Replies: 1 comment 4 replies
-
|
The problem with base64 is that those are flagged earlier as spam, especially if there are links in them. The RFC states that clients need to merge the line breaks, so the clients are the actual problem here, not Vaultwarden. |
Beta Was this translation helpful? Give feedback.
4 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Prerequisites
Vaultwarden Support String
Your environment (Generated via diagnostics page)
Config & Details (Generated via diagnostics page)
Show Config & Details
Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN, YUBICO_CLIENT_ID, YUBICO_SECRET_KEY, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_USERNAME, SMTP_PASSWORD
Config:
{ "_duo_akey": null, "_enable_duo": false, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": "***************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": true, "dns_prefer_ipv6": false, "domain": "*****://********************", "domain_origin": "*****://********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": true, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": null, "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "trace", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": false, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": true, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": false, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "******************", "smtp_from_name": "*******************", "smtp_host": "***************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "starttls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": "******************", "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*************************************************", "sso_client_cache_expiration": 0, "sso_client_id": "", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": false, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": 2048, "user_send_limit": 2048, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "37438", "yubico_secret_key": "***", "yubico_server": null }Vaultwarden Build Version
v1.36.0
Deployment method
Official Container Image
Custom deployment method
No response
Reverse Proxy
nginx
Host/Server Operating System
Linux
Operating System Version
Debian 13
Clients
Desktop
Client Version
SOGo Webmail mailcow 2026-05c - K-9 Mail 20.0 - Geary 44.1
Steps To Reproduce
SIGNUPS_ALLOWED=falseandINVITATIONS_ALLOWED=truein your configuration.Expected Result
The pasted link should be the complete, functional URL including the full JWT token, allowing the user to accept the invitation and register.
Actual Result
The copied link is heavily truncated and broken. In my case, the email clients truncate the URL visually with
***right where thequoted-printablesoft line break occurs in the MIME source. When selecting "Copy Link", the clipboard contains this broken display value instead of the actualhreftarget:https://passwords.domain.de/#/accept-organization/?email=user%40domain.de&organization***=Because the token is missing, the registration is immediately blocked by Vaultwarden.
Note: This behavior is highly client-dependent. Testing with the "Geary" email client on Linux showed that it copies the link perfectly fine, properly decoding the quoted-printable format. However, since several major clients (like SOGo and K-9) fail at this, it's a significant usability roadblock.
Logs
Screenshots or Videos
E-Mail Source (Click to expand)
Just the body without the headers
Additional Context
I have verified the MIME source of the email. Vaultwarden generates a perfectly valid email with
Content-Transfer-Encoding: quoted-printable. However, because the JWT token makes the invitation URL extremely long, it forces soft line breaks (=) in the source code.Plaintext
While this is technically a client-side clipboard/parsing bug in SOGo and K-9 Mail (as proven by the fact that the "Geary" client handles it correctly), Vaultwarden's extremely long JWT-based URLs make the quoted-printable encoding highly fragile across the email ecosystem. Users often end up copying the truncated display value instead of the
hreftarget.Suggestion for Vaultwarden:
Instead of altering the token length or architecture, a robust and simple fix would be to change the
Content-Transfer-Encodingfor these emails fromquoted-printabletobase64.Using
base64would completely eliminate the need for soft line breaks (=) inside the long URLs within the MIME source, avoiding these widespread copy-paste rendering bugs in strict or flawed email clients.Beta Was this translation helpful? Give feedback.
All reactions