Checklist
I have read intro post:
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
We are running Red Hat Enterprise Linux release 8.7 (Ootpa) with Passbolt CE 3.8.0.
The setup and installation went fine, although the health check complains about a few things which may or may not be false positives. More about that a bit below. We started using Passbolt in the small 5-man team we have and everything went fine. At some point, however, we wanted to invite a new member, and some existing members wanted to set up Passbolt on a different device, and we started to have issues.
Issue #1: Recovery emails are not being sent to users always.
Issue #2: Registration email for new users is not being sent always.
I say "not always" because when the user does the registration multiple times, perhaps also trying different browsers, at some point the registration/recovery email (same behavior in terms of the issue) comes through. Both very likely have some unknown root cause. At the same time, other notification emails for shared passwords/changes, or even for some user successfully completing registration, come through seemingly without fault.
Healthcheck:
>
> su - nginx -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
>
> ____ __ ____
> / __ \____ _____ ____/ /_ ____ / / /_
> / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
> / ____/ /_/ (__ |__ ) /_/ / /_/ / / /
> /_/ \__,_/____/____/_.___/\____/_/\__/
>
> Open source password manager for teams
> -------------------------------------------------------------------------------
> Healthcheck shell
> -------------------------------------------------------------------------------
>
> Environment
>
> [PASS] PHP version 8.2.3.
> [PASS] PCRE compiled with unicode support.
> [PASS] The temporary directory and its content are writable and not executable.
> [PASS] The logs directory and its content are writable.
> [PASS] GD or Imagick extension is installed.
> [PASS] Intl extension is installed.
> [PASS] Mbstring extension is installed.
>
> Config files
>
> [PASS] The application config file is present
> [PASS] The passbolt config file is present
>
> Core config
>
> [PASS] Debug mode is off.
> [PASS] Cache is working.
> [PASS] Unique value set for security.salt
> [PASS] Full base url is set to https :// fqdn
> [PASS] App.fullBaseUrl validation OK.
> [PASS] /healthcheck/status is reachable.
>
> SSL Certificate
>
> **[FAIL] SSL peer certificate does not validate**
> **[FAIL] Hostname does not match when validating certificates.**
> **[WARN] Using a self-signed certificate**
> [HELP] Check help.passbolt.com/faq/hosting/troubleshoot-ssl
> [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
>
> Database
>
> [PASS] The application is able to connect to the database
> [PASS] 26 tables found
> [PASS] Some default content is present
> [PASS] The database schema up to date.
>
> GPG Configuration
>
> [PASS] PHP GPG Module is installed and loaded.
> [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
> [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
> [PASS] The server OpenPGP key is not the default one
> [PASS] The public key file is defined in config/passbolt.php and readable.
> [PASS] The private key file is defined in config/passbolt.php and readable.
> [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
> [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
> [PASS] There is a valid email id defined for the server key.
> [PASS] The public key can be used to encrypt a message.
> [PASS] The private key can be used to sign a message.
> [PASS] The public and private keys can be used to encrypt and sign a message.
> [PASS] The private key can be used to decrypt a message.
> [PASS] The private key can be used to decrypt and verify a message.
> [PASS] The public key can be used to verify a signature.
> [PASS] The server public key format is Gopengpg compatible.
> [PASS] The server private key format is Gopengpg compatible.
>
> Application configuration
>
> **[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.**
> [HELP] Check the network configuration to allow this script to check for updates.
> [PASS] Passbolt is configured to force SSL use.
> [PASS] App.fullBaseUrl is set to HTTPS.
> [PASS] Selenium API endpoints are disabled.
> [PASS] Search engine robots are told not to index content.
> [PASS] Registration is closed, only administrators can add users.
> [PASS] Serving the compiled version of the javascript app
> [PASS] All email notifications will be sent.
>
> JWT Authentication
>
> [PASS] The JWT Authentication plugin is enabled
> [PASS] The /etc/passbolt/jwt/ directory is not writable.
> [PASS] A valid JWT key pair was found
>
> SMTP Settings
>
> [PASS] The SMTP Settings plugin is enabled.
> [PASS] SMTP Settings coherent. You may send a test email to validate them.
> [PASS] The SMTP Settings source is: database.
>
> **[FAIL] 4 error(s) found. Hang in there!**
>
Comments for failures:
SSL Certificate - We can sign our own certificates for internal use and we did that here. There are no errors when browsing https ://fqdn for the Passbolt server and the certificate registers as valid and trusted. This could be a false positive?
Repository access - our network access policies block direct internet access, so this failure is to be expected.
When looking at various logs there isn't much to go by, but clearly some emails are just not being sent by the server:
tail -f /var/log/passbolt/cron.log
Email 949 was not sent
Email 950 was sent
Email 951 was not sent
Email 952 was sent
Email 953 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent
Email 951 was sent
Email 953 was not sent
Email 954 was sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent
Email 953 was sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent
I can send the test email without fail, either from the GUI or from the CLI (domain suffixes and names):
> sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=myemailaddress"
>
> ____ __ ____
> / __ \____ _____ ____/ /_ ____ / / /_
> / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
> / ____/ /_/ (__ |__ ) /_/ / /_/ / / /
> /_/ \__,_/____/____/_.___/\____/_/\__/
>
> Open source password manager for teams
> -------------------------------------------------------------------------------
> Debug email shell
> -------------------------------------------------------------------------------
> Email configuration
> -------------------------------------------------------------------------------
> Host: smtp_fqdn
> Port: 25
> Username:
> Password: *********
> TLS: false
> Sending email from: Passbolt <passbolt@ourdomain.com>
> Sending email to: myemailaddress
> -------------------------------------------------------------------------------
> Trace
> [220] oursmtpserver Microsoft ESMTP MAIL Service ready at Thu, 25 May 2023 18:58:05 +0800
> EHLO localhost
> [250] oursmtpserver Hello [172.29.236.11]
> [250] SIZE 20971520
> [250] PIPELINING
> [250] DSN
> [250] ENHANCEDSTATUSCODES
> [250] STARTTLS
> [250] 8BITMIME
> [250] BINARYMIME
> [250] CHUNKING
> [250] SMTPUTF8
> MAIL FROM:<passbolt@ourdomain.com>
> [250] 2.1.0 Sender OK
> RCPT TO:<myemailaddress>
> [250] 2.1.5 Recipient OK
> DATA
> [354] Start mail input; end with <CRLF>.<CRLF>
> From: Passbolt <passbolt@ourdomain.com>
> To: myemailaddress
> Date: Thu, 25 May 2023 10:58:06 +0000
> Message-ID: <4498024bb6ae434e8c511dad4b970c70@eusamsitap02>
> Subject: Passbolt test email
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
>
> Congratulations!
> If you receive this email, it means that your passbolt smtp configuration is working fine.
>
>
> .
> [250] 2.6.0 <4498024bb6ae434e8c511dad4b970c70@passboltserver> [InternalId=40372692606816, Hostname=oursmtpserver] 1741 bytes in 0.076, 22.349 KB/sec Queued mail for delivery
> QUIT
> The message has been successfully sent!
I've also been looking at the MariaDB email_queue table and it contains hundreds (close to a thousand, I believe, based on the email numbers in the above logs) of emails that I think include both sent and failed emails. Per that view (unfortunately I can't post pictures) it tries 4 times before giving up.
In the DB view I can see two different errors in the "error" column, which I don't think are fatal, as emails with both types of errors also sometimes come through:
More common (roughly 2/3 of them): SMTP authentication method not allowed, check if SMTP server requires TLS.
Less common (roughly 1/3 of them): NULL
Other things I've managed to check: our internal SMTP relay does not have any filtering enabled and allows 100 emails per minute per source, which we should not be anywhere near.
Send help
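One way to turn the email_queue observations above (two error texts, some rows with each error still delivered, four tries before giving up) into something you can reason about is to aggregate the table instead of eyeballing it. The script below is an added example, not part of the post and not Passbolt's own tooling: it loads a constructed sample of queue rows into an in-memory SQLite table and runs the two queries a practitioner would want first, a per-error breakdown split into delivered/undelivered, and a list of recipients whose registration/recovery mails exhausted the retry limit. The column names (`id`, `email`, `subject`, `sent`, `send_tries`, `error`) are an assumption based on the CakePHP EmailQueue plugin schema Passbolt uses; check them against `DESCRIBE email_queue` on your own server before running the same SQL against MariaDB. The sample values and subjects are made up to resemble the symptoms described in the post.

```python
import sqlite3

# Constructed sample rows mimicking an email_queue table. Column layout is an
# assumption (CakePHP EmailQueue plugin): id, email, subject, sent, send_tries,
# error. Values are invented to mirror the post: the "TLS/auth" error and a NULL
# error both appear on rows that were delivered AND on rows that were not.
SMTP_ERR = ("SMTP authentication method not allowed, "
            "check if SMTP server requires TLS.")
SAMPLE_ROWS = [
    (949, "alice@example.com", "Welcome to passbolt, Alice", 0, 4, SMTP_ERR),
    (950, "bob@example.com", "Bob shared a password with you", 1, 1, None),
    (951, "carol@example.com", "Your account recovery request", 1, 2, SMTP_ERR),
    (952, "bob@example.com", "Bob edited a password", 1, 1, None),
    (953, "dave@example.com", "Welcome to passbolt, Dave", 0, 4, None),
    (954, "erin@example.com", "Erin shared a password with you", 1, 1, None),
    (955, "alice@example.com", "Your account recovery request", 0, 4, SMTP_ERR),
]

# Subjects of the two mail types the post says go missing (assumed keywords).
ONBOARDING_KEYWORDS = ("welcome", "recovery")


def load_queue(rows=SAMPLE_ROWS):
    """Build an in-memory copy of the assumed email_queue table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE email_queue (
        id INTEGER PRIMARY KEY, email TEXT, subject TEXT,
        sent INTEGER NOT NULL, send_tries INTEGER NOT NULL, error TEXT)""")
    conn.executemany("INSERT INTO email_queue VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def summarize_by_error(conn):
    """One row per distinct error text: how many mails carry it, how many of
    those were still delivered, and the highest retry count seen. An error
    that shows up on delivered rows too is a symptom, not the blocker."""
    rows = conn.execute("""
        SELECT COALESCE(error, 'NULL') AS err,
               COUNT(*)                AS total,
               SUM(sent)               AS delivered,
               COUNT(*) - SUM(sent)    AS undelivered,
               MAX(send_tries)         AS max_tries
        FROM email_queue
        GROUP BY err
        ORDER BY total DESC, err""").fetchall()
    keys = ("error", "total", "delivered", "undelivered", "max_tries")
    return [dict(zip(keys, r)) for r in rows]


def stuck_onboarding(conn, max_tries=4):
    """Recipients whose registration/recovery mails were never delivered and
    hit the retry cap (the post reports 4 tries before the queue gives up).
    Returns {recipient: [queue ids]} so each user can be resent or contacted."""
    rows = conn.execute("""
        SELECT email, id, LOWER(subject)
        FROM email_queue
        WHERE sent = 0 AND send_tries >= ?
        ORDER BY email, id""", (max_tries,)).fetchall()
    stuck = {}
    for email, qid, subject in rows:
        if any(k in subject for k in ONBOARDING_KEYWORDS):
            stuck.setdefault(email, []).append(qid)
    return stuck


if __name__ == "__main__":
    q = load_queue()
    for row in summarize_by_error(q):
        print(f"{row['total']:3d} total, {row['delivered']} delivered, "
              f"{row['undelivered']} stuck, max {row['max_tries']} tries: "
              f"{row['error']}")
    for recipient, ids in stuck_onboarding(q).items():
        print(f"{recipient}: exhausted queue ids {ids}")
```

Run the same two queries against the real MariaDB table and compare the delivered/undelivered split per error: if the "check if SMTP server requires TLS" text appears on delivered rows at roughly the same ratio as on undelivered ones, it is not what decides delivery, and attention can move to what differs between a successful and a failed attempt. One detail from the test-email trace above is worth carrying into that comparison: the relay advertises `STARTTLS` while the Passbolt configuration shows `TLS: false`, which is exactly the mismatch that error text hints at.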