Add pdns resolver, changed some other files

This commit is contained in:
andryyy 2016-12-11 18:58:29 +01:00
parent e3f0058f4f
commit 47a5166383
12 changed files with 201 additions and 42 deletions

View File

@ -1,18 +1,81 @@
# mailcow-dockerized
mailcow dockerized comes with 11 containers linked in a mailcow network:
Dovecot, Memcached, Redis, MariaDB, PowerDNS Recursor, PHP-FPM, Postfix, Nginx, Rmilter, Rspamd and SOGo.
## Installation
1. Open mailcow.conf and change stuff, do not use special chars in passwords. This will be fixed soon.
2. Run ./build-all.sh
3. Set a rspamd controller password (see section "rspamd")
Done.
The default username for mailcow is `admin` with password `moohoo`.
You can now access https://${MAILCOW_HOSTNAME} with the default credentials `admin` + password `moohoo`.
## Usage
## Configuration after installation
### Rspamd UI access
If you want to use Rspamds web UI, you need to set a Rspamd controller password:
```
# Generate hash
docker exec -it rspamd-mailcow rspamadm pw
```
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
```
enable_password = "myhash";
```
Restart rspamd:
```
docker restart rspamd-mailcow
```
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser.
### SSL (or: How to use Let's Encrypt)
mailcow dockerized comes with a self-signed certificate.
First you should renew the DH parameters. Assuming you are in the mailcow root folder:
```
openssl dhparam -out ./data/assets/ssl/dhparams.pem 2048
```
Get the certbot client:
```
wget https://dl.eff.org/certbot-auto && chmod +x certbot-auto
```
Please disable applications blocking port 80 and run certbot:
```
./certbot-auto certonly \
--standalone \
--standalone-supported-challenges http-01 \
-d ${MAILCOW_HOSTNAME} \
--email you@example.org \
--agree-tos
```
Link certificates to assets directory. Assuming you are still in the mailcow root folder:
```
mv data/assets/ssl/mail.{crt,crt_old}
mv data/assets/ssl/mail.{key,key_old}
ln -s /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem data/assets/ssl/mail.crt
ln -s /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem data/assets/ssl/mail.key
```
Restart containers which use the certificate:
```
docker restart postfix-mailcow
docker restart dovecot-mailcow
docker restart nginx-mailcow
```
When renewing certificates, run the last two steps as post-hook in certbot.
## Special usage
### build-*.files
(Re)build a container:
@ -52,6 +115,10 @@ Dump database to file backup_${DBNAME}_${DATE}.sql:
./build-sql.sh --dump
```
Restore database from a file:
```
./build-sql.sh --restore filename
### Redis
Connect to redis database:
@ -59,7 +126,7 @@ Connect to redis database:
./build-sql.sh --client
```
### rspamd
### Rspamd examples
Use rspamadm:
```
@ -71,22 +138,6 @@ Use rspamc:
docker exec -it rspamd-mailcow rspamc --help
```
Set rspamd controller password:
```
# Generate hash
docker exec -it rspamd-mailcow rspamadm pw
```
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
```
enable_password = "myhash";
```
Restart rspamd:
```
docker restart rspamd-mailcow
```
### Remove persistent data
MariaDB:

View File

@ -1,8 +1,9 @@
#!/bin/bash
/bin/bash build-network.sh
/bin/bash build-pdns.sh
[[ $? != 0 ]] && exit 1
for buildx in $(ls build-*.sh | grep -vE "all|network"); do
for buildx in $(ls build-*.sh | grep -vE "all|network|pdns"); do
echo "Starting build file ${buildx} ..."
/bin/bash ${buildx}
done

View File

@ -5,7 +5,7 @@ source mailcow.conf
NAME="dovecot-mailcow"
build() {
docker build --no-cache -t dovecot data/Dockerfiles/dovecot/.
docker build --no-cache -t dovecot:local data/Dockerfiles/dovecot/.
