I have a problem with emails sent by Postal an error appears unencrypted.
I wanted to know how to proceed.
No gmail information that is sent via email via prsp.domain.com
But I will configure letsencrypt in the file
/opt/postal/config/postal.yml
smtp_server:
tls_enabled: true
tls_certificate_path: /etc/letsencrypt/live/mail.domain.com/fullchai$
tls_private_key_path: /etc/letsencrypt/live/mail.domain.com/privkey.$
tls_ciphers: TLSv1_1
ssl_version: TLSv1_1
But this message appears
How to do psrp encryption?
Have you restarted Postal since setting the config?
Yes, I also reset the server and reactivated the Postal. He still says that domain.com did not encrypt this message.
You gave postal permission to the lets encrypt?
chown -R postal:postal /etc/letsencrypt
Hello, yes I gave permission for the certificate.
But the problem still remains
Would the Letsencrypt certificate I need be a wildcard?
That shouldn't be relevant. It sounds like you have everything you need.
How are you sending the message to your gmail?
I鈥檓 sending it directly from the Postal panel,
/etc/letsencrypt/live/mail.domain.com/fullchai$ tls_private_key_path: /etc/letsencrypt/live/mail.domain.com/privkey.$ tls_ciphers: TLSv1_1 ssl_version: TLSv1_1
mail.domain.com - you need to change this to your domain name. Also, I dont have the other stuff you got "fullchai$ tls_private_key_path: " and "privkey.$ tls_ciphers: TLSv1_1 ssl_version: TLSv1_1"
I have
tls_certificate_path: /etc/letsencrypt/live/mail.yourDomainName.com/fullchain.pem
tls_private_key_path: /etc/letsencrypt/live/mail.yourDomainName.com/privkey.pem
I have this below for mine,
smtp_server:
port: 25
tls_enabled: true
tls_certificate_path: /etc/letsencrypt/live/mail.yourDomainName.com/fullchain.pem
tls_private_key_path: /etc/letsencrypt/live/mail.yourDomainName.com/privkey.pem
proxy_protocol: false
log_connect: true
strip_received_headers: false
Make sure you restart postal when you update your config file: Command is:
postal stop
nano /opt/postal/config/postal.yml # change your config file and save it
postal initialize
postal start
Are you using the certificate for the main UI as well? Does it work fully there?
Also do not run postal initialize if you aren't installing, it can erase your database.
Yes is working normally in the interface (Nginx)
But when sending a message
The error that appears in GMAIL is that the domain did not encrypt the email.
Do you have any configuration you have to do for the domain?
No there shouldn't be any other configuration required. You could try using ssllabs.com to verify the certificate is fully valid for the interface.
I want to add: changing of owner at /etc/letsencrypt isn't nice at all - this way to get issues later.
Issue your cert with deploy-hook, f.e:
sudo cat <<\EOF > /etc/letsencrypt/renewal-hooks/deploy/postal.sh
#!/bin/sh
set -e
for domain in $RENEWED_DOMAINS; do
DAEMON_CERT_ROOT=/opt/postal/config
mkdir -p "$DAEMON_CERT_ROOT"
chown postal:postal "$DAEMON_CERT_ROOT"
cp "$RENEWED_LINEAGE/fullchain.pem" "$DAEMON_CERT_ROOT/smtp.cert"
cp "$RENEWED_LINEAGE/privkey.pem" "$DAEMON_CERT_ROOT/smtp.key"
chown postal:postal "$DAEMON_CERT_ROOT/*.cert"
chown postal:postal "$DAEMON_CERT_ROOT/*.key"
chown postal:postal "$DAEMON_CERT_ROOT/*.pem"
chmod 644 "$DAEMON_CERT_ROOT/*.cert"
chmod 400 "$DAEMON_CERT_ROOT/*.key"
chmod 400 "$DAEMON_CERT_ROOT/*.pem"
done
EOF
chmod +x /etc/letsencrypt/renewal-hooks/deploy/postal.sh
and then:
sudo certbot --nginx -d YOURDOMAIN -d YOURDOMAIN2 -d ETC --deploy-hook=/etc/letsencrypt/renewal-hooks/deploy/postal.sh
I have some Q to @willpower232:
tls_ciphers, ssl_version, proxy_protocol as not fully obvious what format I need to use. f.e.: default configuration use weak ciphers SSL_RSA_WITH_RC4_128_SHA and I want to disable themEdited:
removed systemctl restart postal
1 - we've never needed to restart Postal to apply an updated certificate but we have more API traffic than SMTP and regularly reboot the server for software updates. Its been a while since I specifically ran postal restart so I'm not sure how brutal that is.
2 - looking at lib/postal/smtp_server/server.rb these options are passed directly into ruby so you'd have to look up the documentation for ruby itself to see all possible values I believe
3 - there are already a few issues with newer openssl versions (#999 and others) so its likely that once these are resolved and you're using a recent version of openssl, you should be able to enable TLS 1.3 without too much bother
Hi @willpower232 thank you for detailed reply.
If somebody will try find correct way to set ssl_version and tls_ciphers check this:
https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-ciphers or https://www.rubydoc.info/gems/jruby-openssl/OpenSSL/SSL/SSLContext
I leaved ssl_version not set, to use default value from postal.default.yaml and set:
tls_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA and now all fine.
BTW:
ssl_version Sets the SSL/TLS protocol version for the context. This forces connections to use only the specified protocol version. This is deprecated and only provided for backwards compatibility. Use #min_version= and #max_version= instead.
Most helpful comment
You gave postal permission to the lets encrypt?
chown -R postal:postal /etc/letsencrypt