Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Encryption during forwarding #6

Closed
kachkaev opened this issue Jul 18, 2016 · 20 comments
Closed

Encryption during forwarding #6

kachkaev opened this issue Jul 18, 2016 · 20 comments

Comments

@kachkaev
Copy link

Hi again Zhuohuan,

A little possible issue here. Could you please document on how encryption can be done during forwarding? I've got this message from google after getting a redirected email.

screen shot 2016-07-19 at 00 33 48

Learn more points here.

No worries if this is not possible - I personally don't needed encryption. Just curious about how things work – this may also help other potential users :–)

@huan
Copy link
Owner

huan commented Jul 19, 2016

It seems because the SMF can't use TLS to send mail to gmail.

Why some emails might not be encrypted
If the person you’re emailing with is using an email service that doesn’t encrypt all messages using a system called Transport Layer Security (TLS), their emails might not be secure, even though Gmail will encrypt whenever possible. For delivery TLS to work, the email delivery services of both the sender and the receiver always have to use TLS. Learn more about email delivery with TLS encryption.

I see a red open padlock when replying to a message without a red padlock
It’s possible for email providers to send messages to Gmail users using TLS but not yet support receiving encrypted messages.

I did not see this warning in my Google Apps for Your Domain free plan.

Could you tell me about:

  1. Are you using a Business Plan of GAfYD?
  2. Will this warning appear when you REPLY this email in gmail?

@kachkaev
Copy link
Author

I'm just using a standard gmail acount ([email protected]) and the emails are just redirected there:
[email protected]:[email protected]. I did not set up anything else apart from running the container. Or did I have to?

@huan
Copy link
Owner

huan commented Jul 20, 2016

got it. I'll check for this when I have time.

thanks! :)

@huan huan added the bug label Jul 20, 2016
@counterbeing
Copy link

I've definitely noticed this as well. An unfortunate side effect for me, is that all of my messages end up in the spam folder. I was trying to use latest, which didn't work, so I rolled back to 0.4.1 which, seems to have this problem, but also does forward mail.

Thanks for the great image. Wonderfully easy interface, with all that i need. Please let me know if I can provide any info in helping to troubleshoot this issue. 👍

@huan
Copy link
Owner

huan commented Sep 21, 2016

@counterbeing thanks for your comments! I had just put it into README. :)

I have no idea why the lastest code not work, but it seems that the tests failed without any major modification for now. I will check it later.

and if you familar with postfix and run into this issue, I hope you can try to docker exec inside the container and try to make a work around. I had setup a lot of mail servers but it's 15 years before, so I have no experience of ca/tls.

help needed.

@dimitrovs
Copy link
Collaborator

I think the latest build fails because openssl is not included in the docker file. Tests still fail but it works fine.

@counterbeing
Copy link

I think it does have something to do with openssl, but I'm not sure what yet. I keep running into Error relocating /usr/bin/openssl: SRP_VBASE_get1_by_user: symbol not found. I tried using bash inside the container to run the same command that it uses to test and get that same response:

This being the command: openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25

@dimitrovs
Copy link
Collaborator

The openssl package is missing that's why it can't find the binary. The proper fix for this is to add openssl to the list of packages in the dockerfile. If you just want to hack it together you can run "apk add openssl" inside the container.

@huan
Copy link
Owner

huan commented Sep 22, 2016

@dimitrovs I'm wondering why there's no problem before, because I know I used openssl command inside the test script...

@dimitrovs
Copy link
Collaborator

@zixi may be one of the underlying images changed? But that's not the only problem with the test scripts, I was never able to get them to pass even though forwarding works fine. It also tries to connect to some host that's not available during build/test, haven't figured out which one yet.

@huan
Copy link
Owner

huan commented Sep 26, 2016

@dimitrovs

yes, the unit test fail is because part of openssl not worked after apt-get upgrade for alpine.

after disabled it, all unit tests passed again, with new version 0.4.2

@counterbeing
Copy link

I can confirm, my tests are passing. Mail is forwarding as expected. But I'm still getting an unencrypted warning from gmail. Is that still expected?

@huan
Copy link
Owner

huan commented Sep 27, 2016

@counterbeing warning from gmail is not expected, it's a confirmed bug(but we do not know where it lies in yet).

hope somebody could fingure it out, then we can easy to get rid of it.

