OPNsense Forum

English Forums => Documentation and Translation => Topic started by: opnsenseuser on January 05, 2019, 06:57:21 pm

Title: Letsencrypt and Mailserver (IRedmail) ?
Post by: opnsenseuser on January 05, 2019, 06:57:21 pm
Hello community! :-)

I have two questions and hope someone can help me!

I have been hosting my own email server for one day and use iRedMail for it. Sending mails is already working, but receiving does not work yet. But that's another problem.

Additionally, I have Let's Encrypt installed. This runs so far without errors.

Now I use Squid. If I'm not mistaken, Squid cannot be used with the Let's Encrypt certificate!

How can I use the Let's Encrypt certificate that OPNsense generated for my mail server?
Do I have to export it from OPNsense via the trust menu, or can I somehow automate this?

Can someone give me a detailed guide? Unfortunately I did not find anything on this topic.

best regards, rene
Title: Re: Letsencrypt and Mailserver (IRedmail) ?
Post by: fabian on January 05, 2019, 09:50:44 pm
This is not an API-enabled module (trust), so you have to export it using manual HTTP calls while handling the XSRF protection.

You can also export the config.xml (use the api-backup plugin) and extract the certificate and the key from it (really simple when using nokogiri (https://www.nokogiri.org/)) if you want, but long story short: it is not natively supported.

This is an example (obsolete script for backups) for manual requests, before the api plugin existed:
https://github.com/fabianfrz/scripts/blob/master/OPNsense/backup_over_http.rb
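The second route fabian describes (export config.xml, pull the certificate and key out of it) as an added example; this is not code from the thread or from the OPNsense project, it uses Ruby's bundled REXML instead of nokogiri so it runs without extra gems, and it assumes the config.xml layout `<opnsense><cert><refid/><descr/><crt/><prv/></cert>` with base64-encoded PEM in `<crt>` and `<prv>`. The sample config.xml, refids and PEM bodies are constructed placeholders.

```ruby
require 'rexml/document'
require 'base64'

# Constructed sample config.xml (assumed layout: each certificate is a <cert>
# with <refid>, <descr>, <crt>, <prv>; <crt>/<prv> are base64 of the PEM
# text). The PEM bodies are placeholders, not real key material.
SAMPLE_CRT_PEM = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n"
SAMPLE_CONFIG_XML = <<~XML
  <?xml version="1.0"?>
  <opnsense>
    <cert>
      <refid>5c30f1e2a1b2c</refid>
      <descr>mail.example.org LetsEncrypt</descr>
      <crt>#{Base64.strict_encode64(SAMPLE_CRT_PEM)}</crt>
      <prv>#{Base64.strict_encode64(SAMPLE_KEY_PEM)}</prv>
    </cert>
    <cert>
      <descr>web-gui</descr>
      <crt>#{Base64.strict_encode64(SAMPLE_CRT_PEM)}</crt>
    </cert>
  </opnsense>
XML

# Decode one base64 field back to PEM; nil when the element is absent.
def decode_pem(b64)
  b64.nil? ? nil : Base64.decode64(b64.strip)
end

# Return every <cert> entry with decoded PEM. An entry without <prv> (a CA, or
# a certificate imported without its key) gets prv: nil rather than an error.
def extract_certs(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, '/opnsense/cert').map do |cert|
    { refid: cert.elements['refid']&.text,
      descr: cert.elements['descr']&.text,
      crt:   decode_pem(cert.elements['crt']&.text),
      prv:   decode_pem(cert.elements['prv']&.text) }
  end
end

# Write the certificate whose <descr> (the name shown in the trust menu)
# contains `name` to dir/cert.pem and dir/key.pem. The key file is created
# with mode 0600 so only its owner can read the private key.
def export_cert(xml, name, dir)
  entry = extract_certs(xml).find { |c| c[:descr].to_s.include?(name) }
  raise ArgumentError, "no certificate matching #{name.inspect}" if entry.nil?
  raise ArgumentError, "#{entry[:descr]} has no private key" if entry[:prv].nil?
  crt_path, key_path = File.join(dir, 'cert.pem'), File.join(dir, 'key.pem')
  File.write(crt_path, entry[:crt])
  File.open(key_path, 'w', 0o600) { |f| f.write(entry[:prv]) }
  [crt_path, key_path]
end
```

A call such as `export_cert(File.read('config.xml'), 'mail.example.org', '/etc/ssl/mail')` writes the pair the mail daemons can then be pointed at; re-running it after each renewal is what keeps the mail server's certificate in step with the one on the firewall.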
Title: Re: Letsencrypt and Mailserver (IRedmail) ?
Post by: opnsenseuser on January 05, 2019, 10:24:44 pm
Thanks for the explanation. :-) That's great! -> I'll think about how I do that. ;-)

My email server is running now. Sending and receiving works perfectly.
But I do not quite understand why a NAT rule alone is sufficient.
I always thought I first had to open the port on the WAN interface (25) and then make a NAT rule for the internal server. But it was enough to only create the NAT rule. See the screenshot.

Can you explain that to me?
And what can I do to better secure the port? Is it safe the way I created the rule?
I would be very grateful for any support.

best regards, René
Title: Re: Letsencrypt and Mailserver (IRedmail) ?
Post by: fabian on January 05, 2019, 11:05:55 pm
See the entry "Filter rule association" on your screenshot -> create a pass rule.
Title: Re: Letsencrypt and Mailserver (IRedmail) ?
Post by: opnsenseuser on January 05, 2019, 11:39:01 pm
Where can I see this rule?
What else can I do to make the port safe(r)?
I made some WAN rules! Does this make sense? (screenshot)

regards
René
Title: Re: Letsencrypt and Mailserver (IRedmail) ?
Post by: fabian on January 06, 2019, 12:20:20 am
> Where can I see this rule?
/tmp/rules.debug (PF rule file)

> What else can I do to make the port safe(r)?
If you want to use only a DNAT, you can only use Suricata. The mail plugin collection (postfix, rspamd, redis, clamav) offers more protection, but something like this may already be included in your server.

> I made some WAN rules! Does this make sense? (screenshot)
I would have to check /tmp/rules.debug, but I don't want to do this currently, so you can look it up yourself.