Hi, it appears that Bitwarden is not correctly authenticating to my SMTP server. The output from Postfix when Bitwarden tries to send an email looks something like
Sep 26 03:11:00 mail postfix/submission/smtpd[23604]: connect from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX]
Sep 26 03:11:01 mail postfix/submission/smtpd[23604]: NOQUEUE: reject: RCPT from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX]: 554 5.7.1 <[email protected]>: Recipient address rejected: Access denied; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<bitwarden.example.com>
Sep 26 03:11:01 mail postfix/submission/smtpd[23604]: lost connection after RCPT from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX]
Sep 26 03:11:01 mail postfix/submission/smtpd[23604]: disconnect from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX] ehlo=2 starttls=1 mail=1 rcpt=0/1 commands=4/5
However, I can successfully send email with the same credentials and SSL settings from Thunderbird, with the Postfix log:
Sep 26 03:01:23 mail postfix/submission/smtpd[23449]: connect from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX]
Sep 26 03:01:40 mail postfix/submission/smtpd[23449]: 61063A35AD: client=c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=bitwarden
Sep 26 03:01:40 mail postfix/cleanup[23455]: 61063A35AD: message-id=<[email protected]>
Sep 26 03:01:40 mail postfix/qmgr[1291]: 61063A35AD: from=<[email protected]>, size=788, nrcpt=1 (queue active)
Sep 26 03:01:40 mail postfix/submission/smtpd[23449]: disconnect from c-XXX-XXX-XXX-XXX.hsd1.in.comcast.net[XXX.XXX.XXX.XXX] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Notice, the essential difference is the sasl_method=PLAIN and sasl_username=bitwarden, as well as the auth=1 indicating that the connection was successfully authenticated. Is there some configuration flag I need to turn on to have Bitwarden attempt to login?
P.S. Obviously I have sanitized those log outputs a bit.
Does the authType setting solve this? https://github.com/bitwarden/core/issues/355
It doesn't appear to -- I've tried authType=PLAIN and authType=LOGIN, but no luck.
My mail server is set up not to advertise authentication being available until after STARTTLS has succeeded (to prevent passwords accidentally being sent plaintext) — is it possible that the SMTP library decides whether to do authentication before acquiring a secure channel?
It seems starttls is supported: https://docs.microsoft.com/en-us/dotnet/api/system.net.mail.smtpclient.enablessl?view=netframework-4.7.2#remarks
Hmm, then that doesn't seem to be the problem -- the STARTTLS is happening successfully. However, SmtpClient doesn't appear to be attempting authentication at all...
Is there anything else I can do to try to debug this?
I might have the same issue.
As mail server I use Mailu.
global.override.env:
globalSettings__mail__replyToEmail=noreply@MY_DOMAIN.TLD
globalSettings__mail__smtp__host=FQDN.MY_DOMAIN.TLD
globalSettings__mail__smtp__username=noreply@MY_DOMAIN.TLD
globalSettings__mail__smtp__password=MY_PASSWORD
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__useDefaultCredentials=false
globalSettings__mail__smtp__authType=PLAIN
Bitwarden log:
2018-10-19 17:59:08.001 +00:00 [Error] Mail send failed.
System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Authentication required
at System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode, String response)
at System.Net.Mail.MailCommand.EndSend(IAsyncResult result)
at System.Net.Mail.SendMailAsyncResult.SendMailFromCompleted(IAsyncResult result)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Mail.SendMailAsyncResult.End(IAsyncResult result)
at System.Net.Mail.SmtpClient.SendMailCallback(IAsyncResult result)
Mailu log:
2018/10/19 18:05:57 [info] 9#9: *1007 client was rejected: "MAIL FROM:<noreply@MY_DOMAIN.TLD>__" while in auth state, client: MY_IP using starttls, server: 0.0.0.0:587
I have a similar setup and I'm also getting exactly the same errors in the logs. I've been back and forth for a day now trying different options and the best I've gotten is that when I use globalSettings_mail_smtp_authType=LOGIN I get somethingthat looks a bit closer to what I get on successful sends with systems other than Bitwarden.
