Comments (13)
The pull request I just made will allow you to use certificates generated on the server (not necessarily inside the image), by mapping a volume to /etc/postfix/cert and using the names smtp.cert and smtp.key.
The original program always generates the certificates. This version will skip generation if one exists (which will be the case if a volume is mapped).
PS: How to generate a letsencrypt certificate for the server (if you have ssh access), which is relatively easy. First stop all web servers or anything that is using port 80, then run:
letsencrypt certonly --standalone -d yourdomain.com -d www.yourdomain.com -d mail.yourdomain.com
I put mail.yourdomain.com for your MX domain (the one that SMF should be using) so that you can use the same set of files.
This command takes care of everything by creating a temporary web server (so no need to put or copy files anywhere). After it's done, the files will be in /etc/letsencrypt/live/yourdomain.com and you need the full chain for "smtp.cert" (copy the full chain to that) and the privkey to "smtp.key". Put those 2 files in the folder that you plan to mount and you're done.
from docker-simple-mail-forwarder.
Hi @bcardiff,
thanks for your suggestion. I agree with you that we should use SMF_DOMAIN here.
Can you make a pull request?
Shameless PR sent.
This image is really simple to use. But for some users the certificate story might be a stopper.
After #11, even if the domain matches, the certificate is still not valid in a broad sense.
[000.617] Cert NOT VALIDATED: self signed certificate
[000.618] So email is encrypted but the domain is not verified
Either some workaround to allow peers to connect with the smtp server, or maybe even better: https://letsencrypt.org could be used to generate/renew licenses.
@bcardiff thanks for your PR!
So do you know any way to get a letsencrypt-signed CA via a bash script automatically? If SMF could do that, that would be fantastic.
I don't have lots of experience with certificates and CA :-$.
certbot is unable to run as is in this image
https://certbot.eff.org/#pip-other
./certbot-auto
Sorry, I don't know how to bootstrap Certbot on your operating system!
You will need to bootstrap, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.
Either some more dependencies are needed or a companion docker container could be used to get the certificates. If the same volume is used that might be enough.
There is info about running certbot with docker in https://certbot.eff.org/docs/using.html#running-with-docker
From this last link there seems to be a plugin for postfix at https://github.com/EFForg/starttls-everywhere
I do not have it either. :-$
If you have any progress about this, please let me know.
Thanks!
@bcardiff It seems https://github.com/gheift/letsencrypt.sh should work for us.
but as the document says:
To verify a domain the letsencrypt service gives you a challenge, to which a response must be stored under this domain.
We need to verify the email server domain before we can use letsencrypt.
How can we do that? What do you think?
For a single interaction with the user the docker image could print the steps for publishing the challenge response. https://hub.docker.com/r/janeczku/dropbox/ does something like that.
I would think that the presence of LETSENCRYPT_EMAIL could switch from self-signed cert to this.
If no account.key exists (in a mounted shared volume), create it. (I don't know if you can use multiple keys for the same account.)
After that, publish the challenge in the logs asking the user to publish it.
I would say that the certificates should be in a location advertised in the documentation, for backing up or putting your account.key.
If someone is setting up an smtp server to run in the wild, they know about DNS MX records, but not necessarily about certificates. That is the scenario to have in mind, I think.
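What the "challenge" quoted two comments up actually is, and what a container would have to print to its logs per the suggestion just above, as an added example (not SMF's code and not from any commenter). For the HTTP-01 challenge (RFC 8555 section 8.3) the response published at http://<domain>/.well-known/acme-challenge/<token> is the key authorization: the token, a dot, and the RFC 7638 thumbprint of the ACME account key. It assumes the openssl command-line tool is on PATH for reading an RSA account.key; the JWK used in the __main__ demo is constructed and is not a real key.

```python
"""HTTP-01 key authorization for an ACME account key (added example, not SMF code).

The thumbprint (RFC 7638) is SHA-256 over the key's required JWK members,
serialised with members in lexicographic order and no whitespace, then
base64url-encoded without padding. Reading an RSA PEM assumes the openssl CLI.
"""
import base64
import hashlib
import json
import re
import subprocess


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rsa_jwk_from_pem(key_path: str) -> dict:
    """Public JWK {"kty","n","e"} of an RSA account key, read via openssl."""
    out = subprocess.run(["openssl", "rsa", "-in", key_path, "-noout",
                          "-modulus", "-text"], check=True,
                         capture_output=True, text=True).stdout
    n_hex = re.search(r"^Modulus=([0-9A-Fa-f]+)", out, re.M).group(1)
    e_int = int(re.search(r"publicExponent: (\d+)", out).group(1))
    e_bytes = e_int.to_bytes((e_int.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "n": b64url(bytes.fromhex(n_hex)), "e": b64url(e_bytes)}


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON the thumbprint is computed over (RFC 7638 section 3).

    Only the required members count; optional ones such as "alg" are dropped.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                      separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body to serve at /.well-known/acme-challenge/<token>."""
    # The token comes from the CA; refuse anything that is not base64url before
    # it is ever used to build a URL path or a file name under the web root.
    if not re.fullmatch(r"[A-Za-z0-9_-]+", token):
        raise ValueError("token is not base64url")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_instructions(domain: str, token: str, jwk: dict) -> str:
    """What a container could log for the operator to publish by hand."""
    return (f"Serve the following plain-text body at "
            f"http://{domain}/.well-known/acme-challenge/{token}\n"
            f"{key_authorization(token, jwk)}")


if __name__ == "__main__":
    # Constructed JWK (not a real key) and a constructed token, for illustration.
    fake_jwk = {"kty": "RSA", "n": "AQAB", "e": "AQAB"}
    print(challenge_instructions("mail.example.com", "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA", fake_jwk))
```

Real ACME clients do exactly this computation; the point of spelling it out is that the container only needs the account key and the CA's token to tell the operator what to publish, which is the single interaction described above.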
This image is able to generate letsencrypt certificates on the fly: https://github.com/BlackGlory/caddy-proxy
But as a first version, maybe even allowing users to mount the certificate as a volume when the container starts could work?
I agree. It might be a good start to permit users to use a volume (-v) setting, or an ENV variable like SMF_CA, to put CA files inside SMF.
Inside SMF, we could:
- if the CA files exist, then do nothing with CA
- if SMF_CA is set, use this setting to generate CA files
- otherwise, generate a self-signed new one
It still looks simple.
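The two procedures in this thread, as one added example (not SMF's entrypoint and not code posted by any commenter): installing the Let's Encrypt files under the names nelfer gives in the first comment (fullchain.pem becomes smtp.cert, privkey.pem becomes smtp.key) and the startup rule listed just above (keep existing files, otherwise generate a self-signed pair). The SMF_CA branch is left out because the thread does not define what that variable would contain. It assumes the openssl command-line tool is on PATH; the directory layout and the hostname mail.example.com are placeholders, and the "live" directory built in demo() is a constructed stand-in for /etc/letsencrypt/live/<domain>/.

```python
"""Certificate bootstrap for a Postfix-in-Docker forwarder (added example, not SMF code).

File names follow the thread: smtp.cert (full chain) and smtp.key (private key)
inside the directory mounted at /etc/postfix/cert. Assumes the openssl CLI.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args: str) -> bytes:
    """Run openssl and return stdout; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def cert_matches_key(cert: Path, key: Path) -> bool:
    """True if the leaf certificate's public key equals the private key's.

    Comparing the exported public keys works for RSA and EC alike and catches
    the common mistake of pairing fullchain.pem with the wrong privkey.pem.
    """
    try:
        from_cert = _openssl("x509", "-in", str(cert), "-noout", "-pubkey")
        from_key = _openssl("pkey", "-in", str(key), "-pubout")
    except subprocess.CalledProcessError:
        return False  # unreadable or not PEM: treat as a mismatch
    return from_cert.strip() == from_key.strip()


def install_letsencrypt_certs(live_dir: Path, cert_dir: Path) -> None:
    """Copy the letsencrypt live files into the volume SMF will mount.

    fullchain.pem (leaf plus intermediates) becomes smtp.cert so peers can
    build a path to a trusted root; privkey.pem becomes smtp.key, owner-only.
    """
    cert_dir.mkdir(parents=True, exist_ok=True)
    shutil.copyfile(live_dir / "fullchain.pem", cert_dir / "smtp.cert")
    shutil.copyfile(live_dir / "privkey.pem", cert_dir / "smtp.key")
    os.chmod(cert_dir / "smtp.key", 0o600)
    if not cert_matches_key(cert_dir / "smtp.cert", cert_dir / "smtp.key"):
        raise ValueError("fullchain.pem and privkey.pem do not belong together")


def prepare_smf_certs(cert_dir: Path, hostname: str) -> str:
    """Startup rule from the thread: keep mounted certs, otherwise self-sign.

    Returns "mounted" when existing files were kept and "self-signed" when a
    new pair was generated. A mounted pair that does not match is refused
    rather than silently replaced, so a bad mount is noticed at startup.
    """
    cert, key = cert_dir / "smtp.cert", cert_dir / "smtp.key"
    if cert.is_file() and key.is_file():
        if not cert_matches_key(cert, key):
            raise ValueError(f"{cert} does not match {key}; refusing to start")
        return "mounted"
    cert_dir.mkdir(parents=True, exist_ok=True)
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-subj", f"/CN={hostname}", "-keyout", str(key), "-out", str(cert))
    os.chmod(key, 0o600)
    return "self-signed"


def demo() -> dict:
    """Exercise both paths in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        first = prepare_smf_certs(tmp / "cert", "mail.example.com")
        before = (tmp / "cert" / "smtp.cert").read_bytes()
        second = prepare_smf_certs(tmp / "cert", "mail.example.com")
        kept = before == (tmp / "cert" / "smtp.cert").read_bytes()
        # Constructed stand-in for /etc/letsencrypt/live/<domain>/: self-signed
        # here, but the file names and the copy rules are the same.
        live = tmp / "live"
        prepare_smf_certs(live, "mail.example.com")
        (live / "smtp.cert").rename(live / "fullchain.pem")
        (live / "smtp.key").rename(live / "privkey.pem")
        install_letsencrypt_certs(live, tmp / "mounted")
        # Pair the installed chain with a key from a different pair: must fail.
        wrong = tmp / "wrong"
        prepare_smf_certs(wrong, "mail.example.com")
        mismatch = cert_matches_key(tmp / "mounted" / "smtp.cert", wrong / "smtp.key")
        mode = oct((tmp / "mounted" / "smtp.key").stat().st_mode & 0o777)
        return {"first": first, "second": second, "kept": kept,
                "mismatch": mismatch, "key_mode": mode}


if __name__ == "__main__":
    print(demo())
```

Skipping generation when files exist is what makes the volume mount work; the added check is the cert/key match, because a chain copied next to the wrong privkey.pem makes Postfix fail STARTTLS at the first connection rather than at startup.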
@nelfer great guide for a newbie of SSL configuration like me!
Could you please add the letsencrypt part of your article to the README? It really helps.
Also, I believe if we can embed this CA generation job inside SMF and do it for the user just by a port mapping, that will be awesome (keeping SMF really simple even for SSL support).
This issue should be fixed by #15, thanks @nelfer!
Thanks @nelfer / @zixia, I will give it a try in a couple of weeks (vacations :-) ).
After talking to some coworkers, they pointed me to a (maybe outdated) way to set up the request/renewal of the certificates at letsencrypt with docker: https://manas.tech/blog/2016/01/25/letsencrypt-certificate-auto-renewal-in-docker-powered-nginx-reverse-proxy.html
So we might have all the required pieces.
Thanks again!