[Support] Sendgrid email API can't use admin login or email verification

[Shotman]

Hello,

I can't seem to manage to make sendgrid work with bitwarden, at some point I managed to make it work but I don't remember how, and since my API key changed because the trial for the premium version expired I had to recreate an API Key and since then it doesn't work anymore I end up with "504 Gateway Time-out" on either admin login or email verification for account.

Here is the config :

globalSettings__mail__replyToEmail=no-reply@[mydomain.com]
globalSettings__mail__smtp__authType=Login (tried basic as well)
globalSettings__mail__smtp__host=smtp.sendgrid.net
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false (tried true)
globalSettings__mail__smtp__username=apikey
globalSettings__mail__smtp__password=SG.[API_KEY] (tried encoding the api key in base64 as well)
globalSettings__mail__smtp__useDefaultCredentials=false (tried with and without)
globalSettings__mail__smtp__trustServer=true (tried with and without)

So since it worked at some point I know it's possible but I don't have any more ideas on what to do, knowing that I trid sendgrid python test script from the host server and it worked so my credentials arent wrong

Any Ideas ?

[cscharf]

Hi @Shotman , sorry for the late response, as far as SMTP settings for SendGrid:

1. seeing that you're using port 587 you would need ssl=true (which it says you've tried)
2. I would recommend you set trustServer=false to ensure certificates are validated from send-grid (security measure)
3. For 587 (TLS) you also need to ensure ssl=false (although the application code already overrides this setting when using this port)
4. Add globalSettings__mail__smtp__startTls=true
5. authType is ignored
6. useDefaultCredentials is ignored
7. I believe password should be in plain text

If those changes/settings don't work let me know.

[Shotman]

I've tried changing the settings accordingly and still no thing on the admin login or email verification, I get a gateway timeout

[cscharf]

Sorry, I meant ssl=false as my 1. and 3. bullets were conflicting (as I dug in a little bit), 3. would be the correct setting.

Somewhat perplexed on this one as using SendGrid through MailKit should be pretty straightforward, e.g. https://blog.reyno.co.uk/sending-email-in-asp-net-core-2-0-with-sendgrid/

Is the 504 Gateway Time-out response coming from SendGrid on connect, on auth or coming from the Bitwarden API itself?

[cscharf]

And, can you post your python test script (w/o credentials of course) so I can compare what you're testing with on that host vs. our MailKit mail delivery implementation?

[Shotman]

Here is what I have now in the override :

globalSettings__mail__replyToEmail=no-reply@[domain]
globalSettings__mail__smtp__host=smtp.sendgrid.net
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=false
globalSettings__mail__smtp__startTls=true
globalSettings__mail__smtp__username=apikey
globalSettings__mail__smtp__password=SG.[API_KEY]

And here is my Python code :

import sendgrid
import os
from sendgrid.helpers.mail import *

sg = sendgrid.SendGridAPIClient(api_key=os.environ.get('SENDGRID_API_KEY'))
from_email = Email("test@example.com")
to_email = To("my@email.com")
subject = "Sending with SendGrid is Fun"
content = Content("text/plain", "and easy to do anywhere, even with Python")
mail = Mail(from_email, to_email, subject, content)
response = sg.client.mail.send.post(request_body=mail.get())
print(response.status_code)
print(response.body)
print(response.headers)

And the 504 - Gateway Timeout apprears on the browser itself so my guess it's from the bitwarden api

[SreekanthThummala]

Hi Team,

I have installed the self hosted setup and the email functionality is not working for me as well.
I tried the above mentioned steps using opensmtp and sendgrid but nothing works.

[SreekanthThummala]

Any update on this issue ?

