SMTP TLS Cert Issues

Hi all,
I’ve installed a fresh install of passbolt, everything is working well, but since the configuration for SMTP has been moved from config/passbolt.php directly into the database, I can not find the location to add options for a RootCA or to allow_self_signed. I’ve tried configuring these options in passbolt.php, but they are now ignored. Where can I add additional TLS options for SMTP?

Thanks

Have you tried importing the certificate to your server trust store?

As of right now we don’t have a configuration option for the allow self signed for SMTP

Hi Clayton,
Thanks for getting back to me. I’ve added our rootCA to /usr/local/share/ca-certificates and ran update-ca-certificates, which then successfully imported the CA. Does passbolt use the system trust store or does it have another trust store?

Thanks,
Josh

Hello @clayton,

We are having the same issue. We imported our root ca certificate located under /usr/local/share/ca-certificates using the command update-ca-certificates. We see our ca certificate under /etc/ssl/certs/ as well as in the generated file /etc/ssl/certs/ca-certificates.crt

Unfortunately the smtp part of passbolt still doesn’t handle our root ca as trusted. So we have the same question as Josh: What trust store does the smtp part of passbolt use? And more importantly how can we set our root ca certificate to be trusted by the smtp part of passbolt.

Many thanks in advance

I wasn’t able to find a solution for this. In the end I continued to use it without TLS, which obviously isn’t great for a password management system.

Hi @jzerotwo ,

In your /etc/passbolt/passbolt.php, do you have an Email transport section?

'EmailTransport' => [
    'default' => [
        'host' => 'localhost',
        'port' => 587,
        'username' => null,
        'password' => null,
        // Is this a secure connection? true if yes, null if no.
        'tls' => null,
        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
    ],
],

On the other hand, an alternative would be to set up a local postfix SMTP server which forwards emails through TLS to your email server, and configure passbolt to use this local postfix server.

Hi again,

I found this thread with a solution that seems to be the correct one: Passbolt SMTP TLS Problems - #10 by secresearch-rg

Can you try and let us know?

Best,

Hi @AnatomicJC ,

Thanks for your support.
I found the same thread when searching. The option “ssl_cafile” seems promising as it doesn’t skip the verifying part, which wouldn’t be a good solution.
The problem we have is that we don’t see the file /etc/passbolt/passbolt.php
The only file we see in /etc/passbolt/ that comes close to it is “passbolt.default.php”.

The other option we see is setting “openssl.capath=” in the /etc/php/8.2/fpm/php.ini file. But here we aren’t sure why PHP isn’t using the system’s trust store (/etc/ssl/certs/ca-certificates.crt) by default anyway.
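As an added diagnostic (not code from this thread or from passbolt), the script below shows which CA locations PHP’s OpenSSL build actually consults and then performs an SMTP STARTTLS handshake with peer verification switched on, so you can tell whether the CA you imported is trusted by PHP itself before touching passbolt. The host name, port and bundle path are assumptions to adjust for your environment.

```php
<?php
// Added diagnostic (not passbolt code). Adjust these three assumptions:
$host   = 'smtp.example.internal';                 // assumed mail server
$port   = 587;                                     // assumed submission port
$cafile = '/etc/ssl/certs/ca-certificates.crt';   // bundle written by update-ca-certificates

// 1. Where does PHP's OpenSSL look for CAs when no cafile/capath is configured?
//    Compare ini_cafile / default_cert_file with the path your CA was imported to.
print_r(openssl_get_cert_locations());

// 2. Plain TCP connection with a strict TLS context prepared for STARTTLS.
$ctx = stream_context_create(['ssl' => [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'cafile'            => $cafile,
    'peer_name'         => $host,
]]);
$fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    exit("TCP connect failed: $errstr ($errno)\n");
}

// Reads one SMTP reply, including multi-line replies ("250-..." continues, "250 ..." ends).
$read = function () use ($fp): array {
    $lines = [];
    do {
        $line = fgets($fp);
        if ($line === false) { break; }
        $lines[] = rtrim($line);
    } while (isset($line[3]) && $line[3] === '-');
    return $lines;
};

$read();                               // 220 greeting
fwrite($fp, "EHLO diag.local\r\n");
$read();                               // 250 capability list
fwrite($fp, "STARTTLS\r\n");
$reply = $read();
if (strncmp($reply[0] ?? '', '220', 3) !== 0) {
    exit("Server refused STARTTLS: " . implode(' ', $reply) . "\n");
}

// 3. Upgrade the socket. With verify_peer on, a failure here means the server
//    certificate does not chain to a CA in $cafile (or the name does not match).
$ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
echo $ok ? "TLS handshake OK: CA is trusted\n"
         : "TLS handshake FAILED: " . (error_get_last()['message'] ?? 'unknown error') . "\n";
fwrite($fp, "QUIT\r\n");
fclose($fp);
```

Run it with the same PHP binary and php.ini that serve passbolt (the php-fpm one, not the CLI one, if they differ), since openssl.cafile/openssl.capath can be set per SAPI.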

Thanks @AnatomicJC for sharing this.

Sadly with recent changes related to email digest and SMTP settings, this solution won’t work.

We have internally (internal ticket reference: PB-26156) escalated this problem (since many users are facing it) and will try to provide a solution to use an SMTP server with a self-signed certificate in an upcoming release (most probably v4.7.0).


Hi AnatomicJC,
I did try all those options and what I found was that passbolt was not respecting any changes to the configuration I made in the file under email transport. I found that the config was stored encrypted in the database, but there was no way to modify what was in there. It seems, as Ishan mentioned, that it’s currently not possible.
Thanks,
Josh

Thanks all for your feedback
