!RJFCFtixHgPhzacdhW:tedomum.net

Mailu

1218 Members, 178 Servers
Discussion about the Mailu mail server distribution https://mailu.io - feel free to ask for user support in this room -- See #mailu-dev:tedomum.net for dev discussions on the main project -- See #mailu-helm-chart:make-it.fr for dev discussions on the mailu kubernetes project -- Project-Meeting-Notes: https://github.com/Mailu/Mailu/issues/1582



17 May 2024
@io-element-95:matrix.org (IO)
In reply to @neo:shdw.fr
Found it - the destination folder has been moved... Probably a result from me fixing things after my cat jumped on my keyboard and hitting random keys while inside thunderbird ... sigh 🧐
ALWAYS - lock your computer when you stand up from the keyboard
12:46:07
@io-element-95:matrix.org (IO)
In reply to @neo:shdw.fr
* I ALWAYS lock my computer when I am not at the keyboard
12:46:47
@neo:shdw.fr (Haley)
I always lock my computer too, especially since I have 2 cats. But sometimes you don't expect them to jump onto the keyboard, even if you're just there :) Just one hit is enough ;)
12:48:16
@io-element-95:matrix.org (IO)
By the way, I am still interested to hear how people that installed mailu handled the email encryption on disk. I am on k3s, so my emails are on the dovecot pod's disk, which needs encryption.
12:53:51
@neo:shdw.fr (Haley)
I had used, back in time, a tool called Pigeonhole. But since moving to Mailu, I stopped using it.
13:59:32
18 May 2024
@saladcesar:matrix.org (saladcesar)
Hi, I am having a problem with Mailu and I can't find my way around it. I want to use Mailu behind a reverse proxy, and I want to have my emails encrypted with a cert. So I want to use the mail-letsencrypt TLS flavor. For letsencrypt inside mailu to work, it needs to access the mailudomain.com/.well-known subpath. The problem is that my reverse proxy also has certbot, meaning the subpath .well-known is not passed to the proxied application, as it needs it to get its own certificates. I think that is a problem that most people wanting to use Mailu behind a reverse proxy encounter (as most reverse proxies with auto certs like Caddy would have this problem). So my question is: how can I get around this? How do people typically reverse proxy Mailu with the mail-letsencrypt TLS flavor? Thanks in advance for any answer, have a nice day.
00:19:45
@saladcesar:matrix.org (saladcesar)
I have read https://mailu.io/2.0/reverse.html and I am surprised it is not explained.
00:23:00
@saladcesar:matrix.org (saladcesar)
So I am very curious about how people do in similar cases, any answer is welcome, have a nice day.
00:24:00
@saladcesar:matrix.org (saladcesar)
* Hi, I am having a problem with Mailu and I can't find my way around it. I want to use Mailu behind a reverse proxy, and I want to have my emails encrypted with a cert. So I want to use the mail-letsencrypt TLS flavor. For letsencrypt inside mailu to work, it needs to access the mailudomain.com/.well-known subpath. The problem is that my reverse proxy also has certbot, meaning the subpath .well-known is not passed to the proxied application, as it needs it to get its own certificates. So the letsencrypt challenge fails. I don't understand how this TLS flavor is supposed to be used. I think that is a problem that most people wanting to use Mailu behind a reverse proxy encounter (as most reverse proxies with auto certs like Caddy would have this problem). So my question is: how can I get around this? How do people typically reverse proxy Mailu with the mail-letsencrypt TLS flavor? Thanks in advance for any answer, have a nice day.
00:26:47
@neo:shdw.fr (Haley)
I use the DNS validation of the cert. Bypasses all proxy/reverse validation stuff.
08:03:23
@sistason:asra.gr (Kai/Sistason [they/them])
In reply to @saladcesar:matrix.org
Hi, I am having a problem with Mailu and I can't find my way around it. I want to use Mailu behind a reverse proxy, and I want to have my emails encrypted with a cert. So I want to use the mail-letsencrypt TLS flavor. For letsencrypt inside mailu to work, it needs to access the mailudomain.com/.well-known subpath. The problem is that my reverse proxy also has certbot, meaning the subpath .well-known is not passed to the proxied application, as it needs it to get its own certificates. So the letsencrypt challenge fails. I don't understand how this TLS flavor is supposed to be used. I think that is a problem that most people wanting to use Mailu behind a reverse proxy encounter (as most reverse proxies with auto certs like Caddy would have this problem). So my question is: how can I get around this? How do people typically reverse proxy Mailu with the mail-letsencrypt TLS flavor? Thanks in advance for any answer, have a nice day.

Don't think mail-letsencrypt AND a reverse proxy is common, as the reverse proxy can usually do LE way easier since it's "in front".

It's easier to let the reverse proxy do the certificate, export/mount it into mailu /certs and make sure you only start mailu after the cert is there.

11:55:08
@saladcesar:matrix.org (saladcesar)
In reply to @sistason:asra.gr

Don't think mail-letsencrypt AND a reverse proxy is common, as the reverse proxy can usually do LE way easier since it's "in front".

It's easier to let the reverse proxy do the certificate, export/mount it into mailu /certs and make sure you only start mailu after the cert is there.

