Magento2: Unable to log into Admin after clean install (without SMTP)

Created on 29 Jul 2020  ·  15 Comments  ·  Source: magento/magento2

Preconditions (*)

  1. Apache 2.4
  2. PHP 7.4
  3. MySQL 8
  4. Elasticsearch 7
  5. Magento 2.4.0

Steps to reproduce (*)

  1. Clean install of Magento 2.4 (via composer)
  2. Creation of admin account via CLI (part of setup:install command)

Expected result (*)

  1. Logging into Magento 2.4 for the first time allows immediate Google 2FA setup

Actual result (*)

  1. Logging into Admin for the first time presents a warning "Failed to send the message. Please contact the administrator. You need to configure Two-Factor Authorization in order to proceed to your store's admin area An E-mail was sent to you with further instructions". An email is required to complete 2FA. Without an SMTP enabled server, there is no way of retrieving the link to complete 2FA.

Failed without SMTP enabled


Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

  • [ ] Severity: S0 _- Affects critical data or functionality and leaves users without workaround._
  • [x] Severity: S1 _- Affects critical data or functionality and forces users to employ a workaround._
  • [ ] Severity: S2 _- Affects non-critical data or functionality and forces users to employ a workaround._
  • [ ] Severity: S3 _- Affects non-critical data or functionality and does not force users to employ a workaround._
  • [ ] Severity: S4 _- Affects aesthetics, professional look and feel, “quality” or “usability”._

If an SMTP enabled server is required to send a 2FA link to allow for an Admin to complete a first time login, then I feel this should be added as a prerequisite.

However, if there is a way to get to the 2FA QR page without the need to receive an email then this should be documented more clearly.

I am aware of the Two-Factor Authentication (MFTF) documentation, which states that you could bypass this by creating a "Base32-encoded string for the shared secret value" and then "Use the following key to add the encoded value to the MFTF .credentials file."

However, the documentation doesn't provide enough details on the requirements to do this. It also insinuates that this procedure is preferable for a Testing environment and not Development/Production.

If it turns out that these MFTF steps are considered "safe" to complete in a Development/Production environment then it would definitely improve QoL if these variables could be set through the bin/magento setup:install values as stated in the Install the Magento software Documentation.

ready for confirmation Reported on 2.4.0

All 15 comments

It's not directly related as this issue talks that smtp should be a documented requirement but current workaround for dev environments (that don't need to have smtp set up) is simply to disable 2fa

bin/magento mo:di Magento_TwoFactorAuth

But at some point, 2FA needs to be enabled during Development/Production. And there is probably an argument that states "well, surely in a Development/Production environment you would have an SMTP enabled server." But speaking from experience, myself and many others use 3rd party SMTP providers, which are normally configured in the Admin Backend. It just seems like a really overlooked part of the installation/setup process. What's the point of enforcing 2FA on installation to only immediately disable it?

I'd simply prefer a simple CLI config:set command to generate the same URL that gets sent in the Email. Or even better, have the URL output with the Admin Backend URL notification that you see on successful install.

Post installation file permissions check...
For security, remove write permissions from these directories: '/var/www/html/magento2/app/etc'
[Progress: 274 / 274]
[SUCCESS]: Magento installation complete.
[SUCCESS]: Admin Panel URI: /admin_puu71q
[SUCCESS]: Complete Admin 2FA URI: http://example.com/tfa/example...

I'm trying not to sound negative and whiny, but this lack of clarity is frustrating.

Hi, I'm at exactly the same point ... same error, same step ... I will try another solution

Hi,
What is another solution?

What a nightmare. Same issue here. This is the first time I encountered a 2fa setup situation that requires email. Usually you log into admin, enable 2fa and then set up the token logged into admin.

In case anyone needs a temporary workaround to get this working without having SMTP set up:

  1. navigate to /admin and log in
  2. you should see the 2FA screen now
  3. add var_dump($url);die; on line 86 in vendor/magento/module-two-factor-auth/Model/EmailUserNotifier.php
  4. refresh /admin
  5. copy the URL that is displayed
  6. remove the var_dump
  7. use the URL copied earlier to navigate to the 2FA setup

A great Magento MX developer has created a module to disable double authentication.
This is the repo: Module_EnableDisableTFA.
You can also install it with Composer:

composer require wolfsellers/module-enabledisabletfa

by @Rus0

Temporary solution to kick start your development, just disable Magento_TwoFactorAuth module. It worked for me.

bin/magento module:disable Magento_TwoFactorAuth
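
Both workarounds above (the temporary var_dump in EmailUserNotifier.php and disabling Magento_TwoFactorAuth) are easy to leave in place once login works. The audit script below is an added example, not part of the original thread or of Magento; the function names are hypothetical, and it assumes module state is recorded as 'Module_Name' => 0 or 1 in app/etc/config.php.

```bash
#!/usr/bin/env bash
# Added example: look for leftovers of the two workarounds in a Magento root.
# File paths come from the thread; the function names are hypothetical.

# Succeed (finding) if app/etc/config.php lists Magento_TwoFactorAuth with value 0.
tfa_module_disabled() {
    local cfg="$1/app/etc/config.php"
    [ -r "$cfg" ] &&
        grep -Eq "'Magento_TwoFactorAuth'[[:space:]]*=>[[:space:]]*0" "$cfg"
}

# Succeed (finding) if a live var_dump( call remains in EmailUserNotifier.php.
notifier_debug_left() {
    local f="$1/vendor/magento/module-two-factor-auth/Model/EmailUserNotifier.php"
    [ -r "$f" ] || return 1
    # Drop comment lines first so a commented-out call is not reported.
    grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$f" | grep -Eq 'var_dump[[:space:]]*\('
}

# Print one line per finding and return the number of findings (0 = clean).
audit_magento_root() {
    local root="$1" findings=0
    if tfa_module_disabled "$root"; then
        echo "FINDING: Magento_TwoFactorAuth is disabled in app/etc/config.php"
        findings=$((findings + 1))
    fi
    if notifier_debug_left "$root"; then
        echo "FINDING: var_dump() left in Model/EmailUserNotifier.php"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Run the audit when a Magento root is given on the command line.
if [ $# -gt 0 ]; then
    audit_magento_root "$1"
fi
```

Pass the Magento root as the only argument, for example /var/www/html/magento2; the exit status is the number of findings.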

Great security feature added for the administration login section of Magento; however, I have also run into another weird issue that personally has stopped me from being able to set up 2FA on a fresh install. My issue is that Magento does not use the domain name set for the outgoing email when sending the email to set up 2FA on a fresh install; instead it sends the email from [email protected]. I know normally that might not be a big issue, but when sending emails from a server on a more security-conscious Enterprise network, that email may never actually reach the intended target because of the email domain of @example.com.

I have now disabled the Magento_TwoFactorAuth module as described above and have managed to login to the admin interface but I am now in the process of figuring out how to reenable/set up 2FA.

Did you get it to work?

I see the same problem. I cannot get 2FA to work, since the mail is sent from [email protected]
Since I'm working with a more secure mailserver, I cannot send mails from the example.com domain.
I suggest adding a parameter during installation to set the owner's e-mail address.

Speechless @magento-admin ...

Same issue with me while following Installation quick reference (tutorial) from Magento

for now I have disabled module (until I setup SMTP), as suggested by @speedupmate
bin/magento mo:di Magento_TwoFactorAuth

Dropping this here for anyone having trouble configuring their mail in order to activate the 2FA.
To clarify, you do this on your Magento2 host, not your mail server.
Once finished just log out of Magento2 WebUI, then log back, you should receive the email.
Be sure to replace all occurrences of YourDomain.com with your domain name.

===============================================================================
configure postfix to be able to send mail
===============================================================================
sudo apt install -y mailutils
  (after this first line, sudo is active, can paste entire block below)
echo "${HOSTNAME}.YourDomain.com" | sudo tee /etc/mailname
echo "/.+/ [email protected]" | sudo tee /etc/postfix/sender_canonical
echo "/.+/ [email protected]" | sudo tee /etc/postfix/recipient_canonical
#echo "/.*root.*/ [email protected]" | sudo tee --append /etc/postfix/recipient_canonical
#echo "/.*user2.*/ [email protected]" | sudo tee --append /etc/postfix/recipient_canonical
echo "myhostname = ${HOSTNAME}.YourDomain.com" | sudo tee /etc/postfix/main.cf
echo "mydestination = localhost.YourDomain.com, localhost, ${HOSTNAME}" | sudo tee --append /etc/postfix/main.cf
echo "masquerade_domains = YourDomain.com" | sudo tee --append /etc/postfix/main.cf
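# Single quotes: $myhostname and $mail_name must reach main.cf literally so Postfix (not the shell) expands them.
echo 'smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)' | sudo tee --append /etc/postfix/main.cf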
echo "sender_canonical_maps = regexp:/etc/postfix/sender_canonical" | sudo tee --append /etc/postfix/main.cf
echo "recipient_canonical_maps = regexp:/etc/postfix/recipient_canonical" | sudo tee --append /etc/postfix/main.cf
echo "biff = no" | sudo tee --append /etc/postfix/main.cf
echo "append_dot_mydomain = no" | sudo tee --append /etc/postfix/main.cf
echo "alias_maps = hash:/etc/aliases" | sudo tee --append /etc/postfix/main.cf
echo "alias_database = hash:/etc/aliases" | sudo tee --append /etc/postfix/main.cf
echo "relayhost =" | sudo tee --append /etc/postfix/main.cf
echo "mynetworks = 127.0.0.0/8" | sudo tee --append /etc/postfix/main.cf
echo "inet_interfaces = loopback-only" | sudo tee --append /etc/postfix/main.cf
echo "recipient_delimiter = +" | sudo tee --append /etc/postfix/main.cf
echo "compatibility_level = 2" | sudo tee --append /etc/postfix/main.cf
echo "myorigin = /etc/mailname" | sudo tee --append /etc/postfix/main.cf
echo "mailbox_size_limit = 0" | sudo tee --append /etc/postfix/main.cf
echo "inet_protocols = ipv4" | sudo tee --append /etc/postfix/main.cf
sudo postmap /etc/postfix/recipient_canonical
sudo postmap /etc/postfix/sender_canonical
sudo systemctl restart postfix
echo "${HOSTNAME} postfix test" | sudo mail -s "${HOSTNAME} Testing postfix configuration" [email protected]
sudo rm -rf /var/mail/root
sleep 1 && sudo postqueue -p




  if it broke, read the error then delete it:
sudo postsuper -d ALL

sudo cat /etc/hosts

In the above block you will see two lines commented out, they are relevant to what is discussed below:
-------------------------------------------
The Regex in /etc/postfix/recipient_canonical can be adjusted
This line takes any and all destinations and changes them to go to [email protected],
mail delivery is guaranteed to work but you cannot send mail to other recipients
Perfectly Fine for Standalone services that ONLY need to mail one address.
-------------------------------------------
/.+/ [email protected]

-------------------------------------------
It can be customized to only catch certain recipients such as root, etc:
-------------------------------------------
/.*root.*/ [email protected]

For Magento2, you can just comment out the line for recipient_canonical_maps in your /etc/postfix/main.cf after you have 2FA configured.
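
The closing advice, to switch off recipient_canonical_maps once 2FA is configured, can be checked mechanically. This added example (not from the original comment or from Postfix; the function names are hypothetical) reports when main.cf still points at a regexp table containing a rule that matches every recipient, which would keep redirecting all outgoing mail to one mailbox.

```bash
#!/usr/bin/env bash
# Added example: detect a catch-all recipient rewrite left active in Postfix.
# Function names are hypothetical; file locations follow the comment above.

# Print the regexp: table path that recipient_canonical_maps points to in main.cf
# (last uncommented setting wins); print nothing if unset or commented out.
active_recipient_map() {
    sed -n 's/^recipient_canonical_maps[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | tr ', ' '\n\n' | sed -n 's/^regexp://p' | head -n 1
}

# Succeed if the table has an uncommented rule whose pattern matches every address,
# such as /.+/ or /^.*$/ ; a narrower rule like /.*root.*/ does not count.
has_catch_all_rule() {
    grep -Eq '^/(\^)?\.[+*](\$)?/[[:space:]]+[^[:space:]]' "$1"
}

# Return 0 when every recipient is being rewritten to one address, 1 otherwise.
catch_all_rewrite_active() {
    local map
    map=$(active_recipient_map "$1")
    [ -n "$map" ] && [ -r "$map" ] && has_catch_all_rule "$map"
}

# Run the check when a main.cf path is given on the command line.
if [ $# -gt 0 ]; then
    if catch_all_rewrite_active "$1"; then
        echo "FINDING: all recipients are rewritten via $(active_recipient_map "$1")"
    else
        echo "OK: no catch-all recipient_canonical_maps rule is active"
    fi
fi
```

Pass the path to main.cf (here /etc/postfix/main.cf) as the only argument.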