Hi all, I have the errors in mail.log 'Hostname [server1.example.com] does not resolve to address [serverIP].' Emails that are being sent from the server are not getting sent. Emails from users to other users are being sent and received no problem. I've verified the hostname with:- $ hostname mail $ hostname -f mail.example.com $ host example.com example.com has address [serverIP] example.com mail is handled by 10 mail.example.com $ dig mail.example.com |grep "ANSWER SECTION" --after-context=3 ;; ANSWER SECTION: mail.example.com. 3600 IN A [serverIP] ;; Query time: 56 msec $ host [serverIP] [serverIP].in-addr.arpa domain name pointer mail.example.com. Everything is as it should be. I did notice fail2ban had banned my [serverIP] it so I had to whitelist it. Also, letsencrypt will not update it's certificate on mail.example.com, so I implemented the instructions from the link below. I have certbot. https://forum.howtoforge.com/thread...d-lets-encrypt-ssl-certificate-certbot.86372/ Implementing this still failed to let letsencrypt assign a certificate to mail.example.com. But I noticed a catch 22 with the instructions. It says make the hostname the parent and add aliases for the other domains on your server using that as the parent. All the aliases were then able to pass the https://www.sslshopper.com/ssl-checker.html test, but the parent... mail.example.com still failed. Then I read from @till somewhere that we can't use the hostname as a website. So the question is... what do you use for the 'parent' of those aliases? You have to give the parent to postfix to use so all the aliases get the benefit of postfix... but the parent cannot be a website if it's the servers hostname. All that aside... I've hit a brick wall and am in exactly the same spot I was a year ago with my first post. Emails from server not working. I upgraded the server 6mnths ago using the migration tool and guess I just imported the problem along with it. I've been using self-signed certs with the dirty little (un-safe) hack, just to get by. 'streamOptions' => [ 'ssl' => [ 'allow_self_signed' => true, 'verify_peer' => false, 'verify_peer_name' => false, ], ] Any ideas is Most welcome. After a year... I conceed... it's beyond me :/ Thanx in advance if you can help. Oh yeh, an edit... when I did the migration I installed ispconfig on the new debian 11 server using the auto install, but I don't remember creating an A record 'beforehand' for the hostname with my provider... could that be where and why postfix is not recognising the IP address that everywhere else is? Just a thought, cause I saw that in the fine print on the auto installer instructions as I've just spun up another server in the hope of beating this lol edit 2: Or maybe it's incrons fault?
The error says server1.example.com is not found but your hostname seems to be mail.example.com according to the hostname command output. So you must check postfix main.cf file and /etc/mailname file to see where server1.example.com is used and change that, then restart postfix. Yes, because the website might not work then, this has no effects on the mail system, so it's unrelated to your issue. If you don't create an A-Record before you install, then you won't get a Let's Encrypt cert for the mail system and ISPConfig as Let#s Encrypt will not issue a SSL cert for non existing domains or subdomains and they will also not issue certs for domains pointing to the wrong IP address. That's why it is so important to do this upfront before installing the system. Normally your mistake is easily fixable by running: ispconfig_update.sh --force and let the updater create a new Let's Encrypt SSL cert for you. But as you reconfigured your mail system now to use a different LE cert as described here https://forum.howtoforge.com/thread...d-lets-encrypt-ssl-certificate-certbot.86372/, this easy fix is not applicable on your server anymore. For your system, you will have to fix and debug this manually now by following the Let's Encrypt error FAQ: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ Btw. You should really consider just contacting ISPConfig business support as you struggle for such a long time to resolve the issue yourself. https://www.ispconfig.org/get-support/?type=ispconfig
Thank you for your reply Till. I will persist with this new server then, I really just want to get back to a known base again
So to understand and for completeness sake... 1/ spin up new server. 2/ create an A record to myNewServer.com (or to server1.myNewServer.com) or both, using the new IP address. Then only 'After' I get a response that the A record has propogated around the world, Then I can install Ispconfig using the Auto installer? I was only ever creating NS records pointing to my server before, and creating all the A records within IspConfig for all my websites within there.
Yes if you want LE certs to be immediately created during ISPConfig install. No if you want to install immediately, in which scenario self-signed certs will be created instead and you can re-run ISPConfig update after the A record has been propagated later to replace that with LE certs. Both ways are possible as they are just a matter of preference or choice.
Ok, Getting closer I now have the very same error I had way back on the original server. Code: stream_socket_enable_crypto(): Peer certificate CN='server1.server.com' did not match expected CN='mail.secondDomain.com' Because postfix is using 'server1.server.com' for the letsencrypt certificate, does that mean that I have to change the mx record of my secondDomain from 'mail.secondDomain.com' to 'server1.server.com' in order to prevent the above error? The error comes from php7.4 running on secondDomain.com website when trying to send out an email. Or maybe I have to revert back to the hack I had to implement previously... Code: 'streamOptions' => [ 'ssl' => [ 'allow_self_signed' => true, 'verify_peer' => false, 'verify_peer_name' => false, ], ] Why can't postfix read/use the different domains Letsencrypt certs when sending emails? Is there a way to make that happen?
