Test/notification emails work but registration/recovery emails only rarely

Checklist
I have read intro post:
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue

We are running Red Hat Enterprise Linux release 8.7 (Ootpa) with Passbolt CE 3.8.0

The setup and installation went fine. Although health-check complains about few things which may or may not be false positives. More about it in a bit below. We started using Passbolt in the small 5 man team we have and everything went fine. At some point however we wanted to invite new member and some existing members wanted to setup Passbolt on different device and we started to have issues.

Issue #1: Recovery emails are not being sent to users always.
Issue #2: Registration email for new users is not being sent always.

I say “not always” as when user does the registration multiple times and perhaps trying also different browsers at some point the registration/recovery (same behavior in terms of the issue) email comes through. Both very likely have some, unknown root cause. At the same time other notification emails for shared passwords/changes/or even some user successfully completing registration come through seemingly without fault.

Healthcheck:

> 
> su - nginx -s /bin/bash -c "/usr/share/php/passbolt/bin/cake passbolt healthcheck"
> 
>      ____                  __          ____
>     / __ \____  _____ ____/ /_  ____  / / /_
>    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
>   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
>  /_/    \__,_/____/____/_.___/\____/_/\__/
> 
>  Open source password manager for teams
> -------------------------------------------------------------------------------
>  Healthcheck shell
> -------------------------------------------------------------------------------
> 
>  Environment
> 
>  [PASS] PHP version 8.2.3.
>  [PASS] PCRE compiled with unicode support.
>  [PASS] The temporary directory and its content are writable and not executable.
>  [PASS] The logs directory and its content are writable.
>  [PASS] GD or Imagick extension is installed.
>  [PASS] Intl extension is installed.
>  [PASS] Mbstring extension is installed.
> 
>  Config files
> 
>  [PASS] The application config file is present
>  [PASS] The passbolt config file is present
> 
>  Core config
> 
>  [PASS] Debug mode is off.
>  [PASS] Cache is working.
>  [PASS] Unique value set for security.salt
>  [PASS] Full base url is set to https :// fqdn
>  [PASS] App.fullBaseUrl validation OK.
>  [PASS] /healthcheck/status is reachable.
> 
>  SSL Certificate
> 
>  **[FAIL] SSL peer certificate does not validate**
>  **[FAIL] Hostname does not match when validating certificates.**
>  **[WARN] Using a self-signed certificate**
>  [HELP] Check help.passbolt.com/faq/hosting/troubleshoot-ssl
>  [HELP] cURL Error (60) SSL certificate problem: unable to get local issuer certificate
> 
>  Database
> 
>  [PASS] The application is able to connect to the database
>  [PASS] 26 tables found
>  [PASS] Some default content is present
>  [PASS] The database schema up to date.
> 
>  GPG Configuration
> 
>  [PASS] PHP GPG Module is installed and loaded.
>  [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
>  [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
>  [PASS] The server OpenPGP key is not the default one
>  [PASS] The public key file is defined in config/passbolt.php and readable.
>  [PASS] The private key file is defined in config/passbolt.php and readable.
>  [PASS] The server key fingerprint matches the one defined in config/passbolt.php.
>  [PASS] The server public key defined in the config/passbolt.php (or environment variables) is in the keyring.
>  [PASS] There is a valid email id defined for the server key.
>  [PASS] The public key can be used to encrypt a message.
>  [PASS] The private key can be used to sign a message.
>  [PASS] The public and private keys can be used to encrypt and sign a message.
>  [PASS] The private key can be used to decrypt a message.
>  [PASS] The private key can be used to decrypt and verify a message.
>  [PASS] The public key can be used to verify a signature.
>  [PASS] The server public key format is Gopengpg compatible.
>  [PASS] The server private key format is Gopengpg compatible.
> 
>  Application configuration
> 
>  **[FAIL] Could not connect to passbolt repository to check versions It is not possible check if your version is up to date.**
>  [HELP] Check the network configuration to allow this script to check for updates.
>  [PASS] Passbolt is configured to force SSL use.
>  [PASS] App.fullBaseUrl is set to HTTPS.
>  [PASS] Selenium API endpoints are disabled.
>  [PASS] Search engine robots are told not to index content.
>  [PASS] Registration is closed, only administrators can add users.
>  [PASS] Serving the compiled version of the javascript app
>  [PASS] All email notifications will be sent.
> 
>  JWT Authentication
> 
>  [PASS] The JWT Authentication plugin is enabled
>  [PASS] The /etc/passbolt/jwt/ directory is not writable.
>  [PASS] A valid JWT key pair was found
> 
>  SMTP Settings
> 
>  [PASS] The SMTP Settings plugin is enabled.
>  [PASS] SMTP Settings coherent. You may send a test email to validate them.
>  [PASS] The SMTP Settings source is: database.
> 
>  **[FAIL] 4 error(s) found. Hang in there!**
> 

