Problem installing chat relay [certificate for shared IPv4 address space]

Hi there

long time no see.

I’m trying to install a chatmail relay. I have my own domain at strato and I’ve tried to set up DNS correctly (not sure if I’ve actually managed it)

I try to follow this description: How to deploy a Chatmail server

But when I run

<scripts/cmdeploy dns>

I get the error which you can see in the uploaded file. I’m really inexperienced in these matters and would appreciate any kind of help.

Greetings from Austria
broncheolus

–log edited out–

There are similar issues at cmdeploy: "Request certificate" fails in NAT'ed environment · Issue #665 · chatmail/relay · GitHub, Can't request certificate while installing chatmail · Issue #774 · chatmail/relay · GitHub, acmetool reconcile fails: connection refused · Issue #826 · chatmail/relay · GitHub

Could you check with netstat -lntp what is listening on port 80? Maybe there is a web server preinstalled.

I forgot to mention. I’m trying to install to a Raspberry Pi behind a fritzbox. My local machine is in the same intranet. Ports are forwarded as seen in the picture. The output of netstat executed on the Rasp is as follows:

edit: I can also use a certificate from strato instead of the Let’s Encrypt cert

Output-netstat-nltp.txt (1.9 KB)

Ok, the problem is that the IP address you have put into DNS is not public, it is from 100.64.0.0/10 (IPv4 shared address space - Wikipedia), so Let’s Encrypt (CA) cannot connect to the server over HTTP.

If you are setting it up for the local network, you can get a TLS certificate and follow Running a relay with externally managed certificates, or you can create a subdomain that starts with _ (e.g. _cm.example.org) and follow Running a relay with self-signed certificates.
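To make the reachability point above concrete, here is an added example (not code from chatmail/relay or cmdeploy) that classifies the address a relay’s A/AAAA record points at and says whether an external CA could reach it for the ACME HTTP-01 challenge at all. The sample addresses are constructed; 203.0.113.x (a documentation range) stands in for a genuinely public address.

```python
"""Classify the address published in DNS for a relay and report whether an
external CA (Let's Encrypt, HTTP-01 challenge) could ever connect to it.

Added example for this thread, not part of chatmail/relay or cmdeploy.
All addresses below are constructed samples; 203.0.113.x (TEST-NET-3)
stands in for a genuinely public address.
"""
import ipaddress

# Ranges a host on the public internet cannot connect to, most specific first.
# Sources: RFC 6598, RFC 1918, RFC 3927, RFC 1122, RFC 4193, RFC 4291.
NON_PUBLIC = [
    ("100.64.0.0/10", "shared address space (RFC 6598, carrier-grade NAT)"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("169.254.0.0/16", "link-local (RFC 3927)"),
    ("127.0.0.0/8", "loopback"),
    ("fc00::/7", "unique local (RFC 4193)"),
    ("fe80::/10", "link-local (RFC 4291)"),
    ("::1/128", "loopback"),
]
NON_PUBLIC_NETS = [(ipaddress.ip_network(n), label) for n, label in NON_PUBLIC]


def classify(addr: str) -> str:
    """Return 'public' or the label of the non-public range addr falls into."""
    ip = ipaddress.ip_address(addr)
    for net, label in NON_PUBLIC_NETS:
        if ip.version == net.version and ip in net:
            return label
    return "public"


def acme_http01_possible(addr: str) -> bool:
    """HTTP-01 means the CA opens a TCP connection to port 80 of the address
    the DNS record points at. That never works for a non-public address,
    no matter which ports the home router forwards."""
    return classify(addr) == "public"


def audit_records(records: list[tuple[str, str]]) -> list[str]:
    """records: (hostname, address) pairs as published in DNS.
    Returns one human-readable problem line per unreachable record."""
    problems = []
    for name, addr in records:
        label = classify(addr)
        if label != "public":
            problems.append(
                f"{name} -> {addr}: {label}; Let's Encrypt cannot validate over "
                f"HTTP, use an externally managed or self-signed certificate"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: a CGNAT address, a LAN address and a public address.
    sample = [
        ("mail.example.org", "100.64.12.34"),
        ("mail.example.org", "192.168.178.20"),
        ("mail.example.org", "203.0.113.10"),
    ]
    for line in audit_records(sample):
        print(line)
```

The check deliberately does not rely on the `is_private`/`is_global` properties of the `ipaddress` module, because 100.64.0.0/10 is neither private nor global there and the exact behaviour has shifted between Python versions; an explicit table is easier to reason about.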

Ah, ok! Thanks a lot! I will try.

I have now a static ip and will try to install the relay.

Before I do so I have one more question. At my domain provider I have an SSH certificate.

  • Is it possible to use this certificate instead of the let’s encrypt cert?
  • Will it be recognised automatically (I have connected the cert to my domain) and be used for the relay?

Thxs.

If you mean SSL certificate, you can use it by following Setting up a chatmail relay - chatmail relay documentation if the hoster gives you the certificate and the key. If they don’t give you the key, but just offer a reverse proxy, then this is not usable for SMTP and IMAP. In any case you probably don’t want them to have the SSL/TLS key for your server, and if you use their certificate you will need to renew it manually once it expires. So if you have a static IP that can be used to connect to your server, better use Let’s Encrypt with the built-in acmetool.

Thank you. I will follow your advice!

Really great! Have a nice evening.

Hi again,

The process went fine.

When testing (scripts/cmdeploy dns, scripts/cmdeploy status, scripts/cmdeploy test, scripts/cmdeploy bench) the output is the following (attachment “TestingTheServer.txt”)

For me everything seems fine except the first part containing the DNS settings. I tried to set everything I could but for some of these DNS settings I could not find the place to do so. So are these relevant if everything else went fine (to my blind eye)?

–log edited out–

Edit: Actually, I already use my relay and it works perfectly so far, I’m so happy. DeltaChat is so brilliant.

Did I already mention that I’m sooo happy! ;-))

I tried to set everything I could but for some of these DNS settings I could not find the place to do so

The report is basically saying you have almost nothing configured in DNS, so I would take this as a more serious failure rather than a light warning. Looking up your zone, it uses rzone.de which is owned by strato.de; I do not read German but I think this is the doc with how to use their DNS control panel:

The settings being reported missing are kind of important to how modern email delivery in general works; you’re missing almost all of them.

Ok. I already tried to find the correct place to set some of those. Just an example:

_mta-sts.example.org. 3600 IN TXT “v=STSv1; id=202605071851\”

or

_dmarc.example.org. 3600 IN TXT “v=DMARC1;p=reject;adkim=s;aspf=s”

Is there something I get wrong? I also can’t find a place to set TTL.

Or:

example.org. 3600 IN CAA 0 issue “letsencrypt.org;accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1234”

Where’s the right place to set this?

I’m sorry to bother you with these things.

Setting TXT records looks correct, but you probably don’t need to put the double quotes into the text field.

For CAA, if you cannot replace the type “TXT” with “CAA” because it is not in the list, you cannot set it, but you can skip this step, see CAA record on cPanel

It’s no bother, we all have to start and learn somehow. For the first problem, you are doing the right thing but running into an “invisible” problem - the quotation marks. When you see a line written like this:

example.org.   3600  IN  CAA   0 issue “lets...”

…it’s in “BIND” (the original software for doing internet DNS developed at Berkeley) format which is a text file with a structure. But when you use a webUI / GUI DNS control panel at a provider, they are trying to help you by dealing with the minutiae because the BIND format is very strict with periods, quotes and things of that sort which we humans just sort of get wrong sometimes.

In this case, the control panel is handling the quotation marks for you – you should be able to just remove the beginning and ending quotes and paste it into the field. When saving, the control panel will add the appropriate quotes around it for internal use. They typically do the same thing with periods - by BIND spec you have to end everything with periods but it’s not natural for us humans, so they automate that part.

For the CAA record, it’s a specific type and it’s possible that Strato.de does not support them - they are “new” but like at least 5+ years old and “everyone” supports them. The control panel needs to have that option, or… well, you stumbled on one of the rare, outdated DNS providers who hasn’t upgraded to support CAA records? I haven’t run into one of these in a long time, you may have gotten bad luck with your DNS host.

This might also be why you don’t see an option to change the TTL, but sometimes they hide it away behind an “Advanced” button or checkbox or something. I know nothing about strato.de but it might not have the most robust DNS solution. You can host DNS anywhere, a lot of folks use https://www.dnsperf.com/ to help them find a DNS provider they like.

Edit: I found someone asking for help about 2 years ago and the response at that time is Strato does not support CAA and is a limited DNS provider. DNS CAA? (Webserver, Strato, Nextcloud)

Edit 2, another confirmation Strato does not support CAA. Who Supports CAA Records?
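The quoting and trailing-dot issue described in the two answers above is mechanical enough to automate. The following is an added example (not code from chatmail/relay, cmdeploy or Strato): it takes a BIND-style record line, as printed by the DNS check, and turns it into the fields a provider’s web control panel usually wants, i.e. a name relative to the zone, an optional TTL, the type, and a value without the surrounding quotes or trailing dots. The sample lines and example.org are constructed placeholders, and the layout of the panel fields is an assumption about a typical GUI, not a description of any particular provider.

```python
"""Turn a BIND-style record line into control-panel fields.

Added example for this thread, not part of chatmail/relay or cmdeploy.
Sample lines are constructed; example.org is the placeholder zone.
"""
import re
from dataclasses import dataclass
from typing import Optional

# A quoted string (with backslash escapes) or a bare whitespace-free token.
_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')
# Types whose rdata are hostnames in BIND form (may carry a trailing dot).
_HOSTNAME_TYPES = {"MX", "CNAME", "NS", "PTR", "SRV"}


@dataclass
class PanelRecord:
    name: str            # "@" for the zone apex, otherwise relative to the zone
    ttl: Optional[int]   # None when the line carries no TTL
    rtype: str
    value: str           # what to paste into the panel's value field


def _tokenize(line: str) -> list[str]:
    # Copy-pasted lines often carry typographic quotes; normalise them first.
    line = line.replace("\u201c", '"').replace("\u201d", '"')
    out = []
    for m in _TOKEN.finditer(line):
        if m.group(1) is not None:
            out.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # drop escapes
        else:
            out.append(m.group(2))
    return out


def _relative(name: str, zone: str) -> str:
    """Strip the zone suffix and trailing dot; '@' denotes the apex."""
    name, zone = name.rstrip("."), zone.rstrip(".")
    if name == zone:
        return "@"
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]
    return name  # already relative, or outside the zone


def parse_bind_line(line: str, zone: str) -> PanelRecord:
    tokens = _tokenize(line.strip())
    if len(tokens) < 3:
        raise ValueError(f"not a record line: {line!r}")
    name, rest = tokens[0], tokens[1:]
    ttl = None
    # Optional TTL and class may appear in either order before the type.
    while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
        if rest[0].isdigit():
            ttl = int(rest[0])
        rest = rest[1:]
    rtype, rdata = rest[0].upper(), rest[1:]
    if rtype == "TXT":
        # Several quoted strings form one logical value; the panel adds quotes.
        value = "".join(rdata)
    elif rtype in _HOSTNAME_TYPES:
        value = " ".join(t.rstrip(".") for t in rdata)
    else:  # A, AAAA, CAA, ...: keep rdata as-is, quotes already stripped
        value = " ".join(rdata)
    return PanelRecord(_relative(name, zone), ttl, rtype, value)


if __name__ == "__main__":
    # Constructed sample lines in the shape the DNS check prints them.
    sample = [
        '_mta-sts.example.org. 3600 IN TXT "v=STSv1; id=202605071851"',
        "_dmarc.example.org. 3600 IN TXT \u201cv=DMARC1;p=reject;adkim=s;aspf=s\u201d",
        'example.org. 3600 IN CAA 0 issue "letsencrypt.org"',
        "example.org. IN MX 10 mail.example.org.",
    ]
    for line in sample:
        r = parse_bind_line(line, "example.org")
        print(f"name={r.name!r:12} ttl={r.ttl} type={r.rtype:4} value={r.value!r}")
```

If the panel has no TTL field at all, leave `ttl` alone and accept the provider’s default; the value and name are what matter for the checks.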

Oh. So I just leave it that way? Is it necessary to change my provider? Would be some work again.

Actually, I could reduce the things missing.

Port 587 was already gone. But when checking again, the entry seems to be missing again. Maybe it takes some time till everything runs correctly. The TTL (= “refresh time”?) is 10000, I think, at strato.

Well I also realised, that I posted my domain. Now my private relay can be used by anyone. How stupid of me. :-)))

removed the double quotes

Well, now everything is set except the CAA. So I will leave it that way unless it’s massively risky.

One last question or request,

Is it possible to remove the files and points where I mention my domain? I removed the entries where I could still edit my posts but there are still posts where it’s visible. I’ve no problem if other people use my relay but I’m kind of afraid that too many of them could bring my RaspPi to the limit.

I edited out everything I found.