Mise à jour du mail-receiver auto-hébergé suite au changement de certificat racine de Let's Encrypt

This announcement only affects self-hosters who are running Configure direct-delivery incoming email for self-hosted sites with Mail-Receiver. Managed hosting customers, and self-hosters using POP3 for incoming mail are not affected.

As you may be aware, Let’s Encrypt recently changed their root certificate. The old root certificate expired today, and has caused a number of issues for out-of-date clients across the web. All of our systems at CDCK are up-to-date, and were not affected by today’s expiration. Unfortunately we missed the public mail-receiver docker image, which has not been updated for a few months.

This means that existing self-hosted mail-receiver installations will be unable to deliver mail to letsencrypt-secured sites.

We just pushed an updated version to DockerHub, which includes the new root certificate. Assuming you followed the official installation instructions, you can update your installation by running

docker pull discourse/mail-receiver:release
cd /var/discourse
./launcher rebuild mail-receiver

Mails received by broken installations will have been temporarily queued on the sending server. Those servers should attempt to redeliver the mail periodically, so any missed mails should arrive soon after you update the image.

If you’re still seeing issues after following these steps, make sure you’re running the release version of mail-receiver. You can find information on that in this topic.

Sorry for the disruption here! Big thanks to @wlandgraf for initially reporting the issue, and helping us test the fix

Thanks for the fix! My update got stuck with the following error message. I haven’t made any changes to this template, so I’m not sure what to do?

root@ba /var/discourse # ./launcher rebuild mail-receiver
Ensuring launcher is up to date
Fetching origin
Updating Launcher...
Updating 46d899f..990519e
error: Your local changes to the following files would be overwritten by merge:
	templates/web.letsencrypt.ssl.template.yml
Please commit your changes or stash them before you merge.
Aborting
failed to update

What happens if you

cd /var/discourse
git diff

Does it show any differences in the web.letsencrypt.ssl.template.yml file?

If so, you can reset them using git reset --hard

Ah, I did make a change I got it to upgrade now, thanks!

You can test whether you’re running the old mail-receiver like this.

docker exec mail-receiver bash -c "cat /etc/issue|grep Alpine"

If it’s Alpine, it’s the old one.

docker exec mail-receiver bash -c "cat /etc/issue|grep 'Debian GNU/Linux 11'"

If it’s Debian, it’s the new one.

@david, would you mind having a look at the issues below, the latest update to the mail-receiver removed the ability to implement additional anti-spam measures, which worked wonders in the previous version, and my forum is under increasing spam pressure again due to the last change.

I tried to figure out what the root issue is, but I don’t have deep enough knowledge of postfix to figure it out. I found similar reports (client=unknown even when PTR record exists in DNS) regarding postfix in a chroot jail, so this might have something to do with it. Also, dnsutils seem to be missing from the new mail-receiver Debian image, but installing them still doesn’t fix the issue?

This one should be fixed easily:

@david Merci pour cette correction ! Je viens de l’exécuter et je vois que ça fonctionne.

Y a-t-il un moyen de voir quels e-mails n’ont pas pu être livrés depuis le 1er octobre ?

J’ai essayé ceci, mais je ne vois que 5 requêtes (la plus ancienne a été reçue le 26 novembre) :

/var/discourse/launcher enter mail-receiver
mailq

J’ai aussi essayé de regarder les logs, mais je n’ai obtenu que l’avertissement signalé ici :

Je pense que tout ce qui n’est pas encore dans la file d’attente aurait dû être renvoyé à l’expéditeur. Je crains de ne pas savoir si le conteneur a des journaux qui remontent plus loin que ce que vous avez trouvé.

L’ajout de pull_image après la ligne 657 résoudrait-il simplement le besoin de tirer explicitement l’image avant la reconstruction ? C’est-à-dire :

  # Si l'image en cours d'amorçage n'est pas l'image de base de Discourse
  if [[ ! X"" = X"$base_image" ]]; then
    image=$base_image
    # Tenter de mettre à jour l'image
    pull_image
  fi

Cela provoquera un docker pull $image à chaque fois lors d’un amorçage/reconstruction d’un conteneur avec base_image défini dans son fichier yml. Je ne pense pas que cela nuise au récepteur de courrier s’il est déjà à jour, mais je ne suis pas sûr s’il existe d’autres situations où cela pourrait poser problème.

Oui, un pull inconditionnel a probablement du sens ici. C’est un peu étrange qu’il ne s’applique qu’à notre image de base principale pour le moment. Qu’en pensez-vous @Falco ?

J’aimerais connaître une réponse définitive à cette question

Je pense que vous pouvez le voir en interrogeant la table postgres incoming_emails

Malheureusement, cela ne montre rien pour la période pertinente (octobre 2021 à février 2022).

Y aurait-il des journaux dans le conteneur mail-receiver lui-même ?