From a74cecc4e8d3427bbc8da38d3ca6899c07f4f18f Mon Sep 17 00:00:00 2001 From: thopic Date: Thu, 2 Mar 2023 13:22:07 +0100 Subject: [PATCH] [GNOUS] prod --- data/assets/ssl-example/cert.pem | 48 ++++++++++++------- data/assets/ssl-example/key.pem | 79 +++++++++++++++++++++----------- data/conf/postfix/main.cf | 2 + data/conf/unbound/unbound.conf | 2 +- docker-compose.yml | 32 ++++++++++++- 5 files changed, 116 insertions(+), 47 deletions(-) diff --git a/data/assets/ssl-example/cert.pem b/data/assets/ssl-example/cert.pem index 96d16bec..8e3001b7 100644 --- a/data/assets/ssl-example/cert.pem +++ b/data/assets/ssl-example/cert.pem 
@@ -1,19 +1,33 @@ -----BEGIN CERTIFICATE----- -MIIDBDCCAe6gAwIBAgIQeJMoL/3dxhxhT9EwuRTL/DALBgkqhkiG9w0BAQswEjEQ -MA4GA1UEChMHbWFpbGNvdzAeFw0xNjEyMTMxMDExMDBaFw0xOTExMjgxMDExMDBa -MC0xEDAOBgNVBAoTB21haWxjb3cxGTAXBgNVBAMTEG1haWwuZXhhbXBsZS5vcmcw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRg0xT3At9DSb3H5OMp3K1 -MpXAgYyotSK6TS61fC0QEHy2fMXiws7Agcye6Ln7CG63Fe1eN2jkdlefy9xJivS8 -y5w0M8i168v5znzC8fnylL2iOiSYfK/B/oEqfU7YH4RcegO53oDDIUZmi4Frgnu7 -39VVOU1ZyHEVqGJ2H2aAIkoZRjGzumD9Ym4LWGidtKJzBgFt/qmhUeWXipM8w281 -XkQnJU79+x2ywnJSvEZ3r/ZVJC7kbjiVw+/k15k9Cxk6Ik8wmJ0X/+xWxoZomHQI -1LM0VKAS/iaU95dn2bplvL6jTiiyWAbrMjSKs4XbPt/fIbOicNkj6+CFy0MVfyyH -AgMBAAGjPzA9MA4GA1UdDwEB/wQEAwIAqDAdBgNVHSUEFjAUBggrBgEFBQcDAgYI -KwYBBQUHAwEwDAYDVR0TAQH/BAIwADALBgkqhkiG9w0BAQsDggEBAI/jBJa1P8nB -eHUN5muQmjBVDVOYyWAAEapOe2HYsBcpjaB2H8Iw3DQzJtz6peYeYSCmHRVqFLCm -VPrq36l9mPUotyPDPlQQAxCj9R2+WbGaJO+N/E1F8FQ94dr3jqwUyfjVPoqEjmIH -NFkvbA0RJOeBm9oYGdhM0wjOBV9c9MTHFG82nQ/zQeTuPb7GXuKIOXYCxoLNOZMw -UJ02Cqjv5ImrgOhcstAKX3Ip0urSvZUGvtPla4CGh+M6yDFJ08GzX6OiMIH207RW -jAbUXXERSUv/7hysdDjGo5HZjCeMzVu9KAxoZXqnmvkk8g2swKWtWBRcoeU1VGx0 -Bx4Q4KMjuYQ= +MIIFszCCA5ugAwIBAgIUK9hVp//3lB80sg1vrIpE7178FqAwDQYJKoZIhvcNAQEL +BQAwaTELMAkGA1UEBhMCREUxDDAKBgNVBAgMA05SVzEQMA4GA1UEBwwHV2lsbGlj +aDEQMA4GA1UECgwHbWFpbGNvdzEQMA4GA1UECwwHbWFpbGNvdzEWMBQGA1UEAwwN +bWFpbC5nbm91cy5mcjAeFw0yMTAzMDIxMTEzMzlaFw0yMjAzMDIxMTEzMzlaMGkx +CzAJBgNVBAYTAkRFMQwwCgYDVQQIDANOUlcxEDAOBgNVBAcMB1dpbGxpY2gxEDAO +BgNVBAoMB21haWxjb3cxEDAOBgNVBAsMB21haWxjb3cxFjAUBgNVBAMMDW1haWwu +Z25vdXMuZnIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCvFtjY5uAH +GAIm2N5c2lXlAW1tCgIQl8+QfM1OsGMEs1svHA0LOtvrWHcBtgG9e/eWQkSRh67m +LAmFy0vY0XO61Fj0dTkXOp4nESs+OQP6p7VZPvQ+v0umlVMvRlgUazynaXtRvUsp +9icQGsTFmPfjP7le3JbjJ/N58rAlTBv3Jxcujbr/QoZEGnX+Jb4mn3FmWM9U+zct +sNiFLsi6mKl2H8a7gwdD783n4t7VHyeOZElzaFfkGGCReUQ2PF9BIjIhM/HvA86N +bB53558liMmn1ctrwDnlr/xJ/pgHfAdZ1kCtyNLQ/X3XrFp2VoEtt4drYb3cb8Jz +uBean8fMBriePs9yqqFIVGZaVUeJqNPm7+F6MOqp78D15q0uxvgTPKHtT/3MFKs9 
+UYnm0xn7wxXf02UZLNJWPus0ALYiD8QufGSksEMy+zX/T+0eKlI62m7g/YU1RIij +ByvgS3AC0hXJPBj5aKzD+DSsrqYr34SGReG+8AuuyUt9/wqSAovmskonpjJ3etxz +1Cer2agUVwP/akVVpfPamHuwlnq2xwJcsT6ykBxc3+wit25nSXf86fxfqK/mm9og +5SCsmAedvsiYEzakOzKl6foB7OzmscFAGVnwdu5p78AxCskwo9EPULbHm/dHsyiM +3YB0Xk2/FykPxeyJPuNo2f5GTZ8YCB7T4QIDAQABo1MwUTAdBgNVHQ4EFgQU1Wkn +Y1tRMJTshNm9O35iZ8UBS2MwHwYDVR0jBBgwFoAU1WknY1tRMJTshNm9O35iZ8UB +S2MwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEACJOsqpuRJOGr +waT/5xm3j6o2CYhZO8n0aRfwvwIQVABuqGVMcbx7GwFt+Gq/afYkxfUObSgu4jAL +QVRwhE72N8RNDxWyJNaOWa1jvRvvTYoDKiMsOONUpgk3tGKYmVQlPaSV2eyQS1t7 +56LB53EvQlb9AVY6T3kODNTmY8yDRA6Ys+ggGZQ5weaud6pFdgMTgfll/GAdPXU2 +3dE/6+dN9mNF6z4jArgC3wJzyeedv85D7bxlXfdz7fw/c1WEPfGdbqqsxX1VZUNJ +l2rhc/6P3wDtQFJKckV2ryLBCn7JD8FtUa3HZLmjO/Leo4gAbJqCDSZvNvP8pPyk +LTt2W67vbHgZFlhUDDGQizEqBsCElIwfJRc/o+s4mVweZLIdhDVU8ZPVRdGqu7B0 +lLsIw0+68JthiweL+6d/skenuEgZdfXWsV+Xy/vUXtelWe09558SrsX3fBhzD8jK ++oTxkN5fX6Bg3lOz+PcIlvgsLSaOgrz9Kfx652l3fh01nKlNXYxqLtOljfiFeKks +eWOPIxHodxWUUzAbO/PM8Nn5q/oJ7Zw4xAlZlNjO6OKq+WgizdQQdCgJvgKlGUYd +AGAqgVf09HBw/CLSXdtGrkMEHzWM0DfYRzQ2MOlvbyu2W08dC7dBGcQNfKKEls9i +FmRXfgDgPxHLt+f3OIn8CfNDlvhKZN4= -----END CERTIFICATE----- diff --git a/data/assets/ssl-example/key.pem b/data/assets/ssl-example/key.pem index cedf35a0..25aeac8b 100644 --- a/data/assets/ssl-example/key.pem +++ b/data/assets/ssl-example/key.pem 
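Review bot: The certificate added in `data/assets/ssl-example/cert.pem` appears to be self-signed (issuer and subject are the same byte string), and its validity field decodes to a notAfter of 2 March 2022, a year before this commit's date. Any service that falls back to this file would present an expired, untrusted certificate; it also appears to carry `CA:TRUE`, which a mail host's leaf certificate should not need. The directory name suggests sample material, so keeping the original example and letting the `certdumper` service from the docker-compose.yml hunk fill `./data/assets/ssl/` looks like the cleaner route.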
@@ -1,27 +1,52 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0YNMU9wLfQ0m9x+TjKdytTKVwIGMqLUiuk0utXwtEBB8tnzF -4sLOwIHMnui5+whutxXtXjdo5HZXn8vcSYr0vMucNDPItevL+c58wvH58pS9ojok -mHyvwf6BKn1O2B+EXHoDud6AwyFGZouBa4J7u9/VVTlNWchxFahidh9mgCJKGUYx -s7pg/WJuC1honbSicwYBbf6poVHll4qTPMNvNV5EJyVO/fsdssJyUrxGd6/2VSQu -5G44lcPv5NeZPQsZOiJPMJidF//sVsaGaJh0CNSzNFSgEv4mlPeXZ9m6Zby+o04o -slgG6zI0irOF2z7f3yGzonDZI+vghctDFX8shwIDAQABAoIBAQC9kiLnIgxXGyZt -pmmYdA6re1jatZ2zLSp+DcY8ul3/0hs195IKCyCOOSQPiR520Pt0t+duP46uYZIJ -aakp9gxaI5Vz+oMacH/AyaBDuDTj1Mf9WMSyIOfbDVCMRJOppGLcVh62+Gfjp2EO -+h2hTJBuvypFkbK2kVIZOaHVpbXWKw1oYuEcTftk9XfxxvfSMw1HQ12/P2CAcbaa -jPmVbisunv6kpXtewSBTcaLSYWJf1MYD5Hi8fzkD2FJSXYbfQd8RKvT2rj6FA7ux -CDMzbYhdnd7lc63OARCIjfCRNtDT1cZ3gR1CQHD98lWxmPQIZukv+w7s/bSrFgnQ -ROZ0ghBJAoGBAOmE/3d5FDmp0aJNxXynKcRGdpEEM4O40RIdqa2eR6Pa7aTRosao -z0qVgdFuJrqjlB3jgedxXEX1M0abCUzzM9Q5F7JLl+KsjwRwpkIOkPiyUncLp7LK -QbY3tvYBIdpjlF1USOMGRL4j11hqr4vQC/yPBF7jj81kCZDTbmZhp82jAoGBAOWu -ql5QFUOlmqkuWIAFkiLEZhOu+ptqkE+zG50CCGMJIX0dJ2PHXFyNGInomAeT0nbI -pbnK3x7KeEKiGrAqZFNCTHhApTwkrIj0L/RQbMDZ7u7j1AEUVNFEhIm62kg84FtG -xtfxVxredE+NQc/tyV3hXegdNZxegALirlcMKIvNAoGAWFwIxk48Ru1o8z72QQqH -lUsMRicOzwK5qV8r+xPvC6MlVL42F3F8rj4QFwzU/r4yp3SUjNyqC5aSRl8Xj9Re -gijwPHi6Cf09SHLPliMo29GtvnnchJxfbPF7+23GP3p6gy4HPk/65u9s5nnH3uFk -B7ad8sGsgg0eSXyXQ4okEn0CgYEAnogPuedGthlxBgMiPMMbmfm7hyyId4t3Ljuu -/JExnsHnpobf8EPjoVIWNOIhRWGnrCtUEEhR9tvDZCKljyDDfKBPTdU496lMmX8K -NnToi7gg7iy84T3aSVMktDgPgDrclMPmbZh8CeSvnVUfrtgu3Ci4+4Rlw5eKffNe -aGDQ/6UCgYAbUq9mRT2WOXIo+Dchi9VzDWgtfOw5VEyqkSpb7hPiIYx5jNaENnVK -cAi3iqbBgPJBuMlTrKmmaxdmssGOEZNJLuuXLDbCU+f5cpu5PQ4crC6UtRI5rlhp -8Yc+oiv3HWbSw3sVRpMFB6NP4DnvgFW3B2Wdfb/lNzPCKWqBsX7gWw== ------END RSA PRIVATE KEY----- +-----BEGIN PRIVATE KEY----- +MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQCvFtjY5uAHGAIm +2N5c2lXlAW1tCgIQl8+QfM1OsGMEs1svHA0LOtvrWHcBtgG9e/eWQkSRh67mLAmF +y0vY0XO61Fj0dTkXOp4nESs+OQP6p7VZPvQ+v0umlVMvRlgUazynaXtRvUsp9icQ 
+GsTFmPfjP7le3JbjJ/N58rAlTBv3Jxcujbr/QoZEGnX+Jb4mn3FmWM9U+zctsNiF +Lsi6mKl2H8a7gwdD783n4t7VHyeOZElzaFfkGGCReUQ2PF9BIjIhM/HvA86NbB53 +558liMmn1ctrwDnlr/xJ/pgHfAdZ1kCtyNLQ/X3XrFp2VoEtt4drYb3cb8JzuBea +n8fMBriePs9yqqFIVGZaVUeJqNPm7+F6MOqp78D15q0uxvgTPKHtT/3MFKs9UYnm +0xn7wxXf02UZLNJWPus0ALYiD8QufGSksEMy+zX/T+0eKlI62m7g/YU1RIijByvg +S3AC0hXJPBj5aKzD+DSsrqYr34SGReG+8AuuyUt9/wqSAovmskonpjJ3etxz1Cer +2agUVwP/akVVpfPamHuwlnq2xwJcsT6ykBxc3+wit25nSXf86fxfqK/mm9og5SCs +mAedvsiYEzakOzKl6foB7OzmscFAGVnwdu5p78AxCskwo9EPULbHm/dHsyiM3YB0 +Xk2/FykPxeyJPuNo2f5GTZ8YCB7T4QIDAQABAoICAQCaSRGwoFGNLrTGspfPTn4e +HFHmockMAhpfgfoQexHmFH4nVxqPaMBd9Eh58345EMItYBu3+c4++VMy2N/vITJP +0crJL3qtY3P1jQWEAQ3mlF4TVIw5tqvdEPyKTfxTkeOSyjpm3t0bDtOBN3Vpgc/+ +KisY0l0Lsiq0rQxW8Wg7M/ETjsTXJjHWVVLgLzYOJrXwsBWTFwOaeZlyUrWC5/98 +Hagrl9yRGwFgcuRU/O0IZorq7Wl1j52Y0zkuaaiuZomyBGoOalZa/Ikks6/jjVPV +V2m3e14Jbjhso7In9j0sBsZb3PkYPCfmIvRcDwIp3O2xzCFX3AuHmRMDqASRXuLS +6Lhe4HxzExw2d7/8v34+SzkqgKb51NyvRTxm4gf4IqbVfyHoXpJ4RphjQHTj5J67 +FN8kag6gaWVuZHse9gBz4l5FkqEd1yvUVYrbxdH/FzmxOPw0YOpRE5xd3Sr8yXgm +/4WN9Ao5jEdfNbTT2a6HfkxZZcXft7pPjIyASv4Qz7sEPDVlRPC3qrpDJS0X2Z4W +Rk2jsxowG12vpyyTD2ylFQaCVImp93zKJfBin2/W280dcfaOgS5VWNj3VysK1GLl +h9BGEBdo2nhRG1o1Ml0CGhgZQ15L22MysgPoBgUW5vZlFQchBGkwyhB+X3afxDiS +2755nRJJFdNsHh09LaL62QKCAQEA5dan2MMKcMmvOAMukvFZ1p8n/IlWrxUH9lHt +urJJ/WM5NqcMKjpmsCy6bix6NVbF3xxybsAJNm9XCkpgLviua20LzdaMlA5N/AxX +CdnDaKorH1pWVKWlT5oIWViekzJZVWtkXGPNIAGuE6hH+QHK7MAqKct4Vzt6/K9a +jvldKXd+DTumEuUxNi+mV0bWh13oFQjfBlJkv2/Llldb7Eq0Bcz9GeLVU0hWwty8 +BjafhqKC79IQtPZRmVbyqWieDGZsmW1pAY2RF+A7nuC/HjctPmXcF+AjHyhaqs5I +D1jv/TDMdccMnu7/esZV1nKKBT+r3Uqf2pOBEzxzbMN0zwvuzwKCAQEAwwTVdHhL +vUwSQBcBST160ds2i0s/SZ1qYS8g48dZpoSyxzMqID5clDjOe+O5vQrzGyaFa2Jp +A3UnFMDD3jDj2yjxy6v1Z6KgyW7q2l6lNEoacEB2PqW6eqoDmBT9ORhK/oQH0UzQ +Vo8zfnhmW8JbQceDy73zIRmUxuJhgRLMtieNfMyTI94hwQZHPipSdx18w81Nz5zo +JdD8UpkQqlRFX8tKr7OlEUBJ34KoHbuz4mpx0ENtO8IrqeEdCtSTKgmcFgLeU+PU +S8LJBzQy8JN+9cD9IuvGPEpJsiVLtXQ1Xc1MH4Ly0N7SvwFl+vlqn+DUefRrb/rf 
+buUQyAuhnUY+TwKCAQEAsBnGRRk72KtPa5VUjBYMhZswohgAqOluTlb71T5h3pm1 +7qATfA9/OqEqvtupT1ELDyXWr/DHnkO05xeRlqvHyFum3bHzyEUlj2dNESkexgUM +QVuQJg89GD6nAv4ZkiLTu9Uq8nctZcajwEAB1VKATuH17EwQCpZyZ0VcF4wMy4bY +t/7qAjRFfoUH6HtISDO1bNh9OXTL6LoZvTl2Hxgl0wP7MWhRlxwoDenezsvvctL1 +jBbh4iWQ4/Jwv0h/QHUB5JSmDiCP+UE/rT36cYZJTjPxbQG5J1heD9057ThxuQc4 +wU0f6G6qpUFt53+fLOJaJpXU4T5/eWOp9L3VtAYqlQKCAQA7ynabP+qQvgr2ZVc6 +mkPWpWwCpu5fZojgBPADhfIhkJuzYSdwPU5rD0OXTkl7ASlp0JSlSMXDjp6NyVAE +Bl9FqTcA59bUkFLVj1En5E6oSnPyqIDYUj1rMEbr0LuWTrFneRlgfTl+4Ga8RrOz +PFJ4R3BL/g/VvR8VHwEf7qCe1F+XvKz8GTWmFYOwNo+T/5FqAr7xgTzXo0xJEq6+ +Whnu9cgPOHfKYziC828RtqO/Lj14ycNqx+xVKDScRnJcOBgH05dQhxBmrfCuab2Y +btBFDodNtpXPlEMmADNHDbry6GeHXcGOclKQxx/6I5AiNm9OeLab3YG1YTuU6aQC +MTAXAoIBAHBXGy9wM+8f2wsP1dgv4aiwuOK8WbbqpjQ/vdCOUxVHxVRrgG/3epsE +jXAuzzERzWSJax4cW3XvB0xzVf3P+6bVbAwUd9dwrKUG1AQ19MuvHJ+S4hXLmu1B ++E5/xyGHJhjbvzSSH8e98mvbv6gQ2s7kmGbY7pCYPuWYIaw54aqDLH0agAjAxC8i +wVK5B8yMyxL//PEPjTQHZx4LIICPkApT6dvvrSNMxVltqgTu/qbvCn+wgpb6snU9 +YhqrcA2tpSrwe4WGMK7Q1+/EGSUKvQy21EuenF2IHxkZYRgWrFDOowib/Paw8WM5 +tCCpMpFrpTx5YHRXKh/2WxLbGzUpbzA= +-----END PRIVATE KEY----- diff --git a/data/conf/postfix/main.cf b/data/conf/postfix/main.cf index ab58874e..7098fcb1 100644 --- a/data/conf/postfix/main.cf +++ b/data/conf/postfix/main.cf @@ -199,3 +199,5 @@ parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks # DO NOT EDIT ANYTHING BELOW # # User overrides # +myhostname = mail.gnous.fr + diff --git a/data/conf/unbound/unbound.conf b/data/conf/unbound/unbound.conf index 27110c04..90c16ee0 100644 --- a/data/conf/unbound/unbound.conf +++ b/data/conf/unbound/unbound.conf @@ -4,7 +4,7 @@ server: interface: ::0 logfile: /dev/console do-ip4: yes - do-ip6: yes + do-ip6: no do-udp: yes do-tcp: yes do-daemonize: no diff --git a/docker-compose.yml b/docker-compose.yml index 962d08d4..ca34479c 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
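Review bot: An unencrypted private key (`-----BEGIN PRIVATE KEY-----`) is now stored in the repository at `data/assets/ssl-example/key.pem`, and the same base64 modulus run appears in the cert.pem hunk, so it is the key for the certificate committed alongside it. Everyone with read access to the history holds this key, which matters because the commit is titled "prod". Treat the key as disclosed: issue a new key pair outside version control and drop this file change. Deleting the file in a later commit does not remove it from history.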
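Review bot: `myhostname = mail.gnous.fr` is added below the `# DO NOT EDIT ANYTHING BELOW #` / `# User overrides #` marker in `data/conf/postfix/main.cf`, a region the file itself marks as not hand-maintained. If that section is regenerated when the container starts (the marker suggests so, but confirm), the line will be overwritten or duplicated, and it hard-codes a hostname that the compose file in this patch already takes from `MAILCOW_HOSTNAME`. Set the value through the project's override mechanism or the environment variable rather than in the tracked main.cf.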
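Review bot: `do-ip6: no` is set while the `interface: ::0` context line in the same `server:` block stays, and the docker-compose.yml hunk in this patch still declares an IPv6 subnet for the mailcow network, so IPv6 is switched off in the resolver only and the file contradicts itself. If the host has no usable IPv6, record that next to the setting, e.g. `# IPv6 disabled: <reason>`, and review the `::0` listener and the compose network together. The `server:` block starts and ends outside this hunk.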
@@ -344,13 +344,39 @@ services: - ./data/conf/rspamd/meta_exporter:/meta_exporter:ro,z - sogo-web-vol-1:/usr/lib/GNUstep/SOGo/:z ports: - - "${HTTPS_BIND:-:}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}" - - "${HTTP_BIND:-:}:${HTTP_PORT:-80}:${HTTP_PORT:-80}" + - "${HTTP_PORT:-80}" restart: always networks: + proxy: mailcow-network: aliases: - nginx + labels: + - traefik.enable=true + - traefik.docker.network=proxy + - traefik.http.middlewares.mail-redirect-websecure.redirectscheme.scheme=https + - traefik.http.routers.mail-http.middlewares=mail-redirect-websecure + - traefik.http.routers.mail-http.rule=Host(`${MAILCOW_HOSTNAME}`) + - traefik.http.routers.mail-http.entrypoints=web + - traefik.http.routers.mail-https.rule=Host(`${MAILCOW_HOSTNAME}`) + - traefik.http.routers.mail-https.entrypoints=websecure + - traefik.http.routers.mail-https.tls=true + - traefik.http.routers.mail-https.tls.certresolver=myhttpchallenge + - traefik.http.services.mail.loadbalancer.server.port=80 + + certdumper: + image: humenius/traefik-certs-dumper + container_name: traefik_certdumper + network_mode: none + volumes: + # mount the folder which contains Traefik's `acme.json' file + # in this case Traefik is started from its own docker-compose in ../traefik + - ${DATA_PATH}/traefik:/traefik:ro + # mount mailcow's SSL folder + - ./data/assets/ssl/:/output:rw + environment: + # only change this, if you're using another domain for mailcow's web frontend compared to the standard config + - DOMAIN=${MAILCOW_HOSTNAME} acme-mailcow: depends_on: @@ -602,6 +628,8 @@ networks: config: - subnet: ${IPV4_NETWORK:-172.22.1}.0/24 - subnet: ${IPV6_NETWORK:-fd4d:6169:6c63:6f77::/64} + proxy: + external: true volumes: vmail-vol-1:
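Review bot: The new `ports:` entry `- "${HTTP_PORT:-80}"` is the short form with no host part, which publishes the container's plain-HTTP port on an ephemeral host port on all interfaces, so the backend stays reachable without passing through Traefik's HTTPS redirect or TLS. Traefik reaches this service over the `proxy` network, so nothing needs publishing: use `expose:` with the same value, or drop the `ports:` key (the service definition starts above the hunk). In `certdumper`, `image: humenius/traefik-certs-dumper` has no tag or digest although the container reads Traefik's `acme.json`, which holds private keys, and writes into mailcow's SSL folder. Pin it, e.g. `image: humenius/traefik-certs-dumper:<pinned-tag>@sha256:<digest>`, and consider mounting only `acme.json` instead of the whole `${DATA_PATH}/traefik` directory, which also has no default if `DATA_PATH` is unset. `network_mode: none` on that service is a sound containment choice and worth keeping.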