SMTP error: Connection error: Connection error: invalid peer certificate: Other(OtherError(UnsupportedCertVersion))

[EnergeticMrMask]

Prerequisites

• I have searched the existing Closed AND Open Issues AND Discussions
• I have searched and read the documentation

Vaultwarden Support String

Your environment (Generated via diagnostics page)

• Vaultwarden version: v1.34.3
• Web-vault version: v2025.7.0
• OS/Arch: linux/x86_64
• Running within a container: true (Base: Debian)
• Database type: PostgreSQL
• Database version: PostgreSQL 17.6 (Debian 17.6-1.pgdg12+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14+deb12u1) 12.2.0, 64-bit
• Uses config.json: true
• Uses a reverse proxy: true
• IP Header check: true (X-Real-IP)
• Internet access: true
• Internet access via a proxy: false
• DNS Check: true
• TZ environment: PRC
• Browser/Server Time Check: true
• Server/NTP Time Check: true
• Domain Configuration Check: false
• HTTPS Check: false
• Websocket Check: true
• HTTP Response Checks: true

Config & Details (Generated via diagnostics page)

Show Config & Details

Environment settings which are overridden: ADMIN_TOKEN

Config:

{
  "_duo_akey": null,
  "_enable_duo": true,
  "_enable_email_2fa": false,
  "_enable_smtp": true,
  "_enable_yubico": true,
  "_icon_service_csp": "",
  "_icon_service_url": "",
  "_ip_header_enabled": true,
  "_max_note_size": 10000,
  "_smtp_img_src": "****://**************************************",
  "admin_ratelimit_max_burst": 3,
  "admin_ratelimit_seconds": 300,
  "admin_session_lifetime": 20,
  "admin_token": "***",
  "allowed_connect_src": "",
  "allowed_iframe_ancestors": "",
  "attachments_folder": "data/attachments",
  "auth_request_purge_schedule": "30 * * * * *",
  "authenticator_disable_time_drift": false,
  "data_folder": "data",
  "database_conn_init": "",
  "database_max_conns": 10,
  "database_timeout": 30,
  "database_url": "********://**************************************************************************",
  "db_connection_retries": 15,
  "disable_2fa_remember": false,
  "disable_admin_token": false,
  "disable_icon_download": false,
  "domain": "****://***************************",
  "domain_origin": "****://***************************",
  "domain_path": "",
  "domain_set": true,
  "duo_context_purge_schedule": "30 * * * * *",
  "duo_host": null,
  "duo_ikey": null,
  "duo_skey": null,
  "duo_use_iframe": false,
  "email_2fa_auto_fallback": false,
  "email_2fa_enforce_on_verified_invite": false,
  "email_attempts_limit": 3,
  "email_change_allowed": true,
  "email_expiration_time": 600,
  "email_token_size": 6,
  "emergency_access_allowed": true,
  "emergency_notification_reminder_schedule": "0 3 * * * *",
  "emergency_request_timeout_schedule": "0 7 * * * *",
  "enable_db_wal": true,
  "enable_websocket": true,
  "enforce_single_org_with_reset_pw_policy": false,
  "event_cleanup_schedule": "0 10 0 * * *",
  "events_days_retain": null,
  "experimental_client_feature_flags": "",
  "extended_logging": true,
  "helo_name": "***************************",
  "hibp_api_key": null,
  "http_request_block_non_global_ips": true,
  "http_request_block_regex": null,
  "icon_blacklist_non_global_ips": true,
  "icon_blacklist_regex": null,
  "icon_cache_folder": "data/icon_cache",
  "icon_cache_negttl": 259200,
  "icon_cache_ttl": 2592000,
  "icon_download_timeout": 10,
  "icon_redirect_code": 302,
  "icon_service": "internal",
  "incomplete_2fa_schedule": "30 * * * * *",
  "incomplete_2fa_time_limit": 3,
  "increase_note_size_limit": false,
  "invitation_expiration_hours": 120,
  "invitation_org_name": "Vaultwarden",
  "invitations_allowed": true,
  "ip_header": "X-Real-IP",
  "job_poll_interval_ms": 30000,
  "log_file": null,
  "log_level": "info",
  "log_timestamp_format": "%Y-%m-%d %H:%M:%S.%3f",
  "login_ratelimit_max_burst": 10,
  "login_ratelimit_seconds": 60,
  "org_attachment_limit": null,
  "org_creation_users": "",
  "org_events_enabled": false,
  "org_groups_enabled": false,
  "password_hints_allowed": true,
  "password_iterations": 600000,
  "push_enabled": false,
  "push_identity_uri": "https://identity.bitwarden.com",
  "push_installation_id": "***",
  "push_installation_key": "***",
  "push_relay_uri": "https://push.bitwarden.com",
  "reload_templates": false,
  "require_device_email": false,
  "rsa_key_filename": "data/rsa_key",
  "send_purge_schedule": "0 5 * * * *",
  "sendmail_command": null,
  "sends_allowed": true,
  "sends_folder": "data/sends",
  "show_password_hint": false,
  "signups_allowed": false,
  "signups_domains_whitelist": "",
  "signups_verify": false,
  "signups_verify_resend_limit": 6,
  "signups_verify_resend_time": 3600,
  "smtp_accept_invalid_certs": true,
  "smtp_accept_invalid_hostnames": false,
  "smtp_auth_mechanism": "Login",
  "smtp_debug": false,
  "smtp_embed_images": false,
  "smtp_explicit_tls": null,
  "smtp_from": "***************************",
  "smtp_from_name": "Vaultwarden",
  "smtp_host": "**************************",
  "smtp_password": "***",
  "smtp_port": 587,
  "smtp_security": "starttls",
  "smtp_ssl": null,
  "smtp_timeout": 15,
  "smtp_username": "***************************",
  "templates_folder": "data/templates",
  "tmp_folder": "data/tmp",
  "trash_auto_delete_days": null,
  "trash_purge_schedule": "0 5 0 * * *",
  "use_sendmail": false,
  "use_syslog": false,
  "user_attachment_limit": null,
  "user_send_limit": null,
  "web_vault_enabled": true,
  "web_vault_folder": "web-vault/",
  "yubico_client_id": null,
  "yubico_secret_key": null,
  "yubico_server": null
}

