Test email sends properly, but 2FA email is blocked

[Wolbaz]

2FA email is rejected by Gmail

I have SMTP setup sufficiently that gmail allows the test emails to go through, yet when I try to set up 2FA through email, those messages get blocked.

Deployment environment

• vaultwarden version: 1.28.1

• Install method: Docker Container

• Clients used: Web Vault, Android

• Reverse proxy and version: traefik 2.6.7

• MySQL/MariaDB or PostgreSQL version:

• Other relevant details:

Steps to reproduce

Setup SMTP using gmail, send test email, attempt to send 2fa email.

Expected behaviour

Email sent

Actual behaviour

Email blocked by gmail. Have also tried a seperate email address not related to gmail and it was also blocked.

Troubleshooting data

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.28.1
• Web-vault version: v2023.3.0b
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.39.2
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: SIGNUPS_ALLOWED, INVITATIONS_ALLOWED, ADMIN_TOKEN

{
  "_duo_akey": null,
  "_enable_duo": false,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*************************",
  "domain_origin": "*****://*************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 100000,
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": true,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": true,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "*************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

[Wolbaz]

I was able to work around this by running my emails through Mailjet instead of Gmail.

[BlackDex]

If I'm correct, Google will also block if the from name deviates to much from the configured user. It may not do this the first few mails, but there AI or what ever you want to call it will do that after a few emails from what i understand.

Besides that, there is nothing we can do. We can't magically pass through there detection filtering.

I suggest to s see if emails will work when you change the from name from Vaultwarden to the actual name of that mailbox and see what happens. Other than that, we can't do anything I'm afraid.

[MuellerNicolas]

Same error for me. Verification mail was sent correctly, but when trying to enable 2FA, i receive this error in my gmail inbox.
I've tryed to change the SMTP_FROM_NAME to the Name of Google Account as well as to the E-Mail Address of the Google Account. Both did not work for me.

Do you think there is any chance, we could report this to google, that they are adapting their filters? (In my quick research, i wasn't able to find a support contact - seems like they do not care about "Home-Users" aside from workspace customers)

[BlackDex]

Google will not change anything to there filters. They will not tell how it works etc... etc... So, i doubt that will work.

[aureateflux]

Looking at the support page linked in the error (I can verify I'm getting it as well), it looks like it falls under "Message flagged as spam" or "Message Temporarily Rejected."

The only substantial difference I can see between the SMTP Test Email (which works consistently), the New Device Email (which appears to work consistently), and the Two-step Login Verification Code Email (which fails consistently) is the confirmation code itself. I thought perhaps it might be the link to the github page, but if that were the case all the emails would link it. Maybe there's something else that distinguishes them?

My particular setup does involve an email alias, which might be relevant as well.

[zeitue]

One thing I noticed on this is that the email subject line seems to be what is causing the email to be bounced so if we could change the subject line we could get it to work, most likely.

[BlackDex]

You are allowed to update it and create PR so that we can merge this into our current branch, that would be appreciated.

Having a feature to edit these items is a bit difficult, since we could update the templates during version updates, and then your changes would be gone, or doesn't match the new way.

The current way we support it right now is i think the best way, and that way people know they are changing stuff they need to check during updates.

[MuellerNicolas]

OK, it took a bit of trial and error to get the TEMPLATES_FOLDER variable set correctly, but once I did I was able to use a modified email template that changed the subject line from "Your Two-step Login Verification Code" to "Vaultwarden 2FA Code". I can verify that the altered subject line did make it through Google's filters, so that's confirmation of Zeitue's hypothesis.

If the template defaults are changed in the future, I would recommend something like "Vaultwarden Confirmation Code" (which I can verify also gets past Google).

As a future update, I think adding support in the Admin WebUI for editing the templates would be a useful feature.

@aureateflux what was the trick on the TEMPLATES_FOLDER variable?

I'm currently trying to set it to my custom templates, but the new template is not being loaded, even after restarting the docker compose. (It's sending with the old email subject)

My file structure:

vw-data
└─templates
     └─email
        │   twofactor_email.hbs
        │   twofactor_email.html.hbs

twofactor_email.hbs

Vaultwarden Confirmation Code
<!---------------->
Your two-step verification code is: {{token}}

Use this code to complete logging in with Vaultwarden.
{{> email/email_footer_text }}

twofactor_email.html.hbs

Vaultwarden Confirmation Code
<!---------------->
{{> email/email_header }}
<table width="100%" cellpadding="0" cellspacing="0" style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
            Your two-step verification code is: <b>{{token}}</b>
        </td>
    </tr>
    <tr style="margin: 0; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; -webkit-font-smoothing: antialiased; -webkit-text-size-adjust: none;">
        <td class="content-block" style="font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; box-sizing: border-box; font-size: 16px; color: #333; line-height: 25px; margin: 0; -webkit-font-smoothing: antialiased; padding: 0 0 10px; -webkit-text-size-adjust: none;" valign="top">
            Use this code to complete logging in with Vaultwarden.
        </td>
    </tr>
</table>
{{> email/email_footer }}

My docker compose config:

services:
  vaultwarden:
    environment:
       TEMPLATES_FOLDER: "/data/templates/email"
    volumes:
      - ./vw-data:/data

What am I doing wrong?

