This commit is contained in:
andryyy 2017-03-02 22:27:46 +01:00
parent 58806d12ea
commit 9d08bf3885
3 changed files with 121 additions and 139 deletions

View File

@ -12,66 +12,62 @@ mailcow uses 3 domain names that should be covered by your new certificate:
This is just an example of how to obtain certificates with certbot. There are several methods! This is just an example of how to obtain certificates with certbot. There are several methods!
1. Get the certbot client: 1\. Get the certbot client:
```
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
```
``` 2\. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx:
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot ```
``` docker-compose restart nginx-mailcow
```
2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`. 3\. Request the certificate with the webroot method:
```
cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf
certbot certonly \
--webroot \
-w ${PWD}/data/web \
-d ${MAILCOW_HOSTNAME} \
-d autodiscover.example.org \
-d autoconfig.example.org \
--email you@example.org \
--agree-tos
```
4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
```
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
3. Request the certificate with the webroot method: 5\. Restart affected containers:
```
``` docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
cd /path/to/git/clone/mailcow-dockerized ```
source mailcow.conf
certbot certonly \
--webroot \
-w ${PWD}/data/web \
-d ${MAILCOW_HOSTNAME} \
-d autodiscover.example.org \
-d autoconfig.example.org \
--email you@example.org \
--agree-tos
```
4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
```
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
5. Restart affected containers:
```
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
```
When renewing certificates, run the last two steps (link + restart) as post-hook in a script. When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
# Rspamd Web UI # Rspamd Web UI
At first you may want to setup Rspamds web interface which provides some useful features and information. At first you may want to setup Rspamds web interface which provides some useful features and information.
1. Generate a Rspamd controller password hash: 1\. Generate a Rspamd controller password hash:
```
docker-compose exec rspamd-mailcow rspamadm pw
```
``` 2\. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
docker-compose exec rspamd-mailcow rspamadm pw ```
``` enable_password = "myhash";
```
2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated: 3\. Restart rspamd:
```
``` docker-compose restart rspamd-mailcow
enable_password = "myhash"; ```
```
3. Restart rspamd:
```
docker-compose restart rspamd-mailcow
```
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login! Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
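Review bot: Step 1 (`wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot`) downloads a script straight into the PATH and marks it executable with no integrity check, and the line is carried over unchanged; since the hunk is already touching this step, add a verification step (check the published signature or checksum before the `chmod +x`) or point readers at their distribution's packaged certbot instead. Two smaller points in the same hunk: step 4's `ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem` creates a hard link, which fails outright when `/etc/letsencrypt` and the mailcow clone sit on different filesystems and goes stale as soon as `readlink -f` resolves to a new file after renewal (which is why the post-hook note at the end of the hunk matters; a `cp` in the post-hook avoids the filesystem limitation as well); and the `-d autodiscover.example.org` / `-d autoconfig.example.org` lines use the literal `example.org` while the first `-d` uses `${MAILCOW_HOSTNAME}`, which deserves a sentence telling the reader to substitute their own domain.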
@ -80,61 +76,59 @@ Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
You don't need to change the Nginx site that comes with mailcow: dockerized. You don't need to change the Nginx site that comes with mailcow: dockerized.
mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI. mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.
1. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example: 1\. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
```
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_PORT=127.0.0.1
HTTPS_PORT=8443
```
``` Recreate affected containers by running `docker-compose up -d`.
HTTP_BIND=127.0.0.1
HTTP_PORT=8080
HTTPS_PORT=127.0.0.1
HTTPS_PORT=8443
```
Recreate affected containers by running `docker-compose up -d`. 2\. Configure your local webserver as reverse proxy:
**Apache 2.4**
```
<VirtualHost *:443>
ServerName mail.example.org
ServerAlias autodiscover.example.org
ServerAlias autoconfig.example.org
2. Configure your local webserver as reverse proxy: [...]
# You should proxy to a plain HTTP session to offload SSL processing
ProxyPass / http://127.0.0.1:8080
ProxyPassReverse / http://127.0.0.1:8080
ProxyPreserveHost On
your-ssl-configuration-here
[...]
**Apache 2.4** # If you plan to proxy to a HTTPS host:
``` #SSLProxyEngine On
<VirtualHost *:443>
ServerName mail.example.org # If you plan to proxy to an untrusted HTTPS host:
ServerAlias autodiscover.example.org #SSLProxyVerify none
ServerAlias autoconfig.example.org #SSLProxyCheckPeerCN off
#SSLProxyCheckPeerName off
#SSLProxyCheckPeerExpire off
</VirtualHost>
```
[...] **Nginx**
# You should proxy to a plain HTTP session to offload SSL processing ```
ProxyPass / http://127.0.0.1:8080 server {
ProxyPassReverse / http://127.0.0.1:8080 listen 443;
ProxyPreserveHost On server_name mail.example.org autodiscover.example.org autoconfig.example.org;
your-ssl-configuration-here
[...]
# If you plan to proxy to a HTTPS host: [...]
#SSLProxyEngine On your-ssl-configuration-here
location / {
# If you plan to proxy to an untrusted HTTPS host: proxy_pass http://127.0.0.1:8080;
#SSLProxyVerify none proxy_set_header Host $host;
#SSLProxyCheckPeerCN off proxy_set_header X-Real-IP $remote_addr;
#SSLProxyCheckPeerName off proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#SSLProxyCheckPeerExpire off proxy_set_header X-Forwarded-Proto $scheme;
</VirtualHost>
```
**Nginx**
```
server {
listen 443;
server_name mail.example.org autodiscover.example.org autoconfig.example.org;
[...]
your-ssl-configuration-here
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
[...]
} }
``` [...]
}
```
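Review bot: The configuration example in step 1 is wrong in both columns: `HTTPS_PORT=127.0.0.1` should be `HTTPS_BIND=127.0.0.1`, otherwise `HTTPS_PORT` is set twice and `HTTPS_BIND` is never changed, so the HTTPS listener stays on its previous address even though the surrounding text says this binding is what controls access to Rspamd's web UI. Worth fixing while these lines are being rewritten. Also, the Apache example sets `ProxyPreserveHost On` but, unlike the Nginx block, passes no `X-Forwarded-Proto` header, and the commented `#SSLProxyVerify none` / `#SSLProxyCheckPeerName off` lines disable certificate validation of the backend; a sentence saying they should stay commented unless the backend really is an untrusted HTTPS host would discourage copy-pasting them into production.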

View File

@ -1,39 +1,29 @@
# Install mailcow # Install mailcow
1. You need Docker. You need Docker and Docker Compose.
Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh`. 1\. Learn how to install [Docker](https://docs.docker.com/engine/installation/linux/) and [Docker Compose](https://docs.docker.com/compose/install/).
2. You need Docker Compose 2\. Clone the master branch of the repository
```
git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized
```
Learn [how to install Docker Compose](https://docs.docker.com/compose/install/). 3\. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked.
```
./generate_config.sh
3. Clone the master branch of the repository ```
```
git clone https://github.com/andryyy/mailcow-dockerized && cd mailcow-dockerized
```
4. Generate a configuration file. Use a FQDN (`host.domain.tld`) as hostname when asked.
```
./generate_config.sh
```
5. Change configuration if you want or need to.
```
nano mailcow.conf
```
4\. Change configuration if you want or need to.
```
nano mailcow.conf
```
If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080. If you plan to use a reverse proxy, you can, for example, bind HTTPS to 127.0.0.1 on port 8443 and HTTP to 127.0.0.1 on port 8080.
6. Run the composer file. 5\. Run the composer file.
```
``` docker-compose up -d
docker-compose up -d ```
```
Done! Done!
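Review bot: "Run the composer file" in the last step should read "Run the compose file" (or "Start the stack with Docker Compose"); Composer is the PHP package manager, and the command shown is `docker-compose up -d`. The removal of `wget -qO- https://get.docker.com/ | sh` from step 1 in favour of a link to the installation docs is a welcome change, since piping a downloaded script straight into `sh` was the one step on the page that executed unverified code.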

View File

@ -263,18 +263,17 @@ Running `docker-compose down -v` will **destroy all mailcow: dockerized volumes*
# Reset admin password # Reset admin password
Reset mailcow admin to `admin:moohoo`: Reset mailcow admin to `admin:moohoo`:
1. Drop admin table 1\. Drop admin table
```
source mailcow.conf
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"
```
``` 2\. Open mailcow UI to auto-init the db
source mailcow.conf
docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"
```
2. Open mailcow UI to auto-init the db
# Rspamd # Rspamd
**Learn spam and ham*** **Learn spam and ham**
Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash. Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash.
This is archived by using the Dovecot plugin "antispam" and a simple parser script. This is archived by using the Dovecot plugin "antispam" and a simple parser script.
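Review bot: Step 1 passes the database password on the command line (`mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;"`), so the expanded value is visible in the process list on the host (the `docker-compose exec` argv) and inside the container for as long as the command runs; prefer `-p` without a value so mysql prompts for it, or supply the credentials through a client options file. The step is also more than a password reset: `DROP TABLE admin;` removes every admin account and relies on the UI to recreate the table, which the heading "Reset admin password" does not convey. Further down, "This is archived by using" should be "This is achieved by using".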
@ -372,8 +371,9 @@ docker-compose restart service-mailcow
Mailbox users can tag their mail address like in `me+facebook@example.org` and choose between to setups to handle this tag: Mailbox users can tag their mail address like in `me+facebook@example.org` and choose between to setups to handle this tag:
1. Move this message to a subfolder "facebook" (will be created lower case if not existing) 1\. Move this message to a subfolder "facebook" (will be created lower case if not existing)
2. Prepend the tag to the subject: "[facebook] Subject"
2\. Prepend the tag to the subject: "[facebook] Subject"
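Review bot: "choose between to setups" should be "choose between two setups"; the typo survives in both columns. The hunk otherwise only escapes the list numbering and inserts a blank line before item 2, so this is a cheap fix to fold in.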
# Two-factor authentication # Two-factor authentication
@ -406,5 +406,3 @@ Most systems use either a public or a local caching DNS resolver.
That's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics. That's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics.
Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service. Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service.
Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon. Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon.
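Review bot: "technics" should be "techniques", and "Googles" / "your ISPs" need apostrophes ("Google's", "your ISP's"); spelling out the resolver address instead of "4x8" would also help readers who do not know the shorthand. The hunk header (`-406,5 +406,3`) shows two lines dropped at the end of the section that are not in the visible context, so please confirm that the recommendation of what to use instead of a shared resolver survived the change.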