Vaultwarden Build Version

v1.34.3

Deployment method

Official Container Image

Custom deployment method

I deployed Vaultwarden via TrueNAS Scale's application feature. More deployment details can be found in the screenshot below.

Reverse Proxy

nginx proxy manager v2.12.6

Host/Server Operating System

NAS/SAN

Operating System Version

TrueNAS Scale 25.04.2.1

Clients

Web Vault

Client Version

No response

Steps To Reproduce

1. Deploy poste.io via docker on ubuntu server as a self-hosted mail server.

2. Configure the SMTP Email Settings in the /admin page using STARTTLS on port 587. For specific settings, please refer to the screenshot below.

3. Send a test email after saving the settings.

Expected Result

The test email has been sent successfully.

Actual Result

An error pop-up appears with the following message:
SMTP error: Connection error: Connection error: invalid peer certificate: Other(OtherError(UnsupportedCertVersion)).

The test email was not sent.

Logs

2025-08-26 02:41:07.319420+00:00[2025-08-26 10:41:07.319][request][INFO] GET /admin
2025-08-26 02:41:07.319420+00:00[2025-08-26 10:41:07.319][request][INFO] GET /admin
2025-08-26 02:41:07.319420+00:00[2025-08-26 10:41:07.319][request][INFO] GET /admin
2025-08-26 02:41:07.330845+00:00[2025-08-26 10:41:07.330][response][INFO] (admin_page) GET /admin/ => 200 OK
2025-08-26 02:41:07.330845+00:00[2025-08-26 10:41:07.330][response][INFO] (admin_page) GET /admin/ => 200 OK
2025-08-26 02:41:07.330845+00:00[2025-08-26 10:41:07.330][response][INFO] (admin_page) GET /admin/ => 200 OK
2025-08-26 02:41:17.746920+00:00[2025-08-26 10:41:17.746][request][INFO] POST /admin/test/smtp
2025-08-26 02:41:17.746920+00:00[2025-08-26 10:41:17.746][request][INFO] POST /admin/test/smtp
2025-08-26 02:41:17.746920+00:00[2025-08-26 10:41:17.746][request][INFO] POST /admin/test/smtp
2025-08-26 02:41:17.825262+00:00[2025-08-26 10:41:17.824][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: invalid peer certificate: Other(OtherError(UnsupportedCertVersion))
2025-08-26 02:41:17.825262+00:00[2025-08-26 10:41:17.824][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: invalid peer certificate: Other(OtherError(UnsupportedCertVersion))
2025-08-26 02:41:17.825372+00:00[2025-08-26 10:41:17.825][response][INFO] (test_smtp) POST /admin/test/smtp application/json => 400 Bad Request
2025-08-26 02:41:17.825262+00:00[2025-08-26 10:41:17.824][vaultwarden::mail][ERROR] SMTP error: Connection error: Connection error: invalid peer certificate: Other(OtherError(UnsupportedCertVersion))
2025-08-26 02:41:17.825372+00:00[2025-08-26 10:41:17.825][response][INFO] (test_smtp) POST /admin/test/smtp application/json => 400 Bad Request
2025-08-26 02:41:17.825372+00:00[2025-08-26 10:41:17.825][response][INFO] (test_smtp) POST /admin/test/smtp application/json => 400 Bad Request

Screenshots or Videos

Additional Context

This issue has only emerged recently. Back in July of this year, Vaultwarden was able to send emails successfully under the same configuration. However, a few weeks ago (possibly after an update? I apologize for not being able to provide an exact timeline as I don’t use the email function daily), I stopped receiving password hint emails. I noticed this issue when checking the admin page.

I’ve tried modifying various settings—such as toggling Secure SMTP to off or force_ssl, changing SMTP Auth mechanism, and more—but none of these adjustments restored SMTP communication between Vaultwarden and poste.io. Even after completely removing and redeploying both Vaultwarden and poste.io, the problem persisted.

When configured to use other mail servers like Gmail or QQ Mail, Vaultwarden works perfectly and sends emails without issue. The problem seems isolated to its interaction with poste.io.

That said, I don’t believe the issue lies with poste.io itself, as several my other services (such as Uptime Kuma, Firefly III, ssmtp, and Send-MailKit-Message) are using the exact same poste.io configuration to send emails without any problems.

I haven’t yet tried deploying Vaultwarden via Docker, though I should note that six months ago, when I ran Vaultwarden in a Docker container, it worked flawlessly with the same poste.io settings. I migrated to TrueNAS Scale in May. If necessary, I can allocate time to test with a Docker deployment again.

I’m uncertain whether this is a bug or if a recent update has invalidated certain configurations. I’ve searched online but haven’t found any reports of the same error message. If the issue is due to a misconfiguration on my end or if there are known solutions, please let me know.

If it turns out the root cause isn’t related to Vaultwarden—for instance, if it’s an issue with poste.io or TrueNAS Scale—I will forward this issue (along with relevant details) to the appropriate developers.

I believe I’ve exhausted all feasible troubleshooting steps, and this problem has been frustrating me for weeks.

I’m happy to provide more detailed logs or information if needed. Please don’t hesitate to reach out.

[BlackDex]

This isn't an issue of Vaultwarden, but more of the server where you are connecting to, or something in between, like a mitmproxy/filtering-proxy or something like that.

