Checklist
[x] I have read intro post: About the Installation Issues category
[x] I have read the tutorials, help and searched for similar issues
[x] I provide relevant information about my server (component names and versions, etc.)
[x] I provide a copy of my logs and healthcheck
[x] I describe the steps I have taken to troubleshoot the problem
[x] I describe the steps on how to reproduce the issue
Hello,
I’m trying to migrate a passbolt app running in a docker container with docker-compose to a kubernetes environment.
This is the docker-compose.yml file:
```yaml
version: "2"
services:
  webpass:
    hostname: webpass
    container_name: webpass
    image: passbolt/passbolt:latest-ce
    # Alternatively you can use rootless:
    # image: passbolt/passbolt:latest-ce-non-root
    restart: always
    external_links:
      - mysql
    environment:
      APP_FULL_BASE_URL: https://subdomain.domain.com
      DATASOURCES_DEFAULT_HOST: "database-host"
      DATASOURCES_DEFAULT_USERNAME: "database-user"
      DATASOURCES_DEFAULT_PASSWORD: "database-pass"
      DATASOURCES_DEFAULT_DATABASE: "database-name"
      EMAIL_DEFAULT_FROM_NAME: "From name"
      EMAIL_DEFAULT_FROM: "from@address.com"
      EMAIL_TRANSPORT_DEFAULT_HOST: "our-smpt-host-only-working-through-port-25"
      EMAIL_TRANSPORT_DEFAULT_PORT: 25
      EMAIL_TRANSPORT_DEFAULT_USERNAME: ""
      EMAIL_TRANSPORT_DEFAULT_PASSWORD: ""
    volumes:
      - gpg_volume:/etc/passbolt/gpg
      - jwt_volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "mysql:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 8081:80
      - 8444:443
volumes:
  gpg_volume:
  jwt_volume:
networks:
  default:
    external: true
    name: docker_network
```
The application is working behind an Nginx reverse proxy.
The version of Passbolt on this docker image is 4.4.2:
```
root@webpass:/usr/share/php/passbolt# bin/cake passbolt version
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Passbolt CE 4.4.2
Cakephp 4.4.17
```
To migrate this application to Kubernetes we have developed a custom Helm chart and we can deploy it without problems on Kubernetes. The env vars used on Kubernetes are as follows:
```yaml
env:
  ## passbolt
  APP_FULL_BASE_URL: https://subdomain.domain.com
  DATASOURCES_DEFAULT_HOST: "database-host"
  DATASOURCES_DEFAULT_USERNAME: "database-user"
  DATASOURCES_DEFAULT_PASSWORD: "database-pass"
  DATASOURCES_DEFAULT_DATABASE: "database-name"
  EMAIL_DEFAULT_FROM_NAME: "From name"
  EMAIL_DEFAULT_FROM: "from@address.com"
  EMAIL_TRANSPORT_DEFAULT_HOST: "our-smpt-host-only-working-through-port-25"
  EMAIL_TRANSPORT_DEFAULT_PORT: 25
  EMAIL_TRANSPORT_DEFAULT_USERNAME: ""
  EMAIL_TRANSPORT_DEFAULT_PASSWORD: ""
  PASSBOLT_GPG_SERVER_KEY_FINGERPRINT: "gpg-fingerprint-following-migration-instructions"
  PASSBOLT_KEY_EMAIL: "passbolt@yourdomain.com"
```
As you can see, the SMTP config is simply plain sending through port 25 with an empty user and password, without TLS or SSL encryption. Security is based on an IP whitelist.
I followed your migration instructions (Migrate to a new Docker Container | Passbolt documentation) and it seems that everything is working, because I can access the web interface, but I cannot log in because the system is not sending automatic emails.
BUT
test emails are being sent without problems:
```
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Debug email shell
-------------------------------------------------------------------------------
Email configuration
-------------------------------------------------------------------------------
Host: smtp-server
Port: 25
Username:
Password: *********
TLS: false
Sending email from: WebPass <from@address.com>
Sending email to: francisco.galvez-ext@havasit.com
-------------------------------------------------------------------------------
Trace
[220] smtp-25-host Microsoft ESMTP MAIL Service, Version: 10.0.17763.1697 ready at Thu, 18 Apr 2024 14:54:11 +0200
EHLO localhost
[250] smtp-25-host Hello [193.111.67.2]
[250] TURN
[250] SIZE 36700160
[250] ETRN
[250] PIPELINING
[250] DSN
[250] ENHANCEDSTATUSCODES
[250] 8bitmime
[250] BINARYMIME
[250] CHUNKING
[250] VRFY
[250] OK
MAIL FROM:<from@address.com>
[250] 2.1.0 from@address.com....Sender OK
RCPT TO:<francisco.galvez-ext@havasit.com>
[250] 2.1.5 francisco.galvez-ext@havasit.com
DATA
[354] Start mail input; end with <CRLF>.<CRLF>
From: WebPass <from@address.com>
To: francisco.galvez-ext@havasit.com
Date: Thu, 18 Apr 2024 12:53:48 +0000
Message-ID: <825d74470b3b4bf7ba392e7f550093f5@pod-name-passbolt-b45cf96d7-b7r7z>
Subject: Passbolt test email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Congratulations!
If you receive this email, it means that your passbolt smtp configuration is working fine.
.
[250] 2.6.0 <825d74470b3b4bf7ba392e7f550093f5@ns-pre-es-webpass-deploy-passbolt-b45cf96d7-b7r7z> Queued mail for delivery
QUIT
The message has been successfully sent!
```
When I check my email inbox I can see the email.
BUT
when I try to send the pending emails through the console with `bin/cake email_queue.sender`, there is no output. Investigating the database, I found the table `email_queue` where I can see the error:
```
SMTP authentication method not allowed, check if SMTP server requires TLS.
```
There is no more info, and the log file /var/log/passbolt/error.log is empty.
I have read your documentation and your community forum but I have not found anything useful. All topics are related to TLS or SSL, but there is nothing about sending email without encryption.
The main pages where I have found related info that did not solve my problem are:
- .com – /docs/admin/emails/email-server/
- community --/t/email-configuration-needs-clarification-fails-without-username-password/1490
- community – /t/email-transport-default-tls-seemingly-ignored/2961
- .com – /docs/hosting/troubleshooting/docker/
- .com – /docs/hosting/troubleshooting/email/
To finish, this is the output of the `su -s /bin/bash -c "bin/cake passbolt healthcheck" www-data` command:
```
     ____                  __          ____
    / __ \____  _____ ____/ /_  ____  / / /_
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
 /_/    \__,_/____/____/_.___/\____/_/\__/

 Open source password manager for teams
-------------------------------------------------------------------------------
Healthcheck shell
-------------------------------------------------------------------------------

Environment

[PASS] PHP version 8.2.7.
[PASS] PHP version is 8.1 or above.
[PASS] PCRE compiled with unicode support.
[PASS] The temporary directory and its content are writable and not executable.
[PASS] The logs directory and its content are writable.
[PASS] GD or Imagick extension is installed.
[PASS] Intl extension is installed.
[PASS] Mbstring extension is installed.

Config files

[PASS] The application config file is present
[WARN] The passbolt config file is missing in /etc/passbolt/
[HELP] Copy /etc/passbolt/passbolt.default.php to /etc/passbolt/passbolt.php
[HELP] The passbolt config file is not required if passbolt is configured with environment variables

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Full base url is set to https://pre-webpass.havasmedia.com
[PASS] App.fullBaseUrl validation OK.
[PASS] /healthcheck/status is reachable.

SSL Certificate

[WARN] SSL peer certificate does not validate
[WARN] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate
[HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
[HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate

Database

[PASS] The application is able to connect to the database
[PASS] 31 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded.
[PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
[PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
[PASS] The server OpenPGP key is not the default one
[PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
[PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
[PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt a message.
[PASS] The private key can be used to sign a message.
[PASS] The public and private keys can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.
[PASS] The private key can be used to decrypt and verify a message.
[PASS] The public key can be used to verify a signature.
[PASS] The server public key format is Gopengpg compatible.
[PASS] The server private key format is Gopengpg compatible.

Application configuration

[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.
[HELP] Check the network configuration to allow this script to check for updates.
[FAIL] Passbolt is not configured to force SSL use.
[HELP] Set passbolt.ssl.force to true in /etc/passbolt/passbolt.php.
[PASS] App.fullBaseUrl is set to HTTPS.
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[INFO] The Self Registration plugin is enabled.
[INFO] Registration is closed, only administrators can add users.
[PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
[WARN] Host availability checking is disabled.
[HELP] Make sure this instance is not publicly available on the internet.
[HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
[HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
[PASS] Serving the compiled version of the javascript app.
[WARN] Some email notifications are disabled by the administrator.

JWT Authentication

[PASS] The JWT Authentication plugin is enabled
[PASS] The /etc/passbolt/jwt/ directory is not writable.
[PASS] A valid JWT key pair was found

SMTP Settings

[PASS] The SMTP Settings plugin is enabled.
[PASS] SMTP Settings coherent. You may send a test email to validate them.
[WARN] The SMTP Settings source is: env variables.
[HELP] It is recommended to set the SMTP Settings in the database through the administration section.
[WARN] The SMTP Settings plugin endpoints are enabled.
[HELP] It is recommended to disable the plugin endpoints.
[HELP] Set the PASSBOLT_SECURITY_SMTP_SETTINGS_ENDPOINTS_DISABLED environment variable to true.
[HELP] Or set passbolt.security.smtpSettings.endpointsDisabled to true in /etc/passbolt/passbolt.php.

[FAIL] 2 error(s) found. Hang in there!
```
There are 2 errors but I think they are not related to my problem.
Also, I have investigated the file /etc/passbolt/app.default.php and I have seen that everything is configured with env vars that have null as the default value if they don’t exist.
```php
'EmailTransport' => [
    'default' => [
        /*
         * The keys host, port, timeout, username, password, client and tls
         * are used in SMTP transports
         */
        'host' => env('EMAIL_TRANSPORT_DEFAULT_HOST', 'localhost'),
        'port' => env('EMAIL_TRANSPORT_DEFAULT_PORT', 25),
        'timeout' => env('EMAIL_TRANSPORT_DEFAULT_TIMEOUT', 30),
        /*
         * It is recommended to set these options through your environment or passbolt.php
         */
        'username' => env('EMAIL_TRANSPORT_DEFAULT_USERNAME', null),
        'password' => env('EMAIL_TRANSPORT_DEFAULT_PASSWORD', null),
        'client' => env('EMAIL_TRANSPORT_DEFAULT_CLIENT', null),
        'tls' => env('EMAIL_TRANSPORT_DEFAULT_TLS', null),
        'url' => env('EMAIL_TRANSPORT_DEFAULT_URL', null),
    ],
    'Debug' => [
        'className' => 'Debug',
    ],
],
```
I don’t know how to continue debugging. Please, can you tell me how to allow sending automatic emails to an SMTP server running on port 25 without TLS and SSL?
Thanks in advance,
Francisco Gálvez
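The EHLO reply in the trace above advertises neither AUTH nor STARTTLS, while the queued-mail error is an authentication error. As an added illustration, not code from the post or from passbolt, the following script parses a trace in the post's `[250] ...` format (constructed here, with the capability list mirroring the trace and a made-up client IP) and predicts what an SMTP client would run into with the given env vars. It assumes, as CakePHP's SmtpTransport does to my knowledge but which the post does not confirm, that the client attempts AUTH whenever both username and password are set, even to the empty string.

```python
import re

# Constructed EHLO exchange in the trace format of the post; the capability
# list mirrors the post's trace (no AUTH, no STARTTLS), the client IP is made up.
EHLO_TRACE = """\
EHLO localhost
[250] smtp-25-host Hello [192.0.2.10]
[250] TURN
[250] SIZE 36700160
[250] ETRN
[250] PIPELINING
[250] DSN
[250] ENHANCEDSTATUSCODES
[250] 8bitmime
[250] BINARYMIME
[250] CHUNKING
[250] VRFY
[250] OK
"""

def parse_ehlo(trace: str) -> dict:
    """Map each advertised capability keyword (upper-cased) to its parameters."""
    caps = {}
    seen_greeting = False
    for line in trace.splitlines():
        m = re.match(r"^\[250\]\s+(\S+)(?:\s+(.*))?$", line.strip())
        if not m:
            continue
        if not seen_greeting:          # the first 250 line is the hostname greeting
            seen_greeting = True
            continue
        caps[m.group(1).upper()] = (m.group(2) or "").split()
    return caps

def predict_transport(caps: dict, env: dict) -> dict:
    """Predict the client behaviour for the given capabilities and env vars.
    Assumption: the transport sends AUTH when username and password are both
    set, even as empty strings (null / unset credentials skip AUTH)."""
    user = env.get("EMAIL_TRANSPORT_DEFAULT_USERNAME")
    pw = env.get("EMAIL_TRANSPORT_DEFAULT_PASSWORD")
    tls = str(env.get("EMAIL_TRANSPORT_DEFAULT_TLS", "")).lower() in ("1", "true")
    will_auth = user is not None and pw is not None
    findings = []
    if tls and "STARTTLS" not in caps:
        findings.append("TLS requested but the server does not advertise STARTTLS")
    if will_auth and "AUTH" not in caps:
        findings.append("credentials set (possibly empty strings) but the server offers "
                        "no AUTH: expect 'SMTP authentication method not allowed'")
    if "STARTTLS" not in caps and "AUTH" not in caps:
        findings.append("plaintext, unauthenticated relay: access control rests on the network allow-list")
    return {"will_attempt_auth": will_auth, "findings": findings}
```

Running `predict_transport` once with the empty-string credentials from the compose file and once with those two variables left unset shows which of the two configurations would trigger an AUTH attempt against this server.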