Tuesday, November 21, 2023
support@conference.yunohost.org
[00:38:13] <kiriko09> > <@tag:lostpod.me> Can you share the result of the diagnosis?

https://paste.yunohost.org/raw/ociyonizup

```
=================================
Base system (basesystem)
=================================

[INFO] Server hardware architecture is bare-metal arm64
- Server model is Raspberry Pi 4 Model B Rev 1.5

[INFO] Server is running Linux kernel 5.15.76-v8+

[INFO] Server is running Debian 11.8

[INFO] Server is running YunoHost 11.2.5 (stable)
- yunohost version: 11.2.5 (stable)
- yunohost-admin version: 11.2.3 (stable)
- moulinette version: 11.2 (stable)
- ssowat version: 11.2 (stable)

[WARNING] There's been a suspiciously high number of authentication failures recently. You may want to make sure that fail2ban is running and is correctly configured, or use a custom port for SSH as explained in https://yunohost.org/security.



=================================
Internet connectivity (ip)
=================================

[SUCCESS] Domain name resolution is working!

[SUCCESS] The server is connected to the Internet through IPv4!
- Global IP: xx.xx.xx.xx
- Local IP: 192.168.0.33

[WARNING] The server does not have working IPv6.
- IPv6 should usually be automatically configured by the system or your provider if it's available. Otherwise, you might need to configure a few things manually as explained in the documentation here: https://yunohost.org/#/ipv6.



=================================
DNS records (dnsrecords)
=================================

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category basic)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category mail)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category xmpp)

[SUCCESS] DNS records are correctly configured for domain maindomain.tld (category extra)



=================================
Ports exposure (ports)
=================================

[SUCCESS] Port 22 is reachable from the outside.
- Exposing this port is needed for admin features (service ssh)

[SUCCESS] Port 25 is reachable from the outside.
- Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 80 is reachable from the outside.
- Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 443 is reachable from the outside.
- Exposing this port is needed for web features (service nginx)

[SUCCESS] Port 587 is reachable from the outside.
- Exposing this port is needed for email features (service postfix)

[SUCCESS] Port 993 is reachable from the outside.
- Exposing this port is needed for email features (service dovecot)

[SUCCESS] Port 5222 is reachable from the outside.
- Exposing this port is needed for xmpp features (service metronome)

[SUCCESS] Port 5269 is reachable from the outside.
- Exposing this port is needed for xmpp features (service metronome)



=================================
Web (web)
=================================

[SUCCESS] Domain maindomain.tld is reachable through HTTP from outside the local network.



=================================
Email (mail)
=================================

[SUCCESS] The SMTP mail server is able to send emails (outgoing port 25 is not blocked).

[SUCCESS] The SMTP mail server is reachable from the outside and therefore is able to receive emails!

[ERROR] Reverse DNS is not correctly configured for IPv4. Some emails may fail to get delivered or be flagged as spam.
- Current reverse DNS: 209-6-117-155.s1689.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com
Expected value: maindomain.tld
- You should first try to configure reverse DNS with maindomain.tld in your internet router interface or your hosting provider interface. (Some hosting providers may require you to send them a support ticket for this).
- Some providers won't let you configure your reverse DNS (or their feature might be broken...). If you are experiencing issues because of this, consider the following solutions:
- Some ISP provide the alternative of using a mail server relay though it implies that the relay will be able to spy on your email traffic.
- A privacy-friendly alternative is to use a VPN *with a dedicated public IP* to bypass this kind of limits. See https://yunohost.org/#/vpn_advantage
- Or it's possible to switch to a different provider

[SUCCESS] The IPs and domains used by this server do not appear to be blacklisted

[SUCCESS] 0 pending emails in the mail queues



=================================
Services status check (services)
=================================

[SUCCESS] Service dnsmasq is running!

[SUCCESS] Service dovecot is running!

[SUCCESS] Service fail2ban is running!

[SUCCESS] Service kresus is running!

[SUCCESS] Service metronome is running!

[SUCCESS] Service mysql is running!

[SUCCESS] Service nginx is running!

