|
|
@@ -12,66 +12,62 @@ mailcow uses 3 domain names that should be covered by your new certificate:
|
|
|
|
|
|
This is just an example of how to obtain certificates with certbot. There are several methods!
|
|
|
|
|
|
-1. Get the certbot client:
|
|
|
-
|
|
|
- ```
|
|
|
- wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
|
|
- ```
|
|
|
-
|
|
|
-2. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx: `docker-compose restart nginx-mailcow`.
|
|
|
-
|
|
|
-3. Request the certificate with the webroot method:
|
|
|
-
|
|
|
- ```
|
|
|
- cd /path/to/git/clone/mailcow-dockerized
|
|
|
- source mailcow.conf
|
|
|
- certbot certonly \
|
|
|
- --webroot \
|
|
|
- -w ${PWD}/data/web \
|
|
|
- -d ${MAILCOW_HOSTNAME} \
|
|
|
- -d autodiscover.example.org \
|
|
|
- -d autoconfig.example.org \
|
|
|
- --email you@example.org \
|
|
|
- --agree-tos
|
|
|
- ```
|
|
|
-
|
|
|
-4. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
|
|
-
|
|
|
- ```
|
|
|
- mv data/assets/ssl/cert.{pem,pem.backup}
|
|
|
- mv data/assets/ssl/key.{pem,pem.backup}
|
|
|
- ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
|
|
|
- ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
|
|
- ```
|
|
|
-
|
|
|
-5. Restart affected containers:
|
|
|
-
|
|
|
- ```
|
|
|
- docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
|
|
- ```
|
|
|
+1\. Get the certbot client:
|
|
|
+```
|
|
|
+wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
|
|
|
+```
|
|
|
+
|
|
|
+2\. Make sure you set `HTTP_BIND=0.0.0.0` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then restart Nginx:
|
|
|
+```
|
|
|
+docker-compose restart nginx-mailcow
|
|
|
+```
|
|
|
+
|
|
|
+3\. Request the certificate with the webroot method:
|
|
|
+```
|
|
|
+cd /path/to/git/clone/mailcow-dockerized
|
|
|
+source mailcow.conf
|
|
|
+certbot certonly \
|
|
|
+ --webroot \
|
|
|
+ -w ${PWD}/data/web \
|
|
|
+ -d ${MAILCOW_HOSTNAME} \
|
|
|
+ -d autodiscover.example.org \
|
|
|
+ -d autoconfig.example.org \
|
|
|
+ --email you@example.org \
|
|
|
+ --agree-tos
|
|
|
+```
|
|
|
+
|
|
|
+4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
|
|
|
+```
|
|
|
+mv data/assets/ssl/cert.{pem,pem.backup}
|
|
|
+mv data/assets/ssl/key.{pem,pem.backup}
|
|
|
+ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
|
|
|
+ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
|
|
|
+```
|
|
|
+
|
|
|
+5\. Restart affected containers:
|
|
|
+```
|
|
|
+docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
|
|
|
+```
|
|
|
|
|
|
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
|
|
|
|
|
|
# Rspamd Web UI
|
|
|
At first you may want to setup Rspamds web interface which provides some useful features and information.
|
|
|
|
|
|
-1. Generate a Rspamd controller password hash:
|
|
|
-
|
|
|
- ```
|
|
|
- docker-compose exec rspamd-mailcow rspamadm pw
|
|
|
- ```
|
|
|
-
|
|
|
-2. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
|
|
|
-
|
|
|
- ```
|
|
|
- enable_password = "myhash";
|
|
|
- ```
|
|
|
+1\. Generate a Rspamd controller password hash:
|
|
|
+```
|
|
|
+docker-compose exec rspamd-mailcow rspamadm pw
|
|
|
+```
|
|
|
|
|
|
-3. Restart rspamd:
|
|
|
+2\. Replace the default hash in `data/conf/rspamd/override.d/worker-controller.inc` by your newly generated:
|
|
|
+```
|
|
|
+enable_password = "myhash";
|
|
|
+```
|
|
|
|
|
|
- ```
|
|
|
- docker-compose restart rspamd-mailcow
|
|
|
- ```
|
|
|
+3\. Restart rspamd:
|
|
|
+```
|
|
|
+docker-compose restart rspamd-mailcow
|
|
|
+```
|
|
|
|
|
|
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
|
|
|
|
|
|
@@ -80,61 +76,59 @@ Open https://${MAILCOW_HOSTNAME}/rspamd in a browser and login!
|
|
|
You don't need to change the Nginx site that comes with mailcow: dockerized.
|
|
|
mailcow: dockerized trusts the default gateway IP 172.22.1.1 as proxy. This is very important to control access to Rspamd's web UI.