The certificate returned is just invalid. Either a missing chain cert, or an expired cert somewhere in the chain.
I would suggest to try and check the certificate returned by that system. There are ways to test it with openssl.

openssl s_client -connect smtp.domain.tld:587 -starttls smtp -showcerts

[EnergeticMrMask]

Thank you for your reply.
And sorry for my late reply, I've been swamped :(

My mail server (poste.io) does not have a certificate configured. The situation is a bit complicated. To make a long story short, I've placed the server behind multiple layers of Cloudflare and a VPN for attack defense. This prevents the automatic renewal of Let's Encrypt certificates. I'm also quite lazy—manually renewing it every three months would be very difficult for me. So, I simply configured all services that require SMTP (and which have Accept Invalid Certs option) to be restricted to the VPN within my internal network (at my home, under my control).

My understanding of cert is very limited, just enough to use it at a basic level. I thought that since I checked the Accept Invalid Certs option in Vaultwarden (as shown in my screenshot), there shouldn’t be any issues. It used to work without problems, and other services are also working fine.

Currently, the server and Vaultwarden are directly connected, only configured with DDNS. Nginx Proxy Manager only proxies the web interface of the mail server.

Here is my openssl test result:

root@mailserver:~# openssl s_client -connect mailserver.mydomain.com:587 -starttls smtp -showcerts
Connecting to 192.168.0.243
CONNECTED(00000003)
depth=0 C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
verify return:1
---
Certificate chain
 0 s:C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
   i:C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 16 14:47:13 2020 GMT; NotAfter: Nov 14 14:47:13 2030 GMT
-----BEGIN CERTIFICATE-----
MIIEGTCCAgECFG1MlwFbEYS2IYe3AX+jJ+KK0TE1MA0GCSqGSIb3DQEBCwUAMEkx
CzAJBgNVBAYTAkNaMRYwFAYDVQQIDA1QbHplbnNreSBrcmFqMQ8wDQYDVQQHDAZT
dXNpY2UxETAPBgNVBAoMCFBvc3RlLmlvMB4XDTIwMTExNjE0NDcxM1oXDTMwMTEx
NDE0NDcxM1owSTELMAkGA1UEBhMCQ1oxFjAUBgNVBAgMDVBsemVuc2t5IGtyYWox
DzANBgNVBAcMBlN1c2ljZTERMA8GA1UECgwIUG9zdGUuaW8wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQC4paqlT18xfXmHiVUT811WJXW/E06fV9kcBU+g
hYmSO0InupeTvVxiRc6BxWJXfWqJbvwkhpRO8kWK6A34CBjyduixnj1yWwiUsXI4
be032hrbJgiMxJ0itIVno0uiDwl/m3fe5IMUhuj5VXv0u3U8ksvor2o2qBrYvuWo
