Global Env parameter for SMTP #616

Closed
mikebakke opened this issue Sep 10, 2019 · 7 comments

@mikebakke

First a HUGE thank you for this capability - it is simply amazing.

My question (after checking wiki) is how to add a specific environment variable - globalSettings__mail__smtp__trustServer=true - to the SMTP configuration.

Prior to using your container I had installed from the 8bit site onto a Virtualbox VM. Initially configuring email to send via my Gmail didn't work but I found this parameter which I added to the global common file in /env and all was fine.

I've configured SMTP in the admin panel here but nothing is sent and I can't see how to add either via admin or at the command line. Is it possible?

Best Regards

Mike Bakke

@Ayitaka

Ayitaka commented Sep 10, 2019

bitwarden_rs does not have a way to ignore certificate validation when using TLS for smtp, as far as I can tell.

what smtp_host and smtp_port are you using for gmail?

for TLS...
usual smtp host is: smtp.gmail.com (or smtp-relay.gmail.com for G Suite SMTP relay)
and port is: 587

@mikebakke
Author

Hi

Thanks for the response - yes, the settings you mention are exactly how I've configured in the admin page. This was exactly how I did it in my "official" VM instance on Linux Mint and googling for the issue took me to these existing issues - hence my workaround using the parameter. I know it's not ideal but it worked ;-)

bitwarden/server#451
bitwarden/server#457

I did wonder if I could simply use -e=globalSettings__mail__smtp__trustServer=true but from your message it seems not.

My Letsencrypt certificates seem fine accessing online via web and apps so a bit stumped for now.

Thanks

Mike

@Ayitaka

Ayitaka commented Sep 11, 2019

Hmmm that's frustrating! Well, if you wanna try to diagnose the issue you can try these steps and maybe we can figure out what's wrong:

  1. docker ps -a - copy the CONTAINER ID for bitwarden_rs from the results of this (i.e. b95c6ce69ef6 )
  2. docker exec -it b95c6ce69ef6 bash - using the CONTAINER ID to start a bash shell inside the container
  3. openssl s_client -connect smtp.gmail.com:587 -starttls smtp - to see the results of a TLS connection to smtp.gmail.com
  4. Paste the connection results portion of the results here i.e.:
I have no name!@b95c6ce69ef6:/$ openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3457 bytes and written 294 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported

@mikebakke
Author

Hi - output here - looks reasonable?

root@c449ef3c2d6f:/# openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = GTS CA 1O1
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1

Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign

Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
issuer=/C=US/O=Google Trust Services/CN=GTS CA 1O1

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits

SSL handshake has read 3453 bytes and written 294 bytes
Verification: OK

New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: 51EC553C55EC90A72FCB95D77EA308AAA4776CEA5BA3206D2FE532A29D681A4F
Session-ID-ctx:
Master-Key: 221E26799BA46D76789B2BC21E12A2872CFECC2F0C922E02BB2FE8394A894E039C46F4B8DBA78ADC95316DB758AB21A0
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:

Start Time: 1568203656
Timeout   : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

250 SMTPUTF8
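
The checks a reader makes by eye on the pasted `openssl s_client` output above, written out as an added example that is not part of the thread: `check_s_client` and the sample text are constructed for illustration. An empty result means the chain validates inside the container and names the intended host.

```python
import re

# Constructed sample, trimmed from the s_client output format quoted in this thread.
SAMPLE = """\
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services/CN=GTS CA 1O1
 1 s:/C=US/O=Google Trust Services/CN=GTS CA 1O1
   i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
---
Verify return code: 0 (ok)
"""

def check_s_client(output, expected_host):
    """Return a list of problems found in pasted `openssl s_client` output."""
    problems = []
    # Final verdict: code 0 means the chain validated against the local trust store.
    verdict = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if verdict is None:
        problems.append("no 'Verify return code' line (handshake incomplete?)")
    elif verdict.group(1) != "0":
        problems.append(f"verification failed: {verdict.group(1)} ({verdict.group(2)})")
    # Chain entries are "N s:<subject>" followed by "i:<issuer>"; pasted logs
    # often lose the leading whitespace, so it is optional here.
    subjects = re.findall(r"^\s*\d+ s:(.+)$", output, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", output, re.M)
    if not subjects or len(subjects) != len(issuers):
        problems.append("certificate chain section missing or malformed")
        return problems
    # The summary shows only the subject DN (no SAN), so this is a sanity check
    # on the leaf CN, not a substitute for the client's hostname verification.
    cn = re.search(r"CN\s*=\s*([^/,]+)", subjects[0])
    leaf = cn.group(1).strip() if cn else None
    if leaf != expected_host:
        problems.append(f"leaf CN {leaf!r} does not match {expected_host!r}")
    # Each certificate's issuer must be the subject of the next one up.
    for i in range(len(subjects) - 1):
        if issuers[i].strip() != subjects[i + 1].strip():
            problems.append(f"chain break between certificate {i} and {i + 1}")
    return problems

if __name__ == "__main__":
    print(check_s_client(SAMPLE, "smtp.gmail.com") or "no problems found")
```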

@mikebakke mikebakke reopened this Sep 11, 2019
@mikebakke
Author

Apologies - closed by mistake but re-opened...

@Ayitaka

Ayitaka commented Sep 11, 2019

Hmmmm indeed, it all looks correct on your end. I'm unsure why you're having an issue connecting to gmail, given the results. Perhaps you might want to try to create an account on yahoo or some other provider and see if that works better, at least for your bitwarden installation. :( Wish I had a better answer for you.

@mikebakke
Author

It's not a deal breaker - I love this tool regardless. I'm sure I'm doing something wrong somewhere and it'll get cleared up. Many thanks for your support.

Regards

Mike
