Piler mail archive

OK, we use a MySQL/MariaDB 5.5; indeed I could use them. I am more concerned by port 25: we have a workable email server solution and obviously we use it. I am playing a bit with pilerimport, but I read your concern about it, and I think it doesn't work well with my TLS policy, or I need to play a bit with it. However, for the sake of testing I used it without encryption, and it is nice to see the email archived.

Just as nethserver (and many more projects) tries to monetize the product, the same is true for piler.
It comes in two flavors: an open source and a commercial edition.

The two sites are connected; however, a link to the commercial edition's site alone doesn't produce revenue. I regard its purpose as raising awareness. I hope it's still OK.

Try using the 127.0.0.1:2525:25 port scheme for piler's mail server.

I know that "free software" is not clear enough in English; the French are better for that:

Programme libre != Programme gratuit

We have two different and clear statements on it.

I am a full advocate of sustainable development; I have no problem with how a project raises some income.

Well, I tested something:

Install piler docker on aqua with docker-compose
BCC all email we receive to archive@archive.yourdomain.com
create an esmith host prop to point archive.yourdomain.com to aqua's internal IP, here 172.0.0.4
create an HTTPS reverse proxy to 172.0.0.4 for piler.example.com

I can see the emails listed in the piler dashboard, whether sent by our postfix or manually imported by pilerimport.

However, I cannot retrieve them with the search function; it seems that the indexer has no errors.

To be continued

Good idea. It seems it's used in many projects; see Peertube for instance.
For nethserver-docker we could download the latest docker-compose with the update event when a status property is enabled, like we do with portainer.
In our dev projects we could point to a specific bundled docker-compose version if needed.

I also did some research deploying piler inside docker on nethserver. I created two DNS entries:
neth.acts.hu is for nethserver itself, and neth-archive.acts.hu is a dedicated vhost for the piler GUI.

docker run -d \
  --name piler \
  -e MYSQL_ROOT_PASSWORD=xxxxxx \
  -e MYSQL_PILER_PASSWORD=abcde123 \
  -e MYSQL_HOSTNAME=neth.acts.hu \
  -e PILER_HOSTNAME=neth-archive.acts.hu \
  -p 127.0.0.1:2525:25 \
  -p 127.0.0.1:8080:80 \
  -v etc-piler:/etc/piler \
  -v var-piler:/var/piler \
  sutoj/piler:1.3.10

It works almost just fine, but I've got one final issue. I've decided to use a local LDAP to provide user accounts both for email and for piler. The idea is to let the piler GUI authenticate users against the common LDAP database. However, it seems that e.g. ldapsearch authenticates fine when it connects to 127.0.0.1:389, but it fails when you connect to the host IP, e.g. 10.1.2.3:389. Unfortunately you can't connect to 127.0.0.1:389 from inside the docker container.

A not-so-elegant workaround might be to authenticate against the IMAP server, but in that case you can't have multiple email aliases or mailing/distribution list memberships assigned to the users. At least not easily.

Can you suggest how to make LDAP authentication from a docker container possible?

Btw, I'm curious whether you have any stats on what percentage of nethserver deployments use local LDAP vs. remote LDAP or AD?

Well… Piler should rely on SSSD, which can be connected to local LDAP, remote LDAP, AD.

You may add the needed container to the aqua network and set up a firewall rule to reach the host LDAP server; see the Nethserver Docker documentation.

@giacomo, could you share with us the percentage of LDAP vs. AD account providers, and even remote vs. local if you have it?

If you look at the documentation, we allow 3306 from aqua to the firewall; I think it is the same for 389.

I bet, @jsuto, that for remote authentication to LDAP you need to enable STARTTLS on 389.

On Enterprise installations, 21% AD 79% OpenLDAP (including both local and remote)

First of all, I would like to offer my help for this work: ask me what you need, or I could even do it for you if you give me the configuration file.

In nethserver you have a helper; try:

account-provider-test dump

It will print all you need for authentication, whether the bind is local or remote, Samba AD or OpenLDAP.

This is an example in Perl of how to authenticate users in dokuwiki, no matter whether it is Samba or LDAP: we detect the provider and write the template accordingly.

The idea is to do the same in the docker volume. I assume it is possible in /var/lib/docker/volumes/docker_piler_etc/* to create a template that writes the configuration and restarts the container once it is done (or restarts only piler, if that is possible).

I tried with the aqua network, I can reach mysql just fine. I even ran

db dockrules set pilerldap aqua TCPPorts 389,636 status enabled
signal-event firewall-adjust

However, the LDAP server still doesn't like me. I think the problem may be elsewhere. I believe that you must connect to 127.0.0.1:389, otherwise you can't authenticate even with a correct password.

ldapsearch -x -h 127.0.0.1 -D "uid=piler,ou=People,dc=directory,dc=nh" -b "ou=People,dc=directory,dc=nh" -w piler123 "(&(objectclass=posixAccount)(uid=piler))" mail
# piler, People, directory.nh
dn: uid=piler,ou=People,dc=directory,dc=nh
mail: piler@acts.hu

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldapsearch -x -h 172.28.0.1 -D "uid=piler,ou=People,dc=directory,dc=nh" -b "ou=People,dc=directory,dc=nh" -w piler123 "(&(objectclass=posixAccount)(uid=piler))" mail
ldap_bind: Invalid credentials (49)

Notice that the only difference is the LDAP host IP address I try to connect to.

account-provider-test dump shows that it’s 127.0.0.1 as well:

{
  "BindDN" : "cn=ldapservice,dc=directory,dc=nh",
  "LdapURI" : "ldap://127.0.0.1",
  "DiscoverDcType" : "dns",
  "StartTls" : "",
  "port" : 389,
  "host" : "127.0.0.1",
}

So I think the solution is to fix the LDAP server to accept login attempts on any IP address. How can we do that?

I bet you are trying to authenticate without STARTTLS and anonymously.

Try with STARTTLS on 389 or with SSL on 636 with the user ldapservice (the password is in /var/lib/nethserver/secrets/ldapservice).

Yes, try "uid=ldapservice,ou=People,dc=directory,dc=nh" with the password.

This works remotely:

[root@ns7loc9 ~]# ldapsearch -D cn=ldapservice,dc=directory,dc=nh -w 'V_85617fr2bK3Csj' -H ldaps://192.168.56.12:636
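To tie the two suggestions together (render piler's LDAP settings from the account-provider-test dump, and bind over TLS with the ldapservice account), here is an added example that is neither piler's nor the posters' code. It assumes 172.28.0.1 is the docker gateway seen from the container as in the thread, that the $config key names and an ldaps:// URI in LDAP_HOST are accepted by piler's config-site.php, and that the helper password is read from the secrets file mentioned above:

```python
import json

# Constructed sample input: the account-provider-test dump quoted in the thread.
DUMP_JSON = """{
  "BindDN": "cn=ldapservice,dc=directory,dc=nh",
  "LdapURI": "ldap://127.0.0.1",
  "DiscoverDcType": "dns",
  "StartTls": "",
  "port": 389,
  "host": "127.0.0.1"
}"""


def bind_target(dump, docker_gateway):
    """Return (uri, use_starttls) for binding from inside the piler container.

    127.0.0.1 in the dump is the NethServer host, but inside the container it is
    the container itself, so loopback is rewritten to the aqua gateway. Once the
    bind leaves the host, cleartext LDAP is not acceptable: keep 389 only when the
    provider advertises StartTLS, otherwise use ldaps on 636."""
    d = json.loads(dump)
    host = docker_gateway if d["host"] == "127.0.0.1" else d["host"]
    if d.get("StartTls"):
        return f"ldap://{host}:{int(d['port'])}", True
    return f"ldaps://{host}:636", False


def ldapsearch_argv(dump, docker_gateway, password):
    """Build the verification bind as an argv list (no shell quoting issues)."""
    uri, starttls = bind_target(dump, docker_gateway)
    bind_dn = json.loads(dump)["BindDN"]
    argv = ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-w", password,
            "-b", bind_dn.split(",", 1)[1]]   # search base = DN without cn=ldapservice
    if starttls:
        argv.insert(1, "-ZZ")  # -ZZ aborts if StartTLS negotiation fails
    return argv


def piler_ldap_config(dump, docker_gateway, password):
    """Render config-site.php lines; the $config keys are assumed piler names."""
    uri, _ = bind_target(dump, docker_gateway)
    scheme_host, port = uri.rsplit(":", 1)
    bind_dn = json.loads(dump)["BindDN"]
    base = bind_dn.split(",", 1)[1]
    settings = [("ENABLE_LDAP_AUTH", 1), ("LDAP_HOST", scheme_host),
                ("LDAP_PORT", int(port)), ("LDAP_HELPER_DN", bind_dn),
                ("LDAP_HELPER_PASSWORD", password), ("LDAP_BASE_DN", "ou=People," + base),
                ("LDAP_MAIL_ATTR", "mail"), ("LDAP_ACCOUNT_OBJECTCLASS", "posixAccount")]

    def php(v):  # integers stay bare; strings are single-quoted with escapes
        return str(v) if isinstance(v, int) else "'" + v.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return "\n".join(f"$config['{k}'] = {php(v)};" for k, v in settings)
```

The rendered lines can be written into the piler volume (docker_piler_etc) by the template the previous post describes, followed by a container restart.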

Still no luck:

Inside the VM running nethserver it succeeds:
ldapsearch -H ldaps://172.28.0.1:636 -D cn=ldapservice,dc=directory,dc=nh -w 5TpsW_xgFCNx_hXN

From outside it fails:
ldapsearch -H ldaps://192.168.122.84:636 -D cn=ldapservice,dc=directory,dc=nh -w 5TpsW_xgFCNx_hXN

What could I be doing wrong?

LDAP always gives some headaches, sorry :smiley:

However, we have the same behaviour as with LDAP usage on 6.6.

Could you try to bind remotely over STARTTLS with the admin user?

[root@ns7loc9 ~]# ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W

Fill in the admin password; it works on my VM.

Two-feet-brake-step.
1: IMVHO it is not a nice thing to have this binding working, because with every admin password change the bind goes messy.
2: Is the aqua network part of the trusted networks?

No, it is a specific network only reachable from the firewall.