Fix docs
This commit is contained in:
parent
1a518c545f
commit
58806d12ea
@ -5,46 +5,50 @@ mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate i
|
|||||||
mailcow uses 3 domain names that should be covered by your new certificate:
|
mailcow uses 3 domain names that should be covered by your new certificate:
|
||||||
|
|
||||||
- ${MAILCOW_HOSTNAME}
|
- ${MAILCOW_HOSTNAME}
|
||||||
- autodiscover.*example.org*
|
- autodiscover.**example.org**
|
||||||
- autoconfig.*example.org*
|
- autoconfig.**example.org**
|
||||||
|
|
||||||
**Obtain multi-SAN certificate by Let's Encrypt**
|
**Obtain multi-SAN certificate by Let's Encrypt**
|
||||||
|
|
||||||
This is just an example of how to obtain certificates with certbot. There are several methods!
|
This is just an example of how to obtain certificates with certbot. There are several methods!
|
||||||
|
|
||||||
1. Get the certbot client:
|
1. Get the certbot client:
|
||||||
```
|
|
||||||
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
```
|
||||||
```
|
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
||||||
|
```
|
||||||
|
|
||||||
2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`.
|
2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`.
|
||||||
|
|
||||||
3. Request the certificate with the webroot method:
|
3. Request the certificate with the webroot method:
|
||||||
|
|
||||||
```
|
```
|
||||||
cd /path/to/git/clone/mailcow-dockerized
|
cd /path/to/git/clone/mailcow-dockerized
|
||||||
source mailcow.conf
|
source mailcow.conf
|
||||||
certbot certonly \
|
certbot certonly \
|
||||||
--webroot \
|
--webroot \
|
||||||
-w ${PWD}/data/web \
|
-w ${PWD}/data/web \
|
||||||
-d ${MAILCOW_HOSTNAME} \
|
-d ${MAILCOW_HOSTNAME} \
|
||||||
-d autodiscover.example.org \
|
-d autodiscover.example.org \
|
||||||
-d autoconfig.example.org \
|
-d autoconfig.example.org \
|
||||||
--email you@example.org \
|
--email you@example.org \
|
||||||
--agree-tos
|
--agree-tos
|
||||||
```
|
```
|
||||||
|
|
||||||
4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
||||||
```
|
|
||||||
mv data/assets/ssl/cert.{pem,pem.backup}
|
```
|
||||||
mv data/assets/ssl/key.{pem,pem.backup}
|
mv data/assets/ssl/cert.{pem,pem.backup}
|
||||||
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
|
mv data/assets/ssl/key.{pem,pem.backup}
|
||||||
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
|
||||||
```
|
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
||||||
|
```
|
||||||
|
|
||||||
5. Restart affected containers:
|
5. Restart affected containers:
|
||||||
```
|
|
||||||
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
```
|
||||||
```
|
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
||||||
|
```
|
||||||
|
|
||||||
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
|
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
|
||||||
|
|
||||||
@ -52,18 +56,22 @@ When renewing certificates, run the last two steps (link + restart) as post-hook
|
|||||||
At first you may want to setup Rspamds web interface which provides some useful features and information.
|
At first you may want to setup Rspamds web interface which provides some useful features and information.
|
||||||
|
|
||||||
1. Generate a Rspamd controller password hash:
|
1. Generate a Rspamd controller password hash:
|
||||||
```
|
|
||||||
docker-compose exec rspamd-mailcow rspamadm pw
|
```
|
||||||
```
|
docker-compose exec rspamd-mailcow rspamadm pw
|
||||||
|
```
|
||||||
|
|
||||||
2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
|
2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
|
||||||
```
|
|
||||||
enable_password = "myhash";
|
```
|
||||||
```
|
enable_password = "myhash";
|
||||||
|
```
|
||||||
|
|
||||||
3. Restart rspamd:
|
3. Restart rspamd:
|
||||||
|
|
||||||
```
|
```
|
||||||
docker-compose restart rspamd-mailcow
|
docker-compose restart rspamd-mailcow
|
||||||
```
|
```
|
||||||
|
|
||||||
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
|
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
|
||||||
|
|
||||||
@ -72,60 +80,61 @@ Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
|
|||||||
You don't need to change the Nginx site that comes with mailcow: dockerized.
|
You don't need to change the Nginx site that comes with mailcow: dockerized.
|
||||||
mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.
|
mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.
|
||||||
|
|
||||||
Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
|
1. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
|
||||||
```
|
|
||||||
HTTP_BIND=127.0.0.1
|
|
||||||
HTTP_PORT=8080
|
|
||||||
HTTPS_PORT=127.0.0.1
|
|
||||||
HTTPS_PORT=8443
|
|
||||||
```
|
|
||||||
|
|
||||||
Recreate affected containers by running `docker-compose up -d`.
|
```
|
||||||
|
HTTP_BIND=127.0.0.1
|
||||||
|
HTTP_PORT=8080
|
||||||
|
HTTPS_PORT=127.0.0.1
|
||||||
|
HTTPS_PORT=8443
|
||||||
|
```
|
||||||
|
|
||||||
Configure your local webserver as reverse proxy:
|
Recreate affected containers by running `docker-compose up -d`.
