Encryption during forwarding #6

Closed
kachkaev opened this issue Jul 18, 2016 · 20 comments

@kachkaev

Hi again Zhuohuan,

A possible little issue here. Could you please document how encryption can be done during forwarding? I got this message from Google after receiving a redirected email.

[screenshot: screen shot 2016-07-19 at 00 33 48]

Learn more points here.

No worries if this is not possible - I personally don't need encryption. Just curious about how things work; this may also help other potential users :–)

@huan
Owner

huan commented Jul 19, 2016

It seems to be because SMF can't use TLS to send mail to Gmail.

Why some emails might not be encrypted
If the person you’re emailing with is using an email service that doesn’t encrypt all messages using a system called Transport Layer Security (TLS), their emails might not be secure, even though Gmail will encrypt whenever possible. For delivery TLS to work, the email delivery services of both the sender and the receiver always have to use TLS. Learn more about email delivery with TLS encryption.

I see a red open padlock when replying to a message without a red padlock
It’s possible for email providers to send messages to Gmail users using TLS but not yet support receiving encrypted messages.

I did not see this warning in my Google Apps for Your Domain free plan.

Could you tell me about:

  1. Are you using a Business Plan of GAfYD?
  2. Will this warning appear when you reply to this email in Gmail?

@kachkaev
Author

I'm just using a standard Gmail account (xxx@gmail.com) and the emails are just redirected there:
SMF_CONFIG=email-redirect@my-website.org:xxx@gmail.com. I did not set up anything else apart from running the container. Or did I have to?

@huan
Owner

huan commented Jul 20, 2016

got it. I'll check for this when I have time.

thanks! :)

@huan huan added the bug label Jul 20, 2016
@counterbeing

I've definitely noticed this as well. An unfortunate side effect for me is that all of my messages end up in the spam folder. I was trying to use latest, which didn't work, so I rolled back to 0.4.1, which seems to have this problem but also does forward mail.

Thanks for the great image. Wonderfully easy interface, with all that I need. Please let me know if I can provide any info to help troubleshoot this issue. 👍

@huan
Owner

huan commented Sep 21, 2016

@counterbeing thanks for your comments! I had just put it into the README. :)

I have no idea why the latest code doesn't work, but it seems that the tests fail without any major modification for now. I will check it later.

And if you are familiar with postfix and run into this issue, I hope you can try to docker exec inside the container and try to make a workaround. I had set up a lot of mail servers, but that was 15 years ago, so I have no experience of CA/TLS.

Help needed.

@dimitrovs
Collaborator

I think the latest build fails because openssl is not included in the docker file. Tests still fail but it works fine.

@counterbeing

I think it does have something to do with openssl, but I'm not sure what yet. I keep running into Error relocating /usr/bin/openssl: SRP_VBASE_get1_by_user: symbol not found. I tried using bash inside the container to run the same command that it uses to test and get that same response:

This being the command: openssl s_client -starttls smtp -crlf -connect 127.0.0.1:25

@dimitrovs
Collaborator

The openssl package is missing that's why it can't find the binary. The proper fix for this is to add openssl to the list of packages in the dockerfile. If you just want to hack it together you can run "apk add openssl" inside the container.

@huan
Owner

huan commented Sep 22, 2016

@dimitrovs I'm wondering why there was no problem before, because I know I used the openssl command inside the test script...

@dimitrovs
Collaborator

@zixi maybe one of the underlying images changed? But that's not the only problem with the test scripts; I was never able to get them to pass even though forwarding works fine. It also tries to connect to some host that's not available during build/test; I haven't figured out which one yet.

@huan
Owner

huan commented Sep 26, 2016

@dimitrovs

Yes, the unit test failure is because part of openssl did not work after apt-get upgrade for Alpine.

After disabling it, all unit tests passed again, with new version 0.4.2.

@counterbeing

I can confirm, my tests are passing. Mail is forwarding as expected. But I'm still getting an unencrypted warning from gmail. Is that still expected?

@huan
Owner

huan commented Sep 27, 2016

@counterbeing the warning from Gmail is not expected; it's a confirmed bug (but we do not know where it lies yet).

Hope somebody could figure it out; then we can easily get rid of it.

@nelfer
Contributor

nelfer commented Oct 27, 2016

I'm experiencing this; at least in my case stuff is not going to SPAM.
So far what I read from Google is that when Google connects to the SMTP service, it asks if it supports TLS and, if so, it tries to establish an encrypted connection. If TLS is not supported, that's when Google shows the warning (it's not so much of an issue; it's just telling you that the email was transmitted in plain text from that server to theirs).
I guess in theory it should be a matter of providing the certificate and private key to postfix.
I'll play around and see if I can figure out something.

@kachkaev
Author

@nelfer unfortunately I had to switch to tomav/docker-mailserver in order to overcome this. It turns out that handling emails is not so trivial and requires learning various scary words like AMAVIS, DKIM, TLS, SPF and others.

When your emails go through your server either way, they need to be signed with a DKIM key, which is then verified by a receiver (e.g. Gmail) by means of a special DKIM TXT record in your domain's DNS (yes, it's necessary to edit your DNS as well!).

Sorry for advertising a competing project; what I hope is that it can work as an inspiration for this one. I'm not 100% happy with docker-mailserver, because it feels like I'm using a sledgehammer to crack nuts :–)

If you decide not just to redirect emails, but also to 'reply as' via your server, what I'd recommend is this nice tool: http://mail-tester.com/

@nelfer
Contributor

nelfer commented Oct 27, 2016

@kachkaev OK. I read a little bit about DKIM and that's for sending email and confirming that name@domain.com actually comes from @domain.com. I might be wrong, but I think this is not needed when we're just forwarding.
So I used a service that checks SMTP and I got this output:

[000.255]       Connection converted to SSL
[000.277]
Certificate 1 of 2 in chain:
subject= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
issuer= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
[000.297]
Certificate 2 of 2 in chain:
subject= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
issuer= /C=US/ST=Matrix/L=L/O=O/CN=simple-mail-forwarder.com
[000.298]       Cert NOT VALIDATED: self signed certificate
[000.298]       So email is encrypted but the domain is not verified
[000.298]       Cert Hostname DOES NOT VERIFY (mail.nelfer.com != simple-mail-forwarder.com)
[000.298]       So email is encrypted but the host is not verified
[000.298]   ~~>     EHLO checktls.com

Because the certificate is self-signed, it's not considered valid.
I do have a valid certificate from Let's Encrypt (https://letsencrypt.org/), so I will try tonight replacing that certificate (generated when the image is created) with mine and see if encryption is then supported.
I'll let you know about my progress.
If so, then we just need a volume at /etc/postfix/certs to put our own certificates in.

@nelfer
Contributor

nelfer commented Oct 28, 2016

I'm happy to report that I found the solution! And it is very simple.
Here's proof that it is working:
[screenshot: selection_001]

For now I did the fix by doing a docker exec and going into the container to modify the main.cf file.
It needs this simple line:
smtp_tls_security_level = may

The issue is that smtpd is for the receiving end and that's configured already. But once an email is received, postfix must send it to another SMTP server (in this case Gmail's). So this setting tells it to use TLS encryption. And it works with the certificates automatically generated in the image.

I'll try to send this as a pull request (also the ability to use your own certificates. I will modify the init-ssl script so that, if a certificate already exists, it does not generate a new one; that way we can use a volume with your own certificates).
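
As an added example, not code from this issue or from the simple-mail-forwarder image, the following POSIX shell script puts the smtpd-versus-smtp distinction above into checkable form: it reads a Postfix main.cf and classifies the inbound (smtpd_) and outbound (smtp_) TLS policy the way Postfix resolves it, including the fallback to the obsolete *_use_tls / *_enforce_tls booleans when *_tls_security_level is unset. The three main.cf fragments, the certificate paths inside them and the function names are constructed for the demo and are not taken from the image.

```shell
#!/bin/sh
# Added example (not from the issue or the simple-mail-forwarder image).
# Postfix has two independent TLS policies:
#   smtpd_tls_*  server side: mail arriving at the container (Gmail -> us)
#   smtp_tls_*   client side: mail the container relays onward (us -> Gmail)
# Gmail's open-padlock warning on a forwarded message is about the second.

# Effective value of a main.cf parameter. Like postconf, the last assignment
# wins; commented-out lines never match because of the ^ anchor.
#   $1 = path to main.cf   $2 = parameter name
postfix_param() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Classify one side's TLS policy as Postfix resolves it.
#   $1 = path to main.cf   $2 = "smtp" (outbound) or "smtpd" (inbound)
# Prints none | opportunistic | mandatory; returns 1 when TLS is off entirely.
tls_level() {
    level=$(postfix_param "$1" "${2}_tls_security_level")
    if [ -z "$level" ]; then
        # Unset level: Postfix falls back to the obsolete boolean parameters
        # (both default to "no", i.e. level "none").
        if [ "$(postfix_param "$1" "${2}_enforce_tls")" = yes ]; then
            level=encrypt
        elif [ "$(postfix_param "$1" "${2}_use_tls")" = yes ]; then
            level=may
        else
            level=none
        fi
    fi
    case "$level" in
        none) echo none; return 1 ;;
        # "may": STARTTLS when the peer offers it, else plaintext; no cert check.
        # "dane" (smtp side only) is also opportunistic unless TLSA records exist.
        may|dane) echo opportunistic ;;
        # "encrypt" requires TLS; the remaining levels also verify the peer cert.
        encrypt|dane-only|fingerprint|verify|secure) echo mandatory ;;
        *) echo "unknown:$level"; return 1 ;;
    esac
}

# Constructed main.cf fragments for the demo; the cert paths are assumptions,
# not the image's real certificate locations.
WEAK_CF=$(mktemp) && FIXED_CF=$(mktemp) && LEGACY_CF=$(mktemp)
trap 'rm -f "$WEAK_CF" "$FIXED_CF" "$LEGACY_CF"' EXIT

# Inbound TLS configured, outbound left at the Postfix default: accepts
# STARTTLS from Gmail but relays to Gmail in plaintext (the bug in this issue).
cat > "$WEAK_CF" <<'EOF'
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_security_level = may
# smtp_tls_security_level = may    (commented out, so the level is still none)
EOF

# Same file plus the single line from the fix.
cat > "$FIXED_CF" <<'EOF'
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_security_level = may
smtp_tls_security_level = may
EOF

# Old-style configuration that means the same as "may" on the outbound side.
cat > "$LEGACY_CF" <<'EOF'
smtpd_tls_security_level = may
smtp_use_tls = yes
EOF

for cf in "$WEAK_CF" "$FIXED_CF" "$LEGACY_CF"; do
    echo "$cf: inbound=$(tls_level "$cf" smtpd) outbound=$(tls_level "$cf" smtp)"
done
```

A file that scores "none" on the smtp side is exactly what produces Gmail's open padlock: the server accepts STARTTLS from Gmail but relays in plaintext. Note what "may" does and does not buy you: Postfix will still fall back to plaintext if the next hop offers no STARTTLS, and it does not verify the peer certificate, so the padlock disappearing means the hop was encrypted, not that the peer was authenticated. To confirm at runtime rather than from the file, the probe already used in the thread, openssl s_client -starttls smtp -connect 127.0.0.1:25, exercises the inbound side, and a Postfix log line of the form "Untrusted TLS connection established to ..." for the Gmail MX shows the outbound side working.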

@nelfer
Contributor

nelfer commented Oct 28, 2016

Pull request is now just waiting for test/approval.

@huan
Owner

huan commented Oct 30, 2016

This issue should be fixed by #15, thanks @nelfer!

@huan huan closed this as completed Oct 30, 2016
@nelfer
Contributor

nelfer commented Oct 31, 2016

Hi @kachkaev
As you said, if the email is used for "Reply As", the email gets a spam index of less than 10 (10 being "not spam", based on that tool you posted). That is because even though I'm using Gmail and their DKIM records are in order and stuff, my email domain doesn't match, so it gets some fraction removed, but the rest (in the authentication part) is OK. Overall now I'm getting over an 8 score (the biggest drawback is that Gmail's IP is blocked in some blacklist, so that's beyond my control). For simple forwarding it's fine to use now.
For sending emails from your email (using Gmail for example) it's still pretty good now.
