Sending system mails over another server

Sorry, I think that's no solution here. I can't / must not route ports 443 and 80 to the server.
Both servers are internal only. They have a connection to get updates, but they aren't reachable from outside.

@m.traeumner

As you can’t use LE certs, maybe try this:

You need to adapt the “triggering” of the script (Here done when LE renews), this is not needed with internal certs. I think “manual” triggering should be OK, as Neth doesn’t change the cert often…

As the source would be the local CA SSL certs, I think the correct SOURCE folder would be
/etc/ssl/certs… (SSL certs can be in different formats, I think here just use the .crt files?).

You’ll also need to adapt the TARGET to be your second server instead of the first server’s internal AD container. Use the same location as the SOURCE on server one, from where you copy the certs, but of course on server 2…

Don’t forget to exchange SSH keys, so you can copy over via script without authentication…

Hope this helps…

My 2 cents
Andy

Thanks Andy for your answer,
my first problem is how to get the letsencrypt certificate.
We use a LANCOM router as router and firewall; this router is the only hardware connected directly to the internet. So I think I have to get the certificate with this router. Then I have to copy it to the first and the second server; neither of these is the AD. The AD is a Windows Server.
A self-created certificate would be much easier for me, if I knew how to import it.

@m.traeumner

Hi

As said, you CAN use the SSL certs from Server 1:

and copy them over to Server 2…

Make a backup first of the files in question (on server 2) - and for safety reasons also a backup of the whole server, if possible!

LE on a LANcom should be possible, also copying them over to the two NethServers, but as I only use OPNsense firewalls now, I can’t help with LANcom. Also, LANcom is a commercial product, that may limit your options.
Another thing is the aliases (for both NethServers) need to be on the LE certs - this does work when NethServer or OPNsense gets the SSL certs.
It also depends if your DNS Provider / Hoster supports the LE API (DNS API) - that makes life easier. Mine does not support DNS API… :frowning:

To get an “easy” LE SSL cert, it would be sufficient to pass Port 80 from your LANcom to the NethServer 1 and let NethServer request the LE cert. There is no risk and no “Web” changes needed on NethServer. The only html page viewable is static and as such, almost “unhackable”…
However, if your client does not want / allow this, then you need to do it the manual way with the self created certs / CA…

My 2 cents
Andy


I copied localhost.crt, but this doesn’t work either. The NSRV one I tested before doesn’t work either, and it couldn’t be a solution anyway, as it includes the server name.

Only for information, at /etc/ssl/certs is only a link to /etc/pki/tls/certs/.

@m.traeumner

I think the problem here is that NethServer doesn’t include a “full” CA…

See eg this thread about “Issues”… (Not specific CA related)

or (better) this one about implementing a CA in Neth:

my 2 cents
Andy

Thanks again Andy,
I’ve read the two threads.

I don’t think this is a problem; of course it could be a solution, but copying the TLS/SSL certificate for mail from the first to the second server should also be a solution.
Thunderbird, for example, imports the certificate of the first server and works without any issues, so why doesn’t it work to import it to the second server for the smart host?

@m.traeumner

There is a BIG difference in certificates, depending on server or client application…
Thunderbird is a pure client application.

Servers need to have the server name in the certificate, whereas clients do not.

See this setting for creating a new certificate from the built in CA on OPNsense:

It’s already defined at the CA level, if it is a client or a server certificate, so that can’t be changed later on…

Server / Client attribute limits what the certificate can be used for.

But that isn’t the issue here, as the built in SSL Cert works for NethServer as a server.
I think it’s the server name, which is conflicting here.

My 2 cents
Andy

Thanks Andy for clarification, but one more question:
Isn’t server 2 acting as a client in this situation? I thought it is a mail client, which tries to send mail over the first server, which acts as mail server at my situation?

Hi Michael

In this sense you’re right, for Smarthost usage only “Client” usage is needed.

However, AFAIK, NethServer uses the same SSL Cert for almost everything (Problems with Cockpit & NethGUI…), besides which, there’s no option to add in a Cert just for one service (like Smarthost) in any of the GUIs… :frowning:

One Option for your environment:

You CAN create a Cert in MS AD, as the AD AFAIK comes with a built in CA (Like OPNsense has).
It’s NOT OpenSource, but can create a usable Cert eg for Mac or Linux, so why not try that out?
The CA is accessible, both NethServers would use that CA / SSL-Cert, so it should work…

I can’t really help you there, as it’s been a few years since I last needed to create Certs on MS-AD… But Google should be able to give pointers… :slight_smile:

My 2 cents
Andy


I didn’t read the whole thread, but I can suggest a simple configuration.
If you have 2 servers inside the same LAN, and server A (client) should relay through machine B (mail server) you can:

  • go to server B and inside the “Relay” page add the IP of server A
  • go to server A and configure B as the relay server

Thanks @giacomo,
I tried this too, but get the same certificate error. I fear I have to create the certificate at the Windows AD, as @Andy_Wismer said.

DNS validation is your friend here.


I’m pretty sure you can do it without TLS, at least using a template-custom.

Maybe @stephdl already tried something similar.


Sorry to have no time to read this full thread but maybe you are searching a s/bad/difficult/ solution

I do have some servers myself and all send emails to admin@domain.com, you just have to set the root email in the setting cockpit page with the email of admin@domain.com and use a smarthost to send email for your server.

I do not understand what is the issue :-?

Hi @stephdl,
thanks for your answer

The issue is a curl certificate error if I try to use the smarthost.

I tried this, then the smarthost can’t connect because of missing authentication. I think the mail server expects a secure connection. Perhaps somebody can tell me how to disable this.

Your issue is really simple: your smarthost is not compatible with NethServer. If you cannot pass the validation, please use another SMTP smarthost.

You can use only STARTTLS; SSL over 465 is not supported.

The smarthost is another nethserver, I hope it will be compatible :grinning:


Then we need to launch the API action in the terminal to understand what occurs, but trust me, it works.

What do you mean, how should I do this?