Vm: bitwarden SMTP blocked by iptables?

Created on 11 Aug 2020  ·  30Comments  ·  Source: nextcloud/vm

Hi

i can't get bitwarden SMTP sending to work, which is obviously needed for the admin login.
iptables and I never were friends, but this looks to me like iptables would be blocking SMTP traffic to outside targets?!

root@files:~/bwdata/env# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:8443
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:9300
ACCEPT     tcp  --  anywhere             172.19.0.2           tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             172.17.0.3           tcp dpt:9200

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DROP       all  -- !172.18.0.0/16        anywhere
DROP       all  --  anywhere            !172.18.0.0/16
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

please advise whether I'm on the right track or if it should just work. PS: my smtp service is on port 26, maybe that's adding up to the issue.

what would be a supported way to not break anything else with the appliance and your scripts to allow outgoing port 26 from the bitwarden container?

thanks!

All 30 comments

Actually, there have been reports regarding SMTP not working properly. I always thought it was the Bitwarden config itself, and never thought of iptables. I remember I had BIG issues getting it to work on my own instance, and I use normal ports (587).

Normally in Linux, all ports that are in use by a service are open. So if you enter 26 in the config, it should be open. At least to my knowledge, but hey I might be wrong.

Would be awesome if you could investigate this further. If you find a solution to the problem, we might just script the SMTP setup.

Thanks!

i am debugging and tcpdumping the sh*t out of it but up until now i have no clue. currently it looks like bitwarden doesn't even try to connect to the smtp server or to resolve its dns name. i have modified the iptables rules to allow outgoing traffic from the containers no matter what but still no luck. maybe i have to change the NAT rules as well? like i said, iptables and me never were friends. big corporate firewalls like ASA, Checkpoint, Fortinet, no problem. but iptables? nope.

currently installing visual studio to get a better view at the source code, maybe i can track down there what it should be doing.

i installed telnet into the bitwarden-nginx container and was able to send mails to my smtp server so iptables can't be the issue here.

imo this code part is total BS (from MailKitSmtpMailDeliveryService.cs):

using (var client = new SmtpClient())
            {
                if (_globalSettings.Mail.Smtp.TrustServer)
                {
                    client.ServerCertificateValidationCallback = (s, c, h, e) => true;
                }

                if (!_globalSettings.Mail.Smtp.StartTls && !_globalSettings.Mail.Smtp.Ssl &&
                    _globalSettings.Mail.Smtp.Port == 25)
                {
                    await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port,
                        MailKit.Security.SecureSocketOptions.None);
                }
                else
                {
                    var useSsl = _globalSettings.Mail.Smtp.Port == 587 && !_globalSettings.Mail.Smtp.SslOverride ?
                        false : _globalSettings.Mail.Smtp.Ssl;
                    await client.ConnectAsync(_globalSettings.Mail.Smtp.Host, _globalSettings.Mail.Smtp.Port, useSsl);
                }

                if (CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Username) &&
                    CoreHelpers.SettingHasValue(_globalSettings.Mail.Smtp.Password))
                {
                    await client.AuthenticateAsync(_globalSettings.Mail.Smtp.Username,
                        _globalSettings.Mail.Smtp.Password);
                }

                await client.SendAsync(mimeMessage);
                await client.DisconnectAsync(true);
            }

how is port 26 supposed to work with this? who on earth says that 587 always has to be encrypted? also port 25 is perfectly suitable for starttls. jeeez.
anyway, changed to port 25 but still no luck, bitwarden is simply not sending any mails and according to the logs and tcpdump it isn't even trying. I'm kind of out of ideas, this is total BS...

Actually _globalSettings.Mail.Smtp.Port looks to me like a global setting which could probably get changed or added in /root/bwdata/env/global.override.env

a bit down the instructions on the following side, you find a good example for global bitwarden settings: https://dennisnotes.com/note/20181112-bitwarden-server/

Hi

/root/bwdata/env/global.override.env is the file which I have been editing/using the whole time for changing the settings, sorry for not pointing that out clearly.

But the point is, no matter what you configure in that file, the if conditions from the code snippet above are just plain BS. There is no if condition for a case where someone wants to use port 26 for unencrypted smtp.
Also, port 587 would only work with enabled encryption and port 25 would only work without encryption. That is just plain wrong...

I guess this is nothing that can get fixed on the VM-side. Please report it upstream: https://github.com/bitwarden/server/issues

true... there is an issue there already, but so far nobody apart from daniel responded there... https://github.com/bitwarden/server/issues/860

Thanks for confirming! Then I'll link this issue when someone else asks.

@mamama1 Please continue to debug, if you solved it and we can script it - then let's make it happen!

BTW: @mamama1 do the mailserver settings always have to be done inside global.override.env or can you change them from the webportal? And if you don't configure them, won't e-mails get sent out?

yes, they have to be done inside global.override.env. if you don't configure the settings, mailing won't work.

yes, they have to be done inside global.override.env. if you don't configure the settings, mailing won't work.

