Some last changes

master
andryyy 2016-12-12 21:53:58 +01:00
parent 64d92e504a
commit 5e883b6f51
22 changed files with 84 additions and 160 deletions

2
.gitignore vendored
View File

@ -1,4 +1,6 @@
data/db/mysql/* data/db/mysql/*
data/assets/ssl/*
!data/assets/ssl/.empty
!data/db/mysql/.mysql_data !data/db/mysql/.mysql_data
data/db/redis/* data/db/redis/*
!data/db/redis/.redis_data !data/db/redis/.redis_data

16
000-build-certs.sh 100755
View File

@ -0,0 +1,16 @@
#!/bin/bash
. mailcow.conf
openssl dhparam -out data/assets/ssl/dhparams.pem 2048
docker run \
--rm \
-v ${PWD}/data/assets/ssl:/certs \
ehazlett/certm \
-d /certs ca generate -o=mailcow
docker run \
--rm \
-v ${PWD}/data/assets/ssl:/certs \
ehazlett/certm \
-d /certs client generate --common-name=${MAILCOW_HOSTNAME} -o=mailcow

View File

@ -25,12 +25,9 @@ else
build build
fi fi
sed -i "s#allow-from.*#allow-from=127.0.0.0/8 ${DOCKER_SUBNET}#" data/conf/pdns/recursor.conf
docker run \ docker run \
-v ${PWD}/data/conf/pdns/:/etc/powerdns/ \ -v ${PWD}/data/conf/pdns/:/etc/powerdns/ \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
--network-alias pdns \
-h pdns \ -h pdns \
--name ${NAME} \ --name ${NAME} \
-d pdns -d pdns

View File

@ -83,12 +83,11 @@ fi
docker run \ docker run \
-v ${PWD}/data/db/mysql/:/var/lib/mysql/ \ -v ${PWD}/data/db/mysql/:/var/lib/mysql/ \
-v ${PWD}/data/conf/mysql/:/etc/mysql/conf.d/ \ -v ${PWD}/data/conf/mysql/:/etc/mysql/conf.d/:ro \
-v ${PWD}/data/assets/mysql:/assets \ -v ${PWD}/data/assets/mysql:/assets:ro \
--name=${NAME} \ --name=${NAME} \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
-h mysql \ -h mysql \
--network-alias mysql \
-e MYSQL_ROOT_PASSWORD=${DBROOT} \ -e MYSQL_ROOT_PASSWORD=${DBROOT} \
-e MYSQL_DATABASE=${DBNAME} \ -e MYSQL_DATABASE=${DBNAME} \
-e MYSQL_USER=${DBUSER} \ -e MYSQL_USER=${DBUSER} \

View File

@ -34,6 +34,5 @@ docker run \
-v ${PWD}/data/db/redis/:/data/ \ -v ${PWD}/data/db/redis/:/data/ \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
-h redis \ -h redis \
--network-alias redis \
--name=${NAME} \ --name=${NAME} \
-d redis:${REDISVERS} --appendonly yes -d redis:${REDISVERS} --appendonly yes

View File

@ -32,15 +32,14 @@ else
fi fi
docker run \ docker run \
-v ${PWD}/data/conf/rspamd/override.d/:/etc/rspamd/override.d/ \ -v ${PWD}/data/conf/rspamd/override.d/:/etc/rspamd/override.d/ro \
-v ${PWD}/data/conf/rspamd/local.d/:/etc/rspamd/local.d/ \ -v ${PWD}/data/conf/rspamd/local.d/:/etc/rspamd/local.d/ro \
-v ${PWD}/data/conf/rspamd/lua/:/etc/rspamd/lua/ \ -v ${PWD}/data/conf/rspamd/lua/:/etc/rspamd/lua/:ro \
-v ${PWD}/data/dkim/txt/:/etc/rspamd/dkim/txt/:ro \ -v ${PWD}/data/dkim/txt/:/etc/rspamd/dkim/txt/:ro \
-v ${PWD}/data/dkim/keys/:/etc/rspamd/dkim/keys/:ro \ -v ${PWD}/data/dkim/keys/:/etc/rspamd/dkim/keys/:ro \
--dns=${PDNS_IP} \ --dns=${PDNS_IP} \
--dns-search=${DOCKER_NETWORK} \ --dns-search=${DOCKER_NETWORK} \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
--network-alias rspamd \
-h rspamd \ -h rspamd \
--name ${NAME} \ --name ${NAME} \
-d rspamd -d rspamd

