2
h4xx3r
5y

Did any of you try to configure iRedMail with an https only domain that also maps in nginx as a reverse proxy?

(Ps: FFS why the developers of iRedMail develop with nginx in mind but there isn't any .conf about iRedMail?)

Comments
  • 2
    I have no idea what you are trying to say?

    I use it only over HTTPS.
  • 0
    @Linux After the setup it's configured to rely on self generated certificate, and with certbot it doesn't find the domain setup for email 😕
  • 2
    @h4xx3r

    Eh? Have you set up all the DNS records and stuff? Seems like you have missed some quite important stuff.
  • 0
    The DNS records are already pointing to my IP (static), I'm just used to certbot --nginx finding the list of configured servers and let me create the certificate, but once I set up iRedMail following the installation process, despite having nginx selected, the default outside interface is with a self signed certificate, something that I learned is unacceptable by browsers with the domain .app, so I have to set up a letsencrypt certificate, but certbot can't find the iRedMail settings for mail.myapp.app

    Any help at what I'm doing wrong?
    (I also saw that the iRedMail developers highly discourage the use of certbot because of seeing manipulation, but this doesn't give me any help on how to do without certbot)

    @Linux
  • 1
    I'm currently attempting to move my mailers behind an Nginx reverse proxy. As far as HTTPS only goes, yes, and everything I interact with as a user is hidden within a VPN. As far as TLS on the mailing systems go, opportunistic. Governments are a PITA, their mailers don't support TLS at all...
  • 1
    @Condor what are you answering o.o?
  • 1
    @h4xx3r

    Ah, the entire .app domain is HSTS preloaded. You can use a stupid browser (like ARORA) to go around that, because it does not have security :P

    Otherwise, you have to open up port 80 in nginx in order to make it work.

    Thing is, I stopped using LE on my emailserver so I can get DANE working without headache.

    Otherwise, you should try doing the DNS-challenge instead.
  • 1
    There are some rewrite rules that mess with the HTTP verification sadly.
  • 0
    @Linux this... Right now I totally reinstalled the OS and set up nextcloud again and reverse proxies to my .net core apps and I'm re-evaluating reinstalling iRedMail because previously it did mess up with the default nginx configurations 😥

    Can you suggest any sane drop in email server that does work with nginx without overtaking its configs?
  • 1
    @h4xx3r

    Just install iredmail first, as iredmail itself says.

    All the bundles I know of actually mess with apache/nginx configs.
  • 0
    @Linux 🙁 oh, shit, here we go again.

    The issue still remains with iRedMail, after the setup the certificate that's being provided for mail.domain.app is self signed, and out of the box the command certbot --nginx doesn't see the configuration for mail.domain.app so I can't enable the server to fully function online (except for old, insecure browsers)
  • 1
    @h4xx3r

    Just do DNS-verification.
  • 1
    Also, you'll find the config in /etc/nginx/templates.

    The SSL config is then included in sites-available/00-default-ssl.conf
  • 0
    @Linux any site or guide does that?

    I didn't look in the templates folder, I'll investigate it further post iRedMail installation.
    Thanks.

    Ps: do you need a powerful server for low traffic emails?
  • 1
    @h4xx3r

    The certbot manual has the information on how to do DNS-verification. Depending on what DNS-provider you use - you can automate that as well.

    Amavis+ClamAV can take quite some resources. So I recommend 2GB RAM unless you want crashing all the time :) Or a good amount of swap
  • 1
    @h4xx3r the quality of the question defines the quality of the answer. I've made a fair amount of assumptions when making that answer. But when in doubt, Google should be able to help you best.
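
Added example, not part of the thread and not iRedMail's own tooling: a shell sketch of the DNS-verification route suggested above, plus a check for whether the certificate a host serves is still self-signed. The hostname mail.example.app is a placeholder, the function names are hypothetical, and "subject equals issuer" is used as the self-signed heuristic.

```shell
#!/bin/sh
# Added example. Function names and the mail.example.app host are assumptions.

# Exit 0 when the certificate's subject equals its issuer, i.e. it looks like
# the installer-generated self-signed certificate described in the thread.
is_self_signed() {
    cert_file=$1
    subject=$(openssl x509 -in "$cert_file" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$cert_file" -noout -issuer -nameopt RFC2253 \
        | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Save the leaf certificate the web server presents on port 443 (uses SNI).
fetch_served_cert() {
    host=$1
    out=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Request a certificate with the DNS-01 challenge. certbot prints a TXT record
# to publish, so it needs neither port 80 nor a server block it can parse.
request_dns01_cert() {
    certbot certonly --manual --preferred-challenges dns -d "$1"
}

# Usage: script.sh check mail.example.app | script.sh issue mail.example.app
case "${1:-}" in
    check)
        pem=$(mktemp)
        fetch_served_cert "$2" "$pem"
        if is_self_signed "$pem"; then
            echo "$2 serves a self-signed certificate"
        else
            echo "$2 serves a CA-issued certificate"
        fi
        rm -f "$pem"
        ;;
    issue)
        request_dns01_cert "$2"
        ;;
esac
```

After issuance, the certificate and key paths referenced by the SSL config mentioned above still have to be pointed at the new files, and nginx reloaded.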