0v0

joined 2 months ago
[–] 0v0@scribe.disroot.org 1 points 1 month ago (1 children)

Thanks, yeah I'm changing it now. I am new to server stuff in case that wasn't obvious, I just got a VPS and domain name as a bit of a personal project to learn more about server stuff :) Good to know all these things!

[–] 0v0@scribe.disroot.org 1 points 1 month ago (1 children)

Hm, with that setup I always have dovecot complaining that it couldn't read /etc/shadow despite me adding dovecot to the shadow group and /etc/shadow having the permissions

-rw-r-----    1 root     shadow         699 Nov  2 23:13 /etc/shadow

I ended up following the configuration here and manually managing an /etc/dovecot/passwd file with users and hashed passwords. With this setup I could log in and read my emails in Thunderbird.

Thanks for your help though! Even though I couldn't figure out how to set up using UNIX account password authentication, you still helped me figure out that the passdb/userdb settings were the issue so I could keep trying different options till they worked. And I suppose at least this method avoids the security concern of letting dovecot read my entire /etc/shadow file.

[–] 0v0@scribe.disroot.org 1 points 1 month ago (4 children)

I meant that for my one IP address, I set it to have a PTR to multiple domain names. My VPS host allows me to add multiple domains to my IP address's PTR records. But yeah, I'll change it to the NAME.domain.com you suggested.

[–] 0v0@scribe.disroot.org 2 points 1 month ago (1 children)

Thank you! I can now receive mail and my Maildir is being populated :)

Set system hostname, PTR, and myhostname to NAME.domain.com where NAME is a unique name that you made up (e.g. I have ‘polaris.dblsaiko.net’). This also makes adding more hosts later less awkward (as opposed to having the hostname be domain.com).

Cheers, will do

[–] 0v0@scribe.disroot.org 1 points 1 month ago (3 children)

Hm, still no luck. I now have

passdb {
  driver = passwd
}
userdb {
  driver = passwd
}

to be as simple as I can. I'm now getting

Nov 02 21:11:06 auth: Debug: Read auth token secret from /run/dovecot/auth-token-secret.dat
Nov 02 21:11:06 auth: Debug: auth client connected (pid=12662)
Nov 02 21:11:06 auth: Debug: client in: AUTH    1       PLAIN   service=imap    secured=tls     session=JNRsffQlRuXBIH/a        lip=<server IP>       rip=<home IP>      lport=993       rport=58694     local_name=mail.domain.com
Nov 02 21:11:06 auth: Debug: client passdb out: CONT    1       
Nov 02 21:11:06 auth: Debug: client in: CONT<hidden>
Nov 02 21:11:06 auth: Debug: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): Performing passdb lookup
Nov 02 21:11:06 auth-worker(12667): Debug: Loading modules from directory: /usr/lib/dovecot/auth
Nov 02 21:11:06 auth-worker(12667): Debug: Module loaded: /usr/lib/dovecot/auth/lib20_auth_var_expand_crypt.so
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): Server accepted connection (fd=13)
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): Sending version handshake
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: Handling PASSV request
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): Performing passdb lookup
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): lookup
Nov 02 21:11:06 auth-worker(12667): Info: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): Password mismatch
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): Finished passdb lookup
Nov 02 21:11:06 auth-worker(12667): Debug: conn unix:auth-worker (pid=12664,uid=90): auth-worker<1>: Finished: password_mismatch
Nov 02 21:11:06 auth: Debug: passwd(user,<home IP>,<JNRsffQlRuXBIH/a>): Finished passdb lookup
Nov 02 21:11:06 auth: Debug: auth(user,<home IP>,<JNRsffQlRuXBIH/a>): Auth request finished
Nov 02 21:11:08 auth: Debug: client passdb out: FAIL    1       user=user

in my dovecot logs. It claims a password mismatch, but I am pretty sure the password is the password to my UNIX user, copied and pasted from my password manager. I can log into my user through VNC by pasting this password and authenticate doas with this password, so unless it somehow pastes differently into Thunderbird...

I also tried authenticating with PAM instead but got

Nov 02 21:03:23 auth: Debug: Loading modules from directory: /usr/lib/dovecot/auth
Nov 02 21:03:23 auth: Fatal: Support not compiled in for passdb driver 'pam'

So I guess unfortunately the dovecot binary Alpine distributes doesn't support PAM. I might try installing a version compiled with PAM support just to test it, but I'd rather just use the dovecot from my package manager if I can get it to work.

Have you set up the users in that file (/etc/dovecot/users) if you even want to do that instead of just using passwd?

Yep I do want to use passwd/UNIX users, not a users file. Thanks for pointing that out—the tutorial didn't mention it so I assumed I didn't need to change that to get it working with UNIX users.

What do you have your passdb set to if you don't mind me asking?

[–] 0v0@scribe.disroot.org 1 points 1 month ago (9 children)

Thanks, I added $mydomain to mydestination. It seems to be sending although I can't see my mail in ~/Maildir, but this is in the syslog now:

Nov  2 20:45:46 domain mail.info postfix/smtpd[29768]: Anonymous TLS connection established from mail-43167.protonmail.ch[185.70.43.167]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1) server-digest SHA256
Nov  2 20:45:46 domain mail.info postfix/smtpd[29768]: C2E9F125DF5: client=mail-43167.protonmail.ch[185.70.43.167]
Nov  2 20:45:46 domain mail.info postfix/cleanup[29773]: C2E9F125DF5: message-id=<id@protonmail.com>
Nov  2 20:45:46 domain mail.info postfix/qmgr[29128]: C2E9F125DF5: from=<my@protonmail.com>, size=5933, nrcpt=1 (queue active)
Nov  2 20:45:46 domain mail.info postfix/smtpd[29768]: disconnect from mail-43167.protonmail.ch[185.70.43.167] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov  2 20:45:46 domain mail.info postfix/local[29775]: C2E9F125DF5: passing <user@domain.com> to transport=lmtp
Nov  2 20:45:46 domain mail.info postfix/lmtp[29776]: C2E9F125DF5: to=<user@domain.com>, relay=none, delay=0.05, delays=0.04/0.01/0.01/0, dsn=4.4.1, status=deferred (connect to mail.domain.com[private/dovecot-lmtp]: No such file or directory)

I think the last message in the log indicates what's wrong but I don't know how to fix it.

You’ll want those to match up, system hostname and postfix’s myhostname, since you’ll need to set the PTR record of your IP to match the hostname your SMTP server identifies itself as, and otherwise your server’s IP resolves to mail.domain.com while the canonical hostname is domain.com. It will work for mail, it’ll just not be nice when your server’s IP resolves to mail.domain.com for stuff that isn’t mail and that isn’t the canonical hostname. I recommend giving it some other hostname (or just setting both to mail.domain.com if the system just handles mail).

So I have the mail server on a server that's hosting a bunch of things on this domain. All the things I'm hosting have the same IP address. On domain.com is a static website (hosted on the same server & IP) for instance.

What would you suggest I set the PTR record to? I don't really want to pay my VPS host for more IP addresses if it's not necessary, but I can if there will be significant problems caused by sharing this IP address. Currently I have multiple PTR records for all the subdomains I'm using, which hasn't caused problems yet...

 

Hi there, I was thinking about the best place to post this. Initially I thought maybe the Dovecot mailing list, but I'm not sure if this is a Dovecot issue or if the issue lies with Postfix, so I figured maybe a more general Linux community. If people have suggestions about where I could post this that may have more people see it who are able/willing to help, I would also appreciate that.

I apologise, this post will probably be quite long, so I really do appreciate if anyone takes the time to read it and give advice.

Anyway, I was following this tutorial to set up a mail server with Postfix and Dovecot. The tutorial is for Ubuntu but I am using an Alpine Linux server; however, the tutorial mostly concerns configuring Postfix and Dovecot, which is distro-independent.

Deviations from the tutorial

I followed the tutorial with the exceptions of the following (deviations listed in order of the part of the tutorial they deviated from, so hopefully this is easy to follow linearly):

My server's hostname is domain.com not mail.domain.com (mail.domain.com is what my MX record points to), but this shouldn't really matter as I configured postfix with:

myhostname=mail.domain.com
mydomain=domain.com

I installed packages with apk not apt obviously, and installed Postfix with doas apk add postfix.

I didn't get the ncurses Postfix configuration popup when I installed or started Postfix.

Alpine doesn't auto-start the Postfix service, so I did

doas rc-update add postfix default
doas rc-service postfix start

I used doas apk add mailutils --update-cache --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing/ to install and test the mail program.

I didn't increase attachment size limit.

Alpine doesn't seem to have a dovecot-imapd package, so I just installed dovecot and dovecot-lmtpd.

When configuring /etc/dovecot/conf.d/15-mailboxes.conf, I also set Drafts, Junk, and Sent Messages to auto-create as well as Trash.

I started the dovecot service the same way I did postfix above.

What works

I can send mail with sendmail and GNU mailutils mail. The following works:

echo "test email" | sendmail my@email.com

And

mail -a FROM:me@domain.com my@email.com

(where domain.com is my Postfix mail server, and my@email.com is my existing email address with an external provider)

The above results in me receiving the email in my spam folder at my@email.com from me@domain.com; the email all appears normal to me.

The issue

I've noticed two problems which may be related.

Can't log into Thunderbird

Firstly, I can't log into Thunderbird. I get the following error:

(Transcription: Unable to log in at server. Probably wrong configuration, username or password.)

To log in, I am entering my email address at user@domain.com, where user is my UNIX user (which is part of the mail group), and domain.com is my domain. I entered my password as my user account's password.

Thunderbird seems to recognise my mail server as it auto configured to the following:

INCOMING: IMAP, hostname mail.domain.com, port 993, SSL/TLS, normal password, username user (i.e. without the @domain.com)

OUTGOING: hostname mail.domain.com, port 465, SSL/TLS, normal password, username user

I have also tried the same configuration with STARTTLS and ports 143 and 587, to the same error.

Can't receive mail

I've also tried to send myself emails from my other email addresses. I've tried two of my external email addresses so far. My email clients say they've sent the emails and they appear in my Sent folder, however my Protonmail has sent me some emails today from their mailer daemon complaining that "Your email could not be delivered for more than 12 hour(s).":

<user@domain.com>: host domain.com[MY IP] said: 454 4.7.1
    <user@domain.com>: Relay access denied (in reply to RCPT TO command)

I've checked /var/log/messages (which is the Alpine Linux syslog) and found the following, which I don't know how to interpret:

Nov  2 17:57:03 domain mail.info postfix/smtpd[28188]: connect from mail-41103.protonmail.ch[185.70.41.103]
Nov  2 17:57:03 domain mail.info postfix/smtpd[28188]: Anonymous TLS connection established from mail-41103.protonmail.ch[185.70.41.103]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (prime256v1)
Nov  2 17:57:04 domain mail.info postfix/smtpd[28188]: NOQUEUE: reject: RCPT from mail-41103.protonmail.ch[185.70.41.103]: 454 4.7.1 <user@domain.com>: Relay access denied; from=<my@protonmail.com> to=<user@domain.com> proto=ESMTP helo=<mail-41103.protonmail.ch>
Nov  2 17:57:04 domain mail.info postfix/smtpd[28188]: disconnect from mail-41103.protonmail.ch[185.70.41.103] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=6/8

I have dovecot configured to use the maildir format (or at least I think I do; I followed the tutorial to set it up to use maildir) but I don't see anything in my ~/Maildir directory.

Running GNU mail results in the output:

Cannot open mailbox /var/mail/user: No such file or directory
No mail for user

My configuration

Output of postconf -n:

command_directory = /usr/sbin
compatibility_level = 3.9
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydomain = domain.com
myhostname = mail.domain.com
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/readme
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_header_checks = regexp:/etc/postfix/smtp_header_checks
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.domain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.domain.com/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = no
unknown_local_recipient_reject_code = 550

Output of doveconf -n:

# 2.3.21.1 (d492236fa0): /etc/dovecot/dovecot.conf
# OS: Linux 6.6.58-0-lts x86_64  
# Hostname: domain.com
auth_debug = yes
auth_mechanisms = plain login
auth_username_format = %n
auth_verbose = yes
log_path = /var/log/dovecot.log
mail_debug = yes
mail_location = maildir:~/Maildir
mail_privileged_group = mail
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    auto = create
    special_use = \Drafts
  }
  mailbox Junk {
    auto = create
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    auto = create
    special_use = \Sent
  }
  mailbox Trash {
    auto = create
    special_use = \Trash
  }
  prefix = 
}
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
protocols = imap lmtp lmtp
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
service lmtp {
  unix_listener lmtp {
    group = postfix
    mode = 0600
    user = postfix
  }
}
ssl = required
ssl_cert = </etc/letsencrypt/live/mail.domain.com/fullchain.pem
ssl_key = # hidden, use -P to show it
ssl_prefer_server_ciphers = yes
userdb {
  args = username_format=%u /etc/dovecot/users
  driver = passwd-file
}

Logs

This seems to be a dovecot log of an authentication attempt.

Nov 02 18:11:11 auth: Debug: client in: AUTH    3       PLAIN   service=imap    secured=tls     session=JeHL+PEltufBIH/a        lip=<my server IP>       rip=<my home IP>      lport=993       rport=59318     local_name=mail.domain.com       resp=<hidden>
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): Performing passdb lookup
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): lookup: user=user file=/etc/dovecot/users
Nov 02 18:11:11 auth: Info: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): unknown user
Nov 02 18:11:11 auth: Debug: passwd-file(user,<my home IP>,<JeHL+PEltufBIH/a>): Finished passdb lookup
Nov 02 18:11:11 auth: Debug: auth(user,<my home IP>,<JeHL+PEltufBIH/a>): Auth request finished
Nov 02 18:11:13 auth: Debug: client passdb out: FAIL    3       user=user       original_user=user@domain.com
Nov 02 18:11:13 imap-login: Debug: Ignoring unknown passdb extra field: original_user
Nov 02 18:11:13 imap-login: Info: Disconnected: Connection closed (auth failed, 3 attempts in 22 secs): user=<user>, method=PLAIN, rip=<my home IP>, lip=<my server IP>, TLS, session=<JeHL+PEltufBIH/a>

Thanks for reading this fairly long post. Do ask if I need to provide any more configs, logs, etc. Appreciate any help, thanks in advance.
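The three symptoms in the post above (Relay access denied, the LMTP socket that does not exist, and "unknown user" on login) each trace back to one line of the posted configuration. The checker below is an added example, not code from the thread or from Postfix/Dovecot: it parses constructed excerpts of the `postconf -n` / `doveconf -n` output shown above and flags each mismatch, plus the case where PLAIN/LOGIN would be allowed without TLS. The function names are hypothetical and `existing_files` stands in for a real filesystem check.

```python
import re

# Constructed excerpts mirroring the poster's `postconf -n` / `doveconf -n` output.
POSTCONF = """\
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mydomain = domain.com
myhostname = mail.domain.com
queue_directory = /var/spool/postfix
"""
DOVECONF = """\
auth_mechanisms = plain login
passdb {
  args = scheme=CRYPT username_format=%u /etc/dovecot/users
  driver = passwd-file
}
service lmtp {
  unix_listener lmtp {
  }
}
ssl = required
"""
DEFAULT_MYDESTINATION = "$myhostname, localhost.$mydomain, localhost"  # Postfix built-in default

def parse_postconf(text):
    """`key = value` lines into a dict; values are left unexpanded."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, _, value in pairs}

def pget(conf, key, default=""):
    """Look up a Postfix parameter, expanding $name and ${name} references."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: pget(conf, m.group(1)), conf.get(key, default))

def parse_doveconf(text):
    """Nested `name {` ... `}` blocks into dicts keyed by the block header."""
    stack = [{}]
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif "=" in line:
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return stack[0]

def check_mail_setup(postconf_text, doveconf_text, existing_files=()):
    """Return findings; existing_files stands in for the filesystem (hypothetical)."""
    pc, dc = parse_postconf(postconf_text), parse_doveconf(doveconf_text)
    findings = []
    # Postfix accepts user@$mydomain only if mydestination lists it, else "Relay access denied".
    if pget(pc, "mydomain") not in re.split(r"[,\s]+", pget(pc, "mydestination", DEFAULT_MYDESTINATION)):
        findings.append("relay: $mydomain is not in mydestination")
    # Postfix resolves lmtp:unix: under queue_directory; Dovecot puts a bare listener name under /run/dovecot.
    sock = pget(pc, "mailbox_transport").partition("lmtp:unix:")[2]
    if sock:
        pf_sock = sock if sock.startswith("/") else f"{pget(pc, 'queue_directory')}/{sock}"
        names = [k.split(None, 1)[1] for k in dc.get("service lmtp", {}) if k.startswith("unix_listener ")]
        dv_socks = [n if n.startswith("/") else f"/run/dovecot/{n}" for n in names]
        if pf_sock not in dv_socks:
            findings.append(f"lmtp: postfix dials {pf_sock}, dovecot listens on {dv_socks}")
    # A passwd-file passdb whose file is missing fails every login as "unknown user".
    passdb = dc.get("passdb", {})
    if passdb.get("driver") == "passwd-file" and passdb["args"].split()[-1] not in existing_files:
        findings.append(f"auth: passdb file {passdb['args'].split()[-1]} does not exist")
    # PLAIN/LOGIN carry the password itself, so they must stay confined to TLS.
    if set(dc.get("auth_mechanisms", "").split()) & {"plain", "login"} \
            and dc.get("ssl") != "required" and dc.get("disable_plaintext_auth", "yes") != "yes":
        findings.append("auth: plaintext mechanisms allowed without TLS")
    return findings
```

With the posted values the checker reports the three findings; adding `$mydomain` to `mydestination`, pointing Dovecot's listener at `/var/spool/postfix/private/dovecot-lmtp`, and creating the passdb file clears them.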

[–] 0v0@scribe.disroot.org 1 points 1 month ago

I wanted to reply just as an update as I finally got round to migrating my Nextcloud instance to be behind nginx, and should anyone else stumble upon this thread maybe this will help you.

I think you misunderstood my question btw but don't worry, I figured it out anyway.

My question was about whether or not I could transfer my Nextcloud instance (including data) to be behind a reverse proxy. The answer is simply yes, you can use the same Docker volumes and it'll be the "same" Nextcloud instance (ie exact same config, user data, etc, no need to set anything up again).

If you've already followed these instructions on a server that doesn't already have a web server running, just take your containers down and follow Nextcloud AIO's reverse proxy guide. If you use the commands suggested in both guides, the volume names will be the same, so the new docker container will use the same volume that the old docker container used. You'll have to delete or rename the old containers so Docker doesn't complain about a container by the same name already existing.

[–] 0v0@scribe.disroot.org 2 points 2 months ago (2 children)

Thank you! That's very helpful.

As an aside/follow up question, I set up Nextcloud with their all in one container. I see they've got separate instructions for setting it up behind a reverse proxy. Is there a need to start from scratch and follow the reverse proxy instructions or can I somehow transfer my Nextcloud instance to be behind a reverse proxy?

 

Hi there, I will preface this by saying that I'm brand new to server stuff. I have used Linux for a very long time as a personal desktop computer, but not as a server exposed to the internet. I've previously only hosted Minecraft servers for my friends and also once had a VPS for a Discord bot, but otherwise never touched servers.

I've bought a VPS and domain name (let's call it domain.com) and have spun up a Nextcloud instance with it, currently at cloud.domain.com. It's all working smoothly and I'm happy with it.

I wanted to use this VPS to host multiple services. Currently wanting to self-host the following:

  • Mail server
  • Mastodon instance
  • Matrix server
  • Static website (on domain.com)
  • Forgejo instance
  • Possibly other miscellaneous things I might want to put on it, but that's what I'm planning for now

Now this is where the noob question comes in. I want to use this same VPS to host these services, probably as Docker containers, under subdomains like mail.domain.com, mastodon.domain.com, matrix.domain.com, etc, with the root domain being used to host my static website. Is it possible to do this all on one VPS? What about all on one IP address just using different ports? e.g. could I have mastodon.domain.com pointing to the same IP address as cloud.domain.com but just a different port? How do I set up the DNS records to do this?

Currently I have an A record at domain.com pointing to my VPS's IP address (so I can ssh into it with ssh 0v0@domain.com) and a CNAME record at cloud.domain.com pointing to domain.com. This was kind of a complete guess as to how to set this up as this is my first time managing a domain name and I didn't know anything about DNS records before doing this. It seems to work with my current setup of just using the VPS for Nextcloud but obviously I want to do more with this VPS, either that or I'd like to reduce the specs of this VPS to save money as I picked an option that I imagined would be capable of hosting all these things. Is it possible to set up DNS records such that when you connect to subdomain.domain.com it connects you to a specific port? Or is that not something DNS records can do, but I can set up server-side on my VPS?

My VPS provider also lets me buy additional IPv4 addresses for the VPS, if I can't have them on the same IP address with different ports should I buy more IP addresses instead? How do I go about using different IP addresses for the same server?

Or do I need to host these services on completely different VPSes and point towards the different IP addresses with A records?

I've also heard of reverse proxies and that they might be able to achieve this, is this something I should look into or am I barking up the wrong tree here?

I know this question betrays a complete lack of knowledge as to how networking works, so please bear with me. Before someone says "well if you don't know this, you shouldn't be hosting all these services", I have been finding the experience so far (i.e. just having set up my server with Nextcloud) to be fun and educational. I learn best by doing (I have ADHD and struggle with just reading books without doing any exercises alongside it) and I'd like to try to host all these services just for the sake of the experience. I'm not hosting anything critical, it is purely for personal projects and I plan to have my friends on my Mastodon and Matrix servers. If this were for something serious I agree I'd get it managed by a professional sysadmin or at least someone who knows what they're doing, but this is just for fun.

I don't need my hand completely held, like I don't need a step by step, but if I could at least be pointed towards concepts/things to research to achieve what I want, I would appreciate that. Literally if I could just be told search terms to look up that would be great, or if you have any more specific pointers than that with specific articles etc even better, or just explain on a high level how I would achieve this setup. Thanks in advance for any help!

TLDR: Is it possible to host these different services on one VPS with one IP address on different ports? If so, how do I set up the DNS records accordingly with my subdomains? If not, how should I achieve hosting these different services on different subdomains, preferably on the same VPS if at all possible?

Edit: Thank you for all the responses, sorry I couldn't give everyone an individual response, but I'm grateful for all the help. I'll look into reverse proxies :) Appreciate it!