View File

@ -22,10 +22,12 @@ docker run \
-v ${PWD}/data/conf/rspamd/dynmaps:/dynmaps:ro \ -v ${PWD}/data/conf/rspamd/dynmaps:/dynmaps:ro \
-v ${PWD}/data/dkim/:/shared/dkim/ \ -v ${PWD}/data/dkim/:/shared/dkim/ \
-d --network=${DOCKER_NETWORK} \ -d --network=${DOCKER_NETWORK} \
--name ${NAME} --network-alias phpfpm -h phpfpm php:${PHPVERS} --name ${NAME} \
-h phpfpm \
php:${PHPVERS}
echo "Installing intl and mysql pdo extension..." echo "Installing intl and mysql pdo extension..."
docker exec ${NAME} /bin/bash -c "apt-get update && apt-get install -y zlib1g-dev libicu-dev g++ libidn11-dev dovecot-core" docker exec ${NAME} /bin/bash -c "apt-get update && apt-get install -y zlib1g-dev libicu-dev g++ libidn11-dev"
docker exec ${NAME} docker-php-ext-configure intl pdo pdo_mysql docker exec ${NAME} docker-php-ext-configure intl pdo pdo_mysql
docker exec ${NAME} docker-php-ext-install intl pdo pdo_mysql docker exec ${NAME} docker-php-ext-install intl pdo pdo_mysql
echo "Restarting container..." echo "Restarting container..."

View File

@ -31,7 +31,6 @@ docker run \
-v ${PWD}/data/assets/ssl/:/etc/ssl/mail/:ro \ -v ${PWD}/data/assets/ssl/:/etc/ssl/mail/:ro \
-v ${PWD}/data/conf/nginx/:/etc/nginx/conf.d/:ro \ -v ${PWD}/data/conf/nginx/:/etc/nginx/conf.d/:ro \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
--network-alias nginx \
-h nginx \ -h nginx \
-d nginx:${NGINXVERS} -d nginx:${NGINXVERS}

View File

@ -26,9 +26,8 @@ else
fi fi
docker run \ docker run \
-v ${PWD}/data/conf/rmilter/:/etc/rmilter.conf.d/ \ -v ${PWD}/data/conf/rmilter/:/etc/rmilter.conf.d/:ro \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
--network-alias rmilter \
-h rmilter \ -h rmilter \
--name ${NAME} \ --name ${NAME} \
-d rmilter -d rmilter

View File

@ -21,6 +21,5 @@ fi
docker run \ docker run \
--network=${DOCKER_NETWORK} \ --network=${DOCKER_NETWORK} \
-h memcached \ -h memcached \
--network-alias memcached \
--name=${NAME} \ --name=${NAME} \
-d memcached -d memcached

