Kulisch Posted April 27, 2022
A production-ready fullstack but simple mail server (SMTP, IMAP, LDAP, Antispam, Antivirus, etc.). Only configuration files, no SQL database. Keep it simple and versioned. Easy to deploy and upgrade. Documentation via MkDocs. Please post any questions/issues relating to this docker you have in this thread. If you need help but are not using unRAID, then please do not post here.
Links: Github, Documentation, Environment variables, Your best friend setup.sh, Docker Hub
TheBurgundyBear Posted April 29, 2022
Thank you for this, @Kulisch! The one part that I'm having difficulty with is the SSL type and SSL mount path. I use Nginx Proxy Manager on UNRAID. Would the SSL path be to a letsencrypt folder in the Nginx Proxy Manager appdata?
Kulisch Posted April 29, 2022 (edited)
During testing I noticed that the Key Path is NOT a variable. This is wrong and must be corrected. I will adjust the template as soon as possible. Update: Fixed the template.
There are several ways to set up SSL. I'm using Swag as a reverse proxy to get my letsencrypt certificates. The certificates are saved in the following paths:
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/cert.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/privkey.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/chain.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/fullchain.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/priv-fullchain-bundle.pem
That means I use letsencrypt as SSL_TYPE and Mount SSL Path: Host path: /mnt/user/appdata/swag/etc/letsencrypt/ Container: /etc/letsencrypt/
It is important with the letsencrypt option that the domain is recognized in the directory name. The mail server checks for <example.com> or <mail.example.com> depending on what was configured. Something like: /etc/letsencrypt/live/<example.com>/fullchain.pem or /etc/letsencrypt/live/<mail.example.com>/fullchain.pem
If this is not possible, then choose SSL_Type as manual. Then it is important to specify where the certificates are located in the container. The variables are already in Show more settings ...
1. Path: Mount SSL Path Host: /mnt/user/appdata/swag/etc/letsencrypt/ Container: /etc/letsencrypt/
2. Environment Variable: SSL_Type = manual SSL_CERT_PATH = /etc/letsencrypt/live/example.com/fullchain.pem SSL_KEY_PATH = /etc/letsencrypt/live/example.com/privkey.pem
Edited April 30, 2022 by Kulisch: Fixed template
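The lookup described in the post (letsencrypt: the live/ directory must be named after the hostname or the domain; manual: SSL_CERT_PATH and SSL_KEY_PATH are taken as given) is easy to get wrong when the host path and the container path of the mount do not line up. The script below is an added example, not code from docker-mailserver or from this thread: it resolves the paths the way the post describes (the exact order the container tries them in is an assumption here) and runs cheap structural checks on the PEM files, so a swapped cert/key pair or a missing intermediate shows up before the first client connects. The demo builds a placeholder /etc/letsencrypt tree in a temporary directory.

```python
"""Resolve and sanity-check the TLS files a docker-mailserver container will use.

Added example (not code from the docker-mailserver project or the forum post).
With SSL_TYPE=letsencrypt the post says the server looks for
/etc/letsencrypt/live/<hostname>/ or /etc/letsencrypt/live/<domain>/;
with SSL_TYPE=manual it uses SSL_CERT_PATH / SSL_KEY_PATH verbatim.
The hostname-first order used here is an assumption.
"""
import os
import tempfile
from typing import Dict, List, Optional, Tuple

PEM_CERT = b"-----BEGIN CERTIFICATE-----"
PEM_KEY_MARKERS = (b"-----BEGIN PRIVATE KEY-----",
                   b"-----BEGIN RSA PRIVATE KEY-----",
                   b"-----BEGIN EC PRIVATE KEY-----")


def resolve_tls_material(ssl_type: str, hostname: str, domain: str,
                         letsencrypt_root: str = "/etc/letsencrypt",
                         cert_path: Optional[str] = None,
                         key_path: Optional[str] = None) -> Tuple[str, str]:
    """Return (cert, key) paths as seen inside the container, or raise listing every location tried."""
    ssl_type = ssl_type.lower()
    if ssl_type == "manual":
        if not (cert_path and key_path):
            raise ValueError("SSL_TYPE=manual needs SSL_CERT_PATH and SSL_KEY_PATH")
        missing = [p for p in (cert_path, key_path) if not os.path.isfile(p)]
        if missing:
            raise FileNotFoundError(f"manual TLS files not present in the container: {missing}")
        return cert_path, key_path
    if ssl_type == "letsencrypt":
        tried: List[str] = []
        # The directory name must carry the domain: <mail.example.com> or <example.com>.
        for name in (hostname, domain):
            live = os.path.join(letsencrypt_root, "live", name)
            cert = os.path.join(live, "fullchain.pem")
            key = os.path.join(live, "privkey.pem")
            tried.append(live)
            if os.path.isfile(cert) and os.path.isfile(key):
                return cert, key
        raise FileNotFoundError(f"no fullchain.pem + privkey.pem under any of {tried}; "
                                "check the Mount SSL Path host/container mapping")
    raise ValueError(f"unsupported SSL_TYPE {ssl_type!r}")


def check_pem_pair(cert_path: str, key_path: str) -> List[str]:
    """Structural checks that catch the usual mount mistakes: swapped files, chain missing."""
    problems: List[str] = []
    with open(cert_path, "rb") as fh:
        cert_data = fh.read()
    with open(key_path, "rb") as fh:
        key_data = fh.read()
    if PEM_CERT not in cert_data:
        problems.append(f"{cert_path}: no PEM certificate found")
    elif cert_data.count(PEM_CERT) < 2:
        problems.append(f"{cert_path}: only one certificate; fullchain.pem should also hold the intermediate")
    if not any(m in key_data for m in PEM_KEY_MARKERS):
        problems.append(f"{key_path}: no PEM private key found")
    if PEM_CERT in key_data:
        problems.append(f"{key_path}: contains a certificate, cert and key paths look swapped")
    return problems


def _fake_pem(marker: str, n: int = 1) -> bytes:
    """Constructed placeholder PEM blocks (not real key material) for the offline demo."""
    return (f"-----BEGIN {marker}-----\nPLACEHOLDER\n-----END {marker}-----\n".encode()) * n


def demo() -> Dict[str, object]:
    """Build a fake letsencrypt tree for example.com only and run both checks against it."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "live", "example.com")
    os.makedirs(live)
    with open(os.path.join(live, "fullchain.pem"), "wb") as fh:
        fh.write(_fake_pem("CERTIFICATE", 2))
    with open(os.path.join(live, "privkey.pem"), "wb") as fh:
        fh.write(_fake_pem("PRIVATE KEY"))
    # No directory for mail.example.com exists, so the lookup must fall back to example.com.
    cert, key = resolve_tls_material("letsencrypt", "mail.example.com", "example.com", root)
    try:
        resolve_tls_material("letsencrypt", "mail.example.com", "example.com", root + "/wrong")
        missing = ""
    except FileNotFoundError as exc:
        missing = str(exc)
    return {
        "resolved_dir": os.path.basename(os.path.dirname(cert)),
        "problems_ok": check_pem_pair(cert, key),
        "problems_swapped": check_pem_pair(key, cert),   # SSL_CERT_PATH / SSL_KEY_PATH mixed up
        "missing_error": missing,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it from a shell inside the container (or point `letsencrypt_root` at the host-side appdata path) to confirm the files the server will pick up are the ones you intended.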
TheBurgundyBear Posted April 30, 2022
Thank you, @Kulisch! Your instructions are very thorough and clear. I think I have this pretty much working now. I don't know if you know much about Nginx Proxy Manager (I used to use Swag). But when you create the letsencrypt keys, you need to specify a port. Do you happen to know which port that would be since a mail server uses several ports?
Kulisch Posted April 30, 2022 (edited)
As I see it, you can get the certificates through the NginxProxyManager via HTTP or DNS Challenge. With HTTP Challenge LE (Letsencrypt) makes the request exclusively over port 80. Therefore it is important that your router listens on port 80 and then forwards the port you configured for the application to the proxy. LE -> HTTP 80 (TCP) -> 80:Router:11180 -> HTTP 11180 (TCP) -> NginxProxy (Custom or Unraid IP). As long as the web port is not the same as one of the mail server ports or the Unraid webinterface you can choose whatever you want. DNS: Have no experience in that one. Maybe this info will help you. If you have further questions about the NginxProxyManager, please use the appropriate forum.
Edited April 30, 2022 by Kulisch
Bulletoverload Posted May 20, 2022 (edited)
I am new to some of these things and may need some help, if you don't mind. I have the server running and I added my user/password. No issues there. I have SSL off for now until I can get the basic functionality working. Logs aren't really showing any issues. Through NGINX proxy manager and duckdns, I have two domains: mailin.duckdns.org and mailout.duckdns.org. Both are forwarding to the appropriate internal addresses, 192.168.1.3:143 and 192.168.1.3:25, respectively. I have NGINX working with many other projects so I don't think that is the issue. When I attempt to connect to the server via SMTP (No SSL) using those domains, I cannot get through. Any ideas?
UPDATE: When I attempt to go to these domains through a web-browser, I get non-smtp command errors, which proves the domains/NGINX are configured correctly. I still just cannot login. I tried outlook and one other mail client but no luck. So far I've gotten "* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN AUTH=LOGIN] Dovecot (Debian) ready. GET BAD Error in IMAP command received by server. Host: BAD Error in IMAP command received by server. * BYE Too many invalid IMAP commands." and "220-mail.REDACTED.org ESMTP 521 5.7.0 Error: I can break rules, too. Goodbye."
Edited May 20, 2022 by Bulletoverload
Kulisch Posted May 20, 2022
I'm not sure if I just understood this correctly, but if you are trying to use the NGINX reverse proxy to forward the communication to the email server then this is not possible. The port forwardings like SMTP 25 143 465 587 etc... should not be forwarded to the reverse proxy but must be forwarded to the mail server (192.168.1.3) directly. The mail server itself does not have a web interface via port 80 or 443. For this an additional container like Roundcube would have to be installed to have a WebUI. But this is another topic and should only be addressed when the mailserver itself is working.
Make sure you have a static IP address and not a dynamic one. Because dynamic addresses are declared as spam and for mailing this is practically useless.
First of all I would try the following to make sure the mailserver is configured correctly. The server is running without SSL for now, which is fine for local connections. If the mail server is in your local network (not on the internet) you can try to connect directly to it with a mail client (Thunderbird for example). First create two accounts ([email protected] & [email protected] for example). As SMTP Host and Outgoing Server you use your IP address 192.168.1.3. Accordingly you use [email protected] and [email protected] as username and the password which you have chosen. If the server allows connections (even if over non SSL for now) and you can send and receive mails to another account on the same server, that means the server itself is working.
The connections from outside I would just check by making sure that the ports 25 143 etc. are forwarded to your mail server 192.168.1.3. There are certain websites that check if the connection to the mail server can be established, and if and how secure the connection itself is. Or use a smartphone mail client outside your WIFI to check if a connection can be established. Also make sure that the duckdns MX records are set correctly. These are also important. If the connection works outside and you can send an address from bob (sender) to max (receiver), most things will work. But after that you should definitely configure SSL because unencrypted connections should definitely be avoided for production use cases.
If your mails to GMail, iCloud, or other providers are declaring your mails as spam, I would check if your domain appears in the DNSBL. If so, you can make a request that this can be taken out. I hope that this big amount of information does not overwhelm you. I hope I could help you.
Bulletoverload Posted May 21, 2022
Thanks a ton for such an informational response. Ya, I had a lapse in understanding. I was thinking I could use NGINX to direct all of my web traffic and never open ports on my router again, but NGINX is specifically only listening on ports 80 and 443, meaning there is no way the SMTP requests would have gone anywhere. Am I understanding that correctly?
Kulisch Posted May 21, 2022
That is correct. The requests to the reverse proxy are HTTP/HTTPS (80/443) requests only. Since SMTP, IMAP etc. do not belong to this category, no communication can take place. Therefore the error messages you mentioned show that the SMTP requests are invalid. As described, the router must forward these ports directly to the mail server. As soon as this is enabled, SSL should definitely be configured.
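The quickest way to tell whether a mail port really lands on the mail server, rather than on an HTTP reverse proxy, is to connect and wait for the greeting: Postfix and Dovecot speak first, an HTTP proxy waits for a request and says nothing. The script below is an added example, not code from the thread or from docker-mailserver; it automates the `nc <host> 25` check Kulisch uses further down and classifies the greeting. For 465 and 993 it wraps the connection in TLS first, so a certificate that does not match the hostname is reported as well. The demo endpoints are constructed local listeners.

```python
"""Banner smoke test for mail ports.

Added example, not from the forum thread or docker-mailserver. It connects,
lets the server speak first and classifies the greeting. An HTTP reverse
proxy sends nothing until it sees a request, so a mail port routed through
one shows up as 'silent'. Ports 465 and 993 are wrapped in TLS first, which
also verifies the certificate against the hostname.
"""
import socket
import ssl
import sys
import threading
from typing import Dict, Optional

IMPLICIT_TLS_PORTS = {465, 993}


def classify_banner(banner: bytes) -> str:
    """Map a server greeting to the service that produced it."""
    text = banner.decode("ascii", "replace").lstrip()
    if not text:
        return "silent"        # nothing sent: web proxy, tarpit, or not a mail service at all
    if text.startswith("220"):
        return "smtp"          # Postfix greeting (also the "220-... 521 ..." reject quoted above)
    if text.startswith("* OK"):
        return "imap"          # Dovecot greeting
    if text.startswith("HTTP/"):
        return "http"          # a web server answered without being asked
    return "unknown"


def probe_banner(host: str, port: int, timeout: float = 3.0,
                 use_tls: Optional[bool] = None) -> Dict[str, str]:
    """Connect to host:port (TLS-wrapped for 465/993 by default) and report what greeted us."""
    if use_tls is None:
        use_tls = port in IMPLICIT_TLS_PORTS
    result = {"host": host, "port": str(port), "protocol": "", "banner": "", "error": ""}
    try:
        sock: socket.socket = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(protocol="unreachable", error=str(exc))
        return result
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            try:
                sock = ctx.wrap_socket(sock, server_hostname=host)
            except ssl.SSLCertVerificationError as exc:
                result.update(protocol="tls-cert-mismatch", error=exc.verify_message)
                return result
            except ssl.SSLError as exc:
                result.update(protocol="tls-handshake-failed", error=str(exc))
                return result
        try:
            banner = sock.recv(1024)
        except (socket.timeout, TimeoutError):
            banner = b""       # server never spoke within the timeout
        result["banner"] = banner.decode("ascii", "replace").strip()
        result["protocol"] = classify_banner(banner)
        return result
    finally:
        sock.close()


def _fake_listener(banner: bytes) -> int:
    """Constructed fixture: a one-shot 127.0.0.1 listener that sends `banner` (possibly nothing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            conn.settimeout(5)
            try:
                conn.recv(1)   # hold the connection open until the client hangs up
            except OSError:
                pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo() -> Dict[str, str]:
    """Probe a Postfix-like greeter, a silent HTTP-proxy-like listener and a closed port."""
    smtp_port = _fake_listener(b"220 mail.example.com ESMTP Postfix\r\n")
    proxy_port = _fake_listener(b"")
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    return {
        "smtp": probe_banner("127.0.0.1", smtp_port, timeout=1.0, use_tls=False)["protocol"],
        "proxy": probe_banner("127.0.0.1", proxy_port, timeout=1.0, use_tls=False)["protocol"],
        "closed": probe_banner("127.0.0.1", closed_port, timeout=1.0, use_tls=False)["protocol"],
    }


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(demo())
    else:
        for port in (25, 143, 465, 587, 993):
            print(probe_banner(sys.argv[1], port))
```

Run `python3 probe.py mail.example.com` from outside your own network: every port should come back as `smtp` or `imap`; `silent` on 25/143/587 means the forward ends at something that is not the mail server, and `tls-cert-mismatch` on 465/993 means the certificate does not cover the name clients connect to.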
Bulletoverload Posted May 22, 2022 (edited)
Thanks a ton for your help here and your info above. I've been able to get everything working 95%, including SSL via NGINX. I can receive email, but cannot send. Below are some logs and my settings. Currently I am using ports 993 and 465, but all are port-forwarded currently for testing purposes. Are these the two I should be using? None are working for submission, so...appreciate any insights!
Incoming: *username* *password* *server IP*:993 SSL/TLS SPA Off
Outgoing: *Server IP*:465 SSL/TLS Outgoing SMTP requires Authentication: On and using same credentials as incoming
LOGS
--UPDATE-- Unless you have any ideas, I think the problem is that Verizon blocks outbound:25 by default. I may be out of luck...
Edited May 23, 2022 by Bulletoverload
Kulisch Posted May 23, 2022 (edited)
root@NotUnraid:~ $ nmap 209.222.82.253 -p 25 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2022-05-23 08:17 CEST
Nmap scan report for mail.ess.barracuda.com (209.222.82.253)
Host is up (0.12s latency).
PORT STATE SERVICE
25/tcp open smtp
Nmap done: 1 IP address (1 host up) scanned in 5.90 seconds
root@NotUnraid:~ $ nc 209.222.82.253 25
220 mail.ess.barracuda.com ESMTP (mx-inbound20-134.us-east-2b.ess.aws)
It is best to try the same commands (vm, live linux, raspi, etc) as I did above. If this does not work for several target mail servers, then a blockage would not be impossible. Maybe it is also blocked at the router. If not, ask your provider. If 25 SMTP works, or partially, check if you can send mail to other addresses like gmail, microsoft, protonmail etc. Otherwise check again if you are forwarding all ports correctly and you are using the right ports on the client (SSL/TLS). If necessary check your domain at DNSBWL as mentioned in previous post.
Edited May 23, 2022 by Kulisch
Bulletoverload Posted May 23, 2022
Ran what you suggested:
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
4567/tcp open tram
Everything is open. These are just checking for inbound ports, no? My concern is that I think my ISP is blocking outbound 25. Does mail-server only use 25 for outgoing mail or can I swap/select something else? Not talking about mail client -> server but server actually sending out the mail. So far, I have tried emailing like 5 different emails, all various hosters, and nothing can get through.
Kulisch Posted May 23, 2022
As mentioned before, you can check your router and ask your ISP if outgoing SMTP is allowed or not. Do you have a static public IP address? You can set other ports for incoming connections, but how it is for outgoing requests, I can't tell you. I did not have such a case. Sorry.
Alfy1080 Posted June 7, 2022
Hello. I'm trying to use sendgrid as a relay for outbound emails and I can't get this to work in any way. I'm doing this because even though my ISP did unblock port 25 for me upon my request, I immediately was blocked by google with the following message:
smtp postfix/smtp[4920]: DFF6230000000742177: to=<example@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.27.27]:25, delay=1.1, delays=0.01/0/0.79/0.26, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.1 [188.24.XX.XX 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for more information. h13-20020a1709063c0d00b006ff19100b37si8253899ejg.616 - gsmtp (in reply to end of DATA command))
I've configured my DNS according to sendgrid's setup guide and created an API key for the sendgrid SMTP relay. Once that was done I changed my container's configuration as follows: In advanced view in extra parameters: --hostname smtp.sendgrid.net --restart always --cap-add=NET_ADMIN --cap-add=SYS_PTRACE
Based on the documentation from here https://docker-mailserver.github.io/docker-mailserver/edge/config/advanced/mail-forwarding/relay-hosts/#sender-dependent-relay-host= I ran the following command: setup.sh relay add-auth mydomain.net apiuser apikey
Which created a postfix-sasl-password.cf file with the correct info from the above command. Then I ran this next command: setup.sh relay add-domain mydomain.net smtp.sendgrid.net 465
Which created a postfix-relaymap.cf file with the correct info from the above command. I then restarted the container and sent a test email to a gmail address (sendgrid wants to verify that the configuration is correct by sending an email from the server with the new configuration). I once again got the same error that I was getting before saying that my email is most likely unsolicited and sendgrid says that they did not pick up my test email yet:
Since the email never goes anywhere near sendgrid I am assuming I misconfigured something so can you please help me identify what I've done wrong in this whole process? Let me know if you need any further details about my configuration.
Kulisch Posted June 7, 2022
Hey @Alfy1080 Since I haven't worked with relays, I can't really give you any help specifically on this topic.
5 hours ago, Alfy1080 said: smtp postfix/smtp[4920]: DFF6230000000742177: to=<example@gmail.com>, relay=gmail-smtp-in.l.google.com[142.250.27.27]:25, delay=1.1, delays=0.01/0/0.79/0.26, dsn=5.7.1, status=bounced (host gmail-smtp-in.l.google.com[142.250.27.27] said: 550-5.7.1 [188.24.XX.XX 12] Our system has detected that this message is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1 https://support.google.com/mail/?p=UnsolicitedMessageError 550 5.7.1 for more information. h13-20020a1709063c0d00b006ff19100b37si8253899ejg.616 - gsmtp (in reply to end of DATA command))
This can happen for different reasons. Maybe because in the past the IP was used by another user for spam purposes and/or was/is a dynamic IP. If your IP/domain appears in the blacklist, you would have to make a request that it is whitelisted again. Check if the IP is listed and make a request for a whitelist. There are many options to check and whitelist IPs and Domains. https://check.spamhaus.org Sorry that I can't give you the help you need.
Sulframus Posted July 5, 2022
Hi, I seem to be struggling with getting some parts right. I use Cloudflare as my DNS provider, where I already have my MX and TXT records set up and have the .pem and .key locations set up in the template for manual. I have forwarded all the ports used by the docker at the moment for testing purposes onto the IP of the unraid server. Thunderbird does recognize these records, as it autofills the configuration with IMAP. However after this part it's when things start falling apart - when trying to login, I get a message saying "Unable to log in at server. Probably wrong configuration, username or password." I have checked the username and password, which were correct. As there is not a specific error message, I am unsure what would be misconfigured. Would anybody happen to know what can be causing this issue and possibly the fix?
Kulisch Posted July 6, 2022
10 hours ago, Sulframus said: However after this part it's when things start falling apart - when trying to login, I get a message saying "Unable to log in at server. Probably wrong configuration, username or password." I have checked the username and password, which were correct. As there is not a specific error message, I am unsure what would be misconfigured. Would anybody happen to know what can be causing this issue and possibly the fix?
Before you start, I hope you have Fail2Ban deactivated in the environment variables to make sure you don't get banned after some "failed" login attempts. The question is how you login. Do you use the username (<- wrong) and password or [email protected] (<- right) with the password you set up. You can create a test account and delete it. Try something like [email protected] with password 123456. If that works just check the differences between your account name and password complexity (special characters, numeric- alpha numeric and whatsoever). Which commands did you use for the setup and configuration?
Sulframus Posted July 6, 2022
Thanks for the heads-up on the F2B, didn't decide to turn it off yet. Not sure if I may have gotten banned as the logs are not showing any alerts, what is the default duration for ban, or where would be the bans located, so I can clear them out? I have used [email protected] for the login in Thunderbird, which was already created prior in the console of the docker by going to the bin folder and running "setup email add [email protected] password". I did however use special characters during the setup. I will try later today again with a second account with basic password. Thank you.
Sulframus Posted July 6, 2022
To correct myself on the first part. Seems like F2B was disabled, as that's what is default to the template. Using the test account, I was able to connect to the account now in Thunderbird and same for the original mail account when I updated the password to something basic.
Now I have a new problem, which seems quite stupid. In Thunderbird when sending the first mail I get a warning "Sending of the message failed. Peer's Certificate issuer is not recognized. The configuration related to mail.domain.com must be corrected". As mentioned in my previous comment, I am using manual certificates provided by Cloudflare. I have a MX record created with name domain.com to point to mail.domain.com. Sending mails between the two local accounts doesn't do anything and trying to send a mail from a different SMTP server, such as Gmail yields error that "mail.domain.com could not be found". I have also tried adding e-mail routing in Cloudflare, which I don't think should be necessary, but no change.
Kulisch Posted July 7, 2022 (edited)
16 hours ago, Sulframus said: Now I have a new problem, which seems quite stupid. In Thunderbird when sending the first mail I get a warning "Sending of the message failed. Peer's Certificate issuer is not recognized. The configuration related to mail.domain.com must be corrected". As mentioned in my previous comment, I am using manual certificates provided by Cloudflare.
If you try to send the mail, does the warning appear in Thunderbird or Docker logs? If there is a certificate error, maybe you don't have one for the tld (domain.com). I had also an error. After creating a certificate for domain.com and reconfiguring the account in thunderbird, the problem didn't appear again. Certs for the subdomain (webmail.domain.com, mail.* smtp.* imap.*) were already there. If this doesn't work... What does the mailserver show in the docker logs after sending the mail? Does it find the cert files? Which configuration did you use for "Key_Path" (ENV) "Cert_Path" (ENV) and "Mount SSL Path:" (Docker Mount). Can you find the cert files inside the container?
16 hours ago, Sulframus said: I have a MX record created with name domain.com to point to mail.domain.com. Sending mails between the two local accounts doesn't do anything and trying to send a mail from a different SMTP server, such as Gmail yields error that "mail.domain.com could not be found". I have also tried adding e-mail routing in Cloudflare, which I don't think should be necessary, but no change.
Note: Recently I bought a new domain for the mailserver and I configured it like this. The censored A records are public IP addresses (example: 123.123.123.123) and the MX record has the TLD. (example: domain.com). NOT mail.domain.com. I'm not creating DNS entries very often but this setup works for me.
I have the following domain certs: domain.com, webmail.domain.com, smtp.domain.com, mail.domain.com, imap.domain.com
After trying to send some mails, some providers (GMail in my case) started whining that I didn't configure DKIM so I created that. setup.sh config dkim keysize 2048 domain 'domain.com'
After that, sending and receiving was no problem anymore. And check the following: --hostname mail.domain.com ..."Extra Parameters" in "Advanced View". I hope this information helps.
Edited July 7, 2022 by Kulisch
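The DNS shape Kulisch ends up with (MX on the bare domain pointing at mail.domain.com, an A record with the public IP on that host, the container --hostname set to the same name, a DKIM key published after `setup.sh config dkim`) is what Gmail's "mail.domain.com could not be found" and the later DKIM complaints were checking for. The linter below is an added example, not code from the thread or from docker-mailserver: it runs those rules over a zone given as a plain dictionary, so it works offline; a live version would fill the dictionary from DNS queries. The DKIM selector `mail` is an assumed default here (the selector is a parameter of `setup.sh config dkim`), and the zones and the public key value are constructed placeholders.

```python
"""Lint the DNS layout a small self-hosted mail server needs.

Added example, not from the forum or docker-mailserver. Rules: the MX lives on
the bare domain and points at the mail host by name, the mail host has an
A/AAAA record, the container --hostname matches that name, a DKIM key is
published, and the certificate covers the hostname clients connect to.
The zone is a constructed dictionary so the check runs offline.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Zone = Dict[Tuple[str, str], List[str]]   # (owner name, record type) -> record data


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def lint_mail_dns(domain: str, zone: Zone, mail_hostname: str,
                  dkim_selector: str = "mail", cert_names: Iterable[str] = ()) -> List[str]:
    """Return findings; an empty list means the layout matches the expected shape."""
    findings: List[str] = []
    apex_mx = zone.get((domain, "MX"), [])
    if not apex_mx:
        findings.append(f"no MX record on {domain}; mail for @{domain} has nowhere to go")
    if zone.get((mail_hostname, "MX")):
        findings.append(f"MX record sits on {mail_hostname}; it belongs on {domain} with {mail_hostname} as target")
    for rr in apex_mx:
        target = rr.split()[-1].rstrip(".")   # "10 mail.example.com." -> mail.example.com
        if _is_ip_literal(target):
            findings.append(f"MX target {target} is an IP address; MX must point at a hostname")
            continue
        if not (zone.get((target, "A")) or zone.get((target, "AAAA"))):
            findings.append(f"MX target {target} has no A/AAAA record; remote servers report it as not found")
        if target != mail_hostname:
            findings.append(f"MX target {target} differs from the container --hostname {mail_hostname}")
    dkim_name = f"{dkim_selector}._domainkey.{domain}"
    if not any(t.startswith("v=DKIM1") for t in zone.get((dkim_name, "TXT"), [])):
        findings.append(f"no DKIM key at {dkim_name}; run setup.sh config dkim and publish the TXT record")
    names = set(cert_names)
    if names and mail_hostname not in names:
        findings.append(f"certificate covers {sorted(names)} but not {mail_hostname}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Two constructed zones: the working layout from the thread, and the common mistake."""
    good: Zone = {
        ("example.com", "MX"): ["10 mail.example.com."],
        ("example.com", "A"): ["203.0.113.10"],
        ("mail.example.com", "A"): ["203.0.113.10"],
        ("mail._domainkey.example.com", "TXT"): ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
    }
    broken: Zone = {
        ("mail.example.com", "MX"): ["10 mail.example.com."],   # MX placed on the mail host, not the apex
        ("example.com", "A"): ["203.0.113.10"],                 # and no A record for mail.example.com
    }
    certs = ("example.com", "mail.example.com", "smtp.example.com", "imap.example.com", "webmail.example.com")
    return {
        "good": lint_mail_dns("example.com", good, "mail.example.com", cert_names=certs),
        "broken": lint_mail_dns("example.com", broken, "mail.example.com", cert_names=certs),
    }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or ["ok"])
```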
Sulframus Posted July 7, 2022

9 hours ago, Kulisch said:
If you try to send the mail, does the warning appear in Thunderbird or in the Docker logs? If there is a certificate error, maybe you don't have one for the TLD (domain.com). I also had an error. After creating a certificate for domain.com and reconfiguring the account in Thunderbird, the problem didn't appear again. Certs for the subdomains (webmail.domain.com, mail.*, smtp.*, imap.*) were already there. If this doesn't work: what does the mail server show in the Docker logs after sending the mail? Does it find the cert files? Which configuration did you use for "Key_Path" (ENV), "Cert_Path" (ENV) and "Mount SSL Path:" (Docker mount)? Can you find the cert files inside the container?
Note: Recently I bought a new domain for the mail server and I configured it like this. The censored A records are public IP addresses (example: 123.123.123.123) and the MX record has the TLD (example: domain.com), NOT mail.domain.com. I'm not creating DNS entries very often, but this setup works for me. I have the following domain certs: domain.com, webmail.domain.com, smtp.domain.com, mail.domain.com, imap.domain.com. After trying to send some mails, some providers (Gmail in my case) started whining that I hadn't configured DKIM, so I created that: setup.sh config dkim keysize 2048 domain 'domain.com'. After that, sending and receiving was no problem anymore. And check the following: --hostname mail.domain.com ... "Extra Parameters" in "Advanced View". I hope this information helps.

No warnings in Thunderbird, but even without sending anything I am being flooded in the DMS logs with some connection and losing connection after EHLO from a Mexican domain, which I don't know at all. After blocking that IP in the firewall, the flood stopped.
During the time when I send the mail I get the following logs:

postfix/submission/smtpd[1984]: connect from Thunderbird.localproxy[localipofdocker]
postfix/submission/smtpd[1984]: Anonymous TLS connection established from thunderbird.localproxy[localipofdocker]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25510 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
postfix/submission/smtpd[1984]: E48BB3B00000003A2672: client=Thunderbird.localproxy[localipofdocker], sasl method=PLAIN, [email protected]
postfix/sender-cleanup/cleanup[1987]: E48BB3B00000003A2672: message-id=<[email protected]>
postfix/sender-cleanup/cleanup[1987]: E48BB3B00000003A2672: replace: header MIME-version: 1.0 from Thunderbird.localproxy[localipofdocker]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<[localipofdocker]>: Mime-version: 1.0
opendkim[748]: E48BB3B00000003A2672: no signing table match for '[email protected]'
opendkim[748]: E48BB3B00000003A2672: no signature data
postfix/qmgr[1481]: E48BB3B00000003A2672: from=<[email protected]>, size=372, nrcpt=1 (queue active)
postfix/submission/smtpd[1984]: disconnect from Thunderbird.localproxy[localipofdocker] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
dovecot: imap([email protected])<1949><HXKMbDnjSoSsEwAU>: Logged out in=639 out=1302 deleted=0 expunged=0 trashed=0 hdr_count=0 hdr_bytes=0 body_count=0 body_bytes=0
postfix/smtpd-amavis/smtpd[1992]: connect from localhost[127.0.0.1]
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
postfix/smtpd-amavis/smtpd[1992]: B131E3B0000003A267E: client=localhost[127.0.0.1]
postfix/cleanup[1993]: B131E3B0000003A267E: message-id=<[email protected]>
postfix/qmgr[1481]: B131E3B0000003A267E: from=<[email protected]>, size=585, nrcpt=1 (queue active)
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
amavis[1503]: (01503-01) Passed CLEAN {RelayedInbound}, [172.19.0.20]:51820 <[email protected]> -> <[email protected]>, Queue-ID: E48BB3B0000003A2672, Message-ID: <[email protected]>, mail_id: w_XsSRLpFw4Q, Hits: 1.975, size: 338, queued_as: B131E3B0000003A267E, 785 ms
postfix/smtp-amavis/smtp[1988]: E48BB3B0000003A2672: to=<[email protected]>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.82, delays=0.03/0.01/0.01/0.78, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B131E3B0000003A267E)
postfix/qmgr[1481]: E48BB3B0000003A2672: removed
postfix/local[1994]: B131E3B0000003A267E: to=<[email protected]>, relay=local, delay=0.05, dealys=0.02/0.01/0.01, dsn=5.1.1, status=bounced (unknown user: "admin")
postfix/cleanup[1993]: BAC593B000000A2680: message-id=<[email protected]>
postfix/bounce[1999]: B131E3B0000003A267E: sender non-delivery notification: BAC593B0000003A2680
postfix/qmgr[1481]: BAC593B0000003A2680: from=<>, size=2510, nrcpt=1 (queue active)
postfix/trivial-rewrite[1986]: warning: do not list domain mail.domain.com in BOTH mydestination and virtual_mailbox_domains
postfix/qmgr[1481]: B131E3B0000003A267E: removed
postfix/local[1994]: BAC593B0000003A2680: to=<[email protected]>, relay=local, delay=0.01, delays=0.01/0/0/0, dsn=5.1.1, status=bounced (unknown user: "test")
postfix/qmgr[1481]: BAC593B0000003A2680: removed

Certs in the template are set up as follows:

SSL Type: manual
Mount SSL Path: /mnt/user/appdata/NginxProxyManager/custom_ssl/
Key path: /etc/letsencrypt/domain.com.key
Cert Path: /etc/lesencrypt/domain.com.pem

This is where I store my Cloudflare-provided Edge certificates, which are in use by NPM, so they are valid.

Was not aware that any subdomains were required, as I thought that an A record pointing to my public IP, an MX record pointing to the A record and TXT records with SPF, DKIM and DMARC were enough. I do, however, have my A record proxied through Cloudflare; wondering if this could cause any issues. Would you be able to tell me what the subdomains are required for and what they would need to point to?

I thought that the ports on the firewall had to be routed due to NPM taking only HTTP and HTTPS requests. I see that you use webmail.domain.com for the IMAP and SMTP information in Thunderbird? How do you point it in NPM? I have a single cert, which I believe is either for the TLD or a wildcard.

I believe that I already did the DKIM config before, but have done so once again now just in case. However, I don't receive e-mails even internally. The hostname in the Docker template was set up correctly.

It seems the certificate-error warning in Thunderbird only appears the first time a mail is sent on the account.

EDIT: Just tested using a Thunderbird that is not running on the same host and I get a configuration issue.
Edited July 7, 2022 by Sulframus
Kulisch (Author) Posted July 13, 2022

At first, sorry for the late response.

On 7/7/2022 at 7:59 PM, Sulframus said:
Was not aware that any subdomains were required, as I thought that an A record pointing to my public IP, an MX record pointing to the A record and TXT records with SPF, DKIM and DMARC were enough.

As far as I know, the mail server checks the certificates every time. So it's necessary to have one certificate for every sub/domain which is configured.

On 7/7/2022 at 7:59 PM, Sulframus said:
Would you be able to tell me what the subdomains are required for and what they would need to point to?

Depends what you want. If your mail server should have the name mail.domain.com you need the following:

Name  Rec  TTL  Aux  Value
@     A    1h   0    123.123.123.123 (Public IP)
mail  A    1h   0    123.123.123.123 (Public IP)
@     MX   1h   0    domain.com

If you want webmail.domain.com instead of mail.domain.com or something else, you can change it as you wish. You will need the certificates for mail.domain.com and domain.com in this case. (Change the --hostname mail.domain.com in advanced view too.)

On 7/7/2022 at 7:59 PM, Sulframus said:
I thought that the ports on the firewall had to be routed due to NPM taking only HTTP and HTTPS requests. I see that you use webmail.domain.com for the IMAP and SMTP information in Thunderbird? How do you point it in NPM?

I guess by NPM you mean the Nginx Proxy Manager. If yes, I refer to the earlier posts here in the topic where the Nginx Proxy Manager is used to obtain certificates. I hope you don't make the same mistake and forward all the traffic for SMTP, IMAP and so on to the proxy. The ports must be forwarded to the mail server directly. I don't use the Nginx Proxy Manager, so I can't give you detailed instructions on how to get the certs and configure it. I'm using Swag to obtain Letsencrypt certs. Please read the previous posts here and maybe you find a solution.

Obtaining (Letsencrypt) certs:
On 4/30/2022 at 12:18 PM, Kulisch said:
As I see it, you can get the certificates through the NginxProxyManager via HTTP or DNS challenge. With the HTTP challenge, LE (Letsencrypt) makes the request exclusively over port 80. Therefore it is important that your router listens on port 80 and then forwards it to the port you configured for the application on the proxy.
LE -> HTTP 80 (TCP) -> 80:Router:11180 -> HTTP 11180 (TCP) -> NginxProxy (Custom or Unraid IP).

Configure certs for the mailserver:
On 4/29/2022 at 5:57 PM, Kulisch said:
There are several ways to set up SSL. I'm using Swag as a reverse proxy to get my Letsencrypt certificates. The certificates are saved in the following paths:
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/cert.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/privkey.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/chain.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/fullchain.pem
/mnt/user/appdata/swag/etc/letsencrypt/live/example.com/priv-fullchain-bundle.pem

That means I use letsencrypt as SSL_TYPE and Mount SSL Path:
Host path: /mnt/user/appdata/swag/etc/letsencrypt/
Container: /etc/letsencrypt/

It is important with the letsencrypt option that the domain is recognized in the directory name. The mail server checks for <example.com> or <mail.example.com> depending on what was configured. Something like:
/etc/letsencrypt/live/<example.com>/fullchain.pem
or
/etc/letsencrypt/live/<mail.example.com>/fullchain.pem

If this is not possible, then choose SSL_Type as manual. Then it is important to specify where the certificates are located in the container. The variables are already in "Show more settings ...":
1. Path: Mount SSL Path
   Host: /mnt/user/appdata/swag/etc/letsencrypt/
   Container: /etc/letsencrypt/
2. Environment Variables:
   SSL_Type = manual
   SSL_CERT_PATH = /etc/letsencrypt/live/example.com/fullchain.pem
   SSL_KEY_PATH = /etc/letsencrypt/live/example.com/privkey.pem
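A pre-flight check for the certificate and DNS layout described in the post above, as an added example (not code from the thread or from docker-mailserver). It encodes the rules stated there: with SSL_TYPE=letsencrypt the server looks under /etc/letsencrypt/live/<hostname or domain>/, with SSL_TYPE=manual it uses SSL_CERT_PATH and SSL_KEY_PATH, and both the container hostname and the MX target need an A record; the `exists` parameter and the record set are assumptions so the check runs outside the container.

```python
"""Pre-flight check for the DMS certificate and DNS settings described above.

Added example, not code from the thread or the docker-mailserver project.
`exists` is injectable so the check can run against the host-side mount
instead of inside the container; RECORDS is a constructed sample.
"""
import os

LIVE = "/etc/letsencrypt/live"

def candidate_cert_paths(ssl_type, hostname, env):
    """(cert, key) pairs in the order the server would look for them."""
    if ssl_type == "letsencrypt":
        # mail.example.com -> also try example.com, as the post describes
        domain = hostname.split(".", 1)[1] if hostname.count(".") > 1 else hostname
        names = [hostname] if domain == hostname else [hostname, domain]
        return [(f"{LIVE}/{n}/fullchain.pem", f"{LIVE}/{n}/privkey.pem") for n in names]
    if ssl_type == "manual":
        return [(env["SSL_CERT_PATH"], env["SSL_KEY_PATH"])]
    raise ValueError(f"unsupported SSL_TYPE {ssl_type!r}")

def check_certs(ssl_type, hostname, env, exists=os.path.isfile):
    """Return (ok, missing). The first complete pair wins; `missing` lists every
    path tried and not found, so a misspelled directory in SSL_CERT_PATH shows up."""
    missing = []
    for cert, key in candidate_cert_paths(ssl_type, hostname, env):
        absent = [p for p in (cert, key) if not exists(p)]
        if not absent:
            return True, []
        missing.extend(absent)
    return False, missing

def check_dns(records, hostname, domain):
    """records: (name, type, value) triples with fully qualified names.
    Returns the problems found; [] means the layout matches the table above."""
    a_names = {n for n, t, _ in records if t == "A"}
    mx_targets = [v for n, t, v in records if t == "MX" and n == domain]
    problems = []
    if hostname not in a_names:
        problems.append(f"no A record for the container hostname {hostname}")
    if not mx_targets:
        problems.append(f"no MX record for {domain}")
    for target in mx_targets:
        if target not in a_names:
            problems.append(f"MX target {target} has no A record")
    return problems

# Constructed record set following the post's table (@ = example.com).
RECORDS = [("example.com", "A", "123.123.123.123"),
           ("mail.example.com", "A", "123.123.123.123"),
           ("example.com", "MX", "example.com")]
```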
Sulframus Posted July 14, 2022

On 7/13/2022 at 10:04 AM, Kulisch said:
At first, sorry for the late response. As far as I know, the mail server checks the certificates every time. So it's necessary to have one certificate for every sub/domain which is configured. Depends what you want. If your mail server should have the name mail.domain.com you need the following:
Name  Rec  TTL  Aux  Value
@     A    1h   0    123.123.123.123 (Public IP)
mail  A    1h   0    123.123.123.123 (Public IP)
@     MX   1h   0    domain.com
If you want webmail.domain.com instead of mail.domain.com or something else, you can change it as you wish. You will need the certificates for mail.domain.com and domain.com in this case. (Change the --hostname mail.domain.com in advanced view too.) I guess by NPM you mean the Nginx Proxy Manager. If yes, I refer to the earlier posts here in the topic where the Nginx Proxy Manager is used to obtain certificates. I hope you don't make the same mistake and forward all the traffic for SMTP, IMAP and so on to the proxy. The ports must be forwarded to the mail server directly. I don't use the Nginx Proxy Manager, so I can't give you detailed instructions on how to get the certs and configure it. I'm using Swag to obtain Letsencrypt certs. Please read the previous posts here and maybe you find a solution.
Obtaining (Letsencrypt) certs:
Configure certs for the mailserver:

I think the response time is good for a forum, thank you! Unfortunately I am still having issues. I have decided to test with the least amount of security, just for testing purposes, to see if I will be able to get access to the mail server from a VPN connection. I don't use NPM for actually port forwarding any of the ports used for DMS; this is done by the router instead, which points to Unraid, where DMS is running. I have turned off the Cloudflare proxy for my A records and created them the same way that you mentioned. I have turned off SSL to avoid certificate issues.

I have recreated the mail accounts. Thunderbird finds the IMAP configuration, but after trying to log in it gets stuck on "checking password". Logs from DMS point to an account that isn't created, which is weird, as I added both [email protected] and [email protected]

Jul 14 18:43:22 domain postfix/submission/smtpd[1338]: connect from unknown[181.214.206.90]
Jul 14 18:43:22 domain postfix/submission/smtpd[1338]: improper command pipelining after EHLO from unknown[181.214.206.90]: QUIT\r\n
Jul 14 18:43:22 domain postfix/submission/smtpd[1338]: disconnect from unknown[181.214.206.90] ehlo=1 quit=1 commands=2
Jul 14 18:43:38 domain dovecot: auth: passwd-file(admin,181.214.206.90,<9qJ2msbjBBm11s5a>): unknown user (SHA1 of given password: 7c4a8d)
Jul 14 18:43:44 domain dovecot: auth: passwd-file(admin,181.214.206.90,<9qJ2msbjBBm11s5a>): unknown user (SHA1 of given password: 7c4a8d)
Jul 14 18:43:50 domain dovecot: auth: passwd-file(admin,181.214.206.90,<9qJ2msbjBBm11s5a>): unknown user (SHA1 of given password: 7c4a8d)
Jul 14 18:43:52 domain dovecot: imap-login: Disconnected (auth failed, 3 attempts in 14 secs): user=<admin>, method=PLAIN, rip=181.214.206.90, lip=172.19.0.20, session=<9qJ2msbjBBm11s5a>
Edited July 14, 2022 by Sulframus
Kulisch (Author) Posted July 15, 2022

Do you have a direct connection to the mail server or is something in between? Intrusion Prevention System (IPS), proxy, firewall? Make sure nothing in between is blocking any SMTP requests. DNS works, so there is no problem there.

Open the Docker console of DMS and list all accounts by using
setup email list

If the accounts you created are there, then change the password to 123456:
setup email update [email protected] 123456
setup email update [email protected] 123456

Or create a new account:
setup email add [email protected] 123456

And configure DKIM (change 'domain'):
setup.sh config dkim keysize 2048 domain 'domain.com'

If nothing works, try stopping the container, clean the whole paths from DMS in appdata (make sure to back up files you want to keep) and recreate (not restart) the container by changing something in the Docker template (add a space or something like that) and apply. Try to connect with the new credentials or the new account you have created.
Sulframus Posted July 15, 2022

8 hours ago, Kulisch said:
Do you have a direct connection to the mail server or is something in between? Intrusion Prevention System (IPS), proxy, firewall? Make sure nothing in between is blocking any SMTP requests.

I did have IPS on, disabled it now for testing, still no change. No firewall rules.

8 hours ago, Kulisch said:
If the accounts you created are there, then change the password to 123456

This was done multiple times during testing. They show up when doing "setup email list"; tried updating the passwords again to 123456, but still the same error message with unknown user appears.

8 hours ago, Kulisch said:
And configure DKIM (change 'domain')

Added it before, tried adding again. Tested with domain.com and mail.domain.com.

8 hours ago, Kulisch said:
If nothing works, try stopping the container, clean the whole paths from DMS in appdata (make sure to back up files you want to keep) and recreate (not restart) the container by changing something in the Docker template (add a space or something like that) and apply. Try to connect with the new credentials or the new account you have created.

Recreated the whole DMS docker, unfortunately still stuck on the same issue. Went through the "Troubleshooting" article on the DMS GitHub page. The only part relevant is what is shown in the Docker logs in Unraid anyway.