Fix app mail - Add main domain into hosts file #1780
base: dev
Conversation
For apps which send (or receive) mail and need a valid TLS certificate, the way to make it work is to pass a valid domain (and not localhost), so the target domain matches the provided certificate. But postfix and dovecot refuse app authentication from an external IP. So we need to force the request onto the local interface (with the public domain).
Hmm yes, but what if an app uses the domain name where it is hosted, and not the ynh main domain? I think we have to do the same thing for all the installed domains on ynh.
Well, we don't have to use the app domain. We must use a domain which has a valid certificate. For example: main_domain:
Let's say that synapse is installed on
Yes, but it's a bit less explicit for the user who receives the mail.
Well, for users it won't change anything as they can still come from We can also add all domains, but I'm not sure that everybody will be happy to edit the hosts file a lot. And more modifications (to the hosts file) might make this PR more complicated to merge.
I don't understand why it's not currently enough. When I ping my main domain I already have ::1 or 127.0.0.1 as the answer (and this domain is not listed in Are you sure dnsmasq is correctly configured on your test instance?
It works, but it probably breaks nextcloud as it's not configured to accept local requests (by default, nextcloud considers a request from a local IP as a potential security attack). And what if the main domain is changed? This means the package should implement a hook mechanism to change that...
Investigated, and on my test instance I didn't have
I don't really understand, as on your setup, as you said, it won't change anything.
Well yes, you are right. So anyway, for now let's leave it as it is.
The diagnosis checks precisely for this and complains about it if that's not the case.
The problem
Some apps like synapse need to send email but don't have an option to allow an invalid certificate. In this case the target server defined in the app must match the certificate provided by postfix (or dovecot in the reception case). But currently it's not possible, as postfix (and dovecot) are configured to only accept app connections on the local IP (so 127.0.0.1 or ::1).
So for instance we have a server with main domain yolo.xyz. In synapse, to send email we have mainly 2 solutions:

- yolo.xyz ... but the SMTP client expects to receive a certificate for the configured domain, so localhost in this case.
- ... (eth0) and postfix doesn't allow app connections from the external interface.

Solution

To solve this I thought about 2 potential solutions:

- yolo.xyz ... will resolve this to 127.0.0.1, and so the connection will be made with a certificate matching the configured domain. And on the postfix side the connection will be on the local interface, so it will be happy.
- yolo.xyz ... The provided certificate will match the configured domain. And if postfix is configured to allow external connections from apps, there will be no problem.

This PR implements the first solution, which I think is the best one.
PR Status

Tested on my side and it works well.

How to test

Run regen-conf for dnsmasq and ping the main domain, and see that ping goes directly to 127.0.0.1.
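To make the two constraints described above concrete, here is an added Python model (not part of this PR or of YunoHost): it checks whether the SMTP host an app is configured with resolves to a loopback address (what postfix and dovecot require) and whether that host matches the DNS names in the certificate postfix presents (what the app's SMTP client requires), using constructed hosts-file mappings and a constructed certificate for yolo.xyz. The live_starttls_check helper is hypothetical and runs the real STARTTLS verification against a running mail server.

```python
import ipaddress
import smtplib
import ssl

# Constructed example data: the certificate postfix presents is issued for the
# main domain, and the two hosts-file mappings mirror the before/after of the PR.
CERT_DNS_NAMES = ["yolo.xyz", "*.yolo.xyz"]
HOSTS_BEFORE_PR = {"localhost": "127.0.0.1", "yolo.xyz": "203.0.113.10"}  # public IP on eth0
HOSTS_AFTER_PR = {"localhost": "127.0.0.1", "yolo.xyz": "127.0.0.1"}      # main domain pinned to loopback


def is_loopback(addr: str) -> bool:
    """Postfix/dovecot only accept app connections coming from 127.0.0.1 or ::1."""
    return ipaddress.ip_address(addr).is_loopback


def cert_matches(configured_host: str, dns_names: list[str]) -> bool:
    """Simplified RFC 6125 name matching: exact DNS name or a single-label wildcard."""
    host = configured_host.lower().rstrip(".")
    left, _, parent = host.partition(".")
    for name in dns_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and left and parent == name[2:]:
            return True
    return False


def mail_path_ok(configured_host: str, hosts: dict, dns_names: list[str]) -> tuple[bool, str]:
    """Model both checks an app's outgoing mail must pass: loopback source, then certificate name."""
    addr = hosts.get(configured_host)
    if addr is None:
        return False, "host does not resolve"
    if not is_loopback(addr):
        return False, "postfix rejects the connection: client is not on a loopback address"
    if not cert_matches(configured_host, dns_names):
        return False, "SMTP client rejects the certificate: name does not match the configured host"
    return True, "ok"


def live_starttls_check(host: str, port: int = 587) -> str:
    """Hypothetical helper: real STARTTLS handshake with hostname verification enabled.
    Raises ssl.SSLCertVerificationError on a name mismatch; returns the peer address used."""
    ctx = ssl.create_default_context()  # check_hostname=True, verified against `host`
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeername()[0]
```

With the pre-PR mapping, "localhost" fails the certificate check and "yolo.xyz" fails the loopback check; only the post-PR mapping passes both.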