View File

@ -7,22 +7,22 @@ All configurations were written with security in mind.
### Exposed ports: ### Exposed ports:
| Service | External bindings | Internal bindings | | Service | Hostname, Alias | External bindings | Internal bindings |
|:----------------------|:---------------------------------------------|:-------------------------------| |:-------------|:-------------------------------|:---------------------------------------------|:-------------------------------|
| Postfix | 25/tcp, 465/tcp, 587/tcp | 588/tcp | | Postfix | ${MAILCOW_HOSTNAME}, postfix | 25/tcp, 465/tcp, 587/tcp | 588/tcp |
| Dovecot | 110/tcp, 143/tcp, 993/tcp, 995/tcp, 4190/tcp | 24/tcp, 10001/tcp | | Dovecot | ${MAILCOW_HOSTNAME}, dovecot | 110/tcp, 143/tcp, 993/tcp, 995/tcp, 4190/tcp | 24/tcp, 10001/tcp |
| Nginx | 443/tcp | 80/tcp, 8081/tcp | | Nginx | nginx | 443/tcp | 80/tcp, 8081/tcp |
| PowerDNS Recursor | - | 53/udp | | PowerDNS | pdns | - | 53/udp |
| Rspamd | - | 11333/tcp, 11334/tcp | | Rspamd | rspamd | - | 11333/tcp, 11334/tcp |
| MariaDB | - | 3306/tcp | | MariaDB | mysql | - | 3306/tcp |
| Rmilter | - | 9000/tcp | | Rmilter | rmilter | - | 9000/tcp |
| PHP FPM | - | 9000/tcp | | PHP FPM | phpfpm | - | 9000/tcp |
| SOGo | - | 9000/tcp | | SOGo | sogo | - | 9000/tcp |
| Redis | - | 6379/tcp | | Redis | redis | - | 6379/tcp |
| Memcached | - | 11211/tcp | | Memcached | memcached | - | 11211/tcp |
All containers share a network ${MAILCOW_NETWORK} (name can be changed, but remove all containers and rebuild them after changing).
All containers share a network "mailcow-network" (name can be changed, but remove all containers and rebuild them after changing). IPs are dynamic and taken from subnet ${DOCKER_SUBNET}.
## Installation ## Installation
@ -59,16 +59,8 @@ docker restart rspamd-mailcow
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser. Open https://${MAILCOW_HOSTNAME}/rspamd in a browser.
### SSL (or: How to use Let's Encrypt) ### SSL (and: How to use Let's Encrypt)
mailcow dockerized comes with a self-signed certificate. Certificates and DH parameters are saved as `data/assets/ssl/{dhparams.pem,mail.{crt,key}}`. mailcow dockerized generates a CA named "mailcow" with a self-signed server certificate in `data/assets/ssl` via `000-build-certs.sh`.
First you should renew the DH parameters.
Soem say you should use 4096, but be prepared for a long waiting period when generating such a file.
Assuming you are in the mailcow root folder:
```
openssl dhparam -out ./data/assets/ssl/dhparams.pem 2048
```
Get the certbot client: Get the certbot client:
``` ```
@ -87,8 +79,8 @@ certbot-auto certonly \
Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder: Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
``` ```
mv data/assets/ssl/mail.{crt,crt_old} mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/mail.{key,key_old} mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/mail.crt ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/mail.crt
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/mail.key ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/mail.key
