Gmail authenticity alert, please look into this

Started by jraju, December 20, 2017, 07:35:30 AM

jraju

Hi, whenever I receive email from this forum, I get a Gmail alert about the authenticity of the Gmail by the web owner. The jpg is enclosed for ready reference. When I go to Gmail about this, they give a suggestion to tell that to the website admin. Hence this post.

vbgamer45

It requires the simplemachines.org server to enable TLS on the outbound email connections.
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

Arantor


vbgamer45


Just Another Member

The site is probably running a dedicated server and hasn't added a SSL/TLS certificate to postfix/dovecot. I had a heck of a time getting my emails to be graciously accepted by Gmail before I added this.

There's a site you should know about where you can get certificates for free: Let's Encrypt. You can get SSL/TLS certs there that many hosting providers are SELLING! There are plenty of tutorials around the web and the certs are FREE. Their mission is to go 100% SSL on the Internet but the certs work just fine on your postfix/dovecot installation.

I can't post links: letsencrypt.org

By the way you want to set up your renewal process on a cron job.

Wow, it's like we can already get ALL the software we need to run our servers, and now we can get free certs too! :)

Arantor

This site already has a certificate - as verified by the fact it's successfully using HTTPS with a certificate via COMODO and thus Let's Encrypt is not so relevant.

Except that certs on the web are not the same as certs used for emails, it's a completely different thing.

Just Another Member

Quote from: Arantor on December 23, 2017, 01:55:36 PM
This site already has a certificate - as verified by the fact it's successfully using HTTPS with a certificate via COMODO and thus Let's Encrypt is not so relevant.

Except that certs on the web are not the same as certs used for emails, it's a completely different thing.
Actually no it's not. My SSL/TLS cert works fine.

And anyway who has $350/year for a comersh cert? Not me.

Arantor

No-one is arguing whether your certificate works or not. Having a certificate doesn't automatically fix the problem.

This site HAS a certificate. That isn't the problem! Going to use Let's Encrypt or not won't magically fix the issue here, if anything switching to the free cert would actually make it worse than using a paid cert, but the presence or absence of the cert is not the cause here.

The problem stems from the fact that this site has multiple physical servers whose configuration is somewhat more complicated and things like SPF and DKIM (which are missing for long, complex technical reasons) haven't been set up precisely because of multiple servers.

Plus the fact that for other reasons, emails may go out with http links rather than https links even though the site has a certificate. But sure, the problem is the absence of a free certificate.

Just Another Member

 Please forgive me for laughing Arantor.  I think you just told me the site is too complicated for you guys to handle. LOL

Don't worry. My sites are too complicated for me to handle but that doesn't stop me, LOL!

Where is the fun of having everything so simple that it's easy!  ;)

Aleksi "Lex" Kilpinen

Quote from: Susan Addams on December 24, 2017, 12:14:25 AM
Please forgive me for laughing Arantor.  I think you just told me the site is too complicated for you guys to handle. LOL
I seem to recall, this has actually proven to be true at times before, but that is not the reasoning really :P 
Seriously, this is a monster for a site, and there are many things that need to be taken into consideration, even with the smallest of changes.
I do not envy the part of the site and server teams here.
Slava Ukraini!
"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum. Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

How you can help SMF

Arantor

No, I think I just told you that the site architecture is massively more complex than you think, and that solving all the problems relies on stuff from upstream packages.

Just Another Member

Quote from: Aleksi "Lex" Kilpinen on December 24, 2017, 02:08:19 AM
Quote from: Susan Addams on December 24, 2017, 12:14:25 AM
Please forgive me for laughing Arantor.  I think you just told me the site is too complicated for you guys to handle. LOL
I seem to recall, this has actually proven to be true at times before, but that is not the reasoning really :P 
Seriously, this is a monster for a site, and there are many things that need to be taken into consideration, even with the smallest of changes.
I do not envy the part of the site and server teams here.

Oh I realize what a huge site SMF is, particularly when compared to typical forum sites. I'm sure you have dual servers and function specific servers and redundant backups and more things than I can imagine.

Compare that to my poor little dedicated server where it isn't even complicated to host multiple websites because at some level all websites are the same. I have it simple compared to you.

I hope nobody took my comments as any form of criticism. Just the opposite, I'm awed. I'd ask for a block diagram but I doubt that I would understand it. Want a block diagram of my server arrangement? Draw a square. Draw a line sticking out to a cloud. There ya go, my server in a nut shell! :) Suzy has it easy compared to your server crew! :)

Just Another Member

Quote from: Arantor on December 24, 2017, 04:44:48 AM
No, I think I just told you that the site architecture is massively more complex than you think, and that solving all the problems relies on stuff from upstream packages.

No, that's not what I intended. What I intended is that I think the site is massively complex, obviously complex, and that I don't want to worry my little mind about it as long as you make it work.

You have my respect for designing such an awesome system and then making it all work. Of course there will be a few problems like an http for an https etc. Nothing that big could have absolutely no flaws at all.

And yet it works. You have an awesome site! I hope mine never gets this awesome, LOL! :)

SleePy

Quote from: Susan Addams on December 23, 2017, 12:41:14 PM
The site is probably running a dedicated server and hasn't added a SSL/TLS certificate to postfix/dovecot. I had a heck of a time getting my emails to be graciously accepted by Gmail before I added this.
Lack of an SSL certificate should not cause mail issues. You are looking for another problem. It can raise the scores used by Google to not have DKIM/SPF, but not by much. Since much of the world still isn't using these technologies or using it wrong (SPF is commonly implemented incorrectly), most mail systems do not dock many points against it by default.

Quote from: Susan Addams on December 23, 2017, 12:41:14 PM
There's a site you should know about where you can get certificates for free: Let's Encrypt. You can get SSL/TLS certs there that many hosting providers are SELLING! There are plenty of tutorials around the web and the certs are FREE. Their mission is to go 100% SSL on the Internet but the certs work just fine on your postfix/dovecot installation.

You most likely don't know this, but I've been running LE certs since the open beta.  Way before they even had cert bot to do automatic renewals.  I still have my old cron scripts that did the renewal process on each cert I had at the time, rather than a simple single command to renew all certificates that they do today.  They didn't even support nginx at the time, but I got around that (since they support standalone).

So yes, LE certs could be used, but we don't for other reasons.

Quote from: Susan Addams on December 24, 2017, 10:11:01 AM
Oh I realize what a huge site SMF is, particularly when compared to typical forum sites. I'm sure you have dual servers and function specific servers and redundant backups and more things than I can imagine.
Your lack of knowledge of our infrastructure shows here with your assumptions on what we run. It's a bit more complex than that. We are simplifying parts. As you can imagine this site has been running for years and through a couple admins. Things like Chef or Puppet didn't even exist back then!

Quote from: Susan Addams on December 24, 2017, 10:14:35 AM
You have my respect for designing such an awesome system and then making it all work. Of course there will be a few problems like an http for an https etc. Nothing that big could have absolutely no flaws at all.
You have our thanks.  We do our best, but as volunteers we can only put in so much time.  Working on projects affecting our server infrastructure happens at a slower pace since this does not pay my bills.

Problems with SSL certs on our mail system will be resolved someday in the future.  We are working on the groundwork/planning for those changes of how we foresee the future of our site.
Jeremy D ~ Site Team / SMF Developer ~ GitHub Profile ~ Join us on IRC @ Libera.chat/#smf ~ Support the SMF Support team!

Just Another Member

Sleepy, my postfix/dovecot didn't make it through to Gmail vetting until I added the certs. Of course SSL is for HTTPS, not emails. Now I can send to Gmail addys just fine. But not before I added the certs.

Well of course I didn't know you were running Let's Encrypt, but don't call me DoPey! LOL! ;) (Love your cat avatar!) I run my certbot on a cron. I'm not sure how nginx would affect it except how you implement your certs, but I run nginx and mine works fine. I must have done something right.

I wasn't suggesting you run LE certs. I run them because I can't afford paid ones. Oh, and next month there's going to be a big announcement. Not a secret if I know it, something about multiple on one cert. I think it has to do with subdomains.

And I don't have a lack of knowledge of your infrastructure, I have a total lack of any info whatsoever, just happy dudes like you take care of it. :)

And thank you for doing what you do. I recall in another post somebody was whining about SMF, I told them that you are all unpaid volunteers, and that said complainer should be more polite. :)

SleePy

Quote from: Susan Addams on December 24, 2017, 03:14:21 PM
I wasn't suggesting you run LE certs. I run them because I can't afford paid ones. Oh, and next month there's going to be a big announcement. Not a secret if I know it, something about multiple on one cert. I think it has to do with subdomains.

Wildcard certificate announcement will bring LE doing wildcard certificates in addition to the SAN certs they already do.  You will need to do DNS records to issue those though.  I may take it for a spin using my script that builds dkim records for my server and test it.

Just Another Member

Sleepy, I hope I will have you around to explain it. I'm just a dumb blonde (brunette actually, like my avatar) but I want my server to work well. I am much anticipating Let's Encrypt's announcement expected soon!

Can you like, friend people here? :)

Steve

There is a buddies/ignore list in your profile. That's the closest right now. :)
DO NOT pm me for support!

Just Another Member

Well Steve and Sleepy you have both been very nice to me and I appreciate that! :)

LiroyvH

Thanks. Was a misconfiguration in DNS indeed, this should be sorted.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.
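
To tell which of the causes debated in this thread applies to a given message (no TLS on the delivering hop versus missing SPF/DKIM, both of which depend on server and DNS configuration), the headers stamped by the receiving provider can be read directly. The following is an added example, not part of any post in the thread; the sample headers, host names and the `auth_summary` / `likely_warnings` helpers are constructed for illustration, and the warning rules are a simplification, not Gmail's actual logic.

```python
import re
from email import message_from_string, policy

# Constructed headers (all hosts and addresses are made up): one notification
# relayed in cleartext with no SPF pass or DKIM signature, one sent properly.
UNAUTHENTICATED = """\
Received: from mail.forum.example (mail.forum.example. [203.0.113.10])
        by mx.receiver.example with ESMTP id abc123
        for <user@receiver.example>; Wed, 20 Dec 2017 07:30:00 -0800 (PST)
Authentication-Results: mx.receiver.example;
       spf=neutral (receiver.example: 203.0.113.10 is neither permitted nor denied)
       smtp.mailfrom=noreply@forum.example
"""
AUTHENTICATED = """\
Received: from mail.forum.example (mail.forum.example. [203.0.113.10])
        by mx.receiver.example with ESMTPS id def456
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 20 Dec 2017 07:31:00 -0800 (PST)
Authentication-Results: mx.receiver.example;
       dkim=pass header.i=@forum.example header.s=sel1;
       spf=pass (receiver.example: domain designates 203.0.113.10 as permitted)
       smtp.mailfrom=noreply@forum.example; dmarc=pass header.from=forum.example
"""
COMMENT = re.compile(r"\([^()]*\)")
RESULT = re.compile(r"\b(spf|dkim|dmarc)\s*=\s*([a-z]+)", re.I)
TLS_HOP = re.compile(r"\bwith\s+(?:ESMTPSA?|UTF8SMTPSA?|LMTPSA?)\b", re.I)  # RFC 3848

def auth_summary(raw):
    """Read only the topmost headers: those are the final receiver's own."""
    msg = message_from_string(raw, policy=policy.default)
    summary = {"spf": "none", "dkim": "none", "dmarc": "none", "tls": False}
    results = msg.get_all("Authentication-Results") or []
    if results:
        for method, verdict in RESULT.findall(COMMENT.sub(" ", str(results[0]))):
            summary[method.lower()] = verdict.lower()
    hops = msg.get_all("Received") or []
    summary["tls"] = bool(hops and TLS_HOP.search(str(hops[0])))
    return summary

def likely_warnings(summary):
    """Simplified model of the two causes argued over in the thread."""
    warnings = []
    if not summary["tls"]:
        warnings.append("final hop was not TLS-encrypted")
    if "pass" not in (summary["spf"], summary["dkim"]):
        warnings.append("sender not authenticated by SPF or DKIM")
    return warnings
```

Headers lower in a message can be written by any earlier relay or by the sender, so only the first `Received` and `Authentication-Results` entries are trusted here.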