Hi all,
I have a question. I have two NethServers installed, both connected to the same Windows AD. The first one sends system mails like backup success to a mail address of a user. I set up this mail address in a Thunderbird client. Now I’m searching for a solution to send system mails from the second server over the first one. Is it possible?
Edit!!!
On the second server I tried the Smarthost setting pointing to the first one, but I didn’t get a connection.
You should have internal DNS entries for both servers (available also to both servers!). The servers do not need to be in the same DNS Domain, but it does make things easier!
I helped a friend set up his Neth environment with 2 NethServers, each for a different DNS Domain.
All incoming was handled by NethServer A, B did not have a direct internet connection, as all mail ports were used by NethServer A.
Incoming mails for NethServer B were handled by a domain in the mail config of NethServer A, forwarding all mail for that domain to NethServer B.
Outgoing Mails used NethServer A as Smarthost.
Note: All mail clients for NethServer B were in-house, so no issues making IMAP/SMTP available outside, as NethServer A already used all external mail ports…
It worked!
As I do not have access to this system anymore, I can’t provide detailed screenshots of the setup / config.
Hi Andi,
thanks for your answer. Both servers are in the same domain and have an entry in DNS; ping with the FQDN works fine.
I think I’m missing a setting on the first server.
Do I have to set up relay settings on the first server?
Michael
Normally not. NethServer will normally allow outgoing mail from the LAN - even without authentication AFAIK…
I just remembered what I did:
I created an smtp-user (really called that!) just so server 2 can submit mail correctly.
Then I used the settings for this smtp-user in the smarthost of server 2…
groupware.jonas.local is the FQDN of the first server. I tried with different users, but mtraeumner@jonas.local is the one which works in Thunderbird with the first server.
For SMTP, even authenticated, I almost always use Port 25…
For the Host, I use the IP. This will work even if DNS has problems.
Usually I’ll leave out encrypted, as this is all in the LAN…
Thanks for your answers. I tried everything you mentioned, but nothing works. In messages.log I can’t find anything; are there other logs I could have a look at?
I didn’t find anything of interest in the maillog, but after all I found the following certificate error in messages.log:
May 25 11:37:56 project cockpit-bridge: * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
May 25 11:37:56 project cockpit-bridge: * Peer's certificate issuer has been marked as not trusted by the user.
May 25 11:37:56 project cockpit-bridge: 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
May 25 11:37:56 project cockpit-bridge: * Closing connection 0
May 25 11:37:56 project cockpit-bridge: curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
May 25 11:37:56 project cockpit-bridge: More details here: http://curl.haxx.se/docs/sslcerts.html
May 25 11:37:56 project cockpit-bridge: curl performs SSL certificate verification by default, using a "bundle"
May 25 11:37:56 project cockpit-bridge: of Certificate Authority (CA) public keys (CA certs). If the default
May 25 11:37:56 project cockpit-bridge: bundle file isn't adequate, you can specify an alternate file
May 25 11:37:56 project cockpit-bridge: using the --cacert option.
May 25 11:37:56 project cockpit-bridge: If this HTTPS server uses a certificate signed by a CA represented in
May 25 11:37:56 project cockpit-bridge: the bundle, the certificate verification probably failed due to a
May 25 11:37:56 project cockpit-bridge: problem with the certificate (it might be expired, or the name might
May 25 11:37:56 project cockpit-bridge: not match the domain name in the URL).
Also I see the following:
May 25 11:37:56 project cockpit-bridge: * #011common name: groupware.jonas.local
But it is not the groupware server, it is the project server.
Thanks Ralf for your detailed answer,
Before writing a custom template I tried in Cockpit again and I think I know the problem now. The problem is the self-signed certificate of the groupware server (1), but I need some help importing it to the project server (2).
I copied the crt file of server 1 with a new name to
You’re welcome!
Did you also copy the key file? /etc/pki/tls/private/server.key (or something like this)
Then in Cockpit: System / Certificate and apply the cert as standard (3-dot menu at the very right)
Are you sure? If I choose the imported certificate as standard I think I will have a problem browsing to Cockpit on this server, because it has the wrong common name. Am I wrong?
Oh, I misunderstood you. I thought you wanted to install a new self-signed cert for it.
Now I have read the whole thread. I see the log entry about the not trusted issuer, but I don’t know how to get it trusted. Maybe it works if you copy it to the trusted certs in /etc/pki/ca-trust/extracted/pem, but I’m only guessing. Sorry.
PS:
My smarthost config works without the encrypted connection. What happens if you untick the encryption?
@dev_team
Can somebody of you tell me how / where to import the certificate of the first server (groupware) to the second one (project) to use the smart host? Also the question is which certificate I have to import.
Thanks in advance.
Sorry, I think that’s no solution here. I can’t / must not route ports 443 and 80 to the server.
Both servers are internal only. They have a connection to get updates, but they aren’t reachable from outside.
You need to adapt the “triggering” of the script (Here done when LE renews), this is not needed with internal certs. I think “manual” triggering should be OK, as Neth doesn’t change the cert often…
As the source would be the local CA SSL certs, I think the correct SOURCE folder would be
/etc/ssl/certs… (SSL certs can be in different formats, I think here just use the .crt files?).
You’ll also need to adapt the TARGET to be your second server instead of the first server’s internal AD container. Use the same location as the SOURCE on server one, from where you copy the certs, but of course on server 2…
Don’t forget to exchange SSH keys, so you can copy over via script without authentication…