With all other programs my server works fine with 465 or 587 and with SSL/TLS or STARTTLS.
I am not sure what else to suggest at the moment. Here is the code that we use for sending SMTP mail from .NET Core:
Thanks, we'll have a look over that and see if we can figure it out.
FYI for anyone interested, these are the first few lines from our docker logs using Thunderbird with STARTTLS
front_1_1b0c71b82edf | 2018/11/06 02:22:18 [info] 18#18: *27309 client 10.0.10.2:60115 connected to 0.0.0.0:587
front_1_1b0c71b82edf | 127.0.0.1 - - [06/Nov/2018:02:22:19 +0000] "GET /auth/email HTTP/1.0" 200 0 "-" "-"
admin_1_ab93d4744f7b | 172.18.0.3 - - [06/Nov/2018:02:22:19 +0000] "GET /internal/auth/email HTTP/1.0" 200 - "-" "-"
And this is what it looks like when we use the same settings with BItWarden.
front_1_1b0c71b82edf | 2018/11/06 02:19:26 [info] 18#18: *27308 client 10.0.10.2:44313 connected to 0.0.0.0:587
front_1_1b0c71b82edf | 2018/11/06 02:19:26 [info] 18#18: *27308 client was rejected: "MAIL FROM:
@plwc Please let us know if you figure anything out.
Same problem with this setup :
globalSettings__mail__replyToEmail=xxxxx
globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__username=xxxxx
globalSettings__mail__smtp__password=xxxxx
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__useDefaultCredentials=false
2018-12-06 08:41:32.605 +00:00 [Error] Mail send failed.
System.Net.Mail.SmtpException: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.5.1 Authentication Required. Learn more at
at System.Net.Mail.MailCommand.CheckResponse(SmtpStatusCode statusCode, String response)
at System.Net.Mail.MailCommand.EndSend(IAsyncResult result)
at System.Net.Mail.SendMailAsyncResult.SendMailFromCompleted(IAsyncResult result)
--- End of stack trace from previous location where exception was thrown ---
at System.Net.Mail.SendMailAsyncResult.End(IAsyncResult result)
at System.Net.Mail.SmtpClient.SendMailCallback(IAsyncResult result)
@syrm For gmail you have to enable "less secure apps" to use SMTP: https://support.google.com/accounts/answer/6010255?hl=en
@syrm For gmail you have to enable "less secure apps" to use SMTP: https://support.google.com/accounts/answer/6010255?hl=en
Perfect !
@kspearrin I finally got back to this and figured out how to enable additional debugging on the postfix side -- I can now see a record of all the communication between Bitwarden and postfix. I can see that the Bitwarden SMTP client never issues an AUTH, even with SSL/TLS disabled. Do you have any idea what would be happening?
BTW, according to the .NET documentation, SmtpClient is obsolete and
SmtpClient and its network of types are poorly designed, we strongly recommend you use https://github.com/jstedfast/MailKit and https://github.com/jstedfast/MimeKit instead
This might just be a bug in an unsupported library...
@kc9jud An upgrade to MailKit has been made by @kspearrin. See #431.
@alelapeyre Great — I’ll check if this is fixed by the next release.
Just hit this issue after switching to Mailu as a mail server. I'm currently unable to login to the admin area.
My configuration matches @Dennis14e above.
@cooperaj My bitwarden can not send mails with mailu as well. Have you managed to solve the problem already?
My bitwarden works now with mailu.
My env variables:
globalSettings__mail__smtp__host=front.mailserver
globalSettings__mail__smtp__port=10025
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__startTls=false
globalSettings__mail__smtp__trustServer=true
front.mailserver solved to my front container from mailu.
globalSettings__mail__smtp__trustServer=true is what FINALLY fixed this!!!!!
Thank you @maaeps ! You answered it when Bitwarden themselves had no solutions for these.
Darn product is too sensitive with certs....biggest pain of all my services when I expected this to be one of the easiest.
The problem should be fixed just like #457 with the new update.
Most helpful comment
My bitwarden works now with mailu.
My env variables:
front.mailserver solved to my front container from mailu.