Mailhog on staging

Hi,
I want to use the mailhog service on the staging machine. I copied the mail.yml from the group_vars and added the mailhog role to the server.yml

Did I miss anything?

Is it working as expected?

Oh, I forgot the most important thing. No, it’s not working. I tried to visit staging.domain.com:8025 like development, but I don’t get the mailhog web interface.

Trellis sets up Mailhog on your local/development environment by default (see here).

If you want to use Mailhog as part of your remote/staging environment then you’ll need to make some changes to your server provisioning playbooks. Trellis sets up ssmtp for those environments by default (see here).

Also, refer to Trellis’s mail documentation here: https://roots.io/trellis/docs/mail/.

If you already made changes to your playbooks in an effort to set up Mailhog on your remote environment then please paste the changes you made, along with any relevant provisioning output, and finally, detailed output that indicates what you mean by “it’s not working.” A good example of that is error log output.

Thx for your response. I just added the mailhog role to the provisioning playbook - { role: mailhog, tags: [mailhog, mail] } (and
So the main provisioning of staging looks nearly like the provisioning of the dev machine (yes I ignore production for now).
The problem is that I don’t get any errors except ERR_CONNECTION_REFUSED in Chrome when I visit staging.domain.com:8025. I don’t know how to debug this…

An excerpt of the provisioning:

TASK [mailhog : Ensure mailhog install directory exists.] **********************
ok: [192.168.10.5]

TASK [mailhog : Download MailHog and mhsendmail binaries.] *********************
ok: [192.168.10.5] => (item={u'url': u'https://github.com/mailhog/MailHog/releases/download/v0.2.0/MailHog_linux_amd64', u'dest': u'/opt/mailhog/mailhog'})
ok: [192.168.10.5] => (item={u'url': u'https://github.com/mailhog/mhsendmail/releases/download/v0.2.0/mhsendmail_linux_amd64', u'dest': u'/opt/mailhog/mhsendmail'})

TASK [mailhog : Copy mailhog init script into place.] **************************
ok: [192.168.10.5]

TASK [mailhog : Copy mailhog systemd unit file into place (for systemd systems).] ***
skipping: [192.168.10.5]

TASK [mailhog : Ensure mailhog is enabled and will start on boot.] *************
ok: [192.168.10.5]

I can get mailhog working on staging using the steps below. But first, a word of caution about security. Think twice before enabling Mailhog on a public server.

  • Mailhog doesn’t accommodate https so you’d be reading the emails over insecure http, which may expose secret credentials in email content.
  • The Mailhog email interface (and email content) can be accessed by anyone, even if they are not logged in to the WordPress site. One partial mitigation is to set an ip_whitelist for port 8025 (see below).

The following steps are what you already described, just adding conditionals on the mailhog and ssmtp roles in server.yml (although I didn’t test the necessity of the conditionals) and adding an updated ferm_input_list list to open port 8025 on staging.

Step 1. cp group_vars/development/mail.yml group_vars/staging/mail.yml

Step 2. adjust server.yml

     ...
     - { role: sshd, tags: [sshd] }
     - { role: mariadb, tags: [mariadb] }
+    - { role: mailhog, tags: [mailhog, mail], when: env != 'production' }
-    - { role: ssmtp, tags: [ssmtp, mail] }
+    - { role: ssmtp, tags: [ssmtp, mail], when: env == 'production' }
     - { role: php, tags: [php] }
     - { role: memcached, tags: [memcached] }
     ...
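
Review bot: On the added mailhog line, `when: env != 'production'` is a deny-list, so any environment whose name is not exactly production, including one added later, gets MailHog and its web interface. An explicit allow-list such as `when: env in ['development', 'staging']` would limit it to the environments that are meant to have it; the ssmtp condition should then be kept as the exact complement so every environment still gets one mail role.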

Step 3. Open port 8025 by overriding the default ferm_input_list, adding the following to group_vars/staging/main.yml (context/discussion):

ferm_input_list:
  - type: dport_accept
    dport: [http, https]
    filename: nginx_accept
  - type: dport_accept
    dport: [ssh]
    saddr: "{{ ip_whitelist }}"
  - type: dport_limit
    dport: [ssh]
    seconds: 300
    hits: 20
  - type: dport_accept
    dport: [8025]
    saddr: "{{ ip_whitelist }}"

That final saddr: "{{ ip_whitelist }}" is what keeps just anyone from accessing your Mailhog interface (allows only those accessing the port from an IP in your whitelist), but I doubt this would be enough to meet official security policies, if you have them.

3 Likes
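
An added example, not part of the original post or of Trellis: a small audit of a ferm_input_list like the one in Step 3, flagging any dport_accept rule that opens a non-public port (such as 8025) without a usable saddr restriction. The function names, PUBLIC_PORTS and the sample IP are hypothetical, and the rules are written as the structure a YAML loader would return.

```python
import ipaddress

# Assumption: only these ports are meant to be reachable from any source address.
PUBLIC_PORTS = {"http", "https"}

def resolve_saddr(saddr, ip_whitelist):
    """Return the source addresses a rule allows, expanding the ip_whitelist template."""
    if saddr is None:
        return None
    if isinstance(saddr, str):
        if saddr.strip("{} ") == "ip_whitelist":
            return list(ip_whitelist)
        return [saddr]
    return list(saddr)

def audit_ferm_input_list(rules, ip_whitelist):
    """Flag dport_accept rules that expose a non-public port to every source."""
    findings = []
    for rule in rules:
        if rule.get("type") != "dport_accept":
            continue  # dport_limit and other rule types are not audited here
        ports = [str(p) for p in rule.get("dport", []) if str(p) not in PUBLIC_PORTS]
        if not ports:
            continue
        sources = resolve_saddr(rule.get("saddr"), ip_whitelist)
        if not sources:
            findings.append((ports, "saddr missing or empty"))
            continue
        for src in sources:
            # Literal IPs/CIDRs only; a hostname here raises ValueError.
            if ipaddress.ip_network(src, strict=False).prefixlen == 0:
                findings.append((ports, "saddr %s matches every address" % src))
    return findings

# Constructed sample: the staging rules from the post as a YAML loader would
# return them, plus one deliberately unsafe variant for comparison.
STAGING_RULES = [
    {"type": "dport_accept", "dport": ["http", "https"], "filename": "nginx_accept"},
    {"type": "dport_accept", "dport": ["ssh"], "saddr": "{{ ip_whitelist }}"},
    {"type": "dport_limit", "dport": ["ssh"], "seconds": 300, "hits": 20},
    {"type": "dport_accept", "dport": [8025], "saddr": "{{ ip_whitelist }}"},
]
UNSAFE_RULES = STAGING_RULES[:3] + [{"type": "dport_accept", "dport": [8025]}]

if __name__ == "__main__":
    print(audit_ferm_input_list(STAGING_RULES, ["203.0.113.10"]))  # constructed IP
    print(audit_ferm_input_list(UNSAFE_RULES, ["203.0.113.10"]))
```

An empty ip_whitelist or an entry such as 0.0.0.0/0 is reported for both the ssh and the 8025 rule, since both rely on the same list.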

Great! Thx for your detailed response!
Our staging server isn’t really public in that special case. I will try it.

I enabled mailhog in staging, but I can’t see it because all my browsers try HTTPS (ssl) on port 8025 and then fail. Some trick to fix this?

Maybe put mailhog under the nginx, just under some different base URL.

@iceteabottle, as an alternative, you could consider using the free https://mailtrap.io service. This is what I use on staging to capture my emails. I like this setup because it means staging more closely matches my production environment, in as much as they both use an external SMTP server for mail. It could potentially alert me to network problems on staging, rather than discovering the problem in production later on.

1 Like