``` ```
@ -113,11 +105,11 @@ When renewing certificates, run the last two steps (link + restart) as post-hook
No persistent data is deleted at any time. No persistent data is deleted at any time.
If an image exists, you will be asked wether or not to repull/rebuild it. If an image exists, you will be asked wether or not to repull/rebuild it.
Build files are numbered "nnn" for dependencies.
### Logs ### Logs
You can use docker logs $name for almost all containers. Only rmilter does not log to stdout. You can check rspamd logs for rmilter reponses. You can use docker logs $name for almost all containers. Only rmilter does not log to stdout. You can check rspamd logs for rmilter responses.
When a process dies, the container dies, too. Except for Postfix' container.
### MariaDB ### MariaDB

View File

View File

@ -1,8 +0,0 @@
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEAytfW/P+fV4BLTcJhlHG49Vq7hQrmyUPP+NZ/6MUIG8FNlFaXxbFl
NtarS/gfOpj+Q5LhS91gToQOqJIij03Jr7t3PdUkkDuIs11y5Ux6zsEQdBhok+yY
tYvdYT4lbex1dLX36u/tn2VnPdh2jLltRjWN2jiUxjh/O+vXtfej8u4Rc2oOOOFS
f0e2Ye2WeWXvQlhkcGu87kKIqklxbjmqVtE1fx5Ydvrl1P/HQiCq4YQLIx5skgQn
e4LyvBdiuA44v1WhXSa0Lb4PcXUQcGhesGJZ/A3M1K/h/ZO47oUyL93odyAO8x3e
mLHHsOWAh5MGO0ID2jANwuziri5LEeW4+wIBAg==
-----END DH PARAMETERS-----

View File

@ -1,32 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIFezCCA2OgAwIBAgIJALl64rYl1fjjMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV
BAYTAkRFMQwwCgYDVQQIDANOUlcxCzAJBgNVBAcMAktSMRIwEAYDVQQKDAlTZXJ2
ZXJjb3cxFjAUBgNVBAMMDW1haWxjb3cubG9jYWwwHhcNMTYxMjA4MjEzMDM2WhcN
MjYxMjA2MjEzMDM2WjBUMQswCQYDVQQGEwJERTEMMAoGA1UECAwDTlJXMQswCQYD
VQQHDAJLUjESMBAGA1UECgwJU2VydmVyY293MRYwFAYDVQQDDA1tYWlsY293Lmxv
Y2FsMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvd/79BmtXZcgzwJw
8i76C8e0waehYypibOkBqnFi4bF6Q7mhB1j/bA4LmXG4UpcX7ULlDozzaM7Hfi9Q
v1STYR/S9ShXZNStwDYibOa1q/FG+b4qTjtFiWBW8wH/XxIv6JHX8/IjqwHIs/3B
EVEl0LEs1RdNMKgSEJ9wbK3q+0pOvw9B6FnhCE2414SE1e7wYL50+NaKTHQcbft3
ZcRGDTEh4euRKMmVTrBwmpYnNtiljJvHU4F9cdAFg8ZailwJerod1VXB93YX3Jtc
qRQ9akNjFzLQ/6a4PhKAB8uaStEzri0yBdp+O0Qs/tbloAArAJW3dgE7Omxzso79
Du4idDHyRmcLu5rsQzST+7kwaCHHWQ4c2mjlhibICGMUzwks39s1QI8CtjmU6AIy
7F/XpYAJ70Fl7qy99ugrz8X50cPBFtLTYX18wZTUjl/s4qy+JPvUBt2MALPj/YnR
fXck/emkwscmE1UhaycMW4U21/+5gOhWpFIBCKWnsvRn0SHi7lUzuWBnXvL5tmrA
gsaFrm/L2JhW2WerZ61UpOVookYtUbk4Hr+Pq6yTgJShUw2i/B71Qr173PIxRV7u
1qJeOWY3UMPLcfiAnEZFAo7cfLRvqZmHiNp6lALdmoiWllnVvzcRwR/DBvg4gaFt
R6FeLDArhCdu04WENTd5E3XHRrUCAwEAAaNQME4wHQYDVR0OBBYEFFBMhsQlfxCI
1GaT1ZGvGheUOGRkMB8GA1UdIwQYMBaAFFBMhsQlfxCI1GaT1ZGvGheUOGRkMAwG
A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBADujbXk9XVhkF6/WVTxANXVB
tpIojCPEsXYqEhvMGtDGfqd8sJlEWM0vmuUvM52G7ULMf8aVfiOhLUkEFWpadL9v
/uZ8EPUc+ZWxxBOEnJbszqrxs94u7K9dxmQnL1rjrW1UtkrT0ptuzJBBQcjdicwe
VIl5Cn/eq+mkKZRVlctGtD4r1z8u5rUHoOE4RCOU5mfSafu15zzwiglh9wLuuXHC
bi7Onau9gB1EfmhZwUAL2xZZwvlNGRc6Dz1LG+OXVIOgRHeyfnZQa1ErC4FY5J0Y
NR+KT7JQW9zivyu0MsV3E2J7GzRAywKyP0m/F/qHJFWxPymILAyWVUlwtJswR5sE
bT19zPeajrVrbpUMtQv3FhFObtSyw/eI/yRWUuhBapkk95DWl7OkffkQ5OUHG+fs
