Add pdns resolver, changed some other files
This commit is contained in:
parent
e3f0058f4f
commit
47a5166383
93
README.md
93
README.md
@ -1,18 +1,81 @@
|
||||
# mailcow-dockerized
|
||||
|
||||
mailcow dockerized comes with 11 containers linked in a mailcow network:
|
||||
Dovecot, Memcached, Redis, MariaDB, PowerDNS Recursor, PHP-FPM, Postfix, Nginx, Rmilter, Rspamd and SOGo.
|
||||
|
||||
## Installation
|
||||
|
||||
1. Open mailcow.conf and change stuff, do not use special chars in passwords. This will be fixed soon.
|
||||
|
||||
2. Run ./build-all.sh
|
||||
|
||||
3. Set a rspamd controller password (see section "rspamd")
|
||||
|
||||
Done.
|
||||
|
||||
The default username for mailcow is `admin` with password `moohoo`.
|
||||
You can now access https://${MAILCOW_HOSTNAME} with the default credentials `admin` + password `moohoo`.
|
||||
|
||||
## Usage
|
||||
## Configuration after installation
|
||||
|
||||
### Rspamd UI access
|
||||
If you want to use Rspamds web UI, you need to set a Rspamd controller password:
|
||||
|
||||
```
|
||||
# Generate hash
|
||||
docker exec -it rspamd-mailcow rspamadm pw
|
||||
```
|
||||
|
||||
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
|
||||
```
|
||||
enable_password = "myhash";
|
||||
```
|
||||
|
||||
Restart rspamd:
|
||||
```
|
||||
docker restart rspamd-mailcow
|
||||
```
|
||||
|
||||
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser.
|
||||
|
||||
### SSL (or: How to use Let's Encrypt)
|
||||
mailcow dockerized comes with a self-signed certificate.
|
||||
|
||||
First you should renew the DH parameters. Assuming you are in the mailcow root folder:
|
||||
```
|
||||
openssl dhparam -out ./data/assets/ssl/dhparams.pem 2048
|
||||
```
|
||||
|
||||
Get the certbot client:
|
||||
```
|
||||
wget https://dl.eff.org/certbot-auto && chmod +x certbot-auto
|
||||
```
|
||||
|
||||
Please disable applications blocking port 80 and run certbot:
|
||||
```
|
||||
./certbot-auto certonly \
|
||||
--standalone \
|
||||
--standalone-supported-challenges http-01 \
|
||||
-d ${MAILCOW_HOSTNAME} \
|
||||
--email you@example.org \
|
||||
--agree-tos
|
||||
```
|
||||
|
||||
Link certificates to assets directory. Assuming you are still in the mailcow root folder:
|
||||
```
|
||||
mv data/assets/ssl/mail.{crt,crt_old}
|
||||
mv data/assets/ssl/mail.{key,key_old}
|
||||
ln -s /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem data/assets/ssl/mail.crt
|
||||
ln -s /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem data/assets/ssl/mail.key
|
||||
```
|
||||
|
||||
Restart containers which use the certificate:
|
||||
```
|
||||
docker restart postfix-mailcow
|
||||
docker restart dovecot-mailcow
|
||||
docker restart nginx-mailcow
|
||||
```
|
||||
|
||||
When renewing certificates, run the last two steps as post-hook in certbot.
|
||||
|
||||
## Special usage
|
||||
### build-*.files
|
||||
|
||||
(Re)build a container:
|
||||
@ -52,6 +115,10 @@ Dump database to file backup_${DBNAME}_${DATE}.sql:
|
||||
./build-sql.sh --dump
|
||||
```
|
||||
|
||||
Restore database from a file:
|
||||
```
|
||||
./build-sql.sh --restore filename
|
||||
|
||||
### Redis
|
||||
|
||||
Connect to redis database:
|
||||
@ -59,7 +126,7 @@ Connect to redis database:
|
||||
./build-sql.sh --client
|
||||
```
|
||||
|
||||
### rspamd
|
||||
### Rspamd examples
|
||||
|
||||
Use rspamadm:
|
||||
```
|
||||
@ -71,22 +138,6 @@ Use rspamc:
|
||||
docker exec -it rspamd-mailcow rspamc --help
|
||||
```
|
||||
|
||||
Set rspamd controller password:
|
||||
```
|
||||
# Generate hash
|
||||
docker exec -it rspamd-mailcow rspamadm pw
|
||||
```
|
||||
|
||||
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
|
||||
```
|
||||
enable_password = "myhash";
|
||||
```
|
||||
|
||||
Restart rspamd:
|
||||
```
|
||||
docker restart rspamd-mailcow
|
||||
```
|
||||
|
||||
### Remove persistent data
|
||||
|
||||
MariaDB:
|
||||
|
@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
|
||||
/bin/bash build-network.sh
|
||||
/bin/bash build-pdns.sh
|
||||
[[ $? != 0 ]] && exit 1
|
||||
for buildx in $(ls build-*.sh | grep -vE "all|network"); do
|
||||
for buildx in $(ls build-*.sh | grep -vE "all|network|pdns"); do
|
||||
echo "Starting build file ${buildx} ..."
