From 6dec69d3f9ef02e85ba860f60d6b305c613c8e3a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 1 Feb 2016 15:02:34 +0100 Subject: [PATCH 001/462] Initial FAQ --- docs/content/config/troubleshooting/faq.md | 34 ++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 docs/content/config/troubleshooting/faq.md diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md new file mode 100644 index 00000000..61dabcdf --- /dev/null +++ b/docs/content/config/troubleshooting/faq.md @@ -0,0 +1,34 @@ +# FAQ + +### What kind of database are you using? +None. No *sql database required. +This image is based on config files that can be versioned. +You'll probably want to `push` your config updates to your server and restart the container to apply changes. + +### Where are emails stored? +Mails are stored in `/var/mail/${domain}/${username}`. +You should use a data volume container for `/var/mail` for data persistence. Otherwise, your data may be lost. + +### How can I configure my email client? +Login are full email address (`user@domain.com`). +Both login and password are managed in `postfix/accounts.cf` file. +Please have a look to the `README` in order to manage users and aliases. + + # imap + username: + password: + server: + imap port: 143 or 993 with ssl (recommended) + imap path prefix: INBOX + + # smtp + smtp port: 25 or 587 with ssl (recommended) + username: + password: + +### How can I manage my custom Spamassassin rules? +Antispam rules are managed in `spamassassin/rules.cf`. + +### What kind of SSL certificates can I use? +You can use the same certificates you use with another mail server. +The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. From 4a0c20019361e60fa3d51a3e388c6e94eb9e9499 Mon Sep 17 00:00:00 2001 
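Review bot: in the client-configuration block, `smtp port: 25 or 587 with ssl (recommended)` points mail clients at port 25, which is the server-to-server delivery port; authenticated submission from a client belongs on 587, so list only 587 here and keep 25 out of the client settings. The same block labels 143/587 and 993 alike as "with ssl", but 143 and 587 negotiate TLS via STARTTLS while 993 is TLS from the first byte; saying which is which keeps clients from being configured for the wrong mode. Since `postfix/accounts.cf` holds the login credentials, the answer to "How can I configure my email client?" should also say whether passwords are stored there hashed or in clear, and that the file must not be world-readable.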
From: Thomas VIAL Date: Mon, 1 Feb 2016 15:02:34 +0100 Subject: [PATCH 002/462] Initial Home page --- docs/content/index.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/content/index.md diff --git a/docs/content/index.md b/docs/content/index.md new file mode 100644 index 00000000..72b61e04 --- /dev/null +++ b/docs/content/index.md @@ -0,0 +1 @@ +Welcome to the docker-mailserver wiki! From d0a01f6ecce4b90126baecadcef08c3aff3df80e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 1 Feb 2016 15:03:02 +0100 Subject: [PATCH 003/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 61dabcdf..5402acfe 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -1,5 +1,3 @@ -# FAQ - ### What kind of database are you using? None. No *sql database required. This image is based on config files that can be versioned. From 2fd0574fc517dfa5cb9c56b64d5b71cbbe5f4cb8 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 1 Feb 2016 15:04:13 +0100 Subject: [PATCH 004/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 5402acfe..80d8ccfd 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -30,3 +30,15 @@ Antispam rules are managed in `spamassassin/rules.cf`. ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. + +### What about backups? + +## Backups + +Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: + + docker run --rm \ + --volumes-from maildata_1 \ + -v "$(pwd)":/backups \ + -ti tvial/docker-mailserver \ + tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail From 7389402218d6c7ba77789e129dbb95572a12670d Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 1 Feb 2016 15:04:28 +0100 Subject: [PATCH 005/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 80d8ccfd..64e07f2f 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -33,8 +33,6 @@ The only thing is that we provide a `self-signed` certificate tool and a `letsen ### What about backups? -## Backups - Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: docker run --rm \ From b6b9b2b5c774a55a4032238cc8a1f7dc67afa519 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:36:57 +0100 Subject: [PATCH 006/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 64e07f2f..6d707221 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
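Review bot: the prose says the data volume container is named `maildata`, but the command uses `--volumes-from maildata_1`; state that `maildata_1` is the container name docker-compose derives from the `maildata` service, or the reader gets a "No such container" error. `-ti` is not needed for `tar` and fails when the command is run from cron, so drop it. The archive holds every user's mailbox and is written as root into the current directory; add a line on restricting its permissions and encrypting it before it leaves the host. Finally, `### What about backups?` is immediately followed by `## Backups`, a second heading for the same section.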
@@ -5,7 +5,17 @@ You'll probably want to `push` your config updates to your server and restart th ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. -You should use a data volume container for `/var/mail` for data persistence. Otherwise, your data may be lost. +You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` for data persistence. Otherwise, your data may be lost. + +### What about backups? + +Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: + + docker run --rm \ + --volumes-from maildata_1 \ + -v "$(pwd)":/backups \ + -ti tvial/docker-mailserver \ + tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail ### How can I configure my email client? Login are full email address (`user@domain.com`). @@ -30,13 +40,3 @@ Antispam rules are managed in `spamassassin/rules.cf`. ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. - -### What about backups? - -Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: - - docker run --rm \ - --volumes-from maildata_1 \ - -v "$(pwd)":/backups \ - -ti tvial/docker-mailserver \ - tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail From 220681f469a2f27a869ca19199275f19e772c67c Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:39:41 +0100 Subject: [PATCH 007/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 31 +++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 6d707221..e2ccfc6b 100644 
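Review bot: the new data-volume link carries a Medium tracking fragment (`#.uxyrp7xpu`); trim it to the bare article URL.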
--- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -7,6 +7,35 @@ You'll probably want to `push` your config updates to your server and restart th Mails are stored in `/var/mail/${domain}/${username}`. You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` for data persistence. Otherwise, your data may be lost. +### How can I use data volume container as proposed above? + +Here is a `docker-compose.yml` example which use a data volume container for email storage named `maildata`. + + maildata: + image: ubuntu + volumes: + - /var/mail + command: /bin/true + + mail: + image: "tvial/docker-mailserver" + hostname: "mail" + domainname: "domain.com" + volumes_from: + - maildata + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + volumes: + - ./spamassassin:/tmp/spamassassin/ + - ./postfix:/tmp/postfix/ + - ./opendkim/keys:/etc/opendkim/keys + - ./letsencrypt/etc:/etc/letsencrypt + environment: + - DMS_SSL=letsencrypt + ### What about backups? Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: @@ -39,4 +68,4 @@ Antispam rules are managed in `spamassassin/rules.cf`. ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. -The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. +The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. \ No newline at end of file From d2bbd332014f011bff54bcb34f5d36a433f9b4cd Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:42:22 +0100 Subject: [PATCH 008/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
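Review bot: in the `docker-compose.yml` example, `image: ubuntu` and `image: "tvial/docker-mailserver"` carry no tag, so both float with `latest` and a later pull can silently change what runs; pin tags. The `./letsencrypt/etc:/etc/letsencrypt` mount hands the container write access to the certificate private keys, and `./opendkim/keys` to the DKIM signing keys; mount them `:ro` unless the container actually has to write there. Also, `which use a data volume container` should read `which uses`.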
diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index e2ccfc6b..79ace0f2 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -5,7 +5,7 @@ You'll probably want to `push` your config updates to your server and restart th ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. -You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` for data persistence. Otherwise, your data may be lost. +You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. ### How can I use data volume container as proposed above? From fe40e08a901229705365c1152fe428926c68d2df Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:44:33 +0100 Subject: [PATCH 009/462] Updated Home (markdown) --- docs/content/index.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/index.md b/docs/content/index.md index 72b61e04..fe5556b8 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -1 +1,3 @@ Welcome to the docker-mailserver wiki! + +[Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ) From 64feb9421bd1c2ae5ad023d726d2776a569db06a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:44:50 +0100 Subject: [PATCH 010/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index fe5556b8..15beb582 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
@@ -1,3 +1,3 @@ Welcome to the docker-mailserver wiki! -[Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ) +## [Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ) From 38aad68e53df4f96fbecbd8209e1b19fd289cad5 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:49:22 +0100 Subject: [PATCH 011/462] Created SSL (markdown) --- docs/content/ssl.md | 65 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 docs/content/ssl.md diff --git a/docs/content/ssl.md b/docs/content/ssl.md new file mode 100644 index 00000000..e443c800 --- /dev/null +++ b/docs/content/ssl.md 
@@ -0,0 +1,65 @@ +# docker-mailserver with ssl + +There are multiple options to enable SSL: + +* using [letsencrypt](https://letsencrypt.org/) (recommended) +* using self-signed certificates with the provided tool + +After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). + +## let's encrypt (recommended) + +To enable Let's Encrypt on your mail server, you have to: + +* get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) +* add an environment variable `DMS_SSL` with value `letsencrypt` (see `docker-compose.yml.dist`) +* mount your whole `letsencrypt` folder to `/etc/letsencrypt` +* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. + +You don't have anything else to do. Enjoy. + +## self signed certificates + +You can easily generate a self-signed SSL certificate by using the following command: + + docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate + + # Press enter + # Enter a password when needed + # Fill information like Country, Organisation name + # Fill "my-domain.com" as FQDN for CA, and "mail.my-domain.com" for the certificate. + # They HAVE to be different, otherwise you'll get a `TXT_DB error number 2` + # Don't fill extras + # Enter same password when needed + # Sign the certificate? [y/n]:y + # 1 out of 1 certificate requests certified, commit? [y/n]y + + # will generate: + # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) + # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) + # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) + # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) + # postfix/ssl/demoCA/cacert.pem (certificate authority) + +Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument. 
+Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml). + +To use the certificate: + +* add an `DMS_SSL=self-signed` to your container environment variables +* if a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. + +### Testing certificate + +From your host: + + docker exec mail openssl s_client -connect 0.0.0.0:25 -starttls smtp -CApath /etc/ssl/certs/ + +or + + docker exec mail openssl s_client -connect 0.0.0.0:143 -starttls imap -CApath /etc/ssl/certs/ + + +And you should see the certificate chain, the server certificate and: + + Verify return code: 0 (ok) \ No newline at end of file From f3f52a7ef5f14a523e6ce681a15a3eb704ed1a11 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:50:07 +0100 Subject: [PATCH 012/462] Updated FAQ (markdown) --- .../faq.md => faq---frequently-asked-questiond.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{config/troubleshooting/faq.md => faq---frequently-asked-questiond.md} (100%) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/faq---frequently-asked-questiond.md similarity index 100% rename from docs/content/config/troubleshooting/faq.md rename to docs/content/faq---frequently-asked-questiond.md From aa63d2e3ccd3e20c991030cf57269cf747a4da6b Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:50:18 +0100 Subject: [PATCH 013/462] Updated FAQ Frequently Asked Questiond (markdown) --- .../troubleshooting/faq.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{faq---frequently-asked-questiond.md => config/troubleshooting/faq.md} (100%) 
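Review bot: under "Testing certificate", the `openssl s_client ... -CApath /etc/ssl/certs/` commands are said to end in `Verify return code: 0 (ok)`, but with the self-signed certificate generated just above, the system CA store does not contain `postfix/ssl/demoCA/cacert.pem`, so verification fails with a self-signed-certificate error even when the setup is correct; for the self-signed case pass `-CAfile` pointing at the generated `cacert.pem`, and keep `-CApath` for the Let's Encrypt case. In the Let's Encrypt section, "You don't have anything else to do" omits renewal: these certificates are short-lived, and after the client renews them the container has to be restarted (or postfix and courier reloaded) to pick up the new files. The mad-hacking.net link is plain `http://`, and the generate command passes both `-ti` and `-t`.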
diff --git a/docs/content/faq---frequently-asked-questiond.md b/docs/content/config/troubleshooting/faq.md similarity index 100% rename from docs/content/faq---frequently-asked-questiond.md rename to docs/content/config/troubleshooting/faq.md From c2237c0705c9b328b78c07f91693b5973b9a46ef Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:51:31 +0100 Subject: [PATCH 014/462] Updated SSL (markdown) --- docs/content/ssl.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/content/ssl.md b/docs/content/ssl.md index e443c800..5edb4f6c 100644 --- a/docs/content/ssl.md +++ b/docs/content/ssl.md @@ -1,5 +1,3 @@ -# docker-mailserver with ssl - There are multiple options to enable SSL: * using [letsencrypt](https://letsencrypt.org/) (recommended) @@ -7,7 +5,7 @@ There are multiple options to enable SSL: After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). -## let's encrypt (recommended) +### Let's encrypt (recommended) To enable Let's Encrypt on your mail server, you have to: @@ -18,7 +16,7 @@ To enable Let's Encrypt on your mail server, you have to: You don't have anything else to do. Enjoy. -## self signed certificates +### Self-signed certificates (testing only) You can easily generate a self-signed SSL certificate by using the following command: From 14cf4b2353803dc96cc19066e669b64781b59bea Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 10 Feb 2016 09:54:57 +0100 Subject: [PATCH 015/462] Updated Home (markdown) --- docs/content/index.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 15beb582..c13cd611 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -1,3 +1,4 @@ -Welcome to the docker-mailserver wiki! -## [Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ) + + +**[Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ)** 
From 94a2c9a798ae1c83c9ced54f3d3593eb12130f48 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Fri, 4 Mar 2016 18:56:45 +0100 Subject: [PATCH 016/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 79ace0f2..aed1de4d 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -68,4 +68,9 @@ Antispam rules are managed in `spamassassin/rules.cf`. ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. -The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. \ No newline at end of file +The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. + +### I just moved from my old mail server to docker-mailserver but "it doesn't work". +If this migration implies a DNS modification, be sure to wait for DNS propagation before opening an issue. +Few examples of symptoms can be found [here](https://github.com/tomav/docker-mailserver/issues/95) or [here](https://github.com/tomav/docker-mailserver/issues/97). +This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. \ No newline at end of file From 2c886fa3cdbf774223a9990f514f2f1ddce1aa99 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Fri, 4 Mar 2016 18:57:22 +0100 Subject: [PATCH 017/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index aed1de4d..673e6565 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -70,7 +70,7 @@ Antispam rules are managed in `spamassassin/rules.cf`. You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. -### I just moved from my old mail server to docker-mailserver but "it doesn't work". +### I just moved from my old mail server but "it doesn't work". If this migration implies a DNS modification, be sure to wait for DNS propagation before opening an issue. Few examples of symptoms can be found [here](https://github.com/tomav/docker-mailserver/issues/95) or [here](https://github.com/tomav/docker-mailserver/issues/97). This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. \ No newline at end of file From 7ad0ed0bed6b3f6deec338f3440fab49b3c254a0 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Fri, 4 Mar 2016 18:59:32 +0100 Subject: [PATCH 018/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 673e6565..be428e71 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -73,4 +73,8 @@ The only thing is that we provide a `self-signed` certificate tool and a `letsen ### I just moved from my old mail server but "it doesn't work". If this migration implies a DNS modification, be sure to wait for DNS propagation before opening an issue. Few examples of symptoms can be found [here](https://github.com/tomav/docker-mailserver/issues/95) or [here](https://github.com/tomav/docker-mailserver/issues/97). -This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. \ No newline at end of file +This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. + +If everything is OK regarding DNS, please provide [formatted logs](https://guides.github.com/features/mastering-markdown/) and config files. This will allow us to help you. + +If we're blind, we won't be able to do anything. \ No newline at end of file From 884e7ab10533007a421a83e0ce4eaaa5909e89ea Mon Sep 17 00:00:00 2001 From: awb99 Date: Tue, 12 Apr 2016 15:00:44 +0200 Subject: [PATCH 019/462] I think the main reason to have the docker-mailserver image is so that one can really quickly start an email server for a couple of user accounts without being an expert in postfix/etc. And for testing sometimes pop access could be quite important. It took me a few hours to get it running; and with this page it should make it much easier for other novices. --- docs/content/pop3.md | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 docs/content/pop3.md diff --git a/docs/content/pop3.md b/docs/content/pop3.md new file mode 100644 index 00000000..732b715d --- /dev/null +++ b/docs/content/pop3.md 
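Review bot: when asking users to paste config files and logs into a public issue, say what to strip first: `postfix/accounts.cf` holds password hashes, `opendkim/keys` holds private signing keys, `postfix/ssl` holds certificate keys, and raw logs contain sender and recipient addresses. A sentence such as "redact passwords, keys and addresses before posting" belongs right after the request for formatted logs and config files.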
@@ -0,0 +1,40 @@ +# Pop3 Mail access + +**docker-mailserver does not think that it is good idea to use pop.** + +But is you really want to you have to add 3 lines to the docker-compose.yml : +Add the ports 110 and 995 and add environment variable ENABLE_POP : + +``` + +maildata: + image: ubuntu + volumes: + - /var/mail + command: /bin/true + +mail: + image: "tvial/docker-mailserver" + hostname: "mail" + domainname: "domain.com" + volumes_from: + - maildata + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + - "110:110" + - "995:995" + + volumes: + - ./spamassassin:/tmp/spamassassin/ + - ./postfix:/tmp/postfix/ + - ./opendkim/keys:/etc/opendkim/keys + - ./letsencrypt/etc:/etc/letsencrypt + environment: + - DMS_SSL=letsencrypt + - ENABLE_POP3=1 + + +``` From 9577c05753a167b8b6ca291bec6e9c3535452c60 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Fri, 22 Apr 2016 17:01:44 +0200 Subject: [PATCH 020/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index be428e71..5f416a1d 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -63,6 +63,8 @@ Please have a look to the `README` in order to manage users and aliases. username: password: +Please use `STARTTLS`. + ### How can I manage my custom Spamassassin rules? Antispam rules are managed in `spamassassin/rules.cf`. From ba01741d8ede055e6926ab4e31febefcf5cc3a98 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:07:54 +0200 Subject: [PATCH 021/462] Updated Home (markdown) --- docs/content/index.md | 56 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index c13cd611..c6c4c8ea 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
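Review bot: the text says to add `ENABLE_POP` but the example sets `ENABLE_POP3=1`; use the real variable name in the prose. The example publishes both `110:110` and `995:995`; 110 is cleartext POP3, so either leave it out or state that logins on it must use STARTTLS, otherwise the page adds a cleartext credential path next to the one it recommends. Copying the whole compose file from the FAQ (with `DMS_SSL`, the mounts and the data container) into this page will drift from the FAQ; show only the added lines. `But is you really want to` should read `But if you really want to`.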
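Review bot: `Please use STARTTLS.` is placed after a block that lists `993 with ssl`; 993 does not use STARTTLS, it is TLS from connection start, and STARTTLS applies to 143 and 587. Rephrase to "use 143 and 587 with STARTTLS, or 993 with TLS; never send credentials in the clear", and drop port 25 from the client settings, where only 587 belongs.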
@@ -1,4 +1,58 @@ +## Usage +#### Get v2 image + + docker pull tvial/docker-mailserver:v2 +#### Create a `docker-compose.yml` -**[Please read the FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ)** +Adapt this file with your FQDN. + + version: '2' + + services: + mail: + image: tvial/docker-mailserver:testing + # build: . + hostname: mail + domainname: domain.com + container_name: mail + volumes: + - maildata:/var/mail + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + volumes: + - ./config/:/tmp/docker-mailserver/ + - ./opendkim/:/tmp/docker-mailserver/opendkim/ + + volumes: + maildata: + driver: local + +#### Create your mail accounts + +Don't forget to adapt MAIL_USER and MAIL_PASS to your needs + + mkdir -p config + docker run --rm \ + -e MAIL_USER=user1@domain.tld \ + -e MAIL_PASS=mypassword \ + -ti tvial/docker-mailserver:v2 \ + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf + +#### Generate DKIM keys + + docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:v2 generate-dkim-config + +Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. + +#### Start the container + + docker-compose up -d mail + +You're done! From 5354a1f3cc3f0fa4c4e949385c56b3a7c6cda9d2 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:08:15 +0200 Subject: [PATCH 022/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index c6c4c8ea..be7061f0 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -12,7 +12,7 @@ Adapt this file with your FQDN. services: mail: - image: tvial/docker-mailserver:testing + image: tvial/docker-mailserver:v2 # build: . hostname: mail domainname: domain.com 
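Review bot: the `mail` service in the `docker-compose.yml` lists the `volumes:` key twice (`- maildata:/var/mail`, then the `./config/` block); a YAML mapping cannot repeat a key, so depending on the parser this either errors out or the second block silently replaces the first, and `/var/mail` is no longer on the `maildata` volume, which is the one mount the page exists to set up. Merge the three entries under a single `volumes:`. In "Create your mail accounts", `-e MAIL_PASS=mypassword` puts the password into shell history and process listings; `doveadm pw` prompts for the password when `-p` is omitted, so prefer that, and `config/postfix-accounts.cf` should be created with restrictive permissions because a CRAM-MD5 hash is password-equivalent for that account. The DKIM path `config/opedkim/keys/...` is misspelled (`opendkim`), and the image tag is `:testing` while the pull command above uses `:v2`.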
From d48cff3f4bc7e4f3d4dff8173dd8c815ea4f6d93 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:08:53 +0200 Subject: [PATCH 023/462] Updated Home (markdown) --- docs/content/{index.md => introduction-to-docker-mailserver.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{index.md => introduction-to-docker-mailserver.md} (100%) diff --git a/docs/content/index.md b/docs/content/introduction-to-docker-mailserver.md similarity index 100% rename from docs/content/index.md rename to docs/content/introduction-to-docker-mailserver.md From b0337e7ec2b29474bd3342663acb55e8d337c6f4 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:10:27 +0200 Subject: [PATCH 024/462] Created How to contribute (markdown) --- docs/content/how-to-contribute.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 docs/content/how-to-contribute.md diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md new file mode 100644 index 00000000..29efe8cc --- /dev/null +++ b/docs/content/how-to-contribute.md @@ -0,0 +1,14 @@ +Contribution is like any other GitHub project: + +- Fork +- Improve +- Add integration tests in `test/tests.bats` +- Build image and run tests using `make` +- Document your improvements +- Commit, push and make a pull-request + +#### Project architecture + + ├── config # User: personal configurations + ├── target # Developer: default server configurations + └── test # Developer: integration tests From e9181e696b92ddfbd9e11daccc29ca7242381ef6 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:10:27 +0200 Subject: [PATCH 025/462] Initial Home page --- docs/content/index.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 docs/content/index.md diff --git a/docs/content/index.md b/docs/content/index.md new file mode 100644 index 00000000..72b61e04 --- /dev/null +++ b/docs/content/index.md @@ -0,0 +1 @@ +Welcome to the docker-mailserver wiki! 
From e4fafaf3ffb5e0d044c888a176fed4c6deae9072 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:12:08 +0200 Subject: [PATCH 026/462] Destroyed Introduction to Docker MailServer (markdown) --- .../introduction-to-docker-mailserver.md | 58 ------------------- 1 file changed, 58 deletions(-) delete mode 100644 docs/content/introduction-to-docker-mailserver.md diff --git a/docs/content/introduction-to-docker-mailserver.md b/docs/content/introduction-to-docker-mailserver.md deleted file mode 100644 index be7061f0..00000000 --- a/docs/content/introduction-to-docker-mailserver.md +++ /dev/null @@ -1,58 +0,0 @@ -## Usage - -#### Get v2 image - - docker pull tvial/docker-mailserver:v2 - -#### Create a `docker-compose.yml` - -Adapt this file with your FQDN. - - version: '2' - - services: - mail: - image: tvial/docker-mailserver:v2 - # build: . - hostname: mail - domainname: domain.com - container_name: mail - volumes: - - maildata:/var/mail - ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" - volumes: - - ./config/:/tmp/docker-mailserver/ - - ./opendkim/:/tmp/docker-mailserver/opendkim/ - - volumes: - maildata: - driver: local - -#### Create your mail accounts - -Don't forget to adapt MAIL_USER and MAIL_PASS to your needs - - mkdir -p config - docker run --rm \ - -e MAIL_USER=user1@domain.tld \ - -e MAIL_PASS=mypassword \ - -ti tvial/docker-mailserver:v2 \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf - -#### Generate DKIM keys - - docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:v2 generate-dkim-config - -Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. - -#### Start the container - - docker-compose up -d mail - -You're done! From e8df790cfe51c59b8d16a7d4e901401b2ce47bf4 Mon Sep 17 00:00:00 2001 
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:12:14 +0200 Subject: [PATCH 027/462] Updated Home (markdown) --- docs/content/index.md | 59 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 58 insertions(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 72b61e04..be7061f0 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -1 +1,58 @@ -Welcome to the docker-mailserver wiki! +## Usage + +#### Get v2 image + + docker pull tvial/docker-mailserver:v2 + +#### Create a `docker-compose.yml` + +Adapt this file with your FQDN. + + version: '2' + + services: + mail: + image: tvial/docker-mailserver:v2 + # build: . + hostname: mail + domainname: domain.com + container_name: mail + volumes: + - maildata:/var/mail + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + volumes: + - ./config/:/tmp/docker-mailserver/ + - ./opendkim/:/tmp/docker-mailserver/opendkim/ + + volumes: + maildata: + driver: local + +#### Create your mail accounts + +Don't forget to adapt MAIL_USER and MAIL_PASS to your needs + + mkdir -p config + docker run --rm \ + -e MAIL_USER=user1@domain.tld \ + -e MAIL_PASS=mypassword \ + -ti tvial/docker-mailserver:v2 \ + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf + +#### Generate DKIM keys + + docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:v2 generate-dkim-config + +Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. + +#### Start the container + + docker-compose up -d mail + +You're done! From d49c4e4ab5b92dc7cb3dc3cb20673543fcc9c2fe Mon Sep 17 00:00:00 2001 
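Review bot: the duplicated `volumes:` key in the `mail` service is still present in the content moved back into `index.md`, so `- maildata:/var/mail` is still overridden (or rejected) by the second `volumes:` block; merge the entries before landing this. The `config/opedkim/keys` typo and the `-e MAIL_PASS=...` password-on-command-line pattern carry over unchanged.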
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:15:04 +0200 Subject: [PATCH 028/462] Updated POP3 (markdown) --- docs/content/config/pop3.md | 18 +++++++++++++++++ docs/content/pop3.md | 40 ------------------------------------- 2 files changed, 18 insertions(+), 40 deletions(-) create mode 100644 docs/content/config/pop3.md delete mode 100644 docs/content/pop3.md diff --git a/docs/content/config/pop3.md b/docs/content/config/pop3.md new file mode 100644 index 00000000..a860ebac --- /dev/null +++ b/docs/content/config/pop3.md @@ -0,0 +1,18 @@ +**We do not recommend using pop. Use IMAP instead.** + +If you really want to you have POP3 running, add 3 lines to the docker-compose.yml : +Add the ports 110 and 995, and add environment variable ENABLE_POP : + +``` +mail: + [...] + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + - "110:110" + - "995:995" + environment: + - ENABLE_POP3=1 +``` diff --git a/docs/content/pop3.md b/docs/content/pop3.md deleted file mode 100644 index 732b715d..00000000 --- a/docs/content/pop3.md +++ /dev/null @@ -1,40 +0,0 @@ -# Pop3 Mail access - -**docker-mailserver does not think that it is good idea to use pop.** - -But is you really want to you have to add 3 lines to the docker-compose.yml : -Add the ports 110 and 995 and add environment variable ENABLE_POP : - -``` - -maildata: - image: ubuntu - volumes: - - /var/mail - command: /bin/true - -mail: - image: "tvial/docker-mailserver" - hostname: "mail" - domainname: "domain.com" - volumes_from: - - maildata - ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" - - "110:110" - - "995:995" - - volumes: - - ./spamassassin:/tmp/spamassassin/ - - ./postfix:/tmp/postfix/ - - ./opendkim/keys:/etc/opendkim/keys - - ./letsencrypt/etc:/etc/letsencrypt - environment: - - DMS_SSL=letsencrypt - - ENABLE_POP3=1 - - -``` From e7b29aaf9b239d91105ddbbd397e57fe338d9eeb Mon Sep 17 00:00:00 2001 
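Review bot: in the new `config/pop3.md` the prose says "add environment variable ENABLE_POP" while the snippet sets `ENABLE_POP3=1`; use the real variable name in the sentence. The sentence "If you really want to you have POP3 running, add 3 lines" also needs rewording ("If you really want POP3 running, add these lines"), and since the snippet exposes port 110 (plain POP3) next to 995, the page should say which one clients are expected to use, in line with the "Please use STARTTLS" advice given in the FAQ.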
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:15:25 +0200 Subject: [PATCH 029/462] Updated Configure POP3 (markdown) --- docs/content/config/pop3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/pop3.md b/docs/content/config/pop3.md index a860ebac..407e205f 100644 --- a/docs/content/config/pop3.md +++ b/docs/content/config/pop3.md @@ -1,4 +1,4 @@ -**We do not recommend using pop. Use IMAP instead.** +**We do not recommend using POP. Use IMAP instead.** If you really want to you have POP3 running, add 3 lines to the docker-compose.yml : Add the ports 110 and 995, and add environment variable ENABLE_POP : From 5adbdcfb106a5d25158d9bbbd388d313abb7d932 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:16:23 +0200 Subject: [PATCH 030/462] Updated SSL (markdown) --- docs/content/{ => config/security}/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/content/{ => config/security}/ssl.md (95%) diff --git a/docs/content/ssl.md b/docs/content/config/security/ssl.md similarity index 95% rename from docs/content/ssl.md rename to docs/content/config/security/ssl.md index 5edb4f6c..12013653 100644 --- a/docs/content/ssl.md +++ b/docs/content/config/security/ssl.md @@ -10,7 +10,7 @@ After installation, you can test your setup with [checktls.com](https://www.chec To enable Let's Encrypt on your mail server, you have to: * get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) -* add an environment variable `DMS_SSL` with value `letsencrypt` (see `docker-compose.yml.dist`) +* add an environment variable `SSL_TYPE` with value `letsencrypt` (see `docker-compose.yml.dist`) * mount your whole `letsencrypt` folder to `/etc/letsencrypt` * the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. From 9bb13e7c3a06d6f297653377a70ba587cbf603a7 Mon Sep 17 00:00:00 2001 
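Review bot: the rename from `DMS_SSL` to `SSL_TYPE` in `config/security/ssl.md` leaves other pages referring to the old name, for example the `- DMS_SSL=letsencrypt` line in the FAQ's `docker-compose.yml` example (still present until patch 039 removes that section). A rename of a user-facing variable should update every page in the same commit, or readers will copy a setting the image no longer honours.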
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:17:17 +0200 Subject: [PATCH 031/462] Created Configure Aliases (markdown) --- docs/content/config/user-management/aliases.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) create mode 100644 docs/content/config/user-management/aliases.md diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md new file mode 100644 index 00000000..d54a6230 --- /dev/null +++ b/docs/content/config/user-management/aliases.md @@ -0,0 +1,16 @@ +Please first read [Postfix documentation on virtual aliases](http://www.postfix.org/VIRTUAL_README.html#virtual_alias). + +Aliases are managed in `config/postfix-virtual.cf`. +An alias is a full email address that will be: +* delivered to an existing account in `config/postfix-accounts.cf` +* redirected to one or more other email addresses + +Alias and target are space separated. + +Example: + + # Alias to existing account + alias1@domain.tld user1@domain.tld + + # Forward to external email address + alias2@domain.tld external@gmail.com \ No newline at end of file From b92d3cb1b3b00b6e37865b42e79b8f84d4a4948c Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:18:18 +0200 Subject: [PATCH 032/462] Created Configure Accounts (markdown) --- .../config/user-management/accounts.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 docs/content/config/user-management/accounts.md diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md new file mode 100644 index 00000000..9fffb355 --- /dev/null +++ b/docs/content/config/user-management/accounts.md 
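Review bot: the new `config/user-management/aliases.md` has no newline at end of file (the diff shows `\ No newline at end of file`), which will show up as a spurious change in the next edit; add the trailing newline. The sentence "Alias and target are space separated." would be clearer as "Each line holds the alias, a space, then the target address", since the example relies on that ordering.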
@@ -0,0 +1,19 @@ +Users are managed in `config/postfix-accounts.cf`. +Just add the full email address and its encrypted password separated by a pipe. + +Example: + + user1@domain.tld|{CRAM-MD5}mypassword-cram-md5-encrypted + user2@otherdomain.tld|{CRAM-MD5}myotherpassword-cram-md5-encrypted + +To generate the password you could run for example the following: + + docker run --rm \ + -e MAIL_USER=user1@domain.tld \ + -ti tvial/docker-mailserver:v2 \ + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER )"' + +You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. + +The `doveadm pw` command let you choose between several encryption schemes for the password. +Use doveadm pw -l to get a list of the currently supported encryption schemes. \ No newline at end of file From 237ced9d172cb82442729c5b20b48fe4b51dee6b Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:20:18 +0200 Subject: [PATCH 033/462] Created Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 docs/content/config/best-practices/dkim.md diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md new file mode 100644 index 00000000..0592dd6c --- /dev/null +++ b/docs/content/config/best-practices/dkim.md @@ -0,0 +1,8 @@ +To enable DKIM signature, you must have created your mail accounts. +Once its done, just run: + + docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:v2 generate-dkim-config + +Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. From 375acd2263b57c9448ef82a0db8139669fcd628a Mon Sep 17 00:00:00 2001 
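Review bot: in the new `config/user-management/accounts.md` the prose calls the stored value an "encrypted password", but `doveadm pw` produces a password hash, and the distinction matters when readers reason about what leaks if the file is exposed; say "hashed". Also put `doveadm pw -l` in backticks like the other commands, change "let you choose" to "lets you choose", and add the missing newline at end of file.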
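Review bot: the new `config/best-practices/dkim.md` repeats the `config/opedkim/keys/domain.tld/mail.txt` typo from the home page; the directory is `opendkim`, and a reader who copies the path will get a file-not-found. "Once its done" should be "Once that's done".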
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:46:33 +0200 Subject: [PATCH 034/462] Created Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/content/config/best-practices/spf.md diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md new file mode 100644 index 00000000..246c1658 --- /dev/null +++ b/docs/content/config/best-practices/spf.md @@ -0,0 +1,11 @@ +> Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. + +To add a SPF record in your DNS, insert the following line in your DNS zone: + + ; Check that MX is declared + domain.com. IN MX 1 mail.domain.com. + + ; Add SPF record + domain.com. IN TXT "v=spf1 mx ~all" + +Increment DNS serial and reload configuration. \ No newline at end of file From 0c556012e072492c0a99089d1d7b9b5326dd4720 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:46:45 +0200 Subject: [PATCH 035/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index 246c1658..632337de 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md 
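Review bot: the new `config/best-practices/spf.md` opens with a block quote that has no attribution (the following patch adds "From Wikipedia:", so fold that into this one). "Insert the following line" introduces two records (an MX and a TXT), so say "lines". The record uses `~all`, which is SPF softfail; the page should state that this is deliberate, and that `-all` is the stricter alternative, so readers know what they are publishing.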
@@ -1,3 +1,5 @@ +From Wikipedia: + > Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. To add a SPF record in your DNS, insert the following line in your DNS zone: From dadd53595414c0ecdfcb2f2715a1c9fbfaf5ea24 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:49:08 +0200 Subject: [PATCH 036/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 0592dd6c..98d94b5b 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -6,3 +6,10 @@ Once its done, just run: -ti tvial/docker-mailserver:v2 generate-dkim-config Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. + +``` +; OpenDKIM +mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.com + +``` \ No newline at end of file From 6b18dc33a596de2d419a91ce4e30ac7bce80e1a1 Mon Sep 17 00:00:00 2001 
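Review bot: the DKIM record example added to `config/best-practices/dkim.md` ends its comment with `domain.com` while the rest of the page uses `domain.tld` (the next patch corrects this; squash it here). The long `p=` value is obviously a placeholder, but the text should say so explicitly and point readers to the generated `mail.txt` as the only source of the real key, so nobody pastes the placeholder into a zone file. The fence also carries a stray blank line and no newline at end of file.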
From: Thomas VIAL Date: Sun, 24 Apr 2016 17:49:31 +0200 Subject: [PATCH 037/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 98d94b5b..3863e32d 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -10,6 +10,6 @@ Now the keys are generated, you can configure your DNS server by just pasting th ``` ; OpenDKIM mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.com + "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.tld ``` \ No newline at end of file From fc83970af4f292a6046ae47e3384892f8e8e0ae5 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:55:39 +0200 Subject: [PATCH 038/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index 632337de..88643ffc 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md 
@@ -1,4 +1,4 @@ -From Wikipedia: +From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): > Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. From 5384ce7a017d3577ea132876f5ff0ea1dd50386e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:57:03 +0200 Subject: [PATCH 039/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 31 +--------------------- 1 file changed, 1 insertion(+), 30 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 5f416a1d..ffc580d5 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -7,35 +7,6 @@ You'll probably want to `push` your config updates to your server and restart th Mails are stored in `/var/mail/${domain}/${username}`. You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. -### How can I use data volume container as proposed above? - -Here is a `docker-compose.yml` example which use a data volume container for email storage named `maildata`. - - maildata: - image: ubuntu - volumes: - - /var/mail - command: /bin/true - - mail: - image: "tvial/docker-mailserver" - hostname: "mail" - domainname: "domain.com" - volumes_from: - - maildata - ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" - volumes: - - ./spamassassin:/tmp/spamassassin/ - - ./postfix:/tmp/postfix/ - - ./opendkim/keys:/etc/opendkim/keys - - ./letsencrypt/etc:/etc/letsencrypt - environment: - - DMS_SSL=letsencrypt - ### What about backups? Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: @@ -66,7 +37,7 @@ Please have a look to the `README` in order to manage users and aliases. Please use `STARTTLS`. ### How can I manage my custom Spamassassin rules? -Antispam rules are managed in `spamassassin/rules.cf`. +Antispam rules are managed in `config/spamassassin-rules.cf`. ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. From e66f6f906bf175e35e81d48a340f14882cf1b92e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 24 Apr 2016 17:57:42 +0200 Subject: [PATCH 040/462] Updated FAQ (markdown) --- docs/content/config/troubleshooting/faq.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index ffc580d5..4950c2b5 100644 --- a/docs/content/config/troubleshooting/faq.md 
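Review bot: this hunk removes the "How can I use data volume container as proposed above?" section, but the "What about backups?" section that follows still begins "Assuming that you use `docker-compose` and a data volume container named `maildata`", so the FAQ now relies on a `maildata` definition it no longer shows. Either keep a minimal `maildata` example or point the backup section at the home page's `docker-compose.yml`, which defines that volume.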
+++ b/docs/content/config/troubleshooting/faq.md @@ -19,8 +19,6 @@ Assuming that you use `docker-compose` and a data volume container named `mailda ### How can I configure my email client? Login are full email address (`user@domain.com`). -Both login and password are managed in `postfix/accounts.cf` file. -Please have a look to the `README` in order to manage users and aliases. # imap username: From e41eaed7d5f8a53f83af34508dfb0f2b18c64af9 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 25 Apr 2016 06:06:15 +0200 Subject: [PATCH 041/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 9fffb355..64ac847c 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -10,8 +10,9 @@ To generate the password you could run for example the following: docker run --rm \ -e MAIL_USER=user1@domain.tld \ + -e MAIL_PASS=mypassword \ -ti tvial/docker-mailserver:v2 \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER )"' + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. From 395acf5e275e6c7a04d1d0a42e8b37374ac5045f Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 25 Apr 2016 06:07:51 +0200 Subject: [PATCH 042/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 64ac847c..4a77301c 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
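Review bot: the accounts hunk adds `-p $MAIL_PASS` and appends straight to `config/postfix-accounts.cf`, but the unchanged sentence after it still says "You will be asked for a password. Just copy all the output string in the file", which was only true for the interactive form without `-p`; update the prose to match (no prompt, output is appended automatically). Passing the password via `-e MAIL_PASS=mypassword` and `-p` also leaves it in shell history and in the container's environment, so the page should mention that or keep the prompting variant as the recommended one.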
@@ -17,4 +17,4 @@ To generate the password you could run for example the following: You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. The `doveadm pw` command let you choose between several encryption schemes for the password. -Use doveadm pw -l to get a list of the currently supported encryption schemes. \ No newline at end of file +Use doveadm pw -l to get a list of the currently supported encryption schemes. From d373185c1d4ccb496f72f07a556dc62407b6a16f Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 25 Apr 2016 06:08:46 +0200 Subject: [PATCH 043/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 4950c2b5..cc867ae3 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -3,6 +3,11 @@ None. No *sql database required. This image is based on config files that can be versioned. You'll probably want to `push` your config updates to your server and restart the container to apply changes. +### What are the file format? + +Of course file are Unix format with LF line endings. +Please do not use CLRF. + ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. From e7f16f56f0f7b577b5f0f4fe8f9314ed9b7eb15c Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 27 Apr 2016 23:54:08 +0200 Subject: [PATCH 044/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) 
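Review bot: the new FAQ entry has a few wording slips: "What are the file format?" should be "What is the file format?", "Of course file are Unix format" should be "Files are in Unix format", and "CLRF" should be "CRLF". It would also help to say what goes wrong with CRLF (for example, trailing `\r` in account names or passwords), since that is why the entry exists.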
diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index 29efe8cc..cab31ffa 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md @@ -1,14 +1,21 @@ -Contribution is like any other GitHub project: - -- Fork -- Improve -- Add integration tests in `test/tests.bats` -- Build image and run tests using `make` -- Document your improvements -- Commit, push and make a pull-request +`docker-mailserver` is OpenSource. That means that you can contribute on enhancements, bug fixing or improving the documentation in the Wiki. #### Project architecture ├── config # User: personal configurations ├── target # Developer: default server configurations └── test # Developer: integration tests + +#### Development Workflow + +When `v2` will be released, the development workflow will be: + +- Fork +- Improve +- Add integration tests in `test/tests.bats` +- Use `make` to build image locally and run tests +- Document your improvements +- Commit, push and make a pull-request on `develop` branch +- When tests are green, your branch is merged and tested on real servers by contributors +- When feedback is positive, develop is merged on master + From 9879d7a80aba0bea6ae1a514e22e2643dcbd3300 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 27 Apr 2016 23:56:55 +0200 Subject: [PATCH 045/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index cab31ffa..b5124751 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md 
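Review bot: in the rewritten `how-to-contribute.md`, "OpenSource" should be "open source", "contribute on enhancements, bug fixing or improving" should be "contribute enhancements, bug fixes or documentation improvements", and "When `v2` will be released, the development workflow will be" should read "When `v2` is released, the development workflow will be". The tree under "Project architecture" is indented code, so it renders fine, but a fence would make the intent explicit.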
@@ -10,12 +10,15 @@ When `v2` will be released, the development workflow will be: -- Fork -- Improve +- Fork and clone your fork +- Create a branch using `git checkout -b branch_name` +- Code :-) - Add integration tests in `test/tests.bats` - Use `make` to build image locally and run tests - Document your improvements - Commit, push and make a pull-request on `develop` branch -- When tests are green, your branch is merged and tested on real servers by contributors -- When feedback is positive, develop is merged on master +- When tests are green, your branch is merged to `develop` +- Docker builds a new `develop` image +- `:develop` image is tested on real servers by contributors +- When feedback is positive, `develop` is merged on `master` From ed9830bb066229f91018f3e4f51cc58ea5fad2f2 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 27 Apr 2016 23:57:11 +0200 Subject: [PATCH 046/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index b5124751..a1107a99 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md @@ -21,4 +21,5 @@ When `v2` will be released, the development workflow will be: - Docker builds a new `develop` image - `:develop` image is tested on real servers by contributors - When feedback is positive, `develop` is merged on `master` +- Docker builds a new `latest` image From ba3a5fb1f0ce68edf3303e602908ad161148090d Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 28 Apr 2016 00:02:56 +0200 Subject: [PATCH 047/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index a1107a99..a29949ee 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md 
@@ -16,10 +16,7 @@ When `v2` will be released, the development workflow will be: - Add integration tests in `test/tests.bats` - Use `make` to build image locally and run tests - Document your improvements -- Commit, push and make a pull-request on `develop` branch -- When tests are green, your branch is merged to `develop` -- Docker builds a new `develop` image -- `:develop` image is tested on real servers by contributors -- When feedback is positive, `develop` is merged on `master` +- Commit, push and make a pull-request +- When tests are green, your branch is merged to `master` - Docker builds a new `latest` image From dc99cf4c9184f159df0e7dbf420b4b09f7c96b7f Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 28 Apr 2016 00:09:05 +0200 Subject: [PATCH 048/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index a29949ee..79bd3fa1 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md @@ -16,7 +16,7 @@ When `v2` will be released, the development workflow will be: - Add integration tests in `test/tests.bats` - Use `make` to build image locally and run tests - Document your improvements -- Commit, push and make a pull-request +- [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request - When tests are green, your branch is merged to `master` - Docker builds a new `latest` image From e291fe67e189fe23a11180b56ff9903df54ef39a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 28 Apr 2016 00:10:25 +0200 Subject: [PATCH 049/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index 79bd3fa1..992dc10a 100644 --- a/docs/content/how-to-contribute.md 
+++ b/docs/content/how-to-contribute.md @@ -8,15 +8,17 @@ #### Development Workflow -When `v2` will be released, the development workflow will be: +The development workflow is the following: -- Fork and clone your fork +- Fork project and clone your fork - Create a branch using `git checkout -b branch_name` - Code :-) - Add integration tests in `test/tests.bats` - Use `make` to build image locally and run tests - Document your improvements - [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request +- Branch is automatically tested on Travis - When tests are green, your branch is merged to `master` +- Master is automatically tested on Travis - Docker builds a new `latest` image From 9592b9f459dae10cef49202f9cf228402fa15f8c Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 28 Apr 2016 09:28:52 +0200 Subject: [PATCH 051/462] Updated How to contribute (markdown) --- docs/content/how-to-contribute.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md index 992dc10a..9cf60b05 100644 --- a/docs/content/how-to-contribute.md +++ b/docs/content/how-to-contribute.md @@ -17,8 +17,8 @@ The development workflow is the following: - Use `make` to build image locally and run tests - Document your improvements - [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request -- Branch is automatically tested on Travis -- When tests are green, your branch is merged to `master` -- Master is automatically tested on Travis +- Pull-request is automatically tested on Travis +- When tests are green, your branch is merged into `master` +- `master` is automatically tested on Travis - Docker builds a new `latest` image From 101a4041718e051cf76f5e5907c9c48e1976ab88 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Stein?= Date: Thu, 28 Apr 2016 10:24:17 +0200 Subject: [PATCH 052/462] Created Configuring Sieve filters (markdown) --- docs/content/advanced/mail-sieve.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/content/advanced/mail-sieve.md diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md new file mode 100644 index 00000000..115186c9 --- /dev/null +++ b/docs/content/advanced/mail-sieve.md @@ -0,0 +1,21 @@ +### User-defined sieve filters + +[Sieve](http://sieve.info/) allows to specify filtering rules for incoming emails that allow for example sorting mails into different folders depending on the title of an email. + +To specify a user-defined Sieve filter place a `.dovecot.sieve` file into a virtual user's mail folder e.g. `/var/mail/domain.com/user1/.dovecot.sieve`. If this file exists dovecot will apply the filtering rules. + +An example of a sieve filter that moves mails to a folder `INBOX/spam` depending on the sender address: + +``` +require ["fileinto", "reject"]; + +if address :contains ["From"] "spam@spam.com" { + fileinto "INBOX.spam"; +} else { + keep; +} +``` + +***Note:*** that folders have to exist beforehand if sieve should move them. + +For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). \ No newline at end of file From ad735ac557a032d38e798065bd8dd352843e29d0 Mon Sep 17 00:00:00 2001 From: 00angus Date: Fri, 29 Apr 2016 10:17:18 +0200 Subject: [PATCH 053/462] Updated Configuring Sieve filters (markdown) --- docs/content/advanced/mail-sieve.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index 115186c9..d003726a 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md 
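Review bot: in the new `advanced/mail-sieve.md` the prose says the filter moves mail to `INBOX/spam`, while the script uses `fileinto "INBOX.spam"`; the folder separator differs, and the text should use the one the script actually targets. The script also requires `"reject"` but never uses it; drop it from the `require` list. Finally, "folders have to exist beforehand if sieve should move them" should be "folders have to exist beforehand if Sieve is to move mail into them".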
@@ -4,6 +4,8 @@ To specify a user-defined Sieve filter place a `.dovecot.sieve` file into a virtual user's mail folder e.g. `/var/mail/domain.com/user1/.dovecot.sieve`. If this file exists dovecot will apply the filtering rules. +It's even possible to install a user provided Sieve filter at startup during users setup: simply include a Sieve file in the `config `path for each user login that need a filter. The file name provided should be in the form **\.dovecot.sieve**, so for example for `user1@domain.tld` you should provide a Sieve file named `config/user1@domain.tld.dovecot.sieve`. + An example of a sieve filter that moves mails to a folder `INBOX/spam` depending on the sender address: ``` @@ -18,4 +20,13 @@ if address :contains ["From"] "spam@spam.com" { ***Note:*** that folders have to exist beforehand if sieve should move them. -For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). \ No newline at end of file + +Another example of a sieve filter that forward mails to a different address: + +``` +require ["copy"]; + +redirect :copy "user2@otherdomain.tld"; +``` + +For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). Other resources are available on the internet where you can find several [examples](https://support.tigertech.net/sieve#sieve-example-rules-jmp). \ No newline at end of file From 4fa0f42f6eb05a4af1abd928948aac705dd06f88 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Stein?= Date: Fri, 29 Apr 2016 17:36:17 +0200 Subject: [PATCH 054/462] Updated Configuring Sieve filters (markdown) --- docs/content/advanced/mail-sieve.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index d003726a..debd0177 100644 --- a/docs/content/advanced/mail-sieve.md 
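Review bot: the new paragraph has a stray space inside the code span (`` `config `path ``), and the file-name pattern "**\.dovecot.sieve**" has lost its login placeholder (presumably eaten by Markdown escaping), so the rule is only recoverable from the `config/user1@domain.tld.dovecot.sieve` example that follows; restore the placeholder in the pattern. The second example, `redirect :copy "user2@otherdomain.tld";`, has no condition and therefore forwards a copy of every incoming message to that address; the sentence "Another example of a sieve filter that forward mails" should become "forwards all mails" so readers understand the scope before installing it.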
+++ b/docs/content/advanced/mail-sieve.md @@ -29,4 +29,25 @@ require ["copy"]; redirect :copy "user2@otherdomain.tld"; ``` -For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). Other resources are available on the internet where you can find several [examples](https://support.tigertech.net/sieve#sieve-example-rules-jmp). \ No newline at end of file +For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). Other resources are available on the internet where you can find several [examples](https://support.tigertech.net/sieve#sieve-example-rules-jmp). + +### Manage Sieve + +The [Manage Sieve](http://wiki1.dovecot.org/ManageSieve) extension allows users to modify their Sieve script by themselves. The authentication mechanisms are the same as for the main dovecot service. ManageSieve runs on port `4190` and needs to be enabled using the `ENABLE_MANAGESIEVE=1` environment variable. + +``` +(docker-compose.yml) +ports: + - ... + - "4190:4190" +environment: + - ... + - ENABLE_MANAGESIEVE=1 +``` + +All user defined sieve scripts that are managed by ManageSieve are stored in the user's home folder in `/var/mail/domain.com/user1/sieve`. Just one sieve script might be active for a user and is sym-linked to `/var/mail/domain.com/user1/.dovecot.sieve` automatically. + +***Note:*** ManageSieve makes sure to not overwrite an existing `.dovecot.sieve` file. If a user activates a new sieve script the old one is backuped and moved to the `sieve` folder. + +The extension is known to work with the following ManageSieve clients: + * Thunderbird with latest **Sieve** extension. If the extension doesn't work with the add-on available directly from within Thunderbird, try the developer build at https://github.com/thsmi/sieve. \ No newline at end of file From df0ad1ebfdf1bfbe28ffcb9533e6871491d34afb Mon Sep 17 00:00:00 2001 
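Review bot: the ManageSieve section says the authentication mechanisms are the same as for the main Dovecot service and exposes port `4190`, but does not say whether TLS (STARTTLS) is required on that port; since user credentials travel over it, the page should state what is enforced. Wording: "Just one sieve script might be active" should be "Only one Sieve script can be active", "backuped" should be "backed up", and the client list item is indented with a leading space before `*`, which some renderers treat as a continuation rather than a list. The file also again ends without a trailing newline.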
From: Tobias Rittig Date: Sun, 1 May 2016 15:19:33 +0200 Subject: [PATCH 055/462] #Fix shadowing of local opendkim folder over ./config/opendkim/ --- docs/content/index.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index be7061f0..569b1ab4 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -26,7 +26,6 @@ Adapt this file with your FQDN. - "993:993" volumes: - ./config/:/tmp/docker-mailserver/ - - ./opendkim/:/tmp/docker-mailserver/opendkim/ volumes: maildata: From 756c6e3af21195d1407768450ecf1fea2b629e37 Mon Sep 17 00:00:00 2001 From: Alexey Bednyakov Date: Mon, 9 May 2016 06:21:39 +0400 Subject: [PATCH 056/462] This was a bit confusing --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 569b1ab4..3274dde4 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -2,7 +2,7 @@ #### Get v2 image - docker pull tvial/docker-mailserver:v2 + docker pull tvial/docker-mailserver:latest #### Create a `docker-compose.yml` From f82e56f75be8e31a77685d967432c285e24ef088 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 9 May 2016 09:27:34 +0200 Subject: [PATCH 057/462] Updated Home (markdown) --- docs/content/index.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 3274dde4..ebe48ef0 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -1,8 +1,8 @@ ## Usage -#### Get v2 image +#### Get latest image - docker pull tvial/docker-mailserver:latest + docker pull tvial/docker-mailserver:latest #### Create a `docker-compose.yml` 
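Review bot: PATCH 056 changes only the `docker pull` line to `latest` while the `docker-compose.yml` on the same page still pins `image: tvial/docker-mailserver:v2` (the next patch shows that line), so a reader following the page pulls one tag and runs another; update both in the same change.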
@@ -12,19 +12,18 @@ Adapt this file with your FQDN. services: mail: - image: tvial/docker-mailserver:v2 + image: tvial/docker-mailserver:latest # build: . hostname: mail domainname: domain.com container_name: mail - volumes: - - maildata:/var/mail ports: - "25:25" - "143:143" - "587:587" - "993:993" volumes: + - maildata:/var/mail - ./config/:/tmp/docker-mailserver/ volumes: @@ -39,14 +38,14 @@ Don't forget to adapt MAIL_USER and MAIL_PASS to your needs docker run --rm \ -e MAIL_USER=user1@domain.tld \ -e MAIL_PASS=mypassword \ - -ti tvial/docker-mailserver:v2 \ + -ti tvial/docker-mailserver:latest \ /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf #### Generate DKIM keys docker run --rm \ -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:v2 generate-dkim-config + -ti tvial/docker-mailserver:latest generate-dkim-config Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. @@ -54,4 +53,4 @@ Now the keys are generated, you can configure your DNS server by just pasting th docker-compose up -d mail -You're done! +You're done! \ No newline at end of file From 6278567fb3e40b273ce79789ac75e1b2cbc21a62 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Tue, 10 May 2016 07:37:47 +0200 Subject: [PATCH 058/462] v2 is now latest --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 3863e32d..e04f2200 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
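Review bot: in the PATCH 057 index.md hunks, the context line still reads `config/opedkim/keys/domain.tld/mail.txt`; the directory is `opendkim`, as in the `./opendkim/` mount removed in PATCH 055, so fix the typo while the paragraph is being touched. The last hunk also strips the trailing newline from `You're done!` (`\ No newline at end of file`), which this wiki export does repeatedly; keep the final newline.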
@@ -3,7 +3,7 @@ Once its done, just run: docker run --rm \ -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:v2 generate-dkim-config + -ti tvial/docker-mailserver:latest generate-dkim-config Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. From 7c3902f86f1e407e7b762e1416aae66be5597564 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 11 May 2016 10:28:51 +0200 Subject: [PATCH 059/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 4a77301c..1833ff17 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -11,7 +11,7 @@ To generate the password you could run for example the following: docker run --rm \ -e MAIL_USER=user1@domain.tld \ -e MAIL_PASS=mypassword \ - -ti tvial/docker-mailserver:v2 \ + -ti tvial/docker-mailserver:latest \ /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. From 85d4f006b1e11ff18fd4ff9944d593007391216d Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Fri, 13 May 2016 13:21:35 +0200 Subject: [PATCH 060/462] Add detailed --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 12013653..47ef6e6f 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
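Review bot: the PATCH 059 accounts.md hunk only swaps the image tag and keeps `doveadm pw -s CRAM-MD5`; a stored CRAM-MD5 hash is password-equivalent, so anyone who reads `config/postfix-accounts.cf` can authenticate without cracking anything. Recommend a salted scheme such as `SHA512-CRYPT` in the example (the later patches on this page make exactly that change) and state the reason in the text.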
@@ -12,7 +12,7 @@ To enable Let's Encrypt on your mail server, you have to: * get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) * add an environment variable `SSL_TYPE` with value `letsencrypt` (see `docker-compose.yml.dist`) * mount your whole `letsencrypt` folder to `/etc/letsencrypt` -* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. +* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. The full qualified domain name (`fqdn`) inside the docker container is build combining the hostname and domainname values of the docker-compose file. You don't have anything else to do. Enjoy. From d113a5717fe8eff4de36137ca1d5db01292a8a36 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Fri, 13 May 2016 13:24:59 +0200 Subject: [PATCH 061/462] Add more informations how the fqdn is composed --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 47ef6e6f..70acbeb7 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
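Review bot: the sentence added in PATCH 060 should read "The fully qualified domain name (`fqdn`) inside the container is built by combining the `hostname` and `domainname` values of the compose file"; "full qualified" and "is build" are grammatical errors, and `hostname`/`domainname` are YAML keys and belong in backticks.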
@@ -12,7 +12,7 @@ To enable Let's Encrypt on your mail server, you have to: * get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) * add an environment variable `SSL_TYPE` with value `letsencrypt` (see `docker-compose.yml.dist`) * mount your whole `letsencrypt` folder to `/etc/letsencrypt` -* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. The full qualified domain name (`fqdn`) inside the docker container is build combining the hostname and domainname values of the docker-compose file. +* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. The full qualified domain name (`fqdn`) inside the docker container is build combining the `hostname` and `domainname` values of the docker-compose file, e. g.: hostname: `mail`; domainname: `myserver.tld`; fqdn: `mail.myserver.tld` You don't have anything else to do. Enjoy. From 049c9a8311b1233ba8e9b0820d7bea29c3c530a4 Mon Sep 17 00:00:00 2001 From: Thomas Schmit Date: Sun, 15 May 2016 13:08:50 +0200 Subject: [PATCH 062/462] Create the postfix-accounts.cf file before using Docker --- docs/content/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/index.md b/docs/content/index.md index ebe48ef0..36bd0622 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -35,6 +35,7 @@ Adapt this file with your FQDN. Don't forget to adapt MAIL_USER and MAIL_PASS to your needs mkdir -p config + touch config/postfix-accounts.cf docker run --rm \ -e MAIL_USER=user1@domain.tld \ -e MAIL_PASS=mypassword \ From 6c59d1fde261fccbcb0fa78b3ec65a738cfad712 Mon Sep 17 00:00:00 2001 
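Review bot: the PATCH 061 rewrite repeats "full qualified" and "is build" from the previous version, and "e. g." should be "e.g."; the example reads better as a short list than run into the sentence: hostname `mail`, domainname `myserver.tld`, fqdn `mail.myserver.tld`.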
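Review bot: in PATCH 062 the added `touch config/postfix-accounts.cf` is redundant, because the following `>> config/postfix-accounts.cf` redirection already creates the file when it is missing; if the `touch` is there for another reason (for example so the file exists before a later `-v "$(pwd)/config"` mount), the text should say so, otherwise drop it.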
From: Thomas VIAL Date: Thu, 19 May 2016 13:28:04 +0200 Subject: [PATCH 063/462] Created Override default postfix configuration (markdown) --- docs/content/advanced/override-defaults/postfix.md | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 docs/content/advanced/override-defaults/postfix.md diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md new file mode 100644 index 00000000..fd839c12 --- /dev/null +++ b/docs/content/advanced/override-defaults/postfix.md @@ -0,0 +1,7 @@ +Postfix default configuration can easily be overrided providing a `config/postfix-main.cf` at postfix format. +This can be used to also add configuration that are not in out default configuration. + +Each line in the provided line will be loaded into postfix. + +Have a look to the code for more information: +https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L196-L206 \ No newline at end of file From 0436172059db3615cadbc18f42184f42f221bd4e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 19 May 2016 13:30:20 +0200 Subject: [PATCH 064/462] Updated Override default postfix configuration (markdown) --- docs/content/advanced/override-defaults/postfix.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index fd839c12..e979b8ff 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -1,5 +1,6 @@ Postfix default configuration can easily be overrided providing a `config/postfix-main.cf` at postfix format. This can be used to also add configuration that are not in out default configuration. +[Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. Each line in the provided line will be loaded into postfix. 
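Review bot: the new postfix.md page in PATCH 063 needs a wording pass: "overrided" should be "overridden", "at postfix format" should be "in Postfix `main.cf` format", "not in out default configuration" should be "not in our default configuration", and "Each line in the provided line" should be "Each line in the provided file". It should also say what happens to a key that already exists in the default configuration (replaced or appended), since the current text only says lines are "loaded".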
From 3612f314dec48078343dc278bb73d967235e838f Mon Sep 17 00:00:00 2001 From: Thorsten von Eicken Date: Mon, 23 May 2016 21:08:23 -0700 Subject: [PATCH 065/462] Associated with PR #194 --- docs/content/config/user-management/aliases.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index d54a6230..5f45d6d6 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md @@ -1,5 +1,7 @@ Please first read [Postfix documentation on virtual aliases](http://www.postfix.org/VIRTUAL_README.html#virtual_alias). +### Configuring aliases + Aliases are managed in `config/postfix-virtual.cf`. An alias is a full email address that will be: * delivered to an existing account in `config/postfix-accounts.cf` @@ -13,4 +15,12 @@ Example: alias1@domain.tld user1@domain.tld # Forward to external email address - alias2@domain.tld external@gmail.com \ No newline at end of file + alias2@domain.tld external@gmail.com + +### Configuring regexp aliases + +Additional regexp aliases can be configured by placing them into config/postfix-regexp.cf. The regexp aliases get evaluated after the virtual aliases (postfix-virtual.cf). For example, the following config/postfix-regexp.cf causes all email to "test" users to be delivered to qa@example.com: + +``` +/^test[0-9][0-9]*@example.com/ qa@example.com +``` From 280c68872adc5ffbce400c06f216daf003f137c3 Mon Sep 17 00:00:00 2001 From: Thorsten von Eicken Date: Mon, 23 May 2016 21:16:59 -0700 Subject: [PATCH 066/462] Support for AWS SES provided in PR #194 --- .../advanced/mail-forwarding/aws-ses.md | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 docs/content/advanced/mail-forwarding/aws-ses.md diff --git a/docs/content/advanced/mail-forwarding/aws-ses.md b/docs/content/advanced/mail-forwarding/aws-ses.md new file mode 100644 index 00000000..a6587cca 
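Review bot: the regexp alias example in PATCH 065, `/^test[0-9][0-9]*@example.com/`, has an unescaped `.` and no end anchor, so it also matches addresses such as `test1@exampleXcom` or `test1@example.com.other`; use `/^test[0-9]+@example\.com$/`. The file names `config/postfix-regexp.cf` and `postfix-virtual.cf` should be in backticks like the rest of the page.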
--- /dev/null +++ b/docs/content/advanced/mail-forwarding/aws-ses.md @@ -0,0 +1,22 @@ +Instead of letting postfix deliver mail directly it is possible to configure it to deliver outgoing email via Amazon SES (Simple Email Service). (Receiving inbound email via SES is not implemented.) The configuration follows the guidelines provided by AWS in http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html, specifically, the STARTTLS method. + +As described in the AWS Developer Guide you will have to generate SMTP credentials and define the following two environment variables in the docker-compose.yml with the appropriate values for your AWS SES subscription (the values for AWS_SES_USERPASS are the "SMTP username" and "SMTP password" provided when you create SMTP credentials for SES): + +``` + environment: + - AWS_SES_HOST=email-smtp.us-east-1.amazonaws.com + - AWS_SES_USERPASS=AKIAXXXXXXXXXXXXXXXX:kqXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX +``` + +When you start the container you will see a log line as follows confirming the configuration: +``` +Setting up outgoing email via AWS SES host email-smtp.us-east-1.amazonaws.com +``` +To verify proper operation, send an email to some external account of yours and inspect the mail headers. You will also see the connection to SES in the mail logs. For example: +``` +May 23 07:09:36 mail postfix/smtp[692]: Trusted TLS connection established to email-smtp.us-east-1.amazonaws.com[107.20.142.169]:25: +TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) +May 23 07:09:36 mail postfix/smtp[692]: 8C82A7E7: to=, relay=email-smtp.us-east-1.amazonaws.com[107.20.142.169]:25, +delay=0.35, delays=0/0.02/0.13/0.2, dsn=2.0.0, status=sent (250 Ok 01000154dc729264-93fdd7ea-f039-43d6-91ed-653e8547867c-000000) + +``` From db698ba9dbbf261940c3e7db3376491092ade58c Mon Sep 17 00:00:00 2001 
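Review bot: `AWS_SES_USERPASS` in PATCH 066 places a long-lived SMTP credential in clear text in `docker-compose.yml`; the page should say how to keep it out of the committed file (an `env_file:` or shell-side substitution) and suggest a credential scoped to sending only. In the sample log the recipient was lost (`to=,`) because the angle-bracketed address was swallowed as HTML; show it as `to=<user@example.com>` inside the fence, and note that the log lines are hard-wrapped mid-field, which breaks searching for them.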
From: Thorsten von Eicken Date: Tue, 31 May 2016 19:16:51 -0700 Subject: [PATCH 067/462] add info for verify-only DKIM --- docs/content/config/best-practices/dkim.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index e04f2200..952f1e41 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -12,4 +12,23 @@ Now the keys are generated, you can configure your DNS server by just pasting th mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.tld +``` + +## Verify-only + +If you want DKIm to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): +``` +# This is a simple config file verifying messages only + +#LogWhy yes +Syslog yes +SyslogSuccess yes + +Socket inet:12301@localhost +PidFile /var/run/opendkim/opendkim.pid + +ReportAddress postmaster@voneicken.com +SendReports yes + +Mode v ``` \ No newline at end of file From e45d58cac0694a6b5fcbb721f2970f3f9e7b4c36 Mon Sep 17 00:00:00 2001 From: Thorsten von Eicken Date: Tue, 31 May 2016 19:22:15 -0700 Subject: [PATCH 068/462] added Fail2ban config page --- docs/content/config/security/fail2ban.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 docs/content/config/security/fail2ban.md diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md new file mode 100644 index 00000000..3761dfdd --- /dev/null +++ b/docs/content/config/security/fail2ban.md 
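Review bot: the verify-only `opendkim.conf` in PATCH 067 sets `ReportAddress postmaster@voneicken.com`, a real personal domain, in an example meant to be copied; use a placeholder such as `postmaster@my-domain.com`. Also "DKIm" should be "DKIM", and since the text admits there is no mechanism to install this file short of forking, the section should say which file in the image it would replace so readers know where to put it.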
@@ -0,0 +1,15 @@ +Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes, see https://github.com/tve/docker-mailserver/blob/master/target/fail2ban/jail.conf#L58-L66 for these configs. + +__Important__: the mail container must be launched with the NET_ADMIN capability in order to be able to install the iptable rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the docker run commandline or the equivalent docker-compose.yml: +``` + cap_add: + - NET_ADMIN +``` +If you don't you will see errors of the form +``` +iptables -w -X f2b-postfix -- stderr: "getsockopt failed strangely: Operation not permitted\niptables v1.4.21: can't initialize iptabl +es table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\niptables v1.4.21: can' +t initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n" +2016-06-01 00:53:51,284 fail2ban.action [678]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission - +j f2b-postfix +``` \ No newline at end of file From 7c825641f031b2a81efea51857a0f4b17c159231 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 1 Jun 2016 12:43:13 +0200 Subject: [PATCH 069/462] Fixed repo URL --- docs/content/config/security/fail2ban.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 3761dfdd..2451f643 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md 
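Review bot: the jail link in PATCH 068 points at the `tve/docker-mailserver` fork rather than the upstream project, so it documents whatever that fork happens to contain. The `NET_ADMIN` paragraph should also state the scope of what is granted: with the default bridge network the iptables rules apply inside the container's own network namespace, whereas with `network_mode: host` the same rules modify the host firewall.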
@@ -1,4 +1,4 @@ -Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes, see https://github.com/tve/docker-mailserver/blob/master/target/fail2ban/jail.conf#L58-L66 for these configs. +Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes, see https://github.com/tomav/docker-mailserver/blob/master/target/fail2ban/jail.conf#L58-L66 for these configs. __Important__: the mail container must be launched with the NET_ADMIN capability in order to be able to install the iptable rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the docker run commandline or the equivalent docker-compose.yml: ``` From 121a01fa4b0f84271eec56a501e3f28b594b45b5 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 1 Jun 2016 15:59:50 +0200 Subject: [PATCH 070/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 952f1e41..2f5df5b8 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -16,7 +16,7 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " ## Verify-only -If you want DKIm to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): +If you want DKIM to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): ``` # This is a simple config file verifying messages only @@ -27,7 +27,7 @@ SyslogSuccess yes Socket inet:12301@localhost PidFile /var/run/opendkim/opendkim.pid -ReportAddress postmaster@voneicken.com +ReportAddress postmaster@my-domain.com SendReports yes Mode v 
From 29b2233ba8451a66e0972a1122a137acbd69b3fc Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 1 Jun 2016 16:00:02 +0200 Subject: [PATCH 071/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 2f5df5b8..8319916f 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -25,7 +25,7 @@ Syslog yes SyslogSuccess yes Socket inet:12301@localhost -PidFile /var/run/opendkim/opendkim.pid +PidFile /var/run/opendkim/opendkim.pid ReportAddress postmaster@my-domain.com SendReports yes From 0dd6dc632400db49f6742f3b6617a318d0c1a96b Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 1 Jun 2016 21:08:22 +0200 Subject: [PATCH 072/462] Describe dovecot.cf --- docs/content/advanced/override-defaults/dovecot.md | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 docs/content/advanced/override-defaults/dovecot.md diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md new file mode 100644 index 00000000..e3059f7b --- /dev/null +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -0,0 +1,3 @@ +Dovecot default configuration can easily be overrided providing a `config/dovecot.cf`. +This can be used to also add configuration that are not in out default configuration. +[Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. \ No newline at end of file From 1dee4065da46010e5418e5bcb1113d29ca572423 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 1 Jun 2016 21:12:41 +0200 Subject: [PATCH 073/462] Improve linguistic style --- docs/content/advanced/override-defaults/dovecot.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
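Review bot: the `PidFile` hunk in PATCH 071 shows identical text on the removed and added lines, so this is a whitespace-only change; the commit message "Updated Configure DKIM (markdown)" should say so, or the change should be folded into the previous patch.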
diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index e3059f7b..12fc07e7 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -1,3 +1,3 @@ -Dovecot default configuration can easily be overrided providing a `config/dovecot.cf`. -This can be used to also add configuration that are not in out default configuration. +The Dovecot default configuration can easily be overridden providing a `config/dovecot.cf` file. +This file can also be used to specify additional configurations. [Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. \ No newline at end of file From a1158889fea75d2e062903df5ec6ba7e85abaf50 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 1 Jun 2016 21:13:39 +0200 Subject: [PATCH 074/462] Fix typos --- docs/content/advanced/override-defaults/postfix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index e979b8ff..2e7d5e24 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -1,4 +1,4 @@ -Postfix default configuration can easily be overrided providing a `config/postfix-main.cf` at postfix format. +The Postfix default configuration can easily be overridden providing a `config/postfix-main.cf` at postfix format. This can be used to also add configuration that are not in out default configuration. [Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. From 977cda00a0e130d5b943f0ae62d87a8c94520bd2 Mon Sep 17 00:00:00 2001 
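Review bot: PATCH 074 ("Fix typos") fixes only "overrided"; the context line immediately below still reads "not in out default configuration", and "Each line in the provided line" later on the same page is also wrong ("file"). Both could be fixed in the same commit.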
From: Dominik Winter Date: Sat, 4 Jun 2016 13:25:15 +0200 Subject: [PATCH 075/462] Updated Configure Fail2ban (markdown) --- docs/content/config/security/fail2ban.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 2451f643..3b789d90 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md @@ -1,6 +1,6 @@ -Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes, see https://github.com/tomav/docker-mailserver/blob/master/target/fail2ban/jail.conf#L58-L66 for these configs. +Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes by default. If you want to change this, you can easily edit [config/fail2ban-jail.cf](https://github.com/tomav/docker-mailserver/blob/master/config/fail2ban-jail.cf). -__Important__: the mail container must be launched with the NET_ADMIN capability in order to be able to install the iptable rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the docker run commandline or the equivalent docker-compose.yml: +__Important__: The mail container must be launched with the NET_ADMIN capability in order to be able to install the iptable rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the docker run commandline or the equivalent docker-compose.yml: ``` cap_add: - NET_ADMIN From def7b556472604f06f4be359b0f2ca677a0b072b Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Tue, 14 Jun 2016 18:04:21 +0200 Subject: [PATCH 076/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 36bd0622..2235faf5 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
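Review bot: in PATCH 075 "install the iptable rules" should be "iptables rules", and the new sentence should name the jail file as `config/fail2ban-jail.cf` in backticks consistent with the rest of the docs; linking to `master` means the linked defaults can drift from the text's "3 hours after 3 failed attempts in 10 minutes".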
@@ -40,7 +40,7 @@ Don't forget to adapt MAIL_USER and MAIL_PASS to your needs -e MAIL_USER=user1@domain.tld \ -e MAIL_PASS=mypassword \ -ti tvial/docker-mailserver:latest \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf #### Generate DKIM keys From b21282cea8bb99e840cd3c075ae01471b969b462 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Tue, 14 Jun 2016 18:07:42 +0200 Subject: [PATCH 077/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 1833ff17..a360a5ac 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -3,8 +3,8 @@ Just add the full email address and its encrypted password separated by a pipe. Example: - user1@domain.tld|{CRAM-MD5}mypassword-cram-md5-encrypted - user2@otherdomain.tld|{CRAM-MD5}myotherpassword-cram-md5-encrypted + user1@domain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 + user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 To generate the password you could run for example the following: 
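Review bot: in the first PATCH 077 hunk both example accounts carry the same `{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$...` value, that is the same salt and the same password; generate two distinct values so the example does not suggest that reuse is expected.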
@@ -12,9 +12,9 @@ To generate the password you could run for example the following: -e MAIL_USER=user1@domain.tld \ -e MAIL_PASS=mypassword \ -ti tvial/docker-mailserver:latest \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s CRAM-MD5 -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. The `doveadm pw` command let you choose between several encryption schemes for the password. -Use doveadm pw -l to get a list of the currently supported encryption schemes. +Use doveadm pw -l to get a list of the currently supported encryption schemes. \ No newline at end of file From ce8d586701bf862f5aec9bb4ee1d09644dc76a5e Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 23 Jul 2016 18:38:34 +0200 Subject: [PATCH 078/462] Updated Override default postfix configuration (markdown) --- docs/content/advanced/override-defaults/postfix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 2e7d5e24..dc6ee652 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -5,4 +5,4 @@ This can be used to also add configuration that are not in out default configura Each line in the provided line will be loaded into postfix. Have a look to the code for more information: -https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L196-L206 \ No newline at end of file +https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L205-L215 \ No newline at end of file From f3c7e7bc0bfdd808e3865cdfb5d4961fb05f1ead Mon Sep 17 00:00:00 2001 
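Review bot: the second PATCH 077 hunk keeps the context sentence "You will be asked for a password", which is no longer true because the command passes `-p $MAIL_PASS`; with `-p`, the password is also visible in the container's process list and, via `-e MAIL_PASS`, in `docker inspect`. Either drop `-p` so `doveadm pw` prompts interactively and the sentence becomes correct, or reword the sentence. Also "let you choose" should be "lets you choose".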
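Review bot: PATCH 078 moves the `start-mailserver.sh#L196-L206` link to `#L205-L215`, which shows that a line-range link on `master` goes stale with every edit to the script; link to a permalink at a specific commit, or describe the behaviour in the text instead of pointing at line numbers.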
From: Kyle Ondy Date: Thu, 28 Jul 2016 14:00:32 -0400 Subject: [PATCH 079/462] docker run --rm -it tvial/docker-mailserver:latest sh -c "dovecot --version" 2.2.9 --- docs/content/advanced/mail-sieve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index debd0177..bae29d06 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md @@ -33,7 +33,7 @@ For more examples or a detailed description of the Sieve language have a look at ### Manage Sieve -The [Manage Sieve](http://wiki1.dovecot.org/ManageSieve) extension allows users to modify their Sieve script by themselves. The authentication mechanisms are the same as for the main dovecot service. ManageSieve runs on port `4190` and needs to be enabled using the `ENABLE_MANAGESIEVE=1` environment variable. +The [Manage Sieve](http://wiki2.dovecot.org/Pigeonhole/ManageSieve) extension allows users to modify their Sieve script by themselves. The authentication mechanisms are the same as for the main dovecot service. ManageSieve runs on port `4190` and needs to be enabled using the `ENABLE_MANAGESIEVE=1` environment variable. ``` (docker-compose.yml) From 01afb57ffa404db439bb3e5ba1da022a6951f33d Mon Sep 17 00:00:00 2001 From: Zehir Date: Wed, 17 Aug 2016 13:50:18 +0200 Subject: [PATCH 080/462] More details on the generation of DKIM key --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 8319916f..8bf2b9cf 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -1,5 +1,5 @@ To enable DKIM signature, you must have created your mail accounts. -Once its done, just run: +Once its done, just run from inside the directory of docker-compose.yml: docker run --rm \ -v "$(pwd)/config":/tmp/docker-mailserver \ 
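Review bot: the PATCH 080 sentence should read "Once it's done, run the following from the directory containing `docker-compose.yml`"; it is worth adding the reason, which the hunk shows: the command mounts `"$(pwd)/config"`, so it only works where that relative `config` directory lives.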
From d2a9e6c1ee6ed2d696cd3071bfd11dfa2eb21571 Mon Sep 17 00:00:00 2001 From: GrupoCITEC Date: Wed, 17 Aug 2016 09:38:35 -0300 Subject: [PATCH 081/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 70acbeb7..f10aea36 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -20,7 +20,7 @@ You don't have anything else to do. Enjoy. You can easily generate a self-signed SSL certificate by using the following command: - docker run -ti --rm -v "$(pwd)"/postfix/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate + docker run -ti --rm -v "$(pwd)"/config/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate # Press enter # Enter a password when needed 
@@ -33,11 +33,11 @@ You can easily generate a self-signed SSL certificate by using the following com # 1 out of 1 certificate requests certified, commit? [y/n]y # will generate: - # postfix/ssl/mail.my-domain.com-key.pem (used in postfix) - # postfix/ssl/mail.my-domain.com-req.pem (only used to generate other files) - # postfix/ssl/mail.my-domain.com-cert.pem (used in postfix) - # postfix/ssl/mail.my-domain.com-combined.pem (used in courier) - # postfix/ssl/demoCA/cacert.pem (certificate authority) + # config/ssl/mail.my-domain.com-key.pem (used in postfix) + # config/ssl/mail.my-domain.com-req.pem (only used to generate other files) + # config/ssl/mail.my-domain.com-cert.pem (used in postfix) + # config/ssl/mail.my-domain.com-combined.pem (used in courier) + # config/ssl/demoCA/cacert.pem (certificate authority) Note that the certificate will be generate for the container `fqdn`, that is passed as `-h` argument. Check the following page for more information regarding [postfix and SSL/TLS configuration](http://www.mad-hacking.net/documentation/linux/applications/mail/using-ssl-tls-postfix-courier.xml). @@ -45,7 +45,7 @@ Check the following page for more information regarding [postfix and SSL/TLS con To use the certificate: * add an `DMS_SSL=self-signed` to your container environment variables -* if a matching certificate (files listed above) is found in `postfix/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `postfix/ssl` folder. +* if a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `config/ssl` folder. ### Testing certificate From feeb0aba6ec5c19c442efeb7ecaea69f8f50d094 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 18 Aug 2016 09:54:38 +0200 Subject: [PATCH 082/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
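Review bot: the PATCH 081 hunks only move the path from `postfix/ssl` to `config/ssl`, leaving several stale items on the same page: the self-signed section enables the certificate with `DMS_SSL=self-signed` while the Let's Encrypt section above uses `SSL_TYPE=letsencrypt`, so one of the variable names is wrong; the comments still say "used in courier" and "courier-imap-ssl" although the image runs Dovecot; the `docker run` line passes both `-ti` and `-t`; and "will be generate for the container `fqdn`" should be "generated".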
diff --git a/docs/content/index.md b/docs/content/index.md index 2235faf5..392307a9 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -48,7 +48,7 @@ Don't forget to adapt MAIL_USER and MAIL_PASS to your needs -v "$(pwd)/config":/tmp/docker-mailserver \ -ti tvial/docker-mailserver:latest generate-dkim-config -Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. +Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. #### Start the container From 3b7ed57dde973a8655af225978b76887b698a32c Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 21 Aug 2016 14:02:06 +0200 Subject: [PATCH 083/462] Add documentation proposal for fetchmail service --- docs/content/advanced/mail-fetchmail.md | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 docs/content/advanced/mail-fetchmail.md diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md new file mode 100644 index 00000000..b7b44c9f --- /dev/null +++ b/docs/content/advanced/mail-fetchmail.md @@ -0,0 +1,9 @@ +# Warning! Not yet implemented feature + +To enable the `fetchmail` service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1` +Your docker-compose.yml file should look like following snippet: + +``` +- ENABLE_FETCHMAIL=1 +``` + From 45bc1a44d32517dd0afac060453a7fcc7dfd0500 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 21 Aug 2016 14:03:37 +0200 Subject: [PATCH 084/462] Better docker-compose example --- docs/content/advanced/mail-fetchmail.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index b7b44c9f..52625cf6 100644 --- a/docs/content/advanced/mail-fetchmail.md 
+++ b/docs/content/advanced/mail-fetchmail.md @@ -1,9 +1,12 @@ # Warning! Not yet implemented feature To enable the `fetchmail` service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1` -Your docker-compose.yml file should look like following snippet: +Your `docker-compose.yml` file should look like following snippet: ``` -- ENABLE_FETCHMAIL=1 +... +environment: + - ENABLE_FETCHMAIL=1 +... ``` From e633624155512248326b44de1dd2d5ff4aa77a1f Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 21 Aug 2016 14:10:33 +0200 Subject: [PATCH 085/462] Add configuration examples --- docs/content/advanced/mail-fetchmail.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 52625cf6..0fd7832d 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -10,3 +10,26 @@ environment: ... ``` +Generate a file called `fetchmail.cf` and place it in the `config` folder. + +## Example IMAP configuration + +``` +poll imap.example.com with proto IMAP + user 'username' there with + password 'secret' + is 'user1@domain.tld' + here ssl +``` + +## Example POP3 configuration + +``` +poll pop3.example.com with proto POP3 + user 'username' there with + password 'secret' + is 'user2@domain.tld' + here options keep ssl +``` + +By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. \ No newline at end of file From b8a31a801b0b90b903f0f287bfa3f4bf7562d9c1 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sun, 21 Aug 2016 22:11:11 +0200 Subject: [PATCH 086/462] Updated Home (markdown) --- docs/content/index.md | 68 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 392307a9..05e1f30c 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
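Review bot: the IMAP and POP3 examples store the remote account password in clear text (`password 'secret'`) in `config/fetchmail.cf`, and the hunk does not say how that file should be protected; suggest adding that it should be readable only by the user running the container and excluded from any repository the `config` folder is checked into. Also, `searches very 5 minutes` should read `every 5 minutes`, and the new last line lacks a trailing newline.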
@@ -54,4 +54,70 @@ Now the keys are generated, you can configure your DNS server by just pasting th docker-compose up -d mail -You're done! \ No newline at end of file +You're done! + +## Environment variables + +Please check [how the container starts](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh) to understand what's expected. + +Value in **bold** is the default value. + +##### ENABLE_POP3 + + - **empty** => POP3 service disabled + - 1 => Enables POP3 service + +##### ENABLE_FAIL2BAN + + - **empty** => fail2ban service disabled + - 1 => Enables fail2ban service + +If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: + + cap_add: + - NET_ADMIN + +Otherwise, `iptables` won't be able to ban IPs. + +##### ENABLE_MANAGESIEVE + + - **empty** => Managesieve service disabled + - 1 => Enables Managesieve on port 4190 + +##### SA_TAG + + - **2.0** => add spam info headers if at, or above that level + +##### SA_TAG2 + + - **6.31** => add 'spam detected' headers at that level + +##### SA_KILL + + - **6.31** => triggers spam evasive actions + +##### SASL_PASSWD + + - **empty** => No sasl_passwd will be created + - string => `/etc/postfix/sasl_passwd` will be created with the string as password + +##### SMTP_ONLY + + - **empty** => all daemons start + - 1 => only launch postfix smtp + +##### SSL_TYPE + + - **empty** => SSL disabled + - letsencrypt => Enables Let's Encrypt certificates + - custom => Enables custom certificates + - self-signed => Enables self-signed certificates + +Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information. + +##### PERMIT_DOCKER + +Set different options for mynetworks option (can be overwrite in postfix-main.cf) + - **empty** => localhost only + - host => Add docker host (ipv4 only) + - network => Add all docker containers (ipv4 only) \ No newline at end of file 
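Review bot: the `PERMIT_DOCKER` entry should spell out the trust consequence: `host` and `network` add addresses to the Postfix `mynetworks` list, so with `network` every container on the Docker network can relay mail through this server without authenticating; a sentence saying so, and that the empty default is the safe choice, belongs next to the option. The `SASL_PASSWD` entry likewise places a credential in a container environment variable, which anyone able to run `docker inspect` on the container can read; worth a note. Wording: `can be overwrite in postfix-main.cf` should be `can be overwritten in postfix-main.cf`, and the file again lacks a trailing newline.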
From e354569edafe84f9066ac1780a90cf1a4647db2f Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 21 Aug 2016 23:32:05 +0200 Subject: [PATCH 087/462] Remove warning --- docs/content/advanced/mail-fetchmail.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 0fd7832d..dc730098 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -1,5 +1,3 @@ -# Warning! Not yet implemented feature - To enable the `fetchmail` service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1` Your `docker-compose.yml` file should look like following snippet: From 0e9ce32dcc176394fb7674d4fe98d2aca87fd468 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:12:04 +0200 Subject: [PATCH 088/462] Add debug commands --- docs/content/advanced/mail-fetchmail.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index dc730098..ee261149 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -30,4 +30,13 @@ poll pop3.example.com with proto POP3 here options keep ssl ``` +To debug your `fetchmail.cf` configuration run this command: + +``` +docker run --rm \ + -v "$(pwd)/config:/tmp/docker-mailserver" \ + -ti tvial/docker-mailserver:latest \ + sh -c "cat /etc/fetchmailrc_general /tmp/docker-mailserver/fetchmail.cf > /etc/fetchmailrc; /etc/init.d/fetchmail debug-run" +``` + By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. \ No newline at end of file From 4f46a059ce49fbb96e185f0d938f3ecc82375ea5 Mon Sep 17 00:00:00 2001 
From: Josef Friedrich Date: Mon, 22 Aug 2016 10:16:47 +0200 Subject: [PATCH 089/462] Add tree view of folder structure --- docs/content/advanced/mail-fetchmail.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index ee261149..11887213 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -8,7 +8,17 @@ environment: ... ``` -Generate a file called `fetchmail.cf` and place it in the `config` folder. +Generate a file called `fetchmail.cf` and place it in the `config` folder. Your dockermail folder should look like this example: + +``` +├── config +│   ├── dovecot.cf +│   ├── fetchmail.cf +│   ├── postfix-accounts.cf +│   └── postfix-virtual.cf +├── docker-compose.yml +└── README.md +``` ## Example IMAP configuration From 941114be1286c0019003c70582652b7e31be6bda Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:20:59 +0200 Subject: [PATCH 090/462] Add link to fetchmail website --- docs/content/advanced/mail-fetchmail.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 11887213..a92fa143 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -1,5 +1,4 @@ -To enable the `fetchmail` service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1` -Your `docker-compose.yml` file should look like following snippet: +To enable the [fetchmail](http://www.fetchmail.info) service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1`. Your `docker-compose.yml` file should look like following snippet: ``` ... From 8623b155a0bdbaf72786def94ba3f598b5e76a97 Mon Sep 17 00:00:00 2001 
From: Josef Friedrich Date: Mon, 22 Aug 2016 10:23:51 +0200 Subject: [PATCH 091/462] Add more headlines --- docs/content/advanced/mail-fetchmail.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index a92fa143..be01a879 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -19,6 +19,8 @@ Generate a file called `fetchmail.cf` and place it in the `config` folder. Your └── README.md ``` +# Configuration + ## Example IMAP configuration ``` @@ -39,6 +41,8 @@ poll pop3.example.com with proto POP3 here options keep ssl ``` +# Debugging + To debug your `fetchmail.cf` configuration run this command: ``` From 2fbca66b2835b71514f69ef5bf8968558914bdde Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:25:14 +0200 Subject: [PATCH 092/462] Updated Retrieve emails from a remote mail server (using builtin fetchmail) (markdown) --- docs/content/advanced/mail-fetchmail.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index be01a879..8bb92168 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -41,6 +41,8 @@ poll pop3.example.com with proto POP3 here options keep ssl ``` +More details how to configure fetchmail can be found in the [fetchmail man page](http://www.fetchmail.info/fetchmail-man.html). + # Debugging To debug your `fetchmail.cf` configuration run this command: From 256291895fe603a45c9b683c84f3d273779edc00 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:40:34 +0200 Subject: [PATCH 093/462] Add link to the fetchmail man page --- docs/content/advanced/mail-fetchmail.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 8bb92168..0d7564e3 100644 
--- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -21,6 +21,8 @@ Generate a file called `fetchmail.cf` and place it in the `config` folder. Your # Configuration +A detailed description of the configuration options can be found in the [online version of the manual page](www.fetchmail.info/fetchmail-man.html). + ## Example IMAP configuration ``` From 19d2fd6fecc61e381b386ed730def4cd6bc83b22 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:41:52 +0200 Subject: [PATCH 094/462] Fix links --- docs/content/advanced/mail-fetchmail.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 0d7564e3..1f136c89 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -21,7 +21,7 @@ Generate a file called `fetchmail.cf` and place it in the `config` folder. Your # Configuration -A detailed description of the configuration options can be found in the [online version of the manual page](www.fetchmail.info/fetchmail-man.html). +A detailed description of the configuration options can be found in the [online version of the manual page](http://www.fetchmail.info/fetchmail-man.html). ## Example IMAP configuration From 41a9de317bafdf0ca21f4f6735d82e974bd21b01 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 10:45:14 +0200 Subject: [PATCH 095/462] Add link to chapter --- docs/content/advanced/mail-fetchmail.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 1f136c89..4a58381a 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md 
@@ -43,7 +43,7 @@ poll pop3.example.com with proto POP3 here options keep ssl ``` -More details how to configure fetchmail can be found in the [fetchmail man page](http://www.fetchmail.info/fetchmail-man.html). +More details how to configure fetchmail can be found in the [fetchmail man page in the chapter “The run control file”](http://www.fetchmail.info/fetchmail-man.html#31). # Debugging From e963f7f65ea5003332074e1f67b2d1dbcbe8bcb0 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 22:23:34 +0200 Subject: [PATCH 096/462] Shorter examples --- docs/content/advanced/mail-fetchmail.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 4a58381a..2c63bf37 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -26,21 +26,19 @@ A detailed description of the configuration options can be found in the [online ## Example IMAP configuration ``` -poll imap.example.com with proto IMAP - user 'username' there with - password 'secret' +poll imap.example.com proto imap + user 'username' + pass 'secret' is 'user1@domain.tld' - here ssl ``` ## Example POP3 configuration ``` -poll pop3.example.com with proto POP3 - user 'username' there with +poll pop3.example.com proto pop3 + user 'username' password 'secret' is 'user2@domain.tld' - here options keep ssl ``` More details how to configure fetchmail can be found in the [fetchmail man page in the chapter “The run control file”](http://www.fetchmail.info/fetchmail-man.html#31). From ec1064de3be9f9a0a107dc12cb0c789867354272 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 22:24:07 +0200 Subject: [PATCH 097/462] password should be pass --- docs/content/advanced/mail-fetchmail.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
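Review bot: the "Shorter examples" hunk drops `ssl` from both the IMAP and the POP3 example, so as written fetchmail would connect in clear text and send the account password unencrypted; `ssl` should stay even in a shortened example (patch 105 later re-adds it under the subject "SSL is always good"). Removing `options keep` from the POP3 example is also a behaviour change rather than a shortening: without `keep`, fetchmail deletes messages from the remote server after downloading them, which the text should mention. Finally, the POP3 example still says `password` where the IMAP one now says `pass`; both spellings are accepted, but the two examples should match (patch 097 aligns them).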
diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 2c63bf37..4276e987 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -37,7 +37,7 @@ poll imap.example.com proto imap ``` poll pop3.example.com proto pop3 user 'username' - password 'secret' + pass 'secret' is 'user2@domain.tld' ``` From 393b5239c57fc39267e654ff277f003f21a39382 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 22:30:47 +0200 Subject: [PATCH 098/462] Add "IMPORTANT" warning --- docs/content/advanced/mail-fetchmail.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 4276e987..fa161d00 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -41,6 +41,8 @@ poll pop3.example.com proto pop3 is 'user2@domain.tld' ``` +__IMPORTANT__: Don’t forget the last line: e. g. `is 'user1@domain.tld'`. After `is` you have to specify one email address from the configuration file `config/postfix-accounts.cf`. + More details how to configure fetchmail can be found in the [fetchmail man page in the chapter “The run control file”](http://www.fetchmail.info/fetchmail-man.html#31). # Debugging From 3a6b6ef1980f1f27f5d6a72412361de47a43556d Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 22 Aug 2016 22:42:25 +0200 Subject: [PATCH 099/462] Use quotation marks for hostnames for better separation between key and values. Imap and pop3 can't be written in quotation marks. --- docs/content/advanced/mail-fetchmail.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index fa161d00..8b9998b3 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md 
@@ -26,7 +26,7 @@ A detailed description of the configuration options can be found in the [online ## Example IMAP configuration ``` -poll imap.example.com proto imap +poll 'imap.example.com' proto imap user 'username' pass 'secret' is 'user1@domain.tld' @@ -35,7 +35,7 @@ poll imap.example.com proto imap ## Example POP3 configuration ``` -poll pop3.example.com proto pop3 +poll 'pop3.example.com' proto pop3 user 'username' pass 'secret' is 'user2@domain.tld' From 92a206a253b775f790d6c3352937623da0760eba Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Tue, 23 Aug 2016 11:51:43 +0200 Subject: [PATCH 100/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 05e1f30c..625526e6 100644 --- a/docs/content/index.md +++ b/docs/content/index.md @@ -6,7 +6,7 @@ #### Create a `docker-compose.yml` -Adapt this file with your FQDN. +Adapt this file with your FQDN. Install [docker-compose](https://docs.docker.com/compose/) in the version `1.6` or higher. version: '2' From e8c6badcf2943bfdd49a065d31f2532298d8449c Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 29 Aug 2016 21:51:09 +0200 Subject: [PATCH 101/462] New page about setup.sh --- ...mailserver`-using-the-script-`setup.sh`.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md diff --git a/docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md b/docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md new file mode 100644 index 00000000..2db2e5fc --- /dev/null +++ b/docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md 
@@ -0,0 +1,29 @@ +The latest version of the script `setup.sh` is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: + +``` +wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh +``` + +Run `./setup.sh` without arguments and you get some usage informations. + +``` +Usage: ./setup.sh [args] + +SUBCOMMANDS: + + email: + + ./setup.sh email add + ./setup.sh email del + ./setup.sh email list + + config: + + ./setup.sh config dkim + ./setup.sh config ssl + + debug: + + ./setup.sh debug fetchmail +``` + From d6c66fa2b7922908536dcd27932b8592cb7e3d29 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 29 Aug 2016 22:03:35 +0200 Subject: [PATCH 102/462] The title doesn't support markdown --- ...h`.md => setup-docker-mailserver-using-the-script-setup.sh.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{setup-`docker-mailserver`-using-the-script-`setup.sh`.md => setup-docker-mailserver-using-the-script-setup.sh.md} (100%) diff --git a/docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md similarity index 100% rename from docs/content/setup-`docker-mailserver`-using-the-script-`setup.sh`.md rename to docs/content/setup-docker-mailserver-using-the-script-setup.sh.md From fadfa853a20daf05b281c4d61f6815f677d27c97 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 29 Aug 2016 22:04:40 +0200 Subject: [PATCH 103/462] Use setup.sh for debugging --- docs/content/advanced/mail-fetchmail.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 8b9998b3..96220d6a 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md 
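Review bot: the install one-liner fetches `setup.sh` from the `master` branch and marks it executable without any version check, so the script may not match the image tag a user is running and will change underneath them; suggest pointing at a tagged release URL, or at least telling the reader to look at the script before running it. Wording: `Get the last version to the script` should be `Get the latest version of the script`, and `usage informations` should be `usage information`.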
@@ -50,10 +50,9 @@ More details how to configure fetchmail can be found in the [fetchmail man page To debug your `fetchmail.cf` configuration run this command: ``` -docker run --rm \ - -v "$(pwd)/config:/tmp/docker-mailserver" \ - -ti tvial/docker-mailserver:latest \ - sh -c "cat /etc/fetchmailrc_general /tmp/docker-mailserver/fetchmail.cf > /etc/fetchmailrc; /etc/init.d/fetchmail debug-run" +./setup.sh debug fetchmail ``` +For more informations about the configuration script `setup.sh` [[read the corresponding wiki page|Setup-docker-mailserver-using-the-script-setup.sh]]. + By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. \ No newline at end of file From 51f59208b78f6dbeeff8e1f10f4ca39479264ea6 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Mon, 29 Aug 2016 22:13:22 +0200 Subject: [PATCH 104/462] New Section: Polling interval --- docs/content/advanced/mail-fetchmail.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 96220d6a..0100d8d8 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md 
@@ -43,7 +43,16 @@ poll 'pop3.example.com' proto pop3 __IMPORTANT__: Don’t forget the last line: e. g. `is 'user1@domain.tld'`. After `is` you have to specify one email address from the configuration file `config/postfix-accounts.cf`. -More details how to configure fetchmail can be found in the [fetchmail man page in the chapter “The run control file”](http://www.fetchmail.info/fetchmail-man.html#31). +More details how to configure fetchmail can be found in the [fetchmail man page in the chapter “The run control file”](http://www.fetchmail.info/fetchmail-man.html#31). + +## Polling interval + +By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. You can override this default value by adding this line to your `fetchmail.cf`. + +``` +set daemon 60 +``` +You must specify a numeric argument which is a polling interval in seconds. The example above polls every minute for new mails. # Debugging @@ -53,6 +62,4 @@ To debug your `fetchmail.cf` configuration run this command: ./setup.sh debug fetchmail ``` -For more informations about the configuration script `setup.sh` [[read the corresponding wiki page|Setup-docker-mailserver-using-the-script-setup.sh]]. - -By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. \ No newline at end of file +For more informations about the configuration script `setup.sh` [[read the corresponding wiki page|Setup-docker-mailserver-using-the-script-setup.sh]]. \ No newline at end of file From c47a50d971a066fe5a1bf558e1609922dddc8f66 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Tue, 30 Aug 2016 00:10:48 +0200 Subject: [PATCH 105/462] Add ssl to samlpe configuration. SSL is always good --- docs/content/advanced/mail-fetchmail.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 0100d8d8..67843686 100644 --- a/docs/content/advanced/mail-fetchmail.md 
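Review bot: the new "Polling interval" paragraph carries over the typo `searches very 5 minutes` (should be `every 5 minutes`), and the sentence introducing the `set daemon 60` snippet should end with a colon rather than a full stop. `You must specify a numeric argument which is a polling interval in seconds` would read more simply as `The numeric argument is the polling interval in seconds`.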
+++ b/docs/content/advanced/mail-fetchmail.md @@ -30,6 +30,7 @@ poll 'imap.example.com' proto imap user 'username' pass 'secret' is 'user1@domain.tld' + ssl ``` ## Example POP3 configuration @@ -39,6 +40,7 @@ poll 'pop3.example.com' proto pop3 user 'username' pass 'secret' is 'user2@domain.tld' + ssl ``` __IMPORTANT__: Don’t forget the last line: e. g. `is 'user1@domain.tld'`. After `is` you have to specify one email address from the configuration file `config/postfix-accounts.cf`. From b5ddfbd867eec1a0638a12acbaa730ba155f1b36 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Tue, 30 Aug 2016 00:14:21 +0200 Subject: [PATCH 106/462] Add sample debug output --- docs/content/advanced/mail-fetchmail.md | 44 ++++++++++++++++++++++++- 1 file changed, 43 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 67843686..3571ffb7 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md 
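Review bot: with `ssl` now added as the final line of both examples, the unchanged context line `__IMPORTANT__: Don't forget the last line: e. g. is 'user1@domain.tld'` in the second hunk is no longer accurate; reword it to refer to the `is` line rather than the last line, and while there, `e. g.` should be `e.g.`.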
@@ -64,4 +64,46 @@ To debug your `fetchmail.cf` configuration run this command: ./setup.sh debug fetchmail ``` -For more informations about the configuration script `setup.sh` [[read the corresponding wiki page|Setup-docker-mailserver-using-the-script-setup.sh]]. \ No newline at end of file +For more informations about the configuration script `setup.sh` [[read the corresponding wiki page|Setup-docker-mailserver-using-the-script-setup.sh]]. + +Here a sample output of `./setup.sh debug fetchmail`: + +``` +fetchmail: 6.3.26 querying outlook.office365.com (protocol POP3) at Mon Aug 29 22:11:09 2016: poll started +Trying to connect to 132.245.48.18/995...connected. +fetchmail: Server certificate: +fetchmail: Issuer Organization: Microsoft Corporation +fetchmail: Issuer CommonName: Microsoft IT SSL SHA2 +fetchmail: Subject CommonName: outlook.com +fetchmail: Subject Alternative Name: outlook.com +fetchmail: Subject Alternative Name: *.outlook.com +fetchmail: Subject Alternative Name: office365.com +fetchmail: Subject Alternative Name: *.office365.com +fetchmail: Subject Alternative Name: *.live.com +fetchmail: Subject Alternative Name: *.internal.outlook.com +fetchmail: Subject Alternative Name: *.outlook.office365.com +fetchmail: Subject Alternative Name: outlook.office.com +fetchmail: Subject Alternative Name: attachment.outlook.office.net +fetchmail: Subject Alternative Name: attachment.outlook.officeppe.net +fetchmail: Subject Alternative Name: *.office.com +fetchmail: outlook.office365.com key fingerprint: 3A:A4:58:42:56:CD:BD:11:19:5B:CF:1E:85:16:8E:4D +fetchmail: POP3< +OK The Microsoft Exchange POP3 service is ready. [SABFADEAUABSADAAMQBDAEEAMAAwADAANwAuAGUAdQByAHAAcgBkADAAMQAuAHAAcgBvAGQALgBlAHgAYwBoAGEAbgBnAGUAbABhAGIAcwAuAGMAbwBtAA==] +fetchmail: POP3> CAPA +fetchmail: POP3< +OK +fetchmail: POP3< TOP +fetchmail: POP3< UIDL +fetchmail: POP3< SASL PLAIN +fetchmail: POP3< USER +fetchmail: POP3< . 
+fetchmail: POP3> USER user1@outlook.com +fetchmail: POP3< +OK +fetchmail: POP3> PASS * +fetchmail: POP3< +OK User successfully logged on. +fetchmail: POP3> STAT +fetchmail: POP3< +OK 0 0 +fetchmail: No mail for user1@outlook.com at outlook.office365.com +fetchmail: POP3> QUIT +fetchmail: POP3< +OK Microsoft Exchange Server 2016 POP3 server signing off. +fetchmail: 6.3.26 querying outlook.office365.com (protocol POP3) at Mon Aug 29 22:11:11 2016: poll completed +fetchmail: normal termination, status 1 +``` \ No newline at end of file From 48c107a302311ee6fda69b7edde90600a051afc1 Mon Sep 17 00:00:00 2001 From: Stig Otnes Kolstad Date: Wed, 31 Aug 2016 16:28:52 +0200 Subject: [PATCH 107/462] Fixed incorrect environment variable --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index f10aea36..5d843e4a 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -44,7 +44,7 @@ Check the following page for more information regarding [postfix and SSL/TLS con To use the certificate: -* add an `DMS_SSL=self-signed` to your container environment variables +* add `SSL_TYPE=self-signed` to your container environment variables * if a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `config/ssl` folder. ### Testing certificate From f47bfb7edb23093b683ead59c980193ef12c915e Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Thu, 1 Sep 2016 17:22:50 +0200 Subject: [PATCH 108/462] Latest version of docker-mailserver uses dovecot instead of courier --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 5d843e4a..67324121 100644 --- a/docs/content/config/security/ssl.md 
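Review bot: the sample output pastes a real session, including a resolved server IP, the server's key fingerprint, a base64 server banner and the mailbox name `user1@outlook.com`; for documentation these should be replaced with neutral placeholders (an `example.com` host and account), keeping only the lines that show the reader what a successful run looks like (`PASS *`, `+OK User successfully logged on.`, `poll completed`). The file also still lacks a trailing newline.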
+++ b/docs/content/config/security/ssl.md @@ -45,7 +45,7 @@ Check the following page for more information regarding [postfix and SSL/TLS con To use the certificate: * add `SSL_TYPE=self-signed` to your container environment variables -* if a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and courier-imap-ssl. You just have to place them in `config/ssl` folder. +* if a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and dovecot. You just have to place them in `config/ssl` folder. ### Testing certificate From 9d7011a6fb2df37e67571083b8469aaab42a6a51 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 4 Sep 2016 19:00:17 +0200 Subject: [PATCH 109/462] Add more documentation --- .../advanced/override-defaults/dovecot.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 12fc07e7..42fae048 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md 
@@ -1,3 +1,25 @@ The Dovecot default configuration can easily be overridden providing a `config/dovecot.cf` file. This file can also be used to specify additional configurations. -[Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. \ No newline at end of file +[Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. + +# Debugging + +To debug your dovecot configuration you can use this command: + +```sh +./setup.sh debug login doveconf | grep +``` + +[setup.sh](https://github.com/tomav/docker-mailserver/blob/master/setup.sh) is included in the `docker-mailserver` repository. + +or + +```sh +docker exec -ti doveconf | grep +``` + +The `config/dovecot.cf` is copied to `/etc/dovecot/local.conf`. To check this file run: + +```sh +docker exec -ti cat /etc/dovecot/local.conf +``` From 1276a7d95e46b4f4bdf35819b563b495f337e59d Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 4 Sep 2016 19:12:17 +0200 Subject: [PATCH 110/462] Update name --- docs/content/advanced/mail-fetchmail.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index 3571ffb7..b26b36b5 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -7,7 +7,7 @@ environment: ... ``` -Generate a file called `fetchmail.cf` and place it in the `config` folder. Your dockermail folder should look like this example: +Generate a file called `fetchmail.cf` and place it in the `config` folder. Your `docker-mailserver` folder should look like this example: ``` ├── config From 8d7301d6798ac8641b6170e16eaef2eef8e56168 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sun, 4 Sep 2016 19:13:18 +0200 Subject: [PATCH 111/462] Add tree view of config folder --- docs/content/advanced/override-defaults/dovecot.md | 11 +++++++++++ 1 file changed, 11 insertions(+) 
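Review bot: the debugging commands are incomplete as rendered: `./setup.sh debug login doveconf | grep` has no grep pattern, and `docker exec -ti doveconf | grep` and `docker exec -ti cat /etc/dovecot/local.conf` are missing the container name between `-ti` and the command, most likely angle-bracket placeholders swallowed by the markdown renderer; use placeholders such as `CONTAINER_NAME` and `PATTERN` that survive rendering. A short hint on what to grep for (the setting just overridden in `config/dovecot.cf`) would also help.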
diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 42fae048..798758b4 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -2,6 +2,17 @@ The Dovecot default configuration can easily be overridden providing a `config/d This file can also be used to specify additional configurations. [Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. +Your `docker-mailserver` folder should look like this example: + +``` +├── config +│ ├── dovecot.cf +│ ├── postfix-accounts.cf +│ └── postfix-virtual.cf +├── docker-compose.yml +└── README.md +``` + # Debugging To debug your dovecot configuration you can use this command: From 2e283a0570e4c20ba9b6a07b84e87cfc24a45207 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Tue, 6 Sep 2016 17:19:44 +0200 Subject: [PATCH 112/462] Add override section --- .../advanced/override-defaults/dovecot.md | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 798758b4..6b4c6084 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -1,5 +1,6 @@ -The Dovecot default configuration can easily be overridden providing a `config/dovecot.cf` file. -This file can also be used to specify additional configurations. +# Add configuration + +The Dovecot default configuration can easily be extended providing a `config/dovecot.cf` file. [Dovecot documentation](http://wiki.dovecot.org/FrontPage) remains the best place to find configuration options. Your `docker-mailserver` folder should look like this example: 
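Review bot: the reworded first sentence of the override page, `The Dovecot default configuration can easily be extended providing a `config/dovecot.cf` file`, is missing a preposition; suggest `extended by providing`.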
@@ -13,6 +14,23 @@ Your `docker-mailserver` folder should look like this example: └── README.md ``` +# Override configuration + +For major configuration changes it’s best to override the `dovecot` configuration files. For each configuration file you want to override, add a list entry under the `volumes:` key. + +```yaml +version: '2' + +services: + mail: + ... + volumes: + - maildata:/var/mail + ... + - ./config/dovecot/10-master.conf:/etc/dovecot/conf.d/10-master.conf + +``` + # Debugging To debug your dovecot configuration you can use this command: From c49f14a8bb0b5d80ee9f3af9e1df6c9ca9910c90 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 18:37:43 +0200 Subject: [PATCH 113/462] Add dig command --- docs/content/config/best-practices/dkim.md | 31 ++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 8bf2b9cf..54ff6977 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
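Review bot: the YAML in the new Override configuration section is not valid as written because the `...` lines are not YAML; use `# ...` comments so the snippet can be copied. The file-level bind mount `- ./config/dovecot/10-master.conf:/etc/dovecot/conf.d/10-master.conf` replaces the image's whole `10-master.conf`, so the text should tell the reader to start from a copy of the container's current file (the `docker exec -ti ... cat` pattern from the Debugging section works for that) and to append `:ro` so the container cannot alter the host copy. Worth adding that if the host file does not exist Docker creates an empty directory at that path, which breaks Dovecot startup. The trailing blank line inside the fence should also go.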
@@ -31,4 +31,35 @@ ReportAddress postmaster@my-domain.com SendReports yes Mode v +``` + +## Debug the DKIM TXT Record + +You can debug your TXT record with the `dig` tool. + +``` +dig TXT mail._domainkey.domain.tld +``` + +Output: + +``` +; <<>> DiG 9.10.3-P4-Debian <<>> TXT mail._domainkey.domain.tld +;; global options: +cmd +;; Got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39669 +;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 + +;; OPT PSEUDOSECTION: +; EDNS: version: 0, flags:; udp: 512 +;; QUESTION SECTION: +;mail._domainkey.domain.tld. IN TXT + +;; ANSWER SECTION: +mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCxBSjG6RnWAdU3oOlqsdf2WC0FOUmU8uHVrzxPLW2R3yRBPGLrGO1++yy3tv6kMieWZwEBHVOdefM6uQOQsZ4brahu9lhG8sFLPX4MaKYN/NR6RK4gdjrZu+MYSdfk3THgSbNwIDAQAB" + +;; Query time: 50 msec +;; SERVER: 127.0.1.1#53(127.0.1.1) +;; WHEN: Wed Sep 07 18:22:57 CEST 2016 +;; MSG SIZE rcvd: 310 ``` \ No newline at end of file From b5ea16d761fb5a1b2872ae6e2a5de6ca95d3e84c Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 19:24:38 +0200 Subject: [PATCH 114/462] Extend debugging section --- docs/content/config/best-practices/dkim.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 54ff6977..c22f8f0b 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -33,9 +33,15 @@ SendReports yes Mode v ``` -## Debug the DKIM TXT Record +## Debugging -You can debug your TXT record with the `dig` tool. +### Tools + +* [DKIM-verifer](https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier): A add-on for the mail client Thunderbird. + +### DKIM TXT Record + +You can debug your TXT records with the `dig` tool. ``` dig TXT mail._domainkey.domain.tld 
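Review bot: the `dig` example queries the local stub resolver (`SERVER: 127.0.1.1#53(127.0.1.1)`), which can keep serving a cached answer for up to the record's TTL (3600 here) after a zone change; suggest saying that the domain's authoritative nameserver can be queried directly with `@ns.domain.tld`, and that `dig +short TXT mail._domainkey.domain.tld` gives a one-line answer that is easier to compare with `mail.txt`. The two new fenced blocks should carry a language tag, as the `yaml` and `sh` fences elsewhere in the docs do. The key in the sample output has the `MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQ` prefix of a 1024-bit RSA key; worth checking the generator's key length against the current 2048-bit recommendation.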
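Review bot: typos in the new Tools bullet: `DKIM-verifer` should be `DKIM-verifier` (as in the add-on's link) and `A add-on` should be `An add-on`. Since the section is about debugging, the bullet should also say what the tool shows, namely whether the DKIM signature on a received message validates.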
From e2fcdb3c1a40fcf6c5830647ce11e8fddc226aed Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 19:35:21 +0200 Subject: [PATCH 115/462] Add section 'Configuration using a web interface' --- docs/content/config/best-practices/dkim.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index c22f8f0b..14fae5ab 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -14,6 +14,14 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " ``` +## Configuration using a web interface: + +1. Generate a new record of the type `TXT`. +2. In the `Name` field paste in `mail._domainkey`. +3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN` +4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. +5. Save. + ## Verify-only If you want DKIM to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): From 749b2f5244b1b141c055f7af23d2ff9a95fd8799 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 19:36:40 +0200 Subject: [PATCH 116/462] Better wording --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 14fae5ab..5f326be5 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
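Review bot: the heading `## Configuration using a web interface:` should not end with a colon, and the `p=` value in step 3 is a made-up string; label it as a placeholder and point the reader to `config/opendkim/keys/domain.tld/mail.txt` (the file the DKIM page already names) as the source of the real value. Many DNS web UIs do not accept the BIND zone-file form used in `mail.txt`, where the TXT record is split into several quoted strings, so step 3 should mention joining the pieces into one string without the quotes and parentheses.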
@@ -17,7 +17,7 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " ## Configuration using a web interface: 1. Generate a new record of the type `TXT`. -2. In the `Name` field paste in `mail._domainkey`. +2. Paste `mail._domainkey` the `Name` txt field. 3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN` 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. From c5228ff3f89c5fa976e1ff66b11d8a3937497009 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 19:38:02 +0200 Subject: [PATCH 117/462] Shorten key --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 5f326be5..02d5d635 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -18,7 +18,7 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " 1. Generate a new record of the type `TXT`. 2. Paste `mail._domainkey` the `Name` txt field. -3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN` +3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUGHJKLMWX...` 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. From a1b486a7b91b130565cc58ec2d72fc3d9f3e6d7c Mon Sep 17 00:00:00 2001 
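Review bot: the rewording in step 2 dropped a preposition: `Paste `mail._domainkey` the `Name` txt field` should be `Paste `mail._domainkey` into the `Name` text field`.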
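Review bot: shortening the sample key to `p=AZERTYUGHJKLMWX...` is an improvement, but step 3 should still say it is a placeholder and that the real value comes from the generated `mail.txt`, so nobody pastes the literal string into their zone.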
From: Josef Friedrich Date: Wed, 7 Sep 2016 19:38:50 +0200 Subject: [PATCH 118/462] Add missing dot --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 02d5d635..51b9e3b0 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -18,7 +18,7 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " 1. Generate a new record of the type `TXT`. 2. Paste `mail._domainkey` the `Name` txt field. -3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUGHJKLMWX...` +3. In the `Target` or `Value` field fill in `v=DKIM1; k=rsa; p=AZERTYUGHJKLMWX...`. 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. From 9149f5afa7cbca54eecd4df79974c3e953c1d810 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Wed, 7 Sep 2016 19:41:07 +0200 Subject: [PATCH 119/462] Add syntax highlighting for docker-compose.yml --- docs/content/index.md | 40 +++++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 625526e6..8ceda16e 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
@@ -8,27 +8,29 @@ Adapt this file with your FQDN. Install [docker-compose](https://docs.docker.com/compose/) in the version `1.6` or higher. - version: '2' - - services: - mail: - image: tvial/docker-mailserver:latest - # build: . - hostname: mail - domainname: domain.com - container_name: mail - ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" - volumes: - - maildata:/var/mail - - ./config/:/tmp/docker-mailserver/ +```yaml +version: '2' +services: + mail: + image: tvial/docker-mailserver:latest + # build: . + hostname: mail + domainname: domain.com + container_name: mail + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" volumes: - maildata: - driver: local + - maildata:/var/mail + - ./config/:/tmp/docker-mailserver/ + +volumes: + maildata: + driver: local +``` #### Create your mail accounts From 968f957d0fa39ba8255905f980e546bbde9855a4 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 12 Sep 2016 16:00:05 +0200 Subject: [PATCH 120/462] Added cron regarding sa-learn --- docs/content/config/troubleshooting/faq.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index cc867ae3..f6cd572b 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -40,7 +40,16 @@ Login are full email address (`user@domain.com`). Please use `STARTTLS`. ### How can I manage my custom Spamassassin rules? -Antispam rules are managed in `config/spamassassin-rules.cf`. +Antispam rules are managed in `config/spamassassin-rules.cf`. + +### How can I make Spamassassin learn spam? + +Put received spams in `.Junk/` imap folder and add a cron like the fllowing: + +``` +# Everyday 2:00AM, learn spam for this specific user +0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk +``` ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. From 146f9e4fc96908726ce5665a62a36bebb6e1bf9c Mon Sep 17 00:00:00 2001 From: Lennart Rosam Date: Tue, 13 Sep 2016 18:40:45 +0200 Subject: [PATCH 121/462] Fix typo. That's carriage return, line feed aka CRLF =) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index f6cd572b..2c1c42a6 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -6,7 +6,7 @@ You'll probably want to `push` your config updates to your server and restart th ### What are the file format? Of course file are Unix format with LF line endings. -Please do not use CLRF. +Please do not use CRLF. ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. From c72dfde78548299b83d930ab3595f670030cc595 Mon Sep 17 00:00:00 2001 From: Alexander Kachkaev Date: Tue, 13 Sep 2016 22:51:29 +0100 Subject: [PATCH 122/462] Explain how to skip inbox (should be a common case; I personally spent more than an hour investigating how to do this) --- docs/content/advanced/mail-sieve.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index bae29d06..ed13394e 100644 
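Review bot: the first `-`/`+` pair in this hunk (`Antispam rules are managed in `config/spamassassin-rules.cf`.`) differs only in trailing whitespace and should be dropped from the change. In the new section, `spams` should be `spam`, `fllowing` is a typo for `following`, and the cron block should carry a language tag. The cron line hard-codes one mailbox (`/var/mail/domain.com/username/.Junk`); say that it has to be repeated or looped per user, and that a matching `sa-learn --ham` run on a clean folder is needed before the Bayes classifier becomes effective.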
--- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md @@ -29,6 +29,11 @@ require ["copy"]; redirect :copy "user2@otherdomain.tld"; ``` +Just forward all incoming emails and do not save them locally: +``` +redirect "user2@otherdomain.tld"; +``` + For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). Other resources are available on the internet where you can find several [examples](https://support.tigertech.net/sieve#sieve-example-rules-jmp). ### Manage Sieve From 28639b0e7f84b1d8ef664c7d3a634c9a169159fb Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Tue, 20 Sep 2016 16:34:48 +0200 Subject: [PATCH 123/462] Add info about system requirements --- docs/content/config/troubleshooting/faq.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2c1c42a6..e278c8ab 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -62,4 +62,7 @@ This could be related to a modification of your `MX` record, or the IP mapped to If everything is OK regarding DNS, please provide [formatted logs](https://guides.github.com/features/mastering-markdown/) and config files. This will allow us to help you. -If we're blind, we won't be able to do anything. \ No newline at end of file +If we're blind, we won't be able to do anything. + +### Which system requirements needs my container to run `docker-mailserver` effectively? +1 core and 1GB of RAM is recommended, even it could work with 512M of RAM. \ No newline at end of file From 95b2411b59c5aa721e272440c3c246c6772d9868 Mon Sep 17 00:00:00 2001 From: hogsim Date: Mon, 26 Sep 2016 19:25:40 +0200 Subject: [PATCH 124/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
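Review bot: the new Sieve example `redirect "user2@otherdomain.tld";` is correct, but the text should explain why it skips the inbox: `redirect` without `:copy` cancels Sieve's implicit keep, so no local copy is stored and any later `fileinto` or `keep` in the script would be needed to retain one. The block is also missing the blank line before the opening fence that the other examples on the page have.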
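Review bot: grammar in the new FAQ entry: `Which system requirements needs my container to run `docker-mailserver` effectively?` should be `What are the system requirements to run `docker-mailserver` effectively?`, and `even it could work with 512M of RAM` should be `although it can work with 512 MB of RAM`.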
diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 51b9e3b0..0a804a24 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -5,7 +5,7 @@ Once its done, just run from inside the directory of docker-compose.yml: -v "$(pwd)/config":/tmp/docker-mailserver \ -ti tvial/docker-mailserver:latest generate-dkim-config -Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opedkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. +Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. ``` ; OpenDKIM From 913fc7e4e2ffa2322b904d1beef672f0d6ffddbe Mon Sep 17 00:00:00 2001 From: Pablo Castorino Date: Fri, 30 Sep 2016 11:47:36 -0300 Subject: [PATCH 125/462] Created Configure ELK (markdown) --- docs/content/configure-elk.md | 71 +++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 docs/content/configure-elk.md diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md new file mode 100644 index 00000000..166eb3f0 --- /dev/null +++ b/docs/content/configure-elk.md 
@@ -0,0 +1,71 @@ +From [Wikipedia](https://en.wikipedia.org/wiki/Elasticsearch): +>Elasticsearch can be used to search all kinds of documents. It provides scalable search, has near real-time search, and supports multitenancy. "Elasticsearch is distributed, which means that indices can be divided into shards and each shard can have zero or more replicas. Each node hosts one or more shards, and acts as a coordinator to delegate operations to the correct shard(s). Rebalancing and routing are done automatically [...]" + +This implements sends mail logs to a ELK stack via filebeat client. + +# Environment variables: +**ENABLE_ELK_FORWARDER** +* **empty** => disabled +* **1** => enables forwarder + +**ELK_HOST** +* elk (default) + +**ELK_PORT** +* 5044 (default) + +# Configuration File: +the start-mailserver.sh scripts use `/etc/filebeat/filebeat.yml.tmpl` as a template to set HOST and PORT. +You can override that template or set a custom config file as ro volume. + +``` +mail: + ~ + volumes: + - config/filebeat.yml:/etc/filebeat.yml:ro +``` + +## Run ELK embedded on mailserver stack. +you can run directly the embeeded ELK using docker compose. No needs config. + +``` +cp docker-compose.elk.yml.dist docker-compose.yml +docker-compose up +``` + +## Use a external ELK. +you can be send logs to you own instance of ELK stack. +needs set the environments variables. + +``` +mail: + ~ + environment: + - ENABLE_ELK_FORWARDER=1 + - ELK_HOST=elk_host_or_ip + - ELK_PORT= 5044 +``` +On you ELK stack should be create a logstash input +``` +#/etc/logstash/conf.d/02-beats-input.conf +input { + beats { + port => 5044 + ssl => false + } +} +``` + + + +# Create Index on Kibana +Go http://localhost:5601. The first time needs create default index. +Steps: + +1. Create Index pattern + + - **Index name or pattern** * + - Select **Time-field name** (refresh fields): @timestamp (appears until process some log) + - Create + +1. Go to Discover and filter by fields. 
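Review bot: several problems in the new ELK page. The environment example `- ELK_PORT= 5044` has a space after `=`, so the variable is set to ` 5044` with a leading space; write `- ELK_PORT=5044`. The volume example mounts the custom file at `/etc/filebeat.yml`, while the text says the template lives at `/etc/filebeat/filebeat.yml.tmpl`; the two paths should agree. The `~` used as a placeholder under `mail:` is YAML null and makes the snippet invalid if copied; use a `# ...` comment. The logstash input is shown with `ssl => false`; for the external-ELK case that ships mail logs (addresses, client IPs) in cleartext across the network, so the page should state that TLS on the beats input is the production setting. Prose fixes: `This implements sends mail logs to a ELK stack via filebeat client` should read `This sends mail logs to an ELK stack via the filebeat client`, `embeeded` is `embedded`, `No needs config` is `No configuration needed`, and `you can be send logs to you own instance of ELK stack. needs set the environments variables.` should read `you can send logs to your own ELK stack by setting the environment variables below.`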
From bfe70de0c86b3359fbd9281d937e46871b9555d6 Mon Sep 17 00:00:00 2001 From: Sebastian Straub Date: Sat, 1 Oct 2016 15:49:10 +0200 Subject: [PATCH 126/462] how to add your own certificates --- docs/content/config/security/ssl.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 67324121..da03e1b9 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -2,6 +2,7 @@ There are multiple options to enable SSL: * using [letsencrypt](https://letsencrypt.org/) (recommended) * using self-signed certificates with the provided tool +* using your own certificates After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). @@ -47,6 +48,21 @@ To use the certificate: * add `SSL_TYPE=self-signed` to your container environment variables * if a matching certificate (files listed above) is found in `config/ssl`, it will be automatically setup in postfix and dovecot. You just have to place them in `config/ssl` folder. +### Custom certificate files + +You can also provide your own certificate files. Add these entries to your `docker-compose.yml`: + + volumes: + - /etc/ssl:/tmp/ssl:ro + environment: + - SSL_TYPE=manual + - SSL_CERT_PATH=/tmp/ssl/cert/public.crt + - SSL_KEY_PATH=/tmp/ssl/private/private.key + +This will mount the path where your ssl certificates reside as read-only under `/tmp/ssl`. Then all you have to do is to specify the location of your private key and the certificate. + +Please note that you may have to restart your mailserver once the certificates change. + ### Testing certificate From your host: From f5ba4308e955fc435b009c33005e6ac648fa6ac6 Mon Sep 17 00:00:00 2001 From: Florian Wendelborn Date: Tue, 11 Oct 2016 05:25:41 +0200 Subject: [PATCH 127/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
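Review bot: the custom-certificate example bind-mounts the host's entire `/etc/ssl` (`- /etc/ssl:/tmp/ssl:ro`) into the container, which exposes every key under `/etc/ssl/private` to the mail container rather than just the one it needs; suggest mounting only the directory holding `public.crt` and `private.key`, or the two files individually. The value `SSL_TYPE=manual` also has to be checked against the `SSL_TYPE` list on the home page, which names this option `custom`; one of the two is wrong. Minor: `mailserver` should be `mail server`.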
diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index e278c8ab..3f58e58d 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -3,10 +3,10 @@ None. No *sql database required. This image is based on config files that can be versioned. You'll probably want to `push` your config updates to your server and restart the container to apply changes. -### What are the file format? +### What is the file format? -Of course file are Unix format with LF line endings. -Please do not use CRLF. +All files are using the Unix format with `LF` line endings. +Please do not use `CRLF`. ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. From 571baa16b109566e8453cd367ebe889124488e88 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Thu, 27 Oct 2016 17:01:08 +0200 Subject: [PATCH 128/462] How to configure docker-mailserver in a rancher environment --- docs/content/config/troubleshooting/faq.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 3f58e58d..267c5682 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -65,4 +65,8 @@ If everything is OK regarding DNS, please provide [formatted logs](https://guide If we're blind, we won't be able to do anything. ### Which system requirements needs my container to run `docker-mailserver` effectively? -1 core and 1GB of RAM is recommended, even it could work with 512M of RAM. \ No newline at end of file +1 core and 1GB of RAM is recommended, even it could work with 512M of RAM. + +### Is `docker-mailserver` running in a [rancher environment](http://rancher.com/rancher/)? + +Yes, but use the option `PERMIT_DOCKER: network`. \ No newline at end of file From e997c52c6d251138cf6df1bdc5b0021f9419d4ed Mon Sep 17 00:00:00 2001 
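Review bot: the Rancher answer should say what `PERMIT_DOCKER: network` does: per the `PERMIT_DOCKER` description on the home page it adds all Docker containers to Postfix `mynetworks`, so every container on the network becomes a trusted relay source. Stating that lets the reader judge whether the setting is acceptable in their environment before enabling it.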
From: Sam Collins Date: Wed, 9 Nov 2016 11:09:29 +0000 Subject: [PATCH 129/462] Updated Line Numbers for additinal postfix config --- docs/content/advanced/override-defaults/postfix.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index dc6ee652..9bb3e35d 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -5,4 +5,4 @@ This can be used to also add configuration that are not in out default configura Each line in the provided line will be loaded into postfix. Have a look to the code for more information: -https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L205-L215 \ No newline at end of file +https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L360-L367 \ No newline at end of file From 95fee5107d8cabd8525d4ea9ff4598247199c713 Mon Sep 17 00:00:00 2001 From: Emanuele Mazzotta Date: Sat, 19 Nov 2016 15:30:58 +0100 Subject: [PATCH 130/462] Updated Override default postfix configuration (markdown) --- .../postfix.md => override-fefault-postfix-configuration.md} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename docs/content/{advanced/override-defaults/postfix.md => override-fefault-postfix-configuration.md} (94%) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/override-fefault-postfix-configuration.md similarity index 94% rename from docs/content/advanced/override-defaults/postfix.md rename to docs/content/override-fefault-postfix-configuration.md index 9bb3e35d..0b088989 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/override-fefault-postfix-configuration.md 
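Review bot: linking to `start-mailserver.sh#L360-L367` on `master` goes stale with every edit to the script, which is exactly why this commit has to update the numbers; pin the link to a commit SHA or describe the function that loads the extra Postfix configuration instead of line numbers. The context line `Each line in the provided line will be loaded into postfix` should read `Each line in the provided file`.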
@@ -5,4 +5,4 @@ This can be used to also add configuration that are not in out default configura Each line in the provided line will be loaded into postfix. Have a look to the code for more information: -https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L360-L367 \ No newline at end of file +https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L351-L361 \ No newline at end of file From 762f11802e83143886fb55aeee41468019f717c7 Mon Sep 17 00:00:00 2001 From: Josef Friedrich Date: Sat, 19 Nov 2016 18:27:41 +0100 Subject: [PATCH 131/462] Fix typo in title --- .../override-defaults/postfix.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{override-fefault-postfix-configuration.md => advanced/override-defaults/postfix.md} (100%) diff --git a/docs/content/override-fefault-postfix-configuration.md b/docs/content/advanced/override-defaults/postfix.md similarity index 100% rename from docs/content/override-fefault-postfix-configuration.md rename to docs/content/advanced/override-defaults/postfix.md From 8cb5509a192e5b3962ae8d11feaf1f34b6ef3b13 Mon Sep 17 00:00:00 2001 From: Michael Date: Sat, 3 Dec 2016 01:11:25 +0100 Subject: [PATCH 132/462] Usage updated --- ...tup-docker-mailserver-using-the-script-setup.sh.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 2db2e5fc..1eba7ad5 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
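Review bot: this change updates the `master` line-number link again (`#L351-L361`), confirming the point that it needs pinning to a commit, and the accompanying rename introduces `override-fefault-postfix-configuration.md`, a typo for `default` that the following commit has to undo.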
@@ -7,7 +7,13 @@ wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/ma Run `./setup.sh` without arguments and you get some usage informations. ``` -Usage: ./setup.sh [args] +Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] [args] + +OPTIONS: + + -i IMAGE_NAME The name of the docker-mailserver image, by default + 'tvial/docker-mailserver:latest'. + -c CONTAINER_NAME The name of the running container. SUBCOMMANDS: @@ -25,5 +31,8 @@ SUBCOMMANDS: debug: ./setup.sh debug fetchmail + ./setup.sh debug show-mail-logs + ./setup.sh debug inspect + ./setup.sh debug login ``` From 0d7cd4f7750071541cc8092443ad37a72bd930af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9F=AF=E5=8D=81=E5=85=AD=E5=A4=9C?= Date: Thu, 15 Dec 2016 03:19:31 +0800 Subject: [PATCH 133/462] Updated Configure Aliases (markdown) --- docs/content/config/user-management/aliases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index 5f45d6d6..c64ade56 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md @@ -19,7 +19,7 @@ Example: ### Configuring regexp aliases -Additional regexp aliases can be configured by placing them into config/postfix-regexp.cf. The regexp aliases get evaluated after the virtual aliases (postfix-virtual.cf). For example, the following config/postfix-regexp.cf causes all email to "test" users to be delivered to qa@example.com: +Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (postfix-virtual.cf). For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: ``` /^test[0-9][0-9]*@example.com/ qa@example.com From 3fe22472694c38a2ff3cd90b9bae7a4e674f6344 Mon Sep 17 00:00:00 2001 
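Review bot: the regexp alias example in the context lines, `/^test[0-9][0-9]*@example.com/ qa@example.com`, is not anchored at the end and leaves the dots unescaped, so it matches more than the intended `testN@example.com` addresses; suggest `/^test[0-9]+@example\.com$/ qa@example.com`. Backticking the file names is fine, but `postfix-virtual.cf` in the same sentence should get the same treatment.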
From: =?UTF-8?q?J=EA=99=A8d=D1=86=D3=8Do=CE=B7=D2=AC?= Date: Thu, 15 Dec 2016 22:45:19 +0100 Subject: [PATCH 134/462] "Add Environment Variable" is the words we could repair in the Rancher UI; which make more sense; at least for me; instead of looking for OPTION or PERMIT_DOCKER in Network. --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 267c5682..c1abcc67 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -69,4 +69,4 @@ If we're blind, we won't be able to do anything. ### Is `docker-mailserver` running in a [rancher environment](http://rancher.com/rancher/)? -Yes, but use the option `PERMIT_DOCKER: network`. \ No newline at end of file +Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. \ No newline at end of file From c12a478da1ea9bcf2ecb0260352ee1aeed1ad219 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 17 Dec 2016 16:29:44 +0100 Subject: [PATCH 135/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index c1abcc67..c85f5e10 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -3,6 +3,15 @@ None. No *sql database required. This image is based on config files that can be versioned. You'll probably want to `push` your config updates to your server and restart the container to apply changes. +### How can I sync container with host date/time? + +Share the host `/etc/localtime` using: + +``` + volumes: + - /etc/localtime:/etc/localtime:ro +``` + ### What is the file format? All files are using the Unix format with `LF` line endings. From 74e1f6cead8c8f7971a9fad585a6934d75fb8671 Mon Sep 17 00:00:00 2001 
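Review bot: `Yes, by Adding the Environment Variable ...` capitalizes mid-sentence words; suggest `Yes, by adding the environment variable `PERMIT_DOCKER=network``. The `PERMIT_DOCKER: network` form is compose/Rancher map syntax, which is worth saying because the other pages use the `KEY=value` list form.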
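Review bot: the localtime snippet is a fragment that starts with an indented `volumes:` key; say that it belongs under the `mail:` service in `docker-compose.yml`, and tag the fence as `yaml` like the other compose examples. The question `How can I sync container with host date/time?` should read `How can I sync the container's date/time with the host?`.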
From: Thomas VIAL Date: Sat, 24 Dec 2016 14:52:05 +0100 Subject: [PATCH 136/462] Destroyed How to contribute (markdown) --- docs/content/how-to-contribute.md | 24 ------------------------ 1 file changed, 24 deletions(-) delete mode 100644 docs/content/how-to-contribute.md diff --git a/docs/content/how-to-contribute.md b/docs/content/how-to-contribute.md deleted file mode 100644 index 9cf60b05..00000000 --- a/docs/content/how-to-contribute.md +++ /dev/null @@ -1,24 +0,0 @@ -`docker-mailserver` is OpenSource. That means that you can contribute on enhancements, bug fixing or improving the documentation in the Wiki. - -#### Project architecture - - ├── config # User: personal configurations - ├── target # Developer: default server configurations - └── test # Developer: integration tests - -#### Development Workflow - -The development workflow is the following: - -- Fork project and clone your fork -- Create a branch using `git checkout -b branch_name` -- Code :-) -- Add integration tests in `test/tests.bats` -- Use `make` to build image locally and run tests -- Document your improvements -- [Commit](https://help.github.com/articles/closing-issues-via-commit-messages/), push and make a pull-request -- Pull-request is automatically tested on Travis -- When tests are green, your branch is merged into `master` -- `master` is automatically tested on Travis -- Docker builds a new `latest` image - From d8257d8985ad4087bf08b85e17e36deff88a7aea Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 24 Dec 2016 14:58:42 +0100 Subject: [PATCH 137/462] Avoid lack of update, link to original README. --- docs/content/index.md | 126 +----------------------------------------- 1 file changed, 1 insertion(+), 125 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 8ceda16e..2fe4e035 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
@@ -1,125 +1 @@ -## Usage - -#### Get latest image - - docker pull tvial/docker-mailserver:latest - -#### Create a `docker-compose.yml` - -Adapt this file with your FQDN. Install [docker-compose](https://docs.docker.com/compose/) in the version `1.6` or higher. - -```yaml -version: '2' - -services: - mail: - image: tvial/docker-mailserver:latest - # build: . - hostname: mail - domainname: domain.com - container_name: mail - ports: - - "25:25" - - "143:143" - - "587:587" - - "993:993" - volumes: - - maildata:/var/mail - - ./config/:/tmp/docker-mailserver/ - -volumes: - maildata: - driver: local -``` - -#### Create your mail accounts - -Don't forget to adapt MAIL_USER and MAIL_PASS to your needs - - mkdir -p config - touch config/postfix-accounts.cf - docker run --rm \ - -e MAIL_USER=user1@domain.tld \ - -e MAIL_PASS=mypassword \ - -ti tvial/docker-mailserver:latest \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf - -#### Generate DKIM keys - - docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config - -Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. - -#### Start the container - - docker-compose up -d mail - -You're done! - -## Environment variables - -Please check [how the container starts](https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh) to understand what's expected. - -Value in **bold** is the default value. - -##### ENABLE_POP3 - - - **empty** => POP3 service disabled - - 1 => Enables POP3 service - -##### ENABLE_FAIL2BAN - - - **empty** => fail2ban service disabled - - 1 => Enables fail2ban service - -If you enable Fail2Ban, don't forget to add the following lines to your `docker-compose.yml`: - - cap_add: - - NET_ADMIN - -Otherwise, `iptables` won't be able to ban IPs. 
- -##### ENABLE_MANAGESIEVE - - - **empty** => Managesieve service disabled - - 1 => Enables Managesieve on port 4190 - -##### SA_TAG - - - **2.0** => add spam info headers if at, or above that level - -##### SA_TAG2 - - - **6.31** => add 'spam detected' headers at that level - -##### SA_KILL - - - **6.31** => triggers spam evasive actions - -##### SASL_PASSWD - - - **empty** => No sasl_passwd will be created - - string => `/etc/postfix/sasl_passwd` will be created with the string as password - -##### SMTP_ONLY - - - **empty** => all daemons start - - 1 => only launch postfix smtp - -##### SSL_TYPE - - - **empty** => SSL disabled - - letsencrypt => Enables Let's Encrypt certificates - - custom => Enables custom certificates - - self-signed => Enables self-signed certificates - -Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information. - -##### PERMIT_DOCKER - -Set different options for mynetworks option (can be overwrite in postfix-main.cf) - - **empty** => localhost only - - host => Add docker host (ipv4 only) - - network => Add all docker containers (ipv4 only) \ No newline at end of file +Please have a look to [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) \ No newline at end of file From 3c5c309fe0d8c16fbfa74a7c837801ffe800e408 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 24 Dec 2016 14:59:51 +0100 Subject: [PATCH 138/462] Updated Home (markdown) --- docs/content/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 2fe4e035..09bb0f7e 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
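Review bot: the index.md hunk in patch 137 drops security-relevant operator guidance along with the rest of the page, in particular `cap_add: - NET_ADMIN` (without which, as the removed text says, "`iptables` won't be able to ban IPs" when ENABLE_FAIL2BAN is set) and the PERMIT_DOCKER semantics (`network => Add all docker containers (ipv4 only)`, which widens Postfix's mynetworks to every container on the host). Before replacing the page with a bare link to README.md, confirm README.md actually documents those two points, otherwise keep them here; the replacement line also reads better as "Please have a look at README.md".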
@@ -1 +1,2 @@ -Please have a look to [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) \ No newline at end of file +Please have a look to [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) for basic configuration. +Detailed examples are provided in the wiki navigation links. \ No newline at end of file From ba53c42acdb33e57b33767204846f8ae17524ee3 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Fri, 30 Dec 2016 19:57:56 +0100 Subject: [PATCH 139/462] Updated Override Default Postfix Configuration (markdown) --- docs/content/advanced/override-defaults/postfix.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 0b088989..58067ca7 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -4,5 +4,4 @@ This can be used to also add configuration that are not in out default configura Each line in the provided line will be loaded into postfix. -Have a look to the code for more information: -https://github.com/tomav/docker-mailserver/blob/master/target/start-mailserver.sh#L351-L361 \ No newline at end of file +Have a look to the code for more information. \ No newline at end of file From 5cff4389271c19578b1b7414dfb957e89edf6ca5 Mon Sep 17 00:00:00 2001 From: Rubytastic2 Date: Wed, 4 Jan 2017 01:41:59 +0100 Subject: [PATCH 140/462] draft for adding a debugging page with many known issues and solutions --- docs/content/config/troubleshooting/debugging.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 docs/content/config/troubleshooting/debugging.md diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md new file mode 100644 index 00000000..abf4022f --- /dev/null +++ b/docs/content/config/troubleshooting/debugging.md 
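Review bot: in the postfix.md hunk of patch 139, removing the deep link leaves `Have a look to the code for more information.` pointing at nothing. Dropping the `#L351-L361` line anchor is the right fix for link rot, but keep a link to the file itself (`target/start-mailserver.sh`, referenced earlier in this series) so the reader knows which code is meant; "Have a look at the code" is also the idiomatic form.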
@@ -0,0 +1,5 @@ +#Documentation on debugging + + +## Invalid username or Password +..todo.. From c0f3113b629d23d7a6ce19f2cc3a7a9980f89c04 Mon Sep 17 00:00:00 2001 From: Rubytastic2 Date: Wed, 4 Jan 2017 01:46:39 +0100 Subject: [PATCH 141/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index abf4022f..369c1fe0 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -3,3 +3,11 @@ ## Invalid username or Password ..todo.. + +1. Login Container +docker exec -it bash + +2. Check log files +/var/log/mail +could not find any mention of incorrect logins here +neither in the dovecot logs From c41aed1df4ef3433e69da80d3fcd294df9c4a554 Mon Sep 17 00:00:00 2001 From: Rubytastic2 Date: Wed, 4 Jan 2017 01:58:12 +0100 Subject: [PATCH 142/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 369c1fe0..d040d7e6 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -11,3 +11,4 @@ docker exec -it bash /var/log/mail could not find any mention of incorrect logins here neither in the dovecot logs + From d0e1eb280544f2c54ea53ec9d4c66bbcbc4ff790 Mon Sep 17 00:00:00 2001 From: Tim Buschmann Date: Thu, 5 Jan 2017 09:06:21 +0100 Subject: [PATCH 143/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index c85f5e10..ec7f569f 100644 --- a/docs/content/config/troubleshooting/faq.md 
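Review bot: in the debugging.md hunk of patch 141, `docker exec -it bash` is missing the container argument and fails as written, since `docker exec` needs a container name before the command; the container is called `mail` elsewhere in these docs, so `docker exec -it mail bash`. The second step, `/var/log/mail` followed by "could not find any mention of incorrect logins here", records an observation rather than a troubleshooting step; if the page is published this way, say which log file to check for Dovecot authentication failures or leave the section marked as todo.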
+++ b/docs/content/config/troubleshooting/faq.md @@ -57,7 +57,7 @@ Put received spams in `.Junk/` imap folder and add a cron like the fllowing: ``` # Everyday 2:00AM, learn spam for this specific user -0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk +0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` ### What kind of SSL certificates can I use? From 5583ad27797c8ab5e0c433b9dbd264b88cb9f32a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 9 Jan 2017 17:39:22 +0100 Subject: [PATCH 144/462] Added common errors --- docs/content/config/troubleshooting/faq.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index ec7f569f..3c84f574 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -78,4 +78,16 @@ If we're blind, we won't be able to do anything. ### Is `docker-mailserver` running in a [rancher environment](http://rancher.com/rancher/)? -Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. \ No newline at end of file +Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. + +### Common errors + +``` +warning: connect to Milter service inet:localhost:8893: Connection refused +# DMARC not running +# => /etc/init.d/opendmarc restart + +warning: connect to Milter service inet:localhost:8891: Connection refused +# DKIM not running +# => /etc/init.d/opendkim restart +``` \ No newline at end of file From 5e2effeab0609f8174660fdfdfcf64952efcf52f Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 19 Jan 2017 21:39:20 +0100 Subject: [PATCH 145/462] Added info about ONE_DIR --- docs/content/config/troubleshooting/faq.md | 1 + 1 file changed, 1 insertion(+) 
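Review bot: the "Common errors" block added to faq.md in patch 144 gives `/etc/init.d/opendmarc restart` and `/etc/init.d/opendkim restart` without saying where to run them; these are in-container commands, so prefix them the way the rest of the FAQ does (`docker exec mail /etc/init.d/opendkim restart`). It would also help to say what the symptom means: `connect to Milter service inet:localhost:8891: Connection refused` is Postfix failing to reach the DKIM milter at all (8893 the DMARC one), and what happens to mail meanwhile depends on Postfix's milter_default_action, so the milter's own log should be checked for why it stopped rather than only restarting it.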
diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 3c84f574..714af3e5 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -57,6 +57,7 @@ Put received spams in `.Junk/` imap folder and add a cron like the fllowing: ``` # Everyday 2:00AM, learn spam for this specific user +# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` From bec968f4826377ba21ef67f5de0bf0fdef359968 Mon Sep 17 00:00:00 2001 From: Dominik Date: Thu, 19 Jan 2017 22:14:17 +0100 Subject: [PATCH 146/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 714af3e5..2761088d 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -61,6 +61,8 @@ Put received spams in `.Junk/` imap folder and add a cron like the fllowing: 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` +With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For future reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). + ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. 
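Review bot: in the faq.md hunk of patch 146, the added paragraph has a typo ("Spamassasin") and a tense slip ("Until you provided" should be "Until you have provided"). The caveat itself is useful; consider spelling out the ham command it alludes to, because "using the same command as above but using `--ham`" leaves the reader to reconstruct the `--dbpath` argument, and both runs must target the same Bayes database for the 200/200 threshold described here to be reached.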
From 0b7f07c79cf964c285e96eecd51721aa79a53baa Mon Sep 17 00:00:00 2001 From: makloda Date: Sun, 29 Jan 2017 17:44:49 +0100 Subject: [PATCH 147/462] Added question about acl rules for Spamassassin domain matching handling in amavis --- docs/content/config/troubleshooting/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2761088d..2bef89d9 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -51,6 +51,10 @@ Please use `STARTTLS`. ### How can I manage my custom Spamassassin rules? Antispam rules are managed in `config/spamassassin-rules.cf`. +### Why are Spamassassin x-headers not inserted into my sample.domain.com subdomain emails? + +In the default setup, Amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the Amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. + ### How can I make Spamassassin learn spam? Put received spams in `.Junk/` imap folder and add a cron like the fllowing: From 0bb57163d29b35e838f0ec59fc1f7a376dbaed9d Mon Sep 17 00:00:00 2001 From: makloda Date: Sun, 29 Jan 2017 17:45:33 +0100 Subject: [PATCH 148/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2bef89d9..75832daa 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
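Review bot: in the faq.md hunk of patch 147, the text says to override `@local_domains_acl` but the replacement sets a different variable, `@local_domains_maps = (".");`; explain the relation between the two, otherwise readers will take it for a typo. More importantly, `"."` matches every recipient domain, not just your subdomains, so Amavis will treat mail for domains this server does not host as local; an entry listing the actual domains and subdomains you serve gives the same header insertion without that side effect. The inline configuration fragments should also be in backticks to match the rest of the page.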
@@ -53,11 +53,11 @@ Antispam rules are managed in `config/spamassassin-rules.cf`. ### Why are Spamassassin x-headers not inserted into my sample.domain.com subdomain emails? -In the default setup, Amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the Amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. +In the default setup, amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. ### How can I make Spamassassin learn spam? -Put received spams in `.Junk/` imap folder and add a cron like the fllowing: +Put received spams in `.Junk/` imap folder and add a cron like the following: ``` # Everyday 2:00AM, learn spam for this specific user From 597d642f8cff1b464789b105aa62c5a35086da81 Mon Sep 17 00:00:00 2001 From: Wim Date: Tue, 31 Jan 2017 00:13:26 +0100 Subject: [PATCH 149/462] Add docker letsencrypt example --- docs/content/config/security/ssl.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index da03e1b9..c100732a 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
@@ -17,6 +17,28 @@ To enable Let's Encrypt on your mail server, you have to: You don't have anything else to do. Enjoy. +#### Example using docker for letsencrypt +Make a directory to store your letsencrypt logs and configs. + +In my case +``` +mkdir -p /home/ubuntu/docker/letsencrypt/log +mkdir -p /home/ubuntu/docker/letsencrypt/etc/letsencrypt +``` + +Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. +This will need access to port 443 from the internet, adjust your firewall if needed +``` +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld +``` +You can now mount /home/ubuntu/docker/letsencrypt/etc/letsencrypt in /etc/letsencrypt of ```docker-mailserver``` + +To renew your certificate just run (this will need access to port 443 from the internet, adjust your firewall if needed) +``` +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot renew +``` + + ### Self-signed certificates (testing only) You can easily generate a self-signed SSL certificate by using the following command: From 830fb9807b45fc0b90ebe1f03ef62b5f07b63128 Mon Sep 17 00:00:00 2001 From: Guillaume Simon Date: Sat, 11 Feb 2017 16:28:36 +0100 Subject: [PATCH 150/462] Wrong volume reference when using docker-compose (ref: http://stackoverflow.com/a/39125414) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 75832daa..442345b9 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
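Review bot: the ssl.md hunk in patch 149 has a path mismatch: the setup creates `/home/ubuntu/docker/letsencrypt/etc/letsencrypt`, but the certbot commands mount `-v $PWD/etc/:/etc/letsencrypt/`, so certbot writes its `live/`, `archive/` and `renewal/` directories directly under `$PWD/etc/`, and the later instruction to mount `/home/ubuntu/docker/letsencrypt/etc/letsencrypt` into `/etc/letsencrypt` of `docker-mailserver` points at an empty directory. Either mount `$PWD/etc/letsencrypt/` or tell the reader to mount `.../etc`, and state that the commands assume `cd /home/ubuntu/docker/letsencrypt` first, since they rely on `$PWD`. `deliverous/certbot` is a third-party build; the official `certbot/certbot` image runs the same `certonly --standalone` and `renew` subcommands and is the more trustworthy source for a container that ends up holding your private keys. Also, the triple-backtick spans around mail.myserver.tld and docker-mailserver are inline code and should be single backticks.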
@@ -26,7 +26,7 @@ You should use a [data volume container](https://medium.com/@ramangupta/why-dock Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: docker run --rm \ - --volumes-from maildata_1 \ + --volume dockermailserver_maildata:/var/mail \ -v "$(pwd)":/backups \ -ti tvial/docker-mailserver \ tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail From 197318f1abce2a439be2d3725dd9225773a6eb4d Mon Sep 17 00:00:00 2001 From: Edward Knyshov Date: Sun, 12 Feb 2017 17:14:53 +0700 Subject: [PATCH 151/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index c100732a..3a66df94 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -98,4 +98,21 @@ or And you should see the certificate chain, the server certificate and: - Verify return code: 0 (ok) \ No newline at end of file + Verify return code: 0 (ok) + +### Plain text access + +Not recommended for purposes other than testing. + +Just add this to config/dovecot.cf: + +``` +ssl = yes +disable_plaintext_auth=no +``` + +These options in conjunction mean: + +``` +ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. The client is allowed to login with plaintext authentication even when SSL/TLS isn't enabled on the connection. This is insecure, because the plaintext password is exposed to the internet. +``` \ No newline at end of file From 2a101fe241d25fd31cc65b5986361fae50c8d719 Mon Sep 17 00:00:00 2001 
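Review bot: the faq.md hunk in patch 150 hardcodes `--volume dockermailserver_maildata:/var/mail`; the `dockermailserver_` prefix is the compose project name, which defaults to the directory holding `docker-compose.yml`, so it differs for anyone who checked the project out under another directory name or set `COMPOSE_PROJECT_NAME`. Say so, and point the reader at `docker volume ls` to find the real name. Worth a line next to it even though it predates this change: the archive written to `$(pwd)` contains every user's mailbox, so it should land in a directory with restrictive permissions.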
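Review bot: the "Plain text access" section added to ssl.md in patch 151 documents a server-wide setting, not a test-only toggle: `disable_plaintext_auth=no` in `config/dovecot.cf` lets every client, not just the one being tested, send its password unencrypted, and the hunk's own quoted text says "This is insecure, because the plaintext password is exposed to the internet". State that up front in the section, together with reverting the change after testing, rather than leaving it to the quoted explanation at the end. Two smaller points: the quoted Dovecot explanation is prose and belongs in a blockquote with a link to its source rather than a code fence, and `ssl = yes` next to `disable_plaintext_auth=no` uses inconsistent spacing.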
From: Erick Calder Date: Fri, 17 Mar 2017 15:34:05 -0700 Subject: [PATCH 152/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 1eba7ad5..683e6a81 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -3,6 +3,10 @@ The latest version of the script `setup.sh` is included in the `docker-mailserve ``` wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh ``` +if you use curl: +``` +curl -o setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh +``` Run `./setup.sh` without arguments and you get some usage informations. From 656cf5f34cda3abc2f514d28efd11ec9007989b0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petar=20=C5=A0egina?= Date: Sun, 19 Mar 2017 14:54:58 +0100 Subject: [PATCH 153/462] Mention address tags #542 --- docs/content/config/user-management/aliases.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index c64ade56..9563d457 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md 
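Review bot: in the setup.sh hunk of patch 152, `curl -o setup.sh https://...` saves whatever the server returns, including an HTML error page on a 404 or a redirect, and the following `chmod a+x` makes that executable. Use `curl -fsSL -o setup.sh ...` so a non-2xx response fails instead of producing a bogus script, and chain with `&&` rather than `;` so `chmod` does not run after a failed download; the same `;` issue applies to the `wget -q -O` line above it. Also capitalize "If you use curl:".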
@@ -24,3 +24,9 @@ Additional regexp aliases can be configured by placing them into `config/postfix ``` /^test[0-9][0-9]*@example.com/ qa@example.com ``` + +### Address tags as an alternative + +Postfix supports address tags - i.e. address+tag@example.com will end up at address@example.com. This is configured by default and the (configurable) separator is set to `+`. + +For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/). \ No newline at end of file From 19355761c6f387b2142fc32f4cd302bb70bcfa26 Mon Sep 17 00:00:00 2001 From: arneke Date: Mon, 27 Mar 2017 00:15:28 +0200 Subject: [PATCH 154/462] Expanded recipient delimiter description because the referenced blog post does not cover Dovecot LDA --- docs/content/config/user-management/aliases.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index 9563d457..2bf3107a 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md 
@@ -29,4 +29,9 @@ Additional regexp aliases can be configured by placing them into `config/postfix Postfix supports address tags - i.e. address+tag@example.com will end up at address@example.com. This is configured by default and the (configurable) separator is set to `+`. -For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/). \ No newline at end of file +For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/). + +Note that if you do decide to change the configurable separator, you must add the same line to *both* `config/postfix-main.cf` and `config/dovecot.cf`, because Dovecot is acting as the delivery agent. For example, to switch to `-`, add +``` +recipient_delimiter = - +``` From 2229284c110fbb51b964deb37ff111ca7e942a67 Mon Sep 17 00:00:00 2001 From: alinmear Date: Wed, 19 Apr 2017 10:49:26 +0200 Subject: [PATCH 155/462] Created Configue LDAP (markdown) --- docs/content/configue-ldap.md | 67 +++++++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 docs/content/configue-ldap.md diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md new file mode 100644 index 00000000..8ecb342e --- /dev/null +++ b/docs/content/configue-ldap.md 
@@ -0,0 +1,67 @@ +**NOTE**: This page will provide several use cases like recipes to show, how this project can be used with it's LDAP Features. + +### Ldap Setup - Kopano/Zarafa +``` +--- +version: '2' + +services: + mail: + image: tvial/docker-mailserver:2.1 + hostname: mail + domainname: domain.com + container_name: mail + + ports: + - "25:25" + - "143:143" + - "587:587" + - "993:993" + + volumes: + - maildata:/var/mail + - mailstate:/var/mail-state + - ./config/:/tmp/docker-mailserver/ + + environment: + - SMTP_ONLY=1 + - ENABLE_SPAMASSASSIN=1 + - ENABLE_CLAMAV=1 + - ENABLE_FAIL2BAN=1 + - ENABLE_POSTGREY=1 + - SASLAUTHD_PASSWD= + # >>> SASL Authentication + - ENABLE_SASLAUTHD=1 + - SASLAUTHD_LDAP_SERVER= + - SASLAUTHD_LDAP_PROTO= + - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc + - SASLAUTHD_LDAP_PASSWORD=mypassword + - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc + - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person)) + - SASLAUTHD_MECHANISMS=ldap + # <<< SASL Authentication + # >>> Postfix Ldap Integration + - ENABLE_LDAP=1 + - LDAP_SERVER_HOST= + - LDAP_SEARCH_BASE=dc=mydomain,dc=loc + - LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc + - LDAP_BIND_PW=mypassword + # <<< Postfix Ldap Integration + # >>> Kopano Integration + - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 + - POSTFIX_DAGENT=lmtp:kopano:2003 + # <<< Kopano Integration + - ONE_DIR=1 + - DMS_DEBUG=0 + - SSL_TYPE=letsencrypt + - PERMIT_DOCKER=host + + cap_add: + - NET_ADMIN + +volumes: + maildata: + driver: local + mailstate: + driver: local +``` \ No newline at end of file From a7b12e41b25ac58e41726d98277af9c5ff1b322a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Thu, 27 Apr 2017 18:01:51 +0200 Subject: [PATCH 156/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 8ecb342e..8418cc31 100644 
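Review bot: in the configue-ldap.md hunk of patch 155, the example binds to the directory as `cn=Administrator,cn=Users,dc=mydomain,dc=loc` for both saslauthd and Postfix, with the password inline (`LDAP_BIND_PW=mypassword`, `SASLAUTHD_LDAP_PASSWORD=mypassword`). A mail server only needs read access to the user attributes it queries, so the example should use a dedicated read-only service account and note that the secrets belong in an `env_file` or similar rather than in a compose file that gets versioned. Consistency issues: `SMTP_ONLY=1` means only Postfix starts (the environment variable list earlier in this series says "1 => only launch postfix smtp"), yet the example still publishes 143 and 993; several variables are left empty (`SASLAUTHD_LDAP_SERVER=`, `SASLAUTHD_LDAP_PROTO=`, `LDAP_SERVER_HOST=`) without saying what the reader is expected to fill in; and "Configue" in the file name and title is a typo for "Configure".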
--- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md @@ -7,7 +7,7 @@ version: '2' services: mail: - image: tvial/docker-mailserver:2.1 + image: tvial/docker-mailserver:latest hostname: mail domainname: domain.com container_name: mail From eb6bd11d3d40765b0b8b86048b14cab895818c55 Mon Sep 17 00:00:00 2001 From: Arne Kepp Date: Thu, 11 May 2017 20:40:12 +0200 Subject: [PATCH 157/462] Mention sieve-pipe --- docs/content/advanced/mail-sieve.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index ed13394e..47881280 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md @@ -34,6 +34,13 @@ Just forward all incoming emails and do not save them locally: redirect "user2@otherdomain.tld"; ``` +You can also use external programs to filter or pipe (process) messages by adding executable scripts in `config/sieve-pipe` or `config/sieve-filter`. This can be used in lieu of a local alias file, for instance to forward an email to a webservice. These programs can then be referenced by filename, by all users. Note that the process running the scripts run as a privileged user. For further information see [Dovecot's wiki](https://wiki.dovecot.org/Pigeonhole/Sieve/Plugins/Pipe). +``` +require ["vnd.dovecot.pipe"]; +pipe "external-program"; +``` + + For more examples or a detailed description of the Sieve language have a look at [the official site](http://sieve.info/examplescripts). Other resources are available on the internet where you can find several [examples](https://support.tigertech.net/sieve#sieve-example-rules-jmp). ### Manage Sieve From c19bed7706a911e59686456474c8090704cf82ac Mon Sep 17 00:00:00 2001 From: Robert Gregor Date: Sat, 13 May 2017 14:15:04 -0400 Subject: [PATCH 158/462] added updated alias methods for setup.sh --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 5 +++++ 1 file changed, 5 insertions(+) 
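Review bot: patch 156 changes the LDAP example's `image:` from `tvial/docker-mailserver:2.1` to `:latest`; for a worked configuration that depends on specific environment variables, a pinned tag is the safer choice because `latest` moves and can silently change what those variables do. If the aim is to avoid a stale tag, state which version the example was tested with and let the reader choose.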
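Review bot: the mail-sieve.md hunk of patch 157 buries its most important sentence: scripts placed in `config/sieve-pipe` or `config/sieve-filter` can be invoked by every user's Sieve script by filename, and "the process running the scripts run as a privileged user" (should read "runs"). Taken together that means any account holder can run any program the administrator drops there, with elevated privileges and with message content as input, so the note should say plainly that only trusted, minimal scripts belong in those directories and that they must validate their input. The example `pipe "external-program";` would also be clearer with a comment that `external-program` is the script's filename in `config/sieve-pipe`.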
diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 683e6a81..63dbf199 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -27,6 +27,11 @@ SUBCOMMANDS: ./setup.sh email del ./setup.sh email list + alias: + ./setup.sh alias add + ./setup.sh alias del + ./setup.sh alias list + config: ./setup.sh config dkim From a8c8a8d2dd8f720555627c10577f0cb6e83c8315 Mon Sep 17 00:00:00 2001 From: Robert Gregor Date: Sat, 13 May 2017 14:16:08 -0400 Subject: [PATCH 159/462] Cleaned up headings, added call for authors/contributors --- docs/content/config/troubleshooting/debugging.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index d040d7e6..80fb5d1c 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -1,8 +1,6 @@ -#Documentation on debugging - - +..todo.. - Please contribute more to help others debug this package ## Invalid username or Password -..todo.. + 1. Login Container docker exec -it bash From 17fe0d7b706e16476cea13df05fa081729150d0e Mon Sep 17 00:00:00 2001 From: Florian Wendelborn Date: Sat, 13 May 2017 21:56:06 +0200 Subject: [PATCH 160/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 80fb5d1c..068da590 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
@@ -3,10 +3,14 @@ 1. Login Container + +```bash docker exec -it bash +``` 2. Check log files -/var/log/mail + +`/var/log/mail` could not find any mention of incorrect logins here neither in the dovecot logs From 02664c68cfd87ecb700f5584abe966c6cef8340d Mon Sep 17 00:00:00 2001 From: Marvin Blum Date: Tue, 6 Jun 2017 18:29:53 +0200 Subject: [PATCH 161/462] Typo, grammar. --- docs/content/advanced/override-defaults/postfix.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 58067ca7..e5008786 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -1,7 +1,7 @@ -The Postfix default configuration can easily be overridden providing a `config/postfix-main.cf` at postfix format. -This can be used to also add configuration that are not in out default configuration. +The Postfix default configuration can easily be overwritten by providing a `config/postfix-main.cf` in postfix format. +This can also be used to add configuration that is not in our default configuration. [Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. -Each line in the provided line will be loaded into postfix. +Each line in the provided file will be loaded into postfix. -Have a look to the code for more information. \ No newline at end of file +Have a look at the code for more information. \ No newline at end of file From 2af16ccc14168319759912be84ae7e3a340d044a Mon Sep 17 00:00:00 2001 From: Marvin Blum Date: Tue, 6 Jun 2017 18:30:49 +0200 Subject: [PATCH 162/462] Title --- .../postfix.md => overwrite-default-postfix-configuration.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{advanced/override-defaults/postfix.md => overwrite-default-postfix-configuration.md} (100%) 
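Review bot: in the postfix.md hunk of patch 161, "overwritten" replaces "overridden", but the same paragraph says "Each line in the provided file will be loaded into postfix", i.e. the entries are merged into the default configuration rather than the file being replaced, so "overridden" was the more accurate word and the commit message "Typo, grammar." does not cover a change of meaning. The other corrections ("in postfix format", "our default", "provided file", "look at") are good.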
diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/overwrite-default-postfix-configuration.md similarity index 100% rename from docs/content/advanced/override-defaults/postfix.md rename to docs/content/overwrite-default-postfix-configuration.md From b8f17b4d0fb69f9bb58ab9b3b2c40758722be759 Mon Sep 17 00:00:00 2001 From: alinmear Date: Thu, 8 Jun 2017 08:42:23 +0200 Subject: [PATCH 163/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 8418cc31..75e6149a 100644 --- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md @@ -46,6 +46,7 @@ services: - LDAP_SEARCH_BASE=dc=mydomain,dc=loc - LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - LDAP_BIND_PW=mypassword + - LDAP_QUERY_FILTER=(&(sAMAccountName=%U)(objectClass=person)) # <<< Postfix Ldap Integration # >>> Kopano Integration - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 From fc9f40b39878581208f19f3653908fa2a526dfbe Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 19 Jun 2017 20:38:37 +0200 Subject: [PATCH 164/462] Added information regarding multi-domain --- docs/content/config/user-management/accounts.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index a360a5ac..853ca2ee 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -1,4 +1,4 @@ -Users are managed in `config/postfix-accounts.cf`. +Users (email accounts) are managed in `config/postfix-accounts.cf`. Just add the full email address and its encrypted password separated by a pipe. Example: 
@@ -6,7 +6,10 @@ Example: user1@domain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 -To generate the password you could run for example the following: +In the previous example, we added 2 mail accounts for 2 different domains. +This is will automagically configure the mail-server as multi-domain. + +To generate a new mail account entry in your configuration, you could run for example the following: docker run --rm \ -e MAIL_USER=user1@domain.tld \ From 504494e4dde9e02a82cfb638abafc3d7707d96dc Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Mon, 19 Jun 2017 20:39:22 +0200 Subject: [PATCH 165/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 853ca2ee..148cfc25 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -7,7 +7,7 @@ Example: user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 In the previous example, we added 2 mail accounts for 2 different domains. -This is will automagically configure the mail-server as multi-domain. +This is will automagically configure the mail-server as multi-domains. To generate a new mail account entry in your configuration, you could run for example the following: From 6162cac0fa2f32580b53648f41bc884e7608ed3a Mon Sep 17 00:00:00 2001 
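Review bot: in the accounts.md hunk of patch 165, "multi-domains" is less idiomatic than the "multi-domain" it replaces, and the sentence still begins "This is will automagically", which should read "This will automatically". Visible in the hunk's context rather than in the change itself: both example accounts carry the identical `{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$...` string, so it would help to say that salt and hash are generated per account by the command shown below, and that copying one line for a second user is not how entries are made.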
From: tyranron Date: Tue, 27 Jun 2017 22:23:54 +0300 Subject: [PATCH 166/462] Add in-Kubernetes usage docs --- docs/content/advanced/kubernetes.md | 377 ++++++++++++++++++++++++++++ 1 file changed, 377 insertions(+) create mode 100644 docs/content/advanced/kubernetes.md diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md new file mode 100644 index 00000000..56276a58 --- /dev/null +++ b/docs/content/advanced/kubernetes.md 
@@ -0,0 +1,377 @@ +## Deployment example + +There is nothing much in deploying mailserver to Kubernetes itself. The things are pretty same as in [`docker-compose.yml`][1], but with Kubernetes syntax. + +```yaml +kind: Service +apiVersion: v1 +metadata: + name: mailserver + labels: + app: mailserver +spec: + selector: + app: mailserver + ports: + - name: smtp + port: 25 + targetPort: smtp + - name: smtp-auth + port: 587 + targetPort: smtp-auth + - name: imap-secure + port: 993 + targetPort: imap-secure + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + name: mailserver.config + labels: + app: mailserver +data: + postfix-accounts.cf: | + user1@example.com|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 + + postfix-virtual.cf: | + alias1@example.com user1@dexample.com + + SigningTable: | + *@example.com mail._domainkey.example.com + + KeyTable: | + mail._domainkey.example.com example.com:mail:/etc/opendkim/keys/example.com-mail.key + + TrustedHosts: | + 127.0.0.1 + localhost + +--- + +kind: Secret +apiVersion: v1 +metadata: + name: mailserver.opendkim.keys + labels: + app: mailserver +type: Opaque +data: + example.com-mail.key: 'base64-encoded-DKIM-key' + +--- + +kind: Deployment +apiVersion: extensions/v1beta1 +metadata: + name: mailserver + labels: + app: mailserver +spec: + strategy: + type: Recreate + template: + metadata: + labels: + app: mailserver + spec: + nodeSelector: + has/mail-server: 'true' + subdomain: mailserver + containers: + - name: mailserver + image: tvial/docker-mailserver:2.1 + ports: + - name: smtp + containerPort: 25 + - name: smtp-auth + containerPort: 587 + - name: imap-secure + containerPort: 993 + env: + - name: ONE_DIR + value: '1' + volumeMounts: + - name: config + subPath: postfix-accounts.cf + mountPath: /tmp/docker-mailserver/postfix-accounts.cf + readOnly: true + - name: config + subPath: postfix-virtual.cf + mountPath: 
/tmp/docker-mailserver/postfix-virtual.cf + readOnly: true + - name: config + subPath: SigningTable + mountPath: /tmp/docker-mailserver/opendkim/SigningTable + readOnly: true + - name: config + subPath: KeyTable + mountPath: /tmp/docker-mailserver/opendkim/KeyTable + readOnly: true + - name: config + subPath: TrustedHosts + mountPath: /tmp/docker-mailserver/opendkim/TrustedHosts + readOnly: true + - name: opendkim-keys + mountPath: /tmp/docker-mailserver/opendkim/keys + readOnly: true + - name: data + mountPath: /var/mail + - name: state + mountPath: /var/mail-state + volumes: + - name: config + configMap: + name: mailserver.config + - name: opendkim-keys + secret: + secretName: mailserver.opendkim.keys + - name: data + hostPath: + path: /path/to/mailserver/data + - name: state + hostPath: + path: /path/to/mailserver/state +``` + +__Note:__ +Any sensitive data (keys, etc) should be deployed via [Secrets][50]. Other configuration just fits well into [ConfigMaps][51]. + +__Note:__ +Make sure that [Pod][52] is [assigned][59] to specific [Node][53] in case you're using volume for data directly with `hostPath`. Otherwise Pod can be rescheduled on a different Node and previous data won't be found. Except the case when you're using some shared filesystem on your Nodes. + + + + +## Exposing to outside world + +The hard part with Kubernetes is to expose deployed mailserver to outside world. Kubernetes provides multiple ways for doing that. Each has its downsides and complexity. + +The major problem with exposing mailserver to outside world in Kubernetes is to [preserve real client IP][57]. Real client IP is required by mailserver for performing IP-based SPF checks and spam checks. + +Preserving real client IP is relatively [non-trivial in Kubernetes][57] and most exposing ways do not provide it. So, it's up to you to decide which exposing way suits better your needs in a price of complexity. 
+ +If you do not require SPF checks for incoming mails you may disable them in [Postfix configuration][2] by dropping following line (which removes `check_policy_service unix:private/policyd-spf` option): +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: mailserver.config + labels: + app: mailserver +data: + postfix-main.cf: | + smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unauth_pipelining, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net +# ... + +--- + +kind: Deployment +apiVersion: extensions/v1beta1 +metadata: + name: mailserver +# ... + volumeMounts: + - name: config + subPath: postfix-main.cf + mountPath: /tmp/docker-mailserver/postfix-main.cf + readOnly: true +# ... +``` + + +### External IPs Service + +The simplest way is to expose mailserver as a [Service][55] with [external IPs][56]. + +```yaml +kind: Service +apiVersion: v1 +metadata: + name: mailserver + labels: + app: mailserver +spec: + selector: + app: mailserver + ports: + - name: smtp + port: 25 + targetPort: smtp +# ... + externalIPs: + - 80.11.12.10 +``` + +##### Downsides + +- __Real client IP is not preserved__, so SPF check of incoming mail will fail. + +- Requirement to specify exposed IPs explicitly. + + +### Proxy port to Service + +The [Proxy Pod][58] helps to avoid necessity of specifying external IPs explicitly. This comes in price of complexity: you must deploy Proxy Pod on each [Node][53] you want to expose mailserver on. + +##### Downsides + +- __Real client IP is not preserved__, so SPF check of incoming mail will fail. + + +### Bind to concrete Node and use host network + +The simplest way to preserve real client IP is to use `hostPort` and `hostNetwork: true` in the mailserver [Pod][52]. 
This comes in price of availability: you can talk to mailserver from outside world only via IPs of [Node][53] where mailserver is deployed. + +```yaml +kind: Deployment +apiVersion: extensions/v1beta1 +metadata: + name: mailserver +# ... + spec: + hostNetwork: true +# ... + containers: +# ... + ports: + - name: smtp + containerPort: 25 + hostPort: 25 + - name: smtp-auth + containerPort: 587 + hostPort: 587 + - name: imap-secure + containerPort: 993 + hostPort: 993 +# ... +``` + +##### Downsides + +- Not possible to access mailserver via other cluster Nodes, only via the one mailserver deployed at. + + +### Proxy port to Service via PROXY protocol + +This way is ideologically the same as [using Proxy Pod](#proxy-port-to-service) but instead Proxy Pod you should use [HAProxy image][11] or [Nginx Ingress Controller][12] and proxy TCP traffic to mailserver Pod with PROXY protocol usage which does real client IP preservation. + +This requires some additional mailserver configuration: you should enable PROXY protocol on ports that [Postfix][2] and [Dovecot][3] listen on for incoming connections. +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: mailserver.config + labels: + app: mailserver +data: + postfix-main.cf: | + smtpd_upstream_proxy_protocol = haproxy + dovecot.cf: | + service imap-login { + inet_listener imaps { + haproxy = yes + } + } +# ... + +--- + +kind: Deployment +apiVersion: extensions/v1beta1 +metadata: + name: mailserver +#... + volumeMounts: + - name: config + subPath: postfix-main.cf + mountPath: /tmp/docker-mailserver/postfix-main.cf + readOnly: true + - name: config + subPath: dovecot.cf + mountPath: /etc/dovecot/conf.d/zz-custom.cf + readOnly: true +# ... +``` + +##### Downsides + +- Not possible to access mailserver via inner cluster Kubernetes DNS, as PROXY protocol is required for incoming connections. + + + + +## Let's Encrypt certificates + +[Kube-Lego][10] may be used for a role of Let's Encrypt client. 
It works with Kubernetes [Ingress Resources][54] and automatically issues/manages certificates/keys for exposed services via Ingresses. + +```yaml +kind: Ingress +apiVersion: extensions/v1beta1 +metadata: + name: mailserver + labels: + app: mailserver + annotations: + kubernetes.io/tls-acme: 'true' +spec: + rules: + - host: example.com + http: + paths: + - path: / + backend: + serviceName: default-backend + servicePort: 80 + tls: + - secretName: mailserver.tls + hosts: + - example.com +``` + +Now, you can use Let's Encrypt cert and key from `mailserver.tls` [Secret][50] +in your [Pod][52] spec. + +```yaml +# ... + env: + - name: SSL_TYPE + value: 'manual' + - name: SSL_CERT_PATH + value: '/etc/ssl/mailserver/tls.crt' + - name: SSL_KEY_PATH + value: '/etc/ssl/mailserver/tls.key' +# ... + volumeMounts: + - name: tls + mountPath: /etc/ssl/mailserver + readOnly: true +# ... + volumes: + - name: tls + secret: + secretName: mailserver.tls +# ... +``` + + + + + +[1]: https://github.com/tomav/docker-mailserver/blob/master/docker-compose.yml.dist +[2]: https://github.com/tomav/docker-mailserver/wiki/Overwrite-Default-Postfix-Configuration +[3]: https://github.com/tomav/docker-mailserver/wiki/Override-Default-Dovecot-Configuration +[10]: https://github.com/jetstack/kube-lego +[11]: https://hub.docker.com/_/haproxy +[12]: https://github.com/kubernetes/ingress/tree/master/controllers/nginx#exposing-tcp-services +[50]: https://kubernetes.io/docs/concepts/configuration/secret +[51]: https://kubernetes.io/docs/tasks/configure-pod-container/configmap +[52]: https://kubernetes.io/docs/concepts/workloads/pods/pod +[53]: https://kubernetes.io/docs/concepts/architecture/nodes +[54]: https://kubernetes.io/docs/concepts/services-networking/ingress +[55]: https://kubernetes.io/docs/concepts/services-networking/service +[56]: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips +[57]: https://kubernetes.io/docs/tutorials/services/source-ip +[58]: 
https://github.com/kubernetes/contrib/tree/master/for-demos/proxy-to-service +[59]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node From a5a301e24d3fd1d2ab383bb51819fc653f3ef2a6 Mon Sep 17 00:00:00 2001 From: alinmear Date: Mon, 3 Jul 2017 13:47:12 +0200 Subject: [PATCH 167/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 75e6149a..c7abc66f 100644 --- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md @@ -1,3 +1,27 @@ +### Introduction + +Getting started with ldap and this mailserver we need to take 3 parts in account: + +* POSTFIX +* DOVECOT +* SASLAUTHD (this can also be handled by dovecot above) + +This is a list with the variables to control the container provisioning: + +__POSTFIX__: +* `LDAP_QUERY_FILTER_USER` +* `LDAP_QUERY_FILTER_GROUP` +* `LDAP_QUERY_FILTER_ALIAS` + +__SASLAUTHD__: + +* `SASLAUTHD_LDAP_FILTER` + +__DOVECOT__: +* `DOVECOT_USER_FILTER` +* `DOVECOT_PASS_FILTER` + + **NOTE**: This page will provide several use cases like recipes to show, how this project can be used with it's LDAP Features. ### Ldap Setup - Kopano/Zarafa From 4370439a878425b65ba9c81756e99c076f94503a Mon Sep 17 00:00:00 2001 From: alinmear Date: Mon, 3 Jul 2017 13:47:48 +0200 Subject: [PATCH 168/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index c7abc66f..372495b8 100644 --- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md 
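Review bot: `postfix-accounts.cf` (login names plus SHA512-CRYPT password hashes) and the DKIM `KeyTable`/`SigningTable` live in the `mailserver.config` ConfigMap in patch 166, while the note further down the same hunk says sensitive data belongs in Secrets; password hashes are offline-crackable credential material and should move to a Secret next to `example.com-mail.key`. Two further points in this hunk: the `postfix-virtual.cf` sample maps `alias1@example.com` to `user1@dexample.com` (typo, mail for the alias would be misrouted), and the PROXY-protocol section enables `smtpd_upstream_proxy_protocol = haproxy` and Dovecot `haproxy = yes` without restricting who may speak PROXY to those ports. Any pod or host that can reach 25/587/993 directly can then forge the client address in the PROXY header, which defeats exactly the SPF and spam checks this section is trying to preserve; add a NetworkPolicy limiting ingress to the proxy, and set Dovecot's `haproxy_trusted_networks` to the proxy's address range, which the `dovecot.cf` fragment omits. The `hostNetwork: true` variant should also say that the pod then shares the node's network namespace and is outside NetworkPolicy entirely.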
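Review bot: The introduction added in patch 167 names `LDAP_QUERY_FILTER_USER`, `LDAP_QUERY_FILTER_GROUP` and `LDAP_QUERY_FILTER_ALIAS`, but the compose example that follows on this page still sets a single `LDAP_QUERY_FILTER`, so a reader cannot tell which names the image actually reads; update the example in the same change. Wording: `take 3 parts in account` should be `take 3 parts into account`, and `it's LDAP Features` should be `its LDAP features`.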
@@ -6,7 +6,7 @@ Getting started with ldap and this mailserver we need to take 3 parts in account * DOVECOT * SASLAUTHD (this can also be handled by dovecot above) -This is a list with the variables to control the container provisioning: +### List with the variables to control the container provisioning __POSTFIX__: * `LDAP_QUERY_FILTER_USER` From c15d0c2f39b8faca4dbc4a9c240351dc48103606 Mon Sep 17 00:00:00 2001 From: alinmear Date: Mon, 3 Jul 2017 13:52:19 +0200 Subject: [PATCH 169/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 372495b8..40191e97 100644 --- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md @@ -48,12 +48,14 @@ services: - ./config/:/tmp/docker-mailserver/ environment: + # We are not using dovecot here - SMTP_ONLY=1 - ENABLE_SPAMASSASSIN=1 - ENABLE_CLAMAV=1 - ENABLE_FAIL2BAN=1 - ENABLE_POSTGREY=1 - SASLAUTHD_PASSWD= + # >>> SASL Authentication - ENABLE_SASLAUTHD=1 - SASLAUTHD_LDAP_SERVER= 
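Review bot: `SASLAUTHD_PASSWD=` is left as an empty assignment with no explanation in the first patch 169 hunk, directly under the new `# We are not using dovecot here` comment; either remove it or say what an empty value means, and state explicitly that authentication is delegated to saslauthd against LDAP, which is what the `SMTP_ONLY=1` plus `ENABLE_SASLAUTHD=1` combination below expresses.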
@@ -61,21 +63,26 @@ services: - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - SASLAUTHD_LDAP_PASSWORD=mypassword - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc - - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person)) + - SASLAUTHD_LDAP_FILTER="(&(sAMAccountName=%U)(objectClass=person))" - SASLAUTHD_MECHANISMS=ldap # <<< SASL Authentication + # >>> Postfix Ldap Integration - ENABLE_LDAP=1 - LDAP_SERVER_HOST= - LDAP_SEARCH_BASE=dc=mydomain,dc=loc - LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - LDAP_BIND_PW=mypassword - - LDAP_QUERY_FILTER=(&(sAMAccountName=%U)(objectClass=person)) + - LDAP_QUERY_FILTER_USER="(&(objectClass=user)(mail=%s))" + - LDAP_QUERY_FILTER_GROUP="(&(objectclass=group)(mail=%s))" + - LDAP_QUERY_FILTER_ALIAS="(&(objectClass=user)(otherMailbox=%s))" # <<< Postfix Ldap Integration + # >>> Kopano Integration - ENABLE_POSTFIX_VIRTUAL_TRANSPORT=1 - POSTFIX_DAGENT=lmtp:kopano:2003 # <<< Kopano Integration + - ONE_DIR=1 - DMS_DEBUG=0 - SSL_TYPE=letsencrypt From 2a93f85b2d0b0689c52d77d30b9c33471e197ea3 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Fri, 28 Jul 2017 18:44:22 +0200 Subject: [PATCH 170/462] Create a new tutorial how to automatic update and cleanup old docker images --- .../maintenance/update-and-cleanup.md | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 docs/content/advanced/maintenance/update-and-cleanup.md diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md new file mode 100644 index 00000000..8529c961 --- /dev/null +++ b/docs/content/advanced/maintenance/update-and-cleanup.md 
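Review bot: The filter values in the second patch 169 hunk are now wrapped in double quotes, e.g. `- SASLAUTHD_LDAP_FILTER="(&(sAMAccountName=%U)(objectClass=person))"`; in the list form of a compose `environment:` block the quotes are part of the YAML scalar and reach the container as literal `"` characters, so unless the image's start script strips them the generated LDAP filters will contain stray quotes. Either drop the quotes (the YAML scalar needs none here) or use the mapping form `SASLAUTHD_LDAP_FILTER: '(&(...))'`. Separately, both blocks bind as `cn=Administrator,cn=Users,dc=mydomain,dc=loc` with the password inline in the compose file; a dedicated read-only bind account, with `LDAP_BIND_PW` and `SASLAUTHD_LDAP_PASSWORD` supplied via `env_file` or a secret rather than the committed file, is the least-privilege pattern the docs should show.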
@@ -0,0 +1,37 @@ +# Automatic update + +Docker images are handy but it can get a a hassle to keep them updated. Also when a repository is automated you want to get these images when they get out. + +There is a nice docker image that solves this issue and can be very helpful. The image is: [v2tec/watchtower](https://hub.docker.com/r/v2tec/watchtower/). + +A docker-compose example: +```yaml +services: + watchtower: + restart: always + image: v2tec/watchtower:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock +``` + +For more details see the [manual](https://github.com/v2tec/watchtower/blob/master/README.md) + + +*** + + +# Automatic cleanup + +When you are pulling new images in automaticly it is nice to have them cleaned as well. There is also a docker images for this (from Spotify). The image is: [spotify/docker-gc](https://hub.docker.com/r/spotify/docker-gc/). + +A docker-compose example: +```yaml +services: + docker-gc: + restart: always + image: spotify/docker-gc:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock +``` + +For more details see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) \ No newline at end of file From 52ddb57dc57ffd2b03c77aed194a639925394b11 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Fri, 28 Jul 2017 18:54:16 +0200 Subject: [PATCH 171/462] Add the update and cleanup to the FAQ page --- docs/content/config/troubleshooting/faq.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 442345b9..e23631f4 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
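Review bot: Both compose snippets in patch 170 give a container mounted `/var/run/docker.sock` and pulled as `:latest`; access to the socket is equivalent to root on the host, so the page should say so and pin `v2tec/watchtower` and `spotify/docker-gc` by tag or digest instead of auto-updating the updater itself. Watchtower will also restart the mail server the moment a new image is published, with no chance to read release notes or check config compatibility; document a schedule or a label filter so only intended containers are updated. The snippets lack a compose `version:` key, so the top-level `services:` is not valid in the v1 file format that applies without it. Typos: `a a hassle`, `automaticly`, `a docker images for this`.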
@@ -97,4 +97,9 @@ warning: connect to Milter service inet:localhost:8893: Connection refused warning: connect to Milter service inet:localhost:8891: Connection refused # DKIM not running # => /etc/init.d/opendkim restart -``` \ No newline at end of file +``` + +### What about updates + +You can of course use a own script or every now and then pull && stop && rm && start the images but there are tools available for this. +There is a page in the [Update and cleanup](../Update-and-cleanup) wiki page that explains how to use it the docker way. \ No newline at end of file From 21ff017b23eb0923bece8b1d3c3761a94b3166a1 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Fri, 28 Jul 2017 18:54:54 +0200 Subject: [PATCH 172/462] Use the correct link to the wiki page. During edit it is wrong previewed. --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index e23631f4..ad86915f 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -102,4 +102,4 @@ warning: connect to Milter service inet:localhost:8891: Connection refused ### What about updates You can of course use a own script or every now and then pull && stop && rm && start the images but there are tools available for this. -There is a page in the [Update and cleanup](../Update-and-cleanup) wiki page that explains how to use it the docker way. \ No newline at end of file +There is a page in the [Update and cleanup](Update-and-cleanup) wiki page that explains how to use it the docker way. \ No newline at end of file From 453ee67f237b824970665e5e0cc30258b50ef0d1 Mon Sep 17 00:00:00 2001 From: Leo Winter Date: Sun, 6 Aug 2017 22:16:34 +0200 Subject: [PATCH 173/462] cd to right path for the next command with $PWD --- docs/content/config/security/ssl.md | 1 + 1 file changed, 1 insertion(+) 
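Review bot: The link `[Update and cleanup](../Update-and-cleanup)` in patch 171 resolves one directory above the wiki pages; use the page name without `../`. Wording: `use a own script` should be `use your own script`, and `pull && stop && rm && start the images` reads better as `pull, stop, remove and start the containers`.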
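Review bot: Patch 172 corrects the link target; the remaining problem in that line is `There is a page in the [Update and cleanup](Update-and-cleanup) wiki page`, which nests a page inside a page. Suggest `See the [Update and cleanup](Update-and-cleanup) wiki page for the docker way.`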
diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 3a66df94..67df3f8c 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -24,6 +24,7 @@ In my case ``` mkdir -p /home/ubuntu/docker/letsencrypt/log mkdir -p /home/ubuntu/docker/letsencrypt/etc/letsencrypt +cd /home/ubuntu/docker/letsencrypt ``` Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. From 8d7579b45ed344215f53df9ff1e12b9e7a6f793a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Sat, 19 Aug 2017 10:07:20 +0200 Subject: [PATCH 174/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index ad86915f..2e642d69 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -81,7 +81,8 @@ If everything is OK regarding DNS, please provide [formatted logs](https://guide If we're blind, we won't be able to do anything. ### Which system requirements needs my container to run `docker-mailserver` effectively? -1 core and 1GB of RAM is recommended, even it could work with 512M of RAM. +1 core and 1GB of RAM + Swap partition is recommended to run `docker-mailserver` with Clamav. +Otherwise, it could work with 512M of RAM. ### Is `docker-mailserver` running in a [rancher environment](http://rancher.com/rancher/)? 
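Review bot: The `cd /home/ubuntu/docker/letsencrypt` added in patch 173 is what makes the `$PWD/log/` and `$PWD/etc/` mounts in the following `docker run` land in the right place; say so in the text, because a reader who runs certbot from another directory ends up with an empty `/etc/letsencrypt` inside the mail container, which is exactly the symptom patch 175 on this page reports.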
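Review bot: The requirements line in the first patch 174 hunk says 1GB plus swap is needed `with Clamav` but gives no figure for the scanner, which is the component that dominates memory because it loads the full signature database; stating that figure, or pointing at `ENABLE_CLAMAV=0` as the option for small hosts, would make the recommendation actionable. Spelling: `Clamav` is `ClamAV`, and `Which system requirements needs my container to run` should be `What system requirements does my container need to run`.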
@@ -97,6 +98,13 @@ warning: connect to Milter service inet:localhost:8893: Connection refused warning: connect to Milter service inet:localhost:8891: Connection refused # DKIM not running # => /etc/init.d/opendkim restart + +mail amavis[1459]: (01459-01) (!)connect to /var/run/clamav/clamd.ctl failed, attempt #1: Can't connect to a UNIX socket /var/run/clamav/clamd.ctl: No such file or directory +mail amavis[1459]: (01459-01) (!)ClamAV-clamd: All attempts (1) failed connecting to /var/run/clamav/clamd.ctl, retrying (2) +mail amavis[1459]: (01459-01) (!)ClamAV-clamscan av-scanner FAILED: /usr/bin/clamscan KILLED, signal 9 (0009) at (eval 100) line 905. +mail amavis[1459]: (01459-01) (!!)AV: ALL VIRUS SCANNERS FAILED +# Clamav is not running (not started or because you don't have enough memory) +# => check requirements and/or start Clamav ``` ### What about updates From d513564d981aa141b9151195be7de2a07bf1761e Mon Sep 17 00:00:00 2001 From: Edmond Varga Date: Fri, 25 Aug 2017 09:15:39 +0300 Subject: [PATCH 175/462] After running certbot successfully and mounted ~/docker/letsencrypt/etc/letsencrypt, the /etc/letsencrypt in the docker-mailserver was empty. Certificates are now located in ~/docker/letsencrypt/etc/live, reason I suggested the edit for mounting the right path of `/home/ubuntu/docker/letsencrypt/etc/` --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 67df3f8c..2a5d5e75 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
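Review bot: `clamscan KILLED, signal 9` in the log excerpt added by the second patch 174 hunk is the kernel OOM killer terminating the scanner, not ClamAV failing to start, so the comment should tell the two apart: check the host's `dmesg` for out-of-memory messages before restarting the service. The excerpt ends at `AV: ALL VIRUS SCANNERS FAILED`; the page should also say what amavis does with mail in that state (deferred or delivered unscanned), since that is the question a reader seeing this line will have.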
@@ -32,7 +32,7 @@ This will need access to port 443 from the internet, adjust your firewall if nee ``` docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld ``` -You can now mount /home/ubuntu/docker/letsencrypt/etc/letsencrypt in /etc/letsencrypt of ```docker-mailserver``` +You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` To renew your certificate just run (this will need access to port 443 from the internet, adjust your firewall if needed) ``` From 28eba2118c8df505a5edcc3a4602e9b5dc8218b0 Mon Sep 17 00:00:00 2001 From: alinmear Date: Thu, 31 Aug 2017 10:32:43 +0200 Subject: [PATCH 176/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 40191e97..47af32c2 100644 --- a/docs/content/configue-ldap.md +++ b/docs/content/configue-ldap.md @@ -12,6 +12,7 @@ __POSTFIX__: * `LDAP_QUERY_FILTER_USER` * `LDAP_QUERY_FILTER_GROUP` * `LDAP_QUERY_FILTER_ALIAS` +* `LDAP_QUERY_FILTER_DOMAIN` __SASLAUTHD__: @@ -76,6 +77,7 @@ services: - LDAP_QUERY_FILTER_USER="(&(objectClass=user)(mail=%s))" - LDAP_QUERY_FILTER_GROUP="(&(objectclass=group)(mail=%s))" - LDAP_QUERY_FILTER_ALIAS="(&(objectClass=user)(otherMailbox=%s))" + - LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(user=*@%s)(group=*@%s))(mailEnabled=TRUE))" # <<< Postfix Ldap Integration # >>> Kopano Integration From 402f66ad2028e5c4d5676abcf88d6de4aa1f391a Mon Sep 17 00:00:00 2001 From: alinmear Date: Thu, 31 Aug 2017 10:34:31 +0200 Subject: [PATCH 177/462] Updated Configue LDAP (markdown) --- docs/content/configue-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/configue-ldap.md b/docs/content/configue-ldap.md index 47af32c2..9a5ca44a 100644 --- a/docs/content/configue-ldap.md 
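Review bot: The mount change in patch 175 is right for this workflow: with `-v $PWD/etc/:/etc/letsencrypt/`, certbot's `live/` and `archive/` directories land directly under `$PWD/etc/`, and `live/` only holds symlinks into `archive/`, so the whole `etc/` tree (never `live/` alone) is what must be mounted at `/etc/letsencrypt` for the links to resolve inside the container. Suggest also mounting it read-only (`:ro`); the mail container never needs to write to the certificate tree.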
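Review bot: The `LDAP_QUERY_FILTER_DOMAIN` value added in patch 176, `(&(|(mail=*@%s)(user=*@%s)(group=*@%s))(mailEnabled=TRUE))`, tests `user` and `group` attributes that are not mail-address attributes in the Active Directory schema the rest of this example assumes (`sAMAccountName`, `objectClass=user`), so those two branches never match and domain lookups fall through to `mail` alone. The `*@%s` substring matches also need a substring index on the directory for this filter to stay fast on every inbound recipient.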
+++ b/docs/content/configue-ldap.md @@ -77,7 +77,7 @@ services: - LDAP_QUERY_FILTER_USER="(&(objectClass=user)(mail=%s))" - LDAP_QUERY_FILTER_GROUP="(&(objectclass=group)(mail=%s))" - LDAP_QUERY_FILTER_ALIAS="(&(objectClass=user)(otherMailbox=%s))" - - LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(user=*@%s)(group=*@%s))(mailEnabled=TRUE))" + - LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" # <<< Postfix Ldap Integration # >>> Kopano Integration From af90682d6499dacf713d610120b3cd64b6126e1a Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Thu, 7 Sep 2017 19:39:48 +0200 Subject: [PATCH 178/462] Initial wiki page --- docs/content/config/best-practices/autodiscover.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 docs/content/config/best-practices/autodiscover.md diff --git a/docs/content/config/best-practices/autodiscover.md b/docs/content/config/best-practices/autodiscover.md new file mode 100644 index 00000000..f51a08c3 --- /dev/null +++ b/docs/content/config/best-practices/autodiscover.md @@ -0,0 +1,10 @@ +Configuring clients just with autodiscover: + +* using [jsmitsnl/docker-email-autodiscover](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) +* using [jwilder/nginx-proxy](https://hub.docker.com/r/jwilder/nginx-proxy/) for ssl (recommended) + +### Docker Email Autodiscover + +With docker email auto discover you can accounts find the correct email settings by just filling their email address. Client will search for auto discover settings and prefill almost everything. + +There is a full [README](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) available on the docker repo to set it up. \ No newline at end of file From caaae0eb76138d7bfb20d70b11e81442d606ef78 Mon Sep 17 00:00:00 2001 
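Review bot: Patch 177 replaces those attributes with `mailalias` and `mailGroupMember`, which are not part of the default Active Directory schema either; the recipe should state which schema extension (the Kopano/Zarafa one this section targets) defines them, otherwise readers on plain AD or OpenLDAP will copy a domain filter that matches nothing and wonder why `reject_unknown_recipient_domain` bounces their mail.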
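Review bot: TLS via `jwilder/nginx-proxy` is listed as `(recommended)` in the patch 178 page, but for autodiscover it is a hard requirement: clients fetch server settings before any authentication, so whoever can spoof or intercept an unencrypted autodiscover response can point every client at a rogue host or hand out settings without TLS, and the client will send the password there. State that the autodiscover endpoint must be served over HTTPS with a valid certificate for the domain, and that the served configuration must specify TLS/STARTTLS for 587 and 993. Grammar: `you can accounts find the correct email settings by just filling their email address` should be `accounts can find the correct settings just by entering their email address`.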
From: Johan Smits Date: Wed, 13 Sep 2017 08:21:32 +0200 Subject: [PATCH 179/462] Add note that a container restart is needed --- docs/content/config/user-management/accounts.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 148cfc25..cba77716 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -20,4 +20,6 @@ To generate a new mail account entry in your configuration, you could run for ex You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. The `doveadm pw` command let you choose between several encryption schemes for the password. -Use doveadm pw -l to get a list of the currently supported encryption schemes. \ No newline at end of file +Use doveadm pw -l to get a list of the currently supported encryption schemes. + +> Note: changes made with this script require a restart of the container. See [#552](../issues/552) \ No newline at end of file From f7e153ed2bfd38ab576fc7e512a3e12009b2aab8 Mon Sep 17 00:00:00 2001 From: presocratics Date: Tue, 26 Sep 2017 14:39:39 -0500 Subject: [PATCH 180/462] I added a sub-section describing how Let's Encrypt certificate generation and renewal for docker-mailserver can be done with nginx-proxy and letsencrypt-nginx-proxy-companion --- docs/content/config/security/ssl.md | 40 +++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 2a5d5e75..1baa9b37 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
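Review bot: The link `[#552](../issues/552)` in patch 179 is relative to the wiki path and does not reach the repository issue; use `https://github.com/tomav/docker-mailserver/issues/552`. The note should also name what `this script` is (the `docker run ... doveadm pw` snippet above) and why the restart is needed (the accounts file is only read when the container starts), so readers know the limitation applies to any edit of `postfix-accounts.cf`, not just to the script.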
@@ -39,6 +39,46 @@ To renew your certificate just run (this will need access to port 443 from the i docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot renew ``` +#### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion #### +If you are running a web server already, it is non-trivial to generate a Let's Encrypt certificate for your mail server using ```certbot```, because port 80 is already occupied. In the following example, we show how ```docker-mailserver``` can be run alongside the docker containers ```nginx-proxy``` and ```letsencrypt-nginx-proxy-companion```. + +There are several ways to start ```nginx-proxy``` and ```letsencrypt-nginx-proxy-companion```. Any method should be suitable here. For example start ```nginx-proxy``` as in the ```letsencrypt-nginx-proxy-companion``` [documentation](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion): + +``` +docker run -d -p 80:80 -p 443:443 \ + --name nginx-proxy \ + -v /path/to/certs:/etc/nginx/certs:ro \ + -v /etc/nginx/vhost.d \ + -v /usr/share/nginx/html \ + -v /var/run/docker.sock:/tmp/docker.sock:ro \ + --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \ + jwilder/nginx-proxy +``` + +Then start ```letsencrypt-nginx-proxy-companion```: +``` +docker run -d \ + -v /path/to/certs:/etc/nginx/certs:rw \ + -v /var/run/docker.sock:/var/run/docker.sock:ro \ + --volumes-from nginx-proxy \ + jrcs/letsencrypt-nginx-proxy-companion +``` +Start the rest of your web server containers as usual. + +Start another container for your ```mail.myserver.tld```. This will generate a Let's Encrypt certificate for your domain, which can be used by ```docker-mailserver```. 
It will also run a web server on port 80 at that address.: +``` +docker run -d \ + --name webmail \ + -e "VIRTUAL_HOST=mail.myserver.tld" \ + -e "LETSENCRYPT_HOST=mail.myserver.tld" \ + -e "LETSENCRYPT_EMAIL=foo@bar.com" \ + library/nginx +``` +You may want to add ```-e LETSENCRYPT_TEST=true``` to the above while testing to avoid the Let's Encrypt certificate generation rate limits. + +Finally, start ```docker-mailserver``` with ```path/to/certs/mail.mydomain.tld``` mounted to ```/etc/letsencrypt/live/mail.mydomain.tld``` + + ### Self-signed certificates (testing only) From 8d7d9342675b5f4c67b659e36112469b387a48fc Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Thu, 5 Oct 2017 08:30:23 +0200 Subject: [PATCH 181/462] Update wiki to change the fetchmail poll interval --- docs/content/advanced/mail-fetchmail.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index b26b36b5..e49a969d 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -1,9 +1,10 @@ To enable the [fetchmail](http://www.fetchmail.info) service to retrieve e-mails set the environment variable `ENABLE_FETCHMAIL` to `1`. Your `docker-compose.yml` file should look like following snippet: -``` +```yaml ... environment: - ENABLE_FETCHMAIL=1 + - FETCHMAIL_POLL=300 ... ``` 
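Review bot: The hostname changes mid-section in patch 180: the certificate is requested for `mail.myserver.tld`, but the final instruction mounts `path/to/certs/mail.mydomain.tld` to `/etc/letsencrypt/live/mail.mydomain.tld`; use one name. Three things the text should add: both `nginx-proxy` and the companion get `/var/run/docker.sock`, and the `:ro` on the nginx-proxy mount only affects the mount, not what can be done through the API, so both containers are host-root-equivalent and must be trusted accordingly; the companion writes `fullchain.pem` and `key.pem` into its per-host directory, so the reader should confirm those names match what the image looks for under `/etc/letsencrypt/live/<host>/` before relying on the mount; and the `webmail` container serves the stock nginx page on `mail.myserver.tld`, which the text should say can be replaced by a real webmail or a deny-all location. The sentence `It will also run a web server on port 80 at that address.:` has a stray `.` before the colon.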
@@ -49,10 +50,10 @@ More details how to configure fetchmail can be found in the [fetchmail man page ## Polling interval -By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. You can override this default value by adding this line to your `fetchmail.cf`. +By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. You can override this default value by changing the ENV variable `FETCHMAIL_POLL`. -``` -set daemon 60 +```yaml + - FETCHMAIL_POLL=60 ``` You must specify a numeric argument which is a polling interval in seconds. The example above polls every minute for new mails. From c7eef0ab4ccac4793caf9e15b7c85a0ab3bf65b9 Mon Sep 17 00:00:00 2001 From: Mohammed Chotia Date: Thu, 2 Nov 2017 12:32:42 +0200 Subject: [PATCH 182/462] Fix small typo --- docs/content/advanced/mail-fetchmail.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-fetchmail.md b/docs/content/advanced/mail-fetchmail.md index e49a969d..596056db 100644 --- a/docs/content/advanced/mail-fetchmail.md +++ b/docs/content/advanced/mail-fetchmail.md @@ -50,7 +50,7 @@ More details how to configure fetchmail can be found in the [fetchmail man page ## Polling interval -By default the fetchmail service searches very 5 minutes for new mails on your external mail accounts. You can override this default value by changing the ENV variable `FETCHMAIL_POLL`. +By default the fetchmail service searches every 5 minutes for new mails on your external mail accounts. You can override this default value by changing the ENV variable `FETCHMAIL_POLL`. ```yaml - FETCHMAIL_POLL=60 From b7259d25009e60bb62be30012c52dc4da3804062 Mon Sep 17 00:00:00 2001 
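Review bot: The polling text in the second patch 181 hunk now points at `FETCHMAIL_POLL`, but the page no longer says what happens to a `set daemon` line in `fetchmail.cf`, which readers of the previous version were told to add; state which setting wins when both are present. Also add a lower bound: the `FETCHMAIL_POLL=60` example polls every provider once a minute, which can trip remote rate limits and get the server's IP temporarily blocked.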
From: makloda Date: Sat, 11 Nov 2017 18:38:37 +0100 Subject: [PATCH 183/462] Added info on how to use Synology NAS generated letsencrypt certificates and how to find them --- docs/content/config/security/ssl.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 1baa9b37..32444845 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -78,7 +78,21 @@ You may want to add ```-e LETSENCRYPT_TEST=true``` to the above while testing to Finally, start ```docker-mailserver``` with ```path/to/certs/mail.mydomain.tld``` mounted to ```/etc/letsencrypt/live/mail.mydomain.tld``` +#### Example using the letsencrypt certificates on a Synology NAS +Version 6.2 and later of the Synology NAS DSM OS now come with an interface to generate and renew letencrypt certificates. Navigation into your DSM control panel and go to Security, then click on the tab Certificate to generate and manage letsencrypt certificates. Amongst other things, you can use these to secure your mail server. DSM locates the generated certificates in a folder below ```/usr/syno/etc/certificate/_archive/```. Navigate to that folder and note the 6 character random folder name of the certificate you'd like to use. Then, add the following to your ```docker-compose.yml``` declaration file: + +``` +volumes: + - /usr/syno/etc/certificate/_archive/YOUR_FOLDER/:/tmp/ssl +... +environment: + - SSL_TYPE=manual + - SSL_CERT_PATH=/tmp/ssl/fullchain.pem + - SSL_KEY_PATH=/tmp/ssl/privkey.pem + +``` +DSM-generated letsencrypt certificates get auto-renewed every three months. ### Self-signed certificates (testing only) From 2be8757322ad4d01f5a5ff6009f1c0e0b5f4c6c0 Mon Sep 17 00:00:00 2001 From: Marek Walczak Date: Thu, 30 Nov 2017 22:55:27 +0100 Subject: [PATCH 184/462] this an explaining PR #769 --- docs/content/config/security/fail2ban.md | 1 + 1 file changed, 1 insertion(+) 
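Review bot: The Synology snippet in patch 183 mounts `/usr/syno/etc/certificate/_archive/YOUR_FOLDER/` read-write into `/tmp/ssl`; add `:ro`, the container only reads the key. More importantly the last sentence says DSM renews every three months, but Dovecot reads the certificate at start-up and Postfix only when new smtpd processes spawn, so without a restart or reload after each renewal the container keeps serving the old certificate until it expires; say how to trigger that (a container restart, or a DSM scheduled task). Also note that the random folder name belongs to one certificate entry and changes if the certificate is recreated in DSM, so the mount path must be re-checked after such changes. Typos: `letencrypt`, and `Navigation into your DSM control panel` should be `Navigate to your DSM control panel`.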
diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 3b789d90..79f5faa6 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md @@ -1,4 +1,5 @@ Fail2ban is installed automatically and bans IP addresses for 3 hours after 3 failed attempts in 10 minutes by default. If you want to change this, you can easily edit [config/fail2ban-jail.cf](https://github.com/tomav/docker-mailserver/blob/master/config/fail2ban-jail.cf). +You can do the same with the values from fail2ban.conf, e.g dbpurgeage. In that case you need to edit [config/fail2ban-fail2ban.cf](https://github.com/tomav/docker-mailserver/blob/master/config/fail2ban-fail2ban.cf) __Important__: The mail container must be launched with the NET_ADMIN capability in order to be able to install the iptable rules that actually ban IP addresses. Thus either include `--cap-add=NET_ADMIN` in the docker run commandline or the equivalent docker-compose.yml: ``` From 8c4ba0e2d871903af719247037974466e796d9ef Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:27:15 -0700 Subject: [PATCH 185/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 068da590..8fa91485 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -14,3 +14,8 @@ docker exec -it bash could not find any mention of incorrect logins here neither in the dovecot logs +3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong + +4. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: + sudo su + docker exec -it mail apt-get install -y vim 
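Review bot: the added sentence has no terminating period and "e.g" should be "e.g."; more usefully, it should say that `fail2ban.conf` values such as `dbpurgeage` configure the fail2ban daemon itself (here, how long entries stay in its ban database), whereas the per-jail ban time and retry limits mentioned in the line above live in `fail2ban-jail.cf`, so readers know which file to edit for which setting.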
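Review bot: item 4 says "install vi" but the command installs `vim`; pick one. `sudo su` followed by `docker exec` opens a persistent root shell on the host for a command that only needs Docker socket access; `sudo docker exec -it mail apt-get install -y vim` (or running as a member of the docker group) is the narrower form. Also worth one sentence: a package installed this way lives only in the running container's writable layer and is gone once the container is recreated, so this is a debugging aid, not a setup step. Item 3 would be clearer if it named where the hostname is set (`hostname:` in docker-compose.yml) instead of "set your hostname to 'mail'".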
From 1a94c99c3a55bfaa121a7b762813bccc03911927 Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:27:39 -0700 Subject: [PATCH 186/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 8fa91485..89181d2f 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -17,5 +17,6 @@ neither in the dovecot logs 3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong 4. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: + sudo su docker exec -it mail apt-get install -y vim From 3363d77f967e603c8ff98d0595070e614df4859e Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:28:23 -0700 Subject: [PATCH 187/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 89181d2f..c3f0cdda 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -17,6 +17,5 @@ neither in the dovecot logs 3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong 4. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: - - sudo su - docker exec -it mail apt-get install -y vim + `sudo su` + `docker exec -it mail apt-get install -y vim` From 1065e17dcba58e53661932e1e01591766b14f395 Mon Sep 17 00:00:00 2001 
From: Steve Johnson Date: Mon, 1 Jan 2018 10:29:12 -0700 Subject: [PATCH 188/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index c3f0cdda..f703dd6c 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -17,5 +17,7 @@ neither in the dovecot logs 3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong 4. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: - `sudo su` - `docker exec -it mail apt-get install -y vim` + +`sudo su` + +`docker exec -it mail apt-get install -y vim` From a95250e74f415d9216d93fed55fef4a0b56223e8 Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:30:39 -0700 Subject: [PATCH 189/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index f703dd6c..f80a5f3e 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -16,8 +16,10 @@ neither in the dovecot logs 3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong -4. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: +##Installation Errors -`sudo su` +1. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: -`docker exec -it mail apt-get install -y vim` + `sudo su` + + `docker exec -it mail apt-get install -y vim` 
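Review bot: `##Installation Errors` has no space after `##`, so CommonMark renderers (GitHub's included) show it as literal text rather than a heading; patch 190 below fixes it. The two indented backtick lines under item 1 render as an indented code block that contains the backticks themselves; patch 192 replaces them with a fenced block, so these edits could be squashed into one.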
From a77d21a6c450730f889c6d59e35b064efd5831ca Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:30:55 -0700 Subject: [PATCH 190/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index f80a5f3e..978ccb9e 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -16,7 +16,7 @@ neither in the dovecot logs 3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong -##Installation Errors +## Installation Errors 1. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: From 11e5262b092a9a65da60471b87a7a8a3a49fadf3 Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:32:03 -0700 Subject: [PATCH 191/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 978ccb9e..2db116e6 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -22,4 +22,4 @@ neither in the dovecot logs `sudo su` - `docker exec -it mail apt-get install -y vim` + `docker exec -it apt-get install -y vim` From 276f199e4f3f2420db719ae1bb13d3920dbb9627 Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 10:33:39 -0700 Subject: [PATCH 192/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
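Review bot: the changed line drops the container name: `docker exec -it apt-get install -y vim` makes Docker treat `apt-get` as the container name and fail with "No such container". Keep `mail` (or whatever container name the reader chose in docker-compose.yml) between `-it` and `apt-get`.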
diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 2db116e6..af057040 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -20,6 +20,7 @@ neither in the dovecot logs 1. During setup, if you get errors trying to edit files inside of the container, you likely need to install vi: - `sudo su` - - `docker exec -it apt-get install -y vim` +``` bash +sudo su +docker exec -it apt-get install -y vim +``` From 34f929ed6bc4e113f74a5c1e7c2f9a53673a915e Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 14:20:58 -0700 Subject: [PATCH 193/462] Updated Debugging (markdown) --- .../config/troubleshooting/debugging.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index af057040..21ad00d1 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
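Review bot: the new fenced block still carries the broken command from patch 191, `docker exec -it apt-get install -y vim`, with no container name; restore `mail` before `apt-get`. The info string "``` bash" has a space after the fence, which most renderers tolerate but the rest of the docs write as ```bash.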
@@ -24,3 +24,22 @@ neither in the dovecot logs sudo su docker exec -it apt-get install -y vim ``` +## Testing Connection +I spent HOURS trying to debug "Connection Refused" and "Connection closed by foreign host" errors when trying to use telnet to troubleshoot my connection. I was also trying to connect from my email client (macOS mail) around the same time. Telnet had also worked earlier, so I was extremely confused as to why it suddenly stopped working. I stumbled upon fail2ban.log in my container. In short, when trying to get my macOS client working, I exceeded the number of failed login attempts and fail2ban put dovecot and postfix in jail! I got around it by whitelisting my ipaddresses (my ec2 instance and my local computer) + +```bash +sudo su +docker exec -ti mail bash +cd /var/log +cat fail2ban.log | grep dovecot + +# Whitelist ip addresses: +fail2ban-client set dovecot addignoreip 172.18.0.1 +fail2ban-client set dovecot addignoreip 75.171.128.95 +fail2ban-client set postfix addignoreip 75.171.128.95 +fail2ban-client set postfix addignoreip 172.18.0.1 + +# this will delete the jails entirely +fail2ban-client stop dovecot +fail2ban-client stop postfix +``` From db63b693d3b45ff83014bed10b027a35b94bc2c0 Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 14:23:27 -0700 Subject: [PATCH 194/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 21ad00d1..6fc4c347 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
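Review bot: the block publishes two concrete addresses, one of them a public IP (75.171.128.95) that the prose identifies as the author's own computer; documentation should use placeholders (patch 194 replaces them). `fail2ban-client set <jail> addignoreip` changes the running jail only and is lost when the container restarts; point readers at `ignoreip` in `config/fail2ban-jail.cf`, which the fail2ban page above already names, for a persistent whitelist. `fail2ban-client stop dovecot` / `stop postfix` removes brute-force protection for those services entirely; the doc should say so and tell readers to start the jails (or restart the container) again afterwards. Minor: `cat fail2ban.log | grep dovecot` can be `grep dovecot fail2ban.log`, "ipaddresses" should be "IP addresses", and the first-person narrative would read better trimmed to the troubleshooting steps.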
@@ -34,12 +34,12 @@ cd /var/log cat fail2ban.log | grep dovecot # Whitelist ip addresses: -fail2ban-client set dovecot addignoreip 172.18.0.1 -fail2ban-client set dovecot addignoreip 75.171.128.95 -fail2ban-client set postfix addignoreip 75.171.128.95 -fail2ban-client set postfix addignoreip 172.18.0.1 +fail2ban-client set dovecot addignoreip # ec2 cloud server +fail2ban-client set postfix addignoreip +fail2ban-client set dovecot addignoreip # my desktop +fail2ban-client set postfix addignoreip -# this will delete the jails entirely +# this will delete the jails entirely - nuclear option fail2ban-client stop dovecot fail2ban-client stop postfix ``` From 55b0a5bfb8ee2dfe10bc35f961fbb8aea671a24e Mon Sep 17 00:00:00 2001 From: Steve Johnson Date: Mon, 1 Jan 2018 21:07:54 -0700 Subject: [PATCH 195/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 6fc4c347..6556701f 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -43,3 +43,10 @@ fail2ban-client set postfix addignoreip fail2ban-client stop dovecot fail2ban-client stop postfix ``` +## No Mail? +I finally got my macOS client working, but was not receiving test messages. I edited docker-compose.yml and temporarily disabled the spam filter (and fail2ban). Now I am getting mail. I will troubleshoot those and re-enable them next week, but thought this might be of help for others trying to troubleshoot. +```bash + environment: + - ENABLE_MANAGESIEVE=0 + - ENABLE_FAIL2BAN=0 +``` \ No newline at end of file From 84c0d23a80e42da21c666d3ef9d91ff0954f6270 Mon Sep 17 00:00:00 2001 
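Review bot: the "No Mail?" section says it disables "the spam filter (and fail2ban)", but `ENABLE_MANAGESIEVE=0` turns off the ManageSieve service (Sieve rule management), not spam filtering; the variable and the prose do not match. Presenting `ENABLE_FAIL2BAN=0` as a fix for undelivered mail also removes brute-force protection for the whole server, when the preceding section already shows the actual cause (the author's own client being banned) and its narrower fix (whitelisting that client). Patch 196 removes the section, which is the right outcome.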
From: Johan Smits Date: Tue, 9 Jan 2018 08:39:54 +0100 Subject: [PATCH 196/462] Remove no mail option. --- docs/content/config/troubleshooting/debugging.md | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 6556701f..2b47dadf 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -34,19 +34,12 @@ cd /var/log cat fail2ban.log | grep dovecot # Whitelist ip addresses: -fail2ban-client set dovecot addignoreip # ec2 cloud server +fail2ban-client set dovecot addignoreip # Server fail2ban-client set postfix addignoreip -fail2ban-client set dovecot addignoreip # my desktop +fail2ban-client set dovecot addignoreip # Client fail2ban-client set postfix addignoreip # this will delete the jails entirely - nuclear option fail2ban-client stop dovecot fail2ban-client stop postfix -``` -## No Mail? -I finally got my macOS client working, but was not receiving test messages. I edited docker-compose.yml and temporarily disabled the spam filter (and fail2ban). Now I am getting mail. I will troubleshoot those and re-enable them next week, but thought this might be of help for others trying to troubleshoot. -```bash - environment: - - ENABLE_MANAGESIEVE=0 - - ENABLE_FAIL2BAN=0 ``` \ No newline at end of file From b0532e3d8856f6b40e87a6d65fc0e402200f7c81 Mon Sep 17 00:00:00 2001 From: Hugues Granger Date: Fri, 26 Jan 2018 18:32:53 +0100 Subject: [PATCH 197/462] AWS_SES_PORT was implemented, but wiki not updated --- docs/content/advanced/mail-forwarding/aws-ses.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-forwarding/aws-ses.md b/docs/content/advanced/mail-forwarding/aws-ses.md index a6587cca..0bf38132 100644 --- a/docs/content/advanced/mail-forwarding/aws-ses.md +++ b/docs/content/advanced/mail-forwarding/aws-ses.md 
@@ -8,6 +8,8 @@ As described in the AWS Developer Guide you will have to generate SMTP credentia - AWS_SES_USERPASS=AKIAXXXXXXXXXXXXXXXX:kqXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX ``` +If necessary, you can also provide AWS_SES_PORT. If not provided, it defaults to 25. + When you start the container you will see a log line as follows confirming the configuration: ``` Setting up outgoing email via AWS SES host email-smtp.us-east-1.amazonaws.com From b14249faf28aaae7f96aeaabe9090cd5b2005b49 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Tue, 30 Jan 2018 18:05:00 +0100 Subject: [PATCH 198/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- ...ker-mailserver-using-the-script-setup.sh.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 63dbf199..c0ca67bc 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -24,6 +24,7 @@ SUBCOMMANDS: email: ./setup.sh email add + ./setup.sh email update ./setup.sh email del ./setup.sh email list 
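Review bot: `AWS_SES_PORT` should be in backticks like `AWS_SES_USERPASS` in the block above, and the sentence reads better as "You can also set `AWS_SES_PORT`; it defaults to 25." The relay-hosts page added later in this series (patch 212) states that the `AWS_SES_*` variables are superseded by `RELAY_HOST`/`RELAY_PORT`, so this page should cross-reference that or carry the same note.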
@@ -44,4 +45,21 @@ SUBCOMMANDS: ./setup.sh debug inspect ./setup.sh debug login ``` +# email +* `./setup.sh email add `: Add an email-account (\ is optional) +* `./setup.sh email update `: Change the password of an email-account (\ is optional) +* `./setup.sh email del ': delete an email-account +* `./setup.sh email list`: list all existing email-accounts +# alias +* `./setup.sh alias add `: add an alias(email) for an email-account(recipient) +* `./setup.sh alias del `: delete an alias +* `./setup.sh alias list`: list all aliases +# config +* `./setup.sh config dkim`: autoconfig the dkim-config +* `./setup.sh config ssl`: generate ssl-certificates +# debug +* `./setup.sh debug fetchmail`: see [wiki](https://github.com/tomav/docker-mailserver/wiki/Retrieve-emails-from-a-remote-mail-server-%28using-builtin-fetchmail%29#debugging) +* `./setup.sh debug show-mail-logs`: show the logfile contents of the mail container +* `./setup.sh debug inspect`: show infos about the running container +* `./setup.sh debug login `: run a inside the mail container (omit the command to get shell access) From c1e490d6b50e061fcfdecce849a22e59f890493e Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Thu, 1 Feb 2018 09:36:13 +0100 Subject: [PATCH 199/462] Added fail2ban description --- .../content/setup-docker-mailserver-using-the-script-setup.sh.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index c0ca67bc..2c9f073d 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
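Review bot: in the `email del` bullet the opening backtick is closed with a single quote (`./setup.sh email del '`), which leaves the inline code span open for the rest of the line; the "(\ is optional)" remarks carry a stray backslash (patch 205 later removes them). The argument placeholders appear to be missing from several bullets (`email add `, `alias add `, `debug login `: "run a inside the mail container"), so the list no longer says what each subcommand takes; restore them in the same form the usage block above uses.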
@@ -59,6 +59,7 @@ SUBCOMMANDS: * `./setup.sh config ssl`: generate ssl-certificates # debug * `./setup.sh debug fetchmail`: see [wiki](https://github.com/tomav/docker-mailserver/wiki/Retrieve-emails-from-a-remote-mail-server-%28using-builtin-fetchmail%29#debugging) +* `./setup.sh debug fail2ban `: omitt all options to get a list of banned IPs, otherwise unban the specified IP. * `./setup.sh debug show-mail-logs`: show the logfile contents of the mail container * `./setup.sh debug inspect`: show infos about the running container * `./setup.sh debug login `: run a inside the mail container (omit the command to get shell access) From a643caf7937328f61fdb3a360059a61094273ec8 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Tue, 6 Feb 2018 19:57:16 +0100 Subject: [PATCH 200/462] Add restart message --- docs/content/config/best-practices/dkim.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 0a804a24..51da03f2 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -7,6 +7,8 @@ Once its done, just run from inside the directory of docker-compose.yml: Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. +After generating DKIM keys you should restart the app. + ``` ; OpenDKIM mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " From 3afbf12a46abcd152e82b64bd6540728293bf80b Mon Sep 17 00:00:00 2001 
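Review bot: "omitt" should be "omit". Since the bullet documents an unban, add that it is meant for a legitimate client that locked itself out (the case the debugging page describes), because it re-admits a host fail2ban banned for repeated failed logins.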
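Review bot: "restart the app" is vague; say "restart the container" so OpenDKIM loads the new keys. The sentence is also inserted between the DNS instruction and the zone-file example it introduces, splitting them; place it after the example block.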
From: Darren McGrandle Date: Wed, 7 Feb 2018 12:01:12 -0800 Subject: [PATCH 201/462] Updated Overwrite Default Postfix Configuration (markdown) --- docs/content/advanced/override-defaults/postfix.md | 14 ++++++++++++++ .../overwrite-default-postfix-configuration.md | 7 ------- 2 files changed, 14 insertions(+), 7 deletions(-) create mode 100644 docs/content/advanced/override-defaults/postfix.md delete mode 100644 docs/content/overwrite-default-postfix-configuration.md diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md new file mode 100644 index 00000000..02827861 --- /dev/null +++ b/docs/content/advanced/override-defaults/postfix.md @@ -0,0 +1,14 @@ +The Postfix default configuration can easily be extended by providing a `config/postfix-main.cf` in postfix format. +This can also be used to add configuration that is not in our default configuration. + +For example, one common use of this file is for increasing the default maximum message size: +``` +# increase maximum message size + message_size_limit = 52428800 +``` + +[Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. + +Each line in the provided file will be loaded into postfix. + +Have a look at the code for more information. \ No newline at end of file diff --git a/docs/content/overwrite-default-postfix-configuration.md b/docs/content/overwrite-default-postfix-configuration.md deleted file mode 100644 index e5008786..00000000 --- a/docs/content/overwrite-default-postfix-configuration.md +++ /dev/null 
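Review bot: in the `config/postfix-main.cf` example the `message_size_limit = 52428800` line is indented; Postfix treats a line that begins with whitespace as a continuation of the previous logical line, so put the parameter in column 1. Saying that 52428800 is 50 MiB would help readers adapt it. The new page says the defaults are "extended" while the body still says "Each line in the provided file will be loaded into postfix"; state explicitly that a parameter present in both replaces the default value, since that is the behaviour a reader has to rely on.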
@@ -1,7 +0,0 @@ -The Postfix default configuration can easily be overwritten by providing a `config/postfix-main.cf` in postfix format. -This can also be used to add configuration that is not in our default configuration. -[Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. - -Each line in the provided file will be loaded into postfix. - -Have a look at the code for more information. \ No newline at end of file From 7fc0bf145ff46b211748cdc18e69ab229c44b6a8 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Thu, 8 Feb 2018 08:28:41 +0100 Subject: [PATCH 202/462] Updated Configure Fail2ban (markdown) --- docs/content/config/security/fail2ban.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/fail2ban.md b/docs/content/config/security/fail2ban.md index 79f5faa6..e04558bc 100644 --- a/docs/content/config/security/fail2ban.md +++ b/docs/content/config/security/fail2ban.md @@ -13,4 +13,5 @@ es table `filter': Permission denied (you must be root)\nPerhaps iptables or you t initialize iptables table `filter': Permission denied (you must be root)\nPerhaps iptables or your kernel needs to be upgraded.\n" 2016-06-01 00:53:51,284 fail2ban.action [678]: ERROR iptables -w -D INPUT -p tcp -m multiport --dports smtp,465,submission - j f2b-postfix -``` \ No newline at end of file +``` +You can also manage and list the banned IPs with the [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. \ No newline at end of file From e5b15a33304e8cea3b4b7f160c4af8b1609622fe Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Thu, 8 Feb 2018 08:32:56 +0100 Subject: [PATCH 203/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 2c9f073d..7a2769df 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -26,6 +26,7 @@ SUBCOMMANDS: ./setup.sh email add ./setup.sh email update ./setup.sh email del + ./setup.sh email restrict [] ./setup.sh email list alias: @@ -46,9 +47,10 @@ SUBCOMMANDS: ./setup.sh debug login ``` # email -* `./setup.sh email add `: Add an email-account (\ is optional) -* `./setup.sh email update `: Change the password of an email-account (\ is optional) +* `./setup.sh email add [\]`: Add an email-account (\ is optional) +* `./setup.sh email update [\]`: Change the password of an email-account (\ is optional) * `./setup.sh email del ': delete an email-account +* `./setup.sh email restrict [\]`: deny users to send or receive mail. You can also list the respective denied mail-accounts. * `./setup.sh email list`: list all existing email-accounts # alias * `./setup.sh alias add `: add an alias(email) for an email-account(recipient) From 260486b305a2472002d4d9fc413728f67f221b1a Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Fri, 9 Feb 2018 22:16:48 +0100 Subject: [PATCH 204/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 26 ++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index 88643ffc..dd99f8e4 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md 
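Review bot: "deny users to send or receive mail" should be "restrict an account from sending or receiving mail", and the bullet should spell out which options the bracketed argument accepts, since the usage line only shows `[]` and the placeholder text is missing. The mismatched closing quote on the `email del '` line carries over from patch 198 and is still unfixed.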
@@ -10,4 +10,28 @@ To add a SPF record in your DNS, insert the following line in your DNS zone: ; Add SPF record domain.com. IN TXT "v=spf1 mx ~all" -Increment DNS serial and reload configuration. \ No newline at end of file +Increment DNS serial and reload configuration. + +## Backup MX, Secondary MX + +For whitelisting a IP-Address from the SPF test, you can create a config file(See [policyd-spf.conf](http://www.linuxcertif.com/man/5/policyd-spf.conf/)) and mount that file into `/etc/postfix-policyd-spf-python/policyd-spf.conf` + +**Example:** + +Create and edit a policyd-spf.conf file here `//config/postfix-policyd-spf.conf`: +```shell +debugLevel = 1 +#0(only errors)-4(complete data received) + +skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1 + +# Preferably use IP-Addresses for whitelist lookups: +Whitelist = 192.168.0.0/31,192.168.1.0/30 +# Domain_Whitelist = mx1.mybackupmx.com,mx2.mybackupmx.com + +``` +Then add this line to `docker-compose.yml` below the `volumes:` section + +```yaml +- ./config/postfix-policyd-spf.conf:/etc/postfix-policyd-spf-python/policyd-spf.conf +``` \ No newline at end of file From b644ced730b553fff56253bc1d888365544a0e08 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Thu, 1 Mar 2018 09:32:21 +0100 Subject: [PATCH 205/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 7a2769df..bed6de64 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
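Review bot: whitelisting an address in policyd-spf skips the SPF check for every message that host hands over, so the section should say that only the backup MX's own addresses belong in `Whitelist` and that the example values (192.168.0.0/31, 192.168.1.0/30) are private-range placeholders to replace with the real backup MX IPs. The fence is tagged `shell` for an INI-style config file; use `ini` or no tag. `//config/postfix-policyd-spf.conf` has a doubled slash, "a IP-Address" should be "an IP address", "config file(See" needs a space, and the compose volume line should mount the file read-only (`:ro`).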
@@ -47,10 +47,10 @@ SUBCOMMANDS: ./setup.sh debug login ``` # email -* `./setup.sh email add [\]`: Add an email-account (\ is optional) -* `./setup.sh email update [\]`: Change the password of an email-account (\ is optional) +* `./setup.sh email add []`: Add an email-account (\ is optional) +* `./setup.sh email update []`: Change the password of an email-account (\ is optional) * `./setup.sh email del ': delete an email-account -* `./setup.sh email restrict [\]`: deny users to send or receive mail. You can also list the respective denied mail-accounts. +* `./setup.sh email restrict []`: deny users to send or receive mail. You can also list the respective denied mail-accounts. * `./setup.sh email list`: list all existing email-accounts # alias * `./setup.sh alias add `: add an alias(email) for an email-account(recipient) From d74fa95afa5635762d808b05afb741df7e1f5d4c Mon Sep 17 00:00:00 2001 From: Marek Walczak <2558195+mwlczk@users.noreply.github.com> Date: Sat, 3 Mar 2018 07:39:24 +0100 Subject: [PATCH 206/462] DKIM Key Size introduced in #868 --- docs/content/config/best-practices/dkim.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 51da03f2..b55f4ba3 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -5,6 +5,12 @@ Once its done, just run from inside the directory of docker-compose.yml: -v "$(pwd)/config":/tmp/docker-mailserver \ -ti tvial/docker-mailserver:latest generate-dkim-config +The default keysize is 2048 for now. If you need to change it (e.g. your DNS-Provider limits the size) provide the size as the first parameter of the command + + docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:latest generate-dkim-config 2048 + Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. After generating DKIM keys you should restart the app. From 1ed7b7d4f95dfbded25796091010e240c0084a81 Mon Sep 17 00:00:00 2001 From: lokipo Date: Tue, 6 Mar 2018 11:05:44 +0100 Subject: [PATCH 207/462] Updated Update and cleanup (markdown) --- docs/content/advanced/maintenance/update-and-cleanup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md index 8529c961..7c32dd43 100644 --- a/docs/content/advanced/maintenance/update-and-cleanup.md +++ b/docs/content/advanced/maintenance/update-and-cleanup.md @@ -34,4 +34,5 @@ services: - /var/run/docker.sock:/var/run/docker.sock ``` -For more details see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) \ No newline at end of file +For more details see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) +Or you can just use the "--cleanup" option on v2tec/watchtower. :-) \ No newline at end of file From a9cb14a1c361adcf1283a18bed6c01d96e782ece Mon Sep 17 00:00:00 2001 From: lokipo Date: Tue, 6 Mar 2018 11:06:03 +0100 Subject: [PATCH 208/462] Updated Update and cleanup (markdown) --- docs/content/advanced/maintenance/update-and-cleanup.md | 1 + 1 file changed, 1 insertion(+) 
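Review bot: the example passes `2048`, which the sentence just above calls the default, so it does not show the parameter doing anything; use a value that differs and say that 2048 is the recommended size, with a smaller key only for the DNS-provider length limit the text describes. "keysize" should be "key size", and the sentence introducing the command needs a terminating period.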
diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md index 7c32dd43..5bc388a5 100644 --- a/docs/content/advanced/maintenance/update-and-cleanup.md +++ b/docs/content/advanced/maintenance/update-and-cleanup.md @@ -35,4 +35,5 @@ services: ``` For more details see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) + Or you can just use the "--cleanup" option on v2tec/watchtower. :-) \ No newline at end of file From 3ef1447e12a6d077e4b8bc41ed7f3dbc8c5cd516 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Tue, 6 Mar 2018 14:00:37 +0100 Subject: [PATCH 209/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index bed6de64..8ef54ef1 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -36,7 +36,7 @@ SUBCOMMANDS: config: - ./setup.sh config dkim + ./setup.sh config dkim (default: 2048) ./setup.sh config ssl debug: @@ -57,7 +57,7 @@ SUBCOMMANDS: * `./setup.sh alias del `: delete an alias * `./setup.sh alias list`: list all aliases # config -* `./setup.sh config dkim`: autoconfig the dkim-config +* `./setup.sh config dkim (default: 2048)`: autoconfig the dkim-config with an (optional) keysize value * `./setup.sh config ssl`: generate ssl-certificates # debug * `./setup.sh debug fetchmail`: see [wiki](https://github.com/tomav/docker-mailserver/wiki/Retrieve-emails-from-a-remote-mail-server-%28using-builtin-fetchmail%29#debugging) From b73a1cee2d804105fb9b464d96c89bb20cd7b2fa Mon Sep 17 00:00:00 2001 
From: andymel Date: Tue, 27 Mar 2018 23:26:30 +0200 Subject: [PATCH 210/462] wrong binding of host<->container directory (etc/<->etc/letsencrypt) --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 32444845..f90a4a82 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -30,7 +30,7 @@ cd /home/ubuntu/docker/letsencrypt Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. This will need access to port 443 from the internet, adjust your firewall if needed ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/letsencrypt/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld ``` You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` From a67a8d81257a88e36e2c17e45c9d9992b7d181c0 Mon Sep 17 00:00:00 2001 From: andymel Date: Wed, 28 Mar 2018 00:24:49 +0200 Subject: [PATCH 211/462] undo my last edit as I'm surprised it seems to really edit the original page --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index f90a4a82..32444845 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
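Review bot: the new bind mount `$PWD/etc/letsencrypt/:/etc/letsencrypt/` contradicts the unchanged line two below it, "You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt": certbot would now write into `etc/letsencrypt/` while the mail container is told to mount `etc/`. Change both lines or neither (patch 211 reverts this one).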
@@ -30,7 +30,7 @@ cd /home/ubuntu/docker/letsencrypt Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. This will need access to port 443 from the internet, adjust your firewall if needed ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/letsencrypt/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld ``` You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` From 9a2c7c88046eb8ef5a2ddd9a9a114097ba264007 Mon Sep 17 00:00:00 2001 From: Paul Adams Date: Mon, 2 Apr 2018 12:34:24 +0100 Subject: [PATCH 212/462] Created Configure Relay Hosts (markdown) --- .../advanced/mail-forwarding/relay-hosts.md | 73 +++++++++++++++++++ 1 file changed, 73 insertions(+) create mode 100644 docs/content/advanced/mail-forwarding/relay-hosts.md diff --git a/docs/content/advanced/mail-forwarding/relay-hosts.md b/docs/content/advanced/mail-forwarding/relay-hosts.md new file mode 100644 index 00000000..61e92f2a --- /dev/null +++ b/docs/content/advanced/mail-forwarding/relay-hosts.md 
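Review bot: Reverting to `-v $PWD/etc/:/etc/letsencrypt/` is the right call, because the unchanged sentence below the command mounts `/home/ubuntu/docker/letsencrypt/etc/` and only the original mapping puts certbot's output there; the page is consistent again after this hunk.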
@@ -0,0 +1,73 @@ +# Introduction + +Rather than having Postfix deliver mail directly, you can configure Postfix to send mail via another mail relay (smarthost). Examples include [Mailgun](https://www.mailgun.com/), [Sendgrid](https://sendgrid.com/) and [AWS SES](https://aws.amazon.com/ses/). + +Depending on the domain of the sender, you may want to send via a different relay, or authenticate in a different way. + +# Basic Configuration + +Basic configuration is done via environment variables: + +* **RELAY_HOST** _default host to relay mail through, empty will disable this feature_ +* **RELAY_PORT** _port on default relay, defaults to port 25_ +* **RELAY_USER** _username for the default relay_ +* **RELAY_PASSWORD** _password for the default user_ + +Setting these environment variables will cause mail for all sender domains to be routed via the specified host, authenticating with the user/password combination. + +Note for users of the previous AWS_SES_* variables: please update your configuration to use these new variables, no other configuration is required. + +# Advanced Configuration +## Sender-dependent Authentication + +Sender dependent authentication is done in `config/postfix-sasl-password.cf`. You can create this file manually, or use + +```bash +setup.sh relay add-auth [] +``` + +An example configuration file looks like this: + +``` +@domain1.com relay_user_1:password_1 +@domain2.com relay_user_2:password_2 +``` + +If there is no other configuration, this will cause Postfix to deliver email throught the relay specified in `RELAY_HOST` env variable, authenticating as `relay_user_1` when sent from domain1.com and authenticating as `relay_user_2` when sending from domain2.com. + +## Sender-dependent Relay Host + +Sender dependent relay hosts are configured in `config/postfix-relaymap.cf`. 
You can create this file manually, or use + +```bash +setup.sh relay add-domain [] +``` + +An example configuration file looks like this: + +``` +@domain1.com [relay1.org]:587 +@domain2.com [relay2.org]:2525 +``` + +Combined with the previous configuration in `config/postfix-sasl-password.cf`, this will cause Postfix to deliver mail sent from domain1.com via `relay1.org:587`, authenticating as `relay_user_1`, and mail sent from domain2.com via `relay2.org:2525` authenticating as `relay_user_2`. + +## Excluding Sender Domains + +If you want mail sent from some domains to be delivered directly, you can exclude them from being delivered via the default relay by adding them to `config/postfix-relaymap.cf` with no destination. You can also do this via + +```bash +setup.sh relay exclude-domain +``` + +Extending the configuration file from above: + +``` +@domain1.com [relay1.org]:587 +@domain2.com [relay2.org]:2525 +@domain3.com +``` + +This will cause email sent from domain3.com to be delivered directly. + + From cf5c2e51894c1b47a256eabf41f267cc66d688e8 Mon Sep 17 00:00:00 2001 From: Paul Adams Date: Mon, 2 Apr 2018 12:39:30 +0100 Subject: [PATCH 213/462] Updated Configure AWS SES (markdown) --- docs/content/advanced/mail-forwarding/aws-ses.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-forwarding/aws-ses.md b/docs/content/advanced/mail-forwarding/aws-ses.md index 0bf38132..efd371c6 100644 --- a/docs/content/advanced/mail-forwarding/aws-ses.md +++ b/docs/content/advanced/mail-forwarding/aws-ses.md 
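Review bot: `config/postfix-sasl-password.cf` holds relay credentials in clear text (`@domain1.com relay_user_1:password_1`), yet the new page never says how the file must be protected; add a sentence that the file, and the mounted `config/` directory it lives in, should be readable only by the administrator, since anyone who can read it can send as every listed domain through the relay. The relay examples `[relay1.org]:587` and `[relay2.org]:2525` also deserve a line on whether Postfix requires TLS to the relay before it hands over those credentials, because the page is silent on it. Smaller points in the same hunk: `setup.sh relay add-auth []` and `setup.sh relay add-domain []` show empty brackets where the argument names should be, so the reader cannot tell what to pass, and `deliver email throught the relay` should read `through`.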
@@ -1,3 +1,5 @@ +Note: new configuration, see [Configure Relay Hosts](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts) + Instead of letting postfix deliver mail directly it is possible to configure it to deliver outgoing email via Amazon SES (Simple Email Service). (Receiving inbound email via SES is not implemented.) The configuration follows the guidelines provided by AWS in http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html, specifically, the STARTTLS method. As described in the AWS Developer Guide you will have to generate SMTP credentials and define the following two environment variables in the docker-compose.yml with the appropriate values for your AWS SES subscription (the values for AWS_SES_USERPASS are the "SMTP username" and "SMTP password" provided when you create SMTP credentials for SES): From 13ea853bf0823165400ce335013101c56d4f3f79 Mon Sep 17 00:00:00 2001 From: Paul Adams Date: Mon, 2 Apr 2018 12:47:18 +0100 Subject: [PATCH 214/462] Updated Configure Relay Hosts (markdown) --- docs/content/advanced/mail-forwarding/relay-hosts.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/advanced/mail-forwarding/relay-hosts.md b/docs/content/advanced/mail-forwarding/relay-hosts.md index 61e92f2a..b8dfc80c 100644 --- a/docs/content/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/advanced/mail-forwarding/relay-hosts.md @@ -70,4 +70,9 @@ Extending the configuration file from above: This will cause email sent from domain3.com to be delivered directly. +### References + +Thanks to the author of [this article][1] for the inspiration. This is also worth reading to understand a bit more about how to set up Mailgun to work with this. + +[1]: https://community.rackspace.com/products/f/email-products-forum/3897/how-to-setup-postfix-with-a-mailgun-smtp-relay-when-using-multiple-domains From 8e9a6bb13c8dbf42ef3ae7d267189804ce5fb643 Mon Sep 17 00:00:00 2001 
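Review bot: `Note: new configuration, see [Configure Relay Hosts]` does not say what changed, so a reader following this page will still set the variables described below it; state plainly that the `AWS_SES_*` variables (including `AWS_SES_USERPASS` mentioned in the context) are superseded by the `RELAY_*` variables documented on the linked page, and that the rest of this page is kept for reference.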
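Review bot: `### References` is a third-level heading, which nests it under `## Excluding Sender Domains` instead of standing beside `# Introduction`, `# Basic Configuration` and `# Advanced Configuration`; use `#` so the section is a peer of the others. The link text `this article` and the phrase `how to set up Mailgun to work with this` would also be clearer if they named the article's subject, Postfix with a Mailgun relay for multiple domains, as the URL itself does.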
From: Paul Adams Date: Tue, 3 Apr 2018 02:23:44 +0100 Subject: [PATCH 215/462] Updated Configure Relay Hosts (markdown) --- docs/content/advanced/mail-forwarding/relay-hosts.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/mail-forwarding/relay-hosts.md b/docs/content/advanced/mail-forwarding/relay-hosts.md index b8dfc80c..73b6f339 100644 --- a/docs/content/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/advanced/mail-forwarding/relay-hosts.md @@ -35,6 +35,8 @@ An example configuration file looks like this: If there is no other configuration, this will cause Postfix to deliver email throught the relay specified in `RELAY_HOST` env variable, authenticating as `relay_user_1` when sent from domain1.com and authenticating as `relay_user_2` when sending from domain2.com. +**NOTE** to activate the configuration you must either restart the container, or you can also trigger an update by modifying a mail account. + ## Sender-dependent Relay Host Sender dependent relay hosts are configured in `config/postfix-relaymap.cf`. You can create this file manually, or use From 72f6dafc0df53313d8ccbb99df583d3f816eb0f4 Mon Sep 17 00:00:00 2001 From: helmutundarnold Date: Thu, 12 Apr 2018 23:25:12 +0200 Subject: [PATCH 216/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index b55f4ba3..20fcfb9b 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -84,4 +84,7 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA ;; SERVER: 127.0.1.1#53(127.0.1.1) ;; WHEN: Wed Sep 07 18:22:57 CEST 2016 ;; MSG SIZE rcvd: 310 -``` \ No newline at end of file +``` + +## Switch off DKIM +Simply remove dkim key by recreating the mailserver-container. 
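Review bot: `**NOTE** to activate the configuration you must either restart the container, or you can also trigger an update by modifying a mail account` presents a side effect (an account change happening to reload the maps) as a procedure; make restarting the container the documented step, and if the account trick stays, say which file change triggers the reload so readers do not depend on behaviour that may change. Minor: add a colon after `**NOTE**`.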
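Review bot: `Simply remove dkim key by recreating the mailserver-container.` is ambiguous and, as written, wrong for the common setup: recreating the container does not touch anything in the mounted `config/` directory, so the key generated into `config/opendkim` survives and signing continues. State the actual step, deleting the generated key material from `config/opendkim` and then recreating the container, and add that the published `mail._domainkey` TXT record shown in the context above should be removed or updated once signing stops. The trailing-newline fix at the end of the file is good.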
From e5c638ac0b0497e1bbd5eb4510308d9cb6c3d8b2 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Wed, 18 Apr 2018 15:31:34 +0200 Subject: [PATCH 217/462] Updated Configure Sieve filters (markdown) --- docs/content/advanced/mail-sieve.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index 47881280..146f378e 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md @@ -1,6 +1,13 @@ ### User-defined sieve filters [Sieve](http://sieve.info/) allows to specify filtering rules for incoming emails that allow for example sorting mails into different folders depending on the title of an email. +There are global and user specific filters which are filtering the incoming emails in the following order: + +- Global-before -> User specific -> Global-after + +Global filters are applied to EVERY incoming mail for EVERY email address. +To specify a global Sieve filter provide a `config/before.dovecot.sieve` or a `config/after.dovecot.sieve` file with your filter rules. +If any filter in this filtering chain discards an incoming mail, the delivery process will stop as well and the mail will not reach any following filters(e.g. global-before stops an incoming spam mail: The mail will get discarded and a user-specific filter won't get applied.) To specify a user-defined Sieve filter place a `.dovecot.sieve` file into a virtual user's mail folder e.g. `/var/mail/domain.com/user1/.dovecot.sieve`. If this file exists dovecot will apply the filtering rules. From 0c7aa95ed45076ccb220ccbe54792d1219b0deb0 Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Wed, 18 Apr 2018 17:12:52 +0200 Subject: [PATCH 218/462] Created List of optional config files & directories (markdown) --- docs/content/advanced/optional-config.md | 31 ++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 docs/content/advanced/optional-config.md 
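Review bot: The ordering is a one-item bullet list (`- Global-before -> User specific -> Global-after`); a plain sentence or an ordered list would read better. In the last added line, `filters(e.g. global-before stops an incoming spam mail: The mail will get discarded` needs a space before the parenthesis and a lowercase `the`. More importantly, since a discarding global filter halts delivery for every mailbox with no notice to the user, it is worth saying that a `discard` in `before.dovecot.sieve` leaves no trace, so filing suspected junk into a folder is the safer default for anything not certain to be spam.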
diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md new file mode 100644 index 00000000..b2a2384f --- /dev/null +++ b/docs/content/advanced/optional-config.md 
@@ -0,0 +1,31 @@ +This is a list of all configuration files and directories which are optional or automatically generated in your `config` directory. + +## Directories: +- **sieve-filter:** directory for sieve filter scripts. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **sieve-pipe:** directory for sieve pipe scripts. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **opendkim:** DKIM directory. Autoconfigurable via [setup.sh config dkim](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#config). See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-DKIM) for further info +- **ssl:** SSL Certificate directory. Autoconfigurable via [setup.sh config ssl](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#config). Make sure to read the [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) as well to get a working mail server. + +## Files: +- **{user_email_address}.dovecot.sieve:** User specific Sieve filter file. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **before.dovecot.sieve:** Global Sieve filter file, applied prior to the ${login}.dovecot.sieve filter. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **after.dovecot.sieve:Global Sieve filter file, applied after the ${login}.dovecot.sieve filter. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **postfix-main.cf:** Every line will be added to the postfix main configuration. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Postfix-Configuration) +- **postfix-master.cf:** Every line will be added to the postfix master configuration. 
See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Postfix-Configuration) +- **postfix-accounts.cf:** User accounts file. Modify via the [setup.sh email](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) script. +- **postfix-send-access.cf:** List of users denied sending. Modify via [setup.sh email restrict](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) +- **postfix-receive-access.cf:** List of users denied receiving. Modify via [setup.sh email restrict](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) +- **postfix-virtual.cf:** Alias configuration file. Modify via [setup.sh alias](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) +- **postfix-sasl-password.cf:** listing of relayed domains with their respective username:password. Modify via `setup.sh relay add-domain []`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-authentication) +- **postfix-relaymap.cf:** domains to be excluded from relaying. Modify via `setup.sh relay exclude-domain`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#excluding-sender-domains) +- **postfix-regexp.cf:** Regular expression alias file. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Aliases#configuring-regexp-aliases) +- **ldap-users.cf:** Configuration for the virtual user mapping (virtual_mailbox_maps). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script +- **ldap-groups.cf:** Configuration for the virtual alias mapping (virtual_alias_maps). 
See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script +- **ldap-aliases.cf:** Configuration for the virtual alias mapping (virtual_alias_maps). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script +- **ldap-domains.cf:** Configuration for the virtual domain mapping (virtual_mailbox_domains). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script +- **whitelist_clients.local:** Whitelisted domains, not considered by postgrey. Enter one host or domain per line. +- **spamassassin-rules.cf:** Antispam rules for Spamassassin. See [wiki](https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips#how-can-i-manage-my-custom-spamassassin-rules) +- **fail2ban-fail2ban.cf:** Additional config options for fail2ban.cf. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Fail2ban) +- **fail2ban-jail.cf:** Additional config options for fail2ban's jail behaviour. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Fail2ban) +- **amavis.cf:** replaces the /etc/amavis/conf.d/50-user file +- **dovecot.cf:** replaces /etc/dovecot/local.conf. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Dovecot-Configuration) From ae213ce28450a523c88f8b0a7fc6f03f04271c5a Mon Sep 17 00:00:00 2001 From: 17Halbe Date: Wed, 18 Apr 2018 17:30:44 +0200 Subject: [PATCH 219/462] Updated Home (markdown) --- docs/content/index.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 09bb0f7e..7c7c29bd 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
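Review bot: Several entries in the new file are wrong or incomplete. `**postfix-sasl-password.cf:** ... Modify via setup.sh relay add-domain []` names the wrong subcommand; the relay-hosts page uses `setup.sh relay add-auth` for credentials and `add-domain` for relay hosts. `**postfix-relaymap.cf:** domains to be excluded from relaying` covers only the exclusion use, while the same file also carries the sender-dependent relay hosts. `**ldap-groups.cf**` and `**ldap-aliases.cf**` carry the identical description, `virtual alias mapping (virtual_alias_maps)`, so a reader cannot tell them apart. `**after.dovecot.sieve:Global` is missing the closing `**` and a space. Finally, `postfix-accounts.cf` and `postfix-sasl-password.cf` both hold credential material, and a sentence that these files must not be world-readable belongs in this list.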
@@ -1,2 +1,10 @@ -Please have a look to [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) for basic configuration. -Detailed examples are provided in the wiki navigation links. \ No newline at end of file +Please have a look at the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) to setup and configure this server. +Detailed examples are provided in the wiki navigation links. + +Some further hints: + +- A setup.sh script is supplied which supports you in configuring this server. +Information on how to use and get it is supplied [here](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) +- A list of all configuration options is provided in the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) +- A list of all optional and automatically created configuration files and directories is located [here](https://github.com/tomav/docker-mailserver/wiki/List-of-optional-config-files-&-directories) +- See the [FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips) for some more tips From 45c8889a154f6369e08cd87592b9ae814f6dc72f Mon Sep 17 00:00:00 2001 From: Michel Albert Date: Tue, 1 May 2018 18:55:53 +0200 Subject: [PATCH 220/462] Fix minor markup error --- docs/content/advanced/optional-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md index b2a2384f..e2b2be95 100644 --- a/docs/content/advanced/optional-config.md +++ b/docs/content/advanced/optional-config.md 
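Review bot: Two bullets link with the bare anchor text `here`; name the target instead (the setup.sh page, the list of optional config files) so the links read well out of context. The first bullet's continuation line, `Information on how to use and get it is supplied ...`, is not indented and relies on lazy continuation; indent it two spaces so it stays inside the bullet in every renderer.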
@@ -9,7 +9,7 @@ This is a list of all configuration files and directories which are optional or ## Files: - **{user_email_address}.dovecot.sieve:** User specific Sieve filter file. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) - **before.dovecot.sieve:** Global Sieve filter file, applied prior to the ${login}.dovecot.sieve filter. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) -- **after.dovecot.sieve:Global Sieve filter file, applied after the ${login}.dovecot.sieve filter. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) +- **after.dovecot.sieve**: Global Sieve filter file, applied after the ${login}.dovecot.sieve filter. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Sieve-filters) - **postfix-main.cf:** Every line will be added to the postfix main configuration. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Postfix-Configuration) - **postfix-master.cf:** Every line will be added to the postfix master configuration. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Postfix-Configuration) - **postfix-accounts.cf:** User accounts file. Modify via the [setup.sh email](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) script. From 000dd8314a708feb74da4009ccca3f74721569ab Mon Sep 17 00:00:00 2001 From: Paul Adams Date: Fri, 22 Jun 2018 08:43:13 +0100 Subject: [PATCH 221/462] Updated List of optional config files & directories (markdown) --- docs/content/advanced/optional-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md index e2b2be95..e4a955ee 100644 --- a/docs/content/advanced/optional-config.md +++ b/docs/content/advanced/optional-config.md 
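Review bot: The fix moves the colon outside the bold (`**after.dovecot.sieve**:`) while every neighbouring entry keeps it inside (`**before.dovecot.sieve:**`); use `**after.dovecot.sieve:**` so the list stays consistent.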
@@ -16,8 +16,8 @@ This is a list of all configuration files and directories which are optional or - **postfix-send-access.cf:** List of users denied sending. Modify via [setup.sh email restrict](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) - **postfix-receive-access.cf:** List of users denied receiving. Modify via [setup.sh email restrict](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) - **postfix-virtual.cf:** Alias configuration file. Modify via [setup.sh alias](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) -- **postfix-sasl-password.cf:** listing of relayed domains with their respective username:password. Modify via `setup.sh relay add-domain []`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-authentication) -- **postfix-relaymap.cf:** domains to be excluded from relaying. Modify via `setup.sh relay exclude-domain`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#excluding-sender-domains) +- **postfix-sasl-password.cf:** listing of relayed domains with their respective username:password. Modify via `setup.sh relay add-auth []`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-authentication) +- **postfix-relaymap.cf:** domain-specific relays and exclusions Modify via `setup.sh relay add-domain` and setup.sh relay exclude-domain`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-relay-host) - **postfix-regexp.cf:** Regular expression alias file. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Aliases#configuring-regexp-aliases) - **ldap-users.cf:** Configuration for the virtual user mapping (virtual_mailbox_maps). 
See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script - **ldap-groups.cf:** Configuration for the virtual alias mapping (virtual_alias_maps). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script From ef1408dcb238f124af795712bf089b9d22cdfa46 Mon Sep 17 00:00:00 2001 From: Paul Adams Date: Fri, 22 Jun 2018 08:43:52 +0100 Subject: [PATCH 222/462] Updated List of optional config files & directories (markdown) --- docs/content/advanced/optional-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md index e4a955ee..9727d360 100644 --- a/docs/content/advanced/optional-config.md +++ b/docs/content/advanced/optional-config.md 
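Review bot: The `postfix-relaymap.cf` line introduces two defects while fixing the description: `domain-specific relays and exclusions Modify via` is missing a period before `Modify`, and `and setup.sh relay exclude-domain`` lacks its opening backtick, so the inline code renders unbalanced. The correction of `add-domain` to `add-auth` for `postfix-sasl-password.cf` is right and matches the relay-hosts page.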
@@ -17,7 +17,7 @@ This is a list of all configuration files and directories which are optional or - **postfix-receive-access.cf:** List of users denied receiving. Modify via [setup.sh email restrict](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#email) - **postfix-virtual.cf:** Alias configuration file. Modify via [setup.sh alias](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) - **postfix-sasl-password.cf:** listing of relayed domains with their respective username:password. Modify via `setup.sh relay add-auth []`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-authentication) -- **postfix-relaymap.cf:** domain-specific relays and exclusions Modify via `setup.sh relay add-domain` and setup.sh relay exclude-domain`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-relay-host) +- **postfix-relaymap.cf:** domain-specific relays and exclusions Modify via `setup.sh relay add-domain` and `setup.sh relay exclude-domain`. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Relay-Hosts#sender-dependent-relay-host) - **postfix-regexp.cf:** Regular expression alias file. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Aliases#configuring-regexp-aliases) - **ldap-users.cf:** Configuration for the virtual user mapping (virtual_mailbox_maps). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script - **ldap-groups.cf:** Configuration for the virtual alias mapping (virtual_alias_maps). See the [start-mailserver.sh](https://github.com/tomav/docker-mailserver/blob/a564cca0e55feba40e273a5419d4c9a864460bf6/target/start-mailserver.sh#L583) script From 71fd2bb05e0efe9b05bc56cc6429742073b580d8 Mon Sep 17 00:00:00 2001 
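Review bot: The backtick is restored, but `domain-specific relays and exclusions Modify via` still lacks a period (or colon) before `Modify`; the neighbouring entries end each clause with a full stop.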
From: Dashamir Hoxha Date: Thu, 5 Jul 2018 19:14:47 +0200 Subject: [PATCH 223/462] Created Installation Examples (markdown) --- docs/content/tutorials/installation-examples.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 docs/content/tutorials/installation-examples.md diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md new file mode 100644 index 00000000..ee1e7b9a --- /dev/null +++ b/docs/content/tutorials/installation-examples.md @@ -0,0 +1,6 @@ +It can be useful for new users to see how other projects have built a mailserver from the container `docker-mailserver`. +Here is a list of such installation pages: + - https://github.com/docker-scripts/moodle/blob/master/docs/email-setup.md#building-a-simple-mailserver + - + +(Add other pages that you know) \ No newline at end of file From fb17b3e81f2900997f2cd7a9951ef3cc5661d691 Mon Sep 17 00:00:00 2001 From: Johan Smits Date: Tue, 10 Jul 2018 18:51:55 +0200 Subject: [PATCH 224/462] Import the url with relevant items only --- .../tutorials/installation-examples.md | 147 +++++++++++++++++- 1 file changed, 142 insertions(+), 5 deletions(-) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index ee1e7b9a..ff6b655c 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md 
@@ -1,6 +1,143 @@ -It can be useful for new users to see how other projects have built a mailserver from the container `docker-mailserver`. -Here is a list of such installation pages: - - https://github.com/docker-scripts/moodle/blob/master/docs/email-setup.md#building-a-simple-mailserver - - +## Building a simple mailserver -(Add other pages that you know) \ No newline at end of file +We are going to use this docker based mailserver: + +- First create a directory for the mailserver and get the setup script: + ``` + mkdir -p /var/ds/mail.example.org + cd /var/ds/mail.example.org/ + + curl -o setup.sh \ + https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh + chmod a+x ./setup.sh + ``` + +- Create the file `docker-compose.yml` with a content like this: + ``` + version: '2' + + services: + mail: + image: tvial/docker-mailserver:latest + hostname: mail + domainname: example.org + container_name: mail + ports: + - "25:25" + - "587:587" + - "465:465" + volumes: + - ./data/:/var/mail/ + - ./state/:/var/mail-state/ + - ./config/:/tmp/docker-mailserver/ + - /var/ds/wsproxy/letsencrypt/:/etc/letsencrypt/ + environment: + - PERMIT_DOCKER=network + - SSL_TYPE=letsencrypt + - ONE_DIR=1 + - DMS_DEBUG=1 + - SPOOF_PROTECTION=0 + - REPORT_RECIPIENT=1 + - ENABLE_SPAMASSASSIN=0 + - ENABLE_CLAMAV=0 + - ENABLE_FAIL2BAN=1 + - ENABLE_POSTGREY=0 + cap_add: + - NET_ADMIN + - SYS_PTRACE + ``` + + For more details about the environment variables that can be used, + and their meaning and possible values, check also these: + - https://github.com/tomav/docker-mailserver#environment-variables + - https://github.com/tomav/docker-mailserver/blob/master/.env.dist + + Make sure to set the propper `domainname` that you will use for the + emails. We forward only SMTP ports (not POP3 and IMAP) because we + are not interested in accessing the mailserver directly (from a + client). 
We also use these settings: + - `PERMIT_DOCKER=network` because we want to send emails from other + docker containers. + - `SSL_TYPE=letsencrypt` because we will manage SSL certificates + with letsencrypt. + +- We need to open these ports on the firewall: `25`, `587`, `465` + ``` + ufw allow 25 + ufw allow 587 + ufw allow 465 + ``` + On your server you may have to do it differently. + +- Pull the docker image: + ``` + docker pull tvial/docker-mailserver:latest + ``` + +- Now generate the DKIM keys with `./setup.sh config dkim` and copy + the content of the file `config/opendkim/keys/domain.tld/mail.txt` + on the domain zone configuration at the DNS server. I use + [bind9](https://github.com/docker-scripts/bind9) for managing my + domains, so I just paste it on `example.org.db`: + ``` + mail._domainkey IN TXT ( "v=DKIM1; h=sha256; k=rsa; " + "p=MIIBIjANBgkqhkiG9w0BAQEFACAQ8AMIIBCgKCAQEAaH5KuPYPSF3Ppkt466BDMAFGOA4mgqn4oPjZ5BbFlYA9l5jU3bgzRj3l6/Q1n5a9lQs5fNZ7A/HtY0aMvs3nGE4oi+LTejt1jblMhV/OfJyRCunQBIGp0s8G9kIUBzyKJpDayk2+KJSJt/lxL9Iiy0DE5hIv62ZPP6AaTdHBAsJosLFeAzuLFHQ6USyQRojefqFQtgYqWQ2JiZQ3" + "iqq3bD/BVlwKRp5gH6TEYEmx8EBJUuDxrJhkWRUk2VDl1fqhVBy8A9O7Ah+85nMrlOHIFsTaYo9o6+cDJ6t1i6G1gu+bZD0d3/3bqGLPBQV9LyEL1Rona5V7TJBGg099NQkTz1IwIDAQAB" ) ; ----- DKIM key mail for example.org + + ``` + +- Add these configurations as well on the same file on the DNS server: + ``` + mail IN A 10.11.12.13 + + ; mailservers for example.org + 3600 IN MX 1 mail.example.org. + + ; Add SPF record + IN TXT "v=spf1 mx ~all" + ``` + Then don't forget to change the serial number and to restart the service. + +- Get an SSL certificate from letsencrypt. 
I use + [wsproxy](https://github.com/docker-scripts/wsproxy) for managing + SSL letsencrypt certificates of my domains: + ``` + cd /var/ds/wsproxy + ds domains-add mail mail.example.org + ds get-ssl-cert myemail@gmail.com mail.example.org --test + ds get-ssl-cert myemail@gmail.com mail.example.org + ``` + Now the certificates will be available on + `/var/ds/wsproxy/letsencrypt/live/mail.example.org`. + +- Start the mailserver and check for any errors: + ``` + apt install docker-compose + docker-compose up mail + ``` + +- Create email accounts and aliases: + ``` + ./setup.sh email add admin@example.org passwd123 + ./setup.sh email add info@example.org passwd123 + ./setup.sh alias add admin@example.org myemail@gmail.com + ./setup.sh alias add info@example.org myemail@gmail.com + ./setup.sh email list + ./setup.sh alias list + ``` + + Aliases make sure that any email that comes to these accounts is + forwarded to my real email address, so that I don't need to use + POP3/IMAP in order to get these messages. Also no anti-spam and + anti-virus software is needed, making the mailserver lighter. + +- Send some test emails to these addreses and make other tests. Then + stop the container with `Ctrl+c` and start it again as a daemon: + `docker-compose up mail -d`. + +- Now save on Moodle configuration the SMTP settings and test by + trying to send some messages to other users: + - **SMTP hosts**: `mail.example.org:465` + - **SMTP security**: `SSL` + - **SMTP username**: `info@example.org` + - **SMTP password**: `passwd123` \ No newline at end of file From 1fe0b8fb67fabe3917898a32884e1326e1d70ee9 Mon Sep 17 00:00:00 2001 From: Harry Youd Date: Fri, 24 Aug 2018 17:08:39 +0100 Subject: [PATCH 225/462] Correct page title --- docs/content/{configue-ldap.md => advanced/auth-ldap.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{configue-ldap.md => advanced/auth-ldap.md} (100%) 
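Review bot: The list in the new installation-examples file has an empty bullet (` - ` with nothing after it), a `(Add other pages that you know)` placeholder, and `\ No newline at end of file`; drop the empty item, turn the placeholder into a sentence inviting contributions, and end the file with a newline.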
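Review bot: The sample `docker-compose.yml` sets `SPOOF_PROTECTION=0`, `ENABLE_SPAMASSASSIN=0` and `ENABLE_CLAMAV=0`, but the text justifies only the last two (mail is forwarded, so no filtering is wanted); explain or remove `SPOOF_PROTECTION=0`, since it disables the check that an authenticated user may only send with their own addresses. `PERMIT_DOCKER=network` deserves the same treatment: it lets every container on the Docker network relay without authenticating, which is intended here for Moodle but should be stated so readers do not copy it onto a shared network. The password `passwd123` used for `admin@example.org` and `info@example.org` and repeated in the Moodle `SMTP password` field should be marked as a placeholder to replace. Minor: `addreses` in the test-email step should be `addresses`.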
diff --git a/docs/content/configue-ldap.md b/docs/content/advanced/auth-ldap.md similarity index 100% rename from docs/content/configue-ldap.md rename to docs/content/advanced/auth-ldap.md From a4da228030faa2b482980e9c45d55bd5178889e1 Mon Sep 17 00:00:00 2001 From: Karthik K Date: Wed, 10 Oct 2018 11:57:53 +0530 Subject: [PATCH 226/462] typo --- docs/content/tutorials/installation-examples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index ff6b655c..84029c39 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md @@ -52,7 +52,7 @@ We are going to use this docker based mailserver: - https://github.com/tomav/docker-mailserver#environment-variables - https://github.com/tomav/docker-mailserver/blob/master/.env.dist - Make sure to set the propper `domainname` that you will use for the + Make sure to set the proper `domainname` that you will use for the emails. We forward only SMTP ports (not POP3 and IMAP) because we are not interested in accessing the mailserver directly (from a client). We also use these settings: From cbe8cb91053493d55a70103eacbeafc706c43d40 Mon Sep 17 00:00:00 2001 From: Serge van den Boom Date: Sun, 28 Oct 2018 15:56:16 +0100 Subject: [PATCH 227/462] fix typo --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 32444845..905f4f12 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
@@ -13,7 +13,7 @@ To enable Let's Encrypt on your mail server, you have to: * get your certificate using [letsencrypt client](https://github.com/letsencrypt/letsencrypt) * add an environment variable `SSL_TYPE` with value `letsencrypt` (see `docker-compose.yml.dist`) * mount your whole `letsencrypt` folder to `/etc/letsencrypt` -* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. The full qualified domain name (`fqdn`) inside the docker container is build combining the `hostname` and `domainname` values of the docker-compose file, e. g.: hostname: `mail`; domainname: `myserver.tld`; fqdn: `mail.myserver.tld` +* the certs folder name located in `letsencrypt/live/` must be the `fqdn` of your container responding to the `hostname` command. The full qualified domain name (`fqdn`) inside the docker container is built combining the `hostname` and `domainname` values of the docker-compose file, e. g.: hostname: `mail`; domainname: `myserver.tld`; fqdn: `mail.myserver.tld` You don't have anything else to do. Enjoy. From a6048572009f0b2209e266fe80bd3a4451e4f81b Mon Sep 17 00:00:00 2001 From: tamueller Date: Sat, 10 Nov 2018 11:46:58 +0100 Subject: [PATCH 228/462] Updated Debugging (markdown) --- docs/content/config/troubleshooting/debugging.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 2b47dadf..399d7456 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
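Review bot: the typo fix is fine; while this list is being touched, the bullet just above it, "mount your whole `letsencrypt` folder to `/etc/letsencrypt`", should say to mount it read-only (`:ro`). The container only needs to read the private key and chain, and a writable mount lets a compromised mail container alter the host's certificates and renewal state.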
@@ -14,7 +14,11 @@ docker exec -it bash could not find any mention of incorrect logins here neither in the dovecot logs -3. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong +3. Check the supervisors logfiles +`/var/log/supervisor` +You can find the logs for startup of fetchmail, postfix and others here - they might indicate problems during startup + +4. Make sure you set your hostname to 'mail' or whatever you specified in your docker-compose.yml file or else your FQDN will be wrong ## Installation Errors From 907afcfbcec216458b86c166547bd736e0cbe302 Mon Sep 17 00:00:00 2001 From: Gabriel Landais Date: Mon, 12 Nov 2018 23:29:42 +0100 Subject: [PATCH 229/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 905f4f12..126d8e74 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -28,9 +28,9 @@ cd /home/ubuntu/docker/letsencrypt ``` Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. -This will need access to port 443 from the internet, adjust your firewall if needed +This will need access to port 80 from the internet, adjust your firewall if needed ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot certonly --standalone -d mail.myserver.tld +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 deliverous/certbot certonly --standalone -d mail.myserver.tld ``` You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` From 094ca0d5f00d20d4bdc1df1ac949873defce604e Mon Sep 17 00:00:00 2001 
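Review bot: in the new step 3 the wording "Check the supervisors logfiles" should read "Check supervisor's log files under `/var/log/supervisor`", and the path deserves to be on the same line as the instruction rather than on its own; it is also worth saying that these logs are inside the container, so the reader needs `docker exec` or `docker logs` to reach them.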
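Review bot: the change from 443 to 80 is correct, since `certbot certonly --standalone` answers the HTTP-01 challenge on port 80, but the surrounding command still pulls the third-party `deliverous/certbot` image; prefer the official `certbot/certbot` image, and note that port 80 only has to be reachable from the internet while a certificate is being issued or renewed, so the firewall exception can be temporary.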
From: Christian Glahn Date: Mon, 31 Dec 2018 15:15:10 +0100 Subject: [PATCH 230/462] remove misplaced quotes and add example for custom schema handling in dovecot --- docs/content/advanced/auth-ldap.md | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/docs/content/advanced/auth-ldap.md b/docs/content/advanced/auth-ldap.md index 9a5ca44a..210ea9a3 100644 --- a/docs/content/advanced/auth-ldap.md +++ b/docs/content/advanced/auth-ldap.md @@ -64,7 +64,7 @@ services: - SASLAUTHD_LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - SASLAUTHD_LDAP_PASSWORD=mypassword - SASLAUTHD_LDAP_SEARCH_BASE=dc=mydomain,dc=loc - - SASLAUTHD_LDAP_FILTER="(&(sAMAccountName=%U)(objectClass=person))" + - SASLAUTHD_LDAP_FILTER=(&(sAMAccountName=%U)(objectClass=person)) - SASLAUTHD_MECHANISMS=ldap # <<< SASL Authentication @@ -74,10 +74,10 @@ services: - LDAP_SEARCH_BASE=dc=mydomain,dc=loc - LDAP_BIND_DN=cn=Administrator,cn=Users,dc=mydomain,dc=loc - LDAP_BIND_PW=mypassword - - LDAP_QUERY_FILTER_USER="(&(objectClass=user)(mail=%s))" - - LDAP_QUERY_FILTER_GROUP="(&(objectclass=group)(mail=%s))" - - LDAP_QUERY_FILTER_ALIAS="(&(objectClass=user)(otherMailbox=%s))" - - LDAP_QUERY_FILTER_DOMAIN="(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE))" + - LDAP_QUERY_FILTER_USER=(&(objectClass=user)(mail=%s)) + - LDAP_QUERY_FILTER_GROUP=(&(objectclass=group)(mail=%s)) + - LDAP_QUERY_FILTER_ALIAS=(&(objectClass=user)(otherMailbox=%s)) + - LDAP_QUERY_FILTER_DOMAIN=(&(|(mail=*@%s)(mailalias=*@%s)(mailGroupMember=*@%s))(mailEnabled=TRUE)) # <<< Postfix Ldap Integration # >>> Kopano Integration 
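Review bot: removing the quotes is right, because in the list form of `environment:` compose hands the value through verbatim and saslauthd and Postfix would otherwise have received the literal `"(&(sAMAccountName=%U)(objectClass=person))"`. The example around the changed lines still binds both services as `cn=Administrator,cn=Users,dc=mydomain,dc=loc` with the password inline (`SASLAUTHD_LDAP_PASSWORD=mypassword`, `LDAP_BIND_PW=mypassword`). Recommend a dedicated read-only lookup account for the bind DN and moving the two passwords to an `env_file` or a secret, since as written a compromised mail container holds directory-administrator credentials.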
@@ -98,4 +98,21 @@ volumes: driver: local mailstate: driver: local -``` \ No newline at end of file +``` + +If your Directory has not the postfix-book schema installed, then you may want to change some internal attribute handling for dovecot. as shown in the example below: + +``` + - DOVECOT_PASS_ATTR==user,=password + - DOVECOT_USER_ATTR==home,=mail,=uid, =gid +``` + +If your directory has the qmail-Schema installed and ```uid``` is used, then this translates into: + +``` + - DOVECOT_PASS_ATTRS=uid=user,userPassword=password + - DOVECOT_USER_ATTRS=homeDirectory=home,qmailUID=uid,qmailGID=gid,mailMessageStore=mail + - DOVECOT_PASS_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active)) + - DOVECOT_USER_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active)) +``` + From bee20823a95aece9de705e70809e30619b438fb0 Mon Sep 17 00:00:00 2001 From: Christian Glahn Date: Mon, 31 Dec 2018 15:18:03 +0100 Subject: [PATCH 231/462] better readability and capitalisation --- docs/content/advanced/auth-ldap.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/auth-ldap.md b/docs/content/advanced/auth-ldap.md index 210ea9a3..9eb903ad 100644 --- a/docs/content/advanced/auth-ldap.md +++ b/docs/content/advanced/auth-ldap.md 
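Review bot: the two new examples disagree on the variable names: the first uses `DOVECOT_PASS_ATTR` / `DOVECOT_USER_ATTR`, the second `DOVECOT_PASS_ATTRS` / `DOVECOT_USER_ATTRS`; only one of these can be what the image reads, so the other will be silently ignored. The first block also has empty LDAP attribute names (`==user,=password`) and a stray space in `=uid, =gid`, which a reader will copy as-is; state that the left-hand side of each `ldapAttr=dovecotField` pair is the directory attribute and fill in placeholders, or drop the first block and keep only the qmail example.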
@@ -100,14 +100,14 @@ volumes: driver: local ``` -If your Directory has not the postfix-book schema installed, then you may want to change some internal attribute handling for dovecot. as shown in the example below: +If your directory has not the postfix-book schema installed, then you must change the internal attribute handling for dovecot. For this you have to change the ```pass_attr``` and the ```user_attr``` mapping, as shown in the example below: ``` - DOVECOT_PASS_ATTR==user,=password - DOVECOT_USER_ATTR==home,=mail,=uid, =gid ``` -If your directory has the qmail-Schema installed and ```uid``` is used, then this translates into: +The following example illustrates this for a directory that has the qmail-schema installed and that uses ```uid```: ``` - DOVECOT_PASS_ATTRS=uid=user,userPassword=password From cbbd1fbf0ead7166830be8aa64886eda60eea489 Mon Sep 17 00:00:00 2001 From: Christian Glahn Date: Sat, 19 Jan 2019 12:23:27 +0100 Subject: [PATCH 232/462] language fix --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2e642d69..45c9dd13 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
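Review bot: "If your directory has not the postfix-book schema installed" should read "does not have the postfix-book schema installed", and the sentence now says the mapping "must" be changed while the example below it still uses the singular `DOVECOT_PASS_ATTR` / `DOVECOT_USER_ATTR` names whereas the qmail example uses the plural form; reconcile the names so that the mandatory step actually works when copied.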
@@ -65,7 +65,7 @@ Put received spams in `.Junk/` imap folder and add a cron like the following: 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` -With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For future reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). +With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For further reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. From 70887618e2f4b5c100c262020097137b4a9422ec Mon Sep 17 00:00:00 2001 From: Christian Glahn Date: Wed, 30 Jan 2019 08:32:42 +0100 Subject: [PATCH 233/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 45c9dd13..99172722 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
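Review bot: "further reference" is the right phrase; the same line still contains "Spamassasin" (missing an "s") and "Until you provided", which should be "Until you have provided", and the product name is spelled "Spamassassin" here and "SpamAssassin" in later commits; pick the official "SpamAssassin" throughout while the line is being edited.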
@@ -65,6 +65,31 @@ Put received spams in `.Junk/` imap folder and add a cron like the following: 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` +If you run the server with docker compose on swarm, you can leverage on docker configs and the mailserver's own cron. +The following config works nicely: + +``` +version: "3.3" +services: + redis: + image: tvial/docker-mailserver:latest + // ... + configs: + - source: my_sa_crontab + target: /etc/cron.d/user-salearn-1 + - source: my_crontab_config + target: /etc/cron.d/user-salearn-2 + // ... + +configs: + my_sa_crontab: + file: ./my_local_crontab.txt + my_crontab_config: + external: true +``` + +The config should contain the lines shown above. + With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For further reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). ### What kind of SSL certificates can I use? From 7a9737dd90c0ac7b1f0d386b134c835bd353ce1d Mon Sep 17 00:00:00 2001 From: Christian Glahn Date: Wed, 30 Jan 2019 08:44:39 +0100 Subject: [PATCH 234/462] add a better example for sa-learn cron-jobs --- docs/content/config/troubleshooting/faq.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 99172722..8a323f7f 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
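Review bot: the swarm example has three problems that will bite anyone who copies it: the service is named `redis:` although it runs `tvial/docker-mailserver`, the `// ...` placeholders are not YAML comments (use `# ...`), and "The config should contain the lines shown above" points at a host crontab line that starts with `docker exec mail ...`, which cannot work from inside the container where this cron file lands. The two configs, one from a file and one `external: true`, are also left unexplained; one config with a shown file is enough.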
@@ -65,7 +65,8 @@ Put received spams in `.Junk/` imap folder and add a cron like the following: 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` -If you run the server with docker compose on swarm, you can leverage on docker configs and the mailserver's own cron. +If you run the server with docker compose on swarm, you can leverage on docker configs and the mailserver's own cron. This is less problematic than the simple solution shown above, because it decouples the learning from the host on which the mailserver is running and avoids errors if the server is not running. + The following config works nicely: ``` 
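Review bot: "leverage on docker configs" should be "leverage docker configs", and the justification is slightly off: when the container is not running, an in-container cron job does not run either; the actual benefit is that the host's crontab no longer fails noisily and that the job follows the container wherever swarm schedules it. Worth adding that docker configs are immutable once created, so a changed cron file needs a new config name or a stack redeploy.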
@@ -88,7 +89,18 @@ configs: external: true ``` -The config should contain the lines shown above. +The config should contain lines such as outlined in the following example. + +``` +# Everyday 2:00AM, learn spam for this specific user +# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) +0 2 * * * sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 2 * * * sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +# Everyday 3:00AM, learn spam for all users of otherdomain.com +# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) +0 3 * * * sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 3 * * * sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +``` With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For further reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). From 2500b0704c1a6545726dfa87451cf86bbc8c2344 Mon Sep 17 00:00:00 2001 From: Anne <34578028+voordev@users.noreply.github.com> Date: Wed, 20 Feb 2019 14:46:54 +0100 Subject: [PATCH 235/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 35 ++++++++++++++++------------- 1 file changed, 19 insertions(+), 16 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 126d8e74..7d7fab93 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
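Review bot: the cron lines in the new example are missing the user field that files under `/etc/cron.d` require (`m h dom mon dow user command`), so cron will reject `0 2 * * * sa-learn --spam /var/mail/domain.com/username/.Junk ...` as a syntax error and log it rather than run it; insert the account that owns the Bayes database under `--dbpath` between the schedule and the command. Also "Everyday" should be "Every day", and the ham source `.Archive` only exists if the user's client created a folder of that name, which the text should state.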
@@ -22,8 +22,7 @@ Make a directory to store your letsencrypt logs and configs. In my case ``` -mkdir -p /home/ubuntu/docker/letsencrypt/log -mkdir -p /home/ubuntu/docker/letsencrypt/etc/letsencrypt +mkdir -p /home/ubuntu/docker/letsencrypt cd /home/ubuntu/docker/letsencrypt ``` @@ -45,23 +44,27 @@ If you are running a web server already, it is non-trivial to generate a Let's E There are several ways to start ```nginx-proxy``` and ```letsencrypt-nginx-proxy-companion```. Any method should be suitable here. For example start ```nginx-proxy``` as in the ```letsencrypt-nginx-proxy-companion``` [documentation](https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion): ``` -docker run -d -p 80:80 -p 443:443 \ - --name nginx-proxy \ - -v /path/to/certs:/etc/nginx/certs:ro \ - -v /etc/nginx/vhost.d \ - -v /usr/share/nginx/html \ - -v /var/run/docker.sock:/tmp/docker.sock:ro \ - --label com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy \ - jwilder/nginx-proxy + docker run --detach \ + --name nginx-proxy \ + --restart always \ + --publish 80:80 \ + --publish 443:443 \ + --volume /server/letsencrypt/etc:/etc/nginx/certs:ro \ + --volume /etc/nginx/vhost.d \ + --volume /usr/share/nginx/html \ + --volume /var/run/docker.sock:/tmp/docker.sock:ro \ + jwilder/nginx-proxy ``` -Then start ```letsencrypt-nginx-proxy-companion```: +Then start ```nginx-proxy-letsencrypt```: ``` -docker run -d \ - -v /path/to/certs:/etc/nginx/certs:rw \ - -v /var/run/docker.sock:/var/run/docker.sock:ro \ - --volumes-from nginx-proxy \ - jrcs/letsencrypt-nginx-proxy-companion + docker run --detach \ + --name nginx-proxy-letsencrypt \ + --restart always \ + --volume /server/letsencrypt/etc:/etc/nginx/certs:rw \ + --volumes-from nginx-proxy \ + --volume /var/run/docker.sock:/var/run/docker.sock:ro \ + jrcs/letsencrypt-nginx-proxy-companion ``` Start the rest of your web server containers as usual. From 225de9aadb9305dbe5906c58de205eed0952f7ca Mon Sep 17 00:00:00 2001 
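Review bot: the first hunk drops `mkdir -p .../log` and `.../etc/letsencrypt`, but the certbot command a few lines below still bind-mounts `$PWD/log/` and `$PWD/etc/`; Docker will create those directories root-owned on first run, which is harmless but surprising, so either keep the `mkdir` lines or say that the directories are created automatically.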
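Review bot: the rewritten `nginx-proxy` / companion commands bind-mount `/var/run/docker.sock` into both containers; the `:ro` on the proxy's mount does not limit what can be done over the socket, which is full Docker API access and therefore root-equivalent on the host. That is inherent to the nginx-proxy design, but the doc should say so, because it means any vulnerability in the proxy or companion image is a host compromise, and readers should not co-locate them with anything they cannot afford to lose. The leading whitespace introduced inside the fenced block is cosmetic but makes copy-paste untidy.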
From: Anne <34578028+voordev@users.noreply.github.com> Date: Wed, 20 Feb 2019 14:50:48 +0100 Subject: [PATCH 236/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 7d7fab93..41c51dad 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -79,7 +79,23 @@ docker run -d \ ``` You may want to add ```-e LETSENCRYPT_TEST=true``` to the above while testing to avoid the Let's Encrypt certificate generation rate limits. -Finally, start ```docker-mailserver``` with ```path/to/certs/mail.mydomain.tld``` mounted to ```/etc/letsencrypt/live/mail.mydomain.tld``` +Finally, start the mailserver with the docker-compose.yml +Make sure your mount path to the letsencrypt certificates is correct. +Inside your /path/to/mailserver/docker-compose.yml ( for the mailserver from this repo ) make sure volumes look like below example; + +``` + volumes: + - maildata:/var/mail + - mailstate:/var/mail-state + - ./config/:/tmp/docker-mailserver/ + _**- /server/letsencrypt/etc:/etc/letsencrypt/live**_ +``` + +Then + +/path/to/mailserver/docker-compose up -d mail + + #### Example using the letsencrypt certificates on a Synology NAS From 5d29e8e8c9cad76768e4357aaefdfc9cbe1f8349 Mon Sep 17 00:00:00 2001 From: Anne <34578028+voordev@users.noreply.github.com> Date: Wed, 20 Feb 2019 15:00:22 +0100 Subject: [PATCH 237/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 41c51dad..3447e47d 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
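Review bot: the new volume entry `_**- /server/letsencrypt/etc:/etc/letsencrypt/live**_` is inside a fenced block, so the markdown emphasis renders literally and breaks the YAML when copied; drop the `_**`/`**_`. The command `/path/to/mailserver/docker-compose up -d mail` treats `docker-compose` as a file under the mailserver directory; it should be `cd /path/to/mailserver && docker-compose up -d mail`. Finally, mounting the whole `/server/letsencrypt/etc` tree hands the mail container the private keys of every vhost the proxy manages, where the sentence being replaced mounted only `.../mail.mydomain.tld`; keep the per-host mount and add `:ro`.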
@@ -88,7 +88,7 @@ Inside your /path/to/mailserver/docker-compose.yml ( for the mailserver from thi - maildata:/var/mail - mailstate:/var/mail-state - ./config/:/tmp/docker-mailserver/ - _**- /server/letsencrypt/etc:/etc/letsencrypt/live**_ + - /server/letsencrypt/etc:/etc/letsencrypt/live ``` Then From aa7774801f224615369036bf3f929315cd2d499e Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 15:57:33 +0100 Subject: [PATCH 238/462] add a plain docker-compose example without docker swarm --- docs/content/config/troubleshooting/faq.md | 62 ++++++++++++++-------- 1 file changed, 39 insertions(+), 23 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 8a323f7f..75e2b316 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -67,39 +67,55 @@ Put received spams in `.Junk/` imap folder and add a cron like the following: If you run the server with docker compose on swarm, you can leverage on docker configs and the mailserver's own cron. This is less problematic than the simple solution shown above, because it decouples the learning from the host on which the mailserver is running and avoids errors if the server is not running. -The following config works nicely: +The following config works nicely: +create a crontab file: +```sh +# in the docker-compose.yml root directory +mkdir cron +touch cron/sa-learn +chown root:root cron/sa-learn +chmod 0644 cron/sa-learn ``` + +edit the crontab file `nano cron/sa-learn`: +``` +# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml (config consolidated in `/var/mail-state`) +# m h dom mon dow user command +# Everyday 2:00AM, learn spam from a specific user +0 2 * * * amavis sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 2 * * * amavis sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +# Everyday 3:00AM, learn spam from all users of a domain +0 3 * * * amavis sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 3 * * * amavis sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +``` + +with plain docker-compose: +```docker-compose +version: "3.3" + +services: + mail: + image: tvial/docker-mailserver:latest + # ... + volumes: + - ./cron/sa-learn:/etc/cron.d/sa-learn +``` + +with [docker swarm](https://docs.docker.com/engine/swarm/configs/): +```docker-compose version: "3.3" services: - redis: + mail: image: tvial/docker-mailserver:latest - // ... + # ... configs: - source: my_sa_crontab - target: /etc/cron.d/user-salearn-1 - - source: my_crontab_config - target: /etc/cron.d/user-salearn-2 - // ... 
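Review bot: the `chown root:root` and `chmod 0644` steps deserve a sentence of explanation: cron refuses `/etc/cron.d` entries that are not owned by root or are writable by group or other, and a bind mount preserves the host file's ownership, so the `chown` is required and needs root on the host. Running the jobs as `amavis` is the right least-privilege choice for a database under `/var/mail-state/lib-amavis`, but that account also needs read access to the Maildirs under `/var/mail/...`; tell the reader to run one job by hand with `docker exec` before trusting the schedule. The fences are tagged `docker-compose`, which no highlighter recognises; use `yaml`.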
+ target: /etc/cron.d/sa-learn configs: my_sa_crontab: - file: ./my_local_crontab.txt - my_crontab_config: - external: true -``` - -The config should contain lines such as outlined in the following example. - -``` -# Everyday 2:00AM, learn spam for this specific user -# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) -0 2 * * * sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 2 * * * sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin -# Everyday 3:00AM, learn spam for all users of otherdomain.com -# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) -0 3 * * * sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 3 * * * sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin + file: ./cron/sa-learn ``` With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For further reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). From b5a827ff31eeae4b0ed9a6f1c92a71908f9399da Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 15:59:27 +0100 Subject: [PATCH 239/462] change min docker-compose version --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 75e2b316..1526b4ed 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
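Review bot: the swarm variant now maps `file: ./cron/sa-learn` into the same `configs:` entry as the compose variant's bind mount, which is good for consistency, but since docker configs cannot be updated in place, a later edit to `cron/sa-learn` will make `docker stack deploy` fail until the old config is removed or the config gets a new name; a one-line note here saves a confusing error later.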
@@ -92,7 +92,7 @@ edit the crontab file `nano cron/sa-learn`: with plain docker-compose: ```docker-compose -version: "3.3" +version: "2" services: mail: From 90fa8b0544a28491e65cb9feee458c5adae486ff Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 16:01:17 +0100 Subject: [PATCH 240/462] remove docker-compose swarm only statement --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 1526b4ed..e8bd2e39 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -65,7 +65,7 @@ Put received spams in `.Junk/` imap folder and add a cron like the following: 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` -If you run the server with docker compose on swarm, you can leverage on docker configs and the mailserver's own cron. This is less problematic than the simple solution shown above, because it decouples the learning from the host on which the mailserver is running and avoids errors if the server is not running. +If you run the server with docker-compose, you can leverage on docker configs and the mailserver's own cron. This is less problematic than the simple solution shown above, because it decouples the learning from the host on which the mailserver is running and avoids errors if the server is not running. The following config works nicely: From a0fa63750ba7bfca1b5f93d3811818c597cd030e Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 16:06:13 +0100 Subject: [PATCH 241/462] unify documentation --- docs/content/config/troubleshooting/faq.md | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index e8bd2e39..f9af8d57 100644 
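Review bot: after this rewording the sentence says "with docker-compose" but still promises "docker configs", which only exist in swarm mode; the plain-compose example below uses a bind mount instead. Say "a bind mount (or a docker config on swarm)" so the sentence matches both examples.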
--- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -55,13 +55,16 @@ Antispam rules are managed in `config/spamassassin-rules.cf`. In the default setup, amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. -### How can I make Spamassassin learn spam? +### How can I make SpamAssassin learn spam? -Put received spams in `.Junk/` imap folder and add a cron like the following: +Put received spams in `.Junk/` imap folder and add a user cron like the following: ``` -# Everyday 2:00AM, learn spam for this specific user -# This assumes you're having `ONE_DIR=1` (consolidated in `/var/mail-state`) +# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, +# with a consolidated config in `/var/mail-state` +# +# m h dom mon dow command +# Everyday 2:00AM, learn spam from a specific user 0 2 * * * docker exec mail sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin ``` 
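Review bot: the host cron line `docker exec mail sa-learn ...` assumes the container is named `mail`; state that assumption next to the example, since compose-generated names differ. "Put received spams in" should be "Put received spam in", and `domain.com` is a real registered domain; use `example.com`, which is reserved for documentation.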
@@ -80,8 +83,10 @@ chmod 0644 cron/sa-learn edit the crontab file `nano cron/sa-learn`: ``` -# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml (config consolidated in `/var/mail-state`) -# m h dom mon dow user command +# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, +# with a consolidated config in `/var/mail-state` +# +# m h dom mon dow user command # Everyday 2:00AM, learn spam from a specific user 0 2 * * * amavis sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin 15 2 * * * amavis sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin From 4559699f9ac87f410c94f226292eeb0ef869c026 Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 16:11:45 +0100 Subject: [PATCH 242/462] add a blank line in the docker-compose.yml example --- docs/content/config/troubleshooting/faq.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index f9af8d57..2aa6af3a 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -110,6 +110,7 @@ services: with [docker swarm](https://docs.docker.com/engine/swarm/configs/): ```docker-compose version: "3.3" + services: mail: image: tvial/docker-mailserver:latest From 7bb9596f72a1bfe6f7990c15765cf2e492c1760a Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Fri, 8 Mar 2019 16:14:51 +0100 Subject: [PATCH 243/462] add hint for system cron file --- docs/content/config/troubleshooting/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2aa6af3a..a69d9aa5 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -72,7 +72,7 @@ If you run the server with docker-compose, you can leverage on docker configs an The following config works nicely: -create a crontab file: +create a system cron file: ```sh # in the docker-compose.yml root directory mkdir cron @@ -81,7 +81,7 @@ chown root:root cron/sa-learn chmod 0644 cron/sa-learn ``` -edit the crontab file `nano cron/sa-learn`: +edit the system cron file `nano cron/sa-learn`: ``` # This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, # with a consolidated config in `/var/mail-state` From 3d7b47c99a328dbe08d0431ca0e1726ceeca84fe Mon Sep 17 00:00:00 2001 From: Jeremy Shipman Date: Sat, 9 Mar 2019 09:54:33 +1300 Subject: [PATCH 244/462] Added info about DMS_DEBUG variable --- docs/content/config/troubleshooting/debugging.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 399d7456..40f9dd13 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md @@ -1,4 +1,9 @@ ..todo.. - Please contribute more to help others debug this package + +## Enable verbose debugging output + +You may find it useful to enable the [https://github.com/tomav/docker-mailserver#dms_debug](DMS_DEBUG) environment variable. + ## Invalid username or Password From 7567d2e7a895c216486f893082e57afcbbbb3cf4 Mon Sep 17 00:00:00 2001 From: Jeremy Shipman Date: Sat, 9 Mar 2019 09:55:05 +1300 Subject: [PATCH 245/462] Typo in link --- docs/content/config/troubleshooting/debugging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index 40f9dd13..ade5b38f 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
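Review bot: the link in the new `DMS_DEBUG` sentence has its text and target swapped (`[https://github.com/tomav/docker-mailserver#dms_debug](DMS_DEBUG)`), so it renders the URL as link text pointing at a relative path called `DMS_DEBUG`; write `[DMS_DEBUG](https://github.com/tomav/docker-mailserver#dms_debug)`. The `..todo.. Please contribute` line kept above the new heading can also go now that the page has content.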
@@ -2,7 +2,7 @@ ## Enable verbose debugging output -You may find it useful to enable the [https://github.com/tomav/docker-mailserver#dms_debug](DMS_DEBUG) environment variable. +You may find it useful to enable the [DMS_DEBUG](https://github.com/tomav/docker-mailserver#dms_debug) environment variable. ## Invalid username or Password From 4541b0dea95c402e097abf0854b78cd131430b56 Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Mon, 11 Mar 2019 15:48:17 +0100 Subject: [PATCH 246/462] change user to root. amavis is not sufficient --- docs/content/config/troubleshooting/faq.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index a69d9aa5..2d935127 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -88,11 +88,11 @@ edit the system cron file `nano cron/sa-learn`: # # m h dom mon dow user command # Everyday 2:00AM, learn spam from a specific user -0 2 * * * amavis sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 2 * * * amavis sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +0 2 * * * root sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin # Everyday 3:00AM, learn spam from all users of a domain -0 3 * * * amavis sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 3 * * * amavis sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +0 3 * * * root sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin ``` with plain docker-compose: From d5ba2f8e42473ad0ddea55e68f1407691511f465 Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Mon, 11 Mar 2019 15:49:47 +0100 Subject: [PATCH 247/462] emphasize difference between user and system crontab --- docs/content/config/troubleshooting/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2d935127..aaf52bc7 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
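Review bot: switching all four jobs to `root` removes the permission failure but introduces a new one: `sa-learn` run as root may create or rewrite Bayes files (journal, `bayes_toks`, `bayes_seen`) under `--dbpath /var/mail-state/lib-amavis/.spamassassin` as root-owned, after which the `amavis` process that reads and updates that database at scan time can no longer write to it. Prefer keeping `amavis` and granting it read access to `/var/mail`, or follow each run with a `chown -R amavis` of the dbpath; at minimum the text should say why `amavis` was "not sufficient" rather than silently escalating.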
@@ -57,7 +57,7 @@ In the default setup, amavis only applies Spamassassin x-headers into domains ma ### How can I make SpamAssassin learn spam? -Put received spams in `.Junk/` imap folder and add a user cron like the following: +Put received spams in `.Junk/` imap folder and add a _user_ cron like the following: ``` # This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, @@ -72,7 +72,7 @@ If you run the server with docker-compose, you can leverage on docker configs an The following config works nicely: -create a system cron file: +create a _system_ cron file: ```sh # in the docker-compose.yml root directory mkdir cron From 8f6249cc3ff3f27e55c562b149cbb7589c862370 Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Tue, 12 Mar 2019 14:44:44 +0100 Subject: [PATCH 248/462] change ham folder to Archives --- docs/content/config/troubleshooting/faq.md | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index aaf52bc7..da1d0b58 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -70,7 +70,7 @@ Put received spams in `.Junk/` imap folder and add a _user_ cron like the follow If you run the server with docker-compose, you can leverage on docker configs and the mailserver's own cron. This is less problematic than the simple solution shown above, because it decouples the learning from the host on which the mailserver is running and avoids errors if the server is not running. -The following config works nicely: +The following configuration works nicely: create a _system_ cron file: ```sh 
@@ -81,18 +81,23 @@ chown root:root cron/sa-learn chmod 0644 cron/sa-learn ``` -edit the system cron file `nano cron/sa-learn`: +edit the system cron file `nano cron/sa-learn`, and set an appropriate configuration: ``` # This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, # with a consolidated config in `/var/mail-state` # # m h dom mon dow user command +# # Everyday 2:00AM, learn spam from a specific user 0 2 * * * root sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis +30 2 * * * root sa-learn --ham /var/mail/domain.com/username/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin +# # Everyday 3:00AM, learn spam from all users of a domain 0 3 * * * root sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin -15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archive --dbpath /var/mail-state/lib-amavis/.spamassassin +15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archives* --dbpath /var/mail-state/lib-amavis/.spamassassin +# ham: inbox subdirectories +30 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin ``` with plain docker-compose: From da78a4969dbe2f3574e94b185e06cc6acd761f75 Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Tue, 12 Mar 2019 14:47:08 +0100 Subject: [PATCH 249/462] add consitent comments --- docs/content/config/troubleshooting/faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index da1d0b58..2d6e3ee2 100644 --- a/docs/content/config/troubleshooting/faq.md 
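Review bot: the new ham line `15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis` drops the `/.spamassassin` suffix that every other line passes to `--dbpath`, so that job trains a separate Bayes database and its ham never reaches the filter; it should read `--dbpath /var/mail-state/lib-amavis/.spamassassin`. The 2:00AM block also has no `# ham: ...` / `# spam: ...` comments while the 3:00AM block labels its INBOX line; keep the two blocks consistent.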
+++ b/docs/content/config/troubleshooting/faq.md @@ -89,12 +89,17 @@ edit the system cron file `nano cron/sa-learn`, and set an appropriate configura # m h dom mon dow user command # # Everyday 2:00AM, learn spam from a specific user +# spam: junk directory 0 2 * * * root sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +# ham: archive directories 15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis +# ham: inbox subdirectories 30 2 * * * root sa-learn --ham /var/mail/domain.com/username/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin # # Everyday 3:00AM, learn spam from all users of a domain +# spam: junk directory 0 3 * * * root sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin +# ham: archive directories 15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archives* --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: inbox subdirectories 30 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin From 3ceeef5a0005331d3f726a5e6d41d35ef545e97d Mon Sep 17 00:00:00 2001 From: Sebastian Wiesendahl Date: Sun, 24 Mar 2019 18:17:35 +0100 Subject: [PATCH 250/462] SA_SPAM_SUBJECT values --- docs/content/config/troubleshooting/faq.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2d6e3ee2..720b2108 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -51,6 +51,17 @@ Please use `STARTTLS`. ### How can I manage my custom Spamassassin rules? Antispam rules are managed in `config/spamassassin-rules.cf`. +### What are acceptable `SA_SPAM_SUBJECT` values? + +For no subject set `SA_SPAM_SUBJECT=undef`. + +For a trailing white-space subject one can define the whole variable with quotes in `docker-compose.yml`: + +```docker-compose + environment: + - "SA_SPAM_SUBJECT=[SPAM] " +``` + ### Why are Spamassassin x-headers not inserted into my sample.domain.com subdomain emails? In the default setup, amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. From 2df81a970b860e8f57e28ccb503facda0dbaa7a1 Mon Sep 17 00:00:00 2001 From: MegaXLR <8215278+megaxlr@users.noreply.github.com> Date: Fri, 19 Apr 2019 14:15:44 +0200 Subject: [PATCH 251/462] LetsEncrypt has a http challenge that runs http and https. --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 3447e47d..9a53fb40 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
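Review bot: the fence is tagged `docker-compose`, which most renderers do not recognise as a language; tag it `yaml`. The `SA_SPAM_SUBJECT=undef` case would also benefit from one clause saying what happens to delivered mail when no subject prefix is set, so readers know what "no subject" means in practice.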
@@ -35,7 +35,7 @@ You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of `` To renew your certificate just run (this will need access to port 443 from the internet, adjust your firewall if needed) ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 443:443 deliverous/certbot renew +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 deliverous/certbot renew ``` #### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion #### From 2a43e3c47e53d2368b143ba67f9d153806c16882 Mon Sep 17 00:00:00 2001 From: marios88 Date: Wed, 15 May 2019 14:44:01 +0300 Subject: [PATCH 252/462] Updated Installation Examples (markdown) --- .../tutorials/installation-examples.md | 20 +++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index 84029c39..a267a67d 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md @@ -116,7 +116,7 @@ We are going to use this docker based mailserver: docker-compose up mail ``` -- Create email accounts and aliases: +- Create email accounts and aliases with `SPOOF_PROTECTION=0`: ``` ./setup.sh email add admin@example.org passwd123 ./setup.sh email add info@example.org passwd123 
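Review bot: the renew command now publishes `-p 80:80 -p 443:443`, but the unchanged sentence above it still says "this will need access to port 443 from the internet"; update it to say ports 80 and 443 so the firewall advice matches the command. The commit message carries the reason (the HTTP challenge uses both ports); that reason belongs in the doc as well.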
@@ -125,15 +125,27 @@ We are going to use this docker based mailserver: ./setup.sh email list ./setup.sh alias list ``` - Aliases make sure that any email that comes to these accounts is forwarded to my real email address, so that I don't need to use POP3/IMAP in order to get these messages. Also no anti-spam and anti-virus software is needed, making the mailserver lighter. -- Send some test emails to these addreses and make other tests. Then +- Or create email accounts and aliases with `SPOOF_PROTECTION=1`: + ``` + ./setup.sh email add admin.gmail@example.org passwd123 + ./setup.sh email add info.gmail@example.org passwd123 + ./setup.sh alias add admin@example.org admin.gmail@example.org + ./setup.sh alias add info@example.org info.gmail@example.org + ./setup.sh alias add admin.gmail@example.org myemail@gmail.com + ./setup.sh alias add info.gmail@example.org myemail@gmail.com + ./setup.sh email list + ./setup.sh alias list + ``` + This extra step is required to avoid the `553 5.7.1 Sender address rejected: not owned by user` error (the account used for setting up gmail is `admin.gmail@example.org` and `info.gmail@example.org` ) + +- Send some test emails to these addresses and make other tests. Then stop the container with `Ctrl+c` and start it again as a daemon: - `docker-compose up mail -d`. + `docker-compose up -d mail`. - Now save on Moodle configuration the SMTP settings and test by trying to send some messages to other users: From 0a0e758d920b2b5107f1b49be18190e82685d07a Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 24 Jul 2019 14:31:42 +0200 Subject: [PATCH 253/462] Add info about mail-state --- docs/content/config/troubleshooting/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 720b2108..83476562 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
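Review bot: the sentence "Aliases make sure that any email that comes to these accounts is forwarded to my real email address ... making the mailserver lighter." is removed and not re-added, so the rationale for the alias setup is lost; keep it under the first bullet. In the new `SPOOF_PROTECTION=1` block, the closing sentence has a stray space before ")" and reads ambiguously about which account is used as the SMTP login for each sender, which is the whole point of the `553 5.7.1 Sender address rejected: not owned by user` error; name the login account per sender. The `docker-compose up -d mail` correction is right.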
@@ -31,6 +31,10 @@ Assuming that you use `docker-compose` and a data volume container named `mailda -ti tvial/docker-mailserver \ tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail +### What about `mail-state` folder? +This folder consolidates all data generated by the server itself to persist when you upgrade. +Example of data folder persisted: lib-amavis, lib-clamav, lib-fail2ban, lib-postfix, lib-postgrey, lib-spamassasin, lib-spamassassin, spool-postfix, ... + ### How can I configure my email client? Login are full email address (`user@domain.com`). From e03af03ef9ed21ca96f0f0fe9a0dda8001507391 Mon Sep 17 00:00:00 2001 From: cternes Date: Fri, 2 Aug 2019 22:10:14 +0200 Subject: [PATCH 254/462] Fix wrong directory for spamassassin learning --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 83476562..82e2a575 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -107,7 +107,7 @@ edit the system cron file `nano cron/sa-learn`, and set an appropriate configura # spam: junk directory 0 2 * * * root sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: archive directories -15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis +15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: inbox subdirectories 30 2 * * * root sa-learn --ham /var/mail/domain.com/username/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin # From c7e5755fb8b5699350db24223d57d2923ac81b1b Mon Sep 17 00:00:00 2001 
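Review bot: the list of persisted folders contains both `lib-spamassasin` and `lib-spamassassin`; the first is a misspelling and should be dropped. The answer also only describes the folder's contents; say how it is persisted (a volume mounted at `/var/mail-state`), otherwise the "persist when you upgrade" promise has no actionable step.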
From: Ovidiu Predescu Date: Tue, 6 Aug 2019 14:39:08 -0700 Subject: [PATCH 255/462] Syntax correction. --- docs/content/config/pop3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/pop3.md b/docs/content/config/pop3.md index 407e205f..b95580b2 100644 --- a/docs/content/config/pop3.md +++ b/docs/content/config/pop3.md @@ -1,6 +1,6 @@ **We do not recommend using POP. Use IMAP instead.** -If you really want to you have POP3 running, add 3 lines to the docker-compose.yml : +If you really want to have POP3 running, add 3 lines to the docker-compose.yml : Add the ports 110 and 995, and add environment variable ENABLE_POP : ``` From b66d34e2b7b102139d319d9a7ab3884811422372 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Wed, 21 Aug 2019 10:39:20 +0200 Subject: [PATCH 256/462] Added note about POSTFIX_MESSAGE_SIZE_LIMIT --- docs/content/advanced/override-defaults/postfix.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 02827861..2d04132b 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -7,6 +7,8 @@ For example, one common use of this file is for increasing the default maximum m message_size_limit = 52428800 ``` +That specific example is now supported and can be handled by setting POSTFIX_MESSAGE_SIZE_LIMIT. + [Postfix documentation](http://www.postfix.org/documentation.html) remains the best place to find configuration options. Each line in the provided file will be loaded into postfix. From eb9c857903476101a8a0201151346576f1f1f9c0 Mon Sep 17 00:00:00 2001 From: lukas Date: Thu, 22 Aug 2019 10:12:23 -0600 Subject: [PATCH 257/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 98 +++++++++++++++++++++++++++++ 1 file changed, 98 insertions(+) 
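Review bot: `POSTFIX_MESSAGE_SIZE_LIMIT` should be in backticks like the other identifiers, and the sentence should say what value it expects (the same byte count as the `message_size_limit = 52428800` example above it) so readers do not have to guess whether it takes bytes or a size suffix.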
diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 9a53fb40..fef505f0 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
@@ -97,6 +97,104 @@ Then +#### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion with docker-compose#### +The following docker-compose.yml is the basic setup you need for using letsencrypt-nginx-proxy-companion. It is mainly derived from its own wiki/documenation. + +``` +version: "2" + +services: + nginx: + image: nginx + container_name: nginx + ports: + - 80:80 + - 443:443 + volumes: + - /mnt/data/nginx/htpasswd:/etc/nginx/htpasswd + - /mnt/data/nginx/conf.d:/etc/nginx/conf.d + - /mnt/data/nginx/vhost.d:/etc/nginx/vhost.d + - /mnt/data/nginx/html:/usr/share/nginx/html + - /mnt/data/nginx/certs:/etc/nginx/certs:ro + networks: + - proxy-tier + restart: always + + nginx-gen: + image: jwilder/docker-gen + container_name: nginx-gen + volumes: + - /var/run/docker.sock:/tmp/docker.sock:ro + - /mnt/data/nginx/templates/nginx.tmpl:/etc/docker-gen/templates/nginx.tmpl:ro + volumes_from: + - nginx + entrypoint: /usr/local/bin/docker-gen -notify-sighup nginx -watch -wait 5s:30s /etc/docker-gen/templates/nginx.tmpl /etc/nginx/conf.d/default.conf + restart: always + + letsencrypt-nginx-proxy-companion: + image: jrcs/letsencrypt-nginx-proxy-companion + container_name: letsencrypt-companion + volumes_from: + - nginx + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /mnt/data/nginx/certs:/etc/nginx/certs:rw + environment: + - NGINX_DOCKER_GEN_CONTAINER=nginx-gen + - DEBUG=false + restart: always + +networks: + proxy-tier: + external: + name: nginx-proxy +``` + +The second part of the setup is the actual mail container. 
So, in another folder, create another docker-compose.yml with the following content (Removed all ENV variables for this example): +``` +version: '2' +services: + mail: + image: tvial/docker-mailserver:latest + hostname: ${HOSTNAME} + domainname: ${DOMAINNAME} + container_name: ${CONTAINER_NAME} + ports: + - "25:25" + - "143:143" + - "465:465" + - "587:587" + - "993:993" + volumes: + - ./mail:/var/mail + - ./mail-state:/var/mail-state + - ./config/:/tmp/docker-mailserver/ + - /mnt/data/nginx/certs/:/etc/letsencrypt/live/:ro + cap_add: + - NET_ADMIN + - SYS_PTRACE + restart: always + + cert-companion: + image: nginx + environment: + - "VIRTUAL_HOST=" + - "VIRTUAL_NETWORK=nginx-proxy" + - "LETSENCRYPT_HOST=" + - "LETSENCRYPT_EMAIL=" + networks: + - proxy-tier + restart: always + +networks: + proxy-tier: + external: + name: nginx-proxy + +``` +The mail container needs to have the letsencrypt certificate folder mounted as a volume. No further changes are needed. The second container is a dummy-sidecar we need, because the mail-container do not expose any web-ports. Set your ENV variables as you need. (VIRTUAL_HOST and LETSENCRYPT_HOST are mandandory, see documentation) + + #### Example using the letsencrypt certificates on a Synology NAS Version 6.2 and later of the Synology NAS DSM OS now come with an interface to generate and renew letencrypt certificates. Navigation into your DSM control panel and go to Security, then click on the tab Certificate to generate and manage letsencrypt certificates. Amongst other things, you can use these to secure your mail server. DSM locates the generated certificates in a folder below ```/usr/syno/etc/certificate/_archive/```. Navigate to that folder and note the 6 character random folder name of the certificate you'd like to use. Then, add the following to your ```docker-compose.yml``` declaration file: From aaaa0398b661664e1b9e4df14d779c3aa21f3b6c Mon Sep 17 00:00:00 2001 
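Review bot: both `nginx-gen` and `letsencrypt-nginx-proxy-companion` bind-mount `/var/run/docker.sock`; a read-only mount still lets a process inside those containers drive the Docker API, which is equivalent to root on the host, so the doc should say that this trade-off is inherent to the nginx-proxy approach and that the proxy containers must be treated as privileged. Smaller points: the heading ends with a stray `####`, "documenation" and "mandandory" are misspelled, "the mail-container do not expose" should be "does not expose", and the `cert-companion` service is declared with empty `VIRTUAL_HOST=` / `LETSENCRYPT_HOST=` values, so state explicitly that these must be set to the mail host name before starting.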
From: lukas Date: Fri, 23 Aug 2019 12:31:33 -0600 Subject: [PATCH 258/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index dd99f8e4..952a5702 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md @@ -10,6 +10,9 @@ To add a SPF record in your DNS, insert the following line in your DNS zone: ; Add SPF record domain.com. IN TXT "v=spf1 mx ~all" +This enables the Softfail mode for SPF. It is a good setting for getting started and testing everything. After verification, you might want to change your SPF record to: `v=spf1 mx -all`, to enforce the policy! + + Increment DNS serial and reload configuration. ## Backup MX, Secondary MX From 96524e30b47b1cef99a2d2cff68be3e4f51bc712 Mon Sep 17 00:00:00 2001 From: lukas Date: Fri, 23 Aug 2019 12:35:00 -0600 Subject: [PATCH 259/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index fef505f0..75722f0d 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -97,7 +97,7 @@ Then -#### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion with docker-compose#### +#### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion with docker-compose The following docker-compose.yml is the basic setup you need for using letsencrypt-nginx-proxy-companion. It is mainly derived from its own wiki/documenation. ``` From 2c3dd2adb8388ebe48beb41d973bb58a3940beb3 Mon Sep 17 00:00:00 2001 
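Review bot: the added paragraph sits immediately after the `domain.com. IN TXT "v=spf1 mx ~all"` zone line with no fence visible between them, so check that it lands outside the code block or it will render as part of the zone example; there are also two added blank lines where one is the convention. The advice itself is sound: `~all` (softfail) while testing, `-all` once delivery from the MX hosts has been verified.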
From: Erik Wramner Date: Tue, 3 Sep 2019 15:59:31 +0200 Subject: [PATCH 260/462] Added reference to https://github.com/tomav/docker-mailserver/issues/1247. --- docs/content/config/troubleshooting/faq.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 82e2a575..2aecd0db 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -172,6 +172,10 @@ Otherwise, it could work with 512M of RAM. Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. +### How can I authenticate users with SMTP_ONLY? + +See https://github.com/tomav/docker-mailserver/issues/1247 for an example. + ### Common errors ``` From 4556c808d7b8601f43155071dffc1032208d0b90 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 11 Sep 2019 16:48:58 +0200 Subject: [PATCH 261/462] Edit backup script --- docs/content/config/troubleshooting/faq.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2aecd0db..137cf939 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
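Review bot: pointing readers only at https://github.com/tomav/docker-mailserver/issues/1247 leaves the FAQ answer empty if the issue thread changes or is closed; summarise the approach in one or two sentences here and keep the link as a reference.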
@@ -25,11 +25,14 @@ You should use a [data volume container](https://medium.com/@ramangupta/why-dock Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: - docker run --rm \ - --volume dockermailserver_maildata:/var/mail \ - -v "$(pwd)":/backups \ - -ti tvial/docker-mailserver \ - tar cvzf /backups/docker-mailserver-`date +%y%m%d-%H%M%S`.tgz /var/mail +```docker run --rm -ti \ + -v maildata:/var/mail \ + -v mailstate:/var/mail-state \ + -v /backup/mail:/backup \ + alpine:3.2 \ + tar cvzf /backup/mail-`date +%y%m%d-%H%M%S`.tgz /var/mail /var/mail-state + +find /backup/mail -type f -mtime +30 -exec rm -f {} \;``` ### What about `mail-state` folder? This folder consolidates all data generated by the server itself to persist when you upgrade. From 038ec5942edce74e9f9e69533c6de985e775c6ba Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 11 Sep 2019 16:49:25 +0200 Subject: [PATCH 262/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 137cf939..1d476b47 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
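Review bot: the opening fence is glued to the first command (` ```docker run --rm -ti \ `) and the closing fence to the `find` line, so the block will not render as code; put each fence on its own line. The `find /backup/mail -type f -mtime +30 -exec rm -f {} \;` line silently deletes every backup older than 30 days and deserves a sentence of warning, since a reader copying the snippet may not expect a retention policy. `alpine:3.2` is an old tag for a throwaway tar container; use a current one. The sentence above still says "a data volume container named `maildata`" while the command now mounts the named volumes `maildata` and `mailstate`.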
@@ -25,14 +25,16 @@ You should use a [data volume container](https://medium.com/@ramangupta/why-dock Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: -```docker run --rm -ti \ +``` +docker run --rm -ti \ -v maildata:/var/mail \ -v mailstate:/var/mail-state \ -v /backup/mail:/backup \ alpine:3.2 \ tar cvzf /backup/mail-`date +%y%m%d-%H%M%S`.tgz /var/mail /var/mail-state -find /backup/mail -type f -mtime +30 -exec rm -f {} \;``` +find /backup/mail -type f -mtime +30 -exec rm -f {} \; +``` ### What about `mail-state` folder? This folder consolidates all data generated by the server itself to persist when you upgrade. From 3fc2da3be26c52d89817d4df88358e7f720fd188 Mon Sep 17 00:00:00 2001 From: Thomas VIAL Date: Wed, 11 Sep 2019 16:50:15 +0200 Subject: [PATCH 263/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 1d476b47..2e9a2e0c 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -23,7 +23,7 @@ You should use a [data volume container](https://medium.com/@ramangupta/why-dock ### What about backups? -Assuming that you use `docker-compose` and a data volume container named `maildata`, you can backup your user mails like this: +Assuming that you use `docker-compose` and a data volumes, you can backup your user mails like this: ``` docker run --rm -ti \ @@ -31,7 +31,7 @@ docker run --rm -ti \ -v mailstate:/var/mail-state \ -v /backup/mail:/backup \ alpine:3.2 \ - tar cvzf /backup/mail-`date +%y%m%d-%H%M%S`.tgz /var/mail /var/mail-state + tar czf /backup/mail-`date +%y%m%d-%H%M%S`.tgz /var/mail /var/mail-state find /backup/mail -type f -mtime +30 -exec rm -f {} \; ``` From 37966e425d401be7a7d5775aa21b29f0a9171c52 Mon Sep 17 00:00:00 2001 
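Review bot: "Assuming that you use `docker-compose` and a data volumes" is ungrammatical; "and named data volumes" (or "the `maildata` and `mailstate` volumes") reads correctly. Dropping `v` from `tar cvzf` is fine for a scripted backup.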
From: Andreas Perhab <38032588+ap-wtioit@users.noreply.github.com> Date: Fri, 11 Oct 2019 12:10:23 +0200 Subject: [PATCH 264/462] path for generated certificates has changed --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 75722f0d..0dc74f7e 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -215,7 +215,7 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. You can easily generate a self-signed SSL certificate by using the following command: - docker run -ti --rm -v "$(pwd)"/config/ssl:/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate + docker run -ti --rm -v "$(pwd)"/config/ssl:/tmp/docker-mailserver/ssl -h mail.my-domain.com -t tvial/docker-mailserver generate-ssl-certificate # Press enter # Enter a password when needed From c755c763f542844c008240e2e90bf8d2c50a0cc4 Mon Sep 17 00:00:00 2001 From: mchamplain Date: Sun, 27 Oct 2019 01:37:42 -0400 Subject: [PATCH 265/462] adding note about keys on multiple line --- docs/content/config/best-practices/dkim.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 20fcfb9b..4940ee8e 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -30,6 +30,16 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. +Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines, if so then you need to concatenate the values +``` +; OpenDKIM +mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " + "p=AZERTYUIOPQSDF..." + "asdfQWERTYUIOPQSDF..." ) ; ----- DKIM key mail for domain.tld +``` +the target (or value) field must then have all the parts together `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` + + ## Verify-only If you want DKIM to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): From bb7bfdbf1e2bb03418e6aedc2f7c4d4a2090b4b6 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Mon, 28 Oct 2019 09:15:34 +0100 Subject: [PATCH 266/462] Added note about clamav memory usage and swap. --- docs/content/config/troubleshooting/faq.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 2e9a2e0c..8d3a85ec 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
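Review bot: the note should say why the key is split: a single character-string in a DNS TXT record is limited to 255 bytes, so long RSA public keys are emitted as several quoted strings that the resolver concatenates. Formatting: "Note: Sometimes the key ... if so then you need to concatenate the values" is a run-on, and "the target (or value) field must then ..." starts lowercase after the code block; also state explicitly that the pieces are joined with no spaces between them, which the example implies but does not say.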
@@ -170,9 +170,11 @@ If everything is OK regarding DNS, please provide [formatted logs](https://guide If we're blind, we won't be able to do anything. ### Which system requirements needs my container to run `docker-mailserver` effectively? -1 core and 1GB of RAM + Swap partition is recommended to run `docker-mailserver` with Clamav. +1 core and 1GB of RAM + swap partition is recommended to run `docker-mailserver` with clamav. Otherwise, it could work with 512M of RAM. +Please note that clamav can consume a lot of memory, as it reads the entire signature database into RAM. Current figure is about 850M and growing. If you get errors about clamav or amavis failing to allocate memory you need more RAM or more swap and of course docker must be allowed to use swap (not always the case). If you can't use swap at all you may need 3G RAM. + ### Is `docker-mailserver` running in a [rancher environment](http://rancher.com/rancher/)? Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. From 2ebea365e64e634c5c03f63b691978b52228ccb1 Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Mon, 4 Nov 2019 19:36:52 +0100 Subject: [PATCH 267/462] Replace deliveries/certbot docker image by official certbot/cerbot --- docs/content/config/security/ssl.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 0dc74f7e..f57ff008 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
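Review bot: "Current figure is about 850M and growing" will go stale; date it or phrase it as "at the time of writing". "docker must be allowed to use swap (not always the case)" is vague; name what the reader has to check (whether the host has swap at all, and the container's memory and memory-swap limits, e.g. `--memory-swap` on `docker run`). The unchanged heading "Which system requirements needs my container to run" should read "does my container need to run".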
@@ -29,13 +29,13 @@ cd /home/ubuntu/docker/letsencrypt Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. This will need access to port 80 from the internet, adjust your firewall if needed ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 deliverous/certbot certonly --standalone -d mail.myserver.tld +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 cerbot/certbot certonly --standalone -d mail.myserver.tld ``` You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` To renew your certificate just run (this will need access to port 443 from the internet, adjust your firewall if needed) ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 deliverous/certbot renew +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 certbot/certbot renew ``` #### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion #### From ff83bf1a014804cfcffc868eb6be40d7187e0ac2 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Sun, 10 Nov 2019 10:10:32 +0100 Subject: [PATCH 268/462] Addded example for overriding postfix-master.cf --- docs/content/advanced/override-defaults/postfix.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 2d04132b..763d32da 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md 
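Review bot: the two commands now reference different images: the `certonly` line uses `cerbot/certbot` (typo) while the `renew` line uses `certbot/certbot`; fix the first to `certbot/certbot` so both pull the official image. The commit message misspells it too ("certbot/cerbot").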
@@ -13,4 +13,10 @@ That specific example is now supported and can be handled by setting POSTFIX_MES Each line in the provided file will be loaded into postfix. +In the same way it is possible to add a custom `config/postfix-master.cf` file that will override the standard `master.cf`. Each line in the file will be passed to `postconf -P`. The expected format is service_name/type/parameter, for example: +``` +submission/inet/smtpd_reject_unlisted_recipient=no +``` +Run `postconf -P` in the container without arguments to see the active master options. + Have a look at the code for more information. \ No newline at end of file From 2598c2a3f1f26b6858c099b45a852beff92ce0ee Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Sun, 10 Nov 2019 10:12:55 +0100 Subject: [PATCH 269/462] Added warning about spaces in options --- docs/content/advanced/override-defaults/postfix.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/override-defaults/postfix.md b/docs/content/advanced/override-defaults/postfix.md index 763d32da..d8ed58eb 100644 --- a/docs/content/advanced/override-defaults/postfix.md +++ b/docs/content/advanced/override-defaults/postfix.md @@ -19,4 +19,6 @@ submission/inet/smtpd_reject_unlisted_recipient=no ``` Run `postconf -P` in the container without arguments to see the active master options. +Note! There should be no space between the parameter and the value. + Have a look at the code for more information. \ No newline at end of file From 404f9f9dbbe356d236bf46aa2710f3241f0c45ed Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Tue, 12 Nov 2019 11:42:46 +0100 Subject: [PATCH 270/462] Wrong filebeat config path --- docs/content/configure-elk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md index 166eb3f0..9eb257cf 100644 --- a/docs/content/configure-elk.md +++ b/docs/content/configure-elk.md 
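Review bot: the chosen example `submission/inet/smtpd_reject_unlisted_recipient=no` switches off a recipient check on the submission service; either explain what it does and when it is wanted, or pick a neutral example, so readers do not paste it without understanding the effect. The hunk also leaves "No newline at end of file" on `postfix.md`.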
@@ -22,7 +22,7 @@ You can override that template or set a custom config file as ro volume. mail: ~ volumes: - - config/filebeat.yml:/etc/filebeat.yml:ro + - config/filebeat.yml:/etc/filebeat/filebeat.yml:ro ``` ## Run ELK embedded on mailserver stack. From 477c84684a77923bcdffb3b10aac0927ac087363 Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Tue, 12 Nov 2019 11:43:40 +0100 Subject: [PATCH 271/462] Fix wrong volume syntax --- docs/content/configure-elk.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md index 9eb257cf..b5ca504b 100644 --- a/docs/content/configure-elk.md +++ b/docs/content/configure-elk.md @@ -22,7 +22,7 @@ You can override that template or set a custom config file as ro volume. mail: ~ volumes: - - config/filebeat.yml:/etc/filebeat/filebeat.yml:ro + - ./config/filebeat.yml:/etc/filebeat/filebeat.yml:ro ``` ## Run ELK embedded on mailserver stack. From 2305c464bb8aeca7b2a3b4e1e59d35351bc3fb4d Mon Sep 17 00:00:00 2001 From: Vilius <34487517+vilisas@users.noreply.github.com> Date: Sun, 17 Nov 2019 11:47:23 +0200 Subject: [PATCH 272/462] Fixed a typo in docker repository name (certbot instead of cerbot) --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index f57ff008..8d017d5b 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
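Review bot: The host-side path in the first hunk, `config/filebeat.yml`, still lacks a leading `./`; Docker Compose only treats a source beginning with `.` or `/` as a bind mount and otherwise tries to interpret it as a named volume, so the line should be `- ./config/filebeat.yml:/etc/filebeat/filebeat.yml:ro` (the second hunk on this line makes exactly that change). Keeping `:ro` on a configuration file is the right call.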
@@ -29,7 +29,7 @@ cd /home/ubuntu/docker/letsencrypt Now get the certificate (modify ```mail.myserver.tld```) and following the certbot instructions. This will need access to port 80 from the internet, adjust your firewall if needed ``` -docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 cerbot/certbot certonly --standalone -d mail.myserver.tld +docker run --rm -ti -v $PWD/log/:/var/log/letsencrypt/ -v $PWD/etc/:/etc/letsencrypt/ -p 80:80 certbot/certbot certonly --standalone -d mail.myserver.tld ``` You can now mount /home/ubuntu/docker/letsencrypt/etc/ in /etc/letsencrypt of ```docker-mailserver``` From 90a9cba1c02753b3cc59cebe2dc409abd49864c3 Mon Sep 17 00:00:00 2001 From: Kaan88 Date: Wed, 20 Nov 2019 15:10:46 +0300 Subject: [PATCH 273/462] Spamassing cron directories are wrong for Archive and Inbox. On my fresh install it's not .Archives but .Archive and I don't have a separate INBOX folder, just cur, new etc under main mail dir. --- docs/content/config/troubleshooting/faq.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 8d3a85ec..25cf2ec2 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -112,17 +112,17 @@ edit the system cron file `nano cron/sa-learn`, and set an appropriate configura # spam: junk directory 0 2 * * * root sa-learn --spam /var/mail/domain.com/username/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: archive directories -15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archives* --dbpath /var/mail-state/lib-amavis/.spamassassin +15 2 * * * root sa-learn --ham /var/mail/domain.com/username/.Archive* --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: inbox subdirectories -30 2 * * * root sa-learn --ham /var/mail/domain.com/username/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin +30 2 * * * root sa-learn --ham /var/mail/domain.com/username/cur* --dbpath /var/mail-state/lib-amavis/.spamassassin # # Everyday 3:00AM, learn spam from all users of a domain # spam: junk directory 0 3 * * * root sa-learn --spam /var/mail/otherdomain.com/*/.Junk --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: archive directories -15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archives* --dbpath /var/mail-state/lib-amavis/.spamassassin +15 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.Archive* --dbpath /var/mail-state/lib-amavis/.spamassassin # ham: inbox subdirectories -30 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/.INBOX.* --dbpath /var/mail-state/lib-amavis/.spamassassin +30 3 * * * root sa-learn --ham /var/mail/otherdomain.com/*/cur* --dbpath /var/mail-state/lib-amavis/.spamassassin ``` with plain docker-compose: From 5d0715c2e1ae874beb06fc0bed21170af66b9ec3 Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Fri, 20 Dec 2019 18:14:02 +0100 Subject: [PATCH 274/462] Add sections for catch-all and delete --- docs/content/config/troubleshooting/faq.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 25cf2ec2..005116b5 100644 
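Review bot: The two new `cur*` lines keep the comment `# ham: inbox subdirectories`, but `/var/mail/domain.com/username/cur*` matches only the top-level `cur` directory of the Maildir, i.e. the INBOX itself, not its subfolders, and the trailing `*` is redundant; change the comment to "ham: inbox" and use `.../cur` (adding `.../new` if unread messages should also be learned as ham). `.Archive*` now matches `.Archive` plus any folder whose name starts with it, which appears to be the intent but is worth saying.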
--- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -156,6 +156,22 @@ configs: With the default settings, Spamassassin will require 200 mails trained for spam (for example with the method explained above) and 200 mails trained for ham (using the same command as above but using `--ham` and providing it with some ham mails). Until you provided these 200+200 mails, Spamassasin will not take the learned mails into account. For further reference, see the [Spamassassin Wiki](https://wiki.apache.org/spamassassin/BayesNotWorking). +### How can I configure a catch-all? +Considering you want to redirect all incoming e-mails for the domain `domain.tld` to `user1@domain.tld`, add the following line to `config/postfix-virtual.cf`: +``` +@domain.tld user1@domain.tld +``` + +### How can I delete all the e-mails for a specific user? +First of all, create a special alias named `devnull` by editing `config/postfix-aliases.cf`: +``` +devnull: /dev/null +``` +Considering you want to delete all the e-mails received for `baduser@domain.tld`, add the following line to `config/postfix-virtual.cf`: +``` +baduser@domain.tld devnull +``` + ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. From 53f092e8c69e2880e23bcd670f5e3ddfb1fa6577 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Sat, 18 Jan 2020 11:39:04 +0100 Subject: [PATCH 275/462] Added FAQ about naked/bare domains --- docs/content/config/troubleshooting/faq.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 005116b5..af900e06 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
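Review bot: Two caveats belong beside these additions. The catch-all line `@domain.tld user1@domain.tld` makes Postfix accept mail for every address at the domain, so `user1` receives the dictionary-style spam that would otherwise be rejected at RCPT time for unknown recipients; say so. The `devnull: /dev/null` alias only takes effect if `devnull` is delivered locally, because `postfix-aliases.cf` feeds the alias map used by local delivery, so it relies on `$myhostname` being in `mydestination` (the default); worth stating, since the bare-domain FAQ on this page tells users to remove exactly that entry.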
@@ -71,6 +71,18 @@ For a trailing white-space subject one can define the whole variable with quotes - "SA_SPAM_SUBJECT=[SPAM] " ``` +### Can I use naked/bare domains (no host name)? + +Yes, but not without some configuration changes. Normally it is assumed that docker-mailserver runs on a host with a name, so the fully qualified host name might be mail.example.com with the domain is example.com. The MX records point to mail.example.com. To use a bare domain where the host name is example.com and the domain is also example.com, change mydestination from: + +`mydestination = $myhostname, localhost.$mydomain, localhost` + +To: + +`mydestination = localhost.$mydomain, localhost` + +Add the latter line to config/postfix-main.cf. That should work. + ### Why are Spamassassin x-headers not inserted into my sample.domain.com subdomain emails? In the default setup, amavis only applies Spamassassin x-headers into domains matching the template listed in the config file 05-domain_id (in the amavis defaults). The default setup @local_domains_acl = ( ".$mydomain" ); does not match subdomains. To match subdomains, you can override the @local_domains_acl directive in the amavis user config file 50-user with @local_domains_maps = ("."); to match any sort of domain template. From 30bbc15a8bc2b9527e7aab4dad58fd084c74bacc Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Sat, 18 Jan 2020 12:27:45 +0100 Subject: [PATCH 276/462] Improved description for bare domains --- docs/content/config/troubleshooting/faq.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index af900e06..3b3b1a81 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
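Review bot: The answer ends with "That should work" without saying why `$myhostname` has to leave `mydestination`: when the host name equals the domain, the domain ends up both in `mydestination` and in the virtual domain list, which Postfix warns about and which breaks delivery for that domain; add that rationale. Also format `config/postfix-main.cf` as code, as the other file names in this FAQ are.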
@@ -73,7 +73,7 @@ For a trailing white-space subject one can define the whole variable with quotes ### Can I use naked/bare domains (no host name)? -Yes, but not without some configuration changes. Normally it is assumed that docker-mailserver runs on a host with a name, so the fully qualified host name might be mail.example.com with the domain is example.com. The MX records point to mail.example.com. To use a bare domain where the host name is example.com and the domain is also example.com, change mydestination from: +Yes, but not without some configuration changes. Normally it is assumed that docker-mailserver runs on a host with a name, so the fully qualified host name might be `mail.example.com` with the domain `example.com`. The MX records point to `mail.example.com`. To use a bare domain where the host name is `example.com` and the domain is also `example.com`, change mydestination from: `mydestination = $myhostname, localhost.$mydomain, localhost` @@ -81,7 +81,11 @@ To: `mydestination = localhost.$mydomain, localhost` -Add the latter line to config/postfix-main.cf. That should work. +Add the latter line to config/postfix-main.cf. That should work. Without that change there will be warnings in the logs like: + +`warning: do not list domain example.com in BOTH mydestination and virtual_mailbox_domains` + +Plus of course mail delivery fails. ### Why are Spamassassin x-headers not inserted into my sample.domain.com subdomain emails? From f9ec66904f5e538137d0456d964c23b594967fa8 Mon Sep 17 00:00:00 2001 From: Remo E Date: Sun, 2 Feb 2020 19:28:51 +0100 Subject: [PATCH 277/462] updated the deployment manifests. Tested with Kubernetes 1.17 and docker-mailserver v6.2.1 --- docs/content/advanced/kubernetes.md | 232 +++++++++++++++++++--------- 1 file changed, 162 insertions(+), 70 deletions(-) diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md index 56276a58..3d4bf1dc 100644 --- a/docs/content/advanced/kubernetes.md 
+++ b/docs/content/advanced/kubernetes.md @@ -3,32 +3,35 @@ There is nothing much in deploying mailserver to Kubernetes itself. The things are pretty same as in [`docker-compose.yml`][1], but with Kubernetes syntax. ```yaml -kind: Service apiVersion: v1 +kind: Namespace metadata: name: mailserver +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: mailserver.env.config + namespace: mailserver labels: app: mailserver -spec: - selector: - app: mailserver - ports: - - name: smtp - port: 25 - targetPort: smtp - - name: smtp-auth - port: 587 - targetPort: smtp-auth - - name: imap-secure - port: 993 - targetPort: imap-secure +data: + OVERRIDE_HOSTNAME: example.com + ENABLE_FETCHMAIL: "0" + FETCHMAIL_POLL: "120" + ENABLE_SPAMASSASSIN: "0" + ENABLE_CLAMAV: "0" + ENABLE_FAIL2BAN: "0" + ENABLE_POSTGREY: "0" + ONE_DIR: "1" + DMS_DEBUG: "0" --- - kind: ConfigMap apiVersion: v1 metadata: name: mailserver.config + namespace: mailserver labels: app: mailserver data: @@ -38,6 +41,18 @@ data: postfix-virtual.cf: | alias1@example.com user1@dexample.com + #dovecot.cf: | + # service stats { + # unix_listener stats-reader { + # group = docker + # mode = 0666 + # } + # unix_listener stats-writer { + # group = docker + # mode = 0666 + # } + # } + SigningTable: | *@example.com mail._domainkey.example.com @@ -47,13 +62,18 @@ data: TrustedHosts: | 127.0.0.1 localhost - ---- + + #user-patches.sh: | + # #!/bin/bash + #fetchmail.cf: | + +--- kind: Secret apiVersion: v1 metadata: name: mailserver.opendkim.keys + namespace: mailserver labels: app: mailserver type: Opaque 
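Review bot: Two points on the ConfigMap hunk. `mailserver.env.config` sets ENABLE_SPAMASSASSIN, ENABLE_CLAMAV, ENABLE_FAIL2BAN and ENABLE_POSTGREY all to "0"; acceptable for a minimal example, but manifests get copied verbatim, so add a sentence that these protections are switched off here and should be enabled for a real deployment. The commented `dovecot.cf` sample creates the stats sockets with `mode = 0666`; world-writable is wider than needed when `group = docker` is already set, `0660` would do. In the unchanged context, `user1@dexample.com` looks like a typo for `user1@example.com`.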
@@ -61,65 +81,137 @@ data: example.com-mail.key: 'base64-encoded-DKIM-key' --- - -kind: Deployment -apiVersion: extensions/v1beta1 +kind: Service +apiVersion: v1 metadata: name: mailserver + namespace: mailserver labels: app: mailserver spec: - strategy: - type: Recreate + selector: + app: mailserver + ports: + - name: smtp + port: 25 + targetPort: smtp + - name: smtp-secure + port: 465 + targetPort: smtp-secure + - name: smtp-auth + port: 587 + targetPort: smtp-auth + - name: imap + port: 143 + targetPort: imap + - name: imap-secure + port: 993 + targetPort: imap-secure +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mailserver + namespace: mailserver +spec: + replicas: 1 + selector: + matchLabels: + app: mailserver template: metadata: labels: app: mailserver + role: mail + tier: backend spec: - nodeSelector: - has/mail-server: 'true' - subdomain: mailserver + #nodeSelector: + # kubernetes.io/hostname: local.k8s + #initContainers: + #- name: init-myservice + # image: busybox + # command: ["/bin/sh", "-c", "cp /tmp/user-patches.sh /tmp/files"] + # volumeMounts: + # - name: config + # subPath: user-patches.sh + # mountPath: /tmp/user-patches.sh + # readOnly: true + # - name: tmp-files + # mountPath: /tmp/files containers: - - name: mailserver - image: tvial/docker-mailserver:2.1 - ports: - - name: smtp - containerPort: 25 - - name: smtp-auth - containerPort: 587 - - name: imap-secure - containerPort: 993 - env: - - name: ONE_DIR - value: '1' - volumeMounts: - - name: config - subPath: postfix-accounts.cf - mountPath: /tmp/docker-mailserver/postfix-accounts.cf - readOnly: true - - name: config - subPath: postfix-virtual.cf - mountPath: /tmp/docker-mailserver/postfix-virtual.cf - readOnly: true - - name: config - subPath: SigningTable - mountPath: /tmp/docker-mailserver/opendkim/SigningTable - readOnly: true - - name: config - subPath: KeyTable - mountPath: /tmp/docker-mailserver/opendkim/KeyTable - readOnly: true - - name: config - subPath: 
TrustedHosts - mountPath: /tmp/docker-mailserver/opendkim/TrustedHosts - readOnly: true - - name: opendkim-keys - mountPath: /tmp/docker-mailserver/opendkim/keys - readOnly: true - - name: data - mountPath: /var/mail - - name: state - mountPath: /var/mail-state + - name: smtp + image: tvial/docker-mailserver:release-v6.2.1 + imagePullPolicy: Always + volumeMounts: + - name: config + subPath: postfix-accounts.cf + mountPath: /tmp/docker-mailserver/postfix-accounts.cf + readOnly: true + #- name: config + # subPath: postfix-main.cf + # mountPath: /tmp/docker-mailserver/postfix-main.cf + # readOnly: true + - name: config + subPath: postfix-virtual.cf + mountPath: /tmp/docker-mailserver/postfix-virtual.cf + readOnly: true + - name: config + subPath: fetchmail.cf + mountPath: /tmp/docker-mailserver/fetchmail.cf + readOnly: true + - name: config + subPath: dovecot.cf + mountPath: /tmp/docker-mailserver/dovecot.cf + readOnly: true + #- name: config + # subPath: user1.example.com.dovecot.sieve + # mountPath: /tmp/docker-mailserver/user1@example.com.dovecot.sieve + # readOnly: true + #- name: tmp-files + # subPath: user-patches.sh + # mountPath: /tmp/docker-mailserver/user-patches.sh + - name: config + subPath: SigningTable + mountPath: /tmp/docker-mailserver/opendkim/SigningTable + readOnly: true + - name: config + subPath: KeyTable + mountPath: /tmp/docker-mailserver/opendkim/KeyTable + readOnly: true + - name: config + subPath: TrustedHosts + mountPath: /tmp/docker-mailserver/opendkim/TrustedHosts + readOnly: true + - name: opendkim-keys + mountPath: /tmp/docker-mailserver/opendkim/keys + readOnly: true + - name: data + mountPath: /var/mail + subPath: data + - name: data + mountPath: /var/mail-state + subPath: state + - name: data + mountPath: /var/log/mail + subPath: log + ports: + - name: smtp + containerPort: 25 + protocol: TCP + - name: smtp-secure + containerPort: 465 + protocol: TCP + - name: smtp-auth + containerPort: 587 + - name: imap + containerPort: 143 + 
protocol: TCP + - name: imap-secure + containerPort: 993 + protocol: TCP + envFrom: + - configMapRef: + name: mailserver.env.config volumes: - name: config configMap: @@ -128,11 +220,11 @@ spec: secret: secretName: mailserver.opendkim.keys - name: data - hostPath: - path: /path/to/mailserver/data - - name: state - hostPath: - path: /path/to/mailserver/state + persistentVolumeClaim: + claimName: mail-storage + - name: tmp-files + emptyDir: {} + ``` __Note:__ From 2e2c5d99318c048e0c9592c41d9dbfb40dcb2237 Mon Sep 17 00:00:00 2001 From: Claus Beerta Date: Sun, 2 Feb 2020 20:48:22 +0100 Subject: [PATCH 278/462] Add a note on the Biggest flaw of using `hostNetwork` --- docs/content/advanced/kubernetes.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md index 3d4bf1dc..eca69981 100644 --- a/docs/content/advanced/kubernetes.md +++ b/docs/content/advanced/kubernetes.md @@ -343,6 +343,7 @@ metadata: ##### Downsides - Not possible to access mailserver via other cluster Nodes, only via the one mailserver deployed at. +- Every Port within the Container is exposed on the Host side, regardless of what the `ports` section in the Configuration defines. ### Proxy port to Service via PROXY protocol From 85aed0d1d112f388f2c8d8379edec3db0ae25a3e Mon Sep 17 00:00:00 2001 From: odinis <23659698+odinis@users.noreply.github.com> Date: Fri, 14 Feb 2020 01:14:31 +0200 Subject: [PATCH 279/462] Proxy setup is nowhere mentioned. --- docs/content/config/troubleshooting/faq.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 3b3b1a81..1c0b4725 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
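Review bot: The Deployment mounts `subPath: fetchmail.cf` and `subPath: dovecot.cf` from the `config` ConfigMap, but in the ConfigMap hunk both keys are commented out (`#dovecot.cf: |`, `#fetchmail.cf: |`); a subPath that is not a key of the ConfigMap does not yield the file, so either uncomment the keys or comment out the two mounts as is done for the sieve file. Smaller points: the `smtp-auth` containerPort lacks the `protocol: TCP` the other ports carry; `imagePullPolicy: Always` is unnecessary with the pinned `release-v6.2.1` tag and makes every restart depend on the registry; and the volumes hunk introduces `claimName: mail-storage` without a PersistentVolumeClaim manifest anywhere in the document, so state that one has to be created.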
@@ -232,6 +232,13 @@ mail amavis[1459]: (01459-01) (!)ClamAV-clamscan av-scanner FAILED: /usr/bin/cla mail amavis[1459]: (01459-01) (!!)AV: ALL VIRUS SCANNERS FAILED # Clamav is not running (not started or because you don't have enough memory) # => check requirements and/or start Clamav +``` +### Using behind proxy +Add to `/etc/postfix/main.cf` : +``` + +proxy_interfaces = X.X.X.X (your public IP) + ``` ### What about updates From 957e3056e6852c6eefadcc75f88454f495a457fd Mon Sep 17 00:00:00 2001 From: Hans-Cees Speel Date: Mon, 24 Feb 2020 22:11:50 +0100 Subject: [PATCH 280/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 35 +++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 1c0b4725..51eaf93a 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
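Review bot: This section tells the reader to edit `/etc/postfix/main.cf` inside the container, which is lost when the container is recreated; the rest of this FAQ uses `config/postfix-main.cf` for persistent overrides, and the line belongs there. The hint `(your public IP)` sits inside the code block where it would be copied into the value; move it outside the fence. Strictly, `proxy_interfaces` is Postfix's setting for NAT or port forwarding rather than a proxy, so the heading is misleading.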
@@ -244,4 +244,37 @@ proxy_interfaces = X.X.X.X (your public IP) ### What about updates You can of course use a own script or every now and then pull && stop && rm && start the images but there are tools available for this. -There is a page in the [Update and cleanup](Update-and-cleanup) wiki page that explains how to use it the docker way. \ No newline at end of file +There is a page in the [Update and cleanup](Update-and-cleanup) wiki page that explains how to use it the docker way. + + +### Howto adjust settings with the user-patches.sh script +Suppose you want to change a number of settings that are not listed as variables or add things to the server that are not included? + +This docker-container has a built-in way to do post-install processes. If you place a script called **user-patches.sh** in the config directory it will be run after all configuration files are set up, but before the postfix, amavis and other daemons are started. + +The config file I am talking about is this volume in the yml file: +`- ./config/:/tmp/docker-mailserver/` + +To place such a script you can just make it in the config dir, for instance like this: +`cd ./config` +`touch user-patches.sh` +`chmod +x user-patches.sh` +and then fill it with suitable code. + +If you want to test it you can move into the running container, run it and see if it does what you want. For instance: +`./setup.sh debug login # start shell in container` +`cat /tmp/docker-mailserver/user-patches.sh #check the file` +`/tmp/docker-mailserver/user-patches.sh ## run the script` +`exit` + +You can do a lot of things with such a script. You can find an example user-patches.sh script here: [example user-patches.sh script](https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh) + + + + + + + + + + From 5ace30e413112cb1f35247ffcc59061a03dfc153 Mon Sep 17 00:00:00 2001 
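Review bot: Worth adding a sentence on what `user-patches.sh` implies: anything placed in `./config/` (mounted at `/tmp/docker-mailserver/`) is executed inside the container at every start, so write access to that directory amounts to running arbitrary code in the mail server, and ownership and permissions on the host should be restricted accordingly. Formatting: the `cd ./config` / `touch` / `chmod +x` lines and the four test commands are separate inline backticks that render on one line; use fenced blocks, and drop the run of blank lines at the end of the hunk.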
From: Hans-Cees Speel Date: Mon, 24 Feb 2020 22:13:16 +0100 Subject: [PATCH 281/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 51eaf93a..c1357840 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -257,14 +257,20 @@ The config file I am talking about is this volume in the yml file: To place such a script you can just make it in the config dir, for instance like this: `cd ./config` + `touch user-patches.sh` + `chmod +x user-patches.sh` + and then fill it with suitable code. If you want to test it you can move into the running container, run it and see if it does what you want. For instance: `./setup.sh debug login # start shell in container` + `cat /tmp/docker-mailserver/user-patches.sh #check the file` + `/tmp/docker-mailserver/user-patches.sh ## run the script` + `exit` You can do a lot of things with such a script. You can find an example user-patches.sh script here: [example user-patches.sh script](https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh) From 1b8612395413d283c77be714f06fda86b35ed89e Mon Sep 17 00:00:00 2001 From: Hans-Cees Speel Date: Mon, 24 Feb 2020 22:14:09 +0100 Subject: [PATCH 282/462] added user-patches.sh explanation and example --- docs/content/config/troubleshooting/faq.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index c1357840..4379b863 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
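Review bot: Separating the backticked commands with blank lines yields one paragraph per command; a single fenced block for the three setup lines and another for the four test lines is the idiom used elsewhere in this FAQ and is easier to copy.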
@@ -252,10 +252,12 @@ Suppose you want to change a number of settings that are not listed as variables This docker-container has a built-in way to do post-install processes. If you place a script called **user-patches.sh** in the config directory it will be run after all configuration files are set up, but before the postfix, amavis and other daemons are started. -The config file I am talking about is this volume in the yml file: +The config file I am talking about is this volume in the yml file: + `- ./config/:/tmp/docker-mailserver/` To place such a script you can just make it in the config dir, for instance like this: + `cd ./config` `touch user-patches.sh` @@ -265,6 +267,7 @@ To place such a script you can just make it in the config dir, for instance like and then fill it with suitable code. If you want to test it you can move into the running container, run it and see if it does what you want. For instance: + `./setup.sh debug login # start shell in container` `cat /tmp/docker-mailserver/user-patches.sh #check the file` From 4ca57b8e9efc8667a557ef8b0658433ed1920805 Mon Sep 17 00:00:00 2001 From: Hans-Cees Speel Date: Tue, 25 Feb 2020 14:24:36 +0100 Subject: [PATCH 283/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 105 +++++++++++++++++++++++++++- 1 file changed, 104 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 8d017d5b..880ef1ad 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
@@ -287,4 +287,107 @@ These options in conjunction mean: ``` ssl=yes and disable_plaintext_auth=no: SSL/TLS is offered to the client, but the client isn't required to use it. The client is allowed to login with plaintext authentication even when SSL/TLS isn't enabled on the connection. This is insecure, because the plaintext password is exposed to the internet. -``` \ No newline at end of file +``` + +### Importing certificates obtained via another source +If you have another source for SSL/TLS certificates you can import them into the server via an external script. The external script can be found here: [external certificate import script](https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-renew-certs) + +The steps to follow are these: +1. Transport the new certificates to ./config/sll (/tmp/ssl in the container) +2. You should provide fullchain.key and privkey.pem +3. Place the script in ./config/ (or /tmp/docker-mailserver/ inside the container) +4. Make the script executable (chmod +x tomav-renew-certs.sh ) +5. Run the script: docker exec mail /tmp/docker-mailserver/tomav-renew-certs.sh + +If an error occurs the script will inform you. If not you will see both postfix and dovecot restart. 
+ +After the certificates have been loaded you can check the certificate: + +``` + +openssl s_client -servername mail.mydomain.net -connect 192.168.0.72:465 2>/dev/null | openssl x509 + +# or + +openssl s_client -servername mail.mydomain.net -connect mail.mydomain.net:465 2>/dev/null | openssl x509 + +``` + +Or you can check how long the new certificate is valid with commands like: +``` +export SITE_URL="mail.mydomain.net" +export SITE_IP_URL="192.168.0.72" ## can also be mail.mydomain.net +export SITE_SSL_PORT="465" ##imap port dovecot + +##works: check if certificate will expire in two weeks +#2 weeks is 1209600 seconds +#3 weeks is 1814400 +#12 weeks is 7257600 +#15 weeks is 9072000 + +certcheck_2weeks=`openssl s_client -connect ${SITE_IP_URL}:${SITE_SSL_PORT} \ + -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -checkend 1209600` + +#################################### +#notes: output can be +#Certificate will not expire +#Certificate will expire +#################### + +``` + +What does the script that imports the certificates do: +1. Check if there are new certs in the /tmp/ssl folder +2. check with the ssl cert fingerprint if they differ from the current certificates +3. if so it will copy the certs to the right places +4. and restart postfix and dovecot + +You can ofcourse put the script and run it by cron once a week or something. In that way you could automate cert renewal. If you do so it is probably wise to run an automated check on certificate expiry as well. Such a check could look something like this: +``` + +## code below will alert if certificate expires in less than two weeks +## please adjust varables! 
+ +export SITE_URL="mail.mydomain.net" +export SITE_IP_URL="192.168.2.72" ## can also be mail.mydomain.net +export SITE_SSL_PORT="465" ##imap port dovecot +export ALERT_EMAIL_ADDR="bill@gates321boom.com" + +certcheck_2weeks=`openssl s_client -connect ${SITE_IP_URL}:${SITE_SSL_PORT} \ + -servername ${SITE_URL} 2> /dev/null | openssl x509 -noout -checkend 1209600` + +#################################### +#notes: output can be +#Certificate will not expire +#Certificate will expire +#################### + +#echo "certcheck 2 weeks gives $certcheck_2weeks" + +##automated check you might run by cron or something +## does tls/ssl certificate expire within two weeks? + +if [ "$certcheck_2weeks" = "Certificate will not expire" ]; then + echo "all is wel, certwatch 2 weeks says $certcheck_2weeks" + else + echo "Cert seems to be expiring pretty soon, within two weeks: $certcheck_2weeks" + echo "we will send an alert email and log as well" + logger Certwatch: cert $SITE_URL will expire in two weeks + echo "Certwatch: cert $SITE_URL will expire in two weeks" | mail -s "cert $SITE_URL expires in two weeks " $ALERT_EMAIL_ADDR +fi + +``` + + + + + + + + + + + + + + From 88e1d453f043a80f3654846c7e90e43c6ea5eba4 Mon Sep 17 00:00:00 2001 From: Hans-Cees Speel Date: Tue, 25 Feb 2020 14:27:31 +0100 Subject: [PATCH 284/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 880ef1ad..c7c899c1 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
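Review bot: Several defects in this hunk. Step 1 says `./config/sll`; the directory is `./config/ssl`. Step 2 names `fullchain.key`, an unusual name for a certificate chain when the rest of this page uses `fullchain.pem`; confirm what the script expects. Step 4 uses `tomav-renew-certs.sh` while the linked script is `tomav-renew-certs`. In both openssl snippets the comment `##imap port dovecot` is wrong: 465 is SMTPS served by Postfix, Dovecot IMAPS is 993. The backtick command substitution would be clearer as `$(...)`, "ofcourse" and "varables" are typos, and the run of blank lines at the end should go. Finally, the procedure has the reader run a script fetched from a personal repository as root inside the container via `docker exec`; recommend pinning it to a reviewed commit (or vendoring it into `config/`) rather than taking whatever the latest version is.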
@@ -342,11 +342,12 @@ What does the script that imports the certificates do: 3. if so it will copy the certs to the right places 4. and restart postfix and dovecot -You can ofcourse put the script and run it by cron once a week or something. In that way you could automate cert renewal. If you do so it is probably wise to run an automated check on certificate expiry as well. Such a check could look something like this: +You can ofcourse run the script by cron once a week or something. In that way you could automate cert renewal. If you do so it is probably wise to run an automated check on certificate expiry as well. Such a check could look something like this: ``` ## code below will alert if certificate expires in less than two weeks ## please adjust varables! +## make sure the mail -s command works! Test! export SITE_URL="mail.mydomain.net" export SITE_IP_URL="192.168.2.72" ## can also be mail.mydomain.net From b979d338f444ea5dfc44f4bb5333bd8b0e70c002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lars=20P=C3=B6tter?= Date: Sun, 15 Mar 2020 06:59:58 +0100 Subject: [PATCH 285/462] command did not show up with the <> --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 8ef54ef1..4484b8f1 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
@@ -64,5 +64,5 @@ SUBCOMMANDS: * `./setup.sh debug fail2ban `: omitt all options to get a list of banned IPs, otherwise unban the specified IP. * `./setup.sh debug show-mail-logs`: show the logfile contents of the mail container * `./setup.sh debug inspect`: show infos about the running container -* `./setup.sh debug login `: run a inside the mail container (omit the command to get shell access) +* `./setup.sh debug login `: run a command inside the mail container (omit the command to get shell access) From 240a357dc88ef675bb7cf1e8b06eca7c1089ca0f Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Sun, 22 Mar 2020 15:46:36 +0100 Subject: [PATCH 286/462] Filebeat container (v7.0.0) --- docs/content/configure-elk.md | 68 ++++++++++++++++++++++++++++++++--- 1 file changed, 64 insertions(+), 4 deletions(-) diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md index b5ca504b..335ff029 100644 --- a/docs/content/configure-elk.md +++ b/docs/content/configure-elk.md @@ -1,7 +1,9 @@ From [Wikipedia](https://en.wikipedia.org/wiki/Elasticsearch): >Elasticsearch can be used to search all kinds of documents. It provides scalable search, has near real-time search, and supports multitenancy. "Elasticsearch is distributed, which means that indices can be divided into shards and each shard can have zero or more replicas. Each node hosts one or more shards, and acts as a coordinator to delegate operations to the correct shard(s). Rebalancing and routing are done automatically [...]" -This implements sends mail logs to a ELK stack via filebeat client. +This implements sending mail logs to a ELK stack via filebeat client. + +:construction: In the next release (v7.0.0), Filebeat client will not be included inside mailserver container anymore. The recommended practice is to run Filebeat in its own container (documented [below](#filebeat-container)). # Environment variables: **ENABLE_ELK_FORWARDER** 
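Review bot: In the configure-elk hunk, "a ELK stack" should be "an ELK stack". Since the page now documents both the in-container forwarder and the separate Filebeat container, say at each section head which version it applies to rather than only in this one construction note.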
@@ -56,8 +58,6 @@ input { } ``` - - # Create Index on Kibana Go http://localhost:5601. The first time needs create default index. Steps: 
@@ -68,4 +68,64 @@ Steps: - Select **Time-field name** (refresh fields): @timestamp (appears until process some log) - Create -1. Go to Discover and filter by fields. +2. Go to Discover and filter by fields. + +--- +--- +:warning: The following documentation only apply for the next release (v7.0.0). + +# Filebeat container +Configuration for each container is mainly done through _Hints based autodiscover_ (following [Elastic](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html) practice). +By default, filebeat will **not** retrieve logs from any containers, you must enable logging using Docker labels as documented below. + +## Configuration +### (Method 1) Using existing ELK + +Update `config/filebeat.docker.yml` with your existing logstash endpoint: +``` +output.logstash: + hosts: ["elk_host_or_ip:5044"] +``` + +Adapt your Docker Compose file or use the one provided: +``` +cp docker-compose.filebeat.yml.dist docker-compose.yml +docker-compose up -d +``` + +### (Method 2) Run ELK embedded on the same host + +Filebeat will use the configuration file `config/filebeat.docker.yml`. For basic needs, you don't need to update the file (logstash endpoint is `127.0.0.1:5044'`). + +#### Maxmind GeoIP license + +As of Dec 30 2019, Maxming GeoIP database is no more publicly available. You must first [sign-up](https://www.maxmind.com/en/geolite2/signup) (it's free) and request for a GeoLite2-City license. +Then update the ELK build environment variables: +``` +cp elk/.env.dist elk/.env +``` +With your license number: +``` +MAXMIND_LICENSE=your_license_number +``` + +#### Run containers +Adapt your Docker Compose file or use the one provided: +``` +cp docker-compose.elk.yml.dist docker-compose.yml +docker-compose up -d +``` + +#### Create Index on Kibana +Go http://localhost:5601. The first time needs create default index. +Steps: + +1. 
Create Index pattern + + - **Index name or pattern** * + - Select **Time-field name** (refresh fields): @timestamp (appears until process some log) + - Create + +2. Go to Discover and filter by fields. + +:bangbang: This ELK image is provided for testing purpose without any security measure. Please follow these [hardening procedures](https://elk-docker.readthedocs.io/#security-considerations). \ No newline at end of file From d0799aed95ac28366c8e38df706a513f58c17415 Mon Sep 17 00:00:00 2001 From: DuncanvR Date: Mon, 23 Mar 2020 11:38:24 +0100 Subject: [PATCH 287/462] Updated Using in Kubernetes (markdown) --- docs/content/advanced/kubernetes.md | 40 +++++++++++++++++++++++------ 1 file changed, 32 insertions(+), 8 deletions(-) diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md index eca69981..fc0c7ddd 100644 --- a/docs/content/advanced/kubernetes.md +++ b/docs/content/advanced/kubernetes.md 
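Review bot: the `output.logstash: hosts: ["elk_host_or_ip:5044"]` snippet in hunk @@ -68,4 +68,64 ships mail logs (sender and recipient addresses, client IPs, authentication results) to Logstash in clear text; when the ELK host is not on the same machine, the doc should show the TLS options Filebeat provides for this output (`ssl.certificate_authorities`, `ssl.certificate`, `ssl.key` under `output.logstash`) rather than only the host and port. The :bangbang: warning that the bundled ELK image has no security measures is correct but arrives after the `docker-compose up -d` command that exposes Kibana on port 5601; move it before the command. Wording: "only apply for" should be "only applies to", the stray `'` in `127.0.0.1:5044'` should go, "Maxming" should be "MaxMind", "is no more publicly available" should be "is no longer publicly available", "request for a GeoLite2-City license" should be "request a GeoLite2-City license", and "Go http://localhost:5601. The first time needs create default index." should read "Go to http://localhost:5601. The first time, you need to create a default index." The "Create Index on Kibana" steps duplicate the section that already exists earlier in the same file; a cross-reference would avoid maintaining two copies.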
@@ -348,9 +348,23 @@ metadata: ### Proxy port to Service via PROXY protocol -This way is ideologically the same as [using Proxy Pod](#proxy-port-to-service) but instead Proxy Pod you should use [HAProxy image][11] or [Nginx Ingress Controller][12] and proxy TCP traffic to mailserver Pod with PROXY protocol usage which does real client IP preservation. +This way is ideologically the same as [using Proxy Pod](#proxy-port-to-service), but instead of a separate proxy pod, you configure your ingress to proxy TCP traffic to the mailserver pod using the PROXY protocol, which preserves the real client IP. -This requires some additional mailserver configuration: you should enable PROXY protocol on ports that [Postfix][2] and [Dovecot][3] listen on for incoming connections. +#### Configure your ingress +With an [NGINX ingress controller][12], set `externalTrafficPolicy: Local` for its service, and add the following to the TCP services config map (as described [here][13]): +```yaml +# ... + 25: "mailserver/mailserver:25::PROXY" + 465: "mailserver/mailserver:465::PROXY" + 587: "mailserver/mailserver:587::PROXY" + 993: "mailserver/mailserver:993::PROXY" +# ... +``` + +With [HAProxy][11], the configuration should look similar to the above. If you know what it actually looks like, add an example here. :) + +#### Configure the mailserver +Then, configure both [Postfix][2] and [Dovecot][3] to expect the PROXY protocol: ```yaml kind: ConfigMap apiVersion: v1 
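Review bot: "If you know what it actually looks like, add an example here. :)" in hunk @@ -348,9 +348,23 is a TODO shipped to readers; either drop the HAProxy sentence until an example exists or point at an issue where it is tracked. For the tcp-services entries `25: "mailserver/mailserver:25::PROXY"`, it is worth spelling out that the two trailing fields of ingress-nginx's `namespace/service:port:[PROXY]:[PROXY]` format mean "decode PROXY from the client side" and "encode PROXY towards the backend" respectively, so readers do not write `:PROXY:` and end up with the controller expecting a PROXY header from the internet instead of sending one to the mailserver. The `externalTrafficPolicy: Local` requirement is the right one to mention, since without it the controller itself only sees a node address and the PROXY header carries the wrong client.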
@@ -360,30 +374,40 @@ metadata: app: mailserver data: postfix-main.cf: | - smtpd_upstream_proxy_protocol = haproxy + postscreen_upstream_proxy_protocol = haproxy + postfix-master.cf: | + submission/inet/smtpd_upstream_proxy_protocol=haproxy + smtps/inet/smtpd_upstream_proxy_protocol=haproxy dovecot.cf: | + haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8 # Assuming your ingress controller is bound to 10.0.0.0/8 service imap-login { inet_listener imaps { haproxy = yes } } # ... - --- kind: Deployment apiVersion: extensions/v1beta1 metadata: name: mailserver -#... +spec: + template: + +# ... volumeMounts: - name: config subPath: postfix-main.cf mountPath: /tmp/docker-mailserver/postfix-main.cf readOnly: true + - name: config + subPath: postfix-master.cf + mountPath: /tmp/docker-mailserver/postfix-master.cf + readOnly: true - name: config subPath: dovecot.cf - mountPath: /etc/dovecot/conf.d/zz-custom.cf + mountPath: /tmp/docker-mailserver/dovecot.cf readOnly: true # ... ``` @@ -394,7 +418,6 @@ metadata: - ## Let's Encrypt certificates [Kube-Lego][10] may be used for a role of Let's Encrypt client. It works with Kubernetes [Ingress Resources][54] and automatically issues/manages certificates/keys for exposed services via Ingresses. @@ -457,7 +480,8 @@ in your [Pod][52] spec. [3]: https://github.com/tomav/docker-mailserver/wiki/Override-Default-Dovecot-Configuration [10]: https://github.com/jetstack/kube-lego [11]: https://hub.docker.com/_/haproxy -[12]: https://github.com/kubernetes/ingress/tree/master/controllers/nginx#exposing-tcp-services +[12]: https://kubernetes.github.io/ingress-nginx/ +[13]: https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/ [50]: https://kubernetes.io/docs/concepts/configuration/secret [51]: https://kubernetes.io/docs/tasks/configure-pod-container/configmap [52]: https://kubernetes.io/docs/concepts/workloads/pods/pod From 141db76b55c9f98e93d5d1d1eb7df384028ebc1f Mon Sep 17 00:00:00 2001 
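Review bot: hunk @@ -360,30 +374,40 enables PROXY protocol on Postfix (`postscreen_upstream_proxy_protocol = haproxy`, `submission/inet/smtpd_upstream_proxy_protocol=haproxy`, `smtps/inet/smtpd_upstream_proxy_protocol=haproxy`) without any trust restriction, so Postfix will accept the client address asserted in a PROXY header from anything that can open those ports; the doc should state that the mailserver pod must be reachable only through the ingress (for example a NetworkPolicy limiting ingress to the controller's pods), otherwise any workload in the cluster can spoof a client IP and defeat fail2ban, postscreen and any IP-based policy. Dovecot does have a trust list, but `haproxy_trusted_networks = 10.0.0.0/8, 127.0.0.0/8` usually covers the whole pod network and has the same effect; suggest narrowing it to the ingress controller's addresses and saying why. Two smaller points: `postscreen_upstream_proxy_protocol` only takes effect when port 25 is served by postscreen; if smtpd is bound directly, `smtp/inet/smtpd_upstream_proxy_protocol=haproxy` in master.cf is the setting that applies, which the doc should mention. And the Deployment fragment replaces `#...` with `spec:` / `template:` followed by a blank line and `# ...`, leaving `template:` with no child mapping, which the following commit has to repair; squashing the two would leave a coherent snippet at every commit.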
From: DuncanvR Date: Mon, 23 Mar 2020 11:40:56 +0100 Subject: [PATCH 288/462] Rework section on PROXY protocol (including nameless previous change) --- docs/content/advanced/kubernetes.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md index fc0c7ddd..43271aeb 100644 --- a/docs/content/advanced/kubernetes.md +++ b/docs/content/advanced/kubernetes.md @@ -139,7 +139,7 @@ spec: # - name: tmp-files # mountPath: /tmp/files containers: - - name: smtp + - name: docker-mailserver image: tvial/docker-mailserver:release-v6.2.1 imagePullPolicy: Always volumeMounts: @@ -394,8 +394,9 @@ metadata: name: mailserver spec: template: - -# ... + spec: + containers: + - name: docker-mailserver volumeMounts: - name: config subPath: postfix-main.cf From 404ac5a438feaec2013367e00f5af40129bf0b71 Mon Sep 17 00:00:00 2001 From: youtous Date: Thu, 23 Apr 2020 15:49:52 +0200 Subject: [PATCH 289/462] add ssl doc: traefik --- docs/content/config/security/ssl.md | 64 +++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 4 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index c7c899c1..a222fced 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
@@ -1,10 +1,13 @@ There are multiple options to enable SSL: -* using [letsencrypt](https://letsencrypt.org/) (recommended) -* using self-signed certificates with the provided tool -* using your own certificates +* using [letsencrypt](#lets-encrypt-recommended) (recommended) +* using [traefik](#traefik) +* using [self-signed certificates](#self-signed-certificates-testing-only) with the provided tool +* using [your own certificates](#custom-certificate-files) -After installation, you can test your setup with [checktls.com](https://www.checktls.com/TestReceiver). +After installation, you can test your setup with: +- [checktls.com](https://www.checktls.com/TestReceiver) +- [testssl.sh](https://github.com/drwetter/testssl.sh) ### Let's encrypt (recommended) 
@@ -211,6 +214,59 @@ environment: ``` DSM-generated letsencrypt certificates get auto-renewed every three months. +### Traefik + +[Traefik](https://github.com/containous/traefik) is an open-source Edge Router which handles ACME protocol using [lego](https://github.com/go-acme/lego). +Traefik can request certificates for domains trougth the ACME protocol, the router will take care of renewals, challenge negotiations etc. + +If you are using traefik you might want to push your certificates in the *mailserver* container. +[youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for [tomav/dockermailserver](https://github.com/tomav/docker-mailserver/) relying on the [traefik acme storage](https://docs.traefik.io/https/acme/). + +#### Getting started + +Depending of your traefik configuration, certificates could be stored using a *file* or a *KV Store (consul, etcd...)* + +_docker-compose example:_ +``` +services: + cert-renewer-traefik: + image: youtous/mailserver-traefik:latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock + - ./acme.json:/tmp/traefik/acme.json:ro # link traefik acme.json file (read-only) + environment: + - TRAEFIK_VERSION=2 + - CERTS_SOURCE=file + - DOMAINS=mail.localhost.com + + mailserver: + image: tvial/docker-mailserver:latest + hostname: mail + domainname: localhost.com + labels: + - "mailserver-traefik.renew.domain=mail.localhost.com" # tag the service + + # traefik service declaration (you can use static configuration too) + - "traefik.enable=true" + - "traefik.port=443" # dummy port, required generating certs with traefik + + - "traefik.http.routers.mail.rule=Host(`mail.localhost.com`)" + - "traefik.http.routers.mail.entrypoints=websecure" + - "traefik.http.routers.mail.middlewares=redirect-webmail@docker" # /!\ the router must redirect every requests. 
+ - "traefik.http.middlewares.redirect-webmail.redirectregex.regex=.*" + - "traefik.http.middlewares.redirect-webmail.redirectregex.replacement=https://webmail.localhost.com/" + + environment: + - SSL_TYPE=manual # enable SSL on the *mailserver* and store certificates in pre-defined paths + - SSL_CERT_PATH=/var/mail-state/manual-ssl/cert # don't change theses paths! + - SSL_KEY_PATH=/var/mail-state/manual-ssl/key +``` + +Certificates will be renewed by *traefik* then pushed in the *mailserver* by the *cert-renewer* service, finally, dovecot and postfix will be restarted. +
+Documentation: https://github.com/youtous/docker-mailserver-traefik. + + ### Self-signed certificates (testing only) You can easily generate a self-signed SSL certificate by using the following command: From 6d9db5151f9136f9045c8f4889791109a6489992 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 25 Apr 2020 22:58:50 +0200 Subject: [PATCH 290/462] quota update --- docs/content/advanced/optional-config.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md index 9727d360..c3b9e7e2 100644 --- a/docs/content/advanced/optional-config.md +++ b/docs/content/advanced/optional-config.md @@ -29,3 +29,4 @@ This is a list of all configuration files and directories which are optional or - **fail2ban-jail.cf:** Additional config options for fail2ban's jail behaviour. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Fail2ban) - **amavis.cf:** replaces the /etc/amavis/conf.d/50-user file - **dovecot.cf:** replaces /etc/dovecot/local.conf. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Dovecot-Configuration) +- **dovecot-quotas.cf:** list of custom quotas per mailbox. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Accounts/_edit#mailbox-quota) From a8969647c60aa7517674ef736d3c6e41bf08fac2 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 25 Apr 2020 23:29:37 +0200 Subject: [PATCH 291/462] quota update --- .../config/user-management/accounts.md | 34 ++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index cba77716..7586c556 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
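Review bot: `- /var/run/docker.sock:/var/run/docker.sock` in the `cert-renewer-traefik` service (hunk @@ -211,6 +214,59) hands that container full control of the Docker daemon, which is equivalent to root on the host; the doc should say why the renewer needs it (presumably to restart the mailserver after pushing certificates) and point at mitigations such as fronting the socket with a socket proxy that only exposes the endpoints the renewer uses. `traefik.port=443` is the Traefik v1 label form; with `TRAEFIK_VERSION=2` and v2 router labels on the same service, the v2 form is `traefik.http.services.<name>.loadbalancer.server.port`, so either fix the label or note which Traefik version each label targets. Wording: "trougth" should be "through", "Depending of" should be "Depending on", "don't change theses paths" should be "do not change these paths", "redirect every requests" should be "redirect every request", and the closing "Documentation:" line repeats the link already given at the top of the section.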
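Review bot: the link added in the optional-config.md hunk @@ -29,3 +29,4 points at `Configure-Accounts/_edit#mailbox-quota`, which is the wiki's edit page rather than the article; drop `/_edit` so readers land on the rendered page.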
@@ -22,4 +22,36 @@ You will be asked for a password. Just copy all the output string in the file `c The `doveadm pw` command let you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. -> Note: changes made with this script require a restart of the container. See [#552](../issues/552) \ No newline at end of file +> Note: changes made with this script require a restart of the container. See [#552](../issues/552) + +*** +## Mailbox quota +**coming soon: https://github.com/tomav/docker-mailserver/pull/1469** + +On top of the default quota (`POSTFIX_MAILBOX_SIZE_LIMIT`), you can define specific quotas per mailbox. +Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY` is enabled. +
+ + +A warning message will be sent to the user when his mailbox is reaching quota limit. Have a look at [90-quota.cf](https://github.com/tomav/docker-mailserver/tree/master/target/dovecot/90-quota.conf) for further details. + +### Commands +_exec in the container_ + +- `setquota []`: define the quota of a mailbox (quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))) +- `delquota `: delete the quota of a mailbox +- `doveadm quota get -u `: display the quota and the statistics of a mailbox + +### `dovecot-quotas.cf` + +This file is a key-value database where quotas are stored. + +_dovecot-quotas.cf_ +``` +user@domain.tld:50M +john@other-domain.tld:1G +``` +### Notes +- *imap-quota* is enabled and allow clients to query their mailbox usage. +- When the mailbox is deleted, the quota directive is deleted as well. +- LDAP ? Dovecot quotas supports LDAP **but it's not implemented** (_PR are welcome!_). \ No newline at end of file From 0057877b43d93ece211f9110d6cb0ff042da1a76 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 25 Apr 2020 23:32:25 +0200 Subject: [PATCH 292/462] quota update --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 4484b8f1..a4c040ef 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -34,6 +34,10 @@ SUBCOMMANDS: ./setup.sh alias del ./setup.sh alias list + quota: + ./setup.sh quota set [] + ./setup.sh quota del + config: ./setup.sh config dkim (default: 2048) 
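Review bot: the accounts.md hunk @@ -22,4 +22,36 publishes "**coming soon: https://github.com/tomav/docker-mailserver/pull/1469**" as documentation for a feature that is not merged yet; the section should not go live until the PR does, or it should be marked clearly as unreleased. The command list has lost its argument placeholders in the same way as earlier wiki edits: `setquota []`, `delquota ` and `doveadm quota get -u ` show no user argument, so write them as `setquota USER@DOMAIN [QUOTA]`, `delquota USER@DOMAIN` and `doveadm quota get -u USER@DOMAIN`. The link text says `90-quota.cf` while the URL ends in `90-quota.conf`; make them agree. Calling `dovecot-quotas.cf` a "key-value database" suggests a binary store, whereas the example shows a plain `user:quota` text file; say "a plain text file with one `user@domain:quota` entry per line". Wording: "when his mailbox is reaching quota limit" should be "when their mailbox is approaching its quota", "*imap-quota* is enabled and allow clients" should be "allows clients", and "LDAP ? Dovecot quotas supports LDAP" should read "LDAP: Dovecot quotas support LDAP".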
@@ -56,6 +60,9 @@ SUBCOMMANDS: * `./setup.sh alias add `: add an alias(email) for an email-account(recipient) * `./setup.sh alias del `: delete an alias * `./setup.sh alias list`: list all aliases +# quota +* `./setup.sh quota set []`: define the quota of a mailbox (quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))) +* `./setup.sh quota del `: delete the quota of a mailbox # config * `./setup.sh config dkim (default: 2048)`: autoconfig the dkim-config with an (optional) keysize value * `./setup.sh config ssl`: generate ssl-certificates From 17b5aefbf6f2cc91f52ff3033a3ac5f816d966c8 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 25 Apr 2020 23:33:35 +0200 Subject: [PATCH 293/462] quota update --- docs/content/advanced/optional-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/optional-config.md b/docs/content/advanced/optional-config.md index c3b9e7e2..a8bbe564 100644 --- a/docs/content/advanced/optional-config.md +++ b/docs/content/advanced/optional-config.md @@ -29,4 +29,4 @@ This is a list of all configuration files and directories which are optional or - **fail2ban-jail.cf:** Additional config options for fail2ban's jail behaviour. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Fail2ban) - **amavis.cf:** replaces the /etc/amavis/conf.d/50-user file - **dovecot.cf:** replaces /etc/dovecot/local.conf. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Override-Default-Dovecot-Configuration) -- **dovecot-quotas.cf:** list of custom quotas per mailbox. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Accounts/_edit#mailbox-quota) +- **dovecot-quotas.cf:** list of custom quotas per mailbox. See [wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-Accounts#mailbox-quota) From ee7e314c39ffc9cd48f605f10dfbfaac45831843 Mon Sep 17 00:00:00 2001 
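Review bot: both setup.sh documentation hunks (@@ -34,6 +34,10 and @@ -56,6 +60,9) have the same stripped placeholders as the accounts page: `./setup.sh quota set []` and `./setup.sh quota del ` do not show the user argument, so readers cannot tell what the subcommand takes; write them as `./setup.sh quota set USER@DOMAIN [QUOTA]` and `./setup.sh quota del USER@DOMAIN`. The parenthetical "(quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte)))" is nested three deep and copied verbatim from the accounts page; "QUOTA is a size such as 302M, with units B, k, M, G or T" says the same thing readably.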
From: youtous Date: Sun, 26 Apr 2020 19:38:49 +0200 Subject: [PATCH 294/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 7586c556..0b7833e6 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -26,7 +26,6 @@ Use doveadm pw -l to get a list of the currently supported encryption schemes. *** ## Mailbox quota -**coming soon: https://github.com/tomav/docker-mailserver/pull/1469** On top of the default quota (`POSTFIX_MAILBOX_SIZE_LIMIT`), you can define specific quotas per mailbox. Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY` is enabled. From 478d073deba091aecf23cc5401c79e6778dfe1a8 Mon Sep 17 00:00:00 2001 From: youtous Date: Fri, 1 May 2020 23:53:23 +0200 Subject: [PATCH 295/462] quota update --- docs/content/config/user-management/accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 0b7833e6..233eac77 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
@@ -28,7 +28,7 @@ Use doveadm pw -l to get a list of the currently supported encryption schemes. ## Mailbox quota On top of the default quota (`POSTFIX_MAILBOX_SIZE_LIMIT`), you can define specific quotas per mailbox. -Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY` is enabled. +Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY=1` or when `ENABLE_LDAP=1` or when explicitly disabled with `ENABLE_QUOTAS=0.
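Review bot: the replacement line in hunk @@ -28,7 +28,7 ends with `` `ENABLE_QUOTAS=0. `` and is missing the closing backtick, which in rendered Markdown turns the rest of the paragraph into a code span. Since the line also introduces `ENABLE_LDAP=1` as a condition that disables quotas, it would help to reconcile that with the Notes bullet further down the same page that says LDAP support "is not implemented", so readers see one consistent statement about LDAP and quotas.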
From 19a86565d7c46422ead04df67b54a2aeeb82872c Mon Sep 17 00:00:00 2001 From: youtous Date: Fri, 1 May 2020 23:53:37 +0200 Subject: [PATCH 296/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 233eac77..84f665ba 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -28,7 +28,7 @@ Use doveadm pw -l to get a list of the currently supported encryption schemes. ## Mailbox quota On top of the default quota (`POSTFIX_MAILBOX_SIZE_LIMIT`), you can define specific quotas per mailbox. -Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY=1` or when `ENABLE_LDAP=1` or when explicitly disabled with `ENABLE_QUOTAS=0. +Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY=1` or when `ENABLE_LDAP=1` or when explicitly disabled with `ENABLE_QUOTAS=0`.
From 57837ccd92cfb6538fc2439589d17fa6dc5871a8 Mon Sep 17 00:00:00 2001 From: lukas Date: Sat, 2 May 2020 11:55:27 +0200 Subject: [PATCH 297/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 4379b863..76f04de7 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -188,6 +188,50 @@ Considering you want to delete all the e-mails received for `baduser@domain.tld` baduser@domain.tld devnull ``` +### How do I have more control about what SPAMASSASIN is filtering? + +By default, SPAM and INFECTED emails are put to a quarantine which is not very straight forward to access. Several config settings are affecting this behavior: + +First, make sure you have the proper thresholds set: +``` +SA_TAG=-100000.0 +SA_TAG2=3.75 +SA_KILL=100000.0 +``` + +The very negative vaue in `SA_TAG` makes sure, that all emails have the Spamassasin headers included. +`SA_TAG2` is the actual threshold to set the YES/NO flag for spam detection. +`SA_KILL` needs to be very high, to make sure nothing is bounced at all (`SA_KILL` superseeds `SPAMASSASSIN_SPAM_TO_INBOX`) + +Make sure everything (including SPAM) is delivered to the inbox and not quarantined. +``` +SPAMASSASSIN_SPAM_TO_INBOX=1 +``` + +Create a sieve script which puts spam to the Junk folder. + +``` +require ["comparator-i;ascii-numeric","relational","fileinto"]; + +if header :contains "X-Spam-Flag" "YES" { + fileinto "Junk"; +} elsif allof ( + not header :matches "x-spam-score" "-*", + header :value "ge" :comparator "i;ascii-numeric" "x-spam-score" "3.75" ) { + fileinto "Junk"; +} +``` + +Create a dedicated mailbox for emails which are infected/bad header and everything amavis is blocking by default and put its address into `config/amavis.cf` +``` +$clean_quarantine_to = "amavis\@domain.com"; +$virus_quarantine_to = "amavis\@domain.com"; +$banned_quarantine_to = "amavis\@domain.com"; +$bad_header_quarantine_to = "amavis\@domain.com"; +$spam_quarantine_to = "amavis\@domain.com"; + +``` + ### What kind of SSL certificates can I use? You can use the same certificates you use with another mail server. The only thing is that we provide a `self-signed` certificate tool and a `letsencrypt` certificate loader. From f5f7fc88796e3930071c09ca103f1e2e2f4ba24f Mon Sep 17 00:00:00 2001 
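Review bot: the second sieve branch in hunk @@ -188,6 +188,50 does not implement the 3.75 threshold it appears to: the `i;ascii-numeric` comparator compares only the leading run of digits, so `"3.75"` is compared as 3 and any `x-spam-score` of 3.0 through 3.74 also satisfies `:value "ge"` and is filed into Junk, below the `SA_TAG2=3.75` cut-off the text just configured. Messages at or above 3.75 already carry `X-Spam-Flag: YES` and are caught by the first branch, so the second branch only lowers the effective threshold to 3; either drop it or state that it deliberately files borderline mail. The `not header :matches "x-spam-score" "-*"` guard is needed because a string with no leading digit compares as infinity under that comparator, which is worth a comment in the script. On the amavis part: the quarantine addresses route live malware samples and malformed mail into a normal mailbox, so the doc should say that this mailbox must not be auto-synced to ordinary clients and should be treated as untrusted content. Wording: "SPAMASSASIN" in the heading (which also becomes the anchor), "Spamassasin headers", "vaue", and "superseeds" should be "SpamAssassin", "SpamAssassin headers", "value" and "supersedes"; "makes sure, that" drops the comma.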
From: youtous Date: Sat, 2 May 2020 19:40:16 +0200 Subject: [PATCH 298/462] Add MOVE_SPAM_TO_JUNK --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 76f04de7..30a0faa1 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -208,7 +208,7 @@ Make sure everything (including SPAM) is delivered to the inbox and not quaranti SPAMASSASSIN_SPAM_TO_INBOX=1 ``` -Create a sieve script which puts spam to the Junk folder. +Use `MOVE_SPAM_TO_JUNK=1` or create a sieve script which puts spam to the Junk folder. ``` require ["comparator-i;ascii-numeric","relational","fileinto"]; From 5bb68e9905e41de2e46f9b51b5a2fe7b9605d5f8 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 2 May 2020 19:41:36 +0200 Subject: [PATCH 299/462] Update SA-learn --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 30a0faa1..7f1a70b8 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -93,7 +93,7 @@ In the default setup, amavis only applies Spamassassin x-headers into domains ma ### How can I make SpamAssassin learn spam? -Put received spams in `.Junk/` imap folder and add a _user_ cron like the following: +Put received spams in `.Junk/` imap folder using `SPAMASSASSIN_SPAM_TO_INBOX=1` and `MOVE_SPAM_TO_JUNK=1` and add a _user_ cron like the following: ``` # This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, From 2e0284ded3d74607e4786b7923de5fabf1024411 Mon Sep 17 00:00:00 2001 
From: Erik Wramner Date: Mon, 4 May 2020 08:01:53 +0200 Subject: [PATCH 300/462] Added note about caddy --- docs/content/config/security/ssl.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index a222fced..d10c7ec2 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -20,6 +20,26 @@ To enable Let's Encrypt on your mail server, you have to: You don't have anything else to do. Enjoy. +#### Pitfall with Caddy + +If you are using Caddy to renew your certificates, please note that only RSA certificates work. Read [issue 1440](https://github.com/tomav/docker-mailserver/issues/1440) for details. In short the caddy file should look something like: + +``` +https://mail.domain.com { + tls yourcurrentemail@gmail.com { + key_type rsa2048 + } +} +``` +EC certificates fail in the TLS handshake: + +``` +CONNECTED(00000003) +140342221178112:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40 +no peer certificate available +No client certificate CA names sent +``` + #### Example using docker for letsencrypt Make a directory to store your letsencrypt logs and configs. From 8b9b4d3b69a5ee5d768a49cec8e5d3eaa1ab42aa Mon Sep 17 00:00:00 2001 From: msheakoski Date: Fri, 8 May 2020 18:12:24 -0400 Subject: [PATCH 301/462] Update config file mentioned in cron instructions to env-mailserver --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 7f1a70b8..73a6f09c 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
@@ -96,7 +96,7 @@ In the default setup, amavis only applies Spamassassin x-headers into domains ma Put received spams in `.Junk/` imap folder using `SPAMASSASSIN_SPAM_TO_INBOX=1` and `MOVE_SPAM_TO_JUNK=1` and add a _user_ cron like the following: ``` -# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, +# This assumes you're having `environment: ONE_DIR=1` in the env-mailserver, # with a consolidated config in `/var/mail-state` # # m h dom mon dow command From fa387eff1f507476108846b33ec936eefb08dd0d Mon Sep 17 00:00:00 2001 From: msheakoski Date: Fri, 8 May 2020 18:15:06 -0400 Subject: [PATCH 302/462] Update config file mentioned in cron instructions to env-mailserver --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 73a6f09c..4b884913 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -119,7 +119,7 @@ chmod 0644 cron/sa-learn edit the system cron file `nano cron/sa-learn`, and set an appropriate configuration: ``` -# This assumes you're having `environment: ONE_DIR=1` in the docker-compose.yml, +# This assumes you're having `environment: ONE_DIR=1` in the env-mailserver, # with a consolidated config in `/var/mail-state` # # m h dom mon dow user command From 215c042bbe1f74d38938249caed8ae86948bbe28 Mon Sep 17 00:00:00 2001 From: youtous Date: Sat, 9 May 2020 23:37:34 +0200 Subject: [PATCH 303/462] update image: tvial/docker-mailserver ---> always use latest (https://github.com/tomav/docker-mailserver/issues/1504) --- docs/content/advanced/kubernetes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/kubernetes.md b/docs/content/advanced/kubernetes.md index 43271aeb..ecd24ef1 100644 --- a/docs/content/advanced/kubernetes.md +++ b/docs/content/advanced/kubernetes.md 
@@ -140,7 +140,7 @@ spec: # mountPath: /tmp/files containers: - name: docker-mailserver - image: tvial/docker-mailserver:release-v6.2.1 + image: tvial/docker-mailserver:latest imagePullPolicy: Always volumeMounts: - name: config From 20ec089dd0576152cb3f9eece609e9b67945d617 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Mon, 11 May 2020 11:54:36 +0200 Subject: [PATCH 304/462] Added mail_max_userip_connections --- docs/content/advanced/override-defaults/dovecot.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 6b4c6084..0f88762e 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -14,6 +14,13 @@ Your `docker-mailserver` folder should look like this example: └── README.md ``` +One common option to change is the maximum number of connections per user: + +``` +mail_max_userip_connections = 100 +``` + + # Override configuration For major configuration changes it’s best to override the `dovecot` configuration files. For each configuration file you want to override, add a list entry under the `volumes:` key. From 087a4ae7508945f11fbcb4dff83e89672a6e3d4f Mon Sep 17 00:00:00 2001 From: rhyst Date: Mon, 11 May 2020 17:52:25 +0100 Subject: [PATCH 305/462] Adding instructions for Caddy V2 --- docs/content/config/security/ssl.md | 76 ++++++++++++++++++++++++++++- 1 file changed, 75 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index d10c7ec2..cac6e8fa 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
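Review bot: switching the Kubernetes example in hunk @@ -140,7 +140,7 from `tvial/docker-mailserver:release-v6.2.1` to `tvial/docker-mailserver:latest` together with the existing `imagePullPolicy: Always` means every pod restart pulls whatever the tag points to at that moment, so a mail server can pick up an unreviewed upstream change (including the v7.0.0 behaviour changes mentioned elsewhere in this series) with no operator action; the example should pin a release tag or an image digest and tell readers to bump it deliberately, even if the linked issue prefers `latest` for the wiki.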
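Review bot: the dovecot.md hunk @@ -14,6 +14,13 shows `mail_max_userip_connections = 100` without saying what the default is or why one would raise it. Dovecot's default is 10, and the limit exists to cap the resources one client can consume, so the text should explain that the limit applies per user and per client IP, that the usual reason to raise it is many devices behind one NAT address, and that it should be raised only as far as needed rather than to an arbitrary 100.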
@@ -22,7 +22,7 @@ You don't have anything else to do. Enjoy. #### Pitfall with Caddy -If you are using Caddy to renew your certificates, please note that only RSA certificates work. Read [issue 1440](https://github.com/tomav/docker-mailserver/issues/1440) for details. In short the caddy file should look something like: +If you are using Caddy to renew your certificates, please note that only RSA certificates work. Read [issue 1440](https://github.com/tomav/docker-mailserver/issues/1440) for details. In short for Caddy v1 the Caddyfile should look something like: ``` https://mail.domain.com { @@ -31,6 +31,80 @@ https://mail.domain.com { } } ``` + +For Caddy v2 it is necessary to use the json structured Caddyfile. A minimal config would look something like this: + +``` +{ + "apps": { + "http": { + "servers": { + "srv0": { + "listen": [ + ":443" + ], + "routes": [ + { + "match": [ + { + "host": [ + "mail.domain.com", + ] + } + ], + "handle": [ + { + "handler": "subroute", + "routes": [ + { + "handle": [ + { + "body": "", + "handler": "static_response" + } + ] + } + ] + } + ], + "terminal": true + }, + ] + } + } + }, + "tls": { + "automation": { + "policies": [ + { + "subjects": [ + "mail.domain.com", + ], + "key_type": "rsa2048", + "issuer": { + "email": "email@email.com", + "module": "acme" + } + }, + { + "issuer": { + "email": "email@email.com", + "module": "acme" + } + } + ] + } + } + } +} +``` +The generated certificates can be mounted: +``` +volumes: + - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.crt:/etc/letsencrypt/live/mail.domain.com/fullchain.pem + - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.key:/etc/letsencrypt/live/mail.domain.com/privkey.pem +``` + EC certificates fail in the TLS handshake: ``` From a6b0a490c5954f73a865cf7900acb571dcd3202f Mon Sep 17 00:00:00 2001 
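Review bot: the Caddy v2 configuration in hunk @@ -31,6 +31,80 is not valid JSON: `"mail.domain.com",` is followed directly by `]` twice and `},` by `]` once, and JSON does not allow trailing commas, so Caddy will refuse to load the file as written; remove the three commas. The text calls it a "json structured Caddyfile", but this is Caddy's native JSON config (loaded with `caddy run --config`), not a Caddyfile, and naming it correctly avoids readers feeding it to the Caddyfile adapter. The second automation policy has no `subjects`, which makes it a catch-all for every other host Caddy serves; say so, since readers copying only the mail host may not want RSA-only keys elsewhere. "email@email.com" and "yourcurrentemail@gmail.com" in the v1 example are ACME account addresses that Let's Encrypt will contact about expiry; mark them as placeholders to replace.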
From: youtous Date: Fri, 15 May 2020 18:45:33 +0200 Subject: [PATCH 306/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 4940ee8e..14a0c8a6 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -98,3 +98,8 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA ## Switch off DKIM Simply remove dkim key by recreating the mailserver-container. + +## DMARC + +DMARC Guide: https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md + From bce69129880c695e3fff100ca817f5a4f38b4099 Mon Sep 17 00:00:00 2001 From: Oleg Kainov Date: Fri, 15 May 2020 22:49:00 +0200 Subject: [PATCH 307/462] Add DMARC guide --- docs/content/config/best-practices/dmarc.md | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/content/config/best-practices/dmarc.md diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md new file mode 100644 index 00000000..9c54afae --- /dev/null +++ b/docs/content/config/best-practices/dmarc.md 
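Review bot: the new `## DMARC` section in dkim.md is a heading over a bare URL followed by an extra trailing blank line, and the very next patch in this series creates a dedicated dmarc.md page; link to that page instead (with markdown link syntax for the external guide) so the two do not drift apart, and drop the trailing empty line so the file does not end with two blank lines.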
@@ -0,0 +1,11 @@ +In `docker-mailserver` DMARC is configured out-of the box and the only thing you need to do is to add new TXT entry to your DNS. In contrast with [DKIM](https://github.com/tomav/docker-mailserver/wiki/Configure-DKIM), DMARC DNS entry does not require any keys but just setting the [configuration values](https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags). You can either handcraft the entry by yourself or use one of available generators (like https://dmarcguide.globalcyberalliance.org/). + +Typically something like this should be good to start with (don't forget to replace `domain.com` to valid addresses) +`_dmarc.domain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.report@domain.com; ruf=mailto:dmarc.report@domain.com; sp=none; ri=86400"` + +Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`) +` _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"` + +DMARC status is not being displayed in Gmail, so if you want to check it, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/ + +Reference: #1511 \ No newline at end of file From a5af73e8a3daf10366716c70acf5b0917c950899 Mon Sep 17 00:00:00 2001 From: Oleg Kainov Date: Fri, 15 May 2020 22:49:31 +0200 Subject: [PATCH 308/462] Updated Configure DMARC (markdown) --- docs/content/config/best-practices/dmarc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md index 9c54afae..db09312e 100644 --- a/docs/content/config/best-practices/dmarc.md +++ b/docs/content/config/best-practices/dmarc.md 
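Review bot: in the stricter example record, `ruf=dmarc.report@domain.com` is missing the `mailto:` scheme that the first record uses for both `rua=` and `ruf=`; DMARC report addresses are URIs, so receivers ignore the forensic-report target as written. Change it to `ruf=mailto:dmarc.report@domain.com`. Minor wording in the same hunk: "out-of the box" should be "out of the box", "add new TXT entry" should be "add a new TXT entry", and "replace `domain.com` to valid addresses" should be "replace `domain.com` with your domain".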
@@ -8,4 +8,4 @@ Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`) DMARC status is not being displayed in Gmail, so if you want to check it, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/ -Reference: #1511 \ No newline at end of file +Reference: [#1511](https://github.com/tomav/docker-mailserver/issues/1511) \ No newline at end of file From c95e877a23072a3e11c410b121b99e888edd0e94 Mon Sep 17 00:00:00 2001 From: Oleg Kainov Date: Fri, 15 May 2020 22:49:53 +0200 Subject: [PATCH 309/462] Updated Configure DMARC (markdown) --- docs/content/config/best-practices/dmarc.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md index db09312e..6d7aaef6 100644 --- a/docs/content/config/best-practices/dmarc.md +++ b/docs/content/config/best-practices/dmarc.md 
@@ -1,10 +1,14 @@ In `docker-mailserver` DMARC is configured out-of the box and the only thing you need to do is to add new TXT entry to your DNS. In contrast with [DKIM](https://github.com/tomav/docker-mailserver/wiki/Configure-DKIM), DMARC DNS entry does not require any keys but just setting the [configuration values](https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags). You can either handcraft the entry by yourself or use one of available generators (like https://dmarcguide.globalcyberalliance.org/). Typically something like this should be good to start with (don't forget to replace `domain.com` to valid addresses) -`_dmarc.domain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.report@domain.com; ruf=mailto:dmarc.report@domain.com; sp=none; ri=86400"` +``` +_dmarc.domain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.report@domain.com; ruf=mailto:dmarc.report@domain.com; sp=none; ri=86400" +``` Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`) -` _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine"` +``` +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" +``` DMARC status is not being displayed in Gmail, so if you want to check it, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/ From 3ce6ecd9d16b008a377b4d206cb7d797bd9e163e Mon Sep 17 00:00:00 2001 From: Oleg Kainov Date: Sun, 17 May 2020 18:57:36 +0200 Subject: [PATCH 310/462] Updated Configure DMARC (markdown) --- docs/content/config/best-practices/dmarc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
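Review bot: now that both records are in their own fenced blocks, the inconsistent owner names stand out: the first is the absolute `_dmarc.domain.com.` and the second is the bare, relative `_dmarc`. A reader copying either into a zone file with a different `$ORIGIN` ends up publishing the record under the wrong name, so use the same form in both blocks (the absolute `_dmarc.domain.com.` matches the surrounding text better).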
diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md index 6d7aaef6..d3f3aa01 100644 --- a/docs/content/config/best-practices/dmarc.md +++ b/docs/content/config/best-practices/dmarc.md @@ -10,6 +10,6 @@ Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`) _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" ``` -DMARC status is not being displayed in Gmail, so if you want to check it, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/ +DMARC status is not being displayed instantly in Gmail. If you want to check it directly after DNS entries, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/. In other case Gmail will show "DMARC: PASS" in ~1 day or so. Reference: [#1511](https://github.com/tomav/docker-mailserver/issues/1511) \ No newline at end of file From e1c386628e07efb06f64e7bce07e2efb0c9fa215 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 05:35:34 +0200 Subject: [PATCH 311/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index a4c040ef..d19a382c 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
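Review bot: the reworded Gmail sentence reads awkwardly: "directly after DNS entries" should be "directly after adding the DNS entries", "such as mentioned" should be "such as", and "In other case" should be "Otherwise". It would also help to say where in a received message Gmail shows the "DMARC: PASS" result, since the sentence tells readers to wait a day for it without saying where to look.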
@@ -53,7 +53,7 @@ SUBCOMMANDS: # email * `./setup.sh email add []`: Add an email-account (\ is optional) * `./setup.sh email update []`: Change the password of an email-account (\ is optional) -* `./setup.sh email del ': delete an email-account +* `./setup.sh email del `: delete an email-account * `./setup.sh email restrict []`: deny users to send or receive mail. You can also list the respective denied mail-accounts. * `./setup.sh email list`: list all existing email-accounts # alias From aea271d6fe9a517dfbdd0fd47a122151f6fdf52e Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 05:37:48 +0200 Subject: [PATCH 312/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 84f665ba..8e99048a 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -6,10 +6,9 @@ Example: user1@domain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 -In the previous example, we added 2 mail accounts for 2 different domains. -This is will automagically configure the mail-server as multi-domains. +In the example above, we've added 2 mail accounts for 2 different domains. Consequently, the mail-server will automagically be configured as multi-domains. -To generate a new mail account entry in your configuration, you could run for example the following: +To generate a new mail account entry in your configuration, you could for example run the following: docker run --rm \ -e MAIL_USER=user1@domain.tld \ 
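Review bot: in the accounts.md hunk, "configured as multi-domains" should be "configured as multi-domain". While this paragraph is being reworded, the example lines above it show both accounts with the byte-identical `{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$...` hash, which a reader may take to mean a hash can be copied between accounts; regenerating the second example hash would make the example more honest about what `doveadm pw` produces.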
@@ -19,8 +18,7 @@ To generate a new mail account entry in your configuration, you could run for ex You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. -The `doveadm pw` command let you choose between several encryption schemes for the password. -Use doveadm pw -l to get a list of the currently supported encryption schemes. +The `doveadm pw` command lets you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. > Note: changes made with this script require a restart of the container. See [#552](../issues/552) From 1f220f54181dcf2f4b5d3c12ef006f096298071f Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 05:40:17 +0200 Subject: [PATCH 313/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 4b884913..4a9c1b1d 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -5,7 +5,7 @@ You'll probably want to `push` your config updates to your server and restart th ### How can I sync container with host date/time? -Share the host `/etc/localtime` using: +Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) descriptor with the mail-server container, using a volume: ``` volumes: From 729196d97e467e5c80ec1fe8fdcb6bda2bcb613d Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 05:41:07 +0200 Subject: [PATCH 314/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 4a9c1b1d..1c73c7bd 100644 
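Review bot: in the merged `doveadm pw` sentence, `doveadm pw -l` is left unformatted while `doveadm pw` just before it is in backticks; format both the same way so readers see it is a command to run.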
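Review bot: in the faq.md hunk, `/etc/localtime` is a file (usually a symlink), not a "descriptor"; say "file". The `volumes:` block that follows should also mount it read-only (`:ro`), since the container only needs to read the host's time zone data and has no reason to be able to change it.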
--- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -1,8 +1,14 @@ ### What kind of database are you using? + None. No *sql database required. This image is based on config files that can be versioned. You'll probably want to `push` your config updates to your server and restart the container to apply changes. +### Where are emails stored? + +Mails are stored in `/var/mail/${domain}/${username}`. +You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. + ### How can I sync container with host date/time? Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) descriptor with the mail-server container, using a volume: @@ -17,10 +23,6 @@ Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd All files are using the Unix format with `LF` line endings. Please do not use `CRLF`. -### Where are emails stored? -Mails are stored in `/var/mail/${domain}/${username}`. -You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. - ### What about backups? Assuming that you use `docker-compose` and a data volumes, you can backup your user mails like this: From 6123f72b3b4ee67535b98237aa64cba2c91e264c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 05:58:54 +0200 Subject: [PATCH 315/462] Updated Update and cleanup (markdown) --- docs/content/advanced/maintenance/update-and-cleanup.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md index 5bc388a5..12e1adf4 100644 --- a/docs/content/advanced/maintenance/update-and-cleanup.md 
+++ b/docs/content/advanced/maintenance/update-and-cleanup.md @@ -4,6 +4,8 @@ Docker images are handy but it can get a a hassle to keep them updated. Also whe There is a nice docker image that solves this issue and can be very helpful. The image is: [v2tec/watchtower](https://hub.docker.com/r/v2tec/watchtower/). +> Actually the upstream project is now https://hub.docker.com/r/containrrr/watchtower + A docker-compose example: ```yaml services: From 828afe19301daa5711117468e0d6aef377cde170 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 06:14:20 +0200 Subject: [PATCH 316/462] Updated Update and cleanup (markdown) --- docs/content/advanced/maintenance/update-and-cleanup.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md index 12e1adf4..48491b33 100644 --- a/docs/content/advanced/maintenance/update-and-cleanup.md +++ b/docs/content/advanced/maintenance/update-and-cleanup.md 
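Review bot: the added blockquote "Actually the upstream project is now ..." contradicts the sentence right above it, which still links `v2tec/watchtower`, and leaves readers with two image names for the same tool; update the link and image name in place rather than appending a correction as a quote (the next patch in the series does exactly this).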
@@ -2,21 +2,19 @@ Docker images are handy but it can get a a hassle to keep them updated. Also when a repository is automated you want to get these images when they get out. -There is a nice docker image that solves this issue and can be very helpful. The image is: [v2tec/watchtower](https://hub.docker.com/r/v2tec/watchtower/). - -> Actually the upstream project is now https://hub.docker.com/r/containrrr/watchtower +One could setup a complex action/hook-based workflow using probes, but there is a nice, easy to use docker image that solves this issue and could prove useful: [watchtower](https://hub.docker.com/r/containrrr/watchtower). A docker-compose example: ```yaml services: watchtower: restart: always - image: v2tec/watchtower:latest + image: containrrr/watchtower:latest volumes: - /var/run/docker.sock:/var/run/docker.sock ``` -For more details see the [manual](https://github.com/v2tec/watchtower/blob/master/README.md) +For more details see the [manual](https://containrrr.github.io/watchtower/) *** From 7fe6dc62c793c9a6c4f4479c3acfdc19f4fde712 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 06:16:30 +0200 Subject: [PATCH 317/462] Updated Update and cleanup (markdown) --- .../advanced/maintenance/update-and-cleanup.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/docs/content/advanced/maintenance/update-and-cleanup.md b/docs/content/advanced/maintenance/update-and-cleanup.md index 48491b33..c6f07ce2 100644 --- a/docs/content/advanced/maintenance/update-and-cleanup.md +++ b/docs/content/advanced/maintenance/update-and-cleanup.md @@ -1,4 +1,4 @@ -# Automatic update +## Automatic update Docker images are handy but it can get a a hassle to keep them updated. Also when a repository is automated you want to get these images when they get out. 
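Review bot: the compose example mounts `/var/run/docker.sock` into the watchtower container, which hands it full control of the Docker daemon on the host (effectively root); the sentence introducing watchtower should say that this is a privileged, unattended updater so readers can decide whether automatic image replacement of their mail server is acceptable before copying the example. Also, the unchanged context line still reads "it can get a a hassle"; this patch touches the paragraph and could fix the doubled "a".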
@@ -14,15 +14,11 @@ services: - /var/run/docker.sock:/var/run/docker.sock ``` -For more details see the [manual](https://containrrr.github.io/watchtower/) +For more details, see the [manual](https://containrrr.github.io/watchtower/) +## Automatic cleanup -*** - - -# Automatic cleanup - -When you are pulling new images in automaticly it is nice to have them cleaned as well. There is also a docker images for this (from Spotify). The image is: [spotify/docker-gc](https://hub.docker.com/r/spotify/docker-gc/). +When you are pulling new images in automatically, it would be nice to have them cleaned up as well. There is also a docker image for this: [spotify/docker-gc](https://hub.docker.com/r/spotify/docker-gc/). A docker-compose example: ```yaml @@ -34,6 +30,6 @@ services: - /var/run/docker.sock:/var/run/docker.sock ``` -For more details see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) +For more details, see the [manual](https://github.com/spotify/docker-gc/blob/master/README.md) -Or you can just use the "--cleanup" option on v2tec/watchtower. :-) \ No newline at end of file +Or you can just use the [`--cleanup`](https://containrrr.github.io/watchtower/arguments/#cleanup) option provided by containrrr/watchtower. \ No newline at end of file From bbcc7e3038ac2cce0a3cee77f1705e51289c68a3 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 10:23:58 +0200 Subject: [PATCH 318/462] better not to keep outdated example, upstream's doc is the way to go --- docs/content/config/security/ssl.md | 48 +++-------------------------- 1 file changed, 4 insertions(+), 44 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index cac6e8fa..47f91e0e 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
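Review bot: both "For more details, see the [manual](...)" sentences still lack a terminating period, and the file still ends without a newline (`\ No newline at end of file` on both sides of the last hunk); add the periods and a trailing newline. Since the `--cleanup` option of watchtower does the same job as `spotify/docker-gc`, consider stating that up front in the "Automatic cleanup" section instead of as a closing aside, so readers do not set up a second privileged container they do not need.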
@@ -311,54 +311,14 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. ### Traefik [Traefik](https://github.com/containous/traefik) is an open-source Edge Router which handles ACME protocol using [lego](https://github.com/go-acme/lego). -Traefik can request certificates for domains trougth the ACME protocol, the router will take care of renewals, challenge negotiations etc. -If you are using traefik you might want to push your certificates in the *mailserver* container. -[youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for [tomav/dockermailserver](https://github.com/tomav/docker-mailserver/) relying on the [traefik acme storage](https://docs.traefik.io/https/acme/). +Traefik can request certificates for domains trougth the ACME protocol (see [Traefik's documentation about its ACME negotiation & storage mechanism](https://docs.traefik.io/https/acme/)). Traefik's router will take care of renewals, challenge negotiations, etc. -#### Getting started +If you are using Traefik, you might want to push your Traefik-managed certificates to the *mailserver* container, in order to reuse them. Not an easy task, but fortunately, [youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for docker-mailserver. -Depending of your traefik configuration, certificates could be stored using a *file* or a *KV Store (consul, etcd...)* +Depending of your Traefik configuration, certificates may be stored using a *file* or a *KV Store (consul, etcd...) Either way, certificates will be renewed by Traefik, then automatically pushed to the mailserver thanks to the cert-renewer service. Finally, dovecot and postfix will be restarted. 
-_docker-compose example:_ -``` -services: - cert-renewer-traefik: - image: youtous/mailserver-traefik:latest - volumes: - - /var/run/docker.sock:/var/run/docker.sock - - ./acme.json:/tmp/traefik/acme.json:ro # link traefik acme.json file (read-only) - environment: - - TRAEFIK_VERSION=2 - - CERTS_SOURCE=file - - DOMAINS=mail.localhost.com - - mailserver: - image: tvial/docker-mailserver:latest - hostname: mail - domainname: localhost.com - labels: - - "mailserver-traefik.renew.domain=mail.localhost.com" # tag the service - - # traefik service declaration (you can use static configuration too) - - "traefik.enable=true" - - "traefik.port=443" # dummy port, required generating certs with traefik - - - "traefik.http.routers.mail.rule=Host(`mail.localhost.com`)" - - "traefik.http.routers.mail.entrypoints=websecure" - - "traefik.http.routers.mail.middlewares=redirect-webmail@docker" # /!\ the router must redirect every requests. - - "traefik.http.middlewares.redirect-webmail.redirectregex.regex=.*" - - "traefik.http.middlewares.redirect-webmail.redirectregex.replacement=https://webmail.localhost.com/" - - environment: - - SSL_TYPE=manual # enable SSL on the *mailserver* and store certificates in pre-defined paths - - SSL_CERT_PATH=/var/mail-state/manual-ssl/cert # don't change theses paths! - - SSL_KEY_PATH=/var/mail-state/manual-ssl/key -``` - -Certificates will be renewed by *traefik* then pushed in the *mailserver* by the *cert-renewer* service, finally, dovecot and postfix will be restarted. -
-Documentation: https://github.com/youtous/docker-mailserver-traefik. +Documentation: https://github.com/youtous/docker-mailserver-traefik ### Self-signed certificates (testing only) From 943b4a9f71b87897c6b0d99727fe0fed2464ee2c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 29 May 2020 10:25:02 +0200 Subject: [PATCH 319/462] Updated Configure SSL (markdown) --- docs/content/config/security/ssl.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 47f91e0e..b219c4c8 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
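Review bot: removing the compose example drops the only place this section showed the settings that tie the cert-renewer to the mail server, namely `SSL_TYPE=manual`, `SSL_CERT_PATH`, `SSL_KEY_PATH` and the `mailserver-traefik.renew.domain` label; keep one sentence naming them so readers know what the upstream documentation will ask them to set. In the added prose, "trougth" should be "through", "Depending of" should be "Depending on", and the emphasis in "*KV Store (consul, etcd...)" is never closed, which will italicise the rest of the paragraph when rendered.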
@@ -312,11 +312,11 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. [Traefik](https://github.com/containous/traefik) is an open-source Edge Router which handles ACME protocol using [lego](https://github.com/go-acme/lego). -Traefik can request certificates for domains trougth the ACME protocol (see [Traefik's documentation about its ACME negotiation & storage mechanism](https://docs.traefik.io/https/acme/)). Traefik's router will take care of renewals, challenge negotiations, etc. +Traefik can request certificates for domains through the ACME protocol (see [Traefik's documentation about its ACME negotiation & storage mechanism](https://docs.traefik.io/https/acme/)). Traefik's router will take care of renewals, challenge negotiations, etc. -If you are using Traefik, you might want to push your Traefik-managed certificates to the *mailserver* container, in order to reuse them. Not an easy task, but fortunately, [youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for docker-mailserver. +If you are using Traefik, you might want to _push_ your Traefik-managed certificates to the mailserver container, in order to reuse them. Not an easy task, but fortunately, [youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for docker-mailserver. -Depending of your Traefik configuration, certificates may be stored using a *file* or a *KV Store (consul, etcd...) Either way, certificates will be renewed by Traefik, then automatically pushed to the mailserver thanks to the cert-renewer service. Finally, dovecot and postfix will be restarted. +Depending of your Traefik configuration, certificates may be stored using a file or a KV Store (consul, etcd...) Either way, certificates will be renewed by Traefik, then automatically pushed to the mailserver thanks to the cert-renewer service. Finally, dovecot and postfix will be restarted. 
Documentation: https://github.com/youtous/docker-mailserver-traefik From 472088cf488ee7568663dae1681537705c19bf07 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 04:30:39 +0200 Subject: [PATCH 320/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 8e99048a..7f2c50a2 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -1,5 +1,5 @@ -Users (email accounts) are managed in `config/postfix-accounts.cf`. -Just add the full email address and its encrypted password separated by a pipe. +Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. +Just add the _full_ email address and its encrypted password, separated by a pipe. Example: From 322cd2c169cf2516a701f487aed8bc0305364389 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 04:32:43 +0200 Subject: [PATCH 321/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 7f2c50a2..29e4c228 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
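Review bot: the ssl.md hunk fixes "trougth" and the stray asterisks, but "Depending of your Traefik configuration" should be "Depending on your Traefik configuration", and the sentence "...a file or a KV Store (consul, etcd...) Either way..." needs a period after the closing parenthesis.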
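Review bot: the accounts.md hunk changes the path to `/tmp/docker-mailserver/postfix-accounts.cf`, but the rest of the same file (the `docker run` example and the "copy all the output" sentence) still refers to `config/postfix-accounts.cf`; say explicitly that one is the host-side `config/` directory and the other is where it is mounted inside the container, otherwise a reader editing the wrong one sees no effect and cannot tell why.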
@@ -1,5 +1,8 @@ -Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. -Just add the _full_ email address and its encrypted password, separated by a pipe. +Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. + +The best way to manage accounts is to use the reliable [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. + +Or you may directly add the _full_ email address and its encrypted password, separated by a pipe. Example: From dade40d66c2b27ca2001d4534760ba203addadf5 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 04:36:09 +0200 Subject: [PATCH 322/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 29e4c228..a59b5d6f 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -11,7 +11,7 @@ Example: In the example above, we've added 2 mail accounts for 2 different domains. Consequently, the mail-server will automagically be configured as multi-domains. -To generate a new mail account entry in your configuration, you could for example run the following: +Therefore, to _generate_ a new mail account data, directly from your docker host, you could for example run the following: docker run --rm \ -e MAIL_USER=user1@domain.tld \ 
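Review bot: "to _generate_ a new mail account data" is ungrammatical; "to generate the data for a new mail account" reads correctly and keeps the emphasis on generate versus add that the following hunk relies on. "directly from your docker host" could also say "directly from your Docker host, without a running mail server container", since that is the point of the `docker run --rm` example.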
@@ -19,11 +19,13 @@ To generate a new mail account entry in your configuration, you could for exampl -ti tvial/docker-mailserver:latest \ /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf -You will be asked for a password. Just copy all the output string in the file `config/postfix-accounts.cf`. +You will then be asked for a password, and be given back the data for a new account entry, as text. -The `doveadm pw` command lets you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. +To actually _add_ this new account, just copy all the output text in `config/postfix-accounts.cf` file of your running container. -> Note: changes made with this script require a restart of the container. See [#552](../issues/552) +Please note the `doveadm pw` command lets you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. + +> Note: changes to the accounts list require a restart of the container, using `supervisord`. See [#552](../issues/552) *** ## Mailbox quota From e269f4f381f2edf654a36baa4e7ef46bdd178f2f Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 04:36:25 +0200 Subject: [PATCH 323/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index a59b5d6f..c23f2862 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
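Review bot: the new instruction "To actually _add_ this new account, just copy all the output text in `config/postfix-accounts.cf`" conflicts with the unchanged context line above it, where the `docker run` command already ends in `>> config/postfix-accounts.cf`; a reader who follows both ends up with a duplicate entry. Either drop the redirect from the command or drop the copy step. Also format `doveadm pw -l` in backticks like `doveadm pw`, and say what "a restart of the container, using `supervisord`" means in practice, since readers restarting with `docker restart` or `docker-compose` will not know whether that qualifies.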
@@ -1,3 +1,5 @@ +## Adding a new account + Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. The best way to manage accounts is to use the reliable [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. From 47f1ffe65c3fbf31ac74f7065e779f5d51bbdeb6 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 04:52:34 +0200 Subject: [PATCH 324/462] Updated Configure Aliases (markdown) --- .../content/config/user-management/aliases.md | 29 ++++++++++++------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index 2bf3107a..99f4c85d 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md 
@@ -2,36 +2,43 @@ Please first read [Postfix documentation on virtual aliases](http://www.postfix. ### Configuring aliases -Aliases are managed in `config/postfix-virtual.cf`. -An alias is a full email address that will be: -* delivered to an existing account in `config/postfix-accounts.cf` +Aliases are managed in `/tmp/docker-mailserver/postfix-aliases.cf`. + +An alias is a _full_ email address that will either be: + +* delivered to an existing account registered in `/tmp/docker-mailserver/postfix-accounts.cf` * redirected to one or more other email addresses Alias and target are space separated. -Example: +Example (on a server with domain.tld as its domain): - # Alias to existing account + # Alias delivered to an existing account alias1@domain.tld user1@domain.tld - # Forward to external email address + # Alias forwarded to an external email address alias2@domain.tld external@gmail.com ### Configuring regexp aliases -Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (postfix-virtual.cf). For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: +Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (/tmp/docker-mailserver/postfix-aliases.cf). + +For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: ``` /^test[0-9][0-9]*@example.com/ qa@example.com ``` -### Address tags as an alternative +### Address tags (extension delimiters) as an alternative to aliases -Postfix supports address tags - i.e. address+tag@example.com will end up at address@example.com. This is configured by default and the (configurable) separator is set to `+`. +Postfix supports so-called address tags, in the form of plus (+) tags - i.e. 
address+tag@example.com will end up at address@example.com. -For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/). +This is configured by default and the (configurable !) separator is set to `+`. + +For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/) and the [official documentation](http://www.postfix.org/postconf.5.html#recipient_delimiter). + +Note that if you do decide to change the configurable separator, you must add the same line to *both* `config/postfix-main.cf` and `config/dovecot.cf`, because Dovecot is acting as the delivery agent. For example, to switch to `-`, add: -Note that if you do decide to change the configurable separator, you must add the same line to *both* `config/postfix-main.cf` and `config/dovecot.cf`, because Dovecot is acting as the delivery agent. For example, to switch to `-`, add ``` recipient_delimiter = - ``` From 533a224963a2c1759d50c1d6c0b800989de2d1e2 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:02:09 +0200 Subject: [PATCH 325/462] Updated Configure autodiscover (markdown) --- docs/content/config/best-practices/autodiscover.md | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/docs/content/config/best-practices/autodiscover.md b/docs/content/config/best-practices/autodiscover.md index f51a08c3..61de4190 100644 --- a/docs/content/config/best-practices/autodiscover.md +++ b/docs/content/config/best-practices/autodiscover.md 
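Review bot: The rename from `config/postfix-virtual.cf` to `/tmp/docker-mailserver/postfix-aliases.cf` in the "Configuring aliases" part of this hunk changes the file's basename, not only its path, while the regexp section in the same hunk still says `config/postfix-regexp.cf` and the accounts file is given as `/tmp/docker-mailserver/postfix-accounts.cf`; unless the project really renamed the file, readers will create a `postfix-aliases.cf` that nothing loads. Pick one convention (host-side `config/` or in-container `/tmp/docker-mailserver/`) for all three files and check the basename against what the image actually reads. Minor: `(configurable !)` has a stray space before the exclamation mark.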
@@ -1,10 +1,5 @@ -Configuring clients just with autodiscover: +Email auto-discovery means a client email is able to automagically find out about what ports and security options to use, based on the mail server URL. It can help simplify the tedious / confusing task of adding own's email account for non-tech savvy users. -* using [jsmitsnl/docker-email-autodiscover](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) -* using [jwilder/nginx-proxy](https://hub.docker.com/r/jwilder/nginx-proxy/) for ssl (recommended) +Basically, email clients will search for auto-discoverable settings and prefill almost everything when a user enters its email address :heart: -### Docker Email Autodiscover - -With docker email auto discover you can accounts find the correct email settings by just filling their email address. Client will search for auto discover settings and prefill almost everything. - -There is a full [README](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) available on the docker repo to set it up. \ No newline at end of file +There exists [docker-email-autodiscover](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) on hub.docker.com but the upstream project is actually gone from GitHub. There are some forks available though. \ No newline at end of file From e61114b4d81c43a83d80ebae08aba933a9155ccb Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:10:32 +0200 Subject: [PATCH 326/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 45 ++++++++++++++-------- 1 file changed, 29 insertions(+), 16 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 14a0c8a6..17bd8bb4 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
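Review bot: The rewrite removes the only actionable setup guidance on this page (the `jwilder/nginx-proxy` "for ssl (recommended)" bullet and the README pointer) and replaces it with "the upstream project is actually gone from GitHub. There are some forks available though." without linking any fork, so the reader now learns what autodiscover is but not how to deploy it. Since clients take server names and ports from the autodiscover response, the TLS recommendation in particular should survive; either link a maintained fork or keep the reverse-proxy guidance. Wording: "a client email" should read "an email client", and "own's" should be "one's".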
@@ -1,19 +1,26 @@ -To enable DKIM signature, you must have created your mail accounts. -Once its done, just run from inside the directory of docker-compose.yml: +DKIM is a security measure targeting email spoofing. It is greatly recommended one activates it. + +See https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail for more details on DKIM. + +## Enabling DKIM signature + +To enable DKIM signature, you must have created at least one email accounts. + +Once its done, just run the following command to generate the signature (here show from inside the directory of docker-compose.yml in order to use a volume on ./config): docker run --rm \ -v "$(pwd)/config":/tmp/docker-mailserver \ -ti tvial/docker-mailserver:latest generate-dkim-config -The default keysize is 2048 for now. If you need to change it (e.g. your DNS-Provider limits the size) provide the size as the first parameter of the command +> The default keysize when generating the signature is 2048 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: +> +> docker run --rm \ +> -v "$(pwd)/config":/tmp/docker-mailserver \ +> -ti tvial/docker-mailserver:latest generate-dkim-config 2048 - docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config 2048 +Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. -Now the keys are generated, you can configure your DNS server by just pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. - -After generating DKIM keys you should restart the app. +If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. ``` ; OpenDKIM 
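Review bot: In the blockquote that shows how to change the key size, the example command ends in `generate-dkim-config 2048`, which is exactly the default the previous sentence just stated, so it demonstrates nothing; use a different value (for example `1024`) and say it is the alternative size. The hunk also drops "After generating DKIM keys you should restart the app." from this spot (it reappears further down the file in a later hunk); make sure readers following the zone-file path still reach the restart step. Grammar: "at least one email accounts" should be "at least one email account", "Once its done" should be "Once it's done", and "here show from inside" should be "here shown from inside".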
@@ -22,7 +29,8 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " ``` -## Configuration using a web interface: +
+Configuration using a web interface 1. Generate a new record of the type `TXT`. 2. Paste `mail._domainkey` the `Name` txt field. @@ -30,19 +38,24 @@ mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. -Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines, if so then you need to concatenate the values +
+ +After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. + +Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines. If so then you need to concatenate the values in the TXT record: + ``` ; OpenDKIM mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDF..." "asdfQWERTYUIOPQSDF..." ) ; ----- DKIM key mail for domain.tld ``` -the target (or value) field must then have all the parts together `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` +the target (or value) field must then have all the parts together: `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` ## Verify-only -If you want DKIM to only verify incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): +If you want DKIM to only _verify_ incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): ``` # This is a simple config file verifying messages only @@ -97,9 +110,9 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA ``` ## Switch off DKIM -Simply remove dkim key by recreating the mailserver-container. + +Simply remove the DKIM key by recreating (not just relaunching) the mailserver container. ## DMARC -DMARC Guide: https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md - +DMARC Guide: https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md \ No newline at end of file From acc2e31ba80f826f5cb9de250a0d9bb158af43be Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:11:06 +0200 Subject: [PATCH 327/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
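Review bot: In the hunk at `@@ -22,7 +29,8 @@`, the `## Configuration using a web interface:` heading is replaced by a plain text line, so the numbered steps 1-5 that follow lose their heading and hang under "Enabling DKIM signature". Keep a `###` heading (or, if a collapsible block was intended, verify the markup actually renders in the wiki), otherwise the section disappears from the page's heading hierarchy.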
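Review bot: The multi-line key note in the hunk at `@@ -30,19 +38,24 @@` is the correctness-critical part of this page and is worth one more sentence: the example shows `"p=AZERTYUIOPQSDF..."` and `"asdfQWERTYUIOPQSDF..."` as separate quoted chunks, and the text says to join them, but it should state that no space or line break may be inserted between the chunks, because a `p=` value with whitespace in it fails to decode and signatures then silently fail verification rather than producing an obvious error. The restart instruction re-added here ("After generating DKIM keys, you should restart the mail server") applies to both the zone-file and web-interface paths, so its placement after the web-interface steps is fine but should not read as part of that block.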
diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 17bd8bb4..535a9608 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md @@ -111,8 +111,4 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA ## Switch off DKIM -Simply remove the DKIM key by recreating (not just relaunching) the mailserver container. - -## DMARC - -DMARC Guide: https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md \ No newline at end of file +Simply remove the DKIM key by recreating (not just relaunching) the mailserver container. \ No newline at end of file From d4bfb7f2b455635279a18743ccda7b811d5869e4 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:13:46 +0200 Subject: [PATCH 328/462] Updated Configure DMARC (markdown) --- docs/content/config/best-practices/dmarc.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md index d3f3aa01..e7c74451 100644 --- a/docs/content/config/best-practices/dmarc.md +++ b/docs/content/config/best-practices/dmarc.md 
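Review bot: "Simply remove the DKIM key by recreating (not just relaunching) the mailserver container." is misleading given the setup shown earlier on this page: the keys are generated into `config/opendkim/keys/domain.tld/` through the `-v "$(pwd)/config":/tmp/docker-mailserver` bind mount, so they live on the host and survive recreating the container. Switching DKIM off requires deleting the `config/opendkim` directory on the host and then recreating the container; spell out the file removal, and mention removing the `mail._domainkey` TXT record once no mail is signed anymore. The DMARC section removed here is moved to `dmarc.md` in patch 328; saying so in the commit message would make the series easier to follow.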
@@ -1,15 +1,21 @@ -In `docker-mailserver` DMARC is configured out-of the box and the only thing you need to do is to add new TXT entry to your DNS. In contrast with [DKIM](https://github.com/tomav/docker-mailserver/wiki/Configure-DKIM), DMARC DNS entry does not require any keys but just setting the [configuration values](https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags). You can either handcraft the entry by yourself or use one of available generators (like https://dmarcguide.globalcyberalliance.org/). +DMARC Guide: https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md -Typically something like this should be good to start with (don't forget to replace `domain.com` to valid addresses) +## Enabling DMARC + +In `docker-mailserver`, DMARC is pre-configured out-of the box. The only thing you need to do in order to enable it, is to add new TXT entry to your DNS. + +In contrast with [DKIM](https://github.com/tomav/docker-mailserver/wiki/Configure-DKIM), DMARC DNS entry does not require any keys, but merely setting the [configuration values](https://github.com/internetstandards/toolbox-wiki/blob/master/DMARC-how-to.md#overview-of-dmarc-configuration-tags). You can either handcraft the entry by yourself or use one of available generators (like https://dmarcguide.globalcyberalliance.org/). + +Typically something like this should be good to start with (don't forget to replace `@domain.com` to your actual domain) ``` _dmarc.domain.com. 
IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.report@domain.com; ruf=mailto:dmarc.report@domain.com; sp=none; ri=86400" ``` -Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`) +Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`): ``` _dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" ``` -DMARC status is not being displayed instantly in Gmail. If you want to check it directly after DNS entries, you can use some services around the Internet such as mentioned https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/. In other case Gmail will show "DMARC: PASS" in ~1 day or so. +DMARC status is not being displayed instantly in Gmail for instance. If you want to check it directly after DNS entries, you can use some services around the Internet such as https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/. In other case, email clients will show "DMARC: PASS" in ~1 day or so. Reference: [#1511](https://github.com/tomav/docker-mailserver/issues/1511) \ No newline at end of file From dd30d3ce553d2de8358aa52a1c708f481cec2552 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:17:04 +0200 Subject: [PATCH 329/462] Updated Configure ELK (markdown) --- docs/content/configure-elk.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md index 335ff029..1c8e7c5d 100644 --- a/docs/content/configure-elk.md +++ b/docs/content/configure-elk.md 
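Review bot: In the stricter example record, `ruf=dmarc.report@domain.com` lacks the `mailto:` scheme that the first example uses (`ruf=mailto:dmarc.report@domain.com`); `rua` and `ruf` take URIs, so as written no forensic reports will be delivered. The two records also differ in owner name (`_dmarc.domain.com.` fully qualified versus bare `_dmarc`), which matters when pasted into a zone file without a matching `$ORIGIN`; use the same form in both. Wording: "replace `@domain.com` to your actual domain" should be "replace `domain.com` with your actual domain", and "add new TXT entry" should be "add a new TXT entry".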
@@ -1,9 +1,9 @@ From [Wikipedia](https://en.wikipedia.org/wiki/Elasticsearch): >Elasticsearch can be used to search all kinds of documents. It provides scalable search, has near real-time search, and supports multitenancy. "Elasticsearch is distributed, which means that indices can be divided into shards and each shard can have zero or more replicas. Each node hosts one or more shards, and acts as a coordinator to delegate operations to the correct shard(s). Rebalancing and routing are done automatically [...]" -This implements sending mail logs to a ELK stack via filebeat client. +In this page, you will implement sending mail logs to a ELK stack via a [Filebeat client](https://www.elastic.co/beats/filebeat). -:construction: In the next release (v7.0.0), Filebeat client will not be included inside mailserver container anymore. The recommended practice is to run Filebeat in its own container (documented [below](#filebeat-container)). +:construction: Starting with release v7.0.0 of docker-mailserver, a Filebeat client will _not_ be included inside the mailserver container anymore. The recommended practice is to run Filebeat in its own container (as documented [below](#filebeat-container)). # Environment variables: **ENABLE_ELK_FORWARDER** From eeeda460a84b9399fa26f714b4a6c4da60229d3d Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:39:28 +0200 Subject: [PATCH 330/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 1c73c7bd..87e8c3d8 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
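Review bot: The `:construction:` note now states that Filebeat is removed from the image starting with v7.0.0, but the page continues with `# Environment variables: **ENABLE_ELK_FORWARDER**`; say explicitly whether that variable becomes a no-op from v7.0.0 on, otherwise readers will set it and wonder why nothing is forwarded. Grammar: "a ELK stack" should be "an ELK stack", and "In this page" should be "On this page".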
@@ -1,14 +1,21 @@ ### What kind of database are you using? -None. No *sql database required. -This image is based on config files that can be versioned. -You'll probably want to `push` your config updates to your server and restart the container to apply changes. +None! No database is required. Filesystem is the database. +This image is based on config files that can be persisted using Docker volumes, and as such versioned, backed up and so forth. ### Where are emails stored? Mails are stored in `/var/mail/${domain}/${username}`. You should use a [data volume container](https://medium.com/@ramangupta/why-docker-data-containers-are-good-589b3c6c749e#.uxyrp7xpu) for `/var/mail` to persist data. Otherwise, your data may be lost. +### How to alter the running mailserver instance _without_ relaunching the container? + +docker-mailserver aggregates multiple "sub-services", such as Postfix, Dovecot, Fail2ban, SpamAssasin, etc. In many cases, on may edit a sub-service's config and reload that very sub-service, without stopping and relaunching the whole mail server. + +In order to do so, you'll probably want to push your config updates to your server through a Docker volume, then restart the sub-service to apply your changes, using `supervisorctl`. For instance, after editing fail2ban's config: `supervisorctl restart fail2ban`. + +See [supervisorctl's documentation](http://supervisord.org/running.html#running-supervisorctl). + ### How can I sync container with host date/time? Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) descriptor with the mail-server container, using a volume: From 54e5ed90d59a908f696e0c79f01f48a98f52cbbf Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sun, 31 May 2020 05:42:37 +0200 Subject: [PATCH 331/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
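Review bot: The new "alter the running mailserver instance" answer gives `supervisorctl restart fail2ban` without saying where it runs; `supervisorctl` is inside the container, so show the full form, e.g. `docker exec -it <container_name> supervisorctl restart fail2ban`, or say to log into the container first. It is also worth noting that this only reloads the sub-service; files that the image processes at start-up (accounts, DKIM keys) still need a container restart. Typos: "on may edit" should be "one may edit", "SpamAssasin" should be "SpamAssassin"; and "Filesystem is the database." reads oddly right after "No database is required." (perhaps "the filesystem acts as the database").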
diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 87e8c3d8..c23b2060 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -16,13 +16,13 @@ In order to do so, you'll probably want to push your config updates to your serv See [supervisorctl's documentation](http://supervisord.org/running.html#running-supervisorctl). -### How can I sync container with host date/time? +### How can I sync container with host date/time? Timezone? -Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) descriptor with the mail-server container, using a volume: +Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) with the docker-mailserver container, using a Docker volume: ``` - volumes: - - /etc/localtime:/etc/localtime:ro +volumes: + - /etc/localtime:/etc/localtime:ro ``` ### What is the file format? From 3cb6c532ecc42f4e88d38ce1ab6971a52e9e9149 Mon Sep 17 00:00:00 2001 From: Sascha Scandella Date: Sun, 31 May 2020 20:58:58 +0200 Subject: [PATCH 332/462] Updated Configure Sieve filters (markdown) --- docs/content/advanced/mail-sieve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index 146f378e..b4932ea4 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md 
@@ -69,4 +69,4 @@ All user defined sieve scripts that are managed by ManageSieve are stored in the ***Note:*** ManageSieve makes sure to not overwrite an existing `.dovecot.sieve` file. If a user activates a new sieve script the old one is backuped and moved to the `sieve` folder. The extension is known to work with the following ManageSieve clients: - * Thunderbird with latest **Sieve** extension. If the extension doesn't work with the add-on available directly from within Thunderbird, try the developer build at https://github.com/thsmi/sieve. \ No newline at end of file +* **Sieve Editor** a portable standalone application based on the former Thunderbird plugin (https://github.com/thsmi/sieve). From 698cd398946d4b31c5fc9a9c5326bf405e9d7611 Mon Sep 17 00:00:00 2001 From: Sascha Scandella Date: Sun, 31 May 2020 22:29:42 +0200 Subject: [PATCH 333/462] Updated Override Default Dovecot Configuration (markdown) --- docs/content/advanced/override-defaults/dovecot.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 0f88762e..aabc6641 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -20,6 +20,13 @@ One common option to change is the maximum number of connections per user: mail_max_userip_connections = 100 ``` +Another option to change is the maximum number of connections per user: + +``` +mail_max_userip_connections = 100 +``` + +Another important option is the `default_process_limit` (defaults to 100). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. # Override configuration From dcb0bf15773997a7eed7d4825fd0811ee559aa43 Mon Sep 17 00:00:00 2001 
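Review bot: In the dovecot.md hunk of patch 333, the added paragraph "Another option to change is the maximum number of connections per user:" with `mail_max_userip_connections = 100` duplicates the context paragraph immediately above it ("One common option to change is the maximum number of connections per user:" with the same setting); drop it. Patch 334 in this series removes exactly this duplicate, so the two patches should be squashed rather than landing a duplicate and then reverting it.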
From: Sascha Scandella Date: Sun, 31 May 2020 22:30:00 +0200 Subject: [PATCH 334/462] Updated Override Default Dovecot Configuration (markdown) --- docs/content/advanced/override-defaults/dovecot.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index aabc6641..50245176 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -20,12 +20,6 @@ One common option to change is the maximum number of connections per user: mail_max_userip_connections = 100 ``` -Another option to change is the maximum number of connections per user: - -``` -mail_max_userip_connections = 100 -``` - Another important option is the `default_process_limit` (defaults to 100). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. # Override configuration From f91e577d53ac2f8b49dafadf20607e2ab1d86570 Mon Sep 17 00:00:00 2001 From: Sascha Scandella Date: Sun, 31 May 2020 22:30:20 +0200 Subject: [PATCH 335/462] Updated Override Default Dovecot Configuration (markdown) --- docs/content/advanced/override-defaults/dovecot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 50245176..6d93ee32 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md 
@@ -20,7 +20,7 @@ One common option to change is the maximum number of connections per user: mail_max_userip_connections = 100 ``` -Another important option is the `default_process_limit` (defaults to 100). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. +Another important option is the `default_process_limit` (defaults to `100`). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. # Override configuration From 61096f58fe9ec5adfc8fdb035120768239d0e08b Mon Sep 17 00:00:00 2001 From: Sascha Scandella Date: Sun, 31 May 2020 22:31:50 +0200 Subject: [PATCH 336/462] Updated Override Default Dovecot Configuration (markdown) --- docs/content/advanced/override-defaults/dovecot.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/override-defaults/dovecot.md b/docs/content/advanced/override-defaults/dovecot.md index 6d93ee32..85c0d02b 100644 --- a/docs/content/advanced/override-defaults/dovecot.md +++ b/docs/content/advanced/override-defaults/dovecot.md @@ -20,7 +20,7 @@ One common option to change is the maximum number of connections per user: mail_max_userip_connections = 100 ``` -Another important option is the `default_process_limit` (defaults to `100`). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. +Another important option is the `default_process_limit` (defaults to `100`). If high-security mode is enabled you'll need to make sure this count is higher than the maximum number of users that can be logged in simultaneously. This limit is quickly reached if users connect to the mail server with multiple end devices. # Override configuration From 78b09c20abe0f94e97d2992cfa468fc6cb826ede Mon Sep 17 00:00:00 2001 
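Review bot: In the patch 336 hunk, the added sentence "This limit is quickly reached if users connect to the mail server with multiple end devices." contradicts the sizing rule on the same line, "higher than the maximum number of users that can be logged in simultaneously": if each device holds its own connection, `default_process_limit` must exceed the number of simultaneous client connections (users times devices, and IMAP clients commonly open several connections each), not the number of users. Suggest rewording to "higher than the maximum number of simultaneous client connections, not merely users". Patches 335 and 336 each touch this single line; squash them.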
From: Jean-Denis Vauguet Date: Mon, 1 Jun 2020 02:31:12 +0200 Subject: [PATCH 337/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index 952a5702..e542ea18 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md 
@@ -4,20 +4,22 @@ From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): To add a SPF record in your DNS, insert the following line in your DNS zone: - ; Check that MX is declared + ; MX record must be declared for SPF to work domain.com. IN MX 1 mail.domain.com. - ; Add SPF record + ; SPF record domain.com. IN TXT "v=spf1 mx ~all" -This enables the Softfail mode for SPF. It is a good setting for getting started and testing everything. After verification, you might want to change your SPF record to: `v=spf1 mx -all`, to enforce the policy! +This enables the _Softfail_ mode for SPF. You could first add this SPF record with a very low TTL. +_SoftFail_ is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox. +After verification, you _might_ want to change your SPF record to `v=spf1 mx -all` so as to enforce the _HardFail_ policy. See https://www.spf-record.com/syntax for more details about SPF policies. -Increment DNS serial and reload configuration. +In any case, increment the SPF record's TTL to its final value. ## Backup MX, Secondary MX -For whitelisting a IP-Address from the SPF test, you can create a config file(See [policyd-spf.conf](http://www.linuxcertif.com/man/5/policyd-spf.conf/)) and mount that file into `/etc/postfix-policyd-spf-python/policyd-spf.conf` +For whitelisting a IP-Address from the SPF test, you can create a config file (see [policyd-spf.conf](http://www.linuxcertif.com/man/5/policyd-spf.conf/)) and mount that file into `/etc/postfix-policyd-spf-python/policyd-spf.conf`. **Example:** From 8f4e56c98b178d926cd3effe7c6fc710eff5b7d3 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Mon, 1 Jun 2020 02:42:55 +0200 Subject: [PATCH 338/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
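Review bot: "_SoftFail_ is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox." overstates what `~all` does: softfail only tells the receiver that mail from a host not listed in the record is probably unauthorised; whether such mail is delivered, tagged or rejected is decided by the receiver's policy, not by the sender's record. Reword along the lines of "receivers are asked to accept but flag mail from unlisted hosts". The hunk also replaces "Increment DNS serial and reload configuration." with a sentence about raising the TTL; for readers editing a zone file by hand the serial bump is still required for the change to be served, so keep both instructions. Grammar: "a IP-Address" should be "an IP address".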
diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index e542ea18..1acb4b2f 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md @@ -13,7 +13,7 @@ To add a SPF record in your DNS, insert the following line in your DNS zone: This enables the _Softfail_ mode for SPF. You could first add this SPF record with a very low TTL. _SoftFail_ is a good setting for getting started and testing, as it lets all email through, with spams tagged as such in the mailbox. -After verification, you _might_ want to change your SPF record to `v=spf1 mx -all` so as to enforce the _HardFail_ policy. See https://www.spf-record.com/syntax for more details about SPF policies. +After verification, you _might_ want to change your SPF record to `v=spf1 mx -all` so as to enforce the _HardFail_ policy. See http://www.open-spf.org/SPF_Record_Syntax/ for more details about SPF policies. In any case, increment the SPF record's TTL to its final value. From 9ff7e1eaa372753d29256817fe4cb8938cd5d5d9 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Mon, 1 Jun 2020 02:53:42 +0200 Subject: [PATCH 339/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index 1acb4b2f..d4b65d87 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md 
@@ -2,6 +2,8 @@ From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): > Sender Policy Framework (SPF) is a simple email-validation system designed to detect email spoofing by providing a mechanism to allow receiving mail exchangers to check that incoming mail from a domain comes from a host authorized by that domain's administrators. The list of authorized sending hosts for a domain is published in the Domain Name System (DNS) records for that domain in the form of a specially formatted TXT record. Email spam and phishing often use forged "from" addresses, so publishing and checking SPF records can be considered anti-spam techniques. +For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md + To add a SPF record in your DNS, insert the following line in your DNS zone: ; MX record must be declared for SPF to work From 2b745c9f81f5ecb687d033ece8e75980d00a37fb Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Mon, 1 Jun 2020 02:54:02 +0200 Subject: [PATCH 340/462] Updated Configure SPF (markdown) --- docs/content/config/best-practices/spf.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/best-practices/spf.md b/docs/content/config/best-practices/spf.md index d4b65d87..c82f381a 100644 --- a/docs/content/config/best-practices/spf.md +++ b/docs/content/config/best-practices/spf.md @@ -4,6 +4,8 @@ From [Wikipedia](https://en.wikipedia.org/wiki/Sender_Policy_Framework): For a more technical review: https://github.com/internetstandards/toolbox-wiki/blob/master/SPF-how-to.md +## Add a SPF record + To add a SPF record in your DNS, insert the following line in your DNS zone: ; MX record must be declared for SPF to work From 1dc4328ed58d609ee6f0d11b471ad81d82012334 Mon Sep 17 00:00:00 2001 
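Review bot: In the patch 340 hunk, "## Add a SPF record" should read "## Add an SPF record"; the context line "To add a SPF record in your DNS" carries the same article error and could be fixed in the same change. Patches 339 and 340 each add two lines at the same spot of spf.md; squash them.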
From: Sascha Scandella Date: Thu, 4 Jun 2020 23:49:10 +0200 Subject: [PATCH 341/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index c23b2060..bf29a33b 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -248,7 +248,7 @@ The only thing is that we provide a `self-signed` certificate tool and a `letsen ### I just moved from my old mail server but "it doesn't work". If this migration implies a DNS modification, be sure to wait for DNS propagation before opening an issue. Few examples of symptoms can be found [here](https://github.com/tomav/docker-mailserver/issues/95) or [here](https://github.com/tomav/docker-mailserver/issues/97). -This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. +This could be related to a modification of your `MX` record, or the IP mapped to `mail.my-domain.tld`. Additionally, [validate your DNS configuration](https://intodns.com/). If everything is OK regarding DNS, please provide [formatted logs](https://guides.github.com/features/mastering-markdown/) and config files. This will allow us to help you. From 56c0eac64c90b0f54f4cc1e609bc1b0d6ded5173 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 22:15:25 +0200 Subject: [PATCH 342/462] Updated Home (markdown) --- docs/content/index.md | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 7c7c29bd..39979b2b 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
@@ -1,10 +1,13 @@ -Please have a look at the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) to setup and configure this server. -Detailed examples are provided in the wiki navigation links. +**Welcome to the extended documentation for docker-mailserver!** -Some further hints: +Please first have a look at the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) to setup and configure this server. +This wiki provides you with advanced configuration, detailed examples, hints… (see navigation on the right side). -- A setup.sh script is supplied which supports you in configuring this server. -Information on how to use and get it is supplied [here](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) -- A list of all configuration options is provided in the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) -- A list of all optional and automatically created configuration files and directories is located [here](https://github.com/tomav/docker-mailserver/wiki/List-of-optional-config-files-&-directories) -- See the [FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips) for some more tips +**To get you started:** + +- A `setup.sh` script is supplied with this project, which supports you in configuring and administrating your server. + - Information on how to get it & how to use it is available [in the dedicated page](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). + - Be aware that advanced tasks may still require tweaking env vars, reading through documentation and sometimes inspecting your running container for debug. Feel free to ask for help by [creating an issue](https://github.com/tomav/docker-mailserver/issues) with all relevant information. +- A list of all configuration options is provided in the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md). 
That is a good starting point to understand what this image is capable of. +- A list of all optional and automatically created configuration files and directories is available [in the dedicated page](https://github.com/tomav/docker-mailserver/wiki/List-of-optional-config-files-&-directories). +- See the [FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips) for some more tips! From cf7c86c55777d07c8b77a9eb4c54c77981d07263 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 22:37:53 +0200 Subject: [PATCH 343/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- ...er-mailserver-using-the-script-setup.sh.md | 31 +++++++++++++------ 1 file changed, 21 insertions(+), 10 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index d19a382c..fa93a56d 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -1,16 +1,18 @@ The latest version of the script `setup.sh` is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: -``` +```sh wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh ``` -if you use curl: -``` + +Or if you use curl: + +```sh curl -o setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh ``` -Run `./setup.sh` without arguments and you get some usage informations. +Run `./setup.sh` without arguments and you'll get some usage informations: -``` +```sh Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] [args] OPTIONS: 
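Review bot: "administrating" in the new `setup.sh` bullet should be "administering", and "to setup and configure this server" should be "to set up and configure this server" (verb form). The sub-bullet that invites readers to open an issue "with all relevant information" is where people paste `docker-compose` files, env files and logs, so it is worth adding that credentials, API keys and private hostnames should be redacted first, since the tracker is public. Also, "(see navigation on the right side)" ties the text to the current wiki theme; "see the navigation links" would survive a layout change.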
@@ -50,23 +52,32 @@ SUBCOMMANDS: ./setup.sh debug inspect ./setup.sh debug login ``` -# email + +## email + * `./setup.sh email add []`: Add an email-account (\ is optional) * `./setup.sh email update []`: Change the password of an email-account (\ is optional) * `./setup.sh email del `: delete an email-account * `./setup.sh email restrict []`: deny users to send or receive mail. You can also list the respective denied mail-accounts. * `./setup.sh email list`: list all existing email-accounts -# alias + +## alias * `./setup.sh alias add `: add an alias(email) for an email-account(recipient) * `./setup.sh alias del `: delete an alias * `./setup.sh alias list`: list all aliases -# quota + +## quota + * `./setup.sh quota set []`: define the quota of a mailbox (quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))) * `./setup.sh quota del `: delete the quota of a mailbox -# config + +## config + * `./setup.sh config dkim (default: 2048)`: autoconfig the dkim-config with an (optional) keysize value * `./setup.sh config ssl`: generate ssl-certificates -# debug + +## debug + * `./setup.sh debug fetchmail`: see [wiki](https://github.com/tomav/docker-mailserver/wiki/Retrieve-emails-from-a-remote-mail-server-%28using-builtin-fetchmail%29#debugging) * `./setup.sh debug fail2ban `: omitt all options to get a list of banned IPs, otherwise unban the specified IP. * `./setup.sh debug show-mail-logs`: show the logfile contents of the mail container From fd0a302149a253ec4809bd7e3530ed757cbcf173 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 22:39:39 +0200 Subject: [PATCH 344/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
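Review bot: the `curl -o setup.sh https://...; chmod a+x ./setup.sh` line in the first hunk will save an HTML error page as `setup.sh` and make it executable if the download fails, because `curl` exits 0 on an HTTP 404 unless `-f` is given, and `;` runs `chmod` regardless of the download result; `curl -fsSLo setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh && chmod a+x ./setup.sh` fails loudly instead, and the same `&&` applies to the `wget` variant. Both commands fetch an unpinned script from `master` and mark it executable in one go, so the page should at least tell readers to look at the script before running it, or point at a tagged release. Smaller items in this hunk: "usage informations" should be "usage information", and the `Usage: ./setup.sh ...` block is program output rather than shell input, so a ```` ```text ```` fence fits better than ```` ```sh ````.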
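Review bot: as the second hunk reads, the argument placeholders in the subcommand entries are empty (`./setup.sh email add []`, `./setup.sh email del `, `./setup.sh quota set []`), and the stray `\` in "(\ is optional)" suggests angle-bracketed names that did not survive rendering; check that the bracketed argument names are escaped or kept inside code spans so the Markdown renderer does not drop them. "omitt" in the `debug fail2ban` entry should be "omit", "deny users to send or receive mail" reads better as "deny users the right to send or receive mail", and `./setup.sh config ssl`: "generate ssl-certificates" would be clearer as "generate self-signed SSL certificates" if that is what the subcommand does (the earlier FAQ in this series mentions a self-signed certificate tool).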
diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index fa93a56d..78af9c45 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -1,4 +1,7 @@ -The latest version of the script `setup.sh` is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: +`setup.sh` is an administration script that helps with the most common tasks, including initial configuration. +It is intented to be used from the host machine, _not_ from within your running container. + +The latest version of the script is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: ```sh wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh From bce48753d39ce3d679b3dffcec0fe44ddf2c1b30 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 22:40:40 +0200 Subject: [PATCH 345/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 78af9c45..111f48aa 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
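Review bot: "intented" in the new second line should be "intended". The point that the script runs on the host and not inside the container is a useful one to make early, since the script talks to the Docker daemon; the sentence could say so ("it drives the running container through Docker from the host") so readers understand why.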
@@ -1,5 +1,4 @@ -`setup.sh` is an administration script that helps with the most common tasks, including initial configuration. -It is intented to be used from the host machine, _not_ from within your running container. +[`setup.sh`](https://github.com/tomav/docker-mailserver/blob/master/setup.sh) is an administration script that helps with the most common tasks, including initial configuration. It is intented to be used from the host machine, _not_ from within your running container. The latest version of the script is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: From 02ce180bc33b6b9d6776fb6b57a84b60746b61c2 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 22:42:44 +0200 Subject: [PATCH 346/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 111f48aa..d5f9e39b 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
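Review bot: the merged line still carries "intented" (should be "intended"); worth fixing while the sentence is being rewritten anyway. Linking `setup.sh` to `blob/master/setup.sh` matches the raw download URL used further down, which keeps the two references consistent.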
@@ -1,6 +1,6 @@ [`setup.sh`](https://github.com/tomav/docker-mailserver/blob/master/setup.sh) is an administration script that helps with the most common tasks, including initial configuration. It is intented to be used from the host machine, _not_ from within your running container. -The latest version of the script is included in the `docker-mailserver` repository. Get the last version to the script by copying this command in your console: +The latest version of the script is included in the `docker-mailserver` repository. You may retrieve it at any time by running this command in your console: ```sh wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh @@ -12,7 +12,9 @@ Or if you use curl: curl -o setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh ``` -Run `./setup.sh` without arguments and you'll get some usage informations: +## Usage + +Run `./setup.sh` without arguments and you'll get some usage information: ```sh Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] [args] From 7c27debb068a1feca82b917a17bdab7c588763be Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 23:51:01 +0200 Subject: [PATCH 347/462] Created A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 56 +++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 docs/content/a-mail-server's-101.md diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md new file mode 100644 index 00000000..181a65af --- /dev/null +++ b/docs/content/a-mail-server's-101.md 
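Review bot: the usage block placed under the new "## Usage" heading in the second hunk is program output, not a shell command, so highlighting it as ```` ```sh ```` will colour `OPTIONS:` and the bracketed arguments as if they were shell syntax; a ```` ```text ```` fence (or an untagged fence) represents it more honestly. The "informations" → "information" fix is good.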
@@ -0,0 +1,56 @@ +What is a mail server and how does it perform its duty? +Here's an introduction to the field that covers everything you need to know to get started with docker-mailserver. + +## Anatomy of a mail server + +A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of emails. + +This project provides with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. + +Similar to the client side, there are many components making up the server side. Specialized piece of software handle receiving emails, sending emails, filtering emails, etc. The docker-mailserver project made some informed choices and offers a comprehensive platform to run a feature-full mail exchange server. + +## Components + +The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): + +- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client sending emails to arbitrary mail servers, and most of the times, fetching emails from such servers. +- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) are the so-called "mail servers", as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails from clients. But it also is responsible for transferring emails to other, specialized programs, which may be either MTA (for further transferring) or "final destination" aka. mailboxes. 
+- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails and dropping it into its recipient's mailbox, whichever the form. + +There may be other moving parts or sub-divisions, but that's the big picture. + +docker-mailserver provides you with the following agents: + +- MTA: Postfix +- MDA: Dovecot + +One important thing to note is that both programs actually handle multiple tasks. For instance, Postfix is both an SMTP server (accepting email) and an MTA (transfering email); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called mail server). + +For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports, which may be secured using different schemes. + +## About security, ports… + +### SMTP + +A MUA sending an email to a [SMTP](https://en.wikipedia.org/wiki/SMTP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Postfix. The MUA may be anything, and its submission/request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. + +**The best practice as of 2020 would be [SMTPS](https://en.wikipedia.org/wiki/SMTPS) over port 465**. It has the server _enforce_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). With this setup, the mail server should deny any client attempting at submitting emails in plain text; it should require a TLS-encrypted exchange to exist from the get go (no connection upgrade using an opt-in STARTTLS mechanism). 
That SMTPS setup uses port 465 and _Implicit_ (aka. enforced) TLS encryption. + +Another well-documented, extensively used mail submission setup is SMTP+STARTTLS. It uses _Explicit_ (aka. opportunistic) TLS over port 587, with an opt-in TLS upgrade of the client-to-server connection using using [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS). With this setup, the mail server should accept unencrypted requests but should automatically respond to the client with an "offer" to upgrade the connection to a TLS-encrypted one; but it also should allow the client to deny that proposal and eventually still accept unencrypted mail exchange (although some servers may eventually deny unencrypted trafic). Overall, this setup requires more configuration and is less secure by design (hence the name "opportunistic"). As of 2020, it is recommended by RFC 8314 for mail servers to support it, but as a to-be-deprecated protocol and to encourage clients to switch to SMTPS. + +A final setup exists and is akin SMTP+STARTTLS, but over port 25. That port has historically been reserved specifically for plain text mail exchange. One may upgrade the connection on port 25 to a TLS-encrypted one, but that should be considered a non-normative usage. It's better reserving port 25 for plain text trafic in order to support older clients, and inter-MTA exchange (although obviously non-secure). + +### IMAP + +A MUA reading emails from an [IMAP](https://en.wikipedia.org/wiki/IMAP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Dovecot. The MUA may be anything, and its retrieval request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. 
+ +As with SMTP (described above), the IMAP protocol may be secured with either: _Implicit_ (enforced) TLS (aka. [IMAPS](https://en.wikipedia.org/wiki/IMAPS), sometimes written IMAP4S); or _Explicit_ (opportunistic) TLS using STARTTLS. + +**The best practice as of 2020 would be IMAPS over port 993**, rather than IMAP+STARTTLS over port 143 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). + +### POP3 + +Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (aka. POP3S); or _Explicit_ (opportunistic) TLS using STARTTLS. + +**The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) over port 995**, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS over port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). + From bd61c9e52fe76e68b11231d6ebc46e29f183d59b Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 23:54:21 +0200 Subject: [PATCH 348/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 181a65af..fe2e3361 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
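Review bot: the SMTP+STARTTLS paragraph of this new page states that a port-587 server "should allow the client to deny that proposal and eventually still accept unencrypted mail exchange", and the next paragraph calls TLS on port 25 "a non-normative usage"; both describe an optional-TLS deployment rather than what a hardened submission service does, and the port table added later in this series (PATCH 356) says the opposite for this project: connections on 110, 143 and 587 that cannot be secured are rejected, and port 25 is listed with opt-in STARTTLS as the normal inter-MTA case. Suggest stating that STARTTLS is only "opportunistic" when the server lets it be, that a submission port should require TLS before accepting AUTH (which is what removes the downgrade risk), and that STARTTLS on port 25 is how MTA-to-MTA traffic gets encrypted when both ends support it, with plain text as the fallback. Smaller items: "This project provides with the server portion" → "provides the server portion"; "Specialized piece of software handle" → "Specialized pieces of software handle"; "a Mail Transfer Agent are the so-called" → "is the so-called"; "using using" is doubled; "transfering" and "trafic" → "transferring" and "traffic"; "For both Postfix and Dovecot need to be accessible" → "Because both Postfix and Dovecot need to be accessible"; "attempting at submitting" → "attempting to submit".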
@@ -7,7 +7,9 @@ A mail server is only a part of a [client-server relationship](https://en.wikipe This project provides with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. -Similar to the client side, there are many components making up the server side. Specialized piece of software handle receiving emails, sending emails, filtering emails, etc. The docker-mailserver project made some informed choices and offers a comprehensive platform to run a feature-full mail exchange server. +Unlike the client side where usually a single program is used, there are many components making up the server. Specialized piece of software handle atomic tasks, such as receiving emails, dropping emails into mailboxes, sending emails to other mail servers, filtering emails, exposing emails to authorized clients, etc. + +The docker-mailserver project made some informed choices and offers a comprehensive platform to run a feature-full mail exchange server. ## Components From c571eb7cfc999be7950db0c4b2d4aaa885becb09 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 23:54:51 +0200 Subject: [PATCH 349/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index fe2e3361..91b4dd09 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
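Review bot: "Specialized piece of software handle atomic tasks" in the rewritten paragraph keeps the subject/verb mismatch from the old line; "Specialized pieces of software handle atomic tasks" fixes it. "Unlike the client side where usually a single program is used" also wants a comma after "side". Splitting the docker-mailserver sentence into its own paragraph reads well.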
@@ -9,7 +9,7 @@ This project provides with the server portion, whereas "the" client can be anyth Unlike the client side where usually a single program is used, there are many components making up the server. Specialized piece of software handle atomic tasks, such as receiving emails, dropping emails into mailboxes, sending emails to other mail servers, filtering emails, exposing emails to authorized clients, etc. -The docker-mailserver project made some informed choices and offers a comprehensive platform to run a feature-full mail exchange server. +The docker-mailserver project has made some informed choices about those components and offers a comprehensive platform to run a feature-full mail server. ## Components From 9202770e2d57418011d6f539a618059c1a7f038c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 23:55:45 +0200 Subject: [PATCH 350/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 91b4dd09..607b08a2 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
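Review bot: "feature-full" in the rewritten sentence is non-standard; "full-featured" is the usual form.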
@@ -15,7 +15,7 @@ The docker-mailserver project has made some informed choices about those compone The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): -- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client sending emails to arbitrary mail servers, and most of the times, fetching emails from such servers. +- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers. - MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) are the so-called "mail servers", as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails from clients. But it also is responsible for transferring emails to other, specialized programs, which may be either MTA (for further transferring) or "final destination" aka. mailboxes. - MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails and dropping it into its recipient's mailbox, whichever the form. From 5a7a4c6f532513f23ae811b4cf6fdf15fb1451c1 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Tue, 9 Jun 2020 23:58:37 +0200 Subject: [PATCH 351/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 607b08a2..b04bcdf0 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
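Review bot: the rewritten MUA bullet puts a semicolon before "and most of the times", which splits a single sentence oddly, and "most of the times" should be "most of the time". Suggest "... capable of sending emails to arbitrary mail servers, and most of the time also capable of fetching emails from such servers."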
@@ -16,8 +16,8 @@ The docker-mailserver project has made some informed choices about those compone The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): - MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers. -- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) are the so-called "mail servers", as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails from clients. But it also is responsible for transferring emails to other, specialized programs, which may be either MTA (for further transferring) or "final destination" aka. mailboxes. -- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails and dropping it into its recipient's mailbox, whichever the form. +- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails: either from MUAs or from other MTA (the latter task being symmetrical, meaning a MTA is also is capable of sending/transferring emails to other MTA, hence the name). +- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA, but instead of forwarding it, it is capable of dropping those emails into their recipients' mailboxes, whichever the form. There may be other moving parts or sub-divisions, but that's the big picture. From b2d8f1b338b388b1027e092c423d0db2f43de7b3 Mon Sep 17 00:00:00 2001 
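Review bot: the new MTA bullet has a doubled verb in "a MTA is also is capable", mixes "a MTA" with the "an MTA" used in the MDA bullet ("an MTA" is correct), and uses "other MTA" where the plural "other MTAs" is meant. In the MDA bullet, "accepting emails from an MTA, but instead of forwarding it" should be "forwarding them" to agree with "emails".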
From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:02:38 +0200 Subject: [PATCH 352/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index b04bcdf0..74e58edc 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -19,19 +19,21 @@ The following components are required to create a [complete delivery chain](http - MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails: either from MUAs or from other MTA (the latter task being symmetrical, meaning a MTA is also is capable of sending/transferring emails to other MTA, hence the name). - MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA, but instead of forwarding it, it is capable of dropping those emails into their recipients' mailboxes, whichever the form. -There may be other moving parts or sub-divisions, but that's the big picture. +There may be other moving parts or sub-divisions. For instance, at several point specialized programs may be filtering, bouncing, editing… exchanged emails. -docker-mailserver provides you with the following agents: +In a nutshell, docker-mailserver provides you with the following agents: - MTA: Postfix - MDA: Dovecot -One important thing to note is that both programs actually handle multiple tasks. For instance, Postfix is both an SMTP server (accepting email) and an MTA (transfering email); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called mail server). +and with some specialized, companion programs to form a complete delivery chain (minus the MUA of course). -For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports, which may be secured using different schemes. +> One important thing to know is that both the MTA and MDA programs actually handle _multiple_ tasks. 
For instance, Postfix is both an SMTP server (accepting email) and an MTA (transfering email); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called mail server). On top of that, Postfix may rely on Dovecot's authentication capabilities. The exact relationship between all the components and their respective or, sometimes, shared responsibilities is beyond the scope of this document. Explore the wiki to get more insights about the toolchain. ## About security, ports… +For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports, which may be secured using different schemes. + ### SMTP A MUA sending an email to a [SMTP](https://en.wikipedia.org/wiki/SMTP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Postfix. The MUA may be anything, and its submission/request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. From 645a9c63f2fb32246e70b15615b77dcd0d54ec8c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:04:34 +0200 Subject: [PATCH 353/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 74e58edc..e225c42b 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
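Review bot: "at several point specialized programs may be filtering, bouncing, editing… exchanged emails" needs "points", and the ellipsis before the object makes the sentence hard to parse; "at several points, specialized programs may filter, bounce or edit the emails being exchanged" is clearer. The sentence moved under "About security, ports…", "For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports", uses "For" as a conjunction in a way most readers will misread; "Because both Postfix and Dovecot need to be reachable from the outside, they listen on TCP ports, which may be secured in different ways" says the same thing plainly. "transfering" in the blockquote should be "transferring". The added remark that Postfix may rely on Dovecot's authentication is a good pointer; naming the page in this wiki that covers it would save readers a search.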
@@ -38,7 +38,7 @@ For both Postfix and Dovecot need to be accessible from the outside to act as se A MUA sending an email to a [SMTP](https://en.wikipedia.org/wiki/SMTP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Postfix. The MUA may be anything, and its submission/request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. -**The best practice as of 2020 would be [SMTPS](https://en.wikipedia.org/wiki/SMTPS) over port 465**. It has the server _enforce_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). With this setup, the mail server should deny any client attempting at submitting emails in plain text; it should require a TLS-encrypted exchange to exist from the get go (no connection upgrade using an opt-in STARTTLS mechanism). That SMTPS setup uses port 465 and _Implicit_ (aka. enforced) TLS encryption. +**The best practice as of 2020 would be [SMTPS](https://en.wikipedia.org/wiki/SMTPS) over port 465**. It has the server _enforce_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). With this setup, the mail server should deny any client attempting at submitting emails in plain text; it should require a TLS-encrypted exchange to exist from the get go (no connection upgrade using an opt-in STARTTLS mechanism, see next paragraph). That SMTPS setup is said to _Implicit_ (aka. enforced) TLS encryption. Another well-documented, extensively used mail submission setup is SMTP+STARTTLS. It uses _Explicit_ (aka. 
opportunistic) TLS over port 587, with an opt-in TLS upgrade of the client-to-server connection using using [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS). With this setup, the mail server should accept unencrypted requests but should automatically respond to the client with an "offer" to upgrade the connection to a TLS-encrypted one; but it also should allow the client to deny that proposal and eventually still accept unencrypted mail exchange (although some servers may eventually deny unencrypted trafic). Overall, this setup requires more configuration and is less secure by design (hence the name "opportunistic"). As of 2020, it is recommended by RFC 8314 for mail servers to support it, but as a to-be-deprecated protocol and to encourage clients to switch to SMTPS. From 87be1104cb19dd6b47e51b44b7d170348fd4f8b1 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:13:41 +0200 Subject: [PATCH 354/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index e225c42b..bc39dc0c 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
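Review bot: the rewritten closing sentence, "That SMTPS setup is said to _Implicit_ (aka. enforced) TLS encryption", lost its verb; "is said to use _Implicit_ (aka. enforced) TLS" or "is referred to as _Implicit_ TLS" fixes it. The added "see next paragraph" cross-reference is helpful, but the paragraph it points to still says a port-587 server should accept unencrypted exchange if the client declines STARTTLS, which the port table added later in this file (PATCH 356) contradicts for this project; the two passages should be reconciled in the same page so readers do not configure against the wrong description.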
@@ -58,3 +58,10 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a **The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) over port 995**, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS over port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). +## How does docker-mailserver help with setting everything up? + +As an _all batteries included_ Docker image, docker-mailserver provides all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file allow you to tweak your setup extensively. + +The default configuration may _not_ be considered 100% secure, because it aims at supporting all kinds of clients, including older ones not able to use TLS-encrypted connections. It is up to you deciding which kind of transportation encryption to use / enforce. + +The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may the explore this wiki to cover additional topics. From 66f2f6fb4e5c9eb3ef8c355ee018a30bc2dda126 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:15:52 +0200 Subject: [PATCH 355/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index bc39dc0c..2448b62c 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
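Review bot: "the env-mailserver configuration file allow you" needs "allows"; "It is up to you deciding which kind of transportation encryption to use / enforce" should be "It is up to you to decide which kind of transport encryption to use or enforce"; "You may the explore this wiki" should be "You may then explore this wiki". On substance, the paragraph warns that the default configuration "may not be considered 100% secure" because it accepts clients without TLS, but does not say which setting changes that; a pointer to the relevant option in `env-mailserver.dist` (or to the wiki page that covers it) would make the warning actionable instead of just alarming.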
@@ -60,8 +60,8 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a ## How does docker-mailserver help with setting everything up? -As an _all batteries included_ Docker image, docker-mailserver provides all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file allow you to tweak your setup extensively. +As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control. The default configuration may _not_ be considered 100% secure, because it aims at supporting all kinds of clients, including older ones not able to use TLS-encrypted connections. It is up to you deciding which kind of transportation encryption to use / enforce. -The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may the explore this wiki to cover additional topics. +The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may the explore this wiki to cover additional topics, including but not limited to, security. From ace11eb9664487ac1afde2ab8e8e241ddd4300a2 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:23:41 +0200 Subject: [PATCH 356/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
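Review bot: "You may the explore this wiki" survives into the rewritten last line (should be "then"), "for a complete control" should be "for complete control", and "additional topics, including but not limited to, security" has its commas misplaced ("additional topics, including but not limited to security"). The "batteries included" rewording and the mention of the optional advanced files are fine.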
diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 2448b62c..75ef71c9 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -58,6 +58,20 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a **The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) over port 995**, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS over port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). +### Summary of ports/security setups + +| Protocol | Opt-in Encryption1 | Enforced Encryption | Purpose | +|----------|---------------------------------|---------------------|----------------------| +| SMTP | 25 | N/A | Transfer2 | +| ESMTP | 587 _(deprecated4)_ | 4653 | Submission | +| POP3 | 110 _(deprecated4)_ | 995 | Retrieval | +| IMAP4 | 143 _(deprecated4)_ | 993 | Retrieval | + +1. A connection *may* be secured over TLS when _both_ ends support `STARTTLS`. On ports 110, 143 and 587, `docker-mailserver` will reject a connection that cannot be secured _(preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading)_. Port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections. +2. Port 25 receives email and filters for spam and viruses. For submitting outgoing mail you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall). +3. Port 465 is a submission port since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS. +4. [RFC 8314](https://tools.ietf.org/html/rfc8314) is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS). 
+ ## How does docker-mailserver help with setting everything up? As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control. From e1d01de2bcc4f381d04c79c89dc0fb38db59b5e9 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:33:27 +0200 Subject: [PATCH 357/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 75ef71c9..4ae7284e 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
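Review bot: marking 587 as "(deprecated4)" overstates RFC 8314, which recommends implicit TLS on 465 for submission but does not withdraw STARTTLS on 587; servers are expected to keep offering both. The same RFC registers the service name "submissions" for 465, so footnote 3's "now dedicated to SMTPS" should read "now dedicated to implicit-TLS submission"; for consistency with footnote 4's "implicit mode" the column header "Enforced Encryption" would be clearer as "Implicit TLS". Footnote 1's downgrade claim needs a caveat: requiring STARTTLS stops a STARTTLS-stripping attacker from forcing cleartext, but it does not stop an active MITM that presents its own certificate to a client that does not verify the server certificate. The superscript footnote markers are glued to cell contents in plain text ("4653" reads as a port number, "Transfer2" as a word); use a visible separator such as `465 <sup>3</sup>`. Typos: "trough a downgrading" should be "through a downgrade", and footnote 4 should read "recommends that cleartext exchanges be abandoned and that all three ... be used only in implicit mode".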
@@ -60,16 +60,18 @@ Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (a ### Summary of ports/security setups -| Protocol | Opt-in Encryption1 | Enforced Encryption | Purpose | -|----------|---------------------------------|---------------------|----------------------| -| SMTP | 25 | N/A | Transfer2 | -| ESMTP | 587 _(deprecated4)_ | 4653 | Submission | -| POP3 | 110 _(deprecated4)_ | 995 | Retrieval | -| IMAP4 | 143 _(deprecated4)_ | 993 | Retrieval | +When talking about emails, the following applies: -1. A connection *may* be secured over TLS when _both_ ends support `STARTTLS`. On ports 110, 143 and 587, `docker-mailserver` will reject a connection that cannot be secured _(preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading)_. Port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections. -2. Port 25 receives email and filters for spam and viruses. For submitting outgoing mail you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall). -3. Port 465 is a submission port since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS. +| Protocol | Purpose | Default port w/ opt-in Encryption1 | Enforced Encryption | +|----------|----------------------|-----------------------------------------------|------------------------| +| SMTP | Transfer2 | 25 | N/A | +| ESMTP | Submission | 587 _(deprecated4)_ | SMTPS 4653 | +| POP3 | Retrieval | 110 _(deprecated4)_ | POP3S 995 | +| IMAP4 | Retrieval | 143 _(deprecated4)_ | IMAPS 993 | + +1. 
An insecure, unencrypted connection *may* be upgraded to a secured one (over TLS) when _both_ ends support the `STARTTLS` mechanism. On ports 110, 143 and 587, `docker-mailserver` *will* reject a connection that cannot be secured with STARTTLS (_preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading_). Note that port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections; whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces). +2. Port 25 is for _incoming_ mail transfer_, ie. it receives email and may filter for spam and viruses upon reception. For transferring _outgoing_ mail (eg. sending emails from within docker-mailserver to another mail server), you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall). +3. Port 465 is a submission port again since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS. 4. [RFC 8314](https://tools.ietf.org/html/rfc8314) is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS). ## How does docker-mailserver help with setting everything up? From 6bfeca219f3870edb04e8a9fb9bf45451bb0e088 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 00:35:14 +0200 Subject: [PATCH 358/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
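Review bot: footnote 2 now contradicts itself: it tells the reader to prefer the submission ports (465, 587) for "sending emails from within docker-mailserver to another mail server", then says in the next sentence that such outgoing mail leaves via port 25. Submission ports are for an authenticated client (MUA) handing mail to this server; server-to-server transfer is port 25 unless a relay host is configured. Suggest "For a mail client submitting outgoing mail to docker-mailserver, use the submission ports (465, 587), which require authentication; mail that docker-mailserver then delivers to other servers leaves via port 25 ...". In footnote 1, "which docker-mailserver enforces" is backed only by the linked `smtpd_tls_security_level`, a Postfix setting that covers 587; ports 110 and 143 are served by Dovecot, whose equivalent is `ssl = required`, so either link that too or restrict the claim. Also: stray underscore in "_incoming_ mail transfer_", "trough" should be "through", and "ie."/"eg." should be "i.e."/"e.g.".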
diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 4ae7284e..10e9b696 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -78,6 +78,6 @@ When talking about emails, the following applies: As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control. -The default configuration may _not_ be considered 100% secure, because it aims at supporting all kinds of clients, including older ones not able to use TLS-encrypted connections. It is up to you deciding which kind of transportation encryption to use / enforce. +The default configuration may _not_ be considered 100% secure as it enforces opportunistic connections using STARTTLS. The reason is because the project aims at supporting, by default, all kinds of clients including older ones not able to use enforced TLS-encrypted connections. It is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. -The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may the explore this wiki to cover additional topics, including but not limited to, security. +The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 8bdaef68903540abcee81e89f4f27441f0f696b2 Mon Sep 17 00:00:00 2001 
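Review bot: "it enforces opportunistic connections using STARTTLS" is a contradiction in terms. In Postfix, `smtpd_tls_security_level = may` is opportunistic (cleartext is allowed if the client never issues STARTTLS) and `encrypt` is mandatory STARTTLS; the page's later revisions say the default is `encrypt`, so write "as it relies on STARTTLS negotiated on a cleartext port rather than implicit TLS on dedicated ports" and name the level. "transportation encryption" should be "transport encryption".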
From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 01:07:10 +0200 Subject: [PATCH 359/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 10e9b696..3a4d702f 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -76,8 +76,8 @@ When talking about emails, the following applies: ## How does docker-mailserver help with setting everything up? -As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control. +As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! -The default configuration may _not_ be considered 100% secure as it enforces opportunistic connections using STARTTLS. The reason is because the project aims at supporting, by default, all kinds of clients including older ones not able to use enforced TLS-encrypted connections. It is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. +When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections. 
Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) by default :relieved: It is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 52067e7ff0f2732bff08a54aa26ba7deb4f100a3 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 01:19:51 +0200 Subject: [PATCH 360/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 3a4d702f..2f0392b2 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
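Review bot: "no plain text exchange will occur in case a client denies a STARTTLS offer" overstates what `encrypt` guarantees: the banner, EHLO and the refusal itself still travel in the clear; what the setting prevents is authentication and message transfer before TLS is negotiated (Postfix answers `530 5.7.0 Must issue a STARTTLS command first`). The linked `smtpd_tls_security_level` is also Postfix-only, so it says nothing about IMAP/POP3, which Dovecot serves; either cite Dovecot's `ssl = required` as well or limit the sentence to port 587. Style: "not able (== not configured)" should be "unable or not configured", "for docker-mailserver is using" reads as an archaic "for", and the ":relieved:" emoji fits poorly in reference docs.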
@@ -78,6 +78,6 @@ When talking about emails, the following applies: As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! -When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) by default :relieved: It is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. +When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections. 
Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 48cf8a5eee840ba492da0c7dc2fb0f29d66f80a9 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 01:40:19 +0200 Subject: [PATCH 361/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 2f0392b2..d3fdb5e5 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
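Review bot: "will drop the client unencrypted request" is imprecise. With `encrypt`, Postfix does not drop the connection; it rejects commands such as MAIL FROM with `530 5.7.0 Must issue a STARTTLS command first` until the client negotiates TLS. Suggest "will refuse to authenticate or accept mail until STARTTLS has been negotiated". "Eventually it is up to you" should be "Ultimately it is up to you" ("eventually" means "at some later time").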
@@ -3,7 +3,7 @@ Here's an introduction to the field that covers everything you need to know to g ## Anatomy of a mail server -A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of emails. +A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of emails. Exchanging emails requires using specific means (programs and protocols). This project provides with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. From 328f2e2ecf849276b349dcfc73a63370c369914f Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 01:55:07 +0200 Subject: [PATCH 362/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d3fdb5e5..5c871ff3 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
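Review bot: "This project provides with the server portion" should be "This project provides the server portion"; "a console, text-only software" should be "a console-based, text-only client"; "eg." should be "e.g.".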
@@ -78,6 +78,8 @@ When talking about emails, the following applies: As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! -When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. +When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. 
Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: + +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). It means clients without support for TLS are not supported by default. Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 1027ec309e2f16c1d52ecbc41f26344b802f1a63 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 02:54:51 +0200 Subject: [PATCH 363/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 5c871ff3..ce55edaa 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
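Review bot: RFC 2487 is the wrong citation for the "old" STARTTLS recommendation; it was obsoleted by RFC 3207 (2002), which is the current SMTP STARTTLS specification, so cite RFC 3207 (or both, with dates). "enforcing TLS, either opportunistic or implicit" mixes terms again, since opportunistic TLS is by definition not enforced; write "mandatory STARTTLS or implicit TLS". "clients without support for TLS are not supported by default" only holds for submission and retrieval: port 25 still accepts cleartext, as the footnotes above this section say, so qualify it. "recommandation" should be "recommendation".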
@@ -80,6 +80,6 @@ As a _batteries included_ Docker image, docker-mailserver provides you with all When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). It means clients without support for TLS are not supported by default. Eventually it is up to you deciding which kind of transportation encryption to use / enforce, and set up your instance accordingly. +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. It does mean clients without support for TLS are not supported by default though. 
Eventually, it is up to you deciding which kind of transportation encryption to use / enforce, and customize your instance accordingly, with the help of the project's documentation. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 3987a8638f89379861057db56a05e3da3ef2e44c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 02:57:53 +0200 Subject: [PATCH 364/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index ce55edaa..b80a3e4e 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
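Review bot: "most MUA (clients)" should be "most MUAs (mail clients)", and "Eventually, it is up to you" should be "Ultimately, it is up to you". The trailing "with the help of the project's documentation" duplicates the README sentence that follows and can be dropped.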
@@ -80,6 +80,6 @@ As a _batteries included_ Docker image, docker-mailserver provides you with all When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. It does mean clients without support for TLS are not supported by default though. Eventually, it is up to you deciding which kind of transportation encryption to use / enforce, and customize your instance accordingly, with the help of the project's documentation. +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. 
It does mean clients without support for TLS are not supported by default though. Eventually, it is up to you deciding which kind of transportation encryption to use / enforce, and customize your instance accordingly (looser or stricter security), with the help of the project's documentation. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From 66203427db600adfb1f60398fff239a764bf7240 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 03:14:21 +0200 Subject: [PATCH 365/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index b80a3e4e..e748c55a 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
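Review bot: the split sentence keeps "Eventually" (should be "Ultimately"), and "(looser or stricter security)" reads better as "to loosen or tighten security". "It does mean ... though" still needs the port 25 qualification noted on the earlier hunk.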
@@ -78,8 +78,14 @@ When talking about emails, the following applies: As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! -When it comes to security, one may consider docker-mailserver's default configuration to _not_ be 100% secure, as it uses _opportunistic_ connections using STARTTLS instead of _enforcing_ TLS-encrypted connection (SMTPS, IMAPS). That choice has been consciously made for the project aims at supporting, _by default and without custom configuration required_, all kinds of clients, including ones not able (== not configured) to use enforced/implicit TLS-encrypted connections, but still capable of handling opportunistic TLS. Please note though that _no plain text exchange will occur_ in case a client denies a STARTTLS offer, for docker-mailserver is using a [strict offer](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) (`encrypt`) by default and will drop the client unencrypted request :relieved: +When it comes to security, one may consider docker-mailserver's **default** configuration to _not_ be 100% secure: -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. It does mean clients without support for TLS are not supported by default though. 
Eventually, it is up to you deciding which kind of transportation encryption to use / enforce, and customize your instance accordingly (looser or stricter security), with the help of the project's documentation. +- it supports port 25 (unencrypted trafic by design) +- it enforces [strict opportunistic](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) TLS-encrypted connections on ports 110 (POP3), 143 (IMAP) and 587 (SMTP) using STARTTLS +- it does _not_ support enforced TLS-encrypted connections (POP3S, IMAPS, SMTPS) + +That default setup has been consciously chosen, for the project aims at supporting _by default and without custom configuration required_ all kinds of clients, including ones not supporting TLS, or ones not able (== not configured) to use enforced/implicit TLS-encrypted connections but still capable of handling opportunistic TLS. + +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS; while still supporting unencrypted exchange on port 25. Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From ee16eceb481d7aa95f50869827b7511f2e8c425a Mon Sep 17 00:00:00 2001 
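Review bot: the new bullet list contradicts the paragraph after it and the port table above. Bullet 3 says implicit TLS (POP3S, IMAPS, SMTPS) is "not supported", yet the closing paragraph describes the default as "enforcing TLS, either opportunistic or implicit", and the table lists 465/993/995; if the intended meaning is "not enabled by default", say so and name the setting that enables them. Bullet 2 says ports 110/143/587 require STARTTLS, so the claim that the default supports clients "not supporting TLS" cannot hold for those ports; only port 25 accepts cleartext, and mail clients do not connect there. "strict opportunistic" is still a contradiction (`encrypt` is mandatory STARTTLS); "trafic" should be "traffic" and "recommandation" should be "recommendation".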
From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 03:15:06 +0200 Subject: [PATCH 366/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index e748c55a..025b9454 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -81,7 +81,7 @@ As a _batteries included_ Docker image, docker-mailserver provides you with all When it comes to security, one may consider docker-mailserver's **default** configuration to _not_ be 100% secure: - it supports port 25 (unencrypted trafic by design) -- it enforces [strict opportunistic](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) TLS-encrypted connections on ports 110 (POP3), 143 (IMAP) and 587 (SMTP) using STARTTLS +- it enforces [strict (`encrypt`) opportunistic](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) TLS-encrypted connections on ports 110 (POP3), 143 (IMAP) and 587 (SMTP) using STARTTLS - it does _not_ support enforced TLS-encrypted connections (POP3S, IMAPS, SMTPS) That default setup has been consciously chosen, for the project aims at supporting _by default and without custom configuration required_ all kinds of clients, including ones not supporting TLS, or ones not able (== not configured) to use enforced/implicit TLS-encrypted connections but still capable of handling opportunistic TLS. From 34ddfbaff2849e7bc80d57b7f707425f905b82fd Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 03:16:42 +0200 Subject: [PATCH 367/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 025b9454..39f7d517 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
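Review bot: adding "(`encrypt`)" helps, but "strict (`encrypt`) opportunistic TLS" still pairs Postfix's mandatory level with the word for its optional one (`may`); write "mandatory STARTTLS (`smtpd_tls_security_level = encrypt`)". The link is Postfix-only while the bullet also covers 110 and 143, which Dovecot serves, so mention `ssl = required` for those.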
@@ -86,6 +86,6 @@ When it comes to security, one may consider docker-mailserver's **default** conf That default setup has been consciously chosen, for the project aims at supporting _by default and without custom configuration required_ all kinds of clients, including ones not supporting TLS, or ones not able (== not configured) to use enforced/implicit TLS-encrypted connections but still capable of handling opportunistic TLS. -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and abides by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS; while still supporting unencrypted exchange on port 25. Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes slightly beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and, through configuration, makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. 
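Review bot: "goes slightly beyond RFC 2487" still cites a document obsoleted by RFC 3207 in 2002, and "recommandation" is misspelled. "through configuration, makes it pretty easy to abide by" is the one actionable statement in the paragraph and would be far more useful if it named or linked the option(s) that expose the implicit-TLS ports.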
From f5de8197f80053f1a558b7e18ec62f2f7e2a8e5c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Wed, 10 Jun 2020 03:18:48 +0200 Subject: [PATCH 368/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 39f7d517..79a277be 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -86,6 +86,8 @@ When it comes to security, one may consider docker-mailserver's **default** conf That default setup has been consciously chosen, for the project aims at supporting _by default and without custom configuration required_ all kinds of clients, including ones not supporting TLS, or ones not able (== not configured) to use enforced/implicit TLS-encrypted connections but still capable of handling opportunistic TLS. -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes slightly beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation and, through configuration, makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314), under the assumption that most MUA (clients) nowadays support TLS. Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. +We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes slightly beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation, and with developper-friendly configuration settings, makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314) by exposing POP3S/IMAPS/SMTPS. + +Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. 
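Review bot: "developper-friendly" should be "developer-friendly", "recommandation" is still misspelled, and moving "Eventually, it is up to you..." into its own paragraph keeps the wrong word ("Ultimately" is meant). The new "by exposing POP3S/IMAPS/SMTPS" uses pre-RFC 8314 nicknames; RFC 8314 registers these as the `pop3s`, `imaps` and `submissions` services, and the page's next revision itself says "SMTPS" is incorrect, so write "implicit-TLS POP3/IMAP/submission on ports 995/993/465" here for consistency with the rest of the document.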
From cbfe8425bcaa5edeb95ba8156c5df3ec4bad09bf Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 05:48:11 +0200 Subject: [PATCH 369/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 170 ++++++++++++++++++++-------- 1 file changed, 123 insertions(+), 47 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 79a277be..41217287 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -3,91 +3,167 @@ Here's an introduction to the field that covers everything you need to know to g ## Anatomy of a mail server -A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of emails. Exchanging emails requires using specific means (programs and protocols). +A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of [emails](https://en.wikipedia.org/wiki/Email). Exchanging emails requires using specific means (programs and protocols). -This project provides with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. +docker-mailserver provides you with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. -Unlike the client side where usually a single program is used, there are many components making up the server. Specialized piece of software handle atomic tasks, such as receiving emails, dropping emails into mailboxes, sending emails to other mail servers, filtering emails, exposing emails to authorized clients, etc. +Unlike the client side where usually a single program is used to perform retrieval and reading of emails, the server side is composed of many specialized components. 
"The" mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software, which must be integrated with one another. -The docker-mailserver project has made some informed choices about those components and offers a comprehensive platform to run a feature-full mail server. +docker-mailserver has made some informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a feature-full mail server in no time! ## Components The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): -- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers. -- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting emails: either from MUAs or from other MTA (the latter task being symmetrical, meaning a MTA is also is capable of sending/transferring emails to other MTA, hence the name). -- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA, but instead of forwarding it, it is capable of dropping those emails into their recipients' mailboxes, whichever the form. +- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers and presenting them to the end users. 
+- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. More specifically, it's a piece of software dedicated to accepting, and in some cases, transfering/relaying emails. A MTA may accept incoming emails either from MUAs or from other MTAs. It may then relay emails to either other MTAs or, eventually, an MDA. +- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from a MTA, but instead of forwarding it to another MTA, it is responsible for dropping emails into their recipients' mailboxes, whichever the form. -There may be other moving parts or sub-divisions. For instance, at several point specialized programs may be filtering, bouncing, editing… exchanged emails. +Here's a schematic view of mail delivery: -In a nutshell, docker-mailserver provides you with the following agents: +```txt +Sending an email: MUA ---> MTA ---> MTA ---> ... ---> MTA ---> MDA +Fetching an email: MUA <--------------------------------------- MDA +``` -- MTA: Postfix -- MDA: Dovecot +There may be other moving parts or sub-divisions (for instance, at several point along the chain, specialized programs may be analyzing, filtering, bouncing, editing… the exchanged emails). -and with some specialized, companion programs to form a complete delivery chain (minus the MUA of course). +In a nutshell, docker-mailserver provides you with the following components: -> One important thing to know is that both the MTA and MDA programs actually handle _multiple_ tasks. For instance, Postfix is both an SMTP server (accepting email) and an MTA (transfering email); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called mail server). On top of that, Postfix may rely on Dovecot's authentication capabilities. 
The exact relationship between all the components and their respective or, sometimes, shared responsibilities is beyond the scope of this document. Explore the wiki to get more insights about the toolchain. +- MTA: [Postfix](http://www.postfix.org/) +- MDA: [Dovecot](https://dovecot.org/) +- a bunch of additional programs to improve security and emails processing -## About security, ports… +Here's where docker-mailserver's toochain fits within the delivery chain: -For both Postfix and Dovecot need to be accessible from the outside to act as servers, they expose themselves through TCP ports, which may be secured using different schemes. +```txt + docker-mailserver is here: + ┏━━━━━━━┓ +Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ +Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ + ┗━━━━━━━┛ +``` -### SMTP +By default, docker-mailserver does not act as a relay nor does it accept emails from relays. It only handles direct email trafic, bound to a specific hostname. Thus our schema can be further simplified to look like this: -A MUA sending an email to a [SMTP](https://en.wikipedia.org/wiki/SMTP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Postfix. The MUA may be anything, and its submission/request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. +```txt + docker-mailserver is here: + ┏━━━━━━━┓ +Sending an email: MUA ---> ┫ MTA ╮ ┃ +Fetching an email: MUA <--- ┫ MDA ╯ ┃ + ┗━━━━━━━┛ +``` -**The best practice as of 2020 would be [SMTPS](https://en.wikipedia.org/wiki/SMTPS) over port 465**. 
It has the server _enforce_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security) (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). With this setup, the mail server should deny any client attempting at submitting emails in plain text; it should require a TLS-encrypted exchange to exist from the get go (no connection upgrade using an opt-in STARTTLS mechanism, see next paragraph). That SMTPS setup is said to _Implicit_ (aka. enforced) TLS encryption. +> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through many relaying HTTP servers (simply not MTA servers). -Another well-documented, extensively used mail submission setup is SMTP+STARTTLS. It uses _Explicit_ (aka. opportunistic) TLS over port 587, with an opt-in TLS upgrade of the client-to-server connection using using [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS). With this setup, the mail server should accept unencrypted requests but should automatically respond to the client with an "offer" to upgrade the connection to a TLS-encrypted one; but it also should allow the client to deny that proposal and eventually still accept unencrypted mail exchange (although some servers may eventually deny unencrypted trafic). Overall, this setup requires more configuration and is less secure by design (hence the name "opportunistic"). As of 2020, it is recommended by RFC 8314 for mail servers to support it, but as a to-be-deprecated protocol and to encourage clients to switch to SMTPS. +One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). -A final setup exists and is akin SMTP+STARTTLS, but over port 25. 
That port has historically been reserved specifically for plain text mail exchange. One may upgrade the connection on port 25 to a TLS-encrypted one, but that should be considered a non-normative usage. It's better reserving port 25 for plain text trafic in order to support older clients, and inter-MTA exchange (although obviously non-secure). +For instance, Postfix is both a SMTP server (accepting emails) and a relaying MTA (transfering ie. sending emails to other MTA/MDA); Dovecot is both a MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called "mail server"). On top of that, Postfix may rely on Dovecot's authentication capabilities! -### IMAP +The exact relationship between all the components and their respective (and sometimes, shared) responsibilities is beyond the scope of this document. Please explore this wiki & the web to get more insights about docker-mailserver's toolchain. -A MUA reading emails from an [IMAP](https://en.wikipedia.org/wiki/IMAP) server communicates using data packets exchanged over a network that both the client and the server are part of. In the case of docker-mailserver, the server is Dovecot. The MUA may be anything, and its retrieval request is (most frequently!) performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may, or may not, be secured in order to counter eavesdropping. +## About security & ports -As with SMTP (described above), the IMAP protocol may be secured with either: _Implicit_ (enforced) TLS (aka. [IMAPS](https://en.wikipedia.org/wiki/IMAPS), sometimes written IMAP4S); or _Explicit_ (opportunistic) TLS using STARTTLS. +In the previous section, different components were outlined. Each one of those is responsible for a specific task, it has a specific purpose. 
-**The best practice as of 2020 would be IMAPS over port 993**, rather than IMAP+STARTTLS over port 143 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). +Three main purposes exist when it comes to exchanging emails: -### POP3 +- _Submission_: for a MUA (client), the act of sending actual email data over the network, toward a MTA (server). +- _Transfer_ (aka. _Relay_): for a MTA, the act of sending actual email data over the network, toward another MTA (server) closer to the final destination (where a MTA will forward data to a MDA). +- _Retrieval_: for a MUA (client), the act of fetching actual email data over the network, from a MDA. -Similarly to IMAP, POP3 may be secured with either: _Implicit_ (enforced) TLS (aka. POP3S); or _Explicit_ (opportunistic) TLS using STARTTLS. +Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports. Those endpoints _may_ be secured, using an encryption scheme. -**The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) over port 995**, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS over port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). +When it comes to the specifics of email exchange, we have to look at protocols and ports enabled to support all the identified purposes. There are several valid options and they've been evolving overtime. 
-### Summary of ports/security setups +**Here's docker-mailserver's _default_ configuration:** -When talking about emails, the following applies: +| Purpose | Protocol | TCP port / encryption | +|----------------|----------|--------------------------------| +| Transfer/Relay | SMTP | 25 (unencrypted) | +| Submission | ESMTP | 587 (encrypted using STARTTLS) | +| Retrieval | IMAP4 | 143 (encrypted using STARTTLS) + 993 (TLS) | +| Retrieval | POP3 | _Not activated_ | -| Protocol | Purpose | Default port w/ opt-in Encryption1 | Enforced Encryption | -|----------|----------------------|-----------------------------------------------|------------------------| -| SMTP | Transfer2 | 25 | N/A | -| ESMTP | Submission | 587 _(deprecated4)_ | SMTPS 4653 | -| POP3 | Retrieval | 110 _(deprecated4)_ | POP3S 995 | -| IMAP4 | Retrieval | 143 _(deprecated4)_ | IMAPS 993 | +If you're new to the field, that table may be confusing. +Read on to gain insights about docker-mailserver's configuration and how you may customize it. -1. An insecure, unencrypted connection *may* be upgraded to a secured one (over TLS) when _both_ ends support the `STARTTLS` mechanism. On ports 110, 143 and 587, `docker-mailserver` *will* reject a connection that cannot be secured with STARTTLS (_preventing [MITM attacks](https://stackoverflow.com/questions/15796530/what-is-the-difference-between-ports-465-and-587/32460763#32460763) trough a downgrading_). Note that port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections; whereas other ports are not and may be limited to STARTTLS (which docker-mailserver enforces). -2. Port 25 is for _incoming_ mail transfer_, ie. it receives email and may filter for spam and viruses upon reception. For transferring _outgoing_ mail (eg. 
sending emails from within docker-mailserver to another mail server), you should prefer the submission ports (465, 587), which require authentication in docker-mailserver. Unless a relay host is configured, outgoing email will _leave_ the server via port 25 (thus outbound traffic must not be blocked by your provider or firewall). -3. Port 465 is a submission port again since 2018, see [RFC 8314](https://tools.ietf.org/html/rfc8314). Originally a secure variant of port 25, it is now dedicated to SMTPS. -4. [RFC 8314](https://tools.ietf.org/html/rfc8314) is recommending that clear text exchanges to be abandoned and that all three common IETF mail protocols to be used only in implicit mode (no STARTTLS). +On a final note, here's what docker-mailserver's default configuration provides you with (feel free to skip this schema for now): + +```txt + ┏━━━━━━━━ Submission ━━━━━━━━┓┏━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━━┓ + ┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +Sending an email: MUA --- STARTTLS --> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ + |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ +Fetching an email: MUA <-- STARTTLS --- ┤(143) MDA ╯ | + <---- TLS ------ ┤(993) | + └────────────────────┘ + ┗━━━━━━━━━ Retrieval ━━━━━━━━━┛ +``` + +### Submission - SMTP + +A MUA willing to send an email to a MTA needs to establish a connection with that server, then push data packets over a network that both the MUA (client) and the MTA (server) are connected to. The server implements the [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) protocol, which makes it capable of handling _Submission_. + +In the case of docker-mailserver, the MTA (SMTP server) is Postfix. The MUA (client) may vary, yet its Submission request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. 
+ +The best practice as of 2020 would be to handle emails Submission using an _Implicit TLS connection with an ESMTP server on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. + +- Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting at submitting emails in plain text (== not secure) or requesting a plain text connection to be upgraded to a TLS-encrypted one (== eventually secure). It is also known as Enforced TLS. +- [ESMTP](https://en.wikipedia.org/wiki/ESMTP) is [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous. +- Port 465 is _de facto_ the TCP port that's reserved for Implicit TLS SMTP connections. There is a boisterus history to it, but let's keep it simple. + +> Note: this Submission setup is sometimes refered to as [SMTPS](https://en.wikipedia.org/wiki/SMTPS). Long story short: this is incorrect and should be avoided. + +Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a plain text connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. 
Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. + +In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal, and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. + +- **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** +- It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. +- It does not support old MUAs (clients) not supporting TLS encryption. One may relax that constraint through advanced custom configuration, for backwards compatibility. + +A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. 
As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients (Submission), but most importantly for unencrypted Transfer/Relay between MTAs. + +- **docker-mailserver's default configuration enables unencrypted (plain text) for Transfer/Relay on port 25.** +- It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Transfer/Relay. +- One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. + +### Retrieval - IMAP + +A MUA willing to fetch an email from a mail server will most likely communicate with its [IMAP](https://en.wikipedia.org/wiki/IMAP) server. As with SMTP described earlier, communication will take place in the form of data packets exchanged over a network that both the client and the server are connected to. The IMAP protocol makes the server capable of handling _Retrieval_. + +In the case of docker-mailserver, the IMAP server is Dovecot. The MUA (client) may vary, yet its Retrieval request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. + +Again, as with SMTP described earlier, the IMAP protocol may be secured with either Implicit TLS (aka. [IMAPS](https://en.wikipedia.org/wiki/IMAPS)/IMAP4S) or Explicit TLS (using STARTTLS). + +The best practice as of 2020 is to enforce IMAPS on port 993, rather than IMAP+STARTTLS on port 143 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)); yet the latter is usually provided for backwards compatibility. 
+ +**docker-mailserver's default configuration enables both Implicit and Explicit TLS for Retrievial, on ports 993 and 143 respectively.** + +### Retrieval - POP3 + +Similarly to IMAP, the older POP3 protocol may be secured with either Implicit or Explicit TLS. + +The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) on port 995, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS on port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). + +**docker-mailserver's default configuration disables POP3 altogether.** One should expect MUAs to use TLS-encrypted IMAP for Retrieval. ## How does docker-mailserver help with setting everything up? -As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration to run a mail server. On top of that, the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file (and some other optional, advanced files!) allow you to tweak your setup extensively. You may even derive your own image from docker-mailserver for a complete control! +As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration, to run a decent and secure mail server. -When it comes to security, one may consider docker-mailserver's **default** configuration to _not_ be 100% secure: +One may customize all aspects of internal components. +- Simple customization is supported through [docker-compose configuration](https://github.com/tomav/docker-mailserver/blob/master/docker-compose.yml.dist) and the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file. 
+- Advanced customization is supported through providing "monkey-patching" configuration files and/or [deriving your own image](https://github.com/tomav/docker-mailserver/blob/master/Dockerfile) from docker-mailserver's upstream, for a complete control over how things run! -- it supports port 25 (unencrypted trafic by design) -- it enforces [strict (`encrypt`) opportunistic](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level) TLS-encrypted connections on ports 110 (POP3), 143 (IMAP) and 587 (SMTP) using STARTTLS -- it does _not_ support enforced TLS-encrypted connections (POP3S, IMAPS, SMTPS) +On the subject of security, one might consider docker-mailserver's **default** configuration to _not_ be 100% secure: -That default setup has been consciously chosen, for the project aims at supporting _by default and without custom configuration required_ all kinds of clients, including ones not supporting TLS, or ones not able (== not configured) to use enforced/implicit TLS-encrypted connections but still capable of handling opportunistic TLS. +- it enables unencrypted trafic on port 25 for Transfer/Relay (between MTAs for MX service) +- it enables Explicit TLS (STARTTLS) on port 587 for SMTP, instead of Implicit TLS on port 465 -We believe docker-mailserver's default configuration (enforcing TLS, either opportunistic or implicit) to be a good middle ground: it goes slightly beyond [RFC 2487](https://tools.ietf.org/html/rfc2487) "old" (1999) recommandation, and with developper-friendly configuration settings, makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314) by exposing POP3S/IMAPS/SMTPS. +We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). 
-Eventually, it is up to you deciding exactly what kind of transportation encryption to use and/or enforce, and to customize your instance accordingly (looser or stricter security); with the help of the project's documentation. +Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. From d4fc2087767b6b2ef696e597638647b7f081ec25 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 05:57:55 +0200 Subject: [PATCH 370/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 41217287..54e83e1f 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
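Review bot: "It is very likely email trafic will hop through many relaying HTTP servers (simply not MTA servers)" is wrong. An SMTP or IMAP session between a MUA and this server is a single end-to-end TCP connection; what sits in between are IP routers, not HTTP servers and not relays of any kind. Replace with "will traverse many network hops (routers), none of which are MTAs".

The port-25 bullets contradict each other: "It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default" is immediately followed by "One may also secure Transfer/Relay on port 25 using ... DANE and/or MTA-STS", but DANE and MTA-STS are policies that authenticate the STARTTLS certificate offered on port 25; without STARTTLS there they do nothing. Please verify the first bullet against the image's Postfix `main.cf` and `master.cf` (a global `smtpd_tls_security_level` applies to the port-25 `smtpd` as well unless `master.cf` overrides it per service), and state the real reason port 25 must keep accepting plain text: RFC 3207 says a publicly referenced MX must not require STARTTLS to deliver mail. Relatedly, "docker-mailserver uses port 25 for unencrypted Submission in order to support older clients" blurs the Submission/Transfer distinction this very hunk introduces; Submission belongs on 587/465 (RFC 6409, RFC 8314), so either say explicitly that authenticated submission is accepted on 25 or drop "Submission" from that sentence.

The new table lists "143 (encrypted using STARTTLS) + 993 (TLS)" as the default, while the text this hunk removes said the default "does _not_ support enforced TLS-encrypted connections (POP3S, IMAPS, SMTPS)"; one of the two is wrong, please confirm which ports Dovecot actually listens on by default and make the "not 100% secure" bullets at the end match.

Spelling and grammar: "toochain", "trafic" (several), "transfering", "boisterus", "refered", "Retrievial", "developper", "recommandation"; "a MTA"/"a MUA"/"a MDA" should be "an MTA"/"an MUA"/"an MDA"; "enforces the client into using" should be "requires the client to use"; "Eventually, it is up to _you_" should be "Ultimately".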
@@ -85,22 +85,21 @@ When it comes to the specifics of email exchange, we have to look at protocols a | Retrieval | IMAP4 | 143 (encrypted using STARTTLS) + 993 (TLS) | | Retrieval | POP3 | _Not activated_ | -If you're new to the field, that table may be confusing. -Read on to gain insights about docker-mailserver's configuration and how you may customize it. - -On a final note, here's what docker-mailserver's default configuration provides you with (feel free to skip this schema for now): - ```txt - ┏━━━━━━━━ Submission ━━━━━━━━┓┏━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━━┓ - ┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -Sending an email: MUA --- STARTTLS --> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ - |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ -Fetching an email: MUA <-- STARTTLS --- ┤(143) MDA ╯ | - <---- TLS ------ ┤(993) | - └────────────────────┘ - ┗━━━━━━━━━ Retrieval ━━━━━━━━━┛ + ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ + ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +Sending an email: MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ + ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| +Fetching an email: MUA <---- STARTTLS ---- ┤(143) MDA ╯ | + <-- enforced TLS -- ┤(993) | + └─────────────────────┘ + ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ ``` +If you're new to the field, both that table and schema may be confusing. +Read on to gain insights about all those concepts, docker-mailserver's configuration and how you could customize it. + ### Submission - SMTP A MUA willing to send an email to a MTA needs to establish a connection with that server, then push data packets over a network that both the MUA (client) and the MTA (server) are connected to. The server implements the [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) protocol, which makes it capable of handling _Submission_. 
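Review bot: the added "---- plain text --> ┤(25)" row under MUA draws cleartext submission on port 25 as part of the default picture, which contradicts "docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587" and invites readers to configure clients that way; either drop the row or label it "(legacy clients only)". The labels are also inconsistent: 993 is "enforced TLS" while 587 and 143 are plain "STARTTLS", yet the text says STARTTLS is enforced (`encrypt`) on those ports too. Use "STARTTLS (required)" for 587/143 and "implicit TLS" for 993 so nobody infers that 587/143 accept unencrypted sessions.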
From 10dc34fee858123c114ba07e27b52c100203d23c Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 05:58:30 +0200 Subject: [PATCH 371/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 54e83e1f..1a9c42f7 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -86,15 +86,15 @@ When it comes to the specifics of email exchange, we have to look at protocols a | Retrieval | POP3 | _Not activated_ | ```txt - ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ - ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -Sending an email: MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ - ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ - |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| -Fetching an email: MUA <---- STARTTLS ---- ┤(143) MDA ╯ | - <-- enforced TLS -- ┤(993) | - └─────────────────────┘ - ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ + ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ + ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +Sending an email: MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ + ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| +Fetching an email: MUA <---- STARTTLS ---- ┤(143) MDA ╯ | + <-- enforced TLS -- ┤(993) | + └─────────────────────┘ + ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ ``` If you're new to the field, both that table and schema may be confusing. From a7f3c8b8827c9c5942b46e93b85add8d1385bfc5 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 05:59:16 +0200 Subject: [PATCH 372/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
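Review bot: this hunk is whitespace-only; the removed and added diagram lines are identical apart from alignment, and the stat line confirms 9 insertions against 9 deletions. It would be cleaner squashed into the previous commit (PATCH 370) so the history does not carry a separate re-indent of the same art.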
diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 1a9c42f7..0ceeb9c5 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -86,15 +86,15 @@ When it comes to the specifics of email exchange, we have to look at protocols a | Retrieval | POP3 | _Not activated_ | ```txt - ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ - ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -Sending an email: MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ - ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ - |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| -Fetching an email: MUA <---- STARTTLS ---- ┤(143) MDA ╯ | - <-- enforced TLS -- ┤(993) | - └─────────────────────┘ - ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ + ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ + ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ + ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| +MUA <---- STARTTLS ---- ┤(143) MDA ╯ | + <-- enforced TLS -- ┤(993) | + └─────────────────────┘ + ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ ``` If you're new to the field, both that table and schema may be confusing. 
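Review bot: dropping the "Sending an email:" and "Fetching an email:" labels from the schema loses the only explicit statement of which rows are Submission and which are Retrieval; the arrows still show direction, but the reader now has to infer the purpose from the port numbers. If the labels were removed to save width, a shorter "Send:" / "Fetch:" prefix would keep the meaning at almost no cost.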
@@ -165,4 +165,4 @@ We believe docker-mailserver's default configuration to be a good middle ground: Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). -The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. +The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. \ No newline at end of file From 4f947c2862203f6d7334bad6be9595601fc5f3db Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:00:55 +0200 Subject: [PATCH 373/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 0ceeb9c5..610167e9 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
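Review bot: the only change in this hunk is that the file no longer ends with a newline ("\ No newline at end of file" on the + line); the text itself is unchanged. This looks accidental, and it will make every later edit of the last line show up as a two-line diff; restore the trailing newline.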
@@ -54,7 +54,7 @@ Fetching an email: MUA <--- ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through many relaying HTTP servers (simply not MTA servers). +> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relaying HTTP(S) server-but those will not be MTA servers, so are irrelevant here. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). From ce0e4bf63ae867d62df043b7dc124474f6cb2a81 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:04:25 +0200 Subject: [PATCH 374/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 610167e9..8a49396a 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
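Review bot: "hop through several relaying HTTP(S) server" is technically wrong in the replaced quote: an SMTP session between a MUA and the Submission MTA does not traverse HTTP servers. The intermediaries on that path are routers, NAT devices and possibly proxies, and the point worth making is that every one of them can read the session unless it is TLS-encrypted, which is exactly why the later sections insist on STARTTLS/TLS. Suggest "will pass through many network devices (routers, NAT, proxies), but none of them are MTAs, so they are irrelevant here". Also "server-but" needs a space before the dash and "trafic" should be "traffic".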
@@ -110,7 +110,7 @@ The best practice as of 2020 would be to handle emails Submission using an _Impl - Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting at submitting emails in plain text (== not secure) or requesting a plain text connection to be upgraded to a TLS-encrypted one (== eventually secure). It is also known as Enforced TLS. - [ESMTP](https://en.wikipedia.org/wiki/ESMTP) is [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous. -- Port 465 is _de facto_ the TCP port that's reserved for Implicit TLS SMTP connections. There is a boisterus history to it, but let's keep it simple. +- Port 465 is (starting 2018) the reserved TCP port for Implicit TLS Submission. There is acually a boisterous history to that port's usage, but let's keep it simple. > Note: this Submission setup is sometimes refered to as [SMTPS](https://en.wikipedia.org/wiki/SMTPS). Long story short: this is incorrect and should be avoided. From 7d4f0b106494e129f46681d8ba9b35ddee872a14 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:07:28 +0200 Subject: [PATCH 375/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 8a49396a..c1d9c1aa 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
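Review bot: "acually" in the added bullet should be "actually", and "(starting 2018)" would be clearer as "since RFC 8314 (2018)", which is the document the page already links further down as the source of the 465 registration; that lets the reader verify the claim instead of taking the date on trust. The sentence about a "boisterous history" can stay as is.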
@@ -7,7 +7,7 @@ A mail server is only a part of a [client-server relationship](https://en.wikipe docker-mailserver provides you with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. -Unlike the client side where usually a single program is used to perform retrieval and reading of emails, the server side is composed of many specialized components. "The" mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software, which must be integrated with one another. +Unlike the client side where usually a single program is used to perform retrieval and reading of emails, the server side is composed of many specialized components. "The" mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software. All those "agents" must be integrated with one another for the exchange to take place. docker-mailserver has made some informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a feature-full mail server in no time! From 1b826f47bc28a6ee411c61a577c59f32e699ef88 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:09:12 +0200 Subject: [PATCH 376/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index c1d9c1aa..e2a99528 100644 --- a/docs/content/a-mail-server's-101.md 
+++ b/docs/content/a-mail-server's-101.md @@ -26,7 +26,7 @@ Sending an email: MUA ---> MTA ---> MTA ---> ... ---> MTA ---> MDA Fetching an email: MUA <--------------------------------------- MDA ``` -There may be other moving parts or sub-divisions (for instance, at several point along the chain, specialized programs may be analyzing, filtering, bouncing, editing… the exchanged emails). +There may be other moving parts or sub-divisions (for instance, at several points along the chain, specialized programs may be analyzing, filtering, bouncing, editing… the exchanged emails). In a nutshell, docker-mailserver provides you with the following components: From c67f8fe4a870b326204091b7dc69fc8333cde911 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:09:50 +0200 Subject: [PATCH 377/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index e2a99528..64a7b1ca 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -30,8 +30,8 @@ There may be other moving parts or sub-divisions (for instance, at several point In a nutshell, docker-mailserver provides you with the following components: -- MTA: [Postfix](http://www.postfix.org/) -- MDA: [Dovecot](https://dovecot.org/) +- a MTA: [Postfix](http://www.postfix.org/) +- a MDA: [Dovecot](https://dovecot.org/) - a bunch of additional programs to improve security and emails processing Here's where docker-mailserver's toochain fits within the delivery chain: From e1a3f868fa3ab7a5d780b053315be80fd99c5a96 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:11:20 +0200 Subject: [PATCH 378/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
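Review bot: the second hunk in this region changes "- MTA:" to "- a MTA:" and "- a MDA:", but since MTA and MDA are pronounced letter by letter the correct article is "an MTA" / "an MDA" (as the page itself writes "an email"). While touching these lines, "toochain" in the context line "Here's where docker-mailserver's toochain fits" should be "toolchain", and "emails processing" reads better as "email processing".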
diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 64a7b1ca..907e8c4d 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -54,7 +54,7 @@ Fetching an email: MUA <--- ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relaying HTTP(S) server-but those will not be MTA servers, so are irrelevant here. +> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relaying TCP servers-but those will not be MTA servers, so are irrelevant here. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). From 6262f13e6511dd47e2b8dcee36886fddc2b3ba2e Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:14:24 +0200 Subject: [PATCH 379/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 907e8c4d..030f3f8a 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
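Review bot: replacing "HTTP(S) server" with "TCP servers" does not fix the inaccuracy: TCP is end-to-end between the MUA and the MTA, so there are no "relaying TCP servers" in between either. The hops are IP-level devices (routers, NAT, proxies) that forward packets without being parties to the SMTP session; naming them as such would also make the security point of the page concrete, since those devices can observe plain text on port 25 but not a TLS session. "trafic" and "servers-but" still need fixing here as in the previous revision.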
@@ -72,7 +72,7 @@ Three main purposes exist when it comes to exchanging emails: - _Transfer_ (aka. _Relay_): for a MTA, the act of sending actual email data over the network, toward another MTA (server) closer to the final destination (where a MTA will forward data to a MDA). - _Retrieval_: for a MUA (client), the act of fetching actual email data over the network, from a MDA. -Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports. Those endpoints _may_ be secured, using an encryption scheme. +Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports. Those endpoints _may_ be secured, using an encryption scheme and TLS certificates. When it comes to the specifics of email exchange, we have to look at protocols and ports enabled to support all the identified purposes. There are several valid options and they've been evolving overtime. From 7b842cf9542bddfa3b0b1592dcd28ce77af30e66 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:15:36 +0200 Subject: [PATCH 380/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 030f3f8a..d8acd6ca 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
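Review bot: "secured, using an encryption scheme and TLS certificates" blurs two roles worth separating for a 101 page: TLS is the encryption scheme, and the certificate is what lets the MUA authenticate the endpoint so an impostor presenting the same ports is rejected. Suggest "secured with TLS, where a certificate lets clients verify they are talking to the right server". The context line "evolving overtime" should read "evolving over time".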
@@ -98,7 +98,7 @@ MUA <---- STARTTLS ---- ┤(143) MDA ╯ | ``` If you're new to the field, both that table and schema may be confusing. -Read on to gain insights about all those concepts, docker-mailserver's configuration and how you could customize it. +Read on to gain insights about all those concepts, docker-mailserver's default configuration and how you could customize it. ### Submission - SMTP From a6ed4a20312011db96d063c86ab079edae477daf Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:21:02 +0200 Subject: [PATCH 381/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d8acd6ca..a98480da 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -120,7 +120,7 @@ In many implementations, the mail server doesn't enforce TLS encryption, for bac - **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. -- It does not support old MUAs (clients) not supporting TLS encryption. One may relax that constraint through advanced custom configuration, for backwards compatibility. +- It does not support old MUAs (clients) not supporting TLS encryption on ports 587/465 (those should perform Submission on port 25, more details below). One may relax that constraint through advanced custom configuration, for backwards compatibility. A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients (Submission), but most importantly for unencrypted Transfer/Relay between MTAs. From ce4381a4564272605896fdaf0e6949a77256b282 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:22:06 +0200 Subject: [PATCH 382/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index a98480da..550c5825 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
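Review bot: "those should perform Submission on port 25" in the edited bullet reads as a recommendation, while the same file says port 25 is unencrypted and that RFC 8314 expects TLS for Submission. A client with no TLS support would send its password and the message in plain text on 25, so the bullet should say "those can only fall back to plain-text Submission on port 25, which is discouraged (more details below)" rather than "should". "akin SMTP+STARTTLS" in the context line also needs "akin to".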
@@ -122,7 +122,7 @@ In many implementations, the mail server doesn't enforce TLS encryption, for bac - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. - It does not support old MUAs (clients) not supporting TLS encryption on ports 587/465 (those should perform Submission on port 25, more details below). One may relax that constraint through advanced custom configuration, for backwards compatibility. -A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients (Submission), but most importantly for unencrypted Transfer/Relay between MTAs. +A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. - **docker-mailserver's default configuration enables unencrypted (plain text) for Transfer/Relay on port 25.** - It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Transfer/Relay. From 6de0102c96b996433f01fc671d51be19e2bf17af Mon Sep 17 00:00:00 2001 
From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:23:07 +0200 Subject: [PATCH 383/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 550c5825..e1bac8b0 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -124,7 +124,7 @@ In many implementations, the mail server doesn't enforce TLS encryption, for bac A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. -- **docker-mailserver's default configuration enables unencrypted (plain text) for Transfer/Relay on port 25.** +- **docker-mailserver's default configuration enables unencrypted (plain text) for Submission & Transfer/Relay on port 25.** - It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Transfer/Relay. - One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. From 2b30e8df8022b06cfb72e7ee4b705bfb8be4642f Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:24:01 +0200 Subject: [PATCH 384/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index e1bac8b0..85c85e5b 100644 
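Review bot: "enables unencrypted (plain text) for Submission & Transfer/Relay on port 25" is missing its noun ("plain text connections" or "plain text mail exchange"). More importantly, now that the bold bullet states port 25 accepts Submission, it should spell out the consequence the page itself implies: Submission means authentication, so credentials as well as message content travel in clear on that port. One clause, e.g. "including any client credentials", makes the risk visible where the default is stated.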
--- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -125,7 +125,7 @@ In many implementations, the mail server doesn't enforce TLS encryption, for bac A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. - **docker-mailserver's default configuration enables unencrypted (plain text) for Submission & Transfer/Relay on port 25.** -- It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Transfer/Relay. +- It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Submission & Transfer/Relay. - One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. ### Retrieval - IMAP From 0c6e157844dac8fcdf6e29e8d237c71f6832afca Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:24:21 +0200 Subject: [PATCH 385/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 85c85e5b..f0a8bb12 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
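Review bot: this one-word change ("Transfer/Relay" to "Submission & Transfer/Relay") is the third consecutive commit editing the same bullet list, and the next patch (385) edits the same bullet again. Squashing 383 through 385 into one commit would leave a single reviewable change; the wording itself is fine.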
@@ -125,7 +125,7 @@ In many implementations, the mail server doesn't enforce TLS encryption, for bac A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. - **docker-mailserver's default configuration enables unencrypted (plain text) for Submission & Transfer/Relay on port 25.** -- It does not enable Explicit TLS (STARTTLS) Transfer/Relay on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Submission & Transfer/Relay. +- It does not enable Explicit TLS (STARTTLS) on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Submission & Transfer/Relay. - One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. ### Retrieval - IMAP From addd22db993613424c2b3ed4629804d1ea1922d0 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:26:59 +0200 Subject: [PATCH 386/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index f0a8bb12..254ffc9c 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
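Review bot: the context line "using advanced encryption scheme, such as DANE and/or MTA-STS" misdescribes both: neither is an encryption scheme, they are policy mechanisms that let a sending MTA verify the receiving MTA's TLS and refuse to fall back to plain text, which is what defeats the STARTTLS-stripping problem the page describes later. The later patch (390) calls them "counter-measures", which is the better term; suggest "using mechanisms that enforce and authenticate TLS between MTAs, such as DANE and/or MTA-STS". "scheme" also needs to be plural in the current wording.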
@@ -152,7 +152,7 @@ The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3 As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration, to run a decent and secure mail server. -One may customize all aspects of internal components. +One may then customize all aspects of its internal components. - Simple customization is supported through [docker-compose configuration](https://github.com/tomav/docker-mailserver/blob/master/docker-compose.yml.dist) and the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file. - Advanced customization is supported through providing "monkey-patching" configuration files and/or [deriving your own image](https://github.com/tomav/docker-mailserver/blob/master/Dockerfile) from docker-mailserver's upstream, for a complete control over how things run! From 6cb1a0b76841d3f7bcddb697fdd07927d84304b4 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:28:27 +0200 Subject: [PATCH 387/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 254ffc9c..d174027c 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -158,8 +158,8 @@ One may then customize all aspects of its internal components. On the subject of security, one might consider docker-mailserver's **default** configuration to _not_ be 100% secure: -- it enables unencrypted trafic on port 25 for Transfer/Relay (between MTAs for MX service) -- it enables Explicit TLS (STARTTLS) on port 587 for SMTP, instead of Implicit TLS on port 465 +- it enables unencrypted trafic on port 25 +- it enables Explicit TLS (STARTTLS) on port 587, instead of Implicit TLS on port 465 We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). From 20d1eb4b5075d7e7c8ff74cecba1ce0558852988 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:36:30 +0200 Subject: [PATCH 388/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d174027c..d7200e14 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
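Review bot: the simplified bullets drop the explanation of what the unencrypted port 25 traffic is for; since patch 383 now states that port 25 serves both Submission and Transfer/Relay, the first bullet could say "it enables unencrypted traffic on port 25 (Submission and Transfer/Relay)" so the reader knows which exchanges are exposed. Typos in the hunk: "trafic" (traffic) in the added line and "developper" (developer) in the context line.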
@@ -116,7 +116,7 @@ The best practice as of 2020 would be to handle emails Submission using an _Impl Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a plain text connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. -In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal, and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. +In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. 
Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://certified-senders.org/wp-content/uploads/2020/02/Email-Transport-Encryption-STARTTLS-vs.-DANE-vs.-MTA-STS_updated.pdf) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. - **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. From 631cdc0b5a638ce100b592dfb3ef9f3ddc2e3926 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 06:54:44 +0200 Subject: [PATCH 389/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d7200e14..d6dc4f70 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
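Review bot: the added parenthetical "(or misled by a hacker ... about STARTTLS not being available)" does not parse after "free to deny"; suggest "or be misled by an attacker on the network path, who strips the STARTTLS offer from the server's reply, into believing TLS is not available". Naming the mechanism also ties the sentence to its own conclusion: the strict `encrypt` policy quoted at the end of the paragraph is precisely what makes that trick fail on docker-mailserver, because the connection is terminated before any message is accepted in plain text. The split of the paragraph into two physical lines is fine for markdown, but worth a check that the rendered output still shows one paragraph.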
@@ -116,7 +116,7 @@ The best practice as of 2020 would be to handle emails Submission using an _Impl Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a plain text connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. -In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://certified-senders.org/wp-content/uploads/2020/02/Email-Transport-Encryption-STARTTLS-vs.-DANE-vs.-MTA-STS_updated.pdf) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. +In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. 
Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. - **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. From 555ace5a11e92cb6b7cb1df3d3ed996e1956ec06 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 07:15:22 +0200 Subject: [PATCH 390/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index d6dc4f70..bbe3738f 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
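Review bot: in the rewritten `+In many implementations...` paragraph, "misled by a hacker about STARTTLS not being available" describes STARTTLS stripping, an active on-path (man-in-the-middle) downgrade, and should be named as such. The same sentence then presents the server-side `encrypt` policy as the thing that prevents cleartext Submission, but that policy cannot stop the stripping case: the attacker removes the STARTTLS capability from the server's EHLO reply before the client sees it, and the server's later refusal only arrives after an opportunistic client has already spoken in cleartext (including an AUTH exchange, if the attacker also forges the AUTH advertisement). What protects against that is the client's own "require TLS" setting, so say so rather than letting `smtpd_tls_security_level` carry the whole sentence. Also worth double-checking the RFC 8314 pointer: section 3.3 covers Implicit TLS for Submission, while the "stop accepting cleartext on 587" recommendation reads like section 4.1.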
@@ -163,6 +163,6 @@ On the subject of security, one might consider docker-mailserver's **default** c We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). -Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). +Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports can only go so far and that unencrypted/weak relaying (typically between MTAs) not under your control may defeat your highly-secure-on-paper setup; advanced counter-measure such as DANE, MTA-STS and full body encryption should be considered as well for increased confidentiality, without forgetting about backwards compatibility. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. \ No newline at end of file From f453a0fd4178ff0bdb5889efcd2bccc4d61fa679 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 07:19:32 +0200 Subject: [PATCH 391/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index bbe3738f..dc02c51a 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
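Review bot: the clause appended to the `+Eventually, it is up to _you_...` line puts two different layers under one "increased confidentiality" umbrella. DANE and MTA-STS harden the MTA-to-MTA relay hop (they let a sending MTA detect a stripped or spoofed STARTTLS and refuse to fall back to cleartext), whereas "full body encryption" protects the message content end to end, including at rest in the recipient's mailbox, and does nothing for transport metadata. Suggest splitting it: "DANE or MTA-STS for the relay hop, and end-to-end encryption of the body for the content itself". Wording: "Be also aware" should be "Also be aware", and "counter-measure such as" needs the plural. The unchanged context line still carries "developper-friendly"; fix it while here.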
@@ -163,6 +163,6 @@ On the subject of security, one might consider docker-mailserver's **default** c We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). -Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports can only go so far and that unencrypted/weak relaying (typically between MTAs) not under your control may defeat your highly-secure-on-paper setup; advanced counter-measure such as DANE, MTA-STS and full body encryption should be considered as well for increased confidentiality, without forgetting about backwards compatibility. +Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports can only go so far and that unencrypted/weak relaying (typically between MTAs) not under your control may defeat your highly-secure-on-paper setup; advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, without forgetting about backwards compatibility. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. \ No newline at end of file From f456b75691710102407b222fb799138ae2354f78 Mon Sep 17 00:00:00 2001 
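Review bot: in the `+Eventually...` line, "eg. PGP" should be "e.g. PGP", and "counter-measure such as DANE, MTA-STS and/or full body encryption" needs "counter-measures". Since PGP is now named as the example of end-to-end encryption, S/MIME is the other widely deployed option and is worth listing next to it so the reader does not take PGP as the only choice.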
From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 07:32:01 +0200 Subject: [PATCH 392/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index dc02c51a..a9a304d1 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -163,6 +163,6 @@ On the subject of security, one might consider docker-mailserver's **default** c We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). -Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports can only go so far and that unencrypted/weak relaying (typically between MTAs) not under your control may defeat your highly-secure-on-paper setup; advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, without forgetting about backwards compatibility. +Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports on your server can only go so far with security; third-party MTAs might relay your emails on insecure connections, man-in-the-middle attacks might still prove effective, etc. Advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, but ideally without compromising about backwards compatibility so as to not block emails. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. \ No newline at end of file From 217ebc7a6f4e771d6bbc1ca8f669a1036ae08909 Mon Sep 17 00:00:00 2001 
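Review bot: in the `+Eventually...` line, "man-in-the-middle attacks might still prove effective" is listed as a threat separate from "third-party MTAs might relay your emails on insecure connections", but the realistic MITM on the relay hop is exactly STARTTLS stripping against a sending MTA that uses opportunistic TLS; tying the two together makes the DANE/MTA-STS sentence that follows read as the answer to both. On the backwards-compatibility caveat, the concrete form of "ideally without compromising ... so as to not block emails" is publishing an MTA-STS policy in `testing` mode with TLSRPT reporting and only moving to `enforce` once the reports are clean; one sentence to that effect would make the advice actionable. Wording: "compromising about" should be "compromising on", and "counter-measure such as" should be plural.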
From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 07:37:20 +0200 Subject: [PATCH 393/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index a9a304d1..42529667 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -116,7 +116,7 @@ The best practice as of 2020 would be to handle emails Submission using an _Impl Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a plain text connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. -In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus preventing unencrypted (plain text) Submission by the client. +In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. 
Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (plain text) Submission. - **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. From e73041687b40d7d4b5b4a47e52cb9eb92da88d8d Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 08:01:49 +0200 Subject: [PATCH 394/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 42529667..77536f80 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
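Review bot: the new parenthetical "(hopefully but at the client's discretion)" in the `+Clients are thus free...` line contradicts the rest of the sentence: with `smtpd_tls_security_level = encrypt` the refusal is not at the client's discretion. "terminates the connection" is also not what Postfix does; it keeps the session open and answers `MAIL FROM` (and `AUTH`) sent before STARTTLS with `530 5.7.0 Must issue a STARTTLS command first`, so the unencrypted transaction is rejected rather than the TCP connection being dropped. Suggest "the server refuses to accept mail or authentication until STARTTLS has completed". What genuinely remains at the client's discretion is whether it will accept a cleartext path elsewhere: the page's own schema shows a cleartext MUA arrow into port 25, and a client tricked by a stripped EHLO into cleartext has already sent whatever it sent before the 530. Keep the hedge, but attach it to that client-side risk, not to the server's enforcement.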
@@ -44,7 +44,7 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -By default, docker-mailserver does not act as a relay nor does it accept emails from relays. It only handles direct email trafic, bound to a specific hostname. Thus our schema can be further simplified to look like this: +In its simplest use-case, docker-mailserver will handle direct email trafic bound to a specific hostname: a MUA established a direct connection to docker-mailserver's MTA. Thus our schema could be further simplified to look like this: ```txt docker-mailserver is here: From a88658fccb62d8e212422088a2baacb09059bf0a Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 08:02:31 +0200 Subject: [PATCH 395/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 77536f80..0348a8b5 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -44,7 +44,7 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -In its simplest use-case, docker-mailserver will handle direct email trafic bound to a specific hostname: a MUA established a direct connection to docker-mailserver's MTA. Thus our schema could be further simplified to look like this: +In its simplest use-case, docker-mailserver will handle direct email trafic bound to a specific hostname: a MUA establishes a direct connection to docker-mailserver's MTA, authenticates and submits an email. Thus our schema could be further simplified to look like this: ```txt docker-mailserver is here: From 5a31fc72fcca6ab0520f0fbea64f80b4eeeb006c Mon Sep 17 00:00:00 2001 
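Review bot: both hunks on this line keep the spelling "trafic"; it should be "traffic". Dropping the claim that `docker-mailserver` "does not accept emails from relays" is correct (a server that refused mail from other MTAs on port 25 could not receive mail at all), but the replacement "In its simplest use-case ... a MUA establishes a direct connection" now describes only the outbound Submission half; one clause noting that inbound mail relayed from other MTAs is the other half would stop a reader concluding that the simplified schema below is the whole picture.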
From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 08:08:16 +0200 Subject: [PATCH 396/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 0348a8b5..c096f4c5 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -44,17 +44,7 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -In its simplest use-case, docker-mailserver will handle direct email trafic bound to a specific hostname: a MUA establishes a direct connection to docker-mailserver's MTA, authenticates and submits an email. Thus our schema could be further simplified to look like this: - -```txt - docker-mailserver is here: - ┏━━━━━━━┓ -Sending an email: MUA ---> ┫ MTA ╮ ┃ -Fetching an email: MUA <--- ┫ MDA ╯ ┃ - ┗━━━━━━━┛ -``` - -> Of course the MUA and docker-mailserver's MTA may be located in distant (network-wise) places, so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relaying TCP servers-but those will not be MTA servers, so are irrelevant here. +> Of course the MUA and docker-mailserver's MTA are likely to be located in distant places (network-wise), so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relays: some will be TCP servers, some will be MTAs. MUA only has control over the first "hop", and that will prove important when it comes to securing email trafic. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). From 6ce7e1be85a0bb57c6ea46090d08f7cf104b20c3 Mon Sep 17 00:00:00 2001 
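Review bot: in the rewritten `> Of course the MUA...` quote, "some will be TCP servers, some will be MTAs" conflates two layers. IP routers between the MUA and the MTA forward packets and do not terminate the TCP connection, so a TLS session from the MUA to the submission port is end to end across all of them; only an MTA relay terminates the session and sees the message in the clear. That distinction is the reason "MUA only has control over the first hop" matters, so state it: the MUA-to-MTA hop is protected by the client's TLS settings regardless of how many network hops it crosses, and every MTA-to-MTA hop after it is a separate connection with its own (or no) TLS. Also "MUA only has control" needs "The MUA", and "trafic" is still misspelled.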
From: Jean-Denis Vauguet Date: Fri, 12 Jun 2020 08:31:42 +0200 Subject: [PATCH 397/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index c096f4c5..0936c964 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -44,7 +44,11 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` -> Of course the MUA and docker-mailserver's MTA are likely to be located in distant places (network-wise), so don't expect a _direct_ connection between MUAs and your mail server. It is very likely email trafic will hop through several relays: some will be TCP servers, some will be MTAs. MUA only has control over the first "hop", and that will prove important when it comes to securing email trafic. +> Make sure not to conflate these two very different scenarios: +> Let's say Alice owns a Gmail account, alice@gmail.com; whereas Bob owns an account on a docker-mailserver's instance, bob@dms.io. +> 1. Alice sends an email to bob@dms.io => the email is submitted to MTA smtp.gmail.com, then relayed to MTA smtp.dms.io +> 2. Bob sends an email to alice@gmail.com => the email is submitted to MTA smtp.dms.io, then relayed to MTA smtp.gmail.com +> In the first scenario, the email's "initial" submission is _not_ handled by the docker-mailserver instance; its MTA merely receives the email after it has been relayed by Gmail. In the other scenario, a direct connection is established between Bob's MUA and the docker-mailserver's instance's MTA. That will prove very important when it comes to security management. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). From e46c43f71ebd89b6ba95bfa1fcc1dfd7bfd07a3f Mon Sep 17 00:00:00 2001 
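Review bot: the Alice/Bob example in the new quote labels the receiving MTA in both directions `smtp.gmail.com` / `smtp.dms.io`, i.e. the same host names as the submission servers. A sending MTA finds the receiver through the recipient domain's MX record, which is in general a different host from the submission server (Gmail's submission host `smtp.gmail.com` is not its MX), and since the point of the passage is the submission-versus-relay distinction, using a distinct MX name for the relayed leg (e.g. `mx.dms.io`, hypothetical) would keep the two roles visibly separate. Also "a docker-mailserver's instance" should read "a docker-mailserver instance".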
From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Fri, 12 Jun 2020 19:35:14 +1200 Subject: [PATCH 398/462] Minor changes: `plain text` to `cleartext`, inline codeblock `docker-mailserver`, some rephrasing and grammar fixes --- docs/content/a-mail-server's-101.md | 100 ++++++++++++++-------------- 1 file changed, 50 insertions(+), 50 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 0936c964..0ab9ff70 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -1,40 +1,40 @@ What is a mail server and how does it perform its duty? -Here's an introduction to the field that covers everything you need to know to get started with docker-mailserver. +Here's an introduction to the field that covers everything you need to know to get started with `docker-mailserver`. ## Anatomy of a mail server A mail server is only a part of a [client-server relationship](https://en.wikipedia.org/wiki/Client%E2%80%93server_model) aimed at exchanging information in the form of [emails](https://en.wikipedia.org/wiki/Email). Exchanging emails requires using specific means (programs and protocols). -docker-mailserver provides you with the server portion, whereas "the" client can be anything from a console, text-only software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a webmail, etc. +`docker-mailserver` provides you with the server portion, whereas the client can be anything from a terminal via text-based software (eg. [Mutt](https://en.wikipedia.org/wiki/Mutt_(email_client))) to a fully-fledged desktop application (eg. [Mozilla Thunderbird](https://en.wikipedia.org/wiki/Mozilla_Thunderbird), [Microsoft Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook)…), to a web interface, etc. -Unlike the client side where usually a single program is used to perform retrieval and reading of emails, the server side is composed of many specialized components. "The" mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software. All those "agents" must be integrated with one another for the exchange to take place. 
+Unlike the client-side where usually a single program is used to perform retrieval and viewing of emails, the server-side is composed of many specialized components. The mail server is capable of accepting, forwarding, delivering, storing and overall exchanging messages, but each one of those tasks is actually handled by a specific piece of software. All of these "agents" must be integrated with one another for the exchange to take place. -docker-mailserver has made some informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a feature-full mail server in no time! +`docker-mailserver` has made informed choices about those components and their (default) configuration. It offers a comprehensive platform to run a fully featured mail server in no time! ## Components The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): -- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; and most of the times, capable of fetching emails from such mail servers and presenting them to the end users. -- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. More specifically, it's a piece of software dedicated to accepting, and in some cases, transfering/relaying emails. A MTA may accept incoming emails either from MUAs or from other MTAs. It may then relay emails to either other MTAs or, eventually, an MDA. -- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from a MTA, but instead of forwarding it to another MTA, it is responsible for dropping emails into their recipients' mailboxes, whichever the form. 
+- MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; while also capable of fetching emails from mail servers for presenting them to the end users. +- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. More specifically, it's a piece of software dedicated to accepting, and in some cases, transferring/relaying emails. An MTA may accept incoming emails either from MUAs or from other MTAs. It may then relay emails through other MTAs or final delivery to an MDA. +- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA, but instead of forwarding it to another MTA, it is responsible for dropping emails into their recipients' mailboxes, whichever the form. Here's a schematic view of mail delivery: ```txt -Sending an email: MUA ---> MTA ---> MTA ---> ... ---> MTA ---> MDA -Fetching an email: MUA <--------------------------------------- MDA +Sending an email: MUA ----> MTA ----> (MTA relays) ----> MDA +Fetching an email: MUA <--------------------------------- MDA ``` There may be other moving parts or sub-divisions (for instance, at several points along the chain, specialized programs may be analyzing, filtering, bouncing, editing… the exchanged emails). 
-In a nutshell, docker-mailserver provides you with the following components: +In a nutshell, `docker-mailserver` provides you with the following components: -- a MTA: [Postfix](http://www.postfix.org/) -- a MDA: [Dovecot](https://dovecot.org/) -- a bunch of additional programs to improve security and emails processing +- A MTA: [Postfix](http://www.postfix.org/) +- A MDA: [Dovecot](https://dovecot.org/) +- A bunch of additional programs to improve security and emails processing -Here's where docker-mailserver's toochain fits within the delivery chain: +Here's where `docker-mailserver`'s toochain fits within the delivery chain: ```txt docker-mailserver is here: 
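Review bot: the article fix in this hunk is applied inconsistently: "A MTA may accept" becomes "An MTA may accept" in the components list, but the same hunk's `+- A MTA: [Postfix]` and `+- A MDA: [Dovecot]` lines keep "A". Use "An MTA" / "An MDA" throughout. "It may then relay emails through other MTAs or final delivery to an MDA" is ungrammatical; "or hand them to an MDA for final delivery" fixes it. Also "toochain" in the `+Here's where \`docker-mailserver\`'s toochain fits` line should be "toolchain", and "emails processing" should be "email processing".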
@@ -45,16 +45,16 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ``` > Make sure not to conflate these two very different scenarios: -> Let's say Alice owns a Gmail account, alice@gmail.com; whereas Bob owns an account on a docker-mailserver's instance, bob@dms.io. -> 1. Alice sends an email to bob@dms.io => the email is submitted to MTA smtp.gmail.com, then relayed to MTA smtp.dms.io -> 2. Bob sends an email to alice@gmail.com => the email is submitted to MTA smtp.dms.io, then relayed to MTA smtp.gmail.com -> In the first scenario, the email's "initial" submission is _not_ handled by the docker-mailserver instance; its MTA merely receives the email after it has been relayed by Gmail. In the other scenario, a direct connection is established between Bob's MUA and the docker-mailserver's instance's MTA. That will prove very important when it comes to security management. +> Let's say Alice owns a Gmail account, `alice@gmail.com`; whereas Bob owns an account on a `docker-mailserver`'s instance, `bob@dms.io`. +> 1. Alice sends an email to `bob@dms.io` => the email is submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io`. +> 2. Bob sends an email to `alice@gmail.com` => the email is submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com`. +> In the first scenario, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance; its MTA merely receives the email after it has been relayed by Gmail. In the other scenario, a direct connection is established between Bob's MUA and the `docker-mailserver`'s instance's MTA. That will prove very important when it comes to security management. -One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with docker-mailserver's Postfix and Dovecot). 
+One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with `docker-mailserver`'s Postfix and Dovecot). -For instance, Postfix is both a SMTP server (accepting emails) and a relaying MTA (transfering ie. sending emails to other MTA/MDA); Dovecot is both a MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the so-called "mail server"). On top of that, Postfix may rely on Dovecot's authentication capabilities! +For instance, Postfix is both an SMTP server (accepting emails) and a relaying MTA (transferring, ie. sending emails to other MTA/MDA); Dovecot is both an MDA (delivering emails in mailboxes) and an IMAP server (allowing MUAs to fetch emails from the *mail server*). On top of that, Postfix may rely on Dovecot's authentication capabilities. -The exact relationship between all the components and their respective (and sometimes, shared) responsibilities is beyond the scope of this document. Please explore this wiki & the web to get more insights about docker-mailserver's toolchain. +The exact relationship between all the components and their respective (sometimes shared) responsibilities is beyond the scope of this document. Please explore this wiki & the web to get more insights about `docker-mailserver`'s toolchain. ## About security & ports 
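Review bot: "`docker-mailserver`'s instance's MTA" in the rewritten quote stacks two possessives; "the `docker-mailserver` instance's MTA" reads cleanly. In the Postfix/Dovecot sentence, "transferring, ie. sending" should be "i.e.", and "Postfix may rely on Dovecot's authentication capabilities" is the SASL arrangement the ports section below depends on (the MUA authenticates to Postfix, which verifies the credentials through Dovecot), so naming it "SASL authentication via Dovecot" here gives the later Submission discussion something to refer back to.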
@@ -62,15 +62,15 @@ In the previous section, different components were outlined. Each one of those i Three main purposes exist when it comes to exchanging emails: -- _Submission_: for a MUA (client), the act of sending actual email data over the network, toward a MTA (server). -- _Transfer_ (aka. _Relay_): for a MTA, the act of sending actual email data over the network, toward another MTA (server) closer to the final destination (where a MTA will forward data to a MDA). -- _Retrieval_: for a MUA (client), the act of fetching actual email data over the network, from a MDA. +- _Submission_: for a MUA (client), the act of sending actual email data over the network, toward an MTA (server). +- _Transfer_ (aka. _Relay_): for an MTA, the act of sending actual email data over the network, toward another MTA (server) closer to the final destination (where an MTA will forward data to an MDA). +- _Retrieval_: for a MUA (client), the act of fetching actual email data over the network, from an MDA. Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports. Those endpoints _may_ be secured, using an encryption scheme and TLS certificates. When it comes to the specifics of email exchange, we have to look at protocols and ports enabled to support all the identified purposes. There are several valid options and they've been evolving overtime. -**Here's docker-mailserver's _default_ configuration:** +**Here's `docker-mailserver`'s _default_ configuration:** | Purpose | Protocol | TCP port / encryption | |----------------|----------|--------------------------------| 
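Review bot: the article change is again partial in this hunk: "a MUA (client)" is kept while "a MTA" becomes "an MTA"; if initialisms are read letter by letter, "an MUA" follows. "evolving overtime" in the unchanged context should be "over time". More substantively, "Those endpoints _may_ be secured, using an encryption scheme and TLS certificates" undersells the default the page describes later (TLS required on 587, enforced on 993); "are secured with TLS by default, with the per-port policy shown in the table" would match the table that follows.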
@@ -82,8 +82,8 @@ When it comes to the specifics of email exchange, we have to look at protocols a ```txt ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- plain text --> ┊ Third-party MTA ┊ - ---- plain text --> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ +MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- cleartext ---> ┊ Third-party MTA ┊ + ---- cleartext ---> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| MUA <---- STARTTLS ---- ┤(143) MDA ╯ | <-- enforced TLS -- ┤(993) | 
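Review bot: the relabelled schema keeps an arrow `MUA ---- cleartext ---> ┤(25)`, which shows a MUA submitting in cleartext on port 25 while the surrounding text says the default configuration "requires Explicit TLS (STARTTLS) for Submission". Port 25 is the MTA-to-MTA transfer port; if a MUA can submit there in cleartext, the text's claim is wrong, and if it cannot, the arrow is misleading and should be dropped or labelled "not for Submission". Likewise `<-- cleartext --->` on the relay hop to the third-party MTA suggests STARTTLS is never offered on 25; if the policy there is opportunistic (`may`), label it "opportunistic STARTTLS" so the reader does not conclude inbound transfer is unencrypted by design. "cleartext" over "plain text" is a good change in itself.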
@@ -91,34 +91,34 @@ MUA <---- STARTTLS ---- ┤(143) MDA ╯ | ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ ``` -If you're new to the field, both that table and schema may be confusing. -Read on to gain insights about all those concepts, docker-mailserver's default configuration and how you could customize it. +If you're new to email infrastructure, both that table and the schema may be confusing. +Read on to expand your understanding and learn about `docker-mailserver`'s configuration, including how you can customize it. ### Submission - SMTP -A MUA willing to send an email to a MTA needs to establish a connection with that server, then push data packets over a network that both the MUA (client) and the MTA (server) are connected to. The server implements the [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) protocol, which makes it capable of handling _Submission_. +For a MUA to send an email to an MTA, it needs to establish a connection with that server, then push data packets over a network that both the MUA (client) and the MTA (server) are connected to. The server implements the [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) protocol, which makes it capable of handling _Submission_. -In the case of docker-mailserver, the MTA (SMTP server) is Postfix. The MUA (client) may vary, yet its Submission request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. +In the case of `docker-mailserver`, the MTA (SMTP server) is Postfix. The MUA (client) may vary, yet its Submission request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. 
-The best practice as of 2020 would be to handle emails Submission using an _Implicit TLS connection with an ESMTP server on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. +The best practice as of 2020 is to handle SMTP Submission using an _Implicit TLS connection via ESMTP on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. -- Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting at submitting emails in plain text (== not secure) or requesting a plain text connection to be upgraded to a TLS-encrypted one (== eventually secure). It is also known as Enforced TLS. +- Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting to submit email in cleartext (unencrypted, not secure) or requesting a cleartext connection to be upgraded to a TLS-encrypted one (secure if `STARTTLS` is successful). It is also known as Enforced TLS. - [ESMTP](https://en.wikipedia.org/wiki/ESMTP) is [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous. -- Port 465 is (starting 2018) the reserved TCP port for Implicit TLS Submission. There is acually a boisterous history to that port's usage, but let's keep it simple. +- Port 465 is the reserved TCP port for Implicit TLS Submission (since 2018). 
There is actually a boisterous history to that ports usage, but let's keep it simple. -> Note: this Submission setup is sometimes refered to as [SMTPS](https://en.wikipedia.org/wiki/SMTPS). Long story short: this is incorrect and should be avoided. +> Note: This Submission setup is sometimes refered to as [SMTPS](https://en.wikipedia.org/wiki/SMTPS). Long story short: this is incorrect and should be avoided. -Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a plain text connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. +Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cutting edge". There exists another well established mail Submission setup that must be supported as well, SMTP+STARTTLS on port 587. It uses Explicit TLS: the client starts with a cleartext connection, then the server informs a TLS-encrypted "upgraded" connection may be established, and the client _may_ eventually decide to establish it prior to the Submission. Basically it's an opportunistic, opt-in TLS upgrade of the connection between the client and the server, at the client's discretion, using a mechanism known as [STARTTLS](https://en.wikipedia.org/wiki/Opportunistic_TLS) that both ends need to implement. -In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. 
Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server eventually accepts unencrypted (plain text) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly docker-mailserver's default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (plain text) Submission. +In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server accepts unencrypted (cleartext) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly `docker-mailserver`'s default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (cleartext) Submission. 
-- **docker-mailserver's default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** +- **`docker-mailserver`'s default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** - It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. - It does not support old MUAs (clients) not supporting TLS encryption on ports 587/465 (those should perform Submission on port 25, more details below). One may relax that constraint through advanced custom configuration, for backwards compatibility. -A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (plain text) mail exchange though, making STARTTLS a bit of a misusage. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), docker-mailserver uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. +A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (cleartext) mail exchange though, making STARTTLS a bit wrong to use. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), `docker-mailserver` uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. -- **docker-mailserver's default configuration enables unencrypted (plain text) for Submission & Transfer/Relay on port 25.** +- **`docker-mailserver`'s default configuration enables unencrypted (cleartext) for Submission & Transfer/Relay on port 25.** - It does not enable Explicit TLS (STARTTLS) on port 25 by default. 
One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Submission & Transfer/Relay. - One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. 
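Review bot: In the `+` paragraph ending "preventing unencrypted (cleartext) Submission", the parenthetical "(hopefully but at the client's discretion)" undercuts the sentence it sits in: with Postfix's `smtpd_tls_security_level = encrypt` it is the server that refuses to proceed with a mail transaction until `STARTTLS` has been issued, so cleartext Submission on 587 is prevented server-side rather than left to the client. Suggest dropping the parenthetical, or rewording to "a client that refuses the TLS upgrade cannot submit mail on that port". A few typos survive into the rewritten lines and are worth fixing in the same change: "refered" (the SMTPS note), "that ports usage" (port's), "is akin SMTP+STARTTLS" (akin to), and "supplementary mean" (means).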
@@ -126,13 +126,13 @@ A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on po A MUA willing to fetch an email from a mail server will most likely communicate with its [IMAP](https://en.wikipedia.org/wiki/IMAP) server. As with SMTP described earlier, communication will take place in the form of data packets exchanged over a network that both the client and the server are connected to. The IMAP protocol makes the server capable of handling _Retrieval_. -In the case of docker-mailserver, the IMAP server is Dovecot. The MUA (client) may vary, yet its Retrieval request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. +In the case of `docker-mailserver`, the IMAP server is Dovecot. The MUA (client) may vary, yet its Retrieval request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. Again, as with SMTP described earlier, the IMAP protocol may be secured with either Implicit TLS (aka. [IMAPS](https://en.wikipedia.org/wiki/IMAPS)/IMAP4S) or Explicit TLS (using STARTTLS). The best practice as of 2020 is to enforce IMAPS on port 993, rather than IMAP+STARTTLS on port 143 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)); yet the latter is usually provided for backwards compatibility. -**docker-mailserver's default configuration enables both Implicit and Explicit TLS for Retrievial, on ports 993 and 143 respectively.** +**`docker-mailserver`'s default configuration enables both Implicit and Explicit TLS for Retrievial, on ports 993 and 143 respectively.** ### Retrieval - POP3 
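Review bot: The bold `+` line still reads "Retrievial"; since this line is already being rewritten to backtick `docker-mailserver`, fix the spelling to "Retrieval" in the same change rather than leaving a known typo in a line the patch touches. The unchanged context line above it uses "aka." where the rest of the page spells out abbreviations ("ie.", "eg." elsewhere); picking one form ("i.e.", "e.g.", "a.k.a.") across the page would help.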
@@ -140,23 +140,23 @@ Similarly to IMAP, the older POP3 protocol may be secured with either Implicit o The best practice as of 2020 would be [POP3S](https://en.wikipedia.org/wiki/POP3S) on port 995, rather than [POP3](https://en.wikipedia.org/wiki/POP3)+STARTTLS on port 110 (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). -**docker-mailserver's default configuration disables POP3 altogether.** One should expect MUAs to use TLS-encrypted IMAP for Retrieval. +**`docker-mailserver`'s default configuration disables POP3 altogether.** One should expect MUAs to use TLS-encrypted IMAP for Retrieval. -## How does docker-mailserver help with setting everything up? +## How does `docker-mailserver` help with setting everything up? -As a _batteries included_ Docker image, docker-mailserver provides you with all the required components and a default configuration, to run a decent and secure mail server. +As a _batteries included_ Docker image, `docker-mailserver` provides you with all the required components and a default configuration, to run a decent and secure mail server. One may then customize all aspects of its internal components. - Simple customization is supported through [docker-compose configuration](https://github.com/tomav/docker-mailserver/blob/master/docker-compose.yml.dist) and the [env-mailserver](https://github.com/tomav/docker-mailserver/blob/master/env-mailserver.dist) configuration file. -- Advanced customization is supported through providing "monkey-patching" configuration files and/or [deriving your own image](https://github.com/tomav/docker-mailserver/blob/master/Dockerfile) from docker-mailserver's upstream, for a complete control over how things run! +- Advanced customization is supported through providing "monkey-patching" configuration files and/or [deriving your own image](https://github.com/tomav/docker-mailserver/blob/master/Dockerfile) from `docker-mailserver`'s upstream, for a complete control over how things run. 
-On the subject of security, one might consider docker-mailserver's **default** configuration to _not_ be 100% secure: +On the subject of security, one might consider `docker-mailserver`'s **default** configuration to _not_ be 100% secure: -- it enables unencrypted trafic on port 25 +- it enables unencrypted traffic on port 25 - it enables Explicit TLS (STARTTLS) on port 587, instead of Implicit TLS on port 465 -We believe docker-mailserver's default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developper-friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). +We believe `docker-mailserver`'s default configuration to be a good middle ground: it goes slightly beyond "old" (1999) [RFC 2487](https://tools.ietf.org/html/rfc2487); and with developer friendly configuration settings, it makes it pretty easy to abide by the "newest" (2018) [RFC 8314](https://tools.ietf.org/html/rfc8314). -Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). Be also aware that protocols and ports on your server can only go so far with security; third-party MTAs might relay your emails on insecure connections, man-in-the-middle attacks might still prove effective, etc. Advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, but ideally without compromising about backwards compatibility so as to not block emails. +Eventually, it is up to _you_ deciding exactly what kind of transportation/encryption to use and/or enforce, and to customize your instance accordingly (with looser or stricter security). 
Be also aware that protocols and ports on your server can only go so far with security; third-party MTAs might relay your emails on insecure connections, man-in-the-middle attacks might still prove effective, etc. Advanced counter-measure such as DANE, MTA-STS and/or full body encryption (eg. PGP) should be considered as well for increased confidentiality, but ideally without compromising backwards compatibility so as to not block emails. The [README](https://github.com/tomav/docker-mailserver) is the best starting point in configuring and running your mail server. You may then explore this wiki to cover additional topics, including but not limited to, security. \ No newline at end of file From f86e6e43189222e1ec55d5aef2f83f176e0f54f1 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Fri, 12 Jun 2020 19:49:28 +1200 Subject: [PATCH 399/462] Fix rendering of ASCII flows (assuming this isn't an inconsistency between mono fonts chosen by browsers) --- docs/content/a-mail-server's-101.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 0ab9ff70..4aab16d7 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -39,8 +39,8 @@ Here's where `docker-mailserver`'s toochain fits within the delivery chain: ```txt docker-mailserver is here: ┏━━━━━━━┓ -Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ -Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ +Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ +Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` 
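Review bot: The bullet "it enables Explicit TLS (STARTTLS) on port 587, instead of Implicit TLS on port 465" in the "not 100% secure" list reads as if port 587 itself were insecure, which contradicts the earlier statement in this same patch that STARTTLS is enforced (`encrypt`) on 587; the bullet should name the actual residual risk the page already describes (the cleartext pre-`STARTTLS` exchange and the possibility of a stripped `STARTTLS` offer) rather than the port choice. Wording in the added lines: "Eventually, it is up to _you_ deciding" reads as "Ultimately, it is up to you to decide"; "Advanced counter-measure such as" should be plural; "eg." should be "e.g."; and the file still ends without a trailing newline (see the "\ No newline at end of file" marker), which will produce a spurious diff the next time someone edits the last line.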
@@ -82,10 +82,10 @@ When it comes to the specifics of email exchange, we have to look at protocols a ```txt ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- cleartext ---> ┊ Third-party MTA ┊ - ---- cleartext ---> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ - |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| -MUA <---- STARTTLS ---- ┤(143) MDA ╯ | +MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- cleartext --> ┊ Third-party MTA ┊ + ---- cleartext ---> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + |---------------------| +MUA <---- STARTTLS ---- ┤(143) MDA ╯ | <-- enforced TLS -- ┤(993) | └─────────────────────┘ ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ From acf3d88d43f70fb130a1f2b7f8d591cd87298dbd Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Fri, 12 Jun 2020 20:19:52 +1200 Subject: [PATCH 400/462] Initial more details page to redirect from README on the ports section --- .../security/understanding-the-ports.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 docs/content/config/security/understanding-the-ports.md diff --git a/docs/content/config/security/understanding-the-ports.md b/docs/content/config/security/understanding-the-ports.md new file mode 100644 index 00000000..cc2f6403 --- /dev/null +++ b/docs/content/config/security/understanding-the-ports.md 
@@ -0,0 +1,40 @@ +## Overview of email ports + +### Explicit TLS (aka Opportunistic TLS) - Opt-in Encryption + +Communication on these ports begin in [cleartext](https://www.denimgroup.com/resources/blog/2007/10/cleartext-vs-pl/), indicating support for `STARTTLS`. If both client and server support `STARTTLS` the connection will be secured over TLS, otherwise no encryption will be used. + +Support for `STARTTLS` is not always implemented correctly, which can lead to leaking credentials(client sending too early) prior to a TLS connection being established. Third-parties such as some ISPs have also been known to intercept the `STARTTLS` exchange, modifying network traffic to prevent establishing a secure connection. + +Due to these security concerns, [RFC 8314 (Section 4.1)](https://tools.ietf.org/html/rfc8314#section-4.1) encourages you to **prefer Implicit TLS ports where possible**. + +### Implicit TLS - Enforced Encryption + +Communication is always encrypted, avoiding the above mentioned issues with Explicit TLS. + +You may know of these ports as **SMTPS, POP3S, IMAPS**, which indicate the protocol in combination with a TLS connection. However, Explicit TLS ports provide the same benefit when `STARTTLS` is successfully negotiated; Implicit TLS better communicates the improved security to all three protocols (SMTP/POP3/IMAP over Implicit TLS). + +Additionally, referring to port 465 as *SMTPS* would be incorrect, as it is a submissions port requiring authentication to proceed via *ESMTP*, whereas ESMTPS has a different meaning(STARTTLS supported). Port 25 may lack Implicit TLS, but can be configured to be more secure between trusted parties via MTA-STS, STARTTLS Policy List, DNSSEC and DANE. 
+ +| Protocol | Explicit TLS1 | Implicit TLS | Purpose | +|----------|--------------------------|-----------------|----------------------| +| SMTP | 25 | N/A | Transfer2 | +| ESMTP | 587 | 4653 | Submission | +| POP3 | 110 | 995 | Retrieval | +| IMAP4 | 143 | 993 | Retrieval | + +1. A connection *may* be secured over TLS when both ends support `STARTTLS`. On ports 110, 143 and 587, `docker-mailserver` will reject a connection that cannot be secured. Port 25 is [required](https://serverfault.com/questions/623692/is-it-still-wrong-to-require-starttls-on-incoming-smtp-messages) to support insecure connections. +2. Receives email, `docker-mailserver` additionally filters for spam and viruses. For submitting email to the server to be sent to third-parties, you should prefer the *submission* ports(465, 587) - which require authentication. Unless a relay host is configured(eg SendGrid), outgoing email will leave the server via port 25(thus outbound traffic must not be blocked by your provider or firewall). +3. A *submission* port since 2018 ([RFC 8314](https://tools.ietf.org/html/rfc8314)). Previously a secure variant of port 25. 
+ +## Security + +**TODO:** *This section should provide any related configuration advice, and probably expand on and link to resources about DANE, DNSSEC, MTA-STS and STARTTLS Policy list, with advice on how to configure/setup these added security layers.* + +**TODO:** *A related section or page on ciphers used may be useful, although less important for users to be concerned about.* + +### TLS connections on mail servers, compared to web browsers + +Unlike with HTTP where a web browser client communicates directly with the server providing a website, a secure TLS connection as discussed below is not the equivalent safety that HTTPS provides when the transit of email (receiving or sending) is sent through third-parties, as the secure connection is only between two machines, any additional machines (MTAs) between the MUA and the MDA depends on them establishing secure connections between one another successfully. + +Other machines that facilitate a connection that generally aren't taken into account can exist between a client and server, such as those where your connection passes through your ISP provider are capable of compromising a cleartext connection through interception. \ No newline at end of file From 2c0100280c7b670a0deff16b9c33210d2bca5f38 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 04:35:12 +0200 Subject: [PATCH 401/462] Revert e46c43f71ebd89b6ba95bfa1fcc1dfd7bfd07a3f...f86e6e43189222e1ec55d5aef2f83f176e0f54f1 on A mail server's 101 --- docs/content/a-mail-server's-101.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 4aab16d7..0ab9ff70 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
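Review bot: Footnote 1 lists port 110 among the ports on which `docker-mailserver` "will reject a connection that cannot be secured", but the 101 page revised earlier in this series states that the default configuration disables POP3 altogether; either drop 110 from that footnote or qualify it as applying only when POP3 has been enabled. The footnote markers in the table are fused to the values ("Explicit TLS1", "4653", "Transfer2"), so the Implicit TLS submission port reads as 4653; use `<sup>` tags or a footnote syntax the renderer supports so the marker is visually separate from the port number. Grammar and spacing in the added lines: "Communication on these ports begin" should be "begins"; "credentials(client sending too early)", "ports(465, 587)", "configured(eg SendGrid)" and "port 25(thus" need a space before the parenthesis; the paragraph under "TLS connections on mail servers, compared to web browsers" is one run-on sentence and would be clearer if split at "as the secure connection is only between two machines"; "ISP provider" is redundant. The file also lacks a trailing newline.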
@@ -39,8 +39,8 @@ Here's where `docker-mailserver`'s toochain fits within the delivery chain: ```txt docker-mailserver is here: ┏━━━━━━━┓ -Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ -Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ +Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ +Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` @@ -82,10 +82,10 @@ When it comes to the specifics of email exchange, we have to look at protocols a ```txt ┏━━━━━━━━━━ Submission ━━━━━━━━━┓┏━━━━━━━━━━━━━ Transfer/Relay ━━━━━━━━━━━┓ ┌─────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ -MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- cleartext --> ┊ Third-party MTA ┊ - ---- cleartext ---> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ - |---------------------| -MUA <---- STARTTLS ---- ┤(143) MDA ╯ | +MUA ----- STARTTLS ---> ┤(587) MTA ╮ (25)├ <-- cleartext ---> ┊ Third-party MTA ┊ + ---- cleartext ---> ┤(25) │ | └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + |┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄| +MUA <---- STARTTLS ---- ┤(143) MDA ╯ | <-- enforced TLS -- ┤(993) | └─────────────────────┘ ┗━━━━━━━━━━ Retrieval ━━━━━━━━━━┛ From ee3b4ed9b94125366fc0ad63a549b259804e3ec7 Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 05:36:11 +0200 Subject: [PATCH 402/462] More details on Submission (Outward vs Inward) --- docs/content/a-mail-server's-101.md | 68 +++++++++++++++++++++++------ 1 file changed, 54 insertions(+), 14 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 0ab9ff70..cd833de6 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -16,8 +16,8 @@ Unlike the client-side where usually a single program is used to perform retriev The following components are required to create a [complete delivery chain](https://en.wikipedia.org/wiki/Email_agent_(infrastructure)): - MUA: a [Mail User Agent](https://en.wikipedia.org/wiki/Email_client) is basically any client/program capable of sending emails to arbitrary mail servers; while also capable of fetching emails from mail servers for presenting them to the end users. -- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. More specifically, it's a piece of software dedicated to accepting, and in some cases, transferring/relaying emails. An MTA may accept incoming emails either from MUAs or from other MTAs. It may then relay emails through other MTAs or final delivery to an MDA. -- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA, but instead of forwarding it to another MTA, it is responsible for dropping emails into their recipients' mailboxes, whichever the form. +- MTA: a [Mail Transfer Agent](https://en.wikipedia.org/wiki/Message_transfer_agent) is the so-called "mail server" as seen from the MUA's perspective. It's a piece of software dedicated to accepting submitted emails, then forwarding them-where exactly will depend on an email's final destination. If the receiving MTA is responsible for the hostname the email is sent to, then an MTA is to forward that email to an MDA (see below). Otherwise, it is to transfer (ie. forward, relay) to another MTA, "closer" to the email's final destination. +- MDA: a [Mail Delivery Agent](https://en.wikipedia.org/wiki/Mail_delivery_agent) is responsible for accepting emails from an MTA and dropping them into their recipients' mailboxes, whichever the form. Here's a schematic view of mail delivery: 
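Review bot: In the rewritten MTA bullet, "responsible for the hostname the email is sent to" should say "domain": what decides where an email is routed is the part of the recipient address after the `@` (`dms.io` in the `bob@dms.io` example this patch adds further down), not a hostname. The dash in "forwarding them-where exactly" has been flattened into a hyphen and reads as a compound word; use a comma or a proper dash. "ie." should be "i.e.", and "then is to transfer" would read better as "then it is to transfer".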
@@ -39,16 +39,20 @@ Here's where `docker-mailserver`'s toochain fits within the delivery chain: ```txt docker-mailserver is here: ┏━━━━━━━┓ -Sending an email: MUA ---> MTA ---> MTA ---> ... ---> ┫ MTA ╮ ┃ +Sending an email: MUA ---> MTA ---> (MTA relays) ---> ┫ MTA ╮ ┃ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ ┗━━━━━━━┛ ``` +> Let's say Alice owns a Gmail account, `alice@gmail.com`; and Bob owns an account on a `docker-mailserver`'s instance, `bob@dms.io`. +> > Make sure not to conflate these two very different scenarios: -> Let's say Alice owns a Gmail account, `alice@gmail.com`; whereas Bob owns an account on a `docker-mailserver`'s instance, `bob@dms.io`. -> 1. Alice sends an email to `bob@dms.io` => the email is submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io`. -> 2. Bob sends an email to `alice@gmail.com` => the email is submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com`. -> In the first scenario, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance; its MTA merely receives the email after it has been relayed by Gmail. In the other scenario, a direct connection is established between Bob's MUA and the `docker-mailserver`'s instance's MTA. That will prove very important when it comes to security management. +> 1. Alice sends an email to `bob@dms.io` => the email is first submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io` and eventually delivered into Bob's mailbox. +> 2. Bob sends an email to `alice@gmail.com` => the email is first submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com` and eventually delivered into Alice's mailbox. +> +> In the first scenario where the email leaves Gmail's premises, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance/MTA; it merely receives the email after it has been relayed by Gmail's MTA. 
In the second scenario, the docker-mailserver instance's MTA does handle the submission, prior to relaying. +> +> The main takeaway from that is that sending an email to a docker-mailserver's MTA (any MTA for that matter) does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, and relaying between at least two MTAs is required to deliver an email. That will prove very important when it comes to security management. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with `docker-mailserver`'s Postfix and Dovecot). 
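Review bot: The takeaway line "sending an email to a docker-mailserver's MTA (any MTA for that matter) does _not_ establish a direct connection with that MTA" overstates the point: in scenario 1 as written, the email is relayed from MTA `smtp.gmail.com` to MTA `smtp.dms.io`, and that relay is a direct connection to the `docker-mailserver` MTA. What does not happen is a connection from the sender's MUA to the recipient's MTA, which is the thing that matters for the security discussion that follows. Suggest: "does _not_ establish a direct connection between the sender's client (MUA) and that MTA". The same line and the preceding one also use the unquoted form "docker-mailserver" while the rest of the blockquote uses the backticked `docker-mailserver`; keep one form.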
@@ -100,7 +104,35 @@ For a MUA to send an email to an MTA, it needs to establish a connection with th In the case of `docker-mailserver`, the MTA (SMTP server) is Postfix. The MUA (client) may vary, yet its Submission request is performed as [TCP](https://en.wikipedia.org/wiki/Transmission_Control_Protocol) packets sent over the _public_ internet. This exchange of information may be secured in order to counter eavesdropping. -The best practice as of 2020 is to handle SMTP Submission using an _Implicit TLS connection via ESMTP on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. +#### Two kinds of Submission + +Let's say I own an account on a docker-mailserver instance, `me@dms.io`. There are two very different use-cases for Submission: + +1. I want to send an email to someone +2. Someone wants to send you an email + +In the first scenario, I will be submitting my email directly to my `docker-mailserver` instance's MTA (Postfix), which will then relay the email to its recipient's MTA for final delivery. In this case, Submission is first handled by establishing a direct connection to my own MTA-so at least for this portion of the delivery chain, I'll be able to ensure security/confidentiality. Not so much for what comes next, ie. relaying between MTAs and final delivery. + +In the second scenario, a third-party email account owner will be first submitting an email to some third-party MTA. I have no control over this initial portion of the delivery chain, nor do I have control over the relaying that comes next. My MTA will merely accept a relayed email coming "out of the blue". 
+ +My MTA will thus have to support two kinds of Submission: + +- Outward Submission (self-owned email is submitted directly to the MTA, then is relayed "outside") +- Inward Submission (third-party email has been submitted & relayed, then is accepted "inside" by the MTA) + +```txt + ┏━━━━ Outward Submission ━━━━┓ + ┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +Me ---------------> ┤ ├ -----------------> ┊ ┊ + │ My MTA │ ┊ Third-party MTA ┊ +Me <--------------- ┤ ├ <----------------- ┊ ┊ + └────────────────────┘ └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + ┗━━━━━━━━━━ Inward Submission ━━━━━━━━━━┛ +``` + +##### Outward Submission + +The best practice as of 2020 when it comes to securing Outward Submission is to use _Implicit TLS connection via ESMTP on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. - Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting to submit email in cleartext (unencrypted, not secure) or requesting a cleartext connection to be upgraded to a TLS-encrypted one (secure if `STARTTLS` is successful). It is also known as Enforced TLS. - [ESMTP](https://en.wikipedia.org/wiki/ESMTP) is [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous. 
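Review bot: The new term "Inward Submission" conflicts with the page's own earlier schema, which labels MTA-to-MTA traffic on port 25 as "Transfer/Relay", and the RFC 8314 text this page cites uses "Submission" only for the MUA-to-MTA case; consider keeping "Transfer/Relay" (or "inbound relay") for what a third-party MTA sends to port 25 and reserving "Submission" for what the user's own MUA sends, or at least state up front that "Inward Submission" is this page's own label. The two-item list switches person ("I want to send an email to someone" vs. "Someone wants to send you an email"); item 2 should be "Someone wants to send me an email" to match the "Let's say I own an account" framing. In the ASCII diagram, the bottom-left arrow from "My MTA" back to "Me" is retrieval (handled by the MDA in the earlier schema), not part of inbound delivery, so the "Inward Submission" brace should stop at "My MTA" rather than extend to "Me".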
@@ -112,15 +144,23 @@ Although a very satisfactory setup, Implicit TLS on port 465 is somewhat "cuttin In many implementations, the mail server doesn't enforce TLS encryption, for backwards compatibility. Clients are thus free to deny the TLS-upgrade proposal (or [misled by a hacker](https://security.stackexchange.com/questions/168998/what-happens-if-starttls-dropped-in-smtp) about STARTTLS not being available), and the server accepts unencrypted (cleartext) mail exchange, which poses a confidentiality threat and, to some extent, spam issues. [RFC 8314 (section 3.3)](https://tools.ietf.org/html/rfc8314) recommends for mail servers to support both Implicit and Explicit TLS for Submission, _and_ to enforce TLS-encryption on ports 587 (Explicit TLS) and 465 (Implicit TLS). That's exactly `docker-mailserver`'s default configuration: abiding by RFC 8314, it [enforces a strict (`encrypt`) STARTTLS policy](http://www.postfix.org/postconf.5.html#smtpd_tls_security_level), where a denied TLS upgrade terminates the connection thus (hopefully but at the client's discretion) preventing unencrypted (cleartext) Submission. -- **`docker-mailserver`'s default configuration enables and _requires_ Explicit TLS (STARTTLS) for Submission on port 587.** -- It does not enable Implicit TLS Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. +- **`docker-mailserver`'s default configuration enables and _requires_ Explicit TLS (STARTTLS) on port 587 for Outward Submission.** +- It does not enable Implicit TLS Outward Submission on port 465 by default. One may enable it through simple custom configuration, either as a replacement or (better!) supplementary mean of secure Submission. - It does not support old MUAs (clients) not supporting TLS encryption on ports 587/465 (those should perform Submission on port 25, more details below). 
One may relax that constraint through advanced custom configuration, for backwards compatibility. -A final Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (cleartext) mail exchange though, making STARTTLS a bit wrong to use. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), `docker-mailserver` uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. +A final Outward Submission setup exists and is akin SMTP+STARTTLS on port 587, but on port 25. That port has historically been reserved specifically for unencrypted (cleartext) mail exchange though, making STARTTLS a bit wrong to use. As is expected by [RFC 5321](https://tools.ietf.org/html/rfc5321), `docker-mailserver` uses port 25 for unencrypted Submission in order to support older clients, but most importantly for unencrypted Transfer/Relay between MTAs. -- **`docker-mailserver`'s default configuration enables unencrypted (cleartext) for Submission & Transfer/Relay on port 25.** -- It does not enable Explicit TLS (STARTTLS) on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Submission & Transfer/Relay. -- One may also secure Transfer/Relay on port 25 using advanced encryption scheme, such as DANE and/or MTA-STS. +- **`docker-mailserver`'s default configuration also enables unencrypted (cleartext) on port 25 for Outward Submission.** +- It does not enable Explicit TLS (STARTTLS) on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Outward Submission. +- One may also secure Outward Submission using advanced encryption scheme, such as DANE/DNSSEC and/or MTA-STS. 
+ +##### Inward Submission + +Granted it's still very difficult enforcing encryption between MTAs (Transfer/Relay) without risking dropping emails (when relayed by MTAs not supporting TLS-encryption), Inward Submission is to be handled in cleartext on port 25 by default. + +- **`docker-mailserver`'s default configuration enables unencrypted (cleartext) on port 25 for Inward Submission.** +- It does not enable Explicit TLS (STARTTLS) on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Inward Submission. +- One may also secure Inward Submission using advanced encryption scheme, such as DANE/DNSSEC and/or MTA-STS. ### Retrieval - IMAP From a454f6bcc1586a157b4d165eafcf1956b3a14cfc Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 05:49:10 +0200 Subject: [PATCH 403/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index cd833de6..34772eaf 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
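Review bot: in the `@@ -112,15 +144,23 @@` hunk of a-mail-server's-101.md above, the new bullet `It does not enable Explicit TLS (STARTTLS) on port 25 by default` contradicts the paragraph just before it, which says the default configuration `enforces a strict (encrypt) STARTTLS policy` via `smtpd_tls_security_level`; a main.cf `smtpd_tls_security_level` applies to the port 25 smtpd as well unless the submission service overrides it in master.cf, so the text should state which level (`may` or `encrypt`) applies to port 25 and which to port 587 instead of asserting STARTTLS is absent on 25. Relabelling MTA-to-MTA delivery on port 25 as `Inward Submission` also clashes with the page's own definition of _Transfer_ (aka _Relay_) as the MTA-to-MTA step, which the `@@ -70,7 +70,7 @@` hunk further down keeps; use one term. Minor: `supplementary mean of secure Submission` should read `means` in all three bullets.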
@@ -50,9 +50,9 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ > 1. Alice sends an email to `bob@dms.io` => the email is first submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io` and eventually delivered into Bob's mailbox. > 2. Bob sends an email to `alice@gmail.com` => the email is first submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com` and eventually delivered into Alice's mailbox. > -> In the first scenario where the email leaves Gmail's premises, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance/MTA; it merely receives the email after it has been relayed by Gmail's MTA. In the second scenario, the docker-mailserver instance's MTA does handle the submission, prior to relaying. +> In the first scenario where the email leaves Gmail's premises, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance/MTA; it merely receives the email after it has been relayed by Gmail's MTA. In the second scenario, the `docker-mailserver` instance/MTA does handle the submission, prior to relaying. > -> The main takeaway from that is that sending an email to a docker-mailserver's MTA (any MTA for that matter) does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, and relaying between at least two MTAs is required to deliver an email. That will prove very important when it comes to security management. +> The main takeaway from that is that sending an email to a `docker-mailserver` instance/MTA (or any MTA for that matter) does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, and relaying between at least two MTAs is required to deliver an email. That will prove very important when it comes to security management. 
One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with `docker-mailserver`'s Postfix and Dovecot). @@ -106,12 +106,12 @@ In the case of `docker-mailserver`, the MTA (SMTP server) is Postfix. The MUA (c #### Two kinds of Submission -Let's say I own an account on a docker-mailserver instance, `me@dms.io`. There are two very different use-cases for Submission: +Let's say I own an account on a `docker-mailserver` instance, `me@dms.io`. There are two very different use-cases for Submission: 1. I want to send an email to someone 2. Someone wants to send you an email -In the first scenario, I will be submitting my email directly to my `docker-mailserver` instance's MTA (Postfix), which will then relay the email to its recipient's MTA for final delivery. In this case, Submission is first handled by establishing a direct connection to my own MTA-so at least for this portion of the delivery chain, I'll be able to ensure security/confidentiality. Not so much for what comes next, ie. relaying between MTAs and final delivery. +In the first scenario, I will be submitting my email directly to my `docker-mailserver` instance/MTA (Postfix), which will then relay the email to its recipient's MTA for final delivery. In this case, Submission is first handled by establishing a direct connection to my own MTA-so at least for this portion of the delivery chain, I'll be able to ensure security/confidentiality. Not so much for what comes next, ie. relaying between MTAs and final delivery. In the second scenario, a third-party email account owner will be first submitting an email to some third-party MTA. I have no control over this initial portion of the delivery chain, nor do I have control over the relaying that comes next. My MTA will merely accept a relayed email coming "out of the blue". From 38218001942359dcfabc8475d915b64f625128e8 Mon Sep 17 00:00:00 2001 
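Review bot: the rewritten sentence in the `@@ -106,12 +106,12 @@` hunk still carries `to my own MTA-so at least` and `ie. relaying`; since the line is being touched anyway, fix the missing punctuation (`to my own MTA, so at least`) and write `i.e.`. The two-item list right above it changes person between items (`I want to send an email to someone` / `Someone wants to send you an email`); make the second `send me an email` so it matches the first-person narration that follows.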
From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 05:59:32 +0200 Subject: [PATCH 404/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 34772eaf..e2ff39b4 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -70,7 +70,7 @@ Three main purposes exist when it comes to exchanging emails: - _Transfer_ (aka. _Relay_): for an MTA, the act of sending actual email data over the network, toward another MTA (server) closer to the final destination (where an MTA will forward data to an MDA). - _Retrieval_: for a MUA (client), the act of fetching actual email data over the network, from an MDA. -Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports. Those endpoints _may_ be secured, using an encryption scheme and TLS certificates. +Postfix handles Submission (and might handle Relay), whereas Dovecot handles Retrieval. They both need to be accessible by MUAs in order to act as servers, therefore they expose public endpoints on specific TCP ports (see. [_Understanding the ports_](https://github.com/tomav/docker-mailserver/wiki/Understanding-the-ports) for more details). Those endpoints _may_ be secured, using an encryption scheme and TLS certificates. When it comes to the specifics of email exchange, we have to look at protocols and ports enabled to support all the identified purposes. There are several valid options and they've been evolving overtime. From c57122514e91aca665e626dc814823d0fb7378b8 Mon Sep 17 00:00:00 2001 
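Review bot: `(see. [_Understanding the ports_](https://github.com/tomav/docker-mailserver/wiki/Understanding-the-ports)` has a stray period after `see`, and the link is an absolute wiki URL although the same page lives in this tree at docs/content/config/security/understanding-the-ports.md (touched by PATCH 408 below); a relative link survives a move of the docs. The unchanged context line ending `they've been evolving overtime` should read `over time`.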
From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 06:03:30 +0200 Subject: [PATCH 405/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index e2ff39b4..acfd97e1 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
@@ -134,7 +134,7 @@ Me <--------------- ┤ ├ <----------------- ┊ The best practice as of 2020 when it comes to securing Outward Submission is to use _Implicit TLS connection via ESMTP on port 465_ (see [RFC 8314](https://tools.ietf.org/html/rfc8314)). Let's break it down. -- Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go. The mail server would deny any client attempting to submit email in cleartext (unencrypted, not secure) or requesting a cleartext connection to be upgraded to a TLS-encrypted one (secure if `STARTTLS` is successful). It is also known as Enforced TLS. +- Implicit TLS means the server _enforces_ the client into using an encrypted TCP connection, using [TLS](https://en.wikipedia.org/wiki/Transport_Layer_Security). With this kind of connection, the MUA _has_ to establish a TLS-encrypted connection from the get go (TLS is implied, hence the name "Implicit"). Any client attempting to either submit email in cleartext (unencrypted, not secure), or requesting a cleartext connection to be upgraded to a TLS-encrypted one using `STARTTLS`, is to be denied. Implicit TLS is sometimes called Enforced TLS for that reason. - [ESMTP](https://en.wikipedia.org/wiki/ESMTP) is [SMTP](https://en.wikipedia.org/wiki/Simple_Mail_Transfer_Protocol) + extensions. It's the version of the SMTP protocol that most mail servers speak nowadays. For the purpose of this documentation, ESMTP and SMTP are synonymous. - Port 465 is the reserved TCP port for Implicit TLS Submission (since 2018). There is actually a boisterous history to that ports usage, but let's keep it simple. From 51e497b848a402adb70765bfff6e8c57de2ff692 Mon Sep 17 00:00:00 2001 
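Review bot: `the server _enforces_ the client into using an encrypted TCP connection` is awkward and slightly off: on an Implicit TLS port the TLS handshake is the first thing on the wire, so a client that sends cleartext SMTP (including a `STARTTLS` command) never reaches an SMTP conversation to be denied, the handshake simply fails. Suggest `With Implicit TLS the client must open a TLS session before any SMTP command is sent; a cleartext connection, and therefore a STARTTLS upgrade, is not possible on such a port.` Also, `Enforced TLS` is used elsewhere for a mandatory-STARTTLS policy, so it does not distinguish Implicit TLS; RFC 8314's own term is `Implicit TLS`, and saying the server requires TLS is clearer than giving it a second name.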
From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 06:28:06 +0200 Subject: [PATCH 406/462] Updated A mail server's 101 (markdown) --- docs/content/a-mail-server's-101.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index acfd97e1..9e721dcb 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md @@ -125,7 +125,7 @@ My MTA will thus have to support two kinds of Submission: ┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ Me ---------------> ┤ ├ -----------------> ┊ ┊ │ My MTA │ ┊ Third-party MTA ┊ -Me <--------------- ┤ ├ <----------------- ┊ ┊ + │ ├ <----------------- ┊ ┊ └────────────────────┘ └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ ┗━━━━━━━━━━ Inward Submission ━━━━━━━━━━┛ ``` 
@@ -162,6 +162,18 @@ Granted it's still very difficult enforcing encryption between MTAs (Transfer/Re - It does not enable Explicit TLS (STARTTLS) on port 25 by default. One may enable it through advanced custom configuration, either as a replacement (bad!) or as a supplementary mean of secure Inward Submission. - One may also secure Inward Submission using advanced encryption scheme, such as DANE/DNSSEC and/or MTA-STS. +Overall, `docker-mailserver`'s default configuration for SMTP looks like this: + +```txt + ┏━━━━ Outward Submission ━━━━┓ + ┌────────────────────┐ ┌┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┐ +Me -- cleartext --> ┤(25) (25)├ --- cleartext ---> ┊ ┊ +Me -- STARTTLS ---> ┤(587) My MTA │ ┊ Third-party MTA ┊ + │ (25)├ <---cleartext ---- ┊ ┊ + └────────────────────┘ └┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┄┘ + ┗━━━━━━━━━━ Inward Submission ━━━━━━━━━━┛ +``` + ### Retrieval - IMAP A MUA willing to fetch an email from a mail server will most likely communicate with its [IMAP](https://en.wikipedia.org/wiki/IMAP) server. As with SMTP described earlier, communication will take place in the form of data packets exchanged over a network that both the client and the server are connected to. The IMAP protocol makes the server capable of handling _Retrieval_. From a584386824c1f0f005a693ea4afdb64315d37ccc Mon Sep 17 00:00:00 2001 From: Jean-Denis Vauguet Date: Sat, 13 Jun 2020 06:52:13 +0200 Subject: [PATCH 407/462] clarification about third-party sending email to dms' MTA --- docs/content/a-mail-server's-101.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 9e721dcb..3231abdb 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
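Review bot: in the added `txt` diagram, the `Me -- STARTTLS ---> ┤(587)` arrow reads as opportunistic STARTTLS, whereas the bullets above say port 587 _requires_ it; label it `STARTTLS (required)`. The diagram's only outbound leg, `(25)├ --- cleartext --->`, is justified by the inbound bullet `does not enable Explicit TLS (STARTTLS) on port 25 by default`, but outbound delivery is governed by Postfix's client-side `smtp_tls_security_level`, not the server-side `smtpd_tls_security_level` linked earlier; name that setting so a reader can verify the outbound leg really is cleartext rather than opportunistic TLS.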
@@ -52,7 +52,7 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ > > In the first scenario where the email leaves Gmail's premises, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance/MTA; it merely receives the email after it has been relayed by Gmail's MTA. In the second scenario, the `docker-mailserver` instance/MTA does handle the submission, prior to relaying. > -> The main takeaway from that is that sending an email to a `docker-mailserver` instance/MTA (or any MTA for that matter) does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, and relaying between at least two MTAs is required to deliver an email. That will prove very important when it comes to security management. +> The main takeaway from that is that when a third-party sends an email to a `docker-mailserver` instance/MTA (or any MTA for that matter), it does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, then some relaying between at least two MTAs is required to deliver the email. That will prove very important when it comes to security management. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with `docker-mailserver`'s Postfix and Dovecot). From 4a53a2566ad181839937c7013a7d75059e0f0534 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sat, 13 Jun 2020 20:44:34 +1200 Subject: [PATCH 408/462] Add flowchart for SMTP, expand on inbound/outband SMTP traffic and ports --- .../security/understanding-the-ports.md | 89 +++++++++++++++---- 1 file changed, 73 insertions(+), 16 deletions(-) diff --git a/docs/content/config/security/understanding-the-ports.md b/docs/content/config/security/understanding-the-ports.md index cc2f6403..ba853e70 100644 --- a/docs/content/config/security/understanding-the-ports.md 
+++ b/docs/content/config/security/understanding-the-ports.md 
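Review bot: in the `@@ -52,7 +52,7 @@` hunk of a-mail-server's-101.md (PATCH 407) above, `when a third-party sends an email to a docker-mailserver instance/MTA ... it does _not_ establish a direct connection with that MTA` is only true of the third party's mail client; the third party's MTA does open a direct TCP connection to the instance's port 25 for the final relay hop, and that connection is exactly what the page's Inward Submission section is about securing. Suggest `the third party's mail client never connects to your MTA; its own MTA does, after accepting the submission`.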
@@ -1,21 +1,9 @@ +## Quick Reference + +Prefer Implicit TLS ports, they're more secure and if you use a Reverse Proxy, should be less hassle (although it's probably wiser to expose these ports directly to `docker-mailserver`). + ## Overview of email ports -### Explicit TLS (aka Opportunistic TLS) - Opt-in Encryption - -Communication on these ports begin in [cleartext](https://www.denimgroup.com/resources/blog/2007/10/cleartext-vs-pl/), indicating support for `STARTTLS`. If both client and server support `STARTTLS` the connection will be secured over TLS, otherwise no encryption will be used. - -Support for `STARTTLS` is not always implemented correctly, which can lead to leaking credentials(client sending too early) prior to a TLS connection being established. Third-parties such as some ISPs have also been known to intercept the `STARTTLS` exchange, modifying network traffic to prevent establishing a secure connection. - -Due to these security concerns, [RFC 8314 (Section 4.1)](https://tools.ietf.org/html/rfc8314#section-4.1) encourages you to **prefer Implicit TLS ports where possible**. - -### Implicit TLS - Enforced Encryption - -Communication is always encrypted, avoiding the above mentioned issues with Explicit TLS. - -You may know of these ports as **SMTPS, POP3S, IMAPS**, which indicate the protocol in combination with a TLS connection. However, Explicit TLS ports provide the same benefit when `STARTTLS` is successfully negotiated; Implicit TLS better communicates the improved security to all three protocols (SMTP/POP3/IMAP over Implicit TLS). - -Additionally, referring to port 465 as *SMTPS* would be incorrect, as it is a submissions port requiring authentication to proceed via *ESMTP*, whereas ESMTPS has a different meaning(STARTTLS supported). Port 25 may lack Implicit TLS, but can be configured to be more secure between trusted parties via MTA-STS, STARTTLS Policy List, DNSSEC and DANE. 
- | Protocol | Explicit TLS1 | Implicit TLS | Purpose | |----------|--------------------------|-----------------|----------------------| | SMTP | 25 | N/A | Transfer2 | 
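Review bot: the new `## Quick Reference` is a single sentence that argues with itself: it says Implicit TLS ports are `less hassle` behind a reverse proxy and then that it is `wiser to expose these ports directly`. Split it into two plain recommendations (prefer the Implicit TLS ports; expose them directly to `docker-mailserver` rather than through a proxy) and, if the proxy remark stays, say why proxying is discouraged.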
@@ -27,6 +15,75 @@ Additionally, referring to port 465 as *SMTPS* would be incorrect, as it is a su 2. Receives email, `docker-mailserver` additionally filters for spam and viruses. For submitting email to the server to be sent to third-parties, you should prefer the *submission* ports(465, 587) - which require authentication. Unless a relay host is configured(eg SendGrid), outgoing email will leave the server via port 25(thus outbound traffic must not be blocked by your provider or firewall). 3. A *submission* port since 2018 ([RFC 8314](https://tools.ietf.org/html/rfc8314)). Previously a secure variant of port 25. +### What ports should I use? (SMTP) + +[![Best Practice - Ports (SMTP)](https://mermaid.ink/img/eyJjb2RlIjoiZmxvd2NoYXJ0IExSXG4gICAgc3ViZ3JhcGggeW91ci1zZXJ2ZXIgW1wiWW91ciBTZXJ2ZXJcIl1cbiAgICAgICAgaW5fMjUoMjUpIC0tPiBzZXJ2ZXJcbiAgICAgICAgaW5fNDY1KDQ2NSkgLS0-IHNlcnZlclxuICAgICAgICBzZXJ2ZXIoKFwiZG9ja2VyLW1haWxzZXJ2ZXI8YnIvPmhlbGxvQHdvcmxkLmNvbVwiKSlcbiAgICAgICAgc2VydmVyIC0tLSBvdXRfMjUoMjUpXG4gICAgICAgIHNlcnZlciAtLS0gb3V0XzQ2NSg0NjUpXG4gICAgZW5kXG5cbiAgICB0aGlyZC1wYXJ0eShcIlRoaXJkLXBhcnR5PGJyLz4oc2VuZGluZyB5b3UgZW1haWwpXCIpIC0tLXxcIlJlY2VpdmUgZW1haWwgZm9yPGJyLz5oZWxsb0B3b3JsZC5jb21cInwgaW5fMjVcblxuICAgIHN1YmdyYXBoIGNsaWVudHMgW1wiQ2xpZW50cyAoTVVBKVwiXVxuICAgICAgICBtdWEtY2xpZW50KFRodW5kZXJiaXJkLDxici8-V2VibWFpbCw8YnIvPk11dHQsPGJyLz5ldGMpXG4gICAgICAgIG11YS1zZXJ2aWNlKEJhY2tlbmQgc29mdHdhcmU8YnIvPm9uIGFub3RoZXIgc2VydmVyKVxuICAgIGVuZFxuICAgIGNsaWVudHMgLS0tfFwiU2VuZCBlbWFpbCBhczxici8-aGVsbG9Ad29ybGQuY29tXCJ8IGluXzQ2NVxuXG4gICAgb3V0XzI1KDI1KSAtLT58XCJEaXJlY3Q8YnIvPkRlbGl2ZXJ5XCJ8IHRpbl8yNVxuICAgIG91dF80NjUoNDY1KSAtLT4gcmVsYXkoXCJNVEE8YnIvPlJlbGF5IFNlcnZlclwiKSAtLT4gdGluXzI1KDI1KVxuXG4gICAgc3ViZ3JhcGggdGhpcmQtcGFydHktc2VydmVyW1wiVGhpcmQtcGFydHkgU2VydmVyXCJdXG4gICAgICAgIHRoaXJkLXBhcnR5LW10YShcIk1UQTxici8-ZnJpZW5kQGV4YW1wbGUuY29tXCIpXG4gICAgICAgIHRpbl8yNSgyNSkgLS0-IHRoaXJkLXBhcnR5LW10YVxuICAgIGVuZCIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0In0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9)](
https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZmxvd2NoYXJ0IExSXG4gICAgc3ViZ3JhcGggeW91ci1zZXJ2ZXIgW1wiWW91ciBTZXJ2ZXJcIl1cbiAgICAgICAgaW5fMjUoMjUpIC0tPiBzZXJ2ZXJcbiAgICAgICAgaW5fNDY1KDQ2NSkgLS0-IHNlcnZlclxuICAgICAgICBzZXJ2ZXIoKFwiZG9ja2VyLW1haWxzZXJ2ZXI8YnIvPmhlbGxvQHdvcmxkLmNvbVwiKSlcbiAgICAgICAgc2VydmVyIC0tLSBvdXRfMjUoMjUpXG4gICAgICAgIHNlcnZlciAtLS0gb3V0XzQ2NSg0NjUpXG4gICAgZW5kXG5cbiAgICB0aGlyZC1wYXJ0eShcIlRoaXJkLXBhcnR5PGJyLz4oc2VuZGluZyB5b3UgZW1haWwpXCIpIC0tLXxcIlJlY2VpdmUgZW1haWwgZm9yPGJyLz5oZWxsb0B3b3JsZC5jb21cInwgaW5fMjVcblxuICAgIHN1YmdyYXBoIGNsaWVudHMgW1wiQ2xpZW50cyAoTVVBKVwiXVxuICAgICAgICBtdWEtY2xpZW50KFRodW5kZXJiaXJkLDxici8-V2VibWFpbCw8YnIvPk11dHQsPGJyLz5ldGMpXG4gICAgICAgIG11YS1zZXJ2aWNlKEJhY2tlbmQgc29mdHdhcmU8YnIvPm9uIGFub3RoZXIgc2VydmVyKVxuICAgIGVuZFxuICAgIGNsaWVudHMgLS0tfFwiU2VuZCBlbWFpbCBhczxici8-aGVsbG9Ad29ybGQuY29tXCJ8IGluXzQ2NVxuXG4gICAgb3V0XzI1KDI1KSAtLT58XCJEaXJlY3Q8YnIvPkRlbGl2ZXJ5XCJ8IHRpbl8yNVxuICAgIG91dF80NjUoNDY1KSAtLT4gcmVsYXkoXCJNVEE8YnIvPlJlbGF5IFNlcnZlclwiKSAtLT4gdGluXzI1KDI1KVxuXG4gICAgc3ViZ3JhcGggdGhpcmQtcGFydHktc2VydmVyW1wiVGhpcmQtcGFydHkgU2VydmVyXCJdXG4gICAgICAgIHRoaXJkLXBhcnR5LW10YShcIk1UQTxici8-ZnJpZW5kQGV4YW1wbGUuY29tXCIpXG4gICAgICAgIHRpbl8yNSgyNSkgLS0-IHRoaXJkLXBhcnR5LW10YVxuICAgIGVuZCIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0In0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9) + +
+Flowchart - Mermaid.js source: + +View in the [Live Editor](https://mermaid-js.github.io/mermaid-live-editor/#/edit/eyJjb2RlIjoiZmxvd2NoYXJ0IExSXG4gICAgc3ViZ3JhcGggeW91ci1zZXJ2ZXIgW1wiWW91ciBTZXJ2ZXJcIl1cbiAgICAgICAgaW5fMjUoMjUpIC0tPiBzZXJ2ZXJcbiAgICAgICAgaW5fNDY1KDQ2NSkgLS0-IHNlcnZlclxuICAgICAgICBzZXJ2ZXIoKFwiZG9ja2VyLW1haWxzZXJ2ZXI8YnIvPmhlbGxvQHdvcmxkLmNvbVwiKSlcbiAgICAgICAgc2VydmVyIC0tLSBvdXRfMjUoMjUpXG4gICAgICAgIHNlcnZlciAtLS0gb3V0XzQ2NSg0NjUpXG4gICAgZW5kXG5cbiAgICB0aGlyZC1wYXJ0eShcIlRoaXJkLXBhcnR5PGJyLz4oc2VuZGluZyB5b3UgZW1haWwpXCIpIC0tLXxcIlJlY2VpdmUgZW1haWwgZm9yPGJyLz5oZWxsb0B3b3JsZC5jb21cInwgaW5fMjVcblxuICAgIHN1YmdyYXBoIGNsaWVudHMgW1wiQ2xpZW50cyAoTVVBKVwiXVxuICAgICAgICBtdWEtY2xpZW50KFRodW5kZXJiaXJkLDxici8-V2VibWFpbCw8YnIvPk11dHQsPGJyLz5ldGMpXG4gICAgICAgIG11YS1zZXJ2aWNlKEJhY2tlbmQgc29mdHdhcmU8YnIvPm9uIGFub3RoZXIgc2VydmVyKVxuICAgIGVuZFxuICAgIGNsaWVudHMgLS0tfFwiU2VuZCBlbWFpbCBhczxici8-aGVsbG9Ad29ybGQuY29tXCJ8IGluXzQ2NVxuXG4gICAgb3V0XzI1KDI1KSAtLT58XCJEaXJlY3Q8YnIvPkRlbGl2ZXJ5XCJ8IHRpbl8yNVxuICAgIG91dF80NjUoNDY1KSAtLT4gcmVsYXkoXCJNVEE8YnIvPlJlbGF5IFNlcnZlclwiKSAtLT4gdGluXzI1KDI1KVxuXG4gICAgc3ViZ3JhcGggdGhpcmQtcGFydHktc2VydmVyW1wiVGhpcmQtcGFydHkgU2VydmVyXCJdXG4gICAgICAgIHRoaXJkLXBhcnR5LW10YShcIk1UQTxici8-ZnJpZW5kQGV4YW1wbGUuY29tXCIpXG4gICAgICAgIHRpbl8yNSgyNSkgLS0-IHRoaXJkLXBhcnR5LW10YVxuICAgIGVuZCIsIm1lcm1haWQiOnsidGhlbWUiOiJkZWZhdWx0In0sInVwZGF0ZUVkaXRvciI6ZmFsc2V9). + +``` +flowchart LR + subgraph your-server ["Your Server"] + in_25(25) --> server + in_465(465) --> server + server(("docker-mailserver
hello@world.com")) + server --- out_25(25) + server --- out_465(465) + end + + third-party("Third-party
(sending you email)") ---|"Receive email for
hello@world.com"| in_25 + + subgraph clients ["Clients (MUA)"] + mua-client(Thunderbird,
Webmail,
Mutt,
etc) + mua-service(Backend software
on another server) + end + clients ---|"Send email as
hello@world.com"| in_465 + + out_25(25) -->|"Direct
Delivery"| tin_25 + out_465(465) --> relay("MTA
Relay Server") --> tin_25(25) + + subgraph third-party-server["Third-party Server"] + third-party-mta("MTA
friend@example.com") + tin_25(25) --> third-party-mta + end +``` + +--- + +
+ + +#### Inbound Traffic (On the left): +- **Port 25:** Think of this like a physical mailbox, it is open to receive email from anyone who wants to. `docker-mailserver` will actively filter email delivered on this port for spam or viruses and refuse mail from known bad sources. While you could also use this port internally to send email outbound without requiring authentication, you really should prefer the *Submission* ports(587, 465). +- **Port 465(*and 587*):** This is the equivalent of a post office box where you would send email to be delivered on your behalf(`docker-mailserver` is that metaphorical post office, aka the MTA). Unlike port 25, these two ports are known as the *Submission* ports and require a valid email account on the server with a password to be able to send email to anyone outside of the server(an MTA you do not control, eg Outlook or Gmail). Prefer port 465 which provides Implicit TLS. + +#### Outbound Traffic (On the Right): +- **Port 25:** Send the email directly to the given email address MTA as possible. Like your own `docker-mailserver` port 25, this is the standard port for receiving email on, thus email will almost always arrive to the final MTA on this port. Note that, there may be additional MTAs further in the chain, but this would be the public facing one representing that email address. +- **Port 465(*and 587*):** SMTP Relays are a popular choice to hand-off delivery of email through. Services like SendGrid are useful for bulk email(marketing) or when your webhost or ISP are preventing you from using standard ports like port 25 to send out email(which can be abused by spammers). + + `docker-mailserver` can serve as a relay too, but the difference between a DIY relay and a professional service is reputation, which is referenced by MTAs you're delivering to such as Outlook, Gmail or others(perhaps another `docker-mailserver` server!), when deciding if email should be marked as junked or potentially not delivered at all. 
As a service like SendGrid has a reputation to maintain, relay is restricted to registered users who must authenticate(even on port 25), they do not store email, merely forward it to another MTA which could be delivered on a different port like 25. + +### Explicit vs Implicit TLS + +#### Explicit TLS (aka Opportunistic TLS) - Opt-in Encryption + +Communication on these ports begin in [cleartext](https://www.denimgroup.com/resources/blog/2007/10/cleartext-vs-pl/), indicating support for `STARTTLS`. If both client and server support `STARTTLS` the connection will be secured over TLS, otherwise no encryption will be used. + +Support for `STARTTLS` is not always implemented correctly, which can lead to leaking credentials(client sending too early) prior to a TLS connection being established. Third-parties such as some ISPs have also been known to intercept the `STARTTLS` exchange, modifying network traffic to prevent establishing a secure connection. + +Due to these security concerns, [RFC 8314 (Section 4.1)](https://tools.ietf.org/html/rfc8314#section-4.1) encourages you to **prefer Implicit TLS ports where possible**. + +#### Implicit TLS - Enforced Encryption + +Communication is always encrypted, avoiding the above mentioned issues with Explicit TLS. + +You may know of these ports as **SMTPS, POP3S, IMAPS**, which indicate the protocol in combination with a TLS connection. However, Explicit TLS ports provide the same benefit when `STARTTLS` is successfully negotiated; Implicit TLS better communicates the improved security to all three protocols (SMTP/POP3/IMAP over Implicit TLS). + +Additionally, referring to port 465 as *SMTPS* would be incorrect, as it is a submissions port requiring authentication to proceed via *ESMTP*, whereas ESMTPS has a different meaning(STARTTLS supported). Port 25 may lack Implicit TLS, but can be configured to be more secure between trusted parties via MTA-STS, STARTTLS Policy List, DNSSEC and DANE. 
+ ## Security **TODO:** *This section should provide any related configuration advice, and probably expand on and link to resources about DANE, DNSSEC, MTA-STS and STARTTLS Policy list, with advice on how to configure/setup these added security layers.* From d67c7f16770190d07c44a6eaf29fe4528fc69b21 Mon Sep 17 00:00:00 2001 From: Brennan Kinney <5098581+polarathene@users.noreply.github.com> Date: Sun, 14 Jun 2020 16:05:12 +1200 Subject: [PATCH 409/462] Slight changes to Alice and Bob example --- docs/content/a-mail-server's-101.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/content/a-mail-server's-101.md b/docs/content/a-mail-server's-101.md index 3231abdb..feadc837 100644 --- a/docs/content/a-mail-server's-101.md +++ b/docs/content/a-mail-server's-101.md 
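Review bot: `While you could also use this port internally to send email outbound without requiring authentication` needs the qualifier that Postfix only relays unauthenticated mail on port 25 from networks it trusts (`mynetworks`); an MTA that relays for arbitrary clients on 25 is an open relay and will be blocklisted, so say `from a trusted network` rather than `internally`. The heading `Explicit TLS (aka Opportunistic TLS)` conflates mechanism with policy: STARTTLS is explicit TLS whether the server makes it optional or mandatory, and this very page says port 587 requires it; call the subsection `Explicit TLS (STARTTLS)` and present opportunistic versus required as the policy choice. Minor style: `ports(465, 587)`, `Port 465(*and 587*)`, `authenticate(even on port 25)` and similar should have a space before the opening parenthesis.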
@@ -47,12 +47,12 @@ Fetching an email: MUA <------------------------------ ┫ MDA ╯ ┃ > Let's say Alice owns a Gmail account, `alice@gmail.com`; and Bob owns an account on a `docker-mailserver`'s instance, `bob@dms.io`. > > Make sure not to conflate these two very different scenarios: -> 1. Alice sends an email to `bob@dms.io` => the email is first submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io` and eventually delivered into Bob's mailbox. -> 2. Bob sends an email to `alice@gmail.com` => the email is first submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com` and eventually delivered into Alice's mailbox. +> A) Alice sends an email to `bob@dms.io` => the email is first submitted to MTA `smtp.gmail.com`, then relayed to MTA `smtp.dms.io` where it is then delivered into Bob's mailbox. +> B) Bob sends an email to `alice@gmail.com` => the email is first submitted to MTA `smtp.dms.io`, then relayed to MTA `smtp.gmail.com` and eventually delivered into Alice's mailbox. > -> In the first scenario where the email leaves Gmail's premises, the email's *initial* submission is _not_ handled by the `docker-mailserver` instance/MTA; it merely receives the email after it has been relayed by Gmail's MTA. In the second scenario, the `docker-mailserver` instance/MTA does handle the submission, prior to relaying. +> In scenario *A* the email leaves Gmail's premises, that email's *initial* submission is _not_ handled by your `docker-mailserver` instance(MTA); it merely receives the email after it has been relayed by Gmail's MTA. In scenario *B*, the `docker-mailserver` instance(MTA) handles the submission, prior to relaying. > -> The main takeaway from that is that when a third-party sends an email to a `docker-mailserver` instance/MTA (or any MTA for that matter), it does _not_ establish a direct connection with that MTA. 
Email submission first goes through the sender's MTA, then some relaying between at least two MTAs is required to deliver the email. That will prove very important when it comes to security management. +> The main takeaway is that when a third-party sends an email to a `docker-mailserver` instance(MTA) (or any MTA for that matter), it does _not_ establish a direct connection with that MTA. Email submission first goes through the sender's MTA, then some relaying between at least two MTAs is required to deliver the email. That will prove very important when it comes to security management. One important thing to note is that MTA and MDA programs may actually handle _multiple_ tasks (which is the case with `docker-mailserver`'s Postfix and Dovecot). From 78af9f97a28a4353855199bde751e2f6b51f2c30 Mon Sep 17 00:00:00 2001 From: Amin Vakil Date: Sun, 21 Jun 2020 10:01:01 +0430 Subject: [PATCH 410/462] Change postfix-aliases.cf to postfix-virtual.cf & add setup.sh alias link --- docs/content/config/user-management/aliases.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index 99f4c85d..e93b2164 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md @@ -2,7 +2,9 @@ Please first read [Postfix documentation on virtual aliases](http://www.postfix. ### Configuring aliases -Aliases are managed in `/tmp/docker-mailserver/postfix-aliases.cf`. +You can use [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) instead of creating and editing files manually. + +Aliases are managed in `/tmp/docker-mailserver/postfix-virtual.cf`. An alias is a _full_ email address that will either be: 
@@ -21,7 +23,7 @@ Example (on a server with domain.tld as its domain): ### Configuring regexp aliases -Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (/tmp/docker-mailserver/postfix-aliases.cf). +Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (`/tmp/docker-mailserver/postfix-virtual.cf`). For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: From 68e9e5dd36287125ee3c42f1952a343db590add2 Mon Sep 17 00:00:00 2001 From: idaadi Date: Tue, 7 Jul 2020 00:58:25 +0200 Subject: [PATCH 411/462] mailto was missing from the forensics receiver (ruf) --- docs/content/config/best-practices/dmarc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/dmarc.md b/docs/content/config/best-practices/dmarc.md index e7c74451..12129211 100644 --- a/docs/content/config/best-practices/dmarc.md +++ b/docs/content/config/best-practices/dmarc.md 
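Review bot: in the `@@ -21,7 +23,7 @@` hunk the rewritten line now mixes two path conventions in one sentence, `config/postfix-regexp.cf` and `/tmp/docker-mailserver/postfix-virtual.cf`; since the rename already touches this line, use one form for both (the host-side `config/` path or the in-container `/tmp/docker-mailserver/` path) and say once which is which. In the first hunk, the `setup.sh` pointer is an absolute wiki URL with an `#alias` fragment; a relative link to the setup.sh page in this tree is less likely to rot.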
@@ -13,7 +13,7 @@ _dmarc.domain.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc.report@domain.com; Or a bit more strict policies (mind `p=quarantine` and `sp=quarantine`): ``` -_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" +_dmarc IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc.report@domain.com; ruf=mailto:dmarc.report@domain.com; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; sp=quarantine" ``` DMARC status is not being displayed instantly in Gmail for instance. If you want to check it directly after DNS entries, you can use some services around the Internet such as https://dmarcguide.globalcyberalliance.org/ or https://ondmarc.redsift.com/. In other case, email clients will show "DMARC: PASS" in ~1 day or so. From c6f1af4fffbcf4d737aa28c666fe859f619649a1 Mon Sep 17 00:00:00 2001 From: Trangar Date: Wed, 15 Jul 2020 08:32:38 +0200 Subject: [PATCH 412/462] Added information about stealth blocks on port 25 --- docs/content/config/troubleshooting/debugging.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/debugging.md b/docs/content/config/troubleshooting/debugging.md index ade5b38f..102563ed 100644 --- a/docs/content/config/troubleshooting/debugging.md +++ b/docs/content/config/troubleshooting/debugging.md 
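Review bot: the `ruf=mailto:` fix is correct, DMARC report URIs must carry the scheme and a bare address is ignored, but the two example records still differ in owner-name form (`_dmarc.domain.com. IN TXT` versus the relative `_dmarc IN TXT`); pick one so a reader pasting into a zone file gets the same result from both. Since this record now genuinely requests failure reports, add a sentence that `ruf` reports can carry headers and content of the failing message, so `dmarc.report@domain.com` should be a mailbox the domain owner controls, and that several large receivers do not send them at all.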
@@ -51,4 +51,12 @@ fail2ban-client set postfix addignoreip # this will delete the jails entirely - nuclear option fail2ban-client stop dovecot fail2ban-client stop postfix -``` \ No newline at end of file +``` + +## Send email is never received + +Some hosting provides have a stealth block on port 25. Make sure to check with your hosting provider that traffic on port 25 is allowed + +Common hosting providers known to have this issue: +- [Azure](https://docs.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity) +- [AWS EC2](https://aws.amazon.com/premiumsupport/knowledge-center/ec2-port-25-throttle/) \ No newline at end of file From 6f04051ffd7339a12e51738b6d0b2d1f7619cc53 Mon Sep 17 00:00:00 2001 From: Michael Date: Thu, 16 Jul 2020 21:12:50 +0200 Subject: [PATCH 413/462] traefik v2 section added --- docs/content/config/security/ssl.md | 58 ++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 2 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index b219c4c8..51efb692 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -1,7 +1,7 @@ There are multiple options to enable SSL: * using [letsencrypt](#lets-encrypt-recommended) (recommended) -* using [traefik](#traefik) +* using [Traefik](#traefik) * using [self-signed certificates](#self-signed-certificates-testing-only) with the provided tool * using [your own certificates](#custom-certificate-files) 
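Review bot: the new debugging section has a typo that changes its meaning, `Some hosting provides have a stealth block` should read `Some hosting providers have a stealth block`, and the heading `## Send email is never received` reads better as `## Sent email is never received`; the sentence after it is also missing its final period. Since this is a troubleshooting page, a one-line self-test would make it actionable, e.g. `openssl s_client -connect <remote-mx>:25 -starttls smtp` from inside the container (the same tool this repo's ssl.md already uses), which times out when port 25 is silently dropped. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which the previous revision had just fixed.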
@@ -314,7 +314,61 @@ DSM-generated letsencrypt certificates get auto-renewed every three months. Traefik can request certificates for domains through the ACME protocol (see [Traefik's documentation about its ACME negotiation & storage mechanism](https://docs.traefik.io/https/acme/)). Traefik's router will take care of renewals, challenge negotiations, etc. -If you are using Traefik, you might want to _push_ your Traefik-managed certificates to the mailserver container, in order to reuse them. Not an easy task, but fortunately, [youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for docker-mailserver. +##### Traefik v2 + +(For Traefik v1 see [next section](#traefik-v1)) +Traefik's V2 storage format is natively supported if the `acme.json` store is mounted into the container at `/etc/letsencrypt/acme.json`. The file is also monitored for changes and will trigger a reload of the mail services. Lookup of the certificate domain happens in the following order: + + 1. $SSL_DOMAIN + 2. $HOSTNAME + 3. $DOMAINNAME + +This allows for support of wild card certificates: `"SSL_DOMAIN=*.example.com"`. 
Here is an example setup for [docker-compose](https://docs.docker.com/compose/): + +```yaml +version: '3.8' +services: + mail: + image: tvial/docker-mailserver:stable + hostname: mail + domainname: example.com + volumes: + - /etc/ssl/acme-v2.json:/etc/letsencrypt/acme.json:ro + environment: + SSL_TYPE: letsencrypt + # SSL_DOMAIN: "*.example.com" + traefik: + image: traefik:v2.2 + restart: always + ports: + - "80:80" + - "443:443" + command: + - --providers.docker + - --entrypoints.web.address=:80 + - --entrypoints.web.http.redirections.entryPoint.to=websecure + - --entrypoints.web.http.redirections.entryPoint.scheme=https + - --entrypoints.websecure.address=:443 + - --entrypoints.websecure.http.middlewares=hsts@docker + - --entrypoints.websecure.http.tls.certResolver=le + - --certificatesresolvers.le.acme.email=admin@example.net + - --certificatesresolvers.le.acme.storage=/acme.json + - --certificatesresolvers.le.acme.httpchallenge.entrypoint=web + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - /etc/ssl/acme-v2.json:/acme.json + + whoami: + image: containous/whoami + labels: + - "traefik.http.routers.whoami.rule=Host(`mail.example.com`)" +``` + +This setup only comes with one caveat: The domain has to be configured on another service for traefik to actually request it from lets-encrypt (`whoami` in this case). + +##### Traefik V1 + +If you are using Traefik v1, you might want to _push_ your Traefik-managed certificates to the mailserver container, in order to reuse them. Not an easy task, but fortunately, [youtous/mailserver-traefik](https://github.com/youtous/docker-mailserver-traefik) is a certificate renewal service for docker-mailserver. Depending of your Traefik configuration, certificates may be stored using a file or a KV Store (consul, etcd...) Either way, certificates will be renewed by Traefik, then automatically pushed to the mailserver thanks to the cert-renewer service. Finally, dovecot and postfix will be restarted. 
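Review bot: the Traefik v2 compose example starts the docker provider with a bare `--providers.docker`, which in Traefik v2 exposes every container on the socket as a router by default; for a mail host the example should add `--providers.docker.exposedbydefault=false` and label only `whoami` with `traefik.enable=true`, otherwise the mail container itself gets an HTTP router it never asked for. Two smaller points in the same hunk: `/etc/ssl/acme-v2.json` holds the account key and all private keys, so the text should say the file must be `0600` on the host (Traefik refuses to use a more permissive file) and that the `:ro` mount into the mail container is deliberate; and the resolver is registered with `acme.email=admin@example.net` while every other name in the example is under `example.com`, which looks like a copy-paste slip. Spelling: `lets-encrypt` should be `Let's Encrypt` and `traefik` in prose should be `Traefik`, as the first hunk of this patch just normalised.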
From 6dce6c6cf7b1f29c3eaa61fd405fa97eee9cf606 Mon Sep 17 00:00:00 2001 From: Erik Wramner Date: Fri, 7 Aug 2020 09:54:31 +0200 Subject: [PATCH 414/462] Changed stable to latest for Traefik as the code has not been merged into stable yet --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 51efb692..0ec0512f 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -329,7 +329,7 @@ This allows for support of wild card certificates: `"SSL_DOMAIN=*.example.com"`. version: '3.8' services: mail: - image: tvial/docker-mailserver:stable + image: tvial/docker-mailserver:latest hostname: mail domainname: example.com volumes: From cde15e365f6d379f024cf5de518e22f1f50c20aa Mon Sep 17 00:00:00 2001 From: pyy Date: Thu, 10 Sep 2020 20:59:33 +0200 Subject: [PATCH 415/462] how to set timezone for container --- docs/content/config/troubleshooting/faq.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index bf29a33b..002f8164 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -25,6 +25,12 @@ volumes: - /etc/localtime:/etc/localtime:ro ``` +(optional) Add one line to `.env` or `env-mailserver` to set timetzone for container, for example: +``` +TZ=Europe/Berlin +``` +check here for [`tz name list`](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) + ### What is the file format? All files are using the Unix format with `LF` line endings. From 4424495f63dbc4c6dddd321b6e5ced862301c4af Mon Sep 17 00:00:00 2001 
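Review bot: in the timezone hunk, `timetzone` should be `timezone`, and the closing line `check here for [`tz name list`](...)` is a fragment with no capital or period; suggest `See the [list of tz database time zones](...) for valid values.` The paragraph would also benefit from one clause saying that `TZ=` is an alternative to the `/etc/localtime` bind mount shown just above it, not something to do in addition, so readers do not configure both and wonder which wins.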
From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Sat, 26 Sep 2020 14:52:36 +0200 Subject: [PATCH 416/462] Traefik2's wildcard certificates now work with `:stable` --- docs/content/config/security/ssl.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 0ec0512f..a65c0592 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -248,7 +248,8 @@ networks: ``` The second part of the setup is the actual mail container. So, in another folder, create another docker-compose.yml with the following content (Removed all ENV variables for this example): -``` + +``` YAML version: '2' services: mail: @@ -289,6 +290,7 @@ networks: name: nginx-proxy ``` + The mail container needs to have the letsencrypt certificate folder mounted as a volume. No further changes are needed. The second container is a dummy-sidecar we need, because the mail-container do not expose any web-ports. Set your ENV variables as you need. (VIRTUAL_HOST and LETSENCRYPT_HOST are mandandory, see documentation) @@ -317,6 +319,7 @@ Traefik can request certificates for domains through the ACME protocol (see [Tra ##### Traefik v2 (For Traefik v1 see [next section](#traefik-v1)) + Traefik's V2 storage format is natively supported if the `acme.json` store is mounted into the container at `/etc/letsencrypt/acme.json`. The file is also monitored for changes and will trigger a reload of the mail services. Lookup of the certificate domain happens in the following order: 1. $SSL_DOMAIN 
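Review bot: the `-248` hunk changes the fence to ``` YAML with a space before the info string, and the `-325` hunk of the same patch replaces a correct ```yaml with the same spaced form; CommonMark tolerates the leading space, but the rest of this file uses lowercase `yaml`/`yml` without one, so please keep the tag consistent (lowercase `yaml`) rather than introducing a second style. While touching the `-289` hunk, the context line `VIRTUAL_HOST and LETSENCRYPT_HOST are mandandory` has a typo (`mandatory`) that could be fixed in the same commit.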
@@ -325,11 +328,11 @@ Traefik's V2 storage format is natively supported if the `acme.json` store is mo This allows for support of wild card certificates: `"SSL_DOMAIN=*.example.com"`. Here is an example setup for [docker-compose](https://docs.docker.com/compose/): -```yaml +``` YAML version: '3.8' services: mail: - image: tvial/docker-mailserver:latest + image: tvial/docker-mailserver:stable hostname: mail domainname: example.com volumes: From 6aad01abbd61e523414051ad9d13317784d989a5 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Sun, 27 Sep 2020 22:14:27 +0200 Subject: [PATCH 417/462] added warning message for PERMIT_DOCKER=network when using IPv6 (#1405) --- docs/content/config/troubleshooting/faq.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 002f8164..99595209 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -270,6 +270,8 @@ Please note that clamav can consume a lot of memory, as it reads the entire sign Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. +**WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or `connected-networks` option, can create an [**open relay**](https://en.wikipedia.org/wiki/Open_mail_relay), [for instance](https://github.com/tomav/docker-mailserver/issues/1405#issuecomment-590106498) if IPv6 is enabled on the host machine but not in Docker. ([#1405](https://github.com/tomav/docker-mailserver/issues/1405)) + ### How can I authenticate users with SMTP_ONLY? See https://github.com/tomav/docker-mailserver/issues/1247 for an example. From 68e27162f319ed7f6bbfdb67fb30e5389f241487 Mon Sep 17 00:00:00 2001 
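Review bot: the open-relay warning for `PERMIT_DOCKER: network` is a welcome addition, but it only tells the reader what not to do; one more sentence on what to use instead (the default, or `PERMIT_DOCKER=host` as used elsewhere in these docs) and how to confirm the result, e.g. `docker exec mail postconf mynetworks` to see which networks Postfix was actually told to trust, would make the warning actionable. Also the bolded `**WARNING**` paragraph sits after the one-line answer, so a reader skimming the FAQ for the yes/no sees `Yes` before the caveat; consider putting the warning first.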
From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Sun, 27 Sep 2020 22:15:21 +0200 Subject: [PATCH 418/462] added warning message for PERMIT_DOCKER=network when using IPv6 (#1405) --- docs/content/tutorials/installation-examples.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index a267a67d..b84447fa 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md @@ -1,5 +1,7 @@ ## Building a simple mailserver +**WARNING**: Adding the docker network's gateway to the list of trusted hosts, e.g. using the `network` or `connected-networks` option, can create an [**open relay**](https://en.wikipedia.org/wiki/Open_mail_relay), [for instance](https://github.com/tomav/docker-mailserver/issues/1405#issuecomment-590106498) if IPv6 is enabled on the host machine but not in Docker. ([#1405](https://github.com/tomav/docker-mailserver/issues/1405)) + We are going to use this docker based mailserver: - First create a directory for the mailserver and get the setup script: From 4fc4fe97f7a2adac5c28dd41cab36a622def3523 Mon Sep 17 00:00:00 2001 From: squash Date: Thu, 1 Oct 2020 14:06:51 -0400 Subject: [PATCH 419/462] Update for key_type global option with Caddy v2 for people sharing their LE certs between Caddy and docker-mailserver --- docs/content/config/security/ssl.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index a65c0592..8f673b3e 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md 
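Review bot: this hunk places the `PERMIT_DOCKER` open-relay warning as the very first paragraph of the installation tutorial, before the reader has seen the option or any compose file, so it reads as context-free; it would land better next to the step where the environment is configured. It is also a verbatim copy of the FAQ text added in the previous commit, which will drift the next time one of them is edited; a one-line pointer to the FAQ entry (or the reverse) keeps a single source of truth.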
@@ -31,8 +31,20 @@ https://mail.domain.com { } } ``` +For Caddy v2 you can specify the key_type in your server's global settings, which would end up looking something like this if you're using a Caddyfile: +``` +{ +debug +admin localhost:2019 +http_port 80 +https_port 443 +default_sni mywebserver.com +key_type rsa4096 -For Caddy v2 it is necessary to use the json structured Caddyfile. A minimal config would look something like this: +} +```` + +If you are instead using a json config for Caddy v2, you can set it in your site's TLS automation policies: ``` { From 16df7b8b8b9590d4b455a22804393573d3a05261 Mon Sep 17 00:00:00 2001 From: engelant Date: Sun, 4 Oct 2020 13:44:21 +0200 Subject: [PATCH 420/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 99595209..8199fe90 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -339,6 +339,15 @@ If you want to test it you can move into the running container, run it and see i You can do a lot of things with such a script. You can find an example user-patches.sh script here: [example user-patches.sh script](https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh) +#### Special case pathcing supervisord config +It seems worth noting, that the `user-patches.sh` gets executed trough supervisord. If you need to patch some supervisord config (e.g. `/etc/supervisor/conf.d/saslauth.conf`), the patching happens too late. +An easy workaround is to make the `user-patches.sh` reload the supervisord config after patching it: +```bash +#!/bin/bash +sed -i 's/rimap -r/rimap/' /etc/supervisor/conf.d/saslauth.conf +supervisorctl update +``` + From e633eca38e4076078bfab9c1c5ebb4b31f4c0476 Mon Sep 17 00:00:00 2001 
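Review bot: the Caddy v2 global-options block is closed with four backticks (`````), which does not match the three-backtick opener, so every renderer will treat the rest of the page as code until the next fence; this needs to be ```. The example global options also include `debug` and `admin localhost:2019`, which are not needed for `key_type` and in the `debug` case turn on verbose logging that can spill sensitive request data; the minimal block is just `{ key_type rsa4096 }`. Finally the page now shows `rsa4096` here and `rsa2048` in the v1 and JSON examples; either is fine for the RSA-only constraint from issue 1440, but pick one so readers do not assume the size matters.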
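Review bot: in the supervisord hunk, `pathcing` should be `patching` (fixed in the next commit) and `gets executed trough supervisord` should be `through`; drop the comma in `It seems worth noting, that`. On the script itself: `supervisorctl update` only reloads groups whose configuration changed on disk, which is exactly what is wanted here, but the `sed -i` has no check that the pattern matched, so a renamed or already-patched `saslauth.conf` silently becomes a no-op; a `grep -q 'rimap -r' ... && sed -i ...` guard, or `set -e` at the top, would make failures visible in the container log instead of leaving the service in its old state.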
From: engelant Date: Sun, 4 Oct 2020 13:45:29 +0200 Subject: [PATCH 421/462] Updated FAQ and Tips (markdown) --- docs/content/config/troubleshooting/faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index 8199fe90..ebe89f8b 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -339,7 +339,7 @@ If you want to test it you can move into the running container, run it and see i You can do a lot of things with such a script. You can find an example user-patches.sh script here: [example user-patches.sh script](https://github.com/hanscees/dockerscripts/blob/master/scripts/tomav-user-patches.sh) -#### Special case pathcing supervisord config +#### Special case patching supervisord config It seems worth noting, that the `user-patches.sh` gets executed trough supervisord. If you need to patch some supervisord config (e.g. `/etc/supervisor/conf.d/saslauth.conf`), the patching happens too late. An easy workaround is to make the `user-patches.sh` reload the supervisord config after patching it: ```bash From 673d7307b6ef24877fc1164fe095cbc1c7071440 Mon Sep 17 00:00:00 2001 From: pyy Date: Tue, 6 Oct 2020 19:30:33 +0200 Subject: [PATCH 422/462] add account without restart container --- docs/content/config/troubleshooting/faq.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index ebe89f8b..cc8464b0 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md 
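Review bot: `Tips: to add/update/delete an email account` should be singular `Tip:`, and `after using setup.sh script` reads better as `after using the setup.sh script`; the link text `issues/1639` could simply be `#1639` to match how other issues are cited in this FAQ. The claim itself (no postfix/dovecot restart needed) is a useful operational note and belongs near the `setup.sh email` documentation as well, not only under the supervisorctl answer.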
@@ -16,6 +16,9 @@ In order to do so, you'll probably want to push your config updates to your serv See [supervisorctl's documentation](http://supervisord.org/running.html#running-supervisorctl). +Tips: to add/update/delete an email account, there is no need to restart postfix/dovecot service inside the container after using setup.sh script. +For more information, see [issues/1639](https://github.com/tomav/docker-mailserver/issues/1639) + ### How can I sync container with host date/time? Timezone? Share the host's [`/etc/localtime`](https://www.freedesktop.org/software/systemd/man/localtime.html) with the docker-mailserver container, using a Docker volume: From b986c4375b8eab529d7dd577ab1005bc74a86c0b Mon Sep 17 00:00:00 2001 From: Luke Cyca Date: Thu, 8 Oct 2020 15:36:39 -0700 Subject: [PATCH 423/462] Created Full-text search (markdown) --- docs/content/advanced/full-text-search.md | 52 +++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 docs/content/advanced/full-text-search.md diff --git a/docs/content/advanced/full-text-search.md b/docs/content/advanced/full-text-search.md new file mode 100644 index 00000000..de9c96e9 --- /dev/null +++ b/docs/content/advanced/full-text-search.md 
@@ -0,0 +1,52 @@ +Full-text search allows all messages to be indexed, so that mail clients can quickly and efficiently search messages by their full text content. + +## Overview + +The [dovecot-solr Plugin](https://wiki2.dovecot.org/Plugins/FTS/Solr) is used in conjunction with [Apache Solr](https://lucene.apache.org/solr/) running in a separate container. This is quite straightforward to setup using the following instructions. + +## Setup Steps + +1. docker-compose.yml: + +``` + solr: + image: lmmdock/dovecot-solr:latest + volumes: + - solr-dovecot:/opt/solr/server/solr/dovecot + restart: always + + mailserver: + image: tvial/docker-mailserver:latest + ... + volumes: + ... + - ./etc/dovecot/conf.d/10-plugin.conf:/etc/dovecot/conf.d/10-plugin.conf:ro + ... + +volumes: + solr-dovecot: + driver: local + +``` + +2. `etc/dovecot/conf.d/10-plugin.conf`: +``` +mail_plugins = fts fts_solr + +plugin { + fts = solr + fts_autoindex = yes + fts_solr = url=http://solr:8983/solr/dovecot/ +} +``` + +3. Start the solr container: `docker-compose up -d --remove-orphans solr` + +4. Restart the mailserver container: `docker-compose restart mailserver` + +5. Flag all user mailbox FTS indexes as invalid, so they are rescanned on demand when they are next searched +``` +docker-compose exec mailserver doveadm fts rescan -A +``` + +Further discussion on #905 \ No newline at end of file From 3db4b75d6e53bec7141f646656d45d192fb3a5c3 Mon Sep 17 00:00:00 2001 From: Luke Cyca Date: Thu, 8 Oct 2020 15:37:26 -0700 Subject: [PATCH 424/462] Updated Full text search (markdown) --- docs/content/advanced/full-text-search.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/advanced/full-text-search.md b/docs/content/advanced/full-text-search.md index de9c96e9..fcf6237e 100644 --- a/docs/content/advanced/full-text-search.md +++ b/docs/content/advanced/full-text-search.md 
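Review bot: the full-text-search page should say explicitly that the Solr index contains the full text of every user's mail and that Solr ships with no authentication, so the `solr` service must keep no `ports:` entry (the example correctly has none) and ideally sit on a dedicated compose network that only `mailserver` joins; with the default network, any other container in the project can query `http://solr:8983/solr/dovecot/` and read mailbox contents. Two smaller points in the same hunk: `lmmdock/dovecot-solr:latest` is a third-party image with a floating tag, so pinning a tag or digest is worth recommending, and the `...` placeholders in the YAML should be called out as elisions, otherwise a reader pasting the block gets a YAML parse error from `docker-compose`.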
@@ -1,7 +1,7 @@ -Full-text search allows all messages to be indexed, so that mail clients can quickly and efficiently search messages by their full text content. - ## Overview +Full-text search allows all messages to be indexed, so that mail clients can quickly and efficiently search messages by their full text content. + The [dovecot-solr Plugin](https://wiki2.dovecot.org/Plugins/FTS/Solr) is used in conjunction with [Apache Solr](https://lucene.apache.org/solr/) running in a separate container. This is quite straightforward to setup using the following instructions. ## Setup Steps @@ -49,4 +49,4 @@ plugin { docker-compose exec mailserver doveadm fts rescan -A ``` -Further discussion on #905 \ No newline at end of file +Further discussion on [#905](https://github.com/tomav/docker-mailserver/issues/905) \ No newline at end of file From ad240b00e97b66bdabf599a9bb4fa8b68eb70c72 Mon Sep 17 00:00:00 2001 From: Luke Cyca Date: Thu, 8 Oct 2020 15:38:12 -0700 Subject: [PATCH 425/462] Updated Full text search (markdown) --- docs/content/advanced/full-text-search.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/content/advanced/full-text-search.md b/docs/content/advanced/full-text-search.md index fcf6237e..9885d76d 100644 --- a/docs/content/advanced/full-text-search.md +++ b/docs/content/advanced/full-text-search.md @@ -49,4 +49,6 @@ plugin { docker-compose exec mailserver doveadm fts rescan -A ``` -Further discussion on [#905](https://github.com/tomav/docker-mailserver/issues/905) \ No newline at end of file + +## Further discussion +See [issue #905](https://github.com/tomav/docker-mailserver/issues/905) \ No newline at end of file From 854c1b52238af9922f73f8decfededc81efba8de Mon Sep 17 00:00:00 2001 
From: Luke Cyca Date: Thu, 8 Oct 2020 15:45:58 -0700 Subject: [PATCH 426/462] Created IPv6 (markdown) --- docs/content/advanced/ipv6.md | 42 +++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 docs/content/advanced/ipv6.md diff --git a/docs/content/advanced/ipv6.md b/docs/content/advanced/ipv6.md new file mode 100644 index 00000000..4a00485e --- /dev/null +++ b/docs/content/advanced/ipv6.md @@ -0,0 +1,42 @@ +## Background + +If your container host supports IPv6, then `docker-mailserver` will automatically accept IPv6 connections by way of the docker host's IPv6. However, incoming mail will fail SPF checks because they will appear to come from the IPv4 gateway that docker is using to proxy the IPv6 connection (172.20.0.1 is the gateway). + +This can be solved by supporting IPv6 connections all the way to the `docker-mailserver` container. + +## Setup steps + +```diff ++++ b/serv/docker-compose.yml +@@ -1,4 +1,4 @@ +-version: '2' ++version: '2.1' + +@@ -32,6 +32,16 @@ services: + ++ ipv6nat: ++ image: robbertkl/ipv6nat ++ restart: always ++ network_mode: "host" ++ cap_add: ++ - NET_ADMIN ++ - SYS_MODULE ++ volumes: ++ - /var/run/docker.sock:/var/run/docker.sock:ro ++ - /lib/modules:/lib/modules:ro + +@@ -306,4 +316,13 @@ networks: + ++ default: ++ driver: bridge ++ enable_ipv6: true ++ ipam: ++ driver: default ++ config: ++ - subnet: fd00:0123:4567::/48 ++ gateway: fd00:0123:4567::1 +``` + +## Further discussion + +See [issue #1438](https://github.com/tomav/docker-mailserver/issues/1438) \ No newline at end of file From 28a5fb643662f3b18bce7a8bdb421c858e6c5d09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dorian=20Ayll=C3=B3n?= Date: Wed, 21 Oct 2020 17:08:34 +0200 Subject: [PATCH 427/462] Fix example YAML markdown code block --- docs/content/config/security/ssl.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 8f673b3e..4bc441ba 100644 
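Review bot: the IPv6 page adds an `ipv6nat` service with `network_mode: "host"`, `NET_ADMIN`, `SYS_MODULE` and the Docker socket mounted, which together amount to root on the host; that trade-off deserves a sentence so operators choose it knowingly, and the `/lib/modules:ro` mount is worth explaining (it loads netfilter modules for IPv6 NAT). The background paragraph should also cross-reference the `PERMIT_DOCKER` open-relay warning added to the FAQ in commit 417 (issue #1405), since the situation it describes, IPv6 enabled on the host but not in Docker, is exactly the one this page fixes, and `172.20.0.1 is the gateway` assumes a particular bridge subnet rather than being generally true. The fenced `diff` is missing its `--- a/...` line, which is fine for illustration but means it cannot be applied with `patch` as shown.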
--- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -209,7 +209,7 @@ Then #### Example using docker, nginx-proxy and letsencrypt-nginx-proxy-companion with docker-compose The following docker-compose.yml is the basic setup you need for using letsencrypt-nginx-proxy-companion. It is mainly derived from its own wiki/documenation. -``` +```YAML version: "2" services: From 63fc2511aaacf9e1e2e7712a7168357422c34e1d Mon Sep 17 00:00:00 2001 From: omarc1492 <10967529+omarc1492@users.noreply.github.com> Date: Fri, 30 Oct 2020 12:36:38 -0500 Subject: [PATCH 428/462] Add new options to reflect support for SELinux --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index d5f9e39b..f86dcd8a 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -23,8 +23,17 @@ OPTIONS: -i IMAGE_NAME The name of the docker-mailserver image, by default 'tvial/docker-mailserver:latest'. + -c CONTAINER_NAME The name of the running container. + -z Allow container access to the bind mount content + that is shared among multiple containers + on a SELinux-enabled host. + + -Z Allow container access to the bind mount content + that is private and unshared with other containers + on a SELinux-enabled host. + SUBCOMMANDS: email: From 77308d269dba7709909169cc62462c9053c10ae7 Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Sun, 29 Nov 2020 19:44:50 +0100 Subject: [PATCH 429/462] Moving Caddy pitfall to a dedicated section --- docs/content/config/security/ssl.md | 211 ++++++++++++++-------------- 1 file changed, 107 insertions(+), 104 deletions(-) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 4bc441ba..48578bd1 100644 
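Review bot: the `-z`/`-Z` help text should state that these map onto Docker's `:z` (shared) and `:Z` (private, MCS-relabelled) bind-mount options, because `-Z` relabels the config directory so that other containers can no longer read it and users need to know that before choosing it. The hunk also adds `-c CONTAINER_NAME  The name of the running container.` which is not mentioned in the commit message; if the option was previously undocumented that is good, but it should be called out so the change log matches the diff.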
--- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -1,6 +1,7 @@ There are multiple options to enable SSL: * using [letsencrypt](#lets-encrypt-recommended) (recommended) +* using [Caddy](#caddy) * using [Traefik](#traefik) * using [self-signed certificates](#self-signed-certificates-testing-only) with the provided tool * using [your own certificates](#custom-certificate-files) 
@@ -20,111 +21,7 @@ To enable Let's Encrypt on your mail server, you have to: You don't have anything else to do. Enjoy. -#### Pitfall with Caddy -If you are using Caddy to renew your certificates, please note that only RSA certificates work. Read [issue 1440](https://github.com/tomav/docker-mailserver/issues/1440) for details. In short for Caddy v1 the Caddyfile should look something like: - -``` -https://mail.domain.com { - tls yourcurrentemail@gmail.com { - key_type rsa2048 - } -} -``` -For Caddy v2 you can specify the key_type in your server's global settings, which would end up looking something like this if you're using a Caddyfile: -``` -{ -debug -admin localhost:2019 -http_port 80 -https_port 443 -default_sni mywebserver.com -key_type rsa4096 - -} -```` - -If you are instead using a json config for Caddy v2, you can set it in your site's TLS automation policies: - -``` -{ - "apps": { - "http": { - "servers": { - "srv0": { - "listen": [ - ":443" - ], - "routes": [ - { - "match": [ - { - "host": [ - "mail.domain.com", - ] - } - ], - "handle": [ - { - "handler": "subroute", - "routes": [ - { - "handle": [ - { - "body": "", - "handler": "static_response" - } - ] - } - ] - } - ], - "terminal": true - }, - ] - } - } - }, - "tls": { - "automation": { - "policies": [ - { - "subjects": [ - "mail.domain.com", - ], - "key_type": "rsa2048", - "issuer": { - "email": "email@email.com", - "module": "acme" - } - }, - { - "issuer": { - "email": "email@email.com", - "module": "acme" - } - } - ] - } - } - } -} -``` -The generated certificates can be mounted: -``` -volumes: - - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.crt:/etc/letsencrypt/live/mail.domain.com/fullchain.pem - - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.key:/etc/letsencrypt/live/mail.domain.com/privkey.pem -``` - -EC certificates fail in the TLS handshake: - -``` -CONNECTED(00000003) 
-140342221178112:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40 -no peer certificate available -No client certificate CA names sent -``` #### Example using docker for letsencrypt Make a directory to store your letsencrypt logs and configs. 
@@ -322,6 +219,112 @@ environment: ``` DSM-generated letsencrypt certificates get auto-renewed every three months. +### Caddy + +If you are using Caddy to renew your certificates, please note that only RSA certificates work. Read [issue 1440](https://github.com/tomav/docker-mailserver/issues/1440) for details. In short for Caddy v1 the Caddyfile should look something like: + +``` +https://mail.domain.com { + tls yourcurrentemail@gmail.com { + key_type rsa2048 + } +} +``` +For Caddy v2 you can specify the key_type in your server's global settings, which would end up looking something like this if you're using a Caddyfile: +``` +{ +debug +admin localhost:2019 +http_port 80 +https_port 443 +default_sni mywebserver.com +key_type rsa4096 + +} +```` + +If you are instead using a json config for Caddy v2, you can set it in your site's TLS automation policies: + +``` +{ + "apps": { + "http": { + "servers": { + "srv0": { + "listen": [ + ":443" + ], + "routes": [ + { + "match": [ + { + "host": [ + "mail.domain.com", + ] + } + ], + "handle": [ + { + "handler": "subroute", + "routes": [ + { + "handle": [ + { + "body": "", + "handler": "static_response" + } + ] + } + ] + } + ], + "terminal": true + }, + ] + } + } + }, + "tls": { + "automation": { + "policies": [ + { + "subjects": [ + "mail.domain.com", + ], + "key_type": "rsa2048", + "issuer": { + "email": "email@email.com", + "module": "acme" + } + }, + { + "issuer": { + "email": "email@email.com", + "module": "acme" + } + } + ] + } + } + } +} +``` +The generated certificates can be mounted: +``` +volumes: + - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.crt:/etc/letsencrypt/live/mail.domain.com/fullchain.pem + - ${CADDY_DATA_DIR}/certificates/acme-v02.api.letsencrypt.org-directory/mail.domain.com/mail.domain.com.key:/etc/letsencrypt/live/mail.domain.com/privkey.pem +``` + +EC certificates fail in the TLS handshake: + +``` +CONNECTED(00000003) 
+140342221178112:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40 +no peer certificate available +No client certificate CA names sent +``` + ### Traefik [Traefik](https://github.com/containous/traefik) is an open-source Edge Router which handles ACME protocol using [lego](https://github.com/go-acme/lego). From ee557c9e3fc1ed9dbcbcd1633bb70cce7a6158a3 Mon Sep 17 00:00:00 2001 From: Germain Masse Date: Sun, 29 Nov 2020 20:23:43 +0100 Subject: [PATCH 430/462] Command-line to verify certificate dates --- docs/content/config/security/ssl.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/content/config/security/ssl.md b/docs/content/config/security/ssl.md index 48578bd1..3f2ae276 100644 --- a/docs/content/config/security/ssl.md +++ b/docs/content/config/security/ssl.md @@ -454,6 +454,11 @@ And you should see the certificate chain, the server certificate and: Verify return code: 0 (ok) +In addition, to verify certificate dates: + + docker exec mail openssl s_client -connect 0.0.0.0:25 -starttls smtp -CApath /etc/ssl/certs/ 2>/dev/null | openssl x509 -noout -dates + + ### Plain text access Not recommended for purposes other than testing. From cee1b06d0e25fbfdcba15fef88eb3c9991ea8cc1 Mon Sep 17 00:00:00 2001 From: William Desportes Date: Sat, 5 Dec 2020 21:01:26 +0100 Subject: [PATCH 431/462] Better highlighting on config blocks --- docs/content/advanced/auth-ldap.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/content/advanced/auth-ldap.md b/docs/content/advanced/auth-ldap.md index 9eb903ad..e602240c 100644 --- a/docs/content/advanced/auth-ldap.md +++ b/docs/content/advanced/auth-ldap.md @@ -26,7 +26,7 @@ __DOVECOT__: **NOTE**: This page will provide several use cases like recipes to show, how this project can be used with it's LDAP Features. ### Ldap Setup - Kopano/Zarafa -``` +```yml --- version: '2' 
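Review bot: moving the Caddy material into its own `### Caddy` section carries over two defects that should be fixed in the same move: the four-backtick closing fence (`````) after the global-options block, which unbalances the page's fences, and the trailing commas in the JSON example (`"mail.domain.com",` directly before `]`, and `},` before `]` in `routes`), which make it invalid JSON that Caddy's loader rejects with a parse error. The `debug` global option in the Caddyfile example is also unnecessary for `key_type` and enables verbose logging, so it should be dropped from a configuration readers will copy.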
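Review bot: the certificate-dates command is added as a four-space indented block while the rest of ssl.md uses fenced code, so it should be fenced for consistency. On the command: `-connect 0.0.0.0:25` works on Linux but reads as a wildcard address; `127.0.0.1:25` says what is meant, and adding `-servername mail.domain.com` makes the check exercise SNI the way a real client would. The pipe into `openssl x509 -noout -dates` is the right way to get `notBefore`/`notAfter`; it may be worth saying that this runs on the host, so the host needs openssl too.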
@@ -102,14 +102,14 @@ volumes: If your directory has not the postfix-book schema installed, then you must change the internal attribute handling for dovecot. For this you have to change the ```pass_attr``` and the ```user_attr``` mapping, as shown in the example below: -``` +```yml - DOVECOT_PASS_ATTR==user,=password - DOVECOT_USER_ATTR==home,=mail,=uid, =gid ``` The following example illustrates this for a directory that has the qmail-schema installed and that uses ```uid```: -``` +```yml - DOVECOT_PASS_ATTRS=uid=user,userPassword=password - DOVECOT_USER_ATTRS=homeDirectory=home,qmailUID=uid,qmailGID=gid,mailMessageStore=mail - DOVECOT_PASS_FILTER=(&(objectClass=qmailUser)(uid=%u)(accountStatus=active)) From ccd99636e8c4bfa27840928e2eb33653d0cae7b7 Mon Sep 17 00:00:00 2001 From: Patrizio Bekerle Date: Fri, 11 Dec 2020 10:18:01 +0100 Subject: [PATCH 432/462] Update "Manage Sieve" link --- docs/content/advanced/mail-sieve.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/mail-sieve.md b/docs/content/advanced/mail-sieve.md index b4932ea4..83654dba 100644 --- a/docs/content/advanced/mail-sieve.md +++ b/docs/content/advanced/mail-sieve.md 
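Review bot: the fence tags are fine, but the context lines in this hunk show the two examples disagreeing on the variable names: the first uses `DOVECOT_PASS_ATTR==user,=password` / `DOVECOT_USER_ATTR==home,=mail,=uid, =gid` (singular, with a doubled `=` and empty LDAP attribute names), the second uses `DOVECOT_PASS_ATTRS` / `DOVECOT_USER_ATTRS` (plural) with real attribute names. Only one of these can be the variable the image reads; the first block should either be rewritten with the plural names and explicit `<ldapattr>=` placeholders, or be labelled as a template rather than a runnable setting.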
@@ -52,7 +52,7 @@ For more examples or a detailed description of the Sieve language have a look at ### Manage Sieve -The [Manage Sieve](http://wiki2.dovecot.org/Pigeonhole/ManageSieve) extension allows users to modify their Sieve script by themselves. The authentication mechanisms are the same as for the main dovecot service. ManageSieve runs on port `4190` and needs to be enabled using the `ENABLE_MANAGESIEVE=1` environment variable. +The [Manage Sieve](https://doc.dovecot.org/admin_manual/pigeonhole_managesieve_server/) extension allows users to modify their Sieve script by themselves. The authentication mechanisms are the same as for the main dovecot service. ManageSieve runs on port `4190` and needs to be enabled using the `ENABLE_MANAGESIEVE=1` environment variable. ``` (docker-compose.yml) From 8b9a102e3e6ab7126b0e4058285605e12377558c Mon Sep 17 00:00:00 2001 From: Patrizio Bekerle Date: Sun, 13 Dec 2020 21:42:51 +0100 Subject: [PATCH 433/462] Mention maintained autodiscover-email-settings --- docs/content/config/best-practices/autodiscover.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/best-practices/autodiscover.md b/docs/content/config/best-practices/autodiscover.md index 61de4190..7bd5b34e 100644 --- a/docs/content/config/best-practices/autodiscover.md +++ b/docs/content/config/best-practices/autodiscover.md 
@@ -2,4 +2,4 @@ Email auto-discovery means a client email is able to automagically find out abou Basically, email clients will search for auto-discoverable settings and prefill almost everything when a user enters its email address :heart: -There exists [docker-email-autodiscover](https://hub.docker.com/r/jsmitsnl/docker-email-autodiscover/) on hub.docker.com but the upstream project is actually gone from GitHub. There are some forks available though. \ No newline at end of file +There exists [autodiscover-email-settings](https://hub.docker.com/r/monogramm/autodiscover-email-settings/) on hub.docker.com which provides IMAP/POP/SMTP/LDAP autodiscover capabilities on Microsoft Outlook/Apple Mail, autoconfig capabilities for Thunderbird or kmail and configuration profiles for iOS/Apple Mail. \ No newline at end of file From 8a7dcc67b099e3da6b324f40ddda55094bd3b458 Mon Sep 17 00:00:00 2001 From: Dashamir Hoxha Date: Wed, 30 Dec 2020 20:40:36 +0100 Subject: [PATCH 434/462] Add a ToDo note --- docs/content/config/troubleshooting/faq.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/content/config/troubleshooting/faq.md b/docs/content/config/troubleshooting/faq.md index cc8464b0..9ed73b52 100644 --- a/docs/content/config/troubleshooting/faq.md +++ b/docs/content/config/troubleshooting/faq.md @@ -279,6 +279,8 @@ Yes, by Adding the Environment Variable `PERMIT_DOCKER: network`. See https://github.com/tomav/docker-mailserver/issues/1247 for an example. +*ToDo: Write a HowTo/UseCase/Tutorial about authentication with SMTP_ONLY.* + ### Common errors ``` From c916e21308ae337a5a81fdbe8329e4ddce825fa3 Mon Sep 17 00:00:00 2001 
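Review bot: an italic `*ToDo: ...*` line in the published FAQ reads as unfinished content to users. Track the missing SMTP_ONLY authentication how-to in an issue instead (the paragraph above already links issue 1247 for an example) and keep work-in-progress markers out of the FAQ, or at least phrase the line as a pointer to that issue.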
From: Dashamir Hoxha Date: Wed, 30 Dec 2020 21:15:38 +0100 Subject: [PATCH 435/462] Created Forward-Only mailserver with LDAP authentication (markdown) --- ...nly-mailserver-with-ldap-authentication.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md diff --git a/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md new file mode 100644 index 00000000..fda4e84c --- /dev/null +++ b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md @@ -0,0 +1,26 @@ +# Forward-Only mailserver with LDAP authentication + +## Building a Forward-Only mailserver + +A **forward-only** mailserver does not have any local mailboxes. Instead, it has only aliases that forward emails to external email accounts (for example to a gmail account). You can also send email from the localhost (the computer where the mailserver is installed), using as sender any of the alias addresses. + +The important settings for this setup (on `mailserver.env`) are these: + +``` +PERMIT_DOCKER=host +ENABLE_POP3= +ENABLE_CLAMAV=0 +SMTP_ONLY=1 +ENABLE_SPAMASSASSIN=0 +ENABLE_FETCHMAIL=0 +``` + +Since there are no local mailboxes, we use `SMTP_ONLY=1` to disable `dovecot`. We disable as well the other services that are related to local mailboxes (`POP3`, `ClamAV`, `SpamAssassin`, etc.) + +We can create aliases with `./setup.sh`, like this: + +``` +./setup.sh alias add +``` + +## Authenticating with LDAP From cfd78782611bbcb1dbd151b914a8035d433f50e2 Mon Sep 17 00:00:00 2001 From: Dashamir Hoxha Date: Wed, 30 Dec 2020 22:57:24 +0100 Subject: [PATCH 436/462] Describe how to authenticate with LDAP --- ...nly-mailserver-with-ldap-authentication.md | 79 ++++++++++++++++++- 1 file changed, 76 insertions(+), 3 deletions(-) 
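Review bot: `PERMIT_DOCKER=host` is listed among the important settings without explanation, yet it is what allows the unauthenticated sending "from the localhost" described a few lines earlier; state that link explicitly so readers understand the trust they are granting to the host. Two smaller points: `ENABLE_POP3=` is left empty while every other disabled service uses `=0`, which looks like an omission rather than a deliberate value, and the `./setup.sh alias add` example shows no arguments, so the alias and recipient form of the command is not visible.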
diff --git a/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md index fda4e84c..3ab795f1 100644 --- a/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md +++ b/docs/content/uses-cases/forward-only-mailserver-with-ldap-authentication.md @@ -1,4 +1,3 @@ -# Forward-Only mailserver with LDAP authentication ## Building a Forward-Only mailserver @@ -6,7 +5,7 @@ A **forward-only** mailserver does not have any local mailboxes. Instead, it has The important settings for this setup (on `mailserver.env`) are these: -``` +```console PERMIT_DOCKER=host ENABLE_POP3= ENABLE_CLAMAV=0 
@@ -19,8 +18,82 @@ Since there are no local mailboxes, we use `SMTP_ONLY=1` to disable `dovecot`. W We can create aliases with `./setup.sh`, like this: -``` +```bash ./setup.sh alias add ``` ## Authenticating with LDAP + +If you want to send emails from outside the mailserver you have to authenticate somehow (with a username and password). One way of doing it is described in [this discussion](https://github.com/tomav/docker-mailserver/issues/1247). However if there are many user accounts, it is better to use authentication with LDAP. The settings for this on `mailserver.env` are: + +```console +ENABLE_LDAP=1 +LDAP_START_TLS=yes +LDAP_SERVER_HOST=ldap.example.org +LDAP_SEARCH_BASE=ou=users,dc=example,dc=org +LDAP_BIND_DN=cn=mailserver,dc=example,dc=org +LDAP_BIND_PW=pass1234 + +ENABLE_SASLAUTHD=1 +SASLAUTHD_MECHANISMS=ldap +SASLAUTHD_LDAP_SERVER=ldap.example.org +SASLAUTHD_LDAP_SSL=0 +SASLAUTHD_LDAP_START_TLS=yes +SASLAUTHD_LDAP_BIND_DN=cn=mailserver,dc=example,dc=org +SASLAUTHD_LDAP_PASSWORD=pass1234 +SASLAUTHD_LDAP_SEARCH_BASE=ou=users,dc=example,dc=org +SASLAUTHD_LDAP_FILTER=(&(uid=%U)(objectClass=inetOrgPerson)) +``` + +My LDAP data structure is very basic, containing only the username, password, and the external email address where to forward emails for this user. An entry looks like this + +```console +add uid=username,ou=users,dc=example,dc=org +uid: username +objectClass: inetOrgPerson +sn: username +cn: username +userPassword: {SSHA}abcdefghi123456789 +email: real-email-address@external-domain.com +``` + +This structure is different from what is expected/assumed from the configuration scripts of the mailserver, so it doesn't work just by using the `LDAP_QUERY_FILTER_...` settings. Instead, I had to do [custom configuration](https://github.com/tomav/docker-mailserver#custom-user-changes--patches). 
I created the script `config/user-patches.sh`, with a content like this: + +```bash +#!/bin/bash + +rm -f /etc/postfix/{ldap-groups.cf,ldap-domains.cf} + +postconf \ + "virtual_mailbox_domains = /etc/postfix/vhost" \ + "virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf texthash:/etc/postfix/virtual" \ + "smtpd_sender_login_maps = ldap:/etc/postfix/ldap-users.cf" + +sed -i /etc/postfix/ldap-users.cf \ + -e '/query_filter/d' \ + -e '/result_attribute/d' \ + -e '/result_format/d' +cat <> /etc/postfix/ldap-users.cf +query_filter = (uid=%u) +result_attribute = uid +result_format = %s@example.org +EOF + +sed -i /etc/postfix/ldap-aliases.cf \ + -e '/domain/d' \ + -e '/query_filter/d' \ + -e '/result_attribute/d' +cat <> /etc/postfix/ldap-aliases.cf +domain = example.org +query_filter = (uid=%u) +result_attribute = mail +EOF + +postfix reload +``` + +You see that besides `query_filter`, I had to customize as well `result_attribute` and `result_format`. + +For more details about using LDAP see: [LDAP managed mail server with Postfix and Dovecot for multiple domains](https://www.vennedey.net/resources/2-LDAP-managed-mail-server-with-Postfix-and-Dovecot-for-multiple-domains) + +Another solution that serves as a forward-only mailserver is this: https://gitlab.com/docker-scripts/postfix From 641746a0f58173afb01d31306567cbdca2e28fd1 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Sat, 2 Jan 2021 22:58:06 +0100 Subject: [PATCH 437/462] Mention that RELAY_HOST needs to be set even in advanced mode --- docs/content/advanced/mail-forwarding/relay-hosts.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/content/advanced/mail-forwarding/relay-hosts.md b/docs/content/advanced/mail-forwarding/relay-hosts.md index 73b6f339..3df5c873 100644 --- a/docs/content/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/advanced/mail-forwarding/relay-hosts.md 
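Review bot: the `user-patches.sh` block will not write the intended lines: `cat <> /etc/postfix/ldap-users.cf` opens the file read-write instead of starting a heredoc, so the `query_filter` / `result_attribute` / `result_format` lines that follow (and the matching block for `ldap-aliases.cf`) are parsed as shell commands and the script aborts with a syntax error. Use `cat >> /etc/postfix/ldap-users.cf <<EOF` (and the same for the aliases file). Second, the LDIF entry stores the forwarding address in an `email` attribute while `ldap-aliases.cf` is told `result_attribute = mail`; `inetOrgPerson` defines `mail`, so either the entry or the result attribute is wrong and the alias lookup would return nothing. Finally, `LDAP_BIND_PW=pass1234` and `SASLAUTHD_LDAP_PASSWORD=pass1234` are real-looking secrets in a file people copy verbatim; mark them as placeholders and mention that `mailserver.env` carries the bind password and should be protected accordingly.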
@@ -53,6 +53,7 @@ An example configuration file looks like this: ``` Combined with the previous configuration in `config/postfix-sasl-password.cf`, this will cause Postfix to deliver mail sent from domain1.com via `relay1.org:587`, authenticating as `relay_user_1`, and mail sent from domain2.com via `relay2.org:2525` authenticating as `relay_user_2`. +Note: You still have to define RELAY_HOST to activate the feature ## Excluding Sender Domains From 41508c01f9106faf54a1edad7769fac874eb7854 Mon Sep 17 00:00:00 2001 From: FL42 <46161216+fl42@users.noreply.github.com> Date: Sat, 2 Jan 2021 22:59:37 +0100 Subject: [PATCH 438/462] style --- docs/content/advanced/mail-forwarding/relay-hosts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/advanced/mail-forwarding/relay-hosts.md b/docs/content/advanced/mail-forwarding/relay-hosts.md index 3df5c873..70003536 100644 --- a/docs/content/advanced/mail-forwarding/relay-hosts.md +++ b/docs/content/advanced/mail-forwarding/relay-hosts.md @@ -52,8 +52,8 @@ An example configuration file looks like this: @domain2.com [relay2.org]:2525 ``` -Combined with the previous configuration in `config/postfix-sasl-password.cf`, this will cause Postfix to deliver mail sent from domain1.com via `relay1.org:587`, authenticating as `relay_user_1`, and mail sent from domain2.com via `relay2.org:2525` authenticating as `relay_user_2`. -Note: You still have to define RELAY_HOST to activate the feature +Combined with the previous configuration in `config/postfix-sasl-password.cf`, this will cause Postfix to deliver mail sent from domain1.com via `relay1.org:587`, authenticating as `relay_user_1`, and mail sent from domain2.com via `relay2.org:2525` authenticating as `relay_user_2`. +**NOTE** You still have to define RELAY_HOST to activate the feature ## Excluding Sender Domains From a669ef9c62aed8736ca7f53461058ff05e49159a Mon Sep 17 00:00:00 2001 
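Review bot: the `**NOTE** You still have to define RELAY_HOST to activate the feature` line sits directly under the previous paragraph with no blank line, so Markdown folds it into that paragraph; add a blank line before it, format `RELAY_HOST` as code like the other variables on the page, and end the sentence with a period.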
From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Tue, 19 Jan 2021 09:45:01 +0100 Subject: [PATCH 439/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- ...er-mailserver-using-the-script-setup.sh.md | 71 ++++++++----------- 1 file changed, 29 insertions(+), 42 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index f86dcd8a..3c9d7c40 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -1,4 +1,4 @@ -[`setup.sh`](https://github.com/tomav/docker-mailserver/blob/master/setup.sh) is an administration script that helps with the most common tasks, including initial configuration. It is intented to be used from the host machine, _not_ from within your running container. +[`setup.sh`](https://github.com/docker-mailserver/docker-mailserver/blob/master/setup.sh) is an administration script that helps with the most common tasks, including initial configuration. It is intented to be used from the host machine, _not_ from within your running container. The latest version of the script is included in the `docker-mailserver` repository. You may retrieve it at any time by running this command in your console: 
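Review bot: the rewritten line keeps the typo `intented` (should be `intended`) even though the whole line is touched for the URL change; fix it in the same edit.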
@@ -8,24 +8,32 @@ wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/ma Or if you use curl: -```sh -curl -o setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh +``` BASH +wget https://raw.githubusercontent.com/docker-mailserver/docker-mailserver/master/setup.sh +chmod a+x ./setup.sh ``` ## Usage -Run `./setup.sh` without arguments and you'll get some usage information: +Run `./setup.sh -h` and you'll get some usage information: + +``` BASH +setup.sh Bootstrapping Script -```sh Usage: ./setup.sh [-i IMAGE_NAME] [-c CONTAINER_NAME] [args] OPTIONS: - -i IMAGE_NAME The name of the docker-mailserver image, by default - 'tvial/docker-mailserver:latest'. + -i IMAGE_NAME The name of the docker-mailserver image + The default value is + 'docker.io/mailserver/docker-maiserver:latest' -c CONTAINER_NAME The name of the running container. + -p PATH Config folder path (default: /home/georg/github/docker-mailserver/config) + + -h Show this help dialogue + -z Allow container access to the bind mount content that is shared among multiple containers on a SELinux-enabled host. @@ -38,8 +46,8 @@ SUBCOMMANDS: email: - ./setup.sh email add - ./setup.sh email update + ./setup.sh email add [] + ./setup.sh email update [] ./setup.sh email del ./setup.sh email restrict [] ./setup.sh email list 
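Review bot: the text still says "Or if you use curl:" but the replacement block under it is a `wget` command, so the lead-in and the command contradict each other; either restore a `curl -o setup.sh ...` example or drop the lead-in. In the usage block the `-p PATH` default is a developer's personal path (`/home/georg/github/docker-mailserver/config`); show a neutral value such as a `config` folder next to the script. Also `docker.io/mailserver/docker-maiserver:latest` misspells the image name (`docker-mailserver`), and the fence info string is written as " BASH" with a leading space and in uppercase, which is not a standard language tag; use `bash`.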
@@ -56,44 +64,23 @@ SUBCOMMANDS: config: ./setup.sh config dkim (default: 2048) - ./setup.sh config ssl + ./setup.sh config ssl + + relay: + + ./setup.sh relay add-domain [] + ./setup.sh relay add-auth [] + ./setup.sh relay exclude-domain debug: ./setup.sh debug fetchmail + ./setup.sh debug fail2ban [ ] ./setup.sh debug show-mail-logs ./setup.sh debug inspect ./setup.sh debug login + + help: Show this help dialogue + + ``` - -## email - -* `./setup.sh email add []`: Add an email-account (\ is optional) -* `./setup.sh email update []`: Change the password of an email-account (\ is optional) -* `./setup.sh email del `: delete an email-account -* `./setup.sh email restrict []`: deny users to send or receive mail. You can also list the respective denied mail-accounts. -* `./setup.sh email list`: list all existing email-accounts - -## alias -* `./setup.sh alias add `: add an alias(email) for an email-account(recipient) -* `./setup.sh alias del `: delete an alias -* `./setup.sh alias list`: list all aliases - -## quota - -* `./setup.sh quota set []`: define the quota of a mailbox (quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))) -* `./setup.sh quota del `: delete the quota of a mailbox - -## config - -* `./setup.sh config dkim (default: 2048)`: autoconfig the dkim-config with an (optional) keysize value -* `./setup.sh config ssl`: generate ssl-certificates - -## debug - -* `./setup.sh debug fetchmail`: see [wiki](https://github.com/tomav/docker-mailserver/wiki/Retrieve-emails-from-a-remote-mail-server-%28using-builtin-fetchmail%29#debugging) -* `./setup.sh debug fail2ban `: omitt all options to get a list of banned IPs, otherwise unban the specified IP. -* `./setup.sh debug show-mail-logs`: show the logfile contents of the mail container -* `./setup.sh debug inspect`: show infos about the running container -* `./setup.sh debug login `: run a command inside the mail container (omit the command to get shell access) - 
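Review bot: deleting the per-subcommand sections drops information the new help dump does not carry: the quota format (`302M`, with B/k/M/G/T units), that `debug fail2ban` with no argument lists banned IPs and with an IP unbans it, and that `debug login` without a command gives shell access. Either keep those explanations under the help text or make sure the script's own `-h` output states them. The help block also ends with two empty lines before the closing fence, which render as trailing whitespace.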
From 29f4367d8d109c6760293b6ce3d657e7d7c3566b Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Tue, 19 Jan 2021 09:45:29 +0100 Subject: [PATCH 440/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 3c9d7c40..c5fcc94f 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -2,12 +2,6 @@ The latest version of the script is included in the `docker-mailserver` repository. You may retrieve it at any time by running this command in your console: -```sh -wget -q -O setup.sh https://raw.githubusercontent.com/tomav/docker-mailserver/master/setup.sh; chmod a+x ./setup.sh -``` - -Or if you use curl: - ``` BASH wget https://raw.githubusercontent.com/docker-mailserver/docker-mailserver/master/setup.sh chmod a+x ./setup.sh From b5dc7ed8c1e1a3909d64e102501d81fda2cf2861 Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Sun, 24 Jan 2021 17:09:12 +0100 Subject: [PATCH 441/462] Add section to use mailserver with proxy protocol --- .../tutorials/installation-examples.md | 114 +++++++++++++++++- 1 file changed, 113 insertions(+), 1 deletion(-) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index b84447fa..2c8310bb 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md 
@@ -154,4 +154,116 @@ We are going to use this docker based mailserver: - **SMTP hosts**: `mail.example.org:465` - **SMTP security**: `SSL` - **SMTP username**: `info@example.org` - - **SMTP password**: `passwd123` \ No newline at end of file + - **SMTP password**: `passwd123` + +## Using docker-mailserver behind proxy +### Information +If you are hiding your container behind a proxy service you might have discovered that the proxied requests from now on contain the proxy IP as the request origin. Whilst this behavior is technical correct it produces certain problems on the containers behind the proxy as they cannot distinguish the real origin of the requests anymore. + +To solve this problem on TCP connections we can make use of the [proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). Compared to other workarounds that exist (`X-Forwarded-For` which only works for HTTP requests or `Tproxy` that requires you to recompile your kernel the proxy protocol: +- it is protocol agnostic (can work with any layer 7 protocols, even when encrypted). +- it does not require any infrastructure changes +- nat-ing firewalls have no impact it +- it is scalable +The is only one condition: **both endpoints** of the connection MUST be compatible with proxy protocol. + +Luckily `dovecot` and `postfix` are both Proxy-Protocol ready softwares so it depends only on your used reverse-proxy/loadbalancer. + +### Configuration of the used proxy software + +The configuration depends on the used proxy system. I will provide the configuration examples of [traefik v2](https://traefik.io/) using IMAP and SMTP with implicit TLS. Feel free to add your configuration if you achived the same goal using different proxy software below: + +
+ traefik v2 + + Truncated configuration of traefik itself: +``` +version: '3.7' +services: + reverse-proxy: + image: traefik:v2.4 + container_name: docker-traefik + restart: always + command: + - "--providers.docker" + - "--providers.docker.exposedbydefault=false" + - "--providers.docker.network=proxy" + - "--entrypoints.web.address=:80" + - "--entryPoints.websecure.address=:443" + - "--entryPoints.smtp.address=:25" + - "--entryPoints.smtp-ssl.address=:465" + - "--entryPoints.imap-ssl.address=:993" + - "--entryPoints.sieve.address=:4190" + ports: + - "25:25" + - "465:465" + - "993:993" + - "4190:4190" +[...] +``` + +Truncated list of neccessary labels on the mailserver container: + +``` +version: '2' +services: + mail: + image: tvial/docker-mailserver:release-v7.2.0 + restart: always + networks: + - proxy + labels: + - "traefik.enable=true" + - "traefik.tcp.routers.smtp.rule=HostSNI(`*`)" + - "traefik.tcp.routers.smtp.entrypoints=smtp" + - "traefik.tcp.routers.smtp.service=smtp" + - "traefik.tcp.services.smtp.loadbalancer.server.port=25" + - "traefik.tcp.services.smtp.loadbalancer.proxyProtocol.version=1" + - "traefik.tcp.routers.smtp-ssl.rule=HostSNI(`*`)" + - "traefik.tcp.routers.smtp-ssl.entrypoints=smtp-ssl" + - "traefik.tcp.routers.smtp-ssl.service=smtp-ssl" + - "traefik.tcp.services.smtp-ssl.loadbalancer.server.port=465" + - "traefik.tcp.services.smtp-ssl.loadbalancer.proxyProtocol.version=1" + - "traefik.tcp.routers.imap-ssl.rule=HostSNI(`*`)" + - "traefik.tcp.routers.imap-ssl.entrypoints=imap-ssl" + - "traefik.tcp.routers.imap-ssl.service=imap-ssl" + - "traefik.tcp.services.imap-ssl.loadbalancer.server.port=10993" + - "traefik.tcp.services.imap-ssl.loadbalancer.proxyProtocol.version=2" + - "traefik.tcp.routers.sieve.rule=HostSNI(`*`)" + - "traefik.tcp.routers.sieve.entrypoints=sieve" + - "traefik.tcp.routers.sieve.service=sieve" + - "traefik.tcp.services.sieve.loadbalancer.server.port=4190" +[...] 
+``` +Keep in mind that it is neccessary to use port `10993` here. More information below at `dovecot` configuration. + +
+ +### Configuration of the backend (`dovecot` and `postfix`) + +The following changes can be achived completely by adding the content to the appropriate files by using the projects [function to overwrite config files](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories). + +Changes for `postfix` can be applied by adding the following content to `config/postfix-main.cf`: +``` +postscreen_upstream_proxy_protocol = haproxy +``` + +and to `config/postfix-master.cd`: +``` +submission/inet/smtpd_upstream_proxy_protocol=haproxy +smtps/inet/smtpd_upstream_proxy_protocol=haproxy +``` + +Changes for `dovecot` can be applied by adding the following content to `config/dovecot.cf`: +``` +haproxy_trusted_networks = , +haproxy_timeout = 3 secs +service imap-login { + inet_listener imaps { + haproxy = yes + ssl = yes + port = 10993 + } +} +``` +Note that port `10993` is used here to avoid conflicts with internal systems like `postscreen` and `amavis` as they will exchange messages on the default port and obviously have a different origin then compared to the proxy. \ No newline at end of file From 1e1059349d0f1d5d44d3b0f50473731df02d77b9 Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Sun, 24 Jan 2021 18:20:34 +0100 Subject: [PATCH 442/462] Updated Installation Examples (markdown) --- docs/content/tutorials/installation-examples.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/tutorials/installation-examples.md b/docs/content/tutorials/installation-examples.md index 2c8310bb..9ca64f1c 100644 --- a/docs/content/tutorials/installation-examples.md +++ b/docs/content/tutorials/installation-examples.md 
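Review bot: `haproxy_trusted_networks = ,` in the `dovecot.cf` snippet is left without addresses; it must list only the proxy's own IP(s), because any host in that list may prepend a PROXY header and thereby choose the client IP that Dovecot logs and applies its per-IP auth penalties to. Postfix's `postscreen_upstream_proxy_protocol = haproxy` has no equivalent allow-list, so the section should state that the mail container's SMTP ports must be reachable only through the proxy; the compose example already has the right shape (ports published on traefik, the mail container only on the `proxy` network), but say so explicitly. Also: `config/postfix-master.cd` should be `postfix-master.cf`; "requires you to recompile your kernel the proxy protocol:" is missing the closing parenthesis; "nat-ing firewalls have no impact it" is missing "on"; and "neccessary", "achived", "technical correct" and "different origin then compared" should read "necessary", "achieved", "technically correct" and "different origin than".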
@@ -160,7 +160,7 @@ We are going to use this docker based mailserver: ### Information If you are hiding your container behind a proxy service you might have discovered that the proxied requests from now on contain the proxy IP as the request origin. Whilst this behavior is technical correct it produces certain problems on the containers behind the proxy as they cannot distinguish the real origin of the requests anymore. -To solve this problem on TCP connections we can make use of the [proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). Compared to other workarounds that exist (`X-Forwarded-For` which only works for HTTP requests or `Tproxy` that requires you to recompile your kernel the proxy protocol: +To solve this problem on TCP connections we can make use of the [proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). Compared to other workarounds that exist (`X-Forwarded-For` which only works for HTTP requests or `Tproxy` that requires you to recompile your kernel) the proxy protocol: - it is protocol agnostic (can work with any layer 7 protocols, even when encrypted). - it does not require any infrastructure changes - nat-ing firewalls have no impact it From 342d38f86f8f3eb320821683c7d1bd4f6433adbe Mon Sep 17 00:00:00 2001 From: Tin Date: Tue, 26 Jan 2021 04:24:24 +0100 Subject: [PATCH 443/462] Otherwise it will completly set the variable and disable any plugins loaded beforehand e.x. quota --- docs/content/advanced/full-text-search.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/advanced/full-text-search.md b/docs/content/advanced/full-text-search.md index 9885d76d..b4ec6f6a 100644 --- a/docs/content/advanced/full-text-search.md +++ b/docs/content/advanced/full-text-search.md @@ -31,7 +31,7 @@ volumes: 2. `etc/dovecot/conf.d/10-plugin.conf`: ``` -mail_plugins = fts fts_solr +mail_plugins = $mail_plugins fts fts_solr plugin { fts = solr 
From 3c74995158b05d7d027998a2b9633cc38033df82 Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:23:24 +0100 Subject: [PATCH 444/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index c5fcc94f..18563823 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md @@ -57,7 +57,7 @@ SUBCOMMANDS: config: - ./setup.sh config dkim (default: 2048) + ./setup.sh config dkim (default: 2048) (optional - for LDAP setups) ./setup.sh config ssl relay: From 6e04c1ce76a6f60d57254aa0f02525dbea6f0b54 Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Tue, 26 Jan 2021 17:28:40 +0100 Subject: [PATCH 445/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 535a9608..74358322 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -18,6 +18,12 @@ Once its done, just run the following command to generate the signature (here sh > -v "$(pwd)/config":/tmp/docker-mailserver \ > -ti tvial/docker-mailserver:latest generate-dkim-config 2048 +For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): + + docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti docker-mailserver/docker-mailserver:latest generate-dkim-config [,] + Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. From d41922a4308b392dcf0ec15c41f884b20471bcbe Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Wed, 27 Jan 2021 13:41:37 +0100 Subject: [PATCH 446/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 74358322..372c0915 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
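Review bot: the new LDAP command pulls `docker-mailserver/docker-mailserver:latest` while the command directly above it in the same section still uses `tvial/docker-mailserver:latest`; a reader following the page top to bottom gets two different images, so align them (the "since `8.0.0`" qualifier also only makes sense for whichever image carries that version). The domain argument to `generate-dkim-config` is shown as `[,]` with nothing inside, so the positional order (key size first, then the comma-separated domains, as the sentence describes) is not visible; write the example out with a key size followed by two sample domains.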
@@ -12,11 +12,11 @@ Once its done, just run the following command to generate the signature (here sh -v "$(pwd)/config":/tmp/docker-mailserver \ -ti tvial/docker-mailserver:latest generate-dkim-config -> The default keysize when generating the signature is 2048 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: +> The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: > > docker run --rm \ > -v "$(pwd)/config":/tmp/docker-mailserver \ -> -ti tvial/docker-mailserver:latest generate-dkim-config 2048 +> -ti tvial/docker-mailserver:latest generate-dkim-config 4096 For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): From 937a54c6597a805abe8eaaa4aa9d83895a893399 Mon Sep 17 00:00:00 2001 From: Frederic Werner <20406381+wernerfred@users.noreply.github.com> Date: Wed, 27 Jan 2021 13:41:53 +0100 Subject: [PATCH 447/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- .../setup-docker-mailserver-using-the-script-setup.sh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md index 18563823..26170983 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md 
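Review bot: after this change the blockquote says the default is 4096 bits and then, as the example of changing it, passes `generate-dkim-config 4096`, i.e. the default again, so the example no longer demonstrates anything. Use a non-default size there; 2048 fits the "your DNS-Provider limits the size" motivation given in the same sentence.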
@@ -57,7 +57,7 @@ SUBCOMMANDS: config: - ./setup.sh config dkim (default: 2048) (optional - for LDAP setups) + ./setup.sh config dkim (default: 4096) (optional - for LDAP setups) ./setup.sh config ssl relay: From d365f58e19f04c02982f2c698d429797382dfdb5 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:02:56 +0100 Subject: [PATCH 448/462] adjusting to the migrated repo and improvements --- docs/content/index.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 39979b2b..5b68b243 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
@@ -1,13 +1,11 @@ -**Welcome to the extended documentation for docker-mailserver!** +### Welcome to the extended documentation for docker-mailserver! -Please first have a look at the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md) to setup and configure this server. -This wiki provides you with advanced configuration, detailed examples, hints… (see navigation on the right side). +Please first have a look at the [README.md](https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md) to setup and configure this server. This wiki provides you with advanced configuration, detailed examples, hints - see navigation on the right side. -**To get you started:** +#### To get you started -- A `setup.sh` script is supplied with this project, which supports you in configuring and administrating your server. - - Information on how to get it & how to use it is available [in the dedicated page](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). - - Be aware that advanced tasks may still require tweaking env vars, reading through documentation and sometimes inspecting your running container for debug. Feel free to ask for help by [creating an issue](https://github.com/tomav/docker-mailserver/issues) with all relevant information. -- A list of all configuration options is provided in the [README.md](https://github.com/tomav/docker-mailserver/blob/master/README.md). That is a good starting point to understand what this image is capable of. -- A list of all optional and automatically created configuration files and directories is available [in the dedicated page](https://github.com/tomav/docker-mailserver/wiki/List-of-optional-config-files-&-directories). -- See the [FAQ](https://github.com/tomav/docker-mailserver/wiki/FAQ-and-Tips) for some more tips! +1. The script `setup.sh` is supplied with this project. It supports you in configuring and administrating your server. 
Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). +2. Be aware that advanced tasks may still require tweaking environment variables, reading through documentation and sometimes inspecting your running container for debugging purposes. After all, a mail server is a complex arrangement of various programs. +3. A list of all configuration options is provided in [`ENVIRONMENT.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md). The [`README`](https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md) is a good starting point to understand what this image is capable of. +4. A list of all optional and automatically created configuration files and directories is available [on the dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories). +5. See the [FAQ](https://github.com/docker-mailserver/docker-mailserver/wiki/FAQ-and-Tips) for some more tips! From e5aae324cb489fe494338359060e1d78c6fda730 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:04:49 +0100 Subject: [PATCH 449/462] Updated Home (markdown) --- docs/content/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/index.md b/docs/content/index.md index 5b68b243..7c2a368a 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
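Review bot: the `README` link in item 3 points at `.../blob/master/REEADME.md` (double E), which does not exist; the link in the first paragraph spells `README.md` correctly. Also "to setup and configure" should read "to set up and configure", and item 2 ("Be aware that advanced tasks...") is advice rather than a step, so turning the list into a numbered one reads oddly; the original bullets fitted this content better.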
@@ -1,11 +1,11 @@ ### Welcome to the extended documentation for docker-mailserver! -Please first have a look at the [README.md](https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md) to setup and configure this server. This wiki provides you with advanced configuration, detailed examples, hints - see navigation on the right side. +Please first have a look at the [`README.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/README.md) to setup and configure this server. This wiki provides you with advanced configuration, detailed examples, hints - see navigation on the right side. #### To get you started 1. The script `setup.sh` is supplied with this project. It supports you in configuring and administrating your server. Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). 2. Be aware that advanced tasks may still require tweaking environment variables, reading through documentation and sometimes inspecting your running container for debugging purposes. After all, a mail server is a complex arrangement of various programs. -3. A list of all configuration options is provided in [`ENVIRONMENT.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md). The [`README`](https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md) is a good starting point to understand what this image is capable of. +3. A list of all configuration options is provided in [`ENVIRONMENT.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md). The [`README.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md) is a good starting point to understand what this image is capable of. 4. 
A list of all optional and automatically created configuration files and directories is available [on the dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories). 5. See the [FAQ](https://github.com/docker-mailserver/docker-mailserver/wiki/FAQ-and-Tips) for some more tips! From 1c27d5f8d9c30b2afa5459053b48495d7bf641ba Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:06:36 +0100 Subject: [PATCH 450/462] Updated Setup docker mailserver using the script setup.sh (markdown) --- ...d => setup-docker-mailserver-using-the-setup.sh-script.md} | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) rename docs/content/{setup-docker-mailserver-using-the-script-setup.sh.md => setup-docker-mailserver-using-the-setup.sh-script.md} (99%) diff --git a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md b/docs/content/setup-docker-mailserver-using-the-setup.sh-script.md similarity index 99% rename from docs/content/setup-docker-mailserver-using-the-script-setup.sh.md rename to docs/content/setup-docker-mailserver-using-the-setup.sh-script.md index 26170983..e33388c7 100644 --- a/docs/content/setup-docker-mailserver-using-the-script-setup.sh.md +++ b/docs/content/setup-docker-mailserver-using-the-setup.sh-script.md @@ -75,6 +75,4 @@ SUBCOMMANDS: ./setup.sh debug login help: Show this help dialogue - - -``` +``` \ No newline at end of file From 4609759703ff8d3cec4d7ae1c5a7dcf1870288d4 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:07:42 +0100 Subject: [PATCH 451/462] Updated Configure Accounts (markdown) --- docs/content/config/user-management/accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index c23f2862..748a5edf 100644 
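Review bot: item 3 of the index.md hunk only changes the link label from `README` to `README.md`; the target still reads `https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md`, so the broken link from the previous commit survives. Fix the path in the URL, not just the label.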
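Review bot: the setup.sh-script.md hunk removes the two stray blank lines before the closing fence but also drops the file's final newline (`\ No newline at end of file`). Keep a trailing newline so the closing fence is a complete line and later diffs of this file do not carry the same marker.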
--- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md @@ -2,7 +2,7 @@ Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. -The best way to manage accounts is to use the reliable [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. +The best way to manage accounts is to use the reliable [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. Or you may directly add the _full_ email address and its encrypted password, separated by a pipe. @@ -37,7 +37,7 @@ Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Co
-A warning message will be sent to the user when his mailbox is reaching quota limit. Have a look at [90-quota.cf](https://github.com/tomav/docker-mailserver/tree/master/target/dovecot/90-quota.conf) for further details. +A warning message will be sent to the user when his mailbox is reaching quota limit. Have a look at [90-quota.cf](https://github.com/docker-mailserver/docker-mailserver/tree/master/target/dovecot/90-quota.conf) for further details. ### Commands _exec in the container_ From 7e04232f76d2b368b5e735eed256b11e9900a98d Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:07:59 +0100 Subject: [PATCH 452/462] Updated Configure Aliases (markdown) --- docs/content/config/user-management/aliases.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index e93b2164..913e6b52 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md @@ -2,7 +2,7 @@ Please first read [Postfix documentation on virtual aliases](http://www.postfix. ### Configuring aliases -You can use [setup.sh](https://github.com/tomav/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) instead of creating and editing files manually. +You can use [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) instead of creating and editing files manually. Aliases are managed in `/tmp/docker-mailserver/postfix-virtual.cf`. From 9ec789d7c5d0711024a6d162b6b1b94bd75f0434 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:10:26 +0100 Subject: [PATCH 453/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 38 ++++++++++++---------- 1 file changed, 21 insertions(+), 17 deletions(-) 
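Review bot: in the second accounts.md hunk the link label `90-quota.cf` does not match the file it points at, `.../target/dovecot/90-quota.conf`, on both the old and the new line. Since this commit is already rewriting that URL, rename the label to `90-quota.conf` so readers look for the right file.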
diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 372c0915..2b84625d 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -1,34 +1,38 @@ -DKIM is a security measure targeting email spoofing. It is greatly recommended one activates it. +DKIM is a security measure targeting email spoofing. It is greatly recommended one activates it. See [the Wikipedia page](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) for more details on DKIM. -See https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail for more details on DKIM. +### Enabling DKIM signature -## Enabling DKIM signature - -To enable DKIM signature, you must have created at least one email accounts. +To enable DKIM signature, **you must have created at least one email account**. Once its done, just run the following command to generate the signature (here show from inside the directory of docker-compose.yml in order to use a volume on ./config): - docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config +```BASH +docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:latest generate-dkim-config +``` -> The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: -> -> docker run --rm \ -> -v "$(pwd)/config":/tmp/docker-mailserver \ -> -ti tvial/docker-mailserver:latest generate-dkim-config 4096 +The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. 
your DNS-Provider limits the size), then provide the size as the first parameter of the command: + +```BASH +docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti tvial/docker-mailserver:latest generate-dkim-config 4096 +``` For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): - docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti docker-mailserver/docker-mailserver:latest generate-dkim-config [,] +```BASH +docker run --rm \ + -v "$(pwd)/config":/tmp/docker-mailserver \ + -ti docker-mailserver/docker-mailserver:latest generate-dkim-config [,] +``` Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. -``` +``` TXT ; OpenDKIM mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.tld From 1fbabeefc0eb910ebc75f960abe401766fe96be6 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:17:07 +0100 Subject: [PATCH 454/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 33 ++++++++++------------ 1 file changed, 15 insertions(+), 18 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 2b84625d..68e46acd 100644 --- a/docs/content/config/best-practices/dkim.md 
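Review bot: the three command blocks in the dkim.md hunk reference two different images: `tvial/docker-mailserver:latest` in the first two and `docker-mailserver/docker-mailserver:latest` in the LDAP variant. Pick one image name for the page so a reader copying the LDAP command does not pull a different image than the one above it. Two typos also survive onto `+` lines: `Once its done` should be `Once it's done` and `here show from inside` should be `here shown from inside`.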
+++ b/docs/content/config/best-practices/dkim.md @@ -4,28 +4,22 @@ DKIM is a security measure targeting email spoofing. It is greatly recommended o To enable DKIM signature, **you must have created at least one email account**. -Once its done, just run the following command to generate the signature (here show from inside the directory of docker-compose.yml in order to use a volume on ./config): +Once its done, just run the following command to generate the signature: ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config +./setup.sh config dkim ``` -The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: +The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti tvial/docker-mailserver:latest generate-dkim-config 4096 +./setup.sh config dkim ``` For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): ```BASH -docker run --rm \ - -v "$(pwd)/config":/tmp/docker-mailserver \ - -ti docker-mailserver/docker-mailserver:latest generate-dkim-config [,] +./setup.sh config dkim [,] ``` Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. 
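Review bot: the keysize paragraph says to "provide the size as the first parameter of the command", but the block that follows it is the bare `./setup.sh config dkim`, identical to the default invocation above. The line it replaces carried the example value (`generate-dkim-config 4096`), so the new `+` line should show the size argument too, otherwise the example contradicts the sentence. Minor: "The script assumes you're being in the directory" should read "assumes you are in the directory".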
@@ -33,10 +27,10 @@ Now the keys are generated, you can configure your DNS server with DKIM signatur If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. ``` TXT -; OpenDKIM -mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " - "p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ) ; ----- DKIM key mail for domain.tld - +$ dig mail._domainkey.domain.tld TXT +--- +;; ANSWER SECTION +mail._domainkey. 300 IN TXT "v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ```
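Review bot: the unchanged prose still tells the reader to paste "the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone", but the block that replaces the zone-file excerpt is now `dig` query output, which is not zone-file syntax (no parenthesised continuation lines, and the `300` is the TTL reported by the resolver, not content of `mail.txt`). Either keep the `mail.txt` snippet for this paragraph or reword it to say that this is what a correctly published record looks like when queried. The fence is also still tagged `TXT` although its content is a shell session.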
@@ -55,10 +49,12 @@ After generating DKIM keys, you should restart the mail server. DNS edits may ta Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines. If so then you need to concatenate the values in the TXT record: ``` -; OpenDKIM +$ dig mail._domainkey.domain.tld TXT +--- +;; ANSWER SECTION mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDF..." - "asdfQWERTYUIOPQSDF..." ) ; ----- DKIM key mail for domain.tld + "asdfQWERTYUIOPQSDF..." ) ``` the target (or value) field must then have all the parts together: `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` @@ -66,7 +62,8 @@ the target (or value) field must then have all the parts together: `v=DKIM1; k=r ## Verify-only If you want DKIM to only _verify_ incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): -``` + +``` TXT # This is a simple config file verifying messages only #LogWhy yes From f448f59434fb4097c8d926b404639db7e4bbc87b Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:17:52 +0100 Subject: [PATCH 455/462] Destroyed Configure ELK (markdown) --- docs/content/configure-elk.md | 131 ---------------------------------- 1 file changed, 131 deletions(-) delete mode 100644 docs/content/configure-elk.md diff --git a/docs/content/configure-elk.md b/docs/content/configure-elk.md deleted file mode 100644 index 1c8e7c5d..00000000 --- a/docs/content/configure-elk.md +++ /dev/null 
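Review bot: the multi-line-key example now mixes two formats: it opens with a `dig` command and a `;; ANSWER SECTION` header, yet the record below is still the zone-file form `mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "` with parentheses, which `dig` never prints; the block earlier in this same commit shows `mail._domainkey. 300 IN TXT ...`, so use one form consistently. In the Verify-only hunk the `/etc/opendkim.conf` block is tagged `TXT`; it is an OpenDKIM configuration file, so a plain fence would be less misleading than a record-type tag.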
@@ -1,131 +0,0 @@ -From [Wikipedia](https://en.wikipedia.org/wiki/Elasticsearch): ->Elasticsearch can be used to search all kinds of documents. It provides scalable search, has near real-time search, and supports multitenancy. "Elasticsearch is distributed, which means that indices can be divided into shards and each shard can have zero or more replicas. Each node hosts one or more shards, and acts as a coordinator to delegate operations to the correct shard(s). Rebalancing and routing are done automatically [...]" - -In this page, you will implement sending mail logs to a ELK stack via a [Filebeat client](https://www.elastic.co/beats/filebeat). - -:construction: Starting with release v7.0.0 of docker-mailserver, a Filebeat client will _not_ be included inside the mailserver container anymore. The recommended practice is to run Filebeat in its own container (as documented [below](#filebeat-container)). - -# Environment variables: -**ENABLE_ELK_FORWARDER** -* **empty** => disabled -* **1** => enables forwarder - -**ELK_HOST** -* elk (default) - -**ELK_PORT** -* 5044 (default) - -# Configuration File: -the start-mailserver.sh scripts use `/etc/filebeat/filebeat.yml.tmpl` as a template to set HOST and PORT. -You can override that template or set a custom config file as ro volume. - -``` -mail: - ~ - volumes: - - ./config/filebeat.yml:/etc/filebeat/filebeat.yml:ro -``` - -## Run ELK embedded on mailserver stack. -you can run directly the embeeded ELK using docker compose. No needs config. - -``` -cp docker-compose.elk.yml.dist docker-compose.yml -docker-compose up -``` - -## Use a external ELK. -you can be send logs to you own instance of ELK stack. -needs set the environments variables. 
- -``` -mail: - ~ - environment: - - ENABLE_ELK_FORWARDER=1 - - ELK_HOST=elk_host_or_ip - - ELK_PORT= 5044 -``` -On you ELK stack should be create a logstash input -``` -#/etc/logstash/conf.d/02-beats-input.conf -input { - beats { - port => 5044 - ssl => false - } -} -``` - -# Create Index on Kibana -Go http://localhost:5601. The first time needs create default index. -Steps: - -1. Create Index pattern - - - **Index name or pattern** * - - Select **Time-field name** (refresh fields): @timestamp (appears until process some log) - - Create - -2. Go to Discover and filter by fields. - ---- ---- -:warning: The following documentation only apply for the next release (v7.0.0). - -# Filebeat container -Configuration for each container is mainly done through _Hints based autodiscover_ (following [Elastic](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-autodiscover-hints.html) practice). -By default, filebeat will **not** retrieve logs from any containers, you must enable logging using Docker labels as documented below. - -## Configuration -### (Method 1) Using existing ELK - -Update `config/filebeat.docker.yml` with your existing logstash endpoint: -``` -output.logstash: - hosts: ["elk_host_or_ip:5044"] -``` - -Adapt your Docker Compose file or use the one provided: -``` -cp docker-compose.filebeat.yml.dist docker-compose.yml -docker-compose up -d -``` - -### (Method 2) Run ELK embedded on the same host - -Filebeat will use the configuration file `config/filebeat.docker.yml`. For basic needs, you don't need to update the file (logstash endpoint is `127.0.0.1:5044'`). - -#### Maxmind GeoIP license - -As of Dec 30 2019, Maxming GeoIP database is no more publicly available. You must first [sign-up](https://www.maxmind.com/en/geolite2/signup) (it's free) and request for a GeoLite2-City license. 
-Then update the ELK build environment variables: -``` -cp elk/.env.dist elk/.env -``` -With your license number: -``` -MAXMIND_LICENSE=your_license_number -``` - -#### Run containers -Adapt your Docker Compose file or use the one provided: -``` -cp docker-compose.elk.yml.dist docker-compose.yml -docker-compose up -d -``` - -#### Create Index on Kibana -Go http://localhost:5601. The first time needs create default index. -Steps: - -1. Create Index pattern - - - **Index name or pattern** * - - Select **Time-field name** (refresh fields): @timestamp (appears until process some log) - - Create - -2. Go to Discover and filter by fields. - -:bangbang: This ELK image is provided for testing purpose without any security measure. Please follow these [hardening procedures](https://elk-docker.readthedocs.io/#security-considerations). \ No newline at end of file From 4ea6598d2788464d3db78080a4314cdfea55b7a0 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Wed, 27 Jan 2021 22:18:24 +0100 Subject: [PATCH 456/462] Updated Setup docker mailserver using the setup.sh script (markdown) --- .../setup.sh.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{setup-docker-mailserver-using-the-setup.sh-script.md => config/setup.sh.md} (100%) diff --git a/docs/content/setup-docker-mailserver-using-the-setup.sh-script.md b/docs/content/config/setup.sh.md similarity index 100% rename from docs/content/setup-docker-mailserver-using-the-setup.sh-script.md rename to docs/content/config/setup.sh.md From 2c496e3d5e09988898d5edd25633910faddfa3ad Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 11:54:41 +0100 Subject: [PATCH 457/462] Updated A mail server's 101 (markdown) --- docs/content/{a-mail-server's-101.md => introduction.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename docs/content/{a-mail-server's-101.md => introduction.md} (100%) 
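Review bot: the deleted configure-elk.md was the page documenting `ENABLE_ELK_FORWARDER`, `ELK_HOST`, `ELK_PORT` and the `config/filebeat.yml` volume mount; if those variables are still listed in `ENVIRONMENT.md` or the page is still linked from the navigation, this commit should update those references (or leave a short page pointing at the "Filebeat container" approach it described), otherwise users land on an orphaned link. The deleted text also carried the warning that the bundled ELK compose setup is "provided for testing purpose without any security measure"; if `docker-compose.elk.yml.dist` and `docker-compose.filebeat.yml.dist` remain in the repository, that warning should survive next to them.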
diff --git a/docs/content/a-mail-server's-101.md b/docs/content/introduction.md similarity index 100% rename from docs/content/a-mail-server's-101.md rename to docs/content/introduction.md From b5c46127ae18b57b96fa08b2105ae73f40bccc87 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 12:09:38 +0100 Subject: [PATCH 458/462] Updated Configure Accounts (markdown) --- .../config/user-management/accounts.md | 75 ++++++------------- 1 file changed, 22 insertions(+), 53 deletions(-) diff --git a/docs/content/config/user-management/accounts.md b/docs/content/config/user-management/accounts.md index 748a5edf..f69ad5a7 100644 --- a/docs/content/config/user-management/accounts.md +++ b/docs/content/config/user-management/accounts.md 
@@ -1,61 +1,30 @@ ## Adding a new account -Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. +Users (email accounts) are managed in `/tmp/docker-mailserver/postfix-accounts.cf`. **_The best way to manage accounts is to use the reliable [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script_**. Or you may directly add the _full_ email address and its encrypted password, separated by a pipe: -The best way to manage accounts is to use the reliable [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh) script. +``` INI +user1@domain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 +user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 +```` -Or you may directly add the _full_ email address and its encrypted password, separated by a pipe. +In the example above, we've added 2 mail accounts for 2 different domains. Consequently, the mail server will automatically be configured for multi-domains. Therefore, to generate a new mail account data, directly from your docker host, you could for example run the following: -Example: - - user1@domain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 - user2@otherdomain.tld|{SHA512-CRYPT}$6$2YpW1nYtPBs2yLYS$z.5PGH1OEzsHHNhl3gJrc3D.YMZkvKw/vp.r5WIiwya6z7P/CQ9GDEJDr2G2V0cAfjDFeAQPUoopsuWPXLk3u1 - -In the example above, we've added 2 mail accounts for 2 different domains. Consequently, the mail-server will automagically be configured as multi-domains. 
- -Therefore, to _generate_ a new mail account data, directly from your docker host, you could for example run the following: - - docker run --rm \ - -e MAIL_USER=user1@domain.tld \ - -e MAIL_PASS=mypassword \ - -ti tvial/docker-mailserver:latest \ - /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf - -You will then be asked for a password, and be given back the data for a new account entry, as text. - -To actually _add_ this new account, just copy all the output text in `config/postfix-accounts.cf` file of your running container. - -Please note the `doveadm pw` command lets you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. - -> Note: changes to the accounts list require a restart of the container, using `supervisord`. See [#552](../issues/552) - -*** -## Mailbox quota - -On top of the default quota (`POSTFIX_MAILBOX_SIZE_LIMIT`), you can define specific quotas per mailbox. -Quota implementation relies on [dovecot quota](https://wiki.dovecot.org/Quota/Configuration) which requires dovecot to be enabled. Consequently, quota directives are disabled when `SMTP_ONLY=1` or when `ENABLE_LDAP=1` or when explicitly disabled with `ENABLE_QUOTAS=0`. -
- - -A warning message will be sent to the user when his mailbox is reaching quota limit. Have a look at [90-quota.cf](https://github.com/docker-mailserver/docker-mailserver/tree/master/target/dovecot/90-quota.conf) for further details. - -### Commands -_exec in the container_ - -- `setquota []`: define the quota of a mailbox (quota format e.g. 302M (B (byte), k (kilobyte), M (megabyte), G (gigabyte) or T (terabyte))) -- `delquota `: delete the quota of a mailbox -- `doveadm quota get -u `: display the quota and the statistics of a mailbox - -### `dovecot-quotas.cf` - -This file is a key-value database where quotas are stored. - -_dovecot-quotas.cf_ -``` -user@domain.tld:50M -john@other-domain.tld:1G +``` BASH +docker run --rm \ + -e MAIL_USER=user1@domain.tld \ + -e MAIL_PASS=mypassword \ + -ti mailserver/docker-mailserver:latest \ + /bin/sh -c 'echo "$MAIL_USER|$(doveadm pw -s SHA512-CRYPT -u $MAIL_USER -p $MAIL_PASS)"' >> config/postfix-accounts.cf ``` + +You will then be asked for a password, and be given back the data for a new account entry, as text. To actually _add_ this new account, just copy all the output text in `config/postfix-accounts.cf` file of your running container. Please note the `doveadm pw` command lets you choose between several encryption schemes for the password. Use doveadm pw -l to get a list of the currently supported encryption schemes. + +**Note**: Changes to the accounts list require a restart of the container, using `supervisord`. See [#552](https://github.com/docker-mailserver/docker-mailserver/issues/552). + +--- + ### Notes -- *imap-quota* is enabled and allow clients to query their mailbox usage. + +- `imap-quota` is enabled and allow clients to query their mailbox usage. - When the mailbox is deleted, the quota directive is deleted as well. -- LDAP ? Dovecot quotas supports LDAP **but it's not implemented** (_PR are welcome!_). 
\ No newline at end of file +- Dovecot quotas support LDAP, **but it's not implemented** (_PR are welcome!_). \ No newline at end of file From a5a6096032bb5de26a5b277985d8caa1e85de2b5 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 12:11:47 +0100 Subject: [PATCH 459/462] Updated Configure Aliases (markdown) --- .../content/config/user-management/aliases.md | 38 +++++++------------ 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/docs/content/config/user-management/aliases.md b/docs/content/config/user-management/aliases.md index 913e6b52..95f4c81d 100644 --- a/docs/content/config/user-management/aliases.md +++ b/docs/content/config/user-management/aliases.md 
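Review bot: the accounts.md hunk removes the whole "Mailbox quota" section (`POSTFIX_MAILBOX_SIZE_LIMIT`, `setquota`, `delquota`, `doveadm quota get`, `dovecot-quotas.cf`) but keeps the "Notes" bullets that only make sense under it ("`imap-quota` is enabled...", "When the mailbox is deleted, the quota directive is deleted as well", the LDAP quota note), so they now dangle without context; move the quota material to wherever it is going and link to it, or drop the notes with it. Smaller points in the same hunk: the INI block is opened with three backticks and closed with four; the `docker run` example uses `mailserver/docker-mailserver:latest` where the rest of this series uses `docker-mailserver/docker-mailserver:latest`; and "You will then be asked for a password" contradicts the command, which already receives the password via `-e MAIL_PASS=mypassword`. Passing it that way also leaves it in shell history and in the container environment, which is one more reason to steer readers to the `setup.sh` route the same paragraph already calls the best way.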
@@ -1,46 +1,34 @@ -Please first read [Postfix documentation on virtual aliases](http://www.postfix.org/VIRTUAL_README.html#virtual_alias). +Please read the [Postfix documentation on virtual aliases](http://www.postfix.org/VIRTUAL_README.html#virtual_alias) first. -### Configuring aliases - -You can use [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) instead of creating and editing files manually. - -Aliases are managed in `/tmp/docker-mailserver/postfix-virtual.cf`. - -An alias is a _full_ email address that will either be: +You can use [setup.sh](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh#alias) instead of creating and editing files manually. Aliases are managed in `/tmp/docker-mailserver/postfix-virtual.cf`. An alias is a _full_ email address that will either be: * delivered to an existing account registered in `/tmp/docker-mailserver/postfix-accounts.cf` * redirected to one or more other email addresses -Alias and target are space separated. +Alias and target are space separated. An example on a server with domain.tld as its domain: -Example (on a server with domain.tld as its domain): +``` INI +# Alias delivered to an existing account +alias1@domain.tld user1@domain.tld - # Alias delivered to an existing account - alias1@domain.tld user1@domain.tld - - # Alias forwarded to an external email address - alias2@domain.tld external@gmail.com +# Alias forwarded to an external email address +alias2@domain.tld external@gmail.com +``` ### Configuring regexp aliases -Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. The regexp aliases get evaluated after the virtual aliases (`/tmp/docker-mailserver/postfix-virtual.cf`). +Additional regexp aliases can be configured by placing them into `config/postfix-regexp.cf`. 
The regexp aliases get evaluated after the virtual aliases (`/tmp/docker-mailserver/postfix-virtual.cf`). For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: -For example, the following `config/postfix-regexp.cf` causes all email to "test" users to be delivered to qa@example.com: - -``` +``` INI /^test[0-9][0-9]*@example.com/ qa@example.com ``` ### Address tags (extension delimiters) as an alternative to aliases -Postfix supports so-called address tags, in the form of plus (+) tags - i.e. address+tag@example.com will end up at address@example.com. - -This is configured by default and the (configurable !) separator is set to `+`. - -For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/) and the [official documentation](http://www.postfix.org/postconf.5.html#recipient_delimiter). +Postfix supports so-called address tags, in the form of plus (+) tags - i.e. address+tag@example.com will end up at address@example.com. This is configured by default and the (configurable !) separator is set to `+`. For more info, see [How to use Address Tagging (user+tag@example.com) with Postfix](https://www.stevejenkins.com/blog/2011/03/how-to-use-address-tagging-usertagexample-com-with-postfix/) and the [official documentation](http://www.postfix.org/postconf.5.html#recipient_delimiter). Note that if you do decide to change the configurable separator, you must add the same line to *both* `config/postfix-main.cf` and `config/dovecot.cf`, because Dovecot is acting as the delivery agent. For example, to switch to `-`, add: -``` +``` INI recipient_delimiter = - ``` From 7b3e4161843568aba9639b4224e9773887a5e13c Mon Sep 17 00:00:00 2001 
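Review bot: the regexp alias example `/^test[0-9][0-9]*@example.com/ qa@example.com` (content unchanged, now in an INI fence) is looser than the sentence above it claims: the unescaped `.` matches any character and the pattern has no `$` anchor, so it also matches recipients whose domain merely starts with `example.com`. Anchoring and escaping, e.g. `/^test[0-9][0-9]*@example\.com$/ qa@example.com`, matches only the "test" users of that domain. Minor: the aliases example forwards to a real provider domain (`external@gmail.com`); a reserved example domain would avoid readers copying it verbatim, and "(configurable !)" has a stray space before the exclamation mark.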
From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 12:21:12 +0100 Subject: [PATCH 460/462] Updated Configure DKIM (markdown) --- docs/content/config/best-practices/dkim.md | 62 ++++++++-------------- 1 file changed, 22 insertions(+), 40 deletions(-) diff --git a/docs/content/config/best-practices/dkim.md b/docs/content/config/best-practices/dkim.md index 68e46acd..253e2407 100644 --- a/docs/content/config/best-practices/dkim.md +++ b/docs/content/config/best-practices/dkim.md 
@@ -1,40 +1,35 @@ DKIM is a security measure targeting email spoofing. It is greatly recommended one activates it. See [the Wikipedia page](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) for more details on DKIM. -### Enabling DKIM signature +#### Enabling DKIM signature -To enable DKIM signature, **you must have created at least one email account**. +To enable DKIM signature, **you must have created at least one email account**. Once its done, just run the following command to generate the signature: -Once its done, just run the following command to generate the signature: - -```BASH +``` BASH ./setup.sh config dkim ``` -The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS-Provider limits the size), then provide the size as the first parameter of the command: +After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. The script assumes you're being in the directory where the `config/` directory is located. The default keysize when generating the signature is 4096 bits for now. If you need to change it (e.g. your DNS provider limits the size), then provide the size as the first parameter of the command: -```BASH +``` BASH ./setup.sh config dkim ``` For LDAP systems that do not have any directly created user account you can run the following command (since `8.0.0`) to generate the signature by additionally providing the desired domain name (if you have multiple domains use the command multiple times or provide a comma-separated list of domains): -```BASH +``` BASH ./setup.sh config dkim [,] ``` -Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. +Now the keys are generated, you can configure your DNS server with DKIM signature, simply by adding a TXT record. 
If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. -If you have direct access to your DNS zone file, then it's only a matter of pasting the content of `config/opendkim/keys/domain.tld/mail.txt` in your `domain.tld.hosts` zone. - -``` TXT +``` BASH $ dig mail._domainkey.domain.tld TXT --- ;; ANSWER SECTION mail._domainkey. 300 IN TXT "v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN/AZERTYUIOPQSDFGHJKLMWXCVBN" ``` -
-Configuration using a web interface +#### Configuration using a web interface 1. Generate a new record of the type `TXT`. 2. Paste `mail._domainkey` the `Name` txt field. @@ -42,24 +37,20 @@ mail._domainkey. 300 IN TXT "v=DKIM1; k=rsa; p=AZERTYUIOPQSDFGHJKLMWX 4. In `TTL` (time to live): Time span in seconds. How long the DNS server should cache the `TXT` record. 5. Save. -
+**Note**: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines. If so then you need to concatenate the values in the TXT record: -After generating DKIM keys, you should restart the mail server. DNS edits may take a few minutes to hours to propagate. - -Note: Sometimes the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines. If so then you need to concatenate the values in the TXT record: - -``` +``` BASH $ dig mail._domainkey.domain.tld TXT --- ;; ANSWER SECTION -mail._domainkey IN TXT ( "v=DKIM1; k=rsa; " +mail._domainkey. 300 IN TXT "v=DKIM1; k=rsa; " "p=AZERTYUIOPQSDF..." - "asdfQWERTYUIOPQSDF..." ) + "asdfQWERTYUIOPQSDF..." ``` -the target (or value) field must then have all the parts together: `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` +The target (or value) field must then have all the parts together: `v=DKIM1; k=rsa; p=AZERTYUIOPQSDF...asdfQWERTYUIOPQSDF...` -## Verify-only +#### Verify-only If you want DKIM to only _verify_ incoming emails, the following version of /etc/opendkim.conf may be useful (right now there is no easy mechanism for installing it other than forking the repo): @@ -79,23 +70,14 @@ SendReports yes Mode v ``` -## Debugging +#### Debugging -### Tools +- [DKIM-verifer](https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier): A add-on for the mail client Thunderbird. +- You can debug your TXT records with the `dig` tool. -* [DKIM-verifer](https://addons.mozilla.org/en-US/thunderbird/addon/dkim-verifier): A add-on for the mail client Thunderbird. - -### DKIM TXT Record - -You can debug your TXT records with the `dig` tool. - -``` -dig TXT mail._domainkey.domain.tld -``` - -Output: - -``` +``` BASH +$ dig TXT mail._domainkey.domain.tld +--- ; <<>> DiG 9.10.3-P4-Debian <<>> TXT mail._domainkey.domain.tld ;; global options: +cmd ;; Got answer: 
@@ -116,6 +98,6 @@ mail._domainkey.domain.tld. 3600 IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA ;; MSG SIZE rcvd: 310 ``` -## Switch off DKIM +#### Switch off DKIM Simply remove the DKIM key by recreating (not just relaunching) the mailserver container. \ No newline at end of file From 1db28eb6fcf7e83ba30ba5dd8d2ca7576fb19afa Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 16:43:54 +0100 Subject: [PATCH 461/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index 7c2a368a..d46d6816 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
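Review bot: In the first hunk of this commit (`@@ -1,40 +1,35 @@`) all three `./setup.sh config dkim` commands render identically, so the key size and domain arguments the surrounding prose promises ("provide the size as the first parameter of the command", "additionally providing the desired domain name") are not visible in any of the fenced blocks, and the LDAP variant ends in a bare `[,]`; if angle-bracket placeholders were swallowed as HTML, spell them out inside the fence so a reader can see where the arguments go. Two smaller points in the same hunk: the sentence "After generating DKIM keys, you should restart the mail server." has been moved in front of the key-size explanation, where it now interrupts the flow between the command and "The script assumes you're being in the directory" (should read "you're in the directory"); and the `dig` answer line shows the owner as `mail._domainkey.` with no domain, whereas the Debugging block in the same file shows `mail._domainkey.domain.tld. 3600 IN TXT`, so the two examples disagree on what a correctly published record looks like.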
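Review bot: The multi-line example in the second hunk (`@@ -42,24 +37,20 @@`) no longer matches the note it illustrates. The note says the key in `config/opendkim/keys/domain.tld/mail.txt` can be on multiple lines, which is the parenthesised zone-file form the `-` lines showed (`mail._domainkey IN TXT ( "v=DKIM1; k=rsa; "` ... `"asdfQWERTYUIOPQSDF..." )`), but the `+` lines replace it with `$ dig` output, where the split strings appear on one line and the parentheses never occur. Either keep the `mail.txt` excerpt as the thing the reader has to concatenate, or reword the note to say the example shows how `dig` renders the record once it is published.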
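Review bot: The Debugging hunk (`@@ -79,23 +70,14 @@`) carries the typo `DKIM-verifer` and the article in `A add-on` over into the rewritten `+` list item unchanged; since the line is being touched, make it `[DKIM-verifier](...)`: An add-on for the mail client Thunderbird`, matching the add-on name in the URL. The same hunk also folds the `dig TXT mail._domainkey.domain.tld` command and its output into a single `BASH` block separated by a `---` line; `---` is not something `dig` prints, so it reads as part of the answer (the first hunk's `dig` example has the same separator). Either drop the separator or keep command and output in separate blocks as the removed lines did.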
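Review bot: With the last hunk (`@@ -116,6 +98,6 @@`) the final `##` heading becomes `####`, so every section of this page (`Enabling DKIM signature`, `Configuration using a web interface`, `Verify-only`, `Debugging`, `Switch off DKIM`) now sits at the same h4 level with no h1 to h3 above it in the file; if the page title is supplied by the site layout that is workable, but a single heading level gives the reader no way to tell the DKIM setup steps from the debugging and switch-off sections, and the "Configuration using a web interface" heading was previously plain text, so it is not clear which level was intended. The hunk also keeps `\ No newline at end of file`; add the trailing newline while the file is being rewritten.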
@@ -4,7 +4,7 @@ Please first have a look at the [`README.md`](https://github.com/docker-mailserv #### To get you started -1. The script `setup.sh` is supplied with this project. It supports you in configuring and administrating your server. Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/Setup-docker-mailserver-using-the-script-setup.sh). +1. The script `setup.sh` is supplied with this project. It supports you in configuring and administrating your server. Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/setup.sh). 2. Be aware that advanced tasks may still require tweaking environment variables, reading through documentation and sometimes inspecting your running container for debugging purposes. After all, a mail server is a complex arrangement of various programs. 3. A list of all configuration options is provided in [`ENVIRONMENT.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md). The [`README.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md) is a good starting point to understand what this image is capable of. 4. A list of all optional and automatically created configuration files and directories is available [on the dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories). From 6fee0cbd5b0d4724a56a83ef9c813ec9a8e64046 Mon Sep 17 00:00:00 2001 From: Georg Lauterbach <44545919+aendeavor@users.noreply.github.com> Date: Mon, 8 Feb 2021 16:44:11 +0100 Subject: [PATCH 462/462] Updated Home (markdown) --- docs/content/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/index.md b/docs/content/index.md index d46d6816..ef77024d 100644 --- a/docs/content/index.md +++ b/docs/content/index.md 
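Review bot: The wiki link correction in this hunk is right, but the unchanged context line directly below it (item 3) links the README to `.../blob/master/REEADME.md`, with a doubled `E`, which will not resolve on GitHub; since this commit is already fixing a dead link in the same list, correct that path to `README.md` as well.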
@@ -4,7 +4,7 @@ Please first have a look at the [`README.md`](https://github.com/docker-mailserv #### To get you started -1. The script `setup.sh` is supplied with this project. It supports you in configuring and administrating your server. Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/setup.sh). +1. The script `setup.sh` is supplied with this project. It supports you in **configuring and administrating** your server. Information on how to get it and how to use it is available [on a dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/setup.sh). 2. Be aware that advanced tasks may still require tweaking environment variables, reading through documentation and sometimes inspecting your running container for debugging purposes. After all, a mail server is a complex arrangement of various programs. 3. A list of all configuration options is provided in [`ENVIRONMENT.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/ENVIRONMENT.md). The [`README.md`](https://github.com/docker-mailserver/docker-mailserver/blob/master/REEADME.md) is a good starting point to understand what this image is capable of. 4. A list of all optional and automatically created configuration files and directories is available [on the dedicated page](https://github.com/docker-mailserver/docker-mailserver/wiki/List-of-optional-config-files-&-directories).
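Review bot: Bolding `configuring and administrating` in this hunk puts emphasis on a word that reads oddly; `administering` is the usual form, so while touching the line consider `**configuring and administering**`. The `REEADME.md` link in item 3 is still present in this commit's context lines, so the broken README link from the previous commit remains to be fixed.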