QWj1d2Mdhf+jkpgqyL1DyPILsG7ADT0dL/3kZoJf1wjeqNfW3dDo0Ex9DlbznP2h
ldnMeIQYuyNBqzNfaZGW2WManwHWtASV2Hn76QMVrMfLDnf3RRdEUplW3fsIfLQ0
f2YVunLJNvll+2QGdCkmJUbLEvvvWmz0Ve+RalGtKi+VTd2I3u4fvFsAXad48wwq
oK5xd6Se0MsTkcOukaPEkggjffmITyg5Hpqmg1yBSoaH5D/wujTy9X3QcQA30fU/
ttoPblK2hlItcK4hHnkK
-----END CERTIFICATE-----

View File

@ -1,51 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAvd/79BmtXZcgzwJw8i76C8e0waehYypibOkBqnFi4bF6Q7mh
B1j/bA4LmXG4UpcX7ULlDozzaM7Hfi9Qv1STYR/S9ShXZNStwDYibOa1q/FG+b4q
TjtFiWBW8wH/XxIv6JHX8/IjqwHIs/3BEVEl0LEs1RdNMKgSEJ9wbK3q+0pOvw9B
6FnhCE2414SE1e7wYL50+NaKTHQcbft3ZcRGDTEh4euRKMmVTrBwmpYnNtiljJvH
U4F9cdAFg8ZailwJerod1VXB93YX3JtcqRQ9akNjFzLQ/6a4PhKAB8uaStEzri0y
Bdp+O0Qs/tbloAArAJW3dgE7Omxzso79Du4idDHyRmcLu5rsQzST+7kwaCHHWQ4c
2mjlhibICGMUzwks39s1QI8CtjmU6AIy7F/XpYAJ70Fl7qy99ugrz8X50cPBFtLT
YX18wZTUjl/s4qy+JPvUBt2MALPj/YnRfXck/emkwscmE1UhaycMW4U21/+5gOhW
pFIBCKWnsvRn0SHi7lUzuWBnXvL5tmrAgsaFrm/L2JhW2WerZ61UpOVookYtUbk4
Hr+Pq6yTgJShUw2i/B71Qr173PIxRV7u1qJeOWY3UMPLcfiAnEZFAo7cfLRvqZmH
iNp6lALdmoiWllnVvzcRwR/DBvg4gaFtR6FeLDArhCdu04WENTd5E3XHRrUCAwEA
AQKCAgEArhCYOb8QX6wcN6pVQLAwKnx6CM5T9UT11kIFdOtdaun42/1g0guUnMqD
d7f48j3xgWDB/ATbYEmwOM3HiJ9QPMmf63+AHr+aSYtXI96czXPzTSA4SF+t77KS
A1Thd5aEtQB+qPRiHnMUO211gRqTQC4sm20xJlntta90sSz/Lj+A0UZ7dTZwRdx6
h5jE7hqN4yK2uSh0wIHxTiIp4vF8Brv0A9igynOCnRDDKfRdHrqdibmFkdgz2BKL
+7HrbsvRJOFaWCi2GNX6KhODbr1PUAtW2/2J+9QrMzxigsL0P4JpjlOAeD1FW6+0
UCtRdsywn2ihN10JnxWtOxQ6iWVlzut52uDnwUa09GThSVnurJihV9mSWyk9lNuy
0kILtSmYn6UbokOgmfjH0E2Ks1qbskD8GlI9g/wkhs5YC+ZYW2MP9FG39n4/QSnk
boOTqht8JylWPVyzmvvcRf5nfEOZ5mF82L28Y/OfPn0gakYARxn1EnzpguF3ffFD
NEn9lWzEAbldlnDslzi6YPOeyQwA6iLCesag5LSGdADrM7kAGHksJggeUb02BSd6
Nmy6MVMF6tzQYdaqgKXoqKs5nRJLZR1k70ftju2UNWEN24aUd6U2lDOlkaYoucSk
NohTUKXX0dibSGd9eU7hCNS75YoG1x2gCEOatVelG4EZQfIU/EECggEBAN6gBjv4
kDuIZ1wk0BBt/ijARH8FAzHm0hr8oyWpq6Sdrq5y9iAbvFNwEXJ/ft6NNcCF9maT
e5oG5NpoaV0FN5W8qQ8rGnESV/fZOxJEr1yJPEq4yDIspHEXkBjvTgYWjuXRve9n
NtsSv1crRFxW5IizPkZklbJUZD7oH5iHB15UGfdpKr5Fx3JpsaXht3dMEJ4YQetF
Mr9jcBGwYCYmlWgpKkD+HadgjbNdG4ztKTFEU7/ElEIIR86IDcqJsz0XsmZIjwUU
3lsPhVo8Km8ohvGA/WqAaf6ebN9PXjiUFXfjHlveHPTtrd5MCutnxUk0kY4/srmB
5avH3bxXbKiufiMCggEBANpXEGY9f020vHFUC0vNOeCym8XuXqFyvx6Cl6tTlj8S
dZCWoHljnJg2HbbJcdh92rri9f+ahNNpZ9/0PQi9yBThWt9aP90Tw3+BhxUyvlPL
FsFX5IdNq403Ls9iyZuj1Rf9lc65d9lr7TVC5CMI7+BN3CftjvOw3yGucJno+MLW
AvENx3+NnZ2Hy9nNJp54lbDJe8anP57kvDIKcbmmvVW2ktQKcZqAyBUq0E8mOtkz
66ZRV+/pSnwugb0Eols3s54OvtOoGBnq1r8GVhf/x23J0UvBoHqqURQFJ5oTKxQW
zAJ7suGn3xUKBOatypXgg8ZL67rQqo0PxoNK0RcJuUcCggEAHWrf6ATMalF39wEW
TVV7hD8DzhUHewyZLt+7XzqwZ6w+bObcBxojJJNmes7GIPpf4/TPvnY2mv/WNdYe
NiB+W9b2L/7uG4rk/OdDmwJgecXYpbcNHTQw9pC6hdD5amyIrW2tv3jQEtrDVe1t
txX0VOv6iqq37Tyhkn5xzmHpY1mRpNPMxh/KXyAATX8qEyWF/J4P99rI/elR4cSA
sAnhLEZkQvpRSNDFaLIg9dpQ2yXAO1LqlF8rverUh7LycFw1QrbLz0wWpcnDQU05
/j5Itpjo463cU7zzff6q4KcQvyrP1Cvhf6v4katSthCcTTQZF8brAwBbLPvYHQ8g
WJnWKQKCAQAVJ8ZxAZhqIQ75NBl8GMB44xVw0i3dGs8l16V2djzik5lMjyuxV1N+
9A9g/JfJUDh3TzJit8gS6+2ip3madTkDvOofJhF2DEou+o/qH+aNG+pyhV+hNIdg
wW4Jrhq2t+MX1fxD8XiJWom7VWXhdyY255RjUgM93W9hRhOm9gnUZwQV8y3XUBNr
