Queued emails not sent (invites/recovery) while test email in UI works – Kubernetes + Google Workspace relay

Hi all,
I’m having trouble with email delivery in a Passbolt setup running on Kubernetes.
The “Send test email” from the UI works, but:

  • queued emails (user invite, recovery, etc.) never get sent, and

  • CLI bin/cake passbolt send_test_email fails,
    even though the healthcheck says SMTP is OK and the email queue shows pending entries.

I’ve read this earlier topic and tried the suggested fix, but it did not solve it in my case:
https://community.passbolt.com/t/test-email-sends-but-newly-created-users-do-not-receive-invite-email/10033/3
Specifically, I set EMAIL_DEFAULT_TRANSPORT to Google Workspace, but invite/recovery emails are still stuck in the queue. I am also still wondering whether, when using Google Workspace, you still need an app username and password, or if only whitelisting the instance IP in Google Workspace is sufficient.

Checklist
I have read intro post: https://community.passbolt.com/t/about-the-installation-issues-category/12
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to troubleshoot the problem
I describe the steps on how to reproduce the issue

System information

– Server operating system name and version → OpenSUSE Leap 15.6, passbolt installed using helm chart
– Web server name and version → ingress-nginx
– Database server name and version → PostgreSQL 17.6 (Managed DBaaS)
– PHP version → 8.4.11
– Passbolt version → 5.6.0

Email / SMTP setup

I’m using Google Workspace with the Google SMTP relay:

  • Host: smtp-relay.gmail.com
  • Port: 587
  • TLS: true
  • Auth: no username/password, IP-whitelisted relay (Google Workspace SMTP relay service)
  • From: Passbolt <sallah@X>

Healthcheck Logs

 Environment

 [INFO] Linux passbolt-depl-srv-5fc78cb4df-qvx9v 6.4.0-150600.23.73-default #1 SMP PREEMPT_DYNAMIC Tue Oct  7 08:43:02 UTC 2025 (46f6a23) x86_64 GNU/Linux
 [PASS] PHP version 8.4.11.
 [PASS] PHP version is 8.2 or above.
 [PASS] 64-bit architecture system detected.
 [INFO] gpg (GnuPG) 2.4.7 / libgcrypt 1.11.0
 [PASS] PCRE compiled with unicode support.
 [PASS] Mbstring extension is installed.
 [PASS] Intl extension is installed.
 [PASS] GD or Imagick extension is installed.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory /var/log/passbolt/ and its content are writable.
 [WARN] System clock and NTP service information cannot be found.
 [HELP] See `timedatectl | grep -i -A 1 clock`. More information: https://www.passbolt.com/docs/hosting/configure/ntp/

 Config files

 [PASS] The application config file is present
 [WARN] The passbolt config file is missing in /etc/passbolt/
 [HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
 [HELP] The passbolt config file is not required if passbolt is configured with environment variables

 Core config

 [PASS] Cache is working.
 [PASS] Debug mode is off.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.X
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates.
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate.

 SMTP settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.
 [PASS] No custom SSL configuration for SMTP server.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled.
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [FAIL] A valid JWT key pair is missing.
 [HELP] Run the create JWT keys script to create a valid JWT secret and public key pair:
 [HELP] sudo su -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt create_jwt_keys" www-data

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one.
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [FAIL] The private key cannot be used to decrypt and verify a message
 [FAIL] The public key cannot be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [FAIL] This installation is not up to date. Currently using 5.6.0 and it should be 5.7.1.
 [HELP] See https://www.passbolt.com/help/tech/update
 [FAIL] Passbolt is not configured to force SSL use.
 [HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] The self registration provider is: Email domain safe list.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.
 [PASS] The database schema is up to date.

 Database

 [PASS] The application is able to connect to the database
 [PASS] 34 tables found.
 [PASS] Some default content is present.

 Metadata

 [PASS] The server is able to decrypt the metadata private key.
 [PASS] Active metadata key found or not required.
 [PASS] The server has access to the metadata keys or does not require access to it.
 [PASS] The server metadata private key is valid.

 [FAIL] 5 error(s) found. Hang in there!

