SMTP Configuration: Form rejects blank credentials, blocking auth-less relays

[zachweyland]

Title

SMTP Configuration: Form rejects blank credentials, blocking auth-less relays

Description

The SMTP configuration form requires non-empty Username and Password fields, which prevents using SMTP servers that don't require authentication (IP-whitelisted relays, local Postfix/Mailpit, etc.).

This was previously reported in #77 and #58, both closed pointing at v0.2.0. Reproduced on a clean v0.2.0 install with a wiped data volume.

Root Cause

Form-level validation requires Username and Password to be non-empty before the config can be saved. There's no path to configure the client to skip AUTH LOGIN entirely.

This matters specifically for Google Workspace's SMTP relay (smtp-relay.gmail.com:587), which authenticates by source IP. Once a client sends AUTH LOGIN, Gmail validates the credentials and rejects with 535 5.7.8 Username and Password not accepted — there is no fallthrough to the IP allowlist. So filling dummy credentials isn't a workaround, it's a hard fail.

Expected Behavior

Blank Username + Password should save successfully, and the SMTP client should connect without sending AUTH LOGIN.

Current Behavior

• Blank Username + Password → "Configuration error" / "Please fill in all required fields"
• Dummy credentials → form saves, but Gmail rejects on send with 535 5.7.8 Username and Password not accepted
• "From Email" field disappears once Username is populated, blocking the send-as-alias workaround

Environment

• dartsteven/nutify:latest-amd64 (v0.2.0)
• Docker on UGREEN UGOS Pro NAS, Portainer-managed stack
• Single profile, macvlan network, dedicated LAN IP
• Fresh install, data volume wiped before upgrade from 0.1.7.1

Verification

Confirmed the relay path itself works — curl smtp://smtp-relay.gmail.com:587 from inside the container sends mail successfully with no auth (250 2.0.0 OK). The issue is purely Nutify's form-level validation.

Solution Options

1. Allow blank credentials — skip AUTH LOGIN when both fields are empty
2. Add an explicit "No authentication" toggle — clearer UX, same effect
3. Decouple "From Email" from Username — so send-as-alias setups still work when credentials are populated

Repro

1. Email Configuration → Custom Configuration
2. SMTP Server: smtp-relay.gmail.com, Port: 587, STARTTLS on, TLS/SSL off
3. Leave Username + Password blank
4. Save → "Configuration error"

Happy to pull logs or test patches.

[DartSteven]

Please, I have created the 0.2.2 build.

Try one of these images and let me know if it fixes the issues you were experiencing. If the problem persists, please let me know so I can investigate further.

Warning

Version 0.2.2 is not backward compatible with previous releases.

The database must be recreated from scratch.

To avoid incompatible or dirty data, it is strongly recommended to start from a completely clean environment using a new empty folder.
Do not reuse files or data from older versions.

docker pull dartsteven/nutify-internal-testing:0.2.2-mac-arm64
docker pull dartsteven/nutify-internal-testing:0.2.2-amd64
docker pull dartsteven/nutify-internal-testing:0.2.2-raspberrypi4-armv7
docker pull dartsteven/nutify-internal-testing:0.2.2-raspberrypi5-arm64

[zachweyland]

Opened #144 with a fix. Tested live against dartsteven/nutify-internal-testing:0.2.2-amd64 against Google Workspace SMTP relay – full diagnosis and verification in the PR body.

[DartSteven]

Thank you very much, sorry, I hadn’t seen it.

Thanks again. Tomorrow I’ll try it locally and send you an image to test.

[DartSteven]

docker pull dartsteven/nutify-internal-testing:0.2.2.1-amd64

I did not apply your patch as a byte-for-byte cherry-pick.
I applied an equivalent, slightly broader implementation adapted to this branch.

What I changed differently, and why

Patched additional no-auth execution paths beyond the original PR scope

Files:

• mail.py
• api_mail.py

Why:

In this codebase, there are runtime/test flows that still attempted password decryption unconditionally.
This breaks no-auth relays even if config save works.