hhLcYaJSTIDEhmE12FKzxJnvh0+Jm3xQ58XGQdTMEZpRYrqYUK33Ca7ViKAqoMIU
0jTD6cUJbZY7xFX9EBZ1vGleTPDelmvuWVWsL3CrMgF1HSK/LQhJhAP0YaPtdWSK
F1RuPXyZlQ1vkz+d9EXyMQsdAYzM3KZVAoIBAF0gvM4fY0EvSDKevWnZtLyINHZV
TC2HhElAREmblbziQ1GO00nCw+RXYmA7fMHuMNnHMcB/QubpMQxEPetAbtcX9jXW
iBNIpHTQwNWBe+IGd1I7n6FA6Cqis4tdNFmaWxXv1aMpzU7K/aVcO3sK3SsjSy6A
4bDJ9mlGCnIv5zc1on3lpMARBUGRF8mAQ6ejMuUjubtPa8cSUhUv3hoH0xG9bLJh
0VDZ6bZ7QFLpNxFUlX7muSj8DNsjR77TBuN+Buk+pI68GDl6177Gm6UkZRYx4yi5
xFCP9932L2tufcQaRsiIHdNEFAGMMPe2M22DUmSI0cSNgx4xKuLGJI4PkTM=
-----END RSA PRIVATE KEY-----

View File

@ -183,8 +183,8 @@ service lmtp {
user = vmail user = vmail
} }
listen = *,[::] listen = *,[::]
ssl_cert = </etc/ssl/mail/mail.crt ssl_cert = </etc/ssl/mail/cert.pem
ssl_key = </etc/ssl/mail/mail.key ssl_key = </etc/ssl/mail/key.pem
userdb { userdb {
args = /etc/dovecot/sql/dovecot-mysql.conf args = /etc/dovecot/sql/dovecot-mysql.conf
driver = sql driver = sql

View File

@ -1,8 +1,8 @@
server { server {
listen 443; listen 443;
ssl on; ssl on;
ssl_certificate /etc/ssl/mail/mail.crt; ssl_certificate /etc/ssl/mail/cert.pem;
ssl_certificate_key /etc/ssl/mail/mail.key; ssl_certificate_key /etc/ssl/mail/key.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

View File

@ -1,4 +1,4 @@
allow-from=127.0.0.0/8 172.18.0.0/16 allow-from=127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
config-dir=/etc/powerdns config-dir=/etc/powerdns
daemon=no daemon=no
disable-syslog=yes disable-syslog=yes

View File

@ -1,7 +1,7 @@
biff = no biff = no
append_dot_mydomain = no append_dot_mydomain = no
smtpd_tls_cert_file = /etc/ssl/mail/mail.crt smtpd_tls_cert_file = /etc/ssl/mail/cert.pem
smtpd_tls_key_file = /etc/ssl/mail/mail.key smtpd_tls_key_file = /etc/ssl/mail/key.pem
smtpd_use_tls=yes smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
@ -45,8 +45,8 @@ relay_domains = proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf
sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_out_policy.cf sender_dependent_default_transport_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_enforce_out_policy.cf
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/mail/mail.crt smtp_tls_cert_file = /etc/ssl/mail/cert.pem
smtp_tls_key_file = /etc/ssl/mail/mail.key smtp_tls_key_file = /etc/ssl/mail/key.pem
smtp_tls_loglevel = 1 smtp_tls_loglevel = 1
smtp_dns_support_level = dnssec smtp_dns_support_level = dnssec
smtp_tls_security_level = dane smtp_tls_security_level = dane

View File

@ -1,12 +1,7 @@
<?php <?php
function hash_password($password) { function hash_password($password) {
$salt_str = bin2hex(openssl_random_pseudo_bytes(8)); $salt_str = bin2hex(openssl_random_pseudo_bytes(8));
if ($GLOBALS['HASHING'] == "SHA512-CRYPT") { return "{SSHA256}".base64_encode(hash('sha256', $password.$salt_str, true).$salt_str);
return "{SHA512-CRYPT}".crypt($password, '$6$'.$salt_str.'$');
}
else {
return "{SSHA256}".base64_encode(hash('sha256', $password.$salt_str, true).$salt_str);
}
} }
function hasDomainAccess($username, $role, $domain) { function hasDomainAccess($username, $role, $domain) {
