[GH-ISSUE #429] Allow TLS1.2 for sending emails with starttls #253

Closed
opened 2026-03-03 01:27:16 +03:00 by kerem · 6 comments

Originally created by @nicolaspernoud on GitHub (Mar 10, 2019).
Original GitHub issue: https://github.com/dani-garcia/vaultwarden/issues/429

Hi,

Thanks for your amazing work.
I ran into the following issue: my mail server (https://github.com/mailcow/mailcow-dockerized) only allows TLS 1.2 when using SSL encryption with STARTTLS.
It would seem bitwarden_rs doesn't manage to handshake with it.

Log:

[2019-03-10 13:08:56][_][INFO] Matched: POST /api/accounts/password-hint (password_hint)
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] connecting to *.*.*.*:587
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Read: 220 mail.*.* ESMTP Postcow<CRLF>
[2019-03-10 13:08:56][lettre::smtp][INFO] connection established to *.*.*.*:587
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Wrote: EHLO bc1a4c534636<CRLF>
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Read: 250-mail.*.*<CRLF>250-PIPELINING<CRLF>250-SIZE 104857600<CRLF>250-ETRN<CRLF>250-STARTTLS<CRLF>250-ENHANCEDSTATUSCODES<CRLF>250-8BITMIME<CRLF>250 DSN<CRLF>
[2019-03-10 13:08:56][lettre::smtp][DEBUG] server mail.*.* with {StartTls, EightBitMime}
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Wrote: STARTTLS<CRLF>
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Read: 220 2.0.0 Ready to start TLS<CRLF>
[2019-03-10 13:08:56][lettre::smtp::client][DEBUG] Wrote: QUIT<CRLF>
[2019-03-10 13:08:56][bitwarden_rs::error][ERROR] Error sending email. handshake error

Could you do something about it?

Thanks,

Best regards.

kerem closed this issue 2026-03-03 01:27:17 +03:00

@dani-garcia commented on GitHub (Mar 10, 2019):

As far as I know, we only specify a minimum of TLS 1.1, but not a maximum, so it should work fine with TLS 1.2 as it is. I'm not sure why it wouldn't work.

Anyway, this reminded me I needed to add an option to disable STARTTLS and instead use a normal TLS wrapped connection, so I've added that in https://github.com/dani-garcia/bitwarden_rs/commit/e93538cea959568292a7d37f49a9f6c2ad196a92. Maybe you can give that a try?


@nicolaspernoud commented on GitHub (Mar 10, 2019):

Thanks, I'll give it a try when the Docker image is updated.

In the meantime, for what it's worth, here's the Postfix log when the connection fails:

warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:

... and the Postfix options regarding TLS:

smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
smtpd_tls_key_file = /etc/ssl/mail/key.pem
smtpd_use_tls=yes
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
  proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf,
  proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf,
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/cert.pem
smtp_tls_key_file = /etc/ssl/mail/key.pem
smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_in_policy.cf, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams.pem
smtpd_tls_eecdh_grade = auto
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
smtpd_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_ciphers = high
smtp_tls_policy_maps=proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o tls_preempt_cipherlist=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
  -o tls_preempt_cipherlist=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_tls_auth_only=no
smtp_enforced_tls      unix  -       -       n       -       -       smtp
  -o smtp_tls_security_level=encrypt
  -o syslog_name=enforced-tls-smtp

@nicolaspernoud commented on GitHub (Mar 11, 2019):

I tried the new image, with -e SMTP_EXPLICIT_TLS=true, and the outcome was the same:

[2019-03-11 09:44:10][_][INFO] Matched: POST /api/accounts/password-hint (password_hint)
[2019-03-11 09:44:10][lettre::smtp::client][DEBUG] connecting to *.*.*.*:465
[2019-03-11 09:44:16][bitwarden_rs::error][ERROR] Error sending email. handshake error

The Postfix log was the same: warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1399:SSL alert number 48:

It would seem that mailcow accepts connections with TLS less than 1.2 if a certificate is present, and since there is no certificate, the connection fails.

Maybe an option to force TLS version on bitwarden_rs could do the trick...


@dani-garcia commented on GitHub (Mar 13, 2019):

That's interesting. On second thought, the tlsv1 alert unknown ca error seems unrelated to the TLS handshake. Is the certificate self-signed? Can you check with another client if it's possible to connect?


@kennymc-c commented on GitHub (Mar 14, 2019):

The explicit TLS option at least helped me to solve my problem with sending mails from Bitwarden. So far there was always an unexpected error in the client when I wanted to send a master password hint and there was nothing in the log about it.


@nicolaspernoud commented on GitHub (Mar 14, 2019):

It happens that my certificate was self-signed (I use mailcow behind another automatic Let's Encrypt reverse proxy, so the web certificate was OK but not the one used by Postfix). Replacing the certificate with the correct one works fine, with both port 587 + STARTTLS or port 465 and the SMTP_EXPLICIT_TLS=true option.

Thanks a lot and kudos for your great work!

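Added example (editor's, not the project's code and not from the thread): a loopback reproduction of the two points settled above, that the "tlsv1 alert unknown ca" line in the Postfix log is alert 48 sent by a certificate-verifying client that does not trust the server certificate and logged by the server, and that it has nothing to do with which TLS version is negotiated. Python's ssl module stands in for lettre/native-tls here; the hostname mail.example.test is made up, and the openssl CLI is assumed to be on PATH, used only to mint a throwaway self-signed certificate. The same verifying client runs four times: against the self-signed cert with default trust, the same pinned to TLS 1.2, with the cert added as a trust anchor, and trusted plus pinned to TLS 1.2. The first two fail the same way (client: CERTIFICATE_VERIFY_FAILED, server: TLSV1_ALERT_UNKNOWN_CA); the last two succeed.

```python
"""Loopback reproduction of the failure in this thread (added example, not
project code): a certificate-verifying TLS client, like lettre's default,
refuses a self-signed server certificate with alert 48 (unknown_ca), the
server is the side that logs "tlsv1 alert unknown ca", and pinning the
client to TLS 1.2 changes nothing, while trusting the certificate fixes it.

Assumptions: the openssl CLI is on PATH (used only to mint a throwaway
self-signed certificate) and the hostname below is constructed.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "mail.example.test"  # constructed; not the reporter's server


def make_self_signed(dirpath, hostname=HOSTNAME):
    """Write a self-signed cert/key for `hostname` with the openssl CLI."""
    cert, key = os.path.join(dirpath, "cert.pem"), os.path.join(dirpath, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert, "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True)
    return cert, key


def _serve_one(cert, key, listener, outcome):
    """Accept one connection; record the handshake as the server saw it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    conn, _ = listener.accept()
    conn.settimeout(5)
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            outcome["server"] = "ok:" + tls.version()
    except ssl.SSLError as exc:
        # The peer's fatal alert surfaces here, e.g. TLSV1_ALERT_UNKNOWN_CA:
        # this is what Postfix printed as "tlsv1 alert unknown ca".
        outcome["server"] = "error:" + (exc.reason or str(exc))
    except OSError as exc:
        outcome["server"] = "error:" + type(exc).__name__


def handshake(cert, key, cafile=None, force_tls12=False):
    """One client/server handshake on 127.0.0.1; returns both sides' verdicts."""
    outcome = {}
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        listener.settimeout(5)
        port = listener.getsockname()[1]
        server = threading.Thread(target=_serve_one, args=(cert, key, listener, outcome))
        server.start()

        # Verifying client: chain to a trusted CA plus hostname match.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        if cafile:
            ctx.load_verify_locations(cafile)   # trust the server's own cert
        else:
            ctx.load_default_certs()            # system CA bundle only
        if force_tls12:
            ctx.minimum_version = ssl.TLSVersion.TLSv1_2
            ctx.maximum_version = ssl.TLSVersion.TLSv1_2

        raw = socket.create_connection(("127.0.0.1", port), timeout=5)
        tls = ctx.wrap_socket(raw, server_hostname=HOSTNAME, do_handshake_on_connect=False)
        try:
            tls.do_handshake()
            outcome["client"] = "ok:" + tls.version()
        except ssl.SSLError as exc:
            outcome["client"] = "error:" + (exc.reason or str(exc))
        finally:
            server.join(5)   # let the server read our alert before we close
            tls.close()
    return outcome


def reproduce():
    """Run the scenarios discussed in the thread and return their outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        return {
            "self-signed, default trust": handshake(cert, key),
            "self-signed, TLS 1.2 pinned": handshake(cert, key, force_tls12=True),
            "trusted cert": handshake(cert, key, cafile=cert),
            "trusted cert, TLS 1.2 pinned": handshake(cert, key, cafile=cert, force_tls12=True),
        }


if __name__ == "__main__":
    for name, res in reproduce().items():
        print(f"{name:30} client={res['client']:40} server={res['server']}")
```

Against a real server the same distinction shows up with openssl s_client -starttls smtp -connect host:587 -servername host (or port 465 without -starttls): a self-signed Postfix certificate gives "Verify return code: 18 (self signed certificate)" even though the handshake itself completes, whereas a protocol-version mismatch fails before any certificate is shown at all.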