[SOLVED] Setting correct SMTP HELO host, domain name, PTR records for e-mail server

Hi Marko,

I think I did the same as you:

With Webmail all is working fine, but did you try to create a user@vhost-fqdn and set the mail server to smtp.vhost-fqdn in Thunderbird?

If so, is the error I get caused by the missing CAA/TLSA records, or by something else?

Michel-André

@michelandre

In Thunderbird I use the actual FQDN of the NethServer, usually also defined within DNS with SPF, etc.

With this one, Kerberos is actually working! :slight_smile:

The corresponding SMTP settings:

(In case anyone’s wondering, the lady married in the meantime, but the old login was retained, just added a new alias! - NethServer’s quite flexible, we didn’t want to touch the fine tuned Windows profile!)

My 2 cents
Andy

PS:

This client, a Hotel, had to close its doors for the last time at the end of 2020, not due to Corona, but because of somewhat greedy Owners who did not want to extend the well paid 20 year lease!
6 years of NethServer, after 4 years SME, before that 4 years a hand configured SuSE…

At least the hotel management will remain clients for future projects!

Salut Andy,

Thank you again for your great insight.

With the screen capture you included above, is the Server the same as user@Server ?

If not, then the DKIM will indicate the SERVER in d=SERVER; which is different from user@different-server?
EDIT: In Webmail both are exactly the same.

Michel-André

@michelandre

Yes, but as they’re closing (closed now!), we didn’t put too much effort when the Hotel-IT “moved out” in April.

We relocated almost the whole IT, as this will remain operational for another 3 years (at least). Using TSplus (Terminal Service for a MultiUser Win10 VM), everything was connected via VPN and RDP.
This made the end of year cleanup, and vacating the Hotel, much easier, as we do not have to worry about any IT stuff, except for a couple (5) ex-Windows10 PCs, now running Linux Mint and Remmina RDP… We actually activated “Roving Profiles” on NethServer just for this move… (It worked better than expected!).

In a first step, all PCs were converted P2V with VMWare Converter, then converted to Proxmox using Proxmox.
Second Step was migrating the profiles all to the new Windows 10 “Terminal Server”.

One reason for this setting is that the server would move location, and change the FQDN (Client side). The Server, as AD, could not use a different FQDN.

And once set, we didn’t want to fiddle with the working mail settings!

We moved the whole IT while the hotel was open, the move created an outage of only 1 hour (as planned!) for the IT!
Yay to Proxmox, NethServer and OPNsense to make this possible!

My 2 cents
Andy

PS: The used mailserver name IS the FQDN shown in Server Name of the old NethGUI (980).

Hi Andy,

Unable to communicate in secure mode with the peer: the requested domain name does not match the server certificate.

Then:
Unable to get identify status for this site.


I think it is because the CAA record is missing …

Michel-André
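As an added example that is not part of the thread: the check a mail client such as Thunderbird performs behind the message quoted above. The client compares the host name typed into the account settings against the DNS names in the certificate's Subject Alternative Name extension. CAA records are consulted only by the certificate authority at issuance time and are never read by a mail client, so a missing CAA record cannot produce this error; only a certificate that does not list the requested name can. The host names and the throwaway self-signed certificate below are constructed for the demonstration (the functions need OpenSSL 1.1.1 or newer for `-addext` and `-ext`).

```shell
#!/bin/sh
# Added example (not code from the thread): reproduce the host-name check
# behind "the requested domain name does not match the server certificate".
# Host names are hypothetical; the certificate is a throwaway self-signed
# one generated here so that the script runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEMO_CERT="$WORK/server.pem"

# Constructed sample: a certificate issued for the server FQDN and one
# mail host name of the main domain only, the way a Let's Encrypt
# certificate requested for just those names would look.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/server.key" -out "$DEMO_CERT" \
  -subj "/CN=srv01.mymaindomain.tld" \
  -addext "subjectAltName=DNS:srv01.mymaindomain.tld,DNS:smtp.mymaindomain.tld,DNS:*.wild.example" \
  >/dev/null 2>&1

# cert_dns_names CERT -> the DNS entries of the SAN extension, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_matches_host CERT HOST -> exit 0 if HOST is covered by a SAN entry.
# Comparison is case-insensitive; a wildcard covers exactly one left-most
# label (RFC 6125), so *.wild.example matches a.wild.example but neither
# a.b.wild.example nor wild.example itself.
cert_matches_host() {
  host="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
  while IFS= read -r san; do
    case "$san" in
      '*.'*)
        if [ "${host#*.}" = "${san#\*.}" ] && [ "${host%%.*}" != "$host" ]; then
          return 0
        fi ;;
      *)
        if [ "$host" = "$san" ]; then return 0; fi ;;
    esac
  done <<EOF
$(cert_dns_names "$1" | tr 'A-Z' 'a-z')
EOF
  return 1
}

# Demo: the name of the main domain passes, the second-domain name fails,
# which is exactly the situation that produces Thunderbird's error.
for h in smtp.mymaindomain.tld smtp.myseconddomain.tld; do
  if cert_matches_host "$DEMO_CERT" "$h"; then
    echo "$h: name matches the server certificate"
  else
    echo "$h: requested domain name does not match the server certificate"
  fi
done
```

To run the same check against a live server, save the certificate it presents for the name you type into the client, e.g. `openssl s_client -connect smtp.myseconddomain.tld:465 -servername smtp.myseconddomain.tld </dev/null | openssl x509 > live.pem`, then call `cert_matches_host live.pem smtp.myseconddomain.tld`. If it fails, the fix is a certificate (or SNI mapping on the server) that includes that name, or entering the name the certificate does carry in the client.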

@michelandre

As said, that server was set up more than 10 years ago… And all DNS “grew” with all the newer challenges in correct mail handling needed nowadays… (This was a Hotel with international guests…)

I can’t recall in detail at the moment what we put in, but I can look up a few things - the server, as said, is still running and will remain so, also mail etc.

Andy

Time for walk,

To be continued…

Michel-André


Hi Marc,

Thank you for your reply.

I did those alias but my problem is with Thunderbird that can’t get the certificate of the sending vhost server.

Looking at your reply: ThunderBird - Sieve not working?, I tried it as a partial solution by adding an exception for the certificate, and now the DKIM for the mail from the secondary domain shows d=secondary-fqdn; which is what I want.

As said, this is a partial solution: but I would still like to have the real certificate from the sending server.

I didn’t take a walk yet… I am going to take it now…

Michel-André

Hi @michelandre,
I don’t have any experience with thunderbird, only using Apple Mail and iOS.

My Procedure was:
0. Creating all needed A records, CNAMEs and MX records for my mymaindomain.tld and myseconddomain.tld, but not the DMARC, TLS, SPF or DKIM records, within my external DNS provider.

What I did on my srv01.mymaindomain.tld

  1. Creating user like: firstname_secondname
  2. that automatically creates a blue mailbox firstname_secondname and an orange mail address firstname_secondname@mymaindomain.tld pointing to the user firstname_secondname
  3. manually creating a blue mail address firstname.secondname@mymaindomain.tld
  4. pointing firstname.secondname@mymaindomain.tld to firstname_secondname
  5. creating a mail domain myseconddomain.tld
  6. creating user myseconddomain_firstname_secondname
  7. that automatically creates a blue mailbox myseconddomain_firstname_secondname and an orange mail address myseconddomain_firstname_secondname@mymaindomain.tld pointing to the user myseconddomain_firstname_secondname
  8. manually creating a blue mail address firstname.secondname@myseconddomain.tld
  9. pointing firstname.secondname@myseconddomain.tld to myseconddomain_firstname_secondname
  10. Control aliases in Server Manager for all subdomains of mymaindomain.tld, myseconddomain.tld and needed subdomains like nextcloud or collabora, but not the mail related ones like mail, imap, smtp, pop.
  11. Creating LE certificates for all subdomains of mymaindomain.tld
  12. Creating LE certificates for all subdomains of myseconddomain.tld
  13. creating DKIM keys in mail domains
  14. Transferring DKIM keys as DNS records to my external DNS provider
  15. creating TLS-Keys and DMARC + SPF-Records

In the mail clients I created accounts for my @mymaindomain.tld using

  • Email-Address: firstname.secondname@mymaindomain.tld
  • Server: imap.mymaindomain.tld and smtp.mymaindomain.tld
  • for IMAP and SMTP-Server I used credentials with firstname_secondname and password

In the mail clients I created accounts for my @myseconddomain.tld using

  • Email-Address: firstname.secondname@myseconddomain.tld
  • Server: imap.myseconddomain.tld and smtp.myseconddomain.tld
  • for IMAP and SMTP-Server I used credentials with myseconddomain_firstname_secondname and password

My friend who uses @mythirddomain.tld, which is also hosted there, uses Thunderbird and told me it was tricky to configure Thunderbird. I believe he used

  • Email-Address: firstname.secondname@mythirddomain.tld
  • Server: imap.mymaindomain.tld and smtp.mymaindomain.tld
  • for IMAP and SMTP-Server he used credentials with mythirddomain_firstname_secondname and password

Additionally, he had to configure the ports manually.

Perhaps you should try this curious config.

Best regards, Marko


Hi all,

At the site: What's a CAA record? - DNSimple Help.

CAA records allow domain owners to declare which certificate authorities are allowed to issue a certificate for a domain. They also provide a means of indicating notification rules in case someone requests a certificate from an unauthorized certificate authority. If no CAA record is present, any CA is allowed to issue a certificate for the domain. If a CAA record is present, only the CAs listed in the record(s) are allowed to issue certificates for that hostname.

CAA records can set policy for the entire domain or for specific hostnames. CAA records are also inherited by subdomains. For example, a CAA record set on example.com also applies to any subdomain, like subdomain.example.com (unless overridden).

CAA record for titi.org:

titi.org.  CAA 0 issue "letsencrypt.org"

For TLSA record:
At the site: ClouDNS: What is TLSA record?.

The TLS Authentication record (TLSA) is used to associate a TLS server certificate or public key with the domain name where the record is found. With a TLSA record, you can store the fingerprint of a TLS/SSL certificate in the DNS of your domain.

So this should resolve the problem of Thunderbird not able to get the certificate.

From the site: Steps to Create & Add DANE TLSA Record.

# cd /etc/pki/tls/certs/

# openssl x509 -noout -fingerprint -sha256 < ca-bundle.trust.crt |tr -d : |cut -d"=" -f2
9A6EC012E1A7DA9DBE34194D478AD7C0DB1822FB071DF12981496ED104384124

TLSA record:

*._tcp.titi.org. 3600 IN TLSA 3 1 1 9a6ec012e1a7da9dbe34194d478ad7c0db1822fb071df12981496ed104384124

QUESTION:
Is that the proper way to generate the hash value and to create the TLSA record?

Michel-André
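An added example, not from the thread or from the site quoted above, showing how the digest for each TLSA selector is derived and what the quoted command actually computes. `openssl x509 -noout -fingerprint -sha256` hashes the whole DER-encoded certificate, which is the selector 0 value; a `3 1 1` record needs the SHA-256 of the DER SubjectPublicKeyInfo (selector 1). In either case the input has to be the server's own end-entity certificate, not a CA bundle such as ca-bundle.trust.crt. Two further points a practitioner should keep in mind: DANE/TLSA is consulted by DANE-aware SMTP servers (and by `openssl s_client -dane_tlsa_domain`), not by Thunderbird, which validates the chain and host name from its own trust store; and the selector 1 digest only survives a certificate renewal if the key pair is kept, otherwise the record must be republished before the new certificate goes live. Host names are hypothetical and the certificate is a throwaway self-signed one generated in the script so that it runs offline.

```shell
#!/bin/sh
# Added example (not code from the thread): derive DANE TLSA digests for a
# mail host from its certificate and show that the thread's
#   openssl x509 -noout -fingerprint -sha256 < cert
# command yields the selector 0 (full certificate) digest, not the
# selector 1 (SubjectPublicKeyInfo) digest a "3 1 1" record requires.
# Host names are hypothetical; the certificate is a throwaway self-signed
# one generated below so that the script runs offline.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
DEMO_CERT="$WORK/smtp.pem"

# Constructed sample: self-signed end-entity certificate standing in for
# the real Let's Encrypt certificate of the mail host.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/smtp.key" -out "$DEMO_CERT" \
  -subj "/CN=smtp.titi.org" >/dev/null 2>&1

# Selector 0: SHA-256 over the whole DER certificate. Changes on every
# renewal, so the TLSA record must be republished each time.
cert_sha256() {
  openssl x509 -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Selector 1: SHA-256 over the DER SubjectPublicKeyInfo only. Stays valid
# across renewals as long as the same key pair is reused.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# What the thread's command produces once colons are stripped and the hex
# is lower-cased: the full-certificate digest, i.e. the selector 0 value.
fingerprint_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d : | tr 'A-F' 'a-f'
}

# tlsa_record OWNER USAGE SELECTOR CERT -> one zone-file line.
# Matching type is fixed at 1 (SHA-256). Usage 3 = DANE-EE: the end-entity
# certificate itself is trusted and the CA chain is not consulted.
tlsa_record() {
  owner="$1"; usage="$2"; selector="$3"; cert="$4"
  case "$selector" in
    0) digest="$(cert_sha256 "$cert")" ;;
    1) digest="$(spki_sha256 "$cert")" ;;
    *) echo "unsupported selector: $selector" >&2; return 1 ;;
  esac
  printf '%s 3600 IN TLSA %s %s 1 %s\n' "$owner" "$usage" "$selector" "$digest"
}

# Records for port 25 of the hypothetical MX. Publish the one whose
# selector you intend to maintain; 3 1 1 is the usual choice for SMTP.
tlsa_record "_25._tcp.smtp.titi.org." 3 1 "$DEMO_CERT"
tlsa_record "_25._tcp.smtp.titi.org." 3 0 "$DEMO_CERT"
```

After publishing the record, verify it from outside with `openssl s_client -starttls smtp -connect smtp.titi.org:25 -dane_tlsa_domain smtp.titi.org -dane_tlsa_rrdata "3 1 1 <digest>"`, which reports `DANE TLSA 3 1 1 ... matched EE certificate` on success. When rotating to a new key, publish the new `3 1 1` record alongside the old one for at least the record's TTL before switching certificates.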

If your DNS provider doesn't offer an assistant, you can use generators such as this one.

https://de.ssl-tools.net/tlsa-generator


And here, for the community, some more information:

My DNS provider offers an assistant to create it from LE-Certificate.
In the former time, I created it manually. I do not remember exactly how, but I used these sources:

There are external generators:

You can check the success with:

Sincerely, Marko