mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

tls intermittent along with letsencrypt #1417

Closed kilo42L closed 6 years ago

kilo42L commented 6 years ago

I am having problems with letsencrypt randomly disabling the https but there is nothing in the logs about any failures and I'm also having some strange problems with tls. All my clients are using outlook to get messages and 2 are from outside the network. I have to disable security internally because the outlook clients will not connect with encryption enabled.

The external clients will handshake tls and connect for a few seconds and then they lose connection. I'm really at a loss as to why this is all happening.

Using https://www.checktls.com/perl/TestReceiver.pl

I get a good report one second then if I run report again it all fails.

seconds   test stage and result
[000.052]   Connected to server
[002.598] <-- 220 mail.forestproperties.com ESMTP Postfix
[002.600]   We are allowed to connect
[002.600] --> EHLO www6.CheckTLS.com
[002.646] <-- 250-mail.forestproperties.com250-PIPELINING250-SIZE 26214400250-ETRN250-STARTTLS250-ENHANCEDSTATUSCODES250-8BITMIME250 DSN
[002.646]   We can use this server
[002.646]   TLS is an option on this server

Thanks for any help you can provide

andryyy commented 6 years ago

How does LE randomly disable HTTPS? I don't understand. https://mail.forestproperties.com/ looks fine.

"The external clients will handshake tls and connect for a few seconds" <- That's what happens on port 25! That's not a port for clients to use (use port 587 STARTTLS or 465 TLS-wrapped here).

This delay is created by postscreen to catch spam scripts. Once a server has passed this test, it is whitelisted for a while.
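As an added example (not code from the thread or from the mailcow project), a small Python check of the ports andryyy points to: it runs EHLO on 587, confirms STARTTLS is advertised, upgrades the connection with certificate verification and reports what was negotiated, and does an implicit-TLS connect on 465. The hostname is a placeholder, and the EHLO parser can be exercised offline with a constructed reply.

```python
import smtplib
import socket
import ssl


def parse_ehlo(reply: str) -> dict:
    """Parse an RFC 5321 EHLO reply ("250-EXT [params]" lines, final line
    "250 EXT") into {EXTENSION: params}; the first line is the server name."""
    exts = {}
    for line in reply.strip().splitlines()[1:]:
        name, _, params = line[4:].partition(" ")  # drop "250-" / "250 "
        if name:
            exts[name.upper()] = params
    return exts


def offers_starttls(reply: str) -> bool:
    return "STARTTLS" in parse_ehlo(reply)


def check_starttls(host: str, port: int = 587, timeout: float = 10) -> dict:
    """Submission port: EHLO, then STARTTLS verified against the system trust
    store. Returns the negotiated protocol, cipher and certificate lifetime."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        _code, msg = smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False, "ehlo": msg.decode(errors="replace")}
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        cert = sock.getpeercert()
        return {"starttls": True, "protocol": sock.version(),
                "cipher": sock.cipher()[0], "not_after": cert["notAfter"],
                "subject": dict(rdn[0] for rdn in cert["subject"])}


def check_tls_wrapped(host: str, port: int = 465, timeout: float = 10) -> dict:
    """Implicit TLS (465): the handshake happens before any SMTP dialogue,
    so the first thing read after wrapping is the 220 banner."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            banner = tls.recv(512).decode(errors="replace").strip()
            return {"protocol": tls.version(), "banner": banner}


if __name__ == "__main__":
    HOST = "mail.example.org"  # placeholder: your own mailcow hostname
    print(check_starttls(HOST))
    print(check_tls_wrapped(HOST))
```

Port 25 is deliberately left out: postscreen's greeting delay there is expected behaviour for a server-to-server port, not a client fault.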

kilo42L commented 6 years ago

Thank you for the fast reply and you are right about port 25. I meant to say 587. As far as the HTTPS goes... I'm not sure. I realized that in mailcow.conf this was not filled out with my local IP.

# You should use HTTPS, but in case of SSL offloaded reverse proxies:
HTTP_PORT=80
HTTP_BIND=0.0.0.0

HTTPS_PORT=443
HTTPS_BIND=0.0.0.0

Not sure what's going on with tls though as I had to disable encryption in dovecot just so the outlook clients could work today. I have tried about everything I can think of to get outlook to work.

andryyy commented 6 years ago

A bind does not need to be filled with your local IP. 0.0.0.0 is fine. Why did you disable TLS in Dovecot? I don't see how that relates to your previous problem. LE does not enable or disable certificates by itself. Port 25 and 587 aren't opened by Dovecot but Postfix.

What do you mean, you "meant to say 587"? You never said 25.

I don't know what is happening here, sorry.

kilo42L commented 6 years ago

Oh boy, I screwed up now.
I changed a cipher temporarily and broke Docker containers:

Starting mailcowdockerized_sogo-mailcow_1 ... error
Starting mailcowdockerized_mysql-mailcow_1 ...
mailcowdockerized_memcached-mailcow_1 is up-to-date
mailcowdockerized_php-fpm-mailcow_1 is up-to-date
Starting mailcowdockerized_unbound-mailcow_1 ... error
Starting mailcowdockerized_dovecot-mailcow_1 ... error

ERROR: for mailcowdockerized_unbound-mailcow_1 Cannot start service unbound-mailcow: Address already in use

ERROR: for mailcowdockerized_dovecot-mailcow_1 Cannot start service dovecot-mailcow: driver failed programming external connectivity on endpoint mailcowdockerized_doStarting mailcowdockerized_mysql-mailcow_1 ... error

ERROR: for mailcowdockerized_mysql-mailcow_1 Cannot start service mysql-mailcow: driver failed programming external connectivity on endpoint mailcowdockerized_mysql-mailcow_1 (bbf5f2108e90f7b191232caa784de740e499a01e9eb60f874f7b8e98e3ea0df3): Bind for 127.0.0.1:13306 failed: port is already allocated

ERROR: for sogo-mailcow Cannot start service sogo-mailcow: Address already in use

Can you help?

kilo42L commented 6 years ago

Thank God for proxmox snapshots