Need assistance with setting up generic email accounts

Hi Team,

Not sure who to direct this one too…maybe @support_team or @webtop_team can look at my questions and provide some direction.

I’ve installed Webtop 5 and I’m testing out how I can use use email from nethserver to replace our ClearOS server (Zarafa). Here is what I have on our current mail server:

We use two generic accounts (accounting@mydomain.com and info@mydomain.com). Both these accounts are manned by people (bookkeeper and secretary respectively) and both these accounts have delegates assigned to them so both our company owners have access to these mail accounts (as well as their own).
Currently we don’t use the same domain login for our computers as our email accounts. So it was easy in ClearOS to setup an accounting@mydomain.com and info@mydomain.com and give them access to mail. Now I want to add into the mix the ability for these generic accounts to exist and to give our employees domain accounts for login.

  1. Our bookkeeper will be given a domain account to login to their computer…but our bookkeeper will never need their own personal email account as all their mail goes through accounting@mydomain.com. How do I setup a personal domain login account and give them only this accounting@mydomain.com account for their mail?
  2. Similar for our secretary. I will be giving her a domain login account but she will never need to have her own personal email account. All her mail correspondence goes through info@mydomain.com. Similar question…how do I setup a personal domain login account for our secretary, remove her personal email account and make the info@mydomain.com her only email account?

Let’s give an example of what I’m doing. Let’s say our secretary is named Mary Jane. She looks after our info@mydomain.com email account.
Do I create two user accounts in nethserver?:

Hopefully I’ve given enough detail to you all. Thank you in advance for any direction you can provide me.

More questions for @support_team and perhaps @webtop_team.

I’ve installed Email and WebTop 5. When I open WebTop and login with a user that has email enabled…I get an error:

Mail Account Authentication Error

What could be causing this? Are there logs to help me determine why I get this error?

Thank you.

Hi Charles,
the problem may be related to the bounds of dovecot user and IP connections.

You can check the IMAP connections for each user with this command: doveadm who
Verify in /var/log/imap if you find a message like this:

Xxxxxx dovecot: imap-login: Maximum number of connections from user + IP exceeded (mail_max_userip_connections = 12): user = <mail@domain.com>, method = PLAIN, rip = 127.0.0.1, lip = 127.0.0.1, secured, Session =<zz/8iz1M1AB/AAAB>

In this case, you can solve this by increasing this limit (default = 12) with these two commands:

config setprop dovecot MaxUserConnectionsPerIp 20
signal-event nethserver-mail-server-update

It seems that WebTop 5 uses an excessive number of IMAP connections per user, especially when sharing entire accounts.

I’m investigating the real motive :unamused:

1 Like

Hello @lucag,

Very much appreciate your assistance.

I’ve issued the doveadm who command but all that showed up was the following. Did I issue this command correctly?
username # proto (pids) (ips)

I then checked my /var/log/imap and repeatedly found this error:
nethserver dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
nethserver dovecot: imap-login: Fatal: Can’t load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line

My Cert loaded correctly with no errors and when I access my nethserver or Nextcloud apps I can do so using my fqdn and my connection is secure - https. What do I need to do in order to have Webtop accept my nethserver certificate?

Thank you.

Ok @support_team or @webtop_team team…I’m not giving up yet on this problem. My ‘Fatal: Can’t load ssl_cert’ error has happened to others on the Internet. I found this post and it seems to be related to dovecot.

This post gives some direction for us: email stopped working after ssl install | Howtoforge - Linux Howtos and Tutorials

dovecot: imap-login: Fatal: Can’t load ssl_cert
You should check your config.
dovecot:
Code:
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
ssl_ca = </etc/ssl/startssl/ca-bundle.crt
ssl_client_ca_file = /etc/ssl/ca-bundle.crt
ssl=yes

But…where is this config file located on nethserver? I did find /etc/dovecot/dovecot.conf but when I searched through this config file I don’t see my ssl certs I uploaded listed? Is this the right config file location?

Hopefully this added detail helps leads us to a solution.

You’re right, your problem is not related to WebTop.

If you used the web interface to upload the certificate, dovecot is automatically configured.
I suspect you have some issues with your certificate (this could explain also the problems with ejabberd/nextcloud).

You can verify the validity of your certificate using these commands:

  • IMAPS: openssl s_client -connect nethservice.nethesis.it:993
  • HTTPS: `openssl s_client -connect nethservice.nethesis.it:443`` (or you can inspect the certificate using a web browser)

Hello @giacomo, I’m still investigating my ssl cert issue. I’m re-adding my ssl cert and on my Webtop page I can see my connection is secure. But I’m now seeing this error in Webtop:

You’re trying to decode an invalid JSON String: { data:[{id:‘INBOX’,text:‘Inbox’,folder:‘Inbox’,leaf:true,iconCls: ‘wtmail-icon-inbox-folder-xs’,unread:0,hasUnread:false,group: ‘’,isInbox: true, scanOn: true},{id:‘Junk’,text:‘Spam’,folder:‘Spam’,leaf:true,iconCls: ‘wtmail-icon-spam-folder-xs’,unread:0,hasUnread:false,group: ‘’,isSpam: true},{“message”:null,“success”:false}

Any idea what would be causing this. Perhaps @webtop_team has seen this as well?