[aureateflux]

Your file structure is correct, but TEMPLATES_FOLDER should be "/data/templates/" -- the way you have it, it's starting in vw-data/templates/email and expecting to see another folder there called 'email.' It may be helpful to log into the admin panel and check the read-only config to make sure whatever you've defined for the templates variable matches the format of the icons, attachments, etc folders.

Also remember that you need to restart or rebuild the container when you change environment variables; a restart is also necessary if you add or replace any templates while it's running.

@BlackDex I set up the pull request; hopefully didn't do anything dumb!

[zeitue]

Where did you get the email templates from? I don't see twofactor_email.hbs or twofactor_email.html.hbs in the container anywhere.

[MuellerNicolas]

You can find the templates here: https://github.com/dani-garcia/vaultwarden/tree/main/src/static/templates/email

[depoo-94]

Hello together,

my english is not the best but i hope that you guys can understand me. And yepp im a beginner i'm sorry.

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.30.3
• Web-vault version: v2024.1.2
• OS/Arch: linux/x86_64
• Running within Docker: true (Base: Debian)
• Environment settings overridden: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: true
• HTTPS Check: true
• Database type: SQLite
• Database version: 3.44.0
• Clients used:
• Reverse proxy and version:
• Other relevant information:

Config (Generated via diagnostics page)

Show Running Config

Environment settings which are overridden: DOMAIN, ADMIN_TOKEN, DISABLE_2FA_REMEMBER, ADMIN_SESSION_LIFETIME, SMTP_HOST, SMTP_SECURITY, SMTP_PORT, SMTP_FROM, SMTP_FROM_NAME, SMTP_USERNAME, SMTP_PASSWORD

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_smtp_img_src": "cid:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 5,
  "admin_token": "***",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "***************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "*****://*****************************",
  "domain_origin": "*****://*****************************",
  "domain_path": "",
  "domain_set": true,
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "fido2-vault-credentials",
  "extended_logging": true,
  "helo_name": null,
  "hibp_api_key": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "Info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "*********************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "************************",
  "templates_folder": "/volume4/vaultwarden/data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "websocket_address": "0.0.0.0",
  "websocket_enabled": false,
  "websocket_port": 3012,
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

I installed Vaultwarden without problems weeks ago. SMTP was working fine. Today i activated my 2FA for my hotmail-Account (now outlook). So it was necessary to verify each login in my Mobile phone, PC etc.

The SMTP Test in the admin Panel shows me the error:

SMTP 5xx error: permanent error (535): 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

Yes of course beacuse i changed my security in my mail account.

My steps to solve the Problem without solution

I add to my existing environment (docker compose):

  TEMPLATES_FOLDER: "/volume4/vaultwarden/data/templates"

After then i add the files twofactor_email.hbs and twofactor_email.html.hbs in Path /volume4/vaultwarden/data/templates but know i don`t know what i have to do.

Inside the *.hbs files it is an variable(?) named token

Which kind of token does it mean? API; TOTP?

Actually i have the TOTP - Token

And the Question is, where i have to put the (right) token. Inside the files or in the Admin GUI? Because i can't find a input box.

[stefan0xC]

SMTP 5xx error: permanent error (535): 5.7.139 Authentication unsuccessful, the user credentials were incorrect.

This error message has nothing to do with the email templates. If you have enabled 2FA on your hotmail account you probably need to set up an app password for Vaultwarden so it can authenticate.

The {token} used in the template is generated by Vaultwarden and automatically replaced, so it's not something you have to think about. C.f.

vaultwarden/src/mail.rs

Lines 469 to 480 in 897bdf8

	pub async fn send_token(address: &str, token: &str) -> EmptyResult {
	let (subject, body_html, body_text) = get_text(
	"email/twofactor_email",
	json!({
	"url": CONFIG.domain(),
	"img_src": CONFIG._smtp_img_src(),
	"token": token,
	}),
	)?;
	send_email(address, &subject, body_html, body_text).await
	}

[depoo-94]

Thanks for your support.
So i have to generate a new password first in outlook for apps. After than i have to replace my "smtp_password" in environment with the app password?

[depoo-94]

I tried like try and error. The change does not worked in the environment but in the admin GUI.

Thank you so much!