|
||||
/bin/bash ${buildx}
|
||||
done
|
||||
|
@ -5,7 +5,7 @@ source mailcow.conf
|
||||
NAME="dovecot-mailcow"
|
||||
|
||||
build() {
|
||||
docker build --no-cache -t dovecot data/Dockerfiles/dovecot/.
|
||||
docker build --no-cache -t dovecot:local data/Dockerfiles/dovecot/.
|
||||
}
|
||||
|
||||
if [[ ${1} == "--reconf" ]]; then
|
||||
@ -23,7 +23,7 @@ if [[ ! -z "$(docker images -q dovecot)" ]]; then
|
||||
read -r -p "Found image locally. Delete local and rebuild without cache anyway? [y/N] " response
|
||||
response=${response,,}
|
||||
if [[ $response =~ ^(yes|y)$ ]]; then
|
||||
docker rmi dovecot
|
||||
docker rmi dovecot:local
|
||||
build
|
||||
fi
|
||||
else
|
||||
@ -45,6 +45,6 @@ docker run \
|
||||
--network=${DOCKER_NETWORK} \
|
||||
--network-alias dovecot \
|
||||
-h ${MAILCOW_HOSTNAME} \
|
||||
-d dovecot
|
||||
-d dovecot:local
|
||||
|
||||
/bin/bash ./fix-permissions.sh
|
||||
|
36
build-pdns.sh
Executable file
36
build-pdns.sh
Executable file
@ -0,0 +1,36 @@
|
||||
#!/bin/bash
|
||||
|
||||
. mailcow.conf
|
||||
|
||||
NAME="pdns-mailcow"
|
||||
|
||||
echo "Stopping and removing containers with name tag ${NAME}..."
|
||||
if [[ ! -z $(docker ps -af "name=${NAME}" -q) ]]; then
|
||||
docker stop $(docker ps -af "name=${NAME}" -q)
|
||||
docker rm $(docker ps -af "name=${NAME}" -q)
|
||||
fi
|
||||
|
||||
build() {
|
||||
docker build --no-cache -t pdns data/Dockerfiles/pdns/.
|
||||
}
|
||||
|
||||
if [[ ! -z "$(docker images -q pdns)" ]]; then
|
||||
read -r -p "Found image locally. Delete local and rebuild without cache anyway? [y/N] " response
|
||||
response=${response,,}
|
||||
if [[ $response =~ ^(yes|y)$ ]]; then
|
||||
docker rmi pdns
|
||||
build
|
||||
fi
|
||||
else
|
||||
build
|
||||
fi
|
||||
|
||||
sed -i "s#allow-from.*#allow-from=127.0.0.0/8 ${DOCKER_SUBNET}#" data/conf/pdns/recursor.conf
|
||||
|
||||
docker run \
|
||||
-v ${PWD}/data/conf/pdns/:/etc/powerdns/ \
|
||||
--network=${DOCKER_NETWORK} \
|
||||
--network-alias pdns \
|
||||
-h pdns \
|
||||
--name ${NAME} \
|
||||
-d pdns
|
@ -4,6 +4,12 @@
|
||||
|
||||
NAME="postfix-mailcow"
|
||||
|
||||
PDNS_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pdns-mailcow 2> /dev/null)
|
||||
if [[ ! ${PDNS_IP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||
echo "Cannot determine Powerdns Recursor ip address. Is the container running?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
build() {
|
||||
docker build --no-cache -t postfix data/Dockerfiles/postfix/.
