2017-05-09 17:20:59 +02:00
!!! warning
2017-05-09 17:54:50 +02:00
mailcow dockerized comes with a snake-oil CA "mailcow" and a server certificate in `data/assets/ssl` . Please use your own trusted certificates.
2017-05-06 00:22:26 +02:00
2017-05-06 03:51:31 +02:00
mailcow uses **at least** 3 domain names that should be covered by your new certificate:
2017-05-06 00:22:26 +02:00
- ${MAILCOW_HOSTNAME}
- autodiscover.**example.org**
- autoconfig.**example.org**
2017-05-09 17:20:59 +02:00
## Let's Encrypt
2017-05-06 00:22:26 +02:00
This is just an example of how to obtain certificates with certbot. There are several methods!
2017-05-09 19:21:51 +02:00
1\. Get the certbot client:
2017-05-06 00:22:26 +02:00
``` bash
wget https://dl.eff.org/certbot-auto -O /usr/local/sbin/certbot & & chmod +x /usr/local/sbin/certbot
```
2017-05-09 19:21:51 +02:00
2\. Make sure you set `HTTP_BIND=0.0.0.0` and `HTTP_PORT=80` in `mailcow.conf` or setup a reverse proxy to enable connections to port 80. If you changed HTTP_BIND, then rebuild Nginx:
2017-05-06 00:22:26 +02:00
``` bash
docker-compose up -d
```
2017-05-09 19:21:51 +02:00
3\. Request the certificate with the webroot method:
2017-05-06 00:22:26 +02:00
``` bash
cd /path/to/git/clone/mailcow-dockerized
source mailcow.conf
certbot certonly \
--webroot \
-w ${PWD}/data/web \
-d ${MAILCOW_HOSTNAME} \
-d autodiscover.example.org \
-d autoconfig.example.org \
--email you@example.org \
--agree-tos
```
2017-05-06 14:54:03 +02:00
!!! warning
2017-05-09 17:54:50 +02:00
Remember to replace the example.org domain with your own domain, this command will not work if you don't.
2017-05-06 03:51:31 +02:00
2017-05-09 19:21:51 +02:00
4\. Create hard links to the full path of the new certificates. Assuming you are still in the mailcow root folder:
2017-05-06 00:22:26 +02:00
``` bash
mv data/assets/ssl/cert.{pem,pem.backup}
mv data/assets/ssl/key.{pem,pem.backup}
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/fullchain.pem) data/assets/ssl/cert.pem
ln $(readlink -f /etc/letsencrypt/live/${MAILCOW_HOSTNAME}/privkey.pem) data/assets/ssl/key.pem
```
2017-05-09 19:21:51 +02:00
5\. Restart affected containers:
2017-05-06 00:22:26 +02:00
```
docker-compose restart postfix-mailcow dovecot-mailcow nginx-mailcow
```
When renewing certificates, run the last two steps (link + restart) as post-hook in a script.
2017-05-09 17:20:59 +02:00
## Check your configuration
To check if nginx serves the correct certificate, simply use a browser of your choice and check the displayed certificate.
To check the certificate served by dovecot or postfix we will use `openssl` :
```
# Connect via SMTP (25)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:25
# Connect via SMTPS (465)
openssl s_client -showcerts -connect mx.mailcow.email:465
# Connect via SUBMISSION (587)
openssl s_client -starttls smtp -crlf -connect mx.mailcow.email:587
```