
Comments (13)

nelfer avatar nelfer commented on June 1, 2024 1

The pull request I just made will allow you to use certificates generated on the server (not necessarily inside the image), by mapping a volume to /etc/postfix/cert and using the names smtp.cert and smtp.key.
The original program always generates the certificates. This version will skip generation if one exists (which will be the case if a volume is mapped).

PS: Generating a letsencrypt certificate for the server (if you have ssh access) is relatively easy. First stop all web servers or anything that is using port 80, then run:
letsencrypt certonly --standalone -d yourdomain.com -d www.yourdomain.com -d mail.yourdomain.com
I put mail.yourdomain.com for your MX domain (the one that SMF should be using) so that you can use the same set of files.
This command takes care of everything by creating a temporary web server (so no need to put or copy files anywhere). After it's done, the files will be in /etc/letsencrypt/live/yourdomain.com; you need the full chain for "smtp.cert" (copy the full chain to that) and the privkey for "smtp.key". Put those 2 files in the folder that you plan to mount and you're done.

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

Hi @bcardiff ,

Thanks for your suggestion. I agree with you that it should use SMF_DOMAIN here.

Can you make a pull request?

from docker-simple-mail-forwarder.

bcardiff avatar bcardiff commented on June 1, 2024

Shameless PR sent.
This image is really simple to use. But for some users the certificate story might be a stopper.
After #11, even if the domain matches, the certificate is still not valid in a broad sense.

[000.617]       Cert NOT VALIDATED: self signed certificate
[000.618]       So email is encrypted but the domain is not verified

Either some workaround to allow peers to connect with the smtp server, or maybe even better: https://letsencrypt.org could be used to generate/renew licenses.

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

@bcardiff thanks for your PR!

So do you know any way to get a letsencrypt signed CA via bash script automatically? If SMF could do that, it would be fantastic.

from docker-simple-mail-forwarder.

bcardiff avatar bcardiff commented on June 1, 2024

I don't have lots of experience with certificates and CA :-$.

certbot is unable to run as is in this image
https://certbot.eff.org/#pip-other

./certbot-auto
Sorry, I don't know how to bootstrap Certbot on your operating system!

You will need to bootstrap, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.

Either some more dependencies are needed or a companion docker container could be used to get the certificates. If the same volume is used that might be enough.
There is info about running certbot with docker in https://certbot.eff.org/docs/using.html#running-with-docker
From this last link there seems to be a plugin for postfix at https://github.com/EFForg/starttls-everywhere

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

I do not have it either. :-$

If you have any progress about this, please let me know.

Thanks!

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

@bcardiff It seems https://github.com/gheift/letsencrypt.sh should work for us.

But as the document says:

To verify a domain the letsencrypt service gives you a challenge, to which a response must be stored under this domain.

we need to verify the email server domain before we can use letsencrypt.

How can we do that? What do you think?

from docker-simple-mail-forwarder.

bcardiff avatar bcardiff commented on June 1, 2024

For a single interaction with the user, the docker image could print the steps for publishing the challenge response. https://hub.docker.com/r/janeczku/dropbox/ does something like that.

I would think that the presence of LETSENCRYPT_EMAIL could switch from the self-signed cert to this.
If no account.key exists (in a mounted shared volume), create it. (I don't know if you can use multiple keys for the same account.)
After that, publish the challenge in the logs, asking the user to publish it.
I would say that the certificates should be in a location advertised in the documentation, for backing up or putting your account.key.

If someone is setting up an smtp server to run in the wild, they know about DNS MX records, but not necessarily about certificates. That is the scenario to have in mind, I think.

from docker-simple-mail-forwarder.

dimitrovs avatar dimitrovs commented on June 1, 2024

This image is able to generate letsencrypt certificates on the fly: https://github.com/BlackGlory/caddy-proxy
But as a first version, maybe even allowing users to mount the certificate as a volume when the container starts could work?

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

I agree. It might be a good start to permit the user to use the volume (-v) setting, or an ENV variable like SMF_CA, to put CA files inside SMF.

Inside SMF, we could:

  1. if the CA files exist, then do nothing with CA
  2. if SMF_CA is set, use this setting to generate CA files
  3. otherwise, generate a self-signed new one

It would still keep things simple.

from docker-simple-mail-forwarder.
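As an added example (not the project's entrypoint and not nelfer's PR), a POSIX sh sketch of the three-step policy above combined with the fullchain/privkey copy nelfer described earlier; CERT_DIR, the SMF_CA directory convention and the function names are assumptions.

```shell
# Added example, not the project's own code: existing files win, then SMF_CA,
# then a self-signed fallback. Assumptions: CERT_DIR defaults to
# /etc/postfix/cert holding smtp.cert/smtp.key (names from the PR); SMF_CA is
# a hypothetical env var naming a dir with Let's Encrypt fullchain.pem/privkey.pem.
set -eu
CERT_DIR="${CERT_DIR:-/etc/postfix/cert}"

# Print which strategy applies: existing | from-env | self-signed
cert_strategy() {
    dir="$1"; ca="${2:-}"
    if [ -s "$dir/smtp.cert" ] && [ -s "$dir/smtp.key" ]; then
        echo existing
    elif [ -n "$ca" ]; then
        echo from-env
    else
        echo self-signed
    fi
}

# Copy a Let's Encrypt live directory into place: fullchain.pem becomes
# smtp.cert and privkey.pem becomes smtp.key, as nelfer describes.
install_from_dir() {
    src="$1"; dir="$2"
    if [ ! -s "$src/fullchain.pem" ] || [ ! -s "$src/privkey.pem" ]; then
        echo "SMF_CA=$src lacks fullchain.pem and/or privkey.pem" >&2
        return 1
    fi
    mkdir -p "$dir"
    cp "$src/fullchain.pem" "$dir/smtp.cert"
    cp "$src/privkey.pem" "$dir/smtp.key"
    chmod 600 "$dir/smtp.key"   # the private key must not be world-readable
}

# Last resort: a throwaway self-signed certificate (peers will not trust it).
generate_self_signed() {
    dir="$1"; domain="${2:-localhost}"
    mkdir -p "$dir"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=$domain" \
        -keyout "$dir/smtp.key" -out "$dir/smtp.cert"
    chmod 600 "$dir/smtp.key"
}
# Entrypoint step: pick the strategy once, at container start.
setup_certs() {
    case "$(cert_strategy "$CERT_DIR" "${SMF_CA:-}")" in
        existing)    echo "using certificates already present in $CERT_DIR" ;;
        from-env)    install_from_dir "$SMF_CA" "$CERT_DIR" ;;
        self-signed) generate_self_signed "$CERT_DIR" "${SMF_DOMAIN:-localhost}" ;;
    esac
}
```

Call setup_certs from the container entrypoint before starting postfix; a mounted volume with smtp.cert and smtp.key is then left untouched.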

huan avatar huan commented on June 1, 2024

@nelfer great guide for SSL configuration newbies like me!

Could you please add the letsencrypt part of your article to the README? It really helps.

Also, I believe if we can embed this CA generation job inside SMF and do it for the user just by a port mapping, that will be awesome (keeping SMF really simple even for SSL support).

from docker-simple-mail-forwarder.

huan avatar huan commented on June 1, 2024

This issue should be fixed by #15, thanks @nelfer!

from docker-simple-mail-forwarder.

bcardiff avatar bcardiff commented on June 1, 2024

Thanks @nelfer / @zixia, I will give it a try in a couple of weeks (vacations :-) )

After talking to some coworkers, they pointed me to a (maybe outdated) way to set up the request/renewal of the certificates at letsencrypt with docker: https://manas.tech/blog/2016/01/25/letsencrypt-certificate-auto-renewal-in-docker-powered-nginx-reverse-proxy.html

So we might have all the required pieces.

Thanks again!

from docker-simple-mail-forwarder.