QMBIWz4KU9IwgIMv/LfbZxIbFjGcQltH0s15VnIgqU8CoDvPyanog4ZNLOvUqltF
9R/G+YPWdhZPKACw9cVfJIDsX1QBsJCtlm5/2QkIZaxyNdF0wqK32dk81gVJn0Tk
NKjwUBp4YKE9p1YnzDPMxObAGd0DS5nXikDW3h95koq/ZAMzAgMBAAEwDQYJKoZI
hvcNAQELBQADggIBAGtLL3oFaq2Vamj3Oogep5JMg8ApFbgB89bh/MCsqCixsmHU
w7UbpIHOzUDAXMTIop5A8r9QzGTSBYtUTGvoTJMdk9PKN8LPDzYkbmgWipQJ6S6G
2Ysr0q8lZa6q2Fwv4sAylbSdCzubnJxcfojAr7so1WgDtSI0BzwG+RXQ+YaeYY4V
6+lgdthG23mYxifrSuEMPokp7gPJHI/I4/o+rTbTQPN0t7G/bkuf5Y5g1Lfeu9cl
Y25z64J2J37/h1a6/tUa/s1nijNti44rGuOS2v9b12KpbgCqZHeu5gmfNJdiQtUl
pOyoKY/6AOF7fIyMy0lEMUt9D6bfiWhKdWlCo1/JzDg6BkRVokvARCUvV0KwcMbj
G8+K8f1Hi+Aakspg9C9w+c4O+9DtJD/C5bhMH+BJyA9XRNftBoKhCcxq5TtnpT+N
UR7+2BLW+gOXAtNWgyLhhsTxJ0CwiEF1b1qNZ7LJvyioljttWONKXrqfopAqrUQm
nh7u5oFFmskAlSUYk9Clq5fQqwN4nVLjEOb26T4SK3MtpGh2H62c2bsFFhCpocGt
cGccjgp+A1i38Q8HrkR+ZU1H4B5eCEc2hJQaWXWO94Jzosq5wPaEq1Pq3Vih8s/+
N3QQb2W/Woz4bZNuUdh8FGMA1lQ1egaBfBprvlnSFncwGQAhLOxSKd0GBGi1
-----END CERTIFICATE-----
 1 s:C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
   i:C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 16 14:42:44 2020 GMT; NotAfter: Nov 14 14:42:44 2030 GMT
-----BEGIN CERTIFICATE-----
MIIFczCCA1ugAwIBAgIUZ/ne+Ytxlfm7sAK67rIIq3+gZAAwDQYJKoZIhvcNAQEL
BQAwSTELMAkGA1UEBhMCQ1oxFjAUBgNVBAgMDVBsemVuc2t5IGtyYWoxDzANBgNV
BAcMBlN1c2ljZTERMA8GA1UECgwIUG9zdGUuaW8wHhcNMjAxMTE2MTQ0MjQ0WhcN
MzAxMTE0MTQ0MjQ0WjBJMQswCQYDVQQGEwJDWjEWMBQGA1UECAwNUGx6ZW5za3kg
a3JhajEPMA0GA1UEBwwGU3VzaWNlMREwDwYDVQQKDAhQb3N0ZS5pbzCCAiIwDQYJ
KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMN5hFWtQm1VmEYtY/5DMocfwO3dlSOD
GUMiJ5z4b5tpEOlPykmCogFEVisouJlxiwZ/BpfJxwX50rNH+9HqFSxP+LHCoval
hNo5NbgrK/Jqk1Z+gPx/kW7HLEM2x2IfOzF58KCjFy+ZXib6E3chGqIiCUOQuapA
LN945AM3Awsb6C/SISvzKv8cEcVBMiW/jDrQjtEEKphi80s3ZjB55rNhWULU8ouK
COMzEVulYvFRCq/+oRvdXAiNruFZu8svxPGec/w9Dhji0wkuusL6TTuovM1VPKyS
DpO8c5bUvGsqauIu+1sYxIJz/NQLXcVR37VcoYYQc8OHvgDHqDIVXGNSPhHPDchw
ZFr0wzSocKeqtQBZRPtbJGj5ylJoko2f5s5mObdYRk0E8Rt29K29R685JAGtzm6Y
FMfNNLKs7/hxwTrUP3UI5xJFL59pE6OxbLLaHRRfl5CnoYxvxCw8nxGd3Ap8Gp3A
tRf5PzUoaYqm7bAUV3xoK6VEovYNzSXAohzu4j3Gnq/vUO6sx18w0Y62DJo12zYR
ZBRbh+aHZmHsckXuu2dOzVXhO94gavcEJE2agpYqri6RKQ5RRvNyvjq3RCFeuaiz
lqY1PiNgtzwBz9VmnldLb8SfFewLTWfWWI/T4eq5ic94Uj5BV9zJWQ1JpIA25BES
tKIfYmfOqzfZAgMBAAGjUzBRMB0GA1UdDgQWBBSHBi7VY+4VcBs0HsQ2AQwoaMgE
tjAfBgNVHSMEGDAWgBSHBi7VY+4VcBs0HsQ2AQwoaMgEtjAPBgNVHRMBAf8EBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQCbDbl9mu6Gmzjw5LYcAqvIfhVRptWfPoGe