Comments for failures:

SSL Certificate - We can sign our own certificates for internal use and we did that here. There are no errors when browsing https ://fqdn for the Passbolt server and the certificate registers as valid and trusted. This could be a false positive?

Repository access - our network access policies block direct internet access so this failure is to be excepted.

When looking at various logs there isn’t much to go by but clearly some emails are not just being sent by the server:

tail -f /var/log/passbolt/cron.log
Email 949 was not sent
Email 950 was sent
Email 951 was not sent
Email 952 was sent
Email 953 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent
Email 951 was sent
Email 953 was not sent
Email 954 was sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent
Email 953 was sent
tail: /var/log/passbolt/cron.log: file truncated
Email 949 was not sent

I can send the test email without fail either from GUI or from CLI. (domain suffixes and names)

> sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=myemailaddress"
> 
>      ____                  __          ____
>     / __ \____  _____ ____/ /_  ____  / / /_
>    / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/
>   / ____/ /_/ (__  |__  ) /_/ / /_/ / / /
>  /_/    \__,_/____/____/_.___/\____/_/\__/
> 
>  Open source password manager for teams
> -------------------------------------------------------------------------------
>  Debug email shell
> -------------------------------------------------------------------------------
> Email configuration
> -------------------------------------------------------------------------------
> Host: smtp_fqdn
> Port: 25
> Username:
> Password: *********
> TLS: false
> Sending email from: Passbolt <passbolt@ourdomain.com>
> Sending email to: myemailaddress
> -------------------------------------------------------------------------------
> Trace
> [220] oursmtpserver Microsoft ESMTP MAIL Service ready at Thu, 25 May 2023 18:58:05 +0800
>  EHLO localhost
> [250] oursmtpserver Hello [172.29.236.11]
> [250] SIZE 20971520
> [250] PIPELINING
> [250] DSN
> [250] ENHANCEDSTATUSCODES
> [250] STARTTLS
> [250] 8BITMIME
> [250] BINARYMIME
> [250] CHUNKING
> [250] SMTPUTF8
>  MAIL FROM:<passbolt@ourdomain.com>
> [250] 2.1.0 Sender OK
>  RCPT TO:<myemailaddress>
> [250] 2.1.5 Recipient OK
>  DATA
> [354] Start mail input; end with <CRLF>.<CRLF>
>  From: Passbolt <passbolt@ourdomain.com>
> To: myemailaddress
> Date: Thu, 25 May 2023 10:58:06 +0000
> Message-ID: <4498024bb6ae434e8c511dad4b970c70@eusamsitap02>
> Subject: Passbolt test email
> MIME-Version: 1.0
> Content-Type: text/plain; charset=UTF-8
> Content-Transfer-Encoding: 8bit
> 
> Congratulations!
> If you receive this email, it means that your passbolt smtp configuration is working fine.
> 
> 
> .
> [250] 2.6.0 <4498024bb6ae434e8c511dad4b970c70@passboltserver> [InternalId=40372692606816, Hostname=oursmtpserver] 1741 bytes in 0.076, 22.349 KB/sec Queued mail for delivery
>  QUIT
> The message has been successfully sent!

I’ve also been looking at the MariaDB for the email_queue table and it contains hundreds (close to thousand I believe based on the above logs #) of emails that I think include both sent and failed emails. Per that view (unfortunately cant post pictures) it tries 4 times before giving up.

