[GH-ISSUE #1151] [BUG] Can't use TLS with SMTP to reset password #412

Open
opened 2026-02-27 08:17:09 +03:00 by kerem · 12 comments

Originally created by @6C656C65 on GitHub (Apr 7, 2025).
Original GitHub issue: https://github.com/lldap/lldap/issues/1151

Describe the bug
I want to configure email sending with TLS to encrypt requests.
When I try to reset my password, I get this error on the web UI:

Could not initiate password reset[500 Internal Server Error]: Internal server error: `Could not send email: Error sending email: Connection error: Connection error: received fatal alert: ProtocolVersion`

To Reproduce
Steps to reproduce the behavior:

  1. Add environment variables in docker-compose.yml:
      - LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
      - LLDAP_SMTP_OPTIONS__SERVER=REDACTED
      - LLDAP_SMTP_OPTIONS__PORT=465
      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS
      - LLDAP_SMTP_OPTIONS__USER=REDACTED
      - LLDAP_SMTP_OPTIONS__PASSWORD=REDACTED
  2. After starting Docker, I reset the password of an existing account and I get the error described above

Logs
I put the LLDAP log file in debug mode; see the attachment.

Additional context
Even using STARTTLS (587/tcp) I have the same problem.
I have a firewall, which allows 465/tcp and 587/tcp flows between LLDAP and the SMTP server.
I also have a reverse proxy in front of LLDAP.

I also tried using these variables, but nothing changed:

      #- LLDAP_SMTP_OPTIONS__FROM="REDACTED <REDACTED>"
      #- LLDAP_SMTP_OPTIONS__REPLY_TO="REDACTED <REDACTED>"

lldap_lops_redacted.txt: https://github.com/user-attachments/files/19637020/lldap_lops_redacted.txt

@nitnelave commented on GitHub (Apr 9, 2025):

That usually means a mismatch between the protocol (tls/starttls) and the port, but you seem to have them the right way around.

Do you have any other service that can send emails with a similar config, behind the same firewall?

@6C656C65 commented on GitHub (Apr 9, 2025):

I have a Vaultwarden running in another container on the same machine.
Vaultwarden and LLDAP use the same IP address to pass through the firewall, so they have the same filtering rules. Besides Vaultwarden, I also have a backup that sends emails (ttionya/vaultwarden-backup:latest).
Both of these apps are good at sending emails.

For your information, I am using the lldap/lldap:stable image which is in version 0.6.1.

@nitnelave commented on GitHub (Apr 9, 2025):

It's a bit hard to debug without access to your system... We have had many users successfully send emails, with both tls and starttls.
What I would recommend is to go back to tls/465, and double check your settings as parsed by LLDAP: when you start it in verbose mode, the config is printed at the top, and it contains your SMTP settings. Make sure that they are correct; it's possible that you have a typo in your environment variables that prevents LLDAP from getting them.

@6C656C65 commented on GitHub (Apr 9, 2025):

I've set the LLDAP log file to debug mode with an attachment. The SMTP-related configurations are present.
Can you confirm that from and reply_to can be empty?

I will try to debug more deeply to see if it comes from the SMTP server, the libraries used or something else...

lldap_logs_startup.txt: https://github.com/user-attachments/files/19666733/lldap_logs_startup.txt

@nitnelave commented on GitHub (Apr 9, 2025):

Everything looks correct. As long as the user is populated, from and reply-to should be optional.

I'm sorry I can't help you much more. If it helps, it's just a thin wrapper around the lettre library, maybe you can get help from them?

@6C656C65 commented on GitHub (Apr 9, 2025):

I quickly tried some Rust code with the lettre 0.10.1 and rustls 0.20 libraries (the same versions you use in lldap 0.6.1), and the email is sent successfully via TLS with my SMTP server.
When I have more time, I'll test it by debugging LLDAP directly.

I also tested with the mail command directly in the container and it worked fine over TLS, so there are no filtering issues.

Thank you for your time


Here is the code I tested with. If I missed a library you use or something else, please let me know. I didn't have time to dig into your code perfectly.

Cargo.toml

[package]
name = "email_test"
version = "0.1.0"
edition = "2021"

[dependencies]
lettre = { version = "0.10.1", features = ["builder", "serde", "smtp-transport", "tokio1-rustls-tls"], default-features = false }
rustls = { version = "0.20", features = ["dangerous_configuration"] }
tokio = { version = "1", features = ["full"] }
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"

main.rs

use lettre::{Message, SmtpTransport, Transport};
use lettre::transport::smtp::client::{Tls, TlsParameters};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    // Server name the certificate is verified against (rustls under the hood).
    let tls_params = TlsParameters::new("REDACTED".to_string())?;
    // Tls::Required: plaintext connect, then a STARTTLS upgrade that must succeed.
    let tls = Tls::Required(tls_params);

    let email = Message::builder()
        .from("REDACTED".parse()?)
        .to("REDACTED".parse()?)
        .subject("Testing sending email from Rust")
        .body("This is a test of sending email from Rust with lettre and rustls.".to_string())?;

    // starttls_relay() uses the STARTTLS submission flow; lettre's relay() would be the
    // implicit-TLS (465/tcp) flow instead.
    let mailer = SmtpTransport::starttls_relay("REDACTED")?
        .credentials(("REDACTED", "REDACTED").into())
        .tls(tls)
        .build();

    // Send synchronously and report the outcome.
    let result = mailer.send(&email);
    match result {
        Ok(_) => println!("Email sent successfully!"),
        Err(e) => println!("Error sending: {:?}", e),
    }

    Ok(())
}

@nitnelave commented on GitHub (Apr 9, 2025):

You can compare with what LLDAP does: https://github.com/lldap/lldap/blob/main/server%2Fsrc%2Fmail.rs

It looks similar at a glance, but I haven't carefully compared it

@6C656C65 commented on GitHub (Apr 12, 2025):

Well, I have good news: I was able to send emails.
After several tests, analyzing libraries and code, I have some clues as to what was causing the problem.
My SMTP server's host only accepts certain versions of TLS (TLSv1.2 and TLSv1.3). This caused the Alert ProtocolVersion message.

But I still haven't figured out why the Lettre library can't always perform the TLS handshake with my SMTP server. So I have to click the button several times to send an email.


I also changed the format of the variables: I removed the double quotes in my compose file. I now have things like this:

      - LLDAP_SMTP_OPTIONS__SERVER=REDACTED
      - LLDAP_SMTP_OPTIONS__PORT=465
      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS
      - LLDAP_SMTP_OPTIONS__USER=REDACTED
      - LLDAP_SMTP_OPTIONS__PASSWORD=REDACTED
      - LLDAP_SMTP_OPTIONS__FROM="REDACTED"

Before, I had things like this, because I deploy the application with Ansible:

      - LLDAP_SMTP_OPTIONS__SERVER="{{ server }}"
      - LLDAP_SMTP_OPTIONS__PORT=465
      - LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS
      - LLDAP_SMTP_OPTIONS__USER="{{ user }}"
      - LLDAP_SMTP_OPTIONS__PASSWORD="{{ pass }}"
      - LLDAP_SMTP_OPTIONS__FROM="{{ from }}"
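
As an added example (not code from LLDAP or lettre), here is a small pure-std Rust tool for the two diagnoses made in this thread: nitnelave's "protocol/port mismatch" check and the fatal ProtocolVersion alert. It classifies the first bytes a client reads right after the TCP connect, as you would see them in a packet capture: a plaintext "220" greeting means the port expects a STARTTLS upgrade, a TLS record means the port is implicit TLS, and a TLS alert record carries the refusal reason (description 70 is protocol_version). The byte samples are constructed, not captured from any real server; the Mode names and the diagnosis texts are mine, not LLDAP's.

```rust
// Added example, not LLDAP or lettre code. Classifies the first bytes an SMTP
// client receives after connecting, to separate a port/encryption-mode mismatch
// from a real TLS alert such as the "fatal alert: ProtocolVersion" in this thread.
// All byte samples are constructed.

#[derive(Debug, PartialEq)]
pub enum Peer {
    /// Nothing arrived before the read timeout.
    Silent,
    /// Plaintext SMTP greeting ("220 host ESMTP ...").
    PlaintextSmtp(String),
    /// TLS alert record; level 2 is fatal (RFC 8446, section 6).
    TlsAlert { fatal: bool, description: u8, name: &'static str },
    /// TLS handshake record (ServerHello): the peer is speaking TLS.
    TlsHandshake,
    /// Neither SMTP nor a recognisable TLS record.
    Unknown,
}

/// Alert descriptions that matter when debugging SMTP submission.
pub fn alert_name(code: u8) -> &'static str {
    match code {
        0 => "close_notify",
        40 => "handshake_failure",
        42 => "bad_certificate",
        45 => "certificate_expired",
        46 => "certificate_unknown",
        48 => "unknown_ca",
        70 => "protocol_version",
        71 => "insufficient_security",
        80 => "internal_error",
        _ => "other",
    }
}

pub fn classify(first: &[u8]) -> Peer {
    if first.is_empty() {
        return Peer::Silent;
    }
    // SMTP greeting: "220 " (single line) or "220-" (multi-line).
    if first.len() >= 4 && first.starts_with(b"220") && (first[3] == b' ' || first[3] == b'-') {
        let line = first.split(|&b| b == b'\n').next().unwrap_or(first);
        return Peer::PlaintextSmtp(String::from_utf8_lossy(line).trim_end().to_string());
    }
    // TLS record header: content type (1), legacy version 0x0301..0x0304 (2), length (2).
    if first.len() >= 5 && first[1] == 0x03 && (1..=4).contains(&first[2]) {
        let len = u16::from_be_bytes([first[3], first[4]]) as usize;
        match first[0] {
            0x15 if len == 2 && first.len() >= 7 => {
                let (level, description) = (first[5], first[6]);
                return Peer::TlsAlert { fatal: level == 2, description, name: alert_name(description) };
            }
            0x16 => return Peer::TlsHandshake,
            _ => {}
        }
    }
    Peer::Unknown
}

/// The two encryption modes this thread switches between (names are mine).
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Mode { Tls, StartTls }

/// Turn what the wire showed into a concrete next step.
pub fn diagnose(mode: Mode, first: &[u8]) -> String {
    match (mode, classify(first)) {
        (Mode::Tls, Peer::PlaintextSmtp(banner)) => format!(
            "plaintext greeting ({}): this port speaks cleartext SMTP first, so use SMTP_ENCRYPTION=STARTTLS here or the implicit-TLS port 465", banner),
        (Mode::StartTls, Peer::PlaintextSmtp(_)) =>
            "plaintext greeting as expected for STARTTLS; next check that EHLO advertises STARTTLS".to_string(),
        (Mode::StartTls, Peer::Silent) =>
            "no greeting: an implicit-TLS port waits for a ClientHello, so use SMTP_ENCRYPTION=TLS (typically port 465)".to_string(),
        (Mode::Tls, Peer::Silent) =>
            "no ServerHello after the connect; check the firewall path and the port".to_string(),
        (_, Peer::TlsAlert { fatal, description, name }) => format!(
            "{} TLS alert {} ({}): transport mode is right, the handshake was refused; for protocol_version compare the server's accepted TLS versions with what the client offers",
            if fatal { "fatal" } else { "warning" }, description, name),
        (_, Peer::TlsHandshake) =>
            "TLS handshake is proceeding; if sending still fails, look at the certificate chain and SMTP AUTH, not the port".to_string(),
        (mode, Peer::Unknown) => format!("unrecognised first bytes in {:?} mode; capture the session and inspect the record header", mode),
    }
}

fn main() {
    // Constructed samples, not real captures.
    let alert_protocol_version = [0x15u8, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46];
    let postfix_banner = b"220 mail.example.test ESMTP Postfix\r\n";
    let server_hello_prefix = [0x16u8, 0x03, 0x03, 0x00, 0x7a, 0x02, 0x00, 0x00, 0x76];
    let empty: [u8; 0] = [];
    let samples: [(Mode, &[u8]); 4] = [
        (Mode::Tls, &alert_protocol_version),
        (Mode::Tls, postfix_banner),
        (Mode::StartTls, &empty),
        (Mode::Tls, &server_hello_prefix),
    ];
    for (mode, bytes) in samples.iter() {
        println!("{:?}: {}", mode, diagnose(*mode, bytes));
    }
}
```

The point of splitting the record header from the alert body is that the three failure shapes in this thread look different on the wire even when the client library reports them all as "connection error": a 220 banner where a ServerHello was expected is a port mistake, silence under STARTTLS is the inverse mistake, and only the alert record means the TLS layers actually talked.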

@mevgmbh commented on GitHub (Jul 30, 2025):

The SMTP settings are a bit "picky": I tested with my local hosting company netcup.de, the SMTP relay mailbaby (https://www.mail.baby) and the free (0 US$) SMTP2Go (https://www.smtp2go.com/), which works well with:
- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true
- LLDAP_SMTP_OPTIONS__SERVER=mail.smtp2go.com
- LLDAP_SMTP_OPTIONS__PORT=587
- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=STARTTLS
- LLDAP_SMTP_OPTIONS__USER=email@domain.com # The SMTP user, usually your email address
- LLDAP_SMTP_OPTIONS__PASSWORD=WhatEverItIs # The SMTP password of the SMTP2Go User
- LLDAP_SMTP_OPTIONS__FROM=WhereEver <email@domain.com>
- LLDAP_SMTP_OPTIONS__TO=WhereEver <email@domain.com>

@nitnelave commented on GitHub (Jul 30, 2025):

I found that usually, when people have an issue with the SMTP settings, it's due to quoting of the password (or lack thereof). Can you check whether that's the case here?

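Added example, not LLDAP's own code: a static check over the LLDAP_SMTP_OPTIONS__* variables for the two things this thread keeps coming back to, quotes in the values (the Ansible-templated "{{ var }}" form shown earlier, and the password quoting nitnelave asks about here) and the port/encryption-mode pairing. It relies on how Compose reads a `- KEY=value` list item: YAML strips quotes only around the whole scalar, Compose then splits at the first '=' and hands the rest over verbatim, so `KEY="value"` delivers the quotes to the process. The value NONE for SMTP_ENCRYPTION is an assumption (the thread only shows TLS and STARTTLS); the three configs in main() and the test are constructed, and the password values in them are made up.

```rust
// Added example, not LLDAP code. Parses Compose `environment:` list items the way
// Compose does and lints the LLDAP_SMTP_OPTIONS__* variables for quoting and
// port/encryption mismatches. Sample configs are constructed.

#[derive(Debug, Clone, PartialEq)]
pub struct EnvVar {
    pub key: String,
    pub value: String,
}

/// Parse one `- KEY=value` item: YAML drops a trailing ` # comment` and quotes around
/// the whole scalar; Compose then splits at the first '=' and keeps the rest verbatim.
pub fn parse_compose_item(line: &str) -> Option<EnvVar> {
    let mut item = line.trim();
    if let Some(rest) = item.strip_prefix('-') {
        item = rest.trim_start();
    }
    let quoted_scalar = item.starts_with('"') || item.starts_with('\'');
    if !quoted_scalar {
        if let Some((before, _comment)) = item.split_once(" #") {
            item = before.trim_end();
        }
    }
    let unquoted = match item.strip_prefix('"').and_then(|s| s.strip_suffix('"')) {
        Some(s) => Some(s),
        None => item.strip_prefix('\'').and_then(|s| s.strip_suffix('\'')),
    };
    if let Some(inner) = unquoted {
        item = inner;
    }
    let (key, value) = item.split_once('=')?;
    Some(EnvVar { key: key.trim().to_string(), value: value.to_string() })
}

const PREFIX: &str = "LLDAP_SMTP_OPTIONS__";

fn strip_quotes(v: &str) -> &str {
    v.trim_matches(|c: char| c == '"' || c == '\'')
}

fn has_surrounding_quotes(v: &str) -> bool {
    v.len() >= 2
        && ((v.starts_with('"') && v.ends_with('"')) || (v.starts_with('\'') && v.ends_with('\'')))
}

/// Value of LLDAP_SMTP_OPTIONS__<name> with stray quotes removed, for the cross-checks.
fn get<'a>(vars: &'a [EnvVar], name: &str) -> Option<&'a str> {
    let key = format!("{}{}", PREFIX, name);
    vars.iter().find(|v| v.key == key).map(|v| strip_quotes(&v.value))
}

/// Findings for the SMTP variables; an empty Vec means nothing obviously wrong.
pub fn lint_smtp(vars: &[EnvVar]) -> Vec<String> {
    let mut findings = Vec::new();

    // 1. Quotes that survived templating (e.g. `"{{ pass }}"`) become part of the value.
    for v in vars.iter().filter(|v| v.key.starts_with(PREFIX)) {
        if has_surrounding_quotes(&v.value) {
            // Never echo the secret itself into a log or report.
            let shown = if v.key.ends_with("PASSWORD") { "<redacted>" } else { v.value.as_str() };
            findings.push(format!("{}: value {} reaches LLDAP with its quotes; drop them", v.key, shown));
        }
    }

    // 2. Port versus encryption mode: 465 is implicit TLS, 25/587 greet in cleartext first.
    let port = get(vars, "PORT").and_then(|p| p.parse::<u16>().ok());
    let enc = get(vars, "SMTP_ENCRYPTION").map(|e| e.to_ascii_uppercase());
    match (port, enc.as_deref()) {
        (None, _) => findings.push(format!("{}PORT missing or not a number", PREFIX)),
        (_, None) => findings.push(format!("{}SMTP_ENCRYPTION missing", PREFIX)),
        (Some(465), Some("STARTTLS")) => findings.push(
            "port 465 is implicit TLS; STARTTLS will wait for a greeting that never comes".to_string(),
        ),
        (Some(p @ (25 | 587)), Some("TLS")) => findings.push(format!(
            "port {} sends a cleartext greeting first; use SMTP_ENCRYPTION=STARTTLS or port 465", p
        )),
        (Some(_), Some("TLS" | "STARTTLS" | "NONE")) => {}
        (Some(_), Some(other)) => findings.push(format!("unknown SMTP_ENCRYPTION value {:?}", other)),
    }

    // 3. Password reset needs a user; FROM and REPLY_TO may stay unset.
    let reset_on = get(vars, "ENABLE_PASSWORD_RESET").map_or(false, |v| v.eq_ignore_ascii_case("true"));
    if reset_on && get(vars, "USER").map_or(true, str::is_empty) {
        findings.push(format!("{}USER is empty but password reset is enabled", PREFIX));
    }
    findings
}

fn main() {
    // Constructed: the Ansible-templated compose list once `{{ ... }}` is filled in.
    let templated = [
        "- LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET=true",
        "- LLDAP_SMTP_OPTIONS__SERVER=\"smtp.example.test\"",
        "- LLDAP_SMTP_OPTIONS__PORT=465",
        "- LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION=TLS",
        "- LLDAP_SMTP_OPTIONS__USER=\"lldap@example.test\"",
        "- LLDAP_SMTP_OPTIONS__PASSWORD=\"constructed-secret\"",
    ];
    let vars: Vec<EnvVar> = templated.iter().filter_map(|l| parse_compose_item(l)).collect();
    for f in lint_smtp(&vars) {
        println!("{}", f);
    }
}
```

Against the templated list the linter reports the three quoted values (with the password redacted in the finding) and nothing for 465/TLS; against the same list with the quotes removed, or with the whole item quoted as `- "KEY=value"`, it reports nothing, which is the shape of the fix described earlier in the thread.
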
@mevgmbh commented on GitHub (Jul 30, 2025):

I tried Netcup and MailBaby with no special characters (only a-z/A-Z/0-9), with and without quotes, and none worked on 587:STARTTLS. SMTP2Go works out of the box (and should be limitation due to 200 0€ emails/day) without "".

@mevgmbh commented on GitHub (Jul 30, 2025):

SMTP2Go works out of the box (and there should be NO limitation, thanks to the 200 emails/day at 0€) without "", and the password is also only a-z/A-Z/0-9.
