mailcow/README.md

186 lines
6.9 KiB
Markdown

# mailcow-dockerized
mailcow dockerized comes with 11 containers linked in a mailcow network:
Dovecot, Memcached, Redis, MariaDB, PowerDNS Recursor, PHP-FPM, Postfix, Nginx, Rmilter, Rspamd and SOGo.
All configurations were written with security in mind.
### Exposed ports:
| Name | Service | Hostname, Alias | External bindings | Internal bindings |
|:------------------|:-------------|:-------------------------------|:---------------------------------------------|:-------------------------------|
| postfix-mailcow | Postfix | ${MAILCOW_HOSTNAME}, postfix | 25/tcp, 465/tcp, 587/tcp | 588/tcp |
| dovecot-mailcow | Dovecot | ${MAILCOW_HOSTNAME}, dovecot | 110/tcp, 143/tcp, 993/tcp, 995/tcp, 4190/tcp | 24/tcp, 10001/tcp |
| nginx-mailcow | Nginx | nginx | 443/tcp | 80/tcp, 8081/tcp |
| pdns-mailcow | PowerDNS | pdns | - | 53/udp |
| rspamd-mailcow | Rspamd | rspamd | - | 11333/tcp, 11334/tcp |
| mariadb-mailcow | MariaDB | mysql | - | 3306/tcp |
| rmilter-mailcow | Rmilter | rmilter | - | 9000/tcp |
| phpfpm-mailcow | PHP FPM | phpfpm | - | 9000/tcp |
| sogo-mailcow | SOGo | sogo | - | 9000/tcp |
| redis-mailcow | Redis | redis | - | 6379/tcp |
| memcached-mailcow | Memcached | memcached | - | 11211/tcp |
All containers share a network "mailcow-network" with the subnet 172.22.1.0/24 - if you want to change it, set it in the composer file.
IPs are dynamic except for PowerDNS resolver which has a static ip address 172.22.1.2.
### **FAQ**
- rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash.
- rspamd auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning)
- You can upgrade SOGo by running `docker-compose up -d sogo-mailcow nginx-mailcow`.
- Only Postfix and Rspamd use the PowerDNS resolver for DNSSEC.
- Linking to existing redis and memcached containers will be possible soon
## Installation
1. You need Docker and Docker Compose. Most systems can install Docker by running `wget -qO- https://get.docker.com/ | sh` - see [this link](https://docs.docker.com/compose/install/) for installing Docker Compose.
2. Clone this repository and configure `mailcow.conf`, do not use special chars in passwords in this file (will be fixed soon).
3. `docker-compose up -d` - leave the `-d` out for a wall of logs in case of debugging.
Done.
You can now access https://${MAILCOW_HOSTNAME} with the default credentials `admin` + password `moohoo`. The database will be initialized when you first visit the UI.
## Configuration after installation
### Rspamd UI access
If you want to use Rspamds web UI, you need to set a Rspamd controller password:
```
# Generate hash
docker-compose exec rspamd-mailcow rspamadm pw
```
Replace given hash in data/conf/rspamd/override.d/worker-controller.inc:
```
enable_password = "myhash";
```
Restart rspamd:
```
docker-compose restart rspamd-mailcow
```
Open https://${MAILCOW_HOSTNAME}/rspamd in a browser.
### SSL (and: How to use Let's Encrypt)
mailcow dockerized comes with a snakeoil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
**Use Let's Encrypt**
Get the certbot client:
```
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
```
Please disable applications blocking port 80 and run certbot:
```
certbot-auto certonly \
--standalone \
--standalone-supported-challenges http-01 \
-d ${MAILCOW_HOSTNAME} \
--email you@example.org \
--agree-tos
```
Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
```
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
Restart containers which use the certificate:
```
docker-compose restart postfix-mailcow
docker-compose restart dovecot-mailcow
docker-compose restart nginx-mailcow
```
When renewing certificates, run the last two steps (link + restart) as post-hook in certbot.
## More useful commands and examples (todo: move to wiki soon)
### Logs
You can use `docker-compose logs $service-name` for almost all containers. Only rmilter does not log to stdout. You can check rspamd logs for rmilter responses.
### MariaDB
Connect to MariaDB database:
```
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME}
```
Init schema (will be auto-installed by mailcow UI, but just in case...):
```
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < data/web/inc/init.sql
```
Reset mailcow admin to `admin:moohoo`:
```
source mailcow.conf
docker-compose exec mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DROP TABLE admin; DROP TABLE domain_admins"
# Open mailcow UI to auto-init the db
```
Backup and restore database:
```
source mailcow.conf
# Create
DATE=$(date +"%Y%m%d_%H%M%S")
docker-compose exec mariadb-mailcow mysqldump --default-character-set=utf8mb4 -u${DBUSER} -p${DBPASS} ${DBNAME} > backup_${DBNAME}_${DATE}.sql
# Restore
docker exec -i mariadb-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} < ${1}
```
### Redis
Connect to redis key store:
```
docker-compose exec redis-mailcow redis-cli
```
### Use rspamadm:
```
docker-compose exec rspamd-mailcow rspamadm --help
```
### Use rspamc:
```
docker-compose exec rspamd-mailcow rspamc --help
```
### Use doveadm:
```
docker-compose exec dovecot-mailcow doveadm
```
### Remove persistent data
MariaDB:
```
docker stop mariadb-mailcow
docker rm mariadb-mailcow
rm -rf data/db/mysql/*
./n-build-sql.sh
```
Redis:
```
# If you feel hardcore:
docker stop redis-mailcow
docker rm redus-mailcow
rm -rf data/db/redis/*
./n-build-redis.sh
## It is almost always enough to just flush all keys:
./n-build-redis client
# FLUSHALL [ENTER]
```