    Help configuring secure email via kopano-docker project

    Kopano Groupware Core
    • nfaction

      Hello all,
      I have been looking at the documentation for the kopano-docker project regarding using 587 (Submission) instead of the default port 25 (SMTP), but am struggling to figure out how to modify this setup to do so.

      I am using my own ssl certificates and have attempted to modify the docker-mailserver to use those certificates. Here’s what I changed:

      # docker-compose.mail.yml
      services:
        mail:
          image: mailserver/docker-mailserver:10
          restart: unless-stopped
          hostname: mail # hostname and domainname may need to be commented on some platforms (e.g. ChromeOS)
          domainname: ${LDAP_DOMAIN}
          container_name: ${COMPOSE_PROJECT_NAME}_mail
          ports:
            - "${SMTPPORT:-25}:25"
            - "${SMTPSPORT:-465}:465"
            - "${MSAPORT:-587}:587"
          volumes:
            - maildata:/var/mail
            - mailstate:/var/mail-state
            - maillogs:/var/log/mail
            - mtaconfig:/tmp/docker-mailserver/
            #- ./swag/config/etc/letsencrypt/live/example.org/:/tmp/ssl
            - type: bind
              source: ./swag/config/etc/letsencrypt/archive/example.org/fullchain1.pem
              target: /tmp/ssl/fullchain.pem
            - type: bind
              source: ./swag/config/etc/letsencrypt/archive/example.org/privkey1.pem
              target: /tmp/ssl/privkey.pem
          environment:
            - DMS_DEBUG=0
            - ENABLE_CLAMAV=1
            - ENABLE_FAIL2BAN=1
            - ENABLE_LDAP=1
            - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1
            - ENABLE_POSTGREY=1
            - ENABLE_SASLAUTHD=1
            - ENABLE_SPAMASSASSIN=1
            - LDAP_BIND_DN=${LDAP_BIND_DN}
            - LDAP_BIND_PW=${LDAP_BIND_PW}
            - LDAP_QUERY_FILTER_ALIAS=${LDAP_QUERY_FILTER_ALIAS}
            - LDAP_QUERY_FILTER_DOMAIN=${LDAP_QUERY_FILTER_DOMAIN}
            - LDAP_QUERY_FILTER_GROUP=${LDAP_QUERY_FILTER_GROUP}
            - LDAP_QUERY_FILTER_USER=${LDAP_QUERY_FILTER_USER}
            - LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
            - LDAP_SERVER_HOST=${LDAP_SERVER}
            - ONE_DIR=1
            - PERMIT_DOCKER=connected-networks
            - POSTFIX_DAGENT=lmtp:kopano_dagent:2003
            - PFLOGSUMM_TRIGGER=logrotate
            - POSTMASTER_ADDRESS=${POSTMASTER_ADDRESS}
            - SASLAUTHD_LDAP_BIND_DN=${LDAP_BIND_DN}
            - SASLAUTHD_LDAP_FILTER=${SASLAUTHD_LDAP_FILTER}
            - SASLAUTHD_LDAP_PASSWORD=${LDAP_BIND_PW}
            - SASLAUTHD_LDAP_SEARCH_BASE=${LDAP_SEARCH_BASE}
            - SASLAUTHD_LDAP_SERVER=${LDAP_HOST}
            - SASLAUTHD_MECHANISMS=rimap
            - SASLAUTHD_MECH_OPTIONS=kopano_gateway
            # - SMTP_ONLY=
            - SMTP_ONLY=1
            - SPAMASSASSIN_SPAM_TO_INBOX=1
            # - SSL_TYPE=self-signed
            - SSL_TYPE=manual
            - SSL_CERT_PATH=/tmp/ssl/fullchain.pem
            - SSL_KEY_PATH=/tmp/ssl/privkey.pem
            - TZ=${TZ}
          env_file:
            - mail.env
          networks:
            - kopano-net
          dns: 1.1.1.1  # using Google DNS can lead to lookup errors uncomment this option and
          # set to the ip of a trusted dns service (Cloudflare is given as an example).
          # See https://github.com/zokradonh/kopano-docker/issues/52 for more information.
          cap_add:
            - NET_ADMIN
            - SYS_PTRACE
      
      # docker-compose.yml
        kopano_spooler:
          image: ${docker_repo:-zokradonh}/kopano_core:${CORE_VERSION:-latest}
          read_only: true
          restart: unless-stopped
          hostname: spooler # hostname and domainname may need to be commented on some platforms (e.g. ChromeOS)
          domainname: ${LDAP_DOMAIN}
          depends_on:
            - kopano_server
          volumes:
            - /etc/machine-id:/etc/machine-id
            - /etc/machine-id:/var/lib/dbus/machine-id
            - kopanosocket/:/run/kopano
            - kopanossl/:/kopano/ssl
          environment:
            - KCCONF_SPOOLER_LOG_LEVEL=3
            - KCCONF_SPOOLER_LOG_TIMESTAMP=0
            - KCCONF_SPOOLER_SMTP_SERVER=mail
            - KCCONF_SPOOLER_SMTP_PORT=587
            - KCCONF_SPOOLER_SSLKEY_FILE=/kopano/ssl/kopano_spooler.pem
            - SERVICE_TO_START=spooler
            - TZ=${TZ}
          env_file:
            - kopano_spooler.env
          networks:
            - kopano-net
          tmpfs:
            - /tmp
      

      Take note that I changed KCCONF_SPOOLER_SMTP_PORT to point to 587 and am using SSL_TYPE, SSL_{CERT,KEY}_PATH to point to my SSL certificate generated via a separate Letsencrypt instance.

      After making these changes, I run into this error when trying to send email via the WebApp:

      Unfortunately, kopano-spooler was unable to deliver your mail.
      The error given was:
      
      5.7.0 Must issue a STARTTLS command first
      
      You may need to contact your e-mail administrator to solve this problem.
      

      I have looked all over the docker-mailserver docs, but don’t see any obvious suggestions on how to change this in the way it’s being used with kopano-docker. I feel like I am missing something obvious.

      Any suggestions would be much appreciated!

      • fbartels (Kopano) @nfaction

        Hi @nfaction,

        @nfaction said in Help configuring secure email via kopano-docker project:

        Take note that I changed KCCONF_SPOOLER_SMTP_PORT to point to 587

        kopano-spooler always needs a plain port without authentication to submit its mails to. But this is not a problem at all, since this only happens on an internal connection/network.

        If you want to securely send from external clients (other services, pop3/imap clients) you should still set it up, but for everything Kopano related (WebApp, ActiveSync clients) it's not relevant.

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/
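        The behaviour Felix describes (kopano-spooler submits on a plain internal port, while a submission port rejects MAIL FROM until STARTTLS has run) can be reproduced without a running mail stack. The script below is an added example, not code from this thread or from the kopano-docker project; it uses a constructed fake SMTP listener standing in for docker-mailserver's Postfix, and the sender address and client hostname are assumed.

```python
import smtplib
import socketserver
import threading

# Constructed stand-in for docker-mailserver's Postfix (demo only, not the real MTA).
# require_tls=True mimics the submission port 587, which rejects MAIL FROM until
# STARTTLS has run; require_tls=False mimics the internal relay port 25.
class FakeSMTP(socketserver.StreamRequestHandler):
    require_tls = False

    def handle(self):
        self.wfile.write(b"220 mail ESMTP\r\n")
        for raw in self.rfile:
            cmd = raw.decode(errors="replace").strip().upper()
            if cmd.startswith("EHLO") or cmd.startswith("HELO"):
                self.wfile.write(b"250-mail\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif cmd.startswith("MAIL FROM") and self.require_tls:
                self.wfile.write(b"530 5.7.0 Must issue a STARTTLS command first\r\n")
            elif cmd.startswith("MAIL FROM"):
                self.wfile.write(b"250 2.1.0 Ok\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"250 2.0.0 Ok\r\n")

def start_fake(require_tls):
    handler = type("Handler", (FakeSMTP,), {"require_tls": require_tls})
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_plain_submission(host, port, sender="spooler@example.org"):
    # Speak SMTP the way kopano-spooler does on a plain port: EHLO, then MAIL FROM
    # with neither STARTTLS nor AUTH. Returns the (code, text) reply to MAIL FROM.
    with smtplib.SMTP(host, port, local_hostname="spooler", timeout=5) as smtp:
        smtp.ehlo()
        code, msg = smtp.mail(sender)
    return code, msg.decode()

def compare_ports():
    # 250 = port accepts plain internal submission; 530 = the error quoted in the thread.
    results = {}
    for name, require_tls in (("relay_25", False), ("submission_587", True)):
        srv, port = start_fake(require_tls)
        results[name] = probe_plain_submission("127.0.0.1", port)[0]
        srv.shutdown()
        srv.server_close()
    return results
```

Pointing `probe_plain_submission` at a real host lets you confirm from inside the compose network that port 25 accepts the spooler's plain handshake while 587 still refuses it, which is the expected hardening for anything reachable from outside.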

        • nfaction @fbartels

          @fbartels said in Help configuring secure email via kopano-docker project:

          If you want to securely send from external clients (other services, pop3/imap clients) you should still set it up, but for everything Kopano related (WebApp, ActiveSync clients) its not relevant.

          Could you elaborate a bit more? While it makes sense that backend email is handled via the MTA, I don’t follow what would need to be changed to get external mail to be secure.

          As of now, all email is sent and received on Port 25. I do see that the docker-mailserver has all ports open, but I can’t figure out how to modify that so that it works with kopano and can send externally in a secure fashion.

          Are you suggesting I set up another docker-mailserver to handle external mail? I’m not following what you mean.

          • fbartels (Kopano) @nfaction

            Hi @nfaction,

            maybe I need to phrase it a bit differently:

            • to be able to send mails from the Kopano clients (WebApp, ActiveSync clients) nothing needs to be changed in the configuration of kopano-spooler or the kopano_spooler container
            • if you want to change configuration in the mail container, then I suggest checking their docs (you already linked to https://docker-mailserver.github.io/docker-mailserver/edge/config/security/understanding-the-ports/) and asking in their project if you encounter any issues sending mail for example through Thunderbird. In my eyes this is out of the scope of the kopano-docker project, but should be possible to achieve through configuration nonetheless.
            • running a second instance of docker-mailserver is not necessary

            PS: why did you delete your topic regarding the use of linuxserver.io swag?

            Regards Felix