}
if [[ ${1} == "--reconf" ]]; then
@ -23,7 +23,7 @@ if [[ ! -z "$(docker images -q dovecot)" ]]; then
read -r -p "Found image locally. Delete local and rebuild without cache anyway? [y/N] " response
response=${response,,}
if [[ $response =~ ^(yes|y)$ ]]; then
docker rmi dovecot
docker rmi dovecot:local
build
fi
else
@ -45,6 +45,6 @@ docker run \
--network=${DOCKER_NETWORK} \
--network-alias dovecot \
-h ${MAILCOW_HOSTNAME} \
-d dovecot
-d dovecot:local
/bin/bash ./fix-permissions.sh

36
build-pdns.sh Executable file
View File

@ -0,0 +1,36 @@
#!/bin/bash
. mailcow.conf
NAME="pdns-mailcow"
echo "Stopping and removing containers with name tag ${NAME}..."
if [[ ! -z $(docker ps -af "name=${NAME}" -q) ]]; then
docker stop $(docker ps -af "name=${NAME}" -q)
docker rm $(docker ps -af "name=${NAME}" -q)
fi
build() {
docker build --no-cache -t pdns data/Dockerfiles/pdns/.
}
if [[ ! -z "$(docker images -q pdns)" ]]; then
read -r -p "Found image locally. Delete local and rebuild without cache anyway? [y/N] " response
response=${response,,}
if [[ $response =~ ^(yes|y)$ ]]; then
docker rmi pdns
build
fi
else
build
fi
sed -i "s#allow-from.*#allow-from=127.0.0.0/8 ${DOCKER_SUBNET}#" data/conf/pdns/recursor.conf
docker run \
-v ${PWD}/data/conf/pdns/:/etc/powerdns/ \
--network=${DOCKER_NETWORK} \
--network-alias pdns \
-h pdns \
--name ${NAME} \
-d pdns

View File

@ -4,6 +4,12 @@
NAME="postfix-mailcow"
PDNS_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pdns-mailcow 2> /dev/null)
if [[ ! ${PDNS_IP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Cannot determine Powerdns Recursor ip address. Is the container running?"
exit 1
fi
build() {
docker build --no-cache -t postfix data/Dockerfiles/postfix/.
}
@ -45,6 +51,8 @@ docker run \
-p ${SUBMISSION_PORT}:587 \
-v ${PWD}/data/conf/postfix:/opt/postfix/conf:ro \
-v ${PWD}/data/assets/ssl:/etc/ssl/mail/:ro \
--dns=${PDNS_IP} \
--dns-search=${DOCKER_NETWORK} \
--name ${NAME} \
--network=${DOCKER_NETWORK} \
--network-alias postfix \

View File

@ -8,6 +8,12 @@ build() {
docker build --no-cache -t rspamd data/Dockerfiles/rspamd/.
}
PDNS_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pdns-mailcow 2> /dev/null)
if [[ ! ${PDNS_IP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Cannot determine Powerdns Recursor ip address. Is the container running?"
exit 1
fi
echo "Stopping and removing containers with name tag ${NAME}..."
