm running out of ideas how to fix that!

cheers

No one can help? I still can't find any solution for that, and Passbolt is not working without email.

Can you tell a bit more about what protocol / port / options you are trying to configure it for? Like, does your SMTP relay have TLS or not?

  • If not: did you try setting 'tls' => null as indicated in the file?
  • If yes: did you make sure the self signed root CA / whichever certificate chain is included on the passbolt server?

The SMTP relay is using TLS (port 25) and working well with several other internal servers for notifications.

I already tried it with 'tls' => null; the Passbolt server then returns that TLS is activated on the SMTP relay.

What I did is to import the self-signed root CA into the Ubuntu 20.04 system. When I am reaching https://passboltserver the certificate and also the chain is visible and working.
Do I have to put the root CA into another place especially for Passbolt?

Sending email to: example@mail.com

Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 503]

2021-04-23 14:47:08 Warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 503]

Trace
[220] ml-if-smtprelay.muc.intrafind.de Microsoft ESMTP MAIL Service, Version: 8.5.9600.16384 ready at Fri, 23 Apr 2021 16:47:08 +0200

EHLO localhost
[250] internalsmtprelaysrv Hello [192.168.10.15]
[250] TURN
[250] SIZE 33554432
[250] ETRN
[250] PIPELINING
[250] DSN
[250] ENHANCEDSTATUSCODES
[250] 8bitmime
[250] BINARYMIME
[250] CHUNKING
[250] VRFY
[250] TLS
[250] STARTTLS
[250] OK
STARTTLS
[220] 2.0.0 SMTP server ready

A test email could not be sent.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

Hello,

Indeed there seems to be an issue with certificate validation in the context of PHP CLI with OpenSSL. I’m not sure how the custom certificate chain can be provided, I suspect either through PHP cli configuration and/or OpenSSL.

The team will look into it next week if we have time.

Hello, I have the same problem; has there been any progress?

Hello!! In my case, this solution is fine.

Regards

Hello @intraUser and @abenest,

So I have reproduced the issue, and this is the configuration I would advise you to consider to make Passbolt work with a self-signed certificate:

    // Email configuration.
    'EmailTransport' => [
        'default' => [
            'host' => 'relayserver',
            'port' => 25,
            'username' => null,
            'password' => null,
            // Is this a secure connection? true if yes, null if no.
            'tls' => true,
            'context' => [
                'ssl' => [
                    'allow_self_signed' => true,
                ],
            ],
        ],
    ],

Set ssl_allow_self_signed to true to enable self-signed certificates to be accepted.

Setting ssl_verify_peer to false will disable SSL verification. This is not recommended for security matters.

Be sure that your certificate is in /etc/ssl/certs, that the key is in /etc/ssl/private, and that your SMTP config matches these paths:

smtpd_tls_cert_file = /etc/ssl/certs/yourcertificate.pem
smtpd_tls_key_file = /etc/ssl/private/yourkey.key

If you're using Postfix, the configuration should be in /etc/postfix/main.cf. If you make any modification in this file, do not forget to reload Postfix by doing:

systemctl reload postfix

I hope this configuration will work for you, do not hesitate to give any feedback if it helped or if you still encounter issues.

Cheers,
Gérold.

Hi!

Just figured out how to give CakePHP / Passbolt an exact path to the self-signed CA it should use to verify encrypted SMTP connections. On the web I could only find suggestions that involved disabling TLS verification for self-signed certs, which is undesirable.

Inside your Passbolt app config file where SMTP settings are located (hostname, creds, ports), you have to use this option to specify the file path to the CA file (I used a PEM certificate format):

'EmailTransport' => [
  'default' => [
    ...
    'ssl_cafile' => '/usr/local/share/ca-certificates/CustomCA.crt',
    ...
  ],
],

Found that while reading the relevant source code of CakePHP, namely this file.

I used that successfully with SMTP over port 465 (smtps).
Maybe that will help someone!

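To check, outside Passbolt, whether a given CA file actually lets PHP verify the relay's STARTTLS certificate (the verified approach from the post above, as opposed to the allow_self_signed workaround from Gérold's post), here is a small diagnostic script. It is an added example, not code from this thread, Passbolt or CakePHP; it replays the EHLO/STARTTLS exchange from the trace earlier in the thread, and the host, port and CA path are assumed values taken from the posts.

```php
<?php
// Added diagnostic (not Passbolt/CakePHP code): connect to the relay, do the
// EHLO/STARTTLS exchange and run the same stream_socket_enable_crypto() call
// that failed in the thread, but with an explicit CA file for verification.
declare(strict_types=1);

function readReply($sock): string {
    $reply = '';
    // Multi-line replies use "250-" continuations; the last line is "250 ".
    while (($line = fgets($sock, 1024)) !== false) {
        $reply .= $line;
        if (!isset($line[3]) || $line[3] !== '-') break;
    }
    return $reply;
}

function expect($sock, string $code, string $step): string {
    $reply = readReply($sock);
    if (strncmp($reply, $code, 3) !== 0) {
        throw new RuntimeException("$step: unexpected reply: " . trim($reply));
    }
    return $reply;
}

function checkStartTls(string $host, int $port, string $caFile): array {
    $context = stream_context_create(['ssl' => [
        'verify_peer'       => true,    // keep certificate verification on
        'verify_peer_name'  => true,    // CN/SAN must match $host
        'allow_self_signed' => false,   // the weaker workaround; left off here
        'cafile'            => $caFile, // private root CA, PEM format (assumed path)
        'capture_peer_cert' => true,    // so we can report what the relay presented
    ]]);
    $sock = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $context);
    if ($sock === false) throw new RuntimeException("connect: $errstr ($errno)");
    expect($sock, '220', 'banner');
    fwrite($sock, "EHLO localhost\r\n");
    if (stripos(expect($sock, '250', 'EHLO'), 'STARTTLS') === false) {
        throw new RuntimeException('relay does not advertise STARTTLS');
    }
    fwrite($sock, "STARTTLS\r\n");
    expect($sock, '220', 'STARTTLS');
    // This is the call that produced "certificate verify failed" in the thread.
    if (stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        throw new RuntimeException('TLS handshake failed: ' . (error_get_last()['message'] ?? 'unknown'));
    }
    $cert = openssl_x509_parse(stream_context_get_params($sock)['options']['ssl']['peer_certificate']);
    fwrite($sock, "QUIT\r\n");
    fclose($sock);
    return ['subject' => $cert['subject'], 'issuer' => $cert['issuer'],
            'validTo' => date(DATE_RFC3339, $cert['validTo_time_t'])];
}

print_r(checkStartTls('relayserver', 25, '/usr/local/share/ca-certificates/CustomCA.crt'));
```

If this script verifies but Passbolt still fails, the CA path is not reaching CakePHP's socket options; if it fails with the same OpenSSL error, the CA file does not contain the certificate that issued the relay's certificate, and no Passbolt setting will fix that.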