[#] Fri Apr 04 2025 13:24:40 UTC from TaMeR

Subject: Re: Help need in "Fully qualified domain name" configuration.


Read this page, especially the part about contacting support.
We are not paid employees here, and will not react kindly to demands.

 

Fri Apr 04 2025 13:00:11 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

Good morning (there),

About "And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?"

 

Can I put two private keys etc in the same file (/usr/local/citadel/keys/citadel.key) (and also in the other keys files)? One private key for "host.net" and other for "mail.host.net".

Thanks,

 

 

Luís.

Fri Apr 04 2025 09:40:23 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

I forgot to ask.

 

And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?

And a new DKIM key will be generated or it will be the same?

 

Thu Apr 03 2025 20:58:20 UTC from TaMeR Subject: Re: Help need in "Fully qualified domain name" configuration.

 

Thu Apr 03 2025 15:38:03 UTC from luisgo Subject: Help need in "Fully qualified domain name" configuration.

Dear All,

I want to configure my server with "Fully qualified domain name".

The email subdomain will be mail.host.net  (as an example).

There is a setting of "Fully qualified domain name" in the Citadel.

I have several questions:

1st Can I set the Fully qualified domain name as mail.host.net and the emails addresses as xxxxxxx@host.net? What must be done for that?

Yes,

  1. Just go in to the mail.host.net/select_user_to_edit
  2. Select user from "Edit or Delete users"
  3. Select Edit configuration
  4. modify Primary Internet e-mail address to xxx@host.net
  5. below at Internet e-mail aliases you can add aliases such as yyy@host.net, yyy@mail.host.net, webmaster@host.net, postmaster@host.net

2nd What to put in the below setting? "host.net"?

Local host aliases
(domains for which this host receives mail)

Yes, you can add multiples, separated with a comma, such as host.net, mail.host.net

3rd I suppose I must set my DNS registry to answer also to "mail.host.net"

Yes

4th I suppose I must put the reverse DNS as "mail.host.net"

Yes

5th In the email client configuration the servers will be "mail.host.net".

Yes

Thank you for the possible answers,

Luís Gonçalves.

[#] Sat Apr 05 2025 11:59:33 UTC from luisgo

Subject: Re: Continually under attack.


Dear All,

I did not report about the follow up of this.

I changed a password of a user (not administrator but owned by me). The user had a password related to the login name (equal but with some capital letters and some numbers added). I suppose that the password was obtained by brute force.

Also to answer to an old thread that I said that the Client SSL email configuration in thunderbird does not work with citadel. Some time ago I managed to put to work despite I do not know what happened before.

Thanks,

Luís Gonçalves

 

Sun Mar 16 2025 03:40:25 UTC from IGnatius T Foobar Subject: Re: Continually under attack.
data directory until disk full and citadel become unusable.

Please give me a solution. This way citadel become unusable.

You're either being spammed hard or someone has acquired the password to an account on your system. Didn't this happen to you before? I wonder if maybe the account they used didn't get locked down?

Really the only way to find out what's going on is to watch your syslogs and see what citserver is doing.

 



[#] Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

[#] Sat Apr 05 2025 17:54:43 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



[#] Sat Apr 05 2025 17:59:17 UTC from TaMeR

Subject: fail2ban


Has anyone created a citadel  template for fail2ban?



[#] Sat Apr 05 2025 18:34:06 UTC from TaMeR

Subject: Your RSS feed


[#] Sat Apr 05 2025 19:18:08 UTC from luisgo

Subject: Re: Help need in "Fully qualified domain name" configuration.


Sorry, about something I do not understand. I did not want to be rude.

 

Fri Apr 04 2025 13:00:11 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

Good morning (there),

About "And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?"

 

Can I put two private keys etc in the same file (/usr/local/citadel/keys/citadel.key) (and also in the other keys files)? One private key for "host.net" and other for "mail.host.net".

Thanks,

 

 

Luís.

Fri Apr 04 2025 09:40:23 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

I forgot to ask.

 

And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?

And a new DKIM key will be generated or it will be the same?

 

Thu Apr 03 2025 20:58:20 UTC from TaMeR Subject: Re: Help need in "Fully qualified domain name" configuration.

 

Thu Apr 03 2025 15:38:03 UTC from luisgo Subject: Help need in "Fully qualified domain name" configuration.

Dear All,

I want to configure my server with "Fully qualified domain name".

The email subdomain will be mail.host.net  (as an example).

There is a setting of "Fully qualified domain name" in the Citadel.

I have several questions:

1st Can I set the Fully qualified domain name as mail.host.net and the emails addresses as xxxxxxx@host.net? What must be done for that?

Yes,

  1. Just go in to the mail.host.net/select_user_to_edit
  2. Select user from "Edit or Delete users"
  3. Select Edit configuration
  4. modify Primary Internet e-mail address to xxx@host.net
  5. below at Internet e-mail aliases you can add aliases such as yyy@host.net, yyy@mail.host.net, webmaster@host.net, postmaster@host.net

2nd What to put in the below setting? "host.net"?

Local host aliases
(domains for which this host receives mail)

Yes, you can add multiples, separated with a comma, such as host.net, mail.host.net

3rd I suppose I must set my DNS registry to answer also to "mail.host.net"

Yes

4th I suppose I must put the reverse DNS as "mail.host.net"

Yes

5th In the email client configuration the servers will be "mail.host.net".

Yes

Thank you for the possible answers,

Luís Gonçalves.

[#] Sun Apr 06 2025 20:08:12 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 17:54:43 UTC from TaMeR Subject: Re: STARTTLS isn't supported

 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



telnet srv2.tamer.pw 587
Trying 107.189.21.115...
Connected to srv2.tamer.pw.
Escape character is '^]'.
220 srv2.tamer.pw ESMTP Citadel server ready.
ehlo
250-Hello  (37.155.91.16 [37.155.91.16])
250-HELP
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
554 TLS not supported here
quit
221 Goodbye...
Connection closed by foreign host.

 



[#] Sun Apr 06 2025 20:27:59 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 17:54:43 UTC from TaMeR Subject: Re: STARTTLS isn't supported

 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



 

I had switched the citadel and webcit domain name from srv2.tamer.pw to mail.hansaray.pw
I also had created new SSL certs with Letsencrypt for mail.hansaray.pw and everything.
Thinking that that may be the problem, I switched back to srv2.tamer.pw, since that is the main hostname.
But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not supported here.
Oh, and webcit https works fine, go figure. Considering it uses the same certs.

telnet srv2.tamer.pw 587
Trying 107.189.21.115...
Connected to srv2.tamer.pw.
Escape character is '^]'.
220 srv2.tamer.pw ESMTP Citadel server ready.
ehlo
250-Hello  (37.155.91.16 [37.155.91.16])
250-HELP
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
554 TLS not supported here
quit
221 Goodbye...
Connection closed by foreign host.

 



[#] Mon Apr 07 2025 22:12:48 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not
supported here.

I think I have a clue. The code that tells the SMTP server whether to offer STARTTLS doesn't actually check to see if Citadel Server is built with OpenSSL.
The code that handles the STARTTLS command, naturally, has to do that.

Let me check to see. You can check your server a couple of different ways.
First you can check the citserver binary to see if it's got OpenSSL linked into it. Also try some of the other protocols to see if STARTTLS works. (Not WebCit of course, since that's a different binary.)

[#] Tue Apr 08 2025 01:37:01 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


First you can check the citserver binary to see if it's got OpenSSL
linked into it. Also try some of the other protocols to see if STARTTLS
works. (Not WebCit of course, since that's a different binary.)

Ok, so there's no such thing as a Citadel Server build that doesn't include SSL. I was pretty sure that it had become a requirement but I checked.

If you're getting "TLS not supported here" there's going to be a message in your syslog indicating what happened. Try to get that syslog message and we'll take it from there.

[#] Tue Apr 08 2025 13:29:47 UTC from wojciech.krolikowski

Subject: "Online" backup


Hi,

without going into details: how do I back up the Citadel DB without stopping the server? ctdldump requires (according to docs) stopping the Citadel server. Is there any other way to do backup?

 

Kind regards



[#] Tue Apr 08 2025 13:38:40 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Mon Apr 07 2025 22:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not
supported here.

I think I have a clue. The code that tells the SMTP server whether to offer STARTTLS doesn't actually check to see if Citadel Server is built with OpenSSL.
The code that handles the STARTTLS command, naturally, has to do that.

Let me check to see. You can check your server a couple of different ways.
First you can check the citserver binary to see if it's got OpenSSL linked into it. Also try some of the other protocols to see if STARTTLS works. (Not WebCit of course, since that's a different binary.)

I did some research on this.
The reason it is not working is that I had removed --network host from the docker command. (See below)
The options --network host and -a are in conflict, you can't run both!
Unless there is another way for me to change the webcit port this setup won't work for me.
I need to have a webserver for other things, and I will not run a dedicated server for mail only.
I know I started this whole docker thing, but I hate it now. Almost as much as I hate systemd.
The only reason I did try the docker thing was because easyinstall did not work on Void Linux.
Will easyinstall work on another Linux system, which does not use systemd? Such as Alpine Linux maybe?
If not, well I remember reading somewhere that easyinstall will work on FreeBSD. Maybe I have to finally do the jump into BSD, and kiss Linux goodbye.
I am also done bothering you with this. Hope we will finally solve this issue.

 


docker run -d --restart=unless-stopped --hostname=${CIT_DOMAIN_NAME} \ --volume=/usr/local/citadel:/citadel-data \ --volume=/usr/local/webcit/.well-known:/usr/local/webcit/.well-known \ --volume=/usr/local/webcit/static.local:/usr/local/webcit/static.local \ -p 25:25 \ -p 110:110 \ -p 119:119 \ -p 143:143 \ -p 465:465 \ -p 504:504 \ -p 563:563 \ -p 587:587 \ -p 993:993 \ -p 995:995 \ -p 5222:5222 \ -p 8080:80 \ --name=citadel citadeldotorg/citadel

 



[#] Tue Apr 08 2025 13:45:44 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


The code went off the screen. Here it is again with <pre>

docker run -d --restart=unless-stopped --hostname=${CIT_DOMAIN_NAME}  \
   --volume=/usr/local/citadel:/citadel-data \
   --volume=/usr/local/webcit/.well-known:/usr/local/webcit/.well-known \
   --volume=/usr/local/webcit/static.local:/usr/local/webcit/static.local \
   -p 25:25     \
   -p 110:110   \
   -p 119:119   \
   -p 143:143   \
   -p 465:465   \
   -p 504:504   \
   -p 563:563   \
   -p 587:587   \
   -p 993:993   \
   -p 995:995   \
   -p 5222:5222 \
   -p 8080:80   \
   --name=citadel citadeldotorg/citadel


[#] Wed Apr 09 2025 01:21:41 UTC from IGnatius T Foobar

Subject: Re: "Online" backup


without going into details: how do I back up the Citadel DB without stopping
the server? ctdldump requires (according to docs) stopping the Citadel server. Is
there any other way to do backup?

You can back up the Citadel database directly [ https://www.citadel.org/what_is_the_best_way_to_backup_my_citadel_installation.html ] as long as you make sure the cdb.* files are backed up first, before the log.* files.

The dump format is not really intended for backups. It's intended for migrating between different architectures.

But let me tell you how I do it :)

I've got my Citadel stored on a filesystem that can do snapshots. For me, that's BTRFS, but you can use any filesystem that can do point-in-time snapshots.
So it's simple, really: take a snapshot of the volume (or subvolume) that has Citadel on it, then rsync that snapshot to wherever you want to save it.

I happen to go the extra mile and rotate my snapshots over the course of a week, but you get the idea: the snapshot is guaranteed by the filesystem to be point-in-time consistent, and Citadel Server of any version starting with 993 has absolutely rock solid recoverability as long as you've got all the recent logs still on disk.
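
The two approaches described in this post, as an added sketch that is not from the thread or from the Citadel project: `copy_ordered` copies `cdb.*` before `log.*` from the directory that holds them, and `snapshot_backup` takes a read-only BTRFS snapshot, rsyncs it and drops it. The function names, all paths, and the data directory being a BTRFS subvolume are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to back up a running
# Citadel. Function names and all paths are hypothetical.

# File-level copy: cdb.* first, log.* second, as the post requires.
# Prints each basename in the order it was copied.
copy_ordered() {
    local src="$1" dest="$2" pattern f
    mkdir -p "$dest" || return 1
    for pattern in 'cdb.*' 'log.*'; do
        for f in "$src"/$pattern; do
            [ -e "$f" ] || continue      # pattern matched nothing
            cp -p -- "$f" "$dest/" || return 1
            basename -- "$f"
        done
    done
}

# Snapshot copy: read-only BTRFS snapshot, rsync it away, then drop it.
# Assumes SUBVOL is a BTRFS subvolume and SNAPDIR is on the same filesystem.
snapshot_backup() {
    local subvol="$1" snapdir="$2" target="$3" snap rc
    snap="$snapdir/citadel-$(date -u +%Y%m%dT%H%M%SZ)"
    btrfs subvolume snapshot -r "$subvol" "$snap" || return 1
    rsync -a --delete "$snap"/ "$target"/
    rc=$?
    btrfs subvolume delete "$snap" >/dev/null || return 1
    return "$rc"
}

# Run as: script SUBVOL SNAPDIR TARGET
if [ "$#" -eq 3 ]; then
    snapshot_backup "$@"
fi
```
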

[#] Wed Apr 09 2025 01:38:27 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


The reason it is not working is that I had removed --network host from the docker command. (See below)
The options --network host and -a are in conflict, you can't run both!

Wait, doesn't "-a" just make it attach stdin/stdout?  That's incompatible with using the host network?  That doesn't sound right.

Unless there is another way for me to change the webcit port this setup won't work for me.
I need to have a webserver for other things, and I will not run a dedicated server for mail only.

If you need that, we can add it.  The docker packaging is in a separate repo at https://code.citadel.org/citadel-docker.git and if we need to add options, it's pretty simple to do that.  But let's explore everything before we go there.

The only reason I did try the docker thing was because easyinstall did not work on Void Linux.
Will easyinstall work on another Linux system, which does not use systemd? Such as Alpine Linux maybe?

Easy Install targets systemd because that's what most people have.  But until a few years ago it wrote out sysvinit scripts, because for a long time that is what most people had.  I don't know much about Void Linux.  Is the absence of systemd the only issue, or does Easy Install have other issues building on there?  Hmmm ... I'm doing a quick lookup and it seems that Void has its own package manager?  That'd probably make Easy Install have trouble installing dependencies.

I am also done bothering you with this. Hope we will finally solve this issue.

Unacceptable.  Keep bothering me.  If it's an issue for you then it's an issue for someone else, and we'll find a solution.  Having a "less concise" solution for an edge case is fine as long as it doesn't compromise the "out of the box" easy way for newbies.

There's also the possibility of just compiling it yourself and running it.  It's not that hard.  Install a few libraries, then for each of libcitadel, citadel, webcit, you do the usual configure, make, make install.  Then throw something in your startup scripts to launch them.

Which of the above options sounds interesting to you?



[#] Wed Apr 09 2025 02:31:59 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


All right, my friend, it was bothering me that the container image was missing a few simple options that might make it work better for you, so I added them.
Check out https://www.citadel.org/docker.html and scroll to the bottom to see. Specifically, you can now do "--http-port" and/or "--https-port" to change the port numbers used by WebCit for HTTP and/or HTTPS.

That ought to make "--network=host" mode work better on your system, right?

By the way, I tried the "-a" option to "docker run" and it worked fine when combined with "--network=host" so I'm not sure what's different on yours.
Also, why "-a" and not "-i"? Doesn't "-i" do the same thing?

Anyway, if there's anything else we can do to make the container run better on your system, let me know. It really isn't that difficult to add options.

[#] Wed Apr 09 2025 02:33:25 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


(Oh, and it's building the big multi-arch image to be sent up to Docker Hub now, so if you get this message within the next few minutes, just hold off for half an hour or so. It's now about 02:32 UTC.)

[#] Wed Apr 09 2025 13:40:23 UTC from wojciech.krolikowski

Subject: Re: "Online" backup


 

Wed Apr 09 2025 01:21:41 UTC from IGnatius T Foobar Subject: Re: "Online" backup
without going into details: how do I back up the Citadel DB without stopping
the server? ctdldump requires (according to docs) stopping the Citadel server. Is
there any other way to do backup?

You can back up the Citadel database directly [ https://www.citadel.org/what_is_the_best_way_to_backup_my_citadel_installation.html ] as long as you make sure the cdb.* files are backed up first, before the log.* files.

The dump format is not really intended for backups. It's intended for migrating between different architectures.

But let me tell you how I do it :)

I've got my Citadel stored on a filesystem that can do snapshots. For me, that's BTRFS, but you can use any filesystem that can do point-in-time snapshots.
So it's simple, really: take a snapshot of the volume (or subvolume) that has Citadel on it, then rsync that snapshot to wherever you want to save it.

I happen to go the extra mile and rotate my snapshots over the course of a week, but you get the idea: the snapshot is guaranteed by the filesystem to be point-in-time consistent, and Citadel Server of any version starting with 993 has absolutely rock solid recoverability as long as you've got all the recent logs still on disk.

Hi,

 

thanks a lot. Seems that I have to migrate to btrfs or lvm.

 

Thanks for fast reply.



[#] Wed Apr 09 2025 17:39:35 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Wed Apr 09 2025 02:31:59 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
All right, my friend, it was bothering me that the container image was missing a few simple options that might make it work better for you, so I added them.
Check out https://www.citadel.org/docker.html and scroll to the bottom to see. Specifically, you can now do "--http-port" and/or "--https-port" to change the port numbers used by WebCit for HTTP and/or HTTPS.

That ought to make "--network=host" mode work better on your system, right?

By the way, I tried the "-a" option to "docker run" and it worked fine when combined with "--network=host" so I'm not sure what's different on yours.
Also, why "-a" and not "-i"? Doesn't "-i" do the same thing?

Anyway, if there's anything else we can do to make the container run better on your system, let me know. It really isn't that difficult to add options.

First of all, thank you for putting up with me, and this issue. I am sure it will turn up all to be my own fault.
Second I was wrong it has nothing to do with --network-host
I did upgrade to the new docker version of yours. Webcit has the same ssl problem. I am running webcit on port 8443 so you can check that here: https://srv2.tamer.pw:8443/ vs the same ssl keys running behind lighttpd web server https://srv2.tamer.pw

Making sure I got the right keys linked in to docker:

root@srv2 /u/l/c/keys# la
total 0
lrwxrwxrwx 1 root root 49 Apr 6 19:35 citadel.cer -> /etc/letsencrypt/live/srv2.tamer.pw/fullchain.pem
lrwxrwxrwx 1 root root 47 Apr 6 19:34 citadel.key -> /etc/letsencrypt/live/srv2.tamer.pw/privkey.pem

I also checked other ports again as you suggested such as imap on 143, pop3 on 993, and smtp on 587

So the only thing left to check is your suggestion to see if citadel is linked to openssl. 
I don't know how to do that. I am quite ignorant when it comes to C coding. And I can't figure out why that would be when I am running your docker code without modification.
Can you please walk me through that?

Thanks again. We will figure this out.
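
A check for the setup shown in this post, added here as an example and not taken from the thread or the Citadel project: the `docker run` command earlier in the thread bind-mounts only `/usr/local/citadel`, while the key files listed above are symlinks into `/etc/letsencrypt`, so `links_leaving_root` reports links that cannot be followed from inside that mount, and `mentions_openssl` answers the linkage question from `ldd` output. The function names, and `citserver` being on the container's PATH, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print every symlink in KEYDIR whose resolved target lies outside ROOT
# or does not exist. A container that only has ROOT bind-mounted cannot
# follow such a link. Returns 1 if any were found, 0 if all are fine.
links_leaving_root() {
    local keydir="$1" root link target bad=0
    root=$(readlink -f -- "$2") || return 2
    for link in "$keydir"/*; do
        [ -L "$link" ] || continue           # only symlinks matter here
        target=$(readlink -f -- "$link") || target=""
        case "$target" in
            "$root"/*) [ -e "$target" ] && continue ;;
        esac
        printf '%s -> %s\n' "$link" "$(readlink -- "$link")"
        bad=1
    done
    return "$bad"
}

# Read `ldd` output on stdin; succeed if libssl or libcrypto is listed.
mentions_openssl() {
    grep -Eq 'lib(ssl|crypto)\.so'
}

# On the host, with the paths from this thread:
#   links_leaving_root /usr/local/citadel/keys /usr/local/citadel
# In the container (assumes citserver is on PATH; adjust to the image):
#   docker exec citadel sh -c 'ldd "$(command -v citserver)"' | mentions_openssl
if [ "$#" -eq 2 ]; then
    links_leaving_root "$1" "$2"
fi
```

If a link is reported, copying the certificate and key into the keys directory as regular files is one way to make them visible inside the mount.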


