We are running Penpot (v2.12.1) on Windows 11 using Docker, published over HTTPS via an IIS reverse proxy for internal use. User registration appears to accept name/email/password, but no verification email is received even with correct SMTP (Office 365) credentials. When SMTP is disabled and email verification is turned off, account creation still does not allow login and always returns “Email or password is incorrect.” This occurs even for the first admin user. We suspect an issue related to authentication flow, email verification dependency, or reverse-proxy/secure-cookie handling behind IIS. Guidance is needed on the correct way to bootstrap the first admin and create users without SMTP in an internal, self-hosted setup.
The registration process creates a “register token” and typically sends a confirmation email2. When email verification is disabled or the user has been invited to a team, the session opens directly without requiring email confirmation2.
If issues persist after applying these configurations, I recommend checking:
- That your
PENPOT_PUBLIC_URIexactly matches the URL users access - Your IIS reverse proxy headers are properly forwarding the original request information
- The Docker container logs for any authentication errors
