Koozali.org: home of the SME Server

new certificate

ello
new certificate
« on: August 26, 2022, 06:01:48 PM »
Good evening everyone,
I have just installed SME 10 and so far everything has gone well, but I ran into a problem with e-mail.
On the clients I use Thunderbird, which worked fairly well on the old SME 9.2; I say fairly because I could not receive or send on all the Gmail accounts. The mail accounts are of the form user@nomeazienda.it and on the server the primary domain is nomeazienda.it.
On the newly installed server I still cannot send anything, and the error I get back is that Thunderbird cannot send because the certificate is self-signed.
I tried installing smeserver-letsencrypt, generated the new certificate and enabled production mode, but after a check on ssllab.com it still reports a self-signed certificate. I also tried sending and receiving e-mail from the Horde webmail with no result at all. Now I don't know whether all the e-mail functionality depends on the certificate, but I would not like to be forced to put the old and by now obsolete SME 9.2 back into production. Thanks in advance for advice on how to fix this.
Thanks

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: new certificate
« Reply #1 on: August 26, 2022, 11:05:27 PM »
Ello,

Year after year, SSL becomes more and more mandatory for everything.

First, Thunderbird and Firefox should have no problem using a self-signed cert after you accept to permanently add it.


Second, the Let's Encrypt cert generated with smeserver-dehydrated should be propagated to the apache, qpsmtpd, dovecot (imap and pop), proftpd, radius and ldap services.

If a self-signed certificate is still present, either you did not manage to obtain a certificate from Let's Encrypt or you had some custom template in the way of the propagation of the certificate.

The most common issues in failing to get the cert are:
- port 80/443 not reachable
- .well-known folder in the Primary ibay has not been deleted
- all needed domains are configured to get the certificate on SME and their respective DNS are pointing to your server IP.


ReetP
Re: new certificate
« Reply #2 on: August 27, 2022, 04:42:21 PM »
Follow the wiki. Enable test mode.

https://wiki.koozali.org/Letsencrypt#Enable_test_mode

Set letsencrypt status test and console-save.

Run dehydrated -c -x

Paste the output here.

Also paste
config show letsencrypt
cat /etc/dehydrated/domains.txt
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

ello
Re: new certificate
« Reply #3 on: August 27, 2022, 06:29:11 PM »
Thank you very much for your help, but the main problem has changed: I did a test on MXToolBox and it appears that it cannot connect to the SMTP host. My ISP's DNS configuration is the one I had with SME 9.2 and it worked, so there is something wrong on my SMTP server. I'm browsing the configuration-related wikis without solving it.

thanks

ello
Re: new certificate
« Reply #4 on: August 27, 2022, 09:05:18 PM »
dehydrated -c -x

Processing studiogelda.it with alternative names: mail.studiogelda.it sme.studiogelda.it www.studiogelda.it
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 4 authorizations URLs from the CA
 + Handling authorization for sme.studiogelda.it
 + Handling authorization for www.studiogelda.it
 + Handling authorization for studiogelda.it
 + Handling authorization for mail.studiogelda.it
 + 4 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for sme.studiogelda.it authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:connection"
["error","detail"]      "151.84.109.14: Fetching http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA: Timeout during connect (likely firewall problem)"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:connection","detail":"151.84.109.14: Fetching http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA: Timeout during connect (likely firewall problem)","status":400}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3447132374/3dPuqg"
["token"]       "OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA"
["validationRecord",0,"url"]    "http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA"
["validationRecord",0,"hostname"]       "sme.studiogelda.it"
["validationRecord",0,"port"]   "80"
["validationRecord",0,"addressesResolved",0]    "151.84.109.14"
["validationRecord",0,"addressesResolved"]      ["151.84.109.14"]
["validationRecord",0,"addressUsed"]    "151.84.109.14"
["validationRecord",0]  {"url":"http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA","hostname":"sme.studiogelda.it","port":"80","addressesResolved":["151.84.109.14"],"addressUsed":"151.84.109.14"}
["validationRecord"]    [{"url":"http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA","hostname":"sme.studiogelda.it","port":"80","addressesResolved":["151.84.109.14"],"addressUsed":"151.84.109.14"}]
["validated"]   "2022-08-27T19:02:07Z")

config show letsencrypt

letsencrypt=service
    ACCEPT_TERMS=yes
    configure=none
    email=admin@studiogelda.it
    hookScript=disabled
    status=test

cat /etc/dehydrated/domains.txt

studiogelda.it mail.studiogelda.it sme.studiogelda.it www.studiogelda.it




Fumetto
Re: new certificate
« Reply #5 on: August 27, 2022, 11:05:14 PM »
The main problem (at the moment) is here:
Quote
...Timeout during connect...
Are you sure you have forwarded all the necessary ports from the modem?
Smeserver.it - Solutions and support for SME Server in Italy

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: new certificate
« Reply #6 on: August 28, 2022, 01:49:56 AM »
Quote
The main problem (at the moment) is here: Are you sure you have forwarded all the necessary ports from the modem?

I would add: does your SME 10 use the same IP for your router as the SME 9 did? It looks like indeed a firewall issue: either the ports are not pointing to the right server or are not open, or the DNS has changed in case the IP is not static on your ISP's side.

ello
Re: new certificate
« Reply #7 on: August 28, 2022, 02:30:55 PM »
thanks for your help

Quote
Are you sure you have forwarded all the necessary ports from the modem?
The ports I have opened are
80 tcp for http
80, 5060, 4569, 10000-20000 udp for Asterisk
25, 587 smtp, smtps
33875 redirected to 3389 for remote desktop
443 for https

Quote
looks like indeed a firewall issue
my iptables -L
Quote
[root@sme ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
state_chk  all  --  anywhere             anywhere
local_chk  all  --  anywhere             anywhere
denylog    all  --  base-address.mcast.net/4  anywhere
denylog    all  --  anywhere             base-address.mcast.net/4
InboundICMP  icmp --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere
InboundTCP  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
denylog    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
InboundUDP  udp  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc
denylog    all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
state_chk  all  --  anywhere             anywhere
SMTPProxy  tcp  --  anywhere             anywhere             tcp dpt:smtp
local_chk  all  --  anywhere             anywhere
ForwardedTCP  tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN
ForwardedUDP  udp  --  anywhere             anywhere
denylog    all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
denylog    all  --  base-address.mcast.net/4  anywhere
denylog    all  --  anywhere             base-address.mcast.net/4
ACCEPT     all  --  anywhere             anywhere

Chain ForwardedTCP (1 references)
target     prot opt source               destination
ForwardedTCP_15019  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN

Chain ForwardedTCP_15019 (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             sme.studiogelda.it   tcp dpt:smtp
ACCEPT     tcp  --  anywhere             server-gelda2.studiogelda.it  tcp dpt:3389
ACCEPT     tcp  --  anywhere             sme.studiogelda.it   tcp dpt:http

Chain ForwardedUDP (1 references)
target     prot opt source               destination
ForwardedUDP_15019  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain ForwardedUDP_15019 (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             pbx1.studiogelda.it  udp dpts:10000:20000
ACCEPT     udp  --  anywhere             pbx1.studiogelda.it  udp dpt:4569
ACCEPT     udp  --  anywhere             pbx1.studiogelda.it  udp dpt:5060
ACCEPT     udp  --  anywhere             pbx1.studiogelda.it  udp dpt:http

Chain InboundICMP (1 references)
target     prot opt source               destination
InboundICMP_15019  all  --  anywhere             anywhere
denylog    icmp --  anywhere             anywhere

Chain InboundICMP_15019 (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
denylog    all  --  anywhere             anywhere

Chain InboundTCP (1 references)
target     prot opt source               destination
InboundTCP_15019  all  --  anywhere             anywhere
denylog    tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,ACK/SYN

Chain InboundTCP_15019 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !192.168.0.6
REJECT     tcp  --  anywhere             192.168.0.6          tcp dpt:auth reject-with tcp-reset
ACCEPT     tcp  --  anywhere             192.168.0.6          tcp dpt:http
ACCEPT     tcp  --  anywhere             192.168.0.6          tcp dpt:imaps
ACCEPT     tcp  --  anywhere             192.168.0.6          tcp dpt:https
ACCEPT     tcp  --  anywhere             192.168.0.6          tcp dpt:smtp
ACCEPT     tcp  --  anywhere             192.168.0.6          tcp dpt:smtps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission

Chain InboundUDP (1 references)
target     prot opt source               destination
InboundUDP_15019  all  --  anywhere             anywhere
denylog    udp  --  anywhere             anywhere

Chain InboundUDP_15019 (1 references)
target     prot opt source               destination
denylog    all  --  anywhere            !192.168.0.6

Chain SMTPProxy (1 references)
target     prot opt source               destination

Chain SSH_Autoblock (0 references)
target     prot opt source               destination
SSH_Whitelist  tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
           all  --  anywhere             anywhere             recent: SET name: SSH side: source mask: 255.255.255.255
denylog    all  --  anywhere             anywhere             recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source mask: 255.255.255.255

Chain SSH_Whitelist (1 references)
target     prot opt source               destination
SSH_Whitelist_15019  all  --  anywhere             anywhere

Chain SSH_Whitelist_15019 (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain denylog (18 references)
target     prot opt source               destination
DROP       udp  --  anywhere             anywhere             udp dpt:router
DROP       udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
DROP       tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn
ULOG       all  --  anywhere             anywhere             ULOG copy_range 0 nlgroup 1 prefix "denylog:" queue_threshold 1
DROP       all  --  anywhere             anywhere

Chain local_chk (2 references)
target     prot opt source               destination
local_chk_15019  all  --  anywhere             anywhere

Chain local_chk_15019 (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  192.168.101.0/24     anywhere

Chain state_chk (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: new certificate
« Reply #8 on: August 28, 2022, 09:01:29 PM »
Hi,

The issue is not iptables, but rather the router in front of your SME.
Contrary to last time I tried, I am now able to access your http://sme.studiogelda.it/.well-known/acme-challenge
both with https and http

Also I can see that you still have the self-signed cert, and see that you are in Server Gateway mode with 2 Class C private IPs.

I would say that from now on dehydrated -c should work.

Be careful to only enable
- studiogelda.it
- sme.studiogelda.it
- www.studiogelda.it

mail.studiogelda.it (listed in your try) will currently fail as it is not pointing toward your IP; same thing I see for your other defined domains/hosts: ftp.studiogelda.it, pbx1.studiogelda.it, proxy.studiogelda.it, serv-gelda2.studiogelda.it, wpad.studiogelda.it

Either you add a DNS entry at your DNS provider for mail.studiogelda.it,
or you do

/sbin/e-smith/db hosts setprop mail.studiogelda.it letsencryptSSLcert disabled
expand-template /etc/dehydrated/domains.txt
dehydrated -c

Then if it works, you can change your status from test to enabled to get the real cert.

ello
Re: new certificate
« Reply #9 on: August 29, 2022, 01:19:55 PM »
Good morning
It was indeed a port problem; I cannot explain why. From the port forwarding panel of the server-manager I deleted all the settings and rewrote them again without changing anything, and it worked. I sincerely thank you for the help received; it was fundamental.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: new certificate
« Reply #10 on: August 29, 2022, 01:39:50 PM »
You do not need to forward ports to the SME server itself.

Default ports for known services are open to the web unless you used private server as install mode. If so, by adding port redirection you defeat other measures to control traffic.

What gives:
config getprop httpd-e-smith access
config get SystemMode

ello
Re: new certificate
« Reply #11 on: August 30, 2022, 10:51:13 AM »
good morning

Quote
[root@sme Primary]# config  getprop httpd-e-smith access
public
[root@sme Primary]# config get SystemMode
servergateway

I am trying to set up e-mail and got bogged down on DKIM. I followed the instructions given by the wiki and created the three DNS records for SPF, DKIM and DMARC more than 24 hours ago; I tried both with the t=y at the end of the public key and without, and the result is always the same. Analyzing the e-mail headers I get this:


Quote
Authentication-Results: mx.google.com;
       dkim=temperror (no key for signature) header.i=@studiogelda.it header.s=default header.b=RCB8If35;
       spf=pass (google.com: best guess record for domain of teresa@studiogelda.it designates 151.84.109.14 as permitted sender) smtp.mailfrom=teresa@studiogelda.it

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: new certificate
« Reply #12 on: August 30, 2022, 12:52:10 PM »
Because there is no DKIM key entered.

dig TXT default._domainkey.studiogelda.it

;; QUESTION SECTION:
;default._domainkey.studiogelda.it. IN  TXT

Check the procedure with your DNS provider to enter a string longer than 255 characters.

Also your _dmarc is empty.


Check what to put using the qpsmtpd-print-dns command.
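A small checker for the DKIM point in the last reply, added here as an example and not code from the thread or from SME Server: it splits a long DKIM TXT value into the 255-octet strings a DNS provider form needs, and parses back what a resolver returns at the selector name (default._domainkey.<domain>, matching header.s=default in the quoted Authentication-Results). The key string is a constructed placeholder, not a real key.

```python
MAX_TXT_STRING = 255  # RFC 1035: each <character-string> in TXT RDATA holds at most 255 octets

# Constructed placeholder standing in for a 2048-bit RSA public key (not a real key).
FAKE_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "x" * 350
RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY   # 412 characters: too long for a single string


def dkim_record_name(selector: str, domain: str) -> str:
    """TXT owner name a verifier queries, e.g. default._domainkey.example.com."""
    return "%s._domainkey.%s" % (selector, domain)


def split_txt_record(value: str) -> list:
    """Cut a long TXT value into <=255-octet strings.

    A provider form that accepts one string truncates or refuses a 2048-bit key;
    entering the value as several quoted strings is what makes the record
    resolvable, because resolvers concatenate the strings again."""
    data = value.encode("ascii")
    return [data[i:i + MAX_TXT_STRING].decode("ascii")
            for i in range(0, len(data), MAX_TXT_STRING)]


def zone_file_line(name: str, value: str) -> str:
    """Zone-file form of the record, one quoted string per chunk."""
    quoted = " ".join('"%s"' % chunk for chunk in split_txt_record(value))
    return "%s. IN TXT ( %s )" % (name, quoted)


def parse_dkim_record(strings) -> dict:
    """Reassemble the strings of a TXT answer and parse the RFC 6376 tag=value list."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)   # split on the first '=' only; base64 padding may follow
            tags[key.strip()] = val.strip()
    return tags


def diagnose_selector(strings) -> str:
    """Verdict for what a resolver returned at the selector name."""
    if not strings:
        return "no key: nothing published at the selector name"
    tags = parse_dkim_record(strings)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "permerror: unexpected v= tag"
    if not tags.get("p"):
        return "permerror: p= tag empty or missing (revoked, or key truncated on entry)"
    if "y" in tags.get("t", ""):
        return "pass (testing mode t=y)"
    return "pass"


if __name__ == "__main__":
    print(zone_file_line(dkim_record_name("default", "studiogelda.it"), RECORD))
    print(diagnose_selector(split_txt_record(RECORD)))
    print(diagnose_selector([]))
```

Feed `diagnose_selector` the strings from `dig TXT default._domainkey.<domain>` to see whether the published record parses to a usable p= tag.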