pIy6jkCkhFpi9d20D7zl4ekZ/rVMbgjWs78gCKf1ZlHl1cKNYfOW6Z27JTbn7Eq5
HJoobjEC+SttkSCi061OrVxYnWCEmKouJ4CWFGM/mHvTkg0HszPiofzdZOg6nO2+
NndJlyNZZpRTbW7fgardjhN/c7oBIMUnc7h8XXfANyTBhZPAR+RcxG0ZF8VecMYM
R99w1yBxszRUG2WbX/oe92tPeWsHJEujEFG9OzXNvtTj2mH8wEle/4zn0aNO6wma
3EqBd+EYtQcHd9utSgJ16z4ucyQuKYnXe7qmy2rD0GwbN8o2FH3Q62R71RJHuVXg
4lsxr3L42mTfPtP6lR/yE96Ut3WHIlPIROTbCqZqw1GOKsc4hQyp7IG38E4emgRc
Yz3cHcNljjD3s7uNmtQ4oI94GUQcJSkGhR9LrZcblCEL8GP18qtdObo7n3czjMwg
Tz9lhV9tIRLqvv0enWZ6CjQpLhIaouC20yROCKzr8y9gwfl6Xww6dO0z7lUe1Ul5
G/MCe7gyQrs52nlE2CdlrPho4Ztr7U5t8kNbLtdeR5e9VVVyo4KM1hal1YGvwzCR
jGzlotklRAGJeCV7DJ9bO2X89qaxqgKJ77ooIRL1tizweZVyiOl/TQBttDDsdCb9
7l2V9XrSoA==
-----END CERTIFICATE-----
---
Server certificate
subject=C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
issuer=C=CZ, ST=Plzensky kraj, L=Susice, O=Poste.io
---
No client certificate CA names sent
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ed25519:ed448:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3357 bytes and written 489 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
250 STARTTLS
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 3A88D05273D50C7C6B109AA0F62F486BE693AAEA8CB68A27F1C49BAF11123872
    Session-ID-ctx:
    Resumption PSK: DB43B5A4881CAF3D1301F92F77B98E423155C4AFDDDBEE05E1FBDF80A7BB047A2BC8208CE4303130FB7D7EFED8D871AE
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 33 89 35 3f 51 6c 14 66-6f c6 1e 63 8b 5d 26 5f   3.5?Ql.fo..c.]&_
    0010 - 2b cd 47 c8 e3 b8 f3 15-40 97 48 cb 08 ff aa f8   +.G.....@.H.....
    0020 - 05 99 63 3b de 4d f0 e9-ce f6 39 bd 73 f5 ea 77   ..c;.M....9.s..w
    0030 - 1b 6d f5 f1 92 db 88 25-57 ae 98 05 78 29 ae 95   .m.....%W...x)..
    0040 - 84 c0 2d 9e 02 a0 4a c7-f3 c3 e3 da 85 96 5a c2   ..-...J.......Z.
    0050 - c4 3f f4 0c 6b 1a 6c 1a-b5 22 3e 64 3c 62 fa bb   .?..k.l..">d<b..
    0060 - ab 83 82 88 7a 53 68 41-af d0 4c f7 2a f4 4b 3d   ....zShA..L.*.K=
    0070 - 82 bf 16 ca df 89 a7 ff-39 b6 85 67 ff 04 f5 32   ........9..g...2
    0080 - 95 10 52 46 46 29 6a 01-b4 41 f9 56 66 aa 8a f2   ..RFF)j..A.Vf...
    0090 - e2 68 be 3d c1 f6 87 dc-23 c5 4b 88 60 68 5e eb   .h.=....#.K.`h^.
    00a0 - 04 c6 cb c0 1c 9c f1 e6-8d b5 d8 ca a8 c5 c0 cd   ................
    00b0 - ce cd a8 5d 98 f2 a2 e4-64 4b 81 06 cd 7d f3 b4   ...]....dK...}..
    00c0 - e8 d7 1b 37 fe f8 66 2e-69 0e db 36 9a 0c 50 b2   ...7..f.i..6..P.

