The ssl settings you show above are not typically used for smtp tls on 587. Are you needing ssl on 465 or tls on 587?
I only changed it to 587 tls because it kept hanging on 465 with tls null. Here is the test email output with 465:
Open source password manager for teams
-------------------------------------------------------------------------------
Debug email shell
-------------------------------------------------------------------------------
Email configuration
-------------------------------------------------------------------------------
Host: ftssmtp.fray.tech
Port: 465
Username: email address
Password: *********
TLS: false
Sending email from: FTS Passbolt Admin <email>
Sending email to: email
-------------------------------------------------------------------------------
Trace
Could not send the test email.
Error: SMTP timeout.
If you need ssl, it’s achieved by using ssl:// in front of the host name, along with 465. See Mailer - 4.x.
I’ve tried that as well. This is what I receive from the mail server.
postfix-mailcow_1 | Apr 27 13:34:06 eb2c658f1f93 postfix/smtps/smtpd[1229]: SSL_accept error from unknown[10.20.0.8]: -1
postfix-mailcow_1 | Apr 27 13:34:06 eb2c658f1f93 postfix/smtps/smtpd[1229]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
This is what I receive on the passbolt server:
Email configuration
-------------------------------------------------------------------------------
Host: ssl://hostname
Port: 465
Username: email address
Password: *********
TLS: false
Sending email from: FTS Passbolt Admin <email>
Sending email to: email
-------------------------------------------------------------------------------
Trace
Could not send the test email.
Error:
Are you controlling your own mail server as well? Do you really serve on 465 or would you rather do 587?
Edit: for 587 “smtpd” the following:
The unknown from postfix can be resolved by:
In main.cf:
smtpd_helo_restrictions =
permit_mynetworks
In /etc/postfix have a file named mynetworks
and the contents:
10.20.0.8
And then in the mail server’s /etc/hosts:
10.20.0.8 ftspassbolt.fray.tech
Restart postfix: service postfix reload
Try that, see what happens then. The cert will likely still be a problem. But one thing at a time.
Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL
I’m using a dockerized Mailcow instance for a mail server on a separate machine. Would the above still apply?
We are talking about two different things at once, so hopefully we are not confusing things too much.
Starting with #2: what does your mail server offer?
Yes, my mail server offers both services. If I use an SMTP tool online, I can send test emails using 587, 465, and 993, which are the protocols available. I also have port 25 open but only because it has to be for the mail server to work properly. So it is definitely isolated to some setting on Passbolt, since I can’t use any of the protocols from passbolt. Is there a character limit for the password? It is a long password.
Sorry thought you were telling me to make that change on the mail server.
“Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL”
Trust me, I went through all the forum pages relating to the issue for the past week. Lol. Definitely read this and tried the things on that page. However, that was before I could get passbolt to use the passbolt.php.
In order for your mail client (passbolt in this case) to be known you need to either have:
Let’s try to get it working with 587.
Even as it is, without any changes to postfix, try these two things:
1. /etc/hosts
2. client field in passbolt SMTP settings

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'ftssmtp.fray.tech',
        'port' => '587',
        'username' => 'username',
        'password' => 'password',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        //'timeout' => 30,
        'client' => 'ftspassbolt.fray.tech',
    ],
],
Sorry it took so long for me to reply.
The /etc/postfix/mynetworks doesn’t exist, should I create it or is it expected to be there? In my main.cf there is a line for mynetworks but it contains the 172 addresses. Should I add it there?
I made the other changes, just didn’t add mynetworks, and currently still receiving the same error.
Yes, you could add the ip address there as a space-separated list item. It’s a whitelisting feature to add the ip address.
Seems that doesn’t work either. I also renewed the mail server cert, as well as the passbolt server cert. Keep receiving the same error.
Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
2023-04-28 16:28:54 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
EHLO ftspassbolt.fray.tech
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.
This is what I’m seeing on the mail server:
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: connect from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: TLS SNI ftssmtp.fray.tech from unknown[10.20.0.8] not matched, using default chain
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: SSL_accept error from unknown[10.20.0.8]: -1
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: lost connection after STARTTLS from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: disconnect from unknown[10.20.0.8] ehlo=1 starttls=0/1 commands=1/2
After some digging it looks like it’s a version mismatch. What version does passbolt use?
root@ftspassbolt:/home/passboltadmin# openssl s_client -connect ftssmtp.fray.tech:587 -CAfile /usr/share/ca-certificates/FTSrootCA.crt -tls1_3
CONNECTED(00000003)
40B732AF847F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 251 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@ftspassbolt:/home/passboltadmin#
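As an added illustration (not code from this thread, from Passbolt or from mailcow), the Python helper below maps the error strings quoted in this thread (SMTP timeout, tlsv1 alert unknown ca / alert number 48, SNI not matched, certificate verify failed, and the s_client wrong version number on 587) to their cause and the defender-side fix, and builds a verifying TLS context for a STARTTLS probe on the submission port. The sample lines are constructed from the thread; smtp_starttls_probe, build_verifying_context and the host names are assumptions.

```python
import re
import smtplib
import ssl

# Constructed sample lines, modelled on the outputs quoted in this thread.
SAMPLE_LINES = [
    "Error: SMTP timeout.",
    "warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:"
    "../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:",
    "TLS SNI ftssmtp.fray.tech from unknown[10.20.0.8] not matched, using default chain",
    "error:0A000086:SSL routines::certificate verify failed",
    "error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:",
]

# (regex, cause, fix), checked in order; first match wins.
RULES = [
    (r"alert unknown ca|alert number 48", "client does not trust the CA that signed the server certificate",
     "install the issuing root CA into the client's OpenSSL trust store (/etc/ssl/certs) and run update-ca-certificates"),
    (r"certificate verify failed", "client-side chain verification failed",
     "same fix as unknown CA: trust the issuing CA; do not disable verification"),
    (r"SNI .* not matched", "server has no certificate for the requested host name",
     "issue the mail server a certificate whose SAN contains the SMTP host name the client connects to"),
    (r"wrong version number", "raw TLS handshake on a port that expects plaintext SMTP first",
     "port 587 needs STARTTLS (openssl s_client -starttls smtp); implicit TLS only on 465"),
    (r"SMTP timeout", "no TLS/SMTP dialogue completed before the client timeout",
     "check the port/mode pairing: 465 = implicit TLS (ssl:// host), 587 = STARTTLS (tls => true)"),
]

def classify_tls_failure(line: str):
    """Return (cause, fix) for one log or trace line, or None when no rule matches."""
    for pattern, cause, fix in RULES:
        if re.search(pattern, line):
            return cause, fix
    return None

def build_verifying_context(cafile) -> ssl.SSLContext:
    """TLS context that verifies the server chain against cafile (None = system store) and checks the host name."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def smtp_starttls_probe(host, port, cafile, client_name):
    """EHLO as client_name on a submission port, upgrade with STARTTLS and verify the chain; returns the SANs."""
    with smtplib.SMTP(host, port, local_hostname=client_name, timeout=10) as s:
        s.ehlo()
        s.starttls(context=build_verifying_context(cafile))  # raises ssl.SSLError on an untrusted CA or bad name
        return s.sock.getpeercert().get("subjectAltName", ())
```

A probe such as smtp_starttls_probe("ftssmtp.fray.tech", 587, "/usr/share/ca-certificates/FTSrootCA.crt", "ftspassbolt.fray.tech") reproduces what the PHP client does, so a failure there points at the trust store or the certificate's names rather than at Passbolt.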
Ok your cert is causing a couple of things to error out.
On the passbolt side, you need to make sure the following is resolved:
On the mail server side: ftspassbolt.fray.tech from the mail server, it should show attempts to 10.20.0.8. /etc/hosts on the mail server, or you need to reload postfix after adding it there. Unknown means it has no idea what domain is supposed to go with that ip address. Your cert needs to have the right domain as well.
I use sudo dpkg-reconfigure passbolt-ce-server to configure the cert and it was saved in the user home directory. Going to the server using the browser I can see that it’s using the assigned cert and the connection is secure. The Root CA is trusted on both passbolt and mail server. Are you saying I need to copy the passbolt cert to the /etc/ssl location?
Passbolt server resolves to the correct IP on the mail server.
For passbolt side:
I believe curl is used when sending the email, and it depends on the openssl library, which is supported by the files in the /etc/ssl directory. It’s a different process than the one that NGINX uses for web serving.
For mail side:
Did you try adding the ip in the mynetworks section yet?
I did, I added the subnet 10.20.0.0/24. I can try adding the exact IP.
And the cert needs to be added to the mail server as well…same reason as with passbolt. /etc/ssl