Which is what any mail system that communicated with your postfix instance expects it to be. No. MX Records just have to match an A-Record pointing to the IP of the mail system. They do not have to point to the server hostname (but they can of course). The error just means that you are using the wrong SMTP server name in your PHP script, nothing wrong with your mail system here. So all you have to do is to use the correct SMTP server name in the script and the correct SMTP server name is the hostname of your system " server1.server.com". Plus undo the stream option settings you did of course.
I know we mentioned not to make a website using the servers hostname... ie 'server1.server.com' but can I make one for 'server.com' without causing problems?
Sure. The reason why a server hostname should be a subdomain is exactly to enable you to use the domain itself as a website.
Just to elaborate only: Basically the current problem lies in server that uses acme.sh, but not certbot, so it is possible to make such website if your server is using certbot, but not if it is using acme.sh, for now. Expand This is my observation: If one look deeply into ISPConfig code that is using acme.sh tend to follow literally install of LE certificates where acme.sh developers clearly mentioned that in acme.sh install LE certs simply means copy i.e. they actually "need not be copied" but are "preferred to be copied" to another location. The problem with this acme.sh install is there can only be one location to be copied to and that will stored in the LE certs config file. The only solution for multiple location is only to use renewal hook, if this install method is used, as confirmed by the developer himself. Well, to me preferred to be copied is not a solution, as problem with copy is that it creates more of the same files in another location which will use more of one storage, though may not be significant. So why install (copy) when you can manually use symbolic link (symlink)? They said, at a very very long time ago, when acme.sh was not stable, that because it structures (location) may change but that had never happened, until today. We may also add its location to backup, like we backup letsencrypt folder in etc directory, if we didn't change it to etc directory. My thinking for solution: Expand (which I obviously don't want to code it into ISPConfig because there'll usually be a lot of arguments especially when people think it was never a problem at the first place): is ignore this install method and remove it totally, create ISPConfig own method which I'd suggest to use symlink (I noted that acme.sh is just a bash programming so basically no problem to just use that), add backup to acme.sh directory when ISPConfig is installed / updated, or obviously don't use /root/acme.sh but use /etc/acme.sh (use --home /etc/myacme issuing LE certs so ISPConfig may use its own structure). This way, there'll be no problem in creating website using server hostname with acme.sh as well (and reduce a very very minor usage of spaces), or at least I think it will work in such a way. Sorry for sharing my unnecessary observations and thinking, that is why I put it in a spoiler, but i hope it is useful at least to make one thinking again instead of being complacent with what we already did.
Doh, now the emails between users aren't working... Outlook is complaining that the certificate Doh! And the server I was just about to ditch runs with certbot because I used the migration tool to move everything from the centos 7 server to debian. The migration tool states that the target server must have the same as the old server... either certbot or acme.sh. I thought I was doing myself a favour by ditching certbot, but I can see now, I'm prolly shooting myself in the foot LOL. I definately thought I was on the home stretch here, but in all this... I've just discovered that while this brand new server (with acme.sh) can send out emails now, the users clients like outlook etc. Outlook is now saying it can't connect with the smtp settings on the server. I tried putting in the same details as Till described above, ie:- hostname that postfix uses, but still no cigar. Most frustrating, either the server can't send emails and users can, or vice versa, but not both working at the same time
If Outlook complains the certificate is wrong, maybe you have not restarted dovecot? Or dovecot does not use the new certificate? Make sure dovecot, postfix etc. do use the same certificate and it is the one that your LE client creates. Can Outlook show details of the certificate it sees? This way you could check if it indeed is using some other certificate.
What @ahrasis posted is actually not the case, so just forget what he told you. He mixed up a few things, what you can't do is create a website for the hostname (server1.example.com) when using acme.sh, but that's not what we are talking about here. You can have a website example.com on a server that has the hostname server1.example.com with acme.sh and also with certbot, no issues at all with that. Check your outlook settings, you likely use the wrong SMTP server name in outlook. The SMTP and IMAP server must be server1.example.com (the hostname), as shown when running 'hostname -f' command. When changing the names in outlook, I'll recommend restarting outlook and also delete the email that you tried to send, outlook has the tendency to keep using old email settings for a mail that waits for being send even if you changed settings in outlook.
Thank you Till, it was only after I completely deleted the email and removed all ost, pst files did it use the settings I was entering. Now she is running fine as with the website as well Thank you Taleman... I didn't have to apply what you suggeted, but I would've done a re-start on Dovecot if Till's suggestion didn't work because I hadn't done that at all yet. And a BIG thank you to @ahrasis and his comments, for without which I could very well have been in the same spot for another year LOL I've learnt a lot in thread and hope it can go someway to helping other isp newbies like myself Thank you all again.