SMTP & SSL Errors in Email Queue

Checklist
[–] I have read intro post: About the Installation Issues category
[–] I have read the tutorials, help and searched for similar issues
[–] I provide relevant information about my server (component names and versions, etc.)
[–] I provide a copy of my logs and healthcheck
[–] I describe the steps I have taken to troubleshoot the problem
[–] I describe the steps on how to reproduce the issue

– Server operating system name and version ==> Debian 11.5
– Web server name and version ==> Nginx
– Database server name and version ==> MySQL
– Php version ==> v7.433
– Passbolt version ==> 3.9

Hi,
I’m trying to set up a new passbolt server.
Everything goes well until the email login.
I tried a lot of different solutions found here but none worked.

First, I’m using an SMTP server located on the same private IP as my passbolt server.
The server is running behind a pfSense, the web server is served by HAproxy.

My previous passbolt was working without mods, this setup needed tuning.
I had to add:

          'ssl' => [
            'verify_peer' => false,       // skip verification of the SMTP server certificate chain
            'verify_peer_name' => false,  // skip the hostname check against the certificate
            'allow_self_signed' => true   // accept a self-signed server certificate
          ]
        ] // end of the enclosing array

To send emails.

So using the command

sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=admi@DOMAIN.tld"

I receive emails, but if I add a user or reconnect, I don’t receive it.

I tried this command:

/usr/share/php/passbolt/bin/cake EmailQueue.sender

I get these errors:

PHP Warning:  Use of undefined constant context - assumed 'context' (this will throw an Error in a future version of PHP) in /etc/passbolt/app.php on line 246
Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-01-29 21:47:00 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.
Email 3 was not sent

I checked on my SMTP server, when sending a test mail, I see it passing.
When it’s supposed to be sent for registration or login, I see nothing and I get this error:

connect from passbolt-pass2.pf2.vl12[10.10.12.4]
mail postfix/submission/smtpd[25351]: SSL_accept error from passbolt-pass2.pf2.vl12[10.10.12.4]: -1
mail postfix/submission/smtpd[25351]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
mail postfix/submission/smtpd[25351]: lost connection after STARTTLS from passbolt-pass2.pf2.vl12[10.10.12.4]
mail postfix/submission/smtpd[25351]: disconnect from passbolt-pass2.pf2.vl12[10.10.12.4] ehlo=1 starttls=0/1 commands=1/2

####################################

Here is my health check (domain is anonymized):

~# su - www-data -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
PHP Warning:  Use of undefined constant context - assumed 'context' (this will throw an Error in a future version of PHP) in /etc/passbolt/app.php on line 246

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 7.4.33.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://passbolt.DOMAIN.tld
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.9.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [FAIL] 2 error(s) found. Hang in there!

Already tried to:

~# sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"
PHP Warning:  Use of undefined constant context - assumed 'context' (this will throw an Error in a future version of PHP) in /etc/passbolt/app.php on line 246
Clearing default
Cleared default cache
Clearing _cake_core_
Cleared _cake_core_ cache
Clearing _cake_model_
Cleared _cake_model_ cache

And checked that my cron is running and the correct user is setup in cron command.

Been trying for the last 3 days without success, this forum is my last hope :sweat_smile:

Hi @Alk Welcome to the forum!

Although you have Debian and this other post is about CentOS, you might want to check cron user. Emails using SMTP not working in a new installation-CentOS 7 -version 3.9 [incorrect user in cron]

Hi @garrett ,
As mentioned, I’ve already checked that my cron is running and the correct user is present in cron command.
In the posted link, the user isn’t having an issue when executing the EmailQueue command, while I am, and it’s my main problem I think.

@Alk You’re right, my apologies.

One thing I don’t understand is, if your mail server is on the same IP and not remote, why are you using SMTP? It would seem to me you could just send out mail directly? Or, maybe just send to port 25 like typical incoming mail?

Do you mean the mail server is at the same ip address or same ip subnet?

My bad, on the same private IP subnet.

Ok, gotcha. It seems your mail server doesn’t like the TLSv1 cert used on the passbolt install because it has an unknown Certificate Authority, which it can’t find in its own records of CAs. This is preventing authentication at the mail server.

Did you create a cert?

This install, I’ve set up a Cloudflare Origin cert.
I’ve tried another install from scratch today with Let’s Encrypt, same problem.

This was from the other day regarding the curl error 60 Emails (using SMTP) not working, issue with wildcard certificate and server key error - Oracle Linux 8.5 - New install v3.9.0 - #4 by garrett

Just added curl.cainfo="/etc/ssl/cacert.pem" in

/etc/php/8.1/cli/php.ini 
/etc/php/8.1/fpm/php.ini

Reboot, same problem…

When you did the Let’s Encrypt, did it change the error in the healthcheck?

Here is my last health check from my last attempt using Let’s Encrypt:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Healthcheck shell         
-------------------------------------------------------------------------------

 Environment

 [PASS] PHP version 8.1.2-1ubuntu2.10.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://pass.DOMAIL.tld
 [PASS] App.fullBaseUrl validation OK.
 [PASS] /healthcheck/status is reachable.

 SSL Certificate

 [PASS] SSL peer certificate validates
 [PASS] Hostname is matching in SSL certificate.
 [PASS] Not using a self-signed certificate

 Database

 [PASS] The application is able to connect to the database
 [PASS] 26 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.9.0).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [PASS] Registration is closed, only administrators can add users.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [PASS] All email notifications will be sent.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [PASS] The SMTP Settings plugin is enabled.
 [PASS] SMTP Settings coherent. You may send a test email to validate them.
 [PASS] The SMTP Settings source is: database.
 [WARN] The SMTP Settings plugin endpoints are enabled.
 [HELP] It is recommended to disable the plugin endpoints.
 [HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
 [HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

 [PASS] No error found. Nice one sparky!

As you can see, it’s a new VM running on Ubuntu.
Trying everything to find the solution :sweat_smile:

1 Like

Can you check again and provide a fresh error from both the passbolt VM /var/log/mail.log and the mail server log as well.

The health check was generated 10 min ago.
I have no /var/log/mail folder on my newest server.
On my mail server, same errors:

connect from rdns-hostname[i.p.v.4]
Jan 30 21:32:22 mail postfix/submission/smtpd[9443]: SSL_accept error from rdns-hostname[i.p.v.4]: -1
Jan 30 21:32:22 mail postfix/submission/smtpd[9443]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
Jan 30 21:32:22 mail postfix/submission/smtpd[9443]: lost connection after STARTTLS from rdns-hostname[i.p.v.4]

This could maybe help check the certificate you are using that the mail server doesn’t like.

Just tried to edit my last setup and send mail with Sendinblue, it worked flawlessly.
Maybe it’s a problem with my mail server and not passbolt.

1 Like

Solved!

My postfix config on my email server didn’t have the correct file for the CA (smtpd_tls_CAfile).
Everything is running fine. Thanks @garrett for your help.

1 Like
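As an added example (not code from this thread, from passbolt or from Postfix), a small Python classifier that reads the Postfix and CakePHP lines quoted above and works out which side refused which certificate, plus a live STARTTLS check that keeps verification on so the verify error is reported instead of being silenced with verify_peer => false. The host, port and CA-bundle path passed to the live check are assumptions; the sample log lines are constructed from the ones in the thread.

```python
import re, smtplib, ssl

# TLS alert numbers (RFC 5246 sect. 7.2) that signal a certificate problem.
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}
PEER_RE = re.compile(r"SSL_accept error from (\S+):")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
CLIENT_VERIFY_RE = re.compile(r"certificate verify failed")

def classify(lines):
    """Work out which side rejected which certificate. An 'alert unknown ca'
    logged by smtpd (the TLS server) is an alert it RECEIVED from the client,
    so the client refused the chain Postfix presented."""
    r = {"peer": None, "alert": None, "alert_name": None,
         "client_rejected_server_cert": False, "advice": None}
    for line in lines:
        if m := PEER_RE.search(line):
            r["peer"] = m.group(1)
        if m := ALERT_RE.search(line):
            r["alert"] = int(m.group(1))
            r["alert_name"] = CERT_ALERTS.get(r["alert"], "other")
        if CLIENT_VERIFY_RE.search(line):  # the OpenSSL client-side symptom
            r["client_rejected_server_cert"] = True
    if r["alert"] in CERT_ALERTS:
        r["client_rejected_server_cert"] = True
    if r["client_rejected_server_cert"]:
        r["advice"] = ("client could not build a trust chain for the SMTP server "
                       "certificate: fix the chain Postfix serves (smtpd_tls_CAfile) "
                       "or the CA bundle the client verifies against")
    return r

def starttls_check(host, port, cafile=None):
    """Live check with verification ON (instead of verify_peer => false):
    returns the verify error text rather than silently trusting anything."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile is an assumed path
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        try:
            smtp.starttls(context=ctx)
            return "ok: " + smtp.sock.version()  # negotiated TLS version
        except ssl.SSLCertVerificationError as e:
            return "verify failed: " + e.verify_message

# Constructed sample, adapted from the Postfix and cake lines in the thread.
SAMPLE = [
    "mail postfix/submission/smtpd[25351]: SSL_accept error from passbolt-pass2.pf2.vl12[10.10.12.4]: -1",
    "mail postfix/submission/smtpd[25351]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:",
    "error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed",
]
```

Run `classify(SAMPLE)` offline to see the diagnosis; `starttls_check("mail.example.invalid", 587, "/etc/ssl/certs/ca-certificates.crt")` needs network access to a real submission port.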