Unable to setup mail on internal network

System version
NethServer release 7.8.2003 (final)
Kernel release
3.10.0-1127.19.1.el7.x86_64

I notice some strange behavior when setting up mail accounts: they cannot be configured on my internal network.

I suspect it's got something to do with my security certificates not being applied correctly: when I set up the email account it doesn't resolve automatically, and when I set it up manually I get a security certificate warning. When I view the certificate it's not the Let's Encrypt certificate; it appears to be the NethServer certificate.

If I manually install the certificate it still doesn't set up the mail account.

However, if I do this from outside my local network the email can be set up without an issue and I don't get the security certificate warning.

I also notice that even if I set up the account externally, every three months when the Let's Encrypt certificate gets renewed I get a message on the mail client asking me to renew the certificate, so it appears the renewed certificate from Let's Encrypt is not automatically being applied?

When I ping my mail server from the internal network I also get the public IP instead of the local IP?

I tried researching the issue but I don't appear to find anyone else with the same problem.

Your assistance would be greatly appreciated.

Hi Thyran,

Welcome to the forum and glad to have you with us.

You can have a look at the Let's Encrypt log to see if the sub-domain mail.FQDN responds correctly to the Let's Encrypt challenge.

Last week, with a friend's server, I had a similar Let's Encrypt renewal and ping problem. It was the DNS records for mail. I had to delete the CNAME, add an MX record and also an A record for mail.FQDN. First time I had to add an A record pointing to the public IP of the server for mail, but after adding it, it worked. I do not understand why. The domain's registrar was Gandi.

You can check your mail config at https://www.mail-tester.com/ (maximum of 3 checks / day).

Michel-André


Hi

I am trying to reply but it says new users are only allowed two links per post, so I will have to try and break up my post into parts to see what this community forum's restrictions define as a link.

Hi There

thanks for your feedback
I can't imagine the DNS records at the external registrar being a problem since these have not changed from before the issue arose. However, I could be wrong.
See attached zone records: I have two A records for @ and www pointing at my public IP where the NethServer is.

I have checked the logs for Let's Encrypt:
I am concerned about these lines from the log entry.

2020-10-28 08:33:40,814:DEBUG:certbot._internal.cert_manager:Renewal conf file /etc/letsencrypt/renewal/wrightway.nz.conf is broken. Skipping.
2020-10-28 08:33:40,839:DEBUG:certbot._internal.cert_manager:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 384, in _search_lineages
candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
File "/usr/lib/python2.7/site-packages/certbot/_internal/storage.py", line 447, in __init__
"file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference

When I check the conf
/etc/letsencrypt/renewal/wrightway.nz.conf

There is nothing in it

I see another conf
/etc/letsencrypt/renewal/wrightway.nz-001.conf which has the following

Could it be that it's looking at the wrong conf file?

renew_before_expiry = 30 days

version = 1.7.0
archive_dir = /etc/letsencrypt/archive/wrightway.nz-0001
cert = /etc/letsencrypt/live/wrightway.nz-0001/cert.pem
privkey = /etc/letsencrypt/live/wrightway.nz-0001/privkey.pem
chain = /etc/letsencrypt/live/wrightway.nz-0001/chain.pem
fullchain = /etc/letsencrypt/live/wrightway.nz-0001/fullchain.pem

# Options used in the renewal process

[renewalparams]
authenticator = webroot
account = 25b7b1c3cf58ac7b8cbc180c3fb3f604
webroot_path = /var/www/html,
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]

I can't attach the whole Let's Encrypt log for today as it detects more than two links in it, and I am unable to post it because of the two-link limitation per post for new users.
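As an added example (not code from this thread, NethServer or certbot), here is a small checker that parses certbot renewal conf files and reports the two conditions visible above: a conf with no file references (the CertStorageError certbot logs before skipping the lineage) and a conf whose archive_dir belongs to a different lineage than its filename. The sample confs and the names mail.example.test / mail.example.test-0001 are constructed for the example.

```python
# Added example (not certbot/NethServer code): parse certbot renewal confs and flag the
# "missing a required file reference" condition seen in the log above. Samples constructed.
import re
from typing import Dict, List

REQUIRED_FILE_KEYS = ("cert", "privkey", "chain", "fullchain")  # required by RenewableCert

def parse_renewal_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal configobj-style parser: {section: {key: value}}, top level is "";
    nested [[webroot_map]] flattens to 'renewalparams.webroot_map'."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    stack: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^(\[+)\s*([^\[\]]+?)\s*\]+$", line)
        if header:
            stack = stack[:len(header.group(1)) - 1] + [header.group(2)]
            sections[".".join(stack)] = {}
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[".".join(stack)][key.strip()] = value.strip()
    return sections

def check_renewal_conf(filename: str, text: str) -> List[str]:
    """Return the problems found in one renewal conf (empty list = looks sane)."""
    problems: List[str] = []
    top = parse_renewal_conf(text).get("", {})
    missing = [k for k in REQUIRED_FILE_KEYS if k not in top]
    if missing:  # this is what certbot reports as CertStorageError and then skips
        problems.append(f"{filename}: missing required file reference(s): {', '.join(missing)}")
    # certbot names the lineage after the conf file; archive_dir elsewhere = duplicated lineage
    lineage = filename[:-5] if filename.endswith(".conf") else filename
    archive = top.get("archive_dir", "")
    if archive and archive.rstrip("/").rsplit("/", 1)[-1] != lineage:
        problems.append(f"{filename}: archive_dir {archive} does not match lineage {lineage}")
    return problems

# Constructed samples: an empty conf (the broken one) and a complete conf for a -0001 lineage
EMPTY_CONF = ""
SAMPLE_CONF = """\
archive_dir = /etc/letsencrypt/archive/mail.example.test-0001
cert = /etc/letsencrypt/live/mail.example.test-0001/cert.pem
privkey = /etc/letsencrypt/live/mail.example.test-0001/privkey.pem
chain = /etc/letsencrypt/live/mail.example.test-0001/chain.pem
fullchain = /etc/letsencrypt/live/mail.example.test-0001/fullchain.pem
[renewalparams]
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
"""
```

Running check_renewal_conf over every file in /etc/letsencrypt/renewal/ shows which lineage certbot will skip and which conf was cloned into a -0001 copy, which is the information needed before deleting or renaming anything there.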

Sorry for the inconvenience with the limitation. It is there to prevent abuse from spammers/robots and so on, and goes away after spending some time in the community. You’ve been promoted to a more trusted user level. If you want to try again…

Damn algorithms…

Here's some more info on why the limitations exist and how to format posts and use the forum:


thank you

Hi Thyran,

It looks exactly like the problem @capote had: Wordpress installation on Nethserver (multiple vhosts) - #134 by capote

Should be archive_dir = /etc/letsencrypt/archive/wrightway.nz

I would say that there are already directories named /etc/letsencrypt/archive/wrightway.nz and /etc/letsencrypt/archive/wrightway.nz-0001, and maybe soon a third one that will be named /etc/letsencrypt/archive/wrightway.nz-0002.

DNS Record:
● You have an A record www pointing to your IP; it should be a CNAME www pointing at @.
● The A record for mail should be named mail.wrightway.nz pointing to your IP.
● I do not understand why some CNAMEs are pointing at mail.xxxxx. (You have more than one mail server?) Maybe you can delete those CNAMEs as they are not really necessary for now.

For sure, you have problems with your DNS records.
For a start, have a look at Stéphane’s email_protection_resources [NethServer Wiki].

Michel-André

Hi There
Thank you for the feedback.
There is already a directory
/etc/letsencrypt/archive/wrightway.nz
and a directory
/etc/letsencrypt/archive/wrightway.nz-0001

So what must I do to resolve the problem?

I am also unable to navigate to my NethServer GUI environment using the FQDN; I have to use the local IP and ports.

It's as if the NethServer DNS is not working or something; however, if I ping my mail server using the FQDN I get a result from the IP.

The DNS records for A and www have been configured this way on my external registrar from the start and haven't been an issue.

Surely I should be pointing autodiscover, imap and smtp to the mail server?

The others are virtual hosts.

Hi Thyran, I solved this problem: Wordpress installation on Nethserver (multiple vhosts) - #135 by michelandre

The easier way seems to be: Improved Certificate Management - #10 by danb35

I am also unable to navigate to my NethServer GUI environment using the FQDN; I have to use the local IP and ports.

Have you checked System → Hostname/Alias?

In my case it works well:
Hostname FQDN: srv01.mydomain01.tld
Alias: mydomain01.tld, mydomain02.tld, sub.mydomain02.tld

I can address my Nethserver UI using https://mydomain01.tld:9090 or https://srv01.mydomain01.tld:9090

Best regards, Marko

Hi Thyran,

You have more than one problem. Don't worry, the forum is here to help you.

  • You should start by resolving the DNS records, then the certificate. (One problem at a time.)
  • Use the default NethServer certificate for now; later, when the DNS records are working properly, you can use Let's Encrypt. (Start with a simple configuration, then more complicated.)
  • Use only the default domain for mail; later, when it is working properly, you can configure the one for the other domains. (Again, start with a simple configuration, then more complicated.)

When you register a domain, usually the registrar thinks (hopes) that you will be hosting your new domain with them and not on your own server; that is why he configures the DNS the way it is. The registrar Gandi thinks that way, maybe not yours.

Can you tell us who your domain registrar is, so we know how he wants the DNS records?
Example: The registrar Gandi wants to have a final period (.) at the end of the A record for mail, but not all other registrars require it.

Michel-André

Hi, I finally managed to resolve this issue after dealing with it for a few years.

It turns out it was a misconfiguration in my DNS: I pointed my router to NethServer as the DNS provider and removed the secondary DNS from it.

I then set my DNS on the NS dashboard to use itself as the primary and Google's as the secondary.

I am now finally able to send and receive email / configure clients on my internal network, and even access my FQDN on Server Manager instead of my local IP.

Thanks for your assistance

Appreciate the support