Trouble configuring SMTP

I'm having a hard time getting SMTP to work. Everything I've tried so far has failed. I think editing the settings from passbolt.php would help, but for some reason Passbolt is using the site SMTP settings instead of what's in the PHP file. Here is the error I'm getting. I can send and receive emails outside of Passbolt.

Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-27 12:08:29 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

This is a Passbolt install on Ubuntu; any help would be greatly appreciated.

Hi @Brevoort29,

when disabling the SmtpSettings plugin, the SMTP settings in the DB will be ignored and the settings in passbolt.php will be used.

In order to do so you can set this env variable to false: PASSBOLT_PLUGINS_SMTP_SETTINGS_ENABLED

Or in passbolt.php:

'passbolt' => [
  'plugins' => [
    'smtpSettings' => [
       'enabled' => false, 
    ],
  ],
],

However all SMTP settings in passbolt.php are editable in the UI, so it would be interesting, once fixed on your side, to know what did not work on the UI.

Thanks for that. Seems using the .php didn't solve my issue. Here are my settings for SMTP and the health check:

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'host',
        'port' => '587',
        'username' => 'username',
        'password' => 'password',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        //'timeout' => 30,
        //'client' => null,
        //'url' => null,
        'ssl' => [
            'verify_peer' => false,
            'verify_peer_name' => false,
            'allow_self_signed' => true,
        ],
    ],
],
 [PASS] PHP version 8.1.2-1ubuntu2.11.
 [PASS] PCRE compiled with unicode support.
 [PASS] The temporary directory and its content are writable and not executable.
 [PASS] The logs directory and its content are writable.
 [PASS] GD or Imagick extension is installed.
 [PASS] Intl extension is installed.
 [PASS] Mbstring extension is installed.

 Config files

 [PASS] The application config file is present
 [PASS] The passbolt config file is present

 Core config

 [PASS] Debug mode is off.
 [PASS] Cache is working.
 [PASS] Unique value set for security.salt
 [PASS] Full base url is set to https://host fqdn
 [PASS] App.fullBaseUrl validation OK.
 [FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
 [HELP] Check that the domain name is correct in /etc/passbolt/passbolt.php
 [HELP] Check the network settings

 SSL Certificate

 [FAIL] SSL peer certificate does not validate
 [FAIL] Hostname does not match when validating certificates.
 [WARN] Using a self-signed certificate
 [HELP] Check https://help.passbolt.com/faq/hosting/troubleshoot-ssl
 [HELP] cURL Error (6) Could not resolve host: ftspassbolt.fray.tech

 Database

 [PASS] The application is able to connect to the database
 [PASS] 30 tables found
 [PASS] Some default content is present
 [PASS] The database schema up to date.

 GPG Configuration

 [PASS] PHP GPG Module is installed and loaded.
 [PASS] The environment variable GNUPGHOME is set to /var/lib/passbolt/.gnupg.
 [PASS] The directory /var/lib/passbolt/.gnupg containing the keyring is writable by the webserver user.
 [PASS] The server OpenPGP key is not the default one
 [PASS] The public key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The private key file is defined in /etc/passbolt/passbolt.php and readable.
 [PASS] The server key fingerprint matches the one defined in /etc/passbolt/passbolt.php.
 [PASS] The server public key defined in the /etc/passbolt/passbolt.php (or environment variables) is in the keyring.
 [PASS] There is a valid email id defined for the server key.
 [PASS] The public key can be used to encrypt a message.
 [PASS] The private key can be used to sign a message.
 [PASS] The public and private keys can be used to encrypt and sign a message.
 [PASS] The private key can be used to decrypt a message.
 [PASS] The private key can be used to decrypt and verify a message.
 [PASS] The public key can be used to verify a signature.
 [PASS] The server public key format is Gopengpg compatible.
 [PASS] The server private key format is Gopengpg compatible.

 Application configuration

 [PASS] Using latest passbolt version (3.12.2).
 [PASS] Passbolt is configured to force SSL use.
 [PASS] App.fullBaseUrl is set to HTTPS.
 [PASS] Selenium API endpoints are disabled.
 [PASS] Search engine robots are told not to index content.
 [INFO] The Self Registration plugin is enabled.
 [INFO] Registration is closed, only administrators can add users.
 [PASS] The deprecated self registration public setting was not found in /etc/passbolt/passbolt.php.
 [WARN] Host availability checking is disabled.
 [HELP] Make sure this instance is not publicly available on the internet.
 [HELP] Or set the PASSBOLT_EMAIL_VALIDATE_MX environment variable to true.
 [HELP] Or set passbolt.email.validate.mx to true in /etc/passbolt/passbolt.php.
 [PASS] Serving the compiled version of the javascript app.
 [WARN] Some email notifications are disabled by the administrator.

 JWT Authentication

 [PASS] The JWT Authentication plugin is enabled
 [PASS] The /etc/passbolt/jwt/ directory is not writable.
 [PASS] A valid JWT key pair was found

 SMTP Settings

 [WARN] The SMTP Settings plugin is disabled. Enable the plugin in order to define SMTP settings in the database.

 [FAIL] 3 error(s) found. Hang in there!

You could try adding the domain into your /etc/hosts file:

127.0.0.1 ftspassbolt.fray.tech

or maybe use the server private ip instead.

Thanks for that! That fixed the ssl issue in the health check but still receiving the following error for sending mail.

Sending email to: frayr@fray.tech
-------------------------------------------------------------------------------
Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-27 16:32:38 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
 EHLO localhost
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
 STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

The ssl settings you show above are not typically used for smtp tls on 587. Are you needing ssl on 465 or tls on 587?

I only changed it to 587 TLS because it kept hanging on 465 with tls null. Here is the test email output with 465:

     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Debug email shell
-------------------------------------------------------------------------------
Email configuration
-------------------------------------------------------------------------------
Host: ftssmtp.fray.tech
Port: 465
Username: email address
Password: *********
TLS: false
Sending email from: FTS Passbolt Admin <email>
Sending email to: email
-------------------------------------------------------------------------------
Trace
Could not send the test email.
Error: SMTP timeout.

If you need ssl, it’s achieved by using ssl:// in front of the host name, along with 465.

See Mailer - 4.x


I've tried that as well. This is what I receive from the mail server:

postfix-mailcow_1    | Apr 27 13:34:06 eb2c658f1f93 postfix/smtps/smtpd[1229]: SSL_accept error from unknown[10.20.0.8]: -1
postfix-mailcow_1    | Apr 27 13:34:06 eb2c658f1f93 postfix/smtps/smtpd[1229]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:

This is what I receive on the Passbolt server:

Email configuration
-------------------------------------------------------------------------------
Host: ssl://hostname
Port: 465
Username: email address
Password: *********
TLS: false
Sending email from: FTS Passbolt Admin <email>
Sending email to: email
-------------------------------------------------------------------------------
Trace
Could not send the test email.
Error: 

Are you controlling your own mail server as well? Do you really serve on 465 or would you rather do 587?

Edit: for 587 (“smtpd”), the following:

The unknown from postfix can be resolved by:

In main.cf:

smtpd_helo_restrictions =
    permit_mynetworks

In /etc/postfix have a file named mynetworks and the contents:

10.20.0.8 

And then in the mail server’s /etc/hosts:

10.20.0.8 ftspassbolt.fray.tech

Restart postfix: service postfix reload

Try that, see what happens then. The cert will likely still be a problem. But one thing at a time.

Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL

I'm using a dockerized Mailcow instance as a mail server on a separate machine. Would the above still apply?

We are talking about two different things at once, so hopefully we are not confusing things too much.

  1. configure passbolt mail
  2. according to your mail server’s available services

Starting with #2, what does your mail server offer?

Yes, my mail server offers both services. If I use an SMTP tool online, I can send test emails using 587, 465, and 993, which are the protocols available. I also have port 25 open, but only because it has to be for the mail server to work properly. So it is definitely isolated to some setting on Passbolt, since I can't use any of the protocols from Passbolt. Is there a character limit for the password? It is a long password.

Sorry, I thought you were telling me to make that change on the mail server.

“Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL”

Trust me, I went through all the forum pages relating to the issue for the past week. Lol. I definitely read this and tried the things on that page. However, that was before I could get Passbolt to use the passbolt.php.

In order for your mail client (passbolt in this case) to be known you need to either have:

  1. a publicly resolvable domain
  2. the steps above (permit_mynetworks, etc)

Let’s try to get it working with 587.

Even as it is, without any changes to postfix, try these two things:

  1. add your domain to the mail server /etc/hosts
  2. add your domain to the client field in passbolt SMTP settings

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'ftssmtp.fray.tech',
        'port' => '587',
        'username' => 'username',
        'password' => 'password',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        //'timeout' => 30,
        'client' => 'ftspassbolt.fray.tech',
    ],
],

Sorry it took so long for me to reply.

The /etc/postfix/mynetworks file doesn't exist. Should I create it, or is it expected to be there? In my main.cf there is a line for mynetworks, but it contains the 172 addresses. Should I add it there?

I made the other changes, I just didn't add mynetworks, and I'm currently still receiving the same error.

Yes, you could add the IP address there as a space-separated list item. It's a whitelisting feature to add the IP address.

Seems that doesn't work either. I also renewed the mail server cert, as well as the Passbolt server cert. I keep receiving the same error.

Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-28 16:28:54 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
 EHLO ftspassbolt.fray.tech
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
 STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

This is what I'm seeing on the mail server:

postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: connect from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: TLS SNI ftssmtp.fray.tech from unknown[10.20.0.8] not matched, using default chain
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: SSL_accept error from unknown[10.20.0.8]: -1
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: lost connection after STARTTLS from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: disconnect from unknown[10.20.0.8] ehlo=1 starttls=0/1 commands=1/2

After some digging, it looks like it's a version mismatch. What version does Passbolt use?

root@ftspassbolt:/home/passboltadmin# openssl s_client -connect ftssmtp.fray.tech:587 -CAfile /usr/share/ca-certificates/FTSrootCA.crt -tls1_3
CONNECTED(00000003)
40B732AF847F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 251 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@ftspassbolt:/home/passboltadmin#
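Editor's note, with an added example that is not from the thread and not Passbolt's own code. Two things in the last posts are worth pinning down. First, port 587 speaks plaintext SMTP until the client sends STARTTLS, so `openssl s_client -connect host:587` without `-starttls smtp` feeds the `220` banner to the TLS record parser; that is where "wrong version number" comes from, and the "Verify return code: 0 (ok)" that follows only means no certificate was examined at all (note "no peer certificate available"). The equivalent probe is `openssl s_client -starttls smtp -connect ftssmtp.fray.tech:587 -CAfile /usr/share/ca-certificates/FTSrootCA.crt`. Second, Postfix's "tlsv1 alert unknown ca" (alert 48) is sent by the client, i.e. the Passbolt host: PHP's OpenSSL could not chain the server certificate to a root it trusts, which is exactly the "certificate verify failed" on the Passbolt side. Renewing either server's certificate does not change that; what matters is whether the PHP process that runs the mailer is given FTSrootCA as a trust anchor. The script below replays the failing step (EHLO, STARTTLS, `stream_socket_enable_crypto()`) with an explicit CA file, and handles implicit TLS on 465 as well, so the trust problem can be reproduced and fixed outside CakePHP with verification kept on. The host names and the CA path are placeholders taken from the thread.

```php
<?php
// smtp_tls_probe.php: added example, not from the thread or from Passbolt itself.
// Replays the step that fails in the Passbolt trace (EHLO, STARTTLS, then
// stream_socket_enable_crypto()) with an explicit CA file, so the trust problem
// can be reproduced outside CakePHP. Host names and the CA path are placeholders
// taken from the thread; adjust them for your environment.
//
//   php smtp_tls_probe.php ftssmtp.fray.tech 587 /usr/share/ca-certificates/FTSrootCA.crt
//   php smtp_tls_probe.php ftssmtp.fray.tech 465 /usr/share/ca-certificates/FTSrootCA.crt
//
// Port 465 is handled as implicit TLS (ssl:// transport, handshake at connect);
// any other port is handled as plaintext SMTP upgraded with STARTTLS.
declare(strict_types=1);

$host   = $argv[1] ?? 'localhost';
$port   = (int)($argv[2] ?? 587);
$cafile = $argv[3] ?? null;

// Verification stays ON. The fix for "certificate verify failed" against a
// private CA is to point cafile at that CA, not to set verify_peer => false.
$ssl = [
    'verify_peer'       => true,
    'verify_peer_name'  => true,
    'allow_self_signed' => false,
    'peer_name'         => $host,   // name matched against the certificate SAN/CN
    'SNI_enabled'       => true,
    'capture_peer_cert' => true,    // lets us print which certificate was presented
];
if ($cafile !== null) {
    $ssl['cafile'] = $cafile;       // PEM file holding FTSrootCA (plus any intermediate)
}
$ctx = stream_context_create(['ssl' => $ssl]);

// Read one SMTP reply; "250-" lines continue, "250 " (space) ends the reply.
function smtpRead($sock): array
{
    $lines = [];
    while (($line = fgets($sock)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (strlen($line) < 4 || $line[3] !== '-') {
            break;
        }
    }
    return $lines;
}

function smtpCmd($sock, string $cmd): array
{
    fwrite($sock, $cmd . "\r\n");
    return smtpRead($sock);
}

$implicitTls = ($port === 465);
$target = ($implicitTls ? 'ssl://' : 'tcp://') . $host . ':' . $port;
$sock = stream_socket_client($target, $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
if ($sock === false) {
    // On 465 a chain that does not validate surfaces here, at connect time.
    fwrite(STDERR, "connect to $target failed: [$errno] $errstr\n");
    exit(1);
}
stream_set_timeout($sock, 10);
echo 'S: ' . implode("\nS: ", smtpRead($sock)) . "\n";   // 220 banner

if (!$implicitTls) {
    $ehlo = smtpCmd($sock, 'EHLO ' . gethostname());
    if (!in_array('250-STARTTLS', $ehlo, true) && !in_array('250 STARTTLS', $ehlo, true)) {
        fwrite(STDERR, "port $port did not advertise STARTTLS\n");
        exit(1);
    }
    $ready = smtpCmd($sock, 'STARTTLS');
    if (!str_starts_with($ready[0] ?? '', '220')) {
        fwrite(STDERR, 'STARTTLS refused: ' . implode(' ', $ready) . "\n");
        exit(1);
    }
    // The exact call that fails in the Passbolt trace. With a wrong or missing
    // cafile PHP warns "certificate verify failed" and Postfix logs "alert unknown ca".
    if (stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT) !== true) {
        fwrite(STDERR, 'TLS handshake failed: server chain does not validate against '
            . ($cafile ?? 'the default CA file') . "\n");
        exit(1);
    }
}

$opts = stream_context_get_options($sock);
$cert = openssl_x509_parse($opts['ssl']['peer_certificate']);
echo 'TLS OK, server certificate CN=' . ($cert['subject']['CN'] ?? '?')
    . ' issuer CN=' . ($cert['issuer']['CN'] ?? '?') . "\n";
smtpCmd($sock, 'QUIT');
fclose($sock);
```

Run it as the web server user (`sudo -u www-data php smtp_tls_probe.php ...`) so it sees the same PHP/OpenSSL configuration as Passbolt. If it fails with the CA file but `openssl s_client -starttls smtp ... -CAfile` succeeds, the CA file is fine and the problem is which trust store the mailer consults; if both fail, check that the file really contains the root that issued the Mailcow certificate (and any intermediate) with `openssl verify -CAfile FTSrootCA.crt server.pem`. Once the probe passes, the same CA has to reach Passbolt's transport. To my knowledge the CakePHP Socket class named in the trace accepts `ssl_`-prefixed transport keys (for example `'ssl_cafile' => '/usr/share/ca-certificates/FTSrootCA.crt'` next to `'tls' => true` in the EmailTransport entry) and turns them into stream-context SSL options; confirm that against `_setSslContext()` in your vendor copy of Socket.php before relying on it, and be aware that a CA added only with `update-ca-certificates` helps only if that code path actually reads the system bundle rather than its own default CA file.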