|
|
|
|
|
|
-1. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
|
|
|
-
|
|
|
- ```
|
|
|
- HTTP_BIND=127.0.0.1
|
|
|
- HTTP_PORT=8080
|
|
|
- HTTPS_PORT=127.0.0.1
|
|
|
- HTTPS_PORT=8443
|
|
|
- ```
|
|
|
-
|
|
|
- Recreate affected containers by running `docker-compose up -d`.
|
|
|
-
|
|
|
-2. Configure your local webserver as reverse proxy:
|
|
|
-
|
|
|
- **Apache 2.4**
|
|
|
- ```
|
|
|
- <VirtualHost *:443>
|
|
|
- ServerName mail.example.org
|
|
|
- ServerAlias autodiscover.example.org
|
|
|
- ServerAlias autoconfig.example.org
|
|
|
-
|
|
|
- [...]
|
|
|
- # You should proxy to a plain HTTP session to offload SSL processing
|
|
|
- ProxyPass / http://127.0.0.1:8080
|
|
|
- ProxyPassReverse / http://127.0.0.1:8080
|
|
|
- ProxyPreserveHost On
|
|
|
- your-ssl-configuration-here
|
|
|
- [...]
|
|
|
-
|
|
|
- # If you plan to proxy to a HTTPS host:
|
|
|
- #SSLProxyEngine On
|
|
|
-
|
|
|
- # If you plan to proxy to an untrusted HTTPS host:
|
|
|
- #SSLProxyVerify none
|
|
|
- #SSLProxyCheckPeerCN off
|
|
|
- #SSLProxyCheckPeerName off
|
|
|
- #SSLProxyCheckPeerExpire off
|
|
|
- </VirtualHost>
|
|
|
- ```
|
|
|
-
|
|
|
- **Nginx**
|
|
|
- ```
|
|
|
- server {
|
|
|
- listen 443;
|
|
|
- server_name mail.example.org autodiscover.example.org autoconfig.example.org;
|
|
|
-
|
|
|
- [...]
|
|
|
- your-ssl-configuration-here
|
|
|
- location / {
|
|
|
- proxy_pass http://127.0.0.1:8080;
|
|
|
- proxy_set_header Host $host;
|
|
|
- proxy_set_header X-Real-IP $remote_addr;
|
|
|
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
- proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
- }
|
|
|
- [...]
|
|
|
+1\. Make sure you change HTTP_BIND and HTTPS_BIND in `mailcow.conf` to a local address and set the ports accordingly, for example:
|
|
|
+```
|
|
|
+HTTP_BIND=127.0.0.1
|
|
|
+HTTP_PORT=8080
|
|
|
+HTTPS_PORT=127.0.0.1
|
|
|
+HTTPS_PORT=8443
|
|
|
+```
|
|
|
+
|
|
|
+Recreate affected containers by running `docker-compose up -d`.
|
|
|
+
|
|
|
+2\. Configure your local webserver as reverse proxy:
|
|
|
+**Apache 2.4**
|
|
|
+```
|
|
|
+<VirtualHost *:443>
|
|
|
+ ServerName mail.example.org
|
|
|
+ ServerAlias autodiscover.example.org
|
|
|
+ ServerAlias autoconfig.example.org
|
|
|
+
|
|
|
+ [...]
|
|
|
+ # You should proxy to a plain HTTP session to offload SSL processing
|
|
|
+ ProxyPass / http://127.0.0.1:8080
|
|
|
+ ProxyPassReverse / http://127.0.0.1:8080
|
|
|
+ ProxyPreserveHost On
|
|
|
+ your-ssl-configuration-here
|
|
|
+ [...]
|
|
|
+
|
|
|
+ # If you plan to proxy to a HTTPS host:
|
|
|
+ #SSLProxyEngine On
|
|
|
+
|
|
|
+ # If you plan to proxy to an untrusted HTTPS host:
|
|
|
+ #SSLProxyVerify none
|
|
|
+ #SSLProxyCheckPeerCN off
|
|
|
+ #SSLProxyCheckPeerName off
|
|
|
+ #SSLProxyCheckPeerExpire off
|
|
|
+</VirtualHost>
|
|
|
+```
|
|
|
+
|
|
|
+**Nginx**
|
|
|
+```
|
|
|
+server {
|
|
|
+ listen 443;
|
|
|
+ server_name mail.example.org autodiscover.example.org autoconfig.example.org;
|
|
|
+
|
|
|
+ [...]
|
|
|
+ your-ssl-configuration-here
|
|
|
+ location / {
|
|
|
+ proxy_pass http://127.0.0.1:8080;
|
|
|
+ proxy_set_header Host $host;
|
|
|
+ proxy_set_header X-Real-IP $remote_addr;
|
|
|
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
+ proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
}
|
|
|
- ```
|
|
|
+ [...]
|
|
|
+}
|
|
|
+```
|
|
|
|
andryyy