Not sure who to direct this one to…maybe @support_team or @webtop_team can look at my questions and provide some direction.
I’ve installed Webtop 5 and I’m testing out how I can use email from nethserver to replace our ClearOS server (Zarafa). Here is what I have on our current mail server:
We use two generic accounts (accounting@mydomain.com and info@mydomain.com). Both these accounts are manned by people (bookkeeper and secretary respectively) and both these accounts have delegates assigned to them so both our company owners have access to these mail accounts (as well as their own).
Currently we don’t use the same domain login for our computers as our email accounts. So it was easy in ClearOS to set up an accounting@mydomain.com and info@mydomain.com and give them access to mail. Now I want to add into the mix the ability for these generic accounts to exist and to give our employees domain accounts for login.
Our bookkeeper will be given a domain account to login to their computer…but our bookkeeper will never need their own personal email account as all their mail goes through accounting@mydomain.com. How do I set up a personal domain login account and give them only this accounting@mydomain.com account for their mail?
Similar for our secretary. I will be giving her a domain login account but she will never need to have her own personal email account. All her mail correspondence goes through info@mydomain.com. Similar question…how do I set up a personal domain login account for our secretary, remove her personal email account and make the info@mydomain.com her only email account?
Let’s give an example of what I’m doing. Let’s say our secretary is named Mary Jane. She looks after our info@mydomain.com email account.
Do I create two user accounts in nethserver?:
info@mydomain.com
Mary really doesn’t need to have her own email account (mary.jane@mydomain.com) as she will never send or receive email from that account. How do I make the info@mydomain.com email account attached or owned to Mary’s domain account?
Hopefully I’ve given enough detail to you all. Thank you in advance for any direction you can provide me.
Hi Charles,
the problem may be related to the bounds of dovecot user and IP connections.
You can check the IMAP connections for each user with this command: doveadm who
Verify in /var/log/imap if you find a message like this:
Xxxxxx dovecot: imap-login: Maximum number of connections from user + IP exceeded (mail_max_userip_connections = 12): user = <mail@domain.com>, method = PLAIN, rip = 127.0.0.1, lip = 127.0.0.1, secured, Session =<zz/8iz1M1AB/AAAB>
In this case, you can solve this by increasing this limit (default = 12) with these two commands:
I’ve issued the doveadm who command but all that showed up was the following. Did I issue this command correctly?
username # proto (pids) (ips)
I then checked my /var/log/imap and repeatedly found this error:
nethserver dovecot: imap-login: Error: SSL: Stacked error: error:0608308E:digital envelope routines:EVP_PKEY_get1_EC_KEY:expecting a ec key
nethserver dovecot: imap-login: Fatal: Can’t load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line
My Cert loaded correctly with no errors and when I access my nethserver or Nextcloud apps I can do so using my fqdn and my connection is secure - https. What do I need to do in order to have Webtop accept my nethserver certificate?
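An added example, not part of the original thread: a structural check for the kind of PEM damage behind errors like PEM_read_bio:bad end line, for instance a certificate and chain file joined without a newline between them. The thread does not establish that this was the cause here; check_pem and sample_block are hypothetical names, and the sample payload is constructed, not a real certificate.

```python
import base64
import re

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")
RESYNC = object()  # state after a damaged boundary, until the next good one


def check_pem(text):
    """Return [(line_number, problem)] for structural defects in PEM text."""
    problems, state, body = [], None, []
    lines = text.splitlines()
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip()
        if "-----" not in line:
            body.append(line.strip())
            continue
        match = BOUNDARY.fullmatch(line)
        if match is None:
            # A boundary that shares its line with other text, e.g. two
            # files concatenated when the first had no trailing newline.
            problems.append((number, "malformed boundary line"))
            state = RESYNC
            continue
        kind, label = match.groups()
        if kind == "BEGIN":
            if isinstance(state, str):
                problems.append((number, "previous block has no END line"))
            state, body = label, []
            continue
        if state is not RESYNC and state != label:
            problems.append((number, "END label does not match BEGIN"))
        elif state == label:
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:
                problems.append((number, "body is not valid base64"))
        state = None
    if isinstance(state, str):
        problems.append((len(lines), "file ends inside a block"))
    return problems


def sample_block(label="CERTIFICATE"):
    """Constructed PEM-shaped block; the payload is NOT a real certificate."""
    data = base64.b64encode(b"constructed sample payload " * 4).decode()
    rows = [data[i:i + 64] for i in range(0, len(data), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])
```

Run check_pem over the text of the certificate and chain files; an empty list means the boundaries and base64 bodies are well formed, which says nothing about whether the certificate itself is valid or matches the key.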
Ok @support_team or @webtop_team team…I’m not giving up yet on this problem. My ‘Fatal: Can’t load ssl_cert’ error has happened to others on the Internet. I found this post and it seems to be related to dovecot.
dovecot: imap-login: Fatal: Can’t load ssl_cert
You should check your config.
dovecot:
Code:
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
ssl_protocols = !SSLv2 !SSLv3
ssl_ca = </etc/ssl/startssl/ca-bundle.crt
ssl_client_ca_file = /etc/ssl/ca-bundle.crt
ssl=yes
But…where is this config file located on nethserver? I did find /etc/dovecot/dovecot.conf but when I searched through this config file I don’t see my ssl certs I uploaded listed? Is this the right config file location?
Hopefully this added detail helps lead us to a solution.
You’re right, your problem is not related to WebTop.
If you used the web interface to upload the certificate, dovecot is automatically configured.
I suspect you have some issues with your certificate (this could explain also the problems with ejabberd/nextcloud).
You can verify the validity of your certificate using these commands:
Hello @giacomo, I’m still investigating my ssl cert issue. I’m re-adding my ssl cert and on my Webtop page I can see my connection is secure. But I’m now seeing this error in Webtop:
You’re trying to decode an invalid JSON String: { data:[{id:‘INBOX’,text:‘Inbox’,folder:‘Inbox’,leaf:true,iconCls: ‘wtmail-icon-inbox-folder-xs’,unread:0,hasUnread:false,group: ‘’,isInbox: true, scanOn: true},{id:‘Junk’,text:‘Spam’,folder:‘Spam’,leaf:true,iconCls: ‘wtmail-icon-spam-folder-xs’,unread:0,hasUnread:false,group: ‘’,isSpam: true},{“message”:null,“success”:false}
Any idea what would be causing this? Perhaps @webtop_team has seen this as well?
I’ve found a problem with how Nethserver is importing in my ssl certs specifically with the name of my chain file.
When I import my chain file I can see that it gets put into the /etc/pki/tls/certs/ folder as a .crt file. I’ve been digging through posts here on Nethserver and noticed that @filippo_carletti had a chain file with a .pem at the end. I definitely had the wrong extension on my chain file so I took a long shot chance and renamed my chain file from .crt to .pem. I then re-issued the cert update ‘signal-event certificate-update’ and tried accessing my Webtop. My https is seen as secure and my Webtop now works!
I then called up my friend who experienced the exact same problem as I did. Before applying his ssl cert his webtop was working great. As soon as he applied his ssl cert his Webtop broke. I gave him the instructions that worked for me and he confirmed that renaming the chain file from .crt to .pem solved his problem. His Webtop works once again.
Giacomo, if you need access to my server again to look at anything to help you figure out why this change would fix my issue please let me know in private message.
I haven’t checked to see if this fixes my Ejabberd error yet with my Bosh server…I’ll be checking that next.
Are you saying that my chain file needs to have an extension of .pem before I select it from Nethserver? It doesn’t appear to be a problem with uploading a file with the wrong extension. This appears to be a bug in Nethserver in how you upload the chain file. I renamed my chain file to have a .pem as an extension and it still gets placed into the /etc/pki/tls/certs/ folder as a .crt file. If I rename that to .pem all works fine again.
Unless I’m using the wrong extension on my chain file when I select it from the Server Certificate GUI of Nethserver please let me know and I will retest again.
Hello @giacomo, more information for you to look at perhaps.
What is the chainfile in /etc/httpd/admin-conf/httpd.conf used for? I see a reference to chain file but it’s not using the one I have listed in my /etc/pki/tls/certs/ folder that I renamed.
It seems that there are multiple locations for ssl cert in Nethserver depending upon what’s installed?
Where is the ssl cert installed when we add our own for the Nethserver Dashboard?
Where is the ssl cert installed when we add Webtop 5 mail?
Where is the ssl cert installed when we add Nextcloud?
Everything is always saved inside /etc/pki.
Sorry but I don’t have enough time to check the bug right now, I will report as soon as my to-do list is a little bit shorter.
Thanks @giacomo for the update. Hopefully yourself or someone else can get this checked and/or fixed soon in nethserver as it’s pretty critical to being able to use an ssl cert and get it working (at least for myself and my friend).
For now I can get mine working using my manual fix…hopefully this thread can help others if they have a similar issue.
Thanks for looking into this. I’ll level set with you because I can’t say I have the answer here either. All I know is myself and my friend both added our wildcard certs to our own nethservers and both times webtop became broken. I know you remoted into my server and looked around and confirmed that it was a certificate problem. So I did some research on the nethserver forums and found this post by Filippo Carletti where
his SSLCertificateChainFile in /etc/pki/tls/certs/ had an extension of .pem (not .crt)
So I took a chance and renamed my chain file from .crt to .pem and immediately my webtop started to work again. I then had my friend make the same change and sure enough his webtop suddenly started to work again.
I don’t know why it worked or what’s different about our chain files and the one you are using (where .crt works for you).