katefike / sage

A personal finance app that's like Mint, but better. It uses a dockerized postfix/dovecot email server. Parses transaction data from alert emails.
MIT License
5 stars 0 forks

Add TLS config back to the production MX #115

Closed katefike closed 6 months ago

katefike commented 9 months ago

Problem

I can receive an email over port 587 from telnet, but not from Gmail.

Solution

Trying to only receive email on port 587 was a fool's errand (explained in this Server Fault post). TLS enforcement is derived from the postfix config. Namely smtpd_tls_security_level=encrypt. The MX need only listen on port 25 for SMTPD.

Testing

The MX rejects non-TLS submissions.

kfike@pop-os:~$ telnet prod.sagefinancial.dev 25
Trying 178.128.132.77...
Connected to prod.sagefinancial.dev.
Escape character is '^]'.
220 prod ESMTP Postfix (Ubuntu)
ehlo prod.sagefinancial.dev
250-prod
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
MAIL FROM: <support@port25.com>
530 5.7.0 Must issue a STARTTLS command first

Email is received when using STARTTLS

kfike@pop-os:~$ openssl s_client -starttls smtp -ign_eof -crlf -connect prod.sagefinancial.dev:25
ehlo prod.sagefinancial.dev
MAIL FROM: <support@port25.com>
250 2.1.0 Ok
RCPT TO: <kfike@prod.sagefinancial.dev>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Test email open_ssl 25
Test email open_ssl 25

(.venv) kfike@prod:~/sage$ python3 scripts/get_all_emails.py
UID: 1
Date: 1900-01-01 00:00:00
To: ()
From: 
Text: Test email open_ssl 25

1 emails were retrieved.

And Gmail

UID: 2
Date: 2024-03-01 09:45:23+07:00
To: ('kfike@prod.sagefinancial.dev',)
From: kate.e.fike@gmail.com
Text: Test email gmail 25

2 emails were retrieved.
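
Added example, written for this page and not code from the sage repo or from katefike: a small shell lint for the two Postfix settings the fix above depends on (smtpd_tls_security_level = encrypt in main.cf, and a single port-25 smtp listener in master.cf with no separate submission service), plus a check that a captured telnet transcript shows the 530 reply to a cleartext MAIL FROM. The sample main.cf, master.cf and transcript lines are constructed for the demo; the hostname prod.example.test and the certificate paths are placeholders, not the project's real values.

```shell
#!/usr/bin/env bash
# Added example, not code from the sage repo: lint the Postfix settings this
# issue relies on (mandatory STARTTLS on smtpd, a single port-25 listener) and
# check a captured SMTP transcript for the 530 reply that proves enforcement.
set -u

# Effective value of a main.cf parameter: comments and blank lines are
# skipped and, as in Postfix, the last assignment wins. Prints nothing if
# the parameter is unset. (Continuation lines are not handled here.)
postconf_value() {
  local conf="$1" key="$2"
  awk -v key="$key" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
        val = v
      }
    }
    END { if (val != "") print val }' "$conf"
}

# True when smtpd refuses cleartext mail: "encrypt" is mandatory TLS,
# "may" is only opportunistic, and an empty value disables TLS entirely.
smtpd_tls_enforced() {
  [ "$(postconf_value "$1" smtpd_tls_security_level)" = "encrypt" ]
}

# Names of the network (inet) listeners enabled in master.cf. After the fix
# this should print only "smtp" (port 25): no separate "submission" listener.
master_cf_inet_services() {
  awk '!/^[[:space:]]*#/ && NF >= 8 && $2 == "inet" { print $1 }' "$1"
}

# Read an SMTP transcript on stdin (server replies plus the client's typed
# commands, as captured from telnet) and succeed only if a MAIL FROM sent
# before any STARTTLS was answered with a 530 reply.
transcript_rejects_cleartext() {
  awk '
    toupper($0) ~ /^STARTTLS/            { tls = 1 }
    toupper($0) ~ /^MAIL FROM/ && !tls   { pending = 1; next }
    pending && /^530 /                   { found = 1; pending = 0 }
    pending && /^[2-5][0-9][0-9][ -]/    { pending = 0 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed sample files for the demo (not the project's real configs).
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/main.cf" <<'EOF'
# an earlier opportunistic setting, overridden by the later assignment
smtpd_tls_security_level = may
smtpd_tls_security_level = encrypt
smtpd_tls_cert_file = /etc/letsencrypt/live/prod.example.test/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/prod.example.test/privkey.pem
EOF
cat > "$DEMO/master.cf" <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
#submission inet n      -       y       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
EOF

smtpd_tls_enforced "$DEMO/main.cf" && echo "main.cf: smtpd_tls_security_level=encrypt"
echo "inet listeners: $(master_cf_inet_services "$DEMO/master.cf")"
# Constructed transcript, shaped like the telnet session in this issue.
printf '%s\n' '220 prod ESMTP Postfix (Ubuntu)' 'ehlo prod.example.test' \
  '250-prod' '250-STARTTLS' '250 SMTPUTF8' 'MAIL FROM: <probe@example.test>' \
  '530 5.7.0 Must issue a STARTTLS command first' \
  | transcript_rejects_cleartext && echo "transcript: cleartext MAIL FROM rejected"
```

On the real server the same checks can be run against the live files (`docker exec sage-mailserver cat /etc/postfix/main.cf`, as in the comments below) or, more reliably, against `postconf smtpd_tls_security_level`, which prints the value Postfix actually uses after defaults and master.cf `-o` overrides. To verify the running MX rather than its config, paste the output of the `telnet prod.sagefinancial.dev 25` session into `transcript_rejects_cleartext`; a `250 2.1.0 Ok` after a cleartext MAIL FROM means enforcement is off.
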
katefike commented 8 months ago

Testing

Send emails from Gmail to kfike@prod.sagefinancial.dev

Telnet on port 587

kfike@pop-os:~$ telnet prod.sagefinancial.dev 587
Trying 178.128.132.77...
Connected to prod.sagefinancial.dev.
Escape character is '^]'.
220 prod ESMTP Postfix (Ubuntu)
ehlo prod.sagefinancial.dev
250-prod
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250-SMTPUTF8
250 CHUNKING
MAIL FROM: <support@port25.com>
250 2.1.0 Ok
RCPT TO: <kfike@prod.sagefinancial.dev>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Subject: Test email
This is a test email. 24011501
.
250 2.0.0 Ok: queued as AA027C4397
quit
221 2.0.0 Bye
Connection closed by foreign host.

Docker logs

kfike@prod:~/sage$ docker compose -f docker-compose.yml -f docker-compose.prod.yml up

Retrieving inbox

kfike@prod:~/sage$ source ~/sage/.venv/bin/activate
(.venv) kfike@prod:~/sage$ python3 scripts/get_all_emails.py

Changing configs in the mailserver container

kfike@prod:~/sage$ docker exec -it sage-mailserver bash
root@6c310f1436ce:/# cat /etc/postfix/master.cf
root@6c310f1436ce:/# cat /etc/postfix/main.cf
katefike commented 8 months ago

Troubleshooting

Are the TLS certs expired?

Shows the expiration date

sudo openssl x509 -enddate -noout -in /etc/letsencrypt/live/prod.sagefinancial.dev/fullchain.pem | cut -d= -f2
Dec 13 02:20:04 2023 GMT

In this case the certs were expired.
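
Added example, written for this page and not code from the sage repo or from katefike: the expiry check from the comment above turned into reusable shell functions, using `openssl x509 -checkend` for the date arithmetic, plus a check that the certificate and private key actually belong together, which is the other way a renewed Let's Encrypt chain breaks Postfix TLS. The throwaway self-signed certificate, the unrelated key and the name prod.example.test are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not code from the sage repo: certificate checks for a
# Postfix MX, runnable offline against a generated throwaway cert.
set -u

# Print the notAfter date of a PEM certificate (first cert in a fullchain.pem),
# the same value the comment above reads off with cut.
cert_not_after() {
  openssl x509 -enddate -noout -in "$1" | cut -d= -f2
}

# Succeed if the certificate is still valid for at least $2 days (default 14),
# fail if it has already expired or expires within that window. openssl's
# -checkend does the date comparison, so no GNU date is needed.
cert_valid_for_days() {
  local days="${2:-14}"
  openssl x509 -checkend "$((days * 86400))" -noout -in "$1" >/dev/null
}

# Succeed if the certificate's public key matches the private key: a renewed
# fullchain.pem paired with a stale privkey.pem makes Postfix fail the TLS
# handshake even though the dates look fine.
cert_matches_key() {
  [ "$(openssl x509 -pubkey -noout -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Constructed demo: a self-signed cert valid for one day, plus an unrelated
# key, so both the pass and the fail paths are exercised without a real MX.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=prod.example.test' \
  -keyout "$DEMO/privkey.pem" -out "$DEMO/fullchain.pem" 2>/dev/null
openssl genpkey -algorithm RSA -out "$DEMO/other.pem" 2>/dev/null

echo "notAfter: $(cert_not_after "$DEMO/fullchain.pem")"
if cert_valid_for_days "$DEMO/fullchain.pem" 14; then
  echo "cert ok for 14 days"
else
  echo "cert expired or expiring within 14 days: renew and reload Postfix"
fi
cert_matches_key "$DEMO/fullchain.pem" "$DEMO/privkey.pem" && echo "cert matches privkey.pem"
cert_matches_key "$DEMO/fullchain.pem" "$DEMO/other.pem" || echo "other.pem does not match the cert"
```

On the server, point the functions at /etc/letsencrypt/live/prod.sagefinancial.dev/fullchain.pem and privkey.pem (the paths from the comment above, read with sudo). The file on disk can also be newer than what Postfix is serving if the container was not restarted after renewal; `openssl s_client -starttls smtp -connect prod.sagefinancial.dev:25 </dev/null 2>/dev/null | openssl x509 -noout -enddate` prints the notAfter of the certificate the running MX actually presents, which is the one Gmail sees.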