NS8 Mail Relay for outdated software that glitches with TLS

NethServer Version: NS8
Module: Mail
Just a quick question. I have an outdated system that doesn’t play nice with the TLS of the NS8 mail system. I tried adding a custom mynetworks with the following:

    podman exec -ti postfix vi /etc/postfix/main.cf.d/myoverride.cf
    systemctl --user reload postfix

and added in a mynetworks address

Then I did

    systemctl --user status postfix dovecot

but the NS8 server is still causing an authentication error. Setting the mail server to an old NS7 server I have running, using the Allow relay from IP addresses (one per line) in the Relay option, works. No error is created. Is the mynetworks overridden, or have I made a very basic mistake?

You correctly applied the customization procedure documented by the module readme; however, for the mynetworks parameter special care is needed because it is controlled by a SQLite table. It is planned to control that table from the UI. For today:

  1. remove the mynetworks override from your custom config file

  2. Insert a record in the table with the following command (replace mail1 with your module ID and your network in CIDR notation):

    runagent -m mail1 podman exec postfix sqlite3 /srv/pcdb.sqlite "INSERT INTO mynetworks (network) VALUES('192.168.1.0/24');"
    

I hope the command syntax is correct, I can’t test it now. You can also insert a single IP.

As an alternative, Postfix provides some parameters that select the TLS cipher suite: you’d find how to configure them for your old clients on the Internet.


I must add a warning in the readme, to say that before changing any parameter it is wise to check its current value with postconf -n.

Thanks Davide,

I’m glad the relay address option is getting added to the web UI. I will try the command tomorrow when back at work. Have a great night.

An update on this. If you are using NethSecurity and forward email port 25 to your NethServer 8 cloud instance, using the above allows remote attackers to send spam. I locked down to a local single IP, but still got remote IPs able to send email by port 25 (using a bogus email but with my domain), so had to remove the above. Obviously an issue with some rules in Postfix.

Until fixed I don’t recommend using non-secure applications with NS8.

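An added example, not part of the thread or of NethServer's code: with Postfix's permit_mynetworks, hosts inside a mynetworks entry are trusted without authenticating, so after inserting a record it is worth listing which clients actually queued mail on that trust alone. The Python below assumes the standard Postfix smtpd `client=` log format; the log lines, addresses and the expected-host set are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): rows as they would be stored
# in the mynetworks table, and the one legacy host that is meant to relay.
MYNETWORKS = ["192.168.1.0/24"]
EXPECTED_CLIENTS = {"192.168.1.50"}

# Constructed Postfix smtpd log lines in the standard "client=" format.
SAMPLE_LOG = """\
Jan 10 09:00:01 mail postfix/smtpd[211]: 4A1B2C: client=legacy[192.168.1.50]
Jan 10 09:00:07 mail postfix/smtpd[212]: 4A1B2D: client=pc7[192.168.1.77], sasl_method=PLAIN, sasl_username=anna
Jan 10 09:01:13 mail postfix/smtpd[213]: 4A1B2E: client=unknown[192.168.1.1]
Jan 10 09:02:40 mail postfix/smtpd[214]: 4A1B2F: client=unknown[203.0.113.9]
"""

# queue id, client IP (v4 or v6), and the rest of the line (SASL fields, if any)
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (\w+): client=\S*\[([0-9a-fA-F.:]+)\](.*)"
)


def trusted_unauthenticated(log_text, mynetworks, expected):
    """Return (queue_id, ip, is_expected) for every message queued without
    SASL authentication from an address inside one of the mynetworks entries."""
    # strict=False also accepts a single IP or a CIDR with host bits set
    nets = [ipaddress.ip_network(n, strict=False) for n in mynetworks]
    hits = []
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue
        queue_id, ip_text, rest = m.groups()
        if "sasl_username=" in rest:
            continue  # authenticated session, does not depend on mynetworks
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in nets):
            hits.append((queue_id, ip_text, ip_text in expected))
    return hits


if __name__ == "__main__":
    for qid, ip, ok in trusted_unauthenticated(SAMPLE_LOG, MYNETWORKS, EXPECTED_CLIENTS):
        print(f"{qid} {ip} {'expected' if ok else 'UNEXPECTED trusted client'}")
```

Any row flagged as unexpected is a host other than the legacy system that is being accepted on address alone, which is the condition to rule out before leaving the mynetworks record in place.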