In the DB view I can see on the “error” column two different errors which I don’t think are fatal as emails with both types of errors also sometimes come through:

More common (roughly 2/3 of them): SMTP authentication method not allowed, check if SMTP server requires TLS.
Less common error (roughly 1/3 of them): NULL

Other things I’ve managed to check that our internal SMTP relay does not have any filtering enabled and allows 100 emails per minute per source which we should not be anywhere near of.

Send help

Hi @mikkoh Welcome to the forum!

Give your description of efforts already made with your certificate it can probably be ignored, but that’s not to say it’s a false positive. It may reflect the server cannot verify the cert’s root CA in its own /etc/ssl directory? We have this on the help site: Passbolt Help | Troubleshoot SSL

Since it looks like you are using Microsoft for email services, I’d look at the Admin/Exchange logs there to see why it couldn’t deliver the emails. Some reasons I can think is the address doesn’t exist. Or, that your mail service is not set up right and the receiving mail server won’t accept the emails.

The test email process is a bit different in that verification is a bit looser.

There’s also this regarding troubleshooting emails: Passbolt Help | Why are my emails not being sent?

In the email settings you will want to check that TLS is set to true:

Hi garrett,

Thanks for the quick reply.

So I’ve been to both of the linked pages but just to triple check at this point I ran through them once more.

For the “Troubleshoot SSL” I do not get any errors from any of the steps and I can complete all of them except the last two which are the “Full chain of trust” as our root certificate is not exposed. Intermediate checks out just fine with the command

openssl s_client -quiet -connect passbolt.domain.tld:443

Also verification is OK up to the intermediate.pem point:

openssl verify -CAfile rootCA.pem intermediate.pem
/etc/passbolt/certs/passbolt.pem: OK

if you really think checking the full chain is needed I’ll try to get in touch with our certificate team.

For Exchange server part. I’ve already once asked and their comment was that as this is only passing through our internal relay there is nothing there that would stop emails from going through on the exchange side. The one and only limitation is the flood rate of 100 mails per minute. I would also note that sometimes the emails, even the registration/recovery ones, do come through occasionally so certainly the SMTP server exists and the email addresses for the registrants/ones trying recovery exist.

For the “Why are my emails not being sent” I think this was the first page I wondered into maybe few weeks ago when I started looking at this on and off.

Reason1: Test email works 100% of the time without errors
Reason 2: Everything is enabled. I’ve confirmed this both in GUI and in the DB
Reason 3: Cron is running - the output looks like this:

# journalctl -fu crond
-- Logs begin at Fri 2023-05-26 08:36:18 CEST. --
May 26 09:17:01 passboltserver su[3587]: pam_unix(su:session): session opened for user nginx by (uid=0)
May 26 09:17:01 passboltserver su[3587]: pam_unix(su:session): session closed for user nginx
May 26 09:18:01 passboltserver CROND[3612]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 26 09:18:01 passboltserver su[3613]: (to nginx) root on none
May 26 09:18:01 passboltserver su[3613]: pam_unix(su:session): session opened for user nginx by (uid=0)
May 26 09:18:01 passboltserver su[3613]: pam_unix(su:session): session closed for user nginx
May 26 09:19:01 passboltserver CROND[3653]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 26 09:19:01 passboltserver su[3654]: (to nginx) root on none
May 26 09:19:01 passboltserver su[3654]: pam_unix(su:session): session opened for user nginx by (uid=0)
May 26 09:19:02 passboltserver su[3654]: pam_unix(su:session): session closed for user nginx
May 26 09:20:01 passboltserver CROND[3706]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 26 09:20:01 passboltserver su[3707]: (to nginx) root on none
May 26 09:20:01 passboltserver su[3707]: pam_unix(su:session): session opened for user nginx by (uid=0)

Reason 4: No such error and we’ve not updated Passbolt after installing it. However I’ve tried clearing the cache command multiple times in different instances:

 sudo -H -u nginx bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"
Clearing default
Cleared default cache
Clearing _cake_core_
Cleared _cake_core_ cache
Clearing _cake_model_
Cleared _cake_model_ cache

