Discourse/Jitsi, aqua network, and host's mail & LDAP servers

Hi all,

I installed nethserver-discourse on a LOCAL NethServer (titi.org) using Sparkpost as the mail server.
Absolutely everything is working flawlessly.

Instead of Sparkpost, I would like to use my main NethServer (toto.org), which is directly connected to the internet, as the mail server. The Discourse NethServer (titi.org) is on the LOCAL network of toto.org.

app.yml

...
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: 'forum.titi.org'
...
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: 'mail.toto.org'
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: 'toto'
  DISCOURSE_SMTP_PASSWORD: 'password-toto'
  DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
...

./discourse-doctor

...
==================== MAIL TEST ====================
For a robust test, get an address from http://www.mail-tester.com/
Or just send a test message to yourself.

Email address for mail test? ('n' to skip) [toto@toto.org]:
Sending mail to toto@toto.org. . .

Testing sending to toto@toto.org using mail.toto.org:587, username:toto with plain auth.
==================== YML SETTINGS ====================
DISCOURSE_HOSTNAME=forum.titi.org
SMTP_ADDRESS=mail.toto.org
DEVELOPER_EMAILS=toto@toto.org
SMTP_PASSWORD=toto-password
SMTP_PORT=587
SMTP_USER_NAME=toto
LETSENCRYPT_ACCOUNT_EMAIL=
==================== DOCKER INFO ====================
...

======================================== ERROR ========================================
                                    UNEXPECTED ERROR

503 5.5.1 Error: authentication not enabled


====================================== SOLUTION =======================================

I used the same mail setup with Mattermost before and it works correctly.

Questions:

  1. How can I solve “authentication not enabled”?

  2. Does “username:toto with plain auth.” above the =====YML SETTINGS===== line have a relation to the problem?

It looks like there is a missing Postfix setting on toto.org, but its mail server is working correctly; I have used it for a long time without any problem.

Any suggestion appreciated,

Michel-André

You may try SMTP_USER_NAME=toto@toto.org

Does Discourse use plain authentication by default, or does this need to be set explicitly?

nethserver-mail accepts LOGIN, PLAIN and (with AD) GSSAPI
(personally would not bother to use GSSAPI though)

Did you already find this?

Hi @mark_nl

Thank you very much for your answer.

I already checked that page and did the test suggested by:

Just a few more links on sending an email through telnet:

  1. Easy-to-follow tutorial on how to authenticate with SMTP server from telnet:
    How to Test SMTP AUTH using Telnet

According to this link:

# telnet smtp.toto.org 587
Trying 192.168.1.1...
Connected to smtp.toto.org.
Escape character is '^]'.
220 ns-1.toto.org ESMTP Postfix

EHLO forum.titi.org
250-ns-1.toto.org
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

auth login
503 5.5.1 Error: authentication not enabled

The thing I don’t understand:

# postconf | grep smtpd_sasl_auth_enable
smtpd_sasl_auth_enable = no

# postconf | grep smtp_sasl_auth_enable
smtp_sasl_auth_enable = yes

EDIT:

But in the master.cf:

# cat /etc/postfix/master.cf | grep smtpd_sasl_auth_enable
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_auth_enable=yes

I googled a lot and found nothing that resolves this “503 5.5.1 Error: authentication not enabled” :frowning:

EDIT:

Same problem.

Michel-André

Hi @dnutan

Thank you for your answer.

Very good. This link explains the error when trying to connect with telnet.

I tried with “DISCOURSE_SMTP_ENABLE_START_TLS: false” and rebuilt Discourse to see what discourse-doctor would give.
I changed "smtpd_tls_auth_only = yes" to “no” in /etc/postfix/main.cf, restarted Postfix and tried discourse-doctor again.

discourse-doctor

...
Mail accepted by SMTP server.
...

At least it is connecting, but the recipient doesn’t receive the mail.

I put back "smtpd_tls_auth_only = yes".

Michel-André
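As an added example (not code from the thread, Discourse or NethServer), the following Python script performs the port-587 test from the telnet session above in the order Postfix expects when smtpd_tls_auth_only = yes: EHLO, STARTTLS, EHLO again, and only then AUTH. The parser and the diagnosis run on the EHLO reply quoted above plus a constructed post-STARTTLS reply; probe() does the live exchange and assumes the HELO name forum.titi.org, the credentials you pass it, and a valid certificate on mail.toto.org.

```python
import smtplib
import ssl

# Constructed sample: the cleartext EHLO reply quoted in the thread (no AUTH line,
# because Postfix hides AUTH until STARTTLS when smtpd_tls_auth_only = yes).
EHLO_CLEARTEXT = """250-ns-1.toto.org
250-PIPELINING
250-SIZE 50000000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN""".splitlines()

# Constructed sample: the reply to the second EHLO, after STARTTLS. STARTTLS is no
# longer offered and AUTH appears; PLAIN and LOGIN are assumed mechanisms.
EHLO_AFTER_STARTTLS = EHLO_CLEARTEXT[:5] + ["250-AUTH PLAIN LOGIN"] + EHLO_CLEARTEXT[6:]


def parse_ehlo(lines):
    """Turn raw EHLO reply lines ('250-SIZE 50000000', '250 DSN', ...) into
    {KEYWORD: [parameters]}. The first 250 line is the server name, not a feature."""
    items = [l.strip()[4:].strip() for l in lines if l.strip().startswith("250")]
    features = {}
    for item in items[1:]:
        parts = item.split()
        features[parts[0].upper()] = parts[1:]
    return features


def diagnose(before_tls, after_tls=None):
    """Explain, from the advertised features, why AUTH did or did not work."""
    if "AUTH" in before_tls:
        return "AUTH offered in cleartext (smtpd_tls_auth_only = no): " + " ".join(before_tls["AUTH"])
    if "STARTTLS" not in before_tls:
        return "no STARTTLS and no AUTH: SASL is not enabled on this smtpd service"
    if after_tls is None:
        return ("AUTH not offered before STARTTLS (smtpd_tls_auth_only = yes): "
                "send STARTTLS, then EHLO again, then AUTH")
    if "AUTH" in after_tls:
        return "AUTH offered after STARTTLS only: " + " ".join(after_tls["AUTH"])
    return "no AUTH even after STARTTLS: smtpd_sasl_auth_enable is off for this service"


def probe(host, port=587, user=None, password=None, helo_name="forum.titi.org", timeout=10):
    """Live version of the telnet test. Returns (features before STARTTLS, features
    after STARTTLS or None) and authenticates only once AUTH is advertised.
    Needs network access; host, credentials and a valid certificate are assumptions."""
    context = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo(helo_name)
        before = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        after = None
        if "STARTTLS" in before:
            smtp.starttls(context=context)   # upgrades the socket and forgets the old EHLO
            smtp.ehlo(helo_name)             # the second EHLO is where AUTH shows up
            after = {k.upper(): v.split() for k, v in smtp.esmtp_features.items()}
        offered = after if after is not None else before
        if user and "AUTH" in offered:
            smtp.login(user, password)       # raises SMTPAuthenticationError on bad credentials
    return before, after


if __name__ == "__main__":
    before = parse_ehlo(EHLO_CLEARTEXT)
    print(diagnose(before))
    print(diagnose(before, parse_ehlo(EHLO_AFTER_STARTTLS)))
```

The telnet session in the thread sent `auth login` right after the first EHLO, where no AUTH keyword was advertised, so the 503 was the expected answer of a server with smtpd_tls_auth_only = yes rather than a sign that SASL was off. Discourse's own mailer does the STARTTLS step before authenticating, which is why the forum could send mail while the cleartext test could not.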

Hi all,

Unbelievable, I found a working solution but I don’t understand why it’s working in Discourse but not with discourse-doctor.

app.yml

(Same as before)

...
  ## TODO: The domain name this Discourse instance will respond to
  ## Required. Discourse will not work with a bare IP number.
  DISCOURSE_HOSTNAME: 'forum.titi.org'
...
  ## TODO: The SMTP mail server used to validate new accounts and send notifications
  # SMTP ADDRESS, username, and password are required
  # WARNING the char '#' in SMTP password can cause problems!
  DISCOURSE_SMTP_ADDRESS: 'mail.toto.org'
  DISCOURSE_SMTP_PORT: 587
  DISCOURSE_SMTP_USER_NAME: 'toto'
  DISCOURSE_SMTP_PASSWORD: 'password-toto'
  DISCOURSE_SMTP_ENABLE_START_TLS: true           # (optional, default true)
...

Discourse administration

Settings Required

Usually notification email should be no-reply@toto.org

Admin Emails Settings

Send Test Email → toto@toto.org received the test email.

Using TOR, if a new user signs in and gives his email address, he receives his notification email, clicks on the link in it, his account is created and he can log in.

Does someone have an explanation?

Michel-André

EDIT:

I created an email-alias “no-reply” for the user “toto” and now I can use “no-reply@toto.org” and it’s working with Discourse but still not with discourse-doctor.

In the email received, the field FROM: shows no-reply@toto.org

1 Like

Hi all and especially @mrmarkuz,

I created a user postier with Cockpit on the NethServer running Discourse.
I also created an alias noreply for portier.

After googling around about the aqua network, I saw Markus’ how-to at How to install nxfilter and pihole with docker.

I have done these procedures on the NethServer running Discourse.

MIRACLE, Discourse can send notifications using its own mail server.
No more need of a special mail server to send notifications.

The only problem is:

In a production environment you should leave this step and set firewall rules.

QUESTION:

How can I set those required firewall rules (only to communicate with the host mail server)?

All suggestions will be greatly appreciated,

Michel-André

You can define firewall rules in the dockrules db, to let the aqua network connect to the local mail ports, for example:

db dockrules set allowMailserver aqua TCPPorts 25,587 status enabled
signal-event firewall-adjust

See also the documentation.

2 Likes

Hi @mrmarkuz,

Absolutely wonderful, your suggestion works like a charm.

I’ll add another star to your name on my List of the Greatest.

I will start over to make sure everything is working properly.

Once again, thank you a thousand times for your great support,

Michel-André

EDIT:
I’m intrigued, where did you get the name of the parameter allowMailserver?
I found it at: https://github.com/NethServer/nethserver-docker: it’s a “customName”.

1 Like

Hi @mrmarkuz,

I confirm that after an installation from scratch and using Discourse’s NethServer mail server for notifications and for email for confirmation of an invitation, everything works perfectly.

Michel-André

3 Likes

Hi @mrmarkuz and @stephdl,

I am rereading my documentation to correct any errors that may have crept in.

For the db dockrules file (/var/lib/nethserver/db/dockrules), I notice the warning:

# DO NOT MODIFY THIS FILE.
# This file is automatically maintained by NethServer
# software configuration. Manually editing this file may put your
# system in an unknown state.
#

Could a future update of nethserver-discourse remove the rule I added or is it just a warning to be very careful with any additions of a dockrule?

Just to make sure,

Michel-André

It’s just a warning to not edit the files directly. A future update won’t remove a rule from the db.

1 Like

Hi @mrmarkuz and all,

NethServer-201, Cahier-10: Forum Discourse

The version: 0.0.1 is on the web.

Michel-André

2 Likes

Hi @mrmarkuz,

Previously, following your advice, I configured the Discourse “app” container to be able to talk to the host mail server through the “aqua” network using “dockrules”.

I finished installing Jitsi Meet using nethserver-docker.
It can use my main NethServer LDAP for authentication; it worked perfectly.

I would like to do the same scenario for Jitsi Meet as I did for Discourse i.e. enable container Prosody to talk to the LDAP server on the host through the aqua network.

How I did it:

  • Open port 636 with Cockpit
  • Create custom-template: /etc/e-smith/templates-custom/etc/shorewall/policy/35aqua
  • Create the dockrules to open the port 636 on the aqua network
  • Using Portainer, I connected aqua to prosody.
  • Rebuild with docker-compose up -d

There should be another way to do that without the use of Portainer, something like:

  • Using the parameter networks: in the prosody “section” of the docker-compose.yml file. Something like:

      networks:
          meet.jitsi:
              aliases:
                  - ${XMPP_SERVER}
          # Here to add the aqua network
          aqua:
    

I saw somewhere how the aqua network was defined, but I can’t find it again :frowning:

QUESTION

  1. What is the best and secure way to do that with Jitsi Meet?

  2. Is there a command to activate the aqua network?

Thank you,

Michel-André

Hi @mrmarkuz and all,

What I found so far.

For security reasons, there is definitely no need for a custom template for the fragment
/etc/e-smith/templates/etc/shorewall/policy/35aqua

Dockrules

[root@titi ~] # db dockrules set allowLDAPserver aqua TCPPorts 636 status enabled

[root@titi ~] # signal-event firewall-adjust

[root@titi ~] # cat /var/lib/nethserver/db/dockrules

# DO NOT MODIFY THIS FILE.
# This file is automatically maintained by NethServer
# configuration software.  Manually editing this file may put your
# system in an unknown state.
#
# updated: Sun Aug  8 16:08:35 2021
allowLDAPserver=aqua|TCPPorts|636|status|enabled
#

Command: docker network connect

Usage

docker network connect [OPTIONS] NETWORK CONTAINER

What is the name of the Prosody container?

[root@titi ~] # docker ps -a | egrep 'prosody|CONTAINER'

CONTAINER ID   IMAGE                       COMMAND                  CREATED        STATUS                   PORTS                                                                                      NAMES
5677b3e48e8e   jitsi/prosody:stable-5870   "/init"                  30 hours ago   Up 2 hours               5222/tcp, 5280/tcp, 5347/tcp                                                               jitsi_prosody_1

We connect the aqua network to the Prosody container.

[root@titi ~] # docker network connect aqua jitsi_prosody_1

[root@titi ~] # docker network inspect aqua

[
    {
        "Name": "aqua",
        "Id": "a4bedcaf014694ba14109a12e14c2dfeb4e88067c3e2a856cbba9a7c1c6ef620",
        "Created": "2021-08-05T21:46:05.197765242-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.28.0.0/16",
                    "Gateway": "172.28.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "5677b3e48e8ee8755bf4c8356c5bee09e70026b08eacfc75e88772eaab9186a4": {
                "Name": "jitsi_prosody_1",
                "EndpointID": "66a8ea9c9038b4acbb1736281ccbdadf12e857e5a02a9f4f4c8cfee89cf5565f",
                "MacAddress": "02:42:ac:1c:00:02",
                "IPv4Address": "172.28.0.2/16",
                "IPv6Address": ""
            }
        },
        "Options": {
            "com.docker.network.bridge.name": "aqua0"
        },
        "Labels": {}
    }
]

Search from the console of the host server

[root@titi ~] # ldapsearch -x -H ldaps://jitsi.toto-dev.org -D cn=ldapservice,dc=directory,dc=nh -w "0123456789abcdef" -b dc=directory,dc=nh  |  grep "testeur-jitsi"

# testeur-jitsi, People, directory.nh
dn: uid=testeur-jitsi,ou=People,dc=directory,dc=nh
uid: testeur-jitsi
homeDirectory: /var/lib/nethserver/home/testeur-jitsi
sn: testeur-jitsi
mail: testeur-jitsi@jitsi.toto-dev.org

Search from inside the Prosody container

We enter the Prosody container.

[root@titi ~] # docker exec -it jitsi_prosody_1 /bin/bash

root@5677b3e48e8e:/# apt update

root@5677b3e48e8e:/# apt install -y ldap-utils

We launch a request to find the user “testeur-jitsi” in the LDAP of the host server.

root@5677b3e48e8e:/# ldapsearch -x -H ldaps://jitsi.toto-dev.org -D cn=ldapservice,dc=directory,dc=nh -w "0123456789abcdef" -b dc=directory,dc=nh  |  grep "testeur-jitsi"

# testeur-jitsi, People, directory.nh
dn: uid=testeur-jitsi,ou=People,dc=directory,dc=nh
uid: testeur-jitsi
homeDirectory: /var/lib/nethserver/home/testeur-jitsi
sn: testeur-jitsi
mail: testeur-jitsi@jitsi.toto-dev.org
root@5677b3e48e8e:/#

root@5677b3e48e8e:/# exit

TESTED: Rebuilding containers, updating Docker, updating or upgrading Jitsi Meet, restarting Docker or NethServer.

EDIT:
Anything that involves rebuilding the Prosody container such as:

  • modification of a configuration file,
  • an update of Jitsi Meet,
  • and especially an upgrade of Jitsi Meet

breaks the connection of the aqua network to the Prosody container.

Then, you have to redo the connection with:

docker network connect aqua jitsi_prosody_1

Michel-André

2 Likes
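As an added example (not from the thread, Docker or nethserver-docker), this Python script re-attaches a container to a network only when the attachment is missing, so it can be run after every docker-compose up -d, or from cron, without issuing duplicate connects. It parses the same docker network inspect JSON shown above; the sample JSON is constructed from that output, and the defaults are the thread's names (aqua, jitsi_prosody_1).

```python
import json
import subprocess

# Constructed sample, trimmed from the `docker network inspect aqua` output in the
# thread: a list holding one network object, containers keyed by their full IDs.
SAMPLE_INSPECT = json.dumps([{
    "Name": "aqua",
    "Driver": "bridge",
    "Containers": {
        "5677b3e48e8ee8755bf4c8356c5bee09e70026b08eacfc75e88772eaab9186a4": {
            "Name": "jitsi_prosody_1",
            "IPv4Address": "172.28.0.2/16",
        }
    },
}])


def attached_containers(inspect_json):
    """Names of the containers attached to the network described by
    `docker network inspect` JSON (a list holding one network object)."""
    networks = json.loads(inspect_json)
    if not networks:
        raise ValueError("network not found")
    return sorted(c["Name"] for c in networks[0].get("Containers", {}).values())


def is_attached(inspect_json, container):
    return container in attached_containers(inspect_json)


def inspect_network(network):
    """Run `docker network inspect NETWORK` and return its JSON text."""
    result = subprocess.run(["docker", "network", "inspect", network],
                            check=True, capture_output=True, text=True)
    return result.stdout


def connect_network(network, container):
    """Run `docker network connect NETWORK CONTAINER`, the command from the thread."""
    subprocess.run(["docker", "network", "connect", network, container], check=True)


def ensure_attached(network, container, inspect=inspect_network, connect=connect_network):
    """Connect `container` to `network` unless it already is. Returns True when a
    connect was issued. inspect/connect are injectable so the logic can be tested
    without a Docker daemon."""
    if is_attached(inspect(network), container):
        return False
    connect(network, container)
    return True


if __name__ == "__main__":
    import sys
    network = sys.argv[1] if len(sys.argv) > 1 else "aqua"
    container = sys.argv[2] if len(sys.argv) > 2 else "jitsi_prosody_1"
    action = "connected" if ensure_attached(network, container) else "already attached"
    print(f"{container} -> {network}: {action}")
```

Only the network attachment is lost when the container is rebuilt; the dockrules entry (allowLDAPserver) lives in the NethServer db and survives, so nothing else needs to be redone. Declaring aqua as an external network at the top level of docker-compose.yml and listing it under prosody's networks is the other way to make the attachment persistent, since docker-compose then re-creates it itself on every up.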