Trouble configuring SMTP

Are you controlling your own mail server as well? Do you really serve on 465 or would you rather do 587?

Edit: for 587 (“smtpd”), the following:

The “unknown” from postfix can be resolved by:

In main.cf:

smtpd_helo_restrictions =
    permit_mynetworks

In /etc/postfix, have a file named mynetworks with the contents:

10.20.0.8 

And then in the mail server’s /etc/hosts:

10.20.0.8 ftspassbolt.fray.tech

Restart postfix: service postfix reload

Try that, see what happens then. The cert will likely still be a problem. But one thing at a time.

Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL

I’m using a dockerized Mailcow instance for a mail server on a separate machine. Would the above still apply?

We are talking about two different things at once, so hopefully we are not confusing things too much.

  1. configure passbolt mail
  2. according to your mail server’s available services

Starting with #2, what does your mail server offer?

Yes, my mail server offers both services. If I use an SMTP tool online, I can send test emails using 587, 465, and 993, which are the protocols available. I also have port 25 open, but only because it has to be for the mail server to work properly. So it is definitely isolated to some setting on Passbolt, since I can’t use any of the protocols from passbolt. Is there a character limit for the password? It is a long password.

Sorry, I thought you were telling me to make that change on the mail server.

“Also, I notice you are using mailcow - most recent solved thread is SMTP server configuration - FAILD SEND MAIL”

Trust me, I went through all the forum pages relating to the issue for the past week. Lol. I definitely read this and tried the things on that page. However, that was before I could get passbolt to use the passbolt.php.

In order for your mail client (passbolt in this case) to be known you need to either have:

  1. a publicly resolvable domain
  2. the steps above (permit_mynetworks, etc)

Let’s try to get it working with 587.

Even as it is, without any changes to postfix, try these two things:

  1. add your domain to the mail server /etc/hosts
  2. add your domain to the client field in passbolt SMTP settings

// Email configuration.
'EmailTransport' => [
    'default' => [
        'host' => 'ftssmtp.fray.tech',
        'port' => '587',
        'username' => 'username',
        'password' => 'password',
        // Is this a secure connection? true if yes, null if no.
        'tls' => true,
        //'timeout' => 30,
        'client' => 'ftspassbolt.fray.tech',
    ],
],

Sorry it took so long for me to reply.

The /etc/postfix/mynetworks file doesn’t exist; should I create it, or is it expected to be there? In my main.cf there is a line for mynetworks, but it contains the 172 addresses. Should I add it there?

I made the other changes. I just didn’t add mynetworks, and I am currently still receiving the same error.

Yes, you could add the IP address there as a space-separated list item. It’s a whitelisting feature to add the IP address.

Seems that doesn’t work either. I also renewed the mail server cert, as well as the passbolt server cert. I keep receiving the same error.


Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-28 16:28:54 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
 EHLO ftspassbolt.fray.tech
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
 STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

This is what I’m seeing on the mail server:

postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: connect from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: TLS SNI ftssmtp.fray.tech from unknown[10.20.0.8] not matched, using default chain
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: SSL_accept error from unknown[10.20.0.8]: -1
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1543:SSL alert number 48:
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: lost connection after STARTTLS from unknown[10.20.0.8]
postfix-mailcow_1 | Apr 28 12:44:50 eb2c658f1f93 postfix/submission/smtpd[6460]: disconnect from unknown[10.20.0.8] ehlo=1 starttls=0/1 commands=1/2

After some digging, it looks like it’s a version mismatch. What version does passbolt use?

root@ftspassbolt:/home/passboltadmin# openssl s_client -connect ftssmtp.fray.tech:587 -CAfile /usr/share/ca-certificates/FTSrootCA.crt -tls1_3
CONNECTED(00000003)
40B732AF847F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 251 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
root@ftspassbolt:/home/passboltadmin# 

OK, your cert is causing a couple of things to error out.

On the passbolt side, you need to make sure the following is resolved:

  1. Your cert needs to be valid from a domain standpoint (even if self-signed). Make sure you review the help site troubleshooting SSL page which talks about cert chains, etc.
  2. The cert and key which you created need to be installed to a location that the server can reference (/etc/ssl/). Then it can be verified.

On the mail server side:

  1. When you ping your ftspassbolt.fray.tech from the mail server, it should show attempts to 10.20.0.8.
  2. If it doesn’t, it’s because either it’s still not in /etc/hosts on the mail server, or you need to reload postfix after adding it there. Unknown means it has no idea what domain is supposed to go with that ip address. Your cert needs to have the right domain as well.

ref Passbolt Help | Troubleshoot SSL
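A note on the openssl probe earlier in the thread: port 587 speaks plaintext SMTP first and only switches to TLS after the STARTTLS command, so s_client has to be told `-starttls smtp`; without it the client sends a TLS ClientHello at a server that is writing a text banner, which is what the “wrong version number” and “no peer certificate available” lines mean, and the “Verify return code: 0 (ok)” printed underneath says nothing about the certificate because none was ever received. The script below is an added example, not from the thread, from passbolt or from CakePHP. It probes a submission port the way a STARTTLS mail client does (EHLO, STARTTLS, then verify with SNI set against one explicitly chosen CA file), prints which issuer actually signed the server certificate, and refuses to call a handshake that never produced a certificate “ok”. The host, port and CA path are placeholders to substitute.

```shell
#!/bin/sh
# Added example (not from the thread): probe an SMTP submission port the way a
# mail client such as passbolt does, i.e. plaintext EHLO, STARTTLS, then verify
# the server certificate against an explicitly chosen CA file with SNI set.
# Host, port and CA path passed on the command line are placeholders.

# Run the STARTTLS handshake and emit the full s_client transcript on stdout.
# -starttls smtp : speak plaintext SMTP first, then upgrade (what port 587 expects)
# -servername    : send SNI so the server picks the matching certificate chain
# -CAfile        : verify against this bundle only, not whatever the OS defaults to
probe_starttls() {
  host=$1; port=$2; cafile=$3
  openssl s_client -starttls smtp -connect "$host:$port" \
    -servername "$host" -CAfile "$cafile" </dev/null 2>&1
}

# Print subject and issuer of the certificate the server presented (read from
# the s_client transcript on stdin); the issuer is the CA the client must trust.
peer_cert_summary() {
  openssl x509 -noout -subject -issuer 2>/dev/null
}

# Reduce an s_client transcript (on stdin) to a one-line verdict.
# "Verify return code: 0 (ok)" is only meaningful when a certificate was
# actually received; s_client prints it even when the handshake never got that
# far, so that case is reported as inconclusive rather than ok.
verdict() {
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -q '^no peer certificate available'; then
    echo "inconclusive: no certificate received (TLS never started; wrong port or missing -starttls?)"
    return 0
  fi
  code=$(printf '%s\n' "$transcript" \
    | sed -n 's/^Verify return code: \([0-9][0-9]*\) (\(.*\))$/\1 \2/p' | head -n 1)
  case "$code" in
    "0 ok") echo "ok: certificate chain verified against the supplied CA file" ;;
    "")     echo "inconclusive: transcript has no verify result" ;;
    *)      echo "fail: $code" ;;
  esac
}

# Usage: sh probe.sh mail.example.test 587 /etc/ssl/certs/ca-certificates.crt
# Nothing runs without arguments, so the functions can be sourced and reused.
if [ "$#" -eq 3 ]; then
  out=$(probe_starttls "$1" "$2" "$3")
  printf '%s\n' "$out" | peer_cert_summary
  printf '%s\n' "$out" | verdict
fi
```

Read together with the mail server log in this thread: Postfix reporting “tlsv1 alert unknown ca … SSL alert number 48” means smtpd received an unknown_ca alert from the client, i.e. the client could not find the issuer of the server certificate in the bundle it verifies against. That points at the bundle on the passbolt host, which is exactly what running this probe with `-CAfile` set to the private root and then to the OS bundle distinguishes.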

I used sudo dpkg-reconfigure passbolt-ce-server to configure the cert, and it was saved in the user home directory. Going to the server using the browser, I can see that it’s using the assigned cert and the connection is secure. The Root CA is trusted on both passbolt and the mail server. Are you saying I need to copy the passbolt cert to the /etc/ssl location?

Passbolt server resolves to the correct IP on the mail server.

For passbolt side:
I believe curl is used when sending the email, and it depends on the openssl library, which is supported by the files in the /etc/ssl directory. It’s a different process than the one that NGINX uses for web serving.

For mail side:
Did you try adding the ip in the mynetworks section yet?

I did; I added the subnet 10.20.0.0/24. I can try adding the exact IP.

And the cert needs to be added to the mail server as well, for the same reason as with passbolt: /etc/ssl

Yeah, certs are in both places. Not sure what’s wrong, and it’s only passbolt having an issue.

Going to reinstall the OS and reinstall Passbolt.

So I’ve reinstalled the OS and passbolt and continue to get the same issue. But I’m certain it’s a passbolt configuration issue. I installed swaks just to see if I could email from the same machine, and here is the output for both.

root@ftspassbolt:/etc/passbolt# swaks --to frayr@fray.tech --from svc-passbolt@fray.tech --server ftssmtp.fray.tech --port 587 --auth LOGIN --auth-user svc-passbolt@fray.tech --auth-password 'password' --tls --tls-verify
=== Trying ftssmtp.fray.tech:587...
=== Connected to ftssmtp.fray.tech.
<-  220 ftssmtp.fray.tech ESMTP Postcow
 -> EHLO ftspassbolt
<-  250-ftssmtp.fray.tech
<-  250-PIPELINING
<-  250-SIZE 104857600
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=New Jersey/L=Orange/O=Fray Tech Solutions/OU=Tech Infra/CN=ftssmtp.fray.tech/emailAddress=mailcow@fray.tech"
 ~> EHLO ftspassbolt
<~  250-ftssmtp.fray.tech
<~  250-PIPELINING
<~  250-SIZE 104857600
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN
<~  250-AUTH=PLAIN LOGIN
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250 CHUNKING
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> c3ZjLXBhc3Nib2x0QGZyYXkudGVjaA==
<~  334 UGFzc3dvcmQ6
 ~> IyxFbHBpTmcsNzI=
<~  235 2.7.0 Authentication successful
 ~> MAIL FROM:<svc-passbolt@fray.tech>
<~  250 2.1.0 Ok
 ~> RCPT TO:<frayr@fray.tech>
<~  250 2.1.5 Ok
 ~> DATA
<~  354 End data with <CR><LF>.<CR><LF>
 ~> Date: Sat, 29 Apr 2023 00:52:48 -0400
 ~> To: frayr@fray.tech
 ~> From: svc-passbolt@fray.tech
 ~> Subject: test Sat, 29 Apr 2023 00:52:48 -0400
 ~> Message-Id: <20230429005248.003627@ftspassbolt>
 ~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> 
 ~> .
<~  250 2.0.0 Ok: queued as 8FEE43C932E
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
root@ftspassbolt:/etc/passbolt# sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=frayr@fray.tech"
     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Debug email shell
-------------------------------------------------------------------------------
Email configuration
-------------------------------------------------------------------------------
Host: ftssmtp.fray.tech
Port: 587
Username: svc-passbolt@fray.tech
Password: *********
TLS: true
Sending email from: Passbolt Admin <svc-passbolt@fray.tech>
Sending email to: frayr@fray.tech
-------------------------------------------------------------------------------
Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-29 04:53:44 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
 EHLO 10.20.0.8
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
 STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

Update

I was able to get this working by changing which file cakephp uses for verification, by editing the following line in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php

if (empty($this->_config['context']['ssl']['cafile'])) {
    $this->_config['context']['ssl']['cafile'] = CaBundle::getBundledCaBundlePath();

with this

if (empty($this->_config['context']['ssl']['cafile'])) {
    $this->_config['context']['ssl']['cafile'] = '/etc/ssl/certs/ca-certificates.crt';

Looks like whatever bundle it was grabbing didn’t include the CAs that were trusted by the OS truststore.

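The Update fixes the symptom by patching a vendored file, and the last line of that post names the cause: CaBundle::getBundledCaBundlePath() returns the Mozilla root bundle shipped with the composer/ca-bundle package, which never contains a private CA, whereas /etc/ssl/certs/ca-certificates.crt is the OS trust store that update-ca-certificates rebuilds from the certificates dropped into /usr/local/share/ca-certificates. Before patching anything, it is worth confirming that the private root really is inside whichever bundle the mail transport ends up reading. The script below is an added example, not from the thread, from passbolt or from CakePHP: it counts the certificates in a bundle, checks whether a given CA certificate appears in it verbatim (the OS bundle is a plain concatenation of PEM blocks, so no ASN.1 parsing is needed), and prints where the OpenSSL library and PHP’s OpenSSL extension look by default. The CA and bundle paths on the command line are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a private root CA is
# actually present in the bundle a TLS client will verify against, and show
# the default trust locations so they can be compared with the configured
# cafile. Paths passed on the command line are placeholders.

# Print the base64 body of every certificate in a PEM file, one per line, so
# two PEM files can be compared without parsing ASN.1 or needing openssl.
pem_bodies() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
    /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
    inside                        { body = body $0 }
  ' "$1"
}

# Number of certificates in a bundle (0 for a missing or empty file).
count_certs() {
  [ -r "$1" ] || { echo 0; return 0; }
  pem_bodies "$1" | grep -c . || true
}

# Exit 0 if the first certificate in CA_FILE appears verbatim in BUNDLE.
bundle_contains_ca() {
  ca_file=$1; bundle=$2
  want=$(pem_bodies "$ca_file" | head -n 1)
  [ -n "$want" ] || return 1
  pem_bodies "$bundle" | grep -qxF -- "$want"
}

# Show where the OpenSSL library (and PHP's OpenSSL extension, when php is
# installed) look for CAs by default. A transport that sets its own cafile,
# as the CakePHP socket does, ignores these unless it is pointed at them.
show_default_trust_paths() {
  openssl version -d 2>/dev/null
  if command -v php >/dev/null 2>&1; then
    php -r 'print_r(openssl_get_cert_locations());'
  fi
  return 0
}

# Usage: sh cacheck.sh /usr/local/share/ca-certificates/PrivateRootCA.crt /etc/ssl/certs/ca-certificates.crt
# Nothing runs without arguments, so the functions can be sourced and reused.
if [ "$#" -eq 2 ]; then
  show_default_trust_paths
  echo "certificates in $2: $(count_certs "$2")"
  if bundle_contains_ca "$1" "$2"; then
    echo "present: $1 is in $2"
  else
    echo "missing: $1 is not in $2 (run update-ca-certificates, or point ssl_cafile at a bundle that has it)"
  fi
fi
```

Run it once against the composer bundle the vendored code used and once against /etc/ssl/certs/ca-certificates.crt: the private root should be missing from the first and present in the second, which is the whole difference the Update made. Setting the transport’s cafile in the passbolt configuration, rather than editing Socket.php, keeps that choice from being overwritten on the next update.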

Somewhere I think I saw environment fields that could stand in for that change, so that it won’t get overwritten on updates to the source. I will look.

Yes here it is Passbolt SMTP TLS Problems - #10 by secresearch-rg

This hasn’t happened enough for me to remember. Can you confirm this will also work for you?

That didn’t work for me. I tried that before as well. Changing Socket.php was the only thing that worked for me.
Actually, this is what I tried…

'tls_ca' => '/usr/share/ca-certificates/FTSrootCA.crt',
'cafile' => '/usr/share/ca-certificates/FTSrootCA.crt',

So it is possible I need to use what is recommended in the link you posted.

'ssl_cafile' => '/usr/local/share/ca-certificates/CustomCA.crt',