@enoch85 is this something we should provide a script for if it needs to be setup?
Or should we add it to the end of the bitwarden script?

talking about scripts...:

I'd suggest to prompt for a keystroke if anything fails. When the bitwarden installation was failing, it was very hard to catch a glimpse at the error message because the console would clear the screen and continue with the next step. Also, no summary was provided so one was left without knowledge that something has failed.
IMHO there are multiple solutions for this:

  • provide a path to a log file when everything is completed, where you can check the whole install process and/or
  • provide a summary when everything is finished with failed/successful items and warnings and/or
  • wait for a keystroke if an error occurs so one has a chance to see and report what went wrong

trust me, if I were anywhere near usable in bash scripting, I'd write that code for you but unfortunately all I can do is make suggestions :-)

regarding bitwarden mail config: you could either take the input from the nextcloud mail config prompts or make different ones specifically for bitwarden. anyway would sure come in handy...

I'd suggest to prompt for a keystroke if anything fails. When the bitwarden installation was failing, it was very hard to catch a glimpse at the error message because the console would clear the screen and continue with the next step. Also, no summary was provided so one was left without knowledge that something has failed.
IMHO there are multiple solutions for this:

  • provide a path to a log file when everything is completed, where you can check the whole install process and/or
  • provide a summary when everything is finished with failed/successful items and warnings and/or
  • wait for a keystroke if an error occurs so one has a chance to see and report what went wrong

@enoch85 is this something that we can do?

regarding bitwarden mail config: you could either take the input from the nextcloud mail config prompts or make different ones specifically for bitwarden. anyway would sure come in handy...

I would vote for an additional script to setup the mail account or just do it at the end of the bitwarden install script. @enoch85 Please tell what you'd like more.

Well, since Bitwarden is getting more and more sopisticated, maybe we should make a seperate Bitwarden menu like we are doing with the Documentserver?

Right now, there are three choices if we add mail as well.

I'm all in for a seperate script, yes.

@enoch85 is this something that we can do?

Sure, make a POC.

@enoch85 is this something that we can do?

Sure, make a POC.

Hm, actually I don't have any idea how to do that. It was more of a question if you have an idea how this could be done? :D

Well, since Bitwarden is getting more and more sopisticated, maybe we should make a seperate Bitwarden menu like we are doing with the Documentserver?

Right now, there are three choices if we add mail as well.

I'm all in for a seperate script, yes.

okay, then a seperate scipt 👍

Maybe @mamama1 can give the details on what's needed for sending email in Bitwarden, then we can just sed the values.

Hm... I thinks those section should cover all needed variables. Am I right?
https://github.com/nextcloud/vm/pull/1370/files#diff-446b80c06c2be03b4cb90e556840f44aR45-R55
https://github.com/nextcloud/vm/pull/1370#issuecomment-674436504

1370 (comment)

Yeah, seems correct. :+1:

side note, I had to set globalSettings__mail__smtp__trustServer=true even though I am sending on port 26 which is not a TLS port by default AND globalSettings__mail__smtp__ssl=false was set as well.

globalSettings__mail__smtp__trustServer=true

@enoch85 So do we need to implement that as well or is it so specific that this shouldn't be covered by the script?

you could make it a simple yes/no question while recommending to not disable ssl trust verification. or just leave a note that the option exists.
by default, that line does not exist in the global.override.env file, so you could insert it with "false" as well, so that one wouldn't have to look it up in the bitwarden documentation first.

you could make it a simple yes/no question while recommending to not disable ssl trust verification. or just leave a note that the option exists.
by default, that line does not exist in the global.override.env file, so you could insert it with "false" as well, so that one wouldn't have to look it up in the bitwarden documentation first.

I'll think about it 👍

BTW: @mamama1 do you know what adminSettings__admins does?

And do you know if a service restart is enough when changing sometthing inside global.override ?

yes, there is an admin panel which is reachable via https://bitwarden.yourdomain.com/admin. any e-mail address which is entered into adminSettings__admins is considered being an admin.

there is no password nor a registration for the admin login. once you enter an e-mail address into the admin portal login form which is contained in the adminSettings__admins parameter, you'll get an e-mail to that address which contains a passwordless login link.

yes, a service restart does the job, if you changed anything inside global.override.env.

yes, there is an admin panel which is reachable via https://bitwarden.yourdomain.com/admin. any e-mail address which is entered into adminSettings__admins is considered being an admin.

there is no password nor a registration for the admin login. once you enter an e-mail address into the admin portal login form which is contained in the adminSettings__admins parameter, you'll get an e-mail to that address which contains a passwordless login link.

Ah okay, thant this is also something we should let the user configure, thanks!

yes, a service restart does the job, if you changed anything inside global.override.env.

Nice, thanks!

So do we need to implement that as well or is it so specific that this shouldn't be covered by the script?

Just noticed you've alreade taken care of that. :+1:

Was this page helpful?
0 / 5 - 0 ratings

Related issues

enoch85 picture enoch85  ·  8Comments

EasyCompZLD picture EasyCompZLD  ·  4Comments

enoch85 picture enoch85  ·  4Comments

unamundan picture unamundan  ·  6Comments

mxschmitt picture mxschmitt  ·  9Comments