Reason 5: Not using Gmail as you saw earlier

Last bit for “Use TLS”, we’ve never setup these SMTP emails that use our relay so that they would use TLS - I’m not sure if its setup on the Exchange side for it but I can try ask. If I enable it on Passbolt even the test email fails to this error:

[
    {
        "cmd": null,
        "response": [
            {
                "code": "220",
                "message": "ourExchange Microsoft ESMTP MAIL Service ready at Fri, 26 May 2023 15:26:11 +0800"
            }
        ]
    },
    {
        "cmd": "EHLO passboltserver",
        "response": [
            {
                "code": "250",
                "message": "ourExchange Hello [172.29.236.11]"
            },
            {
                "code": "250",
                "message": "SIZE 20971520"
            },
            {
                "code": "250",
                "message": "PIPELINING"
            },
            {
                "code": "250",
                "message": "DSN"
            },
            {
                "code": "250",
                "message": "ENHANCEDSTATUSCODES"
            },
            {
                "code": "250",
                "message": "STARTTLS"
            },
            {
                "code": "250",
                "message": "8BITMIME"
            },
            {
                "code": "250",
                "message": "BINARYMIME"
            },
            {
                "code": "250",
                "message": "CHUNKING"
            },
            {
                "code": "250",
                "message": "SMTPUTF8"
            }
        ]
    },
    {
        "cmd": "STARTTLS",
        "response": [
            {
                "code": "220",
                "message": "2.0.0 SMTP server ready"
            }
        ]
    }
]

I’ve noted that when sending the test emails I do not see it triggered in the cron job - I assume this is to be expected and only the recovery/registration/other emails go through it? Maybe there is some reason for it being like this but could that also relate to our issue?

For TLS we noticed that the SMTP-server address we use is load balanced and depending on the connecting protocol parameters it load balances to correct destination. e.g. for plain SMTP its one IP and for TLS its another. We tested by changing the SMTP server FQDN to IP for the plain SMTP relay and was very hopeful when the first test recovery email was send without delay however next 4 consecutive tests from same and also different clients failed to go through.

tail -f /var/log/passbolt/cron.log
Email 964 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 964 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 964 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 964 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 965 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 965 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 965 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 965 was not sent
**Email 966 was sent** <<<<<<------------ HOPES GO UP
tail: /var/log/passbolt/cron.log: file truncated
Email 967 was not sent <<<<<<------------ HOPES CRASH AND BURN
tail: /var/log/passbolt/cron.log: file truncated
Email 967 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 967 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 967 was not sent

What if you change from FQDN to the ip for the TLS SMTP? What happens then?

Passbolt mail config is for smtp, but it seems you are saying the exchange endpoint is only a relay. Wouldn’t that mean then your passbolt server needs to be setup to pass all checks by the receiving mail servers with regards to spf and dkim? Are you only sending to internal email addresses?

I run a relay for a client and they get mail from one domain to their Gmail address… Google often kicks back at the sender for being blacklisted. But, there’s nothing wrong with my server and it’s not affected.

Meaning, with a relay you might be outside of what passbolt is set up to facilitate. Are you actually logging in to the mail server with credentials or just sending mail out to the exchange server because it’s available from a networking standpoint?

What if you change from FQDN to the ip for the TLS SMTP? What happens then?

The result is the same as above when just turning on TLS with FQDN.

My understanding of exchange servers is not that great but I think the exchange server in question is much more than just a relay but one of the roles it has is to act as an SMTP relay. We use the same server for literally hundreds of different services/applications.

When we only have a requirement to sent to internal addresses, like we almost always do including now with Passbolt, we don’t have to do authentication with credentials and its just anonymous relay connection (no idea if that is the correct terminology but hopefully you understand the meaning). Internally we control this with while listing allowed IP’s.

When we ever have SMTP issues in these type internal servers and services there are only few reasons for those:

1. Server IP isn’t white listed for SMTP
2. Firewall is blocking SMTP
3. Application is not configured to use correct SMTP server (with current load balanced DNS name it can’t go wrong anymore as there is only one)

Makes sense. Sounds like you did your part correctly, in my opinion.

