Trouble configuring SMTP

OK, your cert is causing a couple of things to error out.

On the passbolt side, you need to make sure the following is resolved:

  1. Your cert needs to be valid from a domain standpoint (even if self-signed). Make sure you review the help site troubleshooting SSL page which talks about cert chains, etc.
  2. The cert and key which you created need to be installed to a location that the server can reference (/etc/ssl/). Then it can be verified.

On the mail server side:

  1. When you ping your ftspassbolt.fray.tech from the mail server, it should show attempts to 10.20.0.8.
  2. If it doesn’t, it’s because either it’s still not in /etc/hosts on the mail server, or you need to reload postfix after adding it there. Unknown means it has no idea what domain is supposed to go with that ip address. Your cert needs to have the right domain as well.

ref Passbolt Help | Troubleshoot SSL

I used sudo dpkg-reconfigure passbolt-ce-server to configure the cert, and it was saved in the user home directory. Going to the server using the browser, I can see that it's using the assigned cert and the connection is secure. The Root CA is trusted on both the passbolt and mail server. Are you saying I need to copy the passbolt cert to the /etc/ssl location?

Passbolt server resolves to the correct IP on the mail server.

For passbolt side:
I believe curl is used when sending the email, and it depends on the openssl library, which is supported by the files in the /etc/ssl directory. It’s a different process than the one that NGINX uses for web serving.

For mail side:
Did you try adding the ip in the mynetworks section yet?

I did. I added the subnet 10.20.0.0/24. I can try adding the exact IP.

And the cert needs to be added to the mail server as well, for the same reason as with passbolt: /etc/ssl.

Yeah, certs are in both places. Not sure what's wrong, and it's only passbolt having an issue.

Going to reinstall the OS and reinstall Passbolt.

So I've reinstalled the OS and passbolt and continue to get the same issue. But I'm certain it's a passbolt configuration issue. I installed swaks just to see if I could email from the same machine, and here is the output for both.

root@ftspassbolt:/etc/passbolt# swaks --to frayr@fray.tech --from svc-passbolt@fray.tech --server ftssmtp.fray.tech --port 587 --auth LOGIN --auth-user svc-passbolt@fray.tech --auth-password 'password' --tls --tls-verify
=== Trying ftssmtp.fray.tech:587...
=== Connected to ftssmtp.fray.tech.
<-  220 ftssmtp.fray.tech ESMTP Postcow
 -> EHLO ftspassbolt
<-  250-ftssmtp.fray.tech
<-  250-PIPELINING
<-  250-SIZE 104857600
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.3:TLS_AES_256_GCM_SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/C=US/ST=New Jersey/L=Orange/O=Fray Tech Solutions/OU=Tech Infra/CN=ftssmtp.fray.tech/emailAddress=mailcow@fray.tech"
 ~> EHLO ftspassbolt
<~  250-ftssmtp.fray.tech
<~  250-PIPELINING
<~  250-SIZE 104857600
<~  250-ETRN
<~  250-AUTH PLAIN LOGIN
<~  250-AUTH=PLAIN LOGIN
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250 CHUNKING
 ~> AUTH LOGIN
<~  334 VXNlcm5hbWU6
 ~> c3ZjLXBhc3Nib2x0QGZyYXkudGVjaA==
<~  334 UGFzc3dvcmQ6
 ~> IyxFbHBpTmcsNzI=
<~  235 2.7.0 Authentication successful
 ~> MAIL FROM:<svc-passbolt@fray.tech>
<~  250 2.1.0 Ok
 ~> RCPT TO:<frayr@fray.tech>
<~  250 2.1.5 Ok
 ~> DATA
<~  354 End data with <CR><LF>.<CR><LF>
 ~> Date: Sat, 29 Apr 2023 00:52:48 -0400
 ~> To: frayr@fray.tech
 ~> From: svc-passbolt@fray.tech
 ~> Subject: test Sat, 29 Apr 2023 00:52:48 -0400
 ~> Message-Id: <20230429005248.003627@ftspassbolt>
 ~> X-Mailer: swaks v20201014.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> 
 ~> .
<~  250 2.0.0 Ok: queued as 8FEE43C932E
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
root@ftspassbolt:/etc/passbolt# sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake passbolt send_test_email --recipient=frayr@fray.tech"
     ____                  __          ____  
    / __ \____  _____ ____/ /_  ____  / / /_ 
   / /_/ / __ `/ ___/ ___/ __ \/ __ \/ / __/ 
  / ____/ /_/ (__  |__  ) /_/ / /_/ / / /    
 /_/    \__,_/____/____/_.___/\____/_/\__/   

 Open source password manager for teams
-------------------------------------------------------------------------------
 Debug email shell
-------------------------------------------------------------------------------
Email configuration
-------------------------------------------------------------------------------
Host: ftssmtp.fray.tech
Port: 587
Username: svc-passbolt@fray.tech
Password: *********
TLS: true
Sending email from: Passbolt Admin <svc-passbolt@fray.tech>
Sending email to: frayr@fray.tech
-------------------------------------------------------------------------------
Warning Error: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed
In [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]

2023-04-29 04:53:44 warning: Warning (2): stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages:
error:0A000086:SSL routines::certificate verify failed in [/usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php, line 489]
Trace
[220] ftssmtp.fray.tech ESMTP Postcow
 EHLO 10.20.0.8
[250] ftssmtp.fray.tech
[250] PIPELINING
[250] SIZE 104857600
[250] ETRN
[250] STARTTLS
[250] ENHANCEDSTATUSCODES
[250] 8BITMIME
[250] DSN
[250] CHUNKING
 STARTTLS
[220] 2.0.0 Ready to start TLS
Could not send the test email.
Error: SMTP server did not accept the connection or trying to connect to non TLS SMTP server using TLS.

Update

I was able to get this working by changing which file CakePHP uses for verification, editing the following lines in /usr/share/php/passbolt/vendor/cakephp/cakephp/src/Network/Socket.php:

if (empty($this->_config['context']['ssl']['cafile'])) {
    $this->_config['context']['ssl']['cafile'] = CaBundle::getBundledCaBundlePath();
}

with this

if (empty($this->_config['context']['ssl']['cafile'])) {
    $this->_config['context']['ssl']['cafile'] = '/etc/ssl/certs/ca-certificates.crt';
}

Looks like whatever bundle it was grabbing didn't include the CAs that were trusted by the OS trust store.

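The fix above works because CakePHP's Socket::enableCrypto() ultimately calls PHP's stream_socket_enable_crypto() with whatever 'cafile' is in the ssl stream context, and the Composer-bundled CA file does not contain a private root CA. The script below is an added diagnostic, not passbolt's or CakePHP's code: it performs the same clear-text EHLO / STARTTLS exchange and then the same stream_socket_enable_crypto() call, once per candidate CA bundle, so you can see which bundle actually validates the mail server's certificate before touching any vendor file. The hostname and port are taken from the thread; the bundle paths, timeouts and the function names are assumptions for this example.

```php
<?php
// Added example, not part of passbolt or CakePHP: reproduce the STARTTLS
// upgrade that CakePHP's Socket performs, with the CA bundle chosen
// explicitly, and report which bundle verifies the SMTP server's cert.
declare(strict_types=1);

const SMTP_HOST = 'ftssmtp.fray.tech';   // host from the thread
const SMTP_PORT = 587;

// Candidate trust stores (paths are assumptions for this example):
// the OS bundle, which update-ca-certificates rebuilds from
// /usr/local/share/ca-certificates/*.crt, and a private root on its own.
const CA_BUNDLES = [
    'os-bundle'  => '/etc/ssl/certs/ca-certificates.crt',
    'private-ca' => '/usr/local/share/ca-certificates/CustomCA.crt',
];

/** Read one SMTP reply, including 250- continuation lines; return [code, lines]. */
function smtpReply($sock): array
{
    $lines = [];
    while (($line = fgets($sock, 1024)) !== false) {
        $lines[] = rtrim($line, "\r\n");
        if (strlen($line) < 4 || $line[3] === ' ') {   // "250 " ends the reply
            break;
        }
    }
    return [(int) substr($lines[0] ?? '000', 0, 3), $lines];
}

function smtpSend($sock, string $cmd): array
{
    fwrite($sock, $cmd . "\r\n");
    return smtpReply($sock);
}

/**
 * Connect in clear text, upgrade with STARTTLS, verify the peer against
 * $cafile with hostname checking on. Returns [bool ok, string detail].
 */
function checkStartTls(string $host, int $port, string $cafile): array
{
    $ctx = stream_context_create(['ssl' => [
        'verify_peer'       => true,
        'verify_peer_name'  => true,
        'allow_self_signed' => false,
        'cafile'            => $cafile,
        'peer_name'         => $host,   // the CN/SAN the cert must carry
        'capture_peer_cert' => true,
    ]]);
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10,
        STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        return [false, "connect failed: $errstr ($errno)"];
    }
    [$code] = smtpReply($sock);
    if ($code !== 220) { fclose($sock); return [false, "unexpected banner code $code"]; }
    [$code] = smtpSend($sock, 'EHLO ' . gethostname());
    if ($code !== 250) { fclose($sock); return [false, "EHLO rejected: $code"]; }
    [$code] = smtpSend($sock, 'STARTTLS');
    if ($code !== 220) { fclose($sock); return [false, "STARTTLS rejected: $code"]; }

    // This is the call that fails in the thread with
    // "error:0A000086:SSL routines::certificate verify failed".
    $ok = @stream_socket_enable_crypto($sock, true, STREAM_CRYPTO_METHOD_TLS_CLIENT);
    if ($ok !== true) {
        $err = error_get_last()['message'] ?? 'unknown error';
        fclose($sock);
        return [false, "TLS failed with $cafile: $err"];
    }
    $params = stream_context_get_params($sock);
    $peer = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
    smtpSend($sock, 'QUIT');
    fclose($sock);
    return [true, 'verified peer CN=' . ($peer['subject']['CN'] ?? '?')];
}

foreach (CA_BUNDLES as $name => $path) {
    if (!is_readable($path)) {
        printf("%-10s skip: %s not readable\n", $name, $path);
        continue;
    }
    [$ok, $detail] = checkStartTls(SMTP_HOST, SMTP_PORT, $path);
    printf("%-10s %s  %s\n", $name, $ok ? 'OK  ' : 'FAIL', $detail);
}
```

Run it as the same user passbolt's cron and web process use (www-data) so file permissions on the bundle are part of the test. If the private CA verifies on its own but the OS bundle does not, update-ca-certificates has not been run since the root was copied into /usr/local/share/ca-certificates/. As I understand CakePHP's Socket, it copies ssl_-prefixed transport options into the ssl stream context before falling back to the Composer bundle, which is why a 'ssl_cafile' key in the transport config reaches the same code path the Socket.php edit above hard-codes, without patching a vendor file that an upgrade will overwrite.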

Somewhere I think I saw environment fields that could stand in for that change; that way it won't get overwritten on updates to the source. I will look.

Yes, here it is: Passbolt SMTP TLS Problems - #10 by secresearch-rg

This hasn’t happened enough for me to remember. Can you confirm this will also work for you?

That didn't work for me. I tried that before as well. Changing Socket.php was the only thing that worked for me.
Actually, this is what I tried…

'tls_ca' => '/usr/share/ca-certificates/FTSrootCA.crt',
'cafile' => '/usr/share/ca-certificates/FTSrootCA.crt',

So it is possible I need to use what is recommended in the link you posted.

'ssl_cafile' => '/usr/local/share/ca-certificates/CustomCA.crt',

Maybe there is a settings/config cache that also needs to be cleared.

Maybe with: sudo -H -u www-data bash -c "/usr/share/php/passbolt/bin/cake cache clear_all"

I'll revisit if it breaks after an upgrade. For now, it's working; I don't want to risk messing something else up.

Thanks for all your help. Now I can move on to leveraging the API with PowerShell.
