mailcow-dockerized-docs/docs/firststeps-ssl.md

!!! warning
    mailcow dockerized comes with a snake-oil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.

mailcow uses **at least** 3 domain names that should be covered by your new certificate:

- ${MAILCOW_HOSTNAME}
- autodiscover.**example.org**
- autoconfig.**example.org**

## Let's Encrypt

This is just an example of how to obtain certificates with certbot. There are several methods!

1\. Get the certbot client:
``` bash
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot
```

2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
``` bash
docker-compose up -d
```

3\. Request the certificate with the webroot method:
``` bash
cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf
certbot certonly \
    --webroot \
    -w ${PWD}/data/web \
    -d ${MAILCOW_HOSTNAME} \
    -d autodiscover.example.org \
    -d autoconfig.example.org \
    --email you@example.org \
    --agree-tos
```

!!! warning
    Remember to replace the example.org domain with your own domain, this command will not work if you don't.

4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
``` bash
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```

5\. Restart affected containers:
```
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
```

When renewing certificates, run the last two steps (link + restart) as post-hook in a script.

## Check your configuration

To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.

To check the certificate served by dovecot or postfix we will use `openssl`:

```
# Connect via SMTP (25)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25
# Connect via SMTPS (465)
openssl s_client -showcerts -connect mx.mailcow.email:465
# Connect via SUBMISSION (587)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
```
Added check on SSL 2017-05-09 17:20:59 +02:00			`!!! warning`
Spelling 2017-05-09 17:54:50 +02:00			mailcow dockerized comes with a snake-oil CA "mailcow" and a server certificate in `data/assets/ssl`. Please use your own trusted certificates.
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
Some minor corrections 2017-05-06 03:51:31 +02:00			`mailcow uses at least 3 domain names that should be covered by your new certificate:`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
			`- ${MAILCOW_HOSTNAME}`
			`- autodiscover.example.org`
			`- autoconfig.example.org`

Added check on SSL 2017-05-09 17:20:59 +02:00			`## Let's Encrypt`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00
			`This is just an example of how to obtain certificates with certbot. There are several methods!`

Mama ist fertig! 2017-05-09 19:21:51 +02:00			`1\. Get the certbot client:`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00			``` bash
			`wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot && chmod +x /usr/local/sbin/certbot`
			```

Mama ist fertig! 2017-05-09 19:21:51 +02:00			2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00			``` bash
			`docker-compose up -d`
			```

Mama ist fertig! 2017-05-09 19:21:51 +02:00			`3\. Request the certificate with the webroot method:`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00			``` bash
			`cd /path/to/git/clone/mailcow-dockerized`
			`source mailcow.conf`
			`certbot certonly \`
			`--webroot \`
			`-w ${PWD}/data/web \`
			`-d ${MAILCOW_HOSTNAME} \`
			`-d autodiscover.example.org \`
			`-d autoconfig.example.org \`
			`--email you@example.org \`
			`--agree-tos`
			```

Added info box 2017-05-06 14:54:03 +02:00			`!!! warning`
Spelling 2017-05-09 17:54:50 +02:00			`Remember to replace the example.org domain with your own domain, this command will not work if you don't.`
Some minor corrections 2017-05-06 03:51:31 +02:00
Mama ist fertig! 2017-05-09 19:21:51 +02:00			`4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00			``` bash
			`mv data/assets/ssl/cert.{pem,pem.backup}`
			`mv data/assets/ssl/key.{pem,pem.backup}`
			`ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem`
			`ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem`
			```

Mama ist fertig! 2017-05-09 19:21:51 +02:00			`5\. Restart affected containers:`
Rearrange format, still a wip 2017-05-06 00:22:26 +02:00			```
			`docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow`
			```

			`When renewing certificates, run the last two steps (link + restart) as post-hook in a script.`
Added check on SSL 2017-05-09 17:20:59 +02:00
			`## Check your configuration`

			`To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.`

			To check the certificate served by dovecot or postfix we will use `openssl`:

			```
			`# Connect via SMTP (25)`
			`openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25`
			`# Connect via SMTPS (465)`
			`openssl s_client -showcerts -connect mx.mailcow.email:465`
			`# Connect via SUBMISSION (587)`
			`openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587`
			```