Currently there is a limitation in the app related to resending of failed messages so your other option is to first send to a local mail service like sendmail which can receive and then re-queue the messages. But, that’s not ideal really… the exchange server should queue them for you and limit the outgoing vs the incoming if it’s all internal. If course, the mail team would have to deal with a bad app that sends 10k emails in error.

So it’s back on you.

I think I will add a rate limiting and resending feature request at this would help your case.

So I’m bit confused that what do you think is the issue? Our exchange (smtp) server configuration or the way Passbolt sends/resends emails?

If its something on our exchange then I’m sure that can be sorted out. I just need something to go from?? Although as said earlier I’m skeptic that the exchange/smtp server would be the reason to the huge amount of services and users that depend on it daily and configuration issues really should have been ironed out long time ago. Unless Passbolt is doing something very different when sending out mails but that seems very unlikely too.

That sendmail could be something I might try anyway if there isn’t anything else that would be worthwhile.

I think the issue is at the mail server. The logs you show don’t have timestamps but can you see that rate limiting is not the issue based on time?

If it’s not rate limiting, and your mail server does not require tls, or credentials, and it’s just a relay to internal addresses, and they want smtp at port 25 then I guess you’ve set it up correctly.

But when it sends the mail for you, what other servers are receiving? Or, is it the case that it actually IS receiving at port 25? Meaning, the mail server is the final destination for the message?

I’m certain we are not rate limited. We are not anywhere close to being limited.

But when it sends the mail for you, what other servers are receiving? Or, is it the case that it actually IS receiving at port 25? Meaning, the mail server is the final destination for the message?

“I think” the answer for this is that its not the final destination for the email. We run on-prem + 365 hybrid exchange setup. When looking at the properties for the emails I get to my inbox from my Passbolt server I see it come from the Passbolt server IP, to the Microsoft SMTP Server which is internal (that I have configured in the Passbolt) and from there I believe it bounces it way forward eventually to 365 side and eventually to my inbox (which is at 365). I see TLS being enabled, or so I think based on the properties headers, at some point too funnily enough but not surprisingly.

I wonder if you are able to simply send email from the passbolt server to your mail server, without smtp at all.

Does this work if you send to your internal email address that would be a receiving passbolt user:

mail -s "Test Subject" user@example.com < /dev/null

Yes that works just fine.

Do you have postfix or exim running on the server?
netstat -plunt | egrep "0.0.0.0:25"

I think so yea, your command doesn’t find anything but full output shows something on 127.0.0.1:25

netstat -plunt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1363/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1942/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1500/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1500/nginx: master
tcp6 0 0 :::22 :::* LISTEN 1363/sshd
tcp6 0 0 :::443 :::* LISTEN 1500/nginx: master
tcp6 0 0 :::3306 :::* LISTEN 1516/mysqld
tcp6 0 0 :::80 :::* LISTEN 1500/nginx: master
udp 0 0 0.0.0.0:123 0.0.0.0:* 992/chronyd
udp 0 0 127.0.0.1:323 0.0.0.0:* 992/chronyd
udp6 0 0 ::1:323 :::* 992/chronyd

and that pid 1942 is postfix it seems:

ps -ef |grep 1942
root 1942 1 0 May26 ? 00:00:00 /usr/libexec/postfix/master -w
postfix 1965 1942 0 May26 ? 00:00:00 qmgr -l -t unix -u
postfix 70910 1942 0 16:59 ? 00:00:00 tlsmgr -l -t unix -u
postfix 71987 1942 0 17:37 ? 00:00:00 pickup -l -t unix -u
root 73371 2158 0 18:27 pts/0 00:00:00 grep --color=auto 1942

In passbolt I would attempt to send mail to the local server mail service, as it might send it on for you.