Thank you.

Major breakthrough on all my Webtop issues and ssl problems!

I’d like input from anyone who could tell me if this is by design or a bug - @giacomo, @dev_team , @webtop_team

I’ve found a problem with how Nethserver is importing in my ssl certs specifically with the name of my chain file.

When I import my chain file I can see that it gets put into the /etc/pki/tls/certs/ folder as a .crt file. I’ve been digging through posts here on Nethserver and noticed that @filippo_carletti had a chain file with a .pem at the end. I definetely had the wrong extension on my chain file so I took a long shot chance and renamed my chain file from .crt to .pem. I then re-issued the cert update ‘signal-event certificate-update’ and tried accessing my Webtop. My https is seen as secure and my Webtop now works!

I then called up my friend who experienced the exact same problem as I did. Before applying his ssl cert his webtop was working great. As soon as he applied his ssl cert his Webtop broke. I gave me the instructions that worked for me and he confirmed that renaming the chain file from .crt to .pem solved his problem. His Webtop works once again.

Giacomo, if you need access to my server again to look at anything to help you figure out why this change would fix my issue please let me know in private message.

I haven’t checked to see if this fixes my Ejabberd error yet with my Bosh server…I’ll be checking that next.

Thanks!

3 Likes

Thank you for your feedback Charles!

Do you think we should add a note the manual about certificate file format (pem)?

1 Like

Hi @giacomo,

Are you saying that my chain file needs to have an extension of .pem before I select it from Nethserver? It doesn’t appear to be a problem with uploading a file with the wrong extension. This appears to be a bug in Nethserver in how you upload the chain file. I renamed my chain file to have a .pem as an extension and it still gets placed into the /etc/pki/tls/certs/ folder as a .crt file. If I rename that to .pem all works fine again.

Unless I’m using the wrong extension on my chain file when I select it from the Server Certificate GUI of Nethserver please let me know and I will retest again.

Thank you.

Thank for you clarification, I didn’t correctly understand what was the problem.
I will try to reproduce and let you know!

1 Like

Let me know what I can do to help you @giacomo. Appreciate you looking into this.

Thanks!

Hello @giacomo, more information for you to look at perhaps.

What is the chainfile in /etc/httpd/admin-conf/httpd.conf used for? I see a reference to chain file but i’s not using the one I have listed in my /etc/pki/tls/certs/ folder that I renamed.

It seems that there are multiple locations for ssl cert in Nethserver depending upon what’s installed?
Where is the ssl cert installed when we add our own for the Nethsever Dashboard?
Where is the ssl cert installed when we add Webtop 5 mail?
Where is teh ssl cert installed when we add Nextcloud?

Thank you!

Everything is always saved inside /etc/pki.
Sorry but I don’t have enough time to check the bug right now, I will report as soon as my todo-list will be a little bit shorter :wink:

See https://github.com/NethServer/nethserver-base/blob/master/root/etc/e-smith/events/actions/nethserver-certificate-upload

Thanks @giacomo for the update. Hopefully yourself or someone else can get this checked and/or fixed soon in nethserver as it’s pretty critical to being able to use an ssl cert and get it working (at lesat for myself and my friend).

For now I can get mine working using my manual fix…hopefully this thread can help others if they have a similar issue.

Thank you.

Is it solved then? Please mark as solved. :wink:

I did a few tests but I can’t reproduce the misbehavior.

I downloaded a valid certificate from another machine and uploaded it to my server:

  • chain file: chain.pem
  • certificate: cert.pem
  • key: privkey.pem
  • name: service

After the upload, I checked the generated uploaded files:

config show pki
....
    ChainFile=/etc/pki/tls/certs/service-chain.crt
    CrtFile=/etc/pki/tls/certs/service.crt
    KeyFile=/etc/pki/tls/private/service.key
....

I don’t see anything wrong: dovecot and httpd are working well.
The chain file is copied under the “certs” dir but it doesn’t have any side effect.

1 Like

Hi @giacomo,

Thanks for looking into this. I’ll level set with you because I can’t say I have the answer here either. All I know is myself and my friend both added our wildcard certs to our own nethservers and both times webtop became broken. I know you remoted into my server and looked around and confirmed that it was certificate problem. So I did some research on the nethserver forums and found this post by Filoppo Carletti where
his SSLCertificateChainFile in /etc/pki/tls/certs/ had an extension of .pem (not .crt)

So I took a chance and renamed my chain file from .crt to .pem and immediately my webtop started to work again. I then had my friend make the same change and sure enough his webtop suddenly started to work again.

I don’t know why it worked or what’s different about our chain files and the one you are using (where .crt works for you).

Sorry I can’t give you more information.

1 Like