Hestia notification emails

I’m facing the following issue and I don’t know how to solve it :thinking:

Suppose a user starts a restore job. When this job is done, an email is being sent to the user’s email address. This message is being sent from the email address [email protected]. If the recipient’s email server is using rspamd, SpamAssassin, etc., then this email is being rejected (with the error 550 High scoring spam message has been dropped), because it does not follow email best practices (like SPF, DKIM, etc.).

I suppose, this is also true for password recovery emails, or other email messages that are being sent by Hestia, but I haven’t tested those.

What I would like to accomplish, is to be able to configure the Hestia server to use an external SMTP host (which is 100% compliant with email best practices), to send those emails. But I have no idea if this is possible or how to accomplish this.

Except using an external SMTP host, as I described above, is there any other way to configure Hestia so that the emails sent from the Control Panel are compatible with DKIM and SPF?

How about you host mail for server.example.com?

I’m not sure that this will work, because I see this in the email headers for the sent message:

X-Mailer: Php/libMailv1.3

which makes me think that even if I setup a mail domain for server.example.com and configured a mailbox named hestia, the sent emails will still not get signed with DKIM. I may be wrong though…

Complete headers below for a message as it is being sent now by Hestia:

Return-path: <[email protected]>
Received: from root by server.example.com with local (Exim 4.93)
	(envelope-from <[email protected]>)
	id 1lDOCM-008Cwi-Gc
	for [email protected]; Sat, 20 Feb 2021 11:05:10 +0200
To: <[email protected] >
Subject: =?utf-8?B?c29feW91X2FyZV9zbWFydCDihpIgcmVzdG9yZSBoYXMgYmVlbiBjb21wbGV0ZWQ==?=
From: Hestia Control Panel <[email protected]> 
X-Priority: 3 (Normal)
CC:
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8 
Content-Transfer-Encoding: 8bit
X-Mailer: Php/libMailv1.3
Message-Id: <[email protected]>
Date: Sat, 20 Feb 2021 11:05:10 +0200

I am afraid I can only point out the obvious.

  • Configure relay to your MX
  • Connect to an SMTP server
  • Use a domain like example.net for your machine and then set DNS records
  • Connect to an external relay like Amazon SES
  • Try to configure the subdomain as a local email account + DNS account. That would set up DKIM and DMARC
  • If your customers’ addresses are under your control you may whitelist.
  • Don’t use DMARC
  • Don’t use DKIM

We send mail via PHP Mail

Easiest way is probably to set up an SMTP relay…

My first try was with ssmtp, which is quite easy to configure. But that completely uninstalled exim4 :dizzy_face: So I removed it, installed exim4 again and made sure it works OK.

Nice find @eris :+1: So I set up exim like this, allowing emails from some senders to go through the remote SMTP host. Working great as we speak.

Now I’m facing a different issue while trying to set up DKIM for the subdomain server.example.com. The zone for example.com is hosted on a different Hestia server (than the one I’m trying to send email from). I have an A record for server.example.com in that zone. When I try to add the TXT record for the DKIM for the subdomain (which is selector._domainkey.server.example.com) I get the error:

Error: invalid record format :: selector._domainkey.server.

although this is a valid setup and proposed by Google too. Is this by Hestia design or just a glitch?

I didn’t face any issues creating the subdomain SPF record, in the same zone as above.

Moving forward with this, I see that the From email of the Hestia notifications is hard coded and cannot be configured in the panel. So I see only one possible solution to send out fully authenticated emails:
Create both mail domain and DNS domain for server.example.com and also create mail user (mailbox) [email protected]

These need to be created on the server.example.com. Here is the DNS zone for server.example.com

$TTL 3600
@    IN    SOA    server.example.com.    root.server.example.com. (
                                            2021022111
                                            7200
                                            3600
                                            1209600
                                            180 )

@	3600	IN	NS		server.example.com.
@	3600	IN	A		185.185.185.185
mail	3600	IN	A		185.185.185.185
webmail	3600	IN	A		185.185.185.185
@	3600	IN	MX	0	server.example.com.
@	3600	IN	TXT		"v=spf1 a mx ip4:185.185.185.185 -all"
_dmarc	3600	IN	TXT		"v=DMARC1; p=quarantine; pct=100"
_domainkey	3600	IN	TXT		"t=y; o=~;"
mail._domainkey	3600	IN	TXT		"v=DKIM1; k=rsa; p=[very-long-string]"

But we also need to create a DNS entry on the authoritative name server for example.com. This will be the NS record for server.example.com like this:

server	3600	IN	NS		server.example.com.

Yes! It’s working.
Emails sent from Hestia (like restore complete notification) are fully authenticated with SPF and DKIM. Yay!

But…
I believe this setup is not optimal because we need to maintain different DNS zones and a mailbox, and it can be quite confusing for people not “fluent” with how the Domain Name System works. I think it would be easier to be able to configure the Hestia From address for system messages, and then add some config lines in exim to route messages to the correct SMTP host.

Why bother you ask?

I took the time to analyze this, because with every passing day email gets more and more complicated and pretty soon messages with no authentication will be dropped by default. When this happens, Hestia end users (and maybe admins) will get no email notifications from Hestia (unless they configure whitelists).
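An added offline check (example code, not from the thread or from Hestia) that parses the server.example.com zone posted above and answers what a receiving filter asks about a Hestia notification: does SPF authorize the sending IP, is a DKIM key published under the selector, what DMARC policy applies, and does the hard-coded From domain align with the zone that publishes those records. It assumes the From address is hestia@server.example.com (the redacted address in the headers), the selector is `mail` and the sending IP is the zone’s 185.185.185.185; the DKIM key is the page’s own placeholder.

```python
import re
# Constructed copy of the zone posted in the thread (DKIM key is the page's placeholder).
ORIGIN = "server.example.com"
ZONE = """
@\t3600\tIN\tNS\t\tserver.example.com.
@\t3600\tIN\tA\t\t185.185.185.185
mail\t3600\tIN\tA\t\t185.185.185.185
@\t3600\tIN\tMX\t0\tserver.example.com.
@\t3600\tIN\tTXT\t\t"v=spf1 a mx ip4:185.185.185.185 -all"
_dmarc\t3600\tIN\tTXT\t\t"v=DMARC1; p=quarantine; pct=100"
mail._domainkey\t3600\tIN\tTXT\t\t"v=DKIM1; k=rsa; p=[very-long-string]"
"""

def parse_zone(text, origin=ORIGIN):
    """Map (absolute name, type) -> list of rdata strings (quotes stripped)."""
    recs = {}
    for line in text.strip().splitlines():
        name, _ttl, _cls, rtype, rdata = re.split(r"\s+", line.strip(), maxsplit=4)
        fqdn = origin if name == "@" else f"{name}.{origin}"
        recs.setdefault((fqdn, rtype), []).append(rdata.strip('"'))
    return recs

def tags(txt):
    """Split a 'k=v; k=v' DKIM/DMARC record into a dict."""
    return {k.strip(): v.strip() for k, v in
            (p.split("=", 1) for p in txt.split(";") if "=" in p)}

def spf_allows(recs, ip, origin=ORIGIN):
    """Evaluate the a, mx and ip4 mechanisms offline against the zone itself."""
    spf = next((t for t in recs.get((origin, "TXT"), []) if t.startswith("v=spf1")), "")
    for mech in spf.split()[1:]:
        if mech == "a" and ip in recs.get((origin, "A"), []):
            return True
        if mech == "mx" and any(ip in recs.get((m.split()[1].rstrip("."), "A"), [])
                                for m in recs.get((origin, "MX"), [])):
            return True
        if mech == f"ip4:{ip}":
            return True
    return False  # reached "-all" (or no SPF record at all): not authorized

def sender_checks(recs, from_addr, ip, selector, origin=ORIGIN):
    """What a receiving filter needs before it trusts a notification from Hestia."""
    dkim = tags(recs.get((f"{selector}._domainkey.{origin}", "TXT"), [""])[0])
    dmarc = tags(recs.get((f"_dmarc.{origin}", "TXT"), [""])[0])
    return {
        "spf": spf_allows(recs, ip, origin),
        "dkim": dkim.get("v") == "DKIM1" and bool(dkim.get("p")),
        "dmarc_policy": dmarc.get("p"),
        # DMARC alignment: From: domain must be the zone that publishes SPF/DKIM
        "aligned": from_addr.rsplit("@", 1)[-1].lower() == origin,
    }
```

Running `sender_checks(parse_zone(ZONE), "hestia@server.example.com", "185.185.185.185", "mail")` passes every check, while a From of hestia@example.com against the same zone fails alignment, which is why the separate server.example.com zone was needed.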