Good idea, I didn't think of that. The problem is that my email domain is mydomain.com, where I want the web UI to be accessible at mail.mydomain.com. So does the certificate need to match mydomain.com or mail.mydomain.com? Do the hostnames I have set up have an impact on what it expects for the certificate?
12:09:21
@sistason:asra.gr (Kai/Sistason [they/them])
In reply to @sistason:asra.gr
No, I use DOMAIN=$domain and point mail.$domain to the front container. This cert I insert via /certs, and all names I put into that cert I can also use for mail. I use mail.$domain for the front container and also generate mx/smtp/imap.$domain as SANs certificate names, so I can use them to connect to imap.$domain, as I find that more clean.

So just set your domain normally and then generate subdomain certs as you like for all mail components.
☝️
12:44:25
@saladcesar:matrix.org (saladcesar)
In reply to @sistason:asra.gr
☝️
If I understand correctly, you mean that the subdomain the cert was created for doesn't matter and that it can be used for mail no matter if the web UI is on another subdomain, right?
13:36:20
@saladcesar:matrix.org (saladcesar)
Also, what have you set in the HOSTNAMES env variable? mydomain.com or mail.mydomain.com?
13:36:44
@saladcesar:matrix.org (saladcesar)
Also, what is a SANS certificate? Did you mean CNAME?
13:52:23
@sistason:asra.gr (Kai/Sistason [they/them])
HOSTNAMES does contain the FQDN of the server, unsure if this (unknowingly) impacts anything here. I created a cert for mail.$domain for the UI and this cert contains additional subdomains (dunno, traefik calls them "sans"). These additional subdomains get used by mailu for smtp/imap crypto. You could as well only generate the subdomains in a second cert, if your reverse proxy handles https itself so mailu does not need the UI certificate.
15:03:58
20 May 2024
@saladcesar:matrix.org (saladcesar)
In reply to @sistason:asra.gr
HOSTNAMES does contain the FQDN of the server, unsure if this (unknowingly) impacts anything here.
I created a cert for mail.$domain for the UI and this cert contains additional subdomains (dunno, traefik calls them "sans"). These additional subdomains get used by mailu for smtp/imap crypto.
You could as well only generate the subdomains in a second cert, if your reverse proxy handles https itself so mailu does not need the UI certificate.
Hi again. I tried doing as you suggested, using the mail TLS flavor and mounting to the mailu containers a cert generated by my reverse proxy. The cert was generated for a domain matching the domain of mailu. But that doesn't work. Mailu correctly picks and uses this cert, but some clients have trouble connecting, with the error "certificate signed by unknown authority". I ran an SSL test for my mail server and I am having the following errors:
19:00:46
@saladcesar:matrix.org (saladcesar)
[attachment: image.png]
19:01:18
@saladcesar:matrix.org (saladcesar)
This does not happen with the certs for another web app I have.
19:01:55
@saladcesar:matrix.org (saladcesar)
[attachment: image.png]
19:02:00
@saladcesar:matrix.org (saladcesar)
Would you have an idea why I have these errors? Unknown authority seems to be the main one causing trouble. What is strange is that it is generated the same way as all my other certs.
19:02:38
@saladcesar:matrix.org (saladcesar)
Found the solution! There were indeed 2 problems. For the "Hostname mismatch", it was because, as I have set HOSTNAMES=mail.mydomain.com, the MX record in my DNS was redirecting to mail.mydomain.com. But the certificate was generated for mydomain.com, which is the value of my email domain. Then, for the unknown authority, the problem is that I was giving mailu the cert.pem. I had to give it the fullchain.pem, which also includes the authority.
19:49:25
@saladcesar:matrix.org (saladcesar)
* But I still have a question about that HOSTNAMES setting. I am still unsure if I should set mail.mydomain.com or mydomain.com. DOMAIN should stay mydomain.com as I want my users to be @mydomain.com and not @mail.mydomain.com. But with HOSTNAMES=mail.mydomain.com, the DNS entries mailu gives are for example:

mydomain.com. 600 IN MX 10 mail.mydomain.com.
mydomain.com. 600 IN TXT "v=spf1 mx a:mail.mydomain.com ~all"
dkim._domainkey.mydomain.com. 600 IN TXT "v=DKIM1; k=rsa; p=REDACTED"
_dmarc.mydomain.com. 600 IN TXT "v=DMARC1; p=reject; rua=mailto:admin@mydomain.com; ruf=mailto:admin@mydomain.com; adkim=s; aspf=s"
mydomain.com._report._dmarc.mydomain.com. 600 IN TXT "v=DMARC1;"
_submission._tcp.mydomain.com. 600 IN SRV 20 1 587 mail.mydomain.com.
_autodiscover._tcp.mydomain.com. 600 IN SRV 10 1 443 mail.mydomain.com.
_imaps._tcp.mydomain.com. 600 IN SRV 10 1 993 mail.mydomain.com.
autoconfig.mydomain.com. 600 IN CNAME mail.mydomain.com.

Clearly at least the MX is wrong as it leads to that hostname mismatch error. But I am unsure about the rest, which ones should lead to mydomain.com and which ones should lead to mail.mydomain.com. If anyone has answers on that, I'm very interested.

19:54:00
21 May 2024
@sistason:asra.gr (Kai/Sistason [they/them])

Looks correct to me.
domain contains dmarc/mx, everything leads to mail.domain.

Your cert should be only for mail.domain, so there should be no mismatch.

01:02:32
@neo:shdw.fr (Haley)
Alternative is to use a wildcard cert for a wildcard domain.
06:05:03