• Change the mail host to 127.0.0.1, keep port 25
• turn off TLS at first and see what happens

Same results as before. Test email comes through instantly but recovery emails do not. I also checked that editing one of the shared passwords notification email comes through to me but curiously I saw issues with delivering that. Below is tail of the cron job log (yea doesn’t look nice) and

Email 969: My first recovery attempt. Tries 4 times and fails 4 times. If I interpret what actually happens and what the log says correctly.
Email 970: My second recovery attempt. Same result.
Emails 971-975 are the notification emails of an edited shared passwords to the 5 members to whom its shared to. My way of understanding the below log, with the benefit of watching it live (need to add the time stamps), is that in the first try 3 of the 5 emails come through. Including one to me. Then on the next try one more email comes through but email 974 fails couple more times before it stops trying at 4 failures. I could dig up from the DB’s email_queue that to whom the email did not get through and confirm it but I have high confidence on my reasoning here:

tail -f /var/log/passbolt/cron.log
Email 969 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 969 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 969 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 969 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 970 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 970 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 970 was not sent
Email 971 was sent
Email 972 was not sent
Email 973 was sent
Email 974 was not sent
Email 975 was sent
tail: /var/log/passbolt/cron.log: file truncated
Email 970 was not sent
Email 972 was sent
Email 974 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 974 was not sent
tail: /var/log/passbolt/cron.log: file truncated
Email 974 was not sent
tail: /var/log/passbolt/cron.log: file truncated

We still don’t know why this is happening. I am noticing an every other one is failing pattern.

To create this pattern I would have two cron jobs, one that is run with a user that works, and one that is run by a user without sufficient privileges.

Can you check the cron settings for this? It should run once a minute. Maybe run a tail -f on the cron log to verify the timing.

Yeah I’ve picked up on that pattern before too and it seems to hold very well except in the case of recovery/registration emails and test emails. Test emails don’t up on the cron at all and recovery/reg ones usually always just fail, except on random occasions the come through.

Sample of cron log. It seems to just trigger once per minute.

May 27 20:48:01 passboltserver CROND[77396]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:49:01 passboltserver CROND[77422]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:50:01 passboltserver CROND[77448]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:51:01 passboltserver CROND[77474]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:52:01 passboltserver CROND[77501]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:53:01 passboltserver CROND[77528]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:54:01 passboltserver CROND[77554]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:55:01 passboltserver CROND[77580]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:56:01 passboltserver CROND[77607]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:57:01 passboltserver CROND[77634]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:58:01 passboltserver CROND[77663]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 20:59:01 passboltserver CROND[77689]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 21:00:01 passboltserver CROND[77715]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 21:01:01 passboltserver CROND[77746]: (root) CMD (run-parts /etc/cron.hourly)
May 27 21:01:01 passboltserver CROND[77747]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)
May 27 21:01:01 passboltserver run-parts[77746]: (/etc/cron.hourly) starting 0anacron
May 27 21:01:01 passboltserver run-parts[77746]: (/etc/cron.hourly) finished 0anacron
May 27 21:02:01 passboltserver CROND[77784]: (root) CMD (su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log)

Cron config for Passbolt

cat /etc/cron.d/passbolt-ce-server
#
#
#  Cronjob to process emails for the Passbolt Web Service every minute.
#
#  This crontab script is part of the Passbolt Debian package,
#  see dh_installcron debhelper program for more details.
#

PATH=/bin:/usr/local/bin:/usr/bin
PASSBOLT_BASE_DIR=/usr/share/php/passbolt

* * * * * root su -s /bin/bash nginx $PASSBOLT_BASE_DIR/bin/cron 2>&1 > /var/log/passbolt/cron.log

There was another case recently where certain emails failed and others did not, due to spam filter and blocking.

He ultimately used gmail smtp and it was fine. His mail service was blocking due to content.

I’ve actually read that thread. I tried to read through anything that could relate both on this forum and few that were on reddit for whatever reason

The main difference I see to the thread you posted is that for them the error actually was saying that its being blocked due to content: “SMTP Error: 550 5.7.1 Mail contain spam content”. Now this I suppose could be different with our Microsoft SMTP server but SMTP should be SMTP right?

For us the error is the one I posted earlier:

SMTP authentication method not allowed, check if SMTP server requires TLS

Also to add details which probably aren’t useful but since I digged up the DB. The error is different when TLS was enabled to test:

SMTP Error: 503 5.5.1 Error: authentication not enabled
SMTP Error: 503 5.5.1 Error: authentication not enabled