mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

webmail accessible only for those who have ssh-access to the server... #165

Closed vipas84 closed 6 months ago

vipas84 commented 6 months ago

as far as I understand there is no other way to access webmail without ssh-tunneling (I hope I did not say something stupid)

If there are efforts and resources applied to make webmail more beautiful, the login page for it should be publicly accessible, otherwise it will be used only by sysadmins and investing time and resources for it is a waste.

If there is an idea that webmail should be accessible by all users who have a mailbox in this custom setup, so it should not be hidden behind ssh-tunneling.

It could be great if by default it was rendered at mail.[my_custom_domain]... Probably there is such config and I simply missed it...

mjl- commented 6 months ago

You're right that the default quickstart setup makes the web interfaces (admin, account, webmail) only accessible on the internal listener. I have wireguard on my machines, so I can access these web interfaces on new installs without needing an SSH tunnel.

You can change mox.conf, and enable the account/webmail and admin web interfaces for the public listener too. It's just not the default in the quickstart.

Domains have a configuration field "ClientSettingsDomain". By default, it is set to mail.<domain>. It is used for SMTP and IMAP server settings in clients. And once the web interfaces are enabled on the public listener, that mail.<domain> should also allow you to log in to the webmail and account interfaces. You can also change the default configuration of paths: Webmail is at /webmail/ and account at / by default, but you could change it to / and /account/. See https://www.xmox.nl/config/#cfg-mox-conf-Listeners-x-WebmailHTTP and the Path fields.

I think the quickstart can be changed to make webmail appear at / by default, and the account web interface at /account/. When the webmail was introduced it was quite experimental and I didn't know if it was going to be all that useful. But it's useful enough at least for me.

I don't want to make the quickstart interactive. But I do have ideas for a future new command to set up a new mox instance. A "mox setup" that starts a simple webserver with a webapp that asks questions, guides you through the process of setting up mox, and does checks along the way (if outgoing smtp connections can be made, if DNSSEC works, if DNS records are set up properly, etc). And it can ask if you want to make the webmail/account web interfaces accessible on the public port. Will add it to the roadmap. I think it will make setting up mox quite a bit easier.

vipas84 commented 6 months ago

I do this below... What do I miss?

nano /home/mox/config/mox.conf

            AdminHTTP:
                    Enabled: true
                    Port: 80
                    Path: /admin
                    Forwarded: true

            WebmailHTTP:
                    Enabled: true
                    Port: 80
                    Path: /
                    Forwarded: true

            WebmailHTTPS:
                    Enabled: true
                    Port: 443
                    Path: /
                    Forwarded: true

systemctl restart mox.service

mjl- commented 6 months ago

Are you getting an error message when mox is starting? And/or are you getting 404's when making http(s) requests to the host? Is this on the "public" listener? And are you running a reverse proxy in front? If not, then "Forwarded: true" should not be set.

vipas84 commented 6 months ago

I do not see errors when starting....

No I do not get 404 - simply "refused to connect"

After your comment I put those configs into public listener

No reverse proxy, so changed to "Forwarded: false"

And no result, unfortunately

vipas84 commented 6 months ago

Removed completely "Forwarded: " parameter and it helped!!! Thanks for clarifications... I'm passing this quest step-by-step!!!

vipas84 commented 6 months ago

Final solution:

nano /home/mox/config/mox.conf

add to section Listeners: Public:

                AdminHTTP:
                        Enabled: true
                        Port: 80
                        Path: /admin/

                AdminHTTPS:
                        Enabled: true
                        Port: 443
                        Path: /admin/

                WebmailHTTP:
                        Enabled: true
                        Port: 80
                        Path: /

                WebmailHTTPS:
                        Enabled: true
                        Port: 443
                        Path: /
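
An added example, not part of the thread and not mox code: a small Python audit of the Listeners section of a mox.conf-style file that lists which admin, account and webmail interfaces are enabled per listener and flags the cases raised above (admin interface on the public listener, plain HTTP on the public listener, `Forwarded` set). The sample config is constructed, the parser handles only the indented `key: value` subset seen in the snippets, the public-facing listener is assumed to be named `public`, and the flagging rules are this example's own policy.

```python
import re

# Constructed sample in the indented "key: value" style of the thread's snippets.
SAMPLE = """\
Listeners:
  internal:
    AdminHTTP:
      Enabled: true
  public:
    AdminHTTP:
      Enabled: true
      Port: 80
      Forwarded: true
    WebmailHTTPS:
      Enabled: true
"""
WEB = re.compile(r"^(Admin|Account|Webmail)(HTTPS?)$")

def parse(text):
    """Flatten indented 'key: value' lines into {(section, ..., key): value}."""
    flat, stack = {}, []  # stack: (indent, key) of the sections currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "-")) or ":" not in line:
            continue  # blank lines, comments, list items
        indent = len(raw) - len(raw.lstrip())  # tabs or spaces, counted per character
        key, value = (s.strip() for s in line.split(":", 1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        if value:
            flat[tuple(k for _, k in stack)] = value
    return flat

def audit(text, public="public"):  # -> sorted (listener, service, finding) tuples
    flat, out = parse(text), []
    for (*head, last), value in flat.items():
        m = WEB.match(head[-1]) if len(head) == 3 and head[0] == "Listeners" else None
        if not m or last != "Enabled" or value.lower() != "true":
            continue
        _, listener, svc = head
        out.append((listener, svc, "enabled, port " + flat.get((*head, "Port"), "default")))
        if listener.lower() == public:
            if m.group(1) == "Admin":
                out.append((listener, svc, "admin interface on public listener"))
            if m.group(2) == "HTTP":
                out.append((listener, svc, "plain HTTP on public listener"))
        if flat.get((*head, "Forwarded"), "").lower() == "true":
            out.append((listener, svc, "Forwarded set: confirm a reverse proxy is in front"))
    return sorted(out)
```

Run `audit(open("mox.conf").read())` against a copy of the config after each change to see what a restart would expose.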