Hello everyone! Did anybody previously see such error

535 5.7.8 Username and Password not accepted

when setting up SMTP settings in Fleet UI? We use Google Workspace with our custom domain, I’ve enabled 2FA on service email account and generated application-specific password. When I set up SMTP config on Settings page, I don’t see any problems. Using Chrome Dev Console I see such SMTP settings:

"smtp_settings": {
    "enable_smtp": true,
    "configured": true,
    "sender_address": "<mailto:user@ourdomain.com|user@ourdomain.com>",
    "server": "<http://smtp.gmail.com|smtp.gmail.com>",
    "port": 587,
    "authentication_type": "authtype_username_password",
    "user_name": "<mailto:user@ourdomain.com|user@ourdomain.com>",
    "password": "********",
    "enable_ssl_tls": true,
    "authentication_method": "authmethod_plain",
    "domain": "",
    "verify_ssl_certs": true,
    "enable_start_tls": true
  }

But when I try to invite new user to Fleet I see such error:

535 5.7.8 Username and Password not accepted. Learn more at\n5.7.8  <https://support.google.com/mail/?p=BadCredentials> i27-20020a1c541b000000b003928e866d32sm1520496wmb.37 - gsmtp

@Artem Sorry SMTP is giving you trouble! Have you tried Google's Captcha Unlock?

Hi @Kathy Satterlee! I didn’t try it yet, will do it asap, thanks for advice!

btw on newer versions of Fleet you can still add users without email.

@zwass yea, that’s our current single option 😉

Hopefully Kathy's suggestion helps get this working

But it’s really interesting to find and fix the reason of the problem

Do you have 2FA enabled on this account? Might need to use app specific password.

@zwass yes, I have 2FA enabled and I use 16-char app specific password. With general password I see another type of error during SMTP configuration

Could not update settings. sending mail: client auth error: 534 5.7.9 Application-specific password required. Learn more at 5.7.9 <https://support.google.com/mail/?p=InvalidSecondFactor> i27-20020a1c541b000000b003928e866d32sm2111167wmb.37 - gsmtp

As far as that Captcha unblock goes, Google has some built-in protections against SPAM senders/scammers that can be a little overprotective. By doing the captcha unblock, you're essentially confirming that you're actually to do the thing it blocked you from doing. You should (hopefully) only need to do it once after the initial setup.

As I can see, I can not use Google Captcha with 2FA enabled 😞

It looks like it unblocked successfully. Try adding a new user and we'll see if that was the issue.

Sorry, but nothing is changed. I tried to invite new user right now and saw same error.

What version of Fleet are you running? I can test adding Google SMTP settings to see what happens.

Fleet 4.13.0 • Go go1.17.8

Give me a few minutes to test things out.

I think there is small probability about google workspace based reason of problem. Found such article https://stackoverflow.com/questions/63562314/535-b5-7-8-username-and-password-not-accepted-with-g-suite-and-django, but without solution

I think you'd have to use some sort of packet capture tool for that. The strange thing is that the same email sending code is used everywhere in the app: https://github.com/fleetdm/fleet/blob/main/server/mail/mail.go#L143

I'm getting the same error, so I'm digging in to see if I can get it resolved on my end.

@Kathy Satterlee thank you for such deep diving, hope you will find how to solve it!

Happy to help! Looking at one last setting and then we may need to call this one a bug.

@Kathy Satterlee thank you!

Happy to help 🙂

@Kathy Satterlee good luck with it! Hope you will find exact reason!

Me too! I ran into some unrelated technical issues I'm needing to clean up (went a little to rogue with some file permissions), so things are taking a while.

Hello @Kathy Satterlee! Did you manage to achieve any results in researching the problem?

No, and I've thrown everything I've got at it. I'll get a bug report filed to get some more eyes on it, but it may be something odd with Google.

Did I understand you correctly that I need to create an issue for this problem?

I've already gotten it filed!

@Kathy Satterlee okay, thanks! I didn’t find anything related to our problem in https://github.com/fleetdm/fleet/issues, so decided to ask you.

That's odd. I'll double check in a few minutes and file again if I need to.

@Kathy Satterlee thanks!

Hey @Artem, wanted to drop a quick line here so that you knew we were still on it! Engineering is still looking into this but it's definitely looking more and more like it's something on the Google end blocking the smtp.

Hi @Kathy Satterlee! Got it, thanks! Currently we found small “workaround” via adding user with SAML access, but I hope you will find the way to solve this bug!