|
||||||
|
|
||||||
**Apache 2.4**
|
2. Configure your local webserver as reverse proxy:
|
||||||
```
|
|
||||||
<VirtualHost *:443>
|
|
||||||
ServerName mail.example.org
|
|
||||||
ServerAlias autodiscover.example.org
|
|
||||||
ServerAlias autoconfig.example.org
|
|
||||||
|
|
||||||
[...]
|
**Apache 2.4**
|
||||||
# You should proxy to a plain HTTP session to offload SSL processing
|
```
|
||||||
ProxyPass / http://127.0.0.1:8080
|
<VirtualHost *:443>
|
||||||
ProxyPassReverse / http://127.0.0.1:8080
|
ServerName mail.example.org
|
||||||
ProxyPreserveHost On
|
ServerAlias autodiscover.example.org
|
||||||
your-ssl-configuration-here
|
ServerAlias autoconfig.example.org
|
||||||
[...]
|
|
||||||
|
|
||||||
# If you plan to proxy to a HTTPS host:
|
[...]
|
||||||
#SSLProxyEngine On
|
# You should proxy to a plain HTTP session to offload SSL processing
|
||||||
|
ProxyPass / http://127.0.0.1:8080
|
||||||
# If you plan to proxy to an untrusted HTTPS host:
|
ProxyPassReverse / http://127.0.0.1:8080
|
||||||
#SSLProxyVerify none
|
ProxyPreserveHost On
|
||||||
#SSLProxyCheckPeerCN off
|
your-ssl-configuration-here
|
||||||
#SSLProxyCheckPeerName off
|
[...]
|
||||||
#SSLProxyCheckPeerExpire off
|
|
||||||
</VirtualHost>
|
|
||||||
```
|
|
||||||
|
|
||||||
**Nginx**
|
# If you plan to proxy to a HTTPS host:
|
||||||
```
|
#SSLProxyEngine On
|
||||||
server {
|
|
||||||
listen 443;
|
# If you plan to proxy to an untrusted HTTPS host:
|
||||||
server_name mail.example.org autodiscover.example.org autoconfig.example.org;
|
#SSLProxyVerify none
|
||||||
|
#SSLProxyCheckPeerCN off
|
||||||
|
#SSLProxyCheckPeerName off
|
||||||
|
#SSLProxyCheckPeerExpire off
|
||||||
|
</VirtualHost>
|
||||||
|
```
|
||||||
|
|
||||||
[...]
|
**Nginx**
|
||||||
your-ssl-configuration-here
|
```
|
||||||
location / {
|
server {
|
||||||
proxy_pass http://127.0.0.1:8080;
|
listen 443;
|
||||||
proxy_set_header Host $host;
|
server_name mail.example.org autodiscover.example.org autoconfig.example.org;
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
[...]
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
your-ssl-configuration-here
|
||||||
}
|
location / {
|
||||||
[...]
|
proxy_pass http://127.0.0.1:8080;
|
||||||
}
|
proxy_set_header Host $host;
|
||||||
```
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
}
|
||||||
|
[...]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
@ -2,33 +2,38 @@
|
|||||||
|
|
||||||
1. You need Docker.
|
1. You need Docker.
|
||||||
|
|
||||||
Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`.
|
Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`.
|
||||||
|
|
||||||
2. You need Docker Compose
|
2. You need Docker Compose
|
||||||
Learn [how to install Docker Compose](https://docs.docker.com/compose/install/).
|
|
||||||
|
Learn [how to install Docker Compose](https://docs.docker.com/compose/install/).
|
||||||
|
|
||||||
|
|
||||||
3. Clone the master branch of the repository
|
3. Clone the master branch of the repository
|
||||||
```
|
|
||||||
git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized
|
```
|
||||||
```
|
git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized
|
||||||
|
```
|
||||||
|
|
||||||
4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked.
|
4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked.
|
||||||
```
|
|
||||||
./generate_config.sh
|
```
|
||||||
```
|
./generate_config.sh
|
||||||
|
```
|
||||||
|
|
||||||
5. Change configuration if you want or need to.
|
5. Change configuration if you want or need to.
|
||||||
```
|
|
||||||
nano mailcow.conf
|
```
|
||||||
```
|
nano mailcow.conf
|
||||||
|
```
|
||||||
|
|
||||||
If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.
|
If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.
|
||||||
|
|
||||||
6. Run the composer file.
|
6. Run the composer file.
|
||||||
```
|
|
||||||
docker-compose up -d
|
```
|
||||||
```
|
docker-compose up -d
|
||||||
|
```
|
||||||
|
|
||||||
Done!
|
Done!
|
||||||
|
|
||||||
|
@ -265,12 +265,12 @@ Reset mailcow admin to `admin:moohoo`:
|
|||||||
|
|
||||||
1. Drop admin table
|
1. Drop admin table
|
||||||
|
|
||||||
```
|
```
|
||||||
source mailcow.conf
|
source mailcow.conf
|
||||||
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"
|
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"
|
||||||
```
|
```
|
||||||
|
|
||||||
2. Open mailcow UI to auto-init the db
|
2. Open mailcow UI to auto-init the db
|
||||||
|
|
||||||
# Rspamd
|
# Rspamd
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user