[#] Sat Apr 05 2025 17:54:43 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



[#] Sat Apr 05 2025 17:59:17 UTC from TaMeR

Subject: fail2ban


Has anyone created a citadel template for fail2ban?



[#] Sat Apr 05 2025 18:34:06 UTC from TaMeR

Subject: Your RSS feed


[#] Sat Apr 05 2025 19:18:08 UTC from luisgo

Subject: Re: Help need in "Fully qualified domain name" configuration.


Sorry, about something I do not understand. I did not want to be rude.

 

Fri Apr 04 2025 13:00:11 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

Good morning (there),

About "And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?"

 

Can I put two private keys etc in the same file (/usr/local/citadel/keys/citadel.key) (and also in the other keys files)? One private key for "host.net" and other for "mail.host.net".

Thanks,

 

 

Luís.

Fri Apr 04 2025 09:40:23 UTC from luisgo Subject: Re: Help need in "Fully qualified domain name" configuration.

I forgot to ask.

 

And in the SSL certificates? I will have two. One for "host.net" and "www.host.net" and other for "mail.host.net". Do I put both in citadel?

And a new DKIM key will be generated or it will be the same?

 

Thu Apr 03 2025 20:58:20 UTC from TaMeR Subject: Re: Help need in "Fully qualified domain name" configuration.

 

Thu Apr 03 2025 15:38:03 UTC from luisgo Subject: Help need in "Fully qualified domain name" configuration.

Dear All,

I want to configure my server with "Fully qualified domain name".

The email subdomain will be mail.host.net  (as an example).

There is a setting of "Fully qualified domain name" in the Citadel.

I have several questions:

1st Can I set the Fully qualified domain name as mail.host.net and the email addresses as xxxxxxx@host.net? What must be done for that?

Yes,

  1. Just go in to the mail.host.net/select_user_to_edit
  2. Select user from "Edit or Delete users"
  3. Select Edit configuration
  4. modify Primary Internet e-mail address to xxx@host.net
  5. below at Internet e-mail aliases you can add aliases such as yyy@host.net, yyy@mail.host.net, webmaster@host.net, postmaster@host.net

2nd What to put in the below setting? "host.net"?

Local host aliases
(domains for which this host receives mail)

Yes, you can add multiples, separated with commas, such as host.net, mail.host.net

3rd I suppose I must set my DNS registry to answer also to "mail.host.net"

Yes

4th I suppose I must put the reverse DNS as "mail.host.net"

Yes

5th In the email client configuration the servers will be "mail.host.net".

Yes

Thank you for the possible answers,

Luís Gonçalves.



 



 



 



 



[#] Sun Apr 06 2025 20:08:12 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 17:54:43 UTC from TaMeR Subject: Re: STARTTLS isn't supported

 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



telnet srv2.tamer.pw 587                                                                 0.366s (master|💩) 22:58
Trying 107.189.21.115...
Connected to srv2.tamer.pw.
Escape character is '^]'.
220 srv2.tamer.pw ESMTP Citadel server ready.
ehlo
250-Hello  (37.155.91.16 [37.155.91.16])
250-HELP
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
554 TLS not supported here
quit
221 Goodbye...
Connection closed by foreign host.

 



[#] Sun Apr 06 2025 20:27:59 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Sat Apr 05 2025 17:54:43 UTC from TaMeR Subject: Re: STARTTLS isn't supported

 

Sat Apr 05 2025 16:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
I still haven't figured out why STARTTLS isn't working here.

You have to turn that on. Administration --> Site Configuration --> SMTP --> Offer STARTTLS

It isn't turned on by default because offering STARTTLS with a self-signed certificate is far worse than not offering it at all. This is unfortunate from the perspective of easy deployment but there's little we can do about it because it has to do with the policy of *other* sites.

That's not it. I also tried all 3 ports, not just 25.



 

I had switched the citadel and webcit domain name from srv2.tamer.pw to mail.hansaray.pw
I also had created new SSL certs with Letsencrypt for mail.hansaray.pw and everything.
Thinking that that may be the problem, I switched back to srv2.tamer.pw, since that is the main hostname.
But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not supported here.
Oh, and webcit https works fine, go figure. Considering it uses the same certs.

telnet srv2.tamer.pw 587                                                                 0.366s (master|💩) 22:58
Trying 107.189.21.115...
Connected to srv2.tamer.pw.
Escape character is '^]'.
220 srv2.tamer.pw ESMTP Citadel server ready.
ehlo
250-Hello  (37.155.91.16 [37.155.91.16])
250-HELP
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
554 TLS not supported here
quit
221 Goodbye...
Connection closed by foreign host.
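
The session above shows a server that advertises STARTTLS in its EHLO reply and then refuses the command. As an added example (not part of the post and not Citadel code), this shell function classifies a captured session so the mismatch can be detected in a monitoring check; the function names and verdict strings are hypothetical, and the sample is abridged from the session in the post.

```shell
#!/bin/sh
# Added example, not part of the forum post or of Citadel.
# classify_starttls and its verdict strings are hypothetical names.
# Reads a captured SMTP session (client and server lines mixed) on stdin and
# compares what EHLO advertised with the reply to the STARTTLS command.
classify_starttls() {
    tr -d '\r' | awk '
        # Capability line: "250-STARTTLS", or "250 STARTTLS" when it is last.
        /^250[- ]STARTTLS[ \t]*$/ { advertised = 1; next }
        # The client command; SMTP verbs are case-insensitive.
        toupper($0) ~ /^STARTTLS[ \t]*$/ { sent = 1; next }
        # The first server reply after the command decides the outcome.
        sent && reply == "" && /^[0-9][0-9][0-9][ -]/ { reply = substr($0, 1, 3) }
        END {
            if (!advertised)          print "not-advertised"
            else if (!sent)           print "advertised-untested"
            else if (reply == "")     print "advertised-no-reply"
            else if (reply == "220")  print "ok"
            else                      print "advertised-but-refused:" reply
        }'
}

# Sample input: abridged from the telnet session in the post above.
sample_session() {
    cat <<'EOF'
220 srv2.tamer.pw ESMTP Citadel server ready.
ehlo
250-HELP
250-SIZE 10485760
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME
starttls
554 TLS not supported here
quit
221 Goodbye...
EOF
}

# Prints the verdict for the sample session.
sample_session | classify_starttls
```

To exercise the TLS handshake itself and see the certificate the server presents, `openssl s_client -starttls smtp -connect HOST:587` performs the upgrade directly (HOST is a placeholder).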

 



[#] Mon Apr 07 2025 22:12:48 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not
supported here.

I think I have a clue. The code that tells the SMTP server whether to offer STARTTLS doesn't actually check to see if Citadel Server is built with OpenSSL.
The code that handles the STARTTLS command, naturally, has to do that.

Let me check to see. You can check your server a couple of different ways.
First you can check the citserver binary to see if it's got OpenSSL linked into it. Also try some of the other protocols to see if STARTTLS works. (Not WebCit of course, since that's a different binary.)

[#] Tue Apr 08 2025 01:37:01 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


First you can check the citserver binary to see if it's got OpenSSL
linked into it. Also try some of the other protocols to see if STARTTLS
works. (Not WebCit of course, since that's a different binary.)

Ok, so there's no such thing as a Citadel Server build that doesn't include SSL. I was pretty sure that it had become a requirement but I checked.

If you're getting "TLS not supported here" there's going to be a message in your syslog indicating what happened. Try to get that syslog message and we'll take it from there.

[#] Tue Apr 08 2025 13:29:47 UTC from wojciech.krolikowski

Subject: "Online" backup


Hi,

without going into details: how do I back up Citadel DB without stopping server? ctdldump requires (according to docs) to stop citadel server. Is there any other way to do backup?

 

Kind regards



[#] Tue Apr 08 2025 13:38:40 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Mon Apr 07 2025 22:12:48 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
But that wasn't it either. It still doesn't work.
It advertises the STARTTLS capability, but then it errors out TLS not
supported here.

I think I have a clue. The code that tells the SMTP server whether to offer STARTTLS doesn't actually check to see if Citadel Server is built with OpenSSL.
The code that handles the STARTTLS command, naturally, has to do that.

Let me check to see. You can check your server a couple of different ways.
First you can check the citserver binary to see if it's got OpenSSL linked into it. Also try some of the other protocols to see if STARTTLS works. (Not WebCit of course, since that's a different binary.)

I did some research on this.
The reason it is not working is that I had removed --network host from the docker command. (See below)
The options --network host and -a are in conflict, you can't run both!
Unless there is another way for me to change the webcit port this setup won't work for me.
I need to have a webserver for other things, and I will not run a dedicated server for mail only.
I know I started this whole docker thing, but I hate it now. Almost as much as I hate systemd.
The only reason I did try the docker thing was because easyinstall did not work on Void Linux.
Will easyinstall work on another Linux system, which does not use systemd? Such as Alpine Linux maybe?
If not, well I remember reading somewhere that easyinstall will work on FreeBSD. Maybe I have to finally do the jump in to BSD, and kick Linux goodbye.
I am also done bothering you with this. Hope we will finally solve this issue.

 


docker run -d --restart=unless-stopped --hostname=${CIT_DOMAIN_NAME} \ --volume=/usr/local/citadel:/citadel-data \ --volume=/usr/local/webcit/.well-known:/usr/local/webcit/.well-known \ --volume=/usr/local/webcit/static.local:/usr/local/webcit/static.local \ -p 25:25 \ -p 110:110 \ -p 119:119 \ -p 143:143 \ -p 465:465 \ -p 504:504 \ -p 563:563 \ -p 587:587 \ -p 993:993 \ -p 995:995 \ -p 5222:5222 \ -p 8080:80 \ --name=citadel citadeldotorg/citadel

 



[#] Tue Apr 08 2025 13:45:44 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


The code went off the screen. Here it is again with <pre>

docker run -d --restart=unless-stopped --hostname=${CIT_DOMAIN_NAME}  \
   --volume=/usr/local/citadel:/citadel-data \
   --volume=/usr/local/webcit/.well-known:/usr/local/webcit/.well-known \
   --volume=/usr/local/webcit/static.local:/usr/local/webcit/static.local \
   -p 25:25     \
   -p 110:110   \
   -p 119:119   \
   -p 143:143   \
   -p 465:465   \
   -p 504:504   \
   -p 563:563   \
   -p 587:587   \
   -p 993:993   \
   -p 995:995   \
   -p 5222:5222 \
   -p 8080:80   \
   --name=citadel citadeldotorg/citadel


[#] Wed Apr 09 2025 01:21:41 UTC from IGnatius T Foobar

Subject: Re: "Online" backup


without going into details: how do I back up Citadel DB without stopping
server? ctdldump requires (according to docs) to stop citadel server. Is
there any other way to do backup?

You can back up the Citadel database directly [ https://www.citadel.org/what_is_the_best_way_to_backup_my_citadel_installation.html ] as long as you make sure the cdb.* files are backed up first, before the log.* files.

The dump format is not really intended for backups. It's intended for migrating between different architectures.

But let me tell you how I do it :)

I've got my Citadel stored on a filesystem that can do snapshots. For me, that's BTRFS, but you can use any filesystem that can do point-in-time snapshots.
So it's simple, really: take a snapshot of the volume (or subvolume) that has Citadel on it, then rsync that snapshot to wherever you want to save it.

I happen to go the extra mile and rotate my snapshots over the course of a week, but you get the idea: the snapshot is guaranteed by the filesystem to be point-in-time consistent, and Citadel Server of any version starting with 993 has absolutely rock solid recoverability as long as you've got all the recent logs still on disk.
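
The ordering rule from the reply above (cdb.* files first, then log.* files), as an added example that is not part of the post and not Citadel code. The function name and the MANIFEST file are hypothetical, and both directory paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the forum post or of Citadel.
# citadel_hot_backup and the MANIFEST file are hypothetical names.
# Copies a database directory in the order the post requires: every cdb.*
# file first, then every log.* file. Other files are left alone.
# Usage: citadel_hot_backup /path/to/database/dir /path/to/backup/dir
citadel_hot_backup() {
    src=$1
    dst=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    manifest=$dst/MANIFEST
    : > "$manifest" || return 1
    ncdb=0

    # Pass 1 handles the cdb.* files, pass 2 the log.* files.
    for prefix in cdb log; do
        for f in "$src/$prefix".*; do
            [ -f "$f" ] || continue          # the glob matched nothing
            name=${f##*/}
            cp -p "$f" "$dst/$name" || return 1
            # One manifest line per file, in copy order: name, CRC, size.
            printf '%s %s\n' "$name" "$(cksum < "$dst/$name")" >> "$manifest"
            if [ "$prefix" = cdb ]; then
                ncdb=$((ncdb + 1))
            fi
        done
    done

    # A directory without any cdb.* file is not a database directory.
    [ "$ncdb" -gt 0 ] || { echo "no cdb.* files in $src" >&2; return 2; }
}
```

The manifest records the copy order, so a later audit can confirm that no log.* entry precedes a cdb.* entry.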

[#] Wed Apr 09 2025 01:38:27 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


The reason it is not working is that I had removed --network host from the docker command. (See below)
The options --network host and -a are in conflict, you can't run both!

Wait, doesn't "-a" just make it attach stdin/stdout?  That's incompatible with using the host network?  That doesn't sound right.

Unless there is another way for me to change the webcit port this setup won't work for me.
I need to have a webserver for other things, and I will not run a dedicated server for mail only.

If you need that, we can add it.  The docker packaging is in a separate repo at https://code.citadel.org/citadel-docker.git and if we need to add options, it's pretty simple to do that.  But let's explore everything before we go there.

The only reason I did try the docker thing was because easyinstall did not work on Void Linux.
Will easyinstall work on another Linux system, which does not use systemd? Such as Alpine Linux maybe?

Easy Install targets systemd because that's what most people have.  But until a few years ago it wrote out sysvinit scripts, because for a long time that is what most people had.  I don't know much about Void Linux.  Is the absence of systemd the only issue, or does Easy Install have other issues building on there?  Hmmm ... I'm doing a quick lookup and it seems that Void has its own package manager?  That'd probably make Easy Install have trouble installing dependencies.

I am also done bothering you with this. Hope we will finally solve this issue.

Unacceptable.  Keep bothering me.  If it's an issue for you then it's an issue for someone else, and we'll find a solution.  Having a "less concise" solution for an edge case is fine as long as it doesn't compromise the "out of the box" easy way for newbies.

There's also the possibility of just compiling it yourself and running it.  It's not that hard.  Install a few libraries, then for each of libcitadel, citadel, webcit, you do the usual configure, make, make install.  Then throw something in your startup scripts to launch them.

Which of the above options sounds interesting to you?



[#] Wed Apr 09 2025 02:31:59 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


All right, my friend, it was bothering me that the container image was missing a few simple options that might make it work better for you, so I added them.
Check out https://www.citadel.org/docker.html and scroll to the bottom to see. Specifically, you can now do "--http-port" and/or "--https-port" to change the port numbers used by WebCit for HTTP and/or HTTPS.

That ought to make "--network=host" mode work better on your system, right?

By the way, I tried the "-a" option to "docker run" and it worked fine when combined with "--network=host" so I'm not sure what's different on yours.
Also, why "-a" and not "-i"? Doesn't "-i" do the same thing?

Anyway, if there's anything else we can do to make the container run better on your system, let me know. It really isn't that difficult to add options.

[#] Wed Apr 09 2025 02:33:25 UTC from IGnatius T Foobar

Subject: Re: STARTTLS isn't supported


(Oh, and it's building the big multi-arch image to be sent up to Docker Hub now, so if you get this message within the next few minutes, just hold off for half an hour or so. It's now about 02:32 UTC.)

[#] Wed Apr 09 2025 13:40:23 UTC from wojciech.krolikowski

Subject: Re: "Online" backup


 

Wed Apr 09 2025 01:21:41 UTC from IGnatius T Foobar Subject: Re: "Online" backup
without going into details: how do I back up Citadel DB without stopping
server? ctdldump requires (according to docs) to stop citadel server. Is
there any other way to do backup?

You can back up the Citadel database directly [ https://www.citadel.org/what_is_the_best_way_to_backup_my_citadel_installation.html ] as long as you make sure the cdb.* files are backed up first, before the log.* files.

The dump format is not really intended for backups. It's intended for migrating between different architectures.

But let me tell you how I do it :)

I've got my Citadel stored on a filesystem that can do snapshots. For me, that's BTRFS, but you can use any filesystem that can do point-in-time snapshots.
So it's simple, really: take a snapshot of the volume (or subvolume) that has Citadel on it, then rsync that snapshot to wherever you want to save it.

I happen to go the extra mile and rotate my snapshots over the course of a week, but you get the idea: the snapshot is guaranteed by the filesystem to be point-in-time consistent, and Citadel Server of any version starting with 993 has absolutely rock solid recoverability as long as you've got all the recent logs still on disk.

Hi,

 

thanks a lot. Seems that I have to migrate to btrfs or lvm.

 

Thanks for fast reply.



[#] Wed Apr 09 2025 17:39:35 UTC from TaMeR

Subject: Re: STARTTLS isn't supported


 

Wed Apr 09 2025 02:31:59 UTC from IGnatius T Foobar Subject: Re: STARTTLS isn't supported
All right, my friend, it was bothering me that the container image was missing a few simple options that might make it work better for you, so I added them.
Check out https://www.citadel.org/docker.html and scroll to the bottom to see. Specifically, you can now do "--http-port" and/or "--https-port" to change the port numbers used by WebCit for HTTP and/or HTTPS.

That ought to make "--network=host" mode work better on your system, right?

By the way, I tried the "-a" option to "docker run" and it worked fine when combined with "--network=host" so I'm not sure what's different on yours.
Also, why "-a" and not "-i"? Doesn't "-i" do the same thing?

Anyway, if there's anything else we can do to make the container run better on your system, let me know. It really isn't that difficult to add options.

First of all, thank you for putting up with me, and this issue. I am sure it will all turn out to be my own fault.
Second, I was wrong: it has nothing to do with --network-host
I did upgrade to the new docker version of yours. Webcit has the same ssl problem. I am running webcit on port 8443 so you can check that here: https://srv2.tamer.pw:8443/ vs the same ssl keys running behind lighttpd web server https://srv2.tamer.pw

Making sure I got the right keys linked in to docker:

root@srv2 /u/l/c/keys# la
total 0
lrwxrwxrwx 1 root root 49 Apr 6 19:35 citadel.cer -> /etc/letsencrypt/live/srv2.tamer.pw/fullchain.pem
lrwxrwxrwx 1 root root 47 Apr 6 19:34 citadel.key -> /etc/letsencrypt/live/srv2.tamer.pw/privkey.pem

I also checked other ports again as you suggested such as imap on 143, pop3 on 993, and smtp on 587

So the only thing left to check is your suggestion to see if citadel is linked to openssl. 
I don't know how to do that. I am quite ignorant when it comes to C coding. And I can't figure out why that would be when I am running your docker code without modification.
Can you please walk me through that?

Thanks again. We will figure this out.



[#] Thu Apr 10 2025 09:02:06 UTC from p.agsten

Subject: Citadel Server sudden stop and restart fails with error DBD2055


Hello,

out of the blue yesterday night Citadel server (DB version 998) stopped. Was unable to restart and got message DBD2055 in the log. File system shows lots of db log files which was unusual so I assumed some sort of DB corruption. Restored from last backup the day before (after which the server was running fine for at least 16 hours), i.e. this db was good.

After starting the server it was running for some minutes and I could see connections from MTAs as well as users but then again sudden stop and same symptom in the logs:

Apr 10 10:40:25 [hostname] citserver[659026]: Existing database version on disk is 998

Apr 10 10:40:25 [hostname] citserver[659026]: extensions: service DICT_TCP has been manually disabled, skipping

Apr 10 10:40:25 [hostname] citserver[659026]: extensions: TCP port 0.0.0.0:5222: (XMPP) registered.

Apr 10 10:40:25 [hostname] citserver[659026]: main: changing uid to 116

Apr 10 10:40:26 [hostname] citserver[659026]: citserver[659026]: bdb: BDB2055 Lock table is out of available lock entries

Apr 10 10:40:26 [hostname] citserver[659026]: citserver[659026]: bdb: bdb_fetch(9): error 12: Cannot allocate memory

Apr 10 10:40:26 [hostname] citserver[659026]: bdb: BDB2055 Lock table is out of available lock entries

Apr 10 10:40:26 [hostname] citserver[659026]: bdb: bdb_fetch(9): error 12: Cannot allocate memory

Apr 10 10:40:26 [hostname] systemd[1]: citadel.service: Main process exited, code=killed, status=6/ABRT

Any ideas are more than welcome as currently server is down and I cannot restart it even from an earlier backup. Is there a way to connect to the DB directly and clean up the lock table? 
 
Kind regards,
Patrick
 


[#] Thu Apr 10 2025 09:21:14 UTC from wojciech.krolikowski

Subject: SMTP account scanning


Hi,

 

I faced suspicious behaviour happening on SMTP. There are some servers that connect to SMTP and try to log in with different account names. This is obvious account scanning. Do you know a way to prevent such attacks?

I manually add some of those IPs on the firewall, but this is not a way. Especially since after a few minutes of silence a new one occurs. IPs are from around the world so blocking a specific country is not a solution.

 

Kind regards,

Wojtek



[#] Thu Apr 10 2025 22:30:21 UTC from Zemran

Subject: Login not working :((


I have installed, reinstalled, reinstalled, reinstalled, reinstalled, etc. but each time Citadel comes up the same ->

 

You must be logged in to access this page.



Citadel Server





Citadel Server - powered by Citadel
 
Log in

 

 

Just that but the login does not work...

Can anyone suggest what is wrong?

Zemran


