From a95800e47697ca3b92edc6c59e05924d3a0c18a9 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 2 Mar 2017 11:17:07 +0100 Subject: [PATCH] Add docs --- .gitignore | 3 +- docs/_config.yml | 1 - docs/first_steps.md | 76 +++++++++ docs/index.md | 2 +- docs/install.md | 61 +++++++ docs/u_and_e.md | 383 ++++++++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 9 ++ 7 files changed, 532 insertions(+), 3 deletions(-) delete mode 100644 docs/_config.yml create mode 100644 docs/first_steps.md create mode 100644 docs/install.md create mode 100644 docs/u_and_e.md create mode 100644 mkdocs.yml diff --git a/.gitignore b/.gitignore index 6692f2c6..e088e56d 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,6 @@ data/conf/sogo/sieve.creds data/conf/dovecot/dovecot-master.passwd mailcow.conf mailcow.conf_backup -data/conf/nginx/listen.active +data/conf/nginx/listen*active data/web/inc/vars.local.inc.php +site/ diff --git a/docs/_config.yml b/docs/_config.yml deleted file mode 100644 index c4192631..00000000 --- a/docs/_config.yml +++ /dev/null @@ -1 +0,0 @@ -theme: jekyll-theme-cayman \ No newline at end of file diff --git a/docs/first_steps.md b/docs/first_steps.md new file mode 100644 index 00000000..85a1d09f --- /dev/null +++ b/docs/first_steps.md @@ -0,0 +1,76 @@ +# Change default language + +Change `data/conf/sogo/sogo.conf` and replace English by your language. + +Create a file `data/web/inc/vars.local.inc.php` and add "DEFAULT_LANG" with either "en", "pt", "de" or "nl": +``` + array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true) +); +$config['enable_installer'] = false; +$config['smtp_conn_options'] = array( +'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true) +); +``` + +Point your browser to `https://myserver/rc/installer` and follow the instructions. +Initialize the database and leave the installer. +**Delete the directory `data/web/rc/installer` after a successful installation!** + +## Enable password changing + +Open `data/web/rc/config.inc.php` and enable the password plugin: + +``` +... +$config['plugins'] = array( + 'archive', + 'password', +); +... +``` + +Open `data/web/rc/plugins/password/password.php`, search for `case 'ssha':` and add above: + +``` + case 'ssha256': + $salt = rcube_utils::random_bytes(8); + $crypted = base64_encode( hash('sha256', $password . $salt, TRUE ) . $salt ); + $prefix = '{SSHA256}'; + break; +``` + +Open `data/web/rc/plugins/password/config.inc.php` and change the following parameters (or add them at the bottom of that file): + +``` +$config['password_driver'] = 'sql'; +$config['password_algorithm'] = 'ssha256'; +$config['password_algorithm_prefix'] = '{SSHA256}'; +$config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = %u"; +``` + +# Learn spam and ham + +Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash. +This is archived by using the Dovecot plugin "antispam" and a simple parser script. + +Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning) + +The bayes statistics are written to Redis as keys `BAYES_HAM` and `BAYES_SPAM`. + +You can also use Rspamds web ui to learn ham and/or spam. + +# MySQL + +### Connect to the MySQL database: +``` +source mailcow.conf +docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} +``` + +### Backup the database: +``` +cd /path/to/mailcow-dockerized +source mailcow.conf +DATE=$(date +"%Y%m%d_%H%M%S") +docker-compose exec mysql-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} > backup_${DBNAME}_${DATE}.sql +``` + +### Restore the database: +``` +cd /path/to/mailcow-dockerized +source mailcow.conf +docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < backup_file.sql +``` + +# Read logs +You can use `docker-compose logs $service-name` for all containers. + +Run `docker-compose logs` for all logs at once. + +Follow the log output by running docker-compose with `logs -f`. + +# Redirect port 80 to 443 + +Since February the 28th 2017 mailcow does come with port 80 and 443 enabled. + +Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0`. + +Open `data/conf/nginx/site.conf` and add a new "catch-all" site at the top of that file: + +``` +server { + listen 80 default_server; + server_name _; + return 301 https://$host$request_uri; +} +``` + +Restart the stack, changed containers will be updated: + +`docker-compose up -d` + +# Redis + +## Connect to redis key store: + +``` +docker-compose exec redis-mailcow redis-cli +``` + +# Remove persistent data + +- Remove volume `mysql-vol-1` to remove all MySQL data. +- Remove volume `redis-vol-1` to remove all Redis data. +- Remove volume `vmail-vol-1` to