I updated those paths so password decryption is required only when a username is configured.

---

Kept the core PR logic for SMTP auth handling, integrated into the current local code layout

In get_msmtp_config

• auth is off when both username and password are blank.
• Validation rejects only inconsistent pairs:
  • username without password
  • password without username

In save_mail_config

• New no-auth configs are accepted with username/password empty.
• Password is stored as None for no-auth.

In test_email_config

• No-auth test works without forcing password lookup.
• Existing-password fallback is used only for authenticated SMTP.

Why:

Same behavior target as the PR, but merged with the branch-specific current implementation.

---

Added the domain directive for msmtp EHLO with safe derivation

Added a helper to derive the domain from from_email first, then fall back to the SMTP host.

Why:

This prevents EHLO localhost behavior on strict relays, for example Google Workspace SMTP relay, matching the PR intent.

---

Improved generic msmtp error surfacing

In interpret_email_error, when a generic tmp/msmtp error appears, I now include useful tail lines from stderr/log when available.

Why:

This makes troubleshooting actionable for relay/auth/TLS issues instead of returning only Configuration Error.

---

Frontend delta vs PR

Your current frontend already had:

• From Email always visible.
• Username field not marked required.

So I did not need to re-apply those exact UI hunks from the patch.

Why:

They were already present in this branch.

---

Result

Behavior-equivalent to the patch goal, plus branch-specific fixes so no-auth works end-to-end in:

• save
• test
• runtime notification sending

[zachweyland]

Tested 0.2.2.1-amd64 against the Google Workspace SMTP relay setup that
originally triggered #141. Backend changes look solid as far as I could tell:

• Saving a no-auth relay config works
• Test Email returns success: true and the message delivers
• The improved error surfacing is a nice quality-of-life upgrade

One piece on the frontend side though: the saved no-auth config doesn't
appear in the Event Matrix's mail-config dropdown for any event. The dropdown
opens but the options list is empty (screenshot attached), so the config
can't be wired up to UPS notifications.

The cause looks like a config.username.trim().length > 0 filter still in
place in NotifySection.tsx and MailSection.tsx that excludes blank-username
configs from the selector. Dropping that one condition from the .filter()
call would let saved no-auth configs surface. ReportsPage.tsx has a similar
spot where the config-label fallback empty-strings when the username is blank,
so a saved no-auth config would render as a blank label there too.

Thanks again for the fast turnaround on this.

[DartSteven]

docker pull dartsteven/nutify-internal-testing:0.2.2.2-amd64

I’ve created a fix and also made a small backend adjustment for events, dashboards and related views when the password field is empty.

If you have some time, could you please test it? Ideally by simulating events, or even by physically unplugging the UPS USB cable, if that is convenient and safe for your setup.

....and thank you so much again for your help. You have been incredibly kind and helpful, especially because you explain very clearly what I should check and what I should do.

Once I have pushed the final 0.2.2 version, I would also like to ask you something: if you are interested and have time, would you be willing to help me more regularly with the project?

Of course, there is no pressure at all. I really appreciate the help you have already given me.

Thank you very much!

[zachweyland]

Tested 0.2.2.2-amd64 on the NAS end-to-end. The saved no-auth Google Workspace
relay config now shows up in the Notify Event Matrix dropdown. Wired it to all
events and ran through them:

• USB unplug: COMMBAD + NOCOMM emails
• USB reconnect: COMMOK
• Wall power pull: ONBATT
• Wall power restore: ONLINE

Five events in under a minute, all delivered cleanly with the full HTML render
(branding, runtime/load/voltage stats, trend snapshots). Looks great from this
side.

And on the bigger ask, yeah, I'd love to help in any way I can. Nutify's been
a solid piece of my home setup for a while now, so getting to contribute back
would be cool. Just let me know what would be most useful.