[mpbw2]

Not sure if this will help anybody but sendgrid is working perfectly for me using only the following:

globalSettings__mail__replyToEmail=no-reply@[mydomain.com]
globalSettings__mail__smtp__host=smtp.sendgrid.net
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=apikey
globalSettings__mail__smtp__password=SG.[API_KEY]
globalSettings__mail__smtp__trustServer=true

API_KEY was pasted as displayed in my sendgrid account (no special encoding)

[Shotman]

Not sure if this will help anybody but sendgrid is working perfectly for me using only the following:

globalSettings__mail__replyToEmail=no-reply@[mydomain.com]
globalSettings__mail__smtp__host=smtp.sendgrid.net
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__username=apikey
globalSettings__mail__smtp__password=SG.[API_KEY]
globalSettings__mail__smtp__trustServer=true

API_KEY was pasted as displayed in my sendgrid account (no special encoding)

I tried your configs and still the same for me with bitwarden 2.16.2 I get a 504 Gateway Timeout, do you have a paid Sendgrid account of a free one ? Cause it worked during the premium trial for me but I don't know if it's the free tier or bitwarden config that causes an issue

[mpbw2]

@Shotman I'm using the free plan (100 emails/day) and confirmed it's still working. I don't recall any special config on sendgrid either, aside from setting up the apikey. Let me know if there is anything there I can look at for you.

[SreekanthThummala]

Finally, I made it work with smtp.gmail.com. Even this smtp was complaining that the "an unsecure app is trying to access the account". I had to manually allow this logging into the gmail account mentioned in the config. Hope this helps you..

Both email verification and the admin account are working fine now...

[Shotman]

globalSettings__mail__smtp__host=smtp.gmail.com
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__username=my_email@gmail.com
globalSettings__mail__smtp__password=[password app generated in google console]

These settings don't work either so I have no idea what is happening to my instance ...

I even tried using my real google password and I have NO notification or anything telling me that an app is trying to login to my account

EDIT : I've tried using a different email for the admin login, maybe it was conflicting with the user email. Same result 504 Bad Gateway but the strange thing is that if I use a random email like test@gmail.com I have a green flash message telling me that if it's a registered admin email I should get a magic link there

[Shotman]

2020-12-14 19:48:06.024 +00:00 [Error] The operation has timed out.
System.TimeoutException: The operation has timed out.
   at MailKit.Net.SocketUtils.ConnectAsync(String host, Int32 port, IPEndPoint localEndPoint, Int32 timeout, Boolean doAsync, CancellationToken cancellationToken)
   at MailKit.MailService.ConnectSocket(String host, Int32 port, Boolean doAsync, CancellationToken cancellationToken)
   at MailKit.Net.Smtp.SmtpClient.ConnectAsync(String host, Int32 port, SecureSocketOptions options, Boolean doAsync, CancellationToken cancellationToken)
   at Bit.Core.Services.MailKitSmtpMailDeliveryService.SendEmailAsync(MailMessage message) in /home/runner/work/server/server/src/Core/Services/Implementations/MailKitSmtpMailDeliveryService.cs:line 84
   at Bit.Core.Services.HandlebarsMailService.SendPasswordlessSignInAsync(String returnUrl, String token, String email) in /home/runner/work/server/server/src/Core/Services/Implementations/HandlebarsMailService.cs:line 232
   at Bit.Core.Identity.PasswordlessSignInManager`1.PasswordlessSignInAsync(String email, String returnUrl) in /home/runner/work/server/server/src/Core/Identity/PasswordlessSignInManager.cs:line 43
   at Bit.Admin.Controllers.LoginController.Index(LoginModel model) in /home/runner/work/server/server/src/Admin/Controllers/LoginController.cs:line 42
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.TaskOfIActionResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)

Maybe this error log could help troubleshoot the problem ?

[SreekanthThummala]

@Shotman, Google ( gmail account you use) is considering the bitwarden as a insecure app trying to access it and is blocking by default. Please check the account settings and allow low secure apps in the google account., this fixed my issue.

[Shotman]

@SreekanthThummala I used an app password because I have 2FA activated so it shouldn't cause any problem, and I don't want to lower my gmail account overall security by enabling low secure apps, and even if I wanted I tried to and this option isn't available to me because I have other security options that aren't compatible with it

[clayadams5226]

hey @Shotman,Thank you for getting in touch and bringing this to our attention! We'd like to assist you further. We ask that you please contact us using our contact page, here: https://bitwarden.com/contact. You can include a link to this issue in the message content. The issue here will be closed and moved over to our Help Desk.