Mohammed Hamada (Portugal) asked:
I have built Docker Mailserver but unable to connect to IMAP due to SSL error

I am working on Docker Mailserver on Ubuntu. I purchased a 1-year SSL certificate, placed it in the /home/ubuntu/cert path and tried to mount it in the docker-compose.yml file.

The problem is that when I recreate the Docker image, everything looks like it works fine, but the certificate doesn't take effect.

I checked the SSL config using "egrep cert /etc/postfix/main.cf" and also /etc/dovecot, and it's showing the following:
/etc/postfix/ssl/key
/etc/postfix/ssl/cert

Now I am lost: what should the docker-compose.yml file mount look like? Or should I do the docker mount command instead?

I have very limited Docker knowledge and would appreciate it if anyone would help.

Tags: Linux, SSL / HTTPS, Docker, Ubuntu, Linux OS Dev

David Favor (United States) answered:

Postfix == SMTP

SMTP != IMAP

So you'll never... effect any IMAP connection behavior... in any way, with any action at the Postfix level.

The way you'll do this...

1) Create a TLS cert, likely using https://LetsEncrypt.org + setup your cert for auto renewal + to bounce (stop/restart) your IMAP server each time cert renews.

https://www.experts-exchange.com/questions/29218434/Cluster-must-have-at-least-one-etcd-plane-host-failed-to-connect-to-the-following-etcd-host-when-rotating-certs-in-rancher.html covers initial cert generation + auto renewal + daemon restarts.

2) Then you select your IMAP server, which will almost surely be Dovecot.

3) Then you plumb your TLS cert into Dovecot.

4) Now you'll have a working IMAP server.

5) Said differently, if you've only installed Postfix (SMTP), then your connection problem is no running IMAP server.
Mohammed Hamada (asker) replied:
Hi David, I am not sure if you're familiar with Docker, but this is a ready-packed Dovecot and Postfix together within the mailserver image of Docker.

I already have a certificate, and the only thing I am doing is trying to get the Docker mailserver image to see the certificate. Either purchased or Let's Encrypt, I got both of them, but even with mounting the folder of the cert from host to the image I can't get the Docker image to see it.

I am following these links for troubleshooting:
https://github.com/docker-mailserver/docker-mailserver/issues/1400
https://github.com/docker-mailserver/docker-mailserver/issues/995

Things I have done so far:
1- Got the mailserver container name.
2- Mounted the folder of the certificates from host to inside the Docker image (logging in to the image still doesn't show any files).
3- Recreated the image, changed docker-compose.yml settings to reflect the mounted folder.
4- Changed the mailserver.env file certificate option to Manual and to letsencrypt and tried both certificates.
5- Tested the local connection with openssl to see if there's any bound certificate: openssl s_client -connect mail.domain.com:993



David Favor (United States) replied:

1) There are Docker instances with both Postfix + Dovecot.

To debug these, the approach I take is to also add sshd to the container start YAML config file, as the only way to debug connection problems is to... be inside the Docker/LXD... namespace... to view connections from inside the container runtime environment.

Near impossible to understand the problem looking... into a container... from machine level, because at machine level... all commands pin to the machine namespace being used, rather than container namespace.

2) You mentioned, "even with mounting the folder of cert from host to the image I can't get the docker image to see it."

This is the common problem using Docker, rather than LXD.

With LXD you have a self-contained, bootable unit, just like a normal machine.

With Docker, you have to correctly... build up your own home-brewed, hand-rolled LXD file management system.

This means it's up to you to ensure the Docker data volumes you set up are readable to containers + also are passed correctly at container startup or in your YAML config file.

3) So the first item to debug: install sshd into your container, then do this...

a) At machine level run this command...

inotifywait -mrq list-of-all-docker-data-volumes-referenced-by-container

b) Now ssh into your container.

c) Verify the passed data volumes actually show up inside the container.

If not, you must fix this in your container startup.

d) After data volumes show up (running ls under ssh into your container), simply do this...

cat /path-to-cert

In the inotifywait, you should see a file open + several read accesses + file close.

If not, you'll then debug your data volume ownership + permissions.
Mohammed Hamada (asker) replied:
Yes, true. I used this command to mount the folder:
sudo docker run -v /home/ubuntu/cert/:/etc/letsencrypt/live/ -d mailserver/docker-mailserver "update-ca-certificates"

It doesn't return any error. After that I use the following command to log in to the container:
./setup.sh debug login

Then I try to ls the content of /etc/letsencrypt/live, but it returns nothing.

I tried running the command you provided, but it returns a "no such file or directory" error:
inotifywait -mrq list-of-all-docker-data-volumes-referenced-by-container
Couldn't watch list-of-all-docker-data-volumes-referenced-by-container: No such file or directory
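As an added example (not part of this thread), here is a check for the situation above: a bind mount belongs to the specific container it was started with, so a separate `docker run -v ...` creates a new container and does not add the mount to the running mailserver container that `setup.sh debug login` enters. The script reads `docker inspect` for the container you actually log into and reports whether the host cert directory is mounted and at which in-container path; the sample inspect output is constructed, using the `Mounts` field names the Docker CLI emits.

```python
import json
import subprocess
import sys

# Constructed sample of what `docker inspect <container>` prints (same field
# names Docker emits). The bind mount mirrors the host path and container
# path used in the thread; the second entry is an unrelated named volume.
SAMPLE_INSPECT = json.dumps([{
    "Mounts": [
        {"Type": "bind", "Source": "/home/ubuntu/cert",
         "Destination": "/etc/letsencrypt/live", "RW": True},
        {"Type": "volume", "Name": "maildata",
         "Source": "/var/lib/docker/volumes/maildata/_data",
         "Destination": "/var/mail", "RW": True},
    ],
}])


def mounts_for(inspect_json):
    """Return (source, destination, rw) for every mount of the container."""
    data = json.loads(inspect_json)
    if not data:  # docker inspect prints [] for an unknown container
        return []
    return [(m["Source"], m["Destination"], m.get("RW", True))
            for m in data[0].get("Mounts", [])]


def find_mount(inspect_json, host_path):
    """Return the in-container path a host directory is mounted at, or None.

    Trailing slashes in a -v flag or compose entry are not significant,
    so both sides are compared with them stripped.
    """
    wanted = host_path.rstrip("/")
    for src, dst, _rw in mounts_for(inspect_json):
        if src.rstrip("/") == wanted:
            return dst
    return None


def inspect_container(name):
    """Query a real container; needs the docker CLI and a running daemon."""
    return subprocess.check_output(["docker", "inspect", name], text=True)


if __name__ == "__main__":
    container, host_dir = sys.argv[1], sys.argv[2]
    dst = find_mount(inspect_container(container), host_dir)
    if dst is None:
        sys.exit(f"{host_dir} is not mounted in {container}; fix the volume "
                 "entry in docker-compose.yml and recreate the container")
    print(f"{host_dir} is visible inside {container} at {dst}")
```

Run it as `python3 check_mount.py <container-name> /home/ubuntu/cert`; if the path is reported as mounted, the next step is to `ls` that destination inside the container and compare it with the path mailserver.env is told to read.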
ASKER CERTIFIED SOLUTION by David Favor (United States)

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.