|
||||
}
|
||||
@ -45,6 +51,8 @@ docker run \
|
||||
-p ${SUBMISSION_PORT}:587 \
|
||||
-v ${PWD}/data/conf/postfix:/opt/postfix/conf:ro \
|
||||
-v ${PWD}/data/assets/ssl:/etc/ssl/mail/:ro \
|
||||
--dns=${PDNS_IP} \
|
||||
--dns-search=${DOCKER_NETWORK} \
|
||||
--name ${NAME} \
|
||||
--network=${DOCKER_NETWORK} \
|
||||
--network-alias postfix \
|
||||
|
@ -8,6 +8,12 @@ build() {
|
||||
docker build --no-cache -t rspamd data/Dockerfiles/rspamd/.
|
||||
}
|
||||
|
||||
PDNS_IP=$(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' pdns-mailcow 2> /dev/null)
|
||||
if [[ ! ${PDNS_IP} =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
|
||||
echo "Cannot determine Powerdns Recursor ip address. Is the container running?"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Stopping and removing containers with name tag ${NAME}..."
|
||||
if [[ ! -z $(docker ps -af "name=${NAME}" -q) ]]; then
|
||||
docker stop $(docker ps -af "name=${NAME}" -q)
|
||||
@ -29,6 +35,8 @@ docker run \
|
||||
-v ${PWD}/data/conf/rspamd/lua/:/etc/rspamd/lua/ \
|
||||
-v ${PWD}/data/dkim/txt/:/etc/rspamd/dkim/txt/:ro \
|
||||
-v ${PWD}/data/dkim/keys/:/etc/rspamd/dkim/keys/:ro \
|
||||
--dns=${PDNS_IP} \
|
||||
--dns-search=${DOCKER_NETWORK} \
|
||||
--network=${DOCKER_NETWORK} \
|
||||
--network-alias rspamd \
|
||||
-h rspamd \
|
||||
|
18
data/Dockerfiles/pdns/Dockerfile
Normal file
18
data/Dockerfiles/pdns/Dockerfile
Normal file
@ -0,0 +1,18 @@
|
||||
FROM debian:jessie
|
||||
MAINTAINER Andre Peters <andre.peters@debinux.de>
|
||||
|
||||
ENV DEBIAN_FRONTEND noninteractive
|
||||
|
||||
RUN echo 'deb http://repo.powerdns.com/debian jessie-rec-40 main' > /etc/apt/sources.list.d/pdns.list
|
||||
|
||||
RUN echo 'Package: pdns-*\n\
|
||||
Pin: origin repo.powerdns.com\n\
|
||||
Pin-Priority: 600\n' > /etc/apt/preferences.d/pdns
|
||||
|
||||
RUN apt-key adv --fetch-keys http://repo.powerdns.com/FD380FBB-pub.asc \
|
||||
&& apt-get update \
|
||||
&& apt-get install -y --force-yes pdns-recursor
|
||||
|
||||
CMD ["/usr/sbin/pdns_recursor"]
|
||||
|
||||
EXPOSE 53/udp
|
@ -3,6 +3,11 @@ server {
|
||||
ssl on;
|
||||
ssl_certificate /etc/ssl/mail/mail.crt;
|
||||
ssl_certificate_key /etc/ssl/mail/mail.key;
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
|
||||
ssl_ecdh_curve secp384r1;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
||||
index index.php index.html;
|
||||
server_name _;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
1
data/conf/pdns/pdns_custom.lua
Normal file
1
data/conf/pdns/pdns_custom.lua
Normal file
@ -0,0 +1 @@
|
||||
addNTA("mailcow-network", "nta for local")
|
41
data/conf/pdns/recursor.conf
Normal file
41
data/conf/pdns/recursor.conf
Normal file
@ -0,0 +1,41 @@
|
||||
allow-from=127.0.0.0/8 172.18.0.0/16
|
||||
config-dir=/etc/powerdns
|
||||
daemon=no
|
||||
disable-syslog=yes
|
||||
dnssec=process
|
||||
dnssec-log-bogus=yes
|
||||
dont-query=10.0.0.0/8, 100.64.0.0/10, 169.254.0.0/16, 192.168.0.0/16, 172.16.0.0/12, ::1/128, fc00::/7, fe80::/10, 0.0.0.0/8, 192.0.0.0/24, 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, 240.0.0.0/4, ::/96, ::ffff:0:0/96, 100::/64, 2001:db8::/32
