Koozali.org: home of the SME Server

Recent Posts

Pages: 1 ... 7 8 [9] 10
81
Koozali SME Server 11.x / Re: Letsencrypt panel is looking great!
« Last post by Knuddi on August 21, 2025, 07:37:23 PM »
What ought to be the content of /var/service/qpsmtpd/ssl/cert.pem is a merge of privkey, cert and chain.pem, but it is the self-signed certificate. ModSSL has been configured:

[root@mail dehydrated]# config show modSSL
modSSL=configuration
    CertificateChainFile=/etc/dehydrated/certs/swerts-knudsen.dk/chain.pem
    TCPPort=443
    access=public
    crt=/etc/dehydrated/certs/swerts-knudsen.dk/cert.pem
    key=/etc/dehydrated/certs/swerts-knudsen.dk/privkey.pem
    status=enabled

Running "signal-event email-update" and/or "signal-event ssl-update" does not update the qpsmtpd certificate file.

So here is the start of a hack that ought to be expanded by the Let's Encrypt integration:

# Build the combined PEM qpsmtpd reads: private key first, then the leaf certificate, then the chain
cp /etc/dehydrated/certs/<primary domain>/privkey.pem /var/service/qpsmtpd/ssl/cert.pem
cat /etc/dehydrated/certs/<primary domain>/cert.pem >> /var/service/qpsmtpd/ssl/cert.pem
cat /etc/dehydrated/certs/<primary domain>/chain.pem >> /var/service/qpsmtpd/ssl/cert.pem
# Reload the MTA so it picks up the new file
systemctl restart qpsmtpd.service

Now SMTP (port 25) is OK according to checktls.com, but it will be overwritten at any time, and all other services (except HTTP) seem not to be updated either :-(
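A checked version of the copy-and-append hack above, added here as an example; it is not Koozali or SME Server code and not part of the post. It assumes only what the post states: qpsmtpd loads one PEM file containing the private key, the leaf certificate and the chain, in that order. The function verifies that privkey.pem actually belongs to cert.pem before installing anything (a mismatch breaks the TLS handshake outright), writes the result with mode 0600 through an atomic rename, and exposes two helpers a practitioner would use to confirm what ended up on disk: the order of PEM blocks in the file, and whether the certificate is self-signed, which is the condition checktls.com reported in the post below. The directory and output paths are parameters so the same functions can be tried against a throwaway certificate before touching the live file.

```shell
#!/bin/sh
# Added example, not Koozali/SME code. Builds the combined PEM that qpsmtpd
# reads, in the order used in the post: private key, leaf cert, chain.

# build_qpsmtpd_pem CERT_DIR OUT_FILE
#   CERT_DIR: a dehydrated certificate directory holding privkey.pem,
#             cert.pem and chain.pem
#   OUT_FILE: the combined file qpsmtpd should load
build_qpsmtpd_pem() {
    certdir="$1"; out="$2"
    for f in privkey.pem cert.pem chain.pem; do
        [ -r "$certdir/$f" ] || { echo "missing $certdir/$f" >&2; return 1; }
    done
    # Refuse to install a key that does not belong to the leaf certificate.
    # Both commands print the SubjectPublicKeyInfo, so equality means a match.
    keypub=$(openssl pkey -in "$certdir/privkey.pem" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$certdir/cert.pem" -pubkey -noout 2>/dev/null) || return 1
    [ "$keypub" = "$certpub" ] || { echo "privkey.pem does not match cert.pem" >&2; return 1; }
    # Assemble into a temp file created with mode 0600 (the key is inside),
    # then rename atomically so a concurrent reader never sees a half-written file.
    tmp="$out.tmp.$$"
    (umask 077; cat "$certdir/privkey.pem" "$certdir/cert.pem" "$certdir/chain.pem" > "$tmp") || return 1
    mv -f "$tmp" "$out"
}

# pem_block_order FILE
#   Prints the type of every PEM block in FILE, one per line, in file order,
#   e.g. "PRIVATE KEY", "CERTIFICATE", "CERTIFICATE".
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# cert_is_self_signed FILE
#   Exit 0 when the first certificate in FILE has issuer == subject,
#   i.e. it is the self-signed certificate the post complains about.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ "$subj" = "$iss" ]
}

# Usage on the server (paths taken from the post; <primary domain> as there):
#   build_qpsmtpd_pem /etc/dehydrated/certs/<primary domain> /var/service/qpsmtpd/ssl/cert.pem \
#     && systemctl restart qpsmtpd.service
#   pem_block_order /var/service/qpsmtpd/ssl/cert.pem
#   cert_is_self_signed /var/service/qpsmtpd/ssl/cert.pem && echo "still self-signed"
```

This only builds and checks the file; it does nothing about the file being overwritten again on "signal-event ssl-update", which is the integration the thread is asking for. To see what the MTA actually serves, the local equivalent of the checktls.com test is `openssl s_client -starttls smtp -connect <host>:25 -showcerts`, which prints the certificate chain the server presents after STARTTLS.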


82
Koozali SME Server 11.x / Re: Letsencrypt panel is looking great!
« Last post by Knuddi on August 20, 2025, 10:50:04 AM »
Dehydrated works just fine for me (using the shell) and it gets certificates for all the hosts that I have enabled for Let's Encrypt. The retrieved certificates are also placed correctly for HTTPS, but not for any mail purposes.

83
Koozali SME Server 11.x / Re: Letsencrypt panel is looking great!
« Last post by compdoc on August 20, 2025, 09:37:48 AM »
Quote from: Knuddi
The Let's Encrypt certificates seem to work perfectly on HTTPS level,

It's odd that you say that. I've had letsencrypt working well on SME10 for a long time, using the instructions located at:

https://wiki.koozali.org/Letsencrypt

But after spending hours on a couple of attempts with Alpha and one attempt with Beta to manually set up letsencrypt using those same instructions, I've never managed to get Dehydrated to work with SME11.

For security purposes, it seems to me that SME has always been locked down in various ways. The Let's Encrypt panel is only informational at this point, but someone with knowledge of the internal workings of SME needs to do the work of getting Dehydrated working manually first. That would make the creation of the smanager panel much simpler, IMO.
84
Koozali SME Server 11.x / Re: Letsencrypt panel is looking great!
« Last post by Knuddi on August 20, 2025, 08:05:06 AM »
I have started to use SME 11 and it's looking great. The Let's Encrypt certificates seem to work perfectly on HTTPS level, but for email (SSMTP/IMAPS/TLS) it doesn't seem to get updated and it uses the self-signed certificates. Am I missing something, and/or do you have a "manual hack" describing what certificates to copy and where, if this is not yet part of the Beta?

I use https://www.checktls.com/TestReceiver to test the TLS.

SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Session Algorithm in use: Curve X25519 DHE(253 bits)
Certificate #1 of 2 (sent by MX):
Cert VALIDATION ERROR(S): self signed certificate
So email is encrypted but the recipient domain is not verified
85
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by ReetP on August 17, 2025, 11:48:07 AM »
Quote from: Mace
I really wish I could be helping with testing Koozali 11 but don't think I would be much use.

I'm not sure why people say this. It needs ordinary users to test. Install, play, break, report. Fixing is not required.

That means everyone.

Plenty of posts here on what you can do to help & how.
86
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by Mace on August 17, 2025, 09:53:25 AM »
Thanks for all the replies and suggestions. I haven't changed anything on my server for a few years, but I only started needing to email wyo.gov a couple of months ago, so it likely would have done that all along if I had tried emailing them sooner. Nothing but changing the server's DNS has worked so far, but doing that messes up spamassassin with "Query Refused. See http://uribl.com/refused.shtml" errors preventing incoming mail delivery, like Jean-Philippe said it might. I'll just use my gmail acct for wyo.gov until Koozali 11 is ready for production. I really wish I could be helping with testing Koozali 11 but don't think I would be much use.
87
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by bunkobugsy on August 15, 2025, 06:39:05 AM »
It is behind an HAProxy server though (which is also rebooted nightly), could that cause this issue somehow?

Maybe. See the other forum post; you could change network conditions to expose SME directly, or try to remember what changed a couple of months ago.
Just to be sure, do a "signal-event reboot".
88
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by Jean-Philippe Pialasse on August 15, 2025, 04:54:24 AM »
Beta is beta. Not for production.
89
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by Mace on August 14, 2025, 11:01:33 PM »
Quote from: bunkobugsy
Start testing the SME 11 beta; it switched to Postfix for mail delivery.

Do you think the beta is stable enough for operating only as a mail server?
90
Koozali SME Server 10.x / Re: CNAME_lookup_failed_temporarily
« Last post by bunkobugsy on August 14, 2025, 10:12:20 AM »
https://forums.koozali.org/index.php/topic,34321.msg163897.html#msg163897
"The failing site was OK until the ISP changed the IP to a new range of addresses, so it looks like the ISP has an issue."

"in my case, it was firewall's IDS rules which resets DNS queries that is greater than 512 bytes. I shutdown ip audit functions and it is working perfectly now."

https://serverfault.com/questions/189366/cname-lookup-failed-temporarily-4-4-3
"In short: qmail is b0rked. It chokes on DNS packets over 512 bytes and sends queries of type ANY which produces the largest replies to find MX records."

Start testing the SME 11 beta; it switched to Postfix for mail delivery.