[SUCCESS] Service php7.4-fpm is running!

[SUCCESS] Service php8.2-fpm is running!

[SUCCESS] Service postfix is running!

[SUCCESS] Service postgresql is running!

[SUCCESS] Service redis-server is running!

[SUCCESS] Service rspamd is running!

[SUCCESS] Service slapd is running!

[SUCCESS] Service ssh is running!

[SUCCESS] Service yunohost-api is running!

[SUCCESS] Service yunohost-firewall is running!

[SUCCESS] Service yunomdns is running!



=================================
System resources (systemresources)
=================================

[SUCCESS] The system still has 7.0 GiB (92%) RAM available out of 7.6 GiB.

[INFO] The system has only 100 MiB swap. You should consider having at least 512 MiB to avoid situations where the system runs out of memory.
- Please be careful and aware that if the server is hosting swap on an SD card or SSD storage, it may drastically reduce the life expectancy of the device.

[SUCCESS] Storage / (on device /dev/root) still has 20 GiB (72%) space left (out of 28 GiB)!

[SUCCESS] Storage /boot (on device /dev/mmcblk0p1) still has 224 MiB (88%) space left (out of 255 MiB)!



=================================
System configurations (regenconf)
=================================

[SUCCESS] All configuration files are in line with the recommended configuration!



=================================
Applications (apps)
=================================

[SUCCESS] All installed apps respect basic packaging practices
```

[01:58:05] <kiriko09> Tag: does it help?
[08:02:41] <ChriChri[m]> > <@chrichri:librem.one> I guess it doesn't help much. Here's my terminal from my test using `wget` as I described above:
> ```
> root@link-goe:/etc/fail2ban# wget -S -O/dev/null http://muc.link-goe.de/.well-known/acme-challenge/4Uc63umur6XfWyf1ZIZmhYczwhaCQp4ENdkCjP06Y8E
> --2023-11-20 12:06:04-- http://muc.link-goe.de/.well-known/acme-challenge/4Uc63umur6XfWyf1ZIZmhYczwhaCQp4ENdkCjP06Y8E
> Auflösen des Hostnamens muc.link-goe.de (muc.link-goe.de)… 88.130.112.56
> Verbindungsaufbau zu muc.link-goe.de (muc.link-goe.de)|88.130.112.56|:80 … ^C
> root@link-goe:/etc/fail2ban# man wget
> root@link-goe:/etc/fail2ban# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> # 127.0.0.53 is the systemd-resolved stub resolver.
> # run "resolvectl status" to see details about the actual nameservers.
>
> nameserver 127.0.0.1
> root@link-goe:/etc/fail2ban# wget -S -O/dev/null http://muc.link-goe.de/.well-known/acme-challenge/4Uc63umur6XfWyf1ZIZmhYczwhaCQp4ENdkCjP06Y8E
> --2023-11-20 12:07:49-- http://muc.link-goe.de/.well-known/acme-challenge/4Uc63umur6XfWyf1ZIZmhYczwhaCQp4ENdkCjP06Y8E
> Auflösen des Hostnamens muc.link-goe.de (muc.link-goe.de)… 127.0.0.1
> Verbindungsaufbau zu muc.link-goe.de (muc.link-goe.de)|127.0.0.1|:80 … verbunden.
> HTTP-Anforderung gesendet, auf Antwort wird gewartet …
> HTTP/1.1 200 OK
> Server: nginx
> Date: Mon, 20 Nov 2023 11:07:49 GMT
> Content-Type: text/plain
> Content-Length: 87
> Last-Modified: Mon, 20 Nov 2023 06:39:47 GMT
> Connection: keep-alive
> X-SSO-WAT: You've just been SSOed
> ETag: "655aff33-57"
> Accept-Ranges: bytes
> Länge: 87 [text/plain]
> Wird in »/dev/null« gespeichert.
