Hi all friends ,
I have facing a big problem on my postal smtp server . I install certbot for ssl . Its working fine on web but not working smtp . I search internet for this solution . I find some post on github related postal ssl . But not working for me .
here is my nginx and postal.yml file
nginx >>>>>>>>>
server {
listen [::]:80;
listen 0.0.0.0:80;
server_name postal.snsohag.xyz;
return 301 https://$host$request_uri;
}
server {
listen [::]:443 ssl;
listen 0.0.0.0:443 ssl;
root /opt/postal/public;
server_name postal.snsohag.xyz;
ssl_certificate /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/postal.snsohag.xyz/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
location / {
client_max_body_size 50M;
try_files $uri $uri/index.html $uri.html @puma;
}
location /app/assets {
add_header Cache-Control max-age=3600;
}
location @puma {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://127.0.0.1:5000;
}
}
Postal.yml >>>>>>>>>>>>> remove all "#" for understand better reading
web:
The host that the management interface will be available on
host: postal.snsohag.xyz
The protocol that requests to the management interface should happen on
protocol: https
fast_server:
This can be enabled to enable click & open tracking on emails. It is disabled by
default as it requires a separate static IP address on your server.
enabled: false
bind_address:
general:
This can be changed to allow messages to be sent from multiple IP addresses
use_ip_pools: false
main_db:
Specify the connection details for your MySQL database
host: 127.0.0.1
username: postal
password: p0stalpassw0rd
database: postal
message_db:
Specify the connection details for your MySQL server that will be house the
message databases for mail servers.
host: 127.0.0.1
username: postal
password: p0stalpassw0rd
prefix: postal
rabbitmq:
Specify the connection details for your RabbitMQ server.
host: 127.0.0.1
username: postal
password: p0stalpassw0rd
vhost: /postal
dns:
Specifies the DNS record that you have configured. Refer to the documentation at
https://github.com/atech/postal/wiki/Domains-&-DNS-Configuration for further
information about these.
mx_records:
- mx.postal.snsohag.xyz
smtp_server_hostname: postal.snsohag.xyz
spf_include: spf.postal.snsohag.xyz
return_path: rp.postal.snsohag.xyz
route_domain: routes.postal.snsohag.xyz
track_domain: track.postal.snsohag.xyz
smtp:
Specify an SMTP server that can be used to send messages from the Postal management
system to users. You can configure this to use a Postal mail server once the
your installation has been set up.
host: 127.0.0.1
port: 2525
username: # Complete when Postal is running and you can
password: # generate the credentials within the interface.
from_name: Postal
from_address: [email protected]
smtp_server:
tls_enabled: true
tls_certificate_path: /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem
tls_private_key_path: /etc/letsencrypt/live/postal.snsohag.xyz/privkey.pem
rails:
This is generated automatically by the config initialization. It should be a random
string unique to your installation.
secret_key: 75ae57fed7716d2e89a06cce79d02bef91c670b975d4eda884cd252f26bc6ee87be4d409dff07b12b02bd66f77053d9e92379316d37bdf6f3e8ff66a058de303a8bf9e4b15f1ca19cbedf392def8aa7a7a22cb7b6801d7dfe50ea40e6880a10d46d3c46e0e08a4e466cb4e75a9525debe616ae38e8a192b680f87fc8ab875c4b
I restart postal but not working . please help**
When you say not working, what is happening?
Hi @smsohagbd please reread your issue - it can't be read at all. It pain for eyes. Please remove unneeded bolt and headers text from issue.
I assume based on default certbot path that postal user simply doesn't have permissions to access to this files:
tls_certificate_path: /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem
tls_private_key_path: /etc/letsencrypt/live/postal.snsohag.xyz/privkey.pem
Please check this. But I think that 99.9% is the root of your issue.
Also when certbot will rotate letsencrypt certificates you need to restart postal. I recommend you two thing to do:
tls_certificate_path: config/smtp.cert and tls_private_key_path: config/smtp.key is default one to check. If you will postdeploy them in such location, you can at all omnit this two strings in your postal config.Good luck
When you say not working, what is happening?
When i connect my smtp server without ssl its work fine and send mail . but when i enable ssl its show error and not send any mail .
Error : An error occurred while attempting to establish an SSL or TLS connection .
Thanks
Also noticed that every time lets encrypt renews that files permission are reset and postal loses access so SSL and TLS breaks.
@Igcorreia this isn't postal issues. This your setup isn't complete. Please use post deployment certbot option to place your certificate to correct place, assing owner, permission and restart postal.
@Igcorreia this isn't postal issues. This your setup isn't complete. Please use post deployment certbot option to place your certificate to correct place, assing owner, permission and restart postal.
Notice, any link in hand? Would be helpful. :)
@Igcorreia https://certbot.eff.org/docs/using.html#certbot-commands
Hi @smsohagbd please reread your issue - it can't be read at all. It pain for eyes. Please remove unneeded bolt and headers text from issue.
I assume based on default certbot path that postal user simply doesn't have permissions to access to this files:tls_certificate_path: /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem tls_private_key_path: /etc/letsencrypt/live/postal.snsohag.xyz/privkey.pemPlease check this. But I think that 99.9% is the root of your issue.
Also when certbot will rotate letsencrypt certificates you need to restart postal. I recommend you two thing to do:
- Create systemd service to run postal. Note: if you will run postal update you need firstly stop systemd postal server and after this start systemd service.
