Sending system mails over another server

NethServer Version: 7.9.2009
Module: Core

Hi all,
I have a question: I have two NethServers installed, both connected to the same Windows AD. The first one sends system mails like backup success to the mail address of a user. I set up this mail address in a Thunderbird client. Now I’m searching for a solution to send system mails from the second server over the first one. Is it possible?

Edit!!!
At the second server I tried the Smarthost setting to the first one, but I didn’t get a connection.

@m.traeumner

Hi Michael

Smarthost is the right way to do this.

You should have internal DNS entries for both servers (available also to both servers!). The servers do not need to be in the same DNS Domain, but it does make things easier!

I helped a friend set up his Neth environment with 2 NethServers, each for a different DNS Domain.
All incoming was handled by NethServer A, B did not have a direct internet connection, as all mail ports were used by NethServer A.

Incoming mails for NethServer B were handled by a Domain in the Mailconfig of NethServer A, forwarding all mail for that domain to nethServer B.

Outgoing Mails used NethServer A as Smarthost.

Note: All Mailclients for NethServer B were in-house, so no issues making IMAP/SMTP available outside, as NethServer A already used all external Mail Ports…

It worked!

As I do not have access to this system anymore, I can’t provide detailed screenshots of the setup / config.

My 2 cents
Andy

Hi Andi,
thanks for your answer. Both servers are at the same domain and have an entry at DNS, ping with FQDN works fine.
I think I miss a setting at the first server.
Have I to setup relay settings at the first server?
Michael

@m.traeumner

Hi Michael

Normally not. NethServer will normally allow outgoing mail from the LAN - even without authentication AFAIK…

I just remembered what I did:
I created a smtp-user (really called that!) just so server 2 can submit mail correctly.
Then used the settings for this smtp-user in the smarthost of server 2…

My 2 cents
Andy

Hi Andy,
thanks for your answer again. I didn’t get it to work. Could you have a look at my settings please?

groupware.jonas.local is the FQDN of the first server. I tried with different users, but mtraeumner@jonas.local is the one which works in Thunderbird with the first server.

@m.traeumner

Hi Michael

For SMTP, even authenticated, I almost always use Port 25…
For the Host, I use the IP. This will work even if DNS has problems.
Usually I’ll leave out encrypted, as this is all in the LAN…

Hope these pointers help…

My 2 cents
Andy

Try a shot for port 465 instead of 587 if it fails.

Thanks for your answers. I tried everything you mentioned, but nothing works. In messages.log I can’t find anything; are there other logs I could have a look at?

/var/log/maillog

I didn’t find anything of interest in the maillog, but after all I found the following certificate error in messages.log

May 25 11:37:56 project cockpit-bridge: * NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
May 25 11:37:56 project cockpit-bridge: * Peer's certificate issuer has been marked as not trusted by the user.
May 25 11:37:56 project cockpit-bridge: 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
May 25 11:37:56 project cockpit-bridge: * Closing connection 0
May 25 11:37:56 project cockpit-bridge: curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
May 25 11:37:56 project cockpit-bridge: More details here: http://curl.haxx.se/docs/sslcerts.html
May 25 11:37:56 project cockpit-bridge: curl performs SSL certificate verification by default, using a "bundle"
May 25 11:37:56 project cockpit-bridge: of Certificate Authority (CA) public keys (CA certs). If the default
May 25 11:37:56 project cockpit-bridge: bundle file isn't adequate, you can specify an alternate file
May 25 11:37:56 project cockpit-bridge: using the --cacert option.
May 25 11:37:56 project cockpit-bridge: If this HTTPS server uses a certificate signed by a CA represented in
May 25 11:37:56 project cockpit-bridge: the bundle, the certificate verification probably failed due to a
May 25 11:37:56 project cockpit-bridge: problem with the certificate (it might be expired, or the name might
May 25 11:37:56 project cockpit-bridge: not match the domain name in the URL).

Also I see the following:

May 25 11:37:56 project cockpit-bridge: * #011common name: groupware.jonas.local

But it is not the groupware server, it is the project server.

An entry relayhost = xxx.xxx.xxx.xxx in postfix main.cf should work, I think.
Maybe you have to template it.

I use a nethserver-guest on my proxmox as relay. Works fine.
Here is my main.cf of this pve:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version

myhostname=pve.jeckel.local

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.$mydomain, localhost
# hand all outgoing mail to the NethServer relay
relayhost = 192.168.xxx.xxx
# authenticate to the relay with the credentials from smtp_sasl_password_maps
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_auth
mynetworks = 192.168.xxx.xxx/24
inet_interfaces = localhost
recipient_delimiter = +

And the corresponding smtp_auth

# IP, user and pw of relay (key must match the relayhost value above)
# rebuild the lookup table after editing: postmap /etc/postfix/smtp_auth
xxx.xxx.xxx.xxx user@domain.tld:password

Thanks Ralf for your detailed answer,
Before writing a custom template I tried in cockpit again and I think I know the problem now. The problem is the self-signed certificate of the groupware server (1), but I need some help to import it to the project server (2).
I copied the crt file of server 1 with a new name to

/etc/pki/tls/certs/

of server 2, but I get the same error.

You’re welcome!
Did you also copy the key file?
/etc/pki/tls/private/server.key (or something like this)
Then in cockpit: System / Certificate and apply the cert as standard (three-dot menu at the far right)

Are you sure? If I choose the imported certificate as standard I think I will have a problem with browsing to cockpit at this server, because it has the wrong common name. Am I wrong?

Oh, I misunderstood you. Thought you wanted to install a new self-signed cert for it. :relaxed:
Now I read the whole thread. I see the log entry about the not trusted issuer, but I don’t know how to get it trusted. Maybe it works if you copy it to the trusted certs in /etc/pki/ca-trust/extracted/pem, but I’m only guessing. Sorry.

PS:
My smarthost config works without the Encrypted connection. What happens if you untick the encryption?

I get another error, No known authentication mechanisms supported!

May 28 09:07:11 project cockpit-bridge: 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to groupware.jonas.local port 587 (#0)
May 28 09:07:11 project cockpit-bridge: *   Trying 192.168.46.5...
May 28 09:07:11 project cockpit-bridge: * Connected to groupware.jonas.local (192.168.46.5) port 587 (#0)
May 28 09:07:11 project cockpit-bridge: < 220 groupware.jonas.local ESMTP Postfix
May 28 09:07:11 project cockpit-bridge: > EHLO project
May 28 09:07:11 project cockpit-bridge: < 250-groupware.jonas.local
May 28 09:07:11 project cockpit-bridge: < 250-PIPELINING
May 28 09:07:11 project cockpit-bridge: < 250-SIZE 20000000
May 28 09:07:11 project cockpit-bridge: < 250-VRFY
May 28 09:07:11 project cockpit-bridge: < 250-ETRN
May 28 09:07:11 project cockpit-bridge: < 250-STARTTLS
May 28 09:07:11 project cockpit-bridge: < 250-ENHANCEDSTATUSCODES
May 28 09:07:11 project cockpit-bridge: < 250-8BITMIME
May 28 09:07:11 project cockpit-bridge: < 250 DSN
May 28 09:07:11 project cockpit-bridge: * No known authentication mechanisms supported!
May 28 09:07:11 project cockpit-bridge: 0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
May 28 09:07:11 project cockpit-bridge: * Closing connection 0
May 28 09:07:11 project cockpit-bridge: curl: (67) Login denied

Edit!

I tried with the file

email-ca-bundle.pem

Of course I renamed it, to not override the original file, but it doesn’t work.
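To see why the unencrypted attempt above ends in "No known authentication mechanisms supported!", here is an added Python check (not from this thread or from NethServer): it parses the relay's EHLO reply out of cockpit-bridge log lines, reports whether AUTH is only reachable after STARTTLS, and includes a live probe that verifies the relay's certificate against a CA file you point it at. The host, port, CA path and credentials in the probe are assumed placeholders.

```python
import smtplib
import ssl

# Constructed sample: the relevant server lines ("<") from the log above.
SAMPLE_LOG = """\
May 28 09:07:11 project cockpit-bridge: < 220 groupware.jonas.local ESMTP Postfix
May 28 09:07:11 project cockpit-bridge: > EHLO project
May 28 09:07:11 project cockpit-bridge: < 250-groupware.jonas.local
May 28 09:07:11 project cockpit-bridge: < 250-PIPELINING
May 28 09:07:11 project cockpit-bridge: < 250-SIZE 20000000
May 28 09:07:11 project cockpit-bridge: < 250-STARTTLS
May 28 09:07:11 project cockpit-bridge: < 250 DSN
"""


def ehlo_extensions(log_text):
    """Return the ESMTP extensions advertised in the '< 250' lines of a curl log."""
    exts = set()
    seen_greeting = False
    for line in log_text.splitlines():
        _, sep, rest = line.partition(": < 250")
        if not sep or not rest or rest[0] not in "- ":
            continue
        words = rest[1:].split()
        if not seen_greeting:  # the first 250 line carries the server name
            seen_greeting = True
            continue
        if words:
            exts.add(words[0].upper())
    return exts


def diagnose_auth(exts, encryption_enabled):
    """Explain, from the pre-TLS capability list, why a smarthost login cannot start."""
    if "AUTH" in exts:
        return "AUTH advertised"
    if "STARTTLS" in exts and not encryption_enabled:
        return "AUTH only after STARTTLS: enable encryption and trust the relay's CA"
    if "STARTTLS" in exts:
        return "AUTH not advertised before STARTTLS; re-check after the TLS handshake"
    return "relay offers neither AUTH nor STARTTLS"


def probe_smarthost(host, port, cafile, user=None, password=None):
    """Live check (placeholders): STARTTLS with the relay's CA, then list AUTH mechanisms."""
    ctx = ssl.create_default_context(cafile=cafile)  # raises if the cert is untrusted
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("project")
        smtp.starttls(context=ctx)
        smtp.ehlo("project")  # capabilities change after TLS; AUTH may appear only now
        mechs = smtp.esmtp_features.get("auth", "").split()
        if user and password:
            smtp.login(user, password)
        return mechs
```

Running `probe_smarthost("groupware.jonas.local", 587, "/path/to/relay-ca.crt")` from the second server reproduces the curl error chain: an `ssl.SSLCertVerificationError` means the CA file is still wrong, an empty mechanism list means the relay does not offer AUTH even over TLS.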

@dev_team
Can somebody of you tell me how to / where to import the certificate of the first server (groupware) to the second one (project) to use smart host? Also the question is which certificate I have to import.
Thanks in advance.

@m.traeumner

If you’re using LE certs on the first server, it is not needed to copy over the certs…
Server 2 will accept them, as they’re valid certs…

My 2 cents
Andy

Sorry, I think it’s no solution here. I can’t / must not route ports 443 and 80 to the server.
Both servers are only internal. They have a connection to get updates, but they aren’t reachable from outside.

@m.traeumner

As you can’t use LE certs, maybe try this:

You need to adapt the “triggering” of the script (Here done when LE renews), this is not needed with internal certs. I think “manual” triggering should be OK, as Neth doesn’t change the cert often…

As the source would be the local CA SSL certs, I think the correct SOURCE folder would be
/etc/ssl/certs… (SSL certs can be in different formats, I think here just use the .crt files?).

You’ll also need to adapt the TARGET to be your second server instead of the first server’s internal AD container. Use the same location as the SOURCE on server one, from where you copy the certs, but of course on server 2…

Don’t forget to exchange SSH keys, so you can copy over via script without authentication…

Hope this helps…

My 2 cents
Andy