Trouble getting SMTP to work

Hello,

I’m having difficulties getting SMTP to work to invite other users to my vault, the rest works fine. I’m using a self-hosted mail server which is also used by my Gitea container with the exact same login information. Neither force_tls over port 465 nor starttls using port 587 work, while both work for the rest of my services.

According to the logs, the login never reaches the mailserver, so I believe that this might be an error where my nginx reverse proxy does not properly forward the POST request to vaultwarden. Since I wasn’t able to solve it myself, any help is greatly appreciated!

Error message using force_tls:
Error sending SMTP test email
SMTP error: Connection error: Connection error: Connection reset by peer (os error 104)

Error message using starttls:
Error sending SMTP test email
SMTP error: response error: incomplete response

Reverse proxy configuration:
(the example by BlackDex)

# The `upstream` directives ensure that you have a http/1.1 connection
# This enables the keepalive option and better performance
#
# Define the server IP and ports here.
upstream vaultwarden-default {
  zone vaultwarden-default 64k;
  server 127.0.0.1:<myport>;
  keepalive 2;
}

# Needed to support websocket connections
# See: https://nginx.org/en/docs/http/websocket.html
# Instead of "close" as stated in the above link we send an empty value.
# Else all keepalive connections will not work.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      "";
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name <my-domain>;

    return 301 https://$host$request_uri;
}

server {
    # For older versions of nginx, append http2 to the listen line after ssl and remove `http2 on`
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name <my-domain>;

    <ssl-cert-configuration-here>

    client_max_body_size 525M;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # If you use Cloudflare proxying, replace $remote_addr with $http_cf_connecting_ip
    # See https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#nginx-1
    # alternatively use ngx_http_realip_module
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
      proxy_pass http://vaultwarden-default;
    }
}

SMTP configuration:

Vaultwarden logs:
[2025-10-11 07:35:55.616][vaultwarden::mail][ERROR] SMTP error: response error: incomplete response
[2025-10-11 07:35:55.617][response][INFO] (test_smtp) POST /admin/test/smtp application/json => 400 Bad Request

Try to set `SMTP_DEBUG=true` and check again to see more detailed messages.

You can also try to connect from the container itself, maybe.

Thanks, unfortunately even enabling SMTP_DEBUG does not provide any additional information.

[2025-10-11 08:16:16.352][vaultwarden::mail][ERROR] SMTP error: response error: incomplete response
[2025-10-11 08:16:16.353][response][INFO] (test_smtp) POST /admin/test/smtp application/json => 400 Bad Request

One thing I’ve noticed just now is that there is a time difference between the Vaultwarden logs and my server. TOTP tokens however work, so I’m assuming the logger just doesn’t apply time zone adjustments.

I will try connecting from the container itself once I’m on my PC.

Thanks, the information I got by connecting from within the container was very helpful.

=== Trying mail.issork.de:587...
*** Error connecting to mail.issork.de:587:
***     IO::Socket::INET6: connect: Connection refused

My docker knowledge in this regard is limited. If I can connect from my Gitea container and from another client, but can’t from within the Vaultwarden container, what might be blocking the connection?

The error message suggests it can’t connect using IPv6, which may be from DNS. Can you configure it to use an IPv4 address to see if that helps?

Establishing connectivity is the first step. You might be able to get a shell into your VW docker container then ping / telnet / curl your email server to see what happens.

I’m not sure what exactly fixed my SMTP issues, but after doing the following, I was able to finally send out emails:

  • add AAAA entries to my DNS records
  • enable IPv6 in docker
  • purge currently banned fail2ban IPs

Considering this solved, many thanks!
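
The connectivity check suggested in the replies, as an added example that is not part of the original thread: it resolves the mail host from wherever it is run (for instance inside the container's network namespace) and attempts a plain TCP connect to each returned address, so an IPv6 path that is refused while IPv4 works shows up directly. The host `mail.example.org` is a placeholder and the function names `probe` and `diagnose` are hypothetical.

```python
import socket
import sys

def _tcp_connect(family, sockaddr, timeout):
    # Plain TCP handshake only; no SMTP or TLS is spoken.
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sockaddr)

def probe(host, port, resolve=socket.getaddrinfo, connect=_tcp_connect, timeout=5.0):
    """Connect to every address `host` resolves to; return (family, ip, status) tuples."""
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("DNS", None, f"resolution failed: {exc}")]
    results, seen = [], set()
    for family, _type, _proto, _canon, sockaddr in infos:
        if family not in (socket.AF_INET, socket.AF_INET6) or sockaddr[0] in seen:
            continue
        seen.add(sockaddr[0])
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        try:
            connect(family, sockaddr, timeout)
            results.append((label, sockaddr[0], "ok"))
        except OSError as exc:  # refused, reset, timeout, unreachable
            results.append((label, sockaddr[0], type(exc).__name__))
    return results

def diagnose(results):
    """Summarise per-family reachability into one finding."""
    if not results:
        return "no usable addresses returned"
    if results[0][0] == "DNS":
        return "DNS resolution fails from this network namespace"
    ok = {fam for fam, _ip, status in results if status == "ok"}
    failed = {fam for fam, _ip, status in results if status != "ok"} - ok
    if ok and failed:
        return f"{'/'.join(sorted(failed))} path broken while {'/'.join(sorted(ok))} works"
    if not ok:
        return "no address reachable: check container egress, firewall and fail2ban bans"
    return "all resolved addresses reachable"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"  # placeholder host
    for port in (465, 587):  # the two ports tried in the thread
        res = probe(host, port)
        for fam, ip, status in res:
            print(f"{host}:{port} {fam} {ip} -> {status}")
        print(f"{host}:{port} => {diagnose(res)}")
```

Running it once on the host and once inside the container makes the comparison: differing results point at the container's network setup rather than at the mail server or the reverse proxy.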