- Create post deploy script in letsencrypt to put postal certificates to postal folder and run chown and chmod on this certificates and after this restart systemd postal service. Note: that privkey.pem must have strict permissions like 600 and be owned by postal user.
- Update postal.yml config to provide correct certificates path for smtp.
tls_certificate_path: config/smtp.certandtls_private_key_path: config/smtp.keyis default one to check. If you will postdeploy them in such location, you can at all omnit this two strings in your postal config.Good luck
sir , i am so much confuse how can i do now . i read your reply many times but can not understand . i am a beginner so I can not understand all
sorry for this type of questions
Hi @smsohagbd, first of all I asked you to fix your initial message and you doesn't done this.
Even that I had hard experience to read that I find potential case of problem and provided you info what you need check. You still not checked if problem in permissions or not. Or forgot to provide this info.
I can't take you by hand and explain you how to setup server in your environment from scratch. You even do not trying doing your part. I provided more then detailed information for you to start searching how to do by yourself. First 2 questions can be googled and you find how to do it. If you will not try to dig you will stay beginner. 3rd question isn't make any sense - this relative path from your postal home directory.
@smsohagbd as described above, you need to set tls_certificate_path and tls_private_key_path to point at a real SSL certificate you have installed on your server, by default they are set to a relative path which contains certificates that have been generated locally so are no good for real operation. the systemd configuration is optional
Does the postal user have enough permission?
You can check it with:
su postal
cat /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem
@approached 100% no :) this default to 600 for root:root
Does the postal user have enough permission?
You can check it with:su postal cat /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.pem
when I use this comment I see this
Last login: Fri Oct 30 13:39:06 2020 from 116.204.223.93
root@localhost:~# su postal
postal@localhost:/root$ cat /etc/letsencrypt/live/postal.snsohag.xyz/fullchain.p em
-----BEGIN CERTIFICATE-----
MIIFXDCCBESgAwIBAgISBDqZP5NwIQEXngztTurMOeB8MA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA5MjAwNjE3MzlaFw0y
MDEyMTkwNjE3MzlaMB0xGzAZBgNVBAMTEnBvc3RhbC5zbnNvaGFnLnh5ejCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/poLW6TNgh4s5ai0yzfyPu3RK/
8Wys4RIaN1n/X1jQc9qrm6XDo88GU3rtuw98X2cp+I9CeAg4sPgnYIrWi6DAqV/6
4MsL6EpY+ln1kJnrthMju76yNLbDwjS+DBnyW/9YaZ/V+vEwq7aDbx7Du6bG6qee
Cd5rtoKqok9rKegBMlGgHqQtXBN91tXR9+wjhdhmISWPkwVP1cZTmju7UAxeWTMc
bsV4SAXtDSoiV8874+o71bQN4x+42yDOmluAWNb/qN1zeN+ShlwI5OIFBKzUZoUU
SOlR3RIQyxK6JAOdNHN3HtOuiju6JVpdPVbZY8QOkR1viXJU8G99A5PcDYkCAwEA
AaOCAmcwggJjMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUJwPJgykgQ1r7ntgX5qEx
bv++uHIwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUH
AQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5
cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5
cHQub3JnLzAdBgNVHREEFjAUghJwb3N0YWwuc25zb2hhZy54eXowTAYDVR0gBEUw
QzAIBgZngQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDov
L2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEEBgorBgEEAdZ5AgQCBIH1BIHyAPAAdQBe
p3P531bA57U2SH3QSeAyepGaDIShEhKEGHWWgXFFWAAAAXSqYBwBAAAEAwBGMEQC
ICBuG4Q+O62PyX/BXbLFD/BBeWqto2mIO6/TJ9eeOAqdAiA5O51wMR8AXCdmWWGw
1rsxwUKAI2eh0dTT28zzw1g02AB3ALIeBcyLos2KIE6HZvkruYolIGdr2vpw57JJ
Uy3vi5BeAAABdKpgG+YAAAQDAEgwRgIhANvar1/K+PKqGFXoheOYeR2GAHg/r9Gv
R87LSrJUdc4tAiEAwLv56g+1eGUojVEy0GNM7Wd8VQopHVkAbfCjx5d9zMkwDQYJ
KoZIhvcNAQELBQADggEBAIr76/+864kGc73J9LH2zII2HLVr3Xp5FULVvKdzCkly
8clZRBPu8Oq2R7owqLgnN1IQ+pJhV4qwT9kO546o+ZW5NgMyTTwgwfqlCygHyXEx
bxxblNAVN/LXqzExfsrRfwIxdGgtbvrf0nnhkO2Hk/maIa432UMSUFAAS2qB0eJE
zd50QXp0jbn08CtrS4hx66BqTl1j1DB2/8jVKsceErex/v85lm5cN2AyHm6fSCF7
Vk9jsuK1BRr4LX5zuXG6mbcquHnG9kA3rNDqocvRFKDEqPdrrlX1yDgl8cVLY01E
67y0Veuf432XFZb/zA0P+nud+P9P6taxql3hFOQwzmw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
postal@localhost:/root$
The only other thing I can suggest is restarting your Postal to ensure that the config is definitely being applied.
Is this issue fixed?
@saiful7 there wasn't issue with postal itself.