if [[ ! -z $(docker ps -af "name=${NAME}" -q) ]]; then
docker stop $(docker ps -af "name=${NAME}" -q)
@ -29,6 +35,8 @@ docker run \
-v ${PWD}/data/conf/rspamd/lua/:/etc/rspamd/lua/ \
-v ${PWD}/data/dkim/txt/:/etc/rspamd/dkim/txt/:ro \
-v ${PWD}/data/dkim/keys/:/etc/rspamd/dkim/keys/:ro \
--dns=${PDNS_IP} \
--dns-search=${DOCKER_NETWORK} \
--network=${DOCKER_NETWORK} \
--network-alias rspamd \
-h rspamd \

View File

@ -0,0 +1,18 @@
FROM debian:jessie
MAINTAINER Andre Peters <andre.peters@debinux.de>
ENV DEBIAN_FRONTEND noninteractive
RUN echo 'deb http://repo.powerdns.com/debian jessie-rec-40 main' > /etc/apt/sources.list.d/pdns.list
RUN echo 'Package: pdns-*\n\
Pin: origin repo.powerdns.com\n\
Pin-Priority: 600\n' > /etc/apt/preferences.d/pdns
RUN apt-key adv --fetch-keys http://repo.powerdns.com/FD380FBB-pub.asc \
&& apt-get update \
&& apt-get install -y --force-yes pdns-recursor
CMD ["/usr/sbin/pdns_recursor"]
EXPOSE 53/udp

View File

@ -3,6 +3,11 @@ server {
ssl on;
ssl_certificate /etc/ssl/mail/mail.crt;
ssl_certificate_key /etc/ssl/mail/mail.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
index index.php index.html;
server_name _;
error_log /var/log/nginx/error.log;

View File

@ -0,0 +1 @@
addNTA("mailcow-network", "nta for local")

View File

@ -0,0 +1,41 @@
allow-from=127.0.0.0/8 172.18.0.0/16
config-dir=/etc/powerdns
daemon=no
disable-syslog=yes
dnssec=process
dnssec-log-bogus=yes
dont-query=10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
export-etc-hosts=off
# forward-zones=
forward-zones-recurse=mailcow-network.=127.0.0.11
local-address=0.0.0.0
local-port=53
loglevel=6
# lowercase-outgoing=no
lua-config-file=/etc/powerdns/pdns_custom.lua
# max-cache-entries=1000000
# max-cache-ttl=86400
# max-mthreads=2048
# max-negative-ttl=3600
# max-packetcache-entries=500000
# max-qperq=50
# max-tcp-clients=128
# max-tcp-per-client=0
# max-total-msec=7000
# minimum-ttl-override=0
# network-timeout=1500
# packetcache-servfail-ttl=60
# packetcache-ttl=3600
quiet=no
# security-poll-suffix=secpoll.powerdns.com.
# serve-rfc1918=yes
# server-down-max-fails=64
# server-down-throttle-time=60
setgid=pdns
setuid=pdns
# spoof-nearmiss-max=20
# stack-size=200000
# threads=2
# trace=off
version-string=PowerDNS Recursor
webserver=no

View File

@ -1,4 +1,4 @@
myhostname=mail.mailcow.de
myhostname=demo.example.org
biff = no
append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
@ -9,9 +9,9 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myhostname=mail.mailcow.de
myhostname=demo.example.org
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16 172.18.0.0/16
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
@ -50,7 +50,8 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
smtp_tls_key_file = /etc/ssl/mail/mail.key
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
smtpd_data_restrictions = reject_unauth_pipelining, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 10s

View File

@ -3,7 +3,7 @@
# Default admin user is "admin"
# Default password is "moohoo"
MAILCOW_HOSTNAME=mail.mailcow.de
MAILCOW_HOSTNAME=logs.servercow.de
# SQL database configuration
DBNAME=mailcow
@ -25,7 +25,7 @@ NGINXVERS="stable"
# You should leave that alone
# Can also be 11.22.33.44:25 or 0.0.0.0:465 etc. for specific binding
SMTP_PORT=25
SMTP_PORT=26
SMTPS_PORT=465
SUBMISSION_PORT=587
IMAP_PORT=143
@ -43,14 +43,3 @@ REDISVERS="latest"
DOCKER_NETWORK="mailcow-network"
DOCKER_SUBNET="172.18.0.0/16"
# ======= ADVANCED ======
# - not yet implemented -
# =======================
# Use existing containers
# =======================
# USE_REDIS="container-name-of-exisiting-redis"
# USE_REDIS_NETWORK="docker-network-name-of-existing-redis-container"
# USE_MEMCACHED="container-name-of-exisiting-memcached"
# USE_MEMCACHED_NETWORK="docker-network-name-of-existing-memcached-container"