@nelfer
Copy link
Contributor

nelfer commented Oct 27, 2016

I'm experiencing this, at least in my case stuff is not going to SPAM.
So far what I read from Google is that when Google connects to the SMTP service, it ask if it supports TLS and if so, it tries to establish an encrypted connection. If TLS is not supported, that's when Google shows the warning (it's not so much of an issue, it's just telling you that the email was transmitted in plain text from that server to theirs).
I guess in theory, it should be a matter of providing the certificate and private key to postfix.
I'll play around and see if I can figure out something.

@kachkaev
Copy link
Author

@nelfer unfortunately I had to switch to tomav/docker-mailserver in order to overcome this. It turns out that handling emails is not so trivial and requires to learn various scary words like AMAVIS, DKIM, TLS, SPF and others.

When your emails go through your server either way, they need to be signed with a DKIM key, which is then verified by a receiver (e.g. gmail) by means of a special DKIM TXT record in your domain's DNS (yes, it's necessary to edit your DNS as well!).

Sorry for advertising a competing project; what I hope is it can work as an inspiration for this one. I'm not 100% happy with docker-mailserver, because it feels like I'm using a sledge-hammer to crack nuts :–)

If you decide not just to redirect emails, but also to 'reply as' via your server, what I'd recommend is this nice tool: http://mail-tester.com/

@nelfer
Copy link
Contributor

nelfer commented Oct 27, 2016

@kachkaev OK. I read a little bit about DKIM and that's for sending email and confirming that the [email protected] actually comes from @domain.com. I might be wrong, but I think this is not needed when we're just forwarding.
So I used a service that checks SMTP and I got this output:

[000.255]       Connection converted to SSL
[000.277]       

Certificate 1 of 2 in chain:
subject= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
issuer= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com                                            

[000.297]       

Certificate 2 of 2 in chain:
subject= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
issuer= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com                                              

[000.298]       Cert NOT VALIDATED: self signed certificate
[000.298]       So email is encrypted but the domain is not verified
[000.298]       Cert Hostname DOES NOT VERIFY (mail.nelfer.com != simple-mail-forwarder.com)
[000.298]       So email is encrypted but the host is not verified
[000.298]   ~~>     EHLO checktls.com

Because the certificate is self signed, it's not considered valid.
I do have a valid certificate from Lets Encrypt (https://letsencrypt.org/) so I will try tonight replacing that certificate (generated when the image is created) with mine and see if encryption is then supported.
I'll let you know about my progress.
If so, then we just need a volume to /etc/postfix/certs to put our own certificates.

@nelfer
Copy link
Contributor

nelfer commented Oct 28, 2016

I'm happy to report that I found the solution! And it is very simple.
Here's proof that it is working:
selection_001

For now I did the fix by doing a docker exec and going into the container to modify the main.cf file.
It needs this simple line:
smtp_tls_security_level = may

The issue is that smtpd is for the receiving point and that's configured already. But once an email is received, postfix must send it to another smpt server (in this case gmail's). So this settings tell it to use tls encryption. And it works with the certificates automatically generated in the image.

I'll try to send this as a pull request (also the ability to use your own certificates. I will modify init-ssl script so that, if a certificate already exists, not to generate a new one, that way we can use a volume with your own certificates)

@nelfer
Copy link
Contributor

nelfer commented Oct 28, 2016

Pull request is now just waiting for test/approval

@huan
Copy link
Owner

huan commented Oct 30, 2016

this issue should be fixed by #15 , thanks @nelfer !

@huan huan closed this as completed Oct 30, 2016
@nelfer
Copy link
Contributor

nelfer commented Oct 31, 2016

Hi @kachkaev
As you said, if the email is used for "Reply As", the email gets a spam-index less than 10 (10 being "not spam", based on that tool that you posted). That is because even tho I'm using gmail and their DKMI are in order and stuff, my email domain doesn't match, it gets some fraction removed, but the rest (in the authentication part) is OK. Overall now I'm getting over 8 score (the biggest drawback is that gmail IP is blocked in some blacklist, so that's beyond my control). For simple forwarding is fine to use now.
For sending emails from your email (using gmail for example) still pretty good now.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants