hardware / mailserver

:warning: UNMAINTAINED - Simple and full-featured mail server using Docker
https://store.docker.com/community/images/hardware/mailserver
MIT License

certificate ssl not trusted #301

Closed albjeremias closed 6 years ago

albjeremias commented 6 years ago


Docker information

$ docker images hardware/mailserver --digests --filter "dangling=false"
REPOSITORY            TAG                 DIGEST                                                                    IMAGE ID            CREATED             SIZE
hardware/mailserver   1.1-stable          sha256:2b3438858bab140572ea51b8ca03c036c3f892abab04e9b36c00056cb0c2eb3c   c0d77fd44594        3 weeks ago         378MB

Description

So, when I try to connect Thunderbird or other software, they can't automatically trust the IMAP/SMTP server; they request the user to manually trust the certificates. Here are some screenshots: [image] [image]

Configuration (docker-compose.yml, traefik.toml...etc)

# FROM: https://github.com/hardware/mailserver
version: "3"

# IPv4 only
# docker network create http_network

# IPv4/IPv6 network
# docker network create http_network --ipv6 --subnet "fd00:0000:0000:0000::/64"
# Refer to https://github.com/hardware/mailserver/#ipv6-support for more information.

networks:
  world:
    external: true
  mail_network:
    external: false

services:

  mailserver:
    image: hardware/mailserver:${MAILSERVER_DOCKER_TAG}
    container_name: mailserver
    restart: ${RESTART_MODE}
    domainname: ${MAILSERVER_DOMAIN}                    # Mail server A/MX/FQDN & reverse PTR = mail.domain.tld.
    hostname: ${MAILSERVER_HOSTNAME}
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:mail.${MAILSERVER_DOMAIN}
      - traefik.port=11334
      - traefik.docker.network=world
    ports:
      - "25:25"       # SMTP                - Required
    # - "110:110"     # POP3       STARTTLS - Optional - For webmails/desktop clients
      - "143:143"     # IMAP       STARTTLS - Optional - For webmails/desktop clients
    # - "465:465"     # SMTPS      SSL/TLS  - Optional - Enabled for compatibility reason, otherwise disabled
      - "587:587"     # Submission STARTTLS - Optional - For webmails/desktop clients
      - "993:993"     # IMAPS      SSL/TLS  - Optional - For webmails/desktop clients
    # - "995:995"     # POP3S      SSL/TLS  - Optional - For webmails/desktop clients
      - "4190:4190"   # SIEVE      STARTTLS - Optional - Recommended for mail filtering
    environment:
      - DBPASS=${DATABASE_USER_PASSWORD}       # MariaDB database password (required)
      - RSPAMD_PASSWORD=${RSPAMD_PASSWORD}     # Rspamd WebUI password (required)
    volumes:
      - ${VOLUMES_ROOT_PATH}/mail:/var/mail
    depends_on:
      - mariadb
      - redis
    networks:
      - mail_network
      - world

  # Administration interface
  # https://github.com/hardware/postfixadmin
  # http://postfixadmin.sourceforge.net/
  # Configuration : https://github.com/hardware/mailserver/wiki/Postfixadmin-initial-configuration
  postfixadmin:
    image: hardware/postfixadmin
    container_name: postfixadmin
    restart: ${RESTART_MODE}
    domainname: ${MAILSERVER_DOMAIN}
    hostname: ${MAILSERVER_HOSTNAME}
    labels:
      - traefik.enable=true
      - traefik.frontend.rule=Host:postfixadmin.${MAILSERVER_DOMAIN}
      - traefik.port=8888
      - traefik.docker.network=world
    environment:
      - DBPASS=${DATABASE_USER_PASSWORD}
    depends_on:
      - mailserver
      - mariadb
    networks:
      - mail_network
      - world

  # Webmail (Optional)
  # https://github.com/hardware/rainloop
  # https://www.rainloop.net/
  # Configuration : https://github.com/hardware/mailserver/wiki/Rainloop-initial-configuration
  rainloop:
    image: hardware/rainloop
    container_name: rainloop
    restart: ${RESTART_MODE}
    labels:
      - traefik.enable=true
      - traefik.port=8888
      - traefik.frontend.rule=Host:webmail.${MAILSERVER_DOMAIN}
      - traefik.docker.network=world
    volumes:
      - ${VOLUMES_ROOT_PATH}/rainloop:/rainloop/data
    depends_on:
      - mailserver
      - mariadb
    networks:
      - mail_network
      - world

  # Alternative webmail (Optional)
  # https://github.com/hardware/afterlogic-webmail-lite
  # https://afterlogic.org/webmail-lite
  # Configuration : https://github.com/hardware/mailserver/wiki/AfterLogic-Webmail-Lite-initial-configuration
  # afterlogic-webmail-lite:
  #   image: hardware/afterlogic-webmail-lite
  #   container_name: afterlogic-webmail-lite
  #   restart: ${RESTART_MODE}
  #   labels:
  #     - traefik.enable=true
  #     - traefik.port=8888
  #     - traefik.frontend.rule=Host:webmail.${MAILSERVER_DOMAIN}
  #     - traefik.docker.network=http_network
  #   volumes:
  #     - ${VOLUMES_ROOT_PATH}/afterlogic-webmail-lite:/afterlogic-webmail-lite/data
  #   depends_on:
  #     - mailserver
  #     - mariadb
  #   networks:
  #     - mail_network
  #     - http_network

  # Authoritative DNS server (Optional)
  # https://github.com/hardware/nsd-dnssec
  # https://www.nlnetlabs.nl/projects/nsd/
  # Configuration : https://github.com/hardware/mailserver/wiki/NSD-initial-configuration
  # nsd:
  #   image: hardware/nsd-dnssec
  #   container_name: nsd
  #   restart: ${RESTART_MODE}
  #   ports:
  #     - "53:53"
  #     - "53:53/udp"
  #   volumes:
  #     - ${VOLUMES_ROOT_PATH}/nsd/conf:/etc/nsd
  #     - ${VOLUMES_ROOT_PATH}/nsd/zones:/zones
  #     - ${VOLUMES_ROOT_PATH}/nsd/db:/var/db/nsd

  # Database
  # https://github.com/docker-library/mariadb
  # https://mariadb.org/
  mariadb:
    image: mariadb:10.2
    labels:
      - "traefik.enable=false"
    container_name: mariadb
    restart: ${RESTART_MODE}
    # Info : These variables are ignored when the volume already exists (if databases was created before).
    environment:
      - MYSQL_RANDOM_ROOT_PASSWORD=yes
      - MYSQL_DATABASE=postfix
      - MYSQL_USER=postfix
      - MYSQL_PASSWORD=${DATABASE_USER_PASSWORD}
    volumes:
      - ${VOLUMES_ROOT_PATH}/mysql/db:/var/lib/mysql
    networks:
      - mail_network

  # Database
  # https://github.com/docker-library/redis
  # https://redis.io/
  redis:
    image: redis:4.0-alpine
    labels:
      - "traefik.enable=false"
    container_name: redis
    restart: ${RESTART_MODE}
    command: redis-server --appendonly yes
    volumes:
      - ${VOLUMES_ROOT_PATH}/redis/db:/data
    networks:
      - mail_network

.env:

# for variable substitution in your docker compose file.
# https://docs.docker.com/compose/env-file/

#
# MANDATORY
# /!\ if these variables are unset, the mail server will not start.
#

# Your domain name (eg. domain.tld)
MAILSERVER_DOMAIN=domain.tld

# MariaDB/PostgreSQL database password
DATABASE_USER_PASSWORD=XXX

# Rspamd WebUI and controller password
RSPAMD_PASSWORD=XXX

#
# NOT MANDATORY
#

# Your mailserver hostname (eg. mail for mail.domain.tld)
MAILSERVER_HOSTNAME=mail

# Mailserver version
# 1.1-stable : Stable version (v1.1-stable github branch)
# 1.1-latest : Latest development build (master github branch)
# Latest development builds have been validated through
# the CI automation system but they are not meant for
# deployment in production.
# 1.1-stable and 1.1-latest are rebuilt weekly on the docker hub but if you
# have any problem with a new build you can switch to 1.1-stable-fallback
# The fallback tag is rebuilt monthly.
MAILSERVER_DOCKER_TAG=1.1-stable

# Docker volumes parent folder
VOLUMES_ROOT_PATH=/live/storage/mailserver

# Docker containers restart mode
# https://docs.docker.com/compose/compose-file/#restart
RESTART_MODE=unless-stopped

traefik.toml:

defaultEntryPoints = ["http", "https"]

[web]
address = ":7777"
  [web.auth.basic]
  users = ["superadmin:XXXX"]

[docker]
domain = "main.domain.tld"
watch = true

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]

[acme]
  email="info@domain.tld"
  storage="acme.json"
  entryPoint="https"
  acmeLogging=true
  onDemand=false
  OnHostRule=true

[acme.httpChallenge]
  entryPoint = "http"

Thanks... I have no more ideas on how to debug this. Help needed!

hardware commented 6 years ago

Use a trusted certificate as explained here:

https://github.com/hardware/mailserver#ssl-certificates
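A way to see the same trust failure Thunderbird reports from the command line, and to confirm it is gone once a trusted certificate is in place. This is an added example, not code from the original issue or from the hardware/mailserver project. It assumes OpenSSL 1.1.1 or newer (for `-verify_hostname` and `-starttls sieve`) and takes the mail server FQDN (mail.domain.tld in the configuration above) as its only argument. It walks the ports the compose file publishes straight from the container; the traefik ACME certificate does not apply to those, because the traefik labels only route the HTTP frontends.

```shell
#!/bin/sh
# Added example (not part of the issue or the project): report, per mail port,
# whether the served certificate chain is trusted by the local trust store and
# matches the hostname, which is exactly what a mail client checks.

# Map a published port to the openssl s_client option it needs.
# Implicit-TLS ports (465/993/995) need none; the others upgrade via STARTTLS.
starttls_opts() {
  case "$1" in
    25|587)      echo "-starttls smtp" ;;
    143)         echo "-starttls imap" ;;
    110)         echo "-starttls pop3" ;;
    4190)        echo "-starttls sieve" ;;
    465|993|995) echo "" ;;
    *) echo "unknown mail port: $1" >&2; return 1 ;;
  esac
}

# Interpret openssl's "Verify return code" line. Prints a one-line verdict and
# returns 0 only when a client would trust the certificate without prompting.
verify_status() {
  case "$1" in
    *"Verify return code: 0 (ok)"*)
      echo "OK"; return 0 ;;
    *"self signed certificate"*|*"self-signed certificate"*)
      echo "UNTRUSTED: self-signed certificate"; return 1 ;;
    *"unable to get local issuer certificate"*)
      echo "UNTRUSTED: issuer not in trust store or intermediate chain missing"; return 1 ;;
    *"certificate has expired"*)
      echo "UNTRUSTED: certificate expired"; return 1 ;;
    *"hostname mismatch"*)
      echo "UNTRUSTED: certificate name does not match the host"; return 1 ;;
    *"Verify return code:"*)
      echo "UNTRUSTED: $(printf '%s\n' "$1" | sed -n 's/.*Verify return code: //p' | head -n1)"; return 1 ;;
    *)
      echo "ERROR: no TLS handshake (connection refused, timeout, or STARTTLS not offered)"; return 2 ;;
  esac
}

# Connect to one host:port and print the verdict plus subject/issuer of the leaf.
check_port() {
  host="$1"; port="$2"
  opts="$(starttls_opts "$port")" || return 1
  # -servername sends SNI; -verify_hostname makes openssl enforce the name check.
  # $opts is deliberately unquoted so "-starttls smtp" splits into two words.
  out="$(openssl s_client -connect "$host:$port" -servername "$host" \
          -verify_hostname "$host" $opts </dev/null 2>&1)"
  status="$(verify_status "$out")"; rc=$?
  subject="$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n1)"
  issuer="$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n1)"
  printf '%s:%s  %s\n    subject: %s\n    issuer:  %s\n' \
    "$host" "$port" "$status" "$subject" "$issuer"
  return $rc
}

# Usage: sh check_mail_tls.sh mail.domain.tld
# Exits non-zero if any published mail port would make a client prompt the user.
if [ -n "${1:-}" ]; then
  fail=0
  for p in 25 143 587 993 4190; do
    check_port "$1" "$p" || fail=1
  done
  exit $fail
fi
```

Run it once before and once after following the SSL certificates section of the README: the "before" run shows the self-signed or missing-issuer verdict behind the Thunderbird prompt, and the "after" run should print OK on every port. A "hostname mismatch" verdict means the certificate is trusted but was issued for a different name than the one clients connect to.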

albjeremias commented 6 years ago

Cool! :) Now it works! Should I create a PR adding this as a comment on the default docker-compose file? Thanks a lot!

hardware commented 6 years ago

> Should I create a PR adding this as a comment on the default docker-compose file?

Yeah go for it :)