SMTP Connection Error: "wrong version number" despite modern TLS/Cipher support #6

New Issue

AtHeartEngineer · 2025-07-08T08:37:14-04:00

AtHeartEngineer commented

2025-07-08 08:37:14 -04:00

Originally created by @cirilloblu on 7/5/2025

Vaultwarden Support String

Your environment (Generated via diagnostics page)

Vaultwarden version: v1.34.1
Web-vault version: v2025.5.0
OS/Arch: linux/x86_64
Running within a container: true (Base: Debian)
Database type: PostgreSQL
Database version: PostgreSQL 17.5 (Debian 17.5-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
Uses config.json: true
Uses a reverse proxy: true
IP Header check: true (X-Real-IP)
Internet access: true
Internet access via a proxy: false
DNS Check: true
Browser/Server Time Check: true
Server/NTP Time Check: true
Domain Configuration Check: true
HTTPS Check: true
Websocket Check: false
HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_ACCEPT_INVALID_CERTS

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "/data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "/data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "**********://****************************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://***********************",
  "domain_origin": "*****://***********************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": "**************************",
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "/data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "/data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "/data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": true,
  "smtp_from": "******************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*******************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "force_tls",
  "smtp_ssl": false,
  "smtp_timeout": 15,
  "smtp_username": "**********************",
  "templates_folder": "/data/templates",
  "tmp_folder": "/data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.1

Deployment method

Official Container Image

Custom deployment method

On kubernetes, deployment.
The env are inside a secret:

resource "kubernetes_secret" "vaultwarden-secrets" {
  metadata {
    name      = "vaultwarden-secrets"
    namespace = "cloud"
  }

  type = "generic"

  data = {
    ADMIN_TOKEN : var.secrets.vaultwarden.admintoken
    DATABASE_URL : "postgresql://${var.secrets.databases.vaultwarden.username}:${var.secrets.databases.vaultwarden.password}@vault-rw.database.svc.cluster.local:5432/vaultwarden"
    SMTP_FROM : "psw@${var.secrets.general.localdomainname}"
    SMTP_HOST : "mail.${var.secrets.general.localdomainname}"
    SMTP_PASS : var.secrets.mail.service.password
    SMTP_PORT : "587"
    SMTP_SSL : "false"
    SMTP_EXPLICIT_TLS : "true"
    SMTP_CA_FILE : "/data/certs/cert.crt"
    SMTP_ACCEPT_INVALID_CERTS : "true"
    SMTP_USER : var.secrets.mail.service.username
  }
}

Reverse Proxy

ingress-nginx v1.12.3

Host/Server Operating System

Linux

Operating System Version

gentoo

Clients

Browser Extension, Web Vault

Client Version

No response

Steps To Reproduce

Try to send an email, change my personal mail. No mail...

Expected Result

Mail sent

Actual Result

No mail, error in connection:

routines:ssl3_get_record:wrong version number

Logs

[2025-07-05 18:59:45.373][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
[2025-07-05 18:59:45.373][vaultwarden::api::core::accounts][ERROR] Error sending change-email email: SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:

Screenshots or Videos

No response

Additional Context

My mail server have tls1_2, tls1_3 and this cipher...

openssl s_client -connect mail.mydomain.lan:587 -starttls smtp -tls1_2 < /dev/null 2>&1 | grep -E 'Cipher is|Ciphers are'
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

openssl s_client -connect mail.mydomain.lan:587 -starttls smtp -tls1_3 < /dev/null 2>&1 | grep -E 'Cipher is|Ciphers are'
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384

*Originally created by @cirilloblu on 7/5/2025* ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.1 * Web-vault version: v2025.5.0 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Debian) * Database type: PostgreSQL * Database version: PostgreSQL 17.5 (Debian 17.5-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit * Uses config.json: true * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: false * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Environment settings which are overridden:** DOMAIN, SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, SHOW_PASSWORD_HINT, ADMIN_TOKEN, SMTP_HOST, SMTP_PORT, SMTP_FROM, SMTP_ACCEPT_INVALID_CERTS **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "/data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "/data", "database_conn_init": "", "database_max_conns": 10, "database_timeout": 30, "database_url": "**********://****************************************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "domain": "*****://***********************", "domain_origin": "*****://***********************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": true, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": null, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": "**************************", "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "/data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": true, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "", "org_events_enabled": false, "org_groups_enabled": false, "password_hints_allowed": true, "password_iterations": 600000, "push_enabled": false, "push_identity_uri": "https://identity.bitwarden.com", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://push.bitwarden.com", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "/data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "/data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": true, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": true, "smtp_from": "******************", "smtp_from_name": "Vaultwarden", "smtp_host": "*******************", "smtp_password": "***", "smtp_port": 587, "smtp_security": "force_tls", "smtp_ssl": false, "smtp_timeout": 15, "smtp_username": "**********************", "templates_folder": "/data/templates", "tmp_folder": "/data/tmp", "trash_auto_delete_days": null, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": null, "yubico_secret_key": null, "yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.1 ### Deployment method Official Container Image ### Custom deployment method On kubernetes, deployment. The env are inside a secret: ``` resource "kubernetes_secret" "vaultwarden-secrets" { metadata { name = "vaultwarden-secrets" namespace = "cloud" } type = "generic" data = { ADMIN_TOKEN : var.secrets.vaultwarden.admintoken DATABASE_URL : "postgresql://${var.secrets.databases.vaultwarden.username}:${var.secrets.databases.vaultwarden.password}@vault-rw.database.svc.cluster.local:5432/vaultwarden" SMTP_FROM : "psw@${var.secrets.general.localdomainname}" SMTP_HOST : "mail.${var.secrets.general.localdomainname}" SMTP_PASS : var.secrets.mail.service.password SMTP_PORT : "587" SMTP_SSL : "false" SMTP_EXPLICIT_TLS : "true" SMTP_CA_FILE : "/data/certs/cert.crt" SMTP_ACCEPT_INVALID_CERTS : "true" SMTP_USER : var.secrets.mail.service.username } } ``` ### Reverse Proxy ingress-nginx v1.12.3 ### Host/Server Operating System Linux ### Operating System Version gentoo ### Clients Browser Extension, Web Vault ### Client Version _No response_ ### Steps To Reproduce Try to send an email, change my personal mail. No mail... ### Expected Result Mail sent ### Actual Result No mail, error in connection: routines:ssl3_get_record:wrong version number ### Logs ```text [2025-07-05 18:59:45.373][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354: [2025-07-05 18:59:45.373][vaultwarden::api::core::accounts][ERROR] Error sending change-email email: SMTP error: Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354: ``` ### Screenshots or Videos _No response_ ### Additional Context My mail server have tls1_2, tls1_3 and this cipher... ``` openssl s_client -connect mail.mydomain.lan:587 -starttls smtp -tls1_2 < /dev/null 2>&1 | grep -E 'Cipher is|Ciphers are' New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 ``` ``` openssl s_client -connect mail.mydomain.lan:587 -starttls smtp -tls1_3 < /dev/null 2>&1 | grep -E 'Cipher is|Ciphers are' New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 ```

AtHeartEngineer closed this issue

2025-07-08 08:37:14 -04:00

AtHeartEngineer added the bug bug bug bug bug bug labels 2025-07-08 08:37:15 -04:00

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/vaultwarden#6