Docker-mailserver: Container not using Let's Encrypt certificates

Created on 5 Mar 2018 · 4 Comments · Source: tomav/docker-mailserver

I'm trying to set up LE certificates in the container, but it still uses the self-signed one.

My docker-compose.yml:

version: '2'
services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    ports:
    - "25:25"
    - "143:143"
    - "587:587"
    - "993:993"
    volumes:
    - /etc/letsencrypt:/etc/letsencrypt:ro
    - maildata:/var/mail
    - mailstate:/var/mail-state
    - ./config/:/tmp/docker-mailserver/
    environment:
    - DMS_DEBUG=${DMS_DEBUG}
    - ENABLE_CLAMAV=${ENABLE_CLAMAV}
    - ONE_DIR=${ONE_DIR}
    - ENABLE_POP3=${ENABLE_POP3}
    - ENABLE_FAIL2BAN=${ENABLE_FAIL2BAN}
    - ENABLE_MANAGESIEVE=${ENABLE_MANAGESIEVE}
    - OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
    - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
    - POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
    - SMTP_ONLY=${SMTP_ONLY}
    - SSL_TYPE=${SSL_TYPE}
    - PERMIT_DOCKER=${PERMIT_DOCKER}
    - VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
    - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}
    - POSTFIX_DAGENT=${POSTFIX_DAGENT}
    - ENABLE_SPAMASSASSIN=${ENABLE_SPAMASSASSIN}
    - SA_TAG=${SA_TAG}
    - SA_TAG2=${SA_TAG2}
    - SA_KILL=${SA_KILL}
    - SA_SPAM_SUBJECT=${SA_SPAM_SUBJECT}
    - ENABLE_FETCHMAIL=${ENABLE_FETCHMAIL}
    - FETCHMAIL_POLL=${FETCHMAIL_POLL}
    - ENABLE_LDAP=${ENABLE_LDAP}
    - LDAP_START_TLS=${LDAP_START_TLS}
    - LDAP_SERVER_HOST=${LDAP_SERVER_HOST}
    - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
    - LDAP_BIND_DN=${LDAP_BIND_DN}
    - LDAP_BIND_PW=${LDAP_BIND_PW}
    - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER}
    - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP}
    - LDAP_QUERY_FILTER_ALIAS=${LDAP_QUERY_FILTER_ALIAS}
    - DOVECOT_TLS=${DOVECOT_TLS}
    - DOVECOT_USER_FILTER=${DOVECOT_USER_FILTER}
    - DOVECOT_PASS_FILTER=${DOVECOT_PASS_FILTER}
    - ENABLE_POSTGREY=${ENABLE_POSTGREY}
    - POSTGREY_DELAY=${POSTGREY_DELAY}
    - POSTGREY_MAX_AGE=${POSTGREY_MAX_AGE}
    - POSTGREY_TEXT=${POSTGREY_TEXT}
    - ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD}
    - SASLAUTHD_MECHANISMS=${SASLAUTHD_MECHANISMS}
    - SASLAUTHD_MECH_OPTIONS=${SASLAUTHD_MECH_OPTIONS}
    - SASLAUTHD_LDAP_SERVER=${SASLAUTHD_LDAP_SERVER}
    - SASLAUTHD_LDAP_SSL=${SASLAUTHD_LDAP_SSL}
    - SASLAUTHD_LDAP_BIND_DN=${SASLAUTHD_LDAP_BIND_DN}
    - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
    - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
    - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
    - SASL_PASSWD=${SASL_PASSWD}
    cap_add:
    - NET_ADMIN
    - SYS_PTRACE
    restart: always
volumes:
  maildata:
    driver: local
  mailstate:
    driver: local

In my .env file I have correctly set up the following: SSL_TYPE=letsencrypt

As I see in issue #94, the command:
docker exec mail openssl s_client -connect 0.0.0.0:25 -starttls smtp -CApath /etc/ssl/certs/
should output something like

...
Certificate chain
 0 s:/CN=domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...

but instead I have

Certificate chain
 0 s:/CN=96acabb157fb
   i:/CN=96acabb157fb

I have also tested within a mail client, and it asks to allow the certificate from Dovecot @commonName@.

If I bash into the container, I can see the folder mail.mydomain.com in /etc/letsencrypt/live.

Is there anything else I should do?

question

Most helpful comment

The hostname of the server should match the domain name of the mail certificate directory.

All 4 comments

The hostname of the server should match the domain name of the mail certificate directory.

It does. The hostname of the container is mail.mydomain.com, and so are the certificates.

You were right. I thought they were the same, but my host hostname has to be the FQDN of the container.

I updated the OVERRIDE_HOSTNAME key in .env to the FQDN, and it works perfectly.

Thank you!

A note to add for anyone who runs across a problem similar to the one I had:

If you use LetsEncrypt and set the following:

volumes:
    - /etc/letsencrypt:/etc/letsencrypt

and your container's hostname is properly set via

hostname: ${HOSTNAME}

to something like mail, and your domainname

domainname: ${DOMAINNAME}

is properly set as well, to something like example.com, and yet your LetsEncrypt certificate does not get picked up and used, you might be running into a problem if you created a bunch of certs for a bunch of subdomains in bulk all at once and they're all in a single location, /etc/letsencrypt/live/example.com/, which isn't what the container will be looking for.

The container in our scenario would be looking for /etc/letsencrypt/live/mail.example.com/. You can resolve this with a softlink, and it won't interfere with renewals:

ln -s /etc/letsencrypt/live/example.com /etc/letsencrypt/live/mail.example.com

...and now docker-mailserver will spot the mail.example.com cert just fine and use it instead of the default one under the name @commonName@.
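The check this thread describes, as an added example that is not part of the original issue or of docker-mailserver's own code: a POSIX shell pre-flight that computes the FQDN the container will look for (OVERRIDE_HOSTNAME when set, otherwise hostname.domainname from docker-compose), verifies that /etc/letsencrypt/live/<fqdn>/ holds fullchain.pem and privkey.pem (the standard certbot layout, assumed here), creates the symlink from the comment above for certificates issued in bulk under one directory, and wraps the openssl s_client check from the question. The function names and the temporary directory tree in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not docker-mailserver's code. Assumes the standard certbot
# layout /etc/letsencrypt/live/<fqdn>/{fullchain.pem,privkey.pem}; the demo
# tree and hostnames below are constructed for illustration.

# expected_fqdn HOSTNAME DOMAINNAME [OVERRIDE_HOSTNAME]
# The name the container looks up under live/: OVERRIDE_HOSTNAME when set,
# otherwise hostname.domainname as given in docker-compose.
expected_fqdn() {
  if [ -n "${3:-}" ]; then
    printf '%s\n' "$3"
  else
    printf '%s.%s\n' "$1" "$2"
  fi
}

# check_live_dir LIVE_ROOT FQDN
# 0 when LIVE_ROOT/FQDN holds both fullchain.pem and privkey.pem, 1 otherwise.
# A missing directory is the symptom in the thread: the container quietly
# falls back to its self-signed @commonName@ certificate.
check_live_dir() {
  [ -f "$1/$2/fullchain.pem" ] && [ -f "$1/$2/privkey.pem" ]
}

# link_bulk_cert LIVE_ROOT BULK_NAME FQDN
# Creates LIVE_ROOT/FQDN -> LIVE_ROOT/BULK_NAME for certs issued in bulk under
# one directory. No trailing slash on the link name: with one, ln fails when
# FQDN does not exist yet. Refuses to clobber an existing entry.
link_bulk_cert() {
  [ -d "$1/$2" ] || return 1
  if [ -e "$1/$3" ]; then
    return 1
  fi
  ln -s "$1/$2" "$1/$3"
}

# served_cert_subject HOST PORT
# Prints the subject of the leaf certificate the MTA presents over STARTTLS
# (the openssl check from the question). Needs network access and openssl;
# returns 2 when openssl is not installed.
served_cert_subject() {
  command -v openssl >/dev/null 2>&1 || return 2
  openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Demo on a constructed tree: empty placeholder files, no real keys, no network.
demo() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/live/example.com"
  : > "$root/live/example.com/fullchain.pem"
  : > "$root/live/example.com/privkey.pem"

  fqdn=$(expected_fqdn mail example.com)    # -> mail.example.com
  if check_live_dir "$root/live" "$fqdn"; then
    echo "unexpected: $fqdn already present"
  else
    echo "missing: live/$fqdn (container would fall back to self-signed)"
  fi
  link_bulk_cert "$root/live" example.com "$fqdn" || return 1
  if check_live_dir "$root/live" "$fqdn"; then
    echo "OK: live/$fqdn now resolves to a certificate"
  fi
  rm -rf "$root"
}

demo
```

Run the functions against the host's /etc/letsencrypt/live before starting the container; with the compose file above the directory is mounted read-only, so the symlink has to be created on the host, not inside the container. Two caveats the symlink approach carries: the bulk certificate must list mail.example.com as a subject alternative name, or mail clients will still report a name mismatch even though the container now loads it; and verify the served certificate with served_cert_subject from outside the container, since a chain that starts with CN=<container id>, as in the question, means the fallback self-signed certificate is still in use.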