|
||||
export-etc-hosts=off
|
||||
# forward-zones=
|
||||
forward-zones-recurse=mailcow-network.=127.0.0.11
|
||||
local-address=0.0.0.0
|
||||
local-port=53
|
||||
loglevel=6
|
||||
# lowercase-outgoing=no
|
||||
lua-config-file=/etc/powerdns/pdns_custom.lua
|
||||
# max-cache-entries=1000000
|
||||
# max-cache-ttl=86400
|
||||
# max-mthreads=2048
|
||||
# max-negative-ttl=3600
|
||||
# max-packetcache-entries=500000
|
||||
# max-qperq=50
|
||||
# max-tcp-clients=128
|
||||
# max-tcp-per-client=0
|
||||
# max-total-msec=7000
|
||||
# minimum-ttl-override=0
|
||||
# network-timeout=1500
|
||||
# packetcache-servfail-ttl=60
|
||||
# packetcache-ttl=3600
|
||||
quiet=no
|
||||
# security-poll-suffix=secpoll.powerdns.com.
|
||||
# serve-rfc1918=yes
|
||||
# server-down-max-fails=64
|
||||
# server-down-throttle-time=60
|
||||
setgid=pdns
|
||||
setuid=pdns
|
||||
# spoof-nearmiss-max=20
|
||||
# stack-size=200000
|
||||
# threads=2
|
||||
# trace=off
|
||||
version-string=PowerDNS Recursor
|
||||
webserver=no
|
@ -1,4 +1,4 @@
|
||||
myhostname=mail.mailcow.de
|
||||
myhostname=demo.example.org
|
||||
biff = no
|
||||
append_dot_mydomain = no
|
||||
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt
|
||||
@ -9,9 +9,9 @@ smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
|
||||
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
|
||||
alias_maps = hash:/etc/aliases
|
||||
alias_database = hash:/etc/aliases
|
||||
myhostname=mail.mailcow.de
|
||||
myhostname=demo.example.org
|
||||
relayhost =
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16
|
||||
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 172.55.0.0/16 172.18.0.0/16
|
||||
mailbox_size_limit = 0
|
||||
recipient_delimiter = +
|
||||
inet_interfaces = all
|
||||
@ -50,7 +50,8 @@ smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
|
||||
smtp_tls_cert_file = /etc/ssl/mail/mail.crt
|
||||
smtp_tls_key_file = /etc/ssl/mail/mail.key
|
||||
smtp_tls_loglevel = 1
|
||||
smtp_tls_security_level = may
|
||||
smtp_dns_support_level = dnssec
|
||||
smtp_tls_security_level = dane
|
||||
smtpd_data_restrictions = reject_unauth_pipelining, permit
|
||||
smtpd_delay_reject = yes
|
||||
smtpd_error_sleep_time = 10s
|
||||
|
15
mailcow.conf
15
mailcow.conf
@ -3,7 +3,7 @@
|
||||
# Default admin user is "admin"
|
||||
# Default password is "moohoo"
|
||||
|
||||
MAILCOW_HOSTNAME=mail.mailcow.de
|
||||
MAILCOW_HOSTNAME=logs.servercow.de
|
||||
|
||||
# SQL database configuration
|
||||
DBNAME=mailcow
|
||||
@ -25,7 +25,7 @@ NGINXVERS="stable"
|
||||
|
||||
# You should leave that alone
|
||||
# Can also be 11.22.33.44:25 or 0.0.0.0:465 etc. for specific binding
|
||||
SMTP_PORT=25
|
||||
SMTP_PORT=26
|
||||
SMTPS_PORT=465
|
||||
SUBMISSION_PORT=587
|
||||
IMAP_PORT=143
|
||||
@ -43,14 +43,3 @@ REDISVERS="latest"
|
||||
DOCKER_NETWORK="mailcow-network"
|
||||
DOCKER_SUBNET="172.18.0.0/16"
|
||||
|
||||
# ======= ADVANCED ======
|
||||
# - not yet implemented -
|
||||
# =======================
|
||||
# Use existing containers
|
||||
# =======================
|
||||
|
||||
# USE_REDIS="container-name-of-exisiting-redis"
|
||||
# USE_REDIS_NETWORK="docker-network-name-of-existing-redis-container"
|
||||
|
||||
# USE_MEMCACHED="container-name-of-exisiting-memcached"
|
||||
# USE_MEMCACHED_NETWORK="docker-network-name-of-existing-memcached-container"
|
||||
|
Loading…
Reference in New Issue
Block a user