    Start Time: 1756366741
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: DAB3F543C51724ACCB76805D7FC8304D1BE2C95B9F14DCE5CDC1CC212AEBB76B
    Session-ID-ctx:
    Resumption PSK: AD7D7239B70ABF434B245CDEDCD48F4E2233E1FA7B38D32847CCDD13D638CC58ABFA17FF91C60C460068EB7FA0608A34
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 33 89 35 3f 51 6c 14 66-6f c6 1e 63 8b 5d 26 5f   3.5?Ql.fo..c.]&_
    0010 - 3b fe 93 3a 50 0e cd 85-51 9d b7 81 97 56 a7 48   ;..:P...Q....V.H
    0020 - e6 af 2d 0b 34 a6 8d 20-8e a8 a7 a3 63 f7 95 64   ..-.4.. ....c..d
    0030 - 25 44 44 7c 8c f5 78 51-68 25 43 39 b3 ba df 0c   %DD|..xQh%C9....
    0040 - 99 ec 7e c2 34 66 f1 c5-7a 5e 74 f6 2d 52 7e 66   ..~.4f..z^t.-R~f
    0050 - 07 02 dc a9 46 ac a2 8e-69 c3 68 02 34 a0 c6 de   ....F...i.h.4...
    0060 - e8 2d 69 fb 4c 9d 55 71-5e 13 47 a8 a4 57 05 f2   .-i.L.Uq^.G..W..
    0070 - cb 71 24 b1 23 85 03 05-98 d6 32 ec c6 29 05 9f   .q$.#.....2..)..
    0080 - 20 0a 48 a9 17 f0 ed 5a-cc 43 86 b3 d8 fa 3a 12    .H....Z.C....:.
    0090 - c0 3d 07 39 0e 64 74 56-71 39 67 b5 24 62 e0 3b   .=.9.dtVq9g.$b.;
    00a0 - d4 27 d1 07 a6 40 e5 77-1f ab f5 33 61 b1 2a 26   .'...@.w...3a.*&
    00b0 - 9a 51 70 75 45 a1 8b 6c-ae 3a 8f f5 4b f5 85 52   .QpuE..l.:..K..R
    00c0 - 99 9f 59 fb 98 58 e2 ae-b4 1d 3f 0f ad a1 47 c7   ..Y..X....?...G.

