This commit is contained in:
andryyy 2017-03-02 21:43:08 +01:00
parent 1a518c545f
commit 58806d12ea
3 changed files with 117 additions and 103 deletions


@ -5,46 +5,50 @@ mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate i
mailcow uses 3 domain names that should be covered by your new certificate: mailcow uses 3 domain names that should be covered by your new certificate:
- ${MAILCOW_HOSTNAME} - ${MAILCOW_HOSTNAME}
- autodiscover.*example.org* - autodiscover.**example.org**
- autoconfig.*example.org* - autoconfig.**example.org**
**Obtain multi-SAN certificate by Let's Encrypt** **Obtain multi-SAN certificate by Let's Encrypt**
This is just an example of how to obtain certificates with certbot. There are several methods! This is just an example of how to obtain certificates with certbot. There are several methods!
1. Get the certbot client: 1. Get the certbot client:
```
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot ```
``` wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
```
2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`. 2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`.
3. Request the certificate with the webroot method: 3. Request the certificate with the webroot method:
``` ```
cd /path/to/git/clone/mailcow-dockerized cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf source mailcow.conf
certbot certonly \ certbot certonly \
--webroot \ --webroot \
-w ${PWD}/data/web \ -w ${PWD}/data/web \
-d ${MAILCOW_HOSTNAME} \ -d ${MAILCOW_HOSTNAME} \
-d autodiscover.example.org \ -d autodiscover.example.org \
-d autoconfig.example.org \ -d autoconfig.example.org \
--email you@example.org \ --email you@example.org \
--agree-tos --agree-tos
``` ```
4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: 4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
```
mv data/assets/ssl/cert.{pem,pem.backup} ```
mv data/assets/ssl/key.{pem,pem.backup} mv data/assets/ssl/cert.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
``` ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
5. Restart affected containers: 5. Restart affected containers:
```
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow ```
``` docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
```
When renewing certificates, run the last two steps (link + restart) as post-hook in a script. When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
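Review bot: Step 1 downloads `certbot-auto` and marks it executable in `/usr/local/sbin` with no integrity check, yet this program will run as root on every renewal; the docs should tell the reader to verify the publisher's signature or checksum before the `chmod +x`. Step 4 also deserves a sentence explaining why the hard links created with `ln $(readlink -f ...)` go stale: certbot writes new `fullchain.pem` / `privkey.pem` files on renewal, so the `mv` and `ln` lines (not just the restart) have to be repeated, which the closing sentence about the post-hook implies but does not spell out.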
@ -52,18 +56,22 @@ When renewing certificates, run the last two steps (link + restart) as post-hook
At first you may want to setup Rspamds web interface which provides some useful features and information. At first you may want to setup Rspamds web interface which provides some useful features and information.
1. Generate a Rspamd controller password hash: 1. Generate a Rspamd controller password hash:
```
docker-compose exec rspamd-mailcow rspamadm pw ```
``` docker-compose exec rspamd-mailcow rspamadm pw
```
2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated: 2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
```
enable_password = "myhash"; ```
``` enable_password = "myhash";
```
3. Restart rspamd: 3. Restart rspamd:
``` ```
docker-compose restart rspamd-mailcow docker-compose restart rspamd-mailcow
``` ```
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login! Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
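Review bot: Step 2 writes the controller password hash into `data/conf/rspamd/override.d/worker-controller.inc`, a file inside the git clone; since this hash is what guards the Rspamd web UI, the docs should say not to commit that file and to keep it readable only by the user running docker-compose. Two wording points: "Rspamds web interface" should read "Rspamd's web interface", and `"myhash"` should be marked as a placeholder for the output of `rspamadm pw`.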
@ -72,60 +80,61 @@ Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
You don't need to change the Nginx site that comes with mailcow: dockerized. You don't need to change the Nginx site that comes with mailcow: dockerized.
mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI. mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.
Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example: 1. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
```
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_PORT=127.0.0.1
HTTPS_PORT=8443
```
Recreate affected containers by running `docker-compose up -d`. ```
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_PORT=127.0.0.1
HTTPS_PORT=8443
```
Configure your local webserver as reverse proxy: Recreate affected containers by running `docker-compose up -d`.
**Apache 2.4** 2. Configure your local webserver as reverse proxy:
```
<VirtualHost *:443>
ServerName mail.example.org
ServerAlias autodiscover.example.org
ServerAlias autoconfig.example.org
[...] **Apache 2.4**
# You should proxy to a plain HTTP session to offload SSL processing ```
ProxyPass / http://127.0.0.1:8080 <VirtualHost *:443>
ProxyPassReverse / http://127.0.0.1:8080 ServerName mail.example.org
ProxyPreserveHost On ServerAlias autodiscover.example.org
your-ssl-configuration-here ServerAlias autoconfig.example.org
[...]
# If you plan to proxy to a HTTPS host: [...]
#SSLProxyEngine On # You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / http://127.0.0.1:8080
ProxyPassReverse / http://127.0.0.1:8080
ProxyPreserveHost On
your-ssl-configuration-here
[...]
# If you plan to proxy to an untrusted HTTPS host: # If you plan to proxy to a HTTPS host:
#SSLProxyVerify none #SSLProxyEngine On
#SSLProxyCheckPeerCN off
#SSLProxyCheckPeerName off
#SSLProxyCheckPeerExpire off
</VirtualHost>
```
**Nginx** # If you plan to proxy to an untrusted HTTPS host:
``` #SSLProxyVerify none
server { #SSLProxyCheckPeerCN off
listen 443; #SSLProxyCheckPeerName off
server_name mail.example.org autodiscover.example.org autoconfig.example.org; #SSLProxyCheckPeerExpire off
</VirtualHost>
```
[...] **Nginx**
your-ssl-configuration-here ```
location / { server {
proxy_pass http://127.0.0.1:8080; listen 443;
proxy_set_header Host $host; server_name mail.example.org autodiscover.example.org autoconfig.example.org;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; [...]
proxy_set_header X-Forwarded-Proto $scheme; your-ssl-configuration-here
} location / {
[...] proxy_pass http://127.0.0.1:8080;
} proxy_set_header Host $host;
``` proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
[...]
}
```
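Review bot: The `mailcow.conf` example in step 1 lists `HTTPS_PORT` twice; the first occurrence (`HTTPS_PORT=127.0.0.1`) should be `HTTPS_BIND=127.0.0.1`, matching the sentence above it that names HTTP_BIND and HTTPS_BIND. Because mailcow treats everything arriving from the gateway 172.22.1.1 as coming from the proxy, binding to 127.0.0.1 is a security requirement rather than a convenience, and the text should say so. In the Apache block, the commented `SSLProxyVerify none` / `SSLProxyCheckPeer*` lines disable validation of the backend certificate; a remark that this is only acceptable for a loopback backend, and that the plain-HTTP `ProxyPass` shown above is the recommended form, would help. The Nginx block's `listen 443;` has no `ssl` parameter; `your-ssl-configuration-here` covers it, but it is easy to overlook.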


@ -2,33 +2,38 @@
1. You need Docker. 1. You need Docker.
Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`. Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`.
2. You need Docker Compose 2. You need Docker Compose
Learn [how to install Docker Compose](https://docs.docker.com/compose/install/).
Learn [how to install Docker Compose](https://docs.docker.com/compose/install/).
3. Clone the master branch of the repository 3. Clone the master branch of the repository
```
git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized ```
``` git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized
```
4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked. 4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked.
```
./generate_config.sh ```
``` ./generate_config.sh
```
5. Change configuration if you want or need to. 5. Change configuration if you want or need to.
```
nano mailcow.conf ```
``` nano mailcow.conf
```
If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080. If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.
6. Run the composer file. 6. Run the composer file.
```
docker-compose up -d ```
``` docker-compose up -d
```
Done! Done!
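Review bot: Step 5 tells the reader to bind HTTPS to 127.0.0.1:8443 and HTTP to 127.0.0.1:8080 when using a reverse proxy but does not name the `mailcow.conf` variables (HTTP_BIND, HTTP_PORT, HTTPS_BIND, HTTPS_PORT); spelling them out would keep this page consistent with the reverse-proxy section. The Docker install line in step 1, `wget -qO- https://get.docker.com/ | sh`, is unchanged context, but piping a remote script into `sh` merits at least a pointer to the distribution's own Docker packages as an alternative.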


@ -265,12 +265,12 @@ Reset mailcow admin to `admin:moohoo`:
1. Drop admin table 1. Drop admin table
``` ```
source mailcow.conf source mailcow.conf
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;" docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"
``` ```
2. Open mailcow UI to auto-init the db 2. Open mailcow UI to auto-init the db
# Rspamd # Rspamd
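Review bot: The `mysql -u${DBUSER} -p${DBPASS}` invocation in step 1 puts the database password on the command line, where it is visible in the process list of the host and the container and in the shell history; suggest passing it through the `MYSQL_PWD` environment variable or a `--defaults-extra-file` instead. The step should also state plainly that `DROP TABLE admin;` removes every admin account, not only the one being reset, so the reader knows what the UI's re-initialisation in step 2 will and will not restore.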