From 7676fe2dd2e86767ff847406cdc26a4426192937 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 20 Apr 2017 21:12:59 +0200 Subject: [PATCH] New index, Fail2ban setup --- docs/first_steps.md | 78 +++++++++++++++++++++++++++++++++++++++++++++ docs/index.md | 5 ++- 2 files changed, 82 insertions(+), 1 deletion(-) diff --git a/docs/first_steps.md b/docs/first_steps.md index ab7876dc..22e4f192 100644 --- a/docs/first_steps.md +++ b/docs/first_steps.md 
@@ -158,6 +158,84 @@ docker-compose exec postfix-mailcow chmod 660 /opt/postfix/conf/smarthost_passwd docker-compose exec postfix-mailcow postfix reload ``` +## Optional: Log to Syslog + +Enable Rsyslog to receive logs on 524/tcp: + +``` +# This setting depends on your Rsyslog version and configuration format. +# For most Debian derivates it will work like this... +$ModLoad imtcp +$TCPServerAddress 127.0.0.1 +$InputTCPServerRun 524 + +# ...while for Ubuntu 16.04 it looks like this: +module(load="imtcp") +input(type="imtcp" address="127.0.0.1" port="524") + +# No matter your Rsyslog version, you should set this option to off +# if you plan to use Fail2ban +$RepeatedMsgReduction off +``` + +Restart rsyslog after enabling the TCP listener. + +Now setup Docker daemon to start with the syslog driver. +This enables the syslog driver for all containers! + +Debian users can change the startup configuration in `/etc/default/docker` while CentOS users find it in `/etc/sysconfig/docker`: +``` +... +DOCKER_OPTS="--log-driver=syslog --log-opt syslog-address=tcp://127.0.0.1:524" +... +``` + +**Caution:** For some reason Ubuntu 16.04 and some, but not all, systemd based distros do not read the defaults file parameters. + +Just run `systemctl edit docker.service` and add the following content to fix it. + +**Note:** If "systemctl edit" is not available, just copy the content to `/etc/systemd/system/docker.service.d/override.conf`. + +The first empty ExecStart parameter is not a mistake. + +``` +[Service] +EnvironmentFile=/etc/default/docker +ExecStart= +ExecStart=/usr/bin/docker daemon -H fd:// $DOCKER_OPTS +``` + +Restart the Docker daemon and run `docker-compose down && docker-compose up -d` to recreate the containers. 
+ +### Use Fail2ban + +**This is a subsection of "Log to Syslog", which is required for Fail2ban to work.** + +Open `/etc/fail2ban/filter.d/common.conf` and search for the prefix_line parameter, change it to ".*": + +``` +__prefix_line = .* +``` + +Create `/etc/fail2ban/jail.d/dovecot.conf`... +``` +[dovecot] +enabled = true +filter = dovecot +logpath = /var/log/syslog +chain = FORWARD +``` + +and `jail.d/postfix-sasl.conf`: +``` +[postfix-sasl] +enabled = true +filter = postfix-sasl +logpath = /var/log/syslog +chain = FORWARD +``` + +Restart Fail2ban. ## Install a local MTA diff --git a/docs/index.md b/docs/index.md index f4aea569..4a5943f0 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,6 +1,8 @@ # mailcow: dockerized - 🐮 + 🐋 = 💕 -[![Donate](https://img.shields.io/badge/Donate-PayPal-green.svg)](https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=JWBSYHF4SMC68) +[![Servercow](https://www.servercow.de/img/cow_globe_200.svg)](https://www.servercow.de) + +If you want to support mailcow, consider hosting mailcow on a Servercow virtual machine @ Servercow! ## Screenshots @@ -30,6 +32,7 @@ mailcow dockerized comes with **11 containers** linked in **one bridged network* - mysql-vol-1 - rspamd-vol-1 - postfix-vol-1 +- crypt-vol-1 The integrated **mailcow UI** allows administrative work on your mail server instance as well as separated domain administrator and mailbox user access:
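Review bot: In the docs/first_steps.md hunk, the systemd override hardcodes `EnvironmentFile=/etc/default/docker`, but the paragraph a few lines earlier tells CentOS users their options live in `/etc/sysconfig/docker`. A CentOS reader who follows the override as written gets an empty `$DOCKER_OPTS`. Suggest showing both paths or telling readers to adjust the line to match the file they edited. In the "Use Fail2ban" subsection, `__prefix_line = .*` is written into the shared `/etc/fail2ban/filter.d/common.conf`, so it loosens the prefix for every filter that includes that file, not only dovecot and postfix-sasl. Please say so, and consider placing the override in a `.local` file instead of the packaged one. The second jail is given as `jail.d/postfix-sasl.conf` while the first uses the full `/etc/fail2ban/jail.d/dovecot.conf`; use the full path for both, and add one sentence on why `chain = FORWARD` is needed here, since readers will copy it unexplained. The Rsyslog block also puts the legacy `$ModLoad imtcp` form and the `module(load="imtcp")` form in one fence; splitting them into two fences would stop readers from pasting both. Small wording fixes: "derivates" should be "derivatives" and "Now setup" should be "Now set up".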
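Review bot: In the first docs/index.md hunk (`@@ -1,6 +1,8 @@`), the added sentence "consider hosting mailcow on a Servercow virtual machine @ Servercow!" names Servercow twice; drop the trailing "@ Servercow" and end with a period. The hunk also removes the PayPal Donate badge, which the subject "New index, Fail2ban setup" does not mention. Please state the removal in the commit message so the change of support link is visible in the history.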
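Review bot: In the second docs/index.md hunk (`@@ -30,6 +32,7 @@`), `- crypt-vol-1` is added to the volume list with no accompanying text saying what the volume stores, and nothing else in this patch refers to it. Please add a short description next to the entry, or move this line into the commit that introduces the volume, so the index does not list a volume that the documentation in this change never explains.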