remove all contents of `/var/vmail` mounted to `dovecot-mailcow`. +- Remove volume `dkim-vol-1` to remove all DKIM keys. +- Remove volume `rspamd-vol-1` to remove all Rspamd data. + +Running `docker-compose down -v` will **destroy all mailcow: dockerized volumes** and delete any related containers.Reset mailcow admin to `admin:moohoo`: + +1. Drop admin table + +``` +source mailcow.conf +docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin;" +``` + +2. Open mailcow UI to auto-init the db + +# Rspamd + +## Rspamd CLI tools + +``` +docker-compose exec rspamd-mailcow rspamc --help +docker-compose exec rspamd-mailcow rspamadm --help +``` + +See [Rspamd documentation](https://rspamd.com/doc/index.html) + +# Adjust service configurations +The most important configuration files are mounted from the host into the related containers: +``` +data/conf/ +├── dovecot +│   ├── dovecot.conf +│   ├── dovecot-master.passwd +│   ├── sieve_after +│   └── sql +│   ├── dovecot-dict-sql.conf +│   └── dovecot-mysql.conf +├── mysql +│   └── my.cnf +├── nginx +│   ├── dynmaps.conf +│   ├── listen.template +│   └── site.conf +├── bind9 +│   └── named.conf +├── postfix +│   ├── main.cf +│   ├── master.cf +│   ├── postscreen_access.cidr +│   ├── smtp_dsn_filter +│   └── sql +│   ├── mysql_relay_recipient_maps.cf +│   ├── mysql_tls_enforce_in_policy.cf +│   ├── mysql_tls_enforce_out_policy.cf +│   ├── mysql_virtual_alias_domain_catchall_maps.cf +│   ├── mysql_virtual_alias_domain_maps.cf +│   ├── mysql_virtual_alias_maps.cf +│   ├── mysql_virtual_domains_maps.cf +│   ├── mysql_virtual_mailbox_maps.cf +│   ├── mysql_virtual_relay_domain_maps.cf +│   ├── mysql_virtual_sender_acl.cf +│   └── mysql_virtual_spamalias_maps.cf +├── rmilter +│   └── rmilter.conf +├── rspamd +│   ├── dynmaps +│   │   ├── authoritative.php +│   │   ├── settings.php +│   │   ├── tags.php +│   │   └── vars.inc.php -> ../../../web/inc/vars.inc.php +│   ├── local.d +│   │   ├── dkim.conf +│   │   ├── metrics.conf +│   │   ├── options.inc +│   │   ├── redis.conf +│   │   ├── rspamd.conf.local +│   │   └── statistic.conf +│   ├── lua +│   │   └── rspamd.local.lua +│   └── override.d +│   ├── logging.inc +│   ├── worker-controller.inc +│   └── worker-normal.inc +└── sogo + ├── sieve.creds + └── sogo.conf +``` +Just change the according configuration file on the host and restart the related service: `docker-compose restart service-mailcow` +# Tagging + +Mailbox users can tag their mail address like in `me+facebook@example.org` and choose between to setups to handle this tag: + +1. Move this message to a subfolder "facebook" (will be created lower case if not existing) +2. Prepend the tag to the subject: "[facebook] Subject" +# Two-factor authentication + +So far two methods for TFA are impelemented. Both work with the fantastic [Yubikey](https://www.yubico.com). + +While Yubi OTP needs an active internet connection and an API ID/key, U2F will work with any FIDO U2F USB key out of the box. + +Both methods support mulitple YubiKeys. + +As administrator you are able to temporary disable a domain adminsitrators TFA login until they successfully logged in. + +The key used to login will be displayed in green, while other keys remain grey. + +## Yubi OTP + +The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key. +The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret. + +## U2F + +Only Google Chrome (+derivates) and Opera support U2F authentication to this day natively. +For Firefox you will need to install the "U2F Support Add-on" as provided on [mozilla.org](https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/). +U2F works without an internet connection.# Why does mailcow come with a DNS resolver? + +For DNS blacklist lookups and DNSSEC. + +Most systems use either a public or a local caching DNS resolver. +That's a very bad idea when it comes to filter spam using DNS-based blackhole lists (DNSBL) or similar technics. +Most if not all providers apply a rate limit based on the DNS resolver that is used to query their service. +Using a public resolver like Googles 4x8, OpenDNS or any other shared DNS resolver like your ISPs will hit that limit very soon. + + diff --git a/mkdocs.yml b/mkdocs.yml new file mode 100644 index 00000000..52edf2dd --- /dev/null +++ b/mkdocs.yml @@ -0,0 +1,9 @@ +site_name: "mailcow: dockerized" +repo_url: https://github.com/andryyy/mailcow-dockerized/ +remote_branch: master +theme: readthedocs +pages: + - 'Overview': 'index.md' + - 'Installation': 'install.md' + - 'First Steps': 'first_steps.md' + - 'Usage & Examples': 'u_and_e.md'