Mohammed Hamada

I have built Docker Mailserver but am unable to connect to IMAP due to an SSL error

I am working on Docker Mailserver on Ubuntu. I purchased a 1-year SSL certificate, placed it in the /home/ubuntu/cert path and tried to mount it in the docker-compose.yml file.

The problem is that when I recreate the docker image everything looks like it works fine, but the certificate doesn't take effect.

I checked the SSL config using "egrep cert /etc/postfix/main.cf" and also /etc/dovecot, and it's showing the following:
/etc/postfix/ssl/key
/etc/postfix/ssl/cert

Now I am lost: how should the docker-compose.yml mount look? Or should I use the docker mount command instead?

I have very limited Docker knowledge and would appreciate it if anyone could help.

8/22/2022 - Mon
David Favor

Postfix == SMTP

SMTP != IMAP

So you'll never... affect any IMAP connection behavior... in any way, with any action at the Postfix level.

The way you'll do this...

1) Create a TLS cert, likely using https://LetsEncrypt.org + set up your cert for auto renewal + to bounce (stop/restart) your IMAP server each time the cert renews.

https://www.experts-exchange.com/questions/29218434/Cluster-must-have-at-least-one-etcd-plane-host-failed-to-connect-to-the-following-etcd-host-when-rotating-certs-in-rancher.html covers initial cert generation + auto renewal + daemon restarts.

2) Then you select your IMAP server, which will almost surely be Dovecot.

3) Then you plumb your TLS cert into Dovecot.

4) Now you'll have a working IMAP server.

5) Said differently, if you've only installed Postfix (SMTP), then your connection problem is no running IMAP server.
Mohammed Hamada

ASKER
Hi David, I am not sure if you're familiar with Docker, but this is a ready-packaged Dovecot and Postfix together within the mailserver image of Docker.

I already have a certificate and the only thing I am doing is trying to get the docker mailserver image to see the certificate. Either purchased or Let's Encrypt, I have both of them, but even with mounting the cert folder from the host into the image I can't get the docker image to see it.

I am following these links for troubleshooting
https://github.com/docker-mailserver/docker-mailserver/issues/1400
https://github.com/docker-mailserver/docker-mailserver/issues/995

Things I have done so far:
1- Got the mailserver container name.
2- Mounted the folder of the certificates from the host to inside the docker image (logging in to the image still doesn't show any files).
3- Recreated the image, changed the docker-compose.yml settings to reflect the mounted folder.
4- Changed the mailserver.env file certificate option to manual and to letsencrypt and tried both certificates.
5- Tested the local connection with openssl to see if there's any bound certificate: openssl s_client -connect mail.domain.com:993

David Favor

1) There are Docker instances with both Postfix + Dovecot.

To debug these, the approach I take is to also add sshd to the container start YAML config file, as the only way to debug connection problems is to... be inside the Docker/LXD... namespace... to view connections from inside the container runtime environment.

Near impossible to understand the problem looking... into a container... from machine level, because at machine level... all commands pin to the machine namespace being used, rather than container namespace.

2) You mentioned, "even with mounting the folder of cert from host to the image I can't get the docker image to see it."

This is the common problem using Docker, rather than LXD.

With LXD you have a self-contained, bootable unit, just like a normal machine.

With Docker, you have to correctly... build up your own home brewed, hand rolled LXD file management system.

This means it's up to you to ensure the Docker data volumes you set up are readable to containers + also are passed correctly at container startup or in your YAML config file.

3) So first item to debug, install sshd into your container, then do this...

a) At machine level run this command...

inotifywait -mrq list-of-all-docker-data-volumes-referenced-by-container


b) Now ssh into your container.

c) Verify the passed data volumes actually show up inside the container.

If not, you must fix this in your container startup.

d) After the data volumes show up (running ls under ssh into your container), simply do this...

cat /path-to-cert


In the inotifywait, you should see a file open + several read accesses + file close.

If not, you'll then debug your data volume ownership + permissions.
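The volume-visibility and permission check above, as an added example (not code from the thread or from the docker-mailserver project): a small POSIX shell function to run inside the container (or on the host against the directory you mount) that verifies the certificate files sit where the mount is supposed to expose them, are readable, are PEM, and that the private key is not world-readable. It assumes, as the docker-mailserver layout for the letsencrypt cert type, a `live/<mail FQDN>/fullchain.pem` and `privkey.pem` pair; adjust the names if your container expects a different layout.

```shell
#!/bin/sh
# check_cert_dir DIR FQDN
#   DIR  - directory the bind mount lands on, e.g. /etc/letsencrypt/live
#   FQDN - mail host name, e.g. mail.example.com (constructed sample value)
# ASSUMPTION: files are expected at DIR/FQDN/{fullchain.pem,privkey.pem}.
# Returns 0 when everything checks out, 1 otherwise, printing what failed.
check_cert_dir() {
  dir=$1
  fqdn=$2
  live="$dir/$fqdn"
  if [ ! -d "$live" ]; then
    # Typical symptom of mounting the cert folder directly onto DIR:
    # the files are visible, but not under the per-host subdirectory.
    echo "MISSING: $live (files must sit under $dir/<fqdn>/, not in $dir)"
    return 1
  fi
  rc=0
  for f in fullchain.pem privkey.pem; do
    p="$live/$f"
    if [ ! -r "$p" ]; then
      # Unreadable for the container user: ownership/permission problem.
      echo "UNREADABLE: $p ($(ls -ld "$p" 2>&1))"
      rc=1
    elif ! head -n 1 "$p" | grep -q '^-----BEGIN '; then
      # Present but not PEM (wrong file, DER, or an empty placeholder).
      echo "NOT PEM: $p"
      rc=1
    fi
  done
  # A world-readable private key is a finding even when the mount works.
  if [ -r "$live/privkey.pem" ] && \
     [ -n "$(find "$live/privkey.pem" -perm -004 2>/dev/null)" ]; then
    echo "WARN: $live/privkey.pem is world-readable"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: $live"
  fi
  return "$rc"
}
```

If the files are present but the server still presents the old certificate, compare `openssl x509 -in fullchain.pem -noout -fingerprint -sha256` with the certificate shown by `openssl s_client -connect mail.domain.com:993`; a mismatch means the daemon is reading a different path than the one you mounted.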
Mohammed Hamada

ASKER
Yes, true. I used this command to mount the folder:
sudo docker run -v /home/ubuntu/cert/:/etc/letsencrypt/live/ -d mailserver/docker-mailserver "update-ca-certificates"

It doesn't return any error. After that I use the following command to log in to the container:
./setup.sh debug login

Then I try to ls the content of /etc/letsencrypt/live but it returns nothing.

I tried running the command you provided, but it returns a "no such file or directory" error:
inotifywait -mrq list-of-all-docker-data-volumes-referenced-by-container
Couldn't watch list-of-all-docker-data-volumes-referenced-by-container: No such file or directory
ASKER CERTIFIED SOLUTION
David Favor
