Error: Mail command failed: 530 5.7.0 Must issue a STARTTLS command first


I am trying to set up SMTP for my RC instance. To do this, I have entered the credentials for a mail account. RC needs to log in at port 587. When I try to send a test email, I get the error message from the topic of this thread.

So how do I get RC to issue a STARTTLS command when it logs in to the mail account? (I am running various other servers and they all log in fine - just RC is acting up.)

Server Setup Information

  • Version of Rocket.Chat Server: 4.5.2
  • Operating System: Debian 11
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: enabled
  • NodeJS Version: 14.18.3
  • MongoDB Version: 5.0.6
  • Proxy: haproxy
  • Firewalls involved: pfsense

Any additional Information


Can you check whether it works with IgnoreTLS checked (if the server allows it)?

I have faced a similar issue and have been investigating it.


Sorry, forgot to mention - this is with IgnoreTLS checked.


What is the SMTP server on the other side? What other open source software have you successfully used with this same server?

I have a working deployment of this mail stack:

For research, this is where Rocket.Chat ‘mounts’ the MAIL_URL:

My mail server is mailcow which employs postfix.

I use it successfully for gitlab, onlyoffice, bitwarden, friendica and nextcloud.

They all allow turning off checking the counterparty’s SSL certificate - which is necessary in my case, as they connect directly to the mail server (on its local IP) instead of via the reverse proxy (which terminates SSL for web access). (I do copy over the reverse proxy’s SSL certificate into the mail server.)

Not sure if “IgnoreTLS” is supposed to do the same. In any case, it doesn’t work for me.


IgnoreTLS will not have effect here.

Please, can you try this?

Happy to try, but before I start I want to make sure I understand exactly what you want me to do here:

Should I do what the poster in this other thread did (and what did not work for him)? That is, install ca-certificates and copy the self-signed certificate authority certificate into the Rocket.Chat Docker container?

The certificate I am using is not a self-signed certificate. It is a proper certificate that my reverse proxy obtains from Let’s Encrypt (but which, therefore, resides on the proxy and which I then copy over to my mail server).

So, it shouldn’t be necessary to save the Let’s Encrypt (intermediate) certificate in Rocket.Chat, as it should already be trusted system-wide, right?

Or did I misunderstand and it is something else you want me to try?

So, I just tried and copied the cert file to /usr/share/ca-certificates and ran update-ca-certificates (just to be clear: I set up Rocket.Chat under Docker (via docker-compose) and I copied the certificate to the path mentioned on the host (not into the Rocket.Chat container)).

Unfortunately, no change in outcome:
Without “IgnoreTLS”: Can’t verify the first certificate
With “IgnoreTLS”: Must issue a STARTTLS command first

So it seems the only solution for me would be to have the option to skip verifying the SSL certificate. Any chance to get this implemented (or is it maybe even there, undocumented)?


Can you try setting this up in your environment?


  • MAIL_URL=smtp://user:password@smtp_server:smtp_port&secure=false&ignoreTLS=true


  • OVERWRITE_SETTING_MAIL_URL=smtp://user:password@smtp_server:smtp_port&secure=false&ignoreTLS=true

The configuration you do in the Interface will ultimately be rendered to MAIL_URL. This should add the secure=false to the SMTP connection string.

Ah, I see. So the setting is there, just not accessible through the settings page.

Unfortunately, it did not work: I used OVERWRITE_SETTINGS_MAIL_URL=smtp://user:password@smtp_server:smtp_port&secure= false &ignoreTLS=false (because I need TLS, just not the verification of the certificate) and restarted everything.

But the outcome is the same as before: unable to verify the first certificate

How can I be sure the settings override went through? On the settings page it is not reflected. Can I check somewhere which settings are actually employed?


I guess we can open an issue for that in Issues · RocketChat/Rocket.Chat · GitHub

Okay, will do.

Just to be sure: “user:password@smtp_server” I translated to “” which looks odd to me due to the two “@”. Is that the correct way? And the password ends in a “#” - might that cause a problem?

And when I create the issue, I am supposed to describe the expected outcome. Is part of the expected outcome that the settings supplied via the environment be reflected on the settings page, or is it okay that they don’t show up there (and the expected outcome would only be that the mail gets sent out)?
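On the question above about a second “@” and a trailing “#” in the credentials, the following is an added example and not part of the original thread or of Rocket.Chat's code. It assumes MAIL_URL is read as a standard URL (shown here with Node's built-in WHATWG `URL` parser); `buildMailUrl`, `inspectMailUrl` and all credentials and host names are hypothetical, constructed values.

```javascript
// Added example: how reserved characters in SMTP credentials affect a mail URL.
// Assumption: the consumer parses MAIL_URL as a standard URL (Node's URL class here).

// Build the URL with user name and password percent-encoded, because
// "@", "#", ":" and "/" are delimiters inside a URL.
function buildMailUrl({ user, password, host, port, params = {} }) {
  const auth = `${encodeURIComponent(user)}:${encodeURIComponent(password)}`;
  const query = new URLSearchParams(params).toString();
  return `smtp://${auth}@${host}:${port}${query ? "?" + query : ""}`;
}

// Parse a mail URL and report what a standard parser actually sees.
function inspectMailUrl(mailUrl) {
  let u;
  try {
    u = new URL(mailUrl);
  } catch (err) {
    return { ok: false, error: err.code || err.message };
  }
  return {
    ok: true,
    user: decodeURIComponent(u.username),
    password: decodeURIComponent(u.password),
    host: u.hostname,
    port: u.port,
    params: Object.fromEntries(u.searchParams),
    fragment: u.hash,
  };
}

// Constructed sample values (not taken from the thread).
const sample = {
  user: "rc@example.test",   // mailbox-style login containing "@"
  password: "s3cret#",       // password ending in "#"
  host: "mail.example.test",
  port: 587,
  params: { secure: "false" },
};

const encoded = buildMailUrl(sample);
// Unencoded: "#" starts the fragment, so the authority is cut short.
const raw = "smtp://rc@example.test:s3cret#@mail.example.test:587?secure=false";
// Options appended with "&" instead of "?" end up inside the port field.
const ampersand = "smtp://rcuser:pw@mail.example.test:587&secure=false";

console.log(encoded, inspectMailUrl(encoded));
console.log(inspectMailUrl(raw), inspectMailUrl(ampersand));
```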


Not really.

If you define environments like:

      - OVERWRITE_SETTING_SMTP_Host=mailhog

those should come up on the admin page. Those are used to render the MAIL_URL

Also, it should be OVERWRITE_SETTING_, considering here:

Ah, thanks.

I had copied the “OVERWRITE_SETTINGS_…” from another setting in my environment (that is associated with another feature that does not work yet - and this might explain why).

However, also with “OVERWRITE_SETTING_…” the settings do not propagate to the admin page (I stopped and removed the rocketchat container and created a new one but when navigating to the admin page I still find the old settings that do not reflect the OVERWRITE-SETTINGS…) :frowning:

I will now open an issue on GitHub.


I just set up Rocket.Chat completely new (wanted to do this for a while anyway).

So completely fresh install (with docker-compose).

I put the MAIL_URL in the environment section (this time without OVERWRITE_SETTINGS, as this is the first start). No part of the smtp setting showed up in the admin page… It’s all empty.

So now I am wondering whether there might be a problem with the environment variables (not) getting translated into actual settings (which would also explain why I can’t switch off certificate checking).

Edit: I found this GitHub issue, Environment variables are not working · Issue #11968 · RocketChat/Rocket.Chat, where the answer was that MAIL_URL is not the right setting but that one has to use


Now, this issue is four years old. Things may have changed. Just throwing it out there…

EDIT: I have tried and SMTP_Host and SMTP_Port actually do put the values onto the admin page.

SMTP_IgnoreTLS does not work for me - is that the right name for this setting?

But the more important question now is: What is the name of the setting for disabling checking the ssl certificate?



Sorry for the late response.

Were you able to get it thru?

This is where the code you are looking for lives:


Thanks for following up.

I am not familiar with JS, but the code above does not seem to contain a switch for disabling the verification of certificates. “secure” seems to be set to “false”, if I choose “smtp” as my protocol (and I assume that if I choose “smtps”, some other code would set “secure” to “true”). But that would seem to be unrelated to the verification of SSL certificates (but I may be mistaken).

And no, I was not able to get this thing to work (the way I want it to).

As a workaround I installed msmtp on the docker host and configured it to talk to my mail server and to not verify my mail server’s certificate. Then I configured RC to send emails via localhost (so that it talks to msmtp). That works but I would much rather get RC to directly talk to my mail server…