2
Just installed on Ubuntu 24.04LTS
Question asked by Patrick Jeski - 5/1/2024 at 9:17 AM
Unanswered
Installed on a fresh VM Ubuntu 24.04 LTS with no errors.
Did note one of the installation instructions is slightly wrong, as the downloaded file includes the build number.

What happens if I choose "No" to use SmarterMail webserver?
Edit to Add: You don't get a web server. (Just tried it on a clean VM). Do we get to use nginx or apache in that case? Otherwise why is the choice there?

(Sorry if these are stupid questions, this is the first beta I've participated in, and I'm a complete noob when it comes to Linux)

22 Replies

0
Derek Curtis Replied
Employee Post
Patrick,

The install uses Kestrel, which is part of .NET, as the web server. We have it on our list to create KBs for moving to Nginx, Apache, etc. so it will be possible. 

As for the installation instructions, which ones are you referring to? The one in the Introduction to the SmarterMail BETA post references LINUX_DOWNLOAD_LINK_FOUND_BELOW -- we purposefully did that so we didn't have to edit the installation instructions with every release. 
Derek Curtis COO SmarterTools Inc. www.smartertools.com
5
Matthew Titley Replied
I just spun up a new Ubuntu 22.04 server VM. Downloaded via link, renamed it smartermail, ran installer, and SmarterMail was up and running in what seemed like less than a minute. Poking around everything seems good. Seeing how easy it was I'll probably start over on a new VM once I learn the ins and outs. Seeing I've been running SM on Windows for getting close to 20 years I'm not ready to jump ship yet but it looks good so far. Congratulations SmarterTools! You did it!
1
Matt Petty Replied
Employee Post
When you choose no webserver we will bind to localhost:17017 (mimicking windows). We will not open this port automatically on the firewall. You can use NGINX or Caddy to reverse proxy. 

Here's some differences between the web servers I've seen so far.
Caddy: Works fine, can automatically fetch SSL certificates for you. 
Apache: I haven't set it up yet but a typical reverse proxy setup should work.
NGINX: Works fine, doesn't do automatic SNI SSL certificates like Caddy does.
Built-in webserver: SM will automatically set up https for you when you enable automatic cert generation and add valid domain names to your server.
Matt Petty Software Developer SmarterTools Inc. www.smartertools.com
1
Patrick Jeski Replied
Derek,
The command to install is slightly wrong because of the build number in the downloaded file. I simply renamed the file as Matthew said above.
0
Derek Curtis Replied
Employee Post
Yeah, Patrick. Thanks for pointing that out. We've updated the instructions to show _XXXX so people know there's a build number that needs to go there. Good catch!!
Derek Curtis COO SmarterTools Inc. www.smartertools.com
0
Matthew Titley Replied
My linux skills are intermediate as I put off learning it for far too long, or just dabbled around in it. My feeling is that many people will want to run the SmarterMail web interface via Apache as it's kind of the gold standard (people can debate this of course) of web servers. Tutorials or docs on Apache integration will be useful. Don't know anything about Caddy yet but I'm going to read up on it.
1
Patrick Jeski Replied
Why does the automatic certificates page CSR require physical location when that's not something Let's Encrypt includes in their certs? (This question probably applies outside the beta as well, but I use certifytheweb on windows.) (Oh, also a wishlist item to be able to re-use or specify the private key like I can with CTW)

So, automatic certs working, bindings and ports set, dkim/dmarc set and tested.

mta-sts is working. (I created /opt/smartermail/wwwroot/.well-known, put the policy file in it, and updated certs and letsencrypt worked fine, no interference)

I'll get BIMI working next.

Got an "A" on ssl labs. How do I enable HSTS?
1
Matt Petty Replied
Employee Post
@Patrick, HSTS is enabled/disabled on a per-domain basis, you can find that in Options for the domain.
__
The built in webserver does by default set some important settings that are needed for some protocols to function correctly; you don't need to do ANY configuration if you use the built in server.
For NGINX these options are

# Buffer settings
proxy_buffer_size 4096k;
proxy_buffers 8 4096k;
proxy_busy_buffers_size 4096k;
# Timeouts
proxy_connect_timeout 1200s;
proxy_send_timeout 1200s;
proxy_read_timeout 1200s;

These timeouts are important because protocols like MAPI and EWS use long-standing web requests to detect changes. These values might be excessive as well, not a ton of testing was done yet on NGINX or Caddy besides getting it working.
__
If you have no strong reason to be using Apache, Nginx, etc, you'll have a much easier time just using the built in webserver. It's Kestrel, Microsoft has been working hard on it, it performs REALLY well, and we have direct control over it. We're using it in our production.
Matt Petty Software Developer SmarterTools Inc. www.smartertools.com
0
Patrick Jeski Replied
Still only an A:
Strict Transport Security (HSTS): Yes. TOO SHORT (less than 180 days)
max-age=2592000; includeSubDomains

I saved the install with No for smartermail web server. If i have time I'll try to set up NGINX or look at Caddy.
0
Patrick Jeski Replied
Under troubleshooting, the View Logs comes up blank. Downloading only gets me delivery.log. The logs seem just fine in /var/lib/smartermail/Logs, but there are two text files with names like "eea1ab5d91ec41a8bc72ff1e1d559a74.txt" that each contain only the word "test".
0
Matt Petty Replied
Employee Post
@Patrick, That's part of a permission check we're doing. We rolled that out fairly last minute and there was a small mistake, it creates but doesn't delete the file. 
We'll be releasing another version soon with some small fixes and that's one of them.

Not sure about the Logs, I'll look around on our server and see if I notice the same.

--
@Patrick, hmm I wonder if our max-age is set too short, since it is being detected. Not sure what the standard is. I'll make a note of it.
Matt Petty Software Developer SmarterTools Inc. www.smartertools.com
3
echoDreamz Replied
I would say, if putting a real web-server in front of Kestrel, I would go with NGINX, its performance, especially at high-rates of traffic is top-tier. Caddy is easy to configure and is great if you want the automatic Let's Encrypt stuff, though, this can also be done with Nginx with Certbot

Apache, I would not even bother with IMO.
0
Patrick Jeski Replied
Matt,

I think generally the minimum is 1 year,

31536000 seconds (1 year)
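As an added example (not SmarterTools' configuration, nor anything posted in this thread), here is one way to put nginx in front of the Kestrel listener on localhost:17017 from the "No web server" install, using the buffer and timeout values Matt Petty listed above and the one-year HSTS max-age discussed here. The host name and certificate paths are placeholders; the X-Forwarded-* headers are the usual reverse-proxy convention and are an assumption, not something SmarterMail documents in this thread.

```nginx
# Plain HTTP: redirect everything to HTTPS so the HSTS header is actually seen
server {
    listen 80;
    server_name mail.example.com;   # placeholder
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name mail.example.com;   # placeholder

    # placeholder paths; point these at the certificate you actually issue
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # HSTS for one year (31536000 s); the beta's 2592000 s was flagged as too short
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Buffer settings from the thread
    proxy_buffer_size 4096k;
    proxy_buffers 8 4096k;
    proxy_busy_buffers_size 4096k;

    # Long timeouts so MAPI/EWS long-polling requests are not cut off by the proxy
    proxy_connect_timeout 1200s;
    proxy_send_timeout 1200s;
    proxy_read_timeout 1200s;

    location / {
        # Kestrel only listens on loopback; 17017 stays closed on the firewall
        proxy_pass http://127.0.0.1:17017;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # assumption: app honours this
    }
}
```

Turn HSTS on in either the domain's Options in SmarterMail or in nginx, not both, so the browser receives a single Strict-Transport-Security header. Run `nginx -t` before reloading, and check the header and the A+ result on SSL Labs afterwards.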
0
Matt Petty Replied
Employee Post
Yeah, that's what I'm seeing based on some research. I've made a task to adjust the max-age. 

I also checked a couple of our logs on our production and they seem to be fine. Are you getting any toasts or network errors (if you inspect and go to network) when you view the logs?
Matt Petty Software Developer SmarterTools Inc. www.smartertools.com
0
Patrick Jeski Replied
Two other things I noticed:
When I went to add IMAP SSL to ports, I got an error that a similar one already existed, but *EDIT new info* it didn't create it. I got the port set but it was a fight. Don't know what I did that actually worked.

The domain name I chose for the beta install is one that is a domain alias on my semi-production server. When I sent a test mail from the beta server to an account on the semi-production server, that server rejected it as “must authenticate for relay” or whatever. Deleted the alias, and the production server accepted the email. I don’t know why this is. If the from being local but not authenticated tripped it, why do we get spam from “ourselves” or other local addresses? Since the to was local, even if the from was a domain alias, it shouldn’t have been flagged as relay, should it? 
0
Patrick Jeski Replied
Hey Matt, I was simply misunderstanding the UI of the log page. It works ok as far as I can tell. On my servers, I view the logs in the OS with Notepad++, I just didn't expect the web UI to work that way.
0
Patrick Jeski Replied
Here's something from diagnostics:
Folder Permissions
Failed/App_Data/ Folder Permissions Test

Notes: Cannot READ from the directory.  Cannot WRITE to the directory.  Cannot DELETE from the directory.  
0
Sébastien Riccio Replied
Hello,

Just installed it on Ubuntu 24.04 and I have the same folder permission issue in Diags:

As a test, I tried to set /opt/smartermail/App_Data to 777. It doesn't change the issue

Sébastien Riccio System & Network Admin https://swisscenter.com
0
Patrick Jeski Replied
Should "Enable Automatic Certificates" be available when using other than the built in web server? I am running on nginx (http only, just got it working and haven't delved into it yet) and that choice is available.
1
Patrick Jeski Replied
Fixed in 8895:
HSTS seems good. Also:

Folder Permissions
Passed/App_Data/ Folder Permissions Test
0
Blake Blossom Replied
When you choose "No" during installation, SmarterMail doesn't set up its own web server. This gives you the flexibility to use an existing web server like Nginx or Apache with SmarterMail.
0
Patrick Jeski Replied
So I just updated my two VMs. On the one running nginx, the installer gave the notice "Port 80 or 443 is in use, using port 17017 instead.", which to me implies that it is trying to bind 80 and 443. On that machine, of course, I chose "No" to use SmarterMail webserver on initial install. That question never gets asked again when updating, so I've always assumed it carries that option forward. But then why the notice about port 80 and 443? Are updates actually installing the SmarterMail web server and failing to bind despite my initial choice?

The other VM that uses the SmarterMail web server updated without issue.
