SMTP fails to send mail when mail server certificate is signed with ecdsa-with-SHA512 #234

Closed
opened 2026-04-05 20:41:31 +02:00 by MrUnknownDE · 0 comments
Owner

Originally created by @Galaxy102 on 12/15/2025

Prerequisites

Vaultwarden Support String

Your environment (Generated via diagnostics page)

  • Vaultwarden version: v1.34.3-57bdab15
  • Web-vault version: v2025.10.1
  • OS/Arch: linux/x86_64
  • Running within a container: true (Base: Alpine)
  • Database type: PostgreSQL
  • Database version: PostgreSQL 15.6 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014, 64-bit
  • Uses config.json: false
  • Uses a reverse proxy: true
  • IP Header check: true (X-Real-IP)
  • Internet access: true
  • Internet access via a proxy: false
  • DNS Check: true
  • Browser/Server Time Check: true
  • Server/NTP Time Check: true
  • Domain Configuration Check: true
  • HTTPS Check: true
  • Websocket Check: true
  • HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": true,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "***:",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_idle_timeout": 600,
  "database_max_conns": 10,
  "database_min_conns": 2,
  "database_timeout": 30,
  "database_url": "**********://******************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "dns_prefer_ipv6": false,
  "domain": "*****://************",
  "domain_origin": "*****://************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": false,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": 30,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": "************",
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": false,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "***************",
  "org_events_enabled": true,
  "org_groups_enabled": true,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "purge_incomplete_sso_auth": "0 20 0 * * *",
  "push_enabled": true,
  "push_identity_uri": "https://identity.bitwarden.eu",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://api.bitwarden.eu",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": true,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": false,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": null,
  "smtp_debug": false,
  "smtp_embed_images": true,
  "smtp_explicit_tls": null,
  "smtp_from": "*********************",
  "smtp_from_name": "***********",
  "smtp_host": "***************",
  "smtp_password": null,
  "smtp_port": 465,
  "smtp_security": "force_tls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": null,
  "sso_allow_unknown_email_verification": false,
  "sso_audience_trusted": null,
  "sso_auth_only_not_session": false,
  "sso_authority": "*****://************************************",
  "sso_authorize_extra_params": "",
  "sso_callback_path": "*****://*****************************************",
  "sso_client_cache_expiration": 0,
  "sso_client_id": "***********",
  "sso_client_secret": "***",
  "sso_debug_tokens": false,
  "sso_enabled": true,
  "sso_master_password_policy": null,
  "sso_only": false,
  "sso_pkce": true,
  "sso_scopes": "email profile",
  "sso_signups_match_email": true,
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": 14,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": "100981",
  "yubico_secret_key": "***",
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3-57bdab15

Deployment method

Official Container Image

Custom deployment method

No response

Reverse Proxy

Træfik 3.2.3

Host/Server Operating System

Linux

Operating System Version

Ubuntu 22.04 LTS

Clients

Web Vault

Client Version

Chromium 143 Web Vault 2025.10.1 Pre-Release

Steps To Reproduce

The problem occurs every time Vaultwarden tries to send an email.

e.g.

  1. Perform login -> login notification fails to send

Expected Result

Email can be sent

Actual Result

No emails can be sent

Logs

[vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: invalid peer certificate: UnsupportedSignatureAlgorithmContext { signature_algorithm_id: [6, 8, 42, 134, 72, 206, 61, 4, 3, 4], supported_algorithms: [0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06032b6570, 0x06092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120, 0x06092a864886f70d01010a3034a00f300d06096086480165030402020500a11c301a06092a864886f70d010108300d06096086480165030402020500a203020130, 0x06092a864886f70d01010a3034a00f300d06096086480165030402030500a11c301a06092a864886f70d010108300d06096086480165030402030500a203020140, 0x06092a864886f70d01010b0500, 0x06092a864886f70d01010c0500, 0x06092a864886f70d01010d0500, 0x06092a864886f70d01010b, 0x06092a864886f70d01010c, 0x06092a864886f70d01010d] }
[2025-12-15 15:07:53.420][vaultwarden::api::identity][ERROR] Error sending new device email: SMTP error: Connection error: Connection error: invalid peer certificate: UnsupportedSignatureAlgorithmContext { signature_algorithm_id: [6, 8, 42, 134, 72, 206, 61, 4, 3, 4], supported_algorithms: [0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06032b6570, 0x06092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120, 0x06092a864886f70d01010a3034a00f300d06096086480165030402020500a11c301a06092a864886f70d010108300d06096086480165030402020500a203020130, 0x06092a864886f70d01010a3034a00f300d06096086480165030402030500a11c301a06092a864886f70d010108300d06096086480165030402030500a203020140, 0x06092a864886f70d01010b0500, 0x06092a864886f70d01010c0500, 0x06092a864886f70d01010d0500, 0x06092a864886f70d01010b, 0x06092a864886f70d01010c, 0x06092a864886f70d01010d] }

Screenshots or Videos

No response

Additional Context

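sslscan output for the affected mail server (server name and IP redacted). I guess the issue is with the certificate's signature algorithm, ecdsa-with-SHA512. The log above supports this: the signature_algorithm_id [6, 8, 42, 134, 72, 206, 61, 4, 3, 4] is the DER encoding of OID 1.2.840.10045.4.3.4 (ecdsa-with-SHA512), while the supported_algorithms list contains the ECDSA entries ending in 040302 (ecdsa-with-SHA256) and 040303 (ecdsa-with-SHA384) but none ending in 040304.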

~> sslscan mailserver.org.tld:465
Version: 2.2.1
OpenSSL 3.6.0 1 Oct 2025

Connected to w.x.y.z

Testing SSL server mailserver.org.tld on port 465 using SNI name mailserver.org.tld

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
OpenSSL version does not support compression
Rebuild with zlib1g-dev package for zlib support

  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve 25519 DHE 253
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve 25519 DHE 253
Preferred TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve 25519 DHE 253
Accepted  TLSv1.2  256 bits  ECDHE-RSA-CHACHA20-POLY1305   Curve 25519 DHE 253

  Server Key Exchange Group(s):
TLSv1.3  128 bits  secp256r1 (NIST P-256)
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.2  128 bits  secp256r1 (NIST P-256)
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA512
RSA Key Strength:    4096

Subject:  mailserver.org.tld
Altnames: DNS:mailserver.org.tld
Issuer:   ORG Automated Intermediate CA
*Originally created by @Galaxy102 on 12/15/2025* ### Prerequisites - [x] I have searched the existing **Closed _AND_ Open** [Issues](https://github.com/dani-garcia/vaultwarden/issues?q=is%3Aissue%20) **_AND_** [Discussions](https://github.com/dani-garcia/vaultwarden/discussions?discussions_q=) - [x] I have searched and read the [documentation](https://github.com/dani-garcia/vaultwarden/wiki/) ### Vaultwarden Support String ### Your environment (Generated via diagnostics page) * Vaultwarden version: v1.34.3-57bdab15 * Web-vault version: v2025.10.1 * OS/Arch: linux/x86_64 * Running within a container: true (Base: Alpine) * Database type: PostgreSQL * Database version: PostgreSQL 15.6 on x86_64-pc-linux-musl, compiled by gcc (Alpine 13.2.1_git20231014) 13.2.1 20231014, 64-bit * Uses config.json: false * Uses a reverse proxy: true * IP Header check: true (X-Real-IP) * Internet access: true * Internet access via a proxy: false * DNS Check: true * Browser/Server Time Check: true * Server/NTP Time Check: true * Domain Configuration Check: true * HTTPS Check: true * Websocket Check: true * HTTP Response Checks: true ### Config & Details (Generated via diagnostics page) <details><summary>Show Config & Details</summary> **Config:** ```json { "_duo_akey": null, "_enable_duo": true, "_enable_email_2fa": true, "_enable_smtp": true, "_enable_yubico": true, "_icon_service_csp": "", "_icon_service_url": "", "_ip_header_enabled": true, "_max_note_size": 10000, "_smtp_img_src": "***:", "admin_ratelimit_max_burst": 3, "admin_ratelimit_seconds": 300, "admin_session_lifetime": 20, "admin_token": "***", "allowed_connect_src": "", "allowed_iframe_ancestors": "", "attachments_folder": "data/attachments", "auth_request_purge_schedule": "30 * * * * *", "authenticator_disable_time_drift": false, "data_folder": "data", "database_conn_init": "", "database_idle_timeout": 600, "database_max_conns": 10, "database_min_conns": 2, "database_timeout": 30, "database_url": 
"**********://******************************************************************", "db_connection_retries": 15, "disable_2fa_remember": false, "disable_admin_token": false, "disable_icon_download": false, "dns_prefer_ipv6": false, "domain": "*****://************", "domain_origin": "*****://************", "domain_path": "", "domain_set": true, "duo_context_purge_schedule": "30 * * * * *", "duo_host": null, "duo_ikey": null, "duo_skey": null, "duo_use_iframe": false, "email_2fa_auto_fallback": false, "email_2fa_enforce_on_verified_invite": false, "email_attempts_limit": 3, "email_change_allowed": false, "email_expiration_time": 600, "email_token_size": 6, "emergency_access_allowed": true, "emergency_notification_reminder_schedule": "0 3 * * * *", "emergency_request_timeout_schedule": "0 7 * * * *", "enable_db_wal": true, "enable_websocket": true, "enforce_single_org_with_reset_pw_policy": false, "event_cleanup_schedule": "0 10 0 * * *", "events_days_retain": 30, "experimental_client_feature_flags": "", "extended_logging": true, "helo_name": "************", "hibp_api_key": null, "http_request_block_non_global_ips": true, "http_request_block_regex": null, "icon_blacklist_non_global_ips": true, "icon_blacklist_regex": null, "icon_cache_folder": "data/icon_cache", "icon_cache_negttl": 259200, "icon_cache_ttl": 2592000, "icon_download_timeout": 10, "icon_redirect_code": 302, "icon_service": "internal", "incomplete_2fa_schedule": "30 * * * * *", "incomplete_2fa_time_limit": 3, "increase_note_size_limit": false, "invitation_expiration_hours": 120, "invitation_org_name": "Vaultwarden", "invitations_allowed": false, "ip_header": "X-Real-IP", "job_poll_interval_ms": 30000, "log_file": null, "log_level": "info", "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f", "login_ratelimit_max_burst": 10, "login_ratelimit_seconds": 60, "org_attachment_limit": null, "org_creation_users": "***************", "org_events_enabled": true, "org_groups_enabled": true, "password_hints_allowed": 
true, "password_iterations": 600000, "purge_incomplete_sso_auth": "0 20 0 * * *", "push_enabled": true, "push_identity_uri": "https://identity.bitwarden.eu", "push_installation_id": "***", "push_installation_key": "***", "push_relay_uri": "https://api.bitwarden.eu", "reload_templates": false, "require_device_email": false, "rsa_key_filename": "data/rsa_key", "send_purge_schedule": "0 5 * * * *", "sendmail_command": null, "sends_allowed": true, "sends_folder": "data/sends", "show_password_hint": false, "signups_allowed": true, "signups_domains_whitelist": "", "signups_verify": false, "signups_verify_resend_limit": 6, "signups_verify_resend_time": 3600, "smtp_accept_invalid_certs": false, "smtp_accept_invalid_hostnames": false, "smtp_auth_mechanism": null, "smtp_debug": false, "smtp_embed_images": true, "smtp_explicit_tls": null, "smtp_from": "*********************", "smtp_from_name": "***********", "smtp_host": "***************", "smtp_password": null, "smtp_port": 465, "smtp_security": "force_tls", "smtp_ssl": null, "smtp_timeout": 15, "smtp_username": null, "sso_allow_unknown_email_verification": false, "sso_audience_trusted": null, "sso_auth_only_not_session": false, "sso_authority": "*****://************************************", "sso_authorize_extra_params": "", "sso_callback_path": "*****://*****************************************", "sso_client_cache_expiration": 0, "sso_client_id": "***********", "sso_client_secret": "***", "sso_debug_tokens": false, "sso_enabled": true, "sso_master_password_policy": null, "sso_only": false, "sso_pkce": true, "sso_scopes": "email profile", "sso_signups_match_email": true, "templates_folder": "data/templates", "tmp_folder": "data/tmp", "trash_auto_delete_days": 14, "trash_purge_schedule": "0 5 0 * * *", "use_sendmail": false, "use_syslog": false, "user_attachment_limit": null, "user_send_limit": null, "web_vault_enabled": true, "web_vault_folder": "web-vault/", "yubico_client_id": "100981", "yubico_secret_key": "***", 
"yubico_server": null } ``` </details> ### Vaultwarden Build Version v1.34.3-57bdab15 ### Deployment method Official Container Image ### Custom deployment method _No response_ ### Reverse Proxy Træfik 3.2.3 ### Host/Server Operating System Linux ### Operating System Version Ubuntu 22.04 LTS ### Clients Web Vault ### Client Version Chromium 143 Web Vault 2025.10.1 Pre-Release ### Steps To Reproduce The problem occurs everytime Vaultwarden tries to send an email. e.g. 1. Perform login -> login notification fails to send ### Expected Result Email can be sent ### Actual Result No emails can be sent ### Logs ```text [vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: invalid peer certificate: UnsupportedSignatureAlgorithmContext { signature_algorithm_id: [6, 8, 42, 134, 72, 206, 61, 4, 3, 4], supported_algorithms: [0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06032b6570, 0x06092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120, 0x06092a864886f70d01010a3034a00f300d06096086480165030402020500a11c301a06092a864886f70d010108300d06096086480165030402020500a203020130, 0x06092a864886f70d01010a3034a00f300d06096086480165030402030500a11c301a06092a864886f70d010108300d06096086480165030402030500a203020140, 0x06092a864886f70d01010b0500, 0x06092a864886f70d01010c0500, 0x06092a864886f70d01010d0500, 0x06092a864886f70d01010b, 0x06092a864886f70d01010c, 0x06092a864886f70d01010d] } [2025-12-15 15:07:53.420][vaultwarden::api::identity][ERROR] Error sending new device email: SMTP error: Connection error: Connection error: invalid peer certificate: UnsupportedSignatureAlgorithmContext { signature_algorithm_id: [6, 8, 42, 134, 72, 206, 61, 4, 3, 4], supported_algorithms: [0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06082a8648ce3d040302, 0x06082a8648ce3d040303, 0x06032b6570, 
0x06092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a203020120, 0x06092a864886f70d01010a3034a00f300d06096086480165030402020500a11c301a06092a864886f70d010108300d06096086480165030402020500a203020130, 0x06092a864886f70d01010a3034a00f300d06096086480165030402030500a11c301a06092a864886f70d010108300d06096086480165030402030500a203020140, 0x06092a864886f70d01010b0500, 0x06092a864886f70d01010c0500, 0x06092a864886f70d01010d0500, 0x06092a864886f70d01010b, 0x06092a864886f70d01010c, 0x06092a864886f70d01010d] } ``` ### Screenshots or Videos _No response_ ### Additional Context sslscan of the affected mail server: (Redacted server name and IP), I guess the issue is with the signature algorithm `ecdsa-with-SHA512`. ``` ~> sslscan mailserver.org.tld:465 Version: 2.2.1 OpenSSL 3.6.0 1 Oct 2025 Connected to w.x.y.z Testing SSL server mailserver.org.tld on port 465 using SNI name mailserver.org.tld SSL/TLS Protocols: SSLv2 disabled SSLv3 disabled TLSv1.0 disabled TLSv1.1 disabled TLSv1.2 enabled TLSv1.3 enabled TLS Fallback SCSV: Server supports TLS Fallback SCSV TLS renegotiation: Session renegotiation not supported TLS Compression: OpenSSL version does not support compression Rebuild with zlib1g-dev package for zlib support Heartbleed: TLSv1.3 not vulnerable to heartbleed TLSv1.2 not vulnerable to heartbleed Supported Server Cipher(s): Preferred TLSv1.3 128 bits TLS_AES_128_GCM_SHA256 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_AES_256_GCM_SHA384 Curve 25519 DHE 253 Accepted TLSv1.3 256 bits TLS_CHACHA20_POLY1305_SHA256 Curve 25519 DHE 253 Preferred TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384 Curve 25519 DHE 253 Accepted TLSv1.2 256 bits ECDHE-RSA-CHACHA20-POLY1305 Curve 25519 DHE 253 Server Key Exchange Group(s): TLSv1.3 128 bits secp256r1 (NIST P-256) TLSv1.3 192 bits secp384r1 (NIST P-384) TLSv1.3 260 bits secp521r1 (NIST P-521) 
TLSv1.3 128 bits x25519 TLSv1.2 128 bits secp256r1 (NIST P-256) TLSv1.2 192 bits secp384r1 (NIST P-384) TLSv1.2 260 bits secp521r1 (NIST P-521) TLSv1.2 128 bits x25519 SSL Certificate: Signature Algorithm: ecdsa-with-SHA512 RSA Key Strength: 4096 Subject: mailserver.org.tld Altnames: DNS:mailserver.org.tld Issuer: ORG Automated Intermediate CA ```