global $pdo; global $pdo;
@ -37,6 +32,23 @@ function hasDomainAccess($username, $role, $domain) {
} }
return false; return false;
} }
function verify_ssha256($password, $hash) {
// Remove tag if any
$hash = ltrim($hash, '{SSHA256}');
// Decode hash
$dhash = base64_decode($hash);
// Get first 32 bytes of binary which equals a SHA256 hash
$ohash = substr($dhash, 0, 32);
// Remove SHA256 hash from decoded hash to get original salt string
$osalt = str_replace($ohash, '', $dhash);
// Check single salted SHA256 hash against extracted hash
if (hash('sha256', $password . $osalt, true) == $ohash) {
return true;
}
else {
return false;
}
}
function doveadm_authenticate($hash, $algorithm, $password) { function doveadm_authenticate($hash, $algorithm, $password) {
$descr = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w')); $descr = array(0 => array('pipe', 'r'), 1 => array('pipe', 'w'), 2 => array('pipe', 'w'));
$pipes = array(); $pipes = array();
@ -76,7 +88,7 @@ function check_login($user, $pass) {
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) { foreach ($rows as $row) {
if (doveadm_authenticate($row['password'], $GLOBALS['HASHING'], $pass) !== false) { if (verify_ssha256($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']); unset($_SESSION['ldelay']);
return "admin"; return "admin";
} }
@ -88,7 +100,7 @@ function check_login($user, $pass) {
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) { foreach ($rows as $row) {
if (doveadm_authenticate($row['password'], $GLOBALS['HASHING'], $pass) !== false) { if (doveadm_authenticate($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']); unset($_SESSION['ldelay']);
return "domainadmin"; return "domainadmin";
} }
@ -99,7 +111,7 @@ function check_login($user, $pass) {
$stmt->execute(array(':user' => $user)); $stmt->execute(array(':user' => $user));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) { foreach ($rows as $row) {
if (doveadm_authenticate($row['password'], $GLOBALS['HASHING'], $pass) !== false) { if (doveadm_authenticate($row['password'], $pass) !== false) {
unset($_SESSION['ldelay']); unset($_SESSION['ldelay']);
return "user"; return "user";
} }

View File

@ -31,6 +31,4 @@ $DEFAULT_LANG = "en";
// See https://bootswatch.com/ // See https://bootswatch.com/
$DEFAULT_THEME = "lumen"; $DEFAULT_THEME = "lumen";
$HASHING = "SSHA256";
?> ?>

View File

@ -2,9 +2,11 @@
. mailcow.conf . mailcow.conf
if [[ -z $(which ss) ]]; then echo "Please install the ss util first."; exit 1; fi
for port in ${SMTP_PORT} ${SMTPS_PORT} ${SUBMISSION_PORT} ${IMAP_PORT} ${IMAPS_PORT} ${POP_PORT} ${POPS_PORT} ${SIEVE_PORT} 443; do for port in ${SMTP_PORT} ${SMTPS_PORT} ${SUBMISSION_PORT} ${IMAP_PORT} ${IMAPS_PORT} ${POP_PORT} ${POPS_PORT} ${SIEVE_PORT} 443; do
if [[ ! -z $(ss -tlnp "( sport = :$port )" 2> /dev/null | grep LISTEN | grep -vi docker) ]]; then if [[ ! -z $(ss -tlnp "( sport = :$port )" 2> /dev/null | grep LISTEN | grep -vi docker) ]]; then
echo "Port $port is in use by other process." echo "Port $port is in use by another process."
err=1 err=1
fi fi
done done