diff --git a/docs/first_steps.md b/docs/first_steps.md index 53d29714..6e9e54ae 100644 --- a/docs/first_steps.md +++ b/docs/first_steps.md 
@@ -5,46 +5,50 @@ mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate i mailcow uses 3 domain names that should be covered by your new certificate: - ${MAILCOW_HOSTNAME} -- autodiscover.*example.org* -- autoconfig.*example.org* +- autodiscover.**example.org** +- autoconfig.**example.org** **Obtain multi-SAN certificate by Let's Encrypt** This is just an example of how to obtain certificates with certbot. There are several methods! 1. Get the certbot client: -``` -wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot -``` + + ``` + wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot + ``` + 2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`. 3. Request the certificate with the webroot method: -``` -cd /path/to/git/clone/mailcow-dockerized -source mailcow.conf -certbot certonly \ - --webroot \ - -w ${PWD}/data/web \ - -d ${MAILCOW_HOSTNAME} \ - -d autodiscover.example.org \ - -d autoconfig.example.org \ - --email you@example.org \ - --agree-tos -``` + ``` + cd /path/to/git/clone/mailcow-dockerized + source mailcow.conf + certbot certonly \ + --webroot \ + -w ${PWD}/data/web \ + -d ${MAILCOW_HOSTNAME} \ + -d autodiscover.example.org \ + -d autoconfig.example.org \ + --email you@example.org \ + --agree-tos + ``` 4. Create hard links to the full path of the new certificates. 
Assuming you are still in the mailcow root folder: -``` -mv data/assets/ssl/cert.{pem,pem.backup} -mv data/assets/ssl/key.{pem,pem.backup} -ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem -ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem -``` + + ``` + mv data/assets/ssl/cert.{pem,pem.backup} + mv data/assets/ssl/key.{pem,pem.backup} + ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem + ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem + ``` 5. Restart affected containers: -``` -docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow -``` + + ``` + docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow + ``` When renewing certificates, run the last two steps (link + restart) as post-hook in a script. @@ -52,18 +56,22 @@ When renewing certificates, run the last two steps (link + restart) as post-hook At first you may want to setup Rspamds web interface which provides some useful features and information. 1. Generate a Rspamd controller password hash: -``` -docker-compose exec rspamd-mailcow rspamadm pw -``` + + ``` + docker-compose exec rspamd-mailcow rspamadm pw + ``` + 2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated: -``` -enable_password = "myhash"; -``` + + ``` + enable_password = "myhash"; + ``` + 3. Restart rspamd: -``` -docker-compose restart rspamd-mailcow -``` + ``` + docker-compose restart rspamd-mailcow + ``` Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login! 
@@ -72,60 +80,61 @@ Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login! You don't need to change the Nginx site that comes with mailcow: dockerized. mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI. -Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example: -``` -HTTP_BIND=127.0.0.1 -HTTP_PORT=8080 -HTTPS_PORT=127.0.0.1 -HTTPS_PORT=8443 -``` +1. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example: -Recreate affected containers by running `docker-compose up -d`. + ``` + HTTP_BIND=127.0.0.1 + HTTP_PORT=8080 + HTTPS_PORT=127.0.0.1 + HTTPS_PORT=8443 + ``` -Configure your local webserver as reverse proxy: + Recreate affected containers by running `docker-compose up -d`. -**Apache 2.4** -``` - - ServerName mail.example.org - ServerAlias autodiscover.example.org - ServerAlias autoconfig.example.org +2. Configure your local webserver as reverse proxy: - [...] - # You should proxy to a plain HTTP session to offload SSL processing - ProxyPass / http://127.0.0.1:8080 - ProxyPassReverse / http://127.0.0.1:8080 - ProxyPreserveHost On - your-ssl-configuration-here - [...] + **Apache 2.4** + ``` + + ServerName mail.example.org + ServerAlias autodiscover.example.org + ServerAlias autoconfig.example.org - # If you plan to proxy to a HTTPS host: - #SSLProxyEngine On - - # If you plan to proxy to an untrusted HTTPS host: - #SSLProxyVerify none - #SSLProxyCheckPeerCN off - #SSLProxyCheckPeerName off - #SSLProxyCheckPeerExpire off - -``` + [...] + # You should proxy to a plain HTTP session to offload SSL processing + ProxyPass / http://127.0.0.1:8080 + ProxyPassReverse / http://127.0.0.1:8080 + ProxyPreserveHost On + your-ssl-configuration-here + [...] 
-**Nginx** -``` -server { - listen 443; - server_name mail.example.org autodiscover.example.org autoconfig.example.org; + # If you plan to proxy to a HTTPS host: + #SSLProxyEngine On + + # If you plan to proxy to an untrusted HTTPS host: + #SSLProxyVerify none + #SSLProxyCheckPeerCN off + #SSLProxyCheckPeerName off + #SSLProxyCheckPeerExpire off + + ``` - [...] - your-ssl-configuration-here - location / { - proxy_pass http://127.0.0.1:8080; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - } - [...] -} -``` + **Nginx** + ``` + server { + listen 443; + server_name mail.example.org autodiscover.example.org autoconfig.example.org; + + [...] + your-ssl-configuration-here + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + [...] + } + ``` diff --git a/docs/install.md b/docs/install.md index a188c862..85917a50 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -2,33 +2,38 @@ 1. You need Docker. -Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`. + Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`. 2. You need Docker Compose -Learn [how to install Docker Compose](https://docs.docker.com/compose/install/). + + Learn [how to install Docker Compose](https://docs.docker.com/compose/install/). 3. Clone the master branch of the repository -``` -git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized -``` + + ``` + git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized + ``` 4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked. -``` -./generate_config.sh -``` + + ``` + ./generate_config.sh + ``` 5. Change configuration if you want or need to. -``` -nano mailcow.conf -``` + + ``` + nano mailcow.conf + ``` If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080. 6. Run the composer file. -``` -docker-compose up -d -``` + + ``` + docker-compose up -d + ``` Done! diff --git a/docs/u_and_e.md b/docs/u_and_e.md index af18e961..1ca66c4c 100644 --- a/docs/u_and_e.md +++ b/docs/u_and_e.md @@ -265,12 +265,12 @@ Reset mailcow admin to `admin:moohoo`: 1. Drop admin table -``` -source mailcow.conf -docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;" -``` + ``` + source mailcow.conf + docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;" + ``` -2. Open mailcow UI to auto-init the db + 2. Open mailcow UI to auto-init the db # Rspamd
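Review bot: In the `docs/first_steps.md` hunk at `@@ -5,46 +5,50 @@`, step 1 still tells the reader to run `wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot`, i.e. to install and later execute as root a script fetched over the network with no checksum or signature check; since this hunk touches those lines anyway, add a sentence recommending the distribution's `certbot` package where one exists, or at minimum verifying the download before running it. Also a style point in the same hunk: step 4 indents its fence under the list item, but its own explanatory line `Assuming you are still in the mailcow root folder:` stays at column 0, so it renders outside the list while steps 1 and 3 keep text and code together. Indent that line to match the other steps.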
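Review bot: In the Rspamd hunk of `docs/first_steps.md` at `@@ -52,18 +56,22 @@`, step 3 is the only item whose fenced block is not preceded by a blank line (steps 1 and 2 both gain one in this change), so the list is formatted inconsistently; add the blank line before the `docker-compose restart rspamd-mailcow` fence. It would also help the reader if step 2 said that the quoted value must be the complete hash string printed by `rspamadm pw`, since `enable_password = "myhash";` as written looks like a literal to be typed.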
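Review bot: In the reverse-proxy hunk of `docs/first_steps.md` at `@@ -72,60 +80,61 @@`, the example config sets `HTTPS_PORT` twice and never sets `HTTPS_BIND`: `HTTPS_PORT=127.0.0.1` should read `HTTPS_BIND=127.0.0.1`. As written, a reader who copies the block leaves HTTPS bound to all interfaces, which defeats the stated purpose of the section (the preceding text says the gateway-IP trust "is very important to control access to Rspamd's web UI"). The hunk re-indents exactly these lines, so fix the typo here rather than carrying it over. Two smaller points in the same hunk: the Apache comment `# If you plan to proxy to an untrusted HTTPS host:` followed by `#SSLProxyVerify none` and the `#SSLProxyCheckPeer*` directives should say that this is only acceptable for a loopback backend with the snakeoil certificate, because disabling verification towards a backend reached over a network removes TLS's protection against interception; and the Nginx example's `listen 443;` has no `ssl` parameter even though the server block is meant to terminate TLS, so either add it or note that it belongs in `your-ssl-configuration-here`.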
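Review bot: In the `docs/install.md` hunk at `@@ -2,33 +2,38 @@`, step 1 still recommends `wget -qO- https://get.docker.com/ | sh`, which pipes an unverified remote script straight into a root shell; since this line is re-indented by the hunk, consider pointing to the Docker packages for the reader's distribution as the primary option and keeping the one-liner as a convenience, or at least telling the reader to inspect the script first. Also, step 6 reads `Run the composer file.`; Composer is a PHP package manager, so this should be `Run the compose file.` (or `Start the stack with Docker Compose.`) to match the `docker-compose up -d` command underneath.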
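Review bot: In the `docs/u_and_e.md` hunk at `@@ -265,12 +265,12 @@`, the command `docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"` passes the database password as a command-line argument, so it is visible in the process list inside the container while the query runs; the reader has already done `source mailcow.conf`, so suggest `-p` on its own (the `mysql` client then prompts for the password on the TTY that `docker-compose exec` allocates) and keep the `-p${DBPASS}` form only if non-interactive use is the point. Separately, the change indents `2. Open mailcow UI to auto-init the db` by two spaces, which is inconsistent with every other numbered step in this patch (markers stay at column 0, only the fenced blocks are indented); leave `2.` at column 0.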