Unable to send SMTP recovery link when using SMTP port 25

[Xoffio]

Describe the bug
When setting up SMTP with port 25, n8n is unable to email a recovery link.

To Reproduce
Steps to reproduce the behavior:

1. Setup n8n with the next env variables:

N8N_EMAIL_MODE: smtp # even tho this was not needed i tried with this as well
N8N_SMTP_HOST: "yourSmtpServerHostnameOrIp"
N8N_SMTP_PORT: 25
N8N_SMTP_SENDER: "yourSenderEmail"
N8N_SMTP_SSL: false
# N8N_SMTP_USER: I did not set this one since i don't needed 
# N8N_SMTP_PASS: I did not set this one since i don't needed 

2. Start your container

3. Go to http://yourN8nHostOrIP/forgot-password and try to send an email. You will get this error:
   

4. Connect to the container to get the logs:

ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information. 
at Object.xForwardedForHeader (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:166:13)
at Object.wrappedValidations.<computed> [as xForwardedForHeader] (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:324:22) 
at Object.keyGenerator (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:579:20) 
at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:629:32 
at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:611:5 { 
code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR',
help: 'https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/' 
}
Error: unable to verify the first certificate 
Failed to send email

Expected behavior
n8n should be able to send the email without any error.

Environment (please complete the following information):

• OS: docker image
• n8n Version: 1.18.2
• Node.js Version: v18.18.2
• Database system: Default SQLite
• Operation mode: Default Main

Additional context
I am able to send emails with the Send Email node, when the option Ignore SSL Issues is enable.
The error that i get when I try to reset my password Error: unable to verify the first certificate is the same error i get when i try to use Send Email with Ignore SSL Issues disabled. Maybe we can have a ENV variable to do the same?

[Joffcom]

Hey @Xoffio

Just to confirm do you have your mail server configured to use something like start tls with a self signed certificate?

[Xoffio]

Hi @Joffcom.
I am using Synology. I just check the certificates and it seems like it is using the certificate from Synology.

I have the ports 25, 465, and 587 open. Shouldn't 25 work without certificate?

[Joffcom]

Hey @Xoffio,

25 can work without a certificate but in your case it looks like it is trying to validate the cert so I suspect it is trying to negotiate for starttls. Although the certificate error could be unrelated, Can you enable debug logging and see if it shows anything else?

[Xoffio]

Hey @Joffcom

Here is what I got from the logs:

2023-12-17T04:41:24.087Z [Rudder] debug: queue is empty, nothing to flush
ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information.
    at Object.xForwardedForHeader (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:166:13)
    at Object.wrappedValidations.<computed> [as xForwardedForHeader] (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:324:22)
    at Object.keyGenerator (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:579:20)
    at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:629:32
    at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:611:5 {
  code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR',
  help: 'https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/'
}
2023-12-17T04:41:34.405Z | �[31merror�[39m    | �[31mError: unable to verify the first certificate�[39m "{ file: 'LoggerProxy.js', function: 'exports.error' }"
2023-12-17T04:41:34.407Z | �[31merror�[39m    | �[31mFailed to send email�[39m "{\n  recipients: '[email protected]',\n  error: Error: unable to verify the first certificate\n      at TLSSocket.onConnectSecure (node:_tls_wrap:1600:34)\n      at TLSSocket.emit (node:events:517:28)\n      at TLSSocket.emit (node:domain:552:15)\n      at TLSSocket._finishInit (node:_tls_wrap:1017:8)\n      at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:803:12)\n      at TLSWrap.callbackTrampoline (node:internal/async_hooks:130:17) {\n    code: 'ESOCKET',\n    command: 'CONN'\n  },\n  file: 'NodeMailer.js',\n  function: 'sendMail'\n}"
2023-12-17T04:41:34.416Z [Rudder] debug: no existing flush timer, creating new one
2023-12-17T04:41:34.419Z | �[31merror�[39m    | �[31mInternalServerError: Please contact your administrator: unable to verify the first certificate�[39m "{ file: 'LoggerProxy.js', function: 'exports.error' }"
2023-12-17T04:41:54.424Z [Rudder] debug: in flush
2023-12-17T04:41:54.425Z [Rudder] debug: cancelling existing flushTimer...

[Joffcom]

Hey @Xoffio,

Alright so it looks like the mail service is using TLS for port 25, We would need to add an option to allow support for self signed certificates to work around this in the future.

[ovizii]

I'm getting the same first part of this error when trying to recover my password except I think this is unrelated to port 25 as n8n is trying to email via Gmail and its setup with N8N_SMTP_SSL=true and N8N_SMTP_PORT=587.

I thought issue is with "The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default)." as I am indeed behind traefik as reverse proxy and setting X-Forwarded-For headers.

I will now try with a local smtp server without TLS and on port 25. Result: exactly the same error.

n8n             | ValidationError: The 'X-Forwarded-For' header is set but the Express 'trust proxy' setting is false (default). This could indicate a misconfiguration which would prevent express-rate-limit from accurately identifying users. See https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/ for more information.
n8n             |     at Object.xForwardedForHeader (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:166:13)
n8n             |     at Object.wrappedValidations.<computed> [as xForwardedForHeader] (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:324:22)
n8n             |     at Object.keyGenerator (/usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:579:20)
n8n             |     at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:629:32
n8n             |     at /usr/local/lib/node_modules/n8n/node_modules/express-rate-limit/dist/index.cjs:611:5 {
n8n             |   code: 'ERR_ERL_UNEXPECTED_X_FORWARDED_FOR',
n8n             |   help: 'https://express-rate-limit.github.io/ERR_ERL_UNEXPECTED_X_FORWARDED_FOR/'

[Joffcom]

Hey @ovizii,

Your error seems to be unrelated to the mail server and is instead likely to be a configuration issue.

[netroy]

The 'X-Forwarded-For' message is completely unrelated, and you can "fix" it by setting N8N_PROXY_HOPS env variable to 1.

[Joffcom]

Good news, This was changed in #9415 and you can now disable StartTLS if you just want to use plain SMTP. To enable this option set N8N_SMTP_STARTTLS to false