
Cannot send mail messages to my Roundcube grains (Relay Access Denied)

Open bytersproblem opened this issue 4 years ago • 7 comments

Hi. I have a Sandstorm instance that runs on non-standard ports 7443 and 7080; mail is set up to run on 30025. I have a sandcats.io subdomain. Sending mail from a Roundcube grain to the outside works well; however, sending mail messages to the Roundcube grain returns the mail with the message "Relay Access Denied". I would like to know what the problem is.

bytersproblem, Jan 16 '21 21:01

Is there anything interesting in the grain log of your Roundcube instance, or the Sandstorm system log?

ocdtrekkie, Jan 16 '21 21:01

I am sending the logs from the grain and from Sandstorm as a link, because of their length: https://drive.google.com/file/d/1u9n3OlXSTnF-4OXJQKdsYEdPsUGUjNFg/view?usp=sharing

bytersproblem, Jan 16 '21 21:01

Do you have a reverse SMTP proxy set up somewhere (since you're not listening on port 25)? Is there anything in the logs there, and can you share your config?

zenhack, Jan 16 '21 22:01

/etc/nginx/nginx.conf (added lines)

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
mail {
    ssl_certificate /home/borivoje/certs/fdde.sandcats.io.crt;
    ssl_certificate_key /home/borivoje/certs/fdde.sandcats.io.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_prefer_server_ciphers on;

    server {
        listen 25;
        server_name fdde.sandcats.io;
        auth_http localhost:8008/fake-smtp-auth;
        protocol smtp;
        timeout 30s;#
        proxy on;
        xclient off;
        smtp_auth none;
        starttls on;
    }

    server {
        listen 465;
        server_name fdde.sandcats.io;
        auth_http localhost:8008/fake-smtp-auth;
        protocol smtp;
        timeout 30s;
        proxy on;
        xclient off;
        smtp_auth none;
        ssl on;
    }
}

/opt/sandstorm/sandstorm.conf

SERVER_USER=sandstorm
PORT=7080
MONGO_PORT=6081
BIND_IP=0.0.0.0
BASE_URL=https://fdde.sandcats.io:7443
WILDCARD_HOST=*.fdde.sandcats.io:7443
UPDATE_CHANNEL=dev
ALLOW_DEV_ACCOUNTS=false
SMTP_LISTEN_PORT=30025
SANDCATS_BASE_DOMAIN=sandcats.io
HTTPS_PORT=7443
#SMTP_LISTEN_PORT=

bytersproblem, Jan 16 '21 22:01

Looks like your nginx config is missing the section that actually maps /fake-smtp-auth. See:

https://docs.sandstorm.io/en/latest/administering/email/#configure-port-25-the-advanced-way-proxy-smtp

(the second code block in that section)

zenhack, Jan 16 '21 22:01
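The consistency check raised in the comment above (every `auth_http` URL in the `mail` block needs a location that answers it and points at Sandstorm's SMTP port) can be done mechanically. This is an added example, not code from the thread or from the Sandstorm project; the function names are hypothetical and `AUTH_CONF` is a constructed endpoint that uses the `Auth-Status`, `Auth-Server` and `Auth-Port` response headers nginx's mail proxy reads.

```python
import re

def smtp_listen_port(sandstorm_conf):
    """Uncommented SMTP_LISTEN_PORT from sandstorm.conf text, or None."""
    m = re.search(r"^\s*SMTP_LISTEN_PORT=(\d+)\s*$", sandstorm_conf, re.M)
    return int(m.group(1)) if m else None

def check_mail_proxy(nginx_conf, sandstorm_conf):
    """Return a list of problems linking auth_http -> location -> Sandstorm port."""
    text = re.sub(r"#[^\n]*", "", nginx_conf)          # drop comments
    port = smtp_listen_port(sandstorm_conf)
    # auth_http host[:port]/path;  -> keep only the path nginx will request
    paths = set(re.findall(r"auth_http\s+[^/\s;]+(/[^\s;]*)\s*;", text))
    # flat location blocks and the Auth-* response headers they set
    locations = {
        path: dict(re.findall(r'add_header\s+(Auth-[\w-]+)\s+"?([^";\s]+)"?\s*;', body))
        for path, body in re.findall(r"location\s+(?:=\s*)?(\S+)\s*\{([^}]*)\}", text)
    }
    problems = []
    for path in sorted(paths):
        hdrs = locations.get(path)
        if hdrs is None:
            problems.append(f"{path}: no location block answers this auth_http URL")
        elif hdrs.get("Auth-Status") != "OK":
            problems.append(f"{path}: Auth-Status is not OK, connections are refused")
        elif hdrs.get("Auth-Port") != str(port):
            problems.append(f"{path}: Auth-Port {hdrs.get('Auth-Port')} "
                            f"does not match SMTP_LISTEN_PORT {port}")
    return problems

# From the thread: the mail{} directive and the sandstorm.conf setting.
MAIL_CONF = "mail { server { listen 25; auth_http localhost:8008/fake-smtp-auth; } }\n"
SANDSTORM_CONF = "SMTP_LISTEN_PORT=30025\n#SMTP_LISTEN_PORT=\n"
# Constructed for this example (not posted in the thread): loopback-only auth endpoint.
AUTH_CONF = """
server {
    listen 127.0.0.1:8008;
    location /fake-smtp-auth {
        add_header Auth-Status OK;
        add_header Auth-Server 127.0.0.1;
        add_header Auth-Port 30025;
        return 200;
    }
}
"""

if __name__ == "__main__":
    print(check_mail_proxy(MAIL_CONF, SANDSTORM_CONF))              # endpoint missing
    print(check_mail_proxy(MAIL_CONF + AUTH_CONF, SANDSTORM_CONF))  # consistent
```

Because nginx splits configuration across included files, feed the function the concatenated text of `nginx.conf` and everything it includes.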

Sorry, @zenhack, I have that code in my /etc/nginx/sites-enabled/default; I forgot to mention it. I followed the guidelines for that setup. And at first the mails were coming to my grain from multiple addresses. Now it says relay access denied. I need to say that my Sandstorm instance runs inside a virtual machine, with a bridged adapter to the bare-metal yunohost system with many applications. But I guess that it doesn't interfere with the yunohost firewall and services there. My router is set up to forward 25 to yunohost and 30025 to Sandstorm.

bytersproblem, Jan 16 '21 22:01

I tried putting it back on port 25 and removed the added setup for nginx, and mail began to arrive. Isn't the problem maybe in the certificates that I self-signed?

bytersproblem, Jan 17 '21 00:01