Send test email through the UI logs

[
    {
        "cmd": null,
        "response": [
            {
                "code": "220",
                "message": "smtp-relay.gmail.com ESMTP 5b1f17b1804b1-47787ea3bb2sm15649715e9.10 - gsmtp"
            }
        ]
    },
    {
        "cmd": "EHLO passbolt.tst.kubiqo.eu",
        "response": [
            {
                "code": "250",
                "message": "smtp-relay.gmail.com at your service, [X]"
            },
            {
                "code": "250",
                "message": "SIZE 157286400"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "STARTTLS"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            }
        ]
    },
    {
        "cmd": "STARTTLS",
        "response": [
            {
                "code": "220",
                "message": "2.0.0 Ready to start TLS"
            }
        ]
    },
    {
        "cmd": "EHLO passbolt.tst.kubiqo.eu",
        "response": [
            {
                "code": "250",
                "message": "smtp-relay.gmail.com at your service, [X]"
            },
            {
                "code": "250",
                "message": "SIZE 157286400"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            }
        ]
    },
    {
        "cmd": "AUTH PLAIN *****",
        "response": [
            {
                "code": "235",
                "message": "2.7.0 Accepted"
            }
        ]
    },
    {
        "cmd": "MAIL FROM:<*****>",
        "response": [
            {
                "code": "250",
                "message": "2.1.0 OK 5b1f17b1804b1-47787ea3bb2sm15649715e9.10 - gsmtp"
            }
        ]
    },
    {
        "cmd": "RCPT TO:<sallah@X>",
        "response": [
            {
                "code": "250",
                "message": "2.1.5 OK 5b1f17b1804b1-47787ea3bb2sm15649715e9.10 - gsmtp"
            }
        ]
    },
    {
        "cmd": "DATA",
        "response": [
            {
                "code": "354",
                "message": "Go ahead 5b1f17b1804b1-47787ea3bb2sm15649715e9.10 - gsmtp"
            }
        ]
    },
    {
        "cmd": "From: Passbolt <*****>\r\nTo: sallah@X\r\nDate: Fri, 14 Nov 2025 15:40:28 +0000\r\nMessage-ID: <3e9e2cfcc6ac43358bc544a28fbdfbac@passbolt.tst.kubiqo.eu>\r\nSubject: Passbolt test email\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\nContent-Transfer-Encoding: 8bit\r\n\r\nCongratulations!\r\nIf you receive this email, it means that your passbolt smtp configuration is working fine.\r\n\r\n\r\n\r\n\r\n.",
        "response": [
            {
                "code": "250",
                "message": "2.0.0 OK  1763134831 5b1f17b1804b1-47787ea3bb2sm15649715e9.10 - gsmtp"
            }
        ]
    },
    {
        "cmd": "QUIT",
        "response": []
    }
]

Cron / email queue setup

I enabled the email processing CronJob in Helm; this is the output:

kubectl -n passbolt logs job/passbolt-cron-proc-email-XXXX
Sending emails

However, bin/cake passbolt show_queued_emails shows queued entries that never get their Sent field set:

List of queued emails:
+--------------------+-----------------------------------------------+-------+---------------------+------+
| Email              | Subject                                       | Error | Created             | Sent |
+--------------------+-----------------------------------------------+-------+---------------------+------+
| sallah@X           | Your account recovery, Sallah!                |       | 2025-11-13 21:42:59 |      |
| sallah@X           | Vincent  just created an account on passbolt! |       | 2025-11-13 14:52:01 |      |
| sallah@X           | You edited the self registration settings.    |       | 2025-11-13 14:50:37 |      |
| sallah@X           | Your account recovery, Sallah!                |       | 2025-11-13 14:36:28 |      |
| sallah@X           | Welcome to passbolt, Sallah!                  |       | 2025-11-13 14:19:26 |      |
+--------------------+-----------------------------------------------+-------+---------------------+------+

Things I’ve already tried

  • Switched from using only env SMTP config to using the SMTP Settings plugin backed by DB.
  • Imported server GPG key into /var/lib/passbolt/.gnupg and set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT.
  • Confirmed healthcheck now reports:
    • SMTP Settings coherent; source: database.
    • Cache and DB connectivity working.
  • Enabled cronJobEmail in Helm and verified the cron jobs run every minute.
  • Checked passboltEnv env variables in the deployment pod:
EMAIL_DEFAULT_TRANSPORT=Google Workspace
EMAIL_TRANSPORT_DEFAULT_HOST=smtp-relay.gmail.com
EMAIL_TRANSPORT_DEFAULT_PORT=587
EMAIL_TRANSPORT_DEFAULT_TLS=true
EMAIL_DEFAULT_FROM=sallah@X
EMAIL_TRANSPORT_DEFAULT_USERNAME=
EMAIL_TRANSPORT_DEFAULT_PASSWORD=