Koozali.org: home of the SME Server
Other Languages => Italiano => Topic started by: ello on August 26, 2022, 06:01:48 PM
-
Good evening everyone
I have just installed SME 10 and so far everything has gone well, but I ran into a problem with e-mail.
On the clients I use Thunderbird, which worked fairly well on the old SME 9.2; I say fairly because I was not receiving or sending on all of the Gmail accounts. The mail accounts are of the form user@nomeazienda.it and on the server the primary domain is nomeazienda.it.
On the newly installed server I still cannot send anything, and the error I get back is that Thunderbird cannot send because the certificate is self-signed.
I tried installing smeserver-letsencrypt, generated the new certificate and enabled production mode, but after a check on ssllab.com it still shows a self-signed certificate. I also tried sending and receiving e-mail from the Horde webmail without any result. Now, I don't know whether all the e-mail functionality depends on the certificate, but I would not want to be forced to put the old and by now obsolete SME 9.2 back into production. Thanks in advance for advice on how to solve this
Thanks
-
Ello,
year after year SSL will become more and more mandatory for anything.
First, Thunderbird and Firefox should have no problem using a self-signed cert after you accept to permanently add it.
Second, the Let's Encrypt cert generated with smeserver-dehydrated should be propagated to the apache, qpsmtpd, dovecot (imap and pop), proftpd, radius and ldap services.
If the self-signed certificate is still present, either you did not manage to obtain a certificate from Let's Encrypt or you had some custom-template in the way of the propagation of the certificate.
The most common issues in failing to get the cert are:
- port 80/443 not reachable
- .well-known folder in the Primary ibay has not been deleted
- all needed domains are configured to get the certificate on SME and their respective DNS are pointing to your server IP.
-
Follow the wiki. Enable test mode.
https://wiki.koozali.org/Letsencrypt#Enable_test_mode
Set letsencrypt status test and console-save.
Run dehydrated -c -x
Paste the output here.
Also paste
config show letsencrypt
cat /etc/dehydrated/domains.txt
-
Thank you very much for your help, but the main problem has changed: I did a test on MXToolBox and it appears that it cannot connect to the SMTP host. My ISP's DNS configuration is the one I had with SME 9.2 and it worked, so there is something wrong on my SMTP server; I'm browsing the configuration-related wikis without solving it.
Thanks
-
dehydrated -c -x
Processing studiogelda.it with alternative names: mail.studiogelda.it sme.studiogelda.it www.studiogelda.it
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 4 authorizations URLs from the CA
+ Handling authorization for sme.studiogelda.it
+ Handling authorization for www.studiogelda.it
+ Handling authorization for studiogelda.it
+ Handling authorization for mail.studiogelda.it
+ 4 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for sme.studiogelda.it authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:connection"
["error","detail"] "151.84.109.14: Fetching http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA: Timeout during connect (likely firewall problem)"
["error","status"] 400
["error"] {"type":"urn:ietf:params:acme:error:connection","detail":"151.84.109.14: Fetching http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA: Timeout during connect (likely firewall problem)","status":400}
["url"] "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/3447132374/3dPuqg"
["token"] "OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA"
["validationRecord",0,"url"] "http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA"
["validationRecord",0,"hostname"] "sme.studiogelda.it"
["validationRecord",0,"port"] "80"
["validationRecord",0,"addressesResolved",0] "151.84.109.14"
["validationRecord",0,"addressesResolved"] ["151.84.109.14"]
["validationRecord",0,"addressUsed"] "151.84.109.14"
["validationRecord",0] {"url":"http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA","hostname":"sme.studiogelda.it","port":"80","addressesResolved":["151.84.109.14"],"addressUsed":"151.84.109.14"}
["validationRecord"] [{"url":"http://sme.studiogelda.it/.well-known/acme-challenge/OESrSt_Pqrb5HDW9pNPIPMrh1Wgku9XD22YP0EZNQkA","hostname":"sme.studiogelda.it","port":"80","addressesResolved":["151.84.109.14"],"addressUsed":"151.84.109.14"}]
["validated"] "2022-08-27T19:02:07Z")
config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
configure=none
email=admin@studiogelda.it
hookScript=disabled
status=test
cat /etc/dehydrated/domains.txt
studiogelda.it mail.studiogelda.it sme.studiogelda.it www.studiogelda.it
-
The main problem (at the moment) is here:
...Timeout during connect...
Are you sure you have "forwarded" all the necessary ports from the modem?
-
The main problem (at the moment) is here: Are you sure you have "forwarded" all the necessary ports from the modem?
I would add: does your SME 10 use the same IP for your router as the SME 9 did? Looks like indeed a firewall issue: either ports are not pointing to the right server or are not open, or DNS has changed in case the IP is not static on the side of your ISP.
-
Thanks for your help
Are you sure you have "forwarded" all the necessary ports from the modem?
The ports I have opened are
80 tcp for http
80, 5060, 4569, 10000-20000 udp for asterisk
25, 587 smtp, smtps
33875 redirected to 3389 for remote desktop
443 for https
looks like indeed a firewall issue
my iptables -L
[root@sme ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
local_chk all -- anywhere anywhere
denylog all -- base-address.mcast.net/4 anywhere
denylog all -- anywhere base-address.mcast.net/4
InboundICMP icmp -- anywhere anywhere
denylog icmp -- anywhere anywhere
InboundTCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
denylog tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
InboundUDP udp -- anywhere anywhere
denylog udp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spts:bootps:bootpc
denylog all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
state_chk all -- anywhere anywhere
SMTPProxy tcp -- anywhere anywhere tcp dpt:smtp
local_chk all -- anywhere anywhere
ForwardedTCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
ForwardedUDP udp -- anywhere anywhere
denylog all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
denylog all -- base-address.mcast.net/4 anywhere
denylog all -- anywhere base-address.mcast.net/4
ACCEPT all -- anywhere anywhere
Chain ForwardedTCP (1 references)
target prot opt source destination
ForwardedTCP_15019 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain ForwardedTCP_15019 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere sme.studiogelda.it tcp dpt:smtp
ACCEPT tcp -- anywhere server-gelda2.studiogelda.it tcp dpt:3389
ACCEPT tcp -- anywhere sme.studiogelda.it tcp dpt:http
Chain ForwardedUDP (1 references)
target prot opt source destination
ForwardedUDP_15019 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain ForwardedUDP_15019 (1 references)
target prot opt source destination
ACCEPT udp -- anywhere pbx1.studiogelda.it udp dpts:10000:20000
ACCEPT udp -- anywhere pbx1.studiogelda.it udp dpt:4569
ACCEPT udp -- anywhere pbx1.studiogelda.it udp dpt:5060
ACCEPT udp -- anywhere pbx1.studiogelda.it udp dpt:http
Chain InboundICMP (1 references)
target prot opt source destination
InboundICMP_15019 all -- anywhere anywhere
denylog icmp -- anywhere anywhere
Chain InboundICMP_15019 (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
denylog all -- anywhere anywhere
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_15019 all -- anywhere anywhere
denylog tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
Chain InboundTCP_15019 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.0.6
REJECT tcp -- anywhere 192.168.0.6 tcp dpt:auth reject-with tcp-reset
ACCEPT tcp -- anywhere 192.168.0.6 tcp dpt:http
ACCEPT tcp -- anywhere 192.168.0.6 tcp dpt:imaps
ACCEPT tcp -- anywhere 192.168.0.6 tcp dpt:https
ACCEPT tcp -- anywhere 192.168.0.6 tcp dpt:smtp
ACCEPT tcp -- anywhere 192.168.0.6 tcp dpt:smtps
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:submission
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_15019 all -- anywhere anywhere
denylog udp -- anywhere anywhere
Chain InboundUDP_15019 (1 references)
target prot opt source destination
denylog all -- anywhere !192.168.0.6
Chain SMTPProxy (1 references)
target prot opt source destination
Chain SSH_Autoblock (0 references)
target prot opt source destination
SSH_Whitelist tcp -- anywhere anywhere tcp dpt:ssh state NEW
all -- anywhere anywhere recent: SET name: SSH side: source mask: 255.255.255.255
denylog all -- anywhere anywhere recent: CHECK seconds: 900 hit_count: 4 TTL-Match name: SSH side: source mask: 255.255.255.255
Chain SSH_Whitelist (1 references)
target prot opt source destination
SSH_Whitelist_15019 all -- anywhere anywhere
Chain SSH_Whitelist_15019 (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Chain denylog (18 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:router
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP tcp -- anywhere anywhere tcp dpts:netbios-ns:netbios-ssn
ULOG all -- anywhere anywhere ULOG copy_range 0 nlgroup 1 prefix "denylog:" queue_threshold 1
DROP all -- anywhere anywhere
Chain local_chk (2 references)
target prot opt source destination
local_chk_15019 all -- anywhere anywhere
Chain local_chk_15019 (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- 192.168.101.0/24 anywhere
Chain state_chk (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
-
Hi,
the issue is not the iptables, but rather the router in front of your SME.
Contrary to last time I tried, I am now able to access your http://sme.studiogelda.it/.well-known/acme-challenge
both with https and http.
Also I can see that you still have the self-signed cert, and see you are in Server Gateway mode with 2 Class C private IPs.
I would say that from now dehydrated -c should work.
Be careful to only enable
- studiogelda.it
- sme.studiogelda.it
- www.studiogelda.it
mail.studiogelda.it (listed in your try) will currently fail as it is not pointing toward your IP; same thing I see for your other defined domains/hosts: ftp.studiogelda.it, pbx1.studiogelda.it, proxy.studiogelda.it, serv-gelda2.studiogelda.it, wpad.studiogelda.it
Either you add a DNS entry at your DNS provider for mail.studiogelda.it
or you do
/sbin/e-smith/db hosts setprop mail.studiogelda.it letsencryptSSLcert disabled
expand-template /etc/dehydrated/domains.txt
dehydrated -c
Then if it works, you can change your status from test to enabled to get the real cert.
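The check the reply above performs by hand (which names in domains.txt actually resolve to the server's public IP, and which should be dropped before dehydrated -c) as an added Python example; it is not SME Server or dehydrated code. The resolver is injectable so it runs offline against a constructed name-to-IP table (the real thread IP 151.84.109.14 plus a documentation address for the failing host); with the default resolve_a it queries real DNS.

```python
# Added example (not SME Server or dehydrated code): pre-flight check of dehydrated's
# domains.txt, reporting which names do not resolve to the server's public IP and so
# would fail http-01. `resolve` is injectable to run offline against a constructed table.
import socket
from typing import Callable, Dict, List

def parse_domains_txt(text: str) -> List[List[str]]:
    """One cert per line: CN first, then SANs. Blank lines and '#' comments skipped."""
    certs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            certs.append(line.split())
    return certs

def resolve_a(name: str) -> List[str]:
    """Default resolver: the IPv4 addresses the system resolver returns for name."""
    try:
        infos = socket.getaddrinfo(name, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def preflight(domains_txt: str, public_ip: str,
              resolve: Callable[[str], List[str]] = resolve_a) -> Dict[str, str]:
    """Return {name: 'ok' | 'no-record' | 'points-to <ip,...>'} for every name."""
    report = {}
    for names in parse_domains_txt(domains_txt):
        for name in names:
            addrs = resolve(name)
            if not addrs:
                report[name] = "no-record"
            elif public_ip in addrs:
                report[name] = "ok"
            else:
                report[name] = "points-to " + ",".join(addrs)
    return report

def fix_commands(report: Dict[str, str]) -> List[str]:
    """SME Server commands from the thread that drop names which would fail."""
    cmds = [f"/sbin/e-smith/db hosts setprop {n} letsencryptSSLcert disabled"
            for n, status in report.items() if status != "ok"]
    if cmds:
        cmds += ["expand-template /etc/dehydrated/domains.txt", "dehydrated -c"]
    return cmds

# Constructed sample mirroring the thread; 203.0.113.7 is a documentation address.
SAMPLE_DOMAINS_TXT = "studiogelda.it mail.studiogelda.it sme.studiogelda.it www.studiogelda.it\n"
SAMPLE_DNS = {"studiogelda.it": ["151.84.109.14"], "sme.studiogelda.it": ["151.84.109.14"],
              "www.studiogelda.it": ["151.84.109.14"], "mail.studiogelda.it": ["203.0.113.7"]}
SAMPLE_REPORT = preflight(SAMPLE_DOMAINS_TXT, "151.84.109.14", lambda n: SAMPLE_DNS.get(n, []))
```

SAMPLE_REPORT holds the result for the constructed table; on the real server, read /etc/dehydrated/domains.txt and leave resolve at its default to query live DNS.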
-
Good morning
Actually it was a port problem. I can't explain why: from the port forwarding panel of server-manager I deleted all the settings and rewrote them again without changing anything, and it worked. I sincerely thank you for the help received; it was fundamental.
-
You do not need to forward ports to the SME server itself.
Default ports for known services are open to the web unless you used private server as the install mode. If so, by adding port redirection you defeat other measures to control traffic.
What gives:
config getprop httpd-e-smith access
config get SystemMode
-
Good morning
[root@sme Primary]# config getprop httpd-e-smith access
public
[root@sme Primary]# config get SystemMode
servergateway
I am trying to set up e-mail and got bogged down on DKIM. I followed the instructions given by the wiki and created the three DNS records for SPF, DKIM and DMARC more than 24 hours ago; I tried both with the t=y at the end of the public key and without, and the result is always the same. Analyzing the e-mail headers I obtain this:
Authentication-Results: mx.google.com;
dkim=temperror (no key for signature) header.i=@studiogelda.it header.s=default header.b=RCB8If35;
spf=pass (google.com: best guess record for domain of teresa@studiogelda.it designates 151.84.109.14 as permitted sender) smtp.mailfrom=teresa@studiogelda.it
-
Because there is no DKIM key entered
dig TXT default._domainkey.studiogelda.it
;; QUESTION SECTION:
;default._domainkey.studiogelda.it. IN TXT
Check the procedure with your DNS provider to enter a string longer than 255 characters.
Also your _dmarc is empty.
Check what to put using the qpsmtpd-print-dns command.
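The 255-character limit the last reply refers to is the DNS TXT character-string limit: a DKIM public key record is longer than that and must be published as several quoted strings that resolvers concatenate. The added Python example below (not SME Server or qpsmtpd-print-dns code) builds such a record, reassembles it as a verifier does, and flags the defects that produce dkim=temperror (no key for signature); the key is a constructed placeholder of realistic length, not a real key.

```python
# Added example (not SME Server or qpsmtpd-print-dns code): build the DKIM TXT record
# split into <=255-octet strings, reassemble it as a verifier does, and flag the
# problems behind "no key for signature". The key is a constructed placeholder.
import base64
from typing import Dict, List

MAX_STRING = 255  # RFC 1035: each <character-string> in a TXT RR holds at most 255 octets

def split_txt(value: str) -> List[str]:
    """Cut a long TXT value into <=255-octet pieces; no separator is added."""
    return [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]

def zone_line(owner: str, value: str) -> str:
    """Zone-file form: one TXT RR whose rdata is several quoted strings."""
    return f"{owner}. IN TXT " + " ".join(f'"{s}"' for s in split_txt(value))

def join_txt(strings: List[str]) -> str:
    """Receiver side: concatenate the strings before parsing (RFC 6376 3.6.2.2)."""
    return "".join(strings)

def parse_dkim(record: str) -> Dict[str, str]:
    """tag=value pairs separated by ';' (RFC 6376 tag-list), whitespace ignored."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags

def check_dkim(record: str) -> List[str]:
    """Findings that would make a verifier reject or distrust the key; [] is clean."""
    findings, tags = [], parse_dkim(record)
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("v= must be DKIM1 when present")
    if tags.get("k", "rsa") != "rsa":
        findings.append("k= is not rsa")
    if not tags.get("p"):
        findings.append("p= missing or empty: key revoked / not published")
    else:
        try:
            base64.b64decode(tags["p"], validate=True)
        except ValueError:
            findings.append("p= is not valid base64 (truncated or wrapped record?)")
    if tags.get("t") == "y":
        findings.append("t=y: testing flag, does not change key lookup")
    return findings

# Constructed placeholder key of realistic length (684 base64 chars), not a real key.
FAKE_KEY = base64.b64encode(bytes(range(256)) * 2).decode()
SAMPLE_RECORD = "v=DKIM1; k=rsa; p=" + FAKE_KEY
SAMPLE_ZONE_LINE = zone_line("default._domainkey.studiogelda.it", SAMPLE_RECORD)
```

To check a published record, feed the quoted strings returned by dig TXT to join_txt and then to check_dkim; an empty answer section, as in the reply above, means the record is simply absent.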