Hello,
I have problems with the SSL configuration using letsencrypt. I configured all files using the SSL wiki. But when I get the certificate, it sends a self-signed one by Dovecot.
This is my docker-compose.yml:
```yaml
services:
  mail:
    image: tvial/docker-mailserver:latest
    hostname: ${HOSTNAME}
    domainname: ${DOMAINNAME}
    container_name: ${CONTAINER_NAME}
    ports:
      - "25:25"
      - "143:143"
      - "587:587"
      - "993:993"
    volumes:
      - maildata:/var/mail
      - mailstate:/var/mail-state
      - ./config/:/tmp/docker-mailserver/
      - ./etc/letsencrypt/live/:/etc/letsencrypt/live/
    environment:
      - SSL_CERT_PATH=/etc/letsencrypt/live/systing.es/fullchain.pem
      - SSL_KEY_PATH=/etc/letsencrypt/live/systing.es/privkey.pem
      - DMS_DEBUG=${DMS_DEBUG}
      - ENABLE_CLAMAV=${ENABLE_CLAMAV}
      - ONE_DIR=${ONE_DIR}
      - ENABLE_POP3=${ENABLE_POP3}
      - ENABLE_FAIL2BAN=${ENABLE_FAIL2BAN}
      - ENABLE_MANAGESIEVE=${ENABLE_MANAGESIEVE}
      - OVERRIDE_HOSTNAME=${OVERRIDE_HOSTNAME}
      - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
      - POSTSCREEN_ACTION=${POSTSCREEN_ACTION}
      - REPORT_RECIPIENT=${REPORT_RECIPIENT}
      - REPORT_SENDER=${REPORT_SENDER}
      - REPORT_INTERVAL=${REPORT_INTERVAL}
      - SMTP_ONLY=${SMTP_ONLY}
      - SSL_TYPE=${SSL_TYPE}
      - TLS_LEVEL=${TLS_LEVEL}
      - SPOOF_PROTECTION=${SPOOF_PROTECTION}
      - ENABLE_SRS=${ENABLE_SRS}
      - PERMIT_DOCKER=${PERMIT_DOCKER}
      - VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}
      - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=${ENABLE_POSTFIX_VIRTUAL_TRANSPORT}
      - POSTFIX_DAGENT=${POSTFIX_DAGENT}
      - ENABLE_SPAMASSASSIN=${ENABLE_SPAMASSASSIN}
      - SA_TAG=${SA_TAG}
      - SA_TAG2=${SA_TAG2}
      - SA_KILL=${SA_KILL}
      - SA_SPAM_SUBJECT=${SA_SPAM_SUBJECT}
      - ENABLE_FETCHMAIL=${ENABLE_FETCHMAIL}
      - FETCHMAIL_POLL=${FETCHMAIL_POLL}
      - ENABLE_LDAP=${ENABLE_LDAP}
      - LDAP_START_TLS=${LDAP_START_TLS}
      - LDAP_SERVER_HOST=${LDAP_SERVER_HOST}
      - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
      - LDAP_BIND_DN=${LDAP_BIND_DN}
      - LDAP_BIND_PW=${LDAP_BIND_PW}
      - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER}
      - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP}
      - LDAP_QUERY_FILTER_ALIAS=${LDAP_QUERY_FILTER_ALIAS}
      - DOVECOT_TLS=${DOVECOT_TLS}
      - DOVECOT_USER_FILTER=${DOVECOT_USER_FILTER}
      - DOVECOT_PASS_FILTER=${DOVECOT_PASS_FILTER}
      - ENABLE_POSTGREY=${ENABLE_POSTGREY}
      - POSTGREY_DELAY=${POSTGREY_DELAY}
      - POSTGREY_MAX_AGE=${POSTGREY_MAX_AGE}
      - POSTGREY_TEXT=${POSTGREY_TEXT}
      - ENABLE_SASLAUTHD=${ENABLE_SASLAUTHD}
      - SASLAUTHD_MECHANISMS=${SASLAUTHD_MECHANISMS}
      - SASLAUTHD_MECH_OPTIONS=${SASLAUTHD_MECH_OPTIONS}
      - SASLAUTHD_LDAP_SERVER=${SASLAUTHD_LDAP_SERVER}
      - SASLAUTHD_LDAP_SSL=${SASLAUTHD_LDAP_SSL}
      - SASLAUTHD_LDAP_BIND_DN=${SASLAUTHD_LDAP_BIND_DN}
      - SASLAUTHD_LDAP_PASSWORD=${SASLAUTHD_LDAP_PASSWORD}
      - SASLAUTHD_LDAP_SEARCH_BASE=${SASLAUTHD_LDAP_SEARCH_BASE}
      - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
      - SASLAUTHD_LDAP_START_TLS=${SASLAUTHD_LDAP_START_TLS}
      - SASLAUTHD_LDAP_TLS_CHECK_PEER=${SASLAUTHD_LDAP_TLS_CHECK_PEER}
      - SASL_PASSWD=${SASL_PASSWD}
      - SRS_EXCLUDE_DOMAINS=${SRS_EXCLUDE_DOMAINS}
      - SRS_SECRET=${SRS_SECRET}
      - RELAY_HOST=${RELAY_HOST}
      - RELAY_PORT=${RELAY_PORT}
      - RELAY_USER=${RELAY_USER}
      - RELAY_PASSWORD=${RELAY_PASSWORD}
    cap_add:
      - NET_ADMIN
      - SYS_PTRACE
    restart: always

volumes:
  maildata:
    driver: local
  mailstate:
    driver: local
```
I tried everything I could read in the wiki and forum but can't get my certificate working. In Apache it's working fine.
If anyone can help me...
Following the wiki https://github.com/tomav/docker-mailserver/wiki/Configure-SSL#example-using-the-letsencrypt-certificates-on-a-synology-nas, you should add `- SSL_TYPE=manual`.
Try this volume mount:

```yaml
- ./etc/letsencrypt/:/etc/letsencrypt/
```

because the files in /etc/letsencrypt/live/ are actually symbolic links to /etc/letsencrypt/archive/ and will not be accessible from inside the container.

Also remove these:

```yaml
- SSL_CERT_PATH=/etc/letsencrypt/live/systing.es/fullchain.pem
- SSL_KEY_PATH=/etc/letsencrypt/live/systing.es/privkey.pem
```
You can access /etc/letsencrypt/live/ within the container. I'm using a cert generated with letsencrypt from https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion, and I mount the generated cert to /etc/letsencrypt/live/${HOSTNAME}.${DOMAINENAME}, and this works really well, as explained in the wiki.
And SSL_CERT_PATH & SSL_KEY_PATH are valid environment variables; they are used to define the exact location of the .pem files (especially when you don't copy your certs to /live).
But I agree that if he keeps SSL_CERT_PATH and SSL_KEY_PATH, he no longer has to mount his .pem files to /etc/letsencrypt/live;
he can just mount them to /tmp/ssl and set SSL_CERT_PATH=/tmp/ssl/systing.es/fullchain.pem and SSL_KEY_PATH=/tmp/ssl/systing.es/privkey.pem.
For a better answer we should know what method you would use for the cert, @Damki.
> you can access /etc/letsencrypt/live/ within the container i'm using cert generated with letsencrypt from there https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion
You are right. It depends on how you get the SSL certificates from letsencrypt.
In my case I tried the same thing as @Damki and I got the same problem. Then I figured out that the certificates themselves were not accessible from the container due to being symbolic links. So, I fixed the mount directories and it worked.
In my case I am using wsproxy for managing the ssl certs: https://github.com/docker-scripts/wsproxy,
and it uses certbot: https://github.com/docker-scripts/wsproxy/blob/master/cmd/get-ssl-cert.sh
I am going to write some instructions soon about how I do it.
Here are the steps that I followed (I hope that I have not forgotten something):
https://github.com/docker-scripts/moodle/blob/master/docs/email-setup.md#building-a-simple-mailserver
I've personally entered the full paths to the "host" certificates, which are created by certbot. So in my case it's mounting these (which, on the host, are symlinks to the certs in archive/):

```yaml
- SSL_CERT_PATH=/etc/letsencrypt/live/<domain>/fullchain.pem:/tmp/ssl/fullchain.pem
- SSL_KEY_PATH=/etc/letsencrypt/live/<domain>/privkey.pem:/tmp/ssl/privkey.pem
```

However, I did have to make sure that both the symlinks in live/ and the base files in archive/ were readable by the user under which I started the containers. Otherwise there are no certs in the container and Dovecot keeps being restarted. `docker-compose logs -f` shed some light for me.
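The two failure modes raised in this thread (a bind mount of `live/` alone, whose symlinks point outside the mounted tree, and `archive/` files the container's user cannot read) can be checked on the host before starting the container. The script below is an added example, not code from docker-mailserver or from anyone in this thread: it builds a throwaway directory tree shaped like certbot's `/etc/letsencrypt` (placeholder file contents, a constructed domain `example.test`) and then reports what a container would see for two candidate bind-mount sources.

```python
"""Pre-flight check: will a certbot directory survive being bind-mounted into a container?

Added example (not from the thread). The tree built by make_certbot_layout() is
constructed to mimic certbot's layout: live/<domain>/*.pem are relative symlinks
into archive/<domain>/. A bind mount copies a directory as is, so a symlink whose
target lies outside the mounted source dangles inside the container even though
`ls -la` there still shows it.
"""
import os
import tempfile

REQUIRED = ("fullchain.pem", "privkey.pem")


def make_certbot_layout(root, domain):
    """Create a constructed certbot-style tree under root (placeholder contents, not real keys)."""
    archive = os.path.join(root, "archive", domain)
    live = os.path.join(root, "live", domain)
    os.makedirs(archive)
    os.makedirs(live)
    for name in REQUIRED:
        base, ext = os.path.splitext(name)
        versioned = f"{base}1{ext}"  # certbot numbers archive files: fullchain1.pem, ...
        with open(os.path.join(archive, versioned), "w") as fh:
            fh.write(f"PLACEHOLDER {name}\n")
        # certbot uses relative links: live/<domain>/x.pem -> ../../archive/<domain>/x1.pem
        os.symlink(os.path.join("..", "..", "archive", domain, versioned),
                   os.path.join(live, name))
    return root


def check_bind_mount(mount_src, domain):
    """Return a list of problems a container would hit if mount_src were bind-mounted.

    Checks, for each required file under live/<domain>:
      1. the symlink target resolves to a path inside mount_src,
      2. the target exists,
      3. the target is readable by the current user (the one starting the containers).
    """
    problems = []
    mount_src = os.path.realpath(mount_src)
    # The live/<domain> directory sits at a different depth depending on what is mounted.
    candidates = [os.path.join(mount_src, "live", domain), os.path.join(mount_src, domain)]
    live = next((c for c in candidates if os.path.isdir(c)), None)
    if live is None:
        return [f"no live/{domain} directory under {mount_src}"]
    for name in REQUIRED:
        path = os.path.join(live, name)
        if not os.path.lexists(path):
            problems.append(f"{name}: missing")
            continue
        real = os.path.realpath(path)
        if os.path.commonpath([real, mount_src]) != mount_src:
            problems.append(f"{name}: symlink target {real} is outside the mounted directory")
        elif not os.path.exists(real):
            problems.append(f"{name}: symlink target {real} does not exist")
        elif not os.access(real, os.R_OK):
            problems.append(f"{name}: not readable by uid {os.getuid()}")
    return problems


def demo(domain="example.test"):
    """Compare mounting live/ alone against mounting the whole letsencrypt tree."""
    with tempfile.TemporaryDirectory() as root:
        make_certbot_layout(root, domain)
        return {
            "live_only": check_bind_mount(os.path.join(root, "live"), domain),
            "whole_tree": check_bind_mount(root, domain),
        }


if __name__ == "__main__":
    for mount, problems in demo().items():
        print(f"{mount}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Against a real host, call `check_bind_mount("/etc/letsencrypt", "<domain>")` (or with the `live/` path you were about to mount) as the same user that runs `docker-compose up`; the readability check is only meaningful for that user, since root passes `os.access` regardless of file mode.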
Same problem. I have mounted the /etc/letsencrypt directory as suggested in the docs, and I can see all certificates by running `docker exec <container-id> ls -la /etc/letsencrypt`. But when I looked at my log it says:

```
TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1407:SSL alert number 46:
```

My Gmail client says the certificate is not valid. I don't know what's wrong, but it's certainly a certificate problem. My email client configs:

```
SMTP server: example.com //not mail.example.com
PORT: 465 (SSL/TLS)
```
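TLS alert 46 ("certificate unknown") is sent by the client when it rejects the server's certificate; one common reason for a "certificate not valid" verdict is that the server name the client was configured with is not among the certificate's subjectAltName DNS entries. Whether that is the cause here is not established by the thread, but it is a cheap check to run. The matcher below is an added example, not code from the thread or from docker-mailserver: it implements the usual host-name rules (case-insensitive, trailing dot ignored, a wildcard allowed only as the whole leftmost label and matching exactly one label) over a constructed SAN list. For a real certificate, take the DNS names from `openssl x509 -noout -text -in fullchain.pem`.

```python
"""Does the server name a mail client connects to appear in the certificate's DNS names?

Added example (not from the thread). The SAN lists used here are constructed;
with a real certificate, read the subjectAltName DNS entries out of fullchain.pem.
"""


def hostname_matches(hostname, san_dns_names):
    """True if hostname is covered by one of the DNS names in san_dns_names.

    Rules applied (a practical subset of RFC 6125):
      - comparison is case-insensitive and ignores a trailing dot;
      - a non-wildcard name must match label for label;
      - '*' is only honoured as the entire leftmost label, matches exactly one
        label, and must leave at least two labels to its right.
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for san in san_dns_names:
        san_labels = san.rstrip(".").lower().split(".")
        if len(san_labels) != len(host_labels):
            continue  # a wildcard never spans several labels
        first, rest = san_labels[0], san_labels[1:]
        if rest != host_labels[1:]:
            continue
        if first == host_labels[0]:
            return True
        if first == "*" and len(rest) >= 2 and host_labels[0]:
            return True
    return False


def uncovered_names(configured_names, san_dns_names):
    """Return the configured server names (SMTP, IMAP, ...) that the certificate does not cover."""
    return [n for n in configured_names if not hostname_matches(n, san_dns_names)]


# Constructed scenario shaped like the one in the thread: a certificate issued for
# mail.example.com while the client is configured to connect to example.com.
CONSTRUCTED_SANS = ["mail.example.com"]
CONSTRUCTED_CLIENT_NAMES = ["example.com", "mail.example.com"]

if __name__ == "__main__":
    missing = uncovered_names(CONSTRUCTED_CLIENT_NAMES, CONSTRUCTED_SANS)
    for name in CONSTRUCTED_CLIENT_NAMES:
        status = "NOT covered" if name in missing else "covered"
        print(f"{name}: {status} by {CONSTRUCTED_SANS}")
```

If the name in the client's "SMTP server" field comes back as uncovered, either point the client at a name the certificate carries or reissue the certificate with that name added; no amount of fixing the mounts will change that verdict.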
@smitpatelx was your last comment resolved by https://github.com/tomav/docker-mailserver/issues/1341 as well?
This issue was closed due to one or more of the following reasons:
If you think this happened by accident, or feel like this issue was not actually resolved, please feel free to re-open it. If there is an issue you could resolve in the meantime, please open a PR based on the current master branch so we can review it.