> ```
> Tag

I waited for cron to try again today and I have the same picture:
* First time I try to run `wget` to get the URL with the challenge-response it tries to connect to my official IP saved in my DynDNS server
* Stopped the wget, because it got stuck (last time it did not)
* Tried using `host` to resolve the IP of muc.<domain> and got 127.0.0.1
* Tried again using the same `wget` command and it worked - it downloaded the challenge-response
[08:19:31] <ChriChri[m]> ```
root@link-goe:/etc/dnsmasq.d# host muc.link-goe.de
muc.link-goe.de is an alias for link-goe.de.
link-goe.de has address 88.130.112.56
link-goe.de mail is handled by 5 link-goe.de.
root@link-goe:/etc/dnsmasq.d# host muc.link-goe.de
muc.link-goe.de is an alias for link-goe.de.
link-goe.de has address 127.0.0.1
link-goe.de mail is handled by 5 link-goe.de.
```
[08:21:56] <ChriChri[m]> > <@chrichri:librem.one> ```
> root@link-goe:/etc/dnsmasq.d# host muc.link-goe.de
> muc.link-goe.de is an alias for link-goe.de.
> link-goe.de has address 88.130.112.56
> link-goe.de mail is handled by 5 link-goe.de.
> root@link-goe:/etc/dnsmasq.d# host muc.link-goe.de
> muc.link-goe.de is an alias for link-goe.de.
> link-goe.de has address 127.0.0.1
> link-goe.de mail is handled by 5 link-goe.de.
> ```

The alias is defined in the external dns (DeSEC). First try returns the IP from the external DNS, second try the one from `/etc/hosts`. Is that the way it should be? Or should I have a DNAT on my router to rewrite the connection outgoing to the official address (located on the router) to get back to the ynh?
[08:25:04] <ChriChri[m]> Running `yunohost --debug domain cert renew` directly after a `host` request returning 127.0.0.1 worked. The problem seems to be in `dnsmasq`…
[14:42:00] <Salamandar> Hey guys, I got an issue with Vaultwarden, SMTP does not work anymore
[14:42:00] <Salamandar> > [2023-11-21 14:41:32.530][vaultwarden::mail][ERROR] SMTP client error: internal client error: No compatible authentication mechanism was found
[14:42:16] <Salamandar> it worked before, because I could register
[14:43:13] <Salamandar> I have 2 instances and they are both broken
[14:43:23] <Salamandar> I read the existing issues on this subject but no luck ☹️
[14:44:17] <Salamandar> Here’s the config panel
[14:44:20] <Salamandar> https://aria.im/_matrix/media/v1/download/matrix.org/sHZKQfdGzXRaJsytBaTDGTBI
[14:45:14] <Salamandar> the password is the mail_pwd app setting
[14:47:08] <Salamandar> Actually I can’t even send emails with telnet…
[14:47:46] <Salamandar> ```
# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 vault.XXX.com Service ready
HELO vault.XXX.com
250 vault.XXX.com
mail from: admin@vault.XXX.com
501 5.1.7 Bad sender address syntax
```
[14:50:06] <Salamandar> ah yes ok via telnet you need <email>
[14:50:13] <Salamandar> but it doesn’t help for vaultwarden ☹️
[14:57:31] <Salamandar> OK, managed to make it work with `Accept Invalid Certs (Know the risks!)= true` and `Secure SMTP = starttls` …
[14:57:42] <tituspijean> IIRC I fixed it with
[14:57:44] <tituspijean> https://aria.im/_matrix/media/v1/download/pijean.ovh/c117cafd741fe16385813314f1b17baffde42a43544f8df5a7cc541897e3c741
[14:59:15] <tituspijean> dang I forgot to propose a PR for that
[15:01:57] <Salamandar> ah 😄
[15:02:06] <Salamandar> I don’t really like the "accept invalid certs"…
[15:06:03] <tituspijean> it's the local one, there is not really a risk here
[15:06:44] <tituspijean> but it's totally possible that it's YunoHost "unencrypted" email config that's funky
[18:40:33] <orhtej2> > <@titus:pijean.ovh> but it's totally possible that it's YunoHost "unencrypted" email config that's funky

cf https://github.com/YunoHost/issues/issues/2276
[18:41:13] <orhtej2> there's no 'unencrypted' option because IIRC if you enable encryption for one domain in dovecot you have to enable it for all domains, including `lolcathost`