paxton
/
mailcow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add Unbound as better DNSSEC enabled resolver

master
andryyy 2017-06-12 23:48:27 +02:00
parent db01b08926
commit b367ec0ace
4 changed files with 119 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
data/Dockerfiles/unbound/Dockerfile 100644
View File

@ -0,0 +1,21 @@
FROM alpine:3.6
LABEL maintainer "Andre Peters <andre.peters@servercow.de>"
RUN apk add --update --no-cache \
curl \
unbound \
bash \
openssl \
drill \
&& curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache \
&& chown root:unbound /etc/unbound \
&& chmod 775 /etc/unbound
COPY unbound.conf /etc/unbound/unbound.conf
EXPOSE 53/udp 53/tcp
COPY docker-entrypoint.sh /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]

9
data/Dockerfiles/unbound/docker-entrypoint.sh 100755
View File

@ -0,0 +1,9 @@
#!/bin/bash
unbound-control-setup
echo "Receiving anchor key..."
/usr/sbin/unbound-anchor -a /etc/unbound/trusted-key.key
echo "Receiving root hints..."
curl -#o /etc/unbound/root.hints https://www.internic.net/domain/named.cache
exec "$@"

28
data/Dockerfiles/unbound/unbound.conf 100644
View File

@ -0,0 +1,28 @@
server:
verbosity: 2
interface: 0.0.0.0
interface: ::0
logfile: /dev/stdout
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
do-daemonize: no
access-control: 172.22.1.0/24 allow
access-control: fd4d:6169:6c63:6f77::/64 allow
directory: "/etc/unbound"
username: unbound
auto-trust-anchor-file: trusted-key.key
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: 169.254.0.0/16
private-address: fd00::/8
private-address: fe80::/10
root-hints: "/etc/unbound/root.hints"
remote-control:
control-enable: yes
server-key-file: /etc/unbound/unbound_server.key
server-cert-file: /etc/unbound/unbound_server.pem
control-key-file: /etc/unbound/unbound_control.key
control-cert-file: /etc/unbound/unbound_control.pem

73
docker-compose.yml
View File

@ -1,5 +1,24 @@
version: '2.1'
services:
unbound-mailcow:
image: mailcow/unbound
command: /usr/sbin/unbound
depends_on:
mysql-mailcow:
condition: service_healthy
healthcheck:
test: ["CMD", "drill", "A", "servercow.de", "@127.0.0.1"]
interval: 10s
timeout: 30s
retries: 5
restart: always
networks:
mailcow-network:
ipv4_address: 172.22.1.254
aliases:
- bind9
mysql-mailcow:
image: mariadb:10.1
healthcheck:
@ -16,6 +35,9 @@ services:
- MYSQL_USER=${DBUSER}
- MYSQL_PASSWORD=${DBPASS}
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
aliases:
@ -24,11 +46,13 @@ services:
redis-mailcow:
image: redis:alpine
depends_on:
mysql-mailcow:
condition: service_healthy
- unbound-mailcow
volumes:
- redis-vol-1:/data/
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
aliases:
@ -38,6 +62,9 @@ services:
image: mailcow/clamd
build: ./data/Dockerfiles/clamav
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
aliases:
@ -52,8 +79,7 @@ services:
/usr/bin/rspamd -f -u _rspamd -g _rspamd
"
depends_on:
nginx-mailcow:
condition: service_healthy
- nginx-mailcow
volumes:
- ./data/conf/rspamd/override.d/:/etc/rspamd/override.d:ro
- ./data/conf/rspamd/local.d/:/etc/rspamd/local.d:ro
@ -61,6 +87,9 @@ services:
- dkim-vol-1:/data/dkim
- rspamd-vol-1:/var/lib/rspamd
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
hostname: rspamd
networks:
mailcow-network:
@ -84,6 +113,9 @@ services:
- DBPASS=${DBPASS}
- MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
aliases:
@ -93,8 +125,7 @@ services:
image: mailcow/sogo
build: ./data/Dockerfiles/sogo
depends_on:
mysql-mailcow:
condition: service_healthy
- unbound-mailcow
environment:
- DBNAME=${DBNAME}
- DBUSER=${DBUSER}
@ -103,6 +134,9 @@ services:
volumes:
- ./data/conf/sogo/:/etc/sogo/
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
ipv4_address: 172.22.1.252
@ -113,8 +147,7 @@ services:
image: mailcow/dovecot
build: ./data/Dockerfiles/dovecot
depends_on:
mysql-mailcow:
condition: service_healthy
- unbound-mailcow
volumes:
- ./data/conf/dovecot:/usr/local/etc/dovecot
- ./data/assets/ssl:/etc/ssl/mail/:ro
@ -132,6 +165,9 @@ services:
- "${POPS_PORT:-995}:995"
- "${SIEVE_PORT:-4190}:4190"
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
hostname: ${MAILCOW_HOSTNAME}
networks:
mailcow-network:
@ -142,8 +178,7 @@ services:
image: mailcow/postfix
build: ./data/Dockerfiles/postfix
depends_on:
mysql-mailcow:
condition: service_healthy
- unbound-mailcow
volumes:
- ./data/conf/postfix:/opt/postfix/conf
- ./data/assets/ssl:/etc/ssl/mail/:ro
@ -158,6 +193,9 @@ services:
- "${SMTPS_PORT:-465}:465"
- "${SUBMISSION_PORT:-587}:587"
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
hostname: ${MAILCOW_HOSTNAME}
networks:
mailcow-network:
@ -167,9 +205,11 @@ services:
memcached-mailcow:
image: memcached:alpine
depends_on:
mysql-mailcow:
condition: service_healthy
- unbound-mailcow
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
aliases:
@ -202,6 +242,9 @@ services:
- "${HTTPS_BIND:-0.0.0.0}:${HTTPS_PORT:-443}:${HTTPS_PORT:-443}"
- "${HTTP_BIND:-127.0.0.1}:${HTTP_PORT:-80}:${HTTP_PORT:-80}"
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
networks:
mailcow-network:
ipv4_address: 172.22.1.251
@ -213,6 +256,9 @@ services:
- nginx-mailcow
image: mailcow/acme
build: ./data/Dockerfiles/acme
dns:
- 172.22.1.254
dns_search: mailcow-network
# All domains to be included in the certificate
environment:
- CONTAINERS_RESTART=mailcowdockerized_postfix-mailcow_1 mailcowdockerized_dovecot-mailcow_1 mailcowdockerized_nginx-mailcow_1
@ -239,6 +285,9 @@ services:
- sogo-mailcow
- php-fpm-mailcow
restart: always
dns:
- 172.22.1.254
dns_search: mailcow-network
privileged: true
network_mode: "host"
volumes: