SMTP Send Error

Checklist
[X] I have read intro post:
[X] I have read the tutorials, help and searched for similar issues
[X] I provide relevant information about my server (component names and versions, etc.)
[X] I provide a copy of my logs and healthcheck
[X] I describe the steps I have taken to troubleshoot the problem
[X] I describe the steps on how to reproduce the issue

Server: Ubuntu 18.04 LTS
Mail config:
// Email configuration.
'EmailTransport' => [
    'default' => [
        'className' => 'Smtp',
        'host' => 'smtp.strato.de',
        'port' => 465,
        'username' => 'xxxxxxxxx',
        'password' => 'xxxxxxxxx',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],

Trace of send_test_mail:
Trace

A test email could not be sent.
Error: SMTP timeout.

Healthcheck:
root@password:/var/www/passbolt# sudo su -s /bin/bash -c "./bin/cake passbolt healthcheck" www-data

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
---------------------------------------------------------------
 Healthcheck shell       
---------------------------------------------------------------

 Environment

 [PASS] PHP version 7.2.24-0ubuntu0.18.04.2.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable.
 [PASS] The public image directory and its content are writable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to xxxxx
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
  [HELP] fopen(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
fopen(): Failed to enable crypto
fopen(xxxxx): failed to open stream: operation failed

 Database

 [PASS] The application is able to connect to the database
 [PASS] 23 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /home/www-data/.gnupg.
 [PASS] The directory /home/www-data/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server gpg key is not the default one
 [PASS] The public key file is defined in config/passbolt.php and readable.
 [PASS] The private key file is defined in config/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
 [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.

 Application configuration

 [PASS] Using latest passbolt version (2.12.0).
 [FAIL] Passbolt is not configured to force SSL use.
  [HELP] Set passbolt.ssl.force to true in config/passbolt.php.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [PASS] Serving the compiled version of the javascript app
 [PASS] All email notifications will be sent.

  3 error(s) found. Hang in there!

Mails will not be sent. I’m using an external mail provider called Strato, which accepts SMTP via TLS on smtp.strato.de:465

Hi @dmho, to have a timeout like this, I might look to see if there is any log on Strato’s end. If not, you could try to confirm that the passbolt server is indeed connecting to Strato. Maybe a tool like tcptrack.

apt install tcptrack
ip addr    # get the interface name, like ens18
tcptrack -i ens18

Then try sending the email again. Ubuntu does not have a firewall on by default, but you could confirm there is no server firewall with ufw status. Check also if there is an external firewall preventing outgoing connections to port 465 on a remote IP address. A timeout suggests there may be an outgoing connection blocked at a firewall somewhere.

The only other thought I had was that the mail server will not accept incoming connections except from established, resolvable domains - you’d have to look into Strato’s settings for that. But it might be something like whitelisting your Passbolt server’s IP address (or public IP address if the Passbolt server is not public-facing).

Hi @garrett, thanks for your help so far.
Sadly Strato does not provide any logs.
tcptrack finds an outgoing connection onto an IPv6 address at port 465. ufw status says that no firewalls are enabled.
I tested around a bit with telnet, and if I connect to smtp.strato.de using port 465 I don’t get any response. If I connect with port 25 instead, I see normal SMTP messages.
I tried changing the port in the Passbolt config and disabling encryption; now I get a different trace:
Trace
[220] smtp.strato.de ESMTP RZmta (P3 -)
> EHLO localhost
[250] smtp.strato.de greets 2a01:4f8:c0c:5852::1
[250] ENHANCEDSTATUSCODES
[250] PIPELINING
[250] 8BITMIME
[250] DELIVERBY
[250] SIZE 104857600
[250] AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
[250] STARTTLS
[250] BURL imap
[250] CHUNKING
[250] HELP
> AUTH LOGIN
[334] VXNlcm5hbWU6
> *****
[334] UGFzc3dvcmQ6

A test email could not be sent.
Error: SMTP server did not accept the password.

And yes, I double checked the password, it is right in the config.
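
The trace in the post above, run through a small audit, as an added example that is not part of the original thread: it parses the posted "[code] text" / "> command" format, decodes the AUTH LOGIN prompts, and flags AUTH issued without a preceding STARTTLS, in which case the base64-encoded credentials cross the network readable. The function name and result keys are made up for this example, and the trace is abridged from the post.

```python
import base64
import re

# Abridged from the trace posted above; the masked "> *****" line is as posted.
TRACE = """\
[220] smtp.strato.de ESMTP RZmta (P3 -)
> EHLO localhost
[250] smtp.strato.de greets 2a01:4f8:c0c:5852::1
[250] AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
[250] STARTTLS
> AUTH LOGIN
[334] VXNlcm5hbWU6
> *****
[334] UGFzc3dvcmQ6
"""

def audit_smtp_trace(trace):
    """Flag AUTH sent before STARTTLS; assumes a plaintext start, as in the post."""
    state = 0  # 0: other, 1: awaiting EHLO greeting, 2: reading capabilities
    offered = tls_started = auth_before_tls = False
    mechs, challenges = [], []
    for raw in trace.splitlines():
        line = raw.strip()
        if line.startswith(">"):  # client command
            cmd = line[1:].strip().upper()
            state = 1 if cmd.startswith("EHLO") else 0
            if cmd == "STARTTLS":
                tls_started = True
            elif cmd.startswith("AUTH") and not tls_started:
                auth_before_tls = True
            continue
        m = re.match(r"\[(\d{3})\]\s*(.+)", line)  # "[code] text" server reply
        if not m:
            continue
        code, text = m.groups()
        if code == "250" and state == 1:
            state = 2  # the first 250 line is the greeting, not a capability
        elif code == "250" and state == 2:
            words = text.upper().split()
            offered = offered or words == ["STARTTLS"]
            mechs = words[1:] if words[0] == "AUTH" else mechs
        elif code == "334":  # AUTH LOGIN prompts are base64, not encryption
            challenges.append(base64.b64decode(text).decode("ascii", "replace"))
    return {"starttls_offered": offered, "auth_before_starttls": auth_before_tls,
            "auth_mechanisms": mechs, "server_challenges": challenges}

if __name__ == "__main__":
    print(audit_smtp_trace(TRACE))
```

A result with `starttls_offered` and `auth_before_starttls` both true means the server offered an upgrade that the client skipped before authenticating.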

Strato site says port 465 so you’re good there. You could try increasing the timeout.

This really does seem like your host is blocking outgoing SMTP to prevent spam. Try telnet -4 smtp.strato.de 465 to see if Strato allows IPv4. Maybe it’s a resolution problem.

I tried on two different networks, one is my home network, the other the server network (server is at Hetzner to be specific), and both didn’t let me connect using port 465 on both IPv4 and IPv6. I always get a "Connection closed by foreign host." when using port 465; on port 25 I can communicate normally on both networks with IPv4 and IPv6.

It seems beyond Passbolt, so it’s hard to suggest more except what the Strato site speaks to. Like making sure your username is the full email address on the account. Bad credentials often result in closed connections, versus timeouts.

Yep, the issue isn’t in Passbolt. Tried with another SMTP server and it works fine, even with TLS enabled. I have no idea what Strato does, another reason to abandon this provider.
Thanks for your help anyway!