    Start Time: 1756366741
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

The openssl result seems fine (based on my online research and consultations with AI). Shouldn’t checking the Accept Invalid Certs option allow it to work normally?

The current behavior makes it seem like the Accept Invalid Certs option in Vaultwarden isn’t working properly. I’m not very familiar with these details—could you please help me confirm this?

[BlackDex]

I tested this just recently, and it works fine, at least with the tests i conducted, which included self-signed and invalid hostnames.
You could also supply Vaultwarden with the Signing CA so that it can verify and allow this cert, instead of ignoring all certificates.

That would make it more secure also.

[jr-clark]

I am having the same issue as the OP.

openssl s_client -connect smtp.domain.tld:587 -starttls smtp -showcerts

Connects without a problem or error.

I found a possibly related issue in a different product when searching for a solution. My certs are V1.

rustls/rustls#2364

[EnergeticMrMask]

Sorry for the delay in following up. After some searching and testing, I can basically confirm the root cause: poste.io’s default certificate is a V1 certificate, and rustls no longer supports this old certificate type.
So the blame is not on vaultwarden but on the compatibility between the certificate version and the client’s TLS library.

OpenSSL still accepts these older certificates, while rustls explicitly rejects them. That explains why vaultwarden fails to send emails even though the command‑line test succeeds.

My own situation made things more complicated: I had placed quite a few restrictions on my poste.io instance, which made obtaining a Let’s Encrypt certificate a lot more troublesome than usual. In the end, I did manage to switch poste.io to a Let’s Encrypt certificate, and the problem was resolved—vaultwarden can now send emails without any errors.

Strictly speaking, rustls’ lack of support for old certificates still exists. A complete library‑level fix would require either poste.io to change its default certificate type or rustls to relax its restrictions, neither of which is very realistic. But since I now have a new certificate, the problem no longer exists in practice.